各系统 EPROCESS 结构

最新推荐文章于 2023-05-08 09:53:07 发布

trents

最新推荐文章于 2023-05-08 09:53:07 发布

阅读量4.7k

点赞数

分类专栏：驱动文章标签： integer null list struct descriptor c

驱动专栏收录该内容

30 篇文章 0 订阅

订阅专栏

2000操作系统
nt!_EPROCESS
+0x000 Pcb             : _KPROCESS
+0x06c ExitStatus    : 259
+0x070 LockEvent       : _KEVENT
+0x080 LockCount       : 1
+0x088 CreateTime    : _LARGE_INTEGER 0x1c87e74`e265cc4c
+0x090 ExitTime       : _LARGE_INTEGER 0x0
+0x098 LockOwner       : (null)
+0x09c UniqueProcessId  : 0x000001c8
+0x0a0 ActiveProcessLinks : _LIST_ENTRY [ 0x8046dcb0 - 0x81672a60 ]
+0x0a8 QuotaPeakPoolUsage : [2] 0x824
+0x0b0 QuotaPoolUsage : [2] 0x684
+0x0b8 PagefileUsage : 0x39
+0x0bc CommitCharge    : 0x39
+0x0c0 PeakPagefileUsage : 0x39
+0x0c4 PeakVirtualSize  : 0x8f0000
+0x0c8 VirtualSize    : 0x8f0000
+0x0d0 Vm             : _MMSUPPORT
+0x118 SessionProcessLinks : _LIST_ENTRY [ 0x0 - 0x0 ]
+0x120 DebugPort       : (null)
+0x124 ExceptionPort : 0xe19c2b20
+0x128 ObjectTable    : 0x8166ef48 _HANDLE_TABLE
+0x12c Token          : 0xe1b61250
+0x130 WorkingSetLock : _FAST_MUTEX
+0x150 WorkingSetPage : 0x4886
+0x154 ProcessOutswapEnabled : 0 ''
+0x155 ProcessOutswapped : 0 ''
+0x156 AddressSpaceInitialized : 0x2 ''
+0x157 AddressSpaceDeleted : 0 ''
+0x158 AddressCreationLock : _FAST_MUTEX
+0x178 HyperSpaceLock : 0
+0x17c ForkInProgress : (null)
+0x180 VmOperation    : 0
+0x182 ForkWasSuccessful : 0 ''
+0x183 MmAgressiveWsTrimMask : 0 ''
+0x184 VmOperationEvent : (null)
+0x188 PaeTop          : (null)
+0x18c LastFaultCount : 0
+0x190 ModifiedPageCount : 0
+0x194 VadRoot       : 0x8166f928
+0x198 VadHint       : 0x8166c788
+0x19c CloneRoot       : (null)
+0x1a0 NumberOfPrivatePages : 0x31
+0x1a4 NumberOfLockedPages : 0
+0x1a8 NextPageColor : 0x20c4
+0x1aa ExitProcessCalled : 0 ''
+0x1ab CreateProcessReported : 0 ''
+0x1ac SectionHandle : 0x00000004
+0x1b0 Peb             : 0x7ffdf000 _PEB
+0x1b4 SectionBaseAddress : 0x01000000
+0x1b8 QuotaBlock    : 0x8046dd00 _EPROCESS_QUOTA_BLOCK
+0x1bc LastThreadExitStatus : 0
+0x1c0 WorkingSetWatch  : (null)
+0x1c4 Win32WindowStation : 0x00000040
+0x1c8 InheritedFromUniqueProcessId : 0x000000d4
+0x1cc GrantedAccess : 0x1f0fff
+0x1d0 DefaultHardErrorProcessing : 0
+0x1d4 LdtInformation : (null)
+0x1d8 VadFreeHint    : 0x8166c768
+0x1dc VdmObjects    : (null)
+0x1e0 DeviceMap       : 0x8187dee8
+0x1e4 SessionId       : 0
+0x1e8 PhysicalVadList  : _LIST_ENTRY [ 0x8167db08 - 0x8167db08 ]
+0x1f0 PageDirectoryPte : _HARDWARE_PTE_X86
+0x1f0 Filler          : 0
+0x1f8 PaePageDirectoryPage : 0
+0x1fc ImageFileName : [16]  "svchost.exe"
+0x20c VmTrimFaultValue : 0
+0x210 SetTimerResolution : 0 ''
+0x211 PriorityClass : 0x2 ''
+0x212 SubSystemMinorVersion : 0 ''
+0x213 SubSystemMajorVersion : 0x4 ''
+0x212 SubSystemVersion : 0x400
+0x214 Win32Process    : 0xe1b64508
+0x218 Job             : (null)
+0x21c JobStatus       : 0
+0x220 JobLinks       : _LIST_ENTRY [ 0x0 - 0x0 ]
+0x228 LockedPagesList  : (null)
+0x22c SecurityPort    : (null)
+0x230 Wow64Process    : (null)
+0x238 ReadOperationCount : _LARGE_INTEGER 0x2
+0x240 WriteOperationCount : _LARGE_INTEGER 0x2
+0x248 OtherOperationCount : _LARGE_INTEGER 0x39
+0x250 ReadTransferCount : _LARGE_INTEGER 0x30
+0x258 WriteTransferCount : _LARGE_INTEGER 0xc
+0x260 OtherTransferCount : _LARGE_INTEGER 0x920
+0x268 CommitChargeLimit : 0
+0x26c CommitChargePeak : 0x39
+0x270 ThreadListHead : _LIST_ENTRY [ 0x8166dfe0 - 0x8166be80 ]
+0x278 VadPhysicalPagesBitMap : (null)
+0x27c VadPhysicalPages : 0
+0x280 AweLock       : 0
+0x284 pImageFileName : 0x8167c818 _UNICODE_STRING "\WINNT\system32\svchost.exe"
kd> dt nt!_KPROCESS 8167d920
+0x000 Header          : _DISPATCHER_HEADER
+0x010 ProfileListHead  : _LIST_ENTRY [ 0x8167d930 - 0x8167d930 ]
+0x018 DirectoryTableBase : [2] 0x47c4000
+0x020 LdtDescriptor : _KGDTENTRY
+0x028 Int21Descriptor  : _KIDTENTRY
+0x030 IopmOffset    : 0x20ac
+0x032 Iopl          : 0 ''
+0x033 VdmFlag       : 0 ''
+0x034 ActiveProcessors : 0
+0x038 KernelTime    : 0
+0x03c UserTime       : 1
+0x040 ReadyListHead : _LIST_ENTRY [ 0x8167d960 - 0x8167d960 ]
+0x048 SwapListEntry : _LIST_ENTRY [ 0x0 - 0x0 ]
+0x050 ThreadListHead : _LIST_ENTRY [ 0x8166df44 - 0x8166bde4 ]
+0x058 ProcessLock    : 0
+0x05c Affinity       : 1
+0x060 StackCount    : 2
+0x062 BasePriority    : 8 ''
+0x063 ThreadQuantum : 6 ''
+0x064 AutoAlignment : 0 ''
+0x065 State          : 0 ''
+0x066 ThreadSeed    : 0x62 'b'
+0x067 DisableBoost    : 0 ''
+0x068 PowerState    : 0 ''
+0x069 DisableQuantum : 0 ''

+0x06a Spare : [2] ""

