- : kd> dt _EPROCESS
- nt!_EPROCESS
- +0x000 Pcb : _KPROCESS
- +0x2e0 ProcessLock : _EX_PUSH_LOCK
- +0x2e8 UniqueProcessId : Ptr64 Void
- +0x2f0 ActiveProcessLinks : _LIST_ENTRY
- +0x300 RundownProtect : _EX_RUNDOWN_REF
- +0x308 Flags2 : Uint4B
- +0x308 JobNotReallyActive : Pos 0, 1 Bit
- +0x308 AccountingFolded : Pos 1, 1 Bit
- +0x308 NewProcessReported : Pos 2, 1 Bit
- +0x308 ExitProcessReported : Pos 3, 1 Bit
- +0x308 ReportCommitChanges : Pos 4, 1 Bit
- +0x308 LastReportMemory : Pos 5, 1 Bit
- +0x308 ForceWakeCharge : Pos 6, 1 Bit
- +0x308 CrossSessionCreate : Pos 7, 1 Bit
- +0x308 NeedsHandleRundown : Pos 8, 1 Bit
- +0x308 RefTraceEnabled : Pos 9, 1 Bit
- +0x308 PicoCreated : Pos 10, 1 Bit
- +0x308 EmptyJobEvaluated : Pos 11, 1 Bit
- +0x308 DefaultPagePriority : Pos 12, 3 Bits
- +0x308 PrimaryTokenFrozen : Pos 15, 1 Bit
- +0x308 ProcessVerifierTarget : Pos 16, 1 Bit
- +0x308 RestrictSetThreadContext : Pos 17, 1 Bit
- +0x308 AffinityPermanent : Pos 18, 1 Bit
- +0x308 AffinityUpdateEnable : Pos 19, 1 Bit
- +0x308 PropagateNode : Pos 20, 1 Bit
- +0x308 ExplicitAffinity : Pos 21, 1 Bit
- +0x308 ProcessExecutionState : Pos 22, 2 Bits
- +0x308 EnableReadVmLogging : Pos 24, 1 Bit
- +0x308 EnableWriteVmLogging : Pos 25, 1 Bit
- +0x308 FatalAccessTerminationRequested : Pos 26, 1 Bit
- +0x308 DisableSystemAllowedCpuSet : Pos 27, 1 Bit
- +0x308 ProcessStateChangeRequest : Pos 28, 2 Bits
- +0x308 ProcessStateChangeInProgress : Pos 30, 1 Bit
- +0x308 InPrivate : Pos 31, 1 Bit
- +0x30c Flags : Uint4B
- +0x30c CreateReported : Pos 0, 1 Bit
- +0x30c NoDebugInherit : Pos 1, 1 Bit
- +0x30c ProcessExiting : Pos 2, 1 Bit
- +0x30c ProcessDelete : Pos 3, 1 Bit
- +0x30c ManageExecutableMemoryWrites : Pos 4, 1 Bit
- +0x30c VmDeleted : Pos 5, 1 Bit
- +0x30c OutswapEnabled : Pos 6, 1 Bit
- +0x30c Outswapped : Pos 7, 1 Bit
- +0x30c FailFastOnCommitFail : Pos 8, 1 Bit
- +0x30c Wow64VaSpace4Gb : Pos 9, 1 Bit
- +0x30c AddressSpaceInitialized : Pos 10, 2 Bits
- +0x30c SetTimerResolution : Pos 12, 1 Bit
- +0x30c BreakOnTermination : Pos 13, 1 Bit
- +0x30c DeprioritizeViews : Pos 14, 1 Bit
- +0x30c WriteWatch : Pos 15, 1 Bit
- +0x30c ProcessInSession : Pos 16, 1 Bit
- +0x30c OverrideAddressSpace : Pos 17, 1 Bit
- +0x30c HasAddressSpace : Pos 18, 1 Bit
- +0x30c LaunchPrefetched : Pos 19, 1 Bit
- +0x30c Background : Pos 20, 1 Bit
- +0x30c VmTopDown : Pos 21, 1 Bit
- +0x30c ImageNotifyDone : Pos 22, 1 Bit
- +0x30c PdeUpdateNeeded : Pos 23, 1 Bit
- +0x30c VdmAllowed : Pos 24, 1 Bit
- +0x30c ProcessRundown : Pos 25, 1 Bit
- +0x30c ProcessInserted : Pos 26, 1 Bit
- +0x30c DefaultIoPriority : Pos 27, 3 Bits
