What is a process

A process is, at bottom, a specially tagged region of memory.

Process structure

Because Windows is not a monolithic kernel, the process structure is split into two parts: the executive part (_EPROCESS) and the microkernel part (_KPROCESS).

Executive structure (_EPROCESS)

0: kd> dt _EPROCESS
ntdll!_EPROCESS
+0x000 Pcb : _KPROCESS // kernel (microkernel) part
+0x098 ProcessLock : _EX_PUSH_LOCK // EPROCESS process lock
+0x0a0 CreateTime : _LARGE_INTEGER // process creation time
+0x0a8 ExitTime : _LARGE_INTEGER // process exit time
+0x0b0 RundownProtect : _EX_RUNDOWN_REF // lock (rundown protection)
+0x0b4 UniqueProcessId : Ptr32 Void // process PID
+0x0b8 ActiveProcessLinks : _LIST_ENTRY // process list: all visible processes
+0x0c0 ProcessQuotaUsage : [2] Uint4B // performance accounting
+0x0c8 ProcessQuotaPeak : [2] Uint4B
+0x0d0 CommitCharge : Uint4B
+0x0d4 QuotaBlock : Ptr32 _EPROCESS_QUOTA_BLOCK
+0x0d8 CpuQuotaBlock : Ptr32 _PS_CPU_QUOTA_BLOCK
+0x0dc PeakVirtualSize : Uint4B
+0x0e0 VirtualSize : Uint4B
+0x0e4 SessionProcessLinks : _LIST_ENTRY // session process list
+0x0ec DebugPort : Ptr32 Void // a ring-3 debugger attaching creates a debug object here
+0x0f0 ExceptionPortData : Ptr32 Void // exception reporting
+0x0f0 ExceptionPortValue : Uint4B
+0x0f0 ExceptionPortState : Pos 0, 3 Bits
+0x0f4 ObjectTable : Ptr32 _HANDLE_TABLE // private handle table
+0x0f8 Token : _EX_FAST_REF // describes the current privileges (token)
+0x0fc WorkingSetPage : Uint4B // how many pages are in the working set
+0x100 AddressCreationLock : _EX_PUSH_LOCK // mutex (push lock)
+0x104 RotateInProgress : Ptr32 _ETHREAD
+0x108 ForkInProgress : Ptr32 _ETHREAD
+0x10c HardwareTrigger : Uint4B // hardware trigger count
+0x110 PhysicalVadRoot : Ptr32 _MM_AVL_TABLE // VAD tree for physical-page management
+0x114 CloneRoot : Ptr32 Void // clone
+0x118 NumberOfPrivatePages : Uint4B
+0x11c NumberOfLockedPages : Uint4B
+0x120 Win32Process : Ptr32 Void // whether this is a UI process
+0x124 Job : Ptr32 _EJOB // job object
+0x128 SectionObject : Ptr32 Void // section object
+0x12c SectionBaseAddress : Ptr32 Void // ImageBase of the EXE
+0x130 Cookie : Uint4B // pointers are encoded/decoded by XOR with this value
+0x134 Spare8 : Uint4B
+0x138 WorkingSetWatch : Ptr32 _PAGEFAULT_HISTORY // detects reads by others
+0x13c Win32WindowStation : Ptr32 Void
+0x140 InheritedFromUniqueProcessId : Ptr32 Void // who created this process (parent PID)
+0x144 LdtInformation : Ptr32 Void // LDT
+0x148 VdmObjects : Ptr32 Void // virtual-8086 mode objects
+0x14c ConsoleHostProcess : Uint4B // console host handle
+0x150 DeviceMap : Ptr32 Void
+0x154 EtwDataSource : Ptr32 Void // ETW data
+0x158 FreeTebHint : Ptr32 Void
+0x160 PageDirectoryPte : _HARDWARE_PTE_X86
+0x160 Filler : Uint8B
+0x168 Session : Ptr32 Void // session object
+0x16c ImageFileName : [15] UChar // process name
+0x17b PriorityClass : UChar // priority class
+0x17c JobLinks : _LIST_ENTRY // job list
+0x184 LockedPagesList : Ptr32 Void // locked pages list
+0x188 ThreadListHead : _LIST_ENTRY // thread list
+0x190 SecurityPort : Ptr32 Void // security port
+0x194 PaeTop : Ptr32 Void
+0x198 ActiveThreads : Uint4B // number of active threads
+0x19c ImagePathHash : Uint4B // hash of the image path
+0x1a0 DefaultHardErrorProcessing : Uint4B
+0x1a4 LastThreadExitStatus : Int4B
+0x1a8 Peb : Ptr32 _PEB
+0x1ac PrefetchTrace : _EX_FAST_REF
+0x1b0 ReadOperationCount : _LARGE_INTEGER // if the process does file I/O: read/write/other operation statistics
+0x1b8 WriteOperationCount : _LARGE_INTEGER
+0x1c0 OtherOperationCount : _LARGE_INTEGER
+0x1c8 ReadTransferCount : _LARGE_INTEGER
+0x1d0 WriteTransferCount : _LARGE_INTEGER
+0x1d8 OtherTransferCount : _LARGE_INTEGER
+0x1e0 CommitChargeLimit : Uint4B
+0x1e4 CommitChargePeak : Uint4B
+0x1e8 AweInfo : Ptr32 Void
+0x1ec SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO // this also holds an image name
+0x1f0 Vm : _MMSUPPORT // working set
+0x25c MmProcessLinks : _LIST_ENTRY
+0x264 HighestUserAddress : Ptr32 Void
+0x268 ModifiedPageCount : Uint4B
+0x26c Flags2 : Uint4B
+0x26c JobNotReallyActive : Pos 0, 1 Bit
+0x26c AccountingFolded : Pos 1, 1 Bit
+0x26c NewProcessReported : Pos 2, 1 Bit
+0x26c ExitProcessReported : Pos 3, 1 Bit // error reporting
+0x26c ReportCommitChanges : Pos 4, 1 Bit
+0x26c LastReportMemory : Pos 5, 1 Bit
+0x26c ReportPhysicalPageChanges : Pos 6, 1 Bit
+0x26c HandleTableRundown : Pos 7, 1 Bit
+0x26c NeedsHandleRundown : Pos 8, 1 Bit
+0x26c RefTraceEnabled : Pos 9, 1 Bit
+0x26c NumaAware : Pos 10, 1 Bit
+0x26c ProtectedProcess : Pos 11, 1 Bit // user-mode access protection; prevents debugging
+0x26c DefaultPagePriority : Pos 12, 3 Bits
+0x26c PrimaryTokenFrozen : Pos 15, 1 Bit
+0x26c ProcessVerifierTarget : Pos 16, 1 Bit
+0x26c StackRandomizationDisabled : Pos 17, 1 Bit
+0x26c AffinityPermanent : Pos 18, 1 Bit
+0x26c AffinityUpdateEnable : Pos 19, 1 Bit
+0x26c PropagateNode : Pos 20, 1 Bit
+0x26c ExplicitAffinity : Pos 21, 1 Bit
+0x270 Flags : Uint4B
+0x270 CreateReported : Pos 0, 1 Bit
+0x270 NoDebugInherit : Pos 1, 1 Bit
+0x270 ProcessExiting : Pos 2, 1 Bit // whether the process is exiting
+0x270 ProcessDelete : Pos 3, 1 Bit
+0x270 Wow64SplitPages : Pos 4, 1 Bit
+0x270 VmDeleted : Pos 5, 1 Bit
+0x270 OutswapEnabled : Pos 6, 1 Bit
+0x270 Outswapped : Pos 7, 1 Bit
+0x270 ForkFailed : Pos 8, 1 Bit
+0x270 Wow64VaSpace4Gb : Pos 9, 1 Bit
+0x270 AddressSpaceInitialized : Pos 10, 2 Bits
+0x270 SetTimerResolution : Pos 12, 1 Bit
+0x270 BreakOnTermination : Pos 13, 1 Bit // system process
+0x270 DeprioritizeViews : Pos 14, 1 Bit
+0x270 WriteWatch : Pos 15, 1 Bit
+0x270 ProcessInSession : Pos 16, 1 Bit
+0x270 OverrideAddressSpace : Pos 17, 1 Bit
+0x270 HasAddressSpace : Pos 18, 1 Bit
+0x270 LaunchPrefetched : Pos 19, 1 Bit
+0x270 InjectInpageErrors : Pos 20, 1 Bit
+0x270 VmTopDown : Pos 21, 1 Bit
+0x270 ImageNotifyDone : Pos 22, 1 Bit
+0x270 PdeUpdateNeeded : Pos 23, 1 Bit
+0x270 VdmAllowed : Pos 24, 1 Bit // address allocation direction: 0 = bottom-up, 1 = top-down
+0x270 CrossSessionCreate : Pos 25, 1 Bit
+0x270 ProcessInserted : Pos 26, 1 Bit // blocks attach; Task Manager cannot end the process
+0x270 DefaultIoPriority : Pos 27, 3 Bits
+0x270 ProcessSelfDelete : Pos 30, 1 Bit // whether the process closed itself
+0x270 SetTimerResolutionLink : Pos 31, 1 Bit
+0x274 ExitStatus : Int4B // process exit code
+0x278 VadRoot : _MM_AVL_TABLE
+0x298 AlpcContext : _ALPC_PROCESS_CONTEXT
+0x2a8 TimerResolutionLink : _LIST_ENTRY
+0x2b0 RequestedTimerResolution : Uint4B
+0x2b4 ActiveThreadsHighWatermark : Uint4B
+0x2b8 SmallestTimerResolution : Uint4B
+0x2bc TimerResolutionStackRecord : Ptr32 _PO_DIAG_STACK_RECORD

Microkernel structure (_KPROCESS)

0: kd> dt _KPROCESS
ntdll!_KPROCESS
+0x000 Header : _DISPATCHER_HEADER
+0x010 ProfileListHead : _LIST_ENTRY // profiling list (_LIST_ENTRY: doubly linked list)
+0x018 DirectoryTableBase : Uint4B // process CR3
+0x01c LdtDescriptor : _KGDTENTRY // LDT descriptor
+0x024 Int21Descriptor : _KIDTENTRY // INT 21h descriptor for virtual-8086 mode
+0x02c ThreadListHead : _LIST_ENTRY // every thread belonging to this process is linked into this list
+0x034 ProcessLock : Uint4B // process lock: take it before modifying KPROCESS, to prevent concurrent modification
+0x038 Affinity : _KAFFINITY_EX // affinity: which cores the created threads run on
+0x044 ReadyListHead : _LIST_ENTRY // ready list: a thread that becomes ready is inserted here to wait for scheduling
+0x04c SwapListEntry : _SINGLE_LIST_ENTRY // records the data swapped out to disk (_SINGLE_LIST_ENTRY: singly linked list)
+0x050 ActiveProcessors : _KAFFINITY_EX // which cores are currently in use
+0x05c AutoAlignment : Pos 0, 1 Bit // whether to auto-align
+0x05c DisableBoost : Pos 1, 1 Bit // thread priority (boost)
+0x05c DisableQuantum : Pos 2, 1 Bit // disable the time quantum
+0x05c ActiveGroupsMask : Pos 3, 1 Bit
+0x05c ReservedFlags : Pos 4, 28 Bits
+0x05c ProcessFlags : Int4B // process flags
+0x060 BasePriority : Char // process default priority 1-32
+0x061 QuantumReset : Char // quantum record; when it reaches 0 the thread is switched out
+0x062 Visited : UChar
+0x063 Unused3 : UChar
+0x064 ThreadSeed : [1] Uint4B // seed used when threads adjust priority
+0x068 IdealNode : [1] Uint2B
+0x06a IdealGlobalNode : Uint2B
+0x06c Flags : _KEXECUTE_OPTIONS // DEP (Data Execution Prevention)
+0x06d Unused1 : UChar
+0x06e IopmOffset : Uint2B // I/O permission offset: IoMapBase of the TSS plus this gives the ring-3 I/O permission bitmap; related to the IOPL bits in EFLAGS
+0x070 Unused4 : Uint4B
+0x074 StackCount : _KSTACK_COUNT
+0x078 ProcessListEntry : _LIST_ENTRY // process list; not used on Win7 and later
+0x080 CycleTime : Uint8B // timing
+0x088 KernelTime : Uint4B
+0x08c UserTime : Uint4B
+0x090 VdmTrapcHandler : Ptr32 Void

_DISPATCHER_HEADER members (8 bytes)

Only an object that carries this header can be waited on.

0: kd> dt _DISPATCHER_HEADER
ntdll!_DISPATCHER_HEADER
+0x000 Type : UChar
+0x001 TimerControlFlags : UChar
+0x001 Absolute : Pos 0, 1 Bit
+0x001 Coalescable : Pos 1, 1 Bit
+0x001 KeepShifting : Pos 2, 1 Bit
+0x001 EncodedTolerableDelay : Pos 3, 5 Bits
+0x001 Abandoned : UChar
+0x001 Signalling : UChar
+0x002 ThreadControlFlags : UChar
+0x002 CpuThrottled : Pos 0, 1 Bit
+0x002 CycleProfiling : Pos 1, 1 Bit
+0x002 CounterProfiling : Pos 2, 1 Bit
+0x002 Reserved : Pos 3, 5 Bits
+0x002 Hand : UChar
+0x002 Size : UChar
+0x003 TimerMiscFlags : UChar
+0x003 Index : Pos 0, 1 Bit
+0x003 Processor : Pos 1, 5 Bits
+0x003 Inserted : Pos 6, 1 Bit
+0x003 Expired : Pos 7, 1 Bit
+0x003 DebugActive : UChar // DebugActive field
+0x003 ActiveDR7 : Pos 0, 1 Bit // whether DR7 is active
+0x003 Instrumented : Pos 1, 1 Bit
+0x003 Reserved2 : Pos 2, 4 Bits // reserved
+0x003 UmsScheduled : Pos 6, 1 Bit // lightweight (user-mode) thread scheduling
+0x003 UmsPrimary : Pos 7, 1 Bit
+0x003 DpcActive : UChar // DPC active
+0x000 Lock : Int4B
+0x004 SignalState : Int4B
+0x008 WaitListHead : _LIST_ENTRY

_KEXECUTE_OPTIONS members

0: kd> dt _KEXECUTE_OPTIONS
ntdll!_KEXECUTE_OPTIONS
+0x000 ExecuteDisable : Pos 0, 1 Bit // execution disabled (1)
+0x000 ExecuteEnable : Pos 1, 1 Bit // execution enabled (0)
+0x000 DisableThunkEmulation : Pos 2, 1 Bit
+0x000 Permanent : Pos 3, 1 Bit
+0x000 ExecuteDispatchEnable : Pos 4, 1 Bit
+0x000 ImageDispatchEnable : Pos 5, 1 Bit
+0x000 DisableExceptionChainValidation : Pos 6, 1 Bit
+0x000 Spare : Pos 7, 1 Bit
+0x000 ExecuteOptions : UChar

KPCR

Use WinDbg's dd KeNumberProcessors command to see how many cores are present (this symbol is exported).


Use WinDbg's dd KiProcessorBlock command to view the array of all KPRCB pointers (this symbol is not exported).


Looking up the KPCR through the GDTR in WinDbg shows 807d3000.


So what is the extra 0x120 in the KPRCB address? Dumping the KPCR structure in WinDbg shows that the KPRCB sits at offset 0x120.


1: kd> dt _KPCR 807d3000
ntdll!_KPCR
+0x000 NtTib : _NT_TIB
+0x000 Used_ExceptionList : 0x807ef10c _EXCEPTION_REGISTRATION_RECORD // exception (SEH) list
+0x004 Used_StackBase : (null)
+0x008 Spare2 : (null)
+0x00c TssCopy : 0x807d6750 Void // TSS copy: holds the first TSS (_KTSS)
+0x010 ContextSwitches : 0x47c9b // count of ring 3 -> ring 0 and ring 0 -> ring 3 transitions
+0x014 SetMemberCopy : 2
+0x018 Used_Self : (null) // pointer to this KPCR (used only on XP)
+0x01c SelfPcr : 0x807d3000 _KPCR // pointer to itself (the one used now)
+0x020 Prcb : 0x807d3120 _KPRCB // points to _KPRCB at +0x120, because the part below is variable-sized
+0x024 Irql : 0x1f '' // IRQL; very high because WinDbg has broken in
+0x028 IRR : 0 // interrupt request register
+0x02c IrrActive : 0
+0x030 IDR : 0xffffffff
+0x034 KdVersionBlock : (null) // non-null only on the first core: DBGKD_GET_VERSION64
+0x038 IDT : 0x807dc020 _KIDTENTRY
+0x03c GDT : 0x807dbc20 _KGDTENTRY
+0x040 TSS : 0x807d6750 _KTSS
+0x044 MajorVersion : 1 // KPCR version
+0x046 MinorVersion : 1
+0x048 SetMember : 2
+0x04c StallScaleFactor : 0xaf8
+0x050 SpareUnused : 0 ''
+0x051 Number : 0x1 '' // number of this core
+0x052 Spare0 : 0 ''
+0x053 SecondLevelCacheAssociativity : 0 ''
+0x054 VdmAlert : 0
+0x058 KernelReserved : [14] 0
+0x090 SecondLevelCacheSize : 0
+0x094 HalReserved : [16] 1
+0x0d4 InterruptMode : 0
+0x0d8 Spare1 : 0 ''
+0x0dc KernelReserved2 : [17] 0
+0x120 PrcbData : _KPRCB

KPRCB

1: kd> dt _KPRCB 807d3000+120
ntdll!_KPRCB
+0x000 MinorVersion : 1
+0x002 MajorVersion : 1
+0x004 CurrentThread : 0x807d8800 _KTHREAD // fs:[0x124] yields the current thread
+0x008 NextThread : (null) // next (standby) thread
+0x00c IdleThread : 0x807d8800 _KTHREAD // idle thread
+0x010 LegacyNumber : 0x1 ''
+0x011 NestingLevel : 0x1 ''
+0x012 BuildType : 0
+0x014 CpuType : 6 ''
+0x015 CpuID : 1 ''
+0x016 CpuStep : 0x9e09
+0x016 CpuStepping : 0x9 ''
+0x017 CpuModel : 0x9e ''
+0x018 ProcessorState : _KPROCESSOR_STATE
+0x338 KernelReserved : [16] 0
+0x378 HalReserved : [16] 0x9600
+0x3b8 CFlushSize : 0x40
+0x3bc CoresPerPhysicalProcessor : 0x2 ''
+0x3bd LogicalProcessorsPerCore : 0x1 ''
+0x3be PrcbPad0 : [2] ""
+0x3c0 MHz : 0xaf8
+0x3c4 CpuVendor : 0x1 ''
+0x3c5 GroupIndex : 0x1 ''
+0x3c6 Group : 0
+0x3c8 GroupSetMember : 2
+0x3cc Number : 1
+0x3d0 PrcbPad1 : [72] ""
+0x418 LockQueue : [17] _KSPIN_LOCK_QUEUE
+0x4a0 NpxThread : (null)
+0x4a4 InterruptCount : 0x65784
+0x4a8 KernelTime : 0x7525
+0x4ac UserTime : 0x17c
+0x4b0 DpcTime : 4
+0x4b4 DpcTimeCount : 0
+0x4b8 InterruptTime : 0x23
+0x4bc AdjustDpcThreshold : 0x12
+0x4c0 PageColor : 0x21e1
+0x4c4 DebuggerSavedIRQL : 0x1c ''
+0x4c5 NodeColor : 0 ''
+0x4c6 PrcbPad20 : [2] ""
+0x4c8 NodeShiftedColor : 0
+0x4cc ParentNode : 0x83f4d300 _KNODE
+0x4d0 SecondaryColorMask : 0x7f
+0x4d4 DpcTimeLimit : 0
+0x4d8 PrcbPad21 : [2] 0
+0x4e0 CcFastReadNoWait : 0
+0x4e4 CcFastReadWait : 0x10ce
+0x4e8 CcFastReadNotPossible : 0
+0x4ec CcCopyReadNoWait : 0
+0x4f0 CcCopyReadWait : 0x1688
+0x4f4 CcCopyReadNoWaitMiss : 0
+0x4f8 MmSpinLockOrdering : 0n0
+0x4fc IoReadOperationCount : 0n7122
+0x500 IoWriteOperationCount : 0n1605
+0x504 IoOtherOperationCount : 0n331141
+0x508 IoReadTransferCount : _LARGE_INTEGER 0x88b6ba8
+0x510 IoWriteTransferCount : _LARGE_INTEGER 0x5e1255
+0x518 IoOtherTransferCount : _LARGE_INTEGER 0x40f9f8
+0x520 CcFastMdlReadNoWait : 0
+0x524 CcFastMdlReadWait : 0
+0x528 CcFastMdlReadNotPossible : 0
+0x52c CcMapDataNoWait : 0
+0x530 CcMapDataWait : 0x286ce
+0x534 CcPinMappedDataCount : 0x630
+0x538 CcPinReadNoWait : 0
+0x53c CcPinReadWait : 0x22b
+0x540 CcMdlReadNoWait : 0
+0x544 CcMdlReadWait : 0
+0x548 CcLazyWriteHotSpots : 0xd
+0x54c CcLazyWriteIos : 0x68
+0x550 CcLazyWritePages : 0xdc
+0x554 CcDataFlushes : 0x1a9
+0x558 CcDataPages : 0x315
+0x55c CcLostDelayedWrites : 0
+0x560 CcFastReadResourceMiss : 0
+0x564 CcCopyReadWaitMiss : 0x1e8a
+0x568 CcFastMdlReadResourceMiss : 0
+0x56c CcMapDataNoWaitMiss : 0
+0x570 CcMapDataWaitMiss : 0x5c9
+0x574 CcPinReadNoWaitMiss : 0
+0x578 CcPinReadWaitMiss : 7
+0x57c CcMdlReadNoWaitMiss : 0
+0x580 CcMdlReadWaitMiss : 0
+0x584 CcReadAheadIos : 0x2ef
+0x588 KeAlignmentFixupCount : 0
+0x58c KeExceptionDispatchCount : 0x8ed
+0x590 KeSystemCalls : 0x29d235
+0x594 AvailableTime : 0x8e
+0x598 PrcbPad22 : [2] 0
+0x5a0 PPLookasideList : [16] _PP_LOOKASIDE_LIST
+0x620 PPNPagedLookasideList : [32] _GENERAL_LOOKASIDE_POOL
+0xf20 PPPagedLookasideList : [32] _GENERAL_LOOKASIDE_POOL
+0x1820 PacketBarrier : 0
+0x1824 ReverseStall : 0n29
+0x1828 IpiFrame : 0x807efb28 Void
+0x182c PrcbPad3 : [52] ""
+0x1860 CurrentPacket : [3] (null)
+0x186c TargetSet : 0
+0x1870 WorkerRoutine : 0x83eaea43 void nt!KiFlushTargetMultipleRangeTb+0
+0x1874 IpiFrozen : 0x24
+0x1878 PrcbPad4 : [40] ""
+0x18a0 RequestSummary : 0
+0x18a4 SignalDone : (null)
+0x18a8 PrcbPad50 : [56] ""
+0x18e0 DpcData : [2] _KDPC_DATA
+0x1908 DpcStack : 0x807f4000 Void
+0x190c MaximumDpcQueueDepth : 0n4
+0x1910 DpcRequestRate : 0
+0x1914 MinimumDpcRate : 3
+0x1918 DpcLastCount : 0x775
+0x191c PrcbLock : 0
+0x1920 DpcGate : _KGATE
+0x1930 ThreadDpcEnable : 0x1 ''
+0x1931 QuantumEnd : 0 ''
+0x1932 DpcRoutineActive : 0 ''
+0x1933 IdleSchedule : 0 ''
+0x1934 DpcRequestSummary : 0n0
+0x1934 DpcRequestSlot : [2] 0n0
+0x1934 NormalDpcState : 0n0
+0x1936 DpcThreadActive : 0y0
+0x1936 ThreadDpcState : 0n0
+0x1938 TimerHand : 0x7a71
+0x193c LastTick : 0x7a74
+0x1940 MasterOffset : 0n0
+0x1944 PrcbPad41 : [2] 0
+0x194c PeriodicCount : 0
+0x1950 PeriodicBias : 0
+0x1958 TickOffset : 0xb19
+0x1960 TimerTable : _KTIMER_TABLE
+0x31a0 CallDpc : _KDPC
+0x31c0 ClockKeepAlive : 0n1
+0x31c4 ClockCheckSlot : 0 ''
+0x31c5 ClockPollCycle : 0x64 'd'
+0x31c6 PrcbPad6 : [2] ""
+0x31c8 DpcWatchdogPeriod : 0n0
+0x31cc DpcWatchdogCount : 0n0
+0x31d0 ThreadWatchdogPeriod : 0n0
+0x31d4 ThreadWatchdogCount : 0n0
+0x31d8 KeSpinLockOrdering : 0n0
+0x31dc PrcbPad70 : [1] 0
+0x31e0 WaitListHead : _LIST_ENTRY [ 0x86053c1c - 0x85ef9534 ]
+0x31e8 WaitLock : 0
+0x31ec ReadySummary : 0
+0x31f0 QueueIndex : 1
+0x31f4 DeferredReadyListHead : _SINGLE_LIST_ENTRY // deferred-ready list for thread switching (not on XP; Win7 and later only)
+0x31f8 StartCycles : 0x0000019e`a8b149e0
+0x3200 CycleTime : 0x0000002a`d163764d
+0x3208 HighCycleTime : 0x2a
+0x320c PrcbPad71 : 0
+0x3210 PrcbPad72 : [2] 0
+0x3220 DispatcherReadyListHead : [32] _LIST_ENTRY [ 0x807d6340 - 0x807d6340 ]
+0x3320 ChainedInterruptList : (null)
+0x3324 LookasideIrpFloat : 0n2147483647
+0x3328 MmPageFaultCount : 0n313770
+0x332c MmCopyOnWriteCount : 0n5357
+0x3330 MmTransitionCount : 0n130752
+0x3334 MmCacheTransitionCount : 0n0
+0x3338 MmDemandZeroCount : 0n163442
+0x333c MmPageReadCount : 0n37894
+0x3340 MmPageReadIoCount : 0n9143
+0x3344 MmCacheReadCount : 0n0
+0x3348 MmCacheIoCount : 0n0
+0x334c MmDirtyPagesWriteCount : 0n0
+0x3350 MmDirtyWriteIoCount : 0n0
+0x3354 MmMappedPagesWriteCount : 0n0
+0x3358 MmMappedWriteIoCount : 0n0
+0x335c CachedCommit : 0xf8
+0x3360 CachedResidentAvailable : 0xc0
+0x3364 HyperPte : 0x8d700004 Void
+0x3368 PrcbPad8 : [4] ""
+0x336c VendorString : [13] "GenuineIntel"
+0x3379 InitialApicId : 0x1 ''
+0x337a LogicalProcessorsPerPhysicalProcessor : 0x2 ''
+0x337b PrcbPad9 : [5] ""
+0x3380 FeatureBits : 0xa0cd3fff
+0x3388 UpdateSignature : _LARGE_INTEGER 0x0000008e`00000000
+0x3390 IsrTime : 0
+0x3398 RuntimeAccumulation : 0x00000001`237c6246
+0x33a0 PowerState : _PROCESSOR_POWER_STATE
+0x3468 DpcWatchdogDpc : _KDPC
+0x3488 DpcWatchdogTimer : _KTIMER
+0x34b0 WheaInfo : 0x85ef92ec Void
+0x34b4 EtwSupport : 0x85ed3008 Void
+0x34b8 InterruptObjectPool : _SLIST_HEADER
+0x34c0 HypercallPageList : _SLIST_HEADER
+0x34c8 HypercallPageVirtual : 0x807f4000 Void
+0x34cc VirtualApicAssist : (null)
+0x34d0 StatisticsPage : (null)
+0x34d4 RateControl : (null)
+0x34d8 Cache : [5] _CACHE_DESCRIPTOR
+0x3514 CacheCount : 4
+0x3518 CacheProcessorMask : [5] 2
+0x352c PackageProcessorSet : _KAFFINITY_EX
+0x3538 PrcbPad91 : [1] 0
+0x353c CoreProcessorSet : 2
+0x3540 TimerExpirationDpc : _KDPC
+0x3560 SpinLockAcquireCount : 0x3d8a6f
+0x3564 SpinLockContentionCount : 0x1ae8
+0x3568 SpinLockSpinCount : 0x2a39
+0x356c IpiSendRequestBroadcastCount : 0
+0x3570 IpiSendRequestRoutineCount : 0x1e890
+0x3574 IpiSendSoftwareInterruptCount : 0x10b6e
+0x3578 ExInitializeResourceCount : 0x4663
+0x357c ExReInitializeResourceCount : 0x411
+0x3580 ExDeleteResourceCount : 0x3b3c
+0x3584 ExecutiveResourceAcquiresCount : 0x37ad1c
+0x3588 ExecutiveResourceContentionsCount : 0xe20
+0x358c ExecutiveResourceReleaseExclusiveCount : 0xb483e
+0x3590 ExecutiveResourceReleaseSharedCount : 0x2c5f1c
+0x3594 ExecutiveResourceConvertsCount : 0x22c
+0x3598 ExAcqResExclusiveAttempts : 0xb1b32
+0x359c ExAcqResExclusiveAcquiresExclusive : 0xaa172
+0x35a0 ExAcqResExclusiveAcquiresExclusiveRecursive : 0x782d
+0x35a4 ExAcqResExclusiveWaits : 0x8c2
+0x35a8 ExAcqResExclusiveNotAcquires : 0x193
+0x35ac ExAcqResSharedAttempts : 0x2bcd37
+0x35b0 ExAcqResSharedAcquiresExclusive : 0x338b
+0x35b4 ExAcqResSharedAcquiresShared : 0x2b662e
+0x35b8 ExAcqResSharedAcquiresSharedRecursive : 0x3373
+0x35bc ExAcqResSharedWaits : 0x55e
+0x35c0 ExAcqResSharedNotAcquires : 0xb
+0x35c4 ExAcqResSharedStarveExclusiveAttempts : 0xc651
+0x35c8 ExAcqResSharedStarveExclusiveAcquiresExclusive : 1
+0x35cc ExAcqResSharedStarveExclusiveAcquiresShared : 0xc5d9
+0x35d0 ExAcqResSharedStarveExclusiveAcquiresSharedRecursive : 0x77
+0x35d4 ExAcqResSharedStarveExclusiveWaits : 0
+0x35d8 ExAcqResSharedStarveExclusiveNotAcquires : 0
+0x35dc ExAcqResSharedWaitForExclusiveAttempts : 0
+0x35e0 ExAcqResSharedWaitForExclusiveAcquiresExclusive : 0
+0x35e4 ExAcqResSharedWaitForExclusiveAcquiresShared : 0
+0x35e8 ExAcqResSharedWaitForExclusiveAcquiresSharedRecursive : 0
+0x35ec ExAcqResSharedWaitForExclusiveWaits : 0
+0x35f0 ExAcqResSharedWaitForExclusiveNotAcquires : 0
+0x35f4 ExSetResOwnerPointerExclusive : 0
+0x35f8 ExSetResOwnerPointerSharedNew : 0x191
+0x35fc ExSetResOwnerPointerSharedOld : 0x108
+0x3600 ExTryToAcqExclusiveAttempts : 0
+0x3604 ExTryToAcqExclusiveAcquires : 0
+0x3608 ExBoostExclusiveOwner : 0
+0x360c ExBoostSharedOwners : 0
+0x3610 ExEtwSynchTrackingNotificationsCount : 0
+0x3614 ExEtwSynchTrackingNotificationsAccountedCount : 0
+0x3618 Context : 0x8d710340 _CONTEXT
+0x361c ContextFlags : 0x1007f
+0x3620 ExtendedState : 0x8d710000 _XSAVE_AREA

DBGKD_GET_VERSION64

1: kd> dt _DBGKD_GET_VERSION64 0x83f42c00
nt!_DBGKD_GET_VERSION64
+0x000 MajorVersion : 0xf
+0x002 MinorVersion : 0x1db1
+0x004 ProtocolVersion : 0x6 ''
+0x005 KdSecondaryVersion : 0 ''
+0x006 Flags : 3
+0x008 MachineType : 0x14c
+0x00a MaxPacketType : 0xc ''
+0x00b MaxStateChange : 0x3 ''
+0x00c MaxManipulate : 0x2f '/'
+0x00d Simulation : 0 ''
+0x00e Unused : [1] 0
+0x010 KernBase : 0xffffffff`83e18000 // base of the kernel module
+0x018 PsLoadedModuleList : 0xffffffff`83f62850 // loaded driver list, _LDR_DATA_TABLE_ENTRY
+0x020 DebuggerDataList : 0xffffffff`84188fec // debugger data list


KDDEBUGGER_DATA64 (at run time the block is actually larger than this structure)

1: kd> dds 83f42c28 L100
ReadVirtual: 83f42ca8 not properly sign extended
83f42c28 84188fec nt!KdpDebuggerDataListHead
83f42c2c 84188fec nt!KdpDebuggerDataListHead
83f42c30 00000000
83f42c34 00000000
83f42c38 4742444b
83f42c3c 00000340
83f42c40 83e18000 nt!_imp__VidBitBlt <PERF> (nt+0x0)
83f42c44 00000000
83f42c48 83e93110 nt!RtlpBreakWithStatusInstruction
83f42c4c 00000000
83f42c50 00000000
83f42c54 00000000
83f42c58 00080130
83f42c5c 00010018
83f42c60 83e97584 nt!KiCallUserMode
83f42c64 00000000
83f42c68 00000000
83f42c6c 00000000
83f42c70 83f62850 nt!PsLoadedModuleList
83f42c74 00000000
83f42c78 83f5af18 nt!PsActiveProcessHead
83f42c7c 00000000
83f42c80 83f5af34 nt!PspCidTable
83f42c84 00000000
83f42c88 83f54718 nt!ExpSystemResourcesList
83f42c8c 00000000
83f42c90 83f54b60 nt!ExpPagedPoolDescriptor
83f42c94 00000000
83f42c98 83f82014 nt!ExpNumberOfPagedPools
83f42c9c 00000000
83f42ca0 83f82888 nt!KeTimeIncrement
83f42ca4 00000000
83f42ca8 83f7db60 nt!KeBugCheckCallbackListHead
83f42cac 00000000
83f42cb0 83f7aa40 nt!KiBugCheckData
83f42cb4 00000000
83f42cb8 83f807a0 nt!IopErrorLogListHead
83f42cbc 00000000
83f42cc0 83f5bac8 nt!ObpRootDirectoryObject
83f42cc4 00000000
83f42cc8 83f5bad4 nt!ObpTypeObjectType
83f42ccc 00000000
83f42cd0 00000000
83f42cd4 00000000
83f42cd8 00000000
83f42cdc 00000000
83f42ce0 83f4e540 nt!MmSystemCacheWs
83f42ce4 00000000
83f42ce8 83f82700 nt!MmPfnDatabase
83f42cec 00000000
83f42cf0 00000000
83f42cf4 00000000
83f42cf8 00000000
83f42cfc 00000000
83f42d00 83f82704 nt!MmSubsectionBase
83f42d04 00000000
83f42d08 83f61d84 nt!MmNumberOfPagingFiles
83f42d0c 00000000
83f42d10 83f82708 nt!MmLowestPhysicalPage
83f42d14 00000000
83f42d18 83f8270c nt!MmHighestPhysicalPage
83f42d1c 00000000
83f42d20 83f82710 nt!MmNumberOfPhysicalPages
83f42d24 00000000
83f42d28 83f82128 nt!MmMaximumNonPagedPoolInBytes
83f42d2c 00000000
83f42d30 00000000
83f42d34 00000000
83f42d38 83f8212c nt!MmNonPagedPoolStart
83f42d3c 00000000
83f42d40 00000000
83f42d44 00000000
83f42d48 00000000
83f42d4c 00000000
83f42d50 83f82098 nt!MmPagedPoolEnd
83f42d54 00000000
83f42d58 83f8209c nt!MmPagedPoolInfo
83f42d5c 00000000
83f42d60 00001000
83f42d64 00000000
83f42d68 83f825d0 nt!MmSizeOfPagedPoolInBytes
83f42d6c 00000000
83f42d70 83f61394 nt!MmTotalCommitLimit
83f42d74 00000000
83f42d78 83f61398 nt!MmTotalCommittedPages
83f42d7c 00000000
83f42d80 83f51224 nt!MmSharedCommit
83f42d84 00000000
83f42d88 83f628c0 nt!MmDriverCommit
83f42d8c 00000000
83f42d90 83f61378 nt!MmProcessCommit
83f42d94 00000000
83f42d98 83f613c0 nt!MmPagedPoolCommit
83f42d9c 00000000
83f42da0 00000000
83f42da4 00000000
83f42da8 83f83000 nt!MmZeroedPageListHead
83f42dac 00000000
83f42db0 83f83040 nt!MmFreePageListHead
83f42db4 00000000
83f42db8 83f83080 nt!MmStandbyPageListHead
83f42dbc 00000000
83f42dc0 83f830c0 nt!MmModifiedPageListHead
83f42dc4 00000000
83f42dc8 83f4294c nt!MmModifiedNoWritePageListHead
83f42dcc 00000000
83f42dd0 83f47480 nt!MmAvailablePages
83f42dd4 00000000
83f42dd8 83f47500 nt!MmResidentAvailablePages
83f42ddc 00000000
83f42de0 83f54c24 nt!PoolTrackTable
83f42de4 00000000
83f42de8 83f4f940 nt!NonPagedPoolDescriptor
83f42dec 00000000
83f42df0 83f82714 nt!MmHighestUserAddress
83f42df4 00000000
83f42df8 83f82718 nt!MmSystemRangeStart
83f42dfc 00000000
83f42e00 83f8271c nt!MmUserProbeAddress
83f42e04 00000000
83f42e08 84185000 nt!KdPrintDefaultCircularBuffer
83f42e0c 00000000
83f42e10 84186000 nt!KdPrintWritePointer
83f42e14 00000000
83f42e18 84186000 nt!KdPrintWritePointer
83f42e1c 00000000
83f42e20 84186004 nt!KdPrintRolloverCount
83f42e24 00000000
83f42e28 83f62e38 nt!MmLoadedUserImageList
83f42e2c 00000000
83f42e30 83e62fa8 nt!NtBuildLabEx
83f42e34 00000000
83f42e38 00000000
83f42e3c 00000000
83f42e40 83f828c0 nt!KiProcessorBlock
83f42e44 00000000
83f42e48 83f82560 nt!MmUnloadedDrivers
83f42e4c 00000000
83f42e50 83f6284c nt!MmLastUnloadedDriver
83f42e54 00000000
83f42e58 83f59ef4 nt!VerifierTriageActionTaken
83f42e5c 00000000
83f42e60 83f82144 nt!MmSpecialPoolTag
83f42e64 00000000
83f42e68 83f53a60 nt!KernelVerifier
83f42e6c 00000000
83f42e70 83f62b80 nt!MmVerifierData
83f42e74 00000000
83f42e78 83f620cc nt!MmAllocatedNonPagedPool
83f42e7c 00000000
83f42e80 83f613b8 nt!MmPeakCommitment
83f42e84 00000000
83f42e88 83f6139c nt!MmTotalCommitLimitMaximum
83f42e8c 00000000
83f42e90 83f81cbc nt!CmNtCSDVersion
83f42e94 00000000
83f42e98 83f82668 nt!MmPhysicalMemoryBlock
83f42e9c 00000000
83f42ea0 00000000
83f42ea4 00000000
83f42ea8 00000000
83f42eac 00000000
83f42eb0 00000000
83f42eb4 00000000
83f42eb8 00000000
83f42ebc 00000000
83f42ec0 00880058
83f42ec4 00280030
83f42ec8 00680050
83f42ecc 00000000
83f42ed0 01a802c0
83f42ed4 00180140
83f42ed8 19323628
83f42edc 03c00004
83f42ee0 336c0014
83f42ee4 03cc0018
83f42ee8 000002b8
83f42eec 00000000
83f42ef0 84186008 nt!KdPrintCircularBuffer
83f42ef4 00000000
83f42ef8 8418600c nt!KdPrintBufferSize
83f42efc 00000000
83f42f00 83f7dd20 nt!KdpLoaderDebuggerBlock
83f42f04 ffffffff
83f42f08 001c3748
83f42f0c 01200020
83f42f10 00000000
83f42f14 00000000
83f42f18 02e40000
83f42f1c 00100008
83f42f20 00180030
83f42f24 00380020
83f42f28 00280048
83f42f2c 00000000
83f42f30 83f80420 nt!IopNumTriageDumpDataBlocks
83f42f34 00000000
83f42f38 83f80220 nt!IopTriageDumpDataBlocks
83f42f3c 00000000
83f42f40 00000000
83f42f44 00000000
83f42f48 83f6118c nt!MmBadPagesDetected
83f42f4c 00000000
83f42f50 83f61188 nt!MmZeroedPageSingleBitErrorsDetected
83f42f54 00000000
83f42f58 83e5f088 nt!EtwpDebuggerData
83f42f5c 00000000
83f42f60 00003618
83f42f64 00000000
83f42f68 83f50ea8 nt!Kd_SYSTEM_Mask
83f42f6c 83f50eac nt!Kd_SMSS_Mask
83f42f70 83f50eb0 nt!Kd_SETUP_Mask
83f42f74 83f50eb4 nt!Kd_NTFS_Mask
83f42f78 83f50eb8 nt!Kd_FSTUB_Mask
83f42f7c 83f50ebc nt!Kd_CRASHDUMP_Mask
83f42f80 83f50ec0 nt!Kd_CDAUDIO_Mask
83f42f84 83f50ec4 nt!Kd_CDROM_Mask
83f42f88 83f50ec8 nt!Kd_CLASSPNP_Mask
83f42f8c 83f50ecc nt!Kd_DISK_Mask
83f42f90 83f50ed0 nt!Kd_REDBOOK_Mask
83f42f94 83f50ed4 nt!Kd_STORPROP_Mask
83f42f98 83f50ed8 nt!Kd_SCSIPORT_Mask
83f42f9c 83f50edc nt!Kd_SCSIMINIPORT_Mask
83f42fa0 83f50ee0 nt!Kd_CONFIG_Mask
83f42fa4 83f50ee4 nt!Kd_I8042PRT_Mask
83f42fa8 83f50ee8 nt!Kd_SERMOUSE_Mask
83f42fac 83f50eec nt!Kd_LSERMOUS_Mask
83f42fb0 83f50ef0 nt!Kd_KBDHID_Mask
83f42fb4 83f50ef4 nt!Kd_MOUHID_Mask
83f42fb8 83f50ef8 nt!Kd_KBDCLASS_Mask
83f42fbc 83f50efc nt!Kd_MOUCLASS_Mask
83f42fc0 83f50f00 nt!Kd_TWOTRACK_Mask
83f42fc4 83f50f04 nt!Kd_WMILIB_Mask
83f42fc8 83f50f08 nt!Kd_ACPI_Mask
83f42fcc 83f50f0c nt!Kd_AMLI_Mask
83f42fd0 83f50f10 nt!Kd_HALIA64_Mask
83f42fd4 83f50f14 nt!Kd_VIDEO_Mask
83f42fd8 83f50f18 nt!Kd_SVCHOST_Mask
83f42fdc 83f50f1c nt!Kd_VIDEOPRT_Mask
83f42fe0 83f50f20 nt!Kd_TCPIP_Mask
83f42fe4 83f50f24 nt!Kd_DMSYNTH_Mask
83f42fe8 83f50f28 nt!Kd_NTOSPNP_Mask
83f42fec 83f50f2c nt!Kd_FASTFAT_Mask
83f42ff0 83f50f30 nt!Kd_SAMSS_Mask
83f42ff4 83f50f34 nt!Kd_PNPMGR_Mask
83f42ff8 83f50f38 nt!Kd_NETAPI_Mask
83f42ffc 83f50f3c nt!Kd_SCSERVER_Mask
83f43000 83f50f40 nt!Kd_SCCLIENT_Mask
83f43004 83f50f44 nt!Kd_SERIAL_Mask
83f43008 83f50f48 nt!Kd_SERENUM_Mask
83f4300c 83f50f4c nt!Kd_UHCD_Mask
83f43010 83f50f50 nt!Kd_RPCPROXY_Mask
83f43014 83f50f54 nt!Kd_AUTOCHK_Mask
83f43018 83f50f58 nt!Kd_DCOMSS_Mask
83f4301c 83f50f5c nt!Kd_UNIMODEM_Mask
83f43020 83f50f60 nt!Kd_SIS_Mask
83f43024 83f50f64 nt!Kd_FLTMGR_Mask
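As an added example, not code from the original post or from any tool: a C routine that locates the KDDEBUGGER_DATA64 block in a raw memory image by scanning for its 'KDBG' owner tag and reads the fields the dds dump above shows at fixed offsets from the block header (Size at +0x14, KernBase at +0x18, PsLoadedModuleList at +0x48, PsActiveProcessHead at +0x50, PspCidTable at +0x58). The sample image is constructed here from the values in that dump, with a decoy 'KDBG' string to show why Size is validated; FindKdbg and the Demo* names are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Field offsets inside KDDEBUGGER_DATA64, measured from the block header, as seen in
 * the dds dump above (32-bit Windows 7). Added illustration, not kernel or tool code. */
#define KDBG_OFF_OWNERTAG            0x10   /* ULONG 'KDBG' */
#define KDBG_OFF_SIZE                0x14   /* ULONG, 0x340 in the dump */
#define KDBG_OFF_KERNBASE            0x18   /* ULONG64 */
#define KDBG_OFF_PSLOADEDMODULELIST  0x48
#define KDBG_OFF_PSACTIVEPROCESSHEAD 0x50
#define KDBG_OFF_PSPCIDTABLE         0x58
#define KDBG_TAG                     0x4742444Bu  /* "KDBG" read as a little-endian ULONG */
#define KDBG_MIN_SIZE                (KDBG_OFF_PSPCIDTABLE + 8)

typedef struct {
    uint32_t Size;
    uint64_t KernBase, PsLoadedModuleList, PsActiveProcessHead, PspCidTable;
} KDBG_FIELDS;

/* Explicit little-endian decoding, so the result does not depend on host byte order. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint64_t rd64(const uint8_t *p) { return (uint64_t)rd32(p) | (uint64_t)rd32(p + 4) << 32; }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }
static void wr64(uint8_t *p, uint64_t v) { wr32(p, (uint32_t)v); wr32(p + 4, (uint32_t)(v >> 32)); }

/* Scan the image for the owner tag; validate Size before trusting a hit, because the four
 * bytes "KDBG" can also occur in unrelated data. Returns the header offset, or -1. */
long FindKdbg(const uint8_t *img, size_t len, KDBG_FIELDS *out) {
    for (size_t i = KDBG_OFF_OWNERTAG; i + 4 <= len; i++) {
        if (rd32(img + i) != KDBG_TAG) continue;
        size_t base = i - KDBG_OFF_OWNERTAG;
        uint32_t size = rd32(img + base + KDBG_OFF_SIZE);
        if (size < KDBG_MIN_SIZE || size > len || base > len - size) continue; /* decoy/truncated */
        out->Size = size;
        out->KernBase = rd64(img + base + KDBG_OFF_KERNBASE);
        out->PsLoadedModuleList = rd64(img + base + KDBG_OFF_PSLOADEDMODULELIST);
        out->PsActiveProcessHead = rd64(img + base + KDBG_OFF_PSACTIVEPROCESSHEAD);
        out->PspCidTable = rd64(img + base + KDBG_OFF_PSPCIDTABLE);
        return (long)base;
    }
    return -1;
}

/* Constructed sample image: a zeroed 4 KiB page with a decoy "KDBG" string at 0x100
 * (its Size reads as 0) and a real block at 0x228 carrying the values from the dump above. */
#define SAMPLE_LEN     0x1000
#define SAMPLE_KDBG_AT 0x228
void BuildSampleImage(uint8_t img[SAMPLE_LEN]) {
    memset(img, 0, SAMPLE_LEN);
    memcpy(img + 0x100, "KDBG", 4);                          /* decoy: must be rejected */
    uint8_t *b = img + SAMPLE_KDBG_AT;
    wr32(b + 0x00, 0x84188fec); wr32(b + 0x04, 0x84188fec);  /* List Flink/Blink as dumped */
    wr32(b + KDBG_OFF_OWNERTAG, KDBG_TAG);
    wr32(b + KDBG_OFF_SIZE, 0x340);
    wr64(b + KDBG_OFF_KERNBASE, 0x83e18000ULL);
    wr64(b + KDBG_OFF_PSLOADEDMODULELIST, 0x83f62850ULL);
    wr64(b + KDBG_OFF_PSACTIVEPROCESSHEAD, 0x83f5af18ULL);
    wr64(b + KDBG_OFF_PSPCIDTABLE, 0x83f5af34ULL);
}

/* Convenience wrappers so the demo can be checked without a caller-side buffer. */
static long demo(KDBG_FIELDS *f) {
    uint8_t img[SAMPLE_LEN]; BuildSampleImage(img); return FindKdbg(img, SAMPLE_LEN, f);
}
long     DemoKdbgOffset(void)          { KDBG_FIELDS f; return demo(&f); }
uint64_t DemoKernBase(void)            { KDBG_FIELDS f; return demo(&f) < 0 ? 0 : f.KernBase; }
uint64_t DemoPsActiveProcessHead(void) { KDBG_FIELDS f; return demo(&f) < 0 ? 0 : f.PsActiveProcessHead; }
uint64_t DemoPspCidTable(void)         { KDBG_FIELDS f; return demo(&f) < 0 ? 0 : f.PspCidTable; }
long DemoDecoyOnlyOffset(void) {       /* image holding only the decoy string: must not match */
    uint8_t img[SAMPLE_LEN]; KDBG_FIELDS f;
    memset(img, 0, SAMPLE_LEN); memcpy(img + 0x100, "KDBG", 4);
    return FindKdbg(img, SAMPLE_LEN, &f);
}

int main(void) {
    KDBG_FIELDS f;
    long off = demo(&f);
    if (off < 0) { puts("KDBG not found"); return 1; }
    printf("KDBG at +0x%lx Size=0x%x KernBase=%llx PsActiveProcessHead=%llx PspCidTable=%llx\n",
           off, (unsigned)f.Size, (unsigned long long)f.KernBase,
           (unsigned long long)f.PsActiveProcessHead, (unsigned long long)f.PspCidTable);
    return 0;
}
```

With PsActiveProcessHead recovered this way, a memory-forensics tool can walk EPROCESS.ActiveProcessLinks from a raw image without kernel symbols, and compare that list against PspCidTable to spot entries that have been unlinked.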

Threads

Thread lookup

XP has 32 ready lists (really 33: there is also the WaitListEntry at +074 in the thread structure _KTHREAD). The 32 priorities 0-1F correspond to these 32 global lists, so if a thread's priority is 18, its WaitListEntry is linked into list 18.

From Win7 and Server 2003 onwards, these 32 lists are no longer global: they were moved into the KPRCB, as DispatcherReadyListHead at +3320.

So how is the right list found quickly? The KPRCB defines a 32-bit (4-byte) bitmap, ReadySummary at +13ec; each bit is 0 or 1 according to whether that list holds a waiting thread. The lookup scans from the high bit downward for the first bit that is set.
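The lookup just described, as an added C model that is not code from the original post: a per-processor structure with 32 DispatcherReadyListHead-style list heads and a ReadySummary bitmap, where readying a thread sets its priority bit and the scheduler scans the bitmap from bit 31 downward, clearing a bit once its list drains. The type and function names (PRCB, THREAD, ReadyThread, FindReadyThread, NthPick*) are simplified stand-ins assumed by this example, not the kernel's definitions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of KPRCB.DispatcherReadyListHead[32] + KPRCB.ReadySummary.
 * Added illustration only; names are stand-ins, not the kernel's definitions. */
#define PRIORITY_LEVELS 32

typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;
    struct _LIST_ENTRY *Blink;
} LIST_ENTRY;

typedef struct {
    int         Priority;       /* 0..31, selects the ready list */
    const char *Name;
    LIST_ENTRY  WaitListEntry;  /* links the thread into its ready list */
} THREAD;

typedef struct {
    uint32_t   ReadySummary;                            /* bit n set => list n is non-empty */
    LIST_ENTRY DispatcherReadyListHead[PRIORITY_LEVELS];
} PRCB;

#define CONTAINING_RECORD(ptr, type, field) \
    ((type *)((char *)(ptr) - offsetof(type, field)))

static void InitializeListHead(LIST_ENTRY *h) { h->Flink = h->Blink = h; }
static int  IsListEmpty(const LIST_ENTRY *h) { return h->Flink == h; }
static void InsertTailList(LIST_ENTRY *h, LIST_ENTRY *e) {
    e->Flink = h; e->Blink = h->Blink; h->Blink->Flink = e; h->Blink = e;
}
static void RemoveEntryList(LIST_ENTRY *e) {
    e->Blink->Flink = e->Flink; e->Flink->Blink = e->Blink;
}

void PrcbInit(PRCB *p) {
    p->ReadySummary = 0;
    for (int i = 0; i < PRIORITY_LEVELS; i++) InitializeListHead(&p->DispatcherReadyListHead[i]);
}

/* Make a thread ready: append to its priority's list and set that bit in the summary. */
void ReadyThread(PRCB *p, THREAD *t) {
    InsertTailList(&p->DispatcherReadyListHead[t->Priority], &t->WaitListEntry);
    p->ReadySummary |= 1u << t->Priority;
}

/* Scan the bitmap from bit 31 downward; return the first set bit, or -1 if none. */
int HighestReadyPriority(uint32_t summary) {
    for (int bit = PRIORITY_LEVELS - 1; bit >= 0; bit--)
        if (summary & (1u << bit)) return bit;
    return -1;
}

/* Dequeue the next thread to run: head of the highest non-empty list (FIFO within a level).
 * Clears the summary bit when that list becomes empty, so the bitmap stays in sync. */
THREAD *FindReadyThread(PRCB *p) {
    int pri = HighestReadyPriority(p->ReadySummary);
    if (pri < 0) return NULL;
    LIST_ENTRY *head = &p->DispatcherReadyListHead[pri];
    LIST_ENTRY *e = head->Flink;
    RemoveEntryList(e);
    if (IsListEmpty(head)) p->ReadySummary &= ~(1u << pri);
    return CONTAINING_RECORD(e, THREAD, WaitListEntry);
}

/* Constructed scenario: four threads readied in this order, then drained.
 * Copies the n-th dequeued thread into *out; returns NULL once the queues are empty. */
static THREAD *NthPickOf(int n, THREAD *out) {
    static const THREAD seed[4] = {
        { 8, "A", {0, 0} }, { 18, "B", {0, 0} }, { 18, "C", {0, 0} }, { 4, "D", {0, 0} } };
    PRCB prcb; PrcbInit(&prcb);
    THREAD t[4]; memcpy(t, seed, sizeof t);
    for (int i = 0; i < 4; i++) ReadyThread(&prcb, &t[i]);
    THREAD *pick = NULL;
    for (int i = 0; i <= n; i++) pick = FindReadyThread(&prcb);
    if (pick == NULL) return NULL;
    *out = *pick;
    return out;
}
int         NthPickPriority(int n) { THREAD t; return NthPickOf(n, &t) ? t.Priority : -1; }
const char *NthPickName(int n)     { THREAD t; return NthPickOf(n, &t) ? t.Name : ""; }

int main(void) {
    /* Expected order: B(18), C(18), A(8), D(4), then nothing left. */
    for (int i = 0; i < 5; i++)
        printf("pick %d: priority %d (%s)\n", i, NthPickPriority(i), NthPickName(i));
    return 0;
}
```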

Reversing the thread lookup in ntkrnlpa.exe

Internally called routines like this usually start with Ki; add Find, and this is the one:



First pick an arbitrary process.


Then view its threads directly with !process; because this program is simple, it has only a single thread (the window thread).


_ETHREAD

Use dt _ETHREAD to view the structure.

1: kd> dt _ETHREAD 8779e030
ntdll!_ETHREAD
+0x000 Tcb : _KTHREAD // kernel (microkernel) part
+0x200 CreateTime : _LARGE_INTEGER 0x01d6cd27`be3c6bfc
+0x208 ExitTime : _LARGE_INTEGER 0x8779e238`8779e238
+0x208 KeyedWaitChain : _LIST_ENTRY [ 0x8779e238 - 0x8779e238 ] // wait chain
+0x210 ExitStatus : 0n0
+0x214 PostBlockList : _LIST_ENTRY [ 0x0 - 0x76fb7098 ]
+0x214 ForwardLinkShadow : (null)
+0x218 StartAddress : 0x76fb7098 Void // thread start address
+0x21c TerminationPort : (null)
+0x21c ReaperLink : (null)
+0x21c KeyedWaitValue : (null)
+0x220 ActiveTimerListLock : 0
+0x224 ActiveTimerListHead : _LIST_ENTRY [ 0x8779e254 - 0x8779e254 ] // timer list
+0x22c Cid : _CLIENT_ID // holds the id of the process that created this thread and the thread's own id
+0x234 KeyedWaitSemaphore : _KSEMAPHORE
+0x234 AlpcWaitSemaphore : _KSEMAPHORE
+0x248 ClientSecurity : _PS_CLIENT_SECURITY_CONTEXT
+0x24c IrpList : _LIST_ENTRY [ 0x8779e27c - 0x8779e27c ]
+0x254 TopLevelIrp : 0
+0x258 DeviceToVerify : (null)
+0x25c CpuQuotaApc : (null)
+0x260 Win32StartAddress : 0x00402317 Void // for a UI program the start address is this one
+0x264 LegacyPowerObject : (null)
+0x268 ThreadListEntry : _LIST_ENTRY [ 0x8775aaf8 - 0x8775aaf8 ] // thread list
+0x270 RundownProtect : _EX_RUNDOWN_REF
+0x274 ThreadLock : _EX_PUSH_LOCK
+0x278 ReadClusterSize : 7
+0x27c MmLockOrdering : 0n0
+0x280 CrossThreadFlags : 0xa802
+0x280 Terminated : 0y0 // whether it has been terminated
+0x280 ThreadInserted : 0y1 // whether the thread is inserted; set to 0 it is protected
+0x280 HideFromDebugger : 0y0 // debugger protection: set to 1, an ordinary debugger cannot suspend it
+0x280 ActiveImpersonationInfo : 0y0
+0x280 Reserved : 0y0
+0x280 HardErrorsAreDisabled : 0y0
+0x280 BreakOnTermination : 0y0 // set to 1 the thread cannot be terminated; terminating it causes a bluescreen
+0x280 SkipCreationMsg : 0y0
+0x280 SkipTerminationMsg : 0y0
+0x280 CopyTokenOnOpen : 0y0
+0x280 ThreadIoPriority : 0y010
+0x280 ThreadPagePriority : 0y101
+0x280 RundownFail : 0y0
+0x280 NeedsWorkingSetAging : 0y0
+0x284 SameThreadPassiveFlags : 0
+0x284 ActiveExWorker : 0y0
+0x284 ExWorkerCanWaitUser : 0y0
+0x284 MemoryMaker : 0y0
+0x284 ClonedThread : 0y0
+0x284 KeyedEventInUse : 0y0
+0x284 RateApcState : 0y00
+0x284 SelfTerminate : 0y0
+0x288 SameThreadApcFlags : 0
+0x288 Spare : 0y0
+0x288 StartAddressInvalid : 0y0
+0x288 EtwPageFaultCalloutActive : 0y0
+0x288 OwnsProcessWorkingSetExclusive : 0y0
+0x288 OwnsProcessWorkingSetShared : 0y0
+0x288 OwnsSystemCacheWorkingSetExclusive : 0y0
+0x288 OwnsSystemCacheWorkingSetShared : 0y0
+0x288 OwnsSessionWorkingSetExclusive : 0y0
+0x289 OwnsSessionWorkingSetShared : 0y0
+0x289 OwnsProcessAddressSpaceExclusive : 0y0
+0x289 OwnsProcessAddressSpaceShared : 0y0
+0x289 SuppressSymbolLoad : 0y0
+0x289 Prefetching : 0y0
+0x289 OwnsDynamicMemoryShared : 0y0
+0x289 OwnsChangeControlAreaExclusive : 0y0
+0x289 OwnsChangeControlAreaShared : 0y0
+0x28a OwnsPagedPoolWorkingSetExclusive : 0y0
+0x28a OwnsPagedPoolWorkingSetShared : 0y0
+0x28a OwnsSystemPtesWorkingSetExclusive : 0y0
+0x28a OwnsSystemPtesWorkingSetShared : 0y0
+0x28a TrimTrigger : 0y00
+0x28a Spare1 : 0y00
+0x28b PriorityRegionActive : 0 ''
+0x28c CacheManagerActive : 0 ''
+0x28d DisablePageFaultClustering : 0 ''
+0x28e ActiveFaultCount : 0 ''
+0x28f LockOrderState : 0 ''
+0x290 AlpcMessageId : 0
+0x294 AlpcMessage : (null)
+0x294 AlpcReceiveAttributeSet : 0
+0x298 AlpcWaitListEntry : _LIST_ENTRY [ 0x0 - 0x871e19ac ]
+0x2a0 CacheManagerCount : 0
+0x2a4 IoBoostCount : 0
+0x2a8 IrpListLock : 0
+0x2ac ReservedForSynchTracking : (null)
+0x2b0 CmCallbackListHead : _SINGLE_LIST_ENTRY

_KTHREAD

1: kd> dt _KTHREAD 8779e030
ntdll!_KTHREAD
+0x000 Header : _DISPATCHER_HEADER // waitable dispatcher header
+0x010 CycleTime : 0x00000008`9136cc40
+0x018 HighCycleTime : 8
+0x020 QuantumTarget : 0x00000008`93a685c1
+0x028 InitialStack : 0x93217ed0 Void // the thread's kernel-mode stack: initial stack (stack bottom)
+0x02c StackLimit : 0x93215000 Void // stack top (limit)
+0x030 KernelStack : 0x93217aa0 Void // current esp; when the thread is switched out esp is saved here and restored from here when it is switched back in
+0x034 ThreadLock : 0
+0x038 WaitRegister : _KWAIT_STATUS_REGISTER
+0x039 Running : 0 '' // whether the thread is running: 1 when running, 0 in every other state
+0x03a Alerted : [2] "" // alert state: [0] kernel alert, [1] user alert; whether the thread can be alerted in kernel mode and in user mode respectively
+0x03c KernelStackResident : 0y1
+0x03c ReadyTransition : 0y0
+0x03c ProcessReadyQueue : 0y0
+0x03c WaitNext : 0y0
+0x03c SystemAffinityActive : 0y0
+0x03c Alertable : 0y0 // whether this thread can be alerted (WaitForSingleObject)
+0x03c GdiFlushActive : 0y0
+0x03c UserStackWalkActive : 0y0
+0x03c ApcInterruptRequest : 0y0
+0x03c ForceDeferSchedule : 0y0
+0x03c QuantumEndMigrate : 0y0
+0x03c UmsDirectedSwitchEnable : 0y0
+0x03c TimerActive : 0y0
+0x03c SystemThread : 0y0 // whether this is a system thread: 1 = yes
+0x03c Reserved : 0y000000000000000000 (0)
+0x03c MiscFlags : 0n1
+0x040 ApcState : _KAPC_STATE // APC state; this structure also holds a process pointer, the process the thread is currently attached to
+0x040 ApcStateFill : [23] "p???"
+0x057 Priority : 13 '' // thread priority
+0x058 NextProcessor : 1 // next processor: 0 means a processor is picked at random to run the thread, otherwise the core with that number
+0x05c DeferredProcessor : 0 // default processor
+0x060 ApcQueueLock : 0 // APC queue lock
+0x064 ContextSwitches : 0x1313d // records how many context switches this thread has performed
+0x068 State : 0x5 ''
+0x069 NpxState : 0 '' // floating-point coprocessor state
+0x06a WaitIrql : 0 '' // IRQL at which the wait was entered
+0x06b WaitMode : 1 '' // wait mode: ring 0 or ring 3
+0x06c WaitStatus : 0n0 // result status of the wait
+0x070 WaitBlockList : 0x8779e0f0 _KWAIT_BLOCK
+0x074 WaitListEntry : _LIST_ENTRY [ 0x807d6300 - 0x86a140a4 ]
+0x074 SwapListEntry : _SINGLE_LIST_ENTRY
+0x07c Queue : (null) // queue
+0x080 WaitTime : 0x625d3 // wait time
+0x084 KernelApcDisable : 0n0
+0x086 SpecialApcDisable : 0n0
+0x084 CombinedApcDisable : 0
+0x088 Teb : 0x7ffdf000 Void // the thread's TEB
+0x090 Timer : _KTIMER // the thread's timer
+0x0b8 AutoAlignment : 0y0
+0x0b8 DisableBoost : 0y0
+0x0b8 EtwStackTraceApc1Inserted : 0y0
+0x0b8 EtwStackTraceApc2Inserted : 0y0
+0x0b8 CalloutActive : 0y0 // whether ring 0 is currently calling into ring 3; 1 if so (KeUserModeCallback)
+0x0b8 ApcQueueable : 0y1 // whether the APC queue may be used
+0x0b8 EnableStackSwap : 0y1
+0x0b8 GuiThread : 0y0 // whether this is a GUI thread
+0x0b8 UmsPerformingSyscall : 0y0
+0x0b8 VdmSafe : 0y0
+0x0b8 UmsDispatched : 0y0
+0x0b8 ReservedFlags : 0y000000000000000000000 (0)
+0x0b8 ThreadFlags : 0n96
+0x0bc ServiceTable : 0x83f84a00 Void // service table
+0x0c0 WaitBlock : [4] _KWAIT_BLOCK
+0x120 QueueListEntry : _LIST_ENTRY [ 0x0 - 0x0 ]
+0x128 TrapFrame : 0x93217c34 _KTRAP_FRAME
+0x12c FirstArgument : 0x0012ff00 Void // TrapFrame
+0x130 CallbackStack : (null)
+0x130 CallbackDepth : 0
+0x134 ApcStateIndex : 0 ''
+0x135 BasePriority : 8 '' // inherited from the process priority
+0x136 PriorityDecrement : 18 '' // priority adjustment value
+0x136 ForegroundBoost : 0y0010
+0x136 UnusualBoost : 0y0001
+0x137 Preempted : 0 '' // preempted
+0x138 AdjustReason : 0 ''
+0x139 AdjustIncrement : 2 ''
+0x13a PreviousMode : 1 '' // previous mode
+0x13b Saturation : 0 ''
+0x13c SystemCallNumber : 0x1273
+0x140 FreezeCount : 0 // number of times the thread has been frozen; used by anti-debugging
+0x144 UserAffinity : _GROUP_AFFINITY
+0x150 Process : 0x8775a970 _KPROCESS // the process that created this thread
+0x154 Affinity : _GROUP_AFFINITY
+0x160 IdealProcessor : 1
+0x164 UserIdealProcessor : 1
+0x168 ApcStatePointer : [2] 0x8779e070 _KAPC_STATE
+0x170 SavedApcState : _KAPC_STATE
+0x170 SavedApcStateFill : [23] "???"
+0x187 WaitReason : 0xd ''
+0x188 SuspendCount : 0 ''
+0x189 Spare1 : 0 ''
+0x18a OtherPlatformFill : 0 ''
+0x18c Win32Thread : 0xfe9345a8 Void
+0x190 StackBase : 0x93218000 Void
+0x194 SuspendApc : _KAPC
+0x194 SuspendApcFill0 : [1] "??????"
+0x195 ResourceIndex : 0x1 ''
+0x194 SuspendApcFill1 : [3] "???"
+0x197 QuantumReset : 0x12 ''
+0x194 SuspendApcFill2 : [4] "???"
+0x198 KernelTime : 2
+0x194 SuspendApcFill3 : [36] "???"
+0x1b8 WaitPrcb : 0x807d3120 _KPRCB
+0x194 SuspendApcFill4 : [40] "???"
+0x1bc LegoData : (null)
+0x194 SuspendApcFill5 : [47] "???" // can be used for communication
+0x1c3 LargeStack : 0 ''
+0x1c4 UserTime : 2
+0x1c8 SuspendSemaphore : _KSEMAPHORE
+0x1c8 SuspendSemaphorefill : [20] "???"
+0x1dc SListFaultCount : 0
+0x1e0 ThreadListEntry : _LIST_ENTRY [ 0x8775a99c - 0x8775a99c ]
+0x1e8 MutantListHead : _LIST_ENTRY [ 0x8779e218 - 0x8779e218 ]
+0x1f0 SListFaultAddress : (null)
+0x1f4 ThreadCounters : (null)
+0x1f8 XStateSave : (null)
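The flag words in the two dumps above (CrossThreadFlags 0xa802 at _ETHREAD +0x280 and ThreadFlags 0n96 at _KTHREAD +0x0b8) are packed bitfields, and WinDbg prints each bit on its own line. The following added example (not from the original post) decodes such a word back into the named bits using the field order WinDbg printed for this Windows 7 x86 build, and reports the two bits the dump singles out as anti-debugging relevant, which is the check a memory-forensics triage of a thread object would make. Assumed: the dt field order is the bit order, lowest bit first, for this build only; other builds pack these words differently.

```python
# Decoder for the packed flag words in the `dt _ETHREAD` / `dt _KTHREAD` dumps
# above. Added example, not from the original post. Assumption: the layouts
# follow the field order WinDbg printed for this Windows 7 x86 build, lowest
# bit first; re-derive them for any other build before trusting the output.

# (field name, width in bits), lowest bit first, as listed under +0x280 _ETHREAD
CROSS_THREAD_FLAGS = [
    ("Terminated", 1), ("ThreadInserted", 1), ("HideFromDebugger", 1),
    ("ActiveImpersonationInfo", 1), ("Reserved", 1), ("HardErrorsAreDisabled", 1),
    ("BreakOnTermination", 1), ("SkipCreationMsg", 1), ("SkipTerminationMsg", 1),
    ("CopyTokenOnOpen", 1), ("ThreadIoPriority", 3), ("ThreadPagePriority", 3),
    ("RundownFail", 1), ("NeedsWorkingSetAging", 1),
]
# As listed under +0x0b8 _KTHREAD
KTHREAD_THREAD_FLAGS = [
    ("AutoAlignment", 1), ("DisableBoost", 1), ("EtwStackTraceApc1Inserted", 1),
    ("EtwStackTraceApc2Inserted", 1), ("CalloutActive", 1), ("ApcQueueable", 1),
    ("EnableStackSwap", 1), ("GuiThread", 1), ("UmsPerformingSyscall", 1),
    ("VdmSafe", 1), ("UmsDispatched", 1),
]

# Bits a memory-forensics triage reports: HideFromDebugger hides the thread
# from a user-mode debugger, BreakOnTermination bugchecks the machine when the
# thread is terminated (both as described in the dump comments).
SUSPICIOUS = ("HideFromDebugger", "BreakOnTermination")


def decode_bitfield(value, layout):
    """Split `value` into named fields, lowest bit first. Bits above the
    named fields are returned under the key '_unnamed' so nothing is lost."""
    fields, pos = {}, 0
    for name, width in layout:
        fields[name] = (value >> pos) & ((1 << width) - 1)
        pos += width
    fields["_unnamed"] = value >> pos
    return fields


def triage_thread(cross_thread_flags):
    """Names of the security-relevant CrossThreadFlags bits that are set."""
    decoded = decode_bitfield(cross_thread_flags, CROSS_THREAD_FLAGS)
    return [name for name in SUSPICIOUS if decoded[name]]


if __name__ == "__main__":
    # Values copied from the dumps above; output reproduces WinDbg's 0y bit view.
    for word, layout in ((0xA802, CROSS_THREAD_FLAGS), (96, KTHREAD_THREAD_FLAGS)):
        for name, val in decode_bitfield(word, layout).items():
            print(f"{name:30s} 0y{val:b}")
    print("triage:", triage_thread(0xA802) or "nothing suspicious")
```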

References:

《牛逼的火哥》

and the blog of 朝闻道