KPRCB structure modified in Win7. Another thing to fix into win32dd.

If you’re generating a Microsoft Crash Dump file under Windows Seven you might have noticed that the DirectoryTableBase field in the crash dump header is set to zero. The reason is that the current version of win32dd chose to retrieve the cr3 register through the PROCESSOR_STATE structure stored in the KPRCB. But since the KPRCB was updated in Windows 7, the following ugly piece of code no longer returns a correct cr3 value.

  // Reads cr3 from the saved processor state embedded in the per-processor KPRCB.
  // The path below is only valid for the Vista-era layout (ProcessorState at
  // KPRCB+0x01C); in the Windows 7 layout ProcessorState moved to +0x018, so a
  // build that bakes in the old layout reads the wrong bytes. A zero cr3 is exactly
  // the symptom described above, so the value should be validated (non-zero,
  // page-aligned) before it is written into the dump header rather than trusted blindly.
  1. DirectoryTableBase = __readKPCR()->PrcbData.ProcessorState.SpecialRegisters.Cr3;

If you take a look at these two structures, you can see that the 32-bit ULONG SetMember field has been removed. But don’t worry, this value is still present in the KPCR structure; I guess Microsoft kernel developers removed it from the KPRCB to clean up the structure and avoid a duplicated field.

Anyway, I’ll publish an update soon for win32dd. :-)

For people interested in the technical details of these structures, here is the output of the KPRCB structure under Windows Vista and Seven.

This is what the KPRCB structure looks like under Windows Vista:

/*
 * Windows Vista KPRCB (per-processor control block) layout, as dumped with
 * field offsets. 129 elements, 0xEC0 bytes. The 4-byte pointer fields at
 * 0x004/0x008/0x00C indicate this is the 32-bit build.
 *
 * Two fields matter for the cr3 retrieval discussed above:
 *   - SetMember (ULONG32 at 0x014), which is absent from the Windows 7 layout;
 *   - ProcessorState (struct _KPROCESSOR_STATE at 0x01C), which holds the
 *     saved special registers (including cr3) and shifts to 0x018 on Windows 7.
 * Any code that hard-codes these offsets is tied to this exact OS build.
 */
typedef struct _KPRCB      // 129 elements, 0xEC0 bytes (sizeof)
{    
/*0x000*/     UINT16       MinorVersion;
/*0x002*/     UINT16       MajorVersion;
/*0x004*/     struct _KTHREAD* CurrentThread;
/*0x008*/     struct _KTHREAD* NextThread;
/*0x00C*/     struct _KTHREAD* IdleThread;
/*0x010*/     CHAR         Number;
/*0x011*/     CHAR         Reserved;
/*0x012*/     UINT16       BuildType;
/*0x014*/     ULONG32      SetMember; // removed in the Windows 7 layout; the KPCR still carries it
/*0x018*/     CHAR         CpuType;
/*0x019*/     CHAR         CpuID;
/*0x01A*/     UINT16       CpuStep;
/*0x01C*/     struct _KPROCESSOR_STATE ProcessorState;  // saved registers incl. cr3; at 0x018 on Windows 7
/*0x33C*/     ULONG32      KernelReserved[16];
