主要数据结构.doc

struct PROCESStypedef struct _EPROCESS KPROCESS Pcb; EX_PUSH_LOCK ProcessLock; LARGE_INTEGER CreateTime; LARGE_INTEGER ExitTime; EX_RUNDOWN_REF RundownProtect; PVOID UniqueProcessId; LIST_ENTRY ActiveProcessLinks; ULONG QuotaUsage3; ULONG QuotaPeak3; ULONG CommitCharge; ULONG PeakVirtualSize; ULONG VirtualSize; LIST_ENTRY SessionProcessLinks; PVOID DebugPort; union PVOID ExceptionPortData; ULONG ExceptionPortValue; ULONG ExceptionPortState: 3; ; PHANDLE_TABLE ObjectTable; EX_FAST_REF Token; ULONG WorkingSetPage; EX_PUSH_LOCK AddressCreationLock; PETHREAD RotateInProgress; PETHREAD ForkInProgress; ULONG HardwareTrigger; PMM_AVL_TABLE PhysicalVadRoot; PVOID CloneRoot; ULONG NumberOfPrivatePages; ULONG NumberOfLockedPages; PVOID Win32Process; PEJOB Job; PVOID SectionObject; PVOID SectionBaseAddress; _EPROCESS_QUOTA_BLOCK * QuotaBlock; _PAGEFAULT_HISTORY * WorkingSetWatch; PVOID Win32WindowStation; PVOID InheritedFromUniqueProcessId; PVOID LdtInformation; PVOID VadFreeHint; PVOID VdmObjects; PVOID DeviceMap; PVOID EtwDataSource; PVOID FreeTebHint; union HARDWARE_PTE PageDirectoryPte; UINT64 Filler; ; PVOID Session; UCHAR ImageFileName16; LIST_ENTRY JobLinks; PVOID LockedPagesList; LIST_ENTRY ThreadListHead; PVOID SecurityPort; PVOID PaeTop; ULONG ActiveThreads; ULONG ImagePathHash; ULONG DefaultHardErrorProcessing; LONG LastThreadExitStatus; PPEB Peb; EX_FAST_REF PrefetchTrace; LARGE_INTEGER ReadOperationCount; LARGE_INTEGER WriteOperationCount; LARGE_INTEGER OtherOperationCount; LARGE_INTEGER ReadTransferCount; LARGE_INTEGER WriteTransferCount; LARGE_INTEGER OtherTransferCount; ULONG CommitChargeLimit; ULONG CommitChargePeak; PVOID AweInfo; SE_AUDIT_PROCESS_CREATION_INFO SeAuditProcessCreationInfo; MMSUPPORT Vm; LIST_ENTRY MmProcessLinks; ULONG ModifiedPageCount; ULONG Flags2; ULONG JobNotReallyActive: 1; ULONG AccountingFolded: 1; ULONG NewProcessReported: 1; ULONG ExitProcessReported: 1; ULONG ReportCommitChanges: 1; ULONG LastReportMemory: 1; ULONG ReportPhysicalPageChanges: 1; ULONG HandleTableRundown: 1; ULONG NeedsHandleRundown: 1; ULONG RefTraceEnabled: 1; ULONG NumaAware: 1; ULONG ProtectedProcess: 1; ULONG DefaultPagePriority: 3; ULONG PrimaryTokenFrozen: 1; ULONG ProcessVerifierTarget: 1; ULONG StackRandomizationDisabled: 1; ULONG Flags; ULONG CreateReported: 1; ULONG NoDebugInherit: 1; ULONG ProcessExiting: 1; ULONG ProcessDelete: 1; ULONG Wow64SplitPages: 1; ULONG VmDeleted: 1; ULONG OutswapEnabled: 1; ULONG Outswapped: 1; ULONG ForkFailed: 1; ULONG Wow64VaSpace4Gb: 1; ULONG AddressSpaceInitialized: 2; ULONG SetTimerResolution: 1; ULONG BreakOnTermination: 1; ULONG DeprioritizeViews: 1; ULONG WriteWatch: 1; ULONG ProcessInSession: 1; ULONG OverrideAddressSpace: 1; ULONG HasAddressSpace: 1; ULONG LaunchPrefetched: 1; ULONG InjectInpageErrors: 1; ULONG VmTopDown: 1; ULONG ImageNotifyDone: 1; ULONG PdeUpdateNeeded: 1; ULONG VdmAllowed: 1; ULONG SmapAllowed: 1; ULONG ProcessInserted: 1; ULONG DefaultIoPriority: 3; ULONG SparePsFlags1: 2; LONG ExitStatus; WORD Spare7; union struct UCHAR