Windows 2000内核KPEB/KTEB详细结构(http://webcrazy.yeah.net/)
Windows 2000内核KPEB/KTEB详细结构 WebCrazy(http://webcrazy.yeah.net/) EPROCESS与ETHREAD结构在Windows NT/2000内核的地位是不言而喻的。他们结构中的成员包含了内核的方方面面,是两个比较大的结构。在Windows 2000 Server Build 2195 Free Kernel中他们的大小分别达到648与584字节。在先前我提供的部分应用都大量引用了这两个结构。具体可以参考“网站导航”。应部分网友的要求,这儿我将他们的详细结构列于底下。 结构来源: Microsoft Windbg的extension kdex2x86.dll 这个Kernel Debugger Extensions包含的结构不仅仅有EPROCESS/ETHREAD,还有EJOB等很多内部数据结构。所列的格式并非C语言格式,只是提供了结构成员的偏移量与成员名及成员类型。详细资料请参阅Microsoft提供的Windows NT/2000 OEM Support Tools Documentation。 关于Windbg的使用请翻阅Microsoft相关文档。 > !listexts Default extension: D:/Program Files/Debuggers/bin/w2kfre/kdex2x86 kdex2x86 loaded D:/Program Files/Debuggers/bin/w2kfre/kdex2x86 > !kdex2x86.version Free Extension dll for build 2195 debugging Free kernel for build 2195 > !kdex2x86.strct EPROCESS struct _EPROCESS (sizeof=648) +000 struct _KPROCESS Pcb +000 struct _DISPATCHER_HEADER Header +000 byte Type +001 byte Absolute +002 byte Size +003 byte Inserted +004 int32 SignalState +008 struct _LIST_ENTRY WaitListHead +008 struct _LIST_ENTRY *Flink +00c struct _LIST_ENTRY *Blink +010 struct _LIST_ENTRY ProfileListHead +010 struct _LIST_ENTRY *Flink +014 struct _LIST_ENTRY *Blink +018 uint32 DirectoryTableBase[2] +020 struct _KGDTENTRY LdtDescriptor +020 uint16 LimitLow +022 uint16 BaseLow +024 union __unnamed9 HighWord +024 struct __unnamed10 Bytes +024 byte BaseMid +025 byte Flags1 +026 byte Flags2 +027 byte BaseHi +024 struct __unnamed11 Bits +024 bits0-7 BaseMid +024 bits8-12 Type +024 bits13-14 Dpl +024 bits15-15 Pres +024 bits16-19 LimitHi +024 bits20-20 Sys +024 bits21-21 Reserved_0 +024 bits22-22 Default_Big +024 bits23-23 Granularity +024 bits24-31 BaseHi +028 struct _KIDTENTRY Int21Descriptor +028 uint16 Offset +02a uint16 Selector +02c uint16 Access +02e uint16 ExtendedOffset +030 uint16 IopmOffset +032 byte Iopl +033 byte VdmFlag +034 uint32 ActiveProcessors +038 uint32 KernelTime +03c uint32 UserTime +040 struct _LIST_ENTRY ReadyListHead +040 struct _LIST_ENTRY *Flink +044 struct _LIST_ENTRY 
*Blink +048 struct _LIST_ENTRY SwapListEntry +048 struct _LIST_ENTRY *Flink +04c struct _LIST_ENTRY *Blink +050 struct _LIST_ENTRY ThreadListHead +050 struct _LIST_ENTRY *Flink +054 struct _LIST_ENTRY *Blink +058 uint32 ProcessLock +05c uint32 Affinity +060 uint16 StackCount +062 char BasePriority +063 char ThreadQuantum +064 byte AutoAlignment +065 byte State +066 byte ThreadSeed +067 byte DisableBoost +068 byte PowerState +069 byte DisableQuantum +06a byte Spare[2] +06c int32 ExitStatus +070 struct _KEVENT LockEvent +070 struct _DISPATCHER_HEADER Header +070 byte Type +071 byte Absolute +072 byte Size +073 byte Inserted +074 int32 SignalState +078 struct _LIST_ENTRY WaitListHead +078 struct _LIST_ENTRY *Flink +07c struct _LIST_ENTRY *Blink +080 uint32 LockCount +088 union _LARGE_INTEGER CreateTime +088 uint32 LowPart +08c int32 HighPart +088 struct __unnamed3 u +088 uint32 LowPart +08c int32 HighPart +088 int64 QuadPart +090 union _LARGE_INTEGER ExitTime +090 uint32 LowPart +094 int32 HighPart +090 struct __unnamed3 u +090 uint32 LowPart +094 int32 HighPart +090 int64 QuadPart +098 struct _KTHREAD *LockOwner +09c void *UniqueProcessId +0a0 struct _LIST_ENTRY ActiveProcessLinks +0a0 struct _LIST_ENTRY *Flink +0a4 struct _LIST_ENTRY *Blink +0a8 uint32 QuotaPeakPoolUsage[2] +0b0 uint32 QuotaPoolUsage[2] +0b8 uint32 PagefileUsage +0bc uint32 CommitCharge +0c0 uint32 PeakPagefileUsage +0c4 uint32 PeakVirtualSize +0c8 uint32 VirtualSize +0d0 struct _MMSUPPORT Vm +0d0 union _LARGE_INTEGER LastTrimTime +0d0 uint32 LowPart +0d4 int32 HighPart +0d0 struct __unnamed3 u +0d0 uint32 LowPart +0d4 int32 HighPart +0d0 int64 QuadPart +0d8 uint32 LastTrimFaultCount +0dc uint32 PageFaultCount +0e0 uint32 PeakWorkingSetSize +0e4 uint32 WorkingSetSize +0e8 uint32 MinimumWorkingSetSize +0ec uint32 MaximumWorkingSetSize +0f0 *VmWorkingSetList +0f4 struct _LIST_ENTRY WorkingSetExpansionLinks +0f4 struct _LIST_ENTRY *Flink +0f8 struct _LIST_ENTRY *Blink +0fc byte 
AllowWorkingSetAdjustment +0fd byte AddressSpaceBeingDeleted +0fe byte ForegroundSwitchCount +0ff byte MemoryPriority +100 union __unnamed13 u +100 uint32 LongFlags +100 struct _MMSUPPORT_FLAGS Flags +100 bits0-0 SessionSpace +100 bits1-1 BeingTrimmed +100 bits2-2 ProcessInSession +100 bits3-3 SessionLeader +100 bits4-4 TrimHard +100 bits5-5 WorkingSetHard +100 bits6-6 WriteWatch +100 bits7-31 Filler +104 uint32 Claim +108 uint32 NextEstimationSlot +10c uint32 NextAgingSlot +110 uint32 EstimatedAvailable +114 uint32 GrowthSinceLastEstimate +118 struct _LIST_ENTRY SessionProcessLinks +118 struct _LIST_ENTRY *Flink +11c struct _LIST_ENTRY *Blink +120 void *DebugPort +124 void *ExceptionPort +128 struct _HANDLE_TABLE *ObjectTable +12c void *Token +130 struct _FAST_MUTEX WorkingSetLock +130 int32 Count +134 struct _KTHREAD *Owner +138 uint32 Contention +13c struct _KEVENT Event +13c struct _DISPATCHER_HEADER Header +13c byte Type +13d byte Absolute +13e byte Size +13f byte Inserted +140 int32 SignalState +144 struct _LIST_ENTRY WaitListHead +144 struct _LIST_ENTRY *Flink +148 struct _LIST_ENTRY *Blink +14c uint32 OldIrql +150 uint32 WorkingSetPage +154 byte ProcessOutswapEnabled +155 byte ProcessOutswapped +156 byte AddressSpaceInitialized +157 byte AddressSpaceDeleted +158 struct _FAST_MUTEX AddressCreationLock +158 int32 Count +15c struct _KTHREAD *Owner +160 uint32 Contention +164 struct _KEVENT Event +164 struct _DISPATCHER_HEADER Header +164 byte Type +165 byte Absolute +166 byte Size +167 byte Inserted +168 int32 SignalState +16c struct _LIST_ENTRY WaitListHead +16c struct _LIST_ENTRY *Flink +170 struct _LIST_ENTRY *Blink +174 uint32 OldIrql +178 uint32 HyperSpaceLock +17c struct _ETHREAD *ForkInProgress +180 uint16 VmOperation +182 byte ForkWasSuccessful +183 byte MmAgressiveWsTrimMask +184 struct _KEVENT *VmOperationEvent +188 void *PaeTop +18c uint32 LastFaultCount +190 uint32 ModifiedPageCount +194 void *VadRoot +198 void *VadHint +19c void *CloneRoot +1a0 
