linux pe do fork,[求助]PEPROCESS定义在哪个头文件啊

2016-8-22 22:02

// Executive process object, as posted on this page.
//
// NOTE(review): the page does not say which kernel build this layout was
// taken from. Member order, member sizes and the #if branches below decide
// every field offset, so treat the layout as build-specific. Code that reads
// these fields by fixed offset has to confirm the target build first; driver
// code is better served by exported accessors such as PsGetProcessId() than
// by direct field access.
typedef struct _EPROCESS {
    // Kernel-level process block, embedded by value as the first member, so
    // a PEPROCESS and a pointer to its Pcb refer to the same address.
    KPROCESS Pcb;

    // ProcessLock guards:
    //   - the list of threads in the process,
    //   - the process token,
    //   - the Win32 process field,
    //   - process and thread affinity settings.
    EX_PUSH_LOCK ProcessLock;
    LARGE_INTEGER CreateTime;
    LARGE_INTEGER ExitTime;

    // Rundown protection that allows lock-free cross-process access to the
    // process handle table, process section and address space. Acquire it
    // before making any cross-process reference to one of those.
    EX_RUNDOWN_REF RundownProtect;
    HANDLE UniqueProcessId;

    // Linkage in the global list of all processes in the system. A process
    // leaves this list in the object deletion routine, which is why entries
    // found here must be referenced with ObReferenceObjectSafe.
    // NOTE(review): this is ordinary list linkage stored inside the object,
    // so a walk of the list shows only what is currently linked. Forensic
    // and detection code should cross-check process enumeration against an
    // independent source rather than rely on this list alone.
    LIST_ENTRY ActiveProcessLinks;

    // Quota fields.
    SIZE_T QuotaUsage[PsQuotaTypes];
    SIZE_T QuotaPeak[PsQuotaTypes];
    SIZE_T CommitCharge;

    // VM counters.
    SIZE_T PeakVirtualSize;
    SIZE_T VirtualSize;
    LIST_ENTRY SessionProcessLinks;
    PVOID DebugPort;
    PVOID ExceptionPort;
    PHANDLE_TABLE ObjectTable;

    // Security. The process token is one of the items guarded by
    // ProcessLock (see the lock's comment above).
    // NOTE(review): EX_FAST_REF is not declared on this page, so do not
    // assume the field is a plain pointer; obtain the token through the
    // supported reference routines (e.g. PsReferencePrimaryToken) instead
    // of reading this member directly.
    EX_FAST_REF Token;
    PFN_NUMBER WorkingSetPage;
    KGUARDED_MUTEX AddressCreationLock;
    KSPIN_LOCK HyperSpaceLock;
    struct _ETHREAD *ForkInProgress;
    ULONG_PTR HardwareTrigger;
    PMM_AVL_TABLE PhysicalVadRoot;
    PVOID CloneRoot;
    PFN_NUMBER NumberOfPrivatePages;
    PFN_NUMBER NumberOfLockedPages;
    PVOID Win32Process;
    struct _EJOB *Job;
    PVOID SectionObject;
    PVOID SectionBaseAddress;
    PEPROCESS_QUOTA_BLOCK QuotaBlock;
    PPAGEFAULT_HISTORY WorkingSetWatch;
    HANDLE Win32WindowStation;
    HANDLE InheritedFromUniqueProcessId;
    PVOID LdtInformation;
    PVOID VadFreeHint;
    PVOID VdmObjects;
    PVOID DeviceMap;
    PVOID Spare0[3];

    // The page-directory PTE shares storage with a ULONGLONG filler.
    union {
        HARDWARE_PTE PageDirectoryPte;
        ULONGLONG Filler;
    };
    PVOID Session;

