Здравствуйте, Аноним, Вы писали:
А>Кто знает где можно найти поля структуры EPROCESS для Windows 2003 ?
А>Буду очень благодарен.
// _EPROCESS layout as dumped from the Windows 2003 kernel symbols. Every
// pointer is |0x4| bytes wide, so this is the 32-bit (x86) build; the last
// member (VadRoot, 0x258 + 0x20) ends at 0x278, the total size of the type.
//
// How to read the annotations: <thisrel this+0xNN> is the member's offset
// from the start of the structure and |0xNN| its size in bytes. The
// <bitfield this+0x248> members are views of Flags; their trailing
// ":bit:width" pair is a hex bit offset and a width (the last one,
// Unused:19:7, ends exactly at bit 0x20 = 32).
//
// This listing is NOT compilable C as written: the ":bit:width" bitfield
// notation, the MSVC-only `unsigned __int64`, and by-value members of types
// that are not declared here (e.g. struct _KPROCESS) all need rewriting.
// Members that share an offset (Flags and its bitfields at 0x248,
// PageDirectoryPte/Filler at 0x148, SubSystemVersion and the two bytes at
// 0x252/0x253) are unions in the real type.
//
// NOTE(review): these offsets belong to this specific build and architecture.
// Code that walks EPROCESS (drivers, memory-forensics parsers) should resolve
// them from the matching symbols (WinDbg `dt nt!_EPROCESS`) rather than
// hard-code them; they are likely to differ in other builds and on x64.
struct _EPROCESS {
// static data ------------------------------------
// non-static data --------------------------------
/*<thisrel this+0x0>*/ /*|0x6c|*/ struct _KPROCESS Pcb; // scheduler-level process block, embedded first at offset 0
/*<thisrel this+0x6c>*/ /*|0x4|*/ struct _EX_PUSH_LOCK ProcessLock;
/*<thisrel this+0x70>*/ /*|0x8|*/ union _LARGE_INTEGER CreateTime;
/*<thisrel this+0x78>*/ /*|0x8|*/ union _LARGE_INTEGER ExitTime;
/*<thisrel this+0x80>*/ /*|0x4|*/ struct _EX_RUNDOWN_REF RundownProtect;
/*<thisrel this+0x84>*/ /*|0x4|*/ void* UniqueProcessId; // process id, stored as a pointer-sized value
/*<thisrel this+0x88>*/ /*|0x8|*/ struct _LIST_ENTRY ActiveProcessLinks; // links this process into the kernel's active-process list; forensic tooling should not treat this list as the only source of truth for "which processes exist"
/*<thisrel this+0x90>*/ /*|0xc|*/ unsigned long QuotaUsage[3];
/*<thisrel this+0x9c>*/ /*|0xc|*/ unsigned long QuotaPeak[3];
/*<thisrel this+0xa8>*/ /*|0x4|*/ unsigned long CommitCharge;
/*<thisrel this+0xac>*/ /*|0x4|*/ unsigned long PeakVirtualSize;
/*<thisrel this+0xb0>*/ /*|0x4|*/ unsigned long VirtualSize;
/*<thisrel this+0xb4>*/ /*|0x8|*/ struct _LIST_ENTRY SessionProcessLinks;
/*<thisrel this+0xbc>*/ /*|0x4|*/ void* DebugPort;
/*<thisrel this+0xc0>*/ /*|0x4|*/ void* ExceptionPort;
/*<thisrel this+0xc4>*/ /*|0x4|*/ struct _HANDLE_TABLE* ObjectTable;
/*<thisrel this+0xc8>*/ /*|0x4|*/ struct _EX_FAST_REF Token; // NOTE(review): an EX_FAST_REF carries a small reference count in the low pointer bits — mask it before treating the value as a pointer; confirm the bit count for this build. This member determines the process's security context, so its integrity is what kernel-integrity monitoring cares about.
