JIURL's Win2k process and thread article series: ETHREAD. JIURL Home: http://jiurl.yeah.net Date: 2003-7-30
Each thread is described by an ETHREAD structure; the kernel-level KTHREAD is embedded in it as Tcb at offset 000. The field offsets listed below were dumped from Windows 2000 Build 2195 and are specific to that build: any driver, debugger script or forensic tool that hard-codes them must re-verify them against the exact build it runs on (e.g. with `!strct ethread` as used here, or `dt nt!_ETHREAD` in a current kd). For security review the fields to note are HideFromDebugger (223), ImpersonationInfo (208) together with ActiveImpersonationInfo (23b), GrantedAccess (228), the per-thread ServiceTable pointer (0dc), and StartAddress / Win32StartAddress (230 / 234).
The Win2k (Build 2195) ETHREAD layout below is the output of the kernel debugger command `kd> !strct ethread`:
struct _ETHREAD (sizeof = 584) 000 struct _KTHREAD Tcb 000 struct _DISPATCHER_HEADER Header 000 byte Type 001 byte Absolute 002 byte Size 003 byte Inserted 004 int32 SignalState 008 struct _LIST_ENTRY WaitListHead 008 struct _LIST_ENTRY * Flink 00c struct _LIST_ENTRY * Blink 010 struct _LIST_ENTRY MutantListHead 010 struct _LIST_ENTRY * Flink 014 struct _LIST_ENTRY * Blink 018 void * InitialStack 01c void * StackLimit 020 void * Teb 024 void * TlsArray 028 void * KernelStack 02c byte DebugActive 02d byte State 02e byte Alerted [2] 030 byte Iopl 031 byte NpxState 032 char Saturation 033 char Priority 034 struct _KAPC_STATE ApcState 034 struct _LIST_ENTRY ApcListHead [2] struct _LIST_ENTRY * Flink struct _LIST_ENTRY * Blink 044 struct _KPROCESS * Process 048 byte KernelApcInProgress 049 byte KernelApcPending 04a byte UserApcPending 04c uint32 ContextSwitches 050 int32 WaitStatus 054 byte WaitIrql 055 char WaitMode 056 byte WaitNext 057 byte WaitReason 058 struct _KWAIT_BLOCK * WaitBlockList 05c struct _LIST_ENTRY WaitListEntry 05c struct _LIST_ENTRY * Flink 060 struct _LIST_ENTRY * Blink 064 uint32 WaitTime 068 char BasePriority 069 byte DecrementCount 06a char PriorityDecrement 06b char Quantum 06c struct _KWAIT_BLOCK WaitBlock [4] struct _LIST_ENTRY WaitListEntry struct _LIST_ENTRY * Flink struct _LIST_ENTRY * Blink struct _KTHREAD * Thread void * Object struct _KWAIT_BLOCK * NextWaitBlock uint16 WaitKey uint16 WaitType 0cc void * LegoData 0d0 uint32 KernelApcDisable
0d4 uint32 UserAffinity 0d8 byte SystemAffinityActive 0d9 byte PowerState 0da byte NpxIrql 0db byte Pad [1] 0dc void * ServiceTable 0e0 struct _KQUEUE * Queue 0e4 uint32 ApcQueueLock 0e8 struct _KTIMER Timer 0e8 struct _DISPATCHER_HEADER Header 0e8 byte Type 0e9 byte Absolute 0ea byte Size 0eb byte Inserted 0ec int32 SignalState 0f0 struct _LIST_ENTRY WaitListHead 0f0 struct _LIST_ENTRY * Flink 0f4 struct _LIST_ENTRY * Blink 0f8 union _ULARGE_INTEGER DueTime 0f8 uint32 LowPart 0fc uint32 HighPart 0f8 struct __unnamed12 u 0f8 uint32 LowPart 0fc uint32 HighPart 0f8 uint64 QuadPart 100 struct _LIST_ENTRY TimerListEntry 100 struct _LIST_ENTRY * Flink 104 struct _LIST_ENTRY * Blink 108 struct _KDPC * Dpc 10c int32 Period 110 struct _LIST_ENTRY QueueListEntry 110 struct _LIST_ENTRY * Flink 114 struct _LIST_ENTRY * Blink 118 uint32 Affinity 11c byte Preempted 11d byte ProcessReadyQueue 11e byte KernelStackResident 11f byte NextProcessor 120 void * CallbackStack 124 void * Win32Thread 128 struct _KTRAP_FRAME * TrapFrame 12c struct _KAPC_STATE * ApcStatePointer [2] 134 char PreviousMode 135 byte EnableStackSwap 136 byte LargeStack 137 byte ResourceIndex 138 uint32 KernelTime 13c uint32 UserTime 140 struct _KAPC_STATE SavedApcState 140 struct _LIST_ENTRY ApcListHead [2] struct _LIST_ENTRY * Flink struct _LIST_ENTRY * Blink 150 struct _KPROCESS * Process 154 byte KernelApcInProgress 155 byte KernelApcPending 156 byte UserApcPending 158 byte Alertable 159 byte ApcStateIndex 15a byte ApcQueueable 15b byte AutoAlignment
