Process Study Notes 1

Concepts

Although programs and processes appear similar on the surface, they are fundamentally different. A program is a static sequence of instructions, whereas a process is a container for a set of resources used when executing the instance of the program.

Components

Component: role

  • A private virtual address space: This is a set of virtual memory addresses that the process can use.
  • An executable program: This defines initial code and data and is mapped into the process's virtual address space.
  • A list of open handles: These map to various system resources such as semaphores, synchronization
  • A security context: This is an access token that identifies the user, security groups, privileges, attributes, claims, capabilities, User Account Control (UAC) virtualization state, session, and limited user account state associated with the process, as well as the AppContainer identifier and its related sandboxing information.
  • A process ID: This is a unique identifier, which is internally part of an identifier called a client ID.
  • At least one thread of execution: Although an "empty" process is possible, it is (mostly) not useful.

_EPROCESS

// to be completed
_EPROCESS
   +0x000 Pcb              : _KPROCESS				// embedded kernel-layer process object
   +0x2d8 ProcessLock      : _EX_PUSH_LOCK			// push lock that protects the EPROCESS members
   +0x2e0 RundownProtect   : _EX_RUNDOWN_REF		// rundown protection: final teardown waits until other threads and processes have released their references
   +0x2e8 UniqueProcessId  : Ptr64 Void				// process ID
   +0x2f0 ActiveProcessLinks : _LIST_ENTRY  		// entry in the active-process list (PsActiveProcessHead)
   +0x300 Flags2           : Uint4B
   +0x300 JobNotReallyActive : Pos 0, 1 Bit
   +0x300 AccountingFolded : Pos 1, 1 Bit
   +0x300 NewProcessReported : Pos 2, 1 Bit
   +0x300 ExitProcessReported : Pos 3, 1 Bit
   +0x300 ReportCommitChanges : Pos 4, 1 Bit
   +0x300 LastRetMemory : Pos 5, 1 Bit
   +0x300 ForceWakeCharge  : Pos 6, 1 Bit
   +0x300 CrossSessionCreate : Pos 7, 1 Bit
   +0x300 NeedsHandleRundown : Pos 8, 1 Bit
   +0x300 RefTraceEnabled  : Pos 9, 1 Bit
   +0x300 DisableDynamicCode : Pos 10, 1 Bit
   +0x300 EmptyJobEvaluated : Pos 11, 1 Bit
   +0x300 DefaultPagePriority : Pos 12, 3 Bits
   +0x300 PrimaryTokenFrozen : Pos 15, 1 Bit
   +0x300 ProcessVerifierTarget : Pos 16, 1 Bit
   +0x300 StackRandomizationDisabled : Pos 17, 1 Bit
   +0x300 AffinityPermanent : Pos 18, 1 Bit
   +0x300 AffinityUpdateEnable : Pos 19, 1 Bit
   +0x300 PropagateNode    : Pos 20, 1 Bit
   +0x300 ExplicitAffinity : Pos 21, 1 Bit
   +0x300 ProcessExecutionState : Pos 22, 2 Bits
   +0x300 DisallowStrippedImages : Pos 24, 1 Bit
   +0x300 HighEntropyASLREnabled : Pos 25, 1 Bit
   +0x300 ExtensionPointDisable : Pos 26, 1 Bit
   +0x300 ForceRelocateImages : Pos 27, 1 Bit
   +0x300 ProcessStateChangeRequest : Pos 28, 2 Bits
   +0x300 ProcessStateChangeInProgress : Pos 30, 1 Bit
   +0x300 DisallowWin32kSystemCalls : Pos 31, 1 Bit
   +0x304 Flags            : Uint4B
   +0x304 CreateReported   : Pos 0, 1 Bit
   +0x304 NoDebugInherit   : Pos 1, 1 Bit
   +0x304 ProcessExiting   : Pos 2, 1 Bit
   +0x304 ProcessDelete    : Pos 3, 1 Bit
   +0x304 ControlFlowGuardEnabled : Pos 4, 1 Bit
   +0x304 VmDeleted        : Pos 5, 1 Bit
   +0x304 OutswapEnabled   : Pos 6, 1 Bit
   +0x304 Outswapped       : Pos 7, 1 Bit
   +0x304 FailFastOnCommitFail : Pos 8, 1 Bit
   +0x304 Wow64VaSpace4Gb  : Pos 9, 1 Bit
   +0x304 AddressSpaceInitialized : Pos 10, 2 Bits
   +0x304 SetTimerResolution : Pos 12, 1 Bit
   +0x304 BreakOnTermination : Pos 13, 1 Bit				// critical-process flag (RtlSetProcessIsCritical / PROCESS_BREAK_ON_TERMINATION): terminating the process bugchecks the system
   +0x304 DeprioritizeViews : Pos 14, 1 Bit
   +0x304 WriteWatch       : Pos 15, 1 Bit
   +0x304 ProcessInSession : Pos 16, 1 Bit
   +0x304 OverrideAddressSpace : Pos 17, 1 Bit
   +0x304 HasAddressSpace  : Pos 18, 1 Bit
   +0x304 LaunchPrefetched : Pos 19, 1 Bit
   +0x304 Background       : Pos 20, 1 Bit
   +0x304 VmTopDown        : Pos 21, 1 Bit
   +0x304 ImageNotifyDone  : Pos 22, 1 Bit
   +0x304 PdeUpdateNeeded  : Pos 23, 1 Bit
   +0x304 VdmAllowed       : Pos 24, 1 Bit
   +0x304 ProcessRundown   : Pos 25, 1 Bit
   +0x304 ProcessInserted  : Pos 26, 1 Bit
   +0x304 DefaultIoPriority : Pos 27, 3 Bits
   +0x304 ProcessSelfDelete : Pos 30, 1 Bit
   +0x304 SetTimerResolutionLink : Pos 31, 1 Bit
   +0x308 CreateTime       : _LARGE_INTEGER				// process creation time
   +0x310 ProcessQuotaUsage : [2] Uint8B				// pool quota in use, one entry each for nonpaged and paged pool (page-file commit is accounted in CommitCharge, not here)
   +0x320 ProcessQuotaPeak : [2] Uint8B					// peak of the above, same indexing
   +0x330 PeakVirtualSize  : Uint8B						// peak virtual size of the process
   +0x338 VirtualSize      : Uint8B						// current virtual size of the process
   +0x340 SessionProcessLinks : _LIST_ENTRY				// list of processes in the same session
   +0x350 ExceptionPortData : Ptr64 Void				// exception port (pointer; state is kept in the low 3 bits)
   +0x350 ExceptionPortValue : Uint8B
   +0x350 ExceptionPortState : Pos 0, 3 Bits
   +0x358 Token            : _EX_FAST_REF				// primary access token (fast reference: the low 4 bits are a reference cache, mask them before dereferencing)
   +0x360 WorkingSetPage   : Uint8B						// page holding the working-set list
   +0x368 AddressCreationLock : _EX_PUSH_LOCK			// protects address-space operations (VAD changes)
   +0x370 PageTableCommitmentLock : _EX_PUSH_LOCK
   +0x378 RotateInProgress : Ptr64 _ETHREAD
   +0x380 ForkInProgress   : Ptr64 _ETHREAD				// thread currently cloning the address space; only non-NULL while a clone is in progress
   +0x388 CommitChargeJob  : Ptr64 _EJOB
   +0x390 CloneRoot        : _RTL_AVL_TREE				// root of the balanced tree built when the address space is cloned
   +0x398 NumberOfPrivatePages : Uint8B				// number of private pages
   +0x3a0 NumberOfLockedPages : Uint8B					// number of locked pages
   +0x3a8 Win32Process     : Ptr64 Void					// per-process area managed by the Windows subsystem (win32k)
   +0x3b0 Job              : Ptr64 _EJOB 				// job object (jobs are chained on PspJobList)
   +0x3b8 SectionObject    : Ptr64 Void					// section object backing the process image
   +0x3c0 SectionBaseAddress : Ptr64 Void				// base address at which that section is mapped
   +0x3c8 Cookie           : Uint4B						// per-process random value
   +0x3d0 WorkingSetWatch  : Ptr64 _PAGEFAULT_HISTORY	// page-fault history used for working-set monitoring
   +0x3d8 Win32WindowStation : Ptr64 Void 				// window station handle
   +0x3e0 InheritedFromUniqueProcessId : Ptr64 Void 	// parent process ID (only the PID is stored; it may already have been reused if the parent exited)
   +0x3e8 LdtInformation   : Ptr64 Void
   +0x3f0 OwnerProcessId   : Uint8B
   +0x3f8 Peb              : Ptr64 _PEB				    // process environment block (user-mode address)
   +0x400 Session          : Ptr64 Void 			    // session the process belongs to (_MM_SESSION_SPACE)
   +0x408 AweInfo          : Ptr64 Void   		  	    // _AWEINFO
   +0x410 QuotaBlock       : Ptr64 _EPROCESS_QUOTA_BLOCK
   +0x418 ObjectTable      : Ptr64 _HANDLE_TABLE		// handle table
   +0x420 DebugPort        : Ptr64 Void 				// debug port (debug object); non-NULL while a debugger is attached
   +0x428 Wow64Process     : Ptr64 Void
   +0x430 DeviceMap        : Ptr64 Void				    // device map used to resolve DOS device names (_DEVICE_MAP)

   +0x438 EtwDataSource    : Ptr64 Void
   +0x440 PageDirectoryPte : Uint8B						// PTE of the top-level page directory page
   +0x448 ImageFileName    : [15] UChar				 	// image file name: 15 bytes including the NUL, so names are truncated to 14 characters; not a reliable identifier on its own
   +0x457 PriorityClass    : UChar						// process priority class
   +0x458 SecurityPort     : Ptr64 Void				    // ALPC port used for communication with lsass
   +0x460 SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO	// full image path (OBJECT_NAME_INFORMATION) captured at creation, unlike the truncated ImageFileName
   +0x468 JobLinks         : _LIST_ENTRY					// list of all processes in the same job
   +0x478 HighestUserAddress : Ptr64 Void				// upper bound of the user-mode address range
   +0x480 ThreadListHead   : _LIST_ENTRY 				// list of the process's threads
   +0x490 ActiveThreads    : Uint4B						// number of active threads; when it reaches 0 all threads have exited and the process exits
   +0x494 ImagePathHash    : Uint4B
   +0x498 DefaultHardErrorProcessing : Uint4B			// default hard-error mode (the SetErrorMode value; "hard error", not hardware error)
   +0x49c LastThreadExitStatus : Int4B					// exit status of the last thread to exit
   +0x4a0 PrefetchTrace    : _EX_FAST_REF				// prefetch trace associated with the process
   +0x4a8 LockedPagesList  : Ptr64 Void					// LOCK_HEAD: list head through which the system tracks which physical pages the process has locked
   +0x4b0 ReadOperationCount : _LARGE_INTEGER			// number of NtReadFile calls made by the process
   +0x4b8 WriteOperationCount : _LARGE_INTEGER			// number of NtWriteFile calls made by the process
   +0x4c0 OtherOperationCount : _LARGE_INTEGER			// number of I/O calls other than read and write
   +0x4c8 ReadTransferCount : _LARGE_INTEGER			// bytes transferred by read operations (a byte count, not a call count)
   +0x4d0 WriteTransferCount : _LARGE_INTEGER			// bytes transferred by write operations
   +0x4d8 OtherTransferCount : _LARGE_INTEGER			// bytes transferred by other I/O operations
   +0x4e0 CommitChargeLimit : Uint8B					// limit on the number of committed pages
   +0x4e8 CommitCharge     : Uint8B						// number of committed pages of virtual memory
   +0x4f0 CommitChargePeak : Uint8B						// peak number of committed pages
   +0x4f8 Vm               : _MMSUPPORT					// memory-management support block (working-set information)
   +0x5f0 MmProcessLinks   : _LIST_ENTRY			    // doubly linked list of processes that own an address space
   +0x600 ModifiedPageCount : Uint4B					// number of modified pages in the process
   +0x604 ExitStatus       : Int4B						// exit code returned when the process terminated
   +0x608 VadRoot          : _RTL_AVL_TREE				// root of the VAD (virtual address descriptor) tree
   +0x610 VadHint          : Ptr64 Void
   +0x618 VadCount         : Uint8B
   +0x620 VadPhysicalPages : Uint8B
   +0x628 VadPhysicalPagesLimit : Uint8B
   +0x630 AlpcContext      : _ALPC_PROCESS_CONTEXT
   +0x650 TimerResolutionLink : _LIST_ENTRY
   +0x660 TimerResolutionStackRecord : Ptr64 _PO_DIAG_STACK_RECORD
   +0x668 RequestedTimerResolution : Uint4B
   +0x66c SmallestTimerResolution : Uint4B
   +0x670 ExitTime         : _LARGE_INTEGER				// exit time
   +0x678 InvertedFunctionTable : Ptr64 _INVERTED_FUNCTION_TABLE
   +0x680 InvertedFunctionTableLock : _EX_PUSH_LOCK
   +0x688 ActiveThreadsHighWatermark : Uint4B
   +0x68c LargePrivateVadCount : Uint4B
   +0x690 ThreadListLock   : _EX_PUSH_LOCK
   +0x698 WnfContext       : Ptr64 Void
   +0x6a0 Spare0           : Uint8B
   +0x6a8 SignatureLevel   : UChar
   +0x6a9 SectionSignatureLevel : UChar
   +0x6aa Protection       : _PS_PROTECTION				// protected-process level: Protected Process (PP) or Protected Process Light (PPL)
   +0x6ab HangCount        : UChar						
   +0x6ac Flags3           : Uint4B
   +0x6ac Minimal          : Pos 0, 1 Bit
   +0x6ac ReplacingPageRoot : Pos 1, 1 Bit
   +0x6ac DisableNonSystemFonts : Pos 2, 1 Bit
   +0x6ac AuditNonSystemFontLoading : Pos 3, 1 Bit
   +0x6ac Crashed          : Pos 4, 1 Bit
   +0x6ac JobVadsAreTracked : Pos 5, 1 Bit
   +0x6ac VadTrackingDisabled : Pos 6, 1 Bit
   +0x6ac AuxiliaryProcess : Pos 7, 1 Bit
   +0x6ac SubsystemProcess : Pos 8, 1 Bit
   +0x6ac IndirectCpuSets  : Pos 9, 1 Bit
   +0x6ac InPrivate        : Pos 10, 1 Bit
   +0x6b0 DeviceAsid       : Int4B
   +0x6b8 SvmData          : Ptr64 Void
   +0x6c0 SvmProcessLock   : _EX_PUSH_LOCK
   +0x6c8 SvmLock          : Uint8B
   +0x6d0 SvmProcessDeviceListHead : _LIST_ENTRY
   +0x6e0 LastFreezeInterruptTime : Uint8B
   +0x6e8 DiskCounters     : Ptr64 _PROCESS_DISK_COUNTERS
   +0x6f0 PicoContext      : Ptr64 Void
   +0x6f8 TrustletIdentity : Uint8B
   +0x700 KeepAliveCounter : Uint4B
   +0x704 NoWakeKeepAliveCounter : Uint4B
   +0x708 HighPriorityFaultsAllowed : Uint4B
   +0x710 EnergyValues     : Ptr64 _PROCESS_ENERGY_VALUES
   +0x718 VmContext        : Ptr64 Void
   +0x720 Silo             : Ptr64 _ESILO
   +0x728 SiloEntry        : _LIST_ENTRY
   +0x738 SequenceNumber   : Uint8B
   +0x740 CreateInterruptTime : Uint8B
   +0x748 CreateUnbiasedInterruptTime : Uint8B
   +0x750 TotalUnbiasedFrozenTime : Uint8B
   +0x758 LastAppStateUpdateTime : Uint8B
   +0x760 LastAppStateUptime : Pos 0, 61 Bits
   +0x760 LastAppState     : Pos 61, 3 Bits
   +0x768 SharedCommitCharge : Uint8B
   +0x770 SharedCommitLock : _EX_PUSH_LOCK
   +0x778 SharedCommitLinks : _LIST_ENTRY
   +0x788 AllowedCpuSets   : Uint8B
   +0x790 DefaultCpuSets   : Uint8B
   +0x788 AllowedCpuSetsIndirect : Ptr64 Uint8B
   +0x790 DefaultCpuSetsIndirect : Ptr64 Uint8B



_KPROCESS

nt!_KPROCESS
   +0x000 Header           : _DISPATCHER_HEADER			// dispatcher object header (a process is a waitable object)
   +0x018 ProfileListHead  : _LIST_ENTRY   				// node in the global profiling list (KiProfileListHead)
   +0x028 DirectoryTableBase : Uint8B    				// physical address of the top-level page table (loaded into CR3 on a context switch)
   +0x030 ThreadListHead   : _LIST_ENTRY				// doubly linked list of all threads of the process
   +0x040 ProcessLock      : Uint4B						// synchronization lock
   +0x044 Spare0           : Uint4B
   +0x048 DeepFreezeStartTime : Uint8B
   +0x050 Affinity         : _KAFFINITY_EX				// processors the process's threads may run on (processor affinity)
   +0x0f8 ReadyListHead    : _LIST_ENTRY    		
   +0x108 SwapListEntry    : _SINGLE_LIST_ENTRY 
   +0x110 ActiveProcessors : _KAFFINITY_EX				// processors on which the process currently has running threads
   +0x1b8 AutoAlignment    : Pos 0, 1 Bit
   +0x1b8 DisableBoost     : Pos 1, 1 Bit
   +0x1b8 DisableQuantum   : Pos 2, 1 Bit
   +0x1b8 DeepFreeze       : Pos 3, 1 Bit
   +0x1b8 TimerVirtualization : Pos 4, 1 Bit
   +0x1b8 CheckStackExtents : Pos 5, 1 Bit
   +0x1b8 SpareFlags0      : Pos 6, 2 Bits
   +0x1b8 ActiveGroupsMask : Pos 8, 20 Bits
   +0x1b8 ReservedFlags    : Pos 28, 4 Bits
   +0x1b8 ProcessFlags     : Int4B
   +0x1bc BasePriority     : Char						// base priority
   +0x1bd QuantumReset     : Char						// quantum reset value
   +0x1be Visited          : UChar
   +0x1bf Flags            : _KEXECUTE_OPTIONS
   +0x1c0 ThreadSeed       : [20] Uint4B			
   +0x210 IdealNode        : [20] Uint2B
   +0x238 IdealGlobalNode  : Uint2B
   +0x23a Spare1           : Uint2B
   +0x23c StackCount       : _KSTACK_COUNT				// number of thread stacks resident in memory
   +0x240 ProcessListEntry : _LIST_ENTRY 				// list of all processes in the system that have active threads (KiProcessListHead, AMD64)
   +0x250 CycleTime        : Uint8B
   +0x258 ContextSwitches  : Uint8B					
   +0x260 SchedulingGroup  : Ptr64 _KSCHEDULING_GROUP
   +0x268 FreezeCount      : Uint4B						
   +0x26c KernelTime       : Uint4B						// time spent running in kernel mode
   +0x270 UserTime         : Uint4B						// time spent running in user mode
   +0x274 LdtFreeSelectorHint : Uint2B
   +0x276 LdtTableLength   : Uint2B						
   +0x278 LdtSystemDescriptor : _KGDTENTRY64		
   +0x288 LdtBaseAddress   : Ptr64 Void
   +0x290 LdtProcessLock   : _FAST_MUTEX
   +0x2c8 InstrumentationCallback : Ptr64 Void
   +0x2d0 SecurePid        : Uint8B


WinDbg scripts

Print the image name and address of every process in the system

$$ Offsets match the dump above: ActiveProcessLinks is at +0x2f0 and ImageFileName at +0x448, so the name is 0x448-0x2f0 = 0x158 past the list entry.
$$ On another build derive them with @@c++(#FIELD_OFFSET(nt!_EPROCESS, ActiveProcessLinks)) instead of hard-coding.
r @$t1 = poi(PsActiveProcessHead);
r @$t2 = 0;
.do
{
	.printf "imageName:\t%ma    eprocess:\t%p\n", @$t1+0x158, @$t1-0x2F0;
	r @$t1 = poi(@$t1);
	r @$t2 = @$t2+1;
}(@$t1 != PsActiveProcessHead)
.printf "Print Active Process Num Is %d\n", @$t2
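As an added illustration (not code from the original notes or from Windows), here is a user-mode C model of the walk the script performs: a doubly linked list of reduced _EPROCESS-like records, the CONTAINING_RECORD arithmetic behind `@$t1 - 0x2F0`, and what the count looks like after one entry is unlinked the way a DKOM rootkit hides a process. The struct layout, process names and PIDs are constructed for the example; only the field names come from the dump above, and the offsets are not the real ones.

```c
/* Added example, not from the original notes: user-mode model of the
 * PsActiveProcessHead walk. Reduced stand-in for _EPROCESS: field names
 * follow the dump, offsets do not. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;
    struct _LIST_ENTRY *Blink;
} LIST_ENTRY;

typedef struct {
    uint64_t   UniqueProcessId;
    LIST_ENTRY ActiveProcessLinks;  /* the script walks these, not the EPROCESS itself */
    uint32_t   ActiveThreads;
    char       ImageFileName[15];   /* 15 bytes including the NUL: names are cut at 14 chars */
    uint8_t    PriorityClass;       /* directly follows the name, as +0x457 does above */
} EPROCESS_MODEL;

/* The script's "@$t1 - 0x2F0": LIST_ENTRY address minus the field offset. */
#define CONTAINING_RECORD(addr, type, field) \
    ((type *)((char *)(addr) - offsetof(type, field)))

static void InitializeListHead(LIST_ENTRY *head) { head->Flink = head->Blink = head; }

static void InsertTailList(LIST_ENTRY *head, LIST_ENTRY *entry)
{
    entry->Flink = head;
    entry->Blink = head->Blink;
    head->Blink->Flink = entry;
    head->Blink = entry;
}

/* What DKOM process hiding does: the neighbours are re-linked around the
 * entry while the _EPROCESS, its threads and its PspCidTable slot remain. */
static void RemoveEntryList(LIST_ENTRY *entry)
{
    entry->Blink->Flink = entry->Flink;
    entry->Flink->Blink = entry->Blink;
}

/* Mirrors how the kernel fills ImageFileName: zero the buffer, copy at most 14 chars. */
static void SetImageName(EPROCESS_MODEL *p, const char *name)
{
    memset(p->ImageFileName, 0, sizeof p->ImageFileName);
    strncpy(p->ImageFileName, name, sizeof p->ImageFileName - 1);
}

static size_t StoredImageNameLength(const char *name)
{
    EPROCESS_MODEL tmp;
    SetImageName(&tmp, name);
    return strlen(tmp.ImageFileName);
}

/* The loop from the script: start at Flink of the head, stop when back at the
 * head, recover each process with CONTAINING_RECORD. The name is copied with
 * an explicit bound instead of trusting %ma to find a terminator. */
static size_t WalkActiveProcessList(LIST_ENTRY *head)
{
    size_t n = 0;
    for (LIST_ENTRY *e = head->Flink; e != head; e = e->Flink) {
        EPROCESS_MODEL *p = CONTAINING_RECORD(e, EPROCESS_MODEL, ActiveProcessLinks);
        char name[16];
        memcpy(name, p->ImageFileName, sizeof p->ImageFileName);
        name[15] = '\0';
        printf("imageName: %-15s eprocess: %p pid: %llu\n",
               name, (void *)p, (unsigned long long)p->UniqueProcessId);
        n++;
    }
    return n;
}

/* Constructed scenario (names and PIDs made up): three processes on the list;
 * with hideSecond set, the second one is unlinked DKOM-style before the walk. */
static size_t VisibleProcessCount(int hideSecond)
{
    static EPROCESS_MODEL procs[3];
    static LIST_ENTRY PsActiveProcessHead;
    static const char *names[3]   = { "System", "lsass.exe", "MicrosoftEdgeCP.exe" };
    static const uint64_t pids[3] = { 4, 0x2b0, 0x4d2 };

    InitializeListHead(&PsActiveProcessHead);
    for (int i = 0; i < 3; i++) {
        memset(&procs[i], 0, sizeof procs[i]);
        procs[i].UniqueProcessId = pids[i];
        procs[i].ActiveThreads   = 1;
        SetImageName(&procs[i], names[i]);
        InsertTailList(&PsActiveProcessHead, &procs[i].ActiveProcessLinks);
    }
    if (hideSecond)
        RemoveEntryList(&procs[1].ActiveProcessLinks);
    return WalkActiveProcessList(&PsActiveProcessHead);
}

int main(void)
{
    printf("Print Active Process Num Is %zu\n", VisibleProcessCount(0));
    printf("After unlinking one entry: %zu (the object itself still exists)\n", VisibleProcessCount(1));
    return 0;
}
```

Two things the model makes visible that the script output does not: a name such as MicrosoftEdgeCP.exe is stored as "MicrosoftEdgeC" because the field is 15 bytes, and unlinking one ActiveProcessLinks entry lowers the count without destroying the process. That is why a list walk alone is not a complete process inventory; cross-checking it against PspCidTable (the next script) is the usual way to find unlinked processes.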

Walk PspCidTable to find the process with a given PID

$$ arg1: PID. MASM evaluates numbers as hex by default, so pass a decimal PID with the 0n prefix, e.g. 0n1234.
$$ Layout assumed (x64): _HANDLE_TABLE.TableCode at +0x8 with the level in its low 2 bits;
$$ 16-byte _HANDLE_TABLE_ENTRY (256 per low-level page), 8-byte pointer slots (512 per mid/top-level page).
r @$t0 = poi(PspCidTable);
r @$t1 = by(@$t0+0x8) & 0x03;
r @$t0 = poi(@$t0+0x8) & 0xfffffffffffffffc;

.if( ${/d:$arg1} ){
	$$ handle values are multiples of 4, so the table index is PID / 4
	r @$t4 = ${$arg1} / 0n4;
	r @$t3 = @$t4 % 0n256;
	r @$t2 = (@$t4 / 0n256) % 0n512;
	r @$t5 = (@$t4 / 0n256) / 0n512;

	$$ top-level -> mid-level page (pointer slots are 8 bytes, not 0x10)
	.if( @$t1 == 2 ){
		r @$t0 = poi(@$t0 + @$t5 * 8);
	}
	$$ mid-level -> low-level page
	.if( @$t1 >= 1 ){
		r @$t0 = poi(@$t0 + @$t2 * 8);
	}

	$$ LowValue of the 16-byte entry; ObjectPointerBits are bits 20..63 and hold the address >> 4.
	$$ PspCidTable stores the _EPROCESS itself (not an _OBJECT_HEADER, unlike a process handle table),
	$$ so the re-canonicalised pointer can be handed straight to !process.
	r @$t0 = poi(@$t0 + @$t3 * 0x10);
	!process ((((@$t0 >> 0x14) << 0x4) | 0xFFFF000000000000)) 0;
}
.else{
	.printf "no parameter\n";
}
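The same lookup written out in C, as an added example that is not part of the original notes, so the index split and the ObjectPointerBits decoding can be checked on all three table levels. The page-layout constants (16-byte entries, 8-byte pointer slots, `TableCode & 3` = level) are the x64 assumptions the script relies on; the table, the PIDs and the _EPROCESS addresses placed in it are built in memory for the example and are not kernel data.

```c
/* Added example, not from the original notes: PspCidTable index arithmetic
 * and entry decoding, generalised to levels 0, 1 and 2. The table built in
 * BuildModelTableCode() is an in-memory model with made-up addresses. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LOW_ENTRIES    256u                    /* 4096 / 16-byte _HANDLE_TABLE_ENTRY */
#define PTRS_PER_PAGE  512u                    /* 4096 / 8-byte pointer slot         */
#define KERNEL_PREFIX  0xFFFF000000000000ull   /* canonical high bits of kernel VAs  */

typedef struct { unsigned top, mid, low; } HandleIndex;

/* PIDs and handles are multiples of 4 (the low 2 bits are tag bits): index = value / 4. */
static HandleIndex IndexForHandle(uint64_t handle)
{
    uint64_t idx = handle >> 2;
    HandleIndex h;
    h.low = (unsigned)(idx % LOW_ENTRIES);
    h.mid = (unsigned)((idx / LOW_ENTRIES) % PTRS_PER_PAGE);
    h.top = (unsigned)((idx / LOW_ENTRIES) / PTRS_PER_PAGE);
    return h;
}

/* ObjectPointerBits occupies bits 20..63 of the entry's low qword and holds
 * (object address >> 4) with the canonical 0xFFFF prefix dropped. */
static uint64_t ObjectFromLowValue(uint64_t lowValue)
{
    return ((lowValue >> 20) << 4) | KERNEL_PREFIX;
}

/* Reverse of the above, used to build entries: Unlocked = bit 0,
 * RefCnt = bits 1..16, Attributes = bits 17..19. */
static uint64_t LowValueFromObject(uint64_t object, unsigned refCnt, unsigned attributes)
{
    uint64_t bits = (object & ~KERNEL_PREFIX) >> 4;   /* 44 bits */
    return (bits << 20) | ((uint64_t)(attributes & 7) << 17)
         | ((uint64_t)(refCnt & 0xFFFF) << 1) | 1u;
}

/* The script's walk: TableCode & 3 is the depth, TableCode & ~3 the top page.
 * Returns 0 for an empty slot or an index the table's depth cannot hold. */
static uint64_t LookupObject(uint64_t tableCode, uint64_t handle)
{
    unsigned    level = (unsigned)(tableCode & 3);
    uintptr_t   page  = (uintptr_t)(tableCode & ~(uint64_t)3);
    HandleIndex h     = IndexForHandle(handle);

    if (level == 2)      page = ((uintptr_t *)page)[h.top];   /* top -> mid, 8-byte slots */
    else if (h.top != 0) return 0;
    if (page == 0)       return 0;
    if (level >= 1)      page = ((uintptr_t *)page)[h.mid];   /* mid -> low, 8-byte slots */
    else if (h.mid != 0) return 0;
    if (page == 0)       return 0;

    const uint64_t *entry = (const uint64_t *)page + (size_t)h.low * 2;  /* 16-byte entries */
    if (entry[0] == 0)   /* model convention: an all-zero low qword is an empty slot */
        return 0;
    return ObjectFromLowValue(entry[0]);
}

/* Constructed level-2 table: one top page, two mid pages, two low pages. */
static uint64_t  g_low[2][LOW_ENTRIES * 2];
static uintptr_t g_mid[2][PTRS_PER_PAGE];
static uintptr_t g_top[PTRS_PER_PAGE];

static uint64_t BuildModelTableCode(void)
{
    memset(g_low, 0, sizeof g_low);
    memset(g_mid, 0, sizeof g_mid);
    memset(g_top, 0, sizeof g_top);
    g_top[0]     = (uintptr_t)g_mid[0];
    g_top[1]     = (uintptr_t)g_mid[1];
    g_mid[0][1]  = (uintptr_t)g_low[0];   /* PID 1234   -> idx 308:    top 0, mid 1,  low 52  */
    g_mid[1][73] = (uintptr_t)g_low[1];   /* PID 600000 -> idx 150000: top 1, mid 73, low 240 */
    g_low[0][52 * 2]  = LowValueFromObject(0xFFFFA80012345670ull, 1, 0);  /* made-up _EPROCESS */
    g_low[1][240 * 2] = LowValueFromObject(0xFFFFC10087654320ull, 1, 0);  /* made-up _EPROCESS */
    return (uint64_t)(uintptr_t)g_top | 2u;   /* level 2 */
}

int main(void)
{
    uint64_t tc = BuildModelTableCode();
    printf("PID 1234   -> %llx\n", (unsigned long long)LookupObject(tc, 1234));
    printf("PID 600000 -> %llx\n", (unsigned long long)LookupObject(tc, 600000));
    printf("PID 1238   -> %llx (empty slot)\n", (unsigned long long)LookupObject(tc, 1238));
    return 0;
}
```

The mid-level and top-level pages are arrays of pointers, so the slot stride there is 8; only the lowest level uses the 16-byte entry stride. A third level is needed once the index exceeds 256 × 512, i.e. PIDs and TIDs above 524288, which a long-running server does reach.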

References

  • Windows Internals, Part 1, 7th edition
  • Windows 内核原理与实现