Windows Internals: Reading Notes

System Architecture

Kernel Processor Control Region (KPCR)

It contains the interrupt dispatch table (IDT), the task state segment (TSS), the global descriptor table (GDT), the interrupt controller state, and so on.

It also contains the Kernel Processor Control Block (KPRCB), which holds processor-related statistics.

dt nt!_KPCR @$pcr #view the KPCR contents
!pcr #view the KPCR contents
!prcb #view the KPRCB of processor 0 (the default)
!prcb 2 #view the KPRCB of processor 2
!prcbkernel #view the KPRCB contents
dt nt!_KPRCB fffff80004b97180 MHz #view the processor frequency

Example:

0: kd> dt nt!_KPCR
+0x000 NtTib : _NT_TIB
+0x000 GdtBase : Ptr64 _KGDTENTRY64
+0x008 TssBase : Ptr64 _KTSS64
+0x010 UserRsp : Uint8B
+0x018 Self : Ptr64 _KPCR
+0x020 CurrentPrcb : Ptr64 _KPRCB
+0x028 LockArray : Ptr64 _KSPIN_LOCK_QUEUE
+0x030 Used_Self : Ptr64 Void
+0x038 IdtBase : Ptr64 _KIDTENTRY64
+0x040 Unused : [2] Uint8B
+0x050 Irql : UChar
+0x051 SecondLevelCacheAssociativity : UChar
+0x052 ObsoleteNumber : UChar
+0x053 Fill0 : UChar
+0x054 Unused0 : [3] Uint4B
+0x060 MajorVersion : Uint2B
+0x062 MinorVersion : Uint2B
+0x064 StallScaleFactor : Uint4B
+0x068 Unused1 : [3] Ptr64 Void
+0x080 KernelReserved : [15] Uint4B
+0x0bc SecondLevelCacheSize : Uint4B
+0x0c0 HalReserved : [16] Uint4B
+0x100 Unused2 : Uint4B
+0x108 KdVersionBlock : Ptr64 Void
+0x110 Unused3 : Ptr64 Void
+0x118 PcrAlign1 : [24] Uint4B
+0x180 Prcb : _KPRCB
0: kd> dt nt!_KPCR @$pcr
+0x000 NtTib : _NT_TIB
+0x000 GdtBase : 0xfffff800`08275fb0 _KGDTENTRY64
+0x008 TssBase : 0xfffff800`08274000 _KTSS64
+0x010 UserRsp : 0x00000060`a88ff2a8
+0x018 Self : 0xfffff800`04b97000 _KPCR
+0x020 CurrentPrcb : 0xfffff800`04b97180 _KPRCB
+0x028 LockArray : 0xfffff800`04b97870 _KSPIN_LOCK_QUEUE
+0x030 Used_Self : 0x00000060`a8617000 Void
+0x038 IdtBase : 0xfffff800`08273000 _KIDTENTRY64
+0x040 Unused : [2] 0
+0x050 Irql : 0 ''
+0x051 SecondLevelCacheAssociativity : 0xc ''
+0x052 ObsoleteNumber : 0 ''
+0x053 Fill0 : 0 ''
+0x054 Unused0 : [3] 0
+0x060 MajorVersion : 1
+0x062 MinorVersion : 1
+0x064 StallScaleFactor : 0x973
+0x068 Unused1 : [3] (null)
+0x080 KernelReserved : [15] 0
+0x0bc SecondLevelCacheSize : 0x2400000
+0x0c0 HalReserved : [16] 0x90321000
+0x100 Unused2 : 0
+0x108 KdVersionBlock : (null)
+0x110 Unused3 : (null)
+0x118 PcrAlign1 : [24] 0
+0x180 Prcb : _KPRCB
0: kd> !prcb
PRCB for Processor 0 at fffff80004b97180:
Current IRQL -- 13
Threads-- Current fffff8000652b600 Next 0000000000000000 Idle fffff8000652b600
Processor Index 0 Number (0, 0) GroupSetMember 1
Interrupt Count -- 00018914
Times -- Dpc 00000018 Interrupt 0000000b
Kernel 00000789 User 0000009b
0: kd> dt nt!_KPRCB fffff80004b97180 MHz
+0x044 MHz : 0x973
0: kd> ? 0x973
Evaluate expression: 2419 = 00000000`00000973 #around 2.4 GHz??

Processes and Jobs

EPROCESS, KPROCESS, PEB

Every process object has an EPROCESS structure. To view it:

0: kd> dt nt!_EPROCESS
+0x000 Pcb : _KPROCESS
+0x438 ProcessLock : _EX_PUSH_LOCK
+0x440 UniqueProcessId : Ptr64 Void
+0x448 ActiveProcessLinks : _LIST_ENTRY
+0x458 RundownProtect : _EX_RUNDOWN_REF
+0x460 Flags2 : Uint4B
+0x460 JobNotReallyActive : Pos 0, 1 Bit
+0x460 AccountingFolded : Pos 1, 1 Bit
+0x460 NewProcessReported : Pos 2, 1 Bit
+0x460 ExitProcessReported : Pos 3, 1 Bit
+0x460 ReportCommitChanges : Pos 4, 1 Bit
+0x460 LastReportMemory : Pos 5, 1 Bit
+0x460 ForceWakeCharge : Pos 6, 1 Bit
+0x460 CrossSessionCreate : Pos 7, 1 Bit
+0x460 NeedsHandleRundown : Pos 8, 1 Bit
+0x460 RefTraceEnabled : Pos 9, 1 Bit
+0x460 PicoCreated : Pos 10, 1 Bit
+0x460 EmptyJobEvaluated : Pos 11, 1 Bit
+0x460 DefaultPagePriority : Pos 12, 3 Bits
+0x460 PrimaryTokenFrozen : Pos 15, 1 Bit
+0x460 ProcessVerifierTarget : Pos 16, 1 Bit
+0x460 RestrictSetThreadContext : Pos 17, 1 Bit
+0x460 AffinityPermanent : Pos 18, 1 Bit
+0x460 AffinityUpdateEnable : Pos 19, 1 Bit
+0x460 PropagateNode : Pos 20, 1 Bit
+0x460 ExplicitAffinity : Pos 21, 1 Bit
+0x460 ProcessExecutionState : Pos 22, 2 Bits
+0x460 EnableReadVmLogging : Pos 24, 1 Bit
+0x460 EnableWriteVmLogging : Pos 25, 1 Bit
+0x460 FatalAccessTerminationRequested : Pos 26, 1 Bit
+0x460 DisableSystemAllowedCpuSet : Pos 27, 1 Bit
+0x460 ProcessStateChangeRequest : Pos 28, 2 Bits
+0x460 ProcessStateChangeInProgress : Pos 30, 1 Bit
+0x460 InPrivate : Pos 31, 1 Bit
+0x464 Flags : Uint4B
+0x464 CreateReported : Pos 0, 1 Bit
+0x464 NoDebugInherit : Pos 1, 1 Bit
+0x464 ProcessExiting : Pos 2, 1 Bit
+0x464 ProcessDelete : Pos 3, 1 Bit
+0x464 ManageExecutableMemoryWrites : Pos 4, 1 Bit
+0x464 VmDeleted : Pos 5, 1 Bit
+0x464 OutswapEnabled : Pos 6, 1 Bit
+0x464 Outswapped : Pos 7, 1 Bit
+0x464 FailFastOnCommitFail : Pos 8, 1 Bit
+0x464 Wow64VaSpace4Gb : Pos 9, 1 Bit
+0x464 AddressSpaceInitialized : Pos 10, 2 Bits
+0x464 SetTimerResolution : Pos 12, 1 Bit
+0x464 BreakOnTermination : Pos 13, 1 Bit
+0x464 DeprioritizeViews : Pos 14, 1 Bit
+0x464 WriteWatch : Pos 15, 1 Bit
+0x464 ProcessInSession : Pos 16, 1 Bit
+0x464 OverrideAddressSpace : Pos 17, 1 Bit
+0x464 HasAddressSpace : Pos 18, 1 Bit
+0x464 LaunchPrefetched : Pos 19, 1 Bit
+0x464 Background : Pos 20, 1 Bit
+0x464 VmTopDown : Pos 21, 1 Bit
+0x464 ImageNotifyDone : Pos 22, 1 Bit
+0x464 PdeUpdateNeeded : Pos 23, 1 Bit
+0x464 VdmAllowed : Pos 24, 1 Bit
+0x464 ProcessRundown : Pos 25, 1 Bit
+0x464 ProcessInserted : Pos 26, 1 Bit
+0x464 DefaultIoPriority : Pos 27, 3 Bits
+0x464 ProcessSelfDelete : Pos 30, 1 Bit
+0x464 SetTimerResolutionLink : Pos 31, 1 Bit
+0x468 CreateTime : _LARGE_INTEGER
+0x470 ProcessQuotaUsage : [2] Uint8B
+0x480 ProcessQuotaPeak : [2] Uint8B
+0x490 PeakVirtualSize : Uint8B
+0x498 VirtualSize : Uint8B
+0x4a0 SessionProcessLinks : _LIST_ENTRY
+0x4b0 ExceptionPortData : Ptr64 Void
+0x4b0 ExceptionPortValue : Uint8B
+0x4b0 ExceptionPortState : Pos 0, 3 Bits
+0x4b8 Token : _EX_FAST_REF
+0x4c0 MmReserved : Uint8B
+0x4c8 AddressCreationLock : _EX_PUSH_LOCK
+0x4d0 PageTableCommitmentLock : _EX_PUSH_LOCK
+0x4d8 RotateInProgress : Ptr64 _ETHREAD
+0x4e0 ForkInProgress : Ptr64 _ETHREAD
+0x4e8 CommitChargeJob : Ptr64 _EJOB
+0x4f0 CloneRoot : _RTL_AVL_TREE
+0x4f8 NumberOfPrivatePages : Uint8B
+0x500 NumberOfLockedPages : Uint8B
+0x508 Win32Process : Ptr64 Void
+0x510 Job : Ptr64 _EJOB
+0x518 SectionObject : Ptr64 Void
+0x520 SectionBaseAddress : Ptr64 Void
+0x528 Cookie : Uint4B
+0x530 WorkingSetWatch : Ptr64 _PAGEFAULT_HISTORY
+0x538 Win32WindowStation : Ptr64 Void
+0x540 InheritedFromUniqueProcessId : Ptr64 Void
+0x548 OwnerProcessId : Uint8B
+0x550 Peb : Ptr64 _PEB
+0x558 Session : Ptr64 _MM_SESSION_SPACE
+0x560 Spare1 : Ptr64 Void
+0x568 QuotaBlock : Ptr64 _EPROCESS_QUOTA_BLOCK
+0x570 ObjectTable : Ptr64 _HANDLE_TABLE
+0x578 DebugPort : Ptr64 Void
+0x580 WoW64Process : Ptr64 _EWOW64PROCESS
+0x588 DeviceMap : Ptr64 Void
+0x590 EtwDataSource : Ptr64 Void
+0x598 PageDirectoryPte : Uint8B
+0x5a0 ImageFilePointer : Ptr64 _FILE_OBJECT
+0x5a8 ImageFileName : [15] UChar
+0x5b7 PriorityClass : UChar
+0x5b8 SecurityPort : Ptr64 Void
+0x5c0 SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO
+0x5c8 JobLinks : _LIST_ENTRY
+0x5d8 HighestUserAddress : Ptr64 Void
+0x5e0 ThreadListHead : _LIST_ENTRY
+0x5f0 ActiveThreads : Uint4B
+0x5f4 ImagePathHash : Uint4B
+0x5f8 DefaultHardErrorProcessing : Uint4B
+0x5fc LastThreadExitStatus : Int4B
+0x600 PrefetchTrace : _EX_FAST_REF
+0x608 LockedPagesList : Ptr64 Void
+0x610 ReadOperationCount : _LARGE_INTEGER
+0x618 WriteOperationCount : _LARGE_INTEGER
+0x620 OtherOperationCount : _LARGE_INTEGER
+0x628 ReadTransferCount : _LARGE_INTEGER
+0x630 WriteTransferCount : _LARGE_INTEGER
+0x638 OtherTransferCount : _LARGE_INTEGER
+0x640 CommitChargeLimit : Uint8B
+0x648 CommitCharge : Uint8B
+0x650 CommitChargePeak : Uint8B
+0x680 Vm : _MMSUPPORT_FULL
+0x7c0 MmProcessLinks : _LIST_ENTRY
+0x7d0 ModifiedPageCount : Uint4B
+0x7d4 ExitStatus : Int4B
+0x7d8 VadRoot : _RTL_AVL_TREE
+0x7e0 VadHint : Ptr64 Void
+0x7e8 VadCount : Uint8B
+0x7f0 VadPhysicalPages : Uint8B
+0x7f8 VadPhysicalPagesLimit : Uint8B
+0x800 AlpcContext : _ALPC_PROCESS_CONTEXT
+0x820 TimerResolutionLink : _LIST_ENTRY
+0x830 TimerResolutionStackRecord : Ptr64 _PO_DIAG_STACK_RECORD
+0x838 RequestedTimerResolution : Uint4B
+0x83c SmallestTimerResolution : Uint4B
+0x840 ExitTime : _LARGE_INTEGER
+0x848 InvertedFunctionTable : Ptr64 _INVERTED_FUNCTION_TABLE
+0x850 InvertedFunctionTableLock : _EX_PUSH_LOCK
+0x858 ActiveThreadsHighWatermark : Uint4B
+0x85c LargePrivateVadCount : Uint4B
+0x860 ThreadListLock : _EX_PUSH_LOCK
+0x868 WnfContext : Ptr64 Void
+0x870 ServerSilo : Ptr64 _EJOB
+0x878 SignatureLevel : UChar
+0x879 SectionSignatureLevel : UChar
+0x87a Protection : _PS_PROTECTION
+0x87b HangCount : Pos 0, 3 Bits
+0x87b GhostCount : Pos 3, 3 Bits
+0x87b PrefilterException : Pos 6, 1 Bit
+0x87c Flags3 : Uint4B
+0x87c Minimal : Pos 0, 1 Bit
+0x87c ReplacingPageRoot : Pos 1, 1 Bit
+0x87c Crashed : Pos 2, 1 Bit
+0x87c JobVadsAreTracked : Pos 3, 1 Bit
+0x87c VadTrackingDisabled : Pos 4, 1 Bit
+0x87c AuxiliaryProcess : Pos 5, 1 Bit
+0x87c SubsystemProcess : Pos 6, 1 Bit
+0x87c IndirectCpuSets : Pos 7, 1 Bit
+0x87c RelinquishedCommit : Pos 8, 1 Bit
+0x87c HighGraphicsPriority : Pos 9, 1 Bit
+0x87c CommitFailLogged : Pos 10, 1 Bit
+0x87c ReserveFailLogged : Pos 11, 1 Bit
+0x87c SystemProcess : Pos 12, 1 Bit
+0x87c HideImageBaseAddresses : Pos 13, 1 Bit
+0x87c AddressPolicyFrozen : Pos 14, 1 Bit
+0x87c ProcessFirstResume : Pos 15, 1 Bit
+0x87c ForegroundExternal : Pos 16, 1 Bit
+0x87c ForegroundSystem : Pos 17, 1 Bit
+0x87c HighMemoryPriority : Pos 18, 1 Bit
+0x87c EnableProcessSuspendResumeLogging : Pos 19, 1 Bit
+0x87c EnableThreadSuspendResumeLogging : Pos 20, 1 Bit
+0x87c SecurityDomainChanged : Pos 21, 1 Bit
+0x87c SecurityFreezeComplete : Pos 22, 1 Bit
+0x87c VmProcessorHost : Pos 23, 1 Bit
+0x87c VmProcessorHostTransition : Pos 24, 1 Bit
+0x87c AltSyscall : Pos 25, 1 Bit
+0x87c TimerResolutionIgnore : Pos 26, 1 Bit
+0x87c DisallowUserTerminate : Pos 27, 1 Bit
+0x880 DeviceAsid : Int4B
+0x888 SvmData : Ptr64 Void
+0x890 SvmProcessLock : _EX_PUSH_LOCK
+0x898 SvmLock : Uint8B
+0x8a0 SvmProcessDeviceListHead : _LIST_ENTRY
+0x8b0 LastFreezeInterruptTime : Uint8B
+0x8b8 DiskCounters : Ptr64 _PROCESS_DISK_COUNTERS
+0x8c0 PicoContext : Ptr64 Void
+0x8c8 EnclaveTable : Ptr64 Void
+0x8d0 EnclaveNumber : Uint8B
+0x8d8 EnclaveLock : _EX_PUSH_LOCK
+0x8e0 HighPriorityFaultsAllowed : Uint4B
+0x8e8 EnergyContext : Ptr64 _PO_PROCESS_ENERGY_CONTEXT
+0x8f0 VmContext : Ptr64 Void
+0x8f8 SequenceNumber : Uint8B
+0x900 CreateInterruptTime : Uint8B
+0x908 CreateUnbiasedInterruptTime : Uint8B
+0x910 TotalUnbiasedFrozenTime : Uint8B
+0x918 LastAppStateUpdateTime : Uint8B
+0x920 LastAppStateUptime : Pos 0, 61 Bits
+0x920 LastAppState : Pos 61, 3 Bits
+0x928 SharedCommitCharge : Uint8B
+0x930 SharedCommitLock : _EX_PUSH_LOCK
+0x938 SharedCommitLinks : _LIST_ENTRY
+0x948 AllowedCpuSets : Uint8B
+0x950 DefaultCpuSets : Uint8B
+0x948 AllowedCpuSetsIndirect : Ptr64 Uint8B
+0x950 DefaultCpuSetsIndirect : Ptr64 Uint8B
+0x958 DiskIoAttribution : Ptr64 Void
+0x960 DxgProcess : Ptr64 Void
+0x968 Win32KFilterSet : Uint4B
+0x970 ProcessTimerDelay : _PS_INTERLOCKED_TIMER_DELAY_VALUES
+0x978 KTimerSets : Uint4B
+0x97c KTimer2Sets : Uint4B
+0x980 ThreadTimerSets : Uint4B
+0x988 VirtualTimerListLock : Uint8B
+0x990 VirtualTimerListHead : _LIST_ENTRY
+0x9a0 WakeChannel : _WNF_STATE_NAME
+0x9a0 WakeInfo : _PS_PROCESS_WAKE_INFORMATION
+0x9d0 MitigationFlags : Uint4B
+0x9d0 MitigationFlagsValues : <anonymous-tag>
+0x9d4 MitigationFlags2 : Uint4B
+0x9d4 MitigationFlags2Values : <anonymous-tag>
+0x9d8 PartitionObject : Ptr64 Void
+0x9e0 SecurityDomain : Uint8B
+0x9e8 ParentSecurityDomain : Uint8B
+0x9f0 CoverageSamplerContext : Ptr64 Void
+0x9f8 MmHotPatchContext : Ptr64 Void
+0xa00 DynamicEHContinuationTargetsTree : _RTL_AVL_TREE
+0xa08 DynamicEHContinuationTargetsLock : _EX_PUSH_LOCK

The first member of EPROCESS, Pcb, is the KPROCESS structure; the -r option of dt recurses into embedded structures like this one.

Use this command to obtain the EPROCESS structure addresses of all processes except the System Idle process.

View the KPROCESS structure held in Pcb:

0: kd> dt nt!_KPROCESS
+0x000 Header : _DISPATCHER_HEADER
+0x018 ProfileListHead : _LIST_ENTRY
+0x028 DirectoryTableBase : Uint8B
+0x030 ThreadListHead : _LIST_ENTRY
+0x040 ProcessLock : Uint4B
+0x044 ProcessTimerDelay : Uint4B
+0x048 DeepFreezeStartTime : Uint8B
+0x050 Affinity : _KAFFINITY_EX
+0x0f8 AffinityPadding : [12] Uint8B
+0x158 ReadyListHead : _LIST_ENTRY
+0x168 SwapListEntry : _SINGLE_LIST_ENTRY
+0x170 ActiveProcessors : _KAFFINITY_EX
+0x218 ActiveProcessorsPadding : [12] Uint8B
+0x278 AutoAlignment : Pos 0, 1 Bit
+0x278 DisableBoost : Pos 1, 1 Bit
+0x278 DisableQuantum : Pos 2, 1 Bit
+0x278 DeepFreeze : Pos 3, 1 Bit
+0x278 TimerVirtualization : Pos 4, 1 Bit
+0x278 CheckStackExtents : Pos 5, 1 Bit
+0x278 CacheIsolationEnabled : Pos 6, 1 Bit
+0x278 PpmPolicy : Pos 7, 3 Bits
+0x278 VaSpaceDeleted : Pos 10, 1 Bit
+0x278 ReservedFlags : Pos 11, 21 Bits
+0x278 ProcessFlags : Int4B
+0x27c ActiveGroupsMask : Uint4B
+0x280 BasePriority : Char
+0x281 QuantumReset : Char
+0x282 Visited : Char
+0x283 Flags : _KEXECUTE_OPTIONS
+0x284 ThreadSeed : [20] Uint2B
+0x2ac ThreadSeedPadding : [12] Uint2B
+0x2c4 IdealProcessor : [20] Uint2B
+0x2ec IdealProcessorPadding : [12] Uint2B
+0x304 IdealNode : [20] Uint2B
+0x32c IdealNodePadding : [12] Uint2B
+0x344 IdealGlobalNode : Uint2B
+0x346 Spare1 : Uint2B
+0x348 StackCount : _KSTACK_COUNT
+0x350 ProcessListEntry : _LIST_ENTRY
+0x360 CycleTime : Uint8B
+0x368 ContextSwitches : Uint8B
+0x370 SchedulingGroup : Ptr64 _KSCHEDULING_GROUP
+0x378 FreezeCount : Uint4B
+0x37c KernelTime : Uint4B
+0x380 UserTime : Uint4B
+0x384 ReadyTime : Uint4B
+0x388 UserDirectoryTableBase : Uint8B
+0x390 AddressPolicy : UChar
+0x391 Spare2 : [71] UChar
+0x3d8 InstrumentationCallback : Ptr64 Void
+0x3e0 SecureState : <anonymous-tag>
+0x3e8 KernelWaitTime : Uint8B
+0x3f0 UserWaitTime : Uint8B
+0x3f8 EndPadding : [8] Uint8B
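As an added example (not code from the book or from these notes), a small parser for the `dt` type dumps shown above. It resolves dotted paths such as `Pcb.DirectoryTableBase` by descending into embedded structures the way `dt -r` does, refuses to descend through pointers, and computes masks for `Pos N, M Bits` members such as `PrimaryTokenFrozen` inside `Flags2`. The sample input is a constructed excerpt of the EPROCESS and KPROCESS dumps above; the same parser handles the KPCR dump in the previous section.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample: field lines excerpted from the `dt nt!_EPROCESS` and
# `dt nt!_KPROCESS` dumps above (offsets exactly as shown there).
DT_DUMPS = """\
0: kd> dt nt!_EPROCESS
   +0x000 Pcb              : _KPROCESS
   +0x440 UniqueProcessId  : Ptr64 Void
   +0x448 ActiveProcessLinks : _LIST_ENTRY
   +0x460 Flags2           : Uint4B
   +0x460 JobNotReallyActive : Pos 0, 1 Bit
   +0x460 DefaultPagePriority : Pos 12, 3 Bits
   +0x460 PrimaryTokenFrozen : Pos 15, 1 Bit
   +0x4b8 Token            : _EX_FAST_REF
   +0x550 Peb              : Ptr64 _PEB
   +0x5a8 ImageFileName    : [15] UChar
   +0x5b7 PriorityClass    : UChar
   +0x87a Protection       : _PS_PROTECTION
0: kd> dt nt!_KPROCESS
   +0x000 Header           : _DISPATCHER_HEADER
   +0x028 DirectoryTableBase : Uint8B
   +0x030 ThreadListHead   : _LIST_ENTRY
   +0x278 DisableBoost     : Pos 1, 1 Bit
   +0x388 UserDirectoryTableBase : Uint8B
"""

HEADER_RE = re.compile(r"\bdt\s+\S+!(\w+)\s*$")
FIELD_RE = re.compile(r"^\s*\+0x([0-9a-fA-F]+)\s+(\w+)\s*:\s*(.+?)\s*$")
BITFIELD_RE = re.compile(r"^Pos\s+(\d+),\s+(\d+)\s+Bits?$")
ARRAY_RE = re.compile(r"^\[(\d+)\]\s+(.+)$")

@dataclass
class Field:
    name: str
    offset: int
    type_name: str              # "_KPROCESS", "Uint8B", "Void", or "bitfield"
    is_pointer: bool = False    # declared as Ptr64 <type>
    count: int = 1              # array length, e.g. [15] UChar -> 15
    bit_pos: Optional[int] = None
    bit_width: Optional[int] = None

def parse_dt(text: str) -> Dict[str, Dict[str, Field]]:
    """Parse one or more `dt nt!_TYPE` type dumps into {type: {field: Field}}."""
    types: Dict[str, Dict[str, Field]] = {}
    current: Optional[Dict[str, Field]] = None
    for line in text.splitlines():
        h = HEADER_RE.search(line)
        if h:
            current = types.setdefault(h.group(1), {})
            continue
        m = FIELD_RE.match(line)
        if not m or current is None:
            continue
        fld = Field(m.group(2), int(m.group(1), 16), m.group(3))
        decl = m.group(3)
        b = BITFIELD_RE.match(decl)
        if b:
            fld.type_name = "bitfield"
            fld.bit_pos, fld.bit_width = int(b.group(1)), int(b.group(2))
        else:
            a = ARRAY_RE.match(decl)
            if a:
                fld.count, decl = int(a.group(1)), a.group(2)
            if decl.startswith("Ptr64 "):
                fld.is_pointer, decl = True, decl[len("Ptr64 "):]
            fld.type_name = decl
        current[fld.name] = fld
    return types

def resolve(types: Dict[str, Dict[str, Field]], type_name: str, path: str) -> int:
    """Byte offset of a dotted path such as "Pcb.DirectoryTableBase", descending
    into embedded structures the way `dt -r` does. Pointers are not followed:
    the pointee lives elsewhere, so its fields have no offset inside this type."""
    parts = path.split(".")
    offset = 0
    for i, part in enumerate(parts):
        fld = types[type_name][part]
        offset += fld.offset
        if i < len(parts) - 1:
            if fld.is_pointer or fld.type_name == "bitfield":
                raise TypeError(f"cannot descend into {part} ({fld.type_name})")
            type_name = fld.type_name
    return offset

def bitfield_mask(fld: Field) -> int:
    """Mask selecting a `Pos N, M Bits` member inside its containing integer."""
    if fld.bit_pos is None or fld.bit_width is None:
        raise TypeError(f"{fld.name} is not a bitfield")
    return ((1 << fld.bit_width) - 1) << fld.bit_pos

def read_bitfield(value: int, fld: Field) -> int:
    """Extract a bitfield member from the value of its containing integer."""
    return (value & bitfield_mask(fld)) >> fld.bit_pos

if __name__ == "__main__":
    t = parse_dt(DT_DUMPS)
    print(hex(resolve(t, "_EPROCESS", "Pcb.DirectoryTableBase")))
    print(hex(bitfield_mask(t["_EPROCESS"]["PrimaryTokenFrozen"])))
```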

To view the PEB, use the command:

!process 0 0

The output then contains a hyperlink for the PEB; just click it. Using !peb directly is more hassle.

The PEB is accessible from user mode, whereas EPROCESS and KPROCESS can only be accessed from kernel mode.

CSR_PROCESS

It holds process information specific to the Windows subsystem process (CSRSS), so every Windows application except SMSS has an associated instance of this structure.

For example, to find the running CSRSS processes:

0: kd> !process 0 0 csrss.exe
PROCESS ffffc406606a0480
SessionId: 0 Cid: 0164 Peb: eec78cb000 ParentCid: 0158
DirBase: 6615f000 ObjectTable: ffffd9804b22ab00 HandleCount: 310.
Image: csrss.exe

PROCESS ffffc40660ec6140
SessionId: 1 Cid: 01b8 Peb: 7d2fba3000 ParentCid: 01a8
DirBase: 513ee000 ObjectTable: ffffd9804b22d480 HandleCount: 295.
Image: csrss.exe

The /P option sets the debugger's process context to that process, and /r reloads the user-mode symbols:

0: kd> .process /r /P ffff868af7d9f340
Implicit process is now ffff868a`f7d9f340
.cache forcedecodeptes done
Loading User Symbols
...............

Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long.
Run !sym noisy before .reload to track down problems loading symbols.

.....
0: kd> dt csrss!_csr_process
+0x000 ClientId : _CLIENT_ID
+0x010 ListLink : _LIST_ENTRY
+0x020 ThreadList : _LIST_ENTRY
+0x030 NtSession : Ptr64 _CSR_NT_SESSION
+0x038 ClientPort : Ptr64 Void
+0x040 ClientViewBase : Ptr64 Char
+0x048 ClientViewBounds : Ptr64 Char
+0x050 ProcessHandle : Ptr64 Void
+0x058 SequenceNumber : Uint4B
+0x05c Flags : Uint4B
+0x060 DebugFlags : Uint4B
+0x064 ReferenceCount : Int4B
+0x068 ProcessGroupId : Uint4B
+0x06c ProcessGroupSequence : Uint4B
+0x070 LastMessageSequence : Uint4B
+0x074 NumOutstandingMessages : Uint4B
+0x078 ShutdownLevel : Uint4B
+0x07c ShutdownFlags : Uint4B
+0x080 Luid : _LUID
+0x088 ServerDllPerProcessData : [1] Ptr64 Void

LDR

In the PEB, the PEB_LDR_DATA substructure pointed to by the Ldr field records every module loaded into the process.

0: kd> !process 0 0 notepad.exe
PROCESS ffff868afac8e080
SessionId: 1 Cid: 0a0c Peb: 1db1f6a000 ParentCid: 0ad4
DirBase: 1cce5000 ObjectTable: ffffbd04a5821b80 HandleCount: 233.
Image: notepad.exe

0: kd> !process /r /P ffff868afac8e080
Unknown option 'r'
Usage: !process [/s <session>] [/m <module>] <address> <flags> [Image]
0: kd> .process /r /P ffff868afac8e080
Implicit process is now ffff868a`fac8e080
.cache forcedecodeptes done
Loading User Symbols
...............

Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long.
Run !sym noisy before .reload to track down problems loading symbols.

.........................
0: kd> !peb
PEB at 0000001db1f6a000
InheritedAddressSpace: No
ReadImageFileExecOptions: No
BeingDebugged: No
ImageBaseAddress: 00007ff74b950000
NtGlobalFlag: 0
NtGlobalFlag2: 0
Ldr 00007ffd32bbb4c0
Ldr.Initialized: Yes
Ldr.InInitializationOrderModuleList: 000001364f522670 . 000001364f54b8c0
Ldr.InLoadOrderModuleList: 000001364f5227e0 . 000001364f54b050
Ldr.InMemoryOrderModuleList: 000001364f5227f0 . 000001364f54b060
Base TimeStamp Module
7ff74b950000 d686c2e9 Jan 20 05:32:25 2084 C:\Windows\system32\notepad.exe
7ffd32a50000 e5d7ed5c Mar 12 12:11:08 2092 C:\Windows\SYSTEM32\ntdll.dll
7ffd32580000 2f7cc9b6 Apr 01 11:34:14 1995 C:\Windows\System32\KERNEL32.DLL
7ffd306c0000 1183946c Apr 25 05:04:44 1979 C:\Windows\System32\KERNELBASE.dll
7ffd31620000 403d941e Feb 26 14:37:18 2004 C:\Windows\System32\GDI32.dll
7ffd301d0000 0dcd0213 May 04 04:26:59 1977 C:\Windows\System32\win32u.dll
7ffd30200000 97342902 May 22 04:33:06 2050 C:\Windows\System32\gdi32full.dll
7ffd30550000 39255ccf May 19 23:25:03 2000 C:\Windows\System32\msvcp_win.dll
7ffd303f0000 43cbc11d Jan 16 23:51:57 2006 C:\Windows\System32\ucrtbase.dll
7ffd31ee0000 b661eb02 Dec 18 12:01:06 2066 C:\Windows\System32\USER32.dll
7ffd326f0000 654b189d Nov 08 13:11:57 2023 C:\Windows\System32\combase.dll
7ffd314f0000 76243d9a Oct 23 03:35:54 2032 C:\Windows\System32\RPCRT4.dll
7ffd31670000 a11be9be Aug 27 14:31:26 2055 C:\Windows\System32\shcore.dll
7ffd31720000 564f9f39 Nov 21 06:31:21 2015 C:\Windows\System32\msvcrt.dll
7ffd24420000 470baab8 Oct 10 00:22:16 2007 C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_ca04af081b815d21\COMCTL32.dll
7ffd326c0000 3a0e9944 Nov 12 21:21:08 2000 C:\Windows\System32\IMM32.DLL
7ffd30640000 0b64b4c2 Jan 22 17:00:50 1976 C:\Windows\System32\bcryptPrimitives.dll
7ffd32430000 15fd8d3b Sep 10 10:51:39 1981 C:\Windows\System32\ADVAPI32.dll
7ffd324e0000 18cb116b Mar 08 16:50:51 1983 C:\Windows\System32\sechost.dll
7ffd2e0b0000 f0713fcd Oct 30 14:42:21 2097 C:\Windows\SYSTEM32\kernel.appcore.dll
7ffd2dc00000 5133cbb4 Mar 04 06:16:20 2013 C:\Windows\system32\uxtheme.dll
7ffd30bb0000 db9f728a Oct 05 20:37:30 2086 C:\Windows\System32\clbcatq.dll
7ffd28980000 fc44ac67 Feb 13 23:16:55 2104 C:\Windows\System32\MrmCoreR.dll
7ffd30c60000 d245a575 Oct 16 02:48:21 2081 C:\Windows\System32\SHELL32.dll
7ffd2e2b0000 08e1f13f Sep 22 03:51:27 1974 C:\Windows\SYSTEM32\windows.storage.dll
7ffd2fae0000 0e2fb8a7 Jul 18 01:28:07 1977 C:\Windows\system32\Wldp.dll
7ffd313b0000 1d0b562f Jun 11 04:10:23 1985 C:\Windows\System32\shlwapi.dll
7ffd32240000 e201377f Feb 26 02:29:19 2090 C:\Windows\System32\MSCTF.dll
7ffd32360000 0cb82403 Oct 06 04:13:55 1976 C:\Windows\System32\OLEAUT32.dll
7ffd242e0000 1bc29287 Oct 04 19:12:07 1984 C:\Windows\system32\TextShaping.dll
7ffd1de90000 cd8abeb3 Apr 11 15:01:07 2079 C:\Windows\System32\efswrt.dll
7ffd2bf20000 4ea1eb03 Oct 22 05:58:27 2011 C:\Windows\SYSTEM32\wintypes.dll
7ffd246c0000 baf5f9a3 May 25 12:40:03 2069 C:\Windows\System32\MPR.dll
7ffd2aae0000 b1d2c62d Jul 16 04:48:45 2064 C:\Windows\System32\twinapi.appcore.dll
7ffd1d360000 d0cad910 Jan 01 18:59:28 2081 C:\Windows\System32\oleacc.dll
7ffd285d0000 33fb493e Aug 21 03:45:02 1997 C:\Windows\SYSTEM32\textinputframework.dll
7ffd2d540000 ce358de3 Aug 19 04:30:27 2079 C:\Windows\System32\CoreUIComponents.dll
7ffd2da80000 5c941056 Mar 22 06:29:42 2019 C:\Windows\System32\CoreMessaging.dll
7ffd31d30000 aff3315b Jul 18 10:18:03 2063 C:\Windows\System32\WS2_32.dll
7ffd2eec0000 3d60ad04 Aug 19 16:32:04 2002 C:\Windows\SYSTEM32\ntmarta.dll
SubSystemData: 00007ffd2acc01d0
ProcessHeap: 000001364f520000
ProcessParameters: 000001364f521db0
CurrentDirectory: 'C:\Users\User\'
WindowTitle: 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Notepad.lnk'
ImageFile: 'C:\Windows\system32\notepad.exe'
CommandLine: '"C:\Windows\system32\notepad.exe" '
DllPath: '< Name not readable >'
Environment: 000001364f520fe0
=::=::\
ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\User\AppData\Roaming
CommonProgramFiles=C:\Program Files\Common Files
CommonProgramFiles(x86)=C:\Program Files (x86)\Common Files
CommonProgramW6432=C:\Program Files\Common Files
COMPUTERNAME=DESKTOP-C6IH61J
ComSpec=C:\Windows\system32\cmd.exe
Desktop=C:\Users\User\Desktop
DriverData=C:\Windows\System32\Drivers\DriverData
FPS_BROWSER_APP_PROFILE_STRING=Internet Explorer
FPS_BROWSER_USER_PROFILE_STRING=Default
HOMEDRIVE=C:
HOMEPATH=\Users\User
LOCALAPPDATA=C:\Users\User\AppData\Local
LOGONSERVER=\\DESKTOP-C6IH61J
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Users\User\AppData\Local\Microsoft\WindowsApps;C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\WindowsApps;C:\Windows\AtlasModules;C:\Program Files\dotnet\;C:\Program Files (x86)\Windows Kits\10\Windows Performance Toolkit\;C:\Users\User\AppData\Local\Microsoft\WindowsApps;C:\Users\User\.dotnet\tools
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE=AMD64
PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 183 Stepping 1, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=b701
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files
ProgramFiles(x86)=C:\Program Files (x86)
ProgramW6432=C:\Program Files
PSModulePath=C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules
PUBLIC=C:\Users\Public
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\User\AppData\Local\Temp
TMP=C:\Users\User\AppData\Local\Temp
USERDOMAIN=DESKTOP-C6IH61J
USERDOMAIN_ROAMINGPROFILE=DESKTOP-C6IH61J
USERNAME=User
USERPROFILE=C:\Users\User
windir=C:\Windows

Examine the address shown after Ldr. The structure is fairly involved, so use the extended syntax:

!list -x "dt ntdll!_LDR_DATA_TABLE_ENTRY" @@C++(&@$peb->Ldr->InLoadOrderModuleList)

Threads

ETHREAD, KTHREAD, TEB

As with processes, view them with:

dt nt!_ETHREAD
dt nt!_KTHREAD

Experiment:

0: kd> !process 0 0 notepad.exe
PROCESS ffff868afac8e080
SessionId: 1 Cid: 0a0c Peb: 1db1f6a000 ParentCid: 0ad4
DirBase: 1cce5000 ObjectTable: ffffbd04a5821b80 HandleCount: 233.
Image: notepad.exe

0: kd> !process ffff868afac8e080 2
PROCESS ffff868afac8e080
SessionId: 1 Cid: 0a0c Peb: 1db1f6a000 ParentCid: 0ad4
DirBase: 1cce5000 ObjectTable: ffffbd04a5821b80 HandleCount: 233.
Image: notepad.exe

THREAD ffff868afae1c080 Cid 0a0c.0a18 Teb: 0000001db1f6b000 Win32Thread: ffff868afb28b520 WAIT: (WrUserRequest) UserMode Non-Alertable
ffff868afb77e840 QueueObject

THREAD ffff868afb03b080 Cid 0a0c.0ad0 Teb: 0000001db1f6d000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
ffff868afb77e140 QueueObject

THREAD ffff868afb415080 Cid 0a0c.0dd8 Teb: 0000001db1f6f000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
ffff868afb77e140 QueueObject

THREAD ffff868afb40c080 Cid 0a0c.0008 Teb: 0000001db1f71000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
ffff868afb77ddc0 QueueObject

THREAD ffff868afa85d080 Cid 0a0c.0454 Teb: 0000001db1f73000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
ffff868afb29a930 SynchronizationTimer

THREAD ffff868af6366080 Cid 0a0c.072c Teb: 0000001db1f75000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
ffff868afb77ddc0 QueueObject


0: kd> !thread ffff868afae1c080
THREAD ffff868afae1c080 Cid 0a0c.0a18 Teb: 0000001db1f6b000 Win32Thread: ffff868afb28b520 WAIT: (WrUserRequest) UserMode Non-Alertable
ffff868afb77e840 QueueObject
Not impersonating
DeviceMap ffffbd04a46f6850
Owning Process ffff868afac8e080 Image: notepad.exe
Attached Process N/A Image: N/A
Wait Start TickCount 37348 Ticks: 407 (0:00:00:06.359)
Context Switch Count 5406 IdealProcessor: 1
UserTime 00:00:00.000
KernelTime 00:00:00.093
Win32 Start Address notepad!wWinMainCRTStartup (0x00007ff74b973c00)
Stack Init ffffb8828641ac90 Current ffffb88286419f50
Base ffffb8828641b000 Limit ffffb88286415000 Call 0000000000000000
Priority 12 BasePriority 8 PriorityDecrement 2 IoPriority 2 PagePriority 5
Child-SP RetAddr : Args to Child : Call Site
ffffb882`86419f90 fffff800`180e2e60 : ffffb882`0000000a fffff800`ffffffff ffffb882`00000000 ffff868a`fb62d6d8 : nt!KiSwapContext+0x76
ffffb882`8641a0d0 fffff800`180e238f : 00000000`00000000 00000000`00000000 ffffb882`8641a290 00000000`001f0003 : nt!KiSwapThread+0x500
ffffb882`8641a180 fffff800`180e1c33 : 00000000`00000000 00000000`00000000 00000000`00000000 ffff868a`fae1c1c0 : nt!KiCommitThreadWait+0x14f
ffffb882`8641a220 fffff800`180c166b : ffff868a`fb77e840 fffff800`0000000d ffff868a`f73c7401 00000000`00000000 : nt!KeWaitForSingleObject+0x233
ffffb882`8641a310 fffffd8f`8173ce42 : fffffdc7`427648a0 fffffdc7`427648a0 00000000`00000000 fffffd8f`8173c943 : nt!KeWaitForMultipleObjects+0x45b
ffffb882`8641a420 fffffdc7`427648a0 : fffffdc7`427648a0 00000000`00000000 fffffd8f`8173c943 00000000`00000001 : 0xfffffd8f`8173ce42
ffffb882`8641a428 fffffdc7`427648a0 : 00000000`00000000 fffffd8f`8173c943 00000000`00000001 00000000`00000000 : 0xfffffdc7`427648a0
ffffb882`8641a430 00000000`00000000 : fffffd8f`8173c943 00000000`00000001 00000000`00000000 00000000`00000000 : 0xfffffdc7`427648a0
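As an added example (not code from the book or from these notes), a parser for the `!process <addr> 2` listing used in the experiment above. It turns the process header and each THREAD block into records (Cid, TEB, Win32Thread, wait reason, alertability, waited-on dispatcher objects), so that the thread list can be queried: which threads have a win32k THREADINFO, and which threads are parked on the same queue object. The sample input is a constructed copy of the notepad.exe listing above; threads shown as RUNNING rather than WAIT are handled by leaving the wait fields unset.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: the `!process <addr> 2` listing for notepad.exe from the
# experiment above, same addresses, re-indented.
PROCESS_DUMP = """\
0: kd> !process ffff868afac8e080 2
PROCESS ffff868afac8e080
    SessionId: 1  Cid: 0a0c    Peb: 1db1f6a000  ParentCid: 0ad4
    Image: notepad.exe
        THREAD ffff868afae1c080  Cid 0a0c.0a18  Teb: 0000001db1f6b000 Win32Thread: ffff868afb28b520 WAIT: (WrUserRequest) UserMode Non-Alertable
            ffff868afb77e840  QueueObject
        THREAD ffff868afb03b080  Cid 0a0c.0ad0  Teb: 0000001db1f6d000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
            ffff868afb77e140  QueueObject
        THREAD ffff868afb415080  Cid 0a0c.0dd8  Teb: 0000001db1f6f000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
            ffff868afb77e140  QueueObject
        THREAD ffff868afb40c080  Cid 0a0c.0008  Teb: 0000001db1f71000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
            ffff868afb77ddc0  QueueObject
        THREAD ffff868afa85d080  Cid 0a0c.0454  Teb: 0000001db1f73000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
            ffff868afb29a930  SynchronizationTimer
        THREAD ffff868af6366080  Cid 0a0c.072c  Teb: 0000001db1f75000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
            ffff868afb77ddc0  QueueObject
"""

@dataclass
class Thread:
    addr: int
    pid: int
    tid: int
    teb: int
    win32thread: int                   # 0 = never entered win32k (non-GUI thread)
    wait_reason: Optional[str] = None  # None when not waiting (e.g. RUNNING)
    alertable: Optional[bool] = None
    wait_objects: List[Tuple[int, str]] = field(default_factory=list)

@dataclass
class Process:
    addr: int
    cid: int = 0
    peb: int = 0
    parent_cid: int = 0
    image: str = ""
    threads: List[Thread] = field(default_factory=list)

PROCESS_RE = re.compile(r"^PROCESS\s+([0-9a-f]+)$")
INFO_RE = re.compile(r"^SessionId:\s*\d+\s+Cid:\s*([0-9a-f]+)\s+Peb:\s*([0-9a-f]+)\s+ParentCid:\s*([0-9a-f]+)")
IMAGE_RE = re.compile(r"^Image:\s*(\S+)")
THREAD_RE = re.compile(r"^THREAD\s+([0-9a-f]+)\s+Cid\s+([0-9a-f]+)\.([0-9a-f]+)\s+Teb:\s*([0-9a-f]+)\s+Win32Thread:\s*([0-9a-f]+)\s+(.*)$")
WAIT_RE = re.compile(r"^WAIT:\s*\((\w+)\)\s+\w+\s+(Non-Alertable|Alertable)")
WAIT_OBJ_RE = re.compile(r"^([0-9a-f]{16})\s+(\w+)")

def parse_process(text: str) -> Process:
    """Parse one `!process <addr> 2` listing: process header plus THREAD blocks."""
    proc: Optional[Process] = None
    cur: Optional[Thread] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = PROCESS_RE.match(line)
        if m:
            proc, cur = Process(int(m.group(1), 16)), None
            continue
        if proc is None:
            continue
        m = INFO_RE.match(line)
        if m:
            proc.cid, proc.peb, proc.parent_cid = (int(g, 16) for g in m.groups())
            continue
        m = IMAGE_RE.match(line)
        if m:
            proc.image = m.group(1)
            continue
        m = THREAD_RE.match(line)
        if m:
            cur = Thread(*(int(g, 16) for g in m.groups()[:5]))
            w = WAIT_RE.match(m.group(6))  # absent for "RUNNING on processor N"
            if w:
                cur.wait_reason, cur.alertable = w.group(1), w.group(2) == "Alertable"
            proc.threads.append(cur)
            continue
        m = WAIT_OBJ_RE.match(line)
        if m and cur is not None:
            cur.wait_objects.append((int(m.group(1), 16), m.group(2)))
    if proc is None:
        raise ValueError("no PROCESS block in input")
    return proc

def gui_threads(proc: Process) -> List[Thread]:
    """Threads that own a win32k THREADINFO (Win32Thread != 0)."""
    return [t for t in proc.threads if t.win32thread != 0]

def threads_by_wait_object(proc: Process) -> Dict[int, List[int]]:
    """TIDs blocked on each dispatcher object; several WrQueue threads parked on
    one QueueObject are worker threads sharing a single queue."""
    groups: Dict[int, List[int]] = {}
    for t in proc.threads:
        for obj_addr, _ in t.wait_objects:
            groups.setdefault(obj_addr, []).append(t.tid)
    return groups
```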

Viewing the TEB in kernel mode:

0: kd> !process 0 2 explorer.exe
PROCESS ffff8809a1280080
SessionId: 1 Cid: 0a94 Peb: 0059f000 ParentCid: 0a74
DirBase: 4301e000 ObjectTable: ffffce007d86ac80 HandleCount: 1668.
Image: explorer.exe

THREAD ffff8809a113a080 Cid 0a94.0a98 Teb: 00000000005a0000 Win32Thread: ffff8809a1104fc0 WAIT: (WrUserRequest) UserMode Non-Alertable
ffff8809a0fb3480 QueueObject

THREAD ffff8809a1310040 Cid 0a94.0ab0 Teb: 00000000005ac000 Win32Thread: ffff8809a110eca0 WAIT: (UserRequest) UserMode Non-Alertable
ffff8809a12cb2e0 NotificationEvent
ffff8809a12cb260 Semaphore Limit 0xffff
ffff8809a1332280 QueueObject

THREAD ffff8809a130f080 Cid 0a94.0ab4 Teb: 00000000005ae000 Win32Thread: ffff8809a1105fb0 WAIT: (UserRequest) UserMode Alertable
ffff8809a14d1560 SynchronizationEvent
ffff8809a1328780 QueueObject

THREAD ffff8809a107d080 Cid 0a94.0ad4 Teb: 00000000005b6000 Win32Thread: ffff8809a1102400 WAIT: (UserRequest) UserMode Alertable
ffff8809a14d0460 SynchronizationEvent
ffff8809a1331100 QueueObject

THREAD ffff8809a1052080 Cid 0a94.0b6c Teb: 00000000005ba000 Win32Thread: ffff8809a11024a0 WAIT: (UserRequest) UserMode Alertable
ffff8809a1331c40 QueueObject

THREAD ffff8809a0f60080 Cid 0a94.0bc0 Teb: 00000000005c2000 Win32Thread: ffff8809a10c9530 WAIT: (UserRequest) UserMode Alertable
ffff8809a14d77e0 NotificationEvent
ffff8809a14d7960 NotificationEvent
ffff8809a14d79e0 NotificationEvent
ffff8809a14d72e0 NotificationEvent
ffff8809a14d7a60 NotificationEvent
ffff8809a14d73e0 NotificationEvent
ffff8809a14d5660 NotificationEvent
ffff8809a14d5360 NotificationEvent
ffff8809a1a1d6e0 NotificationEvent
ffff8809a1a1e060 NotificationEvent
ffff8809a1a1d860 NotificationEvent
ffff8809a1a1db60 NotificationEvent
ffff8809a1a1da60 NotificationEvent
ffff8809a1a1dce0 NotificationEvent
ffff8809a1a1e0e0 NotificationEvent
ffff8809a1a1de60 NotificationEvent
ffff8809a1a1d3e0 NotificationEvent
ffff8809a1a1d460 NotificationEvent
ffff8809a1573fe0 NotificationEvent
ffff8809a1574be0 NotificationEvent
ffff8809a1573f60 NotificationEvent
ffff8809a1573260 NotificationEvent
ffff8809a12cf060 NotificationEvent
ffff8809a12ce2e0 NotificationEvent
ffff8809a12cf0e0 NotificationEvent
ffff8809a12ce4e0 NotificationEvent
ffff8809a1372920 NotificationEvent
ffff8809a133a400 QueueObject

THREAD ffff8809a12e5080 Cid 0a94.0bc4 Teb: 00000000005c4000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Alertable
fffff8051ee1fc60 NotificationEvent

THREAD ffff8809a1419080 Cid 0a94.0bc8 Teb: 00000000005c6000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Alertable
ffff8809a12cb8e0 NotificationEvent
ffff8809a12cbe60 SynchronizationEvent
ffff8809a12cbc60 SynchronizationEvent

THREAD ffff8809a1418080 Cid 0a94.0bd0 Teb: 00000000005ca000 Win32Thread: ffff8809a10c9cb0 WAIT: (UserRequest) UserMode Alertable
ffff8809a12c0f60 NotificationEvent
ffff8809a133a4c0 QueueObject

THREAD ffff8809a1416080 Cid 0a94.0bdc Teb: 00000000005ce000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
ffff8809a133ddc0 QueueObject

THREAD ffff8809a1415080 Cid 0a94.0be0 Teb: 00000000005d0000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
ffff8809a1010360 SynchronizationEvent

THREAD ffff8809a140f080 Cid 0a94.0bf8 Teb: 00000000005dc000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
ffff8809a0fb6a00 Semaphore Limit 0xffff
ffff8809a12ce060 SynchronizationEvent

THREAD ffff8809a1404080 Cid 0a94.0844 Teb: 00000000005e4000 Win32Thread: ffff8809a0d9fdd0 WAIT: (UserRequest) UserMode Alertable
ffff8809a0ab4b60 NotificationEvent
ffff8809a1342f00 QueueObject

THREAD ffff8809a13dd080 Cid 0a94.0824 Teb: 00000000005ea000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
ffff88099ca0ff70 NotificationEvent
ffff8809a12d0c60 NotificationEvent

THREAD ffff8809a13f5080 Cid 0a94.0404 Teb: 00000000005ec000 Win32Thread: ffff8809a1108f30 WAIT: (UserRequest) UserMode Alertable
ffff8809a12d0960 NotificationEvent
ffff8809a13438c0 QueueObject

THREAD ffff8809a1528080 Cid 0a94.0950 Teb: 00000000005f6000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
ffff88099ca0ff70 NotificationEvent
ffff8809a15685e0 NotificationEvent

THREAD ffff8809a0f770c0 Cid 0a94.0c10 Teb: 0000000000404000 Win32Thread: ffff8809a16c16d0 WAIT: (WrUserRequest) UserMode Non-Alertable
ffff8809a1521a80 QueueObject

THREAD ffff8809a16e7080 Cid 0a94.0c14 Teb: 0000000000406000 Win32Thread: ffff8809a16c18b0 WAIT: (UserRequest) UserMode Non-Alertable
ffff8809a12c7560 NotificationEvent
ffff8809a12c7ce0 Semaphore Limit 0xffff
ffff8809a1703d80 QueueObject

THREAD ffff8809a16e4080 Cid 0a94.0c20 Teb: 000000000040c000 Win32Thread: ffff8809a16c1900 WAIT: (WrUserRequest) UserMode Non-Alertable
ffff8809a1702f80 QueueObject

THREAD ffff8809a16da080 Cid 0a94.0c4c Teb: 0000000000412000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
ffff88099ca0ff70 NotificationEvent
ffff8809a15739e0 NotificationEvent

THREAD ffff8809a16d9080 Cid 0a94.0c50 Teb: 0000000000414000 Win32Thread: ffff8809a16c2a30 WAIT: (UserRequest) UserMode Alertable
ffff8809a1573d60 NotificationEvent
ffff8809a1576d60 NotificationEvent
ffff8809a15767e0 NotificationEvent
ffff8809a1707b80 QueueObject

THREAD ffff8809a16d8080 Cid 0a94.0c54 Teb: 0000000000416000 Win32Thread: ffff8809a16c2a80 WAIT: (UserRequest) UserMode Alertable
ffff8809a1707e40 QueueObject

THREAD ffff8809a16d7080 Cid 0a94.0c58 Teb: 0000000000418000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
ffff8809a1708280 QueueObject

THREAD ffff8809a16d3080 Cid 0a94.0c68 Teb: 0000000000420000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
ffff8809a15ebb80 Semaphore Limit 0xffff
ffff8809a1574c60 SynchronizationEvent

THREAD ffff8809a090f080 Cid 0a94.0c80 Teb: 0000000000426000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
ffff8809a15ebf40 Semaphore Limit 0xffff
ffff8809a1575460 SynchronizationEvent

THREAD ffff8809a17d4080 Cid 0a94.0d8c Teb: 000000000042a000 Win32Thread: ffff8809a0d9b190 WAIT: (WrUserRequest) UserMode Non-Alertable
ffff8809a1726bc0 QueueObject
ffff8809a146d380 SynchronizationEvent

THREAD ffff8809a18f2080 Cid 0a94.0db0 Teb: 000000000042e000 Win32Thread: ffff8809a16ca190 WAIT: (WrUserRequest) UserMode Non-Alertable
ffff8809a1728980 QueueObject
ffff8809a146da40 SynchronizationEvent

THREAD ffff8809a18ef080 Cid 0a94.0dc0 Teb: 0000000000432000 Win32Thread: ffff8809a16caf00 WAIT: (WrUserRequest) UserMode Non-Alertable
ffff8809a172a200 QueueObject
ffff8809a146df20 SynchronizationEvent

THREAD ffff88099f5ce080 Cid 0a94.0e74 Teb: 0000000000440000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
ffff88099cf2c080 Thread

THREAD ffff88099cf2c080 Cid 0a94.0e8c Teb: 0000000000442000 Win32Thread: ffff8809a1105e20 WAIT: (UserRequest) UserMode Alertable
ffff8809a1a358e0 SynchronizationEvent
ffff8809a1a34c60 NotificationEvent
ffff8809a161c6a0 SynchronizationTimer
ffff8809a1906bc0 QueueObject

THREAD ffff8809a0a7f080 Cid 0a94.0e6c Teb: 0000000000446000 Win32Thread: ffff8809a08361d0 WAIT: (UserRequest) UserMode Alertable
ffff8809a1a35860 SynchronizationEvent

THREAD ffff88099c4c0080 Cid 0a94.0f60 Teb: 0000000000454000 Win32Thread: ffff8809a1103a80 WAIT: (UserRequest) UserMode Alertable
ffff8809a14cf460 SynchronizationEvent
ffff8809a0ebf140 QueueObject

THREAD ffff8809a0f4e080 Cid 0a94.04b8 Teb: 0000000000456000 Win32Thread: ffff8809a11038a0 WAIT: (UserRequest) UserMode Alertable
ffff8809a14d0060 SynchronizationEvent
ffff8809a0ebe340 QueueObject

THREAD ffff8809a0908080 Cid 0a94.0a30 Teb: 0000000000458000 Win32Thread: ffff8809a11038f0 WAIT: (UserRequest) UserMode Alertable
ffff8809a14cf860 SynchronizationEvent
ffff8809a0ebe7c0 QueueObject

THREAD ffff8809a0861080 Cid 0a94.064c Teb: 000000000045a000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
ffff8809a10a0a00 SynchronizationTimer

THREAD ffff8809a0ea6040 Cid 0a94.0e9c Teb: 000000000045c000 Win32Thread: ffff8809a1105880 WAIT: (UserRequest) UserMode Alertable
ffff8809a14d1860 SynchronizationEvent
ffff8809a0ebedc0 QueueObject

THREAD ffff8809a180d080 Cid 0a94.09a4 Teb: 0000000000460000 Win32Thread: ffff8809a1107130 WAIT: (UserRequest) UserMode Non-Alertable
ffff8809a15735e0 NotificationEvent
ffff8809a15740e0 Semaphore Limit 0xffff
ffff8809a1903680 QueueObject

THREAD ffff8809a1293080 Cid 0a94.0218 Teb: 0000000000464000 Win32Thread: ffff8809a1108170 WAIT: (UserRequest) UserMode Alertable
ffff8809a14d7760 SynchronizationEvent
ffff8809a1902500 QueueObject

THREAD ffff8809a131f080 Cid 0a94.0624 Teb: 0000000000466000 Win32Thread: ffff8809a11091b0 WAIT: (WrUserRequest) UserMode Non-Alertable
ffff8809a1912640 QueueObject

THREAD ffff8809a1143080 Cid 0a94.05f8 Teb: 0000000000468000 Win32Thread: ffff8809a10c6150 WAIT: (UserRequest) UserMode Alertable
ffff8809a14d6ee0 SynchronizationEvent
ffff8809a1916280 QueueObject

THREAD ffff88099c4f9080 Cid 0a94.0648 Teb: 000000000046a000 Win32Thread: ffff8809a10c6920 WAIT: (UserRequest) UserMode Alertable
ffff8809a14d6be0 SynchronizationEvent
ffff8809a1916380 QueueObject

THREAD ffff8809a01ad080 Cid 0a94.09bc Teb: 000000000046c000 Win32Thread: ffff8809a10c7280 WAIT: (UserRequest) UserMode Alertable
ffff8809a14d70e0 SynchronizationEvent
ffff8809a1915f00 QueueObject

THREAD ffff8809a17eb080 Cid 0a94.06e0 Teb: 000000000046e000 Win32Thread: ffff8809a0b5d880 WAIT: (WrQueue) UserMode Alertable
ffff8809a0fb2140 QueueObject


PROCESS ffff8809a17ce080
SessionId: 1 Cid: 058c Peb: 00e14000 ParentCid: 02b8
DirBase: 60ee5000 ObjectTable: ffffce007fec4280 HandleCount: 798.
Image: explorer.exe

THREAD ffff8809a1304080 Cid 058c.026c Teb: 0000000000e15000 Win32Thread: ffff8809a1107db0 WAIT: (UserRequest) UserMode Non-Alertable
ffff8809a1909c00 QueueObject

THREAD ffff8809a131e080 Cid 058c.0100 Teb: 0000000000e17000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
ffff8809a1907d40 QueueObject

THREAD ffff8809a1284080 Cid 058c.0270 Teb: 0000000000e19000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
ffff8809a1907d40 QueueObject

THREAD ffff8809a1296080 Cid 058c.02b4 Teb: 0000000000e1b000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
ffff8809a1857e30 SynchronizationTimer

THREAD ffff8809a12db040 Cid 058c.0a28 Teb: 0000000000e1d000 Win32Thread: ffff8809a1107c20 WAIT: (UserRequest) UserMode Non-Alertable
ffff8809a14d42e0 NotificationEvent
ffff8809a14d4ce0 Semaphore Limit 0xffff
ffff8809a1911bc0 QueueObject

THREAD ffff8809a1283080 Cid 058c.07c0 Teb: 0000000000e1f000 Win32Thread: ffff8809a11089e0 WAIT: (UserRequest) UserMode Non-Alertable
ffff8809a14d42e0 NotificationEvent
ffff8809a14d4ce0 Semaphore Limit 0xffff
ffff8809a1911d80 QueueObject

THREAD ffff8809a1305080 Cid 058c.074c Teb: 0000000000e21000 Win32Thread: ffff8809a1108580 WAIT: (UserRequest) UserMode Non-Alertable
ffff8809a14d4be0 SynchronizationEvent
ffff8809a1910c00 QueueObject

THREAD ffff8809a1285080 Cid 058c.03c4 Teb: 0000000000e23000 Win32Thread: ffff8809a10c7960 WAIT: (UserRequest) UserMode Non-Alertable
ffff8809a14d42e0 NotificationEvent
ffff8809a14d4ce0 Semaphore Limit 0xffff
ffff8809a1916d00 QueueObject

THREAD ffff8809a1282080 Cid 058c.0310 Teb: 0000000000e27000 Win32Thread: ffff8809a11085d0 WAIT: (UserRequest) UserMode Non-Alertable
ffff8809a14d4b60 SynchronizationEvent
ffff8809a1913180 QueueObject

THREAD ffff8809a0e5b080 Cid 058c.034c Teb: 0000000000e2b000 Win32Thread: ffff8809a10c56b0 WAIT: (UserRequest) UserMode Alertable
ffff8809a14d55e0 SynchronizationEvent
ffff8809a19144c0 QueueObject

THREAD ffff88099c4f7080 Cid 058c.0414 Teb: 0000000000e2d000 Win32Thread: ffff8809a10c52a0 WAIT: (UserRequest) UserMode Alertable
ffff8809a14d5ee0 SynchronizationEvent
ffff8809a19152c0 QueueObject

THREAD ffff8809a0f80080 Cid 058c.0878 Teb: 0000000000e2f000 Win32Thread: ffff8809a10c5200 WAIT: (UserRequest) UserMode Alertable
ffff8809a14d60e0 SynchronizationEvent
ffff8809a1914400 QueueObject

THREAD ffff8809a0917080 Cid 058c.047c Teb: 0000000000e31000 Win32Thread: ffff8809a10c5390 WAIT: (UserRequest) UserMode Non-Alertable
ffff8809a14d6360 SynchronizationEvent
ffff8809a14d4660 NotificationEvent

THREAD ffff88099c564080 Cid 058c.0660 Teb: 0000000000e33000 Win32Thread: ffff8809a10c7f50 WAIT: (UserRequest) UserMode Non-Alertable
ffff8809a14d42e0 NotificationEvent
ffff8809a14d4ce0 Semaphore Limit 0xffff
ffff8809a1916540 QueueObject

THREAD ffff8809a011e080 Cid 058c.0738 Teb: 0000000000e35000 Win32Thread: ffff8809a10c8770 WAIT: (UserRequest) UserMode Non-Alertable
ffff8809a14d42e0 NotificationEvent
ffff8809a14d4ce0 Semaphore Limit 0xffff
ffff8809a1916e00 QueueObject

THREAD ffff8809a09c9080 Cid 058c.0734 Teb: 0000000000e37000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
ffff8809a19025c0 QueueObject

THREAD ffff8809a0b70080 Cid 058c.05e4 Teb: 0000000000e3b000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
ffff8809a19025c0 QueueObject
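
When a listing like the one above runs to hundreds of threads, the first two questions in a hang or deadlock triage are "which objects have several waiters?" and "which thread is blocked waiting for another thread to exit?" The following parser answers both from the text of the thread/wait-object section (the format the `!process` thread-wait output has). It is an added example for these notes, not code from the book or from the debugger; the SAMPLE string is an excerpt of the listing above, and the field names (`Thread`, `parse_listing`, `shared_wait_objects`, `thread_joins`) are this example's own choices.

```python
"""Parse the thread/wait-object section of a WinDbg !process listing and report
(a) kernel objects that more than one thread is blocked on and
(b) threads blocked on another *thread* object (a join on that thread's exit).
Added example; SAMPLE is an excerpt of the notes' listing, not new output."""
from __future__ import annotations
import re
from collections import defaultdict
from dataclasses import dataclass, field

# THREAD <ETHREAD> Cid <pid>.<tid> Teb: <teb> Win32Thread: <w32> WAIT: (<reason>) <mode> <alertable>
THREAD_RE = re.compile(
    r"^THREAD (?P<ethread>[0-9a-f]+) Cid (?P<pid>[0-9a-f]+)\.(?P<tid>[0-9a-f]+) "
    r"Teb: (?P<teb>[0-9a-f]+) Win32Thread: (?P<w32>[0-9a-f]+) "
    r"WAIT: \((?P<reason>\w+)\) (?P<mode>\w+) (?P<alert>Alertable|Non-Alertable)"
)
# <object address> <object type> [extra, e.g. "Limit 0xffff" on a semaphore]
WAIT_RE = re.compile(r"^(?P<addr>[0-9a-f]{16}) (?P<type>\w+)(?: (?P<extra>.*))?$")
IMAGE_RE = re.compile(r"^Image: (?P<image>\S+)$")


@dataclass
class Thread:
    ethread: str
    cid: str          # "pid.tid" exactly as the debugger prints it
    teb: str
    gui: bool         # Win32Thread != 0: the thread owns a win32k W32THREAD
    reason: str       # wait reason: UserRequest, WrQueue, WrUserRequest, ...
    alertable: bool
    image: str        # owning process; "(not in excerpt)" when the PROCESS header is absent
    waits: list = field(default_factory=list)   # [(object address, object type), ...]


def parse_listing(text: str) -> list[Thread]:
    threads: list[Thread] = []
    image = "(not in excerpt)"
    current = None
    for raw in text.splitlines():
        line = raw.strip()            # real output is indented; a pasted copy may not be
        if not line:
            continue
        if line.startswith("PROCESS "):
            current = None            # header lines after PROCESS belong to no thread
            continue
        m = IMAGE_RE.match(line)
        if m:
            image = m["image"]
            continue
        m = THREAD_RE.match(line)
        if m:
            current = Thread(ethread=m["ethread"], cid=f"{m['pid']}.{m['tid']}", teb=m["teb"],
                             gui=int(m["w32"], 16) != 0, reason=m["reason"],
                             alertable=(m["alert"] == "Alertable"), image=image)
            threads.append(current)
            continue
        m = WAIT_RE.match(line)
        if m and current is not None:
            current.waits.append((m["addr"], m["type"]))
    return threads


def shared_wait_objects(threads: list[Thread]) -> dict:
    """(address, type) -> Cids of every thread blocked on it, for objects with >1 waiter."""
    waiters = defaultdict(list)
    for t in threads:
        for addr, typ in t.waits:
            waiters[(addr, typ)].append(t.cid)
    return {k: v for k, v in waiters.items() if len(v) > 1}


def thread_joins(threads: list[Thread]) -> list:
    """(waiting Cid, target Cid or raw ETHREAD if not in the listing) for waits on a Thread object."""
    by_ethread = {t.ethread: t for t in threads}
    joins = []
    for t in threads:
        for addr, typ in t.waits:
            if typ == "Thread":
                target = by_ethread.get(addr)
                joins.append((t.cid, target.cid if target else addr))
    return joins


# Constructed excerpt of the listing above: two 0a94 threads share an event, one 0a94
# thread waits on another thread object, two explorer.exe threads share an event and a semaphore.
SAMPLE = """
THREAD ffff8809a13dd080 Cid 0a94.0824 Teb: 00000000005ea000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
ffff88099ca0ff70 NotificationEvent
ffff8809a12d0c60 NotificationEvent

THREAD ffff8809a1528080 Cid 0a94.0950 Teb: 00000000005f6000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
ffff88099ca0ff70 NotificationEvent
ffff8809a15685e0 NotificationEvent

THREAD ffff88099f5ce080 Cid 0a94.0e74 Teb: 0000000000440000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
ffff88099cf2c080 Thread

THREAD ffff88099cf2c080 Cid 0a94.0e8c Teb: 0000000000442000 Win32Thread: ffff8809a1105e20 WAIT: (UserRequest) UserMode Alertable
ffff8809a1a358e0 SynchronizationEvent
ffff8809a1906bc0 QueueObject

PROCESS ffff8809a17ce080
Image: explorer.exe

THREAD ffff8809a12db040 Cid 058c.0a28 Teb: 0000000000e1d000 Win32Thread: ffff8809a1107c20 WAIT: (UserRequest) UserMode Non-Alertable
ffff8809a14d42e0 NotificationEvent
ffff8809a14d4ce0 Semaphore Limit 0xffff
ffff8809a1911bc0 QueueObject

THREAD ffff8809a1283080 Cid 058c.07c0 Teb: 0000000000e1f000 Win32Thread: ffff8809a11089e0 WAIT: (UserRequest) UserMode Non-Alertable
ffff8809a14d42e0 NotificationEvent
ffff8809a14d4ce0 Semaphore Limit 0xffff
ffff8809a1911d80 QueueObject
"""

if __name__ == "__main__":
    ts = parse_listing(SAMPLE)
    for (addr, typ), cids in shared_wait_objects(ts).items():
        print(f"shared {typ} {addr}: {', '.join(cids)}")
    for waiter, target in thread_joins(ts):
        print(f"{waiter} is waiting for thread {target} to exit")
```

On the excerpt this reports the event `ffff88099ca0ff70` and the explorer.exe pair `ffff8809a14d42e0` / `ffff8809a14d4ce0` as shared, and that `0a94.0e74` is blocked on the thread object of `0a94.0e8c`; a shared object whose owner is itself in a wait, or a join whose target is waiting on the first thread, is the circular dependency to chase next with `.thread` and `!thread`. Feed it the saved output of the full command rather than a pasted excerpt, and note that the `gui` flag is just the Win32Thread column, the same pointer `dt win32k!_W32THREAD` would take.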

0: kd> .thread /p ffff8809a1304080; !teb 0000000000e15000
Implicit thread is now ffff8809`a1304080
Implicit process is now ffff8809`a17ce080
.cache forcedecodeuser done
TEB at 0000000000e15000
ExceptionList: 0000000000000000
StackBase: 0000000001080000
StackLimit: 0000000001072000
SubSystemTib: 0000000000000000
FiberData: 0000000000001e00
ArbitraryUserPointer: 0000000000000000
Self: 0000000000e15000
EnvironmentPointer: 0000000000000000
ClientId: 000000000000058c . 000000000000026c
RpcHandle: 0000000000000000
Tls Storage: 00000000060133d0
PEB Address: 0000000000e14000
LastErrorValue: 0
LastStatusValue: 0
Count Owned Locks: 0
HardErrorMode: 0

Viewing W32THREAD

View:

dt csrss!_csr_thread

Two caveats when running this. W32THREAD itself is a win32k structure: the Win32Thread column in the thread listing above is its address, and it is zero for threads that have never called into win32k, so select a GUI thread (non-zero Win32Thread) with .thread before dumping it. CSR_THREAD is the per-thread record kept by the Windows subsystem process, so the command must be run with csrss.exe as the current process and its symbols loaded; if the csrss! prefix does not resolve the type, qualify it with csrsrv, the csrss DLL that implements the CSR thread bookkeeping.