/*
 * EPROCESS as laid out on Windows NT 4.0 (reverse-engineered, undocumented).
 *
 * Member order, types and padding are specific to this OS version and may
 * differ between builds and service packs; a consumer must verify the running
 * kernel version before dereferencing any member through this definition,
 * since a mismatched layout in kernel mode corrupts memory or bugchecks.
 * Member names are reproduced exactly as in the original listing (including
 * the spelling of MmAgressiveWsTrimMask) so existing references keep working.
 */
typedef struct _EPROCESS_NT4
{
    /* Kernel-layer process block; first member, so a KPROCESS_NT4 pointer
     * and an EPROCESS_NT4 pointer refer to the same address. */
    KPROCESS_NT4 Pcb;

    NTSTATUS ExitStatus;
    KEVENT LockEvent;
    ULONG LockCount;
    LARGE_INTEGER CreateTime;
    LARGE_INTEGER ExitTime;
    PKTHREAD_NT4 LockOwner;

    ULONG UniqueProcessId;                  /* 32-bit PID in this version */
    LIST_ENTRY ActiveProcessLinks;          /* doubly-linked list entry (LIST_ENTRY) */

    /* Quota and memory accounting. */
    ULONGLONG QuotaPeakPoolUsage;
    ULONGLONG QuotaPoolUsage;
    ULONG PagefileUsage;
    ULONG CommitCharge;
    ULONG PeakPagefileUsage;
    ULONG PeakVirtualSize;
    ULONGLONG VirtualSize;
    MMSUPPORT_NT4 Vm;
    ULONG LastProtoPteFault;

    ULONG DebugPort;                        /* ULONG here; PVOID in later versions */
    ULONG ExceptionPort;
    PHANDLE_TABLE ObjectTable;
    PACCESS_TOKEN Token;                    /* plain pointer in this version (EX_FAST_REF from XP on) */

    /* Working set / address space state. */
    FAST_MUTEX WorkingSetLock;
    ULONG WorkingSetPage;
    BOOLEAN ProcessOutswapEnabled;
    BOOLEAN ProcessOutswapped;
    BOOLEAN AddressSpaceInitialized;
    BOOLEAN AddressSpaceDeleted;
    FAST_MUTEX AddressCreationLock;
    KSPIN_LOCK HyperSpaceLock;
    PETHREAD_NT4 ForkInProgress;
    USHORT VmOperation;
    BOOLEAN ForkWasSuccessful;
    UCHAR MmAgressiveWsTrimMask;            /* original spelling preserved */
    PKEVENT VmOperationEvent;
    HARDWARE_PTE PageDirectoryPte;
    ULONG LastFaultCount;
    ULONG ModifiedPageCount;
    PVOID VadRoot;
    PVOID VadHint;
    ULONG CloneRoot;
    ULONG NumberOfPrivatePages;
    ULONG NumberOfLockedPages;
    USHORT NextPageColor;
    BOOLEAN ExitProcessCalled;
    BOOLEAN CreateProcessReported;

    HANDLE SectionHandle;
    PPEB Peb;
    PVOID SectionBaseAddress;
    PEPROCESS_QUOTA_BLOCK QuotaBlock;
    NTSTATUS LastThreadExitStatus;
    PPROCESS_WS_WATCH_INFORMATION WorkingSetWatch;
    HANDLE Win32WindowStation;
    HANDLE InheritedFromUniqueProcessId;
    ACCESS_MASK GrantedAccess;
    ULONG DefaultHardErrorProcessing;
    PVOID LdtInformation;
    PVOID VadFreeHint;
    PVOID VdmObjects;
    KMUTANT ProcessMutant;

    /* 16-byte name buffer; do not assume it is NUL-terminated when printing
     * it -- TODO confirm against the kernel's own handling. */
    UCHAR ImageFileName[16];
    ULONG VmTrimFaultValue;
    UCHAR SetTimerResolution;
    UCHAR PriorityClass;

