windbg怎么查看_SYSTEM_PROCESS_INFORMATION结构
发表于: 2015-7-21 20:50 11330

windbg怎么查看_SYSTEM_PROCESS_INFORMATION结构

2015-7-21 20:50
11330
_SYSTEM_PROCESS_INFORMATION结构地址+0xDC 是其哪个成员
哪位大哥指点下小弟 感激
有没有什么工具可以直接显示出结构体各个成员的偏移
struct abc{
+0  int x;
+4  int y;
....
}


最新回复 (14)
2
在你正确加载了符号的前提下，执行 dt nt!_SYSTEM_PROCESS_INFORMATION 即可。
2015-7-21 21:30
0
3
这个结构是内核结构吗?
2015-7-21 21:35
0
4
NTSTATUS WINAPI ZwQuerySystemInformation(
  _In_      SYSTEM_INFORMATION_CLASS SystemInformationClass,
  _Inout_   PVOID                    SystemInformation,
  _In_      ULONG                    SystemInformationLength,
  _Out_opt_ PULONG                   ReturnLength
); 其中的一个参数

不知道是否可以用windbg来查看这个结构的成员
2015-7-21 21:36
0
5
这是个枚举~
2015-7-21 23:25
0
6
wrk源代码直接搜
2015-7-22 08:37
0
7
问题是
想看各个成员的偏移
2015-7-22 09:32
0
8
/*
 * Information classes accepted by the SystemInformationClass parameter of
 * ZwQuerySystemInformation (prototype quoted earlier in this thread).
 *
 * No enumerator carries an explicit value, so each one is its predecessor + 1
 * starting from 0.  The ordering itself is the contract with the kernel:
 * inserting or deleting an entry silently renumbers everything after it.
 * This is the copy posted in the thread; confirm it against the headers of
 * the Windows build you target before depending on the higher values.
 */
typedef enum _SYSTEM_INFORMATION_CLASS {
    SystemBasicInformation,                 // 0
    SystemProcessorInformation,             // 1: obsolete...delete -- but removing it would shift every later value
    SystemPerformanceInformation,
    SystemTimeOfDayInformation,
    SystemPathInformation,
    SystemProcessInformation,               // 5: the class that returns the SYSTEM_PROCESS_INFORMATION entries discussed in this thread
    SystemCallCountInformation,
    SystemDeviceInformation,
    SystemProcessorPerformanceInformation,
    SystemFlagsInformation,
    SystemCallTimeInformation,
    SystemModuleInformation,
    SystemLocksInformation,
    SystemStackTraceInformation,
    SystemPagedPoolInformation,
    SystemNonPagedPoolInformation,
    SystemHandleInformation,
    SystemObjectInformation,
    SystemPageFileInformation,
    SystemVdmInstemulInformation,
    SystemVdmBopInformation,
    SystemFileCacheInformation,
    SystemPoolTagInformation,
    SystemInterruptInformation,
    SystemDpcBehaviorInformation,
    SystemFullMemoryInformation,
    SystemLoadGdiDriverInformation,
    SystemUnloadGdiDriverInformation,
    SystemTimeAdjustmentInformation,
    SystemSummaryMemoryInformation,
    SystemMirrorMemoryInformation,
    SystemPerformanceTraceInformation,
    SystemObsolete0,
    SystemExceptionInformation,
    SystemCrashDumpStateInformation,
    SystemKernelDebuggerInformation,
    SystemContextSwitchInformation,
    SystemRegistryQuotaInformation,
    SystemExtendServiceTableInformation,
    SystemPrioritySeperation,               // identifier spelling preserved as posted
    SystemVerifierAddDriverInformation,
    SystemVerifierRemoveDriverInformation,
    SystemProcessorIdleInformation,
    SystemLegacyDriverInformation,
    SystemCurrentTimeZoneInformation,
    SystemLookasideInformation,
    SystemTimeSlipNotification,
    SystemSessionCreate,
    SystemSessionDetach,
    SystemSessionInformation,
    SystemRangeStartInformation,
    SystemVerifierInformation,
    SystemVerifierThunkExtend,
    SystemSessionProcessInformation,
    SystemLoadGdiDriverInSystemSpace,
    SystemNumaProcessorMap,
    SystemPrefetcherInformation,
    SystemExtendedProcessInformation,
    SystemRecommendedSharedDataAlignment,
    SystemComPlusPackage,
    SystemNumaAvailableMemory,
    SystemProcessorPowerInformation,
    SystemEmulationBasicInformation,
    SystemEmulationProcessorInformation,
    SystemExtendedHandleInformation,
    SystemLostDelayedWriteInformation,
    SystemBigPoolInformation,
    SystemSessionPoolTagInformation,
    SystemSessionMappedViewInformation,
    SystemHotpatchInformation,
    SystemObjectSecurityMode,
    SystemWatchdogTimerHandler,
    SystemWatchdogTimerInformation,
    SystemLogicalProcessorInformation,
    SystemWow64SharedInformation,
    SystemRegisterFirmwareTableInformationHandler,
    SystemFirmwareTableInformation,
    SystemModuleInformationEx,
    SystemVerifierTriageInformation,
    SystemSuperfetchInformation,
    SystemMemoryListInformation,
    SystemFileCacheInformationEx,
    MaxSystemInfoClass  // MaxSystemInfoClass should always be the last enum; it is a count, not a valid class
} SYSTEM_INFORMATION_CLASS;
2015-7-22 09:39
0
9
感谢楼上几位大哥指点。不过好像我的问题表述得不够清楚，主要是想弄清 [_SYSTEM_PROCESS_INFORMATION+0xDC] 是该结构内部的哪个成员？
2015-7-22 15:57
0
10
哪位大哥指点下小弟 感激
2015-7-22 18:53
0
11
/*
 * One process entry in the buffer returned by
 * ZwQuerySystemInformation(SystemProcessInformation).  Entries are chained
 * through NextEntryOffset; per-thread records presumably follow each entry
 * (reply 12 in this thread relies on that, but their layout is not shown here).