XP操作系统
nt!_EPROCESS
+0x000 Pcb             : _KPROCESS
+0x06c ProcessLock    : _EX_PUSH_LOCK
+0x070 CreateTime    : _LARGE_INTEGER 0x1c87e9b`afdd9828
+0x078 ExitTime       : _LARGE_INTEGER 0x0
+0x080 RundownProtect : _EX_RUNDOWN_REF
+0x084 UniqueProcessId  : 0x000005bc
+0x088 ActiveProcessLinks : _LIST_ENTRY [ 0x8149c6f8 - 0x814a86c0 ]
+0x090 QuotaUsage    : [3] 0x1e28
+0x09c QuotaPeak       : [3] 0x1ef0
+0x0a8 CommitCharge    : 0x793
+0x0ac PeakVirtualSize  : 0x3b37000
+0x0b0 VirtualSize    : 0x3a37000
+0x0b4 SessionProcessLinks : _LIST_ENTRY [ 0x8149c724 - 0x814a86ec ]
+0x0bc DebugPort       : (null)
+0x0c0 ExceptionPort : 0xe13c5bb8
+0x0c4 ObjectTable    : 0xe1708f10 _HANDLE_TABLE
+0x0c8 Token          : _EX_FAST_REF
+0x0cc WorkingSetLock : _FAST_MUTEX
+0x0ec WorkingSetPage : 0x9ceb
+0x0f0 AddressCreationLock : _FAST_MUTEX
+0x110 HyperSpaceLock : 0
+0x114 ForkInProgress : (null)
+0x118 HardwareTrigger  : 0
+0x11c VadRoot       : 0x81595c90
+0x120 VadHint       : 0x814968a0
+0x124 CloneRoot       : (null)
+0x128 NumberOfPrivatePages : 0x53c
+0x12c NumberOfLockedPages : 0
+0x130 Win32Process    : 0xe1844e68
+0x134 Job             : (null)
+0x138 SectionObject : 0xe18947e0
+0x13c SectionBaseAddress : 0x01000000
+0x140 QuotaBlock    : 0x814b0b90 _EPROCESS_QUOTA_BLOCK
+0x144 WorkingSetWatch  : (null)
+0x148 Win32WindowStation : 0x00000030
+0x14c InheritedFromUniqueProcessId : 0x000005ac
+0x150 LdtInformation : (null)
+0x154 VadFreeHint    : (null)
+0x158 VdmObjects    : (null)
+0x15c DeviceMap       : 0xe18de910
+0x160 PhysicalVadList  : _LIST_ENTRY [ 0x815a3f00 - 0x815a3f00 ]
+0x168 PageDirectoryPte : _HARDWARE_PTE
+0x168 Filler          : 0
+0x170 Session       : 0xf9eb8000
+0x174 ImageFileName : [16]  "explorer.exe"
+0x184 JobLinks       : _LIST_ENTRY [ 0x0 - 0x0 ]
+0x18c LockedPagesList  : (null)
+0x190 ThreadListHead : _LIST_ENTRY [ 0x815a2fd4 - 0x815ad58c ]
+0x198 SecurityPort    : (null)
+0x19c PaeTop          : 0xf9fc91a0
+0x1a0 ActiveThreads : 0xc
+0x1a4 GrantedAccess : 0x1f0fff
+0x1a8 DefaultHardErrorProcessing : 0
+0x1ac LastThreadExitStatus : 0
+0x1b0 Peb             : 0x7ffdb000 _PEB
+0x1b4 PrefetchTrace : _EX_FAST_REF
+0x1b8 ReadOperationCount : _LARGE_INTEGER 0xd0
+0x1c0 WriteOperationCount : _LARGE_INTEGER 0x5
+0x1c8 OtherOperationCount : _LARGE_INTEGER 0x6d1
+0x1d0 ReadTransferCount : _LARGE_INTEGER 0x31b8bb
+0x1d8 WriteTransferCount : _LARGE_INTEGER 0x184
+0x1e0 OtherTransferCount : _LARGE_INTEGER 0x7757
+0x1e8 CommitChargeLimit : 0
+0x1ec CommitChargePeak : 0x7b7
+0x1f0 AweInfo       : (null)
+0x1f4 SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO
+0x1f8 Vm             : _MMSUPPORT
+0x238 LastFaultCount : 0
+0x23c ModifiedPageCount : 0x26
+0x240 NumberOfVads    : 0xa5
+0x244 JobStatus       : 0
+0x248 Flags          : 0xd0800
+0x248 CreateReported : 0y0
+0x248 NoDebugInherit : 0y0
+0x248 ProcessExiting : 0y0
+0x248 ProcessDelete : 0y0
+0x248 Wow64SplitPages  : 0y0
+0x248 VmDeleted       : 0y0
+0x248 OutswapEnabled : 0y0
+0x248 Outswapped    : 0y0
+0x248 ForkFailed    : 0y0
+0x248 HasPhysicalVad : 0y0
+0x248 AddressSpaceInitialized : 0y10
+0x248 SetTimerResolution : 0y0
+0x248 BreakOnTermination : 0y0
+0x248 SessionCreationUnderway : 0y0
+0x248 WriteWatch    : 0y0
+0x248 ProcessInSession : 0y1
+0x248 OverrideAddressSpace : 0y0
+0x248 HasAddressSpace  : 0y1
+0x248 LaunchPrefetched : 0y1
+0x248 InjectInpageErrors : 0y0
+0x248 VmTopDown       : 0y0
+0x248 Unused3       : 0y0
+0x248 Unused4       : 0y0
+0x248 VdmAllowed    : 0y0
+0x248 Unused          : 0y00000 (0)
+0x248 Unused1       : 0y0
+0x248 Unused2       : 0y0
+0x24c ExitStatus    : 259
+0x250 NextPageColor : 0x3eca
+0x252 SubSystemMinorVersion : 0xa ''
+0x253 SubSystemMajorVersion : 0x4 ''
+0x252 SubSystemVersion : 0x40a
+0x254 PriorityClass : 0x2 ''
+0x255 WorkingSetAcquiredUnsafe : 0 ''
+0x258 Cookie          : 0xae152c49
kd> dt nt!_KPROCESS 815a3da0
+0x000 Header          : _DISPATCHER_HEADER
+0x010 ProfileListHead  : _LIST_ENTRY [ 0x815a3db0 - 0x815a3db0 ]
+0x018 DirectoryTableBase : [2] 0x62001a0
+0x020 LdtDescriptor : _KGDTENTRY
+0x028 Int21Descriptor  : _KIDTENTRY
+0x030 IopmOffset    : 0x20ac
+0x032 Iopl          : 0 ''
+0x033 Unused          : 0 ''
+0x034 ActiveProcessors : 0
+0x038 KernelTime    : 0x2e
+0x03c UserTime       : 3
+0x040 ReadyListHead : _LIST_ENTRY [ 0x815a3de0 - 0x815a3de0 ]
+0x048 SwapListEntry : _SINGLE_LIST_ENTRY
+0x04c VdmTrapcHandler  : (null)
+0x050 ThreadListHead : _LIST_ENTRY [ 0x815a2f58 - 0x815ad510 ]
+0x058 ProcessLock    : 0
+0x05c Affinity       : 1
+0x060 StackCount    : 0xc
+0x062 BasePriority    : 8 ''
+0x063 ThreadQuantum : 18 ''
+0x064 AutoAlignment : 0 ''
+0x065 State          : 0 ''
+0x066 ThreadSeed    : 0 ''
+0x067 DisableBoost    : 0 ''
+0x068 PowerState    : 0 ''
+0x069 DisableQuantum : 0 ''
+0x06a IdealNode       : 0 ''
+0x06b Flags          : _KEXECUTE_OPTIONS
+0x06b ExecuteOptions : 0 ''

2003 sp0
nt!_EPROCESS
+0x000 Pcb             : _KPROCESS
+0x06c ProcessLock    : _EX_PUSH_LOCK
+0x070 CreateTime    : _LARGE_INTEGER 0x1c87ebc`04c7e13e
+0x078 ExitTime       : _LARGE_INTEGER 0x0
+0x080 RundownProtect : _EX_RUNDOWN_REF
+0x084 UniqueProcessId  : 0x00000100
+0x088 ActiveProcessLinks : _LIST_ENTRY [ 0x80570de8 - 0x82094e10 ]
+0x090 QuotaUsage    : [3] 0xef0
+0x09c QuotaPeak       : [3] 0xfb8
+0x0a8 CommitCharge    : 0x19f
+0x0ac PeakVirtualSize  : 0x1836000
+0x0b0 VirtualSize    : 0x17ae000
+0x0b4 SessionProcessLinks : _LIST_ENTRY [ 0xf799b010 - 0x82094e3c ]
+0x0bc DebugPort       : (null)
+0x0c0 ExceptionPort : 0xe1342030
+0x0c4 ObjectTable    : 0xe19275e0 _HANDLE_TABLE
+0x0c8 Token          : _EX_FAST_REF
+0x0cc WorkingSetPage : 0x2b89
+0x0d0 AddressCreationLock : _KGUARDED_MUTEX
+0x0f0 HyperSpaceLock : 0
+0x0f4 ForkInProgress : (null)
+0x0f8 HardwareTrigger  : 0
+0x0fc PhysicalVadRoot  : (null)
+0x100 CloneRoot       : (null)
+0x104 NumberOfPrivatePages : 0x120
+0x108 NumberOfLockedPages : 0
+0x10c Win32Process    : 0xe1937008
+0x110 Job             : 0x82328030 _EJOB
+0x114 SectionObject : 0xe170d030
+0x118 SectionBaseAddress : 0x01000000
+0x11c QuotaBlock    : 0x80570ea0 _EPROCESS_QUOTA_BLOCK
+0x120 WorkingSetWatch  : (null)
+0x124 Win32WindowStation : 0x0000002c
+0x128 InheritedFromUniqueProcessId : 0x00000298
+0x12c LdtInformation : (null)
+0x130 VadFreeHint    : (null)
+0x134 VdmObjects    : (null)
+0x138 DeviceMap       : 0xe1001138
+0x13c Spare0          : [3] (null)
+0x148 PageDirectoryPte : _HARDWARE_PTE
+0x148 Filler          : 0
+0x150 Session       : 0xf799b000
+0x154 ImageFileName : [16]  "wmiprvse.exe"
+0x164 JobLinks       : _LIST_ENTRY [ 0x82328048 - 0x82328048 ]
+0x16c LockedPagesList  : (null)
+0x170 ThreadListHead : _LIST_ENTRY [ 0x823edae4 - 0x8246cfd4 ]
+0x178 SecurityPort    : (null)
+0x17c PaeTop          : (null)
+0x180 ActiveThreads : 7
+0x184 GrantedAccess : 0x1f0fff
+0x188 DefaultHardErrorProcessing : 0
+0x18c LastThreadExitStatus : 0
+0x190 Peb             : 0x7ffdf000 _PEB
+0x194 PrefetchTrace : _EX_FAST_REF
+0x198 ReadOperationCount : _LARGE_INTEGER 0x14d
+0x1a0 WriteOperationCount : _LARGE_INTEGER 0x14e
+0x1a8 OtherOperationCount : _LARGE_INTEGER 0x1da
+0x1b0 ReadTransferCount : _LARGE_INTEGER 0x7230
+0x1b8 WriteTransferCount : _LARGE_INTEGER 0x5a9f
+0x1c0 OtherTransferCount : _LARGE_INTEGER 0x3e54
+0x1c8 CommitChargeLimit : 0x8000
+0x1cc CommitChargePeak : 0x220
+0x1d0 AweInfo       : (null)
+0x1d4 SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO
+0x1d8 Vm             : _MMSUPPORT
+0x238 MmProcessLinks : _LIST_ENTRY [ 0x8056abc8 - 0x82094fc0 ]
+0x240 ModifiedPageCount : 0
+0x244 JobStatus       : 0x10
+0x248 Flags          : 0x450801
+0x248 CreateReported : 0y1
+0x248 NoDebugInherit : 0y0
+0x248 ProcessExiting : 0y0
+0x248 ProcessDelete : 0y0
+0x248 Wow64SplitPages  : 0y0
+0x248 VmDeleted       : 0y0
+0x248 OutswapEnabled : 0y0
+0x248 Outswapped    : 0y0
+0x248 ForkFailed    : 0y0
+0x248 Wow64VaSpace4Gb  : 0y0
+0x248 AddressSpaceInitialized : 0y10
+0x248 SetTimerResolution : 0y0
+0x248 BreakOnTermination : 0y0
+0x248 SessionCreationUnderway : 0y0
+0x248 WriteWatch    : 0y0
+0x248 ProcessInSession : 0y1
+0x248 OverrideAddressSpace : 0y0
+0x248 HasAddressSpace  : 0y1
+0x248 LaunchPrefetched : 0y0
+0x248 InjectInpageErrors : 0y0
+0x248 VmTopDown       : 0y0
+0x248 ImageNotifyDone  : 0y1
+0x248 PdeUpdateNeeded  : 0y0
+0x248 VdmAllowed    : 0y0
+0x248 Unused          : 0y0000000 (0)
+0x24c ExitStatus    : 259
+0x250 NextPageColor : 0xfc2a
+0x252 SubSystemMinorVersion : 0 ''
+0x253 SubSystemMajorVersion : 0x4 ''
+0x252 SubSystemVersion : 0x400
+0x254 PriorityClass : 0x2 ''
+0x258 VadRoot       : _MM_AVL_TABLE
kd> dt nt!_KPROCESS 824da270
+0x000 Header          : _DISPATCHER_HEADER
+0x010 ProfileListHead  : _LIST_ENTRY [ 0x824da280 - 0x824da280 ]
+0x018 DirectoryTableBase : [2] 0x46000
+0x020 LdtDescriptor : _KGDTENTRY
+0x028 Int21Descriptor  : _KIDTENTRY
+0x030 IopmOffset    : 0x20ac
+0x032 Iopl          : 0 ''
+0x033 Unused          : 0 ''
+0x034 ActiveProcessors : 0
+0x038 KernelTime    : 0x10
+0x03c UserTime       : 0
+0x040 ReadyListHead : _LIST_ENTRY [ 0x824da2b0 - 0x824da2b0 ]
+0x048 SwapListEntry : _SINGLE_LIST_ENTRY
+0x04c VdmTrapcHandler  : (null)
+0x050 ThreadListHead : _LIST_ENTRY [ 0x823eda5c - 0x8246cf4c ]
+0x058 ProcessLock    : 0
+0x05c Affinity       : 1
+0x060 StackCount    : 7
+0x062 BasePriority    : 8 ''
+0x063 ThreadQuantum : 36 '$'
+0x064 AutoAlignment : 0 ''
+0x065 State          : 0 ''
+0x066 ThreadSeed    : 0 ''
+0x067 DisableBoost    : 0 ''
+0x068 PowerState    : 0 ''
+0x069 DisableQuantum : 0 ''
+0x06a IdealNode       : 0 ''
+0x06b Spare          : 0 ''

2003 sp1
nt!_EPROCESS
+0x000 Pcb             : _KPROCESS
+0x078 ProcessLock    : _EX_PUSH_LOCK
+0x080 CreateTime    : _LARGE_INTEGER 0x1c87ebe`2c3522e8
+0x088 ExitTime       : _LARGE_INTEGER 0x0
+0x090 RundownProtect : _EX_RUNDOWN_REF
+0x094 UniqueProcessId  : 0x000001cc
+0x098 ActiveProcessLinks : _LIST_ENTRY [ 0x82370e20 - 0x81f6fde0 ]
+0x0a0 QuotaUsage    : [3] 0x1ca0
+0x0ac QuotaPeak       : [3] 0x1e30
+0x0b8 CommitCharge    : 0x684
+0x0bc PeakVirtualSize  : 0x3ce8000
+0x0c0 VirtualSize    : 0x3ca0000
+0x0c4 SessionProcessLinks : _LIST_ENTRY [ 0x82370e4c - 0x81f6fe0c ]
+0x0cc DebugPort       : (null)
+0x0d0 ExceptionPort : 0xe1439470
+0x0d4 ObjectTable    : 0xe1529d38 _HANDLE_TABLE
+0x0d8 Token          : _EX_FAST_REF
+0x0dc WorkingSetPage : 0x3877
+0x0e0 AddressCreationLock : _KGUARDED_MUTEX
+0x100 HyperSpaceLock : 0
+0x104 ForkInProgress : (null)
+0x108 HardwareTrigger  : 0
+0x10c PhysicalVadRoot  : (null)
+0x110 CloneRoot       : (null)
+0x114 NumberOfPrivatePages : 0x466
+0x118 NumberOfLockedPages : 0
+0x11c Win32Process    : 0xe18dbcc8
+0x120 Job             : (null)
+0x124 SectionObject : 0xe1720ba0
+0x128 SectionBaseAddress : 0x01000000
+0x12c QuotaBlock    : 0x82438cc8 _EPROCESS_QUOTA_BLOCK
+0x130 WorkingSetWatch  : (null)
+0x134 Win32WindowStation : 0x00000034
+0x138 InheritedFromUniqueProcessId : 0x000001b0
+0x13c LdtInformation : (null)
+0x140 VadFreeHint    : (null)
+0x144 VdmObjects    : (null)
+0x148 DeviceMap       : 0xe1766a58
+0x14c Spare0          : [3] (null)
+0x158 PageDirectoryPte : _HARDWARE_PTE
+0x158 Filler          : 0
+0x160 Session       : 0xf79bd000
+0x164 ImageFileName : [16]  "explorer.exe"
+0x174 JobLinks       : _LIST_ENTRY [ 0x0 - 0x0 ]
+0x17c LockedPagesList  : (null)
+0x180 ThreadListHead : _LIST_ENTRY [ 0x81f44fd4 - 0x81f1952c ]
+0x188 SecurityPort    : (null)
+0x18c PaeTop          : 0xf7aa1240
+0x190 ActiveThreads : 0xa
+0x194 GrantedAccess : 0x1f0fff
+0x198 DefaultHardErrorProcessing : 0
+0x19c LastThreadExitStatus : 0
+0x1a0 Peb             : 0x7ffdc000 _PEB
+0x1a4 PrefetchTrace : _EX_FAST_REF
+0x1a8 ReadOperationCount : _LARGE_INTEGER 0xc7
+0x1b0 WriteOperationCount : _LARGE_INTEGER 0x8
+0x1b8 OtherOperationCount : _LARGE_INTEGER 0x8f2
+0x1c0 ReadTransferCount : _LARGE_INTEGER 0x29dc8a
+0x1c8 WriteTransferCount : _LARGE_INTEGER 0x338
+0x1d0 OtherTransferCount : _LARGE_INTEGER 0x12011
+0x1d8 CommitChargeLimit : 0
+0x1dc CommitChargePeak : 0x695
+0x1e0 AweInfo       : (null)
+0x1e4 SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO
+0x1e8 Vm             : _MMSUPPORT
+0x230 MmProcessLinks : _LIST_ENTRY [ 0x82370fb8 - 0x81f6ff78 ]
+0x238 ModifiedPageCount : 0x58
+0x23c JobStatus       : 0
+0x240 Flags          : 0x450801
+0x240 CreateReported : 0y1
+0x240 NoDebugInherit : 0y0
+0x240 ProcessExiting : 0y0
+0x240 ProcessDelete : 0y0
+0x240 Wow64SplitPages  : 0y0
+0x240 VmDeleted       : 0y0
+0x240 OutswapEnabled : 0y0
+0x240 Outswapped    : 0y0
+0x240 ForkFailed    : 0y0
+0x240 Wow64VaSpace4Gb  : 0y0
+0x240 AddressSpaceInitialized : 0y10
+0x240 SetTimerResolution : 0y0
+0x240 BreakOnTermination : 0y0
+0x240 SessionCreationUnderway : 0y0
+0x240 WriteWatch    : 0y0
+0x240 ProcessInSession : 0y1
+0x240 OverrideAddressSpace : 0y0
+0x240 HasAddressSpace  : 0y1
+0x240 LaunchPrefetched : 0y0
+0x240 InjectInpageErrors : 0y0
+0x240 VmTopDown       : 0y0
+0x240 ImageNotifyDone  : 0y1
+0x240 PdeUpdateNeeded  : 0y0
+0x240 VdmAllowed    : 0y0
+0x240 SmapAllowed    : 0y0
+0x240 CreateFailed    : 0y0
+0x240 DefaultIoPriority : 0y000
+0x240 Spare1          : 0y0
+0x240 Spare2          : 0y0
+0x244 ExitStatus    : 259
+0x248 NextPageColor : 0x57a1
+0x24a SubSystemMinorVersion : 0xa ''
+0x24b SubSystemMajorVersion : 0x4 ''
+0x24a SubSystemVersion : 0x40a
+0x24c PriorityClass : 0x2 ''
+0x250 VadRoot       : _MM_AVL_TABLE
+0x270 Cookie          : 0x2dfee548
kd> dt nt!_KPROCESS 81f43d88
+0x000 Header          : _DISPATCHER_HEADER
+0x010 ProfileListHead  : _LIST_ENTRY [ 0x81f43d98 - 0x81f43d98 ]
+0x018 DirectoryTableBase : [2] 0x14b04240
+0x020 LdtDescriptor : _KGDTENTRY
+0x028 Int21Descriptor  : _KIDTENTRY
+0x030 IopmOffset    : 0x20ac
+0x032 Iopl          : 0 ''
+0x033 Unused          : 0 ''
+0x034 ActiveProcessors : 0
+0x038 KernelTime    : 7
+0x03c UserTime       : 0
+0x040 ReadyListHead : _LIST_ENTRY [ 0x81f43dc8 - 0x81f43dc8 ]
+0x048 SwapListEntry : _SINGLE_LIST_ENTRY
+0x04c VdmTrapcHandler  : (null)
+0x050 ThreadListHead : _LIST_ENTRY [ 0x81f44f58 - 0x81f194b0 ]
+0x058 ProcessLock    : 0
+0x05c Affinity       : 1
+0x060 AutoAlignment : 0y0
+0x060 DisableBoost    : 0y0
+0x060 DisableQuantum : 0y0
+0x060 ReservedFlags : 0y00000000000000000000000000000 (0)
+0x060 ProcessFlags    : 0
+0x064 BasePriority    : 8 ''
+0x065 QuantumReset    : 36 '$'
+0x066 State          : 0 ''
+0x067 ThreadSeed    : 0 ''
+0x068 PowerState    : 0 ''
+0x069 IdealNode       : 0 ''
+0x06a Visited       : 0 ''
+0x06b Flags          : _KEXECUTE_OPTIONS
+0x06b ExecuteOptions : 0 ''
+0x06c StackCount    : 0xa
+0x070 ProcessListEntry : _LIST_ENTRY [ 0x0 - 0x0 ]

