Umut Tosun

I love low-level stuff and cyber security

EPROCESS Structure

22 Aug 2017 » Operating System, Reverse Engineering

Every Windows process is represented by an executive process block (EPROCESS). This block holds a great deal of information about the process, along with pointers to related structures such as the ETHREAD, PEB and Pcb (KPROCESS) structures.

In WinDbg, start kernel debugging with Win+K (or click File and then Kernel Debug). To display the EPROCESS structure, type "dt nt!_eprocess".

+0x000 Pcb              : _KPROCESS
+0x2d8 ProcessLock      : _EX_PUSH_LOCK
+0x2e0 RundownProtect   : _EX_RUNDOWN_REF
+0x2e8 UniqueProcessId  : Ptr64 Void
+0x2f0 ActiveProcessLinks : _LIST_ENTRY
+0x300 Flags2           : Uint4B
+0x300 JobNotReallyActive : Pos 0, 1 Bit
+0x300 AccountingFolded : Pos 1, 1 Bit
+0x300 NewProcessReported : Pos 2, 1 Bit
+0x300 ExitProcessReported : Pos 3, 1 Bit
+0x300 ReportCommitChanges : Pos 4, 1 Bit
+0x300 LastReportMemory : Pos 5, 1 Bit
+0x300 ForceWakeCharge  : Pos 6, 1 Bit
+0x300 CrossSessionCreate : Pos 7, 1 Bit
+0x300 NeedsHandleRundown : Pos 8, 1 Bit
+0x300 RefTraceEnabled  : Pos 9, 1 Bit
+0x300 DisableDynamicCode : Pos 10, 1 Bit
+0x300 EmptyJobEvaluated : Pos 11, 1 Bit
+0x300 DefaultPagePriority : Pos 12, 3 Bits
+0x300 PrimaryTokenFrozen : Pos 15, 1 Bit
+0x300 ProcessVerifierTarget : Pos 16, 1 Bit
+0x300 StackRandomizationDisabled : Pos 17, 1 Bit
+0x300 AffinityPermanent : Pos 18, 1 Bit
+0x300 AffinityUpdateEnable : Pos 19, 1 Bit
+0x300 PropagateNode    : Pos 20, 1 Bit
+0x300 ExplicitAffinity : Pos 21, 1 Bit
+0x300 ProcessExecutionState : Pos 22, 2 Bits
+0x300 DisallowStrippedImages : Pos 24, 1 Bit
+0x300 HighEntropyASLREnabled : Pos 25, 1 Bit
+0x300 ExtensionPointDisable : Pos 26, 1 Bit
+0x300 ForceRelocateImages : Pos 27, 1 Bit
+0x300 ProcessStateChangeRequest : Pos 28, 2 Bits
+0x300 ProcessStateChangeInProgress : Pos 30, 1 Bit
+0x300 DisallowWin32kSystemCalls : Pos 31, 1 Bit
+0x304 Flags            : Uint4B
+0x304 CreateReported   : Pos 0, 1 Bit
+0x304 NoDebugInherit   : Pos 1, 1 Bit
+0x304 ProcessExiting   : Pos 2, 1 Bit
+0x304 ProcessDelete    : Pos 3, 1 Bit
+0x304 ControlFlowGuardEnabled : Pos 4, 1 Bit
+0x304 VmDeleted        : Pos 5, 1 Bit
+0x304 OutswapEnabled   : Pos 6, 1 Bit
+0x304 Outswapped       : Pos 7, 1 Bit
+0x304 FailFastOnCommitFail : Pos 8, 1 Bit
+0x304 Wow64VaSpace4Gb  : Pos 9, 1 Bit
+0x304 AddressSpaceInitialized : Pos 10, 2 Bits
+0x304 SetTimerResolution : Pos 12, 1 Bit
+0x304 BreakOnTermination : Pos 13, 1 Bit
+0x304 DeprioritizeViews : Pos 14, 1 Bit
+0x304 WriteWatch       : Pos 15, 1 Bit
+0x304 ProcessInSession : Pos 16, 1 Bit
+0x304 OverrideAddressSpace : Pos 17, 1 Bit
+0x304 HasAddressSpace  : Pos 18, 1 Bit
+0x304 LaunchPrefetched : Pos 19, 1 Bit
+0x304 Background       : Pos 20, 1 Bit
+0x304 VmTopDown        : Pos 21, 1 Bit
+0x304 ImageNotifyDone  : Pos 22, 1 Bit
+0x304 PdeUpdateNeeded  : Pos 23, 1 Bit
+0x304 VdmAllowed       : Pos 24, 1 Bit
+0x304 ProcessRundown   : Pos 25, 1 Bit
+0x304 ProcessInserted  : Pos 26, 1 Bit
+0x304 DefaultIoPriority : Pos 27, 3 Bits
+0x304 ProcessSelfDelete : Pos 30, 1 Bit
+0x304 SetTimerResolutionLink : Pos 31, 1 Bit
+0x308 CreateTime       : _LARGE_INTEGER
+0x310 ProcessQuotaUsage : [2] Uint8B
+0x320 ProcessQuotaPeak : [2] Uint8B
+0x330 PeakVirtualSize  : Uint8B
+0x338 VirtualSize      : Uint8B
+0x340 SessionProcessLinks : _LIST_ENTRY
+0x350 ExceptionPortData : Ptr64 Void
+0x350 ExceptionPortValue : Uint8B
+0x350 ExceptionPortState : Pos 0, 3 Bits
+0x358 Token            : _EX_FAST_REF
+0x360 WorkingSetPage   : Uint8B
+0x368 AddressCreationLock : _EX_PUSH_LOCK
+0x370 PageTableCommitmentLock : _EX_PUSH_LOCK
+0x378 RotateInProgress : Ptr64 _ETHREAD
+0x380 ForkInProgress   : Ptr64 _ETHREAD
+0x388 CommitChargeJob  : Ptr64 _EJOB
+0x390 CloneRoot        : _RTL_AVL_TREE
+0x398 NumberOfPrivatePages : Uint8B
+0x3a0 NumberOfLockedPages : Uint8B
+0x3a8 Win32Process     : Ptr64 Void
+0x3b0 Job              : Ptr64 _EJOB
+0x3b8 SectionObject    : Ptr64 Void
+0x3c0 SectionBaseAddress : Ptr64 Void
+0x3c8 Cookie           : Uint4B
+0x3d0 WorkingSetWatch  : Ptr64 _PAGEFAULT_HISTORY
+0x3d8 Win32WindowStation : Ptr64 Void
+0x3e0 InheritedFromUniqueProcessId : Ptr64 Void
+0x3e8 LdtInformation   : Ptr64 Void
+0x3f0 OwnerProcessId   : Uint8B
+0x3f8 Peb              : Ptr64 _PEB
+0x400 Session          : Ptr64 Void
+0x408 AweInfo          : Ptr64 Void
+0x410 QuotaBlock       : Ptr64 _EPROCESS_QUOTA_BLOCK
+0x418 ObjectTable      : Ptr64 _HANDLE_TABLE
+0x420 DebugPort        : Ptr64 Void
+0x428 WoW64Process     : Ptr64 _EWOW64PROCESS
+0x430 DeviceMap        : Ptr64 Void
+0x438 EtwDataSource    : Ptr64 Void
+0x440 PageDirectoryPte : Uint8B
+0x448 ImageFilePointer : Ptr64 _FILE_OBJECT
+0x450 ImageFileName    : [15] UChar
+0x45f PriorityClass    : UChar
+0x460 SecurityPort     : Ptr64 Void
+0x468 SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO
+0x470 JobLinks         : _LIST_ENTRY
+0x480 HighestUserAddress : Ptr64 Void
+0x488 ThreadListHead   : _LIST_ENTRY
+0x498 ActiveThreads    : Uint4B
+0x49c ImagePathHash    : Uint4B
+0x4a0 DefaultHardErrorProcessing : Uint4B
+0x4a4 LastThreadExitStatus : Int4B
+0x4a8 PrefetchTrace    : _EX_FAST_REF
+0x4b0 LockedPagesList  : Ptr64 Void
+0x4b8 ReadOperationCount : _LARGE_INTEGER
+0x4c0 WriteOperationCount : _LARGE_INTEGER
+0x4c8 OtherOperationCount : _LARGE_INTEGER
+0x4d0 ReadTransferCount : _LARGE_INTEGER
+0x4d8 WriteTransferCount : _LARGE_INTEGER
+0x4e0 OtherTransferCount : _LARGE_INTEGER
+0x4e8 CommitChargeLimit : Uint8B
+0x4f0 CommitCharge     : Uint8B
+0x4f8 CommitChargePeak : Uint8B
+0x500 Vm               : _MMSUPPORT
+0x5f8 MmProcessLinks   : _LIST_ENTRY
+0x608 ModifiedPageCount : Uint4B
+0x60c ExitStatus       : Int4B
+0x610 VadRoot          : _RTL_AVL_TREE
+0x618 VadHint          : Ptr64 Void
+0x620 VadCount         : Uint8B
+0x628 VadPhysicalPages : Uint8B
+0x630 VadPhysicalPagesLimit : Uint8B
+0x638 AlpcContext      : _ALPC_PROCESS_CONTEXT
+0x658 TimerResolutionLink : _LIST_ENTRY
+0x668 TimerResolutionStackRecord : Ptr64 _PO_DIAG_STACK_RECORD
+0x670 RequestedTimerResolution : Uint4B
+0x674 SmallestTimerResolution : Uint4B
+0x678 ExitTime         : _LARGE_INTEGER
+0x680 InvertedFunctionTable : Ptr64 _INVERTED_FUNCTION_TABLE
+0x688 InvertedFunctionTableLock : _EX_PUSH_LOCK
+0x690 ActiveThreadsHighWatermark : Uint4B
+0x694 LargePrivateVadCount : Uint4B
+0x698 ThreadListLock   : _EX_PUSH_LOCK
+0x6a0 WnfContext       : Ptr64 Void
+0x6a8 Spare0           : Uint8B
+0x6b0 SignatureLevel   : UChar
+0x6b1 SectionSignatureLevel : UChar
+0x6b2 Protection       : _PS_PROTECTION
+0x6b3 HangCount        : UChar
+0x6b4 Flags3           : Uint4B
+0x6b4 Minimal          : Pos 0, 1 Bit
+0x6b4 ReplacingPageRoot : Pos 1, 1 Bit
+0x6b4 DisableNonSystemFonts : Pos 2, 1 Bit
+0x6b4 AuditNonSystemFontLoading : Pos 3, 1 Bit
+0x6b4 Crashed          : Pos 4, 1 Bit
+0x6b4 JobVadsAreTracked : Pos 5, 1 Bit
+0x6b4 VadTrackingDisabled : Pos 6, 1 Bit
+0x6b4 AuxiliaryProcess : Pos 7, 1 Bit
+0x6b4 SubsystemProcess : Pos 8, 1 Bit
+0x6b4 IndirectCpuSets  : Pos 9, 1 Bit
+0x6b4 InPrivate        : Pos 10, 1 Bit
+0x6b4 ProhibitRemoteImageMap : Pos 11, 1 Bit
+0x6b4 ProhibitLowILImageMap : Pos 12, 1 Bit
+0x6b4 SignatureMitigationOptIn : Pos 13, 1 Bit
+0x6b8 DeviceAsid       : Int4B
+0x6c0 SvmData          : Ptr64 Void
+0x6c8 SvmProcessLock   : _EX_PUSH_LOCK
+0x6d0 SvmLock          : Uint8B
+0x6d8 SvmProcessDeviceListHead : _LIST_ENTRY
+0x6e8 LastFreezeInterruptTime : Uint8B
+0x6f0 DiskCounters     : Ptr64 _PROCESS_DISK_COUNTERS
+0x6f8 PicoContext      : Ptr64 Void
+0x700 TrustletIdentity : Uint8B
+0x708 KeepAliveCounter : Uint4B
+0x70c NoWakeKeepAliveCounter : Uint4B
+0x710 HighPriorityFaultsAllowed : Uint4B
+0x718 EnergyValues     : Ptr64 _PROCESS_ENERGY_VALUES
+0x720 VmContext        : Ptr64 Void
+0x728 SequenceNumber   : Uint8B
+0x730 CreateInterruptTime : Uint8B
+0x738 CreateUnbiasedInterruptTime : Uint8B
+0x740 TotalUnbiasedFrozenTime : Uint8B
+0x748 LastAppStateUpdateTime : Uint8B
+0x750 LastAppStateUptime : Pos 0, 61 Bits
+0x750 LastAppState     : Pos 61, 3 Bits
+0x758 SharedCommitCharge : Uint8B
+0x760 SharedCommitLock : _EX_PUSH_LOCK
+0x768 SharedCommitLinks : _LIST_ENTRY
+0x778 AllowedCpuSets   : Uint8B
+0x780 DefaultCpuSets   : Uint8B
+0x778 AllowedCpuSetsIndirect : Ptr64 Uint8B
+0x780 DefaultCpuSetsIndirect : Ptr64 Uint8B

As you can see, there are a lot of entries, and some of them are just pointers to other related structures.

If you want to see the EPROCESS structure of a specific process, type "dt nt!_eprocess AddressOfProcess", where AddressOfProcess is the kernel address of that process's EPROCESS block.

You can get the addresses of all running processes by typing "!process 0 0". Then pass the address of the process whose EPROCESS you want to inspect to the dt command above.

[Screenshot: output of "!process 0 0" listing the running processes and their EPROCESS addresses]

As you can see, we now have all the process addresses, so we can dump the EPROCESS structure of any one of them.

[Screenshot: "dt nt!_eprocess" output for the selected process address]
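What "!process 0 0" does under the hood is walk the ActiveProcessLinks list that threads every EPROCESS together, and the same walk is how memory-forensics tools rebuild a process list from a raw dump. The following is an added example, not code from the post: it parses a constructed excerpt of the dt output above to obtain the field offsets (which differ between Windows builds, so they are never hardcoded), then decodes a constructed, EPROCESS-shaped memory region and follows the list using the CONTAINING_RECORD arithmetic; the base address, process sizes and names are invented sample values.

```python
import re
import struct
# Constructed excerpt of the post's dt output; offsets are build-specific, so re-parse for the target build.
DT_OUTPUT = """
+0x2e8 UniqueProcessId  : Ptr64 Void
+0x2f0 ActiveProcessLinks : _LIST_ENTRY
+0x3e0 InheritedFromUniqueProcessId : Ptr64 Void
+0x450 ImageFileName    : [15] UChar
"""
FIELD_RE = re.compile(r"^\+0x([0-9a-f]+)\s+(\w+)\s+:\s+(.*)$")

def parse_dt(text):
    """Map field name -> byte offset; bitfield rows ('Pos n, m Bits') are skipped."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m and not m.group(3).startswith("Pos "):
            fields[m.group(2)] = int(m.group(1), 16)
    return fields

def build_fake_eprocess(fields, size, pid, ppid, name, flink, blink):
    """Constructed EPROCESS-shaped blob with only the decoded fields populated."""
    buf = bytearray(size)
    struct.pack_into("<Q", buf, fields["UniqueProcessId"], pid)
    struct.pack_into("<Q", buf, fields["InheritedFromUniqueProcessId"], ppid)
    struct.pack_into("<QQ", buf, fields["ActiveProcessLinks"], flink, blink)
    buf[fields["ImageFileName"]:fields["ImageFileName"] + len(name)] = name
    return bytes(buf)

def read_process(blob, blob_base, eproc, fields):
    """Decode PID, parent PID, image name and the address of the next EPROCESS."""
    off = eproc - blob_base
    pid, = struct.unpack_from("<Q", blob, off + fields["UniqueProcessId"])
    ppid, = struct.unpack_from("<Q", blob, off + fields["InheritedFromUniqueProcessId"])
    flink, = struct.unpack_from("<Q", blob, off + fields["ActiveProcessLinks"])
    raw, = struct.unpack_from("15s", blob, off + fields["ImageFileName"])
    name = raw.split(b"\0", 1)[0].decode("ascii", "replace")
    # CONTAINING_RECORD: Flink points at the next block's ActiveProcessLinks, not its start.
    return pid, ppid, name, flink - fields["ActiveProcessLinks"]

def walk_active_process_list(blob, blob_base, start, fields, limit=64):
    """Follow ActiveProcessLinks.Flink until the list wraps or leaves the captured region."""
    procs, cur = [], start
    while len(procs) < limit:
        pid, ppid, name, nxt = read_process(blob, blob_base, cur, fields)
        procs.append((cur, pid, ppid, name))
        if nxt == start or not blob_base <= nxt < blob_base + len(blob):
            break
        cur = nxt
    return procs
```

On a live system the list head is PsActiveProcessHead rather than an EPROCESS, so a real walker stops when Flink returns to that head; the bounds check and the limit keep the loop finite when a link is corrupt or points outside the captured region.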