EPROCESS+KPCR+ETHREAD部分介绍-学习记录

**目前32位上结构体已经延展到了0x2bc **

_EPROCESS

nt!_EPROCESS
+0x000 Pcb : _KPROCESS 详细见下面
+0x098 ProcessLock : _EX_PUSH_LOCK 进程锁,和KPEOCESS不一样,只锁自己的结构
+0x0a0 CreateTime : _LARGE_INTEGER 进程创建时间
+0x0a8 ExitTime : _LARGE_INTEGER 进程退出时间
+0x0b0 RundownProtect : _EX_RUNDOWN_REF 另外一种进程锁
+0x0b4 UniqueProcessId : Ptr32 Void 进程ID PID
+0x0b8 ActiveProcessLinks : _LIST_ENTRY 进程链表
+0x0c0 ProcessQuotaUsage : [2] Uint4B **到0x30都是性能统计的东西 **
+0x0c8 ProcessQuotaPeak : [2] Uint4B
+0x0d0 CommitCharge : Uint4B
+0x0d4 QuotaBlock : Ptr32 _EPROCESS_QUOTA_BLOCK
+0x0d8 CpuQuotaBlock : Ptr32 _PS_CPU_QUOTA_BLOCK
+0x0dc PeakVirtualSize : Uint4B
+0x0e0 VirtualSize : Uint4B
+0x0e4 SessionProcessLinks : _LIST_ENTRY 会话进程链表,扫出当前用户的所有进程
+0x0ec DebugPort : Ptr32 Void 调试端口反调试时候要清0
+0x0f0 ExceptionPortData : Ptr32 Void 以下三个是异常相关的分别是数据,值,状态
+0x0f0 ExceptionPortValue : Uint4B
+0x0f0 ExceptionPortState : Pos 0, 3 Bits
+0x0f4 ObjectTable : Ptr32 _HANDLE_TABLE 事务句柄表
+0x0f8 Token : _EX_FAST_REF token,权限的描述,用来提权
+0x0fc WorkingSetPage : Uint4B 当前使用了多少物理页
+0x100 AddressCreationLock : _EX_PUSH_LOCK 锁
+0x104 RotateInProgress : Ptr32 _ETHREAD
+0x108 ForkInProgress : Ptr32 _ETHREAD
+0x10c HardwareTrigger : Uint4B
+0x110 PhysicalVadRoot : Ptr32 _MM_AVL_TABLE VAD 内存相关的
+0x114 CloneRoot : Ptr32 Void
+0x118 NumberOfPrivatePages : Uint4B
+0x11c NumberOfLockedPages : Uint4B
+0x120 Win32Process : Ptr32 Void 切换为UI进程的时候回设置为UI进程对象
+0x124 Job : Ptr32 _EJOB
+0x128 SectionObject : Ptr32 Void
+0x12c SectionBaseAddress : Ptr32 Void
+0x130 Cookie : Uint4B 指针加解密
+0x134 Spare8 : Uint4B
+0x138 WorkingSetWatch : Ptr32 _PAGEFAULT_HISTORY 可以防止第三方读取本进程
+0x13c Win32WindowStation : Ptr32 Void
+0x140 InheritedFromUniqueProcessId : Ptr32 Void 进程的父进程ID
+0x144 LdtInformation : Ptr32 Void LDT
+0x148 VdmObjects : Ptr32 Void 虚拟8086
+0x14c ConsoleHostProcess : Uint4B 控制台句柄
+0x150 DeviceMap : Ptr32 Void
+0x154 EtwDataSource : Ptr32 Void ETW数据源
+0x158 FreeTebHint : Ptr32 Void
+0x160 PageDirectoryPte : _HARDWARE_PTE
+0x160 Filler : Uint8B
+0x168 Session : Ptr32 Void 会话,说属于那个用户
+0x16c ImageFileName : [15] UChar 进程名
+0x17b PriorityClass : UChar
+0x17c JobLinks : _LIST_ENTRY 作业链表
+0x184 LockedPagesList : Ptr32 Void
+0x188 ThreadListHead : _LIST_ENTRY 线程链表
+0x190 SecurityPort : Ptr32 Void
+0x194 PaeTop : Ptr32 Void
+0x198 ActiveThreads : Uint4B
+0x19c ImagePathHash : Uint4B
+0x1a0 DefaultHardErrorProcessing : Uint4B
+0x1a4 LastThreadExitStatus : Int4B
+0x1a8 Peb : Ptr32 _PEB
+0x1ac PrefetchTrace : _EX_FAST_REF
+0x1b0 ReadOperationCount : _LARGE_INTEGER 读文件读一次会+1,以下几个同理
+0x1b8 WriteOperationCount : _LARGE_INTEGER
+0x1c0 OtherOperationCount : _LARGE_INTEGER
+0x1c8 ReadTransferCount : _LARGE_INTEGER
