KTHREAD结构参考Windows内核原理与实现 win10
// Wait-status register of a KTHREAD (KTHREAD.WaitRegister). The anonymous
// bitfield struct (3+1+1+1+1+1 = 8 bits) aliases the single Flags byte, so
// Flags can be read or written as a whole while the bit names select one field.
// Layout is undocumented and build-specific; confirm against the target
// build's symbols before any code depends on it.
typedef struct _KWAIT_STATUS_REGISTER
{
    union
    {
        UCHAR Flags;            // all eight bits as one byte
        struct
        {
            UCHAR State : 3;    // bits 0-2
            UCHAR Affinity : 1; // bit 3
            UCHAR Priority : 1; // bit 4
            UCHAR Apc : 1;      // bit 5
            UCHAR UserApc : 1;  // bit 6
            UCHAR Alert : 1;    // bit 7
        };
    };
}KWAIT_STATUS_REGISTER, *PKWAIT_STATUS_REGISTER;
// Per-thread APC state (KTHREAD.ApcState / KTHREAD.SavedApcState). Holds the
// APC list head, the owning process, and the in-progress / pending flags.
// Each flag byte is a union so it can be tested as a whole or bit by bit.
// Layout is undocumented and build-specific; confirm against symbols.
typedef struct _KAPC_STATE
{
    struct _LIST_ENTRY ApcListHead;   // head of the queued APCs for this state
    struct _KPROCESS *Process;        // process whose address space this state belongs to
    union
    {
        UCHAR InProgressFlags;        // both in-progress bits as one byte
        struct
        {
            UCHAR KernelApcInProgress : 1;
            UCHAR SpecialApcInProgress : 1;
        };
    };
    UCHAR KernelApcPending;
    union
    {
        UCHAR UserApcPendingAll;      // both user-APC pending bits as one byte
        struct
        {
            UCHAR SpecialUserApcPending : 1;
            UCHAR UserApcPending : 1;
        };
    };
}KAPC_STATE, *PKAPC_STATE;
// Red-black tree header used by KLOCK_ENTRY (OwnerTree / WaiterTree).
// Everything here is one union, so Root, Encoded and Min all start at offset 0:
// the same pointer-sized word is viewed three ways.
// NOTE(review): Encoded is a full UCHAR in this transcription; it presumably
// marks a flag carried in the low bit of Root -- confirm against symbols.
typedef struct _RTL_RB_TREE
{
    union
    {
        struct _RTL_BALANCED_NODE *Root;
        struct
        {
            UCHAR Encoded;
        };
        struct _RTL_BALANCED_NODE *Min;
    };
}RTL_RB_TREE, *PRTL_RB_TREE;
// Lock-state word of a KLOCK_ENTRY. The first union packs 1+1+61+1 = 64 bits
// of flags over the same storage as the LockState pointer; the second union
// overlays a session pointer with a 32-bit session id.
// Layout is undocumented and build-specific; confirm against symbols.
typedef struct _KLOCK_ENTRY_LOCK_STATE
{
    union
    {
        struct
        {
            ULONG64 CrossThreadReleasable : 1;
            ULONG64 Busy : 1;
            ULONG64 Reserved : 61;
            ULONG64 InTree : 1;
        };
        PVOID LockState;      // the 64 flag bits viewed as a pointer-sized word
    };
    union
    {
        PVOID SessionState;
        ULONG SessionId;      // low 32 bits of SessionState
    };
    ULONG SessionPad;
}KLOCK_ENTRY_LOCK_STATE, *PKLOCK_ENTRY_LOCK_STATE;
// Priority-boost bookkeeping of a KLOCK_ENTRY.
