The thread structure is defined in the ETHREAD. dt _ETHREAD, dt _KTHREAD When you run the command, as shown below, each structure definition ETHREADwill be able to check.

ETHTEADis an important field is as follows.

KTHREAD block:

KTHREAD data structure

Thread time information:

Thread creation and end times

Process identification:

The process IDand thread ID

The start address:

The address of the thread start routine

Impersonation information:

Access token impersonation level


This thread LPC message address


The pending IRP list

So let’s check out the entire structure of the ETHREAD.

kd> dt _ETHREAD

+0x000 Tcb : _KTHREAD  thread synchronization objects

+0x200 CreateTime : _LARGE_INTEGER  Thread creation time

+0x208 ExitTime : _LARGE_INTEGER  Thread termination time

+0x208 KeyedWaitChain : _LIST_ENTRY

+0x210 ExitStatus : Int4B

+0x214 PostBlockList : _LIST_ENTRY  County list of all objects that reference thread

+0x214 ForwardLinkShadow : Ptr32 Void

+0x218 StartAddress : Ptr32 Void  the actual thread start address

+0x21c TerminationPort : Ptr32 _TERMINATION_PORT

+0x21c ReaperLink : Ptr32 _ETHREAD

+0x21c KeyedWaitValue : Ptr32 Void

+0x220 ActiveTimerListLock : Uint4B

+0x224 ActiveTimerListHead : _LIST_ENTRY

+0x22c Cid : _CLIENT_ID  the process IDand thread IDcan be verified.

