A forum for reverse engineering, OS internals and malware analysis 

Ask your beginner questions here.
 #16971  by xdeadcode
 Sun Dec 02, 2012 5:08 pm
Hi Tigzy,

To get range of workitem like in case of tdl family roots, just use RtlCaptureStackBackTrace() api + APC stuff to achieve that.

Best regards,
 #16973  by Tigzy
 Sun Dec 02, 2012 6:02 pm
Xdeadcode
Thanks for the tip
I'm not familiar with this, I guess the stack must be captured at a specific time. Here in a dummy work item queuing?
Do you have an example of usage?
 #16975  by xdeadcode
 Sun Dec 02, 2012 6:41 pm
Hi Tigzy,

Basically this method will be good for fighting with e.g TDL rootkit.

1. first localize all system process threads and queue APCs for it (I believe this is simple for you ZwQuerySystemInformation((SystemProcessInformation, ..) + PsLookupProcessByProcessId + check if system one + KeInitializeApc + KeInsertQueueApc
2. for grabbing stack you can use something like this:
Code: Select all
VOID GrabStackBackTraceKernelAPC(	PKAPC				pApc,
									PKNORMAL_ROUTINE	*pNormalRoutine,
									PVOID				*pNormalContext,
									PVOID				*pSystemArgument1,
									PVOID				*pSystemArgument2	)
{	
	MYApcRoutineContext		*pApcContext = 0;
	pApcContext		= (MYApcRoutineContext*)(*pSystemArgument1);

	if (0 != pApcContext)
	{
		pApcContext->m_ulNumberOfLevels = RtlCaptureStackBackTrace(MY_FRAMES_TO_SKIP, MY_FRAMES_TO_CAPTURE, pApcContext->m_pRetAddresses, NULL);
	}

	KeSetEvent(&eApcFinished, 0, FALSE);
}
3. Afterwards you need to parse this stack:
Code: Select all
//pseudocode
for each level in grabbed stack
		{
                 foreach loaded modules
                {
                         bFound = true;
                       if ( (ULONG_PTR)(pModuleList->a_Modules[ulModules].p_Base) >= (ULONG_PTR)rContext.m_pRetAddresses[usCounter] ||
					(ULONG_PTR)((ULONG_PTR)pModuleList->a_Modules[ulModules].p_Base + (ULONG_PTR)(pModuleList->a_Modules[ulModules].d_Size)) <= (ULONG_PTR)rContext.m_pRetAddresses[usCounter])
				{				
					bFound = false;
					break;
				}

               }

               if (!bFound)
               {
                 //you found something suspicious
               }

               }
This is not perfect and can be optimized and realized in complately different way, but should work
4. As I've stated before this is good for cases like TDL3 - in many cases (when thread is pushed to work item, system is performing work, thread is killed) in won;t be that easy to be done.


Best regards
 #16980  by xdeadcode
 Sun Dec 02, 2012 9:22 pm
Tigzy,

You do not need to pass ethread. First you need to localize all system threads, then for each one (of course you can filter some of them - it would be even expected) you will queue apc with your stack grabber, when you successfully grab stack - you will simply analyze it (outside apc). Apc is needed to grab stack (you are not sure that your code will be in context of system process right?).
When system creates work item queues (and work item itself) in ExpCreateWorkerThread() it uses PsCreateSystemThread() (which is available to you also) - difference is function that is executed that works on queues.


Best regards,
 #16982  by a_d_13
 Sun Dec 02, 2012 11:02 pm
Hello,

One other note: inside ETHREAD, there is a flag "ActiveExWorker", which shows whether the thread is a worker thread. You can enumerate all threads in the System process and check this flag, if you only want to capture backtraces for worker threads. Note: I have not checked this on Windows 8.

Thanks,
--AD
 #16985  by EP_X0FF
 Mon Dec 03, 2012 2:18 am
Tigzy wrote:Thanks.
But I don't make the link between worker thread and the APC queued. Should I pass the ETHREAD or something?
Sometimes I have a feeling that you never read the thread you are posting in. Ready for copy-paste solution posted as link on the first page.

