Finding Active Processes with Windbg
In the Windows kernel, every process is represented by an EPROCESS structure, the executive's kernel object for a process. The Process Environment Block (PEB) is just one of many structures the EPROCESS points to; the EPROCESS itself lives in kernel address space, while the PEB it references is mapped into the process's own user-mode address space. A snippet from _EPROCESS as documented on the Vergilius Project (field offsets and neighbouring members differ between Windows builds, so check the entry for your build):

    volatile ULONGLONG OwnerProcessId;
    struct _PEB* Peb;
    struct _MM_SESSION_SPACE* Session;
    VOID* Spare1;

From user mode, however, we cannot dereference EPROCESS structures or read their contents. At most we can run dt nt!_EPROCESS in windbg to peek at the layout: dt reads the type definition from the ntoskrnl symbol file (so the nt symbols must load), not from the live process. We'll have to enable kernel debugging to examine actual instances more closely. But here's what we can see in user mode. The EPROCESS structure is large. The entire output from windbg is as follows: ...
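Every EPROCESS is linked into a kernel-wide doubly linked list through its ActiveProcessLinks member, headed by nt!PsActiveProcessHead; that list is what !process 0 0 walks to enumerate active processes. The following is an added example, not code from the original post: it models that walk in user-mode C so it can be run anywhere. FAKE_EPROCESS is a hypothetical, cut-down stand-in for nt!_EPROCESS (the real structure has hundreds of fields and build-specific offsets), the PIDs and image names are constructed sample data, and the unlink step reproduces the Direct Kernel Object Manipulation trick rootkits use to hide a process from a list walk.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Same shape as nt!_LIST_ENTRY: forward and backward links. */
typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;
    struct _LIST_ENTRY *Blink;
} LIST_ENTRY;

/* Hypothetical cut-down EPROCESS for this illustration only. Field order
 * and offsets are arbitrary and do NOT match any real Windows build. */
typedef struct _FAKE_EPROCESS {
    uint64_t   UniqueProcessId;
    LIST_ENTRY ActiveProcessLinks;  /* embeds this object in the active list */
    void      *Peb;                 /* user-mode PEB; NULL for System        */
    char       ImageFileName[16];
} FAKE_EPROCESS;

/* Same macro the Windows DDK provides: recover the containing structure
 * from a pointer to one of its embedded members. */
#define CONTAINING_RECORD(addr, type, field) \
    ((type *)((char *)(addr) - offsetof(type, field)))

/* nt!PsActiveProcessHead is a bare LIST_ENTRY, not an EPROCESS, so the
 * walk must stop at the head instead of treating it as a process. */
static void list_init(LIST_ENTRY *head) { head->Flink = head->Blink = head; }

static void list_insert_tail(LIST_ENTRY *head, LIST_ENTRY *entry) {
    entry->Flink = head;
    entry->Blink = head->Blink;
    head->Blink->Flink = entry;
    head->Blink = entry;
}

/* DKOM-style hide: unlink the node from its neighbours but leave the node
 * itself (and the EPROCESS around it) fully intact and still running. */
static void list_unlink(LIST_ENTRY *entry) {
    entry->Blink->Flink = entry->Flink;
    entry->Flink->Blink = entry->Blink;
}

/* The walk !process 0 0 performs: follow Flink from the head until we are
 * back at the head, mapping each node to its EPROCESS. Returns the count;
 * up to max PIDs are written to pids (pids may be NULL when max is 0). */
static size_t walk_active_processes(const LIST_ENTRY *head,
                                    uint64_t *pids, size_t max) {
    size_t n = 0;
    for (LIST_ENTRY *e = head->Flink; e != head; e = e->Flink) {
        FAKE_EPROCESS *p = CONTAINING_RECORD(e, FAKE_EPROCESS, ActiveProcessLinks);
        if (n < max) pids[n] = p->UniqueProcessId;
        n++;
    }
    return n;
}

/* Constructed sample: three processes with made-up PIDs, names and PEBs. */
static FAKE_EPROCESS g_procs[3];
static unsigned char g_fake_peb[3];
static LIST_ENTRY    g_PsActiveProcessHead;

/* Build the sample list, optionally hide cmd.exe by unlinking it, then walk. */
size_t build_and_walk(int hide_cmd, uint64_t *pids, size_t max) {
    static const struct { uint64_t pid; const char *name; } sample[3] = {
        { 4, "System" }, { 456, "smss.exe" }, { 1234, "cmd.exe" }
    };
    list_init(&g_PsActiveProcessHead);
    for (size_t i = 0; i < 3; i++) {
        g_procs[i].UniqueProcessId = sample[i].pid;
        g_procs[i].Peb = (i == 0) ? NULL : &g_fake_peb[i]; /* System has no PEB */
        snprintf(g_procs[i].ImageFileName, sizeof g_procs[i].ImageFileName,
                 "%s", sample[i].name);
        list_insert_tail(&g_PsActiveProcessHead, &g_procs[i].ActiveProcessLinks);
    }
    if (hide_cmd) list_unlink(&g_procs[2].ActiveProcessLinks);
    return walk_active_processes(&g_PsActiveProcessHead, pids, max);
}

/* PID at position idx of the walk, or 0 if the walk is shorter than that. */
uint64_t walked_pid(int hide_cmd, size_t idx) {
    uint64_t pids[8] = { 0 };
    size_t n = build_and_walk(hide_cmd, pids, 8);
    return idx < n ? pids[idx] : 0;
}

int main(void) {
    for (int hide = 0; hide <= 1; hide++) {
        uint64_t pids[8];
        size_t n = build_and_walk(hide, pids, 8);
        printf("%s: %zu processes on the list:", hide ? "after DKOM" : "normal", n);
        for (size_t i = 0; i < n; i++) printf(" %llu", (unsigned long long)pids[i]);
        printf("\n");
    }
    /* The hidden object is untouched; only the list no longer reaches it. */
    printf("hidden object still has pid %llu (%s)\n",
           (unsigned long long)g_procs[2].UniqueProcessId, g_procs[2].ImageFileName);
    return 0;
}
```

The unlinked EPROCESS is still a valid object and its threads keep scheduling, which is why memory-forensics tools cross-check the ActiveProcessLinks walk against other sources (pool scanning for process objects, the handle table, thread lists) rather than trusting the list alone.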