+0x1d0 WriteTransferCount : _LARGE_INTEGER
+0x1d8 OtherTransferCount : _LARGE_INTEGER
+0x1e0 CommitChargeLimit : Uint4B
+0x1e4 CommitChargePeak : Uint4B
+0x1e8 AweInfo : Ptr32 Void
+0x1ec SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO
+0x1f0 Vm : _MMSUPPORT
+0x25c MmProcessLinks : _LIST_ENTRY
+0x264 HighestUserAddress : Ptr32 Void
+0x268 ModifiedPageCount : Uint4B
+0x26c Flags2 : Uint4B
+0x26c JobNotReallyActive : Pos 0, 1 Bit
+0x26c AccountingFolded : Pos 1, 1 Bit
+0x26c NewProcessReported : Pos 2, 1 Bit
+0x26c ExitProcessReported : Pos 3, 1 Bit
+0x26c ReportCommitChanges : Pos 4, 1 Bit
+0x26c LastReportMemory : Pos 5, 1 Bit
+0x26c ReportPhysicalPageChanges : Pos 6, 1 Bit
+0x26c HandleTableRundown : Pos 7, 1 Bit
+0x26c NeedsHandleRundown : Pos 8, 1 Bit
+0x26c RefTraceEnabled : Pos 9, 1 Bit
+0x26c NumaAware : Pos 10, 1 Bit
+0x26c ProtectedProcess : Pos 11, 1 Bit
+0x26c DefaultPagePriority : Pos 12, 3 Bits
+0x26c PrimaryTokenFrozen : Pos 15, 1 Bit
+0x26c ProcessVerifierTarget : Pos 16, 1 Bit
+0x26c StackRandomizationDisabled : Pos 17, 1 Bit
+0x26c AffinityPermanent : Pos 18, 1 Bit
+0x26c AffinityUpdateEnable : Pos 19, 1 Bit
+0x26c PropagateNode : Pos 20, 1 Bit
+0x26c ExplicitAffinity : Pos 21, 1 Bit
+0x270 Flags : Uint4B
+0x270 CreateReported : Pos 0, 1 Bit
+0x270 NoDebugInherit : Pos 1, 1 Bit
+0x270 ProcessExiting : Pos 2, 1 Bit
+0x270 ProcessDelete : Pos 3, 1 Bit
+0x270 Wow64SplitPages : Pos 4, 1 Bit
+0x270 VmDeleted : Pos 5, 1 Bit
+0x270 OutswapEnabled : Pos 6, 1 Bit
+0x270 Outswapped : Pos 7, 1 Bit
+0x270 ForkFailed : Pos 8, 1 Bit
+0x270 Wow64VaSpace4Gb : Pos 9, 1 Bit
+0x270 AddressSpaceInitialized : Pos 10, 2 Bits
+0x270 SetTimerResolution : Pos 12, 1 Bit
+0x270 BreakOnTermination : Pos 13, 1 Bit
+0x270 DeprioritizeViews : Pos 14, 1 Bit
+0x270 WriteWatch : Pos 15, 1 Bit
+0x270 ProcessInSession : Pos 16, 1 Bit
+0x270 OverrideAddressSpace : Pos 17, 1 Bit
+0x270 HasAddressSpace : Pos 18, 1 Bit
+0x270 LaunchPrefetched : Pos 19, 1 Bit
+0x270 InjectInpageErrors : Pos 20, 1 Bit
+0x270 VmTopDown : Pos 21, 1 Bit
+0x270 ImageNotifyDone : Pos 22, 1 Bit
+0x270 PdeUpdateNeeded : Pos 23, 1 Bit
+0x270 VdmAllowed : Pos 24, 1 Bit
+0x270 CrossSessionCreate : Pos 25, 1 Bit
+0x270 ProcessInserted : Pos 26, 1 Bit
+0x270 DefaultIoPriority : Pos 27, 3 Bits
+0x270 ProcessSelfDelete : Pos 30, 1 Bit
+0x270 SetTimerResolutionLink : Pos 31, 1 Bit
+0x274 ExitStatus : Int4B
+0x278 VadRoot : _MM_AVL_TABLE
+0x298 AlpcContext : _ALPC_PROCESS_CONTEXT
+0x2a8 TimerResolutionLink : _LIST_ENTRY
+0x2b0 RequestedTimerResolution : Uint4B
+0x2b4 ActiveThreadsHighWatermark : Uint4B
+0x2b8 SmallestTimerResolution : Uint4B
+0x2bc TimerResolutionStackRecord : Ptr32 _PO_DIAG_STACK_RECORD

