What is the difference between the Windows _EPROCESS object and the _KPROCESS object?

Notice: this page is a Chinese-English bilingual translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 licence. If you reuse it you must follow the same licence, cite the original URL and author information, and attribute it to the original authors (not me). StackOverflow original: http://stackoverflow.com/questions/5790587/

Date: 2020-09-15 16:43:32  Source: igfitidea

what is the difference between _EPROCESS object and _KPROCESS object

Tags: windows, kernel

Asked by Lelouch Lamperouge

Upon analysis, I learnt that even _KPROCESS objects can be members of the ActiveProcessLinks list. What is the difference between _EPROCESS and _KPROCESS objects? When is one created and one not? What are the conceptual differences between them?


Accepted answer by 0xC0000022L

Have a look here:


http://channel9.msdn.com/Shows/Going+Deep/Arun-Kishan-Process-Management-in-Windows-Vista


EPROCESS is the kernel mode equivalent of the PEB from user mode. More details can be found in this document on Alex Ionescu's site as well as the book by Schreiber and other books about the NT internals.


Use dt in WinDbg to get an idea how they look.


Answer by snoone

This is simplified, but the kernel mode portion of the Windows O/S is broken up into three pieces: the HAL, the Kernel, and the Executive Subsystems. The Executive Subsystems deal with general O/S policy and operation. The Kernel deals with process architecture specific details for low level operations (e.g. spinlocks, thread switching) as well as scheduling. The HAL deals with differences that arise in particular implementations of a processor architecture (e.g. how interrupts are routed on this implementation of the x86). This is all explained in greater detail in the Windows Internals book.


When you create a new Win32 process, both the Kernel and the Executive Subsystems want to track it. For example, the Kernel wants to know the priority and affinity of the threads in the process because that's going to affect scheduling. The Executive Subsystems want to track the process because, for example, the Security Executive Subsystem wants to associate a token with the process so we can do security checking later.


The structure that the Kernel uses to track the process is the KPROCESS. The structure that the Executive Subsystems use to track it is the EPROCESS. As an implementation detail, the KPROCESS is the first field of the EPROCESS, so the Executive Subsystems allocate the EPROCESS structure and then call the Kernel to initialize the KPROCESS portion of it. In the end, both structures are part of the Process Object that represents the instance of the user process. This should also all be covered in the Windows Internals book.


-scott


Answer by munin

EPROCESS is not available in user mode. Neither is KPROCESS.


KPROCESS is a subset of EPROCESS. If you look at the fields in a debugger, you'll see the KPROCESS contains fields more related to scheduling and book-keeping of the process at a lower level, while EPROCESS has higher-level process contexts inside of it. The names, as far as I am aware, come from different subsystems that interact with these structures (the Executive has structures and functions frequently prefixed with Ex while the Kernel has structures and functions frequently prefixed with Ke).


You can see this in different documented functions. Consider the prototype for KeStackAttachProcess ( http://msdn.microsoft.com/en-us/library/ff549659(v=vs.85).aspx), which is a Ke function and takes a KPROCESS. There aren't any exported and documented Ex functions that accept EPROCESS (or KPROCESS), but Ps functions deal entirely in EPROCESSes.


A similar divide exists for threads, with KTHREAD and ETHREAD.

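The layout snoone's and munin's answers describe (KPROCESS embedded as the first field of EPROCESS, ActiveProcessLinks linking EPROCESSes, Ke routines taking the KPROCESS while Ps routines take the EPROCESS) as an added, runnable model. This is example code, not from the answers or from Windows: the field names mirror nt!_EPROCESS and nt!_KPROCESS, but the struct layouts, the sample list head and the two sample processes are constructed here, and real offsets differ per build.

```c
/* Added example, not from the answers above: a simplified model of the nesting the
 * answers describe. Names mirror nt!_EPROCESS/_KPROCESS, but this layout is constructed;
 * real offsets differ per build, so read them with dt in WinDbg. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;
/* Kernel (Ke) view: only what the scheduler needs. */
typedef struct _KPROCESS { int8_t BasePriority; uint64_t Affinity; } KPROCESS;
/* Executive view: the KPROCESS is the first field (Pcb), followed by policy data. */
typedef struct _EPROCESS {
    KPROCESS   Pcb;                 /* offset 0, initialised by the Kernel */
    uintptr_t  UniqueProcessId;
    LIST_ENTRY ActiveProcessLinks;  /* the list links EPROCESSes */
    void      *Token;               /* owned by the security subsystem */
    char       ImageFileName[16];
} EPROCESS;
/* Recover the owning structure from an embedded LIST_ENTRY (same idea as the WDK macro). */
#define CONTAINING_RECORD(addr, type, field) \
    ((type *)((char *)(addr) - offsetof(type, field)))
static void insert_tail(LIST_ENTRY *head, EPROCESS *p)   /* like InsertTailList */
{
    LIST_ENTRY *e = &p->ActiveProcessLinks;
    e->Flink = head; e->Blink = head->Blink;
    head->Blink->Flink = e; head->Blink = e;
}
/* Enumerate processes the way a memory-forensics tool does: every entry resolves
 * back to a whole EPROCESS, never to a bare KPROCESS. Returns the count found. */
static size_t walk_active_processes(LIST_ENTRY *head, EPROCESS **out, size_t max)
{
    size_t n = 0;
    for (LIST_ENTRY *e = head->Flink; e != head && n < max; e = e->Flink)
        out[n++] = CONTAINING_RECORD(e, EPROCESS, ActiveProcessLinks);
    return n;
}
/* Pcb is at offset 0, so the PKPROCESS a Ke routine takes and the PEPROCESS a Ps
 * routine takes are the same address. */
static int kprocess_is_eprocess_base(const EPROCESS *p) { return (const void *)&p->Pcb == (const void *)p; }
static EPROCESS sample[2];      /* constructed sample, not real kernel memory */
static LIST_ENTRY sample_head;  /* stands in for the list head (PsActiveProcessHead) */
static LIST_ENTRY *build_sample(void)
{
    sample_head.Flink = sample_head.Blink = &sample_head;
    memset(sample, 0, sizeof sample);
    sample[0].UniqueProcessId = 4;   strcpy(sample[0].ImageFileName, "System");
    sample[1].UniqueProcessId = 300; strcpy(sample[1].ImageFileName, "smss.exe");
    insert_tail(&sample_head, &sample[0]);
    insert_tail(&sample_head, &sample[1]);
    return &sample_head;
}
```

Walking the list from the head yields the two constructed EPROCESSes in insertion order, and each one's Pcb address equals the EPROCESS address itself.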