Skip to content

Instantly share code, notes, and snippets.

@matterpreter

matterpreter/20H2_EPROCESS.log

Created December 10, 2020 14:32
Show Gist options
  • Save matterpreter/3f0e6aa99f1d68ac990c7c1e1904561c to your computer and use it in GitHub Desktop.
Save matterpreter/3f0e6aa99f1d68ac990c7c1e1904561c to your computer and use it in GitHub Desktop.
Download ZIP
Win10 20H2 EPROCESS
Raw
20H2_EPROCESS.log
lkd> dt -b nt!_EPROCESS
+0x000 Pcb : _KPROCESS
+0x000 Header : _DISPATCHER_HEADER
+0x000 Lock : Int4B
+0x000 LockNV : Int4B
+0x000 Type : UChar
+0x001 Signalling : UChar
+0x002 Size : UChar
+0x003 Reserved1 : UChar
+0x000 TimerType : UChar
+0x001 TimerControlFlags : UChar
+0x001 Absolute : Pos 0, 1 Bit
+0x001 Wake : Pos 1, 1 Bit
+0x001 EncodedTolerableDelay : Pos 2, 6 Bits
+0x002 Hand : UChar
+0x003 TimerMiscFlags : UChar
+0x003 Index : Pos 0, 6 Bits
+0x003 Inserted : Pos 6, 1 Bit
+0x003 Expired : Pos 7, 1 Bit
+0x000 Timer2Type : UChar
+0x001 Timer2Flags : UChar
+0x001 Timer2Inserted : Pos 0, 1 Bit
+0x001 Timer2Expiring : Pos 1, 1 Bit
+0x001 Timer2CancelPending : Pos 2, 1 Bit
+0x001 Timer2SetPending : Pos 3, 1 Bit
+0x001 Timer2Running : Pos 4, 1 Bit
+0x001 Timer2Disabled : Pos 5, 1 Bit
+0x001 Timer2ReservedFlags : Pos 6, 2 Bits
+0x002 Timer2ComponentId : UChar
+0x003 Timer2RelativeId : UChar
+0x000 QueueType : UChar
+0x001 QueueControlFlags : UChar
+0x001 Abandoned : Pos 0, 1 Bit
+0x001 DisableIncrement : Pos 1, 1 Bit
+0x001 QueueReservedControlFlags : Pos 2, 6 Bits
+0x002 QueueSize : UChar
+0x003 QueueReserved : UChar
+0x000 ThreadType : UChar
+0x001 ThreadReserved : UChar
+0x002 ThreadControlFlags : UChar
+0x002 CycleProfiling : Pos 0, 1 Bit
+0x002 CounterProfiling : Pos 1, 1 Bit
+0x002 GroupScheduling : Pos 2, 1 Bit
+0x002 AffinitySet : Pos 3, 1 Bit
+0x002 Tagged : Pos 4, 1 Bit
+0x002 EnergyProfiling : Pos 5, 1 Bit
+0x002 SchedulerAssist : Pos 6, 1 Bit
+0x002 ThreadReservedControlFlags : Pos 7, 1 Bit
+0x003 DebugActive : UChar
+0x003 ActiveDR7 : Pos 0, 1 Bit
+0x003 Instrumented : Pos 1, 1 Bit
+0x003 Minimal : Pos 2, 1 Bit
+0x003 Reserved4 : Pos 3, 2 Bits
+0x003 AltSyscall : Pos 5, 1 Bit
+0x003 UmsScheduled : Pos 6, 1 Bit
+0x003 UmsPrimary : Pos 7, 1 Bit
+0x000 MutantType : UChar
+0x001 MutantSize : UChar
+0x002 DpcActive : UChar
+0x003 MutantReserved : UChar
+0x004 SignalState : Int4B
+0x008 WaitListHead : _LIST_ENTRY
+0x000 Flink : Ptr64
+0x008 Blink : Ptr64
+0x018 ProfileListHead : _LIST_ENTRY
+0x000 Flink : Ptr64
+0x008 Blink : Ptr64
+0x028 DirectoryTableBase : Uint8B
+0x030 ThreadListHead : _LIST_ENTRY
+0x000 Flink : Ptr64
+0x008 Blink : Ptr64
+0x040 ProcessLock : Uint4B
+0x044 ProcessTimerDelay : Uint4B
+0x048 DeepFreezeStartTime : Uint8B
+0x050 Affinity : _KAFFINITY_EX
+0x000 Count : Uint2B
+0x002 Size : Uint2B
+0x004 Reserved : Uint4B
