windbg怎么查看_SYSTEM_PROCESS_INFORMATION结构-软件逆向-看雪-安全社区|安全招聘|kanxue.com

windbg怎么查看_SYSTEM_PROCESS_INFORMATION结构

发表于: 2015-7-21 20:50 11331

windbg怎么查看_SYSTEM_PROCESS_INFORMATION结构

zyccrazy

活跃值

2015-7-21 20:50

11331

_SYSTEM_PROCESS_INFORMATION结构地址+0xDC 是其哪个成员
哪位大哥指点下小弟感激
有没有什么工具可以直接显示出结构体各个成员的偏移
struct abc{
+0 int x;
+4 int y;
....
}

[培训]内核驱动高级班，冲击BAT一流互联网大厂工作，每周日13:00-18:00直播授课

收藏・1

免费・0

支持

分享

最新回复 (14)
Morgion 雪币： 608 活跃值： (648) 能力值： ( LV4，RANK：50 ) 在线值：发帖 9 回帖 649 粉丝 5 关注私信	Morgion 1 2 楼在你正确加载了符号的前提下 dt nt!_SYSTEM_PROCESS_INFORMATION 2015-7-21 21:30 0
zyccrazy 雪币： 79 活跃值： (12) 能力值： ( LV2，RANK：10 ) 在线值：发帖 24 回帖 193 粉丝 0 关注私信	zyccrazy 3 楼这个结构是内核结构吗？ 2015-7-21 21:35 0
zyccrazy 雪币： 79 活跃值： (12) 能力值： ( LV2，RANK：10 ) 在线值：发帖 24 回帖 193 粉丝 0 关注私信	zyccrazy 4 楼 NTSTATUS WINAPI ZwQuerySystemInformation( _In_ SYSTEM_INFORMATION_CLASS SystemInformationClass, _Inout_ PVOID SystemInformation, _In_ ULONG SystemInformationLength, _Out_opt_ PULONG ReturnLength ); 其中的一个参数不知道是否可以用windbg来查看这个结构的成员 2015-7-21 21:36 0
lzq李志强雪币： 79 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 14 粉丝 0 关注私信	lzq李志强 5 楼这是个枚举~ 2015-7-21 23:25 0
GeekCheng 雪币： 22 活跃值： (242) 能力值： ( LV7，RANK：110 ) 在线值：发帖 16 回帖 154 粉丝 13 关注私信	GeekCheng 2 6 楼 wrk源代码直接搜 2015-7-22 08:37 0
zyccrazy 雪币： 79 活跃值： (12) 能力值： ( LV2，RANK：10 ) 在线值：发帖 24 回帖 193 粉丝 0 关注私信	zyccrazy 7 楼问题是想看各个成员的偏移 2015-7-22 09:32 0
我是小牛牛雪币： 112 活跃值： (293) 能力值： ( LV2，RANK：10 ) 在线值：发帖 4 回帖 238 粉丝 0 关注私信	我是小牛牛 8 楼 typedef enum _SYSTEM_INFORMATION_CLASS { SystemBasicInformation, SystemProcessorInformation, // obsolete...delete SystemPerformanceInformation, SystemTimeOfDayInformation, SystemPathInformation, SystemProcessInformation, SystemCallCountInformation, SystemDeviceInformation, SystemProcessorPerformanceInformation, SystemFlagsInformation, SystemCallTimeInformation, SystemModuleInformation, SystemLocksInformation, SystemStackTraceInformation, SystemPagedPoolInformation, SystemNonPagedPoolInformation, SystemHandleInformation, SystemObjectInformation, SystemPageFileInformation, SystemVdmInstemulInformation, SystemVdmBopInformation, SystemFileCacheInformation, SystemPoolTagInformation, SystemInterruptInformation, SystemDpcBehaviorInformation, SystemFullMemoryInformation, SystemLoadGdiDriverInformation, SystemUnloadGdiDriverInformation, SystemTimeAdjustmentInformation, SystemSummaryMemoryInformation, SystemMirrorMemoryInformation, SystemPerformanceTraceInformation, SystemObsolete0, SystemExceptionInformation, SystemCrashDumpStateInformation, SystemKernelDebuggerInformation, SystemContextSwitchInformation, SystemRegistryQuotaInformation, SystemExtendServiceTableInformation, SystemPrioritySeperation, SystemVerifierAddDriverInformation, SystemVerifierRemoveDriverInformation, SystemProcessorIdleInformation, SystemLegacyDriverInformation, SystemCurrentTimeZoneInformation, SystemLookasideInformation, SystemTimeSlipNotification, SystemSessionCreate, SystemSessionDetach, SystemSessionInformation, SystemRangeStartInformation, SystemVerifierInformation, SystemVerifierThunkExtend, SystemSessionProcessInformation, SystemLoadGdiDriverInSystemSpace, SystemNumaProcessorMap, SystemPrefetcherInformation, SystemExtendedProcessInformation, SystemRecommendedSharedDataAlignment, SystemComPlusPackage, SystemNumaAvailableMemory, SystemProcessorPowerInformation, SystemEmulationBasicInformation, SystemEmulationProcessorInformation, SystemExtendedHandleInformation, SystemLostDelayedWriteInformation, SystemBigPoolInformation, SystemSessionPoolTagInformation, SystemSessionMappedViewInformation, SystemHotpatchInformation, SystemObjectSecurityMode, SystemWatchdogTimerHandler, SystemWatchdogTimerInformation, SystemLogicalProcessorInformation, SystemWow64SharedInformation, SystemRegisterFirmwareTableInformationHandler, SystemFirmwareTableInformation, SystemModuleInformationEx, SystemVerifierTriageInformation, SystemSuperfetchInformation, SystemMemoryListInformation, SystemFileCacheInformationEx, MaxSystemInfoClass // MaxSystemInfoClass should always be the last enum } SYSTEM_INFORMATION_CLASS; 2015-7-22 09:39 0
zyccrazy 雪币： 79 活跃值： (12) 能力值： ( LV2，RANK：10 ) 在线值：发帖 24 回帖 193 粉丝 0 关注私信	zyccrazy 9 楼感谢楼上几位大哥指点不过好像我问的问题不是很明白主要是想弄清[_SYSTEM_PROCESS_INFORMATION+0xDC]是其结构内部的哪个成员？ 2015-7-22 15:57 0
zyccrazy 雪币： 79 活跃值： (12) 能力值： ( LV2，RANK：10 ) 在线值：发帖 24 回帖 193 粉丝 0 关注私信	zyccrazy 10 楼哪位大哥指点下小弟感激 2015-7-22 18:53 0
GeekCheng 雪币： 22 活跃值： (242) 能力值： ( LV7，RANK：110 ) 在线值：发帖 16 回帖 154 粉丝 13 关注私信	GeekCheng 2 11 楼 typedef struct _SYSTEM_PROCESS_INFORMATION { ULONG NextEntryOffset; ULONG NumberOfThreads; LARGE_INTEGER SpareLi1; LARGE_INTEGER SpareLi2; LARGE_INTEGER SpareLi3; LARGE_INTEGER CreateTime; LARGE_INTEGER UserTime; LARGE_INTEGER KernelTime; UNICODE_STRING ImageName; KPRIORITY BasePriority; HANDLE UniqueProcessId; HANDLE InheritedFromUniqueProcessId; ULONG HandleCount; ULONG SessionId; ULONG_PTR PageDirectoryBase; SIZE_T PeakVirtualSize; SIZE_T VirtualSize; ULONG PageFaultCount; SIZE_T PeakWorkingSetSize; SIZE_T WorkingSetSize; SIZE_T QuotaPeakPagedPoolUsage; SIZE_T QuotaPagedPoolUsage; SIZE_T QuotaPeakNonPagedPoolUsage; SIZE_T QuotaNonPagedPoolUsage; SIZE_T PagefileUsage; SIZE_T PeakPagefileUsage; SIZE_T PrivatePageCount; LARGE_INTEGER ReadOperationCount; LARGE_INTEGER WriteOperationCount; LARGE_INTEGER OtherOperationCount; LARGE_INTEGER ReadTransferCount; LARGE_INTEGER WriteTransferCount; LARGE_INTEGER OtherTransferCount; } SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION; 这个自己加一下吧 2015-7-22 23:58 0
