
[原创]x64内核实验6-进程


(这里写目录标题)

首先来看一下进程结构体完整的定义,然后我会介绍几个比较重要的字段属性
下面是我从 pdb 文件导出的头文件，可以直接复制到 IDA 里导入成结构体使用。用之前注意两点：(1) 这里的偏移（KPROCESS 大小 0x438、EPROCESS 大小 0xA40）只对导出该 pdb 的那个内核版本有效，换一个 Windows 版本偏移就会变，0 环代码如果把偏移写死，会读写到错误的字段甚至直接蓝屏，务必用目标机器对应的 pdb 重新导出；(2) 导出结果里 `union _<anonymous-tag> SecureState;` 这一行不是合法的 C 标识符，编译器和 IDA 都解析不了，导入前要改成同样 8 字节大小的占位字段。其他结构体的头文件后面我会一起放出来给大家下载。
KEPROCESS.h

EPROCESS.h

这两个结构体非常大,我们简单介绍一下比较重要的几个字段

常见的差不多就这些了
下面可以做几个实验（最近比较忙，我这边先把知识点整理出来，代码后面有空了写一份贴上来，大家可以先自己尝试着做一下；所有 0 环实验都请在打了快照的虚拟机里做，改错一个字段就是蓝屏）
实验1：0环断链隐藏进程——即 DKOM，把目标进程的 EPROCESS.ActiveProcessLinks（本文导出中偏移 0x448）从双向链表中摘除。注意两点：x64 下这类对内核关键结构的篡改可能被 PatchGuard 检测并触发 CRITICAL_STRUCTURE_CORRUPTION(0x109) 蓝屏；而且 KPROCESS.ProcessListEntry（0x350）、EPROCESS.SessionProcessLinks（0x4A0）等其他链表仍然挂着该进程，只断 ActiveProcessLinks 一条链只能骗过按这条链遍历的工具。
实验2：0环清空 DebugPort 反调试——对应 EPROCESS.DebugPort（本文导出中偏移 0x578）。同样注意这个偏移随内核版本变化，不要把常量写死；实验时先保存原值，以便把调试连接恢复回来。
实验3：通过三环 PEB 查找自己加载的所有模块（内核侧该进程的 PEB 指针就是 EPROCESS.Peb，本文导出中偏移 0x550）。
实验4：通过修改 PEB 里的 BeingDebugged（原文的 begindebug 是笔误）达到反调试。这个字段位于三环、进程自己就能改写，反过来调试器或插件也能把它改回去，所以它只能对付直接读取该字段的检测逻辑。

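// KPROCESS: the kernel (scheduler-level) half of a Windows process object,
// exported from a PDB. It is the first member of EPROCESS (EPROCESS.Pcb at
// offset 0x000), so a PEPROCESS and a PKPROCESS for the same process hold the
// same address.
//
// The offsets in the left column and the 0x438 total size belong to the single
// kernel build whose PDB was exported. They are not stable across Windows
// versions: ring-0 code that hard-codes them has to be regenerated from the
// PDB of the exact kernel it targets, or it will read or write the wrong field
// (in the kernel that usually ends in a bugcheck).
//
// One change relative to the raw export: the 8-byte SecureState member was
// emitted as `union _<anonymous-tag>`, which is not a legal C identifier and
// will not parse in a compiler or in IDA's type importer. It is kept here as a
// UINT64 of the same size so every following offset is unchanged.
typedef struct _KPROCESS                            // 54 elements, 0x438 bytes (sizeof)
{
              // NOTE(review): a _DISPATCHER_HEADER at offset 0 presumably makes the
              // process a waitable dispatcher object; confirm against the kernel.
/*0x000*/     struct _DISPATCHER_HEADER Header;               // 59 elements, 0x18 bytes (sizeof)
/*0x018*/     struct _LIST_ENTRY ProfileListHead;             // 2 elements, 0x10 bytes (sizeof)
              // NOTE(review): by name the page-directory (CR3) base of the process
              // address space; confirm before relying on it.
/*0x028*/     UINT64       DirectoryTableBase;
              // NOTE(review): list head that presumably links this process's kernel
              // thread objects - another path by which an unlinked process is still
              // reachable; confirm.
/*0x030*/     struct _LIST_ENTRY ThreadListHead;              // 2 elements, 0x10 bytes (sizeof)
/*0x040*/     ULONG32      ProcessLock;
/*0x044*/     ULONG32      ProcessTimerDelay;
/*0x048*/     UINT64       DeepFreezeStartTime;
/*0x050*/     struct _KAFFINITY_EX Affinity;                  // 4 elements, 0xA8 bytes (sizeof)
/*0x0F8*/     UINT64       AffinityPadding[12];
/*0x158*/     struct _LIST_ENTRY ReadyListHead;               // 2 elements, 0x10 bytes (sizeof)
/*0x168*/     struct _SINGLE_LIST_ENTRY SwapListEntry;        // 1 elements, 0x8 bytes (sizeof)
/*0x170*/     struct _KAFFINITY_EX ActiveProcessors;          // 4 elements, 0xA8 bytes (sizeof)
/*0x218*/     UINT64       ActiveProcessorsPadding[12];
              // Bit flags overlaid on one 32-bit word: the anonymous struct and
              // ProcessFlags alias the same 4 bytes at 0x278.
              union                                           // 2 elements, 0x4 bytes (sizeof)
              {
                  struct                                      // 10 elements, 0x4 bytes (sizeof)
                  {
/*0x278*/             ULONG32      AutoAlignment : 1;         // 0 BitPosition
/*0x278*/             ULONG32      DisableBoost : 1;          // 1 BitPosition
/*0x278*/             ULONG32      DisableQuantum : 1;        // 2 BitPosition
/*0x278*/             ULONG32      DeepFreeze : 1;            // 3 BitPosition
/*0x278*/             ULONG32      TimerVirtualization : 1;   // 4 BitPosition
/*0x278*/             ULONG32      CheckStackExtents : 1;     // 5 BitPosition
/*0x278*/             ULONG32      CacheIsolationEnabled : 1; // 6 BitPosition
/*0x278*/             ULONG32      PpmPolicy : 3;             // 7 BitPosition
/*0x278*/             ULONG32      VaSpaceDeleted : 1;        // 10 BitPosition
/*0x278*/             ULONG32      ReservedFlags : 21;        // 11 BitPosition
                  };
/*0x278*/         LONG32       ProcessFlags;
              };
/*0x27C*/     ULONG32      ActiveGroupsMask;
/*0x280*/     CHAR         BasePriority;
/*0x281*/     CHAR         QuantumReset;
/*0x282*/     CHAR         Visited;
              // NOTE(review): 1-byte per-process execute options; by name this is
              // where the process's DEP/NX policy lives - confirm.
/*0x283*/     union _KEXECUTE_OPTIONS Flags;                  // 10 elements, 0x1 bytes (sizeof)
/*0x284*/     UINT16       ThreadSeed[20];
/*0x2AC*/     UINT16       ThreadSeedPadding[12];
/*0x2C4*/     UINT16       IdealProcessor[20];
/*0x2EC*/     UINT16       IdealProcessorPadding[12];
/*0x304*/     UINT16       IdealNode[20];
/*0x32C*/     UINT16       IdealNodePadding[12];
/*0x344*/     UINT16       IdealGlobalNode;
/*0x346*/     UINT16       Spare1;
/*0x348*/     union _KSTACK_COUNT StackCount;                 // 3 elements, 0x4 bytes (sizeof)
/*0x34C*/     UINT8        _PADDING0_[0x4];
              // NOTE(review): a second process-list link, separate from
              // EPROCESS.ActiveProcessLinks (0x448 in the matching EPROCESS export).
              // Unlinking only ActiveProcessLinks leaves the process reachable here;
              // presumably the kernel's global KPROCESS list - confirm.
/*0x350*/     struct _LIST_ENTRY ProcessListEntry;            // 2 elements, 0x10 bytes (sizeof)
/*0x360*/     UINT64       CycleTime;
/*0x368*/     UINT64       ContextSwitches;
/*0x370*/     struct _KSCHEDULING_GROUP* SchedulingGroup;
/*0x378*/     ULONG32      FreezeCount;
/*0x37C*/     ULONG32      KernelTime;
/*0x380*/     ULONG32      UserTime;
/*0x384*/     ULONG32      ReadyTime;
              // NOTE(review): a second directory-table base; by name the user-mode
              // CR3 used when kernel and user page tables are split (KVA shadow) -
              // confirm.
/*0x388*/     UINT64       UserDirectoryTableBase;
/*0x390*/     UINT8        AddressPolicy;
/*0x391*/     UINT8        Spare2[71];
              // NOTE(review): per-process instrumentation callback pointer. A
              // non-NULL value is worth flagging when hunting for injected hooks;
              // the exact semantics are not visible here - confirm.
/*0x3D8*/     VOID*        InstrumentationCallback;
              // Was `union _<anonymous-tag>` (2 elements, 0x8 bytes) in the export;
              // the member names were not recovered, so it is kept as an opaque
              // 8-byte scalar at the same offset.
/*0x3E0*/     UINT64       SecureState;
/*0x3E8*/     UINT64       KernelWaitTime;
/*0x3F0*/     UINT64       UserWaitTime;
/*0x3F8*/     UINT64       EndPadding[8];
}KPROCESS, *PKPROCESS;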
// NOTE(review): this is a byte-for-byte repeat of the _KPROCESS typedef that
// appears immediately above it on this page (same fields, same offsets, same
// 0x438 size). Two definitions of `struct _KPROCESS` in one translation unit
// are a redefinition error, and IDA's type importer will reject the second one
// as well - delete one copy before using the header.
//
// The offsets in the left column are only valid for the kernel build whose PDB
// was exported; regenerate them for any other Windows version before using
// them from ring 0.
typedef struct _KPROCESS                            // 54 elements, 0x438 bytes (sizeof)
          {
/*0x000*/     struct _DISPATCHER_HEADER Header;               // 59 elements, 0x18 bytes (sizeof)
/*0x018*/     struct _LIST_ENTRY ProfileListHead;             // 2 elements, 0x10 bytes (sizeof)
              // NOTE(review): by name the page-directory (CR3) base - confirm.
/*0x028*/     UINT64       DirectoryTableBase;
              // NOTE(review): presumably links this process's kernel thread objects - confirm.
/*0x030*/     struct _LIST_ENTRY ThreadListHead;              // 2 elements, 0x10 bytes (sizeof)
/*0x040*/     ULONG32      ProcessLock;
/*0x044*/     ULONG32      ProcessTimerDelay;
/*0x048*/     UINT64       DeepFreezeStartTime;
/*0x050*/     struct _KAFFINITY_EX Affinity;                  // 4 elements, 0xA8 bytes (sizeof)
/*0x0F8*/     UINT64       AffinityPadding[12];
/*0x158*/     struct _LIST_ENTRY ReadyListHead;               // 2 elements, 0x10 bytes (sizeof)
/*0x168*/     struct _SINGLE_LIST_ENTRY SwapListEntry;        // 1 elements, 0x8 bytes (sizeof)
/*0x170*/     struct _KAFFINITY_EX ActiveProcessors;          // 4 elements, 0xA8 bytes (sizeof)
/*0x218*/     UINT64       ActiveProcessorsPadding[12];
              // Bit flags overlaid on one 32-bit word; the anonymous struct and
              // ProcessFlags alias the same 4 bytes at 0x278.
              union                                           // 2 elements, 0x4 bytes (sizeof)
              {
                  struct                                      // 10 elements, 0x4 bytes (sizeof)
                  {
/*0x278*/             ULONG32      AutoAlignment : 1;         // 0 BitPosition
/*0x278*/             ULONG32      DisableBoost : 1;          // 1 BitPosition
/*0x278*/             ULONG32      DisableQuantum : 1;        // 2 BitPosition
/*0x278*/             ULONG32      DeepFreeze : 1;            // 3 BitPosition
/*0x278*/             ULONG32      TimerVirtualization : 1;   // 4 BitPosition
/*0x278*/             ULONG32      CheckStackExtents : 1;     // 5 BitPosition
/*0x278*/             ULONG32      CacheIsolationEnabled : 1; // 6 BitPosition
/*0x278*/             ULONG32      PpmPolicy : 3;             // 7 BitPosition
/*0x278*/             ULONG32      VaSpaceDeleted : 1;        // 10 BitPosition
/*0x278*/             ULONG32      ReservedFlags : 21;        // 11 BitPosition
                  };
/*0x278*/         LONG32       ProcessFlags;
              };
/*0x27C*/     ULONG32      ActiveGroupsMask;
/*0x280*/     CHAR         BasePriority;
/*0x281*/     CHAR         QuantumReset;
/*0x282*/     CHAR         Visited;
/*0x283*/     union _KEXECUTE_OPTIONS Flags;                  // 10 elements, 0x1 bytes (sizeof)
/*0x284*/     UINT16       ThreadSeed[20];
/*0x2AC*/     UINT16       ThreadSeedPadding[12];
/*0x2C4*/     UINT16       IdealProcessor[20];
/*0x2EC*/     UINT16       IdealProcessorPadding[12];
/*0x304*/     UINT16       IdealNode[20];
/*0x32C*/     UINT16       IdealNodePadding[12];
/*0x344*/     UINT16       IdealGlobalNode;
/*0x346*/     UINT16       Spare1;
/*0x348*/     union _KSTACK_COUNT StackCount;                 // 3 elements, 0x4 bytes (sizeof)
/*0x34C*/     UINT8        _PADDING0_[0x4];
              // NOTE(review): a process-list link separate from
              // EPROCESS.ActiveProcessLinks (0x448 in the EPROCESS export); a process
              // unlinked only from ActiveProcessLinks is still reachable here - confirm.
/*0x350*/     struct _LIST_ENTRY ProcessListEntry;            // 2 elements, 0x10 bytes (sizeof)
/*0x360*/     UINT64       CycleTime;
/*0x368*/     UINT64       ContextSwitches;
/*0x370*/     struct _KSCHEDULING_GROUP* SchedulingGroup;
/*0x378*/     ULONG32      FreezeCount;
/*0x37C*/     ULONG32      KernelTime;
/*0x380*/     ULONG32      UserTime;
/*0x384*/     ULONG32      ReadyTime;
              // NOTE(review): by name the user-mode CR3 used with split page tables
              // (KVA shadow) - confirm.
/*0x388*/     UINT64       UserDirectoryTableBase;
/*0x390*/     UINT8        AddressPolicy;
/*0x391*/     UINT8        Spare2[71];
              // NOTE(review): per-process instrumentation callback pointer; a non-NULL
              // value is worth flagging when looking for injected hooks - semantics
              // not visible here, confirm.
/*0x3D8*/     VOID*        InstrumentationCallback;
              // NOTE(review): `_<anonymous-tag>` is not a legal C identifier (the union's
              // tag was not recovered from the PDB). This line must be renamed or
              // replaced by an 8-byte placeholder of the same size before the header
              // will parse; the next field starts at 0x3E8, so the size is fixed.
/*0x3E0*/     union _<anonymous-tag> SecureState;             // 2 elements, 0x8 bytes (sizeof)
/*0x3E8*/     UINT64       KernelWaitTime;
/*0x3F0*/     UINT64       UserWaitTime;
/*0x3F8*/     UINT64       EndPadding[8];
          }KPROCESS, *PKPROCESS;
typedef struct _EPROCESS                                                           // 235 elements, 0xA40 bytes (sizeof)
          {                                                                                                                       
/*0x000*/     struct _KPROCESS Pcb;                                                          // 54 elements, 0x438 bytes (sizeof) 
/*0x438*/     struct _EX_PUSH_LOCK ProcessLock;                                              // 7 elements, 0x8 bytes (sizeof)    
/*0x440*/     VOID*        UniqueProcessId;                                                                                       
/*0x448*/     struct _LIST_ENTRY ActiveProcessLinks;                                         // 2 elements, 0x10 bytes (sizeof)   
/*0x458*/     struct _EX_RUNDOWN_REF RundownProtect;                                         // 2 elements, 0x8 bytes (sizeof)    
              union                                                                          // 2 elements, 0x4 bytes (sizeof)    
              {                                                                                                                   
/*0x460*/         ULONG32      Flags2;                                                                                            
                  struct                                                                     // 28 elements, 0x4 bytes (sizeof)   
                  {                                                                                                               
/*0x460*/             ULONG32      JobNotReallyActive : 1;                                   // 0 BitPosition                     
/*0x460*/             ULONG32      AccountingFolded : 1;                                     // 1 BitPosition                     
/*0x460*/             ULONG32      NewProcessReported : 1;                                   // 2 BitPosition                     
/*0x460*/             ULONG32      ExitProcessReported : 1;                                  // 3 BitPosition                     
/*0x460*/             ULONG32      ReportCommitChanges : 1;                                  // 4 BitPosition                     
/*0x460*/             ULONG32      LastReportMemory : 1;                                     // 5 BitPosition                     
/*0x460*/             ULONG32      ForceWakeCharge : 1;                                      // 6 BitPosition                     
/*0x460*/             ULONG32      CrossSessionCreate : 1;                                   // 7 BitPosition                     
/*0x460*/             ULONG32      NeedsHandleRundown : 1;                                   // 8 BitPosition                     
/*0x460*/             ULONG32      RefTraceEnabled : 1;                                      // 9 BitPosition                     
/*0x460*/             ULONG32      PicoCreated : 1;                                          // 10 BitPosition                    
/*0x460*/             ULONG32      EmptyJobEvaluated : 1;                                    // 11 BitPosition                    
/*0x460*/             ULONG32      DefaultPagePriority : 3;                                  // 12 BitPosition                    
/*0x460*/             ULONG32      PrimaryTokenFrozen : 1;                                   // 15 BitPosition                    
/*0x460*/             ULONG32      ProcessVerifierTarget : 1;                                // 16 BitPosition                    
/*0x460*/             ULONG32      RestrictSetThreadContext : 1;                             // 17 BitPosition                    
/*0x460*/             ULONG32      AffinityPermanent : 1;                                    // 18 BitPosition                    
/*0x460*/             ULONG32      AffinityUpdateEnable : 1;                                 // 19 BitPosition                    
/*0x460*/             ULONG32      PropagateNode : 1;                                        // 20 BitPosition                    
/*0x460*/             ULONG32      ExplicitAffinity : 1;                                     // 21 BitPosition                    
/*0x460*/             ULONG32      ProcessExecutionState : 2;                                // 22 BitPosition                    
/*0x460*/             ULONG32      EnableReadVmLogging : 1;                                  // 24 BitPosition                    
/*0x460*/             ULONG32      EnableWriteVmLogging : 1;                                 // 25 BitPosition                    
/*0x460*/             ULONG32      FatalAccessTerminationRequested : 1;                      // 26 BitPosition                    
/*0x460*/             ULONG32      DisableSystemAllowedCpuSet : 1;                           // 27 BitPosition                    
/*0x460*/             ULONG32      ProcessStateChangeRequest : 2;                            // 28 BitPosition                    
/*0x460*/             ULONG32      ProcessStateChangeInProgress : 1;                         // 30 BitPosition                    
/*0x460*/             ULONG32      InPrivate : 1;                                            // 31 BitPosition                    
                  };                                                                                                              
              };                                                                                                                  
              union                                                                          // 2 elements, 0x4 bytes (sizeof)    
              {                                                                                                                   
/*0x464*/         ULONG32      Flags;                                                                                             
                  struct                                                                     // 29 elements, 0x4 bytes (sizeof)   
                  {                                                                                                               
/*0x464*/             ULONG32      CreateReported : 1;                                       // 0 BitPosition                     
/*0x464*/             ULONG32      NoDebugInherit : 1;                                       // 1 BitPosition                     
/*0x464*/             ULONG32      ProcessExiting : 1;                                       // 2 BitPosition                     
/*0x464*/             ULONG32      ProcessDelete : 1;                                        // 3 BitPosition                     
/*0x464*/             ULONG32      ManageExecutableMemoryWrites : 1;                         // 4 BitPosition                     
/*0x464*/             ULONG32      VmDeleted : 1;                                            // 5 BitPosition                     
/*0x464*/             ULONG32      OutswapEnabled : 1;                                       // 6 BitPosition                     
/*0x464*/             ULONG32      Outswapped : 1;                                           // 7 BitPosition                     
/*0x464*/             ULONG32      FailFastOnCommitFail : 1;                                 // 8 BitPosition                     
/*0x464*/             ULONG32      Wow64VaSpace4Gb : 1;                                      // 9 BitPosition                     
/*0x464*/             ULONG32      AddressSpaceInitialized : 2;                              // 10 BitPosition                    
/*0x464*/             ULONG32      SetTimerResolution : 1;                                   // 12 BitPosition                    
/*0x464*/             ULONG32      BreakOnTermination : 1;                                   // 13 BitPosition                    
/*0x464*/             ULONG32      DeprioritizeViews : 1;                                    // 14 BitPosition                    
/*0x464*/             ULONG32      WriteWatch : 1;                                           // 15 BitPosition                    
/*0x464*/             ULONG32      ProcessInSession : 1;                                     // 16 BitPosition                    
/*0x464*/             ULONG32      OverrideAddressSpace : 1;                                 // 17 BitPosition                    
/*0x464*/             ULONG32      HasAddressSpace : 1;                                      // 18 BitPosition                    
/*0x464*/             ULONG32      LaunchPrefetched : 1;                                     // 19 BitPosition                    
/*0x464*/             ULONG32      Background : 1;                                           // 20 BitPosition                    
/*0x464*/             ULONG32      VmTopDown : 1;                                            // 21 BitPosition                    
/*0x464*/             ULONG32      ImageNotifyDone : 1;                                      // 22 BitPosition                    
/*0x464*/             ULONG32      PdeUpdateNeeded : 1;                                      // 23 BitPosition                    
/*0x464*/             ULONG32      VdmAllowed : 1;                                           // 24 BitPosition                    
/*0x464*/             ULONG32      ProcessRundown : 1;                                       // 25 BitPosition                    
/*0x464*/             ULONG32      ProcessInserted : 1;                                      // 26 BitPosition                    
/*0x464*/             ULONG32      DefaultIoPriority : 3;                                    // 27 BitPosition                    
/*0x464*/             ULONG32      ProcessSelfDelete : 1;                                    // 30 BitPosition                    
/*0x464*/             ULONG32      SetTimerResolutionLink : 1;                               // 31 BitPosition                    
                  };                                                                                                              
              };                                                                                                                  
/*0x468*/     union _LARGE_INTEGER CreateTime;                                               // 4 elements, 0x8 bytes (sizeof)    
/*0x470*/     UINT64       ProcessQuotaUsage[2];                                                                                  
/*0x480*/     UINT64       ProcessQuotaPeak[2];                                                                                   
/*0x490*/     UINT64       PeakVirtualSize;                                                                                       
/*0x498*/     UINT64       VirtualSize;                                                                                           
/*0x4A0*/     struct _LIST_ENTRY SessionProcessLinks;                                        // 2 elements, 0x10 bytes (sizeof)   
              union                                                                          // 3 elements, 0x8 bytes (sizeof)    
              {                                                                                                                   
/*0x4B0*/         VOID*        ExceptionPortData;                                                                                 
/*0x4B0*/         UINT64       ExceptionPortValue;                                                                                
/*0x4B0*/         UINT64       ExceptionPortState : 3;                                       // 0 BitPosition                     
              };                                                                                                                  
/*0x4B8*/     struct _EX_FAST_REF Token;                                                     // 3 elements, 0x8 bytes (sizeof)    
/*0x4C0*/     UINT64       MmReserved;                                                                                            
/*0x4C8*/     struct _EX_PUSH_LOCK AddressCreationLock;                                      // 7 elements, 0x8 bytes (sizeof)    
/*0x4D0*/     struct _EX_PUSH_LOCK PageTableCommitmentLock;                                  // 7 elements, 0x8 bytes (sizeof)    
/*0x4D8*/     struct _ETHREAD* RotateInProgress;                                                                                  
/*0x4E0*/     struct _ETHREAD* ForkInProgress;                                                                                    
/*0x4E8*/     struct _EJOB* CommitChargeJob;                                                                                      
/*0x4F0*/     struct _RTL_AVL_TREE CloneRoot;                                                // 1 elements, 0x8 bytes (sizeof)    
/*0x4F8*/     UINT64       NumberOfPrivatePages;                                                                                  
/*0x500*/     UINT64       NumberOfLockedPages;                                                                                   
/*0x508*/     VOID*        Win32Process;                                                                                          
/*0x510*/     struct _EJOB* Job;                                                                                                  
/*0x518*/     VOID*        SectionObject;                                                                                         
/*0x520*/     VOID*        SectionBaseAddress;                                                                                    
/*0x528*/     ULONG32      Cookie;                                                                                                
/*0x52C*/     UINT8        _PADDING0_[0x4];                                                                                       
/*0x530*/     struct _PAGEFAULT_HISTORY* WorkingSetWatch;                                                                         
/*0x538*/     VOID*        Win32WindowStation;                                                                                    
/*0x540*/     VOID*        InheritedFromUniqueProcessId;                                                                          
/*0x548*/     UINT64       OwnerProcessId;                                                                                        
/*0x550*/     struct _PEB* Peb;                                                                                                   
/*0x558*/     struct _MM_SESSION_SPACE* Session;                                                                                  
/*0x560*/     VOID*        Spare1;                                                                                                
/*0x568*/     struct _EPROCESS_QUOTA_BLOCK* QuotaBlock;                                                                           
/*0x570*/     struct _HANDLE_TABLE* ObjectTable;                                                                                  
/*0x578*/     VOID*        DebugPort;                                                                                             
/*0x580*/     struct _EWOW64PROCESS* WoW64Process;                                                                                
/*0x588*/     VOID*        DeviceMap;                                                                                             
/*0x590*/     VOID*        EtwDataSource;                                                                                         
/*0x598*/     UINT64       PageDirectoryPte;                                                                                      
/*0x5A0*/     struct _FILE_OBJECT* ImageFilePointer;                                                                              
/*0x5A8*/     UINT8        ImageFileName[15];                                                                                     
/*0x5B7*/     UINT8        PriorityClass;                                                                                         
/*0x5B8*/     VOID*        SecurityPort;                                                                                          
/*0x5C0*/     struct _SE_AUDIT_PROCESS_CREATION_INFO SeAuditProcessCreationInfo;             // 1 elements, 0x8 bytes (sizeof)    
/*0x5C8*/     struct _LIST_ENTRY JobLinks;                                                   // 2 elements, 0x10 bytes (sizeof)   
/*0x5D8*/     VOID*        HighestUserAddress;                                                                                    
/*0x5E0*/     struct _LIST_ENTRY ThreadListHead;                                             // 2 elements, 0x10 bytes (sizeof)   
/*0x5F0*/     ULONG32      ActiveThreads;                                                                                         
/*0x5F4*/     ULONG32      ImagePathHash;                                                                                         
/*0x5F8*/     ULONG32      DefaultHardErrorProcessing;                                                                            
/*0x5FC*/     LONG32       LastThreadExitStatus;                                                                                  
/*0x600*/     struct _EX_FAST_REF PrefetchTrace;                                             // 3 elements, 0x8 bytes (sizeof)    
/*0x608*/     VOID*        LockedPagesList;                                                                                       
/*0x610*/     union _LARGE_INTEGER ReadOperationCount;                                       // 4 elements, 0x8 bytes (sizeof)    
/*0x618*/     union _LARGE_INTEGER WriteOperationCount;                                      // 4 elements, 0x8 bytes (sizeof)    
/*0x620*/     union _LARGE_INTEGER OtherOperationCount;                                      // 4 elements, 0x8 bytes (sizeof)    
/*0x628*/     union _LARGE_INTEGER ReadTransferCount;                                        // 4 elements, 0x8 bytes (sizeof)    
/*0x630*/     union _LARGE_INTEGER WriteTransferCount;                                       // 4 elements, 0x8 bytes (sizeof)    
/*0x638*/     union _LARGE_INTEGER OtherTransferCount;                                       // 4 elements, 0x8 bytes (sizeof)    
/*0x640*/     UINT64       CommitChargeLimit;                                                                                     
/*0x648*/     UINT64       CommitCharge;                                                                                          
/*0x650*/     UINT64       CommitChargePeak;                                                                                      
/*0x658*/     UINT8        _PADDING1_[0x28];                                                                                      
/*0x680*/     struct _MMSUPPORT_FULL Vm;                                                     // 2 elements, 0x140 bytes (sizeof)  
/*0x7C0*/     struct _LIST_ENTRY MmProcessLinks;                                             // 2 elements, 0x10 bytes (sizeof)   
/*0x7D0*/     ULONG32      ModifiedPageCount;                                                                                     
/*0x7D4*/     LONG32       ExitStatus;                                                                                            
/*0x7D8*/     struct _RTL_AVL_TREE VadRoot;                                                  // 1 elements, 0x8 bytes (sizeof)    
/*0x7E0*/     VOID*        VadHint;                                                                                               
/*0x7E8*/     UINT64       VadCount;                                                                                              
/*0x7F0*/     UINT64       VadPhysicalPages;                                                                                      
/*0x7F8*/     UINT64       VadPhysicalPagesLimit;                                                                                 
/*0x800*/     struct _ALPC_PROCESS_CONTEXT AlpcContext;                                      // 3 elements, 0x20 bytes (sizeof)   
/*0x820*/     struct _LIST_ENTRY TimerResolutionLink;                                        // 2 elements, 0x10 bytes (sizeof)   
/*0x830*/     struct _PO_DIAG_STACK_RECORD* TimerResolutionStackRecord;                                                           
/*0x838*/     ULONG32      RequestedTimerResolution;                                                                              
/*0x83C*/     ULONG32      SmallestTimerResolution;                                                                               
/*0x840*/     union _LARGE_INTEGER ExitTime;                                                 // 4 elements, 0x8 bytes (sizeof)    
/*0x848*/     struct _INVERTED_FUNCTION_TABLE* InvertedFunctionTable;                                                             
/*0x850*/     struct _EX_PUSH_LOCK InvertedFunctionTableLock;                                // 7 elements, 0x8 bytes (sizeof)    
/*0x858*/     ULONG32      ActiveThreadsHighWatermark;                                                                            
/*0x85C*/     ULONG32      LargePrivateVadCount;                                                                                  
/*0x860*/     struct _EX_PUSH_LOCK ThreadListLock;                                           // 7 elements, 0x8 bytes (sizeof)    
/*0x868*/     VOID*        WnfContext;                                                                                            
/*0x870*/     struct _EJOB* ServerSilo;                                                                                           
/*0x878*/     UINT8        SignatureLevel;                                                                                        
/*0x879*/     UINT8        SectionSignatureLevel;                                                                                 
/*0x87A*/     struct _PS_PROTECTION Protection;                                              // 4 elements, 0x1 bytes (sizeof)    
              struct                                                                         // 3 elements, 0x1 bytes (sizeof)    
              {                                                                                                                   
/*0x87B*/         UINT8        HangCount : 3;                                                // 0 BitPosition                     
/*0x87B*/         UINT8        GhostCount : 3;                                               // 3 BitPosition                     
/*0x87B*/         UINT8        PrefilterException : 1;                                       // 6 BitPosition                     
              };                                                                                                                  
              union                                                                          // 2 elements, 0x4 bytes (sizeof)    
              {                                                                                                                   
/*0x87C*/         ULONG32      Flags3;                                                                                            
                  struct                                                                     // 28 elements, 0x4 bytes (sizeof)   
                  {                                                                                                               
/*0x87C*/             ULONG32      Minimal : 1;                                              // 0 BitPosition                     
/*0x87C*/             ULONG32      ReplacingPageRoot : 1;                                    // 1 BitPosition                     
/*0x87C*/             ULONG32      Crashed : 1;                                              // 2 BitPosition                     
/*0x87C*/             ULONG32      JobVadsAreTracked : 1;                                    // 3 BitPosition                     
/*0x87C*/             ULONG32      VadTrackingDisabled : 1;                                  // 4 BitPosition                     
/*0x87C*/             ULONG32      AuxiliaryProcess : 1;                                     // 5 BitPosition                     
/*0x87C*/             ULONG32      SubsystemProcess : 1;                                     // 6 BitPosition                     
/*0x87C*/             ULONG32      IndirectCpuSets : 1;                                      // 7 BitPosition                     
/*0x87C*/             ULONG32      RelinquishedCommit : 1;                                   // 8 BitPosition                     
/*0x87C*/             ULONG32      HighGraphicsPriority : 1;                                 // 9 BitPosition                     
/*0x87C*/             ULONG32      CommitFailLogged : 1;                                     // 10 BitPosition                    
/*0x87C*/             ULONG32      ReserveFailLogged : 1;                                    // 11 BitPosition                    
/*0x87C*/             ULONG32      SystemProcess : 1;                                        // 12 BitPosition                    
/*0x87C*/             ULONG32      HideImageBaseAddresses : 1;                               // 13 BitPosition                    
/*0x87C*/             ULONG32      AddressPolicyFrozen : 1;                                  // 14 BitPosition                    
/*0x87C*/             ULONG32      ProcessFirstResume : 1;                                   // 15 BitPosition                    
/*0x87C*/             ULONG32      ForegroundExternal : 1;                                   // 16 BitPosition                    
/*0x87C*/             ULONG32      ForegroundSystem : 1;                                     // 17 BitPosition                    
/*0x87C*/             ULONG32      HighMemoryPriority : 1;                                   // 18 BitPosition                    
/*0x87C*/             ULONG32      EnableProcessSuspendResumeLogging : 1;                    // 19 BitPosition                    
/*0x87C*/             ULONG32      EnableThreadSuspendResumeLogging : 1;                     // 20 BitPosition                    
/*0x87C*/             ULONG32      SecurityDomainChanged : 1;                                // 21 BitPosition                    
/*0x87C*/             ULONG32      SecurityFreezeComplete : 1;                               // 22 BitPosition                    
/*0x87C*/             ULONG32      VmProcessorHost : 1;                                      // 23 BitPosition                    
/*0x87C*/             ULONG32      VmProcessorHostTransition : 1;                            // 24 BitPosition                    
/*0x87C*/             ULONG32      AltSyscall : 1;                                           // 25 BitPosition                    
/*0x87C*/             ULONG32      TimerResolutionIgnore : 1;                                // 26 BitPosition                    
/*0x87C*/             ULONG32      DisallowUserTerminate : 1;                                // 27 BitPosition                    
                  };                                                                                                              
              };                                                                                                                  
/*0x880*/     LONG32       DeviceAsid;                                                                                            
/*0x884*/     UINT8        _PADDING2_[0x4];                                                                                       
/*0x888*/     VOID*        SvmData;                                                                                               
/*0x890*/     struct _EX_PUSH_LOCK SvmProcessLock;                                           // 7 elements, 0x8 bytes (sizeof)    
/*0x898*/     UINT64       SvmLock;                                                                                               
/*0x8A0*/     struct _LIST_ENTRY SvmProcessDeviceListHead;                                   // 2 elements, 0x10 bytes (sizeof)   
/*0x8B0*/     UINT64       LastFreezeInterruptTime;                                                                               
/*0x8B8*/     struct _PROCESS_DISK_COUNTERS* DiskCounters;                                                                        
/*0x8C0*/     VOID*        PicoContext;                                                                                           
/*0x8C8*/     VOID*        EnclaveTable;                                                                                          
/*0x8D0*/     UINT64       EnclaveNumber;                                                                                         
/*0x8D8*/     struct _EX_PUSH_LOCK EnclaveLock;                                              // 7 elements, 0x8 bytes (sizeof)    
/*0x8E0*/     ULONG32      HighPriorityFaultsAllowed;                                                                             
/*0x8E4*/     UINT8        _PADDING3_[0x4];                                                                                       
/*0x8E8*/     struct _PO_PROCESS_ENERGY_CONTEXT* EnergyContext;                                                                   
/*0x8F0*/     VOID*        VmContext;                                                                                             
/*0x8F8*/     UINT64       SequenceNumber;                                                                                        
/*0x900*/     UINT64       CreateInterruptTime;                                                                                   
/*0x908*/     UINT64       CreateUnbiasedInterruptTime;                                                                           
/*0x910*/     UINT64       TotalUnbiasedFrozenTime;                                                                               
/*0x918*/     UINT64       LastAppStateUpdateTime;                                                                                
              struct                                                                         // 2 elements, 0x8 bytes (sizeof)    
              {                                                                                                                   
/*0x920*/         UINT64       LastAppStateUptime : 61;                                      // 0 BitPosition                     
/*0x920*/         UINT64       LastAppState : 3;                                             // 61 BitPosition                    
              };                                                                                                                  
/*0x928*/     UINT64       SharedCommitCharge;                                                                                    
/*0x930*/     struct _EX_PUSH_LOCK SharedCommitLock;                                         // 7 elements, 0x8 bytes (sizeof)    
/*0x938*/     struct _LIST_ENTRY SharedCommitLinks;                                          // 2 elements, 0x10 bytes (sizeof)   
              union                                                                          // 2 elements, 0x10 bytes (sizeof)   
              {                                                                                                                   
                  struct                                                                     // 2 elements, 0x10 bytes (sizeof)   
                  {                                                                                                               
/*0x948*/             UINT64       AllowedCpuSets;                                                                                
/*0x950*/             UINT64       DefaultCpuSets;                                                                                
                  };                                                                                                              
                  struct                                                                     // 2 elements, 0x10 bytes (sizeof)   
                  {                                                                                                               
/*0x948*/             UINT64*      AllowedCpuSetsIndirect;                                                                        
/*0x950*/             UINT64*      DefaultCpuSetsIndirect;                                                                        
                  };                                                                                                              
              };                                                                                                                  
/*0x958*/     VOID*        DiskIoAttribution;                                                                                     
/*0x960*/     VOID*        DxgProcess;                                                                                            
/*0x968*/     ULONG32      Win32KFilterSet;                                                                                       
/*0x96C*/     UINT8        _PADDING4_[0x4];                                                                                       
/*0x970*/     union _PS_INTERLOCKED_TIMER_DELAY_VALUES ProcessTimerDelay;                    // 7 elements, 0x8 bytes (sizeof)    
/*0x978*/     ULONG32      KTimerSets;                                                                                            
/*0x97C*/     ULONG32      KTimer2Sets;                                                                                           
/*0x980*/     ULONG32      ThreadTimerSets;                                                                                       
/*0x984*/     UINT8        _PADDING5_[0x4];                                                                                       
/*0x988*/     UINT64       VirtualTimerListLock;                                                                                  
/*0x990*/     struct _LIST_ENTRY VirtualTimerListHead;                                       // 2 elements, 0x10 bytes (sizeof)   
              union                                                                          // 2 elements, 0x30 bytes (sizeof)   
              {                                                                                                                   
/*0x9A0*/         struct _WNF_STATE_NAME WakeChannel;                                        // 1 elements, 0x8 bytes (sizeof)    
/*0x9A0*/         struct _PS_PROCESS_WAKE_INFORMATION WakeInfo;                              // 4 elements, 0x30 bytes (sizeof)   
              };                                                                                                                  
              union                                                                          // 2 elements, 0x4 bytes (sizeof)    
              {                                                                                                                   
/*0x9D0*/         ULONG32      MitigationFlags;                                                                                   
/*0x9D0*/         struct _<anonymous-tag> MitigationFlagsValues;                             // 32 elements, 0x4 bytes (sizeof)   
              };                                                                                                                  
              union                                                                          // 2 elements, 0x4 bytes (sizeof)    
              {                                                                                                                   
/*0x9D4*/         ULONG32      MitigationFlags2;                                                                                  
/*0x9D4*/         struct _<anonymous-tag> MitigationFlags2Values;                            // 32 elements, 0x4 bytes (sizeof)   
              };                                                                                                                  
/*0x9D8*/     VOID*        PartitionObject;                                                                                       
/*0x9E0*/     UINT64       SecurityDomain;                                                                                        
/*0x9E8*/     UINT64       ParentSecurityDomain;                                                                                  
/*0x9F0*/     VOID*        CoverageSamplerContext;                                                                                
/*0x9F8*/     VOID*        MmHotPatchContext;                                                                                     
/*0xA00*/     struct _RTL_AVL_TREE DynamicEHContinuationTargetsTree;                         // 1 elements, 0x8 bytes (sizeof)    
/*0xA08*/     struct _EX_PUSH_LOCK DynamicEHContinuationTargetsLock;                         // 7 elements, 0x8 bytes (sizeof)    
/*0xA10*/     struct _PS_DYNAMIC_ENFORCED_ADDRESS_RANGES DynamicEnforcedCetCompatibleRanges; // 2 elements, 0x10 bytes (sizeof)   
/*0xA20*/     ULONG32      DisabledComponentFlags;                                                                                
/*0xA24*/     UINT8        _PADDING6_[0x4];                                                                                       
/*0xA28*/     ULONG32*     PathRedirectionHashes;                                                                                 
/*0xA30*/     UINT8        _PADDING7_[0x10];                                                                                      
          }EPROCESS, *PEPROCESS;   
typedef struct _EPROCESS                                                           // 235 elements, 0xA40 bytes (sizeof)
          {                                                                                                                       
/*0x000*/     struct _KPROCESS Pcb;                                                          // 54 elements, 0x438 bytes (sizeof) 
/*0x438*/     struct _EX_PUSH_LOCK ProcessLock;                                              // 7 elements, 0x8 bytes (sizeof)    
/*0x440*/     VOID*        UniqueProcessId;                                                                                       
/*0x448*/     struct _LIST_ENTRY ActiveProcessLinks;                                         // 2 elements, 0x10 bytes (sizeof)   
/*0x458*/     struct _EX_RUNDOWN_REF RundownProtect;                                         // 2 elements, 0x8 bytes (sizeof)    
              union                                                                          // 2 elements, 0x4 bytes (sizeof)    
              {                                                                                                                   
/*0x460*/         ULONG32      Flags2;                                                                                            
                  struct                                                                     // 28 elements, 0x4 bytes (sizeof)   
                  {                                                                                                               
/*0x460*/             ULONG32      JobNotReallyActive : 1;                                   // 0 BitPosition                     
/*0x460*/             ULONG32      AccountingFolded : 1;                                     // 1 BitPosition                     
/*0x460*/             ULONG32      NewProcessReported : 1;                                   // 2 BitPosition                     
/*0x460*/             ULONG32      ExitProcessReported : 1;                                  // 3 BitPosition                     
/*0x460*/             ULONG32      ReportCommitChanges : 1;                                  // 4 BitPosition                     
/*0x460*/             ULONG32      LastReportMemory : 1;                                     // 5 BitPosition                     
/*0x460*/             ULONG32      ForceWakeCharge : 1;                                      // 6 BitPosition                     
/*0x460*/             ULONG32      CrossSessionCreate : 1;                                   // 7 BitPosition                     
/*0x460*/             ULONG32      NeedsHandleRundown : 1;                                   // 8 BitPosition                     
/*0x460*/             ULONG32      RefTraceEnabled : 1;                                      // 9 BitPosition                     
/*0x460*/             ULONG32      PicoCreated : 1;                                          // 10 BitPosition                    
/*0x460*/             ULONG32      EmptyJobEvaluated : 1;                                    // 11 BitPosition                    
/*0x460*/             ULONG32      DefaultPagePriority : 3;                                  // 12 BitPosition                    
/*0x460*/             ULONG32      PrimaryTokenFrozen : 1;                                   // 15 BitPosition                    
/*0x460*/             ULONG32      ProcessVerifierTarget : 1;                                // 16 BitPosition                    
/*0x460*/             ULONG32      RestrictSetThreadContext : 1;                             // 17 BitPosition                    
/*0x460*/             ULONG32      AffinityPermanent : 1;                                    // 18 BitPosition                    
/*0x460*/             ULONG32      AffinityUpdateEnable : 1;                                 // 19 BitPosition                    
/*0x460*/             ULONG32      PropagateNode : 1;                                        // 20 BitPosition                    
/*0x460*/             ULONG32      ExplicitAffinity : 1;                                     // 21 BitPosition                    
/*0x460*/             ULONG32      ProcessExecutionState : 2;                                // 22 BitPosition                    
/*0x460*/             ULONG32      EnableReadVmLogging : 1;                                  // 24 BitPosition                    
/*0x460*/             ULONG32      EnableWriteVmLogging : 1;                                 // 25 BitPosition                    
/*0x460*/             ULONG32      FatalAccessTerminationRequested : 1;                      // 26 BitPosition                    
/*0x460*/             ULONG32      DisableSystemAllowedCpuSet : 1;                           // 27 BitPosition                    
/*0x460*/             ULONG32      ProcessStateChangeRequest : 2;                            // 28 BitPosition                    
/*0x460*/             ULONG32      ProcessStateChangeInProgress : 1;                         // 30 BitPosition                    
/*0x460*/             ULONG32      InPrivate : 1;                                            // 31 BitPosition                    
                  };                                                                                                              
              };                                                                                                                  
              union                                                                          // 2 elements, 0x4 bytes (sizeof)    
              {                                                                                                                   
/*0x464*/         ULONG32      Flags;                                                                                             
                  struct                                                                     // 29 elements, 0x4 bytes (sizeof)   
                  {                                                                                                               
/*0x464*/             ULONG32      CreateReported : 1;                                       // 0 BitPosition                     
/*0x464*/             ULONG32      NoDebugInherit : 1;                                       // 1 BitPosition                     
/*0x464*/             ULONG32      ProcessExiting : 1;                                       // 2 BitPosition                     
/*0x464*/             ULONG32      ProcessDelete : 1;                                        // 3 BitPosition                     
/*0x464*/             ULONG32      ManageExecutableMemoryWrites : 1;                         // 4 BitPosition                     
/*0x464*/             ULONG32      VmDeleted : 1;                                            // 5 BitPosition                     
/*0x464*/             ULONG32      OutswapEnabled : 1;                                       // 6 BitPosition                     
/*0x464*/             ULONG32      Outswapped : 1;                                           // 7 BitPosition                     
/*0x464*/             ULONG32      FailFastOnCommitFail : 1;                                 // 8 BitPosition                     
/*0x464*/             ULONG32      Wow64VaSpace4Gb : 1;                                      // 9 BitPosition                     
/*0x464*/             ULONG32      AddressSpaceInitialized : 2;                              // 10 BitPosition                    
/*0x464*/             ULONG32      SetTimerResolution : 1;                                   // 12 BitPosition                    
/*0x464*/             ULONG32      BreakOnTermination : 1;                                   // 13 BitPosition                    
/*0x464*/             ULONG32      DeprioritizeViews : 1;                                    // 14 BitPosition                    
/*0x464*/             ULONG32      WriteWatch : 1;                                           // 15 BitPosition                    
/*0x464*/             ULONG32      ProcessInSession : 1;                                     // 16 BitPosition                    
/*0x464*/             ULONG32      OverrideAddressSpace : 1;                                 // 17 BitPosition                    
/*0x464*/             ULONG32      HasAddressSpace : 1;                                      // 18 BitPosition                    
/*0x464*/             ULONG32      LaunchPrefetched : 1;                                     // 19 BitPosition                    
/*0x464*/             ULONG32      Background : 1;                                           // 20 BitPosition                    
/*0x464*/             ULONG32      VmTopDown : 1;                                            // 21 BitPosition                    
/*0x464*/             ULONG32      ImageNotifyDone : 1;                                      // 22 BitPosition                    
/*0x464*/             ULONG32      PdeUpdateNeeded : 1;                                      // 23 BitPosition                    
/*0x464*/             ULONG32      VdmAllowed : 1;                                           // 24 BitPosition                    
/*0x464*/             ULONG32      ProcessRundown : 1;                                       // 25 BitPosition                    
/*0x464*/             ULONG32      ProcessInserted : 1;                                      // 26 BitPosition                    
/*0x464*/             ULONG32      DefaultIoPriority : 3;                                    // 27 BitPosition                    
/*0x464*/             ULONG32      ProcessSelfDelete : 1;                                    // 30 BitPosition                    
/*0x464*/             ULONG32      SetTimerResolutionLink : 1;                               // 31 BitPosition                    
                  };                                                                                                              
              };                                                                                                                  
/*0x468*/     union _LARGE_INTEGER CreateTime;                                               // 4 elements, 0x8 bytes (sizeof)    
/*0x470*/     UINT64       ProcessQuotaUsage[2];                                                                                  
/*0x480*/     UINT64       ProcessQuotaPeak[2];                                                                                   
/*0x490*/     UINT64       PeakVirtualSize;                                                                                       
/*0x498*/     UINT64       VirtualSize;                                                                                           
/*0x4A0*/     struct _LIST_ENTRY SessionProcessLinks;                                        // 2 elements, 0x10 bytes (sizeof)   
              union                                                                          // 3 elements, 0x8 bytes (sizeof)    
              {                                                                                                                   
/*0x4B0*/         VOID*        ExceptionPortData;                                                                                 
/*0x4B0*/         UINT64       ExceptionPortValue;                                                                                
/*0x4B0*/         UINT64       ExceptionPortState : 3;                                       // 0 BitPosition                     
              };                                                                                                                  
/*0x4B8*/     struct _EX_FAST_REF Token;                                                     // 3 elements, 0x8 bytes (sizeof)    
/*0x4C0*/     UINT64       MmReserved;                                                                                            
/*0x4C8*/     struct _EX_PUSH_LOCK AddressCreationLock;                                      // 7 elements, 0x8 bytes (sizeof)    
/*0x4D0*/     struct _EX_PUSH_LOCK PageTableCommitmentLock;                                  // 7 elements, 0x8 bytes (sizeof)    
/*0x4D8*/     struct _ETHREAD* RotateInProgress;                                                                                  
/*0x4E0*/     struct _ETHREAD* ForkInProgress;                                                                                    
/*0x4E8*/     struct _EJOB* CommitChargeJob;                                                                                      
/*0x4F0*/     struct _RTL_AVL_TREE CloneRoot;                                                // 1 elements, 0x8 bytes (sizeof)    
/*0x4F8*/     UINT64       NumberOfPrivatePages;                                                                                  
/*0x500*/     UINT64       NumberOfLockedPages;                                                                                   
/*0x508*/     VOID*        Win32Process;                                                                                          
/*0x510*/     struct _EJOB* Job;                                                                                                  
/*0x518*/     VOID*        SectionObject;                                                                                         
/*0x520*/     VOID*        SectionBaseAddress;                                                                                    
/*0x528*/     ULONG32      Cookie;                                                                                                
/*0x52C*/     UINT8        _PADDING0_[0x4];                                                                                       
/*0x530*/     struct _PAGEFAULT_HISTORY* WorkingSetWatch;                                                                         
/*0x538*/     VOID*        Win32WindowStation;                                                                                    
/*0x540*/     VOID*        InheritedFromUniqueProcessId;                                                                          
/*0x548*/     UINT64       OwnerProcessId;                                                                                        
/*0x550*/     struct _PEB* Peb;                                                                                                   
/*0x558*/     struct _MM_SESSION_SPACE* Session;                                                                                  
/*0x560*/     VOID*        Spare1;                                                                                                
/*0x568*/     struct _EPROCESS_QUOTA_BLOCK* QuotaBlock;                                                                           
/*0x570*/     struct _HANDLE_TABLE* ObjectTable;                                                                                  
/*0x578*/     VOID*        DebugPort;                                                                                             
/*0x580*/     struct _EWOW64PROCESS* WoW64Process;                                                                                
/*0x588*/     VOID*        DeviceMap;                                                                                             
/*0x590*/     VOID*        EtwDataSource;                                                                                         
/*0x598*/     UINT64       PageDirectoryPte;                                                                                      
/*0x5A0*/     struct _FILE_OBJECT* ImageFilePointer;                                                                              
/*0x5A8*/     UINT8        ImageFileName[15];                                                                                     

最新回复 (1)
感谢分享
2023-10-7 16:54