Wednesday, July 18, 2012

Traversal Widows Process List

Method1:
Using the PsActiveProcessList in EProcess structure

Method 2:
Using the Handle_Table structure in Eprocess structure, and traversal HandleTableList.

kd> dt _Handle_table 0xe1001cd0 
nt!_HANDLE_TABLE
   +0x000 TableCode        : 0xe1002000
   +0x004 QuotaProcess     : (null) 
   +0x008 UniqueProcessId  : 0x00000004 
   +0x00c HandleTableLock  : [4] _EX_PUSH_LOCK
   +0x01c HandleTableList  : _LIST_ENTRY [ 0xe1023e44 - 0x8055b548 ]
   +0x024 HandleContentionEvent : _EX_PUSH_LOCK
   +0x028 DebugInfo        : (null) 
   +0x02c ExtraInfoPages   : 0
   +0x030 FirstFree        : 0x2c4
   +0x034 LastFree         : 0
   +0x038 NextHandleNeedingPool : 0x800
   +0x03c HandleCount      : 252
   +0x040 Flags            : 0
   +0x040 StrictFIFO       : 0y0

Method3: 
Using the queues in scheduler.
Posted by at
Labels: ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)