KPCR, the structure at ffdff000

王朝vc · author not credited  2006-01-08

Author: JIURL

Homepage: http://jiurl.yeah.net

Date: 2003-11-13

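At ffdff000 there is a structure called the KPCR. PCR stands for Processor Control Region. It is a very useful structure, and the system itself uses it heavily.

Below is the KPCR structure of win2k build 2195, as obtained from WinDbg.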

struct _KPCR (sizeof=2832)

+000 struct _NT_TIB NtTib

+000 struct _EXCEPTION_REGISTRATION_RECORD *ExceptionList

+004 void *StackBase

+008 void *StackLimit

+00c void *SubSystemTib

+010 void *FiberData

+010 uint32 Version

+014 void *ArbitraryUserPointer

+018 struct _NT_TIB *Self

+01c struct _KPCR *SelfPcr

+020 struct _KPRCB *Prcb

+024 byte Irql

+028 uint32 IRR

+02c uint32 IrrActive

+030 uint32 IDR

+034 uint32 Reserved2

+038 struct _KIDTENTRY *IDT

+03c struct _KGDTENTRY *GDT

+040 struct _KTSS *TSS

+044 uint16 MajorVersion

+046 uint16 MinorVersion

+048 uint32 SetMember

+04c uint32 StallScaleFactor

+050 byte DebugActive

+051 byte Number

+052 byte VdmAlert

+053 byte Reserved[1]

+054 uint32 KernelReserved[15]

+090 uint32 SecondLevelCacheSize

+094 uint32 HalReserved[16]

+0d4 uint32 InterruptMode

+0d8 byte Spare1

+0dc uint32 KernelReserved2[17]

+120 struct _KPRCB PrcbData

+120 uint16 MinorVersion

+122 uint16 MajorVersion

+124 struct _KTHREAD *CurrentThread

+128 struct _KTHREAD *NextThread

+12c struct _KTHREAD *IdleThread

+130 char Number

+131 char Reserved

+132 uint16 BuildType

+134 uint32 SetMember

+138 char CpuType

+139 char CpuID

+13a uint16 CpuStep

+13c struct _KPROCESSOR_STATE ProcessorState

+13c struct _CONTEXT ContextFrame

+13c uint32 ContextFlags

+140 uint32 Dr0

+144 uint32 Dr1

+148 uint32 Dr2

+14c uint32 Dr3

+150 uint32 Dr6

+154 uint32 Dr7

+158 struct _FLOATING_SAVE_AREA FloatSave

+158 uint32 ControlWord

+15c uint32 StatusWord

+160 uint32 TagWord

+164 uint32 ErrorOffset

+168 uint32 ErrorSelector

+16c uint32 DataOffset

+170 uint32 DataSelector

+174 byte RegisterArea[80]

+1c4 uint32 Cr0NpxState

+1c8 uint32 SegGs

+1cc uint32 SegFs

+1d0 uint32 SegEs

+1d4 uint32 SegDs

+1d8 uint32 Edi

+1dc uint32 Esi

+1e0 uint32 Ebx

+1e4 uint32 Edx

+1e8 uint32 Ecx

+1ec uint32 Eax

+1f0 uint32 Ebp

+1f4 uint32 Eip

+1f8 uint32 SegCs

+1fc uint32 EFlags

+200 uint32 Esp

+204 uint32 SegSs

+208 byte ExtendedRegisters[512]

+408 struct _KSPECIAL_REGISTERS SpecialRegisters

+408 uint32 Cr0

+40c uint32 Cr2

+410 uint32 Cr3

+414 uint32 Cr4

+418 uint32 KernelDr0

+41c uint32 KernelDr1

+420 uint32 KernelDr2

+424 uint32 KernelDr3

+428 uint32 KernelDr6

+42c uint32 KernelDr7

+430 struct _DESCRIPTOR Gdtr

+430 uint16 Pad

+432 uint16 Limit

+434 uint32 Base

+438 struct _DESCRIPTOR Idtr

+438 uint16 Pad

+43a uint16 Limit

+43c uint32 Base

+440 uint16 Tr

+442 uint16 Ldtr

+444 uint32 Reserved[6]

+45c uint32 KernelReserved[16]

+49c uint32 HalReserved[16]

+4dc struct _KSPIN_LOCK_QUEUE LockQueue[16]

struct _KSPIN_LOCK_QUEUE *Next

uint32 *Lock

+55c struct _KTHREAD *NpxThread

+560 uint32 InterruptCount

+564 uint32 KernelTime

+568 uint32 UserTime

+56c uint32 DpcTime

+570 uint32 InterruptTime

+574 uint32 ApcBypassCount

+578 uint32 DpcBypassCount

+57c uint32 AdjustDpcThreshold

+580 uint32 DebugDpcTime

+584 uint32 Spare2[4]

+594 uint32 ThreadStartCount[2]

+59c void *SpareHotData[2]

+5a4 uint32 CcFastReadNoWait

+5a8 uint32 CcFastReadWait

+5ac uint32 CcFastReadNotPossible

+5b0 uint32 CcCopyReadNoWait

+5b4 uint32 CcCopyReadWait

+5b8 uint32 CcCopyReadNoWaitMiss

+5bc uint32 KeAlignmentFixupCount

+5c0 uint32 KeContextSwitches

+5c4 uint32 KeDcacheFlushCount

+5c8 uint32 KeExceptionDispatchCount

+5cc uint32 KeFirstLevelTbFills

+5d0 uint32 KeFloatingEmulationCount

+5d4 uint32 KeIcacheFlushCount

+5d8 uint32 KeSecondLevelTbFills

+5dc uint32 KeSystemCalls

+5e0 uint32 ReservedCounter[8]

+600 void *SmallIrpFreeEntry

+604 void *LargeIrpFreeEntry

+608 void *MdlFreeEntry

+60c void *CreateInfoFreeEntry

+610 void *NameBufferFreeEntry

+614 void *SharedCacheMapEntry

+618 uint32 CachePad0[2]

+620 struct _PP_LOOKASIDE_LIST PPLookasideList[16]

struct _NPAGED_LOOKASIDE_LIST *P

struct _NPAGED_LOOKASIDE_LIST *L

+6a0 struct _PP_LOOKASIDE_LIST PPNPagedLookasideList[8]

struct _NPAGED_LOOKASIDE_LIST *P

struct _NPAGED_LOOKASIDE_LIST *L

+6e0 struct _PP_LOOKASIDE_LIST PPPagedLookasideList[8]

struct _NPAGED_LOOKASIDE_LIST *P

struct _NPAGED_LOOKASIDE_LIST *L

+720 byte ReservedPad[128]

+7a0 void *CurrentPacket[3]

+7ac uint32 TargetSet

+7b0 function *WorkerRoutine

+7b4 uint32 IpiFrozen

+7b8 uint32 CachePad1[2]

+7c0 uint32 RequestSummary

+7c4 struct _KPRCB *SignalDone

+7c8 uint32 ReverseStall

+7cc void *IpiFrame

+7d0 uint32 CachePad2[4]

+7e0 uint32 DpcInterruptRequested

+7e4 void *ChainedInterruptList

+7e8 uint32 CachePad3[2]

+7f0 uint32 MaximumDpcQueueDepth

+7f4 uint32 MinimumDpcRate

+7f8 uint32 CachePad4[2]

+800 struct _LIST_ENTRY DpcListHead

+800 struct _LIST_ENTRY *Flink

+804 struct _LIST_ENTRY *Blink

+808 uint32 DpcQueueDepth

+80c uint32 DpcRoutineActive

+810 uint32 DpcCount

+814 uint32 DpcLastCount

+818 uint32 DpcRequestRate

+81c void *DpcStack

+820 uint32 KernelReserved2[10]

+848 uint32 DpcLock

+84c byte SkipTick

+84d byte VendorString[13]

+85c uint32 MHz

+860 uint32 FeatureBits

+868 union _LARGE_INTEGER UpdateSignature

+868 uint32 LowPart

+86c int32 HighPart

+868 struct __unnamed3 u

+868 uint32 LowPart

+86c int32 HighPart

+868 int64 QuadPart

+870 uint32 QuantumEnd

+878 struct _PROCESSOR_POWER_STATE PowerState

+878 function *IdleFunction

+87c uint32 Idle0KernelTimeLimit

+880 uint32 Idle0LastTime

+884 void *IdleState

+888 uint64 LastCheck

+890 struct PROCESSOR_IDLE_TIMES IdleTimes

+890 uint64 StartTime

+898 uint64 EndTime

+8a0 uint32 IdleHandlerReserved[4]

+8b0 uint32 IdleTime1

+8b4 uint32 PromotionCheck

+8b8 uint32 IdleTime2

+8bc byte CurrentThrottle

+8bd byte ThrottleLimit

+8be byte Spare1[2]

+8c0 uint32 SetMember

+8c4 void *AbortThrottle

+8c8 uint64 DebugDelta

+8d0 uint32 DebugCount

+8d4 uint32 LastSysTime

+8d8 uint32 Spare2[10]

+900 struct _FX_SAVE_AREA NpxSaveArea

+900 union __unnamed63 U

+900 struct _FNSAVE_FORMAT FnArea

+900 uint32 ControlWord

+904 uint32 StatusWord

+908 uint32 TagWord

+90c uint32 ErrorOffset

+910 uint32 ErrorSelector

+914 uint32 DataOffset

+918 uint32 DataSelector

+91c byte RegisterArea[80]

+900 struct _FXSAVE_FORMAT FxArea

+900 uint16 ControlWord

+902 uint16 StatusWord

+904 uint16 TagWord

+906 uint16 ErrorOpcode

+908 uint32 ErrorOffset

+90c uint32 ErrorSelector

+910 uint32 DataOffset

+914 uint32 DataSelector

+918 uint32 MXCsr

+91c uint32 Reserved2

+920 byte RegisterArea[128]

+9a0 byte Reserved3[128]

+a20 byte Reserved4[224]

+b00 byte Align16Byte[8]

+b08 uint32 NpxSavedCpu

+b0c uint32 Cr0NpxState

The values in the KPCR at one moment in time

struct _KPCR (sizeof=2832)

+000 struct _NT_TIB NtTib

+000 struct _EXCEPTION_REGISTRATION_RECORD *ExceptionList = 8046F7CC

+004 void *StackBase = 8046FE30

+008 void *StackLimit = 8046D040

+00c void *SubSystemTib = 00000000

+010 void *FiberData = 00000000

+010 uint32 Version = 00000000

+014 void *ArbitraryUserPointer = 00000000

+018 struct _NT_TIB *Self = 00000000

+01c struct _KPCR *SelfPcr = FFDFF000

+020 struct _KPRCB *Prcb = FFDFF120

+024 byte Irql = 00 .

+028 uint32 IRR = 00000000

+02c uint32 IrrActive = 00000000

+030 uint32 IDR = ffffffff

+034 uint32 Reserved2 = 00000000

+038 struct _KIDTENTRY *IDT = 80036400

+03c struct _KGDTENTRY *GDT = 80036000

+040 struct _KTSS *TSS = 80223000

+044 uint16 MajorVersion = 0001

+046 uint16 MinorVersion = 0001

+048 uint32 SetMember = 00000001

+04c uint32 StallScaleFactor = 00000064

+050 byte DebugActive = 00 .

+051 byte Number = 00 .

+052 byte VdmAlert = 00 .

+053 byte Reserved[1] = 00 .

+054 uint32 KernelReserved[15] = 00000000 00000000 00000000 00000000 .... .... .... ....

00000000 00000000 00000000 00000000 .... .... .... ....

00000000 00000000 00000000 00000000 .... .... .... ....

00000000 00000000 00000000 .... .... ....

+090 uint32 SecondLevelCacheSize = 00020000

+094 uint32 HalReserved[16] = 00000000 00000000 00000000 00000000 .... .... .... ....

00000000 00000000 00000000 00000000 .... .... .... ....

00000000 00000000 00000000 00000000 .... .... .... ....

00000000 00000000 00000000 00000000 .... .... .... ....

+0d4 uint32 InterruptMode = 00000000

+0d8 byte Spare1 = 00 .

+0dc uint32 KernelReserved2[17] = 00000000 00000000 00000000 00000000 .... .... .... ....

00000000 00000000 00000000 00000000 .... .... .... ....

00000000 00000000 00000000 00000000 .... .... .... ....

00000000 00000000 00000000 00000000 .... .... .... ....

00000000 ....

+120 struct _KPRCB PrcbData

+120 uint16 MinorVersion = 0001

+122 uint16 MajorVersion = 0001

+124 struct _KTHREAD *CurrentThread = 8046BDF0

+128 struct _KTHREAD *NextThread = 00000000

+12c struct _KTHREAD *IdleThread = 8046BDF0

+130 char Number = 00 .

+131 char Reserved = 00 .

+132 uint16 BuildType = 0002

+134 uint32 SetMember = 00000001

+138 char CpuType = 06 .

+139 char CpuID = 01 .

+13a uint16 CpuStep = 0608

+13c struct _KPROCESSOR_STATE ProcessorState

+13c struct _CONTEXT ContextFrame

+13c uint32 ContextFlags = 00010017

+140 uint32 Dr0 = 00000000

+144 uint32 Dr1 = 00000000

+148 uint32 Dr2 = 00000000

+14c uint32 Dr3 = 00000000

+150 uint32 Dr6 = 00000023

+154 uint32 Dr7 = 00000000

+158 struct _FLOATING_SAVE_AREA FloatSave

+158 uint32 ControlWord = 00000000

+15c uint32 StatusWord = 00000000

+160 uint32 TagWord = 00000000

+164 uint32 ErrorOffset = 00000000

+168 uint32 ErrorSelector = 00000000

+16c uint32 DataOffset = 00000000

+170 uint32 DataSelector = 00000000

+174 byte RegisterArea[80] = 00 00 00 00 18 fc 46 80 . . . . . . F .

70 00 43 80 00 fc 46 80 p . C . . . F .

00 00 00 00 8c f8 46 80 . . . . . . F .

17 00 01 00 00 00 00 00 . . . . . . . .

+1c4 uint32 Cr0NpxState = 00000023

+1c8 uint32 SegGs = 00000000

+1cc uint32 SegFs = 00000030

+1d0 uint32 SegEs = 00000023

+1d4 uint32 SegDs = 00000023

+1d8 uint32 Edi = fe4cf228

+1dc uint32 Esi = fe4f50e0

+1e0 uint32 Ebx = ffffffff

+1e4 uint32 Edx = 8047e684

+1e8 uint32 Ecx = 000000b1

+1ec uint32 Eax = 00000001

+1f0 uint32 Ebp = 8046fc8c

+1f4 uint32 Eip = fe1c2806

+1f8 uint32 SegCs = 00000008

+1fc uint32 EFlags = 00000246

+200 uint32 Esp = 8046fc88

+204 uint32 SegSs = 00000010

+208 byte ExtendedRegisters[512] = 10 00 00 00 10 00 00 00 . . . . . . . .

10 00 00 00 9c 6a 06 80 . . . . . j . .

9c 6a 06 80 fe 03 00 00 . j . . . . . .

00 00 00 00 88 a4 06 80 . . . . . . . .

+408 struct _KSPECIAL_REGISTERS SpecialRegisters

+408 uint32 Cr0 = 8001003b

+40c uint32 Cr2 = 77e1fe01

+410 uint32 Cr3 = 00030000

+414 uint32 Cr4 = 000002d1

+418 uint32 KernelDr0 = 00000000

+41c uint32 KernelDr1 = 00000000

+420 uint32 KernelDr2 = 00000000

+424 uint32 KernelDr3 = 00000000

+428 uint32 KernelDr6 = ffff0ff0

+42c uint32 KernelDr7 = 00000400

+430 struct _DESCRIPTOR Gdtr

+430 uint16 Pad = 0000

+432 uint16 Limit = 03ff

+434 uint32 Base = 80036000

+438 struct _DESCRIPTOR Idtr

+438 uint16 Pad = 0000

+43a uint16 Limit = 07ff

+43c uint32 Base = 80036400

+440 uint16 Tr = 0028

+442 uint16 Ldtr = 0000

+444 uint32 Reserved[6] = 00000000 00000000 00000000 00000000 .... .... .... ....

00000000 00000000 .... ....

+45c uint32 KernelReserved[16] = 00000000 00000000 00000000 00000000 .... .... .... ....

00000000 00000000 00000000 00000000 .... .... .... ....

00000000 00000000 00000000 00000000 .... .... .... ....

00000000 00000000 00000000 00000000 .... .... .... ....

+49c uint32 HalReserved[16] = 00000000 00001010 00000000 00000000 .... .... .... ....

00000000 00000000 00000000 00000000 .... .... .... ....

00000000 00000000 00000000 00000000 .... .... .... ....

00000000 00000000 00000000 00000000 .... .... .... ....

+4dc struct _KSPIN_LOCK_QUEUE LockQueue[16]

+4dc LockQueue[0]

+4dc struct _KSPIN_LOCK_QUEUE *Next = 00000000

+4e0 uint32 *Lock = 00000000

+4e4 LockQueue[1]

+4e4 struct _KSPIN_LOCK_QUEUE *Next = 00000000

+4e8 uint32 *Lock = 00000000

+4ec LockQueue[2]

+4ec struct _KSPIN_LOCK_QUEUE *Next = 00000000

+4f0 uint32 *Lock = 00000000

+4f4 LockQueue[3]

+4f4 struct _KSPIN_LOCK_QUEUE *Next = 00000000

+4f8 uint32 *Lock = 00000000

+4fc LockQueue[4]

+4fc struct _KSPIN_LOCK_QUEUE *Next = 00000000

+500 uint32 *Lock = 00000000

+504 LockQueue[5]

+504 struct _KSPIN_LOCK_QUEUE *Next = 00000000

+508 uint32 *Lock = 00000000

+50c LockQueue[6]

+50c struct _KSPIN_LOCK_QUEUE *Next = 00000000

+510 uint32 *Lock = 00000000

+514 LockQueue[7]

+514 struct _KSPIN_LOCK_QUEUE *Next = 00000000

+518 uint32 *Lock = 00000000

+51c LockQueue[8]

+51c struct _KSPIN_LOCK_QUEUE *Next = 00000000

+520 uint32 *Lock = 00000000

+524 LockQueue[9]

+524 struct _KSPIN_LOCK_QUEUE *Next = 00000000

+528 uint32 *Lock = 00000000

+52c LockQueue[10]

+52c struct _KSPIN_LOCK_QUEUE *Next = 00000000

+530 uint32 *Lock = 00000000

+534 LockQueue[11]

+534 struct _KSPIN_LOCK_QUEUE *Next = 00000000

+538 uint32 *Lock = 00000000

+53c LockQueue[12]

+53c struct _KSPIN_LOCK_QUEUE *Next = 00000000

+540 uint32 *Lock = 00000000

+544 LockQueue[13]

+544 struct _KSPIN_LOCK_QUEUE *Next = 00000000

+548 uint32 *Lock = 00000000

+54c LockQueue[14]

+54c struct _KSPIN_LOCK_QUEUE *Next = 00000000

+550 uint32 *Lock = 00000000

+554 LockQueue[15]

+554 struct _KSPIN_LOCK_QUEUE *Next = 00000000

+558 uint32 *Lock = 00000000

+55c struct _KTHREAD *NpxThread = 00000000

+560 uint32 InterruptCount = 00004aca

+564 uint32 KernelTime = 00003396

+568 uint32 UserTime = 000002d9

+56c uint32 DpcTime = 0000007b

+570 uint32 InterruptTime = 000003fb

+574 uint32 ApcBypassCount = 00001709

+578 uint32 DpcBypassCount = 00000000

+57c uint32 AdjustDpcThreshold = 00000014

+580 uint32 DebugDpcTime = 00000000

+584 uint32 Spare2[4] = 00000000 00000000 00000000 00000000 .... .... .... ....

+594 uint32 ThreadStartCount[2] = 00000000 00000000 .... ....

+59c void *SpareHotData[2] = 00000000

00000000

+5a4 uint32 CcFastReadNoWait = 00000000

+5a8 uint32 CcFastReadWait = 00000000

+5ac uint32 CcFastReadNotPossible = 00000000

+5b0 uint32 CcCopyReadNoWait = 00000000

+5b4 uint32 CcCopyReadWait = 00000000

+5b8 uint32 CcCopyReadNoWaitMiss = 00000000

+5bc uint32 KeAlignmentFixupCount = 00000000

+5c0 uint32 KeContextSwitches = 0000b897

+5c4 uint32 KeDcacheFlushCount = 00000000

+5c8 uint32 KeExceptionDispatchCount = 000007fe

+5cc uint32 KeFirstLevelTbFills = 00000000

+5d0 uint32 KeFloatingEmulationCount = 00000000

+5d4 uint32 KeIcacheFlushCount = 00000000

+5d8 uint32 KeSecondLevelTbFills = 00000000

+5dc uint32 KeSystemCalls = 00050211

+5e0 uint32 ReservedCounter[8] = 00000000 00000000 00000000 00000000 .... .... .... ....

00000000 00000000 00000000 00000000 .... .... .... ....

+600 void *SmallIrpFreeEntry = 00000000

+604 void *LargeIrpFreeEntry = 00000000

+608 void *MdlFreeEntry = 00000000

+60c void *CreateInfoFreeEntry = 00000000

+610 void *NameBufferFreeEntry = 00000000

+614 void *SharedCacheMapEntry = 00000000

+618 uint32 CachePad0[2] = 00000000 00000000 .... ....

+620 struct _PP_LOOKASIDE_LIST PPLookasideList[16]

+620 PPLookasideList[0]

+620 struct _NPAGED_LOOKASIDE_LIST *P = FE4EC808

+624 struct _NPAGED_LOOKASIDE_LIST *L = 804758A0

+628 PPLookasideList[1]

+628 struct _NPAGED_LOOKASIDE_LIST *P = FE4EC868

+62c struct _NPAGED_LOOKASIDE_LIST *L = 804756A0

+630 PPLookasideList[2]

+630 struct _NPAGED_LOOKASIDE_LIST *P = FE4EC7A8

+634 struct _NPAGED_LOOKASIDE_LIST *L = 80475740

+638 PPLookasideList[3]

+638 struct _NPAGED_LOOKASIDE_LIST *P = FE4F4748

+63c struct _NPAGED_LOOKASIDE_LIST *L = 8047F8A0

+640 PPLookasideList[4]

+640 struct _NPAGED_LOOKASIDE_LIST *P = FE4F46E8

+644 struct _NPAGED_LOOKASIDE_LIST *L = 8047F900

+648 PPLookasideList[5]

+648 struct _NPAGED_LOOKASIDE_LIST *P = FE4F1168

+64c struct _NPAGED_LOOKASIDE_LIST *L = 80472100

+650 PPLookasideList[6]

+650 struct _NPAGED_LOOKASIDE_LIST *P = FE4EC8C8

+654 struct _NPAGED_LOOKASIDE_LIST *L = 80475800

+658 PPLookasideList[7]

+658 struct _NPAGED_LOOKASIDE_LIST *P = 00000000

+65c struct _NPAGED_LOOKASIDE_LIST *L = 00000000

+660 PPLookasideList[8]

+660 struct _NPAGED_LOOKASIDE_LIST *P = 00000000

+664 struct _NPAGED_LOOKASIDE_LIST *L = 00000000

+668 PPLookasideList[9]

+668 struct _NPAGED_LOOKASIDE_LIST *P = 00000000

+66c struct _NPAGED_LOOKASIDE_LIST *L = 00000000

+670 PPLookasideList[10]

+670 struct _NPAGED_LOOKASIDE_LIST *P = 00000000

+674 struct _NPAGED_LOOKASIDE_LIST *L = 00000000

+678 PPLookasideList[11]

+678 struct _NPAGED_LOOKASIDE_LIST *P = 00000000

+67c struct _NPAGED_LOOKASIDE_LIST *L = 00000000

+680 PPLookasideList[12]

+680 struct _NPAGED_LOOKASIDE_LIST *P = 00000000

+684 struct _NPAGED_LOOKASIDE_LIST *L = 00000000

+688 PPLookasideList[13]

+688 struct _NPAGED_LOOKASIDE_LIST *P = 00000000

+68c struct _NPAGED_LOOKASIDE_LIST *L = 00000000

+690 PPLookasideList[14]

+690 struct _NPAGED_LOOKASIDE_LIST *P = 00000000

+694 struct _NPAGED_LOOKASIDE_LIST *L = 00000000

+698 PPLookasideList[15]

+698 struct _NPAGED_LOOKASIDE_LIST *P = 00000000

+69c struct _NPAGED_LOOKASIDE_LIST *L = 00000000

+6a0 struct _PP_LOOKASIDE_LIST PPNPagedLookasideList[8]

+6a0 PPNPagedLookasideList[0]

+6a0 struct _NPAGED_LOOKASIDE_LIST *P = FE4F2308

+6a4 struct _NPAGED_LOOKASIDE_LIST *L = 80472A00

+6a8 PPNPagedLookasideList[1]

+6a8 struct _NPAGED_LOOKASIDE_LIST *P = FE4F1BA8

+6ac struct _NPAGED_LOOKASIDE_LIST *L = 80472A50

+6b0 PPNPagedLookasideList[2]

+6b0 struct _NPAGED_LOOKASIDE_LIST *P = FE4F1AE8

+6b4 struct _NPAGED_LOOKASIDE_LIST *L = 80472AA0

+6b8 PPNPagedLookasideList[3]

+6b8 struct _NPAGED_LOOKASIDE_LIST *P = FE4F1A28

+6bc struct _NPAGED_LOOKASIDE_LIST *L = 80472AF0

+6c0 PPNPagedLookasideList[4]

+6c0 struct _NPAGED_LOOKASIDE_LIST *P = FE4F1968

+6c4 struct _NPAGED_LOOKASIDE_LIST *L = 80472B40

+6c8 PPNPagedLookasideList[5]

+6c8 struct _NPAGED_LOOKASIDE_LIST *P = FE4F18A8

+6cc struct _NPAGED_LOOKASIDE_LIST *L = 80472B90

+6d0 PPNPagedLookasideList[6]

+6d0 struct _NPAGED_LOOKASIDE_LIST *P = FE4F17E8

+6d4 struct _NPAGED_LOOKASIDE_LIST *L = 80472BE0

+6d8 PPNPagedLookasideList[7]

+6d8 struct _NPAGED_LOOKASIDE_LIST *P = FE4F1728

+6dc struct _NPAGED_LOOKASIDE_LIST *L = 80472C30

+6e0 struct _PP_LOOKASIDE_LIST PPPagedLookasideList[8]

+6e0 PPPagedLookasideList[0]

+6e0 struct _NPAGED_LOOKASIDE_LIST *P = FE4F22A8

+6e4 struct _NPAGED_LOOKASIDE_LIST *L = 80472CA0

+6e8 PPPagedLookasideList[1]

+6e8 struct _NPAGED_LOOKASIDE_LIST *P = FE4F1B48

+6ec struct _NPAGED_LOOKASIDE_LIST *L = 80472CF0

+6f0 PPPagedLookasideList[2]

+6f0 struct _NPAGED_LOOKASIDE_LIST *P = FE4F1A88

+6f4 struct _NPAGED_LOOKASIDE_LIST *L = 80472D40

+6f8 PPPagedLookasideList[3]

+6f8 struct _NPAGED_LOOKASIDE_LIST *P = FE4F19C8

+6fc struct _NPAGED_LOOKASIDE_LIST *L = 80472D90

+700 PPPagedLookasideList[4]

+700 struct _NPAGED_LOOKASIDE_LIST *P = FE4F1908

+704 struct _NPAGED_LOOKASIDE_LIST *L = 80472DE0

+708 PPPagedLookasideList[5]

+708 struct _NPAGED_LOOKASIDE_LIST *P = FE4F1848

+70c struct _NPAGED_LOOKASIDE_LIST *L = 80472E30

+710 PPPagedLookasideList[6]

+710 struct _NPAGED_LOOKASIDE_LIST *P = FE4F1788

+714 struct _NPAGED_LOOKASIDE_LIST *L = 80472E80

+718 PPPagedLookasideList[7]

+718 struct _NPAGED_LOOKASIDE_LIST *P = FE4F16C8

+71c struct _NPAGED_LOOKASIDE_LIST *L = 80472ED0

+720 byte ReservedPad[128] = 00 00 00 00 00 00 00 00 . . . . . . . .

00 00 00 00 00 00 00 00 . . . . . . . .

00 00 00 00 00 00 00 00 . . . . . . . .

00 00 00 00 00 00 00 00 . . . . . . . .

+7a0 void *CurrentPacket[3] = 00000000

00000000

00000000

+7ac uint32 TargetSet = 00000000

+7b0 function *WorkerRoutine = 00000000

+7b4 uint32 IpiFrozen = 00000000

+7b8 uint32 CachePad1[2] = 00000000 00000000 .... ....

+7c0 uint32 RequestSummary = 00000000

+7c4 struct _KPRCB *SignalDone = 00000000

+7c8 uint32 ReverseStall = 00000004

+7cc void *IpiFrame = 00000000

+7d0 uint32 CachePad2[4] = 00000000 00000000 00000000 00000000 .... .... .... ....

+7e0 uint32 DpcInterruptRequested = 00000001

+7e4 void *ChainedInterruptList = 00000000

+7e8 uint32 CachePad3[2] = 00000000 00000000 .... ....

+7f0 uint32 MaximumDpcQueueDepth = 00000001

+7f4 uint32 MinimumDpcRate = 00000003

+7f8 uint32 CachePad4[2] = 00000000 00000000 .... ....

+800 struct _LIST_ENTRY DpcListHead

+800 struct _LIST_ENTRY *Flink = 8047E684

+804 struct _LIST_ENTRY *Blink = FE4F5260

+808 uint32 DpcQueueDepth = 00000002

+80c uint32 DpcRoutineActive = 00000000

+810 uint32 DpcCount = 000023c1

+814 uint32 DpcLastCount = 000023c0

+818 uint32 DpcRequestRate = 00000000

+81c void *DpcStack = F9024000

+820 uint32 KernelReserved2[10] = 00000000 00000000 00000000 00000000 .... .... .... ....

00000000 00000000 00000000 00000000 .... .... .... ....

00000000 00000000 .... ....

+848 uint32 DpcLock = 00000000

+84c byte SkipTick = 00 .

+84d byte VendorString[13] = 47 65 6e 75 69 6e 65 49 G e n u i n e I

6e 74 65 6c 00 n t e l .

+85c uint32 MHz = 00000227

+860 uint32 FeatureBits = 00000fff

+868 union _LARGE_INTEGER UpdateSignature

+868 uint32 LowPart = 00000000

+86c int32 HighPart = 00000000

+868 struct __unnamed3 u

+868 uint32 LowPart = 00000000

+86c int32 HighPart = 00000000

+868 int64 QuadPart = 0000000000000000

+870 uint32 QuantumEnd = 00000000

+878 struct _PROCESSOR_POWER_STATE PowerState

+878 function *IdleFunction = 80450804

+87c uint32 Idle0KernelTimeLimit = ffffffff

+880 uint32 Idle0LastTime = 00000000

+884 void *IdleState = 00000000

+888 uint64 LastCheck = 0000000000000000

+890 struct PROCESSOR_IDLE_TIMES IdleTimes

+890 uint64 StartTime = 0000000000000000

+898 uint64 EndTime = 0000000000000000

+8a0 uint32 IdleHandlerReserved[4] = 00000000 00000000 00000000 00000000 .... .... .... ....

+8b0 uint32 IdleTime1 = 00000000

+8b4 uint32 PromotionCheck = 00000000

+8b8 uint32 IdleTime2 = 00000000

+8bc byte CurrentThrottle = 08 .

+8bd byte ThrottleLimit = 08 .

+8be byte Spare1[2] = 00 00 . .

+8c0 uint32 SetMember = 00000001

+8c4 void *AbortThrottle = 00000000

+8c8 uint64 DebugDelta = 0000000000000000

+8d0 uint32 DebugCount = 00000000

+8d4 uint32 LastSysTime = 00000000

+8d8 uint32 Spare2[10] = 00000000 00000000 00000000 00000000 .... .... .... ....

00000000 00000000 00000000 00000000 .... .... .... ....

00000000 00000000 .... ....

+900 struct _FX_SAVE_AREA NpxSaveArea

+900 union __unnamed63 U

+900 struct _FNSAVE_FORMAT FnArea

+900 uint32 ControlWord = 00000000

+904 uint32 StatusWord = 00000000

+908 uint32 TagWord = 00000000

+90c uint32 ErrorOffset = 00000000

+910 uint32 ErrorSelector = 00000000

+914 uint32 DataOffset = 00000000

+918 uint32 DataSelector = 00000000

+91c byte RegisterArea[80] = 00 00 00 00 00 00 00 00 . . . . . . . .

00 00 00 00 00 00 00 00 . . . . . . . .

00 00 00 00 00 00 00 00 . . . . . . . .

00 00 00 00 00 00 00 00 . . . . . . . .

+900 struct _FXSAVE_FORMAT FxArea

+900 uint16 ControlWord = 0000

+902 uint16 StatusWord = 0000

+904 uint16 TagWord = 0000

+906 uint16 ErrorOpcode = 0000

+908 uint32 ErrorOffset = 00000000

+90c uint32 ErrorSelector = 00000000

+910 uint32 DataOffset = 00000000

+914 uint32 DataSelector = 00000000

+918 uint32 MXCsr = 00000000

+91c uint32 Reserved2 = 00000000

+920 byte RegisterArea[128] = 00 00 00 00 00 00 00 00 . . . . . . . .

00 00 00 00 00 00 00 00 . . . . . . . .

00 00 00 00 00 00 00 00 . . . . . . . .

00 00 00 00 00 00 00 00 . . . . . . . .

+9a0 byte Reserved3[128] = 00 00 00 00 00 00 00 00 . . . . . . . .

00 00 00 00 00 00 00 00 . . . . . . . .

00 00 00 00 00 00 00 00 . . . . . . . .

00 00 00 00 00 00 00 00 . . . . . . . .

+a20 byte Reserved4[224] = 00 00 00 00 00 00 00 00 . . . . . . . .

00 00 00 00 00 00 00 00 . . . . . . . .

00 00 00 00 00 00 00 00 . . . . . . . .

00 00 00 00 00 00 00 00 . . . . . . . .

+b00 byte Align16Byte[8] = 00 00 00 00 00 00 00 00 . . . . . . . .

+b08 uint32 NpxSavedCpu = 00000000

+b0c uint32 Cr0NpxState = 00000000

WinDbg's !pcr command gives a simple summary of the PCR.

The output of !pcr at one moment in time

kd> !pcr

PCR Processor 0 @ffdff000

NtTib.ExceptionList: 8046f7cc

NtTib.StackBase: 8046fe30

NtTib.StackLimit: 8046d040

NtTib.SubSystemTib: 00000000

NtTib.Version: 00000000

NtTib.UserPointer: 00000000

NtTib.SelfTib: 00000000

SelfPcr: ffdff000

Prcb: ffdff120

Irql: 00000000

IRR: 00000000

IDR: ffffffff

InterruptMode: 00000000

IDT: 80036400

GDT: 80036000

TSS: 80223000

CurrentThread: 8046bdf0

NextThread: 00000000

IdleThread: 8046bdf0

DpcQueue: 0x8047e680 0x80431669 nt!KiTimerExpiration

0xfe4f525c 0xfe1c1190 i8042prt!I8042KeyboardIsrDpc
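
The full dump and the !pcr summary agree on one property that memory-forensics tools rely on: SelfPcr holds the KPCR's own address, and Prcb holds that address plus 0x120. The Python below is an added example, not part of the original article; it uses the build 2195 offsets listed above to locate and decode a KPCR in a raw memory image. The function names are illustrative, the sample image is constructed from the values shown on this page, and the kernel-address test assumes the default 2 GB user/kernel split.

```python
import struct

PAGE = 0x1000
KPCR_SIZE = 2832           # sizeof(_KPCR) reported in the dump above
PRCB_OFFSET = 0x120        # PrcbData is embedded in the KPCR at +120
KERNEL_BASE = 0x80000000   # assumption: default 2 GB user/kernel split
VENDOR_OFF, VENDOR_LEN = 0x84D, 13

# (offset, format, name, value in this page's snapshot) for build 2195
FIELDS = [
    (0x000, "<I", "ExceptionList", 0x8046F7CC),
    (0x004, "<I", "StackBase",     0x8046FE30),
    (0x008, "<I", "StackLimit",    0x8046D040),
    (0x01C, "<I", "SelfPcr",       0xFFDFF000),
    (0x020, "<I", "Prcb",          0xFFDFF120),
    (0x024, "<B", "Irql",          0x00),
    (0x038, "<I", "IDT",           0x80036400),
    (0x03C, "<I", "GDT",           0x80036000),
    (0x040, "<I", "TSS",           0x80223000),
    (0x124, "<I", "CurrentThread", 0x8046BDF0),
    (0x128, "<I", "NextThread",    0x00000000),
    (0x12C, "<I", "IdleThread",    0x8046BDF0),
    (0x85C, "<I", "MHz",           0x00000227),
]

def parse_kpcr(buf, off=0):
    """Decode selected fields of a _KPCR located at buf[off:]."""
    if off < 0 or off + KPCR_SIZE > len(buf):
        raise ValueError("buffer too small for a _KPCR at this offset")
    f = {name: struct.unpack_from(fmt, buf, off + o)[0]
         for o, fmt, name, _ in FIELDS}
    raw = bytes(buf[off + VENDOR_OFF: off + VENDOR_OFF + VENDOR_LEN])
    f["VendorString"] = raw.split(b"\x00", 1)[0].decode("ascii", "replace")
    return f

def check_kpcr(f):
    """Return a list of consistency problems; an empty list means plausible."""
    problems = []
    base = f["SelfPcr"]
    if base < KERNEL_BASE or base % PAGE:
        problems.append("SelfPcr is not a page-aligned kernel address")
    if f["Prcb"] != (base + PRCB_OFFSET) & 0xFFFFFFFF:
        problems.append("Prcb does not point at SelfPcr+0x120")
    if not f["StackLimit"] < f["StackBase"]:
        problems.append("StackLimit is not below StackBase")
    for name in ("IDT", "GDT", "TSS", "CurrentThread", "IdleThread"):
        if f[name] < KERNEL_BASE:
            problems.append(name + " is not a kernel address")
    return problems

def find_kpcr(image):
    """Scan page-aligned offsets of a raw image for plausible KPCRs."""
    hits = []
    for off in range(0, len(image) - KPCR_SIZE + 1, PAGE):
        fields = parse_kpcr(image, off)
        if not check_kpcr(fields):
            hits.append((off, fields))
    return hits

def build_sample():
    """Constructed 3-page image: zero page, KPCR from this page, decoy."""
    img = bytearray(3 * PAGE)
    for o, fmt, _, value in FIELDS:
        struct.pack_into(fmt, img, PAGE + o, value)
    img[PAGE + VENDOR_OFF: PAGE + VENDOR_OFF + VENDOR_LEN] = b"GenuineIntel\x00"
    # Decoy page: a self pointer is present, but Prcb does not follow it.
    struct.pack_into("<I", img, 2 * PAGE + 0x1C, 0xFFDFF000)
    struct.pack_into("<I", img, 2 * PAGE + 0x20, 0xFFDFF000)
    return bytes(img)

if __name__ == "__main__":
    for off, fields in find_kpcr(build_sample()):
        print("KPCR candidate at image offset 0x%x" % off)
        for name, value in fields.items():
            print("  %-14s %s" % (name, value if isinstance(value, str) else "%08x" % value))
```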

Discussion is welcome, and so are new friends.

You are welcome to visit http://jiurl.yeah.net http://jiurl.cosoft.org.cn/forum