EPROCESS: the NT process core (update)


Author is Lu Lin

It was written in 2000. The article sat idle for a long time, so it is being written up again today. It describes the undisclosed Win2000 EPROCESS structure. EPROCESS is the core of the NT process: this structure holds all process-related data. I know the core secrets of NT are open. What follows is the mystery I dug into in the early morning. :))) See for yourself. Big supplement :DDD — this structure has only been verified on the English Win2000 retail edition. If Win2000 has a Service Pack installed, it is not guaranteed to match. Readers please take note.

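/*
 * DISPATCHER_HEADER: common header of NT dispatcher (waitable) objects.
 * The page text had lost the capitalisation and mangled one name
 * ("Typedef", "uchar", "long signage"); the NT-style names are restored
 * here.  In the offset-annotated EPROCESS listing further down, LockEvent
 * is one of these at 0x70 with the next member at 0x80, i.e. the whole
 * header is 16 bytes on 32-bit Win2000 (four bytes, a 32-bit SignalState,
 * and a LIST_ENTRY of presumably two 32-bit pointers).
 */
typedef struct _DISPATCHER_HEADER {
    UCHAR Type;
    UCHAR Absolute;
    UCHAR Size;
    UCHAR Inserted;
    LONG SignalState;            /* page text reads "signage"; SignalState is the NT name */
    LIST_ENTRY WaitListHead;
} DISPATCHER_HEADER;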

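/*
 * firstpart_obj: the author's view of the first part of an object-table
 * entry (see OBJTBL below) as a set of bit-fields.  Only 16 of the 32 bits
 * of the underlying unsigned are named (1 + 1 + 14); the rest are unnamed.
 * NOTE(review): a 14-bit "pobj" field cannot hold a full 32-bit object
 * pointer, so the width is carried over as transcribed, not as verified.
 * Page text: "Typedef struct _firstpart_obj {...}" — keyword case fixed.
 */
typedef struct _firstpart_obj {
    unsigned inheritable : 1;
    unsigned protected : 1;
    unsigned pobj : 14;
} firstpart_obj;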

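/*
 * OBJTBL: one entry of the per-process object table that EPROCESS points
 * to through ObjectTable (POBJTBL, at 0x128 in the listing below).
 * Page text: "TypedEf struct _objtbl {...} Objtbl, * pobjtbl" — the
 * keyword and the typedef names are written in the upper-case form that
 * the EPROCESS listing already uses (POBJTBL); the member type
 * firstpart_obj keeps the spelling of its own definition above.
 */
typedef struct _objtbl {
    firstpart_obj firstpart_obj;   /* flag bits + (partial) object pointer */
    DWORD access_control_mask;     /* access mask, as named by the author */
} OBJTBL, *POBJTBL;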

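/*
 * VAD (virtual address descriptor): a node of the per-process VAD tree;
 * parentLink/leftlink/rightlink are the tree links.  EPROCESS points at the
 * root through VadRoot (PVAD, at 0x194 in the listing below).
 *
 * The page text is garbled at the start of this definition ("Typedef
 * strungaddress;").  The struct tag `vad` is taken from the self-references
 * later in the definition, and the first member is reconstructed as the
 * counterpart of endingaddress — TODO confirm against the original.
 */
typedef struct vad {
    void *startingaddress;    /* reconstructed; page text is garbled here */
    void *endingaddress;
    struct vad *parentLink;
    struct vad *leftlink;
    struct vad *rightlink;
    unsigned long flags;      /* page: "ulong flags" */
} VAD, *PVAD;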

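/*
 * EPROCESS, Win2000 English retail, as recovered by the author: one member
 * per line with the author's byte offset.  In the page text every offset
 * was a trailing "//" comment, which swallowed the following member once
 * the listing was collapsed onto one line.
 *
 * Corrections made here:
 *  - QuotaPeakPoolUsage / QuotaPoolUsage were "__int64 ...[0]".  A
 *    zero-length array is not ISO C and occupies no space, yet the offsets
 *    (0xa8, 0xb0, 0xb8) show each field is 8 bytes; they are written as
 *    DWORD [2] as in the second listing on this page ("// NP, P").
 *  - "__int64" (MSVC-only) is written as long long (same width).
 *  - Transcription-garbled names are restored from the second listing:
 *    vmoperty -> VmOperation, VMOPERATIONEven t -> VmOperationEvent,
 *    ForkinProgress -> ForkInProgress; forkwassuccessful -> ForkWasSuccessful.
 *
 * NOTE(review): the offsets are specific to this build (no service pack,
 * per the text above), the declared members do not account for every byte
 * (gaps are marked below), and the second listing on this page disagrees in
 * several members (Pcb type, LockCount/LockOwner width, the Vm block,
 * ImageFileName).  A tool that walks EPROCESS or ActiveProcessLinks by
 * hard-coded offset — a forensic or hidden-process check, for instance —
 * must take its offsets from the symbols of the exact kernel build it runs
 * against, not from this listing.
 */
typedef struct {
    struct KPCB Pcb;                          // 0x0   (second listing: KPROCESS Pcb)
    INT ExitStatus;                           // 0x6c
    DISPATCHER_HEADER LockEvent;              // 0x70
    long long LockCount;                      // 0x80  (second listing: DWORD)
    long long CreateTime;                     // 0x88
    long long ExitTime;                       // 0x90
    UINT LockOwner;                           // 0x98  (second listing: PVOID)
    UINT UniqueProcessId;                     // 0x9c
    LIST_ENTRY ActiveProcessLinks;            // 0xa0
    DWORD QuotaPeakPoolUsage[2];              // 0xa8  NP, P  (page: "__int64 ...[0]")
    DWORD QuotaPoolUsage[2];                  // 0xb0  NP, P  (page: "__int64 ...[0]")
    UINT PagefileUsage;                       // 0xb8
    UINT CommitCharge;                        // 0xbc
    UINT PeakPagefileUsage;                   // 0xc0
    UINT PeakVirtualSize;                     // 0xc4
    UINT VirtualSize;                         // 0xc8  (second listing: QWORD)
    long long Vm;                             // 0xd0  (second listing: DWORD Vm[12])
    BYTE UNKNOW[0x48];                        // 0xd8  unresolved bytes up to 0x120
    HANDLE DebugPort;                         // 0x120
    UINT ExceptionPort;                       // 0x124
    POBJTBL ObjectTable;                      // 0x128
    PTOKEN Token;                             // 0x12c
    BYTE WorkingSetLock[0x20];                // 0x130
    UINT WorkingSetPage;                      // 0x150
    BYTE ProcessOutswapEnabled;               // 0x154
    BYTE ProcessOutswapped;                   // 0x155
    BYTE AddressSpaceInitialized;             // 0x156
    BYTE AddressSpaceDeleted;                 // 0x157
    BYTE AddressCreationLock;                 // 0x158  with UNKNOWN2: 0x24 bytes = DWORD [9] in the second listing
    BYTE UNKNOWN2[0x23];                      // 0x159
    UINT ForkInProgress;                      // 0x17c
    WORD VmOperation;                         // 0x180  (page: "vmoperty")
    WORD ForkWasSuccessful;                   // 0x182  (page: "forkwassuccessful")
    UINT VmOperationEvent;                    // 0x184
    UINT LastFaultCount;                      // 0x188
    BYTE UNKNOW3[8];                          // 0x18c
    PVAD VadRoot;                             // 0x194
    UINT VadHint;                             // 0x198
    UINT CloneRoot;                           // 0x19c
    UINT NumberOfPrivatePages;                // 0x1a0
    UINT NumberOfLockedPages;                 // 0x1a4
    BYTE ExitProcessCalled;                   // 0x1aa  0x1a8-0x1a9 not declared here (second listing: WORD w184)
    BYTE CreateProcessReported;               // 0x1ab
    HANDLE SectionHandle;                     // 0x1ac
    PPEB Peb;                                 // 0x1b0
    PVOID SectionBaseAddress;                 // 0x1b4
    UINT QuotaBlock;                          // 0x1b8
    UINT LastThreadExitStatus;                // 0x1bc
    PVOID WorkingSetWatch;                    // 0x1c0
    PVOID Win32WindowStation;                 // 0x1c4
    UINT InheritedFromUniqueProcessId;        // 0x1c8
    UINT GrantedAccess;                       // 0x1cc
    UINT DefaultHardErrorProcessing;          // 0x1d0
    PLDT_ENTRY LdtInformation;                // 0x1d4
    UINT VadFreeHint;                         // 0x1d8
    PVOID VdmObjects;                         // 0x1dc
    PPROCESS_DEVICEMAP_INFORMATION DeviceMap; // 0x1e0
    DWORD *PageDirectoryPte;                  // 0x1f0  as given; 0x1e4-0x1ef not declared here
    WORD *imagefilename;                      // 0x1fc  (second listing: BYTE ImageFileName[16])
    BYTE unknown4[0xc];                       // 0x200  (page reads "200")
    long long vmtrimfaultValue;               // 0x20c
    PVOID win32process;                       // 0x214
} EPROCESS, *PEPROCESS;
// ------------------------------------------------------------------------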

The following structure is in Fair:

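/*
 * EPROCESS, second listing, using NT typedef names instead of offsets.
 * Given here one member per line.  In the page text three trailing comments
 * ("// NP, P", "// offset 0x1b0", "// offset 0x1FC") had swallowed the
 * declaration that followed them, the closing ';' of the typedef was
 * missing, and "Struct_peb", "Boolean" and "Handle" had lost their case.
 *
 * NOTE(review): this layout does not agree with the offset-annotated
 * listing above in several members (Pcb type, LockCount/LockOwner width,
 * VirtualSize width, the Vm block, ImageFileName, the members after
 * VdmObjects).  D1F8 and D1FC are named as if they were the DWORDs at
 * 0x1F8/0x1FC, yet they are declared after ImageFileName (0x1FC); treat
 * both as unverified placeholders.  As with the listing above, take real
 * offsets from the symbols of the exact kernel build, never from here.
 */
typedef struct _EPROCESS {
    KPROCESS Pcb;
    NTSTATUS ExitStatus;
    KEVENT LockEvent;
    DWORD LockCount;
    QWORD CreateTime;
    QWORD ExitTime;
    PVOID LockOwner;
    DWORD UniqueProcessId;
    QWORD ActiveProcessLinks;
    DWORD QuotaPeakPoolUsage[2];                  // NP, P
    DWORD QuotaPoolUsage[2];                      // NP, P
    DWORD PagefileUsage;
    DWORD CommitCharge;
    DWORD PeakPagefileUsage;
    DWORD PeakVirtualSize;
    QWORD VirtualSize;
    DWORD Vm[12];
    DWORD LastProtoPteFault;
    DWORD DebugPort;
    DWORD ExceptionPort;
    DWORD ObjectTable;
    DWORD Token;
    DWORD WorkingSetLock[8];
    DWORD WorkingSetPage;
    BOOLEAN ProcessOutswapEnabled;
    BOOLEAN ProcessOutswapped;
    BOOLEAN AddressSpaceInitialized;
    BOOLEAN AddressSpaceDeleted;
    DWORD AddressCreationLock[9];
    DWORD ForkInProgress;
    DWORD VmOperation;
    DWORD VmOperationEvent;
    DWORD PageDirectoryPte;
    QWORD LastFaultCount;
    PVOID VadRoot;
    DWORD VadHint;
    DWORD CloneRoot;
    DWORD NumberOfPrivatePages;
    DWORD NumberOfLockedPages;
    WORD w184;
    BOOLEAN ExitProcessCalled;
    BOOLEAN CreateProcessReported;
    HANDLE SectionHandle;
    struct _PEB *Peb;                             // offset 0x1b0 (page: "Struct_peb * peb")
    PVOID SectionBaseAddress;
    PVOID QuotaBlock;
    NTSTATUS LastThreadExitStatus;
    PROCESS_WS_WATCH_INFORMATION WorkingSetWatch;
    DWORD InheritedFromUniqueProcessId;
    ACCESS_MASK GrantedAccess;
    DWORD DefaultHardErrorProcessing;
    DWORD LdtInformation;
    DWORD VadFreeHint;
    DWORD VdmObjects;
    KMUTANT ProcessMutant;
    BYTE ImageFileName[16];                       // offset 0x1FC
    DWORD VmTrimFaultValue[2];
    PVOID Win32Process;
    DWORD D1F8;                                   // name suggests offset 0x1F8, but declared after 0x1FC
    DWORD D1FC;                                   // name suggests offset 0x1FC, but declared after ImageFileName
} EPROCESS, *PEPROCESS, **PPEPROCESS;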

