上一篇写自我保护时用到了,主要是不同版本的位置不同。找了一下,发现XP和win7的情况分别如下。
WIN7
lkd> dt nt!_EPROCESS
+0x000 Pcb : _KPROCESS
+0x098 ProcessLock : _EX_PUSH_LOCK
+0x0a0 CreateTime : _LARGE_INTEGER
+0x0a8 ExitTime : _LARGE_INTEGER
+0x0b0 RundownProtect : _EX_RUNDOWN_REF
+0x0b4 UniqueProcessId : Ptr32 Void
+0x0b8 ActiveProcessLinks : _LIST_ENTRY
+0x0c0 ProcessQuotaUsage : [] Uint4B
+0x0c8 ProcessQuotaPeak : [] Uint4B
+0x0d0 CommitCharge : Uint4B
+0x0d4 QuotaBlock : Ptr32 _EPROCESS_QUOTA_BLOCK
+0x0d8 CpuQuotaBlock : Ptr32 _PS_CPU_QUOTA_BLOCK
+0x0dc PeakVirtualSize : Uint4B
+0x0e0 VirtualSize : Uint4B
+0x0e4 SessionProcessLinks : _LIST_ENTRY
+0x0ec DebugPort : Ptr32 Void
+0x0f0 ExceptionPortData : Ptr32 Void
+0x0f0 ExceptionPortValue : Uint4B
+0x0f0 ExceptionPortState : Pos , Bits
+0x0f4 ObjectTable : Ptr32 _HANDLE_TABLE
+0x0f8 Token : _EX_FAST_REF
+0x0fc WorkingSetPage : Uint4B
+0x100 AddressCreationLock : _EX_PUSH_LOCK
+0x104 RotateInProgress : Ptr32 _ETHREAD
+0x108 ForkInProgress : Ptr32 _ETHREAD
+0x10c HardwareTrigger : Uint4B
+0x110 PhysicalVadRoot : Ptr32 _MM_AVL_TABLE
+0x114 CloneRoot : Ptr32 Void
+0x118 NumberOfPrivatePages : Uint4B
+0x11c NumberOfLockedPages : Uint4B
+0x120 Win32Process : Ptr32 Void
+0x124 Job : Ptr32 _EJOB
+0x128 SectionObject : Ptr32 Void
+0x12c SectionBaseAddress : Ptr32 Void
+0x130 Cookie : Uint4B
+0x134 Spare8 : Uint4B
+0x138 WorkingSetWatch : Ptr32 _PAGEFAULT_HISTORY
+0x13c Win32WindowStation : Ptr32 Void
+0x140 InheritedFromUniqueProcessId : Ptr32 Void
+0x144 LdtInformation : Ptr32 Void
+0x148 VdmObjects : Ptr32 Void
+0x14c ConsoleHostProcess : Uint4B
+0x150 DeviceMap : Ptr32 Void
+0x154 EtwDataSource : Ptr32 Void
+0x158 FreeTebHint : Ptr32 Void
+0x160 PageDirectoryPte : _HARDWARE_PTE
+0x160 Filler : Uint8B
+0x168 Session : Ptr32 Void
+0x16c ImageFileName : [] UChar
+0x17b PriorityClass : UChar
+0x17c JobLinks : _LIST_ENTRY
+0x184 LockedPagesList : Ptr32 Void
+0x188 ThreadListHead : _LIST_ENTRY
+0x190 SecurityPort : Ptr32 Void
+0x194 PaeTop : Ptr32 Void
+0x198 ActiveThreads : Uint4B
+0x19c ImagePathHash : Uint4B
+0x1a0 DefaultHardErrorProcessing : Uint4B
+0x1a4 LastThreadExitStatus : Int4B
+0x1a8 Peb : Ptr32 _PEB
+0x1ac PrefetchTrace : _EX_FAST_REF
+0x1b0 ReadOperationCount : _LARGE_INTEGER
+0x1b8 WriteOperationCount : _LARGE_INTEGER
+0x1c0 OtherOperationCount : _LARGE_INTEGER
+0x1c8 ReadTransferCount : _LARGE_INTEGER
