调试过程中发现2000下Ethread结构的诡异问题,望指点
网上有人说,把 ETHREAD 结构中的 CrossThreadFlags 标记设置为 PS_CROSS_THREAD_FLAGS_SYSTEM 就可以达到防杀目的,原理比较简单,也是比较传统的做法。
我在XP和2003下均能顺利测试成功,但是在2000下死活行不通。后来看了一下2000下 Ethread的结构,好像没有CrossThreadFlags字段,而XP,2003,vista下均有这个字段。难道上面说的这个把线程设置为系统线程来达到防杀目的的方法,不能用在2000下嘛?如果没有这个字段,那么是不是就根本不能判断进程的标记属性呢?疑惑中?!望高人指点,谢谢! 2000 下 _ETHREAD的结构 kd> !ethread 8112f710 struct _ETHREAD (sizeof=584) +000 struct _KTHREAD Tcb +000 struct _DISPATCHER_HEADER Header +000 byte Type = 06 +001 byte Absolute = 00 +002 byte Size = 6c +003 byte Inserted = 00 +004 int32 SignalState = 00000000 +008 struct _LIST_ENTRY WaitListHead +008 struct _LIST_ENTRY *Flink = 8112F718 +00c struct _LIST_ENTRY *Blink = 8112F718 +010 struct _LIST_ENTRY MutantListHead +010 struct _LIST_ENTRY *Flink = 8112F720 +014 struct _LIST_ENTRY *Blink = 8112F720 +018 void *InitialStack = BDEBD000 +01c void *StackLimit = BDEBA000 +020 void *Teb = 7FFDD000 +024 void *TlsArray = 00000000 +028 void *KernelStack = BDEBCC48 +02c byte DebugActive = 00 +02d byte State = 05 +02e byte Alerted[2] = 00 00 +030 byte Iopl = 00 +031 byte NpxState = 0a +032 char Saturation = 00 +033 char Priority = 08 +034 struct _KAPC_STATE ApcState +034 struct _LIST_ENTRY ApcListHead[2] +034 ApcListHead[0] +034 struct _LIST_ENTRY *Flink = 8112F744 +038 struct _LIST_ENTRY *Blink = 8112F744 +03c ApcListHead[1] +03c struct _LIST_ENTRY *Flink = 8112F74C +040 struct _LIST_ENTRY *Blink = 8112F74C +044 struct _KPROCESS *Process = 810BAD70 +048 byte KernelApcInProgress = 00 +049 byte KernelApcPending = 00 +04a byte UserApcPending = 00 +04c uint32 ContextSwitches = 00000003 +050 int32 WaitStatus = 00000000 +054 byte WaitIrql = 00 +055 char WaitMode = 01 +056 byte WaitNext = 00 +057 byte WaitReason = 10 +058 struct _KWAIT_BLOCK *WaitBlockList = 8112F77C +05c struct _LIST_ENTRY WaitListEntry +05c struct _LIST_ENTRY *Flink = 84F478AC +060 struct _LIST_ENTRY *Blink = 8114458C +064 uint32 WaitTime = 00064800 +068 char BasePriority = 08 +069 byte DecrementCount = 00 +06a char PriorityDecrement = 00 +06b char Quantum = 05 +06c struct _KWAIT_BLOCK WaitBlock[4] +06c WaitBlock[0] +06c struct 
_LIST_ENTRY WaitListEntry +06c struct _LIST_ENTRY *Flink = 8109A0B0 +070 struct _LIST_ENTRY *Blink = 8109A0B0 +074 struct _KTHREAD *Thread = 8112F710 +078 void *Object = 8109A0A8 +07c struct _KWAIT_BLOCK *NextWaitBlock = 8112F77C +080 uint16 WaitKey = 0000 +082 uint16 WaitType = 0001 (three more wait blocks) +0cc void *LegoData = 00000000 +0d0 uint32 KernelApcDisable = 00000000 +0d4 uint32 UserAffinity = 00000001 +0d8 byte SystemAffinityActive = 00 +0d9 byte PowerState = 00 +0da byte NpxIrql = 00 +0db byte Pad[1] = 00 +0dc void *ServiceTable = 8046AB80 +0e0 struct _KQUEUE *Queue = 00000000 +0e4 uint32 ApcQueueLock = 00000000 +0e8 struct _KTIMER Timer +0e8 struct _DISPATCHER_HEADER Header +0e8 byte Type = 08 +0e9 byte Absolute = 00 +0ea byte Size = 0a +0eb byte