
[求助]PEPROCESS定义在哪个头文件啊

2016-8-22 21:26
6577
如题。
我用的是 VC++，在论坛看到有人发了个内核读写内存的帖子，
我就直接把整段函数复制搬了过来：
/*
 * ReadProcessMemory - copy ulLen bytes that start at pStart in the address
 * space of pstEProcess into pucBuff.
 *
 * This is the forum-posted routine the question is about. It works by
 * temporarily loading CR3 with the target's page-directory base so that the
 * target's virtual addresses resolve during a plain RtlCopyMemory. The name
 * collides with the Win32 API ReadProcessMemory (different signature), so
 * rename it if the file is ever compiled together with user-mode headers.
 *
 * Parameters:
 *   pstEProcess - target process; only Pcb.DirectoryTableBase[0] is read.
 *   pucBuff     - destination buffer. It has to be kernel-mode memory: once
 *                 CR3 is replaced, the caller's user-mode mappings are no
 *                 longer reachable (kernel space is shared by all page tables).
 *   pStart      - source address, interpreted in the target process.
 *   ulLen       - number of bytes to copy. Not validated.
 *
 * Returns: STATUS_SUCCESS unconditionally - there is no failure path.
 *
 * NOTE(review) - risks to understand before reusing this:
 *   - Nothing checks that [pStart, pStart + ulLen) is mapped and readable.
 *     A fault inside RtlCopyMemory happens while a foreign CR3 is loaded and
 *     nothing here handles it (most likely a bugcheck). The documented route
 *     is KeStackAttachProcess/KeUnstackDetachProcess with ProbeForRead inside
 *     __try/__except, not a manual CR3 swap.
 *   - Interrupts are re-enabled (sti) before the copy, so the copy can be
 *     preempted while CR3 still points at the target. Presumably the
 *     scheduler reloads CR3 from the running thread's own process on the way
 *     back, leaving the remainder of the copy reading the wrong address
 *     space - confirm against the target kernel, but do not rely on it.
 *   - 32-bit x86 only: CR3 and the directory base are kept in ULONG although
 *     KPROCESS.DirectoryTableBase is ULONG_PTR, and the _asm blocks use
 *     32-bit registers (MSVC has no _asm support for x64 at all).
 *   - cli/sti change the interrupt flag behind the kernel's back; its IRQL
 *     bookkeeping does not see this, so any IRQL or preemption assumptions
 *     the caller makes are void between the two.
 */
NTSTATUS ReadProcessMemory(PEPROCESS pstEProcess, PUCHAR pucBuff, PVOID pStart, ULONG ulLen)
{
  PKPROCESS pstKProcess = NULL;
  PEPROCESS pstCurrent = NULL;   /* unused */
  ULONG ulPDT = 0;               /* target page-directory base (value loaded into CR3) */
  ULONG ulOldCr3 = 0;            /* caller's CR3, restored at the end */

  pstKProcess = &pstEProcess->Pcb;
  ulPDT = pstKProcess->DirectoryTableBase[0];

  // Save the current CR3 and load the target's page directory, with
  // interrupts disabled so nothing runs in between.
  _asm
  {
    cli;
    mov eax, cr3;
    mov ulOldCr3, eax;
    mov eax, ulPDT;
    mov cr3, eax
  }
  _asm sti;
  RtlCopyMemory(pucBuff, pStart, ulLen); // copy directly; the target's page tables are active here
  _asm cli;
  // Restore the caller's CR3, again with interrupts disabled.
  _asm
  {
    mov eax, ulOldCr3;
    mov cr3, eax;
    sti;
  }
  return STATUS_SUCCESS;
}

但是下面这两句：
pstKProcess = &pstEProcess->Pcb;
  ulPDT = pstKProcess->DirectoryTableBase[0];

这两句里的 pstEProcess 和 pstKProcess 下面有红色下划线。
我想看看它们的成员有哪些，结果连定义都找不到。
找了好几个头文件，里面都只有 typedef struct 到另一个类型名；
对另一个类型名也试着按了“转到定义”，位置没动，也就是说这句本身就是那个类型的定义，
但是成员没有定义。是哪里出错了啊……
（源码是从看雪，也就是本论坛复制过来的。）


最新回复 (3)
2
/*
 * _EPROCESS as posted in reply #2 of this thread; reply #4 names the source
 * as the WRK (Windows Research Kernel) headers Ke.h / Ps.h.
 *
 * This is the executive process object. The public WDK headers only
 * forward-declare it (an opaque typedef), which is why "go to definition"
 * in the IDE stops without showing any members. The member layout below is
 * specific to the kernel build the WRK corresponds to; NOTE(review): do not
 * assume these offsets hold for any other Windows version - confirm against
 * the target build before dereferencing a field through a raw pointer.
 */
typedef struct _EPROCESS
{
        KPROCESS Pcb;   // kernel-layer part; the member the question's ReadProcessMemory takes the address of

