KPRCB structure modified in Win7. Another thing to fix in win32dd.
If you’re generating a Microsoft Crash Dump file under Windows Seven you might have noticed that the DirectoryTableBase field in the crash dump header is set to zero. The reason is that the current version of win32dd chose to retrieve the cr3 register through the PROCESSOR_STATE structure stored in the KPRCB. But since the KPRCB was updated in Windows 7, the following ugly piece of code no longer returns a correct cr3 value.
-
/* Vista-era read of cr3 from the per-processor KPRCB (reached through __readKPCR()->PrcbData).
 * ProcessorState sits at 0x01C in the Vista KPRCB layout below but at 0x018 in the Windows 7
 * layout, because the 4-byte SetMember at 0x014 was dropped; a build that assumes the Vista
 * offset therefore presumably reads from the wrong place on Windows 7, which matches the
 * zero DirectoryTableBase described above. */
DirectoryTableBase = __readKPCR()->PrcbData.ProcessorState.SpecialRegisters.Cr3;
If you take a look at these two structures, you can see that the 32-bit ULONG SetMember has been removed. Because it sat at offset 0x014, the fields that follow it (CpuType through HalReserved) shift up by 4 bytes on Windows 7, so ProcessorState starts at 0x018 instead of 0x01C. But don’t worry, this value is still present in the KPCR structure; I guess Microsoft kernel developers removed it from KPRCB to clean up the structure and avoid a duplicated field.
Anyway, I’ll publish an update soon for win32dd. :-)
For people interested in the technical details of these structures, here is the output of the KPRCB structure under Windows Vista and Seven.
This is how the KPRCB structure looks under Windows Vista:
/* KPRCB (per-processor control block) as laid out on Windows Vista x86, dumped with field
 * offsets. This is a layout reference, not a compilable definition: several referenced
 * types (e.g. the FUNCT_* worker routine type) are not declared here. Only MinorVersion and
 * MajorVersion keep the same offset in the Windows 7 layout shown further down. */
typedef struct _KPRCB // 129 elements, 0xEC0 bytes (sizeof)
{
/*0x000*/ UINT16 MinorVersion; // same offset on Windows 7
/*0x002*/ UINT16 MajorVersion; // same offset on Windows 7
/*0x004*/ struct _KTHREAD* CurrentThread;
/*0x008*/ struct _KTHREAD* NextThread;
/*0x00C*/ struct _KTHREAD* IdleThread;
/*0x010*/ CHAR Number; // Windows 7: UINT8 LegacyNumber here, ULONG32 Number at 0x3CC
/*0x011*/ CHAR Reserved; // Windows 7: UINT8 NestingLevel
/*0x012*/ UINT16 BuildType;
/*0x014*/ ULONG32 SetMember; // absent on Windows 7; fields from here through HalReserved shift up by 4 bytes there
/*0x018*/ CHAR CpuType;
/*0x019*/ CHAR CpuID;
/*0x01A*/ UINT16 CpuStep;
/*0x01C*/ struct _KPROCESSOR_STATE ProcessorState; // source of SpecialRegisters.Cr3 in the snippet above; at 0x018 on Windows 7
/*0x33C*/ ULONG32 KernelReserved[16]; // 0x338 on Windows 7
/*0x37C*/ ULONG32 HalReserved[16]; // 0x378 on Windows 7; the two layouts diverge after this field
/*0x3BC*/ UINT8 PrcbPad0[92];
/*0x418*/ struct _KSPIN_LOCK_QUEUE LockQueue[33]; // 49 entries on Windows 7
/*0x520*/ struct _KTHREAD* NpxThread;
/*0x524*/ ULONG32 InterruptCount;
/*0x528*/ ULONG32 KernelTime;
/*0x52C*/ ULONG32 UserTime;
/*0x530*/ ULONG32 DpcTime;
/*0x534*/ ULONG32 DebugDpcTime;
/*0x538*/ ULONG32 InterruptTime;
/*0x53C*/ ULONG32 AdjustDpcThreshold;
/*0x540*/ ULONG32 PageColor;
/*0x544*/ UINT8 SkipTick;
/*0x545*/ UINT8 DebuggerSavedIRQL;
/*0x546*/ UINT8 NodeColor;
/*0x547*/ UINT8 Spare1;
/*0x548*/ ULONG32 NodeShiftedColor;
/*0x54C*/ struct _KNODE* ParentNode;
/*0x550*/ ULONG32 MultiThreadProcessorSet;
/*0x554*/ struct _KPRCB* MultiThreadSetMaster;
/*0x558*/ ULONG32 SecondaryColorMask;
/*0x55C*/ LONG32 Sleeping;
/*0x560*/ ULONG32 CcFastReadNoWait;
/*0x564*/ ULONG32 CcFastReadWait;
/*0x568*/ ULONG32 CcFastReadNotPossible;
/*0x56C*/ ULONG32 CcCopyReadNoWait;
/*0x570*/ ULONG32 CcCopyReadWait;
/*0x574*/ ULONG32 CcCopyReadNoWaitMiss;
/*0x578*/ ULONG32 KeAlignmentFixupCount;
/*0x57C*/ ULONG32 SpareCounter0;
/*0x580*/ ULONG32 KeDcacheFlushCount;
/*0x584*/ ULONG32 KeExceptionDispatchCount;
/*0x588*/ ULONG32 KeFirstLevelTbFills;
/*0x58C*/ ULONG32 KeFloatingEmulationCount;
/*0x590*/ ULONG32 KeIcacheFlushCount;
/*0x594*/ ULONG32 KeSecondLevelTbFills;
/*0x598*/ ULONG32 KeSystemCalls;
/*0x59C*/ LONG32 IoReadOperationCount;
/*0x5A0*/ LONG32 IoWriteOperationCount;
/*0x5A4*/ LONG32 IoOtherOperationCount;
/*0x5A8*/ union _LARGE_INTEGER IoReadTransferCount;
/*0x5B0*/ union _LARGE_INTEGER IoWriteTransferCount;
/*0x5B8*/ union _LARGE_INTEGER IoOtherTransferCount;
/*0x5C0*/ ULONG32 SpareCounter1[8];
/*0x5E0*/ struct _PP_LOOKASIDE_LIST PPLookasideList[16];
/*0x660*/ struct _PP_LOOKASIDE_LIST PPNPagedLookasideList[32]; // _GENERAL_LOOKASIDE_POOL on Windows 7
/*0x760*/ struct _PP_LOOKASIDE_LIST PPPagedLookasideList[32]; // _GENERAL_LOOKASIDE_POOL on Windows 7
/*0x860*/ ULONG32 PacketBarrier;
/*0x864*/ ULONG32 ReverseStall;
/*0x868*/ VOID* IpiFrame;
/*0x86C*/ UINT8 PrcbPad2[52];
/*0x8A0*/ VOID* CurrentPacket[3];
/*0x8AC*/ ULONG32 TargetSet;
/*0x8B0*/ FUNCT_014C_02D2_WorkerRoutine* WorkerRoutine;
/*0x8B4*/ ULONG32 IpiFrozen;
/*0x8B8*/ UINT8 PrcbPad3[40];
/*0x8E0*/ ULONG32 RequestSummary;
/*0x8E4*/ struct _KPRCB* SignalDone;
/*0x8E8*/ UINT8 PrcbPad4[56];
