通过EPROCESS获取进程名
上一篇写自我保护时用到了,主要是不同版本的位置不同。找了一下,发现XP和win7的情况分别如下。
WIN7
lkd> dt nt!_EPROCESS
+0x000 Pcb : _KPROCESS
+0x098 ProcessLock : _EX_PUSH_LOCK
+0x0a0 CreateTime : _LARGE_INTEGER
+0x0a8 ExitTime : _LARGE_INTEGER
+0x0b0 RundownProtect : _EX_RUNDOWN_REF
+0x0b4 UniqueProcessId : Ptr32 Void
+0x0b8 ActiveProcessLinks : _LIST_ENTRY
+0x0c0 ProcessQuotaUsage : [] Uint4B
+0x0c8 ProcessQuotaPeak : [] Uint4B
+0x0d0 CommitCharge : Uint4B
+0x0d4 QuotaBlock : Ptr32 _EPROCESS_QUOTA_BLOCK
+0x0d8 CpuQuotaBlock : Ptr32 _PS_CPU_QUOTA_BLOCK
+0x0dc PeakVirtualSize : Uint4B
+0x0e0 VirtualSize : Uint4B
+0x0e4 SessionProcessLinks : _LIST_ENTRY
+0x0ec DebugPort : Ptr32 Void
+0x0f0 ExceptionPortData : Ptr32 Void
+0x0f0 ExceptionPortValue : Uint4B
+0x0f0 ExceptionPortState : Pos , Bits
+0x0f4 ObjectTable : Ptr32 _HANDLE_TABLE
+0x0f8 Token : _EX_FAST_REF
+0x0fc WorkingSetPage : Uint4B
+0x100 AddressCreationLock : _EX_PUSH_LOCK
+0x104 RotateInProgress : Ptr32 _ETHREAD
+0x108 ForkInProgress : Ptr32 _ETHREAD
+0x10c HardwareTrigger : Uint4B
+0x110 PhysicalVadRoot : Ptr32 _MM_AVL_TABLE
+0x114 CloneRoot : Ptr32 Void
+0x118 NumberOfPrivatePages : Uint4B
+0x11c NumberOfLockedPages : Uint4B
+0x120 Win32Process : Ptr32 Void
+0x124 Job : Ptr32 _EJOB
+0x128 SectionObject : Ptr32 Void
+0x12c SectionBaseAddress : Ptr32 Void
+0x130 Cookie : Uint4B
+0x134 Spare8 : Uint4B
+0x138 WorkingSetWatch : Ptr32 _PAGEFAULT_HISTORY
+0x13c Win32WindowStation : Ptr32 Void
+0x140 InheritedFromUniqueProcessId : Ptr32 Void
+0x144 LdtInformation : Ptr32 Void
+0x148 VdmObjects : Ptr32 Void
+0x14c ConsoleHostProcess : Uint4B
+0x150 DeviceMap : Ptr32 Void
+0x154 EtwDataSource : Ptr32 Void
+0x158 FreeTebHint : Ptr32 Void
+0x160 PageDirectoryPte : _HARDWARE_PTE
+0x160 Filler : Uint8B
+0x168 Session : Ptr32 Void
+0x16c ImageFileName : [] UChar
+0x17b PriorityClass : UChar
+0x17c JobLinks : _LIST_ENTRY
+0x184 LockedPagesList : Ptr32 Void
+0x188 ThreadListHead : _LIST_ENTRY
+0x190 SecurityPort : Ptr32 Void
+0x194 PaeTop : Ptr32 Void
+0x198 ActiveThreads : Uint4B
+0x19c ImagePathHash : Uint4B
+0x1a0 DefaultHardErrorProcessing : Uint4B
+0x1a4 LastThreadExitStatus : Int4B
+0x1a8 Peb : Ptr32 _PEB
+0x1ac PrefetchTrace : _EX_FAST_REF
+0x1b0 ReadOperationCount : _LARGE_INTEGER
+0x1b8 WriteOperationCount : _LARGE_INTEGER
+0x1c0 OtherOperationCount : _LARGE_INTEGER
+0x1c8 ReadTransferCount : _LARGE_INTEGER
+0x1d0 WriteTransferCount : _LARGE_INTEGER
+0x1d8 OtherTransferCount : _LARGE_INTEGER
+0x1e0 CommitChargeLimit : Uint4B
+0x1e4 CommitChargePeak : Uint4B
+0x1e8 AweInfo : Ptr32 Void
+0x1ec SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO
+0x1f0 Vm : _MMSUPPORT
+0x25c MmProcessLinks : _LIST_ENTRY
