<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<!-- saved from url=(0071)http://jiurl.cosoft.org.cn/jiurl/document/JiurlPlayWin2k/PsEprocess.htm -->
<HTML><HEAD><TITLE>JIURL Plays with Win2k, Process and Thread Series: EPROCESS</TITLE>
<META content="text/html; charset=gb2312" http-equiv=Content-Type>
<STYLE type=text/css>.title {
FONT-FAMILY: "黑体", Arial, sans-serif; FONT-SIZE: 21px; FONT-WEIGHT: bold; LINE-HEIGHT: 48px; TEXT-DECORATION: none
}
.author {
FONT-FAMILY: "宋体"; FONT-SIZE: 12px; LINE-HEIGHT: 16px
}
.content {
FONT-SIZE: 14px; LINE-HEIGHT: 20px
}
</STYLE>
<META content="MSHTML 5.00.2614.3500" name=GENERATOR></HEAD>
<BODY bgColor=#f7f7f7 topMargin=5>
<DIV align=center>
<CENTER>
<TABLE border=0 cellPadding=0 cellSpacing=0 height=29 width="96%">
<TBODY>
<TR>
<TD class=title height=41 width="100%">
<P align=center><FONT face=宋体>JIURL Plays with Win2k, Process and Thread Series: </FONT><FONT
face=宋体>EPROCESS</FONT></P></TD></TR></CENTER>
<TR>
<TD class=author height=9 width="100%">
<P align=center><FONT face=宋体>Author: <A
href="mailto:jiurl@mail.china.com">JIURL</A> </FONT></P></TD></TR>
<TR>
<TD class=author height=6 width="100%">
<P align=center><FONT
face=宋体>
Homepage: <A href="http://jiurl.yeah.net/">http://jiurl.yeah.net/</A>
</FONT></P></TD></TR>
<TR>
<TD class=author height=2 width="100%">
<P align=center><FONT face=宋体> Date: 2003-7-30</FONT>
</P></TD></TR></TBODY></TABLE></DIV>
<DIV align=center>
<CENTER>
<TABLE border=0 cellPadding=0 cellSpacing=0 height=1 width="96%">
<TBODY>
<TR>
<TD height=1 width="100%">
<HR color=#396da5 SIZE=3>
</TD></TR></TBODY></TABLE></CENTER></DIV>
<DIV align=center>
<TABLE border=0 cellPadding=0 cellSpacing=0 class=content height=4300
width="96%">
<TBODY>
<TR>
<TD height=2132 vAlign=top width="131%">
<P> Every process has an EPROCESS structure, which holds all kinds of information about the process together with pointers to related structures. The EPROCESS structure lives in the system address space, so accessing it requires ring 0 privilege. Using KD (the kernel debugger) from the Win2k DDK we can obtain the definition of the EPROCESS structure. Note that what follows is the EPROCESS structure definition under Win2k Build 2195.<BR><BR>kd> !strct
eprocess<BR>!strct eprocess<BR>struct _EPROCESS (sizeof=648)<BR>+000
struct _KPROCESS Pcb<BR>+000 struct _DISPATCHER_HEADER Header<BR>+000 byte
Type<BR>+001 byte Absolute<BR>+002 byte Size<BR>+003 byte Inserted<BR>+004
int32 SignalState<BR>+008 struct _LIST_ENTRY WaitListHead<BR>+008 struct
_LIST_ENTRY *Flink<BR>+00c struct _LIST_ENTRY *Blink<BR>+010 struct
_LIST_ENTRY ProfileListHead<BR>+010 struct _LIST_ENTRY *Flink<BR>+014
struct _LIST_ENTRY *Blink<BR>+018 uint32 DirectoryTableBase[2]<BR>+020
struct _KGDTENTRY LdtDescriptor<BR>+020 uint16 LimitLow<BR>+022 uint16
BaseLow<BR>+024 union __unnamed9 HighWord<BR>+024 struct __unnamed10
Bytes<BR>+024 byte BaseMid<BR>+025 byte Flags1<BR>+026 byte Flags2<BR>+027
byte BaseHi<BR>+024 struct __unnamed11 Bits<BR>+024 bits0-7
BaseMid<BR>+024 bits8-12 Type<BR>+024 bits13-14 Dpl<BR>+024 bits15-15
Pres<BR>+024 bits16-19 LimitHi<BR>+024 bits20-20 Sys<BR>+024 bits21-21
Reserved_0<BR>+024 bits22-22 Default_Big<BR>+024 bits23-23
Granularity<BR>+024 bits24-31 BaseHi<BR>+028 struct _KIDTENTRY
Int21Descriptor<BR>+028 uint16 Offset<BR>+02a uint16 Selector<BR>+02c
uint16 Access<BR>+02e uint16 ExtendedOffset<BR>+030 uint16
IopmOffset<BR>+032 byte Iopl<BR>+033 byte VdmFlag<BR>+034 uint32
ActiveProcessors<BR>+038 uint32 KernelTime<BR>+03c uint32 UserTime<BR>+040
struct _LIST_ENTRY ReadyListHead<BR>+040 struct _LIST_ENTRY *Flink<BR>+044
struct _LIST_ENTRY *Blink<BR>+048 struct _LIST_ENTRY SwapListEntry<BR>+048
struct _LIST_ENTRY *Flink<BR>+04c struct _LIST_ENTRY *Blink<BR>+050 struct
_LIST_ENTRY ThreadListHead<BR>+050 struct _LIST_ENTRY *Flink<BR>+054
struct _LIST_ENTRY *Blink<BR>+058 uint32 ProcessLock<BR>+05c uint32
Affinity<BR>+060 uint16 StackCount<BR>+062 char BasePriority<BR>+063 char
ThreadQuantum<BR>+064 byte AutoAlignment<BR>+065 byte State<BR>+066 byte
ThreadSeed<BR>+067 byte DisableBoost<BR>+068 byte PowerState<BR>+069 byte
DisableQuantum<BR>+06a byte Spare[2]<BR>+06c int32 ExitStatus<BR>+070
struct _KEVENT LockEvent<BR>+070 struct _DISPATCHER_HEADER Header<BR>+070
byte Type<BR>+071 byte Absolute<BR>+072 byte Size<BR>+073 byte
Inserted<BR>+074 int32 SignalState<BR>+078 struct _LIST_ENTRY
WaitListHead<BR>+078 struct _LIST_ENTRY *Flink<BR>+07c struct _LIST_ENTRY
*Blink<BR>+080 uint32 LockCount<BR>+088 union _LARGE_INTEGER
CreateTime<BR>+088 uint32 LowPart<BR>+08c int32 HighPart<BR>+088 struct
__unnamed3 u<BR>+088 uint32 LowPart<BR>+08c int32 HighPart<BR>+088 int64
QuadPart<BR>+090 union _LARGE_INTEGER ExitTime<BR>+090 uint32
LowPart<BR>+094 int32 HighPart<BR>+090 struct __unnamed3 u<BR>+090 uint32
LowPart<BR>+094 int32 HighPart<BR>+090 int64 QuadPart<BR>+098 struct
_KTHREAD *LockOwner<BR>+09c void *UniqueProcessId<BR>+0a0 struct
_LIST_ENTRY ActiveProcessLinks<BR>+0a0 struct _LIST_ENTRY *Flink<BR>+0a4
struct _LIST_ENTRY *Blink<BR>+0a8 uint32 QuotaPeakPoolUsage[2]<BR>+0b0
uint32 QuotaPoolUsage[2]<BR>+0b8 uint32 PagefileUsage<BR>+0bc uint32
CommitCharge<BR>+0c0 uint32 PeakPagefileUsage<BR>+0c4 uint32
PeakVirtualSize<BR>+0c8 uint32 VirtualSize<BR>+0d0 struct _MMSUPPORT
Vm<BR>+0d0 union _LARGE_INTEGER LastTrimTime<BR>+0d0 uint32
LowPart<BR>+0d4 int32 HighPart<BR>+0d0 struct __unnamed3 u<BR>+0d0 uint32
LowPart<BR>+0d4 int32 HighPart<BR>+0d0 int64 QuadPart<BR>+0d8 uint32
LastTrimFaultCount<BR>+0dc uint32 PageFaultCount<BR>+0e0 uint32
PeakWorkingSetSize<BR>+0e4 uint32 WorkingSetSize<BR>+0e8 uint32
MinimumWorkingSetSize<BR>+0ec uint32 MaximumWorkingSetSize<BR>+0f0
*VmWorkingSetList<BR>+0f4 struct _LIST_ENTRY
WorkingSetExpansionLinks<BR>+0f4 struct _LIST_ENTRY *Flink<BR>+0f8 struct
_LIST_ENTRY *Blink<BR>+0fc byte AllowWorkingSetAdjustment<BR>+0fd byte
AddressSpaceBeingDeleted<BR>+0fe byte ForegroundSwitchCount<BR>+0ff byte
MemoryPriority<BR>+100 union __unnamed13 u<BR>+100 uint32
LongFlags<BR>+100 struct _MMSUPPORT_FLAGS Flags<BR>+100 bits0-0
SessionSpace<BR>+100 bits1-1 BeingTrimmed<BR>+100 bits2-2
ProcessInSession<BR>+100 bits3-3 SessionLeader<BR>+100 bits4-4
TrimHard<BR>+100 bits5-5 WorkingSetHard<BR>+100 bits6-6 WriteWatch<BR>+100
bits7-31 Filler<BR>+104 uint32 Claim<BR>+108 uint32
NextEstimationSlot<BR>+10c uint32 NextAgingSlot<BR>+110 uint32
EstimatedAvailable<BR>+114 uint32 GrowthSinceLastEstimate<BR>+118 struct
_LIST_ENTRY SessionProcessLinks<BR>+118 struct _LIST_ENTRY *Flink<BR>+11c
struct _LIST_ENTRY *Blink<BR>+120 void *DebugPort<BR>+124 void
*ExceptionPort<BR>+128 struct _HANDLE_TABLE *ObjectTable<BR>+12c void
*Token<BR>+130 struct _FAST_MUTEX WorkingSetLock<BR>+130 int32
Count<BR>+134 struct _KTHREAD *Owner<BR>+138 uint32 Contention<BR>+13c
struct _KEVENT Event<BR>+13c struct _DISPATCHER_HEADER Header<BR>+13c byte
Type<BR>+13d byte Absolute<BR>+13e byte Size<BR>+13f byte Inserted<BR>+140
int32 SignalState<BR>+144 struct _LIST_ENTRY WaitListHead<BR>+144 struct
_LIST_ENTRY *Flink<BR>+148 struct _LIST_ENTRY *Blink<BR>+14c uint32
OldIrql<BR>+150 uint32 WorkingSetPage<BR>+154 byte
ProcessOutswapEnabled<BR>+155 byte ProcessOutswapped<BR>+156 byte
AddressSpaceInitialized<BR>+157 byte AddressSpaceDeleted<BR>+158 struct
_FAST_MUTEX AddressCreationLock<BR>+158 int32 Count<BR>+15c struct
_KTHREAD *Owner<BR>+160 uint32 Contention<BR>+164 struct _KEVENT
Event<BR>+164 struct _DISPATCHER_HEADER Header<BR>+164 byte Type<BR>+165
byte Absolute<BR>+166 byte Size<BR>+167 byte Inserted<BR>+168 int32
SignalState<BR>+16c struct _LIST_ENTRY WaitListHead<BR>+16c struct
_LIST_ENTRY *Flink<BR>+170 struct _LIST_ENTRY *Blink<BR>+174 uint32
OldIrql<BR>+178 uint32 HyperSpaceLock<BR>+17c struct _ETHREAD
*ForkInProgress<BR>+180 uint16 VmOperation<BR>+182 byte
ForkWasSuccessful<BR>+183 byte MmAgressiveWsTrimMask<BR>+184 struct
_KEVENT *VmOperationEvent<BR>+188 void *PaeTop<BR>+18c uint32
LastFaultCount<BR>+190 uint32 ModifiedPageCount<BR>+194 void
*VadRoot<BR>+198 void *VadHint<BR>+19c void *CloneRoot<BR>+1a0 uint32
NumberOfPrivatePages<BR>+1a4 uint32 NumberOfLockedPages<BR>+1a8 uint16
NextPageColor<BR>+1aa byte ExitProcessCalled<BR>+1ab byte
CreateProcessReported<BR>+1ac void *SectionHandle<BR>+1b0 struct _PEB
*Peb<BR>+1b4 void *SectionBaseAddress<BR>+1b8 struct _EPROCESS_QUOTA_BLOCK
*QuotaBlock<BR>+1bc int32 LastThreadExitStatus<BR>+1c0 struct
_PAGEFAULT_HISTORY *WorkingSetWatch<BR>+1c4 void
*Win32WindowStation<BR>+1c8 void *InheritedFromUniqueProcessId<BR>+1cc
uint32 GrantedAccess<BR>+1d0 uint32 DefaultHardErrorProcessing<BR>+1d4
void *LdtInformation<BR>+1d8 void *VadFreeHint<BR>+1dc void
*VdmObjects<BR>+1e0 void *DeviceMap<BR>+1e4 uint32 SessionId<BR>+1e8
struct _LIST_ENTRY PhysicalVadList<BR>+1e8 struct _LIST_ENTRY
*Flink<BR>+1ec struct _LIST_ENTRY *Blink<BR>+1f0 struct _HARDWARE_PTE_X86
PageDirectoryPte<BR>+1f0 bits0-0 Valid<BR>+1f0 bits1-1 Write<BR>+1f0
bits2-2 Owner<BR>+1f0 bits3-3 WriteThrough<BR>+1f0 bits4-4
CacheDisable<BR>+1f0 bits5-5 Accessed<BR>+1f0 bits6-6 Dirty<BR>+1f0
bits7-7 LargePage<BR>+1f0 bits8-8 Global<BR>+1f0 bits9-9
CopyOnWrite<BR>+1f0 bits10-10 Prototype<BR>+1f0 bits11-11 reserved<BR>+1f0
bits12-31 PageFrameNumber<BR>+1f0 uint64 Filler<BR>+1f8 uint32
PaePageDirectoryPage<BR>+1fc byte ImageFileName[16]<BR>+20c uint32
VmTrimFaultValue<BR>+210 byte SetTimerResolution<BR>+211 byte
PriorityClass<BR>+212 byte SubSystemMinorVersion<BR>+213 byte
SubSystemMajorVersion<BR>+212 uint16 SubSystemVersion<BR>+214 void
*Win32Process<BR>+218 struct _EJOB *Job<BR>+21c uint32 JobStatus<BR>+220
struct _LIST_ENTRY JobLinks<BR>+220 struct _LIST_ENTRY *Flink<BR>+224
struct _LIST_ENTRY *Blink<BR>+228 void *LockedPagesList<BR>+22c void
*SecurityPort<BR>+230 struct _WOW64_PROCESS *Wow64Process<BR>+238 union
_LARGE_INTEGER ReadOperationCount<BR>+238 uint32 LowPart<BR>+23c int32
HighPart<BR>+238 struct __unnamed3 u<BR>+238 uint32 LowPart<BR>+23c int32
HighPart<BR>+238 int64 QuadPart<BR>+240 union _LARGE_INTEGER
WriteOperationCount<BR>+240 uint32 LowPart<BR>+244 int32 HighPart<BR>+240
struct __unnamed3 u<BR>+240 uint32 LowPart<BR>+244 int32 HighPart<BR>+240
int64 QuadPart<BR>+248 union _LARGE_INTEGER OtherOperationCount<BR>+248
uint32 LowPart<BR>+24c int32 HighPart<BR>+248 struct __unnamed3 u<BR>+248
uint32 LowPart<BR>+24c int32 HighPart<BR>+248 int64 QuadPart<BR>+250 union
_LARGE_INTEGER ReadTransferCount<BR>+250 uint32 LowPart<BR>+254 int32
HighPart<BR>+250 struct __unnamed3 u<BR>+250 uint32 LowPart<BR>+254 int32
HighPart<BR>+250 int64 QuadPart<BR>+258 union _LARGE_INTEGER
WriteTransferCount<BR>+258 uint32 LowPart<BR>+25c int32 HighPart<BR>+258
struct __unnamed3 u<BR>+258 uint32 LowPart<BR>+25c int32 HighPart<BR>+258
int64 QuadPart<BR>+260 union _LARGE_INTEGER OtherTransferCount<BR>+260
uint32 LowPart<BR>+264 int32 HighPart<BR>+260 struct __unnamed3 u<BR>+260
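<P>The offsets in the dump above are exactly what a memory-forensics tool needs to enumerate processes from a raw Win2k memory image without any help from the live kernel: follow the circular ActiveProcessLinks list (in the running kernel it starts at nt!PsActiveProcessHead), subtract the +0a0 offset from each node to reach the containing EPROCESS, then read UniqueProcessId at +09c and ImageFileName at +1fc. The Python script below is an added example, not code from JIURL's page or from the Win2k DDK: it parses a handful of the !strct lines shown above to obtain the offsets, builds a small constructed memory image (the base address 0x81000000, the list head location, and the process entries, PIDs and names are all made up for the demo) and walks the list. On every step it checks that the node's Blink points back at the node it came from, so a corrupted list, or an entry that was unlinked without its neighbours being repaired, is reported rather than silently skipped.</P>

```python
"""Walk the Win2k ActiveProcessLinks list in a constructed memory image.

Added example, not part of JIURL's page. Offsets come from the !strct
eprocess dump (Win2k Build 2195) on the page; the image base address,
process entries, PIDs and names below are constructed for the demo.
"""
import re
import struct

# A handful of lines copied from the KD dump above, enough to derive the offsets.
STRCT_DUMP = """\
+09c void *UniqueProcessId
+0a0 struct _LIST_ENTRY ActiveProcessLinks
+12c void *Token
+1b0 struct _PEB *Peb
+1fc byte ImageFileName[16]
"""

# "+0a0 struct _LIST_ENTRY ActiveProcessLinks" -> offset, type, name, optional [count]
FIELD_RE = re.compile(r"^\+([0-9a-f]{3})\s+(.+?)\s+\*?(\w+)(?:\[(\d+)\])?$")

IMAGE_BASE = 0x81000000      # constructed: where the fake dump is mapped
PAGE = 0x1000


def parse_strct(text):
    """Map field name -> (offset, declared type, element count) from !strct lines."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            off, typ, name, count = m.groups()
            fields[name] = (int(off, 16), typ, int(count) if count else 1)
    return fields


class MemoryImage:
    """Flat little-endian byte buffer standing in for a kernel memory dump."""

    def __init__(self, base, size):
        self.base = base
        self.buf = bytearray(size)

    def _off(self, addr, n):
        if not (self.base <= addr and addr + n <= self.base + len(self.buf)):
            raise ValueError("address 0x%x outside image" % addr)
        return addr - self.base

    def read(self, addr, n):
        off = self._off(addr, n)
        return bytes(self.buf[off:off + n])

    def read_u32(self, addr):
        return struct.unpack_from("<I", self.buf, self._off(addr, 4))[0]

    def write(self, addr, data):
        off = self._off(addr, len(data))
        self.buf[off:off + len(data)] = data

    def write_u32(self, addr, value):
        struct.pack_into("<I", self.buf, self._off(addr, 4), value)


def build_image(fields, procs, head_addr):
    """Constructed image: one EPROCESS per page, chained through ActiveProcessLinks."""
    img = MemoryImage(IMAGE_BASE, PAGE * (len(procs) + 1))
    links = fields["ActiveProcessLinks"][0]
    bases = [IMAGE_BASE + i * PAGE for i in range(len(procs))]
    for base, (pid, name) in zip(bases, procs):
        img.write_u32(base + fields["UniqueProcessId"][0], pid)
        img.write(base + fields["ImageFileName"][0], name.encode().ljust(16, b"\0")[:16])
    # Circular doubly linked list: head -> p0 -> p1 -> ... -> head, Blink in reverse.
    nodes = [head_addr] + [b + links for b in bases]
    for i, node in enumerate(nodes):
        img.write_u32(node, nodes[(i + 1) % len(nodes)])       # Flink
        img.write_u32(node + 4, nodes[(i - 1) % len(nodes)])   # Blink
    return img


def walk_active_processes(img, fields, head_addr):
    """Return [(EPROCESS address, pid, image name)] by following Flink from the head.

    Each node's Blink must point back at the node we came from; a list that
    fails this check (unlinked entry, corruption) raises instead of being skipped.
    """
    links = fields["ActiveProcessLinks"][0]
    pid_off = fields["UniqueProcessId"][0]
    name_off, _, name_len = fields["ImageFileName"]
    result, seen = [], set()
    prev, node = head_addr, img.read_u32(head_addr)
    while node != head_addr:
        if node in seen:
            raise ValueError("ActiveProcessLinks cycles back to 0x%x" % node)
        if img.read_u32(node + 4) != prev:
            raise ValueError("Blink of 0x%x does not point at 0x%x" % (node, prev))
        seen.add(node)
        eproc = node - links        # CONTAINING_RECORD(node, EPROCESS, ActiveProcessLinks)
        raw = img.read(eproc + name_off, name_len)
        name = raw.split(b"\0", 1)[0].decode("ascii", "replace")
        result.append((eproc, img.read_u32(eproc + pid_off), name))
        prev, node = node, img.read_u32(node)
    return result


# Constructed sample list: PIDs and names are made up.
SAMPLE_PROCS = [(8, "System"), (172, "smss.exe"), (200, "csrss.exe")]
FIELDS = parse_strct(STRCT_DUMP)
HEAD_ADDR = IMAGE_BASE + PAGE * len(SAMPLE_PROCS)   # stands in for nt!PsActiveProcessHead
IMAGE = build_image(FIELDS, SAMPLE_PROCS, HEAD_ADDR)

if __name__ == "__main__":
    for addr, pid, name in walk_active_processes(IMAGE, FIELDS, HEAD_ADDR):
        print("EPROCESS 0x%08x  pid %4d  %s" % (addr, pid, name))
```

<P>The walk yields the three constructed entries in list order. Two caveats a practitioner should keep in mind: the offsets are specific to Build 2195, as the page says, so a real tool has to select a layout per kernel build; and a list walk only sees entries that are still linked, which is why memory-forensics tools cross-check it against other sources rather than trusting ActiveProcessLinks alone.</P>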