Process resources
Note: every command here is run against a kernel memory dump (.dmp) in kernel-mode debugging.
kd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS ffff84898203c440 // EPROCESS (executive process block) in kernel space; records the process's key information, such as its creation time
SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000
DirBase: 001ad002 ObjectTable: ffffe18f2b814040 HandleCount: 2564.
Image: System
PROCESS ffff8489820c6040
SessionId: none Cid: 0078 Peb: 00000000 ParentCid: 0004
DirBase: 99d00002 ObjectTable: ffffe18f2b825b80 HandleCount: 0.
Image: Registry
PROCESS ffff84898205d040
SessionId: none Cid: 01e0 Peb: 3062840000 ParentCid: 0004
DirBase: 77100002 ObjectTable: ffffe18f2c1ab340 HandleCount: 52.
Image: smss.exe
PROCESS ffff848987825580
SessionId: 0 // Windows session id: services run in session 0, the interactive user in session 1, a second (switched) user gets session 2, and so on
Cid: 02d0 // client id, i.e. the process id
Peb: 9249550000 ParentCid: 028c
DirBase: 40b000002 // page directory base address
ObjectTable: ffffe18f2da8fb40 HandleCount: 566.
Image: csrss.exe
…
!process 0 0 msmpeng.exe
PROCESS ffff84898fdd72c0
SessionId: 0 Cid: 1404 Peb: ec4ed48000 ParentCid: 0398
DirBase: 431f50002 ObjectTable: ffffe18f30607c00 HandleCount: 248.
Image: MsMpEng.exe
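Added example (not code from the original post): a small Python parser for the four-line records that `!process 0 0` prints, which rebuilds the parent/child relationship from Cid and ParentCid. The sample input is the first four records shown above, re-laid-out in WinDbg's own format with the inline comments removed. Flagging processes whose ParentCid is absent from the listing is the usual first pass when triaging a dump: the parent may simply have exited, but it is also what an unlinked parent looks like, so those pids deserve a second look.

```python
"""Parse `!process 0 0` records from WinDbg and build a parent/child view.
Added example, not from the original post; SAMPLE_LISTING reproduces the
first four records shown above in WinDbg's own layout."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SAMPLE_LISTING = """\
**** NT ACTIVE PROCESS DUMP ****
PROCESS ffff84898203c440
    SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 001ad002  ObjectTable: ffffe18f2b814040  HandleCount: 2564.
    Image: System

PROCESS ffff8489820c6040
    SessionId: none  Cid: 0078    Peb: 00000000  ParentCid: 0004
    DirBase: 99d00002  ObjectTable: ffffe18f2b825b80  HandleCount:   0.
    Image: Registry

PROCESS ffff84898205d040
    SessionId: none  Cid: 01e0    Peb: 3062840000  ParentCid: 0004
    DirBase: 77100002  ObjectTable: ffffe18f2c1ab340  HandleCount:  52.
    Image: smss.exe

PROCESS ffff848987825580
    SessionId: 0  Cid: 02d0    Peb: 9249550000  ParentCid: 028c
    DirBase: 40b000002  ObjectTable: ffffe18f2da8fb40  HandleCount: 566.
    Image: csrss.exe
"""


@dataclass
class ProcessRecord:
    eprocess: int
    session: Optional[int]   # None when WinDbg prints "none"
    pid: int
    ppid: int
    peb: int
    dirbase: int
    handle_count: int
    image: str


# One PROCESS block = header line + SessionId line + DirBase line + Image line.
_RECORD_RE = re.compile(
    r"^PROCESS\s+(?P<eprocess>[0-9a-f]+)\s*\n"
    r"\s*SessionId:\s*(?P<session>\w+)\s+Cid:\s*(?P<cid>[0-9a-f]+)\s+"
    r"Peb:\s*(?P<peb>[0-9a-f]+)\s+ParentCid:\s*(?P<ppid>[0-9a-f]+)\s*\n"
    r"\s*DirBase:\s*(?P<dirbase>[0-9a-f]+)\s+ObjectTable:\s*[0-9a-f]+\s+"
    r"HandleCount:\s*(?P<handles>\d+)\.\s*\n"
    r"\s*Image:\s*(?P<image>\S+)",
    re.IGNORECASE | re.MULTILINE,
)


def parse_process_listing(text: str) -> List[ProcessRecord]:
    """Return one ProcessRecord per PROCESS block in `!process 0 0` output."""
    records = []
    for m in _RECORD_RE.finditer(text):
        session = None if m["session"].lower() == "none" else int(m["session"])
        records.append(ProcessRecord(
            eprocess=int(m["eprocess"], 16),
            session=session,
            pid=int(m["cid"], 16),
            ppid=int(m["ppid"], 16),
            peb=int(m["peb"], 16),
            dirbase=int(m["dirbase"], 16),
            handle_count=int(m["handles"]),
            image=m["image"],
        ))
    return records


def build_tree(records: List[ProcessRecord]) -> Tuple[Dict[int, List[int]], List[int]]:
    """Map pid -> child pids, and list pids whose parent is not in the listing
    (parent already exited, or, in the suspicious case, not linked in)."""
    by_pid = {r.pid: r for r in records}
    children: Dict[int, List[int]] = {r.pid: [] for r in records}
    orphans: List[int] = []
    for r in records:
        if r.ppid in by_pid:
            children[r.ppid].append(r.pid)
        elif r.ppid != 0:          # pid 4 (System) legitimately has ParentCid 0
            orphans.append(r.pid)
    return children, orphans


if __name__ == "__main__":
    recs = parse_process_listing(SAMPLE_LISTING)
    tree, orphans = build_tree(recs)
    for r in recs:
        print(f"{r.pid:#6x} <- {r.ppid:#6x} session={r.session} {r.image}")
    print("children of pid 4:", [hex(p) for p in tree[4]])
    print("parent not in listing:", [hex(p) for p in orphans])
```

In this listing csrss.exe (pid 0x2d0) is reported as an orphan only because its parent 0x28c lies outside the four records copied here; on a full `!process 0 0` listing that pid would resolve to a session-manager child.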
The EPROCESS structure
dt _EPROCESS ffff84898fdd72c0
nt!_EPROCESS
+0x000 Pcb : _KPROCESS // kernel process block: the state the scheduler uses
+0x2d8 ProcessLock : _EX_PUSH_LOCK
+0x2e0 UniqueProcessId : 0x0000000000001404 Void // **pid**
+0x2e8 ActiveProcessLinks : _LIST_ENTRY [ 0xffff8489`8fdf1368 - 0xffff8489`8fd4b368 ]
+0x2f8 RundownProtect : _EX_RUNDOWN_REF
+0x300 Flags2 : 0xd000
+0x300 JobNotReallyActive : 0y0
+0x300 AccountingFolded : 0y0
+0x300 NewProcessReported : 0y0
+0x300 ExitProcessReported : 0y0
+0x300 ReportCommitChanges : 0y0
+0x300 LastReportMemory : 0y0
+0x300 ForceWakeCharge : 0y0
+0x300 CrossSessionCreate : 0y0
+0x300 NeedsHandleRundown : 0y0
+0x300 RefTraceEnabled : 0y0
+0x300 PicoCreated : 0y0
+0x300 EmptyJobEvaluated : 0y0
+0x300 DefaultPagePriority : 0y101
+0x300 PrimaryTokenFrozen : 0y1
+0x300 ProcessVerifierTarget : 0y0
+0x300 RestrictSetThreadContext : 0y0
+0x300 AffinityPermanent : 0y0
+0x300 AffinityUpdateEnable : 0y0
+0x300 PropagateNode : 0y0
+0x300 ExplicitAffinity : 0y0
+0x300 ProcessExecutionState : 0y00
+0x300 EnableReadVmLogging : 0y0
+0x300 EnableWriteVmLogging : 0y0
+0x300 FatalAccessTerminationRequested : 0y0
+0x300 DisableSystemAllowedCpuSet : 0y0
+0x300 ProcessStateChangeRequest : 0y00
+0x300 ProcessStateChangeInProgress : 0y0
+0x300 InPrivate : 0y0
+0x304 Flags : 0x144d0c01
+0x304 CreateReported : 0y1
+0x304 NoDebugInherit : 0y0
+0x304 ProcessExiting : 0y0 // **exiting flag**
+0x304 ProcessDelete : 0y0 // **delete flag**
+0x304 ManageExecutableMemoryWrites : 0y0
+0x304 VmDeleted : 0y0
+0x304 OutswapEnabled : 0y0
+0x304 Outswapped : 0y0
+0x304 FailFastOnCommitFail : 0y0
+0x304 Wow64VaSpace4Gb : 0y0
+0x304 AddressSpaceInitialized : 0y11
+0x304 SetTimerResolution : 0y0
+0x304 BreakOnTermination : 0y0
+0x304 DeprioritizeViews : 0y0
+0x304 WriteWatch : 0y0
+0x304 ProcessInSession : 0y1
+0x304 OverrideAddressSpace : 0y0
+0x304 HasAddressSpace : 0y1
+0x304 LaunchPrefetched : 0y1
+0x304 Background : 0y0
+0x304 VmTopDown : 0y0
+0x304 ImageNotifyDone : 0y1
+0x304 PdeUpdateNeeded : 0y0
+0x304 VdmAllowed : 0y0
+0x304 ProcessRundown : 0y0
+0x304 ProcessInserted : 0y1
+0x304 DefaultIoPriority : 0y010
+0x304 ProcessSelfDelete : 0y0
+0x304 SetTimerResolutionLink : 0y0
+0x308 **CreateTime** : _LARGE_INTEGER 0x01d48c65`21fd25d9 // creation time
+0x310 ProcessQuotaUsage : [2] 0x3270
+0x320 ProcessQuotaPeak : [2] 0x3270
+0x330 PeakVirtualSize : 0x0000020104e00000
+0x338 VirtualSize : 0x00000201`04de4000
+0x340 SessionProcessLinks : _LIST_ENTRY [ 0xffff8489`8fdf13c0 - 0xffff8489`8fd4b3c0 ]
+0x350 ExceptionPortData : 0xffff8489877e3670 Void
+0x350 ExceptionPortValue : 0xffff8489`877e3670
+0x350 ExceptionPortState : 0y000
+0x358 Token : _EX_FAST_REF // token
+0x360 MmReserved : 0
+0x368 AddressCreationLock : _EX_PUSH_LOCK
+0x370 PageTableCommitmentLock : _EX_PUSH_LOCK
+0x378 RotateInProgress : (null)
+0x380 ForkInProgress : (null)
+0x388 CommitChargeJob : (null)
+0x390 CloneRoot : _RTL_AVL_TREE
+0x398 NumberOfPrivatePages : 0x219
+0x3a0 NumberOfLockedPages : 0
+0x3a8 Win32Process : 0xffff83c602259010 Void
+0x3b0 Job : (null)
+0x3b8 SectionObject : 0xffffe18f`2b828bc0 Void
+0x3c0 SectionBaseAddress : 0x00007ff751b00000 Void
+0x3c8 Cookie : 0xde25a48d
+0x3d0 WorkingSetWatch : (null)
+0x3d8 Win32WindowStation : 0x00000000`0000004c Void
+0x3e0 InheritedFromUniqueProcessId : 0x0000000000000398 Void
+0x3e8 LdtInformation : (null)
+0x3f0 OwnerProcessId : 0x39a
+0x3f8 Peb : 0x000000ec`4ed48000 _PEB // process environment block
+0x400 Session : 0xffffb800ff71c000 _MM_SESSION_SPACE
+0x408 AweInfo : (null)
+0x410 QuotaBlock : 0xfffff800`063d1bc0 _EPROCESS_QUOTA_BLOCK
+0x418 ObjectTable : 0xffffe18f30607c00 _HANDLE_TABLE // **object handle table**
+0x420 DebugPort : (null) // **user-mode debug port**
+0x428 WoW64Process : (null)
+0x430 DeviceMap : 0xffffe18f`2b818ad0 Void
+0x438 EtwDataSource : 0xffff84898fdc80f0 Void
+0x440 PageDirectoryPte : 0
+0x448 ImageFilePointer : 0xffff8489`8fd6ad50 _FILE_OBJECT
+0x450 ImageFileName : [15] "MsMpEng.exe" // process name
+0x45f PriorityClass : 0x2 ''
+0x460 SecurityPort : (null)
+0x468 SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO
+0x470 JobLinks : _LIST_ENTRY [ 0x0000000000000000 - 0x00000000`00000000 ]
+0x480 HighestUserAddress : 0x00007fffffff0000 Void
+0x488 ThreadListHead : _LIST_ENTRY [ 0xffff8489`8fdd6728 - 0xffff8489`98572728 ]
+0x498 ActiveThreads : 0xa
+0x49c ImagePathHash : 0
+0x4a0 DefaultHardErrorProcessing : 0x8000
+0x4a4 LastThreadExitStatus : 0n0
+0x4a8 PrefetchTrace : _EX_FAST_REF
+0x4b0 LockedPagesList : (null)
+0x4b8 ReadOperationCount : _LARGE_INTEGER 0x4
+0x4c0 WriteOperationCount : _LARGE_INTEGER 0x0
+0x4c8 OtherOperationCount : _LARGE_INTEGER 0x89
+0x4d0 ReadTransferCount : _LARGE_INTEGER 0x5e0
+0x4d8 WriteTransferCount : _LARGE_INTEGER 0x0
+0x4e0 OtherTransferCount : _LARGE_INTEGER 0xdb8
+0x4e8 CommitChargeLimit : 0
+0x4f0 CommitCharge : 0x2e2
+0x4f8 CommitChargePeak : 0x2e2
+0x500 Vm : _MMSUPPORT_FULL
+0x610 MmProcessLinks : _LIST_ENTRY [ 0xffff8489`8fdf1690 - 0xffff8489`8fd4b690 ]
+0x620 ModifiedPageCount : 0x13
+0x624 ExitStatus : 0n259
+0x628 VadRoot : _RTL_AVL_TREE
+0x630 VadHint : 0xffff8489`8fd7f310 Void
+0x638 VadCount : 0x49
+0x640 VadPhysicalPages : 0
+0x648 VadPhysicalPagesLimit : 0
+0x650 AlpcContext : _ALPC_PROCESS_CONTEXT
+0x670 TimerResolutionLink : _LIST_ENTRY [ 0x0000000000000000 - 0x00000000`00000000 ]
+0x680 TimerResolutionStackRecord : (null)
+0x688 RequestedTimerResolution : 0
+0x68c SmallestTimerResolution : 0
+0x690 ExitTime : _LARGE_INTEGER 0x0
+0x698 InvertedFunctionTable : (null)
+0x6a0 InvertedFunctionTableLock : _EX_PUSH_LOCK
+0x6a8 ActiveThreadsHighWatermark : 0xa
+0x6ac LargePrivateVadCount : 0
+0x6b0 ThreadListLock : _EX_PUSH_LOCK
+0x6b8 WnfContext : 0xffffe18f2b82a010 Void
+0x6c0 ServerSilo : (null)
+0x6c8 SignatureLevel : 0x37 '7'
+0x6c9 SectionSignatureLevel : 0x8 ''
+0x6ca Protection : _PS_PROTECTION
+0x6cb HangCount : 0y0000
+0x6cb GhostCount : 0y0000
+0x6cc Flags3 : 0xc000
+0x6cc Minimal : 0y0
+0x6cc ReplacingPageRoot : 0y0
+0x6cc Crashed : 0y0
+0x6cc JobVadsAreTracked : 0y0
+0x6cc VadTrackingDisabled : 0y0
+0x6cc AuxiliaryProcess : 0y0
+0x6cc SubsystemProcess : 0y0
+0x6cc IndirectCpuSets : 0y0
+0x6cc RelinquishedCommit : 0y0
+0x6cc HighGraphicsPriority : 0y0
+0x6cc CommitFailLogged : 0y0
+0x6cc ReserveFailLogged : 0y0
+0x6cc SystemProcess : 0y0
+0x6cc HideImageBaseAddresses : 0y0
+0x6cc AddressPolicyFrozen : 0y1
+0x6cc ProcessFirstResume : 0y1
+0x6cc ForegroundExternal : 0y0
+0x6cc ForegroundSystem : 0y0
+0x6cc HighMemoryPriority : 0y0
+0x6d0 DeviceAsid : 0n0
+0x6d8 SvmData : (null)
+0x6e0 SvmProcessLock : _EX_PUSH_LOCK
+0x6e8 SvmLock : 0
+0x6f0 SvmProcessDeviceListHead : _LIST_ENTRY [ 0xffff8489`8fdd79b0 - 0xffff8489`8fdd79b0 ]
+0x700 LastFreezeInterruptTime : 0
+0x708 DiskCounters : 0xffff8489`8fdd7b08 _PROCESS_DISK_COUNTERS
+0x710 PicoContext : (null)
+0x718 TrustletIdentity : 0
+0x720 EnclaveTable : (null)
+0x728 EnclaveNumber : 0
+0x730 EnclaveLock : _EX_PUSH_LOCK
+0x738 HighPriorityFaultsAllowed : 0
+0x740 EnergyContext : 0xffff84898fdd7b30 _PO_PROCESS_ENERGY_CONTEXT
+0x748 VmContext : (null)
+0x750 SequenceNumber : 0x79
+0x758 CreateInterruptTime : 0x7454b6c
+0x760 CreateUnbiasedInterruptTime : 0x7454b6c
+0x768 TotalUnbiasedFrozenTime : 0
+0x770 LastAppStateUpdateTime : 0x7454b6c
+0x778 LastAppStateUptime : 0y0000000000000000000000000000000000000000000000000000000000000 (0)
+0x778 LastAppState : 0y000
+0x780 SharedCommitCharge : 0x206
+0x788 SharedCommitLock : _EX_PUSH_LOCK
+0x790 SharedCommitLinks : _LIST_ENTRY [ 0xffffe18f`3061d7f8 - 0xffffe18f`3472e5f8 ]
+0x7a0 AllowedCpuSets : 0
+0x7a8 DefaultCpuSets : 0
+0x7a0 AllowedCpuSetsIndirect : (null)
+0x7a8 DefaultCpuSetsIndirect : (null)
+0x7b0 DiskIoAttribution : (null)
+0x7b8 DxgProcess : 0xffffe18f`306d4a50 Void
+0x7c0 Win32KFilterSet : 0
+0x7c8 ProcessTimerDelay : _PS_INTERLOCKED_TIMER_DELAY_VALUES
+0x7d0 KTimerSets : 0
+0x7d4 KTimer2Sets : 0
+0x7d8 ThreadTimerSets : 2
+0x7e0 VirtualTimerListLock : 0
+0x7e8 VirtualTimerListHead : _LIST_ENTRY [ 0xffff8489`8fdd7aa8 - 0xffff8489`8fdd7aa8 ]
+0x7f8 WakeChannel : _WNF_STATE_NAME
+0x7f8 WakeInfo : _PS_PROCESS_WAKE_INFORMATION
+0x828 MitigationFlags : 0x8800a1
+0x828 MitigationFlagsValues :
+0x82c MitigationFlags2 : 0
+0x82c MitigationFlags2Values :
+0x830 PartitionObject : 0xffff8489`820ab800 Void
+0x838 SecurityDomain : 0
+0x840 CoverageSamplerContext : (null)
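Added example, not code from the post: walking ActiveProcessLinks with the offsets printed above (+0x2e0 UniqueProcessId, +0x2e8 ActiveProcessLinks, +0x308 CreateTime, +0x3e0 InheritedFromUniqueProcessId, +0x450 ImageFileName), which is how memory-forensics tools enumerate processes without a debugger, and converting the CreateTime value 0x01d48c65`21fd25d9 from FILETIME (100 ns ticks since 1601-01-01 UTC) into a date. The "memory image" is a constructed byte buffer holding three fake EPROCESS blocks; the middle one ("parent.exe", pid 0x398) is invented because the post does not show which image pid 0x398 is, and the offsets are valid only for the build this dump came from. The walk stops when it returns to its starting block or runs off the image, which is what keeps a corrupted Flink from looping forever.

```python
"""Walk EPROCESS.ActiveProcessLinks over a raw memory buffer using the field
offsets from the dt _EPROCESS output above.  Added example, not from the post;
the buffer below is constructed, not a real dump."""
import struct
from datetime import datetime, timedelta
from typing import List, Tuple

# Offsets copied from the dt output above; they apply to this build only.
OFF_UNIQUE_PID = 0x2E0
OFF_ACTIVE_LINKS = 0x2E8    # _LIST_ENTRY { Flink, Blink }
OFF_CREATE_TIME = 0x308     # _LARGE_INTEGER holding a FILETIME
OFF_PARENT_PID = 0x3E0      # InheritedFromUniqueProcessId
OFF_IMAGE_NAME = 0x450      # char[15]
EPROCESS_SIZE = 0x848       # last field shown (+0x840) plus one pointer; enough for the walk


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME (100 ns units since 1601-01-01 UTC) -> naive UTC datetime."""
    return datetime(1601, 1, 1) + timedelta(microseconds=ft // 10)


class FakeKernelMemory:
    """A flat buffer that answers reads at a given virtual base; stands in for a dump."""
    def __init__(self, base: int, size: int):
        self.base = base
        self.buf = bytearray(size)

    def write(self, va: int, data: bytes) -> None:
        off = va - self.base
        self.buf[off:off + len(data)] = data

    def read(self, va: int, n: int) -> bytes:
        off = va - self.base
        if off < 0 or off + n > len(self.buf):
            raise ValueError(f"read outside image: {va:#x}")
        return bytes(self.buf[off:off + n])


def put_eprocess(mem, va, pid, ppid, name, create_time, flink, blink) -> None:
    """Write only the fields the walk reads; everything else stays zero."""
    mem.write(va + OFF_UNIQUE_PID, struct.pack("<Q", pid))
    mem.write(va + OFF_ACTIVE_LINKS, struct.pack("<QQ", flink, blink))
    mem.write(va + OFF_CREATE_TIME, struct.pack("<Q", create_time))
    mem.write(va + OFF_PARENT_PID, struct.pack("<Q", ppid))
    mem.write(va + OFF_IMAGE_NAME, name.encode().ljust(15, b"\0"))


def walk_active_process_list(mem, start_eprocess: int, max_entries: int = 4096
                             ) -> List[Tuple[int, int, str, datetime]]:
    """Follow Flink from one EPROCESS until the list wraps back to a block already seen.
    Returns (pid, ppid, image name, create time) per process."""
    out, seen, va = [], set(), start_eprocess
    while va not in seen and len(out) < max_entries:
        seen.add(va)
        pid, = struct.unpack("<Q", mem.read(va + OFF_UNIQUE_PID, 8))
        ppid, = struct.unpack("<Q", mem.read(va + OFF_PARENT_PID, 8))
        ctime, = struct.unpack("<Q", mem.read(va + OFF_CREATE_TIME, 8))
        raw = mem.read(va + OFF_IMAGE_NAME, 15).split(b"\0", 1)[0]
        out.append((pid, ppid, raw.decode("ascii", "replace"), filetime_to_datetime(ctime)))
        flink, = struct.unpack("<Q", mem.read(va + OFF_ACTIVE_LINKS, 8))
        # Flink points at the _LIST_ENTRY inside the next EPROCESS; CONTAINING_RECORD
        # means subtracting the field offset to get back to the structure start.
        va = flink - OFF_ACTIVE_LINKS
    return out


def build_sample_image():
    """Three circularly linked fake EPROCESS blocks.  The real kernel list also passes
    through nt!PsActiveProcessHead, which is skipped here for simplicity."""
    base = 0xFFFF848980000000                      # constructed base address
    addrs = [base + i * EPROCESS_SIZE for i in range(3)]
    mem = FakeKernelMemory(base, 3 * EPROCESS_SIZE)
    link = lambda a: a + OFF_ACTIVE_LINKS
    # pid 4 System; pid 0x398 is a placeholder parent (not shown on the page);
    # pid 0x1404 MsMpEng.exe with the CreateTime value from the dt output above.
    put_eprocess(mem, addrs[0], 0x4, 0x0, "System", 0x01D48C6500000000, link(addrs[1]), link(addrs[2]))
    put_eprocess(mem, addrs[1], 0x398, 0x4, "parent.exe", 0x01D48C6510000000, link(addrs[2]), link(addrs[0]))
    put_eprocess(mem, addrs[2], 0x1404, 0x398, "MsMpEng.exe", 0x01D48C6521FD25D9, link(addrs[0]), link(addrs[1]))
    return mem, addrs[0]


if __name__ == "__main__":
    mem, head = build_sample_image()
    for pid, ppid, name, ctime in walk_active_process_list(mem, head):
        print(f"{pid:#6x} ppid={ppid:#6x} {name:<15} created {ctime:%Y-%m-%d %H:%M:%S} UTC")
```

The CreateTime from the dump decodes to 2018-12-05 06:38:29 UTC, consistent with the ElapsedTime of about eleven seconds that `!process` reports further down: the dump was taken shortly after the service started.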
Use !process [EPROCESS ADDR] to display a process's key information; taking MsMpEng as the example:
!process ffff84898fdd72c0
PROCESS ffff84898fdd72c0
SessionId: 0 Cid: 1404 Peb: ec4ed48000 ParentCid: 0398
DirBase: 431f50002 ObjectTable: ffffe18f30607c00 HandleCount: 248.
Image: MsMpEng.exe
VadRoot ffff84898fdd5dd0 Vads 73 Clone 0 Private 537. Modified 19. Locked 0.
DeviceMap ffffe18f2b818ad0
Token ffffe18f30642060
ElapsedTime 00:00:11.334
UserTime 00:00:00.015
KernelTime 00:00:00.015
QuotaPoolUsage[PagedPool] 90088
QuotaPoolUsage[NonPagedPool] 12912
Working Set Sizes (now,min,max) (3181, 50, 345) (12724KB, 200KB, 1380KB)
PeakWorkingSetSize 3112
VirtualSize 2101325 Mb
PeakVirtualSize 2101326 Mb
PageFaultCount 3237
MemoryPriority BACKGROUND
BasePriority 8
CommitCharge 738
THREAD ffff84898fdd6080 Cid 1404.1408 Teb: 000000ec4ed49000 Win32Thread: ffff84898f7b14c0 WAIT: (UserRequest) UserMode Non-Alertable
ffff84898fe45920 SynchronizationEvent
Not impersonating
DeviceMap ffffe18f2b818ad0
Owning Process ffff84898fdd72c0 Image: MsMpEng.exe
Attached Process N/A Image: N/A
Wait Start TickCount 784 Ticks: 722 (0:00:00:11.281)
Context Switch Count 107 IdealProcessor: 1
UserTime 00:00:00.000
KernelTime 00:00:00.015
Win32 Start Address 0x00007ff751b0c120
Stack Init ffff9789579e7b90 Current ffff9789579e75c0
Base ffff9789579e8000 Limit ffff9789579e1000 Call 0000000000000000
Priority 9 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP RetAddr Call Site
ffff9789`579e7600 fffff800`060395d6 nt!KiSwapContext+0x76
ffff9789`579e7740 fffff800`06038dcb nt!KiSwapThread+0x2c6
ffff9789`579e7810 fffff800`060384ef nt!KiCommitThreadWait+0x13b
ffff9789`579e78b0 fffff800`064e5f2c nt!KeWaitForSingleObject+0x1ff
ffff9789`579e7990 fffff800`061b9d43 nt!NtWaitForSingleObject+0xfc
ffff9789`579e7a00 00007ffd`84ee9f84 nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ ffff9789`579e7a00)
000000ec`4eb3f988 00000000`00000000 0x00007ffd`84ee9f84
THREAD ffff84898fde2080 Cid 1404.143c Teb: 000000ec4ed4b000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
ffff84898fde8440 QueueObject
Not impersonating
DeviceMap ffffe18f2b818ad0
Owning Process ffff84898fdd72c0 Image: MsMpEng.exe
Attached Process N/A Image: N/A
Wait Start TickCount 802 Ticks: 704 (0:00:00:11.000)
Context Switch Count 9 IdealProcessor: 3
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address 0x00007ffd84e6f320
Stack Init ffff978957a2fb90 Current ffff978957a2f280
Base ffff978957a30000 Limit ffff978957a29000 Call 0000000000000000
Priority 8 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP RetAddr Call Site
ffff9789`57a2f2c0 fffff800`060395d6 nt!KiSwapContext+0x76
ffff9789`57a2f400 fffff800`06038dcb nt!KiSwapThread+0x2c6
ffff9789`57a2f4d0 fffff800`060d7ae2 nt!KiCommitThreadWait+0x13b
ffff9789`57a2f570 fffff800`060d7579 nt!KeRemoveQueueEx+0x262
ffff9789`57a2f620 fffff800`060d6b44 nt!IoRemoveIoCompletion+0x99
ffff9789`57a2f740 fffff800`061b9d43 nt!NtWaitForWorkViaWorkerFactory+0x334
ffff9789`57a2f990 00007ffd`84eed854 nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ ffff9789`57a2fa00)
000000ec`4ebbf938 00000000`00000000 0x00007ffd`84eed854
THREAD ffff84898fe10040 Cid 1404.1448 Teb: 000000ec4ed4d000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
ffff84898fdab6f0 NotificationEvent
Not impersonating
DeviceMap ffffe18f2b818ad0
Owning Process ffff84898fdd72c0 Image: MsMpEng.exe
Attached Process N/A Image: N/A
Wait Start TickCount 794 Ticks: 712 (0:00:00:11.125)
Context Switch Count 5 IdealProcessor: 5
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address 0x00007ffd84e6f320
Stack Init ffff978957a4fb90 Current ffff978957a4f5c0
Base ffff978957a50000 Limit ffff978957a49000 Call 0000000000000000
Priority 8 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP RetAddr Call Site
ffff9789`57a4f600 fffff800`060395d6 nt!KiSwapContext+0x76
ffff9789`57a4f740 fffff800`06038dcb nt!KiSwapThread+0x2c6
ffff9789`57a4f810 fffff800`060384ef nt!KiCommitThreadWait+0x13b
ffff9789`57a4f8b0 fffff800`064e5f2c nt!KeWaitForSingleObject+0x1ff
ffff9789`57a4f990 fffff800`061b9d43 nt!NtWaitForSingleObject+0xfc
ffff9789`57a4fa00 00007ffd`84ee9f84 nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ ffff9789`57a4fa00)
000000ec`4ee7f3e8 00000000`00000000 0x00007ffd`84ee9f84
THREAD ffff84898fe09080 Cid 1404.1460 Teb: 000000ec4ed4f000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
ffff84898fde8440 QueueObject
Not impersonating
DeviceMap ffffe18f2b818ad0
Owning Process ffff84898fdd72c0 Image: MsMpEng.exe
Attached Process N/A Image: N/A
Wait Start TickCount 800 Ticks: 706 (0:00:00:11.031)
Context Switch Count 6 IdealProcessor: 7
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address 0x00007ffd84e6f320
Stack Init ffff978957a7fb90 Current ffff978957a7f280
Base ffff978957a80000 Limit ffff978957a79000 Call 0000000000000000
Priority 8 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP RetAddr Call Site
ffff9789`57a7f2c0 fffff800`060395d6 nt!KiSwapContext+0x76
ffff9789`57a7f400 fffff800`06038dcb nt!KiSwapThread+0x2c6
ffff9789`57a7f4d0 fffff800`060d7ae2 nt!KiCommitThreadWait+0x13b
ffff9789`57a7f570 fffff800`060d7579 nt!KeRemoveQueueEx+0x262
ffff9789`57a7f620 fffff800`060d6b44 nt!IoRemoveIoCompletion+0x99
ffff9789`57a7f740 fffff800`061b9d43 nt!NtWaitForWorkViaWorkerFactory+0x334
ffff9789`57a7f990 00007ffd`84eed854 nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ ffff9789`57a7fa00)
000000ec`4eeff6a8 00000000`00000000 0x00007ffd`84eed854
THREAD ffff84898fec9080 Cid 1404.15ac Teb: 000000ec4ed53000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
ffff84898fd1ed40 QueueObject
Not impersonating
DeviceMap ffffe18f2b818ad0
Owning Process ffff84898fdd72c0 Image: MsMpEng.exe
Attached Process N/A Image: N/A
Wait Start TickCount 794 Ticks: 712 (0:00:00:11.125)
Context Switch Count 3 IdealProcessor: 2
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address 0x00007ffd84e6f320
Stack Init ffff978957cdfb90 Current ffff978957cdf280
Base ffff978957ce0000 Limit ffff978957cd9000 Call 0000000000000000
Priority 8 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP RetAddr Call Site
ffff9789`57cdf2c0 fffff800`060395d6 nt!KiSwapContext+0x76
ffff9789`57cdf400 fffff800`06038dcb nt!KiSwapThread+0x2c6
ffff9789`57cdf4d0 fffff800`060d7ae2 nt!KiCommitThreadWait+0x13b
ffff9789`57cdf570 fffff800`060d7579 nt!KeRemoveQueueEx+0x262
ffff9789`57cdf620 fffff800`060d6b44 nt!IoRemoveIoCompletion+0x99
ffff9789`57cdf740 fffff800`061b9d43 nt!NtWaitForWorkViaWorkerFactory+0x334
ffff9789`57cdf990 00007ffd`84eed854 nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ ffff9789`57cdfa00)
000000ec`4efff588 00000000`00000000 0x00007ffd`84eed854
THREAD ffff8489901b0080 Cid 1404.1758 Teb: 000000ec4ed55000 Win32Thread: ffff84898fbe8b10 WAIT: (WrLpcReply) UserMode Non-Alertable
ffff8489901b06c8 Semaphore Limit 0x1
Waiting for reply to ALPC Message ffffe18f30694ce0 : queued at port ffff84898eb2ce20 : owned by process ffff84898e9c8580
Not impersonating
DeviceMap ffffe18f2b818ad0
Owning Process ffff84898fdd72c0 Image: MsMpEng.exe
Attached Process N/A Image: N/A
Wait Start TickCount 803 Ticks: 703 (0:00:00:10.984)
Context Switch Count 226 IdealProcessor: 4
UserTime 00:00:00.031
KernelTime 00:00:00.046
Win32 Start Address 0x00007ffd8164c490
Stack Init ffff978957ffab90 Current ffff978957ffa2e0
Base ffff978957ffb000 Limit ffff978957ff4000 Call 0000000000000000
Priority 9 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP RetAddr Call Site
ffff9789`57ffa320 fffff800`060395d6 nt!KiSwapContext+0x76
ffff9789`57ffa460 fffff800`06038dcb nt!KiSwapThread+0x2c6
ffff9789`57ffa530 fffff800`060384ef nt!KiCommitThreadWait+0x13b
ffff9789`57ffa5d0 fffff800`060283cb nt!KeWaitForSingleObject+0x1ff
ffff9789`57ffa6b0 fffff800`064b6c06 nt!AlpcpSignalAndWait+0x17b
ffff9789`57ffa750 fffff800`064b6882 nt!AlpcpReceiveSynchronousReply+0x56
ffff9789`57ffa7b0 fffff800`064b4872 nt!AlpcpProcessSynchronousRequest+0x372
ffff9789`57ffa8d0 fffff800`061b9d43 nt!NtAlpcSendWaitReceivePort+0x1e2
ffff9789`57ffa990 00007ffd`84eeb034 nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ ffff9789`57ffaa00)
000000ec`4f07eac8 00000000`00000000 0x00007ffd`84eeb034
THREAD ffff8489903b5080 Cid 1404.17a4 Teb: 000000ec4ed57000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
ffff84898fdd1f00 QueueObject
Not impersonating
DeviceMap ffffe18f2b818ad0
Owning Process ffff84898fdd72c0 Image: MsMpEng.exe
Attached Process N/A Image: N/A
Wait Start TickCount 802 Ticks: 704 (0:00:00:11.000)
Context Switch Count 6 IdealProcessor: 6
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address 0x00007ffd84e6f320
Stack Init ffff97895808fb90 Current ffff97895808f280
Base ffff978958090000 Limit ffff978958089000 Call 0000000000000000
Priority 8 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP RetAddr Call Site
ffff9789`5808f2c0 fffff800`060395d6 nt!KiSwapContext+0x76
ffff9789`5808f400 fffff800`06038dcb nt!KiSwapThread+0x2c6
ffff9789`5808f4d0 fffff800`060d7ae2 nt!KiCommitThreadWait+0x13b
ffff9789`5808f570 fffff800`060d7579 nt!KeRemoveQueueEx+0x262
ffff9789`5808f620 fffff800`060d6b44 nt!IoRemoveIoCompletion+0x99
ffff9789`5808f740 fffff800`061b9d43 nt!NtWaitForWorkViaWorkerFactory+0x334
ffff9789`5808f990 00007ffd`84eed854 nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ ffff9789`5808fa00)
000000ec`4ef7f5c8 00000000`00000000 0x00007ffd`84eed854
THREAD ffff848998525700 Cid 1404.1228 Teb: 000000ec4ed59000 Win32Thread: ffff84898fd20710 WAIT: (WrLpcReply) UserMode Non-Alertable
ffff848998525d48 Semaphore Limit 0x1
Waiting for reply to ALPC Message ffffe18f34668ce0 : queued at port ffff84898ed5f1a0 : owned by process ffff84898eb94340
Not impersonating
DeviceMap ffffe18f2b818ad0
Owning Process ffff84898fdd72c0 Image: MsMpEng.exe
Attached Process N/A Image: N/A
Wait Start TickCount 802 Ticks: 704 (0:00:00:11.000)
Context Switch Count 16 IdealProcessor: 1
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address 0x00007ffd8164c490
Stack Init ffff97895812fb90 Current ffff97895812f2e0
Base ffff978958130000 Limit ffff978958129000 Call 0000000000000000
Priority 9 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP RetAddr Call Site
ffff9789`5812f320 fffff800`060395d6 nt!KiSwapContext+0x76
ffff9789`5812f460 fffff800`06038dcb nt!KiSwapThread+0x2c6
ffff9789`5812f530 fffff800`060384ef nt!KiCommitThreadWait+0x13b
ffff9789`5812f5d0 fffff800`060283cb nt!KeWaitForSingleObject+0x1ff
ffff9789`5812f6b0 fffff800`064b6c06 nt!AlpcpSignalAndWait+0x17b
ffff9789`5812f750 fffff800`064b6882 nt!AlpcpReceiveSynchronousReply+0x56
ffff9789`5812f7b0 fffff800`064b4872 nt!AlpcpProcessSynchronousRequest+0x372
ffff9789`5812f8d0 fffff800`061b9d43 nt!NtAlpcSendWaitReceivePort+0x1e2
ffff9789`5812f990 00007ffd`84eeb034 nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ ffff9789`5812fa00)
000000ec`4f0fed28 00000000`00000000 0x00007ffd`84eeb034
THREAD ffff848998573080 Cid 1404.1870 Teb: 000000ec4ed5b000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
ffff84898fdd1f00 QueueObject
Not impersonating
DeviceMap ffffe18f2b818ad0
Owning Process ffff84898fdd72c0 Image: MsMpEng.exe
Attached Process N/A Image: N/A
Wait Start TickCount 802 Ticks: 704 (0:00:00:11.000)
Context Switch Count 1 IdealProcessor: 3
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address 0x00007ffd84e6f320
Stack Init ffff97895824fb90 Current ffff97895824f280
Base ffff978958250000 Limit ffff978958249000 Call 0000000000000000
Priority 8 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP RetAddr Call Site
ffff9789`5824f2c0 fffff800`060395d6 nt!KiSwapContext+0x76
ffff9789`5824f400 fffff800`06038dcb nt!KiSwapThread+0x2c6
ffff9789`5824f4d0 fffff800`060d7ae2 nt!KiCommitThreadWait+0x13b
ffff9789`5824f570 fffff800`060d7579 nt!KeRemoveQueueEx+0x262
ffff9789`5824f620 fffff800`060d6b44 nt!IoRemoveIoCompletion+0x99
ffff9789`5824f740 fffff800`061b9d43 nt!NtWaitForWorkViaWorkerFactory+0x334
ffff9789`5824f990 00007ffd`84eed854 nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ ffff9789`5824fa00)
000000ec`4f17f5c8 00000000`00000000 0x00007ffd`84eed854
THREAD ffff848998572080 Cid 1404.1874 Teb: 000000ec4ed5d000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
ffff848998574100 SynchronizationTimer
Not impersonating
DeviceMap ffffe18f2b818ad0
Owning Process ffff84898fdd72c0 Image: MsMpEng.exe
Attached Process N/A Image: N/A
Wait Start TickCount 803 Ticks: 703 (0:00:00:10.984)
Context Switch Count 1 IdealProcessor: 5
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address 0x00007ffd82446cd0
Stack Init ffff978958257b90 Current ffff978958256d60
Base ffff978958258000 Limit ffff978958251000 Call 0000000000000000
Priority 8 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP RetAddr Call Site
ffff9789`58256da0 fffff800`060395d6 nt!KiSwapContext+0x76
ffff9789`58256ee0 fffff800`06038dcb nt!KiSwapThread+0x2c6
ffff9789`58256fb0 fffff800`060384ef nt!KiCommitThreadWait+0x13b
ffff9789`58257050 fffff800`06037d15 nt!KeWaitForSingleObject+0x1ff
ffff9789`58257130 fffff800`064e44e0 nt!KeWaitForMultipleObjects+0x4b5
ffff9789`58257210 fffff800`064e5007 nt!ObWaitForMultipleObjects+0x2a0
ffff9789`58257710 fffff800`061b9d43 nt!NtWaitForMultipleObjects+0xf7
ffff9789`58257990 00007ffd`84eeaa54 nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ ffff9789`58257a00)
000000ec`4f1ff8c8 00000000`00000000 0x00007ffd`84eeaa54
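Added example (not from the post): a parser for the THREAD blocks in the output above, producing one record per thread with its wait reason, alertability, Win32 start address, context switch count and, for WrLpcReply waits, the server process that owes the ALPC reply. The sample input is three of the MsMpEng threads above with their stacks shortened. Grouping by start address separates the thread-pool workers (the ones all starting at 0x00007ffd84e6f320 above) from one-off threads; checking each start address against the module list from `lm` is the follow-up the code leaves to the analyst.

```python
"""Parse THREAD blocks from `!process <EPROCESS>` output into records and summarise
them.  Added example, not from the original post; SAMPLE_THREADS is three of the
MsMpEng threads shown above, stacks trimmed."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

SAMPLE_THREADS = """\
        THREAD ffff84898fdd6080  Cid 1404.1408  Teb: 000000ec4ed49000 Win32Thread: ffff84898f7b14c0 WAIT: (UserRequest) UserMode Non-Alertable
            ffff84898fe45920  SynchronizationEvent
        Not impersonating
        Owning Process            ffff84898fdd72c0       Image:         MsMpEng.exe
        Context Switch Count      107            IdealProcessor: 1
        Win32 Start Address 0x00007ff751b0c120
        Child-SP          RetAddr           Call Site
        ffff9789`579e7600 fffff800`060395d6 nt!KiSwapContext+0x76

        THREAD ffff84898fde2080  Cid 1404.143c  Teb: 000000ec4ed4b000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
            ffff84898fde8440  QueueObject
        Not impersonating
        Owning Process            ffff84898fdd72c0       Image:         MsMpEng.exe
        Context Switch Count      9              IdealProcessor: 3
        Win32 Start Address 0x00007ffd84e6f320

        THREAD ffff8489901b0080  Cid 1404.1758  Teb: 000000ec4ed55000 Win32Thread: ffff84898fbe8b10 WAIT: (WrLpcReply) UserMode Non-Alertable
            ffff8489901b06c8  Semaphore Limit 0x1
        Waiting for reply to ALPC Message ffffe18f30694ce0 : queued at port ffff84898eb2ce20 : owned by process ffff84898e9c8580
        Not impersonating
        Owning Process            ffff84898fdd72c0       Image:         MsMpEng.exe
        Context Switch Count      226            IdealProcessor: 4
        Win32 Start Address 0x00007ffd8164c490
"""


@dataclass
class ThreadRecord:
    ethread: int
    pid: int
    tid: int
    wait_reason: str
    alertable: bool
    start_address: Optional[int] = None
    context_switches: int = 0
    alpc_server_process: Optional[int] = None   # EPROCESS owning the port we wait on


_HEADER_RE = re.compile(
    r"THREAD\s+(?P<ethread>[0-9a-f]+)\s+Cid\s+(?P<pid>[0-9a-f]+)\.(?P<tid>[0-9a-f]+)"
    r".*?WAIT:\s*\((?P<reason>\w+)\)\s+(?:UserMode|KernelMode)\s+(?P<alert>Non-Alertable|Alertable)",
    re.IGNORECASE,
)
_START_RE = re.compile(r"Win32 Start Address\s+0x([0-9a-f]+)", re.IGNORECASE)
_CSW_RE = re.compile(r"Context Switch Count\s+(\d+)")
_ALPC_RE = re.compile(r"owned by process\s+([0-9a-f]+)", re.IGNORECASE)


def parse_threads(text: str) -> List[ThreadRecord]:
    """One ThreadRecord per THREAD header; detail lines attach to the most recent thread."""
    threads: List[ThreadRecord] = []
    cur: Optional[ThreadRecord] = None
    for line in text.splitlines():
        m = _HEADER_RE.search(line)
        if m:
            cur = ThreadRecord(
                ethread=int(m["ethread"], 16),
                pid=int(m["pid"], 16),
                tid=int(m["tid"], 16),
                wait_reason=m["reason"],
                alertable=(m["alert"] == "Alertable"),
            )
            threads.append(cur)
            continue
        if cur is None:
            continue
        if (m := _START_RE.search(line)):
            cur.start_address = int(m.group(1), 16)
        elif (m := _CSW_RE.search(line)):
            cur.context_switches = int(m.group(1))
        elif (m := _ALPC_RE.search(line)):
            cur.alpc_server_process = int(m.group(1), 16)
    return threads


def summarize(threads: List[ThreadRecord]) -> dict:
    """Counts per wait reason and per start address, plus the distinct ALPC server
    processes this process is currently blocked on."""
    return {
        "by_wait_reason": dict(Counter(t.wait_reason for t in threads)),
        "by_start_address": dict(Counter(t.start_address for t in threads)),
        "alpc_servers": sorted({t.alpc_server_process for t in threads if t.alpc_server_process}),
    }


if __name__ == "__main__":
    recs = parse_threads(SAMPLE_THREADS)
    for t in recs:
        print(f"tid {t.tid:#x} {t.wait_reason:<12} alertable={t.alertable} start={t.start_address:#x}")
    print(summarize(recs))
```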
Inspecting the token
!token ffffe18f30642060
_TOKEN 0xffffe18f30642060
TS Session ID: 0
User: S-1-5-18
User Groups:
00 S-1-16-16384
Attributes - GroupIntegrity GroupIntegrityEnabled
01 S-1-1-0
Attributes - Mandatory Default Enabled
02 S-1-5-32-545
Attributes - Mandatory Default Enabled
03 S-1-5-6
Attributes - Mandatory Default Enabled
04 S-1-2-1
Attributes - Mandatory Default Enabled
05 S-1-5-11
Attributes - Mandatory Default Enabled
06 S-1-5-15
Attributes - Mandatory Default Enabled
07 S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736
Attributes - Default Enabled Owner
08 S-1-5-5-0-259255
Attributes - Mandatory Default Enabled Owner LogonId
09 S-1-2-0
Attributes - Mandatory Default Enabled
10 S-1-5-32-544
Attributes - Default Enabled Owner
Primary Group: S-1-5-18
Privs:
03 0x000000003 SeAssignPrimaryTokenPrivilege Attributes - Enabled
05 0x000000005 SeIncreaseQuotaPrivilege Attributes - Enabled
07 0x000000007 SeTcbPrivilege Attributes - Enabled Default
08 0x000000008 SeSecurityPrivilege Attributes - Enabled
09 0x000000009 SeTakeOwnershipPrivilege Attributes - Enabled
10 0x00000000a SeLoadDriverPrivilege Attributes - Enabled
14 0x00000000e SeIncreaseBasePriorityPrivilege Attributes - Enabled Default
17 0x000000011 SeBackupPrivilege Attributes - Enabled
18 0x000000012 SeRestorePrivilege Attributes - Enabled
19 0x000000013 SeShutdownPrivilege Attributes - Enabled
20 0x000000014 SeDebugPrivilege Attributes - Enabled Default
22 0x000000016 SeSystemEnvironmentPrivilege Attributes - Enabled
23 0x000000017 SeChangeNotifyPrivilege Attributes - Enabled Default
29 0x00000001d SeImpersonatePrivilege Attributes - Enabled Default
Authentication ID: (0,3e7)
Impersonation Level: Anonymous
TokenType: Primary
Source: Advapi TokenFlags: 0x2800 ( Token in use )
Token ID: 3f834 ParentToken ID: 0
Modified ID: (0, 452a8)
RestrictedSidCount: 0 RestrictedSids: 0x0000000000000000
OriginatingLogonSession: 3e7
PackageSid: (null)
CapabilityCount: 0 Capabilities: 0x0000000000000000
LowboxNumberEntry: 0x0000000000000000
Security Attributes:
Unable to get the offset of nt!_AUTHZBASEP_SECURITY_ATTRIBUTE.ListLink
Process Token TrustLevelSid: S-1-19-512-1536
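Added example (not from the post): parsing the `!token` output above into a structure and answering the questions a responder asks of a token: whose it is, at what integrity level, which privileges are enabled, and whether any of them amount to full control of the host. SAMPLE_TOKEN is an abridged copy of the output above. S-1-5-18 is LocalSystem, S-1-16-16384 (0x4000) is the System integrity level and S-1-5-32-544 is BUILTIN\Administrators; the SENSITIVE_PRIVILEGES set is this example's own short list, so for MsMpEng (a SYSTEM service) a non-empty result is expected, while the same result on a token that should belong to an ordinary user is the finding.

```python
"""Parse WinDbg `!token` output and audit the result.  Added example, not from
the original post; SAMPLE_TOKEN abridges the !token output shown above."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAMPLE_TOKEN = """\
_TOKEN 0xffffe18f30642060
TS Session ID: 0
User: S-1-5-18
User Groups:
 00 S-1-16-16384
    Attributes - GroupIntegrity GroupIntegrityEnabled
 01 S-1-1-0
    Attributes - Mandatory Default Enabled
 02 S-1-5-32-545
    Attributes - Mandatory Default Enabled
 10 S-1-5-32-544
    Attributes - Default Enabled Owner
Primary Group: S-1-5-18
Privs:
 03 0x000000003 SeAssignPrimaryTokenPrivilege     Attributes - Enabled
 07 0x000000007 SeTcbPrivilege                    Attributes - Enabled Default
 10 0x00000000a SeLoadDriverPrivilege             Attributes - Enabled
 20 0x000000014 SeDebugPrivilege                  Attributes - Enabled Default
 23 0x000000017 SeChangeNotifyPrivilege           Attributes - Enabled Default
 29 0x00000001d SeImpersonatePrivilege            Attributes - Enabled Default
Authentication ID: (0,3e7)
Impersonation Level: Anonymous
TokenType: Primary
"""

# Last sub-authority of an S-1-16-* SID is the mandatory integrity level (fixed Windows constants).
INTEGRITY_LEVELS = {0x0000: "Untrusted", 0x1000: "Low", 0x2000: "Medium", 0x2100: "Medium-Plus",
                    0x3000: "High", 0x4000: "System", 0x5000: "Protected Process"}

# Privileges that on their own give control of the machine; this example's own list.
SENSITIVE_PRIVILEGES = {"SeDebugPrivilege", "SeTcbPrivilege", "SeLoadDriverPrivilege",
                        "SeAssignPrimaryTokenPrivilege", "SeImpersonatePrivilege",
                        "SeTakeOwnershipPrivilege", "SeRestorePrivilege", "SeBackupPrivilege"}


@dataclass
class TokenInfo:
    user_sid: str = ""
    integrity: str = "unknown"
    groups: Dict[str, List[str]] = field(default_factory=dict)      # SID -> attributes
    privileges: Dict[str, List[str]] = field(default_factory=dict)  # name -> attributes
    token_type: str = ""
    auth_id: str = ""


_SID_LINE = re.compile(r"^\s*\d+\s+(S-1-[\d-]+)\s*$")
_PRIV_LINE = re.compile(r"^\s*\d+\s+0x[0-9a-f]+\s+(Se\w+)\s+Attributes\s*-\s*(.*)$", re.IGNORECASE)
_ATTR_LINE = re.compile(r"^\s*Attributes\s*-\s*(.*)$")


def parse_token(text: str) -> TokenInfo:
    """Group SIDs are followed by their Attributes line, so remember the SID until it arrives."""
    info = TokenInfo()
    pending_sid: Optional[str] = None
    for line in text.splitlines():
        if line.startswith("User:"):
            info.user_sid = line.split(":", 1)[1].strip()
        elif line.startswith("TokenType:"):
            info.token_type = line.split(":", 1)[1].strip()
        elif line.startswith("Authentication ID:"):
            info.auth_id = line.split(":", 1)[1].strip()
        elif (m := _PRIV_LINE.match(line)):
            info.privileges[m.group(1)] = m.group(2).split()
        elif (m := _SID_LINE.match(line)):
            pending_sid = m.group(1)
        elif pending_sid and (m := _ATTR_LINE.match(line)):
            info.groups[pending_sid] = m.group(1).split()
            if pending_sid.startswith("S-1-16-"):
                rid = int(pending_sid.rsplit("-", 1)[1])
                info.integrity = INTEGRITY_LEVELS.get(rid, f"rid {rid:#x}")
            pending_sid = None
    return info


def enabled_privileges(info: TokenInfo) -> List[str]:
    return sorted(n for n, attrs in info.privileges.items() if "Enabled" in attrs)


def sensitive_enabled(info: TokenInfo) -> List[str]:
    """Enabled privileges from the sensitive set; expected for SYSTEM, a finding elsewhere."""
    return sorted(n for n in enabled_privileges(info) if n in SENSITIVE_PRIVILEGES)


def is_local_system(info: TokenInfo) -> bool:
    return info.user_sid == "S-1-5-18"


if __name__ == "__main__":
    tok = parse_token(SAMPLE_TOKEN)
    print(f"user={tok.user_sid} system={is_local_system(tok)} integrity={tok.integrity} type={tok.token_type}")
    print("enabled:", enabled_privileges(tok))
    print("sensitive:", sensitive_enabled(tok))
```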
Threads
Original article by 254126420; if you reproduce it, please credit the source: https://blog.ytso.com/269728.html