Windows Kernel Research (Processes and Threads: the Process Structure EPROCESS)
Processes and Threads
Every Windows process has a corresponding structure in ring 0: EPROCESS (ring 0). This structure holds all of the process's important information.
Viewing the EPROCESS structure with WinDbg
```
2: kd> dt _EPROCESS
ntdll!_EPROCESS
   +0x000 Pcb : _KPROCESS                          // sub-structure (the kernel-level KPROCESS)
   +0x0b0 ProcessLock : _EX_PUSH_LOCK
   +0x0b4 UniqueProcessId : Ptr32 Void             // process ID (the PID shown in Task Manager)
   +0x0b8 ActiveProcessLinks : _LIST_ENTRY         // doubly linked list; all active processes are linked together into one list
   +0x0c0 RundownProtect : _EX_RUNDOWN_REF
   +0x0c4 VdmObjects : Ptr32 Void
   +0x0c8 Flags2 : Uint4B
   +0x0c8 JobNotReallyActive : Pos 0, 1 Bit
   +0x0c8 AccountingFolded : Pos 1, 1 Bit
   +0x0c8 NewProcessReported : Pos 2, 1 Bit
   +0x0c8 ExitProcessReported : Pos 3, 1 Bit
   +0x0c8 ReportCommitChanges : Pos 4, 1 Bit
   +0x0c8 LastReportMemory : Pos 5, 1 Bit
   +0x0c8 ForceWakeCharge : Pos 6, 1 Bit
   +0x0c8 CrossSessionCreate : Pos 7, 1 Bit
   +0x0c8 NeedsHandleRundown : Pos 8, 1 Bit
   +0x0c8 RefTraceEnabled : Pos 9, 1 Bit
   +0x0c8 PicoCreated : Pos 10, 1 Bit
   +0x0c8 EmptyJobEvaluated : Pos 11, 1 Bit
   +0x0c8 DefaultPagePriority : Pos 12, 3 Bits
   +0x0c8 PrimaryTokenFrozen : Pos 15, 1 Bit
   +0x0c8 ProcessVerifierTarget : Pos 16, 1 Bit
   +0x0c8 RestrictSetThreadContext : Pos 17, 1 Bit
   +0x0c8 AffinityPermanent : Pos 18, 1 Bit
   +0x0c8 AffinityUpdateEnable : Pos 19, 1 Bit
   +0x0c8 PropagateNode : Pos 20, 1 Bit
   +0x0c8 ExplicitAffinity : Pos 21, 1 Bit
   +0x0c8 ProcessExecutionState : Pos 22, 2 Bits
   +0x0c8 EnableReadVmLogging : Pos 24, 1 Bit
   +0x0c8 EnableWriteVmLogging : Pos 25, 1 Bit
   +0x0c8 FatalAccessTerminationRequested : Pos 26, 1 Bit
   +0x0c8 DisableSystemAllowedCpuSet : Pos 27, 1 Bit
   +0x0c8 ProcessStateChangeRequest : Pos 28, 2 Bits
   +0x0c8 ProcessStateChangeInProgress : Pos 30, 1 Bit
   +0x0c8 InPrivate : Pos 31, 1 Bit
   +0x0cc Flags : Uint4B
   +0x0cc CreateReported : Pos 0, 1 Bit
   +0x0cc NoDebugInherit : Pos 1, 1 Bit
   +0x0cc ProcessExiting : Pos 2, 1 Bit
   +0x0cc ProcessDelete : Pos 3, 1 Bit
   +0x0cc ManageExecutableMemoryWrites : Pos 4, 1 Bit
   +0x0cc VmDeleted : Pos 5, 1 Bit
   +0x0cc OutswapEnabled : Pos 6, 1 Bit
   +0x0cc Outswapped : Pos 7, 1 Bit
   +0x0cc FailFastOnCommitFail : Pos 8, 1 Bit
   +0x0cc Wow64VaSpace4Gb : Pos 9, 1 Bit
   +0x0cc AddressSpaceInitialized : Pos 10, 2 Bits
   +0x0cc SetTimerResolution : Pos 12, 1 Bit
   +0x0cc BreakOnTermination : Pos 13, 1 Bit
   +0x0cc DeprioritizeViews : Pos 14, 1 Bit
   +0x0cc WriteWatch : Pos 15, 1 Bit
   +0x0cc ProcessInSession : Pos 16, 1 Bit
   +0x0cc OverrideAddressSpace : Pos 17, 1 Bit
   +0x0cc HasAddressSpace : Pos 18, 1 Bit
   +0x0cc LaunchPrefetched : Pos 19, 1 Bit
   +0x0cc Background : Pos 20, 1 Bit
   +0x0cc VmTopDown : Pos 21, 1 Bit
   +0x0cc ImageNotifyDone : Pos 22, 1 Bit
   +0x0cc PdeUpdateNeeded : Pos 23, 1 Bit
   +0x0cc VdmAllowed : Pos 24, 1 Bit
   +0x0cc ProcessRundown : Pos 25, 1 Bit
   +0x0cc ProcessInserted : Pos 26, 1 Bit
   +0x0cc DefaultIoPriority : Pos 27, 3 Bits
   +0x0cc ProcessSelfDelete : Pos 30, 1 Bit
   +0x0cc SetTimerResolutionLink : Pos 31, 1 Bit
   +0x0d0 CreateTime : _LARGE_INTEGER               // process creation time
   +0x0d8 ProcessQuotaUsage : [2] Uint4B            // physical-page statistics
   +0x0e0 ProcessQuotaPeak : [2] Uint4B             // physical-page statistics
   +0x0e8 PeakVirtualSize : Uint4B                  // virtual-memory statistics
   +0x0ec VirtualSize : Uint4B                      // virtual-memory statistics
   +0x0f0 SessionProcessLinks : _LIST_ENTRY
   +0x0f8 ExceptionPortData : Ptr32 Void            // debugging related
   +0x0f8 ExceptionPortValue : Uint4B
   +0x0f8 ExceptionPortState : Pos 0, 3 Bits
   +0x0fc Token : _EX_FAST_REF
   +0x100 MmReserved : Uint4B
   +0x104 AddressCreationLock : _EX_PUSH_LOCK
   +0x108 PageTableCommitmentLock : _EX_PUSH_LOCK
   +0x10c RotateInProgress : Ptr32 _ETHREAD
   +0x110 ForkInProgress : Ptr32 _ETHREAD
   +0x114 CommitChargeJob : Ptr32 _EJOB
   +0x118 CloneRoot : _RTL_AVL_TREE
   +0x11c NumberOfPrivatePages : Uint4B
   +0x120 NumberOfLockedPages : Uint4B
   +0x124 Win32Process : Ptr32 Void
   +0x128 Job : Ptr32 _EJOB
   +0x12c SectionObject : Ptr32 Void
   +0x130 SectionBaseAddress : Ptr32 Void
   +0x134 Cookie : Uint4B
   +0x138 WorkingSetWatch : Ptr32 _PAGEFAULT_HISTORY
   +0x13c Win32WindowStation : Ptr32 Void
   +0x140 InheritedFromUniqueProcessId : Ptr32 Void
   +0x144 LdtInformation : Ptr32 Void
   +0x148 OwnerProcessId : Uint4B
   +0x14c Peb : Ptr32 _PEB                          // Process Environment Block (a ring-3 structure of the process holding process-related information)
   +0x150 Session : Ptr32 _MM_SESSION_SPACE
   +0x154 Spare1 : Ptr32 Void
   +0x158 QuotaBlock : Ptr32 _EPROCESS_QUOTA_BLOCK
   +0x15c ObjectTable : Ptr32 _HANDLE_TABLE         // handle table
   +0x160 DebugPort : Ptr32 Void                    // debugging related
   +0x164 PaeTop : Ptr32 Void
   +0x168 DeviceMap : Ptr32 Void
   +0x16c EtwDataSource : Ptr32 Void
   +0x170 PageDirectoryPte : Uint8B
   +0x178 ImageFilePointer : Ptr32 _FILE_OBJECT
   +0x17c ImageFileName : [15] UChar                // process image file name
   +0x18b PriorityClass : UChar
   +0x18c SecurityPort : Ptr32 Void
   +0x190 SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO
   +0x194 JobLinks : _LIST_ENTRY
   +0x19c HighestUserAddress : Ptr32 Void
   +0x1a0 ThreadListHead : _LIST_ENTRY
   +0x1a8 ActiveThreads : Uint4B                    // number of active threads
   +0x1ac ImagePathHash : Uint4B
   +0x1b0 DefaultHardErrorProcessing : Uint4B
   +0x1b4 LastThreadExitStatus : Int4B
   +0x1b8 PrefetchTrace : _EX_FAST_REF
   +0x1bc LockedPagesList : Ptr32 Void
   +0x1c0 ReadOperationCount : _LARGE_INTEGER
   +0x1c8 WriteOperationCount : _LARGE_INTEGER
   +0x1d0 OtherOperationCount : _LARGE_INTEGER
   +0x1d8 ReadTransferCount : _LARGE_INTEGER
   +0x1e0 WriteTransferCount : _LARGE_INTEGER
   +0x1e8 OtherTransferCount : _LARGE_INTEGER
   +0x1f0 CommitChargeLimit : Uint4B
   +0x1f4 CommitCharge : Uint4B                     // virtual-memory statistics
   +0x1f8 CommitChargePeak : Uint4B
   +0x200 Vm : _MMSUPPORT_FULL
   +0x300 MmProcessLinks : _LIST_ENTRY
   +0x308 ModifiedPageCount : Uint4B
   +0x30c ExitStatus : Int4B
   +0x310 VadRoot : _RTL_AVL_TREE                   // tracks which addresses in the 0-2 GB user range are in use
   +0x314 VadHint : Ptr32 Void
   +0x318 VadCount : Uint4B
   +0x31c VadPhysicalPages : Uint4B
   +0x320 VadPhysicalPagesLimit : Uint4B
   +0x324 AlpcContext : _ALPC_PROCESS_CONTEXT
   +0x334 TimerResolutionLink : _LIST_ENTRY
   +0x33c TimerResolutionStackRecord : Ptr32 _PO_DIAG_STACK_RECORD
   +0x340 RequestedTimerResolution : Uint4B
   +0x344 SmallestTimerResolution : Uint4B
   +0x348 ExitTime : _LARGE_INTEGER                 // process exit time
   +0x350 ActiveThreadsHighWatermark : Uint4B
   +0x354 LargePrivateVadCount : Uint4B
   +0x358 ThreadListLock : _EX_PUSH_LOCK
   +0x35c WnfContext : Ptr32 Void
   +0x360 ServerSilo : Ptr32 _EJOB
   +0x364 SignatureLevel : UChar
   +0x365 SectionSignatureLevel : UChar
   +0x366 Protection : _PS_PROTECTION
   +0x367 HangCount : Pos 0, 3 Bits
   +0x367 GhostCount : Pos 3, 3 Bits
   +0x367 PrefilterException : Pos 6, 1 Bit
   +0x368 Flags3 : Uint4B
   +0x368 Minimal : Pos 0, 1 Bit
   +0x368 ReplacingPageRoot : Pos 1, 1 Bit
   +0x368 Crashed : Pos 2, 1 Bit
   +0x368 JobVadsAreTracked : Pos 3, 1 Bit
   +0x368 VadTrackingDisabled : Pos 4, 1 Bit
   +0x368 AuxiliaryProcess : Pos 5, 1 Bit
   +0x368 SubsystemProcess : Pos 6, 1 Bit
   +0x368 IndirectCpuSets : Pos 7, 1 Bit
   +0x368 RelinquishedCommit : Pos 8, 1 Bit
   +0x368 HighGraphicsPriority : Pos 9, 1 Bit
   +0x368 CommitFailLogged : Pos 10, 1 Bit
   +0x368 ReserveFailLogged : Pos 11, 1 Bit
   +0x368 SystemProcess : Pos 12, 1 Bit
   +0x368 HideImageBaseAddresses : Pos 13, 1 Bit
   +0x368 AddressPolicyFrozen : Pos 14, 1 Bit
   +0x368 ProcessFirstResume : Pos 15, 1 Bit
   +0x368 ForegroundExternal : Pos 16, 1 Bit
   +0x368 ForegroundSystem : Pos 17, 1 Bit
   +0x368 HighMemoryPriority : Pos 18, 1 Bit
   +0x368 EnableProcessSuspendResumeLogging : Pos 19, 1 Bit
   +0x368 EnableThreadSuspendResumeLogging : Pos 20, 1 Bit
   +0x368 SecurityDomainChanged : Pos 21, 1 Bit
   +0x368 SecurityFreezeComplete : Pos 22, 1 Bit
   +0x368 VmProcessorHost : Pos 23, 1 Bit
   +0x36c DeviceAsid : Int4B
   +0x370 SvmData : Ptr32 Void
   +0x374 SvmProcessLock : _EX_PUSH_LOCK
   +0x378 SvmLock : Uint4B
   +0x37c SvmProcessDeviceListHead : _LIST_ENTRY
   +0x388 LastFreezeInterruptTime : Uint8B
   +0x390 DiskCounters : Ptr32 _PROCESS_DISK_COUNTERS
   +0x394 PicoContext : Ptr32 Void
   +0x398 HighPriorityFaultsAllowed : Uint4B
   +0x39c InstrumentationCallback : Ptr32 Void
   +0x3a0 EnergyContext : Ptr32 _PO_PROCESS_ENERGY_CONTEXT
   +0x3a4 VmContext : Ptr32 Void
   +0x3a8 SequenceNumber : Uint8B
   +0x3b0 CreateInterruptTime : Uint8B
   +0x3b8 CreateUnbiasedInterruptTime : Uint8B
   +0x3c0 TotalUnbiasedFrozenTime : Uint8B
   +0x3c8 LastAppStateUpdateTime : Uint8B
   +0x3d0 LastAppStateUptime : Pos 0, 61 Bits
   +0x3d0 LastAppState : Pos 61, 3 Bits
   +0x3d8 SharedCommitCharge : Uint4B
   +0x3dc SharedCommitLock : _EX_PUSH_LOCK
   +0x3e0 SharedCommitLinks : _LIST_ENTRY
   +0x3e8 AllowedCpuSets : Uint4B
   +0x3ec DefaultCpuSets : Uint4B
   +0x3e8 AllowedCpuSetsIndirect : Ptr32 Uint4B
   +0x3ec DefaultCpuSetsIndirect : Ptr32 Uint4B
   +0x3f0 DiskIoAttribution : Ptr32 Void
   +0x3f4 DxgProcess : Ptr32 Void
   +0x3f8 Win32KFilterSet : Uint4B
   +0x400 ProcessTimerDelay : _PS_INTERLOCKED_TIMER_DELAY_VALUES
   +0x408 KTimerSets : Uint4B
   +0x40c KTimer2Sets : Uint4B
   +0x410 ThreadTimerSets : Uint4B
   +0x414 VirtualTimerListLock : Uint4B
   +0x418 VirtualTimerListHead : _LIST_ENTRY
   +0x420 WakeChannel : _WNF_STATE_NAME
   +0x420 WakeInfo : _PS_PROCESS_WAKE_INFORMATION
   +0x450 MitigationFlags : Uint4B
   +0x450 MitigationFlagsValues : <anonymous-tag>
   +0x454 MitigationFlags2 : Uint4B
   +0x454 MitigationFlags2Values : <anonymous-tag>
   +0x458 PartitionObject : Ptr32 Void
   +0x460 SecurityDomain : Uint8B
   +0x468 ParentSecurityDomain : Uint8B
   +0x470 CoverageSamplerContext : Ptr32 Void
   +0x474 MmHotPatchContext : Ptr32 Void
```
First, let's look at the first member, the _KPROCESS structure.
```
2: kd> dt _KPROCESS
ntdll!_KPROCESS
   +0x000 Header : _DISPATCHER_HEADER               // waitable object (can be passed to WaitForSingleObject)
   +0x010 ProfileListHead : _LIST_ENTRY
   +0x018 DirectoryTableBase : Uint4B               // page directory table base address (important)
   +0x01c LdtDescriptor : _KGDTENTRY
   +0x024 Int21Descriptor : _KIDTENTRY
   +0x02c ThreadListHead : _LIST_ENTRY
   +0x034 ProcessLock : Uint4B
   +0x038 DeepFreezeStartTime : Uint8B
   +0x040 Affinity : _KAFFINITY_EX                  // specifies which CPUs the threads of this process may run on
   +0x04c ReadyListHead : _LIST_ENTRY
   +0x054 SwapListEntry : _SINGLE_LIST_ENTRY
   +0x058 ActiveProcessors : _KAFFINITY_EX
   +0x064 AutoAlignment : Pos 0, 1 Bit
   +0x064 DisableBoost : Pos 1, 1 Bit
   +0x064 DisableQuantum : Pos 2, 1 Bit
   +0x064 DeepFreeze : Pos 3, 1 Bit
   +0x064 TimerVirtualization : Pos 4, 1 Bit
   +0x064 CheckStackExtents : Pos 5, 1 Bit
   +0x064 CacheIsolationEnabled : Pos 6, 1 Bit
   +0x064 PpmPolicy : Pos 7, 3 Bits
   +0x064 VaSpaceDeleted : Pos 10, 1 Bit
   +0x064 ReservedFlags : Pos 11, 21 Bits
   +0x064 ProcessFlags : Int4B
   +0x068 BasePriority : Char                       // base (minimum) priority of all threads in this process
   +0x069 QuantumReset : Char
   +0x06a Visited : Char
   +0x06b Flags : _KEXECUTE_OPTIONS
   +0x06c ThreadSeed : [1] Uint2B
   +0x06e IdealProcessor : [1] Uint2B
   +0x070 IdealNode : [1] Uint2B
   +0x072 IdealGlobalNode : Uint2B
   +0x074 Spare1 : Uint2B
   +0x076 IopmOffset : Uint2B
   +0x078 SchedulingGroup : Ptr32 _KSCHEDULING_GROUP
   +0x07c StackCount : _KSTACK_COUNT
   +0x080 ProcessListEntry : _LIST_ENTRY
   +0x088 CycleTime : Uint8B
   +0x090 ContextSwitches : Uint8B
   +0x098 FreezeCount : Uint4B
   +0x09c KernelTime : Uint4B                       // time spent running in ring 0
   +0x0a0 UserTime : Uint4B                         // time spent running in ring 3
   +0x0a4 ReadyTime : Uint4B
   +0x0a8 VdmTrapcHandler : Ptr32 Void
   +0x0ac ProcessTimerDelay : Uint4B
```
PsActiveProcessHead
PsActiveProcessHead points to the head of the global process list.
```
dd PsActiveProcessHead    // get the address of the global list head
```
Finding the next _EPROCESS from the list head:
```
dt 82b7d0f8-b8            // head pointer minus the 0xb8 offset
```
The 0xb8 here is the offset of the link member inside the structure: the head's pointer lands on the ActiveProcessLinks field, not on the start of the next _EPROCESS, so subtracting 0xb8 gives the start of the structure and it parses correctly. (This 0xb8 offset is not fixed; it depends on the version of the operating system you are running.)
You can see that the first process structure the head points to is named System.
To keep walking the list, take the 0x86a2a6b8 address from `+0x0b8 ActiveProcessLinks : _LIST_ENTRY [ 0x86a2a6b8 - 0x836ae460 ]`, subtract the same offset, and you get the next process structure.
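The walk above, done in code as an added example (not part of the original post): it builds a constructed snapshot of kernel memory with a PsActiveProcessHead ring, then follows Flink and subtracts the ActiveProcessLinks offset, exactly what `dt <flink>-b8` does, reading UniqueProcessId and ImageFileName at the offsets from the dt output on this page. The addresses, PIDs and image names are constructed, and the offsets (0xb4, 0xb8, 0x17c) are the ones shown above for this build.

```python
import struct

# Offsets from the dt _EPROCESS output on this page (32-bit build); they change
# between Windows versions, so forensic tools look them up per build.
OFF_UNIQUE_PID = 0xB4        # UniqueProcessId : Ptr32 Void
OFF_ACTIVE_LINKS = 0xB8      # ActiveProcessLinks : _LIST_ENTRY {Flink, Blink}
OFF_IMAGE_FILE_NAME = 0x17C  # ImageFileName : [15] UChar
BASE = 0x82B7D000            # constructed: virtual address where the fake image starts

def read_u32(mem, addr):
    """Read a little-endian 32-bit pointer from the flat image at a virtual address."""
    return struct.unpack_from("<I", mem, addr - BASE)[0]

def build_snapshot():
    """Constructed sample: PsActiveProcessHead plus three _EPROCESS blocks in a ring."""
    mem = bytearray(0x4000)
    head = BASE + 0x1B0
    procs = [(BASE + 0x1000, 4, b"System"), (BASE + 0x2000, 364, b"smss.exe"),
             (BASE + 0x3000, 520, b"csrss.exe")]
    links = [head] + [p + OFF_ACTIVE_LINKS for p, _, _ in procs]  # ring of _LIST_ENTRYs
    for i, (eproc, pid, name) in enumerate(procs):
        off = eproc - BASE
        struct.pack_into("<I", mem, off + OFF_UNIQUE_PID, pid)
        struct.pack_into("<II", mem, off + OFF_ACTIVE_LINKS,
                         links[(i + 2) % len(links)], links[i])   # Flink, Blink
        mem[off + OFF_IMAGE_FILE_NAME:off + OFF_IMAGE_FILE_NAME + len(name)] = name
    struct.pack_into("<II", mem, head - BASE, links[1], links[-1])
    return mem, head

def walk_active_processes(mem, head):
    """Follow Flink from PsActiveProcessHead and subtract the link offset to get
    each _EPROCESS, which is what 'dt <flink>-b8' does in the WinDbg session."""
    seen, result = set(), []
    link = read_u32(mem, head)             # head.Flink
    while link != head:
        if link in seen:                   # damaged list: stop instead of spinning
            raise RuntimeError(f"cycle at {link:#x}")
        seen.add(link)
        eproc = link - OFF_ACTIVE_LINKS    # CONTAINING_RECORD(link, _EPROCESS, ActiveProcessLinks)
        pid = read_u32(mem, eproc + OFF_UNIQUE_PID)
        name_off = eproc - BASE + OFF_IMAGE_FILE_NAME
        raw = bytes(mem[name_off:name_off + 15])
        result.append((eproc, pid, raw.split(b"\0", 1)[0].decode("ascii", "replace")))
        link = read_u32(mem, link)         # entry.Flink
    return result

if __name__ == "__main__":
    for eproc, pid, name in walk_active_processes(*build_snapshot()):
        print(f"{eproc:#010x}  pid={pid:<5} {name}")
```

Memory-forensics tools enumerate processes this same way, but a process whose entry has been unlinked from this list will not appear, so they cross-check against other structures (thread lists, handle tables, pool scanning) rather than trusting one list.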
The _PEB structure
Process Environment Block (a ring-3 structure of the process that holds some process-related information)
A few of the more important members:
- +0x002 BeingDebugged : UChar // debugging related (set to 1 when the current process is being debugged)
- +0x00c Ldr : Ptr32 _PEB_LDR_DATA, whose members include:
  - +0x00c InLoadOrderModuleList : _LIST_ENTRY // module list in load order
  - +0x014 InMemoryOrderModuleList : _LIST_ENTRY // module list in memory order
  - +0x01c InInitializationOrderModuleList : _LIST_ENTRY // module list in initialization order
For more on the PEB members, see Chapter 3 of 《Windows内核原理与实现》 (Windows Kernel Principles and Implementation) by 潘爱民 (Pan Aimin).