A free, powerful, multi-purpose tool that helps you monitor system resources, debug software and detect malware. Brought to you by Winsider Seminars & Solutions, Inc. @ http://www.windows-internals.com
It looks like this syscall has a different prototype on different version? I analyzed this syscall on a win10 ntoskrnl. Maybe a version determination macro is needed here.
According to my reverse engineering results, the pseudocode of NtCreateIRTimer syscall is as follows: