2. Tech
  3. JIURL play Win2K process threads EPROCESS

JIURL play Win2K process threads EPROCESS

zhaozj2021-02-16  40

JIURL play Win2k process thread of articles EPROCESS: JIURL Home: http://jiurl.yeah.net Date: 2003-7-30

Each process has an EPROCESS structure, which saves various information of the process, and pointers of the related structure. The EPROCESS structure is located in the system address space, so access this structure requires RING0 permissions. We can get the definition of the EPRocess structure using the Kd (kernel modulator) of Win2K DDK. Note The following is the EPRocess structure definition under Win2K Build 2195.

kd>! strct eprocess! strct eprocessstruct _EPROCESS (sizeof = 648) 000 struct _KPROCESS Pcb 000 struct _DISPATCHER_HEADER Header 000 byte Type 001 byte Absolute 002 byte Size 003 byte Inserted 004 int32 SignalState 008 struct _LIST_ENTRY WaitListHead 008 struct _LIST_ENTRY * Flink 00c struct _LIST_ENTRY * Blink 010 struct _LIST_ENTRY ProfileListHead 010 struct _LIST_ENTRY * Flink 014 struct _LIST_ENTRY * Blink 018 uint32 DirectoryTableBase [2] 020 struct _KGDTENTRY LdtDescriptor 020 uint16 LimitLow 022 uint16 BaseLow 024 union __unnamed9 HighWord 024 struct __unnamed10 Bytes 024 byte BaseMid 025 byte Flags1 026 byte Flags2 027 byte BaseHi 024 struct __unnamed11 Bits 024 bits0-7 BaseMid 024 bits8-12 Type 024 bits13-14 Dpl 024 bits15 -15 Pres 024 bits16-19 LimitHi 024 bits20-20 Sys 024 bits21-21 Reserved_0 024 bits22-22 Default_Big 024 bits23-23 Granularity 024 bits24-31 BaseHi 028 struct _KIDTENTRY Int21Descriptor 028 uint16 Offset 02a UINT16 SELECTOR 02C uint16 Access 02e uint16 extendedoffset 030 uint16 IopmOffset 032 byte Iopl 033 byte VdmFlag 034 uint32 ActiveProcessors 038 uint32 KernelTime 03c uint32 UserTime 040 struct _LIST_ENTRY ReadyListHead 040 struct _LIST_ENTRY * Flink 044 struct _LIST_ENTRY * Blink 048 struct _LIST_ENTRY SwapListEntry 048 struct _LIST_ENTRY * Flink 04c struct _LIST_ENTRY * Blink 050 struct _LIST_ENTRY ThreadListHead 050 struct _LIST_ENTRY * Flink 054 struct _LIST_ENTRY * Blink 058 uint32 ProcessLock 05c uint32 Affinity 060 uint16 StackCount 062 char BasePriority

063 char ThreadQuantum 064 byte AutoAlignment 065 byte State 066 byte ThreadSeed 067 byte DisableBoost 068 byte PowerState 069 byte DisableQuantum 06a byte Spare [2] 06c int32 ExitStatus 070 struct _KEVENT LockEvent 070 struct _DISPATCHER_HEADER Header 070 byte Type 071 byte Absolute 072 byte Size 073 byte Inserted 074 int32 SignalState 078 struct _LIST_ENTRY WaitListHead 078 struct _LIST_ENTRY * Flink 07c struct _LIST_ENTRY * Blink 080 uint32 LockCount 088 union _LARGE_INTEGER CreateTime 088 uint32 LowPart 08c int32 HighPart 088 struct __unnamed3 u 088 uint32 LowPart 08c int32 HighPart 088 int64 QuadPart 090 union _LARGE_INTEGER ExitTime 090 uint32 LowPart 094 int32 HighPart 090 struct __unnamed3 u 090 uint32 LowPart 094 int32 HighPart 090 int64 QuadPart 098 struct _KTHREAD * LockOwner 09c void * UniqueProcessId 0a0 struct _LIST_ENTRY ActiveProcessLinks 0a0 struct _LIST_ENTRY * Flink 0a4 struct _LIST_ENTRY * Blink 0a8 uint32 QuotaPeakPoolUsage [2] 0b0 uint32 QuotaPoolUsage [2] 0b8 uint32 Pagef ileUsage 0bc uint32 CommitCharge 0c0 uint32 PeakPagefileUsage 0c4 uint32 PeakVirtualSize 0c8 uint32 VirtualSize 0d0 struct _MMSUPPORT Vm 0d0 union _LARGE_INTEGER LastTrimTime 0d0 uint32 LowPart 0d4 int32 HighPart 0d0 struct __unnamed3 u 0d0 uint32 LowPart 0d4 int32 HighPart 0d0 int64 QuadPart 0d8 uint32 LastTrimFaultCount 0dc uint32 PageFaultCount 0e0 uint32 PeakWorkingSetSize 0e4 uint32 WorkingSetSize 0e8 uint32 MinimumWorkingSetSize 0ec uint32 MaximumWorkingSetSize 0f0 * VmWorkingSetList

