typedef struct _EPROCESS { 
讯享网KPROCESS Pcb; </span><span style="color: rgba(0, 128, 0, 1)">//</span><span style="color: rgba(0, 128, 0, 1)">KPROCESS被内核用来进行线程调度使用</span> 
  
EX_PUSH_LOCK ProcessLock;</span><span style="color: rgba(0, 128, 0, 1)">//</span><span style="color: rgba(0, 128, 0, 1)">ProcessLock域是一个推锁(push lock)对象，用于保护EPROCESS中的数据成员。用来对可能产生的并行事件强制串行化。</span> 
  
讯享网LARGE_INTEGER CreateTime; </span><span style="color: rgba(0, 128, 0, 1)">//</span><span style="color: rgba(0, 128, 0, 1)">这两个域分别代表了进程的创建时间和退出时间</span> 
  LARGE_INTEGER ExitTime; 
EX_RUNDOWN_REF RundownProtect; </span><span style="color: rgba(0, 128, 0, 1)">//</span><span style="color: rgba(0, 128, 0, 1)">RundownProtect域是进程的停止保护锁，当一个进程到最后被销毁时，它要等到所有其他进程和线程已经释放了此锁，才可以继续进行，否则就会产生孤儿线程</span> 
  
讯享网HANDLE UniqueProcessId; </span><span style="color: rgba(0, 128, 0, 1)">//</span><span style="color: rgba(0, 128, 0, 1)">UniqueProcessId域是进程的唯一编号，在进程创建时就设定好了，我们在"任务管理器"中看到的PID就是从这个域中获取的值</span> 
  
LIST_ENTRY ActiveProcessLinks; </span><span style="color: rgba(0, 128, 0, 1)">//</span><span style="color: rgba(0, 128, 0, 1)">ActiveProcessLinks域是一个双链表节点(注意是双链表中的一个节点)，在windows系统中，所有的活动进程都连接在一起，构成了一个链表。</span> 
  
讯享网SIZE_T QuotaUsage[PsQuotaTypes];</span><span style="color: rgba(0, 128, 0, 1)">//</span><span style="color: rgba(0, 128, 0, 1)">QuotaUsage和QuotaPeak域是指一个进程的内存使用量和尖峰使用量</span> 
  SIZE_T QuotaPeak[PsQuotaTypes]; 
SIZE_T CommitCharge; </span><span style="color: rgba(0, 128, 0, 1)">//</span><span style="color: rgba(0, 128, 0, 1)">CommitCharge域中存储了一个进程的虚拟内存已提交的"页面数量"</span> SIZE_T PeakVirtualSize;<span style="color: rgba(0, 128, 0, 1)">//</span><span style="color: rgba(0, 128, 0, 1)">PeakVirtualSize域是指虚拟内存大小的尖峰值。</span> SIZE_T VirtualSize;<span style="color: rgba(0, 128, 0, 1)">//</span><span style="color: rgba(0, 128, 0, 1)">VirtualSize域是指一个进程的虚拟内存大小。</span> 
  
讯享网LIST_ENTRY SessionProcessLinks;</span><span style="color: rgba(0, 128, 0, 1)">//</span><span style="color: rgba(0, 128, 0, 1)">SessionProcessLinks域是一个双链表节点，当进程加入到一个系统会话中时，这个进程的SessionProcessLinks域将作为一个节点(LIST_ENTRY在内核中很常见)加入到该会话的进程链表中。</span> 
  
PVOID DebugPort; </span><span style="color: rgba(0, 128, 0, 1)">//</span><span style="color: rgba(0, 128, 0, 1)">DebugPort和ExceptionPort域是两个句柄(指针)，分别指向当前进程对应的调试端口和异常端口。</span> 
  PVOID ExceptionPort; 
讯享网PHANDLE_TABLE ObjectTable; </span><span style="color: rgba(0, 128, 0, 1)">//</span><span style="color: rgba(0, 128, 0, 1)">ObjectTable域是当前进程的句柄表。</span> 
  
EX_FAST_REF Token; </span><span style="color: rgba(0, 128, 0, 1)">//</span><span style="color: rgba(0, 128, 0, 1)">Token域是一个快速引用，指向该进程的访问令牌，用于该进程的安全访问检查。</span> 
  