+0x264 HighestUserAddress : Ptr32 Void
+0x268 ModifiedPageCount : Uint4B
+0x26c Flags2 : Uint4B
+0x26c JobNotReallyActive : Pos , Bit
+0x26c AccountingFolded : Pos , Bit
+0x26c NewProcessReported : Pos , Bit
+0x26c ExitProcessReported : Pos , Bit
+0x26c ReportCommitChanges : Pos , Bit
+0x26c LastReportMemory : Pos , Bit
+0x26c ReportPhysicalPageChanges : Pos , Bit
+0x26c HandleTableRundown : Pos , Bit
+0x26c NeedsHandleRundown : Pos , Bit
+0x26c RefTraceEnabled : Pos , Bit
+0x26c NumaAware : Pos , Bit
+0x26c ProtectedProcess : Pos , Bit
+0x26c DefaultPagePriority : Pos , Bits
+0x26c PrimaryTokenFrozen : Pos , Bit
+0x26c ProcessVerifierTarget : Pos , Bit
+0x26c StackRandomizationDisabled : Pos , Bit
+0x26c AffinityPermanent : Pos , Bit
+0x26c AffinityUpdateEnable : Pos , Bit
+0x26c PropagateNode : Pos , Bit
+0x26c ExplicitAffinity : Pos , Bit
+0x270 Flags : Uint4B
+0x270 CreateReported : Pos , Bit
+0x270 NoDebugInherit : Pos , Bit
+0x270 ProcessExiting : Pos , Bit
+0x270 ProcessDelete : Pos , Bit
+0x270 Wow64SplitPages : Pos , Bit
+0x270 VmDeleted : Pos , Bit
+0x270 OutswapEnabled : Pos , Bit
+0x270 Outswapped : Pos , Bit
+0x270 ForkFailed : Pos , Bit
+0x270 Wow64VaSpace4Gb : Pos , Bit
+0x270 AddressSpaceInitialized : Pos , Bits
+0x270 SetTimerResolution : Pos , Bit
+0x270 BreakOnTermination : Pos , Bit
+0x270 DeprioritizeViews : Pos , Bit
+0x270 WriteWatch : Pos , Bit
+0x270 ProcessInSession : Pos , Bit
+0x270 OverrideAddressSpace : Pos , Bit
+0x270 HasAddressSpace : Pos , Bit
+0x270 LaunchPrefetched : Pos , Bit
+0x270 InjectInpageErrors : Pos , Bit
+0x270 VmTopDown : Pos , Bit
+0x270 ImageNotifyDone : Pos , Bit
+0x270 PdeUpdateNeeded : Pos , Bit
+0x270 VdmAllowed : Pos , Bit
+0x270 CrossSessionCreate : Pos , Bit
+0x270 ProcessInserted : Pos , Bit
+0x270 DefaultIoPriority : Pos , Bits
+0x270 ProcessSelfDelete : Pos , Bit
+0x270 SetTimerResolutionLink : Pos , Bit
+0x274 ExitStatus : Int4B
+0x278 VadRoot : _MM_AVL_TABLE
+0x298 AlpcContext : _ALPC_PROCESS_CONTEXT
+0x2a8 TimerResolutionLink : _LIST_ENTRY
+0x2b0 RequestedTimerResolution : Uint4B
+0x2b4 ActiveThreadsHighWatermark : Uint4B
+0x2b8 SmallestTimerResolution : Uint4B
+0x2bc TimerResolutionStackRecord : Ptr32 _PO_DIAG_STACK_RECORD
WIN XP SP3
kd> dt -r1 _Eprocess
nt!_EPROCESS
+0x000 Pcb : _KPROCESS
+0x000 Header : _DISPATCHER_HEADER
+0x010 ProfileListHead : _LIST_ENTRY
+0x018 DirectoryTableBase : [] Uint4B
+0x020 LdtDescriptor : _KGDTENTRY
+0x028 Int21Descriptor : _KIDTENTRY
+0x030 IopmOffset : Uint2B
+0x032 Iopl : UChar
+0x033 Unused : UChar
+0x034 ActiveProcessors : Uint4B
+0x038 KernelTime : Uint4B
+0x03c UserTime : Uint4B
+0x040 ReadyListHead : _LIST_ENTRY
+0x048 SwapListEntry : _SINGLE_LIST_ENTRY