Inserted = 00 +0ec int32 SignalState = 00000001 +0f0 struct _LIST_ENTRY WaitListHead +0f0 struct _LIST_ENTRY *Flink = 8112F800 +0f4 struct _LIST_ENTRY *Blink = 8112F800 +0f8 union _ULARGE_INTEGER DueTime +0f8 uint32 LowPart = 9925c310 +0fc uint32 HighPart = 00000009 +0f8 struct __unnamed12 u +0f8 uint32 LowPart = 9925c310 +0fc uint32 HighPart = 00000009 +0f8 uint64 QuadPart = 000000099925c310 +100 struct _LIST_ENTRY TimerListEntry +100 struct _LIST_ENTRY *Flink = 81BDBEB0 +104 struct _LIST_ENTRY *Blink = 8046FD70 +108 struct _KDPC *Dpc = 00000000 +10c int32 Period = 00000000 +110 struct _LIST_ENTRY QueueListEntry +110 struct _LIST_ENTRY *Flink = 00000000 +114 struct _LIST_ENTRY *Blink = 00000000 +118 uint32 Affinity = 00000001 +11c byte Preempted = 00 +11d byte ProcessReadyQueue = 00 +11e byte KernelStackResident = 00 +11f byte NextProcessor = 00 +120 void *CallbackStack = 00000000 +124 void *Win32Thread = 00000000 +128 struct _KTRAP_FRAME *TrapFrame = BDEBCD64 +12c struct _KAPC_STATE *ApcStatePointer[2] = 8112F744 8112F850 +134 char PreviousMode = 01 +135 byte EnableStackSwap = 01 +136 byte LargeStack = 00 +137 byte ResourceIndex = 00 +138 uint32 KernelTime = 00000000 +13c uint32 UserTime = 00000000 +140 
struct _KAPC_STATE SavedApcState +140 struct _LIST_ENTRY ApcListHead[2] +140 ApcListHead[0] +140 struct _LIST_ENTRY *Flink = 00000000 +144 struct _LIST_ENTRY *Blink = 00000000 +148 ApcListHead[1] +148 struct _LIST_ENTRY *Flink = 00000000 +14c struct _LIST_ENTRY *Blink = 00000000 +150 struct _KPROCESS *Process = 00000000 +154 byte KernelApcInProgress = 00 +155 byte KernelApcPending = 00 +156 byte UserApcPending = 00 +158 byte Alertable = 00 +159 byte ApcStateIndex = 00 +15a byte ApcQueueable = 01 +15b byte AutoAlignment = 00 +15c void *StackBase = BDEBD000 +160 struct _KAPC SuspendApc +160 int16 Type = 0012 +162 int16 Size = 0030 +164 uint32 Spare0 = 00000000 +168 struct _KTHREAD *Thread = 8112F710 +16c struct _LIST_ENTRY ApcListEntry +16c struct _LIST_ENTRY *Flink = 8112F744 +170 struct _LIST_ENTRY *Blink = 8112F744 +174 function *KernelRoutine = 80430B27 +178 function *RundownRoutine = 00000000 +17c function *NormalRoutine = 80430E2B +180 void *NormalContext = 00000000 +184 void *SystemArgument1 = 00000000 +188 void *SystemArgument2 = 00000000 +18c char ApcStateIndex = 00 +18d char ApcMode = 00 +18e byte Inserted = 00 +190 struct _KSEMAPHORE SuspendSemaphore +190 struct _DISPATCHER_HEADER Header +190 byte Type = 05 +191 byte Absolute = 00 +192 byte Size = 05 +193 byte Inserted = 00 +194 int32 SignalState = 00000000 +198 struct _LIST_ENTRY WaitListHead +198 struct _LIST_ENTRY *Flink = 8112F8A8 +19c struct _LIST_ENTRY *Blink = 8112F8A8 +1a0 int32 Limit = 00000002 +1a4 struct _LIST_ENTRY ThreadListEntry +1a4 struct _LIST_ENTRY *Flink = 810BADC0 +1a8 struct _LIST_ENTRY *Blink = 810A44B4 +1ac char FreezeCount = 00 +1ad char SuspendCount = 00 +1ae byte IdealProcessor = 00 +1af byte DisableBoost = 00 +1b0 union _LARGE_INTEGER CreateTime +1b0 uint32 LowPart = ade71268 +1b4 int32 HighPart = 0dfd0747 +1b0 struct __unnamed3 u +1b0 uint32 LowPart = ade71268 +1b4 int32 HighPart = 0dfd0747 +1b0 int64 QuadPart = 0dfd0747ade71268 +1b0 bits0-1 NestedFaultCount = 0 +1b0 bits2-2 