首先说一下线性地址大小:
32位 ->4GB 2G+2G
64位->但是只用了48位所以大小是256T

FFFFFFFFFFFF
这48位也分为ring0和ring3,分别是128T

_KPROCESS

Pcb : _KPROCESS ->(内核进程块)是用来记录任务调度有关的一些信息,通常不被ring3访问
(进程是惰性的,必须得有一个线程来运行,不然就死了) 首地址跟EPROCESS的地址相同,所以可认为两者是相同的
nt!_KPROCESS
+0x000 Header : _DISPATCHER_HEADER 用来事件等待
+0x010 ProfileListHead : _LIST_ENTRY 双向链表,用来性能统计(打开任务管理器的性能页面)
+0x018 DirectoryTableBase : Uint4B 就是页表基址CR3
+0x01c LdtDescriptor : _KGDTENTRY LDT
+0x024 Int21Descriptor : _KIDTENTRY 虚拟8086用的
+0x02c ThreadListHead : _LIST_ENTRY 双向链表,属于本进程的所有线程,都可以遍历出来
+0x034 ProcessLock : Uint4B 锁,安全机制
+0x038 Affinity : _KAFFINITY_EX 创建的线程默认跑在那哪个核心里,0号CPU是特殊的
+0x044 ReadyListHead : _LIST_ENTRY 就绪列表,一些线程除了已经被调度的还有一些初始化资源没有跑起来的就放在这个链表里
+0x04c SwapListEntry : _SINGLE_LIST_ENTRY 单向链表,表示当前线程中栈空间跟磁盘有交互
+0x050 ActiveProcessors : _KAFFINITY_EX 当前进程用到了哪些核心
+0x05c AutoAlignment : Pos 0, 1 Bit
+0x05c DisableBoost : Pos 1, 1 Bit
+0x05c DisableQuantum : Pos 2, 1 Bit
+0x05c ActiveGroupsMask : Pos 3, 1 Bit
+0x05c ReservedFlags : Pos 4, 28 Bits
+0x05c ProcessFlags : Int4B 进程标志位
+0x060 BasePriority : Char 本进程线程的默认优先级
+0x061 QuantumReset : Char 默认多少时间片之后线程会切走(6个时间片,一个时钟中断3个时间片)
+0x062 Visited : UChar
+0x063 Unused3 : UChar
+0x064 ThreadSeed : [1] Uint4B
+0x068 IdealNode : [1] Uint2B
+0x06a IdealGlobalNode : Uint2B
+0x06c Flags : _KEXECUTE_OPTIONS 数据执行保护DEP
+0x06d Unused1 : UChar
+0x06e IopmOffset : Uint2B
+0x070 Unused4 : Uint4B
+0x074 StackCount : _KSTACK_COUNT
+0x078 ProcessListEntry : _LIST_ENTRY 在win7以后就不用了
+0x080 CycleTime : Uint8B
+0x088 KernelTime : Uint4B
+0x08c UserTime : Uint4B
+0x090 VdmTrapcHandler : Ptr32 Void