15c void * StackBase 160 struct _KAPC SuspendApc 160 int16 Type 162 int16 Size 164 uint32 Spare0 168 struct _KTHREAD * Thread 16c struct _LIST_ENTRY ApcListEntry 16c struct _LIST_ENTRY * Flink 170 struct _LIST_ENTRY * Blink 174 function * KernelRoutine 178 function * RundownRoutine 17c function * NormalRoutine 180 void * NormalContext 184 void * SystemArgument1 188 void * SystemArgument2 18c char ApcStateIndex 18d char ApcMode 18e byte Inserted 190 struct _KSEMAPHORE SuspendSemaphore 190 struct _DISPATCHER_HEADER Header 190 byte Type 191 byte Absolute 192 byte Size 193 byte Inserted 194 int32 SignalState 198 struct _LIST_ENTRY WaitListHead 198 struct _LIST_ENTRY * Flink 19c struct _LIST_ENTRY * Blink 1a0 int32 Limit 1a4 struct _LIST_ENTRY ThreadListEntry 1a4 struct _LIST_ENTRY * Flink 1a8 struct _LIST_ENTRY * Blink 1ac char FreezeCount 1ad char SuspendCount 1ae byte IdealProcessor 1af byte DisableBoost 1b0 union _LARGE_INTEGER CreateTime 1b0 uint32 LowPart 1b4 int32 HighPart 1b0 struct __unnamed3 u 1b0 uint32 LowPart 1b4 int32 HighPart 1b0 int64 QuadPart 1b0 bits0-1 NestedFaultCount 1b0 bits2-2 ApcNeeded 1b8 union _LARGE_INTEGER ExitTime 1b8 uint32 LowPart 1bc int32 HighPart 1b8 struct __unnamed3 u 1b8 uint32 LowPart 1bc int32 HighPart 1b8 int64 QuadPart 1b8 struct _LIST_ENTRY LpcReplyChain 1b8 struct _LIST_ENTRY * Flink 1bc struct _LIST_ENTRY * Blink 1c0 int32 ExitStatus 1c0 void * OfsChain 1c4 struct _LIST_ENTRY PostBlockList 1c4 struct _LIST_ENTRY * Flink 1c8 struct _LIST_ENTRY * Blink
1cc struct _LIST_ENTRY TerminationPortList 1cc struct _LIST_ENTRY * Flink 1d0 struct _LIST_ENTRY * Blink 1d4 uint32 ActiveTimerListLock 1d8 struct _LIST_ENTRY ActiveTimerListHead 1d8 struct _LIST_ENTRY * Flink 1dc struct _LIST_ENTRY * Blink 1e0 struct _CLIENT_ID Cid 1e0 void * UniqueProcess 1e4 void * UniqueThread 1e8 struct _KSEMAPHORE LpcReplySemaphore 1e8 struct _DISPATCHER_HEADER Header 1e8 byte Type 1e9 byte Absolute 1ea byte Size 1eb byte Inserted 1ec int32 SignalState 1f0 struct _LIST_ENTRY WaitListHead 1f0 struct _LIST_ENTRY * Flink 1f4 struct _LIST_ENTRY * Blink 1f8 int32 Limit 1fc void * LpcReplyMessage 200 uint32 LpcReplyMessageId 204 uint32 PerformanceCountLow 208 struct _PS_IMPERSONATION_INFORMATION * ImpersonationInfo 20c struct _LIST_ENTRY IrpList 20c struct _LIST_ENTRY * Flink 210 struct _LIST_ENTRY * Blink 214 uint32 TopLevelIrp 218 struct _DEVICE_OBJECT * DeviceToVerify 21c uint32 ReadClusterSize 220 byte ForwardClusterOnly 221 byte DisablePageFaultClustering 222 byte DeadThread 223 byte HideFromDebugger 224 uint32 HasTerminated 228 uint32 GrantedAccess 22c struct _EPROCESS * ThreadsProcess 230 void * StartAddress 234 void * Win32StartAddress 234 uint32 LpcReceivedMessageId 238 byte LpcExitThreadCalled 239 byte HardErrorsAreDisabled 23a byte LpcReceivedMsgIdValid 23b byte ActiveImpersonationInfo 23c int32 PerformanceCountHigh 240 struct _LIST_ENTRY ThreadListEntry 240 struct _LIST_ENTRY * Flink 244 struct _LIST_ENTRY * Blink
struct _KTRAP_FRAME (sizeof = 140) 00 uint32 DbgEbp 04 uint32 DbgEip 08 uint32 DbgArgMark
0c uint32 DbgArgPointer 10 uint32 TempSegCs 14 uint32 TempEsp 18 uint32 Dr0 1c uint32 Dr1 20 uint32 Dr2 24 uint32 Dr3 28 uint32 Dr6 2c uint32 Dr7 30 uint32 SegGs 34 uint32 SegEs 38 uint32 SegDs 3c uint32 Edx 40 uint32 Ecx 44 uint32 Eax 48 uint32 PreviousPreviousMode 4c struct _EXCEPTION_REGISTRATION_RECORD * ExceptionList 50 uint32 SegFs 54 uint32 Edi 58 uint32 Esi 5c uint32 Ebx 60 uint32 Ebp 64 uint32 ErrCode 68 uint32 Eip 6c uint32 SegCs 70 uint32 EFlags 74 uint32 HardwareEsp 78 uint32 HardwareSegSs 7c uint32 V86Es 80 uint32 V86Ds 84 uint32 V86Fs 88 uint32 V86Gs