+0x008 Bitmap : Uint8B
+0x0f8 AffinityPadding : Uint8B
+0x158 ReadyListHead : _LIST_ENTRY
+0x000 Flink : Ptr64
+0x008 Blink : Ptr64
+0x168 SwapListEntry : _SINGLE_LIST_ENTRY
+0x000 Next : Ptr64
+0x170 ActiveProcessors : _KAFFINITY_EX
+0x000 Count : Uint2B
+0x002 Size : Uint2B
+0x004 Reserved : Uint4B
+0x008 Bitmap : Uint8B
+0x218 ActiveProcessorsPadding : Uint8B
+0x278 AutoAlignment : Pos 0, 1 Bit
+0x278 DisableBoost : Pos 1, 1 Bit
+0x278 DisableQuantum : Pos 2, 1 Bit
+0x278 DeepFreeze : Pos 3, 1 Bit
+0x278 TimerVirtualization : Pos 4, 1 Bit
+0x278 CheckStackExtents : Pos 5, 1 Bit
+0x278 CacheIsolationEnabled : Pos 6, 1 Bit
+0x278 PpmPolicy : Pos 7, 3 Bits
+0x278 VaSpaceDeleted : Pos 10, 1 Bit
+0x278 ReservedFlags : Pos 11, 21 Bits
+0x278 ProcessFlags : Int4B
+0x27c ActiveGroupsMask : Uint4B
+0x280 BasePriority : Char
+0x281 QuantumReset : Char
+0x282 Visited : Char
+0x283 Flags : _KEXECUTE_OPTIONS
+0x000 ExecuteDisable : Pos 0, 1 Bit
+0x000 ExecuteEnable : Pos 1, 1 Bit
+0x000 DisableThunkEmulation : Pos 2, 1 Bit
+0x000 Permanent : Pos 3, 1 Bit
+0x000 ExecuteDispatchEnable : Pos 4, 1 Bit
+0x000 ImageDispatchEnable : Pos 5, 1 Bit
+0x000 DisableExceptionChainValidation : Pos 6, 1 Bit
+0x000 Spare : Pos 7, 1 Bit
+0x000 ExecuteOptions : UChar
+0x000 ExecuteOptionsNV : UChar
+0x284 ThreadSeed : Uint2B
+0x2ac ThreadSeedPadding : Uint2B
+0x2c4 IdealProcessor : Uint2B
+0x2ec IdealProcessorPadding : Uint2B
+0x304 IdealNode : Uint2B
+0x32c IdealNodePadding : Uint2B
+0x344 IdealGlobalNode : Uint2B
+0x346 Spare1 : Uint2B
+0x348 StackCount : _KSTACK_COUNT
+0x000 Value : Int4B
+0x000 State : Pos 0, 3 Bits
+0x000 StackCount : Pos 3, 29 Bits
+0x350 ProcessListEntry : _LIST_ENTRY
+0x000 Flink : Ptr64
+0x008 Blink : Ptr64
+0x360 CycleTime : Uint8B
+0x368 ContextSwitches : Uint8B
+0x370 SchedulingGroup : Ptr64
+0x378 FreezeCount : Uint4B
+0x37c KernelTime : Uint4B
+0x380 UserTime : Uint4B
+0x384 ReadyTime : Uint4B
+0x388 UserDirectoryTableBase : Uint8B
+0x390 AddressPolicy : UChar
+0x391 Spare2 : UChar
+0x3d8 InstrumentationCallback : Ptr64
+0x3e0 SecureState : <anonymous-tag>
+0x000 SecureHandle : Uint8B
+0x000 Flags : <anonymous-tag>
+0x000 SecureProcess : Pos 0, 1 Bit
+0x000 Unused : Pos 1, 1 Bit
+0x3e8 KernelWaitTime : Uint8B
+0x3f0 UserWaitTime : Uint8B
+0x3f8 EndPadding : Uint8B
+0x438 ProcessLock : _EX_PUSH_LOCK
+0x000 Locked : Pos 0, 1 Bit
+0x000 Waiting : Pos 1, 1 Bit
+0x000 Waking : Pos 2, 1 Bit
+0x000 MultipleShared : Pos 3, 1 Bit
+0x000 Shared : Pos 4, 60 Bits
+0x000 Value : Uint8B
+0x000 Ptr : Ptr64
+0x440 UniqueProcessId : Ptr64
+0x448 ActiveProcessLinks : _LIST_ENTRY
+0x000 Flink : Ptr64
+0x008 Blink : Ptr64
+0x458 RundownProtect : _EX_RUNDOWN_REF
+0x000 Count : Uint8B
+0x000 Ptr : Ptr64
+0x460 Flags2 : Uint4B
+0x460 JobNotReallyActive : Pos 0, 1 Bit
