NT内核级进程隐藏3-线程调度链表及Hook 内核函数.pdf

NT内核级进程隐藏3-线程调度链表及Hook 内核函数 基于线程调度链表的检测和隐藏技术 1.什么是ETHREAD 和KTHREAD 块 学习各种外挂制作技术，马上去百度搜索 魔鬼作坊 点击第一个站进入、快速 成为做挂达人。 Windows2000是由执行程序线程（ETHREAD）块表示的，ETHREAD 成员都是指向的 系统空间，进程环境块（TEB）除外。ETHREAD 块中的第一个结构体就是内核线程 （KTHREAD）块。在KTHREAD 块中包含了windows2000内核需要访问的信息。这些信 息用于执行线程的调度和同步正在运行的线程。 kd!kthread struct_KTHREAD (sizeof=432) +000struct_DISPATCHER_HEADER Header +010struct_LIST_ENTRYMutantListHead +018void *InitialStack +01c void *StackLimit +020void *Teb +024void *TlsArray +028void *KernelStack +02c byteDebugActive +02dbyte State +02e byteAlerted[2] +030byte Iopl +031byte NpxState +032charSaturation +033charPriority +034struct_KAPC_STATEApcState +034struct_LIST_ENTRYApcListHead[2] +044struct_KPROCESS*Process +04c uint32 ContextSwitches +050int32 WaitStatus +054byte WaitIrql +055charWaitMode +056byte WaitNext +057byte WaitReason +058struct_KWAIT_BLOCK *WaitBlockList +05c struct_LIST_ENTRYWaitListEntry +064uint32 WaitTime +068charBasePriority +069byte DecrementCount +06a charPriorityDecrement +06bcharQuantum +06c struct_KWAIT_BLOCK WaitBlock[4] +0ccvoid *LegoData +0d0uint32 KernelApcDisable +0d4uint32 UserAffinity +0d8byte SystemAffinityActive +0d9byte PowerState +0da byteNpxIrql +0dbbyte Pad[1] +0dc void *ServiceTable +0e0 struct_KQUEUE *Queue +0e4 uint32ApcQueueLock +0e8 struct_KTIMER Timer +110struct_LIST_ENTRYQueueListEntry +118uint32Affinity +11cbyte Preempted +11dbyteProcessReadyQueue +11ebyte KernelStackResident +11fbyteNextProcessor +120void *CallbackStack +124void *Win32Thread +128struct_KTRAP_FRAME *TrapFrame +12c struct_KAPC_STATE*ApcStatePointer[2] +134charPreviousMode +135byte EnableStackSwap +136byte LargeStack +137byte ResourceIndex +138uint32 KernelTime +13c uint32 UserTime +140struct_KAPC_STATESavedApcState +158byteAlertable +159byteApcStateIndex +15a byteApcQueueable +15bbyteAutoAlignment +15c void *StackBase +160struct_KAPC SuspendApc +190struct_KSEMAPHORESuspendSem