    /* Subsystem version, readable as two bytes or one USHORT. */
    union
    {
        struct
        {
            UCHAR SubSystemMinorVersion;
            UCHAR SubSystemMajorVersion;
        };
        USHORT SubSystemVersion;
    };

    PVOID Win32Process;
} EPROCESS_NT4, *PEPROCESS_NT4;
/*
 * EPROCESS as laid out on Windows 2000 (reverse-engineered, undocumented).
 *
 * Compared with the NT4 layout this version adds session, device-map, job,
 * WOW64, I/O-counter and AWE members. Offsets are build-specific: verify the
 * running kernel version before using this definition, as a wrong layout in
 * kernel mode corrupts memory or bugchecks. Member names are kept exactly as
 * listed (including MmAgressiveWsTrimMask and CommitChargePeek) so that
 * existing references compile unchanged.
 */
typedef struct _EPROCESS_W2K
{
    /* Kernel-layer process block; first member. */
    KPROCESS_W2K Pcb;

    NTSTATUS ExitStatus;
    KEVENT LockEvent;
    ULONG LockCount;
    LARGE_INTEGER CreateTime;
    LARGE_INTEGER ExitTime;
    PKTHREAD_W2K LockOwner;

    ULONG UniqueProcessId;                  /* 32-bit PID in this version */
    LIST_ENTRY ActiveProcessLinks;          /* doubly-linked list entry (LIST_ENTRY) */

    /* Quota and memory accounting. */
    ULONGLONG QuotaPeakPoolUsage;
    ULONGLONG QuotaPoolUsage;
    ULONG PagefileUsage;
    ULONG CommitCharge;
    ULONG PeakPagefileUsage;
    ULONG PeakVirtualSize;
    ULONGLONG VirtualSize;
    MMSUPPORT_W2K Vm;
    LIST_ENTRY SessionProcessLinks;

    ULONG DebugPort;                        /* ULONG here; PVOID in later versions */
    ULONG ExceptionPort;
    PHANDLE_TABLE ObjectTable;
    PACCESS_TOKEN Token;                    /* plain pointer in this version (EX_FAST_REF from XP on) */

    /* Working set / address space state. */
    FAST_MUTEX WorkingSetLock;
    ULONG WorkingSetPage;
    BOOLEAN ProcessOutswapEnabled;
    BOOLEAN ProcessOutswapped;
    BOOLEAN AddressSpaceInitialized;
    BOOLEAN AddressSpaceDeleted;
    FAST_MUTEX AddressCreationLock;
    KSPIN_LOCK HyperSpaceLock;
    PETHREAD_W2K ForkInProgress;
    USHORT VmOperation;
    BOOLEAN ForkWasSuccessful;
    UCHAR MmAgressiveWsTrimMask;            /* original spelling preserved */
    PKEVENT VmOperationEvent;
    PVOID PaeTop;
    ULONG LastFaultCount;
    ULONG ModifiedPageCount;
    PVOID VadRoot;
    PVOID VadHint;
    ULONG CloneRoot;
    ULONG NumberOfPrivatePages;
    ULONG NumberOfLockedPages;
    USHORT NextPageColor;
    BOOLEAN ExitProcessCalled;
    BOOLEAN CreateProcessReported;

    HANDLE SectionHandle;
    PPEB Peb;
    PVOID SectionBaseAddress;
    PEPROCESS_QUOTA_BLOCK QuotaBlock;
    NTSTATUS LastThreadExitStatus;
    PPROCESS_WS_WATCH_INFORMATION WorkingSetWatch;
    HANDLE Win32WindowStation;
    HANDLE InheritedFromUniqueProcessId;
    ACCESS_MASK GrantedAccess;
    ULONG DefaultHardErrorProcessing;
    PVOID LdtInformation;
    PVOID VadFreeHint;
    PVOID VdmObjects;
    PDEVICE_MAP DeviceMap;
    ULONG SessionId;
    LIST_ENTRY PhysicalVadList;

    /* Page directory PTE plus a ULONG of filler; XP folds these into a
     * union with a ULONGLONG. */
    HARDWARE_PTE PageDirectoryPte;
    ULONG Filler;
    ULONG PaePageDirectoryPage;

