_EPROCESS Version 5.0.2195.7045

Dieser Artikel listet die Struktur _EPROCESS von Windows 2000, Service Pack 4, mit allen Feldoffsets. Die Daten wurden mit dem Windows-Kerneldebugger (Befehl `dt -a -b -v _EPROCESS`) aus ntoskrnl.exe Version 5.0.2195.7045 gewonnen. Sie dienen als Grundlage zur forensischen Analyse des Arbeitsspeichers. Hinweis: Die Offsets gelten nur für genau diesen Kernel-Build; andere Builds oder Service Packs können abweichende Offsets und Strukturgrößen haben. Ein Werkzeug, das diese Offsets verwendet, sollte daher zuerst die Kernelversion des untersuchten Abbilds bestimmen. Für die Analyse besonders relevante Felder sind DirectoryTableBase (+0x018), UniqueProcessId (+0x09c), ActiveProcessLinks (+0x0a0), Token (+0x12c), Peb (+0x1b0) und ImageFileName (+0x1fc). ImageFileName umfasst nur 16 Bytes, der Prozessname ist also gekürzt und eignet sich nicht allein zur Identifizierung eines Prozesses. Da ActiveProcessLinks eine doppelt verkettete Liste ist, aus der ein Eintrag durch direkte Manipulation des Kernelspeichers ausgehängt werden kann, sollte eine Prozessliste nicht ausschließlich durch Abwandern dieser Liste erstellt, sondern zusätzlich etwa durch eine Suche nach _EPROCESS-Objekten im Speicher oder über weitere Listen (ThreadListHead, SessionProcessLinks, JobLinks) abgeglichen werden.

kd> dt -a -b -v _EPROCESS
struct _EPROCESS, 94 elements, 0x290 bytes
   +0x000 Pcb              : struct _KPROCESS, 26 elements, 0x6c bytes
      +0x000 Header           : struct _DISPATCHER_HEADER, 6 elements, 0x10 bytes
         +0x000 Type             : UChar
         +0x001 Absolute         : UChar
         +0x002 Size             : UChar
         +0x003 Inserted         : UChar
         +0x004 SignalState      : Int4B
         +0x008 WaitListHead     : struct _LIST_ENTRY, 2 elements, 0x8 bytes
            +0x000 Flink            : Ptr32 to 
            +0x004 Blink            : Ptr32 to 
      +0x010 ProfileListHead  : struct _LIST_ENTRY, 2 elements, 0x8 bytes
         +0x000 Flink            : Ptr32 to 
         +0x004 Blink            : Ptr32 to 
      +0x018 DirectoryTableBase : (2 elements)  Uint4B
      +0x020 LdtDescriptor    : struct _KGDTENTRY, 3 elements, 0x8 bytes
         +0x000 LimitLow         : Uint2B
         +0x002 BaseLow          : Uint2B
         +0x004 HighWord         : union __unnamed, 2 elements, 0x4 bytes
            +0x000 Bytes            : struct __unnamed, 4 elements, 0x4 bytes
               +0x000 BaseMid          : UChar
               +0x001 Flags1           : UChar
               +0x002 Flags2           : UChar
               +0x003 BaseHi           : UChar
            +0x000 Bits             : struct __unnamed, 10 elements, 0x4 bytes
               +0x000 BaseMid          : Bitfield Pos 0, 8 Bits
               +0x000 Type             : Bitfield Pos 8, 5 Bits
               +0x000 Dpl              : Bitfield Pos 13, 2 Bits
               +0x000 Pres             : Bitfield Pos 15, 1 Bit
               +0x000 LimitHi          : Bitfield Pos 16, 4 Bits
               +0x000 Sys              : Bitfield Pos 20, 1 Bit
               +0x000 Reserved_0       : Bitfield Pos 21, 1 Bit
               +0x000 Default_Big      : Bitfield Pos 22, 1 Bit
