发表于:
2013-8-15 17:34
[求助]windbg dt strct _EPROCESS 不一样
dt 输出的结构是对的，但 !strct 输出的布局不一样（sizeof=504，各字段的偏移和名字都和 dt 的不同），不知道是怎么回事，求前辈解惑。
0: kd> dt _eprocess
ntdll!_EPROCESS
+0x000 Pcb : _KPROCESS
+0x06c ProcessLock : _EX_PUSH_LOCK
+0x070 CreateTime : _LARGE_INTEGER
+0x078 ExitTime : _LARGE_INTEGER
+0x080 RundownProtect : _EX_RUNDOWN_REF
+0x084 UniqueProcessId : Ptr32 Void //进程ID
+0x088 ActiveProcessLinks : _LIST_ENTRY
+0x090 QuotaUsage : [3] Uint4B
+0x09c QuotaPeak : [3] Uint4B
+0x0a8 CommitCharge : Uint4B
+0x0ac PeakVirtualSize : Uint4B
+0x0b0 VirtualSize : Uint4B
+0x0b4 SessionProcessLinks : _LIST_ENTRY
+0x0bc DebugPort : Ptr32 Void
+0x0c0 ExceptionPort : Ptr32 Void
+0x0c4 ObjectTable : Ptr32 _HANDLE_TABLE
+0x0c8 Token : _EX_FAST_REF
+0x0cc WorkingSetLock : _FAST_MUTEX
+0x0ec WorkingSetPage : Uint4B
+0x0f0 AddressCreationLock : _FAST_MUTEX
+0x110 HyperSpaceLock : Uint4B
+0x114 ForkInProgress : Ptr32 _ETHREAD
+0x118 HardwareTrigger : Uint4B
+0x11c VadRoot : Ptr32 Void
+0x120 VadHint : Ptr32 Void
+0x124 CloneRoot : Ptr32 Void
+0x128 NumberOfPrivatePages : Uint4B
+0x12c NumberOfLockedPages : Uint4B
+0x130 Win32Process : Ptr32 Void
+0x134 Job : Ptr32 _EJOB
+0x138 SectionObject : Ptr32 Void
+0x13c SectionBaseAddress : Ptr32 Void
+0x140 QuotaBlock : Ptr32 _EPROCESS_QUOTA_BLOCK
+0x144 WorkingSetWatch : Ptr32 _PAGEFAULT_HISTORY
+0x148 Win32WindowStation : Ptr32 Void
+0x14c InheritedFromUniqueProcessId : Ptr32 Void //父进程ID
+0x150 LdtInformation : Ptr32 Void
+0x154 VadFreeHint : Ptr32 Void
+0x158 VdmObjects : Ptr32 Void
+0x15c DeviceMap : Ptr32 Void
+0x160 PhysicalVadList : _LIST_ENTRY
+0x168 PageDirectoryPte : _HARDWARE_PTE_X86
+0x168 Filler : Uint8B
+0x170 Session : Ptr32 Void
+0x174 ImageFileName : [16] UChar //是一个16个字节长的字节数组,保存着进程名。
+0x184 JobLinks : _LIST_ENTRY
+0x18c LockedPagesList : Ptr32 Void
+0x190 ThreadListHead : _LIST_ENTRY
+0x198 SecurityPort : Ptr32 Void
+0x19c PaeTop : Ptr32 Void
+0x1a0 ActiveThreads : Uint4B
+0x1a4 GrantedAccess : Uint4B
+0x1a8 DefaultHardErrorProcessing : Uint4B
+0x1ac LastThreadExitStatus : Int4B
+0x1b0 Peb : Ptr32 _PEB
+0x1b4 PrefetchTrace : _EX_FAST_REF
+0x1b8 ReadOperationCount : _LARGE_INTEGER
+0x1c0 WriteOperationCount : _LARGE_INTEGER
+0x1c8 OtherOperationCount : _LARGE_INTEGER
+0x1d0 ReadTransferCount : _LARGE_INTEGER
+0x1d8 WriteTransferCount : _LARGE_INTEGER
+0x1e0 OtherTransferCount : _LARGE_INTEGER
+0x1e8 CommitChargeLimit : Uint4B
+0x1ec CommitChargePeak : Uint4B
+0x1f0 AweInfo : Ptr32 Void
+0x1f4 SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO
+0x1f8 Vm : _MMSUPPORT
+0x238 LastFaultCount : Uint4B
+0x23c ModifiedPageCount : Uint4B
+0x240 NumberOfVads : Uint4B
+0x244 JobStatus : Uint4B
+0x248 Flags : Uint4B
+0x248 CreateReported : Pos 0, 1 Bit
+0x248 NoDebugInherit : Pos 1, 1 Bit
+0x248 ProcessExiting : Pos 2, 1 Bit
+0x248 ProcessDelete : Pos 3, 1 Bit
+0x248 Wow64SplitPages : Pos 4, 1 Bit
+0x248 VmDeleted : Pos 5, 1 Bit
+0x248 OutswapEnabled : Pos 6, 1 Bit
+0x248 Outswapped : Pos 7, 1 Bit
+0x248 ForkFailed : Pos 8, 1 Bit
+0x248 HasPhysicalVad : Pos 9, 1 Bit
+0x248 AddressSpaceInitialized : Pos 10, 2 Bits
+0x248 SetTimerResolution : Pos 12, 1 Bit
+0x248 BreakOnTermination : Pos 13, 1 Bit
+0x248 SessionCreationUnderway : Pos 14, 1 Bit
+0x248 WriteWatch : Pos 15, 1 Bit
+0x248 ProcessInSession : Pos 16, 1 Bit
+0x248 OverrideAddressSpace : Pos 17, 1 Bit
+0x248 HasAddressSpace : Pos 18, 1 Bit
+0x248 LaunchPrefetched : Pos 19, 1 Bit
+0x248 InjectInpageErrors : Pos 20, 1 Bit
+0x248 VmTopDown : Pos 21, 1 Bit
+0x248 Unused3 : Pos 22, 1 Bit
+0x248 Unused4 : Pos 23, 1 Bit
+0x248 VdmAllowed : Pos 24, 1 Bit
+0x248 Unused : Pos 25, 5 Bits
+0x248 Unused1 : Pos 30, 1 Bit
+0x248 Unused2 : Pos 31, 1 Bit
+0x24c ExitStatus : Int4B
+0x250 NextPageColor : Uint2B
+0x252 SubSystemMinorVersion : UChar
+0x253 SubSystemMajorVersion : UChar
+0x252 SubSystemVersion : Uint2B
+0x254 PriorityClass : UChar
+0x255 WorkingSetAcquiredUnsafe : UChar
+0x258 Cookie : Uint4B
0: kd> !strct _eprocess
struct _EPROCESS (sizeof=504)
+000 struct _KPROCESS Pcb
+000 struct _DISPATCHER_HEADER Header
+000 byte Type
+001 byte Absolute
+002 byte Size
+003 byte Inserted
+004 int32 SignalState
+008 struct _LIST_ENTRY WaitListHead
+008 struct _LIST_ENTRY *Flink
+00c struct _LIST_ENTRY *Blink
+010 struct _LIST_ENTRY ProfileListHead
+010 struct _LIST_ENTRY *Flink
+014 struct _LIST_ENTRY *Blink
+018 uint32 DirectoryTableBase[2]
+020 struct _KGDTENTRY LdtDescriptor
+020 uint16 LimitLow
+022 uint16 BaseLow
+024 union __unnamed7 HighWord
+024 struct __unnamed8 Bytes
+024 byte BaseMid
+025 byte Flags1
+026 byte Flags2
+027 byte BaseHi
+024 struct __unnamed9 Bits
+024 bits0-7 BaseMid
+024 bits8-12 Type
+024 bits13-14 Dpl
+024 bits15-15 Pres
+024 bits16-19 LimitHi
+024 bits20-20 Sys
+024 bits21-21 Reserved_0
+024 bits22-22 Default_Big
+024 bits23-23 Granularity
+024 bits24-31 BaseHi
+028 struct _KIDTENTRY Int21Descriptor
+028 uint16 Offset
+02a uint16 Selector
+02c uint16 Access
+02e uint16 ExtendedOffset
+030 uint16 IopmOffset
+032 byte Iopl
+033 byte VdmFlag
+034 uint32 ActiveProcessors