uint32 NumberOfPrivatePages +1a4 uint32 NumberOfLockedPages +1a8 uint16 NextPageColor +1aa byte ExitProcessCalled +1ab byte CreateProcessReported +1ac void *SectionHandle +1b0 struct _PEB *Peb +1b4 void *SectionBaseAddress +1b8 struct _EPROCESS_QUOTA_BLOCK *QuotaBlock +1bc int32 LastThreadExitStatus +1c0 struct _PAGEFAULT_HISTORY *WorkingSetWatch +1c4 void *Win32WindowStation +1c8 void *InheritedFromUniqueProcessId +1cc uint32 GrantedAccess +1d0 uint32 DefaultHardErrorProcessing +1d4 void *LdtInformation +1d8 void *VadFreeHint +1dc void *VdmObjects +1e0 void *DeviceMap +1e4 uint32 SessionId +1e8 struct _LIST_ENTRY PhysicalVadList +1e8 struct _LIST_ENTRY *Flink +1ec struct _LIST_ENTRY *Blink +1f0 struct _HARDWARE_PTE_X86 PageDirectoryPte +1f0 bits0-0 Valid +1f0 bits1-1 Write +1f0 bits2-2 Owner +1f0 bits3-3 WriteThrough +1f0 bits4-4 CacheDisable +1f0 bits5-5 Accessed +1f0 bits6-6 Dirty +1f0 bits7-7 LargePage +1f0 bits8-8 Global +1f0 bits9-9 CopyOnWrite +1f0 bits10-10 Prototype +1f0 bits11-11 reserved +1f0 bits12-31 PageFrameNumber +1f0 uint64 Filler +1f8 uint32 PaePageDirectoryPage +1fc byte ImageFileName[16] +20c uint32 VmTrimFaultValue +210 byte SetTimerResolution +211 byte PriorityClass +212 byte SubSystemMinorVersion +213 byte SubSystemMajorVersion +212 uint16 SubSystemVersion +214 void *Win32Process +218 struct _EJOB *Job +21c uint32 JobStatus +220 struct _LIST_ENTRY JobLinks +220 struct _LIST_ENTRY *Flink +224 struct _LIST_ENTRY *Blink +228 void *LockedPagesList +22c void *SecurityPort +230 struct _WOW64_PROCESS *Wow64Process +238 union _LARGE_INTEGER ReadOperationCount +238 uint32 LowPart +23c int32 HighPart +238 struct __unnamed3 u +238 uint32 LowPart +23c int32 HighPart +238 int64 QuadPart +240 union _LARGE_INTEGER WriteOperationCount +240 uint32 LowPart +244 int32 HighPart +240 struct __unnamed3 u +240 uint32 LowPart +244 int32 HighPart +240 int64 QuadPart +248 union _LARGE_INTEGER OtherOperationCount +248 uint32 LowPart +24c int32 HighPart +248 struct 
__unnamed3 u +248 uint32 LowPart +24c int32 HighPart +248 int64 QuadPart +250 union _LARGE_INTEGER ReadTransferCount +250 uint32 LowPart +254 int32 HighPart +250 struct __unnamed3 u +250 uint32 LowPart +254 int32 HighPart +250 int64 QuadPart +258 union _LARGE_INTEGER WriteTransferCount +258 uint32 LowPart +25c int32 HighPart +258 struct __unnamed3 u +258 uint32 LowPart +25c int32 HighPart +258 int64 QuadPart +260 union _LARGE_INTEGER OtherTransferCount +260 uint32 LowPart +264 int32 HighPart +260 struct __unnamed3 u +260 uint32 LowPart +264 int32 HighPart +260 int64 QuadPart +268 uint32 CommitChargeLimit +26c uint32 CommitChargePeak +270 struct _LIST_ENTRY ThreadListHead +270 struct _LIST_ENTRY *Flink +274 struct _LIST_ENTRY *Blink +278 struct _RTL_BITMAP *VadPhysicalPagesBitMap +27c uint32 VadPhysicalPages +280 uint32 AweLock > !kdex2x86.strct ETHREAD struct _ETHREAD (sizeof=584) +000 struct _KTHREAD Tcb +000 struct _DISPATCHER_HEADER Header +000 byte Type +001 byte Absolute +002 