- +0x30c ProcessSelfDelete : Pos 30, 1 Bit
- +0x30c SetTimerResolutionLink : Pos 31, 1 Bit
- +0x310 CreateTime : _LARGE_INTEGER
- +0x318 ProcessQuotaUsage : [2] Uint8B
- +0x328 ProcessQuotaPeak : [2] Uint8B
- +0x338 PeakVirtualSize : Uint8B
- +0x340 VirtualSize : Uint8B
- +0x348 SessionProcessLinks : _LIST_ENTRY
- +0x358 ExceptionPortData : Ptr64 Void
- +0x358 ExceptionPortValue : Uint8B
- +0x358 ExceptionPortState : Pos 0, 3 Bits
- +0x360 Token : _EX_FAST_REF
- +0x368 MmReserved : Uint8B
- +0x370 AddressCreationLock : _EX_PUSH_LOCK
- +0x378 PageTableCommitmentLock : _EX_PUSH_LOCK
- +0x380 RotateInProgress : Ptr64 _ETHREAD
- +0x388 ForkInProgress : Ptr64 _ETHREAD
- +0x390 CommitChargeJob : Ptr64 _EJOB
- +0x398 CloneRoot : _RTL_AVL_TREE
- +0x3a0 NumberOfPrivatePages : Uint8B
- +0x3a8 NumberOfLockedPages : Uint8B
- +0x3b0 Win32Process : Ptr64 Void
- +0x3b8 Job : Ptr64 _EJOB
- +0x3c0 SectionObject : Ptr64 Void
- +0x3c8 SectionBaseAddress : Ptr64 Void
- +0x3d0 Cookie : Uint4B
- +0x3d8 WorkingSetWatch : Ptr64 _PAGEFAULT_HISTORY
- +0x3e0 Win32WindowStation : Ptr64 Void
- +0x3e8 InheritedFromUniqueProcessId : Ptr64 Void
- +0x3f0 OwnerProcessId : Uint8B
- +0x3f8 Peb : Ptr64 _PEB
- +0x400 Session : Ptr64 _MM_SESSION_SPACE
- +0x408 Spare1 : Ptr64 Void
- +0x410 QuotaBlock : Ptr64 _EPROCESS_QUOTA_BLOCK
- +0x418 ObjectTable : Ptr64 _HANDLE_TABLE
- +0x420 DebugPort : Ptr64 Void
- +0x428 WoW64Process : Ptr64 _EWOW64PROCESS
- +0x430 DeviceMap : Ptr64 Void
- +0x438 EtwDataSource : Ptr64 Void
- +0x440 PageDirectoryPte : Uint8B
- +0x448 ImageFilePointer : Ptr64 _FILE_OBJECT
- +0x450 ImageFileName : [15] UChar
- +0x45f PriorityClass : UChar
- +0x460 SecurityPort : Ptr64 Void
- +0x468 SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO
- +0x470 JobLinks : _LIST_ENTRY
- +0x480 HighestUserAddress : Ptr64 Void
- +0x488 ThreadListHead : _LIST_ENTRY
- +0x498 ActiveThreads : Uint4B
- +0x49c ImagePathHash : Uint4B
- +0x4a0 DefaultHardErrorProcessing : Uint4B
- +0x4a4 LastThreadExitStatus : Int4B
- +0x4a8 PrefetchTrace : _EX_FAST_REF
- +0x4b0 LockedPagesList : Ptr64 Void
- +0x4b8 ReadOperationCount : _LARGE_INTEGER
- +0x4c0 WriteOperationCount : _LARGE_INTEGER
- +0x4c8 OtherOperationCount : _LARGE_INTEGER
- +0x4d0 ReadTransferCount : _LARGE_INTEGER
- +0x4d8 WriteTransferCount : _LARGE_INTEGER
- +0x4e0 OtherTransferCount : _LARGE_INTEGER
- +0x4e8 CommitChargeLimit : Uint8B
- +0x4f0 CommitCharge : Uint8B
- +0x4f8 CommitChargePeak : Uint8B
- +0x500 Vm : _MMSUPPORT_FULL
- +0x640 MmProcessLinks : _LIST_ENTRY
- +0x650 ModifiedPageCount : Uint4B
- +0x654 ExitStatus : Int4B
- +0x658 VadRoot : _RTL_AVL_TREE