+0x460 AccountingFolded : Pos 1, 1 Bit
+0x460 NewProcessReported : Pos 2, 1 Bit
+0x460 ExitProcessReported : Pos 3, 1 Bit
+0x460 ReportCommitChanges : Pos 4, 1 Bit
+0x460 LastReportMemory : Pos 5, 1 Bit
+0x460 ForceWakeCharge : Pos 6, 1 Bit
+0x460 CrossSessionCreate : Pos 7, 1 Bit
+0x460 NeedsHandleRundown : Pos 8, 1 Bit
+0x460 RefTraceEnabled : Pos 9, 1 Bit
+0x460 PicoCreated : Pos 10, 1 Bit
+0x460 EmptyJobEvaluated : Pos 11, 1 Bit
+0x460 DefaultPagePriority : Pos 12, 3 Bits
+0x460 PrimaryTokenFrozen : Pos 15, 1 Bit
+0x460 ProcessVerifierTarget : Pos 16, 1 Bit
+0x460 RestrictSetThreadContext : Pos 17, 1 Bit
+0x460 AffinityPermanent : Pos 18, 1 Bit
+0x460 AffinityUpdateEnable : Pos 19, 1 Bit
+0x460 PropagateNode : Pos 20, 1 Bit
+0x460 ExplicitAffinity : Pos 21, 1 Bit
+0x460 ProcessExecutionState : Pos 22, 2 Bits
+0x460 EnableReadVmLogging : Pos 24, 1 Bit
+0x460 EnableWriteVmLogging : Pos 25, 1 Bit
+0x460 FatalAccessTerminationRequested : Pos 26, 1 Bit
+0x460 DisableSystemAllowedCpuSet : Pos 27, 1 Bit
+0x460 ProcessStateChangeRequest : Pos 28, 2 Bits
+0x460 ProcessStateChangeInProgress : Pos 30, 1 Bit
+0x460 InPrivate : Pos 31, 1 Bit
+0x464 Flags : Uint4B
+0x464 CreateReported : Pos 0, 1 Bit
+0x464 NoDebugInherit : Pos 1, 1 Bit
+0x464 ProcessExiting : Pos 2, 1 Bit
+0x464 ProcessDelete : Pos 3, 1 Bit
+0x464 ManageExecutableMemoryWrites : Pos 4, 1 Bit
+0x464 VmDeleted : Pos 5, 1 Bit
+0x464 OutswapEnabled : Pos 6, 1 Bit
+0x464 Outswapped : Pos 7, 1 Bit
+0x464 FailFastOnCommitFail : Pos 8, 1 Bit
+0x464 Wow64VaSpace4Gb : Pos 9, 1 Bit
+0x464 AddressSpaceInitialized : Pos 10, 2 Bits
+0x464 SetTimerResolution : Pos 12, 1 Bit
+0x464 BreakOnTermination : Pos 13, 1 Bit
+0x464 DeprioritizeViews : Pos 14, 1 Bit
+0x464 WriteWatch : Pos 15, 1 Bit
+0x464 ProcessInSession : Pos 16, 1 Bit
+0x464 OverrideAddressSpace : Pos 17, 1 Bit
+0x464 HasAddressSpace : Pos 18, 1 Bit
+0x464 LaunchPrefetched : Pos 19, 1 Bit
+0x464 Background : Pos 20, 1 Bit
+0x464 VmTopDown : Pos 21, 1 Bit
+0x464 ImageNotifyDone : Pos 22, 1 Bit
+0x464 PdeUpdateNeeded : Pos 23, 1 Bit
+0x464 VdmAllowed : Pos 24, 1 Bit
+0x464 ProcessRundown : Pos 25, 1 Bit
+0x464 ProcessInserted : Pos 26, 1 Bit
+0x464 DefaultIoPriority : Pos 27, 3 Bits
+0x464 ProcessSelfDelete : Pos 30, 1 Bit
+0x464 SetTimerResolutionLink : Pos 31, 1 Bit
+0x468 CreateTime : _LARGE_INTEGER
+0x000 LowPart : Uint4B
+0x004 HighPart : Int4B
+0x000 u : <anonymous-tag>
+0x000 LowPart : Uint4B
+0x004 HighPart : Int4B
+0x000 QuadPart : Int8B
+0x470 ProcessQuotaUsage : Uint8B
+0x480 ProcessQuotaPeak : Uint8B
+0x490 PeakVirtualSize : Uint8B
+0x498 VirtualSize : Uint8B
+0x4a0 SessionProcessLinks : _LIST_ENTRY
+0x000 Flink : Ptr64
+0x008 Blink : Ptr64
+0x4b0 ExceptionPortData : Ptr64
+0x4b0 ExceptionPortValue : Uint8B
+0x4b0 ExceptionPortState : Pos 0, 3 Bits