+0x1d0 WriteTransferCount : _LARGE_INTEGER
+0x1d8 OtherTransferCount : _LARGE_INTEGER
+0x1e0 CommitChargeLimit : Uint4B
+0x1e4 CommitChargePeak : Uint4B
+0x1e8 AweInfo : Ptr32 Void
+0x1ec SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO
+0x1f0 Vm : _MMSUPPORT
+0x25c MmProcessLinks : _LIST_ENTRY
+0x264 HighestUserAddress : Ptr32 Void
+0x268 ModifiedPageCount : Uint4B
+0x26c Flags2 : Uint4B
+0x26c JobNotReallyActive : Pos , Bit
+0x26c AccountingFolded : Pos , Bit
+0x26c NewProcessReported : Pos , Bit
+0x26c ExitProcessReported : Pos , Bit
+0x26c ReportCommitChanges : Pos , Bit
+0x26c LastReportMemory : Pos , Bit
+0x26c ReportPhysicalPageChanges : Pos , Bit
+0x26c HandleTableRundown : Pos , Bit
+0x26c NeedsHandleRundown : Pos , Bit
+0x26c RefTraceEnabled : Pos , Bit
+0x26c NumaAware : Pos , Bit
+0x26c ProtectedProcess : Pos , Bit
+0x26c DefaultPagePriority : Pos , Bits
+0x26c PrimaryTokenFrozen : Pos , Bit
+0x26c ProcessVerifierTarget : Pos , Bit
+0x26c StackRandomizationDisabled : Pos , Bit
+0x26c AffinityPermanent : Pos , Bit
+0x26c AffinityUpdateEnable : Pos , Bit
+0x26c PropagateNode : Pos , Bit
+0x26c ExplicitAffinity : Pos , Bit
+0x270 Flags : Uint4B
+0x270 CreateReported : Pos , Bit
+0x270 NoDebugInherit : Pos , Bit
+0x270 ProcessExiting : Pos , Bit
+0x270 ProcessDelete : Pos , Bit
+0x270 Wow64SplitPages : Pos , Bit
+0x270 VmDeleted : Pos , Bit
+0x270 OutswapEnabled : Pos , Bit
+0x270 Outswapped : Pos , Bit
+0x270 ForkFailed : Pos , Bit
+0x270 Wow64VaSpace4Gb : Pos , Bit
+0x270 AddressSpaceInitialized : Pos , Bits
+0x270 SetTimerResolution : Pos , Bit
+0x270 BreakOnTermination : Pos , Bit
+0x270 DeprioritizeViews : Pos , Bit
+0x270 WriteWatch : Pos , Bit
+0x270 ProcessInSession : Pos , Bit
+0x270 OverrideAddressSpace : Pos , Bit
+0x270 HasAddressSpace : Pos , Bit
+0x270 LaunchPrefetched : Pos , Bit
+0x270 InjectInpageErrors : Pos , Bit
+0x270 VmTopDown : Pos , Bit
+0x270 ImageNotifyDone : Pos , Bit
+0x270 PdeUpdateNeeded : Pos , Bit
+0x270 VdmAllowed : Pos , Bit
+0x270 CrossSessionCreate : Pos , Bit
+0x270 ProcessInserted : Pos , Bit
+0x270 DefaultIoPriority : Pos , Bits
+0x270 ProcessSelfDelete : Pos , Bit
+0x270 SetTimerResolutionLink : Pos , Bit
+0x274 ExitStatus : Int4B
+0x278 VadRoot : _MM_AVL_TABLE
+0x298 AlpcContext : _ALPC_PROCESS_CONTEXT
+0x2a8 TimerResolutionLink : _LIST_ENTRY