+0x234 KeyedWaitSemaphore : _KSEMAPHORE

+0x234 AlpcWaitSemaphore : _KSEMAPHORE

+0x248 ClientSecurity : _PS_CLIENT_SECURITY_CONTEXT

+0x24c IrpList : _LIST_ENTRY  IRP list thread running the County

+0x254 TopLevelIrp : Uint4B

+0x258 DeviceToVerify : Ptr32 _DEVICE_OBJECT

+0x25c CpuQuotaApc : Ptr32 _PSP_CPU_QUOTA_APC

+0x260 Win32StartAddress : Ptr32 Void  user mode thread start address

+0x264 LegacyPowerObject : Ptr32 Void

+0x268 ThreadListEntry : _LIST_ENTRY  A list of all threads in the process have

+0x270 RundownProtect : _EX_RUNDOWN_REF

+0x274 ThreadLock : _EX_PUSH_LOCK

+0x278 ReadClusterSize : Uint4B

+0x27c MmLockOrdering : Int4B

+0x280 CrossThreadFlags : Uint4B

+0x280 Terminated : Pos 0, 1 Bit

+0x280 ThreadInserted : Pos 1, 1 Bit

+0x280 HideFromDebugger : Pos 2, 1 Bit

+0x280 ActiveImpersonationInfo : Pos 3, 1 Bit

+0x280 Reserved : Pos 4, 1 Bit

+0x280 HardErrorsAreDisabled : Pos 5, 1 Bit

+0x280 BreakOnTermination : Pos 6, 1 Bit

+0x280 SkipCreationMsg : Pos 7, 1 Bit

+0x280 SkipTerminationMsg : Pos 8, 1 Bit

+0x280 CopyTokenOnOpen : Pos 9, 1 Bit

+0x280 ThreadIoPriority : Pos 10, 3 Bits  Threaded I/O priority

+0x280 ThreadPagePriority : Pos 13, 3 Bits  Thread page-priority

+0x280 RundownFail : Pos 16, 1 Bit

+0x280 NeedsWorkingSetAging : Pos 17, 1 Bit

+0x284 SameThreadPassiveFlags : Uint4B

+0x284 ActiveExWorker : Pos 0, 1 Bit

+0x284 ExWorkerCanWaitUser : Pos 1, 1 Bit

+0x284 MemoryMaker : Pos 2, 1 Bit

+0x284 ClonedThread : Pos 3, 1 Bit

+0x284 KeyedEventInUse : Pos 4, 1 Bit

+0x284 RateApcState : Pos 5, 2 Bits

+0x284 SelfTerminate : Pos 7, 1 Bit

+0x288 SameThreadApcFlags : Uint4B

+0x288 Spare : Pos 0, 1 Bit

+0x288 StartAddressInvalid : Pos 1, 1 Bit

+0x288 EtwPageFaultCalloutActive : Pos 2, 1 Bit

+0x288 OwnsProcessWorkingSetExclusive : Pos 3, 1 Bit

+0x288 OwnsProcessWorkingSetShared : Pos 4, 1 Bit

+0x288 OwnsSystemCacheWorkingSetExclusive : Pos 5, 1 Bit

+0x288 OwnsSystemCacheWorkingSetShared : Pos 6, 1 Bit

+0x288 OwnsSessionWorkingSetExclusive : Pos 7, 1 Bit

+0x289 OwnsSessionWorkingSetShared : Pos 0, 1 Bit

+0x289 OwnsProcessAddressSpaceExclusive : Pos 1, 1 Bit

+0x289 OwnsProcessAddressSpaceShared : Pos 2, 1 Bit

+0x289 SuppressSymbolLoad : Pos 3, 1 Bit

+0x289 Prefetching : Pos 4, 1 Bit  Landscape features from patching feature activation 3the presence.

+0x289 OwnsDynamicMemoryShared : Pos 5, 1 Bit

+0x289 OwnsChangeControlAreaExclusive : Pos 6, 1 Bit

+0x289 OwnsChangeControlAreaShared : Pos 7, 1 Bit

+0x28a OwnsPagedPoolWorkingSetExclusive : Pos 0, 1 Bit

+0x28a OwnsPagedPoolWorkingSetShared : Pos 1, 1 Bit

+0x28a OwnsSystemPtesWorkingSetExclusive : Pos 2, 1 Bit

+0x28a OwnsSystemPtesWorkingSetShared : Pos 3, 1 Bit

+0x28a TrimTrigger : Pos 4, 2 Bits

+0x28a Spare1 : Pos 6, 2 Bits

+0x28b PriorityRegionActive : UChar

+0x28c CacheManagerActive : UChar

+0x28d DisablePageFaultClustering : UChar

+0x28e ActiveFaultCount : UChar

+0x28f LockOrderState : UChar

+0x290 AlpcMessageId : Uint4B  ALPC Message ID

+0x294 AlpcMessage : Ptr32 Void  ALPC Message

+0x294 AlpcReceiveAttributeSet : Uint4B

+0x298 AlpcWaitListEntry : _LIST_ENTRY  ALPC Waiting list

+0x2a0 CacheManagerCount : Uint4B

+0x2a4 IoBoostCount : Uint4B

+0x2a8 IrpListLock : Uint4B

+0x2ac ReservedForSynchTracking : Ptr32 Void

+0x2b0 CmCallbackListHead : _SINGLE_LIST_ENTRY

+0x2b4 KernelStackReference : Uint4B

[The content] Windbg ETHREAD structure

A kernel thread scheduling each KTHREADhas the necessary information. My main structure field is as follows.

The dispatcher more:

To be able to operate with the default dispatcher Edith l-wife has header information.

Execution time:

CPUrunning on full time

Kernel stack information:

The base/top thread kernel stacks the County address

System service table information:

System service table address

Scheduling information:

Current priorities and quantum, scheduling information, such as the State of the

Pending block:

Thread creation: 4waiting block list as well.

Standby information:

Why wait time

MU Dex list:

This thread’s Mu Dex object list

APC queue:

APC waiting list

Timer block:

Built-in timer block 4is included in one of the waiting blocks.

Queue list:

The pointer of the thread using queue objects

TEB pointer:

Points to the location of the TEB.

Then check out the entire structure of a KTHREADlet.

kd> dt _KTHREAD

+0x000 Header : _DISPATCHER_HEADER  7check the contents related to Chief dispatcher header can be.

