内核模式下的等待
KeWaitForSingleObject() 和 KeWaitForMultipleObjects()
NTSTATUS
KeWaitForSingleObject(
IN PVOID Object, //同步对象的指针
IN KWAIT_REASON WaitReason, //等待的原因,一般为Executive
IN KPROCESSOR_MODE WaitMode, //等待模式,说明是在用户模式还是在内核模式下等待,一般为KernelMode
IN BOOLEAN Alertable, //指明等待是否是可提醒的,一般为FALSE
IN PLARGE_INTEGER Timeout OPTIONAL //等待的时间,为NULL表示永久等待
);
如果等待的同步对象变为激发态,这个函数会退出睡眠状态,并返回STATUS_SUCCESS。如果是因为超时而退出,会返回STATUS_TIMEOUT。
NTSTATUS
KeWaitForMultipleObjects(
IN ULONG Count, //等待同步对象的个数
IN PVOID Object[], //同步对象数组
IN WAIT_TYPE WaitType, //指示等待一个还是等待所有
IN KWAIT_REASON WaitReason,
IN KPROCESSOR_MODE WaitMode,
IN BOOLEAN Alertable,
IN PLARGE_INTEGER Timeout OPTIONAL,
IN PKWAIT_BLOCK WaitBlockArray OPTIONAL
);
如果是因为超时而退出,会返回STATUS_TIMEOUT。如果是因为数组中其中一个同步对象变为激发态,这个函数返回的状态码减去STATUS_WAIT_0,就是激发同步对象在数组中的索引号。
内核模式下的事件对象
在内核中,用KEVENT数据结构表示一个事件对象,在使用前需要用KeInitializeEvent对其进行初始化。
KeSetEvent将指定的事件对象设置为受信状态(如果该事件还没有被通知),并返回该事件对象的前一状态。
KeResetEvent将指定的事件对象重置为未受信状态,并返回该事件对象的前一状态。
typedef struct _KEVENT {
DISPATCHER_HEADER Header;
} KEVENT, *PKEVENT, *RESTRICTED_POINTER PRKEVENT;
typedef enum _EVENT_TYPE
{
NotificationEvent, //通知事件,当事件对象变为受信状态时,程序员需要手动将其改回未受信状态。
SynchronizationEvent //同步事件,当事件对象变为受信状态时,如遇到KeWaitForXX等内核函数,事件对象将自动变回未受信状态。
} EVENT_TYPE;
VOID
KeInitializeEvent(
IN PRKEVENT Event, //事件对象的指针
IN EVENT_TYPE Type, //事件类型,NotificationEvent或SynchronizationEvent
IN BOOLEAN State) //TRUE表示初始化状态为受信状态,FALSE表示初始化为未受信状态
{
Event->Header.Type = Type;
Event->Header.Size = sizeof(KEVENT) / sizeof(ULONG);
Event->Header.SignalState = State;
InitializeListHead(&(Event->Header.WaitListHead));
}
LONG
KeSetEvent (
IN PRKEVENT Event,
IN KPRIORITY Increment,
IN BOOLEAN Wait
);
LONG
KeResetEvent (
IN PRKEVENT Event
);
内核模式下的LIST_ENTRY
每个双向链表都是以一个链表头作为链表的第一个元素。初次使用链表头需要用InitializeListHead进行初始化,主要将链表头的Flink和Blink两个指针都指向自己,这意味着链表头所代表的链是空链。
// 初始化链表头
void InitializeListHead(
PLIST_ENTRY ListHead
);
// InitializeListHead的实现
#define InitializeListHead(ListHead) (\
(ListHead)->Flink = (ListHead)->Blink = (ListHead))
// 在双向链表中插入/删除项,InsertHeadList、InsertTailList、RemoveHeadList、RemoveTailList
VOID
InsertHeadList(
IN PLIST_ENTRY ListHead,
IN PLIST_ENTRY Entry
);
PLIST_ENTRY
RemoveHeadList(
IN PLIST_ENTRY ListHead
);
// 以原子方式插入/删除,在函数前加ExInterlocked
PLIST_ENTRY
ExInterlockedInsertTailList (
IN PLIST_ENTRY ListHead,
IN PLIST_ENTRY ListEntry,
IN PKSPIN_LOCK Lock
);
PLIST_ENTRY
ExInterlockedRemoveHeadList (
IN PLIST_ENTRY ListHead,
IN PKSPIN_LOCK Lock
);
当我们自定义结构的第一个字段是LIST_ENTRY时,可以直接将其强转;第一个字段不是LIST_ENTRY时,可以用宏CONTAINING_RECORD。但是DDK建议无论自定义数据结构的第一个字段是否为ListEntry,都最好用CONTAINING_RECORD。
它的第二参数是一个结构体名称,第三参数是结构体中的某一个成员,第一参数是该成员的地址,返回值是结构体的首地址。
#define CONTAINING_RECORD(address, type, field) (\
(type *)(((ULONG_PTR)address) - (ULONG_PTR)(&(((type *)0)->field))))
例如:大结构体是BIG,已知当前对象的v2地址是ListEntry,
typedef struct BIG
{
int v1;
LIST_ENYRT v2;
}BIG;
则结构体的首地址为:CONTAINING_RECORD(ListEntry, BIG, v2);
自旋锁
自旋锁(Spin Lock)是内核模式下的一种同步处理机制,它能保证某个资源只能被一个线程所拥有。
初始化自旋锁时,处于解锁状态,这时它可以被程序获取。被获取后自旋锁处于锁住状态,不能被再次获取。如果这时有程序申请获取这个自旋锁,程序则处于自旋状态(它会不停地询问是否可以获得自旋锁)。
// 初始化自旋锁
VOID
KeInitializeSpinLock(IN PKSPIN_LOCK SpinLock)
{
*SpinLock = 0;
}
// 申请自旋锁
VOID
KeAcquireSpinLock(
IN PKSPIN_LOCK SpinLock,
OUT PKIRQL OldIrql //记录获得自旋锁之前的IRQL
);
// 释放自旋锁
VOID
KeReleaseSpinLock(
IN PKSPIN_LOCK SpinLock,
IN KIRQL NewIrql
);
驱动程序必须在低于或等于DISPATCH_LEVEL的IRQL级别中使用自旋锁。如果在DISPATCH_LEVEL级别申请自旋锁,不会改变IRQL级别。这时,申请自旋锁可以用KeAcquireSpinLockAtDpcLevel,释放自旋锁用KeReleaseSpinLockFromDpcLevel。
内核中的进程结构EPROCESS
- 获得进程EPROCESS的方法:
// 通过进程ID获得进程EPROCESS
NTSTATUS
PsLookupProcessByProcessId(
IN HANDLE ProcessId,
OUT PEPROCESS *Process
);
// 获得当前进程的EPROCESS
#define PsGetCurrentProcess _PsGetCurrentProcess
PEPROCESS
_PsGetCurrentProcess(VOID)
{
return (PEPROCESS)KeGetCurrentThread()->ApcState.Process;
}
- 通过进程EPROCESS获得进程ID:
HANDLE
PsGetProcessId(PEPROCESS Process)
{
return (HANDLE)Process->UniqueProcessId;
}
- 通过EPROCESS结构遍历进程列表:
所有进程的EPROCESS结构都有一个成员ActiveProcessLinks,它是LIST_ENTRY类型,共同维护一个双向链表,链表头是PsActiveProcessHead,它是系统导出的全局变量。
通过**extern LIST_ENTRY PsActiveProcessHead; **声明后即可使用。
Ring3层枚举进程的时候,通过遍历这个链表获得进程列表。将某一进程的EPROCRSS从链表中摘掉可以达到隐藏该进程的目的。
- 通过KPROCESS结构遍历该进程下的线程列表:
一个进程下的所有线程也都被放入一个双向链表,其中,链表头是KPROCESS->ThreadListHead,链表项是每个线程的KTHREAD->ThreadListEntry。
- EPROCESS的第一个成员是KPROCESS结构,结构成员及偏移如下:
0: kd> dt _EPROCESS
nt!_EPROCESS
+0x000 Pcb : _KPROCESS
0: kd> dt _KPROCESS
nt!_KPROCESS
+0x000 Header : _DISPATCHER_HEADER
+0x010 ProfileListHead : _LIST_ENTRY
+0x018 DirectoryTableBase : Uint4B //页面映射表的基地址
+0x01c LdtDescriptor : _KGDTENTRY
+0x024 Int21Descriptor : _KIDTENTRY
+0x02c ThreadListHead : _LIST_ENTRY //线程链表头
+0x034 ProcessLock : Uint4B
+0x038 Affinity : _KAFFINITY_EX
+0x044 ReadyListHead : _LIST_ENTRY
+0x04c SwapListEntry : _SINGLE_LIST_ENTRY
+0x050 ActiveProcessors : _KAFFINITY_EX
+0x05c AutoAlignment : Pos 0, 1 Bit