+0x2b0 RequestedTimerResolution : Uint4B
+0x2b4 ActiveThreadsHighWatermark : Uint4B
+0x2b8 SmallestTimerResolution : Uint4B
+0x2bc TimerResolutionStackRecord : Ptr32 _PO_DIAG_STACK_RECORD
WIN XP SP3
kd> dt -r1 _Eprocess
nt!_EPROCESS
+0x000 Pcb : _KPROCESS
+0x000 Header : _DISPATCHER_HEADER
+0x010 ProfileListHead : _LIST_ENTRY
+0x018 DirectoryTableBase : [] Uint4B
+0x020 LdtDescriptor : _KGDTENTRY
+0x028 Int21Descriptor : _KIDTENTRY
+0x030 IopmOffset : Uint2B
+0x032 Iopl : UChar
+0x033 Unused : UChar
+0x034 ActiveProcessors : Uint4B
+0x038 KernelTime : Uint4B
+0x03c UserTime : Uint4B
+0x040 ReadyListHead : _LIST_ENTRY
+0x048 SwapListEntry : _SINGLE_LIST_ENTRY
+0x04c VdmTrapcHandler : Ptr32 Void
+0x050 ThreadListHead : _LIST_ENTRY
+0x058 ProcessLock : Uint4B
+0x05c Affinity : Uint4B
+0x060 StackCount : Uint2B
+0x062 BasePriority : Char
+0x063 ThreadQuantum : Char
+0x064 AutoAlignment : UChar
+0x065 State : UChar
+0x066 ThreadSeed : UChar
+0x067 DisableBoost : UChar
+0x068 PowerState : UChar
+0x069 DisableQuantum : UChar
+0x06a IdealNode : UChar
+0x06b Flags : _KEXECUTE_OPTIONS
+0x06b ExecuteOptions : UChar
+0x06c ProcessLock : _EX_PUSH_LOCK
+0x000 Waiting : Pos , Bit
+0x000 Exclusive : Pos , Bit
+0x000 Shared : Pos , Bits
+0x000 Value : Uint4B
+0x000 Ptr : Ptr32 Void
+0x070 CreateTime : _LARGE_INTEGER
+0x000 LowPart : Uint4B
+0x004 HighPart : Int4B
+0x000 u : __unnamed
+0x000 QuadPart : Int8B
+0x078 ExitTime : _LARGE_INTEGER
+0x000 LowPart : Uint4B
+0x004 HighPart : Int4B
+0x000 u : __unnamed
+0x000 QuadPart : Int8B
+0x080 RundownProtect : _EX_RUNDOWN_REF
+0x000 Count : Uint4B
+0x000 Ptr : Ptr32 Void
+0x084 UniqueProcessId : Ptr32 Void
+0x088 ActiveProcessLinks : _LIST_ENTRY
+0x000 Flink : Ptr32 _LIST_ENTRY
+0x004 Blink : Ptr32 _LIST_ENTRY
+0x090 QuotaUsage : [] Uint4B
+0x09c QuotaPeak : [] Uint4B
+0x0a8 CommitCharge : Uint4B
+0x0ac PeakVirtualSize : Uint4B
+0x0b0 VirtualSize : Uint4B
+0x0b4 SessionProcessLinks : _LIST_ENTRY
+0x000 Flink : Ptr32 _LIST_ENTRY
+0x004 Blink : Ptr32 _LIST_ENTRY
+0x0bc DebugPort : Ptr32 Void
+0x0c0 ExceptionPort : Ptr32 Void
+0x0c4 ObjectTable : Ptr32 _HANDLE_TABLE
+0x000 TableCode : Uint4B
+0x004 QuotaProcess : Ptr32 _EPROCESS
+0x008 UniqueProcessId : Ptr32 Void
+0x00c HandleTableLock : [] _EX_PUSH_LOCK
+0x01c HandleTableList : _LIST_ENTRY