0f4 struct _LIST_ENTRY WorkingSetExpansionLinks 0f4 struct _LIST_ENTRY * Flink 0f8 struct _LIST_ENTRY * Blink 0fc byte AllowWorkingSetAdjustment 0fd byte AddressSpaceBeingDeleted 0fe byte ForegroundSwitchCount 0ff byte MemoryPriority 100 union __unnamed13 u 100 uint32 LongFlags 100 struct _MMSUPPORT_FLAGS Flags 100 bits0- 0 SessionSpace 100 bits1-1 BeingTrimmed 100 bits2-2 ProcessInSession 100 bits3-3 SessionLeader 100 bits4-4 TrimHard 100 bits5-5 WorkingSetHard 100 bits6-6 WriteWatch 100 bits7-31 Filler 104 uint32 Claim 108 uint32 NextEstimationSlot 10c uint32 NextAgingSlot 110 uint32 EstimatedAvailable 114 uint32 GrowthSinceLastEstimate 118 struct _LIST_ENTRY SessionProcessLinks 118 struct _LIST_ENTRY * Flink 11c struct _LIST_ENTRY * Blink 120 void * DebugPort 124 void * ExceptionPort 128 struct _HANDLE_TABLE * ObjectTable 12c void * Token 130 struct _fast_mutex workingsetlock 130 INT32 count 134 struct _kthread * Owner 138 uint32 contection 13c struct _kevent Event 13c struct _dispatcher_head ER Header 13c byte Type 13d byte Absolute 13e byte Size 13f byte Inserted 140 int32 SignalState 144 struct _LIST_ENTRY WaitListHead 144 struct _LIST_ENTRY * Flink 148 struct _LIST_ENTRY * Blink 14c uint32 OldIrql 150 uint32 WorkingSetPage 154 byte ProcessOutswapEnabled 155 byte ProcessOutswapped 156 byte AddressSpaceInitialized 157 byte AddressSpaceDeleted 158 struct _FAST_MUTEX AddressCreationLock 158 int32 Count 15c struct _KTHREAD * Owner 160 uint32 Contention 164 struct _KEVENT Event 164 struct _DISPATCHER_HEADER Header

164 byte Type 165 byte Absolute 166 byte Size 167 byte Inserted 168 int32 SignalState 16c struct _LIST_ENTRY WaitListHead 16c struct _LIST_ENTRY * Flink 170 struct _LIST_ENTRY * Blink 174 uint32 OldIrql 178 uint32 HyperSpaceLock 17c struct _ETHREAD * ForkInProgress 180 uint16 VmOperation 182 byte ForkWasSuccessful 183 byte MmAgressiveWsTrimMask 184 struct _KEVENT * VmOperationEvent 188 void * PaeTop 18c uint32 LastFaultCount 190 uint32 ModifiedPageCount 194 void * VadRoot 198 void * VadHint 19c void * CloneRoot 1a0 uint32 NumberOfPrivatePages 1a4 uint32 NumberOfLockedPages 1a8 uint16 NextPageColor 1aa byte ExitProcessCalled 1ab byte CreateProcessReported 1ac void * SectionHandle 1b0 struct _PEB * Peb 1b4 void * SectionBaseAddress 1b8 struct _EPROCESS_QUOTA_BLOCK * QuotaBlock 1bc int32 LastThreadExitStatus 1c0 struct _PAGEFAULT_HISTORY * WorkingSetWatch 1c4 Void * Win32WindowStation 1C8 void * inheritedFromuniqueProcessid 1cc uint32 grantedAccess 1D0 uint32 defaulthardErrorProcessing 1D4 VOID * LDTINFO rmation 1d8 void * VadFreeHint 1dc void * VdmObjects 1e0 void * DeviceMap 1e4 uint32 SessionId 1e8 struct _LIST_ENTRY PhysicalVadList 1e8 struct _LIST_ENTRY * Flink 1ec struct _LIST_ENTRY * Blink 1f0 struct _HARDWARE_PTE_X86 PageDirectoryPte 1f0 bits0-0 Valid 1f0 BITS1-1 WRITE 1F0 BITS2-2 OWNER 1F0 BITS3-3 WriteTHROUGH 1F0 BITS4-4 Cachedisable 1F0 BITS5-6 DIRTY 1F0 BITS7-7 LARGEPAGE 1F0 BITS8-8 Global 1F0 bits9- 9 CopyonWrite 1F0 bits10-10 prototype 1F0 bits11-11 reserved

