Overview
Kernel space
- Hardware abstraction layer (HAL)
- Operating system kernel
- Executive
- Kernel-mode drivers
- Windows subsystem driver (win32k.sys)
- Kernel support modules
User space
- Session Manager process (SMSS.EXE)
- Windows subsystem server process (CSRSS.EXE)
- Logon process (WinLogon.EXE)
- Local Security Authority process (LSASS.EXE)
- Service Control Manager process (SERVICES.EXE)
- OS/2 subsystem and POSIX subsystem server processes
- Shell program, Explorer.exe by default
Kernel and HAL modules
Kernel file
NTOSKRNL.EXE: the kernel file (the kernel proper plus the executive)
HAL
Hardware abstraction layer module (HAL.DLL)
Interrupt Request Level (IRQL): an important mechanism of the kernel; the `!prcb` output below reports the processor's current IRQL (Current IRQL -- 13)
Idle process
System process and Idle process
The NT kernel creates the Idle process when it starts.
Viewing the Idle process: `!prcb` prints the current processor's control block, including the address of its idle thread, which `!thread` can then dump.
6: kd> !prcb
PRCB for Processor 6 at ffffb800fcbe1180:
Current IRQL -- 13
Threads-- Current ffff84898fe7f480 Next ffff8489821f5700 Idle ffffb800fcbf1200
Processor Index 6 Number (0, 6) GroupSetMember 40
Interrupt Count -- 0000e351
Times -- Dpc 00000027 Interrupt 00000001
Kernel 0000059f User 00000018
6: kd> !thread ffffb800fcbf1200
THREAD ffffb800fcbf1200 Cid 0000.0000 Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 6
Not impersonating
DeviceMap ffffe18f2b818ad0
Owning Process fffff800064679c0 Image: Idle
Attached Process ffff84898203c440 Image: System
Wait Start TickCount 749 Ticks: 757 (0:00:00:11.828)
Context Switch Count 7923 IdealProcessor: 6
UserTime 00:00:00.000
KernelTime 00:00:07.500
Win32 Start Address nt!KiIdleLoop (0xfffff800061acd70)
Stack Init ffff97895527fb90 Current ffff97895527fb20
Base ffff978955280000 Limit ffff978955279000 Call 0000000000000000
Priority 0 BasePriority 0 PriorityDecrement 0 IoPriority 0 PagePriority 0
Child-SP RetAddr : Args to Child : Call Site
ffff9789`5527fb60 00000000`00000000 : ffff9789`55280000 ffff9789`55279000 00000000`00000000 00000000`00000000 : nt!KiIdleLoop+0x11d
The Idle process has no real process ID: its Cid is 0000, and every idle thread's Cid is 0000.0000. Each idle thread starts at nt!KiIdleLoop, runs at priority 0, names Idle as its Owning Process and System as its Attached Process.
Viewing the Idle process with !process (there is one idle thread per processor, eight on this machine):
6: kd> !process fffff800064679c0
PROCESS fffff800064679c0
SessionId: none Cid: 0000 Peb: 00000000 ParentCid: 0000
DirBase: 001ad002 ObjectTable: ffffe18f2b814040 HandleCount: 2564.
Image: Idle
VadRoot ffff848982059eb0 Vads 1 Clone 0 Private 8. Modified 2029. Locked 0.
DeviceMap 0000000000000000
Token ffffe18f2b817040
ElapsedTime 00:00:19.992
UserTime 00:00:00.000
KernelTime 00:00:00.000
QuotaPoolUsage[PagedPool] 0
QuotaPoolUsage[NonPagedPool] 136
Working Set Sizes (now,min,max) (8, 50, 450) (32KB, 200KB, 1800KB)
PeakWorkingSetSize 2
VirtualSize 0 Mb
PeakVirtualSize 0 Mb
PageFaultCount 8
MemoryPriority BACKGROUND
BasePriority 0
CommitCharge 13
THREAD fffff8000646a400 Cid 0000.0000 Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 0
Not impersonating
DeviceMap ffffe18f2b818ad0
Owning Process fffff800064679c0 Image: Idle
Attached Process ffff84898203c440 Image: System
Wait Start TickCount 369 Ticks: 1137 (0:00:00:17.765)
Context Switch Count 7836 IdealProcessor: 0
UserTime 00:00:00.000
KernelTime 00:00:07.750
Win32 Start Address nt!KiIdleLoop (0xfffff800061acd70)
Stack Init fffff80008fe0b90 Current fffff80008fe0b20
Base fffff80008fe1000 Limit fffff80008fda000 Call 0000000000000000
Priority 0 BasePriority 0 PriorityDecrement 0 IoPriority 0 PagePriority 5
Child-SP RetAddr Call Site
fffff800`08fe0b60 00000000`00000000 nt!KiIdleLoop+0x11d
THREAD ffffb800fd171200 Cid 0000.0000 Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 1
Not impersonating
DeviceMap ffffe18f2b818ad0
Owning Process fffff800064679c0 Image: Idle
Attached Process ffff84898203c440 Image: System
Wait Start TickCount 0 Ticks: 1506 (0:00:00:23.531)
Context Switch Count 5128 IdealProcessor: 1
UserTime 00:00:00.000
KernelTime 00:00:10.250
Win32 Start Address nt!KiIdleLoop (0xfffff800061acd70)
Stack Init ffff97895522fb90 Current ffff97895522fb20
Base ffff978955230000 Limit ffff978955229000 Call 0000000000000000
Priority 0 BasePriority 0 PriorityDecrement 0 IoPriority 0 PagePriority 0
Child-SP RetAddr Call Site
ffff9789`5522fb60 00000000`00000000 nt!KiIdleLoop+0x11d
THREAD ffffb800fce34200 Cid 0000.0000 Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 2
Not impersonating
DeviceMap ffffe18f2b818ad0
Owning Process fffff800064679c0 Image: Idle
Attached Process ffff84898203c440 Image: System
Wait Start TickCount 0 Ticks: 1506 (0:00:00:23.531)
Context Switch Count 12204 IdealProcessor: 2
UserTime 00:00:00.000
KernelTime 00:00:09.406
Win32 Start Address nt!KiIdleLoop (0xfffff800061acd70)
Stack Init ffff97895523fb90 Current ffff97895523fb20
Base ffff978955240000 Limit ffff978955239000 Call 0000000000000000
Priority 0 BasePriority 0 PriorityDecrement 0 IoPriority 0 PagePriority 0
Child-SP RetAddr Call Site
ffff9789`5523fb60 00000000`00000000 nt!KiIdleLoop+0x11d
THREAD ffffb800fce90200 Cid 0000.0000 Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 3
Not impersonating
DeviceMap ffffe18f2b818ad0
Owning Process fffff800064679c0 Image: Idle
Attached Process ffff84898203c440 Image: System
Wait Start TickCount 0 Ticks: 1506 (0:00:00:23.531)
Context Switch Count 7466 IdealProcessor: 3
UserTime 00:00:00.000
KernelTime 00:00:10.312
Win32 Start Address nt!KiIdleLoop (0xfffff800061acd70)
Stack Init ffff97895524fb90 Current ffff97895524fb20
Base ffff978955250000 Limit ffff978955249000 Call 0000000000000000
Priority 0 BasePriority 0 PriorityDecrement 0 IoPriority 0 PagePriority 0
Child-SP RetAddr Call Site
ffff9789`5524fb60 00000000`00000000 nt!KiIdleLoop+0x11d
THREAD ffffb800fd2d0200 Cid 0000.0000 Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 4
Not impersonating
DeviceMap ffffe18f2b818ad0
Owning Process fffff800064679c0 Image: Idle
Attached Process ffff84898203c440 Image: System
Wait Start TickCount 0 Ticks: 1506 (0:00:00:23.531)
Context Switch Count 10814 IdealProcessor: 4
UserTime 00:00:00.000
KernelTime 00:00:08.421
Win32 Start Address nt!KiIdleLoop (0xfffff800061acd70)
Stack Init ffff97895525fb90 Current ffff97895525fb20
Base ffff978955260000 Limit ffff978955259000 Call 0000000000000000
Priority 0 BasePriority 0 PriorityDecrement 0 IoPriority 0 PagePriority 0
Child-SP RetAddr Call Site
ffff9789`5525fb60 00000000`00000000 nt!KiIdleLoop+0x11d
THREAD ffffb800fd36b200 Cid 0000.0000 Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 5
Not impersonating
DeviceMap ffffe18f2b818ad0
Owning Process fffff800064679c0 Image: Idle
Attached Process ffff84898203c440 Image: System
Wait Start TickCount 0 Ticks: 1506 (0:00:00:23.531)
Context Switch Count 7707 IdealProcessor: 5
UserTime 00:00:00.000
KernelTime 00:00:08.437
Win32 Start Address nt!KiIdleLoop (0xfffff800061acd70)
Stack Init ffff97895526fb90 Current ffff97895526fb20
Base ffff978955270000 Limit ffff978955269000 Call 0000000000000000
Priority 0 BasePriority 0 PriorityDecrement 0 IoPriority 0 PagePriority 0
Child-SP RetAddr Call Site
ffff9789`5526fb60 00000000`00000000 nt!KiIdleLoop+0x11d
THREAD ffffb800fcbf1200 Cid 0000.0000 Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 6
Not impersonating
DeviceMap ffffe18f2b818ad0
Owning Process fffff800064679c0 Image: Idle
Attached Process ffff84898203c440 Image: System
Wait Start TickCount 749 Ticks: 757 (0:00:00:11.828)
Context Switch Count 7923 IdealProcessor: 6
UserTime 00:00:00.000
KernelTime 00:00:07.500
Win32 Start Address nt!KiIdleLoop (0xfffff800061acd70)
Stack Init ffff97895527fb90 Current ffff97895527fb20
Base ffff978955280000 Limit ffff978955279000 Call 0000000000000000
Priority 0 BasePriority 0 PriorityDecrement 0 IoPriority 0 PagePriority 0
Child-SP RetAddr Call Site
ffff9789`5527fb60 00000000`00000000 nt!KiIdleLoop+0x11d
THREAD ffffb800fd490200 Cid 0000.0000 Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 7
Not impersonating
DeviceMap ffffe18f2b818ad0
Owning Process fffff800064679c0 Image: Idle
Attached Process ffff84898203c440 Image: System
Wait Start TickCount 571 Ticks: 935 (0:00:00:14.609)
Context Switch Count 4978 IdealProcessor: 7
UserTime 00:00:00.000
KernelTime 00:00:09.125
Win32 Start Address nt!KiIdleLoop (0xfffff800061acd70)
Stack Init ffff97895528fb90 Current ffff97895528fb20
Base ffff978955290000 Limit ffff978955289000 Call 0000000000000000
Priority 0 BasePriority 0 PriorityDecrement 0 IoPriority 0 PagePriority 0
Child-SP RetAddr Call Site
ffff9789`5528fb60 00000000`00000000 nt!KiIdleLoop+0x11d
System process
The System process is the host for the operating system kernel and all system threads: it gives the kernel-mode threads created by the kernel and by drivers a process object and process address space of their own.
The System process is the second process created at boot (after Idle); its Cid is always 4 and its ParentCid is 0. Note that the Idle dump above shows the same DirBase and ObjectTable as System: Idle has no address space or handle table of its own.
In a kernel debugging session:
6: kd> !process 4 1
Searching for Process with Cid == 4
PROCESS ffff84898203c440
SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000
DirBase: 001ad002 ObjectTable: ffffe18f2b814040 HandleCount: 2564.
Image: System
VadRoot ffff84898536f560 Vads 19 Clone 0 Private 24. Modified 4622. Locked 128.
DeviceMap ffffe18f2b818ad0
Token ffffe18f2b817040
ElapsedTime 00:00:19.992
UserTime 00:00:00.000
KernelTime 00:00:04.406
QuotaPoolUsage[PagedPool] 0
QuotaPoolUsage[NonPagedPool] 136
Working Set Sizes (now,min,max) (255, 50, 450) (1020KB, 200KB, 1800KB)
PeakWorkingSetSize 1090
VirtualSize 5 Mb
PeakVirtualSize 14 Mb
PageFaultCount 1496
MemoryPriority BACKGROUND
BasePriority 8
CommitCharge 48
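To make the properties that the Idle and System dumps above illustrate checkable rather than eyeballed, here is an added example (not code from the original page) that parses `!process` output into records and verifies them: Idle has Cid 0, one idle thread per processor, every idle thread runs nt!KiIdleLoop at priority 0, System has Cid 4 and ParentCid 0, and Idle's DirBase and ObjectTable equal System's. The SAMPLE text is a shortened excerpt of the page's own debugger output; the record field names and the helper functions are this example's own.

```python
import re

# Shortened excerpt of the page's own `!process` output (Idle with three of its
# eight idle threads, then System); it stands in for a real kernel-debugger log.
SAMPLE = """\
6: kd> !process fffff800064679c0
PROCESS fffff800064679c0
    SessionId: none  Cid: 0000    Peb: 00000000  ParentCid: 0000
    DirBase: 001ad002  ObjectTable: ffffe18f2b814040  HandleCount: 2564.
    Image: Idle
    BasePriority 0
    CommitCharge 13
        THREAD fffff8000646a400  Cid 0000.0000  Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 0
        Owning Process            fffff800064679c0       Image:         Idle
        Attached Process          ffff84898203c440       Image:         System
        Win32 Start Address nt!KiIdleLoop (0xfffff800061acd70)
        Priority 0 BasePriority 0 PriorityDecrement 0 IoPriority 0 PagePriority 5
        THREAD ffffb800fd171200  Cid 0000.0000  Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 1
        Win32 Start Address nt!KiIdleLoop (0xfffff800061acd70)
        Priority 0 BasePriority 0 PriorityDecrement 0 IoPriority 0 PagePriority 0
        THREAD ffffb800fcbf1200  Cid 0000.0000  Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 6
        Win32 Start Address nt!KiIdleLoop (0xfffff800061acd70)
        Priority 0 BasePriority 0 PriorityDecrement 0 IoPriority 0 PagePriority 0
6: kd> !process 4 1
Searching for Process with Cid == 4
PROCESS ffff84898203c440
    SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 001ad002  ObjectTable: ffffe18f2b814040  HandleCount: 2564.
    Image: System
    BasePriority 8
"""

_PROCESS = re.compile(r"^PROCESS ([0-9a-f]{8,16})$")
_CID = re.compile(r"^SessionId: (\S+)\s+Cid: ([0-9a-f]+)\s+Peb: ([0-9a-f]+)\s+ParentCid: ([0-9a-f]+)")
_DIRBASE = re.compile(r"^DirBase: ([0-9a-f]+)\s+ObjectTable: ([0-9a-f]+)\s+HandleCount: (\d+)")
_IMAGE = re.compile(r"^Image:\s+(\S+)$")
_PROC_BASEPRI = re.compile(r"^BasePriority (\d+)$")
_THREAD = re.compile(r"^THREAD ([0-9a-f]+)\s+Cid ([0-9a-f]+)\.([0-9a-f]+)(.*)$")
_RUNNING = re.compile(r"RUNNING on processor (\d+)")
_START = re.compile(r"^Win32 Start Address (\S+)")
_THREAD_PRI = re.compile(r"^Priority (\d+)\s+BasePriority (\d+)")


def parse_process_dump(text):
    """Turn `!process` output into a list of process dicts, each carrying a
    'threads' list. Unrecognised lines (prompts, stack frames, quota counters)
    are skipped, so a partial or noisy log still parses."""
    processes, proc, thread = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := _PROCESS.match(line):
            proc = {"address": int(m[1], 16), "threads": []}
            processes.append(proc)
            thread = None
        elif proc is None:
            continue
        elif m := _THREAD.match(line):
            run = _RUNNING.search(m[4])
            thread = {"address": int(m[1], 16), "pid": int(m[2], 16), "tid": int(m[3], 16),
                      "processor": int(run[1]) if run else None, "start": None, "priority": None}
            proc["threads"].append(thread)
        elif m := _CID.match(line):
            proc.update(session=m[1], pid=int(m[2], 16), peb=int(m[3], 16), parent_pid=int(m[4], 16))
        elif m := _DIRBASE.match(line):
            proc.update(dirbase=int(m[1], 16), object_table=int(m[2], 16), handle_count=int(m[3]))
        elif m := _IMAGE.match(line):
            proc["image"] = m[1]
        elif thread is None:
            if m := _PROC_BASEPRI.match(line):      # process-level BasePriority line
                proc["base_priority"] = int(m[1])
        elif m := _START.match(line):
            thread["start"] = m[1]
        elif m := _THREAD_PRI.match(line):          # thread-level "Priority n BasePriority n ..."
            thread["priority"], thread["base_priority"] = int(m[1]), int(m[2])
    return processes


def describe_idle(processes):
    """Check what the text says about Idle and System against the parsed dump."""
    idle = next(p for p in processes if p.get("image") == "Idle")
    system = next(p for p in processes if p.get("image") == "System")
    cpus = [t["processor"] for t in idle["threads"]]
    return {
        "idle_pid": idle["pid"],
        "system_pid": system["pid"],
        "system_parent_pid": system["parent_pid"],
        "idle_threads": len(idle["threads"]),
        "one_thread_per_processor": None not in cpus and len(cpus) == len(set(cpus)),
        "all_run_kiidleloop": all(t["start"] == "nt!KiIdleLoop" for t in idle["threads"]),
        "all_priority_zero": all(t["priority"] == 0 for t in idle["threads"]),
        # Idle borrows System's page tables and handle table instead of owning its own
        "shares_system_dirbase": idle["dirbase"] == system["dirbase"],
        "shares_system_handle_table": idle["object_table"] == system["object_table"],
    }


if __name__ == "__main__":
    for key, value in describe_idle(parse_process_dump(SAMPLE)).items():
        print(f"{key:28} {value}")
```

The same parser can be pointed at `!process 0 1` output saved from a crash dump; anything it does not recognise is ignored, so only the fields the checks need have to survive.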
Other kernel-space modules
Win32k.sys: the kernel-space part of the Windows subsystem (windowing and GDI)
DxgKrnl.sys: the core DirectX graphics kernel (GPU) module
AFD.sys: the kernel-space driver behind network sockets (Ancillary Function Driver)
NDIS.sys: the core driver that manages network-card (miniport) drivers
Wfplwf.sys: the Windows Filtering Platform lightweight filter driver, which attaches WFP filtering to the NDIS stack
ACPI.sys: the kernel module that interfaces with the platform firmware (ACPI)
PCI.sys: the core PCI bus driver
NTFS.sys: the NTFS file system implementation
NTDLL.DLL
NTDLL.DLL is the kernel's ambassador stationed in user space,
the bridge between user space and kernel space.
System service stub functions:
functions prefixed with Nt (NtXxx); each stub loads a system service number and executes the system-call instruction to enter the kernel. The listing below is a fragment of `x ntdll!*` from a 32-bit process (truncated):
0:000> x ntdll!*
7745bbd0 ntdll!EtwDeliverDataBlock (void)
77431840 ntdll!RtlpTpWorkCallback (void)
7743603b ntdll!SbpDetermineDllContext (void)
77429160 ntdll!LdrEnumerateLoadedModules (void)
77438e10 ntdll!TppCallbackCheckThreadAfterCallback (void)
7743ccf6 ntdll!RtlpMuiRegLoadLicInformation (void)
7745d659 ntdll!IsProgramFilesPath (void)
77425fb0 ntdll!RebalanceNode (void)
7743b42e ntdll!LdrpConvertLangFallbackListToMultiSz (void)
77461722 ntdll!RtlWideCharArrayCopyStringWorker (void)
774b9aa2 ntdll!RtlWideCharArrayCopyStringWorker (void)
77462bb0 ntdll!LdrResGetRCConfig (void)
77471744 ntdll!EtwpGetTimeZoneInformation (void)
774264d8 ntdll!LdrpGetProcedureAddress (void)
77452d10 ntdll!RtlGetFullPathName_UstrEx (void)
77453c90 ntdll!RtlpLocateActivationContextSection (void)
77439d2c ntdll!RtlpAllocateUserBlockFromHeap (void)
77444f40 ntdll!LdrpLoadResourceFromAlternativeModule (void)
7745f4a4 ntdll!WerEscalationReadImageVersionInfoForModuleB
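The Nt* stubs are worth looking at byte by byte, because they are where user-mode tooling (and EDR inline hooks) meet the kernel boundary. The following is an added example, not code from the original page: it builds byte strings shaped like the x64 ntdll Nt*/Zw* stub (mov r10,rcx; mov eax,SSN; test byte ptr [7FFE0308h],1; jne; syscall; ret; int 2Eh; ret), extracts the system service number, flags a stub whose first bytes were overwritten with a jmp, and recovers the number of a hooked stub from its clean neighbours, relying on ntdll laying the stubs out in ascending service-number order. The listing above comes from a 32-bit process, whose stubs go through the WOW64 transition instead; the x64 layout is assumed here. The function names in the sample are real ntdll exports, but their addresses and service numbers are placeholders, not values from any real build.

```python
import struct

MOV_R10_RCX = b"\x4c\x8b\xd1"        # mov r10, rcx
MOV_EAX_IMM32 = 0xB8                 # mov eax, imm32  (imm32 = system service number)
SYSCALL = b"\x0f\x05"                # syscall
JMP_REL32 = 0xE9                     # jmp rel32  (what an inline hook usually writes)


def make_stub(ssn):
    """Bytes shaped like a Windows 10 x64 ntdll Nt*/Zw* stub with service number `ssn`."""
    return (MOV_R10_RCX
            + bytes([MOV_EAX_IMM32]) + struct.pack("<I", ssn)
            + b"\xf6\x04\x25\x08\x03\xfe\x7f\x01"   # test byte ptr [7FFE0308h], 1
            + b"\x75\x03"                           # jne  +3   (legacy int 2Eh path)
            + SYSCALL + b"\xc3"                     # syscall ; ret
            + b"\xcd\x2e\xc3")                      # int 2Eh ; ret


def hook_stub(stub, rel32=0x1000):
    """Simulate an inline hook: the first five bytes become jmp rel32 to a trampoline."""
    return bytes([JMP_REL32]) + struct.pack("<i", rel32) + stub[5:]


def decode_stub(stub):
    """Return the service number and whether the stub looks tampered with."""
    if len(stub) >= 5 and stub[0] == JMP_REL32:
        rel = struct.unpack_from("<i", stub, 1)[0]
        return {"ssn": None, "hooked": True, "reason": f"starts with jmp {rel:+#x}"}
    if not stub.startswith(MOV_R10_RCX):
        return {"ssn": None, "hooked": True, "reason": "prologue is not mov r10,rcx"}
    if len(stub) < 8 or stub[3] != MOV_EAX_IMM32:
        return {"ssn": None, "hooked": True, "reason": "no mov eax,imm32"}
    ssn = struct.unpack_from("<I", stub, 4)[0]
    if SYSCALL not in stub[8:]:
        return {"ssn": ssn, "hooked": True, "reason": "no syscall instruction"}
    return {"ssn": ssn, "hooked": False, "reason": "clean"}


def audit_stubs(stubs):
    """stubs: [(name, address, bytes)]. Sorts by address (as `x ntdll!Nt*` output
    would be sorted), decodes each stub and, for a hooked one, recovers its number
    from the nearest clean neighbour, since ntdll lays the stubs out in ascending
    service-number order."""
    rows = [{"name": n, "address": a, **decode_stub(b)}
            for n, a, b in sorted(stubs, key=lambda s: s[1])]
    for i, row in enumerate(rows):
        row["recovered_ssn"] = row["ssn"]
        if row["ssn"] is not None:
            continue
        for dist in range(1, len(rows)):
            up, down = i - dist, i + dist
            if up >= 0 and rows[up]["ssn"] is not None:
                row["recovered_ssn"] = rows[up]["ssn"] + dist
                break
            if down < len(rows) and rows[down]["ssn"] is not None:
                row["recovered_ssn"] = rows[down]["ssn"] - dist
                break
    return rows


# Constructed sample: four consecutive stubs, the third one inline-hooked.
# Addresses and service numbers are placeholders, not taken from a real build.
SAMPLE_STUBS = [
    ("NtClose",                 0x7FFA10010000, make_stub(0x10)),
    ("NtOpenProcess",           0x7FFA10010020, make_stub(0x11)),
    ("NtWriteVirtualMemory",    0x7FFA10010040, hook_stub(make_stub(0x12))),
    ("NtAllocateVirtualMemory", 0x7FFA10010060, make_stub(0x13)),
]

if __name__ == "__main__":
    for row in audit_stubs(SAMPLE_STUBS):
        ssn = row["recovered_ssn"]
        print(f"{row['name']:26} {row['address']:#x}  "
              f"ssn={ssn:#x}" if ssn is not None else "ssn=?",
              "HOOKED" if row["hooked"] else "ok", f"({row['reason']})")
```

On a live system the bytes would come from reading the first 32 bytes at each `x ntdll!Nt*` address; the decoder does not need the symbol names at all, which is what makes the neighbour-based recovery useful when a hooked stub's own number has been overwritten.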
Image loader
Functions prefixed with Ldr (also seen as ldr or _Ldr, as in _LdrpInitialize below). When the fourth character is a lowercase p (Ldrp...), the function is internal; an uppercase fourth character (LdrXxx) marks an interface function.
0:000> k
# ChildEBP RetAddr
00 009bf700 774a9486 ntdll!LdrpDoDebuggerBreak+0x2b
01 009bf960 77432fe1 ntdll!LdrpInitializeProcess+0x1ba6
02 009bf9b8 77432ed1 ntdll!_LdrpInitialize+0xba
03 009bf9c4 00000000 ntdll!LdrInitializeThunk+0x11
ntdll!LdrInitializeThunk+0x11: the thunk through which execution passes from kernel space into user space when a new thread starts
ntdll!_LdrpInitialize: the core function that performs process initialization; here it has called LdrpInitializeProcess, which, because a debugger is attached, stopped in LdrpDoDebuggerBreak (frame 00)
Runtime library
Functions prefixed with Rtl provide basic facilities (strings, paths, heaps, critical sections, thread pools); as with Ldr/Ldrp, Rtlp marks internal helpers:
0:000> x ntdll!Rtl*
77431840 ntdll!RtlpTpWorkCallback (void)
7743ccf6 ntdll!RtlpMuiRegLoadLicInformation (void)
77461722 ntdll!RtlWideCharArrayCopyStringWorker (void)
774b9aa2 ntdll!RtlWideCharArrayCopyStringWorker (void)
77452d10 ntdll!RtlGetFullPathName_UstrEx (void)
77453c90 ntdll!RtlpLocateActivationContextSection (void)
77439d2c ntdll!RtlpAllocateUserBlockFromHeap (void)
774284ed ntdll!RtlpTpTimerRundown (void)
77429c67 ntdll!RtlpProcessIFEOKeyFilter (void)
774333ad ntdll!RtlpTpRevertCapture (void)
77458520 ntdll!RtlInitializeResource (void)
7742871a ntdll!RtlStringExValidateDestW (void)
77456237 ntdll!RtlpCreateSplitBlock (void)
7746c000 ntdll!RtlCheckHeldCriticalSections (void)
Environment subsystems
Different kinds of application run in different environment subsystems.
Native processes
Ordinary applications belong to some environment subsystem.
Special processes that depend on no subsystem and talk to the kernel directly through private (native) interfaces are called native processes.
They can run before any subsystem has been created.
SMSS
Session Manager Subsystem (a native process, started before any subsystem exists)
CSRSS
Server process of the Windows subsystem
Finally
The above is the full text of "windbg 3: overview of Windows system components: kernel and HAL modules, system processes, other kernel-space modules, NTDLL.DLL, environment subsystems, native processes", as collected and organised by 激动花瓣.