EPROCESS结构

EPROCESS的结构定义
typedef struct _EPROCESS {
KPROCESS Pcb;
NTSTATUS ExitStatus;
KEVENT LockEvent;
ULONG LockCount;
LARGE_INTEGER CreateTime;
LARGE_INTEGER ExitTime;
PKTHREAD LockOwner;

HANDLE UniqueProcessId;
//关键成员:活动进程链表
LIST_ENTRY ActiveProcessLinks;

SIZE_T QuotaPeakPoolUsage[2];
SIZE_T QuotaPoolUsage[2];

SIZE_T PagefileUsage;
SIZE_T CommitCharge;
SIZE_T PeakPagefileUsage;

SIZE_T PeakVirtualSize;
SIZE_T VirtualSize;

MMSUPPORT Vm;
LIST_ENTRY SessionProcessLinks;

PVOID DebugPort;
PVOID ExceptionPort;
PHANDLE_TABLE ObjectTable;

PACCESS_TOKEN Token;

FAST_MUTEX WorkingSetLock;
PFN_NUMBER WorkingSetPage;
BOOLEAN ProcessOutswapEnabled;
BOOLEAN ProcessOutswapped;
UCHAR AddressSpaceInitialized;
BOOLEAN AddressSpaceDeleted;
FAST_MUTEX AddressCreationLock;
KSPIN_LOCK HyperSpaceLock;
struct _ETHREAD *ForkInProgress;
USHORT VmOperation;
UCHAR ForkWasSuccessful;
UCHAR MmAgressiveWsTrimMask;
PKEVENT VmOperationEvent;
PVOID PaeTop;
ULONG LastFaultCount;
ULONG ModifiedPageCount;
PVOID VadRoot;
PVOID VadHint;
PVOID CloneRoot;
PFN_NUMBER NumberOfPrivatePages;
PFN_NUMBER NumberOfLockedPages;
USHORT NextPageColor;
BOOLEAN ExitProcessCalled;

BOOLEAN CreateProcessReported;
HANDLE SectionHandle;

PPEB Peb;
PVOID SectionBaseAddress;

PEPROCESS_QUOTA_BLOCK QuotaBlock;
NTSTATUS LastThreadExitStatus;
PPAGEFAULT_HISTORY WorkingSetWatch;
HANDLE Win32WindowStation;
HANDLE InheritedFromUniqueProcessId;
ACCESS_MASK GrantedAccess;
ULONG DefaultHardErrorProcessing;
PVOID LdtInformation;
PVOID VadFreeHint;
PVOID VdmObjects;
PVOID DeviceMap;

ULONG SessionId;

LIST_ENTRY PhysicalVadList;
union {
HARDWARE_PTE PageDirectoryPte;
ULONGLONG Filler;
};
ULONG PaePageDirectoryPage;

//镜像文件名
UCHAR ImageFileName[ 16 ];
ULONG VmTrimFaultValue;
BOOLEAN SetTimerResolution;
UCHAR PriorityClass;
union {
struct {
UCHAR SubSystemMinorVersion;
UCHAR SubSystemMajorVersion;
};
USHORT SubSystemVersion;
};
PVOID Win32Process;
struct _EJOB *Job;
ULONG JobStatus;
LIST_ENTRY JobLinks;
PVOID LockedPagesList;
PVOID SecurityPort ;
PWOW64_PROCESS Wow64Process;

LARGE_INTEGER ReadOperationCount;
LARGE_INTEGER WriteOperationCount;
LARGE_INTEGER OtherOperationCount;
LARGE_INTEGER ReadTransferCount;
LARGE_INTEGER WriteTransferCount;
LARGE_INTEGER OtherTransferCount;

SIZE_T CommitChargeLimit;
SIZE_T CommitChargePeak;
//线程链表头
LIST_ENTRY ThreadListHead;

PRTL_BITMAP VadPhysicalPagesBitMap;
ULONG_PTR VadPhysicalPages;
KSPIN_LOCK AweLock;
} EPROCESS;

文章来自: 本站原创
Tags:
评论: 2 | 查看次数: 11693