+0x04c VdmTrapcHandler : Ptr32 Void
+0x050 ThreadListHead : _LIST_ENTRY
+0x058 ProcessLock : Uint4B
+0x05c Affinity : Uint4B
+0x060 StackCount : Uint2B
+0x062 BasePriority : Char
+0x063 ThreadQuantum : Char
+0x064 AutoAlignment : UChar
+0x065 State : UChar
+0x066 ThreadSeed : UChar
+0x067 DisableBoost : UChar
+0x068 PowerState : UChar
+0x069 DisableQuantum : UChar
+0x06a IdealNode : UChar
+0x06b Flags : _KEXECUTE_OPTIONS
+0x06b ExecuteOptions : UChar
+0x06c ProcessLock : _EX_PUSH_LOCK
+0x000 Waiting : Pos , Bit
+0x000 Exclusive : Pos , Bit
+0x000 Shared : Pos , Bits
+0x000 Value : Uint4B
+0x000 Ptr : Ptr32 Void
+0x070 CreateTime : _LARGE_INTEGER
+0x000 LowPart : Uint4B
+0x004 HighPart : Int4B
+0x000 u : __unnamed
+0x000 QuadPart : Int8B
+0x078 ExitTime : _LARGE_INTEGER
+0x000 LowPart : Uint4B
+0x004 HighPart : Int4B
+0x000 u : __unnamed
+0x000 QuadPart : Int8B
+0x080 RundownProtect : _EX_RUNDOWN_REF
+0x000 Count : Uint4B
+0x000 Ptr : Ptr32 Void
+0x084 UniqueProcessId : Ptr32 Void
+0x088 ActiveProcessLinks : _LIST_ENTRY
+0x000 Flink : Ptr32 _LIST_ENTRY
+0x004 Blink : Ptr32 _LIST_ENTRY
+0x090 QuotaUsage : [] Uint4B
+0x09c QuotaPeak : [] Uint4B
+0x0a8 CommitCharge : Uint4B
+0x0ac PeakVirtualSize : Uint4B
+0x0b0 VirtualSize : Uint4B
+0x0b4 SessionProcessLinks : _LIST_ENTRY
+0x000 Flink : Ptr32 _LIST_ENTRY
+0x004 Blink : Ptr32 _LIST_ENTRY
+0x0bc DebugPort : Ptr32 Void
+0x0c0 ExceptionPort : Ptr32 Void
+0x0c4 ObjectTable : Ptr32 _HANDLE_TABLE
+0x000 TableCode : Uint4B
+0x004 QuotaProcess : Ptr32 _EPROCESS
+0x008 UniqueProcessId : Ptr32 Void
+0x00c HandleTableLock : [] _EX_PUSH_LOCK
+0x01c HandleTableList : _LIST_ENTRY
+0x024 HandleContentionEvent : _EX_PUSH_LOCK
+0x028 DebugInfo : Ptr32 _HANDLE_TRACE_DEBUG_INFO
+0x02c ExtraInfoPages : Int4B
+0x030 FirstFree : Uint4B
+0x034 LastFree : Uint4B
+0x038 NextHandleNeedingPool : Uint4B
+0x03c HandleCount : Int4B
+0x040 Flags : Uint4B
+0x040 StrictFIFO : Pos , Bit
+0x0c8 Token : _EX_FAST_REF
+0x000 Object : Ptr32 Void
+0x000 RefCnt : Pos , Bits
+0x000 Value : Uint4B
+0x0cc WorkingSetLock : _FAST_MUTEX
+0x000 Count : Int4B
+0x004 Owner : Ptr32 _KTHREAD
+0x008 Contention : Uint4B
+0x00c Event : _KEVENT
+0x01c OldIrql : Uint4B
+0x0ec WorkingSetPage : Uint4B
+0x0f0 AddressCreationLock : _FAST_MUTEX
+0x000 Count : Int4B
+0x004 Owner : Ptr32 _KTHREAD
+0x008 Contention : Uint4B
+0x00c Event : _KEVENT
+0x01c OldIrql : Uint4B
+0x110 HyperSpaceLock : Uint4B
+0x114 ForkInProgress : Ptr32 _ETHREAD
+0x000 Tcb : _KTHREAD
+0x1c0 CreateTime : _LARGE_INTEGER
+0x1c0 NestedFaultCount : Pos , Bits
+0x1c0 ApcNeeded : Pos , Bit
+0x1c8 ExitTime : _LARGE_INTEGER
+0x1c8 LpcReplyChain : _LIST_ENTRY
+0x1c8 KeyedWaitChain : _LIST_ENTRY
+0x1d0 ExitStatus : Int4B