        //
        // Lock used to protect:
        // The list of threads in the process.
        // Process token.
        // Win32 process field.
        // Process and thread affinity setting.
        //

        EX_PUSH_LOCK ProcessLock;

        LARGE_INTEGER CreateTime;
        LARGE_INTEGER ExitTime;

        //
        // Structure to allow lock free cross process access to the process
        // handle table, process section and address space. Acquire rundown
        // protection with this if you do cross process handle table, process
        // section or address space references.
        //

        EX_RUNDOWN_REF RundownProtect;

        HANDLE UniqueProcessId;   // the process id (PID), carried in a HANDLE-typed field

        //
        // Global list of all processes in the system. Processes are removed
        // from this list in the object deletion routine.  References to
        // processes in this list must be done with ObReferenceObjectSafe
        // because of this.
        //

        LIST_ENTRY ActiveProcessLinks;

        //
        // Quota Fields.
        //

        SIZE_T QuotaUsage[PsQuotaTypes];
        SIZE_T QuotaPeak[PsQuotaTypes];
        SIZE_T CommitCharge;

        //
        // VmCounters.
        //

        SIZE_T PeakVirtualSize;
        SIZE_T VirtualSize;

        LIST_ENTRY SessionProcessLinks;

        PVOID DebugPort;
        PVOID ExceptionPort;
        PHANDLE_TABLE ObjectTable;

        //
        // Security.
        //

        EX_FAST_REF Token;   // primary token; EX_FAST_REF is not a plain pointer (NOTE(review): confirm the encoding before casting)

        PFN_NUMBER WorkingSetPage;
        KGUARDED_MUTEX AddressCreationLock;
        KSPIN_LOCK HyperSpaceLock;

        struct _ETHREAD *ForkInProgress;
        ULONG_PTR HardwareTrigger;

        PMM_AVL_TABLE PhysicalVadRoot;
        PVOID CloneRoot;
        PFN_NUMBER NumberOfPrivatePages;
        PFN_NUMBER NumberOfLockedPages;
        PVOID Win32Process;
        struct _EJOB *Job;
        PVOID SectionObject;

        PVOID SectionBaseAddress;

        PEPROCESS_QUOTA_BLOCK QuotaBlock;

        PPAGEFAULT_HISTORY WorkingSetWatch;
        HANDLE Win32WindowStation;
        HANDLE InheritedFromUniqueProcessId;

        PVOID LdtInformation;
        PVOID VadFreeHint;
        PVOID VdmObjects;
        PVOID DeviceMap;

        PVOID Spare0[3];
        union
        {
                HARDWARE_PTE PageDirectoryPte;
                ULONGLONG Filler;
        };
        PVOID Session;
        UCHAR ImageFileName[16];   // fixed 16-byte short image name, not the full path (SeAuditProcessCreationInfo below holds that)

        LIST_ENTRY JobLinks;
        PVOID LockedPagesList;

        LIST_ENTRY ThreadListHead;

        //
        // Used by rdr/security for authentication.
        //

        PVOID SecurityPort;

#ifdef _WIN64
        PWOW64_PROCESS Wow64Process;
#else
        PVOID PaeTop;
#endif

        ULONG ActiveThreads;

        ACCESS_MASK GrantedAccess;

        ULONG DefaultHardErrorProcessing;

        NTSTATUS LastThreadExitStatus;

        //
        // Peb
        //

        PPEB Peb;

        //
        // Pointer to the prefetches trace block.
        //
        EX_FAST_REF PrefetchTrace;

        LARGE_INTEGER ReadOperationCount;
        LARGE_INTEGER WriteOperationCount;
        LARGE_INTEGER OtherOperationCount;
        LARGE_INTEGER ReadTransferCount;
        LARGE_INTEGER WriteTransferCount;
        LARGE_INTEGER OtherTransferCount;

        SIZE_T CommitChargeLimit;
        SIZE_T CommitChargePeak;

        PVOID AweInfo;

        //
        // This is used for SeAuditProcessCreation.
        // It contains the full path to the image file.
        //

        SE_AUDIT_PROCESS_CREATION_INFO SeAuditProcessCreationInfo;

        MMSUPPORT Vm;

#if !defined(_WIN64)
        LIST_ENTRY MmProcessLinks;
#else
        ULONG Spares[2];
#endif

        ULONG ModifiedPageCount;