/*0x37C*/     ULONG32      HalReserved[16];
/*0x3BC*/     UINT8        PrcbPad0[92];
/*0x418*/     struct _KSPIN_LOCK_QUEUE LockQueue[33];
/*0x520*/     struct _KTHREAD* NpxThread;
/*0x524*/     ULONG32      InterruptCount;
/*0x528*/     ULONG32      KernelTime;
/*0x52C*/     ULONG32      UserTime;
/*0x530*/     ULONG32      DpcTime;
/*0x534*/     ULONG32      DebugDpcTime;
/*0x538*/     ULONG32      InterruptTime;
/*0x53C*/     ULONG32      AdjustDpcThreshold;
/*0x540*/     ULONG32      PageColor;
/*0x544*/     UINT8        SkipTick;
/*0x545*/     UINT8        DebuggerSavedIRQL;
/*0x546*/     UINT8        NodeColor;
/*0x547*/     UINT8        Spare1;
/*0x548*/     ULONG32      NodeShiftedColor;
/*0x54C*/     struct _KNODE* ParentNode;
/*0x550*/     ULONG32      MultiThreadProcessorSet;
/*0x554*/     struct _KPRCB* MultiThreadSetMaster;
/*0x558*/     ULONG32      SecondaryColorMask;
/*0x55C*/     LONG32       Sleeping;
/*0x560*/     ULONG32      CcFastReadNoWait;
/*0x564*/     ULONG32      CcFastReadWait;
/*0x568*/     ULONG32      CcFastReadNotPossible;
/*0x56C*/     ULONG32      CcCopyReadNoWait;
/*0x570*/     ULONG32      CcCopyReadWait;
/*0x574*/     ULONG32      CcCopyReadNoWaitMiss;
/*0x578*/     ULONG32      KeAlignmentFixupCount;
/*0x57C*/     ULONG32      SpareCounter0;
/*0x580*/     ULONG32      KeDcacheFlushCount;
/*0x584*/     ULONG32      KeExceptionDispatchCount;
/*0x588*/     ULONG32      KeFirstLevelTbFills;
/*0x58C*/     ULONG32      KeFloatingEmulationCount;
/*0x590*/     ULONG32      KeIcacheFlushCount;
/*0x594*/     ULONG32      KeSecondLevelTbFills;
/*0x598*/     ULONG32      KeSystemCalls;
/*0x59C*/     LONG32       IoReadOperationCount;
/*0x5A0*/     LONG32       IoWriteOperationCount;
/*0x5A4*/     LONG32       IoOtherOperationCount;
/*0x5A8*/     union _LARGE_INTEGER IoReadTransferCount;    
/*0x5B0*/     union _LARGE_INTEGER IoWriteTransferCount;     
/*0x5B8*/     union _LARGE_INTEGER IoOtherTransferCount;     
/*0x5C0*/     ULONG32      SpareCounter1[8];
/*0x5E0*/     struct _PP_LOOKASIDE_LIST PPLookasideList[16];
/*0x660*/     struct _PP_LOOKASIDE_LIST PPNPagedLookasideList[32];
/*0x760*/     struct _PP_LOOKASIDE_LIST PPPagedLookasideList[32];
/*0x860*/     ULONG32      PacketBarrier;
/*0x864*/     ULONG32      ReverseStall;
/*0x868*/     VOID*        IpiFrame;
/*0x86C*/     UINT8        PrcbPad2[52];
/*0x8A0*/     VOID*        CurrentPacket[3];
/*0x8AC*/     ULONG32      TargetSet;
/*0x8B0*/     FUNCT_014C_02D2_WorkerRoutine* WorkerRoutine;
/*0x8B4*/     ULONG32      IpiFrozen;
/*0x8B8*/     UINT8        PrcbPad3[40];
/*0x8E0*/     ULONG32      RequestSummary;
/*0x8E4*/     struct _KPRCB* SignalDone;
/*0x8E8*/     UINT8        PrcbPad4[56];
/*0x920*/     struct _KDPC_DATA DpcData[2];
/*0x948*/     VOID*        DpcStack;
/*0x94C*/     ULONG32      MaximumDpcQueueDepth;
/*0x950*/     ULONG32      DpcRequestRate;
/*0x954*/     ULONG32      MinimumDpcRate;
/*0x958*/     UINT8        DpcInterruptRequested;
