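Getting the Process Name via EPROCESS
Posted by Ox9A82 on 2016-03-18
I used this in the previous post on self-protection; the main issue is that the position differs between versions. I looked it up and found that the layouts on XP and Win7 are as follows.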
WIN7

```
lkd> dt nt!_EPROCESS
   +0x000 Pcb : _KPROCESS
   +0x098 ProcessLock : _EX_PUSH_LOCK
   +0x0a0 CreateTime : _LARGE_INTEGER
   +0x0a8 ExitTime : _LARGE_INTEGER
   +0x0b0 RundownProtect : _EX_RUNDOWN_REF
   +0x0b4 UniqueProcessId : Ptr32 Void
   +0x0b8 ActiveProcessLinks : _LIST_ENTRY
   +0x0c0 ProcessQuotaUsage : [2] Uint4B
   +0x0c8 ProcessQuotaPeak : [2] Uint4B
   +0x0d0 CommitCharge : Uint4B
   +0x0d4 QuotaBlock : Ptr32 _EPROCESS_QUOTA_BLOCK
   +0x0d8 CpuQuotaBlock : Ptr32 _PS_CPU_QUOTA_BLOCK
   +0x0dc PeakVirtualSize : Uint4B
   +0x0e0 VirtualSize : Uint4B
   +0x0e4 SessionProcessLinks : _LIST_ENTRY
   +0x0ec DebugPort : Ptr32 Void
   +0x0f0 ExceptionPortData : Ptr32 Void
   +0x0f0 ExceptionPortValue : Uint4B
   +0x0f0 ExceptionPortState : Pos 0, 3 Bits
   +0x0f4 ObjectTable : Ptr32 _HANDLE_TABLE
   +0x0f8 Token : _EX_FAST_REF
   +0x0fc WorkingSetPage : Uint4B
   +0x100 AddressCreationLock : _EX_PUSH_LOCK
   +0x104 RotateInProgress : Ptr32 _ETHREAD
   +0x108 ForkInProgress : Ptr32 _ETHREAD
   +0x10c HardwareTrigger : Uint4B
   +0x110 PhysicalVadRoot : Ptr32 _MM_AVL_TABLE
   +0x114 CloneRoot : Ptr32 Void
   +0x118 NumberOfPrivatePages : Uint4B
   +0x11c NumberOfLockedPages : Uint4B
   +0x120 Win32Process : Ptr32 Void
   +0x124 Job : Ptr32 _EJOB
   +0x128 SectionObject : Ptr32 Void
   +0x12c SectionBaseAddress : Ptr32 Void
   +0x130 Cookie : Uint4B
   +0x134 Spare8 : Uint4B
   +0x138 WorkingSetWatch : Ptr32 _PAGEFAULT_HISTORY
   +0x13c Win32WindowStation : Ptr32 Void
   +0x140 InheritedFromUniqueProcessId : Ptr32 Void
   +0x144 LdtInformation : Ptr32 Void
   +0x148 VdmObjects : Ptr32 Void
   +0x14c ConsoleHostProcess : Uint4B
   +0x150 DeviceMap : Ptr32 Void
   +0x154 EtwDataSource : Ptr32 Void
   +0x158 FreeTebHint : Ptr32 Void
   +0x160 PageDirectoryPte : _HARDWARE_PTE
   +0x160 Filler : Uint8B
   +0x168 Session : Ptr32 Void
   +0x16c ImageFileName : [15] UChar
   +0x17b PriorityClass : UChar
   +0x17c JobLinks : _LIST_ENTRY
   +0x184 LockedPagesList : Ptr32 Void
   +0x188 ThreadListHead : _LIST_ENTRY
   +0x190 SecurityPort : Ptr32 Void
   +0x194 PaeTop : Ptr32 Void
   +0x198 ActiveThreads : Uint4B
   +0x19c ImagePathHash : Uint4B
   +0x1a0 DefaultHardErrorProcessing : Uint4B
   +0x1a4 LastThreadExitStatus : Int4B
   +0x1a8 Peb : Ptr32 _PEB
   +0x1ac PrefetchTrace : _EX_FAST_REF
   +0x1b0 ReadOperationCount : _LARGE_INTEGER
   +0x1b8 WriteOperationCount : _LARGE_INTEGER
   +0x1c0 OtherOperationCount : _LARGE_INTEGER
   +0x1c8 ReadTransferCount : _LARGE_INTEGER
   +0x1d0 WriteTransferCount : _LARGE_INTEGER
   +0x1d8 OtherTransferCount : _LARGE_INTEGER
   +0x1e0 CommitChargeLimit : Uint4B
   +0x1e4 CommitChargePeak : Uint4B
   +0x1e8 AweInfo : Ptr32 Void
   +0x1ec SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO
   +0x1f0 Vm : _MMSUPPORT
   +0x25c MmProcessLinks : _LIST_ENTRY
   +0x264 HighestUserAddress : Ptr32 Void
   +0x268 ModifiedPageCount : Uint4B
   +0x26c Flags2 : Uint4B
   +0x26c JobNotReallyActive : Pos 0, 1 Bit
   +0x26c AccountingFolded : Pos 1, 1 Bit
   +0x26c NewProcessReported : Pos 2, 1 Bit
   +0x26c ExitProcessReported : Pos 3, 1 Bit
   +0x26c ReportCommitChanges : Pos 4, 1 Bit
   +0x26c LastReportMemory : Pos 5, 1 Bit
   +0x26c ReportPhysicalPageChanges : Pos 6, 1 Bit
   +0x26c HandleTableRundown : Pos 7, 1 Bit
   +0x26c NeedsHandleRundown : Pos 8, 1 Bit
   +0x26c RefTraceEnabled : Pos 9, 1 Bit
   +0x26c NumaAware : Pos 10, 1 Bit
   +0x26c ProtectedProcess : Pos 11, 1 Bit
   +0x26c DefaultPagePriority : Pos 12, 3 Bits
   +0x26c PrimaryTokenFrozen : Pos 15, 1 Bit
   +0x26c ProcessVerifierTarget : Pos 16, 1 Bit
   +0x26c StackRandomizationDisabled : Pos 17, 1 Bit
   +0x26c AffinityPermanent : Pos 18, 1 Bit
   +0x26c AffinityUpdateEnable : Pos 19, 1 Bit
   +0x26c PropagateNode : Pos 20, 1 Bit
   +0x26c ExplicitAffinity : Pos 21, 1 Bit
   +0x270 Flags : Uint4B
   +0x270 CreateReported : Pos 0, 1 Bit
   +0x270 NoDebugInherit : Pos 1, 1 Bit
   +0x270 ProcessExiting : Pos 2, 1 Bit
   +0x270 ProcessDelete : Pos 3, 1 Bit
   +0x270 Wow64SplitPages : Pos 4, 1 Bit
   +0x270 VmDeleted : Pos 5, 1 Bit
   +0x270 OutswapEnabled : Pos 6, 1 Bit
   +0x270 Outswapped : Pos 7, 1 Bit
   +0x270 ForkFailed : Pos 8, 1 Bit
   +0x270 Wow64VaSpace4Gb : Pos 9, 1 Bit
   +0x270 AddressSpaceInitialized : Pos 10, 2 Bits
   +0x270 SetTimerResolution : Pos 12, 1 Bit
   +0x270 BreakOnTermination : Pos 13, 1 Bit
   +0x270 DeprioritizeViews : Pos 14, 1 Bit
   +0x270 WriteWatch : Pos 15, 1 Bit
   +0x270 ProcessInSession : Pos 16, 1 Bit
   +0x270 OverrideAddressSpace : Pos 17, 1 Bit
   +0x270 HasAddressSpace : Pos 18, 1 Bit
   +0x270 LaunchPrefetched : Pos 19, 1 Bit
   +0x270 InjectInpageErrors : Pos 20, 1 Bit
   +0x270 VmTopDown : Pos 21, 1 Bit
   +0x270 ImageNotifyDone : Pos 22, 1 Bit
   +0x270 PdeUpdateNeeded : Pos 23, 1 Bit
   +0x270 VdmAllowed : Pos 24, 1 Bit
   +0x270 CrossSessionCreate : Pos 25, 1 Bit
   +0x270 ProcessInserted : Pos 26, 1 Bit
   +0x270 DefaultIoPriority : Pos 27, 3 Bits
   +0x270 ProcessSelfDelete : Pos 30, 1 Bit
   +0x270 SetTimerResolutionLink : Pos 31, 1 Bit
   +0x274 ExitStatus : Int4B
   +0x278 VadRoot : _MM_AVL_TABLE
   +0x298 AlpcContext : _ALPC_PROCESS_CONTEXT
   +0x2a8 TimerResolutionLink : _LIST_ENTRY
   +0x2b0 RequestedTimerResolution : Uint4B
   +0x2b4 ActiveThreadsHighWatermark : Uint4B
   +0x2b8 SmallestTimerResolution : Uint4B
   +0x2bc TimerResolutionStackRecord : Ptr32 _PO_DIAG_STACK_RECORD
```
WIN XP SP3

```
kd> dt -r1 _Eprocess
nt!_EPROCESS
   +0x000 Pcb : _KPROCESS
      +0x000 Header : _DISPATCHER_HEADER
      +0x010 ProfileListHead : _LIST_ENTRY
      +0x018 DirectoryTableBase : [2] Uint4B
      +0x020 LdtDescriptor : _KGDTENTRY
      +0x028 Int21Descriptor : _KIDTENTRY
      +0x030 IopmOffset : Uint2B
      +0x032 Iopl : UChar
      +0x033 Unused : UChar
      +0x034 ActiveProcessors : Uint4B
      +0x038 KernelTime : Uint4B
      +0x03c UserTime : Uint4B
      +0x040 ReadyListHead : _LIST_ENTRY
      +0x048 SwapListEntry : _SINGLE_LIST_ENTRY
      +0x04c VdmTrapcHandler : Ptr32 Void
      +0x050 ThreadListHead : _LIST_ENTRY
      +0x058 ProcessLock : Uint4B
      +0x05c Affinity : Uint4B
      +0x060 StackCount : Uint2B
      +0x062 BasePriority : Char
      +0x063 ThreadQuantum : Char
      +0x064 AutoAlignment : UChar
      +0x065 State : UChar
      +0x066 ThreadSeed : UChar
      +0x067 DisableBoost : UChar
      +0x068 PowerState : UChar
      +0x069 DisableQuantum : UChar
      +0x06a IdealNode : UChar
      +0x06b Flags : _KEXECUTE_OPTIONS
      +0x06b ExecuteOptions : UChar
   +0x06c ProcessLock : _EX_PUSH_LOCK
      +0x000 Waiting : Pos 0, 1 Bit
      +0x000 Exclusive : Pos 1, 1 Bit
      +0x000 Shared : Pos 2, 30 Bits
      +0x000 Value : Uint4B
      +0x000 Ptr : Ptr32 Void
   +0x070 CreateTime : _LARGE_INTEGER
      +0x000 LowPart : Uint4B
      +0x004 HighPart : Int4B
      +0x000 u : __unnamed
      +0x000 QuadPart : Int8B
   +0x078 ExitTime : _LARGE_INTEGER
      +0x000 LowPart : Uint4B
      +0x004 HighPart : Int4B
      +0x000 u : __unnamed
      +0x000 QuadPart : Int8B
   +0x080 RundownProtect : _EX_RUNDOWN_REF
      +0x000 Count : Uint4B
      +0x000 Ptr : Ptr32 Void
   +0x084 UniqueProcessId : Ptr32 Void
   +0x088 ActiveProcessLinks : _LIST_ENTRY
      +0x000 Flink : Ptr32 _LIST_ENTRY
      +0x004 Blink : Ptr32 _LIST_ENTRY
   +0x090 QuotaUsage : [3] Uint4B
   +0x09c QuotaPeak : [3] Uint4B
   +0x0a8 CommitCharge : Uint4B
   +0x0ac PeakVirtualSize : Uint4B
   +0x0b0 VirtualSize : Uint4B
   +0x0b4 SessionProcessLinks : _LIST_ENTRY
      +0x000 Flink : Ptr32 _LIST_ENTRY
      +0x004 Blink : Ptr32 _LIST_ENTRY
   +0x0bc DebugPort : Ptr32 Void
   +0x0c0 ExceptionPort : Ptr32 Void
   +0x0c4 ObjectTable : Ptr32 _HANDLE_TABLE
      +0x000 TableCode : Uint4B
      +0x004 QuotaProcess : Ptr32 _EPROCESS
      +0x008 UniqueProcessId : Ptr32 Void
      +0x00c HandleTableLock : [4] _EX_PUSH_LOCK
      +0x01c HandleTableList : _LIST_ENTRY
      +0x024 HandleContentionEvent : _EX_PUSH_LOCK
      +0x028 DebugInfo : Ptr32 _HANDLE_TRACE_DEBUG_INFO
      +0x02c ExtraInfoPages : Int4B
      +0x030 FirstFree : Uint4B
      +0x034 LastFree : Uint4B
      +0x038 NextHandleNeedingPool : Uint4B
      +0x03c HandleCount : Int4B
      +0x040 Flags : Uint4B
      +0x040 StrictFIFO : Pos 0, 1 Bit
   +0x0c8 Token : _EX_FAST_REF
      +0x000 Object : Ptr32 Void
      +0x000 RefCnt : Pos 0, 3 Bits
      +0x000 Value : Uint4B
   +0x0cc WorkingSetLock : _FAST_MUTEX
      +0x000 Count : Int4B
      +0x004 Owner : Ptr32 _KTHREAD
      +0x008 Contention : Uint4B
      +0x00c Event : _KEVENT
      +0x01c OldIrql : Uint4B
   +0x0ec WorkingSetPage : Uint4B
   +0x0f0 AddressCreationLock : _FAST_MUTEX
      +0x000 Count : Int4B
      +0x004 Owner : Ptr32 _KTHREAD
      +0x008 Contention : Uint4B
      +0x00c Event : _KEVENT
      +0x01c OldIrql : Uint4B
   +0x110 HyperSpaceLock : Uint4B
   +0x114 ForkInProgress : Ptr32 _ETHREAD
      +0x000 Tcb : _KTHREAD
      +0x1c0 CreateTime : _LARGE_INTEGER
      +0x1c0 NestedFaultCount : Pos 0, 2 Bits
      +0x1c0 ApcNeeded : Pos 2, 1 Bit
      +0x1c8 ExitTime : _LARGE_INTEGER
      +0x1c8 LpcReplyChain : _LIST_ENTRY
      +0x1c8 KeyedWaitChain : _LIST_ENTRY
      +0x1d0 ExitStatus : Int4B
      +0x1d0 OfsChain : Ptr32 Void
      +0x1d4 PostBlockList : _LIST_ENTRY
      +0x1dc TerminationPort : Ptr32 _TERMINATION_PORT
      +0x1dc ReaperLink : Ptr32 _ETHREAD
      +0x1dc KeyedWaitValue : Ptr32 Void
      +0x1e0 ActiveTimerListLock : Uint4B
      +0x1e4 ActiveTimerListHead : _LIST_ENTRY
      +0x1ec Cid : _CLIENT_ID
      +0x1f4 LpcReplySemaphore : _KSEMAPHORE
      +0x1f4 KeyedWaitSemaphore : _KSEMAPHORE
      +0x208 LpcReplyMessage : Ptr32 Void
      +0x208 LpcWaitingOnPort : Ptr32 Void
      +0x20c ImpersonationInfo : Ptr32 _PS_IMPERSONATION_INFORMATION
      +0x210 IrpList : _LIST_ENTRY
      +0x218 TopLevelIrp : Uint4B
      +0x21c DeviceToVerify : Ptr32 _DEVICE_OBJECT
      +0x220 ThreadsProcess : Ptr32 _EPROCESS
      +0x224 StartAddress : Ptr32 Void
      +0x228 Win32StartAddress : Ptr32 Void
      +0x228 LpcReceivedMessageId : Uint4B
      +0x22c ThreadListEntry : _LIST_ENTRY
      +0x234 RundownProtect : _EX_RUNDOWN_REF
      +0x238 ThreadLock : _EX_PUSH_LOCK
      +0x23c LpcReplyMessageId : Uint4B
      +0x240 ReadClusterSize : Uint4B
      +0x244 GrantedAccess : Uint4B
      +0x248 CrossThreadFlags : Uint4B
      +0x248 Terminated : Pos 0, 1 Bit
      +0x248 DeadThread : Pos 1, 1 Bit
      +0x248 HideFromDebugger : Pos 2, 1 Bit
      +0x248 ActiveImpersonationInfo : Pos 3, 1 Bit
      +0x248 SystemThread : Pos 4, 1 Bit
      +0x248 HardErrorsAreDisabled : Pos 5, 1 Bit
      +0x248 BreakOnTermination : Pos 6, 1 Bit
      +0x248 SkipCreationMsg : Pos 7, 1 Bit
      +0x248 SkipTerminationMsg : Pos 8, 1 Bit
      +0x24c SameThreadPassiveFlags : Uint4B
      +0x24c ActiveExWorker : Pos 0, 1 Bit
      +0x24c ExWorkerCanWaitUser : Pos 1, 1 Bit
      +0x24c MemoryMaker : Pos 2, 1 Bit
      +0x250 SameThreadApcFlags : Uint4B
      +0x250 LpcReceivedMsgIdValid : Pos 0, 1 Bit
      +0x250 LpcExitThreadCalled : Pos 1, 1 Bit
      +0x250 AddressSpaceOwner : Pos 2, 1 Bit
      +0x254 ForwardClusterOnly : UChar
      +0x255 DisablePageFaultClustering : UChar
   +0x118 HardwareTrigger : Uint4B
   +0x11c VadRoot : Ptr32 Void
   +0x120 VadHint : Ptr32 Void
   +0x124 CloneRoot : Ptr32 Void
   +0x128 NumberOfPrivatePages : Uint4B
   +0x12c NumberOfLockedPages : Uint4B
   +0x130 Win32Process : Ptr32 Void
   +0x134 Job : Ptr32 _EJOB
      +0x000 Event : _KEVENT
      +0x010 JobLinks : _LIST_ENTRY
      +0x018 ProcessListHead : _LIST_ENTRY
      +0x020 JobLock : _ERESOURCE
      +0x058 TotalUserTime : _LARGE_INTEGER
      +0x060 TotalKernelTime : _LARGE_INTEGER
      +0x068 ThisPeriodTotalUserTime : _LARGE_INTEGER
      +0x070 ThisPeriodTotalKernelTime : _LARGE_INTEGER
      +0x078 TotalPageFaultCount : Uint4B
      +0x07c TotalProcesses : Uint4B
      +0x080 ActiveProcesses : Uint4B
      +0x084 TotalTerminatedProcesses : Uint4B
      +0x088 PerProcessUserTimeLimit : _LARGE_INTEGER
      +0x090 PerJobUserTimeLimit : _LARGE_INTEGER
      +0x098 LimitFlags : Uint4B
      +0x09c MinimumWorkingSetSize : Uint4B
      +0x0a0 MaximumWorkingSetSize : Uint4B
      +0x0a4 ActiveProcessLimit : Uint4B
      +0x0a8 Affinity : Uint4B
      +0x0ac PriorityClass : UChar
      +0x0b0 UIRestrictionsClass : Uint4B
      +0x0b4 SecurityLimitFlags : Uint4B
      +0x0b8 Token : Ptr32 Void
      +0x0bc Filter : Ptr32 _PS_JOB_TOKEN_FILTER
      +0x0c0 EndOfJobTimeAction : Uint4B
      +0x0c4 CompletionPort : Ptr32 Void
      +0x0c8 CompletionKey : Ptr32 Void
      +0x0cc SessionId : Uint4B
      +0x0d0 SchedulingClass : Uint4B
      +0x0d8 ReadOperationCount : Uint8B
      +0x0e0 WriteOperationCount : Uint8B
      +0x0e8 OtherOperationCount : Uint8B
      +0x0f0 ReadTransferCount : Uint8B
      +0x0f8 WriteTransferCount : Uint8B
      +0x100 OtherTransferCount : Uint8B
      +0x108 IoInfo : _IO_COUNTERS
      +0x138 ProcessMemoryLimit : Uint4B
      +0x13c JobMemoryLimit : Uint4B
      +0x140 PeakProcessMemoryUsed : Uint4B
      +0x144 PeakJobMemoryUsed : Uint4B
      +0x148 CurrentJobMemoryUsed : Uint4B
      +0x14c MemoryLimitsLock : _FAST_MUTEX
      +0x16c JobSetLinks : _LIST_ENTRY
      +0x174 MemberLevel : Uint4B
      +0x178 JobFlags : Uint4B
   +0x138 SectionObject : Ptr32 Void
   +0x13c SectionBaseAddress : Ptr32 Void
   +0x140 QuotaBlock : Ptr32 _EPROCESS_QUOTA_BLOCK
      +0x000 QuotaEntry : [3] _EPROCESS_QUOTA_ENTRY
      +0x030 QuotaList : _LIST_ENTRY
      +0x038 ReferenceCount : Uint4B
      +0x03c ProcessCount : Uint4B
   +0x144 WorkingSetWatch : Ptr32 _PAGEFAULT_HISTORY
      +0x000 CurrentIndex : Uint4B
      +0x004 MaxIndex : Uint4B
      +0x008 SpinLock : Uint4B
      +0x00c Reserved : Ptr32 Void
      +0x010 WatchInfo : [1] _PROCESS_WS_WATCH_INFORMATION
   +0x148 Win32WindowStation : Ptr32 Void
   +0x14c InheritedFromUniqueProcessId : Ptr32 Void
   +0x150 LdtInformation : Ptr32 Void
   +0x154 VadFreeHint : Ptr32 Void
   +0x158 VdmObjects : Ptr32 Void
   +0x15c DeviceMap : Ptr32 Void
   +0x160 PhysicalVadList : _LIST_ENTRY
      +0x000 Flink : Ptr32 _LIST_ENTRY
      +0x004 Blink : Ptr32 _LIST_ENTRY
   +0x168 PageDirectoryPte : _HARDWARE_PTE
      +0x000 Valid : Pos 0, 1 Bit
      +0x000 Write : Pos 1, 1 Bit
      +0x000 Owner : Pos 2, 1 Bit
      +0x000 WriteThrough : Pos 3, 1 Bit
      +0x000 CacheDisable : Pos 4, 1 Bit
      +0x000 Accessed : Pos 5, 1 Bit
      +0x000 Dirty : Pos 6, 1 Bit
      +0x000 LargePage : Pos 7, 1 Bit
      +0x000 Global : Pos 8, 1 Bit
      +0x000 CopyOnWrite : Pos 9, 1 Bit
      +0x000 Prototype : Pos 10, 1 Bit
      +0x000 reserved : Pos 11, 1 Bit
      +0x000 PageFrameNumber : Pos 12, 20 Bits
   +0x168 Filler : Uint8B
   +0x170 Session : Ptr32 Void
   +0x174 ImageFileName : [16] UChar
   +0x184 JobLinks : _LIST_ENTRY
      +0x000 Flink : Ptr32 _LIST_ENTRY
      +0x004 Blink : Ptr32 _LIST_ENTRY
   +0x18c LockedPagesList : Ptr32 Void
   +0x190 ThreadListHead : _LIST_ENTRY
      +0x000 Flink : Ptr32 _LIST_ENTRY
      +0x004 Blink : Ptr32 _LIST_ENTRY
   +0x198 SecurityPort : Ptr32 Void
   +0x19c PaeTop : Ptr32 Void
   +0x1a0 ActiveThreads : Uint4B
   +0x1a4 GrantedAccess : Uint4B
   +0x1a8 DefaultHardErrorProcessing : Uint4B
   +0x1ac LastThreadExitStatus : Int4B
   +0x1b0 Peb : Ptr32 _PEB
      +0x000 InheritedAddressSpace : UChar
      +0x001 ReadImageFileExecOptions : UChar
      +0x002 BeingDebugged : UChar
      +0x003 SpareBool : UChar
      +0x004 Mutant : Ptr32 Void
      +0x008 ImageBaseAddress : Ptr32 Void
      +0x00c Ldr : Ptr32 _PEB_LDR_DATA
      +0x010 ProcessParameters : Ptr32 _RTL_USER_PROCESS_PARAMETERS
      +0x014 SubSystemData : Ptr32 Void
      +0x018 ProcessHeap : Ptr32 Void
      +0x01c FastPebLock : Ptr32 _RTL_CRITICAL_SECTION
      +0x020 FastPebLockRoutine : Ptr32 Void
      +0x024 FastPebUnlockRoutine : Ptr32 Void
      +0x028 EnvironmentUpdateCount : Uint4B
      +0x02c KernelCallbackTable : Ptr32 Void
      +0x030 SystemReserved : [1] Uint4B
      +0x034 AtlThunkSListPtr32 : Uint4B
      +0x038 FreeList : Ptr32 _PEB_FREE_BLOCK
      +0x03c TlsExpansionCounter : Uint4B
      +0x040 TlsBitmap : Ptr32 Void
      +0x044 TlsBitmapBits : [2] Uint4B
      +0x04c ReadOnlySharedMemoryBase : Ptr32 Void
      +0x050 ReadOnlySharedMemoryHeap : Ptr32 Void
      +0x054 ReadOnlyStaticServerData : Ptr32 Ptr32 Void
      +0x058 AnsiCodePageData : Ptr32 Void
      +0x05c OemCodePageData : Ptr32 Void
      +0x060 UnicodeCaseTableData : Ptr32 Void
      +0x064 NumberOfProcessors : Uint4B
      +0x068 NtGlobalFlag : Uint4B
      +0x070 CriticalSectionTimeout : _LARGE_INTEGER
      +0x078 HeapSegmentReserve : Uint4B
      +0x07c HeapSegmentCommit : Uint4B
      +0x080 HeapDeCommitTotalFreeThreshold : Uint4B
      +0x084 HeapDeCommitFreeBlockThreshold : Uint4B
      +0x088 NumberOfHeaps : Uint4B
      +0x08c MaximumNumberOfHeaps : Uint4B
      +0x090 ProcessHeaps : Ptr32 Ptr32 Void
      +0x094 GdiSharedHandleTable : Ptr32 Void
      +0x098 ProcessStarterHelper : Ptr32 Void
      +0x09c GdiDCAttributeList : Uint4B
      +0x0a0 LoaderLock : Ptr32 Void
      +0x0a4 OSMajorVersion : Uint4B
      +0x0a8 OSMinorVersion : Uint4B
      +0x0ac OSBuildNumber : Uint2B
      +0x0ae OSCSDVersion : Uint2B
      +0x0b0 OSPlatformId : Uint4B
      +0x0b4 ImageSubsystem : Uint4B
      +0x0b8 ImageSubsystemMajorVersion : Uint4B
      +0x0bc ImageSubsystemMinorVersion : Uint4B
      +0x0c0 ImageProcessAffinityMask : Uint4B
      +0x0c4 GdiHandleBuffer : [34] Uint4B
      +0x14c PostProcessInitRoutine : Ptr32 void
      +0x150 TlsExpansionBitmap : Ptr32 Void
      +0x154 TlsExpansionBitmapBits : [32] Uint4B
      +0x1d4 SessionId : Uint4B
      +0x1d8 AppCompatFlags : _ULARGE_INTEGER
      +0x1e0 AppCompatFlagsUser : _ULARGE_INTEGER
      +0x1e8 pShimData : Ptr32 Void
      +0x1ec AppCompatInfo : Ptr32 Void
      +0x1f0 CSDVersion : _UNICODE_STRING
      +0x1f8 ActivationContextData : Ptr32 Void
      +0x1fc ProcessAssemblyStorageMap : Ptr32 Void
      +0x200 SystemDefaultActivationContextData : Ptr32 Void
      +0x204 SystemAssemblyStorageMap : Ptr32 Void
      +0x208 MinimumStackCommit : Uint4B
   +0x1b4 PrefetchTrace : _EX_FAST_REF
      +0x000 Object : Ptr32 Void
      +0x000 RefCnt : Pos 0, 3 Bits
      +0x000 Value : Uint4B
   +0x1b8 ReadOperationCount : _LARGE_INTEGER
      +0x000 LowPart : Uint4B
      +0x004 HighPart : Int4B
      +0x000 u : __unnamed
      +0x000 QuadPart : Int8B
   +0x1c0 WriteOperationCount : _LARGE_INTEGER
      +0x000 LowPart : Uint4B
      +0x004 HighPart : Int4B
      +0x000 u : __unnamed
      +0x000 QuadPart : Int8B
   +0x1c8 OtherOperationCount : _LARGE_INTEGER
      +0x000 LowPart : Uint4B
      +0x004 HighPart : Int4B
      +0x000 u : __unnamed
      +0x000 QuadPart : Int8B
   +0x1d0 ReadTransferCount : _LARGE_INTEGER
      +0x000 LowPart : Uint4B
      +0x004 HighPart : Int4B
      +0x000 u : __unnamed
      +0x000 QuadPart : Int8B
   +0x1d8 WriteTransferCount : _LARGE_INTEGER
      +0x000 LowPart : Uint4B
      +0x004 HighPart : Int4B
      +0x000 u : __unnamed
      +0x000 QuadPart : Int8B
   +0x1e0 OtherTransferCount : _LARGE_INTEGER
      +0x000 LowPart : Uint4B
      +0x004 HighPart : Int4B
      +0x000 u : __unnamed
      +0x000 QuadPart : Int8B
   +0x1e8 CommitChargeLimit : Uint4B
   +0x1ec CommitChargePeak : Uint4B
   +0x1f0 AweInfo : Ptr32 Void
   +0x1f4 SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO
      +0x000 ImageFileName : Ptr32 _OBJECT_NAME_INFORMATION
   +0x1f8 Vm : _MMSUPPORT
      +0x000 LastTrimTime : _LARGE_INTEGER
      +0x008 Flags : _MMSUPPORT_FLAGS
      +0x00c PageFaultCount : Uint4B
      +0x010 PeakWorkingSetSize : Uint4B
      +0x014 WorkingSetSize : Uint4B
      +0x018 MinimumWorkingSetSize : Uint4B
      +0x01c MaximumWorkingSetSize : Uint4B
      +0x020 VmWorkingSetList : Ptr32 _MMWSL
      +0x024 WorkingSetExpansionLinks : _LIST_ENTRY
      +0x02c Claim : Uint4B
      +0x030 NextEstimationSlot : Uint4B
      +0x034 NextAgingSlot : Uint4B
      +0x038 EstimatedAvailable : Uint4B
      +0x03c GrowthSinceLastEstimate : Uint4B
   +0x238 LastFaultCount : Uint4B
   +0x23c ModifiedPageCount : Uint4B
   +0x240 NumberOfVads : Uint4B
   +0x244 JobStatus : Uint4B
   +0x248 Flags : Uint4B
   +0x248 CreateReported : Pos 0, 1 Bit
   +0x248 NoDebugInherit : Pos 1, 1 Bit
   +0x248 ProcessExiting : Pos 2, 1 Bit
   +0x248 ProcessDelete : Pos 3, 1 Bit
   +0x248 Wow64SplitPages : Pos 4, 1 Bit
   +0x248 VmDeleted : Pos 5, 1 Bit
   +0x248 OutswapEnabled : Pos 6, 1 Bit
   +0x248 Outswapped : Pos 7, 1 Bit
   +0x248 ForkFailed : Pos 8, 1 Bit
   +0x248 HasPhysicalVad : Pos 9, 1 Bit
   +0x248 AddressSpaceInitialized : Pos 10, 2 Bits
   +0x248 SetTimerResolution : Pos 12, 1 Bit
   +0x248 BreakOnTermination : Pos 13, 1 Bit
   +0x248 SessionCreationUnderway : Pos 14, 1 Bit
   +0x248 WriteWatch : Pos 15, 1 Bit
   +0x248 ProcessInSession : Pos 16, 1 Bit
   +0x248 OverrideAddressSpace : Pos 17, 1 Bit
   +0x248 HasAddressSpace : Pos 18, 1 Bit
   +0x248 LaunchPrefetched : Pos 19, 1 Bit
   +0x248 InjectInpageErrors : Pos 20, 1 Bit
   +0x248 VmTopDown : Pos 21, 1 Bit
   +0x248 Unused3 : Pos 22, 1 Bit
   +0x248 Unused4 : Pos 23, 1 Bit
   +0x248 VdmAllowed : Pos 24, 1 Bit
   +0x248 Unused : Pos 25, 5 Bits
   +0x248 Unused1 : Pos 30, 1 Bit
   +0x248 Unused2 : Pos 31, 1 Bit
   +0x24c ExitStatus : Int4B
   +0x250 NextPageColor : Uint2B
   +0x252 SubSystemMinorVersion : UChar
   +0x253 SubSystemMajorVersion : UChar
   +0x252 SubSystemVersion : Uint2B
   +0x254 PriorityClass : UChar
   +0x255 WorkingSetAcquiredUnsafe : UChar
   +0x258 Cookie : Uint4B
```
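The two listings place ImageFileName at different offsets and with different lengths (+0x16c, 15 bytes on Win7; +0x174, 16 bytes on XP SP3, both x86). The following added example, which is not code from the original post, takes the offset from `dt` output instead of hardcoding it and reads the fixed-size field from a constructed EPROCESS-sized buffer without relying on a NUL terminator; the function names, the shortened listings and the sample buffer are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed excerpts of the two dt listings on this page (same offsets, fewer fields). */
static const char DT_WIN7_X86[] =
    "lkd> dt nt!_EPROCESS\n"
    "   +0x16c ImageFileName    : [15] UChar\n"
    "   +0x17b PriorityClass    : UChar\n";
static const char DT_XPSP3_X86[] =
    "kd> dt -r1 _Eprocess\n"
    "   +0x174 ImageFileName    : [16] UChar\n"
    "   +0x1f4 SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO\n"
    "      +0x000 ImageFileName    : Ptr32 _OBJECT_NAME_INFORMATION\n";

/* Locate "+0xOFF <field> : [N] UChar" in dt output; 0 on success, -1 if absent.
 * Requiring the array type means the nested pointer member of the same name
 * that dt -r1 prints under SeAuditProcessCreationInfo can never match. */
int dt_find_uchar_array(const char *dt, const char *field, size_t *off, size_t *count)
{
    for (const char *line = dt; line && *line; ) {
        const char *eol = strchr(line, '\n');
        unsigned long o = 0, n = 0;
        char name[64];
        if (sscanf(line, " +0x%lx %63s : [%lu] UChar", &o, name, &n) == 3 &&
            strcmp(name, field) == 0) {
            *off = o; *count = n;
            return 0;
        }
        line = eol ? eol + 1 : NULL;
    }
    return -1;
}

/* Copy the fixed-size field out of an EPROCESS image. Stops at NUL or at the
 * field boundary, whichever comes first; non-printable bytes become '?'. */
int read_image_name(const unsigned char *eproc, size_t eproc_len, size_t off,
                    size_t count, char *out, size_t out_len)
{
    if (out_len == 0 || off > eproc_len || count > eproc_len - off) return -1;
    size_t n = 0;
    while (n < count && n + 1 < out_len && eproc[off + n] != 0) {
        unsigned char c = eproc[off + n];
        out[n++] = (c >= 0x20 && c < 0x7f) ? (char)c : '?';
    }
    out[n] = '\0';
    return (int)n;
}

/* Constructed test image: 0xAA filler so an unbounded read would visibly overrun. */
int demo(const char *dt, const char *name, char *out, size_t out_len)
{
    unsigned char eproc[0x2c0];
    size_t off, count, len = strlen(name);
    if (dt_find_uchar_array(dt, "ImageFileName", &off, &count) != 0) return -1;
    memset(eproc, 0xAA, sizeof eproc);
    memcpy(eproc + off, name, len < count ? len + 1 : count);
    return read_image_name(eproc, sizeof eproc, off, count, out, out_len);
}

int main(void)
{
    char buf[32] = "";
    demo(DT_WIN7_X86, "notepad.exe", buf, sizeof buf);
    printf("Win7 x86: %s\n", buf);
    demo(DT_XPSP3_X86, "averylongprocessname.exe", buf, sizeof buf);
    printf("XP SP3:   %s\n", buf);
    return 0;
}
```

In a driver, the exported routine PsGetProcessImageFileName returns a pointer to this field and avoids per-version offsets. The name is cut to the field size either way, so it does not identify a binary on its own.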