2003 sp2
nt!_EPROCESS
+0x000 Pcb             : _KPROCESS
+0x078 ProcessLock    : _EX_PUSH_LOCK
+0x080 CreateTime    : _LARGE_INTEGER 0x1c87ebf`670a897a
+0x088 ExitTime       : _LARGE_INTEGER 0x0
+0x090 RundownProtect : _EX_RUNDOWN_REF
+0x094 UniqueProcessId  : 0x00000618
+0x098 ActiveProcessLinks : _LIST_ENTRY [ 0x8256f680 - 0x824a16d8 ]
+0x0a0 QuotaUsage    : [3] 0x1ca0
+0x0ac QuotaPeak       : [3] 0x1e68
+0x0b8 CommitCharge    : 0x69d
+0x0bc PeakVirtualSize  : 0x3cd8000
+0x0c0 VirtualSize    : 0x3c91000
+0x0c4 SessionProcessLinks : _LIST_ENTRY [ 0x8256f6ac - 0x824a1704 ]
+0x0cc DebugPort       : (null)
+0x0d0 ExceptionPort : 0xe14544a8
+0x0d4 ObjectTable    : 0xe1898bf8 _HANDLE_TABLE
+0x0d8 Token          : _EX_FAST_REF
+0x0dc WorkingSetPage : 0x5df
+0x0e0 AddressCreationLock : _KGUARDED_MUTEX
+0x100 HyperSpaceLock : 0
+0x104 ForkInProgress : (null)
+0x108 HardwareTrigger  : 0
+0x10c PhysicalVadRoot  : (null)
+0x110 CloneRoot       : (null)
+0x114 NumberOfPrivatePages : 0x472
+0x118 NumberOfLockedPages : 0
+0x11c Win32Process    : 0xe18aa2d8
+0x120 Job             : (null)
+0x124 SectionObject : 0xe188d6e8
+0x128 SectionBaseAddress : 0x01000000
+0x12c QuotaBlock    : 0x827eece8 _EPROCESS_QUOTA_BLOCK
+0x130 WorkingSetWatch  : (null)
+0x134 Win32WindowStation : 0x0000004c
+0x138 InheritedFromUniqueProcessId : 0x00000608
+0x13c LdtInformation : (null)
+0x140 VadFreeHint    : (null)
+0x144 VdmObjects    : (null)
+0x148 DeviceMap       : 0xe151d140
+0x14c Spare0          : [3] (null)
+0x158 PageDirectoryPte : _HARDWARE_PTE
+0x158 Filler          : 0
+0x160 Session       : 0xf79a5000
+0x164 ImageFileName : [16]  "explorer.exe"
+0x174 JobLinks       : _LIST_ENTRY [ 0x0 - 0x0 ]
+0x17c LockedPagesList  : (null)
+0x180 ThreadListHead : _LIST_ENTRY [ 0x824524f4 - 0x8262cfd4 ]
+0x188 SecurityPort    : (null)
+0x18c PaeTop          : 0xf7aae240
+0x190 ActiveThreads : 0xb
+0x194 GrantedAccess : 0x1f0fff
+0x198 DefaultHardErrorProcessing : 0
+0x19c LastThreadExitStatus : 0
+0x1a0 Peb             : 0x7ffdf000 _PEB
+0x1a4 PrefetchTrace : _EX_FAST_REF
+0x1a8 ReadOperationCount : _LARGE_INTEGER 0x10c
+0x1b0 WriteOperationCount : _LARGE_INTEGER 0x7
+0x1b8 OtherOperationCount : _LARGE_INTEGER 0x96a
+0x1c0 ReadTransferCount : _LARGE_INTEGER 0x2afac0
+0x1c8 WriteTransferCount : _LARGE_INTEGER 0x2c4
+0x1d0 OtherTransferCount : _LARGE_INTEGER 0xcc41
+0x1d8 CommitChargeLimit : 0
+0x1dc CommitChargePeak : 0x6ad
+0x1e0 AweInfo       : (null)
+0x1e4 SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO
+0x1e8 Vm             : _MMSUPPORT
+0x230 MmProcessLinks : _LIST_ENTRY [ 0x8256f818 - 0x824a1870 ]
+0x238 ModifiedPageCount : 0x3a
+0x23c JobStatus       : 0
+0x240 Flags          : 0x450801
+0x240 CreateReported : 0y1
+0x240 NoDebugInherit : 0y0
+0x240 ProcessExiting : 0y0
+0x240 ProcessDelete : 0y0
+0x240 Wow64SplitPages  : 0y0
+0x240 VmDeleted       : 0y0
+0x240 OutswapEnabled : 0y0
+0x240 Outswapped    : 0y0
+0x240 ForkFailed    : 0y0
+0x240 Wow64VaSpace4Gb  : 0y0
+0x240 AddressSpaceInitialized : 0y10
+0x240 SetTimerResolution : 0y0
+0x240 BreakOnTermination : 0y0
+0x240 SessionCreationUnderway : 0y0
+0x240 WriteWatch    : 0y0
+0x240 ProcessInSession : 0y1
+0x240 OverrideAddressSpace : 0y0
+0x240 HasAddressSpace  : 0y1
+0x240 LaunchPrefetched : 0y0
+0x240 InjectInpageErrors : 0y0
+0x240 VmTopDown       : 0y0
+0x240 ImageNotifyDone  : 0y1
+0x240 PdeUpdateNeeded  : 0y0
+0x240 VdmAllowed    : 0y0
+0x240 SmapAllowed    : 0y0
+0x240 CreateFailed    : 0y0
+0x240 DefaultIoPriority : 0y000
+0x240 Spare1          : 0y0
+0x240 Spare2          : 0y0
+0x244 ExitStatus    : 259
+0x248 NextPageColor : 0xf1e2
+0x24a SubSystemMinorVersion : 0xa ''
+0x24b SubSystemMajorVersion : 0x4 ''
+0x24a SubSystemVersion : 0x40a
+0x24c PriorityClass : 0x2 ''
+0x250 VadRoot       : _MM_AVL_TABLE
+0x270 Cookie          : 0x66c14914
kd> dt nt!_KPROCESS 82479a78
+0x000 Header          : _DISPATCHER_HEADER
+0x010 ProfileListHead  : _LIST_ENTRY [ 0x82479a88 - 0x82479a88 ]
+0x018 DirectoryTableBase : [2] 0xfe96240
+0x020 LdtDescriptor : _KGDTENTRY
+0x028 Int21Descriptor  : _KIDTENTRY
+0x030 IopmOffset    : 0x20ac
+0x032 Iopl          : 0 ''
+0x033 Unused          : 0 ''
+0x034 ActiveProcessors : 0
+0x038 KernelTime    : 4
+0x03c UserTime       : 0
+0x040 ReadyListHead : _LIST_ENTRY [ 0x82479ab8 - 0x82479ab8 ]
+0x048 SwapListEntry : _SINGLE_LIST_ENTRY
+0x04c VdmTrapcHandler  : (null)
+0x050 ThreadListHead : _LIST_ENTRY [ 0x82452478 - 0x8262cf58 ]
+0x058 ProcessLock    : 0
+0x05c Affinity       : 1
+0x060 AutoAlignment : 0y0
+0x060 DisableBoost    : 0y0
+0x060 DisableQuantum : 0y0
+0x060 ReservedFlags : 0y00000000000000000000000000000 (0)
+0x060 ProcessFlags    : 0
+0x064 BasePriority    : 8 ''
+0x065 QuantumReset    : 36 '$'
+0x066 State          : 0 ''
+0x067 ThreadSeed    : 0 ''
+0x068 PowerState    : 0 ''
+0x069 IdealNode       : 0 ''
+0x06a Visited       : 0 ''
+0x06b Flags          : _KEXECUTE_OPTIONS
+0x06b ExecuteOptions : 0 ''
+0x06c StackCount    : 0xb
+0x070 ProcessListEntry : _LIST_ENTRY [ 0x0 - 0x0 ]