讯享网PFN_NUMBER WorkingSetPage; </span><span style="color: rgba(0, 128, 0, 1)">//</span><span style="color: rgba(0, 128, 0, 1)">WorkingSetPage域是指包含进程工作集的页面</span> KGUARDED_MUTEX AddressCreationLock;<span style="color: rgba(0, 128, 0, 1)">//</span><span style="color: rgba(0, 128, 0, 1)">AddressCreationLock域是一个守护互斥体锁(guard mutex)，用于保护对地址空间的操作。</span> KSPIN_LOCK HyperSpaceLock;<span style="color: rgba(0, 128, 0, 1)">//</span><span style="color: rgba(0, 128, 0, 1)">HyperSpaceLock是一个自旋锁，用于保护进程的超空间</span> <span style="color: rgba(0, 0, 255, 1)">struct</span> _ETHREAD *ForkInProgress;<span style="color: rgba(0, 128, 0, 1)">//</span><span style="color: rgba(0, 128, 0, 1)">ForkInProgress指向正在复制地址空间的那个线程，仅当在地址空间复制过程中，此域才会被赋值，在其他情况下为NULL。</span> ULONG_PTR HardwareTrigger;<span style="color: rgba(0, 128, 0, 1)">//</span><span style="color: rgba(0, 128, 0, 1)">HardwareTrigger用于记录硬件错误性能分析次数</span> 
  
PMM_AVL_TABLE PhysicalVadRoot;</span><span style="color: rgba(0, 128, 0, 1)">//</span><span style="color: rgba(0, 128, 0, 1)">PhysicalVadRoot域指向进程的物理VAD的根。它并不总是存在，只有当确实需要映射物理内存时才会被创建。</span> PVOID CloneRoot;<span style="color: rgba(0, 128, 0, 1)">//</span><span style="color: rgba(0, 128, 0, 1)">CloneRoot指向一个平衡树的根，当进程地址空间复制时，此树被创建，创建出来后，一直到进程退出的时候才被销毁。CloneRoot域完全是为了支持fork语义而引入。</span> PFN_NUMBER NumberOfPrivatePages;<span style="color: rgba(0, 128, 0, 1)">//</span><span style="color: rgba(0, 128, 0, 1)">指进程私有页面的数量</span> PFN_NUMBER NumberOfLockedPages;<span style="color: rgba(0, 128, 0, 1)">//</span><span style="color: rgba(0, 128, 0, 1)">指进程被锁住的页面的数量</span> PVOID Win32Process;<span style="color: rgba(0, 128, 0, 1)">//</span><span style="color: rgba(0, 128, 0, 1)">Win32Process域是一个指针，指向由windows子系统管理的进程区域，如果此值不为NULL，说明这是一个windows子系统进程(GUI进程)</span> <span style="color: rgba(0, 0, 255, 1)">struct</span> _EJOB *Job;<span style="color: rgba(0, 128, 0, 1)">//</span><span style="color: rgba(0, 128, 0, 1)">对于job域，只有当一个进程属于一个job(作业)的时候，它才会指向一个_EJOB对象。</span> PVOID SectionObject;<span style="color: rgba(0, 128, 0, 1)">//</span><span style="color: rgba(0, 128, 0, 1)">SectionObject域也是一个指针，代表进程的内存去对象(进程的可执行映像文件的内存区对象)</span> 
 
讯享网 
讯享网PVOID SectionBaseAddress;</span><span style="color: rgba(0, 128, 0, 1)">//</span><span style="color: rgba(0, 128, 0, 1)"> SectionBaseAddress域为该内存区对象的基地址</span> 
  
PEPROCESS_QUOTA_BLOCK QuotaBlock;</span><span style="color: rgba(0, 128, 0, 1)">//</span><span style="color: rgba(0, 128, 0, 1)">QuotaBlock域指向进程的配额块，进程的配额块类型为: EPROCESS_QUOTA_BLOCK</span> 
  