/*0x920*/ struct _KDPC_DATA DpcData[2];
/*0x948*/ VOID* DpcStack;
/*0x94C*/ ULONG32 MaximumDpcQueueDepth;
/*0x950*/ ULONG32 DpcRequestRate;
/*0x954*/ ULONG32 MinimumDpcRate;
/*0x958*/ UINT8 DpcInterruptRequested;
/*0x959*/ UINT8 DpcThreadRequested;
/*0x95A*/ UINT8 DpcRoutineActive;
/*0x95B*/ UINT8 DpcThreadActive;
/*0x95C*/ ULONG32 PrcbLock;
/*0x960*/ ULONG32 DpcLastCount;
/*0x964*/ ULONG32 TimerHand;
/*0x968*/ ULONG32 TimerRequest;
/*0x96C*/ VOID* DpcThread;
/*0x970*/ struct _KEVENT DpcEvent;
/*0x980*/ UINT8 ThreadDpcEnable;
/*0x981*/ UINT8 QuantumEnd;
/*0x982*/ UINT8 PrcbPad50;
/*0x983*/ UINT8 IdleSchedule;
/*0x984*/ LONG32 DpcSetEventRequest;
/*0x988*/ UINT8 PrcbPad5[18];
/*0x99A*/ UINT8 _PADDING0_[0x2];
/*0x99C*/ LONG32 TickOffset;
/*0x9A0*/ struct _KDPC CallDpc;
/*0x9C0*/ ULONG32 PrcbPad7[8];
/*0x9E0*/ struct _LIST_ENTRY WaitListHead;
/*0x9E8*/ ULONG32 ReadySummary;
/*0x9EC*/ ULONG32 QueueIndex;
/*0x9F0*/ struct _LIST_ENTRY DispatcherReadyListHead[32];
/*0xAF0*/ struct _SINGLE_LIST_ENTRY DeferredReadyListHead;
/*0xAF4*/ ULONG32 PrcbPad72[11];
/*0xB20*/ VOID* ChainedInterruptList;
/*0xB24*/ LONG32 LookasideIrpFloat;
/*0xB28*/ LONG32 MmPageFaultCount;
/*0xB2C*/ LONG32 MmCopyOnWriteCount;
/*0xB30*/ LONG32 MmTransitionCount;
/*0xB34*/ LONG32 MmCacheTransitionCount;
/*0xB38*/ LONG32 MmDemandZeroCount;
/*0xB3C*/ LONG32 MmPageReadCount;
/*0xB40*/ LONG32 MmPageReadIoCount;
/*0xB44*/ LONG32 MmCacheReadCount;
/*0xB48*/ LONG32 MmCacheIoCount;
/*0xB4C*/ LONG32 MmDirtyPagesWriteCount;
/*0xB50*/ LONG32 MmDirtyWriteIoCount;
/*0xB54*/ LONG32 MmMappedPagesWriteCount;
/*0xB58*/ LONG32 MmMappedWriteIoCount;
/*0xB5C*/ ULONG32 SpareFields0[1];
/*0xB60*/ UINT8 VendorString[13];
/*0xB6D*/ UINT8 InitialApicId;
/*0xB6E*/ UINT8 LogicalProcessorsPerPhysicalProcessor;
/*0xB6F*/ UINT8 _PADDING1_[0x1];
/*0xB70*/ ULONG32 MHz; // 0x3C0 on Windows 7
/*0xB74*/ ULONG32 FeatureBits;
/*0xB78*/ union _LARGE_INTEGER UpdateSignature;
/*0xB80*/ UINT64 IsrTime;
/*0xB88*/ UINT64 SpareField1;
/*0xB90*/ struct _FX_SAVE_AREA NpxSaveArea;
/*0xDA0*/ struct _PROCESSOR_POWER_STATE PowerState;
}KPRCB, *PKPRCB;
And under Windows 7:
/* KPRCB as laid out on Windows 7 x86 (0x1EE8 bytes, up from 0xEC0 on Vista). Layout
 * reference only, not a compilable definition. Differences that matter to an offset-based
 * reader such as the Cr3 snippet above: SetMember (Vista 0x014) is gone, so CpuType..HalReserved
 * sit 4 bytes earlier and ProcessorState starts at 0x018 instead of 0x01C; the processor
 * number moves to a ULONG32 at 0x3CC; and PPNPagedLookasideList/PPPagedLookasideList become
 * _GENERAL_LOOKASIDE_POOL arrays spanning 0x720..0x1920, which accounts for most of the growth.