+0x05c DisableBoost : Pos 1, 1 Bit
+0x05c DisableQuantum : Pos 2, 1 Bit
+0x05c ActiveGroupsMask : Pos 3, 1 Bit
+0x05c ReservedFlags : Pos 4, 28 Bits
+0x05c ProcessFlags : Int4B
+0x060 BasePriority : Char
+0x061 QuantumReset : Char
+0x062 Visited : UChar
+0x063 Unused3 : UChar
+0x064 ThreadSeed : [1] Uint4B
+0x068 IdealNode : [1] Uint2B
+0x06a IdealGlobalNode : Uint2B
+0x06c Flags : _KEXECUTE_OPTIONS
+0x06d Unused1 : UChar
+0x06e IopmOffset : Uint2B
+0x070 Unused4 : Uint4B
+0x074 StackCount : _KSTACK_COUNT //进程挂靠嵌套深度
+0x078 ProcessListEntry : _LIST_ENTRY
+0x080 CycleTime : Uint8B
+0x088 KernelTime : Uint4B
+0x08c UserTime : Uint4B
+0x090 VdmTrapcHandler : Ptr32 Void
+0x098 ProcessLock : _EX_PUSH_LOCK
+0x0a0 CreateTime : _LARGE_INTEGER
+0x0a8 ExitTime : _LARGE_INTEGER
+0x0b0 RundownProtect : _EX_RUNDOWN_REF
+0x0b4 UniqueProcessId : Ptr32 Void //进程的PID
+0x0b8 ActiveProcessLinks : _LIST_ENTRY //系统中所有进程的EPROCESS形成的双向链表
+0x0c0 ProcessQuotaUsage : [2] Uint4B
+0x0c8 ProcessQuotaPeak : [2] Uint4B
+0x0d0 CommitCharge : Uint4B
+0x0d4 QuotaBlock : Ptr32 _EPROCESS_QUOTA_BLOCK
+0x0d8 CpuQuotaBlock : Ptr32 _PS_CPU_QUOTA_BLOCK
+0x0dc PeakVirtualSize : Uint4B
+0x0e0 VirtualSize : Uint4B
+0x0e4 SessionProcessLinks : _LIST_ENTRY
+0x0ec DebugPort : Ptr32 Void //调试端口,设置为0表示禁止进程被调试
+0x0f0 ExceptionPortData : Ptr32 Void
+0x0f0 ExceptionPortValue : Uint4B
+0x0f0 ExceptionPortState : Pos 0, 3 Bits
+0x0f4 ObjectTable : Ptr32 _HANDLE_TABLE //句柄表
+0x0f8 Token : _EX_FAST_REF //进程的权限token
+0x0fc WorkingSetPage : Uint4B
+0x100 AddressCreationLock : _EX_PUSH_LOCK
+0x104 RotateInProgress : Ptr32 _ETHREAD
+0x108 ForkInProgress : Ptr32 _ETHREAD
+0x10c HardwareTrigger : Uint4B
+0x110 PhysicalVadRoot : Ptr32 _MM_AVL_TABLE
+0x114 CloneRoot : Ptr32 Void
+0x118 NumberOfPrivatePages : Uint4B
+0x11c NumberOfLockedPages : Uint4B
+0x120 Win32Process : Ptr32 Void
+0x124 Job : Ptr32 _EJOB
+0x128 SectionObject : Ptr32 Void //exe映像
+0x12c SectionBaseAddress : Ptr32 Void
+0x130 Cookie : Uint4B
+0x134 Spare8 : Uint4B
+0x138 WorkingSetWatch : Ptr32 _PAGEFAULT_HISTORY
+0x13c Win32WindowStation : Ptr32 Void
+0x140 InheritedFromUniqueProcessId : Ptr32 Void //父进程ID
+0x144 LdtInformation : Ptr32 Void
+0x148 VdmObjects : Ptr32 Void
+0x14c ConsoleHostProcess : Uint4B
+0x150 DeviceMap : Ptr32 Void
+0x154 EtwDataSource : Ptr32 Void
+0x158 FreeTebHint : Ptr32 Void
+0x160 PageDirectoryPte : _HARDWARE_PTE
