
windbg notes (TBD)

display a structure from a raw address (dt overlays the type's field layout on the address; qualify the type with its module so the debugger does not pick the wrong symbol)

  dt nt!_ETHREAD <address>

find the IRPs pending on a thread: the "IRP List:" section of !thread, which walks ETHREAD.IrpList (+0x658 in the _ETHREAD dump below) and prints each IRP's address, (Type,Size), Flags and Mdl

What information does !thread <address> actually give? In the output below: the ETHREAD address, Cid (process id.thread id), the Teb and Win32Thread pointers, scheduling state and processor, the pended IRPs, impersonation state, DeviceMap, owning and attached process, wait start tick and ticks waited, context switch count and ideal processor, user and kernel time, Win32 start address, stack init/current/base/limit, priorities, and the kernel stack trace. Frames printed as module+offset (btfilter+0x2368) are frames for which no symbols are loaded.

3: kd> !thread
THREAD ffffe0000341f040  Cid 0004.0590  Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 3
IRP List:
    ffffe00002dadb10: (0006,03a0) Flags: 00060000  Mdl: 00000000
Not impersonating
DeviceMap                 ffffc0000000c2e0
Owning Process            ffffe0000023b700       Image:         System
Attached Process          N/A            Image:         N/A
Wait Start TickCount      103483         Ticks: 7646 (0:00:01:59.468)
Context Switch Count      114            IdealProcessor: 0  NoStackSwap
UserTime                  00:00:00.000
KernelTime                00:01:59.468
Win32 Start Address nt!ExpWorkerThread (0xfffff802e12b6118)
Stack Init ffffd00021c66c90 Current ffffd00021c66310
Base ffffd00021c67000 Limit ffffd00021c61000 Call 0
Priority 13 BasePriority 13 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
Child-SP          RetAddr           : Args to Child                                                           : Call Site
ffffd000`21c66400 fffff802`e12bb3c6 : 00000000`00000000 00000000`00000002 ffffd000`20688180 ffffe000`0341f140 : nt! ?? ::FNODOBFM::`string'+0xc614
ffffd000`21c66500 fffff802`e13cee23 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiDeliverApc+0x136
ffffd000`21c66580 fffff800`031d3368 : 00000000`00000000 ffffd000`21c667b0 ffffe000`021d0ef0 00000000`00000000 : nt!KiApcInterrupt+0xc3 (TrapFrame @ ffffd000`21c66580)
ffffd000`21c66710 fffff800`031d28eb : fffff800`031d8000 ffffd000`21c66880 00000000`00000000 fffff800`00000000 : btfilter+0x2368
ffffd000`21c66780 fffff800`031d6010 : ffffe000`0375ebd0 ffffe000`0375ebd0 00000000`00000001 ffffe000`021d0ef0 : btfilter+0x18eb
ffffd000`21c66920 fffff802`e12bd118 : ffffe000`0375ebd0 ffffd000`21c66a09 ffffe000`021a9201 ffffe000`0375eee3 : btfilter+0x5010
ffffd000`21c66960 fffff800`02f0c604 : ffffe000`0341f040 00000000`00000000 ffffe000`0198a000 ffffe000`021a92a0 : nt!IopfCompleteRequest+0x438
ffffd000`21c66a70 fffff800`02f083de : ffffe000`0198a1a0 00000000`00000000 ffffe000`0198a050 ffffe000`02ab6130 : usbhub!UsbhPdoUnblockPendedD0IrpWI+0xb0
ffffd000`21c66ab0 fffff802`e12b5c87 : ffffe000`011a8400 ffffe000`0198a050 00000000`00000000 fffff802`e135c14e : usbhub!UsbhHubWorker+0x62
ffffd000`21c66af0 fffff802`e12b63cd : fffff802`00000003 fffff802`e12b5bac ffffd000`21c66bd0 ffffe000`011a8400 : nt!IopProcessWorkItem+0xdb
ffffd000`21c66b50 fffff802`e1361664 : 00000000`00004000 ffffe000`0341f040 ffffe000`0341f040 ffffe000`0023b700 : nt!ExpWorkerThread+0x2b5
ffffd000`21c66c00 fffff802`e13d06c6 : ffffd000`201e7180 ffffe000`0341f040 ffffe000`00245640 00000004`00000b9c : nt!PspSystemThreadStartup+0x58
ffffd000`21c66c60 00000000`00000000 : ffffd000`21c67000 ffffd000`21c61000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x16
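The "IRP List:" block above is the debugger walking ETHREAD.IrpList (+0x658 on this build, guarded by IrpListLock at +0x720) and printing each IRP's Type, Size, Flags and MDL. The C program below is an added example, not part of the original notes or of Windows: it reproduces that walk over constructed mock structures (MOCK_IRP, MOCK_ETHREAD, the sample thread and its three IRPs are all invented here, with only the fields the walk needs at the offsets the page shows) and adds the consistency check you want when repeating the walk by hand in a dump, where a stale or corrupted entry would otherwise send you through freed pool.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for the kernel types. Only the fields this walk
 * touches are modelled, at the Windows 8.1 x64 offsets shown by dt _ETHREAD
 * on this page (IrpList at +0x658). A real IRP links into its thread via
 * IRP.Tail.Overlay.ThreadListEntry. */
typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;

typedef struct _MOCK_IRP {
    uint16_t   Type;            /* IO_TYPE_IRP (6): the "0006" of (0006,03a0) */
    uint16_t   Size;            /* the "03a0" */
    uint32_t   Flags;
    void      *MdlAddress;
    LIST_ENTRY ThreadListEntry; /* link into the owning thread's IrpList */
} MOCK_IRP;

typedef struct _MOCK_ETHREAD {
    uint8_t    Pad[0x658];      /* Tcb, Cid, ... up to the list head */
    LIST_ENTRY IrpList;         /* +0x658 on this build */
} MOCK_ETHREAD;

#define CONTAINING_RECORD(addr, type, field) \
    ((type *)((char *)(addr) - offsetof(type, field)))

static void InitializeListHead(LIST_ENTRY *h) { h->Flink = h->Blink = h; }
static void InsertTailList(LIST_ENTRY *h, LIST_ENTRY *e)
{
    e->Flink = h; e->Blink = h->Blink;
    h->Blink->Flink = e; h->Blink = e;
}
static void RemoveEntryList(LIST_ENTRY *e)
{
    e->Blink->Flink = e->Flink; e->Flink->Blink = e->Blink;
}

/* Walk ETHREAD.IrpList the way !thread's "IRP List:" does. Returns the IRP
 * count, or -1 if the list is inconsistent: a NULL link, an entry whose Blink
 * does not point back at its predecessor, or more than max_entries nodes
 * (what a cycle through freed pool looks like in a dump). out/out_cap receive
 * the IRP pointers; pass NULL/0 to only count. */
int WalkThreadIrpList(const MOCK_ETHREAD *thread, size_t max_entries,
                      const MOCK_IRP **out, size_t out_cap)
{
    const LIST_ENTRY *head = &thread->IrpList, *prev = head;
    size_t n = 0;
    for (const LIST_ENTRY *e = head->Flink; e != head; prev = e, e = e->Flink) {
        if (e == NULL || e->Blink != prev || n >= max_entries)
            return -1;
        if (out != NULL && n < out_cap)
            out[n] = CONTAINING_RECORD(e, MOCK_IRP, ThreadListEntry);
        n++;
    }
    return (int)n;
}

/* Print the list in !thread's format: <irp>: (Type,Size) Flags: ..  Mdl: .. */
int PrintIrpList(const MOCK_ETHREAD *thread)
{
    const MOCK_IRP *irps[32];
    int n = WalkThreadIrpList(thread, 32, irps, 32);
    if (n < 0) { puts("IRP List: inconsistent, stopping"); return n; }
    puts("IRP List:");
    for (int i = 0; i < n; i++)
        printf("    %p: (%04x,%04x) Flags: %08x  Mdl: %p\n",
               (const void *)irps[i], (unsigned)irps[i]->Type,
               (unsigned)irps[i]->Size, (unsigned)irps[i]->Flags,
               irps[i]->MdlAddress);
    return n;
}

/* Constructed sample: one thread with three IRPs pended on it. */
MOCK_ETHREAD g_thread;
MOCK_IRP     g_irps[3];

MOCK_ETHREAD *BuildSampleThread(void)
{
    InitializeListHead(&g_thread.IrpList);
    for (int i = 0; i < 3; i++) {
        g_irps[i].Type = 6; g_irps[i].Size = 0x3a0;
        g_irps[i].Flags = 0x60000; g_irps[i].MdlAddress = NULL;
        InsertTailList(&g_thread.IrpList, &g_irps[i].ThreadListEntry);
    }
    return &g_thread;
}

/* IRP i completes (IoCompleteRequest unlinks it) / IRP i's back link breaks.
 * Both return the result of re-walking the list afterwards. */
int CompleteIrp(int i)
{
    RemoveEntryList(&g_irps[i].ThreadListEntry);
    return WalkThreadIrpList(&g_thread, 32, NULL, 0);
}
int CorruptIrpBlink(int i)
{
    g_irps[i].ThreadListEntry.Blink = NULL;
    return WalkThreadIrpList(&g_thread, 32, NULL, 0);
}

int main(void)
{
    MOCK_ETHREAD *t = BuildSampleThread();
    PrintIrpList(t);      /* three entries */
    CompleteIrp(1);
    PrintIrpList(t);      /* two entries */
    CorruptIrpBlink(2);
    PrintIrpList(t);      /* reported as inconsistent */
    return 0;
}
```

A -1 on a real dump means the thread or one of its IRPs has been freed or overwritten; the next step is !irp on the last address that still looked valid, and dt nt!_IRP on it to see which link went bad.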

Thread structures on Windows 8.1 (dt _ETHREAD and dt _KTHREAD; the _KTHREAD is the Tcb at +0x000 of the _ETHREAD)

3: kd> dt _ETHREAD
ACPI!_ETHREAD
   +0x000 Tcb              : _KTHREAD
   +0x5d0 CreateTime       : _LARGE_INTEGER
   +0x5d8 ExitTime         : _LARGE_INTEGER
   +0x5d8 KeyedWaitChain   : _LIST_ENTRY
   +0x5e8 ChargeOnlySession : Ptr64 Void
   +0x5f0 PostBlockList    : _LIST_ENTRY
   +0x5f0 ForwardLinkShadow : Ptr64 Void
   +0x5f8 StartAddress     : Ptr64 Void
   +0x600 TerminationPort  : Ptr64 _TERMINATION_PORT
   +0x600 ReaperLink       : Ptr64 _ETHREAD
   +0x600 KeyedWaitValue   : Ptr64 Void
   +0x608 ActiveTimerListLock : Uint8B
   +0x610 ActiveTimerListHead : _LIST_ENTRY
   +0x620 Cid              : _CLIENT_ID
   +0x630 KeyedWaitSemaphore : _KSEMAPHORE
   +0x630 AlpcWaitSemaphore : _KSEMAPHORE
   +0x650 ClientSecurity   : _PS_CLIENT_SECURITY_CONTEXT
   +0x658 IrpList          : _LIST_ENTRY
   +0x668 TopLevelIrp      : Uint8B
   +0x670 DeviceToVerify   : Ptr64 _DEVICE_OBJECT
   +0x678 Win32StartAddress : Ptr64 Void
   +0x680 LegacyPowerObject : Ptr64 Void
   +0x688 ThreadListEntry  : _LIST_ENTRY
   +0x698 RundownProtect   : _EX_RUNDOWN_REF
   +0x6a0 ThreadLock       : _EX_PUSH_LOCK
   +0x6a8 ReadClusterSize  : Uint4B
   +0x6ac MmLockOrdering   : Int4B
   +0x6b0 CmLockOrdering   : Int4B
   +0x6b4 CrossThreadFlags : Uint4B
   +0x6b4 Terminated       : Pos 0, 1 Bit
   +0x6b4 ThreadInserted   : Pos 1, 1 Bit
   +0x6b4 HideFromDebugger : Pos 2, 1 Bit
   +0x6b4 ActiveImpersonationInfo : Pos 3, 1 Bit
   +0x6b4 HardErrorsAreDisabled : Pos 4, 1 Bit
   +0x6b4 BreakOnTermination : Pos 5, 1 Bit
   +0x6b4 SkipCreationMsg  : Pos 6, 1 Bit
   +0x6b4 SkipTerminationMsg : Pos 7, 1 Bit
   +0x6b4 CopyTokenOnOpen  : Pos 8, 1 Bit
   +0x6b4 ThreadIoPriority : Pos 9, 3 Bits
   +0x6b4 ThreadPagePriority : Pos 12, 3 Bits
   +0x6b4 RundownFail      : Pos 15, 1 Bit
   +0x6b4 UmsForceQueueTermination : Pos 16, 1 Bit
   +0x6b4 ReservedCrossThreadFlags : Pos 17, 15 Bits
   +0x6b8 SameThreadPassiveFlags : Uint4B
   +0x6b8 ActiveExWorker   : Pos 0, 1 Bit
   +0x6b8 MemoryMaker      : Pos 1, 1 Bit
   +0x6b8 ClonedThread     : Pos 2, 1 Bit
   +0x6b8 KeyedEventInUse  : Pos 3, 1 Bit
   +0x6b8 SelfTerminate    : Pos 4, 1 Bit
   +0x6bc SameThreadApcFlags : Uint4B
   +0x6bc HardFaultBehavior : Pos 0, 1 Bit
   +0x6bc StartAddressInvalid : Pos 1, 1 Bit
   +0x6bc EtwCalloutActive : Pos 2, 1 Bit
   +0x6bc OwnsProcessWorkingSetExclusive : Pos 3, 1 Bit
   +0x6bc OwnsProcessWorkingSetShared : Pos 4, 1 Bit
   +0x6bc OwnsSystemCacheWorkingSetExclusive : Pos 5, 1 Bit
   +0x6bc OwnsSystemCacheWorkingSetShared : Pos 6, 1 Bit
   +0x6bc OwnsSessionWorkingSetExclusive : Pos 7, 1 Bit
   +0x6bd OwnsSessionWorkingSetShared : Pos 0, 1 Bit
   +0x6bd OwnsProcessAddressSpaceExclusive : Pos 1, 1 Bit
   +0x6bd OwnsProcessAddressSpaceShared : Pos 2, 1 Bit
   +0x6bd SuppressSymbolLoad : Pos 3, 1 Bit
   +0x6bd Prefetching      : Pos 4, 1 Bit
   +0x6bd OwnsVadExclusive : Pos 5, 1 Bit
   +0x6bd OwnsChangeControlAreaExclusive : Pos 6, 1 Bit
   +0x6bd OwnsChangeControlAreaShared : Pos 7, 1 Bit
   +0x6be OwnsPagedPoolWorkingSetExclusive : Pos 0, 1 Bit
   +0x6be OwnsPagedPoolWorkingSetShared : Pos 1, 1 Bit
   +0x6be OwnsSystemPtesWorkingSetExclusive : Pos 2, 1 Bit
   +0x6be OwnsSystemPtesWorkingSetShared : Pos 3, 1 Bit
   +0x6be TrimTrigger      : Pos 4, 2 Bits
   +0x6be Spare2           : Pos 6, 2 Bits
   +0x6bf SystemPagePriorityActive : Pos 0, 1 Bit
   +0x6bf SystemPagePriority : Pos 1, 3 Bits
   +0x6bf Spare3           : Pos 4, 4 Bits
   +0x6c0 CacheManagerActive : UChar
   +0x6c1 DisablePageFaultClustering : UChar
   +0x6c2 ActiveFaultCount : UChar
   +0x6c3 LockOrderState   : UChar
   +0x6c8 AlpcMessageId    : Uint8B
   +0x6d0 AlpcMessage      : Ptr64 Void
   +0x6d0 AlpcReceiveAttributeSet : Uint4B
   +0x6d8 ExitStatus       : Int4B
   +0x6e0 AlpcWaitListEntry : _LIST_ENTRY
   +0x6f0 CacheManagerCount : Uint4B
   +0x6f4 IoBoostCount     : Uint4B
   +0x6f8 BoostList        : _LIST_ENTRY
   +0x708 DeboostList      : _LIST_ENTRY
   +0x718 BoostListLock    : Uint8B
   +0x720 IrpListLock      : Uint8B
   +0x728 ReservedForSynchTracking : Ptr64 Void
   +0x730 CmCallbackListHead : _SINGLE_LIST_ENTRY
   +0x738 ActivityId       : Ptr64 _GUID
   +0x740 SeLearningModeListHead : _SINGLE_LIST_ENTRY
   +0x748 VerifierContext  : Ptr64 Void
   +0x750 KernelStackReference : Uint4B
   +0x758 AdjustedClientToken : Ptr64 Void
   +0x760 UserFsBase       : Uint4B
   +0x768 UserGsBase       : Uint8B
   +0x770 PicoContext      : Ptr64 Void

 

3: kd> dt _KTHREAD
ACPI!_KTHREAD
   +0x000 Header           : _DISPATCHER_HEADER
   +0x018 SListFaultAddress : Ptr64 Void
   +0x020 QuantumTarget    : Uint8B
   +0x028 InitialStack     : Ptr64 Void
   +0x030 StackLimit       : Ptr64 Void
   +0x038 StackBase        : Ptr64 Void
   +0x040 ThreadLock       : Uint8B
   +0x048 CycleTime        : Uint8B
   +0x050 CurrentRunTime   : Uint4B
   +0x054 ExpectedRunTime  : Uint4B
   +0x058 KernelStack      : Ptr64 Void
   +0x060 StateSaveArea    : Ptr64 _XSAVE_FORMAT
   +0x068 SchedulingGroup  : Ptr64 _KSCHEDULING_GROUP
   +0x070 WaitRegister     : _KWAIT_STATUS_REGISTER
   +0x071 Running          : UChar
   +0x072 Alerted          : [2] UChar
   +0x074 KernelStackResident : Pos 0, 1 Bit
   +0x074 ReadyTransition  : Pos 1, 1 Bit
   +0x074 ProcessReadyQueue : Pos 2, 1 Bit
   +0x074 WaitNext         : Pos 3, 1 Bit
   +0x074 SystemAffinityActive : Pos 4, 1 Bit
   +0x074 Alertable        : Pos 5, 1 Bit
   +0x074 UserStackWalkActive : Pos 6, 1 Bit
   +0x074 ApcInterruptRequest : Pos 7, 1 Bit
   +0x074 QuantumEndMigrate : Pos 8, 1 Bit
   +0x074 UmsDirectedSwitchEnable : Pos 9, 1 Bit
   +0x074 TimerActive      : Pos 10, 1 Bit
   +0x074 SystemThread     : Pos 11, 1 Bit
   +0x074 ProcessDetachActive : Pos 12, 1 Bit
   +0x074 CalloutActive    : Pos 13, 1 Bit
   +0x074 ScbReadyQueue    : Pos 14, 1 Bit
   +0x074 ApcQueueable     : Pos 15, 1 Bit
   +0x074 ReservedStackInUse : Pos 16, 1 Bit
   +0x074 UmsPerformingSyscall : Pos 17, 1 Bit
   +0x074 ApcPendingReload : Pos 18, 1 Bit
   +0x074 Reserved         : Pos 19, 13 Bits
   +0x074 MiscFlags        : Int4B
   +0x078 AutoAlignment    : Pos 0, 1 Bit
   +0x078 DisableBoost     : Pos 1, 1 Bit
   +0x078 UserAffinitySet  : Pos 2, 1 Bit
   +0x078 AlertedByThreadId : Pos 3, 1 Bit
   +0x078 QuantumDonation  : Pos 4, 1 Bit
   +0x078 EnableStackSwap  : Pos 5, 1 Bit
   +0x078 GuiThread        : Pos 6, 1 Bit
   +0x078 DisableQuantum   : Pos 7, 1 Bit
   +0x078 ChargeOnlySchedulingGroup : Pos 8, 1 Bit
   +0x078 DeferPreemption  : Pos 9, 1 Bit
   +0x078 QueueDeferPreemption : Pos 10, 1 Bit
   +0x078 ForceDeferSchedule : Pos 11, 1 Bit
   +0x078 SharedReadyQueueAffinity : Pos 12, 1 Bit
   +0x078 FreezeCount      : Pos 13, 1 Bit
   +0x078 TerminationApcRequest : Pos 14, 1 Bit
   +0x078 AutoBoostEntriesExhausted : Pos 15, 1 Bit
   +0x078 EtwStackTraceApcInserted : Pos 16, 8 Bits
   +0x078 ReservedFlags    : Pos 24, 8 Bits
   +0x078 ThreadFlags      : Int4B
   +0x07c Spare0           : Uint4B
   +0x080 SystemCallNumber : Uint4B
   +0x084 Spare1           : Uint4B
   +0x088 FirstArgument    : Ptr64 Void
   +0x090 TrapFrame        : Ptr64 _KTRAP_FRAME
   +0x098 ApcState         : _KAPC_STATE
   +0x098 ApcStateFill     : [43] UChar
   +0x0c3 Priority         : Char
   +0x0c4 UserIdealProcessor : Uint4B
   +0x0c8 WaitStatus       : Int8B
   +0x0d0 WaitBlockList    : Ptr64 _KWAIT_BLOCK
   +0x0d8 WaitListEntry    : _LIST_ENTRY
   +0x0d8 SwapListEntry    : _SINGLE_LIST_ENTRY
   +0x0e8 Queue            : Ptr64 _DISPATCHER_HEADER
   +0x0f0 Teb              : Ptr64 Void
   +0x0f8 RelativeTimerBias : Uint8B
   +0x100 Timer            : _KTIMER
   +0x140 WaitBlock        : [4] _KWAIT_BLOCK
   +0x140 WaitBlockFill4   : [20] UChar
   +0x154 ContextSwitches  : Uint4B
   +0x140 WaitBlockFill5   : [68] UChar
   +0x184 State            : UChar
   +0x185 NpxState         : Char
   +0x186 WaitIrql         : UChar
   +0x187 WaitMode         : Char
   +0x140 WaitBlockFill6   : [116] UChar
   +0x1b4 WaitTime         : Uint4B
   +0x140 WaitBlockFill7   : [164] UChar
   +0x1e4 KernelApcDisable : Int2B
   +0x1e6 SpecialApcDisable : Int2B
   +0x1e4 CombinedApcDisable : Uint4B
   +0x140 WaitBlockFill8   : [40] UChar
   +0x168 ThreadCounters   : Ptr64 _KTHREAD_COUNTERS
   +0x140 WaitBlockFill9   : [88] UChar
   +0x198 XStateSave       : Ptr64 _XSTATE_SAVE
   +0x140 WaitBlockFill10  : [136] UChar
   +0x1c8 Win32Thread      : Ptr64 Void
   +0x140 WaitBlockFill11  : [176] UChar
   +0x1f0 Ucb              : Ptr64 _UMS_CONTROL_BLOCK
   +0x1f8 Uch              : Ptr64 _KUMS_CONTEXT_HEADER
   +0x200 TebMappedLowVa   : Ptr64 Void
   +0x208 QueueListEntry   : _LIST_ENTRY
   +0x218 NextProcessor    : Uint4B
   +0x218 NextProcessorNumber : Pos 0, 31 Bits
   +0x218 SharedReadyQueue : Pos 31, 1 Bit
   +0x21c QueuePriority    : Int4B
   +0x220 Process          : Ptr64 _KPROCESS
   +0x228 UserAffinity     : _GROUP_AFFINITY
   +0x228 UserAffinityFill : [10] UChar
   +0x232 PreviousMode     : Char
   +0x233 BasePriority     : Char
   +0x234 PriorityDecrement : Char
   +0x234 ForegroundBoost  : Pos 0, 4 Bits
   +0x234 UnusualBoost     : Pos 4, 4 Bits
   +0x235 Preempted        : UChar
   +0x236 AdjustReason     : UChar
   +0x237 AdjustIncrement  : Char
   +0x238 Affinity         : _GROUP_AFFINITY
   +0x238 AffinityFill     : [10] UChar
   +0x242 ApcStateIndex    : UChar
   +0x243 WaitBlockCount   : UChar
   +0x244 IdealProcessor   : Uint4B
   +0x248 ApcStatePointer  : [2] Ptr64 _KAPC_STATE
   +0x258 SavedApcState    : _KAPC_STATE
   +0x258 SavedApcStateFill : [43] UChar
   +0x283 WaitReason       : UChar
   +0x284 SuspendCount     : Char
   +0x285 Saturation       : Char
   +0x286 SListFaultCount  : Uint2B
   +0x288 SchedulerApc     : _KAPC
   +0x288 SchedulerApcFill0 : [1] UChar
   +0x289 ResourceIndex    : UChar
   +0x288 SchedulerApcFill1 : [3] UChar
   +0x28b QuantumReset     : UChar
   +0x288 SchedulerApcFill2 : [4] UChar
   +0x28c KernelTime       : Uint4B
   +0x288 SchedulerApcFill3 : [64] UChar
   +0x2c8 WaitPrcb         : Ptr64 _KPRCB
   +0x288 SchedulerApcFill4 : [72] UChar
   +0x2d0 LegoData         : Ptr64 Void
   +0x288 SchedulerApcFill5 : [83] UChar
   +0x2db CallbackNestingLevel : UChar
   +0x2dc UserTime         : Uint4B
   +0x2e0 SuspendEvent     : _KEVENT
   +0x2f8 ThreadListEntry  : _LIST_ENTRY
   +0x308 MutantListHead   : _LIST_ENTRY
   +0x318 LockEntriesFreeList : _SINGLE_LIST_ENTRY
   +0x320 LockEntries      : [6] _KLOCK_ENTRY
   +0x560 PropagateBoostsEntry : _SINGLE_LIST_ENTRY
   +0x568 IoSelfBoostsEntry : _SINGLE_LIST_ENTRY
   +0x570 PriorityFloorCounts : [16] UChar
   +0x580 PriorityFloorSummary : Uint4B
   +0x584 AbCompletedIoBoostCount : Int4B
   +0x588 AbReferenceCount : Int2B
   +0x58a AbFreeEntryCount : UChar
   +0x58b AbWaitEntryCount : UChar
   +0x58c ForegroundLossTime : Uint4B
   +0x590 GlobalForegroundListEntry : _LIST_ENTRY
   +0x590 ForegroundDpcStackListEntry : _SINGLE_LIST_ENTRY
   +0x598 InGlobalForegroundList : Uint8B
   +0x5a0 ReadOperationCount : Int8B
   +0x5a8 WriteOperationCount : Int8B
   +0x5b0 OtherOperationCount : Int8B
   +0x5b8 ReadTransferCount : Int8B
   +0x5c0 WriteTransferCount : Int8B
   +0x5c8 OtherTransferCount : Int8B

 

posted @ 2013-10-12 13:51  一ke小小草