    /* 16-byte name buffer; do not assume it is NUL-terminated when printing
     * it -- TODO confirm against the kernel's own handling. */
    UCHAR ImageFileName[16];
    ULONG VmTrimFaultValue;
    UCHAR SetTimerResolution;
    UCHAR PriorityClass;

    /* Subsystem version, readable as two bytes or one USHORT. */
    union
    {
        struct
        {
            UCHAR SubSystemMinorVersion;
            UCHAR SubSystemMajorVersion;
        };
        USHORT SubSystemVersion;
    };

    PVOID Win32Process;

    /* Job, security and WOW64 members new in this version. */
    PEJOB Job;
    ULONG JobStatus;
    LIST_ENTRY JobLinks;
    PVOID LockedPageList;
    PVOID SecurityPort;
    PWOW64_PROCESS Wow64Process;

    /* Per-process I/O counters. */
    LARGE_INTEGER ReadOperationCount;
    LARGE_INTEGER WriteOperationCount;
    LARGE_INTEGER OtherOperationCount;
    LARGE_INTEGER ReadTransferCount;
    LARGE_INTEGER WriteTransferCount;
    LARGE_INTEGER OtherTransferCount;

    ULONG CommitChargeLimit;
    ULONG CommitChargePeek;                 /* name as listed; spelled CommitChargePeak in the 2K3 layout */
    LIST_ENTRY ThreadListHead;
    PRTL_BITMAP VadPhysicalPagesBitMap;
    ULONG VadPhysicalPages;
    ULONG AweLock;
} EPROCESS_W2K, *PEPROCESS_W2K;
/*
 * EPROCESS as laid out on Windows XP (reverse-engineered, undocumented).
 *
 * Notable differences from the W2K layout: the process-wide lock is an
 * EX_PUSH_LOCK, rundown protection is added, UniqueProcessId and the debug /
 * exception ports become PVOID, Token becomes an EX_FAST_REF, and the
 * individual BOOLEAN state members collapse into one ULONG of flag bits.
 * Offsets are build-specific: verify the running kernel version before using
 * this definition. Member names are kept exactly as listed.
 */
typedef struct _EPROCESS_XP
{
    /* Kernel-layer process block; first member. */
    KPROCESS_XP Pcb;

    EX_PUSH_LOCK ProcessLock;
    LARGE_INTEGER CreateTime;
    LARGE_INTEGER ExitTime;
    EX_RUNDOWN_REF RundownProtect;

    PVOID UniqueProcessId;                  /* pointer-sized PID from this version on */
    LIST_ENTRY ActiveProcessLinks;          /* doubly-linked list entry (LIST_ENTRY) */

    /* Quota and memory accounting (three quota classes per array). */
    ULONG QuotaUsage[3];
    ULONG QuotaPeak[3];
    ULONG CommitCharge;
    ULONG PeakVirtualSize;
    ULONG VirtualSize;
    LIST_ENTRY SessionProcessLinks;

    PVOID DebugPort;
    PVOID ExceptionPort;
    PHANDLE_TABLE ObjectTable;
    /* EX_FAST_REF rather than a bare pointer: presumably reference-count bits
     * share the word with the pointer, so mask before dereferencing -- confirm
     * against the EX_FAST_REF definition in use. */
    EX_FAST_REF Token;

    /* Working set / address space state. */
    FAST_MUTEX WorkingSetLock;
    ULONG WorkingSetPage;
    FAST_MUTEX AddressCreationLock;
    KSPIN_LOCK HyperSpaceLock;
    PETHREAD_XP ForkInProgress;
    ULONG HardwareTrigger;
    PVOID VadRoot;
    PVOID VadHint;
    PVOID CloneRoot;
    ULONG NumberOfPrivatePages;
    ULONG NumberOfLockedPages;