               +0x000 Granularity      : Bitfield Pos 23, 1 Bit
               +0x000 BaseHi           : Bitfield Pos 24, 8 Bits
      +0x028 Int21Descriptor  : struct _KIDTENTRY, 4 elements, 0x8 bytes
         +0x000 Offset           : Uint2B
         +0x002 Selector         : Uint2B
         +0x004 Access           : Uint2B
         +0x006 ExtendedOffset   : Uint2B
      +0x030 IopmOffset       : Uint2B
      +0x032 Iopl             : UChar
      +0x033 VdmFlag          : UChar
      +0x034 ActiveProcessors : Uint4B
      +0x038 KernelTime       : Uint4B
      +0x03c UserTime         : Uint4B
      +0x040 ReadyListHead    : struct _LIST_ENTRY, 2 elements, 0x8 bytes
         +0x000 Flink            : Ptr32 to 
         +0x004 Blink            : Ptr32 to 
      +0x048 SwapListEntry    : struct _LIST_ENTRY, 2 elements, 0x8 bytes
         +0x000 Flink            : Ptr32 to 
         +0x004 Blink            : Ptr32 to 
      +0x050 ThreadListHead   : struct _LIST_ENTRY, 2 elements, 0x8 bytes
         +0x000 Flink            : Ptr32 to 
         +0x004 Blink            : Ptr32 to 
      +0x058 ProcessLock      : Uint4B
      +0x05c Affinity         : Uint4B
      +0x060 StackCount       : Uint2B
      +0x062 BasePriority     : Char
      +0x063 ThreadQuantum    : Char
      +0x064 AutoAlignment    : UChar
      +0x065 State            : UChar
      +0x066 ThreadSeed       : UChar
      +0x067 DisableBoost     : UChar
      +0x068 PowerState       : UChar
      +0x069 DisableQuantum   : UChar
      +0x06a Spare            : (2 elements)  UChar
   +0x06c ExitStatus       : Int4B
   +0x070 LockEvent        : struct _KEVENT, 1 elements, 0x10 bytes
      +0x000 Header           : struct _DISPATCHER_HEADER, 6 elements, 0x10 bytes
         +0x000 Type             : UChar
         +0x001 Absolute         : UChar
         +0x002 Size             : UChar
         +0x003 Inserted         : UChar
         +0x004 SignalState      : Int4B
         +0x008 WaitListHead     : struct _LIST_ENTRY, 2 elements, 0x8 bytes
            +0x000 Flink            : Ptr32 to 
            +0x004 Blink            : Ptr32 to 
   +0x080 LockCount        : Uint4B
   +0x088 CreateTime       : union _LARGE_INTEGER, 4 elements, 0x8 bytes
      +0x000 LowPart          : Uint4B
      +0x004 HighPart         : Int4B
      +0x000 u                : struct __unnamed, 2 elements, 0x8 bytes
         +0x000 LowPart          : Uint4B
         +0x004 HighPart         : Int4B
      +0x000 QuadPart         : Int8B
   +0x090 ExitTime         : union _LARGE_INTEGER, 4 elements, 0x8 bytes
      +0x000 LowPart          : Uint4B
      +0x004 HighPart         : Int4B
      +0x000 u                : struct __unnamed, 2 elements, 0x8 bytes
         +0x000 LowPart          : Uint4B
         +0x004 HighPart         : Int4B
      +0x000 QuadPart         : Int8B
   +0x098 LockOwner        : Ptr32 to 
   +0x09c UniqueProcessId  : Ptr32 to 
   +0x0a0 ActiveProcessLinks : struct _LIST_ENTRY, 2 elements, 0x8 bytes
      +0x000 Flink            : Ptr32 to 
      +0x004 Blink            : Ptr32 to 
   +0x0a8 QuotaPeakPoolUsage : (2 elements)  Uint4B
   +0x0b0 QuotaPoolUsage   : (2 elements)  Uint4B