SubSystemMinorVersion; UCHAR SubSystemMajorVersion; ; WORD SubSystemVersion; ; UCHAR PriorityClass; MM_AVL_TABLE VadRoot; ULONG Cookie; ALPC_PROCESS_CONTEXT AlpcContext; EPROCESS, *PEPROCESS;struct KPROCESStypedef struct _KPROCESS DISPATCHER_HEADER Header; LIST_ENTRY ProfileListHead; ULONG DirectoryTableBase; ULONG Unused0; KGDTENTRY LdtDescriptor; KIDTENTRY Int21Descriptor; WORD IopmOffset; UCHAR Iopl; UCHAR Unused; ULONG ActiveProcessors; ULONG KernelTime; ULONG UserTime; LIST_ENTRY ReadyListHead; SINGLE_LIST_ENTRY SwapListEntry; PVOID VdmTrapcHandler; LIST_ENTRY ThreadListHead; ULONG ProcessLock; ULONG Affinity; union ULONG AutoAlignment: 1; ULONG DisableBoost: 1; ULONG DisableQuantum: 1; ULONG ReservedFlags: 29; LONG ProcessFlags; ; CHAR BasePriority; CHAR QuantumReset; UCHAR State; UCHAR ThreadSeed; UCHAR PowerState; UCHAR IdealNode; UCHAR Visited; union KEXECUTE_OPTIONS Flags; UCHAR ExecuteOptions; ; ULONG StackCount; LIST_ENTRY ProcessListEntry; UINT64 CycleTime; KPROCESS, *PKPROCESS;Struct PEBtypedef struct _PEB UCHAR InheritedAddressSpace; UCHAR ReadImageFileExecOptions; UCHAR BeingDebugged; UCHAR BitField; ULONG ImageUsesLargePages: 1; ULONG IsProtectedProcess: 1; ULONG IsLegacyProcess: 1; ULONG IsImageDynamicallyRelocated: 1; ULONG SpareBits: 4; PVOID Mutant; PVOID ImageBaseAddress; PPEB_LDR_DATA Ldr; PRTL_USER_PROCESS_PARAMETERS ProcessParameters; PVOID SubSystemData; PVOID ProcessHeap; PRTL_CRITICAL_SECTION FastPebLock; PVOID AtlThunkSListPtr; PVOID IFEOKey; ULONG CrossProcessFlags; ULONG ProcessInJob: 1; ULONG ProcessInitializing: 1; ULONG ReservedBits0: 30; union PVOID KernelCallbackTable; PVOID UserSharedInfoPtr; ; ULONG SystemReserved1; ULONG SpareUlong; PPEB_FREE_BLOCK FreeList; ULONG TlsExpansionCounter; PVOID TlsBitmap; ULONG TlsBitmapBits2; PVOID ReadOnlySharedMemoryBase; PVOID HotpatchInformation; VOID * * ReadOnlyStaticServerData; PVOID AnsiCodePageData; PVOID OemCodePageData; PVOID UnicodeCaseTableData; ULONG NumberOfProcessors; ULONG NtGlobalFlag; LARGE_INTEGER CriticalSectionTimeout; ULONG HeapSegmentReserve; ULONG HeapSegmentCommit; ULONG HeapDeCommitTotalFreeThreshold; ULONG HeapDeCommitFreeBlockThreshold; ULONG NumberOfHeaps; ULONG MaximumNumberOfHeaps; VOID * * ProcessHeaps; PVOID GdiSharedHandleTable; PVOID ProcessStarterHelper; ULONG GdiDCAttributeList; PRTL_CRITICAL_SECTION LoaderLock; ULONG OSMajorVersion; ULONG OSMinorVersion; WORD OSBuildNumber; WORD OSCSDVersion; ULONG OSPlatformId; ULONG ImageSubsystem; ULONG ImageSubsystemMajorVersion; ULONG ImageSubsystemMinorVersion; ULONG ImageProcessAffinityMask; ULONG GdiHandleBuffer34; PVOID PostProcessInitRoutine; PVOID TlsExpansionBitmap; ULONG TlsExpansionBitmapBits32; ULONG SessionId; ULARGE_INTEGER AppCompatFlags; ULARGE_INTEGER AppCompatFlagsUser; PVOID pShimData; PVOID AppCompatInfo; UNICODE_STRING CSDVersion; _ACTIVATION_CONTEXT_DATA * ActivationContextData; _ASSEMBLY_STORAGE_MAP * ProcessAssemblyStorageMap; _ACTIVATION_CONTEXT_DATA * SystemDefaultActivationContextData; _ASSEMBLY_STORAGE_MAP * SystemAssemblyStorageMap; ULONG