Windows 2000内核KPEB/KTEB详细结构
WebCrazy(http://webcrazy.yeah.net/)
EPROCESS与ETHREAD结构在Windows NT/2000内核的地位是不言而喻的。它们结构中的成员包含了内核的方方面面,是两个比较大的结构。在Windows 2000 Server Build 2195 Free Kernel中它们的大小分别达到648与584字节。在先前我提供的部分应用中都大量引用了这两个结构,具体可以参考“网站导航”。应部分网友的要求,这儿我将它们的详细结构列于底下。
结构来源:
Microsoft Windbg的extension kdex2x86.dll
这个Kernel Debugger Extensions包含的结构不仅仅有EPROCESS/ETHREAD,还有EJOB等很多内部数据结构。所列的格式并非C语言格式,只是提供了结构成员的偏移量、成员名及成员类型。详细资料请参阅Microsoft提供的Windows NT/2000 OEM Support Tools Documentation。
关于Windbg的使用请翻阅Microsoft相关文档。
> !listexts
Default extension: D:\Program Files\Debuggers\bin\w2kfre\kdex2x86
kdex2x86 loaded D:\Program Files\Debuggers\bin\w2kfre\kdex2x86
> !kdex2x86.version
Free Extension dll for build 2195 debugging Free kernel for build 2195
> !kdex2x86.strct EPROCESS
struct _EPROCESS (sizeof=648)
+000 struct _KPROCESS Pcb
+000 struct _DISPATCHER_HEADER Header
+000 byte Type
+001 byte Absolute
+002 byte Size
+003 byte Inserted
+004 int32 SignalState
+008 struct _LIST_ENTRY WaitListHead
+008 struct _LIST_ENTRY *Flink
+00c struct _LIST_ENTRY *Blink
+010 struct _LIST_ENTRY ProfileListHead
+010 struct _LIST_ENTRY *Flink
+014 struct _LIST_ENTRY *Blink
+018 uint32 DirectoryTableBase[2]
+020 struct _KGDTENTRY LdtDescriptor
+020 uint16 LimitLow
+022 uint16 BaseLow
+024 union __unnamed9 HighWord
+024 struct __unnamed10 Bytes
+024 byte BaseMid
+025 byte Flags1
+026 byte Flags2
+027 byte BaseHi
+024 struct __unnamed11 Bits
+024 bits0-7 BaseMid
+024 bits8-12 Type
+024 bits13-14 Dpl
+024 bits15-15 Pres
+024 bits16-19 LimitHi
+024 bits20-20 Sys
+024 bits21-21 Reserved_0
+024 bits22-22 Default_Big
+024 bits23-23 Granularity
+024 bits24-31 BaseHi
+028 struct _KIDTENTRY Int21Descriptor
+028 uint16 Offset
+02a uint16 Selector
+02c uint16 Access
+02e uint16 ExtendedOffset
+030 uint16 IopmOffset
+032 byte Iopl
+033 byte VdmFlag
+034 uint32 ActiveProcessors
+038 uint32 KernelTime
+03c uint32 UserTime
+040 struct _LIST_ENTRY ReadyListHead
+040 struct _LIST_ENTRY *Flink
+044 struct _LIST_ENTRY *Blink
+048 struct _LIST_ENTRY SwapListEntry
+048 struct _LIST_ENTRY *Flink
+04c struct _LIST_ENTRY *Blink
+050 struct _LIST_ENTRY ThreadListHead
+050 struct _LIST_ENTRY *Flink
+054 struct _LIST_ENTRY *Blink
+058 uint32 ProcessLock
+05c uint32 Affinity
+060 uint16 StackCount
+062 char BasePriority
+063 char ThreadQuantum
+064 byte AutoAlignment
+065 byte State
+066 byte ThreadSeed
+067 byte DisableBoost
+068 byte PowerState
+069 byte DisableQuantum
+06a byte Spare[2]
+06c int32 ExitStatus
+070 struct _KEVENT LockEvent
+070 struct _DISPATCHER_HEADER Header
+070 byte Type
+071 byte Absolute
+072 byte Size
+073 byte Inserted
+074 int32 SignalState
+078 struct _LIST_ENTRY WaitListHead
+078 struct _LIST_ENTRY *Flink
+07c struct _LIST_ENTRY *Blink
+080 uint32 LockCount
+088 union _LARGE_INTEGER CreateTime
+088 uint32 LowPart
+08c int32 HighPart
+088 struct __unnamed3 u
+088 uint32 LowPart
+08c int32 HighPart
+088 int64 QuadPart
+090 union _LARGE_INTEGER ExitTime
+090 uint32 LowPart
