Win2008 EProcess




_EPROCESS
struct _EPROCESS, 134 elements, 0x4c8 bytes
   +0x000 Pcb : struct _KPROCESS, 37 elements, 0x160 bytes
      +0x000 Header : struct _DISPATCHER_HEADER, 29 elements, 0x18 bytes
         +0x000 Type : UChar
         +0x001 TimerControlFlags : UChar
         +0x001 Absolute : Bitfield Pos 0, 1 Bit
         +0x001 Coalescable : Bitfield Pos 1, 1 Bit
         +0x001 KeepShifting : Bitfield Pos 2, 1 Bit
         +0x001 EncodedTolerableDelay : Bitfield Pos 3, 5 Bits
         +0x001 Abandoned : UChar
         +0x001 Signalling : UChar
         +0x002 ThreadControlFlags : UChar
         +0x002 CpuThrottled : Bitfield Pos 0, 1 Bit
         +0x002 CycleProfiling : Bitfield Pos 1, 1 Bit
         +0x002 CounterProfiling : Bitfield Pos 2, 1 Bit
         +0x002 Reserved : Bitfield Pos 3, 5 Bits
         +0x002 Hand : UChar
         +0x002 Size : UChar
         +0x003 TimerMiscFlags : UChar
         +0x003 Index : Bitfield Pos 0, 6 Bits
         +0x003 Inserted : Bitfield Pos 6, 1 Bit
         +0x003 Expired : Bitfield Pos 7, 1 Bit
         +0x003 DebugActive : UChar
         +0x003 ActiveDR7 : Bitfield Pos 0, 1 Bit
         +0x003 Instrumented : Bitfield Pos 1, 1 Bit
         +0x003 Reserved2 : Bitfield Pos 2, 4 Bits
         +0x003 UmsScheduled : Bitfield Pos 6, 1 Bit
         +0x003 UmsPrimary : Bitfield Pos 7, 1 Bit
         +0x003 DpcActive : UChar
         +0x000 Lock : Int4B
         +0x004 SignalState : Int4B
         +0x008 WaitListHead : struct _LIST_ENTRY, 2 elements, 0x10 bytes
            +0x000 Flink : Ptr64 to
            +0x008 Blink : Ptr64 to
      +0x018 ProfileListHead : struct _LIST_ENTRY, 2 elements, 0x10 bytes
         +0x000 Flink : Ptr64 to
         +0x008 Blink : Ptr64 to
      +0x028 DirectoryTableBase : Uint8B
      +0x030 ThreadListHead : struct _LIST_ENTRY, 2 elements, 0x10 bytes
         +0x000 Flink : Ptr64 to
         +0x008 Blink : Ptr64 to
      +0x040 ProcessLock : Uint8B
      +0x048 Affinity : struct _KAFFINITY_EX, 4 elements, 0x28 bytes
         +0x000 Count : Uint2B
         +0x002 Size : Uint2B
         +0x004 Reserved : Uint4B
         +0x008 Bitmap : (4 elements) Uint8B
      +0x070 ReadyListHead : struct _LIST_ENTRY, 2 elements, 0x10 bytes
         +0x000 Flink : Ptr64 to
         +0x008 Blink : Ptr64 to
      +0x080 SwapListEntry : struct _SINGLE_LIST_ENTRY, 1 elements, 0x8 bytes
         +0x000 Next : Ptr64 to

      +0x088 ActiveProcessors : struct _KAFFINITY_EX, 4 elements, 0x28 bytes
         +0x000 Count : Uint2B
         +0x002 Size : Uint2B
         +0x004 Reserved : Uint4B
         +0x008 Bitmap : (4 elements) Uint8B
      +0x0b0 AutoAlignment : Bitfield Pos 0, 1 Bit
      +0x0b0 DisableBoost : Bitfield Pos 1, 1 Bit
      +0x0b0 DisableQuantum : Bitfield Pos 2, 1 Bit
      +0x0b0 ActiveGroupsMask : Bitfield Pos 3, 4 Bits
      +0x0b0 ReservedFlags : Bitfield Pos 7, 25 Bits
      +0x0b0 ProcessFlags : Int4B
      +0x0b4 BasePriority : Char
      +0x0b5 QuantumReset : Char