+0x024 HandleContentionEvent : _EX_PUSH_LOCK
+0x028 DebugInfo : Ptr32 _HANDLE_TRACE_DEBUG_INFO
+0x02c ExtraInfoPages : Int4B
+0x030 FirstFree : Uint4B
+0x034 LastFree : Uint4B
+0x038 NextHandleNeedingPool : Uint4B
+0x03c HandleCount : Int4B
+0x040 Flags : Uint4B
+0x040 StrictFIFO : Pos , Bit
+0x0c8 Token : _EX_FAST_REF
+0x000 Object : Ptr32 Void
+0x000 RefCnt : Pos , Bits
+0x000 Value : Uint4B
+0x0cc WorkingSetLock : _FAST_MUTEX
+0x000 Count : Int4B
+0x004 Owner : Ptr32 _KTHREAD
+0x008 Contention : Uint4B
+0x00c Event : _KEVENT
+0x01c OldIrql : Uint4B
+0x0ec WorkingSetPage : Uint4B
+0x0f0 AddressCreationLock : _FAST_MUTEX
+0x000 Count : Int4B
+0x004 Owner : Ptr32 _KTHREAD
+0x008 Contention : Uint4B
+0x00c Event : _KEVENT
+0x01c OldIrql : Uint4B
+0x110 HyperSpaceLock : Uint4B
+0x114 ForkInProgress : Ptr32 _ETHREAD
+0x000 Tcb : _KTHREAD
+0x1c0 CreateTime : _LARGE_INTEGER
+0x1c0 NestedFaultCount : Pos , Bits
+0x1c0 ApcNeeded : Pos , Bit
+0x1c8 ExitTime : _LARGE_INTEGER
+0x1c8 LpcReplyChain : _LIST_ENTRY
+0x1c8 KeyedWaitChain : _LIST_ENTRY
+0x1d0 ExitStatus : Int4B
+0x1d0 OfsChain : Ptr32 Void
+0x1d4 PostBlockList : _LIST_ENTRY
+0x1dc TerminationPort : Ptr32 _TERMINATION_PORT
+0x1dc ReaperLink : Ptr32 _ETHREAD
+0x1dc KeyedWaitValue : Ptr32 Void
+0x1e0 ActiveTimerListLock : Uint4B
+0x1e4 ActiveTimerListHead : _LIST_ENTRY
+0x1ec Cid : _CLIENT_ID
+0x1f4 LpcReplySemaphore : _KSEMAPHORE
+0x1f4 KeyedWaitSemaphore : _KSEMAPHORE
+0x208 LpcReplyMessage : Ptr32 Void
+0x208 LpcWaitingOnPort : Ptr32 Void
+0x20c ImpersonationInfo : Ptr32 _PS_IMPERSONATION_INFORMATION
+0x210 IrpList : _LIST_ENTRY
+0x218 TopLevelIrp : Uint4B
+0x21c DeviceToVerify : Ptr32 _DEVICE_OBJECT
+0x220 ThreadsProcess : Ptr32 _EPROCESS
+0x224 StartAddress : Ptr32 Void
+0x228 Win32StartAddress : Ptr32 Void
+0x228 LpcReceivedMessageId : Uint4B
+0x22c ThreadListEntry : _LIST_ENTRY
+0x234 RundownProtect : _EX_RUNDOWN_REF
+0x238 ThreadLock : _EX_PUSH_LOCK
+0x23c LpcReplyMessageId : Uint4B
+0x240 ReadClusterSize : Uint4B
+0x244 GrantedAccess : Uint4B
+0x248 CrossThreadFlags : Uint4B
+0x248 Terminated : Pos , Bit
+0x248 DeadThread : Pos , Bit
+0x248 HideFromDebugger : Pos , Bit
+0x248 ActiveImpersonationInfo : Pos , Bit
+0x248 SystemThread : Pos , Bit
+0x248 HardErrorsAreDisabled : Pos , Bit
+0x248 BreakOnTermination : Pos , Bit
+0x248 SkipCreationMsg : Pos , Bit