// NOTE(review): as written, the single bitfield struct holds 17+15 = 32 bits
// followed by another 15+1+1+8+7 = 32 bits, i.e. 64 bits in total, while the
// AllFields member it is meant to alias is a 32-bit ULONG. The two 32-bit
// groups look like they were meant to be separate structs inside the union
// (each aliasing AllFields); as transcribed this struct is twice the expected
// size and shifts every later KLOCK_ENTRY offset -- confirm against symbols.
typedef struct _KLOCK_ENTRY_BOOST_BITMAP
{
    union
    {
        ULONG AllFields;
        struct
        {
            ULONG AllBoosts : 17;
            ULONG Reserved : 15;
            // --- the following five fields sum to a second 32 bits ---
            ULONG CpuBoostsBitmap : 15;
            ULONG IoBoost : 1;
            ULONG IoQoSBoost : 1;
            ULONG IoNormalPriorityWaiterCount : 8;
            ULONG IoQoSWaiterCount : 7;
        };
    };
}KLOCK_ENTRY_BOOST_BITMAP, *PKLOCK_ENTRY_BOOST_BITMAP;
// Lock entry embedded in KTHREAD (KTHREAD.LockEntries): a tree/free-list node
// plus flag words, lock state, owner/waiter trees and boost bookkeeping.
// Layout is undocumented and build-specific; confirm against symbols.
//
// NOTE(review): several unions below flatten what look like nested layouts.
// In a C union every member starts at offset 0, so e.g. EntryOffset,
// ThreadLocalFlags and AcquiredByte all name the same first byte of
// EntryFlags here, although their distinct names suggest successive bytes.
// Likewise the CrossThreadFlags bitfield struct totals 1+1+1+5+8+24 = 40 bits,
// which does not fit the 32-bit ULONG it is declared with (it spills into a
// second ULONG), while CrossThreadFlags itself is one UCHAR. Treat the exact
// byte positions in this transcription as unverified.
typedef struct _KLOCK_ENTRY
{
    union
    {
        struct _RTL_BALANCED_NODE TreeNode;        // node while linked in a tree
        struct _SINGLE_LIST_ENTRY FreeListEntry;   // link while on the free list
    };
    union
    {
        ULONG EntryFlags;                          // all flag bytes as one word
        UCHAR EntryOffset;
        UCHAR ThreadLocalFlags;
        struct
        {
            UCHAR WaitingBit : 1;
            UCHAR Spare0 : 7;
        };
        UCHAR AcquiredByte;
        struct
        {
            UCHAR AcquiredBit : 1;
        };
    };
    union
    {
        UCHAR CrossThreadFlags;
        struct
        {
            ULONG HeadNodeBit : 1;
            ULONG IoPriorityBit : 1;
            ULONG IoQoSWaiter : 1;
            ULONG Spare1 : 5;
            ULONG StaticState : 8;
            ULONG AllFlags : 24;                   // overflows the first 32 bits, see note above
        };
        ULONG SpareFlags;
    };
    union
    {
        struct _KLOCK_ENTRY_LOCK_STATE LockState;  // structured view of the lock state
        PVOID LockUnsafe;                          // raw view of the same word
        UCHAR CrossThreadReleasableAndBusyByte;
        UCHAR Reserved;
        UCHAR InTreeByte;
        PVOID SessionState;
        ULONG SessionId;
        ULONG SessionPad;
    };
    union
    {
        struct _RTL_RB_TREE OwnerTree;
        CHAR CpuPriorityKey;
    };
    struct _RTL_RB_TREE WaiterTree;
    ULONG64 EntryLock;
    struct _KLOCK_ENTRY_BOOST_BITMAP BoostBitmap;
    ULONG SparePad;
}KLOCK_ENTRY, *PKLOCK_ENTRY;
// Kernel thread object (KTHREAD), reconstructed for Windows 10.
