You can use EPROCESS.WnfContext to find the list of processes. Let's see how this can be done:
kd> ? nt!ExpWnfProcessesListHead
Evaluate expression: -8781752063864 = fffff803`56c9a888
kd> dp fffff803`56c9a888
fffff803`56c9a888 fffff8a0`00125750 fffff8a0`021fb760
fffff803`56c9a898 00000000`00840082 fffff803`56a43460
fffff803`56c9a8a8 00000000`00120010 fffff803`56a43448
fffff803`56c9a8b8 00000000`00000060 00000000`00000058
fffff803`56c9a8c8 fffff803`56693df0 fffff803`56693dd8
fffff803`56c9a8d8 00000000`00760074 fffff803`56a41cd0
fffff803`56c9a8e8 00000000`00240022 fffff803`56a416c0
fffff803`56c9a8f8 00000000`00140012 fffff803`56a416a8
kd> !pool fffff8a0`00125750 2
Pool page fffff8a000125750 region is Paged pool
*fffff8a000125730 size: f0 previous size: 90 (Allocated) *Wnf
Pooltag Wnf : Windows Notification Facility, Binary : nt!wnf
kd> dp fffff8a0`00125740
fffff8a0`00125740 00000000`00d80906 fffffa80`018a46c0
fffff8a0`00125750 fffff8a0`0010b9e0 fffff803`56c9a888
fffff8a0`00125760 00000000`00000000 00000000`00000000
fffff8a0`00125770 00000000`00000000 00000000`00000000
fffff8a0`00125780 fffff8a0`020c5a50 fffff8a0`00f03690
fffff8a0`00125790 00000000`00000000 fffff8a0`00129028
fffff8a0`001257a0 fffff8a0`015ee5c8 00000000`00000000
fffff8a0`001257b0 fffff8a0`001257b0 fffff8a0`001257b0
kd> !process fffffa80`018a46c0 0
PROCESS fffffa80018a46c0
SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000
DirBase: 00187000 ObjectTable: fffff8a000003000 HandleCount:
Image: System
kd> dp fffff8a0`0010b9d0
fffff8a0`0010b9d0 00000000`00d80906 fffffa80`038b4940
fffff8a0`0010b9e0 fffff8a0`058ed020 fffff8a0`00125750
fffff8a0`0010b9f0 fffff8a0`00117f40 00000000`00000000
fffff8a0`0010ba00 00000000`00000000 00000000`00000000
fffff8a0`0010ba10 fffff8a0`0010ba10 fffff8a0`0010ba10
fffff8a0`0010ba20 00000000`00000000 fffff8a0`0010b938
fffff8a0`0010ba30 fffff8a0`0587f968 00000000`00000000
fffff8a0`0010ba40 fffff8a0`0010ba40 fffff8a0`0010ba40
kd> !process fffffa80`038b4940 0
PROCESS fffffa80038b4940
SessionId: 0 Cid: 0148 Peb: 7f630624000 ParentCid: 0140
DirBase: 10feb000 ObjectTable: fffff8a000555cc0 HandleCount:
Image: csrss.exe
The WnfContext is created in the function ExpWnfCreateProcessContext and looks like this:
struct _wnf_ctx_internal
{
    PVOID sign;        /* signature: 880906 (x86) / d80906 (x64) */
    PEPROCESS proc;    /* owning process (what !process was run on above) */
    LIST_ENTRY Entry;  /* linked into the list headed by nt!ExpWnfProcessesListHead */
};
So it's easy to iterate over the list of WnfContexts: the head of the list is stored in nt!ExpWnfProcessesListHead, and each entry's proc field gives the owning EPROCESS, as the !process commands above show.
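As an added example (not code from the post), here is a user-mode simulation of that walk in C: the context layout is the one above, the kernel types LIST_ENTRY and EPROCESS are minimal stand-ins, the list contents are constructed, and each entry's signature is checked before its proc pointer is trusted.

```c
#include <stddef.h>
#include <stdint.h>
/* Stand-ins for the kernel types, constructed for this user-mode demo. */
typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;
typedef struct _EPROCESS { char ImageFileName[16]; } EPROCESS;
#define WNF_CTX_SIGN_X64 0xd80906u   /* value seen at +0 in the dumps above */

/* Layout from the post: sign at +0, proc at +8, Entry at +0x10 (x64). */
struct _wnf_ctx_internal { void *sign; EPROCESS *proc; LIST_ENTRY Entry; };

#define CONTAINING_RECORD(addr, type, field) \
    ((type *)((char *)(addr) - offsetof(type, field)))

/* Walk the list headed by ExpWnfProcessesListHead, collecting each context's EPROCESS.
   Returns the count, or -1 if an entry fails the signature check. At most max entries
   are followed, so a corrupted (cyclic) list cannot spin the walk forever. */
int walk_wnf_processes(const LIST_ENTRY *head, EPROCESS **out, size_t max)
{
    size_t n = 0;
    for (const LIST_ENTRY *e = head->Flink; e != head && n < max; e = e->Flink) {
        const struct _wnf_ctx_internal *ctx =
            CONTAINING_RECORD(e, struct _wnf_ctx_internal, Entry);
        if ((uintptr_t)ctx->sign != WNF_CTX_SIGN_X64)
            return -1;               /* not a WnfContext: stop instead of following it */
        out[n++] = ctx->proc;
    }
    return (int)n;
}

/* Constructed sample: three contexts tail-inserted on a list head (not real kernel memory). */
EPROCESS sample_procs[3] = { {"System"}, {"smss.exe"}, {"csrss.exe"} };
struct _wnf_ctx_internal sample_ctx[3];
LIST_ENTRY sample_head;
EPROCESS *sample_found[8];

LIST_ENTRY *build_sample_list(int corrupt_last)
{
    sample_head.Flink = sample_head.Blink = &sample_head;
    for (int i = 0; i < 3; i++) {
        sample_ctx[i].sign = (void *)(uintptr_t)WNF_CTX_SIGN_X64;
        sample_ctx[i].proc = &sample_procs[i];
        sample_ctx[i].Entry.Flink = &sample_head;        /* InsertTailList */
        sample_ctx[i].Entry.Blink = sample_head.Blink;
        sample_head.Blink->Flink = &sample_ctx[i].Entry;
        sample_head.Blink = &sample_ctx[i].Entry;
    }
    if (corrupt_last)
        sample_ctx[2].sign = 0;                          /* simulate a clobbered entry */
    return &sample_head;
}

/* Walk the sample list into sample_found; returns what walk_wnf_processes returns. */
int sample_walk(int corrupt_last, size_t max)
{
    return walk_wnf_processes(build_sample_list(corrupt_last), sample_found, max);
}
```

In a real debugger session the same loop is driven from the value of nt!ExpWnfProcessesListHead, with the signature check telling you when a link no longer points at a WnfContext.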