vista sp0
nt!_EPROCESS
+0x000 Pcb             : _KPROCESS
+0x080 ProcessLock    : _EX_PUSH_LOCK
+0x088 CreateTime    : _LARGE_INTEGER 0x1c87ec7`5cb74e5b
+0x090 ExitTime       : _LARGE_INTEGER 0x0
+0x098 RundownProtect : _EX_RUNDOWN_REF
+0x09c UniqueProcessId  : 0x00000660
+0x0a0 ActiveProcessLinks : _LIST_ENTRY [ 0x8b441e30 - 0x843c9e30 ]
+0x0a8 QuotaUsage    : [3] 0x4b80
+0x0b4 QuotaPeak       : [3] 0x59a0
+0x0c0 CommitCharge    : 0x10e1
+0x0c4 PeakVirtualSize  : 0xb2cf000
+0x0c8 VirtualSize    : 0x9d6c000
+0x0cc SessionProcessLinks : _LIST_ENTRY [ 0x8489faf4 - 0x8b438b7c ]
+0x0d4 DebugPort       : (null)
+0x0d8 ExceptionPortData : 0x847e86d8
+0x0d8 ExceptionPortValue : 0x847e86d8
+0x0d8 ExceptionPortState : 0y000
+0x0dc ObjectTable    : 0x8fe393f0 _HANDLE_TABLE
+0x0e0 Token          : _EX_FAST_REF
+0x0e4 WorkingSetPage : 0xd5eb
+0x0e8 AddressCreationLock : _EX_PUSH_LOCK
+0x0ec RotateInProgress : (null)
+0x0f0 ForkInProgress : (null)
+0x0f4 HardwareTrigger  : 0
+0x0f8 PhysicalVadRoot  : (null)
+0x0fc CloneRoot       : (null)
+0x100 NumberOfPrivatePages : 0xa93
+0x104 NumberOfLockedPages : 0
+0x108 Win32Process    : 0xffbfc908
+0x10c Job             : (null)
+0x110 SectionObject : 0x8fe39ac0
+0x114 SectionBaseAddress : 0x00760000
+0x118 QuotaBlock    : 0x8b48f828 _EPROCESS_QUOTA_BLOCK
+0x11c WorkingSetWatch  : (null)
+0x120 Win32WindowStation : 0x00000034
+0x124 InheritedFromUniqueProcessId : 0x00000610
+0x128 LdtInformation : (null)
+0x12c VadFreeHint    : 0x849b53c8
+0x130 VdmObjects    : (null)
+0x134 DeviceMap       : 0x8cb48870
+0x138 EtwDataSource : 0x848982a0
+0x13c FreeTebHint    : 0x7ffd9000
+0x140 PageDirectoryPte : _HARDWARE_PTE
+0x140 Filler          : 0
+0x148 Session       : 0x84aec000
+0x14c ImageFileName : [16]  "explorer.exe"
+0x15c JobLinks       : _LIST_ENTRY [ 0x0 - 0x0 ]
+0x164 LockedPagesList  : (null)
+0x168 ThreadListHead : _LIST_ENTRY [ 0x8b5a04c0 - 0x848ec278 ]
+0x170 SecurityPort    : (null)
+0x174 PaeTop          : 0x822ad300
+0x178 ActiveThreads : 0x1a
+0x17c ImagePathHash : 0x7a3328da
+0x180 DefaultHardErrorProcessing : 0
+0x184 LastThreadExitStatus : 0
+0x188 Peb             : 0x7ffdd000 _PEB
+0x18c PrefetchTrace : _EX_FAST_REF
+0x190 ReadOperationCount : _LARGE_INTEGER 0x36e
+0x198 WriteOperationCount : _LARGE_INTEGER 0xe
+0x1a0 OtherOperationCount : _LARGE_INTEGER 0x3693
+0x1a8 ReadTransferCount : _LARGE_INTEGER 0x193e99
+0x1b0 WriteTransferCount : _LARGE_INTEGER 0x8718
+0x1b8 OtherTransferCount : _LARGE_INTEGER 0xaa92cf
+0x1c0 CommitChargeLimit : 0
+0x1c4 CommitChargePeak : 0x1357
+0x1c8 AweInfo       : (null)
+0x1cc SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO
+0x1d0 Vm             : _MMSUPPORT
+0x218 MmProcessLinks : _LIST_ENTRY [ 0x8b441fa8 - 0x843c9fa8 ]
+0x220 ModifiedPageCount : 0x5f8
+0x224 Flags2          : 0xd000
+0x224 JobNotReallyActive : 0y0
+0x224 AccountingFolded : 0y0
+0x224 NewProcessReported : 0y0
+0x224 ExitProcessReported : 0y0
+0x224 ReportCommitChanges : 0y0
+0x224 LastReportMemory : 0y0
+0x224 ReportPhysicalPageChanges : 0y0
+0x224 HandleTableRundown : 0y0
+0x224 NeedsHandleRundown : 0y0
+0x224 RefTraceEnabled  : 0y0
+0x224 NumaAware       : 0y0
+0x224 ProtectedProcess : 0y0
+0x224 DefaultPagePriority : 0y101
+0x224 PrimaryTokenFrozen : 0y1
+0x224 ProcessVerifierTarget : 0y0
+0x224 StackRandomizationDisabled : 0y0
+0x228 Flags          : 0x144d0801
+0x228 CreateReported : 0y1
+0x228 NoDebugInherit : 0y0
+0x228 ProcessExiting : 0y0
+0x228 ProcessDelete : 0y0
+0x228 Wow64SplitPages  : 0y0
+0x228 VmDeleted       : 0y0
+0x228 OutswapEnabled : 0y0
+0x228 Outswapped    : 0y0
+0x228 ForkFailed    : 0y0
+0x228 Wow64VaSpace4Gb  : 0y0
+0x228 AddressSpaceInitialized : 0y10
+0x228 SetTimerResolution : 0y0
+0x228 BreakOnTermination : 0y0
+0x228 DeprioritizeViews : 0y0
+0x228 WriteWatch    : 0y0
+0x228 ProcessInSession : 0y1
+0x228 OverrideAddressSpace : 0y0
+0x228 HasAddressSpace  : 0y1
+0x228 LaunchPrefetched : 0y1
+0x228 InjectInpageErrors : 0y0
+0x228 VmTopDown       : 0y0
+0x228 ImageNotifyDone  : 0y1
+0x228 PdeUpdateNeeded  : 0y0
+0x228 VdmAllowed    : 0y0
+0x228 SmapAllowed    : 0y0
+0x228 ProcessInserted  : 0y1
+0x228 DefaultIoPriority : 0y010
+0x228 SparePsFlags1 : 0y00
+0x22c ExitStatus    : 259
+0x230 Spare7          : 0
+0x232 SubSystemMinorVersion : 0 ''
+0x233 SubSystemMajorVersion : 0x6 ''
+0x232 SubSystemVersion : 0x600
+0x234 PriorityClass : 0x2 ''
+0x238 VadRoot       : _MM_AVL_TABLE
+0x258 Cookie          : 0xf71da56b
+0x25c AlpcContext    : _ALPC_PROCESS_CONTEXT
kd> dt nt!_KPROCESS 8473d020
+0x000 Header          : _DISPATCHER_HEADER
+0x010 ProfileListHead  : _LIST_ENTRY [ 0x8473d030 - 0x8473d030 ]
+0x018 DirectoryTableBase : 0x1d35b300
+0x01c Unused0       : 0
+0x020 LdtDescriptor : _KGDTENTRY
+0x028 Int21Descriptor  : _KIDTENTRY
+0x030 IopmOffset    : 0x20ac
+0x032 Iopl          : 0 ''
+0x033 Unused          : 0 ''
+0x034 ActiveProcessors : 0
+0x038 KernelTime    : 0x124
+0x03c UserTime       : 0x50
+0x040 ReadyListHead : _LIST_ENTRY [ 0x8473d060 - 0x8473d060 ]
+0x048 SwapListEntry : _SINGLE_LIST_ENTRY
+0x04c VdmTrapcHandler  : (null)
+0x050 ThreadListHead : _LIST_ENTRY [ 0x8b5a043c - 0x848ec1f4 ]
+0x058 ProcessLock    : 0
+0x05c Affinity       : 1
+0x060 AutoAlignment : 0y0
+0x060 DisableBoost    : 0y0
+0x060 DisableQuantum : 0y0
+0x060 ReservedFlags : 0y00000000000000000000000000000 (0)
+0x060 ProcessFlags    : 0
+0x064 BasePriority    : 8 ''
+0x065 QuantumReset    : 6 ''
+0x066 State          : 0 ''
+0x067 ThreadSeed    : 0 ''
+0x068 PowerState    : 0 ''
+0x069 IdealNode       : 0 ''
+0x06a Visited       : 0 ''
+0x06b Flags          : _KEXECUTE_OPTIONS
+0x06b ExecuteOptions : 0x32 '2'
+0x06c StackCount    : 0x1a
+0x070 ProcessListEntry : _LIST_ENTRY [ 0x0 - 0x0 ]
+0x078 CycleTime       : 0x2`539d00ea

vista sp1
nt!_EPROCESS
+0x000 Pcb             : _KPROCESS