+0x4b8 Token : _EX_FAST_REF
+0x000 Object : Ptr64
+0x000 RefCnt : Pos 0, 4 Bits
+0x000 Value : Uint8B
+0x4c0 MmReserved : Uint8B
+0x4c8 AddressCreationLock : _EX_PUSH_LOCK
+0x000 Locked : Pos 0, 1 Bit
+0x000 Waiting : Pos 1, 1 Bit
+0x000 Waking : Pos 2, 1 Bit
+0x000 MultipleShared : Pos 3, 1 Bit
+0x000 Shared : Pos 4, 60 Bits
+0x000 Value : Uint8B
+0x000 Ptr : Ptr64
+0x4d0 PageTableCommitmentLock : _EX_PUSH_LOCK
+0x000 Locked : Pos 0, 1 Bit
+0x000 Waiting : Pos 1, 1 Bit
+0x000 Waking : Pos 2, 1 Bit
+0x000 MultipleShared : Pos 3, 1 Bit
+0x000 Shared : Pos 4, 60 Bits
+0x000 Value : Uint8B
+0x000 Ptr : Ptr64
+0x4d8 RotateInProgress : Ptr64
+0x4e0 ForkInProgress : Ptr64
+0x4e8 CommitChargeJob : Ptr64
+0x4f0 CloneRoot : _RTL_AVL_TREE
+0x000 Root : Ptr64
+0x4f8 NumberOfPrivatePages : Uint8B
+0x500 NumberOfLockedPages : Uint8B
+0x508 Win32Process : Ptr64
+0x510 Job : Ptr64
+0x518 SectionObject : Ptr64
+0x520 SectionBaseAddress : Ptr64
+0x528 Cookie : Uint4B
+0x530 WorkingSetWatch : Ptr64
+0x538 Win32WindowStation : Ptr64
+0x540 InheritedFromUniqueProcessId : Ptr64
+0x548 OwnerProcessId : Uint8B
+0x550 Peb : Ptr64
+0x558 Session : Ptr64
+0x560 Spare1 : Ptr64
+0x568 QuotaBlock : Ptr64
+0x570 ObjectTable : Ptr64
+0x578 DebugPort : Ptr64
+0x580 WoW64Process : Ptr64
+0x588 DeviceMap : Ptr64
+0x590 EtwDataSource : Ptr64
+0x598 PageDirectoryPte : Uint8B
+0x5a0 ImageFilePointer : Ptr64
+0x5a8 ImageFileName : UChar
+0x5b7 PriorityClass : UChar
+0x5b8 SecurityPort : Ptr64
+0x5c0 SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO
+0x000 ImageFileName : Ptr64
+0x5c8 JobLinks : _LIST_ENTRY
+0x000 Flink : Ptr64
+0x008 Blink : Ptr64
+0x5d8 HighestUserAddress : Ptr64
+0x5e0 ThreadListHead : _LIST_ENTRY
+0x000 Flink : Ptr64
+0x008 Blink : Ptr64
+0x5f0 ActiveThreads : Uint4B
+0x5f4 ImagePathHash : Uint4B
+0x5f8 DefaultHardErrorProcessing : Uint4B
+0x5fc LastThreadExitStatus : Int4B
+0x600 PrefetchTrace : _EX_FAST_REF
+0x000 Object : Ptr64
+0x000 RefCnt : Pos 0, 4 Bits
+0x000 Value : Uint8B
+0x608 LockedPagesList : Ptr64
+0x610 ReadOperationCount : _LARGE_INTEGER
+0x000 LowPart : Uint4B
+0x004 HighPart : Int4B
+0x000 u : <anonymous-tag>
+0x000 LowPart : Uint4B
+0x004 HighPart : Int4B
+0x000 QuadPart : Int8B
+0x618 WriteOperationCount : _LARGE_INTEGER
+0x000 LowPart : Uint4B
+0x004 HighPart : Int4B
+0x000 u : <anonymous-tag>
+0x000 LowPart : Uint4B
+0x004 HighPart : Int4B
+0x000 QuadPart : Int8B
+0x620 OtherOperationCount : _LARGE_INTEGER
+0x000 LowPart : Uint4B
+0x004 HighPart : Int4B
+0x000 u : <anonymous-tag>
+0x000 LowPart : Uint4B
+0x004 HighPart : Int4B
+0x000 QuadPart : Int8B
+0x628 ReadTransferCount : _LARGE_INTEGER
+0x000 LowPart : Uint4B
+0x004 HighPart : Int4B
+0x000 u : <anonymous-tag>
+0x000 LowPart : Uint4B
+0x004 HighPart : Int4B
+0x000 QuadPart : Int8B