/*0x959*/     UINT8        DpcThreadRequested;
/*0x95A*/     UINT8        DpcRoutineActive;
/*0x95B*/     UINT8        DpcThreadActive;
/*0x95C*/     ULONG32      PrcbLock;
/*0x960*/     ULONG32      DpcLastCount;
/*0x964*/     ULONG32      TimerHand;
/*0x968*/     ULONG32      TimerRequest;
/*0x96C*/     VOID*        DpcThread;
/*0x970*/     struct _KEVENT DpcEvent;    
/*0x980*/     UINT8        ThreadDpcEnable;
/*0x981*/     UINT8        QuantumEnd;
/*0x982*/     UINT8        PrcbPad50;
/*0x983*/     UINT8        IdleSchedule;
/*0x984*/     LONG32       DpcSetEventRequest;
/*0x988*/     UINT8        PrcbPad5[18];
/*0x99A*/     UINT8        _PADDING0_[0x2];
/*0x99C*/     LONG32       TickOffset;
/*0x9A0*/     struct _KDPC CallDpc;   
/*0x9C0*/     ULONG32      PrcbPad7[8];
/*0x9E0*/     struct _LIST_ENTRY WaitListHead;      
/*0x9E8*/     ULONG32      ReadySummary;
/*0x9EC*/     ULONG32      QueueIndex;
/*0x9F0*/     struct _LIST_ENTRY DispatcherReadyListHead[32];
/*0xAF0*/     struct _SINGLE_LIST_ENTRY DeferredReadyListHead;
/*0xAF4*/     ULONG32      PrcbPad72[11];
/*0xB20*/     VOID*        ChainedInterruptList;
/*0xB24*/     LONG32       LookasideIrpFloat;
/*0xB28*/     LONG32       MmPageFaultCount;
/*0xB2C*/     LONG32       MmCopyOnWriteCount;
/*0xB30*/     LONG32       MmTransitionCount;
/*0xB34*/     LONG32       MmCacheTransitionCount;
/*0xB38*/     LONG32       MmDemandZeroCount;
/*0xB3C*/     LONG32       MmPageReadCount;
/*0xB40*/     LONG32       MmPageReadIoCount;
/*0xB44*/     LONG32       MmCacheReadCount;
/*0xB48*/     LONG32       MmCacheIoCount;
/*0xB4C*/     LONG32       MmDirtyPagesWriteCount;
/*0xB50*/     LONG32       MmDirtyWriteIoCount;
/*0xB54*/     LONG32       MmMappedPagesWriteCount;
/*0xB58*/     LONG32       MmMappedWriteIoCount;
/*0xB5C*/     ULONG32      SpareFields0[1];
/*0xB60*/     UINT8        VendorString[13];
/*0xB6D*/     UINT8        InitialApicId;
/*0xB6E*/     UINT8        LogicalProcessorsPerPhysicalProcessor;
/*0xB6F*/     UINT8        _PADDING1_[0x1];
/*0xB70*/     ULONG32      MHz;
/*0xB74*/     ULONG32      FeatureBits;
/*0xB78*/     union _LARGE_INTEGER UpdateSignature;     
/*0xB80*/     UINT64       IsrTime;
/*0xB88*/     UINT64       SpareField1;
/*0xB90*/     struct _FX_SAVE_AREA NpxSaveArea;   
/*0xDA0*/     struct _PROCESSOR_POWER_STATE PowerState; 
}KPRCB, *PKPRCB;

And this is the layout under Windows 7:

/*
 * Windows 7 KPRCB layout, as dumped with field offsets. 244 elements,
 * 0x1EE8 bytes; the 4-byte pointers at 0x004/0x008/0x00C again indicate the
 * 32-bit build.
 *
 * Compared with the Vista layout above, the ULONG32 SetMember at 0x014 is
 * gone: CpuType/CpuID/CpuStep now occupy 0x014-0x017 and ProcessorState (the
 * saved registers, including cr3) starts at 0x018 instead of 0x01C. Everything
 * after it is shifted, so a field path or offset computed against the Vista
 * layout lands four bytes early here. Processor-set membership now appears as
 * GroupSetMember at 0x3C8.
