/* Header autogenerated by Brandon Falk's PDB Dumper * * Invocation: C:\projects\pdbdump_2\pdbdump.exe L:\symbolarchive\win8_spB_x86\fltmgr.pdb\035EB1D890B648B58C34AA5B351580242\fltmgr.pdb */ struct LIST_ENTRY64 { unsigned long long Flink; /* +0x0000 */ unsigned long long Blink; /* +0x0008 */ }; struct LIST_ENTRY32 { unsigned long Flink; /* +0x0000 */ unsigned long Blink; /* +0x0004 */ }; struct _LIST_ENTRY { unsigned char Flink[4]; /* +0x0000 18 10 00 00 */ unsigned char Blink[4]; /* +0x0004 18 10 00 00 */ }; struct _SINGLE_LIST_ENTRY { unsigned char Next[4]; /* +0x0000 2a 10 00 00 */ }; struct _UNICODE_STRING { unsigned short Length; /* +0x0000 */ unsigned short MaximumLength; /* +0x0002 */ unsigned short *Buffer; /* +0x0004 */ }; struct _STRING { unsigned short Length; /* +0x0000 */ unsigned short MaximumLength; /* +0x0002 */ char *Buffer; /* +0x0004 */ }; /* struct { unsigned long LowPart; +0x0000 long HighPart; +0x0004 }; */ struct _LARGE_INTEGER { unsigned long LowPart; /* +0x0000 */ long HighPart; /* +0x0004 */ /* unsigned char u[0]; +0x0000 3c 10 00 00 */ long long QuadPart; /* +0x0000 */ }; /* struct { unsigned long LowPart; +0x0000 unsigned long HighPart; +0x0004 }; */ struct _ULARGE_INTEGER { unsigned long LowPart; /* +0x0000 */ unsigned long HighPart; /* +0x0004 */ /* unsigned char u[0]; +0x0000 41 10 00 00 */ unsigned long long QuadPart; /* +0x0000 */ }; struct _FAST_MUTEX { unsigned char Count[4]; /* +0x0000 15 10 00 00 */ void *Owner; /* +0x0004 */ unsigned long Contention; /* +0x0008 */ unsigned char Event[16]; /* +0x000c 4b 10 00 00 */ unsigned long OldIrql; /* +0x001c */ }; enum _EVENT_TYPE { NotificationEvent = 0, SynchronizationEvent = 1 }; struct _KEVENT { unsigned char Header[16]; /* +0x0000 56 10 00 00 */ }; struct _SLIST_HEADER { unsigned long long Alignment; /* +0x0000 */ unsigned char Next[4]; /* +0x0000 29 10 00 00 */ unsigned short Depth; /* +0x0004 */ unsigned short Sequence; /* +0x0006 */ }; struct _LOOKASIDE_LIST_EX { unsigned char L[72]; /* +0x0000 62 10 00 00 */ }; enum _POOL_TYPE { NonPagedPool = 0, NonPagedPoolExecute = 0, PagedPool = 1, NonPagedPoolMustSucceed = 2, DontUseThisType = 3, NonPagedPoolCacheAligned = 4, PagedPoolCacheAligned = 5, NonPagedPoolCacheAlignedMustS = 6, MaxPoolType = 7, NonPagedPoolBase = 0, NonPagedPoolBaseMustSucceed = 2, NonPagedPoolBaseCacheAligned = 4, NonPagedPoolBaseCacheAlignedMustS = 6, NonPagedPoolSession = 32, PagedPoolSession = 33, NonPagedPoolMustSucceedSession = 34, DontUseThisTypeSession = 35, NonPagedPoolCacheAlignedSession = 36, PagedPoolCacheAlignedSession = 37, NonPagedPoolCacheAlignedMustSSession = 38, NonPagedPoolNx = 512, NonPagedPoolNxCacheAligned = 516, NonPagedPoolSessionNx = 544 }; struct _NPAGED_LOOKASIDE_LIST { unsigned char L[72]; /* +0x0000 79 10 00 00 */ unsigned long Lock__ObsoleteButDoNotDelete; /* +0x0048 */ }; struct _PAGED_LOOKASIDE_LIST { unsigned char L[72]; /* +0x0000 79 10 00 00 */ unsigned char Lock__ObsoleteButDoNotDelete[32]; /* +0x0048 49 10 00 00 */ }; struct _WORK_QUEUE_ITEM { unsigned char List[8]; /* +0x0000 17 10 00 00 */ unsigned char WorkerRoutine[4]; /* +0x0008 82 10 00 00 */ void *Parameter; /* +0x000c */ }; struct _MDL { unsigned char Next[4]; /* +0x0000 8d 10 00 00 */ short Size; /* +0x0004 */ short MdlFlags; /* +0x0006 */ unsigned char Process[4]; /* +0x0008 8f 10 00 00 */ void *MappedSystemVa; /* +0x000c */ void *StartVa; /* +0x0010 */ unsigned long ByteCount; /* +0x0014 */ unsigned long ByteOffset; /* +0x0018 */ }; enum _MEMORY_CACHING_TYPE { MmNonCached = 0, MmCached = 1, MmWriteCombined = 2, MmHardwareCoherentCached = 3, MmNonCachedUnordered = 4, MmUSWCCached = 5, MmMaximumCacheType = 6 }; /* struct { /* unsigned char MasterIrp[0]; +0x0000 a1 10 00 00 long IrpCount; +0x0000 void *SystemBuffer; +0x0000 }; */ /* struct { /* unsigned char UserApcRoutine[0]; +0x0000 a8 10 00 00 void *IssuingProcess; +0x0000 void *UserApcContext; +0x0004 }; */ /* struct { /* unsigned char AsynchronousParameters[0]; +0x0000 aa 10 00 00 unsigned char AllocationSize[8]; +0x0000 3a 10 00 00 }; */ /* struct { /* unsigned char DeviceQueueEntry[0]; +0x0000 b2 10 00 00 unsigned char DriverContext[16]; +0x0000 b3 10 00 00 unsigned char Thread[4]; +0x0010 9c 10 00 00 char *AuxiliaryBuffer; +0x0014 unsigned char ListEntry[8]; +0x0018 17 10 00 00 /* unsigned char CurrentStackLocation[0]; +0x0020 b5 10 00 00 unsigned long PacketType; +0x0020 unsigned char OriginalFileObject[4]; +0x0024 b7 10 00 00 }; */ /* struct { /* unsigned char Overlay[0]; +0x0000 b9 10 00 00 /* unsigned char Apc[0]; +0x0000 ba 10 00 00 void *CompletionKey; +0x0000 }; */ struct _IRP { short Type; /* +0x0000 */ unsigned short Size; /* +0x0002 */ unsigned char MdlAddress[4]; /* +0x0004 8d 10 00 00 */ unsigned long Flags; /* +0x0008 */ unsigned char AssociatedIrp[4]; /* +0x000c a3 10 00 00 */ unsigned char ThreadListEntry[8]; /* +0x0010 17 10 00 00 */ unsigned char IoStatus[8]; /* +0x0018 a4 10 00 00 */ char RequestorMode; /* +0x0020 */ unsigned char PendingReturned; /* +0x0021 */ char StackCount; /* +0x0022 */ char CurrentLocation; /* +0x0023 */ unsigned char Cancel; /* +0x0024 */ unsigned char CancelIrql; /* +0x0025 */ char ApcEnvironment; /* +0x0026 */ unsigned char AllocationFlags; /* +0x0027 */ unsigned char UserIosb[4]; /* +0x0028 a5 10 00 00 */ unsigned char UserEvent[4]; /* +0x002c 4f 10 00 00 */ unsigned char Overlay[8]; /* +0x0030 ac 10 00 00 */ unsigned char CancelRoutine[4]; /* +0x0038 b1 10 00 00 */ void *UserBuffer; /* +0x003c */ unsigned char Tail[48]; /* +0x0040 bc 10 00 00 */ }; /* struct { unsigned char SecurityContext[4]; +0x0000 c1 10 00 00 unsigned long Options; +0x0004 unsigned short FileAttributes; +0x0008 unsigned short ShareAccess; +0x000a unsigned long EaLength; +0x000c }; */ /* struct { unsigned char SecurityContext[4]; +0x0000 c1 10 00 00 unsigned long Options; +0x0004 unsigned short Reserved; +0x0008 unsigned short ShareAccess; +0x000a unsigned char Parameters[4]; +0x000c c5 10 00 00 }; */ /* struct { unsigned char SecurityContext[4]; +0x0000 c1 10 00 00 unsigned long Options; +0x0004 unsigned short Reserved; +0x0008 unsigned short ShareAccess; +0x000a unsigned char Parameters[4]; +0x000c c9 10 00 00 }; */ /* struct { unsigned long Length; +0x0000 unsigned long Key; +0x0004 unsigned char ByteOffset[8]; +0x0008 3a 10 00 00 }; */ enum _FILE_INFORMATION_CLASS { FileDirectoryInformation = 1, FileFullDirectoryInformation = 2, FileBothDirectoryInformation = 3, FileBasicInformation = 4, FileStandardInformation = 5, FileInternalInformation = 6, FileEaInformation = 7, FileAccessInformation = 8, FileNameInformation = 9, FileRenameInformation = 10, FileLinkInformation = 11, FileNamesInformation = 12, FileDispositionInformation = 13, FilePositionInformation = 14, FileFullEaInformation = 15, FileModeInformation = 16, FileAlignmentInformation = 17, FileAllInformation = 18, FileAllocationInformation = 19, FileEndOfFileInformation = 20, FileAlternateNameInformation = 21, FileStreamInformation = 22, FilePipeInformation = 23, FilePipeLocalInformation = 24, FilePipeRemoteInformation = 25, FileMailslotQueryInformation = 26, FileMailslotSetInformation = 27, FileCompressionInformation = 28, FileObjectIdInformation = 29, FileCompletionInformation = 30, FileMoveClusterInformation = 31, FileQuotaInformation = 32, FileReparsePointInformation = 33, FileNetworkOpenInformation = 34, FileAttributeTagInformation = 35, FileTrackingInformation = 36, FileIdBothDirectoryInformation = 37, FileIdFullDirectoryInformation = 38, FileValidDataLengthInformation = 39, FileShortNameInformation = 40, FileIoCompletionNotificationInformation = 41, FileIoStatusBlockRangeInformation = 42, FileIoPriorityHintInformation = 43, FileSfioReserveInformation = 44, FileSfioVolumeInformation = 45, FileHardLinkInformation = 46, FileProcessIdsUsingFileInformation = 47, FileNormalizedNameInformation = 48, FileNetworkPhysicalNameInformation = 49, FileIdGlobalTxDirectoryInformation = 50, FileIsRemoteDeviceInformation = 51, FileAttributeCacheInformation = 52, FileNumaNodeInformation = 53, FileStandardLinkInformation = 54, FileRemoteProtocolInformation = 55, FileRenameInformationBypassAccessCheck = 56, FileLinkInformationBypassAccessCheck = 57, FileIntegrityStreamInformation = 58, FileVolumeNameInformation = 59, FileMaximumInformation = 60 }; /* struct { unsigned long Length; +0x0000 unsigned char FileName[4]; +0x0004 2f 10 00 00 unsigned char FileInformationClass[4]; +0x0008 cf 10 00 00 unsigned long FileIndex; +0x000c }; */ /* struct { unsigned long Length; +0x0000 unsigned long CompletionFilter; +0x0004 }; */ /* struct { unsigned long Length; +0x0000 unsigned char FileInformationClass[4]; +0x0004 cf 10 00 00 }; */ /* struct { unsigned long Length; +0x0000 unsigned char FileInformationClass[4]; +0x0004 cf 10 00 00 unsigned char FileObject[4]; +0x0008 b7 10 00 00 unsigned char ReplaceIfExists; +0x000c unsigned char AdvanceOnly; +0x000d unsigned long ClusterCount; +0x000c void *DeleteHandle; +0x000c }; */ /* struct { unsigned long Length; +0x0000 void *EaList; +0x0004 unsigned long EaListLength; +0x0008 unsigned long EaIndex; +0x000c }; */ /* struct { unsigned long Length; +0x0000 }; */ enum _FSINFOCLASS { FileFsVolumeInformation = 1, FileFsLabelInformation = 2, FileFsSizeInformation = 3, FileFsDeviceInformation = 4, FileFsAttributeInformation = 5, FileFsControlInformation = 6, FileFsFullSizeInformation = 7, FileFsObjectIdInformation = 8, FileFsDriverPathInformation = 9, FileFsVolumeFlagsInformation = 10, FileFsSectorSizeInformation = 11, FileFsMaximumInformation = 12 }; /* struct { unsigned long Length; +0x0000 unsigned char FsInformationClass[4]; +0x0004 dd 10 00 00 }; */ /* struct { unsigned long OutputBufferLength; +0x0000 unsigned long InputBufferLength; +0x0004 unsigned long FsControlCode; +0x0008 void *Type3InputBuffer; +0x000c }; */ /* struct { unsigned char Length[4]; +0x0000 e2 10 00 00 unsigned long Key; +0x0004 unsigned char ByteOffset[8]; +0x0008 3a 10 00 00 }; */ /* struct { unsigned long OutputBufferLength; +0x0000 unsigned long InputBufferLength; +0x0004 unsigned long IoControlCode; +0x0008 void *Type3InputBuffer; +0x000c }; */ /* struct { unsigned long SecurityInformation; +0x0000 unsigned long Length; +0x0004 }; */ /* struct { unsigned long SecurityInformation; +0x0000 void *SecurityDescriptor; +0x0004 }; */ /* struct { unsigned char Vpb[4]; +0x0000 ec 10 00 00 unsigned char DeviceObject[4]; +0x0004 ae 10 00 00 }; */ /* struct { unsigned char Srb[4]; +0x0000 f0 10 00 00 }; */ /* struct { unsigned long Length; +0x0000 void *StartSid; +0x0004 unsigned char SidList[4]; +0x0008 f4 10 00 00 unsigned long SidListLength; +0x000c }; */ enum _DEVICE_RELATION_TYPE { BusRelations = 0, EjectionRelations = 1, PowerRelations = 2, RemovalRelations = 3, TargetDeviceRelation = 4, SingleBusRelations = 5, TransportRelations = 6 }; /* struct { unsigned char Type[4]; +0x0000 f8 10 00 00 }; */ /* struct { unsigned char InterfaceType[4]; +0x0000 fd 10 00 00 unsigned short Size; +0x0004 unsigned short Version; +0x0006 unsigned char Interface[4]; +0x0008 ff 10 00 00 void *InterfaceSpecificData; +0x000c }; */ /* struct { unsigned char Capabilities[4]; +0x0000 03 11 00 00 }; */ /* struct { unsigned char IoResourceRequirementList[4]; +0x0000 07 11 00 00 }; */ /* struct { unsigned long WhichSpace; +0x0000 void *Buffer; +0x0004 unsigned long Offset; +0x0008 unsigned long Length; +0x000c }; */ /* struct { unsigned char Lock; +0x0000 }; */ enum BUS_QUERY_ID_TYPE { BusQueryDeviceID = 0, BusQueryHardwareIDs = 1, BusQueryCompatibleIDs = 2, BusQueryInstanceID = 3, BusQueryDeviceSerialNumber = 4, BusQueryContainerID = 5 }; /* struct { unsigned char IdType[4]; +0x0000 0f 11 00 00 }; */ enum DEVICE_TEXT_TYPE { DeviceTextDescription = 0, DeviceTextLocationInformation = 1 }; /* struct { unsigned char DeviceTextType[4]; +0x0000 13 11 00 00 unsigned long LocaleId; +0x0004 }; */ enum _DEVICE_USAGE_NOTIFICATION_TYPE { DeviceUsageTypeUndefined = 0, DeviceUsageTypePaging = 1, DeviceUsageTypeHibernation = 2, DeviceUsageTypeDumpFile = 3, DeviceUsageTypeBoot = 4 }; /* struct { unsigned char InPath; +0x0000 unsigned char Reserved[3]; +0x0001 16 11 00 00 unsigned char Type[4]; +0x0004 18 11 00 00 }; */ enum _SYSTEM_POWER_STATE { PowerSystemUnspecified = 0, PowerSystemWorking = 1, PowerSystemSleeping1 = 2, PowerSystemSleeping2 = 3, PowerSystemSleeping3 = 4, PowerSystemHibernate = 5, PowerSystemShutdown = 6, PowerSystemMaximum = 7 }; /* struct { unsigned char PowerState[4]; +0x0000 1c 11 00 00 }; */ /* struct { unsigned char PowerSequence[4]; +0x0000 20 11 00 00 }; */ enum _POWER_STATE_TYPE { SystemPowerState = 0, DevicePowerState = 1 }; enum POWER_ACTION { PowerActionNone = 0, PowerActionReserved = 1, PowerActionSleep = 2, PowerActionHibernate = 3, PowerActionShutdown = 4, PowerActionShutdownReset = 5, PowerActionShutdownOff = 6, PowerActionWarmEject = 7 }; /* struct { unsigned long SystemContext; +0x0000 unsigned char SystemPowerStateContext[4]; +0x0000 23 11 00 00 unsigned char Type[4]; +0x0004 25 11 00 00 unsigned char State[4]; +0x0008 26 11 00 00 unsigned char ShutdownType[4]; +0x000c 28 11 00 00 }; */ /* struct { unsigned char AllocatedResources[4]; +0x0000 2c 11 00 00 unsigned char AllocatedResourcesTranslated[4]; +0x0004 2c 11 00 00 }; */ /* struct { unsigned long ProviderId; +0x0000 void *DataPath; +0x0004 unsigned long BufferSize; +0x0008 void *Buffer; +0x000c }; */ /* struct { void *Argument1; +0x0000 void *Argument2; +0x0004 void *Argument3; +0x0008 void *Argument4; +0x000c }; */ /* struct { /* unsigned char Create[0]; +0x0000 