+0x160 Filler : Uint8B
+0x168 Session : Ptr32 Void
+0x16c ImageFileName : [15] UChar //进程ImageName
+0x17b PriorityClass : UChar
+0x17c JobLinks : _LIST_ENTRY
+0x184 LockedPagesList : Ptr32 Void
+0x188 ThreadListHead : _LIST_ENTRY //线程链表头
+0x190 SecurityPort : Ptr32 Void
+0x194 PaeTop : Ptr32 Void
+0x198 ActiveThreads : Uint4B
+0x19c ImagePathHash : Uint4B
+0x1a0 DefaultHardErrorProcessing : Uint4B
+0x1a4 LastThreadExitStatus : Int4B
+0x1a8 Peb : Ptr32 _PEB //进程环境块,指向用户空间的PEB结构
+0x1ac PrefetchTrace : _EX_FAST_REF
+0x1b0 ReadOperationCount : _LARGE_INTEGER
+0x1b8 WriteOperationCount : _LARGE_INTEGER
+0x1c0 OtherOperationCount : _LARGE_INTEGER
+0x1c8 ReadTransferCount : _LARGE_INTEGER
+0x1d0 WriteTransferCount : _LARGE_INTEGER
+0x1d8 OtherTransferCount : _LARGE_INTEGER
+0x1e0 CommitChargeLimit : Uint4B
+0x1e4 CommitChargePeak : Uint4B
+0x1e8 AweInfo : Ptr32 Void
+0x1ec SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO
+0x1f0 Vm : _MMSUPPORT
+0x25c MmProcessLinks : _LIST_ENTRY
+0x264 HighestUserAddress : Ptr32 Void
+0x268 ModifiedPageCount : Uint4B
+0x26c Flags2 : Uint4B
+0x26c JobNotReallyActive : Pos 0, 1 Bit
+0x26c AccountingFolded : Pos 1, 1 Bit
+0x26c NewProcessReported : Pos 2, 1 Bit
+0x26c ExitProcessReported : Pos 3, 1 Bit
+0x26c ReportCommitChanges : Pos 4, 1 Bit
+0x26c LastReportMemory : Pos 5, 1 Bit
+0x26c ReportPhysicalPageChanges : Pos 6, 1 Bit
+0x26c HandleTableRundown : Pos 7, 1 Bit
+0x26c NeedsHandleRundown : Pos 8, 1 Bit
+0x26c RefTraceEnabled : Pos 9, 1 Bit
+0x26c NumaAware : Pos 10, 1 Bit
+0x26c ProtectedProcess : Pos 11, 1 Bit
+0x26c DefaultPagePriority : Pos 12, 3 Bits
+0x26c PrimaryTokenFrozen : Pos 15, 1 Bit
+0x26c ProcessVerifierTarget : Pos 16, 1 Bit
+0x26c StackRandomizationDisabled : Pos 17, 1 Bit
+0x26c AffinityPermanent : Pos 18, 1 Bit
+0x26c AffinityUpdateEnable : Pos 19, 1 Bit
+0x26c PropagateNode : Pos 20, 1 Bit
+0x26c ExplicitAffinity : Pos 21, 1 Bit
+0x26c Spare1 : Pos 22, 1 Bit
+0x26c ForceRelocateImages : Pos 23, 1 Bit
+0x26c DisallowStrippedImages : Pos 24, 1 Bit
+0x26c LowVaAccessible : Pos 25, 1 Bit
+0x270 Flags : Uint4B
+0x270 CreateReported : Pos 0, 1 Bit
+0x270 NoDebugInherit : Pos 1, 1 Bit
+0x270 ProcessExiting : Pos 2, 1 Bit
+0x270 ProcessDelete : Pos 3, 1 Bit
+0x270 Wow64SplitPages : Pos 4, 1 Bit
+0x270 VmDeleted : Pos 5, 1 Bit
+0x270 OutswapEnabled : Pos 6, 1 Bit
+0x270 Outswapped : Pos 7, 1 Bit