Yes, ActiveExWorker in place. Below ETHREAD/EPROCESS from x64 win8 RTM.
Code: Select all
lkd> dt nt!_ETHREAD -b
   +0x000 Tcb              : _KTHREAD
      +0x000 Header           : _DISPATCHER_HEADER
         +0x000 Type             : UChar
         +0x001 TimerControlFlags : UChar
         +0x001 Absolute         : Pos 0, 1 Bit
         +0x001 Wake             : Pos 1, 1 Bit
         +0x001 EncodedTolerableDelay : Pos 2, 6 Bits
         +0x001 Abandoned        : UChar
         +0x001 Signalling       : UChar
         +0x002 ThreadControlFlags : UChar
         +0x002 CycleProfiling   : Pos 0, 1 Bit
         +0x002 CounterProfiling : Pos 1, 1 Bit
         +0x002 GroupScheduling  : Pos 2, 1 Bit
         +0x002 AffinitySet      : Pos 3, 1 Bit
         +0x002 Reserved         : Pos 4, 4 Bits
         +0x002 Hand             : UChar
         +0x002 Size             : UChar
         +0x003 TimerMiscFlags   : UChar
         +0x003 Index            : Pos 0, 6 Bits
         +0x003 Inserted         : Pos 6, 1 Bit
         +0x003 Expired          : Pos 7, 1 Bit
         +0x003 DebugActive      : UChar
         +0x003 ActiveDR7        : Pos 0, 1 Bit
         +0x003 Instrumented     : Pos 1, 1 Bit
         +0x003 Reserved2        : Pos 2, 4 Bits
         +0x003 UmsScheduled     : Pos 6, 1 Bit
         +0x003 UmsPrimary       : Pos 7, 1 Bit
         +0x003 DpcActive        : UChar
         +0x000 Lock             : Int4B
         +0x000 LockNV           : Int4B
         +0x004 SignalState      : Int4B
         +0x008 WaitListHead     : _LIST_ENTRY
            +0x000 Flink            : Ptr64 
            +0x008 Blink            : Ptr64 
      +0x018 SListFaultAddress : Ptr64 
      +0x020 QuantumTarget    : Uint8B
      +0x028 InitialStack     : Ptr64 
      +0x030 StackLimit       : Ptr64 
      +0x038 StackBase        : Ptr64 
      +0x040 ThreadLock       : Uint8B
      +0x048 CycleTime        : Uint8B
      +0x050 CurrentRunTime   : Uint4B
      +0x054 ExpectedRunTime  : Uint4B
      +0x058 KernelStack      : Ptr64 
      +0x060 StateSaveArea    : Ptr64 
      +0x068 SchedulingGroup  : Ptr64 
      +0x070 WaitRegister     : _KWAIT_STATUS_REGISTER
         +0x000 Flags            : UChar
         +0x000 State            : Pos 0, 2 Bits
         +0x000 Affinity         : Pos 2, 1 Bit
         +0x000 Priority         : Pos 3, 1 Bit
         +0x000 Apc              : Pos 4, 1 Bit
         +0x000 UserApc          : Pos 5, 1 Bit
         +0x000 Alert            : Pos 6, 1 Bit
         +0x000 Unused           : Pos 7, 1 Bit
      +0x071 Running          : UChar
      +0x072 Alerted          : UChar
      +0x074 KernelStackResident : Pos 0, 1 Bit
      +0x074 ReadyTransition  : Pos 1, 1 Bit
      +0x074 ProcessReadyQueue : Pos 2, 1 Bit
      +0x074 WaitNext         : Pos 3, 1 Bit
      +0x074 SystemAffinityActive : Pos 4, 1 Bit
      +0x074 Alertable        : Pos 5, 1 Bit
      +0x074 CodePatchInProgress : Pos 6, 1 Bit
      +0x074 UserStackWalkActive : Pos 7, 1 Bit
      +0x074 ApcInterruptRequest : Pos 8, 1 Bit
      +0x074 QuantumEndMigrate : Pos 9, 1 Bit
      +0x074 UmsDirectedSwitchEnable : Pos 10, 1 Bit
      +0x074 TimerActive      : Pos 11, 1 Bit
      +0x074 SystemThread     : Pos 12, 1 Bit
      +0x074 ProcessDetachActive : Pos 13, 1 Bit
      +0x074 CalloutActive    : Pos 14, 1 Bit
      +0x074 ScbReadyQueue    : Pos 15, 1 Bit
      +0x074 ApcQueueable     : Pos 16, 1 Bit
      +0x074 ReservedStackInUse : Pos 17, 1 Bit
      +0x074 UmsPerformingSyscall : Pos 18, 1 Bit
      +0x074 Reserved         : Pos 19, 13 Bits
      +0x074 MiscFlags        : Int4B
      +0x078 AutoAlignment    : Pos 0, 1 Bit
      +0x078 DisableBoost     : Pos 1, 1 Bit
      +0x078 UserAffinitySet  : Pos 2, 1 Bit
      +0x078 AlertedByThreadId : Pos 3, 1 Bit
      +0x078 QuantumDonation  : Pos 4, 1 Bit
      +0x078 EnableStackSwap  : Pos 5, 1 Bit
      +0x078 GuiThread        : Pos 6, 1 Bit
      +0x078 DisableQuantum   : Pos 7, 1 Bit
      +0x078 ChargeOnlyGroup  : Pos 8, 1 Bit
      +0x078 DeferPreemption  : Pos 9, 1 Bit
      +0x078 QueueDeferPreemption : Pos 10, 1 Bit
      +0x078 ForceDeferSchedule : Pos 11, 1 Bit
      +0x078 ExplicitIdealProcessor : Pos 12, 1 Bit
      +0x078 FreezeCount      : Pos 13, 1 Bit
      +0x078 EtwStackTraceApcInserted : Pos 14, 8 Bits
      +0x078 ReservedFlags    : Pos 22, 10 Bits
      +0x078 ThreadFlags      : Int4B
      +0x07c Spare0           : Uint4B
      +0x080 SystemCallNumber : Uint4B
      +0x084 Spare1           : Uint4B
      +0x088 FirstArgument    : Ptr64 
      +0x090 TrapFrame        : Ptr64 
      +0x098 ApcState         : _KAPC_STATE
         +0x000 ApcListHead      : _LIST_ENTRY
            +0x000 Flink            : Ptr64 
            +0x008 Blink            : Ptr64 
         +0x020 Process          : Ptr64 
         +0x028 KernelApcInProgress : UChar
         +0x029 KernelApcPending : UChar
         +0x02a UserApcPending   : UChar
      +0x098 ApcStateFill     : UChar
      +0x0c3 Priority         : Char
      +0x0c4 UserIdealProcessor : Uint4B
      +0x0c8 WaitStatus       : Int8B
      +0x0d0 WaitBlockList    : Ptr64 
      +0x0d8 WaitListEntry    : _LIST_ENTRY
         +0x000 Flink            : Ptr64 
         +0x008 Blink            : Ptr64 
      +0x0d8 SwapListEntry    : _SINGLE_LIST_ENTRY
         +0x000 Next             : Ptr64 
      +0x0e8 Queue            : Ptr64 
      +0x0f0 Teb              : Ptr64 
      +0x0f8 RelativeTimerBias : Uint8B
      +0x100 Timer            : _KTIMER
         +0x000 Header           : _DISPATCHER_HEADER
            +0x000 Type             : UChar
            +0x001 TimerControlFlags : UChar
            +0x001 Absolute         : Pos 0, 1 Bit
            +0x001 Wake             : Pos 1, 1 Bit
            +0x001 EncodedTolerableDelay : Pos 2, 6 Bits
            +0x001 Abandoned        : UChar
            +0x001 Signalling       : UChar
            +0x002 ThreadControlFlags : UChar
            +0x002 CycleProfiling   : Pos 0, 1 Bit
            +0x002 CounterProfiling : Pos 1, 1 Bit
            +0x002 GroupScheduling  : Pos 2, 1 Bit
            +0x002 AffinitySet      : Pos 3, 1 Bit
            +0x002 Reserved         : Pos 4, 4 Bits
            +0x002 Hand             : UChar
            +0x002 Size             : UChar
            +0x003 TimerMiscFlags   : UChar
            +0x003 Index            : Pos 0, 6 Bits
            +0x003 Inserted         : Pos 6, 1 Bit
            +0x003 Expired          : Pos 7, 1 Bit
            +0x003 DebugActive      : UChar
            +0x003 ActiveDR7        : Pos 0, 1 Bit
            +0x003 Instrumented     : Pos 1, 1 Bit
            +0x003 Reserved2        : Pos 2, 4 Bits
            +0x003 UmsScheduled     : Pos 6, 1 Bit
            +0x003 UmsPrimary       : Pos 7, 1 Bit
            +0x003 DpcActive        : UChar
            +0x000 Lock             : Int4B
            +0x000 LockNV           : Int4B
            +0x004 SignalState      : Int4B
            +0x008 WaitListHead     : _LIST_ENTRY
               +0x000 Flink            : Ptr64 
               +0x008 Blink            : Ptr64 
         +0x018 DueTime          : _ULARGE_INTEGER
            +0x000 LowPart          : Uint4B
            +0x004 HighPart         : Uint4B
            +0x000 u                : <unnamed-tag>
               +0x000 LowPart          : Uint4B
               +0x004 HighPart         : Uint4B
            +0x000 QuadPart         : Uint8B
         +0x020 TimerListEntry   : _LIST_ENTRY
            +0x000 Flink            : Ptr64 
            +0x008 Blink            : Ptr64 
         +0x030 Dpc              : Ptr64 
         +0x038 Processor        : Uint4B
         +0x03c Period           : Uint4B
      +0x140 WaitBlock        : _KWAIT_BLOCK
         +0x000 WaitListEntry    : _LIST_ENTRY
            +0x000 Flink            : Ptr64 
            +0x008 Blink            : Ptr64 
         +0x010 WaitType         : UChar
         +0x011 BlockState       : UChar
         +0x012 WaitKey          : Uint2B
         +0x014 SpareLong        : Int4B
         +0x018 Thread           : Ptr64 
         +0x018 NotificationQueue : Ptr64 
         +0x020 Object           : Ptr64 
         +0x028 SparePtr         : Ptr64 
      +0x140 WaitBlockFill4   : UChar
      +0x154 ContextSwitches  : Uint4B
      +0x140 WaitBlockFill5   : UChar
      +0x184 State            : UChar
      +0x185 NpxState         : Char
      +0x186 WaitIrql         : UChar
      +0x187 WaitMode         : Char
      +0x140 WaitBlockFill6   : UChar
      +0x1b4 WaitTime         : Uint4B
      +0x140 WaitBlockFill7   : UChar
      +0x1e4 KernelApcDisable : Int2B
      +0x1e6 SpecialApcDisable : Int2B
      +0x1e4 CombinedApcDisable : Uint4B
      +0x140 WaitBlockFill8   : UChar
      +0x168 ThreadCounters   : Ptr64 