 *
 * Member offsets depend on the target architecture: HANDLE, ULONG_PTR and
 * SIZE_T are pointer-sized, and on x64 the 8-byte members are padded to
 * 8-byte alignment (the `dt` dump later in the thread shows PageFaultCount at
 * +0x80 followed by PeakWorkingSetSize at +0x88).  The two dumps therefore
 * put the last member at +0xf8 (x64, total size 0x100) versus +0xb0 (x86,
 * total size 0xb8).
 *
 * That is why the +0xDC asked about in this thread is ambiguous.  On x64 it
 * falls inside WriteOperationCount (+0xd8, a LARGE_INTEGER), i.e. its upper
 * half.  On x86 it lies past the end of this structure, inside the data that
 * follows the entry -- reply 12 attributes it to a thread record's ClientId,
 * which cannot be verified from the material in this thread.  Resolve offsets
 * with `dt <module>!_SYSTEM_PROCESS_INFORMATION` from symbols rather than
 * counting by hand, and never hard-code them across architectures.
 */
typedef struct _SYSTEM_PROCESS_INFORMATION {
    ULONG NextEntryOffset;                  // +0x00: byte distance to the next entry in the same buffer
    ULONG NumberOfThreads;                  // +0x04
    LARGE_INTEGER SpareLi1;                 // +0x08..+0x1f: the debugger dumps name this span
    LARGE_INTEGER SpareLi2;                 //   WorkingSetPrivateSize, HardFaultCount,
    LARGE_INTEGER SpareLi3;                 //   NumberOfThreadsHighWatermark and CycleTime
    LARGE_INTEGER CreateTime;               // +0x20
    LARGE_INTEGER UserTime;                 // +0x28
    LARGE_INTEGER KernelTime;               // +0x30
    UNICODE_STRING ImageName;               // +0x38 (struct size differs between x86 and x64)
    KPRIORITY BasePriority;                 // x86 +0x40 / x64 +0x48
    HANDLE UniqueProcessId;                 // pointer-sized: x86 +0x44 / x64 +0x50
    HANDLE InheritedFromUniqueProcessId;
    ULONG HandleCount;
    ULONG SessionId;
    ULONG_PTR PageDirectoryBase;            // the dumps call this slot UniqueProcessKey
    SIZE_T PeakVirtualSize;
    SIZE_T VirtualSize;
    ULONG PageFaultCount;                   // x64: 4 bytes of alignment padding follow
    SIZE_T PeakWorkingSetSize;
    SIZE_T WorkingSetSize;
    SIZE_T QuotaPeakPagedPoolUsage;
    SIZE_T QuotaPagedPoolUsage;
    SIZE_T QuotaPeakNonPagedPoolUsage;
    SIZE_T QuotaNonPagedPoolUsage;
    SIZE_T PagefileUsage;
    SIZE_T PeakPagefileUsage;
    SIZE_T PrivatePageCount;
    LARGE_INTEGER ReadOperationCount;       // x86 +0x88 / x64 +0xd0
    LARGE_INTEGER WriteOperationCount;      // x86 +0x90 / x64 +0xd8 (so x64 +0xdc is this member's high half)
    LARGE_INTEGER OtherOperationCount;
    LARGE_INTEGER ReadTransferCount;
    LARGE_INTEGER WriteTransferCount;
    LARGE_INTEGER OtherTransferCount;       // x86 +0xb0 / x64 +0xf8: last member
} SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION;

这个自己加一下吧
2015-7-22 23:58
0
12
我觉得0xdc是_SYSTEM_THREAD中的ClientID
2015-9-30 10:26
0
13
0:011> dt _SYSTEM_PROCESS_INFORMATION
uxtheme!_SYSTEM_PROCESS_INFORMATION
   +0x000 NextEntryOffset  : Uint4B
   +0x004 NumberOfThreads  : Uint4B
   +0x008 WorkingSetPrivateSize : _LARGE_INTEGER
   +0x010 HardFaultCount   : Uint4B
   +0x014 NumberOfThreadsHighWatermark : Uint4B
   +0x018 CycleTime        : Uint8B
   +0x020 CreateTime       : _LARGE_INTEGER
   +0x028 UserTime         : _LARGE_INTEGER