1f0 bits12-31 PageFrameNumber 1f0 uint64 Filler 1f8 uint32 PaePageDirectoryPage 1fc byte ImageFileName [16] 20c uint32 VmTrimFaultValue 210 byte SetTimerResolution 211 byte PriorityClass 212 byte SubSystemMinorVersion 213 byte SubSystemMajorVersion 212 uint16 SubSystemVersion 214 void * Win32Process 218 struct _EJOB * Job 21c uint32 JobStatus 220 struct _LIST_ENTRY JobLinks 220 struct _LIST_ENTRY * Flink 224 struct _LIST_ENTRY * Blink 228 void * LockedPagesList 22c void * SecurityPort 230 struct _WOW64_PROCESS * Wow64Process 238 union _LARGE_INTEGER ReadOperationCount 238 uint32 LowPart 23c int32 HighPart 238 struct __unnamed3 u 238 uint32 LowPart 23c int32 HighPart 238 int64 QuadPart 240 union _LARGE_INTEGER WriteOperationCount 240 uint32 LowPart 244 int32 HighPart 240 struct __unnamed3 u 240 uint32 LowPart 244 int32 HighPart 240 INT64 Quadpart 248 Union _large_integer OtherOperationCount 248 uint32 lowpart 24c INT32 Highpart 248 Struct__unnamed3 U 248 uint32 lowpart 24c Int32 Highpart 248 i nt64 QuadPart 250 union _LARGE_INTEGER ReadTransferCount 250 uint32 LowPart 254 int32 HighPart 250 struct __unnamed3 u 250 uint32 LowPart 254 int32 HighPart 250 int64 QuadPart 258 union _LARGE_INTEGER WriteTransferCount 258 uint32 LowPart 25c int32 HighPart 258 struct __unnamed3 u 258 uint32 LowPart 25c int32 HighPart 258 int64 QuadPart 260 union _LARGE_INTEGER OtherTransferCount 260 uint32 LowPart 264 int32 HighPart 260 struct __unnamed3 u 260 uint32 LowPart 264 int32 HighPart 260 int64 QuadPart

268 uint32 CommitChargeLimit 26c uint32 CommitChargePeak 270 struct _LIST_ENTRY ThreadListHead 270 struct _LIST_ENTRY * Flink 274 struct _LIST_ENTRY * Blink 278 struct _RTL_BITMAP * VadPhysicalPagesBitMap 27c uint32 VadPhysicalPages 280 uint32 AweLock traverse all processes need to be able easily to traverse all processes. So the eProcess structure of the process uses the chain chain. All processes (except for the IDLE process) EPROCESS offset by EPROCESS structural offset A0's list_entry ActiveProcessLinks chain. 0A0 STRUCT _LIST_ENTRY ACTIVEPROCESSLINKS 0A0 STRUCT _LIST_ENTRY * FLINK 0A4 STRUCT _LIST_ENTRY * BLINK can find this chain through global variables PSactiveProcesshead. PID is 0 IDLE process and has no chain on this chain. We can find the eProcess for your IDLE process through global variables psidleprocess. The List_Entry structure is used to organize the linked list very common in Win2k. FLINK, Blink points to another list_entry structure. For Win2K Build 2195, the address of the global variable PSACTIVEPROCESSHEAD is 0x8046A180, and the beginning is a list_entry structure. Walking along this list_entry structure, we can find List_entry ActiveProcessLinks in each process (except for the iDle). This ActiveProcessLinks address offset -0A0 is the address of the EPROCESS structure. Starting from PSACTIVEPROCESSHEAD, it is always going back until returning to psactiveprocesshead, the chain has been looped, and the entire chain has been traversed. Let's look at a practical example kd> PsActiveProcessHead PsActiveProcessHeadEvaluate expression:?? -2142854784 = 8046a180 // Win2k Build PsActiveProcessHead 2195 located at address 8046a180kd> dd LIST_ENTRY 8046a180 at 8046a180 l 2dd 8046a180 l 28046a180 8141e0c0 82fa4b00 //, not a note PsActiveProcessHead Take a process of 0A0 ActiveProcessLinks // Let's take a look at the process Kd>? 8141E0c0-A0? 8141E0C0-A0EVALUATE EXPRESSION: -2126389216 = 8141E020 // ActiveProcessLinks is located in EPRocess 0A0. // We get the address of ActiveProcessLinks, so EPRocess is getting address -0a0.