+0x248 SkipTerminationMsg : Pos , Bit
+0x24c SameThreadPassiveFlags : Uint4B
+0x24c ActiveExWorker : Pos , Bit
+0x24c ExWorkerCanWaitUser : Pos , Bit
+0x24c MemoryMaker : Pos , Bit
+0x250 SameThreadApcFlags : Uint4B
+0x250 LpcReceivedMsgIdValid : Pos , Bit
+0x250 LpcExitThreadCalled : Pos , Bit
+0x250 AddressSpaceOwner : Pos , Bit
+0x254 ForwardClusterOnly : UChar
+0x255 DisablePageFaultClustering : UChar
+0x118 HardwareTrigger : Uint4B
+0x11c VadRoot : Ptr32 Void
+0x120 VadHint : Ptr32 Void
+0x124 CloneRoot : Ptr32 Void
+0x128 NumberOfPrivatePages : Uint4B
+0x12c NumberOfLockedPages : Uint4B
+0x130 Win32Process : Ptr32 Void
+0x134 Job : Ptr32 _EJOB
+0x000 Event : _KEVENT
+0x010 JobLinks : _LIST_ENTRY
+0x018 ProcessListHead : _LIST_ENTRY
+0x020 JobLock : _ERESOURCE
+0x058 TotalUserTime : _LARGE_INTEGER
+0x060 TotalKernelTime : _LARGE_INTEGER
+0x068 ThisPeriodTotalUserTime : _LARGE_INTEGER
+0x070 ThisPeriodTotalKernelTime : _LARGE_INTEGER
+0x078 TotalPageFaultCount : Uint4B
+0x07c TotalProcesses : Uint4B
+0x080 ActiveProcesses : Uint4B
+0x084 TotalTerminatedProcesses : Uint4B
+0x088 PerProcessUserTimeLimit : _LARGE_INTEGER
+0x090 PerJobUserTimeLimit : _LARGE_INTEGER
+0x098 LimitFlags : Uint4B
+0x09c MinimumWorkingSetSize : Uint4B
+0x0a0 MaximumWorkingSetSize : Uint4B
+0x0a4 ActiveProcessLimit : Uint4B
+0x0a8 Affinity : Uint4B
+0x0ac PriorityClass : UChar
+0x0b0 UIRestrictionsClass : Uint4B
+0x0b4 SecurityLimitFlags : Uint4B
+0x0b8 Token : Ptr32 Void
+0x0bc Filter : Ptr32 _PS_JOB_TOKEN_FILTER
+0x0c0 EndOfJobTimeAction : Uint4B
+0x0c4 CompletionPort : Ptr32 Void
+0x0c8 CompletionKey : Ptr32 Void
+0x0cc SessionId : Uint4B
+0x0d0 SchedulingClass : Uint4B
+0x0d8 ReadOperationCount : Uint8B
+0x0e0 WriteOperationCount : Uint8B
+0x0e8 OtherOperationCount : Uint8B
+0x0f0 ReadTransferCount : Uint8B
+0x0f8 WriteTransferCount : Uint8B
+0x100 OtherTransferCount : Uint8B
+0x108 IoInfo : _IO_COUNTERS
+0x138 ProcessMemoryLimit : Uint4B
+0x13c JobMemoryLimit : Uint4B
+0x140 PeakProcessMemoryUsed : Uint4B
+0x144 PeakJobMemoryUsed : Uint4B
+0x148 CurrentJobMemoryUsed : Uint4B
+0x14c MemoryLimitsLock : _FAST_MUTEX
+0x16c JobSetLinks : _LIST_ENTRY
+0x174 MemberLevel : Uint4B
+0x178 JobFlags : Uint4B
+0x138 SectionObject : Ptr32 Void
+0x13c SectionBaseAddress : Ptr32 Void
+0x140 QuotaBlock : Ptr32 _EPROCESS_QUOTA_BLOCK