   +0x030 KernelTime       : _LARGE_INTEGER
   +0x038 ImageName        : _UNICODE_STRING
   +0x048 BasePriority     : Int4B
   +0x050 UniqueProcessId  : Ptr64 Void
   +0x058 InheritedFromUniqueProcessId : Ptr64 Void
   +0x060 HandleCount      : Uint4B
   +0x064 SessionId        : Uint4B
   +0x068 UniqueProcessKey : Uint8B
   +0x070 PeakVirtualSize  : Uint8B
   +0x078 VirtualSize      : Uint8B
   +0x080 PageFaultCount   : Uint4B
   +0x088 PeakWorkingSetSize : Uint8B
   +0x090 WorkingSetSize   : Uint8B
   +0x098 QuotaPeakPagedPoolUsage : Uint8B
   +0x0a0 QuotaPagedPoolUsage : Uint8B
   +0x0a8 QuotaPeakNonPagedPoolUsage : Uint8B
   +0x0b0 QuotaNonPagedPoolUsage : Uint8B
   +0x0b8 PagefileUsage    : Uint8B
   +0x0c0 PeakPagefileUsage : Uint8B
   +0x0c8 PrivatePageCount : Uint8B
   +0x0d0 ReadOperationCount : _LARGE_INTEGER
   +0x0d8 WriteOperationCount : _LARGE_INTEGER
   +0x0e0 OtherOperationCount : _LARGE_INTEGER
   +0x0e8 ReadTransferCount : _LARGE_INTEGER
   +0x0f0 WriteTransferCount : _LARGE_INTEGER
   +0x0f8 OtherTransferCount : _LARGE_INTEGER
2015-10-7 18:04
0
14
combase!_SYSTEM_PROCESS_INFORMATION
   +0x000 NextEntryOffset  : Uint4B
   +0x004 NumberOfThreads  : Uint4B
   +0x008 WorkingSetPrivateSize : _LARGE_INTEGER
   +0x010 HardFaultCount   : Uint4B
   +0x014 NumberOfThreadsHighWatermark : Uint4B
   +0x018 CycleTime        : Uint8B
   +0x020 CreateTime       : _LARGE_INTEGER
   +0x028 UserTime         : _LARGE_INTEGER
   +0x030 KernelTime       : _LARGE_INTEGER
   +0x038 ImageName        : _UNICODE_STRING
   +0x040 BasePriority     : Int4B
   +0x044 UniqueProcessId  : Ptr32 Void
   +0x048 InheritedFromUniqueProcessId : Ptr32 Void
   +0x04c HandleCount      : Uint4B
   +0x050 SessionId        : Uint4B
   +0x054 UniqueProcessKey : Uint4B
   +0x058 PeakVirtualSize  : Uint4B
   +0x05c VirtualSize      : Uint4B
   +0x060 PageFaultCount   : Uint4B
   +0x064 PeakWorkingSetSize : Uint4B
   +0x068 WorkingSetSize   : Uint4B
   +0x06c QuotaPeakPagedPoolUsage : Uint4B
   +0x070 QuotaPagedPoolUsage : Uint4B
   +0x074 QuotaPeakNonPagedPoolUsage : Uint4B
   +0x078 QuotaNonPagedPoolUsage : Uint4B
   +0x07c PagefileUsage    : Uint4B
   +0x080 PeakPagefileUsage : Uint4B
   +0x084 PrivatePageCount : Uint4B
   +0x088 ReadOperationCount : _LARGE_INTEGER
   +0x090 WriteOperationCount : _LARGE_INTEGER
   +0x098 OtherOperationCount : _LARGE_INTEGER
   +0x0a0 ReadTransferCount : _LARGE_INTEGER
   +0x0a8 WriteTransferCount : _LARGE_INTEGER
   +0x0b0 OtherTransferCount : _LARGE_INTEGER
2015-10-7 18:39
0
15
为什么有的地方是这样定义的：
/*
 * Public-SDK rendering of SYSTEM_PROCESS_INFORMATION.  Compared with the
 * fully named definition quoted right after it, every member Microsoft does
 * not document is replaced by a ReservedN field of the same size (PVOID
 * standing in for the pointer-sized HANDLE / ULONG_PTR / SIZE_T):
 *   Reserved1[48]  = SpareLi1..3 + CreateTime + UserTime + KernelTime (6 x 8 bytes)
 *   Reserved2      = InheritedFromUniqueProcessId
 *   Reserved3      = PageDirectoryBase
 *   Reserved4      = PageFaultCount
 *   Reserved5      = QuotaPeakPagedPoolUsage
 *   Reserved6      = QuotaPeakNonPagedPoolUsage
 *   Reserved7[6]   = the six Read/Write/Other Operation/Transfer counters
 * The named members therefore sit at identical offsets in both definitions;
 * the SDK version only limits what callers are encouraged to depend on.