zhykzdlgw 雪币： 6 活跃值： (13) 能力值： ( LV2，RANK：10 ) 在线值：发帖 5 回帖 10 粉丝 0 关注私信	zhykzdlgw 12 楼我觉得0xdc是_SYSTEM_THREAD中的ClientID 2015-9-30 10:26 0
leeqwind 雪币： 190 活跃值： (84) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 48 粉丝 1 关注私信	leeqwind 13 楼 0:011> dt _SYSTEM_PROCESS_INFORMATION uxtheme!_SYSTEM_PROCESS_INFORMATION +0x000 NextEntryOffset : Uint4B +0x004 NumberOfThreads : Uint4B +0x008 WorkingSetPrivateSize : _LARGE_INTEGER +0x010 HardFaultCount : Uint4B +0x014 NumberOfThreadsHighWatermark : Uint4B +0x018 CycleTime : Uint8B +0x020 CreateTime : _LARGE_INTEGER +0x028 UserTime : _LARGE_INTEGER +0x030 KernelTime : _LARGE_INTEGER +0x038 ImageName : _UNICODE_STRING +0x048 BasePriority : Int4B +0x050 UniqueProcessId : Ptr64 Void +0x058 InheritedFromUniqueProcessId : Ptr64 Void +0x060 HandleCount : Uint4B +0x064 SessionId : Uint4B +0x068 UniqueProcessKey : Uint8B +0x070 PeakVirtualSize : Uint8B +0x078 VirtualSize : Uint8B +0x080 PageFaultCount : Uint4B +0x088 PeakWorkingSetSize : Uint8B +0x090 WorkingSetSize : Uint8B +0x098 QuotaPeakPagedPoolUsage : Uint8B +0x0a0 QuotaPagedPoolUsage : Uint8B +0x0a8 QuotaPeakNonPagedPoolUsage : Uint8B +0x0b0 QuotaNonPagedPoolUsage : Uint8B +0x0b8 PagefileUsage : Uint8B +0x0c0 PeakPagefileUsage : Uint8B +0x0c8 PrivatePageCount : Uint8B +0x0d0 ReadOperationCount : _LARGE_INTEGER +0x0d8 WriteOperationCount : _LARGE_INTEGER +0x0e0 OtherOperationCount : _LARGE_INTEGER +0x0e8 ReadTransferCount : _LARGE_INTEGER +0x0f0 WriteTransferCount : _LARGE_INTEGER +0x0f8 OtherTransferCount : _LARGE_INTEGER 2015-10-7 18:04 0
leeqwind 雪币： 190 活跃值： (84) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 48 粉丝 1 关注私信	leeqwind 14 楼 combase!_SYSTEM_PROCESS_INFORMATION +0x000 NextEntryOffset : Uint4B +0x004 NumberOfThreads : Uint4B +0x008 WorkingSetPrivateSize : _LARGE_INTEGER +0x010 HardFaultCount : Uint4B +0x014 NumberOfThreadsHighWatermark : Uint4B +0x018 CycleTime : Uint8B +0x020 CreateTime : _LARGE_INTEGER +0x028 UserTime : _LARGE_INTEGER +0x030 KernelTime : _LARGE_INTEGER +0x038 ImageName : _UNICODE_STRING +0x040 BasePriority : Int4B +0x044 UniqueProcessId : Ptr32 Void +0x048 InheritedFromUniqueProcessId : Ptr32 Void +0x04c HandleCount : Uint4B +0x050 SessionId : Uint4B +0x054 UniqueProcessKey : Uint4B +0x058 PeakVirtualSize : Uint4B +0x05c VirtualSize : Uint4B +0x060 PageFaultCount : Uint4B +0x064 PeakWorkingSetSize : Uint4B +0x068 WorkingSetSize : Uint4B +0x06c QuotaPeakPagedPoolUsage : Uint4B +0x070 QuotaPagedPoolUsage : Uint4B +0x074 QuotaPeakNonPagedPoolUsage : Uint4B +0x078 QuotaNonPagedPoolUsage : Uint4B +0x07c PagefileUsage : Uint4B +0x080 PeakPagefileUsage : Uint4B +0x084 PrivatePageCount : Uint4B +0x088 ReadOperationCount : _LARGE_INTEGER +0x090 WriteOperationCount : _LARGE_INTEGER +0x098 OtherOperationCount : _LARGE_INTEGER +0x0a0 ReadTransferCount : _LARGE_INTEGER +0x0a8 WriteTransferCount : _LARGE_INTEGER +0x0b0 OtherTransferCount : _LARGE_INTEGER 2015-10-7 18:39 0
xiaoniao李雪币： 33 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 5 粉丝 0 关注私信	xiaoniao李 15 楼为什么有的地方定义的 typedef struct _SYSTEM_PROCESS_INFORMATION { ULONG NextEntryOffset; ULONG NumberOfThreads; BYTE Reserved1[48]; UNICODE_STRING ImageName; KPRIORITY BasePriority; HANDLE UniqueProcessId; PVOID Reserved2; ULONG HandleCount; ULONG SessionId; PVOID Reserved3; SIZE_T PeakVirtualSize; SIZE_T VirtualSize; ULONG Reserved4; SIZE_T PeakWorkingSetSize; SIZE_T WorkingSetSize; PVOID Reserved5; SIZE_T QuotaPagedPoolUsage; PVOID Reserved6; SIZE_T QuotaNonPagedPoolUsage; SIZE_T PagefileUsage; SIZE_T PeakPagefileUsage; SIZE_T PrivatePageCount; LARGE_INTEGER Reserved7[6]; } SYSTEM_PROCESS_INFORMATION; 而有些实战中是上述定义的： typedef struct _SYSTEM_PROCESS_INFORMATION { ULONG NextEntryOffset; ULONG NumberOfThreads; LARGE_INTEGER SpareLi1; LARGE_INTEGER SpareLi2; LARGE_INTEGER SpareLi3; LARGE_INTEGER CreateTime; LARGE_INTEGER UserTime; LARGE_INTEGER KernelTime; UNICODE_STRING ImageName; KPRIORITY BasePriority; HANDLE UniqueProcessId; HANDLE InheritedFromUniqueProcessId; ULONG HandleCount; ULONG SessionId; ULONG_PTR PageDirectoryBase; SIZE_T PeakVirtualSize; SIZE_T VirtualSize; ULONG PageFaultCount; SIZE_T PeakWorkingSetSize; SIZE_T WorkingSetSize; SIZE_T QuotaPeakPagedPoolUsage; SIZE_T QuotaPagedPoolUsage; SIZE_T QuotaPeakNonPagedPoolUsage; SIZE_T QuotaNonPagedPoolUsage; SIZE_T PagefileUsage; SIZE_T PeakPagefileUsage; SIZE_T PrivatePageCount; LARGE_INTEGER ReadOperationCount; LARGE_INTEGER WriteOperationCount; LARGE_INTEGER OtherOperationCount; LARGE_INTEGER ReadTransferCount; LARGE_INTEGER WriteTransferCount; LARGE_INTEGER OtherTransferCount; } SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION; 2018-1-27 16:42 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

返回

zyccrazy

发帖

回帖

RANK

他的文章

看雪公众号

专注于PC、移动、智能设备安全研究及逆向工程的开发者社区

//