Структуры ядра
От: Аноним  
Дата: 16.09.06 11:01
Оценка:
Подскажите, где можно найти описание структур EPROCESS, KPROCESS и ETHREAD для Windows 2000, XP и 2003.
Поиск по Интернету ничего не дал.
Есть книга Шрайбера, но там описание только для Win2k и не все структуры описаны на 100% верно.

Заранее спасибо.
Re: Структуры ядра для 2k3
От: __INFINITE Россия  
Дата: 16.09.06 16:51
Оценка: 7 (2)
Здравствуйте, Аноним, Вы писали:

А>Подскажите, где можно найти описание структур EPROCESS, KPROCESS и ETHREAD для Windows 2000, XP и 2003.
А>Поиск по Интернету ничего не дал.
А>Есть книга Шрайбера, но там описание только для Win2k и не все структуры описаны на 100% верно.

А>Заранее спасибо.

Лови. Однажды было дело сам искал... Мне один человек дал — у него исходники были... А вообще, сами исходники, говорят, гуляют в p2p сетях — надо бы поискать.

typedef struct _EPROCESS {
    KPROCESS Pcb;

    //
    // Lock used to protect:
    // The list of threads in the process.
    // Process token.
    // Win32 process field.
    // Process and thread affinity setting.
    //

    EX_PUSH_LOCK ProcessLock;

    LARGE_INTEGER CreateTime;
    LARGE_INTEGER ExitTime;

    //
    // Structure to allow lock free cross process access to the process
    // handle table, process section and address space. Acquire rundown
    // protection with this if you do cross process handle table, process
    // section or address space references.
    //

    EX_RUNDOWN_REF RundownProtect;

    HANDLE UniqueProcessId;

    //
    // Global list of all processes in the system. Processes are removed
    // from this list in the object deletion routine.  References to
    // processes in this list must be done with ObReferenceObjectSafe
    // because of this.
    //

    LIST_ENTRY ActiveProcessLinks;

    //
    // Quota Fields.
    //

    SIZE_T QuotaUsage[PsQuotaTypes];
    SIZE_T QuotaPeak[PsQuotaTypes];
    SIZE_T CommitCharge;

    //
    // VmCounters.
    //

    SIZE_T PeakVirtualSize;
    SIZE_T VirtualSize;

    LIST_ENTRY SessionProcessLinks;

    PVOID DebugPort;
    PVOID ExceptionPort;
    PHANDLE_TABLE ObjectTable;

    //
    // Security.
    //

    EX_FAST_REF Token;

    PFN_NUMBER WorkingSetPage;
    KGUARDED_MUTEX AddressCreationLock;
    KSPIN_LOCK HyperSpaceLock;

    struct _ETHREAD *ForkInProgress;
    ULONG_PTR HardwareTrigger;

    PMM_AVL_TABLE PhysicalVadRoot;
    PVOID CloneRoot;
    PFN_NUMBER NumberOfPrivatePages;
    PFN_NUMBER NumberOfLockedPages;
    PVOID Win32Process;
    struct _EJOB *Job;
    PVOID SectionObject;

    PVOID SectionBaseAddress;

    PEPROCESS_QUOTA_BLOCK QuotaBlock;

    PPAGEFAULT_HISTORY WorkingSetWatch;
    HANDLE Win32WindowStation;
    HANDLE InheritedFromUniqueProcessId;

    PVOID LdtInformation;
    PVOID VadFreeHint;
    PVOID VdmObjects;
    PVOID DeviceMap;

    PVOID Spare0[3];
    union {
        HARDWARE_PTE PageDirectoryPte;
        ULONGLONG Filler;
    };
    PVOID Session;
    UCHAR ImageFileName[ 16 ];

    LIST_ENTRY JobLinks;
    PVOID LockedPagesList;

    LIST_ENTRY ThreadListHead;

    //
    // Used by rdr/security for authentication.
    //

    PVOID SecurityPort;

#ifdef _WIN64
    PWOW64_PROCESS Wow64Process;
#else
    PVOID PaeTop;
#endif

    ULONG ActiveThreads;

    ACCESS_MASK GrantedAccess;

    ULONG DefaultHardErrorProcessing;

    NTSTATUS LastThreadExitStatus;

    //
    // Peb
    //

    PPEB Peb;

    //
    // Pointer to the prefetches trace block.
    //
    EX_FAST_REF PrefetchTrace;

    LARGE_INTEGER ReadOperationCount;
    LARGE_INTEGER WriteOperationCount;
    LARGE_INTEGER OtherOperationCount;
    LARGE_INTEGER ReadTransferCount;
    LARGE_INTEGER WriteTransferCount;
    LARGE_INTEGER OtherTransferCount;

    SIZE_T CommitChargeLimit;
    SIZE_T CommitChargePeak;

    PVOID AweInfo;

    //
    // This is used for SeAuditProcessCreation.
    // It contains the full path to the image file.
    //

    SE_AUDIT_PROCESS_CREATION_INFO SeAuditProcessCreationInfo;

    MMSUPPORT Vm;

#if !defined(_WIN64)
    LIST_ENTRY MmProcessLinks;
#else
    ULONG Spares[2];
#endif

    ULONG ModifiedPageCount;

    #define PS_JOB_STATUS_NOT_REALLY_ACTIVE      0x00000001UL
    #define PS_JOB_STATUS_ACCOUNTING_FOLDED      0x00000002UL
    #define PS_JOB_STATUS_NEW_PROCESS_REPORTED   0x00000004UL
    #define PS_JOB_STATUS_EXIT_PROCESS_REPORTED  0x00000008UL
    #define PS_JOB_STATUS_REPORT_COMMIT_CHANGES  0x00000010UL
    #define PS_JOB_STATUS_LAST_REPORT_MEMORY     0x00000020UL
    #define PS_JOB_STATUS_REPORT_PHYSICAL_PAGE_CHANGES  0x00000040UL

    ULONG JobStatus;


    //
    // Process flags. Use interlocked operations with PS_SET_BITS, etc
    // to modify these.
    //

    #define PS_PROCESS_FLAGS_CREATE_REPORTED        0x00000001UL // Create process debug call has occurred
    #define PS_PROCESS_FLAGS_NO_DEBUG_INHERIT       0x00000002UL // Don't inherit debug port
    #define PS_PROCESS_FLAGS_PROCESS_EXITING        0x00000004UL // PspExitProcess entered
    #define PS_PROCESS_FLAGS_PROCESS_DELETE         0x00000008UL // Delete process has been issued
    #define PS_PROCESS_FLAGS_WOW64_SPLIT_PAGES      0x00000010UL // Wow64 split pages
    #define PS_PROCESS_FLAGS_VM_DELETED             0x00000020UL // VM is deleted
    #define PS_PROCESS_FLAGS_OUTSWAP_ENABLED        0x00000040UL // Outswap enabled
    #define PS_PROCESS_FLAGS_OUTSWAPPED             0x00000080UL // Outswapped
    #define PS_PROCESS_FLAGS_FORK_FAILED            0x00000100UL // Fork status
    #define PS_PROCESS_FLAGS_WOW64_4GB_VA_SPACE     0x00000200UL // Wow64 process with 4gb virtual address space
    #define PS_PROCESS_FLAGS_ADDRESS_SPACE1         0x00000400UL // Addr space state1
    #define PS_PROCESS_FLAGS_ADDRESS_SPACE2         0x00000800UL // Addr space state2
    #define PS_PROCESS_FLAGS_SET_TIMER_RESOLUTION   0x00001000UL // SetTimerResolution has been called
    #define PS_PROCESS_FLAGS_BREAK_ON_TERMINATION   0x00002000UL // Break on process termination
    #define PS_PROCESS_FLAGS_CREATING_SESSION       0x00004000UL // Process is creating a session
    #define PS_PROCESS_FLAGS_USING_WRITE_WATCH      0x00008000UL // Process is using the write watch APIs
    #define PS_PROCESS_FLAGS_IN_SESSION             0x00010000UL // Process is in a session
    #define PS_PROCESS_FLAGS_OVERRIDE_ADDRESS_SPACE 0x00020000UL // Process must use native address space (Win64 only)
    #define PS_PROCESS_FLAGS_HAS_ADDRESS_SPACE      0x00040000UL // This process has an address space
    #define PS_PROCESS_FLAGS_LAUNCH_PREFETCHED      0x00080000UL // Process launch was prefetched
    #define PS_PROCESS_INJECT_INPAGE_ERRORS         0x00100000UL // Process should be given inpage errors - hardcoded in trap.asm too
    #define PS_PROCESS_FLAGS_VM_TOP_DOWN            0x00200000UL // Process memory allocations default to top-down
    #define PS_PROCESS_FLAGS_IMAGE_NOTIFY_DONE      0x00400000UL // We have sent a message for this image
    #define PS_PROCESS_FLAGS_PDE_UPDATE_NEEDED      0x00800000UL // The system PDEs need updating for this process (NT32 only)
    #define PS_PROCESS_FLAGS_VDM_ALLOWED            0x01000000UL // Process allowed to invoke NTVDM support
    #define PS_PROCESS_FLAGS_SMAP_ALLOWED           0x02000000UL // Process allowed to invoke SMAP support
    #define PS_PROCESS_FLAGS_CREATE_FAILED          0x04000000UL // Process create failed

    #define PS_PROCESS_FLAGS_DEFAULT_IO_PRIORITY    0x38000000UL // The default I/O priority for created threads. (3 bits)

    #define PS_PROCESS_FLAGS_PRIORITY_SHIFT         27
    
    #define PS_PROCESS_FLAGS_EXECUTE_SPARE1         0x40000000UL //
    #define PS_PROCESS_FLAGS_EXECUTE_SPARE2         0x80000000UL //


    union {

        ULONG Flags;

        //
        // Fields can only be set by the PS_SET_BITS and other interlocked
        // macros.  Reading fields is best done via the bit definitions so
        // references are easy to locate.
        //

        struct {
            ULONG CreateReported            : 1;
            ULONG NoDebugInherit            : 1;
            ULONG ProcessExiting            : 1;
            ULONG ProcessDelete             : 1;
            ULONG Wow64SplitPages           : 1;
            ULONG VmDeleted                 : 1;
            ULONG OutswapEnabled            : 1;
            ULONG Outswapped                : 1;
            ULONG ForkFailed                : 1;
            ULONG Wow64VaSpace4Gb           : 1;
            ULONG AddressSpaceInitialized   : 2;
            ULONG SetTimerResolution        : 1;
            ULONG BreakOnTermination        : 1;
            ULONG SessionCreationUnderway   : 1;
            ULONG WriteWatch                : 1;
            ULONG ProcessInSession          : 1;
            ULONG OverrideAddressSpace      : 1;
            ULONG HasAddressSpace           : 1;
            ULONG LaunchPrefetched          : 1;
            ULONG InjectInpageErrors        : 1;
            ULONG VmTopDown                 : 1;
            ULONG ImageNotifyDone           : 1;
            ULONG PdeUpdateNeeded           : 1;    // NT32 only
            ULONG VdmAllowed                : 1;
            ULONG SmapAllowed               : 1;
            ULONG CreateFailed              : 1;
            ULONG DefaultIoPriority         : 3;
            ULONG Spare1                    : 1;
            ULONG Spare2                    : 1;
        };
    };

    NTSTATUS ExitStatus;

    USHORT NextPageColor;
    union {
        struct {
            UCHAR SubSystemMinorVersion;
            UCHAR SubSystemMajorVersion;
        };
        USHORT SubSystemVersion;
    };
    UCHAR PriorityClass;

    MM_AVL_TABLE VadRoot;

    ULONG Cookie;

} EPROCESS, *PEPROCESS;

typedef struct _KPROCESS {

    //
    // The dispatch header and profile listhead are fairly infrequently
    // referenced.
    //

    DISPATCHER_HEADER Header;
    LIST_ENTRY ProfileListHead;

    //
    // The following fields are referenced during context switches.
    //

    ULONG_PTR DirectoryTableBase[2];

#if defined(_X86_)

    KGDTENTRY LdtDescriptor;
    KIDTENTRY Int21Descriptor;
    USHORT IopmOffset;
    UCHAR Iopl;
    BOOLEAN Unused;

#endif

#if defined(_AMD64_)

    USHORT IopmOffset;

#endif

    volatile KAFFINITY ActiveProcessors;

    //
    // The following fields are referenced during clock interrupts.
    //

    ULONG KernelTime;
    ULONG UserTime;

    //
    // The following fields are referenced infrequently.
    //

    LIST_ENTRY ReadyListHead;
    SINGLE_LIST_ENTRY SwapListEntry;

#if defined(_X86_)

    PVOID VdmTrapcHandler;

#else

    PVOID Reserved1;

#endif

    LIST_ENTRY ThreadListHead;
    KSPIN_LOCK ProcessLock;
    KAFFINITY Affinity;

    //
    // N.B. The following bit number definitions must match the following
    //      bit field.
    //
    // N.B. These bits can only be written with interlocked operations.
    //

#define KPROCESS_AUTO_ALIGNMENT_BIT 0
#define KPROCESS_DISABLE_BOOST_BIT 1
#define KPROCESS_DISABLE_QUANTUM_BIT 2

    union {
        struct {
            LONG AutoAlignment : 1;
            LONG DisableBoost : 1;
            LONG DisableQuantum : 1;
            LONG ReservedFlags : 29;
        };
   
        LONG ProcessFlags;
    };

    SCHAR BasePriority;
    SCHAR QuantumReset;
    UCHAR State;
    UCHAR ThreadSeed;
    UCHAR PowerState;
    UCHAR IdealNode;
    BOOLEAN Visited;
    union {
        KEXECUTE_OPTIONS Flags;
        UCHAR ExecuteOptions;
    };

#if !defined(_X86_) && !defined(_AMD64_)

    PALIGNMENT_EXCEPTION_TABLE AlignmentExceptionTable;

#endif

    ULONG_PTR StackCount;
    LIST_ENTRY ProcessListEntry;
} KPROCESS, *PKPROCESS, *PRKPROCESS;

typedef struct _ETHREAD {
    KTHREAD Tcb;

    LARGE_INTEGER CreateTime;

    union {
        LARGE_INTEGER ExitTime;
        LIST_ENTRY LpcReplyChain;
        LIST_ENTRY KeyedWaitChain;
    };
    union {
        NTSTATUS ExitStatus;
        PVOID OfsChain;
    };

    //
    // Registry
    //

    LIST_ENTRY PostBlockList;

    //
    // Single linked list of termination blocks
    //

    union {
        //
        // List of termination ports
        //

        PTERMINATION_PORT TerminationPort;

        //
        // List of threads to be reaped. Only used at thread exit
        //

        struct _ETHREAD *ReaperLink;

        //
        // Keyvalue being waited for
        //
        PVOID KeyedWaitValue;

    };

    KSPIN_LOCK ActiveTimerListLock;
    LIST_ENTRY ActiveTimerListHead;

    CLIENT_ID Cid;

    //
    // Lpc
    //

    union {
        KSEMAPHORE LpcReplySemaphore;
        KSEMAPHORE KeyedWaitSemaphore;
    };

    union {
        PVOID LpcReplyMessage;          // -> Message that contains the reply
        PVOID LpcWaitingOnPort;
    };

    //
    // Security
    //
    //
    //    Client - If non null, indicates the thread is impersonating
    //        a client.
    //

    PPS_IMPERSONATION_INFORMATION ImpersonationInfo;

    //
    // Io
    //

    LIST_ENTRY IrpList;

    //
    //  File Systems
    //

    ULONG_PTR TopLevelIrp;  // either NULL, an Irp or a flag defined in FsRtl.h
    struct _DEVICE_OBJECT *DeviceToVerify;

    PEPROCESS ThreadsProcess;
    PVOID StartAddress;
    union {
        PVOID Win32StartAddress;
        ULONG LpcReceivedMessageId;
    };
    //
    // Ps
    //

    LIST_ENTRY ThreadListEntry;

    //
    // Rundown protection structure. Acquire this to do cross thread
    // TEB, TEB32 or stack references.
    //

    EX_RUNDOWN_REF RundownProtect;

    //
    // Lock to protect thread impersonation information
    //
    EX_PUSH_LOCK ThreadLock;

    ULONG LpcReplyMessageId;    // MessageId this thread is waiting for reply to

    ULONG ReadClusterSize;

    //
    // Client/server
    //

    ACCESS_MASK GrantedAccess;

    //
    // Flags for cross thread access. Use interlocked operations
    // via PS_SET_BITS etc.
    //

    //
    // Used to signify that the delete APC has been queued or the
    // thread has called PspExitThread itself.
    //

    #define PS_CROSS_THREAD_FLAGS_TERMINATED           0x00000001UL

    //
    // Thread create failed
    //

    #define PS_CROSS_THREAD_FLAGS_DEADTHREAD           0x00000002UL

    //
    // Debugger isn't shown this thread
    //

    #define PS_CROSS_THREAD_FLAGS_HIDEFROMDBG          0x00000004UL

    //
    // Thread is impersonating
    //

    #define PS_CROSS_THREAD_FLAGS_IMPERSONATING        0x00000008UL

    //
    // This is a system thread
    //

    #define PS_CROSS_THREAD_FLAGS_SYSTEM               0x00000010UL

    //
    // Hard errors are disabled for this thread
    //

    #define PS_CROSS_THREAD_FLAGS_HARD_ERRORS_DISABLED 0x00000020UL

    //
    // We should break in when this thread is terminated
    //

    #define PS_CROSS_THREAD_FLAGS_BREAK_ON_TERMINATION 0x00000040UL

    //
    // This thread should skip sending its create thread message
    //
    #define PS_CROSS_THREAD_FLAGS_SKIP_CREATION_MSG    0x00000080UL

    //
    // This thread should skip sending its final thread termination message
    //
    #define PS_CROSS_THREAD_FLAGS_SKIP_TERMINATION_MSG 0x00000100UL

    union {

        ULONG CrossThreadFlags;

        //
        // The following fields are for the debugger only. Do not use.
        // Use the bit definitions instead.
        //

        struct {
            ULONG Terminated              : 1;
            ULONG DeadThread              : 1;
            ULONG HideFromDebugger        : 1;
            ULONG ActiveImpersonationInfo : 1;
            ULONG SystemThread            : 1;
            ULONG HardErrorsAreDisabled   : 1;
            ULONG BreakOnTermination      : 1;
            ULONG SkipCreationMsg         : 1;
            ULONG SkipTerminationMsg      : 1;
        };
    };

    //
    // Flags to be accessed in this thread's context only at PASSIVE
    // level -- no need to use interlocked operations.
    //

    union {
        ULONG SameThreadPassiveFlags;

        struct {

            //
            // This thread is an active Ex worker thread; it should
            // not terminate.
            //

            ULONG ActiveExWorker : 1;
            ULONG ExWorkerCanWaitUser : 1;
            ULONG MemoryMaker : 1;

            //
            // Thread is active in the keyed event code. LPC should not run above this in an APC.
            //
            ULONG KeyedEventInUse : 1;
        };
    };

    //
    // Flags to be accessed in this thread's context only at APC_LEVEL.
    // No need to use interlocked operations.
    //

    union {
        ULONG SameThreadApcFlags;
        struct {

            //
            // The stored thread's MSGID is valid. This is only accessed
            // while the LPC mutex is held so it's an APC_LEVEL flag.
            //

            BOOLEAN LpcReceivedMsgIdValid : 1;
            BOOLEAN LpcExitThreadCalled   : 1;
            BOOLEAN AddressSpaceOwner     : 1;
            BOOLEAN OwnsProcessWorkingSetExclusive  : 1;
            BOOLEAN OwnsProcessWorkingSetShared     : 1;
            BOOLEAN OwnsSystemWorkingSetExclusive   : 1;
            BOOLEAN OwnsSystemWorkingSetShared      : 1;
            BOOLEAN OwnsSessionWorkingSetExclusive  : 1;
            BOOLEAN OwnsSessionWorkingSetShared     : 1;

            #define PS_SAME_THREAD_FLAGS_OWNS_A_WORKING_SET    0x000001F8UL

            BOOLEAN ApcNeeded                       : 1;
        };
    };

    BOOLEAN ForwardClusterOnly;
    BOOLEAN DisablePageFaultClustering;
    UCHAR ActiveFaultCount;