      +0x0b6 Visited : UChar
      +0x0b7 Unused3 : UChar
      +0x0b8 ThreadSeed : (4 elements) Uint4B
      +0x0c8 IdealNode : (4 elements) Uint2B
      +0x0d0 IdealGlobalNode : Uint2B
      +0x0d2 Flags : union _KEXECUTE_OPTIONS, 9 elements, 0x1 bytes
         +0x000 ExecuteDisable : Bitfield Pos 0, 1 Bit
         +0x000 ExecuteEnable : Bitfield Pos 1, 1 Bit
         +0x000 DisableThunkEmulation : Bitfield Pos 2, 1 Bit
         +0x000 Permanent : Bitfield Pos 3, 1 Bit
         +0x000 ExecuteDispatchEnable : Bitfield Pos 4, 1 Bit
         +0x000 ImageDispatchEnable : Bitfield Pos 5, 1 Bit
         +0x000 DisableExceptionChainValidation : Bitfield Pos 6, 1 Bit
         +0x000 Spare : Bitfield Pos 7, 1 Bit
         +0x000 ExecuteOptions : UChar
      +0x0d3 Unused1 : UChar
      +0x0d4 Unused2 : Uint4B
      +0x0d8 Unused4 : Uint4B
      +0x0dc StackCount : union _KSTACK_COUNT, 3 elements, 0x4 bytes
         +0x000 Value : Int4B
         +0x000 State : Bitfield Pos 0, 3 Bits
         +0x000 StackCount : Bitfield Pos 3, 29 Bits
      +0x0e0 ProcessListEntry : struct _LIST_ENTRY, 2 elements, 0x10 bytes
         +0x000 Flink : Ptr64 to
         +0x008 Blink : Ptr64 to
      +0x0f0 CycleTime : Uint8B
      +0x0f8 KernelTime : Uint4B
      +0x0fc UserTime : Uint4B
      +0x100 InstrumentationCallback : Ptr64 to
      +0x108 LdtSystemDescriptor : union _KGDTENTRY64, 7 elements, 0x10 bytes
         +0x000 LimitLow : Uint2B
         +0x002 BaseLow : Uint2B
         +0x004 Bytes : struct <unnamed-tag>, 4 elements, 0x4 bytes
            +0x000 BaseMiddle : UChar
            +0x001 Flags1 : UChar
            +0x002 Flags2 : UChar
            +0x003 BaseHigh : UChar
         +0x004 Bits : struct <unnamed-tag>, 10 elements, 0x4 bytes
            +0x000 BaseMiddle : Bitfield Pos 0, 8 Bits
            +0x000 Type : Bitfield Pos 8, 5 Bits
            +0x000 Dpl : Bitfield Pos 13, 2 Bits
            +0x000 Present : Bitfield Pos 15, 1 Bit
            +0x000 LimitHigh : Bitfield Pos 16, 4 Bits
            +0x000 System : Bitfield Pos 20, 1 Bit
            +0x000 LongMode : Bitfield Pos 21, 1 Bit
            +0x000 DefaultBig : Bitfield Pos 22, 1 Bit
            +0x000 Granularity : Bitfield Pos 23, 1 Bit
            +0x000 BaseHigh : Bitfield Pos 24, 8 Bits
         +0x008 BaseUpper : Uint4B
         +0x00c MustBeZero : Uint4B
         +0x000 Alignment : Uint8B
      +0x118 LdtBaseAddress : Ptr64 to
      +0x120 LdtProcessLock : struct _KGUARDED_MUTEX, 7 elements, 0x38 bytes
         +0x000 Count : Int4B
         +0x008 Owner : Ptr64 to
         +0x010 Contention : Uint4B
         +0x018 Gate : struct _KGATE, 1 elements, 0x18 bytes
            +0x000 Header : struct _DISPATCHER_HEADER, 29 elements, 0x18 bytes
               +0x000 Type : UChar
               +0x001 TimerControlFlags : UChar
               +0x001 Absolute : Bitfield Pos 0, 1 Bit
               +0x001 Coalescable : Bitfield Pos 1, 1 Bit
               +0x001 KeepShifting : Bitfield Pos 2, 1 Bit
