Enumerating worker threads
ExWorkerQueue is a global array, one entry per queue type, and there are three types in total:
typedef enum _WORK_QUEUE_TYPE {
CriticalWorkQueue,
DelayedWorkQueue,
HyperCriticalWorkQueue,
MaximumWorkQueue
} WORK_QUEUE_TYPE;
kd> dt _KQUEUE 80565820
nt!_KQUEUE
+0x000 Header : _DISPATCHER_HEADER
+0x010 EntryListHead : _LIST_ENTRY [ 0x80565830 - 0x80565830 ]
+0x018 CurrentCount : 0
+0x01c MaximumCount : 1
+0x020 ThreadListHead : _LIST_ENTRY [ 0x821b6e38 - 0x821b6458 ]
ThreadListHead is the list of worker threads of this type, linked through nt!_KTHREAD.QueueListEntry.
When actually enumerating, a kernel thread whose BasePriority is in the range 13 to 15 is one of the three worker thread types above, respectively.
The question is how to obtain the WorkerRoutine; take a look at a worker thread's kernel stack:
kd> dds f8ad1d10 l 100
f8ad1d10 f8ad1dcc
f8ad1d14 00000246
f8ad1d18 80546a1b nt!KiSwapContext+0x2f
f8ad1d1c f8ad1d60
f8ad1d20 821b6aa8
f8ad1d24 ffdff120
f8ad1d28 821b6b08
f8ad1d2c 80504850 nt!KiSwapThread+0x8a
f8ad1d30 821b6b60
f8ad1d34 821b6aa8
f8ad1d38 804fba43 nt!KeDelayExecutionThread+0x1c9
f8ad1d3c f8afdc6c
f8ad1d40 80565820 nt!ExWorkerQueue
f8ad1d44 821b6aa8
f8ad1d48 d3f106e8
f8ad1d4c 00000005
f8ad1d50 821fcd60
f8ad1d54 80565820 nt!ExWorkerQueue
f8ad1d58 f8ad1d74
f8ad1d5c 00000000
f8ad1d60 f8ad1d7c
f8ad1d64 f89d3034 Iocode!Worker+0x24 [e:\work\mysimpledriver\fristdriver.cpp @ 269]
f8ad1d68 00000000
f8ad1d6c 00000001
f8ad1d70 f8ad1d74
f8ad1d74 fd050f80
f8ad1d78 ffffffff
f8ad1d7c f8ad1dac
f8ad1d80 805397cb nt!ExpWorkerThread+0xef
f8ad1d84 00000000
f8ad1d88 00000000
f8ad1d8c 821b6aa8
f8ad1d90 00000000
f8ad1d94 00000000
f8ad1d98 00000000
f8ad1d9c 00000001
f8ad1da0 821b6aa8
f8ad1da4 00000000
f8ad1da8 f89d3010 Iocode!Worker [e:\work\mysimpledriver\fristdriver.cpp @ 263]
f8ad1dac f8ad1ddc
f8ad1db0 805d0fa8 nt!PspSystemThreadStartup+0x34
This is the worker thread's start function, ExpWorkerThread. In this function,
ASSERT ((ULONG_PTR)WorkerRoutine > MmUserProbeAddress);
((PWORKER_THREAD_ROUTINE)WorkerRoutine) (Parameter);
the assembly is:
.text:00461775 89 45 FC mov [ebp-4], eax
.text:00461778 89 4D 08 mov [ebp+8], ecx
.text:0046177B FF D0 call eax ; Indirect Call Near Procedure
So just walk back up the worker thread's kernel stack and locate this local variable: the frame that returns into ExpWorkerThread gives you ExpWorkerThread's ebp, and [ebp-4] in that frame is the WorkerRoutine.
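The stack walk described above, as an added example that is not part of the original post: the captured stack is constructed from the dds output above, the starting frame pointer 0xf8ad1d60 is the saved ebp visible at f8ad1d1c, ExpWorkerThread's start is derived as 0x805397cb - 0xef, and the 0x200-byte size bound for ExpWorkerThread is an assumption.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: the frames of the worker thread's kernel stack from the
 * dds output above, as (address, DWORD) pairs. x86 frame layout: [ebp] = saved
 * ebp of the caller, [ebp+4] = return address into the caller. */
typedef struct { uint32_t addr, val; } stack_word_t;
static const stack_word_t g_stack[] = {
    {0xf8ad1d60, 0xf8ad1d7c}, {0xf8ad1d64, 0xf89d3034}, /* ret: Iocode!Worker+0x24 */
    {0xf8ad1d68, 0x00000000}, {0xf8ad1d6c, 0x00000001}, {0xf8ad1d70, 0xf8ad1d74},
    {0xf8ad1d74, 0xfd050f80}, {0xf8ad1d78, 0xffffffff},
    {0xf8ad1d7c, 0xf8ad1dac}, {0xf8ad1d80, 0x805397cb}, /* ret: nt!ExpWorkerThread+0xef */
    {0xf8ad1d84, 0}, {0xf8ad1d88, 0}, {0xf8ad1d8c, 0x821b6aa8}, {0xf8ad1d90, 0},
    {0xf8ad1d94, 0}, {0xf8ad1d98, 0}, {0xf8ad1d9c, 1}, {0xf8ad1da0, 0x821b6aa8},
    {0xf8ad1da4, 0}, {0xf8ad1da8, 0xf89d3010}, /* ExpWorkerThread's [ebp-4] = WorkerRoutine */
    {0xf8ad1dac, 0xf8ad1ddc}, {0xf8ad1db0, 0x805d0fa8}, /* ret: nt!PspSystemThreadStartup+0x34 */
};

/* Read one DWORD from the captured stack; returns 0 if the address was not captured. */
static int read32(uint32_t addr, uint32_t *out) {
    for (size_t i = 0; i < sizeof g_stack / sizeof g_stack[0]; i++)
        if (g_stack[i].addr == addr) { *out = g_stack[i].val; return 1; }
    return 0;
}

/* Walk the EBP chain from `ebp` until a frame's return address lies inside
 * ExpWorkerThread; that frame's saved ebp is ExpWorkerThread's own ebp, and
 * [ebp-4] there is the WorkerRoutine local shown in the assembly above. Returns 1
 * with *routine set, or 0 if the chain ends, goes backwards, or leaves the capture. */
int find_worker_routine(uint32_t ebp, uint32_t exp_worker_start,
                        uint32_t exp_worker_size, uint32_t *routine) {
    for (int depth = 0; depth < 64; depth++) {
        uint32_t saved_ebp, ret;
        if (!read32(ebp, &saved_ebp) || !read32(ebp + 4, &ret)) return 0;
        if (ret - exp_worker_start < exp_worker_size)     /* returns into ExpWorkerThread */
            return read32(saved_ebp - 4, routine);
        if (saved_ebp <= ebp) return 0;                   /* frames must move up the stack */
        ebp = saved_ebp;
    }
    return 0;
}

int main(void) {
    uint32_t routine = 0;
    /* ExpWorkerThread start = 0x805397cb - 0xef (from the dump); 0x200 is an assumed size bound. */
    if (find_worker_routine(0xf8ad1d60, 0x805397cb - 0xef, 0x200, &routine))
        printf("WorkerRoutine = 0x%08x\n", routine);   /* 0xf89d3010 = Iocode!Worker */
    return 0;
}
```

In a live enumeration the same walk is applied to each thread found through ExWorkerQueue[i].ThreadListHead, starting from the ebp saved in that thread's switch frame, and the recovered routine is compared against the loaded module list to spot work items whose code lives outside any known image.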
Comparing the results with PT, they are not exactly the same because of the time difference; iocode.sys is something I put together with a few infinite loops.
Thanks to ithurricane!
Let's follow each other, @Retme = =
Category: Kernel