Windows kernel research (processes and threads: KPCR)
Processes and threads
KPCR (CPU control region)
- When a thread enters ring 0, FS:[0] points to the KPCR (in ring 3, FS:[0] points to the TEB)
- Each CPU has its own KPCR structure (one per core)
- The KPCR stores important data the CPU itself needs: the GDT, the IDT, and some thread-related information
To view the KPCR structure in WinDbg:
```
0: kd> dt _KPCR
ntdll!_KPCR
+0x000 NtTib : _NT_TIB
+0x000 Used_ExceptionList : Ptr32 _EXCEPTION_REGISTRATION_RECORD
+0x004 Used_StackBase : Ptr32 Void
+0x008 MxCsr : Uint4B
+0x00c TssCopy : Ptr32 Void
+0x010 ContextSwitches : Uint4B
+0x014 SetMemberCopy : Uint4B
+0x018 Used_Self : Ptr32 Void
+0x01c SelfPcr : Ptr32 _KPCR // points to the current KPCR structure
+0x020 Prcb : Ptr32 _KPRCB // pointer to the _KPRCB structure
+0x024 Irql : UChar
+0x028 IRR : Uint4B
+0x02c IrrActive : Uint4B
+0x030 IDR : Uint4B
+0x034 KdVersionBlock : Ptr32 Void
+0x038 IDT : Ptr32 _KIDTENTRY // base address of the IDT
+0x03c GDT : Ptr32 _KGDTENTRY // base address of the GDT
+0x040 TSS : Ptr32 _KTSS // base address of the TSS
+0x044 MajorVersion : Uint2B
+0x046 MinorVersion : Uint2B
+0x048 SetMember : Uint4B
+0x04c StallScaleFactor : Uint4B
+0x050 SpareUnused : UChar
+0x051 Number : UChar // CPU number
+0x052 Spare0 : UChar
+0x053 SecondLevelCacheAssociativity : UChar
+0x054 VdmAlert : Uint4B
+0x058 KernelReserved : [14] Uint4B
+0x090 SecondLevelCacheSize : Uint4B
+0x094 HalReserved : [16] Uint4B
+0x0d4 InterruptMode : Uint4B
+0x0d8 Spare1 : UChar
+0x0dc KernelReserved2 : [17] Uint4B
+0x120 PrcbData : _KPRCB // extended (embedded) structure
```
Look at its first member, the _NT_TIB structure (important):
```
0: kd> dt _NT_TIB
ntdll!_NT_TIB
+0x000 ExceptionList : Ptr32 _EXCEPTION_REGISTRATION_RECORD // exception list
+0x004 StackBase : Ptr32 Void // stack base
+0x008 StackLimit : Ptr32 Void // stack limit
+0x00c SubSystemTib : Ptr32 Void
+0x010 FiberData : Ptr32 Void
+0x010 Version : Uint4B
+0x014 ArbitraryUserPointer : Ptr32 Void
+0x018 Self : Ptr32 _NT_TIB // pointer to itself (the NT_TIB)
```
Some of the more important members of _KPRCB:
```
0: kd> dt _KPRCB
ntdll!_KPRCB
+0x000 MinorVersion : Uint2B
+0x002 MajorVersion : Uint2B
+0x004 CurrentThread : Ptr32 _KTHREAD // thread currently running on this CPU
+0x008 NextThread : Ptr32 _KTHREAD // the thread the CPU will switch to next
+0x00c IdleThread : Ptr32 _KTHREAD // the idle thread, run when there is nothing to switch to
+0x010 LegacyNumber : UChar
+0x011 NestingLevel : UChar
+0x012 BuildType : Uint2B
+0x014 CpuType : Char
+0x015 CpuID : Char
+0x016 CpuStep : Uint2B
+0x016 CpuStepping : UChar
+0x017 CpuModel : UChar
+0x018 ProcessorState : _KPROCESSOR_STATE
+0x338 ParentNode : Ptr32 _KNODE
+0x33c PriorityState : Ptr32 Char
+0x340 KernelReserved : [14] Uint4B
+0x378 HalReserved : [16] Uint4B
+0x3b8 CFlushSize : Uint4B
+0x3bc CoresPerPhysicalProcessor : UChar
+0x3bd LogicalProcessorsPerCore : UChar
+0x3be CpuVendor : UChar
+0x3bf PrcbPad0 : [1] UChar
+0x3c0 MHz : Uint4B
+0x3c4 GroupIndex : UChar
+0x3c5 Group : UChar
+0x3c6 PrcbPad05 : [2] UChar
+0x3c8 GroupSetMember : Uint4B
+0x3cc Number : Uint4B
+0x3d0 ClockOwner : UChar
+0x3d1 PendingTickFlags : UChar
+0x3d1 PendingTick : Pos 0, 1 Bit
+0x3d1 PendingBackupTick : Pos 1, 1 Bit
+0x3d2 PrcbPad10 : [70] UChar
+0x418 LockQueue : [17] _KSPIN_LOCK_QUEUE
+0x4a0 InterruptCount : Uint4B
+0x4a4 KernelTime : Uint4B
+0x4a8 UserTime : Uint4B
+0x4ac DpcTime : Uint4B
+0x4b0 DpcTimeCount : Uint4B
+0x4b4 InterruptTime : Uint4B
+0x4b8 AdjustDpcThreshold : Uint4B
+0x4bc PageColor : Uint4B
+0x4c0 DebuggerSavedIRQL : UChar
+0x4c1 NodeColor : UChar
+0x4c2 DeepSleep : UChar
+0x4c3 TbFlushListActive : UChar
+0x4c4 CachedStack : Ptr32 Void
+0x4c8 NodeShiftedColor : Uint4B
+0x4cc SecondaryColorMask : Uint4B
+0x4d0 DpcTimeLimit : Uint4B
+0x4d4 MmInternal : Ptr32 Void
+0x4d8 PrcbFlags : _KPRCBFLAG
+0x4dc SchedulerAssist : Ptr32 Void
+0x4e0 CcFastReadNoWait : Uint4B
+0x4e4 CcFastReadWait : Uint4B
+0x4e8 CcFastReadNotPossible : Uint4B
+0x4ec CcCopyReadNoWait : Uint4B
+0x4f0 CcCopyReadWait : Uint4B
+0x4f4 CcCopyReadNoWaitMiss : Uint4B
+0x4f8 MmSpinLockOrdering : Int4B
+0x4fc IoReadOperationCount : Int4B
+0x500 IoWriteOperationCount : Int4B
+0x504 IoOtherOperationCount : Int4B
+0x508 IoReadTransferCount : _LARGE_INTEGER
+0x510 IoWriteTransferCount : _LARGE_INTEGER
+0x518 IoOtherTransferCount : _LARGE_INTEGER
+0x520 CcFastMdlReadNoWait : Uint4B
+0x524 CcFastMdlReadWait : Uint4B
+0x528 CcFastMdlReadNotPossible : Uint4B
+0x52c CcMapDataNoWait : Uint4B
+0x530 CcMapDataWait : Uint4B
+0x534 CcPinMappedDataCount : Uint4B
+0x538 CcPinReadNoWait : Uint4B
+0x53c CcPinReadWait : Uint4B
+0x540 CcMdlReadNoWait : Uint4B
+0x544 CcMdlReadWait : Uint4B
+0x548 CcLazyWriteHotSpots : Uint4B
+0x54c CcLazyWriteIos : Uint4B
+0x550 CcLazyWritePages : Uint4B
+0x554 CcDataFlushes : Uint4B
+0x558 CcDataPages : Uint4B
+0x55c CcLostDelayedWrites : Uint4B
+0x560 CcFastReadResourceMiss : Uint4B
+0x564 CcCopyReadWaitMiss : Uint4B
+0x568 CcFastMdlReadResourceMiss : Uint4B
+0x56c CcMapDataNoWaitMiss : Uint4B
+0x570 CcMapDataWaitMiss : Uint4B
+0x574 CcPinReadNoWaitMiss : Uint4B
+0x578 CcPinReadWaitMiss : Uint4B
+0x57c CcMdlReadNoWaitMiss : Uint4B
+0x580 CcMdlReadWaitMiss : Uint4B
+0x584 CcReadAheadIos : Uint4B
+0x588 KeAlignmentFixupCount : Uint4B
+0x58c KeExceptionDispatchCount : Uint4B
+0x590 KeSystemCalls : Uint4B
+0x594 AvailableTime : Uint4B
+0x598 PrcbPad22 : [2] Uint4B
+0x5a0 PPLookasideList : [16] _PP_LOOKASIDE_LIST
+0x620 PPNxPagedLookasideList : [32] _GENERAL_LOOKASIDE_POOL
+0xf20 PPNPagedLookasideList : [32] _GENERAL_LOOKASIDE_POOL
+0x1820 PPPagedLookasideList : [32] _GENERAL_LOOKASIDE_POOL
+0x2120 PacketBarrier : Int4B
+0x2124 ReverseStall : Int4B
+0x2128 IpiFrame : Ptr32 Void
+0x212c PrcbPad3 : [52] UChar
+0x2160 CurrentPacket : [3] Ptr32 Void
+0x216c TargetSet : Uint4B
+0x2170 WorkerRoutine : Ptr32 void
+0x2174 IpiFrozen : Uint4B
+0x2178 PrcbPad4 : [40] UChar
+0x21a0 RequestSummary : Uint4B
+0x21a4 TargetCount : Int4B
+0x21a8 LastNonHrTimerExpiration : Uint8B
+0x21b0 TrappedSecurityDomain : Uint8B
+0x21b8 BpbState : UChar
+0x21b8 BpbCpuIdle : Pos 0, 1 Bit
+0x21b8 BpbFlushRsbOnTrap : Pos 1, 1 Bit
+0x21b8 BpbIbpbOnReturn : Pos 2, 1 Bit
+0x21b8 BpbIbpbOnTrap : Pos 3, 1 Bit
+0x21b8 BpbReserved : Pos 4, 4 Bits
+0x21b9 BpbFeatures : UChar
+0x21b9 BpbClearOnIdle : Pos 0, 1 Bit
+0x21b9 BpbEnabled : Pos 1, 1 Bit
+0x21b9 BpbSmep : Pos 2, 1 Bit
+0x21b9 BpbFeaturesReserved : Pos 3, 5 Bits
+0x21ba BpbCurrentSpecCtrl : UChar
+0x21bb BpbKernelSpecCtrl : UChar
+0x21bc BpbNmiSpecCtrl : UChar
+0x21bd BpbUserSpecCtrl : UChar
+0x21be PrcbPad49 : [2] UChar
+0x21c0 ProcessorSignature : Uint4B
+0x21c4 ProcessorFlags : Uint4B
+0x21c8 PrcbPad50 : [8] UChar
+0x21d0 InterruptLastCount : Uint4B
+0x21d4 InterruptRate : Uint4B
+0x21d8 DeviceInterrupts : Uint4B
+0x21dc IsrDpcStats : Ptr32 Void
+0x21e0 DpcData : [2] _KDPC_DATA
+0x2210 DpcStack : Ptr32 Void
+0x2214 MaximumDpcQueueDepth : Int4B
+0x2218 DpcRequestRate : Uint4B
+0x221c MinimumDpcRate : Uint4B
+0x2220 DpcLastCount : Uint4B
+0x2224 PrcbLock : Uint4B
+0x2228 DpcGate : _KGATE
+0x2238 IdleState : UChar
+0x2239 QuantumEnd : UChar
+0x223a DpcRoutineActive : UChar
+0x223b IdleSchedule : UChar
+0x223c DpcRequestSummary : Int4B
+0x223c DpcRequestSlot : [2] Int2B
+0x223c NormalDpcState : Int2B
+0x223e ThreadDpcState : Int2B
+0x223c DpcNormalProcessingActive : Pos 0, 1 Bit
+0x223c DpcNormalProcessingRequested : Pos 1, 1 Bit
+0x223c DpcNormalThreadSignal : Pos 2, 1 Bit
+0x223c DpcNormalTimerExpiration : Pos 3, 1 Bit
+0x223c DpcNormalDpcPresent : Pos 4, 1 Bit
+0x223c DpcNormalLocalInterrupt : Pos 5, 1 Bit
+0x223c DpcNormalSpare : Pos 6, 10 Bits
+0x223c DpcThreadActive : Pos 16, 1 Bit
+0x223c DpcThreadRequested : Pos 17, 1 Bit
+0x223c DpcThreadSpare : Pos 18, 14 Bits
+0x2240 LastTimerHand : Uint4B
+0x2244 LastTick : Uint4B
+0x2248 PeriodicCount : Uint4B
+0x224c PeriodicBias : Uint4B
+0x2250 ClockInterrupts : Uint4B
+0x2254 ReadyScanTick : Uint4B
+0x2258 GroupSchedulingOverQuota : UChar
+0x2259 ThreadDpcEnable : UChar
+0x225a PrcbPad41 : [2] UChar
+0x2260 TimerTable : _KTIMER_TABLE
+0x3aa0 CallDpc : _KDPC
+0x3ac0 ClockKeepAlive : Int4B
+0x3ac4 PrcbPad6 : [4] UChar
+0x3ac8 DpcWatchdogPeriod : Int4B
+0x3acc DpcWatchdogCount : Int4B
+0x3ad0 KeSpinLockOrdering : Int4B
+0x3ad4 DpcWatchdogProfileCumulativeDpcThreshold : Uint4B
+0x3ad8 QueueIndex : Uint4B
+0x3adc DeferredReadyListHead : _SINGLE_LIST_ENTRY
+0x3ae0 ReadySummary : Uint4B
+0x3ae4 AffinitizedSelectionMask : Int4B
+0x3ae8 WaitLock : Uint4B
+0x3aec WaitListHead : _LIST_ENTRY
+0x3af4 ScbOffset : Uint4B
+0x3af8 ReadyThreadCount : Uint4B
+0x3b00 StartCycles : Uint8B
+0x3b08 TaggedCyclesStart : Uint8B
+0x3b10 TaggedCycles : [2] Uint8B
+0x3b20 GenerationTarget : Uint8B
+0x3b28 CycleTime : Uint8B
+0x3b30 AffinitizedCycles : Uint8B
+0x3b38 ImportantCycles : Uint8B
+0x3b40 UnimportantCycles : Uint8B
+0x3b48 ReadyQueueExpectedRunTime : Uint8B
+0x3b50 HighCycleTime : Uint4B
+0x3b58 Cycles : [4] [2] Uint8B
+0x3b98 PrcbPad71 : [2] Uint4B
+0x3ba0 DispatcherReadyListHead : [32] _LIST_ENTRY
+0x3ca0 ChainedInterruptList : Ptr32 Void
+0x3ca4 LookasideIrpFloat : Int4B
+0x3ca8 ScbQueue : _RTL_RB_TREE
+0x3cb0 ScbList : _LIST_ENTRY
+0x3cb8 MmPageFaultCount : Int4B
+0x3cbc MmCopyOnWriteCount : Int4B
+0x3cc0 MmTransitionCount : Int4B
+0x3cc4 MmCacheTransitionCount : Int4B
+0x3cc8 MmDemandZeroCount : Int4B
+0x3ccc MmPageReadCount : Int4B
+0x3cd0 MmPageReadIoCount : Int4B
+0x3cd4 MmCacheReadCount : Int4B
+0x3cd8 MmCacheIoCount : Int4B
+0x3cdc MmDirtyPagesWriteCount : Int4B
+0x3ce0 MmDirtyWriteIoCount : Int4B
+0x3ce4 MmMappedPagesWriteCount : Int4B
+0x3ce8 MmMappedWriteIoCount : Int4B
+0x3cec CachedCommit : Uint4B
+0x3cf0 CachedResidentAvailable : Uint4B
+0x3cf4 HyperPte : Ptr32 Void
+0x3cf8 PrcbPad8 : [4] UChar
+0x3cfc VendorString : [13] UChar
+0x3d09 InitialApicId : UChar
+0x3d0a LogicalProcessorsPerPhysicalProcessor : UChar
+0x3d0b PrcbPad9 : [1] UChar
+0x3d10 FeatureBits : Uint8B
+0x3d18 UpdateSignature : _LARGE_INTEGER
+0x3d20 IsrTime : Uint8B
+0x3d28 PrcbPad90 : [2] Uint4B
+0x3d30 PowerState : _PROCESSOR_POWER_STATE
+0x3ed8 ForceIdleDpc : _KDPC
+0x3ef8 PrcbPad91 : [14] Uint4B
+0x3f30 DpcWatchdogProfileSingleDpcThreshold : Uint4B
+0x3f34 DpcWatchdogDpc : _KDPC
+0x3f58 DpcWatchdogTimer : _KTIMER
+0x3f80 HypercallPageList : _SLIST_HEADER
+0x3f88 HypercallCachedPages : Ptr32 Void
+0x3f8c VirtualApicAssist : Ptr32 Void
+0x3f90 StatisticsPage : Ptr32 Uint8B
+0x3f94 Cache : [5] _CACHE_DESCRIPTOR
+0x3fd0 CacheCount : Uint4B
+0x3fd4 PackageProcessorSet : _KAFFINITY_EX
+0x3fe0 SharedReadyQueueMask : Uint4B
+0x3fe4 SharedReadyQueue : Ptr32 _KSHARED_READY_QUEUE
+0x3fe8 SharedQueueScanOwner : Uint4B
+0x3fec CoreProcessorSet : Uint4B
+0x3ff0 ScanSiblingMask : Uint4B
+0x3ff4 LLCMask : Uint4B
+0x3ff8 CacheProcessorMask : [5] Uint4B
+0x400c ScanSiblingIndex : Uint4B
+0x4010 WheaInfo : Ptr32 Void
+0x4014 EtwSupport : Ptr32 Void
+0x4018 InterruptObjectPool : _SLIST_HEADER
+0x4020 DpcWatchdogProfile : Ptr32 Ptr32 Void
+0x4024 DpcWatchdogProfileCurrentEmptyCapture : Ptr32 Ptr32 Void
+0x4028 PackageId : Uint4B
+0x402c PteBitCache : Uint4B
+0x4030 PteBitOffset : Uint4B
+0x4034 PrcbPad93 : Uint4B
+0x4038 ProcessorProfileControlArea : Ptr32 _PROCESSOR_PROFILE_CONTROL_AREA
+0x403c ProfileEventIndexAddress : Ptr32 Void
+0x4040 TimerExpirationDpc : _KDPC
+0x4060 SynchCounters : _SYNCH_COUNTERS
+0x4118 FsCounters : _FILESYSTEM_DISK_COUNTERS
+0x4128 Context : Ptr32 _CONTEXT
+0x412c ContextFlagsInit : Uint4B
+0x4130 ExtendedState : Ptr32 _XSAVE_AREA
+0x4134 EntropyTimingState : _KENTROPY_TIMING_STATE
+0x425c IsrStack : Ptr32 Void
+0x4260 VectorToInterruptObject : [208] Ptr32 _KINTERRUPT
+0x45a0 AbSelfIoBoostsList : _SINGLE_LIST_ENTRY
+0x45a4 AbPropagateBoostsList : _SINGLE_LIST_ENTRY
+0x45a8 AbDpc : _KDPC
+0x45c8 IoIrpStackProfilerCurrent : _IOP_IRP_STACK_PROFILER
+0x461c IoIrpStackProfilerPrevious : _IOP_IRP_STACK_PROFILER
+0x4670 TimerExpirationTrace : [16] _KTIMER_EXPIRATION_TRACE
+0x4770 TimerExpirationTraceCount : Uint4B
+0x4774 ExSaPageArray : Ptr32 Void
+0x4778 ExtendedSupervisorState : Ptr32 _XSAVE_AREA_HEADER
+0x477c PrcbPad100 : [9] Uint4B
+0x47a0 LocalSharedReadyQueue : _KSHARED_READY_QUEUE
+0x48e0 Mailbox : Ptr32 _REQUEST_MAILBOX
+0x48e4 PrcbPad : [1532] UChar
+0x4ee0 KernelDirectoryTableBase : Uint4B
+0x4ee4 EspBaseShadow : Uint4B
+0x4ee8 UserEspShadow : Uint4B
+0x4eec ShadowFlags : Uint4B
+0x4ef0 UserDS : Uint4B
+0x4ef4 UserES : Uint4B
+0x4ef8 UserFS : Uint4B
+0x4efc EspIretd : Ptr32 Void
+0x4f00 RestoreSegOption : Uint4B
+0x4f04 SavedEsi : Uint4B
+0x4f08 VerwSelector : Uint2B
+0x4f0a PrcbShadowPad : Uint2B
+0x4f0c TaskSwitchCount : Uint4B
+0x4f10 DbgLogs : [512] Uint4B
+0x5710 DbgCount : Uint4B
+0x5714 PrcbPadRemainingPage : [499] Uint4B
+0x5ee0 RequestMailbox : [1] _REQUEST_MAILBOX
```
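As an added example (not code from the original post), the following Python parses the WinDbg `dt` dumps shown above for _KPCR and _KPRCB into offset tables and then uses them the way a memory-forensics scanner validates a KPCR: it derives KPCR.PrcbData.CurrentThread = 0x124 by pure offset arithmetic, refuses to add offsets across the Prcb pointer (that needs a memory read), and checks that SelfPcr points at the KPCR itself and Prcb at the embedded PrcbData. The dump excerpts, the KPCR image and the thread address 0x8A1B2C00 are constructed; the fact that Prcb points at the embedded PrcbData on x86 is assumed from general knowledge rather than stated on the page.

```python
import re
import struct
from typing import Dict, List, Tuple
# Constructed excerpts of the WinDbg "dt" dumps on this page (x86 offsets). The KPCR
# excerpt is deliberately left flattened, with a comment, exactly as the page shows it.
DT_KPCR = ("ntdll!_KPCR+0x000 NtTib : _NT_TIB+0x01c SelfPcr : Ptr32 _KPCR // self pointer"
           "+0x020 Prcb : Ptr32 _KPRCB+0x03c GDT : Ptr32 _KGDTENTRY+0x051 Number : UChar"
           "+0x120 PrcbData : _KPRCB")
DT_KPRCB = "+0x004 CurrentThread : Ptr32 _KTHREAD\n+0x008 NextThread : Ptr32 _KTHREAD"
FIELD_RE = re.compile(r"\+0x([0-9a-fA-F]+)\s+(\w+)\s*:\s*(.*?)\s*(?=\+0x|$)", re.M)

def parse_dt(text: str) -> Dict[str, Tuple[int, str]]:
    """name -> (offset, type) for one-field-per-line or flattened dumps; // comments dropped."""
    text = re.sub(r"//.*?(?=\+0x|$)", "", text, flags=re.M)
    return {n: (int(o, 16), t) for o, n, t in FIELD_RE.findall(text)}

KPCR, KPRCB = parse_dt(DT_KPCR), parse_dt(DT_KPRCB)

def embedded_offset(path: List[Tuple[Dict[str, Tuple[int, str]], str]]) -> int:
    """Sum offsets along embedded fields (KPCR.PrcbData.CurrentThread -> 0x124).
    A pointer may only be the last step: crossing one needs a memory read."""
    total = 0
    for i, (layout, name) in enumerate(path):
        off, typ = layout[name]
        if typ.startswith("Ptr32") and i != len(path) - 1:
            raise ValueError(f"{name} is a pointer, not an embedded struct")
        total += off
    return total

def u32(image: bytes, off: int) -> int:
    return struct.unpack_from("<I", image, off)[0]

def check_kpcr(image: bytes, base: int) -> List[str]:
    """Checks a memory-forensics scanner applies to a candidate KPCR at `base`:
    SelfPcr must point at itself and Prcb at the embedded PrcbData. Returns failures."""
    want = {"SelfPcr": base, "Prcb": base + KPCR["PrcbData"][0]}
    return [n for n, v in want.items() if u32(image, KPCR[n][0]) != v]

def current_thread(image: bytes, base: int) -> int:
    """Walk KPCR.Prcb (a pointer read from the image) to KPRCB.CurrentThread."""
    prcb = u32(image, KPCR["Prcb"][0]) - base
    return u32(image, prcb + KPRCB["CurrentThread"][0])

# Constructed image of one KPCR; 0xFFDFF000 is the classic single-CPU x86 KPCR address.
KPCR_BASE = 0xFFDFF000
IMAGE = bytearray(0x130)
struct.pack_into("<I", IMAGE, KPCR["SelfPcr"][0], KPCR_BASE)
struct.pack_into("<I", IMAGE, KPCR["Prcb"][0], KPCR_BASE + 0x120)
struct.pack_into("<I", IMAGE, 0x124, 0x8A1B2C00)  # fake _KTHREAD address as CurrentThread
```

A KPCR whose SelfPcr or Prcb fails these checks is either not a KPCR or has been tampered with, which is why scanners apply them before trusting CurrentThread.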
References and suggestions for kernel study:
Because the Windows operating system is not open source, many kernel members have to be reverse engineered by ourselves when studying Windows kernel code. Some related open-source material exists online (ReactOS, WRK), but it differs greatly from the Windows versions in use today and can only serve as a reference.
- ReactOS is an open-source, free clone of the Windows NT family that keeps system-level compatibility with Windows (an operating system written by a group of people by reverse engineering Windows)
- The WRK is the portion of Windows kernel source code that Microsoft released for education and academia
github-ReactOS
github-WRK
Related books: 《内核情景分析》 (written against ReactOS) and 《Windows内核原理与实现》 (written against the WRK).