MinimumStackCommit; _FLS_CALLBACK_INFO * FlsCallback; LIST_ENTRY FlsListHead; PVOID FlsBitmap; ULONG FlsBitmapBits4; ULONG FlsHighIndex; PVOID WerRegistrationData; PVOID WerShipAssertPtr; PEB, *PPEB;struct ETHREADtypedef struct _ETHREAD KTHREAD Tcb; LARGE_INTEGER CreateTime; union LARGE_INTEGER ExitTime; LIST_ENTRY KeyedWaitChain; ; union LONG ExitStatus; PVOID OfsChain; ; union LIST_ENTRY PostBlockList; struct PVOID ForwardLinkShadow; PVOID StartAddress; ; ; union PTERMINATION_PORT TerminationPort; PETHREAD ReaperLink; PVOID KeyedWaitValue; PVOID Win32StartParameter; ; ULONG ActiveTimerListLock; LIST_ENTRY ActiveTimerListHead; CLIENT_ID Cid; union KSEMAPHORE KeyedWaitSemaphore; KSEMAPHORE AlpcWaitSemaphore; ; PS_CLIENT_SECURITY_CONTEXT ClientSecurity; LIST_ENTRY IrpList; ULONG TopLevelIrp; PDEVICE_OBJECT DeviceToVerify; _PSP_RATE_APC * RateControlApc; PVOID Win32StartAddress; PVOID SparePtr0; LIST_ENTRY ThreadListEntry; EX_RUNDOWN_REF RundownProtect; EX_PUSH_LOCK ThreadLock; ULONG ReadClusterSize; LONG MmLockOrdering; ULONG CrossThreadFlags; ULONG Terminated: 1; ULONG ThreadInserted: 1; ULONG HideFromDebugger: 1; ULONG ActiveImpersonationInfo: 1; ULONG SystemThread: 1; ULONG HardErrorsAreDisabled: 1; ULONG BreakOnTermination: 1; ULONG SkipCreationMsg: 1; ULONG SkipTerminationMsg: 1; ULONG CopyTokenOnOpen: 1; ULONG ThreadIoPriority: 3; ULONG ThreadPagePriority: 3; ULONG RundownFail: 1; ULONG SameThreadPassiveFlags; ULONG ActiveExWorker: 1; ULONG ExWorkerCanWaitUser: 1; ULONG MemoryMaker: 1; ULONG ClonedThread: 1; ULONG KeyedEventInUse: 1; ULONG RateApcState: 2; ULONG SelfTerminate: 1; ULONG SameThreadApcFlags; ULONG Spare: 1; ULONG StartAddressInvalid: 1; ULONG EtwPageFaultCalloutActive: 1; ULONG OwnsProcessWorkingSetExclusive: 1; ULONG OwnsProcessWorkingSetShared: 1; ULONG OwnsSystemWorkingSetExclusive: 1; ULONG OwnsSystemWorkingSetShared: 1; ULONG OwnsSessionWorkingSetExclusive: 1; ULONG OwnsSessionWorkingSetShared: 1; ULONG OwnsProcessAddressSpaceExclusive: 1; ULONG OwnsProcessAddressSpaceShared: 1; ULONG SuppressSymbolLoad: 1; ULONG Prefetching: 1; ULONG OwnsDynamicMemoryShared: 1; ULONG OwnsChangeControlAreaExclusive: 1; ULONG OwnsChangeControlAreaShared: 1; ULONG PriorityRegionActive: 4; UCHAR CacheManagerActive; UCHAR DisablePageFaultClustering; UCHAR ActiveFaultCount; ULONG AlpcMessageId; union PVOID AlpcMessage; ULONG AlpcReceiveAttributeSet; ; LIST_ENTRY AlpcWaitListEntry; ULONG CacheManagerCount; ETHREAD, *PETHREAD;struct KTHREADtypedef struct _KTHREAD DISPATCHER_HEADER Header; UINT64 CycleTime; ULONG HighCycleTime; UINT64 QuantumTarget; PVOID InitialStack; PVOID StackLimit; PVOID KernelStack; ULONG ThreadLock; union KAPC_STATE ApcState; UCHAR ApcStateFill23; ; CHAR Priority; WORD NextProcessor; WORD DeferredProcessor; ULONG ApcQueueLock; ULONG ContextSwitches; UCHAR State; UCHAR NpxState; UCHAR WaitIrql; CHAR WaitMode; LONG WaitStatus; union PKWAIT_BLOCK WaitBlockList; PKGATE GateObject; ; union ULONG KernelStackResident: 1; ULONG ReadyTransition: 1; ULONG ProcessReadyQueue: 1; ULONG WaitNext: 1; ULONG