+0x1d0 OfsChain : Ptr32 Void
+0x1d4 PostBlockList : _LIST_ENTRY
+0x1dc TerminationPort : Ptr32 _TERMINATION_PORT
+0x1dc ReaperLink : Ptr32 _ETHREAD
+0x1dc KeyedWaitValue : Ptr32 Void
+0x1e0 ActiveTimerListLock : Uint4B
+0x1e4 ActiveTimerListHead : _LIST_ENTRY
+0x1ec Cid : _CLIENT_ID
+0x1f4 LpcReplySemaphore : _KSEMAPHORE
+0x1f4 KeyedWaitSemaphore : _KSEMAPHORE
+0x208 LpcReplyMessage : Ptr32 Void
+0x208 LpcWaitingOnPort : Ptr32 Void
+0x20c ImpersonationInfo : Ptr32 _PS_IMPERSONATION_INFORMATION
+0x210 IrpList : _LIST_ENTRY
+0x218 TopLevelIrp : Uint4B
+0x21c DeviceToVerify : Ptr32 _DEVICE_OBJECT
+0x220 ThreadsProcess : Ptr32 _EPROCESS
+0x224 StartAddress : Ptr32 Void
+0x228 Win32StartAddress : Ptr32 Void
+0x228 LpcReceivedMessageId : Uint4B
+0x22c ThreadListEntry : _LIST_ENTRY
+0x234 RundownProtect : _EX_RUNDOWN_REF
+0x238 ThreadLock : _EX_PUSH_LOCK
+0x23c LpcReplyMessageId : Uint4B
+0x240 ReadClusterSize : Uint4B
+0x244 GrantedAccess : Uint4B
+0x248 CrossThreadFlags : Uint4B
+0x248 Terminated : Pos , Bit
+0x248 DeadThread : Pos , Bit
+0x248 HideFromDebugger : Pos , Bit
+0x248 ActiveImpersonationInfo : Pos , Bit
+0x248 SystemThread : Pos , Bit
+0x248 HardErrorsAreDisabled : Pos , Bit
+0x248 BreakOnTermination : Pos , Bit
+0x248 SkipCreationMsg : Pos , Bit
+0x248 SkipTerminationMsg : Pos , Bit
+0x24c SameThreadPassiveFlags : Uint4B
+0x24c ActiveExWorker : Pos , Bit
+0x24c ExWorkerCanWaitUser : Pos , Bit
+0x24c MemoryMaker : Pos , Bit
+0x250 SameThreadApcFlags : Uint4B
+0x250 LpcReceivedMsgIdValid : Pos , Bit
+0x250 LpcExitThreadCalled : Pos , Bit
+0x250 AddressSpaceOwner : Pos , Bit
+0x254 ForwardClusterOnly : UChar
+0x255 DisablePageFaultClustering : UChar
+0x118 HardwareTrigger : Uint4B
+0x11c VadRoot : Ptr32 Void
+0x120 VadHint : Ptr32 Void
+0x124 CloneRoot : Ptr32 Void
+0x128 NumberOfPrivatePages : Uint4B
+0x12c NumberOfLockedPages : Uint4B
+0x130 Win32Process : Ptr32 Void
+0x134 Job : Ptr32 _EJOB
+0x000 Event : _KEVENT
+0x010 JobLinks : _LIST_ENTRY
+0x018 ProcessListHead : _LIST_ENTRY
+0x020 JobLock : _ERESOURCE
+0x058 TotalUserTime : _LARGE_INTEGER
+0x060 TotalKernelTime : _LARGE_INTEGER
+0x068 ThisPeriodTotalUserTime : _LARGE_INTEGER
+0x070 ThisPeriodTotalKernelTime : _LARGE_INTEGER
+0x078 TotalPageFaultCount : Uint4B
+0x07c TotalProcesses : Uint4B
+0x080 ActiveProcesses : Uint4B
+0x084 TotalTerminatedProcesses : Uint4B
+0x088 PerProcessUserTimeLimit : _LARGE_INTEGER
+0x090 PerJobUserTimeLimit : _LARGE_INTEGER
+0x098 LimitFlags : Uint4B
+0x09c MinimumWorkingSetSize : Uint4B
+0x0a0 MaximumWorkingSetSize : Uint4B
+0x0a4 ActiveProcessLimit : Uint4B
+0x0a8 Affinity : Uint4B
+0x0ac PriorityClass : UChar
+0x0b0 UIRestrictionsClass : Uint4B