#if defined (PERF_DATA)
    ULONG PerformanceCountLow;
    LONG PerformanceCountHigh;
#endif

} ETHREAD, *PETHREAD;


typedef struct _KTHREAD {

    //
    // The dispatcher header and mutant listhead are fairly infrequently
    // referenced.
    //

    DISPATCHER_HEADER Header;
    LIST_ENTRY MutantListHead;

    //
    // The following fields are referenced during context switches and wait
    // operatings. They have been carefully laid out to get the best cache
    // hit ratios.
    //

    PVOID InitialStack;
    PVOID StackLimit;
    PVOID KernelStack;

    KSPIN_LOCK ThreadLock;
    union {
        KAPC_STATE ApcState;
        struct {
            UCHAR ApcStateFill[KAPC_STATE_ACTUAL_LENGTH];
            BOOLEAN ApcQueueable;
            volatile UCHAR NextProcessor;
            volatile UCHAR DeferredProcessor;
            UCHAR AdjustReason;
            SCHAR AdjustIncrement;
        };
    };

    KSPIN_LOCK ApcQueueLock;

#if !defined(_AMD64_)

    ULONG ContextSwitches;
    volatile UCHAR State;
    UCHAR NpxState;
    KIRQL WaitIrql;
    KPROCESSOR_MODE WaitMode;

#endif

    LONG_PTR WaitStatus;
    union {
        PKWAIT_BLOCK WaitBlockList;
        PKGATE GateObject;
    };

    BOOLEAN Alertable;
    BOOLEAN WaitNext;
    UCHAR WaitReason;
    SCHAR Priority;
    UCHAR EnableStackSwap;
    volatile UCHAR SwapBusy;
    BOOLEAN Alerted[MaximumMode];
    union {
        LIST_ENTRY WaitListEntry;
        SINGLE_LIST_ENTRY SwapListEntry;
    };

    PRKQUEUE Queue;

#if !defined(_AMD64_)

    ULONG WaitTime;
    union {
        struct {
            SHORT KernelApcDisable;
            SHORT SpecialApcDisable;
        };

        ULONG CombinedApcDisable;
    };

#endif

    PVOID Teb;
    union {
        KTIMER Timer;
        struct {
            UCHAR TimerFill[KTIMER_ACTUAL_LENGTH];

            //
            // N.B. The following bit number definitions must match the
            //      following bit field.
            //
            // N.B. These bits can only be written with interlocked
            //      operations.
            //
    
#define KTHREAD_AUTO_ALIGNMENT_BIT 0
#define KTHREAD_DISABLE_BOOST_BIT 1
    
            union {
                struct {
                    LONG AutoAlignment : 1;
                    LONG DisableBoost : 1;
                    LONG ReservedFlags : 30;
                };
        
                LONG ThreadFlags;
            };
        };
    };

    union {
        KWAIT_BLOCK WaitBlock[THREAD_WAIT_OBJECTS + 1];
        struct {
            UCHAR WaitBlockFill0[KWAIT_BLOCK_OFFSET_TO_BYTE0];
            BOOLEAN SystemAffinityActive;
        };

        struct {
            UCHAR WaitBlockFill1[KWAIT_BLOCK_OFFSET_TO_BYTE1];
            CCHAR PreviousMode;
        };

        struct {
            UCHAR WaitBlockFill2[KWAIT_BLOCK_OFFSET_TO_BYTE2];
            UCHAR ResourceIndex;
        };

        struct {
            UCHAR WaitBlockFill3[KWAIT_BLOCK_OFFSET_TO_BYTE3];
            UCHAR LargeStack;
        };

#if defined(_AMD64_)

        struct {
            UCHAR WaitBlockFill4[KWAIT_BLOCK_OFFSET_TO_LONG0];
            ULONG ContextSwitches;
        };

        struct {
            UCHAR WaitBlockFill5[KWAIT_BLOCK_OFFSET_TO_LONG1];
            volatile UCHAR State;
            UCHAR NpxState;
            KIRQL WaitIrql;
            KPROCESSOR_MODE WaitMode;
        };

        struct {
            UCHAR WaitBlockFill6[KWAIT_BLOCK_OFFSET_TO_LONG2];
            ULONG WaitTime;
        };

        struct {
            UCHAR WaitBlockFill7[KWAIT_BLOCK_OFFSET_TO_LONG3];
             union {
                 struct {
                     SHORT KernelApcDisable;
                     SHORT SpecialApcDisable;
                 };
         
                 ULONG CombinedApcDisable;
             };
        };

#endif

    };

    LIST_ENTRY QueueListEntry;

    //
    // The following fields are accessed during system service dispatch.
    //

    PKTRAP_FRAME TrapFrame;
    PVOID CallbackStack;
    PVOID ServiceTable;

#if defined(_AMD64_)

    ULONG KernelLimit;

#endif

    //
    // The following fields are referenced during ready thread and wait
    // completion.
    //

    UCHAR ApcStateIndex;
    UCHAR IdealProcessor;
    BOOLEAN Preempted;
    BOOLEAN ProcessReadyQueue;

#if defined(_AMD64_)

    PVOID Win32kTable;
    ULONG Win32kLimit;

#endif

    BOOLEAN KernelStackResident;
    SCHAR BasePriority;
    SCHAR PriorityDecrement;
    CHAR Saturation;
    KAFFINITY UserAffinity;
    PKPROCESS Process;
    KAFFINITY Affinity;

    //
    // The below fields are infrequently referenced.
    //

    PKAPC_STATE ApcStatePointer[2];
    union {
        KAPC_STATE SavedApcState;
        struct {
            UCHAR SavedApcStateFill[KAPC_STATE_ACTUAL_LENGTH];
            CCHAR FreezeCount;
            CCHAR SuspendCount;
            UCHAR UserIdealProcessor;
            UCHAR CalloutActive;

#if defined(_AMD64_)

            BOOLEAN CodePatchInProgress;

#elif defined(_X86_)

            UCHAR Iopl;

#else

            UCHAR OtherPlatformFill;

#endif

        };
    };

    PVOID Win32Thread;
    PVOID StackBase;
    union {
        KAPC SuspendApc;
        struct {
            UCHAR SuspendApcFill0[KAPC_OFFSET_TO_SPARE_BYTE0];
            SCHAR Quantum;
        };

        struct {
            UCHAR SuspendApcFill1[KAPC_OFFSET_TO_SPARE_BYTE1];
            UCHAR QuantumReset;
        };

        struct {
            UCHAR SuspendApcFill2[KAPC_OFFSET_TO_SPARE_LONG];
            ULONG KernelTime;
        };

        struct {
            UCHAR SuspendApcFill3[KAPC_OFFSET_TO_SYSTEMARGUMENT1];
            PVOID TlsArray;
        };

        struct {
            UCHAR SuspendApcFill4[KAPC_OFFSET_TO_SYSTEMARGUMENT2];
            PVOID BBTData;
        };

        struct {
            UCHAR SuspendApcFill5[KAPC_ACTUAL_LENGTH];
            UCHAR PowerState;
            ULONG UserTime;
        };
    };

    union {
        KSEMAPHORE SuspendSemaphore;
        struct {
            UCHAR SuspendSemaphorefill[KSEMAPHORE_ACTUAL_LENGTH];
            ULONG SListFaultCount;
        };
    };

    LIST_ENTRY ThreadListEntry;
    PVOID SListFaultAddress;

#if defined(_WIN64)

    LONG64 ReadOperationCount;
    LONG64 WriteOperationCount;
    LONG64 OtherOperationCount;
    LONG64 ReadTransferCount;
    LONG64 WriteTransferCount;
    LONG64 OtherTransferCount;

#endif

} KTHREAD, *PKTHREAD, *PRKTHREAD;
Re[2]: Структуры ядра для 2k3
От: Аноним  
Дата: 16.09.06 20:48
Оценка:
Здравствуйте, __INFINITE, Вы писали:

__I>Лови.

Огромное спасибо, а для XP нет?
Re: Структуры ядра
От: Chopin Украина  
Дата: 18.09.06 08:13
Оценка: 1 (1) +2
Здравствуйте, Аноним, Вы писали:

А>Подскажите, где можно найти описание структур EPROCESS, KPROCESS и ETHREAD для Windows 2000, XP и 2003.
А>Заранее спасибо.

Скачать символы для каждого конкретного ядра и воспользоваться pdbdump или в WinDbg посмотреть. Придется, конечно, руками поработать, но это, по-моему, самый верный способ получить то, что тебе нужно.
Re[3]: Структуры ядра для 2k3
От: gear nuke  
Дата: 19.09.06 04:17
Оценка:
Здравствуйте, <Аноним>, Вы писали:

А>а для XP нет?

здесь (218 Kb) дамп PDB ntoskrnl от XP и 2K3
People who are more than casually interested in computers should have at least some idea of what the underlying hardware is like. Otherwise the programs they write will be pretty weird (c) D.Knuth
Re[2]: Структуры ядра для 2k3
От: gear nuke  
Дата: 19.09.06 04:23
Оценка:
Здравствуйте, __INFINITE, Вы писали:

__I>Однажды было дело сам искал... Мне один человек дал — у него исходники были... А вообще, сами исходники, говорят, гуляют в p2p сетях — надо бы поискать.

Исходники 2003?
People who are more than casually interested in computers should have at least some idea of what the underlying hardware is like. Otherwise the programs they write will be pretty weird (c) D.Knuth
Re: Структуры ядра
От: SerpentFly  
Дата: 24.09.06 12:29
Оценка:
А>Заранее спасибо.