      +0x140 WaitBlockFill9   : UChar
      +0x198 XStateSave       : Ptr64 
      +0x140 WaitBlockFill10  : UChar
      +0x1c8 Win32Thread      : Ptr64 
      +0x140 WaitBlockFill11  : UChar
      +0x1f0 Ucb              : Ptr64 
      +0x1f8 Uch              : Ptr64 
      +0x200 TebMappedLowVa   : Ptr64 
      +0x208 QueueListEntry   : _LIST_ENTRY
         +0x000 Flink            : Ptr64 
         +0x008 Blink            : Ptr64 
      +0x218 NextProcessor    : Uint4B
      +0x21c DeferredProcessor : Uint4B
      +0x220 Process          : Ptr64 
      +0x228 UserAffinity     : _GROUP_AFFINITY
         +0x000 Mask             : Uint8B
         +0x008 Group            : Uint2B
         +0x00a Reserved         : Uint2B
      +0x228 UserAffinityFill : UChar
      +0x232 PreviousMode     : Char
      +0x233 BasePriority     : Char
      +0x234 PriorityDecrement : Char
      +0x234 ForegroundBoost  : Pos 0, 4 Bits
      +0x234 UnusualBoost     : Pos 4, 4 Bits
      +0x235 Preempted        : UChar
      +0x236 AdjustReason     : UChar
      +0x237 AdjustIncrement  : Char
      +0x238 Affinity         : _GROUP_AFFINITY
         +0x000 Mask             : Uint8B
         +0x008 Group            : Uint2B
         +0x00a Reserved         : Uint2B
      +0x238 AffinityFill     : UChar
      +0x242 ApcStateIndex    : UChar
      +0x243 WaitBlockCount   : UChar
      +0x244 IdealProcessor   : Uint4B
      +0x248 ApcStatePointer  : Ptr64 
      +0x258 SavedApcState    : _KAPC_STATE
         +0x000 ApcListHead      : _LIST_ENTRY
            +0x000 Flink            : Ptr64 
            +0x008 Blink            : Ptr64 
         +0x020 Process          : Ptr64 
         +0x028 KernelApcInProgress : UChar
         +0x029 KernelApcPending : UChar
         +0x02a UserApcPending   : UChar
      +0x258 SavedApcStateFill : UChar
      +0x283 WaitReason       : UChar
      +0x284 SuspendCount     : Char
      +0x285 Saturation       : Char
      +0x286 SListFaultCount  : Uint2B
      +0x288 SchedulerApc     : _KAPC
         +0x000 Type             : UChar
         +0x001 SpareByte0       : UChar
         +0x002 Size             : UChar
         +0x003 SpareByte1       : UChar
         +0x004 SpareLong0       : Uint4B
         +0x008 Thread           : Ptr64 
         +0x010 ApcListEntry     : _LIST_ENTRY
            +0x000 Flink            : Ptr64 
            +0x008 Blink            : Ptr64 
         +0x020 KernelRoutine    : Ptr64 
         +0x028 RundownRoutine   : Ptr64 
         +0x030 NormalRoutine    : Ptr64 
         +0x020 Reserved         : Ptr64 
         +0x038 NormalContext    : Ptr64 
         +0x040 SystemArgument1  : Ptr64 
         +0x048 SystemArgument2  : Ptr64 
         +0x050 ApcStateIndex    : Char
         +0x051 ApcMode          : Char
         +0x052 Inserted         : UChar
      +0x288 SchedulerApcFill0 : UChar
      +0x289 ResourceIndex    : UChar
      +0x288 SchedulerApcFill1 : UChar
      +0x28b QuantumReset     : UChar
      +0x288 SchedulerApcFill2 : UChar
      +0x28c KernelTime       : Uint4B
      +0x288 SchedulerApcFill3 : UChar
      +0x2c8 WaitPrcb         : Ptr64 
      +0x288 SchedulerApcFill4 : UChar
      +0x2d0 LegoData         : Ptr64 
      +0x288 SchedulerApcFill5 : UChar
      +0x2db CallbackNestingLevel : UChar
      +0x2dc UserTime         : Uint4B
      +0x2e0 SuspendEvent     : _KEVENT
         +0x000 Header           : _DISPATCHER_HEADER
            +0x000 Type             : UChar
            +0x001 TimerControlFlags : UChar
            +0x001 Absolute         : Pos 0, 1 Bit
            +0x001 Wake             : Pos 1, 1 Bit
            +0x001 EncodedTolerableDelay : Pos 2, 6 Bits
            +0x001 Abandoned        : UChar
            +0x001 Signalling       : UChar
            +0x002 ThreadControlFlags : UChar
            +0x002 CycleProfiling   : Pos 0, 1 Bit
            +0x002 CounterProfiling : Pos 1, 1 Bit
            +0x002 GroupScheduling  : Pos 2, 1 Bit
            +0x002 AffinitySet      : Pos 3, 1 Bit
            +0x002 Reserved         : Pos 4, 4 Bits
            +0x002 Hand             : UChar
            +0x002 Size             : UChar
            +0x003 TimerMiscFlags   : UChar
            +0x003 Index            : Pos 0, 6 Bits
            +0x003 Inserted         : Pos 6, 1 Bit
            +0x003 Expired          : Pos 7, 1 Bit
            +0x003 DebugActive      : UChar
            +0x003 ActiveDR7        : Pos 0, 1 Bit
            +0x003 Instrumented     : Pos 1, 1 Bit
            +0x003 Reserved2        : Pos 2, 4 Bits
            +0x003 UmsScheduled     : Pos 6, 1 Bit
            +0x003 UmsPrimary       : Pos 7, 1 Bit
            +0x003 DpcActive        : UChar
            +0x000 Lock             : Int4B
            +0x000 LockNV           : Int4B
            +0x004 SignalState      : Int4B
            +0x008 WaitListHead     : _LIST_ENTRY
               +0x000 Flink            : Ptr64 
               +0x008 Blink            : Ptr64 
      +0x2f8 ThreadListEntry  : _LIST_ENTRY
         +0x000 Flink            : Ptr64 
         +0x008 Blink            : Ptr64 
      +0x308 MutantListHead   : _LIST_ENTRY
         +0x000 Flink            : Ptr64 
         +0x008 Blink            : Ptr64 
      +0x318 ReadOperationCount : Int8B
      +0x320 WriteOperationCount : Int8B
      +0x328 OtherOperationCount : Int8B
      +0x330 ReadTransferCount : Int8B
      +0x338 WriteTransferCount : Int8B
      +0x340 OtherTransferCount : Int8B
   +0x348 CreateTime       : _LARGE_INTEGER
      +0x000 LowPart          : Uint4B
      +0x004 HighPart         : Int4B
      +0x000 u                : <unnamed-tag>
         +0x000 LowPart          : Uint4B
         +0x004 HighPart         : Int4B
      +0x000 QuadPart         : Int8B
   +0x350 ExitTime         : _LARGE_INTEGER
      +0x000 LowPart          : Uint4B
      +0x004 HighPart         : Int4B
      +0x000 u                : <unnamed-tag>
         +0x000 LowPart          : Uint4B
         +0x004 HighPart         : Int4B
      +0x000 QuadPart         : Int8B
   +0x350 KeyedWaitChain   : _LIST_ENTRY
      +0x000 Flink            : Ptr64 
      +0x008 Blink            : Ptr64 
   +0x360 ChargeOnlySession : Ptr64 
   +0x368 PostBlockList    : _LIST_ENTRY
      +0x000 Flink            : Ptr64 
      +0x008 Blink            : Ptr64 
   +0x368 ForwardLinkShadow : Ptr64 
   +0x370 StartAddress     : Ptr64 
   +0x378 TerminationPort  : Ptr64 
   +0x378 ReaperLink       : Ptr64 
   +0x378 KeyedWaitValue   : Ptr64 
   +0x380 ActiveTimerListLock : Uint8B
   +0x388 ActiveTimerListHead : _LIST_ENTRY
      +0x000 Flink            : Ptr64 
      +0x008 Blink            : Ptr64 
   +0x398 Cid              : _CLIENT_ID
      +0x000 UniqueProcess    : Ptr64 
      +0x008 UniqueThread     : Ptr64 
   +0x3a8 KeyedWaitSemaphore : _KSEMAPHORE
      +0x000 Header           : _DISPATCHER_HEADER
         +0x000 Type             : UChar
         +0x001 TimerControlFlags : UChar
         +0x001 Absolute         : Pos 0, 1 Bit
         +0x001 Wake             : Pos 1, 1 Bit
         +0x001 EncodedTolerableDelay : Pos 2, 6 Bits
         +0x001 Abandoned        : UChar
         +0x001 Signalling       : UChar
         +0x002 ThreadControlFlags : UChar
         +0x002 CycleProfiling   : Pos 0, 1 Bit
         +0x002 CounterProfiling : Pos 1, 1 Bit
         +0x002 GroupScheduling  : Pos 2, 1 Bit
         +0x002 AffinitySet      : Pos 3, 1 Bit
         +0x002 Reserved         : Pos 4, 4 Bits
         +0x002 Hand             : UChar
         +0x002 Size             : UChar
         +0x003 TimerMiscFlags   : UChar
         +0x003 Index            : Pos 0, 6 Bits
         +0x003 Inserted         : Pos 6, 1 Bit
         +0x003 Expired          : Pos 7, 1 Bit
         +0x003 DebugActive      : UChar
         +0x003 ActiveDR7        : Pos 0, 1 Bit
         +0x003 Instrumented     : Pos 1, 1 Bit
         +0x003 Reserved2        : Pos 2, 4 Bits
         +0x003 UmsScheduled     : Pos 6, 1 Bit
         +0x003 UmsPrimary       : Pos 7, 1 Bit
         +0x003 DpcActive        : UChar
         +0x000 Lock             : Int4B
         +0x000 LockNV           : Int4B
         +0x004 SignalState      : Int4B
         +0x008 WaitListHead     : _LIST_ENTRY
            +0x000 Flink            : Ptr64 
            +0x008 Blink            : Ptr64 
      +0x018 Limit            : Int4B
   +0x3a8 AlpcWaitSemaphore : _KSEMAPHORE
      +0x000 Header           : _DISPATCHER_HEADER
         +0x000 Type             : UChar
         +0x001 TimerControlFlags : UChar
         +0x001 Absolute         : Pos 0, 1 Bit
         +0x001 Wake             : Pos 1, 1 Bit
         +0x001 EncodedTolerableDelay : Pos 2, 6 Bits
         +0x001 Abandoned        : UChar
         +0x001 Signalling       : UChar
         +0x002 ThreadControlFlags : UChar