               +0x001 EncodedTolerableDelay : Bitfield Pos 3, 5 Bits
               +0x001 Abandoned : UChar
               +0x001 Signalling : UChar
               +0x002 ThreadControlFlags : UChar
               +0x002 CpuThrottled : Bitfield Pos 0, 1 Bit
               +0x002 CycleProfiling : Bitfield Pos 1, 1 Bit
               +0x002 CounterProfiling : Bitfield Pos 2, 1 Bit
               +0x002 Reserved : Bitfield Pos 3, 5 Bits
               +0x002 Hand : UChar
               +0x002 Size : UChar
               +0x003 TimerMiscFlags : UChar
               +0x003 Index : Bitfield Pos 0, 6 Bits
               +0x003 Inserted : Bitfield Pos 6, 1 Bit
               +0x003 Expired : Bitfield Pos 7, 1 Bit
               +0x003 DebugActive : UChar
               +0x003 ActiveDR7 : Bitfield Pos 0, 1 Bit
               +0x003 Instrumented : Bitfield Pos 1, 1 Bit
               +0x003 Reserved2 : Bitfield Pos 2, 4 Bits
               +0x003 UmsScheduled : Bitfield Pos 6, 1 Bit
               +0x003 UmsPrimary : Bitfield Pos 7, 1 Bit
               +0x003 DpcActive : UChar
               +0x000 Lock : Int4B
               +0x004 SignalState : Int4B
               +0x008 WaitListHead : struct _LIST_ENTRY, 2 elements, 0x10 bytes
                  +0x000 Flink : Ptr64 to
                  +0x008 Blink : Ptr64 to

         +0x030 KernelApcDisable : Int2B
         +0x032 SpecialApcDisable : Int2B
         +0x030 CombinedApcDisable : Uint4B
      +0x158 LdtFreeSelectorHint : Uint2B
      +0x15a LdtTableLength : Uint2B
   +0x160 ProcessLock : struct _EX_PUSH_LOCK, 7 elements, 0x8 bytes
      +0x000 Locked : Bitfield Pos 0, 1 Bit
      +0x000 Waiting : Bitfield Pos 1, 1 Bit
      +0x000 Waking : Bitfield Pos 2, 1 Bit
      +0x000 MultipleShared : Bitfield Pos 3, 1 Bit
      +0x000 Shared : Bitfield Pos 4, 60 Bits
      +0x000 Value : Uint8B
      +0x000 Ptr : Ptr64 to
   +0x168 CreateTime : union _LARGE_INTEGER, 4 elements, 0x8 bytes
      +0x000 LowPart : Uint4B
      +0x004 HighPart : Int4B
      +0x000 u : struct <unnamed-tag>, 2 elements, 0x8 bytes
         +0x000 LowPart : Uint4B
         +0x004 HighPart : Int4B
      +0x000 QuadPart : Int8B
   +0x170 ExitTime : union _LARGE_INTEGER, 4 elements, 0x8 bytes
      +0x000 LowPart : Uint4B
      +0x004 HighPart : Int4B
      +0x000 u : struct <unnamed-tag>, 2 elements, 0x8 bytes
         +0x000 LowPart : Uint4B
         +0x004 HighPart : Int4B
      +0x000 QuadPart : Int8B
   +0x178 RundownProtect : struct _EX_RUNDOWN_REF, 2 elements, 0x8 bytes
      +0x000 Count : Uint8B
      +0x000 Ptr : Ptr64 to
   +0x180 UniqueProcessId : Ptr64 to
   +0x188 ActiveProcessLinks : struct _LIST_ENTRY, 2 elements, 0x10 bytes
      +0x000 Flink : Ptr64 to
      +0x008 Blink : Ptr64 to
   +0x198 ProcessQuotaUsage : (2 elements) Uint8B
   +0x1a8 ProcessQuotaPeak : (2 elements) Uint8B
   +0x1b8 CommitCharge : Uint8B
   +0x1c0 QuotaBlock : Ptr64 to
   +0x1c8 CpuQuotaBlock : Ptr64 to
   +0x1d0 PeakVirtualSize : Uint8B
