[ntfsd]Re: Process List

Heldai,

Use windbg with the kd extension command !strct EPROCESS to see the details of the EPROCESS structure.

Or see Bosse’s ntifs.h at http://www.acc.umu.se/~bosse. In his romfs he also implemented a routine to get the process name entry in the EPROCESS structure; see debug.c and init.c.

Best wishes,

========================
Matt Wu
E-Mail: mattwu@163.com
WebSite: http://sys.xiloo.com

Hi all,

I need to view all processes running on the machine. I have used IoGetCurrentProcess to get the PEPROCESS pointer. It’s OK. At one offset I can see the process name, but on NT and W2K this offset is different. Does somebody know the KPEB or KPROCESS structure for NT and W2K? Thanks in advance,

Heldai



You can find definitions for Windows 2000 here http://www.ntndis.com/downloads/structs.zip

If you have to do this in code, you’d better use the approach M. Russinovich demonstrated in the filemon utility (download the source from www.sysinternals.com and examine it).

Best Regards,
Vadim
http://www.ntndis.com
“Heldai” wrote in message news:xxxxx@ntfsd…