Created
May 31, 2022 13:28
-
-
Save HACKE-RC/ac54ecc7215290f649cb7bccf122795b to your computer and use it in GitHub Desktop.
The Windows EPROCESS data structure.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| typedef struct _EPROCESS { | |
| struct _KPROCESS Pcb; | |
| struct _EX_PUSH_LOCK ProcessLock; | |
| PVOID UniqueProcessId; | |
| struct _LIST_ENTRY ActiveProcessLinks; | |
| struct _EX_RUNDOWN_REF RundownProtect; | |
| ULONG Flags2; | |
| ULONG JobNotReallyActive: 1; | |
| ULONG AccountingFolded: 1; | |
| ULONG NewProcessReported: 1; | |
| ULONG ExitProcessReported: 1; | |
| ULONG ReportCommitChanges: 1; | |
| ULONG LastReportMemory: 1; | |
| ULONG ForceWakeCharge: 1; | |
| ULONG CrossSessionCreate: 1; | |
| ULONG NeedsHandleRundown: 1; | |
| ULONG RefTraceEnabled: 1; | |
| ULONG PicoCreated: 1; | |
| ULONG EmptyJobEvaluated: 1; | |
| ULONG DefaultPagePriority: 3; | |
| ULONG PrimaryTokenFrozen: 1; | |
| ULONG ProcessVerifierTarget: 1; | |
| ULONG RestrictSetThreadContext: 1; | |
| ULONG AffinityPermanent: 1; | |
| ULONG AffinityUpdateEnable: 1; | |
| ULONG PropagateNode: 1; | |
| ULONG ExplicitAffinity: 1; | |
| ULONG ProcessExecutionState: 2; | |
| ULONG EnableReadVmLogging: 1; | |
| ULONG EnableWriteVmLogging: 1; | |
| ULONG FatalAccessTerminationRequested: 1; | |
| ULONG DisableSystemAllowedCpuSet: 1; | |
| ULONG ProcessStateChangeRequest: 2; | |
| ULONG ProcessStateChangeInProgress: 1; | |
| ULONG InPrivate: 1; | |
| ULONG Flags; | |
| ULONG CreateReported: 1; | |
| ULONG NoDebugInherit: 1; | |
| ULONG ProcessExiting: 1; | |
| ULONG ProcessDelete: 1; | |
| ULONG ManageExecutableMemoryWrites: 1; | |
| ULONG VmDeleted: 1; | |
| ULONG OutswapEnabled: 1; | |
| ULONG Outswapped: 1; | |
| ULONG FailFastOnCommitFail: 1; | |
| ULONG Wow64VaSpace4Gb: 1; | |
| ULONG AddressSpaceInitialized: 2; | |
| ULONG SetTimerResolution: 1; | |
| ULONG BreakOnTermination: 1; | |
| ULONG DeprioritizeViews: 1; | |
| ULONG WriteWatch: 1; | |
| ULONG ProcessInSession: 1; | |
| ULONG OverrideAddressSpace: 1; | |
| ULONG HasAddressSpace: 1; | |
| ULONG LaunchPrefetched: 1; | |
| ULONG Background: 1; | |
| ULONG VmTopDown: 1; | |
| ULONG ImageNotifyDone: 1; | |
| ULONG PdeUpdateNeeded: 1; | |
| ULONG VdmAllowed: 1; | |
| ULONG ProcessRundown: 1; | |
| ULONG ProcessInserted: 1; | |
| ULONG DefaultIoPriority: 3; | |
| ULONG ProcessSelfDelete: 1; | |
| ULONG SetTimerResolutionLink: 1; | |
| union _LARGE_INTEGER CreateTime; | |
| ULONG64 ProcessQuotaUsage[2]; | |
| ULONG64 ProcessQuotaPeak[2]; | |
| ULONG64 PeakVirtualSize; | |
| ULONG64 VirtualSize; | |
| struct _LIST_ENTRY SessionProcessLinks; | |
| PVOID ExceptionPortData; | |
| ULONG64 ExceptionPortValue; | |
| ULONG64 ExceptionPortState: 3; | |
| struct _EX_FAST_REF Token; | |
| ULONG64 MmReserved; | |
| struct _EX_PUSH_LOCK AddressCreationLock; | |
| struct _EX_PUSH_LOCK PageTableCommitmentLock; | |
| struct _ETHREAD * RotateInProgress; | |
