//
// Executive Process (EPROCESS)
//
typedef struct _EPROCESS
{
KPROCESS Pcb;
EX_PUSH_LOCK ProcessLock;
LARGE_INTEGER CreateTime;
LARGE_INTEGER ExitTime;
EX_RUNDOWN_REF RundownProtect;
HANDLE UniqueProcessId;
LIST_ENTRY ActiveProcessLinks;
ULONG QuotaUsage[3];
ULONG QuotaPeak[3];
ULONG CommitCharge;
ULONG PeakVirtualSize;
ULONG VirtualSize;
LIST_ENTRY SessionProcessLinks;
PVOID DebugPort;
#if (NTDDI_VERSION >= NTDDI_LONGHORN)
union
{
PVOID ExceptionPortData;
ULONG ExceptionPortValue;
UCHAR ExceptionPortState:3;
};
#else
PVOID ExceptionPort;
#endif
PHANDLE_TABLE ObjectTable;
EX_FAST_REF Token;
ULONG WorkingSetPage;
#if (NTDDI_VERSION >= NTDDI_LONGHORN)
EX_PUSH_LOCK AddressCreationLock;
PETHREAD RotateInProgress;
#else
FAST_MUTEX AddressCreationLock;
// FIXME: FAST_MUTEX for XP, KGUARDED_MUTEX for 2K3
KSPIN_LOCK HyperSpaceLock;
#endif
PETHREAD ForkInProgress;
ULONG HardwareTrigger;
MM_AVL_TABLE PhysicalVadroot;
PVOID CloneRoot;
ULONG NumberOfPrivatePages;
ULONG NumberOfLockedPages;
PVOID *Win32Process;
struct _EJOB *Job;
PVOID SectionObject;
PVOID SectionBaseAddress;
PEPROCESS_QUOTA_BLOCK QuotaBlock;
PPAGEFAULT_HISTORY WorkingSetWatch;
PVOID Win32WindowStation;
HANDLE InheritedFromUniqueProcessId;
PVOID LdtInformation;
PVOID VadFreeHint;
PVOID VdmObjects;
PVOID DeviceMap;
#if (NTDDI_VERSION >= NTDDI_LONGHORN)
ULONG AlpcPagedPoolQuotaCache;
PVOID EtwDataSource;
PVOID FreeTebHint;
#else
PVOID Spare0[3];
#endif
union
{
HARDWARE_PTE_X86 PagedirectoryPte;
ULONGLONG Filler;
};
ULONG Session;
CHAR ImageFileName[16];
LIST_ENTRY JobLinks;
PVOID LockedPagesList;
LIST_ENTRY ThreadListHead;
PVOID SecurityPort;
PVOID PaeTop;
ULONG ActiveThreads;
#if (NTDDI_VERSION >= NTDDI_LONGHORN)
ULONG ImagePathHash;
#else
ACCESS_MASK GrantedAccess;
#endif
ULONG DefaultHardErrorProcessing;
NTSTATUS LastThreadExitStatus;
struct _PEB* Peb;
EX_FAST_REF PrefetchTrace;
LARGE_INTEGER ReadOperationCount;
LARGE_INTEGER WriteOperationCount;
LARGE_INTEGER OtherOperationCount;
LARGE_INTEGER ReadTransferCount;
LARGE_INTEGER WriteTransferCount;
LARGE_INTEGER OtherTransferCount;
ULONG CommitChargeLimit;
ULONG CommitChargePeak;
PVOID AweInfo;
SE_AUDIT_PROCESS_CREATION_INFO SeAuditProcessCreationInfo;
MMSUPPORT Vm;
LIST_ENTRY MmProcessLinks;
ULONG ModifiedPageCount;
#if (NTDDI_VERSION >= NTDDI_LONGHORN)
union
{
struct
{
ULONG JobNotReallyActive:1;
ULONG AccountingFolded:1;
ULONG NewProcessReported:1;
ULONG ExitProcessReported:1;
ULONG ReportCommitChanges:1;
ULONG LastReportMemory:1;
ULONG ReportPhysicalPageChanges:1;
ULONG HandleTableRundown:1;
ULONG NeedsHandleRundown:1;
ULONG RefTraceEnabled:1;
ULONG NumaAware:1;
ULONG ProtectedProcess:1;
ULONG DefaultPagePriority:3;
ULONG ProcessDeleteSelf:1;
ULONG ProcessVerifierTarget:1;
};
ULONG Flags2;
};
#else
ULONG JobStatus;
#endif
union
{
struct
{
ULONG CreateReported:1;
ULONG NoDebugInherit:1;
ULONG ProcessExiting:1;
ULONG ProcessDelete:1;
ULONG Wow64SplitPages:1;
ULONG VmDeleted:1;
ULONG OutswapEnabled:1;
ULONG Outswapped:1;
ULONG ForkFailed:1;
ULONG Wow64VaSpace4Gb:1;
ULONG AddressSpaceInitialized:2;
ULONG SetTimerResolution:1;
ULONG BreakOnTermination:1;
#if (NTDDI_VERSION >= NTDDI_LONGHORN)
ULONG DeprioritizeViews:1;
#else
ULONG SessionCreationUnderway:1;
#endif
ULONG WriteWatch:1;
ULONG ProcessInSession:1;
ULONG OverrideAddressSpace:1;
ULONG HasAddressSpace:1;
ULONG LaunchPrefetched:1;
ULONG InjectInpageErrors:1;
ULONG VmTopDown:1;
ULONG ImageNotifyDone:1;
ULONG PdeUpdateNeeded:1;
ULONG VdmAllowed:1;
ULONG SmapAllowed:1;
#if (NTDDI_VERSION >= NTDDI_LONGHORN)
ULONG ProcessInserted:1;
#else
ULONG CreateFailed:1;
#endif
ULONG DefaultIoPriority:3;
#if (NTDDI_VERSION >= NTDDI_LONGHORN)
ULONG SparePsFlags1:2;
#else
ULONG Spare1:1;
ULONG Spare2:1;
#endif
};
ULONG Flags;
};
NTSTATUS ExitStatus;
#if (NTDDI_VERSION >= NTDDI_LONGHORN)
USHORT Spare7;
#else
USHORT NextPageColor;
#endif
union
{
struct
{
UCHAR SubSystemMinorVersion;
UCHAR SubSystemMajorVersion;
};
USHORT SubSystemVersion;
};
UCHAR PriorityClass;
MM_AVL_TABLE VadRoot;
ULONG Cookie;
} EPROCESS, *PEPROCESS;
Documented By :
ReactOS
P.S : 이 EPROCESS 구조체는 Windows 버전에 따라서 호환이 될수도 있고, 안될수도 있습니다
[출처] EPROCESS 구조체.