Saturday, January 27, 2007

SYSTEM_PROCESS struct

I have been learning the Windows kernel lately. The two structs below look very similar, and they in fact describe the same buffer that ZwQuerySystemInformation fills for the SystemProcessInformation class: the first is the undocumented layout with every field named (NextEntryDelta, ProcessName, ProcessId and so on), the second is the public winternl.h version with most of those fields hidden behind Reserved names. For walking or unlinking process nodes the first one is the right one, since the hook needs the delta and the process ID by name. Using the wrong definition would not BSOD the machine, but it would probably crash whatever is reading the buffer.
(My mistake cost me a 1 GB file that was still sitting in the memory buffer.)

The funny thing (though of no practical value) is that you can hide everything at once by zeroing the first entry's delta, so the list walker stops right after the head:

SystemInformation->NextEntryDelta = 0;

Every process after the first disappears from the caller's view, which is far too obvious to pass for a normal listing; a hook that wants to hide a single process instead skips just that entry by adding its NextEntryDelta to the previous entry's.

/* Undocumented layout, as used by the ZwQuerySystemInformation hook in the
 * Rootkits book. KPRIORITY, VM_COUNTERS, IO_COUNTERS and struct _SYSTEM_THREADS
 * come from the same undocumented NT headers. Entries are variable length
 * because of the trailing thread array, so the next entry is always reached
 * through NextEntryDelta, never through sizeof(). */
struct _SYSTEM_PROCESSES
{
    ULONG NextEntryDelta;               /* bytes to the next entry; 0 marks the last one */
    ULONG ThreadCount;
    ULONG Reserved[6];
    LARGE_INTEGER CreateTime;
    LARGE_INTEGER UserTime;
    LARGE_INTEGER KernelTime;
    UNICODE_STRING ProcessName;
    KPRIORITY BasePriority;
    ULONG ProcessId;
    ULONG InheritedFromProcessId;
    ULONG HandleCount;
    ULONG Reserved2[2];
    VM_COUNTERS VmCounters;
    IO_COUNTERS IoCounters;             /* Windows 2000 only (not present on NT 4) */
    struct _SYSTEM_THREADS Threads[1];  /* ThreadCount entries follow */
};

/* Documented version from winternl.h (Windows SDK). Same buffer as above, but the
 * fields a hook needs sit behind Reserved names; the comments give the 32-bit mapping. */
typedef struct _SYSTEM_PROCESS_INFORMATION
{
    ULONG NextEntryOffset;              /* = NextEntryDelta */
    ULONG NumberOfThreads;              /* = ThreadCount */
    BYTE Reserved1[48];                 /* Reserved[6] + CreateTime/UserTime/KernelTime */
    PVOID Reserved2[3];                 /* ProcessName + BasePriority */
    HANDLE UniqueProcessId;             /* = ProcessId */
    PVOID Reserved3;                    /* = InheritedFromProcessId */
    ULONG HandleCount;
    BYTE Reserved4[4];
    PVOID Reserved5[11];                /* VM counters */
    SIZE_T PeakPagefileUsage;
    SIZE_T PrivatePageCount;
    LARGE_INTEGER Reserved6[6];         /* = IoCounters */
} SYSTEM_PROCESS_INFORMATION;
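The following is an added example, not code from the original post or from the Rootkits book. It shows what the NextEntryDelta field is for: walking a SystemProcessInformation buffer entry by entry, unlinking one chosen entry the way a process-hiding hook does, and the truncate-everything shortcut from the post. Instead of calling ZwQuerySystemInformation it builds a constructed buffer of four fake processes (PIDs 4, 1234, 5678 and 900 are made up), keeps only the leading fields of _SYSTEM_PROCESSES, and lets field offsets follow the host ABI rather than 32-bit Windows, so it compiles and runs anywhere.

```c
/*
 * Added example: walk a SystemProcessInformation buffer by NextEntryDelta
 * and unlink one entry. Constructed data, not a live ZwQuerySystemInformation
 * result; offsets are host-ABI, not 32-bit Windows.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef uint32_t ULONG;
typedef int32_t  KPRIORITY;
typedef struct { int64_t QuadPart; } LARGE_INTEGER;
typedef struct { uint16_t Length; uint16_t MaximumLength; uint16_t *Buffer; } UNICODE_STRING;

/* Leading fields of _SYSTEM_PROCESSES, up to the ones a hook reads. The real
 * entry continues with counters and a variable-length thread array, which is
 * why the next entry must be reached via NextEntryDelta, not sizeof(). */
typedef struct _SYSTEM_PROCESSES_HEAD {
    ULONG          NextEntryDelta;        /* byte offset to the next entry, 0 = last */
    ULONG          ThreadCount;
    ULONG          Reserved[6];
    LARGE_INTEGER  CreateTime, UserTime, KernelTime;
    UNICODE_STRING ProcessName;
    KPRIORITY      BasePriority;
    ULONG          ProcessId;
    ULONG          InheritedFromProcessId;
    ULONG          HandleCount;
} SYSTEM_PROCESSES_HEAD;

/* Stands in for the caller-supplied SystemInformation buffer. */
static uint8_t g_buf[4096];

#define NEXT(p) ((SYSTEM_PROCESSES_HEAD *)((uint8_t *)(p) + (p)->NextEntryDelta))

/* Constructed sample: four processes with different thread counts, so the
 * per-entry stride is not constant. Returns the number of bytes written. */
size_t build_sample_buffer(void)
{
    static const ULONG pids[]    = { 4, 1234, 5678, 900 };   /* made-up PIDs */
    static const ULONG threads[] = { 60, 3, 12, 1 };
    size_t off = 0;
    memset(g_buf, 0, sizeof g_buf);
    for (size_t i = 0; i < 4; i++) {
        SYSTEM_PROCESSES_HEAD *e = (SYSTEM_PROCESSES_HEAD *)(g_buf + off);
        /* head plus a fake 16-byte-per-thread tail, rounded up to 8 for alignment */
        size_t len = (sizeof *e + threads[i] * 16 + 7) & ~(size_t)7;
        if (off + len > sizeof g_buf) return 0;
        e->ThreadCount    = threads[i];
        e->ProcessId      = pids[i];
        e->NextEntryDelta = (i == 3) ? 0 : (ULONG)len;
        off += len;
    }
    return off;
}

/* Walk the list the way a consumer such as Task Manager does: follow deltas until 0. */
int count_entries(uint8_t *buf)
{
    SYSTEM_PROCESSES_HEAD *e = (SYSTEM_PROCESSES_HEAD *)buf;
    int n = 1;
    while (e->NextEntryDelta) { e = NEXT(e); n++; }
    return n;
}

int find_pid(uint8_t *buf, ULONG pid)
{
    SYSTEM_PROCESSES_HEAD *e = (SYSTEM_PROCESSES_HEAD *)buf;
    for (;;) {
        if (e->ProcessId == pid) return 1;
        if (!e->NextEntryDelta) return 0;
        e = NEXT(e);
    }
}

/* Unlink the entry for `pid` by folding its delta into the previous entry's.
 * Returns 1 if hidden, 0 if not found or if it is the list head, which has no
 * predecessor to repoint (in practice the head is the System Idle Process). */
int hide_pid(uint8_t *buf, ULONG pid)
{
    SYSTEM_PROCESSES_HEAD *prev = (SYSTEM_PROCESSES_HEAD *)buf;
    if (prev->ProcessId == pid) return 0;
    while (prev->NextEntryDelta) {
        SYSTEM_PROCESSES_HEAD *cur = NEXT(prev);
        if (cur->ProcessId == pid) {
            /* if cur is the last entry, prev becomes last; otherwise skip over cur */
            prev->NextEntryDelta = cur->NextEntryDelta
                                 ? prev->NextEntryDelta + cur->NextEntryDelta : 0;
            return 1;
        }
        prev = cur;
    }
    return 0;
}

/* The post's shortcut: zero the head's delta and everything after it disappears. */
void truncate_after_first(uint8_t *buf)
{
    ((SYSTEM_PROCESSES_HEAD *)buf)->NextEntryDelta = 0;
}

int main(void)
{
    build_sample_buffer();
    printf("entries: %d\n", count_entries(g_buf));                       /* 4 */
    hide_pid(g_buf, 5678);
    printf("after hiding 5678: %d entries, found=%d\n",
           count_entries(g_buf), find_pid(g_buf, 5678));                 /* 3, 0 */
    truncate_after_first(g_buf);
    printf("after NextEntryDelta = 0 on the head: %d\n", count_entries(g_buf)); /* 1 */
    return 0;
}
```

The unlink leaves the hidden entry's bytes in place; only the chain of deltas changes, so anything that scans the buffer linearly rather than following NextEntryDelta will still see it. That gap is one of the classic ways such a hook gets detected.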

Reference: Rootkits: Subverting the Windows Kernel, by Greg Hoglund and James Butler.
