创建线程 Call NtCreateThread
;-----------------------------------------------------------------------
; Annotated x86 (32-bit) WinDbg disassembly of the nt!NtCreateThread ->
; nt!PspCreateThread path; the author's Chinese comments are translated
; to English and corrected where the ETHREAD/EPROCESS "dt" dumps appended
; below this listing contradict them.
; Line format: address, opcode bytes, mnemonic/operands, then (where present)
; the debugger's effective-address display ("ds:0023:ADDR=VALUE",
; "ss:0010:ADDR=VALUE", "[br=1]" = branch taken) and a ';' comment.
; Reading notes:
;  - This is NOT a complete disassembly. Bytes are missing at several
;    addresses, e.g. 805c6af0-805c6af5 (between the PreviousMode cmp and the
;    next listed instruction), 805c5baf-805c5bb4 (after the je at 805c5bad)
;    and the PspCreateThread prologue 805c5b90-805c5b9e. Every not-taken
;    side of a listed conditional jump is also absent. Do not infer which
;    branch executed from adjacency alone unless "[br=1]" is shown.
;  - The NtCreateThread part passes StartRoutine/StartContext == 0, while the
;    PspCreateThread part shows StartRoutine = NDIS!ndisWorkerThread,
;    ThreadContext == 0 and UniqueProcess == 4: the two halves appear to come
;    from different captures, the second being a system-thread creation by a
;    kernel caller.
;  - Structure offsets in comments (ETHREAD 1ECh, 220h, 234h, 248h ...,
;    EPROCESS 6Ch, 80h, 84h, 190h, 1A0h, 248h) were checked against the dumps.
;-----------------------------------------------------------------------
;NtCreateThread(
; OUT PHANDLE ThreadHandle, +8h
; IN ACCESS_MASK DesiredAccess, +Ch
; IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, +10h
; IN HANDLE ProcessHandle, +14h
; OUT PCLIENT_ID ClientID, +18h
; IN PCONTEXT Context, /* see _BaseInitializeContext */ +1ch
; IN StackInformation* StackInfo, /* see _BaseCreateStack */ +20h
; IN BOOLEAN CreateSuspended /* ==1 */ +24h
; );
805c6ae0 64a124010000 mov eax,dword ptr fs:[00000124h] ; eax = current KTHREAD (fs:[124h])
805c6ae6 8945e0 mov dword ptr [ebp-20h],eax ; keep it in a local
805c6ae9 80b84001000000 cmp byte ptr [eax+140h],0 ; KTHREAD.PreviousMode (140h) == 0 (KernelMode)? The 6-byte instruction at 805c6af0, presumably the conditional branch that lets a kernel-mode caller skip the probes below, is not listed
805c6af6 a1b48b5580 mov eax,dword ptr [nt!MmUserProbeAddress (80558bb4)] ; eax = MmUserProbeAddress (7fff0000h here): exclusive upper bound for user-mode pointers
805c6afb 8b4d08 mov ecx,dword ptr [ebp+8] ; ecx = arg 1, ThreadHandle (user pointer the new handle is written to)
805c6afe 3bc8 cmp ecx,eax ; unsigned range check against the probe address
805c6b00 7206 jb nt!NtCreateThread+0x38 (805c6b08) ; below -> in user range, go touch it; the 6 unlisted bytes at 805c6b02 presumably replace ecx with the probe address so the touch below faults
805c6b08 8b01 mov eax,dword ptr [ecx] ; probe: read the first dword of *ThreadHandle ...
805c6b0a 8901 mov dword ptr [ecx],eax ; ... and write it back, so an unmapped or read-only user page faults here (inside the SEH frame) instead of later. This matches the inlined ProbeForWrite pattern
805c6b0c 8b5d18 mov ebx,dword ptr [ebp+18h] ; ebx = arg 5, ClientId (optional output)
; Probe the optional ClientId output pointer
805c6b0f 85db test ebx,ebx
805c6b11 7423 je nt!NtCreateThread+0x66 (805c6b36) ; NULL -> no probe
805c6b13 895ddc mov dword ptr [ebp-24h],ebx
805c6b16 a1b48b5580 mov eax,dword ptr [nt!MmUserProbeAddress (80558bb4)]
805c6b1b 3bd8 cmp ebx,eax ; range check
805c6b1d 7203 jb nt!NtCreateThread+0x52 (805c6b22)
805c6b22 f6c303 test bl,3 ; low two bits must be clear (4-byte alignment); the 5 unlisted bytes at 805c6b27 are presumably the misalignment-exception path
805c6b25 7405 je nt!NtCreateThread+0x5c (805c6b2c)
805c6b2c 8a03 mov al,byte ptr [ebx] ; touch CLIENT_ID.UniqueProcess (read + write-back)
805c6b2e 8803 mov byte ptr [ebx],al
805c6b30 8a4304 mov al,byte ptr [ebx+4] ; touch CLIENT_ID.UniqueThread
805c6b33 884304 mov byte ptr [ebx+4],al
; Probe the optional Context pointer (arg 6, [ebp+1Ch]): NULL check, alignment, range
805c6b36 837d1c00 cmp dword ptr [ebp+1Ch],0
805c6b3a 743e je nt!NtCreateThread+0xaa (805c6b7a) ; NULL Context -> 805c6b7a (in an unlisted region)
805c6b3c f6451c03 test byte ptr [ebp+1Ch],3 ; alignment check as above
805c6b40 7405 je nt!NtCreateThread+0x77 (805c6b47)
805c6b47 a1b48b5580 mov eax,dword ptr [nt!MmUserProbeAddress (80558bb4)]
805c6b4c 39451c cmp dword ptr [ebp+1Ch],eax
805c6b4f 720b jb nt!NtCreateThread+0x8c (805c6b5c)
; Probe the StackInformation pointer (arg 7, [ebp+20h]). Author's reconstruction of the structure:
; Typedef struct _StackInformation
; {
; DWORD Reserved0;
; DWORD Reserved1;
; DWORD AddressOfTop;
; DWORD CommitAddress;
; DWORD ReservedAddress;
; } StackInformation;
805c6b5c 8b5d20 mov ebx,dword ptr [ebp+20h]
805c6b5f f6c303 test bl,3 ; alignment check
805c6b62 740a je nt!NtCreateThread+0x9e (805c6b6e)
805c6b6e 3bd8 cmp ebx,eax ; eax still == MmUserProbeAddress (7fff0000h): range check
805c6b70 7216 jb nt!NtCreateThread+0xb8 (805c6b88)
; First fetch: copy Reserved0/Reserved1 into locals [ebp-38h]/[ebp-34h] and test both for zero (both are 0 in this capture)
805c6b88 8b03 mov eax,dword ptr [ebx]
805c6b8a 8945c8 mov dword ptr [ebp-38h],eax eax=00000000
805c6b8d 8b4b04 mov ecx,dword ptr [ebx+4]
805c6b90 894dcc mov dword ptr [ebp-34h],ecx ecx=00000000
805c6b93 33d2 xor edx,edx
805c6b95 3bc2 cmp eax,edx
805c6b97 750e jne nt!NtCreateThread+0xd7 (805c6ba7) ; either field nonzero -> skip the copy and go straight to the call setup
805c6b99 3bca cmp ecx,edx
805c6b9b 750a jne nt!NtCreateThread+0xd7 (805c6ba7)
; Second fetch: copy the whole 5-dword StackInformation from user memory into the local at [ebp-38h] (passed below as InitialTeb)
; NOTE(review): the user structure is read twice (the two loads above, then this rep movs). The locals end up holding the
; second fetch, so the zero check above does not bind the copied Reserved0/1 values; whether the callee depends on them
; being zero is not visible in this listing.