   +0x1d8 VirtualSize : Uint8B
   +0x1e0 SessionProcessLinks : struct _LIST_ENTRY, 2 elements, 0x10 bytes
      +0x000 Flink : Ptr64 to
      +0x008 Blink : Ptr64 to
   +0x1f0 DebugPort : Ptr64 to
   +0x1f8 ExceptionPortData : Ptr64 to
   +0x1f8 ExceptionPortValue : Uint8B
   +0x1f8 ExceptionPortState : Bitfield Pos 0, 3 Bits
   +0x200 ObjectTable : Ptr64 to
   +0x208 Token : struct _EX_FAST_REF, 3 elements, 0x8 bytes
      +0x000 Object : Ptr64 to
      +0x000 RefCnt : Bitfield Pos 0, 4 Bits
      +0x000 Value : Uint8B
   +0x210 WorkingSetPage : Uint8B
   +0x218 AddressCreationLock : struct _EX_PUSH_LOCK, 7 elements, 0x8 bytes
      +0x000 Locked : Bitfield Pos 0, 1 Bit
      +0x000 Waiting : Bitfield Pos 1, 1 Bit
      +0x000 Waking : Bitfield Pos 2, 1 Bit
      +0x000 MultipleShared : Bitfield Pos 3, 1 Bit
      +0x000 Shared : Bitfield Pos 4, 60 Bits
      +0x000 Value : Uint8B
      +0x000 Ptr : Ptr64 to
   +0x220 RotateInProgress : Ptr64 to
   +0x228 ForkInProgress : Ptr64 to
   +0x230 HardwareTrigger : Uint8B
   +0x238 PhysicalVadRoot : Ptr64 to
   +0x240 CloneRoot : Ptr64 to
   +0x248 NumberOfPrivatePages : Uint8B
   +0x250 NumberOfLockedPages : Uint8B
   +0x258 Win32Process : Ptr64 to
   +0x260 Job : Ptr64 to
   +0x268 SectionObject : Ptr64 to
   +0x270 SectionBaseAddress : Ptr64 to
   +0x278 Cookie : Uint4B
   +0x27c Spare8 : Uint4B
   +0x280 WorkingSetWatch : Ptr64 to
   +0x288 Win32WindowStation : Ptr64 to
   +0x290 InheritedFromUniqueProcessId : Ptr64 to
   +0x298 LdtInformation : Ptr64 to
   +0x2a0 Spare : Ptr64 to
   +0x2a8 ConsoleHostProcess : Uint8B
   +0x2b0 DeviceMap : Ptr64 to
   +0x2b8 EtwDataSource : Ptr64 to
   +0x2c0 FreeTebHint : Ptr64 to
   +0x2c8 PageDirectoryPte : struct _HARDWARE_PTE, 16 elements, 0x8 bytes
      +0x000 Valid : Bitfield Pos 0, 1 Bit
      +0x000 Write : Bitfield Pos 1, 1 Bit
      +0x000 Owner : Bitfield Pos 2, 1 Bit
      +0x000 WriteThrough : Bitfield Pos 3, 1 Bit
      +0x000 CacheDisable : Bitfield Pos 4, 1 Bit
      +0x000 Accessed : Bitfield Pos 5, 1 Bit
      +0x000 Dirty : Bitfield Pos 6, 1 Bit
      +0x000 LargePage : Bitfield Pos 7, 1 Bit
      +0x000 Global : Bitfield Pos 8, 1 Bit
      +0x000 CopyOnWrite : Bitfield Pos 9, 1 Bit
      +0x000 Prototype : Bitfield Pos 10, 1 Bit
      +0x000 reserved0 : Bitfield Pos 11, 1 Bit
      +0x000 PageFrameNumber : Bitfield Pos 12, 36 Bits
      +0x000 reserved1 : Bitfield Pos 48, 4 Bits
      +0x000 SoftwareWsIndex : Bitfield Pos 52, 11 Bits
      +0x000 NoExecute : Bitfield Pos 63, 1 Bit
   +0x2c8 Filler : Uint8B
   +0x2d0 Session : Ptr64 to

   +0x2d8 ImageFileName : (15 elements) UChar
   +0x2e7 PriorityClass : UChar
   +0x2e8 JobLinks : struct _LIST_ENTRY, 2 elements, 0x10 bytes
      +0x000 Flink : Ptr64 to
      +0x008 Blink : Ptr64 to
   +0x2f8 LockedPagesList : Ptr64 to
   +0x300 ThreadListHead : struct _LIST_ENTRY, 2 elements, 0x10 bytes
      +0x000 Flink : Ptr64 to
      +0x008 Blink : Ptr64 to
   +0x310 SecurityPort : Ptr64 to
   +0x318 Wow64Process : Ptr64 to