 */
typedef struct _KPRCB // 244 elements, 0x1EE8 bytes (sizeof)
{     
/*0x000*/      UINT16       MinorVersion;
/*0x002*/      UINT16       MajorVersion;
/*0x004*/      struct _KTHREAD* CurrentThread;
/*0x008*/      struct _KTHREAD* NextThread;
/*0x00C*/      struct _KTHREAD* IdleThread;
/*0x010*/      UINT8        LegacyNumber;
/*0x011*/      UINT8        NestingLevel;
/*0x012*/      UINT16       BuildType;
/*0x014*/      CHAR         CpuType; // Vista had ULONG32 SetMember at this offset
/*0x015*/      CHAR         CpuID;
/*0x016*/UINT16       CpuStep;
/*0x018*/      struct _KPROCESSOR_STATE ProcessorState;   // was at 0x01C on Vista
/*0x338*/      ULONG32      KernelReserved[16];
/*0x378*/      ULONG32      HalReserved[16];
/*0x3B8*/      ULONG32      CFlushSize;
/*0x3BC*/      UINT8        CoresPerPhysicalProcessor;
/*0x3BD*/      UINT8        LogicalProcessorsPerCore;
/*0x3BE*/      UINT8        PrcbPad0[2];
/*0x3C0*/      ULONG32      MHz;
/*0x3C4*/      UINT8        CpuVendor;
/*0x3C5*/      UINT8        GroupIndex;
/*0x3C6*/      UINT16       Group;
/*0x3C8*/      ULONG32      GroupSetMember;
/*0x3CC*/      ULONG32      Number;
/*0x3D0*/      UINT8        PrcbPad1[72];
/*0x418*/      struct _KSPIN_LOCK_QUEUE LockQueue[49];
/*0x5A0*/      struct _KTHREAD* NpxThread;
/*0x5A4*/      ULONG32      InterruptCount;
/*0x5A8*/      ULONG32      KernelTime;
/*0x5AC*/      ULONG32      UserTime;
/*0x5B0*/      ULONG32      DpcTime;
/*0x5B4*/      ULONG32      DpcTimeCount;
/*0x5B8*/      ULONG32      InterruptTime;
/*0x5BC*/      ULONG32      AdjustDpcThreshold;
/*0x5C0*/      ULONG32      PageColor;
/*0x5C4*/      UINT8        DebuggerSavedIRQL;
/*0x5C5*/      UINT8        NodeColor;
/*0x5C6*/      UINT8        PrcbPad20[2];
/*0x5C8*/      ULONG32      NodeShiftedColor;
/*0x5CC*/      struct _KNODE* ParentNode;
/*0x5D0*/      ULONG32      SecondaryColorMask;
/*0x5D4*/      ULONG32      DpcTimeLimit;
/*0x5D8*/      ULONG32      PrcbPad21[2];
/*0x5E0*/      ULONG32      CcFastReadNoWait;
/*0x5E4*/      ULONG32      CcFastReadWait;
/*0x5E8*/      ULONG32      CcFastReadNotPossible;
/*0x5EC*/      ULONG32      CcCopyReadNoWait;
/*0x5F0*/      ULONG32      CcCopyReadWait;
/*0x5F4*/      ULONG32      CcCopyReadNoWaitMiss;
/*0x5F8*/      LONG32       MmSpinLockOrdering;
/*0x5FC*/      LONG32       IoReadOperationCount;
/*0x600*/      LONG32       IoWriteOperationCount;
/*0x604*/      LONG32       IoOtherOperationCount;
/*0x608*/      union _LARGE_INTEGER IoReadTransferCount;      
/*0x610*/      union _LARGE_INTEGER IoWriteTransferCount;     
/*0x618*/      union _LARGE_INTEGER IoOtherTransferCount;      
/*0x620*/      ULONG32      CcFastMdlReadNoWait;
/*0x624*/      ULONG32      CcFastMdlReadWait;
/*0x628*/      ULONG32      CcFastMdlReadNotPossible;
/*0x62C*/      ULONG32      CcMapDataNoWait;
/*0x630*/      ULONG32      CcMapDataWait;
/*0x634*/      ULONG32      CcPinMappedDataCount;
/*0x638*/      ULONG32      CcPinReadNoWait;
/*0x63C*/      ULONG32      CcPinReadWait;
/*0x640*/      ULONG32      CcMdlReadNoWait;
/*0x644*/      ULONG32      CcMdlReadWait;
/*0x648*/      ULONG32      CcLazyWriteHotSpots;