805c6b9d 6a05 push 5
805c6b9f 59 pop ecx ; ecx = 5 dwords
805c6ba0 8bf3 mov esi,ebx ; src = user StackInformation
805c6ba2 8d7dc8 lea edi,[ebp-38h] ; dst = local copy
805c6ba5 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
805c6ba7 834dfcff or dword ptr [ebp-4],0FFFFFFFFh ; [ebp-4] = -1: likely the SEH try-level slot of this frame being reset (end of the __try around the probes) - TODO confirm
; Call PspCreateThread. The hex number after each push is the [ebp+N] offset the callee uses for that argument.
;PspCreateThread(
; OUT PHANDLE ThreadHandle,
; IN ACCESS_MASK DesiredAccess,
; IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
; IN HANDLE ProcessHandle,
; IN PEPROCESS ProcessPointer,
; OUT PCLIENT_ID ClientId OPTIONAL,
; IN PCONTEXT ThreadContext OPTIONAL,
; IN PINITIAL_TEB InitialTeb OPTIONAL,
; IN BOOLEAN CreateSuspended,
; IN PKSTART_ROUTINE StartRoutine OPTIONAL,
; IN PVOID StartContext
; )
805c6bab 52 push edx ; StartContext == 0 (edx is still 0) -> callee [ebp+30h]
805c6bac 52 push edx ; StartRoutine == 0 -> [ebp+2Ch]
805c6bad ff7524 push dword ptr [ebp+24h] ; CreateSuspended -> [ebp+28h]
805c6bb0 8d45c8 lea eax,[ebp-38h] ; address of the local StackInformation copy
805c6bb3 50 push eax ; InitialTeb -> [ebp+24h]
805c6bb4 ff751c push dword ptr [ebp+1Ch] ; ThreadContext -> [ebp+20h]
805c6bb7 ff7518 push dword ptr [ebp+18h] ; ClientId -> [ebp+1Ch]
805c6bba 52 push edx ; ProcessPointer == NULL -> [ebp+18h] (the process is resolved from ProcessHandle below)
805c6bbb ff7514 push dword ptr [ebp+14h] ; ProcessHandle -> [ebp+14h]
805c6bbe ff7510 push dword ptr [ebp+10h] ; ObjectAttributes -> [ebp+10h]
805c6bc1 ff750c push dword ptr [ebp+0Ch] ; DesiredAccess -> [ebp+0Ch]
805c6bc4 ff7508 push dword ptr [ebp+8] ; ThreadHandle -> [ebp+8]
805c6bc7 e8c4efffff call nt!PspCreateThread (805c5b90) ; the callee's prologue 805c5b90-805c5b9e (15 bytes) is not listed; [ebp+N] below refers to PspCreateThread's frame
805c5b9f 64a124010000 mov eax,dword ptr fs:[00000124h] ; eax = current KTHREAD
805c5ba5 8945c4 mov dword ptr [ebp-3Ch],eax ; [ebp-3Ch] = current KTHREAD
805c5ba8 33f6 xor esi,esi ; esi = 0 for the rest of the function
805c5baa 39752c cmp dword ptr [ebp+2Ch],esi ; author: "test CreateSuspended" - but by the push offsets above [ebp+2Ch] is StartRoutine (CreateSuspended is [ebp+28h]). This branch selects how the access mode in [ebp-30h] is set; the not-taken side (805c5baf-805c5bb4) is not listed
805c5bad 7406 je nt!PspCreateThread+0x25 (805c5bb5) ; zero -> jump
805c5bb5 8a8040010000 mov al,byte ptr [eax+140h] ; [ebp-30h] = caller's KTHREAD.PreviousMode; used as AccessMode for the Ob* calls below
805c5bbb 8845d0 mov byte ptr [ebp-30h],al
805c5bbe 8975e4 mov dword ptr [ebp-1Ch],esi ; zero locals
805c5bc1 33db xor ebx,ebx
805c5bc3 895da4 mov dword ptr [ebp-5Ch],ebx
805c5bc6 397514 cmp dword ptr [ebp+14h],esi ; ProcessHandle == NULL?
805c5bc9 7426 je nt!PspCreateThread+0x61 (805c5bf1) ; NULL -> skip the handle lookup (not taken here)
; ObReferenceObjectByHandle: resolve ProcessHandle to an EPROCESS, checking access according to [ebp-30h]
; ObReferenceObjectByHandle(
; IN HANDLE Handle,
; IN ACCESS_MASK DesiredAccess,
; IN POBJECT_TYPE ObjectType OPTIONAL,
; IN KPROCESSOR_MODE AccessMode,
; OUT PVOID *Object,
; OUT POBJECT_HANDLE_INFORMATION HandleInformation OPTIONAL
; );
805c5bcb 56 push esi ; HandleInformation == NULL
805c5bcc 8d856cffffff lea eax,[ebp-94h]
805c5bd2 50 push eax ; Object: receives the EPROCESS pointer at [ebp-94h]
805c5bd3 ff75d0 push dword ptr [ebp-30h] ; AccessMode = [ebp-30h] (author: PreviousMode == 1, UserMode). By the documented ObReferenceObjectByHandle contract, UserMode enforces the handle's granted access against DesiredAccess while KernelMode does not, so this byte is the security-relevant input of the lookup - verify its real value in this capture (see 805c5baa)
805c5bd6 ff3558a35580 push dword ptr [nt!PsProcessType (8055a358)] ; ObjectType = PsProcessType: the handle must refer to a process
805c5bdc 6a02 push 2 ; DesiredAccess == 2 (PROCESS_CREATE_THREAD)
805c5bde ff7514 push dword ptr [ebp+14h] ; Handle == the process handle (110h in this capture)
805c5be1 e8aaa9feff call nt!ObReferenceObjectByHandle (805b0590)
805c5be6 8b9d6cffffff mov ebx,dword ptr [ebp-94h] ; ebx = EPROCESS*
805c5bec 895da4 mov dword ptr [ebp-5Ch],ebx ; and a copy in [ebp-5Ch]
805c5bef eb1b jmp nt!PspCreateThread+0x7c (805c5c0c)
805c5c0c 3bc6 cmp eax,esi ; NTSTATUS from the lookup: negative -> exit path at 805c6347
805c5c0e 0f8c33070000 jl nt!PspCreateThread+0x7b7 (805c6347)
805c5c14 807dd000 cmp byte ptr [ebp-30h],0 ; access mode == KernelMode? -> skip the System-process check
805c5c18 740f je nt!PspCreateThread+0x99 (805c5c29)
805c5c1a 3b1d54a35580 cmp ebx,dword ptr [nt!PsInitialSystemProcess (8055a354)] ; user-mode caller: is the target the System process (PsInitialSystemProcess holds its EPROCESS)? Equal falls through to the 7 unlisted bytes at 805c5c22, presumably the rejection path