ntdll!_ETHREAD

+0x000 Tcb : _KTHREAD
+0x200 CreateTime : _LARGE_INTEGER 创建时间
+0x208 ExitTime : _LARGE_INTEGER 退出时间
+0x208 KeyedWaitChain : _LIST_ENTRY
+0x210 ExitStatus : Int4B
+0x214 PostBlockList : _LIST_ENTRY
+0x214 ForwardLinkShadow : Ptr32 Void
+0x218 StartAddress : Ptr32 Void 和0x260是一对,普通进程
+0x21c TerminationPort : Ptr32 _TERMINATION_PORT
+0x21c ReaperLink : Ptr32 _ETHREAD
+0x21c KeyedWaitValue : Ptr32 Void
+0x220 ActiveTimerListLock : Uint4B
+0x224 ActiveTimerListHead : _LIST_ENTRY
+0x22c Cid : _CLIENT_ID 包括进程ＩＤ(创建的不是挂靠的)，和线程ＩＤ
+0x234 KeyedWaitSemaphore : _KSEMAPHORE
+0x234 AlpcWaitSemaphore : _KSEMAPHORE
+0x248 ClientSecurity : _PS_CLIENT_SECURITY_CONTEXT
+0x24c IrpList : _LIST_ENTRY
+0x254 TopLevelIrp : Uint4B
+0x258 DeviceToVerify : Ptr32 _DEVICE_OBJECT
+0x25c CpuQuotaApc : Ptr32 _PSP_CPU_QUOTA_APC
+0x260 Win32StartAddress : Ptr32 Void ＧＵＩ进程（可以伪装）
+0x264 LegacyPowerObject : Ptr32 Void
+0x268 ThreadListEntry : _LIST_ENTRY 另外一对线程链表
+0x270 RundownProtect : _EX_RUNDOWN_REF
+0x274 ThreadLock : _EX_PUSH_LOCK 线程锁
+0x278 ReadClusterSize : Uint4B
+0x27c MmLockOrdering : Int4B
+0x280 CrossThreadFlags : Uint4B
+0x280 Terminated : Pos 0, 1 Bit 是否被结束的线程
+0x280 ThreadInserted : Pos 1, 1 Bit 0:线程被保护,无法被打开
+0x280 HideFromDebugger : Pos 2, 1 Bit 1:不能被调试
+0x280 ActiveImpersonationInfo : Pos 3, 1 Bit
+0x280 Reserved : Pos 4, 1 Bit
+0x280 HardErrorsAreDisabled : Pos 5, 1 Bit
+0x280 BreakOnTermination : Pos 6, 1 Bit 1:线程无法结束,如果结束就蓝屏
+0x280 SkipCreationMsg : Pos 7, 1 Bit
+0x280 SkipTerminationMsg : Pos 8, 1 Bit
+0x280 CopyTokenOnOpen : Pos 9, 1 Bit
+0x280 ThreadIoPriority : Pos 10, 3 Bits
+0x280 ThreadPagePriority : Pos 13, 3 Bits
+0x280 RundownFail : Pos 16, 1 Bit
+0x280 NeedsWorkingSetAging : Pos 17, 1 Bit
+0x284 SameThreadPassiveFlags : Uint4B
+0x284 ActiveExWorker : Pos 0, 1 Bit