//
// This layout is undocumented and changes between builds. Any driver or
// forensic tool that reads or writes KTHREAD fields by offset must first
// resolve those offsets from the target build's debug symbols (PDB); a stale
// or mistranscribed offset touches the wrong kernel memory. Several members
// in this transcription look lossy (see NOTE(review) lines below), so do not
// take field offsets from this text without verification.
typedef struct _KTHREAD
{
    struct _DISPATCHER_HEADER Header;      // dispatcher object header
    PVOID SListFaultAddress;               // address at which the last user-mode interlocked SList POP took a page fault
    ULONG64 QuantumTarget;
    PVOID InitialStack;                    // high address of the original stack
    PVOID StackLimit;                      // low address of the original stack
    PVOID StackBase;                       // base address of the current stack
    ULONG64 ThreadLock;                    // thread lock protecting this object's data
    ULONG64 CycleTime;
    ULONG CurrentRunTime;                  // time the current thread has been running
    ULONG ExpectedRunTime;
    PVOID KernelStack;                     // base of the kernel stack
    struct _XSAVE_FORMAT *StateSaveArea;
    struct _KSCHEDULING_GROUP *SchedulingGroup;
    struct _KWAIT_STATUS_REGISTER WaitRegister;
    UCHAR Running;
    UCHAR Alerted;                         // whether the thread can be alerted (woken) in kernel / user mode
    union
    {
        struct
        {
            LONG AutoBoostActive : 1;
            LONG ReadyTransition : 1;
            LONG WaitNext : 1;
            LONG SystemAffinityActive : 1;
            LONG Alertable : 1;
            LONG UserStackWalkActive : 1;
            LONG ApcInterruptRequest : 1;
            LONG QuantumEndMigrate : 1;
            LONG UmsDirectedSwitchEnable : 1;
            LONG TimerActive : 1;
            LONG SystemThread : 1;
            LONG ProcessDetachActive : 1;
            LONG CalloutActive : 1;
            LONG ScbReadyQueue : 1;
            LONG ApcQueueable : 1;
            LONG ReservedStackInUse : 1;
            LONG UmsPerformingSyscall : 1;
            LONG TimerSuspended : 1;
            LONG SuspendedWaitMode : 1;
            LONG SuspendSchedulerApcWait : 1;
            LONG CetUserShadowStack : 1;
            LONG BypassProcessFreeze : 1;
            LONG Reserved : 1;
        };
        LONG MiscFlags;                    // all of the above as one word
    };
    union
    {
        struct
        {
            LONG BamQosLevel : 2;
            LONG AutoAlignment : 1;        // memory-access alignment; inherited from the process object's field
            LONG DisableBoost : 1;         // priority-boost setting; inherited from the process object's field
            LONG AlertedByThreadId : 1;
            LONG QuantumDonation : 1;
            LONG EnableStackSwap : 1;      // whether this thread's kernel stack may be swapped out
            LONG GuiThread : 1;
            LONG DisableQuantum : 1;       // quantum setting; inherited from the process object's field
            LONG ChargeOnlySchedulingGroup : 1;
            LONG DeferPreemption : 1;
            LONG QueueDeferPreemption : 1;
            LONG ForceDeferSchedule : 1;
            LONG SharedReadyQueueAffinity : 1;
            LONG FreezeCount : 1;
            LONG TerminationApcRequest : 1;
            LONG AutoBoostEntriesExhausted : 1;
            LONG KernelStackResident : 1;  // whether the thread's kernel stack is resident in memory
            LONG TerminateRequestReason : 2;
            LONG ProcessStackCountDecremented : 1;
            LONG RestrictedGuiThread : 1;
            LONG VpBackingThread : 1;
            LONG ThreadFlagsSpare : 1;
            LONG EtwStackTraceApcInserted : 8;
        };
        LONG ThreadFlags;                  // all of the above as one word
    };
    UCHAR Tag;
    UCHAR SystemHeteroCpuPolicy;
    union
    {
        struct
        {
            UCHAR UserHeteroCpuPolicy : 7;
            UCHAR ExplicitSystemHeteroCpuPolicy : 1;
        };
    };
    UCHAR Spare0;
    ULONG SystemCallNumber;
    ULONG ReadyTime;
    PVOID FirstArgument;
    struct _KTRAP_FRAME *TrapFrame;        // saved register context from before the thread was switched out
    union
    {
        struct _KAPC_STATE ApcState;
        UCHAR ApcStateFill;                // NOTE(review): a single byte cannot pad a union; presumably a filler array in the source layout
    };
    CHAR Priority;                         // dynamic priority of the thread
    ULONG UserIdealProcessor;
    LONG64 WaitStatus;
    // NOTE(review): embedded by value here; presumably a pointer in the real
    // layout -- if so, every offset after this point is shifted. Confirm.