/*0x64C*/      ULONG32      CcLazyWriteIos;
/*0x650*/      ULONG32      CcLazyWritePages;
/*0x654*/      ULONG32      CcDataFlushes;
/*0x658*/      ULONG32      CcDataPages;
/*0x65C*/      ULONG32      CcLostDelayedWrites;
/*0x660*/      ULONG32      CcFastReadResourceMiss;
/*0x664*/      ULONG32      CcCopyReadWaitMiss;
/*0x668*/      ULONG32      CcFastMdlReadResourceMiss;
/*0x66C*/      ULONG32      CcMapDataNoWaitMiss;
/*0x670*/      ULONG32      CcMapDataWaitMiss;
/*0x674*/      ULONG32      CcPinReadNoWaitMiss;
/*0x678*/      ULONG32      CcPinReadWaitMiss;
/*0x67C*/      ULONG32      CcMdlReadNoWaitMiss;
/*0x680*/      ULONG32      CcMdlReadWaitMiss;
/*0x684*/      ULONG32      CcReadAheadIos;
/*0x688*/      ULONG32      KeAlignmentFixupCount;
/*0x68C*/      ULONG32      KeExceptionDispatchCount;
/*0x690*/      ULONG32      KeSystemCalls;
/*0x694*/      ULONG32      AvailableTime;
/*0x698*/      ULONG32      PrcbPad22[2];
/*0x6A0*/      struct _PP_LOOKASIDE_LIST PPLookasideList[16];
/*0x720*/      struct _GENERAL_LOOKASIDE_POOL PPNPagedLookasideList[32];
/*0x1020*/     struct _GENERAL_LOOKASIDE_POOL PPPagedLookasideList[32];
/*0x1920*/     ULONG32      PacketBarrier;
/*0x1924*/     LONG32       ReverseStall;
/*0x1928*/     VOID*        IpiFrame;
/*0x192C*/     UINT8        PrcbPad3[52];
/*0x1960*/     VOID*        CurrentPacket[3];
/*0x196C*/     ULONG32      TargetSet;
/*0x1970*/     FUNCT_009A_0657_WorkerRoutine* WorkerRoutine;
/*0x1974*/     ULONG32      IpiFrozen;
/*0x1978*/     UINT8        PrcbPad4[40];
/*0x19A0*/     ULONG32      RequestSummary;
/*0x19A4*/     struct _KPRCB* SignalDone;
/*0x19A8*/     UINT8        PrcbPad50[56];
/*0x19E0*/     struct _KDPC_DATA DpcData[2];
/*0x1A08*/     VOID*        DpcStack;
/*0x1A0C*/     LONG32       MaximumDpcQueueDepth;
/*0x1A10*/     ULONG32      DpcRequestRate;
/*0x1A14*/     ULONG32      MinimumDpcRate;
/*0x1A18*/     ULONG32      PrcbPad41;
/*0x1A1C*/     ULONG32      PrcbLock;
/*0x1A20*/     ULONG32      DpcLastCount;
/*0x1A24*/     ULONG32      TimerHand;
/*0x1A28*/     ULONG32      TimerRequest;
/*0x1A2C*/     struct _KTIMER** TimerExpiry;
/*0x1A30*/     struct _KGATE DpcGate;     
/*0x1A40*/     UINT8        ThreadDpcEnable;
/*0x1A41*/     UINT8        QuantumEnd;
/*0x1A42*/     UINT8        DpcRoutineActive;
/*0x1A43*/     UINT8        IdleSchedule;
/* Anonymous union: the same 4 bytes at 0x1A44 viewed as one LONG32, two INT16 slots,
 * or a NormalDpcState INT16 followed by a 2-byte union of ThreadDpcState / a 1-bit flag. */
union   // 3 elements, 0x4 bytes (sizeof)
{ 
/*0x1A44*/         LONG32       DpcRequestSummary;
/*0x1A44*/         INT16        DpcRequestSlot[2];
    struct// 2 elements, 0x4 bytes (sizeof)
    {  
/*0x1A44*/INT16        NormalDpcState;
        union// 2 elements, 0x2 bytes (sizeof)
        {        
/*0x1A46*/  UINT16       DpcThreadActive : 1; // 0 BitPosition
/*0x1A46*/  INT16        ThreadDpcState;
        };
    };
};
/*0x1A48*/     ULONG32      PrcbPad42;
/*0x1A4C*/     ULONG32      PeriodicCount;
/*0x1A50*/     ULONG32      PeriodicBias;
/*0x1A54*/     UINT8        _PADDING0_[0x4];
/*0x1A58*/     UINT64       TickOffset;
