Windows 2000 kernel KPEB / KTEB detailed structure (http://webcrazy.yeah.net)


Windows 2000 Kernel KPEB / KTEB Details, by Webcrazy (http://webcrazy.yeah.net/). The importance of the EPROCESS and ETHREAD structures in the Windows NT / 2000 kernel is self-evident. Their members touch every aspect of the kernel, and both are relatively large structures: in the Windows 2000 Server build 2195 free kernel their sizes are 648 and 584 bytes, respectively. I have already shown uses of some of their members in a number of earlier articles; see "Site Navigation" for those. At the request of some readers, I list their detailed structures below. Source of the structures: the Microsoft WinDbg extension kdex2x86.dll. This kernel debugger extension covers not only EPROCESS / ETHREAD but also many other internal data structures, such as EJOB. The listing is not in C syntax; it only gives each member's offset, type and name. Offsets are in hexadecimal, the sizes above are in decimal, and both apply to this build only. For details, refer to the Windows NT / 2000 OEM Support Tools documentation provided by Microsoft, and to Microsoft's documentation on WinDbg.

> !listexts Default extension: D: / Program Files / Debuggers / bin / w2kfre / kdex2x86 kdex2x86 loaded D: / Program Files / Debuggers / bin / w2kfre / kdex2x86 > !kdex2x86.version Free Extension dll for build 2195 debugging Free kernel for build 2195 > !kdex2x86.strct EPROCESS struct _EPROCESS (sizeof = 648) 000 struct _KPROCESS Pcb 000 struct _DISPATCHER_HEADER Header 000 byte Type 001 byte Absolute 002 byte Size 003 byte Inserted 004 int32 SignalState 008 struct _LIST_ENTRY WaitListHead 008 struct _LIST_ENTRY * Flink 00c struct _LIST_ENTRY * Blink 010 struct _LIST_ENTRY ProfileListHead 010 struct _LIST_ENTRY * Flink 014 struct _LIST_ENTRY * Blink 018 uint32 DirectoryTableBase [2] 020 struct _KGDTENTRY LdtDescriptor 020 uint16 LimitLow 022 uint16 BaseLow 024 union __unnamed9 HighWord 024 struct __unnamed10 Bytes 024 byte BaseMid 025 byte Flags1 026 byte Flags2 027 byte BaseHi 024 struct __unnamed11 Bits 024 bits0-7 BaseMid 024 bits8-12 Type 024 bits13-14 Dpl 024 bits15-15 Pres 024 bits16-19 LimitHi 024 bits20-20 Sys 024 bits21-21 Reserved_0 024 bits22-22 Default_Big 024 bits23-23 Granularity

024 bits24-31 BaseHi 028 struct _KIDTENTRY Int21Descriptor 028 uint16 Offset 02a uint16 Selector 02c uint16 Access 02e uint16 ExtendedOffset 030 uint16 IopmOffset 032 byte Iopl 033 byte VdmFlag 034 uint32 ActiveProcessors 038 uint32 KernelTime 03c uint32 UserTime 040 struct _LIST_ENTRY ReadyListHead 040 struct _LIST_ENTRY * Flink 044 struct _LIST_ENTRY * Blink 048 struct _LIST_ENTRY SwapListEntry 048 struct _LIST_ENTRY * Flink 04c struct _LIST_ENTRY * Blink 050 struct _LIST_ENTRY ThreadListHead 050 struct _LIST_ENTRY * Flink 054 struct _LIST_ENTRY * Blink 058 uint32 ProcessLock 05c uint32 Affinity 060 uint16 StackCount 062 char BasePriority 063 char ThreadQuantum 064 byte AutoAlignment 065 byte State 066 byte ThreadSeed 067 byte DisableBoost 068 byte PowerState 069 byte DisableQuantum 06a byte Spare [2] 06c int32 ExitStatus 070 struct _KEVENT LockEvent 070 struct _DISPATCHER_HEADER Header 070 byte Type 071 byte Absolute 072 byte Size 073 byte Inserted 074 int32 SignalState 078 struct _LIST_ENTRY WaitListHead 078 struct _LIST_ENTRY * Flink 07c struct _LIST_ENTRY * Blink