 * MinorVersion/MajorVersion stay at 0x000/0x002, so they can be read before any
 * layout-dependent field. */
typedef struct _KPRCB // 244 elements, 0x1EE8 bytes (sizeof)
{
/*0x000*/ UINT16 MinorVersion; // same offset as on Vista
/*0x002*/ UINT16 MajorVersion; // same offset as on Vista
/*0x004*/ struct _KTHREAD* CurrentThread;
/*0x008*/ struct _KTHREAD* NextThread;
/*0x00C*/ struct _KTHREAD* IdleThread;
/*0x010*/ UINT8 LegacyNumber; // Vista: CHAR Number
/*0x011*/ UINT8 NestingLevel; // Vista: CHAR Reserved
/*0x012*/ UINT16 BuildType;
/*0x014*/ CHAR CpuType; // Vista had ULONG32 SetMember here and CpuType at 0x018
/*0x015*/ CHAR CpuID;
/*0x016*/UINT16 CpuStep;
/*0x018*/ struct _KPROCESSOR_STATE ProcessorState; // 0x01C on Vista; a read at the Vista offset lands 4 bytes into this field
/*0x338*/ ULONG32 KernelReserved[16]; // 0x33C on Vista
/*0x378*/ ULONG32 HalReserved[16]; // 0x37C on Vista; layouts diverge from here
/*0x3B8*/ ULONG32 CFlushSize;
/*0x3BC*/ UINT8 CoresPerPhysicalProcessor;
/*0x3BD*/ UINT8 LogicalProcessorsPerCore;
/*0x3BE*/ UINT8 PrcbPad0[2];
/*0x3C0*/ ULONG32 MHz; // 0xB70 on Vista
/*0x3C4*/ UINT8 CpuVendor;
/*0x3C5*/ UINT8 GroupIndex;
/*0x3C6*/ UINT16 Group;
/*0x3C8*/ ULONG32 GroupSetMember; // NOTE(review): new field, not the relocated Vista SetMember; confirm semantics before treating it as the same mask
/*0x3CC*/ ULONG32 Number; // processor number, widened from the CHAR at 0x010 on Vista
/*0x3D0*/ UINT8 PrcbPad1[72];
/*0x418*/ struct _KSPIN_LOCK_QUEUE LockQueue[49]; // 33 entries on Vista
/*0x5A0*/ struct _KTHREAD* NpxThread;
/*0x5A4*/ ULONG32 InterruptCount;
/*0x5A8*/ ULONG32 KernelTime;
/*0x5AC*/ ULONG32 UserTime;
/*0x5B0*/ ULONG32 DpcTime;
/*0x5B4*/ ULONG32 DpcTimeCount;
/*0x5B8*/ ULONG32 InterruptTime;
/*0x5BC*/ ULONG32 AdjustDpcThreshold;
/*0x5C0*/ ULONG32 PageColor;
/*0x5C4*/ UINT8 DebuggerSavedIRQL;
/*0x5C5*/ UINT8 NodeColor;
/*0x5C6*/ UINT8 PrcbPad20[2];
/*0x5C8*/ ULONG32 NodeShiftedColor;
/*0x5CC*/ struct _KNODE* ParentNode;
/*0x5D0*/ ULONG32 SecondaryColorMask;
/*0x5D4*/ ULONG32 DpcTimeLimit;
/*0x5D8*/ ULONG32 PrcbPad21[2];
/*0x5E0*/ ULONG32 CcFastReadNoWait;
/*0x5E4*/ ULONG32 CcFastReadWait;
/*0x5E8*/ ULONG32 CcFastReadNotPossible;