- +0x660 VadHint : Ptr64 Void
- +0x668 VadCount : Uint8B
- +0x670 VadPhysicalPages : Uint8B
- +0x678 VadPhysicalPagesLimit : Uint8B
- +0x680 AlpcContext : _ALPC_PROCESS_CONTEXT
- +0x6a0 TimerResolutionLink : _LIST_ENTRY
- +0x6b0 TimerResolutionStackRecord : Ptr64 _PO_DIAG_STACK_RECORD
- +0x6b8 RequestedTimerResolution : Uint4B
- +0x6bc SmallestTimerResolution : Uint4B
- +0x6c0 ExitTime : _LARGE_INTEGER
- +0x6c8 InvertedFunctionTable : Ptr64 _INVERTED_FUNCTION_TABLE
- +0x6d0 InvertedFunctionTableLock : _EX_PUSH_LOCK
- +0x6d8 ActiveThreadsHighWatermark : Uint4B
- +0x6dc LargePrivateVadCount : Uint4B
- +0x6e0 ThreadListLock : _EX_PUSH_LOCK
- +0x6e8 WnfContext : Ptr64 Void
- +0x6f0 ServerSilo : Ptr64 _EJOB
- +0x6f8 SignatureLevel : UChar
- +0x6f9 SectionSignatureLevel : UChar
- +0x6fa Protection : _PS_PROTECTION
- +0x6fb HangCount : Pos 0, 3 Bits
- +0x6fb GhostCount : Pos 3, 3 Bits
- +0x6fb PrefilterException : Pos 6, 1 Bit
- +0x6fc Flags3 : Uint4B
- +0x6fc Minimal : Pos 0, 1 Bit
- +0x6fc ReplacingPageRoot : Pos 1, 1 Bit
- +0x6fc Crashed : Pos 2, 1 Bit
- +0x6fc JobVadsAreTracked : Pos 3, 1 Bit
- +0x6fc VadTrackingDisabled : Pos 4, 1 Bit
- +0x6fc AuxiliaryProcess : Pos 5, 1 Bit
- +0x6fc SubsystemProcess : Pos 6, 1 Bit
- +0x6fc IndirectCpuSets : Pos 7, 1 Bit
- +0x6fc RelinquishedCommit : Pos 8, 1 Bit
- +0x6fc HighGraphicsPriority : Pos 9, 1 Bit
- +0x6fc CommitFailLogged : Pos 10, 1 Bit
- +0x6fc ReserveFailLogged : Pos 11, 1 Bit
- +0x6fc SystemProcess : Pos 12, 1 Bit
- +0x6fc HideImageBaseAddresses : Pos 13, 1 Bit
- +0x6fc AddressPolicyFrozen : Pos 14, 1 Bit
- +0x6fc ProcessFirstResume : Pos 15, 1 Bit
- +0x6fc ForegroundExternal : Pos 16, 1 Bit
- +0x6fc ForegroundSystem : Pos 17, 1 Bit
- +0x6fc HighMemoryPriority : Pos 18, 1 Bit
- +0x6fc EnableProcessSuspendResumeLogging : Pos 19, 1 Bit
- +0x6fc EnableThreadSuspendResumeLogging : Pos 20, 1 Bit
- +0x6fc SecurityDomainChanged : Pos 21, 1 Bit
- +0x6fc SecurityFreezeComplete : Pos 22, 1 Bit
- +0x6fc VmProcessorHost : Pos 23, 1 Bit
- +0x700 DeviceAsid : Int4B
- +0x708 SvmData : Ptr64 Void
- +0x710 SvmProcessLock : _EX_PUSH_LOCK
- +0x718 SvmLock : Uint8B
- +0x720 SvmProcessDeviceListHead : _LIST_ENTRY
- +0x730 LastFreezeInterruptTime : Uint8B
- +0x738 DiskCounters : Ptr64 _PROCESS_DISK_COUNTERS
- +0x740 PicoContext : Ptr64 Void
- +0x748 EnclaveTable : Ptr64 Void
- +0x750 EnclaveNumber : Uint8B
- +0x758 EnclaveLock : _EX_PUSH_LOCK
- +0x760 HighPriorityFaultsAllowed : Uint4B
- +0x768 EnergyContext : Ptr64 _PO_PROCESS_ENERGY_CONTEXT
- +0x770 VmContext : Ptr64 Void
- +0x778 SequenceNumber : Uint8B
- +0x780 CreateInterruptTime : Uint8B