| struct _ETHREAD * ForkInProgress; | |
| struct _EJOB * CommitChargeJob; | |
| struct _RTL_AVL_TREE CloneRoot; | |
| ULONG64 NumberOfPrivatePages; | |
| ULONG64 NumberOfLockedPages; | |
| PVOID Win32Process; | |
| struct _EJOB * Job; | |
| PVOID SectionObject; | |
| PVOID SectionBaseAddress; | |
| ULONG Cookie; | |
| struct _PAGEFAULT_HISTORY * WorkingSetWatch; | |
| PVOID Win32WindowStation; | |
| PVOID InheritedFromUniqueProcessId; | |
| ULONG64 OwnerProcessId; | |
| struct _PEB * Peb; | |
| struct _MM_SESSION_SPACE * Session; | |
| PVOID Spare1; | |
| struct _EPROCESS_QUOTA_BLOCK * QuotaBlock; | |
| struct _HANDLE_TABLE * ObjectTable; | |
| PVOID DebugPort; | |
| struct _EWOW64PROCESS * WoW64Process; | |
| struct _EX_FAST_REF DeviceMap; | |
| PVOID EtwDataSource; | |
| ULONG64 PageDirectoryPte; | |
| struct _FILE_OBJECT * ImageFilePointer; | |
| UCHAR ImageFileName[15]; | |
| UCHAR PriorityClass; | |
| PVOID SecurityPort; | |
| struct _SE_AUDIT_PROCESS_CREATION_INFO SeAuditProcessCreationInfo; | |
| struct _LIST_ENTRY JobLinks; | |
| PVOID HighestUserAddress; | |
| struct _LIST_ENTRY ThreadListHead; | |
| ULONG ActiveThreads; | |
| ULONG ImagePathHash; | |
| ULONG DefaultHardErrorProcessing; | |
| LONG LastThreadExitStatus; | |
| struct _EX_FAST_REF PrefetchTrace; | |
| PVOID LockedPagesList; | |
| union _LARGE_INTEGER ReadOperationCount; | |
| union _LARGE_INTEGER WriteOperationCount; | |
| union _LARGE_INTEGER OtherOperationCount; | |
| union _LARGE_INTEGER ReadTransferCount; | |
| union _LARGE_INTEGER WriteTransferCount; | |
| union _LARGE_INTEGER OtherTransferCount; | |
| ULONG64 CommitChargeLimit; | |
| ULONG64 CommitCharge; | |
| ULONG64 CommitChargePeak; | |
| struct _MMSUPPORT_FULL Vm; | |
| struct _LIST_ENTRY MmProcessLinks; | |
| ULONG ModifiedPageCount; | |
| LONG ExitStatus; | |
| struct _RTL_AVL_TREE VadRoot; | |
| PVOID VadHint; | |
| ULONG64 VadCount; | |
| ULONG64 VadPhysicalPages; | |
| ULONG64 VadPhysicalPagesLimit; | |
| struct _ALPC_PROCESS_CONTEXT AlpcContext; | |
| struct _LIST_ENTRY TimerResolutionLink; | |
| struct _PO_DIAG_STACK_RECORD * TimerResolutionStackRecord; | |
| ULONG RequestedTimerResolution; | |
| ULONG SmallestTimerResolution; | |
| union _LARGE_INTEGER ExitTime; | |
| struct _INVERTED_FUNCTION_TABLE * InvertedFunctionTable; | |
| struct _EX_PUSH_LOCK InvertedFunctionTableLock; | |
| ULONG ActiveThreadsHighWatermark; | |
| ULONG LargePrivateVadCount; | |
| struct _EX_PUSH_LOCK ThreadListLock; | |
| PVOID WnfContext; | |
| struct _EJOB * ServerSilo; | |
| UCHAR SignatureLevel; | |
| UCHAR SectionSignatureLevel; | |
| struct _PS_PROTECTION Protection; | |
| UCHAR HangCount: 3; | |
| UCHAR GhostCount: 3; | |
| UCHAR PrefilterException: 1; | |
| ULONG Flags3; | |
| ULONG Minimal: 1; | |
| ULONG ReplacingPageRoot: 1; | |
| ULONG Crashed: 1; | |
| ULONG JobVadsAreTracked: 1; | |
| ULONG VadTrackingDisabled: 1; | |
| ULONG AuxiliaryProcess: 1; | |
| ULONG SubsystemProcess: 1; | |