805c5c20 7507 jne nt!PspCreateThread+0x99 (805c5c29) ; not equal -> continue
; ObCreateObject: allocate the new ETHREAD object
; ObCreateObject ( IN KPROCESSOR_MODE ObjectAttributesAccessMode OPTIONAL,
; IN POBJECT_TYPE Type,
; IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
; IN KPROCESSOR_MODE AccessMode,
; IN OUT PVOID ParseContext OPTIONAL,
; IN ULONG ObjectSize,
; IN ULONG PagedPoolCharge OPTIONAL,
; IN ULONG NonPagedPoolCharge OPTIONAL,
; OUT PVOID * Object
; )
805c5c29 8d45b0 lea eax,[ebp-50h] ; Object: receives the new ETHREAD pointer at [ebp-50h]
805c5c2c 50 push eax
805c5c2d 56 push esi ; NonPagedPoolCharge == 0
805c5c2e 56 push esi ; PagedPoolCharge == 0
805c5c2f 6858020000 push 258h ; ObjectSize == 258h (sizeof ETHREAD on this build; the dump ends at +0x255)
805c5c34 56 push esi ; ParseContext == NULL
805c5c35 ff75d0 push dword ptr [ebp-30h] ; AccessMode = [ebp-30h] (author: PreviousMode == 1)
805c5c38 ff7510 push dword ptr [ebp+10h] ; ObjectAttributes exactly as passed by the caller ([ebp+10h])
805c5c3b ff355ca35580 push dword ptr [nt!PsThreadType (8055a35c)] ; Type = PsThreadType
805c5c41 ff75d0 push dword ptr [ebp-30h] ; ObjectAttributesAccessMode = [ebp-30h]: presumably governs how a user-supplied OBJECT_ATTRIBUTES is captured/probed
805c5c44 e8670affff call nt!ObCreateObject (805b66b0)
805c5c49 3bc6 cmp eax,esi ; NTSTATUS check: negative -> unlisted error path at 805c5c4d
805c5c4b 7d10 jge nt!PspCreateThread+0xcd (805c5c5d)
805c5c5d b996000000 mov ecx,96h ; 96h dwords == 258h bytes, the ObjectSize passed above
805c5c62 33c0 xor eax,eax
805c5c64 8b75b0 mov esi,dword ptr [ebp-50h] ; esi = new ETHREAD (stays so for the rest of the listing)
805c5c67 8bfe mov edi,esi
805c5c69 f3ab rep stos dword ptr es:[edi] ; zero-fill the whole ETHREAD (es:[edi] is just the string-op destination segment; author's "move to ES?" is a misreading)
805c5c6b 218634020000 and dword ptr [esi+234h],eax ; ETHREAD.RundownProtect (234h) = 0 (eax is 0 after the rep stos)
805c5c71 899e20020000 mov dword ptr [esi+220h],ebx ; ETHREAD.ThreadsProcess (220h) = owning EPROCESS
805c5c77 8dbeec010000 lea edi,[esi+1ECh] ; edi = &ETHREAD.Cid (1ECh). Author wrote ActiveTimerListHead, but per the ETHREAD dump 1ECh is Cid; ActiveTimerListHead is 1E4h and is initialised at 805c5cfe
805c5c7d 8b8384000000 mov eax,dword ptr [ebx+84h] ds:0023:817bd844=00000004 ; eax = EPROCESS.UniqueProcessId (84h) == 4 (System)
805c5c83 8907 mov dword ptr [edi],eax ds:0023:8164e75c=00000000 ; Cid.UniqueProcess = 4
805c5c85 8975b4 mov dword ptr [ebp-4Ch],esi ss:0010:f9e2fd00=00000630 ; build a two-dword entry {ETHREAD, 0} on the stack ...
805c5c88 8365b800 and dword ptr [ebp-48h],0 ss:0010:f9e2fd04=8164e558 ; ... for the CID table
; ExCreateHandle(PspCidTable, &CidEntry): allocate the thread's CID (its UniqueThread id)
805c5c8c 8d45b4 lea eax,[ebp-4Ch]
805c5c8f 50 push eax ; &CidEntry
805c5c90 ff3560a35580 push dword ptr [nt!PspCidTable (8055a360)] ds:0023:8055a360=e1001850 ; PspCidTable
805c5c96 e8f5e20300 call nt!ExCreateHandle (80603f90)
805c5c9b 8986f0010000 mov dword ptr [esi+1F0h],eax ds:0023:8164e760=00000000 ; Cid.UniqueThread (1F0h) = returned CID (230h here)
805c5ca1 85c0 test eax,eax ; zero -> allocation failed, unlisted path at 805c5ca5
805c5ca3 750a jne nt!PspCreateThread+0x11f (805c5caf) [br=1]
805c5caf a1bca35480 mov eax,dword ptr [nt!MmReadClusterSize (8054a3bc)] ds:0023:8054a3bc=00000007
805c5cb4 898640020000 mov dword ptr [esi+240h],eax ds:0023:8164e7b0=00000000 ; ETHREAD.ReadClusterSize (240h) = MmReadClusterSize (7)
805c5cba 6a01 push 1 ; Limit = 1
805c5cbc 6a00 push 0 ; Count = 0
805c5cbe 8d86f4010000 lea eax,[esi+1F4h] ; &ETHREAD+1F4h (LpcReplySemaphore / KeyedWaitSemaphore union per the dump)
805c5cc4 50 push eax
805c5cc5 e87c64f3ff call nt!KeInitializeSemaphore (804fc146) ; KeInitializeSemaphore(Semaphore, 0, 1)
805c5cca 8d86c8010000 lea eax,[esi+1C8h] ; InitializeListHead at 1C8h (Flink = Blink = self). Author wrote ExitTime; 1C8h is a union (ExitTime / LpcReplyChain / KeyedWaitChain) and the self-pointer pattern is list-head initialisation
805c5cd0 894004 mov dword ptr [eax+4],eax ds:0023:8164e73c=00000000
805c5cd3 8900 mov dword ptr [eax],eax ds:0023:8164e738=00000000
805c5cd5 8d8610020000 lea eax,[esi+210h] ; InitializeListHead(&ETHREAD.IrpList (210h))
805c5cdb 894004 mov dword ptr [eax+4],eax ds:0023:8164e784=00000000
805c5cde 8900 mov dword ptr [eax],eax ds:0023:8164e780=00000000
805c5ce0 8d86d4010000 lea eax,[esi+1D4h] ; InitializeListHead(&ETHREAD.PostBlockList (1D4h))
805c5ce6 894004 mov dword ptr [eax+4],eax ds:0023:8164e748=00000000
805c5ce9 8900 mov dword ptr [eax],eax ds:0023:8164e744=00000000
805c5ceb 83a63802000000 and dword ptr [esi+238h],0 ds:0023:8164e7a8=00000000 ; ETHREAD.ThreadLock (238h) = 0
805c5cf2 8d86e0010000 lea eax,[esi+1E0h] ; KeInitializeSpinLock(&ETHREAD.ActiveTimerListLock (1E0h))
805c5cf8 50 push eax
805c5cf9 e8626ff7ff call nt!KeInitializeSpinLock (8053cc60)
805c5cfe 8d86e4010000 lea eax,[esi+1E4h] ; InitializeListHead(&ETHREAD.ActiveTimerListHead (1E4h))