+0x630 WriteTransferCount : _LARGE_INTEGER
+0x000 LowPart : Uint4B
+0x004 HighPart : Int4B
+0x000 u : <anonymous-tag>
+0x000 LowPart : Uint4B
+0x004 HighPart : Int4B
+0x000 QuadPart : Int8B
+0x638 OtherTransferCount : _LARGE_INTEGER
+0x000 LowPart : Uint4B
+0x004 HighPart : Int4B
+0x000 u : <anonymous-tag>
+0x000 LowPart : Uint4B
+0x004 HighPart : Int4B
+0x000 QuadPart : Int8B
+0x640 CommitChargeLimit : Uint8B
+0x648 CommitCharge : Uint8B
+0x650 CommitChargePeak : Uint8B
+0x680 Vm : _MMSUPPORT_FULL
+0x000 Instance : _MMSUPPORT_INSTANCE
+0x000 NextPageColor : Uint4B
+0x004 PageFaultCount : Uint4B
+0x008 TrimmedPageCount : Uint8B
+0x010 VmWorkingSetList : Ptr64
+0x018 WorkingSetExpansionLinks : _LIST_ENTRY
+0x000 Flink : Ptr64
+0x008 Blink : Ptr64
+0x028 AgeDistribution : Uint8B
+0x068 ExitOutswapGate : Ptr64
+0x070 MinimumWorkingSetSize : Uint8B
+0x078 WorkingSetLeafSize : Uint8B
+0x080 WorkingSetLeafPrivateSize : Uint8B
+0x088 WorkingSetSize : Uint8B
+0x090 WorkingSetPrivateSize : Uint8B
+0x098 MaximumWorkingSetSize : Uint8B
+0x0a0 PeakWorkingSetSize : Uint8B
+0x0a8 HardFaultCount : Uint4B
+0x0ac LastTrimStamp : Uint2B
+0x0ae PartitionId : Uint2B
+0x0b0 SelfmapLock : Uint8B
+0x0b8 Flags : _MMSUPPORT_FLAGS
+0x000 WorkingSetType : Pos 0, 3 Bits
+0x000 Reserved0 : Pos 3, 3 Bits
+0x000 MaximumWorkingSetHard : Pos 6, 1 Bit
+0x000 MinimumWorkingSetHard : Pos 7, 1 Bit
+0x001 SessionMaster : Pos 0, 1 Bit
+0x001 TrimmerState : Pos 1, 2 Bits
+0x001 Reserved : Pos 3, 1 Bit
+0x001 PageStealers : Pos 4, 4 Bits
+0x000 u1 : Uint2B
+0x002 MemoryPriority : UChar
+0x003 WsleDeleted : Pos 0, 1 Bit
+0x003 SvmEnabled : Pos 1, 1 Bit
+0x003 ForceAge : Pos 2, 1 Bit
+0x003 ForceTrim : Pos 3, 1 Bit
+0x003 NewMaximum : Pos 4, 1 Bit
+0x003 CommitReleaseState : Pos 5, 2 Bits
+0x003 u2 : UChar
+0x0c0 Shared : _MMSUPPORT_SHARED
+0x000 WorkingSetLock : Int4B
+0x004 GoodCitizenWaiting : Int4B
+0x008 ReleasedCommitDebt : Uint8B
+0x010 ResetPagesRepurposedCount : Uint8B
+0x018 WsSwapSupport : Ptr64
+0x020 CommitReleaseContext : Ptr64
+0x028 AccessLog : Ptr64
+0x030 ChargedWslePages : Uint8B
+0x038 ActualWslePages : Uint8B
+0x040 WorkingSetCoreLock : Uint8B
+0x048 ShadowMapping : Ptr64
+0x7c0 MmProcessLinks : _LIST_ENTRY
+0x000 Flink : Ptr64
+0x008 Blink : Ptr64
+0x7d0 ModifiedPageCount : Uint4B
+0x7d4 ExitStatus : Int4B
+0x7d8 VadRoot : _RTL_AVL_TREE
+0x000 Root : Ptr64
+0x7e0 VadHint : Ptr64
+0x7e8 VadCount : Uint8B
+0x7f0 VadPhysicalPages : Uint8B
+0x7f8 VadPhysicalPagesLimit : Uint8B
+0x800 AlpcContext : _ALPC_PROCESS_CONTEXT
+0x000 Lock : _EX_PUSH_LOCK
+0x000 Locked : Pos 0, 1 Bit
+0x000 Waiting : Pos 1, 1 Bit
+0x000 Waking : Pos 2, 1 Bit
+0x000 MultipleShared : Pos 3, 1 Bit
+0x000 Shared : Pos 4, 60 Bits
+0x000 Value : Uint8B
+0x000 Ptr : Ptr64
+0x008 ViewListHead : _LIST_ENTRY
+0x000 Flink : Ptr64