| ULONG IndirectCpuSets: 1; | |
| ULONG RelinquishedCommit: 1; | |
| ULONG HighGraphicsPriority: 1; | |
| ULONG CommitFailLogged: 1; | |
| ULONG ReserveFailLogged: 1; | |
| ULONG SystemProcess: 1; | |
| ULONG HideImageBaseAddresses: 1; | |
| ULONG AddressPolicyFrozen: 1; | |
| ULONG ProcessFirstResume: 1; | |
| ULONG ForegroundExternal: 1; | |
| ULONG ForegroundSystem: 1; | |
| ULONG HighMemoryPriority: 1; | |
| ULONG EnableProcessSuspendResumeLogging: 1; | |
| ULONG EnableThreadSuspendResumeLogging: 1; | |
| ULONG SecurityDomainChanged: 1; | |
| ULONG SecurityFreezeComplete: 1; | |
| ULONG VmProcessorHost: 1; | |
| ULONG VmProcessorHostTransition: 1; | |
| ULONG AltSyscall: 1; | |
| ULONG TimerResolutionIgnore: 1; | |
| ULONG DisallowUserTerminate: 1; | |
| ULONG EnableProcessRemoteExecProtectVmLogging: 1; | |
| ULONG EnableProcessLocalExecProtectVmLogging: 1; | |
| ULONG EmulationDebugEmulator: 1; | |
| LONG DeviceAsid; | |
| PVOID SvmData; | |
| struct _EX_PUSH_LOCK SvmProcessLock; | |
| ULONG64 SvmLock; | |
| struct _LIST_ENTRY SvmProcessDeviceListHead; | |
| ULONG64 LastFreezeInterruptTime; | |
| struct _PROCESS_DISK_COUNTERS * DiskCounters; | |
| PVOID PicoContext; | |
| PVOID EnclaveTable; | |
| ULONG64 EnclaveNumber; | |
| struct _EX_PUSH_LOCK EnclaveLock; | |
| ULONG HighPriorityFaultsAllowed; | |
| struct _PO_PROCESS_ENERGY_CONTEXT * EnergyContext; | |
| PVOID VmContext; | |
| ULONG64 SequenceNumber; | |
| ULONG64 CreateInterruptTime; | |
| ULONG64 CreateUnbiasedInterruptTime; | |
| ULONG64 TotalUnbiasedFrozenTime; | |
| ULONG64 LastAppStateUpdateTime; | |
| ULONG64 LastAppStateUptime: 61; | |
| ULONG64 LastAppState: 3; | |
| ULONG64 SharedCommitCharge; | |
| struct _EX_PUSH_LOCK SharedCommitLock; | |
| struct _LIST_ENTRY SharedCommitLinks; | |
| ULONG64 AllowedCpuSets; | |
| ULONG64 DefaultCpuSets; | |
| PULONG64 AllowedCpuSetsIndirect; | |
| PULONG64 DefaultCpuSetsIndirect; | |
| PVOID DiskIoAttribution; | |
| PVOID DxgProcess; | |
| ULONG Win32KFilterSet; | |
| USHORT Machine; | |
| USHORT Spare0; | |
| union _PS_INTERLOCKED_TIMER_DELAY_VALUES ProcessTimerDelay; | |
| ULONG KTimerSets; | |
| ULONG KTimer2Sets; | |
| ULONG ThreadTimerSets; | |
| ULONG64 VirtualTimerListLock; | |
| struct _LIST_ENTRY VirtualTimerListHead; | |
| struct _WNF_STATE_NAME WakeChannel; | |
| struct _PS_PROCESS_WAKE_INFORMATION WakeInfo; | |
| ULONG MitigationFlags; | |
| struct { | |
| ULONG ControlFlowGuardEnabled: 1; | |
| ULONG ControlFlowGuardExportSuppressionEnabled: 1; | |
| ULONG ControlFlowGuardStrict: 1; | |
| ULONG DisallowStrippedImages: 1; | |
| ULONG ForceRelocateImages: 1; | |
| ULONG HighEntropyASLREnabled: 1; | |
| ULONG StackRandomizationDisabled: 1; | |
| ULONG ExtensionPointDisable: 1; | |
| ULONG DisableDynamicCode: 1; | |
| ULONG DisableDynamicCodeAllowOptOut: 1; | |
| ULONG DisableDynamicCodeAllowRemoteDowngrade: 1; | |
| ULONG AuditDisableDynamicCode: 1; | |
| ULONG DisallowWin32kSystemCalls: 1; | |
