WinDbg (3): Overview of Windows system components: kernel and HAL modules, the System process, other kernel-space modules, NTDLL.DLL, environment subsystems, native processes

Overview

Kernel space

  1. Hardware abstraction layer (HAL)
  2. Operating system kernel
  3. Executive
  4. Kernel-mode drivers
  5. Windows subsystem driver
  6. Kernel support modules

User space

  1. Session Manager process (SMSS.EXE)
  2. Windows subsystem server process (CSRSS.EXE)
  3. Logon process (WinLogon.EXE)
  4. Local security and authentication process (LSASS.EXE)
  5. Service management process (SERVICES.EXE)
  6. OS/2 subsystem and POSIX subsystem server processes
  7. Shell program, Explorer.exe by default

Kernel and HAL modules

Kernel file

NTOSKRNL.EXE is the kernel image file

HAL

Hardware abstraction layer module
The interrupt request level (IRQL) is an important mechanism inside the kernel

Idle process

The System process and the Idle process
The NT kernel creates the Idle process when it boots
Viewing the Idle process:

```
6: kd> !prcb
PRCB for Processor 6 at ffffb800fcbe1180:
Current IRQL -- 13
Threads--  Current ffff84898fe7f480 Next ffff8489821f5700 Idle ffffb800fcbf1200
Processor Index 6 Number (0, 6) GroupSetMember 40
Interrupt Count -- 0000e351
Times -- Dpc    00000027 Interrupt 00000001
         Kernel 0000059f User      00000018
```
```
6: kd> !thread ffffb800fcbf1200
THREAD ffffb800fcbf1200  Cid 0000.0000  Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 6
Not impersonating
DeviceMap                 ffffe18f2b818ad0
Owning Process            fffff800064679c0       Image:         Idle
Attached Process          ffff84898203c440       Image:         System
Wait Start TickCount      749            Ticks: 757 (0:00:00:11.828)
Context Switch Count      7923           IdealProcessor: 6
UserTime                  00:00:00.000
KernelTime                00:00:07.500
Win32 Start Address nt!KiIdleLoop (0xfffff800061acd70)
Stack Init ffff97895527fb90 Current ffff97895527fb20
Base ffff978955280000 Limit ffff978955279000 Call 0000000000000000
Priority 0 BasePriority 0 PriorityDecrement 0 IoPriority 0 PagePriority 0
Child-SP          RetAddr           : Args to Child                                                           : Call Site
ffff9789`5527fb60 00000000`00000000 : ffff9789`55280000 ffff9789`55279000 00000000`00000000 00000000`00000000 : nt!KiIdleLoop+0x11d
```

The process ID (Cid) field of the Idle process is empty (0000)
Use !process to inspect the Idle process:

```
6: kd> !process fffff800064679c0
PROCESS fffff800064679c0
    SessionId: none  Cid: 0000    Peb: 00000000  ParentCid: 0000
    DirBase: 001ad002  ObjectTable: ffffe18f2b814040  HandleCount: 2564.
    Image: Idle
    VadRoot ffff848982059eb0 Vads 1 Clone 0 Private 8. Modified 2029. Locked 0.
    DeviceMap 0000000000000000
    Token                             ffffe18f2b817040
    ElapsedTime                       00:00:19.992
    UserTime                          00:00:00.000
    KernelTime                        00:00:00.000
    QuotaPoolUsage[PagedPool]         0
    QuotaPoolUsage[NonPagedPool]      136
    Working Set Sizes (now,min,max)  (8, 50, 450) (32KB, 200KB, 1800KB)
    PeakWorkingSetSize                2
    VirtualSize                       0 Mb
    PeakVirtualSize                   0 Mb
    PageFaultCount                    8
    MemoryPriority                    BACKGROUND
    BasePriority                      0
    CommitCharge                      13

        THREAD fffff8000646a400  Cid 0000.0000  Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 0
        Not impersonating
        DeviceMap                 ffffe18f2b818ad0
        Owning Process            fffff800064679c0       Image:         Idle
        Attached Process          ffff84898203c440       Image:         System
        Wait Start TickCount      369            Ticks: 1137 (0:00:00:17.765)
        Context Switch Count      7836           IdealProcessor: 0
        UserTime                  00:00:00.000
        KernelTime                00:00:07.750
        Win32 Start Address nt!KiIdleLoop (0xfffff800061acd70)
        Stack Init fffff80008fe0b90 Current fffff80008fe0b20
        Base fffff80008fe1000 Limit fffff80008fda000 Call 0000000000000000
        Priority 0 BasePriority 0 PriorityDecrement 0 IoPriority 0 PagePriority 5
        Child-SP          RetAddr           Call Site
        fffff800`08fe0b60 00000000`00000000 nt!KiIdleLoop+0x11d

        THREAD ffffb800fd171200  Cid 0000.0000  Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 1
        Not impersonating
        DeviceMap                 ffffe18f2b818ad0
        Owning Process            fffff800064679c0       Image:         Idle
        Attached Process          ffff84898203c440       Image:         System
        Wait Start TickCount      0              Ticks: 1506 (0:00:00:23.531)
        Context Switch Count      5128           IdealProcessor: 1
        UserTime                  00:00:00.000
        KernelTime                00:00:10.250
        Win32 Start Address nt!KiIdleLoop (0xfffff800061acd70)
        Stack Init ffff97895522fb90 Current ffff97895522fb20
        Base ffff978955230000 Limit ffff978955229000 Call 0000000000000000
        Priority 0 BasePriority 0 PriorityDecrement 0 IoPriority 0 PagePriority 0
        Child-SP          RetAddr           Call Site
        ffff9789`5522fb60 00000000`00000000 nt!KiIdleLoop+0x11d

        THREAD ffffb800fce34200  Cid 0000.0000  Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 2
        Not impersonating
        DeviceMap                 ffffe18f2b818ad0
        Owning Process            fffff800064679c0       Image:         Idle
        Attached Process          ffff84898203c440       Image:         System
        Wait Start TickCount      0              Ticks: 1506 (0:00:00:23.531)
        Context Switch Count      12204          IdealProcessor: 2
        UserTime                  00:00:00.000
        KernelTime                00:00:09.406
        Win32 Start Address nt!KiIdleLoop (0xfffff800061acd70)
        Stack Init ffff97895523fb90 Current ffff97895523fb20
        Base ffff978955240000 Limit ffff978955239000 Call 0000000000000000
        Priority 0 BasePriority 0 PriorityDecrement 0 IoPriority 0 PagePriority 0
        Child-SP          RetAddr           Call Site
        ffff9789`5523fb60 00000000`00000000 nt!KiIdleLoop+0x11d

        THREAD ffffb800fce90200  Cid 0000.0000  Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 3
        Not impersonating
        DeviceMap                 ffffe18f2b818ad0
        Owning Process            fffff800064679c0       Image:         Idle
        Attached Process          ffff84898203c440       Image:         System
        Wait Start TickCount      0              Ticks: 1506 (0:00:00:23.531)
        Context Switch Count      7466           IdealProcessor: 3
        UserTime                  00:00:00.000
        KernelTime                00:00:10.312
        Win32 Start Address nt!KiIdleLoop (0xfffff800061acd70)
        Stack Init ffff97895524fb90 Current ffff97895524fb20
        Base ffff978955250000 Limit ffff978955249000 Call 0000000000000000
        Priority 0 BasePriority 0 PriorityDecrement 0 IoPriority 0 PagePriority 0
        Child-SP          RetAddr           Call Site
        ffff9789`5524fb60 00000000`00000000 nt!KiIdleLoop+0x11d

        THREAD ffffb800fd2d0200  Cid 0000.0000  Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 4
        Not impersonating
        DeviceMap                 ffffe18f2b818ad0
        Owning Process            fffff800064679c0       Image:         Idle
        Attached Process          ffff84898203c440       Image:         System
        Wait Start TickCount      0              Ticks: 1506 (0:00:00:23.531)
        Context Switch Count      10814          IdealProcessor: 4
        UserTime                  00:00:00.000
        KernelTime                00:00:08.421
        Win32 Start Address nt!KiIdleLoop (0xfffff800061acd70)
        Stack Init ffff97895525fb90 Current ffff97895525fb20
        Base ffff978955260000 Limit ffff978955259000 Call 0000000000000000
        Priority 0 BasePriority 0 PriorityDecrement 0 IoPriority 0 PagePriority 0
        Child-SP          RetAddr           Call Site
        ffff9789`5525fb60 00000000`00000000 nt!KiIdleLoop+0x11d

        THREAD ffffb800fd36b200  Cid 0000.0000  Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 5
        Not impersonating
        DeviceMap                 ffffe18f2b818ad0
        Owning Process            fffff800064679c0       Image:         Idle
        Attached Process          ffff84898203c440       Image:         System
        Wait Start TickCount      0              Ticks: 1506 (0:00:00:23.531)
        Context Switch Count      7707           IdealProcessor: 5
        UserTime                  00:00:00.000
        KernelTime                00:00:08.437
        Win32 Start Address nt!KiIdleLoop (0xfffff800061acd70)
        Stack Init ffff97895526fb90 Current ffff97895526fb20
        Base ffff978955270000 Limit ffff978955269000 Call 0000000000000000
        Priority 0 BasePriority 0 PriorityDecrement 0 IoPriority 0 PagePriority 0
        Child-SP          RetAddr           Call Site
        ffff9789`5526fb60 00000000`00000000 nt!KiIdleLoop+0x11d

        THREAD ffffb800fcbf1200  Cid 0000.0000  Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 6
        Not impersonating
        DeviceMap                 ffffe18f2b818ad0
        Owning Process            fffff800064679c0       Image:         Idle
        Attached Process          ffff84898203c440       Image:         System
        Wait Start TickCount      749            Ticks: 757 (0:00:00:11.828)
        Context Switch Count      7923           IdealProcessor: 6
        UserTime                  00:00:00.000
        KernelTime                00:00:07.500
        Win32 Start Address nt!KiIdleLoop (0xfffff800061acd70)
        Stack Init ffff97895527fb90 Current ffff97895527fb20
        Base ffff978955280000 Limit ffff978955279000 Call 0000000000000000
        Priority 0 BasePriority 0 PriorityDecrement 0 IoPriority 0 PagePriority 0
        Child-SP          RetAddr           Call Site
        ffff9789`5527fb60 00000000`00000000 nt!KiIdleLoop+0x11d

        THREAD ffffb800fd490200  Cid 0000.0000  Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 7
        Not impersonating
        DeviceMap                 ffffe18f2b818ad0
        Owning Process            fffff800064679c0       Image:         Idle
        Attached Process          ffff84898203c440       Image:         System
        Wait Start TickCount      571            Ticks: 935 (0:00:00:14.609)
        Context Switch Count      4978           IdealProcessor: 7
        UserTime                  00:00:00.000
        KernelTime                00:00:09.125
        Win32 Start Address nt!KiIdleLoop (0xfffff800061acd70)
        Stack Init ffff97895528fb90 Current ffff97895528fb20
        Base ffff978955290000 Limit ffff978955289000 Call 0000000000000000
        Priority 0 BasePriority 0 PriorityDecrement 0 IoPriority 0 PagePriority 0
        Child-SP          RetAddr           Call Site
        ffff9789`5528fb60 00000000`00000000 nt!KiIdleLoop+0x11d
```

System process

The System process hosts the operating system kernel and all system threads; it gives the operating system its own process address space and process object
The System process is the second process the system creates
In a kernel debugging session:

```
6: kd> !process 4 1
Searching for Process with Cid == 4
PROCESS ffff84898203c440
    SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 001ad002  ObjectTable: ffffe18f2b814040  HandleCount: 2564.
    Image: System
    VadRoot ffff84898536f560 Vads 19 Clone 0 Private 24. Modified 4622. Locked 128.
    DeviceMap ffffe18f2b818ad0
    Token                             ffffe18f2b817040
    ElapsedTime                       00:00:19.992
    UserTime                          00:00:00.000
    KernelTime                        00:00:04.406
    QuotaPoolUsage[PagedPool]         0
    QuotaPoolUsage[NonPagedPool]      136
    Working Set Sizes (now,min,max)  (255, 50, 450) (1020KB, 200KB, 1800KB)
    PeakWorkingSetSize                1090
    VirtualSize                       5 Mb
    PeakVirtualSize                   14 Mb
    PageFaultCount                    1496
    MemoryPriority                    BACKGROUND
    BasePriority                      8
    CommitCharge                      48
```
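The `!process` and `!thread` listings for the Idle and System processes above follow one fixed layout, so a saved debugger log can be parsed offline and checked mechanically. The Python below is an added example, not code from the original post: it parses a `!process` listing into a process header and its THREAD blocks, confirms the post's observation that the Idle process has Cid 0000 and image name Idle, and lists threads whose start address the debugger did not resolve to a `module!symbol` form. The sample text is constructed from the listings on this page; the third thread (address ffffb800deadbeef, start address 0xffffb800aaaa0000) is invented to exercise the unresolved case, and the assumption that an unresolved start is printed as a bare `0x...` value is mine, not the post's.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample (not the post's own dump): the Idle process header and two real
# per-processor threads from the `!process fffff800064679c0` listing above, plus one
# invented thread (ffffb800deadbeef) whose start address is printed as a bare value.
SAMPLE_IDLE = """\
6: kd> !process fffff800064679c0
PROCESS fffff800064679c0
    SessionId: none  Cid: 0000    Peb: 00000000  ParentCid: 0000
    DirBase: 001ad002  ObjectTable: ffffe18f2b814040  HandleCount: 2564.
    Image: Idle
    BasePriority                      0

        THREAD fffff8000646a400  Cid 0000.0000  Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 0
        Owning Process            fffff800064679c0       Image:         Idle
        Win32 Start Address nt!KiIdleLoop (0xfffff800061acd70)

        THREAD ffffb800fd171200  Cid 0000.0000  Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 1
        Win32 Start Address nt!KiIdleLoop (0xfffff800061acd70)

        THREAD ffffb800deadbeef  Cid 0000.0000  Teb: 0000000000000000 Win32Thread: 0000000000000000 WAIT: (Executive) KernelMode Non-Alertable
        Win32 Start Address 0xffffb800aaaa0000
"""

# Constructed sample: the first lines of the `!process 4 1` listing above (System process).
SAMPLE_SYSTEM = """\
6: kd> !process 4 1
Searching for Process with Cid == 4
PROCESS ffff84898203c440
    SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    Image: System
"""

@dataclass
class Thread:
    address: str                        # ETHREAD address
    tid: int                            # thread id half of "Cid pid.tid"
    state: str                          # e.g. "RUNNING on processor 0"
    start_symbol: Optional[str] = None  # "nt!KiIdleLoop"; None when no module!symbol was printed
    start_address: Optional[int] = None

@dataclass
class Process:
    address: str                        # EPROCESS address
    pid: int = 0
    parent_pid: int = 0
    image: str = ""
    threads: List[Thread] = field(default_factory=list)

_PROCESS_RE = re.compile(r"^\s*PROCESS\s+([0-9a-f]+)\s*$", re.I)
_CID_RE = re.compile(r"\bCid:\s*([0-9a-f]+)\s+Peb:\s*[0-9a-f]+\s+ParentCid:\s*([0-9a-f]+)", re.I)
_IMAGE_RE = re.compile(r"^\s*Image:\s*(\S+)")
_THREAD_RE = re.compile(r"^\s*THREAD\s+([0-9a-f]+)\s+Cid\s+[0-9a-f]+\.([0-9a-f]+)"
                        r"\s+Teb:\s*[0-9a-f]+\s+Win32Thread:\s*[0-9a-f]+\s+(.*?)\s*$", re.I)
_START_SYM_RE = re.compile(r"^\s*Win32 Start Address\s+(\S+)\s+\(0x([0-9a-f]+)\)", re.I)
# Assumed form of a start address the debugger could not map to a symbol.
_START_RAW_RE = re.compile(r"^\s*Win32 Start Address\s+0x([0-9a-f]+)\s*$", re.I)

def parse_process(text: str) -> Optional[Process]:
    """Parse one `!process` listing (header plus any THREAD blocks) from saved debugger output."""
    proc: Optional[Process] = None
    thread: Optional[Thread] = None
    for line in text.splitlines():
        m = _PROCESS_RE.match(line)
        if m:
            proc, thread = Process(address=m.group(1)), None
            continue
        if proc is None:
            continue                      # prompt and "Searching for ..." lines before the header
        if thread is None:                # header fields only before the first THREAD block
            m = _CID_RE.search(line)
            if m:
                proc.pid, proc.parent_pid = int(m.group(1), 16), int(m.group(2), 16)
                continue
            m = _IMAGE_RE.match(line)
            if m:
                proc.image = m.group(1)
                continue
        m = _THREAD_RE.match(line)
        if m:
            thread = Thread(address=m.group(1), tid=int(m.group(2), 16), state=m.group(3))
            proc.threads.append(thread)
            continue
        if thread is not None:
            m = _START_SYM_RE.match(line)
            if m:
                thread.start_symbol, thread.start_address = m.group(1), int(m.group(2), 16)
                continue
            m = _START_RAW_RE.match(line)
            if m:
                thread.start_address = int(m.group(1), 16)
    return proc

def is_idle_process(proc: Process) -> bool:
    """The post's observation: the Idle process has Cid 0000 and image name Idle."""
    return proc.pid == 0 and proc.image == "Idle"

def unresolved_start_threads(proc: Process) -> List[Thread]:
    """Threads with no module!symbol start address; in a System-process dump these deserve a second look."""
    return [t for t in proc.threads if t.start_symbol is None]

if __name__ == "__main__":
    for p in (parse_process(SAMPLE_IDLE), parse_process(SAMPLE_SYSTEM)):
        print(f"{p.image}: pid={p.pid} parent={p.parent_pid} threads={len(p.threads)} "
              f"unresolved={[t.address for t in unresolved_start_threads(p)]}")
```

Run it on a log captured with `.logopen` after `!process <addr>` and the unresolved list is the first thing to read: every Idle thread above starts at nt!KiIdleLoop, and System threads should likewise start inside a loaded kernel module, so a kernel thread whose start address maps to no module is the kind of anomaly a responder wants surfaced rather than buried in a 150-line dump.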

Other kernel-space modules

Win32k.sys    kernel-space module of the Windows subsystem
DxgKrnl.sys   core module of the GPU
AFD.sys       kernel-space interface driver for network sockets
NDIS.sys      core driver that manages network adapter drivers
Wfplwf.sys    core module that manages network filter drivers
ACPI.sys      kernel module that interfaces with the platform firmware
PCI.sys       core driver module for the PCI bus
NTFS.sys      file system implementation of NTFS

NTDLL.DLL

NTDLL.DLL is the kernel's ambassador stationed in user space,
the bridge between user space and kernel space

Stub functions for calling system services

Functions whose names begin with NtXxx

```
0:000> x ntdll!*
7745bbd0  ntdll!EtwDeliverDataBlock (void)
77431840  ntdll!RtlpTpWorkCallback (void)
7743603b  ntdll!SbpDetermineDllContext (void)
77429160  ntdll!LdrEnumerateLoadedModules (void)
77438e10  ntdll!TppCallbackCheckThreadAfterCallback (void)
7743ccf6  ntdll!RtlpMuiRegLoadLicInformation (void)
7745d659  ntdll!IsProgramFilesPath (void)
77425fb0  ntdll!RebalanceNode (void)
7743b42e  ntdll!LdrpConvertLangFallbackListToMultiSz (void)
77461722  ntdll!RtlWideCharArrayCopyStringWorker (void)
774b9aa2  ntdll!RtlWideCharArrayCopyStringWorker (void)
77462bb0  ntdll!LdrResGetRCConfig (void)
77471744  ntdll!EtwpGetTimeZoneInformation (void)
774264d8  ntdll!LdrpGetProcedureAddress (void)
77452d10  ntdll!RtlGetFullPathName_UstrEx (void)
77453c90  ntdll!RtlpLocateActivationContextSection (void)
77439d2c  ntdll!RtlpAllocateUserBlockFromHeap (void)
77444f40  ntdll!LdrpLoadResourceFromAlternativeModule (void)
7745f4a4  ntdll!WerEscalationReadImageVersionInfoForModuleB
```

Image loader

Names beginning with Ldr, ldr or _ldr; a lowercase fourth character (as in Ldrp) marks an internal function, an uppercase one marks an interface function

```
0:000> k
 # ChildEBP RetAddr
00 009bf700 774a9486 ntdll!LdrpDoDebuggerBreak+0x2b
01 009bf960 77432fe1 ntdll!LdrpInitializeProcess+0x1ba6
02 009bf9b8 77432ed1 ntdll!_LdrpInitialize+0xba
03 009bf9c4 00000000 ntdll!LdrInitializeThunk+0x11
```

ntdll!LdrInitializeThunk+0x11 is the thunk through which control transfers from kernel space into user space
ntdll!_LdrpInitialize is the core function that performs process initialization

Runtime library

Functions beginning with Rtl provide the basic runtime routines

```
0:000> x ntdll!Rtl*
77431840  ntdll!RtlpTpWorkCallback (void)
7743ccf6  ntdll!RtlpMuiRegLoadLicInformation (void)
77461722  ntdll!RtlWideCharArrayCopyStringWorker (void)
774b9aa2  ntdll!RtlWideCharArrayCopyStringWorker (void)
77452d10  ntdll!RtlGetFullPathName_UstrEx (void)
77453c90  ntdll!RtlpLocateActivationContextSection (void)
77439d2c  ntdll!RtlpAllocateUserBlockFromHeap (void)
774284ed  ntdll!RtlpTpTimerRundown (void)
77429c67  ntdll!RtlpProcessIFEOKeyFilter (void)
774333ad  ntdll!RtlpTpRevertCapture (void)
77458520  ntdll!RtlInitializeResource (void)
7742871a  ntdll!RtlStringExValidateDestW (void)
77456237  ntdll!RtlpCreateSplitBlock (void)
7746c000  ntdll!RtlCheckHeldCriticalSections (void)
```
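The naming conventions laid out in the NTDLL sections above (NtXxx system-service stubs, Ldr/ldr/_ldr loader routines, Rtl runtime-library routines, and the rule that a lowercase fourth character marks an internal function) can be applied mechanically to an `x ntdll!*` listing. The Python below is an added example, not part of the original post: it parses lines in the `address module!symbol (void)` shape shown above, strips the leading underscore from names such as `_LdrpInitialize`, and groups symbols by family and by interface/internal. The listing is constructed from names on this page plus two Nt/Zw entries with invented addresses; applying the same lowercase-after-prefix rule to the Zw, Etw and Tp families is my generalization, not something the post states.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape of the `x ntdll!*` output above. Names are real ntdll
# symbols from this page except the last three lines, whose addresses are invented.
LISTING = """\
0:000> x ntdll!*
7745bbd0  ntdll!EtwDeliverDataBlock (void)
77431840  ntdll!RtlpTpWorkCallback (void)
77429160  ntdll!LdrEnumerateLoadedModules (void)
774264d8  ntdll!LdrpGetProcedureAddress (void)
77452d10  ntdll!RtlGetFullPathName_UstrEx (void)
77458520  ntdll!RtlInitializeResource (void)
77438e10  ntdll!TppCallbackCheckThreadAfterCallback (void)
7745d659  ntdll!IsProgramFilesPath (void)
77432e00  ntdll!_LdrpInitialize (void)
77400100  ntdll!NtQueryInformationProcess (void)
77400110  ntdll!ZwQueryInformationProcess (void)
"""

_LINE_RE = re.compile(r"^\s*([0-9a-f]+)\s+(\w+)!(\w+)(?:\s+.*)?$", re.I)

# Nt, Ldr and Rtl are the families named in the post; Zw, Etw and Tp are added here (assumption).
FAMILIES = ("Nt", "Zw", "Ldr", "Rtl", "Etw", "Tp")

def parse_listing(text: str) -> List[Tuple[int, str, str]]:
    """Return (address, module, symbol) for every `x` output line; prompts and other lines are skipped."""
    out = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if m:
            out.append((int(m.group(1), 16), m.group(2), m.group(3)))
    return out

def classify(symbol: str) -> Tuple[Optional[str], str]:
    """Map a symbol to (family, kind); kind is 'interface', 'internal' or 'other'.

    The post's rule: after the family prefix, a lowercase character (the 'p' of Ldrp)
    marks an internal function and an uppercase one marks an interface function.
    """
    name = symbol.lstrip("_")              # _LdrpInitialize classifies like LdrpInitialize
    for fam in FAMILIES:
        if name.startswith(fam) and len(name) > len(fam):
            return fam, ("internal" if name[len(fam)].islower() else "interface")
    return None, "other"

def summarize(text: str) -> Tuple[Dict[str, Dict[str, int]], int]:
    """Count interface/internal symbols per family; the second value counts symbols in no family."""
    counts: Dict[str, Dict[str, int]] = defaultdict(lambda: {"interface": 0, "internal": 0})
    other = 0
    for _addr, _mod, sym in parse_listing(text):
        fam, kind = classify(sym)
        if fam is None:
            other += 1
        else:
            counts[fam][kind] += 1
    return dict(counts), other

def system_service_stubs(text: str) -> List[str]:
    """Exported Nt*/Zw* names: the stubs through which user mode requests kernel system services."""
    return sorted(sym for _a, _m, sym in parse_listing(text)
                  if classify(sym) in (("Nt", "interface"), ("Zw", "interface")))

if __name__ == "__main__":
    per_family, other = summarize(LISTING)
    for fam, kinds in sorted(per_family.items()):
        print(f"{fam:4} interface={kinds['interface']} internal={kinds['internal']}")
    print("unclassified:", other)
    print("system-service stubs:", system_service_stubs(LISTING))
```

Fed a full `x ntdll!*` dump saved with `.logopen`, the split between interface and internal names is what makes the `k` stack above readable: LdrInitializeThunk is the exported entry the kernel returns into, while _LdrpInitialize, LdrpInitializeProcess and LdrpDoDebuggerBreak are the private helpers beneath it.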

Environment subsystems

Different kinds of applications run in different environment subsystems

Native processes

Ordinary applications belong to some environment subsystem
Special processes that depend on no subsystem and talk to the kernel directly through special private interfaces are usually called native processes
They can run before any subsystem has been created

SMSS

Session Manager Subsystem

CSRSS

The service process of the Windows subsystem