Пожалуста 

typedef struct _KTHREAD_NT4
{
    DISPATCHER_HEADER           Header;
    LIST_ENTRY                  MutantListHead;
    PVOID                       InitialStack;
    PVOID                       StackLimit;
    struct _TEB                 *Teb;
    PVOID                       TlsArray;
    PVOID                       KernelStack;
    BOOLEAN                     DebugActive;
    UCHAR                       State;
    USHORT                      Alerted;
    UCHAR                       Iopl;
    UCHAR                       NpxState;
    UCHAR                       Saturation;
    UCHAR                       Priority;
    KAPC_STATE                  ApcState;
    ULONG                       ContextSwitches;
    NTSTATUS                    WaitStatus;
    UCHAR                       WaitIrql;
    UCHAR                       WaitMode;
    UCHAR                       WaitNext;
    UCHAR                       WaitReason;
    PKWAIT_BLOCK                WaitBlockList;
    LIST_ENTRY                  WaitListEntry;
    ULONG                       WaitTime;
    UCHAR                       BasePriority;
    UCHAR                       DecrementCount;
    UCHAR                       PriorityDecrement;
    UCHAR                       Quantum;
    KWAIT_BLOCK                 WaitBlock[4];
    ULONG                       LegoData;
    ULONG                       KernelApcDisable;
    ULONG                       UserAffinity;
    BOOLEAN                     SystemAffinityActive;
    UCHAR                       Pad[3];
    PSERVICE_DESCRIPTOR_TABLE   ServiceDescriptorTable;
    PKQUEUE                     Queue;
    KSPIN_LOCK                  ApcQueueLock;
    KTIMER                      Timer;
    LIST_ENTRY                  QueueListEntry;
    ULONG                       Affinity;
    BOOLEAN                     Preempted;
    BOOLEAN                     ProcessReadyQueue;
    BOOLEAN                     KernelStackResident;
    UCHAR                       NextProcessor;
    PVOID                       CallbackStack;
    PVOID                       Win32Thread;
    PKTRAP_FRAME                TrapFrame;
    PKAPC_STATE                 ApcStatePointer[2];
    BOOLEAN                     EnableStackSwap;
    BOOLEAN                     LargeStack;
    UCHAR                       ResourceIndex;
    UCHAR                       PreviousMode;
    ULONG                       KernelTime;
    ULONG                       UserTime;
    KAPC_STATE                  SavedApcState;
    BOOLEAN                     Alertable;
    UCHAR                       ApcStateIndex;
    BOOLEAN                     ApcQueueable;
    BOOLEAN                     AutoAlignment;
    PVOID                       StackBase;
    KAPC                        SuspendApc;
    KSEMAPHORE                  SuspendSemaphore;
    LIST_ENTRY                  ThreadListEntry;
    UCHAR                       FreezeCount;
    UCHAR                       SuspendCount;
    UCHAR                       IdealProcessor;
    BOOLEAN                     DisableBoost;
} KTHREAD_NT4, *PKTHREAD_NT4;

typedef struct _KTHREAD_W2K
{
    DISPATCHER_HEADER           Header;
    LIST_ENTRY                  MutantListHead;
    PVOID                       InitialStack;
    PVOID                       StackLimit;
    struct _TEB                 *Teb;
    PVOID                       TlsArray;
    PVOID                       KernelStack;
    BOOLEAN                     DebugActive;
    UCHAR                       State;
    USHORT                      Alerted;
    UCHAR                       Iopl;
    UCHAR                       NpxState;
    UCHAR                       Saturation;
    UCHAR                       Priority;
    KAPC_STATE                  ApcState;
    ULONG                       ContextSwitches;
    NTSTATUS                    WaitStatus;
    UCHAR                       WaitIrql;
    UCHAR                       WaitMode;
    UCHAR                       WaitNext;
    UCHAR                       WaitReason;
    PKWAIT_BLOCK                WaitBlockList;
    LIST_ENTRY                  WaitListEntry;
    ULONG                       WaitTime;
    UCHAR                       BasePriority;
    UCHAR                       DecrementCount;
    UCHAR                       PriorityDecrement;
    UCHAR                       Quantum;
    KWAIT_BLOCK                 WaitBlock[4];
    ULONG                       LegoData;
    ULONG                       KernelApcDisable;
    ULONG                       UserAffinity;
    BOOLEAN                     SystemAffinityActive;
    UCHAR                       PowerState;
    UCHAR                       NpxIrql;
    UCHAR                       Pad[1];
    PSERVICE_DESCRIPTOR_TABLE   ServiceDescriptorTable;
    PKQUEUE                     Queue;
    KSPIN_LOCK                  ApcQueueLock;
    KTIMER                      Timer;
    LIST_ENTRY                  QueueListEntry;
    ULONG                       Affinity;
    BOOLEAN                     Preempted;
    BOOLEAN                     ProcessReadyQueue;
    BOOLEAN                     KernelStackResident;
    UCHAR                       NextProcessor;
    PVOID                       CallbackStack;
    PVOID                       Win32Thread;
    PKTRAP_FRAME                TrapFrame;
    PKAPC_STATE                 ApcStatePointer[2];
    UCHAR                       PreviousMode;
    BOOLEAN                     EnableStackSwap;
    BOOLEAN                     LargeStack;
    UCHAR                       ResourceIndex;
    ULONG                       KernelTime;
    ULONG                       UserTime;
    KAPC_STATE                  SavedApcState;
    BOOLEAN                     Alertable;
    UCHAR                       ApcStateIndex;
    BOOLEAN                     ApcQueueable;
    BOOLEAN                     AutoAlignment;
    PVOID                       StackBase;
    KAPC                        SuspendApc;
    KSEMAPHORE                  SuspendSemaphore;
    LIST_ENTRY                  ThreadListEntry;
    UCHAR                       FreezeCount;
    UCHAR                       SuspendCount;
    UCHAR                       IdealProcessor;
    BOOLEAN                     DisableBoost;
} KTHREAD_W2K, *PKTHREAD_W2K;

typedef struct _KTHREAD_XP
{
    DISPATCHER_HEADER           Header;
    LIST_ENTRY                  MutantListHead;
    PVOID                       InitialStack;
    PVOID                       StackLimit;
    struct _TEB                 *Teb;
    PVOID                       TlsArray;
    PVOID                       KernelStack;
    BOOLEAN                     DebugActive;
    UCHAR                       State;
    UCHAR                       Alerted[2];
    UCHAR                       Iopl;
    UCHAR                       NpxState;
    CHAR                        Saturation;
    CHAR                        Priority;
    KAPC_STATE                  ApcState;
    ULONG                       ContextSwitches;
    UCHAR                       IdleSwapBlock;
    UCHAR                       Spare0[3];
    NTSTATUS                    WaitStatus;
    UCHAR                       WaitIrql;
    CHAR                        WaitMode;
    UCHAR                       WaitNext;
    UCHAR                       WaitReason;
    PKWAIT_BLOCK                WaitBlockList;
    union
    {
        LIST_ENTRY              WaitListEntry;
        SINGLE_LIST_ENTRY       SwapListEntry;
    };
    ULONG                       WaitTime;
    CHAR                        BasePriority;
    UCHAR                       DecrementCount;
    CHAR                        PriorityDecrement;
    CHAR                        Quantum;
    KWAIT_BLOCK                 WaitBlock[4];
    PVOID                       LegoData;
    ULONG                       KernelApcDisable;
    ULONG                       UserAffinity;
    BOOLEAN                     SystemAffinityActive;
    UCHAR                       PowerState;
    UCHAR                       NpxIrql;
    UCHAR                       InitialNode;
    PSERVICE_DESCRIPTOR_TABLE   ServiceTable;
    PKQUEUE                     Queue;
    KSPIN_LOCK                  ApcQueueLock;
    KTIMER                      Timer;
    LIST_ENTRY                  QueueListEntry;
    ULONG                       SoftAffinity;
    ULONG                       Affinity;
    BOOLEAN                     Preempted;
    BOOLEAN                     ProcessReadyQueue;
    BOOLEAN                     KernelStackResident;
    UCHAR                       NextProcessor;
    PVOID                       CallbackStack;
    PVOID                       Win32Thread;
    PKTRAP_FRAME                TrapFrame;
    PKAPC_STATE                 ApcStatePointer[2];
    CHAR                        PreviousMode;
    BOOLEAN                     EnableStackSwap;
    BOOLEAN                     LargeStack;
    UCHAR                       ResourceIndex;
    ULONG                       KernelTime;
    ULONG                       UserTime;
    KAPC_STATE                  SavedApcState;
    BOOLEAN                     Alertable;
    UCHAR                       ApcStateIndex;
    BOOLEAN                     ApcQueueable;
    BOOLEAN                     AutoAlignment;
    PVOID                       StackBase;
    KAPC                        SuspendApc;
    KSEMAPHORE                  SuspendSemaphore;
    LIST_ENTRY                  ThreadListEntry;
    CHAR                        FreezeCount;
    CHAR                        SuspendCount;
    UCHAR                       IdealProcessor;
    BOOLEAN                     DisableBoost;
} KTHREAD_XP, *PKTHREAD_XP;


