А>Заранее спасибо.
Пожалуйста
/*
 * KTHREAD_NT4 - kernel thread block, in the layout the _NT4 suffix refers to
 * (presumably Windows NT 4.0 - confirm against the target's symbols).
 *
 * This mirrors an internal kernel structure, so member order and member
 * types ARE the contract: never reorder, retype or insert members. The
 * pointer-sized values declared as ULONG suggest a 32-bit layout.
 *
 * No offsets are annotated in this variant. Tools that read these fields
 * (debugger extensions, memory forensics, integrity checkers) should pick
 * the variant from the running OS version and verify sizeof/offsetof
 * against symbols first; applying one build's layout to another reads
 * unrelated memory.
 */
typedef struct _KTHREAD_NT4
{
DISPATCHER_HEADER Header;
LIST_ENTRY MutantListHead;
PVOID InitialStack;
PVOID StackLimit;
struct _TEB *Teb;
PVOID TlsArray;
PVOID KernelStack;
BOOLEAN DebugActive;
UCHAR State;
/* One 16-bit member here; the XP variant declares UCHAR Alerted[2]. */
USHORT Alerted;
UCHAR Iopl;
UCHAR NpxState;
UCHAR Saturation;
UCHAR Priority;
KAPC_STATE ApcState;
ULONG ContextSwitches;
NTSTATUS WaitStatus;
UCHAR WaitIrql;
UCHAR WaitMode;
UCHAR WaitNext;
UCHAR WaitReason;
PKWAIT_BLOCK WaitBlockList;
LIST_ENTRY WaitListEntry;
ULONG WaitTime;
UCHAR BasePriority;
UCHAR DecrementCount;
UCHAR PriorityDecrement;
UCHAR Quantum;
/* Four wait blocks are embedded directly in the thread block. */
KWAIT_BLOCK WaitBlock[4];
ULONG LegoData;
ULONG KernelApcDisable;
ULONG UserAffinity;
BOOLEAN SystemAffinityActive;
/* Explicit padding; the W2K variant reuses two of these bytes for
 * PowerState and NpxIrql. */
UCHAR Pad[3];
/* Per-thread pointer; the XP/2K3 variants name it ServiceTable.
 * NOTE(review): the type name suggests the system-service dispatch table
 * used for this thread; an integrity check would treat an unexpected value
 * as suspicious - confirm semantics against the kernel in question. */
PSERVICE_DESCRIPTOR_TABLE ServiceDescriptorTable;
PKQUEUE Queue;
KSPIN_LOCK ApcQueueLock;
KTIMER Timer;
LIST_ENTRY QueueListEntry;
ULONG Affinity;
BOOLEAN Preempted;
BOOLEAN ProcessReadyQueue;
BOOLEAN KernelStackResident;
UCHAR NextProcessor;
PVOID CallbackStack;
PVOID Win32Thread;
PKTRAP_FRAME TrapFrame;
PKAPC_STATE ApcStatePointer[2];
BOOLEAN EnableStackSwap;
BOOLEAN LargeStack;
UCHAR ResourceIndex;
/* Last of this four-byte group here; the W2K and XP variants place
 * PreviousMode first (before EnableStackSwap). */
UCHAR PreviousMode;
ULONG KernelTime;
ULONG UserTime;
KAPC_STATE SavedApcState;
BOOLEAN Alertable;
UCHAR ApcStateIndex;
BOOLEAN ApcQueueable;
BOOLEAN AutoAlignment;
PVOID StackBase;
KAPC SuspendApc;
KSEMAPHORE SuspendSemaphore;
LIST_ENTRY ThreadListEntry;
UCHAR FreezeCount;
UCHAR SuspendCount;
UCHAR IdealProcessor;
BOOLEAN DisableBoost;
} KTHREAD_NT4, *PKTHREAD_NT4;
/*
 * KTHREAD_W2K - kernel thread block, in the layout the _W2K suffix refers
 * to (presumably Windows 2000 - confirm against the target's symbols).
 *
 * Member list matches KTHREAD_NT4 except for two spots, both marked below:
 * the padding after SystemAffinityActive and the position of PreviousMode.
 * Member order and types are the contract; do not reorder or retype.
 * No offsets are annotated; verify them against symbols and select this
 * variant only after checking the running OS version.
 */
typedef struct _KTHREAD_W2K
{
DISPATCHER_HEADER Header;
LIST_ENTRY MutantListHead;
PVOID InitialStack;
PVOID StackLimit;
struct _TEB *Teb;
PVOID TlsArray;
PVOID KernelStack;
BOOLEAN DebugActive;
UCHAR State;
USHORT Alerted;
UCHAR Iopl;
UCHAR NpxState;
UCHAR Saturation;
UCHAR Priority;
KAPC_STATE ApcState;
ULONG ContextSwitches;
NTSTATUS WaitStatus;
UCHAR WaitIrql;
UCHAR WaitMode;
UCHAR WaitNext;
UCHAR WaitReason;
PKWAIT_BLOCK WaitBlockList;
LIST_ENTRY WaitListEntry;
ULONG WaitTime;
UCHAR BasePriority;
UCHAR DecrementCount;
UCHAR PriorityDecrement;
UCHAR Quantum;
/* Four wait blocks are embedded directly in the thread block. */
KWAIT_BLOCK WaitBlock[4];
ULONG LegoData;
ULONG KernelApcDisable;
ULONG UserAffinity;
BOOLEAN SystemAffinityActive;
/* Difference from KTHREAD_NT4: that variant has UCHAR Pad[3] here; this
 * one names two of the three bytes and keeps one as padding. */
UCHAR PowerState;
UCHAR NpxIrql;
UCHAR Pad[1];
/* Per-thread pointer; the XP/2K3 variants name it ServiceTable.
 * NOTE(review): the type name suggests the system-service dispatch table
 * used for this thread; an integrity check would treat an unexpected value
 * as suspicious - confirm semantics against the kernel in question. */
PSERVICE_DESCRIPTOR_TABLE ServiceDescriptorTable;
PKQUEUE Queue;
KSPIN_LOCK ApcQueueLock;
KTIMER Timer;
LIST_ENTRY QueueListEntry;
ULONG Affinity;
BOOLEAN Preempted;
BOOLEAN ProcessReadyQueue;
BOOLEAN KernelStackResident;
UCHAR NextProcessor;
PVOID CallbackStack;
PVOID Win32Thread;
PKTRAP_FRAME TrapFrame;
PKAPC_STATE ApcStatePointer[2];
/* Difference from KTHREAD_NT4: PreviousMode comes first in this four-byte
 * group instead of last, so the three following bytes shift by one. */
UCHAR PreviousMode;
BOOLEAN EnableStackSwap;
BOOLEAN LargeStack;
UCHAR ResourceIndex;
ULONG KernelTime;
ULONG UserTime;
KAPC_STATE SavedApcState;
BOOLEAN Alertable;
UCHAR ApcStateIndex;
BOOLEAN ApcQueueable;
BOOLEAN AutoAlignment;
PVOID StackBase;
KAPC SuspendApc;
KSEMAPHORE SuspendSemaphore;
LIST_ENTRY ThreadListEntry;
UCHAR FreezeCount;
UCHAR SuspendCount;
UCHAR IdealProcessor;
BOOLEAN DisableBoost;
} KTHREAD_W2K, *PKTHREAD_W2K;
/*
 * KTHREAD_XP - kernel thread block, in the layout the _XP suffix refers to
 * (presumably Windows XP - confirm against the target's symbols).
 *
 * Compared with KTHREAD_W2K in this file: several byte members become
 * signed CHAR, four bytes are inserted after ContextSwitches, a
 * SoftAffinity member is inserted before Affinity, WaitListEntry gains a
 * union partner, and ServiceDescriptorTable is renamed ServiceTable.
 * The inserted members shift everything after them, so W2K offsets must
 * not be reused here. No offsets are annotated; verify against symbols.
 */
typedef struct _KTHREAD_XP
{
DISPATCHER_HEADER Header;
LIST_ENTRY MutantListHead;
PVOID InitialStack;
PVOID StackLimit;
struct _TEB *Teb;
PVOID TlsArray;
PVOID KernelStack;
BOOLEAN DebugActive;
UCHAR State;
/* Two bytes; the NT4/W2K variants declare a single USHORT here. */
UCHAR Alerted[2];
UCHAR Iopl;
UCHAR NpxState;
CHAR Saturation;
CHAR Priority;
KAPC_STATE ApcState;
ULONG ContextSwitches;
/* Not present in the NT4/W2K variants: one byte plus three spare bytes. */
UCHAR IdleSwapBlock;
UCHAR Spare0[3];
NTSTATUS WaitStatus;
UCHAR WaitIrql;
CHAR WaitMode;
UCHAR WaitNext;
UCHAR WaitReason;
PKWAIT_BLOCK WaitBlockList;
/* Both members share storage; the union is as large as the LIST_ENTRY. */
union
{
LIST_ENTRY WaitListEntry;
SINGLE_LIST_ENTRY SwapListEntry;
};
ULONG WaitTime;
CHAR BasePriority;
UCHAR DecrementCount;
CHAR PriorityDecrement;
CHAR Quantum;
/* Four wait blocks are embedded directly in the thread block. */
KWAIT_BLOCK WaitBlock[4];
/* Declared PVOID here, ULONG in the NT4/W2K variants. */
PVOID LegoData;
ULONG KernelApcDisable;
ULONG UserAffinity;
BOOLEAN SystemAffinityActive;
UCHAR PowerState;
UCHAR NpxIrql;
/* Takes the byte the W2K variant declares as Pad[1]. */
UCHAR InitialNode;
/* Same type as ServiceDescriptorTable in the NT4/W2K variants.
 * NOTE(review): the type name suggests the system-service dispatch table
 * used for this thread; an integrity check would treat an unexpected value
 * as suspicious - confirm semantics against the kernel in question. */
PSERVICE_DESCRIPTOR_TABLE ServiceTable;
PKQUEUE Queue;
KSPIN_LOCK ApcQueueLock;
KTIMER Timer;
LIST_ENTRY QueueListEntry;
/* Not present in the NT4/W2K variants. */
ULONG SoftAffinity;
ULONG Affinity;
BOOLEAN Preempted;
BOOLEAN ProcessReadyQueue;
BOOLEAN KernelStackResident;
UCHAR NextProcessor;
PVOID CallbackStack;
PVOID Win32Thread;
PKTRAP_FRAME TrapFrame;
PKAPC_STATE ApcStatePointer[2];
CHAR PreviousMode;
BOOLEAN EnableStackSwap;
BOOLEAN LargeStack;
UCHAR ResourceIndex;
ULONG KernelTime;
ULONG UserTime;
KAPC_STATE SavedApcState;
BOOLEAN Alertable;
UCHAR ApcStateIndex;
BOOLEAN ApcQueueable;
BOOLEAN AutoAlignment;
PVOID StackBase;
KAPC SuspendApc;
KSEMAPHORE SuspendSemaphore;
LIST_ENTRY ThreadListEntry;
CHAR FreezeCount;
CHAR SuspendCount;
UCHAR IdealProcessor;
BOOLEAN DisableBoost;
} KTHREAD_XP, *PKTHREAD_XP;
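/*
 * KTHREAD_2K3 - kernel thread block, in the layout the _2K3 suffix refers
 * to (presumably Windows Server 2003 - confirm the exact build and service
 * pack against the target's symbols).
 *
 * Each member carries its byte offset. Pointers advance by 4 bytes
 * (+0x018 -> +0x01c), so this is a 32-bit layout. The member order is
 * substantially different from the NT4/W2K/XP variants in this file; none
 * of their offsets carry over.
 *
 * Member order and types are the contract: a wrong width silently moves
 * every later field. Tools that read live or dumped kernel memory through
 * this type should check the OS version first and assert a few offsets
 * (offsetof) at build time.
 */
typedef struct _KTHREAD_2K3
{
/*+0x000*/ DISPATCHER_HEADER Header;
/*+0x010*/ LIST_ENTRY MutantListHead;
/*+0x018*/ PVOID InitialStack;
/*+0x01c*/ PVOID StackLimit;
/*+0x020*/ PVOID KernelStack;
/*+0x024*/ ULONG ThreadLock;
/*+0x028*/ ULONG ContextSwitches;
/*+0x02c*/ UCHAR State;
/*+0x02d*/ UCHAR NpxState;
/*+0x02e*/ UCHAR WaitIrql;
/*+0x02f*/ CHAR WaitMode;
/*+0x030*/ struct _TEB *Teb;
/*+0x034*/ KAPC_STATE ApcState;
/*+0x04c*/ KSPIN_LOCK ApcQueueLock;
/*+0x050*/ NTSTATUS WaitStatus;
/*+0x054*/ PKWAIT_BLOCK WaitBlockList;
/*+0x058*/ BOOLEAN Alertable;
/*+0x059*/ UCHAR WaitNext;
/*+0x05a*/ UCHAR WaitReason;
/*+0x05b*/ CHAR Priority;
/*+0x05c*/ BOOLEAN EnableStackSwap;
/*+0x05d*/ UCHAR SwapBusy;
/*+0x05e*/ BOOLEAN Alerted[2];
/* Both members share storage; the union is as large as the LIST_ENTRY. */
union{
/*+0x060*/ LIST_ENTRY WaitListEntry;
/*+0x060*/ SINGLE_LIST_ENTRY SwapListEntry;
};
/*+0x068*/ PKQUEUE Queue;
/*+0x06c*/ ULONG WaitTime;
/*
 * The two APC-disable counters are 16-bit halves of the 32-bit
 * CombinedApcDisable: that is the only declaration under which
 * SpecialApcDisable can sit at +0x072 while CombinedApcDisable starts at
 * +0x070. Declaring them as two 32-bit LONGs would put SpecialApcDisable
 * at +0x074 and make KernelApcDisable read both counters at once.
 * "short" is the 16-bit signed type (SHORT in WDK terms).
 * The four bytes at +0x074 are then alignment padding before Timer,
 * assuming KTIMER is 8-byte aligned - confirm.
 */
union {
struct {
/*+0x070*/ short KernelApcDisable;
/*+0x072*/ short SpecialApcDisable;
};
/*+0x070*/ ULONG CombinedApcDisable;
};
/*+0x078*/ KTIMER Timer;
/* Four wait blocks are embedded directly in the thread block. */
/*+0x0a0*/ KWAIT_BLOCK WaitBlock[4];
/*+0x100*/ LIST_ENTRY QueueListEntry;
/*+0x108*/ UCHAR ApcStateIndex;
/*+0x109*/ BOOLEAN ApcQueueable;
/*+0x10a*/ BOOLEAN Preempted;
/*+0x10b*/ BOOLEAN ProcessReadyQueue;
/*+0x10c*/ BOOLEAN KernelStackResident;
/*+0x10d*/ CHAR Saturation;
/*+0x10e*/ CHAR IdealProcessor;
/*+0x10f*/ UCHAR NextProcessor;
/*+0x110*/ CHAR BasePriority;
/*+0x111*/ UCHAR Spare4;
/*+0x112*/ CHAR PriorityDecrement;
/*+0x113*/ CHAR Quantum;
/*+0x114*/ BOOLEAN SystemAffinityActive;
/*+0x115*/ KPROCESSOR_MODE PreviousMode;
/*+0x116*/ UCHAR ResourceIndex;
/*+0x117*/ BOOLEAN DisableBoost;
/*+0x118*/ ULONG UserAffinity;
/* Not a direct member of the NT4/W2K/XP thread variants in this file. */
/*+0x11c*/ PKPROCESS Process;
/*+0x120*/ ULONG Affinity;
/* NOTE(review): the type name suggests the system-service dispatch table
 * used for this thread; an integrity check would treat an unexpected value
 * as suspicious - confirm semantics against the kernel in question. */
/*+0x124*/ PSERVICE_DESCRIPTOR_TABLE ServiceTable;
/*+0x128*/ PKAPC_STATE ApcStatePointer[2];
/*+0x130*/ KAPC_STATE SavedApcState;
/*+0x148*/ PVOID CallbackStack;
/*+0x14c*/ PVOID Win32Thread;
/*+0x150*/ PKTRAP_FRAME TrapFrame;
/*+0x154*/ ULONG KernelTime;
/*+0x158*/ ULONG UserTime;
/*+0x15c*/ PVOID StackBase;
/*+0x160*/ KAPC SuspendApc;
/*+0x190*/ KSEMAPHORE SuspendSemaphore;
/*+0x1a4*/ PVOID TlsArray;
/*+0x1a8*/ PVOID LegoData;
/*+0x1ac*/ LIST_ENTRY ThreadListEntry;
/*+0x1b4*/ BOOLEAN LargeStack;
/*+0x1b5*/ UCHAR PowerState;
/*+0x1b6*/ UCHAR NpxIrql;
/*+0x1b7*/ UCHAR Spare5;
/*+0x1b8*/ BOOLEAN AutoAlignment;
/*+0x1b9*/ UCHAR Iopl;
/*+0x1ba*/ CHAR FreezeCount;
/*+0x1bb*/ CHAR SuspendCount;
/*+0x1bc*/ UCHAR Spare0;
/*+0x1bd*/ UCHAR UserIdealProcessor;
/*+0x1be*/ UCHAR DeferredProcessor;
/*+0x1bf*/ UCHAR AdjustReason;
/*+0x1c0*/ CHAR AdjustIncrement;
/* Ends at +0x1c4; ETHREAD_2K3 places its next member at +0x1c8. */
/*+0x1c1*/ UCHAR Spare2[3];
}KTHREAD_2K3,*PKTHREAD_2K3;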
/*
 * ETHREAD_NT4 - executive thread block for the _NT4 layout (presumably
 * Windows NT 4.0 - confirm against the target's symbols).
 *
 * Tcb is the first member, so a pointer to this structure also addresses
 * the embedded KTHREAD_NT4. Member order and types are the contract; no
 * offsets are annotated, so verify them against symbols before use.
 *
 * PEPROCESS_NT4 is used below but EPROCESS_NT4 is declared later in this
 * file; this compiles only if a forward typedef exists elsewhere (not
 * visible here).
 */
typedef struct _ETHREAD_NT4
{
KTHREAD_NT4 Tcb;
LARGE_INTEGER CreateTime;
/* ExitTime and LpcReplyChain share the same 8 bytes. */
union
{
LARGE_INTEGER ExitTime;
LIST_ENTRY LpcReplyChain;
};
/* ExitStatus and OfsChain share storage. */
union
{
NTSTATUS ExitStatus;
PVOID OfsChain;
};
LIST_ENTRY PostBlockList;
LIST_ENTRY TerminationPortList;
KSPIN_LOCK ActiveTimerListLock;
LIST_ENTRY ActiveTimerListHead;
CLIENT_ID Cid;
KSEMAPHORE LpcReplySemaphore;
PLPC_MESSAGE LpcReplyMessage;
ULONG LpcReplyMessageId;
ULONG PerformanceCountLow;
PPS_IMPERSONATION_INFORMATION ImpersonationInfo;
LIST_ENTRY IrpList;
PVOID TopLevelIrp;
PDEVICE_OBJECT DeviceToVerify;
ULONG ReadClusterSize;
BOOLEAN ForwardClusterOnly;
BOOLEAN DisablePageFaultClustering;
BOOLEAN DeadThread;
/* One byte here; the W2K variant declares HasTerminated as ULONG and puts
 * HideFromDebugger in this byte position. */
BOOLEAN HasTerminated;
/* Not present in the W2K variant. */
PKEVENT_PAIR EventPair;
ACCESS_MASK GrantedAccess;
PEPROCESS_NT4 ThreadsProcess;
/* NOTE(review): start addresses are useful triage data (for example,
 * checking that they fall inside a loaded module) - semantics inferred
 * from the member names; confirm. */
PKSTART_ROUTINE StartAddress;
/* Win32StartAddress and LpcReceivedMessageId share storage; which one is
 * valid is presumably indicated by LpcReceivedMsgIdValid - confirm. */
union
{
PVOID Win32StartAddress;
ULONG LpcReceivedMessageId;
};
BOOLEAN LpcExitThreadCalled;
BOOLEAN HardErrorsAreDisabled;
BOOLEAN LpcReceivedMsgIdValid;
BOOLEAN ActiveImpersonationInfo;
ULONG PerformanceCountHigh;
} ETHREAD_NT4, *PETHREAD_NT4;
/*
 * ETHREAD_W2K - executive thread block for the _W2K layout (presumably
 * Windows 2000 - confirm against the target's symbols).
 *
 * Tcb is the first member, so a pointer to this structure also addresses
 * the embedded KTHREAD_W2K. Compared with ETHREAD_NT4 in this file:
 * HideFromDebugger is added, HasTerminated widens to ULONG, EventPair is
 * gone and a ThreadListEntry is appended. No offsets are annotated.
 *
 * PEPROCESS_W2K is used below but EPROCESS_W2K is declared later in this
 * file; this compiles only if a forward typedef exists elsewhere (not
 * visible here).
 */
typedef struct _ETHREAD_W2K
{
KTHREAD_W2K Tcb;
LARGE_INTEGER CreateTime;
/* ExitTime and LpcReplyChain share the same 8 bytes. */
union
{
LARGE_INTEGER ExitTime;
LIST_ENTRY LpcReplyChain;
};
/* ExitStatus and OfsChain share storage. */
union
{
NTSTATUS ExitStatus;
PVOID OfsChain;
};
LIST_ENTRY PostBlockList;
LIST_ENTRY TerminationPortList;
KSPIN_LOCK ActiveTimerListLock;
LIST_ENTRY ActiveTimerListHead;
CLIENT_ID Cid;
KSEMAPHORE LpcReplySemaphore;
PLPC_MESSAGE LpcReplyMessage;
ULONG LpcReplyMessageId;
ULONG PerformanceCountLow;
PPS_IMPERSONATION_INFORMATION ImpersonationInfo;
LIST_ENTRY IrpList;
PVOID TopLevelIrp;
PDEVICE_OBJECT DeviceToVerify;
ULONG ReadClusterSize;
BOOLEAN ForwardClusterOnly;
BOOLEAN DisablePageFaultClustering;
BOOLEAN DeadThread;
/* NOTE(review): by its name this marks a thread as hidden from an attached
 * debugger; triage tooling may want to surface threads that have it set -
 * semantics not shown here, confirm. */
BOOLEAN HideFromDebugger;
/* ULONG here, BOOLEAN in the NT4 variant. */
ULONG HasTerminated;
ACCESS_MASK GrantedAccess;
PEPROCESS_W2K ThreadsProcess;
/* NOTE(review): start addresses are useful triage data (for example,
 * checking that they fall inside a loaded module) - semantics inferred
 * from the member names; confirm. */
PKSTART_ROUTINE StartAddress;
/* Win32StartAddress and LpcReceivedMessageId share storage; which one is
 * valid is presumably indicated by LpcReceivedMsgIdValid - confirm. */
union
{
PVOID Win32StartAddress;
ULONG LpcReceivedMessageId;
};
BOOLEAN LpcExitThreadCalled;
BOOLEAN HardErrorsAreDisabled;
BOOLEAN LpcReceivedMsgIdValid;
BOOLEAN ActiveImpersonationInfo;
ULONG PerformanceCountHigh;
/* Not present in the NT4 variant. This is a second list entry, separate
 * from Tcb.ThreadListEntry. */
LIST_ENTRY ThreadListEntry;
} ETHREAD_W2K, *PETHREAD_W2K;
/*
 * ETHREAD_XP - executive thread block for the _XP layout (presumably
 * Windows XP - confirm against the target's symbols).
 *
 * Tcb is the first member, so a pointer to this structure also addresses
 * the embedded KTHREAD_XP. Compared with the NT4/W2K variants, the
 * individual BOOLEAN state members are folded into three ULONG flag words
 * with bit-field views, and several members gain union partners.
 * No offsets are annotated; verify them against symbols before use.
 *
 * PETHREAD_XP (declared at the end of this very typedef) and PEPROCESS_XP
 * (declared later in the file) are used inside the body; this compiles
 * only if forward typedefs exist elsewhere (not visible here).
 */
typedef struct _ETHREAD_XP
{
KTHREAD_XP Tcb;
/* The bit-fields overlay the low bits of CreateTime's storage. */
union
{
LARGE_INTEGER CreateTime;
struct
{
ULONG NestedFaultCount : 2;
ULONG ApcNeeded : 1;
};
};
/* All three members share the same 8 bytes. */
union
{
LARGE_INTEGER ExitTime;
LIST_ENTRY LpcReplyChain;
LIST_ENTRY KeyedWaitChain;
};
/* ExitStatus and OfsChain share storage. */
union
{
NTSTATUS ExitStatus;
PVOID OfsChain;
};
LIST_ENTRY PostBlockList;
/* One pointer-sized slot with three interpretations; the NT4/W2K variants
 * have a LIST_ENTRY TerminationPortList here instead. */
union
{
PTERMINATION_PORT TerminationPort;
PETHREAD_XP ReaperLink;
PVOID KeyedWaitValue;
};
KSPIN_LOCK ActiveTimerListLock;
LIST_ENTRY ActiveTimerListHead;
CLIENT_ID Cid;
/* Same semaphore storage under two names. */
union
{
KSEMAPHORE LpcReplySemaphore;
KSEMAPHORE KeyedWaitSemaphore;
};
union
{
PLPC_MESSAGE LpcReplyMessage;
PVOID LpcWaitingOnPort;
};
PPS_IMPERSONATION_INFORMATION ImpersonationInfo;
LIST_ENTRY IrpList;
/* ULONG here, PVOID in the NT4/W2K variants. */
ULONG TopLevelIrp;
PDEVICE_OBJECT DeviceToVerify;
PEPROCESS_XP ThreadsProcess;
/* NOTE(review): start addresses are useful triage data (for example,
 * checking that they fall inside a loaded module) - semantics inferred
 * from the member names; confirm. */
PKSTART_ROUTINE StartAddress;
/* Win32StartAddress and LpcReceivedMessageId share storage; which one is
 * valid is presumably indicated by LpcReceivedMsgIdValid - confirm. */
union
{
PVOID Win32StartAddress;
ULONG LpcReceivedMessageId;
};
LIST_ENTRY ThreadListEntry;
EX_RUNDOWN_REF RundownProtect;
EX_PUSH_LOCK ThreadLock;
ULONG LpcReplyMessageId;
ULONG ReadClusterSize;
ACCESS_MASK GrantedAccess;
/* CrossThreadFlags is the whole 32-bit word; the bit-fields name its low
 * nine bits. Bit-field order is compiler-defined, so bit positions hold
 * only for the compiler this layout was taken from.
 * NOTE(review): HideFromDebugger is a single bit here rather than the
 * BOOLEAN of the W2K variant; triage tooling may want to surface threads
 * that have it set - confirm semantics. */
union
{
ULONG CrossThreadFlags;
struct
{
ULONG Terminated : 1;
ULONG DeadThread : 1;
ULONG HideFromDebugger : 1;
ULONG ActiveImpersonationInfo : 1;
ULONG SystemThread : 1;
ULONG HardErrorsAreDisabled : 1;
ULONG BreakOnTermination : 1;
ULONG SkipCreationMsg : 1;
ULONG SkipTerminationMsg : 1;
};
};
/* SameThreadPassiveFlags is the whole word; three bits are named. */
union
{
ULONG SameThreadPassiveFlags;
struct
{
ULONG ActiveExWorker : 1;
ULONG ExWorkerCanWaitUser : 1;
ULONG MemoryMaker : 1;
};
};
/* The named bits are declared with the one-byte BOOLEAN type, not ULONG,
 * so they occupy a byte-sized unit at the start of the flag word. */
union
{
ULONG SameThreadApcFlags;
struct
{
BOOLEAN LpcReceivedMsgIdValid : 1;
BOOLEAN LpcExitThreadCalled : 1;
BOOLEAN AddressSpaceOwner : 1;
};
};
BOOLEAN ForwardClusterOnly;
BOOLEAN DisablePageFaultClustering;
} ETHREAD_XP, *PETHREAD_XP;
/*
 * ETHREAD_2K3 - executive thread block for the _2K3 layout (presumably
 * Windows Server 2003 - confirm the exact build against symbols).
 *
 * Tcb is the first member, so a pointer to this structure also addresses
 * the embedded KTHREAD_2K3. Offsets are annotated per member; pointers
 * are 4 bytes wide (+0x228 -> +0x22c), so this is a 32-bit layout.
 * The member list matches ETHREAD_XP apart from the extra KeyedEventInUse
 * bit, but the offsets differ because the embedded Tcb differs.
 *
 * PETHREAD_2K3 (declared at the end of this very typedef) and
 * PEPROCESS_2K3 (declared later in the file) are used inside the body;
 * this compiles only if forward typedefs exist elsewhere (not visible
 * here).
 */
typedef struct _ETHREAD_2K3
{
/*+0x000*/ KTHREAD_2K3 Tcb;
/* The bit-fields overlay the low bits of CreateTime's storage. */
union {
/*+0x1c8*/ LARGE_INTEGER CreateTime;
struct
{
/*+0x1c8*/ ULONG NestedFaultCount : 2;
/*+0x1c8*/ ULONG ApcNeeded : 1;
};
};
/* All three members share the same 8 bytes. */
union {
/*+0x1d0*/ LARGE_INTEGER ExitTime;
/*+0x1d0*/ LIST_ENTRY LpcReplyChain;
/*+0x1d0*/ LIST_ENTRY KeyedWaitChain;
};
union {
/*+0x1d8*/ NTSTATUS ExitStatus;
/*+0x1d8*/ PVOID OfsChain;
};
/*+0x1dc*/ LIST_ENTRY PostBlockList;
/* One pointer-sized slot with three interpretations. */
union {
/*+0x1e4*/ PTERMINATION_PORT TerminationPort;
/*+0x1e4*/ PETHREAD_2K3 ReaperLink;
/*+0x1e4*/ PVOID KeyedWaitValue;
};
/*+0x1e8*/ KSPIN_LOCK ActiveTimerListLock;
/*+0x1ec*/ LIST_ENTRY ActiveTimerListHead;
/*+0x1f4*/ CLIENT_ID Cid;
/* Same semaphore storage under two names. */
union {
/*+0x1fc*/ KSEMAPHORE LpcReplySemaphore;
/*+0x1fc*/ KSEMAPHORE KeyedWaitSemaphore;
};
union {
/*+0x210*/ PLPC_MESSAGE LpcReplyMessage;
/*+0x210*/ PVOID LpcWaitingOnPort;
};
/*+0x214*/ PPS_IMPERSONATION_INFORMATION ImpersonationInfo;
/*+0x218*/ LIST_ENTRY IrpList;
/*+0x220*/ ULONG TopLevelIrp;
/*+0x224*/ PDEVICE_OBJECT DeviceToVerify;
/*+0x228*/ PEPROCESS_2K3 ThreadsProcess;
/* NOTE(review): start addresses are useful triage data (for example,
 * checking that they fall inside a loaded module) - semantics inferred
 * from the member names; confirm. */
/*+0x22c*/ PKSTART_ROUTINE StartAddress;
/* Win32StartAddress and LpcReceivedMessageId share storage; which one is
 * valid is presumably indicated by LpcReceivedMsgIdValid - confirm. */
union {
/*+0x230*/ PVOID Win32StartAddress;
/*+0x230*/ ULONG LpcReceivedMessageId;
};
/*+0x234*/ LIST_ENTRY ThreadListEntry;
/*+0x23c*/ EX_RUNDOWN_REF RundownProtect;
/*+0x240*/ EX_PUSH_LOCK ThreadLock;
/*+0x244*/ ULONG LpcReplyMessageId;
/*+0x248*/ ULONG ReadClusterSize;
/*+0x24c*/ ACCESS_MASK GrantedAccess;
/* CrossThreadFlags is the whole 32-bit word; the bit-fields name its low
 * nine bits. Bit-field order is compiler-defined, so bit positions hold
 * only for the compiler this layout was taken from.
 * NOTE(review): triage tooling may want to surface threads that have
 * HideFromDebugger set - semantics inferred from the name; confirm. */
union
{
/*+0x250*/ ULONG CrossThreadFlags;
struct
{
ULONG Terminated : 1;
ULONG DeadThread : 1;
ULONG HideFromDebugger : 1;
ULONG ActiveImpersonationInfo : 1;
ULONG SystemThread : 1;
ULONG HardErrorsAreDisabled : 1;
ULONG BreakOnTermination : 1;
ULONG SkipCreationMsg : 1;
ULONG SkipTerminationMsg : 1;
};
};
/* Whole word plus four named bits; KeyedEventInUse is not in ETHREAD_XP. */
union {
/*+0x254*/ ULONG SameThreadPassiveFlags;
struct
{
ULONG ActiveExWorker : 1;
ULONG ExWorkerCanWaitUser : 1;
ULONG MemoryMaker : 1;
ULONG KeyedEventInUse :1;
};
};
/* The named bits are declared with the one-byte BOOLEAN type, not ULONG,
 * so they occupy a byte-sized unit at the start of the flag word. */
union {
/*+0x258*/ ULONG SameThreadApcFlags;
struct
{
BOOLEAN LpcReceivedMsgIdValid : 1;
BOOLEAN LpcExitThreadCalled : 1;
BOOLEAN AddressSpaceOwner : 1;
};
};
/*+0x25c*/ BOOLEAN ForwardClusterOnly;
/*+0x25d*/ BOOLEAN DisablePageFaultClustering;
}ETHREAD_2K3,*PETHREAD_2K3;
/*
 * KPROCESS_NT4 - kernel process block for the _NT4 layout (presumably
 * Windows NT 4.0 - confirm against the target's symbols).
 *
 * Embedded as the first member (Pcb) of EPROCESS_NT4. Member order and
 * types are the contract; no offsets are annotated, so verify them
 * against symbols before reading fields out of kernel memory or a dump.
 */
typedef struct _KPROCESS_NT4
{
DISPATCHER_HEADER Header;
LIST_ENTRY ProfileListHead;
/* NOTE(review): presumably the page-directory base used to translate this
 * process's addresses (what a dump analyser needs) - confirm. */
ULONG DirectoryTableBase[2];
KGDTENTRY LdtDescriptor;
KIDTENTRY Int21Descriptor;
USHORT IopmOffset;
UCHAR Iopl;
/* Same byte position is named Unused in the XP/2K3 variants. */
UCHAR VdmFlag;
ULONG ActiveProcessors;
ULONG KernelTime;
ULONG UserTime;
LIST_ENTRY ReadyListHead;
SINGLE_LIST_ENTRY SwapListEntry;
/* Same slot is named VdmTrapcHandler in the XP/2K3 variants. */
PVOID Reserved1;
/* List head; the thread blocks in this file carry a ThreadListEntry,
 * presumably its counterpart - confirm. */
LIST_ENTRY ThreadListHead;
KSPIN_LOCK ProcessLock;
KAFFINITY Affinity;
USHORT StackCount;
UCHAR BasePriority;
UCHAR ThreadQuantum;
BOOLEAN AutoAlignment;
UCHAR State;
UCHAR ThreadSeed;
/* Last member here; the W2K variant appends four more bytes. */
BOOLEAN DisableBoost;
} KPROCESS_NT4, *PKPROCESS_NT4;
/*
 * KPROCESS_W2K - kernel process block for the _W2K layout (presumably
 * Windows 2000 - confirm against the target's symbols).
 *
 * Same members as KPROCESS_NT4 in this file, followed by four extra
 * one-byte members. Embedded as the first member (Pcb) of EPROCESS_W2K.
 * No offsets are annotated; verify them against symbols before use.
 */
typedef struct _KPROCESS_W2K
{
DISPATCHER_HEADER Header;
LIST_ENTRY ProfileListHead;
/* NOTE(review): presumably the page-directory base used to translate this
 * process's addresses (what a dump analyser needs) - confirm. */
ULONG DirectoryTableBase[2];
KGDTENTRY LdtDescriptor;
KIDTENTRY Int21Descriptor;
USHORT IopmOffset;
UCHAR Iopl;
/* Same byte position is named Unused in the XP/2K3 variants. */
UCHAR VdmFlag;
ULONG ActiveProcessors;
ULONG KernelTime;
ULONG UserTime;
LIST_ENTRY ReadyListHead;
SINGLE_LIST_ENTRY SwapListEntry;
/* Same slot is named VdmTrapcHandler in the XP/2K3 variants. */
PVOID Reserved1;
/* List head; the thread blocks in this file carry a ThreadListEntry,
 * presumably its counterpart - confirm. */
LIST_ENTRY ThreadListHead;
KSPIN_LOCK ProcessLock;
KAFFINITY Affinity;
USHORT StackCount;
UCHAR BasePriority;
UCHAR ThreadQuantum;
BOOLEAN AutoAlignment;
UCHAR State;
UCHAR ThreadSeed;
BOOLEAN DisableBoost;
/* The four members below are not in KPROCESS_NT4. */
UCHAR PowerState;
BOOLEAN DisableQuantum;
UCHAR IdealNode;
UCHAR Spare;
} KPROCESS_W2K, *PKPROCESS_W2K;
/*
 * KPROCESS_XP - kernel process block for the _XP layout (presumably
 * Windows XP - confirm against the target's symbols).
 *
 * Offsets are annotated per member; the last byte is at +0x06b, giving a
 * size of 0x6c. Pointers are 4 bytes wide (+0x04c -> +0x050), so this is
 * a 32-bit layout. Same shape as KPROCESS_W2K in this file with two
 * members renamed and two priority bytes made signed.
 * Embedded as the first member (Pcb) of EPROCESS_XP.
 */
typedef struct _KPROCESS_XP
{
/*+0x000*/ DISPATCHER_HEADER Header;
/*+0x010*/ LIST_ENTRY ProfileListHead;
/* NOTE(review): presumably the page-directory base used to translate this
 * process's addresses (what a dump analyser needs) - confirm. */
/*+0x018*/ ULONG DirectoryTableBase[2];
/*+0x020*/ KGDTENTRY LdtDescriptor;
/*+0x028*/ KIDTENTRY Int21Descriptor;
/*+0x030*/ USHORT IopmOffset;
/*+0x032*/ UCHAR Iopl;
/* Named VdmFlag in the NT4/W2K variants. */
/*+0x033*/ UCHAR Unused;
/*+0x034*/ ULONG ActiveProcessors;
/*+0x038*/ ULONG KernelTime;
/*+0x03c*/ ULONG UserTime;
/*+0x040*/ LIST_ENTRY ReadyListHead;
/*+0x048*/ SINGLE_LIST_ENTRY SwapListEntry;
/* Named Reserved1 in the NT4/W2K variants. */
/*+0x04c*/ PVOID VdmTrapcHandler;
/*+0x050*/ LIST_ENTRY ThreadListHead;
/*+0x058*/ KSPIN_LOCK ProcessLock;
/*+0x05c*/ KAFFINITY Affinity;
/*+0x060*/ USHORT StackCount;
/* Signed CHAR here, UCHAR in the NT4/W2K variants. */
/*+0x062*/ CHAR BasePriority;
/*+0x063*/ CHAR ThreadQuantum;
/*+0x064*/ BOOLEAN AutoAlignment;
/*+0x065*/ UCHAR State;
/*+0x066*/ UCHAR ThreadSeed;
/*+0x067*/ BOOLEAN DisableBoost;
/*+0x068*/ UCHAR PowerState;
/*+0x069*/ BOOLEAN DisableQuantum;
/*+0x06a*/ UCHAR IdealNode;
/*+0x06b*/ UCHAR Spare;
} KPROCESS_XP, *PKPROCESS_XP;
/*
 * KPROCESS_2K3 - kernel process block for the _2K3 layout (presumably
 * Windows Server 2003 - confirm the exact build against symbols).
 *
 * Member-for-member and offset-for-offset identical to KPROCESS_XP in
 * this file. The last byte is at +0x06b, and EPROCESS_2K3 places its next
 * member at +0x06c. Pointers are 4 bytes wide, so this is a 32-bit layout.
 * Embedded as the first member (Pcb) of EPROCESS_2K3.
 */
typedef struct _KPROCESS_2K3
{
/*+0x000*/ DISPATCHER_HEADER Header;
/*+0x010*/ LIST_ENTRY ProfileListHead;
/* NOTE(review): presumably the page-directory base used to translate this
 * process's addresses (what a dump analyser needs) - confirm. */
/*+0x018*/ ULONG DirectoryTableBase[2];
/*+0x020*/ KGDTENTRY LdtDescriptor;
/*+0x028*/ KIDTENTRY Int21Descriptor;
/*+0x030*/ USHORT IopmOffset;
/*+0x032*/ UCHAR Iopl;
/* Named VdmFlag in the NT4/W2K variants. */
/*+0x033*/ UCHAR Unused;
/*+0x034*/ ULONG ActiveProcessors;
/*+0x038*/ ULONG KernelTime;
/*+0x03c*/ ULONG UserTime;
/*+0x040*/ LIST_ENTRY ReadyListHead;
/*+0x048*/ SINGLE_LIST_ENTRY SwapListEntry;
/* Named Reserved1 in the NT4/W2K variants. */
/*+0x04c*/ PVOID VdmTrapcHandler;
/*+0x050*/ LIST_ENTRY ThreadListHead;
/*+0x058*/ KSPIN_LOCK ProcessLock;
/*+0x05c*/ KAFFINITY Affinity;
/*+0x060*/ USHORT StackCount;
/* Signed CHAR here, UCHAR in the NT4/W2K variants. */
/*+0x062*/ CHAR BasePriority;
/*+0x063*/ CHAR ThreadQuantum;
/*+0x064*/ BOOLEAN AutoAlignment;
/*+0x065*/ UCHAR State;
/*+0x066*/ UCHAR ThreadSeed;
/*+0x067*/ BOOLEAN DisableBoost;
/*+0x068*/ UCHAR PowerState;
/*+0x069*/ BOOLEAN DisableQuantum;
/*+0x06a*/ UCHAR IdealNode;
/*+0x06b*/ UCHAR Spare;
}KPROCESS_2K3,*PKPROCESS_2K3;
/*
 * EPROCESS_NT4 - executive process block for the _NT4 layout (presumably
 * Windows NT 4.0 - confirm against the target's symbols).
 *
 * Pcb is the first member, so a pointer to this structure also addresses
 * the embedded KPROCESS_NT4. Member order and types are the contract; no
 * offsets are annotated. Anything that reads these fields from kernel
 * memory or a crash dump should check the OS version first and verify
 * offsets against symbols, because every variant in this file differs.
 */
typedef struct _EPROCESS_NT4
{
KPROCESS_NT4 Pcb;
NTSTATUS ExitStatus;
KEVENT LockEvent;
ULONG LockCount;
LARGE_INTEGER CreateTime;
LARGE_INTEGER ExitTime;
PKTHREAD_NT4 LockOwner;
/* ULONG here; the XP/2K3 variants declare it PVOID. */
ULONG UniqueProcessId;
/* NOTE(review): presumably links this process into the system-wide
 * process list. A list entry can be unlinked while the process keeps
 * running, so enumeration tools should cross-check this list against an
 * independent source (e.g. thread lists or handle tables) - confirm. */
LIST_ENTRY ActiveProcessLinks;
ULONGLONG QuotaPeakPoolUsage;
ULONGLONG QuotaPoolUsage;
ULONG PagefileUsage;
ULONG CommitCharge;
ULONG PeakPagefileUsage;
ULONG PeakVirtualSize;
ULONGLONG VirtualSize;
MMSUPPORT_NT4 Vm;
ULONG LastProtoPteFault;
/* Both ports are ULONG here; the XP/2K3 variants declare them PVOID. */
ULONG DebugPort;
ULONG ExceptionPort;
PHANDLE_TABLE ObjectTable;
/* Plain pointer in this variant; the XP/2K3 variants use EX_FAST_REF. */
PACCESS_TOKEN Token;
FAST_MUTEX WorkingSetLock;
ULONG WorkingSetPage;
BOOLEAN ProcessOutswapEnabled;
BOOLEAN ProcessOutswapped;
BOOLEAN AddressSpaceInitialized;
BOOLEAN AddressSpaceDeleted;
FAST_MUTEX AddressCreationLock;
KSPIN_LOCK HyperSpaceLock;
PETHREAD_NT4 ForkInProgress;
USHORT VmOperation;
BOOLEAN ForkWasSuccessful;
UCHAR MmAgressiveWsTrimMask;
PKEVENT VmOperationEvent;
HARDWARE_PTE PageDirectoryPte;
ULONG LastFaultCount;
ULONG ModifiedPageCount;
PVOID VadRoot;
PVOID VadHint;
ULONG CloneRoot;
ULONG NumberOfPrivatePages;
ULONG NumberOfLockedPages;
USHORT NextPageColor;
BOOLEAN ExitProcessCalled;
BOOLEAN CreateProcessReported;
HANDLE SectionHandle;
PPEB Peb;
PVOID SectionBaseAddress;
PEPROCESS_QUOTA_BLOCK QuotaBlock;
NTSTATUS LastThreadExitStatus;
PPROCESS_WS_WATCH_INFORMATION WorkingSetWatch;
HANDLE Win32WindowStation;
HANDLE InheritedFromUniqueProcessId;
ACCESS_MASK GrantedAccess;
ULONG DefaultHardErrorProcessing;
PVOID LdtInformation;
PVOID VadFreeHint;
PVOID VdmObjects;
KMUTANT ProcessMutant;
/* Fixed 16-byte buffer. Nothing here guarantees NUL termination, so bound
 * every read or print to sizeof(ImageFileName). */
UCHAR ImageFileName[16];
ULONG VmTrimFaultValue;
UCHAR SetTimerResolution;
UCHAR PriorityClass;
/* SubSystemVersion is the 16-bit view of the two version bytes; the minor
 * byte comes first in memory. */
union
{
struct
{
UCHAR SubSystemMinorVersion;
UCHAR SubSystemMajorVersion;
};
USHORT SubSystemVersion;
};
PVOID Win32Process;
} EPROCESS_NT4, *PEPROCESS_NT4;
/*
 * EPROCESS_W2K - executive process block for the _W2K layout (presumably
 * Windows 2000 - confirm against the target's symbols).
 *
 * Pcb is the first member, so a pointer to this structure also addresses
 * the embedded KPROCESS_W2K. Follows EPROCESS_NT4 in this file for the
 * most part, with members replaced, inserted and appended (marked below),
 * so NT4 offsets must not be reused. No offsets are annotated; verify
 * against symbols and check the OS version before applying this layout.
 */
typedef struct _EPROCESS_W2K
{
KPROCESS_W2K Pcb;
NTSTATUS ExitStatus;
KEVENT LockEvent;
ULONG LockCount;
LARGE_INTEGER CreateTime;
LARGE_INTEGER ExitTime;
PKTHREAD_W2K LockOwner;
/* ULONG here; the XP/2K3 variants declare it PVOID. */
ULONG UniqueProcessId;
/* NOTE(review): presumably links this process into the system-wide
 * process list. A list entry can be unlinked while the process keeps
 * running, so enumeration tools should cross-check this list against an
 * independent source (e.g. thread lists or handle tables) - confirm. */
LIST_ENTRY ActiveProcessLinks;
ULONGLONG QuotaPeakPoolUsage;
ULONGLONG QuotaPoolUsage;
ULONG PagefileUsage;
ULONG CommitCharge;
ULONG PeakPagefileUsage;
ULONG PeakVirtualSize;
ULONGLONG VirtualSize;
MMSUPPORT_W2K Vm;
/* The NT4 variant has ULONG LastProtoPteFault at this position. */
LIST_ENTRY SessionProcessLinks;
/* Both ports are ULONG here; the XP/2K3 variants declare them PVOID. */
ULONG DebugPort;
ULONG ExceptionPort;
PHANDLE_TABLE ObjectTable;
/* Plain pointer in this variant; the XP/2K3 variants use EX_FAST_REF. */
PACCESS_TOKEN Token;
FAST_MUTEX WorkingSetLock;
ULONG WorkingSetPage;
BOOLEAN ProcessOutswapEnabled;
BOOLEAN ProcessOutswapped;
BOOLEAN AddressSpaceInitialized;
BOOLEAN AddressSpaceDeleted;
FAST_MUTEX AddressCreationLock;
KSPIN_LOCK HyperSpaceLock;
PETHREAD_W2K ForkInProgress;
USHORT VmOperation;
BOOLEAN ForkWasSuccessful;
UCHAR MmAgressiveWsTrimMask;
PKEVENT VmOperationEvent;
/* The NT4 variant has HARDWARE_PTE PageDirectoryPte at this position;
 * here PageDirectoryPte appears further down. */
PVOID PaeTop;
ULONG LastFaultCount;
ULONG ModifiedPageCount;
PVOID VadRoot;
PVOID VadHint;
ULONG CloneRoot;
ULONG NumberOfPrivatePages;
ULONG NumberOfLockedPages;
USHORT NextPageColor;
BOOLEAN ExitProcessCalled;
BOOLEAN CreateProcessReported;
HANDLE SectionHandle;
PPEB Peb;
PVOID SectionBaseAddress;
PEPROCESS_QUOTA_BLOCK QuotaBlock;
NTSTATUS LastThreadExitStatus;
PPROCESS_WS_WATCH_INFORMATION WorkingSetWatch;
HANDLE Win32WindowStation;
HANDLE InheritedFromUniqueProcessId;
ACCESS_MASK GrantedAccess;
ULONG DefaultHardErrorProcessing;
PVOID LdtInformation;
PVOID VadFreeHint;
PVOID VdmObjects;
/* The NT4 variant has KMUTANT ProcessMutant here instead of the six
 * members that follow. */
PDEVICE_MAP DeviceMap;
ULONG SessionId;
LIST_ENTRY PhysicalVadList;
HARDWARE_PTE PageDirectoryPte;
ULONG Filler;
ULONG PaePageDirectoryPage;
/* Fixed 16-byte buffer. Nothing here guarantees NUL termination, so bound
 * every read or print to sizeof(ImageFileName). */
UCHAR ImageFileName[16];
ULONG VmTrimFaultValue;
UCHAR SetTimerResolution;
UCHAR PriorityClass;
/* SubSystemVersion is the 16-bit view of the two version bytes; the minor
 * byte comes first in memory. */
union
{
struct
{
UCHAR SubSystemMinorVersion;
UCHAR SubSystemMajorVersion;
};
USHORT SubSystemVersion;
};
PVOID Win32Process;
/* Everything from here on is not in EPROCESS_NT4. */
PEJOB Job;
ULONG JobStatus;
LIST_ENTRY JobLinks;
PVOID LockedPageList;
PVOID SecurityPort;
PWOW64_PROCESS Wow64Process;
LARGE_INTEGER ReadOperationCount;
LARGE_INTEGER WriteOperationCount;
LARGE_INTEGER OtherOperationCount;
LARGE_INTEGER ReadTransferCount;
LARGE_INTEGER WriteTransferCount;
LARGE_INTEGER OtherTransferCount;
ULONG CommitChargeLimit;
/* Spelled "Peek" here; EPROCESS_2K3 in this file spells the corresponding
 * member CommitChargePeak. Kept as posted so existing users compile. */
ULONG CommitChargePeek;
/* A second thread list head, separate from Pcb.ThreadListHead. */
LIST_ENTRY ThreadListHead;
PRTL_BITMAP VadPhysicalPagesBitMap;
ULONG VadPhysicalPages;
ULONG AweLock;
} EPROCESS_W2K, *PEPROCESS_W2K;
/*
 * EPROCESS_XP - executive process block for the _XP layout (presumably
 * Windows XP - confirm against the target's symbols).
 *
 * Pcb is the first member, so a pointer to this structure also addresses
 * the embedded KPROCESS_XP. The member order differs substantially from
 * the NT4/W2K variants in this file, and the individual BOOLEAN state
 * members are folded into one ULONG Flags word with bit-field views.
 * No offsets are annotated here (EPROCESS_2K3 carries them for its own
 * layout only); verify against symbols and check the OS version before
 * applying this layout to kernel memory or a dump.
 */
typedef struct _EPROCESS_XP
{
KPROCESS_XP Pcb;
EX_PUSH_LOCK ProcessLock;
LARGE_INTEGER CreateTime;
LARGE_INTEGER ExitTime;
EX_RUNDOWN_REF RundownProtect;
/* PVOID here; the NT4/W2K variants declare it ULONG. */
PVOID UniqueProcessId;
/* NOTE(review): presumably links this process into the system-wide
 * process list. A list entry can be unlinked while the process keeps
 * running, so enumeration tools should cross-check this list against an
 * independent source (e.g. thread lists or handle tables) - confirm. */
LIST_ENTRY ActiveProcessLinks;
ULONG QuotaUsage[3];
ULONG QuotaPeak[3];
ULONG CommitCharge;
ULONG PeakVirtualSize;
ULONG VirtualSize;
LIST_ENTRY SessionProcessLinks;
PVOID DebugPort;
PVOID ExceptionPort;
PHANDLE_TABLE ObjectTable;
/* EX_FAST_REF, not the plain PACCESS_TOKEN of the NT4/W2K variants.
 * NOTE(review): presumably the stored value must be decoded per the
 * EX_FAST_REF definition before it is used as a pointer - confirm. */
EX_FAST_REF Token;
FAST_MUTEX WorkingSetLock;
ULONG WorkingSetPage;
FAST_MUTEX AddressCreationLock;
KSPIN_LOCK HyperSpaceLock;
PETHREAD_XP ForkInProgress;
ULONG HardwareTrigger;
PVOID VadRoot;
PVOID VadHint;
PVOID CloneRoot;
ULONG NumberOfPrivatePages;
ULONG NumberOfLockedPages;
PVOID Win32Process;
PEJOB Job;
PSECTION_OBJECT SectionObject;
PVOID SectionBaseAddress;
PEPROCESS_QUOTA_BLOCK QuotaBlock;
PPAGEFAULT_HISTORY WorkingSetWatch;
PVOID Win32WindowStation;
PVOID InheritedFromUniqueProcessId;
PVOID LdtInformation;
PVOID VadFreeHint;
PVOID VdmObjects;
PDEVICE_MAP DeviceMap;
LIST_ENTRY PhysicalVadList;
/* Filler forces this slot to 8 bytes regardless of the PTE's size. */
union
{
HARDWARE_PTE PageDirectoryPte;
ULONGLONG Filler;
};
PVOID Session;
/* Fixed 16-byte buffer. Nothing here guarantees NUL termination, so bound
 * every read or print to sizeof(ImageFileName). */
UCHAR ImageFileName[16];
LIST_ENTRY JobLinks;
PVOID LockedPageList;
/* A second thread list head, separate from Pcb.ThreadListHead. */
LIST_ENTRY ThreadListHead;
PVOID SecurityPort;
PVOID PaeTop;
ULONG ActiveThreads;
ULONG GrantedAccess;
ULONG DefaultHardErrorProcessing;
NTSTATUS LastThreadExitStatus;
PPEB Peb;
EX_FAST_REF PrefetchTrace;
LARGE_INTEGER ReadOperationCount;
LARGE_INTEGER WriteOperationCount;
LARGE_INTEGER OtherOperationCount;
LARGE_INTEGER ReadTransferCount;
LARGE_INTEGER WriteTransferCount;
LARGE_INTEGER OtherTransferCount;
ULONG CommitChargeLimit;
/* Spelled "Peek" here; EPROCESS_2K3 in this file spells the corresponding
 * member CommitChargePeak. Kept as posted so existing users compile. */
ULONG CommitChargePeek;
PVOID AweInfo;
SE_AUDIT_PROCESS_CREATION_INFO SeAuditProcessCreationInfo;
MMSUPPORT_XP Vm;
ULONG LastFaultCount;
ULONG ModifiedPageCount;
ULONG NumberOfVads;
ULONG JobStatus;
/* Flags is the whole 32-bit word and the bit-fields are its named view;
 * their widths add up to exactly 32 (11 of them unused). Bit-field order
 * is compiler-defined, so bit positions hold only for the compiler this
 * layout was taken from. */
union
{
ULONG Flags;
struct
{
ULONG CreateReported : 1;
ULONG NoDebugInherit : 1;
ULONG ProcessExiting : 1;
ULONG ProcessDelete : 1;
ULONG Wow64SplitPages : 1;
ULONG VmDeleted : 1;
ULONG OutswapEnabled : 1;
ULONG Outswapped : 1;
ULONG ForkFailed : 1;
ULONG HasPhysicalVad : 1;
ULONG AddressSpaceInitialized : 2;
ULONG SetTimerResolution : 1;
ULONG BreakOnTermination : 1;
ULONG SessionCreationUnderway : 1;
ULONG WriteWatch : 1;
ULONG ProcessInSession : 1;
ULONG OverrideAddressSpace : 1;
ULONG HasAddressSpace : 1;
ULONG LaunchPrefetched : 1;
ULONG InjectInpageErrors : 1;
ULONG Unused : 11;
};
};
NTSTATUS ExitStatus;
USHORT NextPageColor;
/* SubSystemVersion is the 16-bit view of the two version bytes; the minor
 * byte comes first in memory. */
union
{
struct
{
UCHAR SubSystemMinorVersion;
UCHAR SubSystemMajorVersion;
};
USHORT SubSystemVersion;
};
UCHAR PriorityClass;
BOOLEAN WorkingSetAcquiredUnsafe;
} EPROCESS_XP, *PEPROCESS_XP;
/*
 * EPROCESS_2K3 - executive process block for the _2K3 layout (presumably
 * Windows Server 2003 - confirm the exact build against symbols).
 *
 * Pcb is the first member, so a pointer to this structure also addresses
 * the embedded KPROCESS_2K3. Offsets are annotated per member; pointers
 * are 4 bytes wide (+0x084 -> +0x088), so this is a 32-bit layout.
 *
 * The annotations are comments, not compiler-checked. Code that reads
 * kernel memory or a dump through this type should check the OS version
 * first and assert a few offsets (offsetof) at build time, since a single
 * wrong member width silently shifts every later field.
 */
typedef struct _EPROCESS_2K3
{
/*+0x000*/ KPROCESS_2K3 Pcb;
/*+0x06c*/ EX_PUSH_LOCK ProcessLock;
/*+0x070*/ LARGE_INTEGER CreateTime;
/*+0x078*/ LARGE_INTEGER ExitTime;
/*+0x080*/ EX_RUNDOWN_REF RundownProtect;
/*+0x084*/ PVOID UniqueProcessId;
/* NOTE(review): presumably links this process into the system-wide
 * process list. A list entry can be unlinked while the process keeps
 * running, so enumeration tools should cross-check this list against an
 * independent source (e.g. thread lists or handle tables) - confirm. */
/*+0x088*/ LIST_ENTRY ActiveProcessLinks;
/*+0x090*/ ULONG QuotaUsage[3];
/*+0x09c*/ ULONG QuotaPeak[3];
/*+0x0a8*/ ULONG CommitCharge;
/*+0x0ac*/ ULONG PeakVirtualSize;
/*+0x0b0*/ ULONG VirtualSize;
/*+0x0b4*/ LIST_ENTRY SessionProcessLinks;
/*+0x0bc*/ PVOID DebugPort;
/*+0x0c0*/ PVOID ExceptionPort;
/*+0x0c4*/ PHANDLE_TABLE ObjectTable;
/* EX_FAST_REF, not the plain PACCESS_TOKEN of the NT4/W2K variants.
 * NOTE(review): presumably the stored value must be decoded per the
 * EX_FAST_REF definition before it is used as a pointer - confirm. */
/*+0x0c8*/ EX_FAST_REF Token;
/* EPROCESS_XP has a FAST_MUTEX WorkingSetLock before this member; it is
 * absent here. */
/*+0x0cc*/ ULONG WorkingSetPage;
/* KGUARDED_MUTEX here, FAST_MUTEX in the other variants. */
/*+0x0d0*/ KGUARDED_MUTEX AddressCreationLock;
/*+0x0f0*/ KSPIN_LOCK HyperSpaceLock;
/*+0x0f4*/ PETHREAD_2K3 ForkInProgress;
/*+0x0f8*/ ULONG HardwareTrigger;
/* EPROCESS_XP has PVOID VadRoot and PVOID VadHint at this position; here
 * VadRoot is an embedded MM_AVL_TABLE at the end of the structure. */
/*+0x0fc*/ PMM_AVL_TABLE PhysicalVadRoot;
/*+0x100*/ PVOID CloneRoot;
/*+0x104*/ ULONG NumberOfPrivatePages;
/*+0x108*/ ULONG NumberOfLockedPages;
/*+0x10c*/ PVOID Win32Process;
/*+0x110*/ PEJOB Job;
/*+0x114*/ PSECTION_OBJECT SectionObject;
/*+0x118*/ PVOID SectionBaseAddress;
/*+0x11c*/ PEPROCESS_QUOTA_BLOCK QuotaBlock;
/*+0x120*/ PPAGEFAULT_HISTORY WorkingSetWatch;
/*+0x124*/ PVOID Win32WindowStation;
/*+0x128*/ PVOID InheritedFromUniqueProcessId;
/*+0x12c*/ PVOID LdtInformation;
/*+0x130*/ PVOID VadFreeHint;
/*+0x134*/ PVOID VdmObjects;
/* Untyped PVOID here, PDEVICE_MAP in the W2K/XP variants. */
/*+0x138*/ PVOID DeviceMap;
/*+0x13c*/ PVOID Spare0[3];
/* Filler forces this slot to 8 bytes regardless of the PTE's size. */
union {
/*+0x148*/HARDWARE_PTE PageDirectoryPte;
/*+0x148*/ULONGLONG Filler;
};
/*+0x150*/ PVOID Session;
/* Fixed 16-byte buffer. Nothing here guarantees NUL termination, so bound
 * every read or print to sizeof(ImageFileName). */
/*+0x154*/ UCHAR ImageFileName[16];
/*+0x164*/ LIST_ENTRY JobLinks;
/* Spelled LockedPageList (no "s") in the W2K/XP variants. */
/*+0x16c*/ PVOID LockedPagesList;
/* A second thread list head, separate from Pcb.ThreadListHead. */
/*+0x170*/ LIST_ENTRY ThreadListHead;
/*+0x178*/ PVOID SecurityPort;
/*+0x17c*/ PVOID PaeTop;
/*+0x180*/ ULONG ActiveThreads;
/*+0x184*/ ULONG GrantedAccess;
/*+0x188*/ ULONG DefaultHardErrorProcessing;
/*+0x18c*/ NTSTATUS LastThreadExitStatus;
/*+0x190*/ PPEB Peb;
/*+0x194*/ EX_FAST_REF PrefetchTrace;
/*+0x198*/ LARGE_INTEGER ReadOperationCount;
/*+0x1a0*/ LARGE_INTEGER WriteOperationCount;
/*+0x1a8*/ LARGE_INTEGER OtherOperationCount;
/*+0x1b0*/ LARGE_INTEGER ReadTransferCount;
/*+0x1b8*/ LARGE_INTEGER WriteTransferCount;
/*+0x1c0*/ LARGE_INTEGER OtherTransferCount;
/*+0x1c8*/ ULONG CommitChargeLimit;
/* Spelled CommitChargePeek in the W2K/XP variants. */
/*+0x1cc*/ ULONG CommitChargePeak;
/*+0x1d0*/ PVOID AweInfo;
/*+0x1d4*/ SE_AUDIT_PROCESS_CREATION_INFO SeAuditProcessCreationInfo;
/*+0x1d8*/ MMSUPPORT_2K3 Vm;
/*+0x238*/ LIST_ENTRY MmProcessLinks;
/*+0x240*/ ULONG ModifiedPageCount;
/*+0x244*/ ULONG JobStatus;
/* Flags is the whole 32-bit word and the bit-fields are its named view;
 * their widths add up to exactly 32 (7 of them unused). Compared with
 * EPROCESS_XP, the tenth bit is Wow64VaSpace4Gb instead of HasPhysicalVad
 * and four bits are added before Unused. Bit-field order is
 * compiler-defined, so bit positions hold only for the compiler this
 * layout was taken from. */
union{
/*+0x248*/ ULONG Flags;
struct{
/*+0x248*/ ULONG CreateReported : 1;
/*+0x248*/ ULONG NoDebugInherit : 1;
/*+0x248*/ ULONG ProcessExiting : 1;
/*+0x248*/ ULONG ProcessDelete : 1;
/*+0x248*/ ULONG Wow64SplitPages : 1;
/*+0x248*/ ULONG VmDeleted : 1;
/*+0x248*/ ULONG OutswapEnabled : 1;
/*+0x248*/ ULONG Outswapped : 1;
/*+0x248*/ ULONG ForkFailed : 1;
/*+0x248*/ ULONG Wow64VaSpace4Gb : 1;
/*+0x248*/ ULONG AddressSpaceInitialized :2;
/*+0x248*/ ULONG SetTimerResolution : 1;
/*+0x248*/ ULONG BreakOnTermination : 1;
/*+0x248*/ ULONG SessionCreationUnderway :1;
/*+0x248*/ ULONG WriteWatch : 1;
/*+0x248*/ ULONG ProcessInSession : 1;
/*+0x248*/ ULONG OverrideAddressSpace : 1;
/*+0x248*/ ULONG HasAddressSpace : 1;
/*+0x248*/ ULONG LaunchPrefetched : 1;
/*+0x248*/ ULONG InjectInpageErrors : 1;
/*+0x248*/ ULONG VmTopDown : 1;
/*+0x248*/ ULONG ImageNotifyDone : 1;
/*+0x248*/ ULONG PdeUpdateNeeded : 1;
/*+0x248*/ ULONG VdmAllowed : 1;
/*+0x248*/ ULONG Unused : 7;
};
};
/*+0x24c*/ NTSTATUS ExitStatus;
/*+0x250*/ USHORT NextPageColor;
/* SubSystemVersion is the 16-bit view of the two version bytes; the minor
 * byte comes first in memory. */
union {
struct {
/*+0x252*/ UCHAR SubSystemMinorVersion;
/*+0x253*/ UCHAR SubSystemMajorVersion;
};
/*+0x252*/ USHORT SubSystemVersion;
};
/* Three bytes of padding follow (+0x255..+0x257) before VadRoot. */
/*+0x254*/ UCHAR PriorityClass;
/*+0x258*/ MM_AVL_TABLE VadRoot;
} EPROCESS_2K3, *PEPROCESS_2K3;