4. Processes and Threads
4.1. WRK
1. Project --> New Project --> select the wrk directory --> OK
2. Add and Remove Project Files --> select the four files --> Add Tree
3. Search
4.2. KPCR
KPCR (Kernel Processor Control Region): the per-processor control block. There is exactly one KPCR per CPU core.
fs = 0x30 in kernel mode: the FS segment points at the current processor's KPCR.
fs = 0x3b in user mode: FS points at the current thread's TEB.
1. KPCR structure
kd> dt _KPCR
ntdll!_KPCR
+0x000 NtTib : _NT_TIB
+0x000 Used_ExceptionList : Ptr32 _EXCEPTION_REGISTRATION_RECORD
+0x004 Used_StackBase : Ptr32 Void
+0x008 Spare2 : Ptr32 Void
+0x00c TssCopy : Ptr32 Void
+0x010 ContextSwitches : Uint4B
+0x014 SetMemberCopy : Uint4B
+0x018 Used_Self : Ptr32 Void // the NtTib.Self slot, reused by the kernel to hold the current thread's TEB pointer
+0x01c SelfPcr : Ptr32 _KPCR // always points at this KPCR itself
+0x020 Prcb : Ptr32 _KPRCB // points at the _KPRCB embedded at +0x120 (PrcbData)
+0x024 Irql : UChar
+0x028 IRR : Uint4B
+0x02c IrrActive : Uint4B
+0x030 IDR : Uint4B
+0x034 KdVersionBlock : Ptr32 Void
+0x038 IDT : Ptr32 _KIDTENTRY
+0x03c GDT : Ptr32 _KGDTENTRY
+0x040 TSS : Ptr32 _KTSS
+0x044 MajorVersion : Uint2B
+0x046 MinorVersion : Uint2B
+0x048 SetMember : Uint4B
+0x04c StallScaleFactor : Uint4B
+0x050 SpareUnused : UChar
+0x051 Number : UChar // index of the processor this KPCR belongs to
+0x052 Spare0 : UChar
+0x053 SecondLevelCacheAssociativity : UChar
+0x054 VdmAlert : Uint4B
+0x058 KernelReserved : [14] Uint4B
+0x090 SecondLevelCacheSize : Uint4B
+0x094 HalReserved : [16] Uint4B
+0x0d4 InterruptMode : Uint4B
+0x0d8 Spare1 : UChar
+0x0dc KernelReserved2 : [17] Uint4B
+0x120 PrcbData : _KPRCB // the embedded processor control block (KPRCB), the larger per-CPU state
2. KiProcessorBlock
- KiProcessorBlock: array of KPRCB pointers, one per processor; each entry points at offset 0x120 of that processor's KPCR (PrcbData).
- KeNumberProcessors: number of processors.
3. +0x000 NtTib
ntdll!_NT_TIB
+0x000 ExceptionList : Ptr32 _EXCEPTION_REGISTRATION_RECORD
+0x004 StackBase : Ptr32 Void
+0x008 StackLimit : Ptr32 Void // StackBase/StackLimit: kernel stack base and limit of the thread currently running on this processor
+0x00c SubSystemTib : Ptr32 Void
+0x010 FiberData : Ptr32 Void
+0x010 Version : Uint4B
+0x014 ArbitraryUserPointer : Ptr32 Void
+0x018 Self : Ptr32 _NT_TIB
4.3. Function prefixes
Windows NT is a hybrid kernel: a small kernel layer sits underneath the executive, and the data structures follow that split.
- Kernel structures: used by the scheduler and the low-level kernel (KPROCESS, KTHREAD).
- Executive structures: the layer that deals with R3 (EPROCESS is an executive structure; its first member is the KPROCESS).
Function prefixes
- Ex: executive support routines (pool allocation, interlocked list operations, push locks and resources, rundown protection), exported.
- Ke: kernel routines, mostly exported.
- Ki: kernel-internal routines, not exported; process, thread, CPU and scheduling related.
- Ps: process and thread management (executive layer).
- Mm: memory manager, generally exported.
- Mi: memory manager internals; the Mm routines are implemented on top of Mi. Not exported.
- Io: I/O manager (files, devices), exported.
- Cc: cache manager (file cache).
- Rtl: run-time library (string handling and similar), exported.
- Zw: system-service stubs that enter through the system-call dispatcher and the SSDT. When kernel code calls a Zw stub, the dispatcher sets the thread's PreviousMode to KernelMode for the duration of the call, so the Nt implementation skips parameter probing and access checks.
- Nt: the actual system-service implementations; a Zw stub ends up in the matching Nt routine, which does the real work. Calling an Nt routine directly from kernel code leaves PreviousMode as it was (possibly UserMode, if you are running on behalf of a user-mode system call).
- Cm: configuration manager (registry).
- Hal: hardware abstraction layer.
- Ob: object manager: handles, creating and looking up kernel objects.
- Pnp: Plug and Play manager (power management is the Po prefix, not Pnp).
- Psp: process/thread internals; the Ps routines call Psp for the heavy lifting. Not exported.
4.4. KPROCESS
kd> dt _KPROCESS
ntdll!_KPROCESS
+0x000 Header : _DISPATCHER_HEADER
+0x010 ProfileListHead : _LIST_ENTRY // profiling
+0x018 DirectoryTableBase : Uint4B // page directory base, loaded into CR3 when switching to this process
+0x01c LdtDescriptor : _KGDTENTRY
+0x024 Int21Descriptor : _KIDTENTRY
+0x02c ThreadListHead : _LIST_ENTRY // list of this process's threads (linked through KTHREAD.ThreadListEntry)
+0x034 ProcessLock : Uint4B // spin lock
+0x038 Affinity : _KAFFINITY_EX // processor affinity
+0x044 ReadyListHead : _LIST_ENTRY // ready list
+0x04c SwapListEntry : _SINGLE_LIST_ENTRY // swap list
+0x050 ActiveProcessors : _KAFFINITY_EX
+0x05c AutoAlignment : Pos 0, 1 Bit
+0x05c DisableBoost : Pos 1, 1 Bit
+0x05c DisableQuantum : Pos 2, 1 Bit // quantum (time slice) handling
+0x05c ActiveGroupsMask : Pos 3, 1 Bit
+0x05c ReservedFlags : Pos 4, 28 Bits
+0x05c ProcessFlags : Int4B
+0x060 BasePriority : Char // base (initial) priority
+0x061 QuantumReset : Char // quantum value a thread receives when its quantum is reset
+0x062 Visited : UChar
+0x063 Unused3 : UChar
+0x064 ThreadSeed : [1] Uint4B
+0x068 IdealNode : [1] Uint2B
+0x06a IdealGlobalNode : Uint2B
+0x06c Flags : _KEXECUTE_OPTIONS
+0x06d Unused1 : UChar
+0x06e IopmOffset : Uint2B
+0x070 Unused4 : Uint4B
+0x074 StackCount : _KSTACK_COUNT
+0x078 ProcessListEntry : _LIST_ENTRY
+0x080 CycleTime : Uint8B
+0x088 KernelTime : Uint4B
+0x08c UserTime : Uint4B // KernelTime/UserTime: accumulated kernel- and user-mode time of the process's threads
+0x090 VdmTrapcHandler : Ptr32 Void
4.5. EPROCESS
kd> dt _EPROCESS 88079d40
ntdll!_EPROCESS
+0x000 Pcb : _KPROCESS
+0x098 ProcessLock : _EX_PUSH_LOCK // push lock (as the type says; not a spin lock)
+0x0a0 CreateTime : _LARGE_INTEGER 0x01d88c86`b179ff84 // process creation time
+0x0a8 ExitTime : _LARGE_INTEGER 0x0 // process exit time, 0 while the process is still running
+0x0b0 RundownProtect : _EX_RUNDOWN_REF
+0x0b4 UniqueProcessId : 0x00000cb8 Void // PID
+0x0b8 ActiveProcessLinks : _LIST_ENTRY [ 0x83f59c88 - 0x88067540 ] // active process list (list head: PsActiveProcessHead)
+0x0c0 ProcessQuotaUsage : [2] 0x3688
+0x0c8 ProcessQuotaPeak : [2] 0x373c
+0x0d0 CommitCharge : 0x602
+0x0d4 QuotaBlock : 0x87acf1c0 _EPROCESS_QUOTA_BLOCK
+0x0d8 CpuQuotaBlock : (null)
+0x0dc PeakVirtualSize : 0x8156000
+0x0e0 VirtualSize : 0x8115000
+0x0e4 SessionProcessLinks : _LIST_ENTRY [ 0x8f18f010 - 0x87d6adbc ] // list of the processes in the same session
+0x0ec DebugPort : (null) // non-NULL means a debugger is attached to the process
+0x0f0 ExceptionPortData : 0x879e0f00 Void
+0x0f0 ExceptionPortValue : 0x879e0f00
+0x0f0 ExceptionPortState : 0y000
+0x0f4 ObjectTable : 0xa4738a78 _HANDLE_TABLE // handle table
+0x0f8 Token : _EX_FAST_REF
+0x0fc WorkingSetPage : 0xf226 // physical page number of the working-set list page
+0x100 AddressCreationLock : _EX_PUSH_LOCK
+0x104 RotateInProgress : (null)
+0x108 ForkInProgress : (null)
+0x10c HardwareTrigger : 0
+0x110 PhysicalVadRoot : (null)
+0x114 CloneRoot : (null)
+0x118 NumberOfPrivatePages : 0x44e
+0x11c NumberOfLockedPages : 0
+0x120 Win32Process : 0xffa40510 Void
+0x124 Job : (null)
+0x128 SectionObject : 0x99dff928 Void
+0x12c SectionBaseAddress : 0x00be0000 Void
+0x130 Cookie : 0x910986dc
+0x134 Spare8 : 0
+0x138 WorkingSetWatch : (null)
+0x13c Win32WindowStation : 0x00000038 Void
+0x140 InheritedFromUniqueProcessId : 0x00000554 Void
+0x144 LdtInformation : (null)
+0x148 VdmObjects : (null)
+0x14c ConsoleHostProcess : 0
+0x150 DeviceMap : 0x83650490 Void
+0x154 EtwDataSource : (null)
+0x158 FreeTebHint : 0x7ffde000 Void
+0x160 PageDirectoryPte : _HARDWARE_PTE_X86
+0x160 Filler : 0
+0x168 Session : 0x8f18f000 Void
+0x16c ImageFileName : [15] "notepad.exe" // process name (only the first 15 characters of the image file name)
+0x17b PriorityClass : 0x2 ''
+0x17c JobLinks : _LIST_ENTRY [ 0x0 - 0x0 ]
+0x184 LockedPagesList : (null)
+0x188 ThreadListHead : _LIST_ENTRY [ 0x85da7298 - 0x88094fb0 ] // thread list (linked through ETHREAD.ThreadListEntry)
+0x190 SecurityPort : (null)
+0x194 PaeTop : 0x86b79560 Void
+0x198 ActiveThreads : 4 // number of live threads in the process
+0x19c ImagePathHash : 0xeb1b961a
+0x1a0 DefaultHardErrorProcessing : 1
+0x1a4 LastThreadExitStatus : 0n0
+0x1a8 Peb : 0x7ffdf000 _PEB // PEB (a user-mode address)
+0x1ac PrefetchTrace : _EX_FAST_REF
+0x1b0 ReadOperationCount : _LARGE_INTEGER 0x1c
+0x1b8 WriteOperationCount : _LARGE_INTEGER 0x4
+0x1c0 OtherOperationCount : _LARGE_INTEGER 0x1fa
+0x1c8 ReadTransferCount : _LARGE_INTEGER 0x4b9031
+0x1d0 WriteTransferCount : _LARGE_INTEGER 0x2a38
+0x1d8 OtherTransferCount : _LARGE_INTEGER 0x126c
+0x1e0 CommitChargeLimit : 0
+0x1e4 CommitChargePeak : 0xb49
+0x1e8 AweInfo : (null)
+0x1ec SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO // full image path of the process
+0x1f0 Vm : _MMSUPPORT
+0x25c MmProcessLinks : _LIST_ENTRY [ 0x83f600f0 - 0x880676e4 ]
+0x264 HighestUserAddress : 0x7fff0000 Void
+0x268 ModifiedPageCount : 0x209
+0x26c Flags2 : 0x200d000
+0x26c JobNotReallyActive : 0y0
+0x26c AccountingFolded : 0y0
+0x26c NewProcessReported : 0y0
+0x26c ExitProcessReported : 0y0
+0x26c ReportCommitChanges : 0y0
+0x26c LastReportMemory : 0y0
+0x26c ReportPhysicalPageChanges : 0y0
+0x26c HandleTableRundown : 0y0
+0x26c NeedsHandleRundown : 0y0
+0x26c RefTraceEnabled : 0y0
+0x26c NumaAware : 0y0
+0x26c ProtectedProcess : 0y0 // protected process
+0x26c DefaultPagePriority : 0y101
+0x26c PrimaryTokenFrozen : 0y1
+0x26c ProcessVerifierTarget : 0y0
+0x26c StackRandomizationDisabled : 0y0
+0x26c AffinityPermanent : 0y0
+0x26c AffinityUpdateEnable : 0y0
+0x26c PropagateNode : 0y0
+0x26c ExplicitAffinity : 0y0
+0x270 Flags : 0x144d0801
+0x270 CreateReported : 0y1
+0x270 NoDebugInherit : 0y0
+0x270 ProcessExiting : 0y0
+0x270 ProcessDelete : 0y0
+0x270 Wow64SplitPages : 0y0
+0x270 VmDeleted : 0y0
+0x270 OutswapEnabled : 0y0
+0x270 Outswapped : 0y0
+0x270 ForkFailed : 0y0
+0x270 Wow64VaSpace4Gb : 0y0
+0x270 AddressSpaceInitialized : 0y10
+0x270 SetTimerResolution : 0y0
+0x270 BreakOnTermination : 0y0
+0x270 DeprioritizeViews : 0y0
+0x270 WriteWatch : 0y0
+0x270 ProcessInSession : 0y1
+0x270 OverrideAddressSpace : 0y0
+0x270 HasAddressSpace : 0y1
+0x270 LaunchPrefetched : 0y1
+0x270 InjectInpageErrors : 0y0
+0x270 VmTopDown : 0y0 // allocate virtual memory from high addresses downward (default is bottom-up)
+0x270 ImageNotifyDone : 0y1
+0x270 PdeUpdateNeeded : 0y0
+0x270 VdmAllowed : 0y0
+0x270 CrossSessionCreate : 0y0
+0x270 ProcessInserted : 0y1
+0x270 DefaultIoPriority : 0y010
+0x270 ProcessSelfDelete : 0y0
+0x270 SetTimerResolutionLink : 0y0
+0x274 ExitStatus : 0n259 // 259 (STILL_ACTIVE) while running; any other value means the process has exited
+0x278 VadRoot : _MM_AVL_TABLE
+0x298 AlpcContext : _ALPC_PROCESS_CONTEXT
+0x2a8 TimerResolutionLink : _LIST_ENTRY [ 0x0 - 0x0 ]
+0x2b0 RequestedTimerResolution : 0
+0x2b4 ActiveThreadsHighWatermark : 6
+0x2b8 SmallestTimerResolution : 0
+0x2bc TimerResolutionStackRecord : (null)
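The dt dumps on this page (KPCR, KPROCESS, EPROCESS, and the thread structures below) are where every hard-coded offset used later comes from: EPROCESS - 0x18 for the object header, +0x0f for its Flags, UniqueProcessId + 4 for ActiveProcessLinks. The following user-mode C program is an added example, not code from the original notes: it parses dt output into an offset table and checks the UniqueProcessId/ActiveProcessLinks adjacency that section 4.8 relies on, so offsets can be generated from a symbol dump of the target build instead of typed in by hand. The sample dump is constructed from lines of the dumps above (plus one bitfield line from the KPROCESS dump); the parser and the helper names (`dt_field`, `parse_dt_dump`, `dt_offset_of`, `check_active_links_adjacent`) are mine.

```c
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One parsed "+0xOFF Name : Type" line from WinDbg's dt output. */
typedef struct {
    unsigned offset;      /* byte offset of the field (or of the DWORD holding a bitfield) */
    char     name[64];
    int      is_bitfield; /* 1 when the type column reads "Pos N, M Bit(s)" */
    unsigned bit_pos;
    unsigned bit_len;
} dt_field;

/* Parse one line. Returns 1 for a field line, 0 for "kd>" prompts, type names, blanks. */
static int parse_dt_line(const char *line, dt_field *out) {
    unsigned off, pos, len;
    char name[64], rest[256];
    /* Handles both the bare form "+0x0b4 UniqueProcessId : Ptr32 Void" and the
       instance form "+0x0b4 UniqueProcessId : 0x00000cb8 Void". */
    if (sscanf(line, " +0x%x %63s : %255[^\n]", &off, name, rest) != 3)
        return 0;
    memset(out, 0, sizeof *out);
    out->offset = off;
    strncpy(out->name, name, sizeof out->name - 1);
    if (sscanf(rest, "Pos %u, %u Bit", &pos, &len) == 2) {
        out->is_bitfield = 1;
        out->bit_pos = pos;
        out->bit_len = len;
    }
    return 1;
}

/* Parse a whole dump (newline-separated). Returns the number of fields stored (at most cap). */
static size_t parse_dt_dump(const char *dump, dt_field *fields, size_t cap) {
    size_t n = 0;
    const char *p = dump;
    while (*p && n < cap) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[320];
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        if (parse_dt_line(line, &fields[n])) n++;
        p = nl ? nl + 1 : p + len;
    }
    return n;
}

/* Offset of a field by name, or -1 if the dump lacks it. Deliberately does not guess:
   using an offset for a build that lacks the field is how DKOM code corrupts memory. */
static long dt_offset_of(const dt_field *fields, size_t n, const char *name) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(fields[i].name, name) == 0) return (long)fields[i].offset;
    return -1;
}

/* Section 4.8 assumes ActiveProcessLinks == UniqueProcessId + sizeof(PVOID).
   Verify that against the symbols instead of trusting it (ptr_size 4 for x86, 8 for x64). */
static int check_active_links_adjacent(const dt_field *f, size_t n, unsigned ptr_size) {
    long pid = dt_offset_of(f, n, "UniqueProcessId");
    long links = dt_offset_of(f, n, "ActiveProcessLinks");
    return pid >= 0 && links >= 0 && (unsigned)(pid + ptr_size) == (unsigned)links;
}

/* Constructed sample: lines copied from the EPROCESS and KPROCESS dumps above. */
static const char *sample_dump =
    "kd> dt _EPROCESS 88079d40\n"
    "ntdll!_EPROCESS\n"
    "+0x000 Pcb : _KPROCESS\n"
    "+0x0b4 UniqueProcessId : 0x00000cb8 Void\n"
    "+0x0b8 ActiveProcessLinks : _LIST_ENTRY [ 0x83f59c88 - 0x88067540 ]\n"
    "+0x0f4 ObjectTable : 0xa4738a78 _HANDLE_TABLE\n"
    "+0x16c ImageFileName : [15] \"notepad.exe\"\n"
    "+0x05c DisableQuantum : Pos 2, 1 Bit\n";

int main(void) {
    dt_field fields[64];
    size_t n = parse_dt_dump(sample_dump, fields, 64);
    for (size_t i = 0; i < n; i++) {
        if (fields[i].is_bitfield)
            printf("+0x%03x %-20s bit %u, %u bit(s)\n", fields[i].offset, fields[i].name,
                   fields[i].bit_pos, fields[i].bit_len);
        else
            printf("+0x%03x %s\n", fields[i].offset, fields[i].name);
    }
    printf("ActiveProcessLinks == UniqueProcessId + 4: %s\n",
           check_active_links_adjacent(fields, n, 4) ? "yes" : "no");
    return 0;
}
```

Feed it the output of `dt nt!_EPROCESS` from the debugger attached to the build you actually target; if `dt_offset_of` returns -1 for a field, the code that depends on that offset must refuse to run rather than fall back to a number from another build.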
4.6. OBJECT_HEADER
Every EPROCESS, like every other kernel object, is immediately preceded by an _OBJECT_HEADER:
- Location: EPROCESS address - 0x18 on x86 (sizeof(_OBJECT_HEADER) is 0x18 there; on x64 it is 0x30, with Flags at +0x1b).
- Flags: setting bit 0x04 (KernelOnlyAccess) in OBJECT_HEADER.Flags protects the process. With that bit set the object manager refuses to create a handle to the object for a user-mode caller, so OpenProcess from ring 3 fails and Task Manager or taskkill can no longer open, let alone terminate, the process. Kernel-mode callers are unaffected.
kd> dt _OBJECT_HEADER 88079d40-0x18
nt!_OBJECT_HEADER
+0x000 PointerCount : 0n54 // reference count
+0x004 HandleCount : 0n3 // number of open handles
+0x004 NextToFree : 0x00000003 Void
+0x008 Lock : _EX_PUSH_LOCK
+0x00c TypeIndex : 0x7 '' // object type (index into ObTypeIndexTable; a Process object here, since the header belongs to an EPROCESS)
+0x00d TraceFlags : 0 ''
+0x00e InfoMask : 0x8 ''
+0x00f Flags : 0 '' // OR in 0x04 (KernelOnlyAccess) to protect the process
+0x010 ObjectCreateInfo : 0x87acf1c0 _OBJECT_CREATE_INFORMATION
+0x010 QuotaBlockCharged : 0x87acf1c0 Void
+0x014 SecurityDescriptor : 0x8ce7aeca Void
+0x018 Body : _QUAD // the object itself (the EPROCESS) starts here
Setting the bit from the debugger (eb writes the whole byte; 4 is fine here only because Flags was 0):
kd> eb 88079d40-0x18+f 4
kd> g
4.7. Protecting a process
DriverEntry.c
#include <ntifs.h>

// Exported by ntoskrnl but not declared in the public headers. Returns the
// 15-character EPROCESS.ImageFileName, so "Dbgview.exe" fits but longer names are truncated.
NTKERNELAPI PCHAR NTAPI PsGetProcessImageFileName(PEPROCESS Process);

// Set bit 0x04 (KernelOnlyAccess) in the OBJECT_HEADER.Flags of the process object.
// Offsets are for Windows 7: header size 0x18 / Flags at +0x0f on x86,
// header size 0x30 / Flags at +0x1b on x64. Poking the object header directly is
// version-specific and unsupported; check the offsets against dt on the target build.
VOID SetProcessFlags(PEPROCESS Process)
{
    PUCHAR ObjectHeader = NULL;
#ifdef _WIN64
    ObjectHeader = (PUCHAR)Process - 0x30;
    *(ObjectHeader + 0x1b) |= 4;
#else
    ObjectHeader = (PUCHAR)Process - 0x18;
    *(ObjectHeader + 0xf) |= 4;
#endif
}

// Clear the bit again so the process can be opened normally after the driver unloads.
VOID CloseProcessFlags(PEPROCESS Process)
{
    PUCHAR ObjectHeader = NULL;
#ifdef _WIN64
    ObjectHeader = (PUCHAR)Process - 0x30;
    *(ObjectHeader + 0x1b) &= ~4;
#else
    ObjectHeader = (PUCHAR)Process - 0x18;
    *(ObjectHeader + 0xf) &= ~4;
#endif
}

// Walk the possible PIDs (always multiples of 4) and return a referenced EPROCESS
// whose image name matches, or NULL. The caller must ObDereferenceObject the result.
PEPROCESS FindProcessByName(const char* name)
{
    PEPROCESS findProcess = NULL;
    for (ULONG i = 4; i < 0x1000000; i += 4)
    {
        PEPROCESS Process = NULL;
        // Look the process object up by PID; on success it comes back referenced.
        NTSTATUS status = PsLookupProcessByProcessId((HANDLE)(ULONG_PTR)i, &Process);
        if (!NT_SUCCESS(status))
        {
            continue;
        }
        PCHAR processName = PsGetProcessImageFileName(Process);
        if (processName && _stricmp(processName, name) == 0)
        {
            findProcess = Process;   // keep the reference for the caller
            break;
        }
        ObDereferenceObject(Process); // drop the reference taken by PsLookupProcessByProcessId
    }
    return findProcess;
}

VOID DriverUnload(PDRIVER_OBJECT pDriver)
{
    UNREFERENCED_PARAMETER(pDriver);
    PEPROCESS Process = FindProcessByName("Dbgview.exe");
    if (!Process)
    {
        return; // already gone; nothing to restore
    }
    CloseProcessFlags(Process);
    ObDereferenceObject(Process);
}

NTSTATUS DriverEntry(PDRIVER_OBJECT pDriver, PUNICODE_STRING pReg)
{
    UNREFERENCED_PARAMETER(pReg);
    PEPROCESS Process = FindProcessByName("Dbgview.exe");
    if (!Process)
    {
        return STATUS_UNSUCCESSFUL;
    }
    SetProcessFlags(Process);
    // The flag lives in the object header, so the reference is no longer needed;
    // holding on to it would keep the EPROCESS alive forever after the process exits.
    ObDereferenceObject(Process);
    pDriver->DriverUnload = DriverUnload;
    return STATUS_SUCCESS;
}
4.8. Unlinking a process from the active process list
Locate UniqueProcessId with a byte signature first; ActiveProcessLinks follows it, so +4 gives its offset. Process enumeration (NtQuerySystemInformation, and therefore Task Manager and similar tools) walks the ActiveProcessLinks list from PsActiveProcessHead, so a process whose entry has been removed disappears from those listings while its threads keep running: the scheduler works from the thread lists, and PID lookups go through the PspCidTable handle table, neither of which consults this list. That is also how it is detected: enumerate processes through another view (the PID table, the per-process thread lists, or a pool scan for process objects) and diff it against the list walk.
kd> dt _EPROCESS
ntdll!_EPROCESS
+0x000 Pcb : _KPROCESS
+0x098 ProcessLock : _EX_PUSH_LOCK
+0x0a0 CreateTime : _LARGE_INTEGER
+0x0a8 ExitTime : _LARGE_INTEGER
+0x0b0 RundownProtect : _EX_RUNDOWN_REF
+0x0b4 UniqueProcessId : Ptr32 Void
+0x0b8 ActiveProcessLinks : _LIST_ENTRY
DriverEntry.c
#include <ntifs.h>

// Return a referenced EPROCESS whose full image path contains `name`
// (compared upper-case, so pass L"DBGVIEW.EXE"), or NULL. The caller must
// ObDereferenceObject the result.
PEPROCESS FindProcessByName(PCWSTR name)
{
    PEPROCESS findProcess = NULL;
    for (ULONG i = 8; i < 0x1000000; i += 4)
    {
        PEPROCESS Process = NULL;
        NTSTATUS status = PsLookupProcessByProcessId((HANDLE)(ULONG_PTR)i, &Process);
        if (!NT_SUCCESS(status))
        {
            continue;
        }
        // Full NT path of the image (\Device\HarddiskVolumeN\...\Dbgview.exe).
        // Unlike the 15-byte EPROCESS.ImageFileName it is not truncated. The
        // UNICODE_STRING and its buffer are one pool allocation that we must free.
        PUNICODE_STRING ProcessName = NULL;
        status = SeLocateProcessImageName(Process, &ProcessName);
        if (!NT_SUCCESS(status))
        {
            ObDereferenceObject(Process);
            continue;
        }
        if (ProcessName->Length && ProcessName->Buffer &&
            ProcessName->MaximumLength > ProcessName->Length)
        {
            // A UNICODE_STRING need not be NUL-terminated; terminate it before using wcs* on it.
            ProcessName->Buffer[ProcessName->Length / sizeof(WCHAR)] = L'\0';
            _wcsupr(ProcessName->Buffer); // case-insensitive match
            if (wcsstr(ProcessName->Buffer, name) != NULL)
            {
                findProcess = Process; // keep the reference for the caller
                ExFreePool(ProcessName);
                break;
            }
        }
        ExFreePool(ProcessName);
        ObDereferenceObject(Process);
    }
    return findProcess;
}

// On x86 Windows 7, PsGetProcessId is
//     mov eax, [esp+4]
//     mov eax, [eax+0B4h]      ; 8B 80 B4 00 00 00
//     ret
// The disp32 after the 8B 80 opcode is the offset of EPROCESS.UniqueProcessId, and
// ActiveProcessLinks immediately follows it (+4). This is x86-only: on x64 the
// instruction is encoded differently and the pointer is 8 bytes, and the layout
// changes between builds, so the result should be checked against dt before use.
ULONG GetProcessActiveProcessLinkOffset(void)
{
    static ULONG offset = 0;
    if (offset) return offset;
    UNICODE_STRING Name;
    RtlInitUnicodeString(&Name, L"PsGetProcessId");
    PUCHAR func = (PUCHAR)MmGetSystemRoutineAddress(&Name);
    if (!func) return 0;
    for (int i = 0; i < 100; i++)
    {
        if (func[i] == 0x8b && func[i + 1] == 0x80)
        {
            // UniqueProcessId offset + 4 == ActiveProcessLinks
            offset = *(PULONG)(func + i + 2) + 4;
            break;
        }
    }
    return offset; // 0 if the signature was not found
}

VOID DriverUnload(PDRIVER_OBJECT pDriver)
{
    UNREFERENCED_PARAMETER(pDriver);
    // The process is not relinked on unload. Because its entry was reinitialised as an
    // empty list, the RemoveEntryList the kernel performs on process exit stays harmless.
}

NTSTATUS DriverEntry(PDRIVER_OBJECT pDriver, PUNICODE_STRING pReg)
{
    UNREFERENCED_PARAMETER(pReg);
    pDriver->DriverUnload = DriverUnload;

    ULONG offset = GetProcessActiveProcessLinkOffset();
    if (!offset)
    {
        return STATUS_NOT_FOUND; // signature not found: do not guess an offset
    }
    PEPROCESS Process = FindProcessByName(L"DBGVIEW.EXE");
    if (!Process)
    {
        return STATUS_NOT_FOUND;
    }
    PLIST_ENTRY Links = (PLIST_ENTRY)((PUCHAR)Process + offset);
    // No lock is taken here (the kernel uses PspActiveProcessMutex); a process being
    // created or exiting at the same moment could race with these two pointer writes.
    RemoveEntryList(Links);    // unlink from PsActiveProcessHead
    InitializeListHead(Links); // Flink/Blink point at the entry itself, so later list operations on it are safe
    ObDereferenceObject(Process);
    return STATUS_SUCCESS;
}
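The driver above only makes sense against live kernel memory in a test VM. The following user-mode C program is an added example, not part of the original notes, and models the three pieces on constructed data so they can be run anywhere: the 8B 80 signature scan over a byte string that reproduces the x86 Windows 7 PsGetProcessId (mov eax,[esp+4]; mov eax,[eax+0B4h]; ret), the RemoveEntryList/InitializeListHead unlink on a LIST_ENTRY at the derived offset, and the cross-view check a detector uses to find the hidden entry: any PID that a table lookup knows but the list walk never reaches. The `FakeEprocess` layout, the PID table and the byte string are constructed; the LIST_ENTRY helpers mirror the ntddk.h macros.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal LIST_ENTRY and the three ntddk list helpers the driver relies on. */
typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;
static void InitializeListHead(LIST_ENTRY *h) { h->Flink = h->Blink = h; }
static void InsertTailList(LIST_ENTRY *h, LIST_ENTRY *e) {
    e->Flink = h; e->Blink = h->Blink; h->Blink->Flink = e; h->Blink = e;
}
static void RemoveEntryList(LIST_ENTRY *e) {
    e->Blink->Flink = e->Flink; e->Flink->Blink = e->Blink;
}

/* Constructed bytes of x86 Windows 7 PsGetProcessId:
   mov eax,[esp+4] ; mov eax,[eax+0B4h] ; ret */
static const uint8_t ps_get_process_id[] = {
    0x8B, 0x44, 0x24, 0x04,             /* mov eax, [esp+4]    */
    0x8B, 0x80, 0xB4, 0x00, 0x00, 0x00, /* mov eax, [eax+0B4h] */
    0xC3                                /* ret                 */
};

/* Same scan as GetProcessActiveProcessLinkOffset, bounds-checked: returns the
   UniqueProcessId offset + 4, or 0 when no 8B 80 signature is present. */
static uint32_t active_links_offset(const uint8_t *code, size_t len) {
    for (size_t i = 0; i + 6 <= len; i++) {
        if (code[i] == 0x8B && code[i + 1] == 0x80) {
            uint32_t disp;
            memcpy(&disp, code + i + 2, 4); /* little-endian disp32 */
            return disp + 4;
        }
    }
    return 0;
}

/* Constructed stand-in for EPROCESS: only the two fields the trick touches, at the Win7 x86 offsets. */
typedef struct {
    uint8_t    pad[0xB4];
    uint32_t   UniqueProcessId;    /* +0xB4 */
    LIST_ENTRY ActiveProcessLinks; /* +0xB8 */
} FakeEprocess;
_Static_assert(offsetof(FakeEprocess, ActiveProcessLinks) == 0xB8, "layout must match the scanned offset");

#define NPROC 4
static FakeEprocess procs[NPROC];          /* stands in for the PID table (PspCidTable) */
static LIST_ENTRY   PsActiveProcessHead;

static void build_process_list(void) {
    InitializeListHead(&PsActiveProcessHead);
    for (int i = 0; i < NPROC; i++) {
        procs[i].UniqueProcessId = 4u * (i + 1); /* PIDs 4, 8, 12, 16 */
        InsertTailList(&PsActiveProcessHead, &procs[i].ActiveProcessLinks);
    }
}

/* What the driver does: unlink the entry and make it self-referential. */
static void hide_process(FakeEprocess *p, uint32_t links_offset) {
    LIST_ENTRY *links = (LIST_ENTRY *)((uint8_t *)p + links_offset);
    RemoveEntryList(links);
    InitializeListHead(links);
}

/* View 1: walk PsActiveProcessHead, as NtQuerySystemInformation does. */
static int count_listed(void) {
    int n = 0;
    for (LIST_ENTRY *e = PsActiveProcessHead.Flink; e != &PsActiveProcessHead; e = e->Flink) n++;
    return n;
}

/* View 2: a PID-table lookup independent of the list (PsLookupProcessByProcessId's role). */
static FakeEprocess *lookup_by_pid(uint32_t pid) {
    for (int i = 0; i < NPROC; i++)
        if (procs[i].UniqueProcessId == pid) return &procs[i];
    return NULL;
}

/* Cross-view detection: the first PID the table knows but the list walk never reaches,
   or 0 when both views agree. */
static uint32_t find_hidden_pid(void) {
    for (uint32_t pid = 4; pid <= 4u * NPROC; pid += 4) {
        FakeEprocess *p = lookup_by_pid(pid);
        if (!p) continue;
        int seen = 0;
        for (LIST_ENTRY *e = PsActiveProcessHead.Flink; e != &PsActiveProcessHead; e = e->Flink)
            if (e == &p->ActiveProcessLinks) seen = 1;
        if (!seen) return pid;
    }
    return 0;
}

int main(void) {
    uint32_t off = active_links_offset(ps_get_process_id, sizeof ps_get_process_id);
    printf("ActiveProcessLinks offset from signature: 0x%x\n", off);
    build_process_list();
    printf("listed before: %d, hidden pid: %u\n", count_listed(), find_hidden_pid());
    hide_process(lookup_by_pid(12), off);
    printf("listed after:  %d, hidden pid: %u\n", count_listed(), find_hidden_pid());
    return 0;
}
```

The detection side is the part worth keeping: a list walk alone cannot see what was removed from the list, so a forensic tool compares at least two independent views (here the PID table against the active list; in practice also the thread lists and pool tags) and treats any disagreement as a hidden object.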
4.9. KTHREAD
kd> dt _KTHREAD 85ff6488
nt!_KTHREAD
+0x000 Header : _DISPATCHER_HEADER
+0x010 CycleTime : 0x19b25
+0x018 HighCycleTime : 0
+0x020 QuantumTarget : 0xded7d91 // cycle count at which the current quantum ends
+0x028 InitialStack : 0xa4ea7ed0 Void
+0x02c StackLimit : 0xa4ea5000 Void
+0x030 KernelStack : 0xa4ea7a60 Void
+0x034 ThreadLock : 0
+0x038 WaitRegister : _KWAIT_STATUS_REGISTER
+0x039 Running : 0 '' // currently running on a processor?
+0x03a Alerted : [2] "" // alerted flag, one per mode (kernel/user)
+0x03c KernelStackResident : 0y1 // kernel stack is resident (not swapped out)
+0x03c ReadyTransition : 0y0
+0x03c ProcessReadyQueue : 0y0
+0x03c WaitNext : 0y0
+0x03c SystemAffinityActive : 0y0
+0x03c Alertable : 0y1 // the current wait is alertable
+0x03c GdiFlushActive : 0y0
+0x03c UserStackWalkActive : 0y0
+0x03c ApcInterruptRequest : 0y0 // an APC interrupt has been requested
+0x03c ForceDeferSchedule : 0y0
+0x03c QuantumEndMigrate : 0y0
+0x03c UmsDirectedSwitchEnable : 0y0
+0x03c TimerActive : 0y1
+0x03c SystemThread : 0y0 // 1 for a kernel (system) thread
+0x03c Reserved : 0y000000000000000000 (0)
+0x03c MiscFlags : 0n4129
+0x040 ApcState : _KAPC_STATE // APC state (APC queues and the process the thread is attached to)
+0x040 ApcStateFill : [23] "???"
+0x057 Priority : 10 '' // current priority; a higher number means higher priority. Normal-class threads start at 8
+0x058 NextProcessor : 0
+0x05c DeferredProcessor : 0
+0x060 ApcQueueLock : 0
+0x064 ContextSwitches : 3 // number of context switches this thread has gone through
+0x068 State : 0x5 '' // thread state (5 = Waiting)
+0x069 NpxState : 0 ''
+0x06a WaitIrql : 0 ''
+0x06b WaitMode : 1 ''
+0x06c WaitStatus : 0n-2048370368
+0x070 WaitBlockList : 0x85ff6548 _KWAIT_BLOCK
+0x074 WaitListEntry : _LIST_ENTRY [ 0x87df395c - 0x8643e62c ]
+0x074 SwapListEntry : _SINGLE_LIST_ENTRY
+0x07c Queue : 0x85e62900 _KQUEUE
+0x080 WaitTime : 0x5a905
+0x084 KernelApcDisable : 0n0
+0x086 SpecialApcDisable : 0n0
+0x084 CombinedApcDisable : 0
+0x088 Teb : 0x7ffd3000 Void // TEB
+0x090 Timer : _KTIMER // timer used for timed waits
+0x0b8 AutoAlignment : 0y0
+0x0b8 DisableBoost : 0y0
+0x0b8 EtwStackTraceApc1Inserted : 0y0
+0x0b8 EtwStackTraceApc2Inserted : 0y0
+0x0b8 CalloutActive : 0y0
+0x0b8 ApcQueueable : 0y1
+0x0b8 EnableStackSwap : 0y1
+0x0b8 GuiThread : 0y0
+0x0b8 UmsPerformingSyscall : 0y0
+0x0b8 VdmSafe : 0y0
+0x0b8 UmsDispatched : 0y0
+0x0b8 ReservedFlags : 0y000000000000000000000 (0)
+0x0b8 ThreadFlags : 0n96
+0x0bc ServiceTable : 0x83f71b00 Void
+0x0c0 WaitBlock : [4] _KWAIT_BLOCK
+0x120 QueueListEntry : _LIST_ENTRY [ 0x85e62920 - 0x85e62920 ]
+0x128 TrapFrame : 0xa4ea7c34 _KTRAP_FRAME
+0x12c FirstArgument : 0x0000018c Void
+0x130 CallbackStack : (null)
+0x130 CallbackDepth : 0
+0x134 ApcStateIndex : 0 ''
+0x135 BasePriority : 8 ''
+0x136 PriorityDecrement : 2 ''
+0x136 ForegroundBoost : 0y0010
+0x136 UnusualBoost : 0y0000
+0x137 Preempted : 0 '' // thread was preempted
+0x138 AdjustReason : 0 ''
+0x139 AdjustIncrement : 0 ''
+0x13a PreviousMode : 1 ''
+0x13b Saturation : 0 ''
+0x13c SystemCallNumber : 0x188
+0x140 FreezeCount : 0
+0x144 UserAffinity : _GROUP_AFFINITY
+0x150 Process : 0x85d70030 _KPROCESS // the process this thread belongs to
+0x154 Affinity : _GROUP_AFFINITY
+0x160 IdealProcessor : 0
+0x164 UserIdealProcessor : 0
+0x168 ApcStatePointer : [2] 0x85ff64c8 _KAPC_STATE
+0x170 SavedApcState : _KAPC_STATE
+0x170 SavedApcStateFill : [23] ""
+0x187 WaitReason : 0xf ''
+0x188 SuspendCount : 0 ''
+0x189 Spare1 : 0 ''
+0x18a OtherPlatformFill : 0 ''
+0x18c Win32Thread : (null)
+0x190 StackBase : 0xa4ea8000 Void
+0x194 SuspendApc : _KAPC
+0x194 SuspendApcFill0 : [1] "???"
+0x195 ResourceIndex : 0 ''
+0x194 SuspendApcFill1 : [3] "???"
+0x197 QuantumReset : 0x12 ''
+0x194 SuspendApcFill2 : [4] "???"
+0x198 KernelTime : 0
+0x194 SuspendApcFill3 : [36] "???"
+0x1b8 WaitPrcb : 0x83f32d20 _KPRCB
+0x194 SuspendApcFill4 : [40] "???"
+0x1bc LegoData : (null)
+0x194 SuspendApcFill5 : [47] "???"
+0x1c3 LargeStack : 0 ''
+0x1c4 UserTime : 0
+0x1c8 SuspendSemaphore : _KSEMAPHORE
+0x1c8 SuspendSemaphorefill : [20] "???"
+0x1dc SListFaultCount : 0
+0x1e0 ThreadListEntry : _LIST_ENTRY [ 0x85d7005c - 0x86506210 ] // links into KPROCESS.ThreadListHead (all threads of the process)
+0x1e8 MutantListHead : _LIST_ENTRY [ 0x85ff6670 - 0x85ff6670 ]
+0x1f0 SListFaultAddress : (null)
+0x1f4 ThreadCounters : (null)
+0x1f8 XStateSave : (null)
The three kernel-stack fields:
+0x028 InitialStack : 0xa4ea7ed0 Void // top of the kernel stack (the trap frame sits just below it)
+0x02c StackLimit : 0xa4ea5000 Void // lowest address of the kernel stack
+0x030 KernelStack : 0xa4ea7a60 Void // saved kernel stack pointer while the thread is not running
4.10. ETHREAD
kd> dt _ETHREAD 85ff6488
nt!_ETHREAD
+0x000 Tcb : _KTHREAD
+0x200 CreateTime : _LARGE_INTEGER 0x01d88d5d`48ab4db8
+0x208 ExitTime : _LARGE_INTEGER 0x85ff6690`85ff6690
+0x208 KeyedWaitChain : _LIST_ENTRY [ 0x85ff6690 - 0x85ff6690 ]
+0x210 ExitStatus : 0n0
+0x214 PostBlockList : _LIST_ENTRY [ 0x0 - 0x77307098 ]
+0x214 ForwardLinkShadow : (null)
+0x218 StartAddress : 0x77307098 Void // where the thread actually starts: ntdll's thread start routine for user threads, a kernel routine for system threads
+0x21c TerminationPort : (null)
+0x21c ReaperLink : (null)
+0x21c KeyedWaitValue : (null)
+0x220 ActiveTimerListLock : 0
+0x224 ActiveTimerListHead : _LIST_ENTRY [ 0x85ff66ac - 0x85ff66ac ]
+0x22c Cid : _CLIENT_ID // process ID and thread ID
+0x234 KeyedWaitSemaphore : _KSEMAPHORE
+0x234 AlpcWaitSemaphore : _KSEMAPHORE
+0x248 ClientSecurity : _PS_CLIENT_SECURITY_CONTEXT
+0x24c IrpList : _LIST_ENTRY [ 0x85ff66d4 - 0x85ff66d4 ]
+0x254 TopLevelIrp : 0
+0x258 DeviceToVerify : (null)
+0x25c CpuQuotaApc : (null)
+0x260 Win32StartAddress : 0x772f03e7 Void // the start routine the caller passed to CreateThread
+0x264 LegacyPowerObject : (null)
+0x268 ThreadListEntry : _LIST_ENTRY [ 0x85d701b8 - 0x86506298 ]
+0x270 RundownProtect : _EX_RUNDOWN_REF
+0x274 ThreadLock : _EX_PUSH_LOCK
+0x278 ReadClusterSize : 7
+0x27c MmLockOrdering : 0n0
+0x280 CrossThreadFlags : 0xa802
+0x280 Terminated : 0y0
+0x280 ThreadInserted : 0y1
+0x280 HideFromDebugger : 0y0
+0x280 ActiveImpersonationInfo : 0y0
+0x280 Reserved : 0y0
+0x280 HardErrorsAreDisabled : 0y0
+0x280 BreakOnTermination : 0y0 // critical thread: terminating it bugchecks the system (CRITICAL_OBJECT_TERMINATION). A blunt "protection": the thread cannot be killed without taking the OS down
+0x280 SkipCreationMsg : 0y0
+0x280 SkipTerminationMsg : 0y0
+0x280 CopyTokenOnOpen : 0y0
+0x280 ThreadIoPriority : 0y010
+0x280 ThreadPagePriority : 0y101
+0x280 RundownFail : 0y0
+0x280 NeedsWorkingSetAging : 0y0
+0x284 SameThreadPassiveFlags : 0
+0x284 ActiveExWorker : 0y0
+0x284 ExWorkerCanWaitUser : 0y0
+0x284 MemoryMaker : 0y0
+0x284 ClonedThread : 0y0
+0x284 KeyedEventInUse : 0y0
+0x284 RateApcState : 0y00
+0x284 SelfTerminate : 0y0
+0x288 SameThreadApcFlags : 0
+0x288 Spare : 0y0
+0x288 StartAddressInvalid : 0y0
+0x288 EtwPageFaultCalloutActive : 0y0
+0x288 OwnsProcessWorkingSetExclusive : 0y0
+0x288 OwnsProcessWorkingSetShared : 0y0
+0x288 OwnsSystemCacheWorkingSetExclusive : 0y0
+0x288 OwnsSystemCacheWorkingSetShared : 0y0
+0x288 OwnsSessionWorkingSetExclusive : 0y0
+0x289 OwnsSessionWorkingSetShared : 0y0
+0x289 OwnsProcessAddressSpaceExclusive : 0y0
+0x289 OwnsProcessAddressSpaceShared : 0y0
+0x289 SuppressSymbolLoad : 0y0
+0x289 Prefetching : 0y0
+0x289 OwnsDynamicMemoryShared : 0y0
+0x289 OwnsChangeControlAreaExclusive : 0y0
+0x289 OwnsChangeControlAreaShared : 0y0
+0x28a OwnsPagedPoolWorkingSetExclusive : 0y0
+0x28a OwnsPagedPoolWorkingSetShared : 0y0
+0x28a OwnsSystemPtesWorkingSetExclusive : 0y0
+0x28a OwnsSystemPtesWorkingSetShared : 0y0
+0x28a TrimTrigger : 0y00
+0x28a Spare1 : 0y00
+0x28b PriorityRegionActive : 0 ''
+0x28c CacheManagerActive : 0 ''
+0x28d DisablePageFaultClustering : 0 ''
+0x28e ActiveFaultCount : 0 ''
+0x28f LockOrderState : 0 ''
+0x290 AlpcMessageId : 0
+0x294 AlpcMessage : (null)
+0x294 AlpcReceiveAttributeSet : 0
+0x298 AlpcWaitListEntry : _LIST_ENTRY [ 0x0 - 0x0 ]
+0x2a0 CacheManagerCount : 0
+0x2a4 IoBoostCount : 0
+0x2a8 IrpListLock : 0
+0x2ac ReservedForSynchTracking : (null)
+0x2b0 CmCallbackListHead : _SINGLE_LIST_ENTRY
+0x2b4 KernelStackReference : 1
Cid
+0x22c Cid : _CLIENT_ID
kd> dt _CLIENT_ID
nt!_CLIENT_ID
+0x000 UniqueProcess : Ptr32 Void // PID of the process that owns this thread
+0x004 UniqueThread : Ptr32 Void // this thread's ID (TID)
4.11. Finding a ready thread
+0x074 WaitListEntry : _LIST_ENTRY // while a thread is Ready, this entry links it into the per-processor ready list for its priority
dt nt!_KPRCB
// 32 list heads, one per priority level, matching the 32 bits of the ready summary. Bit N set in ReadySummary means list N holds at least one ready thread.
+0x3220 DispatcherReadyListHead : [32] _LIST_ENTRY
// ready summary bitmap: 32 bits, one per priority
+0x31ec ReadySummary : Uint4B
To reverse KiFindReadyThread, first press x on it (cross-references) to get into KiSearchForNewThread and identify the three arguments it passes to KiFindReadyThread; then analyze KiFindReadyThread itself.
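The two KPRCB fields above are the whole data structure behind KiFindReadyThread: 32 ready lists and a 32-bit summary of which ones are non-empty. The following user-mode C program is an added example, not part of the original notes and not the kernel's code: it models those two fields plus the KTHREAD.WaitListEntry/Priority pair and implements the selection in miniature, taking the highest set bit of ReadySummary at or above a given priority, popping the head of that list, and clearing the bit once the list runs dry. `Thread` and `Prcb` are constructed stand-ins; the real routine also deals with affinity, the ideal processor and the deferred-ready list, which are left out here.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* LIST_ENTRY and the ntddk helpers the dispatcher ready queues use. */
typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;
static void InitializeListHead(LIST_ENTRY *h) { h->Flink = h->Blink = h; }
static int  IsListEmpty(const LIST_ENTRY *h) { return h->Flink == h; }
static void InsertTailList(LIST_ENTRY *h, LIST_ENTRY *e) {
    e->Flink = h; e->Blink = h->Blink; h->Blink->Flink = e; h->Blink = e;
}
static void RemoveEntryList(LIST_ENTRY *e) {
    e->Blink->Flink = e->Flink; e->Flink->Blink = e->Blink;
}

/* Constructed stand-in for KTHREAD: only the fields the ready-queue logic touches. */
typedef struct {
    LIST_ENTRY WaitListEntry; /* links into DispatcherReadyListHead[Priority] while Ready */
    uint8_t    Priority;      /* 0..31 */
    int        id;
} Thread;

/* Constructed stand-in for the two KPRCB fields quoted above. */
typedef struct {
    uint32_t   ReadySummary;                 /* bit N set <=> DispatcherReadyListHead[N] is non-empty */
    LIST_ENTRY DispatcherReadyListHead[32];
} Prcb;

static void prcb_init(Prcb *p) {
    p->ReadySummary = 0;
    for (int i = 0; i < 32; i++) InitializeListHead(&p->DispatcherReadyListHead[i]);
}

/* Making a thread ready: queue it at the tail of its priority list and
   publish the priority in the summary bitmap. */
static void ready_thread(Prcb *p, Thread *t) {
    InsertTailList(&p->DispatcherReadyListHead[t->Priority], &t->WaitListEntry);
    p->ReadySummary |= 1u << t->Priority;
}

/* Index of the highest set bit (what x86 bsr does). Caller guarantees v != 0. */
static int highest_bit(uint32_t v) {
    int b = 31;
    while (!(v & (1u << b))) b--;
    return b;
}

/* KiFindReadyThread in miniature: consider only priorities >= low_priority (the running
   thread's priority, or 0 if the processor is idle), take the highest non-empty list, pop
   its head and clear the summary bit when the list empties. NULL if nothing qualifies. */
static Thread *find_ready_thread(Prcb *p, int low_priority) {
    uint32_t mask = (low_priority <= 0) ? 0xFFFFFFFFu : ~((1u << low_priority) - 1u);
    uint32_t candidates = p->ReadySummary & mask;
    if (!candidates) return NULL;
    int pri = highest_bit(candidates);
    LIST_ENTRY *head = &p->DispatcherReadyListHead[pri];
    LIST_ENTRY *e = head->Flink;
    RemoveEntryList(e);
    if (IsListEmpty(head)) p->ReadySummary &= ~(1u << pri);
    /* CONTAINING_RECORD(e, Thread, WaitListEntry) */
    return (Thread *)((uint8_t *)e - offsetof(Thread, WaitListEntry));
}

int main(void) {
    Prcb prcb;
    prcb_init(&prcb);
    Thread a = { {NULL, NULL}, 8, 1 }, b = { {NULL, NULL}, 15, 2 }, c = { {NULL, NULL}, 8, 3 };
    ready_thread(&prcb, &a);
    ready_thread(&prcb, &b);
    ready_thread(&prcb, &c);
    printf("ReadySummary = 0x%08x\n", prcb.ReadySummary); /* bits 8 and 15 set */
    for (Thread *t; (t = find_ready_thread(&prcb, 0)) != NULL; )
        printf("run thread %d (priority %u)\n", t->id, t->Priority); /* 2, then 1, then 3 */
    return 0;
}
```

Two properties of the real scheduler fall out of this model: selection is O(1) in the number of ready threads (one bit scan and one list pop), and threads of equal priority run in FIFO order because ready_thread appends at the tail. When reversing KiFindReadyThread, the bsr on ReadySummary masked by the low-priority argument is the landmark to look for.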
4.12. Voluntary thread switching
posted on 2022-09-18 22:40 by zhang_derek, 134 views, 0 comments