
【转】 Windows XPSP2(build 2600)未公开的核心数据结构定义文件

热度:77   发布时间:2023-12-21 07:59:36.0

项目刚完, 比较空闲, 翻出以前写的一个DDK辅助定义文件, 自己命名为ntddkex.h, 主要给出xpsp2的未公开核心数据结构的定义(_EPROCESS etc.).
没法上传附件, 直接贴在下面:


// ntddkex.h

//
//
//  Author:      Eddy Zhang
//  Create Date:  2006/01/7
//  Contact:    eddyz@126.com
//  Usage:      Declares undocumented kernel data structures (Windows XP SP2, build 2600)
//
//


#ifndef _NTDDK_EX_
#define  _NTDDK_EX_

#include <ntddk.h>

#ifndef _KERNEL_2600_    // xp sp2
#define  _KERNEL_2600_

// Forward pointer typedefs so the structures below can name these types
// before the full definitions appear. _MMWSLE is never defined in this
// header (its draft definition is commented out), so PMMWSLE stays a
// pointer to an incomplete type and cannot be dereferenced.
typedef struct _KTHREAD*  PKTHREAD;
typedef struct _MMWSLE*    PMMWSLE;

//typedef struct _MMWSLE
//{
//  UINT32    FirstFree;
//  UINT32    FirstDynamic;
//  UINT32    LastEntry;
//  UINT32    NextSlot;
//  UINT32    LastInitialized;
//  UINT32    NonDirect;
//  PVOID    HashTable;
//  UINT32    HashTableSize;
//} MMWSLE;

// Segment descriptor entry: the low 16 bits of the limit and base, followed
// by HighWord, which carries the remaining base bytes and two packed
// attribute bytes. The attribute bits are not declared as bit-fields here;
// callers must mask Flags1/Flags2 using the bit positions listed below.
typedef struct   _KGDTENTRY
{
  USHORT    LimitLow;
  USHORT    BaseLow;
  struct 
  {
    UCHAR  BaseMid;
    UCHAR  Flags1;    // bit0-4 - Type
              // bit5-6 - Dpl
              // bit7    - Pres
    UCHAR  Flags2;    // bit0-3 - LimitHi
              // bit4   - Sys
              // bit5   - Reserved_0
              // bit6   - Default_Big
              // bit7   - Granularity
    UCHAR  BaseHi;
  } HighWord;
} KGDTENTRY, *PKGDTENTRY;

// Interrupt descriptor entry: four 16-bit words. Offset and ExtendedOffset
// presumably hold the low and high halves of the handler address (inferred
// from the names; confirm against the processor manual before relying on it).
typedef struct   _KIDTENTRY
{
  USHORT    Offset;
  USHORT    Selector;
  USHORT    Access;
  USHORT    ExtendedOffset;
} KIDTENTRY, *PKIDTENTRY;

// Per-process execute (DEP/NX) option bits, packed into one byte.
// NOTE(review): the original comment started at "bit0 - ExecuteEnable" and
// skipped bit2. The list below follows the public symbol layout, where
// ExecuteDisable is bit0 and the other flags sit one position higher.
// Confirm with the debugger's type dump for the target build before masking,
// because an off-by-one here inverts the meaning of a DEP policy check.
typedef struct _KEXECUTE_OPTIONS
{
  UCHAR    Value;    // bit0 - ExecuteDisable
              // bit1 - ExecuteEnable
              // bit2 - DisableThunkEmulation
              // bit3 - Permanent
              // bit4 - ExecuteDispatchEnable
              // bit5 - ImageDispatchEnable
              // bit6,7 - Spare
} KEXECUTE_OPTIONS;
  
// Kernel (scheduler-level) process block; embedded as the first member of
// EPROCESS in this header. The layout is specific to the build named in the
// enclosing guard (XP SP2, build 2600). On any other kernel the offsets
// differ, so field accesses through this definition touch the wrong memory.
typedef struct _KPROCESS
{
  DISPATCHER_HEADER  Header;
  LIST_ENTRY      ProfileListHead;
  UINT32        DirectoryTableBase[2];
  KGDTENTRY      LdtDescriptor;
  KIDTENTRY      Int21Descriptor;
  USHORT        IopmOffset;
  UCHAR        Iopl;
  UCHAR        Unused;
  ULONG        ActiveProcessors;
  ULONG        KernelTime;
  ULONG        UserTime;
  LIST_ENTRY      ReadyListHead;
  SINGLE_LIST_ENTRY  SwapListEntry;
  PVOID        VdmTrapcHandler;
  LIST_ENTRY      ThreadListHead;
  ULONG        ProcessLock;
  ULONG        Affinity;
  USHORT        StackCount;
  CHAR        BasePriority;
  CHAR        ThreadQuantum;
  UCHAR        AutoAlignment;
  UCHAR        State;
  UCHAR        ThreadSeed;
  UCHAR        DisableBoost;
  UCHAR        PowerState;
  UCHAR        DisableQuantum;
  UCHAR        IdealNode;
  // The same byte viewed either as the KEXECUTE_OPTIONS wrapper or as a raw
  // UCHAR; both members alias one another.
  union
  {
    KEXECUTE_OPTIONS  Flags; 
    UCHAR        ExecuteOptions;  
  };
} KPROCESS, *PKPROCESS;

// APC state block: two APC list heads, the owning process pointer and three
// one-byte status flags. KTHREAD embeds two of these (ApcState and
// SavedApcState) and points at them through ApcStatePointer[].
typedef struct _KAPC_STATE
{
   LIST_ENTRY      ApcListHead[2]; 
   PKPROCESS      Process;         
   UCHAR        KernelApcInProgress;
   UCHAR        KernelApcPending;
   UCHAR        UserApcPending;
} KAPC_STATE, *PKAPC_STATE;

// Kernel queue object: dispatcher header, the list of queued entries, the
// current and maximum counts, and the list of threads tied to the queue.
typedef struct _KQUEUE
{
  DISPATCHER_HEADER  Header;  
  LIST_ENTRY      EntryListHead;
  UINT32        CurrentCount;    
  UINT32        MaximumCount;    
  LIST_ENTRY      ThreadListHead; 
} KQUEUE, *PKQUEUE;

// One node of a singly linked chain of exception handler registrations:
// a pointer to the next record and an untyped handler pointer.
// Handler is a raw PVOID, so nothing here constrains where it points. Code
// that walks such a chain must validate each Next pointer before following it.
typedef struct _EXCEPTION_REGISTRATION_RECORD
{
  struct _EXCEPTION_REGISTRATION_RECORD  *Next;            
  PVOID                  Handler;         
} EXCEPTION_REGISTRATION_RECORD, *PEXCEPTION_REGISTRATION_RECORD;

// Saved x86 register state in the order this build stores it: debugger
// bookkeeping slots, debug registers Dr0-Dr7, segment and general registers,
// the exception list head, then Eip/SegCs/EFlags with the hardware-pushed
// Esp/Ss and the four V86 segment slots.
// NOTE(review): which trailing fields are valid presumably depends on the
// mode the trap came from (HardwareEsp/HardwareSegSs and the V86* slots).
// Confirm before reading them unconditionally.
typedef struct _KTRAP_FRAME
{
  UINT32              DbgEbp;          
  UINT32              DbgEip;          
  UINT32              DbgArgMark;      
  UINT32              DbgArgPointer;   
  UINT32              TempSegCs;       
  UINT32              TempEsp;        
  UINT32              Dr0;             
  UINT32              Dr1;             
  UINT32              Dr2;             
  UINT32              Dr3;             
  UINT32              Dr6;            
  UINT32              Dr7;             
  UINT32              SegGs;           
  UINT32              SegEs;           
  UINT32              SegDs;           
  UINT32              Edx;             
  UINT32              Ecx;             
  UINT32              Eax;             
  UINT32              PreviousPreviousMode;
  PEXCEPTION_REGISTRATION_RECORD  ExceptionList;
  UINT32              SegFs;           
  UINT32              Edi;             
  UINT32              Esi;             
  UINT32              Ebx;             
  UINT32              Ebp;             
  UINT32              ErrCode;         
  UINT32              Eip;             
  UINT32              SegCs;           
  UINT32              EFlags;          
  UINT32              HardwareEsp;     
  UINT32              HardwareSegSs;   
  UINT32              V86Es;           
  UINT32              V86Ds;           
  UINT32              V86Fs;           
  UINT32              V86Gs;           
} KTRAP_FRAME, *PKTRAP_FRAME;

// Kernel (scheduler-level) thread block; embedded as the first member (Tcb)
// of ETHREAD in this header. The layout is specific to XP SP2 build 2600.
// The structure is opaque to drivers, and any offset taken from it must be
// re-verified against the symbols of the kernel actually running.
typedef struct _KTHREAD
{
  DISPATCHER_HEADER  Header;
  LIST_ENTRY      MutantListHead;
  PVOID        InitialStack;
  PVOID        StackLimit;     
  PVOID        Teb;            
  PVOID        TlsArray;       
  PVOID        KernelStack;    
  UCHAR        DebugActive;    
  UCHAR        State;          
  UCHAR        Alerted[2];     
  UCHAR        Iopl;           
  UCHAR        NpxState;       
  CHAR        Saturation;      
  CHAR        Priority;        
  KAPC_STATE      ApcState;  
  UINT32        ContextSwitches;
  UCHAR        IdleSwapBlock;   
  UCHAR        Spare0[3];       
  INT32        WaitStatus;      
  UCHAR        WaitIrql;        
  CHAR        WaitMode;        
  UCHAR        WaitNext;        
  UCHAR        WaitReason;      
  PKWAIT_BLOCK    WaitBlockList;
  // Overlaid list linkage: the two members share the same storage.
  union
  {
    LIST_ENTRY        WaitListEntry;  
    SINGLE_LIST_ENTRY    SwapListEntry; 
  };
  UINT32        WaitTime;      
  CHAR        BasePriority;    
  UCHAR        DecrementCount; 
  CHAR        PriorityDecrement;
  CHAR        Quantum;         
  KWAIT_BLOCK      WaitBlock[4];
  PVOID        LegoData;        
  UINT32        KernelApcDisable;
  UINT32        UserAffinity;    
  UCHAR        SystemAffinityActive;
  UCHAR        PowerState;      
  UCHAR        NpxIrql;         
  UCHAR        InitialNode;     
  PVOID        ServiceTable;    
  PKQUEUE        Queue;         
  UINT32        ApcQueueLock;   
  KTIMER        Timer;          
  LIST_ENTRY      QueueListEntry; 
  UINT32        SoftAffinity;    
  UINT32        Affinity;        
  UCHAR        Preempted;        
  UCHAR        ProcessReadyQueue;
  UCHAR        KernelStackResident;
  UCHAR        NextProcessor;   
  PVOID        CallbackStack;   
  PVOID        Win32Thread;     
  PKTRAP_FRAME    TrapFrame;
  PKAPC_STATE      ApcStatePointer[2];
  CHAR        PreviousMode;    
  UCHAR        EnableStackSwap;
  UCHAR        LargeStack;     
  UCHAR        ResourceIndex;  
  UINT32        KernelTime;    
  UINT32        UserTime;      
  KAPC_STATE      SavedApcState; 
  UCHAR        Alertable;       
  UCHAR        ApcStateIndex;   
  UCHAR        ApcQueueable;    
  UCHAR        AutoAlignment;   
  PVOID        StackBase;       
  KAPC        SuspendApc;      
  KSEMAPHORE      SuspendSemaphore;
  LIST_ENTRY      ThreadListEntry; 
  CHAR        FreezeCount;     
  CHAR        SuspendCount;    
  UCHAR        IdealProcessor; 
  UCHAR        DisableBoost; 
} KTHREAD;

// Node of a singly linked list of termination ports: a link to the next node
// and an untyped port pointer.
typedef struct _TERMINATION_PORT
{
   struct _TERMINATION_PORT *Next;           
   PVOID          Port;            
}TERMINATION_PORT, *PTERMINATION_PORT;

// Impersonation record: the token pointer, two one-byte flags and the
// impersonation level. The Token field is security-sensitive. Obtain or
// change a thread's impersonation token only through the documented
// security reference routines, never by writing this field directly.
typedef struct _PS_IMPERSONATION_INFORMATION
{
   PVOID            Token;           
   UCHAR            CopyOnOpen;      
   UCHAR            EffectiveOnly;   
   SECURITY_IMPERSONATION_LEVEL  ImpersonationLevel;
} PS_IMPERSONATION_INFORMATION, *PPS_IMPERSONATION_INFORMATION;

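// Run-down protection reference. Count and Ptr are two views of ONE
// pointer-sized word, so they share storage through an anonymous union,
// the same overlay EX_PUSH_LOCK in this header uses for Value/Ptr.
// Declared as consecutive members the type was 8 bytes instead of 4, which
// pushed every field after RundownProtect in ETHREAD and EPROCESS four bytes
// too far. In kernel mode that means reading or writing unrelated memory.
// The struct tag and member names are unchanged, so existing accesses
// (ref.Count, ref.Ptr) still compile. Worth pinning in a build with
// C_ASSERT(sizeof(EX_RUNDOWN_REF) == sizeof(PVOID)).
typedef struct _EX_RUNDOWN_REF
{
  union
  {
    UINT32        Count;
    PVOID        Ptr;
  };
} EX_RUNDOWN_REF, *PEX_RUNDOWN_REF;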

// Push lock: a single pointer-sized word viewed either as a packed integer
// (bit layout listed on Value) or as a pointer. Both members alias the same
// storage because this is a union.
typedef union _EX_PUSH_LOCK
{     
   UINT32        Value;    // bit0 -  Waiting
                  // bit1 - Exclusive
                  // bit2-31 - Shared
   PVOID        Ptr;            
} EX_PUSH_LOCK;

// Executive thread object as laid out by the author for XP SP2 build 2600.
// The structure is opaque and undocumented, and its offsets change between
// builds and service packs. Verify every offset you depend on against the
// target kernel's symbols, and pin it with C_ASSERT(FIELD_OFFSET(...)) so a
// mismatch fails at compile time rather than corrupting kernel memory.
// NOTE(review): three members look wider here than in the public symbol
// layout for this build, which would shift every later field:
//   - TerminationPort is embedded by value, while the other members of its
//     union are pointers; the symbols reportedly give a pointer type.
//   - ImpersonationInfo is embedded by value; reportedly a pointer as well.
//   - RundownProtect is only pointer-sized if EX_RUNDOWN_REF overlays its
//     Count and Ptr members.
// Confirm each against a type dump before trusting any field that follows.
typedef struct _ETHREAD
{
  KTHREAD            Tcb;             
  LARGE_INTEGER        CreateTime;    // bit0-1 - NestedFaultCount   
                           // bit2 - ApcNeeded      
  union
  {
    LARGE_INTEGER      ExitTime;        
    LIST_ENTRY        LpcReplyChain;   
    LIST_ENTRY        KeyedWaitChain; 
  };
  union
  {
    INT32          ExitStatus;      
    PVOID          OfsChain;   
  };   
  LIST_ENTRY          PostBlockList;
  union
  {
    TERMINATION_PORT    TerminationPort; 
    struct _ETHREAD*    ReaperLink;      
    PVOID          KeyedWaitValue;  
  };
  UINT32            ActiveTimerListLock;
  LIST_ENTRY          ActiveTimerListHead;
  CLIENT_ID          Cid;
  union
  {
    KSEMAPHORE        LpcReplySemaphore;
    KSEMAPHORE        KeyedWaitSemaphore;
  };
  union
  {
    PVOID          LpcReplyMessage; 
    PVOID          LpcWaitingOnPort;
  };
  PS_IMPERSONATION_INFORMATION ImpersonationInfo;
  LIST_ENTRY          IrpList;         
  UINT32            TopLevelIrp;    
  PDEVICE_OBJECT        DeviceToVerify; 
  PEPROCESS          ThreadsProcess; 
  PVOID            StartAddress;
  union
  {
    PVOID          Win32StartAddress;
    UINT32          LpcReceivedMessageId;
  };
  LIST_ENTRY          ThreadListEntry; 
  EX_RUNDOWN_REF        RundownProtect;
  EX_PUSH_LOCK          ThreadLock;      
  UINT32            LpcReplyMessageId;
  UINT32            ReadClusterSize; 
  UINT32            GrantedAccess;   
  // The three flag words below are plain integers, not bit-fields; mask them
  // with the bit positions listed.
  UINT32            CrossThreadFlags;      // bit0 - Terminated      
                                // bit1 - DeadThread      
                                 // bit2 - HideFromDebugger
                                 // bit3 - ActiveImpersonationInfo
                                 // bit4 - SystemThread    
                                 // bit5 - HardErrorsAreDisabled
                                 // bit6 - BreakOnTermination
                                 // bit7 - SkipCreationMsg 
                                 // bit8 - SkipTerminationMsg
  UINT32            SameThreadPassiveFlags;    // bit0 - ActiveExWorker;                                   
                                 // bit1 - ExWorkerCanWaitUser;
                                 // bit2 - MemoryMaker;     
  UINT32            SameThreadApcFlags;      // bit0 - LpcReceivedMsgIdValid;
                                 // bit1 - LpcExitThreadCalled;
                                 // bit2 - AddressSpaceOwner;
  UCHAR            ForwardClusterOnly;
  UCHAR            DisablePageFaultClustering;
} ETHREAD;

// A SID pointer paired with its 32-bit attribute flags.
// NOTE(review): other DDK headers may already declare this type; if the
// build reports a redefinition, drop this copy rather than the system one.
typedef struct _SID_AND_ATTRIBUTES
{
    PSID      Sid;
    UINT32      Attributes;
} SID_AND_ATTRIBUTES, * PSID_AND_ATTRIBUTES;

// Job token filter: three captured arrays (SIDs, groups, privileges), each
// described by an element count, a pointer and a length field.
// NOTE(review): the *Length fields are presumably byte lengths of the
// captured buffers. Confirm this, and bound any walk by the count, not the
// length.
typedef struct _PS_JOB_TOKEN_FILTER
{
  UINT32          CapturedSidCount;
  PSID_AND_ATTRIBUTES    CapturedSids;   
  UINT32          CapturedSidsLength;
  UINT32          CapturedGroupCount;
  PSID_AND_ATTRIBUTES    CapturedGroups;
  UINT32          CapturedGroupsLength;
  UINT32          CapturedPrivilegeCount;
  PLUID_AND_ATTRIBUTES  CapturedPrivileges;
  UINT32          CapturedPrivilegesLength;
} PS_JOB_TOKEN_FILTER, *PPS_JOB_TOKEN_FILTER;

// Executive job object for XP SP2 build 2600: synchronization event and
// list linkage, accumulated time and process counters, the configured
// limits, the security token and filter, completion-port notification
// fields, I/O counters and memory-limit accounting.
// The layout is build-specific; EPROCESS reaches it through its Job pointer.
typedef struct _EJOB
{
  KEVENT          Event;    
  LIST_ENTRY        JobLinks;       
  LIST_ENTRY        ProcessListHead;
  ERESOURCE        JobLock;         
  LARGE_INTEGER      TotalUserTime;   
  LARGE_INTEGER      TotalKernelTime;
  LARGE_INTEGER      ThisPeriodTotalUserTime;
  LARGE_INTEGER      ThisPeriodTotalKernelTime;
  UINT32          TotalPageFaultCount;
  UINT32          TotalProcesses;  
  UINT32          ActiveProcesses; 
  UINT32          TotalTerminatedProcesses;
  LARGE_INTEGER      PerProcessUserTimeLimit;
  LARGE_INTEGER      PerJobUserTimeLimit;
  UINT32          LimitFlags;     
  UINT32          MinimumWorkingSetSize;
  UINT32          MaximumWorkingSetSize;
  UINT32          ActiveProcessLimit;
  UINT32          Affinity;       
  // A lone UCHAR followed by a UINT32: the compiler inserts three bytes of
  // padding here under default packing.
  UCHAR          PriorityClass;   
  UINT32          UIRestrictionsClass;
  UINT32          SecurityLimitFlags;
  PVOID          Token;           
  PPS_JOB_TOKEN_FILTER  Filter;          
  UINT32          EndOfJobTimeAction;
  PVOID          CompletionPort;  
  PVOID          CompletionKey;   
  UINT32          SessionId;      
  UINT32          SchedulingClass;
  UINT64          ReadOperationCount;
  UINT64          WriteOperationCount;
  UINT64          OtherOperationCount;
  UINT64          ReadTransferCount;
  UINT64          WriteTransferCount;
  UINT64          OtherTransferCount;
  IO_COUNTERS        IoInfo;         
  UINT32          ProcessMemoryLimit;
  UINT32          JobMemoryLimit; 
  UINT32          PeakProcessMemoryUsed;
  UINT32          PeakJobMemoryUsed;
  UINT32          CurrentJobMemoryUsed;
  FAST_MUTEX        MemoryLimitsLock;
  LIST_ENTRY        JobSetLinks;     
  UINT32          MemberLevel;     
  UINT32          JobFlags;        
} EJOB, *PEJOB;

// One quota accounting record: four 32-bit counters (current usage, limit,
// peak, and an amount named Return).
typedef struct _EPROCESS_QUOTA_ENTRY
{
  UINT32    Usage;           
  UINT32    Limit;           
  UINT32    Peak;            
  UINT32    Return;          
} EPROCESS_QUOTA_ENTRY, *PEPROCESS_QUOTA_ENTRY;

// Quota block shared through EPROCESS.QuotaBlock: a quota entry, list
// linkage, and reference and process counts.
// NOTE(review): EPROCESS tracks three quota classes (QuotaUsage[3],
// QuotaPeak[3]), and the public symbol layout reportedly declares QuotaEntry
// as an array with one entry per class. With a single entry, QuotaList and
// the counters land too early. Confirm before dereferencing past QuotaEntry.
typedef struct _EPROCESS_QUOTA_BLOCK
{
  EPROCESS_QUOTA_ENTRY QuotaEntry;
  LIST_ENTRY  QuotaList;   
  UINT32    ReferenceCount;  
  UINT32    ProcessCount;    
} EPROCESS_QUOTA_BLOCK, *PEPROCESS_QUOTA_BLOCK;

// Page-fault history buffer header followed by its records.
// WatchInfo is declared with one element. It is presumably a variable-length
// tail whose real element count is bounded by MaxIndex (to be confirmed).
// Never index it from sizeof(PAGEFAULT_HISTORY) alone.
typedef struct _PAGEFAULT_HISTORY
{
  UINT32              CurrentIndex;   
  UINT32              MaxIndex;       
  UINT32              SpinLock;       
  PVOID              Reserved;        
  PROCESS_WS_WATCH_INFORMATION    WatchInfo[1];    
} PAGEFAULT_HISTORY, *PPAGEFAULT_HISTORY;

// 32-bit x86 page-table entry held as one integer; the flag bits and the
// 20-bit page frame number are extracted by masking, per the list below.
// This is the 4-byte (non-PAE) entry format. EPROCESS overlays it with a
// UINT64 Filler, so only the low 32 bits are described here.
typedef struct _HARDWARE_PTE_X86
{
  UINT32    Value;    // bit0 - Valid           
              // bit1 - Write           
              // bit2 - Owner           
              // bit3 - WriteThrough    
              // bit4 - CacheDisable    
              // bit5 - Accessed        
              // bit6 - Dirty           
              // bit7 - LargePage       
              // bit8 - Global          
              // bit9 - CopyOnWrite     
              // bit10 - Prototype       
              // bit11 - reserved        
              // bit12-31 - PageFrameNumber 
} HARDWARE_PTE_X86;

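// Fast reference: ONE pointer-sized word in which the low three bits carry a
// small reference count and the remaining bits are the object pointer. Object
// and Value are therefore two views of the same storage and must overlap.
// Declared as consecutive members the type was 8 bytes instead of 4, which
// moved every EPROCESS field after Token four bytes too far.
// Mask off the low three bits of Object before using it as a pointer. A
// consumer that forgets the mask dereferences a misaligned address.
// The struct tag and member names are unchanged, so existing accesses
// (ref.Object, ref.Value) still compile.
typedef struct _EX_FAST_REF
{
  union
  {
    PVOID    Object;
    UINT32    Value;    //bit0-2 - RefCnt
  };
} EX_FAST_REF, *PEX_FAST_REF;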

// Audit information captured at process creation: a single pointer to the
// image file's object-name record. The pointer may be NULL or stale for a
// process that is exiting, so check it before reading the name.
typedef struct _SE_AUDIT_PROCESS_CREATION_INFO
{
   POBJECT_NAME_INFORMATION ImageFileName;
} SE_AUDIT_PROCESS_CREATION_INFO;

// Working-set support flags packed into one 32-bit word; not declared as
// bit-fields, so mask Value with the positions listed below.
typedef struct _MMSUPPORT_FLAGS
{
  UINT32    Value;    // bit0 - SessionSpace  
              // bit1 - BeingTrimmed  
              // bit2 - SessionLeader 
              // bit3 - TrimHard      
              // bit4 - WorkingSetHard
              // bit5 - AddressSpaceBeingDeleted
              // bit6-15 - Available    
              // bit16-23 - AllowWorkingSetAdjustment
              // bit24-31 - MemoryPriority
} MMSUPPORT_FLAGS;

// One working-set hash table slot: a key pointer and the 32-bit index it
// maps to.
typedef struct _MMWSLE_HASH
{
  PVOID    Key;             
  UINT32    Index;          
} MMWSLE_HASH, *PMMWSLE_HASH;

// Working-set list header: bookkeeping indices, the entry array pointer
// (Wsle, an incomplete type in this header), the hash table description and
// page-table usage tracking.
// NOTE(review): the two trailing arrays are overlaid in a union here, yet
// they have different sizes (1536 USHORTs vs 48 UINT32s) and different
// meanings, which suggests they are consecutive members in the real layout.
// Confirm against a type dump before reading CommittedPageTables.
typedef struct _MMWSL
{
  UINT32      Quota;           
  UINT32      FirstFree;       
  UINT32      FirstDynamic;    
  UINT32      LastEntry;       
  UINT32      NextSlot;        
  PMMWSLE      Wsle;           
  UINT32      LastInitializedWsle;
  UINT32      NonDirectCount;  
  PMMWSLE_HASH  HashTable; 
  UINT32      HashTableSize;   
  UINT32      NumberOfCommittedPageTables;
  PVOID      HashTableStart;  
  PVOID      HighestPermittedHashAddress;
  UINT32      NumberOfImageWaiters;
  UINT32      VadBitMapHint;
  union
  {
    USHORT    UsedPageTableEntries[1536];
    UINT32    CommittedPageTables[48];
  };
} MMWSL, *PMMWSL;

// Per-address-space working-set state, embedded in EPROCESS as Vm: last trim
// time, flags, fault and size counters, the working-set list pointer, list
// linkage and the trimmer's estimation fields.
typedef struct _MMSUPPORT
{
  LARGE_INTEGER    LastTrimTime;
  MMSUPPORT_FLAGS    Flags;    
  UINT32        PageFaultCount;  
  UINT32        PeakWorkingSetSize;
  UINT32        WorkingSetSize;  
  UINT32        MinimumWorkingSetSize;
  UINT32        MaximumWorkingSetSize;
  PMMWSL        VmWorkingSetList;
  LIST_ENTRY      WorkingSetExpansionLinks;
  UINT32        Claim;           
  UINT32        NextEstimationSlot;
  UINT32        NextAgingSlot;   
  UINT32        EstimatedAvailable;
  UINT32        GrowthSinceLastEstimate;
} MMSUPPORT;

// One handle-trace record: the acting client id, the handle value, an
// operation type and stack-trace data.
// NOTE(review): StackTrace is a single PVOID here. The public symbol layout
// reportedly stores an inline array of return addresses instead, which
// would make each record larger and change the stride of
// HANDLE_TRACE_DEBUG_INFO.TraceDb. Confirm before iterating the database.
typedef struct _HANDLE_TRACE_DB_ENTRY
{
  CLIENT_ID      ClientId;    
  PVOID        Handle;          
  UINT32        Type;           
  PVOID        StackTrace; 
} HANDLE_TRACE_DB_ENTRY, *PHANDLE_TRACE_DB_ENTRY;

// Handle-trace database: a current index followed by 4096 inline records.
// The object is tens of kilobytes as declared, far more than a kernel stack
// can hold. Only ever refer to it through a pointer, never as a local
// variable or by-value parameter. Reduce CurrentStackIndex modulo the array
// size before using it as an index.
typedef struct _HANDLE_TRACE_DEBUG_INFO
{
  UINT32          CurrentStackIndex;
  HANDLE_TRACE_DB_ENTRY  TraceDb[4096];       
} HANDLE_TRACE_DEBUG_INFO, *PHANDLE_TRACE_DEBUG_INFO;

// One handle table slot: two 32-bit words, each a union of alternative
// interpretations. Which interpretation is live depends on the entry's state
// (in use, free, or info entry), and this header does not encode that.
// NOTE(review): Object and ObAttributes alias the same word, so the low bits
// of Object presumably carry attribute flags and must be masked off before
// the value is used as a pointer. Confirm the mask for the target build.
typedef struct _HANDLE_TABLE_ENTRY
{
  union
  {
    PVOID    Object;          
    UINT32    ObAttributes;   
    struct _HANDLE_TABLE_ENTRY *InfoTable;      
    UINT32    Value;
  };
  union
  {
    UINT32    GrantedAccess;
    struct 
    {
      USHORT    GrantedAccessIndex;
      USHORT    CreatorBackTraceIndex;
    };
    INT32    NextFreeTableEntry;
  }; 
} HANDLE_TABLE_ENTRY, *PHANDLE_TABLE_ENTRY;

// Per-process handle table header, reached from EPROCESS.ObjectTable: the
// encoded table pointer, owning process and id, four push locks, global list
// linkage, optional trace database, free-list indices and the handle count.
// NOTE(review): the public symbol layout for this build reportedly has an
// additional 32-bit member (ExtraInfoPages) between DebugInfo and FirstFree.
// If so, FirstFree through Flags are each four bytes too low here. Verify
// against a type dump of the target kernel before reading HandleCount.
typedef struct _HANDLE_TABLE
{
  UINT32            TableCode;       
  PEPROCESS          QuotaProcess; 
  PVOID            UniqueProcessId; 
  EX_PUSH_LOCK        HandleTableLock[4];
  LIST_ENTRY          HandleTableList;
  EX_PUSH_LOCK        HandleContentionEvent;
  PHANDLE_TRACE_DEBUG_INFO  DebugInfo;       
  UINT32            FirstFree;       
  UINT32            LastFree;        
  UINT32            NextHandleNeedingPool;
  INT32            HandleCount;     
  UINT32            Flags;    // bit0 - StrictFIFO
} HANDLE_TABLE, *PHANDLE_TABLE;

// Executive process object as laid out by the author for x86 Windows XP SP2
// (build 2600). The structure is opaque and undocumented: field offsets
// differ between builds and service packs, so a driver that dereferences it
// through this definition on any other kernel reads or writes the wrong
// memory. Prefer the exported accessor routines where one exists, check the
// running build before touching any field, and pin each offset you rely on
// with C_ASSERT(FIELD_OFFSET(EPROCESS, <field>) == <offset from the target
// build's symbols>) so a mismatch fails at compile time.
// NOTE(review): every offset after RundownProtect, and again after Token,
// depends on EX_RUNDOWN_REF and EX_FAST_REF each being exactly pointer-sized.
// Declared as two consecutive members they would be twice that. Check
// sizeof() for both before trusting anything that follows them.
typedef struct _EPROCESS
{
    KPROCESS              Pcb;           
    EX_PUSH_LOCK            ProcessLock;     
    LARGE_INTEGER            CreateTime;     
    LARGE_INTEGER            ExitTime;     
    EX_RUNDOWN_REF            RundownProtect;   
    PVOID                UniqueProcessId;       
    LIST_ENTRY              ActiveProcessLinks;   
    UINT32                QuotaUsage[3];       
    UINT32                QuotaPeak[3];       
    UINT32                CommitCharge;       
    UINT32                PeakVirtualSize;     
    UINT32                VirtualSize;       
    LIST_ENTRY              SessionProcessLinks; 
    PVOID                DebugPort;         
    PVOID                ExceptionPort;       
    PHANDLE_TABLE            ObjectTable;   
    // Token is a fast reference: the low bits of the stored word are a
    // reference count, not part of the pointer (see the RefCnt note on
    // EX_FAST_REF.Value).
    EX_FAST_REF              Token;         
    FAST_MUTEX              WorkingSetLock;     
    UINT32                WorkingSetPage;       
    FAST_MUTEX              AddressCreationLock; 
    UINT32                HyperSpaceLock;       
    PETHREAD              ForkInProgress;     
    UINT32                HardwareTrigger;     
    PVOID                VadRoot;           
    PVOID                VadHint;           
    PVOID                CloneRoot;         
    UINT32                NumberOfPrivatePages;   
    UINT32                NumberOfLockedPages;   
    PVOID                Win32Process;       
    PEJOB                Job;             
    PVOID                SectionObject;       
    PVOID                SectionBaseAddress;     
    PEPROCESS_QUOTA_BLOCK        QuotaBlock;     
    PPAGEFAULT_HISTORY          WorkingSetWatch; 
    PVOID                Win32WindowStation;       
    PVOID                InheritedFromUniqueProcessId; 
    PVOID                LdtInformation;         
    PVOID                VadFreeHint;           
    PVOID                VdmObjects;           
    PVOID                DeviceMap;           
    LIST_ENTRY              PhysicalVadList; 
  // 8-byte slot: the 32-bit PTE view overlays the low half of Filler.
  union
  {
    HARDWARE_PTE_X86  PageDirectoryPte;   
    UINT64        Filler; 
  };
    PVOID                Session;             
    // Fixed 16-byte buffer. Nothing in this declaration guarantees a NUL
    // terminator, so bound any copy or print to sizeof(ImageFileName).
    UCHAR                ImageFileName[16];         
    LIST_ENTRY              JobLinks;         
    PVOID                LockedPagesList;         
    LIST_ENTRY              ThreadListHead;       
    PVOID                SecurityPort;         
    PVOID                PaeTop;             
    UINT32                ActiveThreads;         
    UINT32                GrantedAccess;         
    UINT32                DefaultHardErrorProcessing;   
    INT32                LastThreadExitStatus;     
    PPEB                Peb;               
    EX_FAST_REF              PrefetchTrace;       
    LARGE_INTEGER            ReadOperationCount;   
    LARGE_INTEGER            WriteOperationCount;   
    LARGE_INTEGER            OtherOperationCount;   
    LARGE_INTEGER            ReadTransferCount;   
    LARGE_INTEGER            WriteTransferCount;   
    LARGE_INTEGER            OtherTransferCount;   
    UINT32                CommitChargeLimit;     
    UINT32                CommitChargePeak;     
    PVOID                AweInfo;           
    SE_AUDIT_PROCESS_CREATION_INFO    SeAuditProcessCreationInfo;
    MMSUPPORT              Vm;          
    UINT32                LastFaultCount;  
    UINT32                ModifiedPageCount;
    UINT32                NumberOfVads;    
    UINT32                JobStatus;       
  // Plain 32-bit word, not a bit-field; mask with the positions listed.
  UINT32                Flags;      // bit0 - CreateReported  
                          // bit1 - NoDebugInherit  
                          // bit2 - ProcessExiting  
                          // bit3 - ProcessDelete   
                          // bit4 - Wow64SplitPages 
                          // bit5 - VmDeleted       
                          // bit6 - OutswapEnabled  
                          // bit7 - Outswapped      
                          // bit8 - ForkFailed      
                          // bit9 - HasPhysicalVad  
                          // bit10-11 - AddressSpaceInitialized
                          // bit12 - SetTimerResolution
                          // bit13 - BreakOnTermination
                          // bit14 - SessionCreationUnderway
                          // bit15 - WriteWatch      
                          // bit16 - ProcessInSession
                          // bit17 - OverrideAddressSpace
                          // bit18 - HasAddressSpace 
                          // bit19 - LaunchPrefetched
                          // bit20 - InjectInpageErrors
                          // bit21 - VmTopDown       
                          // bit22 - Unused3         
                          // bit23 - Unused4         
                          // bit24 - VdmAllowed      
                          // bit25-29 - Unused          
                          // bit30 - Unused1         
                          // bit31 - Unused2         
    INT32                ExitStatus;         
    USHORT                NextPageColor;
  // The subsystem version is readable as two bytes or as one 16-bit value.
  union
  {
    struct
    {
      UCHAR    SubSystemMinorVersion;   
      UCHAR    SubSystemMajorVersion; 
    };
    USHORT    SubSystemVersion;
  };   
  UCHAR                PriorityClass;       
  UCHAR                WorkingSetAcquiredUnsafe; 
  // Two bytes the author could not identify; they fill the gap before the
  // 4-byte-aligned Cookie (probably alignment padding; unverified).
  UCHAR                Unknow1;
  UCHAR                Unknow2;
  UINT32                Cookie; 
} EPROCESS, *PEPROCESS;

#endif

#endif