         +0x002 CycleProfiling   : Pos 0, 1 Bit
         +0x002 CounterProfiling : Pos 1, 1 Bit
         +0x002 GroupScheduling  : Pos 2, 1 Bit
         +0x002 AffinitySet      : Pos 3, 1 Bit
         +0x002 Reserved         : Pos 4, 4 Bits
         +0x002 Hand             : UChar
         +0x002 Size             : UChar
         +0x003 TimerMiscFlags   : UChar
         +0x003 Index            : Pos 0, 6 Bits
         +0x003 Inserted         : Pos 6, 1 Bit
         +0x003 Expired          : Pos 7, 1 Bit
         +0x003 DebugActive      : UChar
         +0x003 ActiveDR7        : Pos 0, 1 Bit
         +0x003 Instrumented     : Pos 1, 1 Bit
         +0x003 Reserved2        : Pos 2, 4 Bits
         +0x003 UmsScheduled     : Pos 6, 1 Bit
         +0x003 UmsPrimary       : Pos 7, 1 Bit
         +0x003 DpcActive        : UChar
         +0x000 Lock             : Int4B
         +0x000 LockNV           : Int4B
         +0x004 SignalState      : Int4B
         +0x008 WaitListHead     : _LIST_ENTRY
            +0x000 Flink            : Ptr64 
            +0x008 Blink            : Ptr64 
      +0x018 Limit            : Int4B
   +0x3c8 ClientSecurity   : _PS_CLIENT_SECURITY_CONTEXT
      +0x000 ImpersonationData : Uint8B
      +0x000 ImpersonationToken : Ptr64 
      +0x000 ImpersonationLevel : Pos 0, 2 Bits
      +0x000 EffectiveOnly    : Pos 2, 1 Bit
   +0x3d0 IrpList          : _LIST_ENTRY
      +0x000 Flink            : Ptr64 
      +0x008 Blink            : Ptr64 
   +0x3e0 TopLevelIrp      : Uint8B
   +0x3e8 DeviceToVerify   : Ptr64 
   +0x3f0 Win32StartAddress : Ptr64 
   +0x3f8 LegacyPowerObject : Ptr64 
   +0x400 ThreadListEntry  : _LIST_ENTRY
      +0x000 Flink            : Ptr64 
      +0x008 Blink            : Ptr64 
   +0x410 RundownProtect   : _EX_RUNDOWN_REF
      +0x000 Count            : Uint8B
      +0x000 Ptr              : Ptr64 
   +0x418 ThreadLock       : _EX_PUSH_LOCK
      +0x000 Locked           : Pos 0, 1 Bit
      +0x000 Waiting          : Pos 1, 1 Bit
      +0x000 Waking           : Pos 2, 1 Bit
      +0x000 MultipleShared   : Pos 3, 1 Bit
      +0x000 Shared           : Pos 4, 60 Bits
      +0x000 Value            : Uint8B
      +0x000 Ptr              : Ptr64 
   +0x420 ReadClusterSize  : Uint4B
   +0x424 MmLockOrdering   : Int4B
   +0x428 CmLockOrdering   : Int4B
   +0x42c CrossThreadFlags : Uint4B
   +0x42c Terminated       : Pos 0, 1 Bit
   +0x42c ThreadInserted   : Pos 1, 1 Bit
   +0x42c HideFromDebugger : Pos 2, 1 Bit
   +0x42c ActiveImpersonationInfo : Pos 3, 1 Bit
   +0x42c HardErrorsAreDisabled : Pos 4, 1 Bit
   +0x42c BreakOnTermination : Pos 5, 1 Bit
   +0x42c SkipCreationMsg  : Pos 6, 1 Bit
   +0x42c SkipTerminationMsg : Pos 7, 1 Bit
   +0x42c CopyTokenOnOpen  : Pos 8, 1 Bit
   +0x42c ThreadIoPriority : Pos 9, 3 Bits
   +0x42c ThreadPagePriority : Pos 12, 3 Bits
   +0x42c RundownFail      : Pos 15, 1 Bit
   +0x42c UmsForceQueueTermination : Pos 16, 1 Bit
   +0x42c ReservedCrossThreadFlags : Pos 17, 15 Bits
   +0x430 SameThreadPassiveFlags : Uint4B
   +0x430 ActiveExWorker   : Pos 0, 1 Bit
   +0x430 MemoryMaker      : Pos 1, 1 Bit
   +0x430 ClonedThread     : Pos 2, 1 Bit
   +0x430 KeyedEventInUse  : Pos 3, 1 Bit
   +0x430 SelfTerminate    : Pos 4, 1 Bit
   +0x434 SameThreadApcFlags : Uint4B
   +0x434 Spare            : Pos 0, 1 Bit
   +0x434 StartAddressInvalid : Pos 1, 1 Bit
   +0x434 EtwCalloutActive : Pos 2, 1 Bit
   +0x434 OwnsProcessWorkingSetExclusive : Pos 3, 1 Bit
   +0x434 OwnsProcessWorkingSetShared : Pos 4, 1 Bit
   +0x434 OwnsSystemCacheWorkingSetExclusive : Pos 5, 1 Bit
   +0x434 OwnsSystemCacheWorkingSetShared : Pos 6, 1 Bit
   +0x434 OwnsSessionWorkingSetExclusive : Pos 7, 1 Bit
   +0x435 OwnsSessionWorkingSetShared : Pos 0, 1 Bit
   +0x435 OwnsProcessAddressSpaceExclusive : Pos 1, 1 Bit
   +0x435 OwnsProcessAddressSpaceShared : Pos 2, 1 Bit
   +0x435 SuppressSymbolLoad : Pos 3, 1 Bit
   +0x435 Prefetching      : Pos 4, 1 Bit
   +0x435 OwnsVadExclusive : Pos 5, 1 Bit
   +0x435 OwnsChangeControlAreaExclusive : Pos 6, 1 Bit
   +0x435 OwnsChangeControlAreaShared : Pos 7, 1 Bit
   +0x436 OwnsPagedPoolWorkingSetExclusive : Pos 0, 1 Bit
   +0x436 OwnsPagedPoolWorkingSetShared : Pos 1, 1 Bit
   +0x436 OwnsSystemPtesWorkingSetExclusive : Pos 2, 1 Bit
   +0x436 OwnsSystemPtesWorkingSetShared : Pos 3, 1 Bit
   +0x436 TrimTrigger      : Pos 4, 2 Bits
   +0x436 Spare2           : Pos 6, 2 Bits
   +0x437 PriorityRegionActive : UChar
   +0x438 CacheManagerActive : UChar
   +0x439 DisablePageFaultClustering : UChar
   +0x43a ActiveFaultCount : UChar
   +0x43b LockOrderState   : UChar
   +0x440 AlpcMessageId    : Uint8B
   +0x448 AlpcMessage      : Ptr64 
   +0x448 AlpcReceiveAttributeSet : Uint4B
   +0x450 ExitStatus       : Int4B
   +0x458 AlpcWaitListEntry : _LIST_ENTRY
      +0x000 Flink            : Ptr64 
      +0x008 Blink            : Ptr64 
   +0x468 CacheManagerCount : Uint4B
   +0x46c IoBoostCount     : Uint4B
   +0x470 BoostList        : _LIST_ENTRY
      +0x000 Flink            : Ptr64 
      +0x008 Blink            : Ptr64 
   +0x480 DeboostList      : _LIST_ENTRY
      +0x000 Flink            : Ptr64 
      +0x008 Blink            : Ptr64 
   +0x490 BoostListLock    : Uint8B
   +0x498 IrpListLock      : Uint8B
   +0x4a0 ReservedForSynchTracking : Ptr64 
   +0x4a8 CmCallbackListHead : _SINGLE_LIST_ENTRY
      +0x000 Next             : Ptr64 
   +0x4b0 ActivityId       : Ptr64 
   +0x4b8 WnfContext       : Ptr64 
   +0x4c0 KernelStackReference : Uint4B
lkd> dt nt!_EPROCESS -b
   +0x000 Pcb              : _KPROCESS
      +0x000 Header           : _DISPATCHER_HEADER
         +0x000 Type             : UChar
         +0x001 TimerControlFlags : UChar
         +0x001 Absolute         : Pos 0, 1 Bit
         +0x001 Wake             : Pos 1, 1 Bit
         +0x001 EncodedTolerableDelay : Pos 2, 6 Bits
         +0x001 Abandoned        : UChar
         +0x001 Signalling       : UChar
         +0x002 ThreadControlFlags : UChar
         +0x002 CycleProfiling   : Pos 0, 1 Bit
         +0x002 CounterProfiling : Pos 1, 1 Bit
         +0x002 GroupScheduling  : Pos 2, 1 Bit
         +0x002 AffinitySet      : Pos 3, 1 Bit
         +0x002 Reserved         : Pos 4, 4 Bits
         +0x002 Hand             : UChar
         +0x002 Size             : UChar
         +0x003 TimerMiscFlags   : UChar
         +0x003 Index            : Pos 0, 6 Bits
         +0x003 Inserted         : Pos 6, 1 Bit
         +0x003 Expired          : Pos 7, 1 Bit
         +0x003 DebugActive      : UChar
         +0x003 ActiveDR7        : Pos 0, 1 Bit
         +0x003 Instrumented     : Pos 1, 1 Bit
         +0x003 Reserved2        : Pos 2, 4 Bits
         +0x003 UmsScheduled     : Pos 6, 1 Bit
         +0x003 UmsPrimary       : Pos 7, 1 Bit
         +0x003 DpcActive        : UChar
         +0x000 Lock             : Int4B
         +0x000 LockNV           : Int4B
         +0x004 SignalState      : Int4B
         +0x008 WaitListHead     : _LIST_ENTRY
            +0x000 Flink            : Ptr64 
            +0x008 Blink            : Ptr64 
      +0x018 ProfileListHead  : _LIST_ENTRY
         +0x000 Flink            : Ptr64 
         +0x008 Blink            : Ptr64 
      +0x028 DirectoryTableBase : Uint8B
      +0x030 ThreadListHead   : _LIST_ENTRY
         +0x000 Flink            : Ptr64 
         +0x008 Blink            : Ptr64 
      +0x040 ProcessLock      : Uint4B
      +0x044 Spare0           : Uint4B
      +0x048 Affinity         : _KAFFINITY_EX
         +0x000 Count            : Uint2B
         +0x002 Size             : Uint2B
         +0x004 Reserved         : Uint4B
         +0x008 Bitmap           : Uint8B
      +0x0f0 ReadyListHead    : _LIST_ENTRY
         +0x000 Flink            : Ptr64 
         +0x008 Blink            : Ptr64 
      +0x100 SwapListEntry    : _SINGLE_LIST_ENTRY
         +0x000 Next             : Ptr64 
      +0x108 ActiveProcessors : _KAFFINITY_EX
         +0x000 Count            : Uint2B
         +0x002 Size             : Uint2B
         +0x004 Reserved         : Uint4B
         +0x008 Bitmap           : Uint8B
      +0x1b0 AutoAlignment    : Pos 0, 1 Bit
      +0x1b0 DisableBoost     : Pos 1, 1 Bit
      +0x1b0 DisableQuantum   : Pos 2, 1 Bit
      +0x1b0 AffinitySet      : Pos 3, 1 Bit
      +0x1b0 DeepFreeze       : Pos 4, 1 Bit
      +0x1b0 TimerVirtualization : Pos 5, 1 Bit
      +0x1b0 ActiveGroupsMask : Pos 6, 20 Bits
      +0x1b0 ReservedFlags    : Pos 26, 6 Bits
      +0x1b0 ProcessFlags     : Int4B
      +0x1b4 BasePriority     : Char
      +0x1b5 QuantumReset     : Char
      +0x1b6 Visited          : UChar
      +0x1b7 Flags            : _KEXECUTE_OPTIONS
         +0x000 ExecuteDisable   : Pos 0, 1 Bit
         +0x000 ExecuteEnable    : Pos 1, 1 Bit
         +0x000 DisableThunkEmulation : Pos 2, 1 Bit
         +0x000 Permanent        : Pos 3, 1 Bit