+0x010 CycleTime : Uint8B

+0x018 HighCycleTime : Uint4B

+0x020 QuantumTarget : Uint8B

+0x028 InitialStack : Ptr32 Void  The starting address of the stack

+0x02c StackLimit : Ptr32 Void  Limit the use of the stack address

+0x030 KernelStack : Ptr32 Void  Pointer to the location of the stack usage the County

+0x034 ThreadLock : Uint4B

+0x038 WaitRegister : _KWAIT_STATUS_REGISTER

+0x039 Running : UChar  Run status

+ 0x03a Alerted: [2] UChar  alarm

+0x03c KernelStackResident : Pos 0, 1 Bit

+0x03c ReadyTransition : Pos 1, 1 Bit

+0x03c ProcessReadyQueue : Pos 2, 1 Bit

+0x03c WaitNext : Pos 3, 1 Bit

+0x03c SystemAffinityActive : Pos 4, 1 Bit

+0x03c Alertable : Pos 5, 1 Bit  User APC is possible using

+0x03c GdiFlushActive : Pos 6, 1 Bit

+0x03c UserStackWalkActive : Pos 7, 1 Bit

+0x03c ApcInterruptRequest : Pos 8, 1 Bit

+0x03c ForceDeferSchedule : Pos 9, 1 Bit

+0x03c QuantumEndMigrate : Pos 10, 1 Bit

+0x03c UmsDirectedSwitchEnable : Pos 11, 1 Bit

+0x03c TimerActive : Pos 12, 1 Bit

+0x03c SystemThread : Pos 13, 1 Bit

+0x03c Reserved : Pos 14, 18 Bits

+0x03c MiscFlags : Int4B

+0x040 ApcState : _KAPC_STATE

+0x040 ApcStateFill : [23] UChar

+0x057 Priority : Char  Thread priority

+0x058 NextProcessor : Uint4B  Then be used as a processor run time

+0x05c DeferredProcessor : Uint4B  Delay processor

+0x060 ApcQueueLock : Uint4B

+0x064 ContextSwitches : Uint4B  Contextual switches count

+0x068 State : UChar  Thread state

+0x069 NpxState : Char

+0x06a WaitIrql : UChar

+0x06b WaitMode : Char

+0x06c WaitStatus : Int4B  Standby state

+0x070 WaitBlockList : Ptr32 _KWAIT_BLOCK

+0x074 WaitListEntry : _LIST_ENTRY  A list of waiting threads

+0x074 SwapListEntry : _SINGLE_LIST_ENTRY

+0x07c Queue : Ptr32 _KQUEUE  Queue list

+0x080 WaitTime : Uint4B  Standby time

+0x084 KernelApcDisable : Int2B  Use the kernel APC

+0x086 SpecialApcDisable : Int2B  Special APC use

+0x084 CombinedApcDisable : Uint4B

+0x088 Teb : Ptr32 Void  TEB pointer

+0x090 Timer : _KTIMER

+0x0b8 AutoAlignment : Pos 0, 1 Bit

+0x0b8 DisableBoost : Pos 1, 1 Bit

+0x0b8 EtwStackTraceApc1Inserted : Pos 2, 1 Bit

+0x0b8 EtwStackTraceApc2Inserted : Pos 3, 1 Bit

+0x0b8 CalloutActive : Pos 4, 1 Bit

+0x0b8 ApcQueueable : Pos 5, 1 Bit

+0x0b8 EnableStackSwap : Pos 6, 1 Bit

+0x0b8 GuiThread : Pos 7, 1 Bit

+0x0b8 UmsPerformingSyscall : Pos 8, 1 Bit

+0x0b8 VdmSafe : Pos 9, 1 Bit

+0x0b8 UmsDispatched : Pos 10, 1 Bit

+0x0b8 ReservedFlags : Pos 11, 21 Bits

+0x0b8 ThreadFlags : Int4B

+0x0bc ServiceTable : Ptr32 Void

+0x0c0 WaitBlock : [4] _KWAIT_BLOCK

+0x120 QueueListEntry : _LIST_ENTRY  Queue list

+0x128 TrapFrame : Ptr32 _KTRAP_FRAME  Exception caught in the trap to be used when the frame pointer

+0x12c FirstArgument : Ptr32 Void

+0x130 CallbackStack : Ptr32 Void

+0x130 CallbackDepth : Uint4B

+0x134 ApcStateIndex : UChar

+0x135 BasePriority : Char  The base priority of threads

+0x136 PriorityDecrement : Char

+0x136 ForegroundBoost : Pos 0, 4 Bits

+0x136 UnusualBoost : Pos 4, 4 Bits

+0x137 Preempted : UChar  It is set at have preempted.

+0x138 AdjustReason : UChar

+0x139 AdjustIncrement : Char

+0x13a PreviousMode : Char

+0x13b Saturation : Char

+0x13c SystemCallNumber : Uint4B

+0x140 FreezeCount : Uint4B  The number of waiting

+0x144 UserAffinity : _GROUP_AFFINITY

+0x150 Process : Ptr32 _KPROCESS  Pointer to the KPROCESS of the process the thread belongs

+0x154 Affinity : _GROUP_AFFINITY  The preferred processor

+0x160 IdealProcessor : Uint4B

+0x164 UserIdealProcessor : Uint4B

+0x168 ApcStatePointer : [2] Ptr32 _KAPC_STATE

+0x170 SavedApcState : _KAPC_STATE

+0x170 SavedApcStateFill : [23] UChar

+0x187 WaitReason : UChar

+0x188 SuspendCount : Char  Suspend count

+0x189 Spare1 : Char

+0x18a OtherPlatformFill : UChar

+0x18c Win32Thread : Ptr32 Void  User mode thread address

+0x190 StackBase : Ptr32 Void  The stack base address

+0x194 SuspendApc : _KAPC

+0x194 SuspendApcFill0 : [1] UChar

+0x195 ResourceIndex : UChar

+0x194 SuspendApcFill1 : [3] UChar

+0x197 QuantumReset : UChar  A quantum value is assigned to a thread 6County chapter deals.

+0x194 SuspendApcFill2 : [4] UChar

+0x198 KernelTime : Uint4B  County of threads in kernel mode execution time

+0x194 SuspendApcFill3 : [36] UChar

+0x1b8 WaitPrcb : Ptr32 _KPRCB

+0x194 SuspendApcFill4 : [40] UChar

+0x1bc LegoData : Ptr32 Void

+0x194 SuspendApcFill5 : [47] UChar

+0x1c3 LargeStack : UChar

+0x1c4 UserTime : Uint4B  County of thread execution time in user mode

+0x1c8 SuspendSemaphore : _KSEMAPHORE

+0x1c8 SuspendSemaphorefill : [20] UChar

+0x1dc SListFaultCount : Uint4B

+0x1e0 ThreadListEntry : _LIST_ENTRY  A list of all threads in the process have

+0x1e8 MutantListHead : _LIST_ENTRY

+0x1f0 SListFaultAddress : Ptr32 Void

+0x1f4 ThreadCounters : Ptr32 _KTHREAD_COUNTERS

+0x1f8 XStateSave : Ptr32 _XSTATE_SAVE

[Content] Windbg KTHREAD structure

The information in each of the threads TEB Windbg command ! thread command, you can make it through.

Check out this information in the process of thread scheduling status were being processed by the thread, I wonder if the information can be verified.

// First, check out the process information, PEB let’s check the address.
Kd> !process 81c9a458

PROCESS 81c9a458 SessionId: 0 Cid: 0284 Peb: 7ffd6000 ParentCid: 01a4

DirBase: 0af6e000 ObjectTable: e12e4bb0 HandleCount: 462.

Image: csrss.exe

VadRoot 81e7d940 Vads 94 Clone 0 Private 308. Modified 405. Locked 0.

DeviceMap e10087c0

Token e141d990

ElapsedTime 00:28:24.259

UserTime 00:00:00.440

KernelTime 00:00:00.280

QuotaPoolUsage[PagedPool] 56760

QuotaPoolUsage[NonPagedPool] 4840

Working Set Sizes (now,min,max) (970, 50, 345) (3880KB, 200KB, 1380KB)

PeakWorkingSetSize 979

VirtualSize 33 Mb

PeakVirtualSize 46 Mb

PageFaultCount 1907

MemoryPriority BACKGROUND

BasePriority 13

CommitCharge 386

// Currently running in the process and outputs with the thread information. TEB call handling of location and thread stack information can make.

THREAD 81e1bda8 Cid 0284.028c Teb: 7ffde000 Win32Thread: 00000000 WAIT: (WrLpcReply) UserMode Non-Alertable

81e1bf9c Semaphore Limit 0x1

Waiting for reply to LPC MessageId 00000cf6:

Current LPC port e1084758

Not impersonating

DeviceMap e10087c0

Owning Process 0 Image: <Unknown>

Attached Process 81c9a458 Image: csrss.exe

Wait Start TickCount 7312 Ticks: 163500 (0:00:27:17.354)

Context Switch Count 4

UserTime 00:00:00.000

KernelTime 00:00:00.000

Start Address 0x764c7d63

Stack Init f89e4000 Current f89e3c50 Base f89e4000 Limit f89e1000 Call 0

Priority 15 BasePriority 15 PriorityDecrement 0 DecrementCount 0

Kernel stack not resident.