+0x0b4 SecurityLimitFlags : Uint4B
+0x0b8 Token : Ptr32 Void
+0x0bc Filter : Ptr32 _PS_JOB_TOKEN_FILTER
+0x0c0 EndOfJobTimeAction : Uint4B
+0x0c4 CompletionPort : Ptr32 Void
+0x0c8 CompletionKey : Ptr32 Void
+0x0cc SessionId : Uint4B
+0x0d0 SchedulingClass : Uint4B
+0x0d8 ReadOperationCount : Uint8B
+0x0e0 WriteOperationCount : Uint8B
+0x0e8 OtherOperationCount : Uint8B
+0x0f0 ReadTransferCount : Uint8B
+0x0f8 WriteTransferCount : Uint8B
+0x100 OtherTransferCount : Uint8B
+0x108 IoInfo : _IO_COUNTERS
+0x138 ProcessMemoryLimit : Uint4B
+0x13c JobMemoryLimit : Uint4B
+0x140 PeakProcessMemoryUsed : Uint4B
+0x144 PeakJobMemoryUsed : Uint4B
+0x148 CurrentJobMemoryUsed : Uint4B
+0x14c MemoryLimitsLock : _FAST_MUTEX
+0x16c JobSetLinks : _LIST_ENTRY
+0x174 MemberLevel : Uint4B
+0x178 JobFlags : Uint4B
+0x138 SectionObject : Ptr32 Void
+0x13c SectionBaseAddress : Ptr32 Void
+0x140 QuotaBlock : Ptr32 _EPROCESS_QUOTA_BLOCK
+0x000 QuotaEntry : [] _EPROCESS_QUOTA_ENTRY
+0x030 QuotaList : _LIST_ENTRY
+0x038 ReferenceCount : Uint4B
+0x03c ProcessCount : Uint4B
+0x144 WorkingSetWatch : Ptr32 _PAGEFAULT_HISTORY
+0x000 CurrentIndex : Uint4B
+0x004 MaxIndex : Uint4B
+0x008 SpinLock : Uint4B
+0x00c Reserved : Ptr32 Void
+0x010 WatchInfo : [] _PROCESS_WS_WATCH_INFORMATION
+0x148 Win32WindowStation : Ptr32 Void
+0x14c InheritedFromUniqueProcessId : Ptr32 Void
+0x150 LdtInformation : Ptr32 Void
+0x154 VadFreeHint : Ptr32 Void
+0x158 VdmObjects : Ptr32 Void
+0x15c DeviceMap : Ptr32 Void
+0x160 PhysicalVadList : _LIST_ENTRY
+0x000 Flink : Ptr32 _LIST_ENTRY
+0x004 Blink : Ptr32 _LIST_ENTRY
+0x168 PageDirectoryPte : _HARDWARE_PTE
+0x000 Valid : Pos , Bit
+0x000 Write : Pos , Bit
+0x000 Owner : Pos , Bit
+0x000 WriteThrough : Pos , Bit
+0x000 CacheDisable : Pos , Bit
+0x000 Accessed : Pos , Bit
+0x000 Dirty : Pos , Bit
+0x000 LargePage : Pos , Bit
+0x000 Global : Pos , Bit
+0x000 CopyOnWrite : Pos , Bit
+0x000 Prototype : Pos , Bit
+0x000 reserved : Pos , Bit
+0x000 PageFrameNumber : Pos , Bits
+0x168 Filler : Uint8B
+0x170 Session : Ptr32 Void
+0x174 ImageFileName : [] UChar
+0x184 JobLinks : _LIST_ENTRY
+0x000 Flink : Ptr32 _LIST_ENTRY
+0x004 Blink : Ptr32 _LIST_ENTRY
+0x18c LockedPagesList : Ptr32 Void
+0x190 ThreadListHead : _LIST_ENTRY
+0x000 Flink : Ptr32 _LIST_ENTRY
+0x004 Blink : Ptr32 _LIST_ENTRY
+0x198 SecurityPort : Ptr32 Void
+0x19c PaeTop : Ptr32 Void
+0x1a0 ActiveThreads : Uint4B
+0x1a4 GrantedAccess : Uint4B
+0x1a8 DefaultHardErrorProcessing : Uint4B
+0x1ac LastThreadExitStatus : Int4B
+0x1b0 Peb : Ptr32 _PEB
+0x000 InheritedAddressSpace : UChar
+0x001 ReadImageFileExecOptions : UChar
+0x002 BeingDebugged : UChar
+0x003 SpareBool : UChar
+0x004 Mutant : Ptr32 Void
