The EPROCESS structure in Windows versions

This article dissects the 32-bit EPROCESS structure of Windows XP as printed by the WinDbg dt command with one level of member expansion (the original summary also names Vista, but only the XP dump is included below), covering its memory layout and key fields such as Pcb, DirectoryTableBase and QuotaUsage, to show how the kernel represents and manages a process.

A few fields deserve marking for security work, because their offsets are build-specific and are exactly what kernel exploits, rootkits and memory-forensics tools hard-code for this version: UniqueProcessId (+0x084); ActiveProcessLinks (+0x088, the doubly linked ring through every EPROCESS that a DKOM rootkit unlinks to hide a process); Token (+0x0c8, an _EX_FAST_REF whose low three bits hold a reference count, so the value 0xe10772a3 below means token object 0xe10772a0 with RefCnt 3); ImageFileName (+0x174, 16 bytes); and DirectoryTableBase (+0x018, the physical address of the page directory, 0x2807000 here). Two caveats when reading the dump. First, lines whose offsets restart at +0x000 directly below a field of structured type are dt expansions of that field, and their offsets are relative to that field, not to EPROCESS. Second, the Peb expansion at +0x1b0 is a user-mode address (0x7ffde000) that was dereferenced in the wrong process context: its contents are inconsistent (Ldr is null, ImageBaseAddress reads 0x00a8e000 while the kernel's SectionBaseAddress is 0x00400000), so they are not this process's PEB. To read it correctly, switch to the process first with .process /p /r <EPROCESS address> (this process lives at 0xffbcc020, as the QuotaProcess back-pointer and the ActiveProcessLinks addresses show) and then run dt nt!_PEB 0x7ffde000.

Windows XP (32-bit), dt _EPROCESS output with one level of member expansion:

+0x000 Pcb : _KPROCESS
   +0x000 Header : _DISPATCHER_HEADER
   +0x010 ProfileListHead : _LIST_ENTRY [ 0xffbcc030 - 0xffbcc030 ]
   +0x018 DirectoryTableBase : [2] 0x2807000
   +0x020 LdtDescriptor : _KGDTENTRY
   +0x028 Int21Descriptor : _KIDTENTRY
   +0x030 IopmOffset : 0x20ac
   +0x032 Iopl : 0 ''
   +0x033 Unused : 0 ''
   +0x034 ActiveProcessors : 0
   +0x038 KernelTime : 0xf
   +0x03c UserTime : 1
   +0x040 ReadyListHead : _LIST_ENTRY [ 0xffbcc060 - 0xffbcc060 ]
   +0x048 SwapListEntry : _SINGLE_LIST_ENTRY
   +0x04c VdmTrapcHandler : (null)
   +0x050 ThreadListHead : _LIST_ENTRY [ 0x80d946b8 - 0x80ee61d0 ]
   +0x058 ProcessLock : 0
   +0x05c Affinity : 1
   +0x060 StackCount : 2
   +0x062 BasePriority : 8 ''
   +0x063 ThreadQuantum : 6 ''
   +0x064 AutoAlignment : 0 ''
   +0x065 State : 0 ''
   +0x066 ThreadSeed : 0 ''
   +0x067 DisableBoost : 0 ''
   +0x068 PowerState : 0 ''
   +0x069 DisableQuantum : 0 ''
   +0x06a IdealNode : 0 ''
   +0x06b Flags : _KEXECUTE_OPTIONS
   +0x06b ExecuteOptions : 0x32 '2'
+0x06c ProcessLock : _EX_PUSH_LOCK
   +0x000 Waiting : 0y0
   +0x000 Exclusive : 0y0
   +0x000 Shared : 0y000000000000000000000000000000 (0)
   +0x000 Value : 0
   +0x000 Ptr : (null)
+0x070 CreateTime : _LARGE_INTEGER 0x1c8afe7`be99a666
   +0x000 LowPart : 0xbe99a666
   +0x004 HighPart : 29929447
   +0x000 u : __unnamed
   +0x000 QuadPart : 128545999250105958
+0x078 ExitTime : _LARGE_INTEGER 0x0
   +0x000 LowPart : 0
   +0x004 HighPart : 0
   +0x000 u : __unnamed
   +0x000 QuadPart : 0
+0x080 RundownProtect : _EX_RUNDOWN_REF
   +0x000 Count : 0
   +0x000 Ptr : (null)
+0x084 UniqueProcessId : 0x000007ac
+0x088 ActiveProcessLinks : _LIST_ENTRY [ 0x805616d8 - 0x80ee6840 ]
   +0x000 Flink : 0x805616d8 _LIST_ENTRY [ 0x80ede0a8 - 0xffbcc0a8 ]
   +0x004 Blink : 0x80ee6840 _LIST_ENTRY [ 0xffbcc0a8 - 0x80d7bcb8 ]
+0x090 QuotaUsage : [3] 0xb18
+0x09c QuotaPeak : [3] 0xbb8
+0x0a8 CommitCharge : 0x1a8
+0x0ac PeakVirtualSize : 0x203e000
+0x0b0 VirtualSize : 0x1e71000
+0x0b4 SessionProcessLinks : _LIST_ENTRY [ 0xfb087014 - 0x80ee686c ]
   +0x000 Flink : 0xfb087014 _LIST_ENTRY [ 0x80eade54 - 0xffbcc0d4 ]
   +0x004 Blink : 0x80ee686c _LIST_ENTRY [ 0xffbcc0d4 - 0x80d7bce4 ]
+0x0bc DebugPort : (null)
+0x0c0 ExceptionPort : 0xe13c96b8
+0x0c4 ObjectTable : 0xe1cd4958 _HANDLE_TABLE
   +0x000 TableCode : 0xe1060000
   +0x004 QuotaProcess : 0xffbcc020 _EPROCESS
   +0x008 UniqueProcessId : 0x000007ac
   +0x00c HandleTableLock : [4] _EX_PUSH_LOCK
   +0x01c HandleTableList : _LIST_ENTRY [ 0x805629c8 - 0xe1640594 ]
   +0x024 HandleContentionEvent : _EX_PUSH_LOCK
   +0x028 DebugInfo : (null)
   +0x02c ExtraInfoPages : 0
   +0x030 FirstFree : 0x11c
   +0x034 LastFree : 0
   +0x038 NextHandleNeedingPool : 0x800
   +0x03c HandleCount : 70
   +0x040 Flags : 0
   +0x040 StrictFIFO : 0y0
+0x0c8 Token : _EX_FAST_REF
   +0x000 Object : 0xe10772a3
   +0x000 RefCnt : 0y011
   +0x000 Value : 0xe10772a3
+0x0cc WorkingSetLock : _FAST_MUTEX
   +0x000 Count : 1
   +0x004 Owner : 0xfacfa608 _KTHREAD
   +0x008 Contention : 0
   +0x00c Event : _KEVENT
   +0x01c OldIrql : 0
+0x0ec WorkingSetPage : 0x1e0a
+0x0f0 AddressCreationLock : _FAST_MUTEX
   +0x000 Count : 1
   +0x004 Owner : 0xfacfacf4 _KTHREAD
   +0x008 Contention : 0
   +0x00c Event : _KEVENT
   +0x01c OldIrql : 0
+0x110 HyperSpaceLock : 0
+0x114 ForkInProgress : (null)
+0x118 HardwareTrigger : 0
+0x11c VadRoot : 0x80e2d1f0
+0x120 VadHint : 0xffb6f870
+0x124 CloneRoot : (null)
+0x128 NumberOfPrivatePages : 0xd8
+0x12c NumberOfLockedPages : 0
+0x130 Win32Process : 0xe1062680
+0x134 Job : (null)
+0x138 SectionObject : 0xe1cfe480
+0x13c SectionBaseAddress : 0x00400000
+0x140 QuotaBlock : 0xffbcc498 _EPROCESS_QUOTA_BLOCK
   +0x000 QuotaEntry : [3] _EPROCESS_QUOTA_ENTRY
   +0x030 QuotaList : _LIST_ENTRY [ 0xffb46518 - 0x80d4fda8 ]
   +0x038 ReferenceCount : 0x25a
   +0x03c ProcessCount : 6
+0x144 WorkingSetWatch : (null)
+0x148 Win32WindowStation : 0x00000034
+0x14c InheritedFromUniqueProcessId : 0x00000670
+0x150 LdtInformation : (null)
+0x154 VadFreeHint : (null)
+0x158 VdmObjects : (null)
+0x15c DeviceMap : 0xe18ed570
+0x160 PhysicalVadList : _LIST_ENTRY [ 0xffb66348 - 0xffb66348 ]
   +0x000 Flink : 0xffb66348 _LIST_ENTRY [ 0xffbcc180 - 0xffbcc180 ]
   +0x004 Blink : 0xffb66348 _LIST_ENTRY [ 0xffbcc180 - 0xffbcc180 ]
+0x168 PageDirectoryPte : _HARDWARE_PTE
   +0x000 Valid : 0y0
   +0x000 Write : 0y0
   +0x000 Owner : 0y0
   +0x000 WriteThrough : 0y0
   +0x000 CacheDisable : 0y0
   +0x000 Accessed : 0y0
   +0x000 Dirty : 0y0
   +0x000 LargePage : 0y0
   +0x000 Global : 0y0
   +0x000 CopyOnWrite : 0y0
   +0x000 Prototype : 0y0
   +0x000 reserved : 0y0
   +0x000 PageFrameNumber : 0y00000000000000000000 (0)
+0x168 Filler : 0
+0x170 Session : 0xfb087000
+0x174 ImageFileName : [16] "Dbgview.exe"
+0x184 JobLinks : _LIST_ENTRY [ 0x0 - 0x0 ]
   +0x000 Flink : (null)
   +0x004 Blink : (null)
+0x18c LockedPagesList : (null)
+0x190 ThreadListHead : _LIST_ENTRY [ 0x80d94734 - 0x80ee624c ]
   +0x000 Flink : 0x80d94734 _LIST_ENTRY [ 0x80ee624c - 0xffbcc1b0 ]
   +0x004 Blink : 0x80ee624c _LIST_ENTRY [ 0xffbcc1b0 - 0x80d94734 ]
+0x198 SecurityPort : (null)
+0x19c PaeTop : (null)
+0x1a0 ActiveThreads : 2
+0x1a4 GrantedAccess : 0x1f0fff
+0x1a8 DefaultHardErrorProcessing : 1
+0x1ac LastThreadExitStatus : 0
+0x1b0 Peb : 0x7ffde000 _PEB
   +0x000 InheritedAddressSpace : 0xdc ''
   +0x001 ReadImageFileExecOptions : 0xff ''
   +0x002 BeingDebugged : 0xa8 ''
   +0x003 SpareBool : 0 ''
   +0x004 Mutant : 0x00a90000
   +0x008 ImageBaseAddress : 0x00a8e000
   +0x00c Ldr : (null)
   +0x010 ProcessParameters : 0x00001e00 _RTL_USER_PROCESS_PARAMETERS
   +0x014 SubSystemData : (null)
   +0x018 ProcessHeap : 0x7ffde000
   +0x01c FastPebLock : (null)
   +0x020 FastPebLockRoutine : 0x0000073c
   +0x024 FastPebUnlockRoutine : 0x00000760
   +0x028 EnvironmentUpdateCount : 0
   +0x02c KernelCallbackTable : (null)
   +0x030 SystemReserved : [1] 0x7ffdd000
   +0x034 AtlThunkSListPtr32 : 0
   +0x038 FreeList : (null)
   +0x03c TlsExpansionCounter : 0
   +0x040 TlsBitmap : 0xe11a1008
   +0x044 TlsBitmapBits : [2] 0
   +0x04c ReadOnlySharedMemoryBase : (null)
   +0x050 ReadOnlySharedMemoryHeap : (null)
   +0x054 ReadOnlyStaticServerData : (null)
   +0x058 AnsiCodePageData : (null)
   +0x05c OemCodePageData : (null)
   +0x060 UnicodeCaseTableData : (null)
   +0x064 NumberOfProcessors : 0
   +0x068 NtGlobalFlag : 0
   +0x070 CriticalSectionTimeout : _LARGE_INTEGER 0x0
   +0x078 HeapSegmentReserve : 0
   +0x07c HeapSegmentCommit : 0
   +0x080 HeapDeCommitTotalFreeThreshold : 0
   +0x084 HeapDeCommitFreeBlockThreshold : 0
   +0x088 NumberOfHeaps : 0
   +0x08c MaximumNumberOfHeaps : 0
   +0x090 ProcessHeaps : (null)
   +0x094 GdiSharedHandleTable : (null)
   +0x098 ProcessStarterHelper : (null)
   +0x09c GdiDCAttributeList : 0
   +0x0a0 LoaderLock : (null)
   +0x0a4 OSMajorVersion : 0
   +0x0a8 OSMinorVersion : 0
   +0x0ac OSBuildNumber : 0
   +0x0ae OSCSDVersion : 0
   +0x0b0 OSPlatformId : 0
   +0x0b4 ImageSubsystem : 0
   +0x0b8 ImageSubsystemMajorVersion : 0
   +0x0bc ImageSubsystemMinorVersion : 0
   +0x0c0 ImageProcessAffinityMask : 0
   +0x0c4 GdiHandleBuffer : [34] 0x804
   +0x14c PostProcessInitRoutine : (null)
   +0x150 TlsExpansionBitmap : (null)
   +0x154 TlsExpansionBitmapBits : [32] 0
   +0x1d4 SessionId : 0
   +0x1d8 AppCompatFlags : _ULARGE_INTEGER 0x0
   +0x1e0 AppCompatFlagsUser : _ULARGE_INTEGER 0x0
   +0x1e8 pShimData : (null)
   +0x1ec AppCompatInfo : (null)
   +0x1f0 CSDVersion : _UNICODE_STRING ""
   +0x1f8 ActivationContextData : (null)
   +0x1fc ProcessAssemblyStorageMap : (null)
   +0x200 SystemDefaultActivationContextData : (null)
   +0x204 SystemAssemblyStorageMap : (null)
   +0x208 MinimumStackCommit : 0
+0x1b4 PrefetchTrace : _EX_FAST_REF
   +0x000 Object : (null)
   +0x000 RefCnt : 0y000
   +0x000 Value : 0
+0x1b8 ReadOperationCount : _LARGE_INTEGER 0x4
   +0x000 LowPart : 4
   +0x004 HighPart : 0
   +0x000 u : __unnamed
   +0x000 QuadPart : 4
+0x1c0 WriteOperationCount : _LARGE_INTEGER 0x5
   +0x000 LowPart : 5
   +0x004 HighPart : 0
   +0x000 u : __unnamed
   +0x000 QuadPart : 5
+0x1c8 OtherOperationCount : _LARGE_INTEGER 0x1a0
   +0x000 LowPart : 0x1a0
   +0x004 HighPart : 0
   +0x000 u : __unnamed
   +0x000 QuadPart : 416
+0x1d0 ReadTransferCount : _LARGE_INTEGER 0x4f12
   +0x000 LowPart : 0x4f12
   +0x004 HighPart : 0
   +0x000 u : __unnamed
   +0x000 QuadPart : 20242
+0x1d8 WriteTransferCount : _LARGE_INTEGER 0x34d8
   +0x000 LowPart : 0x34d8
   +0x004 HighPart : 0
   +0x000 u : __unnamed
   +0x000 QuadPart : 13528
+0x1e0 OtherTransferCount : _LARGE_INTEGER 0x18420
   +0x000 LowPart : 0x18420
   +0x004 HighPart : 0
   +0x000 u : __unnamed
   +0x000 QuadPart : 99360
+0x1e8 CommitChargeLimit : 0
+0x1ec CommitChargePeak : 0x1a8
+0x1f0 AweInfo : (null)
+0x1f4 SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO
   +0x000 ImageFileName : 0x80d4b810 _OBJECT_NAME_INFORMATION
+0x1f8 Vm : _MMSUPPORT
   +0x000 LastTrimTime : _LARGE_INTEGER 0x1c8afe7`be97440c
   +0x008 Flags : _MMSUPPORT_FLAGS
   +0x00c PageFaultCount : 0x435
   +0x010 PeakWorkingSetSize : 0x3fb
   +0x014 WorkingSetSize : 0x3fb
   +0x018 MinimumWorkingSetSize : 0x32
   +0x01c MaximumWorkingSetSize : 0x159
   +0x020 VmWorkingSetList : 0xc0503000 _MMWSL
   +0x024 WorkingSetExpansionLinks : _LIST_ENTRY [ 0x8055fc50 - 0x80ee69d4 ]
   +0x02c Claim : 8
   +0x030 NextEstimationSlot : 0x169
   +0x034 NextAgingSlot : 0x14
   +0x038 EstimatedAvailable : 8
   +0x03c GrowthSinceLastEstimate : 0
+0x238 LastFaultCount : 0
+0x23c ModifiedPageCount : 7
+0x240 NumberOfVads : 0x45
+0x244 JobStatus : 0
+0x248 Flags : 0xd0a00
+0x248 CreateReported : 0y0
+0x248 NoDebugInherit : 0y0
+0x248 ProcessExiting : 0y0
+0x248 ProcessDelete : 0y0
+0x248 Wow64SplitPages : 0y0
+0x248 VmDeleted : 0y0
+0x248 OutswapEnabled : 0y0
+0x248 Outswapped : 0y0
+0x248 ForkFailed : 0y0
+0x248 HasPhysicalVad : 0y1
+0x248 AddressSpaceInitialized : 0y10
+0x248 SetTimerResolution : 0y0
+0x248 BreakOnTermination : 0y0
+0x248 SessionCreationUnderway : 0y0
+0x248 WriteWatch : 0y0
+0x248 ProcessInSession : 0y1
+0x248 OverrideAddressSpace : 0y0
+0x248 HasAddressSpace : 0y1
+0x248 LaunchPrefetched : 0y1
+0x248 InjectInpageErrors : 0y0
+0x248 VmTopDown : 0y0
+0x248 Unused3 : 0y0
+0x248 Unused4 : 0y0
+0x248 VdmAllowed : 0y0
+0x248 Unused : 0y00000 (0)
+0x248 Unused1 : 0y0
+0x248 Unused2 : 0y0
+0x24c ExitStatus : 259
+0x250 NextPageColor : 0x79e0
+0x252 SubSystemMinorVersion : 0 ''
+0x253 SubSystemMajorVersion : 0x4
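The following C program is an added example, not code from the original page. It takes the four offsets a tool would hard-code from the XP dump above (UniqueProcessId +0x084, ActiveProcessLinks +0x088, Token +0x0c8, ImageFileName +0x174) and applies them to a constructed 32-bit "kernel memory" image in user mode: it walks the ActiveProcessLinks ring the way PsActiveProcessHead consumers do (CONTAINING_RECORD, entry address minus 0x88), decodes the Token _EX_FAST_REF, unlinks one entry as a DKOM rootkit would, and then shows that a carving scan keyed on UniqueProcessId and ImageFileName still finds the hidden process. The image base 0x80d00000, the three slot addresses, the list head address, and the System/cmd.exe entries are assumptions for the example; only Dbgview.exe's PID 0x7ac and Token value 0xe10772a3 come from the page.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Field offsets copied from the XP 32-bit _EPROCESS dump above. */
#define OFF_UNIQUEPROCESSID    0x084u
#define OFF_ACTIVEPROCESSLINKS 0x088u  /* _LIST_ENTRY { Flink, Blink }, 4-byte pointers */
#define OFF_TOKEN              0x0c8u  /* _EX_FAST_REF */
#define OFF_IMAGEFILENAME      0x174u  /* char[16] */
#define EPROCESS_SPAN          0x254u  /* bytes through SubSystemMajorVersion at +0x253 */

/* Constructed "kernel memory" image. IMG_BASE, HEAD_VA and the slot addresses are
 * assumptions for this example, not addresses from the page. Host assumed little-endian. */
#define IMG_BASE 0x80d00000u
#define IMG_SIZE 0x2000u
#define HEAD_VA  IMG_BASE              /* stands in for nt!PsActiveProcessHead */
static uint8_t kmem[IMG_SIZE];
static const uint32_t slot_va[3] = { IMG_BASE + 0x100u, IMG_BASE + 0x400u, IMG_BASE + 0x700u };

static int in_image(uint32_t va, uint32_t len) {
    return va >= IMG_BASE && (va - IMG_BASE) + len <= IMG_SIZE;
}
static uint32_t rd32(uint32_t va) {
    uint32_t v = 0;
    if (in_image(va, 4)) memcpy(&v, kmem + (va - IMG_BASE), 4);
    return v;
}
static void wr32(uint32_t va, uint32_t v) {
    if (in_image(va, 4)) memcpy(kmem + (va - IMG_BASE), &v, 4);
}
static const char *name_at(uint32_t eproc) {
    return (const char *)kmem + (eproc - IMG_BASE) + OFF_IMAGEFILENAME;
}

/* _EX_FAST_REF: an 8-byte-aligned object pointer with a 3-bit reference count in the low bits. */
uint32_t fast_ref_object(uint32_t ref) { return ref & ~7u; }
uint32_t fast_ref_count(uint32_t ref)  { return ref & 7u; }
uint32_t pid_of(uint32_t eproc)   { return rd32(eproc + OFF_UNIQUEPROCESSID); }
uint32_t token_of(uint32_t eproc) { return rd32(eproc + OFF_TOKEN); }

/* Place three processes and link them into a ring through ActiveProcessLinks, head first.
 * Dbgview.exe reuses the PID and Token value from the page; the other two are constructed.
 * Returns the number of processes placed. */
int build_image(void) {
    const uint32_t pids[3]   = { 4u, 0x7acu, 0x123u };
    const uint32_t tokens[3] = { 0xe1000ba3u, 0xe10772a3u, 0xe1022c01u };
    const char *names[3]     = { "System", "Dbgview.exe", "cmd.exe" };
    uint32_t prev = HEAD_VA;
    memset(kmem, 0, sizeof kmem);
    for (int i = 0; i < 3; i++) {
        uint32_t link = slot_va[i] + OFF_ACTIVEPROCESSLINKS;
        wr32(slot_va[i] + OFF_UNIQUEPROCESSID, pids[i]);
        wr32(slot_va[i] + OFF_TOKEN, tokens[i]);
        memcpy(kmem + (slot_va[i] - IMG_BASE) + OFF_IMAGEFILENAME, names[i], strlen(names[i]) + 1);
        wr32(prev, link);      /* prev.Flink = this entry's ActiveProcessLinks */
        wr32(link + 4, prev);  /* this.Blink = prev */
        prev = link;
    }
    wr32(prev, HEAD_VA);       /* close the ring back to the head */
    wr32(HEAD_VA + 4, prev);
    return 3;
}

/* CONTAINING_RECORD-style walk: Flink points at the ActiveProcessLinks field, so the
 * EPROCESS is link - 0x88. Bounded so a corrupted pointer cannot spin forever. */
int count_active(void) {
    int n = 0;
    for (uint32_t link = rd32(HEAD_VA); link != HEAD_VA && n < 64; link = rd32(link)) {
        if (!in_image(link - OFF_ACTIVEPROCESSLINKS, EPROCESS_SPAN)) break;
        n++;
    }
    return n;
}

uint32_t find_by_name(const char *name) {
    int n = 0;
    for (uint32_t link = rd32(HEAD_VA); link != HEAD_VA && n < 64; link = rd32(link), n++) {
        uint32_t eproc = link - OFF_ACTIVEPROCESSLINKS;
        if (!in_image(eproc, EPROCESS_SPAN)) break;
        if (strncmp(name_at(eproc), name, 16) == 0) return eproc;
    }
    return 0;
}

/* DKOM hide: splice the entry out of the ring and point its links at itself, so the process
 * keeps running (threads are scheduled via KPROCESS.ThreadListHead, not this list) but no
 * longer appears to anything that enumerates PsActiveProcessHead. */
int dkom_unlink(uint32_t eproc) {
    if (!in_image(eproc, EPROCESS_SPAN)) return 0;
    uint32_t link  = eproc + OFF_ACTIVEPROCESSLINKS;
    uint32_t flink = rd32(link), blink = rd32(link + 4);
    wr32(blink, flink);      /* Blink->Flink = Flink */
    wr32(flink + 4, blink);  /* Flink->Blink = Blink */
    wr32(link, link);        /* self-loop keeps a later RemoveEntryList() harmless */
    wr32(link + 4, link);
    return 1;
}

/* Forensic cross-check that does not trust the list: carve the image for any 8-byte-aligned
 * candidate whose UniqueProcessId matches and whose ImageFileName starts with printable text. */
uint32_t scan_for_pid(uint32_t pid) {
    for (uint32_t va = IMG_BASE; in_image(va, EPROCESS_SPAN); va += 8) {
        if (rd32(va + OFF_UNIQUEPROCESSID) != pid) continue;
        unsigned char c = (unsigned char)name_at(va)[0];
        if (c >= 0x20 && c < 0x7f) return va;
    }
    return 0;
}

int main(void) {
    build_image();
    uint32_t dbg = find_by_name("Dbgview.exe");
    printf("list walk: %d processes; Dbgview.exe at %#x, pid %#x, token object %#x (refcnt %u)\n",
           count_active(), (unsigned)dbg, (unsigned)pid_of(dbg),
           (unsigned)fast_ref_object(token_of(dbg)), (unsigned)fast_ref_count(token_of(dbg)));
    dkom_unlink(dbg);
    printf("after DKOM unlink: list walk %d processes, pid scan still finds %#x\n",
           count_active(), (unsigned)scan_for_pid(0x7acu));
    return 0;
}
```

The lesson for both sides is the same: these offsets are a contract with one kernel build, so anything that embeds them (token-stealing shellcode, a rootkit, a memory-forensics profile) must key them to the exact version, and a process listing built only from ActiveProcessLinks is not evidence that nothing is hidden. Real carving tools also check the pool tag and the _DISPATCHER_HEADER of the candidate, which the dump above does not expand.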