c3 10 00 00 /* unsigned char CreatePipe[0]; +0x0000 c7 10 00 00 /* unsigned char CreateMailslot[0]; +0x0000 cb 10 00 00 /* unsigned char Read[0]; +0x0000 cd 10 00 00 /* unsigned char Write[0]; +0x0000 cd 10 00 00 /* unsigned char QueryDirectory[0]; +0x0000 d1 10 00 00 /* unsigned char NotifyDirectory[0]; +0x0000 d3 10 00 00 /* unsigned char QueryFile[0]; +0x0000 d5 10 00 00 /* unsigned char SetFile[0]; +0x0000 d7 10 00 00 /* unsigned char QueryEa[0]; +0x0000 d9 10 00 00 /* unsigned char SetEa[0]; +0x0000 db 10 00 00 /* unsigned char QueryVolume[0]; +0x0000 df 10 00 00 /* unsigned char SetVolume[0]; +0x0000 df 10 00 00 /* unsigned char FileSystemControl[0]; +0x0000 e1 10 00 00 /* unsigned char LockControl[0]; +0x0000 e4 10 00 00 /* unsigned char DeviceIoControl[0]; +0x0000 e6 10 00 00 /* unsigned char QuerySecurity[0]; +0x0000 e8 10 00 00 /* unsigned char SetSecurity[0]; +0x0000 ea 10 00 00 /* unsigned char MountVolume[0]; +0x0000 ee 10 00 00 /* unsigned char VerifyVolume[0]; +0x0000 ee 10 00 00 /* unsigned char Scsi[0]; +0x0000 f2 10 00 00 /* unsigned char QueryQuota[0]; +0x0000 f6 10 00 00 /* unsigned char SetQuota[0]; +0x0000 db 10 00 00 /* unsigned char QueryDeviceRelations[0]; +0x0000 fa 10 00 00 /* unsigned char QueryInterface[0]; +0x0000 01 11 00 00 /* unsigned char DeviceCapabilities[0]; +0x0000 05 11 00 00 /* unsigned char FilterResourceRequirements[0]; +0x0000 09 11 00 00 /* unsigned char ReadWriteConfig[0]; +0x0000 0b 11 00 00 /* unsigned char SetLock[0]; +0x0000 0d 11 00 00 /* unsigned char QueryId[0]; +0x0000 11 11 00 00 /* unsigned char QueryDeviceText[0]; +0x0000 15 11 00 00 /* unsigned char UsageNotification[0]; +0x0000 1a 11 00 00 /* unsigned char WaitWake[0]; +0x0000 1e 11 00 00 /* unsigned char PowerSequence[0]; +0x0000 22 11 00 00 /* unsigned char Power[0]; +0x0000 2a 11 00 00 /* unsigned char StartDevice[0]; +0x0000 2e 11 00 00 /* unsigned char WMI[0]; +0x0000 30 11 00 00 unsigned char Others[16]; +0x0000 32 11 00 00 }; */ struct _IO_STACK_LOCATION { unsigned char MajorFunction; /* +0x0000 */ unsigned char MinorFunction; /* +0x0001 */ unsigned char Flags; /* +0x0002 */ unsigned char Control; /* +0x0003 */ unsigned char Parameters[16]; /* +0x0004 34 11 00 00 */ unsigned char DeviceObject[4]; /* +0x0014 ae 10 00 00 */ unsigned char FileObject[4]; /* +0x0018 b7 10 00 00 */ unsigned char CompletionRoutine[4]; /* +0x001c 37 11 00 00 */ void *Context; /* +0x0020 */ }; /* struct { /* unsigned char ListEntry[0]; +0x0000 17 10 00 00 unsigned char Wcb[40]; +0x0000 49 11 00 00 }; */ struct _DEVICE_OBJECT { short Type; /* +0x0000 */ unsigned short Size; /* +0x0002 */ long ReferenceCount; /* +0x0004 */ unsigned char DriverObject[4]; /* +0x0008 46 11 00 00 */ unsigned char NextDevice[4]; /* +0x000c ae 10 00 00 */ unsigned char AttachedDevice[4]; /* +0x0010 ae 10 00 00 */ unsigned char CurrentIrp[4]; /* +0x0014 a1 10 00 00 */ unsigned char Timer[4]; /* +0x0018 48 11 00 00 */ unsigned long Flags; /* +0x001c */ unsigned long Characteristics; /* +0x0020 */ unsigned char Vpb[4]; /* +0x0024 ec 10 00 00 */ void *DeviceExtension; /* +0x0028 */ unsigned long DeviceType; /* +0x002c */ char StackSize; /* +0x0030 */ unsigned char Queue[40]; /* +0x0034 4b 11 00 00 */ unsigned long AlignmentRequirement; /* +0x005c */ unsigned char DeviceQueue[20]; /* +0x0060 4c 11 00 00 */ unsigned char Dpc[32]; /* +0x0074 3d 11 00 00 */ unsigned long ActiveThreadCount; /* +0x0094 */ void *SecurityDescriptor; /* +0x0098 */ unsigned char DeviceLock[16]; /* +0x009c 4b 10 00 00 */ unsigned short SectorSize; /* +0x00ac */ unsigned short Spare1; /* +0x00ae */ unsigned char DeviceObjectExtension[4]; /* +0x00b0 4e 11 00 00 */ void *Reserved; /* +0x00b4 */ }; struct _KDPC { unsigned char Type; /* +0x0000 */ unsigned char Importance; /* +0x0001 */ unsigned char Number[2]; /* +0x0002 55 11 00 00 */ unsigned char DpcListEntry[8]; /* +0x0004 17 10 00 00 */ unsigned char DeferredRoutine[4]; /* +0x000c 41 11 00 00 */ void *DeferredContext; /* +0x0010 */ void *SystemArgument1; /* +0x0014 */ void *SystemArgument2; /* +0x0018 */ void *DpcData; /* +0x001c */ }; struct _EVENT_DATA_DESCRIPTOR { unsigned long long Ptr; /* +0x0000 */ unsigned long Size; /* +0x0008 */ unsigned long Reserved; /* +0x000c */ }; struct _EVENT_DESCRIPTOR { unsigned short Id; /* +0x0000 */ unsigned char Version; /* +0x0002 */ unsigned char Channel; /* +0x0003 */ unsigned char Level; /* +0x0004 */ unsigned char Opcode; /* +0x0005 */ unsigned short Task; /* +0x0006 */ unsigned long long Keyword; /* +0x0008 */ }; enum _DEVICE_POWER_STATE { PowerDeviceUnspecified = 0, PowerDeviceD0 = 1, PowerDeviceD1 = 2, PowerDeviceD2 = 3, PowerDeviceD3 = 4, PowerDeviceMaximum = 5 }; enum _DEVICE_WAKE_DEPTH { DeviceWakeDepthNotWakeable = 0, DeviceWakeDepthD0 = 1, DeviceWakeDepthD1 = 2, DeviceWakeDepthD2 = 3, DeviceWakeDepthD3hot = 4, DeviceWakeDepthD3cold = 5, DeviceWakeDepthMaximum = 6 }; struct _RTL_SPLAY_LINKS { unsigned char Parent[4]; /* +0x0000 7c 11 00 00 */ unsigned char LeftChild[4]; /* +0x0004 7c 11 00 00 */ unsigned char RightChild[4]; /* +0x0008 7c 11 00 00 */ }; struct _RTL_DYNAMIC_HASH_TABLE_CONTEXT { unsigned char ChainHead[4]; /* +0x0000 18 10 00 00 */ unsigned char PrevLinkage[4]; /* +0x0004 18 10 00 00 */ unsigned long Signature; /* +0x0008 */ }; struct _RTL_DYNAMIC_HASH_TABLE_ENUMERATOR { unsigned char HashEntry[12]; /* +0x0000 86 11 00 00 */ unsigned char ChainHead[4]; /* +0x000c 18 10 00 00 */ unsigned long BucketIndex; /* +0x0010 */ }; struct _RTL_DYNAMIC_HASH_TABLE { unsigned long Flags; /* +0x0000 */ unsigned long Shift; /* +0x0004 */ unsigned long TableSize; /* +0x0008 */ unsigned long Pivot; /* +0x000c */ unsigned long DivisorMask; /* +0x0010 */ unsigned long NumEntries; /* +0x0014 */ unsigned long NonEmptyBuckets; /* +0x0018 */ unsigned long NumEnumerators; /* +0x001c */ void *Directory; /* +0x0020 */ }; struct _IO_DRIVER_CREATE_CONTEXT { short Size; /* +0x0000 */ unsigned char ExtraCreateParameter[4]; /* +0x0004 95 11 00 00 */ void *DeviceObjectHint; /* +0x0008 */ unsigned char TxnParameters[4]; /* +0x000c 97 11 00 00 */ }; enum _WHEA_ERROR_TYPE { WheaErrTypeProcessor = 0, WheaErrTypeMemory = 1, WheaErrTypePCIExpress = 2, WheaErrTypeNMI = 3, WheaErrTypePCIXBus = 4, WheaErrTypePCIXDevice = 5, WheaErrTypeGeneric = 6 }; enum _WHEA_ERROR_SEVERITY { WheaErrSevRecoverable = 0, WheaErrSevFatal = 1, WheaErrSevCorrected = 2, WheaErrSevInformational = 3 }; enum _WHEA_ERROR_SOURCE_TYPE { WheaErrSrcTypeMCE = 0, WheaErrSrcTypeCMC = 1, WheaErrSrcTypeCPE = 2, WheaErrSrcTypeNMI = 3, WheaErrSrcTypePCIe = 4, WheaErrSrcTypeGeneric = 5, WheaErrSrcTypeINIT = 6, WheaErrSrcTypeBOOT = 7, WheaErrSrcTypeSCIGeneric = 8, WheaErrSrcTypeIPFMCA = 9, WheaErrSrcTypeIPFCMC = 10, WheaErrSrcTypeIPFCPE = 11, WheaErrSrcTypeMax = 12 }; enum _WHEA_ERROR_PACKET_DATA_FORMAT { WheaDataFormatIPFSalRecord = 0, WheaDataFormatXPFMCA = 1, WheaDataFormatMemory = 2, WheaDataFormatPCIExpress = 3, WheaDataFormatNMIPort = 4, WheaDataFormatPCIXBus = 5, WheaDataFormatPCIXDevice = 6, WheaDataFormatGeneric = 7, WheaDataFormatMax = 8 }; struct _WHEA_ERROR_PACKET_V2 { unsigned long Signature; /* +0x0000 */ unsigned long Version; /* +0x0004 */ unsigned long Length; /* +0x0008 */ unsigned char Flags[4]; /* +0x000c 9c 11 00 00 */ unsigned char ErrorType[4]; /* +0x0010 9e 11 00 00 */ unsigned char ErrorSeverity[4]; /* +0x0014 a0 11 00 00 */ unsigned long ErrorSourceId; /* +0x0018 */ unsigned char ErrorSourceType[4]; /* +0x001c a2 11 00 00 */ unsigned char NotifyType[16]; /* +0x0020 fb 10 00 00 */ unsigned long long Context; /* +0x0030 */ unsigned char DataFormat[4]; /* +0x0038 a4 11 00 00 */ unsigned long Reserved1; /* +0x003c */ unsigned long DataOffset; /* +0x0040 */ unsigned long DataLength; /* +0x0044 */ unsigned long PshedDataOffset; /* +0x0048 */ unsigned long PshedDataLength; /* +0x004c */ }; struct _WHEA_ERROR_RECORD { unsigned char Header[128]; /* +0x0000 a9 11 00 00 */ unsigned char SectionDescriptor[72]; /* +0x0080 ab 11 00 00 */ }; struct _WHEA_ERROR_RECORD_SECTION_DESCRIPTOR { unsigned long SectionOffset; /* +0x0000 */ unsigned long SectionLength; /* +0x0004 */ unsigned char Revision[2]; /* +0x0008 b0 11 00 00 */ unsigned char ValidBits[1]; /* +0x000a b1 11 00 00 */ unsigned char Reserved; /* +0x000b */ unsigned char Flags[4]; /* +0x000c b2 11 00 00 */ unsigned char SectionType[16]; /* +0x0010 fb 10 00 00 */ unsigned char FRUId[16]; /* +0x0020 fb 10 00 00 */ unsigned char SectionSeverity[4]; /* +0x0030 a0 11 00 00 */ unsigned char FRUText[20]; /* +0x0034 b3 11 00 00 */ }; struct _GUID { unsigned long Data1; /* +0x0000 */ unsigned short Data2; /* +0x0004 */ unsigned short Data3; /* +0x0006 */ unsigned char Data4[8]; /* +0x0008 bb 11 00 00 */ }; enum _IO_PRIORITY_HINT { IoPriorityVeryLow = 0, IoPriorityLow = 1, IoPriorityNormal = 2, IoPriorityHigh = 3, IoPriorityCritical = 4, MaxIoPriorityTypes = 5 }; struct _IO_PRIORITY_INFO { unsigned long Size; /* +0x0000 */ unsigned long ThreadPriority; /* +0x0004 */ unsigned long PagePriority; /* +0x0008 */ unsigned char IoPriority[4]; /* +0x000c c4 11 00 00 */ }; struct _FSRTL_ADVANCED_FCB_HEADER { short NodeTypeCode; /* +0x0000 */ short NodeByteSize; /* +0x0002 */ unsigned char Flags; /* +0x0004 */ unsigned char IsFastIoPossible; /* +0x0005 */ unsigned char Flags2; /* +0x0006 */ /* unsigned char Reserved[0]; +0x0007 ca 11 00 00 */ unsigned char Version[1]; /* +0x0007 cb 11 00 00 */ unsigned char Resource[4]; /* +0x0008 cd 11 00 00 */ unsigned char PagingIoResource[4]; /* +0x000c cd 11 00 00 */ unsigned char AllocationSize[8]; /* +0x0010 3a 10 00 00 */ unsigned char FileSize[8]; /* +0x0018 3a 10 00 00 */ unsigned char ValidDataLength[8]; /* +0x0020 3a 10 00 00 */ unsigned char FastMutex[4]; /* +0x0028 4a 10 00 00 */ unsigned char FilterContexts[8]; /* +0x002c 17 10 00 00 */ unsigned long PushLock; /* +0x0034 */ unsigned char FileContextSupportPointer[4]; /* +0x0038 4e 10 00 00 */ void *Oplock; /* +0x003c */ void *ReservedForRemote; /* +0x003c */ }; struct _EX_PUSH_LOCK { /* unsigned char Locked[0]; +0x0000 d5 11 00 00 */ /* unsigned char Waiting[0]; +0x0000 d6 11 00 00 */ /* unsigned char Waking[0]; +0x0000 d7 11 00 00 */ /* unsigned char MultipleShared[0]; +0x0000 d8 11 00 00 */ /* unsigned char Shared[0]; +0x0000 d9 11 00 00 */ unsigned long Value; /* +0x0000 */ void *Ptr; /* +0x0000 */ }; struct _PROCESSOR_NUMBER { unsigned short Group; /* +0x0000 */ unsigned char Number; /* +0x0002 */ unsigned char Reserved; /* +0x0003 */ }; struct _EX_PUSH_LOCK_CACHE_AWARE { unsigned char Locks[128]; /* +0x0000 ec 11 00 00 */ }; /* struct { /* unsigned char InitialPrivilegeSet[0]; +0x0000 f6 11 00 00 unsigned char PrivilegeSet[44]; +0x0000 f7 11 00 00 }; */ struct _ACCESS_STATE { unsigned char OperationID[8]; /* +0x0000 8d 11 00 00 */ unsigned char SecurityEvaluated; /* +0x0008 */ unsigned char GenerateAudit; /* +0x0009 */ unsigned char GenerateOnClose; /* +0x000a */ unsigned char PrivilegesAllocated; /* +0x000b */ unsigned long Flags; /* +0x000c */ unsigned long RemainingDesiredAccess; /* +0x0010 */ unsigned long PreviouslyGrantedAccess; /* +0x0014 */ unsigned long OriginalDesiredAccess; /* +0x0018 */ unsigned char SubjectSecurityContext[16]; /* +0x001c f5 11 00 00 */ void *SecurityDescriptor; /* +0x002c */ void *AuxData; /* +0x0030 */ unsigned char Privileges[44]; /* +0x0034 f9 11 00 00 */ unsigned char AuditPrivileges; /* +0x0060 */ unsigned char ObjectName[8]; /* +0x0064 2e 10 00 00 */ unsigned char ObjectTypeName[8]; /* +0x006c 2e 10 00 00 */ }; struct _AUX_ACCESS_DATA { unsigned char PrivilegesUsed[4]; /* +0x0000 fe 11 00 00 */ unsigned char GenericMapping[16]; /* +0x0004 ff 11 00 00 */ unsigned long AccessesToAudit; /* +0x0014 */ unsigned long MaximumAuditMask; /* +0x0018 */ unsigned char TransactionId[16]; /* +0x001c fb 10 00 00 */ void *NewSecurityDescriptor; /* +0x002c */ void *ExistingSecurityDescriptor; /* +0x0030 */ void *ParentSecurityDescriptor; /* +0x0034 */ unsigned char DeRefSecurityDescriptor[4]; /* +0x0038 02 12 00 00 */ void *SDLock; /* +0x003c */ unsigned char AccessReasons[128]; /* +0x0040 03 12 00 00 */ unsigned char GenerateStagingEvents; /* +0x00c0 */ }; struct _TREE_NODE { unsigned char Link[12]; /* +0x0000 7b 11 00 00 */ unsigned char TreeRoot[4]; /* +0x000c 09 12 00 00 */ void *Key1; /* +0x0010 */ void *Key2; /* +0x0014 */ unsigned long Flags; /* +0x0018 */ }; struct _ERESOURCE { unsigned char SystemResourcesList[8]; /* +0x0000 17 10 00 00 */ unsigned char OwnerTable[4]; /* +0x0008 13 12 00 00 */ short ActiveCount; /* +0x000c */ unsigned short Flag; /* +0x000e */ unsigned char ReservedLowFlags; /* +0x000e */ unsigned char WaiterPriority; /* +0x000f */ unsigned char SharedWaiters[4]; /* +0x0010 15 12 00 00 */ unsigned char ExclusiveWaiters[4]; /* +0x0014 4f 10 00 00 */ unsigned char OwnerEntry[8]; /* +0x0018 12 12 00 00 */ unsigned long ActiveEntries; /* +0x0020 */ unsigned long ContentionCount; /* +0x0024 */ unsigned long NumberOfSharedWaiters; /* +0x0028 */ unsigned long NumberOfExclusiveWaiters; /* +0x002c */ void *Address; /* +0x0030 */ unsigned long CreatorBackTraceIndex; /* +0x0030 */ unsigned long SpinLock; /* +0x0034 */ }; struct _FLT_MUTEX_LIST_HEAD { unsigned char mLock[32]; /* +0x0000 49 10 00 00 */ unsigned char mList[8]; /* +0x0020 17 10 00 00 */ unsigned long mCount; /* +0x0028 */ unsigned char mInvalid[4]; /* +0x0028 2b 12 00 00 */ }; struct _FLT_RESOURCE_LIST_HEAD { unsigned char rLock[56]; /* +0x0000 cc 11 00 00 */ unsigned char rList[8]; /* +0x0038 17 10 00 00 */ unsigned long rCount; /* +0x0040 */ }; /* struct { /* unsigned char Volume[0]; +0x0000 43 12 00 