ChildEBP RetAddr

f89e3c68 804de0f7 nt! KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])

f89e3c74 804de143 nt! KiSwapThread+0x46 (FPO: [0,0,0])

f89e3c9c 80578fc6 nt! KeWaitForSingleObject+0x1c2 (FPO: [Non-Fpo])

f89e3d50 804e07ec nt! NtRequestWaitReplyPort+0x63d (FPO: [Non-Fpo])

f89e3d50 7c93e4f4 nt! KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ f89e3d64)

0050fff4 00000000 ntdll! KiFastSystemCallRet (FPO: [0,0,0])

[Contents] Windbgfrom the ! process command identified by the PEB, TEB address

If you want to check the contents of the structure of a specific process that you want to make and enter the corresponding structures and structure fields to fill in the memory locations.

For example, if you want to check the name of the image file, if you enter as shown below. The value entered in the field can be found. If you do not specify a particular field that is defined in each structure can see the entire contents of the.

dt nt!_EPROCESS ImageFileName 0x81bde940

[Content] dt command


[Figure] Windbg EPROCESS structure is identified in some

This is also used a lot of debugging, Windbg’s command and is one of the powerful features with the mastery of your own that you can digest and, continue to see a lot of Windows facing the inside of the. (Not sure if each structure is like finding a needle in the sand.)

Dt (Display Type) to use

Windbg dtcommand that is supported by earlier seemed to have the baby, and understands the inside of the Windows kernel, you’ve got to make sure your data is one of the commonly used commands. Continue dt dtcommand came up with some useful options that are available will be bear home.

-b : To check the structures and substructures are also shown associated with the.

// dt –b Command checks at a time until the PCB structure can.
kd> dt -b _EPROCESS


+0x000 Pcb : _KPROCESS

+0x000 Header : _DISPATCHER_HEADER

+0x000 Type : UChar

+0x001 Absolute : UChar

+0x002 Size : UChar

+0x003 Inserted : UChar

+0x004 SignalState : Int4B

+0x008 WaitListHead : _LIST_ENTRY

+0x000 Flink : Ptr32

+0x004 Blink : Ptr32

+0x010 ProfileListHead : _LIST_ENTRY

+0x000 Flink : Ptr32

+0x004 Blink : Ptr32

+0x018 DirectoryTableBase : Uint4B

+0x020 LdtDescriptor : _KGDTENTRY

+0x000 LimitLow : Uint2B

+0x002 BaseLow : Uint2B

+0x004 HighWord : __unnamed

+0x000 Bytes : __unnamed

+0x000 BaseMid : UChar

+0x001 Flags1 : UChar

+0x002 Flags2 : UChar

+0x003 BaseHi : UChar

+0x000 Bits : __unnamed

+0x000 BaseMid : Pos 0, 8 Bits

+0x000 Type : Pos 8, 5 Bits

+0x000 Dpl : Pos 13, 2 Bits

+0x000 Pres : Pos 15, 1 Bit

+0x000 LimitHi : Pos 16, 4 Bits

+0x000 Sys : Pos 20, 1 Bit

[Content] substructures

-d : At the end of the structure you want to make when you search through the search *s displays the type of structure that gives.