kd> process 8141e020 0 process 8141e020 0PROCESS 8141e020 SessionId:!! 0 Cid: 0008 Peb: 00000000 ParentCid: 0000DirBase: 00030000 ObjectTable: 81452a68 TableSize: 46.Image: System // PID for the process is 8 System ... // Shun Flink keep going forward, we are eliminating the middle of the process kd> dd 82fa4b00 l 2dd 82fa4b00 l 282fa4b00 8046a180 807e90c0 // see this ActiveProcessLinks of Flink is 8046a180, is PsActiveProcessHead // explained that it had traversed the entire ActiveProcessLinks chain for Win2k Build 2195 For the address of the global variable psidleprocess, the address of 0x8046A1FC is an EPROCESS pointer to directly point to the eProcess structure of the iDLE process. kd> PsIdleProcess PsIdleProcessEvaluate expression:?? -2142854660 = 8046a1fc // Win2k Build 2195 is located PsIdleProcess address 8046a1fckd> dd 8046a1fc l 1dd 8046a1fc l 18046a1fc 8046bb60 // PsIdleProcess value 8046bb60kd> process 8046bb60 0 process 8046bb60 0PROCESS 8046bb60 SessionId!!: 0 CID: 0000 PEB: 00000000 ParentCID: 0000Dirbase: 00030000 ObjectTable: 81452a68 TableSize: 46.image: IDLE / / You can see 8046bb60 is the EPRocess, which is pointing to EPRocess, and this eProcess is an eProcess for the PID. The process name to be seen in the process name EPRocess, the process name displayed in the Windows Task Manager is obtained from here. More accurate call is the image name. 1FC Byte ImageFileName [16] ImageFileName [16] is a 16-word thrower array that saves the process name. When the length of the process name is greater than or equal to 16 bytes, only the first 15 bytes of the process name only, the last byte of the last byte is 0, the end of the string. The process names of different processes can be the same, such as opening multiple notepads, then the imagefilename [16] of each notepad is "notepad.exe", the process name is only given, the process ID of each process is different. of.

!! Kd> process 200 0 process 200 0Searching for Process with Cid == 200PROCESS 8105c2e0 SessionId: 0 Cid: 0200 Peb: 7ffdf000 ParentCid: 01f0DirBase: 00564000 ObjectTable: 81090c48 TableSize: 298.Image: Explorer.exekd> db 8105c2e0 1fc l 10DB 8105C2E0 1FC L 108105C4DC 45 78 70 6C 6F 72 65 72-2e 65 78 65 00 00 00 00 Explorer.exe .... process ID (PID) 09c void * UniqueProcessID Parent Process ID 1C8 Void * InheritedFromuniQueProcessID page directory 018 uint32 DirectoryTableBase [2] Each process has its own 4G address space. When the process switches, you need to switch the address space. That is toggle the page directory page. So each process needs to save your own page directory. The physical address of the physical page where each process is located, saved in the 0th item of the process EPROCESS offset 018 DirectoryTableBase array, namely DirectoryTableBase [0]. The physical address of the physical page where the page directory is located is required to know the physical address of the physical page where the page directory is located. For the page directory and page table of the maintenance process, you need to map the physical page where the page directory and the page table is in the address space. The following uses Softice to explain the DirectoryTableBase array in the process eProcess, with 2 elements, where DirectoryTableBase [0] is the physical address of the page directory of the process, that is, the value of the process CR3.