00 /* unsigned char Instance[0]; +0x0000 45 12 00 00 /* unsigned char StreamList[0]; +0x0000 47 12 00 00 /* unsigned char FileList[0]; +0x0000 49 12 00 00 void *Pointer; +0x0000 unsigned long Data; +0x0000 }; */ struct _CONTEXT_NODE { /* unsigned char TxCtxExtension[0]; +0x0000 3d 12 00 00 */ /* unsigned char SectionCtxExtension[0]; +0x0000 3f 12 00 00 */ void *Data; /* +0x0000 */ unsigned char RegInfo[4]; /* +0x0004 41 12 00 00 */ unsigned char AttachedObject[4]; /* +0x0008 4b 12 00 00 */ /* unsigned char TreeLink[0]; +0x000c 06 12 00 00 */ unsigned char FltWork[28]; /* +0x000c 4c 12 00 00 */ long UseCount; /* +0x0028 */ }; struct _CONTEXT_LIST_CTRL { unsigned char List[4]; /* +0x0000 08 12 00 00 */ }; struct _NAME_CACHE_CONTEXT { unsigned char ProvidingInstance[8]; /* +0x0000 45 12 00 00 */ unsigned char CreationTime[8]; /* +0x0008 3a 10 00 00 */ }; struct _KSYSTEM_TIME { unsigned long LowPart; /* +0x0000 */ long High1Time; /* +0x0004 */ long High2Time; /* +0x0008 */ }; struct _FLT_CALLBACK_DATA { unsigned long Flags; /* +0x0000 */ unsigned char Thread[4]; /* +0x0004 63 12 00 00 */ unsigned char Iopb[4]; /* +0x0008 65 12 00 00 */ unsigned char IoStatus[8]; /* +0x000c a4 10 00 00 */ unsigned char TagData[4]; /* +0x0014 67 12 00 00 */ unsigned char QueueLinks[8]; /* +0x0018 17 10 00 00 */ /* unsigned char QueueContext[-8]; +0x0020 68 12 00 00 */ unsigned char FilterContext[16]; /* +0x0018 b3 10 00 00 */ char RequestorMode; /* +0x0028 */ }; struct _KLOCK_QUEUE_HANDLE { unsigned char LockQueue[8]; /* +0x0000 70 12 00 00 */ unsigned char OldIrql; /* +0x0008 */ }; struct _COMPLETION_NODE_TRACKING_LIST { unsigned long Lock; /* +0x0000 */ unsigned char ActiveList[8]; /* +0x0004 17 10 00 00 */ unsigned char WaitingList[8]; /* +0x000c 17 10 00 00 */ unsigned char TrackCtrl[4]; /* +0x0014 76 12 00 00 */ }; /* struct { unsigned char Icc[4]; +0x0000 89 12 00 00 }; */ /* struct { unsigned char SwappedBufferMdl[4]; +0x0000 8d 10 00 00 }; */ /* struct { unsigned char NameCacheCtrl[4]; +0x0000 92 12 00 00 void *SavedFsContext; +0x0004 unsigned char SavedFileName[8]; +0x0008 2e 10 00 00 }; */ /* struct { unsigned char StreamListCtrl[4]; +0x0000 47 12 00 00 }; */ struct _IRP_CTRL { unsigned char Type[4]; /* +0x0000 7e 12 00 00 */ unsigned long Flags; /* +0x0004 */ unsigned char MajorFunction; /* +0x0008 */ unsigned char Reserved0; /* +0x0009 */ unsigned char CompletionStackLength; /* +0x000a */ unsigned char NextCompletion; /* +0x000b */ unsigned char CompletionStack[4]; /* +0x000c 80 12 00 00 */ unsigned char SyncEvent[16]; /* +0x0010 4b 10 00 00 */ /* unsigned char Irp[0]; +0x0020 a1 10 00 00 */ unsigned char FsFilterData[4]; /* +0x0020 82 12 00 00 */ unsigned char AsyncCompletionRoutine[4]; /* +0x0024 85 12 00 00 */ void *AsyncCompletionContext; /* +0x0028 */ unsigned char InitiatingInstance[4]; /* +0x002c 45 12 00 00 */ /* unsigned char PendingCallbackNode[0]; +0x0030 87 12 00 00 */ unsigned char StartingCallbackNode[4]; /* +0x0030 87 12 00 00 */ /* unsigned char preOp[0]; +0x0034 8b 12 00 00 */ unsigned char postOp[4]; /* +0x0034 8d 12 00 00 */ unsigned char PostCompletionRoutine[4]; /* +0x0038 90 12 00 00 */ unsigned char DeviceObject[4]; /* +0x003c ae 10 00 00 */ unsigned char FileObject[4]; /* +0x0040 b7 10 00 00 */ /* unsigned char FltWork[0]; +0x0044 4c 12 00 00 */ void *PendingCallbackContext; /* +0x0044 */ unsigned char CachedCompletionNode[4]; /* +0x0048 80 12 00 00 */ long PendingStatus; /* +0x004c */ /* unsigned char CreateIrp[0]; +0x0058 94 12 00 00 */ unsigned char CloseIrp[16]; /* +0x0058 96 12 00 00 */ unsigned char OperationTimestamp[16]; /* +0x0068 97 12 00 00 */ long TraceStatus; /* +0x0078 */ unsigned char Data[44]; /* +0x007c 61 12 00 00 */ unsigned char WorkingParameters[48]; /* +0x00a8 64 12 00 00 */ }; struct _COMPLETION_NODE { unsigned char IrpCtrl[4]; /* +0x0000 7d 12 00 00 */ /* unsigned char CallbackNode[0]; +0x0004 87 12 00 00 */ unsigned char Filter[4]; /* +0x0004 9c 12 00 00 */ unsigned char InstanceLink[8]; /* +0x0008 17 10 00 00 */ unsigned char InstanceTrackingList[4]; /* +0x0010 74 12 00 00 */ void *Context; /* +0x0014 */ unsigned char DataSnapshot[44]; /* +0x0018 64 12 00 00 */ unsigned short Flags; /* +0x0044 */ }; enum _FLT_VOLUME_FLAGS { VOLFL_NETWORK_FILESYSTEM = 1, VOLFL_PENDING_MOUNT_SETUP_NOTIFIES = 2, VOLFL_MOUNT_SETUP_NOTIFIES_CALLED = 4, VOLFL_MOUNTING = 8, VOLFL_SENT_SHUTDOWN_IRP = 16, VOLFL_ENABLE_NAME_CACHING = 32, VOLFL_FILTER_EVER_ATTACHED = 64, VOLFL_STANDARD_LINK_NOT_SUPPORTED = 128, VOLFL_ENABLE_DATASCAN = 256, VOLFL_READ_ONLY_DATASCAN = 512, VOLFL_SUPPORTED_FEATURES_KNOWN = 1024 }; enum _FLT_FILESYSTEM_TYPE { FLT_FSTYPE_UNKNOWN = 0, FLT_FSTYPE_RAW = 1, FLT_FSTYPE_NTFS = 2, FLT_FSTYPE_FAT = 3, FLT_FSTYPE_CDFS = 4, FLT_FSTYPE_UDFS = 5, FLT_FSTYPE_LANMAN = 6, FLT_FSTYPE_WEBDAV = 7, FLT_FSTYPE_RDPDR = 8, FLT_FSTYPE_NFS = 9, FLT_FSTYPE_MS_NETWARE = 10, FLT_FSTYPE_NETWARE = 11, FLT_FSTYPE_BSUDF = 12, FLT_FSTYPE_MUP = 13, FLT_FSTYPE_RSFX = 14, FLT_FSTYPE_ROXIO_UDF1 = 15, FLT_FSTYPE_ROXIO_UDF2 = 16, FLT_FSTYPE_ROXIO_UDF3 = 17, FLT_FSTYPE_TACIT = 18, FLT_FSTYPE_FS_REC = 19, FLT_FSTYPE_INCD = 20, FLT_FSTYPE_INCD_FAT = 21, FLT_FSTYPE_EXFAT = 22, FLT_FSTYPE_PSFS = 23, FLT_FSTYPE_GPFS = 24, FLT_FSTYPE_NPFS = 25, FLT_FSTYPE_MSFS = 26, FLT_FSTYPE_CSVFS = 27 }; struct _FLT_VOLUME { unsigned char Base[20]; /* +0x0000 a5 12 00 00 */ unsigned char Flags[4]; /* +0x0014 a7 12 00 00 */ unsigned char FileSystemType[4]; /* +0x0018 a9 12 00 00 */ unsigned char DeviceObject[4]; /* +0x001c ae 10 00 00 */ unsigned char DiskDeviceObject[4]; /* +0x0020 ae 10 00 00 */ unsigned char FrameZeroVolume[4]; /* +0x0024 43 12 00 00 */ unsigned char VolumeInNextFrame[4]; /* +0x0028 43 12 00 00 */ unsigned char Frame[4]; /* +0x002c ab 12 00 00 */ unsigned char DeviceName[8]; /* +0x0030 2e 10 00 00 */ unsigned char GuidName[8]; /* +0x0038 2e 10 00 00 */ unsigned char CDODeviceName[8]; /* +0x0040 2e 10 00 00 */ unsigned char CDODriverName[8]; /* +0x0048 2e 10 00 00 */ unsigned char InstanceList[68]; /* +0x0050 33 12 00 00 */ unsigned char Callbacks[600]; /* +0x0094 ac 12 00 00 */ unsigned char ContextLock[4]; /* +0x02ec d3 11 00 00 */ unsigned char VolumeContexts[4]; /* +0x02f0 4f 12 00 00 */ unsigned char StreamListCtrls[68]; /* +0x02f4 33 12 00 00 */ unsigned char FileListCtrls[72]; /* +0x0338 33 12 00 00 */ unsigned char NameCacheCtrl[152]; /* +0x0380 ad 12 00 00 */ unsigned char MountNotifyLock[56]; /* +0x0418 cc 11 00 00 */ long TargetedOpenActiveCount; /* +0x0450 */ unsigned char TxVolContextListLock[4]; /* +0x0454 d3 11 00 00 */ unsigned char TxVolContexts[4]; /* +0x0458 08 12 00 00 */ long SupportedFeatures; /* +0x045c */ }; enum _CALLBACK_NODE_FLAGS { CBNFL_SKIP_PAGING_IO = 1, CBNFL_SKIP_CACHED_IO = 2, CBNFL_USE_NAME_CALLBACK_EX = 4, CBNFL_SKIP_NON_DASD_IO = 8 }; struct _FILE_OBJECT { short Type; /* +0x0000 */ short Size; /* +0x0002 */ unsigned char DeviceObject[4]; /* +0x0004 ae 10 00 00 */ unsigned char Vpb[4]; /* +0x0008 ec 10 00 00 */ void *FsContext; /* +0x000c */ void *FsContext2; /* +0x0010 */ unsigned char SectionObjectPointer[4]; /* +0x0014 b5 12 00 00 */ void *PrivateCacheMap; /* +0x0018 */ long FinalStatus; /* +0x001c */ unsigned char RelatedFileObject[4]; /* +0x0020 b7 10 00 00 */ unsigned char LockOperation; /* +0x0024 */ unsigned char DeletePending; /* +0x0025 */ unsigned char ReadAccess; /* +0x0026 */ unsigned char WriteAccess; /* +0x0027 */ unsigned char DeleteAccess; /* +0x0028 */ unsigned char SharedRead; /* +0x0029 */ unsigned char SharedWrite; /* +0x002a */ unsigned char SharedDelete; /* +0x002b */ unsigned long Flags; /* +0x002c */ unsigned char FileName[8]; /* +0x0030 2e 10 00 00 */ unsigned char CurrentByteOffset[8]; /* +0x0038 3a 10 00 00 */ unsigned long Waiters; /* +0x0040 */ unsigned long Busy; /* +0x0044 */ void *LastLock; /* +0x0048 */ unsigned char Lock[16]; /* +0x004c 4b 10 00 00 */ unsigned char Event[16]; /* +0x005c 4b 10 00 00 */ unsigned char CompletionContext[4]; /* +0x006c b7 12 00 00 */ unsigned long IrpListLock; /* +0x0070 */ unsigned char IrpList[8]; /* +0x0074 17 10 00 00 */ void *FileObjectExtension; /* +0x007c */ }; struct _FLTP_FRAME { unsigned char Type[4]; /* +0x0000 7e 12 00 00 */ unsigned char Links[8]; /* +0x0004 17 10 00 00 */ unsigned long FrameID; /* +0x000c */ unsigned char AltitudeIntervalLow[8]; /* +0x0010 2e 10 00 00 */ unsigned char AltitudeIntervalHigh[8]; /* +0x0018 2e 10 00 00 */ unsigned char LargeIrpCtrlStackSize; /* +0x0020 */ unsigned char SmallIrpCtrlStackSize; /* +0x0021 */ unsigned char RegisteredFilters[68]; /* +0x0024 33 12 00 00 */ unsigned char AttachedVolumes[68]; /* +0x0068 33 12 00 00 */ unsigned char MountingVolumes[8]; /* +0x00ac 17 10 00 00 */ unsigned char AttachedFileSystems[44]; /* +0x00b4 29 12 00 00 */ unsigned char ZombiedFltObjectContexts[44]; /* +0x00e0 29 12 00 00 */ void *KtmResourceManagerHandle; /* +0x010c */ unsigned char KtmResourceManager[4]; /* +0x0110 bb 12 00 00 */ unsigned char FilterUnloadLock[56]; /* +0x0114 cc 11 00 00 */ unsigned char DeviceObjectAttachLock[32]; /* +0x014c 49 10 00 00 */ unsigned char Prcb[4]; /* +0x016c bd 12 00 00 */ void *PrcbPoolToFree; /* +0x0170 */ void *LookasidePoolToFree; /* +0x0174 */ unsigned char IrpCtrlStackProfiler[200]; /* +0x0178 be 12 00 00 */ unsigned char SmallIrpCtrlLookasideList[128]; /* +0x0240 77 10 00 00 */ unsigned char LargeIrpCtrlLookasideList[80]; /* +0x02c0 77 10 00 00 */ unsigned char BackpocketIrpCtrls[112]; /* +0x0310 bf 12 00 00 */ }; struct _FLT_PRCB { unsigned char PPIrpCtrlLookasideLists[64]; /* +0x0000 c4 12 00 00 */ }; enum ICC_FLAGS { ICCFL_SKIP_STARTING_NODE = 1, ICCFL_SKIP_DEREF = 2, ICCFL_DO_LEGACY_PROCESSING = 4, ICCFL_DO_SKIP = 8, ICCFL_TARGETED_NAME_PROVIDERS = 16, ICCFL_NESTED_FASTIO_OPERATION = 256, ICCFL_DO_FOCTX_CLEANUP = 512, ICCFL_USE_EXISTING_STARTING_NODE = 1024 }; struct _IRP_CALL_CTRL { unsigned char Volume[4]; /* +0x0000 43 12 00 00 */ unsigned char Irp[4]; /* +0x0004 a1 10 00 00 */ unsigned char IrpCtrl[4]; /* +0x0008 7d 12 00 00 */ unsigned char StartingCallbackNode[4]; /* +0x000c 87 12 00 00 */ unsigned char OperationStatusCallbackListHead[4]; /* +0x0010 29 10 00 00 */ unsigned char Flags[4]; /* +0x0014 c8 12 00 00 */ }; struct _VOLUME_DEVICE_EXTENSION { unsigned char Type[4]; /* +0x0000 7e 12 00 00 */ unsigned char AttachedToDeviceObject[4]; /* +0x0004 ae 10 00 00 */ unsigned char Frame[4]; /* +0x0008 ab 12 00 00 */ unsigned char VolumeAccessLock[32]; /* +0x000c 49 10 00 00 */ unsigned char Volume[4]; /* +0x002c 43 12 00 00 */ }; enum _FLT_PREOP_CALLBACK_STATUS { FLT_PREOP_SUCCESS_WITH_CALLBACK = 0, FLT_PREOP_SUCCESS_NO_CALLBACK = 1, FLT_PREOP_PENDING = 2, FLT_PREOP_DISALLOW_FASTIO = 3, FLT_PREOP_COMPLETE = 4, FLT_PREOP_SYNCHRONIZE = 5, FLT_PREOP_USE_DATA_NODE = 10000 }; enum _FLT_POSTOP_CALLBACK_STATUS { FLT_POSTOP_FINISHED_PROCESSING = 0, FLT_POSTOP_MORE_PROCESSING_REQUIRED = 1 }; struct _CALLBACK_NODE { unsigned char CallbackLinks[8]; /* +0x0000 17 10 00 00 */ unsigned char Instance[4]; /* +0x0008 45 12 00 00 */ unsigned char PreOperation[4]; /* +0x000c d9 12 00 00 */ /* unsigned char PostOperation[-4]; +0x0010 de 12 00 00 */ /* unsigned char GenerateFileName[0]; +0x000c e3 12 00 00 */ /* unsigned char NormalizeNameComponent[0]; +0x000c ea 12 00 00 */ unsigned char NormalizeNameComponentEx[4]; /* +0x000c ed 12 00 00 */ unsigned char NormalizeContextCleanup[4]; /* +0x0010 f0 12 00 00 */ unsigned char Flags[4]; /* +0x0014 b1 12 00 00 */ }; enum _WORK_QUEUE_TYPE { CriticalWorkQueue = 0, DelayedWorkQueue = 1, HyperCriticalWorkQueue = 2, NormalWorkQueue = 3, BackgroundWorkQueue = 4, MaximumWorkQueue = 5 }; struct _ASYNC_IO_COMPLETION_CONTEXT { unsigned char UserCallback[4]; /* +0x0000 85 12 00 00 */ void *UserContext; /* +0x0004 */ }; enum _FLT_INSTANCE_FLAGS { INSFL_CAN_BE_DETACHED = 1, INSFL_DELETING = 2, INSFL_INITING = 4, INSFL_VOLUME_ATTRIBUTES_QUERIED = 8, INSFL_SUPPORTS_NAMED_STREAMS = 16 }; struct _FLT_INSTANCE { unsigned char Base[20]; /* +0x0000 a5 12 00 00 */ unsigned char OperationRundownRef[4]; /* +0x0014 06 13 00 00 */ unsigned char Volume[4]; /* +0x0018 43 12 00 00 */ unsigned char Filter[4]; /* +0x001c 9c 12 00 00 */ unsigned char Flags[4]; /* +0x0020 08 13 00 00 */ unsigned char Altitude[8]; /* +0x0024 2e 10 00 00 */ unsigned char Name[8]; /* +0x002c 2e 10 00 00 */ unsigned char FilterLink[8]; /* +0x0034 17 10 00 00 */ unsigned char ContextLock[4]; /* +0x003c d3 11 00 00 */ unsigned char Context[4]; /* +0x0040 3b 12 00 00 */ unsigned char TransactionContexts[4]; /* +0x0044 4f 12 00 00 */ unsigned char TrackCompletionNodes[4]; /* +0x0048 76 12 00 00 */ unsigned char CallbackNodes[200]; /* +0x004c 09 13 00 00 */ }; enum _FLT_FILTER_FLAGS { FLTFL_MANDATORY_UNLOAD_IN_PROGRESS = 1, FLTFL_FILTERING_INITIATED = 2, FLTFL_NAME_PROVIDER = 4, FLTFL_SUPPORTS_PIPES_MAILSLOTS = 8 }; struct _FLT_FILTER { unsigned char Base[20]; /* +0x0000 a5 12 00 00 */ unsigned char Frame[4]; /* +0x0014 ab 12 00 00 */ unsigned char Name[8]; /* +0x0018 2e 10 00 00 */ unsigned char DefaultAltitude[8]; /* +0x0020 2e 10 00 00 */ unsigned char Flags[4]; /* +0x0028 0e 13 00 00 */ unsigned char DriverObject[4]; /* +0x002c 46 11 00 00 */ unsigned char InstanceList[68]; /* +0x0030 33 12 00 00 */ unsigned char VerifierExtension[4]; /* +0x0074 10 13 00 00 */ unsigned char VerifiedFiltersLink[8]; /* +0x0078 17 10 00 00 */ unsigned char FilterUnload[4]; /* +0x0080 12 13 00 00 */ unsigned char InstanceSetup[4]; /* +0x0084 15 13 00 00 */ unsigned char InstanceQueryTeardown[4]; /* +0x0088 18 13 00 00 */ unsigned char InstanceTeardownStart[4]; /* +0x008c 1a 13 00 00 */ unsigned char InstanceTeardownComplete[4]; /* +0x0090 1a 13 00 00 */ unsigned char SupportedContextsListHead[4]; /* +0x0094 41 12 00 00 */ unsigned char SupportedContexts[28]; /* +0x0098 1b 13 00 00 */ unsigned char PreVolumeMount[4]; /* +0x00b4 d9 12 00 00 */ unsigned char PostVolumeMount[4]; /* +0x00b8 de 12 00 00 */ unsigned char GenerateFileName[4]; /* +0x00bc e3 12 00 00 */ unsigned char NormalizeNameComponent[4]; /* +0x00c0 ea 12 00 00 */ unsigned char NormalizeNameComponentEx[4]; /* +0x00c4 ed 12 00 00 */ unsigned char NormalizeContextCleanup[4]; /* +0x00c8 f0 12 00 00 */ unsigned char KtmNotification[4]; /* +0x00cc 1e 13 00 00 */ unsigned char SectionNotification[4]; /* +0x00d0 21 13 00 00 */ unsigned char Operations[4]; /* +0x00d4 23 13 00 00 */ unsigned char OldDriverUnload[4]; /* +0x00d8 26 13 00 00 */ unsigned char ActiveOpens[44]; /* +0x00dc 29 12 00 00 */ unsigned char ConnectionList[44]; /* +0x0108 29 12 00 00 */ unsigned char PortList[44]; /* +0x0134 29 12 00 00 */ unsigned char PortLock[4]; /* +0x0160 d3 11 00 00 */ }; struct _NAME_CONTROL { unsigned char Name[8]; /* +0x0000 2e 10 00 00 */ unsigned char *AllocatedBuffer; /* +0x0008 */ unsigned long BufferSize; /* +0x000c */ unsigned short ShareNameLength; /* +0x0010 */ unsigned short StreamNameLength; /* +0x0012 */ unsigned char SmallBuffer[256]; /* +0x0014 2b 13 00 00 */ }; struct _PERFINFO_GROUPMASK { unsigned char Masks[32]; /* +0x0000 33 13 00 00 */ }; struct _ALLOCATE_CONTEXT_ROUTINES { unsigned char Filter[4]; /* +0x0000 9c 12 00 00 */ unsigned char ContextCleanupCallback[4]; /* +0x0004 3b 13 00 00 */ unsigned char Next[4]; /* +0x0008 41 12 00 00 */ unsigned short ContextType; /* +0x000c */ unsigned char Flags; /* +0x000e */ unsigned char AllocationType; /* +0x000f */ unsigned char ContextAllocateCallback[4]; /* +0x0010 3e 13 00 00 */ unsigned char ContextFreeCallback[4]; /* +0x0014 3b 13 00 00 */ }; enum _INTERFACE_TYPE { InterfaceTypeUndefined = -1, Internal = 0, Isa = 1, Eisa = 2, MicroChannel = 3, TurboChannel = 4, PCIBus = 5, VMEBus = 6, NuBus = 7, PCMCIABus = 8, CBus = 9, MPIBus = 10, MPSABus = 11, ProcessorInternal = 12, InternalPowerBus = 13, PNPISABus = 14, PNPBus = 15, Vmcs = 16, ACPIBus = 17, MaximumInterfaceType = 18 }; struct _IO_RESOURCE_REQUIREMENTS_LIST { unsigned long ListSize; /* +0x0000 */ unsigned char InterfaceType[4]; /* +0x0004 42 13 00 00 */ unsigned long BusNumber; /* +0x0008 */ unsigned long SlotNumber; /* +0x000c */ unsigned char Reserved[12]; /* +0x0010 43 13 00 00 */ unsigned long AlternativeLists; /* +0x001c */ unsigned char List[40]; /* +0x0020 45 13 00 00 */ }; struct _DISPATCHER_HEADER { unsigned char Type; /* +0x0000 */ unsigned char TimerControlFlags; /* +0x0001 */ /* unsigned char Absolute[0]; +0x0001 2b 12 00 00 */ /* unsigned char Wake[0]; +0x0001 48 13 00 00 */ /* unsigned char Coalescable[0]; +0x0001 49 13 00 00 */ /* unsigned char KeepShifting[0]; +0x0001 4a 13 00 00 */ /* unsigned char EncodedTolerableDelay[0]; +0x0001 cb 11 00 00 */ unsigned char Abandoned; /* +0x0001 */ unsigned char Signalling; /* +0x0001 */ unsigned char ThreadControlFlags; /* +0x0002 */ /* unsigned char CycleProfiling[0]; +0x0002 2b 12 00 00 */ /* unsigned char CounterProfiling[0]; +0x0002 48 13 00 00 */ /* unsigned char GroupScheduling[0]; +0x0002 49 13 00 00 */ /* unsigned char AffinitySet[0]; +0x0002 4a 13 00 00 */ /* unsigned char Reserved[0]; +0x0002 cb 11 00 00 */ unsigned char Hand; /* +0x0002 */ unsigned char Size; /* +0x0002 */ unsigned char TimerMiscFlags; /* +0x0003 */ /* unsigned char Index[0]; +0x0003 2b 12 00 00 */ /* unsigned char Processor[0]; +0x0003 4b 13 00 00 */ /* unsigned char Inserted[0]; +0x0003 4c 13 00 00 */ /* unsigned char Expired[0]; +0x0003 4e 13 00 00 */ unsigned char DebugActive; /* +0x0003 */ unsigned char DpcActive; /* +0x0003 */ unsigned char Lock[4]; /* +0x0000 15 10 00 00 */ long SignalState; /* +0x0004 */ unsigned char WaitListHead[8]; /* +0x0008 17 10 00 00 */ }; struct _FLT_SERVER_PORT_OBJECT { unsigned char FilterLink[8]; /* +0x0000 17 10 00 00 */ unsigned char ConnectNotify[4]; /* +0x0008 56 13 00 00 */ unsigned char DisconnectNotify[4]; /* +0x000c 82 10 00 00 */ unsigned char MessageNotify[4]; /* +0x0010 59 13 00 00 */ unsigned char Filter[4]; /* +0x0014 9c 12 00 00 */ void *Cookie; /* +0x0018 */ unsigned long Flags; /* +0x001c */ long NumberOfConnections; /* +0x0020 */ long MaxConnections; /* +0x0024 */ }; struct _INITIAL_PRIVILEGE_SET { unsigned long PrivilegeCount; /* +0x0000 */ unsigned long Control; /* +0x0004 */ unsigned char Privilege[36]; /* +0x0008 5d 13 00 00 */ }; struct _FLT_DEFERRED_IO_WORKITEM { unsigned char FltWork[20]; /* +0x0000 4c 12 00 00 */ unsigned char QueueType[4]; /* +0x0014 f6 12 00 00 */ /* unsigned char DeferredWorkerRoutine[0]; +0x0018 64 13 00 00 */ unsigned char GenericWorkerRoutine[4]; /* +0x0018 69 13 00 00 */ void *Context; /* +0x001c */ unsigned char IoPriorityInfo[16]; /* +0x0020 c1 11 00 00 */ unsigned char Instance[4]; /* +0x0030 45 12 00 00 */ unsigned char ActivityId[16]; /* +0x0034 fb 10 00 00 */ unsigned char CallbackData[4]; /* +0x0044 62 12 00 00 */ }; struct _KAPC { unsigned char Type; /* +0x0000 */ unsigned char SpareByte0; /* +0x0001 */ unsigned char Size; /* +0x0002 */ unsigned char SpareByte1; /* +0x0003 */ unsigned long SpareLong0; /* +0x0004 */ unsigned char Thread[4]; /* +0x0008 9c 10 00 00 */ unsigned char ApcListEntry[8]; /* +0x000c 17 10 00 00 */ unsigned char Reserved[12]; /* +0x0014 6c 13 00 00 */ void *NormalContext; /* +0x0020 */ void *SystemArgument1; /* +0x0024 */ void *SystemArgument2; /* +0x0028 */ char ApcStateIndex; /* +0x002c */ char ApcMode; /* +0x002d */ unsigned char Inserted; /* +0x002e */ }; struct _FILE_GET_QUOTA_INFORMATION { unsigned long NextEntryOffset; /* +0x0000 */ unsigned long SidLength; /* +0x0004 */ unsigned char Sid[12]; /* +0x0008 6f 13 00 00 */ }; struct _ACCESS_REASONS { unsigned char Data[128]; /* +0x0000 72 13 00 00 */ }; struct _FLT_NAME_CONTROL { unsigned char Name[8]; /* +0x0000 2e 10 00 00 */ }; struct _WHEA_ERROR_PACKET_FLAGS { /* unsigned char PreviousError[0]; +0x0000 d5 11 00 00 */ /* unsigned char Reserved1[0]; +0x0000 d6 11 00 00 */ /* unsigned char HypervisorError[0]; +0x0000 d7 11 00 00 */ /* unsigned char Simulated[0]; +0x0000 d8 11 00 00 */ /* unsigned char PlatformPfaControl[0]; +0x0000 77 13 00 00 */ /* unsigned char PlatformDirectedOffline[0]; +0x0000 78 13 00 00 */ /* unsigned char Reserved2[0]; +0x0000 79 13 00 00 */ unsigned long AsULONG; /* +0x0000 */ }; struct _FLT_GENERIC_WORKITEM { unsigned char FltWork[20]; /* +0x0000 4c 12 00 00 */ unsigned char QueueType[4]; /* +0x0014 f6 12 00 00 */ /* unsigned char DeferredWorkerRoutine[0]; +0x0018 64 13 00 00 */ unsigned char GenericWorkerRoutine[4]; /* +0x0018 69 13 00 00 */ void *Context; /* +0x001c */ unsigned char IoPriorityInfo[16]; /* +0x0020 c1 11 00 00 */ unsigned char FltObject[4]; /* +0x0030 7c 13 00 00 */ }; enum _FLT_VERIFIER_EXTENSION_FLAGS { FLTVFL_ALLOCATION_FAILURE = 1 }; struct _FLT_VERIFIER_EXTENSION { unsigned char Flags[4]; /* +0x0000 80 13 00 00 */ unsigned char FilterUnload[4]; /* +0x0004 12 13 00 00 */ unsigned char InstanceSetup[4]; /* +0x0008 15 13 00 00 */ unsigned char InstanceQueryTeardown[4]; /* +0x000c 18 13 00 00 */ unsigned char InstanceTeardownStart[4]; /* +0x0010 1a 13 00 00 */ unsigned char InstanceTeardownComplete[4]; /* +0x0014 1a 13 00 00 */ unsigned char GenerateFileName[4]; /* +0x0018 e3 12 00 00 */ unsigned char NormalizeNameComponent[4]; /* +0x001c ea 12 00 00 */ unsigned char NormalizeNameComponentEx[4]; /* +0x0020 ed 12 00 00 */ unsigned char Operations[400]; /* +0x0024 82 13 00 00 */ char *Name; /* +0x01b4 */ unsigned char FltVerifierObjectsLookasideList[80]; /* +0x01b8 77 10 00 00 */ unsigned char List[4]; /* +0x0208 08 12 00 00 */ unsigned long Lock; /* +0x020c */ unsigned char Count[36]; /* +0x0210 83 13 00 00 */ long FltVerifierObjectsAllocFailures; /* +0x0234 */ long FltVerifierObjectsUnlinkFailures; /* +0x0238 */ }; struct _WHEA_REVISION { unsigned char MinorRevision; /* +0x0000 */ unsigned char MajorRevision; /* +0x0001 */ unsigned short AsUSHORT; /* +0x0000 */ }; struct _WHEA_ERROR_RECORD_HEADER { unsigned long Signature; /* +0x0000 */ unsigned char Revision[2]; /* +0x0004 b0 11 00 00 */ unsigned long SignatureEnd; /* +0x0006 */ unsigned short SectionCount; /* +0x000a */ unsigned char Severity[4]; /* +0x000c a0 11 00 00 */ unsigned char ValidBits[4]; /* +0x0010 88 13 00 00 */ unsigned long Length; /* +0x0014 */ unsigned char Timestamp[8]; /* +0x0018 89 13 00 00 */ unsigned char PlatformId[16]; /* +0x0020 fb 10 00 00 */ unsigned char PartitionId[16]; /* +0x0030 fb 10 00 00 */ unsigned char CreatorId[16]; /* +0x0040 fb 10 00 00 */ unsigned char NotifyType[16]; /* +0x0050 fb 10 00 00 */ unsigned long long RecordId; /* +0x0060 */ unsigned char Flags[4]; /* +0x0068 8a 13 00 00 */ unsigned char PersistenceInfo[8]; /* +0x006c 8b 13 00 00 */ unsigned char Reserved[12]; /* +0x0074 8c 13 00 00 */ }; struct _PRIVILEGE_SET { unsigned long PrivilegeCount; /* +0x0000 */ unsigned long Control; /* +0x0004 */ unsigned char Privilege[12]; /* +0x0008 8f 13 00 00 */ }; struct _SID { unsigned char Revision; /* +0x0000 */ unsigned char SubAuthorityCount; /* +0x0001 */ unsigned char IdentifierAuthority[6]; /* +0x0002 92 13 00 00 */ unsigned char SubAuthority[4]; /* +0x0008 93 13 00 00 */ }; enum _USER_ACTIVITY_PRESENCE { PowerUserPresent = 0, PowerUserNotPresent = 1, PowerUserInactive = 2, PowerUserMaximum = 3, PowerUserInvalid = 3 }; struct _FLT_FILE_NAME_INFORMATION { unsigned short Size; /* +0x0000 */ unsigned short NamesParsed; /* +0x0002 */ unsigned long Format; /* +0x0004 */ unsigned char Name[8]; /* +0x0008 2e 10 00 00 */ unsigned char Volume[8]; /* +0x0010 2e 10 00 00 */ unsigned char Share[8]; /* +0x0018 2e 10 00 00 */ unsigned char Extension[8]; /* +0x0020 2e 10 00 00 */ unsigned char Stream[8]; /* +0x0028 2e 10 00 00 */ unsigned char FinalComponent[8]; /* +0x0030 2e 10 00 00 */ unsigned char ParentDir[8]; /* +0x0038 2e 10 00 00 */ }; struct _GENERAL_LOOKASIDE { /* unsigned char ListHead[0]; +0x0000 5c 10 00 00 */ unsigned char SingleListHead[8]; /* +0x0000 29 10 00 00 */ unsigned short Depth; /* +0x0008 */ unsigned short MaximumDepth; /* +0x000a */ unsigned long TotalAllocates; /* +0x000c */ unsigned long AllocateMisses; /* +0x0010 */ unsigned long AllocateHits; /* +0x0010 */ unsigned long TotalFrees; /* +0x0014 */ unsigned long FreeMisses; /* +0x0018 */ unsigned long FreeHits; /* +0x0018 */ unsigned char Type[4]; /* +0x001c 6a 10 00 00 */ unsigned long Tag; /* +0x0020 */ unsigned long Size; /* +0x0024 */ /* unsigned char AllocateEx[0]; +0x0028 6d 10 00 00 */ unsigned char Allocate[4]; /* +0x0028 7e 10 00 00 */ /* unsigned char FreeEx[0]; +0x002c 72 10 00 00 */ unsigned char Free[4]; /* +0x002c 82 10 00 00 */ unsigned char ListEntry[8]; /* +0x0030 17 10 00 00 */ unsigned long LastTotalAllocates; /* +0x0038 */ unsigned long LastAllocateMisses; /* +0x003c */ unsigned long LastAllocateHits; /* +0x003c */ unsigned char Future[8]; /* +0x0040 9b 13 00 00 */ }; struct _IO_COMPLETION_CONTEXT { void *Port; /* +0x0000 */ void *Key; /* +0x0004 */ }; struct _INTERFACE { unsigned short Size; /* +0x0000 */ unsigned short Version; /* +0x0002 */ void *Context; /* +0x0004 */ unsigned char InterfaceReference[4]; /* +0x0008 82 10 00 00 */ unsigned char InterfaceDereference[4]; /* +0x000c 82 10 00 00 */ }; enum _FLT_OBJECT_FLAGS { FLT_OBFL_DRAINING = 1, FLT_OBFL_ZOMBIED = 2, /* FLT_OBFL_TYPE_INSTANCE = Unavail */ }; struct _FLT_OBJECT { unsigned char Flags[4]; /* +0x0000 a3 13 00 00 */ unsigned long PointerCount; /* +0x0004 */ unsigned char RundownRef[4]; /* +0x0008 a4 13 00 00 */ unsigned char PrimaryLink[8]; /* +0x000c 17 10 00 00 */ }; struct _FLT_MESSAGE_WAITER_QUEUE { unsigned char Csq[32]; /* +0x0000 a8 13 00 00 */ unsigned char WaiterQ[44]; /* +0x0020 29 12 00 00 */ unsigned long MinimumWaiterLength; /* +0x004c */ unsigned char Semaphore[20]; /* +0x0050 14 12 00 00 */ unsigned char Event[16]; /* +0x0064 4b 10 00 00 */ }; struct _SID_IDENTIFIER_AUTHORITY { unsigned char Value[6]; /* +0x0000 ab 13 00 00 */ }; struct _DRIVER_OBJECT { short Type; /* +0x0000 */ short Size; /* +0x0002 */ unsigned char DeviceObject[4]; /* +0x0004 ae 10 00 00 */ unsigned long Flags; /* +0x0008 */ void *DriverStart; /* +0x000c */ unsigned long DriverSize; /* +0x0010 */ void *DriverSection; /* +0x0014 */ unsigned char DriverExtension[4]; /* +0x0018 af 13 00 00 */ unsigned char DriverName[8]; /* +0x001c 2e 10 00 00 */ unsigned char HardwareDatabase[4]; /* +0x0024 2f 10 00 00 */ unsigned char FastIoDispatch[4]; /* +0x0028 b1 13 00 00 */ unsigned char DriverInit[4]; /* +0x002c b4 13 00 00 */ unsigned char DriverStartIo[4]; /* +0x0030 b1 10 00 00 */ unsigned char DriverUnload[4]; /* +0x0034 26 13 00 00 */ unsigned char MajorFunction[112]; /* +0x0038 b7 13 00 00 */ }; struct _ALLOCATE_CONTEXT_HEADER { unsigned char Filter[4]; /* +0x0000 9c 12 00 00 */ unsigned char ContextCleanupCallback[4]; /* +0x0004 3b 13 00 00 */ unsigned char Next[4]; /* +0x0008 41 12 00 00 */ unsigned short ContextType; /* +0x000c */ unsigned char Flags; /* +0x000e */ unsigned char AllocationType; /* +0x000f */ }; struct _KSPIN_LOCK_QUEUE { unsigned char Next[4]; /* +0x0000 bc 13 00 00 */ unsigned char Lock[4]; /* +0x0004 bd 13 00 00 */ }; struct _FILTER_CCB { unsigned char Filter[4]; /* +0x0000 9c 12 00 00 */ unsigned long Iterator; /* +0x0004 */ }; struct _DRIVER_EXTENSION { unsigned char DriverObject[4]; /* +0x0000 46 11 00 00 */ unsigned char AddDevice[4]; /* +0x0004 c5 