    // Fixed 16-byte buffer, so a long image name cannot be held in full.
    // The full image path is kept in SeAuditProcessCreationInfo (see the
    // comment on that member); name matching in monitoring code should not
    // rest on this short buffer alone.
    UCHAR ImageFileName[16];
    LIST_ENTRY JobLinks;
    PVOID LockedPagesList;
    LIST_ENTRY ThreadListHead;

    // Used by rdr/security for authentication.
    PVOID SecurityPort;

#if defined(_WIN64)
    PWOW64_PROCESS Wow64Process;
#else
    PVOID PaeTop;
#endif

    ULONG ActiveThreads;
    ACCESS_MASK GrantedAccess;
    ULONG DefaultHardErrorProcessing;
    NTSTATUS LastThreadExitStatus;

    // PEB pointer.
    PPEB Peb;

    // Reference to the prefetch trace block.
    EX_FAST_REF PrefetchTrace;
    LARGE_INTEGER ReadOperationCount;
    LARGE_INTEGER WriteOperationCount;
    LARGE_INTEGER OtherOperationCount;
    LARGE_INTEGER ReadTransferCount;
    LARGE_INTEGER WriteTransferCount;
    LARGE_INTEGER OtherTransferCount;
    SIZE_T CommitChargeLimit;
    SIZE_T CommitChargePeak;
    PVOID AweInfo;

    // Consumed by SeAuditProcessCreation; holds the full path to the image
    // file.
    SE_AUDIT_PROCESS_CREATION_INFO SeAuditProcessCreationInfo;
    MMSUPPORT Vm;

#ifndef _WIN64
    LIST_ENTRY MmProcessLinks;
#else
    ULONG Spares[2];
#endif

    ULONG ModifiedPageCount;

    // Bit values stored in JobStatus.
#define PS_JOB_STATUS_NOT_REALLY_ACTIVE      0x00000001UL
#define PS_JOB_STATUS_ACCOUNTING_FOLDED      0x00000002UL
#define PS_JOB_STATUS_NEW_PROCESS_REPORTED   0x00000004UL
#define PS_JOB_STATUS_EXIT_PROCESS_REPORTED  0x00000008UL
#define PS_JOB_STATUS_REPORT_COMMIT_CHANGES  0x00000010UL
#define PS_JOB_STATUS_LAST_REPORT_MEMORY     0x00000020UL
#define PS_JOB_STATUS_REPORT_PHYSICAL_PAGE_CHANGES  0x00000040UL
    ULONG JobStatus;