   +0x0b8 PagefileUsage    : Uint4B
   +0x0bc CommitCharge     : Uint4B
   +0x0c0 PeakPagefileUsage : Uint4B
   +0x0c4 PeakVirtualSize  : Uint4B
   +0x0c8 VirtualSize      : Uint4B
   +0x0d0 Vm               : struct _MMSUPPORT, 19 elements, 0x48 bytes
      +0x000 LastTrimTime     : union _LARGE_INTEGER, 4 elements, 0x8 bytes
         +0x000 LowPart          : Uint4B
         +0x004 HighPart         : Int4B
         +0x000 u                : struct __unnamed, 2 elements, 0x8 bytes
            +0x000 LowPart          : Uint4B
            +0x004 HighPart         : Int4B
         +0x000 QuadPart         : Int8B
      +0x008 LastTrimFaultCount : Uint4B
      +0x00c PageFaultCount   : Uint4B
      +0x010 PeakWorkingSetSize : Uint4B
      +0x014 WorkingSetSize   : Uint4B
      +0x018 MinimumWorkingSetSize : Uint4B
      +0x01c MaximumWorkingSetSize : Uint4B
      +0x020 VmWorkingSetList : Ptr32 to 
      +0x024 WorkingSetExpansionLinks : struct _LIST_ENTRY, 2 elements, 0x8 bytes
         +0x000 Flink            : Ptr32 to 
         +0x004 Blink            : Ptr32 to 
      +0x02c AllowWorkingSetAdjustment : UChar
      +0x02d AddressSpaceBeingDeleted : UChar
      +0x02e ForegroundSwitchCount : UChar
      +0x02f MemoryPriority   : UChar
      +0x030 u                : union __unnamed, 2 elements, 0x4 bytes
         +0x000 LongFlags        : Uint4B
         +0x000 Flags            : struct _MMSUPPORT_FLAGS, 8 elements, 0x4 bytes
            +0x000 SessionSpace     : Bitfield Pos 0, 1 Bit
            +0x000 BeingTrimmed     : Bitfield Pos 1, 1 Bit
            +0x000 ProcessInSession : Bitfield Pos 2, 1 Bit
            +0x000 SessionLeader    : Bitfield Pos 3, 1 Bit
            +0x000 TrimHard         : Bitfield Pos 4, 1 Bit
            +0x000 WorkingSetHard   : Bitfield Pos 5, 1 Bit
            +0x000 WriteWatch       : Bitfield Pos 6, 1 Bit
            +0x000 Filler           : Bitfield Pos 7, 25 Bits
      +0x034 Claim            : Uint4B
      +0x038 NextEstimationSlot : Uint4B
      +0x03c NextAgingSlot    : Uint4B
      +0x040 EstimatedAvailable : Uint4B
      +0x044 GrowthSinceLastEstimate : Uint4B
   +0x118 SessionProcessLinks : struct _LIST_ENTRY, 2 elements, 0x8 bytes
      +0x000 Flink            : Ptr32 to 
      +0x004 Blink            : Ptr32 to 
   +0x120 DebugPort        : Ptr32 to 
   +0x124 ExceptionPort    : Ptr32 to 
   +0x128 ObjectTable      : Ptr32 to 
   +0x12c Token            : Ptr32 to 
   +0x130 WorkingSetLock   : struct _FAST_MUTEX, 5 elements, 0x20 bytes
      +0x000 Count            : Int4B
      +0x004 Owner            : Ptr32 to 
      +0x008 Contention       : Uint4B
      +0x00c Event            : struct _KEVENT, 1 elements, 0x10 bytes
         +0x000 Header           : struct _DISPATCHER_HEADER, 6 elements, 0x10 bytes
            +0x000 Type             : UChar
            +0x001 Absolute         : UChar
            +0x002 Size             : UChar
            +0x003 Inserted         : UChar
            +0x004 SignalState      : Int4B
            +0x008 WaitListHead     : struct _LIST_ENTRY, 2 elements, 0x8 bytes
               +0x000 Flink            : Ptr32 to 
               +0x004 Blink            : Ptr32 to 
      +0x01c OldIrql          : Uint4B
