EPROCESS and KPROCESS, ETHREAD, KTHREAD structures

Let's learn about the EPROCESS, KPROCESS, ETHREAD, and KTHREAD structures that the kernel uses to manage processes and threads.

These structures hold information about processes and threads, and a fairly large number of sub-structures are associated with them.

By identifying these structures we can understand all of the information the operating system keeps about a process and its threads.

EPROCESS holds a pointer to KPROCESS (the kernel process block), and through it information about the process's primary thread as well as process information. In addition, EPROCESS contains process identification information, information about the memory used by the process, and the PEB (Process Environment Block). KPROCESS (the PCB) operates in kernel mode. (As mentioned earlier, both the PEB and the PCB blocks exist in the kernel.) In other words, the PEB is accessible from user mode and is used for process management by Csrss, while the PCB is accessible in kernel mode and is used for operations such as thread creation by Win32k; the two are kept separate.

Next, let's look at ETHREAD, which manages thread information. ETHREAD structures are chained to one another through the ThreadListHead of KPROCESS and managed as a linked list; like EPROCESS, ETHREAD belongs to the kernel-mode area. ETHREAD in turn holds a pointer to the KTHREAD (kernel thread) block. KTHREAD (the TCB), like KPROCESS, operates in kernel mode; as shown in the figure, it holds a pointer to the Thread Environment Block (TEB) together with thread scheduling and execution information such as the quantum value.

These four structures are connected to one another mainly around EPROCESS; the figure below shows their associations.


[Figure] Association of process and thread objects

Next, we will use WinDbg's dt (Display Type) command to verify the information in these structures. This can later be applied in several directions.

First, let's find out about the dt command.

dt is one of WinDbg's core commands: it lets you view local variable values, global variable values, data types, structures, and so on.

The basic usage of the command is as follows. (Frequently used options were shown in bold.)

dt [-DisplayOpts] [-SearchOpts] Address | [module!]Name [-l List] [-SearchOpts]

DisplayOpts are not required, since dt prints basic information by default, but they let you adjust the output. The available options are as follows.

-a [count]: treats the target as an array and displays the specified number of elements, one per line. If [count] is not specified, displays the whole array.

-b: if the structure has sub-structures, displays their information as well (block display).

-c: displays the structure on a single line (compact output).

-d: when searching for a structure by name with the wildcard *, displays all structures whose names match. The module must be specified.

-e: forces enumeration of types; use it when you want type information displayed that would otherwise not be enumerated.

-i: displays sub-structures without indenting them.

-o: omits the offset values.

-p: treats the address as a physical address. (By default it is a virtual address.)

-r [depth]: displays sub-structures recursively, to the specified depth.

-s [size]: displays only structures of the specified size; useful together with the -v option.

-v: displays details about each structure field (verbose output).

SearchOpts let you search by module name, or for a field within a module. The following two options are useful when you do not know the exact name of a structure.

-n: indicates that the next argument is a name, not an address.

-y: displays the structures, or structure fields, whose names begin with the specified prefix.
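The linked-list relationship between the process and thread blocks described above, and the "+0xNNN Name : Type" lines that dt prints, are easiest to understand with a small tool that consumes dt output. The following is an added example, not code from the original post: it parses constructed dt dumps (the offsets are illustrative and not those of any real Windows build; take them from your own dt output), resolves nested field paths such as Tcb.ThreadListEntry, and applies the kernel's CONTAINING_RECORD arithmetic to walk EPROCESS.ThreadListHead back to the ETHREAD objects it chains. The addresses in demo() and the memory map it reads from are constructed.

```python
import re
from typing import Callable, Dict, List, NamedTuple

# Constructed sample of what "dt nt!_EPROCESS" etc. print. Offsets are illustrative
# only: they change between Windows builds, so use the ones your own dt shows.
SAMPLE_DT_OUTPUT = {
    "_EPROCESS": """\
   +0x000 Pcb              : _KPROCESS
   +0x438 ProcessLock      : _EX_PUSH_LOCK
   +0x440 UniqueProcessId  : Ptr64 Void
   +0x448 ActiveProcessLinks : _LIST_ENTRY
   +0x550 Peb              : Ptr64 _PEB
   +0x5a8 ImageFileName    : [15] UChar
   +0x5e0 ThreadListHead   : _LIST_ENTRY
""",
    "_KPROCESS": """\
   +0x000 Header           : _DISPATCHER_HEADER
   +0x028 DirectoryTableBase : Uint8B
   +0x030 ThreadListHead   : _LIST_ENTRY
""",
    "_ETHREAD": """\
   +0x000 Tcb              : _KTHREAD
   +0x5f0 CreateTime       : _LARGE_INTEGER
   +0x620 Cid              : _CLIENT_ID
   +0x6b8 ThreadListEntry  : _LIST_ENTRY
""",
    "_KTHREAD": """\
   +0x000 Header           : _DISPATCHER_HEADER
   +0x074 AutoAlignment    : Pos 0, 1 Bit
   +0x0f0 Teb              : Ptr64 Void
   +0x220 Process          : Ptr64 _KPROCESS
   +0x2f8 ThreadListEntry  : _LIST_ENTRY
""",
}


class Field(NamedTuple):
    offset: int
    name: str
    type_name: str


# One dt field line, e.g. "   +0x5e0 ThreadListHead   : _LIST_ENTRY"
_FIELD_RE = re.compile(r"^\s*\+0x([0-9a-fA-F]+)\s+(\w+)\s*:\s*(.*?)\s*$")


def parse_dt(text: str) -> Dict[str, Field]:
    """Parse one dt dump into {field name: Field}; non-field lines are skipped."""
    fields: Dict[str, Field] = {}
    for line in text.splitlines():
        m = _FIELD_RE.match(line)
        if m:
            fields[m.group(2)] = Field(int(m.group(1), 16), m.group(2), m.group(3))
    return fields


def parse_all(dumps: Dict[str, str]) -> Dict[str, Dict[str, Field]]:
    return {type_name: parse_dt(text) for type_name, text in dumps.items()}


def resolve_offset(layouts: Dict[str, Dict[str, Field]], type_name: str, path: str) -> int:
    """Offset of a dotted path like "Tcb.ThreadListEntry" inside type_name.
    Only embedded sub-structures can be descended into: a "Ptr64 _X" field points
    at a separate object (e.g. Peb), so the path may not continue through it."""
    offset, current = 0, type_name
    parts = path.split(".")
    for i, part in enumerate(parts):
        field = layouts[current][part]
        offset += field.offset
        if i < len(parts) - 1:
            if field.type_name.startswith("Ptr") or field.type_name not in layouts:
                raise ValueError(f"{current}.{part} ({field.type_name}) is not embedded")
            current = field.type_name
    return offset


def containing_record(entry_address: int, layouts, type_name: str, path: str) -> int:
    """The kernel's CONTAINING_RECORD: a Flink points at the next node's link
    field, so the enclosing structure starts field-offset bytes earlier."""
    return entry_address - resolve_offset(layouts, type_name, path)


def walk_thread_list(read_flink: Callable[[int], int], eprocess: int, layouts,
                     limit: int = 64) -> List[int]:
    """Return the ETHREAD base addresses chained from EPROCESS.ThreadListHead.
    read_flink(addr) returns the Flink stored in the LIST_ENTRY at addr (a memory
    read in a debugger or forensic tool). limit stops a list that never returns
    to its head, as a corrupted list would."""
    head = eprocess + resolve_offset(layouts, "_EPROCESS", "ThreadListHead")
    threads: List[int] = []
    link = read_flink(head)
    while link != head and len(threads) < limit:
        threads.append(containing_record(link, layouts, "_ETHREAD", "ThreadListEntry"))
        link = read_flink(link)
    return threads


def demo() -> List[int]:
    """Walk a constructed two-thread process; all addresses here are made up."""
    layouts = parse_all(SAMPLE_DT_OUTPUT)
    eprocess = 0xFFFF800000100000
    ethreads = [0xFFFF800000200000, 0xFFFF800000300000]
    head = eprocess + resolve_offset(layouts, "_EPROCESS", "ThreadListHead")
    links = [t + resolve_offset(layouts, "_ETHREAD", "ThreadListEntry") for t in ethreads]
    memory = {head: links[0], links[0]: links[1], links[1]: head}  # Flink values
    return walk_thread_list(memory.__getitem__, eprocess, layouts)


if __name__ == "__main__":
    print([hex(t) for t in demo()])
```

The same arithmetic is what `dt -l` performs when you hand it a link field name: it reads the Flink, subtracts the field's offset to reach the next structure's base, and repeats, which is why the list walk lands on ETHREAD objects and not on the LIST_ENTRY fields embedded inside them.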

Process – EPROCESS, KPROCESS

THREAD – ETHREAD, KTHREAD

 