- +0x788 CreateUnbiasedInterruptTime : Uint8B
- +0x790 TotalUnbiasedFrozenTime : Uint8B
- +0x798 LastAppStateUpdateTime : Uint8B
- +0x7a0 LastAppStateUptime : Pos 0, 61 Bits
- +0x7a0 LastAppState : Pos 61, 3 Bits
- +0x7a8 SharedCommitCharge : Uint8B
- +0x7b0 SharedCommitLock : _EX_PUSH_LOCK
- +0x7b8 SharedCommitLinks : _LIST_ENTRY
- +0x7c8 AllowedCpuSets : Uint8B
- +0x7d0 DefaultCpuSets : Uint8B
- +0x7c8 AllowedCpuSetsIndirect : Ptr64 Uint8B
- +0x7d0 DefaultCpuSetsIndirect : Ptr64 Uint8B
- +0x7d8 DiskIoAttribution : Ptr64 Void
- +0x7e0 DxgProcess : Ptr64 Void
- +0x7e8 Win32KFilterSet : Uint4B
- +0x7f0 ProcessTimerDelay : _PS_INTERLOCKED_TIMER_DELAY_VALUES
- +0x7f8 KTimerSets : Uint4B
- +0x7fc KTimer2Sets : Uint4B
- +0x800 ThreadTimerSets : Uint4B
- +0x808 VirtualTimerListLock : Uint8B
- +0x810 VirtualTimerListHead : _LIST_ENTRY
- +0x820 WakeChannel : _WNF_STATE_NAME
- +0x820 WakeInfo : _PS_PROCESS_WAKE_INFORMATION
- +0x850 MitigationFlags : Uint4B
- +0x850 MitigationFlagsValues : <anonymous-tag>
- +0x854 MitigationFlags2 : Uint4B
- +0x854 MitigationFlags2Values : <anonymous-tag>
- +0x858 PartitionObject : Ptr64 Void
- +0x860 SecurityDomain : Uint8B
- +0x868 ParentSecurityDomain : Uint8B
- +0x870 CoverageSamplerContext : Ptr64 Void
- +0x878 MmHotPatchContext : Ptr64 Void
- //------------------------------------------------------------
- kd> dt _EPROCESS
- nt!_EPROCESS
- +0x000 Pcb : _KPROCESS 内嵌的内核层进程结构体
- +0x2e0 ProcessLock : _EX_PUSH_LOCK 推锁(push lock 并非自旋锁) 用于保护EPROCESS数据成员的同步
- +0x2e8 UniqueProcessId : Ptr64 Void 进程的唯一PID
- +0x2f0 ActiveProcessLinks : _LIST_ENTRY 双向链表 当前系统活动的所有进程 全局表头 PsActiveProcessHead 注意 DKOM 类 rootkit 可将节点从此链表摘除以隐藏进程 取证枚举时应与句柄表 线程链表或池扫描结果交叉比对
- +0x300 RundownProtect : _EX_RUNDOWN_REF 进程的停止保护锁 当进程最后被销毁时 要等到其他进程和线程释放了此锁才可以继续
- +0x308 Flags2 : Uint4B
- +0x308 JobNotReallyActive : Pos 0, 1 Bit 作业(Job)并非真正活动
- +0x308 AccountingFolded : Pos 1, 1 Bit 记账已折叠
- +0x308 NewProcessReported : Pos 2, 1 Bit 新进程已报告
- +0x308 ExitProcessReported : Pos 3, 1 Bit 已报告退出过程
- +0x308 ReportCommitChanges : Pos 4, 1 Bit 报告并提交更改
- +0x308 LastReportMemory : Pos 5, 1 Bit 上次报告内存
- +0x308 ForceWakeCharge : Pos 6, 1 Bit 强制唤醒
- +0x308 CrossSessionCreate : Pos 7, 1 Bit 跨会话创建
- +0x308 NeedsHandleRundown : Pos 8, 1 Bit 需要进行句柄清理(rundown)
- +0x308 RefTraceEnabled : Pos 9, 1 Bit Ref跟踪已启用
- +0x308 PicoCreated : Pos 10, 1 Bit Pico创建
- +0x308 EmptyJobEvaluated : Pos 11, 1 Bit 已评估空作业
- +0x308 DefaultPagePriority : Pos 12, 3 Bits 默认页面优先级
- +0x308 PrimaryTokenFrozen : Pos 15, 1 Bit 主令牌已冻结 (置位后不再允许替换进程主令牌)
- +0x308 ProcessVerifierTarget : Pos 16, 1 Bit 进程验证目标
- +0x308 RestrictSetThreadContext : Pos 17, 1 Bit 限制设置线程上下文