+0x008 ImageBaseAddress : Ptr32 Void
+0x00c Ldr : Ptr32 _PEB_LDR_DATA
+0x010 ProcessParameters : Ptr32 _RTL_USER_PROCESS_PARAMETERS
+0x014 SubSystemData : Ptr32 Void
+0x018 ProcessHeap : Ptr32 Void
+0x01c FastPebLock : Ptr32 _RTL_CRITICAL_SECTION
+0x020 FastPebLockRoutine : Ptr32 Void
+0x024 FastPebUnlockRoutine : Ptr32 Void
+0x028 EnvironmentUpdateCount : Uint4B
+0x02c KernelCallbackTable : Ptr32 Void
+0x030 SystemReserved : [] Uint4B
+0x034 AtlThunkSListPtr32 : Uint4B
+0x038 FreeList : Ptr32 _PEB_FREE_BLOCK
+0x03c TlsExpansionCounter : Uint4B
+0x040 TlsBitmap : Ptr32 Void
+0x044 TlsBitmapBits : [] Uint4B
+0x04c ReadOnlySharedMemoryBase : Ptr32 Void
+0x050 ReadOnlySharedMemoryHeap : Ptr32 Void
+0x054 ReadOnlyStaticServerData : Ptr32 Ptr32 Void
+0x058 AnsiCodePageData : Ptr32 Void
+0x05c OemCodePageData : Ptr32 Void
+0x060 UnicodeCaseTableData : Ptr32 Void
+0x064 NumberOfProcessors : Uint4B
+0x068 NtGlobalFlag : Uint4B
+0x070 CriticalSectionTimeout : _LARGE_INTEGER
+0x078 HeapSegmentReserve : Uint4B
+0x07c HeapSegmentCommit : Uint4B
+0x080 HeapDeCommitTotalFreeThreshold : Uint4B
+0x084 HeapDeCommitFreeBlockThreshold : Uint4B
+0x088 NumberOfHeaps : Uint4B
+0x08c MaximumNumberOfHeaps : Uint4B
+0x090 ProcessHeaps : Ptr32 Ptr32 Void
+0x094 GdiSharedHandleTable : Ptr32 Void
+0x098 ProcessStarterHelper : Ptr32 Void
+0x09c GdiDCAttributeList : Uint4B
+0x0a0 LoaderLock : Ptr32 Void
+0x0a4 OSMajorVersion : Uint4B
+0x0a8 OSMinorVersion : Uint4B
+0x0ac OSBuildNumber : Uint2B
+0x0ae OSCSDVersion : Uint2B
+0x0b0 OSPlatformId : Uint4B
+0x0b4 ImageSubsystem : Uint4B
+0x0b8 ImageSubsystemMajorVersion : Uint4B
+0x0bc ImageSubsystemMinorVersion : Uint4B
+0x0c0 ImageProcessAffinityMask : Uint4B
+0x0c4 GdiHandleBuffer : [] Uint4B
+0x14c PostProcessInitRoutine : Ptr32 void
+0x150 TlsExpansionBitmap : Ptr32 Void
+0x154 TlsExpansionBitmapBits : [] Uint4B
+0x1d4 SessionId : Uint4B
+0x1d8 AppCompatFlags : _ULARGE_INTEGER
+0x1e0 AppCompatFlagsUser : _ULARGE_INTEGER
+0x1e8 pShimData : Ptr32 Void
+0x1ec AppCompatInfo : Ptr32 Void
+0x1f0 CSDVersion : _UNICODE_STRING
+0x1f8 ActivationContextData : Ptr32 Void
+0x1fc ProcessAssemblyStorageMap : Ptr32 Void
+0x200 SystemDefaultActivationContextData : Ptr32 Void
+0x204 SystemAssemblyStorageMap : Ptr32 Void
+0x208 MinimumStackCommit : Uint4B
+0x1b4 PrefetchTrace : _EX_FAST_REF
+0x000 Object : Ptr32 Void
+0x000 RefCnt : Pos , Bits
+0x000 Value : Uint4B
+0x1b8 ReadOperationCount : _LARGE_INTEGER
+0x000 LowPart : Uint4B
+0x004 HighPart : Int4B
+0x000 u : __unnamed
+0x000 QuadPart : Int8B
+0x1c0 WriteOperationCount : _LARGE_INTEGER
+0x000 LowPart : Uint4B
+0x004 HighPart : Int4B
+0x000 u : __unnamed
+0x000 QuadPart : Int8B
+0x1c8 OtherOperationCount : _LARGE_INTEGER
+0x000 LowPart : Uint4B
+0x004 HighPart : Int4B
+0x000 u : __unnamed
+0x000 QuadPart : Int8B
+0x1d0 ReadTransferCount : _LARGE_INTEGER
+0x000 LowPart : Uint4B
+0x004 HighPart : Int4B
+0x000 u : __unnamed
+0x000 QuadPart : Int8B
+0x1d8 WriteTransferCount : _LARGE_INTEGER
+0x000 LowPart : Uint4B
+0x004 HighPart : Int4B
+0x000 u : __unnamed
+0x000 QuadPart : Int8B
+0x1e0 OtherTransferCount : _LARGE_INTEGER
+0x000 LowPart : Uint4B
+0x004 HighPart : Int4B
+0x000 u : __unnamed
+0x000 QuadPart : Int8B
+0x1e8 CommitChargeLimit : Uint4B
+0x1ec CommitChargePeak : Uint4B
+0x1f0 AweInfo : Ptr32 Void
+0x1f4 SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO
+0x000 ImageFileName : Ptr32 _OBJECT_NAME_INFORMATION
+0x1f8 Vm : _MMSUPPORT
+0x000 LastTrimTime : _LARGE_INTEGER
+0x008 Flags : _MMSUPPORT_FLAGS
+0x00c PageFaultCount : Uint4B
+0x010 PeakWorkingSetSize : Uint4B
+0x014 WorkingSetSize : Uint4B
+0x018 MinimumWorkingSetSize : Uint4B
+0x01c MaximumWorkingSetSize : Uint4B
+0x020 VmWorkingSetList : Ptr32 _MMWSL
+0x024 WorkingSetExpansionLinks : _LIST_ENTRY
+0x02c Claim : Uint4B
+0x030 NextEstimationSlot : Uint4B
+0x034 NextAgingSlot : Uint4B
+0x038 EstimatedAvailable : Uint4B
+0x03c GrowthSinceLastEstimate : Uint4B
+0x238 LastFaultCount : Uint4B
+0x23c ModifiedPageCount : Uint4B
+0x240 NumberOfVads : Uint4B
+0x244 JobStatus : Uint4B
+0x248 Flags : Uint4B
+0x248 CreateReported : Pos , Bit
+0x248 NoDebugInherit : Pos , Bit
+0x248 ProcessExiting : Pos , Bit
+0x248 ProcessDelete : Pos , Bit
+0x248 Wow64SplitPages : Pos , Bit
+0x248 VmDeleted : Pos , Bit
+0x248 OutswapEnabled : Pos , Bit
+0x248 Outswapped : Pos , Bit
+0x248 ForkFailed : Pos , Bit
+0x248 HasPhysicalVad : Pos , Bit
+0x248 AddressSpaceInitialized : Pos , Bits
+0x248 SetTimerResolution : Pos , Bit
+0x248 BreakOnTermination : Pos , Bit
+0x248 SessionCreationUnderway : Pos , Bit
+0x248 WriteWatch : Pos , Bit
+0x248 ProcessInSession : Pos , Bit
+0x248 OverrideAddressSpace : Pos , Bit
+0x248 HasAddressSpace : Pos , Bit
+0x248 LaunchPrefetched : Pos , Bit
+0x248 InjectInpageErrors : Pos , Bit
+0x248 VmTopDown : Pos , Bit
+0x248 Unused3 : Pos , Bit
+0x248 Unused4 : Pos , Bit
+0x248 VdmAllowed : Pos , Bit
+0x248 Unused : Pos , Bits
+0x248 Unused1 : Pos , Bit
+0x248 Unused2 : Pos , Bit
+0x24c ExitStatus : Int4B
+0x250 NextPageColor : Uint2B
+0x252 SubSystemMinorVersion : UChar
+0x253 SubSystemMajorVersion : UChar
+0x252 SubSystemVersion : Uint2B
+0x254 PriorityClass : UChar
+0x255 WorkingSetAcquiredUnsafe : UChar
+0x258 Cookie : Uint4B
通过EPROCESS获取进程名的更多相关文章
- 根据PID获取进程名&根据进程名获取PID
Liunx中 通过进程名查找进程PID可以通过 pidof [进程名] 来查找.反过来 ,相同通过PID查找进程名则没有相关命令.在linux根目录中,有一个/proc的VFS(虚拟文件系统),系统当 ...