080 uint32 LockCount 088 union _LARGE_INTEGER CreateTime 088 uint32 LowPart 08c int32 HighPart 088 struct __unnamed3 u 088 uint32 LowPart 08c int32 HighPart 088 int64 QuadPart 090 union _LARGE_INTEGER ExitTime 090 uint32 LowPart 094 int32 HighPart 090 struct __unnamed3 u 090 uint32 LowPart 094 int32 HighPart 090 int64 QuadPart 098 struct _KTHREAD * LockOwner 09c void * UniqueProcessId 0a0 struct _LIST_ENTRY ActiveProcessLinks 0a0 struct _LIST_ENTRY * Flink 0a4 struct _LIST_ENTRY * Blink 0a8 uint32 QuotaPeakPoolUsage [2] 0b0 uint32 QuotaPoolUsage [2] 0b8 uint32 PagefileUsage 0bc uint32 CommitCharge 0c0 uint32 PeakPagefileUsage 0c4 uint32 PeakVirtualSize 0c8 uint32 VirtualSize 0d0 struct _MMSUPPORT Vm 0d0 union _LARGE_INTEGER LastTrimTime 0d0 uint32 LowPart 0d4 int32 HighPart 0d0 struct __unnamed3 u 0d0 uint32 LowPart 0d4 int32 HighPart 0d0 int64 QuadPart 0d8 uint32 LastTrimFaultCount 0dc uint32 PageFaultCount 0e0 uint32 PeakWorkingSetSize 0e4 uint32 WorkingSetSize 0e8 uint32 MinimumWorkingSetSize 0ec uint32 MaximumWorkingSetSize 0f0 * VmWorkingSetList 0f4 struct _LIST_ENTRY WorkingSetExpansionLinks 0f4 struct _LIST_ENTRY * Flink

0f8 struct _LIST_ENTRY * Blink 0fc byte AllowWorkingSetAdjustment 0fd byte AddressSpaceBeingDeleted 0fe byte ForegroundSwitchCount 0ff byte MemoryPriority 100 union __unnamed13 u 100 uint32 LongFlags 100 struct _MMSUPPORT_FLAGS Flags 100 bits0-0 SessionSpace 100 bits1-1 BeingTrimmed 100 bits2-2 ProcessInSession 100 bits3-3 SessionLeader 100 bits4-4 TrimHard 100 bits5-5 WorkingSetHard 100 bits6-6 WriteWatch 100 bits7-31 Filler 104 uint32 Claim 108 uint32 NextEstimationSlot 10c uint32 NextAgingSlot 110 uint32 EstimatedAvailable 114 uint32 GrowthSinceLastEstimate 118 struct _LIST_ENTRY SessionProcessLinks 118 struct _LIST_ENTRY * Flink 11c struct _LIST_ENTRY * Blink 120 void * DebugPort 124 void * ExceptionPort 128 struct _HANDLE_TABLE * ObjectTable 12c void * Token 130 struct _FAST_MUTEX WorkingSetLock 130 int32 Count 134 struct _KTHREAD * Owner 138 uint32 Contention 13c struct _KEVENT Event 13c struct _DISPATCHER_HEADER Header 13c byte Type 13d byte Absolute 13e byte Size 13f byte Inserted 140 int32 SignalState 144 struct _LIST_ENTRY WaitListHead 144 struct _LIST_ENTRY * Flink

