Contents

  • Tasks
  • Process resources
  • Process address space
  • EPROCESS structure
  • PEB
  • Kernel mode and user mode
  • Threads
    • ETHREAD
    • TEB
  • WOW processes
    • Registry redirection
    • Registry reflection
    • File system redirection
  • Creating a process
  • Minimal processes and Pico processes
    • Minimal processes
  • Task Manager

Tasks

A process or a thread is referred to as a task.

Process resources

  1. A virtual address space
  2. A globally unique process ID
  3. An executable image
  4. One or more threads
  5. An EPROCESS structure located in kernel space
  6. An object handle table located in kernel space
  7. A base address describing the starting location of the page directory table
  8. A process environment block (PEB) located in user space
  9. An access token

Process address space

User space
Kernel space

EPROCESS structure

1. List basic information for all processes

6: kd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS ffff84898203c440
    SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 001ad002  ObjectTable: ffffe18f2b814040  HandleCount: 2564.
    Image: System

PROCESS ffff8489820c6040
    SessionId: none  Cid: 0078    Peb: 00000000  ParentCid: 0004
    DirBase: 99d00002  ObjectTable: ffffe18f2b825b80  HandleCount:   0.
    Image: Registry

PROCESS ffff84898205d040
    SessionId: none  Cid: 01e0    Peb: 3062840000  ParentCid: 0004
    DirBase: 77100002  ObjectTable: ffffe18f2c1ab340  HandleCount:  52.
    Image: smss.exe

PROCESS ffff848987825580
    SessionId: 0  Cid: 02d0    Peb: 9249550000  ParentCid: 028c
    DirBase: 40b000002  ObjectTable: ffffe18f2da8fb40  HandleCount: 566.
    Image: csrss.exe

PROCESS ffff84898e9da580
    SessionId: 0  Cid: 034c    Peb: eeb2e6000  ParentCid: 028c
    DirBase: 40a200002  ObjectTable: ffffe18f2ddb5900  HandleCount: 168.
    Image: wininit.exe

PROCESS ffff84898e9d4580
    SessionId: 1  Cid: 0354    Peb: b3cb0e2000  ParentCid: 0344
    DirBase: 409d00002  ObjectTable: ffffe18f2f09dd00  HandleCount: 251.
    Image: csrss.exe

PROCESS ffff84898e9c8580
    SessionId: 0  Cid: 0398    Peb: 5766e9000  ParentCid: 034c
    DirBase: 407a00002  ObjectTable: ffffe18f2f126740  HandleCount: 727.
    Image: services.exe

PROCESS ffff84898e9c6580
    SessionId: 0  Cid: 03ac    Peb: abceeb2000  ParentCid: 034c
    DirBase: 405000002  ObjectTable: ffffe18f2f145040  HandleCount: 825.
    Image: lsass.exe

(omitted....)

PROCESS ffff8489903de080
    SessionId: 0  Cid: 17b0    Peb: 89fc42c000  ParentCid: 0398
    DirBase: 176690002  ObjectTable: ffffe18f34754d80  HandleCount:  94.
    Image: IntelCpHeciSvc.exe

PROCESS ffff84899850e080
    SessionId: 1  Cid: 17e0    Peb: 01020000  ParentCid: 1728
    DirBase: 170980002  ObjectTable: ffffe18f347981c0  HandleCount: 238.
    Image: explorer.exe

PROCESS ffff84899855d580
    SessionId: 0  Cid: 1840    Peb: cd79837000  ParentCid: 0644
    DirBase: 173e00002  ObjectTable: ffffe18f347c0d80  HandleCount:  16.
    Image: wermgr.exe
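As an added example (not part of the original notes), the Python below parses the !process 0 0 listing format shown above into records and rebuilds the parent/child tree from Cid and ParentCid, which is the usual starting point for reviewing a memory dump's process list. The sample dump is constructed from a subset of the values in that listing, restored to WinDbg's normal multi-line layout; the record and helper names are my own.

```python
"""Parse WinDbg '!process 0 0' output and rebuild the process tree from Cid/ParentCid."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in WinDbg's normal multi-line '!process 0 0' layout; the
# addresses, Cids and image names are a subset of the listing above.
SAMPLE_DUMP = """**** NT ACTIVE PROCESS DUMP ****
PROCESS ffff84898203c440
    SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 001ad002  ObjectTable: ffffe18f2b814040  HandleCount: 2564.
    Image: System

PROCESS ffff84898205d040
    SessionId: none  Cid: 01e0    Peb: 3062840000  ParentCid: 0004
    DirBase: 77100002  ObjectTable: ffffe18f2c1ab340  HandleCount:  52.
    Image: smss.exe

PROCESS ffff848987825580
    SessionId: 0  Cid: 02d0    Peb: 9249550000  ParentCid: 028c
    DirBase: 40b000002  ObjectTable: ffffe18f2da8fb40  HandleCount: 566.
    Image: csrss.exe

PROCESS ffff84898e9da580
    SessionId: 0  Cid: 034c    Peb: eeb2e6000  ParentCid: 028c
    DirBase: 40a200002  ObjectTable: ffffe18f2ddb5900  HandleCount: 168.
    Image: wininit.exe

PROCESS ffff84898e9c8580
    SessionId: 0  Cid: 0398    Peb: 5766e9000  ParentCid: 034c
    DirBase: 407a00002  ObjectTable: ffffe18f2f126740  HandleCount: 727.
    Image: services.exe

PROCESS ffff84899850e080
    SessionId: 1  Cid: 17e0    Peb: 01020000  ParentCid: 1728
    DirBase: 170980002  ObjectTable: ffffe18f347981c0  HandleCount: 238.
    Image: explorer.exe

PROCESS ffff84899855d580
    SessionId: 0  Cid: 1840    Peb: cd79837000  ParentCid: 0644
    DirBase: 173e00002  ObjectTable: ffffe18f347c0d80  HandleCount:  16.
    Image: wermgr.exe
"""

@dataclass
class ProcessInfo:
    address: int      # EPROCESS address
    session: str
    cid: int
    peb: int          # 0 for kernel-only processes such as System
    parent_cid: int
    handle_count: int
    image: str

PROCESS_RE = re.compile(
    r"PROCESS\s+(?P<addr>[0-9a-f]+)\s+SessionId:\s*(?P<session>\S+)\s+"
    r"Cid:\s*(?P<cid>[0-9a-f]+)\s+Peb:\s*(?P<peb>[0-9a-f]+)\s+"
    r"ParentCid:\s*(?P<parent>[0-9a-f]+)\s+DirBase:\s*[0-9a-f]+\s+"
    r"ObjectTable:\s*[0-9a-f]+\s+HandleCount:\s*(?P<handles>\d+)\.\s+"
    r"Image:\s*(?P<image>\S+)",
    re.IGNORECASE,
)

def parse_process_dump(text: str) -> List[ProcessInfo]:
    """One ProcessInfo per PROCESS block; every number is hex except HandleCount."""
    return [
        ProcessInfo(address=int(m["addr"], 16), session=m["session"],
                    cid=int(m["cid"], 16), peb=int(m["peb"], 16),
                    parent_cid=int(m["parent"], 16),
                    handle_count=int(m["handles"]), image=m["image"])
        for m in PROCESS_RE.finditer(text)
    ]

def children_by_parent(procs: List[ProcessInfo]) -> Dict[int, List[ProcessInfo]]:
    tree: Dict[int, List[ProcessInfo]] = {}
    for p in procs:
        tree.setdefault(p.parent_cid, []).append(p)
    return tree

def orphans(procs: List[ProcessInfo]) -> List[ProcessInfo]:
    """Processes whose ParentCid is no longer in the listing (parent exited). Normal for
    csrss/wininit (their smss instance exits), so this is a review list, not an alert."""
    live = {p.cid for p in procs}
    return [p for p in procs if p.parent_cid != 0 and p.parent_cid not in live]

def kernel_only(procs: List[ProcessInfo]) -> List[ProcessInfo]:
    """Processes with no user-mode PEB (Peb: 00000000)."""
    return [p for p in procs if p.peb == 0]

def render_tree(procs: List[ProcessInfo]) -> str:
    """Indented tree; roots are processes whose parent is not in the listing."""
    tree, live, lines = children_by_parent(procs), {p.cid for p in procs}, []
    def walk(p: ProcessInfo, depth: int) -> None:
        lines.append(f"{'  ' * depth}{p.image} (Cid {p.cid:x}, ParentCid {p.parent_cid:x})")
        for child in sorted(tree.get(p.cid, []), key=lambda c: c.cid):
            walk(child, depth + 1)
    for root in sorted((p for p in procs if p.parent_cid not in live), key=lambda r: r.cid):
        walk(root, 0)
    return "\n".join(lines)
```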

2. Examine the EPROCESS structure
The NT kernel uses the EPROCESS structure to describe a process.

6: kd> dt _eprocess ffff84899855d580
nt!_EPROCESS+0x000 Pcb              : _KPROCESS+0x2d8 ProcessLock      : _EX_PUSH_LOCK+0x2e0 UniqueProcessId  : 0x00000000`00001840 Void+0x2e8 ActiveProcessLinks : _LIST_ENTRY [ 0xfffff800`063a73b0 - 0xffff8489`9850e368 ]+0x2f8 RundownProtect   : _EX_RUNDOWN_REF+0x300 Flags2           : 0xa014+0x300 JobNotReallyActive : 0y0+0x300 AccountingFolded : 0y0+0x300 NewProcessReported : 0y1+0x300 ExitProcessReported : 0y0+0x300 ReportCommitChanges : 0y1+0x300 LastReportMemory : 0y0+0x300 ForceWakeCharge  : 0y0+0x300 CrossSessionCreate : 0y0+0x300 NeedsHandleRundown : 0y0+0x300 RefTraceEnabled  : 0y0+0x300 PicoCreated      : 0y0+0x300 EmptyJobEvaluated : 0y0+0x300 DefaultPagePriority : 0y010+0x300 PrimaryTokenFrozen : 0y1+0x300 ProcessVerifierTarget : 0y0+0x300 RestrictSetThreadContext : 0y0+0x300 AffinityPermanent : 0y0+0x300 AffinityUpdateEnable : 0y0+0x300 PropagateNode    : 0y0+0x300 ExplicitAffinity : 0y0+0x300 ProcessExecutionState : 0y00+0x300 EnableReadVmLogging : 0y0+0x300 EnableWriteVmLogging : 0y0+0x300 FatalAccessTerminationRequested : 0y0+0x300 DisableSystemAllowedCpuSet : 0y0+0x300 ProcessStateChangeRequest : 0y00+0x300 ProcessStateChangeInProgress : 0y0+0x300 InPrivate        : 0y0+0x304 Flags            : 0xc5d0c01+0x304 CreateReported   : 0y1+0x304 NoDebugInherit   : 0y0+0x304 ProcessExiting   : 0y0+0x304 ProcessDelete    : 0y0+0x304 ManageExecutableMemoryWrites : 0y0+0x304 VmDeleted        : 0y0+0x304 OutswapEnabled   : 0y0+0x304 Outswapped       : 0y0+0x304 FailFastOnCommitFail : 0y0+0x304 Wow64VaSpace4Gb  : 0y0+0x304 AddressSpaceInitialized : 0y11+0x304 SetTimerResolution : 0y0+0x304 BreakOnTermination : 0y0+0x304 DeprioritizeViews : 0y0+0x304 WriteWatch       : 0y0+0x304 ProcessInSession : 0y1+0x304 OverrideAddressSpace : 0y0+0x304 HasAddressSpace  : 0y1+0x304 LaunchPrefetched : 0y1+0x304 Background       : 0y1+0x304 VmTopDown        : 0y0+0x304 ImageNotifyDone  : 0y1+0x304 PdeUpdateNeeded  : 0y0+0x304 VdmAllowed       : 0y0+0x304 ProcessRundown   : 
0y0+0x304 ProcessInserted  : 0y1+0x304 DefaultIoPriority : 0y001+0x304 ProcessSelfDelete : 0y0+0x304 SetTimerResolutionLink : 0y0+0x308 CreateTime       : _LARGE_INTEGER 0x01d48c65`2230444f+0x310 ProcessQuotaUsage : [2] 0x948+0x320 ProcessQuotaPeak : [2] 0x948+0x330 PeakVirtualSize  : 0x00000201`02933000+0x338 VirtualSize      : 0x00000201`02933000+0x340 SessionProcessLinks : _LIST_ENTRY [ 0xffffb800`ff71c010 - 0xffff8489`903de3c0 ]+0x350 ExceptionPortData : 0xffff8489`877e3670 Void+0x350 ExceptionPortValue : 0xffff8489`877e3670+0x350 ExceptionPortState : 0y000+0x358 Token            : _EX_FAST_REF+0x360 MmReserved       : 0+0x368 AddressCreationLock : _EX_PUSH_LOCK+0x370 PageTableCommitmentLock : _EX_PUSH_LOCK+0x378 RotateInProgress : (null) +0x380 ForkInProgress   : (null) +0x388 CommitChargeJob  : 0xffff8489`8efa5060 _EJOB+0x390 CloneRoot        : _RTL_AVL_TREE+0x398 NumberOfPrivatePages : 0x50+0x3a0 NumberOfLockedPages : 0+0x3a8 Win32Process     : 0xffff83c6`0226e010 Void+0x3b0 Job              : 0xffff8489`8efa5060 _EJOB+0x3b8 SectionObject    : 0xffffe18f`347c3880 Void+0x3c0 SectionBaseAddress : 0x00007ff7`e7c80000 Void+0x3c8 Cookie           : 0xd5e20c1+0x3d0 WorkingSetWatch  : (null) +0x3d8 Win32WindowStation : (null) +0x3e0 InheritedFromUniqueProcessId : 0x00000000`00000644 Void+0x3e8 LdtInformation   : (null) +0x3f0 OwnerProcessId   : 0x646+0x3f8 Peb              : 0x000000cd`79837000 _PEB+0x400 Session          : 0xffffb800`ff71c000 _MM_SESSION_SPACE+0x408 AweInfo          : (null) +0x410 QuotaBlock       : 0xfffff800`063d1bc0 _EPROCESS_QUOTA_BLOCK+0x418 ObjectTable      : 0xffffe18f`347c0d80 _HANDLE_TABLE+0x420 DebugPort        : (null) +0x428 WoW64Process     : (null) +0x430 DeviceMap        : 0xffffe18f`2b818ad0 Void+0x438 EtwDataSource    : 0xffff8489`9855c980 Void+0x440 PageDirectoryPte : 0+0x448 ImageFilePointer : 0xffff8489`98556080 _FILE_OBJECT+0x450 ImageFileName    : [15]  "wermgr.exe"+0x45f PriorityClass    : 0x5 ''+0x460 SecurityPort     : 
(null) +0x468 SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO+0x470 JobLinks         : _LIST_ENTRY [ 0xffff8489`8efa5088 - 0xffff8489`8fbc94f0 ]+0x480 HighestUserAddress : 0x00007fff`ffff0000 Void+0x488 ThreadListHead   : _LIST_ENTRY [ 0xffff8489`9856ada8 - 0xffff8489`9856ada8 ]+0x498 ActiveThreads    : 1+0x49c ImagePathHash    : 0+0x4a0 DefaultHardErrorProcessing : 0x8000+0x4a4 LastThreadExitStatus : 0n0+0x4a8 PrefetchTrace    : _EX_FAST_REF+0x4b0 LockedPagesList  : (null) +0x4b8 ReadOperationCount : _LARGE_INTEGER 0x0+0x4c0 WriteOperationCount : _LARGE_INTEGER 0x0+0x4c8 OtherOperationCount : _LARGE_INTEGER 0x0+0x4d0 ReadTransferCount : _LARGE_INTEGER 0x0+0x4d8 WriteTransferCount : _LARGE_INTEGER 0x0+0x4e0 OtherTransferCount : _LARGE_INTEGER 0x0+0x4e8 CommitChargeLimit : 0+0x4f0 CommitCharge     : 0x65+0x4f8 CommitChargePeak : 0x71+0x500 Vm               : _MMSUPPORT_FULL+0x610 MmProcessLinks   : _LIST_ENTRY [ 0xfffff800`063cc620 - 0xffff8489`9850e690 ]+0x620 ModifiedPageCount : 0+0x624 ExitStatus       : 0n259+0x628 VadRoot          : _RTL_AVL_TREE+0x630 VadHint          : 0xffff8489`9855d490 Void+0x638 VadCount         : 0x10+0x640 VadPhysicalPages : 0+0x648 VadPhysicalPagesLimit : 0+0x650 AlpcContext      : _ALPC_PROCESS_CONTEXT+0x670 TimerResolutionLink : _LIST_ENTRY [ 0x00000000`00000000 - 0x00000000`00000000 ]+0x680 TimerResolutionStackRecord : (null) +0x688 RequestedTimerResolution : 0+0x68c SmallestTimerResolution : 0+0x690 ExitTime         : _LARGE_INTEGER 0x0+0x698 InvertedFunctionTable : (null) +0x6a0 InvertedFunctionTableLock : _EX_PUSH_LOCK+0x6a8 ActiveThreadsHighWatermark : 1+0x6ac LargePrivateVadCount : 0+0x6b0 ThreadListLock   : _EX_PUSH_LOCK+0x6b8 WnfContext       : (null) +0x6c0 ServerSilo       : (null) +0x6c8 SignatureLevel   : 0 ''+0x6c9 SectionSignatureLevel : 0 ''+0x6ca Protection       : _PS_PROTECTION+0x6cb HangCount        : 0y0000+0x6cb GhostCount       : 0y0000+0x6cc Flags3           : 0xc008+0x6cc Minimal          : 
0y0+0x6cc ReplacingPageRoot : 0y0+0x6cc Crashed          : 0y0+0x6cc JobVadsAreTracked : 0y1+0x6cc VadTrackingDisabled : 0y0+0x6cc AuxiliaryProcess : 0y0+0x6cc SubsystemProcess : 0y0+0x6cc IndirectCpuSets  : 0y0+0x6cc RelinquishedCommit : 0y0+0x6cc HighGraphicsPriority : 0y0+0x6cc CommitFailLogged : 0y0+0x6cc ReserveFailLogged : 0y0+0x6cc SystemProcess    : 0y0+0x6cc HideImageBaseAddresses : 0y0+0x6cc AddressPolicyFrozen : 0y1+0x6cc ProcessFirstResume : 0y1+0x6cc ForegroundExternal : 0y0+0x6cc ForegroundSystem : 0y0+0x6cc HighMemoryPriority : 0y0+0x6d0 DeviceAsid       : 0n0+0x6d8 SvmData          : (null) +0x6e0 SvmProcessLock   : _EX_PUSH_LOCK+0x6e8 SvmLock          : 0+0x6f0 SvmProcessDeviceListHead : _LIST_ENTRY [ 0xffff8489`9855dc70 - 0xffff8489`9855dc70 ]+0x700 LastFreezeInterruptTime : 0+0x708 DiskCounters     : 0xffff8489`9855ddc8 _PROCESS_DISK_COUNTERS+0x710 PicoContext      : (null) +0x718 TrustletIdentity : 0+0x720 EnclaveTable     : (null) +0x728 EnclaveNumber    : 0+0x730 EnclaveLock      : _EX_PUSH_LOCK+0x738 HighPriorityFaultsAllowed : 0+0x740 EnergyContext    : 0xffff8489`9855ddf0 _PO_PROCESS_ENERGY_CONTEXT+0x748 VmContext        : (null) +0x750 SequenceNumber   : 0x86+0x758 CreateInterruptTime : 0x77879ee+0x760 CreateUnbiasedInterruptTime : 0x77879ee+0x768 TotalUnbiasedFrozenTime : 0+0x770 LastAppStateUpdateTime : 0x77879ee+0x778 LastAppStateUptime : 0y0000000000000000000000000000000000000000000000000000000000000 (0)+0x778 LastAppState     : 0y000+0x780 SharedCommitCharge : 0x53+0x788 SharedCommitLock : _EX_PUSH_LOCK+0x790 SharedCommitLinks : _LIST_ENTRY [ 0xffffe18f`34832fe8 - 0xffffe18f`347b86d8 ]+0x7a0 AllowedCpuSets   : 0+0x7a8 DefaultCpuSets   : 0+0x7a0 AllowedCpuSetsIndirect : (null) +0x7a8 DefaultCpuSetsIndirect : (null) +0x7b0 DiskIoAttribution : (null) +0x7b8 DxgProcess       : (null) +0x7c0 Win32KFilterSet  : 0+0x7c8 ProcessTimerDelay : _PS_INTERLOCKED_TIMER_DELAY_VALUES+0x7d0 KTimerSets       : 0+0x7d4 KTimer2Sets      : 0+0x7d8 
ThreadTimerSets  : 0+0x7e0 VirtualTimerListLock : 0+0x7e8 VirtualTimerListHead : _LIST_ENTRY [ 0xffff8489`9855dd68 - 0xffff8489`9855dd68 ]+0x7f8 WakeChannel      : _WNF_STATE_NAME+0x7f8 WakeInfo         : _PS_PROCESS_WAKE_INFORMATION+0x828 MitigationFlags  : 0x21+0x828 MitigationFlagsValues : <unnamed-tag>+0x82c MitigationFlags2 : 0+0x82c MitigationFlags2Values : <unnamed-tag>+0x830 PartitionObject  : 0xffff8489`820ab800 Void+0x838 SecurityDomain   : 0+0x840 CoverageSamplerContext : (null) 

Use !process on a single process to view its key information

6: kd> !process ffff84899855d580
PROCESS ffff84899855d580
    SessionId: 0  Cid: 1840    Peb: cd79837000  ParentCid: 0644
    DirBase: 173e00002  ObjectTable: ffffe18f347c0d80  HandleCount:  16.
    Image: wermgr.exe
    VadRoot ffff84898fddbb60 Vads 16 Clone 0 Private 80. Modified 0. Locked 0.
    DeviceMap ffffe18f2b818ad0
    Token                             ffffe18f34835060
    ElapsedTime                       00:00:10.999
    UserTime                          00:00:00.000
    KernelTime                        00:00:00.000
    QuotaPoolUsage[PagedPool]         15616
    QuotaPoolUsage[NonPagedPool]      2376
    Working Set Sizes (now,min,max)  (287, 50, 345) (1148KB, 200KB, 1380KB)
    PeakWorkingSetSize                254
    VirtualSize                       2101289 Mb
    PeakVirtualSize                   2101289 Mb
    PageFaultCount                    290
    MemoryPriority                    BACKGROUND
    BasePriority                      6
    CommitCharge                      101
    Job                               ffff84898efa5060

        THREAD ffff84899856a700  Cid 1840.1844  Teb: 000000cd79838000 Win32Thread: 0000000000000000 READY on processor 80000002
        Not impersonating
        DeviceMap                 ffffe18f2b818ad0
        Owning Process            ffff84899855d580       Image:         wermgr.exe
        Attached Process          N/A            Image:         N/A
        Wait Start TickCount      804            Ticks: 702 (0:00:00:10.968)
        Context Switch Count      13             IdealProcessor: 3
        UserTime                  00:00:00.000
        KernelTime                00:00:00.000
        Win32 Start Address 0x00007ff7e7c92860
        Stack Init ffff978958207b90 Current ffff978958207870
        Base ffff978958208000 Limit ffff978958201000 Call 0000000000000000
        Priority 6 BasePriority 6 PriorityDecrement 0 IoPriority 1 PagePriority 2
        Child-SP          RetAddr               Call Site
        ffff9789`582078b0 fffff800`061afd15     nt!KxDispatchInterrupt+0x12f
        ffff9789`582079f0 fffff800`061ab011     nt!KiDpcInterruptBypass+0x25
        ffff9789`58207a00 00007ffd`84e59390     nt!KiInterruptDispatch+0xb1 (TrapFrame @ ffff9789`58207a00)
        000000cd`79a7efd0 00000000`00000000     0x00007ffd`84e59390

Check the size of the EPROCESS structure

6: kd> ?? sizeof(_eprocess)
unsigned int64 0x848

The Token records much of the security-related information about the process

6: kd> !Token  ffffe18f34835060
_TOKEN 0xffffe18f34835060
TS Session ID: 0
User: S-1-5-18
User Groups:
 00 S-1-16-16384
    Attributes - GroupIntegrity GroupIntegrityEnabled
 01 S-1-1-0
    Attributes - Mandatory Default Enabled
 02 S-1-5-32-545
    Attributes - Mandatory Default Enabled
 03 S-1-5-6
    Attributes - Mandatory Default Enabled
 04 S-1-2-1
    Attributes - Mandatory Default Enabled
 05 S-1-5-11
    Attributes - Mandatory Default Enabled
 06 S-1-5-15
    Attributes - Mandatory Default Enabled
 07 S-1-5-80-4125092361-1567024937-842823819-2091237918-836075745
    Attributes - Default Enabled Owner
 08 S-1-5-5-0-132261
    Attributes - Mandatory Default Enabled Owner LogonId
 09 S-1-2-0
    Attributes - Mandatory Default Enabled
 10 S-1-5-32-544
    Attributes - Default Enabled Owner
Primary Group: S-1-5-18
Privs:
 03 0x000000003 SeAssignPrimaryTokenPrivilege     Attributes -
 04 0x000000004 SeLockMemoryPrivilege             Attributes - Enabled Default
 05 0x000000005 SeIncreaseQuotaPrivilege          Attributes -
 07 0x000000007 SeTcbPrivilege                    Attributes - Enabled Default
 08 0x000000008 SeSecurityPrivilege               Attributes -
 09 0x000000009 SeTakeOwnershipPrivilege          Attributes -
 10 0x00000000a SeLoadDriverPrivilege             Attributes -
 11 0x00000000b SeSystemProfilePrivilege          Attributes - Enabled Default
 12 0x00000000c SeSystemtimePrivilege             Attributes -
 13 0x00000000d SeProfileSingleProcessPrivilege   Attributes - Enabled Default
 14 0x00000000e SeIncreaseBasePriorityPrivilege   Attributes - Enabled Default
 15 0x00000000f SeCreatePagefilePrivilege         Attributes - Enabled Default
 16 0x000000010 SeCreatePermanentPrivilege        Attributes - Enabled Default
 17 0x000000011 SeBackupPrivilege                 Attributes -
 18 0x000000012 SeRestorePrivilege                Attributes -
 19 0x000000013 SeShutdownPrivilege               Attributes -
 20 0x000000014 SeDebugPrivilege                  Attributes - Enabled Default
 21 0x000000015 SeAuditPrivilege                  Attributes - Enabled Default
 22 0x000000016 SeSystemEnvironmentPrivilege      Attributes -
 23 0x000000017 SeChangeNotifyPrivilege           Attributes - Enabled Default
 25 0x000000019 SeUndockPrivilege                 Attributes -
 28 0x00000001c SeManageVolumePrivilege           Attributes -
 29 0x00000001d SeImpersonatePrivilege            Attributes - Enabled Default
 30 0x00000001e SeCreateGlobalPrivilege           Attributes - Enabled Default
 33 0x000000021 SeIncreaseWorkingSetPrivilege     Attributes - Enabled Default
 34 0x000000022 SeTimeZonePrivilege               Attributes - Enabled Default
 35 0x000000023 SeCreateSymbolicLinkPrivilege     Attributes - Enabled Default
 36 0x000000024 SeDelegateSessionUserImpersonatePrivilege  Attributes - Enabled Default
Authentication ID:         (0,3e7)
Impersonation Level:       Anonymous
TokenType:                 Primary
Source: Advapi             TokenFlags: 0x2000 ( Token in use )
Token ID: 49cae            ParentToken ID: 0
Modified ID:               (0, 204e1)
RestrictedSidCount: 0      RestrictedSids: 0x0000000000000000
OriginatingLogonSession: 3e7
PackageSid: (null)
CapabilityCount: 0      Capabilities: 0x0000000000000000
LowboxNumberEntry: 0x0000000000000000
Security Attributes:
Unable to get the offset of nt!_AUTHZBASEP_SECURITY_ATTRIBUTE.ListLink
Process Token TrustLevelSid: (null)
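As an added example (not part of the original notes), the Python below parses the !token display shown above into structured data and answers the questions an analyst asks of a token: which user it runs as, its integrity level from the S-1-16-<rid> group, whether the Administrators group is enabled, and which sensitive privileges are actually enabled rather than merely present. The sample is constructed from a subset of the groups and privileges in that dump, in WinDbg's normal layout; the type and function names are my own.

```python
"""Parse the WinDbg '!token' display and summarize its security-relevant facts."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample in the normal '!token' layout, using a subset of the
# groups and privileges from the dump above.
SAMPLE_TOKEN = """_TOKEN 0xffffe18f34835060
TS Session ID: 0
User: S-1-5-18
User Groups:
 00 S-1-16-16384
    Attributes - GroupIntegrity GroupIntegrityEnabled
 01 S-1-1-0
    Attributes - Mandatory Default Enabled
 02 S-1-5-32-545
    Attributes - Mandatory Default Enabled
 10 S-1-5-32-544
    Attributes - Default Enabled Owner
Primary Group: S-1-5-18
Privs:
 03 0x000000003 SeAssignPrimaryTokenPrivilege     Attributes -
 07 0x000000007 SeTcbPrivilege                    Attributes - Enabled Default
 17 0x000000011 SeBackupPrivilege                 Attributes -
 20 0x000000014 SeDebugPrivilege                  Attributes - Enabled Default
 29 0x00000001d SeImpersonatePrivilege            Attributes - Enabled Default
Authentication ID:         (0,3e7)
Impersonation Level:       Anonymous
TokenType:                 Primary
"""

# Well-known mandatory-label RIDs carried in the S-1-16-<rid> group.
INTEGRITY_LEVELS = {0: "Untrusted", 0x1000: "Low", 0x2000: "Medium",
                    0x3000: "High", 0x4000: "System", 0x5000: "ProtectedProcess"}

# Privileges an auditor checks first: each lets the holder act as, or tamper
# with, other principals or the kernel, so "present and Enabled" matters.
SENSITIVE_PRIVS = {
    "SeDebugPrivilege", "SeTcbPrivilege", "SeImpersonatePrivilege",
    "SeAssignPrimaryTokenPrivilege", "SeLoadDriverPrivilege", "SeBackupPrivilege",
    "SeRestorePrivilege", "SeTakeOwnershipPrivilege", "SeCreateTokenPrivilege",
}

# Group entries span two lines (index + SID, then "Attributes - ..."); privilege
# entries are one line (index, LUID, name, "Attributes - ...").
GROUP_RE = re.compile(r"^\s*\d+\s+(S-1-[\d-]+)\s*\n\s*Attributes -(.*)$", re.M)
PRIV_RE = re.compile(r"^\s*\d+\s+0x[0-9a-fA-F]+\s+(Se\w+)\s+Attributes -(.*)$", re.M)

@dataclass
class TokenInfo:
    user: str
    primary_group: str
    token_type: str
    auth_id: int                      # logon session LUID; 0x3e7 is the SYSTEM session
    groups: Dict[str, List[str]]      # SID -> attribute words
    privileges: Dict[str, List[str]]  # name -> attribute words ([] = present but disabled)

def _field(text: str, label: str) -> str:
    m = re.search(rf"^{re.escape(label)}:\s*(.*?)\s*$", text, re.M)
    return m.group(1) if m else ""

def parse_token(text: str) -> TokenInfo:
    high, low = _field(text, "Authentication ID").strip("()").split(",")
    return TokenInfo(
        user=_field(text, "User"),
        primary_group=_field(text, "Primary Group"),
        token_type=_field(text, "TokenType"),
        auth_id=(int(high, 16) << 32) | int(low, 16),
        groups={sid: attrs.split() for sid, attrs in GROUP_RE.findall(text)},
        privileges={name: attrs.split() for name, attrs in PRIV_RE.findall(text)},
    )

def integrity_level(tok: TokenInfo) -> Optional[str]:
    for sid in tok.groups:
        if sid.startswith("S-1-16-"):
            rid = int(sid.rsplit("-", 1)[1])
            return INTEGRITY_LEVELS.get(rid, f"rid {rid}")
    return None

def enabled_privileges(tok: TokenInfo) -> Set[str]:
    return {name for name, attrs in tok.privileges.items() if "Enabled" in attrs}

def sensitive_enabled(tok: TokenInfo) -> List[str]:
    return sorted(enabled_privileges(tok) & SENSITIVE_PRIVS)

def is_admin(tok: TokenInfo) -> bool:
    """BUILTIN\\Administrators (S-1-5-32-544) present with the Enabled attribute;
    a deny-only (UAC-filtered) membership is listed without Enabled and fails here."""
    return "Enabled" in tok.groups.get("S-1-5-32-544", [])
```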

PEB

The process environment block holds most of the user-mode information about the process. It is created in kernel mode and mapped into user space, so the PEB's address lies in user space.
Examine the PEB structure. Note that the command below is given the EPROCESS address (ffff84899855d580) rather than the PEB address that !process reported for this process (cd79837000), so the field values it prints are not those of the real PEB.

6: kd> dt _peb ffff84899855d580
win32k!_PEB+0x000 InheritedAddressSpace : 0x3 ''+0x001 ReadImageFileExecOptions : 0 ''+0x002 BeingDebugged    : 0xb6 ''+0x003 BitField         : 0 ''+0x003 ImageUsesLargePages : 0y0+0x003 IsProtectedProcess : 0y0+0x003 IsImageDynamicallyRelocated : 0y0+0x003 SkipPatchingUser32Forwarders : 0y0+0x003 IsPackagedProcess : 0y0+0x003 IsAppContainer   : 0y0+0x003 IsProtectedProcessLight : 0y0+0x003 IsLongPathAwareProcess : 0y0+0x004 Padding0         : [4]  ""+0x008 Mutant           : 0xffff8489`98564f10 Void+0x010 ImageBaseAddress : 0xffff8489`98564f10 Void+0x018 Ldr              : 0xffff8489`9855d598 _PEB_LDR_DATA+0x020 ProcessParameters : 0xffff8489`9855d598 _RTL_USER_PROCESS_PARAMETERS+0x028 SubSystemData    : 0x00000001`73e00002 Void+0x030 ProcessHeap      : 0xffff8489`9856a9f8 Void+0x038 FastPebLock      : 0xffff8489`9856a9f8 _RTL_CRITICAL_SECTION+0x040 AtlThunkSListPtr : (null) +0x048 IFEOKey          : (null) +0x050 CrossProcessFlags : 0x140001+0x050 ProcessInJob     : 0y1+0x050 ProcessInitializing : 0y0+0x050 ProcessUsingVEH  : 0y0+0x050 ProcessUsingVCH  : 0y0+0x050 ProcessUsingFTH  : 0y0+0x050 ProcessPreviouslyThrottled : 0y0+0x050 ProcessCurrentlyThrottled : 0y0+0x050 ReservedBits0    : 0y0000000000010100000000000 (0x2800)+0x054 Padding1         : [4]  ""+0x058 KernelCallbackTable : 0x00000000`000000ff Void+0x058 UserSharedInfoPtr : 0x00000000`000000ff Void+0x060 SystemReserved   : 0+0x064 AtlThunkSListPtr32 : 0+0x068 ApiSetMap        : (null) +0x070 TlsExpansionCounter : 0+0x074 Padding2         : [4]  ""+0x078 TlsBitmap        : (null) +0x080 TlsBitmapBits    : [2] 0+0x088 ReadOnlySharedMemoryBase : (null) +0x090 SharedData       : (null) +0x098 ReadOnlyStaticServerData : (null) +0x0a0 AnsiCodePageData : (null) +0x0a8 OemCodePageData  : (null) +0x0b0 UnicodeCaseTableData : (null) +0x0b8 NumberOfProcessors : 0+0x0bc NtGlobalFlag     : 0+0x0c0 CriticalSectionTimeout : _LARGE_INTEGER 0x0+0x0c8 HeapSegmentReserve : 0+0x0d0 HeapSegmentCommit : 0+0x0d8 
HeapDeCommitTotalFreeThreshold : 0+0x0e0 HeapDeCommitFreeBlockThreshold : 0+0x0e8 NumberOfHeaps    : 0+0x0ec MaximumNumberOfHeaps : 0+0x0f0 ProcessHeaps     : (null) +0x0f8 GdiSharedHandleTable : 0xffff8489`9855d678 Void+0x100 ProcessStarterHelper : 0xffff8489`9855d678 Void+0x108 GdiDCAttributeList : 0+0x10c Padding3         : [4]  ""+0x110 LoaderLock       : 0x00000000`00140014 _RTL_CRITICAL_SECTION+0x118 OSMajorVersion   : 0+0x11c OSMinorVersion   : 0+0x120 OSBuildNumber    : 0+0x122 OSCSDVersion     : 0+0x124 OSPlatformId     : 0+0x128 ImageSubsystem   : 0+0x12c ImageSubsystemMajorVersion : 0+0x130 ImageSubsystemMinorVersion : 0+0x134 Padding4         : [4]  ""+0x138 ActiveProcessAffinityMask : 0+0x140 GdiHandleBuffer  : [60] 0+0x230 PostProcessInitRoutine : (null) +0x238 TlsExpansionBitmap : 0x00000008`00000000 Void+0x240 TlsExpansionBitmapBits : [32] 0x63b5480+0x2c0 SessionId        : 0+0x2c4 Padding5         : [4]  ""+0x2c8 AppCompatFlags   : _ULARGE_INTEGER 0x0+0x2d0 AppCompatFlagsUser : _ULARGE_INTEGER 0x0+0x2d8 pShimData        : (null) +0x2e0 AppCompatInfo    : 0x00000000`00001840 Void+0x2e8 CSDVersion       : _UNICODE_STRING "???"+0x2f8 ActivationContextData : (null) +0x300 ProcessAssemblyStorageMap : 0x0c5d0c01`0000a014 _ASSEMBLY_STORAGE_MAP+0x308 SystemDefaultActivationContextData : 0x01d48c65`2230444f _ACTIVATION_CONTEXT_DATA+0x310 SystemAssemblyStorageMap : 0x00000000`00000948 _ASSEMBLY_STORAGE_MAP+0x318 MinimumStackCommit : 0x3d00+0x320 FlsCallback      : 0x00000000`00000948 _FLS_CALLBACK_INFO+0x328 FlsListHead      : _LIST_ENTRY [ 0x00000000`00003d00 - 0x00000201`02933000 ]+0x338 FlsBitmap        : 0x00000201`02933000 Void+0x340 FlsBitmapBits    : [4] 0xff71c010+0x350 FlsHighIndex     : 0x877e3670+0x358 WerRegistrationData : 0xffffe18f`34835065 Void+0x360 WerShipAssertPtr : (null) +0x368 pUnused          : (null) +0x370 pImageHeaderHash : (null) +0x378 TracingFlags     : 0+0x378 HeapTracingEnabled : 0y0+0x378 CritSecTracingEnabled : 0y0+0x378 
LibLoaderTracingEnabled : 0y0+0x378 SpareTracingBits : 0y00000000000000000000000000000 (0)+0x37c Padding6         : [4]  ""+0x380 CsrServerReadOnlySharedMemoryBase : 0+0x388 TppWorkerpListLock : 0xffff8489`8efa5060+0x390 TppWorkerpList   : _LIST_ENTRY [ 0x00000000`00000000 - 0x00000000`00000050 ]+0x3a0 WaitOnAddressHashTable : [128] (null) +0x7a0 TelemetryCoverageHeader : (null) +0x7a8 CloudFileFlags   : 0+0x7ac CloudFileDiagFlags : 0+0x7b0 PlaceholderCompatibilityMode : 0 ''+0x7b1 PlaceholderCompatibilityModeReserved : [7]  ""

Kernel mode and user mode

  1. Access modes
    Divided into kernel mode and user mode
  2. Switching to kernel mode with INT 2E
    Windows reserves interrupt vector 2E for system calls
  3. Fast system calls
    Enter the kernel through KiFastCallEntry
  4. Reverse calls (callbacks into user mode)
    Go through KiUserCallbackDispatcher in ntdll.dll

Threads

ETHREAD

The kernel uses the ETHREAD structure to describe a thread. In a kernel debugging session, .thread shows the current (implicit) thread:

6: kd> .thread
Implicit thread is now ffff8489`8fe7f480

Examine the thread structure

6: kd> dt _ethread ffff8489`8fe7f480
nt!_ETHREAD+0x000 Tcb              : _KTHREAD  线程控制块+0x5f0 CreateTime       : _LARGE_INTEGER 0x01d48c65`2205e41e+0x5f8 ExitTime         : _LARGE_INTEGER 0xffff8489`8fe7fa78+0x5f8 KeyedWaitChain   : _LIST_ENTRY [ 0xffff8489`8fe7fa78 - 0xffff8489`8fe7fa78 ]+0x608 PostBlockList    : _LIST_ENTRY [ 0xffffe18f`32dd3660 - 0xffffe18f`32dd3660 ]+0x608 ForwardLinkShadow : 0xffffe18f`32dd3660 Void+0x610 StartAddress     : 0xffffe18f`32dd3660 Void+0x618 TerminationPort  : (null) +0x618 ReaperLink       : (null) +0x618 KeyedWaitValue   : (null) +0x620 ActiveTimerListLock : 0+0x628 ActiveTimerListHead : _LIST_ENTRY [ 0xffff8489`8fe7faa8 - 0xffff8489`8fe7faa8 ]+0x638 Cid              : _CLIENT_ID+0x648 KeyedWaitSemaphore : _KSEMAPHORE+0x648 AlpcWaitSemaphore : _KSEMAPHORE+0x668 ClientSecurity   : _PS_CLIENT_SECURITY_CONTEXT+0x670 IrpList          : _LIST_ENTRY [ 0xffff8489`8fe7faf0 - 0xffff8489`8fe7faf0 ]+0x680 TopLevelIrp      : 1+0x688 DeviceToVerify   : (null) +0x690 Win32StartAddress : 0x00007ff7`bc4c7080 Void+0x698 ChargeOnlySession : (null) +0x6a0 LegacyPowerObject : (null) +0x6a8 ThreadListEntry  : _LIST_ENTRY [ 0xffff8489`8fe77da8 - 0xffff8489`8fe69728 ]+0x6b8 RundownProtect   : _EX_RUNDOWN_REF+0x6c0 ThreadLock       : _EX_PUSH_LOCK+0x6c8 ReadClusterSize  : 7+0x6cc MmLockOrdering   : 0n0+0x6d0 CrossThreadFlags : 0x5402+0x6d0 Terminated       : 0y0+0x6d0 ThreadInserted   : 0y1+0x6d0 HideFromDebugger : 0y0+0x6d0 ActiveImpersonationInfo : 0y0+0x6d0 HardErrorsAreDisabled : 0y0+0x6d0 BreakOnTermination : 0y0+0x6d0 SkipCreationMsg  : 0y0+0x6d0 SkipTerminationMsg : 0y0+0x6d0 CopyTokenOnOpen  : 0y0+0x6d0 ThreadIoPriority : 0y010+0x6d0 ThreadPagePriority : 0y101+0x6d0 RundownFail      : 0y0+0x6d0 UmsForceQueueTermination : 0y0+0x6d0 IndirectCpuSets  : 0y0+0x6d0 DisableDynamicCodeOptOut : 0y0+0x6d0 ExplicitCaseSensitivity : 0y0+0x6d0 PicoNotifyExit   : 0y0+0x6d0 DbgWerUserReportActive : 0y0+0x6d0 ForcedSelfTrimActive : 0y0+0x6d0 SamplingCoverage : 0y0+0x6d0 ReservedCrossThreadFlags 
: 0y00000000 (0)+0x6d4 SameThreadPassiveFlags : 0+0x6d4 ActiveExWorker   : 0y0+0x6d4 MemoryMaker      : 0y0+0x6d4 StoreLockThread  : 0y00+0x6d4 ClonedThread     : 0y0+0x6d4 KeyedEventInUse  : 0y0+0x6d4 SelfTerminate    : 0y0+0x6d4 RespectIoPriority : 0y0+0x6d4 ActivePageLists  : 0y0+0x6d4 SecureContext    : 0y0+0x6d4 ZeroPageThread   : 0y0+0x6d4 ReservedSameThreadPassiveFlags : 0y000000000000000000000 (0)+0x6d8 SameThreadApcFlags : 8+0x6d8 OwnsProcessAddressSpaceExclusive : 0y0+0x6d8 OwnsProcessAddressSpaceShared : 0y0+0x6d8 HardFaultBehavior : 0y0+0x6d8 StartAddressInvalid : 0y1+0x6d8 EtwCalloutActive : 0y0+0x6d8 SuppressSymbolLoad : 0y0+0x6d8 Prefetching      : 0y0+0x6d8 OwnsVadExclusive : 0y0+0x6d9 SystemPagePriorityActive : 0y0+0x6d9 SystemPagePriority : 0y000+0x6d9 AllowWritesToExecutableMemory : 0y0+0x6dc CacheManagerActive : 0 ''+0x6dd DisablePageFaultClustering : 0 ''+0x6de ActiveFaultCount : 0 ''+0x6df LockOrderState   : 0 ''+0x6e0 AlpcMessageId    : 0+0x6e8 AlpcMessage      : (null) +0x6e8 AlpcReceiveAttributeSet : 0+0x6f0 AlpcWaitListEntry : _LIST_ENTRY [ 0x00000000`00000000 - 0x00000000`00000000 ]+0x700 ExitStatus       : 0n0+0x704 CacheManagerCount : 0+0x708 IoBoostCount     : 0+0x70c IoQoSBoostCount  : 0+0x710 IoQoSThrottleCount : 0+0x718 BoostList        : _LIST_ENTRY [ 0xffff8489`8fe7fb98 - 0xffff8489`8fe7fb98 ]+0x728 DeboostList      : _LIST_ENTRY [ 0xffff8489`8fe7fba8 - 0xffff8489`8fe7fba8 ]+0x738 BoostListLock    : 0+0x740 IrpListLock      : 0+0x748 ReservedForSynchTracking : (null) +0x750 CmCallbackListHead : _SINGLE_LIST_ENTRY+0x758 ActivityId       : (null) +0x760 SeLearningModeListHead : _SINGLE_LIST_ENTRY+0x768 VerifierContext  : (null) +0x770 KernelStackReference : 1+0x778 AdjustedClientToken : (null) +0x780 WorkOnBehalfThread : (null) +0x788 PropertySet      : _PS_PROPERTY_SET+0x7a0 PicoContext      : (null) +0x7a8 UserFsBase       : 0+0x7b0 UserGsBase       : 0+0x7b8 EnergyValues     : 0xffff8489`8fe7fc98 _THREAD_ENERGY_VALUES+0x7c0 
CmDbgInfo        : (null) +0x7c8 SelectedCpuSets  : 0+0x7c8 SelectedCpuSetsIndirect : (null) +0x7d0 Silo             : 0xffffffff`fffffffd _EJOB+0x7d8 ThreadName       : (null) +0x7e0 SetContextState  : (null) +0x7e8 LastExpectedRunTime : 0xcec24+0x7f0 OwnerEntryListHead : _LIST_ENTRY [ 0xffff8489`8fe7fc70 - 0xffff8489`8fe7fc70 ]+0x800 DisownedOwnerEntryListLock : 0+0x808 DisownedOwnerEntryListHead : _LIST_ENTRY [ 0xffff8489`8fe7fc88 - 0xffff8489`8fe7fc88 ]

Examine the thread control block; the first 512 bytes of the ETHREAD are the KTHREAD structure

6: kd> dt _kthread ffff8489`8fe7f480
nt!_KTHREAD+0x000 Header           : _DISPATCHER_HEADER NT内核的线程调度器+0x018 SListFaultAddress : (null) +0x020 QuantumTarget    : 0xa735cca+0x028 InitialStack     : 0xffff9789`57c1fb90 Void+0x030 StackLimit       : 0xffff9789`57c19000 Void+0x038 StackBase        : 0xffff9789`57c20000 Void+0x040 ThreadLock       : 0+0x048 CycleTime        : 0x00000005`1dd2a08d+0x050 CurrentRunTime   : 0xffffffff+0x054 ExpectedRunTime  : 0xcec24+0x058 KernelStack      : 0xffff9789`57c1e610 Void+0x060 StateSaveArea    : 0xffff9789`57c1fbc0 _XSAVE_FORMAT+0x068 SchedulingGroup  : (null) +0x070 WaitRegister     : _KWAIT_STATUS_REGISTER+0x071 Running          : 0x1 ''+0x072 Alerted          : [2]  ""+0x074 AutoBoostActive  : 0y1+0x074 ReadyTransition  : 0y0+0x074 WaitNext         : 0y0+0x074 SystemAffinityActive : 0y0+0x074 Alertable        : 0y0+0x074 UserStackWalkActive : 0y0+0x074 ApcInterruptRequest : 0y0+0x074 QuantumEndMigrate : 0y0+0x074 UmsDirectedSwitchEnable : 0y0+0x074 TimerActive      : 0y0+0x074 SystemThread     : 0y0+0x074 ProcessDetachActive : 0y0+0x074 CalloutActive    : 0y0+0x074 ScbReadyQueue    : 0y0+0x074 ApcQueueable     : 0y1+0x074 ReservedStackInUse : 0y0+0x074 UmsPerformingSyscall : 0y0+0x074 TimerSuspended   : 0y0+0x074 SuspendedWaitMode : 0y0+0x074 SuspendSchedulerApcWait : 0y0+0x074 Reserved         : 0y000000000000 (0)+0x074 MiscFlags        : 0n16385+0x078 BamQosLevel      : 0y10+0x078 AutoAlignment    : 0y0+0x078 DisableBoost     : 0y0+0x078 AlertedByThreadId : 0y0+0x078 QuantumDonation  : 0y0+0x078 EnableStackSwap  : 0y1+0x078 GuiThread        : 0y1+0x078 DisableQuantum   : 0y0+0x078 ChargeOnlySchedulingGroup : 0y0+0x078 DeferPreemption  : 0y0+0x078 QueueDeferPreemption : 0y0+0x078 ForceDeferSchedule : 0y0+0x078 SharedReadyQueueAffinity : 0y1+0x078 FreezeCount      : 0y0+0x078 TerminationApcRequest : 0y0+0x078 AutoBoostEntriesExhausted : 0y0+0x078 KernelStackResident : 0y1+0x078 TerminateRequestReason : 0y00+0x078 ProcessStackCountDecremented : 0y0+0x078 
RestrictedGuiThread : 0y0+0x078 VpBackingThread  : 0y0+0x078 ThreadFlagsSpare : 0y0+0x078 EtwStackTraceApcInserted : 0y00000000 (0)+0x078 ThreadFlags      : 0n139458+0x07c Tag              : 0 ''+0x07d SystemHeteroCpuPolicy : 0x5 ''+0x07e UserHeteroCpuPolicy : 0y0001000 (0x8)+0x07e ExplicitSystemHeteroCpuPolicy : 0y0+0x07f Spare0           : 0 ''+0x080 SystemCallNumber : 0x4a+0x084 ReadyTime        : 0xc+0x088 FirstArgument    : 0x00000155`418442e8 Void+0x090 TrapFrame        : 0xffff9789`57c1fa00 _KTRAP_FRAME+0x098 ApcState         : _KAPC_STATE+0x098 ApcStateFill     : [43]  " ???"+0x0c3 Priority         : 9 ''+0x0c4 UserIdealProcessor : 7+0x0c8 WaitStatus       : 0n0+0x0d0 WaitBlockList    : 0xffff8489`8fe7f5c0 _KWAIT_BLOCK+0x0d8 WaitListEntry    : _LIST_ENTRY [ 0xffffb800`fd2c67a0 - 0xffffb800`fd2c67a0 ]+0x0d8 SwapListEntry    : _SINGLE_LIST_ENTRY+0x0e8 Queue            : (null) +0x0f0 Teb              : 0x00000046`dd4b8000 Void+0x0f8 RelativeTimerBias : 0+0x100 Timer            : _KTIMER+0x140 WaitBlock        : [4] _KWAIT_BLOCK+0x140 WaitBlockFill4   : [20]  "???"+0x154 ContextSwitches  : 0x2de+0x140 WaitBlockFill5   : [68]  "???"+0x184 State            : 0x2 ''+0x185 Spare13          : 0 ''+0x186 WaitIrql         : 0 ''+0x187 WaitMode         : 0 ''+0x140 WaitBlockFill6   : [116]  "???"+0x1b4 WaitTime         : 0x325+0x140 WaitBlockFill7   : [164]  "???"+0x1e4 KernelApcDisable : 0n-2+0x1e6 SpecialApcDisable : 0n0+0x1e4 CombinedApcDisable : 0xfffe+0x140 WaitBlockFill8   : [40]  "???"+0x168 ThreadCounters   : (null) +0x140 WaitBlockFill9   : [88]  "???"+0x198 XStateSave       : (null) +0x140 WaitBlockFill10  : [136]  "???"+0x1c8 Win32Thread      : 0xffff8489`8fbc0f00 Void+0x140 WaitBlockFill11  : [176]  "???"+0x1f0 Ucb              : (null) +0x1f8 Uch              : (null) +0x200 Spare21          : (null) +0x208 QueueListEntry   : _LIST_ENTRY [ 0x00000000`00000000 - 0x00000000`00000000 ]+0x218 NextProcessor    : 6+0x218 NextProcessorNumber : 
0y0000000000000000000000000000110 (0x6)+0x218 SharedReadyQueue : 0y0+0x21c QueuePriority    : 0n0+0x220 Process          : 0xffff8489`8fc36080 _KPROCESS+0x228 UserAffinity     : _GROUP_AFFINITY+0x228 UserAffinityFill : [10]  "???"+0x232 PreviousMode     : 1 ''+0x233 BasePriority     : 8 ''+0x234 PriorityDecrement : 0 ''+0x234 ForegroundBoost  : 0y0000+0x234 UnusualBoost     : 0y0000+0x235 Preempted        : 0x1 ''+0x236 AdjustReason     : 0 ''+0x237 AdjustIncrement  : 1 ''+0x238 AffinityVersion  : 0x38+0x240 Affinity         : _GROUP_AFFINITY+0x240 AffinityFill     : [10]  "???"+0x24a ApcStateIndex    : 0 ''+0x24b WaitBlockCount   : 0x1 ''+0x24c IdealProcessor   : 7+0x250 NpxState         : 0x1d+0x258 SavedApcState    : _KAPC_STATE+0x258 SavedApcStateFill : [43]  "???"+0x283 WaitReason       : 0x9 ''+0x284 SuspendCount     : 0 ''+0x285 Saturation       : 0 ''+0x286 SListFaultCount  : 0+0x288 SchedulerApc     : _KAPC+0x288 SchedulerApcFill0 : [1]  "??????"+0x289 ResourceIndex    : 0x1 ''+0x288 SchedulerApcFill1 : [3]  "???"+0x28b QuantumReset     : 0x6 ''+0x288 SchedulerApcFill2 : [4]  "???"+0x28c KernelTime       : 0x2be+0x288 SchedulerApcFill3 : [64]  "???"+0x2c8 WaitPrcb         : (null) +0x288 SchedulerApcFill4 : [72]  "???"+0x2d0 LegoData         : (null) +0x288 SchedulerApcFill5 : [83]  "???"+0x2db CallbackNestingLevel : 0 ''+0x2dc UserTime         : 2+0x2e0 SuspendEvent     : _KEVENT+0x2f8 ThreadListEntry  : _LIST_ENTRY [ 0xffff8489`8fe779f8 - 0xffff8489`8fe69378 ]+0x308 MutantListHead   : _LIST_ENTRY [ 0xffff8489`8fe7f788 - 0xffff8489`8fe7f788 ]+0x318 AbEntrySummary   : 0x3e '>'+0x319 AbWaitEntryCount : 0 ''+0x31a AbAllocationRegionCount : 0 ''+0x31b SystemPriority   : 0 ''+0x31c SecureThreadCookie : 0+0x320 LockEntries      : [6] _KLOCK_ENTRY+0x560 PropagateBoostsEntry : _SINGLE_LIST_ENTRY+0x568 IoSelfBoostsEntry : _SINGLE_LIST_ENTRY+0x570 PriorityFloorCounts : [16]  ""+0x580 PriorityFloorSummary : 0+0x584 AbCompletedIoBoostCount : 0n0+0x588 
AbCompletedIoQoSBoostCount : 0n0+0x58c KeReferenceCount : 0n0+0x58e AbOrphanedEntrySummary : 0 ''+0x58f AbOwnedEntryCount : 0x1 ''+0x590 ForegroundLossTime : 0+0x598 GlobalForegroundListEntry : _LIST_ENTRY [ 0x00000000`00000001 - 0x00000000`00000000 ]+0x598 ForegroundDpcStackListEntry : _SINGLE_LIST_ENTRY+0x5a0 InGlobalForegroundList : 0+0x5a8 ReadOperationCount : 0n14+0x5b0 WriteOperationCount : 0n0+0x5b8 OtherOperationCount : 0n256+0x5c0 ReadTransferCount : 0n55862+0x5c8 WriteTransferCount : 0n0+0x5d0 OtherTransferCount : 0n3390+0x5d8 QueuedScb        : (null) +0x5e0 ThreadTimerDelay : 0+0x5e4 ThreadFlags2     : 0n0+0x5e4 PpmPolicy        : 0y00+0x5e4 ThreadFlags2Reserved : 0y000000000000000000000000000000 (0)+0x5e8 SchedulerAssist  : (null) 

Another way to view the thread control block (KTHREAD) structure

6: kd> !thread ffff8489`8fe7f480
THREAD ffff84898fe7f480  Cid 129c.1534  Teb: 00000046dd4b8000 Win32Thread: ffff84898fbc0f00 RUNNING on processor 6
Not impersonating
DeviceMap                 ffffe18f2b818ad0
Owning Process            ffff84898fc36080       Image:         DolbyDAX2API.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      805            Ticks: 701 (0:00:00:10.953)
Context Switch Count      734            IdealProcessor: 7
UserTime                  00:00:00.031
KernelTime                00:00:10.968
Win32 Start Address 0x00007ff7bc4c7080
Stack Init ffff978957c1fb90 Current ffff978957c1e610
Base ffff978957c20000 Limit ffff978957c19000 Call 0000000000000000
Priority 9 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP          RetAddr               : Args to Child                                                           : Call Site
ffffb800`fcbfdb78 fffff800`061fb578     : 00000000`00000101 00000000`00000018 00000000`00000000 ffffb800`fd161180 : nt!KeBugCheckEx
ffffb800`fcbfdb80 fffff800`060df1ad     : 00000000`00000000 ffffb800`fcbe1180 00000000`00000246 00000000`000005e2 : nt!KeAccumulateTicks+0x1188b8
ffffb800`fcbfdbe0 fffff800`060e0293     : fffff780`00000340 00000000`00000000 00000000`000005e2 00000000`00000000 : nt!KiUpdateRunTime+0x5d
ffffb800`fcbfdc30 fffff800`06954883     : 00000014`f9bf6e49 fffff800`063cd8a0 00000000`00000000 ffff9789`57c1eb60 : nt!KeClockInterruptNotify+0x8f3
ffffb800`fcbfdf40 fffff800`0612cd75     : ffff8489`82102500 00000000`00000000 00000000`00000000 00000000`00000000 : hal!HalpTimerClockInterrupt+0x63
ffffb800`fcbfdf70 fffff800`061aaf4a     : ffff9789`57c1ebe0 ffff8489`82102500 0000007f`fffffff8 ffff8489`82127000 : nt!KiCallInterruptServiceRoutine+0xa5
ffffb800`fcbfdfb0 fffff800`061ab437     : ffff8442`3863cd20 ffff8489`82102500 00000000`00000000 ffff8489`9851f010 : nt!KiInterruptSubDispatchNoLockNoEtw+0xea (TrapFrame @ ffffb800`fcbfde70)
ffff9789`57c1eb60 fffff800`060fe951     : ffffe18f`34799e90 00000000`00000000 ffffe18f`00000002 ffffe18f`34799e90 : nt!KiInterruptDispatchNoLockNoEtw+0x37 (TrapFrame @ ffff9789`57c1eb60)
ffff9789`57c1ecf0 fffff800`0610217d     : fffff800`063cd8a0 ffff9789`57c1eeb0 ffff8442`3863cd20 3a000001`78054863 : nt!MiFastLockLeafPageTable+0x3f1
ffff9789`57c1edb0 fffff800`06102890     : ffff9789`57c1f010 00000000`00000000 ffffe18f`00001000 00000000`00001000 : nt!MiCommitPoolMemory+0x3bd
ffff9789`57c1eef0 fffff800`060e5844     : ffff9789`57c1f009 ffffe18f`3484b000 00000000`00000001 00000000`00f3484b : nt!MmAllocatePoolMemory+0x80
ffff9789`57c1ef50 fffff800`06064bf4     : 00000000`80000001 00000000`00000000 00000000`00000000 00000000`00000000 : nt!MiAllocatePagedPoolPages+0x554
ffff9789`57c1f070 fffff800`062ead37     : 00000000`00000000 00000000`74536d4d ffff9789`57c10000 ffff8489`74536d4d : nt!ExpAllocateBigPool+0x5a4
ffff9789`57c1f170 fffff800`0649fa20     : 00000000`0000048d 00000000`00001000 ffffb801`74536d4d ffff8489`00000000 : nt!ExAllocatePoolWithTag+0x927
ffff9789`57c1f260 fffff800`0649f5e3     : 00000000`00000402 ffffb801`00aed188 00000000`00000000 ffff9789`57c1f390 : nt!MiBuildImageControlArea+0x114
ffff9789`57c1f2e0 fffff800`0649e95f     : ffff9789`57c1f780 00000004`00000002 00000000`00000000 00000000`00000000 : nt!MiCreateImageFileMap+0x3cb
ffff9789`57c1f4b0 fffff800`0657f240     : ffff8489`986dd950 ffff9789`57c1f650 ffff9789`57c1f780 fffff800`062eb32e : nt!MiCreateNewSection+0x21f
ffff9789`57c1f620 fffff800`0657e8b8     : ffff9789`57c1f650 00000000`00000000 ffff8489`986dd950 00000000`00000000 : nt!MiCreateImageOrDataSection+0x2f0
ffff9789`57c1f710 fffff800`0657e78c     : 00000000`00000000 ffff9789`57c1f950 00000000`00000000 ffff8489`98543180 : nt!MiCreateSection+0xe8
ffff9789`57c1f870 fffff800`0657e5a3     : 00000000`00000000 ffff9789`57c1fa80 00000000`00000010 00000000`01000000 : nt!MmCreateSection+0xec
ffff9789`57c1f900 fffff800`061b9d43     : ffff8489`8fe7f480 00000046`ddbf34a8 00000000`00000000 00000000`00000000 : nt!NtCreateSection+0x153
ffff9789`57c1f990 00007ffd`84eea844     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ ffff9789`57c1fa00)
00000046`ddbf3488 00000000`00000000     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffd`84eea844

Look directly at the State field of the _KTHREAD structure (the value 0x2 is Running, which matches the RUNNING shown by !thread above)

6: kd> dt _kthread ffff8489`8fe7f480 -y state
nt!_KTHREAD
   +0x060 StateSaveArea    : 0xffff9789`57c1fbc0 _XSAVE_FORMAT
   +0x184 State            : 0x2 ''

View the threads that are in the ready state

6: kd> !ready
KSHARED_READY_QUEUE fffff80004f40700: (00) ****------------------------------------------------------------
SharedReadyQueue fffff80004f40700: Ready Threads at priority 6
    THREAD ffff84899856a700  Cid 1840.1844  Teb: 000000cd79838000 Win32Thread: 0000000000000000 READY on processor 80000002
Processor 0: Ready Threads at priority 1
    THREAD ffff8489901c0040  Cid 0004.1770  Teb: 0000000000000000 Win32Thread: 0000000000000000 READY on processor 0
Processor 1: Ready Threads at priority 1
    THREAD ffff8489901be040  Cid 0004.1774  Teb: 0000000000000000 Win32Thread: 0000000000000000 READY on processor 1
Processor 2: Ready Threads at priority 1
    THREAD ffff8489901c1040  Cid 0004.1778  Teb: 0000000000000000 Win32Thread: 0000000000000000 READY on processor 2
Processor 3: Ready Threads at priority 1
    THREAD ffff8489901c3040  Cid 0004.177c  Teb: 0000000000000000 Win32Thread: 0000000000000000 READY on processor 3
KSHARED_READY_QUEUE ffffb800fd2c6700: (00) ----****--------------------------------------------------------
SharedReadyQueue ffffb800fd2c6700: Ready Threads at priority 9
    THREAD ffff84899868e080  Cid 1294.18c4  Teb: 00000057a6edd000 Win32Thread: 0000000000000000 READY on processor 80000004
SharedReadyQueue ffffb800fd2c6700: Ready Threads at priority 8
    THREAD ffff84898ed8c700  Cid 0464.0490  Teb: 0000005035ae4000 Win32Thread: 0000000000000000 READY on processor 80000006
    THREAD ffff84898ede6700  Cid 0008.1680  Teb: 0000003a49dea000 Win32Thread: 0000000000000000 READY on processor 80000006
    THREAD ffff84898fe22080  Cid 0398.14a8  Teb: 0000000576742000 Win32Thread: 0000000000000000 READY on processor 80000007
    THREAD ffff84898fe29080  Cid 0398.14ac  Teb: 0000000576744000 Win32Thread: 0000000000000000 READY on processor 80000006
    THREAD ffff848998694080  Cid 17b0.18c8  Teb: 00000089fc435000 Win32Thread: 0000000000000000 READY on processor 80000007
    THREAD ffff84898f88e080  Cid 0c88.0d24  Teb: 0000002ae76ba000 Win32Thread: 0000000000000000 READY on processor 80000005
    THREAD ffff848998691080  Cid 0008.18d0  Teb: 0000003a49dfa000 Win32Thread: 0000000000000000 READY on processor 80000007
    THREAD ffff84898fe52080  Cid 12a8.14e0  Teb: 0000000002fac000 Win32Thread: ffff84898fcb8990 READY on processor 80000007
    THREAD ffff84898f30e080  Cid 0814.0b78  Teb: 00000013fedcb000 Win32Thread: 0000000000000000 READY on processor 80000007
    THREAD ffff84898f03e040  Cid 0814.085c  Teb: 00000013fedc3000 Win32Thread: 0000000000000000 READY on processor 80000006
    THREAD ffff84898f1e8540  Cid 0814.0a84  Teb: 00000013fedc9000 Win32Thread: 0000000000000000 READY on processor 80000005
    THREAD ffff84898eef6640  Cid 0398.068c  Teb: 0000000576712000 Win32Thread: 0000000000000000 READY on processor 80000005
    THREAD ffff84898fe05680  Cid 0398.1484  Teb: 000000057673c000 Win32Thread: 0000000000000000 READY on processor 80000007
    THREAD ffff848998683080  Cid 0464.18e0  Teb: 0000005035b0c000 Win32Thread: 0000000000000000 READY on processor 80000004
    THREAD ffff848982b58040  Cid 0004.01d8  Teb: 0000000000000000 Win32Thread: 0000000000000000 READY on processor 80000005
    THREAD ffff84898f1aa480  Cid 0a98.0ac0  Teb: 000000b5c3166000 Win32Thread: 0000000000000000 READY on processor 80000005
    THREAD ffff84898f260700  Cid 0a98.0ad8  Teb: 000000b5c316e000 Win32Thread: 0000000000000000 READY on processor 80000005
    THREAD ffff84898fcbd700  Cid 0398.11f4  Teb: 0000000576732000 Win32Thread: 0000000000000000 READY on processor 80000004
    THREAD ffff84898ee4a040  Cid 0398.0560  Teb: 000000057670a000 Win32Thread: 0000000000000000 READY on processor 80000006
    THREAD ffff84898fd0b080  Cid 0398.13a0  Teb: 000000057672c000 Win32Thread: 0000000000000000 READY on processor 80000007
    THREAD ffff84898fd86440  Cid 0398.1418  Teb: 0000000576734000 Win32Thread: 0000000000000000 READY on processor 80000006
    THREAD ffff848988baa040  Cid 0004.0244  Teb: 0000000000000000 Win32Thread: 0000000000000000 READY on processor 80000004
SharedReadyQueue ffffb800fd2c6700: Ready Threads at priority 7
    THREAD ffff84898f332700  Cid 0a10.0a18  Teb: 000000da16152000 Win32Thread: 0000000000000000 READY on processor 80000007
    THREAD ffff84898ffd7080  Cid 1728.172c  Teb: 0000008d078a7000 Win32Thread: ffff84898fca9050 READY on processor 80000004
    THREAD ffff848998547700  Cid 1294.1810  Teb: 00000057a6ecf000 Win32Thread: 0000000000000000 READY on processor 80000006
SharedReadyQueue ffffb800fd2c6700: Ready Threads at priority 6
    THREAD ffff84898fbcc080  Cid 11e8.11ec  Teb: 000000d397d31000 Win32Thread: 0000000000000000 READY on processor 80000005
SharedReadyQueue ffffb800fd2c6700: Ready Threads at priority 0
    THREAD ffff8489820cb040  Cid 0004.0050  Teb: 0000000000000000 Win32Thread: 0000000000000000 READY on processor 80000007
Processor 4: Ready Threads at priority 1
    THREAD ffff8489901c2040  Cid 0004.1780  Teb: 0000000000000000 Win32Thread: 0000000000000000 READY on processor 4
Processor 5: Ready Threads at priority 1
    THREAD ffff8489901c5040  Cid 0004.1784  Teb: 0000000000000000 Win32Thread: 0000000000000000 READY on processor 5
Processor 6: Ready Threads at priority 1
    THREAD ffff8489901c7040  Cid 0004.1788  Teb: 0000000000000000 Win32Thread: 0000000000000000 READY on processor 6
Processor 7: Ready Threads at priority 1
    THREAD ffff8489901c6040  Cid 0004.178c  Teb: 0000000000000000 Win32Thread: 0000000000000000 READY on processor 7

TEB

The Thread Environment Block, which describes the thread's user space

0:000> !teb
TEB at 000000696e702000
    ExceptionList:        0000000000000000
    StackBase:            000000696e600000
    StackLimit:           000000696e5ef000
    SubSystemTib:         0000000000000000
    FiberData:            0000000000001e00
    ArbitraryUserPointer: 0000000000000000
    Self:                 000000696e702000
    EnvironmentPointer:   0000000000000000
    ClientId:             0000000000003d98 . 0000000000003e0c
    RpcHandle:            0000000000000000
    Tls Storage:          000002593f4fd950
    PEB Address:          000000696e701000
    LastErrorValue:       0
    LastStatusValue:      c0000034
    Count Owned Locks:    0
    HardErrorMode:        0
0:000> dt _peb 000000696e702000
wintypes!_PEB
   +0x000 Reserved1        : [2]  ""
   +0x002 BeingDebugged    : 0 ''
   +0x003 Reserved2        : [1]  ""
   +0x008 Reserved3        : [2] 0x00000069`6e600000 Void
   +0x018 Ldr              : (null) 
   +0x020 ProcessParameters : 0x00000000`00001e00 _RTL_USER_PROCESS_PARAMETERS
   +0x028 Reserved4        : [3] (null) 
   +0x040 AtlThunkSListPtr : 0x00000000`00003d98 Void
   +0x048 Reserved5        : 0x00000000`00003e0c Void
   +0x050 Reserved6        : 0
   +0x058 Reserved7        : 0x00000259`3f4fd950 Void
   +0x060 Reserved8        : 0x6e701000
   +0x064 AtlThunkSListPtr32 : 0x69
   +0x068 Reserved9        : [45] (null) 
   +0x1d0 Reserved10       : [96]  ""
   +0x230 PostProcessInitRoutine : (null) 
   +0x238 Reserved11       : [128]  ""
   +0x2b8 Reserved12       : [1] (null) 
   +0x2c0 SessionId        : 0

Note that the address given to dt _peb here is the TEB address, not the PEB Address that !teb reports (000000696e701000), so the dump above is really the TEB reinterpreted through the _PEB layout: Reserved3 holds the StackBase, AtlThunkSListPtr and Reserved5 hold the ClientId, and Reserved8 together with AtlThunkSListPtr32 is the TEB's 64-bit pointer to the real PEB, 0x00000069`6e701000.

WOW进程

A 32-bit process running on a 64-bit kernel has a dedicated name: a WOW process
SysWow64 holds the 32-bit programs
System32 holds the 64-bit programs
Switching between 32-bit and 64-bit in the debugger

0:000> .effmach
Effective machine: x64 (AMD64)
0:000> .effmach x86
Effective machine: x86 compatible (x86)
0:000:x86> .effmach x64
Unknown machine 'x64'
0:000:x86> .effmach amd64
Effective machine: x64 (AMD64)

Registry redirection

Registry reflection

File system redirection

Creating a process

Process creation is divided into 6 stages
Stage 1: In the parent process's user space, open the image file to be executed
Stage 2: Enter the parent process's kernel space and create the new process's EPROCESS structure, process address space, KPROCESS structure and PEB
Stage 3: Create the initial thread, but with the suspend flag specified at creation
Stage 4: Notify the subsystem service program
Stage 5: The initial thread starts executing in kernel space
Stage 6: Through the APC mechanism, perform the initialization in the new process's own user space; the loader in ntdll loads the files the process depends on

Minimal processes and Pico processes

Minimal processes

A process address space is created, but nothing is added to that space; Registry is a minimal process

6: kd> !process 0 0 Registry
PROCESS ffff8489820c6040
    SessionId: none  Cid: 0078    Peb: 00000000  ParentCid: 0004
    DirBase: 99d00002  ObjectTable: ffffe18f2b825b80  HandleCount:   0.
    Image: Registry
6: kd> dt _eprocess ffff8489820c6040 -y Flags
nt!_EPROCESS
   +0x300 Flags2           : 0xd000
   +0x304 Flags            : 0x14440c01
   +0x6cc Flags3           : 0x4001        (the low bit set to 1 indicates a minimal process)
6: kd> !process ffff8489820c6040
PROCESS ffff8489820c6040
    SessionId: none  Cid: 0078    Peb: 00000000  ParentCid: 0004
    DirBase: 99d00002  ObjectTable: ffffe18f2b825b80  HandleCount:   0.
    Image: Registry
    VadRoot ffff84898a4f6ab0 Vads 55 Clone 0 Private 369. Modified 22324. Locked 0.
    DeviceMap ffffe18f2b818ad0
    Token                             ffffe18f2b824040
    ElapsedTime                       00:00:22.776
    UserTime                          00:00:00.000
    KernelTime                        00:00:00.328
    QuotaPoolUsage[PagedPool]         201216
    QuotaPoolUsage[NonPagedPool]      7480
    Working Set Sizes (now,min,max)  (3632, 50, 345) (14528KB, 200KB, 1380KB)
    PeakWorkingSetSize                22438
    VirtualSize                       96 Mb
    PeakVirtualSize                   96 Mb
    PageFaultCount                    26016
    MemoryPriority                    BACKGROUND
    BasePriority                      8
    CommitCharge                      372

        THREAD ffff848982094040  Cid 0078.007c  Teb: 0000000000000000 Win32Thread: 0000000000000000 WAIT: (Executive) KernelMode Non-Alertable
            fffff800063cb300  SynchronizationEvent
        Not impersonating
        DeviceMap                 ffffe18f2b818ad0
        Owning Process            ffff8489820c6040       Image:         Registry
        Attached Process          N/A            Image:         N/A
        Wait Start TickCount      47             Ticks: 1459 (0:00:00:22.796)
        Context Switch Count      1              IdealProcessor: 0
        UserTime                  00:00:00.000
        KernelTime                00:00:00.000
        Win32 Start Address nt!CmpDummyThreadRoutine (0xfffff80006650f60)
        Stack Init ffff97895536ab90 Current ffff97895536a700
        Base ffff97895536b000 Limit ffff978955364000 Call 0000000000000000
        Priority 8 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
        Child-SP          RetAddr               Call Site
        ffff9789`5536a740 fffff800`060395d6     nt!KiSwapContext+0x76
        ffff9789`5536a880 fffff800`06038dcb     nt!KiSwapThread+0x2c6
        ffff9789`5536a950 fffff800`060384ef     nt!KiCommitThreadWait+0x13b
        ffff9789`5536a9f0 fffff800`06650f7e     nt!KeWaitForSingleObject+0x1ff
        ffff9789`5536aad0 fffff800`060734f7     nt!CmpDummyThreadRoutine+0x1e
        ffff9789`5536ab10 fffff800`061b0b06     nt!PspSystemThreadStartup+0x47
        ffff9789`5536ab60 00000000`00000000     nt!KiStartSystemThread+0x16

        THREAD ffff84898a501080  Cid 0078.0270  Teb: 0000000000000000 Win32Thread: 0000000000000000 WAIT: (Executive) UserMode Non-Alertable
            fffff80006397420  SynchronizationEvent
        Not impersonating
        DeviceMap                 ffffe18f2b818ad0
        Owning Process            ffff8489820c6040       Image:         Registry
        Attached Process          N/A            Image:         N/A
        Wait Start TickCount      321            Ticks: 1185 (0:00:00:18.515)
        Context Switch Count      1              IdealProcessor: 0
        UserTime                  00:00:00.000
        KernelTime                00:00:00.000
        Win32 Start Address nt!CmpLazyWriteWorker (0xfffff8000617dcd0)
        Stack Init ffff978955a37b90 Current ffff978955a37700
        Base ffff978955a38000 Limit ffff978955a31000 Call 0000000000000000
        Priority 8 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
        Child-SP          RetAddr               Call Site
        ffff9789`55a37740 fffff800`060395d6     nt!KiSwapContext+0x76
        ffff9789`55a37880 fffff800`06038dcb     nt!KiSwapThread+0x2c6
        ffff9789`55a37950 fffff800`060384ef     nt!KiCommitThreadWait+0x13b
        ffff9789`55a379f0 fffff800`0617dcfc     nt!KeWaitForSingleObject+0x1ff
        ffff9789`55a37ad0 fffff800`060734f7     nt!CmpLazyWriteWorker+0x2c
        ffff9789`55a37b10 fffff800`061b0b06     nt!PspSystemThreadStartup+0x47
        ffff9789`55a37b60 00000000`00000000     nt!KiStartSystemThread+0x16

        THREAD ffff848988ac4080  Cid 0078.0274  Teb: 0000000000000000 Win32Thread: 0000000000000000 WAIT: (Executive) UserMode Non-Alertable
            fffff800063974e0  SynchronizationEvent
        Not impersonating
        DeviceMap                 ffffe18f2b818ad0
        Owning Process            ffff8489820c6040       Image:         Registry
        Attached Process          N/A            Image:         N/A
        Wait Start TickCount      321            Ticks: 1185 (0:00:00:18.515)
        Context Switch Count      1              IdealProcessor: 2
        UserTime                  00:00:00.000
        KernelTime                00:00:00.000
        Win32 Start Address nt!CmpLazyWriteWorker (0xfffff8000617dcd0)
        Stack Init ffff978955a3fb90 Current ffff978955a3f700
        Base ffff978955a40000 Limit ffff978955a39000 Call 0000000000000000
        Priority 8 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
        Child-SP          RetAddr               Call Site
        ffff9789`55a3f740 fffff800`060395d6     nt!KiSwapContext+0x76
        ffff9789`55a3f880 fffff800`06038dcb     nt!KiSwapThread+0x2c6
        ffff9789`55a3f950 fffff800`060384ef     nt!KiCommitThreadWait+0x13b
        ffff9789`55a3f9f0 fffff800`0617dcfc     nt!KeWaitForSingleObject+0x1ff
        ffff9789`55a3fad0 fffff800`060734f7     nt!CmpLazyWriteWorker+0x2c
        ffff9789`55a3fb10 fffff800`061b0b06     nt!PspSystemThreadStartup+0x47
        ffff9789`55a3fb60 00000000`00000000     nt!KiStartSystemThread+0x16
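As an added example (not code from the post), a small Python parser for the `!process 0 0` record format shown above: it builds a ParentCid-to-children map from the records, flags processes whose parent is absent from the dump, notes which records have no PEB, and checks the Flags3 minimal bit the post reads off Registry. The Registry record is copied from the post; the other sample records and all their addresses are constructed.

```python
"""Parse WinDbg `!process 0 0` summary records into a process tree (added example,
not code from the post; sample records other than Registry are constructed)."""
import re
from collections import defaultdict

# One match per PROCESS record, whether in WinDbg's own four-line layout or in records
# that a copy-paste has run together on one line, as in the post.  Names follow the labels.
RECORD = re.compile(
    r"PROCESS (?P<addr>[0-9a-f]{16})\s*"
    r"SessionId:\s*(?P<session>\S+)\s+Cid:\s*(?P<cid>[0-9a-f]+)\s+"
    r"Peb:\s*(?P<peb>[0-9a-f]+)\s+ParentCid:\s*(?P<ppid>[0-9a-f]+)\s*"
    r"DirBase:\s*(?P<dirbase>[0-9a-f]+)\s+ObjectTable:\s*(?P<objtable>[0-9a-f]+)\s+"
    r"HandleCount:\s*(?P<handles>\d+)\.\s*"
    r"Image:\s*(?P<image>\S+?)(?=PROCESS |\s|$)"  # image may be glued to the next PROCESS
)

SAMPLE = (
    # constructed: System (Cid 4, parent 0), glued onto one line like the post's paste
    "PROCESS ffffa00000001040SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000"
    "DirBase: 001ad002  ObjectTable: ffffb00000010040  HandleCount: 2564.Image: System"
    # copied from the post's `!process 0 0 Registry` output
    "PROCESS ffff8489820c6040SessionId: none  Cid: 0078    Peb: 00000000  ParentCid: 0004"
    "DirBase: 99d00002  ObjectTable: ffffe18f2b825b80  HandleCount:   0.Image: Registry"
    # constructed: csrss.exe whose ParentCid 028c is deliberately absent from the sample
    "PROCESS ffffa00000002580SessionId: 0  Cid: 02d0    Peb: 9249550000  ParentCid: 028c"
    "DirBase: 40b000002  ObjectTable: ffffb00000020b40  HandleCount: 566.Image: csrss.exe\n"
    # constructed: explorer.exe in the layout WinDbg actually prints
    "PROCESS ffffa00000003080\n"
    "    SessionId: 1  Cid: 17e0    Peb: 01020000  ParentCid: 02d0\n"
    "    DirBase: 170980002  ObjectTable: ffffb00000030c40  HandleCount: 238.\n"
    "    Image: explorer.exe\n"
)


def parse_processes(text):
    """One dict per PROCESS record, in dump order, with Cid/ParentCid as integers."""
    procs = []
    for m in RECORD.finditer(text):
        d = m.groupdict()
        d["cid"] = int(d["cid"], 16)
        d["ppid"] = int(d["ppid"], 16)
        d["handles"] = int(d["handles"])
        d["has_peb"] = int(d["peb"], 16) != 0  # minimal processes like Registry have no PEB
        procs.append(d)
    return procs


def children_by_parent(procs):
    """Map ParentCid -> image names of its children, for walking the tree."""
    tree = defaultdict(list)
    for p in procs:
        tree[p["ppid"]].append(p["image"])
    return dict(tree)


def orphans(procs):
    """Images whose ParentCid is neither 0 nor in the dump: the parent has exited or the
    dump is partial, so a tree walk must not silently attach them to some other node."""
    known = {p["cid"] for p in procs}
    return [p["image"] for p in procs if p["ppid"] and p["ppid"] not in known]


def is_minimal(flags3):
    """EPROCESS.Flags3 bit 0 is the minimal-process flag the post reads off Registry (0x4001)."""
    return bool(flags3 & 1)
```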

Task Manager

The System Idle Process (IDLE) always has process ID 0, and its thread count equals the number of CPUs