         +0x000 ExecuteDispatchEnable : Pos 4, 1 Bit
         +0x000 ImageDispatchEnable : Pos 5, 1 Bit
         +0x000 DisableExceptionChainValidation : Pos 6, 1 Bit
         +0x000 Spare            : Pos 7, 1 Bit
         +0x000 ExecuteOptions   : UChar
         +0x000 ExecuteOptionsNV : UChar
      +0x1b8 ThreadSeed       : Uint4B
      +0x208 IdealNode        : Uint2B
      +0x230 IdealGlobalNode  : Uint2B
      +0x232 Spare1           : Uint2B
      +0x234 StackCount       : _KSTACK_COUNT
         +0x000 Value            : Int4B
         +0x000 State            : Pos 0, 3 Bits
         +0x000 StackCount       : Pos 3, 29 Bits
      +0x238 ProcessListEntry : _LIST_ENTRY
         +0x000 Flink            : Ptr64 
         +0x008 Blink            : Ptr64 
      +0x248 CycleTime        : Uint8B
      +0x250 ContextSwitches  : Uint8B
      +0x258 SchedulingGroup  : Ptr64 
      +0x260 FreezeCount      : Uint4B
      +0x264 KernelTime       : Uint4B
      +0x268 UserTime         : Uint4B
      +0x26c LdtFreeSelectorHint : Uint2B
      +0x26e LdtTableLength   : Uint2B
      +0x270 LdtSystemDescriptor : _KGDTENTRY64
         +0x000 LimitLow         : Uint2B
         +0x002 BaseLow          : Uint2B
         +0x004 Bytes            : <unnamed-tag>
            +0x000 BaseMiddle       : UChar
            +0x001 Flags1           : UChar
            +0x002 Flags2           : UChar
            +0x003 BaseHigh         : UChar
         +0x004 Bits             : <unnamed-tag>
            +0x000 BaseMiddle       : Pos 0, 8 Bits
            +0x000 Type             : Pos 8, 5 Bits
            +0x000 Dpl              : Pos 13, 2 Bits
            +0x000 Present          : Pos 15, 1 Bit
            +0x000 LimitHigh        : Pos 16, 4 Bits
            +0x000 System           : Pos 20, 1 Bit
            +0x000 LongMode         : Pos 21, 1 Bit
            +0x000 DefaultBig       : Pos 22, 1 Bit
            +0x000 Granularity      : Pos 23, 1 Bit
            +0x000 BaseHigh         : Pos 24, 8 Bits
         +0x008 BaseUpper        : Uint4B
         +0x00c MustBeZero       : Uint4B
         +0x000 DataLow          : Int8B
         +0x008 DataHigh         : Int8B
      +0x280 LdtBaseAddress   : Ptr64 
      +0x288 LdtProcessLock   : _FAST_MUTEX
         +0x000 Count            : Int4B
         +0x008 Owner            : Ptr64 
         +0x010 Contention       : Uint4B
         +0x018 Event            : _KEVENT
            +0x000 Header           : _DISPATCHER_HEADER
               +0x000 Type             : UChar
               +0x001 TimerControlFlags : UChar
               +0x001 Absolute         : Pos 0, 1 Bit
               +0x001 Wake             : Pos 1, 1 Bit
               +0x001 EncodedTolerableDelay : Pos 2, 6 Bits
               +0x001 Abandoned        : UChar
               +0x001 Signalling       : UChar
               +0x002 ThreadControlFlags : UChar
               +0x002 CycleProfiling   : Pos 0, 1 Bit
               +0x002 CounterProfiling : Pos 1, 1 Bit
               +0x002 GroupScheduling  : Pos 2, 1 Bit
               +0x002 AffinitySet      : Pos 3, 1 Bit
               +0x002 Reserved         : Pos 4, 4 Bits
               +0x002 Hand             : UChar
               +0x002 Size             : UChar
               +0x003 TimerMiscFlags   : UChar
               +0x003 Index            : Pos 0, 6 Bits
               +0x003 Inserted         : Pos 6, 1 Bit
               +0x003 Expired          : Pos 7, 1 Bit
               +0x003 DebugActive      : UChar
               +0x003 ActiveDR7        : Pos 0, 1 Bit
               +0x003 Instrumented     : Pos 1, 1 Bit
               +0x003 Reserved2        : Pos 2, 4 Bits
               +0x003 UmsScheduled     : Pos 6, 1 Bit
               +0x003 UmsPrimary       : Pos 7, 1 Bit
               +0x003 DpcActive        : UChar
               +0x000 Lock             : Int4B
               +0x000 LockNV           : Int4B
               +0x004 SignalState      : Int4B
               +0x008 WaitListHead     : _LIST_ENTRY
                  +0x000 Flink            : Ptr64 
                  +0x008 Blink            : Ptr64 
         +0x030 OldIrql          : Uint4B
      +0x2c0 InstrumentationCallback : Ptr64 
   +0x2c8 ProcessLock      : _EX_PUSH_LOCK
      +0x000 Locked           : Pos 0, 1 Bit
      +0x000 Waiting          : Pos 1, 1 Bit
      +0x000 Waking           : Pos 2, 1 Bit
      +0x000 MultipleShared   : Pos 3, 1 Bit
      +0x000 Shared           : Pos 4, 60 Bits
      +0x000 Value            : Uint8B
      +0x000 Ptr              : Ptr64 
   +0x2d0 CreateTime       : _LARGE_INTEGER
      +0x000 LowPart          : Uint4B
      +0x004 HighPart         : Int4B
      +0x000 u                : <unnamed-tag>
         +0x000 LowPart          : Uint4B
         +0x004 HighPart         : Int4B
      +0x000 QuadPart         : Int8B
   +0x2d8 RundownProtect   : _EX_RUNDOWN_REF
      +0x000 Count            : Uint8B
      +0x000 Ptr              : Ptr64 
   +0x2e0 UniqueProcessId  : Ptr64 
   +0x2e8 ActiveProcessLinks : _LIST_ENTRY
      +0x000 Flink            : Ptr64 
      +0x008 Blink            : Ptr64 
   +0x2f8 Flags2           : Uint4B
   +0x2f8 JobNotReallyActive : Pos 0, 1 Bit
   +0x2f8 AccountingFolded : Pos 1, 1 Bit
   +0x2f8 NewProcessReported : Pos 2, 1 Bit
   +0x2f8 ExitProcessReported : Pos 3, 1 Bit
   +0x2f8 ReportCommitChanges : Pos 4, 1 Bit
   +0x2f8 LastReportMemory : Pos 5, 1 Bit
   +0x2f8 NoWakeCharge     : Pos 6, 1 Bit
   +0x2f8 HandleTableRundown : Pos 7, 1 Bit
   +0x2f8 NeedsHandleRundown : Pos 8, 1 Bit
   +0x2f8 RefTraceEnabled  : Pos 9, 1 Bit
   +0x2f8 NumaAware        : Pos 10, 1 Bit
   +0x2f8 EmptyJobEvaluated : Pos 11, 1 Bit
   +0x2f8 DefaultPagePriority : Pos 12, 3 Bits
   +0x2f8 PrimaryTokenFrozen : Pos 15, 1 Bit
   +0x2f8 ProcessVerifierTarget : Pos 16, 1 Bit
   +0x2f8 StackRandomizationDisabled : Pos 17, 1 Bit
   +0x2f8 AffinityPermanent : Pos 18, 1 Bit
   +0x2f8 AffinityUpdateEnable : Pos 19, 1 Bit
   +0x2f8 PropagateNode    : Pos 20, 1 Bit
   +0x2f8 ExplicitAffinity : Pos 21, 1 Bit
   +0x2f8 ProcessExecutionState : Pos 22, 2 Bits
   +0x2f8 DisallowStrippedImages : Pos 24, 1 Bit
   +0x2f8 HighEntropyASLREnabled : Pos 25, 1 Bit
   +0x2f8 ExtensionPointDisable : Pos 26, 1 Bit
   +0x2f8 ForceRelocateImages : Pos 27, 1 Bit
   +0x2f8 ProcessStateChangeRequest : Pos 28, 2 Bits
   +0x2f8 ProcessStateChangeInProgress : Pos 30, 1 Bit
   +0x2f8 DisallowWin32kSystemCalls : Pos 31, 1 Bit
   +0x2fc Flags            : Uint4B
   +0x2fc CreateReported   : Pos 0, 1 Bit
   +0x2fc NoDebugInherit   : Pos 1, 1 Bit
   +0x2fc ProcessExiting   : Pos 2, 1 Bit
   +0x2fc ProcessDelete    : Pos 3, 1 Bit
   +0x2fc Wow64SplitPages  : Pos 4, 1 Bit
   +0x2fc VmDeleted        : Pos 5, 1 Bit
   +0x2fc OutswapEnabled   : Pos 6, 1 Bit
   +0x2fc Outswapped       : Pos 7, 1 Bit
   +0x2fc ForkFailed       : Pos 8, 1 Bit
   +0x2fc Wow64VaSpace4Gb  : Pos 9, 1 Bit
   +0x2fc AddressSpaceInitialized : Pos 10, 2 Bits
   +0x2fc SetTimerResolution : Pos 12, 1 Bit
   +0x2fc BreakOnTermination : Pos 13, 1 Bit
   +0x2fc DeprioritizeViews : Pos 14, 1 Bit
   +0x2fc WriteWatch       : Pos 15, 1 Bit
   +0x2fc ProcessInSession : Pos 16, 1 Bit
   +0x2fc OverrideAddressSpace : Pos 17, 1 Bit
   +0x2fc HasAddressSpace  : Pos 18, 1 Bit
   +0x2fc LaunchPrefetched : Pos 19, 1 Bit
   +0x2fc Background       : Pos 20, 1 Bit
   +0x2fc VmTopDown        : Pos 21, 1 Bit
   +0x2fc ImageNotifyDone  : Pos 22, 1 Bit
   +0x2fc PdeUpdateNeeded  : Pos 23, 1 Bit
   +0x2fc VdmAllowed       : Pos 24, 1 Bit
   +0x2fc CrossSessionCreate : Pos 25, 1 Bit
   +0x2fc ProcessInserted  : Pos 26, 1 Bit
   +0x2fc DefaultIoPriority : Pos 27, 3 Bits
   +0x2fc ProcessSelfDelete : Pos 30, 1 Bit
   +0x2fc SetTimerResolutionLink : Pos 31, 1 Bit
   +0x300 ProcessQuotaUsage : Uint8B
   +0x310 ProcessQuotaPeak : Uint8B
   +0x320 PeakVirtualSize  : Uint8B
   +0x328 VirtualSize      : Uint8B
   +0x330 SessionProcessLinks : _LIST_ENTRY
      +0x000 Flink            : Ptr64 
      +0x008 Blink            : Ptr64 
   +0x340 ExceptionPortData : Ptr64 
   +0x340 ExceptionPortValue : Uint8B
   +0x340 ExceptionPortState : Pos 0, 3 Bits
   +0x348 Token            : _EX_FAST_REF
      +0x000 Object           : Ptr64 
      +0x000 RefCnt           : Pos 0, 4 Bits
      +0x000 Value            : Uint8B
   +0x350 WorkingSetPage   : Uint8B
   +0x358 AddressCreationLock : _EX_PUSH_LOCK
      +0x000 Locked           : Pos 0, 1 Bit
      +0x000 Waiting          : Pos 1, 1 Bit
      +0x000 Waking           : Pos 2, 1 Bit
      +0x000 MultipleShared   : Pos 3, 1 Bit
      +0x000 Shared           : Pos 4, 60 Bits
      +0x000 Value            : Uint8B
      +0x000 Ptr              : Ptr64 
   +0x360 RotateInProgress : Ptr64 
   +0x368 ForkInProgress   : Ptr64 
   +0x370 HardwareTrigger  : Uint8B
