Obtaining a structure from a plain address
dt <address>
Finding the pending IRPs in a module
What information does !thread xxxxxx actually provide:
3: kd> !thread
THREAD ffffe0000341f040  Cid 0004.0590  Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 3
IRP List:
    ffffe00002dadb10: (0006,03a0) Flags: 00060000  Mdl: 00000000
Not impersonating
DeviceMap                 ffffc0000000c2e0
Owning Process            ffffe0000023b700       Image:         System
Attached Process          N/A            Image:         N/A
Wait Start TickCount      103483         Ticks: 7646 (0:00:01:59.468)
Context Switch Count      114            IdealProcessor: 0             NoStackSwap
UserTime                  00:00:00.000
KernelTime                00:01:59.468
Win32 Start Address nt!ExpWorkerThread (0xfffff802e12b6118)
Stack Init ffffd00021c66c90 Current ffffd00021c66310
Base ffffd00021c67000 Limit ffffd00021c61000 Call 0
Priority 13 BasePriority 13 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
Child-SP          RetAddr           : Args to Child                                                           : Call Site
ffffd000`21c66400 fffff802`e12bb3c6 : 00000000`00000000 00000000`00000002 ffffd000`20688180 ffffe000`0341f140 : nt! ?? ::FNODOBFM::`string'+0xc614
ffffd000`21c66500 fffff802`e13cee23 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiDeliverApc+0x136
ffffd000`21c66580 fffff800`031d3368 : 00000000`00000000 ffffd000`21c667b0 ffffe000`021d0ef0 00000000`00000000 : nt!KiApcInterrupt+0xc3 (TrapFrame @ ffffd000`21c66580)
ffffd000`21c66710 fffff800`031d28eb : fffff800`031d8000 ffffd000`21c66880 00000000`00000000 fffff800`00000000 : btfilter+0x2368
ffffd000`21c66780 fffff800`031d6010 : ffffe000`0375ebd0 ffffe000`0375ebd0 00000000`00000001 ffffe000`021d0ef0 : btfilter+0x18eb
ffffd000`21c66920 fffff802`e12bd118 : ffffe000`0375ebd0 ffffd000`21c66a09 ffffe000`021a9201 ffffe000`0375eee3 : btfilter+0x5010
ffffd000`21c66960 fffff800`02f0c604 : ffffe000`0341f040 00000000`00000000 ffffe000`0198a000 ffffe000`021a92a0 : nt!IopfCompleteRequest+0x438
ffffd000`21c66a70 fffff800`02f083de : ffffe000`0198a1a0 00000000`00000000 ffffe000`0198a050 ffffe000`02ab6130 : usbhub!UsbhPdoUnblockPendedD0IrpWI+0xb0
ffffd000`21c66ab0 fffff802`e12b5c87 : ffffe000`011a8400 ffffe000`0198a050 00000000`00000000 fffff802`e135c14e : usbhub!UsbhHubWorker+0x62
ffffd000`21c66af0 fffff802`e12b63cd : fffff802`00000003 fffff802`e12b5bac ffffd000`21c66bd0 ffffe000`011a8400 : nt!IopProcessWorkItem+0xdb
ffffd000`21c66b50 fffff802`e1361664 : 00000000`00004000 ffffe000`0341f040 ffffe000`0341f040 ffffe000`0023b700 : nt!ExpWorkerThread+0x2b5
ffffd000`21c66c00 fffff802`e13d06c6 : ffffd000`201e7180 ffffe000`0341f040 ffffe000`00245640 00000004`00000b9c : nt!PspSystemThreadStartup+0x58
ffffd000`21c66c60 00000000`00000000 : ffffd000`21c67000 ffffd000`21c61000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x16
The thread structures on Windows 8.1
3: kd> dt _ETHREAD
ACPI!_ETHREAD
   +0x000 Tcb : _KTHREAD
   +0x5d0 CreateTime : _LARGE_INTEGER
   +0x5d8 ExitTime : _LARGE_INTEGER
   +0x5d8 KeyedWaitChain : _LIST_ENTRY
   +0x5e8 ChargeOnlySession : Ptr64 Void
   +0x5f0 PostBlockList : _LIST_ENTRY
   +0x5f0 ForwardLinkShadow : Ptr64 Void
   +0x5f8 StartAddress : Ptr64 Void
   +0x600 TerminationPort : Ptr64 _TERMINATION_PORT
   +0x600 ReaperLink : Ptr64 _ETHREAD
   +0x600 KeyedWaitValue : Ptr64 Void
   +0x608 ActiveTimerListLock : Uint8B
   +0x610 ActiveTimerListHead : _LIST_ENTRY
   +0x620 Cid : _CLIENT_ID
   +0x630 KeyedWaitSemaphore : _KSEMAPHORE
   +0x630 AlpcWaitSemaphore : _KSEMAPHORE
   +0x650 ClientSecurity : _PS_CLIENT_SECURITY_CONTEXT
   +0x658 IrpList : _LIST_ENTRY
   +0x668 TopLevelIrp : Uint8B
   +0x670 DeviceToVerify : Ptr64 _DEVICE_OBJECT
   +0x678 Win32StartAddress : Ptr64 Void
   +0x680 LegacyPowerObject : Ptr64 Void
   +0x688 ThreadListEntry : _LIST_ENTRY
   +0x698 RundownProtect : _EX_RUNDOWN_REF
   +0x6a0 ThreadLock : _EX_PUSH_LOCK
   +0x6a8 ReadClusterSize : Uint4B
   +0x6ac MmLockOrdering : Int4B
   +0x6b0 CmLockOrdering : Int4B
   +0x6b4 CrossThreadFlags : Uint4B
   +0x6b4 Terminated : Pos 0, 1 Bit
   +0x6b4 ThreadInserted : Pos 1, 1 Bit
   +0x6b4 HideFromDebugger : Pos 2, 1 Bit
   +0x6b4 ActiveImpersonationInfo : Pos 3, 1 Bit
   +0x6b4 HardErrorsAreDisabled : Pos 4, 1 Bit
   +0x6b4 BreakOnTermination : Pos 5, 1 Bit
   +0x6b4 SkipCreationMsg : Pos 6, 1 Bit
   +0x6b4 SkipTerminationMsg : Pos 7, 1 Bit
   +0x6b4 CopyTokenOnOpen : Pos 8, 1 Bit
   +0x6b4 ThreadIoPriority : Pos 9, 3 Bits
   +0x6b4 ThreadPagePriority : Pos 12, 3 Bits
   +0x6b4 RundownFail : Pos 15, 1 Bit
   +0x6b4 UmsForceQueueTermination : Pos 16, 1 Bit
   +0x6b4 ReservedCrossThreadFlags : Pos 17, 15 Bits
   +0x6b8 SameThreadPassiveFlags : Uint4B
   +0x6b8 ActiveExWorker : Pos 0, 1 Bit
   +0x6b8 MemoryMaker : Pos 1, 1 Bit
   +0x6b8 ClonedThread : Pos 2, 1 Bit
   +0x6b8 KeyedEventInUse : Pos 3, 1 Bit
   +0x6b8 SelfTerminate : Pos 4, 1 Bit
   +0x6bc SameThreadApcFlags : Uint4B
   +0x6bc HardFaultBehavior : Pos 0, 1 Bit
   +0x6bc StartAddressInvalid : Pos 1, 1 Bit
   +0x6bc EtwCalloutActive : Pos 2, 1 Bit
   +0x6bc OwnsProcessWorkingSetExclusive : Pos 3, 1 Bit
   +0x6bc OwnsProcessWorkingSetShared : Pos 4, 1 Bit
   +0x6bc OwnsSystemCacheWorkingSetExclusive : Pos 5, 1 Bit
   +0x6bc OwnsSystemCacheWorkingSetShared : Pos 6, 1 Bit
   +0x6bc OwnsSessionWorkingSetExclusive : Pos 7, 1 Bit
   +0x6bd OwnsSessionWorkingSetShared : Pos 0, 1 Bit
   +0x6bd OwnsProcessAddressSpaceExclusive : Pos 1, 1 Bit
   +0x6bd OwnsProcessAddressSpaceShared : Pos 2, 1 Bit
   +0x6bd SuppressSymbolLoad : Pos 3, 1 Bit
   +0x6bd Prefetching : Pos 4, 1 Bit
   +0x6bd OwnsVadExclusive : Pos 5, 1 Bit
   +0x6bd OwnsChangeControlAreaExclusive : Pos 6, 1 Bit
   +0x6bd OwnsChangeControlAreaShared : Pos 7, 1 Bit
   +0x6be OwnsPagedPoolWorkingSetExclusive : Pos 0, 1 Bit
   +0x6be OwnsPagedPoolWorkingSetShared : Pos 1, 1 Bit
   +0x6be OwnsSystemPtesWorkingSetExclusive : Pos 2, 1 Bit
   +0x6be OwnsSystemPtesWorkingSetShared : Pos 3, 1 Bit
   +0x6be TrimTrigger : Pos 4, 2 Bits
   +0x6be Spare2 : Pos 6, 2 Bits
   +0x6bf SystemPagePriorityActive : Pos 0, 1 Bit
   +0x6bf SystemPagePriority : Pos 1, 3 Bits
   +0x6bf Spare3 : Pos 4, 4 Bits
   +0x6c0 CacheManagerActive : UChar
   +0x6c1 DisablePageFaultClustering : UChar
   +0x6c2 ActiveFaultCount : UChar
   +0x6c3 LockOrderState : UChar
   +0x6c8 AlpcMessageId : Uint8B
   +0x6d0 AlpcMessage : Ptr64 Void
   +0x6d0 AlpcReceiveAttributeSet : Uint4B
   +0x6d8 ExitStatus : Int4B
   +0x6e0 AlpcWaitListEntry : _LIST_ENTRY
   +0x6f0 CacheManagerCount : Uint4B
   +0x6f4 IoBoostCount : Uint4B
   +0x6f8 BoostList : _LIST_ENTRY
   +0x708 DeboostList : _LIST_ENTRY
   +0x718 BoostListLock : Uint8B
   +0x720 IrpListLock : Uint8B
   +0x728 ReservedForSynchTracking : Ptr64 Void
   +0x730 CmCallbackListHead : _SINGLE_LIST_ENTRY
   +0x738 ActivityId : Ptr64 _GUID
   +0x740 SeLearningModeListHead : _SINGLE_LIST_ENTRY
   +0x748 VerifierContext : Ptr64 Void
   +0x750 KernelStackReference : Uint4B
   +0x758 AdjustedClientToken : Ptr64 Void
   +0x760 UserFsBase : Uint4B
   +0x768 UserGsBase : Uint8B
   +0x770 PicoContext : Ptr64 Void
3: kd> dt _KTHREAD
ACPI!_KTHREAD
   +0x000 Header : _DISPATCHER_HEADER
   +0x018 SListFaultAddress : Ptr64 Void
   +0x020 QuantumTarget : Uint8B
   +0x028 InitialStack : Ptr64 Void
   +0x030 StackLimit : Ptr64 Void
   +0x038 StackBase : Ptr64 Void
   +0x040 ThreadLock : Uint8B
   +0x048 CycleTime : Uint8B
   +0x050 CurrentRunTime : Uint4B
   +0x054 ExpectedRunTime : Uint4B
   +0x058 KernelStack : Ptr64 Void
   +0x060 StateSaveArea : Ptr64 _XSAVE_FORMAT
   +0x068 SchedulingGroup : Ptr64 _KSCHEDULING_GROUP
   +0x070 WaitRegister : _KWAIT_STATUS_REGISTER
   +0x071 Running : UChar
   +0x072 Alerted : [2] UChar
   +0x074 KernelStackResident : Pos 0, 1 Bit
   +0x074 ReadyTransition : Pos 1, 1 Bit
   +0x074 ProcessReadyQueue : Pos 2, 1 Bit
   +0x074 WaitNext : Pos 3, 1 Bit
   +0x074 SystemAffinityActive : Pos 4, 1 Bit
   +0x074 Alertable : Pos 5, 1 Bit
   +0x074 UserStackWalkActive : Pos 6, 1 Bit
   +0x074 ApcInterruptRequest : Pos 7, 1 Bit
   +0x074 QuantumEndMigrate : Pos 8, 1 Bit
   +0x074 UmsDirectedSwitchEnable : Pos 9, 1 Bit
   +0x074 TimerActive : Pos 10, 1 Bit
   +0x074 SystemThread : Pos 11, 1 Bit
   +0x074 ProcessDetachActive : Pos 12, 1 Bit
   +0x074 CalloutActive : Pos 13, 1 Bit
   +0x074 ScbReadyQueue : Pos 14, 1 Bit
   +0x074 ApcQueueable : Pos 15, 1 Bit
   +0x074 ReservedStackInUse : Pos 16, 1 Bit
   +0x074 UmsPerformingSyscall : Pos 17, 1 Bit
   +0x074 ApcPendingReload : Pos 18, 1 Bit
   +0x074 Reserved : Pos 19, 13 Bits
   +0x074 MiscFlags : Int4B
   +0x078 AutoAlignment : Pos 0, 1 Bit
   +0x078 DisableBoost : Pos 1, 1 Bit
   +0x078 UserAffinitySet : Pos 2, 1 Bit
   +0x078 AlertedByThreadId : Pos 3, 1 Bit
   +0x078 QuantumDonation : Pos 4, 1 Bit
   +0x078 EnableStackSwap : Pos 5, 1 Bit
   +0x078 GuiThread : Pos 6, 1 Bit
   +0x078 DisableQuantum : Pos 7, 1 Bit
   +0x078 ChargeOnlySchedulingGroup : Pos 8, 1 Bit
   +0x078 DeferPreemption : Pos 9, 1 Bit
   +0x078 QueueDeferPreemption : Pos 10, 1 Bit
   +0x078 ForceDeferSchedule : Pos 11, 1 Bit
   +0x078 SharedReadyQueueAffinity : Pos 12, 1 Bit
   +0x078 FreezeCount : Pos 13, 1 Bit
   +0x078 TerminationApcRequest : Pos 14, 1 Bit
   +0x078 AutoBoostEntriesExhausted : Pos 15, 1 Bit
   +0x078 EtwStackTraceApcInserted : Pos 16, 8 Bits
   +0x078 ReservedFlags : Pos 24, 8 Bits
   +0x078 ThreadFlags : Int4B
   +0x07c Spare0 : Uint4B
   +0x080 SystemCallNumber : Uint4B
   +0x084 Spare1 : Uint4B
   +0x088 FirstArgument : Ptr64 Void
   +0x090 TrapFrame : Ptr64 _KTRAP_FRAME
   +0x098 ApcState : _KAPC_STATE
   +0x098 ApcStateFill : [43] UChar
   +0x0c3 Priority : Char
   +0x0c4 UserIdealProcessor : Uint4B
   +0x0c8 WaitStatus : Int8B
   +0x0d0 WaitBlockList : Ptr64 _KWAIT_BLOCK
   +0x0d8 WaitListEntry : _LIST_ENTRY
   +0x0d8 SwapListEntry : _SINGLE_LIST_ENTRY
   +0x0e8 Queue : Ptr64 _DISPATCHER_HEADER
   +0x0f0 Teb : Ptr64 Void
   +0x0f8 RelativeTimerBias : Uint8B
   +0x100 Timer : _KTIMER
   +0x140 WaitBlock : [4] _KWAIT_BLOCK
   +0x140 WaitBlockFill4 : [20] UChar
   +0x154 ContextSwitches : Uint4B
   +0x140 WaitBlockFill5 : [68] UChar
   +0x184 State : UChar
   +0x185 NpxState : Char
   +0x186 WaitIrql : UChar
   +0x187 WaitMode : Char
   +0x140 WaitBlockFill6 : [116] UChar
   +0x1b4 WaitTime : Uint4B
   +0x140 WaitBlockFill7 : [164] UChar
   +0x1e4 KernelApcDisable : Int2B
   +0x1e6 SpecialApcDisable : Int2B
   +0x1e4 CombinedApcDisable : Uint4B
   +0x140 WaitBlockFill8 : [40] UChar
   +0x168 ThreadCounters : Ptr64 _KTHREAD_COUNTERS
   +0x140 WaitBlockFill9 : [88] UChar
   +0x198 XStateSave : Ptr64 _XSTATE_SAVE
   +0x140 WaitBlockFill10 : [136] UChar
   +0x1c8 Win32Thread : Ptr64 Void
   +0x140 WaitBlockFill11 : [176] UChar
   +0x1f0 Ucb : Ptr64 _UMS_CONTROL_BLOCK
   +0x1f8 Uch : Ptr64 _KUMS_CONTEXT_HEADER
   +0x200 TebMappedLowVa : Ptr64 Void
   +0x208 QueueListEntry : _LIST_ENTRY
   +0x218 NextProcessor : Uint4B
   +0x218 NextProcessorNumber : Pos 0, 31 Bits
   +0x218 SharedReadyQueue : Pos 31, 1 Bit
   +0x21c QueuePriority : Int4B
   +0x220 Process : Ptr64 _KPROCESS
   +0x228 UserAffinity : _GROUP_AFFINITY
   +0x228 UserAffinityFill : [10] UChar
   +0x232 PreviousMode : Char
   +0x233 BasePriority : Char
   +0x234 PriorityDecrement : Char
   +0x234 ForegroundBoost : Pos 0, 4 Bits
   +0x234 UnusualBoost : Pos 4, 4 Bits
   +0x235 Preempted : UChar
   +0x236 AdjustReason : UChar
   +0x237 AdjustIncrement : Char
   +0x238 Affinity : _GROUP_AFFINITY
   +0x238 AffinityFill : [10] UChar
   +0x242 ApcStateIndex : UChar
   +0x243 WaitBlockCount : UChar
   +0x244 IdealProcessor : Uint4B
   +0x248 ApcStatePointer : [2] Ptr64 _KAPC_STATE
   +0x258 SavedApcState : _KAPC_STATE
   +0x258 SavedApcStateFill : [43] UChar
   +0x283 WaitReason : UChar
   +0x284 SuspendCount : Char
   +0x285 Saturation : Char
   +0x286 SListFaultCount : Uint2B
   +0x288 SchedulerApc : _KAPC
   +0x288 SchedulerApcFill0 : [1] UChar
   +0x289 ResourceIndex : UChar
   +0x288 SchedulerApcFill1 : [3] UChar
   +0x28b QuantumReset : UChar
   +0x288 SchedulerApcFill2 : [4] UChar
   +0x28c KernelTime : Uint4B
   +0x288 SchedulerApcFill3 : [64] UChar
   +0x2c8 WaitPrcb : Ptr64 _KPRCB
   +0x288 SchedulerApcFill4 : [72] UChar
   +0x2d0 LegoData : Ptr64 Void
   +0x288 SchedulerApcFill5 : [83] UChar
   +0x2db CallbackNestingLevel : UChar
   +0x2dc UserTime : Uint4B
   +0x2e0 SuspendEvent : _KEVENT
   +0x2f8 ThreadListEntry : _LIST_ENTRY
   +0x308 MutantListHead : _LIST_ENTRY
   +0x318 LockEntriesFreeList : _SINGLE_LIST_ENTRY
   +0x320 LockEntries : [6] _KLOCK_ENTRY
   +0x560 PropagateBoostsEntry : _SINGLE_LIST_ENTRY
   +0x568 IoSelfBoostsEntry : _SINGLE_LIST_ENTRY
   +0x570 PriorityFloorCounts : [16] UChar
   +0x580 PriorityFloorSummary : Uint4B
   +0x584 AbCompletedIoBoostCount : Int4B
   +0x588 AbReferenceCount : Int2B
   +0x58a AbFreeEntryCount : UChar
   +0x58b AbWaitEntryCount : UChar
   +0x58c ForegroundLossTime : Uint4B
   +0x590 GlobalForegroundListEntry : _LIST_ENTRY
   +0x590 ForegroundDpcStackListEntry : _SINGLE_LIST_ENTRY
   +0x598 InGlobalForegroundList : Uint8B
   +0x5a0 ReadOperationCount : Int8B
   +0x5a8 WriteOperationCount : Int8B
   +0x5b0 OtherOperationCount : Int8B
   +0x5b8 ReadTransferCount : Int8B
   +0x5c0 WriteTransferCount : Int8B
   +0x5c8 OtherTransferCount : Int8B
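The session below is an added example, not part of the original notes, showing how the "IRP List" line that !thread prints is derived from the structures dumped above: it walks the IrpList head at +0x658 in _ETHREAD by hand and lands on the pending IRP. The thread address (ffffe0000341f040) and IRP address (ffffe00002dadb10) are the ones on this page; anything in angle brackets is a placeholder for a value read from your own debugger output, and the _IRP.ThreadListEntry offset is deliberately queried rather than assumed. !irpfind at the end is the pool-scan alternative for when the list itself is suspect. Comment lines use WinDbg's $$ syntax.

```windbg
$$ Added example (not part of the original notes): walk the thread's
$$ pending-IRP list by hand, starting from the ETHREAD reported by !thread.

$$ 1. Display the list head inside the ETHREAD (IrpList is at +0x658 in the
$$    Windows 8.1 x64 layout dumped above). The trailing dot expands Flink/Blink.
dt nt!_ETHREAD ffffe0000341f040 IrpList.

$$ 2. Flink does not point at the start of an IRP but at the IRP's own
$$    ThreadListEntry field. Ask the debugger for that field's offset instead
$$    of hard-coding a number that differs between builds and architectures.
dt nt!_IRP ThreadListEntry

$$ 3. Subtract the offset from Flink to get the IRP base. With the single IRP
$$    shown by !thread above this evaluates to ffffe00002dadb10. If Flink is
$$    the address of the list head itself (ffffe0000341f040+0x658), the list
$$    is empty and the thread has nothing pending.
? <Flink> - <ThreadListEntry offset>

$$ 4. Inspect the IRP: each stack location, the driver that owns it, and
$$    whether it is still marked pending (verbose form).
!irp ffffe00002dadb10 1

$$ 5. Cross-check ownership: the IRP's Tail.Overlay.Thread should point back
$$    at the ETHREAD we started from.
dt nt!_IRP ffffe00002dadb10 Tail.Overlay.Thread

$$ Alternative: scan nonpaged pool (pool type 0, no restart address) for every
$$ IRP whose Tail.Overlay.Thread is this ETHREAD. Slower, but independent of
$$ the IrpList links being intact.
!irpfind 0 0 thread ffffe0000341f040
```

For the "pending IRPs in a module" question, step 4 is the one that answers it: the driver named in the IRP's current stack location is the module holding the request, and a list that keeps growing on one thread with the same owning driver is the usual sign of a filter that marks IRPs pending and never completes them.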