- +0x308 AffinityPermanent : Pos 18, 1 Bit 永久亲和力
- +0x308 AffinityUpdateEnable : Pos 19, 1 Bit 关联更新启用
- +0x308 PropagateNode : Pos 20, 1 Bit 传播节点
- +0x308 ExplicitAffinity : Pos 21, 1 Bit 显式亲和力
- +0x308 ProcessExecutionState : Pos 22, 2 Bits 进程执行状态
- +0x308 EnableReadVmLogging : Pos 24, 1 Bit 启用ReadVm日志记录
- +0x308 EnableWriteVmLogging : Pos 25, 1 Bit 启用WriteVm日志记录
- +0x308 FatalAccessTerminationRequested : Pos 26, 1 Bit 请求终止FatalAccess
- +0x308 DisableSystemAllowedCpuSet : Pos 27, 1 Bit 禁用系统允许的Cpu集
- +0x308 ProcessStateChangeRequest : Pos 28, 2 Bits 处理状态更改请求
- +0x308 ProcessStateChangeInProgress : Pos 30, 1 Bit 进程状态更改正在进行中
- +0x308 InPrivate : Pos 31, 1 Bit 隐私模式
- +0x30c Flags : Uint4B 进程的标志位
- +0x30c CreateReported : Pos 0, 1 Bit 创建报告
- +0x30c NoDebugInherit : Pos 1, 1 Bit 子进程不继承调试端口
- +0x30c ProcessExiting : Pos 2, 1 Bit 进程退出
- +0x30c ProcessDelete : Pos 3, 1 Bit 进程删除 *拒绝应用层结束但是可以自己关闭
- +0x30c ManageExecutableMemoryWrites : Pos 4, 1 Bit *管理是否可执行内存写入
- +0x30c VmDeleted : Pos 5, 1 Bit 进程虚拟地址空间已删除 (Vm 指虚拟内存 非虚拟机)
- +0x30c OutswapEnabled : Pos 6, 1 Bit 已启用Outswap
- +0x30c Outswapped : Pos 7, 1 Bit 已换出
- +0x30c FailFastOnCommitFail : Pos 8, 1 Bit 提交(commit)内存失败时快速失败
- +0x30c Wow64VaSpace4Gb : Pos 9, 1 Bit Wow64 Va空间4Gb
- +0x30c AddressSpaceInitialized : Pos 10, 2 Bits 地址空间已初始化
- +0x30c SetTimerResolution : Pos 12, 1 Bit 设置计时器分辨率
- +0x30c BreakOnTermination : Pos 13, 1 Bit 进程终止时触发 bugcheck (关键进程标志 对应 ProcessBreakOnTermination 信息类)
- +0x30c DeprioritizeViews : Pos 14, 1 Bit 降低节(section)视图页面的优先级
- +0x30c WriteWatch : Pos 15, 1 Bit 写监视
- +0x30c ProcessInSession : Pos 16, 1 Bit 进程会话
- +0x30c OverrideAddressSpace : Pos 17, 1 Bit 覆盖地址空间
- +0x30c HasAddressSpace : Pos 18, 1 Bit 有地址空间
- +0x30c LaunchPrefetched : Pos 19, 1 Bit 启动预取
- +0x30c Background : Pos 20, 1 Bit 后台进程
- +0x30c VmTopDown : Pos 21, 1 Bit 虚拟内存自顶向下分配
- +0x30c ImageNotifyDone : Pos 22, 1 Bit 图像通知完成
- +0x30c PdeUpdateNeeded : Pos 23, 1 Bit 需要Pde更新
- +0x30c VdmAllowed : Pos 24, 1 Bit 允许Vdm
- +0x30c ProcessRundown : Pos 25, 1 Bit 进程正在清理(rundown)
- +0x30c ProcessInserted : Pos 26, 1 Bit 插入的进程
- +0x30c DefaultIoPriority : Pos 27, 3 Bits 默认 I/O 优先级
- +0x30c ProcessSelfDelete : Pos 30, 1 Bit 进程自删除
- +0x30c SetTimerResolutionLink : Pos 31, 1 Bit 已加入计时器分辨率链表
- +0x310 CreateTime : _LARGE_INTEGER 进程创建时间
- +0x318 ProcessQuotaUsage : [2] Uint8B 进程的内存使用量 其中的元素分别对应分页内存池 非分页内存池 交换文件中的内存使用情况
- +0x328 ProcessQuotaPeak : [2] Uint8B 进程的尖峰使用量 其中的元素分别对应分页内存池 非分页内存池 交换文件中的内存使用情况
- +0x338 PeakVirtualSize : Uint8B 进程的虚拟内存大小的尖峰值
- +0x340 VirtualSize : Uint8B 进程的虚拟内存大小
- +0x348 SessionProcessLinks : _LIST_ENTRY 双向链表 当进程加入到系统会话中时 SessionProcessLinks作为一个节点加入到系统会话进程链表中
