PspCidTable has been done to death by others, but it is still worth working through yourself to learn a few things:
Manual lookup:
0: kd> dd pspcidtable l1
805649c0 e1000c88
0: kd> dt _handle_table e1000c88
nt!_HANDLE_TABLE
   +0x000 TableCode              : 0xe1e1b001
   +0x004 QuotaProcess           : (null)
   +0x008 UniqueProcessId        : (null)
   +0x00c HandleTableLock        : [4] _EX_PUSH_LOCK
   +0x01c HandleTableList        : _LIST_ENTRY [ 0xe1000ca4 - 0xe1000ca4 ]
   +0x024 HandleContentionEvent  : _EX_PUSH_LOCK
   +0x028 DebugInfo              : (null)
   +0x02c ExtraInfoPages         : 0
   +0x030 FirstFree              : 0xbd8
   +0x034 LastFree               : 0xbec
   +0x038 NextHandleNeedingPool  : 0x1000
   +0x03c HandleCount            : 544
   +0x040 Flags                  : 1
   +0x040 StrictFIFO             : 0y1
0: kd> dd e1000c88 l1
e1000c88  e1e1b001
# e1e1b001 & 3 = 1: the level field is 1, so this is a two-level table
# e1e1b001 & ~3 = e1e1b000: address of the mid-level table (the low two bits of TableCode hold the level; the mask 0xfffffff8 used originally gives the same result here only because table pages are page-aligned)
# The mid-level table holds two lowest-level tables (544 handles do not fit in one 512-entry page):
0: kd> dd e1e1b000 l8
e1e1b000  e1005000 e1e2d000 00000000 00000000
e1e1b010  00000000 00000000 00000000 00000000
0: kd> dd e1005000
e1005000  00000000 fffffffe 817bb831 00000000
e1005010  817bb5b9 00000000 817ba021 00000000
e1005020  817bad21 00000000 817baaa9 00000000
e1005030  817ba831 00000000 817ba5b9 00000000
e1005040  817ba341 00000000 817b9021 00000000
e1005050  817b9da9 00000000 817b9b31 00000000
e1005060  817b98b9 00000000 817b9641 00000000
e1005070  817b93c9 00000000 817b8021 00000000
# (817bb831 | 0x80000000) & 0xfffffff8 = 817bb830
# Set bit 31 (the lock bit, which is cleared while the entry is locked) and clear the low three attribute bits to get the object address. The entry at index 0 (00000000 fffffffe) is the unused sentinel; entry index 1 is handle value 4, i.e. PID 4. Note that a PspCidTable entry points at the object body (the EPROCESS/ETHREAD itself), not at the OBJECT_HEADER:
# Found a process:
0: kd> !object 817bb830
Object: 817bb830  Type: (817bbe70) Process
    ObjectHeader: 817bb818 (old version)
    HandleCount: 2  PointerCount: 54
Once the manual lookup is understood, doing it in a program is straightforward. Output of the walker (+ marks a process entry with its PID, - a thread entry with its TID):
TableAddr: 0xe1e1b000
Table1: 0xe1005000
+Process: System->4
-ThreadId: 8
-ThreadId: 12
-ThreadId: 16
-ThreadId: 20
-ThreadId: 24
-ThreadId: 28
-ThreadId: 32
-ThreadId: 36
-ThreadId: 40
-ThreadId: 44
-ThreadId: 48
-ThreadId: 52
-ThreadId: 56
-ThreadId: 60
-ThreadId: 64
-ThreadId: 68
-ThreadId: 72
-ThreadId: 76
-ThreadId: 80
-ThreadId: 84
-ThreadId: 88
-ThreadId: 92
-ThreadId: 96
-ThreadId: 100
-ThreadId: 104
-ThreadId: 108
-ThreadId: 112
+Process: notepad.exe->116
+Process: notepad.exe->120
+Process: notepad.exe->124
-ThreadId: 132
-ThreadId: 136
-ThreadId: 140
-ThreadId: 144
-ThreadId: 148
-ThreadId: 152
-ThreadId: 156
-ThreadId: 160
-ThreadId: 164
-ThreadId: 168
-ThreadId: 172
-ThreadId: 176
-ThreadId: 180
-ThreadId: 184
-ThreadId: 188
+Process: notepad.exe->192
+Process: notepad.exe->196
-ThreadId: 200
+Process: notepad.exe->204
-ThreadId: 212
-ThreadId: 216
-ThreadId: 220
+Process: notepad.exe->224
-ThreadId: 228
+Process: notepad.exe->232
+Process: notepad.exe->240
+Process: notepad.exe->244
+Process: notepad.exe->256
+Process: alg.exe->260
-ThreadId: 264
-ThreadId: 268
+Process: notepad.exe->272
-ThreadId: 276
-ThreadId: 284
-ThreadId: 288
-ThreadId: 292
-ThreadId: 296
-ThreadId: 300
-ThreadId: 304
-ThreadId: 308
+Process: notepad.exe->312
-ThreadId: 316
+Process: notepad.exe->320
-ThreadId: 324
+Process: notepad.exe->328
+Process: notepad.exe->332
-ThreadId: 336
-ThreadId: 340
-ThreadId: 348
+Process: notepad.exe->356
-ThreadId: 364
+Process: notepad.exe->372
+Process: notepad.exe->380
+Process: notepad.exe->384
+Process: notepad.exe->388
+Process: notepad.exe->392
+Process: notepad.exe->396
+Process: notepad.exe->400
+Process: notepad.exe->404
-ThreadId: 408
+Process: notepad.exe->420
-ThreadId: 424
+Process: notepad.exe->432
+Process: notepad.exe->440
-ThreadId: 444
-ThreadId: 452
-ThreadId: 456
+Process: notepad.exe->460
+Process: notepad.exe->464
+Process: notepad.exe->468
-ThreadId: 472
-ThreadId: 476
-ThreadId: 480
-ThreadId: 484
-ThreadId: 488
-ThreadId: 492
-ThreadId: 496
-ThreadId: 500
-ThreadId: 504
-ThreadId: 512
-ThreadId: 516
-ThreadId: 520
+Process: notepad.exe->532
-ThreadId: 536
-ThreadId: 540
-ThreadId: 548
-ThreadId: 556
-ThreadId: 560
+Process: notepad.exe->564
+Process: notepad.exe->568
-ThreadId: 572
-ThreadId: 576
+Process: smss.exe->580
-ThreadId: 584
-ThreadId: 588
-ThreadId: 592
-ThreadId: 596
-ThreadId: 600
-ThreadId: 604
+Process: notepad.exe->616
-ThreadId: 620
-ThreadId: 624
+Process: notepad.exe->628
+Process: csrss.exe->632
......
About _HANDLE_TABLE: the lowest-level tables hold nothing but the process and thread entries. Each 8-byte entry points at an EPROCESS or ETHREAD, and the CID (PID or TID) is the entry index times 4, which is why the IDs above all step by 4. One lowest-level table is a single page, so on 32-bit XP it holds 4096 / 8 = 512 entries. When there are more CIDs than that (HandleCount is 544 here), TableCode switches to level 1 and points at a mid-level table whose entries are pointers to lowest-level tables (e1005000 and e1e2d000 above, together covering handle values up to NextHandleNeedingPool = 0x1000). A third level above that works the same way, with a page of pointers to mid-level tables.
In other words, the handle table is a tree.
Two caveats before reusing the masks: a free entry does not hold a pointer but the next free handle value (FirstFree/LastFree chain through them, 0xbd8 and 0xbec above), so an entry has to be filtered before setting bit 31 or it decodes into a bogus kernel address; and the offsets and bit encodings here are those of 32-bit Windows XP. Later kernels changed both the _HANDLE_TABLE layout and the entry encoding, so re-derive them with dt against the target kernel's symbols.
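As an added example, and not the page's own program: a user-mode C model of the walk described above. It builds a constructed in-memory table with the 32-bit XP layout shown on the page (8-byte entries, 512 per page, the level in the low two bits of TableCode) and walks it the way the manual lookup does, decoding each entry with (Object | 0x80000000) & ~7 and skipping free entries. It goes slightly beyond the page by also handling the one-level and three-level cases. The simulated memory, its addresses, and the fixture's object values are assumptions made for the demo; in a driver, rd32 would be a plain dereference of the kernel address.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE          4096u
#define ENTRY_SIZE         8u                        /* sizeof(_HANDLE_TABLE_ENTRY) on 32-bit XP */
#define ENTRIES_PER_TABLE  (PAGE_SIZE / ENTRY_SIZE)  /* 512 entries per lowest-level page */
#define PTRS_PER_TABLE     (PAGE_SIZE / 4u)          /* 1024 pointers per mid/top-level page */
#define LEVEL_CODE_MASK    3u                        /* low 2 bits of TableCode = level */
#define ENTRY_LOCK_BIT     0x80000000u               /* cleared while an entry is locked */
#define ENTRY_ATTR_MASK    7u                        /* low 3 bits = handle attributes */
#define HT_TABLECODE       0x00u                     /* _HANDLE_TABLE offsets from the dt output */
#define HT_NEXTHANDLE_POOL 0x38u

/* Constructed 32-bit "kernel memory" standing in for a driver's direct reads
   (assumption: these addresses are made up, not taken from a real dump). */
#define SIM_BASE 0xe1000000u
static uint8_t sim_mem[8 * PAGE_SIZE];
static int sim_ok(uint32_t va) { return va >= SIM_BASE && va + 4 <= SIM_BASE + sizeof sim_mem; }
static uint32_t rd32(uint32_t va) { uint32_t v = 0; if (sim_ok(va)) memcpy(&v, sim_mem + (va - SIM_BASE), 4); return v; }
static void wr32(uint32_t va, uint32_t v) { if (sim_ok(va)) memcpy(sim_mem + (va - SIM_BASE), &v, 4); }

typedef struct { uint32_t cid; uint32_t object; } cid_entry;

/* Decode an entry's Object field: returns 1 and fills *object if live, 0 if free. */
static int decode_entry(uint32_t raw, uint32_t next_handle_needing_pool, uint32_t *object)
{
    /* A free entry holds the next free handle value (always below NextHandleNeedingPool)
       instead of a pointer; index 0 is the sentinel and is never handed out. */
    if ((raw & ~ENTRY_LOCK_BIT & ~ENTRY_ATTR_MASK) < next_handle_needing_pool)
        return 0;
    /* Restore bit 31 (clear while locked) and strip the attribute bits:
       (Object | 0x80000000) & ~7 is the EPROCESS/ETHREAD body address. */
    *object = (raw | ENTRY_LOCK_BIT) & ~ENTRY_ATTR_MASK;
    return 1;
}

static size_t walk_low(uint32_t tbl, uint32_t base_cid, uint32_t nhnp, cid_entry *out, size_t max, size_t n)
{
    for (uint32_t i = 0; i < ENTRIES_PER_TABLE && n < max; i++) {
        uint32_t obj;
        if (decode_entry(rd32(tbl + i * ENTRY_SIZE), nhnp, &obj)) {
            out[n].cid = base_cid + i * 4;              /* handle (CID) value = index * 4 */
            out[n++].object = obj;
        }
    }
    return n;
}

static size_t walk_mid(uint32_t mid, uint32_t base_cid, uint32_t nhnp, cid_entry *out, size_t max, size_t n)
{
    for (uint32_t j = 0; j < PTRS_PER_TABLE; j++) {
        uint32_t low = rd32(mid + j * 4);
        if (low == 0) break;                            /* first NULL pointer ends the mid table */
        n = walk_low(low, base_cid + j * ENTRIES_PER_TABLE * 4, nhnp, out, max, n);
    }
    return n;
}

/* Walk a CID table from its _HANDLE_TABLE address (what `dd PspCidTable l1` gives). */
size_t walk_cid_table(uint32_t ht, cid_entry *out, size_t max)
{
    uint32_t code = rd32(ht + HT_TABLECODE), nhnp = rd32(ht + HT_NEXTHANDLE_POOL);
    uint32_t base = code & ~LEVEL_CODE_MASK;            /* the page masks with 0xfffffff8; same result */
    size_t n = 0;
    switch (code & LEVEL_CODE_MASK) {
    case 0: return walk_low(base, 0, nhnp, out, max, 0);
    case 1: return walk_mid(base, 0, nhnp, out, max, 0);
    case 2:                                             /* three-level: a top page of mid-table pointers */
        for (uint32_t k = 0; k < PTRS_PER_TABLE; k++) {
            uint32_t mid = rd32(base + k * 4);
            if (mid == 0) break;
            n = walk_mid(mid, k * PTRS_PER_TABLE * ENTRIES_PER_TABLE * 4, nhnp, out, max, n);
        }
        return n;
    default: return 0;                                  /* level 3 does not exist */
    }
}

/* Lay out a table shaped like the page's: more than 512 CIDs need two lowest-level pages,
   so a mid-level page holds their pointers. `level` selects a 1-, 2- or 3-level table. */
void build_fixture(uint32_t level)
{
    const uint32_t ht = SIM_BASE + 0xc88, top = SIM_BASE + 0x1000, mid = SIM_BASE + 0x2000,
                   low0 = SIM_BASE + 0x3000, low1 = SIM_BASE + 0x4000;
    memset(sim_mem, 0, sizeof sim_mem);
    wr32(ht + HT_NEXTHANDLE_POOL, 0x1000);
    wr32(ht + HT_TABLECODE, level == 0 ? low0 : level == 1 ? (mid | 1) : (top | 2));
    wr32(top, mid);
    wr32(mid, low0); wr32(mid + 4, low1);
    wr32(low0 + 4, 0xfffffffe);                         /* index 0: the unused sentinel entry */
    wr32(low0 +  1 * ENTRY_SIZE, 0x817bb831);           /* CID 4:   System EPROCESS, attr bit 0 set */
    wr32(low0 +  2 * ENTRY_SIZE, 0x817bb5b9);           /* CID 8:   an ETHREAD */
    wr32(low0 + 29 * ENTRY_SIZE, 0x017b9da9);           /* CID 116: live but locked (bit 31 clear) */
    wr32(low0 + 30 * ENTRY_SIZE, 0x00000bd8);           /* CID 120: free, holds the next free handle */
    wr32(low1 +  3 * ENTRY_SIZE, 0x81650021);           /* CID 0x80c: lives in the second page */
}

int main(void)
{
    cid_entry found[16];
    build_fixture(1);
    size_t n = walk_cid_table(SIM_BASE + 0xc88, found, 16);
    for (size_t i = 0; i < n; i++)
        printf("CID %5u -> object 0x%08x\n", (unsigned)found[i].cid, (unsigned)found[i].object);
    return 0;
}
```

The free-entry filter is the part a real walker most often gets wrong: a free slot's value (0xbd8 here) survives the (x | 0x80000000) & ~7 decode as 0x80000bd8, which is not an object, so it must be rejected by comparing against NextHandleNeedingPool before the decode rather than after.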