 */
typedef  struct  _SYSTEM_PROCESS_INFORMATION  {
        ULONG  NextEntryOffset;
        ULONG  NumberOfThreads;
        BYTE  Reserved1[48];                // 0x30 bytes: six 8-byte members of the fuller definition
        UNICODE_STRING  ImageName;
        KPRIORITY  BasePriority;
        HANDLE  UniqueProcessId;
        PVOID  Reserved2;                   // InheritedFromUniqueProcessId
        ULONG  HandleCount;
        ULONG  SessionId;
        PVOID  Reserved3;                   // PageDirectoryBase
        SIZE_T  PeakVirtualSize;
        SIZE_T  VirtualSize;
        ULONG  Reserved4;                   // PageFaultCount
        SIZE_T  PeakWorkingSetSize;
        SIZE_T  WorkingSetSize;
        PVOID  Reserved5;                   // QuotaPeakPagedPoolUsage
        SIZE_T  QuotaPagedPoolUsage;
        PVOID  Reserved6;                   // QuotaPeakNonPagedPoolUsage
        SIZE_T  QuotaNonPagedPoolUsage;
        SIZE_T  PagefileUsage;
        SIZE_T  PeakPagefileUsage;
        SIZE_T  PrivatePageCount;
        LARGE_INTEGER  Reserved7[6];        // I/O operation and transfer counters
}  SYSTEM_PROCESS_INFORMATION;
而有些实战代码中用的却是前面帖子里给出的这种定义：
/*
 * Fully named definition of SYSTEM_PROCESS_INFORMATION (same text as reply 11
 * earlier in this thread).  It is layout-compatible with the SDK version
 * quoted immediately above: each ReservedN there covers exactly the members
 * named here, so this copy adds names, not bytes.  Offsets still differ
 * between x86 and x64 because HANDLE, ULONG_PTR and SIZE_T are pointer-sized;
 * use `dt` against symbols to obtain them for the build you are looking at.
 */
typedef  struct  _SYSTEM_PROCESS_INFORMATION  {
        ULONG  NextEntryOffset;             // byte distance to the next entry in the same buffer
        ULONG  NumberOfThreads;
        LARGE_INTEGER  SpareLi1;            // these three 8-byte slots are named differently
        LARGE_INTEGER  SpareLi2;            //   in the debugger dumps quoted in this thread
        LARGE_INTEGER  SpareLi3;
        LARGE_INTEGER  CreateTime;
        LARGE_INTEGER  UserTime;
        LARGE_INTEGER  KernelTime;
        UNICODE_STRING  ImageName;
        KPRIORITY  BasePriority;
        HANDLE  UniqueProcessId;
        HANDLE  InheritedFromUniqueProcessId;
        ULONG  HandleCount;
        ULONG  SessionId;
        ULONG_PTR  PageDirectoryBase;       // the debugger dumps call this slot UniqueProcessKey
        SIZE_T  PeakVirtualSize;
        SIZE_T  VirtualSize;
        ULONG  PageFaultCount;
        SIZE_T  PeakWorkingSetSize;
        SIZE_T  WorkingSetSize;
        SIZE_T  QuotaPeakPagedPoolUsage;
        SIZE_T  QuotaPagedPoolUsage;
        SIZE_T  QuotaPeakNonPagedPoolUsage;
        SIZE_T  QuotaNonPagedPoolUsage;
        SIZE_T  PagefileUsage;
        SIZE_T  PeakPagefileUsage;
        SIZE_T  PrivatePageCount;
        LARGE_INTEGER  ReadOperationCount;
        LARGE_INTEGER  WriteOperationCount;
        LARGE_INTEGER  OtherOperationCount;
        LARGE_INTEGER  ReadTransferCount;
        LARGE_INTEGER  WriteTransferCount;
        LARGE_INTEGER  OtherTransferCount;
}  SYSTEM_PROCESS_INFORMATION,  *PSYSTEM_PROCESS_INFORMATION;
2018-1-27 16:42
0