typedef struct _KTHREAD_2K3
{   
   /*+0x000*/ DISPATCHER_HEADER  Header;
   /*+0x010*/ LIST_ENTRY         MutantListHead;
   /*+0x018*/ PVOID              InitialStack;
   /*+0x01c*/ PVOID              StackLimit;
   /*+0x020*/ PVOID              KernelStack;
   /*+0x024*/ ULONG              ThreadLock;
   /*+0x028*/ ULONG              ContextSwitches;
   /*+0x02c*/ UCHAR              State;
   /*+0x02d*/ UCHAR              NpxState;
   /*+0x02e*/ UCHAR              WaitIrql;
   /*+0x02f*/ CHAR               WaitMode;
   /*+0x030*/ struct _TEB        *Teb;
   /*+0x034*/ KAPC_STATE         ApcState;
   /*+0x04c*/ KSPIN_LOCK         ApcQueueLock;
   /*+0x050*/ NTSTATUS           WaitStatus;
   /*+0x054*/ PKWAIT_BLOCK       WaitBlockList;
   /*+0x058*/ BOOLEAN            Alertable;
   /*+0x059*/ UCHAR              WaitNext;
   /*+0x05a*/ UCHAR              WaitReason;
   /*+0x05b*/ CHAR               Priority;
   /*+0x05c*/ BOOLEAN            EnableStackSwap;
   /*+0x05d*/ UCHAR              SwapBusy;
   /*+0x05e*/ BOOLEAN            Alerted[2];
   union{
   /*+0x060*/    LIST_ENTRY        WaitListEntry;
   /*+0x060*/    SINGLE_LIST_ENTRY SwapListEntry;
   };
   /*+0x068*/ PKQUEUE            Queue;
   /*+0x06c*/ ULONG              WaitTime;
   union {
   /*+0x070*/    LONG              KernelApcDisable;   
   /*+0x070*/    ULONG             CombinedApcDisable;
   };
   /*+0x072*/ LONG               SpecialApcDisable;
   /*+0x078*/ KTIMER             Timer;
   /*+0x0a0*/ KWAIT_BLOCK        WaitBlock[4];
   /*+0x100*/ LIST_ENTRY         QueueListEntry;
   /*+0x108*/ UCHAR              ApcStateIndex;
   /*+0x109*/ BOOLEAN            ApcQueueable;
   /*+0x10a*/ BOOLEAN            Preempted;
   /*+0x10b*/ BOOLEAN            ProcessReadyQueue;
   /*+0x10c*/ BOOLEAN            KernelStackResident;
   /*+0x10d*/ CHAR               Saturation;
   /*+0x10e*/ CHAR               IdealProcessor;
   /*+0x10f*/ UCHAR              NextProcessor;
   /*+0x110*/ CHAR               BasePriority;
   /*+0x111*/ UCHAR              Spare4;
   /*+0x112*/ CHAR               PriorityDecrement;
   /*+0x113*/ CHAR               Quantum;
   /*+0x114*/ BOOLEAN            SystemAffinityActive;
   /*+0x115*/ KPROCESSOR_MODE    PreviousMode;
   /*+0x116*/ UCHAR              ResourceIndex;
   /*+0x117*/ BOOLEAN            DisableBoost;
   /*+0x118*/ ULONG              UserAffinity;
   /*+0x11c*/ PKPROCESS          Process;
   /*+0x120*/ ULONG              Affinity;
   /*+0x124*/ PSERVICE_DESCRIPTOR_TABLE ServiceTable;
   /*+0x128*/ PKAPC_STATE        ApcStatePointer[2];
   /*+0x130*/ KAPC_STATE         SavedApcState;
   /*+0x148*/ PVOID              CallbackStack;
   /*+0x14c*/ PVOID              Win32Thread;
   /*+0x150*/ PKTRAP_FRAME       TrapFrame;
   /*+0x154*/ ULONG              KernelTime;
   /*+0x158*/ ULONG              UserTime;
   /*+0x15c*/ PVOID              StackBase;
   /*+0x160*/ KAPC               SuspendApc;
   /*+0x190*/ KSEMAPHORE         SuspendSemaphore;
   /*+0x1a4*/ PVOID              TlsArray;
   /*+0x1a8*/ PVOID              LegoData;
   /*+0x1ac*/ LIST_ENTRY         ThreadListEntry;
   /*+0x1b4*/ BOOLEAN            LargeStack;
   /*+0x1b5*/ UCHAR              PowerState;
   /*+0x1b6*/ UCHAR              NpxIrql;
   /*+0x1b7*/ UCHAR              Spare5;
   /*+0x1b8*/ BOOLEAN            AutoAlignment;
   /*+0x1b9*/ UCHAR              Iopl;
   /*+0x1ba*/ CHAR               FreezeCount;
   /*+0x1bb*/ CHAR               SuspendCount;
   /*+0x1bc*/ UCHAR              Spare0;
   /*+0x1bd*/ UCHAR              UserIdealProcessor;
   /*+0x1be*/ UCHAR              DeferredProcessor;
   /*+0x1bf*/ UCHAR              AdjustReason;
   /*+0x1c0*/ CHAR               AdjustIncrement;
   /*+0x1c1*/ UCHAR              Spare2[3];
}KTHREAD_2K3,*PKTHREAD_2K3;

typedef struct _ETHREAD_NT4
{
    KTHREAD_NT4                     Tcb;
    LARGE_INTEGER                   CreateTime;
    union
    {
        LARGE_INTEGER               ExitTime;
        LIST_ENTRY                  LpcReplyChain;
    };
    union
    {
        NTSTATUS                    ExitStatus;
        PVOID                       OfsChain;
    };
    LIST_ENTRY                      PostBlockList;
    LIST_ENTRY                      TerminationPortList;
    KSPIN_LOCK                      ActiveTimerListLock;
    LIST_ENTRY                      ActiveTimerListHead;
    CLIENT_ID                       Cid;
    KSEMAPHORE                      LpcReplySemaphore;
    PLPC_MESSAGE                    LpcReplyMessage;
    ULONG                           LpcReplyMessageId;
    ULONG                           PerformanceCountLow;
    PPS_IMPERSONATION_INFORMATION   ImpersonationInfo;
    LIST_ENTRY                      IrpList;
    PVOID                           TopLevelIrp;
    PDEVICE_OBJECT                  DeviceToVerify;
    ULONG                           ReadClusterSize;
    BOOLEAN                         ForwardClusterOnly;
    BOOLEAN                         DisablePageFaultClustering;
    BOOLEAN                         DeadThread;
    BOOLEAN                         HasTerminated;
    PKEVENT_PAIR                    EventPair;
    ACCESS_MASK                     GrantedAccess;
    PEPROCESS_NT4                   ThreadsProcess;
    PKSTART_ROUTINE                 StartAddress;
    union
    {
        PVOID                       Win32StartAddress;
        ULONG                       LpcReceivedMessageId;
    };
    BOOLEAN                         LpcExitThreadCalled;
    BOOLEAN                         HardErrorsAreDisabled;
    BOOLEAN                         LpcReceivedMsgIdValid;
    BOOLEAN                         ActiveImpersonationInfo;
    ULONG                           PerformanceCountHigh;
} ETHREAD_NT4, *PETHREAD_NT4;

typedef struct _ETHREAD_W2K
{
    KTHREAD_W2K                     Tcb;
    LARGE_INTEGER                   CreateTime;
    union
    {
        LARGE_INTEGER               ExitTime;
        LIST_ENTRY                  LpcReplyChain;
    };
    union
    {
        NTSTATUS                    ExitStatus;
        PVOID                       OfsChain;
    };
    LIST_ENTRY                      PostBlockList;
    LIST_ENTRY                      TerminationPortList;
    KSPIN_LOCK                      ActiveTimerListLock;
    LIST_ENTRY                      ActiveTimerListHead;
    CLIENT_ID                       Cid;
    KSEMAPHORE                      LpcReplySemaphore;
    PLPC_MESSAGE                    LpcReplyMessage;
    ULONG                           LpcReplyMessageId;
    ULONG                           PerformanceCountLow;
    PPS_IMPERSONATION_INFORMATION   ImpersonationInfo;
    LIST_ENTRY                      IrpList;
    PVOID                           TopLevelIrp;
    PDEVICE_OBJECT                  DeviceToVerify;
    ULONG                           ReadClusterSize;
    BOOLEAN                         ForwardClusterOnly;
    BOOLEAN                         DisablePageFaultClustering;
    BOOLEAN                         DeadThread;
    BOOLEAN                         HideFromDebugger;
    ULONG                           HasTerminated;
    ACCESS_MASK                     GrantedAccess;
    PEPROCESS_W2K                   ThreadsProcess;
    PKSTART_ROUTINE                 StartAddress;
    union
    {
        PVOID                       Win32StartAddress;
        ULONG                       LpcReceivedMessageId;
    };
    BOOLEAN                         LpcExitThreadCalled;
    BOOLEAN                         HardErrorsAreDisabled;
    BOOLEAN                         LpcReceivedMsgIdValid;
    BOOLEAN                         ActiveImpersonationInfo;
    ULONG                           PerformanceCountHigh;
    LIST_ENTRY                      ThreadListEntry;
} ETHREAD_W2K, *PETHREAD_W2K;

typedef struct _ETHREAD_XP
{
    KTHREAD_XP                      Tcb;
    union
    {
        LARGE_INTEGER               CreateTime;
        struct
        {
            ULONG                   NestedFaultCount    : 2;
            ULONG                   ApcNeeded           : 1;
        };
    };
    union
    {
        LARGE_INTEGER               ExitTime;
        LIST_ENTRY                  LpcReplyChain;
        LIST_ENTRY                  KeyedWaitChain;
    };
    union
    {
        NTSTATUS                    ExitStatus;
        PVOID                       OfsChain;
    };
    LIST_ENTRY                      PostBlockList;
    union
    {
        PTERMINATION_PORT           TerminationPort;
        PETHREAD_XP                 ReaperLink;
        PVOID                       KeyedWaitValue;
    };
    KSPIN_LOCK                      ActiveTimerListLock;
    LIST_ENTRY                      ActiveTimerListHead;
    CLIENT_ID                       Cid;
    union
    {
        KSEMAPHORE                  LpcReplySemaphore;
        KSEMAPHORE                  KeyedWaitSemaphore;
    };
    union
    {
        PLPC_MESSAGE                LpcReplyMessage;
        PVOID                       LpcWaitingOnPort;
    };
    PPS_IMPERSONATION_INFORMATION   ImpersonationInfo;
    LIST_ENTRY                      IrpList;
    ULONG                           TopLevelIrp;
    PDEVICE_OBJECT                  DeviceToVerify;
    PEPROCESS_XP                    ThreadsProcess;
    PKSTART_ROUTINE                 StartAddress;
    union
    {
        PVOID                       Win32StartAddress;
        ULONG                       LpcReceivedMessageId;
    };
    LIST_ENTRY                      ThreadListEntry;
    EX_RUNDOWN_REF                  RundownProtect;
    EX_PUSH_LOCK                    ThreadLock;
    ULONG                           LpcReplyMessageId;
    ULONG                           ReadClusterSize;
    ACCESS_MASK                     GrantedAccess;
    union
    {
        ULONG                       CrossThreadFlags;
        struct
        {
            ULONG                   Terminated              : 1;
            ULONG                   DeadThread              : 1;
            ULONG                   HideFromDebugger        : 1;
            ULONG                   ActiveImpersonationInfo : 1;
            ULONG                   SystemThread            : 1;
            ULONG                   HardErrorsAreDisabled   : 1;
            ULONG                   BreakOnTermination      : 1;
            ULONG                   SkipCreationMsg         : 1;
            ULONG                   SkipTerminationMsg      : 1;
        };
    };
    union
    {
        ULONG                       SameThreadPassiveFlags;
        struct
        {
            ULONG                   ActiveExWorker          : 1;
            ULONG                   ExWorkerCanWaitUser     : 1;
            ULONG                   MemoryMaker             : 1;
        };
    };
    union
    {
        ULONG                       SameThreadApcFlags;
        struct
        {
            BOOLEAN                 LpcReceivedMsgIdValid   : 1;
            BOOLEAN                 LpcExitThreadCalled     : 1;
            BOOLEAN                 AddressSpaceOwner       : 1;
        };
    };
    BOOLEAN                         ForwardClusterOnly;
    BOOLEAN                         DisablePageFaultClustering;
} ETHREAD_XP, *PETHREAD_XP;