+0x284 ExWorkerCanWaitUser : Pos 1, 1 Bit
+0x284 MemoryMaker : Pos 2, 1 Bit
+0x284 ClonedThread : Pos 3, 1 Bit
+0x284 KeyedEventInUse : Pos 4, 1 Bit
+0x284 RateApcState : Pos 5, 2 Bits
+0x284 SelfTerminate : Pos 7, 1 Bit
+0x288 SameThreadApcFlags : Uint4B
+0x288 Spare : Pos 0, 1 Bit
+0x288 StartAddressInvalid : Pos 1, 1 Bit
+0x288 EtwPageFaultCalloutActive : Pos 2, 1 Bit
+0x288 OwnsProcessWorkingSetExclusive : Pos 3, 1 Bit
+0x288 OwnsProcessWorkingSetShared : Pos 4, 1 Bit
+0x288 OwnsSystemCacheWorkingSetExclusive : Pos 5, 1 Bit
+0x288 OwnsSystemCacheWorkingSetShared : Pos 6, 1 Bit
+0x288 OwnsSessionWorkingSetExclusive : Pos 7, 1 Bit
+0x289 OwnsSessionWorkingSetShared : Pos 0, 1 Bit
+0x289 OwnsProcessAddressSpaceExclusive : Pos 1, 1 Bit
+0x289 OwnsProcessAddressSpaceShared : Pos 2, 1 Bit
+0x289 SuppressSymbolLoad : Pos 3, 1 Bit
+0x289 Prefetching : Pos 4, 1 Bit
+0x289 OwnsDynamicMemoryShared : Pos 5, 1 Bit
+0x289 OwnsChangeControlAreaExclusive : Pos 6, 1 Bit
+0x289 OwnsChangeControlAreaShared : Pos 7, 1 Bit
+0x28a OwnsPagedPoolWorkingSetExclusive : Pos 0, 1 Bit
+0x28a OwnsPagedPoolWorkingSetShared : Pos 1, 1 Bit
+0x28a OwnsSystemPtesWorkingSetExclusive : Pos 2, 1 Bit
+0x28a OwnsSystemPtesWorkingSetShared : Pos 3, 1 Bit
+0x28a TrimTrigger : Pos 4, 2 Bits
+0x28a Spare1 : Pos 6, 2 Bits
+0x28b PriorityRegionActive : UChar
+0x28c CacheManagerActive : UChar
+0x28d DisablePageFaultClustering : UChar
+0x28e ActiveFaultCount : UChar
+0x28f LockOrderState : UChar
+0x290 AlpcMessageId : Uint4B
+0x294 AlpcMessage : Ptr32 Void
+0x294 AlpcReceiveAttributeSet : Uint4B
+0x298 AlpcWaitListEntry : _LIST_ENTRY
+0x2a0 CacheManagerCount : Uint4B
+0x2a4 IoBoostCount : Uint4B
+0x2a8 IrpListLock : Uint4B
+0x2ac ReservedForSynchTracking : Ptr32 Void
+0x2b0 CmCallbackListHead : _SINGLE_LIST_ENTRY

ntdll!_KTHREAD

+0x000 Header : _DISPATCHER_HEADER 等待头
+0x010 CycleTime : Uint8B 和性能相关的时间
+0x018 HighCycleTime : Uint4B
+0x020 QuantumTarget : Uint8B
+0x028 InitialStack : Ptr32 Void 栈底
+0x02c StackLimit : Ptr32 Void 栈顶
+0x030 KernelStack : Ptr32 Void 当前所在栈的位置
+0x034 ThreadLock : Uint4B 线程锁
+0x038 WaitRegister : _KWAIT_STATUS_REGISTER
+0x039 Running : UChar 运行状态
+0x03a Alerted : [2] UChar 0内核警告,1用户警告
+0x03c KernelStackResident : Pos 0, 1 Bit
+0x03c ReadyTransition : Pos 1, 1 Bit
+0x03c ProcessReadyQueue : Pos 2, 1 Bit
+0x03c WaitNext : Pos 3, 1 Bit
+0x03c SystemAffinityActive : Pos 4, 1 Bit
+0x03c Alertable : Pos 5, 1 Bit 是不是可以被唤醒
+0x03c GdiFlushActive : Pos 6, 1 Bit
+0x03c UserStackWalkActive : Pos 7, 1 Bit
+0x03c ApcInterruptRequest : Pos 8, 1 Bit
+0x03c ForceDeferSchedule : Pos 9, 1 Bit
+0x03c QuantumEndMigrate : Pos 10, 1 Bit
+0x03c UmsDirectedSwitchEnable : Pos 11, 1 Bit
+0x03c TimerActive : Pos 12, 1 Bit
+0x03c SystemThread : Pos 13, 1 Bit 1:系统线程
+0x03c Reserved : Pos 14, 18 Bits
+0x03c MiscFlags : Int4B
+0x040 ApcState : _KAPC_STATE
+0x040 ApcStateFill : [23] UChar
+0x057 Priority : Char 当前线程优先级
+0x058 NextProcessor : Uint4B 下一次时间片被抢占之后,会运行在哪个核心里
+0x05c DeferredProcessor : Uint4B
+0x060 ApcQueueLock : Uint4B APC队列锁
+0x064 ContextSwitches : Uint4B 切换总数
+0x068 State : UChar 线程状态(重要)
+0x069 NpxState : Char
+0x06a WaitIrql : UChar 等待时候的IRql
+0x06b WaitMode : Char
+0x06c WaitStatus : Int4B 等待状态
+0x070 WaitBlockList : Ptr32 _KWAIT_BLOCK 等待链表
+0x074 WaitListEntry : _LIST_ENTRY 链表
+0x074 SwapListEntry : _SINGLE_LIST_ENTRY
+0x07c Queue : Ptr32 _KQUEUE 队列
+0x080 WaitTime : Uint4B 时间
+0x084 KernelApcDisable : Int2B APC相关的
+0x086 SpecialApcDisable : Int2B
+0x084 CombinedApcDisable : Uint4B
+0x088 Teb : Ptr32 Void 线程TEB
+0x090 Timer : _KTIMER 定时器
+0x0b8 AutoAlignment : Pos 0, 1 Bit
+0x0b8 DisableBoost : Pos 1, 1 Bit
+0x0b8 EtwStackTraceApc1Inserted : Pos 2, 1 Bit
+0x0b8 EtwStackTraceApc2Inserted : Pos 3, 1 Bit
+0x0b8 CalloutActive : Pos 4, 1 Bit 是否0环调用3环
+0x0b8 ApcQueueable : Pos 5, 1 Bit 是否是APC队列
+0x0b8 EnableStackSwap : Pos 6, 1 Bit
+0x0b8 GuiThread : Pos 7, 1 Bit
+0x0b8 UmsPerformingSyscall : Pos 8, 1 Bit
+0x0b8 VdmSafe : Pos 9, 1 Bit
+0x0b8 UmsDispatched : Pos 10, 1 Bit
+0x0b8 ReservedFlags : Pos 11, 21 Bits
+0x0b8 ThreadFlags : Int4B
+0x0bc ServiceTable : Ptr32 Void
+0x0c0 WaitBlock : [4] _KWAIT_BLOCK
+0x120 QueueListEntry : _LIST_ENTRY
+0x128 TrapFrame : Ptr32 _KTRAP_FRAME
+0x12c FirstArgument : Ptr32 Void
+0x130 CallbackStack : Ptr32 Void
+0x130 CallbackDepth : Uint4B
+0x134 ApcStateIndex : UChar
+0x135 BasePriority : Char 进程优先级,线程继承过来的
+0x136 PriorityDecrement : Char
+0x136 ForegroundBoost : Pos 0, 4 Bits
+0x136 UnusualBoost : Pos 4, 4 Bits
+0x137 Preempted : UChar
+0x138 AdjustReason : UChar
+0x139 AdjustIncrement : Char
+0x13a PreviousMode : Char 判断是用户模式还是内核模式
+0x13b Saturation : Char
+0x13c SystemCallNumber : Uint4B
+0x140 FreezeCount : Uint4B 线程挂起的次数总数
+0x144 UserAffinity : _GROUP_AFFINITY
+0x150 Process : Ptr32 _KPROCESS 创建线程的进程
+0x154 Affinity : _GROUP_AFFINITY
+0x160 IdealProcessor : Uint4B
+0x164 UserIdealProcessor : Uint4B
+0x168 ApcStatePointer : [2] Ptr32 _KAPC_STATE
+0x170 SavedApcState : _KAPC_STATE
+0x170 SavedApcStateFill : [23] UChar
+0x187 WaitReason : UChar
+0x188 SuspendCount : Char
+0x189 Spare1 : Char
+0x18a OtherPlatformFill : UChar
+0x18c Win32Thread : Ptr32 Void
+0x190 StackBase : Ptr32 Void
+0x194 SuspendApc : _KAPC
+0x194 SuspendApcFill0 : [1] UChar
+0x195 ResourceIndex : UChar
+0x194 SuspendApcFill1 : [3] UChar
+0x197 QuantumReset : UChar
+0x194 SuspendApcFill2 : [4] UChar
+0x198 KernelTime : Uint4B
+0x194 SuspendApcFill3 : [36] UChar
+0x1b8 WaitPrcb : Ptr32 _KPRCB
+0x194 SuspendApcFill4 : [40] UChar
+0x1bc LegoData : Ptr32 Void
+0x194 SuspendApcFill5 : [47] UChar
+0x1c3 LargeStack : UChar
+0x1c4 UserTime : Uint4B
+0x1c8 SuspendSemaphore : _KSEMAPHORE
+0x1c8 SuspendSemaphorefill : [20] UChar
+0x1dc SListFaultCount : Uint4B
+0x1e0 ThreadListEntry : _LIST_ENTRY 线程链表,KPROCESS中的线程就指向这
+0x1e8 MutantListHead : _LIST_ENTRY
+0x1f0 SListFaultAddress : Ptr32 Void
+0x1f4 ThreadCounters : Ptr32 _KTHREAD_COUNTERS
+0x1f8 XStateSave : Ptr32 _XSTATE_SAVE