   +0x378 CommitChargeJob  : Ptr64 
   +0x380 CloneRoot        : Ptr64 
   +0x388 NumberOfPrivatePages : Uint8B
   +0x390 NumberOfLockedPages : Uint8B
   +0x398 Win32Process     : Ptr64 
   +0x3a0 Job              : Ptr64 
   +0x3a8 SectionObject    : Ptr64 
   +0x3b0 SectionBaseAddress : Ptr64 
   +0x3b8 Cookie           : Uint4B
   +0x3c0 WorkingSetWatch  : Ptr64 
   +0x3c8 Win32WindowStation : Ptr64 
   +0x3d0 InheritedFromUniqueProcessId : Ptr64 
   +0x3d8 LdtInformation   : Ptr64 
   +0x3e0 CreatorProcess   : Ptr64 
   +0x3e0 ConsoleHostProcess : Uint8B
   +0x3e8 Peb              : Ptr64 
   +0x3f0 Session          : Ptr64 
   +0x3f8 AweInfo          : Ptr64 
   +0x400 QuotaBlock       : Ptr64 
   +0x408 ObjectTable      : Ptr64 
   +0x410 DebugPort        : Ptr64 
   +0x418 Wow64Process     : Ptr64 
   +0x420 DeviceMap        : Ptr64 
   +0x428 EtwDataSource    : Ptr64 
   +0x430 PageDirectoryPte : Uint8B
   +0x438 ImageFileName    : UChar
   +0x447 PriorityClass    : UChar
   +0x448 SecurityPort     : Ptr64 
   +0x450 SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO
      +0x000 ImageFileName    : Ptr64 
   +0x458 JobLinks         : _LIST_ENTRY
      +0x000 Flink            : Ptr64 
      +0x008 Blink            : Ptr64 
   +0x468 HighestUserAddress : Ptr64 
   +0x470 ThreadListHead   : _LIST_ENTRY
      +0x000 Flink            : Ptr64 
      +0x008 Blink            : Ptr64 
   +0x480 ActiveThreads    : Uint4B
   +0x484 ImagePathHash    : Uint4B
   +0x488 DefaultHardErrorProcessing : Uint4B
   +0x48c LastThreadExitStatus : Int4B
   +0x490 PrefetchTrace    : _EX_FAST_REF
      +0x000 Object           : Ptr64 
      +0x000 RefCnt           : Pos 0, 4 Bits
      +0x000 Value            : Uint8B
   +0x498 LockedPagesList  : Ptr64 
   +0x4a0 ReadOperationCount : _LARGE_INTEGER
      +0x000 LowPart          : Uint4B
      +0x004 HighPart         : Int4B
      +0x000 u                : <unnamed-tag>
         +0x000 LowPart          : Uint4B
         +0x004 HighPart         : Int4B
      +0x000 QuadPart         : Int8B
   +0x4a8 WriteOperationCount : _LARGE_INTEGER
      +0x000 LowPart          : Uint4B
      +0x004 HighPart         : Int4B
      +0x000 u                : <unnamed-tag>
         +0x000 LowPart          : Uint4B
         +0x004 HighPart         : Int4B
      +0x000 QuadPart         : Int8B
   +0x4b0 OtherOperationCount : _LARGE_INTEGER
      +0x000 LowPart          : Uint4B
      +0x004 HighPart         : Int4B
      +0x000 u                : <unnamed-tag>
         +0x000 LowPart          : Uint4B
         +0x004 HighPart         : Int4B
      +0x000 QuadPart         : Int8B
   +0x4b8 ReadTransferCount : _LARGE_INTEGER
      +0x000 LowPart          : Uint4B
      +0x004 HighPart         : Int4B
      +0x000 u                : <unnamed-tag>
         +0x000 LowPart          : Uint4B
         +0x004 HighPart         : Int4B
      +0x000 QuadPart         : Int8B
   +0x4c0 WriteTransferCount : _LARGE_INTEGER
      +0x000 LowPart          : Uint4B
      +0x004 HighPart         : Int4B
      +0x000 u                : <unnamed-tag>
         +0x000 LowPart          : Uint4B
         +0x004 HighPart         : Int4B
      +0x000 QuadPart         : Int8B
   +0x4c8 OtherTransferCount : _LARGE_INTEGER
      +0x000 LowPart          : Uint4B
      +0x004 HighPart         : Int4B
      +0x000 u                : <unnamed-tag>
         +0x000 LowPart          : Uint4B
         +0x004 HighPart         : Int4B
      +0x000 QuadPart         : Int8B
   +0x4d0 CommitChargeLimit : Uint8B
   +0x4d8 CommitCharge     : Uint8B
   +0x4e0 CommitChargePeak : Uint8B
   +0x4e8 Vm               : _MMSUPPORT
      +0x000 WorkingSetMutex  : _EX_PUSH_LOCK
         +0x000 Locked           : Pos 0, 1 Bit
         +0x000 Waiting          : Pos 1, 1 Bit
         +0x000 Waking           : Pos 2, 1 Bit
         +0x000 MultipleShared   : Pos 3, 1 Bit
         +0x000 Shared           : Pos 4, 60 Bits
         +0x000 Value            : Uint8B
         +0x000 Ptr              : Ptr64 
      +0x008 ExitGate         : Ptr64 
      +0x010 AccessLog        : Ptr64 
      +0x018 WorkingSetExpansionLinks : _LIST_ENTRY
         +0x000 Flink            : Ptr64 
         +0x008 Blink            : Ptr64 
      +0x028 AgeDistribution  : Uint4B
      +0x044 MinimumWorkingSetSize : Uint4B
      +0x048 WorkingSetSize   : Uint4B
      +0x04c WorkingSetPrivateSize : Uint4B
      +0x050 MaximumWorkingSetSize : Uint4B
      +0x054 ChargedWslePages : Uint4B
      +0x058 ActualWslePages  : Uint4B
      +0x05c WorkingSetSizeOverhead : Uint4B
      +0x060 PeakWorkingSetSize : Uint4B
      +0x064 HardFaultCount   : Uint4B
      +0x068 VmWorkingSetList : Ptr64 
      +0x070 NextPageColor    : Uint2B
      +0x072 LastTrimStamp    : Uint2B
      +0x074 PageFaultCount   : Uint4B
      +0x078 TrimmedPageCount : Uint4B
      +0x07c Spare            : Uint4B
      +0x080 ForceTrimPages   : Uint4B
      +0x084 Flags            : _MMSUPPORT_FLAGS
         +0x000 WorkingSetType   : Pos 0, 3 Bits
         +0x000 ForceCredits     : Pos 3, 3 Bits
         +0x000 MaximumWorkingSetHard : Pos 6, 1 Bit
         +0x000 MinimumWorkingSetHard : Pos 7, 1 Bit
         +0x001 SessionMaster    : Pos 0, 1 Bit
         +0x001 TrimmerState     : Pos 1, 2 Bits
         +0x001 Reserved         : Pos 3, 1 Bit
         +0x001 PageStealers     : Pos 4, 4 Bits
         +0x002 MemoryPriority   : Pos 0, 8 Bits
         +0x003 WsleDeleted      : Pos 0, 1 Bit
         +0x003 VmExiting        : Pos 1, 1 Bit
         +0x003 ExpansionFailed  : Pos 2, 1 Bit
         +0x003 Available        : Pos 3, 5 Bits
      +0x088 WsSwapSupport    : Ptr64 
   +0x578 MmProcessLinks   : _LIST_ENTRY
      +0x000 Flink            : Ptr64 
      +0x008 Blink            : Ptr64 
   +0x588 ModifiedPageCount : Uint4B
   +0x58c ExitStatus       : Int4B
   +0x590 VadRoot          : _MM_AVL_TABLE
      +0x000 BalancedRoot     : _MM_AVL_NODE
         +0x000 u1               : <unnamed-tag>
            +0x000 Balance          : Pos 0, 2 Bits
            +0x000 Parent           : Ptr64 
         +0x008 LeftChild        : Ptr64 
         +0x010 RightChild       : Ptr64 
      +0x018 DepthOfTree      : Pos 0, 5 Bits
      +0x018 TableType        : Pos 5, 3 Bits
      +0x018 NumberGenericTableElements : Pos 8, 56 Bits
      +0x020 NodeHint         : Ptr64 
      +0x028 NodeFreeHint     : Ptr64 
   +0x5c0 VadPhysicalPages : Uint8B
   +0x5c8 VadPhysicalPagesLimit : Uint8B
   +0x5d0 AlpcContext      : _ALPC_PROCESS_CONTEXT
      +0x000 Lock             : _EX_PUSH_LOCK
         +0x000 Locked           : Pos 0, 1 Bit
         +0x000 Waiting          : Pos 1, 1 Bit
         +0x000 Waking           : Pos 2, 1 Bit
         +0x000 MultipleShared   : Pos 3, 1 Bit
         +0x000 Shared           : Pos 4, 60 Bits
         +0x000 Value            : Uint8B
         +0x000 Ptr              : Ptr64 
      +0x008 ViewListHead     : _LIST_ENTRY
         +0x000 Flink            : Ptr64 
         +0x008 Blink            : Ptr64 
      +0x018 PagedPoolQuotaCache : Uint8B
   +0x5f0 TimerResolutionLink : _LIST_ENTRY
      +0x000 Flink            : Ptr64 
      +0x008 Blink            : Ptr64 
   +0x600 TimerResolutionStackRecord : Ptr64 
   +0x608 RequestedTimerResolution : Uint4B
   +0x60c SmallestTimerResolution : Uint4B
   +0x610 ExitTime         : _LARGE_INTEGER
      +0x000 LowPart          : Uint4B
      +0x004 HighPart         : Int4B
      +0x000 u                : <unnamed-tag>
         +0x000 LowPart          : Uint4B
         +0x004 HighPart         : Int4B
      +0x000 QuadPart         : Int8B
   +0x618 InvertedFunctionTable : Ptr64 
   +0x620 InvertedFunctionTableLock : _EX_PUSH_LOCK
      +0x000 Locked           : Pos 0, 1 Bit
      +0x000 Waiting          : Pos 1, 1 Bit
      +0x000 Waking           : Pos 2, 1 Bit
      +0x000 MultipleShared   : Pos 3, 1 Bit
      +0x000 Shared           : Pos 4, 60 Bits
      +0x000 Value            : Uint8B
      +0x000 Ptr              : Ptr64 
   +0x628 ActiveThreadsHighWatermark : Uint4B
   +0x62c LargePrivateVadCount : Uint4B
   +0x630 ThreadListLock   : _EX_PUSH_LOCK
      +0x000 Locked           : Pos 0, 1 Bit
      +0x000 Waiting          : Pos 1, 1 Bit
      +0x000 Waking           : Pos 2, 1 Bit
      +0x000 MultipleShared   : Pos 3, 1 Bit
      +0x000 Shared           : Pos 4, 60 Bits
      +0x000 Value            : Uint8B
      +0x000 Ptr              : Ptr64 
   +0x638 WnfContext       : Ptr64 
   +0x640 SectionMappingSize : Uint8B
   +0x648 SignatureLevel   : UChar
   +0x649 SectionSignatureLevel : UChar
   +0x64a SpareByte20      : UChar
   +0x64c KeepAliveCounter : Uint4B
   +0x650 DiskCounters     : Ptr64 
   +0x658 LastFreezeInterruptTime : Uint8B
 #16989  by Tigzy
 Mon Dec 03, 2012 7:24 am
Ok, I will clarify

