哪儿有_eprocess 的完整结构体,可以直接在ddk里使用的,ddk里好像没有导出这个结构体
哪儿有_eprocess 的完整结构体,可以直接在ddk里使用的,ddk里好像没有导出这个结构体,谢谢大家了。
发布于:2009-01-26 16:21
关于EPROCESS和ETHREAD的定义
在SOURCE.CODE.MICROSOFT.WINDOWS.2000.AND.NT4-BTDE\windows_2000_source_code\win2k\private\ntos\inc\ps.h 头文件中可以找到如下定义:

// NOTE(review): The two typedefs below are the Windows 2000 layout from the
// ps.h header named above, not a contract with the DDK. Neither EPROCESS nor
// ETHREAD is exported by the DDK precisely because field order, sizes and
// offsets change between kernel versions and service packs; the structure
// headers even tell maintainers to update the kernel debugger when a field
// is removed. A driver that compiles this definition in and dereferences
// members directly will read or write the wrong offsets on any other build,
// corrupting kernel memory or crashing the machine. Prefer the exported
// accessor functions where one exists (PsGetProcessId and friends on XP and
// later), or resolve the offset for the running build at load time (the
// kernel debugger's `dt nt!_EPROCESS` shows it from symbols); never
// hard-code the offsets from this listing.

// Process structure.
//
// If you remove a field from this structure, please also
// remove the reference to it from within the kernel debugger
// (nt\private\sdktools\ntsd\ntkext.c)
//
typedef struct _EPROCESS {
    KPROCESS Pcb;                       // kernel-layer process block; must stay the first member
    NTSTATUS ExitStatus;
    KEVENT LockEvent;
    ULONG LockCount;
    LARGE_INTEGER CreateTime;
    LARGE_INTEGER ExitTime;
    PKTHREAD LockOwner;
    HANDLE UniqueProcessId;             // the PID, stored as a HANDLE-sized value
    LIST_ENTRY ActiveProcessLinks;      // links this process into the system-wide active process list
    //
    // Quota Fields
    //
    SIZE_T QuotaPeakPoolUsage[2];
    SIZE_T QuotaPoolUsage[2];
    SIZE_T PagefileUsage;
    SIZE_T CommitCharge;
    SIZE_T PeakPagefileUsage;
    //
    // VmCounters
    //
    SIZE_T PeakVirtualSize;
    SIZE_T VirtualSize;
    MMSUPPORT Vm;
    LIST_ENTRY SessionProcessLinks;
    PVOID DebugPort;
    PVOID ExceptionPort;
    PHANDLE_TABLE ObjectTable;          // the process handle table
    //
    // Security
    //
    PACCESS_TOKEN Token;                // This field must never be null
    //
    FAST_MUTEX WorkingSetLock;
    PFN_NUMBER WorkingSetPage;
    BOOLEAN ProcessOutswapEnabled;
    BOOLEAN ProcessOutswapped;
    UCHAR AddressSpaceInitialized;
    BOOLEAN AddressSpaceDeleted;
    FAST_MUTEX AddressCreationLock;
    KSPIN_LOCK HyperSpaceLock;
    struct _ETHREAD *ForkInProgress;
    USHORT VmOperation;
    UCHAR ForkWasSuccessful;
    UCHAR MmAgressiveWsTrimMask;
    PKEVENT VmOperationEvent;
    PVOID PaeTop;
    ULONG LastFaultCount;
    ULONG ModifiedPageCount;
    PVOID VadRoot;
    PVOID VadHint;
    PVOID CloneRoot;
    PFN_NUMBER NumberOfPrivatePages;
    PFN_NUMBER NumberOfLockedPages;
    USHORT NextPageColor;
    BOOLEAN ExitProcessCalled;
    //
    // Used by Debug Subsystem
    //
    BOOLEAN CreateProcessReported;
    HANDLE SectionHandle;
    //
    // Peb
    //
    PPEB Peb;                           // user-mode address; only valid while attached to this process
    PVOID SectionBaseAddress;
    PEPROCESS_QUOTA_BLOCK QuotaBlock;
    NTSTATUS LastThreadExitStatus;
    PPAGEFAULT_HISTORY WorkingSetWatch;
    HANDLE Win32WindowStation;
    HANDLE InheritedFromUniqueProcessId;   // parent PID at creation time
    ACCESS_MASK GrantedAccess;
    ULONG DefaultHardErrorProcessing;
    PVOID LdtInformation;
    PVOID VadFreeHint;
    PVOID VdmObjects;
    PVOID DeviceMap;
    //
    // Id of the Hydra session in which this process is running
    //
    ULONG SessionId;
    LIST_ENTRY PhysicalVadList;
    union {
        HARDWARE_PTE PageDirectoryPte;
        ULONGLONG Filler;
    };
    ULONG PaePageDirectoryPage;
    // NOTE(review): only 16 bytes, so longer image names are truncated here;
    // do not base name-matching policy on this field alone — confirm against
    // the running build.
    UCHAR ImageFileName[16];
    ULONG VmTrimFaultValue;
    BOOLEAN SetTimerResolution;
    UCHAR PriorityClass;
    union {
        struct {
            UCHAR SubSystemMinorVersion;
            UCHAR SubSystemMajorVersion;
        };
        USHORT SubSystemVersion;        // overlays the two UCHARs above
    };
    PVOID Win32Process;
    struct _EJOB *Job;
    ULONG JobStatus;
    LIST_ENTRY JobLinks;
    PVOID LockedPagesList;
    //
    // Used by rdr/security for authentication
    //
    PVOID SecurityPort;
    PWOW64_PROCESS Wow64Process;
    LARGE_INTEGER ReadOperationCount;
    LARGE_INTEGER WriteOperationCount;
    LARGE_INTEGER OtherOperationCount;
    LARGE_INTEGER ReadTransferCount;
    LARGE_INTEGER WriteTransferCount;
    LARGE_INTEGER OtherTransferCount;
    SIZE_T CommitChargeLimit;
    SIZE_T CommitChargePeak;
    LIST_ENTRY ThreadListHead;          // head of the process's ETHREAD.ThreadListEntry list
    PRTL_BITMAP VadPhysicalPagesBitMap;
    ULONG_PTR VadPhysicalPages;
    KSPIN_LOCK AweLock;
} EPROCESS;