- +0x358 ExceptionPortData : Ptr64 Void 异常端口数据
- +0x358 ExceptionPortValue : Uint8B
- +0x358 ExceptionPortState : Pos 0, 3 Bits
- +0x360 Token : _EX_FAST_REF 指向该进程主访问令牌(_TOKEN)的快速引用 低位为引用计数 取对象指针时需屏蔽低位 该字段被篡改为指向 SYSTEM 令牌是内核提权的常见手法 取证时应核对
- +0x368 MmReserved : Uint8B
- +0x370 AddressCreationLock : _EX_PUSH_LOCK 进程的守护互斥体锁 用于保护对地址空间的操作
- +0x378 PageTableCommitmentLock : _EX_PUSH_LOCK
- +0x380 RotateInProgress : Ptr64 _ETHREAD
- +0x388 ForkInProgress : Ptr64 _ETHREAD 指向正在复制地址空间的那个线程 只有在复制地址空间时此域才有值 其它时刻为NULL
- +0x390 CommitChargeJob : Ptr64 _EJOB
- +0x398 CloneRoot : _RTL_AVL_TREE 指向一个平衡树的根 当进程地址空间复制时 此树被创建 知道进程死亡
- +0x3a0 NumberOfPrivatePages : Uint8B 进程私有页面的数量
- +0x3a8 NumberOfLockedPages : Uint8B 被锁住的页面数量
- +0x3b0 Win32Process : Ptr64 Void 指向由Windows子系统管理的进程区域
- +0x3b8 Job : Ptr64 _EJOB
- +0x3c0 SectionObject : Ptr64 Void 进程的内存区对象
- +0x3c8 SectionBaseAddress : Ptr64 Void 内存区对象的基址
- +0x3d0 Cookie : Uint4B ;该进程的随机值
- +0x3d8 WorkingSetWatch : Ptr64 _PAGEFAULT_HISTORY 监视进程的页面错误
- +0x3e0 Win32WindowStation : Ptr64 Void ;进程所属的窗口站句柄
- +0x3e8 InheritedFromUniqueProcessId : Ptr64 Void 父进程的标识符
- +0x3f0 OwnerProcessId : Uint8B
-
- +0x3f8 Peb : Ptr64 _PEB 指向用户模式的Peb
- +0x400 Session : Ptr64 _MM_SESSION_SPACE
- +0x408 Spare1 : Ptr64 Void
- +0x410 QuotaBlock : Ptr64 _EPROCESS_QUOTA_BLOCK;指向进程的配额快
- +0x418 ObjectTable : Ptr64 _HANDLE_TABLE 进程的句柄表
- +0x420 DebugPort : Ptr64 Void 调试端口 进程被调试时非 NULL (NtQueryInformationProcess 的 ProcessDebugPort 信息类据此返回 常被用作反调试检查)
- +0x428 WoW64Process : Ptr64 _EWOW64PROCESS
- +0x430 DeviceMap : Ptr64 Void 指向进程使用的设备表
- +0x438 EtwDataSource : Ptr64 Void Etw数据源
- +0x440 PageDirectoryPte : Uint8B 顶级页目录页面的页表项
- +0x448 ImageFilePointer : Ptr64 _FILE_OBJECT 指向进程映像的文件对象
- +0x450 ImageFileName : [15] UChar ;进程的映像名称 仅保留前 15 个字符 不含路径 且可被篡改 不应作为安全判定依据 完整路径见 SeAuditProcessCreationInfo
- +0x45f PriorityClass : UChar ;进程的优先级程度
- +0x460 SecurityPort : Ptr64 Void ;指向该进程与lsass进程之间的跨进程通信端口
- +0x468 SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO ;创建进程时 指定的进程映像全路径名称 ImageFileName从中提取进程名
- +0x470 JobLinks : _LIST_ENTRY 双向链表 所有工作中的进程链表
- +0x480 HighestUserAddress : Ptr64 Void
- +0x488 ThreadListHead : _LIST_ENTRY 双向链表 进程中的所有线程
- +0x498 ActiveThreads : Uint4B 记录了当前进程有多少个活动线程 当该值等于0时 所有线程退出 进程随之退出
- +0x49c ImagePathHash : Uint4B
- +0x4a0 DefaultHardErrorProcessing : Uint4B 默认的硬件错误处理
- +0x4a4 LastThreadExitStatus : Int4B 进程的最后一个线程的退出状态
- +0x4a8 PrefetchTrace : _EX_FAST_REF 指向与该进程关联的预取痕迹结构
- +0x4b0 LockedPagesList : Ptr64 Void 指向LOCK_HEAD 该结构包含一个链表头 系统通过它知晓哪些物理页面被锁住
- +0x4b8 ReadOperationCount : _LARGE_INTEGER 记录进程NtReadFile被调用的次数