kd> dt -d nt!_EPRO*
struct _EPROCESS, 107 elements, 0x260 bytes

+0x000 Pcb : struct _KPROCESS, 29 elements, 0x6c bytes

+0x06c ProcessLock : struct _EX_PUSH_LOCK, 5 elements, 0x4 bytes

+0x070 CreateTime : union _LARGE_INTEGER, 4 elements, 0x8 bytes

+0x078 ExitTime : union _LARGE_INTEGER, 4 elements, 0x8 bytes

+0x080 RundownProtect : struct _EX_RUNDOWN_REF, 2 elements, 0x4 bytes

+0x084 UniqueProcessId : Ptr32 to Void

+0x088 ActiveProcessLinks : struct _LIST_ENTRY, 2 elements, 0x8 bytes

+0x090 QuotaUsage : [3] Uint4B

+0x09c QuotaPeak : [3] Uint4B

+0x0a8 CommitCharge : Uint4B

+0x0ac PeakVirtualSize : Uint4B

+0x0b0 VirtualSize : Uint4B

….. Omission

+0x258 Cookie : Uint4B

struct _EPROCESS_QUOTA_BLOCK, 4 elements, 0x40 bytes

+0x000 QuotaEntry : [3] struct _EPROCESS_QUOTA_ENTRY, 4 elements, 0x10 bytes

+0x030 QuotaList : struct _LIST_ENTRY, 2 elements, 0x8 bytes

+0x038 ReferenceCount : Uint4B

+0x03c ProcessCount : Uint4B

struct _EPROCESS_QUOTA_ENTRY, 4 elements, 0x10 bytes

+0x000 Usage : Uint4B

+0x004 Limit : Uint4B

+0x008 Peak : Uint4B

// nt! EPROdisplays all structure

kd> dt nt!_EPRO*




[Content] Windbgstructure search

-r : To check the structure and displays the associated sub structures, you can specify the depth numbers.

kd> dt -r5 _EPROCESS

+0x000 Pcb : _KPROCESS

+0x000 Header : _DISPATCHER_HEADER

+0x000 Type : UChar

+0x001 Absolute : UChar

+0x002 Size : UChar

+0x003 Inserted : UChar

+0x004 SignalState : Int4B

+0x008 WaitListHead : _LIST_ENTRY

+0x000 Flink : Ptr32 _LIST_ENTRY

+0x000 Flink : Ptr32 _LIST_ENTRY

+0x000 Flink : Ptr32 _LIST_ENTRY

+0x004 Blink : Ptr32 _LIST_ENTRY

+0x004 Blink : Ptr32 _LIST_ENTRY

+0x000 Flink : Ptr32 _LIST_ENTRY

+0x004 Blink : Ptr32 _LIST_ENTRY

+0x004 Blink : Ptr32 _LIST_ENTRY

+0x000 Flink : Ptr32 _LIST_ENTRY

+0x000 Flink : Ptr32 _LIST_ENTRY

+0x004 Blink : Ptr32 _LIST_ENTRY

+0x004 Blink : Ptr32 _LIST_ENTRY

+0x000 Flink : Ptr32 _LIST_ENTRY

+0x004 Blink : Ptr32 _LIST_ENTRY

… Omission

[Contents] it is possible to confirm the details until the sub structure

-Shut the box-

Until now, the unit of work used by the operating system processes and threads associated with a physical structure, theory and practice about the relationship to each other. Maybe it’s on right now is to understand the contents of the will. Here, these structures are only a relationship with processes and threads to understand and I hope we can proceed. Processes and threads Windows work as long as all of the above fields are regularly let out is, naturally, you will become familiar with. And then proceed to information processors is expected to proceed for.

And I understand this process and the thread structure below the functions, easy to understand about each structure will be able to do.

Windows kernel internal structure that enough to manage directly with hardware processing, CPU, memory, such as a hardware control and are closely related. Therefore, they need to understand about the way the behavior of the use is, the most important part of those threads to handle requests from theCPUcan be called. In order to understand the CPU CPUstack structure used to store data from about must understand, in order to understand how you stack, the language should be understood with the Assembly. (The program is also used to reverse engineer the Assembly.) Stack is a CPUthat are used by the data processing the required values in the archive, by a mechanism for future station analysis and relationship. You’ve got to understand the internal structure and reverse engineer the window stack does not understand the internal structure as well as the window station, proceed to difficult to analyze. (CPUdoes not understand, of course, an internal process to debug a station is not understand the analysis.) Also in the stack and registers the book so many reverse engineer, Assembly language is not left out each time for.

This book also would subtract this part. Just understand the basics by minimizing their contents quickly began working to configure.
Well first CPU processing and storing data, let’s take a look at for the registers.

Facebook Comments

Leave A Reply

이메일은 공개되지 않습니다. 필수 입력창은 * 로 표시되어 있습니다.