Dereference the pointer
dx (*(nt!_KTHREAD*)ADDRESS_HERE).PreviousMode
Put a hardware breakpoint on a process for a specific WinAPI (kernel)
ba e1 /p ffff8009bbf4c080 nt!NtWriteVirtualmemory
Show threads in a process
~ , ~1k show 1st thread w/o switching thread, ~0s switching to 0 thread.
!process 0 0 show all processes
nt_ stands for kernel
!trueref and !object ADDRESS_HERE
!irql for IRQL level of current thread.
!idt viewing the registered interrupts