/*0x5EC*/ ULONG32 CcCopyReadNoWait;
/*0x5F0*/ ULONG32 CcCopyReadWait;
/*0x5F4*/ ULONG32 CcCopyReadNoWaitMiss;
/*0x5F8*/ LONG32 MmSpinLockOrdering;
/*0x5FC*/ LONG32 IoReadOperationCount;
/*0x600*/ LONG32 IoWriteOperationCount;
/*0x604*/ LONG32 IoOtherOperationCount;
/*0x608*/ union _LARGE_INTEGER IoReadTransferCount;
/*0x610*/ union _LARGE_INTEGER IoWriteTransferCount;
/*0x618*/ union _LARGE_INTEGER IoOtherTransferCount;
/*0x620*/ ULONG32 CcFastMdlReadNoWait;
/*0x624*/ ULONG32 CcFastMdlReadWait;
/*0x628*/ ULONG32 CcFastMdlReadNotPossible;
/*0x62C*/ ULONG32 CcMapDataNoWait;
/*0x630*/ ULONG32 CcMapDataWait;
/*0x634*/ ULONG32 CcPinMappedDataCount;
/*0x638*/ ULONG32 CcPinReadNoWait;
/*0x63C*/ ULONG32 CcPinReadWait;
/*0x640*/ ULONG32 CcMdlReadNoWait;
/*0x644*/ ULONG32 CcMdlReadWait;
/*0x648*/ ULONG32 CcLazyWriteHotSpots;
/*0x64C*/ ULONG32 CcLazyWriteIos;
/*0x650*/ ULONG32 CcLazyWritePages;
/*0x654*/ ULONG32 CcDataFlushes;
/*0x658*/ ULONG32 CcDataPages;
/*0x65C*/ ULONG32 CcLostDelayedWrites;
/*0x660*/ ULONG32 CcFastReadResourceMiss;
/*0x664*/ ULONG32 CcCopyReadWaitMiss;
/*0x668*/ ULONG32 CcFastMdlReadResourceMiss;
/*0x66C*/ ULONG32 CcMapDataNoWaitMiss;
/*0x670*/ ULONG32 CcMapDataWaitMiss;
/*0x674*/ ULONG32 CcPinReadNoWaitMiss;
/*0x678*/ ULONG32 CcPinReadWaitMiss;
/*0x67C*/ ULONG32 CcMdlReadNoWaitMiss;
/*0x680*/ ULONG32 CcMdlReadWaitMiss;
/*0x684*/ ULONG32 CcReadAheadIos;
/*0x688*/ ULONG32 KeAlignmentFixupCount;
/*0x68C*/ ULONG32 KeExceptionDispatchCount;
/*0x690*/ ULONG32 KeSystemCalls;
/*0x694*/ ULONG32 AvailableTime;
/*0x698*/ ULONG32 PrcbPad22[2];
/*0x6A0*/ struct _PP_LOOKASIDE_LIST PPLookasideList[16];
/*0x720*/ struct _GENERAL_LOOKASIDE_POOL PPNPagedLookasideList[32]; // _PP_LOOKASIDE_LIST on Vista; 0x900 bytes here
/*0x1020*/ struct _GENERAL_LOOKASIDE_POOL PPPagedLookasideList[32]; // _PP_LOOKASIDE_LIST on Vista; 0x900 bytes here
/*0x1920*/ ULONG32 PacketBarrier;
/*0x1924*/ LONG32 ReverseStall;
/*0x1928*/ VOID* IpiFrame;
/*0x192C*/ UINT8 PrcbPad3[52];
/*0x1960*/ VOID* CurrentPacket[3];
/*0x196C*/ ULONG32 TargetSet;
/*0x1970*/ FUNCT_009A_0657_WorkerRoutine* WorkerRoutine;
/*0x1974*/ ULONG32 IpiFrozen;
/*0x1978*/ UINT8 PrcbPad4[40];
/*0x19A0*/ ULONG32 RequestSummary;