- +0x4c0 WriteOperationCount : _LARGE_INTEGER 记录进程NtWriteFile被调用的次数
- +0x4c8 OtherOperationCount : _LARGE_INTEGER 记录了除了读和写其他的Io服务被调用的次数
- +0x4d0 ReadTransferCount : _LARGE_INTEGER 记录了Io读操作完成的次数
- +0x4d8 WriteTransferCount : _LARGE_INTEGER 记录了Io写操作完成的次数
- +0x4e0 OtherTransferCount : _LARGE_INTEGER 记录了Io非读写操作完成的次数
- +0x4e8 CommitChargeLimit : Uint8B 已提交页面数量的限制值
- +0x4f0 CommitCharge : Uint8B 虚拟内存已提交的页面数量
- +0x4f8 CommitChargePeak : Uint8B 尖峰时刻已提交的页面数量
- +0x500 Vm : _MMSUPPORT_FULL 虚拟内存管理的重要结构
- +0x640 MmProcessLinks : _LIST_ENTRY 双向链表 指向所有拥有地址空间的进程
- +0x650 ModifiedPageCount : Uint4B 记录了进程中已修改页面的数量
- +0x654 ExitStatus : Int4B 退出状态
- +0x658 VadRoot : _RTL_AVL_TREE Vad根
- +0x660 VadHint : Ptr64 Void
- +0x668 VadCount : Uint8B
- +0x670 VadPhysicalPages : Uint8B Vad物理页面
- +0x678 VadPhysicalPagesLimit : Uint8B
- +0x680 AlpcContext : _ALPC_PROCESS_CONTEXT ALPC(高级本地过程调用)进程上下文
- +0x6a0 TimerResolutionLink : _LIST_ENTRY
- +0x6b0 TimerResolutionStackRecord : Ptr64 _PO_DIAG_STACK_RECORD
- +0x6b8 RequestedTimerResolution : Uint4B 请求的计时器分辨率
- +0x6bc SmallestTimerResolution : Uint4B 最小定时器分辨率
- +0x6c0 ExitTime : _LARGE_INTEGER 进程退出时间
- +0x6c8 InvertedFunctionTable : Ptr64 _INVERTED_FUNCTION_TABLE
- +0x6d0 InvertedFunctionTableLock : _EX_PUSH_LOCK
- +0x6d8 ActiveThreadsHighWatermark : Uint4B 活动线程高水印
- +0x6dc LargePrivateVadCount : Uint4B 大型私有 VAD 数量
- +0x6e0 ThreadListLock : _EX_PUSH_LOCK 线程列表锁
- +0x6e8 WnfContext : Ptr64 Void Wnf上下文
- +0x6f0 ServerSilo : Ptr64 _EJOB 所属服务器 Silo (容器隔离单元 以 _EJOB 表示)
- +0x6f8 SignatureLevel : UChar 进程映像的签名级别
- +0x6f9 SectionSignatureLevel : UChar 加载到该进程的节(DLL)所需的签名级别
- +0x6fa Protection : _PS_PROTECTION 进程保护级别 (PP/PPL 由 Type/Audit/Signer 位域组成) 决定其他进程能否获得其句柄 内核驱动清零该字段是绕过 PPL 的常见手法 取证时应关注
- +0x6fb HangCount : Pos 0, 3 Bits
- +0x6fb GhostCount : Pos 3, 3 Bits
- +0x6fb PrefilterException : Pos 6, 1 Bit
- +0x6fc Flags3 : Uint4B
- +0x6fc Minimal : Pos 0, 1 Bit 最小的
- +0x6fc ReplacingPageRoot : Pos 1, 1 Bit 替换页面根目录
- +0x6fc Crashed : Pos 2, 1 Bit 进程已崩溃
- +0x6fc JobVadsAreTracked : Pos 3, 1 Bit 跟踪工作VAD
- +0x6fc VadTrackingDisabled : Pos 4, 1 Bit 禁用Vad跟踪
- +0x6fc AuxiliaryProcess : Pos 5, 1 Bit 辅助过程
- +0x6fc SubsystemProcess : Pos 6, 1 Bit 子系统进程
- +0x6fc IndirectCpuSets : Pos 7, 1 Bit 间接 CPU 集 (使用 *CpuSetsIndirect 指针)
- +0x6fc RelinquishedCommit : Pos 8, 1 Bit 已放弃提交内存
- +0x6fc HighGraphicsPriority : Pos 9, 1 Bit 高图形优先级
- +0x6fc CommitFailLogged : Pos 10, 1 Bit 提交失败日志
- +0x6fc ReserveFailLogged : Pos 11, 1 Bit 保留失败日志
- +0x6fc SystemProcess : Pos 12, 1 Bit 系统进程
- +0x6fc HideImageBaseAddresses : Pos 13, 1 Bit 隐藏映像基址
- +0x6fc AddressPolicyFrozen : Pos 14, 1 Bit 地址策略冻结
- +0x6fc ProcessFirstResume : Pos 15, 1 Bit 进程首次恢复
