Newcomers often ask what _EPROCESS, _ETHREAD and similar structures look like on each OS version, but the purpose of this post is definitely not to tell you what those structures are or how to obtain them. That is a really dumb question. Search Baidu for something like "VM Windbg 双机调试" (VM WinDbg two-machine debugging) yourself, then run
Kd>dt nt!_*
and you are done.
This is really just a quick reference and memo for myself: I keep running into the annoying situation of having to install an entire OS just to look up one offset, because it cannot be found on Baidu or Google.
Windows 2000 Kernel Version 2195 (Service Pack 4) UP Free x86 compatible
_EPROCESS
+0x000 Pcb : _KPROCESS
+0x06c ExitStatus : Int4B
+0x070 LockEvent : _KEVENT
+0x080 LockCount : Uint4B
+0x088 CreateTime : _LARGE_INTEGER
+0x090 ExitTime : _LARGE_INTEGER
+0x098 LockOwner : Ptr32 _KTHREAD
+0x09c UniqueProcessId : Ptr32 Void
+0x0a0 ActiveProcessLinks : _LIST_ENTRY
+0x0a8 QuotaPeakPoolUsage : [2] Uint4B
+0x0b0 QuotaPoolUsage : [2] Uint4B
+0x0b8 PagefileUsage : Uint4B
+0x0bc CommitCharge : Uint4B
+0x0c0 PeakPagefileUsage : Uint4B
+0x0c4 PeakVirtualSize : Uint4B
+0x0c8 VirtualSize : Uint4B
+0x0d0 Vm : _MMSUPPORT
+0x118 SessionProcessLinks : _LIST_ENTRY
+0x120 DebugPort : Ptr32 Void
+0x124 ExceptionPort : Ptr32 Void
+0x128 ObjectTable : Ptr32 _HANDLE_TABLE
+0x12c Token : Ptr32 Void
+0x130 WorkingSetLock : _FAST_MUTEX
+0x150 WorkingSetPage : Uint4B
+0x154 ProcessOutswapEnabled : UChar
+0x155 ProcessOutswapped : UChar
+0x156 AddressSpaceInitialized : UChar
+0x157 AddressSpaceDeleted : UChar
+0x158 AddressCreationLock : _FAST_MUTEX
+0x178 HyperSpaceLock : Uint4B
+0x17c ForkInProgress : Ptr32 _ETHREAD
+0x180 VmOperation : Uint2B
+0x182 ForkWasSuccessful : UChar
+0x183 MmAgressiveWsTrimMask : UChar
+0x184 VmOperationEvent : Ptr32 _KEVENT
+0x188 PaeTop : Ptr32 Void
+0x18c LastFaultCount : Uint4B
+0x190 ModifiedPageCount : Uint4B
+0x194 VadRoot : Ptr32 Void
+0x198 VadHint : Ptr32 Void
+0x19c CloneRoot : Ptr32 Void
+0x1a0 NumberOfPrivatePages : Uint4B
+0x1a4 NumberOfLockedPages : Uint4B
+0x1a8 NextPageColor : Uint2B
+0x1aa ExitProcessCalled : UChar
+0x1ab CreateProcessReported : UChar
+0x1ac SectionHandle : Ptr32 Void
+0x1b0 Peb : Ptr32 _PEB
+0x1b4 SectionBaseAddress : Ptr32 Void
+0x1b8 QuotaBlock : Ptr32 _EPROCESS_QUOTA_BLOCK
+0x1bc LastThreadExitStatus : Int4B
+0x1c0 WorkingSetWatch : Ptr32 _PAGEFAULT_HISTORY
+0x1c4 Win32WindowStation : Ptr32 Void
+0x1c8 InheritedFromUniqueProcessId : Ptr32 Void
+0x1cc GrantedAccess : Uint4B
+0x1d0 DefaultHardErrorProcessing : Uint4B
+0x1d4 LdtInformation : Ptr32 Void
+0x1d8 VadFreeHint : Ptr32 Void
+0x1dc VdmObjects : Ptr32 Void
+0x1e0 DeviceMap : Ptr32 Void
+0x1e4 SessionId : Uint4B
+0x1e8 PhysicalVadList : _LIST_ENTRY
+0x1f0 PageDirectoryPte : _HARDWARE_PTE_X86
+0x1f0 Filler : Uint8B
+0x1f8 PaePageDirectoryPage : Uint4B
+0x1fc ImageFileName : [16] UChar
+0x20c VmTrimFaultValue : Uint4B
+0x210 SetTimerResolution : UChar
+0x211 PriorityClass : UChar
+0x212 SubSystemMinorVersion : UChar
+0x213 SubSystemMajorVersion : UChar
+0x212 SubSystemVersion : Uint2B
+0x214 Win32Process : Ptr32 Void
+0x218 Job : Ptr32 _EJOB
+0x21c JobStatus : Uint4B
+0x220 JobLinks : _LIST_ENTRY
+0x228 LockedPagesList : Ptr32 Void
+0x22c SecurityPort : Ptr32 Void
+0x230 Wow64Process : Ptr32 _WOW64_PROCESS
+0x238 ReadOperationCount : _LARGE_INTEGER
+0x240 WriteOperationCount : _LARGE_INTEGER
+0x248 OtherOperationCount : _LARGE_INTEGER
+0x250 ReadTransferCount : _LARGE_INTEGER
+0x258 WriteTransferCount : _LARGE_INTEGER
+0x260 OtherTransferCount : _LARGE_INTEGER
+0x268 CommitChargeLimit : Uint4B
+0x26c CommitChargePeak : Uint4B
+0x270 ThreadListHead : _LIST_ENTRY
+0x278 VadPhysicalPagesBitMap : Ptr32 _RTL_BITMAP
+0x27c VadPhysicalPages : Uint4B
+0x280 AweLock : Uint4B
+0x284 pImageFileName : Ptr32 _UNICODE_STRING
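As an added example that is not part of the original post: a Python walker that consumes the _EPROCESS offsets listed above (UniqueProcessId, ActiveProcessLinks, InheritedFromUniqueProcessId, ImageFileName) to enumerate processes from a raw memory image the way `!process 0 0` does. The image, its base address, the list-head position and the process entries are constructed for the demonstration, and the structure size 0x288 is inferred from the last listed field.

```python
import struct

# Field offsets from the Windows 2000 SP4 x86 _EPROCESS layout listed above.
OFF_UNIQUE_PID = 0x09C      # UniqueProcessId : Ptr32 Void
OFF_ACTIVE_LINKS = 0x0A0    # ActiveProcessLinks : _LIST_ENTRY (Flink, Blink)
OFF_PARENT_PID = 0x1C8      # InheritedFromUniqueProcessId : Ptr32 Void
OFF_IMAGE_NAME = 0x1FC      # ImageFileName : [16] UChar
EPROCESS_SIZE = 0x288       # inferred: last listed field pImageFileName at +0x284 is 4 bytes
LIST_HEAD_SIZE = 8          # a _LIST_ENTRY is two 32-bit pointers

def build_sample_image(base, procs):
    """Constructed memory image (not a real dump): a list head at `base`, then one
    _EPROCESS per (pid, ppid, name), linked in a ring through ActiveProcessLinks."""
    buf = bytearray(LIST_HEAD_SIZE + len(procs) * EPROCESS_SIZE)
    entry_va = [base + LIST_HEAD_SIZE + i * EPROCESS_SIZE for i in range(len(procs))]
    # Flink/Blink point at the neighbour's ActiveProcessLinks field, not at its _EPROCESS.
    ring = [base] + [va + OFF_ACTIVE_LINKS for va in entry_va]
    for i, va in enumerate(ring):
        flink, blink = ring[(i + 1) % len(ring)], ring[(i - 1) % len(ring)]
        struct.pack_into("<II", buf, va - base, flink, blink)
    for (pid, ppid, name), va in zip(procs, entry_va):
        off = va - base
        struct.pack_into("<I", buf, off + OFF_UNIQUE_PID, pid)
        struct.pack_into("<I", buf, off + OFF_PARENT_PID, ppid)
        buf[off + OFF_IMAGE_NAME:off + OFF_IMAGE_NAME + 16] = name.encode()[:15].ljust(16, b"\0")
    return bytes(buf)

def walk_active_process_list(image, base, head_va, max_entries=4096):
    """Enumerate processes like !process 0 0: follow Flink from the head, recover the
    containing _EPROCESS (CONTAINING_RECORD = address minus field offset), read its fields,
    stop at the head. Bounds and cycle checks keep the parser safe on a malformed list."""
    def u32(va):
        off = va - base
        if not 0 <= off <= len(image) - 4:
            raise ValueError(f"pointer {va:#x} lies outside the image")
        return struct.unpack_from("<I", image, off)[0]
    procs, seen = [], set()
    flink = u32(head_va)                       # head.Flink
    while flink != head_va:
        if flink in seen or len(procs) >= max_entries:
            raise ValueError("ActiveProcessLinks ring never returns to the head")
        seen.add(flink)
        eproc = flink - OFF_ACTIVE_LINKS
        off = eproc - base
        if not 0 <= off <= len(image) - EPROCESS_SIZE:
            raise ValueError(f"_EPROCESS at {eproc:#x} lies outside the image")
        name = image[off + OFF_IMAGE_NAME:off + OFF_IMAGE_NAME + 16].split(b"\0", 1)[0]
        procs.append((u32(eproc + OFF_UNIQUE_PID), u32(eproc + OFF_PARENT_PID), name.decode()))
        flink = u32(flink)                     # this node's Flink
    return procs
```

A process whose ActiveProcessLinks entry has been unlinked from the ring will not appear in this walk, which is why memory-forensics tools cross-check the list walk against other sources such as pool scans.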
_KPROCESS
+0x000 Header : _DISPATCHER_HEADER
+0x010 ProfileListHead : _LIST_ENTRY
+0x018 DirectoryTableBase : [2] Uint4B
+0x020 LdtDescriptor : _KGDTENTRY
+0x028 Int21Descriptor : _KIDTENTRY
+0x030 IopmOffset : Uint2B
+0x032 Iopl : UChar
+0x033 VdmFlag : UChar
+0x034 ActiveProcessors : Uint4B
+0x038 KernelTime : Uint4B
+0x03c UserTime : Uint4B
+0x040 ReadyListHead : _LIST_ENTRY
+0x048 SwapListEntry : _LIST_ENTRY
+0x050 ThreadListHead : _LIST_ENTRY
+0x058 ProcessLock : Uint4B
+0x05c Affinity : Uint4B
+0x060 StackCount : Uint2B
+0x062 BasePriority : Char
+0x063 ThreadQuantum : Char
+0x064 AutoAlignment : UChar
+0x065 State : UChar
+0x066 ThreadSeed : UChar
+0x067 DisableBoost : UChar
+0x068 PowerState : UChar
+0x069 DisableQuantum : UChar
+0x06a Spare : [2] UChar
_ETHREAD
+0x000 Tcb : _KTHREAD
+0x1b0 CreateTime : _LARGE_INTEGER
+0x1b0 NestedFaultCount : Pos 0, 2 Bits
+0x1b0 ApcNeeded : Pos 2, 1 Bit
+0x1b8 ExitTime : _LARGE_INTEGER
+0x1b8 LpcReplyChain : _LIST_ENTRY
+0x1c0 ExitStatus : Int4B
+0x1c0 OfsChain : Ptr32 Void
+0x1c4 PostBlockList : _LIST_ENTRY
+0x1cc TerminationPortList : _LIST_ENTRY
+0x1d4 ActiveTimerListLock : Uint4B
+0x1d8 ActiveTimerListHead : _LIST_ENTRY
+0x1e0 Cid : _CLIENT_ID
+0x1e8 LpcReplySemaphore : _KSEMAPHORE
+0x1fc LpcReplyMessage : Ptr32 Void
+0x1fc LpcWaitingOnPort : Ptr32 Void
+0x200 LpcReplyMessageId : Uint4B
+0x204 PerformanceCountLow : Uint4B
+0x208 ImpersonationInfo : Ptr32 _PS_IMPERSONATION_INFORMATION
+0x20c IrpList : _LIST_ENTRY
+0x214 TopLevelIrp : Uint4B
+0x218 DeviceToVerify : Ptr32 _DEVICE_OBJECT
+0x21c ReadClusterSize : Uint4B
+0x220 ForwardClusterOnly : UChar
+0x221 DisablePageFaultClustering : UChar
+0x222 DeadThread : UChar
+0x223 HideFromDebugger : UChar
+0x224 HasTerminated : Uint4B
+0x228 GrantedAccess : Uint4B
+0x22c ThreadsProcess : Ptr32 _EPROCESS
+0x230 StartAddress : Ptr32 Void
+0x234 Win32StartAddress : Ptr32 Void
+0x234 LpcReceivedMessageId : Uint4B
+0x238 LpcExitThreadCalled : UChar
+0x239 HardErrorsAreDisabled : UChar
+0x23a LpcReceivedMsgIdValid : UChar
+0x23b ActiveImpersonationInfo : UChar
+0x23c PerformanceCountHigh : Int4B
+0x240 ThreadListEntry : _LIST_ENTRY
_KTHREAD
+0x000 Header : _DISPATCHER_HEADER
+0x010 MutantListHead : _LIST_ENTRY
+0x018 InitialStack : Ptr32 Void
+0x01c StackLimit : Ptr32 Void
+0x020 Teb : Ptr32 Void
+0x024 TlsArray : Ptr32 Void
+0x028 KernelStack : Ptr32 Void
+0x02c DebugActive : UChar
+0x02d State : UChar
+0x02e Alerted : [2] UChar
+0x030 Iopl : UChar
+0x031 NpxState : UChar
+0x032 Saturation : Char
+0x033 Priority : Char
+0x034 ApcState : _KAPC_STATE
+0x04c ContextSwitches : Uint4B
+0x050 WaitStatus : Int4B
+0x054 WaitIrql : UChar
+0x055 WaitMode : Char
+0x056 WaitNext : UChar
+0x057 WaitReason : UChar
+0x058 WaitBlockList : Ptr32 _KWAIT_BLOCK
+0x05c WaitListEntry : _LIST_ENTRY
+0x064 WaitTime : Uint4B
+0x068 BasePriority : Char
+0x069 DecrementCount : UChar
+0x06a PriorityDecrement : Char
+0x06b Quantum : Char
+0x06c WaitBlock : [4] _KWAIT_BLOCK
+0x0cc LegoData : Ptr32 Void
+0x0d0 KernelApcDisable : Uint4B
+0x0d4 UserAffinity : Uint4B
+0x0d8 SystemAffinityActive : UChar
+0x0d9 PowerState : UChar
+0x0da NpxIrql : UChar
+0x0db Pad : [1] UChar
+0x0dc ServiceTable : Ptr32 Void
+0x0e0 Queue : Ptr32 _KQUEUE
+0x0e4 ApcQueueLock : Uint4B
+0x0e8 Timer : _KTIMER
+0x110 QueueListEntry : _LIST_ENTRY
+0x118 Affinity : Uint4B
+0x11c Preempted : UChar
+0x11d ProcessReadyQueue : UChar
+0x11e KernelStackResident : UChar
+0x11f NextProcessor : UChar
+0x120 CallbackStack : Ptr32 Void
+0x124 Win32Thread : Ptr32 Void
+0x128 TrapFrame : Ptr32 _KTRAP_FRAME
+0x12c ApcStatePointer : [2] Ptr32 _KAPC_STATE
+0x134 PreviousMode : Char
+0x135 EnableStackSwap : UChar
+0x136 LargeStack : UChar
+0x137 ResourceIndex : UChar
+0x138 KernelTime : Uint4B
+0x13c UserTime : Uint4B
+0x140 SavedApcState : _KAPC_STATE
+0x158 Alertable : UChar
+0x159 ApcStateIndex : UChar
+0x15a ApcQueueable : UChar
+0x15b AutoAlignment : UChar
+0x15c StackBase : Ptr32 Void
+0x160 SuspendApc : _KAPC
+0x190 SuspendSemaphore : _KSEMAPHORE
+0x1a4 ThreadListEntry : _LIST_ENTRY
+0x1ac FreezeCount : Char
+0x1ad SuspendCount : Char
+0x1ae IdealProcessor : UChar
+0x1af DisableBoost : UChar
_HANDLE_TABLE
+0x000 Flags : Uint4B
+0x004 HandleCount : Int4B
+0x008 Table : Ptr32 Ptr32 Ptr32 _HANDLE_TABLE_ENTRY
+0x00c QuotaProcess : Ptr32 _EPROCESS
+0x010 UniqueProcessId : Ptr32 Void
+0x014 FirstFreeTableEntry : Int4B
+0x018 NextIndexNeedingPool : Int4B
+0x01c HandleTableLock : _ERESOURCE
+0x054 HandleTableList : _LIST_ENTRY
+0x05c HandleContentionEvent : _KEVENT