Process and thread data structures:
1. Executive process block (EPROCESS)
A driver obtains a pointer to the current process's executive process block by calling PsGetCurrentProcess. EPROCESS is an opaque structure whose layout changes between Windows builds, so field offsets should be read from the kernel symbols (as the `dt` output below does) rather than hard-coded.
kd> dt nt!_EPROCESS
Pcb _KPROCESS
ProcessLock
CreateTime
ExitTime
RundownProtect
UniqueProcessId Ptr32 Void
ActiveProcessLinks
QuotaUsage
QuotaPeak
CommitCharge
PeakVirtualSize
VirtualSize
SessionProcessLinks
DebugPort
ExceptionPort
ObjectTable Ptr32 _HANDLE_TABLE
Token _EXFAST_REF
WorkingSetLock _FAST_MUTEX
WorkingSetPage
AddressCreationLock _FAST_MUTEX
HyperSpaceLock
ForkInProgress
HardwareTrigger
VadRoot
VadHint
CloneRoot
NumberOfPrivatePages
NumberOfLockedPages
Win32Process Ptr32 Void
Job Ptr32 _EJOB
SectionObject
SectionBaseAddress Ptr32 Void
QuotaBlock
WorkingSetWatch
Win32WindowStation
InheritedFromUniqueProcessId
LdtInformation
VadFreeHint
VdmObjects
DeviceMap
PhysicalVadList _LIST_ENTRY
PageDirectoryPte
Filler
Session Ptr32 Void
ImageFileName [16] UChar
JobLinks
LockedPagesList
ThreadListHead _LIST_ENTRY
SecurityPort
PaeTop
ActiveThreads
GrantedAccess
DefaultHardErrorProcessing
LastThreadExitStatus
Peb Ptr32 _PEB
PrefetchTrace
ReadOperationCount
WriteOperationCount
OtherOperationCount
ReadTransferCount
WriteTransferCount
OtherTransferCount
CommitChargeLimit
CommitChargePeak
AweInfo
SeAuditProcessCreationInfo _SE_AUDIT_PROCESS_CREATION_INFO
Vm _MMSUPPORT
LastFaultCount
ModifiedPageCount
NumberOfVads
JobStatus
Flags
CreateReported
NoDebugInherit
ProcessExiting
ProcessDelete
Wow64SplitPages
VmDeleted
OutswapEnabled
Outswapped
ForkFailed
HasPhysicalVad
AddressSpaceInitialized
SetTimerResolution
BreakOnTermination
SessionCreationUnderway
WriteWatch
ProcessInSession
OverrideAddressSpace
HasAddressSpace
LaunchPrefetched
InjectInpageErrors
VmTopDown
Unused3
Unused4
VdmAllowed
Unused
Unused1
Unused2
ExitStatus
NextPageColor
SubSystemMinorVersion
SubSystemMajorVersion
SubSystemVersion
PriorityClass
WorkingSetAcquiredUnsafe
Cookie
2. Kernel process block (KPROCESS)
kd> dt nt!_KPROCESS
Header _DISPATCHER_HEADER
ProfileListHead _LIST_ENTRY
DirectoryTableBase
LdtDescriptor _KGDTENTRY
Int21Descriptor _KIDTENTRY
IopmOffset
Iopl
Unused
ActiveProcessors
KernelTime Uint4B
UserTime Uint4B
ReadyListHead _LIST_ENTRY
SwapListEntry _SINGLE_LIST_ENTRY
VdmTrapcHandler
ThreadListHead _LIST_ENTRY
ProcessLock
Affinity Uint4B
StackCount
BasePriority
ThreadQuantum
AutoAlignment
State
ThreadSeed
DisableBoost
PowerState
DisableQuantum
IdealNode
Flags _KEXECUTE_OPTIONS
ExecuteOptions
3. Executive thread block (ETHREAD)
A driver obtains a pointer to the current thread's executive thread block by calling PsGetCurrentThread. Like EPROCESS, the structure is opaque and build-specific; the `ThreadsProcess` field points back to the owning EPROCESS, and `ThreadListEntry` links the thread into that process's `ThreadListHead` list.
kd> dt nt!_ethread
Tcb _KTHREAD
CreateTime _LARGE_INTEGER
NestedFaultCount
ApcNeeded
ExitTime _LARGE_INTEGER
LpcReplyChain
KeyedWaitChain
ExitStatus
OfsChain
PostBlockList
TerminationPort
ReaperLink
KeyedWaitValue
ActiveTimerListLock
ActiveTimerListHead _LIST_ENTRY
Cid _CLIENT_ID
LpcReplySemaphore
KeyedWaitSemaphore
LpcReplyMessage
LpcWaitingOnPort
ImpersonationInfo Ptr32 _PS_IMPERSONATION_INFORMATION
IrpList _LIST_ENTRY
TopLevelIrp
DeviceToVerify
ThreadsProcess
StartAddress Ptr32 Void
Win32StartAddress
LpcReceivedMessageId Uint4B
ThreadListEntry _LIST_ENTRY
RundownProtect _EX_RUNDOWN_REF
ThreadLock _EX_PUSH_LOCK
LpcReplyMessageId
ReadClusterSize
GrantedAccess
CrossThreadFlags
Terminated
DeadThread
HideFromDebugger
ActiveImpersonationInfo
SystemThread
HardErrorsAreDisabled
BreakOnTermination
SkipCreationMsg
SkipTerminationMsg
SameThreadPassiveFlags
ActiveExWorker
ExWorkerCanWaitUser
MemoryMaker
SameThreadApcFlags
LpcReceivedMsgIdValid
LpcExitThreadCalled
AddressSpaceOwner
ForwardClusterOnly
DisablePageFaultClustering
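Added example (written for this page; it is not part of the original `dt` dump nor Microsoft code): a user-mode C model of how the fields listed above tie the blocks together. It assumes cut-down EPROCESS and ETHREAD layouts that keep only the fields it touches (UniqueProcessId, ActiveProcessLinks, ImageFileName, ThreadListHead; ThreadsProcess, ThreadListEntry), a constructed three-process sample system, and the kernel's LIST_ENTRY / CONTAINING_RECORD idiom; all function names are hypothetical. It walks ActiveProcessLinks the way `!process 0 0` does, walks one process's ThreadListHead, and runs the cross-view check that notices an EPROCESS that has been unlinked from ActiveProcessLinks while its threads remain attached to it.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Reduced LIST_ENTRY and the CONTAINING_RECORD macro from the kernel headers. */
typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;
#define CONTAINING_RECORD(addr, type, field) \
    ((type *)((char *)(addr) - offsetof(type, field)))

/* Hypothetical cut-down layouts: only the fields this demo touches, in the
 * order the page lists them. Real offsets come from `dt nt!_EPROCESS` on the
 * target build and differ between Windows versions. */
typedef struct _EPROCESS {
    void      *UniqueProcessId;     /* PID */
    LIST_ENTRY ActiveProcessLinks;  /* entry in the PsActiveProcessHead list */
    char       ImageFileName[16];   /* first 15 bytes of the image name */
    LIST_ENTRY ThreadListHead;      /* head of this process's thread list */
} EPROCESS;

typedef struct _ETHREAD {
    void      *UniqueThread;        /* Cid.UniqueThread */
    EPROCESS  *ThreadsProcess;      /* owning process */
    LIST_ENTRY ThreadListEntry;     /* entry in EPROCESS.ThreadListHead */
} ETHREAD;

static void InitializeListHead(LIST_ENTRY *h) { h->Flink = h->Blink = h; }
static void InsertTailList(LIST_ENTRY *h, LIST_ENTRY *e) {
    e->Flink = h; e->Blink = h->Blink; h->Blink->Flink = e; h->Blink = e;
}
static void RemoveEntryList(LIST_ENTRY *e) {
    e->Blink->Flink = e->Flink; e->Flink->Blink = e->Blink; e->Flink = e->Blink = e;
}

/* Constructed sample system: three processes, five threads. */
#define NPROC 3
#define NTHR  5
static LIST_ENTRY PsActiveProcessHead;
static EPROCESS   g_proc[NPROC];
static ETHREAD    g_thr[NTHR];

void BuildSample(void) {
    static const char *names[NPROC] = { "System", "csrss.exe", "lsass.exe" };
    static const int   owner[NTHR]  = { 0, 0, 1, 2, 2 };   /* thread -> process index */
    InitializeListHead(&PsActiveProcessHead);
    for (int i = 0; i < NPROC; i++) {
        memset(&g_proc[i], 0, sizeof g_proc[i]);
        g_proc[i].UniqueProcessId = (void *)(uintptr_t)(4 * (i + 1));
        strncpy(g_proc[i].ImageFileName, names[i], 15);
        InitializeListHead(&g_proc[i].ThreadListHead);
        InsertTailList(&PsActiveProcessHead, &g_proc[i].ActiveProcessLinks);
    }
    for (int i = 0; i < NTHR; i++) {
        g_thr[i].UniqueThread   = (void *)(uintptr_t)(100 + i);
        g_thr[i].ThreadsProcess = &g_proc[owner[i]];
        InsertTailList(&g_proc[owner[i]].ThreadListHead, &g_thr[i].ThreadListEntry);
    }
}

/* Walk ActiveProcessLinks the way `!process 0 0` and most enumeration tools do:
 * each LIST_ENTRY is mapped back to its EPROCESS with CONTAINING_RECORD. */
EPROCESS *FindProcessByName(const char *name) {
    for (LIST_ENTRY *e = PsActiveProcessHead.Flink; e != &PsActiveProcessHead; e = e->Flink) {
        EPROCESS *p = CONTAINING_RECORD(e, EPROCESS, ActiveProcessLinks);
        if (strncmp(p->ImageFileName, name, 15) == 0) return p;
    }
    return NULL;
}

int CountActiveProcesses(void) {
    int n = 0;
    for (LIST_ENTRY *e = PsActiveProcessHead.Flink; e != &PsActiveProcessHead; e = e->Flink) n++;
    return n;
}

/* Walk the per-process thread list: ETHREAD.ThreadListEntry -> ETHREAD. */
int CountThreads(const EPROCESS *p) {
    int n = 0;
    for (LIST_ENTRY *e = p->ThreadListHead.Flink; e != &p->ThreadListHead; e = e->Flink) {
        ETHREAD *t = CONTAINING_RECORD(e, ETHREAD, ThreadListEntry);
        if (t->ThreadsProcess == p) n++;   /* sanity: back-pointer agrees with the list */
    }
    return n;
}

/* Cross-view check: every thread's ThreadsProcess must be reachable through
 * ActiveProcessLinks. An EPROCESS unlinked from that list (the classic DKOM
 * hiding trick) keeps its threads, so they show up here as orphans. */
int CountOrphanedThreads(void) {
    int orphans = 0;
    for (int i = 0; i < NTHR; i++) {
        const EPROCESS *owner = g_thr[i].ThreadsProcess;
        int found = 0;
        for (LIST_ENTRY *e = PsActiveProcessHead.Flink; e != &PsActiveProcessHead; e = e->Flink)
            if (CONTAINING_RECORD(e, EPROCESS, ActiveProcessLinks) == owner) { found = 1; break; }
        if (!found) orphans++;
    }
    return orphans;
}

void UnlinkFromActiveProcessLinks(EPROCESS *p) { RemoveEntryList(&p->ActiveProcessLinks); }

/* Scenarios: a clean sample system, then the same system with csrss.exe unlinked. */
int OrphansOnCleanSystem(void) { BuildSample(); return CountOrphanedThreads(); }
int OrphansAfterHidingCsrss(void) {
    BuildSample();
    UnlinkFromActiveProcessLinks(FindProcessByName("csrss.exe"));
    return CountOrphanedThreads();
}
```

On a real target the same walk starts at the exported `PsActiveProcessHead` symbol and uses the offsets shown by `dt nt!_EPROCESS ActiveProcessLinks` / `dt nt!_ETHREAD ThreadListEntry` for that build; the point of the cross-view function is that a list walk alone trusts the very pointers an attacker with kernel write access can edit, so a second path to the same objects (here, the threads' back-pointers) is what exposes the discrepancy.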
4. Kernel thread block (KTHREAD)
kd> dt nt!_KTHREAD
Header _DISPATCHER_HEADER
MutantListHead _LIST_ENTRY
InitialStack Ptr32 Void
StackLimit Ptr32 Void
Teb Ptr32 Void
TlsArray
KernelStack
DebugActive
State
Alerted
Iopl
NpxState
Saturation
Priority
ApcState
ContextSwitches
IdleSwapBlock
Spare0
WaitStatus
WaitIrql
WaitMode
WaitNext
WaitReason
WaitBlockList
WaitListEntry _LIST_ENTRY
SwapListEntry
WaitTime
BasePriority
DecrementCount
PriorityDecrement
Quantum
WaitBlock [4] _KWAIT_BLOCK
LegoData
KernelApcDisable
UserAffinity
SystemAffinityActive
PowerState
NpxIrql
InitialNode
ServiceTable
Queue Ptr32 _KQUEUE
ApcQueueLock
Timer _KTIMER
QueueListEntry _LIST_ENTRY
SoftAffinity
Affinity
Preempted
ProcessReadyQueue
KernelStackResident
NextProcessor
CallbackStack
Win32Thread
TrapFrame
ApcStatePointer
PreviousMode
KernelTime
UserTime
SavedApcState
Alertable
ApcStateIndex
ApcQueueable
AutoAlignment
StackBase
SuspendApc _KAPC
SuspendSemaphore _KSEMAPHORE
ThreadListEntry _LIST_ENTRY
FreezeCount
SuspendCount
IdealProcessor
DisableBoost