EP_X0FF. This is not I don't read, but that I don't understand some things. Can you accept this? :!:

I was misunderstanding the APC, that I was misleading with DPC (which is definitely not the same thing).
I found this link for exaplaining APC, this is clear now : http://www.drdobbs.com/inside-nts-async ... /184416590

By looking at the APC initialize, the link between APC and the thread is here:
void KeInitializeApc(struct _KAPC *Apc, PKTHREAD thread,
unsigned char state_index,
PKKERNEL_ROUTINE ker_routine,
PKRUNDOWN_ROUTINE rd_routine,
PKNORMAL_ROUTINE nor_routine,
unsigned char mode,
void *context);
ActiveExWorker
Already done. If you look at my first capture, you will see that for each line of System threads, there's a flag that is either 'W' (for worker) or '-' (for uhuh not-worker)

Sorry for the confusing, once again :)
It's hard to discuss with strong people sometimes.
 #16995  by Tigzy
 Mon Dec 03, 2012 10:43 am
Here's what I've done:
Code: Select all
if ((ULONG)pKth == 0x898858A0) //for targeting only one interesting thread -debug
{
	kApc = ExAllocatePool(NonPagedPool, sizeof(KAPC));
										
	KeInitializeApc(kApc, (PKTHREAD)pKth, 0, (PKKERNEL_ROUTINE)GrabStackBackTraceKernelAPC, NULL, NULL, KernelMode, NULL);
	KeInsertQueueApc (kApc, NULL, NULL, 0);										
}