   +0x150 WorkingSetPage   : Uint4B
   +0x154 ProcessOutswapEnabled : UChar
   +0x155 ProcessOutswapped : UChar
   +0x156 AddressSpaceInitialized : UChar
   +0x157 AddressSpaceDeleted : UChar
   +0x158 AddressCreationLock : struct _FAST_MUTEX, 5 elements, 0x20 bytes
      +0x000 Count            : Int4B
      +0x004 Owner            : Ptr32 to 
      +0x008 Contention       : Uint4B
      +0x00c Event            : struct _KEVENT, 1 elements, 0x10 bytes
         +0x000 Header           : struct _DISPATCHER_HEADER, 6 elements, 0x10 bytes
            +0x000 Type             : UChar
            +0x001 Absolute         : UChar
            +0x002 Size             : UChar
            +0x003 Inserted         : UChar
            +0x004 SignalState      : Int4B
            +0x008 WaitListHead     : struct _LIST_ENTRY, 2 elements, 0x8 bytes
               +0x000 Flink            : Ptr32 to 
               +0x004 Blink            : Ptr32 to 
      +0x01c OldIrql          : Uint4B
   +0x178 HyperSpaceLock   : Uint4B
   +0x17c ForkInProgress   : Ptr32 to 
   +0x180 VmOperation      : Uint2B
   +0x182 ForkWasSuccessful : UChar
   +0x183 MmAgressiveWsTrimMask : UChar
   +0x184 VmOperationEvent : Ptr32 to 
   +0x188 PaeTop           : Ptr32 to 
   +0x18c LastFaultCount   : Uint4B
   +0x190 ModifiedPageCount : Uint4B
   +0x194 VadRoot          : Ptr32 to 
   +0x198 VadHint          : Ptr32 to 
   +0x19c CloneRoot        : Ptr32 to 
   +0x1a0 NumberOfPrivatePages : Uint4B
   +0x1a4 NumberOfLockedPages : Uint4B
   +0x1a8 NextPageColor    : Uint2B
   +0x1aa ExitProcessCalled : UChar
   +0x1ab CreateProcessReported : UChar
   +0x1ac SectionHandle    : Ptr32 to 
   +0x1b0 Peb              : Ptr32 to 
   +0x1b4 SectionBaseAddress : Ptr32 to 
   +0x1b8 QuotaBlock       : Ptr32 to 
   +0x1bc LastThreadExitStatus : Int4B
   +0x1c0 WorkingSetWatch  : Ptr32 to 
   +0x1c4 Win32WindowStation : Ptr32 to 
   +0x1c8 InheritedFromUniqueProcessId : Ptr32 to 
   +0x1cc GrantedAccess    : Uint4B
   +0x1d0 DefaultHardErrorProcessing : Uint4B
   +0x1d4 LdtInformation   : Ptr32 to 
   +0x1d8 VadFreeHint      : Ptr32 to 
   +0x1dc VdmObjects       : Ptr32 to 
   +0x1e0 DeviceMap        : Ptr32 to 
   +0x1e4 SessionId        : Uint4B
   +0x1e8 PhysicalVadList  : struct _LIST_ENTRY, 2 elements, 0x8 bytes
      +0x000 Flink            : Ptr32 to 
      +0x004 Blink            : Ptr32 to 
   +0x1f0 PageDirectoryPte : struct _HARDWARE_PTE_X86, 13 elements, 0x4 bytes
      +0x000 Valid            : Bitfield Pos 0, 1 Bit
      +0x000 Write            : Bitfield Pos 1, 1 Bit
      +0x000 Owner            : Bitfield Pos 2, 1 Bit
      +0x000 WriteThrough     : Bitfield Pos 3, 1 Bit
      +0x000 CacheDisable     : Bitfield Pos 4, 1 Bit
      +0x000 Accessed         : Bitfield Pos 5, 1 Bit
      +0x000 Dirty            : Bitfield Pos 6, 1 Bit
      +0x000 LargePage        : Bitfield Pos 7, 1 Bit
      +0x000 Global           : Bitfield Pos 8, 1 Bit
      +0x000 CopyOnWrite      : Bitfield Pos 9, 1 Bit
      +0x000 Prototype        : Bitfield Pos 10, 1 Bit
      +0x000 reserved         : Bitfield Pos 11, 1 Bit
      +0x000 PageFrameNumber  : Bitfield Pos 12, 20 Bits
   +0x1f0 Filler           : Uint8B