| ULONG AuditDisallowWin32kSystemCalls: 1; | |
| ULONG EnableFilteredWin32kAPIs: 1; | |
| ULONG AuditFilteredWin32kAPIs: 1; | |
| ULONG DisableNonSystemFonts: 1; | |
| ULONG AuditNonSystemFontLoading: 1; | |
| ULONG PreferSystem32Images: 1; | |
| ULONG ProhibitRemoteImageMap: 1; | |
| ULONG AuditProhibitRemoteImageMap: 1; | |
| ULONG ProhibitLowILImageMap: 1; | |
| ULONG AuditProhibitLowILImageMap: 1; | |
| ULONG SignatureMitigationOptIn: 1; | |
| ULONG AuditBlockNonMicrosoftBinaries: 1; | |
| ULONG AuditBlockNonMicrosoftBinariesAllowStore: 1; | |
| ULONG LoaderIntegrityContinuityEnabled: 1; | |
| ULONG AuditLoaderIntegrityContinuity: 1; | |
| ULONG EnableModuleTamperingProtection: 1; | |
| ULONG EnableModuleTamperingProtectionNoInherit: 1; | |
| ULONG RestrictIndirectBranchPrediction: 1; | |
| ULONG IsolateSecurityDomain: 1; | |
| } | |
| MitigationFlagsValues; | |
| ULONG MitigationFlags2; | |
| struct { | |
| ULONG EnableExportAddressFilter: 1; | |
| ULONG AuditExportAddressFilter: 1; | |
| ULONG EnableExportAddressFilterPlus: 1; | |
| ULONG AuditExportAddressFilterPlus: 1; | |
| ULONG EnableRopStackPivot: 1; | |
| ULONG AuditRopStackPivot: 1; | |
| ULONG EnableRopCallerCheck: 1; | |
| ULONG AuditRopCallerCheck: 1; | |
| ULONG EnableRopSimExec: 1; | |
| ULONG AuditRopSimExec: 1; | |
| ULONG EnableImportAddressFilter: 1; | |
| ULONG AuditImportAddressFilter: 1; | |
| ULONG DisablePageCombine: 1; | |
| ULONG SpeculativeStoreBypassDisable: 1; | |
| ULONG CetUserShadowStacks: 1; | |
| ULONG AuditCetUserShadowStacks: 1; | |
| ULONG AuditCetUserShadowStacksLogged: 1; | |
| ULONG UserCetSetContextIpValidation: 1; | |
| ULONG AuditUserCetSetContextIpValidation: 1; | |
| ULONG AuditUserCetSetContextIpValidationLogged: 1; | |
| ULONG CetUserShadowStacksStrictMode: 1; | |
| ULONG BlockNonCetBinaries: 1; | |
| ULONG BlockNonCetBinariesNonEhcont: 1; | |
| ULONG AuditBlockNonCetBinaries: 1; | |
| ULONG AuditBlockNonCetBinariesLogged: 1; | |
| ULONG XtendedControlFlowGuard: 1; | |
| ULONG AuditXtendedControlFlowGuard: 1; | |
| ULONG PointerAuthUserIp: 1; | |
| ULONG AuditPointerAuthUserIp: 1; | |
| ULONG AuditPointerAuthUserIpLogged: 1; | |
| ULONG CetDynamicApisOutOfProcOnly: 1; | |
| ULONG UserCetSetContextIpValidationRelaxedMode: 1; | |
| } | |
| MitigationFlags2Values; | |
| PVOID PartitionObject; | |
| ULONG64 SecurityDomain; | |
| ULONG64 ParentSecurityDomain; | |
| PVOID CoverageSamplerContext; | |
| PVOID MmHotPatchContext; | |
| struct _KE_IDEAL_PROCESSOR_ASSIGNMENT_BLOCK IdealProcessorAssignmentBlock; | |
| struct _RTL_AVL_TREE DynamicEHContinuationTargetsTree; | |
| struct _EX_PUSH_LOCK DynamicEHContinuationTargetsLock; | |
| struct _PS_DYNAMIC_ENFORCED_ADDRESS_RANGES DynamicEnforcedCetCompatibleRanges; | |
| ULONG DisabledComponentFlags; | |
| LONG PageCombineSequence; | |
| struct _EX_PUSH_LOCK EnableOptionalXStateFeaturesLock; | |
| }; |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment