This post builds on a previous post. The reader is encouraged to visit that post before proceeding with this one. In this post, we will be discussing the _EPROCESS structure with the aid of a kernel debugger.
The _EPROCESS is perhaps the most crucial structure in memory forensics. It is the basic data structure that stores various attributes of the process and the pointers to the other attributes and data structures related to the process.
To check the _EPROCESS structure, enter the following command in the kernel debugger:
dt nt!_EPROCESS
Below is the output:
>>>dt nt!_EPROCESS
   +0x000 Pcb              : _KPROCESS
   +0x0c0 ProcessLock      : _EX_PUSH_LOCK
   +0x0c8 CreateTime       : _LARGE_INTEGER
   +0x0d0 ExitTime         : _LARGE_INTEGER
   +0x0d8 RundownProtect   : _EX_RUNDOWN_REF
   +0x0e0 UniqueProcessId  : Ptr64 Void
   +0x0e8 ActiveProcessLinks : _LIST_ENTRY
   +0x0f8 QuotaUsage       : [3] Uint8B
   +0x110 QuotaPeak        : [3] Uint8B
   +0x128 CommitCharge     : Uint8B
   +0x130 PeakVirtualSize  : Uint8B
   +0x138 VirtualSize      : Uint8B
   +0x140 SessionProcessLinks : _LIST_ENTRY
   +0x150 DebugPort        : Ptr64 Void
   +0x158 ExceptionPortData : Ptr64 Void
   +0x158 ExceptionPortValue : Uint8B
   +0x158 ExceptionPortState : Pos 0, 3 Bits
   +0x160 ObjectTable      : Ptr64 _HANDLE_TABLE
   +0x168 Token            : _EX_FAST_REF
   +0x170 WorkingSetPage   : Uint8B
   +0x178 AddressCreationLock : _EX_PUSH_LOCK
   +0x180 RotateInProgress : Ptr64 _ETHREAD
   +0x188 ForkInProgress   : Ptr64 _ETHREAD
   +0x190 HardwareTrigger  : Uint8B
   +0x198 PhysicalVadRoot  : Ptr64 _MM_AVL_TABLE
   +0x1a0 CloneRoot        : Ptr64 Void
   +0x1a8 NumberOfPrivatePages : Uint8B
   +0x1b0 NumberOfLockedPages : Uint8B
   +0x1b8 Win32Process     : Ptr64 Void
   +0x1c0 Job              : Ptr64 _EJOB
   +0x1c8 SectionObject    : Ptr64 Void
   +0x1d0 SectionBaseAddress : Ptr64 Void
   +0x1d8 QuotaBlock       : Ptr64 _EPROCESS_QUOTA_BLOCK
   +0x1e0 WorkingSetWatch  : Ptr64 _PAGEFAULT_HISTORY
   +0x1e8 Win32WindowStation : Ptr64 Void
   +0x1f0 InheritedFromUniqueProcessId : Ptr64 Void
   +0x1f8 LdtInformation   : Ptr64 Void
   +0x200 VadFreeHint      : Ptr64 Void
   +0x208 VdmObjects       : Ptr64 Void
   +0x210 DeviceMap        : Ptr64 Void
   +0x218 EtwDataSource    : Ptr64 Void
   +0x220 FreeTebHint      : Ptr64 Void
   +0x228 PageDirectoryPte : _HARDWARE_PTE
   +0x228 Filler           : Uint8B
   +0x230 Session          : Ptr64 Void
   +0x238 ImageFileName    : [16] UChar
   +0x248 JobLinks         : _LIST_ENTRY
   +0x258 LockedPagesList  : Ptr64 Void
   +0x260 ThreadListHead   : _LIST_ENTRY
   +0x270 SecurityPort     : Ptr64 Void
   +0x278 Wow64Process     : Ptr64 _WOW64_PROCESS
   +0x280 ActiveThreads    : Uint4B
   +0x284 ImagePathHash    : Uint4B
   +0x288 DefaultHardErrorProcessing : Uint4B
   +0x28c LastThreadExitStatus : Int4B
   +0x290 Peb              : Ptr64 _PEB
   +0x298 PrefetchTrace    : _EX_FAST_REF
   +0x2a0 ReadOperationCount : _LARGE_INTEGER
   +0x2a8 WriteOperationCount : _LARGE_INTEGER
   +0x2b0 OtherOperationCount : _LARGE_INTEGER
   +0x2b8 ReadTransferCount : _LARGE_INTEGER
   +0x2c0 WriteTransferCount : _LARGE_INTEGER
   +0x2c8 OtherTransferCount : _LARGE_INTEGER
   +0x2d0 CommitChargeLimit : Uint8B
   +0x2d8 CommitChargePeak : Uint8B
   +0x2e0 AweInfo          : Ptr64 Void
   +0x2e8 SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO
   +0x2f0 Vm               : _MMSUPPORT
   +0x358 MmProcessLinks   : _LIST_ENTRY
   +0x368 ModifiedPageCount : Uint4B
   +0x36c Flags2           : Uint4B
   +0x36c JobNotReallyActive : Pos 0, 1 Bit
   +0x36c AccountingFolded : Pos 1, 1 Bit
   +0x36c NewProcessReported : Pos 2, 1 Bit
   +0x36c ExitProcessReported : Pos 3, 1 Bit
   +0x36c ReportCommitChanges : Pos 4, 1 Bit
   +0x36c LastReportMemory : Pos 5, 1 Bit
   +0x36c ReportPhysicalPageChanges : Pos 6, 1 Bit
   +0x36c HandleTableRundown : Pos 7, 1 Bit
   +0x36c NeedsHandleRundown : Pos 8, 1 Bit
   +0x36c RefTraceEnabled  : Pos 9, 1 Bit
   +0x36c NumaAware        : Pos 10, 1 Bit
   +0x36c ProtectedProcess : Pos 11, 1 Bit
   +0x36c DefaultPagePriority : Pos 12, 3 Bits
   +0x36c PrimaryTokenFrozen : Pos 15, 1 Bit
   +0x36c ProcessVerifierTarget : Pos 16, 1 Bit
   +0x36c StackRandomizationDisabled : Pos 17, 1 Bit
   +0x370 Flags            : Uint4B
   +0x370 CreateReported   : Pos 0, 1 Bit
   +0x370 NoDebugInherit   : Pos 1, 1 Bit
   +0x370 ProcessExiting   : Pos 2, 1 Bit
   +0x370 ProcessDelete    : Pos 3, 1 Bit
   +0x370 Wow64SplitPages  : Pos 4, 1 Bit
   +0x370 VmDeleted        : Pos 5, 1 Bit
   +0x370 OutswapEnabled   : Pos 6, 1 Bit
   +0x370 Outswapped       : Pos 7, 1 Bit
   +0x370 ForkFailed       : Pos 8, 1 Bit
   +0x370 Wow64VaSpace4Gb  : Pos 9, 1 Bit
   +0x370 AddressSpaceInitialized : Pos 10, 2 Bits
   +0x370 SetTimerResolution : Pos 12, 1 Bit
   +0x370 BreakOnTermination : Pos 13, 1 Bit
   +0x370 DeprioritizeViews : Pos 14, 1 Bit
   +0x370 WriteWatch       : Pos 15, 1 Bit
   +0x370 ProcessInSession : Pos 16, 1 Bit
   +0x370 OverrideAddressSpace : Pos 17, 1 Bit
   +0x370 HasAddressSpace  : Pos 18, 1 Bit
   +0x370 LaunchPrefetched : Pos 19, 1 Bit
   +0x370 InjectInpageErrors : Pos 20, 1 Bit
   +0x370 VmTopDown        : Pos 21, 1 Bit
   +0x370 ImageNotifyDone  : Pos 22, 1 Bit
   +0x370 PdeUpdateNeeded  : Pos 23, 1 Bit
   +0x370 VdmAllowed       : Pos 24, 1 Bit
   +0x370 SmapAllowed      : Pos 25, 1 Bit
   +0x370 ProcessInserted  : Pos 26, 1 Bit
   +0x370 DefaultIoPriority : Pos 27, 3 Bits
   +0x370 SparePsFlags1    : Pos 30, 2 Bits
   +0x374 ExitStatus       : Int4B
   +0x378 Spare7           : Uint2B
   +0x37a SubSystemMinorVersion : UChar
   +0x37b SubSystemMajorVersion : UChar
   +0x37a SubSystemVersion : Uint2B
   +0x37c PriorityClass    : UChar
   +0x380 VadRoot          : _MM_AVL_TABLE
   +0x3c0 Cookie           : Uint4B
   +0x3c8 AlpcContext      : _ALPC_PROCESS_CONTEXT
The above command revealed the entire _EPROCESS data structure including all its members. As discussed in an introductory post, the following members of the structure are significant from a forensic standpoint:
+0x000 Pcb              : _KPROCESS
+0x0c8 CreateTime       : _LARGE_INTEGER
+0x0d0 ExitTime         : _LARGE_INTEGER
+0x0e0 UniqueProcessId  : Ptr64 Void
+0x0e8 ActiveProcessLinks : _LIST_ENTRY
+0x160 ObjectTable      : Ptr64 _HANDLE_TABLE
+0x1f0 InheritedFromUniqueProcessId : Ptr64 Void
+0x260 ThreadListHead   : _LIST_ENTRY
+0x290 Peb              : Ptr64 _PEB
+0x380 VadRoot          : _MM_AVL_TABLE
You can view the Process Control Block (Pcb) by typing the following command:
dt nt!_KPROCESS
The output is given below:
   >>>dt nt!_KPROCESS
   +0x000 Header           : _DISPATCHER_HEADER
   +0x018 ProfileListHead  : _LIST_ENTRY
   +0x028 DirectoryTableBase : Uint8B
   +0x030 Unused0          : Uint8B
   +0x038 IopmOffset       : Uint2B
   +0x040 ActiveProcessors : Uint8B
   +0x048 KernelTime       : Uint4B
   +0x04c UserTime         : Uint4B
   +0x050 ReadyListHead    : _LIST_ENTRY
   +0x060 SwapListEntry    : _SINGLE_LIST_ENTRY
   +0x068 InstrumentationCallback : Ptr64 Void
   +0x070 ThreadListHead   : _LIST_ENTRY
   +0x080 ProcessLock      : Uint8B
   +0x088 Affinity         : Uint8B
   +0x090 AutoAlignment    : Pos 0, 1 Bit
   +0x090 DisableBoost     : Pos 1, 1 Bit
   +0x090 DisableQuantum   : Pos 2, 1 Bit
   +0x090 ReservedFlags    : Pos 3, 29 Bits
   +0x090 ProcessFlags     : Int4B
   +0x094 BasePriority     : Char
   +0x095 QuantumReset     : Char
   +0x096 State            : UChar
   +0x097 ThreadSeed       : UChar
   +0x098 PowerState       : UChar
   +0x099 IdealNode        : UChar
   +0x09a Visited          : UChar
   +0x09b Flags            : _KEXECUTE_OPTIONS
   +0x09b ExecuteOptions   : UChar
   +0x0a0 StackCount       : Uint8B
   +0x0a8 ProcessListEntry : _LIST_ENTRY
   +0x0b8 CycleTime        : Uint8B
The _EPROCESS structures are connected to each other via a doubly linked list called ActiveProcessLinks. ActiveProcessLinks is a _LIST_ENTRY embedded in each _EPROCESS, and these entries together form a circular doubly linked list that tracks all active processes. The next process in the list is referenced by the Flink pointer and the previous process object by the Blink pointer.
Figure 1: EPROCESS Linked List
Traversing this list reveals all the active processes on the system. This is how the Volatility plugin pslist gets the list of active processes.
Let us take a look at what the doubly linked list structure looks like by entering the command below in the kernel debugger.
dt _LIST_ENTRY
The output is given below:
   >>>dt _LIST_ENTRY
   ntdll!_LIST_ENTRY
   +0x000 Flink            : Ptr64 _LIST_ENTRY
   +0x008 Blink            : Ptr64 _LIST_ENTRY
To begin traversing the list, we need to find the head of the list (i.e. the pointer to the doubly linked list). We can do this by looking at nt!PsActiveProcessHead by entering the command
x nt!PsActiveProcessHead
The output is given below:
>>>x nt!PsActiveProcessHead
fffff800`01979e20 nt!PsActiveProcessHead = <no type information>
 
From the output of our command, nt!PsActiveProcessHead can be found at the address fffff800`01979e20. Now that we have the pointer to the list, let us see what the Blink and Flink point to by entering the following command
dt _LIST_ENTRY fffff800`01979e20
The output is given below:
>>>dt _LIST_ENTRY fffff800`01979e20
ntdll!_LIST_ENTRY
 [ 0xfffffa80`00c36978 - 0xfffffa80`014db3e8 ]
   +0x000 Flink            : 0xfffffa80`00c36978 _LIST_ENTRY [ 0xfffffa80`0234a3d8 - 0xfffff800`01979e20 ]
   +0x008 Blink            : 0xfffffa80`014db3e8 _LIST_ENTRY [ 0xfffff800`01979e20 - 0xfffffa80`0122d4a8 ]
Next, let us determine where the _LIST_ENTRY for ActiveProcessLinks is in the _EPROCESS structure by entering the following command.
dt nt!_EPROCESS -y ActiveProcessLinks
The output is given below:
>>>dt nt!_EPROCESS -y ActiveProcessLinks
+0x0e8 ActiveProcessLinks : _LIST_ENTRY
For the sake of clarity, we will list all the processes and pick any one of them to get hold of the pointer to its doubly linked list node. The ActiveProcessLinks field of that process's _EPROCESS structure gives us the pointer into the doubly linked list.
The following command gives us the list of running processes:
!process 0 0
A truncated output is shown below:
>>>!process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS fffffa8000c36890
    SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 00124000  ObjectTable: fffff88000002010  HandleCount: 366.
    Image: System
PROCESS fffffa800234a2f0
    SessionId: none  Cid: 0160    Peb: 7fffffd6000  ParentCid: 0004
    DirBase: 2a28d000  ObjectTable: fffff8800012bf00  HandleCount:  28.
    Image: smss.exe
PROCESS fffffa80023f2c10
    SessionId: 0  Cid: 01a4    Peb: 7fffffdf000  ParentCid: 0198
    DirBase: 24552000  ObjectTable: fffff880014b9fa0  HandleCount: 471.
    Image: csrss.exe
PROCESS fffffa8002431810
    SessionId: 0  Cid: 01c8    Peb: 7fffffdb000  ParentCid: 0198
    DirBase: 239d9000  ObjectTable: fffff8800157a500  HandleCount:  96.
    Image: wininit.exe
PROCESS fffffa8002439c10
    SessionId: 1  Cid: 01dc    Peb: 7fffffda000  ParentCid: 01d0
    DirBase: 23af2000  ObjectTable: fffff8800156e430  HandleCount: 470.
    Image: csrss.exe
PROCESS fffffa8002477c10
    SessionId: 0  Cid: 0200    Peb: 7fffffdf000  ParentCid: 01c8
    DirBase: 22873000  ObjectTable: fffff880015a64d0  HandleCount: 235.
    Image: services.exe
PROCESS fffffa80024896b0
    SessionId: 0  Cid: 020c    Peb: 7fffffdd000  ParentCid: 01c8
    DirBase: 22766000  ObjectTable: fffff880015c2190  HandleCount: 522.
    Image: lsass.exe
PROCESS fffffa8002497b10
    SessionId: 0  Cid: 0218    Peb: 7fffffdc000  ParentCid: 01c8
    DirBase: 228ee000  ObjectTable: fffff880015c04e0  HandleCount: 201.
    Image: lsm.exe
PROCESS fffffa80024c7870
    SessionId: 1  Cid: 0240    Peb: 7fffffde000  ParentCid: 01d0
    DirBase: 21fb9000  ObjectTable: fffff88001548d90  HandleCount: 124.
    Image: winlogon.exe
                                
                                
Let us pick the last process from the above output, winlogon.exe, found at the address fffffa80024c7870. Let us first confirm that it is what it says it is:
!process 0xfffffa80024c7870 0
The output is given below:
>>>!process 0xfffffa80024c7870 0
PROCESS fffffa80024c7870
    SessionId: 1  Cid: 0240    Peb: 7fffffde000  ParentCid: 01d0
    DirBase: 21fb9000  ObjectTable: fffff88001548d90  HandleCount: 124.
    Image: winlogon.exe
Let us examine its _EPROCESS structure by entering the command below.
dt nt!_EPROCESS 0xfffffa80024c7870 -y ActiveProcessLinks
The output is given below:
>>>dt nt!_EPROCESS 0xfffffa80024c7870 -y ActiveProcessLinks
   +0x0e8 ActiveProcessLinks : _LIST_ENTRY [ 0xfffffa80`0248dc58 - 0xfffffa80`02497bf8 ]
The ActiveProcessLinks can be found at offset 0x0e8. If we want to get the other elements of that _EPROCESS structure, we need to get to the start of the _EPROCESS structure and not to the ActiveProcessLinks. To do this, we need to subtract the offset (0x0e8) from the pointer 0xfffffa80024c7870 to get to the starting address of the _EPROCESS.
A truncated output is shown below.
  >>>dt nt!_EPROCESS 0xfffffa80024c7870-0x0e8
   +0x000 Pcb              : _KPROCESS
   +0x0c0 ProcessLock      : _EX_PUSH_LOCK
   +0x0c8 CreateTime       : _LARGE_INTEGER 0xfffffa80`00c3a710
   +0x0d0 ExitTime         : _LARGE_INTEGER 0x20000000
   +0x0d8 RundownProtect   : _EX_RUNDOWN_REF
   +0x0e0 UniqueProcessId  : 0xfffff880`00005ed3 Void
   +0x0e8 ActiveProcessLinks : _LIST_ENTRY [ 0x00000000`00300003 - 0xfffffa80`03ea6e10 ]
   +0x0f8 QuotaUsage       : [3] 0xfffffa80`012c54c0
   +0x110 QuotaPeak        : [3] 0x21fb9000
   +0x128 CommitCharge     : 0
   +0x130 PeakVirtualSize  : 0x00000007`00000036
   +0x138 VirtualSize      : 0xfffffa80`024c78c0
   +0x140 SessionProcessLinks : _LIST_ENTRY [ 0xfffffa80`024c78c0 - 0x00000000`00000000 ]
   +0x150 DebugPort        : (null) 
   +0x158 ExceptionPortData : 0xfffffa80`024d39e0 Void
   +0x158 ExceptionPortValue : 0xfffffa80`024d39e0
   +0x158 ExceptionPortState : 0y000
   +0x160 ObjectTable      : 0xfffffa80`0315b730 _HANDLE_TABLE
   +0x168 Token            : _EX_FAST_REF
   +0x170 WorkingSetPage   : 3
   +0x178 AddressCreationLock : _EX_PUSH_LOCK
   +0x180 RotateInProgress : (null) 
   +0x188 ForkInProgress   : (null) 
   +0x190 HardwareTrigger  : 0xfffffa80`0248dc18
   +0x198 PhysicalVadRoot  : 0xfffffa80`02497bb8 _MM_AVL_TABLE
   +0x1a0 CloneRoot        : 0x00000000`5ff16610 Void
   +0x1a8 NumberOfPrivatePages : 0
   +0x1b0 NumberOfLockedPages : 0x01cc4712`e00e961c
   +0x1b8 Win32Process     : (null) 
   +0x1c0 Job              : (null) 
   +0x1c8 SectionObject    : 0x00000000`00000240 Void
  
Now that we are at the top of the _EPROCESS structure, we can get any element of that structure. Before proceeding with that, however, let us once again figure out the head of the list by looking at the address of PsActiveProcessHead.
   >>>x nt!PsActiveProcessHead
   fffff800`01979e20 nt!PsActiveProcessHead = <no type information>
                                         
This is the same value as we obtained earlier. Let us look at the _LIST_ENTRY again.
>>>dt _LIST_ENTRY fffff800`01979e20
ntdll!_LIST_ENTRY
 [ 0xfffffa80`00c36978 - 0xfffffa80`014db3e8 ]
   +0x000 Flink            : 0xfffffa80`00c36978 _LIST_ENTRY [ 0xfffffa80`0234a3d8 - 0xfffff800`01979e20 ]
   +0x008 Blink            : 0xfffffa80`014db3e8 _LIST_ENTRY [ 0xfffff800`01979e20 - 0xfffffa80`0122d4a8 ]
Now let us use the Flink value to traverse the list, noting that we must subtract the offset (0x0e8) from it to get to the beginning of the next _EPROCESS structure. We will request the ImageFileName and the ActiveProcessLinks fields of the next process as arguments.
>>>dt nt!_EPROCESS 0xfffffa80`00c36978-0x0e8 -y ActiveProcessLinks.Flink -y ActiveProcessLinks.Blink -y ImageFileName
   +0x0e8 ActiveProcessLinks       :  [ 0xfffffa80`0234a3d8 - 0xfffff800`01979e20 ]
      +0x000 Flink                    : 0xfffffa80`0234a3d8 _LIST_ENTRY [ 0xfffffa80`023f2cf8 - 0xfffffa80`00c36978 ]
      +0x008 Blink                    : 0xfffff800`01979e20 _LIST_ENTRY [ 0xfffffa80`00c36978 - 0xfffffa80`014db3e8 ]
   +0x238 ImageFileName            : [16]  "System"
                                              
From the above, it is clear that the first process is "System". We can also see that the next process, as revealed by ActiveProcessLinks.Flink, is at the address 0xfffffa80`0234a3d8. Repeating the same process (passing the Flink of the System process as argument) will reveal the next process in the system.
>>>dt nt!_EPROCESS 0xfffffa80`0234a3d8-0x0e8 -y ActiveProcessLinks.Flink -y ActiveProcessLinks.Blink -y ImageFileName
   +0x0e8 ActiveProcessLinks       :  [ 0xfffffa80`023f2cf8 - 0xfffffa80`00c36978 ]
      +0x000 Flink                    : 0xfffffa80`023f2cf8 _LIST_ENTRY [ 0xfffffa80`024318f8 - 0xfffffa80`0234a3d8 ]
      +0x008 Blink                    : 0xfffffa80`00c36978 _LIST_ENTRY [ 0xfffffa80`0234a3d8 - 0xfffff800`01979e20 ]
   +0x238 ImageFileName            : [16]  "smss.exe"
                                                
Repeating the same process will reveal the next process in the system:
>>>dt nt!_EPROCESS 0xfffffa80`023f2cf8-0x0e8 -y ActiveProcessLinks.Flink -y ActiveProcessLinks.Blink -y ImageFileName
   +0x0e8 ActiveProcessLinks       :  [ 0xfffffa80`024318f8 - 0xfffffa80`0234a3d8 ]
      +0x000 Flink                    : 0xfffffa80`024318f8 _LIST_ENTRY [ 0xfffffa80`02439cf8 - 0xfffffa80`023f2cf8 ]
      +0x008 Blink                    : 0xfffffa80`0234a3d8 _LIST_ENTRY [ 0xfffffa80`023f2cf8 - 0xfffffa80`00c36978 ]
   +0x238 ImageFileName            : [16]  "csrss.exe"
                                                  
We can verify this ordering by once again looking at the output of the !process command:
>>>!process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS fffffa8000c36890
    SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 00124000  ObjectTable: fffff88000002010  HandleCount: 366.
    Image: System
PROCESS fffffa800234a2f0
    SessionId: none  Cid: 0160    Peb: 7fffffd6000  ParentCid: 0004
    DirBase: 2a28d000  ObjectTable: fffff8800012bf00  HandleCount:  28.
    Image: smss.exe
PROCESS fffffa80023f2c10
    SessionId: 0  Cid: 01a4    Peb: 7fffffdf000  ParentCid: 0198
    DirBase: 24552000  ObjectTable: fffff880014b9fa0  HandleCount: 471.
    Image: csrss.exe
PROCESS fffffa8002431810
    SessionId: 0  Cid: 01c8    Peb: 7fffffdb000  ParentCid: 0198
    DirBase: 239d9000  ObjectTable: fffff8800157a500  HandleCount:  96.
    Image: wininit.exe
PROCESS fffffa8002439c10
    SessionId: 1  Cid: 01dc    Peb: 7fffffda000  ParentCid: 01d0
    DirBase: 23af2000  ObjectTable: fffff8800156e430  HandleCount: 470.
    Image: csrss.exe
PROCESS fffffa8002477c10
    SessionId: 0  Cid: 0200    Peb: 7fffffdf000  ParentCid: 01c8
    DirBase: 22873000  ObjectTable: fffff880015a64d0  HandleCount: 235.
    Image: services.exe
PROCESS fffffa80024896b0
    SessionId: 0  Cid: 020c    Peb: 7fffffdd000  ParentCid: 01c8
    DirBase: 22766000  ObjectTable: fffff880015c2190  HandleCount: 522.
    Image: lsass.exe
PROCESS fffffa8002497b10
    SessionId: 0  Cid: 0218    Peb: 7fffffdc000  ParentCid: 01c8
    DirBase: 228ee000  ObjectTable: fffff880015c04e0  HandleCount: 201.
    Image: lsm.exe
PROCESS fffffa80024c7870
    SessionId: 1  Cid: 0240    Peb: 7fffffde000  ParentCid: 01d0
    DirBase: 21fb9000  ObjectTable: fffff88001548d90  HandleCount: 124.
    Image: winlogon.exe
From the above output, everything we have done so far appears to be accurate and fits together nicely. Let us now look at the "csrss.exe" process and see what its Blink points to:
>>>dt nt!_EPROCESS 0xfffffa80`0234a3d8-0x0e8 -y ActiveProcessLinks.Flink -y ActiveProcessLinks.Blink -y ImageFileName
   +0x0e8 ActiveProcessLinks       :  [ 0xfffffa80`023f2cf8 - 0xfffffa80`00c36978 ]
      +0x000 Flink                    : 0xfffffa80`023f2cf8 _LIST_ENTRY [ 0xfffffa80`024318f8 - 0xfffffa80`0234a3d8 ]
      +0x008 Blink                    : 0xfffffa80`00c36978 _LIST_ENTRY [ 0xfffffa80`0234a3d8 - 0xfffff800`01979e20 ]
   +0x238 ImageFileName            : [16]  "smss.exe"
Repeating the same for the smss.exe process, let us see what its Blink points to:
>>>dt nt!_EPROCESS 0xfffffa80`00c36978-0x0e8 -y ActiveProcessLinks.Flink -y ActiveProcessLinks.Blink -y ImageFileName
   +0x0e8 ActiveProcessLinks       :  [ 0xfffffa80`0234a3d8 - 0xfffff800`01979e20 ]
      +0x000 Flink                    : 0xfffffa80`0234a3d8 _LIST_ENTRY [ 0xfffffa80`023f2cf8 - 0xfffffa80`00c36978 ]
      +0x008 Blink                    : 0xfffff800`01979e20 _LIST_ENTRY [ 0xfffffa80`00c36978 - 0xfffffa80`014db3e8 ]
   +0x238 ImageFileName            : [16]  "System"
From the above analysis, we can make two deductions:
- The ActiveProcessLinks list reveals all the processes running in the system.
- The Flink and Blink point to the next process and the previous process in the _EPROCESS list respectively.
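As an added example (not code from the original post), here is the same walk in Python over a constructed in-memory image, using the offsets shown above (ActiveProcessLinks at +0x0e8, UniqueProcessId at +0x0e0, ImageFileName at +0x238). It subtracts 0x0e8 from each Flink value to reach the _EPROCESS base, walks the list in both directions from PsActiveProcessHead, and repeats the Blink check done by hand above for every node. The single flat buffer, the 0x1000-byte slot per process, the sample process list and the helper names are assumptions for this example.

```python
import struct

# Field offsets from the dt nt!_EPROCESS output above (x64 layout shown on this page).
OFF_UNIQUE_PID, OFF_ACTIVE_LINKS, OFF_IMAGE_NAME = 0x0E0, 0x0E8, 0x238
# Assumed layout of the constructed image: PsActiveProcessHead (a bare _LIST_ENTRY)
# at IMAGE_BASE, followed by one 0x1000-byte slot per _EPROCESS.
IMAGE_BASE = 0xFFFFF80001979E20     # address shown by "x nt!PsActiveProcessHead" above
PS_ACTIVE_PROCESS_HEAD = IMAGE_BASE
SLOT = 0x1000

def read_u64(img, va):
    """Little-endian 8-byte read at virtual address va; img is (base, bytearray)."""
    return struct.unpack_from("<Q", img[1], va - img[0])[0]

def write_u64(img, va, value):
    struct.pack_into("<Q", img[1], va - img[0], value)

def build_constructed_image(processes):
    """Lay out one constructed _EPROCESS per (pid, name) and chain their
    ActiveProcessLinks into a circular doubly linked list hanging off the head."""
    base = IMAGE_BASE
    img = (base, bytearray(SLOT * (len(processes) + 1)))
    nodes = [PS_ACTIVE_PROCESS_HEAD]
    for i, (pid, name) in enumerate(processes):
        eproc = base + SLOT * (i + 1)
        write_u64(img, eproc + OFF_UNIQUE_PID, pid)
        off = eproc + OFF_IMAGE_NAME - base
        img[1][off:off + 16] = name.encode().ljust(16, b"\0")[:16]
        nodes.append(eproc + OFF_ACTIVE_LINKS)
    for i, node in enumerate(nodes):          # Flink at +0x000, Blink at +0x008
        write_u64(img, node, nodes[(i + 1) % len(nodes)])
        write_u64(img, node + 8, nodes[(i - 1) % len(nodes)])
    return img

def walk_active_process_links(img, head=PS_ACTIVE_PROCESS_HEAD, forward=True):
    """Follow Flink (or Blink) from the head until the list wraps back to it. Each
    node is an ActiveProcessLinks field, so node - 0x0e8 is the _EPROCESS base."""
    link, base = (0 if forward else 8), img[0]
    seen, out = set(), []
    node = read_u64(img, head + link)
    while node != head and node not in seen:
        seen.add(node)
        eproc = node - OFF_ACTIVE_LINKS          # CONTAINING_RECORD by hand
        off = eproc + OFF_IMAGE_NAME - base
        name = bytes(img[1][off:off + 16]).split(b"\0", 1)[0].decode()
        out.append((read_u64(img, eproc + OFF_UNIQUE_PID), name))
        node = read_u64(img, node + link)
    return out

def check_link_consistency(img, head=PS_ACTIVE_PROCESS_HEAD):
    """The Blink check done by hand above, for every node: the Flink target's Blink
    must point back at the node. Returns the node addresses where it does not."""
    bad, seen, node = [], set(), head
    while node not in seen:
        seen.add(node)
        nxt = read_u64(img, node)
        if read_u64(img, nxt + 8) != node:
            bad.append(node)
        node = nxt
    return bad

# Constructed sample: the first three processes of the !process 0 0 output above.
SAMPLE = [(4, "System"), (0x160, "smss.exe"), (0x1A4, "csrss.exe")]
```

Walking forward and backward and comparing the two results is the cheap integrity check for a list whose Flink and Blink no longer agree.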