+038 uint32 KernelTime
+03c uint32 UserTime
+040 struct _LIST_ENTRY ReadyListHead
+040 struct _LIST_ENTRY *Flink
+044 struct _LIST_ENTRY *Blink
+048 struct _LIST_ENTRY SwapListEntry
+048 struct _LIST_ENTRY *Flink
+04c struct _LIST_ENTRY *Blink
+050 struct _LIST_ENTRY ThreadListHead
+050 struct _LIST_ENTRY *Flink
+054 struct _LIST_ENTRY *Blink
+058 uint32 ProcessLock
+05c uint32 Affinity
+060 uint16 StackCount
+062 char BasePriority
+063 char ThreadQuantum
+064 byte AutoAlignment
+065 byte State
+066 byte ThreadSeed
+067 byte DisableBoost
+068 int32 ExitStatus
+06c struct _KEVENT LockEvent
+06c struct _DISPATCHER_HEADER Header
+06c byte Type
+06d byte Absolute
+06e byte Size
+06f byte Inserted
+070 int32 SignalState
+074 struct _LIST_ENTRY WaitListHead
+074 struct _LIST_ENTRY *Flink
+078 struct _LIST_ENTRY *Blink
+07c uint32 LockCount
+080 union _LARGE_INTEGER CreateTime
+080 uint32 LowPart
+084 int32 HighPart
+080 struct __unnamed3 u
+080 uint32 LowPart
+084 int32 HighPart
+080 int64 QuadPart
+088 union _LARGE_INTEGER ExitTime
+088 uint32 LowPart
+08c int32 HighPart
+088 struct __unnamed3 u
+088 uint32 LowPart
+08c int32 HighPart
+088 int64 QuadPart
+090 struct _KTHREAD *LockOwner
+094 void *UniqueProcessId
+098 struct _LIST_ENTRY ActiveProcessLinks
+098 struct _LIST_ENTRY *Flink
+09c struct _LIST_ENTRY *Blink
+0a0 uint32 QuotaPeakPoolUsage[2]
+0a8 uint32 QuotaPoolUsage[2]
+0b0 uint32 PagefileUsage
+0b4 uint32 CommitCharge
+0b8 uint32 PeakPagefileUsage
+0bc uint32 PeakVirtualSize
+0c0 uint32 VirtualSize
+0c8 struct _MMSUPPORT Vm
+0c8 union _LARGE_INTEGER LastTrimTime
+0c8 uint32 LowPart
+0cc int32 HighPart
+0c8 struct __unnamed3 u
+0c8 uint32 LowPart
+0cc int32 HighPart
+0c8 int64 QuadPart
+0d0 uint32 LastTrimFaultCount
+0d4 uint32 PageFaultCount
+0d8 uint32 PeakWorkingSetSize
+0dc uint32 WorkingSetSize
+0e0 uint32 MinimumWorkingSetSize
+0e4 uint32 MaximumWorkingSetSize
+0e8 *VmWorkingSetList
+0ec struct _LIST_ENTRY WorkingSetExpansionLinks
+0ec struct _LIST_ENTRY *Flink
+0f0 struct _LIST_ENTRY *Blink
+0f4 byte AllowWorkingSetAdjustment
+0f5 byte AddressSpaceBeingDeleted
+0f6 byte ForegroundSwitchCount
+0f7 byte MemoryPriority
+0f8 void *LastProtoPteFault
+0fc void *DebugPort
+100 void *ExceptionPort
+104 struct _HANDLE_TABLE *ObjectTable
+108 void *Token
+10c struct _FAST_MUTEX WorkingSetLock
+10c int32 Count
+110 struct _KTHREAD *Owner
+114 uint32 Contention
+118 struct _KEVENT Event
+118 struct _DISPATCHER_HEADER Header
+118 byte Type
+119 byte Absolute
+11a byte Size
+11b byte Inserted
+11c int32 SignalState
