Just as the PsLoadedModuleList symbol sits at the head of the _LDR_DATA_TABLE_ENTRY list,
I only recently learned that the _EPROCESS list (ActiveProcessLinks) and the handle table (ObjectTable) list (HandleTableList)
also each have a kernel symbol at their head.
The symbol names are PsActiveProcessHead and HandleTableListHead respectively.
Walking each list from its symbol gives the output below, and the EPROCESS of the System process,
which I had been treating as the start of the list, can be seen in the second position.
The first line of each dl dump is the list head itself: a sentinel LIST_ENTRY in ntoskrnl's data, not embedded in any EPROCESS or _HANDLE_TABLE, which is why the first real object is reached through the head's Flink (and the "-0xA0" / "-0x10" in the dt commands below is just CONTAINING_RECORD done by hand).
Test Machine : Windows VISTA SP2 x86
1: kd> dl nt!PsActiveProcessHead
8194b990 8314fcb0 9bdc12f8 850269c0 9bdc68b8
8314fcb0 858b90c0 8194b990 00000000 00000000
858b90c0 8514d248 8314fcb0 000002d0 000022d0
8514d248 858800c0 858b90c0 00001488 00023ba0
858800c0 858810c0 8514d248 00001cf0 0004c398
858810c0 859480c0 858800c0 00001190 00015cb8
859480c0 8590f0c0 858810c0 00001e58 00016650
8590f0c0 85917e30 859480c0 00000e38 00014d80
85917e30 85916e30 8590f0c0 00002a10 00017dd8
85916e30 9702a0c0 85917e30 00000e98 0000ed10
9702a0c0 8590ea10 85916e30 00001368 000121a0
8590ea10 9705eb98 9702a0c0 00001e30 00012190
9705eb98 970cc798 8590ea10 000020c8 0001d640
970cc798 970c8e30 9705eb98 000037f8 0001b2e0
970c8e30 970af9b8 970cc798 00003550 00021e48
970af9b8 970db5e0 970c8e30 000077b8 000301b8
970db5e0 970ba8e0 970af9b8 00000f00 000112b0
970ba8e0 9903f808 970db5e0 00000a10 0000f290
9903f808 97104400 970ba8e0 000059c0 00025cb8
97104400 97188d30 9903f808 000032f8 0001d900
97188d30 8596e118 97104400 00002b88 00028b28
8596e118 859a20c0 97188d30 00006100 0001a258
859a20c0 990047c0 8596e118 00002450 00027270
990047c0 97085218 859a20c0 000012f8 00018a68
97085218 970118f0 990047c0 00000a18 000155f0
970118f0 850290c0 97085218 00005dc0 00054ff8
850290c0 8596dc68 970118f0 00002bf8 000294b8
8596dc68 990dd0c0 850290c0 00000ff0 0001e380
990dd0c0 991454a0 8596dc68 00002088 00033418
991454a0 99173370 990dd0c0 000006b8 00008e78
99173370 991846d0 991454a0 000013f8 00012418
991846d0 991a6e30 99173370 00003158 0002d810
1: kd> dl
991a6e30 991ab698 991846d0 00000fe8 00015d10
991ab698 991be690 991a6e30 00002eb8 00027420
991be690 991d90c0 991ab698 00000ee0 00012820
991d90c0 991e0378 991be690 000012b0 00015388
991e0378 991ff0c0 991d90c0 00001688 0001ce88
991ff0c0 9bc24ca8 991e0378 00001fa0 0001bd90
9bc24ca8 990c3420 991ff0c0 00001ed0 00017928
990c3420 9bc70a40 9bc24ca8 00001150 0001a258
9bc70a40 9bde0440 990c3420 000012b0 0001ae80
9bde0440 9ca560c0 9bc70a40 00001008 0001d100
9ca560c0 836ce1a8 9bde0440 00001160 00010420
836ce1a8 9be02e30 9ca560c0 00001308 0001a0a0
9be02e30 838810c0 836ce1a8 00000db0 0001a030
838810c0 838d00c0 9be02e30 00001440 000134a8
838d00c0 9bdc12f8 838810c0 000050c0 0002fde0
9bdc12f8 8194b990 838d00c0 00000688 000089b8
1: kd> dt nt!_EPROCESS (8314fcb0-0xA0)
+0x000 Pcb : _KPROCESS
+0x080 ProcessLock : _EX_PUSH_LOCK
+0x088 CreateTime : _LARGE_INTEGER 0x1cf6ddc`179ab4e2
+0x090 ExitTime : _LARGE_INTEGER 0x0
+0x098 RundownProtect : _EX_RUNDOWN_REF
+0x09c UniqueProcessId : 0x00000004 Void
+0x0a0 ActiveProcessLinks : _LIST_ENTRY [ 0x858b90c0 - 0x8194b990 ]
...
+0x14c ImageFileName : [16] "System"
...
1: kd> dl nt!HandleTableListHead
819402c8 86602018 9c292d08 00000000 00000000
86602018 866e8c98 819402c8 00000000 00000000
866e8c98 8cdf63d8 86602018 00000000 00000000
8cdf63d8 8dca77a8 866e8c98 00000000 00000000
8dca77a8 8dca5110 8cdf63d8 00000000 00000000
8dca5110 8cd38540 8dca77a8 00000000 00000000
8cd38540 8dca3c38 8dca5110 00000000 00000000
8dca3c38 8dcad4a0 8cd38540 00000000 00000000
8dcad4a0 8dc3c998 8dca3c38 00000000 00000000
8dc3c998 97f2a180 8dcad4a0 00000000 00000000
97f2a180 97e7cc68 8dc3c998 00000000 00000000
97e7cc68 97e7f880 97f2a180 00000000 00000000
97e7f880 98812730 97e7cc68 00000000 00000000
98812730 98867fd8 97e7f880 00000000 00000000
98867fd8 8dd4f7e0 98812730 00000000 00000000
8dd4f7e0 8dd5a418 98867fd8 00000000 00000000
8dd5a418 98862f48 8dd4f7e0 00000000 00000000
98862f48 988d8400 8dd5a418 00000000 00000000
988d8400 988fc878 98862f48 00000000 00000000
988fc878 97e57150 988d8400 00000000 00000000
97e57150 97fd8908 988fc878 00000000 00000000
97fd8908 989503f8 97e57150 00000000 00000000
989503f8 813b5090 97fd8908 00000000 00000000
813b5090 8dca3b10 989503f8 00000000 00000000
8dca3b10 88d08f70 813b5090 00000000 00000000
88d08f70 99f3bb88 8dca3b10 00000000 00000000
99f3bb88 99e65a08 88d08f70 00000000 00000000
99e65a08 81309748 99f3bb88 00000000 00000000
81309748 98952a48 99e65a08 00000000 00000000
98952a48 9a47be80 81309748 00000000 00000000
9a47be80 9a48f1d8 98952a48 00000000 00000000
9a48f1d8 9897bc48 9a47be80 00000000 00000000
1: kd> dl
9897bc48 99e74538 9a48f1d8 00000000 00000000
99e74538 9a559390 9897bc48 00000000 00000000
9a559390 9c22ae18 99e74538 00000000 00000000
9c22ae18 99e62480 9a559390 00000000 00000000
99e62480 9c2474e0 9c22ae18 00000000 00000000
9c2474e0 9c2ba398 99e62480 00000000 00000000
9c2ba398 9a46e278 9c2474e0 00000000 00000000
9a46e278 99f9d4c8 9c2ba398 00000000 00000000
99f9d4c8 9c35f990 9a46e278 00000000 00000000
9c35f990 9c379b30 99f9d4c8 00000000 00000000
9c379b30 813620d8 9c35f990 00000000 00000000
813620d8 9c320108 9c379b30 00000000 00000000
9c320108 a00bd218 813620d8 00000000 00000000
a00bd218 a00b4760 9c320108 00000000 00000000
a00b4760 9c292d08 a00bd218 00000000 00000000
9c292d08 819402c8 a00b4760 00000000 00000000
1: kd> dt nt!_HANDLE_TABLE (86602018-0x10)
+0x000 TableCode : 0x9a580001
+0x004 QuotaProcess : (null)
+0x008 UniqueProcessId : 0x00000004 Void
+0x00c HandleLock : _EX_PUSH_LOCK
+0x010 HandleTableList : _LIST_ENTRY [ 0x866e8c98 - 0x819402c8 ]
+0x018 HandleContentionEvent : _EX_PUSH_LOCK
+0x01c DebugInfo : (null)
+0x020 ExtraInfoPages : 0n0
+0x024 Flags : 0
+0x024 StrictFIFO : 0y0
+0x028 FirstFreeHandle : 0n2216
+0x02c LastFreeHandleEntry : 0x9a58aff8 _HANDLE_TABLE_ENTRY
+0x030 HandleCount : 0n509
+0x034 NextHandleNeedingPool : 0x1000
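The two walks above (PsActiveProcessHead -> ActiveProcessLinks and HandleTableListHead -> HandleTableList) are the same operation: start at the head's Flink, subtract the field offset to get the containing object, stop when the Flink chain returns to the head. The following user-mode C model, added here as an illustration and not taken from the post or from Windows source, shows that walk plus the Flink/Blink consistency check a walker should make before trusting a link. MOCK_EPROCESS, the three process names/PIDs and the helper names are constructed; the struct does not reproduce the real Vista x86 offsets, it uses offsetof() where the post types -0xA0 into dt.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* User-mode model of the kernel LIST_ENTRY and CONTAINING_RECORD macro. */
typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;
    struct _LIST_ENTRY *Blink;
} LIST_ENTRY;

#define CONTAINING_RECORD(addr, type, field) \
    ((type *)((char *)(addr) - offsetof(type, field)))

/* Hypothetical, cut-down stand-in for _EPROCESS (assumption, not the real
   layout). Only the fields the walk needs are modelled. */
typedef struct _MOCK_EPROCESS {
    unsigned char Pcb[0x80];        /* placeholder for _KPROCESS */
    void *UniqueProcessId;
    LIST_ENTRY ActiveProcessLinks;  /* embedded link, as in the real struct */
    char ImageFileName[16];
} MOCK_EPROCESS;

static void InitializeListHead(LIST_ENTRY *head) {
    head->Flink = head->Blink = head;
}

static void InsertTailList(LIST_ENTRY *head, LIST_ENTRY *entry) {
    LIST_ENTRY *last = head->Blink;
    entry->Flink = head;
    entry->Blink = last;
    last->Flink = entry;
    head->Blink = entry;
}

/* Walk the list the way `dl nt!PsActiveProcessHead` displays it: the head is
   a sentinel, not inside any EPROCESS, so the first real process is
   CONTAINING_RECORD(head->Flink, ...). Stops when Flink returns to the head.
   Returns the number of processes seen; names[] (optional) gets their names. */
static int WalkActiveProcessList(LIST_ENTRY *head, const char **names, int max) {
    int count = 0;
    for (LIST_ENTRY *e = head->Flink; e != head; e = e->Flink) {
        MOCK_EPROCESS *p = CONTAINING_RECORD(e, MOCK_EPROCESS, ActiveProcessLinks);
        if (names && count < max) names[count] = p->ImageFileName;
        count++;
    }
    return count;
}

/* Consistency check before trusting a link: each entry's neighbours must point
   back at it. Returns 1 if the whole ring (head included) is consistent, 0 at
   the first broken link; bounded so a damaged ring cannot loop forever. */
static int CheckListIntegrity(LIST_ENTRY *head) {
    LIST_ENTRY *e = head;
    for (int steps = 0; steps < (1 << 20); steps++) {
        if (e->Flink->Blink != e || e->Blink->Flink != e) return 0;
        e = e->Flink;
        if (e == head) return 1;
    }
    return 0;
}

/* Constructed sample: a sentinel head plus three fake processes, in the order
   the post's dump shows (System, PID 4, first after the head). */
static LIST_ENTRY g_head;
static MOCK_EPROCESS g_procs[3];

static LIST_ENTRY *BuildSampleList(void) {
    const char *names[3] = { "System", "smss.exe", "csrss.exe" };
    void *pids[3] = { (void *)4, (void *)0x1a8, (void *)0x1f0 };
    InitializeListHead(&g_head);
    for (int i = 0; i < 3; i++) {
        memset(&g_procs[i], 0, sizeof g_procs[i]);
        g_procs[i].UniqueProcessId = pids[i];
        strncpy(g_procs[i].ImageFileName, names[i], sizeof g_procs[i].ImageFileName - 1);
        InsertTailList(&g_head, &g_procs[i].ActiveProcessLinks);
    }
    return &g_head;
}

static const char *FirstProcessName(LIST_ENTRY *head) {
    return CONTAINING_RECORD(head->Flink, MOCK_EPROCESS, ActiveProcessLinks)->ImageFileName;
}

/* Same list with one Blink deliberately mis-pointed, to show the check fire. */
static LIST_ENTRY *BuildCorruptedSampleList(void) {
    LIST_ENTRY *head = BuildSampleList();
    g_procs[1].ActiveProcessLinks.Blink = head;  /* should be g_procs[0]'s link */
    return head;
}

int main(void) {
    const char *names[8];
    LIST_ENTRY *head = BuildSampleList();
    int n = WalkActiveProcessList(head, names, 8);
    printf("head %p is the sentinel; %d processes follow it\n", (void *)head, n);
    for (int i = 0; i < n; i++) printf("  %s\n", names[i]);
    printf("integrity: %d, after corruption: %d\n",
           CheckListIntegrity(BuildSampleList()),
           CheckListIntegrity(BuildCorruptedSampleList()));
    return 0;
}
```

The same WalkActiveProcessList/CheckListIntegrity pair applies unchanged to HandleTableListHead; only the containing type (_HANDLE_TABLE) and the field (HandleTableList, offset 0x10 in the dt above) differ. Verifying Flink->Blink == self on every hop is also what separates a trustworthy enumeration from one that silently follows a tampered pointer.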