windows内核原理及实现-----进程线程管理------3.3节中 windows中进程线程的数据结构


3.3节中 windows中进程线程的数据结构

内核层进程对象:KPROCESS

//
// KPROCESS - kernel-layer (dispatcher) process object. The executive
// process object below (EPROCESS) embeds one of these as its first
// member, Pcb. The member order is ABI: fields are grouped by how often
// the kernel touches them (context switch, clock interrupt, infrequent)
// and must not be reordered. Note that the #defines inside the body are
// preprocessor-scoped, not struct-scoped: they stay visible after the
// closing brace.
//
typedef struct _KPROCESS {

//
// The dispatch header and profile listhead are fairly infrequently
// referenced.
//

// Dispatcher header: lets the process be waited on like any other
// dispatcher object.
DISPATCHER_HEADER Header;
LIST_ENTRY ProfileListHead;

//
// The following fields are referenced during context switches.
//

// Two page-directory bases: one is the process's own page directory,
// the other the hyperspace page directory (see the notes that follow
// the struct). Which index holds which is not stated in this listing;
// the context-switch code is the authority.
ULONG_PTR DirectoryTableBase[2];

#if defined(_X86_)

// x86 only: LDT descriptor, the int 21h descriptor, and the I/O
// permission map offset / I/O privilege level. Presumably these are
// loaded into the TSS at context switch; IopmOffset/Iopl decide
// whether user mode may touch I/O ports, so they are privilege-relevant.
KGDTENTRY LdtDescriptor;
KIDTENTRY Int21Descriptor;
USHORT IopmOffset;
UCHAR Iopl;
BOOLEAN Unused;

#endif

#if defined(_AMD64_)

USHORT IopmOffset;

#endif

// Mask of processors currently running threads of this process.
volatile KAFFINITY ActiveProcessors;

//
// The following fields are referenced during clock interrupts.
//

// Accumulated kernel- and user-mode time, charged from the clock
// interrupt.
ULONG KernelTime;
ULONG UserTime;

//
// The following fields are referenced infrequently.
//

LIST_ENTRY ReadyListHead;
SINGLE_LIST_ENTRY SwapListEntry;

#if defined(_X86_)

PVOID VdmTrapcHandler;

#else

PVOID Reserved1;

#endif

// Head of the list of all threads belonging to this process (linked via
// KTHREAD.ThreadListEntry). A thread is added at creation and removed
// at deletion, per the notes below.
LIST_ENTRY ThreadListHead;
// Spin lock protecting the data members of this process.
KSPIN_LOCK ProcessLock;
// Processor affinity mask for the process.
KAFFINITY Affinity;

//
// N.B. The following bit number definitions must match the following
// bit field.
//
// N.B. These bits can only be written with interlocked operations.
//

#define KPROCESS_AUTO_ALIGNMENT_BIT 0
#define KPROCESS_DISABLE_BOOST_BIT 1
#define KPROCESS_DISABLE_QUANTUM_BIT 2

// The union lets the three flag bits be read by name but written as a
// whole through ProcessFlags with the interlocked bit operations that
// the N.B. above requires. AutoAlignment = memory-access alignment
// handling, DisableBoost = thread priority boosting, DisableQuantum =
// quantum (time-slice) assignment, per the notes below.
union {
struct {
LONG AutoAlignment : 1;
LONG DisableBoost : 1;
LONG DisableQuantum : 1;
LONG ReservedFlags : 29;
};
LONG ProcessFlags;
};

SCHAR BasePriority;
SCHAR QuantumReset;
UCHAR State;
UCHAR ThreadSeed;
UCHAR PowerState;
UCHAR IdealNode;
BOOLEAN Visited;
// Per-process memory execute options, introduced for NX support (see
// the notes below). ExecuteOptions is the raw byte view of Flags.
// These bits govern the process's NX/DEP behaviour, so unexpected
// changes to them are integrity-relevant.
union {
KEXECUTE_OPTIONS Flags;
UCHAR ExecuteOptions;
};

#if !defined(_X86_) && !defined(_AMD64_)

PALIGNMENT_EXCEPTION_TABLE AlignmentExceptionTable;

#endif

ULONG_PTR StackCount;
// Links this KPROCESS into a process list (which list is not shown in
// this listing; EPROCESS.ActiveProcessLinks is the executive-level list).
LIST_ENTRY ProcessListEntry;
} KPROCESS, *PKPROCESS, *PRKPROCESS;

个人觉得重要的字段:

DirectoryTableBase: 有2个元素的数组,一个指向该进程页目录表地址,另一个指向进程超空间页目录表地址

ThreadListHead: 指向一个链表头,此链表包含了进程所有的当前线程. 当线程被创建时将加入该链表,删除时将移除之

ProcessLock: 是个自旋锁对象, 保护此进程中的数据成员

ProcessFlags: 包括了进程的几个标志位: AutoAlignment、DisableBoost、DisableQuantum, 分别对应内存访问对齐设置、线程优先级提升和时限分配

ExecuteOptions: 用于设置一个进程的内存执行选项,为了支持NX机制而从windows 2003 开始引入的

内核线程对象_KTHREAD

//
// KTHREAD - kernel-layer (dispatcher) thread object; ETHREAD embeds it
// as its first member, Tcb. Several unions below overlay small scalar
// fields onto bytes inside an embedded object (ApcState, Timer,
// WaitBlock, SavedApcState, SuspendApc, SuspendSemaphore) using *Fill
// arrays sized by the *_ACTUAL_LENGTH / *_OFFSET_TO_* constants. Those
// overlays are ABI: the constants must track the embedded types exactly,
// and nothing here may be reordered.
//
typedef struct _KTHREAD {

//
// The dispatcher header and mutant listhead are fairly infrequently
// referenced.
//

DISPATCHER_HEADER Header;
LIST_ENTRY MutantListHead;

//
// The following fields are referenced during context switches and wait
// operatings. They have been carefully laid out to get the best cache
// hit ratios.
//

// Kernel stack bookkeeping. Per the notes below: InitialStack is the
// original stack position, StackLimit the stack's limit address, and
// KernelStack where the kernel call stack begins; StackBase (further
// down) is the current stack base.
PVOID InitialStack;
PVOID StackLimit;
PVOID KernelStack;

// Spin lock for this thread's dispatcher state.
KSPIN_LOCK ThreadLock;
// ApcState is the thread's current APC state; the anonymous struct
// overlays ApcQueueable/NextProcessor/DeferredProcessor/AdjustReason/
// AdjustIncrement onto the bytes that follow KAPC_STATE_ACTUAL_LENGTH.
union {
KAPC_STATE ApcState;
struct {
UCHAR ApcStateFill[KAPC_STATE_ACTUAL_LENGTH];
BOOLEAN ApcQueueable;
volatile UCHAR NextProcessor;
volatile UCHAR DeferredProcessor;
UCHAR AdjustReason;
SCHAR AdjustIncrement;
};
};

KSPIN_LOCK ApcQueueLock;

#if !defined(_AMD64_)

// On non-AMD64 these live here; on AMD64 the same fields are overlaid
// into the WaitBlock array below (see the _AMD64_ block there).
ULONG ContextSwitches;
volatile UCHAR State;
UCHAR NpxState;
KIRQL WaitIrql;
KPROCESSOR_MODE WaitMode;

#endif

LONG_PTR WaitStatus;
union {
PKWAIT_BLOCK WaitBlockList;
PKGATE GateObject;
};

BOOLEAN Alertable;
BOOLEAN WaitNext;
UCHAR WaitReason;
SCHAR Priority;
UCHAR EnableStackSwap;
volatile UCHAR SwapBusy;
// One "alerted" flag per processor mode (MaximumMode entries).
BOOLEAN Alerted[MaximumMode];
union {
LIST_ENTRY WaitListEntry;
SINGLE_LIST_ENTRY SwapListEntry;
};

PRKQUEUE Queue;

#if !defined(_AMD64_)

ULONG WaitTime;
union {
struct {
SHORT KernelApcDisable;
SHORT SpecialApcDisable;
};

ULONG CombinedApcDisable;
};

#endif

// Pointer to this thread's TEB in the owning process's address space
// (per the notes below).
PVOID Teb;
// Timer attached to the thread; used when the thread waits with a
// timeout, e.g. via WaitForSingleObject (per the notes below). The
// anonymous struct overlays ThreadFlags onto the bytes after
// KTIMER_ACTUAL_LENGTH.
union {
KTIMER Timer;
struct {
UCHAR TimerFill[KTIMER_ACTUAL_LENGTH];

//
// N.B. The following bit number definitions must match the
// following bit field.
//
// N.B. These bits can only be written with interlocked
// operations.
//
#define KTHREAD_AUTO_ALIGNMENT_BIT 0
#define KTHREAD_DISABLE_BOOST_BIT 1
union {
struct {
LONG AutoAlignment : 1;
LONG DisableBoost : 1;
LONG ReservedFlags : 30;
};
LONG ThreadFlags;
};
};
};