+0x270 ForkFailed : Pos 8, 1 Bit
+0x270 Wow64VaSpace4Gb : Pos 9, 1 Bit
+0x270 AddressSpaceInitialized : Pos 10, 2 Bits
+0x270 SetTimerResolution : Pos 12, 1 Bit
+0x270 BreakOnTermination : Pos 13, 1 Bit
+0x270 DeprioritizeViews : Pos 14, 1 Bit
+0x270 WriteWatch : Pos 15, 1 Bit
+0x270 ProcessInSession : Pos 16, 1 Bit
+0x270 OverrideAddressSpace : Pos 17, 1 Bit
+0x270 HasAddressSpace : Pos 18, 1 Bit
+0x270 LaunchPrefetched : Pos 19, 1 Bit
+0x270 InjectInpageErrors : Pos 20, 1 Bit
+0x270 VmTopDown : Pos 21, 1 Bit
+0x270 ImageNotifyDone : Pos 22, 1 Bit
+0x270 PdeUpdateNeeded : Pos 23, 1 Bit
+0x270 VdmAllowed : Pos 24, 1 Bit
+0x270 CrossSessionCreate : Pos 25, 1 Bit
+0x270 ProcessInserted : Pos 26, 1 Bit
+0x270 DefaultIoPriority : Pos 27, 3 Bits
+0x270 ProcessSelfDelete : Pos 30, 1 Bit
+0x270 SetTimerResolutionLink : Pos 31, 1 Bit
+0x274 ExitStatus : Int4B
+0x278 VadRoot : _MM_AVL_TABLE //指向进程的用户空间
+0x298 AlpcContext : _ALPC_PROCESS_CONTEXT
+0x2a8 TimerResolutionLink : _LIST_ENTRY
+0x2b0 RequestedTimerResolution : Uint4B
+0x2b4 ActiveThreadsHighWatermark : Uint4B
+0x2b8 SmallestTimerResolution : Uint4B
+0x2bc TimerResolutionStackRecord : Ptr32 _PO_DIAG_STACK_RECORD
内核中的线程结构ETHREAD
- 获得线程ETHREAD的方法:
#define PsGetCurrentThread() GetCurrentThreadId()
DWORD
GetCurrentThreadId(VOID)
{
return HandleToUlong(NtCurrentTeb()->ClientId.UniqueThread);
}
- 内核中创建和终止线程
NTSTATUS
PsCreateSystemThread(
OUT PHANDLE ThreadHandle, //线程句柄
IN ACCESS_MASK DesiredAccess, //创建的权限
IN POBJECT_ATTRIBUTES ObjectAttributes, //线程属性,一般为NULL
IN HANDLE ProcessHandle, //指定是用户线程(该值是一个进程句柄)还是系统线程(该值为NULL)
IN PCLIENT_ID ClientId, //NULL
IN PKSTART_ROUTINE StartRoutine,//新线程的运行地址
IN PVOID StartContext //新线程接受的参数
);
NTSTATUS
PsTerminateSystemThread(
IN NTSTATUS ExitStatus
);
// 例如
// 创建用户线程
Status = PsCreateSystemThread(&ThreadHandle, 0, NULL, NtCurrentProcess(), NULL, UserThread, NULL);
// 创建内核线程
Status = PsCreateSystemThread(&ThreadHandle, 0, NULL, NULL, NULL, SystemThread, NULL);
- ETHREAD的第一个成员是KTHREAD结构,结构成员及偏移如下:
0: kd> dt _ETHREAD
nt!_ETHREAD
+0x000 Tcb : _KTHREAD
0: kd> dt _KTHREAD
nt!_KTHREAD
+0x000 Header : _DISPATCHER_HEADER
+0x010 CycleTime : Uint8B
+0x018 HighCycleTime : Uint4B
+0x020 QuantumTarget : Uint8B
+0x028 InitialStack : Ptr32 Void
+0x02c StackLimit : Ptr32 Void
+0x030 KernelStack : Ptr32 Void
+0x034 ThreadLock : Uint4B
+0x038 WaitRegister : _KWAIT_STATUS_REGISTER
+0x039 Running : UChar
