阅读EPROCESS结构 [英] reading the EPROCESS struct

问题描述

你好，

我正在使用Windows 7.我写了一个驱动程序来获取我的进程的EPROCESS结构。

hello,
I''m working with windows 7. I wrote a driver to get the EPROCESS struct of my process.

PEPROCESS  EP = NULL;
.....
.....
.....
status = PsLookupProcessByProcessId((HANDLE)pid, &EP);

状态以 NT_SUCCESS 返回。

但我得到了我尝试访问此结构的任何字段时出错。

如下所示：

the status is returned as NT_SUCCESS.
but I got an error when I tried to access any field of this struct.
like the following:

peb = (DWORD)EP->Peb;

错误是：

the error was:

" left of 'Peb' specifies undefined struct/union '_EPROCESS' "

我不知道whay我收到此错误以及如何解决它？



感谢您的帮助。

I don''t know whay I got this error and how to solve it??

thanks for helping.

推荐答案

您的代码表明EP是指针类型，但它的声明并不明显。也许你的代码应该是

Your code suggests that EP is a pointer type, but it is not obvious from it''s declaration that it is. Perhaps your code should be

peb = (DWORD)EP.Peb;

这是一个不透明的结构。你不应该直接访问它。



但是如果你想学习（从不在真实产品中）你可以查看字段和位移，并构建你自己的使用windbg的结构的每个os版本....

This is an "opaque" struct. YOU SHOULD NOT access it directly.

But if you want to learn (never in a real product) you can view at the fields and displacements, and build your "own" per os version of the struct using windbg....

这篇关于阅读EPROCESS结构的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！