├── lib ├── x64 │ ├── dbgeng.lib │ ├── dbghelp.lib │ └── engextcpp.lib └── x86 │ ├── dbgeng.lib │ ├── dbghelp.lib │ └── engextcpp.lib ├── doc └── Did_You_Get_Your_Token.pdf ├── tokenext ├── makefile ├── sources ├── HandleTable.h ├── tokenext.def ├── tokenext.vcxproj.user ├── usr_common.h ├── tokenext.rc ├── HandleTable.cpp ├── tokenext.vcxproj └── TokenExt.h ├── tokenext.sln ├── README.md ├── LICENSE └── inc └── extsfns.h /lib/x64/dbgeng.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/long123king/tokenext/HEAD/lib/x64/dbgeng.lib -------------------------------------------------------------------------------- /lib/x86/dbgeng.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/long123king/tokenext/HEAD/lib/x86/dbgeng.lib -------------------------------------------------------------------------------- /lib/x64/dbghelp.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/long123king/tokenext/HEAD/lib/x64/dbghelp.lib -------------------------------------------------------------------------------- /lib/x64/engextcpp.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/long123king/tokenext/HEAD/lib/x64/engextcpp.lib -------------------------------------------------------------------------------- /lib/x86/dbghelp.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/long123king/tokenext/HEAD/lib/x86/dbghelp.lib -------------------------------------------------------------------------------- /lib/x86/engextcpp.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/long123king/tokenext/HEAD/lib/x86/engextcpp.lib 
-------------------------------------------------------------------------------- /doc/Did_You_Get_Your_Token.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/long123king/tokenext/HEAD/doc/Did_You_Get_Your_Token.pdf -------------------------------------------------------------------------------- /tokenext/makefile: -------------------------------------------------------------------------------- 1 | # 2 | # DO NOT EDIT THIS FILE!!! Edit .\sources. if you want to add a new source 3 | # file to this component. This file merely indirects to the real make file 4 | # that is shared by all the components of Windows 5 | # 6 | !INCLUDE $(NTMAKEENV)\makefile.def 7 | -------------------------------------------------------------------------------- /tokenext/sources: -------------------------------------------------------------------------------- 1 | TARGETNAME = extcpp 2 | 3 | TARGETTYPE = DYNLINK 4 | 5 | _NT_TARGET_VERSION=$(_NT_TARGET_VERSION_WINXP) 6 | 7 | DLLENTRY=_DllMainCRTStartup 8 | 9 | LINKLIBS = $(SDKTOOLS_LIB_PATH)\engextcpp.lib 10 | 11 | TARGETLIBS = \ 12 | $(SDK_LIB_PATH)\kernel32.lib \ 13 | $(SDK_LIB_PATH)\advapi32.lib \ 14 | $(SDK_LIB_PATH)\dbgeng.lib 15 | 16 | DLLDEF_OBJECTS=\ 17 | $(SDKTOOLS_LIB_PATH)\engextcpp.lib \ 18 | 19 | 20 | USE_NOTHROW_NEW=1 21 | USE_MSVCRT = 1 22 | 23 | UMTYPE = windows 24 | 25 | MSC_WARNING_LEVEL = /W4 /WX 26 | 27 | SOURCES = \ 28 | extcpp.cpp\ 29 | extcpp.rc 30 | -------------------------------------------------------------------------------- /tokenext/HandleTable.h: --------------------------------------------------------------------------------
#pragma once
#include "usr_common.h"
// NOTE(review): the header name inside <> did not survive extraction on this
// page; `function` below needs <functional>.
#include
using namespace std;

// Provided by the ExtCpp framework.  traverse() reads target memory through
// g_ExtInstancePtr->m_Data->ReadVirtual (see HandleTable.cpp).
class ExtExtension;
extern ExtExtension* g_ExtInstancePtr;

// Walks a process handle table that lives in the debug target (crash dump or
// live session).  Every value it works with — level count, page address,
// entry contents — is read from target memory and is therefore untrusted
// input to the extension: traverse() bounds its work by the handle count and
// by the number of slots that fit in one 0x1000-byte page.
class CHandleTable
{
public:
    // levels      - indirection levels above the entry pages; 0 means the
    //               page at l1Addr holds handle entries directly.
    // l1Addr      - target address of this table's top-level page.
    // handleCount - handles still to visit; traverse() counts it down and
    //               remained() reports what is left.
    CHandleTable(
        __in size_t levels,
        __in size_t l1Addr,
        __in size_t handleCount);
    ~CHandleTable();

    // Invokes callback(entry, access) for each 0x10-byte handle entry
    // reachable from l1Addr, at most handleCount times.  The callback's
    // return value is ignored.  (Template argument of `function` was lost
    // in extraction.)
    void
    traverse(
        __in function callback
        );

    // Handles not yet visited by traverse().
    size_t
    remained()
    {
        return m_handleCount;
    }

private:
    size_t m_levels;       // indirection levels below this page
    size_t m_l1Addr;       // target address of this table's page
    size_t m_handleCount;  // handles left to visit
};
-------------------------------------------------------------------------------- /tokenext/tokenext.def: -------------------------------------------------------------------------------- 1 | ;-------------------------------------------------------------------- 2 | ; Copyright (c) 2005 Microsoft Corporation 3 | ; 4 | ;Module: 5 | ; tokenext.def 6 | ;-------------------------------------------------------------------- 7 | 8 | EXPORTS 9 | 10 | ;-------------------------------------------------------------------- 11 | ; Core exports provided by the ExtCpp framework. 12 | ;-------------------------------------------------------------------- 13 | 14 | DebugExtensionInitialize 15 | DebugExtensionUninitialize 16 | DebugExtensionNotify 17 | help 18 | 19 | ;-------------------------------------------------------------------- 20 | ; Extension commands. 
21 | ;-------------------------------------------------------------------- 22 | 23 | dk 24 | -------------------------------------------------------------------------------- /tokenext/tokenext.vcxproj.user: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | -z D:\AccessToken\dump_analysis\1_fuzz_breakpoint_too_much_2.dmp -c ".load tokenext.dll; !handles" 5 | WindowsLocalDebugger 6 | windbg.exe 7 | 8 | 9 | C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\windbg.exe 10 | WindowsLocalDebugger 11 | -z D:\AccessToken\dump_analysis\1_fuzz_breakpoint_too_much_2.dmp -c ".load tokenext.dll; " 12 | 13 | -------------------------------------------------------------------------------- /tokenext/usr_common.h: --------------------------------------------------------------------------------
// Shared includes and portability macros for the extension.
// NOTE(review): the header names inside <> did not survive extraction on this
// page; restore them from the repository before relying on this listing.
#pragma once

#include

#ifdef WIN32
#include
#include
#include
#include
#include
#else
#include
#endif

#include

#include
#include
#include
#include

// 2^exp as a size_t.  exp must be smaller than the bit width of size_t;
// a larger shift count is undefined behaviour.
#define POWER2(exp) ((size_t)1 << (exp))

// Pointer-offset accessor: presumably converts `ptr` to a byte address, adds
// `member` and casts the result to `cast` (template arguments were lost in
// extraction).  Arguments are expanded as-is, so pass side-effect-free
// expressions.
#define MEMBER(cast, ptr, member) reinterpret_cast(reinterpret_cast(ptr) + static_cast(member))

// Owning buffer alias (element type lost in extraction).
using mem_t = std::unique_ptr;

// NOTE(review): this guard tests WINDOWS, while the block above tests WIN32
// and the vcxproj on this page defines WIN32 and _WINDOWS but not WINDOWS.
// Unless WINDOWS is defined elsewhere, the #else branch below — which
// re-defines the SAL annotations, _countof and _declspec — is compiled on
// Windows builds too; the `sources` file builds with /W4 /WX, where a macro
// redefinition would fail the build.  Confirm which macro is intended.
#ifdef WINDOWS
// Map the POSIX names onto the Win32 process/thread id APIs.
#define getpid() GetCurrentProcessId()
#define gettid() GetCurrentThreadId()
#else
// Empty SAL annotation stubs for compilers without sal.h.
#define __in
#define __out
#define __inout
#define __in_opt
#define __in_bcount(x)
#define __out_bcount(x)
#define __inout_bcount(x)
#define __in_ecount(x)

#define __checkReturn
#define __forceinline

// Array element-count helper (template parameter list lost in extraction):
// returns a pointer to char[Size], so sizeof(*__countof_helper(ar)) is the
// element count and rejects non-array arguments at compile time.
template
char(*__countof_helper(Type(&ar)[Size]))[Size];
#define _countof(ar) sizeof(*__countof_helper(ar))

// MSVC-style declaration specifier spelled as a GCC attribute.
#define _declspec(x) __attribute__((x))

#endif
-------------------------------------------------------------------------------- /tokenext.sln: 
-------------------------------------------------------------------------------- 1 | 2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio 14 4 | VisualStudioVersion = 14.0.23107.0 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "tokenext", "tokenext\tokenext.vcxproj", "{40F5610C-6675-CC02-35FD-37062B3BA1E3}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|x64 = Debug|x64 11 | Debug|x86 = Debug|x86 12 | Release|x64 = Release|x64 13 | Release|x86 = Release|x86 14 | EndGlobalSection 15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 16 | {40F5610C-6675-CC02-35FD-37062B3BA1E3}.Debug|x64.ActiveCfg = Debug|x64 17 | {40F5610C-6675-CC02-35FD-37062B3BA1E3}.Debug|x64.Build.0 = Debug|x64 18 | {40F5610C-6675-CC02-35FD-37062B3BA1E3}.Debug|x86.ActiveCfg = Debug|Win32 19 | {40F5610C-6675-CC02-35FD-37062B3BA1E3}.Debug|x86.Build.0 = Debug|Win32 20 | {40F5610C-6675-CC02-35FD-37062B3BA1E3}.Release|x64.ActiveCfg = Release|x64 21 | {40F5610C-6675-CC02-35FD-37062B3BA1E3}.Release|x64.Build.0 = Release|x64 22 | {40F5610C-6675-CC02-35FD-37062B3BA1E3}.Release|x86.ActiveCfg = Release|Win32 23 | {40F5610C-6675-CC02-35FD-37062B3BA1E3}.Release|x86.Build.0 = Release|Win32 24 | EndGlobalSection 25 | GlobalSection(SolutionProperties) = preSolution 26 | HideSolutionNode = FALSE 27 | EndGlobalSection 28 | EndGlobal 29 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # tokenext 2 | A windbg extension that extracts token-related contents 3 | 4 | Usage: 5 | 6 | 1. compile this project to get a **tokenext.dll** file 7 | 8 | 2. move **tokenext.dll** to **[WINDBG_DIR]/winext** 9 | 10 | 3. in windbg, load this extension with the command: 11 | 12 | .load tokenext.dll; 13 | 14 | 4. 
run a command, such as handles, like this: 15 | 16 | !dk handles 17 | 18 | 5. supported commands and options: 19 | 20 | !dk cmd [address] [options] 21 | commands: 22 | pses - dump all active processes 23 | gobj - dump all global objects, same as WinObj 24 | handles - dump all handles opened by a specific process 25 | khandles - dump all kernel open handles 26 | types - dump all object types 27 | dbgdata - dump all debug data 28 | process - dump a specific process 29 | obj - dump a specific object header 30 | handle_table - dump a specific process's handle table 31 | token - dump a specific token 32 | sdr - dump a specific security descriptor [relative] 33 | acl - dump a specific acl 34 | sid - dump a specific sid 35 | sessions - dump all logon sessions 36 | options: 37 | /f - dump all related fields in detail 38 | /po - dump related process object header 39 | /to - dump related token object header 40 | /r - dump object directory recursively 41 | /o - dump related object header 42 | /ht - dump related handle table 43 | /token - dump related token 44 | /link - dump linked token 45 | -------------------------------------------------------------------------------- /tokenext/tokenext.rc: -------------------------------------------------------------------------------- 1 | // Microsoft Visual C++ generated resource script. 
2 | // 3 | #include "resource.h" 4 | ///////////////////////////////////////////////////////////////////////////// 5 | // English (United States) resources 6 | 7 | #if !defined(AFX_RESOURCE_DLL) || defined(AFX_TARG_ENU) 8 | LANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_US 9 | #pragma code_page(1252) 10 | 11 | ///////////////////////////////////////////////////////////////////////////// 12 | // 13 | // Version 14 | // 15 | 16 | VS_VERSION_INFO VERSIONINFO 17 | FILEVERSION 0,0,1,0 18 | PRODUCTVERSION 0,0,1,0 19 | FILEFLAGSMASK 0x3fL 20 | #ifdef _DEBUG 21 | FILEFLAGS 0x9L 22 | #else 23 | FILEFLAGS 0x8L 24 | #endif 25 | FILEOS 0x40004L 26 | FILETYPE 0x2L 27 | FILESUBTYPE 0x0L 28 | BEGIN 29 | BLOCK "StringFileInfo" 30 | BEGIN 31 | BLOCK "040904b0" 32 | BEGIN 33 | VALUE "CompanyName", "Daniel King(@long123king)" 34 | VALUE "FileDescription", "DK Windbg Extension" 35 | VALUE "FileVersion", "0.0.1.0" 36 | VALUE "InternalName", "dk.dll" 37 | VALUE "LegalCopyright", "Daniel King(@long123king)" 38 | VALUE "OriginalFilename", "dk.dll" 39 | VALUE "ProductName", "DK Windbg Extension" 40 | VALUE "ProductVersion", "0.0.1.0" 41 | END 42 | END 43 | BLOCK "VarFileInfo" 44 | BEGIN 45 | VALUE "Translation", 0x409, 1200 46 | END 47 | END 48 | 49 | 50 | #ifdef APSTUDIO_INVOKED 51 | ///////////////////////////////////////////////////////////////////////////// 52 | // 53 | // TEXTINCLUDE 54 | // 55 | 56 | 1 TEXTINCLUDE 57 | BEGIN 58 | "resource.h\0" 59 | END 60 | 61 | 2 TEXTINCLUDE 62 | BEGIN 63 | "\0" 64 | END 65 | 66 | 3 TEXTINCLUDE 67 | BEGIN 68 | "\r\n" 69 | "\0" 70 | END 71 | 72 | #endif // APSTUDIO_INVOKED 73 | 74 | #endif // English (United States) resources 75 | ///////////////////////////////////////////////////////////////////////////// 76 | 77 | 78 | 79 | #ifndef APSTUDIO_INVOKED 80 | ///////////////////////////////////////////////////////////////////////////// 81 | // 82 | // Generated from the TEXTINCLUDE 3 resource. 
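83 | // 84 | 85 | 86 | ///////////////////////////////////////////////////////////////////////////// 87 | #endif // not APSTUDIO_INVOKED 88 | 89 | -------------------------------------------------------------------------------- /tokenext/HandleTable.cpp: --------------------------------------------------------------------------------
#include "HandleTable.h"
// NOTE(review): the repository tree on this page lists only inc/extsfns.h;
// confirm that engextcpp10.hpp is actually present at this path.
#include "../inc/engextcpp10.hpp"
#include <cstring>

namespace
{
    // Layout of one handle-table page, taken from the offsets the original
    // code used.
    // NOTE(review): these strides assume a 64-bit target.  The Win32
    // configurations in the vcxproj would load 4-byte size_t values from
    // 8-byte slots — confirm whether x86 targets are meant to be supported.
    const size_t kPageSize        = 0x1000;  // one table page
    const size_t kEntrySize       = 0x10;    // one handle entry
    const size_t kEntryAccessOff  = 0x08;    // granted-access word inside an entry
    const size_t kPointerSize     = 0x08;    // one next-level pointer
    const size_t kEntriesPerPage  = kPageSize / kEntrySize;    // 256
    const size_t kPointersPerPage = kPageSize / kPointerSize;  // 512

    // Windows handle tables use at most three levels (0, 1, 2).  A larger
    // value can only come from corrupt or misread target memory, so it is
    // treated as a reason to stop rather than a depth to recurse to.
    const size_t kMaxLevels = 2;

    // Reads one page of target memory at `addr` into `page`.
    // Returns false when no extension instance is available, when `page` is
    // null (operator new is non-throwing under USE_NOTHROW_NEW=1 in
    // `sources`), or when the read fails — so callers never interpret bytes
    // that were not actually filled.
    bool read_page(size_t addr, uint8_t* page)
    {
        if (nullptr == g_ExtInstancePtr || nullptr == page)
        {
            return false;
        }
        return S_OK == g_ExtInstancePtr->m_Data->ReadVirtual(addr, page, kPageSize, NULL);
    }

    // Loads a size_t out of the page buffer at `offset` via memcpy instead of
    // dereferencing the byte buffer through a size_t*.
    size_t load_word(const uint8_t* page, size_t offset)
    {
        size_t value = 0;
        memcpy(&value, page + offset, sizeof value);
        return value;
    }

    // Level-0 page: hand each handle entry (value, granted access) to the
    // callback while the handle budget lasts.  `remaining` is counted down
    // in place; the callback's return value is ignored.
    template <typename Callback>
    void visit_entries(const uint8_t* page, size_t& remaining, Callback& callback)
    {
        for (size_t i = 0; i < kEntriesPerPage && remaining > 0; i++)
        {
            size_t entry  = load_word(page, i * kEntrySize);
            size_t access = load_word(page, i * kEntrySize + kEntryAccessOff);

            callback(entry, access);
            remaining--;
        }
    }
}

// levels      - indirection levels below the page at l1Addr (0 = entry page).
// l1Addr      - target address of this table's page.
// handleCount - handles still to visit; traverse() counts it down.
CHandleTable::CHandleTable(
    __in size_t levels,
    __in size_t l1Addr,
    __in size_t handleCount)
    :m_levels(levels)
    ,m_l1Addr(l1Addr)
    ,m_handleCount(handleCount)
{
}


CHandleTable::~CHandleTable()
{
}

// Visits every handle entry reachable from m_l1Addr.
//   m_levels == 0: the page holds handle entries; each is passed to callback.
//   m_levels  > 0: the page holds pointers to next-level tables; each is
//                  walked by a child CHandleTable that inherits the handle
//                  budget and hands back what it did not consume.
// Everything read here is untrusted target memory: a failed page read, a
// null pointer slot or an out-of-range level count ends the walk instead of
// being followed.  m_handleCount is left at the number of handles not
// visited (see remained()).
void
CHandleTable::traverse(
    __in function callback
    )
{
    if (m_levels > kMaxLevels)
    {
        return;
    }

    uint8_t* this_page = new uint8_t[kPageSize];
    if (read_page(m_l1Addr, this_page))
    {
        if (0 == m_levels)
        {
            visit_entries(this_page, m_handleCount, callback);
        }
        else
        {
            for (size_t i = 0; i < kPointersPerPage && m_handleCount > 0; i++)
            {
                size_t next_level_addr = load_word(this_page, i * kPointerSize);
                if (0 == next_level_addr)
                {
                    continue;  // unallocated sub-table slot; nothing to read
                }

                CHandleTable next_level_table(m_levels - 1, next_level_addr, m_handleCount);
                next_level_table.traverse(callback);
                m_handleCount = next_level_table.remained();
            }
        }
    }

    delete[] this_page;
}
-------------------------------------------------------------------------------- /tokenext/tokenext.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Debug 10 | x64 11 | 12 | 13 | Release 14 | Win32 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 23 | Win32Proj 24 | {40F5610C-6675-CC02-35FD-37062B3BA1E3} 25 | 10 26 | 27 | 28 | 29 | DynamicLibrary 30 | true 31 | v140 32 | 33 | 34 | DynamicLibrary 35 | true 36 | v140 37 | 38 | 39 | DynamicLibrary 40 | false 41 | v140 42 | 43 | 44 | DynamicLibrary 45 | false 46 | v140 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | false 66 | 67 | 68 | false 69 | 70 | 71 | false 72 | 73 | 74 | false 75 | 76 | 77 | 78 | WIN32;_DEBUG;_WINDOWS;_USRDLL;EXTCPP_EXPORTS;%(PreprocessorDefinitions) 79 | MultiThreadedDebugDLL 80 | Level3 81 | ProgramDatabase 82 | Disabled 83 | $(WindowsSdkDir)\Debuggers\inc;%(AdditionalIncludeDirectories) 84 | 85 | 86 | true 87 | Windows 88 | dbgeng.lib;engextcpp.lib 89 | 90 | 91 | tokenext.def 92 | $(WindowsSdkDir)\Debuggers\lib\x64 93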
| 94 | 95 | copy /Y $(SolutionDir)$(PlatformName)\$(ConfigurationName)\tokenext.dll "C:\\Program Files (x86)\\Windows Kits\\10\\Debuggers\\x64\\winext\\tokenext.dll" 96 | 97 | 98 | 99 | 100 | WIN32;_DEBUG;_WINDOWS;_USRDLL;EXTCPP_EXPORTS;%(PreprocessorDefinitions) 101 | MultiThreadedDebugDLL 102 | Level3 103 | ProgramDatabase 104 | Disabled 105 | $(SolutionDir)inc;%(AdditionalIncludeDirectories) 106 | 107 | 108 | true 109 | Windows 110 | legacy_stdio_definitions.lib;dbgeng.lib;engextcpp.lib 111 | 112 | 113 | tokenext.def 114 | $(SolutionDir)lib/x86 115 | UseLinkTimeCodeGeneration 116 | 117 | 118 | 119 | 120 | WIN32;NDEBUG;_WINDOWS;_USRDLL;EXTCPP_EXPORTS;%(PreprocessorDefinitions) 121 | MultiThreadedDLL 122 | Level3 123 | ProgramDatabase 124 | $(WindowsSdkDir)\Debuggers\inc;%(AdditionalIncludeDirectories) 125 | 126 | 127 | true 128 | Windows 129 | true 130 | true 131 | dbgeng.lib;engextcpp.lib 132 | 133 | 134 | tokenext.def 135 | $(WindowsSdkDir)\Debuggers\lib\x64 136 | 137 | 138 | copy /Y $(SolutionDir)$(PlatformName)\$(ConfigurationName)\tokenext.dll "C:\\Program Files (x86)\\Windows Kits\\10\\Debuggers\\x64\\winext\\tokenext.dll" 139 | 140 | 141 | 142 | 143 | WIN32;NDEBUG;_WINDOWS;_USRDLL;EXTCPP_EXPORTS;%(PreprocessorDefinitions) 144 | MultiThreadedDLL 145 | Level3 146 | ProgramDatabase 147 | $(WindowsSdkDir)\Debuggers\inc;%(AdditionalIncludeDirectories) 148 | 149 | 150 | true 151 | Windows 152 | true 153 | true 154 | dbgeng.lib;engextcpp.lib 155 | 156 | 157 | tokenext.def 158 | $(WindowsSdkDir)\Debuggers\lib\x86 159 | UseLinkTimeCodeGeneration 160 | 161 | 162 | 163 | 164 | 165 | 166 | 167 | 168 | 169 | 170 | 171 | 172 | 173 | 174 | 175 | 176 | 177 | 178 | 179 | 180 | 181 | 182 | 183 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | GNU GENERAL PUBLIC LICENSE 2 | Version 2, June 1991 3 | 4 | Copyright (C) 1989, 1991 Free Software 
Foundation, Inc., 5 | 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA 6 | Everyone is permitted to copy and distribute verbatim copies 7 | of this license document, but changing it is not allowed. 8 | 9 | Preamble 10 | 11 | The licenses for most software are designed to take away your 12 | freedom to share and change it. By contrast, the GNU General Public 13 | License is intended to guarantee your freedom to share and change free 14 | software--to make sure the software is free for all its users. This 15 | General Public License applies to most of the Free Software 16 | Foundation's software and to any other program whose authors commit to 17 | using it. (Some other Free Software Foundation software is covered by 18 | the GNU Lesser General Public License instead.) You can apply it to 19 | your programs, too. 20 | 21 | When we speak of free software, we are referring to freedom, not 22 | price. Our General Public Licenses are designed to make sure that you 23 | have the freedom to distribute copies of free software (and charge for 24 | this service if you wish), that you receive source code or can get it 25 | if you want it, that you can change the software or use pieces of it 26 | in new free programs; and that you know you can do these things. 27 | 28 | To protect your rights, we need to make restrictions that forbid 29 | anyone to deny you these rights or to ask you to surrender the rights. 30 | These restrictions translate to certain responsibilities for you if you 31 | distribute copies of the software, or if you modify it. 32 | 33 | For example, if you distribute copies of such a program, whether 34 | gratis or for a fee, you must give the recipients all the rights that 35 | you have. You must make sure that they, too, receive or can get the 36 | source code. And you must show them these terms so they know their 37 | rights. 
38 | 39 | We protect your rights with two steps: (1) copyright the software, and 40 | (2) offer you this license which gives you legal permission to copy, 41 | distribute and/or modify the software. 42 | 43 | Also, for each author's protection and ours, we want to make certain 44 | that everyone understands that there is no warranty for this free 45 | software. If the software is modified by someone else and passed on, we 46 | want its recipients to know that what they have is not the original, so 47 | that any problems introduced by others will not reflect on the original 48 | authors' reputations. 49 | 50 | Finally, any free program is threatened constantly by software 51 | patents. We wish to avoid the danger that redistributors of a free 52 | program will individually obtain patent licenses, in effect making the 53 | program proprietary. To prevent this, we have made it clear that any 54 | patent must be licensed for everyone's free use or not licensed at all. 55 | 56 | The precise terms and conditions for copying, distribution and 57 | modification follow. 58 | 59 | GNU GENERAL PUBLIC LICENSE 60 | TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 61 | 62 | 0. This License applies to any program or other work which contains 63 | a notice placed by the copyright holder saying it may be distributed 64 | under the terms of this General Public License. The "Program", below, 65 | refers to any such program or work, and a "work based on the Program" 66 | means either the Program or any derivative work under copyright law: 67 | that is to say, a work containing the Program or a portion of it, 68 | either verbatim or with modifications and/or translated into another 69 | language. (Hereinafter, translation is included without limitation in 70 | the term "modification".) Each licensee is addressed as "you". 71 | 72 | Activities other than copying, distribution and modification are not 73 | covered by this License; they are outside its scope. 
The act of 74 | running the Program is not restricted, and the output from the Program 75 | is covered only if its contents constitute a work based on the 76 | Program (independent of having been made by running the Program). 77 | Whether that is true depends on what the Program does. 78 | 79 | 1. You may copy and distribute verbatim copies of the Program's 80 | source code as you receive it, in any medium, provided that you 81 | conspicuously and appropriately publish on each copy an appropriate 82 | copyright notice and disclaimer of warranty; keep intact all the 83 | notices that refer to this License and to the absence of any warranty; 84 | and give any other recipients of the Program a copy of this License 85 | along with the Program. 86 | 87 | You may charge a fee for the physical act of transferring a copy, and 88 | you may at your option offer warranty protection in exchange for a fee. 89 | 90 | 2. You may modify your copy or copies of the Program or any portion 91 | of it, thus forming a work based on the Program, and copy and 92 | distribute such modifications or work under the terms of Section 1 93 | above, provided that you also meet all of these conditions: 94 | 95 | a) You must cause the modified files to carry prominent notices 96 | stating that you changed the files and the date of any change. 97 | 98 | b) You must cause any work that you distribute or publish, that in 99 | whole or in part contains or is derived from the Program or any 100 | part thereof, to be licensed as a whole at no charge to all third 101 | parties under the terms of this License. 
102 | 103 | c) If the modified program normally reads commands interactively 104 | when run, you must cause it, when started running for such 105 | interactive use in the most ordinary way, to print or display an 106 | announcement including an appropriate copyright notice and a 107 | notice that there is no warranty (or else, saying that you provide 108 | a warranty) and that users may redistribute the program under 109 | these conditions, and telling the user how to view a copy of this 110 | License. (Exception: if the Program itself is interactive but 111 | does not normally print such an announcement, your work based on 112 | the Program is not required to print an announcement.) 113 | 114 | These requirements apply to the modified work as a whole. If 115 | identifiable sections of that work are not derived from the Program, 116 | and can be reasonably considered independent and separate works in 117 | themselves, then this License, and its terms, do not apply to those 118 | sections when you distribute them as separate works. But when you 119 | distribute the same sections as part of a whole which is a work based 120 | on the Program, the distribution of the whole must be on the terms of 121 | this License, whose permissions for other licensees extend to the 122 | entire whole, and thus to each and every part regardless of who wrote it. 123 | 124 | Thus, it is not the intent of this section to claim rights or contest 125 | your rights to work written entirely by you; rather, the intent is to 126 | exercise the right to control the distribution of derivative or 127 | collective works based on the Program. 128 | 129 | In addition, mere aggregation of another work not based on the Program 130 | with the Program (or with a work based on the Program) on a volume of 131 | a storage or distribution medium does not bring the other work under 132 | the scope of this License. 133 | 134 | 3. 
You may copy and distribute the Program (or a work based on it, 135 | under Section 2) in object code or executable form under the terms of 136 | Sections 1 and 2 above provided that you also do one of the following: 137 | 138 | a) Accompany it with the complete corresponding machine-readable 139 | source code, which must be distributed under the terms of Sections 140 | 1 and 2 above on a medium customarily used for software interchange; or, 141 | 142 | b) Accompany it with a written offer, valid for at least three 143 | years, to give any third party, for a charge no more than your 144 | cost of physically performing source distribution, a complete 145 | machine-readable copy of the corresponding source code, to be 146 | distributed under the terms of Sections 1 and 2 above on a medium 147 | customarily used for software interchange; or, 148 | 149 | c) Accompany it with the information you received as to the offer 150 | to distribute corresponding source code. (This alternative is 151 | allowed only for noncommercial distribution and only if you 152 | received the program in object code or executable form with such 153 | an offer, in accord with Subsection b above.) 154 | 155 | The source code for a work means the preferred form of the work for 156 | making modifications to it. For an executable work, complete source 157 | code means all the source code for all modules it contains, plus any 158 | associated interface definition files, plus the scripts used to 159 | control compilation and installation of the executable. However, as a 160 | special exception, the source code distributed need not include 161 | anything that is normally distributed (in either source or binary 162 | form) with the major components (compiler, kernel, and so on) of the 163 | operating system on which the executable runs, unless that component 164 | itself accompanies the executable. 
165 | 166 | If distribution of executable or object code is made by offering 167 | access to copy from a designated place, then offering equivalent 168 | access to copy the source code from the same place counts as 169 | distribution of the source code, even though third parties are not 170 | compelled to copy the source along with the object code. 171 | 172 | 4. You may not copy, modify, sublicense, or distribute the Program 173 | except as expressly provided under this License. Any attempt 174 | otherwise to copy, modify, sublicense or distribute the Program is 175 | void, and will automatically terminate your rights under this License. 176 | However, parties who have received copies, or rights, from you under 177 | this License will not have their licenses terminated so long as such 178 | parties remain in full compliance. 179 | 180 | 5. You are not required to accept this License, since you have not 181 | signed it. However, nothing else grants you permission to modify or 182 | distribute the Program or its derivative works. These actions are 183 | prohibited by law if you do not accept this License. Therefore, by 184 | modifying or distributing the Program (or any work based on the 185 | Program), you indicate your acceptance of this License to do so, and 186 | all its terms and conditions for copying, distributing or modifying 187 | the Program or works based on it. 188 | 189 | 6. Each time you redistribute the Program (or any work based on the 190 | Program), the recipient automatically receives a license from the 191 | original licensor to copy, distribute or modify the Program subject to 192 | these terms and conditions. You may not impose any further 193 | restrictions on the recipients' exercise of the rights granted herein. 194 | You are not responsible for enforcing compliance by third parties to 195 | this License. 196 | 197 | 7. 
If, as a consequence of a court judgment or allegation of patent 198 | infringement or for any other reason (not limited to patent issues), 199 | conditions are imposed on you (whether by court order, agreement or 200 | otherwise) that contradict the conditions of this License, they do not 201 | excuse you from the conditions of this License. If you cannot 202 | distribute so as to satisfy simultaneously your obligations under this 203 | License and any other pertinent obligations, then as a consequence you 204 | may not distribute the Program at all. For example, if a patent 205 | license would not permit royalty-free redistribution of the Program by 206 | all those who receive copies directly or indirectly through you, then 207 | the only way you could satisfy both it and this License would be to 208 | refrain entirely from distribution of the Program. 209 | 210 | If any portion of this section is held invalid or unenforceable under 211 | any particular circumstance, the balance of the section is intended to 212 | apply and the section as a whole is intended to apply in other 213 | circumstances. 214 | 215 | It is not the purpose of this section to induce you to infringe any 216 | patents or other property right claims or to contest validity of any 217 | such claims; this section has the sole purpose of protecting the 218 | integrity of the free software distribution system, which is 219 | implemented by public license practices. Many people have made 220 | generous contributions to the wide range of software distributed 221 | through that system in reliance on consistent application of that 222 | system; it is up to the author/donor to decide if he or she is willing 223 | to distribute software through any other system and a licensee cannot 224 | impose that choice. 225 | 226 | This section is intended to make thoroughly clear what is believed to 227 | be a consequence of the rest of this License. 228 | 229 | 8. 
If the distribution and/or use of the Program is restricted in 230 | certain countries either by patents or by copyrighted interfaces, the 231 | original copyright holder who places the Program under this License 232 | may add an explicit geographical distribution limitation excluding 233 | those countries, so that distribution is permitted only in or among 234 | countries not thus excluded. In such case, this License incorporates 235 | the limitation as if written in the body of this License. 236 | 237 | 9. The Free Software Foundation may publish revised and/or new versions 238 | of the General Public License from time to time. Such new versions will 239 | be similar in spirit to the present version, but may differ in detail to 240 | address new problems or concerns. 241 | 242 | Each version is given a distinguishing version number. If the Program 243 | specifies a version number of this License which applies to it and "any 244 | later version", you have the option of following the terms and conditions 245 | either of that version or of any later version published by the Free 246 | Software Foundation. If the Program does not specify a version number of 247 | this License, you may choose any version ever published by the Free Software 248 | Foundation. 249 | 250 | 10. If you wish to incorporate parts of the Program into other free 251 | programs whose distribution conditions are different, write to the author 252 | to ask for permission. For software which is copyrighted by the Free 253 | Software Foundation, write to the Free Software Foundation; we sometimes 254 | make exceptions for this. Our decision will be guided by the two goals 255 | of preserving the free status of all derivatives of our free software and 256 | of promoting the sharing and reuse of software generally. 257 | 258 | NO WARRANTY 259 | 260 | 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY 261 | FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. 
EXCEPT WHEN 262 | OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES 263 | PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED 264 | OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF 265 | MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS 266 | TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE 267 | PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, 268 | REPAIR OR CORRECTION. 269 | 270 | 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING 271 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR 272 | REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, 273 | INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING 274 | OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED 275 | TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY 276 | YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER 277 | PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE 278 | POSSIBILITY OF SUCH DAMAGES. 279 | 280 | END OF TERMS AND CONDITIONS 281 | 282 | How to Apply These Terms to Your New Programs 283 | 284 | If you develop a new program, and you want it to be of the greatest 285 | possible use to the public, the best way to achieve this is to make it 286 | free software which everyone can redistribute and change under these terms. 287 | 288 | To do so, attach the following notices to the program. It is safest 289 | to attach them to the start of each source file to most effectively 290 | convey the exclusion of warranty; and each file should have at least 291 | the "copyright" line and a pointer to where the full notice is found. 
292 | 293 | {description} 294 | Copyright (C) {year} {fullname} 295 | 296 | This program is free software; you can redistribute it and/or modify 297 | it under the terms of the GNU General Public License as published by 298 | the Free Software Foundation; either version 2 of the License, or 299 | (at your option) any later version. 300 | 301 | This program is distributed in the hope that it will be useful, 302 | but WITHOUT ANY WARRANTY; without even the implied warranty of 303 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 304 | GNU General Public License for more details. 305 | 306 | You should have received a copy of the GNU General Public License along 307 | with this program; if not, write to the Free Software Foundation, Inc., 308 | 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 309 | 310 | Also add information on how to contact you by electronic and paper mail. 311 | 312 | If the program is interactive, make it output a short notice like this 313 | when it starts in an interactive mode: 314 | 315 | Gnomovision version 69, Copyright (C) year name of author 316 | Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. 317 | This is free software, and you are welcome to redistribute it 318 | under certain conditions; type `show c' for details. 319 | 320 | The hypothetical commands `show w' and `show c' should show the appropriate 321 | parts of the General Public License. Of course, the commands you use may 322 | be called something other than `show w' and `show c'; they could even be 323 | mouse-clicks or menu items--whatever suits your program. 324 | 325 | You should also get your employer (if you work as a programmer) or your 326 | school, if any, to sign a "copyright disclaimer" for the program, if 327 | necessary. Here is a sample; alter the names: 328 | 329 | Yoyodyne, Inc., hereby disclaims all copyright interest in the program 330 | `Gnomovision' (which makes passes at compilers) written by James Hacker. 
331 | 332 | {signature of Ty Coon}, 1 April 1989 333 | Ty Coon, President of Vice 334 | 335 | This General Public License does not permit incorporating your program into 336 | proprietary programs. If your program is a subroutine library, you may 337 | consider it more useful to permit linking proprietary applications with the 338 | library. If this is what you want to do, use the GNU Lesser General 339 | Public License instead of this License. 340 | 341 | -------------------------------------------------------------------------------- /tokenext/TokenExt.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #pragma warning( disable : 4005) 4 | #pragma warning( disable : 4101) 5 | #pragma warning( disable : 4129) 6 | #pragma warning( disable : 4267) 7 | 8 | 9 | #include 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | using namespace std; 19 | 20 | #define INITGUID 21 | #define EXT_CLASS CTokenExt 22 | #include "../inc/engextcpp10.hpp" 23 | #include "HandleTable.h" 24 | 25 | #define REG_RAX 0 26 | #define REG_RCX 1 27 | #define REG_RDX 2 28 | #define REG_RBX 3 29 | #define REG_RSP 4 30 | #define REG_RBP 5 31 | #define REG_RSI 6 32 | #define REG_RDI 7 33 | #define REG_R8 8 34 | #define REG_R9 9 35 | #define REG_R10 10 36 | #define REG_R11 11 37 | #define REG_R12 12 38 | #define REG_R13 13 39 | #define REG_R14 14 40 | #define REG_R15 15 41 | #define REG_RIP 16 42 | 43 | class CPoolHeader 44 | { 45 | public: 46 | CPoolHeader(size_t data) 47 | { 48 | memcpy(this, &data, 8); 49 | } 50 | 51 | uint32_t prev_size : 8; 52 | uint32_t pool_index : 8; 53 | uint32_t block_size : 8; 54 | uint32_t pool_type : 8; 55 | char tag[4]; 56 | }; 57 | 58 | //kd> dt _POOL_TRACKER_BIG_PAGES 59 | //nt!_POOL_TRACKER_BIG_PAGES 60 | //+ 0x000 Va : Uint8B 61 | //+ 0x008 Key : Uint4B 62 | //+ 0x00c Pattern : Pos 0, 8 Bits 63 | //+ 0x00c PoolType : Pos 8, 12 Bits 64 | //+ 0x00c 
SlushSize : Pos 20, 12 Bits 65 | //+ 0x010 NumberOfBytes : Uint8B 66 | 67 | class CBigPoolHeader 68 | { 69 | public: 70 | CBigPoolHeader(uint8_t* data) 71 | { 72 | memcpy(this, data, 0x18); 73 | } 74 | 75 | size_t va; 76 | char tag[4]; 77 | uint32_t pattern : 8; 78 | uint32_t pool_type : 12; 79 | uint32_t slush_size : 12; 80 | size_t size; 81 | }; 82 | 83 | /**************************************************** 84 | * 8 5 2 1 0 85 | * | | | | | 86 | * V V V V V 87 | * ___________________________________________________ 88 | * | | | | | | | | | 89 | * |____________________________|_|________|_|_|_|_|_| 90 | * ^ ^ ^ ^ ^ 91 | * | | | | | 92 | * | | | | 0: Non-Paged Pool 93 | * | | | | 1: Paged Pool 94 | * | | | | 95 | * | | | 1: Must Succeed (0x02) 96 | * | | | 97 | * | | | 98 | * | | 1: Cache Aligned (0x04) 99 | * | | 100 | * | | 101 | * | 1: Session Pool (0x20) 102 | * | 103 | * | 104 | * 1: NX, No Execute (0x200) 105 | * 106 | *****************************************************/ 107 | 108 | #define NonPagedPool 0x0000 109 | #define NonPagedPoolExecute 0x0000 110 | #define NonPagedPoolBase 0x0000 111 | 112 | #define PagedPool 0x0001 113 | 114 | #define NonPagedPoolMustSucceed 0x0002 115 | #define NonPagedPoolBaseMustSucceed 0x0002 116 | 117 | #define DontUseThisType 0x0003 118 | 119 | #define NonPagedPoolCacheAligned 0x0004 120 | #define NonPagedPoolBaseCacheAligned 0x0004 121 | 122 | #define PagedPoolCacheAligned 0x0005 123 | 124 | #define NonPagedPoolCacheAlignedMustS 0x0006 125 | #define NonPagedPoolBaseCacheAlignedMustS 0x0006 126 | 127 | #define MaxPoolType 0x0007 128 | 129 | #define NonPagedPoolSession 0x0020 130 | #define PagedPoolSession 0x0021 131 | #define NonPagedPoolMustSucceedSession 0x0022 132 | #define DontUseThisTypeSession 0x0023 133 | #define NonPagedPoolCacheAlignedSession 0x0024 134 | #define PagedPoolCacheAlignedSession 0x0025 135 | #define NonPagedPoolCacheAlignedMustSSession 0x0026 136 | 137 | #define NonPagedPoolNx 0x0200 138 | #define 
NonPagedPoolNxCacheAligned 0x0204 139 | 140 | #define NonPagedPoolSessionNx 0x0220 141 | 142 | struct PTE64 143 | { 144 | size_t Valid : 1; 145 | size_t Write : 1; 146 | size_t Owner : 1; 147 | size_t WriteThrough : 1; 148 | size_t CacheDisabled : 1; 149 | size_t Accessed : 1; 150 | size_t Dirty : 1; 151 | size_t LargePage : 1; 152 | size_t Global : 1; 153 | size_t SoftCopyOnWrite : 1; 154 | size_t SoftPrototype : 1; 155 | size_t SoftWrite : 1; 156 | size_t PageFrameNumber : 28; 157 | size_t Reserved : 12; 158 | size_t SoftWorkingSetIndex : 11; 159 | size_t NoExecute : 1; 160 | 161 | PTE64(size_t source) 162 | { 163 | memcpy(this, &source, 8); 164 | } 165 | 166 | size_t PFN() 167 | { 168 | return (size_t)PageFrameNumber << 12; 169 | } 170 | 171 | bool valid() { return Valid != 0; } 172 | bool write() { return Write != 0; } 173 | bool owner() { return Owner != 0; } 174 | bool writeThrough() { return WriteThrough != 0; } 175 | bool cache() { return CacheDisabled == 0; } 176 | bool accessed() { return Accessed != 0; } 177 | bool dirty() { return Dirty != 0; } 178 | bool large() { return LargePage != 0; } 179 | bool global() { return Global != 0; } 180 | bool softCow() { return SoftCopyOnWrite != 0; } 181 | bool softProto() { return SoftPrototype != 0; } 182 | bool softWrite() { return SoftWrite != 0; } 183 | bool nx() { return NoExecute != 0; } 184 | size_t workingsetIndex() { return SoftWorkingSetIndex; } 185 | 186 | string str() 187 | { 188 | stringstream ss; 189 | ss << (valid() ? "Valid" : "invalid") << " " 190 | << (write() ? "Write" : "readonly") << " " 191 | << (owner() ? "Usermode" : "kernelmode") << " " 192 | << (accessed() ? "Accessed" : "noaccess") << " " 193 | << (dirty() ? "Dirty" : "no-dirty") << " " 194 | << (large() ? "Large" : "no-large") << " " 195 | << (global() ? "Global" : "no-global") << " " 196 | << (softCow() ? "CopyOnWrite" : "no-copyonwrite") << " " 197 | << (softWrite() ? "SoftWrite" : "no-softwrite") << " " 198 | << (nx() ? 
"NX" : "no-NX") << " "; 199 | ; 200 | 201 | return ss.str(); 202 | } 203 | }; 204 | 205 | struct PS_FLAGS 206 | { 207 | uint32_t CreateReported : 1; 208 | uint32_t NoDebugInherit : 1; 209 | uint32_t ProcessExiting : 1; 210 | uint32_t ProcessDelete : 1; 211 | uint32_t ControlFlowGuardEnabled : 1; 212 | uint32_t VmDeleted : 1; 213 | uint32_t OutswapEnabled : 1; 214 | uint32_t Outswapped : 1; 215 | uint32_t FailFastOnCommitFail : 1; 216 | uint32_t Wow64VaSpace4Gb : 1; 217 | uint32_t AddressSpaceInitialized : 2; 218 | uint32_t SetTimerResolution : 1; 219 | uint32_t BreakOnTermination : 1; 220 | uint32_t DeprioritizeViews : 1; 221 | uint32_t WriteWatch : 1; 222 | uint32_t ProcessInSession : 1; 223 | uint32_t OverrideAddressSpace : 1; 224 | uint32_t HasAddressSpace : 1; 225 | uint32_t LaunchPrefetched : 1; 226 | uint32_t Background : 1; 227 | uint32_t VmTopDown : 1; 228 | uint32_t ImageNotifyDone : 1; 229 | uint32_t PdeUpdateNeeded : 1; 230 | uint32_t VdmAllowed : 1; 231 | uint32_t ProcessRundown : 1; 232 | uint32_t ProcessInserted : 1; 233 | uint32_t DefaultIoPriority : 3; 234 | uint32_t ProcessSelfDelete : 1; 235 | uint32_t SetTimerResolutionLink : 1; 236 | 237 | 238 | PS_FLAGS(uint32_t source) 239 | { 240 | memcpy(this, &source, 4); 241 | } 242 | 243 | string str() 244 | { 245 | stringstream ss; 246 | 247 | if (CreateReported != 0) ss << setw(50) << " CreateReported \n"; 248 | if (NoDebugInherit != 0) ss << setw(50) << " NoDebugInherit \n"; 249 | if (ProcessExiting != 0) ss << setw(50) << " ProcessExiting \n"; 250 | if (ProcessDelete != 0) ss << setw(50) << " ProcessDelete \n"; 251 | if (ControlFlowGuardEnabled != 0) ss << setw(50) << " ControlFlowGuardEnabled " << "\t\t[Mitigation]\n"; 252 | if (VmDeleted != 0) ss << setw(50) << " VmDeleted \n"; 253 | if (OutswapEnabled != 0) ss << setw(50) << " OutswapEnabled \n"; 254 | if (Outswapped != 0) ss << setw(50) << " Outswapped \n"; 255 | if (FailFastOnCommitFail != 0) ss << setw(50) << " FailFastOnCommitFail \n"; 256 | if 
(Wow64VaSpace4Gb != 0) ss << setw(50) << " Wow64VaSpace4Gb \n"; 257 | 258 | if (SetTimerResolution != 0) ss << setw(50) << " SetTimerResolution \n"; 259 | if (BreakOnTermination != 0) ss << setw(50) << " BreakOnTermination \n"; 260 | if (DeprioritizeViews != 0) ss << setw(50) << " DeprioritizeViews \n"; 261 | if (WriteWatch != 0) ss << setw(50) << " WriteWatch \n"; 262 | if (ProcessInSession != 0) ss << setw(50) << " ProcessInSession \n"; 263 | if (OverrideAddressSpace != 0) ss << setw(50) << " OverrideAddressSpace \n"; 264 | if (HasAddressSpace != 0) ss << setw(50) << " HasAddressSpace \n"; 265 | if (LaunchPrefetched != 0) ss << setw(50) << " LaunchPrefetched \n"; 266 | if (Background != 0) ss << setw(50) << " Background \n"; 267 | if (VmTopDown != 0) ss << setw(50) << " VmTopDown \n"; 268 | if (ImageNotifyDone != 0) ss << setw(50) << " ImageNotifyDone \n"; 269 | if (PdeUpdateNeeded != 0) ss << setw(50) << " PdeUpdateNeeded \n"; 270 | if (VdmAllowed != 0) ss << setw(50) << " VdmAllowed \n"; 271 | if (ProcessRundown != 0) ss << setw(50) << " ProcessRundown \n"; 272 | if (ProcessInserted != 0) ss << setw(50) << " ProcessInserted \n"; 273 | 274 | if (ProcessSelfDelete != 0) ss << setw(50) << " ProcessSelfDelete \n"; 275 | if (SetTimerResolutionLink != 0) ss << setw(50) << " SetTimerResolutionLink \n"; 276 | 277 | ss << setw(50) << "AddressSpaceInitialized : " << hex << setw(8) << AddressSpaceInitialized << "\n" 278 | << setw(50) << "DefaultIoPriority : " << hex << setw(8) << DefaultIoPriority; 279 | 280 | return ss.str(); 281 | } 282 | }; 283 | 284 | struct PS_FLAGS3 285 | { 286 | uint32_t Minimal : 1; 287 | uint32_t ReplacingPageRoot : 1; 288 | uint32_t DisableNonSystemFonts : 1; 289 | uint32_t AuditNonSystemFontLoading : 1; 290 | uint32_t Crashed : 1; 291 | uint32_t JobVadsAreTracked : 1; 292 | uint32_t VadTrackingDisabled : 1; 293 | uint32_t AuxiliaryProcess : 1; 294 | uint32_t SubsystemProcess : 1; 295 | uint32_t IndirectCpuSets : 1; 296 | uint32_t InPrivate : 1; 
297 | uint32_t ProhibitRemoteImageMap : 1; 298 | uint32_t ProhibitLowILImageMap : 1; 299 | uint32_t SignatureMitigationOptIn : 1; 300 | uint32_t DisableDynamicCodeAllowOptOut : 1; 301 | uint32_t EnableFilteredWin32kAPIs : 1; 302 | uint32_t AuditFilteredWin32kAPIs : 1; 303 | uint32_t PreferSystem32Images : 1; 304 | uint32_t RelinquishedCommit : 1; 305 | uint32_t AutomaticallyOverrideChildProcessPolicy : 1; 306 | uint32_t HighGraphicsPriority : 1; 307 | uint32_t CommitFailLogged : 1; 308 | uint32_t ReserveFailLogged : 1; 309 | 310 | PS_FLAGS3(uint32_t source) 311 | { 312 | memcpy(this, &source, 4); 313 | } 314 | 315 | string str() 316 | { 317 | stringstream ss; 318 | 319 | if ( Minimal != 0) ss << setw(50) << " Minimal \n"; 320 | if ( ReplacingPageRoot != 0) ss << setw(50) << " ReplacingPageRoot \n"; 321 | if ( DisableNonSystemFonts != 0) ss << setw(50) << " DisableNonSystemFonts " << "\t\t[Mitigation]\n"; 322 | if ( AuditNonSystemFontLoading != 0) ss << setw(50) << " AuditNonSystemFontLoading \n"; 323 | if ( Crashed != 0) ss << setw(50) << " Crashed \n"; 324 | if ( JobVadsAreTracked != 0) ss << setw(50) << " JobVadsAreTracked \n"; 325 | if ( VadTrackingDisabled != 0) ss << setw(50) << " VadTrackingDisabled \n"; 326 | if ( AuxiliaryProcess != 0) ss << setw(50) << " AuxiliaryProcess \n"; 327 | if ( SubsystemProcess != 0) ss << setw(50) << " SubsystemProcess \n"; 328 | if ( IndirectCpuSets != 0) ss << setw(50) << " IndirectCpuSets \n"; 329 | if ( InPrivate != 0) ss << setw(50) << " InPrivate \n"; 330 | if ( ProhibitRemoteImageMap != 0) ss << setw(50) << " ProhibitRemoteImageMap " << "\t\t[Mitigation]\n"; 331 | if ( ProhibitLowILImageMap != 0) ss << setw(50) << " ProhibitLowILImageMap " << "\t\t[Mitigation]\n"; 332 | if ( SignatureMitigationOptIn != 0) ss << setw(50) << " SignatureMitigationOptIn \n"; 333 | if ( DisableDynamicCodeAllowOptOut != 0) ss << setw(50) << " DisableDynamicCodeAllowOptOut \n"; 334 | if ( EnableFilteredWin32kAPIs != 0) ss << setw(50) << " 
EnableFilteredWin32kAPIs " << "\t\t[Mitigation]\n"; 335 | if ( AuditFilteredWin32kAPIs != 0) ss << setw(50) << " AuditFilteredWin32kAPIs \n"; 336 | if ( PreferSystem32Images != 0) ss << setw(50) << " PreferSystem32Images " << "\t\t[Mitigation]\n"; 337 | if ( RelinquishedCommit != 0) ss << setw(50) << " RelinquishedCommit \n"; 338 | if ( AutomaticallyOverrideChildProcessPolicy != 0) ss << setw(50) << " AutomaticallyOverrideChildProcessPolicy \n"; 339 | if ( HighGraphicsPriority != 0) ss << setw(50) << " HighGraphicsPriority \n"; 340 | if ( CommitFailLogged != 0) ss << setw(50) << " CommitFailLogged \n"; 341 | if ( ReserveFailLogged != 0) ss << setw(50) << " ReserveFailLogged \n"; 342 | 343 | return ss.str(); 344 | } 345 | }; 346 | 347 | struct PS_FLAGS2 348 | { 349 | uint32_t JobNotReallyActive : 1; 350 | uint32_t AccountingFolded : 1; 351 | uint32_t NewProcessReported : 1; 352 | uint32_t ExitProcessReported : 1; 353 | uint32_t ReportCommitChanges : 1; 354 | uint32_t LastReportMemory : 1; 355 | uint32_t ForceWakeCharge : 1; 356 | uint32_t CrossSessionCreate : 1; 357 | uint32_t NeedsHandleRundown : 1; 358 | uint32_t RefTraceEnabled : 1; 359 | uint32_t DisableDynamicCode : 1; 360 | uint32_t EmptyJobEvaluated : 1; 361 | uint32_t DefaultPagePriority : 3; 362 | uint32_t PrimaryTokenFrozen : 1; 363 | uint32_t ProcessVerifierTarget : 1; 364 | uint32_t StackRandomizationDisabled : 1; 365 | uint32_t AffinityPermanent : 1; 366 | uint32_t AffinityUpdateEnable : 1; 367 | uint32_t PropagateNode : 1; 368 | uint32_t ExplicitAffinity : 1; 369 | uint32_t ProcessExecutionState : 2; 370 | uint32_t DisallowStrippedImages : 1; 371 | uint32_t HighEntropyASLREnabled : 1; 372 | uint32_t ExtensionPointDisable : 1; 373 | uint32_t ForceRelocateImages : 1; 374 | uint32_t ProcessStateChangeRequest : 2; 375 | uint32_t ProcessStateChangeInProgress : 1; 376 | uint32_t DisallowWin32kSystemCalls : 1; 377 | 378 | PS_FLAGS2(uint32_t source) 379 | { 380 | memcpy(this, &source, 4); 381 | } 382 | 383 | 
string str() 384 | { 385 | stringstream ss; 386 | 387 | if ( JobNotReallyActive != 0) ss << setw(50) << " JobNotReallyActive \n"; 388 | if ( AccountingFolded != 0) ss << setw(50) << " AccountingFolded \n"; 389 | if ( NewProcessReported != 0) ss << setw(50) << " NewProcessReported \n"; 390 | if ( ExitProcessReported != 0) ss << setw(50) << " ExitProcessReported \n"; 391 | if ( ReportCommitChanges != 0) ss << setw(50) << " ReportCommitChanges \n"; 392 | if ( LastReportMemory != 0) ss << setw(50) << " LastReportMemory \n"; 393 | if ( ForceWakeCharge != 0) ss << setw(50) << " ForceWakeCharge \n"; 394 | if ( CrossSessionCreate != 0) ss << setw(50) << " CrossSessionCreate \n"; 395 | if ( NeedsHandleRundown != 0) ss << setw(50) << " NeedsHandleRundown \n"; 396 | if ( RefTraceEnabled != 0) ss << setw(50) << " RefTraceEnabled \n"; 397 | if ( DisableDynamicCode != 0) ss << setw(50) << " DisableDynamicCode \n"; 398 | if ( EmptyJobEvaluated != 0) ss << setw(50) << " EmptyJobEvaluated \n"; 399 | 400 | if ( PrimaryTokenFrozen != 0) ss << setw(50) << " PrimaryTokenFrozen \n"; 401 | if ( ProcessVerifierTarget != 0) ss << setw(50) << " ProcessVerifierTarget \n"; 402 | if ( StackRandomizationDisabled != 0) ss << setw(50) << " StackRandomizationDisabled \n"; 403 | if ( AffinityPermanent != 0) ss << setw(50) << " AffinityPermanent \n"; 404 | if ( AffinityUpdateEnable != 0) ss << setw(50) << " AffinityUpdateEnable \n"; 405 | if ( PropagateNode != 0) ss << setw(50) << " PropagateNode \n"; 406 | if ( ExplicitAffinity != 0) ss << setw(50) << " ExplicitAffinity \n"; 407 | 408 | if ( DisallowStrippedImages != 0) ss << setw(50) << " DisallowStrippedImages " << "\t\t[Mitigation]\n"; 409 | if ( HighEntropyASLREnabled != 0) ss << setw(50) << " HighEntropyASLREnabled " << "\t\t[Mitigation]\n"; 410 | if ( ExtensionPointDisable != 0) ss << setw(50) << " ExtensionPointDisable " << "\t\t[Mitigation]\n"; 411 | if ( ForceRelocateImages != 0) ss << setw(50) << " ForceRelocateImages " << 
"\t\t[Mitigation]\n"; 412 | 413 | if ( ProcessStateChangeInProgress != 0) ss << setw(50) << " ProcessStateChangeInProgress \n"; 414 | if ( DisallowWin32kSystemCalls != 0) ss << setw(50) << " DisallowWin32kSystemCalls " << "\t\t[Mitigation]\n"; 415 | 416 | ss << setw(50) << " DefaultPagePriority : " << hex << setw(8) << DefaultPagePriority << "\n" 417 | << setw(50) << "ProcessExecutionState : " << hex << setw(8) << ProcessExecutionState << "\n" 418 | << setw(50) << "ProcessStateChangeRequest : " << hex << setw(8) << ProcessStateChangeRequest; 419 | 420 | return ss.str(); 421 | } 422 | }; 423 | 424 | #pragma pack(pop) 425 | 426 | #pragma pack(push, 1) 427 | struct SEP_TOKEN_PRIVILEGES 428 | { 429 | size_t Present; 430 | size_t Enabled; 431 | size_t EnabledByDefault; 432 | }; 433 | 434 | struct SEP_AUDIT_POLICY 435 | { 436 | uint8_t AdtTokenPolicy[0x1e]; 437 | uint8_t PolicySetStatus[0x01]; 438 | uint8_t Reserved[0x01]; 439 | }; 440 | 441 | struct SEP_LOGON_SESSION_REFERENCES 442 | { 443 | SEP_LOGON_SESSION_REFERENCES* Next; 444 | LUID LogonId; 445 | LUID BuddyLogonId; 446 | size_t ReferenceCount; 447 | uint32_t Flags; 448 | PVOID pDeviceMap; 449 | PVOID Token; 450 | UNICODE_STRING AccountName; 451 | UNICODE_STRING AuthorityName; 452 | uint8_t LowBoxHandlesTable[0x10]; // 0 453 | uint8_t SharedDataLock[0x08]; // 0 454 | PVOID SharedClaimAttributes; 455 | PVOID SharedSidValues; 456 | PVOID RevocationBlock_Infos_Flink; 457 | PVOID RevocationBlock_Infos_Blink; 458 | uint8_t RevocationBlock_Lock[0x08]; 459 | uint8_t RevocationBlock_Rundown[0x08]; 460 | PVOID ServerSilo; 461 | LUID SiblingAuthId; 462 | }; 463 | 464 | 465 | class CBitFieldAnalyzer 466 | { 467 | public: 468 | CBitFieldAnalyzer() 469 | {} 470 | 471 | CBitFieldAnalyzer( 472 | __in const map& definitions 473 | ) 474 | { 475 | for (auto it = definitions.begin(); 476 | it != definitions.end(); 477 | it++) 478 | { 479 | m_definitions[it->first] = it->second; 480 | } 481 | } 482 | 483 | CBitFieldAnalyzer( 484 | 
__in map&& definitions 485 | ) 486 | :m_definitions(move(definitions)) 487 | { 488 | } 489 | 490 | string 491 | GetText( 492 | __in const uint32_t compound, 493 | __in bool pureText = false 494 | ) 495 | { 496 | stringstream ss; 497 | if (!pureText) 498 | ss << "0x" << hex << noshowbase << setw(8) << setfill('0') << compound << "("; 499 | 500 | for (auto it = m_definitions.begin(); 501 | it != m_definitions.end(); 502 | it++) 503 | { 504 | if (it->first & compound) 505 | ss << it->second << ","; 506 | } 507 | 508 | if (!pureText) 509 | ss << ")"; 510 | 511 | return ss.str(); 512 | } 513 | 514 | private: 515 | map m_definitions; 516 | }; 517 | 518 | struct cmp_str 519 | { 520 | bool operator()(const char* a, const char* b) const 521 | { 522 | return std::strcmp(a, b) < 0; 523 | } 524 | }; 525 | 526 | class POOL_METRICS 527 | { 528 | public: 529 | size_t _pool_addr; 530 | size_t _pool_index; 531 | size_t _pool_type; 532 | size_t _pool_start; 533 | size_t _pool_end; 534 | size_t _total_pages; 535 | size_t _total_bytes; 536 | size_t _total_big_pages; 537 | string _comment; 538 | vector _pending_frees; 539 | map> _free_lists; 540 | }; 541 | 542 | bool is_alpha(uint8_t ch) 543 | { 544 | if (ch >= '0' && ch <= '9') 545 | return true; 546 | 547 | if (ch >= 'A' && ch <= 'Z') 548 | return true; 549 | 550 | if (ch >= 'a' && ch <= 'z') 551 | return true; 552 | 553 | return false; 554 | } 555 | 556 | class CBuffer 557 | { 558 | public: 559 | CBuffer(size_t len) 560 | :m_len(len) 561 | { 562 | m_buffer = new (nothrow) uint8_t[len]; 563 | if (m_buffer == nullptr) 564 | m_len = 0; 565 | else 566 | memset(m_buffer, 0, m_len); 567 | } 568 | ~CBuffer() 569 | { 570 | if (valid()) 571 | { 572 | delete[] m_buffer; 573 | m_buffer = nullptr; 574 | m_len = 0; 575 | } 576 | } 577 | 578 | uint8_t* ptr() 579 | { 580 | return m_buffer; 581 | } 582 | 583 | size_t len() 584 | { 585 | return m_len; 586 | } 587 | 588 | bool valid() 589 | { 590 | return m_buffer != nullptr; 591 | } 592 | 593 | 
template 594 | bool set(size_t offset, T content) 595 | { 596 | if (offset >= m_len) 597 | return false; 598 | 599 | *(reinterpret_cast(m_buffer + offset)) = content; 600 | return true; 601 | } 602 | 603 | private: 604 | uint8_t* m_buffer; 605 | size_t m_len; 606 | }; 607 | 608 | class CTokenExt 609 | : public ExtExtension 610 | //, public IDebugEventCallbacks 611 | //, public IDebugOutputCallbacks 612 | { 613 | public: 614 | CTokenExt(); 615 | ~CTokenExt(); 616 | 617 | void handles(void); 618 | 619 | void dbgdata(void); 620 | 621 | void obj(void); 622 | 623 | void gobj(void); 624 | 625 | void pses(void); 626 | 627 | void lmu(void); 628 | 629 | void lmk(void); 630 | 631 | void types(void); 632 | 633 | void dk(void); 634 | 635 | 636 | public: 637 | 638 | size_t readDbgDataAddr(ULONG index); 639 | 640 | wstring getTypeName(size_t index); 641 | 642 | template 643 | bool is_in_range(T value, T min, T max); 644 | 645 | void initialize(); 646 | 647 | void dump_user_modules(); 648 | 649 | void dump_kernel_modules(); 650 | 651 | uint8_t realIndex(size_t type_index, size_t obj_hdr_addr); 652 | 653 | void dump_obj(size_t obj_addr, bool b_simple = false); 654 | 655 | string wstr2str(wstring wstr); 656 | 657 | void dump_process(size_t process_addr); 658 | 659 | void dump_handle_table(size_t handle_table_addr); 660 | 661 | void dump_kernel_handle_table(); 662 | 663 | void dump_process_handle_table(size_t process_addr); 664 | 665 | void dump_sdr(size_t sd_addr, string type_name = "File"); 666 | 667 | void dump_pool_handles(size_t table_addr, size_t count); 668 | 669 | void dump_token(size_t token_addr); 670 | 671 | void dump_session(size_t session_addr); 672 | 673 | void kill_process(size_t proc_addr); 674 | 675 | void dump_logon_sessions(); 676 | 677 | void token_privilege_add(size_t token_addr, size_t bitmap); 678 | 679 | void dump_process_threads(size_t process_addr); 680 | 681 | void dump_pool(size_t addr); 682 | 683 | void dump_args(); 684 | 685 | size_t find_proc(string 
name); 686 | 687 | void dump_free_pool(size_t size); 688 | 689 | void dump_threads_stack(size_t process_addr); 690 | 691 | void dump_all_threads_stack(); 692 | 693 | void dig_link(size_t addr); 694 | 695 | void tpool(size_t addr); 696 | 697 | void poolhdr(size_t addr); 698 | 699 | 700 | void dump_page_info(size_t addr); 701 | 702 | void dump_pages_around(size_t addr); 703 | 704 | void dump_pool_metrics(); 705 | 706 | void dump_pe_guid(size_t addr); 707 | 708 | void dump_session_pool(); 709 | 710 | void dump_session_space(size_t addr); 711 | 712 | void dump_page_dir(size_t proc_addr, bool user_mode_only = true); 713 | 714 | string dump_obj_ref(size_t addr); 715 | 716 | vector dump_avl_entries(size_t addr); 717 | 718 | bool VisitSide(size_t addr, vector& entries); 719 | 720 | string ctime(time_t* time); 721 | 722 | string fctime(time_t* time); 723 | 724 | HRESULT x(string cmd); 725 | 726 | string x_output(string cmd); 727 | 728 | size_t reg(size_t reg); 729 | 730 | size_t reg_of(const char* reg); 731 | 732 | tuple get_thread_token(size_t thread_addr); 733 | 734 | string dump_luid(size_t addr); 735 | 736 | tuple dump_sid(size_t sid_addr); 737 | 738 | string dump_guid(size_t addr); 739 | 740 | string dump_sid_attr_array(size_t sid_addr, size_t count); 741 | 742 | size_t get_sid_attr_array_item(size_t sid_addr, size_t count, size_t index); 743 | 744 | string dump_sid_attr_hash(size_t addr); 745 | 746 | size_t get_sid_attr_hash_item(size_t addr, size_t index); 747 | 748 | string dump_acl(size_t acl_addr, string type_name = "File"); 749 | 750 | string dump_privilege(size_t addr); 751 | 752 | string dump_privileges_by_bitmap(size_t bitmap); 753 | 754 | string privilege_bit_to_text(size_t bit_offset); 755 | 756 | void do_memcpy(size_t src_addr, size_t dst_addr, size_t count); 757 | 758 | void dump_obj_dir(size_t obj_hdr_addr, size_t level = 0, bool recurse = false); 759 | 760 | size_t getSymbolAddr(const char* name); 761 | 762 | string getAddrSymbol(size_t addr); 763 | 764 
| string getProtectionText(uint8_t protection); 765 | 766 | string getTokenIL(size_t token_addr); 767 | 768 | bool valid_addr(size_t addr); 769 | 770 | wstring readUnicodeString(size_t addr); 771 | 772 | wstring dump_obj_name(size_t obj_hdr_addr); 773 | 774 | wstring dump_file_name(size_t file_obj_addr); 775 | 776 | wstring dump_sym_link(size_t addr); 777 | 778 | void dump_ps_flags(size_t addr); 779 | 780 | void dump_big_pool(); 781 | 782 | void dump_pool_track(); 783 | 784 | void dump_pool_range(); 785 | 786 | void traverse_linked_list(size_t head); 787 | 788 | void dump_trap_frame(size_t thread_addr); 789 | 790 | void dump_types(); 791 | 792 | void dump_hole(size_t addr); 793 | 794 | size_t curr_proc(); 795 | 796 | size_t curr_thread(); 797 | 798 | size_t curr_tid(); 799 | 800 | size_t curr_token(); 801 | 802 | void dump_usage(); 803 | 804 | size_t get_cr3(); 805 | 806 | void dump_modules(); 807 | 808 | void dump_size(size_t value); 809 | 810 | void dump_va_regions(); 811 | 812 | void dump_regs(); 813 | 814 | void pte(size_t addr); 815 | 816 | void analyze_qword(size_t value); 817 | 818 | void analyze_mem(size_t start, size_t len); 819 | 820 | bool like_kaddr(size_t addr); 821 | 822 | bool in_user_heap(size_t addr); 823 | 824 | bool in_curr_stack(size_t addr); 825 | 826 | bool in_paged_pool(size_t addr); 827 | 828 | bool in_non_paged_pool(size_t addr); 829 | 830 | bool in_small_pool_page(size_t addr); 831 | 832 | tuple as_kcode(size_t addr); 833 | tuple as_ucode(size_t addr); 834 | 835 | // bool: is_Small_or_large_pool 836 | // bool: is_Paged_or_nonpaged_pool 837 | // bool: is_Allocated_or_free_pool 838 | // size_t: pool_start_addr 839 | // size_t: pool_size (exclude header size) 840 | // string: tag 841 | tuple as_small_pool(size_t addr); 842 | 843 | tuple as_large_pool(size_t addr); 844 | 845 | void dump_token_buffer(size_t addr); 846 | 847 | bool is_reg(string& str); 848 | 849 | size_t getIntArg(vector& args, size_t idx, size_t default_val); 850 | 851 | static 
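string
getIntegrityLevel(
    __in const string& sidText
)
{
    // Map an integrity-level SID (the S-1-16-* entries of
    // s_integrity_level_texts) to its label. Unknown SID text is returned
    // unchanged so the caller still prints something identifiable.
    auto it = s_integrity_level_texts.find(sidText.c_str());

    if (it != s_integrity_level_texts.end())
        return it->second;

    return sidText;
}

static
string
getImpersonationLevel(
    __in const size_t level
)
{
    // SECURITY_IMPERSONATION_LEVEL value -> name. Returns "" for values
    // outside the four defined levels (e.g. a corrupted token field).
    static map<size_t, string> s_impersonation_level_map{ {
        { SecurityAnonymous,      "SecurityAnonymous" },
        { SecurityIdentification, "SecurityIdentification" },
        { SecurityImpersonation,  "SecurityImpersonation" },
        { SecurityDelegation,     "SecurityDelegation" },
    } };

    auto it = s_impersonation_level_map.find(level);

    if (it != s_impersonation_level_map.end())
        return it->second;

    return "";
}

static
string
getAceTypeStr(
    __in const size_t ace_type
)
{
    // ACE_HEADER.AceType -> bracketed tag used as a prefix in ACE dumps.
    // Unknown types print as "[ ]" so the column width stays stable.
    static map<size_t, string> s_ace_type_map{
        { ACCESS_ALLOWED_ACE_TYPE,                  "[Allow]" },
        { ACCESS_DENIED_ACE_TYPE,                   "[Deny ]" },
        { SYSTEM_AUDIT_ACE_TYPE,                    "[Audit]" },
        { SYSTEM_ALARM_ACE_TYPE,                    "[Alarm]" },
        { ACCESS_ALLOWED_COMPOUND_ACE_TYPE,         "[Allow_Compound]" },
        { ACCESS_ALLOWED_OBJECT_ACE_TYPE,           "[Allow_Object]" },
        { ACCESS_DENIED_OBJECT_ACE_TYPE,            "[Deny_Object]" },
        { SYSTEM_AUDIT_OBJECT_ACE_TYPE,             "[Audit_Object]" },
        { SYSTEM_ALARM_OBJECT_ACE_TYPE,             "[Alarm_Object]" },
        { ACCESS_ALLOWED_CALLBACK_ACE_TYPE,         "[Allow_Callback]" },
        { ACCESS_DENIED_CALLBACK_ACE_TYPE,          "[Deny_Callback]" },
        { ACCESS_ALLOWED_CALLBACK_OBJECT_ACE_TYPE,  "[Allow_Callback_Object]" },
        { ACCESS_DENIED_CALLBACK_OBJECT_ACE_TYPE,   "[Deny_Callback_Object]" },
        { SYSTEM_AUDIT_CALLBACK_ACE_TYPE,           "[Audit_Callback]" },
        { SYSTEM_ALARM_CALLBACK_ACE_TYPE,           "[Alarm_Callback]" },
        { SYSTEM_AUDIT_CALLBACK_OBJECT_ACE_TYPE,    "[Audit_Callback_Object]" },
        { SYSTEM_ALARM_CALLBACK_OBJECT_ACE_TYPE,    "[Alarm_Callback_Object]" },
        // Fixed typo: this is the mandatory (integrity) label ACE.
        { SYSTEM_MANDATORY_LABEL_ACE_TYPE,          "[Mandatory_Label]" },
        { SYSTEM_RESOURCE_ATTRIBUTE_ACE_TYPE,       "[Resource_Attribute]" },
        { SYSTEM_SCOPED_POLICY_ID_ACE_TYPE,         "[Scoped_Policy_Id]" },
        { SYSTEM_PROCESS_TRUST_LABEL_ACE_TYPE,      "[Process_Trust_Label]" },
        // SYSTEM_ACCESS_FILTER_ACE_TYPE (0x15); spelled numerically because
        // older SDK headers do not define the macro.
        { 0x15,                                     "[Access_Filter]" },
    };

    auto it = s_ace_type_map.find(ace_type);
    if (it != s_ace_type_map.end())
        return it->second;

    return "[ ]";
}

// Render a 16-bit type-specific access mask as "0xNNNN". Used when no
// per-type decoder exists, so the reader sees the raw bits instead of a
// misleading decode borrowed from another object type.
static
string
specificMaskHex(
    __in const size_t mask
)
{
    static const char digits[] = "0123456789abcdef";
    string out = "0x";
    for (int shift = 12; shift >= 0; shift -= 4)
        out += digits[(mask >> shift) & 0xf];
    return out;
}

static
string
getAceMaskStr(
    __in const size_t ace_mask,
    __in string type_name = "File",
    __in bool pureText = false
)
{
    // Decode an ACCESS_MASK for the given kernel object type name.
    //
    // Bits 16-31 (standard, SACL, MAXIMUM_ALLOWED and generic rights) mean
    // the same thing for every object type. Bits 0-15 are type specific and
    // are dispatched on type_name, which is expected to be the object-manager
    // type name as found in the handle table ("File", "Token", "TmTx", ...).
    // Generic rights normally only survive in inheritable ACEs; seeing them in
    // a granted-access mask is worth a second look.
    static CBitFieldAnalyzer s_AceMaskAnalyzer{ {
        { DELETE,                 "DELETE" },                 //(0x00010000L)
        { READ_CONTROL,           "READ_CONTROL" },           //(0x00020000L)
        { WRITE_DAC,              "WRITE_DAC" },              //(0x00040000L)
        { WRITE_OWNER,            "WRITE_OWNER" },            //(0x00080000L)
        { SYNCHRONIZE,            "SYNCHRONIZE" },            //(0x00100000L)
        { ACCESS_SYSTEM_SECURITY, "ACCESS_SYSTEM_SECURITY" }, //(0x01000000L)
        { MAXIMUM_ALLOWED,        "MAXIMUM_ALLOWED" },        //(0x02000000L)
        { GENERIC_READ,           "GENERIC_READ" },           //(0x80000000L)
        { GENERIC_WRITE,          "GENERIC_WRITE" },          //(0x40000000L)
        { GENERIC_EXECUTE,        "GENERIC_EXECUTE" },        //(0x20000000L)
        { GENERIC_ALL,            "GENERIC_ALL" },            //(0x10000000L)
    } };

    string generic_mask_str = s_AceMaskAnalyzer.GetText(ace_mask & 0xFFFF0000, pureText);

    auto specific_mask = ace_mask & 0xffff;

    generic_mask_str += " ";
    generic_mask_str += type_name;
    generic_mask_str += ": ";

    // "File" covers everything the I/O manager exposes as a file object:
    // regular files, NTFS directories, named pipes and device handles.
    if (type_name == "File")
        generic_mask_str += getFileSpecificAccess(specific_mask, pureText);
    else if (type_name == "Token")
        generic_mask_str += getTokenSpecificAccess(specific_mask, pureText);
    else if (type_name == "Process")
        generic_mask_str += getProcessSpecificAccess(specific_mask, pureText);
    else if (type_name == "Thread")
        generic_mask_str += getThreadSpecificAccess(specific_mask, pureText);
    else if (type_name == "Directory")
        // Kernel type "Directory" is an object-manager directory
        // (\BaseNamedObjects, \Sessions\1\..., \ObjectTypes), not an NTFS
        // directory. Its rights are DIRECTORY_QUERY/TRAVERSE/CREATE_*; decoding
        // them as FILE_* rights mislabels exactly the namespace permissions
        // that matter for symlink and object-squatting analysis. If a caller
        // ever means a file-system directory, use getDirectorySpecificAccess.
        generic_mask_str += getObjectDirectorySpecificAccess(specific_mask, pureText);
    else if (type_name == "Section")
        generic_mask_str += getSectionSpecificAccess(specific_mask, pureText);
    else if (type_name == "Mutant")
        generic_mask_str += getMutantSpecificAccess(specific_mask, pureText);
    else if (type_name == "Semaphore")
        generic_mask_str += getSemaphoreSpecificAccess(specific_mask, pureText);
    else if (type_name == "Event")
        generic_mask_str += getEventSpecificAccess(specific_mask, pureText);
    else if (type_name == "TmTx")
        generic_mask_str += getTxSpecificAccess(specific_mask, pureText);
    else if (type_name == "TmTm")
        generic_mask_str += getTxMSpecificAccess(specific_mask, pureText);
    else if (type_name == "TmRm")
        generic_mask_str += getRMSpecificAccess(specific_mask, pureText);
    else if (type_name == "Timer")
        generic_mask_str += getTimerSpecificAccess(specific_mask, pureText);
    else if (type_name == "Job")
        generic_mask_str += getJobSpecificAccess(specific_mask, pureText);
    else if (type_name == "Key")
        generic_mask_str += getKeySpecificAccess(specific_mask, pureText);
    else if (type_name == "TmEn")
        generic_mask_str += getEnlistSpecificAccess(specific_mask, pureText);
    else if (type_name == "IoCompletion")
        generic_mask_str += getIoCSpecificAccess(specific_mask, pureText);
    else
        // No decoder for this type (ALPC Port, Desktop, WindowStation,
        // SymbolicLink, ...). Previously these fell through to the File
        // decoder and printed FILE_* names for unrelated bits; show the raw
        // value instead so the reader knows it is undecoded.
        generic_mask_str += specificMaskHex(specific_mask);

    return generic_mask_str;
}

static
string
getTokenSpecificAccess(
    __in size_t access,
    __in bool pureText = false)
{
    // Token-specific rights. TOKEN_DUPLICATE, TOKEN_IMPERSONATE and
    // TOKEN_ASSIGN_PRIMARY are the ones that let a holder act as the token's
    // principal; TOKEN_ADJUST_PRIVILEGES lets it enable privileges.
    static CBitFieldAnalyzer s_SpecificAccessAnalyzer{ {
        { TOKEN_ASSIGN_PRIMARY,    "TOKEN_ASSIGN_PRIMARY" },    // #define TOKEN_ASSIGN_PRIMARY    (0x0001)
        { TOKEN_DUPLICATE,         "TOKEN_DUPLICATE" },         // #define TOKEN_DUPLICATE         (0x0002)
        { TOKEN_IMPERSONATE,       "TOKEN_IMPERSONATE" },       // #define TOKEN_IMPERSONATE       (0x0004)
        { TOKEN_QUERY,             "TOKEN_QUERY" },             // #define TOKEN_QUERY             (0x0008)
        { TOKEN_QUERY_SOURCE,      "TOKEN_QUERY_SOURCE" },      // #define TOKEN_QUERY_SOURCE      (0x0010)
        { TOKEN_ADJUST_PRIVILEGES, "TOKEN_ADJUST_PRIVILEGES" }, // #define TOKEN_ADJUST_PRIVILEGES (0x0020)
        { TOKEN_ADJUST_GROUPS,     "TOKEN_ADJUST_GROUPS" },     // #define TOKEN_ADJUST_GROUPS     (0x0040)
        { TOKEN_ADJUST_DEFAULT,    "TOKEN_ADJUST_DEFAULT" },    // #define TOKEN_ADJUST_DEFAULT    (0x0080)
        { TOKEN_ADJUST_SESSIONID,  "TOKEN_ADJUST_SESSIONID" },  // #define TOKEN_ADJUST_SESSIONID  (0x0100)
    } };

    return s_SpecificAccessAnalyzer.GetText(access, pureText);
}

static
string
getProcessSpecificAccess(
    __in size_t access,
    __in bool pureText = false)
{
    // Process-specific rights. PROCESS_VM_WRITE | PROCESS_CREATE_THREAD (or
    // PROCESS_DUP_HANDLE) on another process is effectively full control.
    static CBitFieldAnalyzer s_SpecificAccessAnalyzer{ {
        { PROCESS_TERMINATE,                 "PROCESS_TERMINATE" },                 // #define PROCESS_TERMINATE                 (0x0001)
        { PROCESS_CREATE_THREAD,             "PROCESS_CREATE_THREAD" },             // #define PROCESS_CREATE_THREAD             (0x0002)
        { PROCESS_SET_SESSIONID,             "PROCESS_SET_SESSIONID" },             // #define PROCESS_SET_SESSIONID             (0x0004)
        { PROCESS_VM_OPERATION,              "PROCESS_VM_OPERATION" },              // #define PROCESS_VM_OPERATION              (0x0008)
        { PROCESS_VM_READ,                   "PROCESS_VM_READ" },                   // #define PROCESS_VM_READ                   (0x0010)
        { PROCESS_VM_WRITE,                  "PROCESS_VM_WRITE" },                  // #define PROCESS_VM_WRITE                  (0x0020)
        { PROCESS_DUP_HANDLE,                "PROCESS_DUP_HANDLE" },                // #define PROCESS_DUP_HANDLE                (0x0040)
        { PROCESS_CREATE_PROCESS,            "PROCESS_CREATE_PROCESS" },            // #define PROCESS_CREATE_PROCESS            (0x0080)
        { PROCESS_SET_QUOTA,                 "PROCESS_SET_QUOTA" },                 // #define PROCESS_SET_QUOTA                 (0x0100)
        { PROCESS_SET_INFORMATION,           "PROCESS_SET_INFORMATION" },           // #define PROCESS_SET_INFORMATION           (0x0200)
        { PROCESS_QUERY_INFORMATION,         "PROCESS_QUERY_INFORMATION" },         // #define PROCESS_QUERY_INFORMATION         (0x0400)
        { PROCESS_SUSPEND_RESUME,            "PROCESS_SUSPEND_RESUME" },            // #define PROCESS_SUSPEND_RESUME            (0x0800)
        { PROCESS_QUERY_LIMITED_INFORMATION, "PROCESS_QUERY_LIMITED_INFORMATION" }, // #define PROCESS_QUERY_LIMITED_INFORMATION (0x1000)
        { PROCESS_SET_LIMITED_INFORMATION,   "PROCESS_SET_LIMITED_INFORMATION" },   // #define PROCESS_SET_LIMITED_INFORMATION   (0x2000)
    } };

    return s_SpecificAccessAnalyzer.GetText(access, pureText);
}

static
string
getThreadSpecificAccess(
    __in size_t access,
    __in bool pureText = false)
{
    // Thread-specific rights. THREAD_SET_CONTEXT / THREAD_SET_THREAD_TOKEN /
    // THREAD_DIRECT_IMPERSONATION are the hijack-relevant ones.
    static CBitFieldAnalyzer s_SpecificAccessAnalyzer{ {
        { THREAD_TERMINATE,                 "THREAD_TERMINATE" },                 // #define THREAD_TERMINATE                 (0x0001)
        { THREAD_SUSPEND_RESUME,            "THREAD_SUSPEND_RESUME" },            // #define THREAD_SUSPEND_RESUME            (0x0002)
        // Bit 0x0004 is THREAD_ALERT; the macro lives in the kernel headers
        // rather than winnt.h, so it is spelled numerically here.
        { 0x0004,                           "THREAD_ALERT" },                     // THREAD_ALERT                             (0x0004)
        { THREAD_GET_CONTEXT,               "THREAD_GET_CONTEXT" },               // #define THREAD_GET_CONTEXT               (0x0008)
        { THREAD_SET_CONTEXT,               "THREAD_SET_CONTEXT" },               // #define THREAD_SET_CONTEXT               (0x0010)
        { THREAD_QUERY_INFORMATION,         "THREAD_QUERY_INFORMATION" },         // #define THREAD_QUERY_INFORMATION         (0x0040)
        { THREAD_SET_INFORMATION,           "THREAD_SET_INFORMATION" },           // #define THREAD_SET_INFORMATION           (0x0020)
        { THREAD_SET_THREAD_TOKEN,          "THREAD_SET_THREAD_TOKEN" },          // #define THREAD_SET_THREAD_TOKEN          (0x0080)
        { THREAD_IMPERSONATE,               "THREAD_IMPERSONATE" },               // #define THREAD_IMPERSONATE               (0x0100)
        { THREAD_DIRECT_IMPERSONATION,      "THREAD_DIRECT_IMPERSONATION" },      // #define THREAD_DIRECT_IMPERSONATION      (0x0200)
        { THREAD_SET_LIMITED_INFORMATION,   "THREAD_SET_LIMITED_INFORMATION" },   // #define THREAD_SET_LIMITED_INFORMATION   (0x0400)
        { THREAD_QUERY_LIMITED_INFORMATION, "THREAD_QUERY_LIMITED_INFORMATION" }, // #define THREAD_QUERY_LIMITED_INFORMATION (0x0800)
        { THREAD_RESUME,                    "THREAD_RESUME" },                    // #define THREAD_RESUME                    (0x1000)
    } };

    return s_SpecificAccessAnalyzer.GetText(access, pureText);
}

static
string
getJobSpecificAccess(
    __in size_t access,
    __in bool pureText = false)
{
    // Job-object-specific rights.
    static CBitFieldAnalyzer s_SpecificAccessAnalyzer{ {
        { JOB_OBJECT_ASSIGN_PROCESS,          "JOB_OBJECT_ASSIGN_PROCESS" },          // #define JOB_OBJECT_ASSIGN_PROCESS          (0x0001)
        { JOB_OBJECT_SET_ATTRIBUTES,          "JOB_OBJECT_SET_ATTRIBUTES" },          // #define JOB_OBJECT_SET_ATTRIBUTES          (0x0002)
        { JOB_OBJECT_QUERY,                   "JOB_OBJECT_QUERY" },                   // #define JOB_OBJECT_QUERY                   (0x0004)
        { JOB_OBJECT_TERMINATE,               "JOB_OBJECT_TERMINATE" },               // #define JOB_OBJECT_TERMINATE               (0x0008)
        { JOB_OBJECT_SET_SECURITY_ATTRIBUTES, "JOB_OBJECT_SET_SECURITY_ATTRIBUTES" }, // #define JOB_OBJECT_SET_SECURITY_ATTRIBUTES (0x0010)
        // JOB_OBJECT_IMPERSONATE (0x0020) only exists in newer SDK headers.
        { 0x0020,                             "JOB_OBJECT_IMPERSONATE" },             // JOB_OBJECT_IMPERSONATE                     (0x0020)
    } };

    return s_SpecificAccessAnalyzer.GetText(access, pureText);
}

static
string
getEventSpecificAccess(
    __in size_t access,
    __in bool pureText = false)
{
    // Event-specific rights. EVENT_QUERY_STATE is a kernel-header (ntddk)
    // definition, hence the numeric literal.
    static CBitFieldAnalyzer s_SpecificAccessAnalyzer{ {
        { 0x0001,             "EVENT_QUERY_STATE" },  // EVENT_QUERY_STATE          0x0001
        { EVENT_MODIFY_STATE, "EVENT_MODIFY_STATE" }, // #define EVENT_MODIFY_STATE 0x0002
    } };

    return s_SpecificAccessAnalyzer.GetText(access, pureText);
}

static
string
getMutantSpecificAccess(
    __in size_t access,
    __in bool pureText = false)
{
    // Mutant-specific rights (only one is defined).
    static CBitFieldAnalyzer s_SpecificAccessAnalyzer{ {
        { MUTANT_QUERY_STATE, "MUTANT_QUERY_STATE" }, // #define MUTANT_QUERY_STATE 0x0001
    } };

    return s_SpecificAccessAnalyzer.GetText(access, pureText);
}

static
string
getSemaphoreSpecificAccess(
    __in size_t access,
    __in bool pureText = false)
{
    // Semaphore-specific rights. SEMAPHORE_QUERY_STATE is a kernel-header
    // definition, hence the numeric literal.
    static CBitFieldAnalyzer s_SpecificAccessAnalyzer{ {
        { 0x0001,                 "SEMAPHORE_QUERY_STATE" },  // SEMAPHORE_QUERY_STATE          0x0001
        { SEMAPHORE_MODIFY_STATE, "SEMAPHORE_MODIFY_STATE" }, // #define SEMAPHORE_MODIFY_STATE 0x0002
    } };

    return s_SpecificAccessAnalyzer.GetText(access, pureText);
}

static
string
getTimerSpecificAccess(
    __in size_t access,
    __in bool pureText = false)
{
    // Timer-specific rights.
    static CBitFieldAnalyzer s_SpecificAccessAnalyzer{ {
        { TIMER_QUERY_STATE,  "TIMER_QUERY_STATE" },  // #define TIMER_QUERY_STATE  0x0001
        { TIMER_MODIFY_STATE, "TIMER_MODIFY_STATE" }, // #define TIMER_MODIFY_STATE 0x0002
    } };

    return s_SpecificAccessAnalyzer.GetText(access, pureText);
}

static
string
getSectionSpecificAccess(
    __in size_t access,
    __in bool pureText = false)
{
    // Section-specific rights. SECTION_MAP_WRITE on a shared section is the
    // one to look for when auditing cross-process data injection.
    static CBitFieldAnalyzer s_SpecificAccessAnalyzer{ {
        { SECTION_QUERY,                "SECTION_QUERY" },                // #define SECTION_QUERY                0x0001
        { SECTION_MAP_WRITE,            "SECTION_MAP_WRITE" },            // #define SECTION_MAP_WRITE            0x0002
        { SECTION_MAP_READ,             "SECTION_MAP_READ" },             // #define SECTION_MAP_READ             0x0004
        { SECTION_MAP_EXECUTE,          "SECTION_MAP_EXECUTE" },          // #define SECTION_MAP_EXECUTE          0x0008
        { SECTION_EXTEND_SIZE,          "SECTION_EXTEND_SIZE" },          // #define SECTION_EXTEND_SIZE          0x0010
        { SECTION_MAP_EXECUTE_EXPLICIT, "SECTION_MAP_EXECUTE_EXPLICIT" }, // #define SECTION_MAP_EXECUTE_EXPLICIT 0x0020
    } };

    return s_SpecificAccessAnalyzer.GetText(access, pureText);
}

static
string
getFileSpecificAccess(
    __in size_t access,
    __in bool pureText = false)
{
    // File-object rights as winnt.h names them for regular files. The same
    // bits mean FILE_LIST_DIRECTORY / FILE_ADD_FILE / ... on an NTFS
    // directory and FILE_CREATE_PIPE_INSTANCE (0x0004) on a named pipe; the
    // handle type alone ("File") cannot tell these apart. FILE_DELETE_CHILD is
    // included because it is a file-object bit that was previously left
    // undecoded.
    static CBitFieldAnalyzer s_SpecificAccessAnalyzer{ {
        // // File
        { FILE_READ_DATA,        "FILE_READ_DATA" },        // #define FILE_READ_DATA        ( 0x0001 ) // file & pipe
        { FILE_WRITE_DATA,       "FILE_WRITE_DATA" },       // #define FILE_WRITE_DATA       ( 0x0002 ) // file & pipe
        { FILE_APPEND_DATA,      "FILE_APPEND_DATA" },      // #define FILE_APPEND_DATA      ( 0x0004 ) // file
        { FILE_READ_EA,          "FILE_READ_EA" },          // #define FILE_READ_EA          ( 0x0008 ) // file & directory
        { FILE_WRITE_EA,         "FILE_WRITE_EA" },         // #define FILE_WRITE_EA         ( 0x0010 ) // file & directory
        { FILE_EXECUTE,          "FILE_EXECUTE" },          // #define FILE_EXECUTE          ( 0x0020 ) // file
        { FILE_DELETE_CHILD,     "FILE_DELETE_CHILD" },     // #define FILE_DELETE_CHILD     ( 0x0040 ) // directory
        { FILE_READ_ATTRIBUTES,  "FILE_READ_ATTRIBUTES" },  // #define FILE_READ_ATTRIBUTES  ( 0x0080 ) // all
        { FILE_WRITE_ATTRIBUTES, "FILE_WRITE_ATTRIBUTES" }, // #define FILE_WRITE_ATTRIBUTES ( 0x0100 ) // all
    } };

    return s_SpecificAccessAnalyzer.GetText(access, pureText);
}

static
string
getDirectorySpecificAccess(
    __in size_t access,
    __in bool pureText = false)
{
    // File-system (NTFS) directory rights. These share bit positions with
    // the file rights above. Not to be confused with object-manager
    // directories, which use DIRECTORY_* rights (see
    // getObjectDirectorySpecificAccess).
    static CBitFieldAnalyzer s_SpecificAccessAnalyzer{ {
        // // Directory
        { FILE_LIST_DIRECTORY,   "FILE_LIST_DIRECTORY" },   // #define FILE_LIST_DIRECTORY   ( 0x0001 ) // directory
        { FILE_ADD_FILE,         "FILE_ADD_FILE" },         // #define FILE_ADD_FILE         ( 0x0002 ) // directory
        { FILE_ADD_SUBDIRECTORY, "FILE_ADD_SUBDIRECTORY" }, // #define FILE_ADD_SUBDIRECTORY ( 0x0004 ) // directory
        { FILE_READ_EA,          "FILE_READ_EA" },          // #define FILE_READ_EA          ( 0x0008 ) // file & directory
        { FILE_WRITE_EA,         "FILE_WRITE_EA" },         // #define FILE_WRITE_EA         ( 0x0010 ) // file & directory
        { FILE_TRAVERSE,         "FILE_TRAVERSE" },         // #define FILE_TRAVERSE         ( 0x0020 ) // directory
        { FILE_DELETE_CHILD,     "FILE_DELETE_CHILD" },     // #define FILE_DELETE_CHILD     ( 0x0040 ) // directory
        { FILE_READ_ATTRIBUTES,  "FILE_READ_ATTRIBUTES" },  // #define FILE_READ_ATTRIBUTES  ( 0x0080 ) // all
        { FILE_WRITE_ATTRIBUTES, "FILE_WRITE_ATTRIBUTES" }, // #define FILE_WRITE_ATTRIBUTES ( 0x0100 ) // all
    } };

    return s_SpecificAccessAnalyzer.GetText(access, pureText);
}

static
string
getObjectDirectorySpecificAccess(
    __in size_t access,
    __in bool pureText = false)
{
    // Object-manager directory rights (kernel type "Directory"). The macros
    // are defined in the kernel headers (ntifs.h / wdm.h), not winnt.h, so the
    // values are spelled numerically. DIRECTORY_CREATE_OBJECT and
    // DIRECTORY_CREATE_SUBDIRECTORY on a directory such as \BaseNamedObjects
    // are what an attacker needs for object/symlink squatting.
    static CBitFieldAnalyzer s_SpecificAccessAnalyzer{ {
        { 0x0001, "DIRECTORY_QUERY" },               // DIRECTORY_QUERY               (0x0001)
        { 0x0002, "DIRECTORY_TRAVERSE" },            // DIRECTORY_TRAVERSE            (0x0002)
        { 0x0004, "DIRECTORY_CREATE_OBJECT" },       // DIRECTORY_CREATE_OBJECT       (0x0004)
        { 0x0008, "DIRECTORY_CREATE_SUBDIRECTORY" }, // DIRECTORY_CREATE_SUBDIRECTORY (0x0008)
    } };

    return s_SpecificAccessAnalyzer.GetText(access, pureText);
}

static
string
getPipeSpecificAccess(
    __in size_t access,
    __in bool pureText = false)
{
    // Named-pipe rights. Pipes are "File" objects in the handle table, so
    // getAceMaskStr never reaches this decoder by type name; callers that
    // know they are looking at a pipe can call it directly.
    static CBitFieldAnalyzer s_SpecificAccessAnalyzer{ {
        // // Pipe
        { FILE_READ_DATA,            "FILE_READ_DATA" },            // #define FILE_READ_DATA            ( 0x0001 ) // file & pipe
        { FILE_WRITE_DATA,           "FILE_WRITE_DATA" },           // #define FILE_WRITE_DATA           ( 0x0002 ) // file & pipe
        { FILE_CREATE_PIPE_INSTANCE, "FILE_CREATE_PIPE_INSTANCE" }, // #define FILE_CREATE_PIPE_INSTANCE ( 0x0004 ) // named pipe
        { FILE_READ_ATTRIBUTES,      "FILE_READ_ATTRIBUTES" },      // #define FILE_READ_ATTRIBUTES      ( 0x0080 ) // all
        { FILE_WRITE_ATTRIBUTES,     "FILE_WRITE_ATTRIBUTES" },     // #define FILE_WRITE_ATTRIBUTES     ( 0x0100 ) // all
    } };

    return s_SpecificAccessAnalyzer.GetText(access, pureText);
}

static
string
getIoCSpecificAccess(
    __in size_t access,
    __in bool pureText = false)
{
    // I/O completion port rights. IO_COMPLETION_QUERY_STATE is a
    // kernel-header definition, hence the numeric literal.
    static CBitFieldAnalyzer s_SpecificAccessAnalyzer{ {
        { 0x0001,                     "IO_COMPLETION_QUERY_STATE" },  // IO_COMPLETION_QUERY_STATE          0x0001
        { IO_COMPLETION_MODIFY_STATE, "IO_COMPLETION_MODIFY_STATE" }, // #define IO_COMPLETION_MODIFY_STATE 0x0002
    } };

    return s_SpecificAccessAnalyzer.GetText(access, pureText);
}

static
string
getKeySpecificAccess(
    __in size_t access,
    __in bool pureText = false)
{
    // Registry key rights. KEY_WOW64_* are view-selection flags rather than
    // permissions but occupy the same specific-rights bits.
    static CBitFieldAnalyzer s_SpecificAccessAnalyzer{ {
        { KEY_QUERY_VALUE,        "KEY_QUERY_VALUE" },        // #define KEY_QUERY_VALUE        (0x0001)
        { KEY_SET_VALUE,          "KEY_SET_VALUE" },          // #define KEY_SET_VALUE          (0x0002)
        { KEY_CREATE_SUB_KEY,     "KEY_CREATE_SUB_KEY" },     // #define KEY_CREATE_SUB_KEY     (0x0004)
        { KEY_ENUMERATE_SUB_KEYS, "KEY_ENUMERATE_SUB_KEYS" }, // #define KEY_ENUMERATE_SUB_KEYS (0x0008)
        { KEY_NOTIFY,             "KEY_NOTIFY" },             // #define KEY_NOTIFY             (0x0010)
        { KEY_CREATE_LINK,        "KEY_CREATE_LINK" },        // #define KEY_CREATE_LINK        (0x0020)
        { KEY_WOW64_32KEY,        "KEY_WOW64_32KEY" },        // #define KEY_WOW64_32KEY        (0x0200)
        { KEY_WOW64_64KEY,        "KEY_WOW64_64KEY" },        // #define KEY_WOW64_64KEY        (0x0100)
    } };

    return s_SpecificAccessAnalyzer.GetText(access, pureText);
}

static
string
getTxMSpecificAccess(
    __in size_t access,
    __in bool pureText = false)
{
    // KTM transaction-manager rights (kernel type "TmTm").
    static CBitFieldAnalyzer s_SpecificAccessAnalyzer{ {
        { TRANSACTIONMANAGER_QUERY_INFORMATION, "TRANSACTIONMANAGER_QUERY_INFORMATION" }, // #define TRANSACTIONMANAGER_QUERY_INFORMATION ( 0x0001 )
        { TRANSACTIONMANAGER_SET_INFORMATION,   "TRANSACTIONMANAGER_SET_INFORMATION" },   // #define TRANSACTIONMANAGER_SET_INFORMATION   ( 0x0002 )
        { TRANSACTIONMANAGER_RECOVER,           "TRANSACTIONMANAGER_RECOVER" },           // #define TRANSACTIONMANAGER_RECOVER           ( 0x0004 )
        { TRANSACTIONMANAGER_RENAME,            "TRANSACTIONMANAGER_RENAME" },            // #define TRANSACTIONMANAGER_RENAME            ( 0x0008 )
        { TRANSACTIONMANAGER_CREATE_RM,         "TRANSACTIONMANAGER_CREATE_RM" },         // #define TRANSACTIONMANAGER_CREATE_RM         ( 0x0010 )
        { TRANSACTIONMANAGER_BIND_TRANSACTION,  "TRANSACTIONMANAGER_BIND_TRANSACTION" },  // #define TRANSACTIONMANAGER_BIND_TRANSACTION  ( 0x0020 )
    } };

    return s_SpecificAccessAnalyzer.GetText(access, pureText);
}

static
string
getTxSpecificAccess(
    __in size_t access,
    __in bool pureText = false)
{
    // KTM transaction rights (kernel type "TmTx").
    static CBitFieldAnalyzer s_SpecificAccessAnalyzer{ {
        { TRANSACTION_QUERY_INFORMATION, "TRANSACTION_QUERY_INFORMATION" }, // #define TRANSACTION_QUERY_INFORMATION ( 0x0001 )
        { TRANSACTION_SET_INFORMATION,   "TRANSACTION_SET_INFORMATION" },   // #define TRANSACTION_SET_INFORMATION   ( 0x0002 )
        { TRANSACTION_ENLIST,            "TRANSACTION_ENLIST" },            // #define TRANSACTION_ENLIST            ( 0x0004 )
        { TRANSACTION_COMMIT,            "TRANSACTION_COMMIT" },            // #define TRANSACTION_COMMIT            ( 0x0008 )
        { TRANSACTION_ROLLBACK,          "TRANSACTION_ROLLBACK" },          // #define TRANSACTION_ROLLBACK          ( 0x0010 )
        { TRANSACTION_PROPAGATE,         "TRANSACTION_PROPAGATE" },         // #define TRANSACTION_PROPAGATE         ( 0x0020 )
        { TRANSACTION_RIGHT_RESERVED1,   "TRANSACTION_RIGHT_RESERVED1" },   // #define TRANSACTION_RIGHT_RESERVED1   ( 0x0040 )
    } };

    return s_SpecificAccessAnalyzer.GetText(access, pureText);
}

static
string
getRMSpecificAccess(
    __in size_t access,
    __in bool pureText = false)
{
    // KTM resource-manager rights (kernel type "TmRm").
    static CBitFieldAnalyzer s_SpecificAccessAnalyzer{ {
        { RESOURCEMANAGER_QUERY_INFORMATION,   "RESOURCEMANAGER_QUERY_INFORMATION" },   // #define RESOURCEMANAGER_QUERY_INFORMATION   ( 0x0001 )
        { RESOURCEMANAGER_SET_INFORMATION,     "RESOURCEMANAGER_SET_INFORMATION" },     // #define RESOURCEMANAGER_SET_INFORMATION     ( 0x0002 )
        { RESOURCEMANAGER_RECOVER,             "RESOURCEMANAGER_RECOVER" },             // #define RESOURCEMANAGER_RECOVER             ( 0x0004 )
        { RESOURCEMANAGER_ENLIST,              "RESOURCEMANAGER_ENLIST" },              // #define RESOURCEMANAGER_ENLIST              ( 0x0008 )
        { RESOURCEMANAGER_GET_NOTIFICATION,    "RESOURCEMANAGER_GET_NOTIFICATION" },    // #define RESOURCEMANAGER_GET_NOTIFICATION    ( 0x0010 )
        { RESOURCEMANAGER_REGISTER_PROTOCOL,   "RESOURCEMANAGER_REGISTER_PROTOCOL" },   // #define RESOURCEMANAGER_REGISTER_PROTOCOL   ( 0x0020 )
        { RESOURCEMANAGER_COMPLETE_PROPAGATION, "RESOURCEMANAGER_COMPLETE_PROPAGATION" }, // #define RESOURCEMANAGER_COMPLETE_PROPAGATION ( 0x0040 )
    } };

    return s_SpecificAccessAnalyzer.GetText(access, pureText);
}

static
string
getEnlistSpecificAccess(
    __in size_t access,
    __in bool pureText = false)
{
    // KTM enlistment rights (kernel type "TmEn").
    static CBitFieldAnalyzer s_SpecificAccessAnalyzer{ {
        { ENLISTMENT_QUERY_INFORMATION, "ENLISTMENT_QUERY_INFORMATION" }, // #define ENLISTMENT_QUERY_INFORMATION ( 0x0001 )
        { ENLISTMENT_SET_INFORMATION,   "ENLISTMENT_SET_INFORMATION" },   // #define ENLISTMENT_SET_INFORMATION   ( 0x0002 )
        { ENLISTMENT_RECOVER,           "ENLISTMENT_RECOVER" },           // #define ENLISTMENT_RECOVER           ( 0x0004 )
        { ENLISTMENT_SUBORDINATE_RIGHTS, "ENLISTMENT_SUBORDINATE_RIGHTS" }, // #define ENLISTMENT_SUBORDINATE_RIGHTS ( 0x0008 )
        { ENLISTMENT_SUPERIOR_RIGHTS,   "ENLISTMENT_SUPERIOR_RIGHTS" },   // #define ENLISTMENT_SUPERIOR_RIGHTS   ( 0x0010 )
    } };

    return s_SpecificAccessAnalyzer.GetText(access, pureText);
}


static
string
getTrustLabel(
    __in const string& sidText
)
{
    // Map a process-trust-label SID (S-1-19-*) to its PP/PPL description;
    // "" when the SID is not a known trust label.
    auto it = s_trust_label_texts.find(sidText.c_str());

    if (it != s_trust_label_texts.end())
        return it->second;

    return "";
}

static
string
getWellKnownAccount(
    __in const string& sidText
)
{
    // Best-effort friendly name for a SID string. Fixed SIDs are looked up in
    // the static tables; logon-session and domain-relative SIDs are matched
    // structurally. Returns "" when nothing matches. This is a display aid
    // only: a domain RID match says nothing about which domain issued the SID.
    auto it = s_wellknown_sids.find(sidText.c_str());

    if (it != s_wellknown_sids.end())
        return it->second;

    auto it1 = s_integrity_level_texts.find(sidText.c_str());

    if (it1 != s_integrity_level_texts.end())
        return it1->second;

    auto it2 = s_trust_label_texts.find(sidText.c_str());

    if (it2 != s_trust_label_texts.end())
        return it2->second;

    // Logon-session SIDs (S-1-5-5-X-Y) are unique per logon; only the
    // prefix is recognisable.
    if (sidText.find("S-1-5-5-") == 0 && sidText.rfind("-") > 7)
        return "Logon Session";

    // Domain-relative accounts: S-1-5-21-<domain sub-authorities>-<RID>.
    // Only the well-known RID is fixed, so match the "S-1-5-21-" prefix
    // (with the trailing dash, so "S-1-5-210..." cannot match) plus the
    // trailing RID. The old code listed "-512" twice; the table replaces the
    // if-chain and adds the other security-relevant built-in RIDs.
    static const struct { const char* suffix; const char* name; } s_domain_rids[] = {
        { "-500", "Administrator" },
        { "-501", "Guest" },
        { "-502", "KRBTGT" },
        { "-512", "Domain Admins" },
        { "-513", "Domain Users" },
        { "-514", "Domain Guests" },
        { "-515", "Domain Computers" },
        { "-516", "Domain Controllers" },
        { "-518", "Schema Admins" },
        { "-519", "Enterprise Admins" },
        { "-520", "Group Policy Creator Owners" },
    };

    const string domainPrefix("S-1-5-21-");
    if (sidText.compare(0, domainPrefix.size(), domainPrefix) == 0)
    {
        for (const auto& rid : s_domain_rids)
        {
            const string suffix(rid.suffix);
            if (sidText.size() >= domainPrefix.size() + suffix.size() &&
                sidText.compare(sidText.size() - suffix.size(), suffix.size(), suffix) == 0)
                return rid.name;
        }
    }

    return "";
}

static
string
getGroupsAttrText(
    __in uint32_t attr,
    __in bool pureText = false
)
{
    // SID_AND_ATTRIBUTES.Attributes for token groups (SE_GROUP_* flags).
    // "deny-only" (SE_GROUP_USE_FOR_DENY_ONLY) marks a group that can only
    // match deny ACEs - the signature of a filtered/restricted token.
    static CBitFieldAnalyzer s_GroupsAttrAnalyzer{ {
        { 0x00000004, "enabled" },           // SE_GROUP_ENABLED
        { 0x00000002, "default" },           // SE_GROUP_ENABLED_BY_DEFAULT
        { 0x00000020, "integrity" },         // SE_GROUP_INTEGRITY
        { 0x00000040, "integrity-enabled" }, // SE_GROUP_INTEGRITY_ENABLED
        { 0xC0000000, "logon-id" },          // SE_GROUP_LOGON_ID
        { 0x00000001, "mandatory" },         // SE_GROUP_MANDATORY
        { 0x00000008, "owner" },             // SE_GROUP_OWNER
        { 0x00000010, "deny-only" },         // SE_GROUP_USE_FOR_DENY_ONLY
        { 0x20000000, "resource" }           // SE_GROUP_RESOURCE
    } };

    return s_GroupsAttrAnalyzer.GetText(attr, pureText);
}

static
string
getPteFlagText(
    __in size_t pte,
    __in bool pureText = false
)
{
    // Decode the low x64 hardware PTE bits plus the NX bit (bit 63). The
    // "s-" entries are software bits in the Windows PTE layout. Bit 7 is only
    // "large-page" on a PDE/PDPTE; on a leaf PTE it is PAT - callers passing
    // leaf entries should read it accordingly.
    static CBitFieldAnalyzer s_PageFlagsText{ {
        { 0x00000001, "valid" },
        { 0x00000002, "write" },
        { 0x00000004, "owner" },
        { 0x00000008, "write-through" },
        { 0x00000010, "cache-disabled" },
        { 0x00000020, "accessed" },
        { 0x00000040, "dirty" },
        { 0x00000080, "large-page" },
        { 0x00000100, "global" },
        { 0x00000200, "s-copy-on-write" },
        { 0x00000400, "s-prototype" },
        { 0x00000800, "s-write" },
    } };

    string flag_str = s_PageFlagsText.GetText(pte, pureText);

    // NOTE: in a 32-bit build size_t is 32 bits, so this test is always
    // false and NX is never reported; the decoder is only meaningful for
    // 64-bit page-table entries.
    if (pte & 0x8000000000000000)
        flag_str += "|NX";

    return flag_str;
}

// Typed virtual read; throws via ThrowRemote when ReadVirtual fails.
template<typename T>
T read(size_t addr);

// Typed physical read; throws via ThrowRemote when ReadPhysical fails.
template<typename T>
T readX(size_t addr);

// Typed virtual write; throws via ThrowRemote when WriteVirtual fails.
template<typename T>
void write(size_t addr, T data);

bool check();

// Addresses and cookie used to recover object types from _OBJECT_HEADER
// (TypeIndex is XOR-obfuscated with the header cookie on recent kernels).
size_t m_header_cookie_addr;
size_t m_type_index_table_addr;
size_t m_ob_header_cookie;

size_t m_debug_cbk_ref{ 1 };

regex m_pool_entry_re;

//regex m_args_regex;
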
1455 | map m_type_name_map; 1456 | static const map s_wellknown_sids; 1457 | static const map < const char*, const char*, cmp_str > s_integrity_level_texts; 1458 | static const map < const char*, const char*, cmp_str > s_trust_label_texts; 1459 | 1460 | ULONG m_ref_count; 1461 | string m_pattern; 1462 | PDEBUG_CLIENT m_new_client{nullptr}; 1463 | PDEBUG_CLIENT m_output_side_client{ nullptr }; 1464 | size_t m_bp_offset{ 0 }; 1465 | 1466 | bool m_trace_next{ false }; 1467 | bool m_trace_err{ false }; 1468 | 1469 | bool m_b_silent{ false }; 1470 | 1471 | map> m_trace_packs; 1472 | map m_trace_funcs; 1473 | 1474 | map m_icall_map; 1475 | 1476 | size_t m_curr_frame_num{ 0 }; 1477 | 1478 | string m_last_cmd_output; 1479 | 1480 | vector> m_mem_accesses; 1481 | 1482 | //vector>> m_breakpoints; 1483 | }; 1484 | 1485 | CTokenExt g_ExtInstance; 1486 | ExtExtension* g_ExtInstancePtr = &g_ExtInstance; 1487 | 1488 | template 1489 | inline bool CTokenExt::is_in_range(T value, T min, T max) 1490 | { 1491 | return value >= min && value < max; 1492 | } 1493 | 1494 | template 1495 | inline T CTokenExt::read(size_t addr) 1496 | { 1497 | T ret = 0; 1498 | if (S_OK != m_Data->ReadVirtual(addr, &ret, sizeof(T), NULL)) 1499 | ThrowRemote(E_ACCESSDENIED, "Fail to read memory"); 1500 | 1501 | return ret; 1502 | } 1503 | 1504 | template 1505 | inline T CTokenExt::readX(size_t addr) 1506 | { 1507 | T ret = 0; 1508 | if (S_OK != m_Data->ReadPhysical(addr, &ret, sizeof(T), NULL)) 1509 | ThrowRemote(E_ACCESSDENIED, "Fail to read memory"); 1510 | 1511 | return ret; 1512 | } 1513 | 1514 | template 1515 | inline void CTokenExt::write(size_t addr, T data) 1516 | { 1517 | if (S_OK != m_Data->WriteVirtual(addr, &data, sizeof(T), NULL)) 1518 | ThrowRemote(E_ACCESSDENIED, "Fail to write memory"); 1519 | } 1520 | 1521 | const map CTokenExt::s_integrity_level_texts{ { 1522 | { "S-1-16-0", "Untrusted(0)" }, 1523 | { "S-1-16-4096", "Low(1)" }, 1524 | { "S-1-16-8192", "Medium(2)" }, 1525 | { "S-1-16-12288", 
"High(3)" }, 1526 | { "S-1-16-16384", "System(4)" }, 1527 | { "S-1-16-20480", "Protected(5)" }, 1528 | } }; 1529 | 1530 | const map CTokenExt::s_trust_label_texts{ { 1531 | { "S-1-19-512-4096", "Trust Label Lite(PPL) PsProtectedSignerWindows(5)" }, 1532 | { "S-1-19-1024-4096", "Trust Label Protected(PP) PsProtectedSignerWindows(5)" }, 1533 | { "S-1-19-512-8192", "Trust Label Lite(PPL) PsProtectedSignerTcb(6)" }, 1534 | { "S-1-19-1024-8192", "Trust Label Protected(PP) PsProtectedSignerTcb(6)" } 1535 | } }; 1536 | 1537 | const map CTokenExt::s_wellknown_sids{ { 1538 | { "S-1-0", "Null"}, 1539 | { "S-1-1-0", "Everyone" }, 1540 | { "S-1-2-0", "Local" }, 1541 | { "S-1-2-1", "Console Logon" }, 1542 | { "S-1-3", "Creator Authority"}, 1543 | { "S-1-3-0", "Creator Owner"}, 1544 | { "S-1-3-1", "Creator Group"}, 1545 | { "S-1-3-4", "Owner Rights"}, 1546 | { "S-1-5-2", "Network"}, 1547 | { "S-1-5-4", "Interactive"}, 1548 | { "S-1-5-6", "Service"}, 1549 | { "S-1-5-7", "Anonymous"}, 1550 | { "S-1-5-9", "Enterprise Domain Controllers"}, 1551 | { "S-1-5-10", "Principal Self"}, 1552 | { "S-1-5-11", "Authenticated Users"}, 1553 | { "S-1-5-12", "Restricted Code"}, 1554 | { "S-1-5-13", "Terminal Server Users"}, 1555 | { "S-1-5-14", "Remote Interactive Logon"}, 1556 | { "S-1-5-15", "This Organization"}, 1557 | { "S-1-5-17", "IUSR"}, 1558 | { "S-1-5-18", "Local System" }, 1559 | { "S-1-5-19", "NT Authority/Local Service"}, 1560 | { "S-1-5-20", "NT Authority/Network Service"}, 1561 | { "S-1-5-32-544", "BUILTIN/Administrators" }, 1562 | { "S-1-5-32-545", "BUILTIN/Users" }, 1563 | { "S-1-5-32-546", "BUILTIN/Guests" }, 1564 | { "S-1-5-32-555", "BUILTIN/Remote Desktop Users" }, 1565 | { "S-1-5-32-559", "BUILTIN/Performance Log Users"}, 1566 | { "S-1-5-32-558", "BUILTIN/Performance Monitor Users"}, 1567 | { "S-1-5-32-578", "BUILTIN/Hyper-V Administrators" }, 1568 | { "S-1-5-80-0", "All Services"}, 1569 | { "S-1-5-113", "Local Account"}, 1570 | { "S-1-5-114", "Local Account&Member of Admins 
Group"}, 1571 | { "S-1-5-64-10", "NTLM Authentication"}, 1572 | } }; 1573 | -------------------------------------------------------------------------------- /inc/extsfns.h: -------------------------------------------------------------------------------- 1 | /*++ 2 | 3 | Copyright (c) 2006 Microsoft Corporation 4 | 5 | Module Name: 6 | 7 | extsfns.h 8 | 9 | Abstract: 10 | 11 | This header file must be included after "windows.h", "dbgeng.h", and 12 | "wdbgexts.h". 13 | 14 | This file contains headers for various known extension functions defined 15 | in different extension dlls. To use these functions, the appropriate 16 | extension dll must be loaded in the debugger. IDebugSymbols->GetExtension 17 | (declared in dbgeng.h) method could be used to retrieve these functions. 18 | 19 | Please see the Debugger documentation for specific information about how 20 | to write your own debugger extension DLL. 21 | 22 | Environment: 23 | 24 | Win32 only. 25 | 26 | Revision History: 27 | 28 | --*/ 29 | 30 | #ifndef _EXTFNS_H 31 | #define _EXTFNS_H 32 | 33 | #define _EXTSAPI_VER_ 10 34 | 35 | #ifndef _KDEXTSFN_H 36 | #define _KDEXTSFN_H 37 | 38 | /* 39 | * Extension functions defined in kdexts.dll 40 | */ 41 | 42 | // 43 | // device.c 44 | // 45 | typedef struct _DEBUG_DEVICE_OBJECT_INFO { 46 | ULONG SizeOfStruct; // must be == sizeof(DEBUG_DEVICE_OBJECT_INFO) 47 | ULONG64 DevObjAddress; 48 | ULONG ReferenceCount; 49 | BOOL QBusy; 50 | ULONG64 DriverObject; 51 | ULONG64 CurrentIrp; 52 | ULONG64 DevExtension; 53 | ULONG64 DevObjExtension; 54 | } DEBUG_DEVICE_OBJECT_INFO, *PDEBUG_DEVICE_OBJECT_INFO; 55 | 56 | 57 | // GetDevObjInfo 58 | typedef HRESULT 59 | (WINAPI *PGET_DEVICE_OBJECT_INFO)( 60 | IN PDEBUG_CLIENT Client, 61 | IN ULONG64 DeviceObject, 62 | OUT PDEBUG_DEVICE_OBJECT_INFO pDevObjInfo); 63 | 64 | 65 | // 66 | // driver.c 67 | // 68 | typedef struct _DEBUG_DRIVER_OBJECT_INFO { 69 | ULONG SizeOfStruct; // must be == sizeof(DEBUG_DRIVER_OBJECT_INFO) 70 | ULONG DriverSize; 
71 | ULONG64 DriverObjAddress; 72 | ULONG64 DriverStart; 73 | ULONG64 DriverExtension; 74 | ULONG64 DeviceObject; 75 | struct { 76 | USHORT Length; 77 | USHORT MaximumLength; 78 | ULONG64 Buffer; 79 | } DriverName; 80 | } DEBUG_DRIVER_OBJECT_INFO, *PDEBUG_DRIVER_OBJECT_INFO; 81 | 82 | // GetDrvObjInfo 83 | typedef HRESULT 84 | (WINAPI *PGET_DRIVER_OBJECT_INFO)( 85 | IN PDEBUG_CLIENT Client, 86 | IN ULONG64 DriverObject, 87 | OUT PDEBUG_DRIVER_OBJECT_INFO pDrvObjInfo); 88 | 89 | // 90 | // dump.cpp 91 | // 92 | typedef struct _DEBUG_CPU_SPEED_INFO { 93 | ULONG SizeOfStruct; // must be == sizeof(DEBUG_CPU_SPEED_INFO) 94 | ULONG CurrentSpeed; 95 | ULONG RatedSpeed; 96 | WCHAR NameString[256]; 97 | } DEBUG_CPU_SPEED_INFO, *PDEBUG_CPU_SPEED_INFO; 98 | 99 | typedef HRESULT 100 | (WINAPI *PGET_CPU_PSPEED_INFO)( 101 | IN PDEBUG_CLIENT Client, 102 | OUT PDEBUG_CPU_SPEED_INFO pCpuSpeedInfo); 103 | 104 | typedef struct _DEBUG_CPU_MICROCODE_VERSION { 105 | ULONG SizeOfStruct; // must be == sizeof(DEBUG_CPU_MICROCODE_VERSION) 106 | LARGE_INTEGER CachedSignature; 107 | LARGE_INTEGER InitialSignature; 108 | ULONG ProcessorModel; 109 | ULONG ProcessorFamily; 110 | ULONG ProcessorStepping; // ProcessorRevision on IA64 111 | ULONG ProcessorArchRev; // IA64? 
112 | } DEBUG_CPU_MICROCODE_VERSION, *PDEBUG_CPU_MICROCODE_VERSION; 113 | 114 | typedef HRESULT 115 | (WINAPI *PGET_CPU_MICROCODE_VERSION)( 116 | IN PDEBUG_CLIENT Client, 117 | OUT PDEBUG_CPU_MICROCODE_VERSION pCpuMicrocodeVersion); 118 | 119 | typedef struct _DEBUG_SMBIOS_INFO { 120 | ULONG SizeOfStruct; 121 | UCHAR SmbiosMajorVersion; 122 | UCHAR SmbiosMinorVersion; 123 | UCHAR DMIVersion; 124 | ULONG TableSize; 125 | UCHAR BiosMajorRelease; 126 | UCHAR BiosMinorRelease; 127 | UCHAR FirmwareMajorRelease; 128 | UCHAR FirmwareMinorRelease; 129 | CHAR BaseBoardManufacturer[64]; 130 | CHAR BaseBoardProduct[64]; 131 | CHAR BaseBoardVersion[64]; 132 | CHAR BiosReleaseDate[64]; 133 | CHAR BiosVendor[64]; 134 | CHAR BiosVersion[64]; 135 | CHAR SystemFamily[64]; 136 | CHAR SystemManufacturer[64]; 137 | CHAR SystemProductName[64]; 138 | CHAR SystemSKU[64]; 139 | CHAR SystemVersion[64]; 140 | } DEBUG_SMBIOS_INFO, *PDEBUG_SMBIOS_INFO; 141 | 142 | // 143 | // GetSmbiosInfo extension function from kdexts 144 | // 145 | typedef HRESULT 146 | (WINAPI *PGET_SMBIOS_INFO)( 147 | IN PDEBUG_CLIENT Client, 148 | OUT PDEBUG_SMBIOS_INFO pSmbiosInfo 149 | ); 150 | 151 | // 152 | // irp.c 153 | // 154 | typedef struct _DEBUG_IRP_STACK_INFO { 155 | UCHAR Major; 156 | UCHAR Minor; 157 | ULONG64 DeviceObject; 158 | ULONG64 FileObject; 159 | ULONG64 CompletionRoutine; 160 | ULONG64 StackAddress; 161 | } DEBUG_IRP_STACK_INFO, *PDEBUG_IRP_STACK_INFO; 162 | 163 | typedef struct _DEBUG_IRP_INFO { 164 | ULONG SizeOfStruct; // Must be == sizeof(DEBUG_IRP_INFO) 165 | ULONG64 IrpAddress; 166 | ULONG IoStatus; 167 | ULONG StackCount; 168 | ULONG CurrentLocation; 169 | ULONG64 MdlAddress; 170 | ULONG64 Thread; 171 | ULONG64 CancelRoutine; 172 | DEBUG_IRP_STACK_INFO CurrentStack; 173 | DEBUG_IRP_STACK_INFO Stack[10]; // Top 10 frames of irp stack 174 | } DEBUG_IRP_INFO, *PDEBUG_IRP_INFO; 175 | 176 | // GetIrpInfo 177 | typedef HRESULT 178 | (WINAPI * PGET_IRP_INFO)( 179 | IN PDEBUG_CLIENT Client, 180 | 
IN ULONG64 Irp, 181 | OUT PDEBUG_IRP_INFO IrpInfo 182 | ); 183 | 184 | // 185 | // pnpexts.cpp 186 | // 187 | typedef struct _DDEBUG_PNP_TRIAGE_INFO { 188 | ULONG SizeOfStruct; // must be == sizeof(DEBUG_PNP_TRIAGE_INFO) 189 | ULONG64 Lock_Address; 190 | LONG Lock_ActiveCount; 191 | ULONG Lock_ContentionCount; 192 | ULONG Lock_NumberOfExclusiveWaiters; 193 | ULONG Lock_NumberOfSharedWaiters; 194 | USHORT Lock_Flag; 195 | ULONG64 TriagedThread; 196 | LONG ThreadCount; 197 | ULONG64 TriagedThread_WaitTime; 198 | //ULONG64 PpDeviceActionThread; 199 | //ULONG64 PpDeviceEventThread; 200 | } DEBUG_PNP_TRIAGE_INFO, *PDEBUG_PNP_TRIAGE_INFO; 201 | 202 | // 203 | // pnpexts.cpp (GetPNPTriageInfo) 204 | // 205 | typedef HRESULT 206 | (WINAPI *PGET_PNP_TRIAGE_INFO)( 207 | IN PDEBUG_CLIENT Client, 208 | OUT PDEBUG_PNP_TRIAGE_INFO pPNPTriageInfo); 209 | 210 | 211 | // 212 | // pool.c 213 | // 214 | #if defined(_MSC_VER) 215 | #if _MSC_VER >= 1200 216 | #pragma warning(push) 217 | #endif 218 | #pragma warning(disable:4201) /* nonstandard extension used : nameless struct/union */ 219 | #endif // defined(_MSC_VER) 220 | 221 | typedef struct _DEBUG_POOL_DATA { 222 | ULONG SizeofStruct; 223 | ULONG64 PoolBlock; 224 | ULONG64 Pool; 225 | ULONG PreviousSize; 226 | ULONG Size; 227 | ULONG PoolTag; 228 | ULONG64 ProcessBilled; 229 | union { 230 | struct { 231 | ULONG Free:1; 232 | ULONG LargePool:1; 233 | ULONG SpecialPool:1; 234 | ULONG Pageable:1; 235 | ULONG Protected:1; 236 | ULONG Allocated:1; 237 | ULONG Session:1; 238 | ULONG Reserved:25; 239 | }; 240 | ULONG AsUlong; 241 | }; 242 | ULONG64 Reserved2[4]; 243 | CHAR PoolTagDescription[64]; 244 | } DEBUG_POOL_DATA, *PDEBUG_POOL_DATA; 245 | 246 | #if defined(_MSC_VER) 247 | #if _MSC_VER >= 1200 248 | #pragma warning(pop) 249 | #endif 250 | #endif // defined(_MSC_VER) 251 | 252 | // GetPoolData 253 | typedef HRESULT 254 | (WINAPI *PGET_POOL_DATA)( 255 | PDEBUG_CLIENT Client, 256 | ULONG64 Pool, 257 | PDEBUG_POOL_DATA PoolData 258 | ); 

//
// Pool region classification produced by GetPoolRegion (PGET_POOL_REGION below).
// Values are positional: DbgPoolRegionUnknown is 0 and DbgPoolRegionMax is the
// last enumerator, so a consumer can range-check a value with
// `< DbgPoolRegionMax` before using it to index a name table.
//
typedef enum _DEBUG_POOL_REGION {
    DbgPoolRegionUnknown,
    DbgPoolRegionSpecial,
    DbgPoolRegionPaged,
    DbgPoolRegionNonPaged,
    DbgPoolRegionNonPagedExpansion,
    DbgPoolRegionSessionPaged,
    DbgPoolRegionMax,
} DEBUG_POOL_REGION;

// GetPoolRegion
// Classifies the pool block at target address `Pool` and writes the result to
// *PoolRegion. Returns an HRESULT; treat *PoolRegion as meaningful only when
// the call succeeds.
typedef HRESULT
(WINAPI *PGET_POOL_REGION)(
    PDEBUG_CLIENT Client,
    ULONG64 Pool,
    DEBUG_POOL_REGION *PoolRegion
    );

//
// Proces.c: FindMatchingThread
//
// Parameter block for FindMatchingThread. SizeofStruct is presumably checked
// by the callee against sizeof(KDEXT_THREAD_FIND_PARAMS), as the
// "must be == sizeof" notes on the other blocks in this header suggest, so
// set it before the call. Which of StackPointer / Cid / Thread are inputs and
// which are filled in on return is not documented here.
// NOTE(review): confirm the in/out role of each field against the
// implementation before relying on a field being populated.
//
typedef struct _KDEXT_THREAD_FIND_PARAMS {
    ULONG SizeofStruct;
    ULONG64 StackPointer;
    ULONG Cid;
    ULONG64 Thread;
} KDEXT_THREAD_FIND_PARAMS, *PKDEXT_THREAD_FIND_PARAMS;

typedef HRESULT
(WINAPI *PFIND_MATCHING_THREAD)(
    PDEBUG_CLIENT Client,
    PKDEXT_THREAD_FIND_PARAMS ThreadInfo
    );

//
// Proces.c: FindMatchingProcess
//
// Search criteria for FindMatchingProcess. ImageName is a bare PCHAR with no
// accompanying length field, so it is presumably consumed as a NUL-terminated
// string: the caller must guarantee termination. Whether 0 / NULL in a field
// means "don't care" is not documented here -- do not assume it.
//
typedef struct _KDEXT_PROCESS_FIND_PARAMS {
    ULONG SizeofStruct;     // presumably must be == sizeof(KDEXT_PROCESS_FIND_PARAMS)
    ULONG Pid;
    ULONG Session;
    PCHAR ImageName;        // NUL-terminated name assumed; no length is carried
} KDEXT_PROCESS_FIND_PARAMS, *PKDEXT_PROCESS_FIND_PARAMS;

// Writes the matching process object address to *Process. Only trust the
// output when the returned HRESULT indicates success.
typedef HRESULT
(WINAPI *PFIND_MATCHING_PROCESS)(
    _In_ PDEBUG_CLIENT Client,
    _In_ PKDEXT_PROCESS_FIND_PARAMS ProcessInfo,
    _Out_ PULONG64 Process
    );

//
// EnumerateJobProcesses
// Enumerate Processes within a job tree.
//

// Per-process callback. Job and Process are target addresses; Context is the
// pointer the caller handed to PENUMERATE_JOB_PROCESSES, passed through
// unchanged. The BOOLEAN return presumably controls whether enumeration
// continues -- the header does not say which value stops it, so check the
// implementation.
typedef BOOLEAN
(WINAPI *EXTS_JOB_PROCESS_CALLBACK)(
    _In_ ULONG64 Job,
    _In_ ULONG64 Process,
    _Inout_opt_ PVOID Context
    );

typedef HRESULT
(WINAPI *PENUMERATE_JOB_PROCESSES)(
    _In_ PDEBUG_CLIENT Client,
    _In_ ULONG64 Job,
    _In_ EXTS_JOB_PROCESS_CALLBACK Callback,
    _In_opt_ PVOID Context
    );

//
// EnumerateHashTable
// Enumerate _RTL_DYNAMIC_HASH_TABLE entries.
//

// Per-entry callback; Entry is the target address of one table entry.
// Same return-value caveat as EXTS_JOB_PROCESS_CALLBACK above.
typedef BOOLEAN
(WINAPI *EXTS_TABLE_ENTRY_CALLBACK)(
    _In_ ULONG64 Entry,
    _Inout_opt_ PVOID Context
    );

typedef HRESULT
(WINAPI *PENUMERATE_HASH_TABLE)(
    _In_ PDEBUG_CLIENT Client,
    _In_ ULONG64 HashTable,
    _In_ EXTS_TABLE_ENTRY_CALLBACK Callback,
    _Inout_opt_ PVOID Context
    );

//
// EnumerateHandles
// Enumerate Ob handle table entries.
//

// One record per handle, handed to KDEXT_DUMP_HANDLE_CALLBACK. Unlike most
// other blocks in this header it carries no SizeOfStruct, so there is no
// size/version negotiation: a consumer built against a different layout
// cannot detect the mismatch. Every ULONG64 here is a target-side value
// (address, handle value or access mask), never a pointer usable in the
// debugger process.
typedef struct _KDEXT_HANDLE_INFORMATION {
    ULONG64 HandleTableEntry;   // target address of the table entry itself
    ULONG64 Handle;             // handle value (as seen by the owning process)
    ULONG64 Object;             // target address of the object (presumably the
                                // header; see ObjectBody -- confirm the split)
    ULONG64 ObjectBody;         // target address of the object body
    ULONG64 GrantedAccess;      // access mask granted to this handle; this is the
                                // field a handle-rights audit should examine
    ULONG HandleAttributes;     // handle attribute bits (presumably the OBJ_*
                                // inherit / protect-from-close flags -- confirm)
    BOOLEAN PagedOut;           // set when the entry could not be read from the
                                // target; treat the other fields as unreliable
                                // in that case -- TODO confirm exact semantics
} KDEXT_HANDLE_INFORMATION, *PKDEXT_HANDLE_INFORMATION;

// Callback invoked once per handle. NOTE: this typedef has no WINAPI (every
// other callback in this header does), so it uses the compiler's default
// calling convention. On x86 that differs from WINAPI/__stdcall; implement
// the callback with the default convention or the stack will be unbalanced
// on return. Flags is the value passed to PENUMERATE_HANDLES.
typedef
BOOLEAN
(*KDEXT_DUMP_HANDLE_CALLBACK)(
    _In_ PKDEXT_HANDLE_INFORMATION HandleInfo,
    _In_ ULONG Flags,
    _Inout_opt_ PVOID Context
    );

// Walks the handle table of `Process` (a target process object address) and
// invokes Callback per entry. HandleToDump and Flags are forwarded to the
// enumerator; their encoding (e.g. whether HandleToDump == 0 means "all") is
// not documented here -- confirm against the implementation.
typedef HRESULT
(WINAPI *PENUMERATE_HANDLES)(
    _In_ PDEBUG_CLIENT Client,
    _In_ ULONG64 Process,
    _In_ ULONG64 HandleToDump,
    _In_ ULONG Flags,
    _In_ KDEXT_DUMP_HANDLE_CALLBACK Callback,
    _In_opt_ PVOID Context
    );

//
// FindFileLockOwnerInfo
//
typedef struct _KDEXT_FILELOCK_OWNER {
    ULONG Sizeofstruct;          // presumably must be == sizeof(KDEXT_FILELOCK_OWNER)
    ULONG64 FileObject;          // IN  File object whose owner is to be searched
    ULONG64 OwnerThread;         // OUT Thread owning file object
    ULONG64 WaitIrp;             // OUT Irp associated with file object in the thread
    ULONG64 DeviceObject;        // OUT Device object on which IRP is blocked
    CHAR    BlockingDirver[32];  // OUT Driver name for the device object. Fixed
                                 //     32-byte buffer; nothing here guarantees
                                 //     NUL termination, so read it with a bounded
                                 //     length. The misspelled identifier is part
                                 //     of the ABI and is kept deliberately.
} KDEXT_FILELOCK_OWNER, *PKDEXT_FILELOCK_OWNER;

typedef HRESULT
(WINAPI *PFIND_FILELOCK_OWNERINFO)(
    PDEBUG_CLIENT Client,
    PKDEXT_FILELOCK_OWNER pFileLockOwner
    );

//
// locks
//
// Lock descriptor passed to KDEXTS_LOCK_CALLBACKROUTINE by
// EnumerateSystemLocks. pOwnerThreads / pWaiterThreads point at debugger-side
// arrays owned by the enumerator: index them only within [0, NumOwners) and
// [0, NumExclusiveWaiters) respectively, never free them, and do not retain
// the pointers after the callback returns. The original note below says the
// callback must leave these pointer values intact when it returns
// (presumably the enumerator reuses or frees the buffers afterwards).
typedef struct _KDEXTS_LOCK_INFO {
    ULONG SizeOfStruct;
    ULONG64 Address;             // target address of the lock
    ULONG64 OwningThread;
    BOOL ExclusiveOwned;
    ULONG NumOwners;
    ULONG ContentionCount;
    ULONG NumExclusiveWaiters;   // threads waiting on exclusive access
    ULONG NumSharedWaiters;      // threads waiting on shared access
    PULONG64 pOwnerThreads;      // Array of thread addresses [NumOwners] owning lock
                                 // Set by Lock enumerator, caller needs to preserve value before return
    PULONG64 pWaiterThreads;     // Array of thread addresses [NumExclusiveWaiters]
                                 // Set by Lock enumerator, caller needs to preserve value before return
} KDEXTS_LOCK_INFO,*PKDEXTS_LOCK_INFO;

// Per-lock callback. Note it returns an HRESULT, not the BOOLEAN the other
// enumeration callbacks in this header return; how a failing HRESULT affects
// the enumeration is not documented here.
typedef HRESULT
(WINAPI *KDEXTS_LOCK_CALLBACKROUTINE)(PKDEXTS_LOCK_INFO pLock,
                                      PVOID Context);

// Presumably a version marker for the callback signature above, so a
// consumer can #if on which shape of KDEXTS_LOCK_INFO/callback it gets.
#define KDEXTS_LOCK_CALLBACKROUTINE_DEFINED 2

//
// EnumerateSystemLocks
// Enumerates owned locks and calls CallbackRoutine on all owned/active locks.
// Flags is forwarded to the enumerator; its bits are not documented here.
//
typedef HRESULT
(WINAPI *PENUMERATE_SYSTEM_LOCKS)(
    PDEBUG_CLIENT Client,
    ULONG Flags,
    KDEXTS_LOCK_CALLBACKROUTINE Callback,
    PVOID Context
    );

//
// pte information
//
// Result block for GetPteInfo. The caller must set SizeOfStruct before the
// call. The first five bit-fields add up to exactly 32 bits (1+1+1+1+28) and
// therefore occupy one ULONG; the three "Pfn info" bits below them start a
// second ULONG. What the single Protection bit encodes is not documented
// here -- confirm before interpreting it.
//
typedef struct _KDEXTS_PTE_INFO {
    ULONG SizeOfStruct;     // Must be sizeof(_KDEXTS_PTE_INFO)
    ULONG64 VirtualAddress; // Virtual address to lookup PTE
    ULONG64 PpeAddress;     // target addresses of the page-table entries at
    ULONG64 PdeAddress;     // each level that map VirtualAddress
    ULONG64 PteAddress;
    ULONG64 Pfn;            // page frame number backing the PTE
    ULONG64 Levels;         // number of paging levels walked
    ULONG PteValid:1;
    ULONG PteTransition:1;
    ULONG Prototype:1;
    ULONG Protection:1;
    ULONG Reserved:28;

    // Pte Pfn info
    ULONG ReadInProgress:1;
    ULONG WriteInProgress:1;
    ULONG Modified:1;
} KDEXTS_PTE_INFO, *PKDEXTS_PTE_INFO;

//
// GetPteInfo
//
// Resolves the PTE chain for target virtual address `Virtual` into *PteInfo.
// Only trust the output when the returned HRESULT indicates success.
typedef HRESULT
(WINAPI *PKDEXTS_GET_PTE_INFO)(
    _In_ PDEBUG_CLIENT Client,
    _In_ ULONG64 Virtual,
    _Out_ PKDEXTS_PTE_INFO PteInfo
    );

#endif // _KDEXTSFN_H (guard opened earlier in this file)


#ifndef _KEXTFN_H
#define _KEXTFN_H

/*
 * Extension functions defined in kext.dll
 */

/*****************************************************************************
    PoolTag definitions
 *****************************************************************************/

// Result block for GetPoolTagDescription. The three CHAR arrays are fixed
// size; this declaration alone does not guarantee they are NUL-terminated,
// so consumers should read them with a bounded length. MAX_PATH comes from
// the Windows SDK headers (260 on Windows).
typedef struct _DEBUG_POOLTAG_DESCRIPTION {
    ULONG SizeOfStruct;         // must be == sizeof(DEBUG_POOLTAG_DESCRIPTION)
    ULONG PoolTag;              // the 4-byte tag being described
    CHAR  Description[MAX_PATH];
    CHAR  Binary[32];           // owning binary name (as recorded in pooltag data)
    CHAR  Owner[32];
} DEBUG_POOLTAG_DESCRIPTION, *PDEBUG_POOLTAG_DESCRIPTION;

// GetPoolTagDescription
// Unlike the other extension entry points in this header this one takes no
// PDEBUG_CLIENT; it is a pure lookup of PoolTag into *pDescription. Set
// pDescription->SizeOfStruct before calling.
typedef HRESULT
(WINAPI *PGET_POOL_TAG_DESCRIPTION)(
    ULONG PoolTag,
    PDEBUG_POOLTAG_DESCRIPTION pDescription
    );

#endif // _KEXTFN_H

#ifndef _EXTAPIS_H
#define _EXTAPIS_H

/*
 * Extension functions defined in ext.dll
 */

/*****************************************************************************
    Failure analysis definitions
 *****************************************************************************/
// Defined unconditionally here, so the AUTOBUG-only tags and the
// DEBUG_FLR_AUTOBUG_* aliases later in this header are always compiled in;
// a consumer cannot opt out without editing this file.
#ifndef AUTOBUG_PROCESSING_SUPPORT
#define AUTOBUG_PROCESSING_SUPPORT
#endif

// Kind of target a failure analysis ran against. Values are positional
// (DEBUG_FLR_UNKNOWN == 0). Carried as the value of the
// DEBUG_FLR_TARGET_MODE tag in DEBUG_FLR_PARAM_TYPE below.
typedef enum _DEBUG_FAILURE_TYPE {
    DEBUG_FLR_UNKNOWN,
    DEBUG_FLR_KERNEL,
    DEBUG_FLR_USER_CRASH,
    DEBUG_FLR_IE_CRASH,
} DEBUG_FAILURE_TYPE;

/*
    Each analysis entry can have associated data with it. The
    analyzer knows how to handle each of these entries.
    For example it could do a !driver on a DEBUG_FLR_DRIVER_OBJECT
    or it could do a .cxr and k on a DEBUG_FLR_CONTEXT.
527 | */ 528 | typedef enum _DEBUG_FLR_PARAM_TYPE { 529 | DEBUG_FLR_INVALID = 0, 530 | DEBUG_FLR_RESERVED, 531 | DEBUG_FLR_DRIVER_OBJECT, 532 | DEBUG_FLR_DEVICE_OBJECT, 533 | DEBUG_FLR_INVALID_PFN, 534 | DEBUG_FLR_WORKER_ROUTINE, 535 | DEBUG_FLR_WORK_ITEM, 536 | DEBUG_FLR_INVALID_DPC_FOUND, 537 | DEBUG_FLR_PROCESS_OBJECT, 538 | // Address for which an instruction could not be executed, 539 | // such as invalid instructions or attempts to execute 540 | // non-instruction memory. 541 | DEBUG_FLR_FAILED_INSTRUCTION_ADDRESS, 542 | DEBUG_FLR_LAST_CONTROL_TRANSFER, 543 | DEBUG_FLR_ACPI_EXTENSION, 544 | DEBUG_FLR_ACPI_RESCONFLICT, 545 | DEBUG_FLR_ACPI_OBJECT, 546 | DEBUG_FLR_READ_ADDRESS, 547 | DEBUG_FLR_WRITE_ADDRESS, 548 | DEBUG_FLR_CRITICAL_SECTION, 549 | DEBUG_FLR_BAD_HANDLE, 550 | DEBUG_FLR_INVALID_HEAP_ADDRESS, 551 | DEBUG_FLR_CHKIMG_EXTENSION, 552 | DEBUG_FLR_USBPORT_OCADATA, 553 | DEBUG_FLR_WORK_QUEUE_ITEM, 554 | DEBUG_FLR_ERESOURCE_ADDRESS, // ERESOURCE, use !locks to display this 555 | DEBUG_FLR_PNP_TRIAGE_DATA, // DEBUG_PNP_TRIAGE_INFO struct 556 | DEBUG_FLR_HANDLE_VALUE, 557 | DEBUG_FLR_WHEA_ERROR_RECORD, // WHEA_ERROR_RECORD for bugcheck 0x124 558 | DEBUG_FLR_VERIFIER_FOUND_DEADLOCK, // Possible deadlock found, run !deadlock 559 | DEBUG_FLR_PG_MISMATCH, // Patchguard nt!KiMismatchSummary 560 | DEBUG_FLR_DEVICE_NODE, 561 | 562 | DEBUG_FLR_IRP_ADDRESS = 0x100, 563 | DEBUG_FLR_IRP_MAJOR_FN, 564 | DEBUG_FLR_IRP_MINOR_FN, 565 | DEBUG_FLR_IRP_CANCEL_ROUTINE, 566 | DEBUG_FLR_IOSB_ADDRESS, 567 | DEBUG_FLR_INVALID_USEREVENT, 568 | DEBUG_FLR_VIDEO_TDR_CONTEXT, 569 | DEBUG_FLR_VERIFIER_DRIVER_ENTRY, 570 | DEBUG_FLR_PNP_IRP_ADDRESS, 571 | 572 | 573 | // Previous mode 0 == KernelMode , 1 == UserMode 574 | DEBUG_FLR_PREVIOUS_MODE, 575 | 576 | // Irql 577 | DEBUG_FLR_CURRENT_IRQL = 0x200, 578 | DEBUG_FLR_PREVIOUS_IRQL, 579 | DEBUG_FLR_REQUESTED_IRQL, 580 | 581 | // Exceptions 582 | DEBUG_FLR_ASSERT_DATA = 0x300, 583 | DEBUG_FLR_ASSERT_FILE, 584 | 
DEBUG_FLR_EXCEPTION_PARAMETER1, 585 | DEBUG_FLR_EXCEPTION_PARAMETER2, 586 | DEBUG_FLR_EXCEPTION_PARAMETER3, 587 | DEBUG_FLR_EXCEPTION_PARAMETER4, 588 | DEBUG_FLR_EXCEPTION_RECORD, 589 | DEBUG_FLR_IO_ERROR_CODE, 590 | DEBUG_FLR_EXCEPTION_STR, 591 | DEBUG_FLR_EXCEPTION_DOESNOT_MATCH_CODE, // address causing read/write av was'nt referred in code 592 | DEBUG_FLR_ASSERT_INSTRUCTION, 593 | 594 | // Pool 595 | DEBUG_FLR_POOL_ADDRESS = 0x400, 596 | DEBUG_FLR_SPECIAL_POOL_CORRUPTION_TYPE, 597 | DEBUG_FLR_CORRUPTING_POOL_ADDRESS, 598 | DEBUG_FLR_CORRUPTING_POOL_TAG, 599 | DEBUG_FLR_FREED_POOL_TAG, 600 | DEBUG_FLR_LEAKED_SESSION_POOL_TAG, 601 | DEBUG_FLR_CLIENT_DRIVER, 602 | 603 | // Filesystem 604 | DEBUG_FLR_FILE_ID = 0x500, 605 | DEBUG_FLR_FILE_LINE, 606 | 607 | // bugcheck data 608 | DEBUG_FLR_BUGCHECK_STR = 0x600, 609 | DEBUG_FLR_BUGCHECK_SPECIFIER, 610 | DEBUG_FLR_BUGCHECK_DESC, 611 | 612 | // Managed code stuff 613 | DEBUG_FLR_MANAGED_CODE = 0x700, 614 | DEBUG_FLR_MANAGED_OBJECT, 615 | DEBUG_FLR_MANAGED_EXCEPTION_OBJECT, 616 | DEBUG_FLR_MANAGED_EXCEPTION_MESSAGE, 617 | DEBUG_FLR_MANAGED_STACK_STRING, 618 | DEBUG_FLR_MANAGED_BITNESS_MISMATCH, 619 | DEBUG_FLR_MANAGED_OBJECT_NAME, 620 | DEBUG_FLR_MANAGED_EXCEPTION_CONTEXT_MESSAGE, 621 | DEBUG_FLR_MANAGED_STACK_COMMAND, 622 | 623 | 624 | // Constant values / exception code / bugcheck subtypes etc 625 | DEBUG_FLR_DRIVER_VERIFIER_IO_VIOLATION_TYPE = 0x1000, 626 | DEBUG_FLR_EXCEPTION_CODE, 627 | DEBUG_FLR_EXCEPTION_CODE_STR, 628 | DEBUG_FLR_IOCONTROL_CODE, 629 | DEBUG_FLR_MM_INTERNAL_CODE, 630 | DEBUG_FLR_DRVPOWERSTATE_SUBCODE, 631 | DEBUG_FLR_STATUS_CODE, 632 | DEBUG_FLR_SYMBOL_STACK_INDEX, 633 | DEBUG_FLR_SYMBOL_ON_RAW_STACK, 634 | DEBUG_FLR_SECURITY_COOKIES, 635 | DEBUG_FLR_THREADPOOL_WAITER, 636 | DEBUG_FLR_TARGET_MODE, // Value is DEBUG_FAILURE_TYPE 637 | DEBUG_FLR_BUGCHECK_CODE, 638 | DEBUG_FLR_BADPAGES_DETECTED, 639 | DEBUG_FLR_DPC_TIMEOUT_TYPE, 640 | DEBUG_FLR_DPC_RUNTIME, 641 | DEBUG_FLR_DPC_TIMELIMIT, 642 | 
DEBUG_FLR_DUMP_FILE_ATTRIBUTES, 643 | 644 | // Notification IDs, values under it doesn't have significance 645 | DEBUG_FLR_CORRUPT_MODULE_LIST = 0x2000, 646 | DEBUG_FLR_BAD_STACK, 647 | DEBUG_FLR_ZEROED_STACK, 648 | DEBUG_FLR_WRONG_SYMBOLS, 649 | DEBUG_FLR_FOLLOWUP_DRIVER_ONLY, //bugcheckEA indicates a general driver failure 650 | DEBUG_FLR_UNUSED001, //bucket include timestamp, so each drive is tracked 651 | DEBUG_FLR_CPU_OVERCLOCKED, 652 | DEBUG_FLR_POSSIBLE_INVALID_CONTROL_TRANSFER, 653 | DEBUG_FLR_POISONED_TB, 654 | DEBUG_FLR_UNKNOWN_MODULE, 655 | DEBUG_FLR_ANALYZAABLE_POOL_CORRUPTION, 656 | DEBUG_FLR_SINGLE_BIT_ERROR, 657 | DEBUG_FLR_TWO_BIT_ERROR, 658 | DEBUG_FLR_INVALID_KERNEL_CONTEXT, 659 | DEBUG_FLR_DISK_HARDWARE_ERROR, 660 | DEBUG_FLR_SHOW_ERRORLOG, 661 | DEBUG_FLR_MANUAL_BREAKIN, 662 | DEBUG_FLR_HANG, 663 | DEBUG_FLR_BAD_MEMORY_REFERENCE, 664 | DEBUG_FLR_BAD_OBJECT_REFERENCE, 665 | DEBUG_FLR_APPKILL, 666 | DEBUG_FLR_SINGLE_BIT_PFN_PAGE_ERROR, 667 | DEBUG_FLR_HARDWARE_ERROR, 668 | DEBUG_FLR_NO_IMAGE_IN_BUCKET, // do not add image name in bucket 669 | DEBUG_FLR_NO_BUGCHECK_IN_BUCKET, // do not add bugcheck string in bucket 670 | DEBUG_FLR_SKIP_STACK_ANALYSIS, // do not look at stack 671 | DEBUG_FLR_INVALID_OPCODE, // Bad op code instruction 672 | DEBUG_FLR_ADD_PROCESS_IN_BUCKET, 673 | DEBUG_FLR_RAISED_IRQL_USER_FAULT, 674 | DEBUG_FLR_USE_DEFAULT_CONTEXT, 675 | DEBUG_FLR_BOOST_FOLLOWUP_TO_SPECIFIC, 676 | DEBUG_FLR_SWITCH_PROCESS_CONTEXT, // Set process context when getting tread stack 677 | DEBUG_FLR_VERIFIER_STOP, 678 | DEBUG_FLR_USERBREAK_PEB_PAGEDOUT, 679 | DEBUG_FLR_MOD_SPECIFIC_DATA_ONLY, 680 | DEBUG_FLR_OVERLAPPED_MODULE, // Module with overlapping address space 681 | DEBUG_FLR_CPU_MICROCODE_ZERO_INTEL, 682 | DEBUG_FLR_INTEL_CPU_BIOS_UPGRADE_NEEDED, 683 | DEBUG_FLR_OVERLAPPED_UNLOADED_MODULE, 684 | DEBUG_FLR_INVALID_USER_CONTEXT, 685 | DEBUG_FLR_MILCORE_BREAK, 686 | DEBUG_FLR_NO_IMAGE_TIMESTAMP_IN_BUCKET, // do not add _DATE_#### to bucket (aplicable 
for 687 | // buckets containing just the image name) 688 | DEBUG_FLR_KERNEL_VERIFIER_ENABLED, // Set for kernel targets which have verifier enabled 689 | DEBUG_FLR_SKIP_CORRUPT_MODULE_DETECTION, // do not look at module list for known corrupt modules 690 | DEBUG_FLR_GSFAILURE_FALSE_POSITIVE, 691 | DEBUG_FLR_IGNORE_LARGE_MODULE_CORRUPTION, 692 | DEBUG_FLR_IGNORE_BUCKET_ID_OFFSET, // set to prevent the function offset from being set in the bucket ID 693 | DEBUG_FLR_NO_ARCH_IN_BUCKET, // do not add the architecture name to the bucket 694 | DEBUG_FLR_IGNORE_MODULE_HARDWARE_ID, // do not set Hardware ID info from sysdata.xml. (used if the hardware ID was already set) 695 | DEBUG_FLR_ARM_WRITE_AV_CAVEAT, // Add note that ARM may incorrectly label read AV as write AV in some cases. 696 | DEBUG_FLR_ON_DPC_STACK, // Note if the stack pointer is currently on a DPC stack. 697 | DEBUG_FLR_LIVE_KERNEL_DUMP, // This is a live kernel dump, not a bugcheck. 698 | DEBUG_FLR_COVERAGE_BUILD, // This is an instrumented coverage build 699 | 700 | // Known analyzed failure cause or problem that bucketing could be 701 | // applied against. 
702 | DEBUG_FLR_POOL_CORRUPTOR = 0x3000, 703 | DEBUG_FLR_MEMORY_CORRUPTOR, 704 | DEBUG_FLR_UNALIGNED_STACK_POINTER, 705 | DEBUG_FLR_OLD_OS_VERSION, 706 | DEBUG_FLR_BUGCHECKING_DRIVER, 707 | DEBUG_FLR_SOLUTION_ID, 708 | DEBUG_FLR_DEFAULT_SOLUTION_ID, 709 | DEBUG_FLR_SOLUTION_TYPE, 710 | DEBUG_FLR_RECURRING_STACK, 711 | DEBUG_FLR_FAULTING_INSTR_CODE, 712 | DEBUG_FLR_SYSTEM_LOCALE, 713 | DEBUG_FLR_CUSTOMER_CRASH_COUNT, 714 | DEBUG_FLR_TRAP_FRAME_RECURSION, 715 | DEBUG_FLR_STACK_OVERFLOW, 716 | DEBUG_FLR_STACK_POINTER_ERROR, 717 | DEBUG_FLR_STACK_POINTER_ONEBIT_ERROR, 718 | DEBUG_FLR_STACK_POINTER_MISALIGNED, 719 | DEBUG_FLR_INSTR_POINTER_MISALIGNED, 720 | DEBUG_FLR_INSTR_POINTER_CLIFAULT, 721 | DEBUG_FLR_REGISTRYTXT_STRESS_ID, 722 | DEBUG_FLR_CORRUPT_SERVICE_TABLE, 723 | DEBUG_FLR_LOP_STACKHASH, 724 | DEBUG_FLR_GSFAILURE_FUNCTION, 725 | DEBUG_FLR_GSFAILURE_MODULE_COOKIE, 726 | DEBUG_FLR_GSFAILURE_FRAME_COOKIE, 727 | DEBUG_FLR_GSFAILURE_FRAME_COOKIE_COMPLEMENT, 728 | DEBUG_FLR_GSFAILURE_CORRUPTED_COOKIE, 729 | DEBUG_FLR_GSFAILURE_CORRUPTED_EBP, 730 | DEBUG_FLR_GSFAILURE_OVERRUN_LOCAL, 731 | DEBUG_FLR_GSFAILURE_OVERRUN_LOCAL_NAME, 732 | DEBUG_FLR_GSFAILURE_CORRUPTED_EBPESP, 733 | DEBUG_FLR_GSFAILURE_POSITIVELY_CORRUPTED_EBPESP, 734 | DEBUG_FLR_GSFAILURE_MEMORY_READ_ERROR, 735 | DEBUG_FLR_GSFAILURE_PROBABLY_NOT_USING_GS, 736 | DEBUG_FLR_GSFAILURE_POSITIVE_BUFFER_OVERFLOW, 737 | DEBUG_FLR_GSFAILURE_ANALYSIS_TEXT, 738 | DEBUG_FLR_GSFAILURE_OFF_BY_ONE_OVERRUN, 739 | DEBUG_FLR_GSFAILURE_RA_SMASHED, 740 | DEBUG_FLR_GSFAILURE_NOT_UP2DATE, 741 | DEBUG_FLR_GSFAILURE_UP2DATE_UNKNOWN, 742 | DEBUG_FLR_OS_BUILD_NAME, 743 | DEBUG_FLR_CPU_MICROCODE_VERSION, 744 | DEBUG_FLR_INSTR_POINTER_ON_STACK, 745 | DEBUG_FLR_INSTR_POINTER_ON_HEAP, 746 | DEBUG_FLR_EVENT_CODE_DATA_MISMATCH, 747 | DEBUG_FLR_PROCESSOR_INFO, // Data is DEBUG_ANALYSIS_PROCESSOR_INFO 748 | DEBUG_FLR_INSTR_POINTER_IN_UNLOADED_MODULE, 749 | DEBUG_FLR_MEMDIAG_LASTRUN_STATUS, 750 | DEBUG_FLR_MEMDIAG_LASTRUN_TIME, 751 | 
DEBUG_FLR_INSTR_POINTER_IN_FREE_BLOCK, 752 | DEBUG_FLR_INSTR_POINTER_IN_RESERVED_BLOCK, 753 | DEBUG_FLR_INSTR_POINTER_IN_VM_MAPPED_MODULE, 754 | DEBUG_FLR_INSTR_POINTER_IN_MODULE_NOT_IN_LIST, 755 | DEBUG_FLR_INSTR_POINTER_NOT_IN_STREAM, 756 | DEBUG_FLR_MEMORY_CORRUPTION_SIGNATURE, // Memory corruption address, size and pattern (bit, byte, word, stride or large) 757 | DEBUG_FLR_BUILDNAME_IN_BUCKET, 758 | DEBUG_FLR_CANCELLATION_NOT_SUPPORTED, 759 | DEBUG_FLR_DETOURED_IMAGE, // At least one of images on target is detoured 760 | DEBUG_FLR_EXCEPTION_CONTEXT_RECURSION, 761 | DEBUG_FLR_DISKIO_READ_FAILURE, 762 | DEBUG_FLR_DISKIO_WRITE_FAILURE, 763 | // this belongs with the GS related tags above, but here so that we dont disturb the order 764 | DEBUG_FLR_GSFAILURE_MISSING_ESTABLISHER_FRAME, 765 | DEBUG_FLR_GSFAILURE_COOKIES_MATCH_EXH, 766 | DEBUG_FLR_GSFAILURE_MANAGED, 767 | DEBUG_FLR_MANAGED_FRAME_CHAIN_CORRUPTION, // not really a GS Failure, but reported and analyzed detected in the same way 768 | DEBUG_FLR_GSFAILURE_MANAGED_THREADID, 769 | DEBUG_FLR_GSFAILURE_MANAGED_FRAMEID, 770 | 771 | // Xbox specific string values 772 | DEBUG_FLR_XBOX_SYSTEM_UPTIME, 773 | DEBUG_FLR_XBOX_SYSTEM_CRASHTIME, 774 | DEBUG_FLR_XBOX_LIVE_ENVIRONMENT, 775 | 776 | // These should be in the analyzed failure cause, but here to not disturb order 777 | DEBUG_FLR_LARGE_TICK_INCREMENT, // Value is the number of ticks incremented by KeUpdateRunTime 778 | DEBUG_FLR_INSTR_POINTER_IN_PAGED_CODE, // Code is marked pagable, but attempted to execute at IRQL >= DPC_LEVEL 779 | DEBUG_FLR_SERVICETABLE_MODIFIED, // Kernel service table modification/hooking has been detected 780 | DEBUG_FLR_ALUREON, // KDCOM is incorrect size, suspect Alureon 781 | 782 | // Internal data, retated to the OCA database 783 | DEBUG_FLR_INTERNAL_RAID_BUG = 0x4000, 784 | DEBUG_FLR_INTERNAL_BUCKET_URL, 785 | DEBUG_FLR_INTERNAL_SOLUTION_TEXT, 786 | DEBUG_FLR_INTERNAL_BUCKET_HITCOUNT, 787 | DEBUG_FLR_INTERNAL_RAID_BUG_DATABASE_STRING, 
788 | DEBUG_FLR_INTERNAL_BUCKET_CONTINUABLE, 789 | DEBUG_FLR_INTERNAL_BUCKET_STATUS_TEXT, 790 | 791 | // Data corelating a user target to watson DB 792 | DEBUG_FLR_WATSON_MODULE = 0x4100, 793 | DEBUG_FLR_WATSON_MODULE_VERSION, 794 | DEBUG_FLR_WATSON_MODULE_OFFSET, 795 | DEBUG_FLR_WATSON_PROCESS_VERSION, 796 | DEBUG_FLR_WATSON_IBUCKET, 797 | DEBUG_FLR_WATSON_MODULE_TIMESTAMP, 798 | DEBUG_FLR_WATSON_PROCESS_TIMESTAMP, 799 | DEBUG_FLR_WATSON_GENERIC_EVENT_NAME, 800 | DEBUG_FLR_WATSON_STAGEONE_STR, 801 | 802 | // Data extracted from cabbed files with dump 803 | DEBUG_FLR_SYSXML_LOCALEID = 0x4200, 804 | DEBUG_FLR_SYSXML_CHECKSUM, 805 | DEBUG_FLR_WQL_EVENT_COUNT, 806 | DEBUG_FLR_WQL_EVENTLOG_INFO, 807 | 808 | // System information such as bios data, manufactures (from !sysinfo) 809 | DEBUG_FLR_SYSINFO_SYSTEM_MANUFACTURER = 0x4300, 810 | DEBUG_FLR_SYSINFO_SYSTEM_PRODUCT, 811 | DEBUG_FLR_SYSINFO_BASEBOARD_MANUFACTURER, 812 | DEBUG_FLR_SYSINFO_BIOS_VENDOR, 813 | DEBUG_FLR_SYSINFO_BIOS_VERSION, 814 | 815 | // Strings. 
816 | DEBUG_FLR_BUCKET_ID = 0x10000, 817 | DEBUG_FLR_IMAGE_NAME, 818 | DEBUG_FLR_SYMBOL_NAME, 819 | DEBUG_FLR_FOLLOWUP_NAME, 820 | DEBUG_FLR_STACK_COMMAND, 821 | DEBUG_FLR_STACK_TEXT, 822 | DEBUG_FLR_MODULE_NAME, // Kernel Blamed module/driver name 823 | DEBUG_FLR_FIXED_IN_OSVERSION, 824 | DEBUG_FLR_DEFAULT_BUCKET_ID, 825 | DEBUG_FLR_MODULE_BUCKET_ID, // Part of Bucket id specific to the culprit module 826 | DEBUG_FLR_ADDITIONAL_DEBUGTEXT, 827 | DEBUG_FLR_USER_NAME, 828 | DEBUG_FLR_PROCESS_NAME, 829 | DEBUG_FLR_MARKER_FILE, // Marker file name from sysdata.xml in cabs 830 | DEBUG_FLR_INTERNAL_RESPONSE, // Response text for bucket 831 | DEBUG_FLR_CONTEXT_RESTORE_COMMAND, // command to restore original context as before analysis 832 | DEBUG_FLR_DRIVER_HARDWAREID, // hardware id of faulting driver from sysdata.xml 833 | DEBUG_FLR_DRIVER_HARDWARE_VENDOR_ID, 834 | DEBUG_FLR_DRIVER_HARDWARE_DEVICE_ID, 835 | DEBUG_FLR_DRIVER_HARDWARE_SUBSYS_ID, 836 | DEBUG_FLR_DRIVER_HARDWARE_REV_ID, 837 | DEBUG_FLR_DRIVER_HARDWARE_ID_BUS_TYPE, 838 | DEBUG_FLR_MARKER_MODULE_FILE, // Secondary marker file name from the module list 839 | DEBUG_FLR_BUGCHECKING_DRIVER_IDTAG, // Tag set during processing to identify bugchecking driver frm triage.ini 840 | DEBUG_FLR_MARKER_BUCKET, // bucket id derived from machine marker 841 | DEBUG_FLR_FAILURE_BUCKET_ID, 842 | DEBUG_FLR_DRIVER_XML_DESCRIPTION, 843 | DEBUG_FLR_DRIVER_XML_PRODUCTNAME, 844 | DEBUG_FLR_DRIVER_XML_MANUFACTURER, 845 | DEBUG_FLR_DRIVER_XML_VERSION, 846 | DEBUG_FLR_BUILD_VERSION_STRING, 847 | DEBUG_FLR_ORIGINAL_CAB_NAME, 848 | DEBUG_FLR_FAULTING_SOURCE_CODE, 849 | DEBUG_FLR_FAULTING_SERVICE_NAME, 850 | DEBUG_FLR_FILE_IN_CAB, // name of file (other than dump itself) found in cab 851 | DEBUG_FLR_UNRESPONSIVE_UI_SYMBOL_NAME, 852 | DEBUG_FLR_UNRESPONSIVE_UI_FOLLOWUP_NAME, 853 | DEBUG_FLR_UNRESPONSIVE_UI_STACK, 854 | DEBUG_FLR_PROCESS_PRODUCTNAME, // Product name string from process image version info 855 | DEBUG_FLR_MODULE_PRODUCTNAME, // 
Product name string from module image version info 856 | DEBUG_FLR_COLLECT_DATA_FOR_BUCKET, // DataWanted sproc params 857 | DEBUG_FLR_COMPUTER_NAME, 858 | DEBUG_FLR_IMAGE_CLASS, 859 | DEBUG_FLR_SYMBOL_ROUTINE_NAME, 860 | DEBUG_FLR_HARDWARE_BUCKET_TAG, 861 | DEBUG_FLR_KERNEL_LOG_PROCESS_NAME, 862 | DEBUG_FLR_KERNEL_LOG_STATUS, 863 | DEBUG_FLR_REGISTRYTXT_SOURCE, 864 | DEBUG_FLR_FAULTING_SOURCE_LINE, 865 | DEBUG_FLR_FAULTING_SOURCE_FILE, // This TAG is a duplicate of the tag above. The former is left due to an external (Autobug) dependency 866 | DEBUG_FLR_FAULTING_SOURCE_LINE_NUMBER, // This isnt a string, but it is coorelated with the tag above, so keep them together 867 | DEBUG_FLR_SKIP_MODULE_SPECIFIC_BUCKET_INFO, // Do not add the module name to the bucket string. 868 | DEBUG_FLR_BUCKET_ID_FUNC_OFFSET, // when pruning the offset from the bucket ID, it is saved in this string instead 869 | DEBUG_FLR_XHCI_FIRMWARE_VERSION, 870 | DEBUG_FLR_FAILURE_ANALYSIS_SOURCE, // Kernel/User/TruScan/Radar/Xbox/Phone etc.. 
871 | DEBUG_FLR_FAILURE_ID_HASH, // MD5 Hash of the Failure source + FAILURE_BUCKET_ID 872 | DEBUG_FLR_FAILURE_ID_HASH_STRING, // The string used to compute the FAILURE_ID_HASH 873 | 874 | // User-mode specific stuff 875 | DEBUG_FLR_USERMODE_DATA = 0x100000, 876 | DEBUG_FLR_THREAD_ATTRIBUTES, // Thread attributes 877 | DEBUG_FLR_PROBLEM_CLASSES, 878 | DEBUG_FLR_PRIMARY_PROBLEM_CLASS, 879 | DEBUG_FLR_PRIMARY_PROBLEM_CLASS_DATA, 880 | DEBUG_FLR_UNRESPONSIVE_UI_PROBLEM_CLASS, 881 | DEBUG_FLR_UNRESPONSIVE_UI_PROBLEM_CLASS_DATA, 882 | DEBUG_FLR_DERIVED_WAIT_CHAIN, 883 | DEBUG_FLR_HANG_DATA_NEEDED, 884 | DEBUG_FLR_PROBLEM_CODE_PATH_HASH, 885 | DEBUG_FLR_SUSPECT_CODE_PATH_HASH, 886 | DEBUG_FLR_LOADERLOCK_IN_WAIT_CHAIN, 887 | DEBUG_FLR_XPROC_HANG, 888 | DEBUG_FLR_DEADLOCK_INPROC, 889 | DEBUG_FLR_DEADLOCK_XPROC, 890 | DEBUG_FLR_WCT_XML_AVAILABLE, 891 | DEBUG_FLR_XPROC_DUMP_AVAILABLE, 892 | DEBUG_FLR_DESKTOP_HEAP_MISSING, 893 | DEBUG_FLR_HANG_REPORT_THREAD_IS_IDLE, 894 | DEBUG_FLR_FAULT_THREAD_SHA1_HASH_MF, // these fault thread hash variations are used in kernel mode too 895 | DEBUG_FLR_FAULT_THREAD_SHA1_HASH_MFO, 896 | DEBUG_FLR_FAULT_THREAD_SHA1_HASH_M, 897 | DEBUG_FLR_WAIT_CHAIN_COMMAND, 898 | DEBUG_FLR_NTGLOBALFLAG, 899 | DEBUG_FLR_APPVERIFERFLAGS, 900 | DEBUG_FLR_MODLIST_SHA1_HASH, 901 | DEBUG_FLR_DUMP_TYPE, 902 | DEBUG_FLR_XCS_PATH, 903 | DEBUG_FLR_LOADERLOCK_OWNER_API, 904 | DEBUG_FLR_LOADERLOCK_BLOCKED_API, 905 | DEBUG_FLR_MODLIST_TSCHKSUM_SHA1_HASH, // hash of module list (with checksum, timestamp & size) 906 | DEBUG_FLR_MODLIST_UNLOADED_SHA1_HASH, // hash of unloaded module list 907 | DEBUG_FLR_MACHINE_INFO_SHA1_HASH, // hash of unloaded module list 908 | DEBUG_FLR_URLS_DISCOVERED, 909 | DEBUG_FLR_URLS, 910 | DEBUG_FLR_URL_ENTRY, 911 | DEBUG_FLR_WATSON_IBUCKET_S1_RESP, 912 | DEBUG_FLR_WATSON_IBUCKETTABLE_S1_RESP, 913 | DEBUG_FLR_SEARCH_HANG, 914 | DEBUG_FLR_WER_DATA_COLLECTION_INFO, 915 | DEBUG_FLR_WER_MACHINE_ID, 916 | DEBUG_FLR_ULS_SCRIPT_EXCEPTION, 917 | 
DEBUG_FLR_LCIE_ISO_AVAILABLE, 918 | DEBUG_FLR_SHOW_LCIE_ISO_DATA, 919 | DEBUG_FLR_URL_LCIE_ENTRY, 920 | DEBUG_FLR_URL_URLMON_ENTRY, 921 | DEBUG_FLR_URL_XMLHTTPREQ_SYNC_ENTRY, 922 | DEBUG_FLR_FAULTING_LOCAL_VARIABLE_NAME, 923 | DEBUG_FLR_MODULE_LIST, 924 | DEBUG_FLR_DUMP_FLAGS, 925 | 926 | // Analysis structured data 927 | DEBUG_FLR_STACK = 0x200000, 928 | DEBUG_FLR_FOLLOWUP_CONTEXT, 929 | DEBUG_FLR_XML_MODULE_LIST, 930 | DEBUG_FLR_STACK_FRAME, 931 | DEBUG_FLR_STACK_FRAME_NUMBER, 932 | DEBUG_FLR_STACK_FRAME_INSTRUCTION, 933 | DEBUG_FLR_STACK_FRAME_SYMBOL, 934 | DEBUG_FLR_STACK_FRAME_SYMBOL_OFFSET, 935 | DEBUG_FLR_STACK_FRAME_MODULE, 936 | DEBUG_FLR_STACK_FRAME_IMAGE, 937 | DEBUG_FLR_STACK_FRAME_FUNCTION, 938 | DEBUG_FLR_STACK_FRAME_FLAGS, 939 | DEBUG_FLR_CONTEXT_COMMAND, 940 | DEBUG_FLR_CONTEXT_FLAGS, 941 | DEBUG_FLR_CONTEXT_ORDER, 942 | DEBUG_FLR_CONTEXT_SYSTEM, 943 | DEBUG_FLR_CONTEXT_ID, 944 | DEBUG_FLR_XML_MODULE_INFO, 945 | DEBUG_FLR_XML_MODULE_INFO_INDEX, 946 | DEBUG_FLR_XML_MODULE_INFO_NAME, 947 | DEBUG_FLR_XML_MODULE_INFO_IMAGE_NAME, 948 | DEBUG_FLR_XML_MODULE_INFO_IMAGE_PATH, 949 | DEBUG_FLR_XML_MODULE_INFO_CHECKSUM, 950 | DEBUG_FLR_XML_MODULE_INFO_TIMESTAMP, 951 | DEBUG_FLR_XML_MODULE_INFO_UNLOADED, 952 | DEBUG_FLR_XML_MODULE_INFO_ON_STACK, 953 | DEBUG_FLR_XML_MODULE_INFO_FIXED_FILE_VER, 954 | DEBUG_FLR_XML_MODULE_INFO_FIXED_PROD_VER, 955 | DEBUG_FLR_XML_MODULE_INFO_STRING_FILE_VER, 956 | DEBUG_FLR_XML_MODULE_INFO_STRING_PROD_VER, 957 | DEBUG_FLR_XML_MODULE_INFO_COMPANY_NAME, 958 | DEBUG_FLR_XML_MODULE_INFO_FILE_DESCRIPTION, 959 | DEBUG_FLR_XML_MODULE_INFO_INTERNAL_NAME, 960 | DEBUG_FLR_XML_MODULE_INFO_ORIG_FILE_NAME, 961 | DEBUG_FLR_XML_MODULE_INFO_BASE, 962 | DEBUG_FLR_XML_MODULE_INFO_SIZE, 963 | DEBUG_FLR_XML_MODULE_INFO_PRODUCT_NAME, 964 | DEBUG_FLR_PROCESS_INFO, 965 | DEBUG_FLR_EXCEPTION_MODULE_INFO, 966 | DEBUG_FLR_CONTEXT_FOLLOWUP_INDEX, 967 | DEBUG_FLR_XML_GLOBALATTRIBUTE_LIST, 968 | DEBUG_FLR_XML_ATTRIBUTE_LIST, 969 | DEBUG_FLR_XML_ATTRIBUTE, 970 
| DEBUG_FLR_XML_ATTRIBUTE_NAME, 971 | DEBUG_FLR_XML_ATTRIBUTE_VALUE, 972 | DEBUG_FLR_XML_ATTRIBUTE_D1VALUE, 973 | DEBUG_FLR_XML_ATTRIBUTE_D2VALUE, 974 | DEBUG_FLR_XML_ATTRIBUTE_DOVALUE, 975 | DEBUG_FLR_XML_ATTRIBUTE_VALUE_TYPE, 976 | DEBUG_FLR_XML_ATTRIBUTE_FRAME_NUMBER, 977 | DEBUG_FLR_XML_ATTRIBUTE_THREAD_INDEX, 978 | DEBUG_FLR_XML_PROBLEMCLASS_LIST, 979 | DEBUG_FLR_XML_PROBLEMCLASS, 980 | DEBUG_FLR_XML_PROBLEMCLASS_NAME, 981 | DEBUG_FLR_XML_PROBLEMCLASS_VALUE, 982 | DEBUG_FLR_XML_PROBLEMCLASS_VALUE_TYPE, 983 | DEBUG_FLR_XML_PROBLEMCLASS_FRAME_NUMBER, 984 | DEBUG_FLR_XML_PROBLEMCLASS_THREAD_INDEX, 985 | DEBUG_FLR_XML_STACK_FRAME_TRIAGE_STATUS, 986 | DEBUG_FLR_CONTEXT_METADATA, 987 | DEBUG_FLR_STACK_FRAMES, 988 | DEBUG_FLR_XML_ENCODED_OFFSETS, 989 | DEBUG_FLR_FA_PERF_DATA, 990 | DEBUG_FLR_FA_PERF_ITEM, 991 | DEBUG_FLR_FA_PERF_ITEM_NAME, 992 | DEBUG_FLR_FA_PERF_ITERATIONS, 993 | DEBUG_FLR_FA_PERF_ELAPSED_MS, 994 | DEBUG_FLR_STACK_SHA1_HASH_MF, 995 | DEBUG_FLR_STACK_SHA1_HASH_MFO, 996 | DEBUG_FLR_STACK_SHA1_HASH_M, 997 | DEBUG_FLR_XML_MODULE_INFO_SYMBOL_TYPE, // loaded symbol type 998 | DEBUG_FLR_XML_MODULE_INFO_FILE_FLAGS, // whether debug or release build 999 | DEBUG_FLR_STACK_FRAME_MODULE_BASE, 1000 | DEBUG_FLR_STACK_FRAME_SRC, 1001 | DEBUG_FLR_XML_SYSTEMINFO, 1002 | DEBUG_FLR_XML_SYSTEMINFO_SYSTEMMANUFACTURER, 1003 | DEBUG_FLR_XML_SYSTEMINFO_SYSTEMMODEL, 1004 | DEBUG_FLR_XML_SYSTEMINFO_SYSTEMMARKER, 1005 | DEBUG_FLR_FA_ADHOC_ANALYSIS_ITEMS, 1006 | DEBUG_FLR_XML_APPLICATION_NAME, 1007 | DEBUG_FLR_XML_PACKAGE_MONIKER, 1008 | DEBUG_FLR_XML_PACKAGE_RELATIVE_APPLICATION_ID, 1009 | DEBUG_FLR_XML_MODERN_ASYNC_REQUEST_OUTSTANDING, 1010 | DEBUG_FLR_XML_EVENTTYPE, 1011 | 1012 | // cabbed text data / structured data 1013 | DEBUG_FLR_REGISTRY_DATA = 0x300000, 1014 | DEBUG_FLR_WMI_QUERY_DATA = 0x301000, 1015 | DEBUG_FLR_USER_GLOBAL_ATTRIBUTES = 0x302000, 1016 | DEBUG_FLR_USER_THREAD_ATTRIBUTES = 0x303000, 1017 | DEBUG_FLR_USER_PROBLEM_CLASSES = 0x304000, 1018 | 1019 | #ifdef 
AUTOBUG_PROCESSING_SUPPORT 1020 | // tabs to support autobug cab processing 1021 | DEBUG_FLR_EXCEPTION_CODE_STR_deprecated = 0x101000, // This is the string representation of the exception code (ie. c0000005) 1022 | // this is defined earlier as DEBUG_FLR_EXCEPTION_CODE_STR 1023 | DEBUG_FLR_BUCKET_ID_PREFIX_STR, // This is the prefix part of BUCKET_ID. Everything before the start of the module name 1024 | DEBUG_FLR_BUCKET_ID_MODULE_STR, // This is module, without the .dll/exe/tmp, etc. extension 1025 | DEBUG_FLR_BUCKET_ID_MODVER_STR, // This is version of the aforementioned module, 0.0.0.0 if none. 1026 | DEBUG_FLR_BUCKET_ID_FUNCTION_STR,// This is same as Sym from Watson. If missing 'unknown'. 1027 | DEBUG_FLR_AUTOBUG_BUCKET_ID_OFFSET, // The offset portion SYMBOL_NAME 1028 | DEBUG_FLR_OSBUILD, // This is the OS build number. 1029 | DEBUG_FLR_OSSERVICEPACK, // This is the trailing part of the oca tag BUILD. 1030 | DEBUG_FLR_BUILDLAB_STR, // Only the build lab part of BUILD_VERSION_STRING (like winmain_idx03) 1031 | DEBUG_FLR_BUILDDATESTAMP_STR, // The time date stamp part of BUILD_VERSION_STRING (like 051214-1910) 1032 | DEBUG_FLR_BUILDOSVER_STR, // The OS version parth of BUILD_VERSION_STRING (like 6.0.5270.9). 
1033 | DEBUG_FLR_BUCKET_ID_TIMEDATESTAMP, 1034 | DEBUG_FLR_BUCKET_ID_CHECKSUM, 1035 | DEBUG_FLR_BUILD_FLAVOR_STR, 1036 | DEBUG_FLR_BUCKET_ID_FLAVOR_STR, // Is the failing module chk or fre 1037 | DEBUG_FLR_OS_SKU, 1038 | DEBUG_FLR_PRODUCT_TYPE, 1039 | DEBUG_FLR_SUITE_MASK, 1040 | DEBUG_FLR_USER_LCID, 1041 | DEBUG_FLR_OS_REVISION, // OS revision 1042 | DEBUG_FLR_OS_NAME, // OS Name 1043 | DEBUG_FLR_OS_NAME_EDITION, // Complete OS Name along with edition 1044 | DEBUG_FLR_OS_PLATFORM_TYPE, // OS type - x86 / x64 / ia64 1045 | DEBUG_FLR_OSSERVICEPACK_NUMBER, // This is service pack number 1046 | DEBUG_FLR_OS_LOCALE, // OS locale string such as en-us 1047 | DEBUG_FLR_BUILDDATESTAMP, // The time date stamp value for kernel 1048 | DEBUG_FLR_USER_LCID_STR, 1049 | DEBUG_FLR_ANALYSIS_SESSION_TIME, // time stamp when analysis is running 1050 | DEBUG_FLR_ANALYSIS_SESSION_HOST, // machine on which analysis is running 1051 | DEBUG_FLR_ANALYSIS_SESSION_ELAPSED_TIME, // processing time for analysis set in milliseconds 1052 | DEBUG_FLR_ANALYSIS_VERSION, // !analyze version 1053 | #endif 1054 | 1055 | // Windows Phone specific information 1056 | DEBUG_FLR_PHONE_VERSIONMAJOR=0x70000000, 1057 | DEBUG_FLR_PHONE_VERSIONMINOR, 1058 | DEBUG_FLR_PHONE_BUILDNUMBER, 1059 | DEBUG_FLR_PHONE_BUILDTIMESTAMP, 1060 | DEBUG_FLR_PHONE_BUILDBRANCH, 1061 | DEBUG_FLR_PHONE_BUILDER, 1062 | DEBUG_FLR_PHONE_LCID, 1063 | DEBUG_FLR_PHONE_QFE, 1064 | DEBUG_FLR_PHONE_OPERATOR, 1065 | DEBUG_FLR_PHONE_MCCMNC, 1066 | DEBUG_FLR_PHONE_FIRMWAREREVISION, 1067 | DEBUG_FLR_PHONE_RAM, 1068 | DEBUG_FLR_PHONE_ROMVERSION, 1069 | DEBUG_FLR_PHONE_SOCVERSION, 1070 | DEBUG_FLR_PHONE_HARDWAREREVISION, 1071 | DEBUG_FLR_PHONE_RADIOHARDWAREREVISION, 1072 | DEBUG_FLR_PHONE_RADIOSOFTWAREREVISION, 1073 | DEBUG_FLR_PHONE_BOOTLOADERVERSION, 1074 | DEBUG_FLR_PHONE_REPORTGUID, 1075 | DEBUG_FLR_PHONE_SOURCE, 1076 | DEBUG_FLR_PHONE_SOURCEEXTERNAL, 1077 | DEBUG_FLR_PHONE_USERALIAS, 1078 | 1079 | // Culprit module 1080 | 
DEBUG_FLR_FAULTING_IP = 0x80000000, // Instruction where failure occurred 1081 | DEBUG_FLR_FAULTING_MODULE, 1082 | DEBUG_FLR_IMAGE_TIMESTAMP, 1083 | DEBUG_FLR_FOLLOWUP_IP, 1084 | DEBUG_FLR_FRAME_ONE_INVALID, 1085 | DEBUG_FLR_SYMBOL_FROM_RAW_STACK_ADDRESS, 1086 | DEBUG_FLR_IMAGE_VERSION, 1087 | 1088 | // custom analysis plugin tags 1089 | DEBUG_FLR_CUSTOM_ANALYSIS_TAG_MIN = 0xA0000000, 1090 | DEBUG_FLR_CUSTOM_ANALYSIS_TAG_MAX = 0xB0000000, 1091 | 1092 | // To get faulting stack 1093 | DEBUG_FLR_FAULTING_THREAD = 0xc0000000, 1094 | DEBUG_FLR_CONTEXT, 1095 | DEBUG_FLR_TRAP_FRAME, 1096 | DEBUG_FLR_TSS, 1097 | DEBUG_FLR_BLOCKING_THREAD, // Thread which is blocking others to execute by holding locks/critsec 1098 | DEBUG_FLR_UNRESPONSIVE_UI_THREAD, 1099 | DEBUG_FLR_BLOCKED_THREAD0, // Threads blocked / waiting for some event / crit section 1100 | DEBUG_FLR_BLOCKED_THREAD1, 1101 | DEBUG_FLR_BLOCKED_THREAD2, 1102 | DEBUG_FLR_BLOCKING_PROCESSID, // process id of processes which is blocking execution 1103 | DEBUG_FLR_PROCESSOR_ID, // CPU where the fault is 1104 | DEBUG_FLR_XDV_VIOLATED_CONDITION, 1105 | DEBUG_FLR_XDV_STATE_VARIABLE, 1106 | DEBUG_FLR_XDV_HELP_LINK, 1107 | DEBUG_FLR_XDV_RULE_INFO, 1108 | DEBUG_FLR_DPC_STACK_BASE, 1109 | DEBUG_FLR_MASK_ALL = 0xFFFFFFFF 1110 | 1111 | } DEBUG_FLR_PARAM_TYPE; 1112 | 1113 | #ifdef AUTOBUG_PROCESSING_SUPPORT 1114 | // redifine older tabs to support autobug cab processing 1115 | #define DEBUG_FLR_AUTOBUG_EXCEPTION_CODE_STR DEBUG_FLR_EXCEPTION_CODE_STR 1116 | #define DEBUG_FLR_AUTOBUG_BUCKET_ID_PREFIX_STR DEBUG_FLR_BUCKET_ID_PREFIX_STR 1117 | #define DEBUG_FLR_AUTOBUG_BUCKET_ID_MODULE_STR DEBUG_FLR_BUCKET_ID_MODULE_STR 1118 | #define DEBUG_FLR_AUTOBUG_BUCKET_ID_MODVER_STR DEBUG_FLR_BUCKET_ID_MODVER_STR 1119 | #define DEBUG_FLR_AUTOBUG_BUCKET_ID_FUNCTION_STR DEBUG_FLR_BUCKET_ID_FUNCTION_STR 1120 | #define DEBUG_FLR_AUTOBUG_OSBUILD DEBUG_FLR_OSBUILD 1121 | #define DEBUG_FLR_AUTOBUG_OSSERVICEPACK DEBUG_FLR_OSSERVICEPACK 1122 | #define 
DEBUG_FLR_AUTOBUG_BUILDLAB_STR DEBUG_FLR_BUILDLAB_STR
#define DEBUG_FLR_AUTOBUG_BUILDDATESTAMP_STR DEBUG_FLR_BUILDDATESTAMP_STR
#define DEBUG_FLR_AUTOBUG_BUILDOSVER_STR DEBUG_FLR_BUILDOSVER_STR
#define DEBUG_FLR_AUTOBUG_BUCKET_ID_TIMEDATESTAMP DEBUG_FLR_BUCKET_ID_TIMEDATESTAMP
#define DEBUG_FLR_AUTOBUG_BUCKET_ID_CHECKSUM DEBUG_FLR_BUCKET_ID_CHECKSUM
#define DEBUG_FLR_AUTOBUG_BUILD_FLAVOR_STR DEBUG_FLR_BUILD_FLAVOR_STR
#define DEBUG_FLR_AUTOBUG_BUCKET_ID_FLAVOR_STR DEBUG_FLR_BUCKET_ID_FLAVOR_STR
#define DEBUG_FLR_AUTOBUG_OS_SKU DEBUG_FLR_OS_SKU
#define DEBUG_FLR_AUTOBUG_PRODUCT_TYPE DEBUG_FLR_PRODUCT_TYPE
#define DEBUG_FLR_AUTOBUG_SUITE_MASK DEBUG_FLR_SUITE_MASK
#define DEBUG_FLR_AUTOBUG_USER_LCID DEBUG_FLR_USER_LCID
#define DEBUG_FLR_AUTOBUG_OS_REVISION DEBUG_FLR_OS_REVISION
#define DEBUG_FLR_AUTOBUG_OS_NAME DEBUG_FLR_OS_NAME
#define DEBUG_FLR_AUTOBUG_OS_NAME_EDITION DEBUG_FLR_OS_NAME_EDITION
#define DEBUG_FLR_AUTOBUG_OS_PLATFORM_TYPE DEBUG_FLR_OS_PLATFORM_TYPE
#define DEBUG_FLR_AUTOBUG_OSSERVICEPACK_NUMBER DEBUG_FLR_OSSERVICEPACK_NUMBER
#define DEBUG_FLR_AUTOBUG_OS_LOCALE DEBUG_FLR_OS_LOCALE
#define DEBUG_FLR_AUTOBUG_BUILDDATESTAMP DEBUG_FLR_BUILDDATESTAMP
#define DEBUG_FLR_AUTOBUG_USER_LCID_STR DEBUG_FLR_USER_LCID_STR
#endif

//
// Per-thread attribute record. AttributeBits / BoolBits carry flags;
// the BoolBits values are listed in the comment below.
//
typedef struct _DBG_THREAD_ATTRIBUTES
{
    ULONG ThreadIndex;
    ULONG64 ProcessID;
    ULONG64 ThreadID;
    ULONG64 AttributeBits;

    /*
    BoolBits flag values:
    bHas_StringData      0x0001
    bBlockedOnPID        0x0002
    bBlockedOnTID        0x0004
    bHas_CritSecAddress  0x0008
    bHas_timeout         0x0010
    m_szSymName[0]       0x0020
    */
    ULONG BoolBits;
    ULONG64 BlockedOnPID;
    ULONG64 BlockedOnTID;
    ULONG64 CritSecAddress;
    ULONG Timeout_msec;         // timeout in milliseconds (per the field name)
    // NOTE(review): both arrays are fixed 100-byte buffers. Nothing in this
    // declaration guarantees NUL-termination, so readers should bound any
    // string access by sizeof the array rather than trusting a terminator.
    char StringData[100];
    char SymName[100];
} DBG_THREAD_ATTRIBUTES, *PDBG_THREAD_ATTRIBUTES;

//----------------------------------------------------------------------------
//
// A failure analysis is a dynamic buffer of tagged blobs. Values
// are accessed through the Get/Set methods.
//
// Entries are always fully aligned.
//
// Set methods throw E_OUTOFMEMORY exceptions when the data
// buffer cannot be extended.
//
//----------------------------------------------------------------------------

// A failure-analysis tag is just a DEBUG_FLR_PARAM_TYPE value.
typedef DEBUG_FLR_PARAM_TYPE FA_TAG;

//
// This is set in IDebugFAEntryTags Tag Type to determine
// type of value contained in entry
//
typedef enum _FA_ENTRY_TYPE
{
    // Undefined entry, this may be used for
    // FA_TAGs whose values do not have any significance
    DEBUG_FA_ENTRY_NO_TYPE,
    // FA_ENTRY is of ULONG type
    DEBUG_FA_ENTRY_ULONG,
    // FA_ENTRY is of ULONG64 type
    DEBUG_FA_ENTRY_ULONG64,
    // FA_ENTRY is offset in instruction stream
    DEBUG_FA_ENTRY_INSTRUCTION_OFFSET,
    // FA_ENTRY is a (ULONG64 sign-extended) pointer value
    DEBUG_FA_ENTRY_POINTER,
    // FA_ENTRY is null terminated char array
    // DataSize is size of string including null terminator
    DEBUG_FA_ENTRY_ANSI_STRING,
    // FA_ENTRY is an array of strings, each of the strings
    // is a null terminated char array.
    // DataSize is the summed size of all strings including null terminators
    DEBUG_FA_ENTRY_ANSI_STRINGs,
    // FA_ENTRY is a link to an extension command. !analyze -v
    // would run the command when showing the entry value
    // The Entry contains extension command string.
    DEBUG_FA_ENTRY_EXTENSION_CMD,
    // FA_ENTRY is a link to structured analysis data
    // The Entry contains pointer to PDEBUG_FAILURE_ANALYSIS2 object.
    DEBUG_FA_ENTRY_STRUCTURED_DATA,
    // FA_ENTRY is null terminated unicode char array
    // DataSize is size of unicode string including null terminator
    DEBUG_FA_ENTRY_UNICODE_STRING,
    // Bit flag modifier for any of the basic types
    // (ULONG/POINTER/INSTRUCTION_OFFSET). FA_ENTRY is an
    // array of any basic type other than string. DataSize
    // member of the Entry can be used to determine array length.
    DEBUG_FA_ENTRY_ARRAY = 0x8000,
} FA_ENTRY_TYPE;

#undef INTERFACE
#define INTERFACE IDebugFAEntryTags
//
// Meta-data control for failure-analysis tags: the value type, a
// name/description pair, and name-based lookup of tags.
//
DECLARE_INTERFACE(IDebugFAEntryTags)
{
    // Looks up the Type associated with the failure tag
    STDMETHOD_(FA_ENTRY_TYPE, GetType)(
        THIS_
        _In_ FA_TAG Tag
        ) PURE;

    // Sets the Type associated with the failure tag
    STDMETHOD(SetType)(
        THIS_
        _In_ FA_TAG Tag,
        _In_ FA_ENTRY_TYPE EntryType
        ) PURE;

    // Looks up description and name for the failure tag.
    // Name/Description are optional output buffers; the SAL annotations
    // size them in bytes via *NameSize / *DescSize, which are in/out.
    STDMETHOD(GetProperties)(
        THIS_
        _In_ FA_TAG Tag,
        _Out_writes_bytes_opt_(*NameSize) PSTR Name,
        _Inout_opt_ PULONG NameSize,
        _Out_writes_bytes_opt_(*DescSize) PSTR Description,
        _Inout_opt_ PULONG DescSize,
        _Out_opt_ PULONG Flags
        ) PURE;

    // Sets description and name for the failure tag
    // If the given tag already had these defined, this will overwrite
    // previous definition(s)
    STDMETHOD(SetProperties)(
        THIS_
        _In_ FA_TAG Tag,
        _In_opt_ PCSTR Name,
        _In_opt_ PCSTR Description,
        _In_opt_ ULONG Flags
        ) PURE;

    // This looks up default analysis tag or plugin's registered tag
    // by its name
    STDMETHOD(GetTagByName)(
        THIS_
        _In_opt_ PCSTR PluginId,
        _In_ PCSTR TagName,
        _Out_ FA_TAG* Tag
        ) PURE;

    // This allows extensions to check if a given failure
    // tag value can be set. This would return true for all
    // tags that were allocated via AllocateTagRange or
    // the predefined tag values in this header file
    STDMETHOD_(BOOL, IsValidTagToSet)(
        THIS_
        _In_ FA_TAG Tag
        ) PURE;
};

//
// Header of one tagged blob in the analysis buffer.
// Both sizes are USHORT, so an entry (header plus payload) and its
// payload are each limited to 65535 bytes; consumers should bound
// payload access by DataSize.
//
typedef struct _FA_ENTRY
{
    FA_TAG Tag;
    USHORT FullSize;    // presumably total entry size including header — confirm
    USHORT DataSize;    // payload size; see FA_ENTRY_TYPE comments for per-type meaning
} FA_ENTRY, *PFA_ENTRY;

// Yields a Type-typed pointer to the memory immediately following the
// FA_ENTRY header ((Entry) + 1 advances by one FA_ENTRY). The result is
// only meaningful for (Entry)->DataSize bytes.
#define FA_ENTRY_DATA(Type, Entry) ((Type)((Entry) + 1))

/* ed0de363-451f-4943-820c-62dccdfa7e6d */
DEFINE_GUID(IID_IDebugFailureAnalysis, 0xed0de363, 0x451f, 0x4943,
            0x82, 0x0c, 0x62, 0xdc, 0xcd, 0xfa, 0x7e, 0x6d);

typedef interface DECLSPEC_UUID("ed0de363-451f-4943-820c-62dccdfa7e6d")
    IDebugFailureAnalysis* PDEBUG_FAILURE_ANALYSIS;

#undef INTERFACE
#define INTERFACE IDebugFailureAnalysis
//
// Original (read-only) analysis interface. IDebugFailureAnalysis2 below
// supersedes it and adds the Set*/Add* methods.
//
DECLARE_INTERFACE_(IDebugFailureAnalysis, IUnknown)
{
    // IUnknown.
    STDMETHOD(QueryInterface)(
        THIS_
        IN REFIID InterfaceId,
        OUT PVOID* Interface
        ) PURE;
    STDMETHOD_(ULONG, AddRef)(
        THIS
        ) PURE;
    STDMETHOD_(ULONG, Release)(
        THIS
        ) PURE;

    // IDebugFailureAnalysis.
    STDMETHOD_(ULONG, GetFailureClass)(
        THIS
        ) PURE;
    STDMETHOD_(DEBUG_FAILURE_TYPE, GetFailureType)(
        THIS
        ) PURE;
    STDMETHOD_(ULONG, GetFailureCode)(
        THIS
        ) PURE;
    STDMETHOD_(PFA_ENTRY, Get)(
        THIS_
        FA_TAG Tag
        ) PURE;
    STDMETHOD_(PFA_ENTRY, GetNext)(
        THIS_
        PFA_ENTRY Entry,
        FA_TAG Tag,
        FA_TAG TagMask
        ) PURE;
    // MaxSize is annotated as a byte count for Str.
    STDMETHOD_(PFA_ENTRY, GetString)(
        THIS_
        FA_TAG Tag,
        _Out_writes_bytes_(MaxSize) PSTR Str,
        ULONG MaxSize
        ) PURE;
    STDMETHOD_(PFA_ENTRY, GetBuffer)(
        THIS_
        FA_TAG Tag,
        _Out_writes_bytes_(Size) PVOID Buf,
        ULONG Size
        ) PURE;
    STDMETHOD_(PFA_ENTRY, GetUlong)(
        THIS_
        FA_TAG Tag,
        _Out_ PULONG Value
        ) PURE;
    STDMETHOD_(PFA_ENTRY, GetUlong64)(
        THIS_
        FA_TAG Tag,
        _Out_ PULONG64 Value
        ) PURE;
    STDMETHOD_(PFA_ENTRY, NextEntry)(
        THIS_
        _In_opt_ PFA_ENTRY Entry
        ) PURE;
};

/* ea15c288-8226-4b70-acf6-0be6b189e3ad */
DEFINE_GUID(IID_IDebugFailureAnalysis2, 0xea15c288, 0x8226, 0x4b70,
            0xac, 0xf6, 0x0b, 0xe6, 0xb1, 0x89, 0xe3, 0xad);


typedef interface DECLSPEC_UUID("ea15c288-8226-4b70-acf6-0be6b189e3ad")
    IDebugFailureAnalysis2* PDEBUG_FAILURE_ANALYSIS2;

//
// Interface to query analysis data
//
#undef INTERFACE
#define INTERFACE IDebugFailureAnalysis2
DECLARE_INTERFACE_(IDebugFailureAnalysis2, IUnknown)
{
    // IUnknown.
    STDMETHOD(QueryInterface)(
        THIS_
        IN REFIID InterfaceId,
        OUT PVOID* Interface
        ) PURE;
    STDMETHOD_(ULONG, AddRef)(
        THIS
        ) PURE;
    STDMETHOD_(ULONG, Release)(
        THIS
        ) PURE;

    // IDebugFailureAnalysis2.

    // Target class for the given failure
    STDMETHOD_(ULONG, GetFailureClass)(
        THIS
        ) PURE;
    // Type of failure being analyzed
    STDMETHOD_(DEBUG_FAILURE_TYPE, GetFailureType)(
        THIS
        ) PURE;
    // Failure code: Bugcheck code for kernel mode,
    // exception code for user mode
    STDMETHOD_(ULONG, GetFailureCode)(
        THIS
        ) PURE;
    // Lookup FA_ENTRY by tag
    // Returns NULL if tag is not found
    STDMETHOD_(PFA_ENTRY, Get)(
        THIS_
        _In_ FA_TAG Tag
        ) PURE;
    // Looks up next FA_ENTRY after the given 'Entry' by
    // matching with Tag and TagMask
    // Returns NULL if tag is not found
    STDMETHOD_(PFA_ENTRY, GetNext)(
        THIS_
        _In_ PFA_ENTRY Entry,
        _In_ FA_TAG Tag,
        _In_ FA_TAG TagMask
        ) PURE;
    // Looks up FA_ENTRY by tag and copies its string value
    // Returns NULL if tag is not found
    // NOTE(review): MaxSize is annotated as an element count here, while
    // IDebugFailureAnalysis::GetString annotates it in bytes; for PSTR the
    // two coincide, but callers should still size Str in bytes.
    STDMETHOD_(PFA_ENTRY, GetString)(
        THIS_
        _In_ FA_TAG Tag,
        _Out_writes_(MaxSize) PSTR Str,
        _In_ ULONG MaxSize
        ) PURE;
    // Looks up FA_ENTRY by tag and copies its data value
    // Returns NULL if tag is not found
    STDMETHOD_(PFA_ENTRY, GetBuffer)(
        THIS_
        _In_ FA_TAG Tag,
        _Out_writes_bytes_(Size) PVOID Buf,
        _In_ ULONG Size
        ) PURE;
    // Looks up FA_ENTRY by tag and copies its ULONG value
    // Returns NULL if tag is not found
    STDMETHOD_(PFA_ENTRY, GetUlong)(
        THIS_
        _In_ FA_TAG Tag,
        _Out_ PULONG Value
        ) PURE;
    // Looks up FA_ENTRY by tag and copies its ULONG64 value
    // Returns NULL if tag is not found
    STDMETHOD_(PFA_ENTRY, GetUlong64)(
        THIS_
        _In_ FA_TAG Tag,
        _Out_ PULONG64 Value
        ) PURE;
    // Looks up next FA_ENTRY after the given 'Entry'
    // Returns NULL if tag is not found
    STDMETHOD_(PFA_ENTRY, NextEntry)(
        THIS_
        _In_opt_ PFA_ENTRY Entry
        ) PURE;
    // Sets the given String for corresponding tag
    // It overwrites the value if tag is already
    // present.
    STDMETHOD_(PFA_ENTRY, SetString)(
        THIS_
        FA_TAG Tag,
        PCSTR Str
        ) PURE;
    // Sets the given extension command and its
    // argument for corresponding tag
    // It overwrites the value if tag is already
    // present.
    STDMETHOD_(PFA_ENTRY, SetExtensionCommand)(
        THIS_
        FA_TAG Tag,
        PCSTR Extension
        ) PURE;
    // Sets the given ULONG value for corresponding tag
    // It overwrites the value if tag is already
    // present.
    STDMETHOD_(PFA_ENTRY, SetUlong)(
        THIS_
        FA_TAG Tag,
        _In_ ULONG Value
        ) PURE;
    // Sets the given ULONG64 value for corresponding tag
    // It overwrites the value if tag is already
    // present.
    STDMETHOD_(PFA_ENTRY, SetUlong64)(
        THIS_
        FA_TAG Tag,
        _In_ ULONG64 Value
        ) PURE;
    // Sets the given Buffer value for corresponding tag
    // It overwrites the value if tag is already
    // present.
    STDMETHOD_(PFA_ENTRY, SetBuffer)(
        THIS_
        FA_TAG Tag,
        _In_ FA_ENTRY_TYPE EntryType,
        _In_reads_bytes_(Size) PVOID Buf,
        _In_ ULONG Size
        ) PURE;
    // Sets the given String for corresponding tag
    // It adds a new entry even if tag is already
    // present.
    STDMETHOD_(PFA_ENTRY, AddString)(
        THIS_
        FA_TAG Tag,
        _In_ PSTR Str
        ) PURE;
    // Sets the given extension command and its
    // argument for corresponding tag in a new entry
    STDMETHOD_(PFA_ENTRY, AddExtensionCommand)(
        THIS_
        FA_TAG Tag,
        _In_ PCSTR Extension
        ) PURE;
    // Sets the given ULONG value for corresponding tag
    // in a new entry
    STDMETHOD_(PFA_ENTRY, AddUlong)(
        THIS_
        FA_TAG Tag,
        _In_ ULONG Value
        ) PURE;
    // Sets the given ULONG64 value for corresponding tag
    // in a new entry
    STDMETHOD_(PFA_ENTRY, AddUlong64)(
        THIS_
        FA_TAG Tag,
        _In_ ULONG64 Value
        ) PURE;
    // Sets the given Buffer value for corresponding tag
    // in a new entry
    STDMETHOD_(PFA_ENTRY, AddBuffer)(
        THIS_
        FA_TAG Tag,
        _In_ FA_ENTRY_TYPE EntryType,
        _In_reads_bytes_(Size) PVOID Buf,
        _In_ ULONG Size
        ) PURE;
    // Get the interface to query and set meta-data about
    // failure analysis tags
    STDMETHOD(GetDebugFATagControl)(
        THIS_
        _Out_ IDebugFAEntryTags** FATagControl
        ) PURE;
    // Generates and returns XML fragment from analysis data
    STDMETHOD(GetAnalysisXml)(
        THIS_
        // Do not force clients to unnecessarily include msxml, use IUnknown if it's not included
#ifdef __IXMLDOMElement_FWD_DEFINED__
        _Out_ IXMLDOMElement** pAnalysisXml
#else
        _Out_ IUnknown** pAnalysisXml
#endif
        ) PURE;

    // Adds another analysis object as structured data
    // in a new entry
    STDMETHOD(AddStructuredAnalysisData)(
        THIS_
        FA_TAG Tag,
        _In_ IDebugFailureAnalysis2 *Analysis
        ) PURE;
};

//
// Analysis control flags
//
// Analyzer doesn't lookup database for information about failure
#define FAILURE_ANALYSIS_NO_DB_LOOKUP 0x0001
// Produces verbose analysis output
#define FAILURE_ANALYSIS_VERBOSE 0x0002
// Assumes target is hung when doing analysis
#define FAILURE_ANALYSIS_ASSUME_HANG 0x0004
// Ignores manual breakin state and continues forward with analysis
#define FAILURE_ANALYSIS_IGNORE_BREAKIN 0x0008
// Sets the analysis failure context after finishing up analysis
#define FAILURE_ANALYSIS_SET_FAILURE_CONTEXT 0x0010
// Analyze the exception as if it were a hang
#define FAILURE_ANALYSIS_EXCEPTION_AS_HANG 0x0020
// Support Autobug processing
#define FAILURE_ANALYSIS_AUTOBUG_PROCESSING 0x0040
// Produces xml analysis output
#define FAILURE_ANALYSIS_XML_OUTPUT 0x0080
// produces XML representations of callstacks
#define FAILURE_ANALYSIS_CALLSTACK_XML 0x0100
// Adds cabbed registry data to analysis tags
#define FAILURE_ANALYSIS_REGISTRY_DATA 0x0200
// Adds cabbed WMI query data to analysis tags
#define FAILURE_ANALYSIS_WMI_QUERY_DATA 0x0400
// Adds user analysis attribute list as analysis data
#define FAILURE_ANALYSIS_USER_ATTRIBUTES 0x0800
// produces XML listing of loaded and unloaded modules
#define FAILURE_ANALYSIS_MODULE_INFO_XML 0x1000
// skip image corruption analysis
#define FAILURE_ANALYSIS_NO_IMAGE_CORRUPTION 0x2000
// Automatically sets symbol and image path if no symbols are currently available
#define FAILURE_ANALYSIS_AUTOSET_SYMPATH 0x4000
// All Attributes to XML
#define FAILURE_ANALYSIS_USER_ATTRIBUTES_ALL 0x8000
// interlace stack frames with attributes for xml
#define FAILURE_ANALYSIS_USER_ATTRIBUTES_FRAMES 0x10000
// analyze multiple targets if available
#define FAILURE_ANALYSIS_MULTI_TARGET 0x20000
// Show source line information in STACK_TEXT. Switching on this option has significant perf impact otherwise
#define FAILURE_ANALYSIS_SHOW_SOURCE 0x40000
// Print wait chain stacks
#define FAILURE_ANALYSIS_SHOW_WCT_STACKS 0x80000
// Create basic DebugFailureAnalysis instance
#define FAILURE_ANALYSIS_CREATE_INSTANCE 0x100000

// GetFailureAnalysis Extension function, deprecated
typedef HRESULT
(WINAPI* EXT_GET_FAILURE_ANALYSIS)(
    IN PDEBUG_CLIENT4 Client,
    IN ULONG Flags,
    OUT PDEBUG_FAILURE_ANALYSIS* Analysis
    );

//
// Function signature for GetDebugFailureAnalysis extension-function
// from ext.dll.
// This analyzes failure state of current target and returns
// analysis results in Analysis object
//
typedef HRESULT
(WINAPI* EXT_GET_DEBUG_FAILURE_ANALYSIS)(
    _In_ PDEBUG_CLIENT4 Client,
    _In_ ULONG Flags,                  // FAILURE_ANALYSIS_* bits above
    _In_ CLSID pIIdFailureAnalysis,    // must be IID_IDebugFailureAnalysis2
    _Out_ PDEBUG_FAILURE_ANALYSIS2* Analysis
    );

//
// This determines the analysis phase during which a registered
// analysis-plugin is invoked. The extensions can register their
// plugin along with one or more of these flags to control the
// time when the plugin gets called.
//
typedef enum _FA_EXTENSION_PLUGIN_PHASE
{
    // Extension plugin is invoked after the primary data such as
    // exception record (for user mode) / bugcheck code (for kernel
    // mode) is initialized
    FA_PLUGIN_INITILIZATION = 0x0001,
    // Extension plugin is invoked after the stack is analyzed and
    // the analysis has the information about faulting symbol and
    // module if it were available on stack
    FA_PLUGIN_STACK_ANALYSIS = 0x0002,
    // Extension plugin is invoked just before generating bucket.
    FA_PLUGIN_PRE_BUCKETING = 0x0004,
    // Extension plugin is invoked just after generating bucket.
    FA_PLUGIN_POST_BUCKETING = 0x0008,
} FA_EXTENSION_PLUGIN_PHASE;

//
// Function signature for custom analyzer entry point in a
// registered analysis-plugin dll.
//
typedef HRESULT
(WINAPI* EXT_ANALYSIS_PLUGIN)(
    _In_ PDEBUG_CLIENT4 Client,
    _In_ FA_EXTENSION_PLUGIN_PHASE CallPhase,
    _In_ PDEBUG_FAILURE_ANALYSIS2 pAnalysis
    );

// Returns a set of FA_ENTRY pointers; Count is in/out (PULONG).
typedef HRESULT
(WINAPI* EXT_GET_FA_ENTRIES_DATA)(
    IN PDEBUG_CLIENT4 Client,
    IN PULONG Count,
    OUT PFA_ENTRY* Entries
    );

//
// Typedef for extension function GetManagedObjectName in sos.dll
// cbName: size of szName — the "cb" prefix suggests bytes; confirm against sos.dll
//
typedef HRESULT
(WINAPI* EXT_GET_MANAGED_OBJECTNAME)(
    PDEBUG_CLIENT Client,
    ULONG64 objAddr,
    PSTR szName,
    ULONG cbName
    );

//
// Typedef for extension function GetManagedObjectFieldInfo in sos.dll
//
typedef HRESULT
(WINAPI* EXT_GET_MANAGED_OBJECT_FIELDINFO)(
    PDEBUG_CLIENT Client,
    ULONG64 objAddr,
    PSTR szFieldName,
    PULONG64 pValue,
    PULONG pOffset
    );

//
// Typedef for extension function GetManagedExcepStack in sos.dll
// cbString: size of szStackString — presumably bytes; confirm against sos.dll
//
typedef HRESULT
(WINAPI* EXT_GET_MANAGED_EXCEPSTACK)(
    PDEBUG_CLIENT Client,
    ULONG64 StackObjAddr,
    PSTR szStackString,
    ULONG cbString
    );

//
// Typedef for extension function StackTrace in sos.dll
// Text is returned as WCHAR; puiTextLength and puiTransitionContextCount
// are in/out size_t pointers, uiSizeOfContext sizes one transition context.
//
typedef HRESULT
(WINAPI* EXT_GET_MANAGED_STACKTRACE)(
    PDEBUG_CLIENT Client,
    WCHAR wszTextOut[],
    size_t *puiTextLength,
    LPVOID pTransitionContexts,
    size_t *puiTransitionContextCount,
    size_t uiSizeOfContext,
    ULONG Flags);


/*****************************************************************************
  Target info
*****************************************************************************/
// Coarse OS family of the debug target; NUM_WIN is the count, not a version.
typedef enum _OS_TYPE {
    WIN_95,
    WIN_98,
    WIN_ME,
    WIN_NT4,
    WIN_NT5,
    WIN_NT5_1,
    WIN_NT5_2,
    WIN_NT6_0,
    WIN_NT6_1,
    NUM_WIN,
} OS_TYPE;


//
// Info about OS installed
//
typedef struct _OS_INFO {
    ULONG MajorVer;                 // Os major version
    ULONG MinorVer;                 // Os minor version
    ULONG Build;                    // Os build number
    ULONG BuildQfe;                 // Os build QFE number
    ULONG ProductType;              // NT, LanMan or Server
    ULONG Suite;                    // OS flavour - per, SmallBusiness etc.
    ULONG Revision;
    struct {
        ULONG Checked:1;            // If it's a checked build
        ULONG Pae:1;                // True for Pae systems
        ULONG MultiProc:1;          // True for multiproc enabled OS
        ULONG Reserved:29;
    } s;
    ULONG SrvPackNumber;            // Service pack number of OS
    ULONG ServicePackBuild;         // Service pack build
    ULONG Architecture;             // Architecture name such as x86, ia64 or x64
    ULONG Lcid;                     // Language id
    // Fixed-size CHAR buffers; termination is not guaranteed by the type.
    CHAR Name[64];                  // Short name of OS
    CHAR FullName[256];             // Full name of OS including SP, Suite, product
    CHAR Language[30];              // OS language
    CHAR BuildVersion[64];          // Build version string
    CHAR ServicePackString[64];     // Service pack string
} OS_INFO, *POS_INFO;

typedef struct _CPU_INFO {
    ULONG Type;                     // Processor type as in IMAGE_FILE_MACHINE types
    ULONG NumCPUs;                  // Actual number of Processors
    ULONG CurrentProc;              // Current processor
    // NumCPUs is the live count; the array itself is fixed at
    // CROSS_PLATFORM_MAXIMUM_PROCESSORS, so index by NumCPUs only after
    // checking it against that bound.
    DEBUG_PROCESSOR_IDENTIFICATION_ALL ProcInfo[CROSS_PLATFORM_MAXIMUM_PROCESSORS];
    ULONG Mhz;                      // Processor speed (from currentproc.prcb)
} CPU_INFO, *PCPU_INFO;

#define MAX_STACK_IN_BYTES 4096

// SizeOfStruct is a versioning field; callers set it to sizeof(TARGET_DEBUG_INFO).
typedef struct _TARGET_DEBUG_INFO {
    ULONG SizeOfStruct;
    ULONG64 EntryDate;              // Date created
    ULONG DebugeeClass;             // Kernel / User mode
    ULONG64 SysUpTime;              // System Up time
    ULONG64 AppUpTime;              // Application up time
    ULONG64 CrashTime;              // Time system / app crashed
    OS_INFO OsInfo;                 // OS details
    CPU_INFO Cpu;                   // Processor details
    CHAR DumpFile[MAX_PATH];        // Dump file name if it's a dump
} TARGET_DEBUG_INFO, *PTARGET_DEBUG_INFO;

// GetTargetInfo
typedef HRESULT
(WINAPI* EXT_TARGET_INFO)(
    PDEBUG_CLIENT4 Client,
    PTARGET_DEBUG_INFO pTargetInfo
    );


typedef struct _DEBUG_DECODE_ERROR {
    ULONG SizeOfStruct;             // Must be == sizeof(DEBUG_DECODE_ERROR)
    ULONG Code;                     // Error code to be decoded
    BOOL TreatAsStatus;             // True if code is to be treated as Status
    CHAR Source[64];                // Source from where we got decoded message
    CHAR Message[MAX_PATH];         // Message string for error code
} DEBUG_DECODE_ERROR, *PDEBUG_DECODE_ERROR;

/*
  Decodes and prints the given error code - DecodeError
*/
typedef VOID
(WINAPI *EXT_DECODE_ERROR)(
    PDEBUG_DECODE_ERROR pDecodeError
    );

//
// ext.dll: GetTriageFollowupFromSymbol
//
// This returns owner info from a given symbol name
//
typedef struct _DEBUG_TRIAGE_FOLLOWUP_INFO {
    ULONG SizeOfStruct;             // Must be == sizeof (DEBUG_TRIAGE_FOLLOWUP_INFO)
    ULONG OwnerNameSize;            // Size of allocated buffer (unit not stated here; presumably bytes)
    PCHAR OwnerName;                // Followup owner name returned in this
                                    // Caller should initialize the name buffer
                                    // (caller-owned; the callee writes into it)
} DEBUG_TRIAGE_FOLLOWUP_INFO, *PDEBUG_TRIAGE_FOLLOWUP_INFO;

// Return values of EXT_TRIAGE_FOLLOWUP
#define TRIAGE_FOLLOWUP_FAIL 0
#define TRIAGE_FOLLOWUP_IGNORE 1
#define TRIAGE_FOLLOWUP_DEFAULT 2
#define TRIAGE_FOLLOWUP_SUCCESS 3

typedef DWORD
(WINAPI *EXT_TRIAGE_FOLLOWUP)(
    _In_ PDEBUG_CLIENT4 Client,
    _In_ PCSTR SymbolName,
    OUT PDEBUG_TRIAGE_FOLLOWUP_INFO OwnerInfo
    );

typedef HRESULT
(WINAPI *EXT_RELOAD_TRIAGER)(
    _In_ PDEBUG_CLIENT4 Client
    );


//
// Struct to receive data from syzdata.XML file cabbed along with the dump
//
typedef struct _EXT_CAB_XML_DATA {
    ULONG SizeOfStruct;             // Must be == sizeof(_EXT_CAB_XML_DATA)
    PCWSTR XmlObjectTag;            // Look for text under this tag
    ULONG NumSubTags;               // Number of subtags
    struct _SUBTAGS {
        PCWSTR SubTag;              // Look for text under this sub-tag of XmlObjectTag
        PCWSTR MatchPattern;        // Match the text with MatchPattern according to MatchType
        PWSTR ReturnText;           // Return the matched text in ReturnText, multiple
                                    // matches are returned in multistring
        ULONG ReturnTextSize;       // Size of ReturnText in bytes
                                    // (ReturnText is PWSTR, so this is NOT a WCHAR count)
        ULONG MatchType:3;          // 0: Prefix match, 2: In-text match 1: Suffix match
        ULONG Reserved:29;
        ULONG Reserved2;
    } SubTags[1];                   // Declared with one element; NumSubTags entries are
                                    // presumably expected to follow in the same allocation,
                                    // so the caller must size the allocation accordingly.
} EXT_CAB_XML_DATA, *PEXT_CAB_XML_DATA;

typedef HRESULT
(WINAPI *EXT_XML_DATA)(
    PDEBUG_CLIENT4 Client,
    PEXT_CAB_XML_DATA pXmpData
    );

//
// Driver Info as read from sysdata.xml
//
typedef struct XML_DRIVER_NODE_INFO {
    CHAR FileName[64];              // MAX_MODULE_STRLEN
    ULONG64 FileSize;
    ULONG64 CreationDate;
    CHAR Version[64];               // MAX_VERSION_STRLEN
    CHAR Manufacturer[MAX_PATH];
    CHAR ProductName[MAX_PATH];
    CHAR Group[MAX_PATH];
    CHAR Altitude[MAX_PATH];
} XML_DRIVER_NODE_INFO, *PXML_DRIVER_NODE_INFO;

//
// Extension function type definition for dlls which want to export analyzer
// function to be used by !analyze to gather component specific data
//

#define EXT_ANALYZER_FLAG_MOD 0x00000001
#define EXT_ANALYZER_FLAG_ID 0x00000002

typedef HRESULT
(WINAPI *EXT_ANALYZER)(
    _In_opt_ PDEBUG_CLIENT Client,
    _Out_writes_bytes_(cbBucketSuffix) PSTR BucketSuffix,   // The additional suffix analyzer wants to
                                                            // be added to !analyze BUCKET_ID to better distinguish this bucket
    _In_ ULONG cbBucketSuffix,                              // byte count of BucketSuffix buffer supplied
    _Out_writes_bytes_(cbDebugText) PSTR DebugText,         // The debugging text (optional) which !analyze
                                                            // should print out to help people debugging this failure
    _In_ ULONG cbDebugText,                                 // byte count of DebugText buffer supplied
    _In_ PULONG Flags,                                      // Flags that control the bucketing
    _In_ PDEBUG_FAILURE_ANALYSIS pAnalysis                  // Data for current analysis
    );

//
// Data queried about processor, returned as part of analysis tag DEBUG_FLR_PROCESSOR_INFO
//
typedef struct _DEBUG_ANALYSIS_PROCESSOR_INFO {
    ULONG SizeOfStruct;             // must be == sizeof(DEBUG_ANALYSIS_PROCESSOR_INFO)
    ULONG Model;
    ULONG Family;
    ULONG Stepping;
    ULONG Architecture;
    ULONG Revision;
    ULONG CurrentClockSpeed;
    ULONG CurrentVoltage;
    ULONG MaxClockSpeed;
    ULONG ProcessorType;
    CHAR DeviceID[32];
    CHAR Manufacturer[64];
    CHAR Name[64];
    CHAR Version[64];
    CHAR Description[64];
} DEBUG_ANALYSIS_PROCESSOR_INFO, *PDEBUG_ANALYSIS_PROCESSOR_INFO;


// Queried target build binary dir, the build dir string is returned in pData
// pQueryInfo must be null
#define EXTDLL_DATA_QUERY_BUILD_BINDIR 1
#define EXTDLL_DATA_QUERY_BUILD_SYMDIR 2
#define EXTDLL_DATA_QUERY_BUILD_WOW64SYMDIR 3
#define EXTDLL_DATA_QUERY_BUILD_WOW64BINDIR 4

#define EXTDLL_DATA_QUERY_BUILD_BINDIR_SYMSRV 11
#define EXTDLL_DATA_QUERY_BUILD_SYMDIR_SYMSRV 12
#define EXTDLL_DATA_QUERY_BUILD_WOW64SYMDIR_SYMSRV 13
#define EXTDLL_DATA_QUERY_BUILD_WOW64BINDIR_SYMSRV 14

//
// Extension function ExtDllQueryDataByTag exported by ext.dll to query
// various data values. The allowed tag values are defined above
//
typedef HRESULT
(WINAPI *EXTDLL_QUERYDATABYTAG)(
    _In_ PDEBUG_CLIENT4 Client,
    _In_ ULONG dwDataTag,
    _In_ PVOID pQueryInfo,
    _Out_writes_bytes_(cbData) PBYTE pData,
    _In_ ULONG cbData
    );

//
// This is an extension of the function ExtDllQueryDataByTagEx exported by ext.dll to query
// various data values. This function will return the Path-Non_existing buildName/UNC path value.
//
typedef HRESULT
(WINAPI *EXTDLL_QUERYDATABYTAGEX)(
    _In_ PDEBUG_CLIENT4 Client,
    _In_ ULONG dwDataTag,
    _In_ PVOID pQueryInfo,
    _Out_writes_bytes_(cbData) PBYTE pData,
    _In_ ULONG cbData,
    _Out_writes_bytes_(cbDataEx) PBYTE pDataEx,
    _In_ ULONG cbDataEx
    );

// NOTE(review): the #ifndef/#define _EXTAPIS_H that this closes is outside
// this view; the declarations that follow sit under the outer _EXTFNS_H guard only.
#endif // _EXTAPIS_H


//
// Function exported from ntsdexts.dll
//
typedef HRESULT
(WINAPI *EXT_GET_HANDLE_TRACE)(
    PDEBUG_CLIENT Client,
    ULONG TraceType,
    ULONG StartIndex,
    PULONG64 HandleValue,
    PULONG64 StackFunctions,
    ULONG StackTraceSize
    );


//
// Functions exported from exts.dll
//

//
// GetEnvironmentVariable - gets environment variable value from the target
//
typedef HRESULT
(WINAPI* EXT_GET_ENVIRONMENT_VARIABLE)(
    ULONG64 Peb,                    // Peb address where variable resides, 0 for default
    PSTR Variable,                  // Env Variable name
    PSTR Buffer,                    // Buffer to receive the value in
    ULONG BufferSize                // size of buffer (unit not stated here; presumably bytes)
    );




/*++

  Structures defined that are used to pass data
  between ext.dll & wmiTrace.dll debug extensions

--*/



typedef enum _TANALYZE_RETURN{
    NO_TYPE,
    PROCESS_END,
    EXIT_STATUS,
    DISK_READ_0_BYTES,
    DISK_WRITE,
    NT_STATUS_CODE,
}TANALYZE_RETURN;


// One log-event node; NextLogEvent is an untyped link (PVOID) —
// presumably to the next CKCL_DATA, confirm with the producer in wmiTrace.dll.
typedef struct _CKCL_DATA{
    PVOID NextLogEvent;
    CHAR * TAnalyzeString;
    TANALYZE_RETURN TAnalyzeReturnType;
}CKCL_DATA, *PCKCL_DATA;


// List head plus the heap the nodes were allocated from (ownership
// of the nodes is not documented here).
typedef struct _CKCL_LISTHEAD{
    PCKCL_DATA LogEventListHead;
    HANDLE Heap;
}CKCL_LISTHEAD,*PCKCL_LISTHEAD;


#endif // _EXTFNS_H