   +0x320 ActiveThreads : Uint4B
   +0x324 ImagePathHash : Uint4B
   +0x328 DefaultHardErrorProcessing : Uint4B
   +0x32c LastThreadExitStatus : Int4B
   +0x330 Peb : Ptr64 to
   +0x338 PrefetchTrace : struct _EX_FAST_REF, 3 elements, 0x8 bytes
      +0x000 Object : Ptr64 to
      +0x000 RefCnt : Bitfield Pos 0, 4 Bits
      +0x000 Value : Uint8B
   +0x340 ReadOperationCount : union _LARGE_INTEGER, 4 elements, 0x8 bytes
      +0x000 LowPart : Uint4B
      +0x004 HighPart : Int4B
      +0x000 u : struct <unnamed-tag>, 2 elements, 0x8 bytes
         +0x000 LowPart : Uint4B
         +0x004 HighPart : Int4B
      +0x000 QuadPart : Int8B
   +0x348 WriteOperationCount : union _LARGE_INTEGER, 4 elements, 0x8 bytes
      +0x000 LowPart : Uint4B
      +0x004 HighPart : Int4B
      +0x000 u : struct <unnamed-tag>, 2 elements, 0x8 bytes
         +0x000 LowPart : Uint4B
         +0x004 HighPart : Int4B
      +0x000 QuadPart : Int8B
   +0x350 OtherOperationCount : union _LARGE_INTEGER, 4 elements, 0x8 bytes
      +0x000 LowPart : Uint4B
      +0x004 HighPart : Int4B
      +0x000 u : struct <unnamed-tag>, 2 elements, 0x8 bytes
         +0x000 LowPart : Uint4B
         +0x004 HighPart : Int4B
      +0x000 QuadPart : Int8B
   +0x358 ReadTransferCount : union _LARGE_INTEGER, 4 elements, 0x8 bytes
      +0x000 LowPart : Uint4B
      +0x004 HighPart : Int4B
      +0x000 u : struct <unnamed-tag>, 2 elements, 0x8 bytes
         +0x000 LowPart : Uint4B
         +0x004 HighPart : Int4B
      +0x000 QuadPart : Int8B
   +0x360 WriteTransferCount : union _LARGE_INTEGER, 4 elements, 0x8 bytes
      +0x000 LowPart : Uint4B
      +0x004 HighPart : Int4B
      +0x000 u : struct <unnamed-tag>, 2 elements, 0x8 bytes
         +0x000 LowPart : Uint4B
         +0x004 HighPart : Int4B
      +0x000 QuadPart : Int8B

   +0x368 OtherTransferCount : union _LARGE_INTEGER, 4 elements, 0x8 bytes
      +0x000 LowPart : Uint4B
      +0x004 HighPart : Int4B
      +0x000 u : struct <unnamed-tag>, 2 elements, 0x8 bytes
         +0x000 LowPart : Uint4B
         +0x004 HighPart : Int4B
      +0x000 QuadPart : Int8B
   +0x370 CommitChargeLimit : Uint8B
   +0x378 CommitChargePeak : Uint8B
   +0x380 AweInfo : Ptr64 to
   +0x388 SeAuditProcessCreationInfo : struct _SE_AUDIT_PROCESS_CREATION_INFO, 1 elements, 0x8 bytes
      +0x000 ImageFileName : Ptr64 to
   +0x390 Vm : struct _MMSUPPORT, 21 elements, 0x88 bytes
      +0x000 WorkingSetMutex : struct _EX_PUSH_LOCK, 7 elements, 0x8 bytes
         +0x000 Locked : Bitfield Pos 0, 1 Bit
         +0x000 Waiting : Bitfield Pos 1, 1 Bit
         +0x000 Waking : Bitfield Pos 2, 1 Bit
         +0x000 MultipleShared : Bitfield Pos 3, 1 Bit
         +0x000 Shared : Bitfield Pos 4, 60 Bits
         +0x000 Value : Uint8B
         +0x000 Ptr : Ptr64 to
      +0x008 ExitGate : Ptr64 to
      +0x010 AccessLog : Ptr64 to
      +0x018 WorkingSetExpansionLinks : struct _LIST_ENTRY, 2 elements, 0x10 bytes
         +0x000 Flink : Ptr64 to