- PHP脚本设置及获取进程名
今天来学习的是两个非常简单的函数,一个可以用来设置我们执行脚本时运行的进程名.而另一个就是简单的获取当前运行的进程名.这两个函数对于大量的脚本运行代码有很大的作用,比如我们需要 kill 掉某个进程时 ...
- x64内核HOOK技术之拦截进程.拦截线程.拦截模块
x64内核HOOK技术之拦截进程.拦截线程.拦截模块 一丶为什么讲解HOOK技术. 在32系统下, 例如我们要HOOK SSDT表,那么直接讲CR0的内存保护属性去掉. 直接讲表的地址修改即可. 但是 ...
- 从应用到内核,分析top命令显示的进程名包含中括号"[]"的含义
背景 在执行top/ps命令的时候,在COMMAND一列,我们会发现,有些进程名被[]括起来了,例如 PID PPID USER STAT VSZ %VSZ %CPU COMMAND 1542 928 ...
- SSDT Hook结构
目录 SSDT Hook效果图 SSDT简介 SSDT结构 SSDT HOOK原理 Hook前准备 如何获得SSDT中函数的地址呢 SSDT Hook流程 SSDT Hook实现进程保护 Ring3与 ...
- CMStepCounter Class Refernce
CMStepCounter Class Refernce https://developer.apple.com/library/ios/documentation/CoreMotion/Refere ...
- ssdt_hook NtOpenProcess
获取ssdt表中所有函数的地址 for (int i = 0; i < KeServiceDescriptorTable->NumberOfServices; i++) { ...
- SSDT Hook实现内核级的进程保护
目录 SSDT Hook效果图 SSDT简介 SSDT结构 SSDT HOOK原理 Hook前准备 如何获得SSDT中函数的地址呢 SSDT Hook流程 SSDT Hook实现进程保护 Ring3与 ...
- 枚举进程——暴力搜索内存(Ring0)
上面说过了隐藏进程,这篇博客我们就简单描述一下暴力搜索进程. 一个进程要运行,必然会加载到内存中,断链隐藏进程只是把EPROCESS从链表上摘除了,但它还是驻留在内存中的.这样我们就有了找到它的方法. ...
随机推荐
- 【poj2068】Nim
Portal -->poj2068 Description 给你\(S\)个石子,有\(2n\)个人分成两队,编号为奇数的一队,编号为偶数的一队,\(2n\)个人按照编号从小到大的顺序拿石 ...
- Caffe框架详细梳理
protobuf是google公司开发的,并在Google内部久经考验的一个东西,在08年google把它贡献给了开源社区,随后便有越来越多的人使用它.protobuf是一个结构化信息传递的工具,主要 ...
- NOIP2017
NOIP2017游记 记得开始学OI是今年的6月,那时候纯粹是抱着好玩的心态来学的,但是渐渐地,我发现我好像喜欢上了OI,喜欢敲键盘时的声音,喜欢手指触碰键盘时的手感,喜欢这个奥赛班与其他科目学习气氛 ...
- ppt述职摘要
1.工作总结 1)做了什么 2)做的怎么样 3)还要做什么 2.个人成长和团队成长 3.个人目标和团队目标 1)时间+量化(具体说明) 2)预期效果 3)团队凝聚力 4.展望
- jdk1.5后枚举类的定义规则
转: http://blog.csdn.net/willcold/article/details/12844487 JDK1.5 新增的enum关键字用于定义枚举类 枚举类也 ...
- 数据分析与展示---Numpy入门
概括: 一:数据维度 (一)一维数据 (二)二维数据 (三)多维数据 (四)高维数据 二:Numpy的数组对象:ndarray (一)Numpy介绍 (二)N维数组对象ndarray (三)ndarr ...
- OpenCV---色彩空间(二)HSV追踪颜色对象和通道分离与合并
一:HSV追踪有颜色对象 def inRange(src, lowerb, upperb, dst=None) #lowerb是上面每个颜色分段的最小值,upperb是上面每个颜色分段的最大值,都是列 ...
- 学习 C++的用途,(前辈总结)
C++准确说是一门中级语言,介于汇编和高级语言之间吧,要求程序员了解计算机的内部数据存储.个人认为,作为学生还是花功夫学C++,因为<设计模式><数据结构>这些课程基本上还是C ...
- Flying to the Mars
D - Flying to the Mars Time Limit:1000MS Memory Limit:32768KB 64bit IO Format:%I64d & %I ...
- 三星c7换屏幕教程
https://jingyan.baidu.com/article/20b68a88f49cb9796cec6282.html