讯享网PPAGEFAULT_HISTORY WorkingSetWatch;</span><span style="color: rgba(0, 128, 0, 1)">//</span><span style="color: rgba(0, 128, 0, 1)">WorkingSetWatch域用于监视一个进程的页面错误，一旦启用了页面错误监视功能(由全局变量PsWatchEnabled开关来控制)，则每次发生页面错误都会将该页面错误记录到WorkingSetWatch域的WatchInfo成员数组中，知道数组满为止。</span> HANDLE Win32WindowStation;<span style="color: rgba(0, 128, 0, 1)">//</span><span style="color: rgba(0, 128, 0, 1)">Win32WindowStation域是一个进程所属的窗口站的句柄。由于句柄的值是由每个进程的句柄表来决定的，所以，两个进程即使同属于一个窗口站，它们的Win32WindowStation也可能不同，但指向的窗口站对象是相同的。窗口站是由windows子系统来管理和控制的。</span> HANDLE InheritedFromUniqueProcessId;<span style="color: rgba(0, 128, 0, 1)">//</span><span style="color: rgba(0, 128, 0, 1)">InheritedFromUniqueProcessId域说明了一个进程是从哪里继承来的，即父进程的标识符。</span> 
  
PVOID LdtInformation;</span><span style="color: rgba(0, 128, 0, 1)">//</span><span style="color: rgba(0, 128, 0, 1)">LdtInformation用来维护一个进程的LDT(局部描述符表)信息。</span> PVOID VadFreeHint;<span style="color: rgba(0, 128, 0, 1)">//</span><span style="color: rgba(0, 128, 0, 1)">VadFreeHint域指向一个提示VAD(虚拟地址描述符)节点，用于加速在VAD树中执行查找操作。</span> PVOID VdmObjects;<span style="color: rgba(0, 128, 0, 1)">//</span><span style="color: rgba(0, 128, 0, 1)">VdmObjects域指向当前进程的VDM数据区，其类型为VMD_PROCESS_OBJECTS，进程可通过NtVdmControl系统服务来初始化VDM。</span> PVOID DeviceMap;<span style="color: rgba(0, 128, 0, 1)">//</span><span style="color: rgba(0, 128, 0, 1)">DeviceMap域指向进程使用的设备表，通常情况下同一个会话中的进程共享同样的设备表。</span> 
  
讯享网PVOID Spare0[</span><span style="color: rgba(128, 0, 128, 1)">3</span>];<span style="color: rgba(0, 128, 0, 1)">//</span><span style="color: rgba(0, 128, 0, 1)">Spare0域是一个备用域</span> union <span style="color: rgba(0, 128, 0, 1)">//</span><span style="color: rgba(0, 128, 0, 1)">页表项</span> 
  { 
 HARDWARE_PTE PageDirectoryPte; ULONGLONG Filler; }; PVOID Session;</span><span style="color: rgba(0, 128, 0, 1)">//</span><span style="color: rgba(0, 128, 0, 1)">Session指向进程所在的系统会话，实际上它是一个指向MM_SESSION_SPACE的指针。base 
 tosmmmi.h 中相关的结构体定义 
讯享网UCHAR ImageFileName[ <span style="color: rgba(128, 0, 128, 1)">16</span> ];<span style="color: rgba(0, 128, 0, 1)">//</span><span style="color: rgba(0, 128, 0, 1)">ImageFileName域包含了进程的映像文件名，仅包含最后一个路径分隔符之后的字符串，不超过16字节。</span> 
  
LIST_ENTRY JobLinks;</span><span style="color: rgba(0, 128, 0, 1)">//</span><span style="color: rgba(0, 128, 0, 1)">JobLinks域是一个双链表节点，通过此节点，一个job中的所有进程构成了一个链表。在windows中，所有的job构成了一个双链表，其链表头为全局变量PspJobList。每个job中的进程又构成了一个双链表。</span> PVOID LockedPagesList;<span style="color: rgba(0, 128, 0, 1)">//</span><span style="color: rgba(0, 128, 0, 1)">LockedPagesList域是一个指向LOCK_HEADER结构的指针，该结构包含了一个链表头，windows通过此链表来记录哪些页面已被锁住(这里所谓的锁住和Mdll中的映射机制有关，本质上就是把用户空间下的内存地址锁定到内核空间中以便访问)</span> 
  