+094 int32 HighPart
+090 struct __unnamed3 u
+090 uint32 LowPart
+094 int32 HighPart
+090 int64 QuadPart
+098 struct _KTHREAD *LockOwner
+09c void *UniqueProcessId
+0a0 struct _LIST_ENTRY ActiveProcessLinks
+0a0 struct _LIST_ENTRY *Flink
+0a4 struct _LIST_ENTRY *Blink
+0a8 uint32 QuotaPeakPoolUsage[2]
+0b0 uint32 QuotaPoolUsage[2]
+0b8 uint32 PagefileUsage
+0bc uint32 CommitCharge
+0c0 uint32 PeakPagefileUsage
+0c4 uint32 PeakVirtualSize
+0c8 uint32 VirtualSize
+0d0 struct _MMSUPPORT Vm
+0d0 union _LARGE_INTEGER LastTrimTime
+0d0 uint32 LowPart
+0d4 int32 HighPart
+0d0 struct __unnamed3 u
+0d0 uint32 LowPart
+0d4 int32 HighPart
+0d0 int64 QuadPart
+0d8 uint32 LastTrimFaultCount
+0dc uint32 PageFaultCount
+0e0 uint32 PeakWorkingSetSize
+0e4 uint32 WorkingSetSize
+0e8 uint32 MinimumWorkingSetSize
+0ec uint32 MaximumWorkingSetSize
+0f0 *VmWorkingSetList
+0f4 struct _LIST_ENTRY WorkingSetExpansionLinks
+0f4 struct _LIST_ENTRY *Flink
+0f8 struct _LIST_ENTRY *Blink
+0fc byte AllowWorkingSetAdjustment
+0fd byte AddressSpaceBeingDeleted
+0fe byte ForegroundSwitchCount
+0ff byte MemoryPriority
+100 union __unnamed13 u
+100 uint32 LongFlags
+100 struct _MMSUPPORT_FLAGS Flags
+100 bits0-0 SessionSpace
+100 bits1-1 BeingTrimmed
+100 bits2-2 ProcessInSession
+100 bits3-3 SessionLeader
+100 bits4-4 TrimHard
+100 bits5-5 WorkingSetHard
+100 bits6-6 WriteWatch
+100 bits7-31 Filler
+104 uint32 Claim
+108 uint32 NextEstimationSlot
+10c uint32 NextAgingSlot
+110 uint32 EstimatedAvailable
+114 uint32 GrowthSinceLastEstimate
+118 struct _LIST_ENTRY SessionProcessLinks
+118 struct _LIST_ENTRY *Flink
+11c struct _LIST_ENTRY *Blink
+120 void *DebugPort
+124 void *ExceptionPort
+128 struct _HANDLE_TABLE *ObjectTable
+12c void *Token
+130 struct _FAST_MUTEX WorkingSetLock
+130 int32 Count
+134 struct _KTHREAD *Owner
+138 uint32 Contention
+13c struct _KEVENT Event
+13c struct _DISPATCHER_HEADER Header
+13c byte Type
+13d byte Absolute
+13e byte Size
+13f byte Inserted
+140 int32 SignalState
+144 struct _LIST_ENTRY WaitListHead
+144 struct _LIST_ENTRY *Flink
+148 struct _LIST_ENTRY *Blink
+14c uint32 OldIrql
+150 uint32 WorkingSetPage
+154 byte ProcessOutswapEnabled
+155 byte ProcessOutswapped
+156 byte AddressSpaceInitialized
+157 byte AddressSpaceDeleted
+158 struct _FAST_MUTEX AddressCreationLock
+158 int32 Count
+15c struct _KTHREAD *Owner
+160 uint32 Contention
+164 struct _KEVENT Event
+164 struct _DISPATCHER_HEADER Header
+164 byte Type
+165 byte Absolute
+166 byte Size
+167 byte Inserted
+168 int32 SignalState
+16c struct _LIST_ENTRY WaitListHead
+16c struct _LIST_ENTRY *Flink
+170 struct _LIST_ENTRY *Blink
+174 uint32 OldIrql
+178 uint32 HyperSpaceLock
+17c struct _ETHREAD *ForkInProgress
+180 uint16 VmOperation
+182 byte ForkWasSuccessful
+183 byte MmAgressiveWsTrimMask
+184 struct _KEVENT *VmOperationEvent
+188 void *PaeTop
+18c uint32 LastFaultCount
+190 uint32 ModifiedPageCount
+194 void *VadRoot
+198 void *VadHint
+19c void *CloneRoot
+1a0 uint32 NumberOfPrivatePages
+1a4 uint32 NumberOfLockedPages
+1a8 uint16 NextPageColor
+1aa byte ExitProcessCalled
+1ab byte CreateProcessReported
+1ac void *SectionHandle
+1b0 struct _PEB *Peb
+1b4 void *SectionBaseAddress
+1b8 struct _EPROCESS_QUOTA_BLOCK *QuotaBlock
+1bc int32 LastThreadExitStatus
+1c0 struct _PAGEFAULT_HISTORY *WorkingSetWatch
+1c4 void *Win32WindowStation
+1c8 void *InheritedFromUniqueProcessId
+1cc uint32 GrantedAccess
+1d0 uint32 DefaultHardErrorProcessing
+1d4 void *LdtInformation
+1d8 void *VadFreeHint
+1dc void *VdmObjects
+1e0 void *DeviceMap
+1e4 uint32 SessionId
+1e8 struct _LIST_ENTRY PhysicalVadList
+1e8 struct _LIST_ENTRY *Flink
+1ec struct _LIST_ENTRY *Blink
+1f0 struct _HARDWARE_PTE_X86 PageDirectoryPte
+1f0 bits0-0 Valid
+1f0 bits1-1 Write
+1f0 bits2-2 Owner
+1f0 bits3-3 WriteThrough
+1f0 bits4-4 CacheDisable
+1f0 bits5-5 Accessed
+1f0 bits6-6 Dirty
+1f0 bits7-7 LargePage
+1f0 bits8-8 Global
+1f0 bits9-9 CopyOnWrite
+1f0 bits10-10 Prototype
+1f0 bits11-11 reserved
+1f0 bits12-31 PageFrameNumber
+1f0 uint64 Filler
+1f8 uint32 PaePageDirectoryPage
+1fc byte ImageFileName[16]
+20c uint32 VmTrimFaultValue
+210 byte SetTimerResolution
+211 byte PriorityClass
+212 byte SubSystemMinorVersion
+213 byte SubSystemMajorVersion
+212 uint16 SubSystemVersion
+214 void *Win32Process
+218 struct _EJOB *Job
+21c uint32 JobStatus
+220 struct _LIST_ENTRY JobLinks
+220 struct _LIST_ENTRY *Flink
+224 struct _LIST_ENTRY *Blink
+228 void *LockedPagesList
+22c void *SecurityPort
+230 struct _WOW64_PROCESS *Wow64Process
+238 union _LARGE_INTEGER ReadOperationCount
+238 uint32 LowPart
+23c int32 HighPart
+238 struct __unnamed3 u
+238 uint32 LowPart
+23c int32 HighPart
+238 int64 QuadPart
+240 union _LARGE_INTEGER WriteOperationCount
+240 uint32 LowPart
+244 int32 HighPart
+240 struct __unnamed3 u
+240 uint32 LowPart
+244 int32 HighPart
+240 int64 QuadPart
+248 union _LARGE_INTEGER OtherOperationCount
+248 uint32 LowPart
+24c int32 HighPart
+248 struct __unnamed3 u
+248 uint32 LowPart
+24c int32 HighPart
+248 int64 QuadPart
+250 union _LARGE_INTEGER ReadTransferCount
+250 uint32 LowPart
+254 int32 HighPart
+250 struct __unnamed3 u
+250 uint32 LowPart
+254 int32 HighPart
+250 int64 QuadPart
+258 union _LARGE_INTEGER WriteTransferCount
+258 uint32 LowPart
+25c int32 HighPart
+258 struct __unnamed3 u
+258 uint32 LowPart
+25c int32 HighPart
+258 int64 QuadPart
+260 union _LARGE_INTEGER OtherTransferCount
+260 uint32 LowPart
+264 int32 HighPart
+260 struct __unnamed3 u
+260 uint32 LowPart
+264 int32 HighPart
+260 int64 QuadPart
+268 uint32 CommitChargeLimit
+26c uint32 CommitChargePeak
+270 struct _LIST_ENTRY ThreadListHead
+270 struct _LIST_ENTRY *Flink
+274 struct _LIST_ENTRY *Blink
+278 struct _RTL_BITMAP *VadPhysicalPagesBitMap
+27c uint32 VadPhysicalPages
+280 uint32 AweLock
> !kdex2x86.strct ETHREAD
struct _ETHREAD (sizeof=584)
+000 struct _KTHREAD Tcb
+000 struct _DISPATCHER_HEADER Header
+000 byte Type
+001 byte Absolute
+002 byte Size
