My goal is to convert interrupt time (that is used extensively in the kernel) into system-time (or FILETIME struct in Win32.)
Just as a short aside, the interrupt time is the number of 100-ns intervals that elapsed since the OS booted up. (It is incremented at each timer interrupt.)
And the system-time, or FILETIME, is the number of 100-ns intervals since the midnight of Jan 1, 1601 (UTC).
I learned that I can use the following globals: SharedSystemTime (address 0xFFFFF78000000014, that keeps current system-time) and SharedInterruptTime (address 0xFFFFF78000000008, that keeps current interrupt-time) to do the conversion as such:
InterruptTime - *SharedInterruptTime + *SharedSystemTime
This should technically give me system-time corresponding to my InterruptTime.
The problem is that the result seems to grow with time as I try to calculate it.
I did some testing, and it turns out that every time I halt the OS with the kernel debugger (KD), and then resume execution, the value of the current interrupt-time, stored in SharedInterruptTime, is not updated. But the value of the current system time, stored in SharedSystemTime, is updated. This creates a "float" in my formula above.
Thus, if I could determine how long the system spent suspended under the KD, I can account for this discrepancy.
Any idea how to get it though?
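The drift described in the question can be reproduced offline; the following is an added example, not code from the original post. It applies the post's formula to two constructed snapshots of the shared values. The `time_snapshot` type, the `advance` helper and all sample values are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* One paired read of the two shared values, in 100-ns units (hypothetical type). */
typedef struct {
    uint64_t interrupt_time;  /* value of *SharedInterruptTime */
    uint64_t system_time;     /* value of *SharedSystemTime    */
} time_snapshot;

/* The post's formula: InterruptTime - *SharedInterruptTime + *SharedSystemTime */
uint64_t interrupt_to_system(uint64_t interrupt_time, const time_snapshot *s)
{
    return interrupt_time - s->interrupt_time + s->system_time;
}

/* Offset implied by a snapshot: the system time at interrupt time 0. */
uint64_t snapshot_offset(const time_snapshot *s)
{
    return s->system_time - s->interrupt_time;
}

/* Change in offset between two snapshots, signed, in 100-ns units.
 * Anything that moves system time without moving interrupt time shows up
 * here, so a clock adjustment looks the same as a debugger halt. */
int64_t offset_drift(const time_snapshot *base, const time_snapshot *now)
{
    return (int64_t)(snapshot_offset(now) - snapshot_offset(base));
}

/* Constructed timeline: `run` units of normal execution, then `halted`
 * units in which only system time advances (the behaviour the post
 * reports after a KD break). */
time_snapshot advance(time_snapshot s, uint64_t run, uint64_t halted)
{
    s.interrupt_time += run;
    s.system_time += run + halted;
    return s;
}

int main(void)
{
    const uint64_t SEC = 10000000ULL;                          /* 100-ns units per second */
    time_snapshot base = { 600 * SEC, 133000000000000000ULL }; /* constructed values */
    time_snapshot now  = advance(base, 5 * SEC, 42 * SEC);     /* 42 s simulated halt */
    uint64_t event = 590 * SEC;                                /* an interrupt-time stamp */

    printf("before halt: %llu\n", (unsigned long long)interrupt_to_system(event, &base));
    printf("after halt:  %llu\n", (unsigned long long)interrupt_to_system(event, &now));
    printf("drift (s):   %lld\n", (long long)(offset_drift(&base, &now) / (int64_t)SEC));
    return 0;
}
```

The same interrupt-time stamp converts to two different system times, and the difference equals the offset drift between the snapshots.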