Hello,

I'm looking for an .inc file that contains a valid EPROCESS struct and perhaps KTHREAD etc. I have a C header that describes this stuff, but a full-fledged .inc would be a nice thing to have.
Posted on 2001-12-02 01:47:10 by jmp $FCE2
Post the C header.... ??? I have no clue what you're getting at..

NaN
Posted on 2001-12-02 18:11:27 by NaN
This is the EPROCESS structure, an NT / W2K / XP internal, undocumented process structure. Apparently it refers to tons of other definitions like KEVENT, PEB, KPROCESS and so on. It's taken from a C header file describing all this stuff and more, but I'm hesitant to convert it by hand, and alas H2INC doesn't work, of course.

// =================================================================
// EXECUTIVE PROCESSES AND THREADS
// =================================================================

/*
 * Executive process object (EPROCESS) as published in the undocumented header
 * this post is quoting.  The hex comment at the start of each line is that
 * field's byte offset from the beginning of the structure; the closing brace
 * is tagged with the total size (0x288).  The nested types (KPROCESS, KEVENT,
 * MMSUPPORT, FAST_MUTEX, HANDLE_TABLE, QUOTA_BLOCK, IO_COUNTERS, PEB,
 * WIN32_PROCESS) come from the same header and must have matching sizes for
 * the offsets below to hold.
 *
 * NOTE(review): this layout is specific to the kernel build the header was
 * derived from.  A later post in this thread reports ActiveProcessLinks at a
 * different offset on XP, so code that reaches into these fields by hard-coded
 * offset has to be re-verified per OS version rather than assumed stable.
 *
 * The dXXX members look like placeholders named after their offset for slots
 * whose meaning was not identified -- inferred from the naming only.
 */
typedef struct _EPROCESS
{
/*000*/ KPROCESS Pcb;                      /* kernel-layer block is the first member, so an EPROCESS* also addresses a KPROCESS */
/*06C*/ NTSTATUS ExitStatus;
/*070*/ KEVENT LockEvent;
/*080*/ DWORD LockCount;
/*084*/ DWORD d084;
/*088*/ LARGE_INTEGER CreateTime;          /* 8 bytes each: offsets advance by 8 here, at ExitTime and at VirtualSize */
/*090*/ LARGE_INTEGER ExitTime;
/*098*/ PVOID LockOwner;
/*09C*/ DWORD UniqueProcessId;
/*0A0*/ LIST_ENTRY ActiveProcessLinks;     /* 0xA0 in this build; reported elsewhere in the thread to differ on XP */
/*0A8*/ DWORD QuotaPeakPoolUsage [2]; // NP, P  -- presumably [0] non-paged, [1] paged pool
/*0B0*/ DWORD QuotaPoolUsage [2]; // NP, P  -- same indexing as above
/*0B8*/ DWORD PagefileUsage;
/*0BC*/ DWORD CommitCharge;
/*0C0*/ DWORD PeakPagefileUsage;
/*0C4*/ DWORD PeakVirtualSize;
/*0C8*/ LARGE_INTEGER VirtualSize;
/*0D0*/ MMSUPPORT Vm;                      /* 0x30 bytes: next field is at 0x100 */
/*100*/ DWORD d100;
/*104*/ DWORD d104;
/*108*/ DWORD d108;
/*10C*/ DWORD d10C;
/*110*/ DWORD d110;
/*114*/ DWORD d114;
/*118*/ DWORD d118;
/*11C*/ DWORD d11C;
/*120*/ PVOID DebugPort;
/*124*/ PVOID ExceptionPort;
/*128*/ PHANDLE_TABLE ObjectTable;
/*12C*/ PVOID Token;
/*130*/ FAST_MUTEX WorkingSetLock;         /* 0x20 bytes: next field is at 0x150 */
/*150*/ DWORD WorkingSetPage;
/*154*/ BOOLEAN ProcessOutswapEnabled;     /* four single-byte flags packed into 0x154..0x157 */
/*155*/ BOOLEAN ProcessOutswapped;
/*156*/ BOOLEAN AddressSpaceInitialized;
/*157*/ BOOLEAN AddressSpaceDeleted;
/*158*/ FAST_MUTEX AddressCreationLock;    /* 0x20 bytes: next field is at 0x178 */
/*178*/ KSPIN_LOCK HyperSpaceLock;
/*17C*/ DWORD ForkInProgress;
/*180*/ WORD VmOperation;
/*182*/ BOOLEAN ForkWasSuccessful;
/*183*/ BYTE MmAgressiveWsTrimMask;
/*184*/ DWORD VmOperationEvent;
/*188*/ HARDWARE_PTE PageDirectoryPte;
/*18C*/ DWORD LastFaultCount;
/*190*/ DWORD ModifiedPageCount;
/*194*/ PVOID VadRoot;
/*198*/ PVOID VadHint;
/*19C*/ PVOID CloneRoot;
/*1A0*/ DWORD NumberOfPrivatePages;
/*1A4*/ DWORD NumberOfLockedPages;
/*1A8*/ WORD NextPageColor;
/*1AA*/ BOOLEAN ExitProcessCalled;
/*1AB*/ BOOLEAN CreateProcessReported;
/*1AC*/ HANDLE SectionHandle;
/*1B0*/ struct _PEB *Peb;
/*1B4*/ PVOID SectionBaseAddress;
/*1B8*/ PQUOTA_BLOCK QuotaBlock;
/*1BC*/ NTSTATUS LastThreadExitStatus;
/*1C0*/ DWORD WorkingSetWatch;
/*1C4*/ HANDLE Win32WindowStation;
/*1C8*/ DWORD InheritedFromUniqueProcessId;
/*1CC*/ ACCESS_MASK GrantedAccess;
/*1D0*/ DWORD DefaultHardErrorProcessing; // HEM_*  (value set not shown in this header)
/*1D4*/ DWORD LdtInformation;
/*1D8*/ PVOID VadFreeHint;
/*1DC*/ DWORD VdmObjects;
/*1E0*/ PVOID DeviceMap; // 0x24 bytes
/*1E4*/ DWORD SessionId;
/*1E8*/ DWORD d1E8;
/*1EC*/ DWORD d1EC;
/*1F0*/ DWORD d1F0;
/*1F4*/ DWORD d1F4;
/*1F8*/ DWORD d1F8;
/*1FC*/ BYTE ImageFileName [16];           /* fixed 16-byte field: treat as a bounded buffer, not a guaranteed NUL-terminated C string */
/*20C*/ DWORD VmTrimFaultValue;
/*210*/ BYTE SetTimerResolution;
/*211*/ BYTE PriorityClass;
/*212*/ union                              /* two views of the same 2 bytes: minor/major as BYTEs or the pair as one WORD.
                                              Anonymous struct/union members are a Microsoft extension (standard only since C11). */
{
struct
{
/*212*/ BYTE SubSystemMinorVersion;
/*213*/ BYTE SubSystemMajorVersion;
};
struct
{
/*212*/ WORD SubSystemVersion;
};
};
/*214*/ struct _WIN32_PROCESS *Win32Process;
/*218*/ DWORD d218;
/*21C*/ DWORD d21C;
/*220*/ DWORD d220;
/*224*/ DWORD d224;
/*228*/ DWORD d228;
/*22C*/ DWORD d22C;
/*230*/ PVOID Wow64;
/*234*/ DWORD d234;
/*238*/ IO_COUNTERS IoCounters;            /* 0x30 bytes: next field is at 0x268 */
/*268*/ DWORD d268;
/*26C*/ DWORD d26C;
/*270*/ DWORD d270;
/*274*/ DWORD d274;
/*278*/ DWORD d278;
/*27C*/ DWORD d27C;
/*280*/ DWORD d280;
/*284*/ DWORD d284;
/*288*/ }                                  /* total size 0x288 */
EPROCESS,
* PEPROCESS,
**PPEPROCESS;

/* Size of the EPROCESS structure in bytes, as a constant usable in expressions. */
#define EPROCESS_ sizeof (EPROCESS)
Posted on 2001-12-02 20:38:04 by jmp $FCE2
When you're done, are ya gonna donate it to MASM32 7.1 :grin: :grin: :grin:
Posted on 2001-12-03 00:38:20 by S/390
Well, it's not finished, and I don't have NT, but it took me about 5 min to fix up with UltraEdit's macro features...

; ==================================================

; EXECUTIVE PROCESSES AND THREADS
; ==================================================

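; Executive process object for the W2K-era layout quoted in the C header
; above.  MASM struct members are written "name type initializer", so the
; fields have been flipped from the C "type name;" order; the hex value in
; each trailing comment is the byte offset taken from that header.  The
; struct uses MASM's default alignment of 1, so no implicit padding is
; inserted and the offsets line up exactly as written.
;
; Types marked MUST VERIFY are nested structures (KPROCESS, KEVENT,
; LIST_ENTRY, MMSUPPORT, FAST_MUTEX, IO_COUNTERS) plus LARGE_INTEGER that
; must be defined, with matching sizes, before this will assemble.  Pointer
; members were flattened to DWORD by hand ("hand modified"); they hold the
; same 32-bit value the C header's typed pointers would.
;
; These offsets are build specific -- a later post in this thread reports
; ActiveProcessLinks at a different offset on XP -- so re-verify them for
; the target OS before dereferencing anything through this struct.
EPROCESS struct
    Pcb                             KPROCESS <>          ; 000h  MUST VERIFY
    ExitStatus                      NTSTATUS ?           ; 06Ch  MUST VERIFY -- assumes NTSTATUS is a DWORD-sized typedef, not a struct
    LockEvent                       KEVENT <>            ; 070h  MUST VERIFY
    LockCount                       DWORD ?              ; 080h
    d084                            DWORD ?              ; 084h
    CreateTime                      LARGE_INTEGER <>     ; 088h  8 bytes; LARGE_INTEGER struct must be defined
    ExitTime                        LARGE_INTEGER <>     ; 090h  8 bytes; LARGE_INTEGER struct must be defined
    LockOwner                       DWORD ?              ; 098h  PVOID in the C header
    UniqueProcessId                 DWORD ?              ; 09Ch
    ActiveProcessLinks              LIST_ENTRY <>        ; 0A0h  MUST VERIFY; offset differs on XP per this thread
    QuotaPeakPoolUsage              DWORD 2 dup (?)      ; 0A8h  NP, P
    QuotaPoolUsage                  DWORD 2 dup (?)      ; 0B0h  NP, P
    PagefileUsage                   DWORD ?              ; 0B8h
    CommitCharge                    DWORD ?              ; 0BCh
    PeakPagefileUsage               DWORD ?              ; 0C0h
    PeakVirtualSize                 DWORD ?              ; 0C4h
    VirtualSize                     LARGE_INTEGER <>     ; 0C8h  8 bytes; LARGE_INTEGER struct must be defined
    Vm                              MMSUPPORT <>         ; 0D0h  MUST VERIFY (30h bytes to reach 100h)
    d100                            DWORD ?              ; 100h
    d104                            DWORD ?              ; 104h
    d108                            DWORD ?              ; 108h
    d10C                            DWORD ?              ; 10Ch
    d110                            DWORD ?              ; 110h
    d114                            DWORD ?              ; 114h
    d118                            DWORD ?              ; 118h
    d11C                            DWORD ?              ; 11Ch
    DebugPort                       DWORD ?              ; 120h  PVOID in the C header
    ExceptionPort                   DWORD ?              ; 124h  PVOID in the C header
    lpObjectTable                   DWORD ?              ; 128h  HAND MODIFIED to lp (PHANDLE_TABLE in the C header)
    Token                           DWORD ?              ; 12Ch  PVOID in the C header
    WorkingSetLock                  FAST_MUTEX <>        ; 130h  BIG STRUCT! MUST VERIFY (20h bytes to reach 150h)
    WorkingSetPage                  DWORD ?              ; 150h
    ProcessOutswapEnabled           BYTE ?               ; 154h
    ProcessOutswapped               BYTE ?               ; 155h
    AddressSpaceInitialized         BYTE ?               ; 156h
    AddressSpaceDeleted             BYTE ?               ; 157h
    AddressCreationLock             FAST_MUTEX <>        ; 158h  BIG STRUCT! MUST VERIFY (20h bytes to reach 178h)
    HyperSpaceLock                  DWORD ?              ; 178h  hand modified (KSPIN_LOCK); should verify
    ForkInProgress                  DWORD ?              ; 17Ch
    VmOperation                     WORD ?               ; 180h
    ForkWasSuccessful               BYTE ?               ; 182h
    MmAgressiveWsTrimMask           BYTE ?               ; 183h
    VmOperationEvent                DWORD ?              ; 184h
    PageDirectoryPte                DWORD ?              ; 188h  hand modified (HARDWARE_PTE); should verify
    LastFaultCount                  DWORD ?              ; 18Ch
    ModifiedPageCount               DWORD ?              ; 190h
    VadRoot                         DWORD ?              ; 194h  PVOID in the C header
    VadHint                         DWORD ?              ; 198h  PVOID in the C header
    CloneRoot                       DWORD ?              ; 19Ch  PVOID in the C header
    NumberOfPrivatePages            DWORD ?              ; 1A0h
    NumberOfLockedPages             DWORD ?              ; 1A4h
    NextPageColor                   WORD ?               ; 1A8h
    ExitProcessCalled               BYTE ?               ; 1AAh
    CreateProcessReported           BYTE ?               ; 1ABh
    SectionHandle                   DWORD ?              ; 1ACh  HANDLE in the C header
    lpPeb                           DWORD ?              ; 1B0h  hand modified to lpPeb (struct _PEB * in the C header)
    SectionBaseAddress              DWORD ?              ; 1B4h  PVOID in the C header
    QuotaBlock                      DWORD ?              ; 1B8h  hand modified (PQUOTA_BLOCK); should verify
    LastThreadExitStatus            DWORD ?              ; 1BCh  hand modified (NTSTATUS); should verify
    WorkingSetWatch                 DWORD ?              ; 1C0h
    Win32WindowStation              DWORD ?              ; 1C4h  HANDLE in the C header
    InheritedFromUniqueProcessId    DWORD ?              ; 1C8h
    GrantedAccess                   DWORD ?              ; 1CCh  hand modified (ACCESS_MASK); should verify
    DefaultHardErrorProcessing      DWORD ?              ; 1D0h  HEM_*
    LdtInformation                  DWORD ?              ; 1D4h
    VadFreeHint                     DWORD ?              ; 1D8h  PVOID in the C header
    VdmObjects                      DWORD ?              ; 1DCh
    DeviceMap                       DWORD ?              ; 1E0h  PVOID; C header comment says "0x24 bytes"
    SessionId                       DWORD ?              ; 1E4h
    d1E8                            DWORD ?              ; 1E8h
    d1EC                            DWORD ?              ; 1ECh
    d1F0                            DWORD ?              ; 1F0h
    d1F4                            DWORD ?              ; 1F4h
    d1F8                            DWORD ?              ; 1F8h
    ImageFileName                   BYTE 16 dup (?)      ; 1FCh  fixed 16 bytes; not guaranteed NUL-terminated
    VmTrimFaultValue                DWORD ?              ; 20Ch
    SetTimerResolution              BYTE ?               ; 210h
    PriorityClass                   BYTE ?               ; 211h
    union                                                ; 212h  same 2 bytes viewed as two BYTEs or one WORD
        struct
            SubSystemMinorVersion   BYTE ?               ; 212h
            SubSystemMajorVersion   BYTE ?               ; 213h
        ends
        SubSystemVersion            WORD ?               ; 212h
    ends
    lpWin32Process                  DWORD ?              ; 214h  HAND MODIFIED (struct _WIN32_PROCESS * in the C header)
    d218                            DWORD ?              ; 218h
    d21C                            DWORD ?              ; 21Ch
    d220                            DWORD ?              ; 220h
    d224                            DWORD ?              ; 224h
    d228                            DWORD ?              ; 228h
    d22C                            DWORD ?              ; 22Ch
    Wow64                           DWORD ?              ; 230h  PVOID in the C header
    d234                            DWORD ?              ; 234h
    IoCounters                      IO_COUNTERS <>       ; 238h  BIG STRUCT!! VERIFY IT (30h bytes to reach 268h)
    d268                            DWORD ?              ; 268h
    d26C                            DWORD ?              ; 26Ch
    d270                            DWORD ?              ; 270h
    d274                            DWORD ?              ; 274h
    d278                            DWORD ?              ; 278h
    d27C                            DWORD ?              ; 27Ch
    d280                            DWORD ?              ; 280h
    d284                            DWORD ?              ; 284h
EPROCESS ends                                            ; 288h  total size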

EPROCESS_ EQU SIZEOF EPROCESS   ; structure size as a constant; probably only useful for allocation arithmetic


Things to look for:

    [*]KPROCESS
    [*]NTSTATUS
    [*]KEVENT
    [*]LIST_ENTRY
    [*]MMSUPPORT
    [*]FAST_MUTEX
    [*]IO_COUNTERS

    These NEED to be defined to get this struct to work. I have no time to hunt them down for you, or to check whether they are even in Windows.inc... At any rate they are probably in your other headers somewhere (all convoluted with C++ crap :) ).

    The LARGE_INTEGER I didn't want to change right away. You should verify its uses before making a struct for it, but I was about to define:
    LARGE_INTEGER struct
    
    a DWORD
    b DWORD
    LARGE_INTEGER ends

    I have a hunch it's only needed for its size, and this struct would never actually be *used* in code.

    Things marked hand modified were my once-over after macro'ing it to death :) They are mostly fancy C++ labels that (I think) won't amount to anything in MASM, so they were converted to DWORDs... they shouldn't cause you grief, but if they do, I've marked them so you'll know it was me :)

    Aside from that... consider it an X-mas gift :grin:
    NaN
Posted on 2001-12-03 01:52:36 by NaN
NaN, trust me, 64bit integers *are* used in the NT kernel. How do
you think they'd support the 64GB ram the x86 supports since the
ppro core? :).

Good luck FCE2... I'd code NT kernel stuff in (pure) C with asm where
"absolutely necessary" (or where it makes my life *easier*). But
if you really want to go asm, I guess I can't stop you ;).
Posted on 2001-12-03 03:11:22 by f0dder
f0dder,

Didn't know any of that ;). Thanks (I'm really NT illiterate.)

NaN
Posted on 2001-12-03 10:24:05 by NaN
WOW ! Big Thanks NAN !

I feel embarrassed now, I should have done this myself. I'll take a look at UltraEdit's macro feature and hopefully be able to convert the rest of those structs on my own. Once my KMD reaches 'production stability' I will contribute something to masm32, I think I should give something back for all the useful information I've picked up in these forums.

Thanks again.
Posted on 2001-12-03 19:15:28 by jmp $FCE2
When you're done, are ya gonna donate it to MASM32 7.1


All:

Here is my contribution, which compiles under MASM32. The attached file is an include file that I use for Windows 2000/XP system internal structures.

Hope they are of use.

BTW:

If anyone improves upon the include file, please post a copy.

Thanks.
Posted on 2001-12-04 13:14:58 by madprgmr
Awesome !!!!

When / if I add enough useful stuff I will post it here. :alright:
Posted on 2001-12-05 00:50:10 by jmp $FCE2
Here's a question to madprgmr :

This struct is taken from your .inc file

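; Per-thread APC state as quoted from the posted include file.  Size check
; from the discussion: 2 x 8-byte LIST_ENTRY = 16, one 4-byte pointer, three
; BYTE flags = 23 bytes.  One trailing alignment byte is added here so the
; struct comes out at 24 (18h) bytes, which is the fix the author confirms
; below.
KAPC_STATE Struct
    ApcListHead         LIST__ENTRY 2 DUP (<?>)  ; 2 x 8 bytes; verify the type name -- LIST__ENTRY (double underscore) may be a transcription of LIST_ENTRY
    kapcProcess         pKPROCESS ?              ; 4-byte pointer
    KernelApcInProgress BYTE ?
    KernelApcPending    BYTE ?
    UserApcPending      BYTE ?
    kapcPad             BYTE ?                   ; alignment byte (name chosen here); brings the size from 23 to 24
KAPC_STATE ENDS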

That would make KAPC_STATE 23 bytes. Are you sure that this is correct ? I suspect there's a 'padding' byte missing somewhere (after UserApcPending ?)
Posted on 2001-12-05 06:31:43 by jmp $FCE2
That would make KAPC_STATE 23 bytes. Are you sure that this is correct ? I suspect there's a 'padding' byte missing somewhere


jmp $FCE2, thanks for pointing this out — you are correct. While going back to fix this little error I also noticed a typo in my
KTHREAD Struct, which I am in the process of fixing. Once verified I will post the new include file.

Sorry for any problems that the above mentioned errors may have caused anyone.
Posted on 2001-12-05 12:01:20 by madprgmr
I just found out that M$ seems to have changed EPROCESS for XP. In my driver I rely on ActiveProcessLinks.Flink being at offset A0h.

This is output from running my Driver on XP :

PsInitialSystemProcess: 0xF8AD2BE4
EPROCESS Link: 0x80547C54
EPROCESS: 0x823CE838
ActiveProcessLinks.Flink: 0x00000000

whereas the W2K output looks like :

PsInitialSystemProcess: 0xEB922BE4
EPROCESS Link: 0x8046CDA8
EPROCESS: 0xF858C6E0
ActiveProcessLinks.Flink: 0x8046DBE0

Apparently ActiveProcessLinks.Flink is not at the same offset under XP as it is on W2K, and unfortunately I do not have the XP DDK to check the 'new' layout of EPROCESS.

Can anybody help ?
Posted on 2001-12-05 13:46:26 by jmp $FCE2
Can anybody help ?


I am currently working on a complete WinXP internals include file. As to the Win2K one that I posted on Tue; here is the corrected version.

As always, please let me know if you improve upon the file or find any other "Stupid programmer" bugs

:grin:
Posted on 2001-12-05 16:21:58 by madprgmr
Thanks a lot. A friend of mine works for a software company and they've got an MSDN subscription. I asked him to look for the XP DDK and as soon as he gets back to me with the information, I'll post it here.
Posted on 2001-12-06 01:47:35 by jmp $FCE2
No problem. I am just about finished with a major update to the third installment of Win2KInternals.inc. After I complete it, I am moving on to the XP version.

BTW:

Does anyone know what the procedure is for submitting include files for use in Masm32?
Posted on 2001-12-06 09:11:40 by madprgmr
OK... here is two days' worth of work (I have tried my best to verify that all structs are of the proper size).

For this version, here is what has been done:

Rev 1.02 - 12/06/01: Modified/Added
- MODIFIED:
WORKING_SET Struct
FAST_MUTEX
EPROCESS
HARDWARE_PTE_X86
- ADDED:
WSLE_HASH,
HANDLE_TABLE,
ERESOURCE,
HANDLE_TABLE_ENTRY,
OWNER_ENTRY,
PEB,
PEB_LDR_DATA,
UNICODE_STRING,
EPROCESS_QUOTA_BLOCK,
PROCESS_WS_WATCH_INFORMATION,
PAGEFAULT_HISTORY,
EJOB,
IO_COUNTERS,
WOW64_PROCESS,
RTL_BITMAP,
PS_JOB_TOKEN_FILTER,
SID_AND_ATTRIBUTES,
LUID,
PS_IMPERSONATION_INFORMATION,
DEVICE_OBJECT,
WAIT_CONTEXT_BLOCK,
DEVICE_OBJECT,
KDPC,
POWER_CHANNEL_SUMMARY,
DEVICE_OBJECT_POWER_EXTENSION,
DEVOBJ_EXTENSION,
KDEVICE_QUEUE,
IO_TIMER,
VPB,
IO_STATUS_BLOCK,
_IRP,
MDL,
IO_STACK_LOCATION,
UNICODE_STRING,
CURDIR,
RTL_DRIVE_LETTER_CURDIR,
STRING,
RTL_USER_PROCESS_PARAMETERS,
PEB_FREE_BLOCK,
PS_JOB_TOKEN_FILTER,
EXCEPTION_REGISTRATION_RECORD,
KTRAP_FRAME,
DRIVER_OBJECT,
DRIVER_EXTENSION,
FAST_IO_DISPATCH,
IO_CLIENT_EXTENSION,
FILE_OBJECT,
SECTION_OBJECT_POINTERS,
NAMED_PIPE_CREATE_PARAMETERS,
MAILSLOT_CREATE_PARAMETERS,
SID_IDENTIFIER_AUTHORITY,
FILE_GET_QUOTA_INFORMATION,
KQUEUE,
INTERFACE,
DEVICE_CAPABILITIES,
IO_RESOURCE_REQUIREMENTS_LIST,
IO_RESOURCE_LIST,
IO_RESOURCE_DESCRIPTOR,
POWER_SEQUENCE,
CM_FULL_RESOURCE_DESCRIPTOR,
CM_RESOURCE_LIST,
CM_PARTIAL_RESOURCE_LIST,
CM_PARTIAL_RESOURCE_DESCRIPTOR

--

As always, please let me know if you have any comments or suggestions.
Posted on 2001-12-06 16:53:22 by madprgmr
I really appreciate your work ! Great stuff.
Posted on 2001-12-06 17:54:14 by jmp $FCE2
jmp $FCE2:

I just noticed another stupid programmer bug, this one has to do with the RECORD field (sorry for all of the bugs - I should have taken more breaks while working on it).

:stupid:

The bug is that the fields in the RECORDs are in backwards order (MASM lists RECORD fields from the most significant bit down, so the first-named field lands in the high bits). Here is the corrected version of those definitions (just cut and paste):

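; MASM RECORD fields are listed from the most significant bit down to bit 0,
; so each definition below starts with the high-order field and ends with the
; low-order one.  Every record sums to 32 bits.

; From the field names this looks like the high DWORD of an x86 segment
; descriptor: BaseMid in bits 0-7, uBaseHi in bits 24-31.
unnamed11_Bits RECORD uBaseHi:8, uGranularity:1, uDefault_Big:1, uReserved_0:1, uSys:1, uLimitHi:4, uPres:1, uDpl:2, uType:5, BaseMid:8

; MMSUPPORT flag word: SessionSpace is bit 0, Filler occupies the top 25 bits.
MMSUPPORT_FLAGS RECORD Filler:25, WriteWatch:1, WorkingSetHard:1, TrimHard:1, SessionLeader:1, ProcessInSession:1, BeingTrimmed:1, SessionSpace:1

; x86 page-table entry: Valid is bit 0, PageFrameNumber is bits 12-31.
_HARDWARE_PTE_X86 RECORD PageFrameNumber:20, Reserved_1:1, Prototype:1, CopyOnWrite:1, Global:1, LargePage:1, Dirty:1, Accessed:1, CacheDisable:1, WriteThrough:1, Owner:1, Write:1, Valid:1

; Device-capability flag word (presumably the DEVICE_CAPABILITIES bits):
; DeviceD1 is bit 0, dcReserved the top 15 bits.  The trailing comma after
; DeviceD1:1 in the posted version is dropped -- MASM reads a trailing comma
; as a line continuation, so the next statement would have been pulled into
; the record.
DC_BITS Record dcReserved:15, WarmEjectSupported:1, NonDynamic:1, HardwareDisabled:1, WakeFromD3:1, WakeFromD2:1, WakeFromD1:1, WakeFromD0:1, SurpriseRemovalOK:1, RawDeviceOK:1, SilentInstall:1, UniqueID:1, DockDevice:1, Removable:1, EjectSupported:1, LockSupported:1, DeviceD2:1, DeviceD1:1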
Posted on 2001-12-07 14:03:20 by madprgmr
I've gotten my hands on the DDK for XP finally. Yet I had no chance to install it because I'm not going to mess with XP on my development machine. In the meantime I've rewritten parts of my driver using only "official" ntoskrnl structs and calls. Eventually I will have to look at EPROCESS again. Hopefully I'm able to post XP structs next week.
Posted on 2001-12-08 03:49:54 by jmp $FCE2