EPROCESS:NT进程的核心
作者:陆麟
转载请征得作者同意.
2000.7.28


内核类的文章沉寂了好长一段时间,再度开写.今天写的乃是未公开的WIN2000的EPROCESS结构.
EPROCESS乃是NT进程的核心.该结构定义了所有进程相关的数据.知道了该结构,NT的核心机密就公开了一半.下面乃是我于7.26挖到凌晨的奥秘.:)))看哪.大补啊.:DDD
该结构仅在英文WIN2000零售版上验证通过.如果以后WIN2000有了SERVICE PACK,并不保证兼容.使用者请自己注意.

/*
 * Kernel dispatcher object header.  On this page it is only used embedded in
 * EPROCESS as LockEvent (annotated offset 0x70); the next annotated field,
 * LockCount, sits at 0x80, so the author's layout treats this header as 16
 * bytes: 4 x UCHAR + LONG + an 8-byte LIST_ENTRY (two 32-bit pointers).
 * LIST_ENTRY, UCHAR and LONG are not declared on this page.
 */
typedef struct _DISPATCHER_HEADER {
    UCHAR Type;               /* dispatcher object type -- inferred from the name; confirm */
    UCHAR Absolute;
    UCHAR Size;
    UCHAR Inserted;
    LONG SignalState;         /* signal state of the object; the encoding is not given here */
    LIST_ENTRY WaitListHead;  /* head of the wait list -- presumably threads waiting on the object; confirm */
} DISPATCHER_HEADER;

/*
 * First part of an object-table entry (used by OBJTBL below).
 * The three bit-fields total 16 bits; this page does not say what the rest
 * of a 32-bit entry holds, so the 14-bit width of pobj is unverified --
 * NOTE(review): confirm against the handle-table layout of the target build.
 * `protected` is a C++ keyword, so this header compiles as C only.
 * Bit-field order and packing are implementation-defined.
 */
typedef struct _FIRSTPART_OBJ{
    unsigned inheritable : 1;  /* handle is inheritable -- inferred from the name; confirm */
    unsigned protected :1;     /* handle is protected (from close?) -- inferred from the name; confirm */
    unsigned pobj :14;         /* object pointer bits; see the width note above */
}FIRSTPART_OBJ;

/*
 * One object-table (handle-table) entry as the author reconstructed it.
 * EPROCESS.ObjectTable (annotated offset 0x128) is declared as POBJTBL.
 * Because FIRSTPART_OBJ is a bit-field struct, sizeof(OBJTBL) and the entry
 * stride are compiler dependent -- do not derive the table stride from this
 * typedef without checking it on the target build.
 */
typedef struct _OBJTBL{
    FIRSTPART_OBJ firstpart_obj;  /* flags + object pointer bits (see FIRSTPART_OBJ) */
    DWORD access_control_mask;    /* rights granted to this handle -- inferred from the name; confirm */
}OBJTBL,*POBJTBL;

/*
 * Virtual address descriptor: a node of the per-process VAD tree whose root
 * is EPROCESS.VadRoot (annotated offset 0x194).  ParentLink/LeftLink/RightLink
 * make this a binary tree, presumably ordered by address range; whether the
 * tree is balanced is not stated on this page.  ULONG is not declared here.
 */
typedef struct vad {
 void *StartingAddress;   /* first address of the described range */
 void *EndingAddress;     /* last address of the range; inclusive vs. exclusive is not stated here */
 struct vad *ParentLink;  /* parent node (presumably NULL at the root -- confirm) */
 struct vad *LeftLink;    /* left child */
 struct vad *RightLink;   /* right child */
 ULONG Flags;             /* per-range flags; bit meanings are not given on this page */
}VAD, *PVAD;

/*
 * EPROCESS as reconstructed by the author for the English Windows 2000 retail
 * build (see the caveat above: no compatibility with later service packs is
 * promised).  The trailing //0x.. comments are the author's observed field
 * offsets and are the authoritative part of this listing.  The declared member
 * types do NOT always reproduce those offsets -- see the NOTE(review) comments
 * at 0xa8, 0x1aa, 0x1f0 and 0x1fc -- so do not rely on sizeof/offsetof of this
 * typedef; use the annotated offsets and verify them against the target build.
 * UNKNOW/UNKNOWN byte runs are placeholders for bytes the author did not decode.
 * Several member types (KPCB, LIST_ENTRY, HANDLE, PTOKEN, PPEB, PLDT_ENTRY,
 * PPROCESS_DEVICEMAP_INFORMATION, UINT, WORD, BYTE, DWORD) are not declared on
 * this page, and __int64 is an MSVC extension.
 */
typedef struct{
    struct KPCB Pcb;   //0x0  -- kernel process block; the 0x6c offset of the next field implies sizeof(struct KPCB) == 0x6c
    INT ExitStatus;   //0x6c
    DISPATCHER_HEADER LockEvent; //0x70  (16 bytes, see DISPATCHER_HEADER)
    __int64 LockCount;   //0x80
    __int64 CreateTime;   //0x88
    __int64 ExitTime;   //0x90
    UINT LockOwner;   //0x98
    UINT UniqueProcessId;  //0x9c  -- process id
    LIST_ENTRY ActiveProcessLinks; //0xa0  -- links into the list of active processes (inferred from the name; confirm)
    /* NOTE(review): [0] declares a zero-length array (a compiler extension that
     * occupies no storage), so as written the two quota fields contribute 0
     * bytes.  The annotations step 0xa8 -> 0xb0 -> 0xb8, i.e. 8 bytes each.
     * Confirm the intended element type and count before using these members. */
    __int64 QuotaPeakPoolUsage[0]; //0xa8
    __int64 QuotaPoolUsage[0];  //0xb0
    UINT PagefileUsage;   //0xb8
    UINT CommitCharge;   //0xbc
    UINT PeakPagefileUsage;  //0xc0
    UINT PeakVirtualSize;  //0xc4
    UINT VirtualSize;   //0xc8  (0xcc-0xcf is alignment padding before the 8-byte Vm)
    __int64 Vm;    //0xd0
    BYTE UNKNOW[0x48];   //0xd8  -- undecoded; 0xd8 + 0x48 == 0x120
    HANDLE DebugPort;   //0x120  -- declared HANDLE here, ExceptionPort below as UINT; the page gives no reason for the difference
    UINT ExceptionPort;   //0x124
    POBJTBL ObjectTable;  //0x128  -- handle table of the process (see OBJTBL)
    PTOKEN Token;   //0x12c  -- security token of the process (inferred from the name; type not declared here)
    BYTE WorkingSetLock[0x20];  //0x130  -- opaque 0x20-byte lock; 0x130 + 0x20 == 0x150
    UINT WorkingSetPage;  //0x150
    BYTE ProcessOutswapEnabled;  //0x154
    BYTE ProcessOutswapped;  //0x155
    BYTE AddressSpaceInitialized; //0x156
    BYTE AddressSpaceDeleted;  //0x157
    BYTE AddressCreationLock;  //0x158
    BYTE UNKNOWN2[0x23];  //0x159  -- undecoded; 0x159 + 0x23 == 0x17c
    UINT ForkInProgress;  //0x17c
    WORD VmOperation;   //0x180
    WORD ForkWasSuccessful;  //0x182
    UINT VmOperationEvent;  //0x184
    UINT LastFaultCount;  //0x188
    BYTE UNKNOW3[8];   //0x18c  -- undecoded; 0x18c + 8 == 0x194
    PVAD VadRoot;   //0x194  -- root of the VAD tree (see VAD)
    UINT VadHint;   //0x198
    UINT CloneRoot;   //0x19c
    UINT NumberOfPrivatePages;  //0x1a0
    UINT NumberOfLockedPages;  //0x1a4
    /* NOTE(review): 0x1a8-0x1a9 are not accounted for -- the previous field
     * ends at 0x1a8 but the next annotation is 0x1aa.  The declaration as
     * written places ExitProcessCalled at 0x1a8, not 0x1aa. */
    BYTE ExitProcessCalled;  //0x1aa
    BYTE CreateProcessReported;  //0x1ab
    HANDLE SectionHandle;  //0x1ac
    PPEB Peb;    //0x1b0  -- user-mode process environment block pointer (type not declared here)
    PVOID SectionBaseAddress;  //0x1b4
    UINT QuotaBlock;   //0x1b8
    UINT LastThreadExitStatus;  //0x1bc
    PVOID WorkingSetWatch;  //0x1c0
    PVOID Win32WindowStation;  //0x1c4
    UINT InheritedFromUniqueProcessId; //0x1c8  -- parent process id (inferred from the name; confirm)
    UINT GrantedAccess;   //0x1cc
    UINT DefaultHardErrorProcessing; //0x1d0
    PLDT_ENTRY LdtInformation;  //0x1d4
    UINT VadFreeHint;   //0x1d8
    PVOID VdmObjects;   //0x1dc
    /* NOTE(review): a 4-byte pointer at 0x1e0 ends at 0x1e4, yet the next
     * annotation is 0x1f0 (0xc bytes unaccounted for); likewise PageDirectoryPte
     * at 0x1f0 ends at 0x1f4 but ImageFileName is annotated 0x1fc (8 bytes
     * unaccounted for).  Either these members are larger than declared or
     * fields are missing; the declaration does not reproduce the annotations. */
    PPROCESS_DEVICEMAP_INFORMATION DeviceMap;//0x1e0
    DWORD *PageDirectoryPte;  //0x1f0
    WORD *ImageFileName;  //0x1fc  -- declared as a pointer here; whether the name is stored inline or by pointer is not established on this page
    BYTE UNKNOWN4[0xc];   //200  (presumably 0x200 == 0x1fc + 4; 0x200 + 0xc == 0x20c)
    __int64 VmTrimFaultValue;  //0x20c
    PVOID Win32Process;   //0x214
}EPROCESS,*PEPROCESS;