A forum for reverse engineering, OS internals and malware analysis 

Forum for discussion about kernel-mode development.
 #23262  by karlx
 Wed Jul 02, 2014 7:11 pm
We can get KiTimerTableListHead before Win7.
But it doesn't work now.

I have searched on Google and Bing for a long time. But I haven't got the issue.

I would like to know how to enumerate DPC timers in Win8 or Win 8.1 x64.

Thanks. (Never mind my poor English :D )
 #23270  by EP_X0FF
 Thu Jul 03, 2014 6:15 am
x64 6.3 build 9600

Same per processor specific.
Code:
dt nt!_KPCR
   +0x000 NtTib            : _NT_TIB
   +0x000 GdtBase          : Ptr64 _KGDTENTRY64
   +0x008 TssBase          : Ptr64 _KTSS64
   +0x010 UserRsp          : Uint8B
   +0x018 Self             : Ptr64 _KPCR
   +0x020 CurrentPrcb      : Ptr64 _KPRCB
   +0x028 LockArray        : Ptr64 _KSPIN_LOCK_QUEUE
   +0x030 Used_Self        : Ptr64 Void
   +0x038 IdtBase          : Ptr64 _KIDTENTRY64
   +0x040 Unused           : [2] Uint8B
   +0x050 Irql             : UChar
   +0x051 SecondLevelCacheAssociativity : UChar
   +0x052 ObsoleteNumber   : UChar
   +0x053 Fill0            : UChar
   +0x054 Unused0          : [3] Uint4B
   +0x060 MajorVersion     : Uint2B
   +0x062 MinorVersion     : Uint2B
   +0x064 StallScaleFactor : Uint4B
   +0x068 Unused1          : [3] Ptr64 Void
   +0x080 KernelReserved   : [15] Uint4B
   +0x0bc SecondLevelCacheSize : Uint4B
   +0x0c0 HalReserved      : [16] Uint4B
   +0x100 Unused2          : Uint4B
   +0x108 KdVersionBlock   : Ptr64 Void
   +0x110 Unused3          : Ptr64 Void
   +0x118 PcrAlign1        : [24] Uint4B
   +0x180 Prcb             : _KPRCB
+0x180 Prcb : _KPRCB
Code:
dt nt!_KPRCB
   +0x000 MxCsr            : Uint4B
   +0x004 LegacyNumber     : UChar
   +0x005 ReservedMustBeZero : UChar
   +0x006 InterruptRequest : UChar
   +0x007 IdleHalt         : UChar
   +0x008 CurrentThread    : Ptr64 _KTHREAD
   +0x010 NextThread       : Ptr64 _KTHREAD
   +0x018 IdleThread       : Ptr64 _KTHREAD
   +0x020 NestingLevel     : UChar
   +0x021 ClockOwner       : UChar
   +0x022 PendingTickFlags : UChar
   +0x022 PendingTick      : Pos 0, 1 Bit
   +0x022 PendingBackupTick : Pos 1, 1 Bit
   +0x023 PrcbPad00        : [1] UChar
   +0x024 Number           : Uint4B
   +0x028 RspBase          : Uint8B
   +0x030 PrcbLock         : Uint8B
   +0x038 PriorityState    : Ptr64 Char
   +0x040 ProcessorState   : _KPROCESSOR_STATE
   +0x5f0 CpuType          : Char
   +0x5f1 CpuID            : Char
   +0x5f2 CpuStep          : Uint2B
   +0x5f2 CpuStepping      : UChar
   +0x5f3 CpuModel         : UChar
   +0x5f4 MHz              : Uint4B
   +0x5f8 HalReserved      : [8] Uint8B
   +0x638 MinorVersion     : Uint2B
   +0x63a MajorVersion     : Uint2B
   +0x63c BuildType        : UChar
   +0x63d CpuVendor        : UChar
   +0x63e CoresPerPhysicalProcessor : UChar
   +0x63f LogicalProcessorsPerCore : UChar
   +0x640 ParentNode       : Ptr64 _KNODE
   +0x648 GroupSetMember   : Uint8B
   +0x650 Group            : UChar
   +0x651 GroupIndex       : UChar
   +0x652 PrcbPad05        : [2] UChar
   +0x654 ApicMask         : Uint4B
   +0x658 CFlushSize       : Uint4B
   +0x660 AcpiReserved     : Ptr64 Void
   +0x668 InitialApicId    : Uint4B
   +0x670 LockQueue        : [17] _KSPIN_LOCK_QUEUE
   +0x780 PPLookasideList  : [16] _PP_LOOKASIDE_LIST
   +0x880 PPNxPagedLookasideList : [32] _GENERAL_LOOKASIDE_POOL
   +0x1480 PPNPagedLookasideList : [32] _GENERAL_LOOKASIDE_POOL
   +0x2080 PPPagedLookasideList : [32] _GENERAL_LOOKASIDE_POOL
   +0x2c80 PrcbPad20        : Uint8B
   +0x2c88 DeferredReadyListHead : _SINGLE_LIST_ENTRY
   +0x2c90 MmPageFaultCount : Int4B
   +0x2c94 MmCopyOnWriteCount : Int4B
   +0x2c98 MmTransitionCount : Int4B
   +0x2c9c MmDemandZeroCount : Int4B
   +0x2ca0 MmPageReadCount  : Int4B
   +0x2ca4 MmPageReadIoCount : Int4B
   +0x2ca8 MmDirtyPagesWriteCount : Int4B
   +0x2cac MmDirtyWriteIoCount : Int4B
   +0x2cb0 MmMappedPagesWriteCount : Int4B
   +0x2cb4 MmMappedWriteIoCount : Int4B
   +0x2cb8 KeSystemCalls    : Uint4B
   +0x2cbc KeContextSwitches : Uint4B
   +0x2cc0 LdtSelector      : Uint2B
   +0x2cc2 PrcbPad40        : Uint2B
   +0x2cc4 CcFastReadNoWait : Uint4B
   +0x2cc8 CcFastReadWait   : Uint4B
   +0x2ccc CcFastReadNotPossible : Uint4B
   +0x2cd0 CcCopyReadNoWait : Uint4B
   +0x2cd4 CcCopyReadWait   : Uint4B
   +0x2cd8 CcCopyReadNoWaitMiss : Uint4B
   +0x2cdc IoReadOperationCount : Int4B
   +0x2ce0 IoWriteOperationCount : Int4B
   +0x2ce4 IoOtherOperationCount : Int4B
   +0x2ce8 IoReadTransferCount : _LARGE_INTEGER
   +0x2cf0 IoWriteTransferCount : _LARGE_INTEGER
   +0x2cf8 IoOtherTransferCount : _LARGE_INTEGER
   +0x2d00 PacketBarrier    : Int4B
   +0x2d04 TargetCount      : Int4B
   +0x2d08 IpiFrozen        : Uint4B
   +0x2d10 IsrDpcStats      : Ptr64 Void
   +0x2d18 DeviceInterrupts : Uint4B
   +0x2d1c LookasideIrpFloat : Int4B
   +0x2d20 InterruptLastCount : Uint4B
   +0x2d24 InterruptRate    : Uint4B
   +0x2d28 PrcbPad41        : [22] Uint4B
   +0x2d80 DpcData          : [2] _KDPC_DATA
   +0x2dd0 DpcStack         : Ptr64 Void
   +0x2dd8 MaximumDpcQueueDepth : Int4B
   +0x2ddc DpcRequestRate   : Uint4B
   +0x2de0 MinimumDpcRate   : Uint4B
   +0x2de4 DpcLastCount     : Uint4B
   +0x2de8 ThreadDpcEnable  : UChar
   +0x2de9 QuantumEnd       : UChar
   +0x2dea DpcRoutineActive : UChar
   +0x2deb IdleSchedule     : UChar
   +0x2dec DpcRequestSummary : Int4B
   +0x2dec DpcRequestSlot   : [2] Int2B
   +0x2dec NormalDpcState   : Int2B
   +0x2dee ThreadDpcState   : Int2B
   +0x2dec DpcNormalProcessingActive : Pos 0, 1 Bit
   +0x2dec DpcNormalProcessingRequested : Pos 1, 1 Bit
   +0x2dec DpcNormalThreadSignal : Pos 2, 1 Bit
   +0x2dec DpcNormalTimerExpiration : Pos 3, 1 Bit
   +0x2dec DpcNormalDpcPresent : Pos 4, 1 Bit
   +0x2dec DpcNormalLocalInterrupt : Pos 5, 1 Bit
   +0x2dec DpcNormalSpare   : Pos 6, 10 Bits
   +0x2dec DpcThreadActive  : Pos 16, 1 Bit
   +0x2dec DpcThreadRequested : Pos 17, 1 Bit
   +0x2dec DpcThreadSpare   : Pos 18, 14 Bits
   +0x2df0 LastTimerHand    : Uint4B
   +0x2df4 LastTick         : Uint4B
   +0x2df8 ClockInterrupts  : Uint4B
   +0x2dfc ReadyScanTick    : Uint4B
   +0x2e00 TimerTable       : _KTIMER_TABLE
   +0x5000 DpcGate          : _KGATE
   +0x5018 PrcbPad52        : Ptr64 Void
   +0x5020 CallDpc          : _KDPC
   +0x5060 ClockKeepAlive   : Int4B
   +0x5064 PrcbPad60        : [2] UChar
   +0x5066 NmiActive        : Uint2B
   +0x5068 DpcWatchdogPeriod : Int4B
   +0x506c DpcWatchdogCount : Int4B
   +0x5070 KeSpinLockOrdering : Int4B
   +0x5074 PrcbPad70        : [1] Uint4B
   +0x5078 CachedPtes       : Ptr64 Void
   +0x5080 WaitListHead     : _LIST_ENTRY
   +0x5090 WaitLock         : Uint8B
   +0x5098 ReadySummary     : Uint4B
   +0x509c AffinitizedSelectionMask : Int4B
   +0x50a0 QueueIndex       : Uint4B
   +0x50a4 PrcbPad75        : [3] Uint4B
   +0x50b0 TimerExpirationDpc : _KDPC
   +0x50f0 ScbQueue         : _RTL_RB_TREE
   +0x5100 DispatcherReadyListHead : [32] _LIST_ENTRY
   +0x5300 InterruptCount   : Uint4B
   +0x5304 KernelTime       : Uint4B
   +0x5308 UserTime         : Uint4B
   +0x530c DpcTime          : Uint4B
   +0x5310 InterruptTime    : Uint4B
   +0x5314 AdjustDpcThreshold : Uint4B
   +0x5318 DebuggerSavedIRQL : UChar
   +0x5319 GroupSchedulingOverQuota : UChar
   +0x531a DeepSleep        : UChar
   +0x531b PrcbPad80        : [1] UChar
   +0x531c ScbOffset        : Uint4B
   +0x5320 DpcTimeCount     : Uint4B
   +0x5324 DpcTimeLimit     : Uint4B
   +0x5328 PeriodicCount    : Uint4B
   +0x532c PeriodicBias     : Uint4B
   +0x5330 AvailableTime    : Uint4B
   +0x5334 KeExceptionDispatchCount : Uint4B
   +0x5338 StartCycles      : Uint8B
   +0x5340 GenerationTarget : Uint8B
   +0x5348 AffinitizedCycles : Uint8B
   +0x5350 PrcbPad81        : [2] Uint8B
   +0x5360 MmSpinLockOrdering : Int4B
   +0x5364 PageColor        : Uint4B
   +0x5368 NodeColor        : Uint4B
   +0x536c NodeShiftedColor : Uint4B
   +0x5370 SecondaryColorMask : Uint4B
   +0x5374 PrcbPad83        : Uint4B
   +0x5378 CycleTime        : Uint8B
   +0x5380 CcFastMdlReadNoWait : Uint4B
   +0x5384 CcFastMdlReadWait : Uint4B
   +0x5388 CcFastMdlReadNotPossible : Uint4B
   +0x538c CcMapDataNoWait  : Uint4B
   +0x5390 CcMapDataWait    : Uint4B
   +0x5394 CcPinMappedDataCount : Uint4B
   +0x5398 CcPinReadNoWait  : Uint4B
   +0x539c CcPinReadWait    : Uint4B
   +0x53a0 CcMdlReadNoWait  : Uint4B
   +0x53a4 CcMdlReadWait    : Uint4B
   +0x53a8 CcLazyWriteHotSpots : Uint4B
   +0x53ac CcLazyWriteIos   : Uint4B
   +0x53b0 CcLazyWritePages : Uint4B
   +0x53b4 CcDataFlushes    : Uint4B
   +0x53b8 CcDataPages      : Uint4B
   +0x53bc CcLostDelayedWrites : Uint4B
   +0x53c0 CcFastReadResourceMiss : Uint4B
   +0x53c4 CcCopyReadWaitMiss : Uint4B
   +0x53c8 CcFastMdlReadResourceMiss : Uint4B
   +0x53cc CcMapDataNoWaitMiss : Uint4B
   +0x53d0 CcMapDataWaitMiss : Uint4B
   +0x53d4 CcPinReadNoWaitMiss : Uint4B
   +0x53d8 CcPinReadWaitMiss : Uint4B
   +0x53dc CcMdlReadNoWaitMiss : Uint4B
   +0x53e0 CcMdlReadWaitMiss : Uint4B
   +0x53e4 CcReadAheadIos   : Uint4B
   +0x53e8 MmCacheTransitionCount : Int4B
   +0x53ec MmCacheReadCount : Int4B
   +0x53f0 MmCacheIoCount   : Int4B
   +0x53f4 PrcbPad91        : [3] Uint4B
   +0x5400 PowerState       : _PROCESSOR_POWER_STATE
   +0x55e0 ScbList          : _LIST_ENTRY
   +0x55f0 PrcbPad92        : [19] Uint4B
   +0x563c KeAlignmentFixupCount : Uint4B
   +0x5640 DpcWatchdogDpc   : _KDPC
   +0x5680 DpcWatchdogTimer : _KTIMER
   +0x56c0 Cache            : [5] _CACHE_DESCRIPTOR
   +0x56fc CacheCount       : Uint4B
   +0x5700 CachedCommit     : Uint4B
   +0x5704 CachedResidentAvailable : Uint4B
   +0x5708 HyperPte         : Ptr64 Void
   +0x5710 WheaInfo         : Ptr64 Void
   +0x5718 EtwSupport       : Ptr64 Void
   +0x5720 InterruptObjectPool : _SLIST_HEADER
   +0x5730 HypercallPageList : _SLIST_HEADER
   +0x5740 HypercallPageVirtual : Ptr64 Void
   +0x5748 VirtualApicAssist : Ptr64 Void
   +0x5750 StatisticsPage   : Ptr64 Uint8B
   +0x5758 PackageProcessorSet : _KAFFINITY_EX
   +0x5800 SharedReadyQueueMask : Uint8B
   +0x5808 SharedReadyQueue : Ptr64 _KSHARED_READY_QUEUE
   +0x5810 CoreProcessorSet : Uint8B
   +0x5818 ScanSiblingMask  : Uint8B
   +0x5820 LLCMask          : Uint8B
   +0x5828 CacheProcessorMask : [5] Uint8B
   +0x5850 ScanSiblingIndex : Uint4B
   +0x5854 SharedReadyQueueOffset : Uint4B
   +0x5858 ProcessorProfileControlArea : Ptr64 _PROCESSOR_PROFILE_CONTROL_AREA
   +0x5860 ProfileEventIndexAddress : Ptr64 Void
   +0x5868 PrcbPad94        : [3] Uint8B
   +0x5880 SynchCounters    : _SYNCH_COUNTERS
   +0x5938 PteBitCache      : Uint8B
   +0x5940 PteBitOffset     : Uint4B
   +0x5948 FsCounters       : _FILESYSTEM_DISK_COUNTERS
   +0x5958 VendorString     : [13] UChar
   +0x5965 PrcbPad10        : [3] UChar
   +0x5968 FeatureBits      : Uint8B
   +0x5970 PrcbPad11        : Uint4B
   +0x5978 UpdateSignature  : _LARGE_INTEGER
   +0x5980 Context          : Ptr64 _CONTEXT
   +0x5988 ContextFlagsInit : Uint4B
   +0x5990 ExtendedState    : Ptr64 _XSAVE_AREA
   +0x5998 IsrStack         : Ptr64 Void
   +0x59a0 EntropyTimingState : _KENTROPY_TIMING_STATE
   +0x5af0 AbSelfIoBoostsList : _SINGLE_LIST_ENTRY
   +0x5af8 AbPropagateBoostsList : _SINGLE_LIST_ENTRY
   +0x5b00 AbDpc            : _KDPC
   +0x5b40 IoIrpStackProfilerCurrent : _IOP_IRP_STACK_PROFILER
   +0x5b94 IoIrpStackProfilerPrevious : _IOP_IRP_STACK_PROFILER
   +0x5be8 TimerExpirationTrace : [16] _KTIMER_EXPIRATION_TRACE
   +0x5ce8 TimerExpirationTraceCount : Uint4B
   +0x5d00 Mailbox          : Ptr64 _REQUEST_MAILBOX
   +0x5d40 RequestMailbox   : [1] _REQUEST_MAILBOX
+0x2e00 TimerTable : _KTIMER_TABLE
Code:
dt nt!_KTIMER_TABLE
   +0x000 TimerExpiry      : [64] Ptr64 _KTIMER
   +0x200 TimerEntries     : [256] _KTIMER_TABLE_ENTRY
Code:
dt nt!_KTIMER_TABLE_ENTRY
   +0x000 Lock             : Uint8B
   +0x008 Entry            : _LIST_ENTRY
   +0x018 Time             : _ULARGE_INTEGER
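
Added example (not part of EP_X0FF's post): a read-only walk of one processor's timer table in a memory snapshot, using the offsets from the dt output above, as a forensic tool would when listing queued timers. The snapshot, its addresses and the `_KTIMER.TimerListEntry` offset of 0x20 are assumptions; all offsets are build-specific and must be re-read from symbols for any other build.

```python
import struct

# Offsets from the dt output in the post above (x64 6.3 build 9600).
KPCR_PRCB = 0x180             # _KPCR.Prcb
KPRCB_TIMER_TABLE = 0x2E00    # _KPRCB.TimerTable
TABLE_TIMER_ENTRIES = 0x200   # _KTIMER_TABLE.TimerEntries
ENTRY_COUNT = 256
ENTRY_SIZE = 0x20             # Lock (8) + Entry (16) + Time (8)
ENTRY_LIST = 0x008            # _KTIMER_TABLE_ENTRY.Entry
# Assumption (not shown on the page): _KTIMER.TimerListEntry offset on x64.
KTIMER_LIST_ENTRY = 0x20


class Image:
    """Read-only view of a memory snapshot mapped at virtual address `base`."""

    def __init__(self, base, data):
        self.base, self.data = base, bytes(data)

    def u64(self, va):
        off = va - self.base
        if off < 0 or off + 8 > len(self.data):
            raise ValueError(f"address {va:#x} is outside the snapshot")
        return struct.unpack_from("<Q", self.data, off)[0]


def list_head(kpcr, bucket):
    """Address of TimerEntries[bucket].Entry for the processor owning `kpcr`."""
    return (kpcr + KPCR_PRCB + KPRCB_TIMER_TABLE + TABLE_TIMER_ENTRIES
            + bucket * ENTRY_SIZE + ENTRY_LIST)


def walk_timers(img, kpcr, limit=4096):
    """Return [(bucket, ktimer_va)] for every timer queued on one processor."""
    found = []
    for bucket in range(ENTRY_COUNT):
        head = list_head(kpcr, bucket)
        prev, cur, steps = head, img.u64(head), 0
        while cur != head:                      # Flink == head: empty / end
            if img.u64(cur + 8) != prev:        # Blink must point back
                raise ValueError(f"bucket {bucket}: broken link at {cur:#x}")
            steps += 1
            if steps > limit:
                raise ValueError(f"bucket {bucket}: list does not terminate")
            found.append((bucket, cur - KTIMER_LIST_ENTRY))  # CONTAINING_RECORD
            prev, cur = cur, img.u64(cur)
    return found


def build_sample():
    """Constructed snapshot: one processor, two timers queued in bucket 5."""
    base = 0xFFFFF80000100000                   # made-up KPCR address
    buf = bytearray(0x8000)

    def link(entry_va, flink, blink):
        struct.pack_into("<QQ", buf, entry_va - base, flink, blink)

    for b in range(ENTRY_COUNT):                # every list starts out empty
        link(list_head(base, b), list_head(base, b), list_head(base, b))
    t1, t2 = base + 0x7000, base + 0x7100       # two fake _KTIMER objects
    e1, e2 = t1 + KTIMER_LIST_ENTRY, t2 + KTIMER_LIST_ENTRY
    head = list_head(base, 5)
    link(head, e1, e2)
    link(e1, e2, head)
    link(e2, head, e1)
    return Image(base, buf), base, [(5, t1), (5, t2)]


if __name__ == "__main__":
    img, kpcr, _ = build_sample()
    for bucket, timer in walk_timers(img, kpcr):
        print(f"bucket {bucket:3d}  _KTIMER at {timer:#x}")
```

Because the table is per processor, a full listing repeats the walk once for each processor's KPCR.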
 #23307  by karlx
 Tue Jul 08, 2014 8:12 am
Thanks for your help. But there is another question.
Each DPC timer has its own routine, but it isn't indicated in _KTIMER_TABLE_ENTRY, and the _KTIMER in _KTIMER_TABLE is always mostly zero.
How can I get the routine for a DPC timer?