讯享网LIST_ENTRY ThreadListHead; </span><span style="color: rgba(0, 128, 0, 1)">//</span><span style="color: rgba(0, 128, 0, 1)">ThreadListHead域是一个双链表的"头结点"，该链表中包含了一个进程中的所有"线程"。</span> 
  
PVOID SecurityPort; </span><span style="color: rgba(0, 128, 0, 1)">//</span><span style="color: rgba(0, 128, 0, 1)">SecurityPort域是一个安全端口，指向该进程域lsass.exe进程之间的跨进程通信端口。</span> PVOID PaeTop; <span style="color: rgba(0, 128, 0, 1)">//</span><span style="color: rgba(0, 128, 0, 1)">PaeTop域用于支持PAE内存访问机制。</span> 
  
讯享网ULONG ActiveThreads;</span><span style="color: rgba(0, 128, 0, 1)">//</span><span style="color: rgba(0, 128, 0, 1)">ActiveThreads域记录了当前进程有多少活动线程。当该值减为0时，所有的线程将退出，于是进程也退出。</span> 
  
ACCESS_MASK GrantedAccess;</span><span style="color: rgba(0, 128, 0, 1)">//</span><span style="color: rgba(0, 128, 0, 1)">GrantedAccess域包含了进程的访问权限，访问权限是一个"位组合"。 publicsdkinc 
 tpsapi.h 中的宏 PROCESS_XXX  
讯享网ULONG DefaultHardErrorProcessing;</span><span style="color: rgba(0, 128, 0, 1)">//</span><span style="color: rgba(0, 128, 0, 1)">DefaultHardErrorProcessing域指定了默认的硬件错误处理，默认为1</span> 
  
NTSTATUS LastThreadExitStatus; </span><span style="color: rgba(0, 128, 0, 1)">//</span><span style="color: rgba(0, 128, 0, 1)">LastThreadExitStatus域记录了刚才最后一个线程的退出状态。</span> 
  
讯享网PPEB Peb; </span><span style="color: rgba(0, 128, 0, 1)">//</span><span style="color: rgba(0, 128, 0, 1)">Peb域是一个进程的"进程环境块</span> 
  
EX_FAST_REF PrefetchTrace;</span><span style="color: rgba(0, 128, 0, 1)">//</span><span style="color: rgba(0, 128, 0, 1)">PrefetchTrace域是一个快速引用，指向与该进程关联的一个"预取痕迹结构"，以支持该进程的预取。</span> LARGE_INTEGER ReadOperationCount;<span style="color: rgba(0, 128, 0, 1)">//</span><span style="color: rgba(0, 128, 0, 1)">ReadOperationCount，WriteOperationCount记录了当前进程NtReadFile和NtWriteFile系统服务被调用的次数，OtherOperationCount记录了除读写操作以外的其他IO服务的次数(文件信息设置.)</span> 
  LARGE_INTEGER WriteOperationCount; 
讯享网LARGE_INTEGER OtherOperationCount; LARGE_INTEGER ReadTransferCount;</span><span style="color: rgba(0, 128, 0, 1)">//</span><span style="color: rgba(0, 128, 0, 1)">ReadTransferCount，WriteTransferCount记录了IO读写操作"完成"的次数，OtherTransferCount记录了除读写操作以外操作完成的次数。</span> 
  LARGE_INTEGER WriteTransferCount; 
LARGE_INTEGER OtherTransferCount; SIZE_T CommitChargeLimit; SIZE_T CommitChargePeak; PVOID AweInfo; </span><span style="color: rgba(0, 128, 0, 1)">//</span><span style="color: rgba(0, 128, 0, 1)">AweInfo域是一个指向AWEINFO结构的指针，其目的是支持AWE(Adress Windowing Extension 地址窗口扩展)</span> 
  
讯享网SE_AUDIT_PROCESS_CREATION_INFO SeAuditProcessCreationInfo;</span><span style="color: rgba(0, 128, 0, 1)">//</span><span style="color: rgba(0, 128, 0, 1)">SeAuditProcessCreationInfo域包含了创建进程时指定的进程映像全路径名</span> 
  