SystemAffinityActive: 1; ULONG Alertable: 1; ULONG GdiFlushActive: 1; ULONG Reserved: 25; LONG MiscFlags; ; UCHAR WaitReason; UCHAR SwapBusy; UCHAR Alerted2; union LIST_ENTRY WaitListEntry; SINGLE_LIST_ENTRY SwapListEntry; ; PKQUEUE Queue; ULONG WaitTime; union struct SHORT KernelApcDisable; SHORT SpecialApcDisable; ; ULONG CombinedApcDisable; ; PVOID Teb; union KTIMER Timer; UCHAR TimerFill40; ; union ULONG AutoAlignment: 1; ULONG DisableBoost: 1; ULONG EtwStackTraceApc1Inserted: 1; ULONG EtwStackTraceApc2Inserted: 1; ULONG CycleChargePending: 1; ULONG CalloutActive: 1; ULONG ApcQueueable: 1; ULONG EnableStackSwap: 1; ULONG GuiThread: 1; ULONG ReservedFlags: 23; LONG ThreadFlags; ; union KWAIT_BLOCK WaitBlock4; struct UCHAR WaitBlockFill023; UCHAR IdealProcessor; ; struct UCHAR WaitBlockFill147; CHAR PreviousMode; ; struct UCHAR WaitBlockFill271; UCHAR ResourceIndex; ; UCHAR WaitBlockFill395; ; UCHAR LargeStack; LIST_ENTRY QueueListEntry; PKTRAP_FRAME TrapFrame; PVOID FirstArgument; union PVOID CallbackStack; ULONG CallbackDepth; ; PVOID ServiceTable; UCHAR ApcStateIndex; CHAR BasePriority; CHAR PriorityDecrement; UCHAR Preempted; UCHAR AdjustReason; CHAR AdjustIncrement; UCHAR Spare01; CHAR Saturation; ULONG SystemCallNumber; ULONG Spare02; ULONG UserAffinity; PKPROCESS Process; ULONG Affinity; PKAPC_STATE ApcStatePointer2; union KAPC_STATE SavedApcState; UCHAR SavedApcStateFill23; ; CHAR FreezeCount; CHAR SuspendCount; UCHAR UserIdealProcessor; UCHAR Spare03; UCHAR Iopl; PVOID Win32Thread; PVOID StackBase; union KAPC SuspendApc; struct UCHAR SuspendApcFill01; CHAR Spare04; ; struct UCHAR SuspendApcFill13; UCHAR QuantumReset; ; struct UCHAR SuspendApcFill24; ULONG KernelTime; ; struct UCHAR SuspendApcFill336; PKPRCB WaitPrcb; ; struct UCHAR SuspendApcFill440; PVOID LegoData; ; UCHAR SuspendApcFill547; ; UCHAR PowerState; ULONG UserTime; union KSEMAPHORE SuspendSemaphore; UCHAR SuspendSemaphorefill20; ; ULONG SListFaultCount; LIST_ENTRY ThreadListEntry; LIST_ENTRY MutantListHead; PVOID SListFaultAddress; PVOID MdlForLockedTeb; KTHREAD, *PKTHREAD;struct TEBtypedef struct _TEB NT_TIB NtTib; PVOID EnvironmentPointer; CLIENT_ID ClientId; PVOID ActiveRpcHandle; PVOID ThreadLocalStoragePointer; PPEB ProcessEnvironmentBlock; ULONG LastErrorValue; ULONG CountOfOwnedCriticalSections; PVOID CsrClientThread; PVOID Win32ThreadInfo; ULONG User32Reserved26; ULONG UserReserved5; PVOID WOW32Reserved; ULONG CurrentLocale; ULONG FpSoftwareStatusRegister; VOID * SystemReserved154; LONG ExceptionCode; PACTIVATION_CONTEXT_STACK ActivationContextStackPointer; UCHAR SpareBytes136; ULONG TxFsContext; GDI_TEB_BATCH GdiTebBatch; CLIENT_ID RealClientId; PVOID GdiCachedProcessHandle; ULONG GdiClientPID; ULONG GdiClientTID; PVOID GdiThreadLocalInfo; ULONG Win32ClientInfo62; VOID * glDispatchTable233; ULONG glReserved129; PVOID glReserved2; PVOID glSectionInfo; PVOID glSection; PVOID glTable; PVOID glCurrentRC; PVOID glContext; ULONG LastStatusValue; UNICODE_STRING StaticUnicodeString; WCHAR StaticUnicodeBuffer261; PVOID DeallocationStack