https://www.vergiliusproject.com/kernels/x86/Windows%202003/SP2/_KTHREAD

search DisableBoost

notice its offset is 0xa0

next struct _KWAIT_BLOCK WaitBlock[4]; //0xa8

i think it should be 0xa4, is there sth wrong ?

Version

Edition Windows 10 Pro
Version 20H2
OS build 19042.746

lkd> version
Windows 10 Kernel Version 19041 MP (8 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Edition build lab: 19041.1.amd64fre.vb_release.191206-1406

Problem

Home / Kernels / x64 / Windows 10 | 2016 / 2009 20H2 (October 2020 Update) / _MIPFNBLINK
build: 10.0.19041.508 - I'm not sure if the reason for the change is in the build version.
date: 2020-09-27

Described structure

Fix solution

Move the fields ShareCount, PageShareCountDeleteBit, PageShareCountLockBit to a separate structure inside the union.

//0x8 bytes (sizeof)
    struct _MIPFNBLINK
    {
        union
        {
            struct
            {
                ULONGLONG Blink : 36;                                             //0x0
                ULONGLONG NodeBlinkHigh : 20;                                     //0x0
                ULONGLONG TbFlushStamp : 4;                                       //0x0
                ULONGLONG Unused : 2;                                             //0x0
                ULONGLONG PageBlinkDeleteBit : 1;                                 //0x0
                ULONGLONG PageBlinkLockBit : 1;                                   //0x0
            };
            struct
            {
                ULONGLONG ShareCount : 62;                                        //0x0
                ULONGLONG PageShareCountDeleteBit : 1;                            //0x0
                ULONGLONG PageShareCountLockBit : 1;                              //0x0
            };
            ULONGLONG EntireField;                                              //0x0
            volatile LONGLONG Lock;                                             //0x0
            struct
            {
                ULONGLONG LockNotUsed : 62;                                       //0x0
                ULONGLONG DeleteBit : 1;                                          //0x0
                ULONGLONG LockBit : 1;                                            //0x0
            };
        };
    };

I often find myself looking at an x64 version of a structure and quickly want to check the x86 version for the same Windows release. My default instinct is always to swap the value in URL, but because the paths differ this doesn't typically work.

Ex:

• x86 url: https://www.vergiliusproject.com/kernels/x86/Windows%2010/1809%20Redstone%205%20(October%20Update)/_KTHREAD
• x64 url: https://www.vergiliusproject.com/kernels/x64/Windows%2010%20|%202016/1809%20Redstone%205%20(October%20Update)/_KTHREAD

It would be nice if the URLs used consistent paths across architectures or a button was added to quickly switch to the same Windows version and structure on the other architecture.

it seems Microsoft treats ARM64 seriously, so it makes sense to add ARM64 kernel structure too.

sometimes is needed to get the struct in a C header file - for loading it to Ida Pro or something.
However there are a lot of dependencies for each struct and in could lead for a dependencies hell trying to this manually.
An Export feature will be great

Windows 10 1903 is now out and in the public, it would be a good idea to update the website with the info for this version of the OS.

Having something like what the Terminus Project supports for readily showing changes made to a structure over time might be useful. At the moment one has to copy the text into a file and then diff these changes manually which is not a huge issue but from a usability perspective this could be done server side.

After a random click on a current web-page "copy" button stops working.

However it the raw data it's not:

    name: _ADAPTER_OBJECT
    id: 1339
    kind: STRUCT
    sizeof: 640
    data:
      -
        name: AdapterObject
        id: 1340
        offset: 0
        ordinal: 0

I’m interested whether or not it’s possible to retrieve structs based on Windows version from your website using an API.

Problem

https://www.vergiliusproject.com/kernels/x64/Windows%2010%20%7C%202016/2104%2021H1%20(May%202021%20Update)/_KPROCESS

Hi, Can you add new windows versions please?

• Windows 10 21H2 (19044.x)
• Windows 11 21H2 (22000.376)

Thank you in advance for your interest. - Furkan Kadir Güzeloğlu

Possibility to search by the size of a structure would help in cases when you know its size but not which structure it exactly is(or which possible structures there are with that size).

Thank you!

Could you add Windows 11 x64, please?
https://www.vergiliusproject.com/kernels/x64

Only the Startpage is loading, nothing else:
https://www.vergiliusproject.com

Right now the DIA SDK is only being run against ntoskrnl.exe, and not against other files such as win32kfull.sys. This means that often times more undocumented or hidden structures aren't being picked up and documented, despite tools from Microsoft themselves being available to gather this information.

Would like to propose that updates be made so that this tool is run against these extra files and the information be uploaded to the public website.

Speaking to the maintainers I was told that whilst one can do this with dia2dump.exe, they are using their own custom tool which uses the same DIA SDK that dia2dump.exe uses but outputs the data into YAML for easier parsing.

I think I found a small bug - when searching for kprcb (In the latest Win10 - https://www.vergiliusproject.com/kernels/x64/Windows%2010%20%7C%202016/2004%2020H1%20(May%202020%20Update), didn't test with other versions), there are 2 results for struct _KPRCB, both leading to the same page. In addition, in that page, under "Used in" section, the same struct (_KPRCB ) is listed, even though it doesn't appear in the struct...

As mentioned in issue #3, the ability to view differences between kernels would be very welcomed.
It helps interested readers to distinguish changes, especially when there's a git-alike diff view between structs.

VERSION
Windows 10 21H1

PROBLEM

the current union _KIDTENTRY64 is different from WinDbg and Intel Manual (p.3014 of 4778)

FIX

//0x10 bytes (sizeof)
union _KIDTENTRY64
{
    struct
    {
        USHORT OffsetLow;                                                   //0x0
        USHORT Selector;                                                    //0x2
        struct
        {
            USHORT IstIndex:3;                                              //0x4
            USHORT Reserved0:5;                                             //0x4
            USHORT Type:5;                                                  //0x4
            USHORT Dpl:2;                                                   //0x4
            USHORT Present:1;                                               //0x4
        };
                                                                                                             
        USHORT OffsetMiddle;                                                //0x6
        ULONG OffsetHigh;                                                   //0x8
        ULONG Reserved1;                                                    //0xc
    };
    ULONGLONG Alignment;                                                    //0x0
}; 

No semicolons after unnamed structures and unions.