MMSUPPORT Vm;</span><span style="color: rgba(0, 128, 0, 1)">//</span><span style="color: rgba(0, 128, 0, 1)">Vm域是windows为每个进程管理虚拟内存的重要数据结构成员，其类型为MMSUPPORT， base 
 tosincps.h 中有相关定义  
讯享网LIST_ENTRY MmProcessLinks; </span><span style="color: rgba(0, 128, 0, 1)">//</span><span style="color: rgba(0, 128, 0, 1)">MmProcessLinks域代表一个双链表节点，所有拥有自己地址空间的进程都将加入到一个双链表中，链表头是全局变量MmProcessList</span> 
  
ULONG ModifiedPageCount; </span><span style="color: rgba(0, 128, 0, 1)">//</span><span style="color: rgba(0, 128, 0, 1)">ModifiedPageCount域记录了该进程中已修改的页面的数量，即"脏页面数量"，这和缓存的读写有关。</span> 
  
讯享网ULONG JobStatus; </span><span style="color: rgba(0, 128, 0, 1)">//</span><span style="color: rgba(0, 128, 0, 1)">49. ULONG JobStatus</span> 
  JobStatus域记录了进程所属job的状态。 
union </span><span style="color: rgba(0, 128, 0, 1)">//</span><span style="color: rgba(0, 128, 0, 1)">Flags域包含了进程的标志位，这些标志位反映了进程的当前状态和配置。 base 
 tosincps.h 中的宏定义 PS_PROCESS_FLAGS_XXX  { 
讯享网 ULONG Flags; </span><span style="color: rgba(0, 0, 255, 1)">struct</span><span style="color: rgba(0, 0, 0, 1)"> { ULONG CreateReported : </span><span style="color: rgba(128, 0, 128, 1)">1</span><span style="color: rgba(0, 0, 0, 1)">; ULONG NoDebugInherit : </span><span style="color: rgba(128, 0, 128, 1)">1</span><span style="color: rgba(0, 0, 0, 1)">; ULONG ProcessExiting : </span><span style="color: rgba(128, 0, 128, 1)">1</span><span style="color: rgba(0, 0, 0, 1)">; ULONG ProcessDelete : </span><span style="color: rgba(128, 0, 128, 1)">1</span><span style="color: rgba(0, 0, 0, 1)">; ULONG Wow64SplitPages : </span><span style="color: rgba(128, 0, 128, 1)">1</span><span style="color: rgba(0, 0, 0, 1)">; ULONG VmDeleted : </span><span style="color: rgba(128, 0, 128, 1)">1</span><span style="color: rgba(0, 0, 0, 1)">; ULONG OutswapEnabled : </span><span style="color: rgba(128, 0, 128, 1)">1</span><span style="color: rgba(0, 0, 0, 1)">; ULONG Outswapped : </span><span style="color: rgba(128, 0, 128, 1)">1</span><span style="color: rgba(0, 0, 0, 1)">; ULONG ForkFailed : </span><span style="color: rgba(128, 0, 128, 1)">1</span><span style="color: rgba(0, 0, 0, 1)">; ULONG Wow64VaSpace4Gb : </span><span style="color: rgba(128, 0, 128, 1)">1</span><span style="color: rgba(0, 0, 0, 1)">; ULONG AddressSpaceInitialized : </span><span style="color: rgba(128, 0, 128, 1)">2</span><span style="color: rgba(0, 0, 0, 1)">; ULONG SetTimerResolution : </span><span style="color: rgba(128, 0, 128, 1)">1</span><span style="color: rgba(0, 0, 0, 1)">; ULONG BreakOnTermination : </span><span style="color: rgba(128, 0, 128, 1)">1</span><span style="color: rgba(0, 0, 0, 1)">; ULONG SessionCreationUnderway : </span><span style="color: rgba(128, 0, 128, 1)">1</span><span style="color: rgba(0, 0, 0, 1)">; ULONG WriteWatch : </span><span style="color: rgba(128, 0, 128, 1)">1</span><span style="color: rgba(0, 0, 0, 