Finding Active Processes with Windbg
In the Windows kernel, each process is assigned an EPROCESS structure, which is a kernel object that represents a program or process. The Process Environment Block (PEB) is just one of many structures pointed to by the EPROCESS structure. A snippet from _EPROCESS as documented on the Vergilius Project:

```c
volatile ULONGLONG OwnerProcessId;
struct _PEB* Peb;
struct _MM_SESSION_SPACE* Session;
VOID* Spare1;
```

In user space, however, we cannot directly reference all of the EPROCESS structures and their data....
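The following is an added example session showing how these structures are reached from a kernel-mode WinDbg session, not output from the original article. It assumes a kernel debugger attached with symbols loaded; every address, Cid and image name below is constructed for illustration. The chain is: enumerate EPROCESS objects, read the Peb pointer from one of them, switch into that process context, and then dump the PEB, which lives in user-mode memory.

```windbg
; List every active process by walking the kernel's process list (constructed output)
0: kd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS ffffd60c4a0c8040
    SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 001ad002  ObjectTable: ffffaa0b3b800040  HandleCount: 2500.
    Image: System

PROCESS ffffd60c4f6e9080
    SessionId: 1  Cid: 1e4c    Peb: 0094f000  ParentCid: 0f54
    DirBase: 12a3c4002  ObjectTable: ffffaa0b3b9d2f40  HandleCount: 234.
    Image: notepad.exe

; Read the Peb pointer straight out of the EPROCESS object chosen above
0: kd> dt nt!_EPROCESS ffffd60c4f6e9080 Peb
   +0x??? Peb : 0x00000000`0094f000 _PEB      ; offset depends on the build

; The PEB is user-mode memory, so switch to that process's page tables first
0: kd> .process /p /r ffffd60c4f6e9080
Implicit process is now ffffd60c`4f6e9080

; Dump the PEB and then pick out two of its fields
0: kd> !peb
0: kd> dt nt!_PEB 0094f000 ImageBaseAddress ProcessParameters
```

Note that !process 0 0 enumerates processes through the kernel's active-process list, so it is only as trustworthy as that list; when investigating a suspected rootkit, compare its output against an independent source such as the handle tables or a pool scan rather than relying on a single walk.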