+0x000 QuotaEntry : [] _EPROCESS_QUOTA_ENTRY
+0x030 QuotaList : _LIST_ENTRY
+0x038 ReferenceCount : Uint4B
+0x03c ProcessCount : Uint4B
+0x144 WorkingSetWatch : Ptr32 _PAGEFAULT_HISTORY
+0x000 CurrentIndex : Uint4B
+0x004 MaxIndex : Uint4B
+0x008 SpinLock : Uint4B
+0x00c Reserved : Ptr32 Void
+0x010 WatchInfo : [] _PROCESS_WS_WATCH_INFORMATION
+0x148 Win32WindowStation : Ptr32 Void
+0x14c InheritedFromUniqueProcessId : Ptr32 Void
+0x150 LdtInformation : Ptr32 Void
+0x154 VadFreeHint : Ptr32 Void
+0x158 VdmObjects : Ptr32 Void
+0x15c DeviceMap : Ptr32 Void
+0x160 PhysicalVadList : _LIST_ENTRY
+0x000 Flink : Ptr32 _LIST_ENTRY
+0x004 Blink : Ptr32 _LIST_ENTRY
+0x168 PageDirectoryPte : _HARDWARE_PTE
+0x000 Valid : Pos , Bit
+0x000 Write : Pos , Bit
+0x000 Owner : Pos , Bit
+0x000 WriteThrough : Pos , Bit
+0x000 CacheDisable : Pos , Bit
+0x000 Accessed : Pos , Bit
+0x000 Dirty : Pos , Bit
+0x000 LargePage : Pos , Bit
+0x000 Global : Pos , Bit
+0x000 CopyOnWrite : Pos , Bit
+0x000 Prototype : Pos , Bit
+0x000 reserved : Pos , Bit
+0x000 PageFrameNumber : Pos , Bits
+0x168 Filler : Uint8B
+0x170 Session : Ptr32 Void
+0x174 ImageFileName : [] UChar
+0x184 JobLinks : _LIST_ENTRY
+0x000 Flink : Ptr32 _LIST_ENTRY
+0x004 Blink : Ptr32 _LIST_ENTRY
+0x18c LockedPagesList : Ptr32 Void
+0x190 ThreadListHead : _LIST_ENTRY
+0x000 Flink : Ptr32 _LIST_ENTRY
+0x004 Blink : Ptr32 _LIST_ENTRY
+0x198 SecurityPort : Ptr32 Void
+0x19c PaeTop : Ptr32 Void
+0x1a0 ActiveThreads : Uint4B
+0x1a4 GrantedAccess : Uint4B
+0x1a8 DefaultHardErrorProcessing : Uint4B
+0x1ac LastThreadExitStatus : Int4B
+0x1b0 Peb : Ptr32 _PEB
+0x000 InheritedAddressSpace : UChar
+0x001 ReadImageFileExecOptions : UChar
+0x002 BeingDebugged : UChar
+0x003 SpareBool : UChar
+0x004 Mutant : Ptr32 Void
+0x008 ImageBaseAddress : Ptr32 Void
+0x00c Ldr : Ptr32 _PEB_LDR_DATA
+0x010 ProcessParameters : Ptr32 _RTL_USER_PROCESS_PARAMETERS
+0x014 SubSystemData : Ptr32 Void
+0x018 ProcessHeap : Ptr32 Void
+0x01c FastPebLock : Ptr32 _RTL_CRITICAL_SECTION
+0x020 FastPebLockRoutine : Ptr32 Void
+0x024 FastPebUnlockRoutine : Ptr32 Void
+0x028 EnvironmentUpdateCount : Uint4B
+0x02c KernelCallbackTable : Ptr32 Void
+0x030 SystemReserved : [] Uint4B
+0x034 AtlThunkSListPtr32 : Uint4B
+0x038 FreeList : Ptr32 _PEB_FREE_BLOCK
+0x03c TlsExpansionCounter : Uint4B
+0x040 TlsBitmap : Ptr32 Void
