EPROCESS struct (x64)

// Layout valid only for Windows 7 RC x64; do not assume it holds for other builds.
/* Some small nested structs are not defined here because their layout can easily be obtained with WinDbg. */

/*
 * Process-creation audit info embedded in EPROCESS (SeAuditProcessCreationInfo).
 * The single member is declared as an opaque PVOID; per the original comment it
 * points to an _OBJECT_NAME_INFORMATION, which is not reproduced here.
 * Size: one pointer (8 bytes on x64), which keeps the EPROCESS layout below intact.
 */
typedef struct _SE_AUDIT_PROCESS_CREATION_INFO
{
PVOID ImageFileName; // _OBJECT_NAME_INFORMATION * (opaque here; layout available via WinDbg)

}SE_AUDIT_PROCESS_CREATION_INFO,*PSE_AUDIT_PROCESS_CREATION_INFO;

/*
 * MMSUPPORT: the memory-manager block embedded in EPROCESS as the Vm member.
 * As the field names indicate, it holds the process's working-set bookkeeping
 * (sizes, limits, fault counts). Pointer-typed members whose real type is a
 * kernel-internal struct are declared PVOID; the intended type is given in the
 * trailing comment. Field order and widths are layout-significant: every member
 * must keep its declared type so that following EPROCESS fields stay at their
 * Windows 7 RC x64 offsets.
 */
typedef struct _MMSUPPORT
{
ULONGLONG PushLock; // 8-byte push lock, kept as an integer placeholder
PVOID ExitGate; //_KGATE * (opaque here)
PVOID AccessLog;
LIST_ENTRY WorkingSetExpansionLinks;
ULONG AgeDistribution[7];
ULONG MinimumWorkingSetSize;
ULONG WorkingSetSize;
ULONG WorkingSetPrivateSize;
ULONG MaximumWorkingSetSize;
ULONG ChargedWslePages;
ULONG ActualWslePages;
ULONG WorkingSetSizeOverhead;
ULONG PeakWorkingSetSize;
ULONG HardFaultCount;
PVOID VmWorkingSetList; //_MMWSL* (opaque here)
USHORT NextPageColor; // two USHORTs share the 4 bytes before PageFaultCount
USHORT LastTrimStamp;
ULONG PageFaultCount;
ULONG RepurposeCount;
ULONG Spare[2];
ULONG Flags; //_MMSUPPORT_FLAGS bitfield, exposed here as a raw ULONG
}MMSUPPORT,*PMMSUPPORT;

/*
 * EPROCESS: the executive process object, reconstructed for Windows 7 RC x64.
 *
 * Conventions used in this listing:
 *  - Members whose real type is a kernel-internal struct are declared as PVOID
 *    (for pointers) or as a BYTE array of the struct's size (for embedded
 *    values, e.g. Token, VadRoot, AlpcContext); the intended type is named in
 *    the trailing comment.
 *  - The commented-out unions document what the kernel actually declares; the
 *    single field that replaces each union occupies the same 8 bytes.
 *
 * This layout is build-specific. Code that reads or writes process memory
 * through it must confirm it is running on the matching build first: on any
 * other build the same member names land on different offsets, and in kernel
 * mode a mis-addressed write corrupts the process object rather than failing
 * cleanly. Do not reorder, retype, or remove members.
 */
typedef struct _EPROCESS
{
KPROCESS Pcb; // kernel-layer process block; must remain the first member
PVOID ProcessLock; //EX_PUSH_LOCK
LARGE_INTEGER CreateTime;
LARGE_INTEGER ExitTime;
EX_RUNDOWN_REF RundownProtect;
PVOID UniqueProcessId; // PID, stored pointer-sized
LIST_ENTRY ActiveProcessLinks; // links this object into the active-process list
ULONGLONG ProcessQuotaUsage[2];
ULONGLONG ProcessQuotaPeak[2];
ULONGLONG CommitCharge;
PVOID QuotaBlock; //_EPROCESS_QUOTA_BLOCK *
PVOID CpuQuotaBlock; //_PS_CPU_QUOTA_BLOCK *
ULONGLONG PeakVirtualSize;
ULONGLONG VirtualSize;
LIST_ENTRY SessionProcessLinks;
PVOID DebugPort;
// The kernel declares the exception port as the union below; a single PVOID
// covers the same 8 bytes here (the low 3 bits are a state field in the real layout).
//union
//{
// PVOID ExceptionPortData;
// ULONG ExceptionPortValue;
// ULONG ExceptionPortState: 3;
//};
PVOID ExceptionPortData;
PVOID ObjectTable; //PHANDLE_TABLE
BYTE Token[8]; //EX_FAST_REF: NOTE(review) an EX_FAST_REF packs a reference count into the low pointer bits; mask them before treating the value as a pointer — confirm the bit width in WinDbg
ULONGLONG WorkingSetPage;
BYTE AddressCreationLock[8]; //EX_PUSH_LOCK
PVOID RotateInProgress; //PETHREAD
PVOID ForkInProgress; //PETHREAD
ULONGLONG HardwareTrigger;
PVOID PhysicalVadRoot; //PMM_AVL_TABLE
PVOID CloneRoot;
ULONGLONG NumberOfPrivatePages;
ULONGLONG NumberOfLockedPages;
PVOID Win32Process;
PVOID Job; //PEJOB
PVOID SectionObject;
PVOID SectionBaseAddress;