    PVOID Win32Process;
    PEJOB Job;
    PSECTION_OBJECT SectionObject;
    PVOID SectionBaseAddress;
    PEPROCESS_QUOTA_BLOCK QuotaBlock;
    PPAGEFAULT_HISTORY WorkingSetWatch;
    PVOID Win32WindowStation;
    PVOID InheritedFromUniqueProcessId;
    PVOID LdtInformation;
    PVOID VadFreeHint;
    PVOID VdmObjects;
    PDEVICE_MAP DeviceMap;
    LIST_ENTRY PhysicalVadList;

    /* Page directory PTE, padded to 8 bytes via the ULONGLONG alias. */
    union
    {
        HARDWARE_PTE PageDirectoryPte;
        ULONGLONG Filler;
    };

    PVOID Session;

    /* 16-byte name buffer; do not assume it is NUL-terminated when printing
     * it -- TODO confirm against the kernel's own handling. */
    UCHAR ImageFileName[16];

    LIST_ENTRY JobLinks;
    PVOID LockedPageList;
    LIST_ENTRY ThreadListHead;
    PVOID SecurityPort;
    PVOID PaeTop;
    ULONG ActiveThreads;
    ULONG GrantedAccess;                    /* plain ULONG here; ACCESS_MASK in NT4/W2K */
    ULONG DefaultHardErrorProcessing;
    NTSTATUS LastThreadExitStatus;
    PPEB Peb;
    EX_FAST_REF PrefetchTrace;

    /* Per-process I/O counters. */
    LARGE_INTEGER ReadOperationCount;
    LARGE_INTEGER WriteOperationCount;
    LARGE_INTEGER OtherOperationCount;
    LARGE_INTEGER ReadTransferCount;
    LARGE_INTEGER WriteTransferCount;
    LARGE_INTEGER OtherTransferCount;

    ULONG CommitChargeLimit;
    ULONG CommitChargePeek;                 /* name as listed; spelled CommitChargePeak in the 2K3 layout */
    PVOID AweInfo;
    SE_AUDIT_PROCESS_CREATION_INFO SeAuditProcessCreationInfo;
    MMSUPPORT_XP Vm;
    ULONG LastFaultCount;
    ULONG ModifiedPageCount;
    ULONG NumberOfVads;
    ULONG JobStatus;

    /* Process state flags: one ULONG, also addressable bit by bit.
     * The bit widths sum to 32, matching the Flags alias. */
    union
    {
        ULONG Flags;
        struct
        {
            ULONG CreateReported : 1;
            ULONG NoDebugInherit : 1;
            ULONG ProcessExiting : 1;
            ULONG ProcessDelete : 1;
            ULONG Wow64SplitPages : 1;
            ULONG VmDeleted : 1;
            ULONG OutswapEnabled : 1;
            ULONG Outswapped : 1;
            ULONG ForkFailed : 1;
            ULONG HasPhysicalVad : 1;
            ULONG AddressSpaceInitialized : 2;
            ULONG SetTimerResolution : 1;
            ULONG BreakOnTermination : 1;
            ULONG SessionCreationUnderway : 1;
            ULONG WriteWatch : 1;
            ULONG ProcessInSession : 1;
            ULONG OverrideAddressSpace : 1;
            ULONG HasAddressSpace : 1;
            ULONG LaunchPrefetched : 1;
            ULONG InjectInpageErrors : 1;
            ULONG Unused : 11;
        };
    };

    NTSTATUS ExitStatus;
    USHORT NextPageColor;

    /* Subsystem version, readable as two bytes or one USHORT. */
    union
    {
        struct
        {
            UCHAR SubSystemMinorVersion;
            UCHAR SubSystemMajorVersion;
        };
        USHORT SubSystemVersion;
    };