#define NbFramesSkip	0
#define NbFramesCapture 60 //Less than 63
VOID GrabStackBackTraceKernelAPC(PKAPC pApc, PKNORMAL_ROUTINE *pNormalRoutine, PVOID *pNormalContext, PVOID *pSystemArgument1, PVOID *pSystemArgument2)
{  
	PVOID PointerArray[NbFramesCapture];
	USHORT ret = 0;
	DWORD i = 0;

	ret = RtlCaptureStackBackTrace(NbFramesSkip, NbFramesCapture, PointerArray, NULL);
	if (ret)
	{
		DbgPrint ("%d frames captured\n", ret);
		for (i = 0 ; i < ret && i < NbFramesCapture ; i++)
		{
			DbgPrint("[%i] 0x%x\n", i, PointerArray[i]);
		}
	}
}
And the results for each address (Windbg)
nt!KiDeliverApc+0xb3
nt!KiSwapThread+0x64:
nt!ExpWorkerThread+0xd6:
nt!PspSystemThreadStartup+0x34:
nt!KiThreadStartup+0x16:

Routine entry in Xuetr is:
nt!ObpProcessRemoveObjectQueue:
What I'm doing wrong?
Capture.PNG
Capture.PNG (78.94 KiB) Viewed 466 times
 #17000  by xdeadcode
 Mon Dec 03, 2012 8:00 pm
Tigzy,

Those values (routine entries) are changing since when workitem has finished it's job on behalf of someone it takes new from queue.
Easiest way to test it is to install TDL3 (since it is 'stealing' one work item - and routine entry will be let's say constant in one period of time) so you will have a time to just grab stack (remember that you will be somewhere inside routine).
I know that code you pasted is PoC for you, but remember not to analyse stack in apc.

Best regards,