+0x03a Alerted : [2] UChar //可提醒标志位
+0x03c KernelStackResident : Pos 0, 1 Bit
+0x03c ReadyTransition : Pos 1, 1 Bit
+0x03c ProcessReadyQueue : Pos 2, 1 Bit
+0x03c WaitNext : Pos 3, 1 Bit
+0x03c SystemAffinityActive : Pos 4, 1 Bit
+0x03c Alertable : Pos 5, 1 Bit
+0x03c GdiFlushActive : Pos 6, 1 Bit
+0x03c UserStackWalkActive : Pos 7, 1 Bit
+0x03c ApcInterruptRequest : Pos 8, 1 Bit
+0x03c ForceDeferSchedule : Pos 9, 1 Bit
+0x03c QuantumEndMigrate : Pos 10, 1 Bit
+0x03c UmsDirectedSwitchEnable : Pos 11, 1 Bit
+0x03c TimerActive : Pos 12, 1 Bit
+0x03c SystemThread : Pos 13, 1 Bit
+0x03c Reserved : Pos 14, 18 Bits
+0x03c MiscFlags : Int4B
+0x040 ApcState : _KAPC_STATE //APC队列
+0x040 ApcStateFill : [23] UChar
+0x057 Priority : Char //线程优先级
+0x058 NextProcessor : Uint4B
+0x05c DeferredProcessor : Uint4B
+0x060 ApcQueueLock : Uint4B
+0x064 ContextSwitches : Uint4B //线程的模式切换次数
+0x068 State : UChar
+0x069 NpxState : Char
+0x06a WaitIrql : UChar
+0x06b WaitMode : Char
+0x06c WaitStatus : Int4B
+0x070 WaitBlockList : Ptr32 _KWAIT_BLOCK //指向一个等待块队列
+0x074 WaitListEntry : _LIST_ENTRY
+0x074 SwapListEntry : _SINGLE_LIST_ENTRY
+0x07c Queue : Ptr32 _KQUEUE
+0x080 WaitTime : Uint4B
+0x084 KernelApcDisable : Int2B
+0x086 SpecialApcDisable : Int2B
+0x084 CombinedApcDisable : Uint4B
+0x088 Teb : Ptr32 Void //指向用户空间中的TEB
+0x090 Timer : _KTIMER
+0x0b8 AutoAlignment : Pos 0, 1 Bit
+0x0b8 DisableBoost : Pos 1, 1 Bit
+0x0b8 EtwStackTraceApc1Inserted : Pos 2, 1 Bit
+0x0b8 EtwStackTraceApc2Inserted : Pos 3, 1 Bit
+0x0b8 CalloutActive : Pos 4, 1 Bit
+0x0b8 ApcQueueable : Pos 5, 1 Bit
+0x0b8 EnableStackSwap : Pos 6, 1 Bit
+0x0b8 GuiThread : Pos 7, 1 Bit
+0x0b8 UmsPerformingSyscall : Pos 8, 1 Bit
+0x0b8 VdmSafe : Pos 9, 1 Bit
+0x0b8 UmsDispatched : Pos 10, 1 Bit
+0x0b8 ReservedFlags : Pos 11, 21 Bits
+0x0b8 ThreadFlags : Int4B
+0x0bc ServiceTable : Ptr32 Void
+0x0c0 WaitBlock : [4] _KWAIT_BLOCK //等待块数组,大小为4
+0x120 QueueListEntry : _LIST_ENTRY
+0x128 TrapFrame : Ptr32 _KTRAP_FRAME //自陷框架
+0x12c FirstArgument : Ptr32 Void
+0x130 CallbackStack : Ptr32 Void
+0x130 CallbackDepth : Uint4B
+0x134 ApcStateIndex : UChar
+0x135 BasePriority : Char
+0x136 PriorityDecrement : Char
+0x136 ForegroundBoost : Pos 0, 4 Bits
+0x136 UnusualBoost : Pos 4, 4 Bits
+0x137 Preempted : UChar
+0x138 AdjustReason : UChar
+0x139 AdjustIncrement : Char
+0x13a PreviousMode : Char
+0x13b Saturation : Char