805c5d04 894004 mov dword ptr [eax+4],eax ds:0023:8164e758=00000000
805c5d07 8900 mov dword ptr [eax],eax ds:0023:8164e754=00000000
805c5d09 8d8b80000000 lea ecx,[ebx+80h] ; ecx = &EPROCESS.RundownProtect (80h), passed in ecx to ExAcquireRundownProtection
805c5d0f 898d68ffffff mov dword ptr [ebp-98h],ecx ss:0010:f9e2fcb4=817bd840 ; keep the pointer for the matching release
805c5d15 e874c60300 call nt!ExAcquireRundownProtection (8060238e)
805c5d1a 84c0 test al,al ; nonzero -> acquired; zero (process being run down) takes the unlisted path at 805c5d1e
805c5d1c 750a jne nt!PspCreateThread+0x198 (805c5d28) [br=1]
805c5d28 837d2000 cmp dword ptr [ebp+20h],0 ss:0010:f9e2fd6c=00000000 ; ThreadContext == NULL? (00000000 here -> taken): system-thread path, no user CONTEXT to capture
805c5d2c 0f8484000000 je nt!PspCreateThread+0x226 (805c5db6) [br=1]
805c5db6 33c9 xor ecx,ecx
805c5db8 894de4 mov dword ptr [ebp-1Ch],ecx ss:0010:f9e2fd30=00000000
805c5dbb 6a10 push 10h
805c5dbd 58 pop eax ; eax = 10h
805c5dbe 8d9648020000 lea edx,[esi+248h] ; &ETHREAD.CrossThreadFlags (248h)
805c5dc4 f00902 lock or dword ptr [edx],eax ds:0023:8164e7b8=00000000 ; CrossThreadFlags |= 10h: bit 4 = SystemThread (dump: CrossThreadFlags 0x10, SystemThread 1)
805c5dc7 8b452c mov eax,dword ptr [ebp+2Ch] ss:0010:f9e2fd78={NDIS!ndisWorkerThread (f96fdb85)} ; eax = StartRoutine ([ebp+2Ch]) = NDIS!ndisWorkerThread in this capture
805c5dca 898624020000 mov dword ptr [esi+224h],eax ds:0023:8164e794=00000000 ; ETHREAD.StartAddress (224h) = StartRoutine (PspCreateThread arg 10)
; KeInitThread arguments, pushed right-to-left: (ETHREAD, NULL, PspSystemThreadStartup, StartRoutine, StartContext, 0, 0, EPROCESS).
; The two zero args between StartContext and EPROCESS are plausibly the CONTEXT and Teb slots, NULL for a system thread - TODO confirm against the prototype
805c5dd0 53 push ebx ; EPROCESS
805c5dd1 51 push ecx ; 0
805c5dd2 51 push ecx ; 0
805c5dd3 ff7530 push dword ptr [ebp+30h] ss:0010:f9e2fd7c=81591f50 ; StartContext
805c5dd6 50 push eax ; StartRoutine (== ETHREAD.StartAddress)
805c5dd7 68f4595c80 push offset nt!PspSystemThreadStartup (805c59f4) ; system routine the new thread begins in
805c5ddc 51 push ecx ; NULL
805c5ddd 56 push esi ; ETHREAD
805c5dde e8c10bfdff call nt!KeInitThread (805969a4) ; initialise the KTHREAD part (author could not find the C prototype)
805c5de3 8bf8 mov edi,eax
805c5de5 85ff test edi,edi ; NTSTATUS: negative -> unlisted error path at 805c5de9
805c5de7 7d1c jge nt!PspCreateThread+0x275 (805c5e05) [br=1]
805c5e05 8b7dc4 mov edi,dword ptr [ebp-3Ch] ss:0010:f9e2fd10=81781bd8 ; edi = current KTHREAD
805c5e08 ff8fd4000000 dec dword ptr [edi+0D4h] ds:0023:81781cac=00000000 ; KTHREAD.KernelApcDisable-- (D4h per the dump): block kernel APC delivery before taking the process lock (looks like an inlined KeEnterCriticalRegion - confirm)
805c5e0e 8d436c lea eax,[ebx+6Ch] ; eax = &EPROCESS.ProcessLock (6Ch, an EX_PUSH_LOCK)
805c5e11 89458c mov dword ptr [ebp-74h],eax ss:0010:f9e2fcd8=817bd82c
805c5e14 b800000000 mov eax,0 ; expected old value: lock free
805c5e19 8b4d8c mov ecx,dword ptr [ebp-74h] ss:0010:f9e2fcd8=817bd82c
805c5e1c ba02000000 mov edx,2 ; new value: 2 = Exclusive bit (EPROCESS dump: Exclusive 1, Value 2)
805c5e21 0fb111 cmpxchg dword ptr [ecx],edx ds:0023:817bd82c=00000000 ; acquire ProcessLock exclusively if it was 0; eax receives the old value
805c5e24 85c0 test eax,eax ; old value 0 -> acquired uncontended; otherwise the unlisted slow path at 805c5e28
805c5e26 7408 je nt!PspCreateThread+0x2a0 (805c5e30) [br=1]
805c5e30 f6834802000008 test byte ptr [ebx+248h],8 ds:0023:817bda08=00 ; EPROCESS.Flags (248h) bit 3 = ProcessDelete, by the bit order in the EPROCESS dump; set -> unlisted failure path at 805c5e39
805c5e37 746f je nt!PspCreateThread+0x318 (805c5ea8) [br=1]
805c5ea8 8d83a0010000 lea eax,[ebx+1A0h] ; &EPROCESS.ActiveThreads (1A0h)
805c5eae 8b38 mov edi,dword ptr [eax] ds:0023:817bd960=00000034
805c5eb0 8d4f01 lea ecx,[edi+1]
805c5eb3 8908 mov dword ptr [eax],ecx ds:0023:817bd960=00000034 ; ActiveThreads: 34h -> 35h (plain read/add/store, done while holding ProcessLock)
; InsertTailList(&EPROCESS.ThreadListHead (190h), &ETHREAD.ThreadListEntry (22Ch))
805c5eb5 8d862c020000 lea eax,[esi+22Ch] ; eax = &entry
805c5ebb 8d8b90010000 lea ecx,[ebx+190h] ; ecx = &head
805c5ec1 8b5104 mov edx,dword ptr [ecx+4] ds:0023:817bd954=816ad86c ; edx = head.Blink (old last)
805c5ec4 8908 mov dword ptr [eax],ecx ds:0023:8164e79c=00000000 ; entry.Flink = head
805c5ec6 895004 mov dword ptr [eax+4],edx ds:0023:8164e7a0=00000000 ; entry.Blink = old last
805c5ec9 8902 mov dword ptr [edx],eax ds:0023:816ad86c=817bd950 ; old last.Flink = entry
805c5ecb 894104 mov dword ptr [ecx+4],eax ds:0023:817bd954=816ad86c ; head.Blink = entry
805c5ece 56 push esi ; ETHREAD
805c5ecf e8dc6af3ff call nt!KeStartThread (804fc9b0)
; Remaining calls made by PspCreateThread, listed by the author in order but without addresses or arguments (not a trace).