: AddrCR3 LDT Base: Limit KPEB Addr PID Name00030000 8141E020 0008 System04E4B000 810F7580 008C smss06582000 810E8D60 00A8 csrss07607000 810CC2C0 00BC winlogon07A49000 810C1500 00D8 services0799A000 810BFD60 00E4 lsass00AFD000 810A2D60 0174 svchost00F21000 81092940 0190 svchost007C4000 8105D600 0200 Explorer024B9000 824D0020 0260 internat042B2000 8423E860 0180 conime * 00030000 8046BB60 0000 Idle // AddR lists the current process, pay attention to the CR3 of each process, and the KPEB AddR displayed by Softice is the address of EPRocess / /. Eprocess is the address space of Explorer, and EPRocess is at 8105D600 // Offset 018 is uint32 directoryTableBase [2] array: AddR Explorer: DD 8105D600 18 L 1000: 8105D618 007C4000 06165000 00000000 00000000. @ | ..p ........ // DirectoryTableBase [0] The physical address is 007C4000 to see this physical address, which is mapped? Virtual Address: Phys 7C4000807C4000C0300000 // C0300000 is the address space mapped by the process page directory: Phys 616500086165000c0301000 // case: Addr INTERNAT: DD 824D0020 18 L 1000: 824D0038 024B9000 024BA000 00000000 00000000 ..k ... k .. .......: Phys 24B9000824B9000C0300000: Phys 24ba000824ba000c0301000 // case: Addr CSRSS: DD 810E8D60 18 L 100010 : 810E8D78 06582000 06563000 00000000 00000000 X..0V .........:. Phys 658200086582000C0300000: phys 656300086563000C0301000 // Note that this is the System process // System of DirectoryTableBase [0] is still mapped to the C0300000 // But System of DirectoryTableBase [1] and the other processes are not the same situation: addr system: dd 8141e020 18 l 100010: 8141E038 00030000 00000000 00000000 00000000 ................: phys 3000080030000C0300000C04FB000EB3F1000F09CA000: phys 0000000080000000C0200000EB3C1000F09D4000 us You can see the physical address of the physical page where the page directory is located in DirectoryTableBase [0]. The value of 4 bytes of each process EPROCESS 18 and the value in the process CR3 are the same. EPRocess 18 At 4 bytes of physical addresses are mapped to C0300000, and the c0300000 is the virtual address in which the page directory is located in the physical page mapped to the address space.

I also checked a process of DirectoryTableBase [0] (4 bytes of EPRocess 18) refers to the content in the physical page referred to, which is indeed the content of the process page directory. From the output of Softice, we can see the physical page referred to in DirectoryTableBase [1], which is mapped to the address space C0301000, which is the page table of the C0301000-C0301FFF. We calculate this page table is responsible for Is the 4m virtual address space of the C0400000-C07FFFF. We know that every process of working set begins in C0502000, falling within this range, and each process has its own working set. In fact, a process saves your own page directory is enough. Since the Working SET of each process is within the range of C0400000-C07FFFF, each process is different, so the page table responsible for this range is also different, so there is a reason to save a page table responsible for address space mapping. Physical address. However, it is important to note that the process System's DirectoryTableBase [1] value is 0, which is not the physical address of the physical page where the page table of the address spatial range C0400000-C07FFFF is located. Do not switch the process, directly accessing the address space of other processes We use kettachProcess () kettachProcess (), kedetachProcess () toggle address space to a specified address space, then access the memory in this process address. Now that we have a system that does not exceed 512mm, we have a method that directly accesses the memory in the address space of the specified process without switching address space. We know that Win2K maps each physical page of the first 512M of the physical memory, and maps the 80000000-9FFFFFFFFFFFFFFFffffffffffffffffffffffffffffffffff. How much is the physical memory is less than 512m. This allows us to access all physical memory not more than 512M (of course, 80000000-9FFFFFFFF is in the system address space, access to RING0 permissions). For a physical address of less than 512M, we can use this physical address plus 80000000 to get a virtual address of a page address space of the physical page map, we can use this virtual address to access this physical content. From the previous analysis of DirectoryTableBase, the output of Softice can also see this, for example, physical address 7C4000, corresponding virtual address 807c4000. For a specified process, we can find it through the process linked list and calculate the address of its EPRocess. You can find the physical address of the physical page where the process page directory in EPRocess is located, the value of DirectoryTableBase [0]. If the physical address of the physical page where the process page directory is located, if we can calculate the virtual address in which this physical page is mapped to the address space 800000-9FFFFFF, you can access the page directory of the process. You can find the physical address of all page tables of the process, as well as the physical address of the page table, you can calculate the virtual address in the page table in 80000000-9FFFFFFFFFFFFff, you can access all page tables of the process. You can find the physical address of the physical page corresponding to all pages of the process. According to this physical address, we can calculate the virtual address in the physical page in 80000000-9FFFFFFFFFFFFFffffFF to access the data in a page of the process.

