WINDOWS kernel data structure _EPROCESS
Came across the WINDOWS _EPROCESS structure by chance; sharing it with everyone.
typedef struct _EPROCESS {
    KPROCESS Pcb;
    NTSTATUS ExitStatus;
    KEVENT LockEvent;
    ULONG LockCount;
    LARGE_INTEGER CreateTime;
    LARGE_INTEGER ExitTime;
    PKTHREAD LockOwner;
    ULONG UniqueProcessId;
    LIST_ENTRY ActiveProcessLinks;
    ULONGLONG QuotaPeakPoolUsage;
    ULONGLONG QuotaPoolUsage;
    ULONG PagefileUsage;
    ULONG CommitCharge;
    ULONG PeakPagefileUsage;
    ULONG PeakVirtualSize;
    ULONGLONG VirtualSize;
    MMSUPPORT Vm;
#if (_WIN32_WINNT < 0x0500)
    ULONG LastProtoPteFault;
#else // (_WIN32_WINNT >= 0x0500)
    LIST_ENTRY SessionProcessLinks;
#endif // (_WIN32_WINNT >= 0x0500)
    ULONG DebugPort;
    ULONG ExceptionPort;
    PHANDLE_TABLE ObjectTable;
    PACCESS_TOKEN Token;
    FAST_MUTEX WorkingSetLock;
    ULONG WorkingSetPage;
    BOOLEAN ProcessOutswapEnabled;
    BOOLEAN ProcessOutswapped;
    BOOLEAN AddressSpaceInitialized;
    BOOLEAN AddressSpaceDeleted;
    FAST_MUTEX AddressCreationLock;
    KSPIN_LOCK HyperSpaceLock;
    PETHREAD ForkInProgress;
    USHORT VmOperation;
    BOOLEAN ForkWasSuccessful;
    UCHAR MmAgressiveWsTrimMask;
    PKEVENT VmOperationEvent;
#if (_WIN32_WINNT < 0x0500)
    HARDWARE_PTE PageDirectoryPte;
#else // (_WIN32_WINNT >= 0x0500)
    PVOID PaeTop;
#endif // (_WIN32_WINNT >= 0x0500)
    ULONG LastFaultCount;
    ULONG ModifiedPageCount;
    PVOID VadRoot;
    PVOID VadHint;
    ULONG CloneRoot;
    ULONG NumberOfPrivatePages;
    ULONG NumberOfLockedPages;
    USHORT NextPageColor;
    BOOLEAN ExitProcessCalled;
    BOOLEAN CreateProcessReported;
    HANDLE SectionHandle;
    PPEB Peb;
    PVOID SectionBaseAddress;
    PEPROCESS_QUOTA_BLOCK QuotaBlock;
    NTSTATUS LastThreadExitStatus;
    PPROCESS_WS_WATCH_INFORMATION WorkingSetWatch;
    HANDLE Win32WindowStation;
    HANDLE InheritedFromUniqueProcessId;
    ACCESS_MASK GrantedAccess;
    ULONG DefaultHardErrorProcessing;
    PVOID LdtInformation;
    PVOID VadFreeHint;
    PVOID VdmObjects;
#if (_WIN32_WINNT < 0x0500)
    KMUTANT ProcessMutant;
#else // (_WIN32_WINNT >= 0x0500)
    PVOID DeviceMap;
    ULONG SessionId;
    LIST_ENTRY PhysicalVadList;
    HARDWARE_PTE PageDirectoryPte;
    ULONG Filler;
    ULONG PaePageDirectoryPage;
#endif // (_WIN32_WINNT >= 0x0500)
    UCHAR ImageFileName[16];
    ULONG VmTrimFaultValue;
    UCHAR SetTimerResolution;
    UCHAR PriorityClass;
    union {
        struct {
            UCHAR SubSystemMinorVersion;
            UCHAR SubSystemMajorVersion;
        };
        USHORT SubSystemVersion;
    };
    PVOID Win32Process;
#if (_WIN32_WINNT >= 0x0500)
    PEJOB Job;
    ULONG JobStatus;
    LIST_ENTRY JobLinks;
    PVOID LockedPageList;
    PVOID SecurityPort;
    PWOW64_PROCESS Wow64Process;
    LARGE_INTEGER ReadOperationCount;
    LARGE_INTEGER WriteOperationCount;
    LARGE_INTEGER OtherOperationCount;
    LARGE_INTEGER ReadTransferCount;
    LARGE_INTEGER WriteTransferCount;
    LARGE_INTEGER OtherTransferCount;
    ULONG CommitChargeLimit;
    ULONG CommitChargePeek;
    LIST_ENTRY ThreadListHead;
    PRTL_BITMAP VadPhysicalPagesBitMap;
    ULONG VadPhysicalPages;
    ULONG AweLock;
#endif // (_WIN32_WINNT >= 0x0500)
} EPROCESS, *PEPROCESS;
Reply #1
Posted on: 2002-04-02 19:06
Thanks!
Reply #2
Posted on: 2002-04-03 08:55
Thank you!
Reply #3
Posted on: 2002-04-03 10:55
Which header file in the DDK defines it?
I can't find it. Also, I used

    PEPROCESS pProcess;
    pProcess = PsGetCurrentProcess();
    DbgPrint( "GetCurrentProcess-> ID: 0x%08x, ImageFileName: %s", pProcess->UniqueProcessId, pProcess->ImageFileName );

so why does it say those two variables are not members of the PEPROCESS structure?
Reply #4
Posted on: 2002-04-03 13:35
fracker: you first need to add this structure definition to your own source code; the DDK does not define it.
Also, this data structure is tied to the operating system version; it differs between different versions of Windows (especially when you consider future versions of Windows).
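The version dependence pointed out in the reply above shows up directly in the posted declaration: its `#if (_WIN32_WINNT ...)` branches change which members precede ImageFileName, the very field the DbgPrint call earlier in the thread reads, so a definition compiled for the wrong target reads the wrong bytes. The Python below is an added example, not code from this thread; it runs a minimal preprocessor over a constructed excerpt of the declaration and lists the members each target sees (member positions only, not byte offsets, since the excerpt omits most fields and all type sizes).

```python
import re

# Constructed excerpt of the _EPROCESS declaration posted in this thread; only
# members around the #if (_WIN32_WINNT ...) branches are kept.
EPROCESS_SRC = """
typedef struct _EPROCESS {
    KPROCESS Pcb; NTSTATUS ExitStatus; ULONG UniqueProcessId; MMSUPPORT Vm;
#if (_WIN32_WINNT < 0x0500)
    ULONG LastProtoPteFault;
#else // (_WIN32_WINNT >= 0x0500)
    LIST_ENTRY SessionProcessLinks;
#endif // (_WIN32_WINNT >= 0x0500)
    PKEVENT VmOperationEvent; ULONG LastFaultCount; PVOID VdmObjects;
#if (_WIN32_WINNT < 0x0500)
    KMUTANT ProcessMutant;
#else // (_WIN32_WINNT >= 0x0500)
    PVOID DeviceMap; ULONG SessionId; HARDWARE_PTE PageDirectoryPte;
#endif // (_WIN32_WINNT >= 0x0500)
    UCHAR ImageFileName[16]; UCHAR PriorityClass;
#if (_WIN32_WINNT >= 0x0500)
    PEJOB Job; ULONG JobStatus;
#endif // (_WIN32_WINNT >= 0x0500)
} EPROCESS, *PEPROCESS;
"""
DIRECTIVE = re.compile(r"^\s*#(if|else|endif)\b(.*)$")
COND = re.compile(r"_WIN32_WINNT\s*(<|>=)\s*(0x[0-9A-Fa-f]+)")
MEMBER = re.compile(r"([A-Za-z_]\w*)\s*(?:\[\d+\])?\s*;")  # 'Name;' or 'Name[16];'


def eprocess_members(src, win32_winnt):
    """Members, in declaration order, seen by a build with this _WIN32_WINNT value.
    A minimal preprocessor: only the '<' / '>=' tests the declaration uses."""
    stack, members = [], []  # stack: one 'branch taken?' flag per open #if
    for line in src.splitlines():
        d = DIRECTIVE.match(line)
        if d and d.group(1) == "if":
            op, val = COND.search(d.group(2)).groups()
            limit = int(val, 16)
            stack.append(win32_winnt < limit if op == "<" else win32_winnt >= limit)
        elif d and d.group(1) == "else":
            stack[-1] = not stack[-1]
        elif d:  # endif
            stack.pop()
        elif all(stack) and not line.lstrip().startswith("}"):  # skip the typedef tail
            members += MEMBER.findall(line)
    return members


def version_differences(src):
    """Members only in the NT4 (0x0400) build, and only in the Windows 2000 (0x0500) build."""
    nt4, w2k = set(eprocess_members(src, 0x0400)), set(eprocess_members(src, 0x0500))
    return sorted(nt4 - w2k), sorted(w2k - nt4)
```

In the excerpt, ImageFileName is the 10th member for an NT4 target but the 12th for Windows 2000, which is why a definition pulled from one release cannot simply be reused on another.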
Reply #5
Posted on: 2002-04-03 14:23
fracker: you first need to add this structure definition to your own source code; the DDK does not define it.
I see, thank you. Unfortunately I didn't start this thread, so I have no way to give you points.
Reply #6
Posted on: 2002-04-03 15:22
After putting this structure into my program, why can't I find where KPROCESS is declared?
Reply #7
Posted on: 2002-04-03 15:30
Oh, I found it, they are all in ntifs.h. Microsoft is really damn crap; if I hadn't installed the IFS KIT, would I never have found it?
Reply #8
Posted on: 2002-04-03 20:43
Which OS does this structure belong to? (WIN98/NT/2000/XP)
Reply #9
Posted on: 2004-05-21 14:03
How did the original poster find this data structure? What method did you use?
Reply #10
Posted on: 2004-05-23 18:04
Yes, where did the original poster find this structure? That place must be good, worth a visit.