注:下面列出的几个结构(_EPROCESS、_KPROCESS、_PEB)都比较复杂、成员很多,这里只摘录了一部分成员,被省略的位置在结构体中就地标出;
列在一起的成员在源代码中不一定是连续的,因此不能据此推算成员偏移。
1、_EPROCESS 结构 : Ps.h (/base/ntos/inc/ ) ;242
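typedef struct _EPROCESS {                // Executive Process Block: the kernel's per-process object
    KPROCESS Pcb;                         // Kernel process block (PCB). It is the first member, so a
                                          // PEPROCESS and its PKPROCESS refer to the same address.
    EX_PUSH_LOCK ProcessLock;             // Push lock protecting this object
    LARGE_INTEGER CreateTime;             // Process creation time
    LARGE_INTEGER ExitTime;               // Process exit time
    EX_RUNDOWN_REF RundownProtect;        // Rundown reference: lets callers hold the object briefly so it
                                          // cannot be torn down underneath them — presumably, from the
                                          // EX_RUNDOWN_REF type; confirm against its acquire/release users
    HANDLE UniqueProcessId;               // PID, the process's unique identifier
    LIST_ENTRY ActiveProcessLinks;        // Links this process into the system-wide active-process list.
                                          // NOTE(review): unlinking an entry here hides the process from
                                          // list walkers (DKOM-style hiding); detection tooling should
                                          // cross-check against other enumerations (handle table, threads).
    /*++
    Quota fields.
    The enum below is shown for reference only (it is a comment in this listing);
    PsQuotaTypes (== 3) must already be declared before this struct for the
    array bounds that follow to resolve.

    typedef enum _PS_QUOTA_TYPE {
        PsNonPagedPool = 0,
        PsPagedPool = 1,
        PsPageFile = 2,
        PsQuotaTypes = 3
    } PS_QUOTA_TYPE, *PPS_QUOTA_TYPE;
    --*/
    SIZE_T QuotaUsage[PsQuotaTypes];      // Current quota usage, indexed by PS_QUOTA_TYPE
    SIZE_T QuotaPeak[PsQuotaTypes];       // Peak quota usage, same indexing
    SIZE_T CommitCharge;                  // Commit charge currently held by the process
    SIZE_T PeakVirtualSize;               // Peak virtual address space size
    SIZE_T VirtualSize;                   // Current virtual address space size
    LIST_ENTRY SessionProcessLinks;       // Links in the owning session's process list
    PVOID DebugPort;                      // Debug port object used for debugger notifications
    PVOID ExceptionPort;                  // Exception port object
    PHANDLE_TABLE ObjectTable;            // Handle table: maps this process's handles to kernel objects
    EX_FAST_REF Token;                    // Fast reference to the process's primary access token, i.e.
                                          // its security context.
                                          // NOTE(review): this one reference determines the process's
                                          // privileges; a kernel write primitive that swaps it for a more
                                          // privileged process's token is the classic "token stealing"
                                          // escalation, so integrity checks should treat it as high-value.
    PFN_NUMBER WorkingSetPage;            // Page frame number of the working-set list page
    KGUARDED_MUTEX AddressCreationLock;   // Guarded mutex serialising address-space creation
    ULONG_PTR HardwareTrigger;            // Hardware trigger value — purpose not evident from this listing
    // Describes the status of the portions of the address space that exist in the process
    PMM_AVL_TABLE PhysicalVadRoot;        // AVL table of physical-memory VADs — per the name; confirm
    PVOID CloneRoot;                      // Used when forking a process (address-space clone root)
    PFN_NUMBER NumberOfPrivatePages;      // Count of private pages
    PFN_NUMBER NumberOfLockedPages;       // Count of pages locked in memory
    PVOID Win32Process;                   // Win32 subsystem (win32k) per-process data
    struct _EJOB *Job;                    // Job object this process belongs to, if any
    PVOID SectionObject;                  // Section object backing the process image (file mapping)
    PVOID SectionBaseAddress;             // Base address at which the image section is mapped
    // Quota block limiting non-paged pool, paged pool and pagefile usage
    PEPROCESS_QUOTA_BLOCK QuotaBlock;
    PPAGEFAULT_HISTORY WorkingSetWatch;   // Page-fault history (working-set watch)
    // Handle to the window station object that the process is associated with
    HANDLE Win32WindowStation;
    HANDLE InheritedFromUniqueProcessId;  // PID of the creating (parent) process, recorded at creation.
                                          // NOTE(review): a number, not a live link — the parent may have
                                          // exited and the PID been reused, so lineage reconstruction
                                          // should also compare creation times.
    PVOID LdtInformation;                 // Local Descriptor Table (LDT) information
    PVOID VadFreeHint;                    // Hint used when searching for free VAD ranges on insert/remove
    PVOID VdmObjects;                     // Virtual DOS Machine (VDM) objects
    PVOID DeviceMap;                      // Address of the object directory used to resolve device-name references
    PVOID Spare0[3];                      // Reserved
    union {
        HARDWARE_PTE PageDirectoryPte;    // Hardware PTE for the process page directory
        ULONGLONG Filler;                 // Pads the union to 64 bits
    };
    PVOID Session;                        // Session space structure
    UCHAR ImageFileName[16];              // Image file name, 16 bytes: at most 15 characters plus a NUL
                                          // (NUL termination is what the WRK copy does — confirm).
                                          // NOTE(review): truncated and derived from the path the creator
                                          // supplied, so it is not an identity to base policy on; use the
                                          // full path in SeAuditProcessCreationInfo for auditing.
    LIST_ENTRY JobLinks;                  // Links in the job's process list
    PVOID LockedPagesList;                // List of locked pages — confirm exact use
    LIST_ENTRY ThreadListHead;            // Head of the list of this process's threads
    PVOID SecurityPort;                   // Used by the redirector/security subsystem for authentication
    PVOID PaeTop;                         // PAE top-level page directory
    ULONG ActiveThreads;                  // Number of active threads
    ACCESS_MASK GrantedAccess;            // Access the process's threads are granted to the process object — presumably
    NTSTATUS LastThreadExitStatus;        // Exit status of the last thread to exit
    ULONG DefaultHardErrorProcessing;     // Default hard-error handling mode (how hard errors raised by the
                                          // process are processed); this is not a hardware-error setting
    PPEB Peb;                             // Process Environment Block; lives in USER address space.
                                          // NOTE(review): the process can write it, so kernel code must
                                          // not trust its contents.
    EX_FAST_REF PrefetchTrace;            // Pointer to the prefetch trace block
    // I/O accounting: read, write and other operation and transfer counts
    LARGE_INTEGER ReadOperationCount;
    LARGE_INTEGER WriteOperationCount;
    LARGE_INTEGER OtherOperationCount;
    LARGE_INTEGER ReadTransferCount;
    LARGE_INTEGER WriteTransferCount;
    LARGE_INTEGER OtherTransferCount;
    SIZE_T CommitChargeLimit;             // Commit charge limit enforced against this process (the original
                                          // note described it as pagefile size plus available physical
                                          // memory excluding non-paged RAM — unverified here)
    SIZE_T CommitChargePeak;              // Peak commit charge
    // Address Windowing Extensions (AWE) state: lets a 32-bit process map physical memory
    // beyond what fits in its virtual address space
    PVOID AweInfo;
    // Process creation audit information, including the full image path
    SE_AUDIT_PROCESS_CREATION_INFO SeAuditProcessCreationInfo;
    MMSUPPORT Vm;                         // Memory-management (working-set) support information
    LIST_ENTRY MmProcessLinks;            // Links in the memory manager's process list
    ULONG ModifiedPageCount;              // Number of modified pages
#define PS_JOB_STATUS_NOT_REALLY_ACTIVE 0x00000001UL
#define PS_JOB_STATUS_ACCOUNTING_FOLDED 0x00000002UL
#define PS_JOB_STATUS_NEW_PROCESS_REPORTED 0x00000004UL
#define PS_JOB_STATUS_EXIT_PROCESS_REPORTED 0x00000008UL
#define PS_JOB_STATUS_REPORT_COMMIT_CHANGES 0x00000010UL
#define PS_JOB_STATUS_LAST_REPORT_MEMORY 0x00000020UL
#define PS_JOB_STATUS_REPORT_PHYSICAL_PAGE_CHANGES 0x00000040UL
    ULONG JobStatus;                      // Job status bits (PS_JOB_STATUS_*)
    /* ... members omitted from this listing ... */
    ULONG Flags;                          // Process flag bits (e.g. PROCESS_EXITING, CREATE_FAILED); not an identifier
    NTSTATUS ExitStatus;                  // Process exit status
    // Next page colour: pages on the free/zeroed lists are linked by "colour"
    // (their position in the processor's memory cache)
    USHORT NextPageColor;
    // Subsystem version of the image
    union {
        struct {
            UCHAR SubSystemMinorVersion;
            UCHAR SubSystemMajorVersion;
        };
        USHORT SubSystemVersion;
    };
    UCHAR PriorityClass;                  // Priority class
    MM_AVL_TABLE VadRoot;                 // Root of the Virtual Address Descriptor (VAD) AVL tree
    ULONG Cookie;                         // Per-process cookie value — purpose not evident from this listing
} EPROCESS, *PEPROCESS;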
2、_KPROCESS 结构 Ke.h (/base/ntos/inc) ;944
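typedef struct _KPROCESS {                // Kernel process block (the Pcb member of EPROCESS)
    DISPATCHER_HEADER Header;             // Dispatcher header: makes the process a waitable object
    LIST_ENTRY ProfileListHead;           // List head; the original listing marks its purpose unknown —
                                          // presumably profile objects attached to this process; confirm
    ULONG_PTR DirectoryTableBase[2];      // Page directory table base(s); entry 0 is the value loaded into
                                          // CR3 on a switch to this process, the role of entry 1 — confirm
    KGDTENTRY LdtDescriptor;              // GDT entry describing the process's LDT
    KIDTENTRY Int21Descriptor;            // IDT entry for INT 21h, kept for DOS compatibility
    USHORT IopmOffset;                    // Offset of the I/O permission map (IOPM) within the TSS
    UCHAR Iopl;                           // I/O privilege level (EFLAGS.IOPL) for the process's threads.
                                          // NOTE(review): IopmOffset and Iopl decide whether user-mode code
                                          // may execute port I/O (IN/OUT); changing them must stay limited
                                          // to suitably privileged callers.
    volatile KAFFINITY ActiveProcessors;  // Bitmask of processors currently running this process's
                                          // threads (an affinity mask, not a processor count)
    ULONG KernelTime;                     // Accumulated kernel-mode time
    ULONG UserTime;                       // Accumulated user-mode time
    LIST_ENTRY ReadyListHead;             // List head of ready threads belonging to this process
    SINGLE_LIST_ENTRY SwapListEntry;      // Entry in the process swap list
    PVOID VdmTrapcHandler;                // VDM trap handler
    LIST_ENTRY ThreadListHead;            // Head of the list of this process's kernel threads
    KSPIN_LOCK ProcessLock;               // Spin lock protecting the kernel process block
    KAFFINITY Affinity;                   // Default processor affinity mask for the process's threads
#define KPROCESS_AUTO_ALIGNMENT_BIT 0
#define KPROCESS_DISABLE_BOOST_BIT 1
#define KPROCESS_DISABLE_QUANTUM_BIT 2
    union {
        struct {
            LONG AutoAlignment : 1;       // Automatic alignment fixup enabled
            LONG DisableBoost : 1;        // Dynamic priority boosts disabled
            LONG DisableQuantum : 1;      // Quantum (time-slice) adjustment disabled
            LONG ReservedFlags : 29;
        };
        LONG ProcessFlags;                // The same bits as one word (see KPROCESS_*_BIT)
    };
    SCHAR BasePriority;                   // Base priority
    SCHAR QuantumReset;                   // Quantum reset value (time slice)
    UCHAR State;                          // Process state
    UCHAR ThreadSeed;                     // Seed used when choosing processors for new threads — presumably
    UCHAR PowerState;                     // Power state
    UCHAR IdealNode;                      // Ideal NUMA node (a node, not a processor)
    BOOLEAN Visited;                      // Visited flag
    /* ... members omitted from this listing ... */
    ULONG_PTR StackCount;                 // Kernel stack reference count — confirm exact semantics
    LIST_ENTRY ProcessListEntry;          // Links in the kernel's process list
} KPROCESS, *PKPROCESS, *PRKPROCESS;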
3、PEB 结构 Pebteb.h (public/sdk/inc) ;75
//PEB 结构有些复杂,包含的信息比较多,在此只列出一小部分
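#define PEBTEB_POINTER(x) x               // Identity mappings here; the real header uses them to
#define PEBTEB_STRUCT(x) x                // emit alternate (e.g. 32-bit) layouts of the same struct
typedef struct PEBTEB_STRUCT(_PEB) {      // Process Environment Block: per-process data kept in
                                          // USER address space (only a subset of members is listed).
    // NOTE(review): every field below is writable by the process itself (and by anything that can
    // write its memory). Treat the contents as informational — kernel code and other processes
    // must not base security decisions on them without independent verification.
    BOOLEAN InheritedAddressSpace;        // Set when the address space was inherited from the creator
    /* ... members omitted from this listing ... */
    PEBTEB_POINTER(HANDLE) Mutant;        // Mutant (mutex) handle
    PEBTEB_POINTER(PVOID) ImageBaseAddress; // Base address of the process's main image
    PEBTEB_POINTER(PVOID) SubSystemData;  // Subsystem-private data
    PEBTEB_POINTER(PVOID) ProcessHeap;    // Default process heap
    PEBTEB_POINTER(struct _RTL_CRITICAL_SECTION*) FastPebLock; // Critical section guarding PEB updates
    PEBTEB_POINTER(PVOID) KernelCallbackTable; // Table of user-mode function pointers called back from
                                          // the kernel — being process-writable it is a known code-
                                          // redirection target; presumably, confirm against callers
    PEBTEB_POINTER(PPEB_FREE_BLOCK) FreeList; // PEB free-block list (PEB_FREE_BLOCK), not a list of freed PEBs
    ULONG NumberOfProcessors;             // Processor count
    ULONG NtGlobalFlag;                   // NtGlobalFlag bits for this process.
                                          // NOTE(review): debugger-created processes typically carry
                                          // heap-debug bits here, which anti-debugging code reads — confirm
    LARGE_INTEGER CriticalSectionTimeout; // Default critical-section wait timeout
    PEBTEB_POINTER(PVOID) GdiSharedHandleTable; // GDI shared handle table
    /* ... members omitted from this listing ... */
    ULONG OSMajorVersion;                 // OS major version
    ULONG OSMinorVersion;                 // OS minor version
    USHORT OSBuildNumber;                 // OS build number (not a "compile count")
    USHORT OSCSDVersion;                  // Service pack (CSD) version
    ULONG OSPlatformId;                   // OS platform id
    ULONG ImageSubsystem;                 // Subsystem of the process image
    ULONG ImageSubsystemMajorVersion;     // Image subsystem major version
    ULONG ImageSubsystemMinorVersion;     // Image subsystem minor version
    PEBTEB_POINTER(ULONG_PTR) ImageProcessAffinityMask; // Processor affinity mask taken from the image
    PEBTEB_STRUCT(GDI_HANDLE_BUFFER) GdiHandleBuffer; // GDI handle buffer
    ULONG SessionId;                      // Session id
    PEBTEB_POINTER(SIZE_T) MinimumStackCommit; // Minimum stack commit for new threads
    /* ... members omitted from this listing ... */
} PEBTEB_STRUCT(PEB), * PEBTEB_STRUCT(PPEB);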