/*<thisrel this+0xcc>*/ /*|0x4|*/ unsigned long WorkingSetPage;
/*<thisrel this+0xd0>*/ /*|0x20|*/ struct _KGUARDED_MUTEX AddressCreationLock;
/*<thisrel this+0xf0>*/ /*|0x4|*/ unsigned long HyperSpaceLock;
/*<thisrel this+0xf4>*/ /*|0x4|*/ struct _ETHREAD* ForkInProgress;
/*<thisrel this+0xf8>*/ /*|0x4|*/ unsigned long HardwareTrigger;
/*<thisrel this+0xfc>*/ /*|0x4|*/ struct _MM_AVL_TABLE* PhysicalVadRoot;
/*<thisrel this+0x100>*/ /*|0x4|*/ void* CloneRoot;
/*<thisrel this+0x104>*/ /*|0x4|*/ unsigned long NumberOfPrivatePages;
/*<thisrel this+0x108>*/ /*|0x4|*/ unsigned long NumberOfLockedPages;
/*<thisrel this+0x10c>*/ /*|0x4|*/ void* Win32Process;
/*<thisrel this+0x110>*/ /*|0x4|*/ struct _EJOB* Job;
/*<thisrel this+0x114>*/ /*|0x4|*/ void* SectionObject;
/*<thisrel this+0x118>*/ /*|0x4|*/ void* SectionBaseAddress;
/*<thisrel this+0x11c>*/ /*|0x4|*/ struct _EPROCESS_QUOTA_BLOCK* QuotaBlock;
/*<thisrel this+0x120>*/ /*|0x4|*/ struct _PAGEFAULT_HISTORY* WorkingSetWatch;
/*<thisrel this+0x124>*/ /*|0x4|*/ void* Win32WindowStation;
/*<thisrel this+0x128>*/ /*|0x4|*/ void* InheritedFromUniqueProcessId; // parent process id at creation time; the parent may no longer exist
/*<thisrel this+0x12c>*/ /*|0x4|*/ void* LdtInformation;
/*<thisrel this+0x130>*/ /*|0x4|*/ void* VadFreeHint;
/*<thisrel this+0x134>*/ /*|0x4|*/ void* VdmObjects;
/*<thisrel this+0x138>*/ /*|0x4|*/ void* DeviceMap;
/*<thisrel this+0x13c>*/ /*|0xc|*/ void* Spare0[3];
/*<thisrel this+0x148>*/ /*|0x4|*/ struct _HARDWARE_PTE PageDirectoryPte; // shares offset 0x148 with Filler below (union in the real type)
/*<thisrel this+0x148>*/ /*|0x8|*/ unsigned __int64 Filler; // MSVC-specific type; overlaps PageDirectoryPte
/*<thisrel this+0x150>*/ /*|0x4|*/ void* Session;
/*<thisrel this+0x154>*/ /*|0x10|*/ unsigned char ImageFileName[16]; // only 16 bytes: cannot hold a full image path, so it must not be used as an authoritative identity of the executable
/*<thisrel this+0x164>*/ /*|0x8|*/ struct _LIST_ENTRY JobLinks;
/*<thisrel this+0x16c>*/ /*|0x4|*/ void* LockedPagesList;
/*<thisrel this+0x170>*/ /*|0x8|*/ struct _LIST_ENTRY ThreadListHead;
/*<thisrel this+0x178>*/ /*|0x4|*/ void* SecurityPort;
/*<thisrel this+0x17c>*/ /*|0x4|*/ void* PaeTop;
/*<thisrel this+0x180>*/ /*|0x4|*/ unsigned long ActiveThreads;
/*<thisrel this+0x184>*/ /*|0x4|*/ unsigned long GrantedAccess;
/*<thisrel this+0x188>*/ /*|0x4|*/ unsigned long DefaultHardErrorProcessing;
/*<thisrel this+0x18c>*/ /*|0x4|*/ long LastThreadExitStatus;
/*<thisrel this+0x190>*/ /*|0x4|*/ struct _PEB* Peb; // pointer into the process's user-mode address space
/*<thisrel this+0x194>*/ /*|0x4|*/ struct _EX_FAST_REF PrefetchTrace;
/*<thisrel this+0x198>*/ /*|0x8|*/ union _LARGE_INTEGER ReadOperationCount;
/*<thisrel this+0x1a0>*/ /*|0x8|*/ union _LARGE_INTEGER WriteOperationCount;
/*<thisrel this+0x1a8>*/ /*|0x8|*/ union _LARGE_INTEGER OtherOperationCount;
/*<thisrel this+0x1b0>*/ /*|0x8|*/ union _LARGE_INTEGER ReadTransferCount;
/*<thisrel this+0x1b8>*/ /*|0x8|*/ union _LARGE_INTEGER WriteTransferCount;
/*<thisrel this+0x1c0>*/ /*|0x8|*/ union _LARGE_INTEGER OtherTransferCount;
/*<thisrel this+0x1c8>*/ /*|0x4|*/ unsigned long CommitChargeLimit;
/*<thisrel this+0x1cc>*/ /*|0x4|*/ unsigned long CommitChargePeak;
/*<thisrel this+0x1d0>*/ /*|0x4|*/ void* AweInfo;
/*<thisrel this+0x1d4>*/ /*|0x4|*/ struct _SE_AUDIT_PROCESS_CREATION_INFO SeAuditProcessCreationInfo;
/*<thisrel this+0x1d8>*/ /*|0x60|*/ struct _MMSUPPORT Vm;
