2008-10-13 16:13:35
原因比较简单:它们的结构体都以 DISPATCHER_HEADER Header; 成员开头,而 EVENT 只包含这个头部(定义可以在 DDK 里面看到)。
//
// Kernel thread object layout (KTHREAD) as quoted on this page.
//
// The structure starts with a DISPATCHER_HEADER, the same leading member
// that KPROCESS declares. Members are grouped by the code path that touches
// them (trap/context switch, wait, queue, system call, clock interrupt,
// APC queuing, initialization), as the section comments state.
//
// NOTE(review): the layout changes with the target architecture (see the
// #if defined(_IA64_) members) and presumably also between OS builds, so
// field offsets should be resolved from symbols for the exact build under
// analysis rather than hard-coded from this listing.
//
typedef struct _KTHREAD {
//
// The dispatcher header and mutant listhead are fairly infrequently
// referenced, but pad the thread to a 32-byte boundary (assumption
// that pool allocation is in units of 32-bytes).
//
// NOTE(review): Header being the first member is presumably what lets
// generic wait code treat a thread pointer as a dispatcher object - confirm.
//
DISPATCHER_HEADER Header;
LIST_ENTRY MutantListHead;
//
// The following fields are referenced during trap, interrupts, or
// context switches.
//
// N.B. The Teb address and TlsArray are loaded as a quadword quantity
// on MIPS and therefore must be on a quadword boundary.
//
PVOID InitialStack;
PVOID StackLimit;
// IA64-only members; they shift the offset of every field that follows.
#if defined(_IA64_)
PVOID InitialBStore;
PVOID BStoreLimit;
#endif
PVOID Teb;
PVOID TlsArray;
PVOID KernelStack;
#if defined(_IA64_)
PVOID KernelBStore;
#endif
BOOLEAN DebugActive;
UCHAR State;
// One alert flag per processor mode (array sized by MaximumMode).
BOOLEAN Alerted[MaximumMode];
UCHAR Iopl;
UCHAR NpxState;
CHAR Saturation;
SCHAR Priority;
KAPC_STATE ApcState;
ULONG ContextSwitches;
//
// The following fields are referenced during wait operations.
//
LONG_PTR WaitStatus;
KIRQL WaitIrql;
KPROCESSOR_MODE WaitMode;
BOOLEAN WaitNext;
UCHAR WaitReason;
PRKWAIT_BLOCK WaitBlockList;
LIST_ENTRY WaitListEntry;
ULONG WaitTime;
SCHAR BasePriority;
UCHAR DecrementCount;
SCHAR PriorityDecrement;
SCHAR Quantum;
// Wait blocks embedded in the thread object itself; the array holds
// THREAD_WAIT_OBJECTS + 1 entries.
// NOTE(review): the purpose of the extra entry is not shown here - confirm.
KWAIT_BLOCK WaitBlock[THREAD_WAIT_OBJECTS + 1];
PVOID LegoData;
ULONG KernelApcDisable;
KAFFINITY UserAffinity;
BOOLEAN SystemAffinityActive;
UCHAR PowerState;
UCHAR NpxIrql;
// Explicit one-byte pad after the three one-byte fields above.
UCHAR Pad[1];
// NOTE(review): presumably the system service table this thread dispatches
// through; if so, a value that differs from the expected kernel table is
// worth flagging in an integrity check or memory-forensics pass - confirm.
PVOID ServiceTable;
// Members below are commented out in the quoted definition and are not
// part of the layout.
// struct _ECHANNEL *Channel;
// PVOID Section;
// PCHANNEL_MESSAGE SystemView;
// PCHANNEL_MESSAGE ThreadView;
//
// The following fields are referenced during queue operations.
//
PRKQUEUE Queue;
KSPIN_LOCK ApcQueueLock;
KTIMER Timer;
LIST_ENTRY QueueListEntry;
//
// The following fields are referenced during read and find ready
// thread.
//
KAFFINITY Affinity;
BOOLEAN Preempted;
BOOLEAN ProcessReadyQueue;
BOOLEAN KernelStackResident;
UCHAR NextProcessor;
//
// The following fields are referenced during system calls.
//
PVOID CallbackStack;
#if defined(_IA64_)
PVOID CallbackBStore;
#endif
PVOID Win32Thread;
PKTRAP_FRAME TrapFrame;
// NOTE(review): two APC-state pointers; presumably selected by
// ApcStateIndex and pointing at ApcState / SavedApcState - confirm.
PKAPC_STATE ApcStatePointer[2];
// NOTE(review): presumably the processor mode the current system service
// was entered from. If so this byte is security-sensitive: the checks that
// validate user-supplied pointers and handles depend on the caller's mode,
// so it must never be derived from untrusted input - confirm.