         +0x008 Blink : Ptr64 to
      +0x028 AgeDistribution : (7 elements) Uint4B
      +0x044 MinimumWorkingSetSize : Uint4B
      +0x048 WorkingSetSize : Uint4B
      +0x04c WorkingSetPrivateSize : Uint4B
      +0x050 MaximumWorkingSetSize : Uint4B
      +0x054 ChargedWslePages : Uint4B
      +0x058 ActualWslePages : Uint4B
      +0x05c WorkingSetSizeOverhead : Uint4B
      +0x060 PeakWorkingSetSize : Uint4B
      +0x064 HardFaultCount : Uint4B
      +0x068 VmWorkingSetList : Ptr64 to
      +0x070 NextPageColor : Uint2B
      +0x072 LastTrimStamp : Uint2B
      +0x074 PageFaultCount : Uint4B
      +0x078 RepurposeCount : Uint4B
      +0x07c Spare : (2 elements) Uint4B
      +0x084 Flags : struct _MMSUPPORT_FLAGS, 15 elements, 0x4 bytes
         +0x000 WorkingSetType : Bitfield Pos 0, 3 Bits
         +0x000 ModwriterAttached : Bitfield Pos 3, 1 Bit
         +0x000 TrimHard : Bitfield Pos 4, 1 Bit
         +0x000 MaximumWorkingSetHard : Bitfield Pos 5, 1 Bit
         +0x000 ForceTrim : Bitfield Pos 6, 1 Bit
         +0x000 MinimumWorkingSetHard : Bitfield Pos 7, 1 Bit
         +0x001 SessionMaster : Bitfield Pos 0, 1 Bit
         +0x001 TrimmerState : Bitfield Pos 1, 2 Bits
         +0x001 Reserved : Bitfield Pos 3, 1 Bit
         +0x001 PageStealers : Bitfield Pos 4, 4 Bits
         +0x002 MemoryPriority : Bitfield Pos 0, 8 Bits
         +0x003 WsleDeleted : Bitfield Pos 0, 1 Bit

         +0x003 VmExiting : Bitfield Pos 1, 1 Bit
         +0x003 ExpansionFailed : Bitfield Pos 2, 1 Bit
         +0x003 Available : Bitfield Pos 3, 5 Bits
   +0x418 MmProcessLinks : struct _LIST_ENTRY, 2 elements, 0x10 bytes
      +0x000 Flink : Ptr64 to
      +0x008 Blink : Ptr64 to
   +0x428 HighestUserAddress : Ptr64 to
   +0x430 ModifiedPageCount : Uint4B
   +0x434 Flags2 : Uint4B
   +0x434 JobNotReallyActive : Bitfield Pos 0, 1 Bit
   +0x434 AccountingFolded : Bitfield Pos 1, 1 Bit
   +0x434 NewProcessReported : Bitfield Pos 2, 1 Bit
   +0x434 ExitProcessReported : Bitfield Pos 3, 1 Bit
   +0x434 ReportCommitChanges : Bitfield Pos 4, 1 Bit
   +0x434 LastReportMemory : Bitfield Pos 5, 1 Bit
   +0x434 ReportPhysicalPageChanges : Bitfield Pos 6, 1 Bit
   +0x434 HandleTableRundown : Bitfield Pos 7, 1 Bit
   +0x434 NeedsHandleRundown : Bitfield Pos 8, 1 Bit
   +0x434 RefTraceEnabled : Bitfield Pos 9, 1 Bit
   +0x434 NumaAware : Bitfield Pos 10, 1 Bit
   +0x434 ProtectedProcess : Bitfield Pos 11, 1 Bit
   +0x434 DefaultPagePriority : Bitfield Pos 12, 3 Bits
   +0x434 PrimaryTokenFrozen : Bitfield Pos 15, 1 Bit
   +0x434 ProcessVerifierTarget : Bitfield Pos 16, 1 Bit
   +0x434 StackRandomizationDisabled : Bitfield Pos 17, 1 Bit
   +0x434 AffinityPermanent : Bitfield Pos 18, 1 Bit
   +0x434 AffinityUpdateEnable : Bitfield Pos 19, 1 Bit
   +0x434 PropagateNode : Bitfield Pos 20, 1 Bit
   +0x434 ExplicitAffinity : Bitfield Pos 21, 1 Bit
   +0x438 Flags : Uint4B
   +0x438 CreateReported : Bitfield Pos 0, 1 Bit
   +0x438 NoDebugInherit : Bitfield Pos 1, 1 Bit