+0x044 TlsBitmapBits : [] Uint4B
+0x04c ReadOnlySharedMemoryBase : Ptr32 Void
+0x050 ReadOnlySharedMemoryHeap : Ptr32 Void
+0x054 ReadOnlyStaticServerData : Ptr32 Ptr32 Void
+0x058 AnsiCodePageData : Ptr32 Void
+0x05c OemCodePageData : Ptr32 Void
+0x060 UnicodeCaseTableData : Ptr32 Void
+0x064 NumberOfProcessors : Uint4B
+0x068 NtGlobalFlag : Uint4B
+0x070 CriticalSectionTimeout : _LARGE_INTEGER
+0x078 HeapSegmentReserve : Uint4B
+0x07c HeapSegmentCommit : Uint4B
+0x080 HeapDeCommitTotalFreeThreshold : Uint4B
+0x084 HeapDeCommitFreeBlockThreshold : Uint4B
+0x088 NumberOfHeaps : Uint4B
+0x08c MaximumNumberOfHeaps : Uint4B
+0x090 ProcessHeaps : Ptr32 Ptr32 Void
+0x094 GdiSharedHandleTable : Ptr32 Void
+0x098 ProcessStarterHelper : Ptr32 Void
+0x09c GdiDCAttributeList : Uint4B
+0x0a0 LoaderLock : Ptr32 Void
+0x0a4 OSMajorVersion : Uint4B
+0x0a8 OSMinorVersion : Uint4B
+0x0ac OSBuildNumber : Uint2B
+0x0ae OSCSDVersion : Uint2B
+0x0b0 OSPlatformId : Uint4B
+0x0b4 ImageSubsystem : Uint4B
+0x0b8 ImageSubsystemMajorVersion : Uint4B
+0x0bc ImageSubsystemMinorVersion : Uint4B
+0x0c0 ImageProcessAffinityMask : Uint4B
+0x0c4 GdiHandleBuffer : [] Uint4B
+0x14c PostProcessInitRoutine : Ptr32 void
+0x150 TlsExpansionBitmap : Ptr32 Void
+0x154 TlsExpansionBitmapBits : [] Uint4B
+0x1d4 SessionId : Uint4B
+0x1d8 AppCompatFlags : _ULARGE_INTEGER
+0x1e0 AppCompatFlagsUser : _ULARGE_INTEGER
+0x1e8 pShimData : Ptr32 Void
+0x1ec AppCompatInfo : Ptr32 Void
+0x1f0 CSDVersion : _UNICODE_STRING
+0x1f8 ActivationContextData : Ptr32 Void
+0x1fc ProcessAssemblyStorageMap : Ptr32 Void
+0x200 SystemDefaultActivationContextData : Ptr32 Void
+0x204 SystemAssemblyStorageMap : Ptr32 Void
+0x208 MinimumStackCommit : Uint4B
+0x1b4 PrefetchTrace : _EX_FAST_REF
+0x000 Object : Ptr32 Void
+0x000 RefCnt : Pos , Bits
+0x000 Value : Uint4B
+0x1b8 ReadOperationCount : _LARGE_INTEGER
+0x000 LowPart : Uint4B
+0x004 HighPart : Int4B
+0x000 u : __unnamed
+0x000 QuadPart : Int8B
+0x1c0 WriteOperationCount : _LARGE_INTEGER
+0x000 LowPart : Uint4B
+0x004 HighPart : Int4B
+0x000 u : __unnamed
+0x000 QuadPart : Int8B
+0x1c8 OtherOperationCount : _LARGE_INTEGER
+0x000 LowPart : Uint4B
+0x004 HighPart : Int4B
+0x000 u : __unnamed
+0x000 QuadPart : Int8B
+0x1d0 ReadTransferCount : _LARGE_INTEGER
+0x000 LowPart : Uint4B
+0x004 HighPart : Int4B
+0x000 u : __unnamed
+0x000 QuadPart : Int8B
+0x1d8 WriteTransferCount : _LARGE_INTEGER
+0x000 LowPart : Uint4B
+0x004 HighPart : Int4B
+0x000 u : __unnamed
+0x000 QuadPart : Int8B
+0x1e0 OtherTransferCount : _LARGE_INTEGER
+0x000 LowPart : Uint4B
+0x004 HighPart : Int4B
+0x000 u : __unnamed
+0x000 QuadPart : Int8B
+0x1e8 CommitChargeLimit : Uint4B
+0x1ec CommitChargePeak : Uint4B
+0x1f0 AweInfo : Ptr32 Void
+0x1f4 SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO
+0x000 ImageFileName : Ptr32 _OBJECT_NAME_INFORMATION
+0x1f8 Vm : _MMSUPPORT
+0x000 LastTrimTime : _LARGE_INTEGER
+0x008 Flags : _MMSUPPORT_FLAGS
+0x00c PageFaultCount : Uint4B
+0x010 PeakWorkingSetSize : Uint4B
+0x014 WorkingSetSize : Uint4B
+0x018 MinimumWorkingSetSize : Uint4B
+0x01c MaximumWorkingSetSize : Uint4B
+0x020 VmWorkingSetList : Ptr32 _MMWSL
+0x024 WorkingSetExpansionLinks : _LIST_ENTRY
+0x02c Claim : Uint4B
+0x030 NextEstimationSlot : Uint4B
+0x034 NextAgingSlot : Uint4B
+0x038 EstimatedAvailable : Uint4B
+0x03c GrowthSinceLastEstimate : Uint4B
+0x238 LastFaultCount : Uint4B
+0x23c ModifiedPageCount : Uint4B
+0x240 NumberOfVads : Uint4B
+0x244 JobStatus : Uint4B
+0x248 Flags : Uint4B
+0x248 CreateReported : Pos , Bit
+0x248 NoDebugInherit : Pos , Bit
+0x248 ProcessExiting : Pos , Bit
+0x248 ProcessDelete : Pos , Bit
+0x248 Wow64SplitPages : Pos , Bit
+0x248 VmDeleted : Pos , Bit
+0x248 OutswapEnabled : Pos , Bit
+0x248 Outswapped : Pos , Bit
+0x248 ForkFailed : Pos , Bit
+0x248 HasPhysicalVad : Pos , Bit
+0x248 AddressSpaceInitialized : Pos , Bits
+0x248 SetTimerResolution : Pos , Bit
+0x248 BreakOnTermination : Pos , Bit
+0x248 SessionCreationUnderway : Pos , Bit
+0x248 WriteWatch : Pos , Bit
+0x248 ProcessInSession : Pos , Bit
+0x248 OverrideAddressSpace : Pos , Bit
+0x248 HasAddressSpace : Pos , Bit
+0x248 LaunchPrefetched : Pos , Bit
+0x248 InjectInpageErrors : Pos , Bit
+0x248 VmTopDown : Pos , Bit
+0x248 Unused3 : Pos , Bit
+0x248 Unused4 : Pos , Bit
+0x248 VdmAllowed : Pos , Bit
+0x248 Unused : Pos , Bits
+0x248 Unused1 : Pos , Bit
+0x248 Unused2 : Pos , Bit
+0x24c ExitStatus : Int4B
+0x250 NextPageColor : Uint2B
+0x252 SubSystemMinorVersion : UChar
+0x253 SubSystemMajorVersion : UChar
+0x252 SubSystemVersion : Uint2B
+0x254 PriorityClass : UChar
+0x255 WorkingSetAcquiredUnsafe : UChar
+0x258 Cookie : Uint4B