148 struct _LIST_ENTRY * Blink 14c uint32 OldIrql 150 uint32 WorkingSetPage 154 byte ProcessOutswapEnabled 155 byte ProcessOutswapped 156 byte AddressSpaceInitialized 157 byte AddressSpaceDeleted 158 struct _FAST_MUTEX AddressCreationLock 158 int32 Count 15c struct _KTHREAD * Owner 160 uint32 Contention 164 struct _KEVENT Event 164 struct _DISPATCHER_HEADER Header 164 byte Type 165 byte Absolute 166 byte Size 167 byte Inserted 168 int32 SignalState 16c struct _LIST_ENTRY WaitListHead 16c struct _LIST_ENTRY * Flink 170 struct _LIST_ENTRY * Blink 174 uint32 OldIrql 178 uint32 HyperSpaceLock 17c struct _ETHREAD * ForkInProgress 180 uint16 VmOperation 182 byte ForkWasSuccessful 183 byte MmAgressiveWsTrimMask 184 struct _KEVENT * VmOperationEvent 188 void * PaeTop 18c uint32 LastFaultCount 190 uint32 ModifiedPageCount 194 void * VadRoot 198 void * VadHint 19c void * CloneRoot 1a0 uint32 NumberOfPrivatePages 1a4 uint32 NumberOfLockedPages 1a8 uint16 NextPageColor 1aa byte ExitProcessCalled 1ab byte CreateProcessReported 1ac void * SectionHandle 1b0 struct _PEB * Peb 1b4 void * SectionBaseAddress 1b8 struct _EPROCESS_QUOTA_BLOCK * QuotaBlock

1bc int32 LastThreadExitStatus 1c0 struct _PAGEFAULT_HISTORY * WorkingSetWatch 1c4 void * Win32WindowStation 1c8 void * InheritedFromUniqueProcessId 1cc uint32 GrantedAccess 1d0 uint32 DefaultHardErrorProcessing 1d4 void * LdtInformation 1d8 void * VadFreeHint 1dc void * VdmObjects 1e0 void * DeviceMap 1e4 uint32 SessionId 1e8 struct _LIST_ENTRY PhysicalVadList 1e8 struct _LIST_ENTRY * Flink 1ec struct _LIST_ENTRY * Blink 1f0 struct _HARDWARE_PTE_X86 PageDirectoryPte 1f0 bits0-0 Valid 1f0 bits1-1 Write 1f0 bits2-2 Owner 1f0 bits3-3 WriteThrough 1f0 bits4-4 CacheDisable 1f0 bits5-5 Accessed 1f0 bits6-6 Dirty 1f0 bits7-7 LargePage 1f0 bits8-8 Global 1f0 bits9-9 CopyOnWrite 1f0 bits10-10 Prototype 1f0 bits11-11 reserved 1f0 bits12-31 PageFrameNumber 1f0 uint64 Filler 1f8 uint32 PaePageDirectoryPage 1fc byte ImageFileName [16] 20c uint32 VmTrimFaultValue 210 byte SetTimerResolution 211 byte PriorityClass 212 byte SubSystemMinorVersion 213 byte SubSystemMajorVersion 212 uint16 SubSystemVersion 214 void * Win32Process 218 struct _EJOB * Job 21c uint32 JobStatus 220 struct _LIST_ENTRY JobLinks 220 struct _LIST_ENTRY * Flink 224 struct _LIST_ENTRY * Blink 228 void * LockedPagesList 22c void * SecurityPort

230 struct _WOW64_PROCESS * Wow64Process 238 union _LARGE_INTEGER ReadOperationCount 238 uint32 LowPart 23c int32 HighPart 238 struct __unnamed3 u 238 uint32 LowPart 23c int32 HighPart 238 int64 QuadPart 240 union _LARGE_INTEGER WriteOperationCount 240 uint32 LowPart 244 int32 HighPart 240 struct __unnamed3 u 240 uint32 LowPart 244 int32 HighPart 240 int64 QuadPart 248 union _LARGE_INTEGER OtherOperationCount 248 uint32 LowPart 24c int32 HighPart 248 struct __unnamed3 u 248 uint32 LowPart 24c int32 HighPart 248 int64 QuadPart 250 union _LARGE_INTEGER ReadTransferCount 250 uint32 LowPart 254 int32 HighPart 250 struct __unnamed3 u 250 uint32 LowPart 254 int32 HighPart 250 int64 QuadPart 258 union _LARGE_INTEGER WriteTransferCount 258 uint32 LowPart 25c int32 HighPart 258 struct __unnamed3 u 258 uint32 LowPart 25c int32 HighPart 258 int64 QuadPart 260 union _LARGE_INTEGER OtherTransferCount 260 uint32 LowPart 264 int32 HighPart 260 struct __unnamed3 u 260 uint32 LowPart 264 int32 HighPart 260 int64 QuadPart 268 uint32 CommitChargeLimit 26c uint32 CommitChargePeak 270 struct _LIST_ENTRY ThreadListHead

