I've been studying the three-line assembly code taken from WinDbg on a Windows 8.1 (64-bit) computer. I've been told that the assembly code below returns a pointer to an EPROCESS object. I do, however, understand the very first line, which walks the _KPCR struct object until it reaches the Prcb member at offset +0x180 of this struct. It then walks the _KPRCB struct and eventually points to offset +0x008 of that struct, which is the CurrentThread member, a pointer to a _KTHREAD object.
Could someone now explain the second line and how this function points to an EPROCESS structure?
lkd> uf nt!PsGetCurrentProcess
nt!PsGetCurrentProcess:
fffff801`2f640490 65488b042588010000 mov rax,qword ptr gs:[188h] ;this points to _KTHREAD (CurrentThread)
fffff801`2f640499 488b80b8000000 mov rax,qword ptr [rax+0B8h]
fffff801`2f6404a0 c3 ret
I've added the respective structures that should help:
lkd> dt _KPCR
nt!_KPCR
+0x000 NtTib : _NT_TIB
+0x000 GdtBase : Ptr64 _KGDTENTRY64
+0x008 TssBase : Ptr64 _KTSS64
+0x010 UserRsp : Uint8B
+0x018 Self : Ptr64 _KPCR
+0x020 CurrentPrcb : Ptr64 _KPRCB
+0x028 LockArray : Ptr64 _KSPIN_LOCK_QUEUE
+0x030 Used_Self : Ptr64 Void
+0x038 IdtBase : Ptr64 _KIDTENTRY64
+0x040 Unused : [2] Uint8B
+0x050 Irql : UChar
+0x051 SecondLevelCacheAssociativity : UChar
+0x052 ObsoleteNumber : UChar
+0x053 Fill0 : UChar
+0x054 Unused0 : [3] Uint4B
+0x060 MajorVersion : Uint2B
+0x062 MinorVersion : Uint2B
+0x064 StallScaleFactor : Uint4B
+0x068 Unused1 : [3] Ptr64 Void
+0x080 KernelReserved : [15] Uint4B
+0x0bc SecondLevelCacheSize : Uint4B
+0x0c0 HalReserved : [16] Uint4B
+0x100 Unused2 : Uint4B
+0x108 KdVersionBlock : Ptr64 Void
+0x110 Unused3 : Ptr64 Void
+0x118 PcrAlign1 : [24] Uint4B
+0x180 Prcb : _KPRCB
lkd> dt _KPRCB
nt!_KPRCB
+0x000 MxCsr : Uint4B
+0x004 LegacyNumber : UChar
+0x005 ReservedMustBeZero : UChar
+0x006 InterruptRequest : UChar
+0x007 IdleHalt : UChar
+0x008 CurrentThread : Ptr64 _KTHREAD
+0x010 NextThread : Ptr64 _KTHREAD
+0x018 IdleThread : Ptr64 _KTHREAD
+0x020 NestingLevel : UChar
+0x021 ClockOwner : UChar
+0x022 PendingTickFlags : UChar
+0x022 PendingTick : Pos 0, 1 Bit
+0x022 PendingBackupTick : Pos 1, 1 Bit
+0x023 PrcbPad00 : [1] UChar
+0x024 Number : Uint4B
+0x028 RspBase : Uint8B
+0x030 PrcbLock : Uint8B
+0x038 PriorityState : Ptr64 Char
+0x040 ProcessorState : _KPROCESSOR_STATE
+0x5f0 CpuType : Char
+0x5f1 CpuID : Char
+0x5f2 CpuStep : Uint2B
+0x5f2 CpuStepping : UChar
+0x5f3 CpuModel : UChar
+0x5f4 MHz : Uint4B
+0x5f8 HalReserved : [8] Uint8B
+0x638 MinorVersion : Uint2B
+0x63a MajorVersion : Uint2B
+0x63c BuildType : UChar
+0x63d CpuVendor : UChar
+0x63e CoresPerPhysicalProcessor : UChar
+0x63f LogicalProcessorsPerCore : UChar
+0x640 ParentNode : Ptr64 _KNODE
+0x648 GroupSetMember : Uint8B
+0x650 Group : UChar
+0x651 GroupIndex : UChar
+0x652 PrcbPad05 : [2] UChar
+0x654 ApicMask : Uint4B
+0x658 CFlushSize : Uint4B
+0x660 AcpiReserved : Ptr64 Void
+0x668 InitialApicId : Uint4B
+0x670 LockQueue : [17] _KSPIN_LOCK_QUEUE
+0x780 PPLookasideList : [16] _PP_LOOKASIDE_LIST
+0x880 PPNxPagedLookasideList : [32] _GENERAL_LOOKASIDE_POOL
+0x1480 PPNPagedLookasideList : [32] _GENERAL_LOOKASIDE_POOL
+0x2080 PPPagedLookasideList : [32] _GENERAL_LOOKASIDE_POOL
+0x2c80 MsrIa32TsxCtrl : Uint8B
+0x2c88 DeferredReadyListHead : _SINGLE_LIST_ENTRY
+0x2c90 MmPageFaultCount : Int4B
+0x2c94 MmCopyOnWriteCount : Int4B
+0x2c98 MmTransitionCount : Int4B
+0x2c9c MmDemandZeroCount : Int4B
+0x2ca0 MmPageReadCount : Int4B
+0x2ca4 MmPageReadIoCount : Int4B
+0x2ca8 MmDirtyPagesWriteCount : Int4B
+0x2cac MmDirtyWriteIoCount : Int4B
+0x2cb0 MmMappedPagesWriteCount : Int4B
+0x2cb4 MmMappedWriteIoCount : Int4B
+0x2cb8 KeSystemCalls : Uint4B
+0x2cbc KeContextSwitches : Uint4B
+0x2cc0 LdtSelector : Uint2B
+0x2cc2 PrcbPad40 : Uint2B
+0x2cc4 CcFastReadNoWait : Uint4B
+0x2cc8 CcFastReadWait : Uint4B
+0x2ccc CcFastReadNotPossible : Uint4B
+0x2cd0 CcCopyReadNoWait : Uint4B
+0x2cd4 CcCopyReadWait : Uint4B
+0x2cd8 CcCopyReadNoWaitMiss : Uint4B
+0x2cdc IoReadOperationCount : Int4B
+0x2ce0 IoWriteOperationCount : Int4B
+0x2ce4 IoOtherOperationCount : Int4B
+0x2ce8 IoReadTransferCount : _LARGE_INTEGER
+0x2cf0 IoWriteTransferCount : _LARGE_INTEGER
+0x2cf8 IoOtherTransferCount : _LARGE_INTEGER
+0x2d00 PacketBarrier : Int4B
+0x2d04 TargetCount : Int4B
+0x2d08 IpiFrozen : Uint4B
+0x2d10 IsrDpcStats : Ptr64 Void
+0x2d18 DeviceInterrupts : Uint4B
+0x2d1c LookasideIrpFloat : Int4B
+0x2d20 InterruptLastCount : Uint4B
+0x2d24 InterruptRate : Uint4B
+0x2d28 PrcbPad41 : [22] Uint4B
+0x2d80 DpcData : [2] _KDPC_DATA
+0x2dd0 DpcStack : Ptr64 Void
+0x2dd8 MaximumDpcQueueDepth : Int4B
+0x2ddc DpcRequestRate : Uint4B
+0x2de0 MinimumDpcRate : Uint4B
+0x2de4 DpcLastCount : Uint4B
+0x2de8 ThreadDpcEnable : UChar
+0x2de9 QuantumEnd : UChar
+0x2dea DpcRoutineActive : UChar
+0x2deb IdleSchedule : UChar
+0x2dec DpcRequestSummary : Int4B
+0x2dec DpcRequestSlot : [2] Int2B
+0x2dec NormalDpcState : Int2B
+0x2dee ThreadDpcState : Int2B
+0x2dec DpcNormalProcessingActive : Pos 0, 1 Bit
+0x2dec DpcNormalProcessingRequested : Pos 1, 1 Bit
+0x2dec DpcNormalThreadSignal : Pos 2, 1 Bit
+0x2dec DpcNormalTimerExpiration : Pos 3, 1 Bit
+0x2dec DpcNormalDpcPresent : Pos 4, 1 Bit
+0x2dec DpcNormalLocalInterrupt : Pos 5, 1 Bit
+0x2dec DpcNormalSpare : Pos 6, 10 Bits
+0x2dec DpcThreadActive : Pos 16, 1 Bit
+0x2dec DpcThreadRequested : Pos 17, 1 Bit
+0x2dec DpcThreadSpare : Pos 18, 14 Bits
+0x2df0 LastTimerHand : Uint4B
+0x2df4 LastTick : Uint4B
+0x2df8 ClockInterrupts : Uint4B
+0x2dfc ReadyScanTick : Uint4B
+0x2e00 InterruptObject : [256] Ptr64 Void
+0x3600 TimerTable : _KTIMER_TABLE
+0x5800 DpcGate : _KGATE
+0x5818 PrcbPad52 : Ptr64 Void
+0x5820 CallDpc : _KDPC
+0x5860 ClockKeepAlive : Int4B
+0x5864 PrcbPad60 : [2] UChar
+0x5866 NmiActive : Uint2B
+0x5868 DpcWatchdogPeriod : Int4B
+0x586c DpcWatchdogCount : Int4B
+0x5870 KeSpinLockOrdering : Int4B
+0x5874 PrcbPad70 : [1] Uint4B
+0x5878 CachedPtes : Ptr64 Void
+0x5880 WaitListHead : _LIST_ENTRY
+0x5890 WaitLock : Uint8B
+0x5898 ReadySummary : Uint4B
+0x589c AffinitizedSelectionMask : Int4B
+0x58a0 QueueIndex : Uint4B
+0x58a4 PrcbPad75 : [3] Uint4B
+0x58b0 TimerExpirationDpc : _KDPC
+0x58f0 ScbQueue : _RTL_RB_TREE
+0x5900 DispatcherReadyListHead : [32] _LIST_ENTRY
+0x5b00 InterruptCount : Uint4B
+0x5b04 KernelTime : Uint4B
+0x5b08 UserTime : Uint4B
+0x5b0c DpcTime : Uint4B
+0x5b10 InterruptTime : Uint4B
+0x5b14 AdjustDpcThreshold : Uint4B
+0x5b18 DebuggerSavedIRQL : UChar
+0x5b19 GroupSchedulingOverQuota : UChar
+0x5b1a DeepSleep : UChar
+0x5b1b PrcbPad80 : [1] UChar
+0x5b1c ScbOffset : Uint4B
+0x5b20 DpcTimeCount : Uint4B
+0x5b24 DpcTimeLimit : Uint4B
+0x5b28 PeriodicCount : Uint4B
+0x5b2c PeriodicBias : Uint4B
+0x5b30 AvailableTime : Uint4B
+0x5b34 KeExceptionDispatchCount : Uint4B
+0x5b38 StartCycles : Uint8B
+0x5b40 GenerationTarget : Uint8B
+0x5b48 AffinitizedCycles : Uint8B
+0x5b50 PrcbPad81 : [2] Uint8B
+0x5b60 MmSpinLockOrdering : Int4B
+0x5b64 PageColor : Uint4B
+0x5b68 NodeColor : Uint4B
+0x5b6c NodeShiftedColor : Uint4B
+0x5b70 SecondaryColorMask : Uint4B
+0x5b74 PrcbPad83 : Uint4B
+0x5b78 CycleTime : Uint8B
+0x5b80 CcFastMdlReadNoWait : Uint4B
+0x5b84 CcFastMdlReadWait : Uint4B
+0x5b88 CcFastMdlReadNotPossible : Uint4B
+0x5b8c CcMapDataNoWait : Uint4B
+0x5b90 CcMapDataWait : Uint4B
+0x5b94 CcPinMappedDataCount : Uint4B
+0x5b98 CcPinReadNoWait : Uint4B
+0x5b9c CcPinReadWait : Uint4B
+0x5ba0 CcMdlReadNoWait : Uint4B
+0x5ba4 CcMdlReadWait : Uint4B
+0x5ba8 CcLazyWriteHotSpots : Uint4B
+0x5bac CcLazyWriteIos : Uint4B
+0x5bb0 CcLazyWritePages : Uint4B
+0x5bb4 CcDataFlushes : Uint4B
+0x5bb8 CcDataPages : Uint4B
+0x5bbc CcLostDelayedWrites : Uint4B
+0x5bc0 CcFastReadResourceMiss : Uint4B
+0x5bc4 CcCopyReadWaitMiss : Uint4B
+0x5bc8 CcFastMdlReadResourceMiss : Uint4B
+0x5bcc CcMapDataNoWaitMiss : Uint4B
+0x5bd0 CcMapDataWaitMiss : Uint4B
+0x5bd4 CcPinReadNoWaitMiss : Uint4B
+0x5bd8 CcPinReadWaitMiss : Uint4B
+0x5bdc CcMdlReadNoWaitMiss : Uint4B
+0x5be0 CcMdlReadWaitMiss : Uint4B
+0x5be4 CcReadAheadIos : Uint4B
+0x5be8 MmCacheTransitionCount : Int4B
+0x5bec MmCacheReadCount : Int4B
+0x5bf0 MmCacheIoCount : Int4B
+0x5bf4 PrcbPad91 : [3] Uint4B
+0x5c00 PowerState : _PROCESSOR_POWER_STATE
+0x5de0 ScbList : _LIST_ENTRY
+0x5df0 PrcbPad92 : [19] Uint4B
+0x5e3c KeAlignmentFixupCount : Uint4B
+0x5e40 DpcWatchdogDpc : _KDPC
+0x5e80 DpcWatchdogTimer : _KTIMER
+0x5ec0 Cache : [5] _CACHE_DESCRIPTOR
+0x5efc CacheCount : Uint4B
+0x5f00 CachedCommit : Uint4B
+0x5f04 CachedResidentAvailable : Uint4B
+0x5f08 HyperPte : Ptr64 Void
+0x5f10 WheaInfo : Ptr64 Void
+0x5f18 EtwSupport : Ptr64 Void
+0x5f20 InterruptObjectPool : _SLIST_HEADER
+0x5f30 HypercallPageList : _SLIST_HEADER
+0x5f40 HypercallPageVirtual : Ptr64 Void
+0x5f48 VirtualApicAssist : Ptr64 Void
+0x5f50 StatisticsPage : Ptr64 Uint8B
+0x5f58 PackageProcessorSet : _KAFFINITY_EX
+0x6000 SharedReadyQueueMask : Uint8B
+0x6008 SharedReadyQueue : Ptr64 _KSHARED_READY_QUEUE
+0x6010 CoreProcessorSet : Uint8B
+0x6018 ScanSiblingMask : Uint8B
+0x6020 LLCMask : Uint8B
+0x6028 CacheProcessorMask : [5] Uint8B
+0x6050 ScanSiblingIndex : Uint4B
+0x6054 SharedReadyQueueOffset : Uint4B
+0x6058 ProcessorProfileControlArea : Ptr64 _PROCESSOR_PROFILE_CONTROL_AREA
+0x6060 ProfileEventIndexAddress : Ptr64 Void
+0x6068 TrappedSecurityDomain : Uint8B
+0x6070 BpbState : UChar
+0x6070 BpbCpuIdle : Pos 0, 1 Bit
+0x6070 BpbFlushRsbOnTrap : Pos 1, 1 Bit
+0x6070 BpbIbpbOnReturn : Pos 2, 1 Bit
+0x6070 BpbIbpbOnTrap : Pos 3, 1 Bit
+0x6070 BpbReserved1 : Pos 4, 1 Bit
+0x6070 BpbFlushRsbOnReturn : Pos 5, 1 Bit
+0x6070 BpbReserved : Pos 6, 2 Bits
+0x6071 BpbFeatures : UChar
+0x6071 BpbClearOnIdle : Pos 0, 1 Bit
+0x6071 BpbEnabled : Pos 1, 1 Bit
+0x6071 BpbSmep : Pos 2, 1 Bit
+0x6071 BpbFeaturesReserved : Pos 3, 5 Bits
+0x6072 BpbCurrentSpecCtrl : UChar
+0x6073 BpbKernelSpecCtrl : UChar
+0x6074 BpbNmiSpecCtrl : UChar
+0x6075 BpbUserSpecCtrl : UChar
+0x6076 BpbPad : [2] UChar
+0x6078 PrcbPad94 : Uint8B
+0x6080 SynchCounters : _SYNCH_COUNTERS
+0x6138 PteBitCache : Uint8B
+0x6140 PteBitOffset : Uint4B
+0x6148 FsCounters : _FILESYSTEM_DISK_COUNTERS
+0x6158 VendorString : [13] UChar
+0x6165 PrcbPad10 : [3] UChar
+0x6168 FeatureBits : Uint8B
+0x6170 PrcbPad11 : Uint4B
+0x6178 UpdateSignature : _LARGE_INTEGER
+0x6180 Context : Ptr64 _CONTEXT
+0x6188 ContextFlagsInit : Uint4B
+0x6190 ExtendedState : Ptr64 _XSAVE_AREA
+0x6198 IsrStack : Ptr64 Void
+0x61a0 EntropyTimingState : _KENTROPY_TIMING_STATE
+0x62f0 PrcbPad111 : Uint8B
+0x62f8 PrcbPad112 : [7] Uint8B
+0x6330 AbSelfIoBoostsList : _SINGLE_LIST_ENTRY
+0x6338 AbPropagateBoostsList : _SINGLE_LIST_ENTRY
+0x6340 AbDpc : _KDPC
+0x6380 IoIrpStackProfilerCurrent : _IOP_IRP_STACK_PROFILER
+0x63d4 IoIrpStackProfilerPrevious : _IOP_IRP_STACK_PROFILER
+0x6428 TimerExpirationTrace : [16] _KTIMER_EXPIRATION_TRACE
+0x6528 TimerExpirationTraceCount : Uint4B
+0x6540 Mailbox : Ptr64 _REQUEST_MAILBOX
+0x6548 PrcbPad130 : [7] Uint8B
+0x6580 ProcessorSignature : Uint4B
+0x6584 PrcbPad135 : [2300] UChar
+0x6e80 KernelDirectoryTableBase : Uint8B
+0x6e88 RspBaseShadow : Uint8B
+0x6e90 UserRspShadow : Uint8B
+0x6e98 ShadowFlags : Uint4B
+0x6e9c VerwSelector : Uint2B
+0x6e9e PrcbPad139 : Uint2B
+0x6ea0 PrcbPad140 : [508] Uint8B
+0x7e80 RequestMailbox : [1] _REQUEST_MAILBOX
lkd> dt _KTHREAD
nt!_KTHREAD
+0x000 Header : _DISPATCHER_HEADER
+0x018 SListFaultAddress : Ptr64 Void
+0x020 QuantumTarget : Uint8B
+0x028 InitialStack : Ptr64 Void
+0x030 StackLimit : Ptr64 Void
+0x038 StackBase : Ptr64 Void
+0x040 ThreadLock : Uint8B
+0x048 CycleTime : Uint8B
+0x050 CurrentRunTime : Uint4B
+0x054 ExpectedRunTime : Uint4B
+0x058 KernelStack : Ptr64 Void
+0x060 StateSaveArea : Ptr64 _XSAVE_FORMAT
+0x068 SchedulingGroup : Ptr64 _KSCHEDULING_GROUP
+0x070 WaitRegister : _KWAIT_STATUS_REGISTER
+0x071 Running : UChar
+0x072 Alerted : [2] UChar
+0x074 SpareMiscFlag0 : Pos 0, 1 Bit
+0x074 ReadyTransition : Pos 1, 1 Bit
+0x074 ProcessReadyQueue : Pos 2, 1 Bit
+0x074 WaitNext : Pos 3, 1 Bit
+0x074 SystemAffinityActive : Pos 4, 1 Bit
+0x074 Alertable : Pos 5, 1 Bit
+0x074 UserStackWalkActive : Pos 6, 1 Bit
+0x074 ApcInterruptRequest : Pos 7, 1 Bit
+0x074 QuantumEndMigrate : Pos 8, 1 Bit
+0x074 UmsDirectedSwitchEnable : Pos 9, 1 Bit
+0x074 TimerActive : Pos 10, 1 Bit
+0x074 SystemThread : Pos 11, 1 Bit
+0x074 ProcessDetachActive : Pos 12, 1 Bit
+0x074 CalloutActive : Pos 13, 1 Bit
+0x074 ScbReadyQueue : Pos 14, 1 Bit
+0x074 ApcQueueable : Pos 15, 1 Bit
+0x074 ReservedStackInUse : Pos 16, 1 Bit
+0x074 UmsPerformingSyscall : Pos 17, 1 Bit
+0x074 ApcPendingReload : Pos 18, 1 Bit
+0x074 TimerSuspended : Pos 19, 1 Bit
+0x074 SuspendedWaitMode : Pos 20, 1 Bit
+0x074 Reserved : Pos 21, 11 Bits
+0x074 MiscFlags : Int4B
+0x078 AutoAlignment : Pos 0, 1 Bit
+0x078 DisableBoost : Pos 1, 1 Bit
+0x078 UserAffinitySet : Pos 2, 1 Bit
+0x078 AlertedByThreadId : Pos 3, 1 Bit
+0x078 QuantumDonation : Pos 4, 1 Bit
+0x078 EnableStackSwap : Pos 5, 1 Bit
+0x078 GuiThread : Pos 6, 1 Bit
+0x078 DisableQuantum : Pos 7, 1 Bit
+0x078 ChargeOnlySchedulingGroup : Pos 8, 1 Bit
+0x078 DeferPreemption : Pos 9, 1 Bit
+0x078 QueueDeferPreemption : Pos 10, 1 Bit
+0x078 ForceDeferSchedule : Pos 11, 1 Bit
+0x078 SharedReadyQueueAffinity : Pos 12, 1 Bit
+0x078 FreezeCount : Pos 13, 1 Bit
+0x078 TerminationApcRequest : Pos 14, 1 Bit
+0x078 AutoBoostEntriesExhausted : Pos 15, 1 Bit
+0x078 KernelStackResident : Pos 16, 1 Bit
+0x078 EtwStackTraceApcInserted : Pos 17, 8 Bits
+0x078 ReservedFlags : Pos 25, 7 Bits
+0x078 ThreadFlags : Int4B
+0x07c Spare0 : Uint4B
+0x080 SystemCallNumber : Uint4B
+0x084 Spare1 : Uint4B
+0x088 FirstArgument : Ptr64 Void
+0x090 TrapFrame : Ptr64 _KTRAP_FRAME
+0x098 ApcState : _KAPC_STATE
+0x098 ApcStateFill : [43] UChar
+0x0c3 Priority : Char
+0x0c4 UserIdealProcessor : Uint4B
+0x0c8 WaitStatus : Int8B
+0x0d0 WaitBlockList : Ptr64 _KWAIT_BLOCK
+0x0d8 WaitListEntry : _LIST_ENTRY
+0x0d8 SwapListEntry : _SINGLE_LIST_ENTRY
+0x0e8 Queue : Ptr64 _DISPATCHER_HEADER
+0x0f0 Teb : Ptr64 Void
+0x0f8 RelativeTimerBias : Uint8B
+0x100 Timer : _KTIMER
+0x140 WaitBlock : [4] _KWAIT_BLOCK
+0x140 WaitBlockFill4 : [20] UChar
+0x154 ContextSwitches : Uint4B
+0x140 WaitBlockFill5 : [68] UChar
+0x184 State : UChar
+0x185 NpxState : Char
+0x186 WaitIrql : UChar
+0x187 WaitMode : Char
+0x140 WaitBlockFill6 : [116] UChar
+0x1b4 WaitTime : Uint4B
+0x140 WaitBlockFill7 : [164] UChar
+0x1e4 KernelApcDisable : Int2B
+0x1e6 SpecialApcDisable : Int2B
+0x1e4 CombinedApcDisable : Uint4B
+0x140 WaitBlockFill8 : [40] UChar
+0x168 ThreadCounters : Ptr64 _KTHREAD_COUNTERS
+0x140 WaitBlockFill9 : [88] UChar
+0x198 XStateSave : Ptr64 _XSTATE_SAVE
+0x140 WaitBlockFill10 : [136] UChar
+0x1c8 Win32Thread : Ptr64 Void
+0x140 WaitBlockFill11 : [176] UChar
+0x1f0 Ucb : Ptr64 _UMS_CONTROL_BLOCK
+0x1f8 Uch : Ptr64 _KUMS_CONTEXT_HEADER
+0x200 TebMappedLowVa : Ptr64 Void
+0x208 QueueListEntry : _LIST_ENTRY
+0x218 NextProcessor : Uint4B
+0x218 NextProcessorNumber : Pos 0, 31 Bits
+0x218 SharedReadyQueue : Pos 31, 1 Bit
+0x21c QueuePriority : Int4B
+0x220 Process : Ptr64 _KPROCESS
+0x228 UserAffinity : _GROUP_AFFINITY
+0x228 UserAffinityFill : [10] UChar
+0x232 PreviousMode : Char
+0x233 BasePriority : Char
+0x234 PriorityDecrement : Char
+0x234 ForegroundBoost : Pos 0, 4 Bits
+0x234 UnusualBoost : Pos 4, 4 Bits
+0x235 Preempted : UChar
+0x236 AdjustReason : UChar
+0x237 AdjustIncrement : Char
+0x238 Affinity : _GROUP_AFFINITY
+0x238 AffinityFill : [10] UChar
+0x242 ApcStateIndex : UChar
+0x243 WaitBlockCount : UChar
+0x244 IdealProcessor : Uint4B
+0x248 ApcStatePointer : [2] Ptr64 _KAPC_STATE
+0x258 SavedApcState : _KAPC_STATE
+0x258 SavedApcStateFill : [43] UChar
+0x283 WaitReason : UChar
+0x284 SuspendCount : Char
+0x285 Saturation : Char
+0x286 SListFaultCount : Uint2B
+0x288 SchedulerApc : _KAPC
+0x288 SchedulerApcFill0 : [1] UChar
+0x289 ResourceIndex : UChar
+0x288 SchedulerApcFill1 : [3] UChar
+0x28b QuantumReset : UChar
+0x288 SchedulerApcFill2 : [4] UChar
+0x28c KernelTime : Uint4B
+0x288 SchedulerApcFill3 : [64] UChar
+0x2c8 WaitPrcb : Ptr64 _KPRCB
+0x288 SchedulerApcFill4 : [72] UChar
+0x2d0 LegoData : Ptr64 Void
+0x288 SchedulerApcFill5 : [83] UChar
+0x2db CallbackNestingLevel : UChar
+0x2dc UserTime : Uint4B
+0x2e0 SuspendEvent : _KEVENT
+0x2f8 ThreadListEntry : _LIST_ENTRY
+0x308 MutantListHead : _LIST_ENTRY
+0x318 LockEntriesFreeList : _SINGLE_LIST_ENTRY
+0x320 LockEntries : [6] _KLOCK_ENTRY
+0x560 PropagateBoostsEntry : _SINGLE_LIST_ENTRY
+0x568 IoSelfBoostsEntry : _SINGLE_LIST_ENTRY
+0x570 PriorityFloorCounts : [16] UChar
+0x580 PriorityFloorSummary : Uint4B
+0x584 AbCompletedIoBoostCount : Int4B
+0x588 AbReferenceCount : Int2B
+0x58a AbFreeEntryCount : UChar
+0x58b AbWaitEntryCount : UChar
+0x58c ForegroundLossTime : Uint4B
+0x590 GlobalForegroundListEntry : _LIST_ENTRY
+0x590 ForegroundDpcStackListEntry : _SINGLE_LIST_ENTRY
+0x598 InGlobalForegroundList : Uint8B
+0x5a0 ReadOperationCount : Int8B
+0x5a8 WriteOperationCount : Int8B
+0x5b0 OtherOperationCount : Int8B
+0x5b8 ReadTransferCount : Int8B
+0x5c0 WriteTransferCount : Int8B
+0x5c8 OtherTransferCount : Int8B
lkd> dt _KAPC_STATE
nt!_KAPC_STATE
+0x000 ApcListHead : [2] _LIST_ENTRY
+0x020 Process : Ptr64 _KPROCESS
+0x028 InProgressFlags : UChar
+0x028 KernelApcInProgress : Pos 0, 1 Bit
+0x028 SpecialApcInProgress : Pos 1, 1 Bit
+0x029 KernelApcPending : UChar
+0x02a UserApcPending : UChar
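The following is an added example, not part of the question above: a small Python script that parses `dt`-style listings like the ones quoted in the question and resolves each displacement in the `PsGetCurrentProcess` disassembly to a dotted member path. It relies on two facts not shown in the dumps: in x64 kernel mode the GS segment base is the current processor's `_KPCR`, so `gs:[188h]` is an offset into `_KPCR`; and `_KPROCESS` is the `Pcb` member at offset 0 of `_EPROCESS`, so a `_KPROCESS*` is also the `_EPROCESS*`. The `DT_DUMPS` text is a constructed excerpt of the question's own output, trimmed to the members the walk touches; the parser also accepts the single-space layout the dumps have above.

```python
import re
from typing import NamedTuple

# Added example (not from the original question): resolve the two loads in
# PsGetCurrentProcess, gs:[188h] and [rax+0B8h], against the dt layouts.

class Member(NamedTuple):
    offset: int
    name: str
    type: str

# Constructed excerpt of the `dt` output quoted in the question; only the
# members needed for the walk are kept, spacing as WinDbg prints it.
DT_DUMPS = """\
lkd> dt _KPCR
nt!_KPCR
   +0x000 NtTib            : _NT_TIB
   +0x020 CurrentPrcb      : Ptr64 _KPRCB
   +0x118 PcrAlign1        : [24] Uint4B
   +0x180 Prcb             : _KPRCB
lkd> dt _KPRCB
nt!_KPRCB
   +0x000 MxCsr            : Uint4B
   +0x008 CurrentThread    : Ptr64 _KTHREAD
   +0x010 NextThread       : Ptr64 _KTHREAD
lkd> dt _KTHREAD
nt!_KTHREAD
   +0x000 Header           : _DISPATCHER_HEADER
   +0x074 SpareMiscFlag0   : Pos 0, 1 Bit
   +0x090 TrapFrame        : Ptr64 _KTRAP_FRAME
   +0x098 ApcState         : _KAPC_STATE
   +0x098 ApcStateFill     : [43] UChar
   +0x0c3 Priority         : Char
lkd> dt _KAPC_STATE
nt!_KAPC_STATE
   +0x000 ApcListHead      : [2] _LIST_ENTRY
   +0x020 Process          : Ptr64 _KPROCESS
   +0x028 InProgressFlags  : UChar
"""

MEMBER_RE = re.compile(r"^\s*\+0x([0-9a-fA-F]+)\s+(\w+)\s+:\s+(.+?)\s*$")
TYPE_RE = re.compile(r"^\s*nt!(\w+)\s*$")

def parse_dt(text):
    """Parse concatenated `dt` listings into {type_name: [Member, ...]}."""
    types = {}
    current = None
    for line in text.splitlines():
        m = TYPE_RE.match(line)
        if m:
            current = m.group(1)
            types[current] = []
            continue
        m = MEMBER_RE.match(line)
        if m and current is not None:
            off, name, typ = m.groups()
            if typ.startswith("Pos "):   # bitfield view of an enclosing member; skip
                continue
            types[current].append(Member(int(off, 16), name, typ))
    return types

def resolve(types, type_name, offset):
    """Map (struct, byte offset) to (dotted path, member type, residual).

    residual is the offset left over inside the final member; it is 0 when
    the displacement lands exactly on a member."""
    path = [type_name]
    while True:
        covering = [m for m in types[type_name] if m.offset <= offset]
        if not covering:
            raise ValueError(f"no member of {type_name} at or before {offset:#x}")
        base = max(m.offset for m in covering)
        at_base = [m for m in covering if m.offset == base]
        # Overlapping members (unions such as ApcState / ApcStateFill):
        # prefer the one whose type is a struct we can descend into.
        nested = [m for m in at_base if m.type in types]
        member = nested[0] if nested else at_base[0]
        path.append(member.name)
        if nested and offset > base:
            type_name, offset = member.type, offset - base
            continue
        return ".".join(path), member.type, offset - base

def pointee(type_str):
    """'Ptr64 _KTHREAD' -> '_KTHREAD'; None for non-pointer types."""
    return type_str[len("Ptr64 "):] if type_str.startswith("Ptr64 ") else None

def walk_psgetcurrentprocess(types):
    """Follow both loads by name: gs base is the _KPCR on x64 kernel mode,
    and the first load's pointee type is the base of the second load."""
    first = resolve(types, "_KPCR", 0x188)            # mov rax, gs:[188h]
    second = resolve(types, pointee(first[1]), 0xB8)  # mov rax, [rax+0B8h]
    return first, second

if __name__ == "__main__":
    for path, typ, residual in walk_psgetcurrentprocess(parse_dt(DT_DUMPS)):
        print(f"{path} : {typ} (+{residual:#x})")
```

Running it prints `_KPCR.Prcb.CurrentThread : Ptr64 _KTHREAD` for the first load and `_KTHREAD.ApcState.Process : Ptr64 _KPROCESS` for the second, i.e. `0xB8 = 0x98 (ApcState) + 0x20 (Process)`. The resolver deliberately stops at pointer and array members instead of guessing, so an offset into `PcrAlign1` comes back with a non-zero residual rather than a fabricated field name.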