+0x080 ProcessLock    : _EX_PUSH_LOCK
+0x088 CreateTime    : _LARGE_INTEGER 0x1c87ec2`f35608ed
+0x090 ExitTime       : _LARGE_INTEGER 0x0
+0x098 RundownProtect : _EX_RUNDOWN_REF
+0x09c UniqueProcessId  : 0x00000768
+0x0a0 ActiveProcessLinks : _LIST_ENTRY [ 0x8532d260 - 0x8533d0c0 ]
+0x0a8 QuotaUsage    : [3] 0x4c88
+0x0b4 QuotaPeak       : [3] 0x50e8
+0x0c0 CommitCharge    : 0xd13
+0x0c4 PeakVirtualSize  : 0xa09d000
+0x0c8 VirtualSize    : 0x9445000
+0x0cc SessionProcessLinks : _LIST_ENTRY [ 0x85311b64 - 0x8533d0ec ]
+0x0d4 DebugPort       : (null)
+0x0d8 ExceptionPortData : 0x851a5030
+0x0d8 ExceptionPortValue : 0x851a5030
+0x0d8 ExceptionPortState : 0y000
+0x0dc ObjectTable    : 0x92ef1260 _HANDLE_TABLE
+0x0e0 Token          : _EX_FAST_REF
+0x0e4 WorkingSetPage : 0x84c1
+0x0e8 AddressCreationLock : _EX_PUSH_LOCK
+0x0ec RotateInProgress : (null)
+0x0f0 ForkInProgress : (null)
+0x0f4 HardwareTrigger  : 0
+0x0f8 PhysicalVadRoot  : (null)
+0x0fc CloneRoot       : (null)
+0x100 NumberOfPrivatePages : 0x76e
+0x104 NumberOfLockedPages : 0
+0x108 Win32Process    : 0xfe6847c0
+0x10c Job             : (null)
+0x110 SectionObject : 0x92ef1030
+0x114 SectionBaseAddress : 0x006d0000
+0x118 QuotaBlock    : 0x84fd6370 _EPROCESS_QUOTA_BLOCK
+0x11c WorkingSetWatch  : (null)
+0x120 Win32WindowStation : 0x00000034
+0x124 InheritedFromUniqueProcessId : 0x00000728
+0x128 LdtInformation : (null)
+0x12c Spare          : (null)
+0x130 VdmObjects    : (null)
+0x134 DeviceMap       : 0x8f5d9990
+0x138 EtwDataSource : (null)
+0x13c FreeTebHint    : 0x7ffde000
+0x140 PageDirectoryPte : _HARDWARE_PTE
+0x140 Filler          : 0
+0x148 Session       : 0x8970c000
+0x14c ImageFileName : [16]  "explorer.exe"
+0x15c JobLinks       : _LIST_ENTRY [ 0x0 - 0x0 ]
+0x164 LockedPagesList  : (null)
+0x168 ThreadListHead : _LIST_ENTRY [ 0x85308278 - 0x852f0950 ]
+0x170 SecurityPort    : (null)
+0x174 PaeTop          : 0x84b5b340
+0x178 ActiveThreads : 0x19
+0x17c ImagePathHash : 0x7a3328da
+0x180 DefaultHardErrorProcessing : 0
+0x184 LastThreadExitStatus : 0
+0x188 Peb             : 0x7ffd8000 _PEB
+0x18c PrefetchTrace : _EX_FAST_REF
+0x190 ReadOperationCount : _LARGE_INTEGER 0x2b0
+0x198 WriteOperationCount : _LARGE_INTEGER 0xa
+0x1a0 OtherOperationCount : _LARGE_INTEGER 0x2f54
+0x1a8 ReadTransferCount : _LARGE_INTEGER 0x63ef8
+0x1b0 WriteTransferCount : _LARGE_INTEGER 0x420
+0x1b8 OtherTransferCount : _LARGE_INTEGER 0xaafc45
+0x1c0 CommitChargeLimit : 0
+0x1c4 CommitChargePeak : 0xd99
+0x1c8 AweInfo       : (null)
+0x1cc SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO
+0x1d0 Vm             : _MMSUPPORT
+0x218 MmProcessLinks : _LIST_ENTRY [ 0x8532d3d8 - 0x8533d238 ]
+0x220 ModifiedPageCount : 0x5a7
+0x224 Flags2          : 0xd000
+0x224 JobNotReallyActive : 0y0
+0x224 AccountingFolded : 0y0
+0x224 NewProcessReported : 0y0
+0x224 ExitProcessReported : 0y0
+0x224 ReportCommitChanges : 0y0
+0x224 LastReportMemory : 0y0
+0x224 ReportPhysicalPageChanges : 0y0
+0x224 HandleTableRundown : 0y0
+0x224 NeedsHandleRundown : 0y0
+0x224 RefTraceEnabled  : 0y0
+0x224 NumaAware       : 0y0
+0x224 ProtectedProcess : 0y0
+0x224 DefaultPagePriority : 0y101
+0x224 PrimaryTokenFrozen : 0y1
+0x224 ProcessVerifierTarget : 0y0
+0x224 StackRandomizationDisabled : 0y0
+0x224 AffinityPermanent : 0y0
+0x224 AffinityUpdateEnable : 0y0
+0x224 CrossSessionCreate : 0y0
+0x228 Flags          : 0x144d0801
+0x228 CreateReported : 0y1
+0x228 NoDebugInherit : 0y0
+0x228 ProcessExiting : 0y0
+0x228 ProcessDelete : 0y0
+0x228 Wow64SplitPages  : 0y0
+0x228 VmDeleted       : 0y0
+0x228 OutswapEnabled : 0y0
+0x228 Outswapped    : 0y0
+0x228 ForkFailed    : 0y0
+0x228 Wow64VaSpace4Gb  : 0y0
+0x228 AddressSpaceInitialized : 0y10
+0x228 SetTimerResolution : 0y0
+0x228 BreakOnTermination : 0y0
+0x228 DeprioritizeViews : 0y0
+0x228 WriteWatch    : 0y0
+0x228 ProcessInSession : 0y1
+0x228 OverrideAddressSpace : 0y0
+0x228 HasAddressSpace  : 0y1
+0x228 LaunchPrefetched : 0y1
+0x228 InjectInpageErrors : 0y0
+0x228 VmTopDown       : 0y0
+0x228 ImageNotifyDone  : 0y1
+0x228 PdeUpdateNeeded  : 0y0
+0x228 VdmAllowed    : 0y0
+0x228 SmapAllowed    : 0y0
+0x228 ProcessInserted  : 0y1
+0x228 DefaultIoPriority : 0y010
+0x228 ProcessSelfDelete : 0y0
+0x228 SpareProcessFlags : 0y0
+0x22c ExitStatus    : 259
+0x230 Spare7          : 0
+0x232 SubSystemMinorVersion : 0 ''
+0x233 SubSystemMajorVersion : 0x6 ''
+0x232 SubSystemVersion : 0x600
+0x234 PriorityClass : 0x2 ''
+0x238 VadRoot       : _MM_AVL_TABLE
+0x258 Cookie          : 0x72607a1f
+0x25c AlpcContext    : _ALPC_PROCESS_CONTEXT
kd> dt nt!_KPROCESS 8535f020
+0x000 Header          : _DISPATCHER_HEADER
+0x010 ProfileListHead  : _LIST_ENTRY [ 0x8535f030 - 0x8535f030 ]
+0x018 DirectoryTableBase : 0x1f75b340
+0x01c Unused0       : 0
+0x020 LdtDescriptor : _KGDTENTRY
+0x028 Int21Descriptor  : _KIDTENTRY
+0x030 IopmOffset    : 0x20ac
+0x032 Unused1       : 0 ''
+0x033 Unused2       : 0 ''
+0x034 ActiveProcessors : 0
+0x038 KernelTime    : 0x7e
+0x03c UserTime       : 0x22
+0x040 ReadyListHead : _LIST_ENTRY [ 0x8535f060 - 0x8535f060 ]
+0x048 SwapListEntry : _SINGLE_LIST_ENTRY
+0x04c VdmTrapcHandler  : (null)
+0x050 ThreadListHead : _LIST_ENTRY [ 0x853081f4 - 0x852f08cc ]
+0x058 ProcessLock    : 0
+0x05c Affinity       : 1
+0x060 AutoAlignment : 0y0
+0x060 DisableBoost    : 0y0
+0x060 DisableQuantum : 0y0
+0x060 ReservedFlags : 0y00000000000000000000000000000 (0)
+0x060 ProcessFlags    : 0
+0x064 BasePriority    : 8 ''
+0x065 QuantumReset    : 6 ''
+0x066 State          : 0 ''
+0x067 ThreadSeed    : 0 ''
+0x068 PowerState    : 0 ''
+0x069 IdealNode       : 0 ''
+0x06a Visited       : 0 ''
+0x06b Flags          : _KEXECUTE_OPTIONS
+0x06b ExecuteOptions : 0x72 'r'
+0x06c StackCount    : 0x19
+0x070 ProcessListEntry : _LIST_ENTRY [ 0x0 - 0x0 ]
+0x078 CycleTime       : 0x1`236c8e36