270 struct _LIST_ENTRY * Flink 274 struct _LIST_ENTRY * Blink 278 struct _RTL_BITMAP * VadPhysicalPagesBitMap 27c uint32 VadPhysicalPages 280 uint32 AweLock > !kdex2x86.strct ETHREAD struct _ETHREAD (sizeof = 584) 000 struct _KTHREAD Tcb 000 struct _DISPATCHER_HEADER Header 000 byte Type 001 byte Absolute 002 byte Size 003 byte Inserted 004 int32 SignalState 008 struct _LIST_ENTRY WaitListHead 008 struct _LIST_ENTRY * Flink 00c struct _LIST_ENTRY * Blink 010 struct _LIST_ENTRY MutantListHead 010 struct _LIST_ENTRY * Flink 014 struct _LIST_ENTRY * Blink 018 void * InitialStack 01c void * StackLimit 020 void * Teb 024 void * TlsArray 028 void * KernelStack 02c byte DebugActive 02d byte State 02e byte Alerted [2] 030 byte Iopl 031 byte NpxState 032 char Saturation 033 char Priority 034 struct _KAPC_STATE ApcState 034 struct _LIST_ENTRY ApcListHead [2] struct _LIST_ENTRY * Flink struct _LIST_ENTRY * Blink 044 struct _KPROCESS * Process 048 byte KernelApcInProgress 049 byte KernelApcPending 04a byte UserApcPending 04c uint32 ContextSwitches 050 int32 WaitStatus 054 byte WaitIrql 055 char WaitMode

056 byte WaitNext 057 byte WaitReason 058 struct _KWAIT_BLOCK * WaitBlockList 05c struct _LIST_ENTRY WaitListEntry 05c struct _LIST_ENTRY * Flink 060 struct _LIST_ENTRY * Blink 064 uint32 WaitTime 068 char BasePriority 069 byte DecrementCount 06a char PriorityDecrement 06b char Quantum 06c struct _KWAIT_BLOCK WaitBlock [4] struct _LIST_ENTRY WaitListEntry struct _LIST_ENTRY * Flink struct _LIST_ENTRY * Blink struct _KTHREAD * Thread void * Object struct _KWAIT_BLOCK * NextWaitBlock uint16 WaitKey uint16 WaitType 0cc void * LegoData 0d0 uint32 KernelApcDisable 0d4 uint32 UserAffinity 0d8 byte SystemAffinityActive 0d9 byte PowerState 0da byte NpxIrql 0db byte Pad [1] 0dc void * ServiceTable 0e0 struct _KQUEUE * Queue 0e4 uint32 ApcQueueLock 0e8 struct _KTIMER Timer 0e8 struct _DISPATCHER_HEADER Header 0e8 byte Type 0e9 byte Absolute 0ea byte Size 0eb byte Inserted 0ec int32 SignalState 0f0 struct _LIST_ENTRY WaitListHead 0f0 struct _LIST_ENTRY * Flink 0f4 struct _LIST_ENTRY * Blink 0f8 union _ULARGE_INTEGER DueTime 0f8 uint32 LowPart

0fc uint32 HighPart 0f8 struct __unnamed12 u 0f8 uint32 LowPart 0fc uint32 HighPart 0f8 uint64 QuadPart 100 struct _LIST_ENTRY TimerListEntry 100 struct _LIST_ENTRY * Flink 104 struct _LIST_ENTRY * Blink 108 struct _KDPC * Dpc 10c int32 Period 110 struct _LIST_ENTRY QueueListEntry 110 struct _LIST_ENTRY * Flink 114 struct _LIST_ENTRY * Blink 118 uint32 Affinity 11c byte Preempted 11d byte ProcessReadyQueue 11e byte KernelStackResident 11f byte NextProcessor 120 void * CallbackStack 124 void * Win32Thread 128 struct _KTRAP_FRAME * TrapFrame 12c struct _KAPC_STATE * ApcStatePointer [2] 134 char PreviousMode 135 byte EnableStackSwap 136 byte LargeStack 137 byte ResourceIndex 138 uint32 KernelTime 13c uint32 UserTime 140 struct _KAPC_STATE SavedApcState 140 struct _LIST_ENTRY ApcListHead [2] struct _LIST_ENTRY * Flink struct _LIST_ENTRY * Blink 150 struct _KPROCESS * Process 154 byte KernelApcInProgress 155 byte KernelApcPending 156 byte UserApcPending 158 byte Alertable 159 byte ApcStateIndex 15a byte ApcQueueable 15b byte AutoAlignment 15c void * StackBase

160 struct _KAPC SuspendApc 160 int16 Type 162 int16 Size 164 uint32 Spare0 168 struct _KTHREAD * Thread 16c struct _LIST_ENTRY ApcListEntry 16c struct _LIST_ENTRY * Flink 170 struct _LIST_ENTRY * Blink 174 function * KernelRoutine 178 function * RundownRoutine 17c function * NormalRoutine 180 void * NormalContext 184 void * SystemArgument1 188 void * SystemArgument2 18c char ApcStateIndex 18d char ApcMode 18e byte Inserted 190 struct _KSEMAPHORE SuspendSemaphore 190 struct _DISPATCHER_HEADER Header 190 byte Type 191 byte Absolute 192 byte Size 193 byte Inserted 194 int32 SignalState 198 struct _LIST_ENTRY WaitListHead 198 struct _LIST_ENTRY * Flink 19c struct _LIST_ENTRY * Blink 1a0 int32 Limit 1a4 struct _LIST_ENTRY ThreadListEntry 1a4 struct _LIST_ENTRY * Flink 1a8 struct _LIST_ENTRY * Blink 1ac char FreezeCount 1ad char SuspendCount 1ae byte IdealProcessor 1af byte DisableBoost 1b0 union _LARGE_INTEGER CreateTime 1b0 uint32 LowPart 1b4 int32 HighPart 1b0 struct __unnamed3 u 1b0 uint32 LowPart 1b4 int32 HighPart 1b0 int64 QuadPart

1b0 bits0-1 NestedFaultCount 1b0 bits2-2 ApcNeeded 1b8 union _LARGE_INTEGER ExitTime 1b8 uint32 LowPart 1bc int32 HighPart 1b8 struct __unnamed3 u 1b8 uint32 LowPart 1bc int32 HighPart 1b8 int64 QuadPart 1b8 struct _LIST_ENTRY LpcReplyChain 1b8 struct _LIST_ENTRY * Flink 1bc struct _LIST_ENTRY * Blink 1c0 int32 ExitStatus 1c0 void * OfsChain 1c4 struct _LIST_ENTRY PostBlockList 1c4 struct _LIST_ENTRY * Flink 1c8 struct _LIST_ENTRY * Blink 1cc struct _LIST_ENTRY TerminationPortList 1cc struct _LIST_ENTRY * Flink 1d0 struct _LIST_ENTRY * Blink 1d4 uint32 ActiveTimerListLock 1d8 struct _LIST_ENTRY ActiveTimerListHead 1d8 struct _LIST_ENTRY * Flink 1dc struct _LIST_ENTRY * Blink 1e0 struct _CLIENT_ID Cid 1e0 void * UniqueProcess 1e4 void * UniqueThread 1e8 struct _KSEMAPHORE LpcReplySemaphore 1e8 struct _DISPATCHER_HEADER Header 1e8 byte Type 1e9 byte Absolute 1ea byte Size 1eb byte Inserted 1ec int32 SignalState 1f0 struct _LIST_ENTRY WaitListHead 1f0 struct _LIST_ENTRY * Flink 1f4 struct _LIST_ENTRY * Blink 1f8 int32 Limit 1fc void * LpcReplyMessage 200 uint32 LpcReplyMessageId 204 uint32 PerformanceCountLow 208 struct _PS_IMPERSONATION_INFORMATION * ImpersonationInfo