+0x008 Blink : Ptr64
+0x018 PagedPoolQuotaCache : Uint8B
+0x820 TimerResolutionLink : _LIST_ENTRY
+0x000 Flink : Ptr64
+0x008 Blink : Ptr64
+0x830 TimerResolutionStackRecord : Ptr64
+0x838 RequestedTimerResolution : Uint4B
+0x83c SmallestTimerResolution : Uint4B
+0x840 ExitTime : _LARGE_INTEGER
+0x000 LowPart : Uint4B
+0x004 HighPart : Int4B
+0x000 u : <anonymous-tag>
+0x000 LowPart : Uint4B
+0x004 HighPart : Int4B
+0x000 QuadPart : Int8B
+0x848 InvertedFunctionTable : Ptr64
+0x850 InvertedFunctionTableLock : _EX_PUSH_LOCK
+0x000 Locked : Pos 0, 1 Bit
+0x000 Waiting : Pos 1, 1 Bit
+0x000 Waking : Pos 2, 1 Bit
+0x000 MultipleShared : Pos 3, 1 Bit
+0x000 Shared : Pos 4, 60 Bits
+0x000 Value : Uint8B
+0x000 Ptr : Ptr64
+0x858 ActiveThreadsHighWatermark : Uint4B
+0x85c LargePrivateVadCount : Uint4B
+0x860 ThreadListLock : _EX_PUSH_LOCK
+0x000 Locked : Pos 0, 1 Bit
+0x000 Waiting : Pos 1, 1 Bit
+0x000 Waking : Pos 2, 1 Bit
+0x000 MultipleShared : Pos 3, 1 Bit
+0x000 Shared : Pos 4, 60 Bits
+0x000 Value : Uint8B
+0x000 Ptr : Ptr64
+0x868 WnfContext : Ptr64
+0x870 ServerSilo : Ptr64
+0x878 SignatureLevel : UChar
+0x879 SectionSignatureLevel : UChar
+0x87a Protection : _PS_PROTECTION
+0x000 Level : UChar
+0x000 Type : Pos 0, 3 Bits
+0x000 Audit : Pos 3, 1 Bit
+0x000 Signer : Pos 4, 4 Bits
+0x87b HangCount : Pos 0, 3 Bits
+0x87b GhostCount : Pos 3, 3 Bits
+0x87b PrefilterException : Pos 6, 1 Bit
+0x87c Flags3 : Uint4B
+0x87c Minimal : Pos 0, 1 Bit
+0x87c ReplacingPageRoot : Pos 1, 1 Bit
+0x87c Crashed : Pos 2, 1 Bit
+0x87c JobVadsAreTracked : Pos 3, 1 Bit
+0x87c VadTrackingDisabled : Pos 4, 1 Bit
+0x87c AuxiliaryProcess : Pos 5, 1 Bit
+0x87c SubsystemProcess : Pos 6, 1 Bit
+0x87c IndirectCpuSets : Pos 7, 1 Bit
+0x87c RelinquishedCommit : Pos 8, 1 Bit
+0x87c HighGraphicsPriority : Pos 9, 1 Bit
+0x87c CommitFailLogged : Pos 10, 1 Bit
+0x87c ReserveFailLogged : Pos 11, 1 Bit
+0x87c SystemProcess : Pos 12, 1 Bit
+0x87c HideImageBaseAddresses : Pos 13, 1 Bit
+0x87c AddressPolicyFrozen : Pos 14, 1 Bit
+0x87c ProcessFirstResume : Pos 15, 1 Bit
+0x87c ForegroundExternal : Pos 16, 1 Bit
+0x87c ForegroundSystem : Pos 17, 1 Bit
+0x87c HighMemoryPriority : Pos 18, 1 Bit
+0x87c EnableProcessSuspendResumeLogging : Pos 19, 1 Bit
+0x87c EnableThreadSuspendResumeLogging : Pos 20, 1 Bit
+0x87c SecurityDomainChanged : Pos 21, 1 Bit
+0x87c SecurityFreezeComplete : Pos 22, 1 Bit
+0x87c VmProcessorHost : Pos 23, 1 Bit
+0x87c VmProcessorHostTransition : Pos 24, 1 Bit
+0x87c AltSyscall : Pos 25, 1 Bit
+0x87c TimerResolutionIgnore : Pos 26, 1 Bit
+0x87c DisallowUserTerminate : Pos 27, 1 Bit
+0x880 DeviceAsid : Int4B
+0x888 SvmData : Ptr64
+0x890 SvmProcessLock : _EX_PUSH_LOCK
+0x000 Locked : Pos 0, 1 Bit
+0x000 Waiting : Pos 1, 1 Bit
+0x000 Waking : Pos 2, 1 Bit
+0x000 MultipleShared : Pos 3, 1 Bit