byte Size +003 byte Inserted +004 int32 SignalState +008 struct _LIST_ENTRY WaitListHead +008 struct _LIST_ENTRY *Flink +00c struct _LIST_ENTRY *Blink +010 struct _LIST_ENTRY MutantListHead +010 struct _LIST_ENTRY *Flink +014 struct _LIST_ENTRY *Blink +018 void *InitialStack +01c void *StackLimit +020 void *Teb +024 void *TlsArray +028 void *KernelStack +02c byte DebugActive +02d byte State +02e byte Alerted[2] +030 byte Iopl +031 byte NpxState +032 char Saturation +033 char Priority +034 struct _KAPC_STATE ApcState +034 struct _LIST_ENTRY ApcListHead[2] struct _LIST_ENTRY *Flink struct _LIST_ENTRY *Blink +044 struct _KPROCESS *Process +048 byte KernelApcInProgress +049 byte KernelApcPending +04a byte UserApcPending +04c uint32 ContextSwitches +050 int32 WaitStatus +054 byte WaitIrql +055 char WaitMode +056 byte WaitNext +057 byte WaitReason +058 struct _KWAIT_BLOCK *WaitBlockList +05c struct _LIST_ENTRY WaitListEntry +05c struct _LIST_ENTRY *Flink +060 struct _LIST_ENTRY *Blink +064 
uint32 WaitTime +068 char BasePriority +069 byte DecrementCount +06a char PriorityDecrement +06b char Quantum +06c struct _KWAIT_BLOCK WaitBlock[4] struct _LIST_ENTRY WaitListEntry struct _LIST_ENTRY *Flink struct _LIST_ENTRY *Blink struct _KTHREAD *Thread void *Object struct _KWAIT_BLOCK *NextWaitBlock uint16 WaitKey uint16 WaitType +0cc void *LegoData +0d0 uint32 KernelApcDisable +0d4 uint32 UserAffinity +0d8 byte SystemAffinityActive +0d9 byte PowerState +0da byte NpxIrql +0db byte Pad[1] +0dc void *ServiceTable +0e0 struct _KQUEUE *Queue +0e4 uint32 ApcQueueLock +0e8 struct _KTIMER Timer +0e8 struct _DISPATCHER_HEADER Header +0e8 byte Type +0e9 byte Absolute +0ea byte Size +0eb byte Inserted +0ec int32 SignalState +0f0 struct _LIST_ENTRY WaitListHead +0f0 struct _LIST_ENTRY *Flink +0f4 struct _LIST_ENTRY *Blink +0f8 union _ULARGE_INTEGER DueTime +0f8 uint32 LowPart +0fc uint32 HighPart +0f8 struct __unnamed12 u +0f8 uint32 LowPart +0fc uint32 HighPart +0f8 uint64 QuadPart +100 struct _LIST_ENTRY TimerListEntry +100 struct _LIST_ENTRY *Flink +104 struct _LIST_ENTRY *Blink +108 struct _KDPC *Dpc +10c int32 Period +110 struct _LIST_ENTRY QueueListEntry +110 struct _LIST_ENTRY *Flink +114 struct _LIST_ENTRY *Blink +118 uint32 Affinity +11c byte Preempted +11d byte ProcessReadyQueue +11e byte KernelStackResident +11f byte NextProcessor +120 void *CallbackStack +124 void *Win32Thread +128 struct _KTRAP_FRAME *TrapFrame +12c struct _KAPC_STATE *ApcStatePointer[2] +134 char PreviousMode +135 byte EnableStackSwap +136 byte LargeStack +137 byte ResourceIndex +138 uint32 KernelTime +13c uint32 UserTime +140 struct _KAPC_STATE SavedApcState +140 struct _LIST_ENTRY ApcListHead[2] struct _LIST_ENTRY *Flink struct _LIST_ENTRY *Blink +150 struct _KPROCESS *Process +154 byte KernelApcInProgress +155 byte KernelApcPending +156 byte UserApcPending +158 byte Alertable +159 byte ApcStateIndex +15a byte ApcQueueable +15b byte AutoAlignment +15c void *StackBase +160 struct _KAPC 
