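## KPROCESS

```c
//
// Kernel process block (KPROCESS). Embedded as EPROCESS.Pcb; the layout is
// build- and architecture-specific, so field offsets must be taken from the
// symbols of the target kernel rather than hard-coded from this listing.
//
typedef struct _KPROCESS {

    //
    // The dispatch header and profile listhead are fairly infrequently
    // referenced.
    //

    DISPATCHER_HEADER Header;               // Dispatcher object header.
    LIST_ENTRY ProfileListHead;             // Node in the global list of profiled processes.

    //
    // The following fields are referenced during context switches.
    //

    ULONG_PTR DirectoryTableBase[2];        // [0] page-directory base of the process; [1] hyperspace ... (comment truncated in the source)

#if defined(_X86_)

    KGDTENTRY LdtDescriptor;                // LDT (local descriptor table) descriptor.
    KIDTENTRY Int21Descriptor;              // int 21h descriptor, for DOS-compatible programs.
    USHORT IopmOffset;                      // Location of the IOPM (I/O permission map).
    UCHAR Iopl;                             // I/O privilege level of the process.
    BOOLEAN Unused;

#endif

#if defined(_AMD64_)

    USHORT IopmOffset;                      // Location of the IOPM (I/O permission map).

#endif

    volatile KAFFINITY ActiveProcessors;    // Processors the process is currently running on.

    //
    // The following fields are referenced during clock interrupts.
    //
    // These two times are only updated when a thread of the process ends.
    //
    ULONG KernelTime;                       // Total kernel-mode time of the process.
    ULONG UserTime;                         // Total user-mode time of the process.

    //
    // The following fields are referenced infrequently.
    //

    LIST_ENTRY ReadyListHead;               // Threads that are ready but not yet on the global ready list ... (truncated)
    SINGLE_LIST_ENTRY SwapListEntry;        // Singly-linked entry used when the process is swapped out or in ... (truncated)

#if defined(_X86_)

    PVOID VdmTrapcHandler;

#else

    PVOID Reserved1;

#endif

    LIST_ENTRY ThreadListHead;              // Head of the list of all threads in this process.
    KSPIN_LOCK ProcessLock;                 // Spin lock.
    KAFFINITY Affinity;                     // Which processors the threads of this process may run on ... (truncated)

    //
    // N.B. The following bit number definitions must match the following
    // bit field.
    //
    // N.B. These bits can only be written with interlocked operations.
    //

#define KPROCESS_AUTO_ALIGNMENT_BIT 0
#define KPROCESS_DISABLE_BOOST_BIT 1
#define KPROCESS_DISABLE_QUANTUM_BIT 2

    union {
        struct {
            LONG AutoAlignment : 1;         // Memory-access alignment setting.
            LONG DisableBoost : 1;          // Related to scheduler priority boosting.
            LONG DisableQuantum : 1;        // Related to scheduler quantum handling.
            LONG ReservedFlags : 29;
        };

        LONG ProcessFlags;                  // Same bits as a whole; write only with interlocked operations.
    };

    SCHAR BasePriority;                     // Base priority of the process.
    SCHAR QuantumReset;                     // Base quantum-reset value for all threads of the process ... (truncated)
    UCHAR State;                            // Whether the process is in memory; six states:
                                            //   ProcessInMemory, ProcessOutOfMemory,
                                            //   ProcessInTransition, ProcessOutOfTransition ... (truncated)
                                            //   ProcessInSwap (swapped out to the swap space),
                                            //   ProcessOutOfSwap (not in the swap space).

    UCHAR ThreadSeed;                       // Ideal processor for new threads of the process.
    UCHAR PowerState;                       // Power state.
    UCHAR IdealNode;                        // Preferred processor node chosen at process creation.
    BOOLEAN Visited;
    union {
        KEXECUTE_OPTIONS Flags;
        UCHAR ExecuteOptions;               // Memory execute options of the process.
    };

#if !defined(_X86_) && !defined(_AMD64_)

    PALIGNMENT_EXCEPTION_TABLE AlignmentExceptionTable;

#endif

    ULONG_PTR StackCount;                   // Number of thread stacks of this process that are currently in memory.
    LIST_ENTRY ProcessListEntry;            // Node in the active process list (KiProcessListHead) ... (truncated)
} KPROCESS, *PKPROCESS, *PRKPROCESS;
```

## EPROCESS

```c
//
// Process structure.
//
// If you remove a field from this structure, please also
// remove the reference to it from within the kernel debugger
// (nt\private\sdktools\ntsd\ntkext.c)
//
// The executive process object. Like KPROCESS, the layout is version-specific;
// resolve offsets from the target build's symbols before reading it from a driver.
//

typedef struct _EPROCESS {
    KPROCESS Pcb;                           // Kernel process block.

    //
    // Lock used to protect:
    // The list of threads in the process.
    // Process token.
    // Win32 process field.
    // Process and thread affinity setting.
    //

    EX_PUSH_LOCK ProcessLock;               // Push lock protecting the EPROCESS members listed above.

    LARGE_INTEGER CreateTime;               // Process creation time.
    LARGE_INTEGER ExitTime;                 // Process exit time.

    //
    // Structure to allow lock free cross process access to the process
    // handle table, process section and address space. Acquire rundown
    // protection with this if you do cross process handle table, process
    // section or address space references.
    //

    EX_RUNDOWN_REF RundownProtect;          // Rundown protection; waited on when the process is destroyed.

    HANDLE UniqueProcessId;                 // Process id (PID), assigned at process creation.

    //
    // Global list of all processes in the system. Processes are removed
    // from this list in the object deletion routine. References to
    // processes in this list must be done with ObReferenceObjectSafe
    // because of this.
    //

    LIST_ENTRY ActiveProcessLinks;          // Active process list (doubly linked); its head is PsActiveProc... (truncated)

    //
    // Quota Fields.
    //

    SIZE_T QuotaUsage[PsQuotaTypes];        // Process quota usage.
    SIZE_T QuotaPeak[PsQuotaTypes];         // Process peak quota usage.
    SIZE_T CommitCharge;                    // Number of committed virtual-memory pages of the process.

    //
    // VmCounters.
    //

    SIZE_T PeakVirtualSize;
    SIZE_T VirtualSize;

    LIST_ENTRY SessionProcessLinks;

    PVOID DebugPort;                        // Debug port; non-NULL while the process is being debugged.
    PVOID ExceptionPort;                    // Exception port.
    PHANDLE_TABLE ObjectTable;              // Handle table.

    //
    // Security.
    //

    EX_FAST_REF Token;                      // Access token used for the process's security access checks.
                                            // NOTE(review): EX_FAST_REF packs a reference count into the low
                                            // pointer bits; mask them before dereferencing - confirm against
                                            // the EX_FAST_REF definition of the target build.

    PFN_NUMBER WorkingSetPage;
    KGUARDED_MUTEX AddressCreationLock;
    KSPIN_LOCK HyperSpaceLock;

    struct _ETHREAD *ForkInProgress;
    ULONG_PTR HardwareTrigger;

    PMM_AVL_TABLE PhysicalVadRoot;
    PVOID CloneRoot;
    PFN_NUMBER NumberOfPrivatePages;
    PFN_NUMBER NumberOfLockedPages;
    PVOID Win32Process;
    struct _EJOB *Job;
    PVOID SectionObject;

    PVOID SectionBaseAddress;

    PEPROCESS_QUOTA_BLOCK QuotaBlock;

    PPAGEFAULT_HISTORY WorkingSetWatch;
    HANDLE Win32WindowStation;
    HANDLE InheritedFromUniqueProcessId;

    PVOID LdtInformation;
    PVOID VadFreeHint;
    PVOID VdmObjects;
    PVOID DeviceMap;

    PVOID Spare0[3];
    union {
        HARDWARE_PTE PageDirectoryPte;
        ULONGLONG Filler;
    };
    PVOID Session;
    UCHAR ImageFileName[16];                // Not guaranteed to be NUL-terminated when the name fills all 16 bytes; bound reads by the array size.

    LIST_ENTRY JobLinks;
    PVOID LockedPagesList;

    LIST_ENTRY ThreadListHead;              // Doubly linked list of all threads of the process.

    //
    // Used by rdr/security for authentication.
    //

    PVOID SecurityPort;                     // Security port: the cross-process communication port between this process and lsass.

#ifdef _WIN64
    PWOW64_PROCESS Wow64Process;
#else
    PVOID PaeTop;
#endif

    ULONG ActiveThreads;                    // Number of active threads in the process (the process exits when it reaches 0).

    ACCESS_MASK GrantedAccess;              // Access rights of the process (bit mask); values see public\sdk\inc\... (truncated)

    ULONG DefaultHardErrorProcessing;

    NTSTATUS LastThreadExitStatus;          // Exit status of the last thread.

    //
    // Peb
    //

    PPEB Peb;                               // Block in the process address space describing its heap(s) and system modul... (comment truncated in the source)

    //
    // Pointer to the prefetches trace block.
    //
    EX_FAST_REF PrefetchTrace;

    LARGE_INTEGER ReadOperationCount;       // Number of NtReadFile calls.
    LARGE_INTEGER WriteOperationCount;      // Number of NtWriteFile calls.
    LARGE_INTEGER OtherOperationCount;      // Number of I/O operations other than read and write.
    LARGE_INTEGER ReadTransferCount;        // Completed I/O read operations (per the original author; the public IO_COUNTERS documentation describes this as bytes transferred - verify).
    LARGE_INTEGER WriteTransferCount;       // Completed I/O write operations (same caveat as above).
    LARGE_INTEGER OtherTransferCount;       // Completed other I/O operations (same caveat as above).

    SIZE_T CommitChargeLimit;
    SIZE_T CommitChargePeak;

    PVOID AweInfo;                          // Supports AWE (Address Windowing Extensions).

    //
    // This is used for SeAuditProcessCreation.
    // It contains the full path to the image file.
    //

    SE_AUDIT_PROCESS_CREATION_INFO SeAuditProcessCreationInfo;  // Set at process creation ... (truncated)

    MMSUPPORT Vm;                           // Key structure managing the process's virtual memory.

#if !defined(_WIN64)
    LIST_ENTRY MmProcessLinks;
#else
    ULONG Spares[2];
#endif

    ULONG ModifiedPageCount;

#define PS_JOB_STATUS_NOT_REALLY_ACTIVE 0x00000001UL
#define PS_JOB_STATUS_ACCOUNTING_FOLDED 0x00000002UL
#define PS_JOB_STATUS_NEW_PROCESS_REPORTED 0x00000004UL
#define PS_JOB_STATUS_EXIT_PROCESS_REPORTED 0x00000008UL
#define PS_JOB_STATUS_REPORT_COMMIT_CHANGES 0x00000010UL
#define PS_JOB_STATUS_LAST_REPORT_MEMORY 0x00000020UL
#define PS_JOB_STATUS_REPORT_PHYSICAL_PAGE_CHANGES 0x00000040UL

    ULONG JobStatus;

    //
    // Process flags. Use interlocked operations with PS_SET_BITS, etc
    // to modify these.
    //
    // The trailing comment of each flag is truncated in this copy of the
    // source; the bit-field below gives the full flag names.
    //

#define PS_PROCESS_FLAGS_CREATE_REPORTED 0x00000001UL         // Create p...
#define PS_PROCESS_FLAGS_NO_DEBUG_INHERIT 0x00000002UL        // Don't in...
#define PS_PROCESS_FLAGS_PROCESS_EXITING 0x00000004UL         // PspExitP...
#define PS_PROCESS_FLAGS_PROCESS_DELETE 0x00000008UL          // Delete p...
#define PS_PROCESS_FLAGS_WOW64_SPLIT_PAGES 0x00000010UL       // Wow64 sp...
#define PS_PROCESS_FLAGS_VM_DELETED 0x00000020UL              // VM is de...
#define PS_PROCESS_FLAGS_OUTSWAP_ENABLED 0x00000040UL         // Outswap ...
#define PS_PROCESS_FLAGS_OUTSWAPPED 0x00000080UL              // Outswapp...
#define PS_PROCESS_FLAGS_FORK_FAILED 0x00000100UL             // Fork sta...
#define PS_PROCESS_FLAGS_WOW64_4GB_VA_SPACE 0x00000200UL      // Wow64 pr...
#define PS_PROCESS_FLAGS_ADDRESS_SPACE1 0x00000400UL          // Addr spa...
#define PS_PROCESS_FLAGS_ADDRESS_SPACE2 0x00000800UL          // Addr spa...
#define PS_PROCESS_FLAGS_SET_TIMER_RESOLUTION 0x00001000UL    // SetTimer...
#define PS_PROCESS_FLAGS_BREAK_ON_TERMINATION 0x00002000UL    // Break on...
#define PS_PROCESS_FLAGS_CREATING_SESSION 0x00004000UL        // Process ...
#define PS_PROCESS_FLAGS_USING_WRITE_WATCH 0x00008000UL       // Process ...
#define PS_PROCESS_FLAGS_IN_SESSION 0x00010000UL              // Process ...
#define PS_PROCESS_FLAGS_OVERRIDE_ADDRESS_SPACE 0x00020000UL  // Process ...
#define PS_PROCESS_FLAGS_HAS_ADDRESS_SPACE 0x00040000UL       // This pro...
#define PS_PROCESS_FLAGS_LAUNCH_PREFETCHED 0x00080000UL       // Process ...
#define PS_PROCESS_INJECT_INPAGE_ERRORS 0x00100000UL          // Process ...
#define PS_PROCESS_FLAGS_VM_TOP_DOWN 0x00200000UL             // Process ...
#define PS_PROCESS_FLAGS_IMAGE_NOTIFY_DONE 0x00400000UL       // We have ...
#define PS_PROCESS_FLAGS_PDE_UPDATE_NEEDED 0x00800000UL       // The syst...
#define PS_PROCESS_FLAGS_VDM_ALLOWED 0x01000000UL             // Process ...
#define PS_PROCESS_FLAGS_SMAP_ALLOWED 0x02000000UL            // Process ...
#define PS_PROCESS_FLAGS_CREATE_FAILED 0x04000000UL           // Process ...

#define PS_PROCESS_FLAGS_DEFAULT_IO_PRIORITY 0x38000000UL     // The defa...

#define PS_PROCESS_FLAGS_PRIORITY_SHIFT 27

#define PS_PROCESS_FLAGS_EXECUTE_SPARE1 0x40000000UL
#define PS_PROCESS_FLAGS_EXECUTE_SPARE2 0x80000000UL

    union {

        ULONG Flags;

        //
        // Fields can only be set by the PS_SET_BITS and other interlocked
        // macros. Reading fields is best done via the bit definitions so
        // references are easy to locate.
        //

        struct {
            ULONG CreateReported : 1;
            ULONG NoDebugInherit : 1;
            ULONG ProcessExiting : 1;
            ULONG ProcessDelete : 1;
            ULONG Wow64SplitPages : 1;
            ULONG VmDeleted : 1;
            ULONG OutswapEnabled : 1;
            ULONG Outswapped : 1;
            ULONG ForkFailed : 1;
            ULONG Wow64VaSpace4Gb : 1;
            ULONG AddressSpaceInitialized : 2;
            ULONG SetTimerResolution : 1;
            ULONG BreakOnTermination : 1;
            ULONG SessionCreationUnderway : 1;
            ULONG WriteWatch : 1;
            ULONG ProcessInSession : 1;
            ULONG OverrideAddressSpace : 1;
            ULONG HasAddressSpace : 1;
            ULONG LaunchPrefetched : 1;
            ULONG InjectInpageErrors : 1;
            ULONG VmTopDown : 1;
            ULONG ImageNotifyDone : 1;
            ULONG PdeUpdateNeeded : 1;      // NT32 only
            ULONG VdmAllowed : 1;
            ULONG SmapAllowed : 1;
            ULONG CreateFailed : 1;
            ULONG DefaultIoPriority : 3;
            ULONG Spare1 : 1;
            ULONG Spare2 : 1;
        };
    };

    NTSTATUS ExitStatus;

    USHORT NextPageColor;
    union {
        struct {
            UCHAR SubSystemMinorVersion;
            UCHAR SubSystemMajorVersion;
        };
        USHORT SubSystemVersion;
    };
    UCHAR PriorityClass;

    MM_AVL_TABLE VadRoot;                   // Root of the balanced binary tree (VAD tree) managing the process's virtual address space.

    ULONG Cookie;                           // Random value representing this process.

} EPROCESS, *PEPROCESS;
```

```c
// Doubly linked list node used throughout the kernel structures below.
typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;              // Next entry.
    struct _LIST_ENTRY *Blink;              // Previous entry.
} LIST_ENTRY, *PLIST_ENTRY;
```

```c
// Each item of the LDR list is this structure; it holds the basic information
// about a loaded module (driver).
// The offsets in the trailing comments are for the 32-bit layout (4-byte
// pointers); they do not hold on 64-bit builds.
typedef struct _LDR_DATA_TABLE_ENTRY {
    struct _LIST_ENTRY InLoadOrderLinks;               //0x0
    struct _LIST_ENTRY InMemoryOrderLinks;             //0x8
    struct _LIST_ENTRY InInitializationOrderLinks;     //0x10
    VOID* DllBase;                                     //0x18
    VOID* EntryPoint;                                  //0x1c
    ULONG SizeOfImage;                                 //0x20
    struct _UNICODE_STRING FullDllName;                //0x24
    struct _UNICODE_STRING BaseDllName;                //0x2c
    // ... further fields follow; they are not needed here and are omitted to keep the code short.
} LDR_DATA_TABLE_ENTRY, * PLDR_DATA_TABLE_ENTRY;
```

文件结构体

```c
// One directory entry as returned by a directory query; entries are chained
// through NextEntryOffset inside the caller's buffer.
typedef struct _FILE_FULL_DIR_INFORMATION {
    ULONG NextEntryOffset;          // Byte offset of the next FILE_FULL_DIR_INFORMATION entry when the buffer holds several; zero when no entry follows this one.
    ULONG FileIndex;                // Byte offset of the file within the parent directory. Undefined for file systems such as NTFS, where a file's position in its parent directory is not fixed and may change at any time to keep the sort order.
    LARGE_INTEGER CreationTime;     // Time the file was created.
    LARGE_INTEGER LastAccessTime;   // Time the file was last accessed.
    LARGE_INTEGER LastWriteTime;    // Time the file was last written.
    LARGE_INTEGER ChangeTime;       // Time the file was last changed.
    LARGE_INTEGER EndOfFile;        // New absolute end-of-file position, as a byte offset from the start of the file. Because the value is zero-based it is in fact the first free byte of the file, i.e. the offset just past the last valid byte.
    LARGE_INTEGER AllocationSize;   // File allocation size in bytes; normally a multiple of the sector or cluster size of the underlying physical device.
    ULONG FileAttributes;           // File attributes.
    ULONG FileNameLength;           // Length of the file name string.
    ULONG EaSize;                   // Combined length, in bytes, of the file's extended attributes (EA).
    WCHAR FileName[1];              // First character of the file name; the rest of the string follows immediately in memory.
                                    // The name is not NUL-terminated - bound every read by FileNameLength and by the buffer passed to the query.
} FILE_FULL_DIR_INFORMATION, *PFILE_FULL_DIR_INFORMATION;
```

LARGE_INTEGER 转换 FileTime 文件属性

```c
FILE_ATTRIBUTE_READONLY     // Read-only.
FILE_ATTRIBUTE_HIDDEN       // Hidden.
FILE_ATTRIBUTE_SYSTEM       // System.
FILE_ATTRIBUTE_DIRECTORY    // Marks a directory.
FILE_ATTRIBUTE_NORMAL       // Normal (clears the four attributes above).
FILE_ATTRIBUTE_ARCHIVE      // Archive file.
FILE_ATTRIBUTE_TEMPORARY    // Temporary file.
FILE_ATTRIBUTE_COMPRESSED   // Compressed file.
```

pid 获取目标进程的 EPROCESS (PsLookupProcessByProcessId) 切换当前进程,方法当然是通过 KeAttachProcess 或者 KeStackAttachProcess

GDT

```c
// 6-byte pseudo-descriptor as stored by SGDT on 32-bit x86 (16-bit limit,
// 32-bit base split into two halves).
typedef struct _GDT_INFO {
    UINT16 uGdtLimit;               // GDT limit.
    UINT16 uLowGdtBase;             // Low 16 bits of the GDT base.
    UINT16 uHighGdtBase;            // High 16 bits of the GDT base.
}GDT_INFO, * PGDT_INFO;

//0x8 bytes (sizeof)
typedef struct _GDTENTRY {
    USHORT LimitLow;                //0x0
    USHORT BaseLow;                 //0x2
    union {
        struct {
            UCHAR BaseMid;          //0x4
            UCHAR Flags1;           //0x5
            UCHAR Flags2;           //0x6
            UCHAR BaseHi;           //0x7
        } Bytes;                    //0x4
        struct {
            UINT32 BaseMid : 8;
            UINT32 Type : 4;
            UINT32 S : 1;
            UINT32 Dpl : 2;
            UINT32 Pres : 1;
            UINT32 LimitHi : 4;
            UINT32 Avl : 1;
            UINT32 Reserved_0 : 1;
            UINT32 D_B : 1;
            UINT32 Granularity : 1;
            UINT32 BaseHi : 8;
        } Bits;
    } HighWord;
}GDTENTRY, * PGDTENTRY;
```

IDT

```c
// 6-byte pseudo-descriptor as stored by SIDT on 32-bit x86.
typedef struct _IDT_INFO {
    UINT16 uIdtLimit;               // IDT limit.
    UINT16 uLowIdtBase;             // Low 16 bits of the IDT base.
    UINT16 uHighIdtBase;            // High 16 bits of the IDT base.
}IDT_INFO, * PIDT_INFO;

//0x8 bytes (sizeof)
// 32-bit gate descriptor. The former 16-bit "access" word at offset 0x4 is
// split into the reserved byte (0x4) and the type/attribute byte (0x5).
// The attribute bits are declared as UINT8 on purpose: declared as UINT32,
// the bit-field would start a new 4-byte allocation unit, pushing
// uOffsetHigh past offset 0x6 and making sizeof larger than 8, so any
// IDT walk based on this layout would read the wrong bytes.
typedef struct _IDTENTRY {          // USHORT == UINT16
    USHORT uOffsetLow;              //0x0, low 16 bits of the handler offset.
    USHORT uSelector;               //0x2, code segment selector.
    UINT8 uReserved;                //0x4, reserved.
    UINT8 GateType : 4;             //0x5, gate type.
    UINT8 StorageSegment : 1;       // 0 for an interrupt gate.
    UINT8 DPL : 2;                  // Descriptor privilege level.
    UINT8 Present : 1;              // May be 0 for an unused interrupt.
    USHORT uOffsetHigh;             //0x6, high 16 bits of the handler offset.
}IDTENTRY, * PIDTENTRY;
```

SSDT

```c
// System service descriptor table, 32-bit layout (absolute function
// addresses in ServiceTableBase).
typedef struct _ServiceDescriptorTable {
    // Base address of the System Service Dispatch Table.
    ULONG* ServiceTableBase;
    // Per-service call counters for the SSDT; normally updated on the sysenter path.
    ULONG* ServiceCounterTable;
    // Number of services described by ServiceTableBase.
    ULONG NumberOfServices;
    // Base address of the table of per-service parameter byte counts (the system service parameter table, SSPT).
    UCHAR* ParamTableBase;
}*PServiceDescriptorTable;          // NOTE: this typedef names only the pointer type, not the structure.

// Obtain a pointer to the SSDT.
// NOTE(review): KeServiceDescriptorTable is a data symbol exported only by
// 32-bit ntoskrnl; declaring it through a pointer type relies on the linker
// resolving the reference via the import slot. It does not resolve on x64,
// where the table is not exported and is covered by kernel patch protection,
// so this declaration is for x86 inspection only - verify on the target build.
extern PServiceDescriptorTable KeServiceDescriptorTable;
PServiceDescriptorTable g_ServiceDescriptorTable;
```

PEB

```c
//0x30 bytes (sizeof)
// Loader data referenced from the PEB. Offsets are for the 32-bit layout
// (4-byte pointers).
// NOTE: unlike the SDK convention (PEB_LDR_DATA = structure, PPEB_LDR_DATA =
// pointer), this typedef names the POINTER type PEB_LDR_DATA; the name is kept
// as written so existing users of it keep compiling.
typedef struct _PEB_LDR_DATA {
    ULONG Length;                                              //0x0
    UCHAR Initialized;                                         //0x4
    VOID* SsHandle;                                            //0x8
    struct _LIST_ENTRY InLoadOrderModuleList;                  //0xc
    struct _LIST_ENTRY InMemoryOrderModuleList;                //0x14
    struct _LIST_ENTRY InInitializationOrderModuleList;        //0x1c
    VOID* EntryInProgress;                                     //0x24
    UCHAR ShutdownInProgress;                                  //0x28
    VOID* ShutdownThreadId;                                    //0x2c
}*PEB_LDR_DATA;
```

```c
// Kernel-mode loader entry for a loaded driver image.
typedef struct _KLDR_DATA_TABLE_ENTRY {
    LIST_ENTRY InLoadOrderLinks;
    PVOID ExceptionTable;
    ULONG ExceptionTableSize;
    // ULONG padding on IA64
    PVOID GpValue;
    ULONG64 NonPagedDebugInfo;
    PVOID DllBase;
    PVOID EntryPoint;
    ULONG SizeOfImage;
    UNICODE_STRING FullDllName;
    UNICODE_STRING BaseDllName;
    ULONG Flags;
    USHORT LoadCount;
    USHORT __Unused5;
    PVOID SectionPointer;
    ULONG CheckSum;
    // ULONG padding on IA64
    PVOID LoadedImports;
    PVOID PatchInformation;
} KLDR_DATA_TABLE_ENTRY, * PKLDR_DATA_TABLE_ENTRY;
```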