+0x000 Shared : Pos 4, 60 Bits
+0x000 Value : Uint8B
+0x000 Ptr : Ptr64
+0x898 SvmLock : Uint8B
+0x8a0 SvmProcessDeviceListHead : _LIST_ENTRY
+0x000 Flink : Ptr64
+0x008 Blink : Ptr64
+0x8b0 LastFreezeInterruptTime : Uint8B
+0x8b8 DiskCounters : Ptr64
+0x8c0 PicoContext : Ptr64
+0x8c8 EnclaveTable : Ptr64
+0x8d0 EnclaveNumber : Uint8B
+0x8d8 EnclaveLock : _EX_PUSH_LOCK
+0x000 Locked : Pos 0, 1 Bit
+0x000 Waiting : Pos 1, 1 Bit
+0x000 Waking : Pos 2, 1 Bit
+0x000 MultipleShared : Pos 3, 1 Bit
+0x000 Shared : Pos 4, 60 Bits
+0x000 Value : Uint8B
+0x000 Ptr : Ptr64
+0x8e0 HighPriorityFaultsAllowed : Uint4B
+0x8e8 EnergyContext : Ptr64
+0x8f0 VmContext : Ptr64
+0x8f8 SequenceNumber : Uint8B
+0x900 CreateInterruptTime : Uint8B
+0x908 CreateUnbiasedInterruptTime : Uint8B
+0x910 TotalUnbiasedFrozenTime : Uint8B
+0x918 LastAppStateUpdateTime : Uint8B
+0x920 LastAppStateUptime : Pos 0, 61 Bits
+0x920 LastAppState : Pos 61, 3 Bits
+0x928 SharedCommitCharge : Uint8B
+0x930 SharedCommitLock : _EX_PUSH_LOCK
+0x000 Locked : Pos 0, 1 Bit
+0x000 Waiting : Pos 1, 1 Bit
+0x000 Waking : Pos 2, 1 Bit
+0x000 MultipleShared : Pos 3, 1 Bit
+0x000 Shared : Pos 4, 60 Bits
+0x000 Value : Uint8B
+0x000 Ptr : Ptr64
+0x938 SharedCommitLinks : _LIST_ENTRY
+0x000 Flink : Ptr64
+0x008 Blink : Ptr64
+0x948 AllowedCpuSets : Uint8B
+0x950 DefaultCpuSets : Uint8B
+0x948 AllowedCpuSetsIndirect : Ptr64
+0x950 DefaultCpuSetsIndirect : Ptr64
+0x958 DiskIoAttribution : Ptr64
+0x960 DxgProcess : Ptr64
+0x968 Win32KFilterSet : Uint4B
+0x970 ProcessTimerDelay : _PS_INTERLOCKED_TIMER_DELAY_VALUES
+0x000 DelayMs : Pos 0, 30 Bits
+0x000 CoalescingWindowMs : Pos 30, 30 Bits
+0x000 Reserved : Pos 60, 1 Bit
+0x000 NewTimerWheel : Pos 61, 1 Bit
+0x000 Retry : Pos 62, 1 Bit
+0x000 Locked : Pos 63, 1 Bit
+0x000 All : Uint8B
+0x978 KTimerSets : Uint4B
+0x97c KTimer2Sets : Uint4B
+0x980 ThreadTimerSets : Uint4B
+0x988 VirtualTimerListLock : Uint8B
+0x990 VirtualTimerListHead : _LIST_ENTRY
+0x000 Flink : Ptr64
+0x008 Blink : Ptr64
+0x9a0 WakeChannel : _WNF_STATE_NAME
+0x000 Data : Uint4B
+0x9a0 WakeInfo : _PS_PROCESS_WAKE_INFORMATION
+0x000 NotificationChannel : Uint8B
+0x008 WakeCounters : Uint4B
+0x024 WakeFilter : _JOBOBJECT_WAKE_FILTER
+0x000 HighEdgeFilter : Uint4B
+0x004 LowEdgeFilter : Uint4B
+0x02c NoWakeCounter : Uint4B
+0x9d0 MitigationFlags : Uint4B
+0x9d0 MitigationFlagsValues : <anonymous-tag>
+0x000 ControlFlowGuardEnabled : Pos 0, 1 Bit
+0x000 ControlFlowGuardExportSuppressionEnabled : Pos 1, 1 Bit
+0x000 ControlFlowGuardStrict : Pos 2, 1 Bit
+0x000 DisallowStrippedImages : Pos 3, 1 Bit
+0x000 ForceRelocateImages : Pos 4, 1 Bit
+0x000 HighEntropyASLREnabled : Pos 5, 1 Bit
+0x000 StackRandomizationDisabled : Pos 6, 1 Bit
+0x000 ExtensionPointDisable : Pos 7, 1 Bit
