Uninformed: Informative Information for the Uninformed

Vol 4» 2006.Jun


Process Objects

Here are just a few of the most basic EPROCESS fields that can form a simple signature. They carry rather predictable constant values that hold true for every EPROCESS structure on the same system, which is what makes them usable for locating process objects in memory without walking the kernel's process list.


\begin{tabular}{|l|l|}
\hline
\textbf{Pcb.Header.Type} & ... \\
\hline
\textbf{...ubSystemVersion} & XP Service Pack 2 is 0x400 \\
\hline
\end{tabular}

Note that there are several other DISPATCH_HEADERs embedded within locks, events, timers, etc. in the structure which also have a predictable Header.Type and Header.Size, so the signature can be extended beyond the fields listed above.
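As an added illustration that is not part of the article, the following scan applies such a signature to a raw memory image at pool-aligned offsets, so a process unlinked from ActiveProcessLinks is still found. The field offsets, the Header.Type/Header.Size constants, the ImageFileName slot and the image itself are assumptions constructed for the demo; only SubSystemVersion == 0x400 comes from the text.

```python
import struct

# Signature fields: (offset, struct format, expected value, name).
# Offsets and the Type/Size constants are ASSUMED for this demo; real values
# must come from the target build's type information.
SIG_FIELDS = [
    (0x000, "<B", 0x03, "Pcb.Header.Type"),    # assumed: process object type
    (0x002, "<B", 0x1b, "Pcb.Header.Size"),    # assumed: KPROCESS size in dwords
    (0x1f8, "<H", 0x400, "SubSystemVersion"),  # from the article: XP SP2 is 0x400
]
OBJ_SIZE = 0x258      # assumed EPROCESS size for the constructed image
NAME_OFF = 0x174      # assumed ImageFileName offset
ALIGN = 8             # pool allocations are 8-byte aligned on 32-bit Windows


def matches(image: bytes, base: int) -> bool:
    """True if every signature field at image[base:] holds its expected value."""
    for off, fmt, expect, _name in SIG_FIELDS:
        if base + off + struct.calcsize(fmt) > len(image):
            return False
        if struct.unpack_from(fmt, image, base + off)[0] != expect:
            return False
    return True


def scan(image: bytes, align: int = ALIGN) -> list:
    """Return every aligned offset where the full signature matches.
    This does not depend on the process list, so unlinked objects are found."""
    return [b for b in range(0, len(image) - OBJ_SIZE + 1, align) if matches(image, b)]


def make_fake_eprocess(name: bytes) -> bytes:
    """Constructed EPROCESS-like blob carrying the signature constants."""
    buf = bytearray(OBJ_SIZE)
    for off, fmt, value, _name in SIG_FIELDS:
        struct.pack_into(fmt, buf, off, value)
    buf[NAME_OFF:NAME_OFF + len(name)] = name
    return bytes(buf)


def build_image() -> bytes:
    """Constructed image: filler, a listed process, a decoy with the wrong
    Header.Type (must not match), and a 'hidden' process with a valid signature."""
    decoy = bytearray(make_fake_eprocess(b"decoy"))
    decoy[0] = 0x06                     # wrong object type -> rejected by scan()
    return (b"\x00" * 0x1000 + make_fake_eprocess(b"System")
            + b"\xff" * 0x100 + bytes(decoy)
            + b"\x00" * 0x80 + make_fake_eprocess(b"hidden.exe"))


if __name__ == "__main__":
    img = build_image()
    for hit in scan(img):
        print(hex(hit), img[hit + NAME_OFF:hit + NAME_OFF + 16].rstrip(b"\x00"))
```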