Reading Notebook: 16-November-09

November 16th, 2009

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

ChangeServiceConfig2 (p. 292) - http://msdn.microsoft.com/en-us/library/ms681988(VS.85).aspx

sc qprivs <service name> (p. 293) - example for Terminal Service:

C:\Users\Administrator>sc qprivs TermService
[SC] QueryServiceConfig2 SUCCESS

SERVICE_NAME: TermService
        PRIVILEGES       : SeAssignPrimaryTokenPrivilege
                         : SeAuditPrivilege
                         : SeChangeNotifyPrivilege
                         : SeCreateGlobalPrivilege
                         : SeImpersonatePrivilege
                         : SeIncreaseQuotaPrivilege

Union of privileges for svchost.exe (p. 294)

Service SID (restricted and unrestricted) (p. 295)

process - window station - desktop - windows (p. 297) - an entity relationship diagram on slide 14 (Intro: Windows) in my past Selected Citrix Tools presentation: http://www.dumpanalysis.org/CitrixTools/Selected%20Citrix%20Troubleshooting%20Tools.htm

Hung non-interactive services waiting for user input (p. 298) - this partially inspired the Message Box crash dump analysis pattern: http://www.dumpanalysis.org/blog/index.php/2008/02/19/crash-dump-analysis-patterns-part-51/

SERVICE_INTERACTIVE_PROCESS Type modifier only for local system accounts (p. 298)

Shatter attacks by window messages (p. 299)

Interactive Services Detection (UI0Detect) service (p. 299)
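Added here as an example, not part of the original notes or of the book's text: a Python script that parses sc qprivs output of the kind shown above, computes the privilege union per shared svchost.exe group (p. 294) and flags the SERVICE_INTERACTIVE_PROCESS type modifier on services that do not run as LocalSystem (p. 298). The service names, groups, accounts and privilege sets are constructed sample data; the Type bit values are the winsvc.h constants.

```python
"""Privilege-union audit for shared svchost.exe service groups.

Added example (constructed sample data, not real services). It parses
`sc qprivs` output, groups services that share one svchost.exe instance and
reports the privileges each service gains only because a co-hosted service
required them, plus SERVICE_INTERACTIVE_PROCESS on non-LocalSystem accounts.
"""
import re
from collections import defaultdict

# Service Type bits from winsvc.h.
SERVICE_WIN32_OWN_PROCESS = 0x10
SERVICE_WIN32_SHARE_PROCESS = 0x20
SERVICE_INTERACTIVE_PROCESS = 0x100
LOCAL_SYSTEM = "LocalSystem"


def parse_sc_qprivs(text):
    """Return (service name, set of privileges) from `sc qprivs` output."""
    name = re.search(r"^SERVICE_NAME:\s*(\S+)", text, re.M).group(1)
    privs = set(re.findall(r":\s+(Se\w+Privilege)\b", text))
    return name, privs


def _group_key(rec):
    # Shared-process services pool their privileges in one svchost token;
    # an own-process service forms a group of one.
    return rec["group"] if rec["type"] & SERVICE_WIN32_SHARE_PROCESS else rec["name"]


def privilege_union(records):
    """Union of RequiredPrivileges per group: what the process token carries."""
    union = defaultdict(set)
    for rec in records:
        union[_group_key(rec)] |= rec["privs"]
    return dict(union)


def inherited_privileges(records):
    """Privileges a service holds only because a co-hosted service required them."""
    union = privilege_union(records)
    return {rec["name"]: union[_group_key(rec)] - rec["privs"] for rec in records}


def interactive_misconfigured(records):
    """SERVICE_INTERACTIVE_PROCESS is only meaningful for LocalSystem services."""
    return [rec["name"] for rec in records
            if rec["type"] & SERVICE_INTERACTIVE_PROCESS and rec["account"] != LOCAL_SYSTEM]


def load_record(qprivs_text, svc_type, account, group):
    name, privs = parse_sc_qprivs(qprivs_text)
    return {"name": name, "privs": privs, "type": svc_type, "account": account, "group": group}


# Constructed sample records: names, groups and privilege sets are made up.
SAMPLE_RECORDS = [
    load_record(
        "[SC] QueryServiceConfig2 SUCCESS\n\nSERVICE_NAME: SvcA\n"
        "        PRIVILEGES       : SeChangeNotifyPrivilege\n"
        "                         : SeImpersonatePrivilege\n",
        SERVICE_WIN32_SHARE_PROCESS, "NT AUTHORITY\\LocalService", "netsvcs"),
    load_record(
        "[SC] QueryServiceConfig2 SUCCESS\n\nSERVICE_NAME: SvcB\n"
        "        PRIVILEGES       : SeChangeNotifyPrivilege\n"
        "                         : SeAuditPrivilege\n"
        "                         : SeCreateGlobalPrivilege\n",
        SERVICE_WIN32_SHARE_PROCESS, "NT AUTHORITY\\LocalService", "netsvcs"),
    load_record(
        "[SC] QueryServiceConfig2 SUCCESS\n\nSERVICE_NAME: SvcC\n"
        "        PRIVILEGES       : SeChangeNotifyPrivilege\n",
        SERVICE_WIN32_OWN_PROCESS | SERVICE_INTERACTIVE_PROCESS,
        "NT AUTHORITY\\NetworkService", None),
]

if __name__ == "__main__":
    for name, extra in inherited_privileges(SAMPLE_RECORDS).items():
        print(f"{name}: inherits {sorted(extra) or 'nothing'} from its svchost peers")
    print("interactive flag on non-LocalSystem:", interactive_misconfigured(SAMPLE_RECORDS))
```

The point of the union check is least privilege: a service that only declares SeChangeNotifyPrivilege still runs in a token carrying SeImpersonatePrivilege if a peer in the same svchost group requires it, so the grouping itself is part of the service's effective privilege.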

- Dmitry Vostokov @ SoftwareGeneralist.com -

Reading Notebook: 09-November-09

November 9th, 2009

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

SApp - SCP - SCM (p. 282)

HKLM\S\CCS\Ss\<>\ErrorControl = 3, SERVICE_ERROR_CRITICAL (p. 284) - can be used to force a BSOD if service startup fails, for postmortem memory dump analysis of the failure

HKLM\S\CCS\Ss\<>\PreshutdownTimeout (p. 286)

HKLM\S\CCS\Ss\<>\RequiredPrivileges (p. 286)

Service threads (p. 287) - some typical thread stack traces can be seen in this case study, which also shows that the service main thread calls control handler functions: http://www.dumpanalysis.org/blog/index.php/2007/10/01/windows-service-crash-dumps-on-vista/

Service accounts (p. 288) - an attached WinDbg will not download symbols from the MS symbol server unless it is run as Administrator

- Dmitry Vostokov @ SoftwareGeneralist.com -

Reading Notebook: 29-October-09

October 29th, 2009

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

!reg hivelist -> viewlist -> db (pp. 274 - 275)

Registry cell index mapping as directory:table:offset (p. 275)

Registry key handle -> kcb (pp. 276 - 278)

Hive sync every 5 seconds, *.log{1|2} (pp. 278 - 279)

Registry filtering altitudes (p. 280)

Internal registry optimizations (pp. 280 - 281) - a good implementation case study if you need to devise your own database. Perhaps I will borrow some ideas for the next version of PDBFinder.

- Dmitry Vostokov @ SoftwareGeneralist.com -

Reading Notebook: 28-October-09

October 28th, 2009

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

TxR -> CLFS + \System32\Config\Txr (pp. 260 - 261)

Precedence of a non-transactional writer (p. 261)

Read-commit vs. predictable-read (p. 261)

Process Monitor internals (p. 262) - a rather short section, but it inspired yet another DebugWare pattern: http://www.dumpanalysis.org/blog/index.php/2009/10/28/debugware-patterns-part-11-2/

Process Monitor troubleshooting techniques (pp. 264 - 265) - a Process Monitor log is a kind of software trace, so the following growing list of patterns may be useful to keep in mind: http://www.dumpanalysis.org/blog/index.php/trace-analysis-patterns/

Surviving logoff (persistent processes) (pp. 265 - 266)

Service profiles are stored in \ServiceProfiles\{Local|Network}Service\Ntuser.dat (p. 267)

HKLM\S\CCS\C\hivelist shows hive to file name mapping (p. 267)

x64 paged pool for registry - x86 mapped views (p. 268)

System and Software hives support values of >1Mb (p. 269)

Bin - block - cell - cell index (pp. 270 - 272)
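Added here as an example, not part of the original notes or of the book's text, and serving both the cell index note (p. 275, directory:table:offset) and the bin/block/cell note (pp. 270 - 272): a Python parser that builds a tiny constructed hive image and then checks it the way an offline forensic tool would. It verifies the regf base block (signature, the two sequence numbers whose mismatch marks a hive left dirty between the 5-second syncs, and the XOR checksum), walks the hbin bins and their cells, and splits a 32-bit cell index into its storage bit, 10-bit directory index, 9-bit table index and 12-bit byte offset. All sizes, sequence numbers and cell contents are constructed sample values.

```python
"""Registry hive (regf) structure checks: base block, bins, cells, cell index.

Added example with a constructed hive image. Layout: 4 KB base block,
"hbin" bins built from 4 KB blocks, cells with a signed size header, and
32-bit cell indexes that are offsets past the base block.
"""
import struct

BASE_BLOCK_SIZE = 4096   # "regf" header; cell indexes are offsets past it
BLOCK_SIZE = 4096        # bins are whole multiples of one block
HBIN_HEADER_SIZE = 0x20


def decode_cell_index(cell_index):
    """Split an HCELL_INDEX into storage type, directory, table and offset
    (1 + 10 + 9 + 12 bits): the two-level mapping used to locate a cell."""
    return {
        "storage": "volatile" if cell_index >> 31 else "stable",
        "directory": (cell_index >> 21) & 0x3FF,
        "table": (cell_index >> 12) & 0x1FF,
        "offset": cell_index & 0xFFF,
    }


def base_block_checksum(block):
    """XOR of the first 127 DWORDs; 0 and 0xFFFFFFFF are remapped to 1 and
    0xFFFFFFFE so the stored checksum is never one of those two values."""
    x = 0
    for (dword,) in struct.iter_unpack("<I", block[:508]):
        x ^= dword
    return {0: 1, 0xFFFFFFFF: 0xFFFFFFFE}.get(x, x)


def parse_base_block(image):
    block = image[:BASE_BLOCK_SIZE]
    if block[:4] != b"regf":
        raise ValueError("bad base block signature")
    seq1, seq2 = struct.unpack_from("<II", block, 4)
    major, minor = struct.unpack_from("<II", block, 20)
    root_cell, bins_size = struct.unpack_from("<II", block, 36)
    (stored,) = struct.unpack_from("<I", block, 508)
    return {
        "sequence": (seq1, seq2),
        # seq1 != seq2: a write was interrupted between the two sequence
        # number updates; recovery needs the .LOG1/.LOG2 files.
        "dirty": seq1 != seq2,
        "version": f"{major}.{minor}",
        "root_cell": root_cell,
        "bins_size": bins_size,
        "checksum_ok": stored == base_block_checksum(block),
    }


def walk_cells(image, bin_start, bin_size):
    """Yield (cell index, size, allocated) for each cell in one bin.
    A negative size marks an allocated cell, a positive one a free cell."""
    pos, end = bin_start + HBIN_HEADER_SIZE, bin_start + bin_size
    while pos < end:
        (size,) = struct.unpack_from("<i", image, pos)
        if size == 0 or pos + abs(size) > end:
            raise ValueError(f"corrupt cell at file offset {pos:#x}")
        yield pos - BASE_BLOCK_SIZE, abs(size), size < 0
        pos += abs(size)


def walk_bins(image):
    """Return [(bin offset, bin size, [cells])] after checking each header."""
    bins, pos = [], BASE_BLOCK_SIZE
    end = BASE_BLOCK_SIZE + parse_base_block(image)["bins_size"]
    while pos < end:
        if image[pos:pos + 4] != b"hbin":
            raise ValueError(f"bad hbin signature at file offset {pos:#x}")
        bin_offset, bin_size = struct.unpack_from("<II", image, pos + 4)
        if bin_offset != pos - BASE_BLOCK_SIZE or bin_size == 0 or bin_size % BLOCK_SIZE:
            raise ValueError(f"inconsistent hbin header at file offset {pos:#x}")
        bins.append((bin_offset, bin_size, list(walk_cells(image, pos, bin_size))))
        pos += bin_size
    return bins


def build_sample_hive(seq1=7, seq2=7):
    """Constructed hive: one bin holding one allocated 'nk' cell and one free cell."""
    hbin = bytearray(BLOCK_SIZE)
    struct.pack_into("<4sII", hbin, 0, b"hbin", 0, BLOCK_SIZE)
    struct.pack_into("<i2s", hbin, HBIN_HEADER_SIZE, -0x60, b"nk")
    struct.pack_into("<i", hbin, HBIN_HEADER_SIZE + 0x60, BLOCK_SIZE - HBIN_HEADER_SIZE - 0x60)
    base = bytearray(BASE_BLOCK_SIZE)
    struct.pack_into("<4sII", base, 0, b"regf", seq1, seq2)
    struct.pack_into("<II", base, 20, 1, 3)                          # format version 1.3
    struct.pack_into("<II", base, 36, HBIN_HEADER_SIZE, BLOCK_SIZE)  # root cell, bins size
    struct.pack_into("<I", base, 508, base_block_checksum(bytes(base)))
    return bytes(base + hbin)


if __name__ == "__main__":
    hive = build_sample_hive()
    print(parse_base_block(hive))
    for off, size, cells in walk_bins(hive):
        print(f"hbin @ {off:#x} size {size:#x}: {cells}")
    print(decode_cell_index(0x80001234))
```

On disk a cell index is simply the byte offset from the end of the base block, so the table index picks the 4 KB block and the low 12 bits the position inside it; in memory the configuration manager uses the directory and table fields to find the mapped view of that block, which is why the same number is written as directory:table:offset.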

Disk Probe, dskprobe.exe (pp. 271 - 272)

- Dmitry Vostokov @ SoftwareGeneralist.com -

Reading Notebook: 22-October-09

October 22nd, 2009

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

REG_NONE and REG_QWORD (p. 251) - the former should have a purpose as a name switch

REG_LINK (pp. 251 - 252)

HKU\.DEFAULT as a local system profile (p. 253)

\Users location can be changed in HKLM\So\M\WNT\CV\ProfileList\ProfilesDirectory (p. 254)

BCDEdit is for HKLM\BCD, how to enable /DEBUG (pp. 255 - 257) - I also had to add more permissions to Administrators for the Elements key to be able to add modifications. Before editing:

C:\Users\Administrator>bcdedit

Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=C:
description             Windows Boot Manager
locale                  en-US
inherit                 {globalsettings}
default                 {current}
displayorder            {current}
toolsdisplayorder       {memdiag}
timeout                 30
resume                  No

Windows Boot Loader
-------------------
identifier              {current}

After editing:

C:\Users\Administrator>bcdedit

Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=C:
description             Windows Boot Manager
locale                  en-US
inherit                 {globalsettings}
default                 {current}
displayorder            {current}
toolsdisplayorder       {memdiag}
timeout                 30
resume                  No

Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \Windows\system32\winload.exe
description             Microsoft Windows Server 2008
locale                  en-US
inherit                 {bootloadersettings}
osdevice                partition=C:
systemroot              \Windows
resumeobject            {cc03280e-0762-11de-b63a-af7e963a0201}
nx                      OptOut
debug                   Yes

Pdh.dll (p. 260) - Typical stack trace in TS environments:

[...]
winsta!WinStationQueryInformationW+0x2a
perfts!CollectTSObjectData+0x12f
advapi32!QueryExtensibleData+0x617
advapi32!PerfRegQueryValue+0x536
advapi32!LocalBaseRegQueryValue+0x306
advapi32!RegQueryValueExW+0x96
pdh!GetSystemPerfData+0x83
pdh!GetQueryPerfData+0x7f
pdh!PdhiCollectQueryData+0x40
pdh!PdhCollectQueryData+0x42
[...]

- Dmitry Vostokov @ SoftwareGeneralist.com -

Reading Notebook: 15-October-09

October 15th, 2009

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

TxF <-> KTM <-> TxR (pp. 240 - 241) - how to use files transactionally (CreateFileTransacted): http://msdn.microsoft.com/en-us/library/aa365008(VS.85).aspx

hotpatching is actually 7 bytes: 2 from mov edi, edi and 5 from the previous function (p. 243) - impressive combination of near and far jumps

KPP (PatchGuard) (pp. 244 - 246)

DKOM, direct kernel object modification (p. 245) - looks like subclassing in kernel

Bugcheck 109 - CRITICAL_STRUCTURE_CORRUPTION (p. 245) - used to be infrequent but has increased in frequency since the time of this post: http://www.dumpanalysis.org/blog/index.php/2008/03/12/bug-check-frequencies/

Enhanced process notifications since Vista SP1 to block process launch (p. 246)

Two driver signing policies (KMCS and PnP) (p. 247)

Protected Media Path (p. 247) - more information is here: http://msdn.microsoft.com/en-us/library/aa376846(VS.85).aspx

Per-page image authentication (p. 247)

- Dmitry Vostokov @ SoftwareGeneralist.com -

Computational Collectives

October 8th, 2009

This is the notion of a collective applied to the realm of computation, where a set of computational processes (and possibly hardware, people and other entities, forming a hybrid entity) share a common goal and use interface bonds (relations). Sometimes some research needs to be done to identify hidden relations in order to draw, or to rethink, the boundaries between a collective and its environment, as in the simple low-level example of coupled processes or wait chains. Note that this is not the same as, and is not used in the same sense as, computational collective intelligence, although certain computational collectives can give that impression.

See also: interface relations

- Dmitry Vostokov @ SoftwareGeneralist.com -

Reading Notebook: 05-October-09

October 7th, 2009

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

.local file (p. 226) - found this explanation: http://msdn.microsoft.com/en-us/library/aa375142(VS.85).aspx

bound import table, forwarder entries (pp. 226 - 227)

TLS initializers as possible causes of DLL load failures (p. 228)

Hyper-V architectural stack (p. 229) - running processes inside a W2K8 Hyper-V host that is running an additional instance of W2K8:

         063c vmwp.exe         13755 (     55020 Kb)
         0750 vmconnect.exe    13445 (     53780 Kb)
         0aa4 mmc.exe          13184 (     52736 Kb)
         0714 vmms.exe         12228 (     48912 Kb)
         011c svchost.exe       7930 (     31720 Kb)
         09c0 explorer.exe      4603 (     18412 Kb)
         0340 svchost.exe       4525 (     18100 Kb)
         0ba4 WmiPrvSE.exe      2485 (      9940 Kb)
         04b0 svchost.exe       2321 (      9284 Kb)
         03e4 svchost.exe       2222 (      8888 Kb)
         0158 SLsvc.exe         2220 (      8880 Kb)
         01ec svchost.exe       1858 (      7432 Kb)
         0238 svchost.exe       1753 (      7012 Kb)
         05a8 spoolsv.exe       1698 (      6792 Kb)
         029c lsass.exe         1630 (      6520 Kb)
         0530 taskeng.exe       1275 (      5100 Kb)
         0768 svchost.exe       1120 (      4480 Kb)
         06cc WmiPrvSE.exe      1018 (      4072 Kb)
         03cc msdtc.exe         1007 (      4028 Kb)
         0384 svchost.exe        979 (      3916 Kb)
         0944 taskeng.exe        953 (      3812 Kb)
         0104 svchost.exe        910 (      3640 Kb)
         02a8 lsm.exe            877 (      3508 Kb)
         0708 svchost.exe        820 (      3280 Kb)
         0290 services.exe       802 (      3208 Kb)
         0348 svchost.exe        696 (      2784 Kb)
         0628 svchost.exe        680 (      2720 Kb)
         0004 System             673 (      2692 Kb)
         0214 csrss.exe          579 (      2316 Kb)
         0240 csrss.exe          531 (      2124 Kb)
         0274 winlogon.exe       520 (      2080 Kb)
         0980 dwm.exe            482 (      1928 Kb)
         0248 wininit.exe        472 (      1888 Kb)
         0634 svchost.exe        347 (      1388 Kb)
         068c svchost.exe        306 (      1224 Kb)
         01d0 smss.exe           117 (       468 Kb)
         0b7c wlrmdr.exe           0 (         0 Kb)

optimization enlightenments (p. 229)

VM Infrastructure driver vid.sys and hypervisor API winhv.sys (p. 232)

Vdev virtual devices (p. 234) - here is the list of loaded modules in the virtualization worker process vmwp.exe:

0: kd> lm1m
odbcint
kernel32
USER32
ntdll
PSAPI
vmwp
dssenh
vmbusvdev
rdp4vs
vmicshutdown
vmicvss
vmickvpexchange
synthnic
vmictimesync
vmicheartbeat
azroles
cryptnet
ODBC32
fastprox
wbemsvc
msxml3
SensApi
wbemprox
vsconfig
framedynos
wbemcomn
vmprox
vmwpctrl
vid_7fefb420000
vmbuspipe
COMCTL32_7fefbb80000
napinsp
winrnr
rasadhlp
WINTRUST
XmlLite
comctl32
NLAapi
wshtcpip
NTMARTA
GPAPI
rsaenh
schannel
mswsock
wship6
kerberos
bcrypt
ncrypt
dhcpcsvc6
dhcpcsvc
tspkg
wevtapi
slc
credssp
IPHLPAPI
CRYPT32
MPR
NTDSAPI
MSASN1
SAMLIB
DNSAPI
cryptdll
NETAPI32
WINNSI
AUTHZ
Secur32
USERENV
GDI32
MSCTF
SETUPAPI
ole32
SHLWAPI
msvcrt
ADVAPI32
CLBCatQ
USP10
RPCRT4
IMM32
LPK
imagehlp
WS2_32
OLEAUT32
COMDLG32
NSI
SHELL32
WLDAP32

0: kd> lmv m vmicheartbeat
start             end                 module name
000007fe`fa540000 000007fe`fa57c000   vmicheartbeat   (deferred)            
    Image path: C:\Windows\System32\vmicheartbeat.dll
    Image name: vmicheartbeat.dll
    Timestamp:        Wed Jun 11 15:27:36 2008 (484FE0D8)
    CheckSum:         00033B40
    ImageSize:        0003C000
    File version:     6.0.6001.18016
    Product version:  6.0.6001.18016
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Windows® Operating System
    InternalName:     vmicheartbeat
    OriginalFilename: vmicheartbeat.dll
    ProductVersion:   6.0.6001.18016
    FileVersion:      6.0.6001.18016 (vistasp1_gdr_vm_rtm.080611-0040)
    FileDescription:  Virtual Machine Integration Service Heartbeat Vdev
    LegalCopyright:   © Microsoft Corporation. All rights reserved.

emulated and synthetic (enlightened I/O) devices (pp. 234 - 237):

0: kd> lmv m synthnic
start             end                 module name
000007fe`fa340000 000007fe`fa38a000   synthnic   (deferred)            
    Image path: C:\Windows\System32\synthnic.dll
    Image name: synthnic.dll
    Timestamp:        Wed Jun 11 15:27:30 2008 (484FE0D2)
    CheckSum:         0003D7AA
    ImageSize:        0004A000
    File version:     6.0.6001.18016
    Product version:  6.0.6001.18016
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Windows® Operating System
    InternalName:     SynthNic.dll
    OriginalFilename: SynthNic.dll
    ProductVersion:   6.0.6001.18016
    FileVersion:      6.0.6001.18016 (vistasp1_gdr_vm_rtm.080611-0040)
    FileDescription:  Microsoft Synthetic Network Card
    LegalCopyright:   © Microsoft Corporation. All rights reserved.

VSC vs. VSP, VSC driver re-routes requests to VMBus (PnP enum for synthetic devices) (pp. 236 - 237)

Virtualized processors, virtual APIC, dynamic processor addition (pp. 237 - 238)

GVA, guest virtual address space -> GPA, guest physical address space -> SPA, system physical address space (pp. 238 - 239) - need to add this to my debugging dictionary: http://www.dumpanalysis.org/blog/index.php/category/dictionary-of-debugging/

SPT, shadow page tables, for direct GVA -> SPA
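Added here as an example, not part of the original notes or of the book's text: a Python model of the two-stage translation named above. The guest owns the GVA -> GPA page table, the hypervisor owns the GPA -> SPA mapping, and the shadow page table caches the composed GVA -> SPA result so that a later access needs no second walk; when the guest edits its page table the shadow entry must be dropped. The class, its method names and all page frame numbers are constructed for illustration.

```python
"""Two-stage address translation under a hypervisor, with shadow page tables.

Added example; page tables are modelled as dictionaries of page frame
numbers and every mapping below is a constructed sample value.
"""
PAGE_SHIFT = 12
PAGE_MASK = (1 << PAGE_SHIFT) - 1


class GuestPageFault(Exception):
    """GVA not mapped in the guest's own page table: delivered to the guest OS."""


class HypervisorFault(Exception):
    """GPA outside the partition's allocation: the hypervisor, not the guest, handles it."""


class Partition:
    def __init__(self, guest_pt, gpa_to_spa):
        self.guest_pt = dict(guest_pt)      # GVA page -> GPA page (guest-owned)
        self.gpa_to_spa = dict(gpa_to_spa)  # GPA page -> SPA page (hypervisor-owned)
        self.spt = {}                       # shadow: GVA page -> SPA page

    def translate(self, gva):
        """Return (SPA, path) where path tells whether the shadow table resolved it."""
        vpn, offset = gva >> PAGE_SHIFT, gva & PAGE_MASK
        if vpn in self.spt:
            return (self.spt[vpn] << PAGE_SHIFT) | offset, "spt-hit"
        gpfn = self.guest_pt.get(vpn)
        if gpfn is None:
            raise GuestPageFault(f"GVA {gva:#x} not mapped by the guest")
        spfn = self.gpa_to_spa.get(gpfn)
        if spfn is None:
            raise HypervisorFault(f"GPA page {gpfn:#x} not assigned to this partition")
        self.spt[vpn] = spfn  # fill the shadow entry after the two-level walk
        return (spfn << PAGE_SHIFT) | offset, "walk"

    def guest_remap(self, vpn, gpfn):
        """Guest edits its page table; the hypervisor intercepts the write and
        drops the stale shadow entry so the next access walks both levels again."""
        self.guest_pt[vpn] = gpfn
        self.spt.pop(vpn, None)


def build_sample_partition():
    # Constructed: guest pages 0x400/0x401 -> GPA pages 0x10/0x11 -> SPA pages 0x2A0/0x2A1.
    return Partition(guest_pt={0x400: 0x10, 0x401: 0x11},
                     gpa_to_spa={0x10: 0x2A0, 0x11: 0x2A1})


if __name__ == "__main__":
    p = build_sample_partition()
    for gva in (0x400123, 0x400456, 0x401000):
        spa, path = p.translate(gva)
        print(f"GVA {gva:#x} -> SPA {spa:#x} ({path})")
```

The second fault class is the isolation property in miniature: a guest can only ever name guest physical pages, and a GPA with no SPA behind it is resolved by the hypervisor, never by the guest.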

- Dmitry Vostokov @ SoftwareGeneralist.com -

Software Generalist Worldview

September 28th, 2009

I was recently revisiting my old post about the model-based definition of software defects in relation to their forthcoming classification. While thinking about it I recalled the three worlds diagram in Roger Penrose's book The Road to Reality, depicting the Platonic mathematical, the physical and the mental worlds, and came up with the Software Generalist three worlds: World, Models and Software:


- Dmitry Vostokov @ SoftwareGeneralist.com -

Reading Notebook: 24-September-09

September 25th, 2009

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

Injected debugging thread to generate int 3 event (p. 218)

0:001> kL
Child-SP          RetAddr           Call Site
00000000`0355fdf8 00000000`776c0038 ntdll!DbgBreakPoint
00000000`0355fe00 00000000`7740be3d ntdll!DbgUiRemoteBreakin+0x38
00000000`0355fe30 00000000`77616a51 kernel32!BaseThreadInitThunk+0xd
00000000`0355fe60 00000000`00000000 ntdll!RtlUserThreadStart+0x21

DbgSsReserved[1] as the handle to a debug object (p. 218) - it is NULL when I break into notepad.exe, in both the debuggee and the debugger TEBs:

0:001> ~*kL

   0  Id: cf0.aa0 Suspend: 1 Teb: 000007ff`fffde000 Unfrozen
Child-SP          RetAddr           Call Site
00000000`0016f788 00000000`7753d5be USER32!ZwUserGetMessage+0xa
00000000`0016f790 00000000`ffec6f4a USER32!GetMessageW+0x34
00000000`0016f7c0 00000000`ffecd00b notepad!WinMain+0x176
00000000`0016f840 00000000`7740be3d notepad!IsTextUTF8+0x24f
00000000`0016f900 00000000`77616a51 kernel32!BaseThreadInitThunk+0xd
00000000`0016f930 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

#  1  Id: cf0.974 Suspend: 1 Teb: 000007ff`fffdc000 Unfrozen
Child-SP          RetAddr           Call Site
00000000`0355fdf8 00000000`776c0038 ntdll!DbgBreakPoint
00000000`0355fe00 00000000`7740be3d ntdll!DbgUiRemoteBreakin+0x38
00000000`0355fe30 00000000`77616a51 kernel32!BaseThreadInitThunk+0xd
00000000`0355fe60 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

0:001> dt _TEB DbgSsReserved 000007fffffdc000
ntdll!_TEB
   +0x16a0 DbgSsReserved : [2] (null)

0:001> dq 000007fffffdc000+0x16a0 l2
000007ff`fffdd6a0  00000000`00000000 00000000`00000000

0:001> .dbgdbg
Debugger spawned, connect with
    "-remote npipe:icfenable,pipe=cdb_pipe,server=Computer"

0:003> ~*kL

   0  Id: 268.d70 Suspend: 1 Teb: 000007ff`fffdd000 Unfrozen
Child-SP          RetAddr           Call Site
00000000`000fd660 00000000`7740fc13 ntdll!RtlLockHeap+0x1e
00000000`000fd6c0 000007fe`ff77218e kernel32!LocalLock+0x23
00000000`000fd700 000007fe`fe014772 IMM32!InternalImmLockIMC+0x138
00000000`000fd730 000007fe`fe014743 MSCTF!IMCLock::_LockIMC+0x1d
00000000`000fd760 000007fe`fe01a8fb MSCTF!IMCLock::IMCLock+0x33
00000000`000fd790 00000000`7753d53e MSCTF!CIMEUIWindowHandler::ImeUIWndProcWorker+0x2cd
00000000`000fd820 00000000`7753d7c6 USER32!UserCallWinProcCheckWow+0x1ad
00000000`000fd8e0 00000001`3f5a1bf0 USER32!DispatchMessageWorker+0x389
00000000`000fd960 00000001`3f5a1c70 windbg!ProcessNonDlgMessage+0x330
00000000`000fd9b0 00000001`3f5a850d windbg!ProcessPendingMessages+0x70
00000000`000fda20 00000001`3f5b3739 windbg!wmain+0x29d
00000000`000ffae0 00000000`7740be3d windbg!_CxxFrameHandler3+0x291
00000000`000ffb20 00000000`77616a51 kernel32!BaseThreadInitThunk+0xd
00000000`000ffb50 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

   1  Id: 268.a6c Suspend: 1 Teb: 000007ff`fffdb000 Unfrozen
Child-SP          RetAddr           Call Site
00000000`032bfa88 00000000`7741c0b0 ntdll!ZwWaitForSingleObject+0xa
00000000`032bfa90 00000000`7293e711 kernel32!WaitForSingleObjectEx+0x9c
00000000`032bfb50 00000001`3f575a4a dbgeng!DebugClient::DispatchCallbacks+0x61
00000000`032bfb90 00000000`7740be3d windbg!EngineLoop+0x37a
00000000`032bfbd0 00000000`77616a51 kernel32!BaseThreadInitThunk+0xd
00000000`032bfc00 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

   2  Id: 268.bfc Suspend: 1 Teb: 000007ff`fffd7000 Unfrozen
Child-SP          RetAddr           Call Site
00000000`0699f6c8 00000000`7740f65c ntdll!NtRemoveIoCompletion+0xa
00000000`0699f6d0 000007fe`fe165d0d kernel32!GetQueuedCompletionStatus+0x48
00000000`0699f730 000007fe`fe165b93 RPCRT4!COMMON_ProcessCalls+0x7d
00000000`0699f7c0 000007fe`fe147769 RPCRT4!LOADABLE_TRANSPORT::ProcessIOEvents+0x133
00000000`0699f870 000007fe`fe147714 RPCRT4!ProcessIOEventsWrapper+0x9
00000000`0699f8a0 000007fe`fe1477a4 RPCRT4!BaseCachedThreadRoutine+0x94
00000000`0699f8e0 00000000`7740be3d RPCRT4!ThreadStartRoutine+0x24
00000000`0699f910 00000000`77616a51 kernel32!BaseThreadInitThunk+0xd
00000000`0699f940 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

#  3  Id: 268.f34 Suspend: 1 Teb: 000007ff`fffd9000 Unfrozen
Child-SP          RetAddr           Call Site
00000000`06b6fb68 00000000`776c0038 ntdll!DbgBreakPoint
00000000`06b6fb70 00000000`7740be3d ntdll!DbgUiRemoteBreakin+0x38
00000000`06b6fba0 00000000`77616a51 kernel32!BaseThreadInitThunk+0xd
00000000`06b6fbd0 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

0:003> dt _TEB DbgSsReserved 000007ff`fffdb000
ntdll!_TEB
   +0x16a0 DbgSsReserved : [2] (null)

0:003> dt _TEB DbgSsReserved 000007ff`fffdd000
ntdll!_TEB
   +0x16a0 DbgSsReserved : [2] (null)

0:003> dt _TEB DbgSsReserved 000007ff`fffd7000
ntdll!_TEB
   +0x16a0 DbgSsReserved : [2] (null)

0:003> dt _TEB DbgSsReserved 000007ff`fffd9000
ntdll!_TEB
   +0x16a0 DbgSsReserved : [2] (null)

Image loader (pp. 220 - 221) - we can see loader functions (LdrXXX) in crash dumps when loading fails due to 3rd-party hooksware or corrupt images, or in memory dumps taken when we have deadlocks involving module load. In WOW64 processes we can also see them on stack traces:

0:000> kL
Child-SP          RetAddr           Call Site
00000000`0010eb98 00000000`7572ab46 wow64cpu!WaitForMultipleObjects32+0x3a
00000000`0010ec40 00000000`7572a14c wow64!RunCpuSimulation+0xa
00000000`0010ec70 00000000`7762bf9d wow64!Wow64LdrpInitialize+0x4b4
00000000`0010f1d0 00000000`7762bb9c ntdll!LdrpInitializeProcess+0x1568
00000000`0010f490 00000000`776168de ntdll! ?? ::FNODOBFM::`string'+0x20959
00000000`0010f540 00000000`00000000 ntdll!LdrInitializeThunk+0xe

There are some patterns related to DLL load and linkage: http://www.dumpanalysis.org/blog/index.php/2009/02/17/dll-link-patterns/

_LDR_DATA_TABLE_ENTRY field description (p. 223)

0:000> dt _LDR_DATA_TABLE_ENTRY
ntdll!_LDR_DATA_TABLE_ENTRY
   +0x000 InLoadOrderLinks : _LIST_ENTRY
   +0x010 InMemoryOrderLinks : _LIST_ENTRY
   +0x020 InInitializationOrderLinks : _LIST_ENTRY
   +0x030 DllBase          : Ptr64 Void
   +0x038 EntryPoint       : Ptr64 Void
   +0x040 SizeOfImage      : Uint4B
   +0x048 FullDllName      : _UNICODE_STRING
   +0x058 BaseDllName      : _UNICODE_STRING
   +0x068 Flags            : Uint4B
   +0x06c LoadCount        : Uint2B
   +0x06e TlsIndex         : Uint2B
   +0x070 HashLinks        : _LIST_ENTRY
   +0x070 SectionPointer   : Ptr64 Void
   +0x078 CheckSum         : Uint4B
   +0x080 TimeDateStamp    : Uint4B
   +0x080 LoadedImports    : Ptr64 Void
   +0x088 EntryPointActivationContext : Ptr64 _ACTIVATION_CONTEXT
   +0x090 PatchInformation : Ptr64 Void
   +0x098 ForwarderLinks   : _LIST_ENTRY
   +0x0a8 ServiceTagLinks  : _LIST_ENTRY
   +0x0b8 StaticLinks      : _LIST_ENTRY

Handy full !list command for listing module linked lists (pp. 224 - 225) - I was thinking about writing it myself while reading the previous page :-) 
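Added here as an example, not part of the original notes, of WinDbg, or of the book's text: a Python walker over the InLoadOrderLinks list of _LDR_DATA_TABLE_ENTRY records, using the x64 field offsets from the dt output above (InLoadOrderLinks 0x00, DllBase 0x30, EntryPoint 0x38, SizeOfImage 0x40, FullDllName 0x48, BaseDllName 0x58, Flags 0x68, LoadCount 0x6c). It does for a raw memory image what !list does in the debugger and, in addition, checks that every Blink agrees with the entry walked from and that the list terminates, the two consistency checks a forensic tool applies before trusting a module list. The Memory class, the image base and the three module records are constructed sample data.

```python
"""Walk a process's InLoadOrder module list from a constructed memory image.

Added example. The image holds a LIST_ENTRY head and three
_LDR_DATA_TABLE_ENTRY records at the x64 offsets shown by `dt`; module
names, bases, sizes and Flags values are made up for the example.
"""
import struct


class Memory:
    """Flat little-endian byte image starting at a fixed virtual address."""
    def __init__(self, base, size):
        self.base, self.buf = base, bytearray(size)

    def read(self, addr, n):
        off = addr - self.base
        if off < 0 or off + n > len(self.buf):
            raise ValueError(f"read outside image at {addr:#x}")
        return bytes(self.buf[off:off + n])

    def read_ptr(self, addr):
        return struct.unpack("<Q", self.read(addr, 8))[0]

    def write(self, addr, data):
        off = addr - self.base
        self.buf[off:off + len(data)] = data


def read_unicode_string(mem, addr):
    """_UNICODE_STRING: USHORT Length, USHORT MaximumLength, pad, PWSTR Buffer."""
    length, _maxlen, buffer = struct.unpack("<HH4xQ", mem.read(addr, 16))
    return mem.read(buffer, length).decode("utf-16-le")


def parse_ldr_entry(mem, addr):
    dll_base, entry_point, size = struct.unpack("<QQI", mem.read(addr + 0x30, 20))
    flags, load_count = struct.unpack("<IH", mem.read(addr + 0x68, 6))
    return {"address": addr, "DllBase": dll_base, "EntryPoint": entry_point,
            "SizeOfImage": size, "FullDllName": read_unicode_string(mem, addr + 0x48),
            "BaseDllName": read_unicode_string(mem, addr + 0x58),
            "Flags": flags, "LoadCount": load_count}


def walk_load_order(mem, head, limit=4096):
    """Follow InLoadOrderLinks.Flink from the list head back to itself,
    refusing loops and Flink/Blink disagreements instead of looping forever."""
    entries, seen, prev = [], set(), head
    cur = mem.read_ptr(head)
    while cur != head:
        if cur in seen or len(entries) >= limit:
            raise ValueError(f"list loop at {cur:#x}")
        blink = mem.read_ptr(cur + 8)
        if blink != prev:
            raise ValueError(f"Blink mismatch at {cur:#x}: {blink:#x} != {prev:#x}")
        seen.add(cur)
        entries.append(parse_ldr_entry(mem, cur))
        prev, cur = cur, mem.read_ptr(cur)
    if mem.read_ptr(head + 8) != prev:
        raise ValueError("head Blink does not point at the last entry")
    return entries


def build_sample_image():
    """Constructed image: head at BASE, entries every 0x100, strings from BASE+0x800."""
    base = 0x7FF00000
    mem = Memory(base, 0x1000)
    modules = [("notepad.exe", 0xFFEC0000, 0x30000),
               ("ntdll.dll", 0x77400000, 0x1A9000),
               ("kernel32.dll", 0x77520000, 0x11F000)]
    head = base
    addrs = [base + 0x100 * (i + 1) for i in range(len(modules))]
    str_addr = base + 0x800
    for i, (addr, (name, dll_base, size)) in enumerate(zip(addrs, modules)):
        flink = addrs[i + 1] if i + 1 < len(addrs) else head
        blink = addrs[i - 1] if i > 0 else head
        mem.write(addr, struct.pack("<QQ", flink, blink))
        mem.write(addr + 0x30, struct.pack("<QQI", dll_base, dll_base + 0x1000, size))
        for field_off, text in ((0x48, "C:\\Windows\\System32\\" + name), (0x58, name)):
            data = text.encode("utf-16-le")
            mem.write(str_addr, data)
            mem.write(addr + field_off, struct.pack("<HH4xQ", len(data), len(data) + 2, str_addr))
            str_addr += len(data) + 2
        mem.write(addr + 0x68, struct.pack("<IH", 0x4000, 0xFFFF))  # constructed Flags, pinned LoadCount
    mem.write(head, struct.pack("<QQ", addrs[0], addrs[-1]))
    return mem, head


if __name__ == "__main__":
    mem, head = build_sample_image()
    for m in walk_load_order(mem, head):
        print(f"{m['DllBase']:016x} {m['SizeOfImage']:08x} {m['BaseDllName']}  {m['FullDllName']}")
```

The Blink check matters because the three module lists are only as trustworthy as their links: an entry whose Blink does not name the entry it was reached from is either corrupt or has been edited, and a walker that silently follows Flink would never notice.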

Loader entry flags (p. 225)

- Dmitry Vostokov @ SoftwareGeneralist.com -