在 http://www.wasm.ru/print.php?article=gui_subsystem
中,提供了一个在 32 位系统上通过驱动枚举所有快捷键的程序,但是移植到 Win7 64 位下会遇到各种问题。
x64 的编译器(MSVC)不支持 inline 汇编(__asm)。。。那个驱动在 Win7 x64 下都无法编译。。。我对汇编也不熟,不能把汇编提成函数放到单独的 .asm 文件里面。
唉。只能学习一下windbg的内核调试过程了。
用 windbg 调试到 win32k!gphkHashTable,却得不到这个变量的数据类型。。。
lkd> !process 0 0 //枚举所有进程
**** NT ACTIVE PROCESS DUMP ****
PROCESS fffffa80039689e0
SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000
DirBase: 00187000 ObjectTable: fffff8a000001770 HandleCount: 731.
Image: System
PROCESS fffffa8004fdbb30
SessionId: none Cid: 0124 Peb: 7fffffd8000 ParentCid: 0004
DirBase: 98077000 ObjectTable: fffff8a001e8b5e0 HandleCount: 32.
Image: smss.exe
PROCESS fffffa8005e6eb30
SessionId: 0 Cid: 01bc Peb: 7fffffda000 ParentCid: 0188
DirBase: 7650f000 ObjectTable: fffff8a0026f36a0 HandleCount: 703.
Image: csrss.exe
PROCESS fffffa80069ea710
SessionId: 0 Cid: 021c Peb: 7fffffdf000 ParentCid: 0188
DirBase: 736d5000 ObjectTable: fffff8a002822af0 HandleCount: 78.
Image: wininit.exe
PROCESS fffffa8006ab6060
SessionId: 1 Cid: 0230 Peb: 7fffffdc000 ParentCid: 0224
DirBase: 73554000 ObjectTable: fffff8a0028315b0 HandleCount: 902.
Image: csrss.exe
PROCESS fffffa8006b0b910
SessionId: 0 Cid: 0264 Peb: 7fffffdf000 ParentCid: 021c
DirBase: 834f8000 ObjectTable: fffff8a0029c0f90 HandleCount: 325.
Image: services.exe
PROCESS fffffa8006afdb30
SessionId: 0 Cid: 0274 Peb: 7fffffdf000 ParentCid: 021c
DirBase: 71c9f000 ObjectTable: fffff8a0028244b0 HandleCount: 978.
Image: lsass.exe
PROCESS fffffa8006b0e710
SessionId: 0 Cid: 027c Peb: 7fffffdf000 ParentCid: 021c
DirBase: 823e5000 ObjectTable: fffff8a0029e2d20 HandleCount: 176.
Image: lsm.exe
PROCESS fffffa8006b82b30
SessionId: 1 Cid: 02f0 Peb: 7fffffd5000 ParentCid: 0224
DirBase: 70c5a000 ObjectTable: fffff8a00266f980 HandleCount: 117.
Image: winlogon.exe
PROCESS fffffa8006b8f060
SessionId: 0 Cid: 0318 Peb: 7fffffd6000 ParentCid: 0264
DirBase: 80efa000 ObjectTable: fffff8a00294ef30 HandleCount: 396.
Image: svchost.exe
PROCESS fffffa8006bd4420
SessionId: 0 Cid: 0394 Peb: 7fffffdb000 ParentCid: 0264
DirBase: 803ea000 ObjectTable: fffff8a002bb0a00 HandleCount: 117.
Image: nvvsvc.exe
PROCESS fffffa8006bfa060
SessionId: 0 Cid: 03d4 Peb: 7efdf000 ParentCid: 0264
DirBase: 70640000 ObjectTable: fffff8a002c00d90 HandleCount: 458.
Image: QQPCRTP.exe
PROCESS fffffa8006c38b30
SessionId: 0 Cid: 0140 Peb: 7fffffd9000 ParentCid: 0264
DirBase: 6e30d000 ObjectTable: fffff8a002c6ed70 HandleCount: 389.
Image: svchost.exe
PROCESS fffffa8006c501b0
SessionId: 0 Cid: 01c8 Peb: 7fffffdd000 ParentCid: 0264
DirBase: 6dd13000 ObjectTable: fffff8a002d03140 HandleCount: 431.
Image: MsMpEng.exe
PROCESS fffffa8006cc6b30
SessionId: 0 Cid: 038c Peb: 7fffffdf000 ParentCid: 0264
DirBase: 6d0de000 ObjectTable: fffff8a002dd3170 HandleCount: 522.
Image: svchost.exe
PROCESS fffffa8006ccc740
SessionId: 0 Cid: 0430 Peb: 7fffffdf000 ParentCid: 0264
DirBase: 7cbea000 ObjectTable: fffff8a002e70e50 HandleCount: 523.
Image: svchost.exe
PROCESS fffffa8006111060
SessionId: 0 Cid: 045c Peb: 7fffffd3000 ParentCid: 0264
DirBase: 7be70000 ObjectTable: fffff8a002ea2af0 HandleCount: 1323.
Image: svchost.exe
PROCESS fffffa8006dea280
SessionId: 0 Cid: 04d8 Peb: 7fffffd5000 ParentCid: 038c
DirBase: 7a33f000 ObjectTable: fffff8a002ef1d70 HandleCount: 133.
Image: audiodg.exe
PROCESS fffffa8006e04420
SessionId: 0 Cid: 0500 Peb: 7fffffda000 ParentCid: 0264
DirBase: 79b35000 ObjectTable: fffff8a002888770 HandleCount: 370.
Image: svchost.exe
PROCESS fffffa80052f0b30
SessionId: 1 Cid: 0638 Peb: 7fffffdf000 ParentCid: 0394
DirBase: 71c36000 ObjectTable: fffff8a0029dea40 HandleCount: 211.
Image: nvxdsync.exe
PROCESS fffffa80053d1430
SessionId: 1 Cid: 0644 Peb: 7fffffd4000 ParentCid: 0394
DirBase: 71e3b000 ObjectTable: fffff8a002eadb40 HandleCount: 175.
Image: nvvsvc.exe
PROCESS fffffa8006e8d7a0
SessionId: 0 Cid: 069c Peb: 7fffffd8000 ParentCid: 0264
DirBase: 71176000 ObjectTable: fffff8a002ba3150 HandleCount: 664.
Image: svchost.exe
PROCESS fffffa8005dcb340
SessionId: 0 Cid: 0744 Peb: 7fffffd3000 ParentCid: 0264
DirBase: 606da000 ObjectTable: fffff8a003043f90 HandleCount: 330.
Image: spoolsv.exe
PROCESS fffffa8005e6e060
SessionId: 0 Cid: 0760 Peb: 7fffffdf000 ParentCid: 0264
DirBase: 60416000 ObjectTable: fffff8a002ec4290 HandleCount: 321.
Image: svchost.exe
PROCESS fffffa8006f8bb30
SessionId: 0 Cid: 05d4 Peb: 7fffffd4000 ParentCid: 0264
DirBase: 5bf47000 ObjectTable: fffff8a00300dcf0 HandleCount: 94.
Image: svchost.exe
PROCESS fffffa8006f94b30
SessionId: 0 Cid: 060c Peb: 7efdf000 ParentCid: 0264
DirBase: 5c3cd000 ObjectTable: fffff8a002de0950 HandleCount: 209.
Image: AppleMobileDeviceService.exe
PROCESS fffffa8005f09340
SessionId: 0 Cid: 08b0 Peb: 7efdf000 ParentCid: 0264
DirBase: 53117000 ObjectTable: fffff8a00338a610 HandleCount: 75.
Image: BrowserDataServices.exe
PROCESS fffffa8007137580
SessionId: 0 Cid: 08fc Peb: 7efdf000 ParentCid: 0264
DirBase: 51920000 ObjectTable: fffff8a0032ca120 HandleCount: 86.
Image: InjectWinSockServiceV6.exe
PROCESS fffffa80071e2330
SessionId: 0 Cid: 0938 Peb: 7fffffd3000 ParentCid: 0264
DirBase: 4d1c8000 ObjectTable: fffff8a0031c4e80 HandleCount: 91.
Image: HeciServer.exe
PROCESS fffffa80071f3530
SessionId: 0 Cid: 0950 Peb: 7efdf000 ParentCid: 0264
DirBase: 4df4e000 ObjectTable: fffff8a0031866d0 HandleCount: 102.
Image: Jhi_service.exe
PROCESS fffffa80071eaaa0
SessionId: 0 Cid: 0970 Peb: fffdf000 ParentCid: 0264
DirBase: 4de14000 ObjectTable: fffff8a002f020a0 HandleCount: 414.
Image: sqlservr.exe
PROCESS fffffa8004cc5b30
SessionId: 0 Cid: 09c8 Peb: fffdf000 ParentCid: 0264
DirBase: 60561000 ObjectTable: fffff8a003425c50 HandleCount: 32727.
Image: mysqld.exe
PROCESS fffffa8006fe2b30
SessionId: 0 Cid: 09e4 Peb: 7fffffd8000 ParentCid: 0264
DirBase: 5f328000 ObjectTable: fffff8a003155790 HandleCount: 60.
Image: svchost.exe
PROCESS fffffa8006fd9b30
SessionId: 0 Cid: 0a04 Peb: 7fffffdc000 ParentCid: 0264
DirBase: 5ea6d000 ObjectTable: fffff8a003481500 HandleCount: 59.
Image: svchost.exe
PROCESS fffffa80072099d0
SessionId: 0 Cid: 0a18 Peb: 7fffffdc000 ParentCid: 0264
DirBase: 5eaf3000 ObjectTable: fffff8a0034968b0 HandleCount: 105.
Image: TCPSVCS.EXE
PROCESS fffffa80072efb30
SessionId: 0 Cid: 0a2c Peb: 7fffffdf000 ParentCid: 0264
DirBase: 5ea39000 ObjectTable: fffff8a0034a3320 HandleCount: 84.
Image: sqlwriter.exe
PROCESS fffffa80073056e0
SessionId: 0 Cid: 0a50 Peb: 7fffffde000 ParentCid: 0264
DirBase: 5e87f000 ObjectTable: fffff8a002b41cc0 HandleCount: 102.
Image: svchost.exe
PROCESS fffffa800732eb30
SessionId: 0 Cid: 0a74 Peb: 7fffffdf000 ParentCid: 0264
DirBase: 46704000 ObjectTable: fffff8a0034b8740 HandleCount: 151.
Image: svchost.exe
PROCESS fffffa8007391210
SessionId: 0 Cid: 0af4 Peb: 7efdf000 ParentCid: 0264
DirBase: 5af70000 ObjectTable: fffff8a003509e40 HandleCount: 185.
Image: wlcommsvc.exe
PROCESS fffffa8007389b30
SessionId: 0 Cid: 0b08 Peb: 7fffffdf000 ParentCid: 0264
DirBase: 5b6b6000 ObjectTable: fffff8a002bfd950 HandleCount: 347.
Image: WLIDSVC.EXE
PROCESS fffffa80073cc060
SessionId: 1 Cid: 0b58 Peb: 7fffffdb000 ParentCid: 0264
DirBase: 5bafd000 ObjectTable: fffff8a0020ae7b0 HandleCount: 212.
Image: taskhost.exe
PROCESS fffffa800787cb30
SessionId: 0 Cid: 07ac Peb: fffdf000 ParentCid: 0264
DirBase: 5866b000 ObjectTable: fffff8a0026d9340 HandleCount: 220.
Image: BuildService.exe
PROCESS fffffa80078aeb30
SessionId: 0 Cid: 0888 Peb: 7fffffd5000 ParentCid: 0b08
DirBase: 540bf000 ObjectTable: fffff8a00340eb00 HandleCount: 60.
Image: WLIDSVCM.EXE
PROCESS fffffa8007933060
SessionId: 1 Cid: 0c50 Peb: 7fffffd3000 ParentCid: 0430
DirBase: 37a11000 ObjectTable: fffff8a00408d630 HandleCount: 131.
Image: dwm.exe
PROCESS fffffa800794e1c0
SessionId: 1 Cid: 0c68 Peb: 7fffffdc000 ParentCid: 0c34
DirBase: 51eb0000 ObjectTable: fffff8a004163bb0 HandleCount: 862.
Image: explorer.exe
PROCESS fffffa800799b400
SessionId: 1 Cid: 0ce8 Peb: 7fffffdf000 ParentCid: 0c68
DirBase: 2fd47000 ObjectTable: fffff8a0042354e0 HandleCount: 253.
Image: RAVCpl64.exe
PROCESS fffffa8007443060
SessionId: 0 Cid: 0d94 Peb: 7fffffdf000 ParentCid: 0264
DirBase: 464bc000 ObjectTable: fffff8a0043dc840 HandleCount: 245.
Image: NisSrv.exe
PROCESS fffffa8007b0c780
SessionId: 0 Cid: 0dd0 Peb: 7fffffd9000 ParentCid: 0264
DirBase: 2b1c6000 ObjectTable: fffff8a004400590 HandleCount: 102.
Image: svchost.exe
PROCESS fffffa8007c16780
SessionId: 1 Cid: 0f18 Peb: 7fffffdb000 ParentCid: 0c68
DirBase: 3ebb5000 ObjectTable: fffff8a0040481e0 HandleCount: 180.
Image: RAVBg64.exe
PROCESS fffffa8007c4a960
SessionId: 0 Cid: 0f28 Peb: 7fffffdc000 ParentCid: 0264
DirBase: 3e0f6000 ObjectTable: fffff8a005a61f90 HandleCount: 922.
Image: SearchIndexer.exe
PROCESS fffffa8007cb7a30
SessionId: 1 Cid: 0f90 Peb: 7fffffda000 ParentCid: 0c68
DirBase: 3d2f9000 ObjectTable: fffff8a006d0c350 HandleCount: 109.
Image: TSVNCache.exe
PROCESS fffffa8006b9fb30
SessionId: 1 Cid: 0c78 Peb: 7fffffdf000 ParentCid: 0638
DirBase: 6b25b000 ObjectTable: fffff8a00342b0a0 HandleCount: 96.
Image: nvtray.exe
PROCESS fffffa8007cc2060
SessionId: 1 Cid: 0d80 Peb: 7efdf000 ParentCid: 03d4
DirBase: 3a1e5000 ObjectTable: fffff8a006c46110 HandleCount: 771.
Image: QQPCTray.exe
PROCESS fffffa8006bffb30
SessionId: 1 Cid: 0dcc Peb: 7fffffda000 ParentCid: 0c68
DirBase: 7ac34000 ObjectTable: fffff8a002d0fe10 HandleCount: 216.
Image: SynTPEnh.exe
PROCESS fffffa8007df7060
SessionId: 1 Cid: 124c Peb: 7fffffdf000 ParentCid: 0c68
DirBase: 0074c000 ObjectTable: fffff8a004d02db0 HandleCount: 263.
Image: msseces.exe
PROCESS fffffa8007e4b5b0
SessionId: 1 Cid: 12b4 Peb: 7fffffdf000 ParentCid: 0c68
DirBase: 00f58000 ObjectTable: fffff8a000130ae0 HandleCount: 177.
Image: hkcmd.exe
PROCESS fffffa8005d2a360
SessionId: 1 Cid: 12bc Peb: 7fffffdf000 ParentCid: 0c68
DirBase: 12415e000 ObjectTable: fffff8a004d02800 HandleCount: 163.
Image: igfxpers.exe
PROCESS fffffa8006e2ab30
SessionId: 1 Cid: 1334 Peb: 7efdf000 ParentCid: 0c68
DirBase: 1e164000 ObjectTable: fffff8a002fdd480 HandleCount: 1282.
Image: msnmsgr.exe
PROCESS fffffa8007e48350
SessionId: 1 Cid: 1374 Peb: 7fffffde000 ParentCid: 0dcc
DirBase: 123998000 ObjectTable: fffff8a00422a340 HandleCount: 20.
Image: SynTPHelper.exe
PROCESS fffffa8006b76620
SessionId: 1 Cid: 13cc Peb: 7efdf000 ParentCid: 0c68
DirBase: 1cf2e000 ObjectTable: fffff8a0051ab3b0 HandleCount: 473.
Image: YodaoDict.exe
PROCESS fffffa8006f69490
SessionId: 1 Cid: 1010 Peb: 7efdf000 ParentCid: 0c68
DirBase: 19dba000 ObjectTable: fffff8a003960790 HandleCount: 806.
Image: Fetion.exe
PROCESS fffffa8003b6c710
SessionId: 1 Cid: 1038 Peb: 7efdf000 ParentCid: 0c68
DirBase: 193a4000 ObjectTable: fffff8a0043d0150 HandleCount: 47.
Image: ONENOTEM.EXE
PROCESS fffffa8003bae580
SessionId: 1 Cid: 11a0 Peb: 7fffffdf000 ParentCid: 1024
DirBase: 11c586000 ObjectTable: fffff8a004c89990 HandleCount: 218.
Image: pcee4.exe
PROCESS fffffa8003ba2b30
SessionId: 1 Cid: 03c4 Peb: 7efdf000 ParentCid: 1124
DirBase: 174ba000 ObjectTable: fffff8a0051a95b0 HandleCount: 107.
Image: xgTrayIcon.exe
PROCESS fffffa8003bde060
SessionId: 1 Cid: 00e0 Peb: 7efdf000 ParentCid: 1024
DirBase: 1616d000 ObjectTable: fffff8a004975180 HandleCount: 351.
Image: QDesk.exe
PROCESS fffffa8003cdd770
SessionId: 1 Cid: 1364 Peb: 7efdf000 ParentCid: 0d80
DirBase: 1161a0000 ObjectTable: fffff8a00402f580 HandleCount: 263.
Image: QQPCWebShield.exe
PROCESS fffffa8003d87b30
SessionId: 1 Cid: 02c8 Peb: 7efdf000 ParentCid: 13cc
DirBase: 110389000 ObjectTable: fffff8a004283f90 HandleCount: 168.
Image: WordBook.exe
PROCESS fffffa8003e3d1b0
SessionId: 0 Cid: 0d64 Peb: 7fffffd8000 ParentCid: 0264
DirBase: 09f71000 ObjectTable: fffff8a00585d540 HandleCount: 173.
Image: svchost.exe
PROCESS fffffa8003bc0b30
SessionId: 1 Cid: 13f4 Peb: 7fffffd3000 ParentCid: 13cc
DirBase: 119f22000 ObjectTable: fffff8a004aec650 HandleCount: 53.
Image: YoudaoEH.exe
PROCESS fffffa8004075060
SessionId: 0 Cid: 1428 Peb: 7efdf000 ParentCid: 0264
DirBase: b8a5c000 ObjectTable: fffff8a0056558d0 HandleCount: 104.
Image: LMS.exe
PROCESS fffffa800406a060
SessionId: 0 Cid: 1480 Peb: 7efdf000 ParentCid: 0264
DirBase: 10caed000 ObjectTable: fffff8a00594c5a0 HandleCount: 162.
Image: daemonu.exe
PROCESS fffffa80040a15b0
SessionId: 1 Cid: 1494 Peb: 7fffffda000 ParentCid: 0264
DirBase: 10c577000 ObjectTable: fffff8a0056328f0 HandleCount: 139.
Image: InputPersonalization.exe
PROCESS fffffa8004226b30
SessionId: 0 Cid: 1678 Peb: 7efdf000 ParentCid: 0264
DirBase: 82005000 ObjectTable: fffff8a0074d4e80 HandleCount: 257.
Image: UNS.exe
PROCESS fffffa80044bcab0
SessionId: 1 Cid: 05f8 Peb: fffdf000 ParentCid: 0c68
DirBase: 7ab82000 ObjectTable: fffff8a0039155d0 HandleCount: 3858.
Image: devenv.exe
PROCESS fffffa8004463b30
SessionId: 1 Cid: 0e50 Peb: 7efdf000 ParentCid: 0c68
DirBase: 04d2e000 ObjectTable: fffff8a00f6cb890 HandleCount: 3237.
Image: OUTLOOK.EXE
PROCESS fffffa80044cd060
SessionId: 0 Cid: 0770 Peb: 7fffffd4000 ParentCid: 0264
DirBase: 65a67000 ObjectTable: fffff8a006e39240 HandleCount: 145.
Image: OSPPSVC.EXE
PROCESS fffffa8004b5e060
SessionId: 1 Cid: 0bec Peb: 7efdf000 ParentCid: 0d80
DirBase: b14fc000 ObjectTable: 00000000 HandleCount: 0.
Image: QQPCMgrUpdate.exe
PROCESS fffffa8004d5b6b0
SessionId: 1 Cid: 10f4 Peb: fffdf000 ParentCid: 0318
DirBase: 43ae3000 ObjectTable: fffff8a00f6e3140 HandleCount: 555.
Image: wlcomm.exe
PROCESS fffffa8005a1cb30
SessionId: 1 Cid: 1b3c Peb: 7efdf000 ParentCid: 0d80
DirBase: 5b78a000 ObjectTable: 00000000 HandleCount: 0.
Image: QQPCMgrUpdate.exe
PROCESS fffffa80060af060
SessionId: 1 Cid: 0518 Peb: 7fffffdd000 ParentCid: 0264
DirBase: 76298000 ObjectTable: fffff8a011c499d0 HandleCount: 96.
Image: taskhost.exe
PROCESS fffffa8007af0640
SessionId: 1 Cid: 1030 Peb: 7efdf000 ParentCid: 0c68
DirBase: 4513e000 ObjectTable: 00000000 HandleCount: 0.
Image: chrome.exe
PROCESS fffffa80083e4060
SessionId: 1 Cid: 14b8 Peb: 7efdf000 ParentCid: 00e0
DirBase: 1145ac000 ObjectTable: fffff8a003038370 HandleCount: 68.
Image: goagent.exe
PROCESS fffffa80044d9a70
SessionId: 1 Cid: 114c Peb: 7fffffdf000 ParentCid: 0230
DirBase: 21cf1000 ObjectTable: fffff8a0031bb830 HandleCount: 60.
Image: conhost.exe
PROCESS fffffa800460e920
SessionId: 1 Cid: 1ae8 Peb: 7efdf000 ParentCid: 14b8
DirBase: 1523c000 ObjectTable: fffff8a004326f90 HandleCount: 207.
Image: proxy.exe
PROCESS fffffa800469db30
SessionId: 1 Cid: 1bc8 Peb: 7efdf000 ParentCid: 0c68
DirBase: 5353c000 ObjectTable: fffff8a010783d00 HandleCount: 1480.
Image: QQ.exe
PROCESS fffffa800596e060
SessionId: 1 Cid: 15c4 Peb: 7efdf000 ParentCid: 0318
DirBase: 705e6000 ObjectTable: fffff8a005689850 HandleCount: 88.
Image: TXPlatform.exe
PROCESS fffffa8003e7f850
SessionId: 1 Cid: 07f0 Peb: fffdf000 ParentCid: 05f8
DirBase: 3246a000 ObjectTable: 00000000 HandleCount: 0.
Image: BuildSystem.exe
PROCESS fffffa80065f8660
SessionId: 1 Cid: 12d4 Peb: 7efdf000 ParentCid: 1bc8
DirBase: a06ed000 ObjectTable: fffff8a0026c5590 HandleCount: 356.
Image: QQExternal.exe
PROCESS fffffa8004e687e0
SessionId: 1 Cid: 1b78 Peb: 7efdf000 ParentCid: 1bc8
DirBase: b18d1000 ObjectTable: 00000000 HandleCount: 0.
Image: txupd.exe
PROCESS fffffa8007b9e2e0
SessionId: 1 Cid: 10b4 Peb: 7efdf000 ParentCid: 1010
DirBase: 14764000 ObjectTable: fffff8a0055e13c0 HandleCount: 478.
Image: fxWebBrowser.exe
PROCESS fffffa80045616f0
SessionId: 1 Cid: 00c8 Peb: 7fffffdc000 ParentCid: 0c68
DirBase: 46781000 ObjectTable: fffff8a010b64e50 HandleCount: 221.
Image: windbg.exe
PROCESS fffffa8004d57060
SessionId: 0 Cid: 17bc Peb: 7fffffd8000 ParentCid: 0f28
DirBase: 43bc3000 ObjectTable: fffff8a0078903b0 HandleCount: 283.
Image: SearchProtocolHost.exe
PROCESS fffffa800818a060
SessionId: 0 Cid: 1610 Peb: 7fffffd8000 ParentCid: 0f28
DirBase: 116709000 ObjectTable: fffff8a011caf840 HandleCount: 103.
Image: SearchFilterHost.exe
lkd> .process fffffa800469db30 //切换到 QQ.exe(SessionId 1)的进程上下文;win32k 的全局数据位于会话空间,需要在目标会话内的进程上下文中查看
Implicit process is now fffffa80`0469db30
lkd> dd win32k!gphkHashTable //符号尚未加载,解析失败,需要先执行 .reload
Couldn't resolve error at 'win32k!gphkHashTable'
lkd> .reload
Connected to Windows 7 7601 x64 target at (Thu Jun 28 10:33:36.409 2012 (UTC + 8:00)), ptr64 TRUE
Loading Kernel Symbols
...............................................................
................................................................
.........................................
Loading User Symbols
PEB is paged out (Peb.Ldr = 00000000`7efdf018). Type ".hh dbgerr001" for details
Loading unloaded module list
.....
lkd> dd win32k!gphkHashTable
fffff960`00390c20 c2ec5450 fffff900 00000000 00000000
fffff960`00390c30 00000000 00000000 00000000 00000000
fffff960`00390c40 00000000 00000000 00000000 00000000
fffff960`00390c50 00000000 00000000 00000000 00000000
fffff960`00390c60 00000000 00000000 c1ef3360 fffff900
fffff960`00390c70 00000000 00000000 00000000 00000000
fffff960`00390c80 00000000 00000000 c300b360 fffff900
fffff960`00390c90 00000000 00000000 00000000 00000000
lkd> dd fffff900`c2ec5450
fffff900`c2ec5450 c24d1010 fffff900 00000000 00000000
fffff900`c2ec5460 c08fe0f0 fffff900 00000002 00000000 //可能表示 MOD_CONTROL(0x0002),即快捷键包含 CTRL
fffff900`c2ec5470 0000c0a7 fffff900 c06368e0 fffff900
fffff900`c2ec5480 230f0004 34616c47 c2ec5480 fffff900
fffff900`c2ec5490 33041e4d 00000000 00000000 80000000
fffff900`c2ec54a0 03e68b50 fffffa80 000000d8 00000000 //fffffa80`03e68b50 是一个线程对象(_KTHREAD)的地址,而不是线程号,下面用 dt _KTHREAD 查看
fffff900`c2ec54b0 00000000 6c777355 c2ec5530 fffff900
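fffff900`c2ec54c0 c2ec54c0 fffff900 c2ec54c0 fffff900 //其他这些数据要怎么解析呢。。。。
//注意:条目起始处的第一个指针 fffff900`c24d1010 与下面 _KTHREAD 中 +0x270 Win32Thread 的值相同,用它来关联线程更可靠。
//另外 fffff900`c2ec5480 处的 230f0004 34616c47 看起来像下一个内存池块的头部(标签字节为 ASCII "Gla4"),所以从 +0x30 往后的数据(包括 +0x50 处的 fffffa80`03e68b50)可能已经不属于这条快捷键记录,有待确认。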
lkd> dt _KTHREAD fffffa80`03e68b50
nt!_KTHREAD
+0x000 Header : _DISPATCHER_HEADER
+0x018 CycleTime : 0x2c`b7f805d1
+0x020 QuantumTarget : 0x2c`ba2aca3e
+0x028 InitialStack : 0xfffff880`0be8bc70 Void
+0x030 StackLimit : 0xfffff880`0be82000 Void
+0x038 KernelStack : 0xfffff880`0be8b730 Void
+0x040 ThreadLock : 0
+0x048 WaitRegister : _KWAIT_STATUS_REGISTER
+0x049 Running : 0 ''
+0x04a Alerted : [2] ""
+0x04c KernelStackResident : 0y1
+0x04c ReadyTransition : 0y0
+0x04c ProcessReadyQueue : 0y0
+0x04c WaitNext : 0y0
+0x04c SystemAffinityActive : 0y0
+0x04c Alertable : 0y0
+0x04c GdiFlushActive : 0y0
+0x04c UserStackWalkActive : 0y0
+0x04c ApcInterruptRequest : 0y0
+0x04c ForceDeferSchedule : 0y0
+0x04c QuantumEndMigrate : 0y0
+0x04c UmsDirectedSwitchEnable : 0y0
+0x04c TimerActive : 0y0
+0x04c SystemThread : 0y0
+0x04c Reserved : 0y000000000000000000 (0)
+0x04c MiscFlags : 0n1
+0x050 ApcState : _KAPC_STATE
+0x050 ApcStateFill : [43] "???"
+0x07b Priority : 10 ''
+0x07c NextProcessor : 0
+0x080 DeferredProcessor : 0
+0x088 ApcQueueLock : 0
+0x090 WaitStatus : 0n0
+0x098 WaitBlockList : 0xfffffa80`03e68c58 _KWAIT_BLOCK
+0x0a0 WaitListEntry : _LIST_ENTRY [ 0xfffffa80`04156bf0 - 0xfffffa80`06e44100 ]
+0x0a0 SwapListEntry : _SINGLE_LIST_ENTRY
+0x0b0 Queue : (null)
+0x0b8 Teb : 0x00000000`7efdb000 Void
+0x0c0 Timer : _KTIMER
+0x100 AutoAlignment : 0y1
+0x100 DisableBoost : 0y0
+0x100 EtwStackTraceApc1Inserted : 0y0
+0x100 EtwStackTraceApc2Inserted : 0y0
+0x100 CalloutActive : 0y0
+0x100 ApcQueueable : 0y1
+0x100 EnableStackSwap : 0y1
+0x100 GuiThread : 0y1
+0x100 UmsPerformingSyscall : 0y0
+0x100 VdmSafe : 0y0
+0x100 UmsDispatched : 0y0
+0x100 ReservedFlags : 0y000000000000000000000 (0)
+0x100 ThreadFlags : 0n225
+0x104 Spare0 : 0
+0x108 WaitBlock : [4] _KWAIT_BLOCK
+0x108 WaitBlockFill4 : [44] "???"
+0x134 ContextSwitches : 0x18b9e5
+0x108 WaitBlockFill5 : [92] "???"
+0x164 State : 0x5 ''
+0x165 NpxState : 5 ''
+0x166 WaitIrql : 0 ''
+0x167 WaitMode : 1 ''
+0x108 WaitBlockFill6 : [140] "???"
+0x194 WaitTime : 0x5797d
+0x108 WaitBlockFill7 : [168] "???"
+0x1b0 TebMappedLowVa : (null)
+0x1b8 Ucb : (null)
+0x108 WaitBlockFill8 : [188] "???"
+0x1c4 KernelApcDisable : 0n0
+0x1c6 SpecialApcDisable : 0n0
+0x1c4 CombinedApcDisable : 0
+0x1c8 QueueListEntry : _LIST_ENTRY [ 0x00000000`00000000 - 0x0 ]
+0x1d8 TrapFrame : 0xfffff880`0be8bae0 _KTRAP_FRAME
+0x1e0 FirstArgument : (null)
+0x1e8 CallbackStack : (null)
+0x1e8 CallbackDepth : 0
+0x1f0 ApcStateIndex : 0 ''
+0x1f1 BasePriority : 8 ''
+0x1f2 PriorityDecrement : 2 ''
+0x1f2 ForegroundBoost : 0y0010
+0x1f2 UnusualBoost : 0y0000
+0x1f3 Preempted : 0 ''
+0x1f4 AdjustReason : 0 ''
+0x1f5 AdjustIncrement : 2 ''
+0x1f6 PreviousMode : 1 ''
+0x1f7 Saturation : 0 ''
+0x1f8 SystemCallNumber : 0x100c
+0x1fc FreezeCount : 0
+0x200 UserAffinity : _GROUP_AFFINITY
+0x210 Process : 0xfffffa80`0469db30 _KPROCESS //这应该是快捷键所在的进程;对照上面 !process 0 0 的输出,地址 fffffa80`0469db30 对应的进程是 QQ.exe
+0x218 Affinity : _GROUP_AFFINITY
+0x228 IdealProcessor : 0
+0x22c UserIdealProcessor : 0
+0x230 ApcStatePointer : [2] 0xfffffa80`03e68ba0 _KAPC_STATE
+0x240 SavedApcState : _KAPC_STATE
+0x240 SavedApcStateFill : [43] "???"
+0x26b WaitReason : 0xd ''
+0x26c SuspendCount : 0 ''
+0x26d Spare1 : 0 ''
+0x26e CodePatchInProgress : 0 ''
+0x270 Win32Thread : 0xfffff900`c24d1010 Void
+0x278 StackBase : 0xfffff880`0be8c000 Void
+0x280 SuspendApc : _KAPC
+0x280 SuspendApcFill0 : [1] "??????"
+0x281 ResourceIndex : 0x1 ''
+0x280 SuspendApcFill1 : [3] "???"
+0x283 QuantumReset : 0x12 ''
+0x280 SuspendApcFill2 : [4] "???"
+0x284 KernelTime : 0x4e5
+0x280 SuspendApcFill3 : [64] "???"
+0x2c0 WaitPrcb : 0xfffff800`05042e80 _KPRCB
+0x280 SuspendApcFill4 : [72] "???"
+0x2c8 LegoData : (null)
+0x280 SuspendApcFill5 : [83] "???"
+0x2d3 LargeStack : 0x1 ''
+0x2d4 UserTime : 0x52d
+0x2d8 SuspendSemaphore : _KSEMAPHORE
+0x2d8 SuspendSemaphorefill : [28] "???"
+0x2f4 SListFaultCount : 0
+0x2f8 ThreadListEntry : _LIST_ENTRY [ 0xfffffa80`079ab358 - 0xfffffa80`0469db60 ]
+0x308 MutantListHead : _LIST_ENTRY [ 0xfffffa80`05de7978 - 0xfffffa80`04486268 ]
+0x318 SListFaultAddress : (null)
+0x320 ReadOperationCount : 0n27284
+0x328 WriteOperationCount : 0n1031
+0x330 OtherOperationCount : 0n152123
+0x338 ReadTransferCount : 0n18422004
+0x340 WriteTransferCount : 0n6614868
+0x348 OtherTransferCount : 0n44429885
+0x350 ThreadCounters : (null)
+0x358 StateSaveArea : 0xfffff880`0be8bcc0 _XSAVE_FORMAT
+0x360 XStateSave : (null)