win7 build 7000 :

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
      typedef struct _EPROCESS                                              // 136 elements, 0x2C0 bytes (sizeof)
      {
/*0x000*/    struct _KPROCESS Pcb;                                           // 35 elements, 0x98 bytes (sizeof)
/*0x098*/    struct _EX_PUSH_LOCK ProcessLock;                               // 7 elements, 0x4 bytes (sizeof)
/*0x09C*/    UINT8       _PADDING0_[0x4];
/*0x0A0*/    union _LARGE_INTEGER CreateTime;                                  // 4 elements, 0x8 bytes (sizeof)
/*0x0A8*/    union _LARGE_INTEGER ExitTime;                                  // 4 elements, 0x8 bytes (sizeof)
/*0x0B0*/    struct _EX_RUNDOWN_REF RundownProtect;                            // 2 elements, 0x4 bytes (sizeof)
/*0x0B4*/    VOID*       UniqueProcessId;
/*0x0B8*/    struct _LIST_ENTRY ActiveProcessLinks;                            // 2 elements, 0x8 bytes (sizeof)
/*0x0C0*/    ULONG32    ProcessQuotaUsage[2];
/*0x0C8*/    ULONG32    ProcessQuotaPeak[2];
/*0x0D0*/    ULONG32    CommitCharge;
/*0x0D4*/    ULONG32    SpareUlongPtr[2];
/*0x0DC*/    ULONG32    PeakVirtualSize;
/*0x0E0*/    ULONG32    VirtualSize;
/*0x0E4*/    struct _LIST_ENTRY SessionProcessLinks;                         // 2 elements, 0x8 bytes (sizeof)
/*0x0EC*/    VOID*       DebugPort;
            union                                                             // 3 elements, 0x4 bytes (sizeof)
            {
/*0x0F0*/       VOID*       ExceptionPortData;
/*0x0F0*/       ULONG32    ExceptionPortValue;
/*0x0F0*/       ULONG32    ExceptionPortState : 3;                         // 0 BitPosition
            };
/*0x0F4*/    struct _HANDLE_TABLE* ObjectTable;
/*0x0F8*/    struct _EX_FAST_REF Token;                                        // 3 elements, 0x4 bytes (sizeof)
/*0x0FC*/    ULONG32    WorkingSetPage;
/*0x100*/    struct _EX_PUSH_LOCK AddressCreationLock;                         // 7 elements, 0x4 bytes (sizeof)
/*0x104*/    struct _ETHREAD* RotateInProgress;
/*0x108*/    struct _ETHREAD* ForkInProgress;
/*0x10C*/    ULONG32    HardwareTrigger;
/*0x110*/    struct _MM_AVL_TABLE* PhysicalVadRoot;
/*0x114*/    VOID*       CloneRoot;
/*0x118*/    ULONG32    NumberOfPrivatePages;
/*0x11C*/    ULONG32    NumberOfLockedPages;
/*0x120*/    VOID*       Win32Process;
/*0x124*/    struct _EJOB* Job;
/*0x128*/    VOID*       SectionObject;
/*0x12C*/    VOID*       SectionBaseAddress;
/*0x130*/    struct _EPROCESS_QUOTA_BLOCK* QuotaBlock;
/*0x134*/    struct _PAGEFAULT_HISTORY* WorkingSetWatch;
/*0x138*/    VOID*       Win32WindowStation;
/*0x13C*/    VOID*       InheritedFromUniqueProcessId;
/*0x140*/    VOID*       LdtInformation;
/*0x144*/    VOID*       Spare;
/*0x148*/    VOID*       VdmObjects;
/*0x14C*/    VOID*       DeviceMap;
/*0x150*/    VOID*       EtwDataSource;
/*0x154*/    VOID*       FreeTebHint;
            union                                                             // 2 elements, 0x8 bytes (sizeof)
            {
/*0x158*/       struct _HARDWARE_PTE PageDirectoryPte;                      // 16 elements, 0x8 bytes (sizeof)
/*0x158*/       UINT64    Filler;
            };
/*0x160*/    VOID*       Session;
/*0x164*/    UINT8       ImageFileName[16];
/*0x174*/    struct _LIST_ENTRY JobLinks;                                     // 2 elements, 0x8 bytes (sizeof)
/*0x17C*/    VOID*       LockedPagesList;
/*0x180*/    struct _LIST_ENTRY ThreadListHead;                               // 2 elements, 0x8 bytes (sizeof)
/*0x188*/    VOID*       SecurityPort;
/*0x18C*/    VOID*       PaeTop;
/*0x190*/    ULONG32    ActiveThreads;
/*0x194*/    ULONG32    ImagePathHash;
/*0x198*/    ULONG32    DefaultHardErrorProcessing;
/*0x19C*/    LONG32    LastThreadExitStatus;
/*0x1A0*/    struct _PEB* Peb;
/*0x1A4*/    struct _EX_FAST_REF PrefetchTrace;                               // 3 elements, 0x4 bytes (sizeof)
/*0x1A8*/    union _LARGE_INTEGER ReadOperationCount;                         // 4 elements, 0x8 bytes (sizeof)
/*0x1B0*/    union _LARGE_INTEGER WriteOperationCount;                         // 4 elements, 0x8 bytes (sizeof)
/*0x1B8*/    union _LARGE_INTEGER OtherOperationCount;                         // 4 elements, 0x8 bytes (sizeof)
/*0x1C0*/    union _LARGE_INTEGER ReadTransferCount;                         // 4 elements, 0x8 bytes (sizeof)
/*0x1C8*/    union _LARGE_INTEGER WriteTransferCount;                         // 4 elements, 0x8 bytes (sizeof)
/*0x1D0*/    union _LARGE_INTEGER OtherTransferCount;                         // 4 elements, 0x8 bytes (sizeof)
/*0x1D8*/    ULONG32    CommitChargeLimit;
/*0x1DC*/    ULONG32    CommitChargePeak;
/*0x1E0*/    VOID*       AweInfo;
/*0x1E4*/    struct _SE_AUDIT_PROCESS_CREATION_INFO SeAuditProcessCreationInfo; // 1 elements, 0x4 bytes (sizeof)
/*0x1E8*/    struct _MMSUPPORT Vm;                                           // 20 elements, 0x68 bytes (sizeof)
/*0x250*/    struct _LIST_ENTRY MmProcessLinks;                               // 2 elements, 0x8 bytes (sizeof)
/*0x258*/    ULONG32    ModifiedPageCount;
            union                                                             // 2 elements, 0x4 bytes (sizeof)
            {
/*0x25C*/       ULONG32    Flags2;
               struct                                                       // 19 elements, 0x4 bytes (sizeof)
               {
/*0x25C*/          ULONG32    JobNotReallyActive : 1;                      // 0 BitPosition
/*0x25C*/          ULONG32    AccountingFolded : 1;                      // 1 BitPosition
/*0x25C*/          ULONG32    NewProcessReported : 1;                      // 2 BitPosition
/*0x25C*/          ULONG32    ExitProcessReported : 1;                   // 3 BitPosition
/*0x25C*/          ULONG32    ReportCommitChanges : 1;                   // 4 BitPosition
/*0x25C*/          ULONG32    LastReportMemory : 1;                      // 5 BitPosition
/*0x25C*/          ULONG32    ReportPhysicalPageChanges : 1;             // 6 BitPosition
/*0x25C*/          ULONG32    HandleTableRundown : 1;                      // 7 BitPosition
/*0x25C*/          ULONG32    NeedsHandleRundown : 1;                      // 8 BitPosition
/*0x25C*/          ULONG32    RefTraceEnabled : 1;                         // 9 BitPosition
/*0x25C*/          ULONG32    NumaAware : 1;                               // 10 BitPosition
/*0x25C*/          ULONG32    ProtectedProcess : 1;                      // 11 BitPosition
/*0x25C*/          ULONG32    DefaultPagePriority : 3;                   // 12 BitPosition
/*0x25C*/          ULONG32    PrimaryTokenFrozen : 1;                      // 15 BitPosition
/*0x25C*/          ULONG32    ProcessVerifierTarget : 1;                   // 16 BitPosition
/*0x25C*/          ULONG32    StackRandomizationDisabled : 1;             // 17 BitPosition
/*0x25C*/          ULONG32    AffinityPermanent : 1;                      // 18 BitPosition
/*0x25C*/          ULONG32    AffinityUpdateEnable : 1;                   // 19 BitPosition
/*0x25C*/          ULONG32    CrossSessionCreate : 1;                      // 20 BitPosition
               };
            };
            union                                                             // 2 elements, 0x4 bytes (sizeof)
            {
/*0x260*/       ULONG32    Flags;
               struct                                                       // 29 elements, 0x4 bytes (sizeof)
               {
/*0x260*/          ULONG32    CreateReported : 1;                         // 0 BitPosition
/*0x260*/          ULONG32    NoDebugInherit : 1;                         // 1 BitPosition
/*0x260*/          ULONG32    ProcessExiting : 1;                         // 2 BitPosition
/*0x260*/          ULONG32    ProcessDelete : 1;                         // 3 BitPosition
/*0x260*/          ULONG32    Wow64SplitPages : 1;                         // 4 BitPosition
/*0x260*/          ULONG32    VmDeleted : 1;                               // 5 BitPosition
/*0x260*/          ULONG32    OutswapEnabled : 1;                         // 6 BitPosition
/*0x260*/          ULONG32    Outswapped : 1;                            // 7 BitPosition
/*0x260*/          ULONG32    ForkFailed : 1;                            // 8 BitPosition
/*0x260*/          ULONG32    Wow64VaSpace4Gb : 1;                         // 9 BitPosition
/*0x260*/          ULONG32    AddressSpaceInitialized : 2;                // 10 BitPosition
/*0x260*/          ULONG32    SetTimerResolution : 1;                      // 12 BitPosition
/*0x260*/          ULONG32    BreakOnTermination : 1;                      // 13 BitPosition
/*0x260*/          ULONG32    DeprioritizeViews : 1;                      // 14 BitPosition
/*0x260*/          ULONG32    WriteWatch : 1;                            // 15 BitPosition
/*0x260*/          ULONG32    ProcessInSession : 1;                      // 16 BitPosition
/*0x260*/          ULONG32    OverrideAddressSpace : 1;                   // 17 BitPosition
/*0x260*/          ULONG32    HasAddressSpace : 1;                         // 18 BitPosition
/*0x260*/          ULONG32    LaunchPrefetched : 1;                      // 19 BitPosition
/*0x260*/          ULONG32    InjectInpageErrors : 1;                      // 20 BitPosition
/*0x260*/          ULONG32    VmTopDown : 1;                               // 21 BitPosition
/*0x260*/          ULONG32    ImageNotifyDone : 1;                         // 22 BitPosition
/*0x260*/          ULONG32    PdeUpdateNeeded : 1;                         // 23 BitPosition
/*0x260*/          ULONG32    VdmAllowed : 1;                            // 24 BitPosition
/*0x260*/          ULONG32    PropagateNode : 1;                         // 25 BitPosition
/*0x260*/          ULONG32    ProcessInserted : 1;                         // 26 BitPosition
/*0x260*/          ULONG32    DefaultIoPriority : 3;                      // 27 BitPosition
/*0x260*/          ULONG32    ProcessSelfDelete : 1;                      // 30 BitPosition
/*0x260*/          ULONG32    SpareProcessFlags : 1;                      // 31 BitPosition
               };
            };
/*0x264*/    LONG32    ExitStatus;
/*0x268*/    UINT16    Spare7;
            union                                                             // 2 elements, 0x2 bytes (sizeof)
            {
               struct                                                       // 2 elements, 0x2 bytes (sizeof)
               {
/*0x26A*/          UINT8       SubSystemMinorVersion;
/*0x26B*/          UINT8       SubSystemMajorVersion;
               };
/*0x26A*/       UINT16    SubSystemVersion;
            };
/*0x26C*/    UINT8       PriorityClass;
/*0x26D*/    UINT8       _PADDING1_[0x3];
/*0x270*/    struct _MM_AVL_TABLE VadRoot;                                     // 6 elements, 0x20 bytes (sizeof)
/*0x290*/    ULONG32    Cookie;
/*0x294*/    ULONG32    Spare8;
/*0x298*/    struct _ALPC_PROCESS_CONTEXT AlpcContext;                         // 3 elements, 0x10 bytes (sizeof)
/*0x2A8*/    struct _LIST_ENTRY TimerResolutionLink;                         // 2 elements, 0x8 bytes (sizeof)
/*0x2B0*/    ULONG32    RequestedTimerResolution;
/*0x2B4*/    ULONG32    ActiveThreadsHighWatermark;
/*0x2B8*/    ULONG32    ConsoleHostProcess;
/*0x2BC*/    struct _PS_CPU_QUOTA_BLOCK* CpuQuotaBlock;
      }EPROCESS, *PEPROCESS;
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
      typedef struct _KPROCESS                      // 35 elements, 0x98 bytes (sizeof)
      {
/*0x000*/    struct _DISPATCHER_HEADER Header;       // 24 elements, 0x10 bytes (sizeof)
/*0x010*/    struct _LIST_ENTRY ProfileListHead;       // 2 elements, 0x8 bytes (sizeof)
/*0x018*/    ULONG32    DirectoryTableBase;
/*0x01C*/    struct _KGDTENTRY LdtDescriptor;          // 3 elements, 0x8 bytes (sizeof)
/*0x024*/    struct _KIDTENTRY Int21Descriptor;       // 4 elements, 0x8 bytes (sizeof)
/*0x02C*/    struct _KAFFINITY_EX ActiveProcessors;    // 4 elements, 0xC bytes (sizeof)
/*0x038*/    ULONG32    KernelTime;
/*0x03C*/    ULONG32    UserTime;
/*0x040*/    struct _LIST_ENTRY ReadyListHead;       // 2 elements, 0x8 bytes (sizeof)
/*0x048*/    struct _SINGLE_LIST_ENTRY SwapListEntry; // 1 elements, 0x4 bytes (sizeof)
/*0x04C*/    VOID*       VdmTrapcHandler;
/*0x050*/    struct _LIST_ENTRY ThreadListHead;       // 2 elements, 0x8 bytes (sizeof)
/*0x058*/    ULONG32    ProcessLock;
/*0x05C*/    struct _KAFFINITY_EX Affinity;          // 4 elements, 0xC bytes (sizeof)
            union                                     // 2 elements, 0x4 bytes (sizeof)
            {
               struct                               // 5 elements, 0x4 bytes (sizeof)
               {
/*0x068*/          LONG32    AutoAlignment : 1; // 0 BitPosition
/*0x068*/          LONG32    DisableBoost : 1;    // 1 BitPosition
/*0x068*/          LONG32    DisableQuantum : 1; // 2 BitPosition
/*0x068*/          ULONG32    ActiveGroupsMask : 1; // 3 BitPosition
/*0x068*/          LONG32    ReservedFlags : 28; // 4 BitPosition
               };
/*0x068*/       LONG32    ProcessFlags;
            };
/*0x06C*/    CHAR       BasePriority;
/*0x06D*/    CHAR       QuantumReset;
/*0x06E*/    UINT8       Visited;
/*0x06F*/    UINT8       Unused3;
/*0x070*/    ULONG32    ThreadSeed[1];
/*0x074*/    UINT16    IdealNode[1];
/*0x076*/    UINT16    IdealGlobalNode;
            union                                     // 2 elements, 0x1 bytes (sizeof)
            {
/*0x078*/       struct _KEXECUTE_OPTIONS Flags;       // 8 elements, 0x1 bytes (sizeof)
/*0x078*/       UINT8       ExecuteOptions;
            };
/*0x079*/    UINT8       Unused1;
/*0x07A*/    UINT16    IopmOffset;
/*0x07C*/    ULONG32    Unused4;
/*0x080*/    union _KSTACK_COUNT StackCount;          // 3 elements, 0x4 bytes (sizeof)
/*0x084*/    struct _LIST_ENTRY ProcessListEntry;    // 2 elements, 0x8 bytes (sizeof)
/*0x08C*/    UINT8       _PADDING0_[0x4];
/*0x090*/    UINT64    CycleTime;
      }KPROCESS, *PKPROCESS;
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
      typedef struct _KTHREAD                               // 113 elements, 0x200 bytes (sizeof)
      {
/*0x000*/    struct _DISPATCHER_HEADER Header;                // 24 elements, 0x10 bytes (sizeof)
/*0x010*/    UINT64    CycleTime;
/*0x018*/    ULONG32    HighCycleTime;
/*0x01C*/    UINT8       _PADDING0_[0x4];
/*0x020*/    UINT64    QuantumTarget;
/*0x028*/    VOID*       InitialStack;
/*0x02C*/    VOID*       StackLimit;
/*0x030*/    VOID*       KernelStack;
/*0x034*/    ULONG32    ThreadLock;
/*0x038*/    union _KWAIT_STATUS_REGISTER WaitRegister;       // 8 elements, 0x1 bytes (sizeof)
/*0x039*/    UINT8       Running;
/*0x03A*/    UINT8       Alerted[2];
            union                                              // 2 elements, 0x4 bytes (sizeof)
            {