   +0x1f8 PaePageDirectoryPage : Uint4B
   +0x1fc ImageFileName    : (16 elements)  UChar
   +0x20c VmTrimFaultValue : Uint4B
   +0x210 SetTimerResolution : UChar
   +0x211 PriorityClass    : UChar
   +0x212 SubSystemMinorVersion : UChar
   +0x213 SubSystemMajorVersion : UChar
   +0x212 SubSystemVersion : Uint2B
   +0x214 Win32Process     : Ptr32 to 
   +0x218 Job              : Ptr32 to 
   +0x21c JobStatus        : Uint4B
   +0x220 JobLinks         : struct _LIST_ENTRY, 2 elements, 0x8 bytes
      +0x000 Flink            : Ptr32 to 
      +0x004 Blink            : Ptr32 to 
   +0x228 LockedPagesList  : Ptr32 to 
   +0x22c SecurityPort     : Ptr32 to 
   +0x230 Wow64Process     : Ptr32 to 
   +0x238 ReadOperationCount : union _LARGE_INTEGER, 4 elements, 0x8 bytes
      +0x000 LowPart          : Uint4B
      +0x004 HighPart         : Int4B
      +0x000 u                : struct __unnamed, 2 elements, 0x8 bytes
         +0x000 LowPart          : Uint4B
         +0x004 HighPart         : Int4B
      +0x000 QuadPart         : Int8B
   +0x240 WriteOperationCount : union _LARGE_INTEGER, 4 elements, 0x8 bytes
      +0x000 LowPart          : Uint4B
      +0x004 HighPart         : Int4B
      +0x000 u                : struct __unnamed, 2 elements, 0x8 bytes
         +0x000 LowPart          : Uint4B
         +0x004 HighPart         : Int4B
      +0x000 QuadPart         : Int8B
   +0x248 OtherOperationCount : union _LARGE_INTEGER, 4 elements, 0x8 bytes
      +0x000 LowPart          : Uint4B
      +0x004 HighPart         : Int4B
      +0x000 u                : struct __unnamed, 2 elements, 0x8 bytes
         +0x000 LowPart          : Uint4B
         +0x004 HighPart         : Int4B
      +0x000 QuadPart         : Int8B
   +0x250 ReadTransferCount : union _LARGE_INTEGER, 4 elements, 0x8 bytes
      +0x000 LowPart          : Uint4B
      +0x004 HighPart         : Int4B
      +0x000 u                : struct __unnamed, 2 elements, 0x8 bytes
         +0x000 LowPart          : Uint4B
         +0x004 HighPart         : Int4B
      +0x000 QuadPart         : Int8B
   +0x258 WriteTransferCount : union _LARGE_INTEGER, 4 elements, 0x8 bytes
      +0x000 LowPart          : Uint4B
      +0x004 HighPart         : Int4B
      +0x000 u                : struct __unnamed, 2 elements, 0x8 bytes
         +0x000 LowPart          : Uint4B
         +0x004 HighPart         : Int4B
      +0x000 QuadPart         : Int8B
   +0x260 OtherTransferCount : union _LARGE_INTEGER, 4 elements, 0x8 bytes
      +0x000 LowPart          : Uint4B
      +0x004 HighPart         : Int4B
      +0x000 u                : struct __unnamed, 2 elements, 0x8 bytes
         +0x000 LowPart          : Uint4B
         +0x004 HighPart         : Int4B
      +0x000 QuadPart         : Int8B
   +0x268 CommitChargeLimit : Uint4B
   +0x26c CommitChargePeak : Uint4B
   +0x270 ThreadListHead   : struct _LIST_ENTRY, 2 elements, 0x8 bytes
      +0x000 Flink            : Ptr32 to 
      +0x004 Blink            : Ptr32 to 
   +0x278 VadPhysicalPagesBitMap : Ptr32 to 
   +0x27c VadPhysicalPages : Uint4B
   +0x280 AweLock          : Uint4B
   +0x284 pImageFileName   : Ptr32 to 
   +0x288 Session          : Ptr32 to 
   +0x28c Flags            : Uint4B
