$$ Author: Matthieu Suiche (msuiche / MoonSols)

$$ October 2011

$$ v 1.1

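$$ Column header for the timer listing.
$$ The line break is written as the \n escape so the string literal stays on
$$ one physical line. A literal spanning several lines breaks when the file is
$$ run in a mode that turns line breaks into command separators.
.printf "Offset DueTime Period(ms) Routine Signaled Module\n"

$$ $t2 = number of timer-table buckets the outer loop visits.
$$ r? uses the C++ evaluator, so 256 is decimal.
$$ NOTE(review): 256 is hard-coded. Confirm it matches the bucket count of the
$$ target build, otherwise buckets beyond it are never listed.
r? $t2 = 256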

.for (r $t1 = 0; @$t1 < @$t2; r $t1 = @$t1 + 1)

{

$$ Load into $t3 the Flink of bucket $t1, using the layout that matches the
$$ target build. low(dwo(nt!NtBuildNumber)) keeps the low 16 bits of the value.
.block
{
    .if (low(dwo(nt!NtBuildNumber)) < 0n7600)
    {
        $$ Windows XP
        $$ Buckets are an array of _LIST_ENTRY at nt!KiTimerTableListHead.
        $$ NOTE(review): every build below 7600 takes this path. Confirm the
        $$ layout holds for builds other than the one the author tested.
        r $t3 = nt!KiTimerTableListHead + (@@c++(sizeof(nt!_LIST_ENTRY)) * @$t1)
        r? $t3 = ((nt!_LIST_ENTRY *)@$t3)->Flink
    }
    .else
    {
        $$ Windows 7
        $$ Buckets live in the timer table reached through @$pcr.
        $$ NOTE(review): @$pcr presumably describes the current processor only,
        $$ so timers queued on other processors would not appear. Confirm and
        $$ rerun per processor if so.
        r? $t3 = @$pcr->PrcbData.TimerTable.TimerEntries[@$t1].Entry.Flink
    }
}

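$$ Walk the linked timer list that starts at $t3 and print one row for every
$$ timer that carries a recognised DPC object.
$$ Register roles:
$$   $t3  first entry of the bucket, also the loop terminator
$$   $t4  current LIST_ENTRY address
$$   $t5  current nt!_KTIMER
$$   $t6  the timer's Dpc pointer
$$   $t7  1 when Header.Type is a timer type
$$   $t8  1 when the DPC Type is recognised, also reused as the loop guard
r? $t4 = @$t3
r? $t5 = 0
r $t8 = 0

.while (@$t5 != @$t3)
{
    $$ Step back from the embedded TimerListEntry to the start of the _KTIMER.
    r $t5 = (@$t4 - @@c++(#FIELD_OFFSET(nt!_KTIMER, TimerListEntry)));
    r? $t5 = (nt!_KTIMER *)@$t5;
    $$ ? @$t5

    $$ NOTE(review): Dpc is read here, before the $vvalid check on $t5 below.
    r? $t6 = @$t5->Dpc

    .if ($vvalid(@$t5, 1))
    {
        r $t7 = 0

        $$ TimerNotificationObject
        .if (@@c++(@$t5->Header.Type) == 8) { r $t7 = 1 }

        $$ TimerSynchronizationObject
        $$ Fixed: the comparison value was written as 8-9, which can never equal
        $$ Header.Type, so synchronization timers and their DPC routines were
        $$ silently left out of the listing.
        .if (@@c++(@$t5->Header.Type) == 9) { r $t7 = 1 }

        $$ Is type valid
        $$ NOTE(review): entries failing these type checks are skipped without
        $$ any output. The checked values come from target memory, so an entry
        $$ with an altered Type field will not be reported here.
        .if (@$t7)
        {
            .if ($vvalid(@$t6, 1))
            {
                r $t8 = 0

                .if (@@c++(@$t6->DeferredRoutine))
                {
                    $$ http://msdn.moonsols.com/win7rtm_x86/KOBJECTS.html
                    $$ DpcObject = 19 /*0x13*/,
                    .if (@@c++(@$t6->Type) == 0n19) { r $t8 = 1 }

                    $$ ThreadedDpcObject = 24 /*0x18*/
                    .if (@@c++(@$t6->Type) == 0n24) { r $t8 = 1 }
                }

                .if (@$t8)
                {
                    $$ Row: timer address, DueTime high:low, period, DPC
                    $$ address, signal state, then the symbol nearest to
                    $$ DeferredRoutine.
                    .printf "%p %08X:%08X ", @$t5, @@c++(@$t5->DueTime.HighPart), @@c++(@$t5->DueTime.LowPart)

                    .if (@@c++(@$t5->Period) > 0)
                    {
                        .printf "%8d ", @@c++(@$t5->Period)
                    }
                    .else
                    {
                        .printf "-------- "
                    }

                    .printf " %p ", @$t6

                    .if (@@c++(@$t5->Header.SignalState)) { .printf "Yes" } .else { .printf "---" }

                    .printf " %ly ", @@c++(@$t6->DeferredRoutine)

                    $$ Line break written as an escape so the literal stays on
                    $$ one physical line.
                    .printf "\n"
                }
            }

            $$ NOTE(review): $t8 is reset whenever the Dpc pointer is readable,
            $$ so it only accumulates across consecutive timers whose Dpc
            $$ pointer is not readable. See the guard at the end of the loop.
            r $t8 = @$t8 + 1
        }
        $$ .else
        $$ {
        $$ .printf "(%3d) %p %08X:%08X ", @$t1, @$t5, @@c++(@$t5->DueTime.HighPart), @@c++(@$t5->DueTime.LowPart)
        $$ .if (@@c++(@$t5->Header.SignalState)) { .printf "Yes" } .else { .printf "---" }
        $$ }
    }

    $$ Advance to the next list entry.
    r? $t4 = @$t5->TimerListEntry.Flink
    r? $t5 = @$t4

    $$ Stop when the link points at itself.
    .if (@$t5 == poi(@$t5)) { .break }

    $$ Ugly hack to avoid infinite loop, in case a linked list is broken.
    $$ NOTE(review): because $t8 doubles as the DPC flag, this guard does not
    $$ bound the walk in general. It can also cut a bucket short after a run of
    $$ timers without a readable Dpc pointer, hiding later entries. A dedicated
    $$ counter register would make the bound explicit.
    .if (@$t8 > 10) { .break }
}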