typedef struct _ETHREAD_2K3
{
    /*+0x000*/ KTHREAD_2K3        Tcb;
    union {
    /*+0x1c8*/    LARGE_INTEGER    CreateTime;
        struct
        {
    /*+0x1c8*/    ULONG            NestedFaultCount    : 2;
    /*+0x1c8*/    ULONG            ApcNeeded           : 1;
        };
    };
    union {
    /*+0x1d0*/ LARGE_INTEGER    ExitTime;
    /*+0x1d0*/ LIST_ENTRY        LpcReplyChain;
    /*+0x1d0*/ LIST_ENTRY        KeyedWaitChain;
    };
    union {
    /*+0x1d8*/ NTSTATUS            ExitStatus;
    /*+0x1d8*/ PVOID            OfsChain;
    };
    /*+0x1dc*/ LIST_ENTRY        PostBlockList;
    union {
    /*+0x1e4*/ PTERMINATION_PORT    TerminationPort;
    /*+0x1e4*/ PETHREAD_2K3        ReaperLink;
    /*+0x1e4*/ PVOID            KeyedWaitValue;
    };
    /*+0x1e8*/ KSPIN_LOCK        ActiveTimerListLock;
    /*+0x1ec*/ LIST_ENTRY        ActiveTimerListHead;
    /*+0x1f4*/ CLIENT_ID        Cid;
    union {
    /*+0x1fc*/ KSEMAPHORE        LpcReplySemaphore;
    /*+0x1fc*/ KSEMAPHORE        KeyedWaitSemaphore;
    };
    union {
    /*+0x210*/ PLPC_MESSAGE        LpcReplyMessage;
    /*+0x210*/ PVOID            LpcWaitingOnPort;
    };
    /*+0x214*/ PPS_IMPERSONATION_INFORMATION ImpersonationInfo;
    /*+0x218*/ LIST_ENTRY        IrpList;
    /*+0x220*/ ULONG            TopLevelIrp;
    /*+0x224*/ PDEVICE_OBJECT    DeviceToVerify;
    /*+0x228*/ PEPROCESS_2K3    ThreadsProcess;
    /*+0x22c*/ PKSTART_ROUTINE    StartAddress;
    union {
    /*+0x230*/ PVOID            Win32StartAddress;
    /*+0x230*/ ULONG            LpcReceivedMessageId;
    };
    /*+0x234*/ LIST_ENTRY        ThreadListEntry;
    /*+0x23c*/ EX_RUNDOWN_REF    RundownProtect;
    /*+0x240*/ EX_PUSH_LOCK        ThreadLock;
    /*+0x244*/ ULONG            LpcReplyMessageId;
    /*+0x248*/ ULONG            ReadClusterSize;
    /*+0x24c*/ ACCESS_MASK        GrantedAccess;
    union
    {
    /*+0x250*/ ULONG            CrossThreadFlags;
        struct
        {
            ULONG                   Terminated              : 1;
            ULONG                   DeadThread              : 1;
            ULONG                   HideFromDebugger        : 1;
            ULONG                   ActiveImpersonationInfo : 1;
            ULONG                   SystemThread            : 1;
            ULONG                   HardErrorsAreDisabled   : 1;
            ULONG                   BreakOnTermination      : 1;
            ULONG                   SkipCreationMsg         : 1;
            ULONG                   SkipTerminationMsg      : 1;
        };
    };
    union {
    /*+0x254*/ ULONG                       SameThreadPassiveFlags;
        struct
        {
            ULONG                   ActiveExWorker          : 1;
            ULONG                   ExWorkerCanWaitUser     : 1;
            ULONG                   MemoryMaker             : 1;
            ULONG                    KeyedEventInUse            :1;
        };
    };
    union {
    /*+0x258*/ ULONG                      SameThreadApcFlags;
        struct
        {
            BOOLEAN                 LpcReceivedMsgIdValid   : 1;
            BOOLEAN                 LpcExitThreadCalled     : 1;
            BOOLEAN                 AddressSpaceOwner       : 1;
        };
    };

    /*+0x25c*/ BOOLEAN            ForwardClusterOnly;
    /*+0x25d*/ BOOLEAN            DisablePageFaultClustering;
}ETHREAD_2K3,*PETHREAD_2K3;

typedef struct _KPROCESS_NT4
{
    DISPATCHER_HEADER   Header;
    LIST_ENTRY          ProfileListHead;
    ULONG               DirectoryTableBase[2];
    KGDTENTRY           LdtDescriptor;
    KIDTENTRY           Int21Descriptor;
    USHORT              IopmOffset;
    UCHAR               Iopl;
    UCHAR               VdmFlag;
    ULONG               ActiveProcessors;
    ULONG               KernelTime;
    ULONG               UserTime;
    LIST_ENTRY          ReadyListHead;  
    SINGLE_LIST_ENTRY   SwapListEntry;
    PVOID               Reserved1;
    LIST_ENTRY          ThreadListHead;
    KSPIN_LOCK          ProcessLock;
    KAFFINITY           Affinity;
    USHORT              StackCount;
    UCHAR               BasePriority;
    UCHAR               ThreadQuantum;
    BOOLEAN             AutoAlignment;
    UCHAR               State;
    UCHAR               ThreadSeed;
    BOOLEAN             DisableBoost;
} KPROCESS_NT4, *PKPROCESS_NT4;

typedef struct _KPROCESS_W2K
{
    DISPATCHER_HEADER   Header;
    LIST_ENTRY          ProfileListHead;
    ULONG               DirectoryTableBase[2];
    KGDTENTRY           LdtDescriptor;
    KIDTENTRY           Int21Descriptor;
    USHORT              IopmOffset;
    UCHAR               Iopl;
    UCHAR               VdmFlag;
    ULONG               ActiveProcessors;
    ULONG               KernelTime;
    ULONG               UserTime;
    LIST_ENTRY          ReadyListHead;  
    SINGLE_LIST_ENTRY   SwapListEntry;
    PVOID               Reserved1;
    LIST_ENTRY          ThreadListHead;
    KSPIN_LOCK          ProcessLock;
    KAFFINITY           Affinity;
    USHORT              StackCount;
    UCHAR               BasePriority;
    UCHAR               ThreadQuantum;
    BOOLEAN             AutoAlignment;
    UCHAR               State;
    UCHAR               ThreadSeed;
    BOOLEAN             DisableBoost;
    UCHAR               PowerState;
    BOOLEAN             DisableQuantum;
    UCHAR               IdealNode;
    UCHAR               Spare;
} KPROCESS_W2K, *PKPROCESS_W2K;

typedef struct _KPROCESS_XP
{
    /*+0x000*/ DISPATCHER_HEADER    Header;
    /*+0x010*/ LIST_ENTRY            ProfileListHead;
    /*+0x018*/ ULONG                DirectoryTableBase[2];
    /*+0x020*/ KGDTENTRY            LdtDescriptor;
    /*+0x028*/ KIDTENTRY            Int21Descriptor;
    /*+0x030*/ USHORT                IopmOffset;
    /*+0x032*/ UCHAR                Iopl;
    /*+0x033*/ UCHAR                Unused;
    /*+0x034*/ ULONG                ActiveProcessors;
    /*+0x038*/ ULONG                KernelTime;
    /*+0x03c*/ ULONG                UserTime;
    /*+0x040*/ LIST_ENTRY            ReadyListHead;
    /*+0x048*/ SINGLE_LIST_ENTRY    SwapListEntry;
    /*+0x04c*/ PVOID                VdmTrapcHandler;
    /*+0x050*/ LIST_ENTRY            ThreadListHead;
    /*+0x058*/ KSPIN_LOCK            ProcessLock;
    /*+0x05c*/ KAFFINITY            Affinity;
    /*+0x060*/ USHORT                StackCount;
    /*+0x062*/ CHAR                    BasePriority;
    /*+0x063*/ CHAR                    ThreadQuantum;
    /*+0x064*/ BOOLEAN                AutoAlignment;
    /*+0x065*/ UCHAR                State;
    /*+0x066*/ UCHAR                ThreadSeed;
    /*+0x067*/ BOOLEAN                DisableBoost;
    /*+0x068*/ UCHAR                PowerState;
    /*+0x069*/ BOOLEAN                DisableQuantum;
    /*+0x06a*/ UCHAR                IdealNode;
    /*+0x06b*/ UCHAR                Spare;
} KPROCESS_XP, *PKPROCESS_XP;

typedef struct _KPROCESS_2K3
{
    /*+0x000*/ DISPATCHER_HEADER    Header;
    /*+0x010*/ LIST_ENTRY            ProfileListHead;
    /*+0x018*/ ULONG                DirectoryTableBase[2];
    /*+0x020*/ KGDTENTRY            LdtDescriptor;
    /*+0x028*/ KIDTENTRY            Int21Descriptor;
    /*+0x030*/ USHORT                IopmOffset;
    /*+0x032*/ UCHAR                Iopl;
    /*+0x033*/ UCHAR                Unused;
    /*+0x034*/ ULONG                ActiveProcessors;
    /*+0x038*/ ULONG                KernelTime;
    /*+0x03c*/ ULONG                UserTime;
    /*+0x040*/ LIST_ENTRY            ReadyListHead;
    /*+0x048*/ SINGLE_LIST_ENTRY    SwapListEntry;
    /*+0x04c*/ PVOID                VdmTrapcHandler;
    /*+0x050*/ LIST_ENTRY            ThreadListHead;
    /*+0x058*/ KSPIN_LOCK            ProcessLock;
    /*+0x05c*/ KAFFINITY            Affinity;
    /*+0x060*/ USHORT                StackCount;
    /*+0x062*/ CHAR                    BasePriority;
    /*+0x063*/ CHAR                    ThreadQuantum;
    /*+0x064*/ BOOLEAN                AutoAlignment;
    /*+0x065*/ UCHAR                State;
    /*+0x066*/ UCHAR                ThreadSeed;
    /*+0x067*/ BOOLEAN                DisableBoost;
    /*+0x068*/ UCHAR                PowerState;
    /*+0x069*/ BOOLEAN                DisableQuantum;
    /*+0x06a*/ UCHAR                IdealNode;
    /*+0x06b*/ UCHAR                Spare;
}KPROCESS_2K3,*PKPROCESS_2K3;

