Tasks
A process or a thread is called a task.
Process resources
- A virtual address space
- A globally unique process ID
- An executable image
- One or more threads
- An EPROCESS structure located in kernel space
- An object handle table located in kernel space
- A base address that records the starting location of the memory page directory table (DirBase)
- A process environment block (PEB) located in user space
- An access token
Process address space
User space
Kernel space
The EPROCESS structure
1. View basic information about all processes
6: kd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS ffff84898203c440
SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000
DirBase: 001ad002 ObjectTable: ffffe18f2b814040 HandleCount: 2564.
Image: System
PROCESS ffff8489820c6040
SessionId: none Cid: 0078 Peb: 00000000 ParentCid: 0004
DirBase: 99d00002 ObjectTable: ffffe18f2b825b80 HandleCount: 0.
Image: Registry
PROCESS ffff84898205d040
SessionId: none Cid: 01e0 Peb: 3062840000 ParentCid: 0004
DirBase: 77100002 ObjectTable: ffffe18f2c1ab340 HandleCount: 52.
Image: smss.exe
PROCESS ffff848987825580
SessionId: 0 Cid: 02d0 Peb: 9249550000 ParentCid: 028c
DirBase: 40b000002 ObjectTable: ffffe18f2da8fb40 HandleCount: 566.
Image: csrss.exe
PROCESS ffff84898e9da580
SessionId: 0 Cid: 034c Peb: eeb2e6000 ParentCid: 028c
DirBase: 40a200002 ObjectTable: ffffe18f2ddb5900 HandleCount: 168.
Image: wininit.exe
PROCESS ffff84898e9d4580
SessionId: 1 Cid: 0354 Peb: b3cb0e2000 ParentCid: 0344
DirBase: 409d00002 ObjectTable: ffffe18f2f09dd00 HandleCount: 251.
Image: csrss.exe
PROCESS ffff84898e9c8580
SessionId: 0 Cid: 0398 Peb: 5766e9000 ParentCid: 034c
DirBase: 407a00002 ObjectTable: ffffe18f2f126740 HandleCount: 727.
Image: services.exe
PROCESS ffff84898e9c6580
SessionId: 0 Cid: 03ac Peb: abceeb2000 ParentCid: 034c
DirBase: 405000002 ObjectTable: ffffe18f2f145040 HandleCount: 825.
Image: lsass.exe
(omitted ...)
PROCESS ffff8489903de080
SessionId: 0 Cid: 17b0 Peb: 89fc42c000 ParentCid: 0398
DirBase: 176690002 ObjectTable: ffffe18f34754d80 HandleCount: 94.
Image: IntelCpHeciSvc.exe
PROCESS ffff84899850e080
SessionId: 1 Cid: 17e0 Peb: 01020000 ParentCid: 1728
DirBase: 170980002 ObjectTable: ffffe18f347981c0 HandleCount: 238.
Image: explorer.exe
PROCESS ffff84899855d580
SessionId: 0 Cid: 1840 Peb: cd79837000 ParentCid: 0644
DirBase: 173e00002 ObjectTable: ffffe18f347c0d80 HandleCount: 16.
Image: wermgr.exe
2. View the EPROCESS structure
The NT kernel uses the EPROCESS structure to describe a process.
6: kd> dt _eprocess ffff84899855d580
nt!_EPROCESS
+0x000 Pcb : _KPROCESS
+0x2d8 ProcessLock : _EX_PUSH_LOCK
+0x2e0 UniqueProcessId : 0x00000000`00001840 Void
+0x2e8 ActiveProcessLinks : _LIST_ENTRY [ 0xfffff800`063a73b0 - 0xffff8489`9850e368 ]
+0x2f8 RundownProtect : _EX_RUNDOWN_REF
+0x300 Flags2 : 0xa014
+0x300 JobNotReallyActive : 0y0
+0x300 AccountingFolded : 0y0
+0x300 NewProcessReported : 0y1
+0x300 ExitProcessReported : 0y0
+0x300 ReportCommitChanges : 0y1
+0x300 LastReportMemory : 0y0
+0x300 ForceWakeCharge : 0y0
+0x300 CrossSessionCreate : 0y0
+0x300 NeedsHandleRundown : 0y0
+0x300 RefTraceEnabled : 0y0
+0x300 PicoCreated : 0y0
+0x300 EmptyJobEvaluated : 0y0
+0x300 DefaultPagePriority : 0y010
+0x300 PrimaryTokenFrozen : 0y1
+0x300 ProcessVerifierTarget : 0y0
+0x300 RestrictSetThreadContext : 0y0
+0x300 AffinityPermanent : 0y0
+0x300 AffinityUpdateEnable : 0y0
+0x300 PropagateNode : 0y0
+0x300 ExplicitAffinity : 0y0
+0x300 ProcessExecutionState : 0y00
+0x300 EnableReadVmLogging : 0y0
+0x300 EnableWriteVmLogging : 0y0
+0x300 FatalAccessTerminationRequested : 0y0
+0x300 DisableSystemAllowedCpuSet : 0y0
+0x300 ProcessStateChangeRequest : 0y00
+0x300 ProcessStateChangeInProgress : 0y0
+0x300 InPrivate : 0y0
+0x304 Flags : 0xc5d0c01
+0x304 CreateReported : 0y1
+0x304 NoDebugInherit : 0y0
+0x304 ProcessExiting : 0y0
+0x304 ProcessDelete : 0y0
+0x304 ManageExecutableMemoryWrites : 0y0
+0x304 VmDeleted : 0y0
+0x304 OutswapEnabled : 0y0
+0x304 Outswapped : 0y0
+0x304 FailFastOnCommitFail : 0y0
+0x304 Wow64VaSpace4Gb : 0y0
+0x304 AddressSpaceInitialized : 0y11
+0x304 SetTimerResolution : 0y0
+0x304 BreakOnTermination : 0y0
+0x304 DeprioritizeViews : 0y0
+0x304 WriteWatch : 0y0
+0x304 ProcessInSession : 0y1
+0x304 OverrideAddressSpace : 0y0
+0x304 HasAddressSpace : 0y1
+0x304 LaunchPrefetched : 0y1
+0x304 Background : 0y1
+0x304 VmTopDown : 0y0
+0x304 ImageNotifyDone : 0y1
+0x304 PdeUpdateNeeded : 0y0
+0x304 VdmAllowed : 0y0
+0x304 ProcessRundown : 0y0
+0x304 ProcessInserted : 0y1
+0x304 DefaultIoPriority : 0y001
+0x304 ProcessSelfDelete : 0y0
+0x304 SetTimerResolutionLink : 0y0
+0x308 CreateTime : _LARGE_INTEGER 0x01d48c65`2230444f
+0x310 ProcessQuotaUsage : [2] 0x948
+0x320 ProcessQuotaPeak : [2] 0x948
+0x330 PeakVirtualSize : 0x00000201`02933000
+0x338 VirtualSize : 0x00000201`02933000
+0x340 SessionProcessLinks : _LIST_ENTRY [ 0xffffb800`ff71c010 - 0xffff8489`903de3c0 ]
+0x350 ExceptionPortData : 0xffff8489`877e3670 Void
+0x350 ExceptionPortValue : 0xffff8489`877e3670
+0x350 ExceptionPortState : 0y000
+0x358 Token : _EX_FAST_REF
+0x360 MmReserved : 0
+0x368 AddressCreationLock : _EX_PUSH_LOCK
+0x370 PageTableCommitmentLock : _EX_PUSH_LOCK
+0x378 RotateInProgress : (null)
+0x380 ForkInProgress : (null)
+0x388 CommitChargeJob : 0xffff8489`8efa5060 _EJOB
+0x390 CloneRoot : _RTL_AVL_TREE
+0x398 NumberOfPrivatePages : 0x50
+0x3a0 NumberOfLockedPages : 0
+0x3a8 Win32Process : 0xffff83c6`0226e010 Void
+0x3b0 Job : 0xffff8489`8efa5060 _EJOB
+0x3b8 SectionObject : 0xffffe18f`347c3880 Void
+0x3c0 SectionBaseAddress : 0x00007ff7`e7c80000 Void
+0x3c8 Cookie : 0xd5e20c1
+0x3d0 WorkingSetWatch : (null)
+0x3d8 Win32WindowStation : (null)
+0x3e0 InheritedFromUniqueProcessId : 0x00000000`00000644 Void
+0x3e8 LdtInformation : (null)
+0x3f0 OwnerProcessId : 0x646
+0x3f8 Peb : 0x000000cd`79837000 _PEB
+0x400 Session : 0xffffb800`ff71c000 _MM_SESSION_SPACE
+0x408 AweInfo : (null)
+0x410 QuotaBlock : 0xfffff800`063d1bc0 _EPROCESS_QUOTA_BLOCK
+0x418 ObjectTable : 0xffffe18f`347c0d80 _HANDLE_TABLE
+0x420 DebugPort : (null)
+0x428 WoW64Process : (null)
+0x430 DeviceMap : 0xffffe18f`2b818ad0 Void
+0x438 EtwDataSource : 0xffff8489`9855c980 Void
+0x440 PageDirectoryPte : 0
+0x448 ImageFilePointer : 0xffff8489`98556080 _FILE_OBJECT
+0x450 ImageFileName : [15] "wermgr.exe"
+0x45f PriorityClass : 0x5 ''
+0x460 SecurityPort : (null)
+0x468 SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO
+0x470 JobLinks : _LIST_ENTRY [ 0xffff8489`8efa5088 - 0xffff8489`8fbc94f0 ]
+0x480 HighestUserAddress : 0x00007fff`ffff0000 Void
+0x488 ThreadListHead : _LIST_ENTRY [ 0xffff8489`9856ada8 - 0xffff8489`9856ada8 ]
+0x498 ActiveThreads : 1
+0x49c ImagePathHash : 0
+0x4a0 DefaultHardErrorProcessing : 0x8000
+0x4a4 LastThreadExitStatus : 0n0
+0x4a8 PrefetchTrace : _EX_FAST_REF
+0x4b0 LockedPagesList : (null)
+0x4b8 ReadOperationCount : _LARGE_INTEGER 0x0
+0x4c0 WriteOperationCount : _LARGE_INTEGER 0x0
+0x4c8 OtherOperationCount : _LARGE_INTEGER 0x0
+0x4d0 ReadTransferCount : _LARGE_INTEGER 0x0
+0x4d8 WriteTransferCount : _LARGE_INTEGER 0x0
+0x4e0 OtherTransferCount : _LARGE_INTEGER 0x0
+0x4e8 CommitChargeLimit : 0
+0x4f0 CommitCharge : 0x65
+0x4f8 CommitChargePeak : 0x71
+0x500 Vm : _MMSUPPORT_FULL
+0x610 MmProcessLinks : _LIST_ENTRY [ 0xfffff800`063cc620 - 0xffff8489`9850e690 ]
+0x620 ModifiedPageCount : 0
+0x624 ExitStatus : 0n259
+0x628 VadRoot : _RTL_AVL_TREE
+0x630 VadHint : 0xffff8489`9855d490 Void
+0x638 VadCount : 0x10
+0x640 VadPhysicalPages : 0
+0x648 VadPhysicalPagesLimit : 0
+0x650 AlpcContext : _ALPC_PROCESS_CONTEXT
+0x670 TimerResolutionLink : _LIST_ENTRY [ 0x00000000`00000000 - 0x00000000`00000000 ]
+0x680 TimerResolutionStackRecord : (null)
+0x688 RequestedTimerResolution : 0
+0x68c SmallestTimerResolution : 0
+0x690 ExitTime : _LARGE_INTEGER 0x0
+0x698 InvertedFunctionTable : (null)
+0x6a0 InvertedFunctionTableLock : _EX_PUSH_LOCK
+0x6a8 ActiveThreadsHighWatermark : 1
+0x6ac LargePrivateVadCount : 0
+0x6b0 ThreadListLock : _EX_PUSH_LOCK
+0x6b8 WnfContext : (null)
+0x6c0 ServerSilo : (null)
+0x6c8 SignatureLevel : 0 ''
+0x6c9 SectionSignatureLevel : 0 ''
+0x6ca Protection : _PS_PROTECTION
+0x6cb HangCount : 0y0000
+0x6cb GhostCount : 0y0000
+0x6cc Flags3 : 0xc008
+0x6cc Minimal : 0y0
+0x6cc ReplacingPageRoot : 0y0
+0x6cc Crashed : 0y0
+0x6cc JobVadsAreTracked : 0y1
+0x6cc VadTrackingDisabled : 0y0
+0x6cc AuxiliaryProcess : 0y0
+0x6cc SubsystemProcess : 0y0
+0x6cc IndirectCpuSets : 0y0
+0x6cc RelinquishedCommit : 0y0
+0x6cc HighGraphicsPriority : 0y0
+0x6cc CommitFailLogged : 0y0
+0x6cc ReserveFailLogged : 0y0
+0x6cc SystemProcess : 0y0
+0x6cc HideImageBaseAddresses : 0y0
+0x6cc AddressPolicyFrozen : 0y1
+0x6cc ProcessFirstResume : 0y1
+0x6cc ForegroundExternal : 0y0
+0x6cc ForegroundSystem : 0y0
+0x6cc HighMemoryPriority : 0y0
+0x6d0 DeviceAsid : 0n0
+0x6d8 SvmData : (null)
+0x6e0 SvmProcessLock : _EX_PUSH_LOCK
+0x6e8 SvmLock : 0
+0x6f0 SvmProcessDeviceListHead : _LIST_ENTRY [ 0xffff8489`9855dc70 - 0xffff8489`9855dc70 ]
+0x700 LastFreezeInterruptTime : 0
+0x708 DiskCounters : 0xffff8489`9855ddc8 _PROCESS_DISK_COUNTERS
+0x710 PicoContext : (null)
+0x718 TrustletIdentity : 0
+0x720 EnclaveTable : (null)
+0x728 EnclaveNumber : 0
+0x730 EnclaveLock : _EX_PUSH_LOCK
+0x738 HighPriorityFaultsAllowed : 0
+0x740 EnergyContext : 0xffff8489`9855ddf0 _PO_PROCESS_ENERGY_CONTEXT
+0x748 VmContext : (null)
+0x750 SequenceNumber : 0x86
+0x758 CreateInterruptTime : 0x77879ee
+0x760 CreateUnbiasedInterruptTime : 0x77879ee
+0x768 TotalUnbiasedFrozenTime : 0
+0x770 LastAppStateUpdateTime : 0x77879ee
+0x778 LastAppStateUptime : 0y0000000000000000000000000000000000000000000000000000000000000 (0)
+0x778 LastAppState : 0y000
+0x780 SharedCommitCharge : 0x53
+0x788 SharedCommitLock : _EX_PUSH_LOCK
+0x790 SharedCommitLinks : _LIST_ENTRY [ 0xffffe18f`34832fe8 - 0xffffe18f`347b86d8 ]
+0x7a0 AllowedCpuSets : 0
+0x7a8 DefaultCpuSets : 0
+0x7a0 AllowedCpuSetsIndirect : (null)
+0x7a8 DefaultCpuSetsIndirect : (null)
+0x7b0 DiskIoAttribution : (null)
+0x7b8 DxgProcess : (null)
+0x7c0 Win32KFilterSet : 0
+0x7c8 ProcessTimerDelay : _PS_INTERLOCKED_TIMER_DELAY_VALUES
+0x7d0 KTimerSets : 0
+0x7d4 KTimer2Sets :
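As an added example that is not part of the original page: the list that !process 0 0 enumerates is the circular ActiveProcessLinks chain, so it can be walked by hand using the offsets from the dt output above (UniqueProcessId at +0x2e0, ActiveProcessLinks at +0x2e8, InheritedFromUniqueProcessId at +0x3e0, ImageFileName at +0x450), which is how memory-forensics tools rebuild a process list from a dump. The memory image, its base address and the three process entries are constructed for the example; the list head is assumed to be a bare LIST_ENTRY inside the kernel image (the role nt!PsActiveProcessHead plays), not an EPROCESS, so the walker must skip it.

```python
import struct

# Field offsets taken from the dt _EPROCESS output above (same Windows 10 x64 build).
OFF_UNIQUE_PID    = 0x2e0   # UniqueProcessId, pointer-sized
OFF_ACTIVE_LINKS  = 0x2e8   # ActiveProcessLinks : _LIST_ENTRY {Flink, Blink}
OFF_INHERITED_PID = 0x3e0   # InheritedFromUniqueProcessId (parent PID)
OFF_IMAGE_NAME    = 0x450   # ImageFileName : char[15]
BASE = 0xfffff80006000000   # assumed virtual address of the constructed memory image

def build_image():
    """Constructed kernel memory: a list head (standing in for nt!PsActiveProcessHead)
    at BASE, then three EPROCESS blocks chained through ActiveProcessLinks."""
    procs = [(4, 0, b"System"), (0x1e0, 4, b"smss.exe"), (0x1840, 0x644, b"wermgr.exe")]
    mem = bytearray(0x1000 * (len(procs) + 1))
    head = BASE                       # the head is not inside any EPROCESS
    nodes = [BASE + 0x1000 * (i + 1) + OFF_ACTIVE_LINKS for i in range(len(procs))]
    ring = [head] + nodes             # circular order: head -> p0 -> p1 -> p2 -> head
    for node, (pid, ppid, name) in zip(nodes, procs):
        ep = node - OFF_ACTIVE_LINKS - BASE          # offset of this EPROCESS in mem
        struct.pack_into("<Q", mem, ep + OFF_UNIQUE_PID, pid)
        struct.pack_into("<Q", mem, ep + OFF_INHERITED_PID, ppid)
        mem[ep + OFF_IMAGE_NAME:ep + OFF_IMAGE_NAME + 15] = name.ljust(15, b"\0")
    for i, addr in enumerate(ring):   # write Flink/Blink for every LIST_ENTRY
        struct.pack_into("<QQ", mem, addr - BASE, ring[(i + 1) % len(ring)], ring[i - 1])
    return bytes(mem), head

def walk_active_process_list(mem, head, max_entries=4096):
    """Walk ActiveProcessLinks from the head, as !process 0 0 does, and return
    (pid, ppid, image_name) per process. Every link is bounds-checked and a
    repeated link aborts the walk, so a corrupted list cannot spin forever."""
    def rd(addr, size):
        off = addr - BASE
        if off < 0 or off + size > len(mem):
            raise ValueError(f"link points outside the image: {addr:#x}")
        return mem[off:off + size]
    out, seen = [], {head}
    link = struct.unpack("<Q", rd(head, 8))[0]       # head.Flink
    while link != head and len(out) < max_entries:
        if link in seen:
            raise ValueError(f"ActiveProcessLinks cycle at {link:#x}")
        seen.add(link)
        ep = link - OFF_ACTIVE_LINKS                 # CONTAINING_RECORD back to EPROCESS
        pid = struct.unpack("<Q", rd(ep + OFF_UNIQUE_PID, 8))[0]
        ppid = struct.unpack("<Q", rd(ep + OFF_INHERITED_PID, 8))[0]
        name = rd(ep + OFF_IMAGE_NAME, 15).split(b"\0", 1)[0].decode("ascii", "replace")
        out.append((pid, ppid, name))
        link = struct.unpack("<Q", rd(link, 8))[0]   # follow Flink
    return out
```

In the dump above, wermgr.exe's ActiveProcessLinks Blink (0xffff8489`9850e368) is explorer.exe's EPROCESS plus 0x2e8, while its Flink (0xfffff800`063a73b0) points into the kernel image rather than at another EPROCESS: that is the list head, and reading it as an EPROCESS would yield garbage fields.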