; The ProcessLock release and the KernelApcDisable restore are not shown either.
call nt!ExReleaseRundownProtection
call nt!WmiTraceThread
call nt!ObReferenceObjectEx
call nt!SeCreateAccessStateEx
call nt!ObInsertObject
call nt!SeDeleteAccessState
call nt!KeQuerySystemTime
call nt!ObGetObjectSecurity
call nt!PsReferencePrimaryToken
call nt!SeAccessCheck
call nt!ObFastDereferenceObject
call nt!ObReleaseObjectSecurity
call nt!KeReadyThread
call nt!ObfDereferenceObject
;附ETHREAD结构数据: +0x000 Tcb : _KTHREAD +0x000 Header : _DISPATCHER_HEADER +0x010 MutantListHead : _LIST_ENTRY [ 0x8164e580 - 0x8164e580 ] +0x018 InitialStack : 0xf7d7e000 +0x01c StackLimit : 0xf7d7b000 +0x020 Teb : (null) +0x024 TlsArray : (null) +0x028 KernelStack : 0xf7d7ddd4 +0x02c DebugActive : 0 '' +0x02d State : 0 '' +0x02e Alerted : [2] "" +0x030 Iopl : 0 '' +0x031 NpxState : 0xa '' +0x032 Saturation : 0 '' +0x033 Priority : 0 '' +0x034 ApcState : _KAPC_STATE +0x04c ContextSwitches : 0 +0x050 IdleSwapBlock : 0 '' +0x051 Spare0 : [3] "" +0x054 WaitStatus : 0 +0x058 WaitIrql : 0 '' +0x059 WaitMode : 0 '' +0x05a WaitNext : 0 '' +0x05b WaitReason : 0 '' +0x05c WaitBlockList : (null) +0x060 WaitListEntry : _LIST_ENTRY [ 0x0 - 0x0 ] +0x060 SwapListEntry : _SINGLE_LIST_ENTRY +0x068 WaitTime : 0 +0x06c BasePriority : 0 '' +0x06d DecrementCount : 0 '' +0x06e PriorityDecrement : 0 '' +0x06f Quantum : 0 '' +0x070 WaitBlock : [4] _KWAIT_BLOCK +0x0d0 LegoData : (null) +0x0d4 KernelApcDisable : 0 +0x0d8 UserAffinity : 0 +0x0dc SystemAffinityActive : 0 '' +0x0dd PowerState : 0 '' +0x0de NpxIrql : 0 '' +0x0df InitialNode : 0 '' +0x0e0 ServiceTable : 0x80553180 +0x0e4 Queue : (null) +0x0e8 ApcQueueLock : 0 +0x0f0 Timer : _KTIMER +0x118 QueueListEntry : _LIST_ENTRY [ 0x0 - 0x0 ] +0x120 SoftAffinity : 1 +0x124 Affinity : 0 +0x128 Preempted : 0 '' +0x129 ProcessReadyQueue : 0 '' +0x12a KernelStackResident : 0x1 '' +0x12b NextProcessor : 0 '' +0x12c CallbackStack : (null) +0x130 Win32Thread : (null) +0x134 TrapFrame : (null) +0x138 ApcStatePointer : [2] 0x8164e5a4 _KAPC_STATE +0x140 PreviousMode : 0 '' +0x141 EnableStackSwap : 0x1 '' +0x142 LargeStack : 0 '' +0x143 ResourceIndex : 0 '' +0x144 KernelTime : 0 +0x148 UserTime : 0 +0x14c SavedApcState : _KAPC_STATE +0x164 Alertable : 0 '' +0x165 ApcStateIndex : 0 '' +0x166 ApcQueueable : 0x1 '' +0x167 AutoAlignment : 0 '' +0x168 StackBase : 0xf7d7e000 +0x16c SuspendApc : _KAPC +0x19c SuspendSemaphore : _KSEMAPHORE +0x1b0 
ThreadListEntry : _LIST_ENTRY [ 0x0 - 0x0 ] +0x1b8 FreezeCount : 0 '' +0x1b9 SuspendCount : 0 '' +0x1ba IdealProcessor : 0 '' +0x1bb DisableBoost : 0 '' +0x1c0 CreateTime : _LARGE_INTEGER 0x0 +0x000 LowPart : 0 +0x004 HighPart : 0 +0x000 u : __unnamed +0x000 QuadPart : 0 +0x1c0 NestedFaultCount : 0y00 +0x1c0 ApcNeeded : 0y0 +0x1c8 ExitTime : _LARGE_INTEGER 0x8164e738`8164e738 +0x000 LowPart : 0x8164e738 +0x004 HighPart : -2124093640 +0x000 u : __unnamed +0x000 QuadPart : -9122912715270723784 +0x1c8 LpcReplyChain : _LIST_ENTRY [ 0x8164e738 - 0x8164e738 ] +0x000 Flink : 0x8164e738 _LIST_ENTRY [ 0x8164e738 - 0x8164e738 ] +0x004 Blink : 0x8164e738 _LIST_ENTRY [ 0x8164e738 - 0x8164e738 ] +0x1c8 KeyedWaitChain : _LIST_ENTRY [ 0x8164e738 - 0x8164e738 ] +0x000 Flink : 0x8164e738 _LIST_ENTRY [ 0x8164e738 - 0x8164e738 ] +0x004 Blink : 0x8164e738 _LIST_ENTRY [ 0x8164e738 - 0x8164e738 ] +0x1d0 ExitStatus : 0 +0x1d0 OfsChain : (null) +0x1d4 PostBlockList : _LIST_ENTRY [ 0x8164e744 - 0x8164e744 ] +0x000 Flink : 0x8164e744 _LIST_ENTRY [ 0x8164e744 - 0x8164e744 ] +0x004 Blink : 0x8164e744 _LIST_ENTRY [ 0x8164e744 - 0x8164e744 ] +0x1dc TerminationPort : (null) +0x1dc ReaperLink : (null) +0x1dc KeyedWaitValue : (null) +0x1e0 ActiveTimerListLock : 0 +0x1e4 ActiveTimerListHead : _LIST_ENTRY [ 0x8164e754 - 0x8164e754 ] +0x000 Flink : 0x8164e754 _LIST_ENTRY [ 0x8164e754 - 0x8164e754 ] +0x004 Blink : 0x8164e754 _LIST_ENTRY [ 0x8164e754 - 0x8164e754 ] +0x1ec Cid : _CLIENT_ID +0x000 UniqueProcess : 0x00000004 +0x004 UniqueThread : 0x00000230 +0x1f4 LpcReplySemaphore : _KSEMAPHORE +0x000 Header : _DISPATCHER_HEADER +0x010 Limit : 1 +0x1f4 KeyedWaitSemaphore : _KSEMAPHORE +0x000 Header : _DISPATCHER_HEADER +0x010 Limit : 1 +0x208 LpcReplyMessage : (null) +0x208 LpcWaitingOnPort : (null) +0x20c ImpersonationInfo : (null) +0x210 IrpList : _LIST_ENTRY [ 0x8164e780 - 0x8164e780 ] +0x000 Flink : 0x8164e780 _LIST_ENTRY [ 0x8164e780 - 0x8164e780 ] +0x004 Blink : 0x8164e780 _LIST_ENTRY [ 0x8164e780 
- 0x8164e780 ] +0x218 TopLevelIrp : 0 +0x21c DeviceToVerify : (null) +0x220 ThreadsProcess : 0x817bd7c0 _EPROCESS +0x000 Pcb : _KPROCESS +0x06c ProcessLock : _EX_PUSH_LOCK +0x070 CreateTime : _LARGE_INTEGER 0x0 +0x078 ExitTime : _LARGE_INTEGER 0x0 +0x080 RundownProtect : _EX_RUNDOWN_REF +0x084 UniqueProcessId : 0x00000004 +0x088 ActiveProcessLinks : _LIST_ENTRY [ 0x815d00a8 - 0x8055a258 ] +0x090 QuotaUsage : [3] 0 +0x09c QuotaPeak : [3] 0 +0x0a8 CommitCharge : 9 +0x0ac PeakVirtualSize : 0x28a000 +0x0b0 VirtualSize : 0x1c8000 +0x0b4 SessionProcessLinks : _LIST_ENTRY [ 0x0 - 0x0 ] +0x0bc DebugPort : (null) +0x0c0 ExceptionPort : (null) +0x0c4 ObjectTable : 0xe1001cb0 _HANDLE_TABLE +0x0c8 Token : _EX_FAST_REF +0x0cc WorkingSetLock : _FAST_MUTEX +0x0ec WorkingSetPage : 0 +0x0f0 AddressCreationLock : _FAST_MUTEX +0x110 HyperSpaceLock : 0 +0x114 ForkInProgress : (null) +0x118 HardwareTrigger : 0 +0x11c VadRoot : 0x817f1078 +0x120 VadHint : 0x817f1078 +0x124 CloneRoot : (null) +0x128 NumberOfPrivatePages : 4 +0x12c NumberOfLockedPages : 0 +0x130 Win32Process : (null) +0x134 Job : (null) +0x138 SectionObject : (null) +0x13c SectionBaseAddress : (null) +0x140 QuotaBlock : 0x8055a300 _EPROCESS_QUOTA_BLOCK +0x144 WorkingSetWatch : (null) +0x148 Win32WindowStation : (null) +0x14c InheritedFromUniqueProcessId : (null) +0x150 LdtInformation : (null) +0x154 VadFreeHint : (null) +0x158 VdmObjects : (null) +0x15c DeviceMap : 0xe10000d0 +0x160 PhysicalVadList : _LIST_ENTRY [ 0x8164e158 - 0x81633228 ] +0x168 PageDirectoryPte : _HARDWARE_PTE +0x168 Filler : 0 +0x170 Session : (null) +0x174 ImageFileName : [16] "System" +0x184 JobLinks : _LIST_ENTRY [ 0x0 - 0x0 ] +0x18c LockedPagesList : (null) +0x190 ThreadListHead : _LIST_ENTRY [ 0x817bd774 - 0x8164e79c ] +0x198 SecurityPort : 0xe16ebba0 +0x19c PaeTop : (null) +0x1a0 ActiveThreads : 0x35 +0x1a4 GrantedAccess : 0x1f0fff +0x1a8 DefaultHardErrorProcessing : 1 +0x1ac LastThreadExitStatus : 0 +0x1b0 Peb : (null) +0x1b4 PrefetchTrace : 
_EX_FAST_REF +0x1b8 ReadOperationCount : _LARGE_INTEGER 0x50 +0x1c0 WriteOperationCount : _LARGE_INTEGER 0x11c +0x1c8 OtherOperationCount : _LARGE_INTEGER 0xbc7 +0x1d0 ReadTransferCount : _LARGE_INTEGER 0x4ca32 +0x1d8 WriteTransferCount : _LARGE_INTEGER 0x1d4000 +0x1e0 OtherTransferCount : _LARGE_INTEGER 0x436b8 +0x1e8 CommitChargeLimit : 0 +0x1ec CommitChargePeak : 0x1cc +0x1f0 AweInfo : (null) +0x1f4 SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO +0x1f8 Vm : _MMSUPPORT +0x238 LastFaultCount : 0 +0x23c ModifiedPageCount : 0x6a2 +0x240 NumberOfVads : 0xa +0x244 JobStatus : 0 +0x248 Flags : 0x40200 +0x248 CreateReported : 0y0 +0x248 NoDebugInherit : 0y0 +0x248 ProcessExiting : 0y0 +0x248 ProcessDelete : 0y0 +0x248 Wow64SplitPages : 0y0 +0x248 VmDeleted : 0y0 +0x248 OutswapEnabled : 0y0 +0x248 Outswapped : 0y0 +0x248 ForkFailed : 0y0 +0x248 HasPhysicalVad : 0y1 +0x248 AddressSpaceInitialized : 0y00 +0x248 SetTimerResolution : 0y0 +0x248 BreakOnTermination : 0y0 +0x248 SessionCreationUnderway : 0y0 +0x248 WriteWatch : 0y0 +0x248 ProcessInSession : 0y0 +0x248 OverrideAddressSpace : 0y0 +0x248 HasAddressSpace : 0y1 +0x248 LaunchPrefetched : 0y0 +0x248 InjectInpageErrors : 0y0 +0x248 VmTopDown : 0y0 +0x248 Unused3 : 0y0 +0x248 Unused4 : 0y0 +0x248 VdmAllowed : 0y0 +0x248 Unused : 0y00000 (0) +0x248 Unused1 : 0y0 +0x248 Unused2 : 0y0 +0x24c ExitStatus : 259 +0x250 NextPageColor : 0x3f69 +0x252 SubSystemMinorVersion : 0 '' +0x253 SubSystemMajorVersion : 0 '' +0x252 SubSystemVersion : 0 +0x254 PriorityClass : 0x2 '' +0x255 WorkingSetAcquiredUnsafe : 0 '' +0x258 Cookie : 0 +0x224 StartAddress : 0xf96fdb85 +0x228 Win32StartAddress : (null) +0x228 LpcReceivedMessageId : 0 +0x22c ThreadListEntry : _LIST_ENTRY [ 0x817bd950 - 0x816ad86c ] +0x000 Flink : 0x817bd950 _LIST_ENTRY [ 0x817bd774 - 0x8164e79c ] +0x004 Blink : 0x816ad86c _LIST_ENTRY [ 0x8164e79c - 0x816adae4 ] +0x234 RundownProtect : _EX_RUNDOWN_REF +0x000 Count : 0 +0x000 Ptr : (null) +0x238 ThreadLock : 
