type
 TPROCESS = packed record
    ProcessId : dword;
    ImageName : array [0..15] of Char;
    pEPROCESS : dword;
    ParrentPid: dword;
    end;

 PSYS_PROCESSES = ^TSYS_PROCESSES;
 TSYS_PROCESSES = packed record
   ProcessesCount: dword;
   Process: array[0..0] of TPROCESS;
   end;
   
{ Получение списка процессов прямым доступом к структурам ядра. }
function GetProcesses(): PSYS_PROCESSES;
var
 Eprocess: array [0..$600] of byte;
 CurrentStruct: dword;
 CurrSize: dword;
 OldPriority: dword;
begin
 CurrSize := SizeOf(TSYS_PROCESSES);
 GetMem(Result, CurrSize);
 ZeroMemory(Result, CurrSize);
 ZeroMemory(@Eprocess, $600);
 CurrentStruct := UndocData.BaseProcStrAdr + UndocData.ActivePsListOffset;
 OldPriority := GetThreadPriority($FFFFFFFE);
 SetThreadPriority($FFFFFFFE, THREAD_PRIORITY_TIME_CRITICAL);
 repeat
  CurrentStruct := CurrentStruct - UndocData.ActivePsListOffset;
  Ring0CopyMemory(pointer(CurrentStruct), @Eprocess, $220);
  if pdword(dword(@Eprocess) + UndocData.ppIdOffset)^ > 0 then
     begin
      Inc(CurrSize, SizeOf(TPROCESS));
      ReallocMem(Result, CurrSize);
      Result^.Process[Result^.ProcessesCount].ProcessId :=
                                pdword(dword(@Eprocess) + UndocData.PidOffset)^;
      Result^.Process[Result^.ProcessesCount].pEPROCESS := CurrentStruct;
      lstrcpyn(@Result^.Process[Result^.ProcessesCount].ImageName,
              PChar(dword(@Eprocess) + UndocData.NameOffset), 16);
      Result^.Process[Result^.ProcessesCount].ParrentPid :=
                                pdword(dword(@Eprocess) + UndocData.ppIdOffset)^;

      Inc(Result^.ProcessesCount);
     end;
  CurrentStruct := pdword(dword(@Eprocess) + UndocData.ActivePsListOffset)^;
  if CurrentStruct < $80000000 then break;
 until CurrentStruct = UndocData.BaseProcStrAdr + UndocData.ActivePsListOffset;
 SetThreadPriority($FFFFFFFE, OldPriority);
end;