    UCHAR PriorityClass;
    BOOLEAN WorkingSetAcquiredUnsafe;
} EPROCESS_XP, *PEPROCESS_XP;
/*
 * EPROCESS as laid out on Windows Server 2003 (reverse-engineered,
 * undocumented), annotated with the member offsets from the original listing.
 *
 * The offsets advance by 4 bytes per pointer member, so this is the 32-bit
 * (x86) layout; it does not describe the x64 kernel. Offsets are also
 * build-specific: verify the running kernel version before using this
 * definition, as a wrong layout in kernel mode corrupts memory or bugchecks.
 * Member names are kept exactly as listed (LockedPagesList, CommitChargePeak)
 * even where they differ in spelling from the XP layout.
 */
typedef struct _EPROCESS_2K3
{
    /* Kernel-layer process block; first member, 0x6c bytes long per the offsets. */
    KPROCESS_2K3 Pcb;                                   /* +0x000 */

    EX_PUSH_LOCK ProcessLock;                           /* +0x06c */
    LARGE_INTEGER CreateTime;                           /* +0x070 */
    LARGE_INTEGER ExitTime;                             /* +0x078 */
    EX_RUNDOWN_REF RundownProtect;                      /* +0x080 */
    PVOID UniqueProcessId;                              /* +0x084 */
    LIST_ENTRY ActiveProcessLinks;                      /* +0x088  doubly-linked list entry */

    /* Quota and memory accounting (three quota classes per array). */
    ULONG QuotaUsage[3];                                /* +0x090 */
    ULONG QuotaPeak[3];                                 /* +0x09c */
    ULONG CommitCharge;                                 /* +0x0a8 */
    ULONG PeakVirtualSize;                              /* +0x0ac */
    ULONG VirtualSize;                                  /* +0x0b0 */
    LIST_ENTRY SessionProcessLinks;                     /* +0x0b4 */

    PVOID DebugPort;                                    /* +0x0bc */
    PVOID ExceptionPort;                                /* +0x0c0 */
    PHANDLE_TABLE ObjectTable;                          /* +0x0c4 */
    /* EX_FAST_REF rather than a bare pointer: presumably reference-count bits
     * share the word with the pointer, so mask before dereferencing -- confirm
     * against the EX_FAST_REF definition in use. */
    EX_FAST_REF Token;                                  /* +0x0c8 */

    /* Working set / address space state. WorkingSetLock is gone and the
     * address creation lock is a 0x20-byte KGUARDED_MUTEX in this version. */
    ULONG WorkingSetPage;                               /* +0x0cc */
    KGUARDED_MUTEX AddressCreationLock;                 /* +0x0d0 */
    KSPIN_LOCK HyperSpaceLock;                          /* +0x0f0 */
    PETHREAD_2K3 ForkInProgress;                        /* +0x0f4 */
    ULONG HardwareTrigger;                              /* +0x0f8 */
    PMM_AVL_TABLE PhysicalVadRoot;                      /* +0x0fc */
    PVOID CloneRoot;                                    /* +0x100 */
    ULONG NumberOfPrivatePages;                         /* +0x104 */
    ULONG NumberOfLockedPages;                          /* +0x108 */

    PVOID Win32Process;                                 /* +0x10c */
    PEJOB Job;                                          /* +0x110 */
    PSECTION_OBJECT SectionObject;                      /* +0x114 */
    PVOID SectionBaseAddress;                           /* +0x118 */
    PEPROCESS_QUOTA_BLOCK QuotaBlock;                   /* +0x11c */
    PPAGEFAULT_HISTORY WorkingSetWatch;                 /* +0x120 */
    PVOID Win32WindowStation;                           /* +0x124 */
    PVOID InheritedFromUniqueProcessId;                 /* +0x128 */
    PVOID LdtInformation;                               /* +0x12c */
    PVOID VadFreeHint;                                  /* +0x130 */
    PVOID VdmObjects;                                   /* +0x134 */
    PVOID DeviceMap;                                    /* +0x138 */
    PVOID Spare0[3];                                    /* +0x13c */

    /* Page directory PTE, padded to 8 bytes via the ULONGLONG alias. */
    union
    {
        HARDWARE_PTE PageDirectoryPte;                  /* +0x148 */
        ULONGLONG Filler;                               /* +0x148 */
    };

    PVOID Session;                                      /* +0x150 */

    /* 16-byte name buffer; do not assume it is NUL-terminated when printing
     * it -- TODO confirm against the kernel's own handling. */
    UCHAR ImageFileName[16];                            /* +0x154 */