_EX_PUSH_LOCK +0x000 Waiting : 0y0 +0x000 Exclusive : 0y0 +0x000 Shared : 0y000000000000000000000000000000 (0) +0x000 Value : 0 +0x000 Ptr : (null) +0x23c LpcReplyMessageId : 0 +0x240 ReadClusterSize : 7 +0x244 GrantedAccess : 0 +0x248 CrossThreadFlags : 0x10 +0x248 Terminated : 0y0 +0x248 DeadThread : 0y0 +0x248 HideFromDebugger : 0y0 +0x248 ActiveImpersonationInfo : 0y0 +0x248 SystemThread : 0y1 +0x248 HardErrorsAreDisabled : 0y0 +0x248 BreakOnTermination : 0y0 +0x248 SkipCreationMsg : 0y0 +0x248 SkipTerminationMsg : 0y0 +0x24c SameThreadPassiveFlags : 0 +0x24c ActiveExWorker : 0y0 +0x24c ExWorkerCanWaitUser : 0y0 +0x24c MemoryMaker : 0y0 +0x250 SameThreadApcFlags : 0 +0x250 LpcReceivedMsgIdValid : 0y0 +0x250 LpcExitThreadCalled : 0y0 +0x250 AddressSpaceOwner : 0y0 +0x254 ForwardClusterOnly : 0 '' +0x255 DisablePageFaultClustering : 0 ''
;附EPROCESS结构数据 +0x000 Pcb : _KPROCESS +0x000 Header : _DISPATCHER_HEADER +0x010 ProfileListHead : _LIST_ENTRY [ 0x817bd7d0 - 0x817bd7d0 ] +0x018 DirectoryTableBase : [2] 0xa8f000 +0x020 LdtDescriptor : _KGDTENTRY +0x028 Int21Descriptor : _KIDTENTRY +0x030 IopmOffset : 0x20ac +0x032 Iopl : 0 '' +0x033 Unused : 0 '' +0x034 ActiveProcessors : 0 +0x038 KernelTime : 0x2b0 +0x03c UserTime : 0 +0x040 ReadyListHead : _LIST_ENTRY [ 0x817bd800 - 0x817bd800 ] +0x048 SwapListEntry : _SINGLE_LIST_ENTRY +0x04c VdmTrapcHandler : (null) +0x050 ThreadListHead : _LIST_ENTRY [ 0x817bd6f8 - 0x816ad7f0 ] +0x058 ProcessLock : 0 +0x05c Affinity : 1 +0x060 StackCount : 0x2a +0x062 BasePriority : 8 '' +0x063 ThreadQuantum : 6 '' +0x064 AutoAlignment : 0 '' +0x065 State : 0 '' +0x066 ThreadSeed : 0 '' +0x067 DisableBoost : 0 '' +0x068 PowerState : 0 '' +0x069 DisableQuantum : 0 '' +0x06a IdealNode : 0 '' +0x06b Flags : _KEXECUTE_OPTIONS +0x06b ExecuteOptions : 0 '' +0x06c ProcessLock : _EX_PUSH_LOCK +0x000 Waiting : 0y0 +0x000 Exclusive : 0y1 +0x000 Shared : 0y000000000000000000000000000000 (0) +0x000 Value : 2 +0x000 Ptr : 0x00000002 +0x070 CreateTime : _LARGE_INTEGER 0x0 +0x000 LowPart : 0 +0x004 HighPart : 0 +0x000 u : __unnamed +0x000 QuadPart : 0 +0x078 ExitTime : _LARGE_INTEGER 0x0 +0x000 LowPart : 0 +0x004 HighPart : 0 +0x000 u : __unnamed +0x000 QuadPart : 0 +0x080 RundownProtect : _EX_RUNDOWN_REF +0x000 Count : 2 +0x000 Ptr : 0x00000002 +0x084 UniqueProcessId : 0x00000004 +0x088 ActiveProcessLinks : _LIST_ENTRY [ 0x815d00a8 - 0x8055a258 ] +0x000 Flink : 0x815d00a8 _LIST_ENTRY [ 0x81650aa8 - 0x817bd848 ] +0x004 Blink : 0x8055a258 _LIST_ENTRY [ 0x817bd848 - 0x81563448 ] +0x090 QuotaUsage : [3] 0 +0x09c QuotaPeak : [3] 0 +0x0a8 CommitCharge : 9 +0x0ac PeakVirtualSize : 0x28a000 +0x0b0 VirtualSize : 0x1c8000 +0x0b4 SessionProcessLinks : _LIST_ENTRY [ 0x0 - 0x0 ] +0x000 Flink : (null) +0x004 Blink : (null) +0x0bc DebugPort : (null) +0x0c0 ExceptionPort : (null) +0x0c4 ObjectTable : 
0xe1001cb0 _HANDLE_TABLE +0x000 TableCode : 0xe1002000 +0x004 QuotaProcess : (null) +0x008 UniqueProcessId : 0x00000004 +0x00c HandleTableLock : [4] _EX_PUSH_LOCK +0x01c HandleTableList : _LIST_ENTRY [ 0xe1296454 - 0x8055b548 ] +0x024 HandleContentionEvent : _EX_PUSH_LOCK +0x028 DebugInfo : (null) +0x02c ExtraInfoPages : 0 +0x030 FirstFree : 0x62c +0x034 LastFree : 0 +0x038 NextHandleNeedingPool : 0x800 +0x03c HandleCount : 236 +0x040 Flags : 0 +0x040 StrictFIFO : 0y0 +0x0c8 Token : _EX_FAST_REF +0x000 Object : 0xe1000812 +0x000 RefCnt : 0y010 +0x000 Value : 0xe1000812 +0x0cc WorkingSetLock : _FAST_MUTEX +0x000 Count : 1 +0x004 Owner : 0xf9df3aac _KTHREAD +0x008 Contention : 0 +0x00c Event : _KEVENT +0x01c OldIrql : 0 +0x0ec WorkingSetPage : 0 +0x0f0 AddressCreationLock : _FAST_MUTEX +0x000 Count : 1 +0x004 Owner : 0xf9df3ab0 _KTHREAD +0x008 Contention : 0 +0x00c Event : _KEVENT +0x01c OldIrql : 0 +0x110 HyperSpaceLock : 0 +0x114 ForkInProgress : (null) +0x118 HardwareTrigger : 0 +0x11c VadRoot : 0x817f1078 +0x120 VadHint : 0x817f1078 +0x124 CloneRoot : (null) +0x128 NumberOfPrivatePages : 4 +0x12c NumberOfLockedPages : 0 +0x130 Win32Process : (null) +0x134 Job : (null) +0x138 SectionObject : (null) +0x13c SectionBaseAddress : (null) +0x140 QuotaBlock : 0x8055a300 _EPROCESS_QUOTA_BLOCK +0x000 QuotaEntry : [3] _EPROCESS_QUOTA_ENTRY +0x030 QuotaList : _LIST_ENTRY [ 0x0 - 0x0 ] +0x038 ReferenceCount : 0xa60 +0x03c ProcessCount : 0x12 +0x144 WorkingSetWatch : (null) +0x148 Win32WindowStation : (null) +0x14c InheritedFromUniqueProcessId : (null) +0x150 LdtInformation : (null) +0x154 VadFreeHint : (null) +0x158 VdmObjects : (null) +0x15c DeviceMap : 0xe10000d0 +0x160 PhysicalVadList : _LIST_ENTRY [ 0x8164e158 - 0x81633228 ] +0x000 Flink : 0x8164e158 _LIST_ENTRY [ 0x8178ddd8 - 0x817bd920 ] +0x004 Blink : 0x81633228 _LIST_ENTRY [ 0x817bd920 - 0x81634200 ] +0x168 PageDirectoryPte : _HARDWARE_PTE +0x000 Valid : 0y0 +0x000 Write : 0y0 +0x000 Owner : 0y0 +0x000 WriteThrough : 
