Modern System Kernel final report. Group 4: 995202062 李宜庭, 100522016 蔡逸祥, 100522041 鍾珍慧, 100522056 薛浩哲, 100522065 吳季衡, 100522069 潘偉誠, 100522074 郭凱威, 100522080 林依汶, 100522083 曾敬忠, 100522106 林宜姮, 100522110 葉奇鑫, 100582015 藍偉綺. Report chapter outline (P.137~176): Chapter 3, Windows processes and threads; 3.4 Windows process and thread management. PowerPoint PPT presentation.
Thread
PspCreateThread [link] -> KiInitializeContextThread [link] -> KiThreadStartup [link] -> call KeInitThread [link] -> call PspUserThreadStartup
IRQL APC_LEVEL
IRQL (Interrupt Request Level); Csrss.exe; Windows32; IRQL Level; Software IRQL
    PASSIVE_LEVEL   0   // Passive release level
    LOW_LEVEL       0   // Lowest interrupt level
    APC_LEVEL       1   // APC interrupt level
    DISPATCH_LEVEL  2   // Dispatch level
75Thread94CmNotifyRunDown (Thread);KeRundownThread ();LpcExitThread (Thread);kernel threadTEBLpcExitThreadLpcReplyMessageThreadPspExitProcessProcessProcessProcess*****mutantTEBThread Environment Block:,TEBPEBProcess Environment BlockProcess:ProcessProcessPEB
LPCREPLYMESSAGELPCP_MESSAGELPC
94Windows process6Windows processNtCreateProcess EPROCESS stack
6Windows process7Windows API processWindows process
processmemory space Windows process
NtCreateProcess processNtCreateProcessEx
Windows API processWindows processprocessmemory spaceWindows process
NtCreateProcess  base\ntos\ps\create.c 815~850  (process)
NtCreateProcessEx  852~917

NtCreateProcessEx
    NTSTATUS
    NtCreateProcessEx(
        __out PHANDLE ProcessHandle,
        __in ACCESS_MASK DesiredAccess,
        __in_opt POBJECT_ATTRIBUTES ObjectAttributes,
        __in HANDLE ParentProcess,
        __in ULONG Flags,
        __in_opt HANDLE SectionHandle,
        __in_opt HANDLE DebugPort,
        __in_opt HANDLE ExceptionPort,
        __in ULONG JobMemberLevel
        );

Parameters (one slide each in the original):
- ProcessHandle: process ProcessHandle
- DesiredAccess: Process DesiredAccess
- ObjectAttributes: NULL
- ParentProcess: process; NULL; PROCESS_CREATE_PROCESS
- Flags: PROCESS_CREATE_FLAGS_INHERIT_HANDLES (process -> process); NtCreateProcess boolean TRUE
- SectionHandle: process; SECTION_MAP_EXECUTE
- DebugPort: NULL; port; process -> process; PORT_WRITE, PORT_READ
- ExceptionPort: NULL; port; process -> process; PORT_WRITE, PORT_READ
- JobMemberLevel: process Job

PspCreateProcess
NtCreateProcessEx ProcessHandle
PspCreateProcess
PspCreateProcesswindosprocess(system process)NtCreateProcessExPsCreateSystemProcess PspInitPhase0
NtCreateProcessExProcessHandlePspCreateProcess base\ntos\ps\create.c 966~1758 http://doxygen.reactos.org/d0/d31/ps_8h_a94f0bce027453b00f9c65bd55644d787.html#a94f0bce027453b00f9c65bd55644d78717processAffinity KeActiveProcessorsObReferenceObjectByHandle ProcessEPROCESS Parent processAffinityNULL1NULLif (ARGUMENT_PRESENT (ParentProcess)) Affinity = KeActiveProcessors; Affinity = Parent->Pcb.Affinity;
WorkingSetMinimum = PsMinimumWorkingSet;
WorkingSetMaximum = PsMaximumWorkingSet; 18Parent ProcessNULLAffinityKeActiveProcessorsNULLObReferenceObjectByHandle ProcessEPROCESS Parent processAffinity18ObCreateObject PsProcessType Process EPROCESS 2process 3Status = ObCreateObject (PreviousMode, PsProcessType, ObjectAttributes, PreviousMode, NULL, sizeof (EPROCESS), 0, 0, &Process);192.ObCreateObject PsProcessType Process EPROCESS 3.process
194SectionHandleprocessPsInitialSystemProcessprocessNULLObReferenceObjectByHandle processNULLNULL( process)process if (ARGUMENT_PRESENT (SectionHandle))if (Parent != PsInitialSystemProcess)
SectionObject = Parent->SectionObject; if (SectionObject == NULL) { Status = STATUS_PROCESS_IS_TERMINATING; goto exit_and_deref;}Status = ObReferenceObjectByHandle (SectionHandle, SECTION_MAP_EXECUTE, MmSectionObjectType, PreviousMode, &SectionObject, NULL);204.SecrionHandleNULLProcessprocessPsInitialSystemProcessprocessNULL
NULLObReferenceObjectByHandle 205DebugPort processDebugPort ExceptionPort process ExceptionPort 6215. DebugPort processDebugPort 6. ExceptionPort process ExceptionPort
21processprocessprocessthreadprocessNULLNULL7Process->ObjectTable = CurrentProcess->ObjectTable; if (Parent != NULL) Status = STATUS_INSUFFICIENT_RESOURCES;227. ParentNULLprocessprocessthreadprocess228 KeInitializeProcess processAffinity(paging) PspInitializeProcessSecurity processprocess9KeInitializeProcess (&Process->Pcb, NORMAL_BASE_PRIORITY, Affinity, &DirectoryTableBase[0], (BOOLEAN)(Process->DefaultHardErrorProcessing & PROCESS_HARDERROR_ALIGNMENT_BIT));Status = PspInitializeProcessSecurity (Parent, Process); if (!NT_SUCCESS (Status)) { goto exit_and_deref; }238. KeInitializeProcess processAffinity(paging)9. PspInitializeProcessSecurity processprocess23processMmInitializeHandBuiltProcess2processcopyprocessprocessFlags processprocessNULLNULL10if (Parent != NULL) Status = MmInitializeHandBuiltProcess2 (Process);Process->PriorityClass = Parent->PriorityClass;
Status = ObInitProcess ((Flags&PROCESS_CREATE_FLAGS_INHERIT_HANDLES) ? Parent : NULL, Process);
2410. parentNULLMmInitializeHandBuiltProcess2processcopyprocessprocessFlags processprocess2411processprocessprocess ProcessPsInitialSystemProcessPsInitialSystemProcess2511. processprocessprocess MmInitializeProcessAddressSpace processPsInitialSystemProcessMmInitializeProcessAddressSpace processprocessprocessPsInitialSystemProcessMmInitializeProcessAddressSpaceprocessprocess2512process IDExCreateHandle CID ID process13processprocessprocess14Process->UniqueProcessId = ExCreateHandle (PspCidTable, &CidEntry); if (SeDetailedAuditingWithToken (NULL)) { SeAuditProcessCreation (Process); }if (Parent) { Job = Parent->Job; }2612.process IDExCreateHandle CID ID 13.process14.processprocessprocess2615PEBprocessPEBprocessPsActiveProcessHead16ObInsertObject processprocess17InsertTailList (&PsActiveProcessHead, &Process->ActiveProcessLinks);2715.PEBprocessPEB16.processPsActiveProcessHead17.ObInsertObject processprocess2718PspComputeQuantumAndPriorityprocessprocess(GranteAccess)19processprocessProcessHandleprocess20BasePriority = PspComputeQuantumAndPriority(Process, PsProcessPriorityBackground, &QuantumReset);Process->GrantedAccess = PROCESS_TERMINATE;2818.PspComputeQuantumAndPriorityprocess19.process(GranteAccess)20.processprocessProcessHandleprocess2829PspCreateProcess
process Thread
NtCreateThread
NtCreateThread  base\ntos\ps\create.c 77~169

    NTSTATUS
    NtCreateThread(
        __out PHANDLE ThreadHandle,
        __in ACCESS_MASK DesiredAccess,
        __in_opt POBJECT_ATTRIBUTES ObjectAttributes,
        __in HANDLE ProcessHandle,
        __out PCLIENT_ID ClientId,
        __in PCONTEXT ThreadContext,
        __in PINITIAL_TEB InitialTeb,
        __in BOOLEAN CreateSuspended
        );

NtCreateThread
    NTSTATUS NtCreateThread()
    {
        // ...
        try {
            if (KeGetPreviousMode () != KernelMode) {
                ProbeForWriteHandle (ThreadHandle);
                if (ARGUMENT_PRESENT (ClientId)) {
                    ProbeForWriteSmallStructure (ClientId, sizeof (CLIENT_ID), sizeof (ULONG));
                }
                if (ARGUMENT_PRESENT (ThreadContext) ) {
                    ProbeForReadSmallStructure (ThreadContext, sizeof (CONTEXT), CONTEXT_ALIGN);
                } else {
                    return STATUS_INVALID_PARAMETER;
                }
                ProbeForReadSmallStructure (InitialTeb, sizeof (InitialTeb->OldInitialTeb), sizeof (ULONG));
            }
            // ...
        }
        // ...
    }

1. kernel mode
- ProbeForWrite: checks that a user-mode buffer actually resides in the user-mode portion of the address space, is writable, and is correctly aligned.
- ARGUMENT_PRESENT: takes an argument pointer and returns FALSE if the pointer is NULL. Otherwise, it returns TRUE.

NtCreateThread
    NTSTATUS NtCreateThread()
    {
        // ...
        try {
            if (KeGetPreviousMode () != KernelMode) {
                // ...
            }
            CapturedInitialTeb.OldInitialTeb = InitialTeb->OldInitialTeb;
            if (CapturedInitialTeb.OldInitialTeb.OldStackBase == NULL &&
                CapturedInitialTeb.OldInitialTeb.OldStackLimit == NULL) {
                //
                // Since the structure size here is less than 64k we don't need to reprobe
                //
                CapturedInitialTeb = *InitialTeb;
            }
        }
        // ...
    }

2. InitialTeb -> CapturedInitialTeb (inside try)

NtCreateThread
    NTSTATUS NtCreateThread()
    {
        // ...
        try {
            // ...
        }
        // ...
        Status = PspCreateThread (ThreadHandle,
                                  DesiredAccess,
                                  ObjectAttributes,
                                  ProcessHandle,
                                  NULL,
                                  ClientId,
                                  ThreadContext,
                                  &CapturedInitialTeb,
                                  CreateSuspended,
                                  NULL,
                                  NULL);
        return Status;
    }

3. NtCreateThread -> PspCreateThread

PspCreateThread
    NTSTATUS
    PspCreateThread(
        OUT PHANDLE ThreadHandle,
        IN ACCESS_MASK DesiredAccess,
        IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
        IN HANDLE ProcessHandle,
        IN PEPROCESS ProcessPointer,
        OUT PCLIENT_ID ClientId OPTIONAL,
        IN PCONTEXT ThreadContext OPTIONAL,
        IN PINITIAL_TEB InitialTeb OPTIONAL,
        IN BOOLEAN CreateSuspended,
        IN PKSTART_ROUTINE StartRoutine OPTIONAL,
        IN PVOID StartContext
        );

Parameters (one slide each in the original):
- DesiredAccess
- ObjectAttributes: optional pointer; NULL
- ProcessHandle
- ProcessPointer: EPROCESS; PsInitialSystemProcess; NULL
- ClientId: CLIENT_ID (Unique process ID, Unique thread ID)

    typedef struct {
        HANDLE UniqueProcess;
        HANDLE UniqueThread;
    } CLIENT_ID;

  UniqueProcess: Unique process identifier.
  UniqueThread: Unique thread identifier.

- ThreadContext: NULL
- InitialTeb: TEB

    typedef struct _INITIAL_TEB {
        struct {
            PVOID OldStackBase;
            PVOID OldStackLimit;
        } OldInitialTeb;
        PVOID StackBase;
        PVOID StackLimit;
        PVOID StackAllocationBase;
    } INITIAL_TEB, *PINITIAL_TEB;

- CreateSuspended: CreateSuspended TRUE -> NtResumeThread
- StartRoutine: Is the entry point
- StartContext: Supplies a single argument that is passed to the thread when it begins execution.

PspCreateThread callers:
  NtCreateThread: ThreadContext, InitialTeb
  PsCreateSystemThread: StartRoutine, StartContext
PspCreateThread
1. ProcessHandle -> Process
    if (ProcessHandle != NULL) {
        Status = ObReferenceObjectByHandle (ProcessHandle,
                                            PROCESS_CREATE_THREAD,
                                            PsProcessType,
                                            PreviousMode,
                                            &Process,
                                            NULL);
    } else {
        if (StartRoutine != NULL) {
            ObReferenceObject (ProcessPointer);
            Process = ProcessPointer;
            Status = STATUS_SUCCESS;
        } else {
            Status = STATUS_INVALID_HANDLE;
        }
    }

    CurrentThread = PsGetCurrentThread ();
    if (StartRoutine != NULL) {
        PreviousMode = KernelMode;
    } else {
        PreviousMode = KeGetPreviousModeByThread (&CurrentThread->Tcb);
    }

- PsGetCurrentThread: returns a pointer to the executive thread object that represents the currently executing thread.
- ObReferenceObjectByHandle: provides access validation on the object handle, and, if access can be granted, returns the corresponding pointer to the object's body.

PspCreateThread
2. ObCreateObject -> ETHREAD
    Status = ObCreateObject (PreviousMode,
                             PsThreadType,
                             ObjectAttributes,
                             PreviousMode,
                             NULL,
                             sizeof(ETHREAD),
                             0,
                             0,
                             &Thread);
    RtlZeroMemory (Thread, sizeof (ETHREAD));

- RtlZeroMemory: routine fills a block of memory with zeros, given a pointer to the block and the length, in bytes, to be filled.

PspCreateThread
3. RundownProtect, ThreadsProcess, Cid
    ExInitializeRundownProtection (&Thread->RundownProtect);
    Thread->ThreadsProcess = Process;
    Thread->Cid.UniqueProcess = Process->UniqueProcessId;
    CidEntry.Object = Thread;
    CidEntry.GrantedAccess = 0;
    Thread->Cid.UniqueThread = ExCreateHandle (PspCidTable, &CidEntry);

4. ETHREAD: ReadClusterSize, LpcReplySemaphore, LpcReplyChain, IrpList, PostBlockList, ThreadLock, ActiveTimerListLock, ActiveTimerListHead
- PsGetCurrentThread: returns a pointer to the executive thread object that represents the currently executing thread.

PspCreateThread
5. RundownProtect (KeStartThread; PspCreateThread releases RundownProtect)
    if (!ExAcquireRundownProtection (&Process->RundownProtect)) {
        ObDereferenceObject (Thread);
        return STATUS_PROCESS_IS_TERMINATING;
    }

PspCreateThread
6-1. user-mode thread: TEB (InitialTeb); ThreadContext (Eip) -> StartAddress; ThreadContext Eax -> Win32StartAddress
    if (ARGUMENT_PRESENT (ThreadContext)) {
        Status = MmCreateTeb (Process, InitialTeb, &Thread->Cid, &Teb);
        // ...
        try {
            Thread->StartAddress = (PVOID)CONTEXT_TO_PROGRAM_COUNTER(ThreadContext);
#if defined(_AMD64_)
            Thread->Win32StartAddress = (PVOID)ThreadContext->Rdx;
#elif defined(_X86_)
            Thread->Win32StartAddress = (PVOID)ThreadContext->Eax;
#endif  // (closing directive omitted on the slide)
            // ...
        }
        // ...
    }

  StartAddress: thread start address
  CONTEXT_TO_PROGRAM_COUNTER(Context) ((Context)->Eip)
  Win32StartAddress: Windows start address

PspCreateThread
7. kernel-mode thread: CrossThreadFlags, StartRoutine, KeInitThread
    PS_SET_BITS (&Thread->CrossThreadFlags, PS_CROSS_THREAD_FLAGS_SYSTEM);
    Thread->StartAddress = (PKSTART_ROUTINE) StartRoutine;
    Status = KeInitThread (&Thread->Tcb,
                           NULL,
                           PspSystemThreadStartup,
                           StartRoutine,
                           StartContext,
                           NULL,
                           NULL,
                           &Process->Pcb);
- PS_CROSS_THREAD_FLAGS_SYSTEM

PspCreateThread
8. 9. ActiveThreads + 1; KeStartThread
    OldActiveThreads = Process->ActiveThreads++;
    InsertTailList (&Process->ThreadListHead, &Thread->ThreadListEntry);
    KeStartThread (&Thread->Tcb);
    ExReleaseRundownProtection (&Process->RundownProtect);

PspCreateThread
10. process Thread Process
11. Thread Process
12. Thread callout routine
10. :
12. Notify registered callout routines of thread creation.
PspCreateThread
13. (reference count: 2)
    if (CreateSuspended) {
        try {
            KeSuspendThread (&Thread->Tcb);
        } except () {
            // ...
        }
        // If deletion was started after we suspended then wake up the thread
        if (Thread->CrossThreadFlags&PS_CROSS_THREAD_FLAGS_TERMINATED) {
            KeForceResumeThread (&Thread->Tcb);
        }
    }

14. CreateSuspended true -> KeSuspendThread
15. SeCreateAccessStateEx -> ACCESS_STATE

13. Reference count of thread is biased once for itself and once for the handle if we create it.
15.
    typedef struct _ACCESS_STATE {
        LUID OperationID;
        BOOLEAN SecurityEvaluated;
        BOOLEAN GenerateAudit;
        BOOLEAN GenerateOnClose;
        BOOLEAN PrivilegesAllocated;
        ULONG Flags;
        ACCESS_MASK RemainingDesiredAccess;
        ACCESS_MASK PreviouslyGrantedAccess;
        ACCESS_MASK OriginalDesiredAccess;
        SECURITY_SUBJECT_CONTEXT SubjectSecurityContext;
        PSECURITY_DESCRIPTOR SecurityDescriptor;
        PVOID AuxData;
        union {
            INITIAL_PRIVILEGE_SET InitialPrivilegeSet;
            PRIVILEGE_SET PrivilegeSet;
        } Privileges;
        BOOLEAN AuditPrivileges;
        UNICODE_STRING ObjectName;
        UNICODE_STRING ObjectTypeName;
    } ACCESS_STATE, *PACCESS_STATE;

PspCreateThread
16. ObInsertObject (process; ObInsertObject thread) -> ThreadHandle, ClientId
    Status = ObInsertObject (Thread, AccessState, DesiredAccess, 0, NULL, &LocalThreadHandle);
    if (!NT_SUCCESS (Status)) {
        PS_SET_BITS (&Thread->CrossThreadFlags, PS_CROSS_THREAD_FLAGS_DEADTHREAD);
    } else {
        try {
            *ThreadHandle = LocalThreadHandle;
            if (ARGUMENT_PRESENT (ClientId)) {
                *ClientId = Thread->Cid;
            }
        }
        // ...
    }

PS_SET_BITS: This trick is used so that Dbgk doesn't report events for dead threads
56PspCreateThread17. Thread18. ThreadGrantedAccess 754~807 KeReadyThreadthreadready processmemorythreadtransition 20. 1 KeReadyThread (&Thread->Tcb);- KeReadyThread : This function readies a thread for execution. If the thread's process is currently not in the balance set, then the thread is inserted in the thread's process' ready queue. Else if the thread is higher priority than another thread that is currently running on a processor then the thread is selected for execution on that processor. Else the thread is inserted in the dispatcher ready queue selected by its priority.57PspCreateThreadPspCreateThreadThreadThreadProcessThread
585859CreateProcessCreateProcess(CreateProcessW)(NtCreateProcessEX)Windows 1.Create Process2.CreateProcesskernel32.dll3.NtCreateProcess or NtCreateProcessEx 4.windows59()60ntoskrnl.exe
6061DLLNTDLL.DLLAPI(LPC)I/O()Windows
() (HAL)2.3 Windows61(1/6)62Kernel32.dllCreateProcess functionKernel32.dllWindowskernel32.dll62applicationprocess63Hey,processPspExitThread83Thread84NtTerminateThreadif (Process == CurrentProcess) { if (ProcessHandleSpecified) {
ObDereferenceObject (Process);
// // Never Returns //
PspTerminateThreadByPointer (Self, ExitStatus, TRUE); } }PsTerminateSystemThreadNtTerminateThreadPspTerminateThreadByPointerCallPspExitThreadPS_CROSS_THREAD_FLAGS_TERMINATEDKernel mode APC PsExitSpecialApcPspExitApcRundownPspExitNormalApcCurrentNon-currentPsExitSpecialApc ->PspExitThreadTRUE THREADThreadHandlePspTerminateThreadByPointerDirectTerminateTrueThreadFalseThread
PsTerminateSystemThread Thread
NtTerminateThread
    for (Thread = PsGetNextProcessThread (Process, NULL);
         Thread != NULL;
         Thread = PsGetNextProcessThread (Process, Thread)) {
        st = STATUS_SUCCESS;
        if (Thread != Self) {
            PspTerminateThreadByPointer (Thread, ExitStatus, FALSE);
        }
    }

NtTerminateThread -> Call PspTerminateThreadByPointer -> PspExitThread (PS_CROSS_THREAD_FLAGS_TERMINATED)
Current / Non-current: PsExitSpecialApc -> PspExitThread
Kernel mode APC: PsExitSpecialApc, PspExitApcRundown, PspExitNormalApc
FALSE THREAD
    Thread = PsGetNextProcessThread (Process, NULL);    PROCESS THREAD
    Thread != NULL;                                      PROCESS THREAD
    Thread = PsGetNextProcessThread (Process, Thread)   PROCESS THREAD
NtTerminateThread Call Thread

PsTerminateSystemThread
    {
        PETHREAD Thread = PsGetCurrentThread();
        if (!IS_SYSTEM_THREAD (Thread)) {
            return STATUS_INVALID_PARAMETER;
        }
        return PspTerminateThreadByPointer (Thread, ExitStatus, TRUE);
    }
PsTerminateSystemThreadPspTerminateThreadByPointerPspExitThreadPS_CROSS_THREAD_FLAGS_TERMINATEDCurrentNon-currentPsExitSpecialApc ->PspExitThreadKernel mode APC PsExitSpecialApcPspExitApcRundownPspExitNormalApcIS_SYSTEM_THREAD (Thread) THREAD STATUS_INVALID_PARAMETER
PspTerminateThreadByPointer
86CurrentNon-currentThread87PspTerminateThreadByPointerif (DirectTerminate && Thread == PsGetCurrentThread()) {
ASSERT (KeGetCurrentIrql() < APC_LEVEL);
PS_SET_BITS (&Thread->CrossThreadFlags, PS_CROSS_THREAD_FLAGS_TERMINATED);
PspExitThread (ExitStatus);
// Never Returns }PsTerminateSystemThreadNtTerminateThreadCallPspTerminateThreadByPointerPspExitThreadPS_CROSS_THREAD_FLAGS_TERMINATEDPsExitSpecialApc ->PspExitThreadKernel mode APC PsExitSpecialApcPspExitApcRundownPspExitNormalApcDirectTerminate = TRUE
PspTerminateThreadByPointer PS_SET_BITSFLAGPspExitThread THREAD
ThreadPS_CROSS_THREAD_FLAGS_TERMINATEDPspExitThreadThread
PspExitThread  PS_CROSS_THREAD_FLAGS_TERMINATED  Thread
PspTerminateThreadByPointer
    KeInitializeApc (ExitApc,
                     PsGetKernelThread (Thread),
                     OriginalApcEnvironment,
                     PsExitSpecialApc,
                     PspExitApcRundown,
                     PspExitNormalApc,
                     KernelMode,
                     ULongToPtr (ExitStatus));

PsTerminateSystemThread / NtTerminateThread -> Call PspTerminateThreadByPointer
Current / Non-current: PsExitSpecialApc -> PspExitThread
Kernel mode APC: PsExitSpecialApc, PspExitApcRundown, PspExitNormalApc
DirectTerminate = FALSE
    // Cross thread deletion of system threads won't work.
APC: PsExitSpecialApc -> 656 -> PspExitThread
ThreadThreadkernel APCPsExitSpecialApcPspExitApcRundownPspExitNormalApc(CH5)
88Thread89PspExitThreadThread = PsGetCurrentThread();Process = THREAD_TO_PROCESS(Thread);if (Process != PsGetCurrentProcessByThread (Thread))PoRundownThread(Thread);PROCESSTHREADTHREADPROCESS89Thread90PERFINFO_THREAD_DELETE(Thread);if(PspCreateThreadNotifyRoutineCount != 0)Process->ActiveThreads--;if (Process->ActiveThreads == 0)THREADTHREAD - 13. PROCESSTHREADTHREAD
90Thread91if (Process->DebugPort != NULL)if (KD_DEBUGGER_ENABLED)91Thread92TerminationPortLpcRequestPort (TerminationPort->Port, (PPORT_MESSAGE)&CdMsg);LpcRequestPort (Process->ExceptionPort, (PPORT_MESSAGE)&CdMsg);if (Thread->Tcb.Win32Thread) { (PspW32ThreadCallout) (Thread, PsW32ThreadCalloutExit);}THREADExceptionPortWINTHREAD92Thread93if (LastThread && Process->Win32Process) {(PspW32ProcessCallout) (Process, FALSE);}IoCancelThreadIo (Thread);ExTimerRundown ();THREADWINI/O THREADTIMER93Thread95Thread->ExitStatus = ExitStatus;KeQuerySystemTime (&Thread->ExitTime);if (LastThread) PspExitProcess (TRUE, Process);KeForceResumeThread (&Thread->Tcb);
THREADPspExitProcessTHREADAPCTcb = thread control blockTHREAD95Thread96KeFlushQueueApc (&Thread->Tcb, UserMode);if (Apc->RundownRoutine) {(Apc->RundownRoutine) (Apc);} else {ExFreePool (Apc);}if (LastThread) {MmCleanProcessAddressSpace (Process);}USER APC(RundownRountine)APCPROCESSTHREADPROCESSTEB = ?96Thread97KeTerminateThread (0L);Thread->Header.SignalState = TRUE;Thread->State = Terminated;KeTerminateThreadTHREAD97Process98NtTerminateProcess
PspTerminateThreadByPointer (Thread, ExitStatus, FALSE);
PspTerminateThreadByPointer (Self, ExitStatus, TRUE);NtTerminateProcessPspTerminateThreadByPointer processProcessThreadforProcessPspTerminateThreadByPointerProcessPspTerminateThreadByPointer98Process99PsTerminateProcessPsTerminateProcessProcessPspTerminateProcessPspTerminateProcessPspTerminateThreadByPointerProcessThreadProcessThreadProcessPsTerminateProcessPspTerminateProcessPspTerminateThreadByPointer993.4Windows3.4.33.4.43.4.5100100Outline1011. idle process and the idle thread of P0 processor
2. phase 0
3. phase 1
101idle process and the idle thread of P0 processor 10201InitializationPhase InitializationPhase0phase0InitializationPhase1phase1
_KiSystemStartup
1. ntldr -> P0
2. _KiSystemStartup
3. KiInitializeKernel =
4. KiInitializeKernel -> KeInitializeProcess = PROCESS, Process ID 0 (idle Process)
5. KiInitializeKernel -> KeInitializeThread = THREAD
6. KeInitializeThread -> KeInitThread: Thread
7. KeInitThread -> KeStartThread: Thread, Process 0, idle Thread
8. PROCESS, THREAD, P0
http://www.docin.com/p-26033550.html
idle process and the idle thread of P0 processor
_KiSystemStartup -> KiInitializeKernel -> KeInitializeProcess, KeInitializeThread -> KeInitThread -> KeStartThread
104phase 01051. ExpInitializeExecutivePsInitSystme2. PsInitSystmePspInitPhase03. PspInitPhase0System process1Phase1Initialization Thread. 105phase 1106Phase1InitializationDiscardPsInitSystemPspInitPhase1PspInitializeSystemDll1. Phase1InitializationDiscardPsInitSystem2. PsInitSystemPspInitPhase13. PspInitPhase1PspInitializeSystemDll=DLL(ntdll.dll)DLLAPCreturn Address.4. PspLookupKernelUserEntryPoints5. 1Threadpage 0 thread()
106ProcessThread107Idle process PsIdleProcess ID= 0System process PsInitialSystemProcess ID= 4zero page thread() idle thread (P0)1_KiSystemStartupidle threadA special thread calledzero page threadwill be created on system boot. This thread is assigned priority 0 and is the only thread in the entire system that runs at priority 0. The zero page thread is responsible for zeroing any free pages of RAM in the system when there are no other threads that need to perform work.system boot 0
RAMfree page107Workitem108System process THREADPsCreateSystemThreadProcessThreadSystem processSystem process(WORKITEM)WINTHREADDPCTHREAD( & )THREAD
108(idle loop) = KiIdleLoop1091. DPCTHREAD2. DPC(Deferred procedure call)DPCDPC3. Threadthreadthreadidle schedule flagKiIdleSchedulethread
DPC =
thread schedulerKiIdleLoopDPCthreadDPCDPCDPCthreadthreadthreadset idle schedule flag KiIdleSchedulethread
1093.5Windows3.5.13.5.23.5.33.5.4110110
(priority level) thread scheduler (Preemptive)
Windows: 32 levels
  16~31
  1~15
  0
111112Windows(task manager)
base\ntos\inc\ke.h
    typedef struct _KPROCESS {
        // (other fields omitted on the slide)
        SCHAR BasePriority;     //
    } KPROCESS, *PKPROCESS, *PRKPROCESS;

    typedef struct _KTHREAD {
        // (other fields omitted on the slide)
        SCHAR Priority;         //
        SCHAR BasePriority;     //
    } KTHREAD, *PKTHREAD, *PRKTHREAD;
    FORCEINLINE
    SCHAR
    KiComputeNewPriority (
        IN PKTHREAD Thread,
        IN SCHAR Adjustment
        )
    {
        SCHAR Priority;

        /* */
        ASSERT((Thread->PriorityDecrement >= 0) && (Thread->PriorityDecrement <= Thread->Priority));
        ASSERT((Thread->Priority < LOW_REALTIME_PRIORITY) ? TRUE : (Thread->PriorityDecrement == 0));

        /* */
        Priority = Thread->Priority;
        if (Priority < LOW_REALTIME_PRIORITY) {
            /* */
            Priority = Priority - Thread->PriorityDecrement - Adjustment;
            /* base priority */
            if (Priority < Thread->BasePriority) {
                Priority = Thread->BasePriority;
            }
            Thread->PriorityDecrement = 0;
        }
        ASSERT((Thread->BasePriority == 0) || (Priority != 0));
        return Priority;
    }

(16~31)
Windows

    Realtime        24
    High            13
    Above Normal    10
    Normal           8
    Below Normal     6
    Low              4

ntpsapi.h (public\sdk\inc\)
    #define PROCESS_PRIORITY_CLASS_UNKNOWN      0
    #define PROCESS_PRIORITY_CLASS_IDLE         1
    #define PROCESS_PRIORITY_CLASS_NORMAL       2
    #define PROCESS_PRIORITY_CLASS_HIGH         3
    #define PROCESS_PRIORITY_CLASS_REALTIME     4
    #define PROCESS_PRIORITY_CLASS_BELOW_NORMAL 5
    #define PROCESS_PRIORITY_CLASS_ABOVE_NORMAL 6

psquery.c (base\ntos\ps\psquery.c)
    const KPRIORITY PspPriorityTable[PROCESS_PRIORITY_CLASS_ABOVE_NORMAL+1] = {8,4,8,13,24,6,10};

I/O 4 15 (priority inversion)

3.5 Windows 3.5.1 3.5.2 3.5.3 3.5.4

KTHREAD STATE
    typedef enum _KTHREAD_STATE {
        Initialized,    //
        Ready,          //
        Running,        //
        Standby,        //
        Terminated,     //
        Waiting,        //
        Transition,     //
        DeferredReady,  //
        GateWait        //
    } KTHREAD_STATE;
1443.5Windows3.5.13.5.23.5.33.5.4145145 Quantum146ThreadKTHREAD (Kernel Thread)Quantum: threadQuantumReset: threadQuantumReset636146QuantumReset Quantum decrement147Quantum decrementCLOCK_QUANTUM_DECREMENTCLOCK Quantum3WAIT_QUANTUM_DECREMENTthreadQuantum1Quantum0ThreadQuantumResetthreadclockQuantumQuantumQuantumReset147Windows 148Threadpriority: :Thread object AdjustReason AdjustBoostThreadQuantumServerthread148Windows Thread149
PspInitPhase0( )PsChangeQuantumTable( )PspVaribleQuantums[6]PspFixedQuantums[6]PspComputeQuantumAndPriority( )PspForegroundQuantum[3]PspCreateProcess( )callWin32PrioritySeparationQuantumcallAssignPspForegroundQuantum[3] 41149Server(XP,WIN7)PspForegroundQuantum[3]Server : {36, 36, 36}Client: {6, 12, 18}Win32PrioritySeparation2Server: Thread QuantumReset36Client: Thread QuantumReset18 Thread QuantumReset63.5Windows3.5.13.5.23.5.33.5.4151151?152KiProcessorBlockKPRCBKiIdleSummary32KiIdleSummary32(DWORD)32
152KiIdleSummary153KiSetIdleSummaryKiIdleSummaryKiClearIdleSummaryKiIdleSummary/base/ntos/ke/ki.h
KiDeferredReadyThreadKiClearIdleSummary153KiIdleSummary/base/ntos/ke/ki.hKiSetIdleSummaryKiIdleSummaryKiClearIdleSummaryKiIdleSummaryKiDeferredReadyThreadKiClearIdleSummary
KiSetIdleSummary:
    #if defined(NT_UP)
        KiIdleSummary |= Mask;
    #else
    #if defined(_X86_)
        InterlockedOr((volatile LONG *)&KiIdleSummary, (LONG)Mask);
    #else
        InterlockedOr64((volatile LONG64 *)&KiIdleSummary, (LONG64)Mask);
    #endif
    #endif

KiDeferredReadyThread:
    Thread->State = Standby;
    Thread->NextProcessor = (UCHAR)Processor;
    KiClearIdleSummary(AFFINITY_MASK(Processor));
    TargetPrcb->NextThread = Thread;

KiClearIdleSummary:
    #if defined(NT_UP)
        KiIdleSummary &= ~Mask;
    #else
    #if defined(_X86_)
        InterlockedAnd((volatile LONG *)&KiIdleSummary, ~(LONG)Mask);
    #else
        InterlockedAnd64((volatile LONG64 *)&KiIdleSummary, ~(LONG64)Mask);
    #endif
    #endif

KPRCB
ReadySummary: ReadySummary, DispatcherReadyListHead, KiSelectReadyThread, KiFindReadyThread; DeferredReadyListHead, KiDeferredReadyThread
This function readies a thread for execution and attempts to dispatch the thread for execution by either assigning the thread to an idle processor or preempting another lower priority thread.
(KeDelayExecutionThread, KeWaitForSingleObject, KeWaitForMultipleObjects):
KiSwapThread (base\ntos\ke\thredsup.c):

LONG_PTR
FASTCALL
KiSwapThread (
    IN PKTHREAD OldThread,
    IN PKPRCB CurrentPrcb
    )

KPRCB NextThread:

    if (CurrentPrcb->NextThread != NULL) {
        CurrentPrcb->CurrentThread = NewThread;
        NewThread->State = Running;
    }

NextThread, DispatcherReadyListHead:

    if ((NewThread = KiSelectReadyThread(0, CurrentPrcb)) != NULL) {
        CurrentPrcb->CurrentThread = NewThread;
        NewThread->State = Running;
    } else {
        // no ready thread: this processor becomes idle
        KiSetIdleSummary(CurrentPrcb->SetMember);
    }
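The KiIdleSummary bitmask and the ReadySummary/ready-list selection used by the KiSetIdleSummary, KiClearIdleSummary and KiSwapThread fragments above, modelled in user-mode C as an added example (this is not code from the slides or from the WRK): C11 atomics replace InterlockedOr/InterlockedAnd, per-priority ready lists with a summary bit scan stand in for KiSelectReadyThread, and every name prefixed model_ is invented for the illustration.

```c
/* Added example, not code from the slides or the WRK: a user-mode model of the
 * KiIdleSummary / ReadySummary bookkeeping. C11 atomics stand in for
 * InterlockedOr/InterlockedAnd; every model_* name is invented here. */
#include <stdatomic.h>
#include <stdint.h>
#include <stdio.h>

#define MODEL_PRIORITY_LEVELS 32   /* one ready list per priority 0..31 */

typedef struct model_thread {
    int priority;
    struct model_thread *next;      /* link in a per-priority ready list */
} model_thread;

typedef struct model_prcb {
    uint32_t ready_summary;         /* bit n set <=> ready list n is non-empty */
    model_thread *dispatcher_ready_list[MODEL_PRIORITY_LEVELS];
    model_thread *next_thread;      /* Standby thread chosen for this processor */
} model_prcb;

/* Global idle mask, like KiIdleSummary: bit p set <=> processor p is idle. */
static _Atomic uint32_t model_idle_summary;

/* KiSetIdleSummary / KiClearIdleSummary, with atomics instead of InterlockedOr/And. */
void model_set_idle_summary(uint32_t mask)   { atomic_fetch_or(&model_idle_summary, mask); }
void model_clear_idle_summary(uint32_t mask) { atomic_fetch_and(&model_idle_summary, ~mask); }
uint32_t model_get_idle_summary(void)        { return atomic_load(&model_idle_summary); }

/* Append a thread to the ready list for its priority and set the summary bit. */
void model_queue_ready_thread(model_prcb *prcb, model_thread *t) {
    model_thread **link = &prcb->dispatcher_ready_list[t->priority];
    while (*link != NULL) link = &(*link)->next;   /* FIFO within one priority */
    t->next = NULL;
    *link = t;
    prcb->ready_summary |= 1u << t->priority;
}

/* Like KiSelectReadyThread: dequeue the head of the highest non-empty ready list
 * at or above low_priority, clearing the summary bit when that list empties. */
model_thread *model_select_ready_thread(model_prcb *prcb, int low_priority) {
    uint32_t summary = prcb->ready_summary & ~((1u << low_priority) - 1u);
    if (summary == 0) return NULL;
    int prio = MODEL_PRIORITY_LEVELS - 1;
    while ((summary & (1u << prio)) == 0) prio--;   /* scan for the highest set bit */
    model_thread *t = prcb->dispatcher_ready_list[prio];
    prcb->dispatcher_ready_list[prio] = t->next;
    if (prcb->dispatcher_ready_list[prio] == NULL) prcb->ready_summary &= ~(1u << prio);
    t->next = NULL;
    return t;
}

/* Like the KiSwapThread fragment: run NextThread if one is in Standby, otherwise
 * the best ready thread, otherwise mark this processor idle and return NULL. */
model_thread *model_swap_thread(model_prcb *prcb, int processor) {
    model_thread *t = prcb->next_thread;
    if (t != NULL) { prcb->next_thread = NULL; return t; }
    t = model_select_ready_thread(prcb, 0);
    if (t != NULL) return t;
    model_set_idle_summary(1u << processor);
    return NULL;
}

/* Walk one constructed scenario on processor 3; returns 0 when every step behaves
 * as expected, otherwise the number of the first failing step. */
int model_demo(void) {
    model_prcb prcb = {0};
    model_thread a = {8, NULL}, b = {15, NULL}, c = {8, NULL}, s = {4, NULL};
    model_queue_ready_thread(&prcb, &a);
    model_queue_ready_thread(&prcb, &b);
    model_queue_ready_thread(&prcb, &c);
    if (prcb.ready_summary != ((1u << 8) | (1u << 15))) return 1;
    prcb.next_thread = &s;                            /* a Standby thread wins even at priority 4 */
    if (model_swap_thread(&prcb, 3) != &s) return 2;
    if (model_swap_thread(&prcb, 3) != &b) return 3;  /* then the highest ready priority */
    if (model_swap_thread(&prcb, 3) != &a) return 4;  /* FIFO order inside priority 8 */
    if (model_swap_thread(&prcb, 3) != &c) return 5;
    if (prcb.ready_summary != 0) return 6;
    if (model_swap_thread(&prcb, 3) != NULL) return 7; /* nothing left: go idle */
    if ((model_get_idle_summary() & (1u << 3)) == 0) return 8;
    model_clear_idle_summary(1u << 3);                /* what KiDeferredReadyThread does on dispatch */
    if ((model_get_idle_summary() & (1u << 3)) != 0) return 9;
    return 0;
}

int main(void) {
    int rc = model_demo();
    printf("model_demo: %s (%d)\n", rc == 0 ? "ok" : "failed at step", rc);
    return rc;
}
```

The model keeps one detail the fragments rely on: the idle mask is shared across processors and is updated atomically, while each ready summary is private to its KPRCB and is updated under that processor's lock (here, by a single thread).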
KiSwapThread callers: KeWaitForGate, KeTerminateThread -> KiSwapThread; KeRemoveQueue -> KiSwapThread; KiAttachProcess
KiSwapThread 3. Thread KeTerminateThread
KiSwapThread -> KiSwapContext (base\ntos\ke\i386\ctxswap.asm)
        sub     esp, 4*4                        ;
        mov     [esp+12], ebx                   ; save registers
        mov     [esp+8], esi                    ;
        mov     [esp+4], edi                    ;
        mov     [esp+0], ebp                    ;
        mov     ebx, PCR[PcSelfPcr]             ; set address of PCR
        mov     edi, ecx                        ; set old thread address
        mov     esi, edx                        ; set next thread address
        movzx   ecx, byte ptr [edi].ThWaitIrql  ; set APC interrupt bypass disable
        call    SwapContext                     ; swap context
        mov     ebp, [esp+0]                    ; restore registers
        mov     edi, [esp+4]                    ;
        mov     esi, [esp+8]                    ;
        mov     ebx, [esp+12]                   ;
        add     esp, 4*4                        ;
KiDeferredReadyThread (Base\ntos\ke\thredsup.c):

    if ((Thread1 = TargetPrcb->NextThread) != NULL) {
        ASSERT(Thread1->State == Standby);
        if (ThreadPriority > Thread1->Priority) {
            Thread1->Preempted = TRUE;
            Thread->State = Standby;
            TargetPrcb->NextThread = Thread;
            Thread1->State = DeferredReady;
            Thread1->DeferredProcessor = CurrentPrcb->Number;
            KiReleaseTwoPrcbLocks(CurrentPrcb, TargetPrcb);
            KiDeferredReadyThread(Thread1);
            return;
        }
    }

KiDispatchInterrupt: KiDispatchInterrupt DISPATCH_LEVEL DPC (Base\ntos\ke\i386\ctxswap.asm)
KiDispatchInterrupt: DPC, KiQuantumEnd, KPRCB NextThread, KPRCB QuantumEnd, DPC
KiRetireDpcList: DPC
KPRCB QuantumEnd: clock interrupt, KeUpdateRunTime
KiQuantumEnd
KPRCB NextThread: Thread
KiDispatchInterrupt (QuantumEnd 0):

kdi40:  sti                                             ; enable interrupts
        cmp     byte ptr [ebx].PcPrcbData.PbQuantumEnd, 0 ; quantum end requested
        jne     kdi90                                   ; if neq, quantum end request

KPRCB next thread:

        cmp     dword ptr [ebx].PcPrcbData.PbNextThread, 0 ; check if next thread
        je      kdi70                                   ; if eq, then no new thread

kdi70:  stdRET  _KiDispatchInterrupt                    ; return

kdi90:  mov     byte ptr [ebx].PcPrcbData.PbQuantumEnd, 0 ; clear quantum end indicator
        stdCall _KiQuantumEnd                           ; process quantum end
        stdRET  _KiDispatchInterrupt                    ; return

KiExitDispatcher (Base\ntos\ke\waitsup.c): KiExitDispatcher?
    if (OldIrql < DISPATCH_LEVEL) {
        if (Prcb->NextThread != NULL) {

            //
            // If there is a new thread selected for execution, then switch
            // context to the new thread.
            //

            KiAcquirePrcbLock(Prcb);
            NewThread = Prcb->NextThread;
            CurrentThread = Prcb->CurrentThread;
            KiSetContextSwapBusy(CurrentThread);
            Prcb->NextThread = NULL;
            Prcb->CurrentThread = NewThread;
            NewThread->State = Running;
            KxQueueReadyThread(CurrentThread, Prcb);
            CurrentThread->WaitIrql = OldIrql;
            Pending = KiSwapContext(CurrentThread, NewThread);
            if (Pending != FALSE) {
                KeLowerIrql(APC_LEVEL);
                KiDeliverApc(KernelMode, NULL, NULL);
                ASSERT(OldIrql == 0);
            }
        }
    } else if ((Prcb->NextThread != NULL) && (Prcb->DpcRoutineActive == FALSE)) {
        KiRequestSoftwareInterrupt(DISPATCH_LEVEL);
    }

    KeLowerIrql(OldIrql);
    return;
KiSwapThread -> KiSwapContext -> SwapContext (base\ntos\ke\i386\ctxswap.asm)
SwapContext:
1. SwapBusy
2. +1
3.
4.
5. KTHREAD KernelStack
6. CR0 CR0 CR0
7.
8. ActiveProcessors CR3 LDT LDT IDT INT 21
9. SwapBusy
10. KPRCB TEB TEB GDT TEB TEB
11. TSS Esp0
12. IOPM
13. +1
14.
15. DPC BugCheck
16. APC HalRequestSoftwareInterrupt APC_LEVEL

3.6 3.6.1 ProcMon 3.6.2 ProcMon

3.6.1 Windows ProcMon or CPU
3.6.1 ProcMon 3.6.2 ProcMon
3.6.1 ProcMon: Windows Server 2003
CPU ready queue or deferred queue
CPU
ProcMon: Windows XP / Server 2003 / Vista / Server 2008 / 7 or ProcMon KMonDrv.sys kernel
or
1.
2. CPU
3. Running threads: CPU
4. Dispatcher Ready Queue: CPU ready queue or deferred ready queue
5.

3.6 3.6.1 ProcMon 3.6.2 ProcMon

3.6.2 ProcMon: user mode ProcMon.exe, KMonDrv.sys; MFC ProcMon.exe register 1 timer WM_TIMER; ProcMon WM_TIMER, thread
KMonDrv: Windows KMonDrv CPU, ready queue & deferred ready queue; KMonDrv ProcMon 1.
KMonDrv (1/3): CPU KPRCB, timer; 1. Timer 2. code thread Kernel's Processor Control Block (KPRCB) ntddk.h 3.
KMonDrv (2/3): timer DISPATCH_LEVEL CPU KPRCB; KPRCB spin lock (PrcbLock); CurrentThread, NextThread, DispatcherReadyListHead, DeferredReadyListHead; CLIENT_ID. Dispatch_level: Interrupt, Interrupt IRQL, Processor IRQL setting; Interrupt IRQL, Processor IRQL setting; Interrupt IRQL; KeGetCurrentIrql() system routine, Processor IRQL

Software IRQL (Interrupt Request Level, IRQL):
PASSIVE_LEVEL   0   // Passive release level
LOW_LEVEL       0   // Lowest interrupt level
APC_LEVEL       1   // APC interrupt level
DISPATCH_LEVEL  2   // Dispatch level
2. Running Threads, Dispatcher Ready Queue
KMonDrv (3/3): ProcMon, KMonDrv; Windows I/O (I/O); KMonDrv buffer, ProcMon buffer, KMonDrv buffer
ProcMon: (polling) timer. Example (a ETW provider): Cswitch: CPU; Ready Thread: WRK. Example: thread thread, KMonDrv timer thread. ETW: Event Tracing for Windows. WRK: http://nokyo.blogbus.com/logs/33016889.html

3.7 Windows: Windows & Windows

Chapter 4 Windows

CPU OS, Windows
1. CPU, CPU, CPU
2.
3.
4.
5. Windows

4.1 4.1.1 4.1.2 4.1.3 4.1.4 Windows

4.1 (memory): (Intel x86) (Physical Address) (Linear Address) (Logical Address)
CPU, CPU: CPU, : CPU
32bit or 36bit unsigned integer
unsigned integer 32bit, 4GB; Intel x86
= + (segment) (offset); Intel x86
A A
[Figure: KiProcessorBlock[] array of KPRCB entries (1, 2, ..., 8, 9, 10, ...); each KPRCB holds ReadySummary, DeferredReadyListHead and DispatcherReadyListHead; global KiIdleSummary; scheduler routines KiSwapThread, KiDispatchInterrupt, SwapContext]