    struct _KWAIT_BLOCK WaitBlockList;     // wait blocks recording which dispatcher objects this thread waits on
    union
    {
        struct _LIST_ENTRY WaitListEntry;          // doubly-linked list link
        struct _SINGLE_LIST_ENTRY SwapListEntry;   // singly-linked list link
    };
    struct _DISPATCHER_HEADER *Queue;      // dispatcher object; when non-NULL this thread is processing items of this queue
    PVOID Teb;                             // user-mode TEB of the thread
    ULONG64 RelativeTimerBias;
    struct _KTIMER Timer;                  // timer object attached to the thread
    // NOTE(review): as transcribed, every member of this union -- including
    // ContextSwitches, State, WaitIrql, WaitMode, WaitTime, the APC-disable
    // counters and the three trailing pointers -- starts at offset 0 of
    // WaitBlock. The WaitBlockFill* single bytes cannot act as padding inside a
    // union, so the original layout presumably interleaves these fields with
    // filler arrays around a WaitBlock array. Do not take offsets from here.
    union
    {
        struct _KWAIT_BLOCK WaitBlock;     // wait blocks for the objects being waited on; up to 4 are kept inline for speed, more are allocated dynamically
        UCHAR WaitBlockFill4;
        UCHAR WaitBlockFill5;
        UCHAR WaitBlockFill6;
        UCHAR WaitBlockFill7;
        UCHAR WaitBlockFill8;
        UCHAR WaitBlockFill9;
        UCHAR WaitBlockFill10;
        UCHAR WaitBlockFill11;
        ULONG ContextSwitches;
        UCHAR State;
        CHAR Spare13;
        UCHAR WaitIrql;
        CHAR WaitMode;
        ULONG WaitTime;
        union
        {
            SHORT KernelApcDisable;        // 0 = normal kernel APC delivery enabled, negative = disabled
            SHORT SpecialApcDisable;       // 0 = special kernel APC delivery enabled, negative = disabled
            ULONG CombinedApcDisable;      // both counters as one word
        };
        struct _KTHREAD_COUNTERS *ThreadCounters;
        struct _XSTATE_SAVE *XStateSave;
        PVOID Win32Thread;                 // per-thread area managed by the Windows subsystem
    };
    struct _UMS_CONTROL_BLOCK *Ucb;
    struct _KUMS_CONTEXT_HEADER *Uch;
    PVOID Spare21;
    struct _LIST_ENTRY QueueListEntry;     // link into a queue object's thread list while this thread processes that queue
    union
    {
        ULONG NextProcessor;
        struct
        {
            ULONG NextProcessorNumber : 31;
            ULONG SharedReadyQueue : 1;
        };
    };
    LONG QueuePriority;
    struct _KPROCESS *Process;             // process object this thread belongs to
    union
    {
        struct _GROUP_AFFINITY UserAffinity;
        UCHAR UserAffinityFill;            // NOTE(review): single byte in a union; presumably a filler array
    };
    CHAR PreviousMode;                     // previous processor mode (kernel / user)
    CHAR BasePriority;                     // base (static) priority
    union
    {
        CHAR PriorityDecrement;            // decrement applied to the dynamic priority
        struct
        {
            CHAR ForegroundBoost : 4;
            CHAR UnusualBoost : 4;
        };
    };
    UCHAR Preempted;                       // whether a higher-priority thread preempted this one
    UCHAR AdjustReason;
    CHAR AdjustIncrement;
    ULONG64 AffinityVersion;
    union
    {
        struct _GROUP_AFFINITY Affinity;
        UCHAR AffinityFill;                // NOTE(review): single byte in a union; presumably a filler array
    };
    UCHAR ApcStateIndex;                   // index of the active APC state in ApcStatePointer
    UCHAR WaitBlockCount;
    ULONG IdealProcessor;
    ULONG64 NpxState;
    union
    {
        struct _KAPC_STATE SavedApcState;
        UCHAR SavedApcStateFill;           // NOTE(review): single byte in a union; presumably a filler array
    };
    UCHAR WaitReason;
    CHAR SuspendCount;
    CHAR Saturation;
    USHORT SListFaultCount;
    // NOTE(review): same flattening as the WaitBlock union above -- every
    // member here starts at offset 0 of SchedulerApc as written.