We use the Softice actual demo to read the contents of the process Explorer address space 0x400000. : AddrCR3 LDT Base: Limit KPEB Addr PID Name00030000 8141E020 0008 System04E4B000 810F7580 008C smss06582000 810E8D60 00A8 csrss07607000 810CC2C0 00BC winlogon07A49000 810C1500 00D8 services0799A000 810BFD60 00E4 lsass00AFD000 810A2D60 0174 svchost00F21000 81092940 0190 svchost007C4000 8105D600 0200 Explorer024B9000 824D0020 0260 internat06A45000 84090220 02A8 conime * 00030000 8046BB60 0000 Idle // EPROCESS Explorer address for 8105D600, we can also be found through the process list: dd 8105d600 18 l 100010:. 8105D618 007C4000 06165000 00000000 00000000 @ | ..P .......... // Explorer page directory is located The address of the physical page is 007C4000: DD (800000 7C4000) (400000> 22) * 4 L 1000: 807C4004 028D4067 0268E067 01E35067 0219B067 g @ .. ghgp..g ... // (80000000 7C4000) is Explorer The page directory of virtual address // (400000> 22) Take the virtual address 400000 high 10bit, which is a page directory index. // A page directory item size is 4 bytes, so (400000> 22) * 4 is 400000 correspondence page directory item in the page directory offset address // The physical address of the page table of 400000 is 028d4000 (Don't forget The lower 12 digits of the page directory entry and page items are markers): DD (80000000 28D4000) (400000 & 3FF000)> 12) * 4 L 1000: 828D4000 02963005 00612025 08332C34 02954025 .0 ..% A.4, 3 .% @ .. // ((400000 & 3FF000)> 12), take the virtual address 400000 as a 10bit index of the page table, / / ​​(((400000 & 3FF000)> 12) * 4 is 400000 in the corresponding page entry to the page table Address // So the physical address of the physical page corresponding to 400000 is 02963000: DD (80000000 2963000) (400000 & fff) L 1000: 82963000 00905A4D 00000003 00000004 0000FFFFM ............ // (400000 & fff), take the low 12bit of the virtual address 400000 as the page offset.

// Finally, the 4-byte value of the process Explorer virtual address 400000 is 00905A4D, which is "MZ .." // Switch to the Explorer address space, verify: Addr Explorer: DD 400000 L 1000: 0000000 0000004 0000FFFFM ............ // You can see the value of the Explorer address space virtual address 00400000 is 00905A4D, "MZ .." process _handle_table 128 struct_handle_table * ObjectTable process PEB 1B0 STRUCT _PEB * PEB threads All threads in the table process are on a two-way circular list through the list_entry structural chain. A linked list is a linked list of Threadlisthead in the KProcess PCB of the EPRocess structure. Each of the chain is a threadlistentry in the TCB of the KThread Ethread structure. Another chain list is a chain header with Threadlisthead in the EPRocess structure. Each of the chain is a threadListentry in a thread's Ethread structure. Through any of these two laylings, you can find all threads of a process. Of course, find the Ethread structure, you can find KThread in the Ethread structure. KTHREAD list struct _EPROCESS (sizeof = 648) 000 struct _KPROCESS Pcb 050 struct _LIST_ENTRY ThreadListHead 050 struct _LIST_ENTRY * Flink 054 struct _LIST_ENTRY * Blinkstruct _ETHREAD (sizeof = 584) 000 struct _KTHREAD Tcb 1a4 struct _LIST_ENTRY ThreadListEntry 1a4 struct _LIST_ENTRY * Flink 1a8 struct _LIST_ENTRY * BlinkETHREAD list struct _EPROCESS (sizeof = 648) 270 struct _LIST_ENTRY ThreadListHead 270 struct _LIST_ENTRY * Flink 274 struct _LIST_ENTRY * Blinkstruct _ETHREAD (sizeof = 584) 240 struct _LIST_ENTRY ThreadListEntry 240 struct _LIST_ENTRY * FLINK 244 STRUCT _LIST_ENTRY * Blinkvad 194 void * VAdroot 198 Void * Vadhintvadroot is the root node of the process VAD binary tree. By disassembly and analysis functions, MiLocateAddress (), VADHINT is the Pointer of the VAD found by MiLocateAddress (). WorkingSet 0e0 uint32 peakkingsetsize 0e4 uint32 WorkingsetSize 0e8 uint32 minimumWorkingSize 0ec uint32 maximumworkingsetsize 0F0 * VMworkingSetListworkingSet information. VMworkingSetList is a pointer to the MMWSL structure.

转载请注明原文地址:https://www.9cbs.com/read-26144.html

9cbs

New Post(0)