ApcNeeded = 0 +1b8 union _LARGE_INTEGER ExitTime +1b8 uint32 LowPart = 8112f8c8 +1bc int32 HighPart = 8112f8c8 +1b8 struct __unnamed3 u +1b8 uint32 LowPart = 8112f8c8 +1bc int32 HighPart = 8112f8c8 +1b8 int64 QuadPart = 8112f8c88112f8c8 +1b8 struct _LIST_ENTRY LpcReplyChain +1b8 struct _LIST_ENTRY *Flink = 8112F8C8 +1bc struct _LIST_ENTRY *Blink = 8112F8C8 +1c0 int32 ExitStatus = 00000000 +1c0 void *OfsChain = 00000000 +1c4 struct _LIST_ENTRY PostBlockList +1c4 struct _LIST_ENTRY *Flink = 8112F8D4 +1c8 struct _LIST_ENTRY *Blink = 8112F8D4 +1cc struct _LIST_ENTRY TerminationPortList +1cc struct _LIST_ENTRY *Flink = E252C508 +1d0 struct _LIST_ENTRY *Blink = E252C508 +1d4 uint32 ActiveTimerListLock = 00000000 +1d8 struct _LIST_ENTRY ActiveTimerListHead +1d8 struct _LIST_ENTRY *Flink = 8112F8E8 +1dc struct _LIST_ENTRY *Blink = 8112F8E8 +1e0 struct _CLIENT_ID Cid +1e0 void *UniqueProcess = 000002C8 +1e4 void *UniqueThread = 000005BC +1e8 struct _KSEMAPHORE LpcReplySemaphore +1e8 struct _DISPATCHER_HEADER Header +1e8 byte Type = 05 +1e9 byte Absolute = 00 +1ea byte Size = 05 +1eb byte Inserted = 00 +1ec int32 SignalState = 00000000 +1f0 struct _LIST_ENTRY WaitListHead +1f0 struct _LIST_ENTRY *Flink = 8112F900 +1f4 struct _LIST_ENTRY *Blink = 8112F900 +1f8 int32 Limit = 00000001 +1fc void *LpcReplyMessage = 00000000 +200 uint32 LpcReplyMessageId = 00000000 +204 uint32 PerformanceCountLow = 00000000 +208 struct _PS_IMPERSONATION_INFORMATION *ImpersonationInfo = 00000000 +20c struct _LIST_ENTRY IrpList +20c struct _LIST_ENTRY *Flink = 8112F91C +210 struct _LIST_ENTRY *Blink = 8112F91C +214 uint32 TopLevelIrp = 00000000 +218 struct _DEVICE_OBJECT *DeviceToVerify = 00000000 +21c uint32 ReadClusterSize = 00000007 +220 byte ForwardClusterOnly = 00 +221 byte DisablePageFaultClustering = 00 +222 byte DeadThread = 00 +223 byte HideFromDebugger = 00 +224 uint32 HasTerminated = 00000000 +228 uint32 GrantedAccess = 001f03ff +22c struct _EPROCESS *ThreadsProcess = 810BAD70 +230 void 
*StartAddress = 77E92C50 +234 void *Win32StartAddress = 77D4B759 +234 uint32 LpcReceivedMessageId = 77d4b759 +238 byte LpcExitThreadCalled = 00 +239 byte HardErrorsAreDisabled = 00 +23a byte LpcReceivedMsgIdValid = 00 +23b byte ActiveImpersonationInfo = 00 +23c int32 PerformanceCountHigh = 00000000 +240 struct _LIST_ENTRY ThreadListEntry +240 struct _LIST_ENTRY *Flink = 810BAFE0 +244 struct _LIST_ENTRY *Blink = 810A4550
发布于:2010-06-28 14:03
没人做过吗?
发布于:2010-08-15 21:20
用户被禁言,该主题自动屏蔽!
发布于:2012-03-07 10:09
这个方法在不同系统版本之间不通用;不过2000现在已经可以不用考虑了。
发布于:2017-11-06 08:59
用户被禁言,该主题自动屏蔽!