_EPROCESS Contents Flashcards
Pcb
The kernel's process control block (_KPROCESS). This structure is found at the base of _EPROCESS (offset 0) and contains several critical fields, including the DirectoryTableBase used for virtual-to-physical address translation and the amount of time the process has spent in kernel mode and user mode.
CreateTime
A UTC timestamp indicating when the process first started
ExitTime
A UTC timestamp indicating when the process exited. This value is zero for still-running processes, so a nonzero ExitTime on an object found by scanning memory means it belongs to a terminated process whose _EPROCESS has not yet been freed.
UniqueProcessID
An integer that uniquely identifies the process (also known as the PID)
ActiveProcessLinks
The doubly linked list (a LIST_ENTRY with Flink and Blink pointers) that chains together active processes on the machine, headed by the kernel's PsActiveProcessHead. Most APIs on a running system rely on walking this list, which is also why a rootkit that unlinks its own _EPROCESS from the list (DKOM) disappears from those APIs while the process and its threads keep running; scanning memory for process objects rather than walking the list (as Volatility's psscan does) is the usual countermeasure.
SessionProcessLinks
Another doubly linked list that chains together processes in the same session
InheritedFromUniqueProcessID
An integer that specifies the PID of the parent process. After a process is running, this member is not modified, even if its parent terminates, so the value may refer to a PID that no longer exists or that has since been reused by an unrelated process.
Session
This member points to the _MM_SESSION_SPACE structure that stores information on a user’s logon session and GUI objects.
ImageFileName
The filename portion of the process' executable, stored as a fixed 16-byte ASCII array. Only the leading characters of the name fit (15 plus the terminating NUL), so longer filenames appear truncated and two different executables can show the same ImageFileName. To get the full path to the executable, or to see the Unicode name, consult the VAD node that maps the image or the members of the PEB.
ThreadListHead
A doubly linked list that chains together all the process’ threads (each element is an _ETHREAD)
ActiveThreads
An integer indicating the number of active threads running in the process context. A process with zero active threads has almost certainly exited; check it against ExitTime, which should then be nonzero.
Peb
A pointer to the Process Environment Block (PEB). Although this member (_EPROCESS.Peb) exists in kernel mode, it points to an address in user mode, so reading it requires the process' own DirectoryTableBase (page tables) rather than the kernel's. The PEB contains pointers to the process' DLL lists, current working directory, command line arguments, environment variables, heaps, and standard handles.
VadRoot
The root node of the VAD tree. It contains detailed information about a process’ allocated memory segments, including the original access permissions (read, write, execute) and whether a file is mapped into the region.
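The ActiveProcessLinks, ImageFileName, ExitTime and ActiveThreads cards above describe behaviour that is easiest to see by building a small model of the structures. The following C program is an added example, not code from the page or from Windows: it uses a hypothetical, simplified `EPROCESS_SIM` struct (assumption: only the fields discussed here, in an invented layout; real offsets differ per build), a constructed pool of process objects, and constructed PIDs and names. It walks ActiveProcessLinks with the kernel's CONTAINING_RECORD idiom the way a list-based API does, shows the 15-character truncation of ImageFileName, unlinks one object DKOM-style, and then recovers it by scanning the pool and cross-referencing against the list walk, excluding objects whose nonzero ExitTime marks them as legitimately exited.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal LIST_ENTRY plus the CONTAINING_RECORD idiom the kernel uses to get
 * from an embedded ActiveProcessLinks back to its enclosing process object. */
typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;
#define CONTAINING_RECORD(addr, type, field) \
    ((type *)((char *)(addr) - offsetof(type, field)))

/* Hypothetical, simplified stand-in for _EPROCESS (assumption: invented
 * layout holding only the fields discussed on the page; real offsets vary). */
typedef struct _EPROCESS_SIM {
    uint64_t   CreateTime;            /* nonzero once the object is in use   */
    uint64_t   ExitTime;              /* zero while the process is running   */
    uint32_t   UniqueProcessId;
    uint32_t   InheritedFromUniqueProcessId;
    LIST_ENTRY ActiveProcessLinks;
    char       ImageFileName[16];     /* fixed 16-byte ASCII array           */
    uint32_t   ActiveThreads;
} EPROCESS_SIM;

static void InitializeListHead(LIST_ENTRY *h) { h->Flink = h->Blink = h; }
static void InsertTailList(LIST_ENTRY *h, LIST_ENTRY *e) {
    e->Flink = h; e->Blink = h->Blink; h->Blink->Flink = e; h->Blink = e;
}
static void RemoveEntryList(LIST_ENTRY *e) {
    e->Blink->Flink = e->Flink; e->Flink->Blink = e->Blink; e->Flink = e->Blink = e;
}

/* Constructed "memory image": every process object present in the pool,
 * whether or not it is still chained into the active list. */
#define MAX_PROCS 8
static EPROCESS_SIM g_pool[MAX_PROCS];
static LIST_ENTRY   g_PsActiveProcessHead;

static EPROCESS_SIM *create_process(size_t slot, uint32_t pid, uint32_t ppid,
                                    const char *name, uint32_t threads) {
    EPROCESS_SIM *p = &g_pool[slot];
    memset(p, 0, sizeof *p);
    p->CreateTime = 0x01D9A000u + (uint64_t)slot;   /* constructed timestamp */
    p->UniqueProcessId = pid;
    p->InheritedFromUniqueProcessId = ppid;
    p->ActiveThreads = threads;
    /* Only 15 characters fit before the terminating NUL: long names truncate. */
    snprintf(p->ImageFileName, sizeof p->ImageFileName, "%.15s", name);
    InsertTailList(&g_PsActiveProcessHead, &p->ActiveProcessLinks);
    return p;
}

static EPROCESS_SIM *lookup(uint32_t pid) {
    for (size_t i = 0; i < MAX_PROCS; i++)
        if (g_pool[i].CreateTime && g_pool[i].UniqueProcessId == pid) return &g_pool[i];
    return NULL;
}

/* What a list-based API (or Volatility pslist) sees: walk ActiveProcessLinks. */
static int walk_active_list(uint32_t *pids, int max) {
    int n = 0;
    for (LIST_ENTRY *e = g_PsActiveProcessHead.Flink; e != &g_PsActiveProcessHead; e = e->Flink) {
        EPROCESS_SIM *p = CONTAINING_RECORD(e, EPROCESS_SIM, ActiveProcessLinks);
        if (n < max) pids[n] = p->UniqueProcessId;
        n++;
    }
    return n;
}

/* DKOM: unlink a live process from the list without terminating it. */
static int dkom_hide(uint32_t pid) {
    EPROCESS_SIM *p = lookup(pid);
    if (!p) return 0;
    RemoveEntryList(&p->ActiveProcessLinks);
    return 1;
}

/* Simulated teardown: ExitTime set, no threads left, object unlinked but still
 * in the pool. (Assumption: the real kernel's ordering is not modelled.) */
static int terminate_process(uint32_t pid) {
    EPROCESS_SIM *p = lookup(pid);
    if (!p) return 0;
    p->ExitTime = p->CreateTime + 0x1000u;
    p->ActiveThreads = 0;
    RemoveEntryList(&p->ActiveProcessLinks);
    return 1;
}

static int in_active_list(const EPROCESS_SIM *p) {
    for (LIST_ENTRY *e = g_PsActiveProcessHead.Flink; e != &g_PsActiveProcessHead; e = e->Flink)
        if (e == &p->ActiveProcessLinks) return 1;
    return 0;
}

/* What a scanner (Volatility psscan) adds: pool objects the list walk never
 * reached, minus those whose nonzero ExitTime shows they exited normally. */
static int find_hidden(uint32_t *pids, int max) {
    int n = 0;
    for (size_t i = 0; i < MAX_PROCS; i++) {
        const EPROCESS_SIM *p = &g_pool[i];
        if (p->CreateTime == 0 || p->ExitTime != 0 || in_active_list(p)) continue;
        if (n < max) pids[n] = p->UniqueProcessId;
        n++;
    }
    return n;
}

static void build_demo(void) {          /* constructed sample processes */
    InitializeListHead(&g_PsActiveProcessHead);
    memset(g_pool, 0, sizeof g_pool);
    create_process(0, 4,    0,    "System",            80);
    create_process(1, 620,  4,    "smss.exe",          2);
    create_process(2, 1337, 620,  "VMwareService.exe", 4);   /* truncates */
    create_process(3, 3100, 620,  "notepad.exe",       1);
    create_process(4, 2000, 1337, "evil.exe",          1);
    terminate_process(3100);            /* exited, but object still in pool */
}

int main(void) {
    uint32_t pids[MAX_PROCS];
    build_demo();
    printf("list walk before DKOM: %d processes\n", walk_active_list(pids, MAX_PROCS));
    printf("slot 2 ImageFileName: \"%s\"\n", g_pool[2].ImageFileName);
    dkom_hide(2000);
    printf("list walk after DKOM:  %d processes\n", walk_active_list(pids, MAX_PROCS));
    int n = find_hidden(pids, MAX_PROCS);
    for (int i = 0; i < n; i++) printf("hidden PID found by scan: %u\n", pids[i]);
    return 0;
}
```

The exited notepad.exe is deliberately left in the pool so the scanner has to distinguish "unlinked because it exited" (nonzero ExitTime, zero ActiveThreads) from "unlinked while still running", which is the DKOM signature an analyst cross-references between pslist and psscan output.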