ULONG Cookie; // two ULONGs together fill the 8 bytes before WorkingSetWatch
ULONG UmsScheduledThreads;
PVOID WorkingSetWatch; //_PAGEFAULT_HISTORY *
PVOID Win32WindowStation;
PVOID InheritedFromUniqueProcessId; // parent PID, stored pointer-sized
PVOID LdtInformation;
PVOID Spare;
ULONGLONG ConsoleHostProcess;
PVOID DeviceMap;
PVOID EtwDataSource;
PVOID FreeTebHint;
ULONGLONG PageDirectoryPte; //_HARDWARE_PTE, exposed as a raw 64-bit value
// The kernel declares this as the union below; the ULONGLONG above covers it.
//union
//{
// HARDWARE_PTE PageDirectoryPte;
// UINT64 Filler;
//};
PVOID Session;
UCHAR ImageFileName[15]; // fixed 15-byte name buffer immediately followed by PriorityClass; do not assume a terminating NUL — bound any read to sizeof ImageFileName
UCHAR PriorityClass;
LIST_ENTRY JobLinks;
PVOID LockedPagesList;
LIST_ENTRY ThreadListHead; // list head of the process's threads
PVOID SecurityPort;
PVOID Wow64Process;
ULONG ActiveThreads;
ULONG ImagePathHash;
ULONG DefaultHardErrorProcessing;
LONG LastThreadExitStatus;
PPEB Peb; // user-mode PEB pointer; points into the process's own address space
BYTE PrefetchTrace[8]; //EX_FAST_REF (same low-bit reference-count caveat as Token)
LARGE_INTEGER ReadOperationCount;
LARGE_INTEGER WriteOperationCount;
LARGE_INTEGER OtherOperationCount;
LARGE_INTEGER ReadTransferCount;
LARGE_INTEGER WriteTransferCount;
LARGE_INTEGER OtherTransferCount;
ULONGLONG CommitChargeLimit;
ULONGLONG CommitChargePeak;
PVOID AweInfo;
SE_AUDIT_PROCESS_CREATION_INFO SeAuditProcessCreationInfo; // defined above in this listing
MMSUPPORT Vm; // defined above in this listing; its size fixes the offset of every member below
LIST_ENTRY MmProcessLinks;
PVOID HighestUserAddress;
ULONG ModifiedPageCount;
ULONG Flags2; // bitfield in the real layout, exposed as a raw ULONG
ULONG Flags; // bitfield in the real layout, exposed as a raw ULONG
LONG ExitStatus;
BYTE VadRoot[64]; //_MM_AVL_TABLE, embedded by value (64 bytes)
BYTE AlpcContext[32]; //_ALPC_PROCESS_CONTEXT, embedded by value (32 bytes)
LIST_ENTRY TimerResolutionLink;
ULONG RequestedTimerResolution;
ULONG ActiveThreadsHighWatermark;
ULONG SmallestTimerResolution;
PVOID TimerResolutionStackRecord;//_PO_DIAG_STACK_RECORD*
} EPROCESS, *PEPROCESS;

~ by KeMmIo on October 18, 2010.