rc7100与7000已经有所不同,大家可以自己对比下.
Windows 7 Kernel Version 7100 MP (1 procs) Checked x86 compatible
Built by: 7100.0.x86chk.winmain_win7rc.090421-1700
dt nt!_EPROCESS
+0x000 Pcb             : _KPROCESS
+0x098 ProcessLock    : _EX_PUSH_LOCK
+0x0a0 CreateTime    : _LARGE_INTEGER
+0x0a8 ExitTime       : _LARGE_INTEGER
+0x0b0 RundownProtect : _EX_RUNDOWN_REF
+0x0b4 UniqueProcessId  : Ptr32 Void
+0x0b8 ActiveProcessLinks : _LIST_ENTRY
+0x0c0 ProcessQuotaUsage : [2] Uint4B
+0x0c8 ProcessQuotaPeak : [2] Uint4B
+0x0d0 CommitCharge    : Uint4B
+0x0d4 QuotaBlock    : Ptr32 _EPROCESS_QUOTA_BLOCK
+0x0d8 CpuQuotaBlock : Ptr32 _PS_CPU_QUOTA_BLOCK
+0x0dc PeakVirtualSize  : Uint4B
+0x0e0 VirtualSize    : Uint4B
+0x0e4 SessionProcessLinks : _LIST_ENTRY
+0x0ec DebugPort       : Ptr32 Void
+0x0f0 ExceptionPortData : Ptr32 Void
+0x0f0 ExceptionPortValue : Uint4B
+0x0f0 ExceptionPortState : Pos 0, 3 Bits
+0x0f4 ObjectTable    : Ptr32 _HANDLE_TABLE
+0x0f8 Token          : _EX_FAST_REF
+0x0fc WorkingSetPage : Uint4B
+0x100 AddressCreationLock : _EX_PUSH_LOCK
+0x104 RotateInProgress : Ptr32 _ETHREAD
+0x108 ForkInProgress : Ptr32 _ETHREAD
+0x10c HardwareTrigger  : Uint4B
+0x110 PhysicalVadRoot  : Ptr32 _MM_AVL_TABLE
+0x114 CloneRoot       : Ptr32 Void
+0x118 NumberOfPrivatePages : Uint4B
+0x11c NumberOfLockedPages : Uint4B
+0x120 Win32Process    : Ptr32 Void
+0x124 Job             : Ptr32 _EJOB
+0x128 SectionObject : Ptr32 Void
+0x12c SectionBaseAddress : Ptr32 Void
+0x130 Cookie          : Uint4B
+0x134 Spare8          : Uint4B
+0x138 WorkingSetWatch  : Ptr32 _PAGEFAULT_HISTORY
+0x13c Win32WindowStation : Ptr32 Void
+0x140 InheritedFromUniqueProcessId : Ptr32 Void
+0x144 LdtInformation : Ptr32 Void
+0x148 VdmObjects    : Ptr32 Void
+0x14c ConsoleHostProcess : Uint4B
+0x150 DeviceMap       : Ptr32 Void
+0x154 EtwDataSource : Ptr32 Void
+0x158 FreeTebHint    : Ptr32 Void
+0x160 PageDirectoryPte : _HARDWARE_PTE
+0x160 Filler          : Uint8B
+0x168 Session       : Ptr32 Void
+0x16c ImageFileName : [15] UChar
+0x17b PriorityClass : UChar
+0x17c JobLinks       : _LIST_ENTRY
+0x184 LockedPagesList  : Ptr32 Void
+0x188 ThreadListHead : _LIST_ENTRY
+0x190 SecurityPort    : Ptr32 Void
+0x194 PaeTop          : Ptr32 Void
+0x198 ActiveThreads : Uint4B
+0x19c ImagePathHash : Uint4B
+0x1a0 DefaultHardErrorProcessing : Uint4B
+0x1a4 LastThreadExitStatus : Int4B
+0x1a8 Peb             : Ptr32 _PEB
+0x1ac PrefetchTrace : _EX_FAST_REF
+0x1b0 ReadOperationCount : _LARGE_INTEGER
+0x1b8 WriteOperationCount : _LARGE_INTEGER
+0x1c0 OtherOperationCount : _LARGE_INTEGER
+0x1c8 ReadTransferCount : _LARGE_INTEGER
+0x1d0 WriteTransferCount : _LARGE_INTEGER
+0x1d8 OtherTransferCount : _LARGE_INTEGER
+0x1e0 CommitChargeLimit : Uint4B
+0x1e4 CommitChargePeak : Uint4B
+0x1e8 AweInfo       : Ptr32 Void
+0x1ec SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO
+0x1f0 Vm             : _MMSUPPORT
+0x25c MmProcessLinks : _LIST_ENTRY
+0x264 ModifiedPageCount : Uint4B
+0x268 Flags2          : Uint4B
+0x268 JobNotReallyActive : Pos 0, 1 Bit
+0x268 AccountingFolded : Pos 1, 1 Bit
+0x268 NewProcessReported : Pos 2, 1 Bit
+0x268 ExitProcessReported : Pos 3, 1 Bit
+0x268 ReportCommitChanges : Pos 4, 1 Bit
+0x268 LastReportMemory : Pos 5, 1 Bit
+0x268 ReportPhysicalPageChanges : Pos 6, 1 Bit
+0x268 HandleTableRundown : Pos 7, 1 Bit
+0x268 NeedsHandleRundown : Pos 8, 1 Bit
+0x268 RefTraceEnabled  : Pos 9, 1 Bit
+0x268 NumaAware       : Pos 10, 1 Bit
+0x268 ProtectedProcess : Pos 11, 1 Bit
+0x268 DefaultPagePriority : Pos 12, 3 Bits
+0x268 PrimaryTokenFrozen : Pos 15, 1 Bit
+0x268 ProcessVerifierTarget : Pos 16, 1 Bit
+0x268 StackRandomizationDisabled : Pos 17, 1 Bit
+0x268 AffinityPermanent : Pos 18, 1 Bit
+0x268 AffinityUpdateEnable : Pos 19, 1 Bit
+0x268 PropagateNode : Pos 20, 1 Bit
+0x268 ExplicitAffinity : Pos 21, 1 Bit
+0x26c Flags          : Uint4B
+0x26c CreateReported : Pos 0, 1 Bit
+0x26c NoDebugInherit : Pos 1, 1 Bit
+0x26c ProcessExiting : Pos 2, 1 Bit
+0x26c ProcessDelete : Pos 3, 1 Bit
+0x26c Wow64SplitPages  : Pos 4, 1 Bit
+0x26c VmDeleted       : Pos 5, 1 Bit
+0x26c OutswapEnabled : Pos 6, 1 Bit
+0x26c Outswapped    : Pos 7, 1 Bit
+0x26c ForkFailed    : Pos 8, 1 Bit
+0x26c Wow64VaSpace4Gb  : Pos 9, 1 Bit
+0x26c AddressSpaceInitialized : Pos 10, 2 Bits
+0x26c SetTimerResolution : Pos 12, 1 Bit
+0x26c BreakOnTermination : Pos 13, 1 Bit
+0x26c DeprioritizeViews : Pos 14, 1 Bit
+0x26c WriteWatch    : Pos 15, 1 Bit
+0x26c ProcessInSession : Pos 16, 1 Bit
+0x26c OverrideAddressSpace : Pos 17, 1 Bit
+0x26c HasAddressSpace  : Pos 18, 1 Bit
+0x26c LaunchPrefetched : Pos 19, 1 Bit
+0x26c InjectInpageErrors : Pos 20, 1 Bit
+0x26c VmTopDown       : Pos 21, 1 Bit
+0x26c ImageNotifyDone  : Pos 22, 1 Bit
+0x26c PdeUpdateNeeded  : Pos 23, 1 Bit
+0x26c VdmAllowed    : Pos 24, 1 Bit
+0x26c CrossSessionCreate : Pos 25, 1 Bit
+0x26c ProcessInserted  : Pos 26, 1 Bit
+0x26c DefaultIoPriority : Pos 27, 3 Bits
+0x26c ProcessSelfDelete : Pos 30, 1 Bit
+0x26c SetTimerResolutionLink : Pos 31, 1 Bit
+0x270 ExitStatus    : Int4B
+0x274 VadRoot       : _MM_AVL_TABLE
+0x294 AlpcContext    : _ALPC_PROCESS_CONTEXT
+0x2a4 TimerResolutionLink : _LIST_ENTRY
+0x2ac RequestedTimerResolution : Uint4B
+0x2b0 ActiveThreadsHighWatermark : Uint4B
+0x2b4 SmallestTimerResolution : Uint4B
+0x2b8 TimerResolutionStackRecord : Ptr32 _PO_DIAG_STACK_RECORD
dt nt!_KPROCESS
+0x000 Header          : _DISPATCHER_HEADER
+0x010 ProfileListHead  : _LIST_ENTRY
+0x018 DirectoryTableBase : Uint4B
+0x01c LdtDescriptor : _KGDTENTRY
+0x024 Int21Descriptor  : _KIDTENTRY
+0x02c ThreadListHead : _LIST_ENTRY
+0x034 ProcessLock    : Uint4B
+0x038 Affinity       : _KAFFINITY_EX
+0x044 ReadyListHead : _LIST_ENTRY
+0x04c SwapListEntry : _SINGLE_LIST_ENTRY
+0x050 ActiveProcessors : _KAFFINITY_EX
+0x05c AutoAlignment : Pos 0, 1 Bit
+0x05c DisableBoost    : Pos 1, 1 Bit
+0x05c DisableQuantum : Pos 2, 1 Bit
+0x05c ActiveGroupsMask : Pos 3, 1 Bit
+0x05c ReservedFlags : Pos 4, 28 Bits
+0x05c ProcessFlags    : Int4B
+0x060 BasePriority    : Char
+0x061 QuantumReset    : Char
+0x062 Visited       : UChar
+0x063 Unused3       : UChar
+0x064 ThreadSeed    : [1] Uint4B
+0x068 IdealNode       : [1] Uint2B
+0x06a IdealGlobalNode  : Uint2B
+0x06c Flags          : _KEXECUTE_OPTIONS
+0x06d Unused1       : UChar
+0x06e IopmOffset    : Uint2B
+0x070 Unused4       : Uint4B
+0x074 StackCount    : _KSTACK_COUNT
+0x078 ProcessListEntry : _LIST_ENTRY
+0x080 CycleTime       : Uint8B
+0x088 KernelTime    : Uint4B
+0x08c UserTime       : Uint4B
+0x090 VdmTrapcHandler  : Ptr32 Void

trents

关注

0
点赞
踩
2

收藏

觉得还不错? 一键收藏
0
评论
各系统 EPROCESS 结构

2000操作系统nt!_EPROCESS +0x000 Pcb : _KPROCESS +0x06c ExitStatus : 259 +0x070 LockEvent : _KEVENT +0x080 LockCount : 1 +0x088 CreateTime : _LA
复制链接

扫一扫

专栏目录