CCHAR PreviousMode;
UCHAR EnableStackSwap;
UCHAR LargeStack;
UCHAR ResourceIndex;
//
// The following entries are referenced during clock interrupts.
//
ULONG KernelTime;
ULONG UserTime;
//
// The following fields are referenced during APC queuing and process
// attach/detach.
//
KAPC_STATE SavedApcState;
BOOLEAN Alertable;
UCHAR ApcStateIndex;
BOOLEAN ApcQueueable;
BOOLEAN AutoAlignment;
//
// The following fields are referenced when the thread is initialized
// and very infrequently thereafter.
//
PVOID StackBase;
KAPC SuspendApc;
KSEMAPHORE SuspendSemaphore;
// NOTE(review): presumably the link into KPROCESS.ThreadListHead - confirm.
LIST_ENTRY ThreadListEntry;
//
// N.B. The below four UCHARs share the same DWORD and are modified
// by other threads. Therefore, they must ALWAYS be modified
// under the dispatcher lock to prevent granularity problems
// on Alpha machines.
//
// (Two of the four are declared CCHAR, so "UCHARs" above refers to their
// one-byte size rather than their exact type.)
//
CCHAR FreezeCount;
CCHAR SuspendCount;
UCHAR IdealProcessor;
UCHAR DisableBoost;
} KTHREAD, *PKTHREAD, *RESTRICTED_POINTER PRKTHREAD;
//
// Process object structure definition
//
//
// Kernel process object layout (KPROCESS) as quoted on this page.
//
// Like KTHREAD, the structure starts with a DISPATCHER_HEADER. The block
// after DirectoryTableBase is selected per architecture (_X86_, _IA64_,
// _ALPHA_), so the offsets of every later field depend on the build target.
//
// NOTE(review): offsets presumably also differ between OS builds; resolve
// them from symbols for the exact build rather than from this listing.
//
typedef struct _KPROCESS {
//
// The dispatch header and profile listhead are fairly infrequently
// referenced, but pad the process to a 32-byte boundary (assumption
// that pool block allocation is in units of 32-bytes).
//
DISPATCHER_HEADER Header;
LIST_ENTRY ProfileListHead;
//
// The following fields are referenced during context switches.
//
// NOTE(review): presumably the address-space root(s) loaded on a context
// switch; the meaning of the second element is not shown here - confirm.
ULONG_PTR DirectoryTableBase[2];
// x86-only members.
// NOTE(review): Iopl and IopmOffset presumably govern user-mode port I/O
// access for the process, which would make them privilege-relevant - confirm.
#if defined(_X86_)
KGDTENTRY LdtDescriptor;
KIDTENTRY Int21Descriptor;
USHORT IopmOffset;
UCHAR Iopl;
BOOLEAN VdmFlag;
#endif
// IA64-only members.
#if defined(_IA64_)
KGDTENTRY LdtDescriptor;
ULONGLONG UnscrambledLdtDescriptor;
KIDTENTRY Int21Descriptor;
BOOLEAN VdmFlag;
REGION_MAP_INFO ProcessRegion;
REGION_MAP_INFO SessionRegion;
PREGION_MAP_INFO SessionMapInfo;
ULONG_PTR SessionParentBase;
#endif // _IA64_
// On Alpha the two affinity masks overlay a ULONGLONG in an anonymous
// union; every other target declares ActiveProcessors alone.
// NOTE(review): Alignment presumably exists only to force 8-byte
// alignment of the pair - confirm.
#if defined(_ALPHA_)
union {
struct {
KAFFINITY ActiveProcessors;
KAFFINITY RunOnProcessors;
};
ULONGLONG Alignment;
};
ULONGLONG ProcessSequence;
ULONG ProcessAsn;
#else
KAFFINITY ActiveProcessors;
#endif
//
// The following fields are referenced during clock interrupts.
//
ULONG KernelTime;
ULONG UserTime;
//
// The following fields are referenced infrequently.
//
LIST_ENTRY ReadyListHead;
LIST_ENTRY SwapListEntry;
// NOTE(review): presumably the head of the list linked through
// KTHREAD.ThreadListEntry. List links are ordinary writable kernel memory,
// so an enumeration built only on walking this list should be cross-checked
// against an independent source - confirm.
LIST_ENTRY ThreadListHead;
KSPIN_LOCK ProcessLock;
KAFFINITY Affinity;
USHORT StackCount;
SCHAR BasePriority;
SCHAR ThreadQuantum;
BOOLEAN AutoAlignment;
UCHAR State;
UCHAR ThreadSeed;
BOOLEAN DisableBoost;
UCHAR PowerState;
BOOLEAN DisableQuantum;
// Two spare bytes at the end of the structure.
UCHAR Spare[2];
} KPROCESS, *PKPROCESS, *RESTRICTED_POINTER PRKPROCESS;