/*
 * EPROCESS: declaration of the Windows kernel's per-process object, with the
 * pointer alias PEPROCESS.
 *
 * Every member type used here (KPROCESS, EX_FAST_REF, MMSUPPORT, HANDLE_TABLE,
 * ...) is declared elsewhere, so member sizes and offsets cannot be derived
 * from this declaration alone. Member order is the layout: do not reorder,
 * insert or drop fields.
 *
 * NOTE(review): the listing does not state which Windows build or architecture
 * it was taken from. The use of `unsigned __int64` next to pointer members
 * suggests a 64-bit build - confirm. This structure is not a stable interface;
 * tooling that reads it (debugger scripts, memory-forensics plugins, drivers)
 * should resolve offsets from the symbols of the exact build under analysis
 * rather than hard-coding offsets computed from this listing.
 *
 * The anonymous unions and structs below are a compiler extension (MSVC) or
 * C11 feature; `__int64` is an MSVC-specific type.
 */
typedef struct _EPROCESS {
    /*
     * Embedded by value as the first member, so a pointer to the EPROCESS and
     * a pointer to its Pcb refer to the same address.
     */
    KPROCESS Pcb;
    EX_PUSH_LOCK ProcessLock;
    LARGE_INTEGER CreateTime;
    LARGE_INTEGER ExitTime;
    EX_RUNDOWN_REF RundownProtect;
    /* Declared as void *, not as an integer type. */
    void *UniqueProcessId;
    /*
     * LIST_ENTRY embedded in the structure: a list walker lands on this
     * member, not on the start of the EPROCESS, and has to subtract the
     * member's offset to recover the containing object.
     * NOTE(review): by name this is the link into the system-wide process
     * list. The links are ordinary kernel-writable memory, so enumeration that
     * relies on this list alone should be cross-checked against an independent
     * source - confirm what your tooling does.
     */
    LIST_ENTRY ActiveProcessLinks;
    unsigned __int64 ProcessQuotaUsage[2];
    unsigned __int64 ProcessQuotaPeak[2];
    volatile unsigned __int64 CommitCharge;
    EPROCESS_QUOTA_BLOCK *QuotaBlock;
    PS_CPU_QUOTA_BLOCK *CpuQuotaBlock;
    unsigned __int64 PeakVirtualSize;
    unsigned __int64 VirtualSize;
    LIST_ENTRY SessionProcessLinks;
    void *DebugPort;
    /*
     * Three views of one storage location: a pointer, a 64-bit integer, and a
     * 3-bit field.
     * NOTE(review): with MSVC bit-field allocation the 3-bit ExceptionPortState
     * presumably occupies the low bits of ExceptionPortValue, in which case
     * ExceptionPortData is not a usable address until those bits are masked
     * off - confirm.
     */
    union {
        void *ExceptionPortData;
        unsigned __int64 ExceptionPortValue;
        unsigned __int64 ExceptionPortState : 3;
    };
    HANDLE_TABLE *ObjectTable;
    /*
     * NOTE(review): by name, the reference to the process's primary access
     * token. EX_FAST_REF is declared elsewhere; on Windows it is a
     * pointer-sized value whose low bits carry a cached reference count, so
     * the raw value presumably needs masking before it is used as an object
     * address - confirm against the EX_FAST_REF definition for this build.
     */
    EX_FAST_REF Token;
    unsigned __int64 WorkingSetPage;
    EX_PUSH_LOCK AddressCreationLock;
    ETHREAD *RotateInProgress;
    ETHREAD *ForkInProgress;
    unsigned __int64 HardwareTrigger;
    /* Pointer to an MM_AVL_TABLE; compare VadRoot below, which is embedded. */
    MM_AVL_TABLE *PhysicalVadRoot;
    void *CloneRoot;
    volatile unsigned __int64 NumberOfPrivatePages;
    volatile unsigned __int64 NumberOfLockedPages;
    void *Win32Process;
    EJOB *Job;
    void *SectionObject;
    void *SectionBaseAddress;
    unsigned long Cookie;
    unsigned long UmsScheduledThreads;
    PAGEFAULT_HISTORY *WorkingSetWatch;
    void *Win32WindowStation;
    /*
     * NOTE(review): by name, the creator's process ID captured at creation
     * time. It is stored as a value, not as a reference to the creator's
     * object, so it may name a process that has since exited or an ID that has
     * been reused - confirm before using it for parent/child attribution.
     */
    void *InheritedFromUniqueProcessId;
    void *LdtInformation;
    void *Spare;
    unsigned __int64 ConsoleHostProcess;
    void *DeviceMap;
    void *EtwDataSource;
    void *FreeTebHint;
    void *FreeUmsTebHint;
    /* Two views of one storage location; Filler is a 64-bit integer view. */
    union {
        HARDWARE_PTE PageDirectoryPte;
        unsigned __int64 Filler;
    };
    void *Session;
    /*
     * Fixed 15-byte buffer. Nothing in the type guarantees a terminating NUL,
     * so readers must bound copies and comparisons to sizeof(ImageFileName)
     * and must not run off into PriorityClass, which follows directly.
     * NOTE(review): longer image names presumably arrive truncated, so this
     * field should not be the sole basis for identifying a process - confirm.
     */
    unsigned char ImageFileName[15];
    unsigned char PriorityClass;
    LIST_ENTRY JobLinks;
    void *LockedPagesList;
    /* Embedded LIST_ENTRY; the same containing-record adjustment applies. */
    LIST_ENTRY ThreadListHead;
    void *SecurityPort;
    void *Wow64Process;
    volatile unsigned long ActiveThreads;
    unsigned long ImagePathHash;
    unsigned long DefaultHardErrorProcessing;
    long LastThreadExitStatus;
    PEB *Peb;
    /* Same EX_FAST_REF type as Token; the same masking caveat would apply. */
    EX_FAST_REF PrefetchTrace;
    /* Six LARGE_INTEGER counters: operation and transfer counts by name. */
    LARGE_INTEGER ReadOperationCount;
    LARGE_INTEGER WriteOperationCount;
    LARGE_INTEGER OtherOperationCount;
    LARGE_INTEGER ReadTransferCount;
    LARGE_INTEGER WriteTransferCount;
    LARGE_INTEGER OtherTransferCount;
    unsigned __int64 CommitChargeLimit;
    volatile unsigned __int64 CommitChargePeak;
    void *AweInfo;
    SE_AUDIT_PROCESS_CREATION_INFO SeAuditProcessCreationInfo;
    MMSUPPORT Vm;
    LIST_ENTRY MmProcessLinks;
    void *HighestUserAddress;
    unsigned long ModifiedPageCount;
    /*
     * Flags2 is the whole-word view; the anonymous struct names individual
     * bits of the same word. The declared widths add up to 26 bits, leaving
     * the rest of the unsigned long unnamed.
     * Bit positions follow the compiler's bit-field allocation order.
     * NOTE(review): MSVC allocates from the least significant bit upward -
     * confirm before building masks by hand, and prefer symbol-derived
     * positions.
     * NOTE(review): several bits look security-relevant by name
     * (ProtectedProcess, PrimaryTokenFrozen, StackRandomizationDisabled,
     * ForceRelocateImages, DisallowStrippedImages); their semantics are not
     * shown in this listing.
     */
    union {
        unsigned long Flags2;
        struct {
            unsigned long JobNotReallyActive : 1;
            unsigned long AccountingFolded : 1;
            unsigned long NewProcessReported : 1;
            unsigned long ExitProcessReported : 1;
            unsigned long ReportCommitChanges : 1;
            unsigned long LastReportMemory : 1;
            unsigned long ReportPhysicalPageChanges : 1;
            unsigned long HandleTableRundown : 1;
            unsigned long NeedsHandleRundown : 1;
            unsigned long RefTraceEnabled : 1;
            unsigned long NumaAware : 1;
            unsigned long ProtectedProcess : 1;
            /* 3-bit field, not a single flag. */
            unsigned long DefaultPagePriority : 3;
            unsigned long PrimaryTokenFrozen : 1;
            unsigned long ProcessVerifierTarget : 1;
            unsigned long StackRandomizationDisabled : 1;
            unsigned long AffinityPermanent : 1;
            unsigned long AffinityUpdateEnable : 1;
            unsigned long PropagateNode : 1;
            unsigned long ExplicitAffinity : 1;
            unsigned long Spare1 : 1;
            unsigned long ForceRelocateImages : 1;
            unsigned long DisallowStrippedImages : 1;
            unsigned long LowVaAccessible : 1;
        };
    };
    /*
     * Flags is the whole-word view; the anonymous struct names individual
     * bits of the same word. The declared widths add up to 32 bits. The same
     * bit-ordering caveat as for Flags2 applies.
     */
    union {
        unsigned long Flags;
        struct {
            unsigned long CreateReported : 1;
            unsigned long NoDebugInherit : 1;
            unsigned long ProcessExiting : 1;
            unsigned long ProcessDelete : 1;
            unsigned long Wow64SplitPages : 1;
            unsigned long VmDeleted : 1;
            unsigned long OutswapEnabled : 1;
            unsigned long Outswapped : 1;
            unsigned long ForkFailed : 1;
            unsigned long Wow64VaSpace4Gb : 1;
            /* 2-bit field, not a single flag. */
            unsigned long AddressSpaceInitialized : 2;
            unsigned long SetTimerResolution : 1;
            unsigned long BreakOnTermination : 1;
            unsigned long DeprioritizeViews : 1;
            unsigned long WriteWatch : 1;
            unsigned long ProcessInSession : 1;
            unsigned long OverrideAddressSpace : 1;
            unsigned long HasAddressSpace : 1;
            unsigned long LaunchPrefetched : 1;
            unsigned long InjectInpageErrors : 1;
            unsigned long VmTopDown : 1;
            unsigned long ImageNotifyDone : 1;
            unsigned long PdeUpdateNeeded : 1;
            unsigned long VdmAllowed : 1;
            unsigned long CrossSessionCreate : 1;
            unsigned long ProcessInserted : 1;
            /* 3-bit field, not a single flag. */
            unsigned long DefaultIoPriority : 3;
            unsigned long ProcessSelfDelete : 1;
            unsigned long SetTimerResolutionLink : 1;
        };
    };
    long ExitStatus;
    /* Embedded by value, unlike PhysicalVadRoot above, which is a pointer. */
    MM_AVL_TABLE VadRoot;
    ALPC_PROCESS_CONTEXT AlpcContext;
    LIST_ENTRY TimerResolutionLink;
    unsigned long RequestedTimerResolution;
    unsigned long ActiveThreadsHighWatermark;
    unsigned long SmallestTimerResolution;
    PO_DIAG_STACK_RECORD *TimerResolutionStackRecord;
} EPROCESS, *PEPROCESS;