Windows Kernel Basics: KPCR

1. Overview

KPCR is the per-CPU structure. Just as EPROCESS describes a process and ETHREAD describes a thread, KPCR is the essential structure for a CPU; its full name is Processor Control Region.

In ring 3, fs:[0] points to the TEB; in ring 0 it points to the KPCR. Every CPU core has its own KPCR, which stores important information the CPU needs, such as the GDT, the IDT, and thread-related data.

2. The KPCR structure

nt!_KPCR
   +0x000 NtTib            : _NT_TIB
   +0x000 Used_ExceptionList : Ptr32 _EXCEPTION_REGISTRATION_RECORD
   +0x004 Used_StackBase   : Ptr32 Void
   +0x008 Spare2           : Ptr32 Void
   +0x00c TssCopy          : Ptr32 Void
   +0x010 ContextSwitches  : Uint4B
   +0x014 SetMemberCopy    : Uint4B
   +0x018 Used_Self        : Ptr32 Void
   +0x01c SelfPcr          : Ptr32 _KPCR
   +0x020 Prcb             : Ptr32 _KPRCB
   +0x024 Irql             : UChar
   +0x028 IRR              : Uint4B
   +0x02c IrrActive        : Uint4B
   +0x030 IDR              : Uint4B
   +0x034 KdVersionBlock   : Ptr32 Void
   +0x038 IDT              : Ptr32 _KIDTENTRY
   +0x03c GDT              : Ptr32 _KGDTENTRY
   +0x040 TSS              : Ptr32 _KTSS
   +0x044 MajorVersion     : Uint2B
   +0x046 MinorVersion     : Uint2B
   +0x048 SetMember        : Uint4B
   +0x04c StallScaleFactor : Uint4B
   +0x050 SpareUnused      : UChar
   +0x051 Number           : UChar
   +0x052 Spare0           : UChar
   +0x053 SecondLevelCacheAssociativity : UChar
   +0x054 VdmAlert         : Uint4B
   +0x058 KernelReserved   : [14] Uint4B
   +0x090 SecondLevelCacheSize : Uint4B
   +0x094 HalReserved      : [16] Uint4B
   +0x0d4 InterruptMode    : Uint4B
   +0x0d8 Spare1           : UChar
   +0x0dc KernelReserved2  : [17] Uint4B
   +0x120 PrcbData         : _KPRCB

+0x01c Prcb: leads to PrcbData, which contains useful information
+0x038 IDT: base address of the IDT
+0x03c GDT: base address of the GDT
+0x040 TSS: pointer to the TSS
+0x051 Number: CPU number

3. NT_TIB

The first member of KPCR is an NT_TIB (the same first member as the TEB). Use the command dt _NT_TIB to view its members:

nt!_NT_TIB
   +0x000 ExceptionList    : Ptr32 _EXCEPTION_REGISTRATION_RECORD
   +0x004 StackBase        : Ptr32 Void
   +0x008 StackLimit       : Ptr32 Void
   +0x00c SubSystemTib     : Ptr32 Void
   +0x010 FiberData        : Ptr32 Void
   +0x010 Version          : Uint4B
   +0x014 ArbitraryUserPointer : Ptr32 Void
   +0x018 Self             : Ptr32 _NT_TIB

ExceptionList: stores the exception handlers

StackBase, StackLimit: mark the stack base and stack limit of the current thread

4. KPRCB

+0x120 PrcbData: the extended structure, of type _KPRCB

nt!_KPRCB
   +0x000 MinorVersion     : Uint2B
   +0x002 MajorVersion     : Uint2B
   +0x004 CurrentThread    : Ptr32 _KTHREAD
   +0x008 NextThread       : Ptr32 _KTHREAD
   +0x00c IdleThread       : Ptr32 _KTHREAD
   +0x010 LegacyNumber     : UChar
   +0x011 NestingLevel     : UChar
   +0x012 BuildType        : Uint2B
   +0x014 CpuType          : Char
   +0x015 CpuID            : Char
   +0x016 CpuStep          : Uint2B
   +0x016 CpuStepping      : UChar
   +0x017 CpuModel         : UChar
   +0x018 ProcessorState   : _KPROCESSOR_STATE
   +0x338 KernelReserved   : [16] Uint4B
   +0x378 HalReserved      : [16] Uint4B
   +0x3b8 CFlushSize       : Uint4B
   +0x3bc CoresPerPhysicalProcessor : UChar
   +0x3bd LogicalProcessorsPerCore : UChar
   +0x3be PrcbPad0         : [2] UChar
   +0x3c0 MHz              : Uint4B
   +0x3c4 CpuVendor        : UChar
   +0x3c5 GroupIndex       : UChar
   +0x3c6 Group            : Uint2B
   +0x3c8 GroupSetMember   : Uint4B
   +0x3cc Number           : Uint4B
   +0x3d0 PrcbPad1         : [72] UChar
   +0x418 LockQueue        : [17] _KSPIN_LOCK_QUEUE
   +0x4a0 NpxThread        : Ptr32 _KTHREAD
   +0x4a4 InterruptCount   : Uint4B
   +0x4a8 KernelTime       : Uint4B
   +0x4ac UserTime         : Uint4B
   +0x4b0 DpcTime          : Uint4B
   +0x4b4 DpcTimeCount     : Uint4B
   +0x4b8 InterruptTime    : Uint4B
   +0x4bc AdjustDpcThreshold : Uint4B
   +0x4c0 PageColor        : Uint4B
   +0x4c4 DebuggerSavedIRQL : UChar
   +0x4c5 NodeColor        : UChar
   +0x4c6 PrcbPad20        : [2] UChar
   +0x4c8 NodeShiftedColor : Uint4B
   +0x4cc ParentNode       : Ptr32 _KNODE
   +0x4d0 SecondaryColorMask : Uint4B
   +0x4d4 DpcTimeLimit     : Uint4B
   +0x4d8 PrcbPad21        : [2] Uint4B
   +0x4e0 CcFastReadNoWait : Uint4B
   +0x4e4 CcFastReadWait   : Uint4B
   +0x4e8 CcFastReadNotPossible : Uint4B
   +0x4ec CcCopyReadNoWait : Uint4B
   +0x4f0 CcCopyReadWait   : Uint4B
   +0x4f4 CcCopyReadNoWaitMiss : Uint4B
   +0x4f8 MmSpinLockOrdering : Int4B
   +0x4fc IoReadOperationCount : Int4B
   +0x500 IoWriteOperationCount : Int4B
   +0x504 IoOtherOperationCount : Int4B
   +0x508 IoReadTransferCount : _LARGE_INTEGER
   +0x510 IoWriteTransferCount : _LARGE_INTEGER
   +0x518 IoOtherTransferCount : _LARGE_INTEGER
   +0x520 CcFastMdlReadNoWait : Uint4B
   +0x524 CcFastMdlReadWait : Uint4B
   +0x528 CcFastMdlReadNotPossible : Uint4B
   +0x52c CcMapDataNoWait  : Uint4B
   +0x530 CcMapDataWait    : Uint4B
   +0x534 CcPinMappedDataCount : Uint4B
   +0x538 CcPinReadNoWait  : Uint4B
   +0x53c CcPinReadWait    : Uint4B
   +0x540 CcMdlReadNoWait  : Uint4B
   +0x544 CcMdlReadWait    : Uint4B
   +0x548 CcLazyWriteHotSpots : Uint4B
   +0x54c CcLazyWriteIos   : Uint4B
   +0x550 CcLazyWritePages : Uint4B
   +0x554 CcDataFlushes    : Uint4B
   +0x558 CcDataPages      : Uint4B
   +0x55c CcLostDelayedWrites : Uint4B
   +0x560 CcFastReadResourceMiss : Uint4B
   +0x564 CcCopyReadWaitMiss : Uint4B
   +0x568 CcFastMdlReadResourceMiss : Uint4B
   +0x56c CcMapDataNoWaitMiss : Uint4B
   +0x570 CcMapDataWaitMiss : Uint4B
   +0x574 CcPinReadNoWaitMiss : Uint4B
   +0x578 CcPinReadWaitMiss : Uint4B
   +0x57c CcMdlReadNoWaitMiss : Uint4B
   +0x580 CcMdlReadWaitMiss : Uint4B
   +0x584 CcReadAheadIos   : Uint4B
   +0x588 KeAlignmentFixupCount : Uint4B
   +0x58c KeExceptionDispatchCount : Uint4B
   +0x590 KeSystemCalls    : Uint4B
   +0x594 AvailableTime    : Uint4B
   +0x598 PrcbPad22        : [2] Uint4B
   +0x5a0 PPLookasideList  : [16] _PP_LOOKASIDE_LIST
   +0x620 PPNPagedLookasideList : [32] _GENERAL_LOOKASIDE_POOL
   +0xf20 PPPagedLookasideList : [32] _GENERAL_LOOKASIDE_POOL
   +0x1820 PacketBarrier    : Uint4B
   +0x1824 ReverseStall     : Int4B
   +0x1828 IpiFrame         : Ptr32 Void
   +0x182c PrcbPad3         : [52] UChar
   +0x1860 CurrentPacket    : [3] Ptr32 Void
   +0x186c TargetSet        : Uint4B
   +0x1870 WorkerRoutine    : Ptr32     void 
   +0x1874 IpiFrozen        : Uint4B
   +0x1878 PrcbPad4         : [40] UChar
   +0x18a0 RequestSummary   : Uint4B
   +0x18a4 SignalDone       : Ptr32 _KPRCB
   +0x18a8 PrcbPad50        : [56] UChar
   +0x18e0 DpcData          : [2] _KDPC_DATA
   +0x1908 DpcStack         : Ptr32 Void
   +0x190c MaximumDpcQueueDepth : Int4B
   +0x1910 DpcRequestRate   : Uint4B
   +0x1914 MinimumDpcRate   : Uint4B
   +0x1918 DpcLastCount     : Uint4B
   +0x191c PrcbLock         : Uint4B
   +0x1920 DpcGate          : _KGATE
   +0x1930 ThreadDpcEnable  : UChar
   +0x1931 QuantumEnd       : UChar
   +0x1932 DpcRoutineActive : UChar
   +0x1933 IdleSchedule     : UChar
   +0x1934 DpcRequestSummary : Int4B
   +0x1934 DpcRequestSlot   : [2] Int2B
   +0x1934 NormalDpcState   : Int2B
   +0x1936 DpcThreadActive  : Pos 0, 1 Bit
   +0x1936 ThreadDpcState   : Int2B
   +0x1938 TimerHand        : Uint4B
   +0x193c LastTick         : Uint4B
   +0x1940 MasterOffset     : Int4B
   +0x1944 PrcbPad41        : [2] Uint4B
   +0x194c PeriodicCount    : Uint4B
   +0x1950 PeriodicBias     : Uint4B
   +0x1958 TickOffset       : Uint8B
   +0x1960 TimerTable       : _KTIMER_TABLE
   +0x31a0 CallDpc          : _KDPC
   +0x31c0 ClockKeepAlive   : Int4B
   +0x31c4 ClockCheckSlot   : UChar
   +0x31c5 ClockPollCycle   : UChar
   +0x31c6 PrcbPad6         : [2] UChar
   +0x31c8 DpcWatchdogPeriod : Int4B
   +0x31cc DpcWatchdogCount : Int4B
   +0x31d0 ThreadWatchdogPeriod : Int4B
   +0x31d4 ThreadWatchdogCount : Int4B
   +0x31d8 KeSpinLockOrdering : Int4B
   +0x31dc PrcbPad70        : [1] Uint4B
   +0x31e0 WaitListHead     : _LIST_ENTRY
   +0x31e8 WaitLock         : Uint4B
   +0x31ec ReadySummary     : Uint4B
   +0x31f0 QueueIndex       : Uint4B
   +0x31f4 DeferredReadyListHead : _SINGLE_LIST_ENTRY
   +0x31f8 StartCycles      : Uint8B
   +0x3200 CycleTime        : Uint8B
   +0x3208 HighCycleTime    : Uint4B
   +0x320c PrcbPad71        : Uint4B
   +0x3210 PrcbPad72        : [2] Uint8B
   +0x3220 DispatcherReadyListHead : [32] _LIST_ENTRY
   +0x3320 ChainedInterruptList : Ptr32 Void
   +0x3324 LookasideIrpFloat : Int4B
   +0x3328 MmPageFaultCount : Int4B
   +0x332c MmCopyOnWriteCount : Int4B
   +0x3330 MmTransitionCount : Int4B
   +0x3334 MmCacheTransitionCount : Int4B
   +0x3338 MmDemandZeroCount : Int4B
   +0x333c MmPageReadCount  : Int4B
   +0x3340 MmPageReadIoCount : Int4B
   +0x3344 MmCacheReadCount : Int4B
   +0x3348 MmCacheIoCount   : Int4B
   +0x334c MmDirtyPagesWriteCount : Int4B
   +0x3350 MmDirtyWriteIoCount : Int4B
   +0x3354 MmMappedPagesWriteCount : Int4B
   +0x3358 MmMappedWriteIoCount : Int4B
   +0x335c CachedCommit     : Uint4B
   +0x3360 CachedResidentAvailable : Uint4B
   +0x3364 HyperPte         : Ptr32 Void
   +0x3368 PrcbPad8         : [4] UChar
   +0x336c VendorString     : [13] UChar
   +0x3379 InitialApicId    : UChar
   +0x337a LogicalProcessorsPerPhysicalProcessor : UChar
   +0x337b PrcbPad9         : [5] UChar
   +0x3380 FeatureBits      : Uint4B
   +0x3388 UpdateSignature  : _LARGE_INTEGER
   +0x3390 IsrTime          : Uint8B
   +0x3398 RuntimeAccumulation : Uint8B
   +0x33a0 PowerState       : _PROCESSOR_POWER_STATE
   +0x3468 DpcWatchdogDpc   : _KDPC
   +0x3488 DpcWatchdogTimer : _KTIMER
   +0x34b0 WheaInfo         : Ptr32 Void
   +0x34b4 EtwSupport       : Ptr32 Void
   +0x34b8 InterruptObjectPool : _SLIST_HEADER
   +0x34c0 HypercallPageList : _SLIST_HEADER
   +0x34c8 HypercallPageVirtual : Ptr32 Void
   +0x34cc VirtualApicAssist : Ptr32 Void
   +0x34d0 StatisticsPage   : Ptr32 Uint8B
   +0x34d4 RateControl      : Ptr32 Void
   +0x34d8 Cache            : [5] _CACHE_DESCRIPTOR
   +0x3514 CacheCount       : Uint4B
   +0x3518 CacheProcessorMask : [5] Uint4B
   +0x352c PackageProcessorSet : _KAFFINITY_EX
   +0x3538 PrcbPad91        : [1] Uint4B
   +0x353c CoreProcessorSet : Uint4B
   +0x3540 TimerExpirationDpc : _KDPC
   +0x3560 SpinLockAcquireCount : Uint4B
   +0x3564 SpinLockContentionCount : Uint4B
   +0x3568 SpinLockSpinCount : Uint4B
   +0x356c IpiSendRequestBroadcastCount : Uint4B
   +0x3570 IpiSendRequestRoutineCount : Uint4B
   +0x3574 IpiSendSoftwareInterruptCount : Uint4B
   +0x3578 ExInitializeResourceCount : Uint4B
   +0x357c ExReInitializeResourceCount : Uint4B
   +0x3580 ExDeleteResourceCount : Uint4B
   +0x3584 ExecutiveResourceAcquiresCount : Uint4B
   +0x3588 ExecutiveResourceContentionsCount : Uint4B
   +0x358c ExecutiveResourceReleaseExclusiveCount : Uint4B
   +0x3590 ExecutiveResourceReleaseSharedCount : Uint4B
   +0x3594 ExecutiveResourceConvertsCount : Uint4B
   +0x3598 ExAcqResExclusiveAttempts : Uint4B
   +0x359c ExAcqResExclusiveAcquiresExclusive : Uint4B
   +0x35a0 ExAcqResExclusiveAcquiresExclusiveRecursive : Uint4B
   +0x35a4 ExAcqResExclusiveWaits : Uint4B
   +0x35a8 ExAcqResExclusiveNotAcquires : Uint4B
   +0x35ac ExAcqResSharedAttempts : Uint4B
   +0x35b0 ExAcqResSharedAcquiresExclusive : Uint4B
   +0x35b4 ExAcqResSharedAcquiresShared : Uint4B
   +0x35b8 ExAcqResSharedAcquiresSharedRecursive : Uint4B
   +0x35bc ExAcqResSharedWaits : Uint4B
   +0x35c0 ExAcqResSharedNotAcquires : Uint4B
   +0x35c4 ExAcqResSharedStarveExclusiveAttempts : Uint4B
   +0x35c8 ExAcqResSharedStarveExclusiveAcquiresExclusive : Uint4B
   +0x35cc ExAcqResSharedStarveExclusiveAcquiresShared : Uint4B
   +0x35d0 ExAcqResSharedStarveExclusiveAcquiresSharedRecursive : Uint4B
   +0x35d4 ExAcqResSharedStarveExclusiveWaits : Uint4B
   +0x35d8 ExAcqResSharedStarveExclusiveNotAcquires : Uint4B
   +0x35dc ExAcqResSharedWaitForExclusiveAttempts : Uint4B
   +0x35e0 ExAcqResSharedWaitForExclusiveAcquiresExclusive : Uint4B
   +0x35e4 ExAcqResSharedWaitForExclusiveAcquiresShared : Uint4B
   +0x35e8 ExAcqResSharedWaitForExclusiveAcquiresSharedRecursive : Uint4B
   +0x35ec ExAcqResSharedWaitForExclusiveWaits : Uint4B
   +0x35f0 ExAcqResSharedWaitForExclusiveNotAcquires : Uint4B
   +0x35f4 ExSetResOwnerPointerExclusive : Uint4B
   +0x35f8 ExSetResOwnerPointerSharedNew : Uint4B
   +0x35fc ExSetResOwnerPointerSharedOld : Uint4B
   +0x3600 ExTryToAcqExclusiveAttempts : Uint4B
   +0x3604 ExTryToAcqExclusiveAcquires : Uint4B
   +0x3608 ExBoostExclusiveOwner : Uint4B
   +0x360c ExBoostSharedOwners : Uint4B
   +0x3610 ExEtwSynchTrackingNotificationsCount : Uint4B
   +0x3614 ExEtwSynchTrackingNotificationsAccountedCount : Uint4B
   +0x3618 Context          : Ptr32 _CONTEXT
   +0x361c ContextFlags     : Uint4B
   +0x3620 ExtendedState    : Ptr32 _XSAVE_AREA

+0x004 CurrentThread: the thread currently running on this CPU
+0x008 NextThread: the thread that will be switched to next
+0x00c IdleThread: the idle thread that runs when there is no thread to switch to
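As an added example (not code from the original post), the following C program applies the KPCR and KPRCB offsets listed above to a raw memory image, the way a memory-forensics tool would: it validates a candidate KPCR through its self-pointers (NtTib.Self and SelfPcr pointing back at the structure, and Prcb pointing at the embedded PrcbData, as the annotation in section 2 describes) and then extracts IDT, GDT, Number and PrcbData.CurrentThread. The sample buffer, the base address 0xffdff000 and every field value in it are constructed for the demonstration.

```c
#include <stdint.h>
#include <string.h>

/* Field offsets copied from the dt _KPCR / _KPRCB output above (Windows 7 x86 layout). */
enum {
    KPCR_TIB_SELF = 0x018, KPCR_SELFPCR = 0x01c, KPCR_PRCB = 0x020,
    KPCR_IDT = 0x038, KPCR_GDT = 0x03c, KPCR_NUMBER = 0x051,
    KPCR_PRCBDATA = 0x120, KPRCB_CURRENTTHREAD = 0x004,
    KPCR_MIN_LEN = KPCR_PRCBDATA + KPRCB_CURRENTTHREAD + 4
};

typedef struct { uint32_t idt, gdt, prcb, current_thread; uint8_t number; } kpcr_summary;

static uint32_t rd32(const uint8_t *p, size_t off) {   /* little-endian 32-bit read */
    return (uint32_t)p[off] | (uint32_t)p[off + 1] << 8 |
           (uint32_t)p[off + 2] << 16 | (uint32_t)p[off + 3] << 24;
}
static void wr32(uint8_t *p, size_t off, uint32_t v) {  /* little-endian 32-bit write */
    for (int i = 0; i < 4; i++) p[off + i] = (uint8_t)(v >> (8 * i));
}

/* Parse a candidate KPCR image in `buf` that was mapped at virtual address `base`.
   The three self-pointer checks are what separate a real KPCR from arbitrary bytes. */
int kpcr_parse(const uint8_t *buf, size_t len, uint32_t base, kpcr_summary *out) {
    if (len < KPCR_MIN_LEN) return 0;
    if (rd32(buf, KPCR_TIB_SELF) != base) return 0;              /* NtTib.Self -> this KPCR */
    if (rd32(buf, KPCR_SELFPCR) != base) return 0;               /* SelfPcr    -> this KPCR */
    if (rd32(buf, KPCR_PRCB) != base + KPCR_PRCBDATA) return 0;  /* Prcb -> embedded PrcbData */
    out->idt = rd32(buf, KPCR_IDT);
    out->gdt = rd32(buf, KPCR_GDT);
    out->prcb = rd32(buf, KPCR_PRCB);
    out->number = buf[KPCR_NUMBER];
    out->current_thread = rd32(buf, KPCR_PRCBDATA + KPRCB_CURRENTTHREAD);
    return 1;
}

/* Constructed sample: a fake CPU 0 KPCR placed at 0xffdff000; every value is made up. */
#define SAMPLE_BASE 0xffdff000u
uint8_t sample_kpcr[0x200];
size_t build_sample(void) {
    memset(sample_kpcr, 0, sizeof sample_kpcr);
    wr32(sample_kpcr, KPCR_TIB_SELF, SAMPLE_BASE);
    wr32(sample_kpcr, KPCR_SELFPCR, SAMPLE_BASE);
    wr32(sample_kpcr, KPCR_PRCB, SAMPLE_BASE + KPCR_PRCBDATA);
    wr32(sample_kpcr, KPCR_IDT, 0x80b95400u);
    wr32(sample_kpcr, KPCR_GDT, 0x80b95000u);
    sample_kpcr[KPCR_NUMBER] = 0;
    wr32(sample_kpcr, KPCR_PRCBDATA + KPRCB_CURRENTTHREAD, 0x85e1c020u);
    return sizeof sample_kpcr;
}
```

Running kpcr_parse with a wrong base or a buffer too short to reach PrcbData.CurrentThread returns 0, which is the behaviour a scanner needs when sliding this check over a dump.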