1)">; ULONG ProcessInSession : </span><span style="color: rgba(128, 0, 128, 1)">1</span><span style="color: rgba(0, 0, 0, 1)">; ULONG OverrideAddressSpace : </span><span style="color: rgba(128, 0, 128, 1)">1</span><span style="color: rgba(0, 0, 0, 1)">; ULONG HasAddressSpace : </span><span style="color: rgba(128, 0, 128, 1)">1</span><span style="color: rgba(0, 0, 0, 1)">; ULONG LaunchPrefetched : </span><span style="color: rgba(128, 0, 128, 1)">1</span><span style="color: rgba(0, 0, 0, 1)">; ULONG InjectInpageErrors : </span><span style="color: rgba(128, 0, 128, 1)">1</span><span style="color: rgba(0, 0, 0, 1)">; ULONG VmTopDown : </span><span style="color: rgba(128, 0, 128, 1)">1</span><span style="color: rgba(0, 0, 0, 1)">; ULONG ImageNotifyDone : </span><span style="color: rgba(128, 0, 128, 1)">1</span><span style="color: rgba(0, 0, 0, 1)">; ULONG PdeUpdateNeeded : </span><span style="color: rgba(128, 0, 128, 1)">1</span>; <span style="color: rgba(0, 128, 0, 1)">//</span><span style="color: rgba(0, 128, 0, 1)"> NT32 only</span> ULONG VdmAllowed : <span style="color: rgba(128, 0, 128, 1)">1</span><span style="color: rgba(0, 0, 0, 1)">; ULONG SmapAllowed : </span><span style="color: rgba(128, 0, 128, 1)">1</span><span style="color: rgba(0, 0, 0, 1)">; ULONG CreateFailed : </span><span style="color: rgba(128, 0, 128, 1)">1</span><span style="color: rgba(0, 0, 0, 1)">; ULONG DefaultIoPriority : </span><span style="color: rgba(128, 0, 128, 1)">3</span><span style="color: rgba(0, 0, 0, 1)">; ULONG Spare1 : </span><span style="color: rgba(128, 0, 128, 1)">1</span><span style="color: rgba(0, 0, 0, 1)">; ULONG Spare2 : </span><span style="color: rgba(128, 0, 128, 1)">1</span><span style="color: rgba(0, 0, 0, 1)">; }; }; NTSTATUS ExitStatus;</span><span style="color: rgba(0, 128, 0, 1)">//</span><span style="color: rgba(0, 128, 0, 1)">ExitStatus域包含了进程的退出状态，从进程的退出状态通常可以获知进程非正常退出的大致原因。反映退出状态的一些宏定义位于 publicsdkinc 
 tstatus.h  
USHORT NextPageColor;</span><span style="color: rgba(0, 128, 0, 1)">//</span><span style="color: rgba(0, 128, 0, 1)">NextPageColor域用于物理页面分配算法。</span> 
  union 
讯享网{ </span><span style="color: rgba(0, 0, 255, 1)">struct</span><span style="color: rgba(0, 0, 0, 1)"> { UCHAR SubSystemMinorVersion; UCHAR SubSystemMajorVersion; }; USHORT SubSystemVersion; }; UCHAR PriorityClass;</span><span style="color: rgba(0, 128, 0, 1)">//</span><span style="color: rgba(0, 128, 0, 1)">PriorityClass域是一个单字节值，它说明了一个进程的优先级程度</span> 
  
MM_AVL_TABLE VadRoot;</span><span style="color: rgba(0, 128, 0, 1)">//</span><span style="color: rgba(0, 128, 0, 1)">VadRoot域指向一个平衡二叉树的根，用于管理该进程的虚拟地址空间。</span> 
  
讯享网ULONG Cookie;</span><span style="color: rgba(0, 128, 0, 1)">//</span><span style="color: rgba(0, 128, 0, 1)">Cookie域存放的是一个代表该进程的随机值，当第一次通过NtQueryInformationProcess函数获取此Cookie值的时候，系统会生成一个随机值，以后就用此值代表此进程</span> 
  } EPROCESS, *PEPROCESS;