typedef struct _EPROCESS_NT4
{
    KPROCESS_NT4                    Pcb;
    NTSTATUS                        ExitStatus;
    KEVENT                          LockEvent;
    ULONG                           LockCount;
    LARGE_INTEGER                   CreateTime;
    LARGE_INTEGER                   ExitTime;
    PKTHREAD_NT4                    LockOwner;
    ULONG                           UniqueProcessId;
    LIST_ENTRY                      ActiveProcessLinks;
    ULONGLONG                       QuotaPeakPoolUsage;
    ULONGLONG                       QuotaPoolUsage;
    ULONG                           PagefileUsage;
    ULONG                           CommitCharge;
    ULONG                           PeakPagefileUsage;
    ULONG                           PeakVirtualSize;
    ULONGLONG                       VirtualSize;
    MMSUPPORT_NT4                   Vm;
    ULONG                           LastProtoPteFault;
    ULONG                           DebugPort;
    ULONG                           ExceptionPort;
    PHANDLE_TABLE                   ObjectTable;
    PACCESS_TOKEN                   Token;
    FAST_MUTEX                      WorkingSetLock;
    ULONG                           WorkingSetPage;
    BOOLEAN                         ProcessOutswapEnabled;
    BOOLEAN                         ProcessOutswapped;
    BOOLEAN                         AddressSpaceInitialized;
    BOOLEAN                         AddressSpaceDeleted;
    FAST_MUTEX                      AddressCreationLock;
    KSPIN_LOCK                      HyperSpaceLock;
    PETHREAD_NT4                    ForkInProgress;
    USHORT                          VmOperation;
    BOOLEAN                         ForkWasSuccessful;
    UCHAR                           MmAgressiveWsTrimMask;
    PKEVENT                         VmOperationEvent;
    HARDWARE_PTE                    PageDirectoryPte;
    ULONG                           LastFaultCount;
    ULONG                           ModifiedPageCount;
    PVOID                           VadRoot;
    PVOID                           VadHint;
    ULONG                           CloneRoot;
    ULONG                           NumberOfPrivatePages;
    ULONG                           NumberOfLockedPages;
    USHORT                          NextPageColor;
    BOOLEAN                         ExitProcessCalled;
    BOOLEAN                         CreateProcessReported;
    HANDLE                          SectionHandle;
    PPEB                            Peb;
    PVOID                           SectionBaseAddress;
    PEPROCESS_QUOTA_BLOCK           QuotaBlock;
    NTSTATUS                        LastThreadExitStatus;
    PPROCESS_WS_WATCH_INFORMATION   WorkingSetWatch;
    HANDLE                          Win32WindowStation;
    HANDLE                          InheritedFromUniqueProcessId;
    ACCESS_MASK                     GrantedAccess;
    ULONG                           DefaultHardErrorProcessing;
    PVOID                           LdtInformation;
    PVOID                           VadFreeHint;
    PVOID                           VdmObjects;
    KMUTANT                         ProcessMutant;
    UCHAR                           ImageFileName[16];
    ULONG                           VmTrimFaultValue;
    UCHAR                           SetTimerResolution;
    UCHAR                           PriorityClass;
    union
    {
        struct
        {
            UCHAR                   SubSystemMinorVersion;
            UCHAR                   SubSystemMajorVersion;
        };
        USHORT                      SubSystemVersion;
    };
    PVOID                           Win32Process;
} EPROCESS_NT4, *PEPROCESS_NT4;

typedef struct _EPROCESS_W2K
{
    KPROCESS_W2K                    Pcb;
    NTSTATUS                        ExitStatus;
    KEVENT                          LockEvent;
    ULONG                           LockCount;
    LARGE_INTEGER                   CreateTime;
    LARGE_INTEGER                   ExitTime;
    PKTHREAD_W2K                    LockOwner;
    ULONG                           UniqueProcessId;
    LIST_ENTRY                      ActiveProcessLinks;
    ULONGLONG                       QuotaPeakPoolUsage;
    ULONGLONG                       QuotaPoolUsage;
    ULONG                           PagefileUsage;
    ULONG                           CommitCharge;
    ULONG                           PeakPagefileUsage;
    ULONG                           PeakVirtualSize;
    ULONGLONG                       VirtualSize;
    MMSUPPORT_W2K                   Vm;
    LIST_ENTRY                      SessionProcessLinks;
    ULONG                           DebugPort;
    ULONG                           ExceptionPort;
    PHANDLE_TABLE                   ObjectTable;
    PACCESS_TOKEN                   Token;
    FAST_MUTEX                      WorkingSetLock;
    ULONG                           WorkingSetPage;
    BOOLEAN                         ProcessOutswapEnabled;
    BOOLEAN                         ProcessOutswapped;
    BOOLEAN                         AddressSpaceInitialized;
    BOOLEAN                         AddressSpaceDeleted;
    FAST_MUTEX                      AddressCreationLock;
    KSPIN_LOCK                      HyperSpaceLock;
    PETHREAD_W2K                    ForkInProgress;
    USHORT                          VmOperation;
    BOOLEAN                         ForkWasSuccessful;
    UCHAR                           MmAgressiveWsTrimMask;
    PKEVENT                         VmOperationEvent;
    PVOID                           PaeTop;
    ULONG                           LastFaultCount;
    ULONG                           ModifiedPageCount;
    PVOID                           VadRoot;
    PVOID                           VadHint;
    ULONG                           CloneRoot;
    ULONG                           NumberOfPrivatePages;
    ULONG                           NumberOfLockedPages;
    USHORT                          NextPageColor;
    BOOLEAN                         ExitProcessCalled;
    BOOLEAN                         CreateProcessReported;
    HANDLE                          SectionHandle;
    PPEB                            Peb;
    PVOID                           SectionBaseAddress;
    PEPROCESS_QUOTA_BLOCK           QuotaBlock;
    NTSTATUS                        LastThreadExitStatus;
    PPROCESS_WS_WATCH_INFORMATION   WorkingSetWatch;
    HANDLE                          Win32WindowStation;
    HANDLE                          InheritedFromUniqueProcessId;
    ACCESS_MASK                     GrantedAccess;
    ULONG                           DefaultHardErrorProcessing;
    PVOID                           LdtInformation;
    PVOID                           VadFreeHint;
    PVOID                           VdmObjects;
    PDEVICE_MAP                     DeviceMap;
    ULONG                           SessionId;
    LIST_ENTRY                      PhysicalVadList;
    HARDWARE_PTE                    PageDirectoryPte;
    ULONG                           Filler;
    ULONG                           PaePageDirectoryPage;
    UCHAR                           ImageFileName[16];
    ULONG                           VmTrimFaultValue;
    UCHAR                           SetTimerResolution;
    UCHAR                           PriorityClass;
    union
    {
        struct
        {
            UCHAR                   SubSystemMinorVersion;
            UCHAR                   SubSystemMajorVersion;
        };
        USHORT                      SubSystemVersion;
    };
    PVOID                           Win32Process;
    PEJOB                           Job;
    ULONG                           JobStatus;
    LIST_ENTRY                      JobLinks;
    PVOID                           LockedPageList;
    PVOID                           SecurityPort;
    PWOW64_PROCESS                  Wow64Process;
    LARGE_INTEGER                   ReadOperationCount;
    LARGE_INTEGER                   WriteOperationCount;
    LARGE_INTEGER                   OtherOperationCount;
    LARGE_INTEGER                   ReadTransferCount;
    LARGE_INTEGER                   WriteTransferCount;
    LARGE_INTEGER                   OtherTransferCount;
    ULONG                           CommitChargeLimit;
    ULONG                           CommitChargePeek;
    LIST_ENTRY                      ThreadListHead;
    PRTL_BITMAP                     VadPhysicalPagesBitMap;
    ULONG                           VadPhysicalPages;
    ULONG                           AweLock;
} EPROCESS_W2K, *PEPROCESS_W2K;

