April 2, 2015

WD: The process KPROCESS structure (WRK)

typedef struct _KPROCESS {
    DISPATCHER_HEADER Header;
    LIST_ENTRY ProfileListHead;
 
    ULONG_PTR DirectoryTableBase[2];
 
#if defined(_X86_)
    KGDTENTRY LdtDescriptor;
    KIDTENTRY Int21Descriptor;
    USHORT IopmOffset;
    UCHAR Iopl;
    BOOLEAN Unused;
#endif
 
#if defined(_AMD64_)
    USHORT IopmOffset;
#endif
    volatile KAFFINITY ActiveProcessors;
 
    ULONG KernelTime;
    ULONG UserTime;
 
    LIST_ENTRY ReadyListHead;
    SINGLE_LIST_ENTRY SwapListEntry;
 
#if defined(_X86_)
    PVOID VdmTrapcHandler;
#else
    PVOID Reserved1;
#endif
 
    LIST_ENTRY ThreadListHead;
    KSPIN_LOCK ProcessLock;
    KAFFINITY Affinity;
 
#define KPROCESS_AUTO_ALIGNMENT_BIT 0
#define KPROCESS_DISABLE_BOOST_BIT 1
#define KPROCESS_DISABLE_QUANTUM_BIT 2
 
    union {
        struct {
            LONG AutoAlignment : 1;
            LONG DisableBoost : 1;
            LONG DisableQuantum : 1;
            LONG ReservedFlags : 29;
        };
 
        LONG ProcessFlags;
    };
 
    SCHAR BasePriority;
    SCHAR QuantumReset;
    UCHAR State;
    UCHAR ThreadSeed;
    UCHAR PowerState;
    UCHAR IdealNode;
    BOOLEAN Visited;
    union {
        KEXECUTE_OPTIONS Flags;
        UCHAR ExecuteOptions;
    };
 
#if !defined(_X86_) && !defined(_AMD64_)
 
    PALIGNMENT_EXCEPTION_TABLE AlignmentExceptionTable;
 
#endif
 
    ULONG_PTR StackCount;
    LIST_ENTRY ProcessListEntry;
} KPROCESS, *PKPROCESS, *PRKPROCESS;

Every KPROCESS object represents a process, and the converse also holds.

DISPATCHER_HEADER Header;

The Header field shows that a KPROCESS object is also a dispatcher object: a process object can be waited on with the Wait functions, and it becomes signaled when the process exits.

LIST_ENTRY ProfileListHead;

Used when this process takes part in profiling: the process is linked as a node into the global list of profiled processes (the kernel global variable KiProfileListHead).

ULONG_PTR DirectoryTableBase[2];

The first element is the address of the process's page directory; the second is the address of the page directory for the process's hyperspace.

#if defined(_X86_)
    KGDTENTRY LdtDescriptor;     // descriptor of this process's LDT (local descriptor table)
    KIDTENTRY Int21Descriptor;   // DOS compatibility: allows int 21h to be invoked
    USHORT    IopmOffset;        // location of the IOPM (I/O permission map); through it the kernel controls the process's user-mode I/O access
    UCHAR     Iopl;              // the process's I/O privilege level
    BOOLEAN   Unused;
#endif
volatile KAFFINITY ActiveProcessors;

The ActiveProcessors field records which processors the process is currently running on, as shown below:

kd> dt 8489d208  KPROCESS -y ActiveProcessors
nt!KPROCESS
   +0x034 ActiveProcessors : 0

The KernelTime and UserTime fields record the time a process object has spent in kernel mode and in user mode respectively, yet what windbg shows is:

+0x038 KernelTime       : 0
+0x03c UserTime         : 0

zero! The reason: these two process-level values are only updated when a thread terminates, so as long as no thread in the process has exited, both fields remain 0.

LIST_ENTRY ReadyListHead;

ReadyListHead is the head of a doubly linked list of the threads in this process that are in the ready state but have not yet been placed on the global ready list. The field matters when a process has been swapped out of memory: whenever one of its threads becomes ready, the thread is hung on this list and the process is requested to be swapped in; later, when the process is swapped back into memory, all threads on ReadyListHead are moved to the system-wide ready thread list.

Each entry in the list is the address of the WaitListEntry field of a KTHREAD object, so every entry can be mapped back to its thread object.

For example, KiInSwapProcesses adds each thread on the list to the global ready thread list (by calling KiReadyThread):

    PKTHREAD Thread;
    ....
    NextEntry = Process->ReadyListHead.Flink;
    while (NextEntry != &Process->ReadyListHead) {
        Thread = CONTAINING_RECORD(NextEntry, KTHREAD, WaitListEntry);  // recover the thread object from its ReadyListHead entry
        RemoveEntryList(NextEntry);
        Thread->ProcessReadyQueue = FALSE;
        KiReadyThread(Thread);
        NextEntry = Process->ReadyListHead.Flink;
    }

The SwapListEntry field is a singly linked list entry. When a process is to be swapped out of memory, this field links it into the singly linked list headed by KiProcessOutSwapListHead; when a process is to be swapped in, it links into the list headed by KiProcessInSwapListHead. Both KiProcessOutSwapListHead and KiProcessInSwapListHead are global variables defined in base\ntos\ke\kernldat.c.

PVOID VdmTrapcHandler;

Used only for running 16-bit programs in a VDM (virtual DOS machine).

LIST_ENTRY ThreadListHead;

The ThreadListHead field is the head of a list containing all of the process's current threads. A thread is added to this list when it is first created and removed from it when it terminates; the list is walked like this:

    PKTHREAD Thread;
    ....
    NextEntry = Process->ThreadListHead.Flink;
    while (NextEntry != &Process->ThreadListHead) {
        Thread = CONTAINING_RECORD(NextEntry, KTHREAD, ThreadListEntry);  // recover the thread object from its ThreadListHead entry
        KernelTime += Thread->KernelTime;
        TotalTime += Thread->UserTime;
        NextEntry = NextEntry->Flink;
    }
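As an added, self-contained illustration of the two list walks above (this is not WRK code): a user-mode C re-creation of the LIST_ENTRY/CONTAINING_RECORD idiom with toy KTHREAD and KPROCESS types that hold only the fields those loops touch. It drains ReadyListHead the way KiInSwapProcesses does and sums per-thread times over ThreadListHead; the helper names mirror the kernel's but are stand-ins defined here, and the sample threads are constructed.

```c
#include <stddef.h>
/* User-mode stand-ins for the kernel list idioms (LIST_ENTRY, CONTAINING_RECORD); not the WRK headers. */
typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;
#define CONTAINING_RECORD(addr, type, field) ((type *)((char *)(addr) - offsetof(type, field)))
static void InitializeListHead(LIST_ENTRY *h) { h->Flink = h->Blink = h; }
static void InsertTailList(LIST_ENTRY *h, LIST_ENTRY *e) {
    e->Flink = h; e->Blink = h->Blink; h->Blink->Flink = e; h->Blink = e;
}
static void RemoveEntryList(LIST_ENTRY *e) { e->Blink->Flink = e->Flink; e->Flink->Blink = e->Blink; }
/* Toy KTHREAD/KPROCESS holding only the fields the two loops on the page touch. */
typedef struct _KTHREAD {
    LIST_ENTRY ThreadListEntry;      /* on KPROCESS.ThreadListHead for the thread's lifetime */
    LIST_ENTRY WaitListEntry;        /* on KPROCESS.ReadyListHead while its process is swapped out */
    unsigned long KernelTime, UserTime;
    int ProcessReadyQueue, Readied;  /* Readied stands in for what KiReadyThread would do */
} KTHREAD;
typedef struct _KPROCESS { LIST_ENTRY ReadyListHead, ThreadListHead; } KPROCESS;
/* KiInSwapProcesses-style drain: each entry is a WaitListEntry, so CONTAINING_RECORD
 * steps back to the owning KTHREAD. Returns how many threads were readied. */
static int DrainReadyList(KPROCESS *p) {
    int n = 0;
    for (LIST_ENTRY *e = p->ReadyListHead.Flink; e != &p->ReadyListHead; e = p->ReadyListHead.Flink) {
        KTHREAD *t = CONTAINING_RECORD(e, KTHREAD, WaitListEntry);
        RemoveEntryList(e);
        t->ProcessReadyQueue = 0;
        t->Readied = 1;              /* KiReadyThread(t) in the kernel */
        n++;
    }
    return n;
}
/* Time accumulation over ThreadListHead through the other embedded LIST_ENTRY: the
 * kernel sums per-thread counters this way instead of reading KPROCESS.KernelTime/UserTime. */
static unsigned long SumThreadTimes(KPROCESS *p, unsigned long *user) {
    unsigned long kernel = 0; *user = 0;
    for (LIST_ENTRY *e = p->ThreadListHead.Flink; e != &p->ThreadListHead; e = e->Flink) {
        KTHREAD *t = CONTAINING_RECORD(e, KTHREAD, ThreadListEntry);
        kernel += t->KernelTime; *user += t->UserTime;
    }
    return kernel;
}
/* Constructed sample: three threads, the first and third parked on ReadyListHead. */
static KTHREAD g_threads[3] = { {{0},{0},10,20,1,0}, {{0},{0},5,7,0,0}, {{0},{0},1,2,1,0} };
static KPROCESS g_proc;
static KPROCESS *BuildSampleProcess(void) {
    InitializeListHead(&g_proc.ReadyListHead); InitializeListHead(&g_proc.ThreadListHead);
    for (int i = 0; i < 3; i++) {
        InsertTailList(&g_proc.ThreadListHead, &g_threads[i].ThreadListEntry);
        if (g_threads[i].ProcessReadyQueue) InsertTailList(&g_proc.ReadyListHead, &g_threads[i].WaitListEntry);
    }
    return &g_proc;
}
```

Once drained, ReadyListHead points back at itself, which is exactly the loop's exit condition; a second drain therefore readies nothing.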

KSPIN_LOCK ProcessLock;

This is a spin lock object; it protects the data members of this process.

The Affinity field specifies which processors the process's threads may run on. Its type, KAFFINITY, is a 32-bit or 64-bit integer in which each bit of the binary representation corresponds to one processor on the current machine.

    union {
        struct {
            LONG AutoAlignment : 1;   // memory-access alignment setting for this process
            LONG DisableBoost : 1;    // relates to priority boosting and quantum assignment during thread scheduling
            LONG DisableQuantum : 1;  // relates to priority boosting and quantum assignment during thread scheduling
            LONG ReservedFlags : 29;
        };

        LONG ProcessFlags;
    };

+0x064 BasePriority     : 8 ''

BasePriority specifies the base priority of the threads in a process; every thread inherits the process's BasePriority value when it starts.

+0x065 QuantumReset: 6 ''

QuantumReset specifies the base quantum reset value for the threads of a process.

+0x066 State            : 0 ''

The State field indicates whether a process is in memory; there are six possible states:

typedef enum _KPROCESS_STATE {
    ProcessInMemory,              // in memory
    ProcessOutOfMemory,           // not in memory
    ProcessInTransition,          // transitioning in
    ProcessOutTransition,         // transitioning out
    ProcessInSwap,                // being swapped in
    ProcessOutSwap                // being swapped out
} KPROCESS_STATE;

+0x067 ThreadSeed       : 0 ''

The ThreadSeed field is used to pick an appropriate ideal processor for the process's threads; on a multiprocessor system each thread has a preferred (ideal) processor.

 UCHAR PowerState;               // records the power state
 +0x069 IdealNode        : 0 ''  // selects the preferred processor node for a process; set when the process is initialized
 BOOLEAN Visited;                // unused
    union {
        KEXECUTE_OPTIONS Flags;
        UCHAR ExecuteOptions;    // sets the process's memory execution options
    };
 +0x06c StackCount       : 1     // how many of this process's threads have their stacks resident in memory; here only one thread's stack is resident
 LIST_ENTRY ProcessListEntry;

The ProcessListEntry field links all processes in the system that have active threads into one list, headed by KiProcessListHead (in the WRK this is only effective on AMD64).

To summarize, the information recorded in a KPROCESS object falls into two groups: one relates to the process's memory environment, such as the page directory and swap state; the other consists of thread-related attributes, such as the thread list and the priority and quantum settings the threads need. The KPROCESS objects in the system are chained together through the KiProcessListHead list, but that list is only used on AMD64 systems.

Author: hgy413
Article URL: https://hgy413.com/2884.html
Copyright ©: when reposting, the author and original source must be credited with a link.