0y0 +0x000 CacheDisable : 0y0 +0x000 Accessed : 0y0 +0x000 Dirty : 0y0 +0x000 LargePage : 0y0 +0x000 Global : 0y0 +0x000 CopyOnWrite : 0y0 +0x000 Prototype : 0y0 +0x000 reserved0 : 0y0 +0x000 PageFrameNumber : 0y00000000000000000000000000 (0) +0x000 reserved1 : 0y00000000000000000000000000 (0) +0x000 LowPart : 0 +0x004 HighPart : 0 +0x168 Filler : 0 +0x170 Session : (null) +0x174 ImageFileName : [16] "System" +0x184 JobLinks : _LIST_ENTRY [ 0x0 - 0x0 ] +0x000 Flink : (null) +0x004 Blink : (null) +0x18c LockedPagesList : (null) +0x190 ThreadListHead : _LIST_ENTRY [ 0x817bd774 - 0x8164e79c ] +0x000 Flink : 0x817bd774 _LIST_ENTRY [ 0x817bd32c - 0x817bd950 ] +0x004 Blink : 0x8164e79c _LIST_ENTRY [ 0x817bd950 - 0x816ad86c ] +0x198 SecurityPort : 0xe16ebba0 +0x19c PaeTop : (null) +0x1a0 ActiveThreads : 0x35 +0x1a4 GrantedAccess : 0x1f0fff +0x1a8 DefaultHardErrorProcessing : 1 +0x1ac LastThreadExitStatus : 0 +0x1b0 Peb : (null) +0x1b4 PrefetchTrace : _EX_FAST_REF +0x000 Object : 0x81615965 +0x000 RefCnt : 0y101 +0x000 Value : 0x81615965 +0x1b8 ReadOperationCount : _LARGE_INTEGER 0x50 +0x000 LowPart : 0x50 +0x004 HighPart : 0 +0x000 u : __unnamed +0x000 QuadPart : 80 +0x1c0 WriteOperationCount : _LARGE_INTEGER 0x11c +0x000 LowPart : 0x11c +0x004 HighPart : 0 +0x000 u : __unnamed +0x000 QuadPart : 284 +0x1c8 OtherOperationCount : _LARGE_INTEGER 0xbc7 +0x000 LowPart : 0xbc7 +0x004 HighPart : 0 +0x000 u : __unnamed +0x000 QuadPart : 3015 +0x1d0 ReadTransferCount : _LARGE_INTEGER 0x4ca32 +0x000 LowPart : 0x4ca32 +0x004 HighPart : 0 +0x000 u : __unnamed +0x000 QuadPart : 313906 +0x1d8 WriteTransferCount : _LARGE_INTEGER 0x1d4000 +0x000 LowPart : 0x1d4000 +0x004 HighPart : 0 +0x000 u : __unnamed +0x000 QuadPart : 1916928 +0x1e0 OtherTransferCount : _LARGE_INTEGER 0x436b8 +0x000 LowPart : 0x436b8 +0x004 HighPart : 0 +0x000 u : __unnamed +0x000 QuadPart : 276152 +0x1e8 CommitChargeLimit : 0 +0x1ec CommitChargePeak : 0x1cc +0x1f0 AweInfo : (null) +0x1f4 SeAuditProcessCreationInfo : 
_SE_AUDIT_PROCESS_CREATION_INFO +0x000 ImageFileName : 0xe10007c0 _OBJECT_NAME_INFORMATION +0x1f8 Vm : _MMSUPPORT +0x000 LastTrimTime : _LARGE_INTEGER 0x0 +0x008 Flags : _MMSUPPORT_FLAGS +0x00c PageFaultCount : 0xf15 +0x010 PeakWorkingSetSize : 0x20e +0x014 WorkingSetSize : 0x4b +0x018 MinimumWorkingSetSize : 0 +0x01c MaximumWorkingSetSize : 0x159 +0x020 VmWorkingSetList : 0xc0883000 _MMWSL +0x024 WorkingSetExpansionLinks : _LIST_ENTRY [ 0x815d023c - 0x80558984 ] +0x02c Claim : 0 +0x030 NextEstimationSlot : 0 +0x034 NextAgingSlot : 0 +0x038 EstimatedAvailable : 0 +0x03c GrowthSinceLastEstimate : 0xf15 +0x238 LastFaultCount : 0 +0x23c ModifiedPageCount : 0x6a2 +0x240 NumberOfVads : 0xa +0x244 JobStatus : 0 +0x248 Flags : 0x40200 +0x248 CreateReported : 0y0 +0x248 NoDebugInherit : 0y0 +0x248 ProcessExiting : 0y0 +0x248 ProcessDelete : 0y0 +0x248 Wow64SplitPages : 0y0 +0x248 VmDeleted : 0y0 +0x248 OutswapEnabled : 0y0 +0x248 Outswapped : 0y0 +0x248 ForkFailed : 0y0 +0x248 HasPhysicalVad : 0y1 +0x248 AddressSpaceInitialized : 0y00 +0x248 SetTimerResolution : 0y0 +0x248 BreakOnTermination : 0y0 +0x248 SessionCreationUnderway : 0y0 +0x248 WriteWatch : 0y0 +0x248 ProcessInSession : 0y0 +0x248 OverrideAddressSpace : 0y0 +0x248 HasAddressSpace : 0y1 +0x248 LaunchPrefetched : 0y0 +0x248 InjectInpageErrors : 0y0 +0x248 VmTopDown : 0y0 +0x248 Unused3 : 0y0 +0x248 Unused4 : 0y0 +0x248 VdmAllowed : 0y0 +0x248 Unused : 0y00000 (0) +0x248 Unused1 : 0y0 +0x248 Unused2 : 0y0 +0x24c ExitStatus : 259 +0x250 NextPageColor : 0x3f69 +0x252 SubSystemMinorVersion : 0 '' +0x253 SubSystemMajorVersion : 0 '' +0x252 SubSystemVersion : 0 +0x254 PriorityClass : 0x2 '' +0x255 WorkingSetAcquiredUnsafe : 0 '' +0x258 Cookie : 0
线程创建流程