/*0x19A4*/ struct _KPRCB* SignalDone;
/*0x19A8*/ UINT8 PrcbPad50[56];
/*0x19E0*/ struct _KDPC_DATA DpcData[2];
/*0x1A08*/ VOID* DpcStack;
/*0x1A0C*/ LONG32 MaximumDpcQueueDepth;
/*0x1A10*/ ULONG32 DpcRequestRate;
/*0x1A14*/ ULONG32 MinimumDpcRate;
/*0x1A18*/ ULONG32 PrcbPad41;
/*0x1A1C*/ ULONG32 PrcbLock;
/*0x1A20*/ ULONG32 DpcLastCount;
/*0x1A24*/ ULONG32 TimerHand;
/*0x1A28*/ ULONG32 TimerRequest;
/*0x1A2C*/ struct _KTIMER** TimerExpiry;
/*0x1A30*/ struct _KGATE DpcGate; // Vista had a _KEVENT DpcEvent
/*0x1A40*/ UINT8 ThreadDpcEnable;
/*0x1A41*/ UINT8 QuantumEnd;
/*0x1A42*/ UINT8 DpcRoutineActive;
/*0x1A43*/ UINT8 IdleSchedule;
/* DpcThreadActive was a standalone UINT8 on Vista; here it is a 1-bit field overlaid on the
 * same 4 bytes as DpcRequestSummary. */
union // 3 elements, 0x4 bytes (sizeof)
{
/*0x1A44*/ LONG32 DpcRequestSummary;
/*0x1A44*/ INT16 DpcRequestSlot[2];
struct// 2 elements, 0x4 bytes (sizeof)
{
/*0x1A44*/INT16 NormalDpcState;
union// 2 elements, 0x2 bytes (sizeof)
{
/*0x1A46*/ UINT16 DpcThreadActive : 1; // 0 BitPosition
/*0x1A46*/ INT16 ThreadDpcState;
};
};
};
/*0x1A48*/ ULONG32 PrcbPad42;
/*0x1A4C*/ ULONG32 PeriodicCount;
/*0x1A50*/ ULONG32 PeriodicBias;
/*0x1A54*/ UINT8 _PADDING0_[0x4];
/*0x1A58*/ UINT64 TickOffset; // LONG32 on Vista
/*0x1A60*/ struct _KDPC CallDpc; // 9 elements, 0x20 bytes (sizeof)
/*0x1A80*/ LONG32 ClockKeepAlive;
/*0x1A84*/ UINT8 ClockCheckSlot;
/*0x1A85*/ UINT8 ClockPollCycle;
/*0x1A86*/ UINT8 PrcbPad6[2];
/*0x1A88*/ LONG32 DpcWatchdogPeriod;
/*0x1A8C*/ LONG32 DpcWatchdogCount;
/*0x1A90*/ LONG32 ThreadWatchdogPeriod;
/*0x1A94*/ LONG32 ThreadWatchdogCount;
/*0x1A98*/ LONG32 KeSpinLockOrdering;
/*0x1A9C*/ ULONG32 PrcbPad70[1];
/*0x1AA0*/ struct _LIST_ENTRY WaitListHead;
/*0x1AA8*/ ULONG32 WaitLock;
/*0x1AAC*/ ULONG32 ReadySummary;
/*0x1AB0*/ ULONG32 QueueIndex;
/*0x1AB4*/ struct _SINGLE_LIST_ENTRY DeferredReadyListHead;
/*0x1AB8*/ UINT64 StartCycles;
/*0x1AC0*/ UINT64 CycleTime;
/*0x1AC8*/ ULONG32 HighCycleTime;
/*0x1ACC*/ ULONG32 PrcbPad71;
/*0x1AD0*/ UINT64 PrcbPad72[2];
/*0x1AE0*/ struct _LIST_ENTRY DispatcherReadyListHead[32];
/*0x1BE0*/ VOID* ChainedInterruptList;
/*0x1BE4*/ LONG32 LookasideIrpFloat;
/*0x1BE8*/ LONG32 MmPageFaultCount;
