//0x500 bytes (sizeof)
struct _EPROCESS
{
struct
_KPROCESS Pcb; //0x0
struct
_EX_PUSH_LOCK ProcessLock; //0xe0
VOID* UniqueProcessId; //0xe4
struct
_LIST_ENTRY ActiveProcessLinks; //0xe8
struct
_EX_RUNDOWN_REF RundownProtect; //0xf0
VOID* VdmObjects; //0xf4
union
{
ULONG Flags2; //0xf8
struct
{
ULONG JobNotReallyActive:1; //0xf8
ULONG AccountingFolded:1; //0xf8
ULONG NewProcessReported:1; //0xf8
ULONG ExitProcessReported:1; //0xf8
ULONG ReportCommitChanges:1; //0xf8
ULONG LastReportMemory:1; //0xf8
ULONG ForceWakeCharge:1; //0xf8
ULONG CrossSessionCreate:1; //0xf8
ULONG NeedsHandleRundown:1; //0xf8
ULONG RefTraceEnabled:1; //0xf8
ULONG PicoCreated:1; //0xf8
ULONG EmptyJobEvaluated:1; //0xf8
ULONG DefaultPagePriority:3; //0xf8
ULONG PrimaryTokenFrozen:1; //0xf8
ULONG ProcessVerifierTarget:1; //0xf8
ULONG RestrictSetThreadContext:1; //0xf8
ULONG AffinityPermanent:1; //0xf8
ULONG AffinityUpdateEnable:1; //0xf8
ULONG PropagateNode:1; //0xf8
ULONG ExplicitAffinity:1; //0xf8
ULONG ProcessExecutionState:2; //0xf8
ULONG EnableReadVmLogging:1; //0xf8
ULONG EnableWriteVmLogging:1; //0xf8
ULONG FatalAccessTerminationRequested:1; //0xf8
ULONG DisableSystemAllowedCpuSet:1; //0xf8
ULONG ProcessStateChangeRequest:2; //0xf8
ULONG ProcessStateChangeInProgress:1; //0xf8
ULONG InPrivate:1; //0xf8
};
};
union
{
ULONG Flags; //0xfc
struct
{
ULONG CreateReported:1; //0xfc
ULONG NoDebugInherit:1; //0xfc
ULONG ProcessExiting:1; //0xfc
ULONG ProcessDelete:1; //0xfc
ULONG ManageExecutableMemoryWrites:1; //0xfc
ULONG VmDeleted:1; //0xfc
ULONG OutswapEnabled:1; //0xfc
ULONG Outswapped:1; //0xfc
ULONG FailFastOnCommitFail:1; //0xfc
ULONG Wow64VaSpace4Gb:1; //0xfc
ULONG AddressSpaceInitialized:2; //0xfc
ULONG SetTimerResolution:1; //0xfc
ULONG BreakOnTermination:1; //0xfc
ULONG DeprioritizeViews:1; //0xfc
ULONG WriteWatch:1; //0xfc
ULONG ProcessInSession:1; //0xfc
ULONG OverrideAddressSpace:1; //0xfc
ULONG HasAddressSpace:1; //0xfc
ULONG LaunchPrefetched:1; //0xfc
ULONG Background:1; //0xfc
ULONG VmTopDown:1; //0xfc
ULONG ImageNotifyDone:1; //0xfc
ULONG PdeUpdateNeeded:1; //0xfc
ULONG VdmAllowed:1; //0xfc
ULONG ProcessRundown:1; //0xfc
ULONG ProcessInserted:1; //0xfc
ULONG DefaultIoPriority:3; //0xfc
ULONG ProcessSelfDelete:1; //0xfc
ULONG SetTimerResolutionLink:1; //0xfc
};
};
union
_LARGE_INTEGER CreateTime; //0x100
ULONG ProcessQuotaUsage[2]; //0x108
ULONG ProcessQuotaPeak[2]; //0x110
ULONG PeakVirtualSize; //0x118
ULONG VirtualSize; //0x11c
struct
_LIST_ENTRY SessionProcessLinks; //0x120
union
{
VOID* ExceptionPortData; //0x128
ULONG ExceptionPortValue; //0x128
ULONG ExceptionPortState:3; //0x128
};
struct
_EX_FAST_REF Token; //0x12c
ULONG MmReserved; //0x130
struct
_EX_PUSH_LOCK AddressCreationLock; //0x134
struct
_EX_PUSH_LOCK PageTableCommitmentLock; //0x138
struct
_ETHREAD* RotateInProgress; //0x13c
struct
_ETHREAD* ForkInProgress; //0x140
struct
