[Software Debugging] Chapter 2: Process and Thread Experiment Notes

Process resources

Note: all the commands here were run while debugging a kernel dump (.dmp).
kd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS ffff84898203c440 // the EPROCESS (executive process block) structure in kernel space; it records the process's key information, including its creation time
SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000
DirBase: 001ad002 ObjectTable: ffffe18f2b814040 HandleCount: 2564.
Image: System

PROCESS ffff8489820c6040
SessionId: none Cid: 0078 Peb: 00000000 ParentCid: 0004
DirBase: 99d00002 ObjectTable: ffffe18f2b825b80 HandleCount: 0.
Image: Registry

PROCESS ffff84898205d040
SessionId: none Cid: 01e0 Peb: 3062840000 ParentCid: 0004
DirBase: 77100002 ObjectTable: ffffe18f2c1ab340 HandleCount: 52.
Image: smss.exe

PROCESS ffff848987825580
SessionId: 0 // Windows session id: services run in session 0, the interactive user in session 1, and switching to another user gives session 2, and so on
Cid: 02d0 // client id, i.e. the process id
Peb: 9249550000 ParentCid: 028c
DirBase: 40b000002 // page directory base address
ObjectTable: ffffe18f2da8fb40 HandleCount: 566.
Image: csrss.exe
...
kd> !process 0 0 msmpeng.exe
PROCESS ffff84898fdd72c0
SessionId: 0 Cid: 1404 Peb: ec4ed48000 ParentCid: 0398
DirBase: 431f50002 ObjectTable: ffffe18f30607c00 HandleCount: 248.
Image: MsMpEng.exe
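As an added example that is not part of these notes, the Python below parses the text of a `!process 0 0` listing into records and rebuilds the parent/child tree from Cid and ParentCid, which is the first check when a process's parent does not match what its image name suggests. The sample input is a trimmed, constructed copy of the listing above; the function names are my own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a trimmed copy of the "!process 0 0" listing shown above.
SAMPLE = """\
PROCESS ffff84898203c440
    SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 001ad002  ObjectTable: ffffe18f2b814040  HandleCount: 2564.
    Image: System

PROCESS ffff8489820c6040
    SessionId: none  Cid: 0078    Peb: 00000000  ParentCid: 0004
    DirBase: 99d00002  ObjectTable: ffffe18f2b825b80  HandleCount:   0.
    Image: Registry

PROCESS ffff84898205d040
    SessionId: none  Cid: 01e0    Peb: 3062840000  ParentCid: 0004
    DirBase: 77100002  ObjectTable: ffffe18f2c1ab340  HandleCount:  52.
    Image: smss.exe

PROCESS ffff848987825580
    SessionId: 0  Cid: 02d0    Peb: 9249550000  ParentCid: 028c
    DirBase: 40b000002  ObjectTable: ffffe18f2da8fb40  HandleCount: 566.
    Image: csrss.exe

PROCESS ffff84898fdd72c0
    SessionId: 0  Cid: 1404    Peb: ec4ed48000  ParentCid: 0398
    DirBase: 431f50002  ObjectTable: ffffe18f30607c00  HandleCount: 248.
    Image: MsMpEng.exe
"""

@dataclass
class ProcRec:
    eprocess: int   # EPROCESS address
    session: str    # SessionId; "none" for session-less kernel processes
    pid: int        # Cid
    ppid: int       # ParentCid
    handles: int    # HandleCount
    image: str
    children: list = field(default_factory=list)

HEADER = re.compile(r"^PROCESS\s+([0-9a-fA-F]+)\s*$")
PAIR = re.compile(r"(\w+):\s*(\S+)")

def parse_process_dump(text):
    """Turn '!process 0 0' text into {pid: ProcRec}; the Image: line closes a record."""
    procs, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:
            cur = {"eprocess": int(m.group(1), 16)}
            continue
        if cur is None:
            continue
        cur.update(PAIR.findall(line))
        if "Image" in cur:  # Image: is the last line of a record
            rec = ProcRec(eprocess=cur["eprocess"], session=cur["SessionId"],
                          pid=int(cur["Cid"], 16), ppid=int(cur["ParentCid"], 16),
                          handles=int(cur["HandleCount"].rstrip(".")), image=cur["Image"])
            procs[rec.pid] = rec
            cur = None
    return procs

def build_tree(procs):
    """Link children to parents by ParentCid. Returns the roots: records whose
    parent is absent from the dump (PID 0, or a parent that already exited)."""
    for rec in procs.values():
        rec.children = []
    roots = []
    for rec in procs.values():
        parent = procs.get(rec.ppid)
        if parent is None or parent is rec:
            roots.append(rec)
        else:
            parent.children.append(rec)
    return roots

def orphans(procs):
    """PIDs whose ParentCid is neither 0 nor a live process in the dump.
    csrss.exe outliving its smss.exe instance is the benign case; for anything
    else, check the image path and the token before trusting the process."""
    return sorted(r.pid for r in procs.values() if r.ppid and r.ppid not in procs)

def render(procs):
    """Indented tree, one process per line, sorted by PID within each level."""
    lines = []
    def walk(rec, depth):
        lines.append(f"{'  ' * depth}{rec.image} pid={rec.pid:#x} ppid={rec.ppid:#x} "
                     f"session={rec.session} handles={rec.handles}")
        for child in sorted(rec.children, key=lambda r: r.pid):
            walk(child, depth + 1)
    for root in sorted(build_tree(procs), key=lambda r: r.pid):
        walk(root, 0)
    return "\n".join(lines)
```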

The EPROCESS structure

kd> dt _EPROCESS ffff84898fdd72c0
nt!_EPROCESS
+0x000 Pcb : _KPROCESS // kernel process block; holds the scheduling-related information
+0x2d8 ProcessLock : _EX_PUSH_LOCK
+0x2e0 UniqueProcessId : 0x0000000000001404 Void // pid
+0x2e8 ActiveProcessLinks : _LIST_ENTRY [ 0xffff84898fdf1368 - 0xffff84898fd4b368 ]
+0x2f8 RundownProtect : _EX_RUNDOWN_REF
+0x300 Flags2 : 0xd000
+0x300 JobNotReallyActive : 0y0
+0x300 AccountingFolded : 0y0
+0x300 NewProcessReported : 0y0
+0x300 ExitProcessReported : 0y0
+0x300 ReportCommitChanges : 0y0
+0x300 LastReportMemory : 0y0
+0x300 ForceWakeCharge : 0y0
+0x300 CrossSessionCreate : 0y0
+0x300 NeedsHandleRundown : 0y0
+0x300 RefTraceEnabled : 0y0
+0x300 PicoCreated : 0y0
+0x300 EmptyJobEvaluated : 0y0
+0x300 DefaultPagePriority : 0y101
+0x300 PrimaryTokenFrozen : 0y1
+0x300 ProcessVerifierTarget : 0y0
+0x300 RestrictSetThreadContext : 0y0
+0x300 AffinityPermanent : 0y0
+0x300 AffinityUpdateEnable : 0y0
+0x300 PropagateNode : 0y0
+0x300 ExplicitAffinity : 0y0
+0x300 ProcessExecutionState : 0y00
+0x300 EnableReadVmLogging : 0y0
+0x300 EnableWriteVmLogging : 0y0
+0x300 FatalAccessTerminationRequested : 0y0
+0x300 DisableSystemAllowedCpuSet : 0y0
+0x300 ProcessStateChangeRequest : 0y00
+0x300 ProcessStateChangeInProgress : 0y0
+0x300 InPrivate : 0y0
+0x304 Flags : 0x144d0c01
+0x304 CreateReported : 0y1
+0x304 NoDebugInherit : 0y0
+0x304 ProcessExiting : 0y0 // exiting flag
+0x304 ProcessDelete : 0y0 // delete flag
+0x304 ManageExecutableMemoryWrites : 0y0
+0x304 VmDeleted : 0y0
+0x304 OutswapEnabled : 0y0
+0x304 Outswapped : 0y0
+0x304 FailFastOnCommitFail : 0y0
+0x304 Wow64VaSpace4Gb : 0y0
+0x304 AddressSpaceInitialized : 0y11
+0x304 SetTimerResolution : 0y0
+0x304 BreakOnTermination : 0y0
+0x304 DeprioritizeViews : 0y0
+0x304 WriteWatch : 0y0
+0x304 ProcessInSession : 0y1
+0x304 OverrideAddressSpace : 0y0
+0x304 HasAddressSpace : 0y1
+0x304 LaunchPrefetched : 0y1
+0x304 Background : 0y0
+0x304 VmTopDown : 0y0
+0x304 ImageNotifyDone : 0y1
+0x304 PdeUpdateNeeded : 0y0
+0x304 VdmAllowed : 0y0
+0x304 ProcessRundown : 0y0
+0x304 ProcessInserted : 0y1
+0x304 DefaultIoPriority : 0y010
+0x304 ProcessSelfDelete : 0y0
+0x304 SetTimerResolutionLink : 0y0
+0x308 CreateTime : _LARGE_INTEGER 0x01d48c6521fd25d9 // creation time
+0x310 ProcessQuotaUsage : [2] 0x3270
+0x320 ProcessQuotaPeak : [2] 0x3270
+0x330 PeakVirtualSize : 0x0000020104e00000
+0x338 VirtualSize : 0x0000020104de4000
+0x340 SessionProcessLinks : _LIST_ENTRY [ 0xffff84898fdf13c0 - 0xffff84898fd4b3c0 ]
+0x350 ExceptionPortData : 0xffff8489877e3670 Void
+0x350 ExceptionPortValue : 0xffff8489877e3670
+0x350 ExceptionPortState : 0y000
+0x358 Token : _EX_FAST_REF // token
+0x360 MmReserved : 0
+0x368 AddressCreationLock : _EX_PUSH_LOCK
+0x370 PageTableCommitmentLock : _EX_PUSH_LOCK
+0x378 RotateInProgress : (null)
+0x380 ForkInProgress : (null)
+0x388 CommitChargeJob : (null)
+0x390 CloneRoot : _RTL_AVL_TREE
+0x398 NumberOfPrivatePages : 0x219
+0x3a0 NumberOfLockedPages : 0
+0x3a8 Win32Process : 0xffff83c602259010 Void
+0x3b0 Job : (null)
+0x3b8 SectionObject : 0xffffe18f2b828bc0 Void
+0x3c0 SectionBaseAddress : 0x00007ff751b00000 Void
+0x3c8 Cookie : 0xde25a48d
+0x3d0 WorkingSetWatch : (null)
+0x3d8 Win32WindowStation : 0x000000000000004c Void
+0x3e0 InheritedFromUniqueProcessId : 0x0000000000000398 Void
+0x3e8 LdtInformation : (null)
+0x3f0 OwnerProcessId : 0x39a
+0x3f8 Peb : 0x000000ec4ed48000 _PEB // process environment block
+0x400 Session : 0xffffb800ff71c000 _MM_SESSION_SPACE
+0x408 AweInfo : (null)
+0x410 QuotaBlock : 0xfffff800063d1bc0 _EPROCESS_QUOTA_BLOCK
+0x418 ObjectTable : 0xffffe18f30607c00 _HANDLE_TABLE // object handle table
+0x420 DebugPort : (null) // user-mode debug port
+0x428 WoW64Process : (null)
+0x430 DeviceMap : 0xffffe18f2b818ad0 Void
+0x438 EtwDataSource : 0xffff84898fdc80f0 Void
+0x440 PageDirectoryPte : 0
+0x448 ImageFilePointer : 0xffff84898fd6ad50 _FILE_OBJECT
+0x450 ImageFileName : [15] "MsMpEng.exe" // image name (process name)
+0x45f PriorityClass : 0x2 ''
+0x460 SecurityPort : (null)
+0x468 SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO
+0x470 JobLinks : _LIST_ENTRY [ 0x0000000000000000 - 0x0000000000000000 ]
+0x480 HighestUserAddress : 0x00007fffffff0000 Void
+0x488 ThreadListHead : _LIST_ENTRY [ 0xffff84898fdd6728 - 0xffff848998572728 ]
+0x498 ActiveThreads : 0xa
+0x49c ImagePathHash : 0
+0x4a0 DefaultHardErrorProcessing : 0x8000
+0x4a4 LastThreadExitStatus : 0n0
+0x4a8 PrefetchTrace : _EX_FAST_REF
+0x4b0 LockedPagesList : (null)
+0x4b8 ReadOperationCount : _LARGE_INTEGER 0x4
+0x4c0 WriteOperationCount : _LARGE_INTEGER 0x0
+0x4c8 OtherOperationCount : _LARGE_INTEGER 0x89
+0x4d0 ReadTransferCount : _LARGE_INTEGER 0x5e0
+0x4d8 WriteTransferCount : _LARGE_INTEGER 0x0
+0x4e0 OtherTransferCount : _LARGE_INTEGER 0xdb8
+0x4e8 CommitChargeLimit : 0
+0x4f0 CommitCharge : 0x2e2
+0x4f8 CommitChargePeak : 0x2e2
+0x500 Vm : _MMSUPPORT_FULL
+0x610 MmProcessLinks : _LIST_ENTRY [ 0xffff84898fdf1690 - 0xffff84898fd4b690 ]
+0x620 ModifiedPageCount : 0x13
+0x624 ExitStatus : 0n259
+0x628 VadRoot : _RTL_AVL_TREE
+0x630 VadHint : 0xffff84898fd7f310 Void
+0x638 VadCount : 0x49
+0x640 VadPhysicalPages : 0
+0x648 VadPhysicalPagesLimit : 0
+0x650 AlpcContext : _ALPC_PROCESS_CONTEXT
+0x670 TimerResolutionLink : _LIST_ENTRY [ 0x0000000000000000 - 0x0000000000000000 ]
+0x680 TimerResolutionStackRecord : (null)
+0x688 RequestedTimerResolution : 0
+0x68c SmallestTimerResolution : 0
+0x690 ExitTime : _LARGE_INTEGER 0x0
+0x698 InvertedFunctionTable : (null)
+0x6a0 InvertedFunctionTableLock : _EX_PUSH_LOCK
+0x6a8 ActiveThreadsHighWatermark : 0xa
+0x6ac LargePrivateVadCount : 0
+0x6b0 ThreadListLock : _EX_PUSH_LOCK
+0x6b8 WnfContext : 0xffffe18f2b82a010 Void
+0x6c0 ServerSilo : (null)
+0x6c8 SignatureLevel : 0x37 '7'
+0x6c9 SectionSignatureLevel : 0x8 ''
+0x6ca Protection : _PS_PROTECTION
+0x6cb HangCount : 0y0000
+0x6cb GhostCount : 0y0000
+0x6cc Flags3 : 0xc000
+0x6cc Minimal : 0y0
+0x6cc ReplacingPageRoot : 0y0
+0x6cc Crashed : 0y0
+0x6cc JobVadsAreTracked : 0y0
+0x6cc VadTrackingDisabled : 0y0
+0x6cc AuxiliaryProcess : 0y0
+0x6cc SubsystemProcess : 0y0
+0x6cc IndirectCpuSets : 0y0
+0x6cc RelinquishedCommit : 0y0
+0x6cc HighGraphicsPriority : 0y0
+0x6cc CommitFailLogged : 0y0
+0x6cc ReserveFailLogged : 0y0
+0x6cc SystemProcess : 0y0
+0x6cc HideImageBaseAddresses : 0y0
+0x6cc AddressPolicyFrozen : 0y1
+0x6cc ProcessFirstResume : 0y1
+0x6cc ForegroundExternal : 0y0
+0x6cc ForegroundSystem : 0y0
+0x6cc HighMemoryPriority : 0y0
+0x6d0 DeviceAsid : 0n0
+0x6d8 SvmData : (null)
+0x6e0 SvmProcessLock : _EX_PUSH_LOCK
+0x6e8 SvmLock : 0
+0x6f0 SvmProcessDeviceListHead : _LIST_ENTRY [ 0xffff84898fdd79b0 - 0xffff84898fdd79b0 ]
+0x700 LastFreezeInterruptTime : 0
+0x708 DiskCounters : 0xffff84898fdd7b08 _PROCESS_DISK_COUNTERS
+0x710 PicoContext : (null)
+0x718 TrustletIdentity : 0
+0x720 EnclaveTable : (null)
+0x728 EnclaveNumber : 0
+0x730 EnclaveLock : _EX_PUSH_LOCK
+0x738 HighPriorityFaultsAllowed : 0
+0x740 EnergyContext : 0xffff84898fdd7b30 _PO_PROCESS_ENERGY_CONTEXT
+0x748 VmContext : (null)
+0x750 SequenceNumber : 0x79
+0x758 CreateInterruptTime : 0x7454b6c
+0x760 CreateUnbiasedInterruptTime : 0x7454b6c
+0x768 TotalUnbiasedFrozenTime : 0
+0x770 LastAppStateUpdateTime : 0x7454b6c
+0x778 LastAppStateUptime : 0y0000000000000000000000000000000000000000000000000000000000000 (0)
+0x778 LastAppState : 0y000
+0x780 SharedCommitCharge : 0x206
+0x788 SharedCommitLock : _EX_PUSH_LOCK
+0x790 SharedCommitLinks : _LIST_ENTRY [ 0xffffe18f3061d7f8 - 0xffffe18f3472e5f8 ]
+0x7a0 AllowedCpuSets : 0
+0x7a8 DefaultCpuSets : 0
+0x7a0 AllowedCpuSetsIndirect : (null)
+0x7a8 DefaultCpuSetsIndirect : (null)
+0x7b0 DiskIoAttribution : (null)
+0x7b8 DxgProcess : 0xffffe18f306d4a50 Void
+0x7c0 Win32KFilterSet : 0
+0x7c8 ProcessTimerDelay : _PS_INTERLOCKED_TIMER_DELAY_VALUES
+0x7d0 KTimerSets : 0
+0x7d4 KTimer2Sets : 0
+0x7d8 ThreadTimerSets : 2
+0x7e0 VirtualTimerListLock : 0
+0x7e8 VirtualTimerListHead : _LIST_ENTRY [ 0xffff84898fdd7aa8 - 0xffff84898fdd7aa8 ]
+0x7f8 WakeChannel : _WNF_STATE_NAME
+0x7f8 WakeInfo : _PS_PROCESS_WAKE_INFORMATION
+0x828 MitigationFlags : 0x8800a1
+0x828 MitigationFlagsValues :
+0x82c MitigationFlags2 : 0
+0x82c MitigationFlags2Values :
+0x830 PartitionObject : 0xffff8489`820ab800 Void
+0x838 SecurityDomain : 0
+0x840 CoverageSamplerContext : (null)
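As an added example (not from the original notes), the Python below decodes the raw Flags DWORD and the CreateTime value printed above for MsMpEng.exe: the bit layout is copied from the dt output of this build (it changes between Windows builds, so take it from your own dt output), and CreateTime is a FILETIME. The function names are my own.

```python
from datetime import datetime, timedelta, timezone

# Bit layout of EPROCESS.Flags (+0x304) as printed by "dt _EPROCESS" above,
# as (name, shift, width). Build-specific: copied from this dump's dt output.
EPROCESS_FLAGS = [
    ("CreateReported", 0, 1), ("NoDebugInherit", 1, 1), ("ProcessExiting", 2, 1),
    ("ProcessDelete", 3, 1), ("ManageExecutableMemoryWrites", 4, 1),
    ("VmDeleted", 5, 1), ("OutswapEnabled", 6, 1), ("Outswapped", 7, 1),
    ("FailFastOnCommitFail", 8, 1), ("Wow64VaSpace4Gb", 9, 1),
    ("AddressSpaceInitialized", 10, 2), ("SetTimerResolution", 12, 1),
    ("BreakOnTermination", 13, 1), ("DeprioritizeViews", 14, 1),
    ("WriteWatch", 15, 1), ("ProcessInSession", 16, 1),
    ("OverrideAddressSpace", 17, 1), ("HasAddressSpace", 18, 1),
    ("LaunchPrefetched", 19, 1), ("Background", 20, 1), ("VmTopDown", 21, 1),
    ("ImageNotifyDone", 22, 1), ("PdeUpdateNeeded", 23, 1), ("VdmAllowed", 24, 1),
    ("ProcessRundown", 25, 1), ("ProcessInserted", 26, 1),
    ("DefaultIoPriority", 27, 3), ("ProcessSelfDelete", 30, 1),
    ("SetTimerResolutionLink", 31, 1),
]

# Raw values copied from the MsMpEng.exe dump above.
MSMPENG_FLAGS = 0x144d0c01
MSMPENG_CREATETIME = 0x01d48c6521fd25d9


def decode_bitfield(value, layout):
    """Split a packed DWORD into named fields; widths > 1 give the 0yNN values."""
    return {name: (value >> shift) & ((1 << width) - 1) for name, shift, width in layout}


def set_bits(value, layout):
    """Names of all non-zero fields, for eyeballing a Flags value quickly."""
    return [name for name, v in decode_bitfield(value, layout).items() if v]


def filetime_to_datetime(ft):
    """CreateTime is a FILETIME: 100 ns ticks since 1601-01-01 00:00 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def process_state(flags):
    """Lifecycle verdict from the two flags the notes above single out:
    ProcessDelete (object being torn down) beats ProcessExiting (still exiting)."""
    f = decode_bitfield(flags, EPROCESS_FLAGS)
    if f["ProcessDelete"]:
        return "deleted"
    if f["ProcessExiting"]:
        return "exiting"
    return "live"
```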

Use !process [EPROCESS ADDR] to display a process's key information, taking MsMpEng as the example:

kd> !process ffff84898fdd72c0
PROCESS ffff84898fdd72c0
SessionId: 0 Cid: 1404 Peb: ec4ed48000 ParentCid: 0398
DirBase: 431f50002 ObjectTable: ffffe18f30607c00 HandleCount: 248.
Image: MsMpEng.exe
VadRoot ffff84898fdd5dd0 Vads 73 Clone 0 Private 537. Modified 19. Locked 0.
DeviceMap ffffe18f2b818ad0
Token ffffe18f30642060
ElapsedTime 00:00:11.334
UserTime 00:00:00.015
KernelTime 00:00:00.015
QuotaPoolUsage[PagedPool] 90088
QuotaPoolUsage[NonPagedPool] 12912
Working Set Sizes (now,min,max) (3181, 50, 345) (12724KB, 200KB, 1380KB)
PeakWorkingSetSize 3112
VirtualSize 2101325 Mb
PeakVirtualSize 2101326 Mb
PageFaultCount 3237
MemoryPriority BACKGROUND
BasePriority 8
CommitCharge 738

    THREAD ffff84898fdd6080  Cid 1404.1408  Teb: 000000ec4ed49000 Win32Thread: ffff84898f7b14c0 WAIT: (UserRequest) UserMode Non-Alertable
        ffff84898fe45920  SynchronizationEvent
    Not impersonating
    DeviceMap                 ffffe18f2b818ad0
    Owning Process            ffff84898fdd72c0       Image:         MsMpEng.exe
    Attached Process          N/A            Image:         N/A
    Wait Start TickCount      784            Ticks: 722 (0:00:00:11.281)
    Context Switch Count      107            IdealProcessor: 1             
    UserTime                  00:00:00.000
    KernelTime                00:00:00.015
    Win32 Start Address 0x00007ff751b0c120
    Stack Init ffff9789579e7b90 Current ffff9789579e75c0
    Base ffff9789579e8000 Limit ffff9789579e1000 Call 0000000000000000
    Priority 9 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
    Child-SP          RetAddr               Call Site
    ffff9789`579e7600 fffff800`060395d6     nt!KiSwapContext+0x76
    ffff9789`579e7740 fffff800`06038dcb     nt!KiSwapThread+0x2c6
    ffff9789`579e7810 fffff800`060384ef     nt!KiCommitThreadWait+0x13b
    ffff9789`579e78b0 fffff800`064e5f2c     nt!KeWaitForSingleObject+0x1ff
    ffff9789`579e7990 fffff800`061b9d43     nt!NtWaitForSingleObject+0xfc
    ffff9789`579e7a00 00007ffd`84ee9f84     nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ ffff9789`579e7a00)
    000000ec`4eb3f988 00000000`00000000     0x00007ffd`84ee9f84

    THREAD ffff84898fde2080  Cid 1404.143c  Teb: 000000ec4ed4b000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
        ffff84898fde8440  QueueObject
    Not impersonating
    DeviceMap                 ffffe18f2b818ad0
    Owning Process            ffff84898fdd72c0       Image:         MsMpEng.exe
    Attached Process          N/A            Image:         N/A
    Wait Start TickCount      802            Ticks: 704 (0:00:00:11.000)
    Context Switch Count      9              IdealProcessor: 3             
    UserTime                  00:00:00.000
    KernelTime                00:00:00.000
    Win32 Start Address 0x00007ffd84e6f320
    Stack Init ffff978957a2fb90 Current ffff978957a2f280
    Base ffff978957a30000 Limit ffff978957a29000 Call 0000000000000000
    Priority 8 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
    Child-SP          RetAddr               Call Site
    ffff9789`57a2f2c0 fffff800`060395d6     nt!KiSwapContext+0x76
    ffff9789`57a2f400 fffff800`06038dcb     nt!KiSwapThread+0x2c6
    ffff9789`57a2f4d0 fffff800`060d7ae2     nt!KiCommitThreadWait+0x13b
    ffff9789`57a2f570 fffff800`060d7579     nt!KeRemoveQueueEx+0x262
    ffff9789`57a2f620 fffff800`060d6b44     nt!IoRemoveIoCompletion+0x99
    ffff9789`57a2f740 fffff800`061b9d43     nt!NtWaitForWorkViaWorkerFactory+0x334
    ffff9789`57a2f990 00007ffd`84eed854     nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ ffff9789`57a2fa00)
    000000ec`4ebbf938 00000000`00000000     0x00007ffd`84eed854

    THREAD ffff84898fe10040  Cid 1404.1448  Teb: 000000ec4ed4d000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
        ffff84898fdab6f0  NotificationEvent
    Not impersonating
    DeviceMap                 ffffe18f2b818ad0
    Owning Process            ffff84898fdd72c0       Image:         MsMpEng.exe
    Attached Process          N/A            Image:         N/A
    Wait Start TickCount      794            Ticks: 712 (0:00:00:11.125)
    Context Switch Count      5              IdealProcessor: 5             
    UserTime                  00:00:00.000
    KernelTime                00:00:00.000
    Win32 Start Address 0x00007ffd84e6f320
    Stack Init ffff978957a4fb90 Current ffff978957a4f5c0
    Base ffff978957a50000 Limit ffff978957a49000 Call 0000000000000000
    Priority 8 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
    Child-SP          RetAddr               Call Site
    ffff9789`57a4f600 fffff800`060395d6     nt!KiSwapContext+0x76
    ffff9789`57a4f740 fffff800`06038dcb     nt!KiSwapThread+0x2c6
    ffff9789`57a4f810 fffff800`060384ef     nt!KiCommitThreadWait+0x13b
    ffff9789`57a4f8b0 fffff800`064e5f2c     nt!KeWaitForSingleObject+0x1ff
    ffff9789`57a4f990 fffff800`061b9d43     nt!NtWaitForSingleObject+0xfc
    ffff9789`57a4fa00 00007ffd`84ee9f84     nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ ffff9789`57a4fa00)
    000000ec`4ee7f3e8 00000000`00000000     0x00007ffd`84ee9f84

    THREAD ffff84898fe09080  Cid 1404.1460  Teb: 000000ec4ed4f000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
        ffff84898fde8440  QueueObject
    Not impersonating
    DeviceMap                 ffffe18f2b818ad0
    Owning Process            ffff84898fdd72c0       Image:         MsMpEng.exe
    Attached Process          N/A            Image:         N/A
    Wait Start TickCount      800            Ticks: 706 (0:00:00:11.031)
    Context Switch Count      6              IdealProcessor: 7             
    UserTime                  00:00:00.000
    KernelTime                00:00:00.000
    Win32 Start Address 0x00007ffd84e6f320
    Stack Init ffff978957a7fb90 Current ffff978957a7f280
    Base ffff978957a80000 Limit ffff978957a79000 Call 0000000000000000
    Priority 8 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
    Child-SP          RetAddr               Call Site
    ffff9789`57a7f2c0 fffff800`060395d6     nt!KiSwapContext+0x76
    ffff9789`57a7f400 fffff800`06038dcb     nt!KiSwapThread+0x2c6
    ffff9789`57a7f4d0 fffff800`060d7ae2     nt!KiCommitThreadWait+0x13b
    ffff9789`57a7f570 fffff800`060d7579     nt!KeRemoveQueueEx+0x262
    ffff9789`57a7f620 fffff800`060d6b44     nt!IoRemoveIoCompletion+0x99
    ffff9789`57a7f740 fffff800`061b9d43     nt!NtWaitForWorkViaWorkerFactory+0x334
    ffff9789`57a7f990 00007ffd`84eed854     nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ ffff9789`57a7fa00)
    000000ec`4eeff6a8 00000000`00000000     0x00007ffd`84eed854

    THREAD ffff84898fec9080  Cid 1404.15ac  Teb: 000000ec4ed53000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
        ffff84898fd1ed40  QueueObject
    Not impersonating
    DeviceMap                 ffffe18f2b818ad0
    Owning Process            ffff84898fdd72c0       Image:         MsMpEng.exe
    Attached Process          N/A            Image:         N/A
    Wait Start TickCount      794            Ticks: 712 (0:00:00:11.125)
    Context Switch Count      3              IdealProcessor: 2             
    UserTime                  00:00:00.000
    KernelTime                00:00:00.000
    Win32 Start Address 0x00007ffd84e6f320
    Stack Init ffff978957cdfb90 Current ffff978957cdf280
    Base ffff978957ce0000 Limit ffff978957cd9000 Call 0000000000000000
    Priority 8 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
    Child-SP          RetAddr               Call Site
    ffff9789`57cdf2c0 fffff800`060395d6     nt!KiSwapContext+0x76
    ffff9789`57cdf400 fffff800`06038dcb     nt!KiSwapThread+0x2c6
    ffff9789`57cdf4d0 fffff800`060d7ae2     nt!KiCommitThreadWait+0x13b
    ffff9789`57cdf570 fffff800`060d7579     nt!KeRemoveQueueEx+0x262
    ffff9789`57cdf620 fffff800`060d6b44     nt!IoRemoveIoCompletion+0x99
    ffff9789`57cdf740 fffff800`061b9d43     nt!NtWaitForWorkViaWorkerFactory+0x334
    ffff9789`57cdf990 00007ffd`84eed854     nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ ffff9789`57cdfa00)
    000000ec`4efff588 00000000`00000000     0x00007ffd`84eed854

    THREAD ffff8489901b0080  Cid 1404.1758  Teb: 000000ec4ed55000 Win32Thread: ffff84898fbe8b10 WAIT: (WrLpcReply) UserMode Non-Alertable
        ffff8489901b06c8  Semaphore Limit 0x1
    Waiting for reply to ALPC Message ffffe18f30694ce0 : queued at port ffff84898eb2ce20 : owned by process ffff84898e9c8580
    Not impersonating
    DeviceMap                 ffffe18f2b818ad0
    Owning Process            ffff84898fdd72c0       Image:         MsMpEng.exe
    Attached Process          N/A            Image:         N/A
    Wait Start TickCount      803            Ticks: 703 (0:00:00:10.984)
    Context Switch Count      226            IdealProcessor: 4             
    UserTime                  00:00:00.031
    KernelTime                00:00:00.046
    Win32 Start Address 0x00007ffd8164c490
    Stack Init ffff978957ffab90 Current ffff978957ffa2e0
    Base ffff978957ffb000 Limit ffff978957ff4000 Call 0000000000000000
    Priority 9 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
    Child-SP          RetAddr               Call Site
    ffff9789`57ffa320 fffff800`060395d6     nt!KiSwapContext+0x76
    ffff9789`57ffa460 fffff800`06038dcb     nt!KiSwapThread+0x2c6
    ffff9789`57ffa530 fffff800`060384ef     nt!KiCommitThreadWait+0x13b
    ffff9789`57ffa5d0 fffff800`060283cb     nt!KeWaitForSingleObject+0x1ff
    ffff9789`57ffa6b0 fffff800`064b6c06     nt!AlpcpSignalAndWait+0x17b
    ffff9789`57ffa750 fffff800`064b6882     nt!AlpcpReceiveSynchronousReply+0x56
    ffff9789`57ffa7b0 fffff800`064b4872     nt!AlpcpProcessSynchronousRequest+0x372
    ffff9789`57ffa8d0 fffff800`061b9d43     nt!NtAlpcSendWaitReceivePort+0x1e2
    ffff9789`57ffa990 00007ffd`84eeb034     nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ ffff9789`57ffaa00)
    000000ec`4f07eac8 00000000`00000000     0x00007ffd`84eeb034

    THREAD ffff8489903b5080  Cid 1404.17a4  Teb: 000000ec4ed57000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
        ffff84898fdd1f00  QueueObject
    Not impersonating
    DeviceMap                 ffffe18f2b818ad0
    Owning Process            ffff84898fdd72c0       Image:         MsMpEng.exe
    Attached Process          N/A            Image:         N/A
    Wait Start TickCount      802            Ticks: 704 (0:00:00:11.000)
    Context Switch Count      6              IdealProcessor: 6             
    UserTime                  00:00:00.000
    KernelTime                00:00:00.000
    Win32 Start Address 0x00007ffd84e6f320
    Stack Init ffff97895808fb90 Current ffff97895808f280
    Base ffff978958090000 Limit ffff978958089000 Call 0000000000000000
    Priority 8 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
    Child-SP          RetAddr               Call Site
    ffff9789`5808f2c0 fffff800`060395d6     nt!KiSwapContext+0x76
    ffff9789`5808f400 fffff800`06038dcb     nt!KiSwapThread+0x2c6
    ffff9789`5808f4d0 fffff800`060d7ae2     nt!KiCommitThreadWait+0x13b
    ffff9789`5808f570 fffff800`060d7579     nt!KeRemoveQueueEx+0x262
    ffff9789`5808f620 fffff800`060d6b44     nt!IoRemoveIoCompletion+0x99
    ffff9789`5808f740 fffff800`061b9d43     nt!NtWaitForWorkViaWorkerFactory+0x334
    ffff9789`5808f990 00007ffd`84eed854     nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ ffff9789`5808fa00)
    000000ec`4ef7f5c8 00000000`00000000     0x00007ffd`84eed854

    THREAD ffff848998525700  Cid 1404.1228  Teb: 000000ec4ed59000 Win32Thread: ffff84898fd20710 WAIT: (WrLpcReply) UserMode Non-Alertable
        ffff848998525d48  Semaphore Limit 0x1
    Waiting for reply to ALPC Message ffffe18f34668ce0 : queued at port ffff84898ed5f1a0 : owned by process ffff84898eb94340
    Not impersonating
    DeviceMap                 ffffe18f2b818ad0
    Owning Process            ffff84898fdd72c0       Image:         MsMpEng.exe
    Attached Process          N/A            Image:         N/A
    Wait Start TickCount      802            Ticks: 704 (0:00:00:11.000)
    Context Switch Count      16             IdealProcessor: 1             
    UserTime                  00:00:00.000
    KernelTime                00:00:00.000
    Win32 Start Address 0x00007ffd8164c490
    Stack Init ffff97895812fb90 Current ffff97895812f2e0
    Base ffff978958130000 Limit ffff978958129000 Call 0000000000000000
    Priority 9 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
    Child-SP          RetAddr               Call Site
    ffff9789`5812f320 fffff800`060395d6     nt!KiSwapContext+0x76
    ffff9789`5812f460 fffff800`06038dcb     nt!KiSwapThread+0x2c6
    ffff9789`5812f530 fffff800`060384ef     nt!KiCommitThreadWait+0x13b
    ffff9789`5812f5d0 fffff800`060283cb     nt!KeWaitForSingleObject+0x1ff
    ffff9789`5812f6b0 fffff800`064b6c06     nt!AlpcpSignalAndWait+0x17b
    ffff9789`5812f750 fffff800`064b6882     nt!AlpcpReceiveSynchronousReply+0x56
    ffff9789`5812f7b0 fffff800`064b4872     nt!AlpcpProcessSynchronousRequest+0x372
    ffff9789`5812f8d0 fffff800`061b9d43     nt!NtAlpcSendWaitReceivePort+0x1e2
    ffff9789`5812f990 00007ffd`84eeb034     nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ ffff9789`5812fa00)
    000000ec`4f0fed28 00000000`00000000     0x00007ffd`84eeb034

    THREAD ffff848998573080  Cid 1404.1870  Teb: 000000ec4ed5b000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
        ffff84898fdd1f00  QueueObject
    Not impersonating
    DeviceMap                 ffffe18f2b818ad0
    Owning Process            ffff84898fdd72c0       Image:         MsMpEng.exe
    Attached Process          N/A            Image:         N/A
    Wait Start TickCount      802            Ticks: 704 (0:00:00:11.000)
    Context Switch Count      1              IdealProcessor: 3             
    UserTime                  00:00:00.000
    KernelTime                00:00:00.000
    Win32 Start Address 0x00007ffd84e6f320
    Stack Init ffff97895824fb90 Current ffff97895824f280
    Base ffff978958250000 Limit ffff978958249000 Call 0000000000000000
    Priority 8 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
    Child-SP          RetAddr               Call Site
    ffff9789`5824f2c0 fffff800`060395d6     nt!KiSwapContext+0x76
    ffff9789`5824f400 fffff800`06038dcb     nt!KiSwapThread+0x2c6
    ffff9789`5824f4d0 fffff800`060d7ae2     nt!KiCommitThreadWait+0x13b
    ffff9789`5824f570 fffff800`060d7579     nt!KeRemoveQueueEx+0x262
    ffff9789`5824f620 fffff800`060d6b44     nt!IoRemoveIoCompletion+0x99
    ffff9789`5824f740 fffff800`061b9d43     nt!NtWaitForWorkViaWorkerFactory+0x334
    ffff9789`5824f990 00007ffd`84eed854     nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ ffff9789`5824fa00)
    000000ec`4f17f5c8 00000000`00000000     0x00007ffd`84eed854

    THREAD ffff848998572080  Cid 1404.1874  Teb: 000000ec4ed5d000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
        ffff848998574100  SynchronizationTimer
    Not impersonating
    DeviceMap                 ffffe18f2b818ad0
    Owning Process            ffff84898fdd72c0       Image:         MsMpEng.exe
    Attached Process          N/A            Image:         N/A
    Wait Start TickCount      803            Ticks: 703 (0:00:00:10.984)
    Context Switch Count      1              IdealProcessor: 5             
    UserTime                  00:00:00.000
    KernelTime                00:00:00.000
    Win32 Start Address 0x00007ffd82446cd0
    Stack Init ffff978958257b90 Current ffff978958256d60
    Base ffff978958258000 Limit ffff978958251000 Call 0000000000000000
    Priority 8 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
    Child-SP          RetAddr               Call Site
    ffff9789`58256da0 fffff800`060395d6     nt!KiSwapContext+0x76
    ffff9789`58256ee0 fffff800`06038dcb     nt!KiSwapThread+0x2c6
    ffff9789`58256fb0 fffff800`060384ef     nt!KiCommitThreadWait+0x13b
    ffff9789`58257050 fffff800`06037d15     nt!KeWaitForSingleObject+0x1ff
    ffff9789`58257130 fffff800`064e44e0     nt!KeWaitForMultipleObjects+0x4b5
    ffff9789`58257210 fffff800`064e5007     nt!ObWaitForMultipleObjects+0x2a0
    ffff9789`58257710 fffff800`061b9d43     nt!NtWaitForMultipleObjects+0xf7
    ffff9789`58257990 00007ffd`84eeaa54     nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ ffff9789`58257a00)
    000000ec`4f1ff8c8 00000000`00000000     0x00007ffd`84eeaa54

Inspecting the token

kd> !token ffffe18f30642060
_TOKEN 0xffffe18f30642060
TS Session ID: 0
User: S-1-5-18
User Groups:
00 S-1-16-16384
Attributes - GroupIntegrity GroupIntegrityEnabled
01 S-1-1-0
Attributes - Mandatory Default Enabled
02 S-1-5-32-545
Attributes - Mandatory Default Enabled
03 S-1-5-6
Attributes - Mandatory Default Enabled
04 S-1-2-1
Attributes - Mandatory Default Enabled
05 S-1-5-11
Attributes - Mandatory Default Enabled
06 S-1-5-15
Attributes - Mandatory Default Enabled
07 S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736
Attributes - Default Enabled Owner
08 S-1-5-5-0-259255
Attributes - Mandatory Default Enabled Owner LogonId
09 S-1-2-0
Attributes - Mandatory Default Enabled
10 S-1-5-32-544
Attributes - Default Enabled Owner
Primary Group: S-1-5-18
Privs:
03 0x000000003 SeAssignPrimaryTokenPrivilege Attributes - Enabled
05 0x000000005 SeIncreaseQuotaPrivilege Attributes - Enabled
07 0x000000007 SeTcbPrivilege Attributes - Enabled Default
08 0x000000008 SeSecurityPrivilege Attributes - Enabled
09 0x000000009 SeTakeOwnershipPrivilege Attributes - Enabled
10 0x00000000a SeLoadDriverPrivilege Attributes - Enabled
14 0x00000000e SeIncreaseBasePriorityPrivilege Attributes - Enabled Default
17 0x000000011 SeBackupPrivilege Attributes - Enabled
18 0x000000012 SeRestorePrivilege Attributes - Enabled
19 0x000000013 SeShutdownPrivilege Attributes - Enabled
20 0x000000014 SeDebugPrivilege Attributes - Enabled Default
22 0x000000016 SeSystemEnvironmentPrivilege Attributes - Enabled
23 0x000000017 SeChangeNotifyPrivilege Attributes - Enabled Default
29 0x00000001d SeImpersonatePrivilege Attributes - Enabled Default
Authentication ID: (0,3e7)
Impersonation Level: Anonymous
TokenType: Primary
Source: Advapi TokenFlags: 0x2800 ( Token in use )
Token ID: 3f834 ParentToken ID: 0
Modified ID: (0, 452a8)
RestrictedSidCount: 0 RestrictedSids: 0x0000000000000000
OriginatingLogonSession: 3e7
PackageSid: (null)
CapabilityCount: 0 Capabilities: 0x0000000000000000
LowboxNumberEntry: 0x0000000000000000
Security Attributes:
Unable to get the offset of nt!_AUTHZBASEP_SECURITY_ATTRIBUTE.ListLink
Process Token TrustLevelSid: S-1-19-512-1536
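As an added example (not part of the original notes), the Python below parses the `!token` output into groups and privileges and reduces it to the facts a reviewer checks first: whether the token is LocalSystem, its integrity level, whether Administrators is enabled, and which boundary-crossing privileges are enabled. The sample is a trimmed, constructed copy of the output above; SENSITIVE is my own triage list, not a Windows definition.

```python
import re

# Constructed sample: a trimmed copy of the "!token" output above (user, a
# subset of the groups, the full privilege list and the trailing summary).
SAMPLE_TOKEN = """\
_TOKEN 0xffffe18f30642060
TS Session ID: 0
User: S-1-5-18
User Groups:
 00 S-1-16-16384
    Attributes - GroupIntegrity GroupIntegrityEnabled
 01 S-1-1-0
    Attributes - Mandatory Default Enabled
 02 S-1-5-32-545
    Attributes - Mandatory Default Enabled
 10 S-1-5-32-544
    Attributes - Default Enabled Owner
Primary Group: S-1-5-18
Privs:
 03 0x000000003 SeAssignPrimaryTokenPrivilege    Attributes - Enabled
 05 0x000000005 SeIncreaseQuotaPrivilege         Attributes - Enabled
 07 0x000000007 SeTcbPrivilege                   Attributes - Enabled Default
 08 0x000000008 SeSecurityPrivilege              Attributes - Enabled
 09 0x000000009 SeTakeOwnershipPrivilege         Attributes - Enabled
 10 0x00000000a SeLoadDriverPrivilege            Attributes - Enabled
 14 0x00000000e SeIncreaseBasePriorityPrivilege  Attributes - Enabled Default
 17 0x000000011 SeBackupPrivilege                Attributes - Enabled
 18 0x000000012 SeRestorePrivilege               Attributes - Enabled
 19 0x000000013 SeShutdownPrivilege              Attributes - Enabled
 20 0x000000014 SeDebugPrivilege                 Attributes - Enabled Default
 22 0x000000016 SeSystemEnvironmentPrivilege     Attributes - Enabled
 23 0x000000017 SeChangeNotifyPrivilege          Attributes - Enabled Default
 29 0x00000001d SeImpersonatePrivilege           Attributes - Enabled Default
Authentication ID: (0,3e7)
Impersonation Level: Anonymous
TokenType: Primary
"""

GROUP_RE = re.compile(r"^\d+\s+(S-1-[\d-]+)$")
PRIV_RE = re.compile(r"^\d+\s+0x[0-9a-fA-F]+\s+(Se\w+)\s+Attributes\s+-\s*(.*)$")

# Mandatory-level RIDs carried by the S-1-16-* group (the integrity label).
INTEGRITY = {0x0000: "Untrusted", 0x1000: "Low", 0x2000: "Medium",
             0x3000: "High", 0x4000: "System"}

# Privileges that let their holder act outside its own security boundary
# (my own triage list); Enabled on an unexpected process, they are what to chase.
SENSITIVE = {"SeDebugPrivilege", "SeTcbPrivilege", "SeLoadDriverPrivilege",
             "SeBackupPrivilege", "SeRestorePrivilege", "SeTakeOwnershipPrivilege",
             "SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege"}


def parse_token(text):
    """groups -> [(sid, [attrs])], privs -> [(name, [attrs])], plus the
    'Key: value' summary lines (User, TokenType, Impersonation Level, ...)."""
    tok = {"groups": [], "privs": []}
    pending_sid = None
    for raw in text.splitlines():
        line = raw.strip()
        g = GROUP_RE.match(line)
        if g:
            pending_sid = g.group(1)  # its Attributes line follows
            continue
        p = PRIV_RE.match(line)
        if p:
            tok["privs"].append((p.group(1), p.group(2).split()))
            continue
        if line.startswith("Attributes -") and pending_sid:
            tok["groups"].append((pending_sid, line.split("-", 1)[1].split()))
            pending_sid = None
            continue
        if ":" in line:
            key, val = line.split(":", 1)
            tok[key.strip()] = val.strip()
    return tok


def integrity_level(tok):
    for sid, _ in tok["groups"]:
        if sid.startswith("S-1-16-"):
            rid = int(sid.rsplit("-", 1)[1])
            return INTEGRITY.get(rid, hex(rid))
    return "unknown"


def group_enabled(tok, sid):
    return any(s == sid and "Enabled" in attrs for s, attrs in tok["groups"])


def sensitive_enabled(tok):
    return sorted(n for n, attrs in tok["privs"] if n in SENSITIVE and "Enabled" in attrs)


def token_summary(tok):
    """The facts to check first when deciding whether a token looks right for
    the process that holds it (a session-0 service running as SYSTEM here)."""
    return {
        "local_system": tok.get("User") == "S-1-5-18",
        "integrity": integrity_level(tok),
        "admin_enabled": group_enabled(tok, "S-1-5-32-544"),
        "token_type": tok.get("TokenType"),
        "impersonation_level": tok.get("Impersonation Level"),
        "sensitive_privs": sensitive_enabled(tok),
    }
```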

Threads

kd> .thread
Implicit thread is now ffff84898fe7f480
||2:6: kd> !thread ffff84898fe7f480
THREAD ffff84898fe7f480 Cid 129c.1534 Teb: 00000046dd4b8000 Win32Thread: ffff84898fbc0f00
RUNNING on processor 6 // running on CPU 6
Not impersonating
DeviceMap ffffe18f2b818ad0
Owning Process ffff84898fc36080 Image: DolbyDAX2API.exe
Attached Process N/A Image: N/A
Wait Start TickCount 805 Ticks: 701 (0:00:00:10.953)
Context Switch Count 734 IdealProcessor: 7
UserTime 00:00:00.031
KernelTime 00:00:10.968
Win32 Start Address 0x00007ff7bc4c7080
Stack Init ffff978957c1fb90 Current ffff978957c1e610
Base ffff978957c20000 Limit ffff978957c19000 Call 0000000000000000
Priority 9 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP RetAddr : Args to Child : Call Site
ffffb800fcbfdb78 fffff800061fb578 : 0000000000000101 0000000000000018 0000000000000000 ffffb800fd161180 : nt!KeBugCheckEx
ffffb800fcbfdb80 fffff800060df1ad : 0000000000000000 ffffb800fcbe1180 0000000000000246 00000000000005e2 : nt!KeAccumulateTicks+0x1188b8
ffffb800fcbfdbe0 fffff800060e0293 : fffff78000000340 0000000000000000 00000000000005e2 0000000000000000 : nt!KiUpdateRunTime+0x5d
ffffb800fcbfdc30 fffff80006954883 : 00000014f9bf6e49 fffff800063cd8a0 0000000000000000 ffff978957c1eb60 : nt!KeClockInterruptNotify+0x8f3
ffffb800fcbfdf40 fffff8000612cd75 : ffff848982102500 0000000000000000 0000000000000000 0000000000000000 : hal!HalpTimerClockInterrupt+0x63
ffffb800fcbfdf70 fffff800061aaf4a : ffff978957c1ebe0 ffff848982102500 0000007ffffffff8 ffff848982127000 : nt!KiCallInterruptServiceRoutine+0xa5
ffffb800fcbfdfb0 fffff800061ab437 : ffff84423863cd20 ffff848982102500 0000000000000000 ffff84899851f010 : nt!KiInterruptSubDispatchNoLockNoEtw+0xea (TrapFrame @ ffffb800fcbfde70)
ffff978957c1eb60 fffff800060fe951 : ffffe18f34799e90 0000000000000000 ffffe18f00000002 ffffe18f34799e90 : nt!KiInterruptDispatchNoLockNoEtw+0x37 (TrapFrame @ ffff978957c1eb60)
ffff978957c1ecf0 fffff8000610217d : fffff800063cd8a0 ffff978957c1eeb0 ffff84423863cd20 3a00000178054863 : nt!MiFastLockLeafPageTable+0x3f1
ffff978957c1edb0 fffff80006102890 : ffff978957c1f010 0000000000000000 ffffe18f00001000 0000000000001000 : nt!MiCommitPoolMemory+0x3bd
ffff978957c1eef0 fffff800060e5844 : ffff978957c1f009 ffffe18f3484b000 0000000000000001 0000000000f3484b : nt!MmAllocatePoolMemory+0x80
ffff978957c1ef50 fffff80006064bf4 : 0000000080000001 0000000000000000 0000000000000000 0000000000000000 : nt!MiAllocatePagedPoolPages+0x554
ffff978957c1f070 fffff800062ead37 : 0000000000000000 0000000074536d4d ffff978957c10000 ffff848974536d4d : nt!ExpAllocateBigPool+0x5a4
ffff978957c1f170 fffff8000649fa20 : 000000000000048d 0000000000001000 ffffb80174536d4d ffff848900000000 : nt!ExAllocatePoolWithTag+0x927
ffff978957c1f260 fffff8000649f5e3 : 0000000000000402 ffffb80100aed188 0000000000000000 ffff978957c1f390 : nt!MiBuildImageControlArea+0x114
ffff978957c1f2e0 fffff8000649e95f : ffff978957c1f780 0000000400000002 0000000000000000 0000000000000000 : nt!MiCreateImageFileMap+0x3cb
ffff978957c1f4b0 fffff8000657f240 : ffff8489986dd950 ffff978957c1f650 ffff978957c1f780 fffff800062eb32e : nt!MiCreateNewSection+0x21f
ffff978957c1f620 fffff8000657e8b8 : ffff978957c1f650 0000000000000000 ffff8489986dd950 0000000000000000 : nt!MiCreateImageOrDataSection+0x2f0
ffff978957c1f710 fffff8000657e78c : 0000000000000000 ffff978957c1f950 0000000000000000 ffff848998543180 : nt!MiCreateSection+0xe8
ffff978957c1f870 fffff8000657e5a3 : 0000000000000000 ffff978957c1fa80 0000000000000010 0000000001000000 : nt!MmCreateSection+0xec
ffff978957c1f900 fffff800061b9d43 : ffff84898fe7f480 00000046ddbf34a8 0000000000000000 0000000000000000 : nt!NtCreateSection+0x153
ffff978957c1f990 00007ffd84eea844 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ ffff978957c1fa00)
00000046ddbf3488 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : 0x00007ffd84eea844

||2:6: kd> **dt _ETHREAD ffff84898fe7f480**
nt!_ETHREAD
+0x000 Tcb : _KTHREAD
+0x5f0 CreateTime : _LARGE_INTEGER 0x01d48c652205e41e
+0x5f8 ExitTime : _LARGE_INTEGER 0xffff84898fe7fa78
+0x5f8 KeyedWaitChain : _LIST_ENTRY [ 0xffff84898fe7fa78 - 0xffff84898fe7fa78 ]
+0x608 PostBlockList : _LIST_ENTRY [ 0xffffe18f32dd3660 - 0xffffe18f32dd3660 ]
+0x608 ForwardLinkShadow : 0xffffe18f32dd3660 Void
+0x610 StartAddress : 0xffffe18f32dd3660 Void
+0x618 TerminationPort : (null)
+0x618 ReaperLink : (null)
+0x618 KeyedWaitValue : (null)
+0x620 ActiveTimerListLock : 0
+0x628 ActiveTimerListHead : _LIST_ENTRY [ 0xffff84898fe7faa8 - 0xffff84898fe7faa8 ]
+0x638 Cid : _CLIENT_ID
+0x648 KeyedWaitSemaphore : _KSEMAPHORE
+0x648 AlpcWaitSemaphore : _KSEMAPHORE
+0x668 ClientSecurity : _PS_CLIENT_SECURITY_CONTEXT
+0x670 IrpList : _LIST_ENTRY [ 0xffff84898fe7faf0 - 0xffff84898fe7faf0 ]
+0x680 TopLevelIrp : 1
+0x688 DeviceToVerify : (null)
+0x690 Win32StartAddress : 0x00007ff7bc4c7080 Void
+0x698 ChargeOnlySession : (null)
+0x6a0 LegacyPowerObject : (null)
+0x6a8 ThreadListEntry : _LIST_ENTRY [ 0xffff84898fe77da8 - 0xffff84898fe69728 ]
+0x6b8 RundownProtect : _EX_RUNDOWN_REF
+0x6c0 ThreadLock : _EX_PUSH_LOCK
+0x6c8 ReadClusterSize : 7
+0x6cc MmLockOrdering : 0n0
+0x6d0 CrossThreadFlags : 0x5402
+0x6d0 Terminated : 0y0
+0x6d0 ThreadInserted : 0y1
+0x6d0 HideFromDebugger : 0y0
+0x6d0 ActiveImpersonationInfo : 0y0
+0x6d0 HardErrorsAreDisabled : 0y0
+0x6d0 BreakOnTermination : 0y0
+0x6d0 SkipCreationMsg : 0y0
+0x6d0 SkipTerminationMsg : 0y0
+0x6d0 CopyTokenOnOpen : 0y0
+0x6d0 ThreadIoPriority : 0y010
+0x6d0 ThreadPagePriority : 0y101
+0x6d0 RundownFail : 0y0
+0x6d0 UmsForceQueueTermination : 0y0
+0x6d0 IndirectCpuSets : 0y0
+0x6d0 DisableDynamicCodeOptOut : 0y0
+0x6d0 ExplicitCaseSensitivity : 0y0
+0x6d0 PicoNotifyExit : 0y0
+0x6d0 DbgWerUserReportActive : 0y0
+0x6d0 ForcedSelfTrimActive : 0y0
+0x6d0 SamplingCoverage : 0y0
+0x6d0 ReservedCrossThreadFlags : 0y00000000 (0)
+0x6d4 SameThreadPassiveFlags : 0
+0x6d4 ActiveExWorker : 0y0
+0x6d4 MemoryMaker : 0y0
+0x6d4 StoreLockThread : 0y00
+0x6d4 ClonedThread : 0y0
+0x6d4 KeyedEventInUse : 0y0
+0x6d4 SelfTerminate : 0y0
+0x6d4 RespectIoPriority : 0y0
+0x6d4 ActivePageLists : 0y0
+0x6d4 SecureContext : 0y0
+0x6d4 ZeroPageThread : 0y0
+0x6d4 ReservedSameThreadPassiveFlags : 0y000000000000000000000 (0)
+0x6d8 SameThreadApcFlags : 8
+0x6d8 OwnsProcessAddressSpaceExclusive : 0y0
+0x6d8 OwnsProcessAddressSpaceShared : 0y0
+0x6d8 HardFaultBehavior : 0y0
+0x6d8 StartAddressInvalid : 0y1
+0x6d8 EtwCalloutActive : 0y0
+0x6d8 SuppressSymbolLoad : 0y0
+0x6d8 Prefetching : 0y0
+0x6d8 OwnsVadExclusive : 0y0
+0x6d9 SystemPagePriorityActive : 0y0
+0x6d9 SystemPagePriority : 0y000
+0x6d9 AllowWritesToExecutableMemory : 0y0
+0x6dc CacheManagerActive : 0 ''
+0x6dd DisablePageFaultClustering : 0 ''
+0x6de ActiveFaultCount : 0 ''
+0x6df LockOrderState : 0 ''
+0x6e0 AlpcMessageId : 0
+0x6e8 AlpcMessage : (null)
+0x6e8 AlpcReceiveAttributeSet : 0
+0x6f0 AlpcWaitListEntry : _LIST_ENTRY [ 0x0000000000000000 - 0x0000000000000000 ]
+0x700 ExitStatus : 0n0
+0x704 CacheManagerCount : 0
+0x708 IoBoostCount : 0
+0x70c IoQoSBoostCount : 0
+0x710 IoQoSThrottleCount : 0
+0x718 BoostList : _LIST_ENTRY [ 0xffff84898fe7fb98 - 0xffff84898fe7fb98 ]
+0x728 DeboostList : _LIST_ENTRY [ 0xffff84898fe7fba8 - 0xffff84898fe7fba8 ]
+0x738 BoostListLock : 0
+0x740 IrpListLock : 0
+0x748 ReservedForSynchTracking : (null)
+0x750 CmCallbackListHead : _SINGLE_LIST_ENTRY
+0x758 ActivityId : (null)
+0x760 SeLearningModeListHead : _SINGLE_LIST_ENTRY
+0x768 VerifierContext : (null)
+0x770 KernelStackReference : 1
+0x778 AdjustedClientToken : (null)
+0x780 WorkOnBehalfThread : (null)
+0x788 PropertySet : _PS_PROPERTY_SET
+0x7a0 PicoContext : (null)
+0x7a8 UserFsBase : 0
+0x7b0 UserGsBase : 0
+0x7b8 EnergyValues : 0xffff84898fe7fc98 _THREAD_ENERGY_VALUES
+0x7c0 CmDbgInfo : (null)
+0x7c8 SelectedCpuSets : 0
+0x7c8 SelectedCpuSetsIndirect : (null)
+0x7d0 Silo : 0xfffffffffffffffd _EJOB
+0x7d8 ThreadName : (null)
+0x7e0 SetContextState : (null)
+0x7e8 LastExpectedRunTime : 0xcec24
+0x7f0 OwnerEntryListHead : _LIST_ENTRY [ 0xffff84898fe7fc70 - 0xffff84898fe7fc70 ]
+0x800 DisownedOwnerEntryListLock : 0
+0x808 DisownedOwnerEntryListHead : _LIST_ENTRY [ 0xffff84898fe7fc88 - 0xffff84898fe7fc88 ]
Now look at the Tcb member. Tcb (Thread Control Block) is of type KTHREAD and holds what the kernel scheduler works with: thread state, priorities, kernel stack pointers, wait blocks, affinity and APC state. Because Tcb sits at offset 0x000 of the ETHREAD, the ETHREAD address is also the KTHREAD address, which is why the dx command below is given the same address ffff84898fe7f480.
dx -id 2,2,ffff84898fc36080 -r1 (*((ntkrnlmp!_KTHREAD *)0xffff84898fe7f480))
(*((ntkrnlmp!_KTHREAD *)0xffff84898fe7f480)) [Type: _KTHREAD]
[+0x000] Header [Type: _DISPATCHER_HEADER]
[+0x018] SListFaultAddress : 0x0 [Type: void *]
[+0x020] QuantumTarget : 0xa735cca [Type: unsigned __int64]
[+0x028] InitialStack : 0xffff978957c1fb90 [Type: void *]
[+0x030] StackLimit : 0xffff978957c19000 [Type: void *]
[+0x038] StackBase : 0xffff978957c20000 [Type: void *]
[+0x040] ThreadLock : 0x0 [Type: unsigned __int64]
[+0x048] CycleTime : 0x51dd2a08d [Type: unsigned __int64]
[+0x050] CurrentRunTime : 0xffffffff [Type: unsigned long]
[+0x054] ExpectedRunTime : 0xcec24 [Type: unsigned long]
[+0x058] KernelStack : 0xffff978957c1e610 [Type: void *]
[+0x060] StateSaveArea : 0xffff978957c1fbc0 [Type: _XSAVE_FORMAT *]
[+0x068] SchedulingGroup : 0x0 [Type: _KSCHEDULING_GROUP *]
[+0x070] WaitRegister [Type: _KWAIT_STATUS_REGISTER]
[+0x071] Running : 0x1 [Type: unsigned char]
[+0x072] Alerted [Type: unsigned char [2]]
[+0x074 ( 0: 0)] AutoBoostActive : 0x1 [Type: unsigned long]
[+0x074 ( 1: 1)] ReadyTransition : 0x0 [Type: unsigned long]
[+0x074 ( 2: 2)] WaitNext : 0x0 [Type: unsigned long]
[+0x074 ( 3: 3)] SystemAffinityActive : 0x0 [Type: unsigned long]
[+0x074 ( 4: 4)] Alertable : 0x0 [Type: unsigned long]
[+0x074 ( 5: 5)] UserStackWalkActive : 0x0 [Type: unsigned long]
[+0x074 ( 6: 6)] ApcInterruptRequest : 0x0 [Type: unsigned long]
[+0x074 ( 7: 7)] QuantumEndMigrate : 0x0 [Type: unsigned long]
[+0x074 ( 8: 8)] UmsDirectedSwitchEnable : 0x0 [Type: unsigned long]
[+0x074 ( 9: 9)] TimerActive : 0x0 [Type: unsigned long]
[+0x074 (10:10)] SystemThread : 0x0 [Type: unsigned long]
[+0x074 (11:11)] ProcessDetachActive : 0x0 [Type: unsigned long]
[+0x074 (12:12)] CalloutActive : 0x0 [Type: unsigned long]
[+0x074 (13:13)] ScbReadyQueue : 0x0 [Type: unsigned long]
[+0x074 (14:14)] ApcQueueable : 0x1 [Type: unsigned long]
[+0x074 (15:15)] ReservedStackInUse : 0x0 [Type: unsigned long]
[+0x074 (16:16)] UmsPerformingSyscall : 0x0 [Type: unsigned long]
[+0x074 (17:17)] TimerSuspended : 0x0 [Type: unsigned long]
[+0x074 (18:18)] SuspendedWaitMode : 0x0 [Type: unsigned long]
[+0x074 (19:19)] SuspendSchedulerApcWait : 0x0 [Type: unsigned long]
[+0x074 (31:20)] Reserved : 0x0 [Type: unsigned long]
[+0x074] MiscFlags : 16385 [Type: long]
[+0x078 ( 1: 0)] BamQosLevel : 0x2 [Type: unsigned long]
[+0x078 ( 2: 2)] AutoAlignment : 0x0 [Type: unsigned long]
[+0x078 ( 3: 3)] DisableBoost : 0x0 [Type: unsigned long]
[+0x078 ( 4: 4)] AlertedByThreadId : 0x0 [Type: unsigned long]
[+0x078 ( 5: 5)] QuantumDonation : 0x0 [Type: unsigned long]
[+0x078 ( 6: 6)] EnableStackSwap : 0x1 [Type: unsigned long]
[+0x078 ( 7: 7)] GuiThread : 0x1 [Type: unsigned long]
[+0x078 ( 8: 8)] DisableQuantum : 0x0 [Type: unsigned long]
[+0x078 ( 9: 9)] ChargeOnlySchedulingGroup : 0x0 [Type: unsigned long]
[+0x078 (10:10)] DeferPreemption : 0x0 [Type: unsigned long]
[+0x078 (11:11)] QueueDeferPreemption : 0x0 [Type: unsigned long]
[+0x078 (12:12)] ForceDeferSchedule : 0x0 [Type: unsigned long]
[+0x078 (13:13)] SharedReadyQueueAffinity : 0x1 [Type: unsigned long]
[+0x078 (14:14)] FreezeCount : 0x0 [Type: unsigned long]
[+0x078 (15:15)] TerminationApcRequest : 0x0 [Type: unsigned long]
[+0x078 (16:16)] AutoBoostEntriesExhausted : 0x0 [Type: unsigned long]
[+0x078 (17:17)] KernelStackResident : 0x1 [Type: unsigned long]
[+0x078 (19:18)] TerminateRequestReason : 0x0 [Type: unsigned long]
[+0x078 (20:20)] ProcessStackCountDecremented : 0x0 [Type: unsigned long]
[+0x078 (21:21)] RestrictedGuiThread : 0x0 [Type: unsigned long]
[+0x078 (22:22)] VpBackingThread : 0x0 [Type: unsigned long]
[+0x078 (23:23)] ThreadFlagsSpare : 0x0 [Type: unsigned long]
[+0x078 (31:24)] EtwStackTraceApcInserted : 0x0 [Type: unsigned long]
[+0x078] ThreadFlags : 139458 [Type: long]
[+0x07c] Tag : 0x0 [Type: unsigned char]
[+0x07d] SystemHeteroCpuPolicy : 0x5 [Type: unsigned char]
[+0x07e ( 6: 0)] UserHeteroCpuPolicy : 0x8 [Type: unsigned char]
[+0x07e ( 7: 7)] ExplicitSystemHeteroCpuPolicy : 0x0 [Type: unsigned char]
[+0x07f] Spare0 : 0x0 [Type: unsigned char]
[+0x080] SystemCallNumber : 0x4a [Type: unsigned long]
[+0x084] ReadyTime : 0xc [Type: unsigned long]
[+0x088] FirstArgument : 0x155418442e8 [Type: void *]
[+0x090] TrapFrame : 0xffff978957c1fa00 [Type: _KTRAP_FRAME *]
[+0x098] ApcState [Type: _KAPC_STATE]
[+0x098] ApcStateFill [Type: unsigned char [43]]
[+0x0c3] Priority : 9 '\t' [Type: char]
[+0x0c4] UserIdealProcessor : 0x7 [Type: unsigned long]
[+0x0c8] WaitStatus : 0 [Type: __int64]
[+0x0d0] WaitBlockList : 0xffff84898fe7f5c0 [Type: _KWAIT_BLOCK *]
[+0x0d8] WaitListEntry [Type: _LIST_ENTRY]
[+0x0d8] SwapListEntry [Type: _SINGLE_LIST_ENTRY]
[+0x0e8] Queue : 0x0 [Type: _DISPATCHER_HEADER *]
[+0x0f0] Teb : 0x46dd4b8000 [Type: void *]
[+0x0f8] RelativeTimerBias : 0x0 [Type: unsigned __int64]
[+0x100] Timer [Type: _KTIMER]
[+0x140] WaitBlock [Type: _KWAIT_BLOCK [4]]
[+0x140] WaitBlockFill4 [Type: unsigned char [20]]
[+0x154] ContextSwitches : 0x2de [Type: unsigned long]
[+0x140] WaitBlockFill5 [Type: unsigned char [68]]
**[+0x184] State : 0x2 [Type: unsigned char]**
// 2 means Running; the other values are listed in the table below
[+0x185] Spare13 : 0 [Type: char]
[+0x186] WaitIrql : 0x0 [Type: unsigned char]
[+0x187] WaitMode : 0 [Type: char]
[+0x140] WaitBlockFill6 [Type: unsigned char [116]]
[+0x1b4] WaitTime : 0x325 [Type: unsigned long]
[+0x140] WaitBlockFill7 [Type: unsigned char [164]]
[+0x1e4] KernelApcDisable : -2 [Type: short]
[+0x1e6] SpecialApcDisable : 0 [Type: short]
[+0x1e4] CombinedApcDisable : 0xfffe [Type: unsigned long]
[+0x140] WaitBlockFill8 [Type: unsigned char [40]]
[+0x168] ThreadCounters : 0x0 [Type: _KTHREAD_COUNTERS *]
[+0x140] WaitBlockFill9 [Type: unsigned char [88]]
[+0x198] XStateSave : 0x0 [Type: _XSTATE_SAVE *]
[+0x140] WaitBlockFill10 [Type: unsigned char [136]]
[+0x1c8] Win32Thread : 0xffff84898fbc0f00 [Type: void *]
[+0x140] WaitBlockFill11 [Type: unsigned char [176]]
[+0x1f0] Ucb : 0x0 [Type: _UMS_CONTROL_BLOCK *]
[+0x1f8] Uch : 0x0 [Type: _KUMS_CONTEXT_HEADER *]
[+0x200] Spare21 : 0x0 [Type: void *]
[+0x208] QueueListEntry [Type: _LIST_ENTRY]
[+0x218] NextProcessor : 0x6 [Type: unsigned long]
[+0x218 (30: 0)] NextProcessorNumber : 0x6 [Type: unsigned long]
[+0x218 (31:31)] SharedReadyQueue : 0x0 [Type: unsigned long]
[+0x21c] QueuePriority : 0 [Type: long]
[+0x220] Process : 0xffff84898fc36080 [Type: _KPROCESS *]
[+0x228] UserAffinity [Type: _GROUP_AFFINITY]
[+0x228] UserAffinityFill [Type: unsigned char [10]]
[+0x232] PreviousMode : 1 [Type: char]
[+0x233] BasePriority : 8 [Type: char]
[+0x234] PriorityDecrement : 0 [Type: char]
[+0x234 ( 3: 0)] ForegroundBoost : 0x0 [Type: unsigned char]
[+0x234 ( 7: 4)] UnusualBoost : 0x0 [Type: unsigned char]
[+0x235] Preempted : 0x1 [Type: unsigned char]
[+0x236] AdjustReason : 0x0 [Type: unsigned char]
[+0x237] AdjustIncrement : 1 [Type: char]
[+0x238] AffinityVersion : 0x38 [Type: unsigned __int64]
[+0x240] Affinity [Type: _GROUP_AFFINITY]
[+0x240] AffinityFill [Type: unsigned char [10]]
[+0x24a] ApcStateIndex : 0x0 [Type: unsigned char]
[+0x24b] WaitBlockCount : 0x1 [Type: unsigned char]
[+0x24c] IdealProcessor : 0x7 [Type: unsigned long]
[+0x250] NpxState : 0x1d [Type: unsigned __int64]
[+0x258] SavedApcState [Type: _KAPC_STATE]
[+0x258] SavedApcStateFill [Type: unsigned char [43]]
[+0x283] WaitReason : 0x9 [Type: unsigned char]
[+0x284] SuspendCount : 0 [Type: char]
[+0x285] Saturation : 0 [Type: char]
[+0x286] SListFaultCount : 0x0 [Type: unsigned short]
[+0x288] SchedulerApc [Type: _KAPC]
[+0x288] SchedulerApcFill0 [Type: unsigned char [1]]
[+0x289] ResourceIndex : 0x1 [Type: unsigned char]
[+0x288] SchedulerApcFill1 [Type: unsigned char [3]]
[+0x28b] QuantumReset : 0x6 [Type: unsigned char]
[+0x288] SchedulerApcFill2 [Type: unsigned char [4]]
[+0x28c] KernelTime : 0x2be [Type: unsigned long]
[+0x288] SchedulerApcFill3 [Type: unsigned char [64]]
[+0x2c8] WaitPrcb : 0x0 [Type: _KPRCB *]
[+0x288] SchedulerApcFill4 [Type: unsigned char [72]]
[+0x2d0] LegoData : 0x0 [Type: void *]
[+0x288] SchedulerApcFill5 [Type: unsigned char [83]]
[+0x2db] CallbackNestingLevel : 0x0 [Type: unsigned char]
[+0x2dc] UserTime : 0x2 [Type: unsigned long]
[+0x2e0] SuspendEvent [Type: _KEVENT]
[+0x2f8] ThreadListEntry [Type: _LIST_ENTRY]
[+0x308] MutantListHead [Type: _LIST_ENTRY]
[+0x318] AbEntrySummary : 0x3e [Type: unsigned char]
[+0x319] AbWaitEntryCount : 0x0 [Type: unsigned char]
[+0x31a] AbAllocationRegionCount : 0x0 [Type: unsigned char]
[+0x31b] SystemPriority : 0 [Type: char]
[+0x31c] SecureThreadCookie : 0x0 [Type: unsigned long]
[+0x320] LockEntries [Type: _KLOCK_ENTRY [6]]
[+0x560] PropagateBoostsEntry [Type: _SINGLE_LIST_ENTRY]
[+0x568] IoSelfBoostsEntry [Type: _SINGLE_LIST_ENTRY]
[+0x570] PriorityFloorCounts [Type: unsigned char [16]]
[+0x580] PriorityFloorSummary : 0x0 [Type: unsigned long]
[+0x584] AbCompletedIoBoostCount : 0 [Type: long]
[+0x588] AbCompletedIoQoSBoostCount : 0 [Type: long]
[+0x58c] KeReferenceCount : 0 [Type: short]
[+0x58e] AbOrphanedEntrySummary : 0x0 [Type: unsigned char]
[+0x58f] AbOwnedEntryCount : 0x1 [Type: unsigned char]
[+0x590] ForegroundLossTime : 0x0 [Type: unsigned long]
[+0x598] GlobalForegroundListEntry [Type: _LIST_ENTRY]
[+0x598] ForegroundDpcStackListEntry [Type: _SINGLE_LIST_ENTRY]
[+0x5a0] InGlobalForegroundList : 0x0 [Type: unsigned __int64]
[+0x5a8] ReadOperationCount : 14 [Type: __int64]
[+0x5b0] WriteOperationCount : 0 [Type: __int64]
[+0x5b8] OtherOperationCount : 256 [Type: __int64]
[+0x5c0] ReadTransferCount : 55862 [Type: __int64]
[+0x5c8] WriteTransferCount : 0 [Type: __int64]
[+0x5d0] OtherTransferCount : 3390 [Type: __int64]
[+0x5d8] QueuedScb : 0x0 [Type: _KSCB *]
[+0x5e0] ThreadTimerDelay : 0x0 [Type: unsigned long]
[+0x5e4] ThreadFlags2 : 0 [Type: long]
[+0x5e4 ( 1: 0)] PpmPolicy : 0x0 [Type: unsigned long]
[+0x5e4 (31: 2)] ThreadFlags2Reserved : 0x0 [Type: unsigned long]
[+0x5e8] SchedulerAssist : 0x0 [Type: void *]

| KTHREAD.State (+0x184) | Value | Meaning |
|---|---|---|
| Initialized | 0 | Being created and initialized |
| Ready | 1 | Ready: can be picked by the scheduler and run |
| Running | 2 | Running |
| Standby | 3 | Standby: at most one thread per CPU is in this state; it is the thread selected to run next on that processor |
| Terminated | 4 | Finished running |
| Waiting | 5 | Waiting: typically the thread called Sleep or a wait-for-object function and voluntarily gave up the CPU |
| Transition | 6 | Transition: runnable, but its kernel stack has been paged out; it becomes Ready once the stack is paged back in |
| DeferredReady | 7 | Deferred ready: to shorten the time the scheduler database locks are held, the kernel first puts a thread that became ready into this state and moves it to a ready queue later |
| GateWait | 8 | Waiting on a gate dispatcher object |
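The raw values in the two dumps above (KTHREAD.State = 0x2, ETHREAD.CrossThreadFlags = 0x5402) are only useful once decoded, and when you are looking at many ETHREADs from a memory image you do not want to do that by hand. The following Python is an added example, not code from the original post: it turns the State byte into a name using the table above and splits CrossThreadFlags into its bit-fields, using the bit positions transcribed from the `dt _ETHREAD` output on this page. Those positions are specific to that Windows build (an assumption for any other target; re-derive them with `dt` there). The security-relevant bit is HideFromDebugger, which a thread sets on itself through NtSetInformationThread(ThreadHideFromDebugger) as an anti-debugging measure and which a forensic examiner wants flagged.

```python
"""Decode raw KTHREAD.State and ETHREAD.CrossThreadFlags values.

Added example, not code from the original post. Bit positions are
transcribed from the `dt _ETHREAD` output on this page and are specific
to that Windows build: always re-derive them with `dt` on your target.
"""

# KTHREAD.State (+0x184 on this build) -> name, from the table on this page.
KTHREAD_STATES = {
    0: "Initialized",
    1: "Ready",
    2: "Running",
    3: "Standby",
    4: "Terminated",
    5: "Waiting",
    6: "Transition",
    7: "DeferredReady",
    8: "GateWait",
}

# ETHREAD.CrossThreadFlags (+0x6d0 on this build): (name, low_bit, width),
# in the order `dt` printed them. Single-bit fields have width 1.
CROSS_THREAD_FLAGS = [
    ("Terminated", 0, 1),
    ("ThreadInserted", 1, 1),
    ("HideFromDebugger", 2, 1),
    ("ActiveImpersonationInfo", 3, 1),
    ("HardErrorsAreDisabled", 4, 1),
    ("BreakOnTermination", 5, 1),
    ("SkipCreationMsg", 6, 1),
    ("SkipTerminationMsg", 7, 1),
    ("CopyTokenOnOpen", 8, 1),
    ("ThreadIoPriority", 9, 3),
    ("ThreadPagePriority", 12, 3),
    ("RundownFail", 15, 1),
    ("UmsForceQueueTermination", 16, 1),
    ("IndirectCpuSets", 17, 1),
    ("DisableDynamicCodeOptOut", 18, 1),
    ("ExplicitCaseSensitivity", 19, 1),
    ("PicoNotifyExit", 20, 1),
    ("DbgWerUserReportActive", 21, 1),
    ("ForcedSelfTrimActive", 22, 1),
    ("SamplingCoverage", 23, 1),
    ("ReservedCrossThreadFlags", 24, 8),
]


def decode_bitfields(value, layout):
    """Split a packed 32-bit value into named fields using (name, low, width)."""
    out = {}
    for name, low, width in layout:
        out[name] = (value >> low) & ((1 << width) - 1)
    return out


def encode_bitfields(fields, layout):
    """Inverse of decode_bitfields; handy for checking a transcribed layout."""
    value = 0
    for name, low, width in layout:
        v = fields.get(name, 0)
        if v >> width:
            raise ValueError(f"{name}={v} does not fit in {width} bits")
        value |= v << low
    return value


def state_name(state):
    """Map KTHREAD.State to its name; unknown values are reported, not hidden."""
    return KTHREAD_STATES.get(state, f"Unknown({state})")


def thread_flags_of_interest(cross_thread_flags):
    """Return the CrossThreadFlags bits an examiner wants per thread.

    HideFromDebugger is set via NtSetInformationThread(ThreadHideFromDebugger),
    a common anti-debugging trick; Terminated shows a thread is gone even if
    its ETHREAD is still linked into the process thread list.
    """
    f = decode_bitfields(cross_thread_flags, CROSS_THREAD_FLAGS)
    return {
        "hidden_from_debugger": bool(f["HideFromDebugger"]),
        "terminated": bool(f["Terminated"]),
        "impersonating": bool(f["ActiveImpersonationInfo"]),
        "break_on_termination": bool(f["BreakOnTermination"]),
        "io_priority": f["ThreadIoPriority"],
        "page_priority": f["ThreadPagePriority"],
    }


if __name__ == "__main__":
    # Values copied from the thread dumped on this page.
    print(state_name(0x2))
    print(thread_flags_of_interest(0x5402))
    # Hypothetical value with HideFromDebugger set, for contrast.
    print(thread_flags_of_interest(0x5402 | (1 << 2)))
```

Decoding 0x5402 reproduces what `dt` printed (ThreadInserted = 1, ThreadIoPriority = 2, ThreadPagePriority = 5, everything else 0), and `encode_bitfields` round-trips it, which is a cheap way to catch a mistranscribed bit position before trusting the decoder on a whole dump.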

You can append -y xxx to dt to print only the fields whose names begin with xxx, which saves scrolling through a structure this large:

||2:6: kd> dt _KTHREAD ffff84898fe7f480 -y State
nt!_KTHREAD
+0x060 StateSaveArea : 0xffff9789`57c1fbc0 _XSAVE_FORMAT
+0x184 State : 0x2 ''
||2:6: kd> dt _KTHREAD ffff84898fe7f480 -y Prio
nt!_KTHREAD
+0x0c3 Priority : 9 ''
+0x234 PriorityDecrement : 0 ''
+0x570 PriorityFloorCounts : [16] ""
+0x580 PriorityFloorSummary : 0

Run !ready to list every thread in the Ready state, grouped by the ready queue it sits in (a per-processor queue or a shared ready queue) and by priority:
kd> !ready
KSHARED_READY_QUEUE fffff80004f40700: (00) ------------------------------------------------------------
SharedReadyQueue fffff80004f40700: Ready Threads at priority 6
THREAD ffff84899856a700 Cid 1840.1844 Teb: 000000cd79838000 Win32Thread: 0000000000000000 READY on processor 80000002
Processor 0: Ready Threads at priority 1
THREAD ffff8489901c0040 Cid 0004.1770 Teb: 0000000000000000 Win32Thread: 0000000000000000 READY on processor 0
Processor 1: Ready Threads at priority 1
THREAD ffff8489901be040 Cid 0004.1774 Teb: 0000000000000000 Win32Thread: 0000000000000000 READY on processor 1
Processor 2: Ready Threads at priority 1
THREAD ffff8489901c1040 Cid 0004.1778 Teb: 0000000000000000 Win32Thread: 0000000000000000 READY on processor 2
Processor 3: Ready Threads at priority 1
THREAD ffff8489901c3040 Cid 0004.177c Teb: 0000000000000000 Win32Thread: 0000000000000000 READY on processor 3
KSHARED_READY_QUEUE ffffb800fd2c6700: (00) ------------------------------------------------------------
SharedReadyQueue ffffb800fd2c6700: Ready Threads at priority 9
THREAD ffff84899868e080 Cid 1294.18c4 Teb: 00000057a6edd000 Win32Thread: 0000000000000000 READY on processor 80000004
SharedReadyQueue ffffb800fd2c6700: Ready Threads at priority 8
THREAD ffff84898ed8c700 Cid 0464.0490 Teb: 0000005035ae4000 Win32Thread: 0000000000000000 READY on processor 80000006
THREAD ffff84898ede6700 Cid 0008.1680 Teb: 0000003a49dea000 Win32Thread: 0000000000000000 READY on processor 80000006
THREAD ffff84898fe22080 Cid 0398.14a8 Teb: 0000000576742000 Win32Thread: 0000000000000000 READY on processor 80000007
THREAD ffff84898fe29080 Cid 0398.14ac Teb: 0000000576744000 Win32Thread: 0000000000000000 READY on processor 80000006
THREAD ffff848998694080 Cid 17b0.18c8 Teb: 00000089fc435000 Win32Thread: 0000000000000000 READY on processor 80000007
THREAD ffff84898f88e080 Cid 0c88.0d24 Teb: 0000002ae76ba000 Win32Thread: 0000000000000000 READY on processor 80000005
THREAD ffff848998691080 Cid 0008.18d0 Teb: 0000003a49dfa000 Win32Thread: 0000000000000000 READY on processor 80000007
THREAD ffff84898fe52080 Cid 12a8.14e0 Teb: 0000000002fac000 Win32Thread: ffff84898fcb8990 READY on processor 80000007
THREAD ffff84898f30e080 Cid 0814.0b78 Teb: 00000013fedcb000 Win32Thread: 0000000000000000 READY on processor 80000007
THREAD ffff84898f03e040 Cid 0814.085c Teb: 00000013fedc3000 Win32Thread: 0000000000000000 READY on processor 80000006
THREAD ffff84898f1e8540 Cid 0814.0a84 Teb: 00000013fedc9000 Win32Thread: 0000000000000000 READY on processor 80000005
THREAD ffff84898eef6640 Cid 0398.068c Teb: 0000000576712000 Win32Thread: 0000000000000000 READY on processor 80000005
THREAD ffff84898fe05680 Cid 0398.1484 Teb: 000000057673c000 Win32Thread: 0000000000000000 READY on processor 80000007
THREAD ffff848998683080 Cid 0464.18e0 Teb: 0000005035b0c000 Win32Thread: 0000000000000000 READY on processor 80000004
THREAD ffff848982b58040 Cid 0004.01d8 Teb: 0000000000000000 Win32Thread: 0000000000000000 READY on processor 80000005
THREAD ffff84898f1aa480 Cid 0a98.0ac0 Teb: 000000b5c3166000 Win32Thread: 0000000000000000 READY on processor 80000005
THREAD ffff84898f260700 Cid 0a98.0ad8 Teb: 000000b5c316e000 Win32Thread: 0000000000000000 READY on processor 80000005
THREAD ffff84898fcbd700 Cid 0398.11f4 Teb: 0000000576732000 Win32Thread: 0000000000000000 READY on processor 80000004
THREAD ffff84898ee4a040 Cid 0398.0560 Teb: 000000057670a000 Win32Thread: 0000000000000000 READY on processor 80000006
THREAD ffff84898fd0b080 Cid 0398.13a0 Teb: 000000057672c000 Win32Thread: 0000000000000000 READY on processor 80000007
THREAD ffff84898fd86440 Cid 0398.1418 Teb: 0000000576734000 Win32Thread: 0000000000000000 READY on processor 80000006
THREAD ffff848988baa040 Cid 0004.0244 Teb: 0000000000000000 Win32Thread: 0000000000000000 READY on processor 80000004
SharedReadyQueue ffffb800fd2c6700: Ready Threads at priority 7
THREAD ffff84898f332700 Cid 0a10.0a18 Teb: 000000da16152000 Win32Thread: 0000000000000000 READY on processor 80000007
THREAD ffff84898ffd7080 Cid 1728.172c Teb: 0000008d078a7000 Win32Thread: ffff84898fca9050 READY on processor 80000004
THREAD ffff848998547700 Cid 1294.1810 Teb: 00000057a6ecf000 Win32Thread: 0000000000000000 READY on processor 80000006
SharedReadyQueue ffffb800fd2c6700: Ready Threads at priority 6
THREAD ffff84898fbcc080 Cid 11e8.11ec Teb: 000000d397d31000 Win32Thread: 0000000000000000 READY on processor 80000005
SharedReadyQueue ffffb800fd2c6700: Ready Threads at priority 0
THREAD ffff8489820cb040 Cid 0004.0050 Teb: 0000000000000000 Win32Thread: 0000000000000000 READY on processor 80000007
Processor 4: Ready Threads at priority 1
THREAD ffff8489901c2040 Cid 0004.1780 Teb: 0000000000000000 Win32Thread: 0000000000000000 READY on processor 4
Processor 5: Ready Threads at priority 1
THREAD ffff8489901c5040 Cid 0004.1784 Teb: 0000000000000000 Win32Thread: 0000000000000000 READY on processor 5
Processor 6: Ready Threads at priority 1
THREAD ffff8489901c7040 Cid 0004.1788 Teb: 0000000000000000 Win32Thread: 0000000000000000 READY on processor 6
Processor 7: Ready Threads at priority 1
THREAD ffff8489901c6040 Cid 0004.178c Teb: 0000000000000000 Win32Thread: 0000000000000000 READY on processor 7
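On a real dump the !ready listing runs to hundreds of lines, and the questions you want answered (which processes own the runnable threads, what is the highest-priority thread waiting for a CPU, which ready threads are kernel threads) are easier to answer from parsed records. The parser below is an added example, not code from the original post. Its sample input is constructed from lines of the !ready dump above, and the regular expressions match the line layout printed on that build (an assumption for other debugger versions; adjust them if the format differs). The high bit of the "processor" field is set only for shared-queue entries in the output above; the code keeps it as a separate flag without claiming what the kernel means by it.

```python
"""Parse WinDbg `!ready` output into records and summarise the ready queues.

Added example, not code from the original post. SAMPLE_READY_OUTPUT is
constructed from lines of the !ready dump on this page; the regular
expressions match the layout that build printed, so re-check them if your
debugger version formats the lines differently.
"""
import re
from collections import Counter

# Constructed sample: a subset of the !ready lines shown on this page.
SAMPLE_READY_OUTPUT = """\
KSHARED_READY_QUEUE fffff80004f40700: (00) ------------------------------------------------------------
SharedReadyQueue fffff80004f40700: Ready Threads at priority 6
THREAD ffff84899856a700 Cid 1840.1844 Teb: 000000cd79838000 Win32Thread: 0000000000000000 READY on processor 80000002
Processor 0: Ready Threads at priority 1
THREAD ffff8489901c0040 Cid 0004.1770 Teb: 0000000000000000 Win32Thread: 0000000000000000 READY on processor 0
KSHARED_READY_QUEUE ffffb800fd2c6700: (00) ------------------------------------------------------------
SharedReadyQueue ffffb800fd2c6700: Ready Threads at priority 9
THREAD ffff84899868e080 Cid 1294.18c4 Teb: 00000057a6edd000 Win32Thread: 0000000000000000 READY on processor 80000004
SharedReadyQueue ffffb800fd2c6700: Ready Threads at priority 8
THREAD ffff84898ed8c700 Cid 0464.0490 Teb: 0000005035ae4000 Win32Thread: 0000000000000000 READY on processor 80000006
THREAD ffff84898fe22080 Cid 0398.14a8 Teb: 0000000576742000 Win32Thread: 0000000000000000 READY on processor 80000007
THREAD ffff84898fe29080 Cid 0398.14ac Teb: 0000000576744000 Win32Thread: 0000000000000000 READY on processor 80000006
THREAD ffff84898fe52080 Cid 12a8.14e0 Teb: 0000000002fac000 Win32Thread: ffff84898fcb8990 READY on processor 80000007
Processor 4: Ready Threads at priority 1
THREAD ffff8489901c2040 Cid 0004.1780 Teb: 0000000000000000 Win32Thread: 0000000000000000 READY on processor 4
"""

# A queue header is either "SharedReadyQueue <addr>: ..." or "Processor <n>: ...".
QUEUE_RE = re.compile(
    r"^(?:(SharedReadyQueue)\s+([0-9a-f]+)|(Processor)\s+(\d+)):\s+Ready Threads at priority (\d+)$"
)
THREAD_RE = re.compile(
    r"^\s*THREAD\s+([0-9a-f]+)\s+Cid\s+([0-9a-f]+)\.([0-9a-f]+)\s+Teb:\s+([0-9a-f]+)"
    r"\s+Win32Thread:\s+([0-9a-f]+)\s+READY on processor\s+([0-9a-f]+)$"
)


def parse_ready(text):
    """Yield one dict per THREAD line, tagged with the queue header above it."""
    queue = None
    for line in text.splitlines():
        m = QUEUE_RE.match(line)
        if m:
            if m.group(1):
                queue = {"kind": "shared", "queue": int(m.group(2), 16), "priority": int(m.group(5))}
            else:
                queue = {"kind": "processor", "queue": int(m.group(4)), "priority": int(m.group(5))}
            continue
        m = THREAD_RE.match(line)
        if m and queue is not None:
            proc_field = int(m.group(6), 16)
            yield {
                **queue,
                "thread": int(m.group(1), 16),
                "pid": int(m.group(2), 16),
                "tid": int(m.group(3), 16),
                "teb": int(m.group(4), 16),
                "win32thread": int(m.group(5), 16),
                # Low bits are the processor number. The page's output shows the high
                # bit set only for shared-queue entries; keep it as a flag (assumption:
                # the page does not document its exact meaning).
                "processor": proc_field & 0x7FFFFFFF,
                "processor_flag": bool(proc_field & 0x80000000),
                # Kernel threads have no user-mode TEB; that is how System (pid 4) shows up.
                "kernel_thread": int(m.group(4), 16) == 0,
                # A non-zero Win32Thread means the thread has called into win32k (GUI thread).
                "gui_thread": int(m.group(5), 16) != 0,
            }


def ready_tids_of(records, pid):
    """Thread ids of the given process that are currently sitting in a ready queue."""
    return sorted(r["tid"] for r in records if r["pid"] == pid)


def summarize(records):
    """Ready-thread counts per priority and per process, plus the top runnable thread."""
    records = list(records)
    per_priority = Counter(r["priority"] for r in records)
    per_pid = Counter(r["pid"] for r in records)
    top = max(records, key=lambda r: r["priority"], default=None)
    return {
        "total": len(records),
        "per_priority": dict(sorted(per_priority.items(), reverse=True)),
        "per_pid": dict(per_pid.most_common()),
        "highest_priority_thread": top,
    }


if __name__ == "__main__":
    recs = list(parse_ready(SAMPLE_READY_OUTPUT))
    print(summarize(recs))
    print([hex(t) for t in ready_tids_of(recs, 0x398)])
```

On the sample this reports 8 ready threads, four of them at priority 8, with the priority-9 thread of process 0x1294 as the next candidate for a CPU; the two pid 4 entries are kernel threads (TEB 0) on per-processor queues. Pipe the full !ready output of a dump through the same functions to see which process is saturating the ready queues.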

Thread state transition diagram (the numbers are the KTHREAD.State values from the table above):

```mermaid
graph LR
  S0["Initialized (0)"] --> S7["DeferredReady (7)"]
  S7 --> S1["Ready (1)"]
  S7 --> S2["Running (2)"]
  S1 --> S2
  S2 --> S4["Terminated (4)"]
  S2 -->|voluntarily waits| S5["Waiting (5)"]
  S2 -->|quantum expired| S7
  S5 --> S2
  S5 --> S7
  S5 --> S6["Transition (6)"]
  S6 --> S7
  S3["Standby (3)"] -->|preempted| S7
  S3 --> S2
```
posted @ 2022-06-23 00:01 mooooonlight