
Windows Kernel Structures

Introduction

This blog post serves as a reference guide and lookup table for me and for anyone interested in Windows Kernel Exploitation (WKE) or Windows kernel malware development, such as rootkits. It covers the kernel structures I find useful in my research and development projects.

_EPROCESS

_EPROCESS, or EPROCESS, is an opaque kernel structure that serves as the process object for a running process, whether user-mode (such as your browser) or kernel-mode (such as your graphics driver). The _EPROCESS structure has a plethora of fields/members, such as ActiveProcessLinks (the doubly linked list that threads together every active process on the system) and a pointer to the process’s _TOKEN structure.


_TOKEN

_TOKEN is a kernel memory structure that describes an object’s or process’s security context: its privileges, logon ID, session ID, token type (e.g. primary or impersonation), and much more. The field of primary interest in this structure is _SEP_TOKEN_PRIVILEGES (see the _SEP_TOKEN_PRIVILEGES section below).
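As an added example that is not part of the original post, the following C program models the _SEP_TOKEN_PRIVILEGES field as three 64-bit bitmasks (Present, Enabled, EnabledByDefault, the layout shown by the public kernel symbols, with bit n standing for the privilege whose LUID low part is n) and runs two forensic checks over a constructed token snapshot: whether any Enabled bit lacks its matching Present bit, which a legitimately created token never shows, and how many sensitive privileges are actually in effect. The sample snapshots and the SENSITIVE_PRIVS selection are assumptions for illustration, not data from the post.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* _SEP_TOKEN_PRIVILEGES per the public kernel symbols: bit n = privilege with LUID low part n. */
typedef struct _SEP_TOKEN_PRIVILEGES {
    uint64_t Present;          /* privileges the token holds at all */
    uint64_t Enabled;          /* subset currently enabled */
    uint64_t EnabledByDefault; /* subset enabled when the token was created */
} SEP_TOKEN_PRIVILEGES;

/* A few LUID values from winnt.h (the SE_*_PRIVILEGE constants). */
#define SE_TCB_PRIVILEGE           7
#define SE_LOAD_DRIVER_PRIVILEGE   10
#define SE_SHUTDOWN_PRIVILEGE      19
#define SE_DEBUG_PRIVILEGE         20
#define SE_CHANGE_NOTIFY_PRIVILEGE 23
#define PRIV_BIT(n) (1ULL << (n))
/* Privileges whose enablement in an ordinary user's token deserves a second look (assumed set). */
#define SENSITIVE_PRIVS (PRIV_BIT(SE_TCB_PRIVILEGE) | PRIV_BIT(SE_LOAD_DRIVER_PRIVILEGE) | PRIV_BIT(SE_DEBUG_PRIVILEGE))

/* The kernel only enables privileges that are present, so Enabled or EnabledByDefault
   bits missing from Present mean the bitmasks were written outside the normal token
   APIs. Returns the offending bits (0 = consistent). */
uint64_t token_privileges_inconsistent(SEP_TOKEN_PRIVILEGES p) {
    return (p.Enabled | p.EnabledByDefault) & ~p.Present;
}

/* Number of SENSITIVE_PRIVS that are both granted (Present) and Enabled. */
unsigned sensitive_enabled_count(SEP_TOKEN_PRIVILEGES p) {
    uint64_t v = p.Present & p.Enabled & SENSITIVE_PRIVS;
    unsigned c = 0;
    for (; v; v &= v - 1) c++; /* portable popcount */
    return c;
}

/* Constructed snapshots, not taken from a real dump: a standard-user token holding only
   SeShutdown and SeChangeNotify, optionally with every Enabled bit forced on. */
SEP_TOKEN_PRIVILEGES sample_token(bool tampered) {
    SEP_TOKEN_PRIVILEGES p = { PRIV_BIT(SE_SHUTDOWN_PRIVILEGE) | PRIV_BIT(SE_CHANGE_NOTIFY_PRIVILEGE),
                               PRIV_BIT(SE_CHANGE_NOTIFY_PRIVILEGE), PRIV_BIT(SE_CHANGE_NOTIFY_PRIVILEGE) };
    if (tampered) p.Enabled = ~0ULL;
    return p;
}

int main(void) {
    SEP_TOKEN_PRIVILEGES p = sample_token(true);
    printf("inconsistent bits 0x%016llx, sensitive privileges enabled: %u\n",
           (unsigned long long)token_privileges_inconsistent(p), sensitive_enabled_count(p));
    return 0;
}
```

Note that the tampered snapshot passes the sensitive-privilege count (Present gates it) but fails the consistency check, which is why both are worth running over a token pulled from a memory image.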


_SEP_TOKEN_PRIVILEGES


_KTHREAD


This post is licensed under CC BY 4.0 by the author.