13 00 00 */ unsigned long Count; /* +0x0008 */ unsigned char ServiceKeyName[8]; /* +0x000c 2e 10 00 00 */ }; struct _FS_FILTER_CALLBACK_DATA { unsigned long SizeOfFsFilterCallbackData; /* +0x0000 */ unsigned char Operation; /* +0x0004 */ unsigned char Reserved; /* +0x0005 */ unsigned char DeviceObject[4]; /* +0x0008 ae 10 00 00 */ unsigned char FileObject[4]; /* +0x000c b7 10 00 00 */ unsigned char Parameters[20]; /* +0x0010 c8 13 00 00 */ }; struct _TREE_ROOT { unsigned char Tree[4]; /* +0x0000 7c 11 00 00 */ }; struct _INSTANCE_CCB { unsigned char Instance[4]; /* +0x0000 45 12 00 00 */ }; struct _ALLOCATE_CONTEXT_DIRECT { unsigned char Filter[4]; /* +0x0000 9c 12 00 00 */ unsigned char ContextCleanupCallback[4]; /* +0x0004 3b 13 00 00 */ unsigned char Next[4]; /* +0x0008 41 12 00 00 */ unsigned short ContextType; /* +0x000c */ unsigned char Flags; /* +0x000e */ unsigned char AllocationType; /* +0x000f */ unsigned long PoolTag; /* +0x0010 */ }; struct _FLT_IO_PARAMETER_BLOCK { unsigned long IrpFlags; /* +0x0000 */ unsigned char MajorFunction; /* +0x0004 */ unsigned char MinorFunction; /* +0x0005 */ unsigned char OperationFlags; /* +0x0006 */ unsigned char Reserved; /* +0x0007 */ unsigned char TargetFileObject[4]; /* +0x0008 b7 10 00 00 */ unsigned char TargetInstance[4]; /* +0x000c 45 12 00 00 */ unsigned char Parameters[28]; /* +0x0010 d3 13 00 00 */ }; struct _FLTP_IRPCTRL_STACK_PROFILER { unsigned char Frame[4]; /* +0x0000 ab 12 00 00 */ unsigned char Profile[44]; /* +0x0004 d6 13 00 00 */ unsigned char Timer[40]; /* +0x0030 d7 13 00 00 */ unsigned char Dpc[32]; /* +0x0058 3d 11 00 00 */ unsigned char WorkItem[16]; /* +0x0078 88 10 00 00 */ unsigned char Mutex[32]; /* +0x0088 49 10 00 00 */ unsigned long WorkItemFlags; /* +0x00a8 */ unsigned long Flags; /* +0x00ac */ unsigned long AllocCount; /* +0x00b0 */ }; struct _NAME_CACHE_VOLUME_CTRL { unsigned char Lock[32]; /* +0x0000 49 10 00 00 */ long AllContextsTemporary; /* +0x0020 */ unsigned char LastRenameCompleted[8]; /* +0x0028 3a 10 00 00 */ unsigned char Stats[104]; /* +0x0030 da 13 00 00 */ }; struct _CALLBACK_CTRL { unsigned char OperationLists[400]; /* +0x0000 dd 13 00 00 */ unsigned char OperationFlags[200]; /* +0x0190 de 13 00 00 */ }; struct _NAME_CACHE_NODE { unsigned char Type[4]; /* +0x0000 7e 12 00 00 */ unsigned char ProvidingInstance[4]; /* +0x0004 45 12 00 00 */ unsigned char CreationTime[8]; /* +0x0008 3a 10 00 00 */ unsigned char TreeLink[28]; /* +0x0010 06 12 00 00 */ unsigned char NameInfo[64]; /* +0x002c 98 13 00 00 */ long UseCount; /* +0x006c */ }; struct _FLTP_WORKITEM { unsigned char Type[4]; /* +0x0000 7e 12 00 00 */ unsigned char WorkItem[16]; /* +0x0004 88 10 00 00 */ }; struct _CM_RESOURCE_LIST { unsigned long Count; /* +0x0000 */ unsigned char List[32]; /* +0x0004 e8 13 00 00 */ }; struct _CM_FULL_RESOURCE_DESCRIPTOR { unsigned char InterfaceType[4]; /* +0x0000 42 13 00 00 */ unsigned long BusNumber; /* +0x0004 */ unsigned char PartialResourceList[24]; /* +0x0008 eb 13 00 00 */ }; struct _WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_FLAGS { /* unsigned char Primary[0]; +0x0000 d5 11 00 00 */ /* unsigned char ContainmentWarning[0]; +0x0000 d6 11 00 00 */ /* unsigned char Reset[0]; +0x0000 d7 11 00 00 */ /* unsigned char ThresholdExceeded[0]; +0x0000 d8 11 00 00 */ /* unsigned char ResourceNotAvailable[0]; +0x0000 77 13 00 00 */ /* unsigned char LatentError[0]; +0x0000 78 13 00 00 */ /* unsigned char Reserved[0]; +0x0000 79 13 00 00 */ unsigned long AsULONG; /* +0x0000 */ }; struct _POWER_SEQUENCE { unsigned long SequenceD1; /* +0x0000 */ unsigned long SequenceD2; /* +0x0004 */ unsigned long SequenceD3; /* +0x0008 */ }; struct _KSEMAPHORE { unsigned char Header[16]; /* +0x0000 56 10 00 00 */ long Limit; /* +0x0010 */ }; struct _FLT_TYPE { unsigned short Signature; /* +0x0000 */ unsigned short Size; /* +0x0002 */ }; struct _IO_STATUS_BLOCK { long Status; /* +0x0000 */ void *Pointer; /* +0x0000 */ unsigned long Information; /* +0x0004 */ }; enum _LOCK_OPERATION { IoReadAccess = 0, IoWriteAccess = 1, IoModifyAccess = 2 }; /* struct { unsigned char DesiredAccess[4]; +0x0000 fd 13 00 00 unsigned char MdlAddressOffset; +0x0004 unsigned char BufferOffset; +0x0005 unsigned char LengthOffset; +0x0006 unsigned char ReservedOffset; +0x0007 }; */ struct _GLOBALS { unsigned long DebugFlags; /* +0x0000 */ unsigned long long TraceFlags; /* +0x0008 */ unsigned long GFlags; /* +0x0010 */ unsigned long long RegHandle; /* +0x0018 */ unsigned long NumProcessors; /* +0x0020 */ unsigned long CacheLineSize; /* +0x0024 */ unsigned long AlignedInstanceTrackingListSize; /* +0x0028 */ unsigned char ControlDeviceObject[4]; /* +0x002c ae 10 00 00 */ unsigned char DriverObject[4]; /* +0x0030 46 11 00 00 */ void *KtmTransactionManagerHandle; /* +0x0034 */ void *TxVolKtmResourceManagerHandle; /* +0x0038 */ unsigned char TxVolKtmResourceManager[4]; /* +0x003c bb 12 00 00 */ unsigned char FrameList[68]; /* +0x0040 33 12 00 00 */ unsigned char Phase2InitLock[32]; /* +0x0084 49 10 00 00 */ unsigned char RegistryPath[8]; /* +0x00a4 2e 10 00 00 */ unsigned char RegistryPathBuffer[320]; /* +0x00ac f9 13 00 00 */ unsigned char GlobalVolumeOperationLock[4]; /* +0x01ec eb 11 00 00 */ unsigned char FltpServerPortObjectType[4]; /* +0x01f0 fb 13 00 00 */ unsigned char FltpCommunicationPortObjectType[4]; /* +0x01f4 fb 13 00 00 */ unsigned char MsgDeviceObject[8]; /* +0x01f8 ae 10 00 00 */ unsigned char ManualDeviceAttachTimer[40]; /* +0x0200 d7 13 00 00 */ unsigned char ManualDeviceAttachTimerDpc[32]; /* +0x0228 3d 11 00 00 */ unsigned char ManualDeviceAttachWork[16]; /* +0x0248 88 10 00 00 */ long ManualDeviceAttachLimit; /* +0x0258 */ long ManualDeviceAttachDelay; /* +0x025c */ unsigned char TargetedIoCtrlLookasideList[128]; /* +0x0280 77 10 00 00 */ unsigned char IoDeviceHintLookasideList[128]; /* +0x0300 84 10 00 00 */ unsigned char StreamListCtrlLookasideList[128]; /* +0x0380 77 10 00 00 */ unsigned char FileListCtrlLookasideList[128]; /* +0x0400 77 10 00 00 */ unsigned char NameCacheCreateCtrlLookasideList[128]; /* +0x0480 77 10 00 00 */ unsigned char AsyncIoContextLookasideList[128]; /* +0x0500 77 10 00 00 */ unsigned char WorkItemLookasideList[128]; /* +0x0580 77 10 00 00 */ unsigned char NameControlLookasideList[128]; /* +0x0600 77 10 00 00 */ unsigned char OperationStatusCtrlLookasideList[128]; /* +0x0680 77 10 00 00 */ unsigned char NameGenerationContextLookasideList[128]; /* +0x0700 77 10 00 00 */ unsigned char FileLockLookasideList[128]; /* +0x0780 84 10 00 00 */ unsigned char TxnParameterBlockLookasideList[128]; /* +0x0800 77 10 00 00 */ unsigned char TxCtxExtensionNPagedLookasideList[128]; /* +0x0880 77 10 00 00 */ unsigned char TxVolCtxLookasideList[128]; /* +0x0900 77 10 00 00 */ unsigned char TxVolStreamListCtrlEntryLookasideList[128]; /* +0x0980 84 10 00 00 */ unsigned char SectionListCtrlLookasideList[128]; /* +0x0a00 77 10 00 00 */ unsigned char SectionCtxExtensionLookasideList[128]; /* +0x0a80 77 10 00 00 */ unsigned char FltpParameterOffsetTable[224]; /* +0x0b00 00 14 00 00 */ unsigned char ThrottledWorkCtrl[132]; /* +0x0be0 01 14 00 00 */ unsigned char Stats[116]; /* +0x0c64 02 14 00 00 */ unsigned long LostItemDelayInSeconds; /* +0x0cd8 */ unsigned char VerifiedFiltersList[8]; /* +0x0cdc 17 10 00 00 */ unsigned long VerifiedFiltersLock; /* +0x0ce4 */ long VerifiedResourceLinkFailures; /* +0x0ce8 */ long VerifiedResourceUnlinkFailures; /* +0x0cec */ unsigned char PerfTraceRoutines[4]; /* +0x0cf0 04 14 00 00 */ unsigned char DummyPerfTraceRoutines[20]; /* +0x0cf4 03 14 00 00 */ long FilterSupportedFeaturesMode; /* +0x0d08 */ }; struct _TRACK_COMPLETION_NODES { unsigned long NumLists; /* +0x0000 */ unsigned long DrainingRefCount; /* +0x0004 */ unsigned char TrackingLists[4]; /* +0x0008 74 12 00 00 */ void *PointerToFree; /* +0x000c */ }; struct _GENERIC_MAPPING { unsigned long GenericRead; /* +0x0000 */ unsigned long GenericWrite; /* +0x0004 */ unsigned long GenericExecute; /* +0x0008 */ unsigned long GenericAll; /* +0x000c */ }; struct _OWNER_ENTRY { unsigned long OwnerThread; /* +0x0000 */ /* unsigned char IoPriorityBoosted[0]; +0x0004 d5 11 00 00 */ /* unsigned char OwnerReferenced[0]; +0x0004 d6 11 00 00 */ /* unsigned char OwnerCount[0]; +0x0004 0b 14 00 00 */ unsigned long TableSize; /* +0x0004 */ }; struct _DEVICE_EXTENSION_HEADER { unsigned char Type[4]; /* +0x0000 7e 12 00 00 */ unsigned char AttachedToDeviceObject[4]; /* +0x0004 ae 10 00 00 */ unsigned char Frame[4]; /* +0x0008 ab 12 00 00 */ }; /* struct { /* unsigned char FileContextCtrl[0]; +0x0000 11 14 00 00 unsigned char StreamContextCtrl[20]; +0x0000 12 14 00 00 }; */ enum _FILE_LIST_CTRL_FLAGS { FLCFL_LINKED_TO_FILE = 1, FLCFL_CLEANED_UP = 2, FLCFL_LINKED_AS_STRM_CTX = 4 }; struct _FILE_LIST_CTRL { unsigned char Type[4]; /* +0x0000 7e 12 00 00 */ unsigned char ContextCtrl[20]; /* +0x0004 14 14 00 00 */ unsigned char VolumeLink[8]; /* +0x0018 17 10 00 00 */ unsigned char Flags[4]; /* +0x0020 16 14 00 00 */ long UseCount; /* +0x0024 */ unsigned char ContextLock[4]; /* +0x0028 d3 11 00 00 */ unsigned char FileContexts[4]; /* +0x002c 4f 12 00 00 */ }; struct _KDEVICE_QUEUE_ENTRY { unsigned char DeviceListEntry[8]; /* +0x0000 17 10 00 00 */ unsigned long SortKey; /* +0x0008 */ unsigned char Inserted; /* +0x000c */ }; struct _DEVICE_CAPABILITIES { unsigned short Size; /* +0x0000 */ unsigned short Version; /* +0x0002 */ /* unsigned char DeviceD1[0]; +0x0004 d5 11 00 00 */ /* unsigned char DeviceD2[0]; +0x0004 d6 11 00 00 */ /* unsigned char LockSupported[0]; +0x0004 d7 11 00 00 */ /* unsigned char EjectSupported[0]; +0x0004 d8 11 00 00 */ /* unsigned char Removable[0]; +0x0004 77 13 00 00 */ /* unsigned char DockDevice[0]; +0x0004 78 13 00 00 */ /* unsigned char UniqueID[0]; +0x0004 1b 14 00 00 */ /* unsigned char SilentInstall[0]; +0x0004 1c 14 00 00 */ /* unsigned char RawDeviceOK[0]; +0x0004 1d 14 00 00 */ /* unsigned char SurpriseRemovalOK[0]; +0x0004 1e 14 00 00 */ /* unsigned char WakeFromD0[0]; +0x0004 1f 14 00 00 */ /* unsigned char WakeFromD1[0]; +0x0004 20 14 00 00 */ /* unsigned char WakeFromD2[0]; +0x0004 21 14 00 00 */ /* unsigned char WakeFromD3[0]; +0x0004 22 14 00 00 */ /* unsigned char HardwareDisabled[0]; +0x0004 23 14 00 00 */ /* unsigned char NonDynamic[0]; +0x0004 24 14 00 00 */ /* unsigned char WarmEjectSupported[0]; +0x0004 25 14 00 00 */ /* unsigned char NoDisplayInUI[0]; +0x0004 26 14 00 00 */ /* unsigned char Reserved1[0]; +0x0004 27 14 00 00 */ unsigned char Reserved[4]; /* +0x0004 28 14 00 00 */ unsigned long Address; /* +0x0008 */ unsigned long UINumber; /* +0x000c */ unsigned char DeviceState[28]; /* +0x0010 29 14 00 00 */ unsigned char SystemWake[4]; /* +0x002c 1c 11 00 00 */ unsigned char DeviceWake[4]; /* +0x0030 75 11 00 00 */ unsigned long D1Latency; /* +0x0034 */ unsigned long D2Latency; /* +0x0038 */ unsigned long D3Latency; /* +0x003c */ }; struct _WHEA_ERROR_RECORD_HEADER_VALIDBITS { /* unsigned char PlatformId[0]; +0x0000 d5 11 00 00 */ /* unsigned char Timestamp[0]; +0x0000 d6 11 00 00 */ /* unsigned char PartitionId[0]; +0x0000 d7 11 00 00 */ /* unsigned char Reserved[0]; +0x0000 2c 14 00 00 */ unsigned long AsULONG; /* +0x0000 */ }; struct _CM_PARTIAL_RESOURCE_LIST { unsigned short Version; /* +0x0000 */ unsigned short Revision; /* +0x0002 */ unsigned long Count; /* +0x0004 */ unsigned char PartialDescriptors[16]; /* +0x0008 30 14 00 00 */ }; struct _SECTION_OBJECT_POINTERS { void *DataSectionObject; /* +0x0000 */ void *SharedCacheMap; /* +0x0004 */ void *ImageSectionObject; /* +0x0008 */ }; struct _SECTION_CONTEXT_EXTENSION { unsigned char Instance[4]; /* +0x0000 45 12 00 00 */ unsigned char FileObject[4]; /* +0x0004 b7 10 00 00 */ unsigned long Flags; /* +0x0008 */ unsigned char Event[16]; /* +0x000c 4b 10 00 00 */ }; struct _WMI_FLTIO_NOTIFY_ROUTINES { unsigned char TimeStampRoutine[4]; /* +0x0000 3a 14 00 00 */ unsigned char FailureNotifyRoutine[4]; /* +0x0004 3d 14 00 00 */ unsigned char InitiationNotifyRoutine[4]; /* +0x0008 3d 14 00 00 */ unsigned char CompletionNotifyRoutine[4]; /* +0x000c 40 14 00 00 */ unsigned char FastCompletionNotifyRoutine[4]; /* +0x0010 40 14 00 00 */ }; struct _LUID_AND_ATTRIBUTES { unsigned char Luid[8]; /* +0x0000 8d 11 00 00 */ unsigned long Attributes; /* +0x0008 */ }; struct _KDEVICE_QUEUE { short Type; /* +0x0000 */ short Size; /* +0x0002 */ unsigned char DeviceListHead[8]; /* +0x0004 17 10 00 00 */ unsigned long Lock; /* +0x000c */ unsigned char Busy; /* +0x0010 */ }; struct _SYSTEM_POWER_STATE_CONTEXT { /* unsigned char Reserved1[0]; +0x0000 47 14 00 00 */ /* unsigned char TargetSystemState[0]; +0x0000 48 14 00 00 */ /* unsigned char EffectiveSystemState[0]; +0x0000 49 14 00 00 */ /* unsigned char CurrentSystemState[0]; +0x0000 4a 14 00 00 */ /* unsigned char IgnoreHibernationPath[0]; +0x0000 4b 14 00 00 */ /* unsigned char PseudoTransition[0]; +0x0000 4c 14 00 00 */ /* unsigned char Reserved2[0]; +0x0000 4d 14 00 00 */ unsigned long ContextAsUlong; /* +0x0000 */ }; struct _FLT_CALLBACK_DATA_QUEUE { unsigned char Csq[32]; /* +0x0000 a8 13 00 00 */ unsigned char Flags[4]; /* +0x0020 51 14 00 00 */ unsigned char Instance[4]; /* +0x0024 45 12 00 00 */ unsigned char InsertIo[4]; /* +0x0028 55 14 00 00 */ unsigned char RemoveIo[4]; /* +0x002c 58 14 00 00 */ unsigned char PeekNextIo[4]; /* +0x0030 5a 14 00 00 */ unsigned char Acquire[4]; /* +0x0034 5d 14 00 00 */ unsigned char Release[4]; /* +0x0038 60 14 00 00 */ unsigned char CompleteCanceledIo[4]; /* +0x003c 58 14 00 00 */ }; struct _FSRTL_PER_STREAM_CONTEXT { unsigned char Links[8]; /* +0x0000 17 10 00 00 */ void *OwnerId; /* +0x0008 */ void *InstanceId; /* +0x000c */ unsigned char FreeCallback[4]; /* +0x0010 82 10 00 00 */ }; struct _IO_CSQ { unsigned long Type; /* +0x0000 */ unsigned char CsqInsertIrp[4]; /* +0x0004 68 14 00 00 */ unsigned char CsqRemoveIrp[4]; /* +0x0008 68 14 00 00 */ unsigned char CsqPeekNextIrp[4]; /* +0x000c 6b 14 00 00 */ unsigned char CsqAcquireLock[4]; /* +0x0010 6e 14 00 00 */ unsigned char CsqReleaseLock[4]; /* +0x0014 71 14 00 00 */ unsigned char CsqCompleteCanceledIrp[4]; /* +0x0018 68 14 00 00 */ void *ReservePointer; /* +0x001c */ }; struct _WHEA_TIMESTAMP { /* unsigned char Seconds[0]; +0x0000 74 14 00 00 */ /* unsigned char Minutes[0]; +0x0000 75 14 00 00 */ /* unsigned char Hours[0]; +0x0000 76 14 00 00 */ /* unsigned char Precise[0]; +0x0000 77 14 00 00 */ /* unsigned char Reserved[0]; +0x0000 78 14 00 00 */ /* unsigned char Day[0]; +0x0000 79 14 00 00 */ /* unsigned char Month[0]; +0x0000 7a 14 00 00 */ /* unsigned char Year[0]; +0x0000 7b 14 00 00 */ /* unsigned char Century[0]; +0x0000 7c 14 00 00 */ unsigned char AsLARGE_INTEGER[8]; /* +0x0000 3a 10 00 00 */ }; /* struct { unsigned char EndingOffset[4]; +0x0000 e2 10 00 00 unsigned char ResourceToRelease[4]; +0x0004 39 12 00 00 }; */ /* struct { unsigned char ResourceToRelease[4]; +0x0000 cd 11 00 00 }; */ enum _FS_FILTER_SECTION_SYNC_TYPE { SyncTypeOther = 0, SyncTypeCreateSection = 1 }; /* struct { unsigned char SyncType[4]; +0x0000 84 14 00 00 unsigned long PageProtection; +0x0004 }; */ enum _FS_FILTER_STREAM_FO_NOTIFICATION_TYPE { NotifyTypeCreate = 0, NotifyTypeRetired = 1 }; /* struct { unsigned char NotificationType[4]; +0x0000 88 14 00 00 unsigned char SafeToRecurse; +0x0004 }; */ /* struct { void *Argument1; +0x0000 void *Argument2; +0x0004 void *Argument3; +0x0008 void *Argument4; +0x000c void *Argument5; +0x0010 }; */ struct _FS_FILTER_PARAMETERS { /* unsigned char AcquireForModifiedPageWriter[0]; +0x0000 80 14 00 00 */ /* unsigned char ReleaseForModifiedPageWriter[0]; +0x0000 82 14 00 00 */ /* unsigned char AcquireForSectionSynchronization[0]; +0x0000 86 14 00 00 */ /* unsigned char NotifyStreamFileObject[0]; +0x0000 8a 14 00 00 */ unsigned char Others[20]; /* +0x0000 8c 14 00 00 */ }; struct _VPB { short Type; /* +0x0000 */ short Size; /* +0x0002 */ unsigned short Flags; /* +0x0004 */ unsigned short VolumeLabelLength; /* +0x0006 */ unsigned char DeviceObject[4]; /* +0x0008 ae 10 00 00 */ unsigned char RealDevice[4]; /* +0x000c ae 10 00 00 */ unsigned long SerialNumber; /* +0x0010 */ unsigned long ReferenceCount; /* +0x0014 */ unsigned char VolumeLabel[64]; /* +0x0018 8f 14 00 00 */ }; enum _SECURITY_IMPERSONATION_LEVEL { SecurityAnonymous = 0, SecurityIdentification = 1, SecurityImpersonation = 2, SecurityDelegation = 3 }; struct _SECURITY_SUBJECT_CONTEXT { void *ClientToken; /* +0x0000 */ unsigned char ImpersonationLevel[4]; /* +0x0004 93 14 00 00 */ void *PrimaryToken; /* +0x0008 */ void *ProcessAuditId; /* +0x000c */ }; enum _MEMORY_CACHING_TYPE_ORIG { MmFrameBufferCached = 2 }; struct _FLT_STATS { unsigned long IrpCtrlLookasideAllocs; /* +0x0000 */ unsigned long IrpCtrlNormalAllocs; /* +0x0004 */ unsigned long IrpCtrlAllocFailures; /* +0x0008 */ unsigned long IrpCtrlLookasideFrees; /* +0x000c */ unsigned long IrpCtrlNormalFrees; /* +0x0010 */ unsigned long IrpCtrlExtends; /* +0x0014 */ unsigned long IrpCtrlExtendFailures; /* +0x0018 */ unsigned long IrpCtrlMustSucceedAllocFailures; /* +0x001c */ unsigned long IrpCtrlLookasideStackResized; /* +0x0020 */ unsigned long IrpCtrlLookasideQuotaExceeded; /* +0x0024 */ unsigned long IrpCtrlLookasideInsufficientStackSize; /* +0x0028 */ unsigned long IrpMustSucceedAllocFailures; /* +0x002c */ unsigned long UsedPagingFileIrpCtrl; /* +0x0030 */ unsigned long UsedBackPocketIrpCtrl; /* +0x0034 */ unsigned long StreamListInstanceCleanupLoopRestart; /* +0x0038 */ unsigned long FileListInstanceCleanupLoopRestart; /* +0x003c */ unsigned long MessagesWithoutWaiters; /* +0x0040 */ unsigned long TrackedCompletionNodes; /* +0x0044 */ unsigned long UnTrackedCompletionNodes; /* +0x0048 */ unsigned long DrainedCompletionNodes; /* +0x004c */ unsigned long CanceledCompletionNodes; /* +0x0050 */ unsigned long ExpandFilePathTotalCalls; /* +0x0054 */ unsigned long ExpandFilePathSwappedStacks; /* +0x0058 */ unsigned long ExpandFilePathWouldPost0x1C00; /* +0x005c */ unsigned long ExpandFilePathWouldPost0x2000; /* +0x0060 */ unsigned long GetNormalizedFileNameTotalCalls; /* +0x0064 */ unsigned long GetNormalizedFileNameSwappedStacks; /* +0x0068 */ unsigned long GetNormalizedFileNameWouldPost0x1C00; /* +0x006c */ unsigned long GetNormalizedFileNameWouldPost0x2000; /* +0x0070 */ }; struct _FLT_RELATED_CONTEXTS { void *VolumeContext; /* +0x0000 */ void *InstanceContext; /* +0x0004 */ void *FileContext; /* +0x0008 */ void *StreamContext; /* +0x000c */ void *StreamHandleContext; /* +0x0010 */ void *TransactionContext; /* +0x0014 */ }; struct _FLT_RELATED_OBJECTS { unsigned char Size[2]; /* +0x0000 6e 11 00 00 */ unsigned char TransactionContext[2]; /* +0x0002 6e 11 00 00 */ unsigned char Filter[4]; /* +0x0004 9d 14 00 00 */ unsigned char Volume[4]; /* +0x0008 9e 14 00 00 */ unsigned char Instance[4]; /* +0x000c 9f 14 00 00 */ unsigned char FileObject[4]; /* +0x0010 a0 14 00 00 */ unsigned char Transaction[4]; /* +0x0014 a2 14 00 00 */ }; enum _KSPIN_LOCK_QUEUE_NUMBER { LockQueueUnusedSpare0 = 0, LockQueueExpansionLock = 1, LockQueueUnusedSpare2 = 2, LockQueueSystemSpaceLock = 3, LockQueueVacbLock = 4, LockQueueMasterLock = 5, LockQueueNonPagedPoolLock = 6, LockQueueIoCancelLock = 7, LockQueueWorkQueueLock = 8, LockQueueIoVpbLock = 9, LockQueueIoDatabaseLock = 10, LockQueueIoCompletionLock = 11, LockQueueNtfsStructLock = 12, LockQueueAfdWorkQueueLock = 13, LockQueueBcbLock = 14, LockQueueMmNonPagedPoolLock = 15, LockQueueUnusedSpare16 = 16, LockQueueMaximumLock = 17 }; struct _POWER_STATE { /* unsigned char SystemState[0]; +0x0000 1c 11 00 00 */ unsigned char DeviceState[4]; /* +0x0000 75 11 00 00 */ }; struct FLT_VERIFIER_OPERATIONS { unsigned char PreOperation[4]; /* +0x0000 d9 12 00 00 */ unsigned char PostOperation[4]; /* +0x0004 de 12 00 00 */ }; struct _WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_VALIDBITS { /* unsigned char FRUId[0]; +0x0000 2b 12 00 00 */ /* unsigned char FRUText[0]; +0x0000 48 13 00 00 */ /* unsigned char Reserved[0]; +0x0000 ab 14 00 00 */ unsigned char AsUCHAR; /* +0x0000 */ }; enum _MODE { KernelMode = 0, UserMode = 1, MaximumMode = 2 }; struct _ETW_KERNEL_TRACE_TIMESTAMP { unsigned char KernelTraceTimeStamp[16]; /* +0x0000 b0 14 00 00 */ }; struct _FLT_CONTEXT_REGISTRATION { unsigned short ContextType; /* +0x0000 */ unsigned short Flags; /* +0x0002 */ unsigned char ContextCleanupCallback[4]; /* +0x0004 3b 13 00 00 */ unsigned long Size; /* +0x0008 */ unsigned long PoolTag; /* +0x000c */ unsigned char ContextAllocateCallback[4]; /* +0x0010 3e 13 00 00 */ unsigned char ContextFreeCallback[4]; /* +0x0014 3b 13 00 00 */ void *Reserved1; /* +0x0018 */ }; struct _IO_RESOURCE_LIST { unsigned short Version; /* +0x0000 */ unsigned short Revision; /* +0x0002 */ unsigned long Count; /* +0x0004 */ unsigned char Descriptors[32]; /* +0x0008 b7 14 00 00 */ }; struct _WHEA_ERROR_RECORD_HEADER_FLAGS { /* unsigned char Recovered[0]; +0x0000 d5 11 00 00 */ /* unsigned char PreviousError[0]; +0x0000 d6 11 00 00 */ /* unsigned char Simulated[0]; +0x0000 d7 11 00 00 */ /* unsigned char Reserved[0]; +0x0000 2c 14 00 00 */ unsigned long AsULONG; /* +0x0000 */ }; struct _FLT_MESSAGE_WAITER { unsigned long Flags; /* +0x0000 */ }; /* struct { unsigned char Start[8]; +0x0000 3a 10 00 00 unsigned long Length; +0x0008 }; */ /* struct { unsigned long Level; +0x0000 unsigned long Vector; +0x0004 unsigned long Affinity; +0x0008 }; */ /* struct { unsigned short Reserved; +0x0000 unsigned short MessageCount; +0x0002 unsigned long Vector; +0x0004 unsigned long Affinity; +0x0008 }; */ /* struct { /* unsigned char Raw[0]; +0x0000 c4 14 00 00 unsigned char Translated[12]; +0x0000 c2 14 00 00 }; */ /* struct { unsigned long Channel; +0x0000 unsigned long Port; +0x0004 unsigned long Reserved1; +0x0008 }; */ /* struct { unsigned long Channel; +0x0000 unsigned long RequestLine; +0x0004 unsigned long Reserved1; +0x0008 }; */ /* struct { unsigned char Data[12]; +0x0000 43 13 00 00 }; */ /* struct { unsigned long Start; +0x0000 unsigned long Length; +0x0004 unsigned long Reserved; +0x0008 }; */ /* struct { unsigned long DataSize; +0x0000 unsigned long Reserved1; +0x0004 unsigned long Reserved2; +0x0008 }; */ /* struct { unsigned char Start[8]; +0x0000 3a 10 00 00 unsigned long Length40; +0x0008 }; */ /* struct { unsigned char Start[8]; +0x0000 3a 10 00 00 unsigned long Length48; +0x0008 }; */ /* struct { unsigned char Start[8]; +0x0000 3a 10 00 00 unsigned long Length64; +0x0008 }; */ /* struct { unsigned char Class; +0x0000 unsigned char Type; +0x0001 unsigned char Reserved1; +0x0002 unsigned char Reserved2; +0x0003 unsigned long IdLowPart; +0x0004 unsigned long IdHighPart; +0x0008 }; */ /* struct { /* unsigned char Generic[0]; +0x0000 c0 14 00 00 /* unsigned char Port[0]; +0x0000 c0 14 00 00 /* unsigned char Interrupt[0]; +0x0000 c2 14 00 00 /* unsigned char MessageInterrupt[0]; +0x0000 c6 14 00 00 /* unsigned char Memory[0]; +0x0000 c0 14 00 00 /* unsigned char Dma[0]; +0x0000 c8 14 00 00 /* unsigned char DmaV3[0]; +0x0000 ca 14 00 00 /* unsigned char DevicePrivate[0]; +0x0000 cc 14 00 00 /* unsigned char BusNumber[0]; +0x0000 ce 14 00 00 /* unsigned char DeviceSpecificData[0]; +0x0000 d0 14 00 00 /* unsigned char Memory40[0]; +0x0000 d2 14 00 00 /* unsigned char Memory48[0]; +0x0000 d4 14 00 00 /* unsigned char Memory64[0]; +0x0000 d6 14 00 00 unsigned char Connection[12]; +0x0000 d8 14 00 00 }; */ struct _CM_PARTIAL_RESOURCE_DESCRIPTOR { unsigned char Type; /* +0x0000 */ unsigned char ShareDisposition; /* +0x0001 */ unsigned short Flags; /* +0x0002 */ unsigned char u[12]; /* +0x0004 da 14 00 00 */ }; enum _IO_ALLOCATION_ACTION { KeepObject = 1, DeallocateObject = 2, DeallocateObjectKeepRegisters = 3 }; struct _WAIT_CONTEXT_BLOCK { /* unsigned char WaitQueueEntry[0]; +0x0000 b2 10 00 00 */ unsigned char DmaWaitEntry[8]; /* +0x0000 17 10 00 00 */ unsigned long NumberOfChannels; /* +0x0008 */ /* unsigned char SyncCallback[0]; +0x000c d5 11 00 00 */ /* unsigned char DmaContext[0]; +0x000c d6 11 00 00 */ unsigned char Reserved[4]; /* +0x000c 0b 14 00 00 */ unsigned char DeviceRoutine[4]; /* +0x0010 e1 14 00 00 */ void *DeviceContext; /* +0x0014 */ unsigned long NumberOfMapRegisters; /* +0x0018 */ void *DeviceObject; /* +0x001c */ void *CurrentIrp; /* +0x0020 */ unsigned char BufferChainingDpc[4]; /* +0x0024 3e 11 00 00 */ }; struct _RTL_DYNAMIC_HASH_TABLE_ENTRY { unsigned char Linkage[8]; /* +0x0000 17 10 00 00 */ unsigned long Signature; /* +0x0008 */ }; struct _VOLUME_CCB { unsigned char Volume[8]; /* +0x0000 2e 10 00 00 */ unsigned long Iterator; /* +0x0008 */ }; struct _FLT_OPERATION_REGISTRATION { unsigned char MajorFunction; /* +0x0000 */ unsigned long Flags; /* +0x0004 */ unsigned char PreOperation[4]; /* +0x0008 d9 12 00 00 */ unsigned char PostOperation[4]; /* +0x000c de 12 00 00 */ void *Reserved1; /* +0x0010 */ }; struct _KTIMER { unsigned char Header[16]; /* +0x0000 56 10 00 00 */ unsigned char DueTime[8]; /* +0x0010 3f 10 00 00 */ unsigned char TimerListEntry[8]; /* +0x0018 17 10 00 00 */ unsigned char Dpc[4]; /* +0x0020 3e 11 00 00 */ unsigned long Period; /* +0x0024 */ }; struct _FLTPP_LOOKASIDE_LIST { unsigned char P[4]; /* +0x0000 78 10 00 00 */ unsigned char L[4]; /* +0x0004 78 10 00 00 */ }; struct _FS_CONTROL_DEVICE_EXTENSION { unsigned char Type[4]; /* +0x0000 7e 12 00 00 */ unsigned char AttachedToDeviceObject[4]; /* +0x0004 ae 10 00 00 */ unsigned char Frame[4]; /* +0x0008 ab 12 00 00 */ unsigned char Link[8]; /* +0x000c 17 10 00 00 */ unsigned char DeviceObject[4]; /* +0x0014 ae 10 00 00 */ unsigned char ControlDeviceName[8]; /* +0x0018 2e 10 00 00 */ unsigned char DriverObjectName[8]; /* +0x0020 2e 10 00 00 */ }; enum _PERFINFO_KERNELMEMORY_USAGE_TYPE { PerfInfoMemUsagePfnMetadata = 0, PerfInfoMemUsageMax = 1 }; struct _MANAGER_CCB { unsigned char Frame[4]; /* +0x0000 ab 12 00 00 */ unsigned long Iterator; /* +0x0004 */ }; struct _FAST_IO_DISPATCH { unsigned long SizeOfFastIoDispatch; /* +0x0000 */ unsigned char FastIoCheckIfPossible[4]; /* +0x0004 fb 14 00 00 */ unsigned char FastIoRead[4]; /* +0x0008 fe 14 00 00 */ unsigned char FastIoWrite[4]; /* +0x000c fe 14 00 00 */ unsigned char FastIoQueryBasicInfo[4]; /* +0x0010 03 15 00 00 */ unsigned char FastIoQueryStandardInfo[4]; /* +0x0014 08 15 00 00 */ unsigned char FastIoLock[4]; /* +0x0018 0d 15 00 00 */ unsigned char FastIoUnlockSingle[4]; /* +0x001c 10 15 00 00 */ unsigned char FastIoUnlockAll[4]; /* +0x0020 13 15 00 00 */ unsigned char FastIoUnlockAllByKey[4]; /* +0x0024 16 15 00 00 */ unsigned char FastIoDeviceControl[4]; /* +0x0028 19 15 00 00 */ unsigned char AcquireFileForNtCreateSection[4]; /* +0x002c 1c 15 00 00 */ unsigned char ReleaseFileForNtCreateSection[4]; /* +0x0030 1c 15 00 00 */ unsigned char FastIoDetachDevice[4]; /* +0x0034 1f 15 00 00 */ unsigned char FastIoQueryNetworkOpenInfo[4]; /* +0x0038 24 15 00 00 */ unsigned char AcquireForModWrite[4]; /* +0x003c 27 15 00 00 */ unsigned char MdlRead[4]; /* +0x0040 2a 15 00 00 */ unsigned char MdlReadComplete[4]; /* +0x0044 2d 15 00 00 */ unsigned char PrepareMdlWrite[4]; /* +0x0048 2a 15 00 00 */ unsigned char