+003 byte Inserted
+004 int32 SignalState
+008 struct _LIST_ENTRY WaitListHead
+008 struct _LIST_ENTRY *Flink
+00c struct _LIST_ENTRY *Blink
+010 struct _LIST_ENTRY MutantListHead
+010 struct _LIST_ENTRY *Flink
+014 struct _LIST_ENTRY *Blink
+018 void *InitialStack
+01c void *StackLimit
+020 void *Teb
+024 void *TlsArray
+028 void *KernelStack
+02c byte DebugActive
+02d byte State
+02e byte Alerted[2]
+030 byte Iopl
+031 byte NpxState
+032 char Saturation
+033 char Priority
+034 struct _KAPC_STATE ApcState
+034 struct _LIST_ENTRY ApcListHead[2]
struct _LIST_ENTRY *Flink
struct _LIST_ENTRY *Blink
+044 struct _KPROCESS *Process
+048 byte KernelApcInProgress
+049 byte KernelApcPending
+04a byte UserApcPending
+04c uint32 ContextSwitches
+050 int32 WaitStatus
+054 byte WaitIrql
+055 char WaitMode
+056 byte WaitNext
+057 byte WaitReason
+058 struct _KWAIT_BLOCK *WaitBlockList
+05c struct _LIST_ENTRY WaitListEntry
+05c struct _LIST_ENTRY *Flink
+060 struct _LIST_ENTRY *Blink
+064 uint32 WaitTime
+068 char BasePriority
+069 byte DecrementCount
+06a char PriorityDecrement
+06b char Quantum
+06c struct _KWAIT_BLOCK WaitBlock[4]
struct _LIST_ENTRY WaitListEntry
struct _LIST_ENTRY *Flink
struct _LIST_ENTRY *Blink
struct _KTHREAD *Thread
void *Object
struct _KWAIT_BLOCK *NextWaitBlock
uint16 WaitKey
uint16 WaitType
+0cc void *LegoData
+0d0 uint32 KernelApcDisable
+0d4 uint32 UserAffinity
+0d8 byte SystemAffinityActive
+0d9 byte PowerState
+0da byte NpxIrql
+0db byte Pad[1]
+0dc void *ServiceTable
+0e0 struct _KQUEUE *Queue
+0e4 uint32 ApcQueueLock
+0e8 struct _KTIMER Timer
+0e8 struct _DISPATCHER_HEADER Header
+0e8 byte Type
+0e9 byte Absolute
+0ea byte Size
+0eb byte Inserted
+0ec int32 SignalState
+0f0 struct _LIST_ENTRY WaitListHead
+0f0 struct _LIST_ENTRY *Flink
+0f4 struct _LIST_ENTRY *Blink
+0f8 union _ULARGE_INTEGER DueTime
+0f8 uint32 LowPart
+0fc uint32 HighPart
+0f8 struct __unnamed12 u
+0f8 uint32 LowPart
+0fc uint32 HighPart
+0f8 uint64 QuadPart
+100 struct _LIST_ENTRY TimerListEntry
+100 struct _LIST_ENTRY *Flink
+104 struct _LIST_ENTRY *Blink
+108 struct _KDPC *Dpc
+10c int32 Period
+110 struct _LIST_ENTRY QueueListEntry
+110 struct _LIST_ENTRY *Flink
+114 struct _LIST_ENTRY *Blink
+118 uint32 Affinity
+11c byte Preempted
+11d byte ProcessReadyQueue
+11e byte KernelStackResident
+11f byte NextProcessor
+120 void *CallbackStack
+124 void *Win32Thread
+128 struct _KTRAP_FRAME *TrapFrame
+12c struct _KAPC_STATE *ApcStatePointer[2]
+134 char PreviousMode
+135 byte EnableStackSwap
+136 byte LargeStack
+137 byte ResourceIndex
+138 uint32 KernelTime
+13c uint32 UserTime
+140 struct _KAPC_STATE SavedApcState
+140 struct _LIST_ENTRY ApcListHead[2]
struct _LIST_ENTRY *Flink
struct _LIST_ENTRY *Blink
+150 struct _KPROCESS *Process
+154 byte KernelApcInProgress
+155 byte KernelApcPending
+156 byte UserApcPending
+158 byte Alertable
+159 byte ApcStateIndex
+15a byte ApcQueueable
+15b byte AutoAlignment
+15c void *StackBase
+160 struct _KAPC SuspendApc