+0x13c SystemCallNumber : Uint4B
+0x140 FreezeCount : Uint4B
+0x144 UserAffinity : _GROUP_AFFINITY
+0x150 Process : Ptr32 _KPROCESS //当前线程所挂靠进程的KPROCESS
+0x154 Affinity : _GROUP_AFFINITY
+0x160 IdealProcessor : Uint4B
+0x164 UserIdealProcessor : Uint4B
+0x168 ApcStatePointer : [2] Ptr32 _KAPC_STATE
+0x170 SavedApcState : _KAPC_STATE
+0x170 SavedApcStateFill : [23] UChar
+0x187 WaitReason : UChar
+0x188 SuspendCount : Char
+0x189 Spare1 : Char
+0x18a OtherPlatformFill : UChar
+0x18c Win32Thread : Ptr32 Void
+0x190 StackBase : Ptr32 Void
+0x194 SuspendApc : _KAPC
+0x194 SuspendApcFill0 : [1] UChar
+0x195 ResourceIndex : UChar
+0x194 SuspendApcFill1 : [3] UChar
+0x197 QuantumReset : UChar
+0x194 SuspendApcFill2 : [4] UChar
+0x198 KernelTime : Uint4B
+0x194 SuspendApcFill3 : [36] UChar
+0x1b8 WaitPrcb : Ptr32 _KPRCB
+0x194 SuspendApcFill4 : [40] UChar
+0x1bc LegoData : Ptr32 Void
+0x194 SuspendApcFill5 : [47] UChar
+0x1c3 LargeStack : UChar
+0x1c4 UserTime : Uint4B
+0x1c8 SuspendSemaphore : _KSEMAPHORE
+0x1c8 SuspendSemaphorefill : [20] UChar
+0x1dc SListFaultCount : Uint4B
+0x1e0 ThreadListEntry : _LIST_ENTRY //双向链表
+0x1e8 MutantListHead : _LIST_ENTRY
+0x1f0 SListFaultAddress : Ptr32 Void
+0x1f4 ThreadCounters : Ptr32 _KTHREAD_COUNTERS
+0x1f8 XStateSave : Ptr32 _XSTATE_SAVE
+0x200 CreateTime : _LARGE_INTEGER
+0x208 ExitTime : _LARGE_INTEGER
+0x208 KeyedWaitChain : _LIST_ENTRY
+0x210 ExitStatus : Int4B
+0x214 PostBlockList : _LIST_ENTRY
+0x214 ForwardLinkShadow : Ptr32 Void
+0x218 StartAddress : Ptr32 Void //
+0x21c TerminationPort : Ptr32 _TERMINATION_PORT
+0x21c ReaperLink : Ptr32 _ETHREAD
+0x21c KeyedWaitValue : Ptr32 Void
+0x220 ActiveTimerListLock : Uint4B
+0x224 ActiveTimerListHead : _LIST_ENTRY
+0x22c Cid : _CLIENT_ID
+0x234 KeyedWaitSemaphore : _KSEMAPHORE
+0x234 AlpcWaitSemaphore : _KSEMAPHORE
+0x248 ClientSecurity : _PS_CLIENT_SECURITY_CONTEXT
+0x24c IrpList : _LIST_ENTRY
+0x254 TopLevelIrp : Uint4B
+0x258 DeviceToVerify : Ptr32 _DEVICE_OBJECT
+0x25c CpuQuotaApc : Ptr32 _PSP_CPU_QUOTA_APC
+0x260 Win32StartAddress : Ptr32 Void
+0x264 LegacyPowerObject : Ptr32 Void
+0x268 ThreadListEntry : _LIST_ENTRY //线程链表项
+0x270 RundownProtect : _EX_RUNDOWN_REF
+0x274 ThreadLock : _EX_PUSH_LOCK
+0x278 ReadClusterSize : Uint4B
+0x27c MmLockOrdering : Int4B
+0x280 CrossThreadFlags : Uint4B
+0x280 Terminated : Pos 0, 1 Bit
+0x280 ThreadInserted : Pos 1, 1 Bit
