Some timer DPC routines live inside the kernel itself; the entry point to follow is NtCreateTimer. The debugging session is as follows:
dt _ktimer 8129e718
nt!_KTIMER
+0x000 Header : _DISPATCHER_HEADER
+0x010 DueTime : _ULARGE_INTEGER 0x80000000`fd1b046a
+0x018 TimerListEntry : _LIST_ENTRY [ 0x81304cb0 - 0x81339678 ]
+0x020 Dpc : 0x8129e770 _KDPC
+0x024 Period : 0n0
kd> dt _KDPC 0x8129e770
nt!_KDPC
+0x000 Type : 0n19
+0x002 Number : 0 ''
+0x003 Importance : 0x1 ''
+0x004 DpcListEntry : _LIST_ENTRY [ 0x8129e778 - 0x0 ]
+0x00c DeferredRoutine : 0x805399a0 void nt!ExpTimerDpcRoutine+0
+0x010 DeferredContext : 0x8129e718 Void
+0x014 SystemArgument1 : (null)
+0x018 SystemArgument2 : (null)
+0x01c Lock : (null)
kd> dt _ETIMER 0x8129e718
nt!_ETIMER
+0x000 KeTimer : _KTIMER
+0x028 TimerApc : _KAPC
+0x058 TimerDpc : _KDPC
+0x078 ActiveTimerListEntry : _LIST_ENTRY [ 0x81304d8c - 0x81304d8c ]
+0x080 Lock : 0
+0x084 Period : 0n0
+0x088 ApcAssociated : 0x1 ''
+0x089 WakeTimer : 0 ''
+0x08c WakeTimerListEntry : _LIST_ENTRY [ 0x0 - 0x0 ]
kd> dt _KAPC 0x8129e718+28
nt!_KAPC
+0x000 Type : 0n18
+0x002 Size : 0n48
+0x004 Spare0 : 0
+0x008 Thread : 0x81304ba8 _KTHREAD
+0x00c ApcListEntry : _LIST_ENTRY [ 0x80000 - 0x400ba7df ]
+0x014 KernelRoutine : 0x805399ec void nt!ExpTimerApcRoutine+0
+0x018 RundownRoutine : (null)
+0x01c NormalRoutine : 0x7c9481a3 void +7c9481a3
+0x020 NormalContext : (null)
+0x024 SystemArgument1 : 0xe193582c Void
+0x028 SystemArgument2 : (null)
+0x02c ApcStateIndex : 0 ''
+0x02d ApcMode : 1 ''
+0x02e Inserted : 0 ''
!thread 0x81304ba8
THREAD 81304ba8 Cid 0c38.0c6c Teb: 7ffde000 Win32Thread: 00000000 WAIT: (DelayExecution) UserMode Alertable
81304c98 NotificationTimer
Not impersonating
DeviceMap e19bda40
Owning Process 0 Image: <Unknown>
Attached Process 81216020 Image: MalwareDefender.exe
Wait Start TickCount 27177 Ticks: 64712 (0:00:16:51.125)
Context Switch Count 1
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address 0x7c947ebb
Start Address 0x7c8106e9
Stack Init f7967000 Current f7966cbc Base f7967000 Limit f7964000 Call 0
Priority 10 BasePriority 10 PriorityDecrement 0 DecrementCount 0
Kernel stack not resident.
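The session above shows the relations an analyst checks before trusting a timer object: KTIMER.Dpc (0x8129e770) is exactly the ETIMER base plus the TimerDpc offset 0x58, the DPC's DeferredContext points back at the ETIMER, the DPC routine resolves to nt!ExpTimerDpcRoutine, the APC is user-mode (ApcMode 1) with an unresolved user-space NormalRoutine, and ActiveTimerListEntry's Flink and Blink both point into the owning thread. The script below is an added example, not part of the original session: it parses `dt`-style output (the sample dumps are copied from the session) and evaluates those relations. The ETHREAD.ActiveTimerListHead offset 0x1E4 and the 2 GB user/kernel split are assumptions for this x86 XP-era build, and the function names are mine.

```python
import re

# Sample `dt` output taken from the debugging session above (page values);
# the ETHREAD offset and the user/kernel split further down are assumptions.
KTIMER_DUMP = """\
+0x010 DueTime : _ULARGE_INTEGER 0x80000000`fd1b046a
+0x018 TimerListEntry : _LIST_ENTRY [ 0x81304cb0 - 0x81339678 ]
+0x020 Dpc : 0x8129e770 _KDPC
+0x024 Period : 0n0
"""
KDPC_DUMP = """\
+0x000 Type : 0n19
+0x003 Importance : 0x1 ''
+0x00c DeferredRoutine : 0x805399a0 void nt!ExpTimerDpcRoutine+0
+0x010 DeferredContext : 0x8129e718 Void
+0x014 SystemArgument1 : (null)
"""
ETIMER_DUMP = """\
+0x078 ActiveTimerListEntry : _LIST_ENTRY [ 0x81304d8c - 0x81304d8c ]
+0x088 ApcAssociated : 0x1 ''
"""
KAPC_DUMP = """\
+0x008 Thread : 0x81304ba8 _KTHREAD
+0x014 KernelRoutine : 0x805399ec void nt!ExpTimerApcRoutine+0
+0x01c NormalRoutine : 0x7c9481a3 void +7c9481a3
+0x02d ApcMode : 1 ''
"""

FIELD_RE = re.compile(r"^\+0x([0-9a-fA-F]+)\s+(\w+)\s*:\s*(.*)$")
LIST_RE = re.compile(r"_LIST_ENTRY \[ (0x[0-9a-fA-F]+) - (0x[0-9a-fA-F]+) \]")


def parse_value(text):
    """Convert the right-hand side of a `dt` line to a Python value."""
    m = LIST_RE.search(text)
    if m:                                   # (Flink, Blink)
        return int(m.group(1), 16), int(m.group(2), 16)
    if text.startswith("(null)"):
        return 0
    for tok in text.split():
        tok = tok.replace("`", "")          # 64-bit values print as hi`lo
        if tok.startswith("0x"):
            return int(tok, 16)
        if tok.startswith("0n"):            # 0n = decimal in WinDbg
            return int(tok[2:])
        if tok.isdigit():
            return int(tok)
    return text                             # an embedded struct type name


def parse_dt(dump):
    """Parse `dt` output into {field: {"offset", "value", "raw"}}."""
    fields = {}
    for line in dump.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            fields[m.group(2)] = {"offset": int(m.group(1), 16),
                                  "value": parse_value(m.group(3)),
                                  "raw": m.group(3)}
    return fields


ETIMER_BASE = 0x8129E718                # ETIMER address used in the session
ETIMER_TIMERDPC_OFF = 0x58              # _ETIMER.TimerDpc, from the dump
ETHREAD_ACTIVE_TIMER_LIST_OFF = 0x1E4   # ASSUMED offset of ETHREAD.ActiveTimerListHead
USER_SPACE_LIMIT = 0x80000000           # ASSUMED 2 GB user/kernel split (x86, no /3GB)


def check_timer(etimer_base, ktimer, kdpc, etimer, kapc):
    """Consistency relations between the four objects; each value is a bool."""
    dpc = kdpc["DeferredRoutine"]
    apc_routine = kapc["NormalRoutine"]["value"]
    thread = kapc["Thread"]["value"]
    flink, blink = etimer["ActiveTimerListEntry"]["value"]
    return {
        # KTIMER.Dpc must point at the DPC embedded in its own ETIMER
        "dpc_is_embedded": ktimer["Dpc"]["value"] == etimer_base + ETIMER_TIMERDPC_OFF,
        # the DPC's context is the ETIMER itself
        "dpc_context_is_etimer": kdpc["DeferredContext"]["value"] == etimer_base,
        # the deferred routine resolved to a symbol inside nt, in kernel space
        "dpc_routine_in_nt": "nt!" in dpc["raw"] and dpc["value"] >= USER_SPACE_LIMIT,
        # user-mode APC whose completion routine sits below the split
        "apc_is_user_mode": kapc["ApcMode"]["value"] == 1 and apc_routine < USER_SPACE_LIMIT,
        # the timer is the only entry on the owning thread's active-timer list
        "apc_linked_to_thread": etimer["ApcAssociated"]["value"] == 1
            and flink == blink == thread + ETHREAD_ACTIVE_TIMER_LIST_OFF,
    }


def analyse_session():
    """Run the checks over the dumps copied from the session above."""
    return check_timer(ETIMER_BASE, parse_dt(KTIMER_DUMP), parse_dt(KDPC_DUMP),
                       parse_dt(ETIMER_DUMP), parse_dt(KAPC_DUMP))


if __name__ == "__main__":
    for name, ok in analyse_session().items():
        print(f"{name:24s} {'OK' if ok else 'MISMATCH'}")
```

All five relations hold for the session's values. A timer whose KTIMER.Dpc points outside its own ETIMER, or whose DeferredRoutine does not resolve inside nt, is the case worth a closer look when reviewing the timer list.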