Process / thread structure of the Windows kernel

Processes and threads

Process structure

Take care to distinguish the PEB (ring 3) from EPROCESS (ring 0).

There are many structures and we cannot learn all of them, so it is enough to pick out the key points and study the members that matter most to program execution.

_EPROCESS

ntdll!_EPROCESS

   +0x000 Pcb              : _KPROCESS
   +0x06c ProcessLock      : _EX_PUSH_LOCK
   +0x070 CreateTime       : _LARGE_INTEGER
   +0x078 ExitTime         : _LARGE_INTEGER
   +0x080 RundownProtect   : _EX_RUNDOWN_REF
   +0x084 UniqueProcessId  : Ptr32 Void
   +0x088 ActiveProcessLinks : _LIST_ENTRY
   +0x090 QuotaUsage       : [3] Uint4B
   +0x09c QuotaPeak        : [3] Uint4B
   +0x0a8 CommitCharge     : Uint4B
   +0x0ac PeakVirtualSize  : Uint4B
   +0x0b0 VirtualSize      : Uint4B
   +0x0b4 SessionProcessLinks : _LIST_ENTRY
   +0x0bc DebugPort        : Ptr32 Void
   +0x0c0 ExceptionPort    : Ptr32 Void
   +0x0c4 ObjectTable      : Ptr32 _HANDLE_TABLE
   +0x0c8 Token            : _EX_FAST_REF
   +0x0cc WorkingSetLock   : _FAST_MUTEX
   +0x0ec WorkingSetPage   : Uint4B
   +0x0f0 AddressCreationLock : _FAST_MUTEX
   +0x110 HyperSpaceLock   : Uint4B
   +0x114 ForkInProgress   : Ptr32 _ETHREAD
   +0x118 HardwareTrigger  : Uint4B
   +0x11c VadRoot          : Ptr32 Void
   +0x120 VadHint          : Ptr32 Void
   +0x124 CloneRoot        : Ptr32 Void
   +0x128 NumberOfPrivatePages : Uint4B
   +0x12c NumberOfLockedPages : Uint4B
   +0x130 Win32Process     : Ptr32 Void
   +0x134 Job              : Ptr32 _EJOB
   +0x138 SectionObject    : Ptr32 Void
   +0x13c SectionBaseAddress : Ptr32 Void
   +0x140 QuotaBlock       : Ptr32 _EPROCESS_QUOTA_BLOCK
   +0x144 WorkingSetWatch  : Ptr32 _PAGEFAULT_HISTORY
   +0x148 Win32WindowStation : Ptr32 Void
   +0x14c InheritedFromUniqueProcessId : Ptr32 Void
   +0x150 LdtInformation   : Ptr32 Void
   +0x154 VadFreeHint      : Ptr32 Void
   +0x158 VdmObjects       : Ptr32 Void
   +0x15c DeviceMap        : Ptr32 Void
   +0x160 PhysicalVadList  : _LIST_ENTRY
   +0x168 PageDirectoryPte : _HARDWARE_PTE_X86
   +0x168 Filler           : Uint8B
   +0x170 Session          : Ptr32 Void
   +0x174 ImageFileName    : [16] UChar
   +0x184 JobLinks         : _LIST_ENTRY
   +0x18c LockedPagesList  : Ptr32 Void
   +0x190 ThreadListHead   : _LIST_ENTRY
   +0x198 SecurityPort     : Ptr32 Void
   +0x19c PaeTop           : Ptr32 Void
   +0x1a0 ActiveThreads    : Uint4B
   +0x1a4 GrantedAccess    : Uint4B
   +0x1a8 DefaultHardErrorProcessing : Uint4B
   +0x1ac LastThreadExitStatus : Int4B
   +0x1b0 Peb              : Ptr32 _PEB
   +0x1b4 PrefetchTrace    : _EX_FAST_REF
   +0x1b8 ReadOperationCount : _LARGE_INTEGER
   +0x1c0 WriteOperationCount : _LARGE_INTEGER
   +0x1c8 OtherOperationCount : _LARGE_INTEGER
   +0x1d0 ReadTransferCount : _LARGE_INTEGER
   +0x1d8 WriteTransferCount : _LARGE_INTEGER
   +0x1e0 OtherTransferCount : _LARGE_INTEGER
   +0x1e8 CommitChargeLimit : Uint4B
   +0x1ec CommitChargePeak : Uint4B
   +0x1f0 AweInfo          : Ptr32 Void
   +0x1f4 SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO
   +0x1f8 Vm               : _MMSUPPORT
   +0x238 LastFaultCount   : Uint4B
   +0x23c ModifiedPageCount : Uint4B
   +0x240 NumberOfVads     : Uint4B
   +0x244 JobStatus        : Uint4B
   +0x248 Flags            : Uint4B
   +0x248 CreateReported   : Pos 0, 1 Bit
   +0x248 NoDebugInherit   : Pos 1, 1 Bit
   +0x248 ProcessExiting   : Pos 2, 1 Bit
   +0x248 ProcessDelete    : Pos 3, 1 Bit
   +0x248 Wow64SplitPages  : Pos 4, 1 Bit
   +0x248 VmDeleted        : Pos 5, 1 Bit
   +0x248 OutswapEnabled   : Pos 6, 1 Bit
   +0x248 Outswapped       : Pos 7, 1 Bit
   +0x248 ForkFailed       : Pos 8, 1 Bit
   +0x248 HasPhysicalVad   : Pos 9, 1 Bit
   +0x248 AddressSpaceInitialized : Pos 10, 2 Bits
   +0x248 SetTimerResolution : Pos 12, 1 Bit
   +0x248 BreakOnTermination : Pos 13, 1 Bit
   +0x248 SessionCreationUnderway : Pos 14, 1 Bit
   +0x248 WriteWatch       : Pos 15, 1 Bit
   +0x248 ProcessInSession : Pos 16, 1 Bit
   +0x248 OverrideAddressSpace : Pos 17, 1 Bit
   +0x248 HasAddressSpace  : Pos 18, 1 Bit
   +0x248 LaunchPrefetched : Pos 19, 1 Bit
   +0x248 InjectInpageErrors : Pos 20, 1 Bit
   +0x248 VmTopDown        : Pos 21, 1 Bit
   +0x248 Unused3          : Pos 22, 1 Bit
   +0x248 Unused4          : Pos 23, 1 Bit
   +0x248 VdmAllowed       : Pos 24, 1 Bit
   +0x248 Unused           : Pos 25, 5 Bits
   +0x248 Unused1          : Pos 30, 1 Bit
   +0x248 Unused2          : Pos 31, 1 Bit
   +0x24c ExitStatus       : Int4B
   +0x250 NextPageColor    : Uint2B
   +0x252 SubSystemMinorVersion : UChar
   +0x253 SubSystemMajorVersion : UChar
   +0x252 SubSystemVersion : Uint2B
   +0x254 PriorityClass    : UChar
   +0x255 WorkingSetAcquiredUnsafe : UChar
   +0x258 Cookie           : Uint4B

_KPROCESS

ntdll!_KPROCESS
   +0x000 Header           : _DISPATCHER_HEADER
   +0x010 ProfileListHead  : _LIST_ENTRY
   +0x018 DirectoryTableBase : [2] Uint4B
   +0x020 LdtDescriptor    : _KGDTENTRY
   +0x028 Int21Descriptor  : _KIDTENTRY
   +0x030 IopmOffset       : Uint2B
   +0x032 Iopl             : UChar
   +0x033 Unused           : UChar
   +0x034 ActiveProcessors : Uint4B
   +0x038 KernelTime       : Uint4B
   +0x03c UserTime         : Uint4B
   +0x040 ReadyListHead    : _LIST_ENTRY
   +0x048 SwapListEntry    : _SINGLE_LIST_ENTRY
   +0x04c VdmTrapcHandler  : Ptr32 Void
   +0x050 ThreadListHead   : _LIST_ENTRY
   +0x058 ProcessLock      : Uint4B
   +0x05c Affinity         : Uint4B
   +0x060 StackCount       : Uint2B
   +0x062 BasePriority     : Char
   +0x063 ThreadQuantum    : Char
   +0x064 AutoAlignment    : UChar
   +0x065 State            : UChar
   +0x066 ThreadSeed       : UChar
   +0x067 DisableBoost     : UChar
   +0x068 PowerState       : UChar
   +0x069 DisableQuantum   : UChar
   +0x06a IdealNode        : UChar
   +0x06b Flags            : _KEXECUTE_OPTIONS
   +0x06b ExecuteOptions   : UChar

  • +0x000 Header : _DISPATCHER_HEADER
    "Waitable" objects such as a Mutex or an Event (WaitForSingleObject). Any structure that begins with this header, thread and process included, is a waitable object

  • +0x018 DirectoryTableBase : [2] Uint4B, the base address of the page directory table. When processes are switched, CR3 is loaded with the new process's value of this member, which completes the process switch

  • +0x038 KernelTime : Uint4B, running time in ring 0

  • +0x03c UserTime : Uint4B, running time in ring 3

  • +0x05c Affinity : Uint4B specifies which CPUs all threads of a process may run on. If the value is 1, all threads of this process can only run on CPU 0 (00000001). If the value is 3, they can run on CPU 0 and CPU 1 (00000011). If the value is 4, they can run on CPU 2 (00000100). If the value is 5, they can run on CPU 0 and CPU 2 (00000101). The field is 4 bytes, 32 bits in total, so the maximum is 32 cores; on 64-bit Windows, 64 cores. If there is only one CPU and this is set to 4, the process will die, since it has no CPU it is allowed to run on

  • +0x062 BasePriority : Char, the base priority, i.e. the lowest priority of all threads in the process
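As an added example (not from the original post), the following C code decodes an Affinity mask the way the text describes and checks it against the number of CPUs actually present, covering the single-CPU failure case; AFFINITY_BITS, affinity_cpus, active_processor_mask and affinity_is_runnable are names chosen here, not kernel APIs.

```c
#include <stdint.h>
#include <stdio.h>

/* Width of the mask: 32 on 32-bit Windows (Affinity is Uint4B in the dump above),
 * 64 on 64-bit. Constructed helper for this example. */
#define AFFINITY_BITS 32

/* Decode an Affinity mask into CPU numbers: bit n set means the process's
 * threads may run on CPU n. Returns how many CPU numbers were written. */
int affinity_cpus(uint32_t mask, int *cpus, int max_cpus) {
    int n = 0;
    for (int bit = 0; bit < AFFINITY_BITS && n < max_cpus; bit++)
        if (mask & (1u << bit))
            cpus[n++] = bit;
    return n;
}

/* Mask of the CPUs that exist on a machine with ncpus processors. */
uint32_t active_processor_mask(int ncpus) {
    if (ncpus >= AFFINITY_BITS) return 0xFFFFFFFFu;
    if (ncpus <= 0) return 0;
    return (1u << ncpus) - 1u;
}

/* The failure mode in the text: an affinity that names no existing CPU leaves
 * the process with nowhere to run. Returns 1 if at least one requested CPU exists. */
int affinity_is_runnable(uint32_t mask, int ncpus) {
    return (mask & active_processor_mask(ncpus)) != 0;
}

int main(void) {
    const uint32_t samples[] = { 1, 3, 4, 5 };   /* the values walked through above */
    for (int i = 0; i < 4; i++) {
        int cpus[AFFINITY_BITS];
        int n = affinity_cpus(samples[i], cpus, AFFINITY_BITS);
        printf("Affinity=%u -> CPUs:", samples[i]);
        for (int j = 0; j < n; j++) printf(" %d", cpus[j]);
        printf("  runnable on a single-CPU machine: %s\n",
               affinity_is_runnable(samples[i], 1) ? "yes" : "no");
    }
    return 0;
}
```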

Other important members

  • +0x070 CreateTime : _LARGE_INTEGER
    +0x078 ExitTime : _LARGE_INTEGER
    These two members are the process creation time and the process exit time, respectively

  • +0x084 UniqueProcessId : Ptr32 Void stores the process PID

  • +0x088 ActiveProcessLinks : _LIST_ENTRY, a doubly-linked list. All active processes are linked together into one list, and PsActiveProcessHead points to the global list head (the operating system places the address of every process in this doubly-linked list)

  • Note: there is an error in the figure referred to here. The command should be dd PsActiveProcessHead, not dt

  • +0x090 QuotaUsage : [3] Uint4B
    +0x09c QuotaPeak : [3] Uint4B
    Stores information related to physical pages, and which physical pages are used by the current process

  • +0x0a8 CommitCharge : Uint4B
    +0x0ac PeakVirtualSize : Uint4B
    +0x0b0 VirtualSize : Uint4B
    Virtual memory related statistics

  • +0x11c VadRoot : Ptr32 Void
    This member points to a balanced binary tree
    that records which addresses in the lower 2 GB (0-2G) are not occupied

  • +0x0bc DebugPort : Ptr32 Void
    +0x0c0 ExceptionPort : Ptr32 Void
    Debugging related

  • +0x0c4 ObjectTable : Ptr32 _HANDLE_TABLE. A process may also hold other kernel objects; this is the handle table, which stores the addresses of the other kernel objects the process uses

  • +0x174 ImageFileName : [16] UChar
    Current process image filename

  • +0x1a0 ActiveThreads : Uint4B
    Number of threads in process

  • +0x1b0 Peb : Ptr32 _PEB
    The PEB (Process Environment Block) is the ring 3 structure of a process; it contains information such as the process's module list and whether it is being debugged
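An added example, not from the original post, that models the ActiveProcessLinks chain described above: each Flink addresses the embedded LIST_ENTRY, not the start of the EPROCESS, so the enclosing object is recovered by subtracting the field's offset, which is why dd PsActiveProcessHead rather than dt is the right command. MOCK_EPROCESS, the process names and the PIDs are constructed for the example, and the field offsets on the host differ from the 32-bit dump.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* LIST_ENTRY as the kernel lays it out: Flink and Blink, embedded in the object. */
typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;
    struct _LIST_ENTRY *Blink;
} LIST_ENTRY;

/* Recover the object that embeds a LIST_ENTRY by subtracting the field's offset. */
#define CONTAINING_RECORD(addr, type, field) \
    ((type *)((char *)(addr) - offsetof(type, field)))

/* Constructed stand-in for _EPROCESS: the members used here, in dump order;
 * host offsets differ from the 32-bit dump above because pointers are wider. */
typedef struct _MOCK_EPROCESS {
    uint8_t    Pcb[0x84];           /* stands in for _KPROCESS and the locks */
    uintptr_t  UniqueProcessId;     /* +0x084 in the dump */
    LIST_ENTRY ActiveProcessLinks;  /* +0x088 in the dump, chained from PsActiveProcessHead */
    char       ImageFileName[16];   /* +0x174 in the dump */
} MOCK_EPROCESS;

void InitializeListHead(LIST_ENTRY *head) { head->Flink = head->Blink = head; }

void InsertTailList(LIST_ENTRY *head, LIST_ENTRY *entry) {
    entry->Flink = head;  entry->Blink = head->Blink;
    head->Blink->Flink = entry;  head->Blink = entry;
}

/* Walk from the head until the chain wraps back to it. */
int count_active_processes(const LIST_ENTRY *head) {
    int n = 0;
    for (const LIST_ENTRY *e = head->Flink; e != head; e = e->Flink) n++;
    return n;
}

/* Each Flink addresses an ActiveProcessLinks field, not an EPROCESS, so
 * CONTAINING_RECORD is needed before any EPROCESS member can be read. */
const char *image_name_by_pid(LIST_ENTRY *head, uintptr_t pid) {
    for (LIST_ENTRY *e = head->Flink; e != head; e = e->Flink) {
        MOCK_EPROCESS *p = CONTAINING_RECORD(e, MOCK_EPROCESS, ActiveProcessLinks);
        if (p->UniqueProcessId == pid)
            return p->ImageFileName;
    }
    return NULL;
}

/* Constructed sample: three processes with made-up PIDs, in creation order. */
LIST_ENTRY PsActiveProcessHead;
MOCK_EPROCESS g_procs[3];

LIST_ENTRY *build_sample_list(void) {
    static const char *names[] = { "System", "smss.exe", "csrss.exe" };
    static const uintptr_t pids[] = { 4, 368, 592 };
    InitializeListHead(&PsActiveProcessHead);
    for (int i = 0; i < 3; i++) {
        memset(&g_procs[i], 0, sizeof g_procs[i]);
        g_procs[i].UniqueProcessId = pids[i];
        strncpy(g_procs[i].ImageFileName, names[i], 15);
        InsertTailList(&PsActiveProcessHead, &g_procs[i].ActiveProcessLinks);
    }
    return &PsActiveProcessHead;
}

int main(void) {
    LIST_ENTRY *head = build_sample_list();
    printf("%d active processes\n", count_active_processes(head));
    for (LIST_ENTRY *e = head->Flink; e != head; e = e->Flink) {
        MOCK_EPROCESS *p = CONTAINING_RECORD(e, MOCK_EPROCESS, ActiveProcessLinks);
        /* e is the link address a dd walk shows; p = e - offsetof(ActiveProcessLinks). */
        printf("  link %p -> EPROCESS %p pid=%lu %s\n", (void *)e, (void *)p,
               (unsigned long)p->UniqueProcessId, p->ImageFileName);
    }
    return 0;
}
```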

Thread structure ETHREAD

ETHREAD

kd> dt _ETHREAD
ntdll!_ETHREAD
   +0x000 Tcb              : _KTHREAD
   +0x1c0 CreateTime       : _LARGE_INTEGER
   +0x1c0 NestedFaultCount : Pos 0, 2 Bits
   +0x1c0 ApcNeeded        : Pos 2, 1 Bit
   +0x1c8 ExitTime         : _LARGE_INTEGER
   +0x1c8 LpcReplyChain    : _LIST_ENTRY
   +0x1c8 KeyedWaitChain   : _LIST_ENTRY
   +0x1d0 ExitStatus       : Int4B
   +0x1d0 OfsChain         : Ptr32 Void
   +0x1d4 PostBlockList    : _LIST_ENTRY
   +0x1dc TerminationPort  : Ptr32 _TERMINATION_PORT
   +0x1dc ReaperLink       : Ptr32 _ETHREAD
   +0x1dc KeyedWaitValue   : Ptr32 Void
   +0x1e0 ActiveTimerListLock : Uint4B
   +0x1e4 ActiveTimerListHead : _LIST_ENTRY
   +0x1ec Cid              : _CLIENT_ID
   +0x1f4 LpcReplySemaphore : _KSEMAPHORE
   +0x1f4 KeyedWaitSemaphore : _KSEMAPHORE
   +0x208 LpcReplyMessage  : Ptr32 Void
   +0x208 LpcWaitingOnPort : Ptr32 Void
   +0x20c ImpersonationInfo : Ptr32 _PS_IMPERSONATION_INFORMATION
   +0x210 IrpList          : _LIST_ENTRY
   +0x218 TopLevelIrp      : Uint4B
   +0x21c DeviceToVerify   : Ptr32 _DEVICE_OBJECT
   +0x220 ThreadsProcess   : Ptr32 _EPROCESS
   +0x224 StartAddress     : Ptr32 Void
   +0x228 Win32StartAddress : Ptr32 Void
   +0x228 LpcReceivedMessageId : Uint4B
   +0x22c ThreadListEntry  : _LIST_ENTRY
   +0x234 RundownProtect   : _EX_RUNDOWN_REF
   +0x238 ThreadLock       : _EX_PUSH_LOCK
   +0x23c LpcReplyMessageId : Uint4B
   +0x240 ReadClusterSize  : Uint4B
   +0x244 GrantedAccess    : Uint4B
   +0x248 CrossThreadFlags : Uint4B
   +0x248 Terminated       : Pos 0, 1 Bit
   +0x248 DeadThread       : Pos 1, 1 Bit
   +0x248 HideFromDebugger : Pos 2, 1 Bit
   +0x248 ActiveImpersonationInfo : Pos 3, 1 Bit
   +0x248 SystemThread     : Pos 4, 1 Bit
   +0x248 HardErrorsAreDisabled : Pos 5, 1 Bit
   +0x248 BreakOnTermination : Pos 6, 1 Bit
   +0x248 SkipCreationMsg  : Pos 7, 1 Bit
   +0x248 SkipTerminationMsg : Pos 8, 1 Bit
   +0x24c SameThreadPassiveFlags : Uint4B
   +0x24c ActiveExWorker   : Pos 0, 1 Bit
   +0x24c ExWorkerCanWaitUser : Pos 1, 1 Bit
   +0x24c MemoryMaker      : Pos 2, 1 Bit
   +0x250 SameThreadApcFlags : Uint4B
   +0x250 LpcReceivedMsgIdValid : Pos 0, 1 Bit
   +0x250 LpcExitThreadCalled : Pos 1, 1 Bit
   +0x250 AddressSpaceOwner : Pos 2, 1 Bit
   +0x254 ForwardClusterOnly : UChar
   +0x255 DisablePageFaultClustering : UChar

_KTHREAD

   +0x000 Header           : _DISPATCHER_HEADER
   +0x010 MutantListHead   : _LIST_ENTRY
   +0x018 InitialStack     : Ptr32 Void
   +0x01c StackLimit       : Ptr32 Void
   +0x020 Teb              : Ptr32 Void
   +0x024 TlsArray         : Ptr32 Void
   +0x028 KernelStack      : Ptr32 Void
   +0x02c DebugActive      : UChar
   +0x02d State            : UChar
   +0x02e Alerted          : [2] UChar
   +0x030 Iopl             : UChar
   +0x031 NpxState         : UChar
   +0x032 Saturation       : Char
   +0x033 Priority         : Char
   +0x034 ApcState         : _KAPC_STATE
   +0x04c ContextSwitches  : Uint4B
   +0x050 IdleSwapBlock    : UChar
   +0x051 Spare0           : [3] UChar
   +0x054 WaitStatus       : Int4B
   +0x058 WaitIrql         : UChar
   +0x059 WaitMode         : Char
   +0x05a WaitNext         : UChar
   +0x05b WaitReason       : UChar
   +0x05c WaitBlockList    : Ptr32 _KWAIT_BLOCK
   +0x060 WaitListEntry    : _LIST_ENTRY
   +0x060 SwapListEntry    : _SINGLE_LIST_ENTRY
   +0x068 WaitTime         : Uint4B
   +0x06c BasePriority     : Char
   +0x06d DecrementCount   : UChar
   +0x06e PriorityDecrement : Char
   +0x06f Quantum          : Char
   +0x070 WaitBlock        : [4] _KWAIT_BLOCK
   +0x0d0 LegoData         : Ptr32 Void
   +0x0d4 KernelApcDisable : Uint4B
   +0x0d8 UserAffinity     : Uint4B
   +0x0dc SystemAffinityActive : UChar
   +0x0dd PowerState       : UChar
   +0x0de NpxIrql          : UChar
   +0x0df InitialNode      : UChar
   +0x0e0 ServiceTable     : Ptr32 Void
   +0x0e4 Queue            : Ptr32 _KQUEUE
   +0x0e8 ApcQueueLock     : Uint4B
   +0x0f0 Timer            : _KTIMER
   +0x118 QueueListEntry   : _LIST_ENTRY
   +0x120 SoftAffinity     : Uint4B
   +0x124 Affinity         : Uint4B
   +0x128 Preempted        : UChar
   +0x129 ProcessReadyQueue : UChar
   +0x12a KernelStackResident : UChar
   +0x12b NextProcessor    : UChar
   +0x12c CallbackStack    : Ptr32 Void
   +0x130 Win32Thread      : Ptr32 Void
   +0x134 TrapFrame        : Ptr32 _KTRAP_FRAME
   +0x138 ApcStatePointer  : [2] Ptr32 _KAPC_STATE
   +0x140 PreviousMode     : Char
   +0x141 EnableStackSwap  : UChar
   +0x142 LargeStack       : UChar
   +0x143 ResourceIndex    : UChar
   +0x144 KernelTime       : Uint4B
   +0x148 UserTime         : Uint4B
   +0x14c SavedApcState    : _KAPC_STATE
   +0x164 Alertable        : UChar
   +0x165 ApcStateIndex    : UChar
   +0x166 ApcQueueable     : UChar
   +0x167 AutoAlignment    : UChar
   +0x168 StackBase        : Ptr32 Void
   +0x16c SuspendApc       : _KAPC
   +0x19c SuspendSemaphore : _KSEMAPHORE
   +0x1b0 ThreadListEntry  : _LIST_ENTRY
   +0x1b8 FreezeCount      : Char
   +0x1b9 SuspendCount     : Char
   +0x1ba IdealProcessor   : UChar
   +0x1bb DisableBoost     : UChar

  • +0x000 Header : _DISPATCHER_HEADER
    "Can wait" object

  • +0x018 InitialStack : Ptr32 Void
    +0x01c StackLimit : Ptr32 Void
    +0x028 KernelStack : Ptr32 Void
    Related to stack switching

  • +0x020 Teb : Ptr32 Void
    The TEB (Thread Environment Block), 4KB in size, is located in the user address space.
    FS:[0] -> TEB in ring 3; in ring 0, FS points to the KPCR

  • +0x02c DebugActive : UChar. If the value is -1, the debug registers Dr0-Dr7 cannot be used

  • +0x034 ApcState : _KAPC_STATE
    +0x0e8 ApcQueueLock : Uint4B
    +0x138 ApcStatePointer : [2] Ptr32 _KAPC_STATE
    +0x14c SavedApcState : _KAPC_STATE
    All related to APCs, which will be explained in a dedicated chapter later

  • +0x02d State : UChar
    Thread state: ready, waiting or running

  • +0x06c BasePriority : Char
    The base thread priority. Its initial value is the BasePriority of the process (KPROCESS->BasePriority); it can be changed later through the KeSetBasePriorityThread() function

  • +0x070 WaitBlock : [4] _KWAIT_BLOCK
    Records which object the thread is currently waiting on when it calls a wait function (WaitForSingleObject)

  • +0x0e0 ServiceTable :Ptr32 Void
    Base address pointing to system service table

  • +0x134 TrapFrame : Ptr32 _KTRAP_FRAME
    This should be familiar. When the current thread enters ring 0 from ring 3, the ring 3 registers are saved in the TrapFrame

  • +0x140 PreviousMode : Char
    Some kernel functions check this to tell whether the call came from ring 0 or from ring 3

  • +0x1b0 ThreadListEntry : _LIST_ENTRY
    All threads of a process are linked into a doubly-linked list, and this member is the link. There are two such lists in total

Other important members

  • +0x1ec Cid : _CLIENT_ID
    Stores the current thread ID and the ID of the owning process

  • +0x220 ThreadsProcess : Ptr32 _EPROCESS
    Points to the process (EPROCESS) that owns the current thread

  • +0x22c ThreadListEntry : _LIST_ENTRY
    It was said above that there are two such lists; this is the second one

CPU control area structure KPCR

KPCR: CPU control region
A running CPU also needs a structure in which to record some data; each CPU has one such structure.

The role of the KPCR: it holds a copy of information about the current thread.

  • When a thread enters ring 0, FS:[0] points to the KPCR (in ring 3, FS:[0] -> TEB)
  • Each CPU has its own KPCR structure (one per core)
  • The KPCR stores some important data of the CPU itself: GDT, IDT and thread-related information (view the KPCR structure in WinDbg)

nt!_KPCR
   +0x000 NtTib            : _NT_TIB
   +0x01c SelfPcr          : Ptr32 _KPCR
   +0x020 Prcb             : Ptr32 _KPRCB
   +0x024 Irql             : UChar
   +0x028 IRR              : Uint4B
   +0x02c IrrActive        : Uint4B
   +0x030 IDR              : Uint4B
   +0x034 KdVersionBlock   : Ptr32 Void
   +0x038 IDT              : Ptr32 _KIDTENTRY
   +0x03c GDT              : Ptr32 _KGDTENTRY
   +0x040 TSS              : Ptr32 _KTSS
   +0x044 MajorVersion     : Uint2B
   +0x046 MinorVersion     : Uint2B
   +0x048 SetMember        : Uint4B
   +0x04c StallScaleFactor : Uint4B
   +0x050 DebugActive      : UChar
   +0x051 Number           : UChar
   +0x052 Spare0           : UChar
   +0x053 SecondLevelCacheAssociativity : UChar
   +0x054 VdmAlert         : Uint4B
   +0x058 KernelReserved   : [14] Uint4B
   +0x090 SecondLevelCacheSize : Uint4B
   +0x094 HalReserved      : [16] Uint4B
   +0x0d4 InterruptMode    : Uint4B
   +0x0d8 Spare1           : UChar
   +0x0dc KernelReserved2  : [17] Uint4B
   +0x120 PrcbData         : _KPRCB

NT_TIB

Open the first member, the NtTib structure

ntdll!_NT_TIB
   +0x000 ExceptionList    : Ptr32 _EXCEPTION_REGISTRATION_RECORD
   +0x004 StackBase        : Ptr32 Void
   +0x008 StackLimit       : Ptr32 Void
   +0x00c SubSystemTib     : Ptr32 Void
   +0x010 FiberData        : Ptr32 Void
   +0x010 Version          : Uint4B
   +0x014 ArbitraryUserPointer : Ptr32 Void
   +0x018 Self             : Ptr32 _NT_TIB

  • +0x000 ExceptionList : Ptr32 _EXCEPTION_REGISTRATION_RECORD
    In ring 3 it points to the list of exception handling functions (the SEH chain); in ring 0 the exception handlers are also recorded here

Other important members

  • +0x01c SelfPcr : Ptr32 _KPCR
    Pointer to own structure

  • +0x020 Prcb : Ptr32 _KPRCB points to the extended structure PRCB. Although PrcbData could be found as _KPCR + its offset, that would stop working if the KPCR layout changed its offset one day; that is the purpose of this pointer member

  • +0x038 IDT : Ptr32 _KIDTENTRY
    +0x03c GDT : Ptr32 _KGDTENTRY
    Interrupt vector table and global descriptor table

  • +0x040 TSS : Ptr32 _KTSS, the task state segment. Each CPU has its own TSS structure (it always holds the ring 0 stack of the current thread)

  • +0x051 Number : UChar
    Current CPU number: 0,1,2,3,4,5

  • +0x120 PrcbData : _KPRCB
    Extended structure

KPRCB

ntdll!_KPRCB
   +0x000 MinorVersion     : Uint2B
   +0x002 MajorVersion     : Uint2B
   +0x004 CurrentThread    : Ptr32 _KTHREAD
   +0x008 NextThread       : Ptr32 _KTHREAD
   +0x00c IdleThread       : Ptr32 _KTHREAD
   +0x010 Number           : Char
   +0x011 Reserved         : Char
   +0x012 BuildType        : Uint2B
   +0x014 SetMember        : Uint4B
   +0x018 CpuType          : Char
   +0x019 CpuID            : Char
   +0x01a CpuStep          : Uint2B
   +0x01c ProcessorState   : _KPROCESSOR_STATE
   +0x33c KernelReserved   : [16] Uint4B
   +0x37c HalReserved      : [16] Uint4B
   +0x3bc PrcbPad0         : [92] UChar
   +0x418 LockQueue        : [16] _KSPIN_LOCK_QUEUE
   +0x498 PrcbPad1         : [8] UChar
   +0x4a0 NpxThread        : Ptr32 _KTHREAD
   +0x4a4 InterruptCount   : Uint4B
   +0x4a8 KernelTime       : Uint4B
   +0x4ac UserTime         : Uint4B
   +0x4b0 DpcTime          : Uint4B
   +0x4b4 DebugDpcTime     : Uint4B
   +0x4b8 InterruptTime    : Uint4B
   +0x4bc AdjustDpcThreshold : Uint4B
   +0x4c0 PageColor        : Uint4B
   +0x4c4 SkipTick         : Uint4B
   +0x4c8 MultiThreadSetBusy : UChar
   +0x4c9 Spare2           : [3] UChar
   +0x4cc ParentNode       : Ptr32 _KNODE
   +0x4d0 MultiThreadProcessorSet : Uint4B
   +0x4d4 MultiThreadSetMaster : Ptr32 _KPRCB
   +0x4d8 ThreadStartCount : [2] Uint4B
   +0x4e0 CcFastReadNoWait : Uint4B
   +0x4e4 CcFastReadWait   : Uint4B
   +0x4e8 CcFastReadNotPossible : Uint4B
   +0x4ec CcCopyReadNoWait : Uint4B
   +0x4f0 CcCopyReadWait   : Uint4B
   +0x4f4 CcCopyReadNoWaitMiss : Uint4B
   +0x4f8 KeAlignmentFixupCount : Uint4B
   +0x4fc KeContextSwitches : Uint4B
   +0x500 KeDcacheFlushCount : Uint4B
   +0x504 KeExceptionDispatchCount : Uint4B
   +0x508 KeFirstLevelTbFills : Uint4B
   +0x50c KeFloatingEmulationCount : Uint4B
   +0x510 KeIcacheFlushCount : Uint4B
   +0x514 KeSecondLevelTbFills : Uint4B
   +0x518 KeSystemCalls    : Uint4B
   +0x51c SpareCounter0    : [1] Uint4B
   +0x520 PPLookasideList  : [16] _PP_LOOKASIDE_LIST
   +0x5a0 PPNPagedLookasideList : [32] _PP_LOOKASIDE_LIST
   +0x6a0 PPPagedLookasideList : [32] _PP_LOOKASIDE_LIST
   +0x7a0 PacketBarrier    : Uint4B
   +0x7a4 ReverseStall     : Uint4B
   +0x7a8 IpiFrame         : Ptr32 Void
   +0x7ac PrcbPad2         : [52] UChar
   +0x7e0 CurrentPacket    : [3] Ptr32 Void
   +0x7ec TargetSet        : Uint4B
   +0x7f0 WorkerRoutine    : Ptr32 Void
   +0x7f4 IpiFrozen        : Uint4B
   +0x7f8 PrcbPad3         : [40] UChar
   +0x820 RequestSummary   : Uint4B
   +0x824 SignalDone       : Ptr32 _KPRCB
   +0x828 PrcbPad4         : [56] UChar
   +0x860 DpcListHead      : _LIST_ENTRY
   +0x868 DpcStack         : Ptr32 Void
   +0x86c DpcCount         : Uint4B
   +0x870 DpcQueueDepth    : Uint4B
   +0x874 DpcRoutineActive : Uint4B
   +0x878 DpcInterruptRequested : Uint4B
   +0x87c DpcLastCount     : Uint4B
   +0x880 DpcRequestRate   : Uint4B
   +0x884 MaximumDpcQueueDepth : Uint4B
   +0x888 MinimumDpcRate   : Uint4B
   +0x88c QuantumEnd       : Uint4B
   +0x890 PrcbPad5         : [16] UChar
   +0x8a0 DpcLock          : Uint4B
   +0x8a4 PrcbPad6         : [28] UChar
   +0x8c0 CallDpc          : _KDPC
   +0x8e0 ChainedInterruptList : Ptr32 Void
   +0x8e4 LookasideIrpFloat : Int4B
   +0x8e8 SpareFields0     : [6] Uint4B
   +0x900 VendorString     : [13] UChar
   +0x90d InitialApicId    : UChar
   +0x90e LogicalProcessorsPerPhysicalProcessor : UChar
   +0x910 MHz              : Uint4B
   +0x914 FeatureBits      : Uint4B
   +0x918 UpdateSignature  : _LARGE_INTEGER
   +0x920 NpxSaveArea      : _FX_SAVE_AREA
   +0xb30 PowerState       : _PROCESSOR_POWER_STATE

  • +0x004 CurrentThread : Ptr32 _KTHREAD
    +0x008 NextThread : Ptr32 _KTHREAD
    +0x00c IdleThread : Ptr32 _KTHREAD
    Which thread is currently running, which thread comes next during a thread switch, and which thread runs when there is nothing to switch to (the idle thread): that is the meaning of these three members

Waiting list and scheduling list

Waiting list

kd> dd KiWaitListHead

8055b008  81e6c3f8 81cb5080 00000011 00000000
8055b018  e57a42bd d6bf94d5 01000013 ffdff980
8055b028  ffdff980 804dd2cd 00000000 00010fbc
8055b038  00000000 ffdff9c0 8055b040 8055b040
8055b048  00000000 00000000 8055b050 8055b050
8055b058  00000000 00000000 00000000 81fb2b30
8055b068  00000000 00000000 00040001 00000000
8055b078  81fb2ba0 81fb2ba0 00000001 00000000

When a thread calls a function such as Sleep() or WaitForSingleObject(), it is linked into this list (this is how to see the waiting threads). Each of these addresses points to offset 0x60 of a thread (WaitListEntry).

33 linked lists

In fact, whatever state a thread is in, the operating system keeps it in one of these 33 linked lists.

Threads have three states: ready, waiting, and running.

The running thread is recorded in the KPCR; ready and waiting threads are all in the other 33 lists: one waiting list and 32 ready lists. All of these lists link the thread at the same position, _KTHREAD(0x060), which means that at any given moment a thread can belong to only one of these rings.

Therefore, +0x60 in the ETHREAD structure has two names:
   +0x060 WaitListEntry    : _LIST_ENTRY
   +0x060 SwapListEntry    : _SINGLE_LIST_ENTRY

How to view the ready list?

kd> dd KiDispatcherReadyListHead l70
8055baa0  8055baa0 8055baa0 8055baa8 8055baa8
8055bab0  8055bab0 8055bab0 8055bab8 8055bab8
8055bac0  8055bac0 8055bac0 8055bac8 8055bac8
8055bad0  8055bad0 8055bad0 8055bad8 8055bad8
8055bae0  8055bae0 8055bae0 8055bae8 8055bae8
8055baf0  8055baf0 8055baf0 8055baf8 8055baf8
8055bb00  8055bb00 8055bb00 8055bb08 8055bb08
8055bb10  8055bb10 8055bb10 8055bb18 8055bb18
8055bb20  8055bb20 8055bb20 8055bb28 8055bb28
8055bb30  8055bb30 8055bb30 8055bb38 8055bb38
8055bb40  8055bb40 8055bb40 8055bb48 8055bb48
8055bb50  8055bb50 8055bb50 8055bb58 8055bb58
8055bb60  8055bb60 8055bb60 8055bb68 8055bb68
8055bb70  8055bb70 8055bb70 8055bb78 8055bb78
8055bb80  8055bb80 8055bb80 8055bb88 8055bb88
8055bb90  8055bb90 8055bb90 8055bb98 8055bb98
8055bba0  00000000 00000000 00000000 00000000
8055bbb0  00000000 00000000 00000000 00000000
8055bbc0  00000000 00000000 00000000 00000000
8055bbd0  00000000 e1006000 00000000 00000000
8055bbe0  00000001 b286ac90 00000000 00040001
8055bbf0  00000000 8055bbf4 8055bbf4 00000000

You can count 32 list heads in total (each head is 8 bytes: the head node of a doubly-linked list is 8 bytes).

Version difference

XP has only one set of 33 lists, that is, only one array, even on a multi-core machine.

Win7 is the same, with only one set. On 64-bit there are 64 lists.

On server versions:

There is only one KiWaitListHead in the whole system, but there is one KiDispatcherReadyListHead array per CPU: as many arrays as there are CPUs.

Summary

1. The running thread is recorded in the KPCR.
2. Threads waiting to run are in the 32 scheduling lists (priority levels 0-31); KiDispatcherReadyListHead is the array holding the 32 list heads.
3. Threads in the waiting state are in the waiting list, KiWaitListHead.
4. All of these rings hook the thread at the same position: _KTHREAD(0X060).
5. There are as many KPCRs as CPUs, but always only one waiting list and one set of ready lists.
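An added example (not part of the original post) that models the summary above in C: 32 ready list heads, one wait list head and a KPCR slot for the running thread, with every thread linked through a single LIST_ENTRY so it can sit in only one of the 33 lists at a time. MOCK_KTHREAD, scheduler_init, make_ready, make_waiting and pick_next_ready are names chosen for this example; the state values follow the kernel's KTHREAD_STATE numbering.

```c
#include <stddef.h>
#include <stdio.h>

typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;
#define CONTAINING_RECORD(addr, type, field) \
    ((type *)((char *)(addr) - offsetof(type, field)))

enum { THREAD_READY = 1, THREAD_RUNNING = 2, THREAD_WAITING = 5 };  /* KTHREAD_STATE numbering */

/* Constructed stand-in for _KTHREAD with only the members the lists need.
 * Threads must start zero-initialised so an unqueued link reads as NULL. */
typedef struct _MOCK_KTHREAD {
    int        Priority;       /* 0-31, selects the ready list (+0x033 in the dump) */
    int        State;          /* +0x02d in the dump */
    LIST_ENTRY WaitListEntry;  /* the single link at +0x060 shared by all 33 lists */
} MOCK_KTHREAD;

#define NUM_PRIORITIES 32
LIST_ENTRY KiDispatcherReadyListHead[NUM_PRIORITIES];  /* 32 heads, 8 bytes each on x86 */
LIST_ENTRY KiWaitListHead;
MOCK_KTHREAD *KpcrCurrentThread;   /* stands in for KPCR -> Prcb -> CurrentThread */

void InitializeListHead(LIST_ENTRY *h) { h->Flink = h->Blink = h; }
void InsertTailList(LIST_ENTRY *h, LIST_ENTRY *e) {
    e->Flink = h;  e->Blink = h->Blink;  h->Blink->Flink = e;  h->Blink = e;
}
void RemoveEntryList(LIST_ENTRY *e) {
    e->Blink->Flink = e->Flink;  e->Flink->Blink = e->Blink;  e->Flink = e->Blink = NULL;
}

void scheduler_init(void) {
    for (int i = 0; i < NUM_PRIORITIES; i++) InitializeListHead(&KiDispatcherReadyListHead[i]);
    InitializeListHead(&KiWaitListHead);
    KpcrCurrentThread = NULL;
}

void make_ready(MOCK_KTHREAD *t) {
    if (t->WaitListEntry.Flink) RemoveEntryList(&t->WaitListEntry);  /* one link: leave any list first */
    t->State = THREAD_READY;
    InsertTailList(&KiDispatcherReadyListHead[t->Priority & (NUM_PRIORITIES - 1)], &t->WaitListEntry);
}

/* What Sleep() or WaitForSingleObject() leads to: the thread moves to KiWaitListHead. */
void make_waiting(MOCK_KTHREAD *t) {
    if (t->WaitListEntry.Flink) RemoveEntryList(&t->WaitListEntry);
    t->State = THREAD_WAITING;
    InsertTailList(&KiWaitListHead, &t->WaitListEntry);
}

/* Highest non-empty ready list wins, FIFO within a level. The chosen thread
 * leaves the ready lists and is recorded in the KPCR as the running thread. */
MOCK_KTHREAD *pick_next_ready(void) {
    for (int p = NUM_PRIORITIES - 1; p >= 0; p--) {
        LIST_ENTRY *h = &KiDispatcherReadyListHead[p];
        if (h->Flink == h) continue;
        MOCK_KTHREAD *t = CONTAINING_RECORD(h->Flink, MOCK_KTHREAD, WaitListEntry);
        RemoveEntryList(&t->WaitListEntry);
        t->State = THREAD_RUNNING;
        KpcrCurrentThread = t;
        return t;
    }
    return NULL;
}

int list_length(const LIST_ENTRY *h) {
    int n = 0;
    for (const LIST_ENTRY *e = h->Flink; e != h; e = e->Flink) n++;
    return n;
}

int main(void) {                      /* stand-alone demo: prints "24 then 8" */
    MOCK_KTHREAD a = { .Priority = 8 }, b = { .Priority = 24 };
    scheduler_init();  make_ready(&a);  make_ready(&b);
    MOCK_KTHREAD *first = pick_next_ready();
    MOCK_KTHREAD *second = pick_next_ready();
    printf("%d then %d\n", first->Priority, second->Priority);
    return 0;
}
```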


Tags: Session Windows

Posted on Thu, 12 Mar 2020 07:30:35 -0400 by plastik77