+120 struct _LIST_ENTRY WaitListHead
+120 struct _LIST_ENTRY *Flink
+124 struct _LIST_ENTRY *Blink
+128 uint32 OldIrql
+12c uint32 WorkingSetPage
+130 byte ProcessOutswapEnabled
+131 byte ProcessOutswapped
+132 byte AddressSpaceInitialized
+133 byte AddressSpaceDeleted
+134 struct _FAST_MUTEX AddressCreationLock
+134 int32 Count
+138 struct _KTHREAD *Owner
+13c uint32 Contention
+140 struct _KEVENT Event
+140 struct _DISPATCHER_HEADER Header
+140 byte Type
+141 byte Absolute
+142 byte Size
+143 byte Inserted
+144 int32 SignalState
+148 struct _LIST_ENTRY WaitListHead
+148 struct _LIST_ENTRY *Flink
+14c struct _LIST_ENTRY *Blink
+150 uint32 OldIrql
+154 uint32 HyperSpaceLock
+158 struct _ETHREAD *ForkInProgress
+15c uint16 VmOperation
+15e byte ForkWasSuccessful
+15f byte MmAgressiveWsTrimMask
+160 struct _KEVENT *VmOperationEvent
+164 struct _HARDWARE_PTE PageDirectoryPte
+164 bits0-0 Valid
+164 bits1-1 Write
+164 bits2-2 Owner
+164 bits3-3 WriteThrough
+164 bits4-4 CacheDisable
+164 bits5-5 Accessed
+164 bits6-6 Dirty
+164 bits7-7 LargePage
+164 bits8-8 Global
+164 bits9-9 CopyOnWrite
+164 bits10-10 Prototype
+164 bits11-11 reserved
+164 bits12-31 PageFrameNumber
+168 uint32 LastFaultCount
+16c uint32 ModifiedPageCount
+170 void *VadRoot
+174 void *VadHint
+178 void *CloneRoot
+17c uint32 NumberOfPrivatePages
+180 uint32 NumberOfLockedPages
+184 uint16 NextPageColor
+186 byte ExitProcessCalled
+187 byte CreateProcessReported
+188 void *SectionHandle
+18c struct _PEB *Peb
+190 void *SectionBaseAddress
+194 struct _EPROCESS_QUOTA_BLOCK *QuotaBlock
+198 int32 LastThreadExitStatus
+19c struct _PAGEFAULT_HISTORY *WorkingSetWatch
+1a0 void *Win32WindowStation
+1a4 void *InheritedFromUniqueProcessId
+1a8 uint32 GrantedAccess
+1ac uint32 DefaultHardErrorProcessing
+1b0 void *LdtInformation
+1b4 void *VadFreeHint
+1b8 void *VdmObjects
+1bc struct _KMUTANT ProcessMutant
+1bc struct _DISPATCHER_HEADER Header
+1bc byte Type
+1bd byte Absolute
+1be byte Size
+1bf byte Inserted
+1c0 int32 SignalState
+1c4 struct _LIST_ENTRY WaitListHead
+1c4 struct _LIST_ENTRY *Flink
+1c8 struct _LIST_ENTRY *Blink
+1cc struct _LIST_ENTRY MutantListEntry
+1cc struct _LIST_ENTRY *Flink
+1d0 struct _LIST_ENTRY *Blink
+1d4 struct _KTHREAD *OwnerThread
+1d8 byte Abandoned
+1d9 byte ApcDisable
+1dc byte ImageFileName[16]
+1ec uint32 VmTrimFaultValue
+1f0 byte SetTimerResolution
+1f1 byte PriorityClass
+1f2 byte SubSystemMinorVersion
+1f3 byte SubSystemMajorVersion
+1f2 uint16 SubSystemVersion
+1f4 void *Win32Process