+0x280 HideFromDebugger : Pos 2, 1 Bit
+0x280 ActiveImpersonationInfo : Pos 3, 1 Bit
+0x280 Reserved : Pos 4, 1 Bit
+0x280 HardErrorsAreDisabled : Pos 5, 1 Bit
+0x280 BreakOnTermination : Pos 6, 1 Bit
+0x280 SkipCreationMsg : Pos 7, 1 Bit
+0x280 SkipTerminationMsg : Pos 8, 1 Bit
+0x280 CopyTokenOnOpen : Pos 9, 1 Bit
+0x280 ThreadIoPriority : Pos 10, 3 Bits
+0x280 ThreadPagePriority : Pos 13, 3 Bits
+0x280 RundownFail : Pos 16, 1 Bit
+0x280 NeedsWorkingSetAging : Pos 17, 1 Bit
+0x284 SameThreadPassiveFlags : Uint4B
+0x284 ActiveExWorker : Pos 0, 1 Bit
+0x284 ExWorkerCanWaitUser : Pos 1, 1 Bit
+0x284 MemoryMaker : Pos 2, 1 Bit
+0x284 ClonedThread : Pos 3, 1 Bit
+0x284 KeyedEventInUse : Pos 4, 1 Bit
+0x284 RateApcState : Pos 5, 2 Bits
+0x284 SelfTerminate : Pos 7, 1 Bit
+0x288 SameThreadApcFlags : Uint4B
+0x288 Spare : Pos 0, 1 Bit
+0x288 StartAddressInvalid : Pos 1, 1 Bit
+0x288 EtwPageFaultCalloutActive : Pos 2, 1 Bit
+0x288 OwnsProcessWorkingSetExclusive : Pos 3, 1 Bit
+0x288 OwnsProcessWorkingSetShared : Pos 4, 1 Bit
+0x288 OwnsSystemCacheWorkingSetExclusive : Pos 5, 1 Bit
+0x288 OwnsSystemCacheWorkingSetShared : Pos 6, 1 Bit
+0x288 OwnsSessionWorkingSetExclusive : Pos 7, 1 Bit
+0x289 OwnsSessionWorkingSetShared : Pos 0, 1 Bit
+0x289 OwnsProcessAddressSpaceExclusive : Pos 1, 1 Bit
+0x289 OwnsProcessAddressSpaceShared : Pos 2, 1 Bit
+0x289 SuppressSymbolLoad : Pos 3, 1 Bit
+0x289 Prefetching : Pos 4, 1 Bit
+0x289 OwnsDynamicMemoryShared : Pos 5, 1 Bit
+0x289 OwnsChangeControlAreaExclusive : Pos 6, 1 Bit
+0x289 OwnsChangeControlAreaShared : Pos 7, 1 Bit
+0x28a OwnsPagedPoolWorkingSetExclusive : Pos 0, 1 Bit
+0x28a OwnsPagedPoolWorkingSetShared : Pos 1, 1 Bit
+0x28a OwnsSystemPtesWorkingSetExclusive : Pos 2, 1 Bit
+0x28a OwnsSystemPtesWorkingSetShared : Pos 3, 1 Bit
+0x28a TrimTrigger : Pos 4, 2 Bits
+0x28a Spare1 : Pos 6, 2 Bits
+0x28b PriorityRegionActive : UChar
+0x28c CacheManagerActive : UChar
+0x28d DisablePageFaultClustering : UChar
+0x28e ActiveFaultCount : UChar
+0x28f LockOrderState : UChar
+0x290 AlpcMessageId : Uint4B
+0x294 AlpcMessage : Ptr32 Void
+0x294 AlpcReceiveAttributeSet : Uint4B
+0x298 AlpcWaitListEntry : _LIST_ENTRY
+0x2a0 CacheManagerCount : Uint4B
+0x2a4 IoBoostCount : Uint4B
+0x2a8 IrpListLock : Uint4B
+0x2ac ReservedForSynchTracking : Ptr32 Void
+0x2b0 CmCallbackListHead : _SINGLE_LIST_ENTRY
+0x2b4 KernelStackReference : Uint4B