+160 int16 Type
+162 int16 Size
+164 uint32 Spare0
+168 struct _KTHREAD *Thread
+16c struct _LIST_ENTRY ApcListEntry
+16c struct _LIST_ENTRY *Flink
+170 struct _LIST_ENTRY *Blink
+174 function *KernelRoutine
+178 function *RundownRoutine
+17c function *NormalRoutine
+180 void *NormalContext
+184 void *SystemArgument1
+188 void *SystemArgument2
+18c char ApcStateIndex
+18d char ApcMode
+18e byte Inserted
+190 struct _KSEMAPHORE SuspendSemaphore
+190 struct _DISPATCHER_HEADER Header
+190 byte Type
+191 byte Absolute
+192 byte Size
+193 byte Inserted
+194 int32 SignalState
+198 struct _LIST_ENTRY WaitListHead
+198 struct _LIST_ENTRY *Flink
+19c struct _LIST_ENTRY *Blink
+1a0 int32 Limit
+1a4 struct _LIST_ENTRY ThreadListEntry
+1a4 struct _LIST_ENTRY *Flink
+1a8 struct _LIST_ENTRY *Blink
+1ac char FreezeCount
+1ad char SuspendCount
+1ae byte IdealProcessor
+1af byte DisableBoost
+1b0 union _LARGE_INTEGER CreateTime
+1b0 uint32 LowPart
+1b4 int32 HighPart
+1b0 struct __unnamed3 u
+1b0 uint32 LowPart
+1b4 int32 HighPart
+1b0 int64 QuadPart
+1b0 bits0-1 NestedFaultCount
+1b0 bits2-2 ApcNeeded
+1b8 union _LARGE_INTEGER ExitTime
+1b8 uint32 LowPart
+1bc int32 HighPart
+1b8 struct __unnamed3 u
+1b8 uint32 LowPart
+1bc int32 HighPart
+1b8 int64 QuadPart
+1b8 struct _LIST_ENTRY LpcReplyChain
+1b8 struct _LIST_ENTRY *Flink
+1bc struct _LIST_ENTRY *Blink
+1c0 int32 ExitStatus
+1c0 void *OfsChain
+1c4 struct _LIST_ENTRY PostBlockList
+1c4 struct _LIST_ENTRY *Flink
+1c8 struct _LIST_ENTRY *Blink
+1cc struct _LIST_ENTRY TerminationPortList
+1cc struct _LIST_ENTRY *Flink
+1d0 struct _LIST_ENTRY *Blink
+1d4 uint32 ActiveTimerListLock
+1d8 struct _LIST_ENTRY ActiveTimerListHead
+1d8 struct _LIST_ENTRY *Flink
+1dc struct _LIST_ENTRY *Blink
+1e0 struct _CLIENT_ID Cid
+1e0 void *UniqueProcess
+1e4 void *UniqueThread
+1e8 struct _KSEMAPHORE LpcReplySemaphore
+1e8 struct _DISPATCHER_HEADER Header
+1e8 byte Type
+1e9 byte Absolute
+1ea byte Size
+1eb byte Inserted
+1ec int32 SignalState
+1f0 struct _LIST_ENTRY WaitListHead
+1f0 struct _LIST_ENTRY *Flink
+1f4 struct _LIST_ENTRY *Blink
+1f8 int32 Limit
+1fc void *LpcReplyMessage
+200 uint32 LpcReplyMessageId
+204 uint32 PerformanceCountLow
+208 struct _PS_IMPERSONATION_INFORMATION *ImpersonationInfo
+20c struct _LIST_ENTRY IrpList
+20c struct _LIST_ENTRY *Flink
+210 struct _LIST_ENTRY *Blink
+214 uint32 TopLevelIrp
+218 struct _DEVICE_OBJECT *DeviceToVerify
+21c uint32 ReadClusterSize
+220 byte ForwardClusterOnly
+221 byte DisablePageFaultClustering
+222 byte DeadThread
+223 byte HideFromDebugger
+224 uint32 HasTerminated
+228 uint32 GrantedAccess
+22c struct _EPROCESS *ThreadsProcess
+230 void *StartAddress
+234 void *Win32StartAddress
+234 uint32 LpcReceivedMessageId
+238 byte LpcExitThreadCalled
+239 byte HardErrorsAreDisabled
+23a byte LpcReceivedMsgIdValid
+23b byte ActiveImpersonationInfo
+23c int32 PerformanceCountHigh
+240 struct _LIST_ENTRY ThreadListEntry
+240 struct _LIST_ENTRY *Flink
+244 struct _LIST_ENTRY *Blink