Question

There is a Flink and Blink (Forward Link and Backward Link) for a double-linked list of processes. There is a process identifier. All of this is packed in a struct that is referred to as PEPROCESS or _KPROCESS. But where are those and what are the other elements in this structure?

Or, if the answer is neither short nor simple, where can one find references if not in the documentation or header files? (Which is the place I looked and probably overlooked something.)


Solution

EPROCESS reference

The EPROCESS structure is an opaque structure that serves as the process object for a process.

Some routines, such as PsGetProcessCreateTimeQuadPart, use EPROCESS to identify the process to operate on. Drivers can use the PsGetCurrentProcess routine to obtain a pointer to the process object for the current process and can use the ObReferenceObjectByHandle routine to obtain a pointer to the process object that is associated with the specified handle. The PsInitialSystemProcess global variable points to the process object for the system process.

Note that a process object is an Object Manager object. Drivers should use Object Manager routines such as ObReferenceObject and ObDereferenceObject to maintain the object’s reference count.

This means that you shouldn't care about what the members of the process structure are. Nevertheless there are sources which detail the layout of the process structure.

This book has a more detailed description of what the individual members are.

OTHER TIPS

The EPROCESS structure is documented in the windows debugging symbols.

While connected to a kernel with windbg, assuming you have the debugging symbols properly set up, issuing the command "dt nt!_EPROCESS" should give you the layout for the EPROCESS struct specific to the version of the kernel you are attached to.

The EPROCESS structure is especially opaque and can only be found per build, by examining the data types exported by that build's debugging symbols.

So you could do the following:

  1. Download volatility here
  2. Run volatility on one of their sample memory dumps or your own dump if you'd want to.
  3. Using the volshell.py plug-in, run

    dt('_EPROCESS')

This would produce an output of the structure of EPROCESS and various other structures in the Windows kernel

or you could just see the structure contents here

This also might prove useful
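The two answers above both come down to the same workflow: pull the per-build member offsets out of the debugging symbols (windbg's "dt nt!_EPROCESS" or volshell's dt('_EPROCESS')), then use those offsets to read EPROCESS records out of memory and follow ActiveProcessLinks, which is exactly how a pslist-style plugin walks the process list the question asks about. The following is an added example, not code from any of the answers or from Volatility. The dt output is constructed, its offsets are illustrative values for a hypothetical 64-bit build (they are not those of any particular kernel), and the record size, base address and the three processes in the fake memory image are all made up for the demonstration.

```python
import re
import struct

# Constructed sample of windbg "dt nt!_EPROCESS" output. The offsets are
# illustrative values for a hypothetical 64-bit build, not taken from any real
# kernel; real offsets differ between builds, which is why they must be read
# from that build's symbols rather than hard-coded.
DT_OUTPUT = """\
nt!_EPROCESS
   +0x000 Pcb              : _KPROCESS
   +0x438 ProcessLock      : _EX_PUSH_LOCK
   +0x440 UniqueProcessId  : Ptr64 Void
   +0x448 ActiveProcessLinks : _LIST_ENTRY
   +0x5a8 ImageFileName    : [15] UChar
"""

# One "   +0x448 ActiveProcessLinks : _LIST_ENTRY" line of dt output.
MEMBER_RE = re.compile(r"^\s*\+0x([0-9a-fA-F]+)\s+(\w+)\s*:\s*(.+?)\s*$")

EPROCESS_SIZE = 0x600              # assumed size of one record in the fake image
IMAGE_BASE = 0xFFFFA000_0000_0000  # assumed kernel VA of the first fake record


def parse_dt(text):
    """Return {member_name: (offset, type_string)} parsed from dt output."""
    layout = {}
    for line in text.splitlines():
        m = MEMBER_RE.match(line)
        if m:
            layout[m.group(2)] = (int(m.group(1), 16), m.group(3))
    return layout


def build_image(layout, procs):
    """Lay out fake EPROCESS records in a bytearray and link them into a
    circular ActiveProcessLinks list. procs is [(pid, image_name), ...]."""
    pid_off = layout["UniqueProcessId"][0]
    links_off = layout["ActiveProcessLinks"][0]
    name_off = layout["ImageFileName"][0]
    n = len(procs)
    buf = bytearray(EPROCESS_SIZE * n)
    for i, (pid, name) in enumerate(procs):
        base = i * EPROCESS_SIZE
        struct.pack_into("<Q", buf, base + pid_off, pid)
        buf[base + name_off:base + name_off + 15] = name.encode()[:15].ljust(15, b"\0")
        # Flink/Blink point at the neighbours' ActiveProcessLinks *field*, not
        # at the start of the neighbouring EPROCESS; the walker has to subtract
        # the field offset again (the CONTAINING_RECORD idiom).
        flink = IMAGE_BASE + ((i + 1) % n) * EPROCESS_SIZE + links_off
        blink = IMAGE_BASE + ((i - 1) % n) * EPROCESS_SIZE + links_off
        struct.pack_into("<QQ", buf, base + links_off, flink, blink)
    return buf


def walk_active_process_list(buf, layout, head_va):
    """Follow ActiveProcessLinks.Flink from the EPROCESS at head_va (in a live
    kernel that would be the value of PsInitialSystemProcess) until the list
    wraps around. Returns [(va, pid, name), ...] and raises if a hop's Blink
    does not point back at the entry we came from."""
    pid_off = layout["UniqueProcessId"][0]
    links_off = layout["ActiveProcessLinks"][0]
    name_off = layout["ImageFileName"][0]

    def read_q(va):
        return struct.unpack_from("<Q", buf, va - IMAGE_BASE)[0]

    out = []
    cur = head_va
    while True:
        off = cur - IMAGE_BASE
        pid = read_q(cur + pid_off)
        raw = bytes(buf[off + name_off:off + name_off + 15])
        out.append((cur, pid, raw.split(b"\0", 1)[0].decode()))
        flink = read_q(cur + links_off)      # VA of the next entry's LIST_ENTRY
        nxt = flink - links_off              # CONTAINING_RECORD(flink, _EPROCESS, ActiveProcessLinks)
        if read_q(nxt + links_off + 8) != cur + links_off:   # next.Blink must point back at us
            raise ValueError(f"Blink of EPROCESS at {nxt:#x} does not point back to {cur:#x}")
        if nxt == head_va:
            return out
        cur = nxt


def demo():
    """Parse the constructed dt output, build a three-process image, walk it."""
    layout = parse_dt(DT_OUTPUT)
    procs = [(4, "System"), (640, "smss.exe"), (1200, "explorer.exe")]
    return walk_active_process_list(build_image(layout, procs), layout, IMAGE_BASE)


if __name__ == "__main__":
    for va, pid, name in demo():
        print(f"{va:#018x}  pid={pid:<6} {name}")
```

The Blink check on each hop is the cheap consistency test a walker can make: in an intact list the next entry's Blink always points back at the LIST_ENTRY you just left, so a mismatch means the list was modified or the offsets are wrong for this build. Against a real dump you would replace DT_OUTPUT with the output of dt nt!_EPROCESS for the kernel that produced the dump, and replace read_q with a reader that translates virtual addresses through the dump's page tables.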

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow