Hi,
I examined Windows XP SP3, latest update, and found some differences
between its KPROCESS and our KPROCESS definition.
Specifically, in our KPROCESS we have the ProcessFlags union between
the two fields Affinity and BasePriority. This ProcessFlags field is
4 bytes in size.
But XP SP3's KPROCESS has no such ProcessFlags at that place. Instead,
it has a field named StackCount, only 2 bytes in size.
So I wonder why there is this difference. The answer might be that we
have not updated ketypes.h for a long time, and the latest update of
Windows changed some structures, so we have not caught up with them
yet.
1) Is that the correct understanding?
2) If so, will we update our structures to reflect the changes?
Below is the output from my Windows XP.
Thanks,
J
Windows XP Kernel Version 2600 (Service Pack 3) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 2600.xpsp_sp3_gdr.080814-1236
kd> dt -a -b -v _KPROCESS
ntdll!_KPROCESS
struct _KPROCESS, 29 elements, 0x6c bytes
+0x000 Header : struct _DISPATCHER_HEADER, 6 elements, 0x10 bytes
+0x000 Type : UChar
+0x001 Absolute : UChar
+0x002 Size : UChar
+0x003 Inserted : UChar
+0x004 SignalState : Int4B
+0x008 WaitListHead : struct _LIST_ENTRY, 2 elements, 0x8 bytes
+0x000 Flink : Ptr32 to
+0x004 Blink : Ptr32 to
+0x010 ProfileListHead : struct _LIST_ENTRY, 2 elements, 0x8 bytes
+0x000 Flink : Ptr32 to
+0x004 Blink : Ptr32 to
+0x018 DirectoryTableBase : (2 elements) Uint4B
+0x020 LdtDescriptor : struct _KGDTENTRY, 3 elements, 0x8 bytes
+0x000 LimitLow : Uint2B
+0x002 BaseLow : Uint2B
+0x004 HighWord : union __unnamed, 2 elements, 0x4 bytes
+0x000 Bytes : struct __unnamed, 4 elements, 0x4 bytes
+0x000 BaseMid : UChar
+0x001 Flags1 : UChar
+0x002 Flags2 : UChar
+0x003 BaseHi : UChar
+0x000 Bits : struct __unnamed, 10 elements, 0x4 bytes
+0x000 BaseMid : Bitfield Pos 0, 8 Bits
+0x000 Type : Bitfield Pos 8, 5 Bits
+0x000 Dpl : Bitfield Pos 13, 2 Bits
+0x000 Pres : Bitfield Pos 15, 1 Bit
+0x000 LimitHi : Bitfield Pos 16, 4 Bits
+0x000 Sys : Bitfield Pos 20, 1 Bit
+0x000 Reserved_0 : Bitfield Pos 21, 1 Bit
+0x000 Default_Big : Bitfield Pos 22, 1 Bit
+0x000 Granularity : Bitfield Pos 23, 1 Bit
+0x000 BaseHi : Bitfield Pos 24, 8 Bits
+0x028 Int21Descriptor : struct _KIDTENTRY, 4 elements, 0x8 bytes
+0x000 Offset : Uint2B
+0x002 Selector : Uint2B
+0x004 Access : Uint2B
+0x006 ExtendedOffset : Uint2B
+0x030 IopmOffset : Uint2B
+0x032 Iopl : UChar
+0x033 Unused : UChar
+0x034 ActiveProcessors : Uint4B
+0x038 KernelTime : Uint4B
+0x03c UserTime : Uint4B
+0x040 ReadyListHead : struct _LIST_ENTRY, 2 elements, 0x8 bytes
+0x000 Flink : Ptr32 to
+0x004 Blink : Ptr32 to
+0x048 SwapListEntry : struct _SINGLE_LIST_ENTRY, 1 elements, 0x4 bytes
+0x000 Next : Ptr32 to
+0x04c VdmTrapcHandler : Ptr32 to
+0x050 ThreadListHead : struct _LIST_ENTRY, 2 elements, 0x8 bytes
+0x000 Flink : Ptr32 to
+0x004 Blink : Ptr32 to
+0x058 ProcessLock : Uint4B
+0x05c Affinity : Uint4B
+0x060 StackCount : Uint2B
+0x062 BasePriority : Char
+0x063 ThreadQuantum : Char
+0x064 AutoAlignment : UChar
+0x065 State : UChar
+0x066 ThreadSeed : UChar
+0x067 DisableBoost : UChar
+0x068 PowerState : UChar
+0x069 DisableQuantum : UChar
+0x06a IdealNode : UChar
+0x06b Flags : struct _KEXECUTE_OPTIONS, 7 elements, 0x1 bytes
+0x000 ExecuteDisable : Bitfield Pos 0, 1 Bit
+0x000 ExecuteEnable : Bitfield Pos 1, 1 Bit
+0x000 DisableThunkEmulation : Bitfield Pos 2, 1 Bit
+0x000 Permanent : Bitfield Pos 3, 1 Bit
+0x000 ExecuteDispatchEnable : Bitfield Pos 4, 1 Bit
+0x000 ImageDispatchEnable : Bitfield Pos 5, 1 Bit
+0x000 Spare : Bitfield Pos 6, 2 Bits
+0x06b ExecuteOptions : UChar
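As an added example (not from this mail and not any project's ketypes.h), a C layout check that writes the XP SP3 KPROCESS down as the dump above prints it, beside a hypothetical tail with the 4-byte ProcessFlags union the mail describes, and compares offsetof() for each tail field against the dump's offsets, so a header that has drifted from the running kernel is caught at build or test time rather than in a debugger. The type names KPROCESS_XPSP3 and KPROCESS_DESCRIBED are assumptions of this example, and the "described" layout is reconstructed only from the mail's wording, not from any real header.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* XP SP3 x86 KPROCESS as the "dt" dump above prints it. Ptr32 members are
 * uint32_t so the layout holds on any host; nested structs are flattened. */
typedef struct {
    uint8_t  Type, Absolute, Size, Inserted; int32_t SignalState;        /* 0x00 */
    uint32_t WaitListHead[2], ProfileListHead[2], DirectoryTableBase[2]; /* 0x08 */
    uint16_t LimitLow, BaseLow; uint32_t HighWord;                       /* 0x20 */
    uint16_t Int21Descriptor[4], IopmOffset; uint8_t Iopl, Unused;       /* 0x28 */
    uint32_t ActiveProcessors, KernelTime, UserTime, ReadyListHead[2];   /* 0x34 */
    uint32_t SwapListEntry, VdmTrapcHandler, ThreadListHead[2];          /* 0x48 */
    uint32_t ProcessLock, Affinity;                                      /* 0x58 */
    uint16_t StackCount; int8_t BasePriority, ThreadQuantum;             /* 0x60 */
    uint8_t  AutoAlignment, State, ThreadSeed, DisableBoost;             /* 0x64 */
    uint8_t  PowerState, DisableQuantum, IdealNode, Flags;               /* 0x68 */
} KPROCESS_XPSP3;
/* Hypothetical tail of the definition the mail describes (an assumption, not
 * copied from any header): a 4-byte ProcessFlags union before BasePriority. */
typedef struct {
    uint8_t  head[0x5c]; uint32_t Affinity;                /* everything before 0x60 */
    union { uint32_t ProcessFlags; uint16_t StackCount; }; /* 4 bytes, not 2 */
    int8_t   BasePriority, ThreadQuantum;
    uint8_t  AutoAlignment, State, ThreadSeed, DisableBoost;
    uint8_t  PowerState, DisableQuantum, IdealNode, Flags;
} KPROCESS_DESCRIBED;
struct field { const char *name; size_t dump_off, struct_off; };
/* Returns how many fields sit at a different offset than the dump shows. */
static int count_mismatches(const char *tag, const struct field *f, size_t n) {
    int bad = 0;
    for (size_t i = 0; i < n; i++) if (f[i].dump_off != f[i].struct_off) {
        bad++;
        printf("%s: %-14s dump +0x%03zx, struct +0x%03zx\n", tag, f[i].name,
               f[i].dump_off, f[i].struct_off);
    }
    return bad;
}
/* Tail offsets as "dt" prints them (Affinity onward), paired with offsetof(). */
#define F(T, m, off) { #m, off, offsetof(T, m) }
#define TAIL(T) F(T, Affinity, 0x5c), F(T, StackCount, 0x60), F(T, BasePriority, 0x62), \
    F(T, ThreadQuantum, 0x63), F(T, AutoAlignment, 0x64), F(T, DisableBoost, 0x67), \
    F(T, IdealNode, 0x6a), F(T, Flags, 0x6b)
int xpsp3_mismatches(void) {
    const struct field f[] = { TAIL(KPROCESS_XPSP3) };
    return count_mismatches("xpsp3", f, sizeof f / sizeof f[0]);
}
int described_mismatches(void) {
    const struct field f[] = { TAIL(KPROCESS_DESCRIBED) };
    return count_mismatches("described", f, sizeof f / sizeof f[0]);
}
```

With the union in place, every field after it lands two bytes too far and the struct grows past the dump's 0x6c bytes, which is exactly the kind of drift the mail is asking about.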