[原创]x64内核实验6-进程
发表于: 2023-10-7 13:20 9292
(这里写目录标题)
首先来看一下进程结构体完整的定义,然后我会介绍几个比较重要的字段属性
下面是我从pdb文件导出的头文件,这个头文件可以直接复制到ida里导入成结构体使用的,其他结构体的头文件后面我会一起放出来给大家下载
KEPROCESS.h
EPROCESS.h
这两个结构体非常大,我们简单介绍一下比较重要的几个字段
常见的差不多就这些了
下面可以做几个实验(最近比较忙,我这边先把知识点整理出来,代码后面有空了写一份贴上来,大家可以先自己尝试着做一下)
实验1:0环断链隐藏进程
实验2:0环清空debugport反调试
实验3:通过三环peb查找自己加载的所有模块
实验4:通过修改peb里的BeingDebugged达到反调试
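#ifndef KPROCESS_H_GUARD
#define KPROCESS_H_GUARD

/*
 * _KPROCESS: the scheduler-level ("Pcb") part of a process object. It sits at
 * offset 0 of _EPROCESS.
 *
 * The layout was exported from a PDB by the page's author; the Windows build it
 * came from is not stated on the page, so every offset and size below is
 * specific to that build and has to be re-exported before being used against
 * any other kernel. Type names (UINT64, ULONG32, struct _LIST_ENTRY, ...) and
 * the embedded structures are declared in the other exported headers, not here.
 *
 * Fix-ups relative to the raw export: the exporter emitted
 * "union _<anonymous-tag>" for SecureState, which neither a C compiler nor an
 * IDA header import will parse; it is replaced by an opaque member of the same
 * size (0x8) so the offsets that follow stay correct.
 */
typedef struct _KPROCESS                                               // 54 elements, 0x438 bytes (sizeof)
{
    /* 0x000 */ struct _DISPATCHER_HEADER Header;                      // 59 elements, 0x18 bytes (sizeof)
    /* 0x018 */ struct _LIST_ENTRY ProfileListHead;                    // 2 elements, 0x10 bytes (sizeof)
    /* 0x028 */ UINT64 DirectoryTableBase;                             // page-table root of the process address space (presumably the CR3 value; confirm for the build)
    /* 0x030 */ struct _LIST_ENTRY ThreadListHead;                     // 2 elements, 0x10 bytes (sizeof); per-process thread list, a second enumeration path independent of EPROCESS.ActiveProcessLinks (useful for cross-view checks)
    /* 0x040 */ ULONG32 ProcessLock;
    /* 0x044 */ ULONG32 ProcessTimerDelay;
    /* 0x048 */ UINT64 DeepFreezeStartTime;
    /* 0x050 */ struct _KAFFINITY_EX Affinity;                         // 4 elements, 0xA8 bytes (sizeof)
    /* 0x0F8 */ UINT64 AffinityPadding[12];
    /* 0x158 */ struct _LIST_ENTRY ReadyListHead;                      // 2 elements, 0x10 bytes (sizeof)
    /* 0x168 */ struct _SINGLE_LIST_ENTRY SwapListEntry;               // 1 elements, 0x8 bytes (sizeof)
    /* 0x170 */ struct _KAFFINITY_EX ActiveProcessors;                 // 4 elements, 0xA8 bytes (sizeof)
    /* 0x218 */ UINT64 ActiveProcessorsPadding[12];
    union                                                              // 2 elements, 0x4 bytes (sizeof)
    {
        struct                                                         // 10 elements, 0x4 bytes (sizeof)
        {
            /* 0x278 */ ULONG32 AutoAlignment : 1;                     // bit 0
            /* 0x278 */ ULONG32 DisableBoost : 1;                      // bit 1
            /* 0x278 */ ULONG32 DisableQuantum : 1;                    // bit 2
            /* 0x278 */ ULONG32 DeepFreeze : 1;                        // bit 3
            /* 0x278 */ ULONG32 TimerVirtualization : 1;               // bit 4
            /* 0x278 */ ULONG32 CheckStackExtents : 1;                 // bit 5
            /* 0x278 */ ULONG32 CacheIsolationEnabled : 1;             // bit 6
            /* 0x278 */ ULONG32 PpmPolicy : 3;                         // bit 7
            /* 0x278 */ ULONG32 VaSpaceDeleted : 1;                    // bit 10
            /* 0x278 */ ULONG32 ReservedFlags : 21;                    // bit 11
        };
        /* 0x278 */ LONG32 ProcessFlags;                               // same 4 bytes as the bitfield above
    };
    /* 0x27C */ ULONG32 ActiveGroupsMask;
    /* 0x280 */ CHAR BasePriority;
    /* 0x281 */ CHAR QuantumReset;
    /* 0x282 */ CHAR Visited;
    /* 0x283 */ union _KEXECUTE_OPTIONS Flags;                         // 10 elements, 0x1 bytes (sizeof)
    /* 0x284 */ UINT16 ThreadSeed[20];
    /* 0x2AC */ UINT16 ThreadSeedPadding[12];
    /* 0x2C4 */ UINT16 IdealProcessor[20];
    /* 0x2EC */ UINT16 IdealProcessorPadding[12];
    /* 0x304 */ UINT16 IdealNode[20];
    /* 0x32C */ UINT16 IdealNodePadding[12];
    /* 0x344 */ UINT16 IdealGlobalNode;
    /* 0x346 */ UINT16 Spare1;
    /* 0x348 */ union _KSTACK_COUNT StackCount;                        // 3 elements, 0x4 bytes (sizeof)
    /* 0x34C */ UINT8 _PADDING0_[0x4];
    /* 0x350 */ struct _LIST_ENTRY ProcessListEntry;                   // 2 elements, 0x10 bytes (sizeof); links into a kernel-wide process list whose head is not part of this listing
    /* 0x360 */ UINT64 CycleTime;
    /* 0x368 */ UINT64 ContextSwitches;
    /* 0x370 */ struct _KSCHEDULING_GROUP* SchedulingGroup;
    /* 0x378 */ ULONG32 FreezeCount;
    /* 0x37C */ ULONG32 KernelTime;
    /* 0x380 */ ULONG32 UserTime;
    /* 0x384 */ ULONG32 ReadyTime;
    /* 0x388 */ UINT64 UserDirectoryTableBase;                         // second page-table root; the name suggests the user-mode root used with KVA shadowing — not established by this listing
    /* 0x390 */ UINT8 AddressPolicy;
    /* 0x391 */ UINT8 Spare2[71];
    /* 0x3D8 */ VOID* InstrumentationCallback;                         // per-process callback pointer; an unexpected non-NULL value is a reasonable thing for a memory-forensics check to flag (confirm semantics for the build)
    /* 0x3E0 */ UINT64 SecureState;                                    // PLACEHOLDER: exporter emitted "union _<anonymous-tag>" (2 elements, 0x8 bytes); members not on the page, size preserved
    /* 0x3E8 */ UINT64 KernelWaitTime;
    /* 0x3F0 */ UINT64 UserWaitTime;
    /* 0x3F8 */ UINT64 EndPadding[8];
} KPROCESS, *PKPROCESS;

#endif /* KPROCESS_H_GUARD */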
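#ifndef KPROCESS_H_GUARD
#define KPROCESS_H_GUARD

/*
 * _KPROCESS: the scheduler-level ("Pcb") part of a process object. It sits at
 * offset 0 of _EPROCESS.
 *
 * This is the second copy of the definition on the page; the include guard
 * makes whichever copy is seen second a no-op, because redefining
 * struct _KPROCESS in one translation unit is a compile error.
 *
 * The layout was exported from a PDB by the page's author; the Windows build it
 * came from is not stated on the page, so every offset and size below is
 * specific to that build and has to be re-exported before being used against
 * any other kernel. Type names (UINT64, ULONG32, struct _LIST_ENTRY, ...) and
 * the embedded structures are declared in the other exported headers, not here.
 *
 * Fix-ups relative to the raw export: the exporter emitted
 * "union _<anonymous-tag>" for SecureState, which neither a C compiler nor an
 * IDA header import will parse; it is replaced by an opaque member of the same
 * size (0x8) so the offsets that follow stay correct.
 */
typedef struct _KPROCESS                                               // 54 elements, 0x438 bytes (sizeof)
{
    /* 0x000 */ struct _DISPATCHER_HEADER Header;                      // 59 elements, 0x18 bytes (sizeof)
    /* 0x018 */ struct _LIST_ENTRY ProfileListHead;                    // 2 elements, 0x10 bytes (sizeof)
    /* 0x028 */ UINT64 DirectoryTableBase;                             // page-table root of the process address space (presumably the CR3 value; confirm for the build)
    /* 0x030 */ struct _LIST_ENTRY ThreadListHead;                     // 2 elements, 0x10 bytes (sizeof); per-process thread list, a second enumeration path independent of EPROCESS.ActiveProcessLinks (useful for cross-view checks)
    /* 0x040 */ ULONG32 ProcessLock;
    /* 0x044 */ ULONG32 ProcessTimerDelay;
    /* 0x048 */ UINT64 DeepFreezeStartTime;
    /* 0x050 */ struct _KAFFINITY_EX Affinity;                         // 4 elements, 0xA8 bytes (sizeof)
    /* 0x0F8 */ UINT64 AffinityPadding[12];
    /* 0x158 */ struct _LIST_ENTRY ReadyListHead;                      // 2 elements, 0x10 bytes (sizeof)
    /* 0x168 */ struct _SINGLE_LIST_ENTRY SwapListEntry;               // 1 elements, 0x8 bytes (sizeof)
    /* 0x170 */ struct _KAFFINITY_EX ActiveProcessors;                 // 4 elements, 0xA8 bytes (sizeof)
    /* 0x218 */ UINT64 ActiveProcessorsPadding[12];
    union                                                              // 2 elements, 0x4 bytes (sizeof)
    {
        struct                                                         // 10 elements, 0x4 bytes (sizeof)
        {
            /* 0x278 */ ULONG32 AutoAlignment : 1;                     // bit 0
            /* 0x278 */ ULONG32 DisableBoost : 1;                      // bit 1
            /* 0x278 */ ULONG32 DisableQuantum : 1;                    // bit 2
            /* 0x278 */ ULONG32 DeepFreeze : 1;                        // bit 3
            /* 0x278 */ ULONG32 TimerVirtualization : 1;               // bit 4
            /* 0x278 */ ULONG32 CheckStackExtents : 1;                 // bit 5
            /* 0x278 */ ULONG32 CacheIsolationEnabled : 1;             // bit 6
            /* 0x278 */ ULONG32 PpmPolicy : 3;                         // bit 7
            /* 0x278 */ ULONG32 VaSpaceDeleted : 1;                    // bit 10
            /* 0x278 */ ULONG32 ReservedFlags : 21;                    // bit 11
        };
        /* 0x278 */ LONG32 ProcessFlags;                               // same 4 bytes as the bitfield above
    };
    /* 0x27C */ ULONG32 ActiveGroupsMask;
    /* 0x280 */ CHAR BasePriority;
    /* 0x281 */ CHAR QuantumReset;
    /* 0x282 */ CHAR Visited;
    /* 0x283 */ union _KEXECUTE_OPTIONS Flags;                         // 10 elements, 0x1 bytes (sizeof)
    /* 0x284 */ UINT16 ThreadSeed[20];
    /* 0x2AC */ UINT16 ThreadSeedPadding[12];
    /* 0x2C4 */ UINT16 IdealProcessor[20];
    /* 0x2EC */ UINT16 IdealProcessorPadding[12];
    /* 0x304 */ UINT16 IdealNode[20];
    /* 0x32C */ UINT16 IdealNodePadding[12];
    /* 0x344 */ UINT16 IdealGlobalNode;
    /* 0x346 */ UINT16 Spare1;
    /* 0x348 */ union _KSTACK_COUNT StackCount;                        // 3 elements, 0x4 bytes (sizeof)
    /* 0x34C */ UINT8 _PADDING0_[0x4];
    /* 0x350 */ struct _LIST_ENTRY ProcessListEntry;                   // 2 elements, 0x10 bytes (sizeof); links into a kernel-wide process list whose head is not part of this listing
    /* 0x360 */ UINT64 CycleTime;
    /* 0x368 */ UINT64 ContextSwitches;
    /* 0x370 */ struct _KSCHEDULING_GROUP* SchedulingGroup;
    /* 0x378 */ ULONG32 FreezeCount;
    /* 0x37C */ ULONG32 KernelTime;
    /* 0x380 */ ULONG32 UserTime;
    /* 0x384 */ ULONG32 ReadyTime;
    /* 0x388 */ UINT64 UserDirectoryTableBase;                         // second page-table root; the name suggests the user-mode root used with KVA shadowing — not established by this listing
    /* 0x390 */ UINT8 AddressPolicy;
    /* 0x391 */ UINT8 Spare2[71];
    /* 0x3D8 */ VOID* InstrumentationCallback;                         // per-process callback pointer; an unexpected non-NULL value is a reasonable thing for a memory-forensics check to flag (confirm semantics for the build)
    /* 0x3E0 */ UINT64 SecureState;                                    // PLACEHOLDER: exporter emitted "union _<anonymous-tag>" (2 elements, 0x8 bytes); members not on the page, size preserved
    /* 0x3E8 */ UINT64 KernelWaitTime;
    /* 0x3F0 */ UINT64 UserWaitTime;
    /* 0x3F8 */ UINT64 EndPadding[8];
} KPROCESS, *PKPROCESS;

#endif /* KPROCESS_H_GUARD */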
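#ifndef EPROCESS_H_GUARD
#define EPROCESS_H_GUARD

/*
 * _EPROCESS: executive process object. Starts with the _KPROCESS (Pcb) and
 * carries everything the executive tracks per process: PID, process-list links,
 * primary token, handle table, PEB pointer, debug port, image identity, VAD
 * tree, protection/signature levels and mitigation policy.
 *
 * The layout was exported from a PDB by the page's author; the Windows build is
 * not stated on the page, so every offset and size below is specific to that
 * build and has to be re-exported before being used against any other kernel.
 * Type names (UINT64, ULONG32, VOID, struct _LIST_ENTRY, ...) and the embedded
 * structures are declared in the other exported headers, not here.
 *
 * Fix-ups relative to the raw export: the exporter emitted
 * "struct _<anonymous-tag>" for MitigationFlagsValues / MitigationFlags2Values,
 * which neither a C compiler nor an IDA header import will parse; each is
 * replaced by an opaque member of the same size (0x4) so the union stays 4 bytes
 * and the offsets that follow stay correct.
 *
 * Several fields below are the ones the page's experiments touch (unlinking
 * ActiveProcessLinks, zeroing DebugPort, reading Peb). Modifying any of them
 * from a driver is unsupported by the OS, and the inconsistencies it leaves
 * (threads, handle table, PID entry still present) are exactly what cross-view
 * detection in memory-forensics tooling compares.
 */
typedef struct _EPROCESS                                               // 235 elements, 0xA40 bytes (sizeof)
{
    /* 0x000 */ struct _KPROCESS Pcb;                                  // 54 elements, 0x438 bytes (sizeof)
    /* 0x438 */ struct _EX_PUSH_LOCK ProcessLock;                      // 7 elements, 0x8 bytes (sizeof)
    /* 0x440 */ VOID* UniqueProcessId;                                 // PID, stored as a HANDLE-sized value
    /* 0x448 */ struct _LIST_ENTRY ActiveProcessLinks;                 // 2 elements, 0x10 bytes (sizeof); kernel-wide process list walked by process enumeration — experiment 1 on the page unlinks an entry here (DKOM); the process's threads, handle table and PID still exist, which is what detection compares against
    /* 0x458 */ struct _EX_RUNDOWN_REF RundownProtect;                 // 2 elements, 0x8 bytes (sizeof)
    union                                                              // 2 elements, 0x4 bytes (sizeof)
    {
        /* 0x460 */ ULONG32 Flags2;
        struct                                                         // 28 elements, 0x4 bytes (sizeof)
        {
            /* 0x460 */ ULONG32 JobNotReallyActive : 1;                // bit 0
            /* 0x460 */ ULONG32 AccountingFolded : 1;                  // bit 1
            /* 0x460 */ ULONG32 NewProcessReported : 1;                // bit 2
            /* 0x460 */ ULONG32 ExitProcessReported : 1;               // bit 3
            /* 0x460 */ ULONG32 ReportCommitChanges : 1;               // bit 4
            /* 0x460 */ ULONG32 LastReportMemory : 1;                  // bit 5
            /* 0x460 */ ULONG32 ForceWakeCharge : 1;                   // bit 6
            /* 0x460 */ ULONG32 CrossSessionCreate : 1;                // bit 7
            /* 0x460 */ ULONG32 NeedsHandleRundown : 1;                // bit 8
            /* 0x460 */ ULONG32 RefTraceEnabled : 1;                   // bit 9
            /* 0x460 */ ULONG32 PicoCreated : 1;                       // bit 10
            /* 0x460 */ ULONG32 EmptyJobEvaluated : 1;                 // bit 11
            /* 0x460 */ ULONG32 DefaultPagePriority : 3;               // bit 12
            /* 0x460 */ ULONG32 PrimaryTokenFrozen : 1;                // bit 15
            /* 0x460 */ ULONG32 ProcessVerifierTarget : 1;             // bit 16
            /* 0x460 */ ULONG32 RestrictSetThreadContext : 1;          // bit 17
            /* 0x460 */ ULONG32 AffinityPermanent : 1;                 // bit 18
            /* 0x460 */ ULONG32 AffinityUpdateEnable : 1;              // bit 19
            /* 0x460 */ ULONG32 PropagateNode : 1;                     // bit 20
            /* 0x460 */ ULONG32 ExplicitAffinity : 1;                  // bit 21
            /* 0x460 */ ULONG32 ProcessExecutionState : 2;             // bit 22
            /* 0x460 */ ULONG32 EnableReadVmLogging : 1;               // bit 24
            /* 0x460 */ ULONG32 EnableWriteVmLogging : 1;              // bit 25
            /* 0x460 */ ULONG32 FatalAccessTerminationRequested : 1;   // bit 26
            /* 0x460 */ ULONG32 DisableSystemAllowedCpuSet : 1;        // bit 27
            /* 0x460 */ ULONG32 ProcessStateChangeRequest : 2;         // bit 28
            /* 0x460 */ ULONG32 ProcessStateChangeInProgress : 1;      // bit 30
            /* 0x460 */ ULONG32 InPrivate : 1;                         // bit 31
        };
    };
    union                                                              // 2 elements, 0x4 bytes (sizeof)
    {
        /* 0x464 */ ULONG32 Flags;
        struct                                                         // 29 elements, 0x4 bytes (sizeof)
        {
            /* 0x464 */ ULONG32 CreateReported : 1;                    // bit 0
            /* 0x464 */ ULONG32 NoDebugInherit : 1;                    // bit 1
            /* 0x464 */ ULONG32 ProcessExiting : 1;                    // bit 2
            /* 0x464 */ ULONG32 ProcessDelete : 1;                     // bit 3
            /* 0x464 */ ULONG32 ManageExecutableMemoryWrites : 1;      // bit 4
            /* 0x464 */ ULONG32 VmDeleted : 1;                         // bit 5
            /* 0x464 */ ULONG32 OutswapEnabled : 1;                    // bit 6
            /* 0x464 */ ULONG32 Outswapped : 1;                        // bit 7
            /* 0x464 */ ULONG32 FailFastOnCommitFail : 1;              // bit 8
            /* 0x464 */ ULONG32 Wow64VaSpace4Gb : 1;                   // bit 9
            /* 0x464 */ ULONG32 AddressSpaceInitialized : 2;           // bit 10
            /* 0x464 */ ULONG32 SetTimerResolution : 1;                // bit 12
            /* 0x464 */ ULONG32 BreakOnTermination : 1;                // bit 13
            /* 0x464 */ ULONG32 DeprioritizeViews : 1;                 // bit 14
            /* 0x464 */ ULONG32 WriteWatch : 1;                        // bit 15
            /* 0x464 */ ULONG32 ProcessInSession : 1;                  // bit 16
            /* 0x464 */ ULONG32 OverrideAddressSpace : 1;              // bit 17
            /* 0x464 */ ULONG32 HasAddressSpace : 1;                   // bit 18
            /* 0x464 */ ULONG32 LaunchPrefetched : 1;                  // bit 19
            /* 0x464 */ ULONG32 Background : 1;                        // bit 20
            /* 0x464 */ ULONG32 VmTopDown : 1;                         // bit 21
            /* 0x464 */ ULONG32 ImageNotifyDone : 1;                   // bit 22
            /* 0x464 */ ULONG32 PdeUpdateNeeded : 1;                   // bit 23
            /* 0x464 */ ULONG32 VdmAllowed : 1;                        // bit 24
            /* 0x464 */ ULONG32 ProcessRundown : 1;                    // bit 25
            /* 0x464 */ ULONG32 ProcessInserted : 1;                   // bit 26
            /* 0x464 */ ULONG32 DefaultIoPriority : 3;                 // bit 27
            /* 0x464 */ ULONG32 ProcessSelfDelete : 1;                 // bit 30
            /* 0x464 */ ULONG32 SetTimerResolutionLink : 1;            // bit 31
        };
    };
    /* 0x468 */ union _LARGE_INTEGER CreateTime;                       // 4 elements, 0x8 bytes (sizeof)
    /* 0x470 */ UINT64 ProcessQuotaUsage[2];
    /* 0x480 */ UINT64 ProcessQuotaPeak[2];
    /* 0x490 */ UINT64 PeakVirtualSize;
    /* 0x498 */ UINT64 VirtualSize;
    /* 0x4A0 */ struct _LIST_ENTRY SessionProcessLinks;                // 2 elements, 0x10 bytes (sizeof)
    union                                                              // 3 elements, 0x8 bytes (sizeof)
    {
        /* 0x4B0 */ VOID* ExceptionPortData;
        /* 0x4B0 */ UINT64 ExceptionPortValue;
        /* 0x4B0 */ UINT64 ExceptionPortState : 3;                     // bit 0
    };
    /* 0x4B8 */ struct _EX_FAST_REF Token;                             // 3 elements, 0x8 bytes (sizeof); primary access token — _EX_FAST_REF is not a bare pointer (see its definition before dereferencing); a field integrity/forensic checks compare because swapping it changes the process's identity
    /* 0x4C0 */ UINT64 MmReserved;
    /* 0x4C8 */ struct _EX_PUSH_LOCK AddressCreationLock;              // 7 elements, 0x8 bytes (sizeof)
    /* 0x4D0 */ struct _EX_PUSH_LOCK PageTableCommitmentLock;          // 7 elements, 0x8 bytes (sizeof)
    /* 0x4D8 */ struct _ETHREAD* RotateInProgress;
    /* 0x4E0 */ struct _ETHREAD* ForkInProgress;
    /* 0x4E8 */ struct _EJOB* CommitChargeJob;
    /* 0x4F0 */ struct _RTL_AVL_TREE CloneRoot;                        // 1 elements, 0x8 bytes (sizeof)
    /* 0x4F8 */ UINT64 NumberOfPrivatePages;
    /* 0x500 */ UINT64 NumberOfLockedPages;
    /* 0x508 */ VOID* Win32Process;
    /* 0x510 */ struct _EJOB* Job;
    /* 0x518 */ VOID* SectionObject;                                   // image section backing the main executable
    /* 0x520 */ VOID* SectionBaseAddress;                              // user-mode base address the image was mapped at
    /* 0x528 */ ULONG32 Cookie;
    /* 0x52C */ UINT8 _PADDING0_[0x4];
    /* 0x530 */ struct _PAGEFAULT_HISTORY* WorkingSetWatch;
    /* 0x538 */ VOID* Win32WindowStation;
    /* 0x540 */ VOID* InheritedFromUniqueProcessId;                    // parent PID (HANDLE-sized); the parent may already have exited, so it is not a live pointer
    /* 0x548 */ UINT64 OwnerProcessId;
    /* 0x550 */ struct _PEB* Peb;                                      // user-mode PEB — experiments 3 and 4 on the page read/modify it from ring 3; a driver must touch it only in that process's context with proper probing, as it is user memory
    /* 0x558 */ struct _MM_SESSION_SPACE* Session;
    /* 0x560 */ VOID* Spare1;
    /* 0x568 */ struct _EPROCESS_QUOTA_BLOCK* QuotaBlock;
    /* 0x570 */ struct _HANDLE_TABLE* ObjectTable;                     // per-process handle table
    /* 0x578 */ VOID* DebugPort;                                       // debug object reference; experiment 2 on the page zeroes it, which relies on a non-NULL value meaning a debugger is attached. Kernel-side writes here race the debugger and are unsupported
    /* 0x580 */ struct _EWOW64PROCESS* WoW64Process;                   // non-NULL for 32-bit processes on x64 (inferred from the name; confirm for the build)
    /* 0x588 */ VOID* DeviceMap;
    /* 0x590 */ VOID* EtwDataSource;
    /* 0x598 */ UINT64 PageDirectoryPte;
    /* 0x5A0 */ struct _FILE_OBJECT* ImageFilePointer;                 // file object of the main image; prefer this over ImageFileName when identity matters
    /* 0x5A8 */ UINT8 ImageFileName[15];                               // only 15 bytes, so longer names are cut — not a reliable identifier
    /* 0x5B7 */ UINT8 PriorityClass;
    /* 0x5B8 */ VOID* SecurityPort;
    /* 0x5C0 */ struct _SE_AUDIT_PROCESS_CREATION_INFO SeAuditProcessCreationInfo; // 1 elements, 0x8 bytes (sizeof)
    /* 0x5C8 */ struct _LIST_ENTRY JobLinks;                           // 2 elements, 0x10 bytes (sizeof)
    /* 0x5D8 */ VOID* HighestUserAddress;
    /* 0x5E0 */ struct _LIST_ENTRY ThreadListHead;                     // 2 elements, 0x10 bytes (sizeof); executive-level thread list, distinct from Pcb.ThreadListHead at 0x030
    /* 0x5F0 */ ULONG32 ActiveThreads;
    /* 0x5F4 */ ULONG32 ImagePathHash;
    /* 0x5F8 */ ULONG32 DefaultHardErrorProcessing;
    /* 0x5FC */ LONG32 LastThreadExitStatus;
    /* 0x600 */ struct _EX_FAST_REF PrefetchTrace;                     // 3 elements, 0x8 bytes (sizeof)
    /* 0x608 */ VOID* LockedPagesList;
    /* 0x610 */ union _LARGE_INTEGER ReadOperationCount;               // 4 elements, 0x8 bytes (sizeof)
    /* 0x618 */ union _LARGE_INTEGER WriteOperationCount;              // 4 elements, 0x8 bytes (sizeof)
    /* 0x620 */ union _LARGE_INTEGER OtherOperationCount;              // 4 elements, 0x8 bytes (sizeof)
    /* 0x628 */ union _LARGE_INTEGER ReadTransferCount;                // 4 elements, 0x8 bytes (sizeof)
    /* 0x630 */ union _LARGE_INTEGER WriteTransferCount;               // 4 elements, 0x8 bytes (sizeof)
    /* 0x638 */ union _LARGE_INTEGER OtherTransferCount;               // 4 elements, 0x8 bytes (sizeof)
    /* 0x640 */ UINT64 CommitChargeLimit;
    /* 0x648 */ UINT64 CommitCharge;
    /* 0x650 */ UINT64 CommitChargePeak;
    /* 0x658 */ UINT8 _PADDING1_[0x28];
    /* 0x680 */ struct _MMSUPPORT_FULL Vm;                             // 2 elements, 0x140 bytes (sizeof)
    /* 0x7C0 */ struct _LIST_ENTRY MmProcessLinks;                     // 2 elements, 0x10 bytes (sizeof)
    /* 0x7D0 */ ULONG32 ModifiedPageCount;
    /* 0x7D4 */ LONG32 ExitStatus;
    /* 0x7D8 */ struct _RTL_AVL_TREE VadRoot;                          // 1 elements, 0x8 bytes (sizeof); root of the VAD tree describing the user address space
    /* 0x7E0 */ VOID* VadHint;
    /* 0x7E8 */ UINT64 VadCount;
    /* 0x7F0 */ UINT64 VadPhysicalPages;
    /* 0x7F8 */ UINT64 VadPhysicalPagesLimit;
    /* 0x800 */ struct _ALPC_PROCESS_CONTEXT AlpcContext;              // 3 elements, 0x20 bytes (sizeof)
    /* 0x820 */ struct _LIST_ENTRY TimerResolutionLink;                // 2 elements, 0x10 bytes (sizeof)
    /* 0x830 */ struct _PO_DIAG_STACK_RECORD* TimerResolutionStackRecord;
    /* 0x838 */ ULONG32 RequestedTimerResolution;
    /* 0x83C */ ULONG32 SmallestTimerResolution;
    /* 0x840 */ union _LARGE_INTEGER ExitTime;                         // 4 elements, 0x8 bytes (sizeof)
    /* 0x848 */ struct _INVERTED_FUNCTION_TABLE* InvertedFunctionTable;
    /* 0x850 */ struct _EX_PUSH_LOCK InvertedFunctionTableLock;        // 7 elements, 0x8 bytes (sizeof)
    /* 0x858 */ ULONG32 ActiveThreadsHighWatermark;
    /* 0x85C */ ULONG32 LargePrivateVadCount;
    /* 0x860 */ struct _EX_PUSH_LOCK ThreadListLock;                   // 7 elements, 0x8 bytes (sizeof)
    /* 0x868 */ VOID* WnfContext;
    /* 0x870 */ struct _EJOB* ServerSilo;
    /* 0x878 */ UINT8 SignatureLevel;                                  // code-integrity signing level of the process (inferred from the name)
    /* 0x879 */ UINT8 SectionSignatureLevel;                           // signing level required of sections it maps (inferred from the name)
    /* 0x87A */ struct _PS_PROTECTION Protection;                      // 4 elements, 0x1 bytes (sizeof); protected-process descriptor — member layout is in the separately exported header
    struct                                                             // 3 elements, 0x1 bytes (sizeof)
    {
        /* 0x87B */ UINT8 HangCount : 3;                               // bit 0
        /* 0x87B */ UINT8 GhostCount : 3;                              // bit 3
        /* 0x87B */ UINT8 PrefilterException : 1;                      // bit 6
    };
    union                                                              // 2 elements, 0x4 bytes (sizeof)
    {
        /* 0x87C */ ULONG32 Flags3;
        struct                                                         // 28 elements, 0x4 bytes (sizeof)
        {
            /* 0x87C */ ULONG32 Minimal : 1;                           // bit 0
            /* 0x87C */ ULONG32 ReplacingPageRoot : 1;                 // bit 1
            /* 0x87C */ ULONG32 Crashed : 1;                           // bit 2
            /* 0x87C */ ULONG32 JobVadsAreTracked : 1;                 // bit 3
            /* 0x87C */ ULONG32 VadTrackingDisabled : 1;               // bit 4
            /* 0x87C */ ULONG32 AuxiliaryProcess : 1;                  // bit 5
            /* 0x87C */ ULONG32 SubsystemProcess : 1;                  // bit 6
            /* 0x87C */ ULONG32 IndirectCpuSets : 1;                   // bit 7
            /* 0x87C */ ULONG32 RelinquishedCommit : 1;                // bit 8
            /* 0x87C */ ULONG32 HighGraphicsPriority : 1;              // bit 9
            /* 0x87C */ ULONG32 CommitFailLogged : 1;                  // bit 10
            /* 0x87C */ ULONG32 ReserveFailLogged : 1;                 // bit 11
            /* 0x87C */ ULONG32 SystemProcess : 1;                     // bit 12
            /* 0x87C */ ULONG32 HideImageBaseAddresses : 1;            // bit 13
            /* 0x87C */ ULONG32 AddressPolicyFrozen : 1;               // bit 14
            /* 0x87C */ ULONG32 ProcessFirstResume : 1;                // bit 15
            /* 0x87C */ ULONG32 ForegroundExternal : 1;                // bit 16
            /* 0x87C */ ULONG32 ForegroundSystem : 1;                  // bit 17
            /* 0x87C */ ULONG32 HighMemoryPriority : 1;                // bit 18
            /* 0x87C */ ULONG32 EnableProcessSuspendResumeLogging : 1; // bit 19
            /* 0x87C */ ULONG32 EnableThreadSuspendResumeLogging : 1;  // bit 20
            /* 0x87C */ ULONG32 SecurityDomainChanged : 1;             // bit 21
            /* 0x87C */ ULONG32 SecurityFreezeComplete : 1;            // bit 22
            /* 0x87C */ ULONG32 VmProcessorHost : 1;                   // bit 23
            /* 0x87C */ ULONG32 VmProcessorHostTransition : 1;         // bit 24
            /* 0x87C */ ULONG32 AltSyscall : 1;                        // bit 25
            /* 0x87C */ ULONG32 TimerResolutionIgnore : 1;             // bit 26
            /* 0x87C */ ULONG32 DisallowUserTerminate : 1;             // bit 27
        };
    };
    /* 0x880 */ LONG32 DeviceAsid;
    /* 0x884 */ UINT8 _PADDING2_[0x4];
    /* 0x888 */ VOID* SvmData;
    /* 0x890 */ struct _EX_PUSH_LOCK SvmProcessLock;                   // 7 elements, 0x8 bytes (sizeof)
    /* 0x898 */ UINT64 SvmLock;
    /* 0x8A0 */ struct _LIST_ENTRY SvmProcessDeviceListHead;           // 2 elements, 0x10 bytes (sizeof)
    /* 0x8B0 */ UINT64 LastFreezeInterruptTime;
    /* 0x8B8 */ struct _PROCESS_DISK_COUNTERS* DiskCounters;
    /* 0x8C0 */ VOID* PicoContext;
    /* 0x8C8 */ VOID* EnclaveTable;
    /* 0x8D0 */ UINT64 EnclaveNumber;
    /* 0x8D8 */ struct _EX_PUSH_LOCK EnclaveLock;                      // 7 elements, 0x8 bytes (sizeof)
    /* 0x8E0 */ ULONG32 HighPriorityFaultsAllowed;
    /* 0x8E4 */ UINT8 _PADDING3_[0x4];
    /* 0x8E8 */ struct _PO_PROCESS_ENERGY_CONTEXT* EnergyContext;
    /* 0x8F0 */ VOID* VmContext;
    /* 0x8F8 */ UINT64 SequenceNumber;
    /* 0x900 */ UINT64 CreateInterruptTime;
    /* 0x908 */ UINT64 CreateUnbiasedInterruptTime;
    /* 0x910 */ UINT64 TotalUnbiasedFrozenTime;
    /* 0x918 */ UINT64 LastAppStateUpdateTime;
    struct                                                             // 2 elements, 0x8 bytes (sizeof)
    {
        /* 0x920 */ UINT64 LastAppStateUptime : 61;                    // bit 0
        /* 0x920 */ UINT64 LastAppState : 3;                           // bit 61
    };
    /* 0x928 */ UINT64 SharedCommitCharge;
    /* 0x930 */ struct _EX_PUSH_LOCK SharedCommitLock;                 // 7 elements, 0x8 bytes (sizeof)
    /* 0x938 */ struct _LIST_ENTRY SharedCommitLinks;                  // 2 elements, 0x10 bytes (sizeof)
    union                                                              // 2 elements, 0x10 bytes (sizeof)
    {
        struct                                                         // 2 elements, 0x10 bytes (sizeof)
        {
            /* 0x948 */ UINT64 AllowedCpuSets;
            /* 0x950 */ UINT64 DefaultCpuSets;
        };
        struct                                                         // 2 elements, 0x10 bytes (sizeof)
        {
            /* 0x948 */ UINT64* AllowedCpuSetsIndirect;
            /* 0x950 */ UINT64* DefaultCpuSetsIndirect;
        };
    };
    /* 0x958 */ VOID* DiskIoAttribution;
    /* 0x960 */ VOID* DxgProcess;
    /* 0x968 */ ULONG32 Win32KFilterSet;
    /* 0x96C */ UINT8 _PADDING4_[0x4];
    /* 0x970 */ union _PS_INTERLOCKED_TIMER_DELAY_VALUES ProcessTimerDelay; // 7 elements, 0x8 bytes (sizeof)
    /* 0x978 */ ULONG32 KTimerSets;
    /* 0x97C */ ULONG32 KTimer2Sets;
    /* 0x980 */ ULONG32 ThreadTimerSets;
    /* 0x984 */ UINT8 _PADDING5_[0x4];
    /* 0x988 */ UINT64 VirtualTimerListLock;
    /* 0x990 */ struct _LIST_ENTRY VirtualTimerListHead;               // 2 elements, 0x10 bytes (sizeof)
    union                                                              // 2 elements, 0x30 bytes (sizeof)
    {
        /* 0x9A0 */ struct _WNF_STATE_NAME WakeChannel;                // 1 elements, 0x8 bytes (sizeof)
        /* 0x9A0 */ struct _PS_PROCESS_WAKE_INFORMATION WakeInfo;      // 4 elements, 0x30 bytes (sizeof)
    };
    union                                                              // 2 elements, 0x4 bytes (sizeof)
    {
        /* 0x9D0 */ ULONG32 MitigationFlags;                           // exploit-mitigation policy bits; the per-bit names were in an unnamed struct the exporter could not emit
        /* 0x9D0 */ ULONG32 MitigationFlagsValues;                     // PLACEHOLDER: exporter emitted "struct _<anonymous-tag>" (32 elements, 0x4 bytes); members not on the page, size preserved
    };
    union                                                              // 2 elements, 0x4 bytes (sizeof)
    {
        /* 0x9D4 */ ULONG32 MitigationFlags2;
        /* 0x9D4 */ ULONG32 MitigationFlags2Values;                    // PLACEHOLDER: exporter emitted "struct _<anonymous-tag>" (32 elements, 0x4 bytes); members not on the page, size preserved
    };
    /* 0x9D8 */ VOID* PartitionObject;
    /* 0x9E0 */ UINT64 SecurityDomain;
    /* 0x9E8 */ UINT64 ParentSecurityDomain;
    /* 0x9F0 */ VOID* CoverageSamplerContext;
    /* 0x9F8 */ VOID* MmHotPatchContext;
    /* 0xA00 */ struct _RTL_AVL_TREE DynamicEHContinuationTargetsTree; // 1 elements, 0x8 bytes (sizeof)
    /* 0xA08 */ struct _EX_PUSH_LOCK DynamicEHContinuationTargetsLock; // 7 elements, 0x8 bytes (sizeof)
    /* 0xA10 */ struct _PS_DYNAMIC_ENFORCED_ADDRESS_RANGES DynamicEnforcedCetCompatibleRanges; // 2 elements, 0x10 bytes (sizeof)
    /* 0xA20 */ ULONG32 DisabledComponentFlags;
    /* 0xA24 */ UINT8 _PADDING6_[0x4];
    /* 0xA28 */ ULONG32* PathRedirectionHashes;
    /* 0xA30 */ UINT8 _PADDING7_[0x10];
} EPROCESS, *PEPROCESS;

#endif /* EPROCESS_H_GUARD */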
typedef struct _EPROCESS
/
/
235
elements,
0xA40
bytes (sizeof)
{
/
*
0x000
*
/
struct _KPROCESS Pcb;
/
/
54
elements,
0x438
bytes (sizeof)
/
*
0x438
*
/
struct _EX_PUSH_LOCK ProcessLock;
/
/
7
elements,
0x8
bytes (sizeof)
/
*
0x440
*
/
VOID
*
UniqueProcessId;
/
*
0x448
*
/
struct _LIST_ENTRY ActiveProcessLinks;
/
/
2
elements,
0x10
bytes (sizeof)
/
*
0x458
*
/
struct _EX_RUNDOWN_REF RundownProtect;
/
/
2
elements,
0x8
bytes (sizeof)
union
/
/
2
elements,
0x4
bytes (sizeof)
{
/
*
0x460
*
/
ULONG32 Flags2;
struct
/
/
28
elements,
0x4
bytes (sizeof)
{
/
*
0x460
*
/
ULONG32 JobNotReallyActive :
1
;
/
/
0
BitPosition
/
*
0x460
*
/
ULONG32 AccountingFolded :
1
;
/
/
1
BitPosition
/
*
0x460
*
/
ULONG32 NewProcessReported :
1
;
/
/
2
BitPosition
/
*
0x460
*
/
ULONG32 ExitProcessReported :
1
;
/
/
3
BitPosition
/
*
0x460
*
/
ULONG32 ReportCommitChanges :
1
;
/
/
4
BitPosition
/
*
0x460
*
/
ULONG32 LastReportMemory :
1
;
/
/
5
BitPosition
/
*
0x460
*
/
ULONG32 ForceWakeCharge :
1
;
/
/
6
BitPosition
/
*
0x460
*
/
ULONG32 CrossSessionCreate :
1
;
/
/
7
BitPosition
/
*
0x460
*
/
ULONG32 NeedsHandleRundown :
1
;
/
/
8
BitPosition
/
*
0x460
*
/
ULONG32 RefTraceEnabled :
1
;
/
/
9
BitPosition
/
*
0x460
*
/
ULONG32 PicoCreated :
1
;
/
/
10
BitPosition
/
*
0x460
*
/
ULONG32 EmptyJobEvaluated :
1
;
/
/
11
BitPosition
/
*
0x460
*
/
ULONG32 DefaultPagePriority :
3
;
/
/
12
BitPosition
/
*
0x460
*
/
ULONG32 PrimaryTokenFrozen :
1
;
/
/
15
BitPosition
/
*
0x460
*
/
ULONG32 ProcessVerifierTarget :
1
;
/
/
16
BitPosition
/
*
0x460
*
/
ULONG32 RestrictSetThreadContext :
1
;
/
/
17
BitPosition
/
*
0x460
*
/
ULONG32 AffinityPermanent :
1
;
/
/
18
BitPosition
/
*
0x460
*
/
ULONG32 AffinityUpdateEnable :
1
;
/
/
19
BitPosition
/
*
0x460
*
/
ULONG32 PropagateNode :
1
;
/
/
20
BitPosition
/
*
0x460
*
/
ULONG32 ExplicitAffinity :
1
;
/
/
21
BitPosition
/
*
0x460
*
/
ULONG32 ProcessExecutionState :
2
;
/
/
22
BitPosition
/
*
0x460
*
/
ULONG32 EnableReadVmLogging :
1
;
/
/
24
BitPosition
/
*
0x460
*
/
ULONG32 EnableWriteVmLogging :
1
;
/
/
25
BitPosition
/
*
0x460
*
/
ULONG32 FatalAccessTerminationRequested :
1
;
/
/
26
BitPosition
/
*
0x460
*
/
ULONG32 DisableSystemAllowedCpuSet :
1
;
/
/
27
BitPosition
/
*
0x460
*
/
ULONG32 ProcessStateChangeRequest :
2
;
/
/
28
BitPosition
/
*
0x460
*
/
ULONG32 ProcessStateChangeInProgress :
1
;
/
/
30
BitPosition
/
*
0x460
*
/
ULONG32 InPrivate :
1
;
/
/
31
BitPosition
};
};
union
/
/
2
elements,
0x4
bytes (sizeof)
{
/
*
0x464
*
/
ULONG32 Flags;
struct
/
/
29
elements,
0x4
bytes (sizeof)
{
/
*
0x464
*
/
ULONG32 CreateReported :
1
;
/
/
0
BitPosition
/
*
0x464
*
/
ULONG32 NoDebugInherit :
1
;
/
/
1
BitPosition
/
*
0x464
*
/
ULONG32 ProcessExiting :
1
;
/
/
2
BitPosition
/
*
0x464
*
/
ULONG32 ProcessDelete :
1
;
/
/
3
BitPosition
/
*
0x464
*
/
ULONG32 ManageExecutableMemoryWrites :
1
;
/
/
4
BitPosition
/
*
0x464
*
/
ULONG32 VmDeleted :
1
;
/
/
5
BitPosition
/
*
0x464
*
/
ULONG32 OutswapEnabled :
1
;
/
/
6
BitPosition
/
*
0x464
*
/
ULONG32 Outswapped :
1
;
/
/
7
BitPosition
/
*
0x464
*
/
ULONG32 FailFastOnCommitFail :
1
;
/
/
8
BitPosition
/
*
0x464
*
/
ULONG32 Wow64VaSpace4Gb :
1
;
/
/
9
BitPosition
/
*
0x464
*
/
ULONG32 AddressSpaceInitialized :
2
;
/
/
10
BitPosition
/
*
0x464
*
/
ULONG32 SetTimerResolution :
1
;
/
/
12
BitPosition
/
*
0x464
*
/
ULONG32 BreakOnTermination :
1
;
/
/
13
BitPosition
/
*
0x464
*
/
ULONG32 DeprioritizeViews :
1
;
/
/
14
BitPosition
/
*
0x464
*
/
ULONG32 WriteWatch :
1
;
/
/
15
BitPosition
/
*
0x464
*
/
ULONG32 ProcessInSession :
1
;
/
/
16
BitPosition
/
*
0x464
*
/
ULONG32 OverrideAddressSpace :
1
;
/
/
17
BitPosition
/
*
0x464
*
/
ULONG32 HasAddressSpace :
1
;
/
/
18
BitPosition
/
*
0x464
*
/
ULONG32 LaunchPrefetched :
1
;
/
/
19
BitPosition
/
*
0x464
*
/
ULONG32 Background :
1
;
/
/
20
BitPosition
/
*
0x464
*
/
ULONG32 VmTopDown :
1
;
/
/
21
BitPosition
/
*
0x464
*
/
ULONG32 ImageNotifyDone :
1
;
/
/
22
BitPosition
/
*
0x464
*
/
ULONG32 PdeUpdateNeeded :
1
;
/
/
23
BitPosition
/
*
0x464
*
/
ULONG32 VdmAllowed :
1
;
/
/
24
BitPosition
/
*
0x464
*
/
ULONG32 ProcessRundown :
1
;
/
/
25
BitPosition
/
*
0x464
*
/
ULONG32 ProcessInserted :
1
;
/
/
26
BitPosition
/
*
0x464
*
/
ULONG32 DefaultIoPriority :
3
;
/
/
27
BitPosition
/
*
0x464
*
/
ULONG32 ProcessSelfDelete :
1
;
/
/
30
BitPosition
/
*
0x464
*
/
ULONG32 SetTimerResolutionLink :
1
;
/
/
31
BitPosition
};
};
/
*
0x468
*
/
union _LARGE_INTEGER CreateTime;
/
/
4
elements,
0x8
bytes (sizeof)
/
*
0x470
*
/
UINT64 ProcessQuotaUsage[
2
];
/
*
0x480
*
/
UINT64 ProcessQuotaPeak[
2
];
/
*
0x490
*
/
UINT64 PeakVirtualSize;
/
*
0x498
*
/
UINT64 VirtualSize;
/
*
0x4A0
*
/
struct _LIST_ENTRY SessionProcessLinks;
/
/
2
elements,
0x10
bytes (sizeof)
union
/
/
3
elements,
0x8
bytes (sizeof)
{
/
*
0x4B0
*
/
VOID
*
ExceptionPortData;
/
*
0x4B0
*
/
UINT64 ExceptionPortValue;
/
*
0x4B0
*
/
UINT64 ExceptionPortState :
3
;
/
/
0
BitPosition
};
/
*
0x4B8
*
/
struct _EX_FAST_REF Token;
/
/
3
elements,
0x8
bytes (sizeof)
/
*
0x4C0
*
/
UINT64 MmReserved;
/
*
0x4C8
*
/
struct _EX_PUSH_LOCK AddressCreationLock;
/
/
7
elements,
0x8
bytes (sizeof)
/
*
0x4D0
*
/
struct _EX_PUSH_LOCK PageTableCommitmentLock;
/
/
7
elements,
0x8
bytes (sizeof)
/
*
0x4D8
*
/
struct _ETHREAD
*
RotateInProgress;
/
*
0x4E0
*
/
struct _ETHREAD
*
ForkInProgress;
/
*
0x4E8
*
/
struct _EJOB
*
CommitChargeJob;
/
*
0x4F0
*
/
struct _RTL_AVL_TREE CloneRoot;
/
/
1
elements,
0x8
bytes (sizeof)
/
*
0x4F8
*
/
UINT64 NumberOfPrivatePages;
/
*
0x500
*
/
UINT64 NumberOfLockedPages;
/
*
0x508
*
/
VOID
*
Win32Process;
/
*
0x510
*
/
struct _EJOB
*
Job;
/
*
0x518
*
/
VOID
*
SectionObject;
/
*
0x520
*
/
VOID
*
SectionBaseAddress;
/
*
0x528
*
/
ULONG32 Cookie;
/
*
0x52C
*
/
UINT8 _PADDING0_[
0x4
];
/
*
0x530
*
/
struct _PAGEFAULT_HISTORY
*
WorkingSetWatch;
/
*
0x538
*
/
VOID
*
Win32WindowStation;
/
*
0x540
*
/
VOID
*
InheritedFromUniqueProcessId;
/
*
0x548
*
/
UINT64 OwnerProcessId;
/
*
0x550
*
/
struct _PEB
*
Peb;
/
*
0x558
*
/
struct _MM_SESSION_SPACE
*
Session;
/
*
0x560
*
/
VOID
*
Spare1;
/
*
0x568
*
/
struct _EPROCESS_QUOTA_BLOCK
*
QuotaBlock;
/
*
0x570
*
/
struct _HANDLE_TABLE
*
ObjectTable;
/
*
0x578
*
/
VOID
*
DebugPort;
/
*
0x580
*
/
struct _EWOW64PROCESS
*
WoW64Process;
/
*
0x588
*
/
VOID
*
DeviceMap;
/
*
0x590
*
/
VOID
*
EtwDataSource;
/
*
0x598
*
/
UINT64 PageDirectoryPte;
/
*
0x5A0
*
/
struct _FILE_OBJECT
*
ImageFilePointer;
/
*
0x5A8
*
/
UINT8 ImageFileName[
15
];