    // Process flags. Modify them only with interlocked operations
    // (PS_SET_BITS and friends). The masks below are listed in the same
    // order as the bit-field members further down, lowest bit first.
#define PS_PROCESS_FLAGS_CREATE_REPORTED        0x00000001UL // Create-process debug call has occurred
#define PS_PROCESS_FLAGS_NO_DEBUG_INHERIT       0x00000002UL // Do not inherit the debug port
#define PS_PROCESS_FLAGS_PROCESS_EXITING        0x00000004UL // PspExitProcess has been entered
#define PS_PROCESS_FLAGS_PROCESS_DELETE         0x00000008UL // Process delete has been issued
#define PS_PROCESS_FLAGS_WOW64_SPLIT_PAGES      0x00000010UL // Wow64 split pages
#define PS_PROCESS_FLAGS_VM_DELETED             0x00000020UL // VM has been deleted
#define PS_PROCESS_FLAGS_OUTSWAP_ENABLED        0x00000040UL // Outswap is enabled
#define PS_PROCESS_FLAGS_OUTSWAPPED             0x00000080UL // Process is outswapped
#define PS_PROCESS_FLAGS_FORK_FAILED            0x00000100UL // Fork status
#define PS_PROCESS_FLAGS_WOW64_4GB_VA_SPACE     0x00000200UL // Wow64 process with a 4gb virtual address space
#define PS_PROCESS_FLAGS_ADDRESS_SPACE1         0x00000400UL // Address space state1
#define PS_PROCESS_FLAGS_ADDRESS_SPACE2         0x00000800UL // Address space state2
#define PS_PROCESS_FLAGS_SET_TIMER_RESOLUTION   0x00001000UL // SetTimerResolution has been called
#define PS_PROCESS_FLAGS_BREAK_ON_TERMINATION   0x00002000UL // Break on process termination
#define PS_PROCESS_FLAGS_CREATING_SESSION       0x00004000UL // Process is creating a session
#define PS_PROCESS_FLAGS_USING_WRITE_WATCH      0x00008000UL // Process uses the write watch APIs
#define PS_PROCESS_FLAGS_IN_SESSION             0x00010000UL // Process is in a session
#define PS_PROCESS_FLAGS_OVERRIDE_ADDRESS_SPACE 0x00020000UL // Process must use the native address space (Win64 only)
#define PS_PROCESS_FLAGS_HAS_ADDRESS_SPACE      0x00040000UL // Process has an address space
#define PS_PROCESS_FLAGS_LAUNCH_PREFETCHED      0x00080000UL // Process launch was prefetched
#define PS_PROCESS_INJECT_INPAGE_ERRORS         0x00100000UL // Process should be given inpage errors - also hardcoded in trap.asm
#define PS_PROCESS_FLAGS_VM_TOP_DOWN            0x00200000UL // Memory allocations default to top-down
#define PS_PROCESS_FLAGS_IMAGE_NOTIFY_DONE      0x00400000UL // A message has been sent for this image
#define PS_PROCESS_FLAGS_PDE_UPDATE_NEEDED      0x00800000UL // System PDEs need updating for this process (NT32 only)
#define PS_PROCESS_FLAGS_VDM_ALLOWED            0x01000000UL // Process may invoke NTVDM support
#define PS_PROCESS_FLAGS_SMAP_ALLOWED           0x02000000UL // Process may invoke SMAP support
#define PS_PROCESS_FLAGS_CREATE_FAILED          0x04000000UL // Process create failed
#define PS_PROCESS_FLAGS_DEFAULT_IO_PRIORITY    0x38000000UL // Default I/O priority for created threads (3 bits)
#define PS_PROCESS_FLAGS_PRIORITY_SHIFT         27
#define PS_PROCESS_FLAGS_EXECUTE_SPARE1         0x40000000UL // spare
#define PS_PROCESS_FLAGS_EXECUTE_SPARE2         0x80000000UL // spare

    union {
        ULONG Flags;

        // Writes go through PS_SET_BITS and the other interlocked macros
        // only. For reads, prefer the bit definitions above so that
        // references stay easy to locate.
        // NOTE(review): the masks line up with these members only if the
        // compiler allocates bit-fields from the least significant bit
        // upward - confirm for the toolchain in use.
        struct {
            ULONG CreateReported : 1;
            ULONG NoDebugInherit : 1;
            ULONG ProcessExiting : 1;
            ULONG ProcessDelete : 1;
            ULONG Wow64SplitPages : 1;
            ULONG VmDeleted : 1;
            ULONG OutswapEnabled : 1;
            ULONG Outswapped : 1;
            ULONG ForkFailed : 1;
            ULONG Wow64VaSpace4Gb : 1;
            ULONG AddressSpaceInitialized : 2;   // covers ADDRESS_SPACE1 and ADDRESS_SPACE2
            ULONG SetTimerResolution : 1;
            ULONG BreakOnTermination : 1;
            ULONG SessionCreationUnderway : 1;
            ULONG WriteWatch : 1;
            ULONG ProcessInSession : 1;
            ULONG OverrideAddressSpace : 1;
            ULONG HasAddressSpace : 1;
            ULONG LaunchPrefetched : 1;
            ULONG InjectInpageErrors : 1;
            ULONG VmTopDown : 1;
            ULONG ImageNotifyDone : 1;
            ULONG PdeUpdateNeeded : 1;           // NT32 only
            ULONG VdmAllowed : 1;
            ULONG SmapAllowed : 1;
            ULONG CreateFailed : 1;
            ULONG DefaultIoPriority : 3;         // mask 0x38000000, shift 27
            ULONG Spare1 : 1;
            ULONG Spare2 : 1;
        };
    };

    NTSTATUS ExitStatus;
    USHORT NextPageColor;

    // Subsystem version, readable either as two bytes or as one USHORT.
    union {
        struct {
            UCHAR SubSystemMinorVersion;
            UCHAR SubSystemMajorVersion;
        };
        USHORT SubSystemVersion;
    };

    UCHAR PriorityClass;
    MM_AVL_TABLE VadRoot;
    ULONG Cookie;
} EPROCESS, *PEPROCESS;

// Kernel-level process block, as posted on this page.
//
// NOTE(review): the architecture #if branches below add or drop members, so
// field offsets differ between x86, AMD64 and other targets, and the page
// does not name the kernel build. Confirm both before relying on any offset
// into this structure.
typedef struct _KPROCESS {
    // The dispatcher header and the profile list head are referenced
    // fairly infrequently.
    DISPATCHER_HEADER Header;
    LIST_ENTRY ProfileListHead;

    // Fields referenced during context switches.
    ULONG_PTR DirectoryTableBase[2];

#ifdef _X86_
    KGDTENTRY LdtDescriptor;
    KIDTENTRY Int21Descriptor;
    USHORT IopmOffset;
    UCHAR Iopl;
    BOOLEAN Unused;
#endif

#ifdef _AMD64_
    USHORT IopmOffset;
#endif

    volatile KAFFINITY ActiveProcessors;

    // Fields referenced during clock interrupts.
    ULONG KernelTime;
    ULONG UserTime;

    // Fields referenced infrequently.
    LIST_ENTRY ReadyListHead;
    SINGLE_LIST_ENTRY SwapListEntry;

#ifdef _X86_
    PVOID VdmTrapcHandler;
#else
    PVOID Reserved1;
#endif

    LIST_ENTRY ThreadListHead;
    KSPIN_LOCK ProcessLock;
    KAFFINITY Affinity;

    // N.B. The bit numbers defined here must stay in step with the
    //      bit-field that follows.
    //
    // N.B. These bits may only be written with interlocked operations.
#define KPROCESS_AUTO_ALIGNMENT_BIT 0
#define KPROCESS_DISABLE_BOOST_BIT 1
#define KPROCESS_DISABLE_QUANTUM_BIT 2

    union {
        struct {
            LONG AutoAlignment : 1;      // KPROCESS_AUTO_ALIGNMENT_BIT
            LONG DisableBoost : 1;       // KPROCESS_DISABLE_BOOST_BIT
            LONG DisableQuantum : 1;     // KPROCESS_DISABLE_QUANTUM_BIT
            LONG ReservedFlags : 29;
        };
        LONG ProcessFlags;
    };

    SCHAR BasePriority;
    SCHAR QuantumReset;
    UCHAR State;
    UCHAR ThreadSeed;
    UCHAR PowerState;
    UCHAR IdealNode;
    BOOLEAN Visited;

    // The execute options can be read as a KEXECUTE_OPTIONS value or as a
    // raw byte.
    // NOTE(review): KEXECUTE_OPTIONS is not declared on this page;
    // presumably it carries the per-process execute-protection settings,
    // which would make this an integrity-sensitive member - confirm
    // against its definition.
    union {
        KEXECUTE_OPTIONS Flags;
        UCHAR ExecuteOptions;
    };

#if !(defined(_X86_) || defined(_AMD64_))
    PALIGNMENT_EXCEPTION_TABLE AlignmentExceptionTable;
#endif

    ULONG_PTR StackCount;
    LIST_ENTRY ProcessListEntry;
} KPROCESS, *PKPROCESS, *PRKPROCESS;