/*0x1A60*/     struct _KDPC CallDpc; // 9 elements, 0x20 bytes (sizeof)
/*0x1A80*/     LONG32       ClockKeepAlive;
/*0x1A84*/     UINT8        ClockCheckSlot;
/*0x1A85*/     UINT8        ClockPollCycle;
/*0x1A86*/     UINT8        PrcbPad6[2];
/*0x1A88*/     LONG32       DpcWatchdogPeriod;
/*0x1A8C*/     LONG32       DpcWatchdogCount;
/*0x1A90*/     LONG32       ThreadWatchdogPeriod;
/*0x1A94*/     LONG32       ThreadWatchdogCount;
/*0x1A98*/     LONG32       KeSpinLockOrdering;
/*0x1A9C*/     ULONG32      PrcbPad70[1];
/*0x1AA0*/     struct _LIST_ENTRY WaitListHead;      
/*0x1AA8*/     ULONG32      WaitLock;
/*0x1AAC*/     ULONG32      ReadySummary;
/*0x1AB0*/     ULONG32      QueueIndex;
/*0x1AB4*/     struct _SINGLE_LIST_ENTRY DeferredReadyListHead; 
/*0x1AB8*/     UINT64       StartCycles;
/*0x1AC0*/     UINT64       CycleTime;
/*0x1AC8*/     ULONG32      HighCycleTime;
/*0x1ACC*/     ULONG32      PrcbPad71;
/*0x1AD0*/     UINT64       PrcbPad72[2];
/*0x1AE0*/     struct _LIST_ENTRY DispatcherReadyListHead[32];
/*0x1BE0*/     VOID*        ChainedInterruptList;
/*0x1BE4*/     LONG32       LookasideIrpFloat;
/*0x1BE8*/     LONG32       MmPageFaultCount;
/*0x1BEC*/     LONG32       MmCopyOnWriteCount;
/*0x1BF0*/     LONG32       MmTransitionCount;
/*0x1BF4*/     LONG32       MmCacheTransitionCount;
/*0x1BF8*/     LONG32       MmDemandZeroCount;
/*0x1BFC*/     LONG32       MmPageReadCount;
/*0x1C00*/     LONG32       MmPageReadIoCount;
/*0x1C04*/     LONG32       MmCacheReadCount;
/*0x1C08*/     LONG32       MmCacheIoCount;
/*0x1C0C*/     LONG32       MmDirtyPagesWriteCount;
/*0x1C10*/     LONG32       MmDirtyWriteIoCount;
/*0x1C14*/     LONG32       MmMappedPagesWriteCount;
/*0x1C18*/     LONG32       MmMappedWriteIoCount;
/*0x1C1C*/     ULONG32      CachedCommit;
/*0x1C20*/     ULONG32      CachedResidentAvailable;
/*0x1C24*/     VOID*        HyperPte;
/*0x1C28*/     UINT8        PrcbPad8[4];
/*0x1C2C*/     UINT8        VendorString[13];
/*0x1C39*/     UINT8        InitialApicId;
/*0x1C3A*/     UINT8        LogicalProcessorsPerPhysicalProcessor;
/*0x1C3B*/     UINT8        PrcbPad9[5];
/*0x1C40*/     ULONG32      FeatureBits;
/*0x1C44*/     UINT8        _PADDING1_[0x4];
/*0x1C48*/     union _LARGE_INTEGER UpdateSignature;   
/*0x1C50*/     UINT64       IsrTime;
/*0x1C58*/     UINT64       RuntimeAccumulation;
/*0x1C60*/     struct _PROCESSOR_POWER_STATE PowerState; 
/*0x1D30*/     struct _KDPC DpcWatchdogDpc;     
/*0x1D50*/     struct _KTIMER DpcWatchdogTimer;   
/*0x1D78*/     VOID*        WheaInfo;
/*0x1D7C*/     VOID*        EtwSupport;
/*0x1D80*/     union _SLIST_HEADER InterruptObjectPool;     
/*0x1D88*/     union _SLIST_HEADER HypercallPageList;     
/*0x1D90*/     VOID*        HypercallPageVirtual;
/*0x1D94*/     VOID*        VirtualApicAssist;
/*0x1D98*/     UINT64*      StatisticsPage;
/*0x1D9C*/     VOID*        RateControl;
/*0x1DA0*/     struct _CACHE_DESCRIPTOR Cache[5];
/*0x1DDC*/     ULONG32      CacheCount;
/*0x1DE0*/     ULONG32      CacheProcessorMask[5];
/*0x1DF4*/     ULONG32      PackageProcessorSet;
/*0x1DF8*/     ULONG32      CoreProcessorSet;
/*0x1DFC*/     UINT8        PrcbPad10[36];