    union
    {
        struct _KAPC SchedulerApc;
        UCHAR SchedulerApcFill0;
        UCHAR ResourceIndex;
        UCHAR SchedulerApcFill1;
        UCHAR QuantumReset;
        UCHAR SchedulerApcFill2;
        ULONG KernelTime;
        UCHAR SchedulerApcFill3;
        struct _KPRCB *WaitPrcb;
        UCHAR SchedulerApcFill4;
        PVOID LegoData;
        UCHAR SchedulerApcFill5;
        UCHAR CallbackNestingLevel;
        ULONG UserTime;                    // CPU time spent in user mode
    };
    struct _KEVENT SuspendEvent;
    struct _LIST_ENTRY ThreadListEntry;    // link into the owning KPROCESS's thread list, added at thread creation
    struct _LIST_ENTRY MutantListHead;     // head of the list of mutants (mutexes) owned by this thread
    UCHAR AbEntrySummary;
    UCHAR AbWaitEntryCount;
    UCHAR AbAllocationRegionCount;
    CHAR SystemPriority;
    ULONG SecureThreadCookie;
    struct _KLOCK_ENTRY LockEntries;       // NOTE(review): declared as a single entry here; presumably an array in the source layout
    struct _SINGLE_LIST_ENTRY PropagateBoostsEntry;
    struct _SINGLE_LIST_ENTRY IoSelfBoostsEntry;
    UCHAR PriorityFloorCounts;
    ULONG PriorityFloorSummary;
    LONG AbCompletedIoBoostCount;
    LONG AbCompletedIoQoSBoostCount;
    SHORT KeReferenceCount;
    UCHAR AbOrphanedEntrySummary;
    UCHAR AbOwnedEntryCount;
    ULONG ForegroundLossTime;
    union
    {
        struct _LIST_ENTRY GlobalForegroundListEntry;
        struct _SINGLE_LIST_ENTRY ForegroundDpcStackListEntry;
    };
    ULONG64 InGlobalForegroundList;
    LONG64 ReadOperationCount;
    LONG64 WriteOperationCount;
    LONG64 OtherOperationCount;
    LONG64 ReadTransferCount;
    LONG64 WriteTransferCount;
    LONG64 OtherTransferCount;
    struct _KSCB *QueuedScb;
    ULONG ThreadTimerDelay;
    union
    {
        LONG ThreadFlags2;
        struct
        {
            LONG PpmPolicy : 2;
            LONG ThreadFlags2Reserved : 30;
        };
    };
    ULONG64 TracingPrivate;
    PVOID SchedulerAssist;
    PVOID AbWaitObject;
}KTHREAD, *PKTHREAD;
一脸懵逼的进来,一脸懵逼的出去 原来这有,我还对windbg敲了一天,请教下这类资料在哪里有可以学习,谢谢!