All threads of a process
All threads of a process are chained together in circular doubly-linked lists built from LIST_ENTRY structures, and there are two such lists. The first is headed by ThreadListHead in the KPROCESS (the Pcb at the start of EPROCESS); each element is the ThreadListEntry in the KTHREAD (the Tcb at the start of ETHREAD). The second is headed by ThreadListHead in the EPROCESS itself; each element is the ThreadListEntry in the thread's ETHREAD. Walking either list reaches every thread of the process, and because KTHREAD is the first member of ETHREAD, locating one structure gives the other. The two lists are maintained separately, so comparing the set of threads reached through each is a cheap consistency check when auditing a process.
KTHREAD list
struct _EPROCESS (sizeof = 648) 000 struct _KPROCESS Pcb 050 struct _LIST_ENTRY ThreadListHead 050 struct _LIST_ENTRY * Flink 054 struct _LIST_ENTRY * Blink
struct _ETHREAD (sizeof = 584) 000 struct _KTHREAD Tcb 1a4 struct _LIST_ENTRY ThreadListEntry 1a4 struct _LIST_ENTRY * Flink 1a8 struct _LIST_ENTRY * Blink
ETHREAD list
struct _EPROCESS (sizeof = 648) 270 struct _LIST_ENTRY ThreadListHead 270 struct _LIST_ENTRY * Flink 274 struct _LIST_ENTRY * Blink
struct _ETHREAD (sizeof = 584) 240 struct _LIST_ENTRY ThreadListEntry 240 struct _LIST_ENTRY * Flink 244 struct _LIST_ENTRY * Blink
Thread ID and the ID of the owning process
1e0 struct _CLIENT_ID Cid 1e0 void * UniqueProcess 1e4 void * UniqueThread
The process a thread belongs to
000 struct _KTHREAD Tcb 034 struct _KAPC_STATE ApcState 044 struct _KPROCESS * Process 22c struct _EPROCESS * ThreadsProcess
KTHREAD offset 044, KPROCESS * Process, points to the KPROCESS structure of the process the thread belongs to. ETHREAD offset 22c, EPROCESS * ThreadsProcess, points to the EPROCESS structure of that process. Since the KPROCESS is embedded at the very beginning of the EPROCESS (Pcb at offset 000), the two pointers hold the same address. Note that ApcState at 034 has a counterpart, SavedApcState at 140, selected by ApcStateIndex at 159; this article does not cover when the active APC state is swapped, so treat the equality of the two pointers as the common case rather than an invariant, prefer ThreadsProcess at 22c as the owner reference, and investigate any mismatch rather than assume it away.
Stack
018 void * InitialStack 15c void * StackBase 01c void * StackLimit
Every thread has two stacks of its own: a kernel-mode stack and a user-mode stack. While the thread executes in kernel mode (ring 0) it uses the kernel-mode stack; while it executes in user mode it uses the user-mode stack. Threads that only ever run in kernel mode, such as some threads of the System process (PID 8 on Win2k), have no user-mode stack at all. A thread's kernel-mode stack lives in the system address space.
In the ETHREAD, InitialStack at offset 018 is the highest address of the thread's kernel-mode stack, i.e. its starting point, since the stack grows downward. StackBase at offset 15c also points to that highest address of the kernel-mode stack, and StackLimit at offset 01c holds its lowest address; together they bound the kernel stack and are what kernel code should check against when validating a kernel-mode stack pointer. Information about the thread's user-mode stack is kept in the thread's TEB (reachable through the Teb pointer at offset 020), which is accessible to user mode, so stack bounds that kernel code reads from it must be validated rather than trusted.