执行体层位于内核层之上,它侧重于提供各种管理策略,同时为上层应用层程序提供基本的功能接口。
// Process structure.
//
// If you remove a field from this structure, please also
// remove the reference to it from within the kernel debugger
// (nt\private\sdktools\ntsd\ntkext.c)
//
typedef struct _EPROCESS {
KPROCESS Pcb;//KPROCESS内嵌结构体,所以一个进程的KPROCESS和EPROCESS对象地址是相同的。
//
// Lock used to protect:
// The list of threads in the process.
// Process token.
// Win32 process field.
// Process and thread affinity setting.
//
EX_PUSH_LOCK ProcessLock;//(push block)用于保护EPROCESS中的数据成员。
LARGE_INTEGER CreateTime;
LARGE_INTEGER ExitTime;
//
// Structure to allow lock free cross process access to the process
// handle table, process section and address space. Acquire rundown
// protection with this if you do cross process handle table, process
// section or address space references.
//
EX_RUNDOWN_REF RundownProtect;
HANDLE UniqueProcessId;//是进程的唯一编号,在进程创建时设定。
//
// Global list of all processes in the system. Processes are removed
// from this list in the object deletion routine. References to
// processes in this list must be done with ObReferenceObjectSafe
// because of this.
//
LIST_ENTRY ActiveProcessLinks;
//
// Quota Fields.
//
SIZE_T QuotaUsage[PsQuotaTypes];//一个进程内存使用量
SIZE_T QuotaPeak[PsQuotaTypes];//尖峰使用量
SIZE_T CommitCharge;//虚拟内存已提交的页面数量
//
// VmCounters.
//
SIZE_T PeakVirtualSize;
SIZE_T VirtualSize;//指定一个进程虚拟内存大小
LIST_ENTRY SessionProcessLinks;
//当一个进程中的线程发生用户模式异常时,内核的异常处理例程在处理异常过程中,将向该进程的异常端口或调试端口发送消息,从而使这些端口的接收方(调试器或Windows子系统)能够处理该异常。
PVOID DebugPort;//指向调试端口
PVOID ExceptionPort;//指向异常端口
PHANDLE_TABLE ObjectTable;//进程的句柄表,包含了所有已被该进程打开的那些对象的引用。
//
// Security.
//
EX_FAST_REF Toke