win: Add thread snapshot and memory snapshot for stacks

util/win/process_structs.h

Index: util/win/process_structs.h
diff --git a/util/win/process_structs.h b/util/win/process_structs.h
index ece6089601ce08d4afa3af9057e46d3a32b47e2b..750c698f78026b359182b122cf39fa66471189f2 100644
--- a/util/win/process_structs.h
+++ b/util/win/process_structs.h
@@ -281,6 +281,102 @@ struct PEB {
   DWORD FlsHighIndex;
 };
 
+template <class Traits>
+struct NT_TIB {
+  typename Traits::Pointer ExceptionList;
+  typename Traits::Pointer StackBase;
+  typename Traits::Pointer StackLimit;

[Mark Mentovai, 2015/05/08 16:54:21]

This is a size, so it’s more of an UnsignedIntegral, right?

[scottmg, 2015/05/08 18:24:02]

No, they're start/end pointers. Size is calculated in snapshot by subtracting.

+  typename Traits::Pointer SubSystemTib;
+  union {
+    typename Traits::Pointer FiberData;
+    BYTE Version[4];
+  };
+  typename Traits::Pointer ArbitraryUserPointer;
+  typename Traits::Pointer Self;
+};
+
+template <class Traits>
+struct CLIENT_ID {
+  typename Traits::Pointer UniqueProcess;
+  typename Traits::Pointer UniqueThread;
+};
+
+template <class Traits>
+struct SYSTEM_EXTENDED_THREAD_INFORMATION{

[Mark Mentovai, 2015/05/08 16:54:21]

Put a space before the {.

[Mark Mentovai, 2015/05/08 16:54:21]

I don’t see this in the SDK. If there’s a good reference for it, can you leave
it in a comment? Same (although less important) for CLIENT_ID.

[scottmg, 2015/05/08 18:24:02]

Done.

[scottmg, 2015/05/08 18:24:02]

Done.

+  LARGE_INTEGER KernelTime;
+  LARGE_INTEGER UserTime;
+  LARGE_INTEGER CreateTime;
+  union {
+    DWORD WaitTime;
+    typename Traits::Pad padding_for_x64_0;
+  };
+  typename Traits::Pointer StartAddress;
+  CLIENT_ID<Traits> ClientId;
+  LONG Priority;
+  LONG BasePriority;
+  ULONG ContextSwitches;
+  ULONG ThreadState;
+  union {
+    ULONG WaitReason;
+    typename Traits::Pad padding_for_x64_1;
+  };
+  typename Traits::Pointer StackBase;  // These don't appear to be correct.
+  typename Traits::Pointer StackLimit;

[Mark Mentovai, 2015/05/08 16:54:20]

This would be an UnsignedIntegral too.

[scottmg, 2015/05/08 18:24:02]

See above.

+  typename Traits::Pointer Win32StartAddress;
+  typename Traits::Pointer TebBase;
+  typename Traits::Pointer Reserved;

[Mark Mentovai, 2015/05/08 16:54:21]

No suspend count hiding out in any of these?

[scottmg, 2015/05/08 18:24:02]

They seem to be all 0 most of the time unfortunately. It has to be somewhere
nearby though, as it's the return value from Suspend/ResumeThread.

+  typename Traits::Pointer Reserved2;
+  typename Traits::Pointer Reserved3;
+};
+
+// See http://undocumented.ntinternals.net/source/usermode/undocumented%20functions/system%20information/structures/system_process_information.html
+template <class Traits>
+struct SYSTEM_PROCESS_INFORMATION {
+  ULONG NextEntryOffset;
+  ULONG NumberOfThreads;
+  LARGE_INTEGER Reserved[3];

[Mark Mentovai, 2015/05/08 16:54:21]

Some of the ntexapi.h things I found explain the reserved fields, but I’m not
sure if they’re reliable or less canonical.

[scottmg, 2015/05/08 18:24:02]

It seems like they were unused on older OSs, and have been filled in later. I
think I'll just leave them as unknown for now as I don't think we need any of
that data anyway.

+  LARGE_INTEGER CreateTime;
+  LARGE_INTEGER UserTime;
+  LARGE_INTEGER KernelTime;
+  UNICODE_STRING<Traits> ImageName;
+  union {
+    LONG BasePriority;
+    typename Traits::Pad padding_for_x64_0;
+  };
+  union {
+    DWORD UniqueProcessId;
+    typename Traits::Pad padding_for_x64_1;
+  };
+  union {
+    DWORD InheritedFromUniqueProcessId;
+    typename Traits::Pad padding_for_x64_2;
+  };
+  ULONG HandleCount;
+  ULONG Reserved2[3];
+  SIZE_T PeakVirtualSize;
+  SIZE_T VirtualSize;
+  union {
+    ULONG PageFaultCount;
+    typename Traits::Pad padding_for_x64_3;
+  };
+  SIZE_T PeakWorkingSetSize;
+  SIZE_T WorkingSetSize;
+  SIZE_T QuotaPeakPagedPoolUsage;
+  SIZE_T QuotaPagedPoolUsage;
+  SIZE_T QuotaPeakNonPagedPoolUsage;
+  SIZE_T QuotaNonPagedPoolUsage;
+  SIZE_T PagefileUsage;
+  SIZE_T PeakPagefileUsage;
+  SIZE_T PrivatePageCount;
+  LARGE_INTEGER ReadOperationCount;
+  LARGE_INTEGER WriteOperationCount;
+  LARGE_INTEGER OtherOperationCount;
+  LARGE_INTEGER ReadTransferCount;
+  LARGE_INTEGER WriteTransferCount;
+  LARGE_INTEGER OtherTransferCount;
+  SYSTEM_EXTENDED_THREAD_INFORMATION<Traits> Threads[1];
+};
+
 #pragma pack(pop)
 
 //! \}