MdlWriteComplete[4]; /* +0x004c 30 15 00 00 */ unsigned char FastIoReadCompressed[4]; /* +0x0050 35 15 00 00 */ unsigned char FastIoWriteCompressed[4]; /* +0x0054 35 15 00 00 */ unsigned char MdlReadCompleteCompressed[4]; /* +0x0058 2d 15 00 00 */ unsigned char MdlWriteCompleteCompressed[4]; /* +0x005c 30 15 00 00 */ unsigned char FastIoQueryOpen[4]; /* +0x0060 38 15 00 00 */ unsigned char ReleaseForModWrite[4]; /* +0x0064 3b 15 00 00 */ unsigned char AcquireForCcFlush[4]; /* +0x0068 3e 15 00 00 */ unsigned char ReleaseForCcFlush[4]; /* +0x006c 3e 15 00 00 */ }; struct _FLT_VOLUME_PROPERTIES { unsigned long DeviceType; /* +0x0000 */ unsigned long DeviceCharacteristics; /* +0x0004 */ unsigned long DeviceObjectFlags; /* +0x0008 */ unsigned long AlignmentRequirement; /* +0x000c */ unsigned short SectorSize; /* +0x0010 */ unsigned short Reserved0; /* +0x0012 */ unsigned char FileSystemDriverName[8]; /* +0x0014 2e 10 00 00 */ unsigned char FileSystemDeviceName[8]; /* +0x001c 2e 10 00 00 */ unsigned char RealDeviceName[8]; /* +0x0024 2e 10 00 00 */ }; struct _NAME_CACHE_VOLUME_CTRL_STATS { unsigned long AllContextsTemporary; /* +0x0000 */ unsigned long PurgeNameCache; /* +0x0004 */ unsigned char NormalizedNames[28]; /* +0x0008 44 15 00 00 */ unsigned char OpenedNames[28]; /* +0x0024 44 15 00 00 */ unsigned char ShortNames[28]; /* +0x0040 44 15 00 00 */ unsigned long AncestorLookup; /* +0x005c */ unsigned long ParentHit; /* +0x0060 */ unsigned long NonParentHit; /* +0x0064 */ }; enum _FLT_NPAGED_LOOKASIDE_NUMBER { LookasideSmallIrpCtrlList = 0, LookasideLargeIrpCtrlList = 1, NumLookasideLists = 2 }; /* struct { unsigned short SubstituteNameOffset; +0x0000 unsigned short SubstituteNameLength; +0x0002 unsigned short PrintNameOffset; +0x0004 unsigned short PrintNameLength; +0x0006 unsigned long Flags; +0x0008 unsigned char PathBuffer[4]; +0x000c 49 15 00 00 }; */ /* struct { unsigned short SubstituteNameOffset; +0x0000 unsigned short SubstituteNameLength; +0x0002 unsigned short PrintNameOffset; +0x0004 unsigned short PrintNameLength; +0x0006 unsigned char PathBuffer[2]; +0x0008 49 15 00 00 }; */ /* struct { unsigned char DataBuffer[1]; +0x0000 4e 15 00 00 }; */ /* struct { unsigned char TagGuid[16]; +0x0000 fb 10 00 00 unsigned char DataBuffer[4]; +0x0010 4e 15 00 00 }; */ struct _FLT_TAG_DATA_BUFFER { unsigned long FileTag; /* +0x0000 */ unsigned short TagDataLength; /* +0x0004 */ unsigned short UnparsedNameLength; /* +0x0006 */ /* unsigned char SymbolicLinkReparseBuffer[0]; +0x0008 4b 15 00 00 */ /* unsigned char MountPointReparseBuffer[0]; +0x0008 4d 15 00 00 */ /* unsigned char GenericReparseBuffer[0]; +0x0008 50 15 00 00 */ unsigned char GenericGUIDReparseBuffer[20]; /* +0x0008 52 15 00 00 */ }; enum _FLTP_WORK_QUEUE_TYPE { FltpCriticalWorkQueue = 5, FltpDelayedWorkQueue = 6, FltpHyperCriticalWorkQueue = 7, FltpMaximumWorkQueue = 8 }; enum _NAME_CACHE_CREATE_CTRL_FLAGS { NCCFL_VOLUME_OPEN = 1, NCCFL_CREATE_SHOULD_FAIL = 2 }; struct _NAME_CACHE_CREATE_CTRL { unsigned char Flags[4]; /* +0x0000 58 15 00 00 */ long ErrorStatus; /* +0x0004 */ unsigned char ErrorInstance[4]; /* +0x0008 45 12 00 00 */ unsigned char CompletingInstance[4]; /* +0x000c 45 12 00 00 */ unsigned char NormalizedNameCache[8]; /* +0x0010 59 15 00 00 */ unsigned char OpenedNameCache[8]; /* +0x0018 59 15 00 00 */ }; struct _FLT_REGISTRATION { unsigned short Size; /* +0x0000 */ unsigned short Version; /* +0x0002 */ unsigned long Flags; /* +0x0004 */ unsigned char ContextRegistration[4]; /* +0x0008 5e 15 00 00 */ unsigned char OperationRegistration[4]; /* +0x000c 60 15 00 00 */ unsigned char FilterUnloadCallback[4]; /* +0x0010 12 13 00 00 */ unsigned char InstanceSetupCallback[4]; /* +0x0014 15 13 00 00 */ unsigned char InstanceQueryTeardownCallback[4]; /* +0x0018 18 13 00 00 */ unsigned char InstanceTeardownStartCallback[4]; /* +0x001c 1a 13 00 00 */ unsigned char InstanceTeardownCompleteCallback[4]; /* +0x0020 1a 13 00 00 */ unsigned char GenerateFileNameCallback[4]; /* +0x0024 e3 12 00 00 */ unsigned char NormalizeNameComponentCallback[4]; /* +0x0028 ea 12 00 00 */ unsigned char NormalizeContextCleanupCallback[4]; /* +0x002c f0 12 00 00 */ unsigned char TransactionNotificationCallback[4]; /* +0x0030 1e 13 00 00 */ unsigned char NormalizeNameComponentExCallback[4]; /* +0x0034 ed 12 00 00 */ unsigned char SectionNotificationCallback[4]; /* +0x0038 21 13 00 00 */ }; struct _ALLOCATE_CONTEXT_LOOKASIDE { unsigned char Filter[4]; /* +0x0000 9c 12 00 00 */ unsigned char ContextCleanupCallback[4]; /* +0x0004 3b 13 00 00 */ unsigned char Next[4]; /* +0x0008 41 12 00 00 */ unsigned short ContextType; /* +0x000c */ unsigned char Flags; /* +0x000e */ unsigned char AllocationType; /* +0x000f */ unsigned char NonPaged[80]; /* +0x0010 77 10 00 00 */ unsigned char Paged[104]; /* +0x0060 84 10 00 00 */ }; struct _FILE_BASIC_INFORMATION { unsigned char CreationTime[8]; /* +0x0000 3a 10 00 00 */ unsigned char LastAccessTime[8]; /* +0x0008 3a 10 00 00 */ unsigned char LastWriteTime[8]; /* +0x0010 3a 10 00 00 */ unsigned char ChangeTime[8]; /* +0x0018 3a 10 00 00 */ unsigned long FileAttributes; /* +0x0020 */ }; /* struct { unsigned char SecurityContext[4]; +0x0000 c1 10 00 00 unsigned long Options; +0x0004 unsigned short FileAttributes; +0x0008 unsigned short ShareAccess; +0x000a unsigned long EaLength; +0x000c void *EaBuffer; +0x0010 unsigned char AllocationSize[8]; +0x0014 3a 10 00 00 }; */ /* struct { unsigned char SecurityContext[4]; +0x0000 c1 10 00 00 unsigned long Options; +0x0004 unsigned short Reserved; +0x0008 unsigned short ShareAccess; +0x000a void *Parameters; +0x000c }; */ /* struct { unsigned long Length; +0x0000 unsigned long Key; +0x0004 unsigned char ByteOffset[8]; +0x0008 3a 10 00 00 void *ReadBuffer; +0x0010 unsigned char MdlAddress[4]; +0x0014 8d 10 00 00 }; */ /* struct { unsigned long Length; +0x0000 unsigned long Key; +0x0004 unsigned char ByteOffset[8]; +0x0008 3a 10 00 00 void *WriteBuffer; +0x0010 unsigned char MdlAddress[4]; +0x0014 8d 10 00 00 }; */ /* struct { unsigned long Length; +0x0000 unsigned char FileInformationClass[4]; +0x0004 cf 10 00 00 void *InfoBuffer; +0x0008 }; */ /* struct { unsigned long Length; +0x0000 unsigned char FileInformationClass[4]; +0x0004 cf 10 00 00 unsigned char ParentOfTarget[4]; +0x0008 b7 10 00 00 unsigned char ReplaceIfExists; +0x000c unsigned char AdvanceOnly; +0x000d unsigned long ClusterCount; +0x000c void *DeleteHandle; +0x000c void *InfoBuffer; +0x0010 }; */ /* struct { unsigned long Length; +0x0000 void *EaList; +0x0004 unsigned long EaListLength; +0x0008 unsigned long EaIndex; +0x000c void *EaBuffer; +0x0010 unsigned char MdlAddress[4]; +0x0014 8d 10 00 00 }; */ /* struct { unsigned long Length; +0x0000 void *EaBuffer; +0x0004 unsigned char MdlAddress[4]; +0x0008 8d 10 00 00 }; */ /* struct { unsigned long Length; +0x0000 unsigned char FsInformationClass[4]; +0x0004 dd 10 00 00 void *VolumeBuffer; +0x0008 }; */ /* struct { unsigned long Length; +0x0000 unsigned char FileName[4]; +0x0004 2f 10 00 00 unsigned char FileInformationClass[4]; +0x0008 cf 10 00 00 unsigned long FileIndex; +0x000c void *DirectoryBuffer; +0x0010 unsigned char MdlAddress[4]; +0x0014 8d 10 00 00 }; */ /* struct { unsigned long Length; +0x0000 unsigned long CompletionFilter; +0x0004 unsigned long Spare1; +0x0008 unsigned long Spare2; +0x000c void *DirectoryBuffer; +0x0010 unsigned char MdlAddress[4]; +0x0014 8d 10 00 00 }; */ /* struct { /* unsigned char QueryDirectory[0]; +0x0000 7b 15 00 00 unsigned char NotifyDirectory[24]; +0x0000 7d 15 00 00 }; */ /* struct { unsigned long OutputBufferLength; +0x0000 unsigned long InputBufferLength; +0x0004 unsigned long FsControlCode; +0x0008 }; */ /* struct { unsigned long OutputBufferLength; +0x0000 unsigned long InputBufferLength; +0x0004 unsigned long FsControlCode; +0x0008 void *InputBuffer; +0x000c void *OutputBuffer; +0x0010 unsigned char OutputMdlAddress[4]; +0x0014 8d 10 00 00 }; */ /* struct { unsigned long OutputBufferLength; +0x0000 unsigned long InputBufferLength; +0x0004 unsigned long FsControlCode; +0x0008 void *SystemBuffer; +0x000c }; */ /* struct { unsigned long OutputBufferLength; +0x0000 unsigned long InputBufferLength; +0x0004 unsigned long FsControlCode; +0x0008 void *InputSystemBuffer; +0x000c void *OutputBuffer; +0x0010 unsigned char OutputMdlAddress[4]; +0x0014 8d 10 00 00 }; */ /* struct { /* unsigned char VerifyVolume[0]; +0x0000 ee 10 00 00 /* unsigned char Common[0]; +0x0000 81 15 00 00 /* unsigned char Neither[0]; +0x0000 83 15 00 00 /* unsigned char Buffered[0]; +0x0000 85 15 00 00 unsigned char Direct[24]; +0x0000 87 15 00 00 }; */ /* struct { unsigned long OutputBufferLength; +0x0000 unsigned long InputBufferLength; +0x0004 unsigned long IoControlCode; +0x0008 }; */ /* struct { unsigned long OutputBufferLength; +0x0000 unsigned long InputBufferLength; +0x0004 unsigned long IoControlCode; +0x0008 void *InputBuffer; +0x000c void *OutputBuffer; +0x0010 unsigned char OutputMdlAddress[4]; +0x0014 8d 10 00 00 }; */ /* struct { unsigned long OutputBufferLength; +0x0000 unsigned long InputBufferLength; +0x0004 unsigned long IoControlCode; +0x0008 void *SystemBuffer; +0x000c }; */ /* struct { unsigned long OutputBufferLength; +0x0000 unsigned long InputBufferLength; +0x0004 unsigned long IoControlCode; +0x0008 void *InputSystemBuffer; +0x000c void *OutputBuffer; +0x0010 unsigned char OutputMdlAddress[4]; +0x0014 8d 10 00 00 }; */ /* struct { unsigned long OutputBufferLength; +0x0000 unsigned long InputBufferLength; +0x0004 unsigned long IoControlCode; +0x0008 void *InputBuffer; +0x000c void *OutputBuffer; +0x0010 }; */ /* struct { /* unsigned char Common[0]; +0x0000 8b 15 00 00 /* unsigned char Neither[0]; +0x0000 8d 15 00 00 /* unsigned char Buffered[0]; +0x0000 8f 15 00 00 /* unsigned char Direct[0]; +0x0000 91 15 00 00 unsigned char FastIo[24]; +0x0000 93 15 00 00 }; */ /* struct { unsigned char Length[4]; +0x0000 e2 10 00 00 unsigned long Key; +0x0004 unsigned char ByteOffset[8]; +0x0008 3a 10 00 00 unsigned char ProcessId[4]; +0x0010 0a 15 00 00 unsigned char FailImmediately; +0x0014 unsigned char ExclusiveLock; +0x0015 }; */ /* struct { unsigned long SecurityInformation; +0x0000 unsigned long Length; +0x0004 void *SecurityBuffer; +0x0008 unsigned char MdlAddress[4]; +0x000c 8d 10 00 00 }; */ /* struct { unsigned long Length; +0x0000 void *StartSid; +0x0004 unsigned char SidList[4]; +0x0008 f4 10 00 00 unsigned long SidListLength; +0x000c void *QuotaBuffer; +0x0010 unsigned char MdlAddress[4]; +0x0014 8d 10 00 00 }; */ /* struct { unsigned long Length; +0x0000 void *QuotaBuffer; +0x0004 unsigned char MdlAddress[4]; +0x0008 8d 10 00 00 }; */ /* struct { /* unsigned char StartDevice[0]; +0x0000 2e 11 00 00 /* unsigned char QueryDeviceRelations[0]; +0x0000 fa 10 00 00 /* unsigned char QueryInterface[0]; +0x0000 01 11 00 00 /* unsigned char DeviceCapabilities[0]; +0x0000 05 11 00 00 /* unsigned char FilterResourceRequirements[0]; +0x0000 09 11 00 00 /* unsigned char ReadWriteConfig[0]; +0x0000 0b 11 00 00 /* unsigned char SetLock[0]; +0x0000 0d 11 00 00 /* unsigned char QueryId[0]; +0x0000 11 11 00 00 /* unsigned char QueryDeviceText[0]; +0x0000 15 11 00 00 unsigned char UsageNotification[16]; +0x0000 1a 11 00 00 }; */ /* struct { unsigned char FileOffset[8]; +0x0000 3a 10 00 00 unsigned long Length; +0x0008 unsigned long LockKey; +0x000c unsigned char CheckForReadOperation; +0x0010 }; */ /* struct { unsigned char Irp[4]; +0x0000 a1 10 00 00 unsigned char NetworkInformation[4]; +0x0004 21 15 00 00 }; */ /* struct { unsigned char FileOffset[8]; +0x0000 3a 10 00 00 unsigned long Length; +0x0008 unsigned long Key; +0x000c unsigned char MdlChain[4]; +0x0010 92 10 00 00 }; */ /* struct { unsigned char MdlChain[4]; +0x0000 8d 10 00 00 }; */ /* struct { unsigned char FileOffset[8]; +0x0000 3a 10 00 00 unsigned char MdlChain[4]; +0x0008 8d 10 00 00 }; */ /* struct { unsigned long DeviceType; +0x0000 }; */ /* struct { void *Argument1; +0x0000 void *Argument2; +0x0004 void *Argument3; +0x0008 void *Argument4; +0x000c void *Argument5; +0x0010 unsigned char Argument6[8]; +0x0014 3a 10 00 00 }; */ struct _FLT_PARAMETERS { /* unsigned char Create[0]; +0x0000 69 15 00 00 */ /* unsigned char CreatePipe[0]; +0x0000 6b 15 00 00 */ /* unsigned char CreateMailslot[0]; +0x0000 6b 15 00 00 */ /* unsigned char Read[0]; +0x0000 6d 15 00 00 */ /* unsigned char Write[0]; +0x0000 6f 15 00 00 */ /* unsigned char QueryFileInformation[0]; +0x0000 71 15 00 00 */ /* unsigned char SetFileInformation[0]; +0x0000 73 15 00 00 */ /* unsigned char QueryEa[0]; +0x0000 75 15 00 00 */ /* unsigned char SetEa[0]; +0x0000 77 15 00 00 */ /* unsigned char QueryVolumeInformation[0]; +0x0000 79 15 00 00 */ /* unsigned char SetVolumeInformation[0]; +0x0000 79 15 00 00 */ /* unsigned char DirectoryControl[0]; +0x0000 7f 15 00 00 */ /* unsigned char FileSystemControl[0]; +0x0000 89 15 00 00 */ /* unsigned char DeviceIoControl[0]; +0x0000 95 15 00 00 */ /* unsigned char LockControl[0]; +0x0000 97 15 00 00 */ /* unsigned char QuerySecurity[0]; +0x0000 99 15 00 00 */ /* unsigned char SetSecurity[0]; +0x0000 ea 10 00 00 */ /* unsigned char WMI[0]; +0x0000 30 11 00 00 */ /* unsigned char QueryQuota[0]; +0x0000 9b 15 00 00 */ /* unsigned char SetQuota[0]; +0x0000 9d 15 00 00 */ /* unsigned char Pnp[0]; +0x0000 9f 15 00 00 */ /* unsigned char AcquireForSectionSynchronization[0]; +0x0000 86 14 00 00 */ /* unsigned char AcquireForModifiedPageWriter[0]; +0x0000 80 14 00 00 */ /* unsigned char ReleaseForModifiedPageWriter[0]; +0x0000 82 14 00 00 */ /* unsigned char FastIoCheckIfPossible[0]; +0x0000 a1 15 00 00 */ /* unsigned char NetworkQueryOpen[0]; +0x0000 a3 15 00 00 */ /* unsigned char MdlRead[0]; +0x0000 a5 15 00 00 */ /* unsigned char MdlReadComplete[0]; +0x0000 a7 15 00 00 */ /* unsigned char PrepareMdlWrite[0]; +0x0000 a5 15 00 00 */ /* unsigned char MdlWriteComplete[0]; +0x0000 a9 15 00 00 */ /* unsigned char MountVolume[0]; +0x0000 ab 15 00 00 */ unsigned char Others[28]; /* +0x0000 ad 15 00 00 */ }; struct _FLT_PORT_OBJECT { unsigned char FilterLink[8]; /* +0x0000 17 10 00 00 */ unsigned char ServerPort[4]; /* +0x0008 b1 15 00 00 */ void *Cookie; /* +0x000c */ unsigned char MsgNotifRundownRef[4]; /* +0x0010 a4 13 00 00 */ unsigned char Lock[32]; /* +0x0014 49 10 00 00 */ unsigned char MsgQ[116]; /* +0x0034 a7 13 00 00 */ unsigned long long MessageId; /* +0x00a8 */ unsigned char DisconnectEvent[16]; /* +0x00b0 4b 10 00 00 */ unsigned char Disconnected; /* +0x00c0 */ }; struct _IO_SECURITY_CONTEXT { unsigned char SecurityQos[4]; /* +0x0000 b5 15 00 00 */ unsigned char AccessState[4]; /* +0x0004 f4 11 00 00 */ unsigned long DesiredAccess; /* +0x0008 */ unsigned long FullCreateOptions; /* +0x000c */ }; enum ReplacesCorHdrNumericDefines { COMIMAGE_FLAGS_ILONLY = 1, COMIMAGE_FLAGS_32BITREQUIRED = 2, COMIMAGE_FLAGS_IL_LIBRARY = 4, COMIMAGE_FLAGS_STRONGNAMESIGNED = 8, COMIMAGE_FLAGS_NATIVE_ENTRYPOINT = 16, /* COMIMAGE_FLAGS_TRACKDEBUGDATA = Unavail */ }; struct _MAILSLOT_CREATE_PARAMETERS { unsigned long MailslotQuota; /* +0x0000 */ unsigned long MaximumMessageSize; /* +0x0004 */ unsigned char ReadTimeout[8]; /* +0x0008 3a 10 00 00 */ unsigned char TimeoutSpecified; /* +0x0010 */ }; struct _FILE_NAMES_INFORMATION { unsigned long NextEntryOffset; /* +0x0000 */ unsigned long FileIndex; /* +0x0004 */ unsigned long FileNameLength; /* +0x0008 */ unsigned char FileName[4]; /* +0x000c 49 15 00 00 */ }; struct _NAMED_PIPE_CREATE_PARAMETERS { unsigned long NamedPipeType; /* +0x0000 */ unsigned long ReadMode; /* +0x0004 */ unsigned long CompletionMode; /* +0x0008 */ unsigned long MaximumInstances; /* +0x000c */ unsigned long InboundQuota; /* +0x0010 */ unsigned long OutboundQuota; /* +0x0014 */ unsigned char DefaultTimeout[8]; /* +0x0018 3a 10 00 00 */ unsigned char TimeoutSpecified; /* +0x0020 */ }; struct _DEVOBJ_EXTENSION { short Type; /* +0x0000 */ unsigned short Size; /* +0x0002 */ unsigned char DeviceObject[4]; /* +0x0004 ae 10 00 00 */ }; struct _TX_CONTEXT_EXTENSION { void *TxEnlistmentHandle; /* +0x0000 */ unsigned char TxEnlistmentObject[4]; /* +0x0004 c3 15 00 00 */ unsigned long TxNotificationMask; /* +0x0008 */ unsigned char TxCompleteFinalizeWork[20]; /* +0x000c 4c 12 00 00 */ unsigned char TxCtxExtensionLock[4]; /* +0x0020 d3 11 00 00 */ }; struct _BACKPOCKET_IRPCTRL { unsigned char PageFileIoLock[20]; /* +0x0000 14 12 00 00 */ unsigned char PageFileIo[4]; /* +0x0014 7d 12 00 00 */ unsigned char OwningThread[4]; /* +0x0018 9c 10 00 00 */ unsigned char EntriesLock[20]; /* +0x001c 14 12 00 00 */ unsigned char Entries[36]; /* +0x0030 c7 15 00 00 */ }; struct _TXN_PARAMETER_BLOCK { unsigned short Length; /* +0x0000 */ unsigned short TxFsContext; /* +0x0002 */ void *TransactionObject; /* +0x0004 */ }; struct _FLT_VERIFIER_OBJECT { unsigned char TreeLink[28]; /* +0x0000 06 12 00 00 */ unsigned long Type; /* +0x001c */ void *Object; /* +0x0020 */ long RefCount; /* +0x0024 */ }; enum _STREAM_LIST_CTRL_FLAGS { SLCFL_LINKED_TO_STREAM = 1, SLCFL_CLEANED_UP = 2, SLCFL_IS_FILE = 16, SLCFL_IS_DIRECTORY = 32, SLCFL_HAS_HARDLINKS = 256, SLCFL_NO_HARDLINKS = 512, SLCFL_VOLUME_OPEN = 1024, SLCFL_NPFS_MSFS_VCB = 2048 }; struct _STREAM_LIST_CTRL { unsigned char Type[4]; /* +0x0000 7e 12 00 00 */ long AllNameContextsTemporary; /* +0x0004 */ unsigned char ContextCtrl[20]; /* +0x0008 12 14 00 00 */ unsigned char VolumeLink[8]; /* +0x001c 17 10 00 00 */ unsigned char Flags[4]; /* +0x0024 d0 15 00 00 */ long UseCount; /* +0x0028 */ unsigned char ContextLock[4]; /* +0x002c d3 11 00 00 */ unsigned char StreamContexts[4]; /* +0x0030 4f 12 00 00 */ unsigned char StreamHandleContexts[4]; /* +0x0034 4f 12 00 00 */ unsigned char SectionContexts[4]; /* +0x0038 d2 15 00 00 */ unsigned char NameCacheLock[4]; /* +0x003c d3 11 00 00 */ unsigned char LastRenameCompleted[8]; /* +0x0040 3a 10 00 00 */ unsigned char NormalizedNameCache[8]; /* +0x0048 59 15 00 00 */ unsigned char ShortNameCache[8]; /* +0x0050 59 15 00 00 */ unsigned char OpenedNameCache[8]; /* +0x0058 59 15 00 00 */ unsigned char SectionLock[56]; /* +0x0060 cc 11 00 00 */ }; /* struct { /* unsigned char Manager[0]; +0x0000 f6 14 00 00 /* unsigned char Filter[0]; +0x0000 c0 13 00 00 /* unsigned char Instance[0]; +0x0000 cd 13 00 00 /* unsigned char Volume[0]; +0x0000 e7 14 00 00 unsigned char Port[48]; +0x0000 d6 15 00 00 }; */ struct _FLT_CCB { unsigned char Type[4]; /* +0x0000 7e 12 00 00 */ unsigned char Data[48]; /* +0x0004 d8 15 00 00 */ }; struct _FILE_NETWORK_OPEN_INFORMATION { unsigned char CreationTime[8]; /* +0x0000 3a 10 00 00 */ unsigned char LastAccessTime[8]; /* +0x0008 3a 10 00 00 */ unsigned char LastWriteTime[8]; /* +0x0010 3a 10 00 00 */ unsigned char ChangeTime[8]; /* +0x0018 3a 10 00 00 */ unsigned char AllocationSize[8]; /* +0x0020 3a 10 00 00 */ unsigned char EndOfFile[8]; /* +0x0028 3a 10 00 00 */ unsigned long FileAttributes; /* +0x0030 */ }; struct _BACKPOCKET_THREAD_ENTRY { unsigned char OwningThread[4]; /* +0x0000 9c 10 00 00 */ unsigned char IrpCtrlList[4]; /* +0x0004 29 10 00 00 */ unsigned long Count; /* +0x0008 */ }; struct _NAME_CACHE_LIST_CTRL_STATS { unsigned long Searches; /* +0x0000 */ unsigned long Hits; /* +0x0004 */ unsigned long Created; /* +0x0008 */ unsigned long Temporary; /* +0x000c */ unsigned long Duplicate; /* +0x0010 */ unsigned long Removed; /* +0x0014 */ unsigned long RemovedDueToCase; /* +0x0018 */ }; enum _REG_NOTIFY_CLASS { RegNtDeleteKey = 0, RegNtPreDeleteKey = 0, RegNtSetValueKey = 1, RegNtPreSetValueKey = 1, RegNtDeleteValueKey = 2, RegNtPreDeleteValueKey = 2, RegNtSetInformationKey = 3, RegNtPreSetInformationKey = 3, RegNtRenameKey = 4, RegNtPreRenameKey = 4, RegNtEnumerateKey = 5, RegNtPreEnumerateKey = 5, RegNtEnumerateValueKey = 6, RegNtPreEnumerateValueKey = 6, RegNtQueryKey = 7, RegNtPreQueryKey = 7, RegNtQueryValueKey = 8, RegNtPreQueryValueKey = 8, RegNtQueryMultipleValueKey = 9, RegNtPreQueryMultipleValueKey = 9, RegNtPreCreateKey = 10, RegNtPostCreateKey = 11, RegNtPreOpenKey = 12, RegNtPostOpenKey = 13, RegNtKeyHandleClose = 14, RegNtPreKeyHandleClose = 14, RegNtPostDeleteKey = 15, RegNtPostSetValueKey = 16, RegNtPostDeleteValueKey = 17, RegNtPostSetInformationKey = 18, RegNtPostRenameKey = 19, RegNtPostEnumerateKey = 20, RegNtPostEnumerateValueKey = 21, RegNtPostQueryKey = 22, RegNtPostQueryValueKey = 23, RegNtPostQueryMultipleValueKey = 24, RegNtPostKeyHandleClose = 25, RegNtPreCreateKeyEx = 26, RegNtPostCreateKeyEx = 27, RegNtPreOpenKeyEx = 28, RegNtPostOpenKeyEx = 29, RegNtPreFlushKey = 30, RegNtPostFlushKey = 31, RegNtPreLoadKey = 32, RegNtPostLoadKey = 33, RegNtPreUnLoadKey = 34, RegNtPostUnLoadKey = 35, RegNtPreQueryKeySecurity = 36, RegNtPostQueryKeySecurity = 37, RegNtPreSetKeySecurity = 38, RegNtPostSetKeySecurity = 39, RegNtCallbackObjectContextCleanup = 40, RegNtPreRestoreKey = 41, RegNtPostRestoreKey = 42, RegNtPreSaveKey = 43, RegNtPostSaveKey = 44, RegNtPreReplaceKey = 45, RegNtPostReplaceKey = 46, MaxRegNtNotifyClass = 47 }; struct _WPP_TRACE_CONTROL_BLOCK { unsigned char Callback[4]; /* +0x0000 e7 15 00 00 */ unsigned char Next[4]; /* +0x0004 e8 15 00 00 */ long long Logger; /* +0x0008 */ unsigned char FlagsLen; /* +0x0010 */ unsigned char Level; /* +0x0011 */ unsigned short Reserved; /* +0x0012 */ unsigned char Flags[4]; /* +0x0014 93 13 00 00 */ }; enum _PERFINFO_MM_STAT { PerfInfoMMStatNotUsed = 0, PerfInfoMMStatAggregatePageCombine = 1, PerfInfoMMStatIterationPageCombine = 2, PerfInfoMMStatMax = 3 }; struct _WORK_CONTEXT { unsigned char FltWork[20]; /* +0x0000 4c 12 00 00 */ unsigned char SyncOpRoutine[4]; /* +0x0014 ef 15 00 00 */ void *Parameter; /* +0x0018 */ unsigned char SyncEvent[16]; /* +0x001c 4b 10 00 00 */ long Status; /* +0x002c */ unsigned char QueueType[4]; /* +0x0030 56 15 00 00 */ unsigned char IoPriorityInfo[16]; /* +0x0034 c1 11 00 00 */ }; struct _EX_RUNDOWN_REF { unsigned long Count; /* +0x0000 */ void *Ptr; /* +0x0000 */ }; struct _WHEA_PERSISTENCE_INFO { /* unsigned char Signature[0]; +0x0000 f4 15 00 00 */ /* unsigned char Length[0]; +0x0000 f5 15 00 00 */ /* unsigned char Identifier[0]; +0x0000 f6 15 00 00 */ /* unsigned char Attributes[0]; +0x0000 f7 15 00 00 */ /* unsigned char DoNotLog[0]; +0x0000 f8 15 00 00 */ /* unsigned char Reserved[0]; +0x0000 f9 15 00 00 */ unsigned long long AsULONGLONG; /* +0x0000 */ }; struct _ECP_LIST { unsigned long Signature; /* +0x0000 */ unsigned long Flags; /* +0x0004 */ unsigned char EcpList[8]; /* +0x0008 17 10 00 00 */ }; enum _KINTERRUPT_POLARITY { InterruptPolarityUnknown = 0, InterruptActiveHigh = 1, InterruptRisingEdge = 1, InterruptActiveLow = 2, InterruptFallingEdge = 2, InterruptActiveBoth = 3 }; /* struct { unsigned long Length; +0x0000 unsigned long Alignment; +0x0004 unsigned char MinimumAddress[8]; +0x0008 3a 10 00 00 unsigned char MaximumAddress[8]; +0x0010 3a 10 00 00 }; */ enum _IRQ_DEVICE_POLICY { IrqPolicyMachineDefault = 0, IrqPolicyAllCloseProcessors = 1, IrqPolicyOneCloseProcessor = 2, IrqPolicyAllProcessorsInMachine = 3, IrqPolicySpecifiedProcessors = 4, IrqPolicySpreadMessagesAcrossAllProcessors = 5 }; enum _IRQ_PRIORITY { IrqPriorityUndefined = 0, IrqPriorityLow = 1, IrqPriorityNormal = 2, IrqPriorityHigh = 3 }; /* struct { unsigned long MinimumVector; +0x0000 unsigned long MaximumVector; +0x0004 unsigned char AffinityPolicy[4]; +0x0008 03 16 00 00 unsigned char PriorityPolicy[4]; +0x000c 05 16 00 00 unsigned long TargetedProcessors; +0x0010 }; */ /* struct { unsigned long MinimumChannel; +0x0000 unsigned long MaximumChannel; +0x0004 }; */ /* struct { unsigned long RequestLine; +0x0000 unsigned long Reserved; +0x0004 unsigned long Channel; +0x0008 unsigned long TransferWidth; +0x000c }; */ /* struct { unsigned long Length; +0x0000 unsigned long MinBusNumber; +0x0004 unsigned long MaxBusNumber; +0x0008 unsigned long Reserved; +0x000c }; */ /* struct { unsigned long Priority; +0x0000 unsigned long Reserved1; +0x0004 unsigned long Reserved2; +0x0008 }; */ /* struct { unsigned long Length40; +0x0000 unsigned long Alignment40; +0x0004 unsigned char MinimumAddress[8]; +0x0008 3a 10 00 00 unsigned char MaximumAddress[8]; +0x0010 3a 10 00 00 }; */ /* struct { unsigned long Length48; +0x0000 unsigned long Alignment48; +0x0004 unsigned char MinimumAddress[8]; +0x0008 3a 10 00 00 unsigned char MaximumAddress[8]; +0x0010 3a 10 00 00 }; */ /* struct { unsigned long Length64; +0x0000 unsigned long Alignment64; +0x0004 unsigned char MinimumAddress[8]; +0x0008 3a 10 00 00 unsigned char MaximumAddress[8]; +0x0010 3a 10 00 00 }; */ /* struct { /* unsigned char Port[0]; +0x0000 01 16 00 00 /* unsigned char Memory[0]; +0x0000 01 16 00 00 /* unsigned char Interrupt[0]; +0x0000 07 16 00 00 /* unsigned char Dma[0]; +0x0000 09 16 00 00 /* unsigned char DmaV3[0]; +0x0000 0b 16 00 00 /* unsigned char Generic[0]; +0x0000 01 16 00 00 /* unsigned char DevicePrivate[0]; +0x0000 cc 14 00 00 /* unsigned char BusNumber[0]; +0x0000 0d 16 00 00 /* unsigned char ConfigData[0]; +0x0000 0f 16 00 00 /* unsigned char Memory40[0]; +0x0000 11 16 00 00 /* unsigned char Memory48[0]; +0x0000 13 16 00 00 /* unsigned char Memory64[0]; +0x0000 15 16 00 00 unsigned char Connection[24]; +0x0000 d8 14 00 00 }; */ struct _IO_RESOURCE_DESCRIPTOR { unsigned char Option; /* +0x0000 */ unsigned char Type; /* +0x0001 */ unsigned char ShareDisposition; /* +0x0002 */ unsigned char Spare1; /* +0x0003 */ unsigned short Flags; /* +0x0004 */ unsigned short Spare2; /* +0x0006 */ unsigned char u[24]; /* +0x0008 17 16 00 00 */ }; struct _THROTTLED_WORK_ITEM_CTRL { unsigned long ThrottleLock; /* +0x0000 */ unsigned char Queues[128]; /* +0x0004 1c 16 00 00 */ }; struct _COMPRESSED_DATA_INFO { unsigned short CompressionFormatAndEngine; /* +0x0000 */ unsigned char CompressionUnitShift; /* +0x0002 */ unsigned char ChunkShift; /* +0x0003 */ unsigned char ClusterShift; /* +0x0004 */ unsigned char Reserved; /* +0x0005 */ unsigned short NumberOfChunks; /* +0x0006 */ unsigned char CompressedChunkSizes[4]; /* +0x0008 93 13 00 00 */ }; struct _SECTION_LIST_CTRL { unsigned char RundownRef[4]; /* +0x0000 06 13 00 00 */ unsigned char Event[16]; /* +0x0004 4b 10 00 00 */ unsigned char CtxList[4]; /* +0x0014 4f 12 00 00 */ }; struct _SECURITY_QUALITY_OF_SERVICE { unsigned long Length; /* +0x0000 */ unsigned char ImpersonationLevel[4]; /* +0x0004 93 14 00 00 */ unsigned char ContextTrackingMode; /* +0x0008 */ unsigned char EffectiveOnly; /* +0x0009 */ }; struct _FILE_STANDARD_INFORMATION { unsigned char AllocationSize[8]; /* +0x0000 3a 10 00 00 */ unsigned char EndOfFile[8]; /* +0x0008 3a 10 00 00 */ unsigned long NumberOfLinks; /* +0x0010 */ unsigned char DeletePending; /* +0x0014 */ unsigned char Directory; /* +0x0015 */ }; struct _THROTTLE_ELEMENT { unsigned char PendingList[8]; /* +0x0000 17 10 00 00 */ unsigned long RunningCount; /* +0x0008 */ unsigned long RunningLimit; /* +0x000c */ }; struct _NAME_CACHE_LIST_CTRL { unsigned long NameFormat; /* +0x0000 */ unsigned char List[4]; /* +0x0004 08 12 00 00 */ }; struct _PORT_CCB { unsigned char Port[4]; /* +0x0000 2b 16 00 00 */ unsigned char ReplyWaiterList[44]; /* +0x0004 29 12 00 00 */ };