_EJOB* volatile CommitChargeJob; //0x144
struct
_RTL_AVL_TREE CloneRoot; //0x148
volatile ULONG NumberOfPrivatePages; //0x14c
volatile ULONG NumberOfLockedPages; //0x150
VOID* Win32Process; //0x154
struct
_EJOB* volatile Job; //0x158
VOID* SectionObject; //0x15c
VOID* SectionBaseAddress; //0x160
ULONG Cookie; //0x164
struct
_PAGEFAULT_HISTORY* WorkingSetWatch; //0x168
VOID* Win32WindowStation; //0x16c
VOID* InheritedFromUniqueProcessId; //0x170
VOID* LdtInformation; //0x174
volatile ULONG OwnerProcessId; //0x178
struct
_PEB* Peb; //0x17c
struct
_MM_SESSION_SPACE* Session; //0x180
VOID* Spare1; //0x184
struct
_EPROCESS_QUOTA_BLOCK* QuotaBlock; //0x188
struct
_HANDLE_TABLE* ObjectTable; //0x18c
VOID* DebugPort; //0x190
VOID* PaeTop; //0x194
VOID* DeviceMap; //0x198
VOID* EtwDataSource; //0x19c
ULONGLONG PageDirectoryPte; //0x1a0
struct
_FILE_OBJECT* ImageFilePointer; //0x1a8
UCHAR ImageFileName[15]; //0x1ac
UCHAR PriorityClass; //0x1bb
VOID* SecurityPort; //0x1bc
struct
_SE_AUDIT_PROCESS_CREATION_INFO SeAuditProcessCreationInfo; //0x1c0
struct
_LIST_ENTRY JobLinks; //0x1c4
VOID* HighestUserAddress; //0x1cc
struct
_LIST_ENTRY ThreadListHead; //0x1d0
volatile ULONG ActiveThreads; //0x1d8
ULONG ImagePathHash; //0x1dc
ULONG DefaultHardErrorProcessing; //0x1e0
LONG LastThreadExitStatus; //0x1e4
struct
_EX_FAST_REF PrefetchTrace; //0x1e8
VOID* LockedPagesList; //0x1ec
union
_LARGE_INTEGER ReadOperationCount; //0x1f0
union
_LARGE_INTEGER WriteOperationCount; //0x1f8
union
_LARGE_INTEGER OtherOperationCount; //0x200
union
_LARGE_INTEGER ReadTransferCount; //0x208
union
_LARGE_INTEGER WriteTransferCount; //0x210
union
_LARGE_INTEGER OtherTransferCount; //0x218
ULONG CommitChargeLimit; //0x220
volatile ULONG CommitCharge; //0x224
volatile ULONG CommitChargePeak; //0x228
struct
_MMSUPPORT_FULL Vm; //0x240
struct
_LIST_ENTRY MmProcessLinks; //0x340
ULONG ModifiedPageCount; //0x348
LONG ExitStatus; //0x34c
struct
_RTL_AVL_TREE VadRoot; //0x350
VOID* VadHint; //0x354
ULONG VadCount; //0x358
volatile ULONG VadPhysicalPages; //0x35c
ULONG VadPhysicalPagesLimit; //0x360
struct
_ALPC_PROCESS_CONTEXT AlpcContext; //0x364
struct
_LIST_ENTRY TimerResolutionLink; //0x374
struct
_PO_DIAG_STACK_RECORD* TimerResolutionStackRecord; //0x37c
ULONG RequestedTimerResolution; //0x380
ULONG SmallestTimerResolution; //0x384
union
_LARGE_INTEGER ExitTime; //0x388
ULONG ActiveThreadsHighWatermark; //0x390
ULONG LargePrivateVadCount; //0x394
struct
_EX_PUSH_LOCK ThreadListLock; //0x398
VOID* WnfContext; //0x39c
struct
_EJOB* ServerSilo; //0x3a0
UCHAR SignatureLevel; //0x3a4
UCHAR SectionSignatureLevel; //0x3a5
struct
_PS_PROTECTION Protection; //0x3a6
UCHAR HangCount:3; //0x3a7
UCHAR GhostCount:3; //0x3a7
UCHAR PrefilterException:1; //0x3a7
union
{
ULONG Flags3; //0x3a8
struct
{
ULONG Minimal:1; //0x3a8
ULONG ReplacingPageRoot:1; //0x3a8
ULONG Crashed:1; //0x3a8
ULONG JobVadsAreTracked:1; //0x3a8
ULONG VadTrackingDisabled:1; //0x3a8
ULONG AuxiliaryProcess:1; //0x3a8
ULONG SubsystemProcess:1; //0x3a8
ULONG IndirectCpuSets:1; //0x3a8
ULONG RelinquishedCommit:1; //0x3a8
ULONG HighGraphicsPriority:1; //0x3a8
ULONG CommitFailLogged:1; //0x3a8
ULONG ReserveFailLogged:1; //0x3a8
ULONG SystemProcess:1; //0x3a8
ULONG HideImageBaseAddresses:1; //0x3a8
ULONG AddressPolicyFrozen:1; //0x3a8
ULONG ProcessFirstResume:1; //0x3a8
ULONG ForegroundExternal:1; //0x3a8
ULONG ForegroundSystem:1; //0x3a8
ULONG HighMemoryPriority:1; //0x3a8
ULONG EnableProcessSuspendResumeLogging:1; //0x3a8
ULONG EnableThreadSuspendResumeLogging:1; //0x3a8
ULONG SecurityDomainChanged:1; //0x3a8
ULONG SecurityFreezeComplete:1; //0x3a8
ULONG VmProcessorHost:1; //0x3a8
ULONG VmProcessorHostTransition:1; //0x3a8
ULONG AltSyscall:1; //0x3a8
ULONG TimerResolutionIgnore:1; //0x3a8
ULONG DisallowUserTerminate:1; //0x3a8
};
};
LONG DeviceAsid; //0x3ac
VOID* SvmData; //0x3b0
struct
_EX_PUSH_LOCK SvmProcessLock; //0x3b4
ULONG SvmLock; //0x3b8
struct
_LIST_ENTRY SvmProcessDeviceListHead; //0x3bc
ULONGLONG LastFreezeInterruptTime; //0x3c8
struct
_PROCESS_DISK_COUNTERS* DiskCounters; //0x3d0
VOID* PicoContext; //0x3d4
ULONG HighPriorityFaultsAllowed; //0x3d8
VOID* InstrumentationCallback; //0x3dc
struct
_PO_PROCESS_ENERGY_CONTEXT* EnergyContext; //0x3e0
VOID* VmContext; //0x3e4
ULONGLONG SequenceNumber; //0x3e8
ULONGLONG CreateInterruptTime; //0x3f0
ULONGLONG CreateUnbiasedInterruptTime; //0x3f8
ULONGLONG TotalUnbiasedFrozenTime; //0x400
ULONGLONG LastAppStateUpdateTime; //0x408
ULONGLONG LastAppStateUptime:61; //0x410
ULONGLONG LastAppState:3; //0x410
volatile ULONG SharedCommitCharge; //0x418
struct
_EX_PUSH_LOCK SharedCommitLock; //0x41c
struct
_LIST_ENTRY SharedCommitLinks; //0x420
union
{
struct
{
ULONG AllowedCpuSets; //0x428
ULONG DefaultCpuSets; //0x42c
};
struct
{
ULONG* AllowedCpuSetsIndirect; //0x428
ULONG* DefaultCpuSetsIndirect; //0x42c
};
};
VOID* DiskIoAttribution; //0x430
VOID* DxgProcess; //0x434
ULONG Win32KFilterSet; //0x438
unionvolatile
_PS_INTERLOCKED_TIMER_DELAY_VALUES ProcessTimerDelay; //0x440
volatile ULONG KTimerSets; //0x448
volatile ULONG KTimer2Sets; //0x44c
volatile ULONG ThreadTimerSets; //0x450
ULONG VirtualTimerListLock; //0x454
struct
_LIST_ENTRY VirtualTimerListHead; //0x458
union
{
struct
_WNF_STATE_NAME WakeChannel; //0x460
struct
_PS_PROCESS_WAKE_INFORMATION WakeInfo; //0x460
};
union
{
ULONG MitigationFlags; //0x490
struct
{
ULONG ControlFlowGuardEnabled:1; //0x490
ULONG ControlFlowGuardExportSuppressionEnabled:1; //0x490
ULONG ControlFlowGuardStrict:1; //0x490
ULONG DisallowStrippedImages:1; //0x490
ULONG ForceRelocateImages:1; //0x490
ULONG HighEntropyASLREnabled:1; //0x490
ULONG StackRandomizationDisabled:1; //0x490
ULONG ExtensionPointDisable:1; //0x490
ULONG DisableDynamicCode:1; //0x490
ULONG DisableDynamicCodeAllowOptOut:1; //0x490
ULONG DisableDynamicCodeAllowRemoteDowngrade:1; //0x490
ULONG AuditDisableDynamicCode:1; //0x490
ULONG DisallowWin32kSystemCalls:1; //0x490
ULONG AuditDisallowWin32kSystemCalls:1; //0x490
ULONG EnableFilteredWin32kAPIs:1; //0x490
ULONG AuditFilteredWin32kAPIs:1; //0x490
ULONG DisableNonSystemFonts:1; //0x490
ULONG AuditNonSystemFontLoading:1; //0x490
ULONG PreferSystem32Images:1; //0x490
ULONG ProhibitRemoteImageMap:1; //0x490
ULONG AuditProhibitRemoteImageMap:1; //0x490
ULONG ProhibitLowILImageMap:1; //0x490
ULONG AuditProhibitLowILImageMap:1; //0x490
ULONG SignatureMitigationOptIn:1; //0x490
ULONG AuditBlockNonMicrosoftBinaries:1; //0x490
ULONG AuditBlockNonMicrosoftBinariesAllowStore:1; //0x490
ULONG LoaderIntegrityContinuityEnabled:1; //0x490
ULONG AuditLoaderIntegrityContinuity:1; //0x490
ULONG EnableModuleTamperingProtection:1; //0x490
ULONG EnableModuleTamperingProtectionNoInherit:1; //0x490
ULONG RestrictIndirectBranchPrediction:1; //0x490
ULONG IsolateSecurityDomain:1; //0x490
} MitigationFlagsValues; //0x490
};
union
{
ULONG MitigationFlags2; //0x494
struct
{
ULONG EnableExportAddressFilter:1; //0x494
ULONG AuditExportAddressFilter:1; //0x494
ULONG EnableExportAddressFilterPlus:1; //0x494
ULONG AuditExportAddressFilterPlus:1; //0x494
ULONG EnableRopStackPivot:1; //0x494
ULONG AuditRopStackPivot:1; //0x494
ULONG EnableRopCallerCheck:1; //0x494
ULONG AuditRopCallerCheck:1; //0x494
ULONG EnableRopSimExec:1; //0x494
ULONG AuditRopSimExec:1; //0x494
ULONG EnableImportAddressFilter:1; //0x494
ULONG AuditImportAddressFilter:1; //0x494
ULONG DisablePageCombine:1; //0x494
ULONG SpeculativeStoreBypassDisable:1; //0x494
ULONG CetUserShadowStacks:1; //0x494
ULONG AuditCetUserShadowStacks:1; //0x494
ULONG AuditCetUserShadowStacksLogged:1; //0x494
ULONG UserCetSetContextIpValidation:1; //0x494
ULONG AuditUserCetSetContextIpValidation:1; //0x494
ULONG AuditUserCetSetContextIpValidationLogged:1; //0x494
ULONG CetUserShadowStacksStrictMode:1; //0x494
ULONG BlockNonCetBinaries:1; //0x494
ULONG BlockNonCetBinariesNonEhcont:1; //0x494
ULONG AuditBlockNonCetBinaries:1; //0x494
ULONG AuditBlockNonCetBinariesLogged:1; //0x494
ULONG Reserved1:1; //0x494
ULONG Reserved2:1; //0x494
ULONG Reserved3:1; //0x494
ULONG Reserved4:1; //0x494
ULONG Reserved5:1; //0x494
ULONG CetDynamicApisOutOfProcOnly:1; //0x494
ULONG UserCetSetContextIpValidationRelaxedMode:1; //0x494
} MitigationFlags2Values; //0x494
};
VOID* PartitionObject; //0x498
ULONGLONG SecurityDomain; //0x4a0
ULONGLONG ParentSecurityDomain; //0x4a8
VOID* CoverageSamplerContext; //0x4b0
VOID* MmHotPatchContext; //0x4b4
struct
_RTL_AVL_TREE DynamicEHContinuationTargetsTree; //0x4b8
struct
_EX_PUSH_LOCK DynamicEHContinuationTargetsLock; //0x4bc
struct
_PS_DYNAMIC_ENFORCED_ADDRESS_RANGES DynamicEnforcedCetCompatibleRanges; //0x4c0
ULONG DisabledComponentFlags; //0x4c8
};