/*<thisrel this+0x238>*/ /*|0x8|*/ struct _LIST_ENTRY MmProcessLinks;
/*<thisrel this+0x240>*/ /*|0x4|*/ unsigned long ModifiedPageCount;
/*<thisrel this+0x244>*/ /*|0x4|*/ unsigned long JobStatus;
/*<thisrel this+0x248>*/ /*|0x4|*/ unsigned long Flags; // the 32-bit word that the <bitfield> members below decode
/*<bitfield this+0x248>*/ /*|0x4|*/ unsigned long CreateReported:0:1;
/*<bitfield this+0x248>*/ /*|0x4|*/ unsigned long NoDebugInherit:1:1;
/*<bitfield this+0x248>*/ /*|0x4|*/ unsigned long ProcessExiting:2:1;
/*<bitfield this+0x248>*/ /*|0x4|*/ unsigned long ProcessDelete:3:1;
/*<bitfield this+0x248>*/ /*|0x4|*/ unsigned long Wow64SplitPages:4:1;
/*<bitfield this+0x248>*/ /*|0x4|*/ unsigned long VmDeleted:5:1;
/*<bitfield this+0x248>*/ /*|0x4|*/ unsigned long OutswapEnabled:6:1;
/*<bitfield this+0x248>*/ /*|0x4|*/ unsigned long Outswapped:7:1;
/*<bitfield this+0x248>*/ /*|0x4|*/ unsigned long ForkFailed:8:1;
/*<bitfield this+0x248>*/ /*|0x4|*/ unsigned long Wow64VaSpace4Gb:9:1;
/*<bitfield this+0x248>*/ /*|0x4|*/ unsigned long AddressSpaceInitialized:a:2; // two bits wide (0xa-0xb); bit offsets from here on are hex
/*<bitfield this+0x248>*/ /*|0x4|*/ unsigned long SetTimerResolution:c:1;
/*<bitfield this+0x248>*/ /*|0x4|*/ unsigned long BreakOnTermination:d:1;
/*<bitfield this+0x248>*/ /*|0x4|*/ unsigned long SessionCreationUnderway:e:1;
/*<bitfield this+0x248>*/ /*|0x4|*/ unsigned long WriteWatch:f:1;
/*<bitfield this+0x248>*/ /*|0x4|*/ unsigned long ProcessInSession:10:1;
/*<bitfield this+0x248>*/ /*|0x4|*/ unsigned long OverrideAddressSpace:11:1;
/*<bitfield this+0x248>*/ /*|0x4|*/ unsigned long HasAddressSpace:12:1;
/*<bitfield this+0x248>*/ /*|0x4|*/ unsigned long LaunchPrefetched:13:1;
/*<bitfield this+0x248>*/ /*|0x4|*/ unsigned long InjectInpageErrors:14:1;
/*<bitfield this+0x248>*/ /*|0x4|*/ unsigned long VmTopDown:15:1;
/*<bitfield this+0x248>*/ /*|0x4|*/ unsigned long ImageNotifyDone:16:1;
/*<bitfield this+0x248>*/ /*|0x4|*/ unsigned long PdeUpdateNeeded:17:1;
/*<bitfield this+0x248>*/ /*|0x4|*/ unsigned long VdmAllowed:18:1;
/*<bitfield this+0x248>*/ /*|0x4|*/ unsigned long Unused:19:7; // bits 0x19-0x1f: fills the word to 32 bits
/*<thisrel this+0x24c>*/ /*|0x4|*/ long ExitStatus;
/*<thisrel this+0x250>*/ /*|0x2|*/ unsigned short NextPageColor;
/*<thisrel this+0x252>*/ /*|0x1|*/ unsigned char SubSystemMinorVersion; // low byte of SubSystemVersion below
/*<thisrel this+0x253>*/ /*|0x1|*/ unsigned char SubSystemMajorVersion; // high byte of SubSystemVersion below
/*<thisrel this+0x252>*/ /*|0x2|*/ unsigned short SubSystemVersion; // overlaps the two bytes above (union in the real type)
/*<thisrel this+0x254>*/ /*|0x1|*/ unsigned char PriorityClass; // followed by 3 bytes of padding (0x255-0x257) before VadRoot
/*<thisrel this+0x258>*/ /*|0x20|*/ struct _MM_AVL_TABLE VadRoot; // last member; ends at 0x278, the size of the structure
// base classes -----------------------------------
// friends ----------------------------------------
// static functions -------------------------------
// non-virtual functions --------------------------
// virtual functions ------------------------------
};
// <size 0x278>
Здравствуйте, Mickey, Вы писали:
M>Здравствуйте, Аноним, Вы писали:
А>>Кто знает где можно найти поля структуры EPROCESS для Windows 2003 ?
А>>Буду очень благодарен.
M>M>struct _EPROCESS {
...
M>};
M>
или можно воспользоваться командой WinDbg (при загруженных символах ядра она покажет раскладку именно той сборки, которая отлаживается, а не чужой дамп):
dt nt!_EPROCESS