/*0x1BEC*/ LONG32 MmCopyOnWriteCount;
/*0x1BF0*/ LONG32 MmTransitionCount;
/*0x1BF4*/ LONG32 MmCacheTransitionCount;
/*0x1BF8*/ LONG32 MmDemandZeroCount;
/*0x1BFC*/ LONG32 MmPageReadCount;
/*0x1C00*/ LONG32 MmPageReadIoCount;
/*0x1C04*/ LONG32 MmCacheReadCount;
/*0x1C08*/ LONG32 MmCacheIoCount;
/*0x1C0C*/ LONG32 MmDirtyPagesWriteCount;
/*0x1C10*/ LONG32 MmDirtyWriteIoCount;
/*0x1C14*/ LONG32 MmMappedPagesWriteCount;
/*0x1C18*/ LONG32 MmMappedWriteIoCount;
/*0x1C1C*/ ULONG32 CachedCommit;
/*0x1C20*/ ULONG32 CachedResidentAvailable;
/*0x1C24*/ VOID* HyperPte;
/*0x1C28*/ UINT8 PrcbPad8[4];
/*0x1C2C*/ UINT8 VendorString[13];
/*0x1C39*/ UINT8 InitialApicId;
/*0x1C3A*/ UINT8 LogicalProcessorsPerPhysicalProcessor;
/*0x1C3B*/ UINT8 PrcbPad9[5];
/*0x1C40*/ ULONG32 FeatureBits;
/*0x1C44*/ UINT8 _PADDING1_[0x4];
/*0x1C48*/ union _LARGE_INTEGER UpdateSignature;
/*0x1C50*/ UINT64 IsrTime;
/*0x1C58*/ UINT64 RuntimeAccumulation;
/*0x1C60*/ struct _PROCESSOR_POWER_STATE PowerState;
/*0x1D30*/ struct _KDPC DpcWatchdogDpc;
/*0x1D50*/ struct _KTIMER DpcWatchdogTimer;
/*0x1D78*/ VOID* WheaInfo;
/*0x1D7C*/ VOID* EtwSupport;
/*0x1D80*/ union _SLIST_HEADER InterruptObjectPool;
/*0x1D88*/ union _SLIST_HEADER HypercallPageList;
/*0x1D90*/ VOID* HypercallPageVirtual;
/*0x1D94*/ VOID* VirtualApicAssist;
/*0x1D98*/ UINT64* StatisticsPage;
/*0x1D9C*/ VOID* RateControl;
/*0x1DA0*/ struct _CACHE_DESCRIPTOR Cache[5];
/*0x1DDC*/ ULONG32 CacheCount;
/*0x1DE0*/ ULONG32 CacheProcessorMask[5];
/*0x1DF4*/ ULONG32 PackageProcessorSet;
/*0x1DF8*/ ULONG32 CoreProcessorSet;
/*0x1DFC*/ UINT8 PrcbPad10[36];
/*0x1E20*/ ULONG32 SpinLockAcquireCount;
/*0x1E24*/ ULONG32 SpinLockContentionCount;
/*0x1E28*/ ULONG32 SpinLockSpinCount;
/*0x1E2C*/ ULONG32 IpiSendRequestBroadcastCount;
/*0x1E30*/ ULONG32 IpiSendRequestRoutineCount;
/*0x1E34*/ ULONG32 IpiSendSoftwareInterruptCount;
/*0x1E38*/ ULONG32 ExInitializeResourceCount;
/*0x1E3C*/ ULONG32 ExReInitializeResourceCount;
/*0x1E40*/ ULONG32 ExDeleteResourceCount;
/*0x1E44*/ ULONG32 ExecutiveResourceAcquiresCount;
/*0x1E48*/ ULONG32 ExecutiveResourceContentionsCount;
/*0x1E4C*/ ULONG32 ExecutiveResourceReleaseExclusiveCount;
/*0x1E50*/ ULONG32 ExecutiveResourceReleaseSharedCount;