/*0x1E20*/     ULONG32      SpinLockAcquireCount;
/*0x1E24*/     ULONG32      SpinLockContentionCount;
/*0x1E28*/     ULONG32      SpinLockSpinCount;
/*0x1E2C*/     ULONG32      IpiSendRequestBroadcastCount;
/*0x1E30*/     ULONG32      IpiSendRequestRoutineCount;

/*0x1E34*/     ULONG32      IpiSendSoftwareInterruptCount;
/*0x1E38*/     ULONG32      ExInitializeResourceCount;
/*0x1E3C*/     ULONG32      ExReInitializeResourceCount;
/*0x1E40*/     ULONG32      ExDeleteResourceCount;
/*0x1E44*/     ULONG32      ExecutiveResourceAcquiresCount;
/*0x1E48*/     ULONG32      ExecutiveResourceContentionsCount;
/*0x1E4C*/     ULONG32      ExecutiveResourceReleaseExclusiveCount;
/*0x1E50*/     ULONG32      ExecutiveResourceReleaseSharedCount;
/*0x1E54*/     ULONG32      ExecutiveResourceConvertsCount;
/*0x1E58*/     ULONG32      ExAcqResExclusiveAttempts;
/*0x1E5C*/     ULONG32      ExAcqResExclusiveAcquiresExclusive;
/*0x1E60*/     ULONG32      ExAcqResExclusiveAcquiresExclusiveRecursive;
/*0x1E64*/     ULONG32      ExAcqResExclusiveWaits;
/*0x1E68*/     ULONG32      ExAcqResExclusiveNotAcquires;
/*0x1E6C*/     ULONG32      ExAcqResSharedAttempts;
/*0x1E70*/     ULONG32      ExAcqResSharedAcquiresExclusive;
/*0x1E74*/     ULONG32      ExAcqResSharedAcquiresShared;
/*0x1E78*/     ULONG32      ExAcqResSharedAcquiresSharedRecursive;
/*0x1E7C*/     ULONG32      ExAcqResSharedWaits;
/*0x1E80*/     ULONG32      ExAcqResSharedNotAcquires;
/*0x1E84*/     ULONG32      ExAcqResSharedStarveExclusiveAttempts;
/*0x1E88*/     ULONG32      ExAcqResSharedStarveExclusiveAcquiresExclusive;
/*0x1E8C*/     ULONG32      ExAcqResSharedStarveExclusiveAcquiresShared;
/*0x1E90*/     ULONG32      ExAcqResSharedStarveExclusiveAcquiresSharedRecursive;
/*0x1E94*/     ULONG32      ExAcqResSharedStarveExclusiveWaits;
/*0x1E98*/     ULONG32      ExAcqResSharedStarveExclusiveNotAcquires;
/*0x1E9C*/     ULONG32      ExAcqResSharedWaitForExclusiveAttempts;
/*0x1EA0*/     ULONG32      ExAcqResSharedWaitForExclusiveAcquiresExclusive;
/*0x1EA4*/     ULONG32      ExAcqResSharedWaitForExclusiveAcquiresShared;
/*0x1EA8*/     ULONG32      ExAcqResSharedWaitForExclusiveAcquiresSharedRecursive;
/*0x1EAC*/     ULONG32      ExAcqResSharedWaitForExclusiveWaits;
/*0x1EB0*/     ULONG32      ExAcqResSharedWaitForExclusiveNotAcquires;
/*0x1EB4*/     ULONG32      ExSetResOwnerPointerExclusive;
/*0x1EB8*/     ULONG32      ExSetResOwnerPointerSharedNew;
/*0x1EBC*/     ULONG32      ExSetResOwnerPointerSharedOld;
/*0x1EC0*/     ULONG32      ExTryToAcqExclusiveAttempts;
/*0x1EC4*/     ULONG32      ExTryToAcqExclusiveAcquires;
/*0x1EC8*/     ULONG32      ExBoostExclusiveOwner;
/*0x1ECC*/     ULONG32      ExBoostSharedOwners;
/*0x1ED0*/     ULONG32      ExEtwSynchTrackingNotificationsCount;
/*0x1ED4*/     ULONG32      ExEtwSynchTrackingNotificationsAccountedCount;
/*0x1ED8*/     struct _CONTEXT* Context;
/*0x1EDC*/     ULONG32      ContextFlags;
/*0x1EE0*/     struct _XSAVE_AREA* ExtendedState;
/*0x1EE4*/     UINT8        _PADDING2_[0x4];
 }KPRCB, *PKPRCB;


  1. Hi Mathiew,
    So… on Windows 7, how do you retrieve the DirectoryTableBase if you can’t do it through the PRCB anymore?