- +0x6fc ForegroundExternal : Pos 16, 1 Bit 前景外部
- +0x6fc ForegroundSystem : Pos 17, 1 Bit 前景系统
- +0x6fc HighMemoryPriority : Pos 18, 1 Bit 高内存优先级
- +0x6fc EnableProcessSuspendResumeLogging : Pos 19, 1 Bit 启用进程挂起恢复日志记录
- +0x6fc EnableThreadSuspendResumeLogging : Pos 20, 1 Bit
- +0x6fc SecurityDomainChanged : Pos 21, 1 Bit 安全域已更改
- +0x6fc SecurityFreezeComplete : Pos 22, 1 Bit
- +0x6fc VmProcessorHost : Pos 23, 1 Bit 虚拟机处理器主机
- +0x700 DeviceAsid : Int4B 设备 ASID (地址空间标识符)
- +0x708 SvmData : Ptr64 Void SVM (共享虚拟内存 非支持向量机) 数据
- +0x710 SvmProcessLock : _EX_PUSH_LOCK SVM 进程锁
- +0x718 SvmLock : Uint8B SVM 锁
- +0x720 SvmProcessDeviceListHead : _LIST_ENTRY
- +0x730 LastFreezeInterruptTime : Uint8B 上次冻结中断时间
- +0x738 DiskCounters : Ptr64 _PROCESS_DISK_COUNTERS 磁盘计数器
- +0x740 PicoContext : Ptr64 Void Pico 进程 (如 WSL1) 上下文
- +0x748 EnclaveTable : Ptr64 Void 进程 enclave (安全飞地) 表
- +0x750 EnclaveNumber : Uint8B
- +0x758 EnclaveLock : _EX_PUSH_LOCK
- +0x760 HighPriorityFaultsAllowed : Uint4B
- +0x768 EnergyContext : Ptr64 _PO_PROCESS_ENERGY_CONTEXT
- +0x770 VmContext : Ptr64 Void
- +0x778 SequenceNumber : Uint8B 序列号
- +0x780 CreateInterruptTime : Uint8B 创建中断时间
- +0x788 CreateUnbiasedInterruptTime : Uint8B
- +0x790 TotalUnbiasedFrozenTime : Uint8B 总无偏冻结时间
- +0x798 LastAppStateUpdateTime : Uint8B 上次AppState更新时间
- +0x7a0 LastAppStateUptime : Pos 0, 61 Bits
- +0x7a0 LastAppState : Pos 61, 3 Bits 上次应用程序状态
- +0x7a8 SharedCommitCharge : Uint8B 共享提交费用
- +0x7b0 SharedCommitLock : _EX_PUSH_LOCK 共享提交锁
- +0x7b8 SharedCommitLinks : _LIST_ENTRY
- +0x7c8 AllowedCpuSets : Uint8B
- +0x7d0 DefaultCpuSets : Uint8B
- +0x7c8 AllowedCpuSetsIndirect : Ptr64 Uint8B
- +0x7d0 DefaultCpuSetsIndirect : Ptr64 Uint8B
- +0x7d8 DiskIoAttribution : Ptr64 Void
- +0x7e0 DxgProcess : Ptr64 Void
- +0x7e8 Win32KFilterSet : Uint4B
- +0x7f0 ProcessTimerDelay : _PS_INTERLOCKED_TIMER_DELAY_VALUES 进程计时器延迟
- +0x7f8 KTimerSets : Uint4B
- +0x7fc KTimer2Sets : Uint4B
- +0x800 ThreadTimerSets : Uint4B
- +0x808 VirtualTimerListLock : Uint8B
- +0x810 VirtualTimerListHead : _LIST_ENTRY
- +0x820 WakeChannel : _WNF_STATE_NAME
- +0x820 WakeInfo : _PS_PROCESS_WAKE_INFORMATION 唤醒信息
- +0x850 MitigationFlags : Uint4B 进程漏洞利用缓解策略位 (如 DEP ASLR CFG 等)
- +0x850 MitigationFlagsValues : <anonymous-tag> 上述标志的位域视图 可在 WinDbg 中展开查看各位含义
- +0x854 MitigationFlags2 : Uint4B 第二组缓解策略位
- +0x854 MitigationFlags2Values : <anonymous-tag> 第二组标志的位域视图
- +0x858 PartitionObject : Ptr64 Void
- +0x860 SecurityDomain : Uint8B 安全域标识
- +0x868 ParentSecurityDomain : Uint8B 父安全域
- +0x870 CoverageSamplerContext : Ptr64 Void
- +0x878 MmHotPatchContext : Ptr64 Void Mm热补丁上下文