ntdll!_KAPC_STATE

+0x000 ApcListHead : [2] _LIST_ENTRY
+0x010 Process : Ptr32 _KPROCESS 线程挂靠在哪个进程
+0x014 KernelApcInProgress : UChar
+0x015 KernelApcPending : UChar
+0x016 UserApcPending : UChar

KPCR

描述内核核心的

ntdll!_KPCR
+0x000 NtTib : _NT_TIB
+0x000 Used_ExceptionList : Ptr32 _EXCEPTION_REGISTRATION_RECORD 异常链表SEH
+0x004 Used_StackBase : Ptr32 Void 栈基质
+0x008 Spare2 : Ptr32 Void
+0x00c TssCopy : Ptr32 Void Tss拷贝和下面TSS的值是一样的就是拷贝了一份
+0x010 ContextSwitches : Uint4B R0，R3相互切换次数的统计
+0x014 SetMemberCopy : Uint4B
+0x018 Used_Self : Ptr32 Void
从00-0x18是一个联合体
+0x01c SelfPcr : Ptr32 _KPCR 指向自己的指针
+0x020 Prcb : Ptr32 _KPRCB 指向KPRCB也就是最后一个成员偏移120h,用于扩展的一个成员
+0x024 Irql : UChar Irql等级
+0x028 IRR : Uint4B以下三个都是和中断相关的寄存器
+0x02c IrrActive : Uint4B 和中断相关的寄存器
+0x030 IDR : Uint4B 和中断相关的寄存器
+0x034 KdVersionBlock : Ptr32 Void 0核才有值
+0x038 IDT : Ptr32 _KIDTENTRY IDT基址
+0x03c GDT : Ptr32 _KGDTENTRY 基址
+0x040 TSS : Ptr32 _KTSS 基址
+0x044 MajorVersion : Uint2B 版本
+0x046 MinorVersion : Uint2B
+0x048 SetMember : Uint4B
+0x04c StallScaleFactor : Uint4B
+0x050 SpareUnused : UChar
+0x051 Number : UChar
+0x052 Spare0 : UChar
+0x053 SecondLevelCacheAssociativity : UChar
+0x054 VdmAlert : Uint4B
+0x058 KernelReserved : [14] Uint4B
+0x090 SecondLevelCacheSize : Uint4B
+0x094 HalReserved : [16] Uint4B
+0x0d4 InterruptMode : Uint4B
+0x0d8 Spare1 : UChar
+0x0dc KernelReserved2 : [17] Uint4B
+0x120 PrcbData : _KPRCB

dd keNumberProcessors
4核(不分物理还是逻辑)

KPCR所在位置
0x83f31c00

查看其他核心的KPCR
dd KiProcessorBlock

这四个值是KPRCB的地址

0: kd> dt _dbgkd_get_version64 0x83f31c00
nt!_DBGKD_GET_VERSION64
+0x000 MajorVersion : 0xe13c
+0x002 MinorVersion : 0x83f2
+0x004 ProtocolVersion : 0 ‘’
+0x005 KdSecondaryVersion : 0 ‘’
+0x006 Flags : 0
+0x008 MachineType : 0
+0x00a MaxPacketType : 0 ‘’
+0x00b MaxStateChange : 0 ‘’
+0x00c MaxManipulate : 0 ‘’
+0x00d Simulation : 0x40 ‘@’
+0x00e Unused : [1] 0x801e
+0x010 KernBase : 0x100035aa2 内核文件基地址 +0x018 PsLoadedModuleList : 0x83f31c0000000000
+0x020 DebuggerDataList : 0x1f`83f31d20

0: kd> dt _dbgkd_get_version32 83f31c00
nt!_DBGKD_GET_VERSION32
+0x000 MajorVersion : 0xe13c
+0x002 MinorVersion : 0x83f2
+0x004 ProtocolVersion : 0
+0x006 Flags : 0
+0x008 KernBase : 0
+0x00c PsLoadedModuleList : 0x801e4000
+0x010 MachineType : 0x5aa2
+0x012 ThCallbackStack : 3
+0x014 NextCallback : 1
+0x016 FramePointer : 0
+0x018 KiCallUserMode : 0
+0x01c KeUserCallbackDispatcher : 0x83f31c00
+0x020 BreakpointWithStatus : 0x83f31d20
+0x024 DebuggerDataList : 0x1f

_KPRCB

成员太多就不列了

0: kd> dt _KPRCB
ntdll!_KPRCB
+0x000 MinorVersion : Uint2B
+0x002 MajorVersion : Uint2B
+0x004 CurrentThread : Ptr32 _KTHREAD 当前线程
在线程切换的时候,不会先到就绪列表里面找,而是先看下一个线程有没有值,有的话会直接切换,没有的话采取就绪列表里面取
+0x008 NextThread : Ptr32 _KTHREAD 下一个线程
+0x00c IdleThread : Ptr32 _KTHREAD 0 就是系统空闲进程