   +0x438 ProcessExiting : Bitfield Pos 2, 1 Bit
   +0x438 ProcessDelete : Bitfield Pos 3, 1 Bit
   +0x438 Wow64SplitPages : Bitfield Pos 4, 1 Bit
   +0x438 VmDeleted : Bitfield Pos 5, 1 Bit
   +0x438 OutswapEnabled : Bitfield Pos 6, 1 Bit
   +0x438 Outswapped : Bitfield Pos 7, 1 Bit
   +0x438 ForkFailed : Bitfield Pos 8, 1 Bit
   +0x438 Wow64VaSpace4Gb : Bitfield Pos 9, 1 Bit
   +0x438 AddressSpaceInitialized : Bitfield Pos 10, 2 Bits
   +0x438 SetTimerResolution : Bitfield Pos 12, 1 Bit
   +0x438 BreakOnTermination : Bitfield Pos 13, 1 Bit
   +0x438 DeprioritizeViews : Bitfield Pos 14, 1 Bit
   +0x438 WriteWatch : Bitfield Pos 15, 1 Bit
   +0x438 ProcessInSession : Bitfield Pos 16, 1 Bit
   +0x438 OverrideAddressSpace : Bitfield Pos 17, 1 Bit
   +0x438 HasAddressSpace : Bitfield Pos 18, 1 Bit
   +0x438 LaunchPrefetched : Bitfield Pos 19, 1 Bit
   +0x438 InjectInpageErrors : Bitfield Pos 20, 1 Bit
   +0x438 VmTopDown : Bitfield Pos 21, 1 Bit
   +0x438 ImageNotifyDone : Bitfield Pos 22, 1 Bit
   +0x438 PdeUpdateNeeded : Bitfield Pos 23, 1 Bit
   +0x438 VdmAllowed : Bitfield Pos 24, 1 Bit
   +0x438 CrossSessionCreate : Bitfield Pos 25, 1 Bit
   +0x438 ProcessInserted : Bitfield Pos 26, 1 Bit
   +0x438 DefaultIoPriority : Bitfield Pos 27, 3 Bits
   +0x438 ProcessSelfDelete : Bitfield Pos 30, 1 Bit
   +0x438 SetTimerResolutionLink : Bitfield Pos 31, 1 Bit
   +0x43c ExitStatus : Int4B

   +0x440 VadRoot : struct _MM_AVL_TABLE, 6 elements, 0x40 bytes
      +0x000 BalancedRoot : struct _MMADDRESS_NODE, 5 elements, 0x28 bytes
         +0x000 u1 : union <unnamed-tag>, 2 elements, 0x8 bytes
            +0x000 Balance : Bitfield Pos 0, 2 Bits
            +0x000 Parent : Ptr64 to
         +0x008 LeftChild : Ptr64 to
         +0x010 RightChild : Ptr64 to
         +0x018 StartingVpn : Uint8B
         +0x020 EndingVpn : Uint8B
      +0x028 DepthOfTree : Bitfield Pos 0, 5 Bits
      +0x028 Unused : Bitfield Pos 5, 3 Bits
      +0x028 NumberGenericTableElements : Bitfield Pos 8, 56 Bits
      +0x030 NodeHint : Ptr64 to
      +0x038 NodeFreeHint : Ptr64 to
   +0x480 AlpcContext : struct _ALPC_PROCESS_CONTEXT, 3 elements, 0x20 bytes
      +0x000 Lock : struct _EX_PUSH_LOCK, 7 elements, 0x8 bytes
         +0x000 Locked : Bitfield Pos 0, 1 Bit
         +0x000 Waiting : Bitfield Pos 1, 1 Bit
         +0x000 Waking : Bitfield Pos 2, 1 Bit
         +0x000 MultipleShared : Bitfield Pos 3, 1 Bit
         +0x000 Shared : Bitfield Pos 4, 60 Bits
         +0x000 Value : Uint8B
         +0x000 Ptr : Ptr64 to
      +0x008 ViewListHead : struct _LIST_ENTRY, 2 elements, 0x10 bytes
         +0x000 Flink : Ptr64 to
         +0x008 Blink : Ptr64 to
      +0x018 PagedPoolQuotaCache : Uint8B
   +0x4a0 TimerResolutionLink : struct _LIST_ENTRY, 2 elements, 0x10 bytes
      +0x000 Flink : Ptr64 to
      +0x008 Blink : Ptr64 to
   +0x4b0 RequestedTimerResolution : Uint4B
   +0x4b4 ActiveThreadsHighWatermark : Uint4B
   +0x4b8 SmallestTimerResolution : Uint4B
   +0x4c0 TimerResolutionStackRecord : Ptr64 to