    LIST_ENTRY JobLinks;                                /* +0x164 */
    PVOID LockedPagesList;                              /* +0x16c  LockedPageList in the XP layout */
    LIST_ENTRY ThreadListHead;                          /* +0x170 */
    PVOID SecurityPort;                                 /* +0x178 */
    PVOID PaeTop;                                       /* +0x17c */
    ULONG ActiveThreads;                                /* +0x180 */
    ULONG GrantedAccess;                                /* +0x184 */
    ULONG DefaultHardErrorProcessing;                   /* +0x188 */
    NTSTATUS LastThreadExitStatus;                      /* +0x18c */
    PPEB Peb;                                           /* +0x190 */
    EX_FAST_REF PrefetchTrace;                          /* +0x194 */

    /* Per-process I/O counters. */
    LARGE_INTEGER ReadOperationCount;                   /* +0x198 */
    LARGE_INTEGER WriteOperationCount;                  /* +0x1a0 */
    LARGE_INTEGER OtherOperationCount;                  /* +0x1a8 */
    LARGE_INTEGER ReadTransferCount;                    /* +0x1b0 */
    LARGE_INTEGER WriteTransferCount;                   /* +0x1b8 */
    LARGE_INTEGER OtherTransferCount;                   /* +0x1c0 */

    ULONG CommitChargeLimit;                            /* +0x1c8 */
    ULONG CommitChargePeak;                             /* +0x1cc  CommitChargePeek in the XP layout */
    PVOID AweInfo;                                      /* +0x1d0 */
    SE_AUDIT_PROCESS_CREATION_INFO SeAuditProcessCreationInfo; /* +0x1d4 */
    MMSUPPORT_2K3 Vm;                                   /* +0x1d8 */
    LIST_ENTRY MmProcessLinks;                          /* +0x238 */
    ULONG ModifiedPageCount;                            /* +0x240 */
    ULONG JobStatus;                                    /* +0x244 */

    /* Process state flags at +0x248: one ULONG, also addressable bit by bit.
     * The bit widths sum to 32, matching the Flags alias. */
    union
    {
        ULONG Flags;
        struct
        {
            ULONG CreateReported : 1;
            ULONG NoDebugInherit : 1;
            ULONG ProcessExiting : 1;
            ULONG ProcessDelete : 1;
            ULONG Wow64SplitPages : 1;
            ULONG VmDeleted : 1;
            ULONG OutswapEnabled : 1;
            ULONG Outswapped : 1;
            ULONG ForkFailed : 1;
            ULONG Wow64VaSpace4Gb : 1;
            ULONG AddressSpaceInitialized : 2;
            ULONG SetTimerResolution : 1;
            ULONG BreakOnTermination : 1;
            ULONG SessionCreationUnderway : 1;
            ULONG WriteWatch : 1;
            ULONG ProcessInSession : 1;
            ULONG OverrideAddressSpace : 1;
            ULONG HasAddressSpace : 1;
            ULONG LaunchPrefetched : 1;
            ULONG InjectInpageErrors : 1;
            ULONG VmTopDown : 1;
            ULONG ImageNotifyDone : 1;
            ULONG PdeUpdateNeeded : 1;
            ULONG VdmAllowed : 1;
            ULONG Unused : 7;
        };
    };

    NTSTATUS ExitStatus;                                /* +0x24c */
    USHORT NextPageColor;                               /* +0x250 */

    /* Subsystem version at +0x252, readable as two bytes or one USHORT. */
    union
    {
        struct
        {
            UCHAR SubSystemMinorVersion;                /* +0x252 */
            UCHAR SubSystemMajorVersion;                /* +0x253 */
        };
        USHORT SubSystemVersion;                        /* +0x252 */
    };

    UCHAR PriorityClass;                                /* +0x254 */
    MM_AVL_TABLE VadRoot;                               /* +0x258  embedded table, not a pointer as in XP */
} EPROCESS_2K3, *PEPROCESS_2K3;