SuspendApc +160 int16 Type +162 int16 Size +164 uint32 Spare0 +168 struct _KTHREAD *Thread +16c struct _LIST_ENTRY ApcListEntry +16c struct _LIST_ENTRY *Flink +170 struct _LIST_ENTRY *Blink +174 function *KernelRoutine +178 function *RundownRoutine +17c function *NormalRoutine +180 void *NormalContext +184 void *SystemArgument1 +188 void *SystemArgument2 +18c char ApcStateIndex +18d char ApcMode +18e byte Inserted +190 struct _KSEMAPHORE SuspendSemaphore +190 struct _DISPATCHER_HEADER Header +190 byte Type +191 byte Absolute +192 byte Size +193 byte Inserted +194 int32 SignalState +198 struct _LIST_ENTRY WaitListHead +198 struct _LIST_ENTRY *Flink +19c struct _LIST_ENTRY *Blink +1a0 int32 Limit +1a4 struct _LIST_ENTRY ThreadListEntry +1a4 struct _LIST_ENTRY *Flink +1a8 struct _LIST_ENTRY *Blink +1ac char FreezeCount +1ad char SuspendCount +1ae byte IdealProcessor +1af byte DisableBoost +1b0 union _LARGE_INTEGER CreateTime +1b0 uint32 LowPart +1b4 int32 HighPart +1b0 struct __unnamed3 u +1b0 uint32 LowPart +1b4 int32 HighPart +1b0 int64 QuadPart +1b0 bits0-1 NestedFaultCount +1b0 bits2-2 ApcNeeded +1b8 union _LARGE_INTEGER ExitTime +1b8 uint32 LowPart +1bc int32 HighPart +1b8 struct __unnamed3 u +1b8 uint32 LowPart +1bc int32 HighPart +1b8 int64 QuadPart +1b8 struct _LIST_ENTRY LpcReplyChain +1b8 struct _LIST_ENTRY *Flink +1bc struct _LIST_ENTRY *Blink +1c0 int32 ExitStatus +1c0 void *OfsChain +1c4 struct _LIST_ENTRY PostBlockList +1c4 struct _LIST_ENTRY *Flink +1c8 struct _LIST_ENTRY *Blink +1cc struct _LIST_ENTRY TerminationPortList +1cc struct _LIST_ENTRY *Flink +1d0 struct _LIST_ENTRY *Blink +1d4 uint32 ActiveTimerListLock +1d8 struct _LIST_ENTRY ActiveTimerListHead +1d8 struct _LIST_ENTRY *Flink +1dc struct _LIST_ENTRY *Blink +1e0 struct _CLIENT_ID Cid +1e0 void *UniqueProcess +1e4 void *UniqueThread +1e8 struct _KSEMAPHORE LpcReplySemaphore +1e8 struct _DISPATCHER_HEADER Header +1e8 byte Type +1e9 byte Absolute +1ea byte Size +1eb byte Inserted +1ec int32 
SignalState +1f0 struct _LIST_ENTRY WaitListHead +1f0 struct _LIST_ENTRY *Flink +1f4 struct _LIST_ENTRY *Blink +1f8 int32 Limit +1fc void *LpcReplyMessage +200 uint32 LpcReplyMessageId +204 uint32 PerformanceCountLow +208 struct _PS_IMPERSONATION_INFORMATION *ImpersonationInfo +20c struct _LIST_ENTRY IrpList +20c struct _LIST_ENTRY *Flink +210 struct _LIST_ENTRY *Blink +214 uint32 TopLevelIrp +218 struct _DEVICE_OBJECT *DeviceToVerify +21c uint32 ReadClusterSize +220 byte ForwardClusterOnly +221 byte DisablePageFaultClustering +222 byte DeadThread +223 byte HideFromDebugger +224 uint32 HasTerminated +228 uint32 GrantedAccess +22c struct _EPROCESS *ThreadsProcess +230 void *StartAddress +234 void *Win32StartAddress +234 uint32 LpcReceivedMessageId +238 byte LpcExitThreadCalled +239 byte HardErrorsAreDisabled +23a byte LpcReceivedMsgIdValid +23b byte ActiveImpersonationInfo +23c int32 PerformanceCountHigh +240 struct _LIST_ENTRY ThreadListEntry +240 struct _LIST_ENTRY *Flink +244 struct _LIST_ENTRY *Blink | ||