/*0x1E54*/ ULONG32 ExecutiveResourceConvertsCount;
/*0x1E58*/ ULONG32 ExAcqResExclusiveAttempts;
/*0x1E5C*/ ULONG32 ExAcqResExclusiveAcquiresExclusive;
/*0x1E60*/ ULONG32 ExAcqResExclusiveAcquiresExclusiveRecursive;
/*0x1E64*/ ULONG32 ExAcqResExclusiveWaits;
/*0x1E68*/ ULONG32 ExAcqResExclusiveNotAcquires;
/*0x1E6C*/ ULONG32 ExAcqResSharedAttempts;
/*0x1E70*/ ULONG32 ExAcqResSharedAcquiresExclusive;
/*0x1E74*/ ULONG32 ExAcqResSharedAcquiresShared;
/*0x1E78*/ ULONG32 ExAcqResSharedAcquiresSharedRecursive;
/*0x1E7C*/ ULONG32 ExAcqResSharedWaits;
/*0x1E80*/ ULONG32 ExAcqResSharedNotAcquires;
/*0x1E84*/ ULONG32 ExAcqResSharedStarveExclusiveAttempts;
/*0x1E88*/ ULONG32 ExAcqResSharedStarveExclusiveAcquiresExclusive;
/*0x1E8C*/ ULONG32 ExAcqResSharedStarveExclusiveAcquiresShared;
/*0x1E90*/ ULONG32 ExAcqResSharedStarveExclusiveAcquiresSharedRecursive;
/*0x1E94*/ ULONG32 ExAcqResSharedStarveExclusiveWaits;
/*0x1E98*/ ULONG32 ExAcqResSharedStarveExclusiveNotAcquires;
/*0x1E9C*/ ULONG32 ExAcqResSharedWaitForExclusiveAttempts;
/*0x1EA0*/ ULONG32 ExAcqResSharedWaitForExclusiveAcquiresExclusive;
/*0x1EA4*/ ULONG32 ExAcqResSharedWaitForExclusiveAcquiresShared;
/*0x1EA8*/ ULONG32 ExAcqResSharedWaitForExclusiveAcquiresSharedRecursive;
/*0x1EAC*/ ULONG32 ExAcqResSharedWaitForExclusiveWaits;
/*0x1EB0*/ ULONG32 ExAcqResSharedWaitForExclusiveNotAcquires;
/*0x1EB4*/ ULONG32 ExSetResOwnerPointerExclusive;
/*0x1EB8*/ ULONG32 ExSetResOwnerPointerSharedNew;
/*0x1EBC*/ ULONG32 ExSetResOwnerPointerSharedOld;
/*0x1EC0*/ ULONG32 ExTryToAcqExclusiveAttempts;
/*0x1EC4*/ ULONG32 ExTryToAcqExclusiveAcquires;
/*0x1EC8*/ ULONG32 ExBoostExclusiveOwner;
/*0x1ECC*/ ULONG32 ExBoostSharedOwners;
/*0x1ED0*/ ULONG32 ExEtwSynchTrackingNotificationsCount;
/*0x1ED4*/ ULONG32 ExEtwSynchTrackingNotificationsAccountedCount;
/*0x1ED8*/ struct _CONTEXT* Context;
/*0x1EDC*/ ULONG32 ContextFlags;
/*0x1EE0*/ struct _XSAVE_AREA* ExtendedState;
/*0x1EE4*/ UINT8 _PADDING2_[0x4];
}KPRCB, *PKPRCB;
Hi Mathiew,
So… on Windows 7, how do you retrieve the DirectoryTableBase if you can’t do it through the PRCB anymore?
I only use the control registers (mov eax, cr3), but it’s not as much fun as using the PRCB.