typedef struct _EPROCESS_XP
{
    KPROCESS_XP                     Pcb;
    EX_PUSH_LOCK                    ProcessLock;
    LARGE_INTEGER                   CreateTime;
    LARGE_INTEGER                   ExitTime;
    EX_RUNDOWN_REF                  RundownProtect;
    PVOID                           UniqueProcessId;
    LIST_ENTRY                      ActiveProcessLinks;
    ULONG                           QuotaUsage[3];
    ULONG                           QuotaPeak[3];
    ULONG                           CommitCharge;
    ULONG                           PeakVirtualSize;
    ULONG                           VirtualSize;
    LIST_ENTRY                      SessionProcessLinks;
    PVOID                           DebugPort;
    PVOID                           ExceptionPort;
    PHANDLE_TABLE                   ObjectTable;
    EX_FAST_REF                     Token;
    FAST_MUTEX                      WorkingSetLock;
    ULONG                           WorkingSetPage;
    FAST_MUTEX                      AddressCreationLock;
    KSPIN_LOCK                      HyperSpaceLock;
    PETHREAD_XP                     ForkInProgress;
    ULONG                           HardwareTrigger;
    PVOID                           VadRoot;
    PVOID                           VadHint;
    PVOID                           CloneRoot;
    ULONG                           NumberOfPrivatePages;
    ULONG                           NumberOfLockedPages;
    PVOID                           Win32Process;
    PEJOB                           Job;
    PSECTION_OBJECT                 SectionObject;
    PVOID                           SectionBaseAddress;
    PEPROCESS_QUOTA_BLOCK           QuotaBlock;
    PPAGEFAULT_HISTORY              WorkingSetWatch;
    PVOID                           Win32WindowStation;
    PVOID                           InheritedFromUniqueProcessId;
    PVOID                           LdtInformation;
    PVOID                           VadFreeHint;
    PVOID                           VdmObjects;
    PDEVICE_MAP                     DeviceMap;
    LIST_ENTRY                      PhysicalVadList;
    union
    {
        HARDWARE_PTE                PageDirectoryPte;
        ULONGLONG                   Filler;
    };
    PVOID                           Session;
    UCHAR                           ImageFileName[16];
    LIST_ENTRY                      JobLinks;
    PVOID                           LockedPageList;
    LIST_ENTRY                      ThreadListHead;
    PVOID                           SecurityPort;
    PVOID                           PaeTop;
    ULONG                           ActiveThreads;
    ULONG                           GrantedAccess;
    ULONG                           DefaultHardErrorProcessing;
    NTSTATUS                        LastThreadExitStatus;
    PPEB                            Peb;
    EX_FAST_REF                     PrefetchTrace;
    LARGE_INTEGER                   ReadOperationCount;
    LARGE_INTEGER                   WriteOperationCount;
    LARGE_INTEGER                   OtherOperationCount;
    LARGE_INTEGER                   ReadTransferCount;
    LARGE_INTEGER                   WriteTransferCount;
    LARGE_INTEGER                   OtherTransferCount;
    ULONG                           CommitChargeLimit;
    ULONG                           CommitChargePeek;
    PVOID                           AweInfo;
    SE_AUDIT_PROCESS_CREATION_INFO  SeAuditProcessCreationInfo;
    MMSUPPORT_XP                    Vm;
    ULONG                           LastFaultCount;
    ULONG                           ModifiedPageCount;
    ULONG                           NumberOfVads;
    ULONG                           JobStatus;
    union
    {
        ULONG                       Flags;
        struct
        {
            ULONG                   CreateReported              : 1;
            ULONG                   NoDebugInherit              : 1;
            ULONG                   ProcessExiting              : 1;
            ULONG                   ProcessDelete               : 1;
            ULONG                   Wow64SplitPages             : 1;
            ULONG                   VmDeleted                   : 1;
            ULONG                   OutswapEnabled              : 1;
            ULONG                   Outswapped                  : 1;
            ULONG                   ForkFailed                  : 1;
            ULONG                   HasPhysicalVad              : 1;
            ULONG                   AddressSpaceInitialized     : 2;
            ULONG                   SetTimerResolution          : 1;
            ULONG                   BreakOnTermination          : 1;
            ULONG                   SessionCreationUnderway     : 1;
            ULONG                   WriteWatch                  : 1;
            ULONG                   ProcessInSession            : 1;
            ULONG                   OverrideAddressSpace        : 1;
            ULONG                   HasAddressSpace             : 1;
            ULONG                   LaunchPrefetched            : 1;
            ULONG                   InjectInpageErrors          : 1;
            ULONG                   Unused                      : 11;
        };
    };
    NTSTATUS                        ExitStatus;
    USHORT                          NextPageColor;
    union
    {
        struct
        {
            UCHAR                   SubSystemMinorVersion;
            UCHAR                   SubSystemMajorVersion;
        };
        USHORT                      SubSystemVersion;
    };
    UCHAR                           PriorityClass;
    BOOLEAN                         WorkingSetAcquiredUnsafe;
} EPROCESS_XP, *PEPROCESS_XP;

typedef struct _EPROCESS_2K3
{
    /*+0x000*/ KPROCESS_2K3            Pcb;
    /*+0x06c*/ EX_PUSH_LOCK            ProcessLock;
    /*+0x070*/ LARGE_INTEGER        CreateTime;
    /*+0x078*/ LARGE_INTEGER        ExitTime;
    /*+0x080*/ EX_RUNDOWN_REF        RundownProtect;
    /*+0x084*/ PVOID                UniqueProcessId;
    /*+0x088*/ LIST_ENTRY            ActiveProcessLinks;
    /*+0x090*/ ULONG                QuotaUsage[3];
    /*+0x09c*/ ULONG                QuotaPeak[3];
    /*+0x0a8*/ ULONG                CommitCharge;
    /*+0x0ac*/ ULONG                PeakVirtualSize;
    /*+0x0b0*/ ULONG                VirtualSize;
    /*+0x0b4*/ LIST_ENTRY            SessionProcessLinks;
    /*+0x0bc*/ PVOID                DebugPort;
    /*+0x0c0*/ PVOID                ExceptionPort;
    /*+0x0c4*/ PHANDLE_TABLE        ObjectTable;
    /*+0x0c8*/ EX_FAST_REF            Token;
    /*+0x0cc*/ ULONG                WorkingSetPage;
    /*+0x0d0*/ KGUARDED_MUTEX        AddressCreationLock;
    /*+0x0f0*/ KSPIN_LOCK            HyperSpaceLock;
    /*+0x0f4*/ PETHREAD_2K3            ForkInProgress;
    /*+0x0f8*/ ULONG                HardwareTrigger;
    /*+0x0fc*/ PMM_AVL_TABLE        PhysicalVadRoot;
    /*+0x100*/ PVOID                CloneRoot;
    /*+0x104*/ ULONG                NumberOfPrivatePages;
    /*+0x108*/ ULONG                NumberOfLockedPages;
    /*+0x10c*/ PVOID                Win32Process;
    /*+0x110*/ PEJOB                Job;
    /*+0x114*/ PSECTION_OBJECT        SectionObject;
    /*+0x118*/ PVOID                SectionBaseAddress;
    /*+0x11c*/ PEPROCESS_QUOTA_BLOCK    QuotaBlock;
    /*+0x120*/ PPAGEFAULT_HISTORY    WorkingSetWatch;
    /*+0x124*/ PVOID                Win32WindowStation;
    /*+0x128*/ PVOID                InheritedFromUniqueProcessId;
    /*+0x12c*/ PVOID                LdtInformation;
    /*+0x130*/ PVOID                VadFreeHint;
    /*+0x134*/ PVOID                VdmObjects;
    /*+0x138*/ PVOID                DeviceMap; 
    /*+0x13c*/ PVOID                Spare0[3];
    union {
    /*+0x148*/HARDWARE_PTE                PageDirectoryPte;
    /*+0x148*/ULONGLONG                   Filler;
    };
    /*+0x150*/ PVOID                Session;
    /*+0x154*/ UCHAR                ImageFileName[16];
    /*+0x164*/ LIST_ENTRY            JobLinks;
    /*+0x16c*/ PVOID                LockedPagesList;
    /*+0x170*/ LIST_ENTRY            ThreadListHead;
    /*+0x178*/ PVOID                SecurityPort;
    /*+0x17c*/ PVOID                PaeTop;
    /*+0x180*/ ULONG                ActiveThreads;
    /*+0x184*/ ULONG                GrantedAccess;
    /*+0x188*/ ULONG                DefaultHardErrorProcessing;
    /*+0x18c*/ NTSTATUS                LastThreadExitStatus;
    /*+0x190*/ PPEB                    Peb;
    /*+0x194*/ EX_FAST_REF            PrefetchTrace;
    /*+0x198*/ LARGE_INTEGER        ReadOperationCount;
    /*+0x1a0*/ LARGE_INTEGER        WriteOperationCount;
    /*+0x1a8*/ LARGE_INTEGER        OtherOperationCount;
    /*+0x1b0*/ LARGE_INTEGER        ReadTransferCount;
    /*+0x1b8*/ LARGE_INTEGER        WriteTransferCount;
    /*+0x1c0*/ LARGE_INTEGER        OtherTransferCount;
    /*+0x1c8*/ ULONG                CommitChargeLimit;
    /*+0x1cc*/ ULONG                CommitChargePeak;
    /*+0x1d0*/ PVOID                AweInfo;
    /*+0x1d4*/ SE_AUDIT_PROCESS_CREATION_INFO SeAuditProcessCreationInfo;
    /*+0x1d8*/ MMSUPPORT_2K3        Vm;
    /*+0x238*/ LIST_ENTRY            MmProcessLinks;
    /*+0x240*/ ULONG                ModifiedPageCount;
    /*+0x244*/ ULONG                JobStatus;    
    union{
    /*+0x248*/ ULONG                Flags;
        struct{
    /*+0x248*/ ULONG                CreateReported        : 1;
    /*+0x248*/ ULONG                NoDebugInherit        : 1;
    /*+0x248*/ ULONG                ProcessExiting        : 1;
    /*+0x248*/ ULONG                ProcessDelete        : 1;
    /*+0x248*/ ULONG                Wow64SplitPages        : 1;
    /*+0x248*/ ULONG                VmDeleted            : 1;
    /*+0x248*/ ULONG                OutswapEnabled        : 1;
    /*+0x248*/ ULONG                Outswapped            : 1;
    /*+0x248*/ ULONG                ForkFailed            : 1;
    /*+0x248*/ ULONG                Wow64VaSpace4Gb        : 1;
    /*+0x248*/ ULONG                AddressSpaceInitialized :2;
    /*+0x248*/ ULONG                SetTimerResolution    : 1;
    /*+0x248*/ ULONG                BreakOnTermination    : 1;
    /*+0x248*/ ULONG                SessionCreationUnderway :1;
    /*+0x248*/ ULONG                WriteWatch            : 1;
    /*+0x248*/ ULONG                ProcessInSession    : 1;
    /*+0x248*/ ULONG                OverrideAddressSpace    : 1;
    /*+0x248*/ ULONG                HasAddressSpace        : 1;
    /*+0x248*/ ULONG                LaunchPrefetched    : 1;
    /*+0x248*/ ULONG                InjectInpageErrors    : 1;
    /*+0x248*/ ULONG                VmTopDown            : 1;
    /*+0x248*/ ULONG                ImageNotifyDone        : 1;
    /*+0x248*/ ULONG                PdeUpdateNeeded        : 1;
    /*+0x248*/ ULONG                VdmAllowed            : 1;
    /*+0x248*/ ULONG                Unused                : 7;
        };
    };
    /*+0x24c*/ NTSTATUS                ExitStatus;
    /*+0x250*/ USHORT                NextPageColor;
    union    {
        struct    {
    /*+0x252*/        UCHAR                   SubSystemMinorVersion;
    /*+0x253*/        UCHAR                   SubSystemMajorVersion;
        };
    /*+0x252*/    USHORT                      SubSystemVersion;
    };

    /*+0x254*/ UCHAR                PriorityClass;
    /*+0x258*/ MM_AVL_TABLE            VadRoot;
} EPROCESS_2K3, *PEPROCESS_2K3;
 
Подождите ...
Wait...
Пока на собственное сообщение не было ответов, его можно удалить.