#define PS_JOB_STATUS_NOT_REALLY_ACTIVE      0x00000001UL
#define PS_JOB_STATUS_ACCOUNTING_FOLDED      0x00000002UL
#define PS_JOB_STATUS_NEW_PROCESS_REPORTED   0x00000004UL
#define PS_JOB_STATUS_EXIT_PROCESS_REPORTED  0x00000008UL
#define PS_JOB_STATUS_REPORT_COMMIT_CHANGES  0x00000010UL
#define PS_JOB_STATUS_LAST_REPORT_MEMORY     0x00000020UL
#define PS_JOB_STATUS_REPORT_PHYSICAL_PAGE_CHANGES  0x00000040UL

        ULONG JobStatus;

        //
        // Process flags. Use interlocked operations with PS_SET_BITS, etc
        // to modify these.
        //

#define PS_PROCESS_FLAGS_CREATE_REPORTED        0x00000001UL // Create process debug call has occurred
#define PS_PROCESS_FLAGS_NO_DEBUG_INHERIT       0x00000002UL // Don't inherit debug port
#define PS_PROCESS_FLAGS_PROCESS_EXITING        0x00000004UL // PspExitProcess entered
#define PS_PROCESS_FLAGS_PROCESS_DELETE         0x00000008UL // Delete process has been issued
#define PS_PROCESS_FLAGS_WOW64_SPLIT_PAGES      0x00000010UL // Wow64 split pages
#define PS_PROCESS_FLAGS_VM_DELETED             0x00000020UL // VM is deleted
#define PS_PROCESS_FLAGS_OUTSWAP_ENABLED        0x00000040UL // Outswap enabled
#define PS_PROCESS_FLAGS_OUTSWAPPED             0x00000080UL // Outswapped
#define PS_PROCESS_FLAGS_FORK_FAILED            0x00000100UL // Fork status
#define PS_PROCESS_FLAGS_WOW64_4GB_VA_SPACE     0x00000200UL // Wow64 process with 4gb virtual address space
#define PS_PROCESS_FLAGS_ADDRESS_SPACE1         0x00000400UL // Addr space state1
#define PS_PROCESS_FLAGS_ADDRESS_SPACE2         0x00000800UL // Addr space state2
#define PS_PROCESS_FLAGS_SET_TIMER_RESOLUTION   0x00001000UL // SetTimerResolution has been called
#define PS_PROCESS_FLAGS_BREAK_ON_TERMINATION   0x00002000UL // Break on process termination
#define PS_PROCESS_FLAGS_CREATING_SESSION       0x00004000UL // Process is creating a session
#define PS_PROCESS_FLAGS_USING_WRITE_WATCH      0x00008000UL // Process is using the write watch APIs
#define PS_PROCESS_FLAGS_IN_SESSION             0x00010000UL // Process is in a session
#define PS_PROCESS_FLAGS_OVERRIDE_ADDRESS_SPACE 0x00020000UL // Process must use native address space (Win64 only)
#define PS_PROCESS_FLAGS_HAS_ADDRESS_SPACE      0x00040000UL // This process has an address space
#define PS_PROCESS_FLAGS_LAUNCH_PREFETCHED      0x00080000UL // Process launch was prefetched
#define PS_PROCESS_INJECT_INPAGE_ERRORS         0x00100000UL // Process should be given inpage errors - hardcoded in trap.asm too
#define PS_PROCESS_FLAGS_VM_TOP_DOWN            0x00200000UL // Process memory allocations default to top-down
#define PS_PROCESS_FLAGS_IMAGE_NOTIFY_DONE      0x00400000UL // We have sent a message for this image
#define PS_PROCESS_FLAGS_PDE_UPDATE_NEEDED      0x00800000UL // The system PDEs need updating for this process (NT32 only)
#define PS_PROCESS_FLAGS_VDM_ALLOWED            0x01000000UL // Process allowed to invoke NTVDM support
#define PS_PROCESS_FLAGS_SMAP_ALLOWED           0x02000000UL // Process allowed to invoke SMAP support
#define PS_PROCESS_FLAGS_CREATE_FAILED          0x04000000UL // Process create failed

#define PS_PROCESS_FLAGS_DEFAULT_IO_PRIORITY    0x38000000UL // The default I/O priority for created threads. (3 bits)

#define PS_PROCESS_FLAGS_PRIORITY_SHIFT         27

#define PS_PROCESS_FLAGS_EXECUTE_SPARE1         0x40000000UL //
#define PS_PROCESS_FLAGS_EXECUTE_SPARE2         0x80000000UL //

        union
        {
                ULONG Flags;

                //
                // Fields can only be set by the PS_SET_BITS and other interlocked
                // macros.  Reading fields is best done via the bit definitions so
                // references are easy to locate.
                //

                struct
                {
                        ULONG CreateReported : 1;
                        ULONG NoDebugInherit : 1;
                        ULONG ProcessExiting : 1;
                        ULONG ProcessDelete : 1;
                        ULONG Wow64SplitPages : 1;
                        ULONG VmDeleted : 1;
                        ULONG OutswapEnabled : 1;
                        ULONG Outswapped : 1;
                        ULONG ForkFailed : 1;
                        ULONG Wow64VaSpace4Gb : 1;
                        ULONG AddressSpaceInitialized : 2;
                        ULONG SetTimerResolution : 1;
                        ULONG BreakOnTermination : 1;
                        ULONG SessionCreationUnderway : 1;
                        ULONG WriteWatch : 1;
                        ULONG ProcessInSession : 1;
                        ULONG OverrideAddressSpace : 1;
                        ULONG HasAddressSpace : 1;
                        ULONG LaunchPrefetched : 1;
                        ULONG InjectInpageErrors : 1;
                        ULONG VmTopDown : 1;
                        ULONG ImageNotifyDone : 1;
                        ULONG PdeUpdateNeeded : 1;    // NT32 only
                        ULONG VdmAllowed : 1;
                        ULONG SmapAllowed : 1;
                        ULONG CreateFailed : 1;
                        ULONG DefaultIoPriority : 3;
                        ULONG Spare1 : 1;
                        ULONG Spare2 : 1;
                };
        };

        NTSTATUS ExitStatus;

        USHORT NextPageColor;
        union
        {
                struct
                {
                        UCHAR SubSystemMinorVersion;
                        UCHAR SubSystemMajorVersion;
                };
                USHORT SubSystemVersion;
        };
        UCHAR PriorityClass;

        MM_AVL_TABLE VadRoot;

        ULONG Cookie;
} EPROCESS, *PEPROCESS;

/*
 * _KPROCESS as posted in reply #2 of this thread (reply #4 gives the source
 * as the WRK header Ke.h). This is the kernel-layer process object that is
 * embedded as EPROCESS.Pcb.
 *
 * The #if blocks below show that even inside the WRK the x86 and AMD64
 * layouts differ, so the offsets are neither architecture- nor
 * version-stable. NOTE(review): confirm against the target build before
 * relying on any offset.
 */
typedef struct _KPROCESS
{
        //
        // The dispatch header and profile listhead are fairly infrequently
        // referenced.
        //

        DISPATCHER_HEADER Header;
        LIST_ENTRY ProfileListHead;

        //
        // The following fields are referenced during context switches.
        //

        // [0] is the page-directory base the question's ReadProcessMemory
        // loads into CR3. Note the type: ULONG_PTR, i.e. wider than the ULONG
        // that routine stores it in when built for 64-bit.
        ULONG_PTR DirectoryTableBase[2];

#if defined(_X86_)

        KGDTENTRY LdtDescriptor;
        KIDTENTRY Int21Descriptor;
        USHORT IopmOffset;
        UCHAR Iopl;
        BOOLEAN Unused;

#endif

#if defined(_AMD64_)

        USHORT IopmOffset;

#endif

        volatile KAFFINITY ActiveProcessors;

        //
        // The following fields are referenced during clock interrupts.
        //

        ULONG KernelTime;
        ULONG UserTime;

        //
        // The following fields are referenced infrequently.
        //

        LIST_ENTRY ReadyListHead;
        SINGLE_LIST_ENTRY SwapListEntry;

#if defined(_X86_)

        PVOID VdmTrapcHandler;

#else

        PVOID Reserved1;

#endif

        LIST_ENTRY ThreadListHead;
        KSPIN_LOCK ProcessLock;
        KAFFINITY Affinity;

        //
        // N.B. The following bit number definitions must match the following
        //      bit field.
        //
        // N.B. These bits can only be written with interlocked operations.
        //

#define KPROCESS_AUTO_ALIGNMENT_BIT 0
#define KPROCESS_DISABLE_BOOST_BIT 1
#define KPROCESS_DISABLE_QUANTUM_BIT 2

        union
        {
                struct
                {
                        LONG AutoAlignment : 1;
                        LONG DisableBoost : 1;
                        LONG DisableQuantum : 1;
                        LONG ReservedFlags : 29;
                };

                LONG ProcessFlags;
        };

        SCHAR BasePriority;
        SCHAR QuantumReset;
        UCHAR State;
        UCHAR ThreadSeed;
        UCHAR PowerState;
        UCHAR IdealNode;
        BOOLEAN Visited;
        union
        {
                KEXECUTE_OPTIONS Flags;
                UCHAR ExecuteOptions;
        };

#if !defined(_X86_) && !defined(_AMD64_)

        PALIGNMENT_EXCEPTION_TABLE AlignmentExceptionTable;

#endif

        ULONG_PTR StackCount;
        LIST_ENTRY ProcessListEntry;
} KPROCESS, *PKPROCESS, *PRKPROCESS;
2016-8-22 22:02
3
那个……能告诉我一下是在哪个头文件里找到的么？我查找不到……
2016-8-22 22:05
4
WRK:
Ke.h
Ps.h
2016-8-22 23:06