// Thread structure (same version caveat as EPROCESS above).
typedef struct _ETHREAD {
    KTHREAD Tcb;                        // kernel-layer thread block; must stay the first member
    union {
        //
        // The fact that this is a union means that all accesses to CreateTime
        // must be sanitized using the two macros above.
        //
        // NOTE(review): the "two macros above" live in the original ps.h and
        // are not reproduced in this listing; the low bits of CreateTime are
        // shared with the bitfields below.
        //
        LARGE_INTEGER CreateTime;
        //
        // These fields are accessed only by the owning thread, but can be
        // accessed from within a special kernel APC so IRQL protection must
        // be applied.
        //
        struct {
            unsigned NestedFaultCount : 2;
            unsigned ApcNeeded : 1;
        };
    };
    union {
        LARGE_INTEGER ExitTime;
        LIST_ENTRY LpcReplyChain;
    };
    union {
        NTSTATUS ExitStatus;
        PVOID OfsChain;
    };
    //
    // Registry
    //
    LIST_ENTRY PostBlockList;
    LIST_ENTRY TerminationPortList;     // also used as reaper links
    KSPIN_LOCK ActiveTimerListLock;
    LIST_ENTRY ActiveTimerListHead;
    CLIENT_ID Cid;                      // process id + thread id pair
    //
    // Lpc
    //
    KSEMAPHORE LpcReplySemaphore;
    PVOID LpcReplyMessage;              // -> Message that contains the reply
    ULONG LpcReplyMessageId;            // MessageId this thread is waiting for reply to
    //
    // Security
    //
    //
    // Client - If non null, indicates the thread is impersonating
    // a client.
    //
    ULONG PerformanceCountLow;
    PPS_IMPERSONATION_INFORMATION ImpersonationInfo;
    //
    // Io
    //
    LIST_ENTRY IrpList;
    //
    // File Systems
    //
    ULONG_PTR TopLevelIrp;              // either NULL, an Irp or a flag defined in FsRtl.h
    struct _DEVICE_OBJECT *DeviceToVerify;
    //
    // Mm
    //
    ULONG ReadClusterSize;
    BOOLEAN ForwardClusterOnly;
    BOOLEAN DisablePageFaultClustering;
    BOOLEAN DeadThread;
    BOOLEAN HideFromDebugger;
    ULONG HasTerminated;
    //
    // Client/server
    //
    ACCESS_MASK GrantedAccess;
    PEPROCESS ThreadsProcess;           // owning process
    PVOID StartAddress;
    union {
        PVOID Win32StartAddress;
        ULONG LpcReceivedMessageId;
    };
    BOOLEAN LpcExitThreadCalled;
    BOOLEAN HardErrorsAreDisabled;
    BOOLEAN LpcReceivedMsgIdValid;
    BOOLEAN ActiveImpersonationInfo;    // set when ImpersonationInfo is in use
    LONG PerformanceCountHigh;
    LIST_ENTRY ThreadListEntry;         // entry in the owning EPROCESS.ThreadListHead list
} ETHREAD;