+0x000 DisableDynamicCode : Pos 8, 1 Bit
+0x000 DisableDynamicCodeAllowOptOut : Pos 9, 1 Bit
+0x000 DisableDynamicCodeAllowRemoteDowngrade : Pos 10, 1 Bit
+0x000 AuditDisableDynamicCode : Pos 11, 1 Bit
+0x000 DisallowWin32kSystemCalls : Pos 12, 1 Bit
+0x000 AuditDisallowWin32kSystemCalls : Pos 13, 1 Bit
+0x000 EnableFilteredWin32kAPIs : Pos 14, 1 Bit
+0x000 AuditFilteredWin32kAPIs : Pos 15, 1 Bit
+0x000 DisableNonSystemFonts : Pos 16, 1 Bit
+0x000 AuditNonSystemFontLoading : Pos 17, 1 Bit
+0x000 PreferSystem32Images : Pos 18, 1 Bit
+0x000 ProhibitRemoteImageMap : Pos 19, 1 Bit
+0x000 AuditProhibitRemoteImageMap : Pos 20, 1 Bit
+0x000 ProhibitLowILImageMap : Pos 21, 1 Bit
+0x000 AuditProhibitLowILImageMap : Pos 22, 1 Bit
+0x000 SignatureMitigationOptIn : Pos 23, 1 Bit
+0x000 AuditBlockNonMicrosoftBinaries : Pos 24, 1 Bit
+0x000 AuditBlockNonMicrosoftBinariesAllowStore : Pos 25, 1 Bit
+0x000 LoaderIntegrityContinuityEnabled : Pos 26, 1 Bit
+0x000 AuditLoaderIntegrityContinuity : Pos 27, 1 Bit
+0x000 EnableModuleTamperingProtection : Pos 28, 1 Bit
+0x000 EnableModuleTamperingProtectionNoInherit : Pos 29, 1 Bit
+0x000 RestrictIndirectBranchPrediction : Pos 30, 1 Bit
+0x000 IsolateSecurityDomain : Pos 31, 1 Bit
+0x9d4 MitigationFlags2 : Uint4B
+0x9d4 MitigationFlags2Values : <anonymous-tag>
+0x000 EnableExportAddressFilter : Pos 0, 1 Bit
+0x000 AuditExportAddressFilter : Pos 1, 1 Bit
+0x000 EnableExportAddressFilterPlus : Pos 2, 1 Bit
+0x000 AuditExportAddressFilterPlus : Pos 3, 1 Bit
+0x000 EnableRopStackPivot : Pos 4, 1 Bit
+0x000 AuditRopStackPivot : Pos 5, 1 Bit
+0x000 EnableRopCallerCheck : Pos 6, 1 Bit
+0x000 AuditRopCallerCheck : Pos 7, 1 Bit
+0x000 EnableRopSimExec : Pos 8, 1 Bit
+0x000 AuditRopSimExec : Pos 9, 1 Bit
+0x000 EnableImportAddressFilter : Pos 10, 1 Bit
+0x000 AuditImportAddressFilter : Pos 11, 1 Bit
+0x000 DisablePageCombine : Pos 12, 1 Bit
+0x000 SpeculativeStoreBypassDisable : Pos 13, 1 Bit
+0x000 CetUserShadowStacks : Pos 14, 1 Bit
+0x000 AuditCetUserShadowStacks : Pos 15, 1 Bit
+0x000 AuditCetUserShadowStacksLogged : Pos 16, 1 Bit
+0x000 UserCetSetContextIpValidation : Pos 17, 1 Bit
+0x000 AuditUserCetSetContextIpValidation : Pos 18, 1 Bit
+0x000 AuditUserCetSetContextIpValidationLogged : Pos 19, 1 Bit
+0x9d8 PartitionObject : Ptr64
+0x9e0 SecurityDomain : Uint8B
+0x9e8 ParentSecurityDomain : Uint8B
+0x9f0 CoverageSamplerContext : Ptr64
+0x9f8 MmHotPatchContext : Ptr64
+0xa00 DynamicEHContinuationTargetsTree : _RTL_AVL_TREE
+0x000 Root : Ptr64
+0xa08 DynamicEHContinuationTargetsLock : _EX_PUSH_LOCK
+0x000 Locked : Pos 0, 1 Bit
+0x000 Waiting : Pos 1, 1 Bit
+0x000 Waking : Pos 2, 1 Bit
+0x000 MultipleShared : Pos 3, 1 Bit
+0x000 Shared : Pos 4, 60 Bits
+0x000 Value : Uint8B
+0x000 Ptr : Ptr64
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment