EPROCESS:NT进程的核心(更新)

作者是 陆麟

是2000年写的了  呵呵 
内核类的文章沉寂了好长一段时间,再度开写.今天写的乃是未公开的WIN2000的EPROCESS结构.
EPROCESS乃是NT进程的核心.该结构定义了所有进程相关的数据.知道了该结构,NT的核心机密就公开了一半.下面乃是我于7.26挖到凌晨的奥秘.:)))看哪.大补啊.:DDD
该结构仅在英文WIN2000零售版上验证通过.如果以后WIN2000有了SERVICE PACK,并不保证兼容.使用者请自己注意.

/*
 * DISPATCHER_HEADER as the author reconstructed it for 32-bit Windows 2000.
 * The EPROCESS listing below embeds one as LockEvent at 0x70 with the next
 * member at 0x80, so this layout is expected to occupy 16 bytes: four UCHARs,
 * one LONG and an 8-byte LIST_ENTRY (compare ActiveProcessLinks, 0xa0 -> 0xa8).
 * What the individual fields mean beyond their names is not given on this page.
 */
typedef struct _DISPATCHER_HEADER {
UCHAR Type;
UCHAR Absolute;
UCHAR Size;
UCHAR Inserted;
LONG SignalState;
LIST_ENTRY WaitListHead; /* LIST_ENTRY comes from the Windows headers, not this page */
} DISPATCHER_HEADER;

/*
 * First 32-bit word of a handle-table entry as reconstructed here.  Only 16 of
 * the 32 bits are named.  Bit-field packing order is implementation-defined in
 * C: this declaration assumes the compiler places `inheritable` in the lowest
 * bit, which must be verified for the compiler that produced the binary.
 */
typedef struct _FIRSTPART_OBJ{
unsigned inheritable : 1; /* handle can be inherited by child processes (from the name) */
unsigned protected :1;    /* "protected" handle; exact meaning not stated on this page */
unsigned pobj :14;        /* 14 bits of object reference; encoding/shift not given here - verify */
}FIRSTPART_OBJ;

/*
 * Despite the name, as declared this is one handle-table ENTRY (a bit-field word
 * plus a DWORD access mask), not the table itself.  EPROCESS.ObjectTable at
 * 0x128 below is declared as a POBJTBL, i.e. a pointer to this 8-byte layout.
 */
typedef struct _OBJTBL{
FIRSTPART_OBJ firstpart_obj;   /* flags + object reference, see FIRSTPART_OBJ */
DWORD access_control_mask;     /* rights granted through this handle; presumably an ACCESS_MASK */
}OBJTBL,*POBJTBL;

/*
 * Virtual address descriptor (VAD) node as reconstructed here: one address range
 * plus parent/left/right links, i.e. a node of a binary tree.  EPROCESS reaches
 * the tree through VadRoot (0x194) below.  The meaning of the bits in Flags is
 * not given on this page.
 */
typedef struct vad {
void *StartingAddress;   /* first address covered by this descriptor */
void *EndingAddress;     /* last address covered by this descriptor */
struct vad *ParentLink;  /* tree links; NULL conventions are not stated here */
struct vad *LeftLink;
struct vad *RightLink;
ULONG Flags;             /* per-range flag bits; undocumented on this page */
}VAD, *PVAD;

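/*
 * EPROCESS as reverse-engineered by the author on the English Windows 2000
 * retail build (see the note above); the trailing comments are the member
 * offsets observed there.  Pointer-sized members advance the offsets by 4,
 * so this is the 32-bit (x86) layout.  Undocumented kernel structures change
 * between builds and service packs, so any code reading members through these
 * offsets must be pinned to this exact build.  The members the kernel's
 * security decisions depend on (DebugPort, ObjectTable, Token, GrantedAccess)
 * should be reached through documented APIs in supported code - e.g.
 * PsReferencePrimaryToken for the token - rather than by raw offset.
 *
 * Fix: QuotaPeakPoolUsage/QuotaPoolUsage were declared as `__int64 x[0]`, a
 * zero-length array (GCC extension, contributes no bytes).  The offsets
 * 0xa8 -> 0xb0 -> 0xb8 require 8 bytes each, and the second listing on this
 * page declares them as two DWORDs labelled "NP, P", so they are declared that
 * way here.  The comment on UNKNOWN4 also read "200"; 0x1fc + 4 = 0x200 and
 * 0x200 + 0xc = 0x20c (VmTrimFaultValue), so it is 0x200.
 *
 * Remaining places where the declared members do not reach the next commented
 * offset (the declaration, not the comment, is suspect there):
 *   0xcc-0xd0   after VirtualSize      (second listing: VirtualSize is a QWORD)
 *   0x1a8-0x1aa after NumberOfLockedPages (second listing has a WORD w184 there)
 *   0x1e4-0x1f0 after DeviceMap
 *   0x1f4-0x1fc after PageDirectoryPte
 * They are left as-is rather than padded with guessed members.
 */
typedef struct{
struct KPCB Pcb; //0x0 kernel process block, 0x6c bytes here (named KPROCESS in the second listing)
INT ExitStatus; //0x6c
DISPATCHER_HEADER LockEvent; //0x70 16 bytes, see DISPATCHER_HEADER above
__int64 LockCount; //0x80
__int64 CreateTime; //0x88
__int64 ExitTime; //0x90
UINT LockOwner; //0x98
UINT UniqueProcessId; //0x9c
LIST_ENTRY ActiveProcessLinks; //0xa0 8 bytes: links this process into the active-process list
UINT QuotaPeakPoolUsage[2]; //0xa8 two 4-byte counters ("NP, P" in the second listing; presumably non-paged/paged)
UINT QuotaPoolUsage[2]; //0xb0 likewise
UINT PagefileUsage; //0xb8
UINT CommitCharge; //0xbc
UINT PeakPagefileUsage; //0xc0
UINT PeakVirtualSize; //0xc4
UINT VirtualSize; //0xc8 4 bytes here; 0xcc-0xd0 is unaccounted for (see header comment)
__int64 Vm; //0xd0
BYTE UNKNOW[0x48]; //0xd8 opaque, runs to 0x120
HANDLE DebugPort; //0x120
UINT ExceptionPort; //0x124
POBJTBL ObjectTable; //0x128 handle table; entries have the OBJTBL layout above
PTOKEN Token; //0x12c access token - security-critical kernel state
BYTE WorkingSetLock[0x20]; //0x130 opaque, runs to 0x150
UINT WorkingSetPage; //0x150
BYTE ProcessOutswapEnabled; //0x154
BYTE ProcessOutswapped; //0x155
BYTE AddressSpaceInitialized; //0x156
BYTE AddressSpaceDeleted; //0x157
BYTE AddressCreationLock; //0x158 first byte only; with UNKNOWN2 this spans 0x158-0x17c (DWORD[9] in the second listing)
BYTE UNKNOWN2[0x23]; //0x159
UINT ForkInProgress; //0x17c
WORD VmOperation; //0x180
WORD ForkWasSuccessful; //0x182
UINT VmOperationEvent; //0x184
UINT LastFaultCount; //0x188
BYTE UNKNOW3[8]; //0x18c
PVAD VadRoot; //0x194 root of the VAD tree (struct vad above)
UINT VadHint; //0x198
UINT CloneRoot; //0x19c
UINT NumberOfPrivatePages; //0x1a0
UINT NumberOfLockedPages; //0x1a4 ends at 0x1a8; 0x1a8-0x1aa is unaccounted for
BYTE ExitProcessCalled; //0x1aa
BYTE CreateProcessReported; //0x1ab
HANDLE SectionHandle; //0x1ac
PPEB Peb; //0x1b0 user-mode process environment block
PVOID SectionBaseAddress; //0x1b4
UINT QuotaBlock; //0x1b8
UINT LastThreadExitStatus; //0x1bc
PVOID WorkingSetWatch; //0x1c0
PVOID Win32WindowStation; //0x1c4
UINT InheritedFromUniqueProcessId; //0x1c8 parent process id
UINT GrantedAccess; //0x1cc
UINT DefaultHardErrorProcessing; //0x1d0
PLDT_ENTRY LdtInformation; //0x1d4
UINT VadFreeHint; //0x1d8
PVOID VdmObjects; //0x1dc
PPROCESS_DEVICEMAP_INFORMATION DeviceMap;//0x1e0 4-byte pointer here; 0x1e4-0x1f0 is unaccounted for
DWORD *PageDirectoryPte; //0x1f0 ends at 0x1f4; 0x1f4-0x1fc is unaccounted for
WORD *ImageFileName; //0x1fc declared as a pointer here; the second listing has BYTE[16] at 0x1FC, which with UNKNOWN4 spans the same 0x1fc-0x20c
BYTE UNKNOWN4[0xc]; //0x200
__int64 VmTrimFaultValue; //0x20c
PVOID Win32Process; //0x214
}EPROCESS,*PEPROCESS;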

//---------------------------------------------------------------------------------------------------------

下面的结构来自费尔:

/*
 * Second EPROCESS reconstruction (attributed above to 费尔).  Unlike the first
 * listing it carries offsets only at Peb (0x1B0) and ImageFileName (0x1FC), and
 * it differs from the first listing in several member widths (LockCount,
 * VirtualSize and LastFaultCount are 8 bytes here, 4 there) and in the members
 * between VdmObjects and ImageFileName.  The trailing d1F8/d1FC are named as if
 * at 0x1F8/0x1FC but are placed after Win32Process, so their position should be
 * checked against a binary before use.  As with the first listing, the layout
 * is build-specific and is not a supported interface.
 */
typedef struct _EPROCESS
{
KPROCESS Pcb;
NTSTATUS ExitStatus;
KEVENT LockEvent;
DWORD LockCount;                // __int64 in the first listing
QWORD CreateTime;
QWORD ExitTime;
PVOID LockOwner;
DWORD UniqueProcessId;
QWORD ActiveProcessLinks;       // 8 bytes: the LIST_ENTRY of the first listing
DWORD QuotaPeakPoolUsage [2]; // NP, P
DWORD QuotaPoolUsage [2]; // NP, P
DWORD PagefileUsage;
DWORD CommitCharge;
DWORD PeakPagefileUsage;
DWORD PeakVirtualSize;
QWORD VirtualSize;              // 8 bytes here; UINT at 0xc8 in the first listing
DWORD Vm [12];                  // 48 bytes; the first listing has Vm + UNKNOW[0x48] here
DWORD LastProtoPteFault;        // not present in the first listing
DWORD DebugPort;
DWORD ExceptionPort;
DWORD ObjectTable;              // handle table (POBJTBL in the first listing)
DWORD Token;                    // access token - security-critical kernel state
DWORD WorkingSetLock [8];
DWORD WorkingSetPage;
BOOLEAN ProcessOutswapEnabled;
BOOLEAN ProcessOutswapped;
BOOLEAN AddressSpaceInitialized;
BOOLEAN AddressSpaceDeleted;
DWORD AddressCreationLock [9];  // 0x24 bytes, matches 0x158-0x17c in the first listing
DWORD ForkInProgress;
DWORD VmOperation;
DWORD VmOperationEvent;
DWORD PageDirectoryPte;         // placed much later (0x1f0) in the first listing
QWORD LastFaultCount;           // 8 bytes here; UINT in the first listing
PVOID VadRoot;
DWORD VadHint;
DWORD CloneRoot;
DWORD NumberOfPrivatePages;
DWORD NumberOfLockedPages;
WORD w184;                      // name suggests 0x184, but by position this is the 0x1a8-0x1aa gap of the first listing
BOOLEAN ExitProcessCalled;
BOOLEAN CreateProcessReported;
HANDLE SectionHandle;
struct _PEB *Peb; // offset 0x1B0
PVOID SectionBaseAddress;
PVOID QuotaBlock;
NTSTATUS LastThreadExitStatus;
PROCESS_WS_WATCH_INFORMATION WorkingSetWatch;
DWORD InheritedFromUniqueProcessId;
ACCESS_MASK GrantedAccess;
DWORD DefaultHardErrorProcessing;
DWORD LdtInformation;
DWORD VadFreeHint;
DWORD VdmObjects;
KMUTANT ProcessMutant;          // not present in the first listing
BYTE ImageFileName [16]; // offset 0x1FC
DWORD VmTrimFaultValue [2];     // 8 bytes; __int64 at 0x20c in the first listing
PVOID Win32Process;
DWORD d1F8;                     // name/position mismatch - see header comment
DWORD d1FC;
}
EPROCESS,
* PEPROCESS,
**PPEPROCESS;