// Built-in wait blocks (THREAD_WAIT_OBJECTS + 1 of them). Each
// WaitBlockFillN array is a byte offset into that array, so the scalar
// that follows it is overlaid onto a specific byte/long inside the
// wait blocks.
union {
KWAIT_BLOCK WaitBlock[THREAD_WAIT_OBJECTS + 1];
struct {
UCHAR WaitBlockFill0[KWAIT_BLOCK_OFFSET_TO_BYTE0];
BOOLEAN SystemAffinityActive;
};

struct {
UCHAR WaitBlockFill1[KWAIT_BLOCK_OFFSET_TO_BYTE1];
// Processor mode the current system service was called from
// (KernelMode or UserMode). The kernel decides whether to probe
// caller-supplied pointers based on this value, so it is
// security-critical; confirm the exact use against the service
// dispatcher.
CCHAR PreviousMode;
};

struct {
UCHAR WaitBlockFill2[KWAIT_BLOCK_OFFSET_TO_BYTE2];
UCHAR ResourceIndex;
};

struct {
UCHAR WaitBlockFill3[KWAIT_BLOCK_OFFSET_TO_BYTE3];
UCHAR LargeStack;
};

#if defined(_AMD64_)

struct {
UCHAR WaitBlockFill4[KWAIT_BLOCK_OFFSET_TO_LONG0];
ULONG ContextSwitches;
};

struct {
UCHAR WaitBlockFill5[KWAIT_BLOCK_OFFSET_TO_LONG1];
volatile UCHAR State;
UCHAR NpxState;
KIRQL WaitIrql;
KPROCESSOR_MODE WaitMode;
};

struct {
UCHAR WaitBlockFill6[KWAIT_BLOCK_OFFSET_TO_LONG2];
ULONG WaitTime;
};

struct {
UCHAR WaitBlockFill7[KWAIT_BLOCK_OFFSET_TO_LONG3];
union {
struct {
SHORT KernelApcDisable;
SHORT SpecialApcDisable;
};
ULONG CombinedApcDisable;
};
};

#endif

};

LIST_ENTRY QueueListEntry;

//
// The following fields are accessed during system service dispatch.
//

// Trap frame saved on entry to the kernel for the current trap/service.
PKTRAP_FRAME TrapFrame;
// Address of the thread's callback stack (per the notes below).
PVOID CallbackStack;
// System service table this thread dispatches through: normally
// KeServiceDescriptorTable, or KeServiceDescriptorTableShadow for GUI
// threads (per the notes below). Because it selects the table consulted
// on every system call, integrity tooling should expect it to point at
// one of those two tables only.
PVOID ServiceTable;

#if defined(_AMD64_)

ULONG KernelLimit;

#endif

//
// The following fields are referenced during ready thread and wait
// completion.
//

// Selects which of ApcStatePointer[2] is current; presumably 0 while the
// thread runs in its own process and 1 while attached elsewhere -
// confirm against the attach/detach code.
UCHAR ApcStateIndex;
UCHAR IdealProcessor;
BOOLEAN Preempted;
BOOLEAN ProcessReadyQueue;

#if defined(_AMD64_)

PVOID Win32kTable;
ULONG Win32kLimit;

#endif

BOOLEAN KernelStackResident;
SCHAR BasePriority;
SCHAR PriorityDecrement;
CHAR Saturation;
KAFFINITY UserAffinity;
// Owning KPROCESS. ETHREAD.ThreadsProcess holds the EPROCESS view of
// the same process.
PKPROCESS Process;
KAFFINITY Affinity;

//
// The below fields are infrequently referenced.
//

// [0]/[1] point at ApcState and SavedApcState; SavedApcState is the
// state parked while the thread is attached to another process (see
// ApcStateIndex above). The anonymous struct overlays the suspend/
// freeze counters onto the bytes after KAPC_STATE_ACTUAL_LENGTH.
PKAPC_STATE ApcStatePointer[2];
union {
KAPC_STATE SavedApcState;
struct {
UCHAR SavedApcStateFill[KAPC_STATE_ACTUAL_LENGTH];
CCHAR FreezeCount;
CCHAR SuspendCount;
UCHAR UserIdealProcessor;
UCHAR CalloutActive;

#if defined(_AMD64_)

BOOLEAN CodePatchInProgress;

#elif defined(_X86_)

UCHAR Iopl;

#else

UCHAR OtherPlatformFill;

#endif

};
};

PVOID Win32Thread;
// Current stack base (see the stack fields at the top of the struct).
PVOID StackBase;
// Suspend APC with scheduling and accounting fields overlaid onto its
// spare bytes (the KAPC_OFFSET_TO_SPARE_* constants name them as spare).
union {
KAPC SuspendApc;
struct {
UCHAR SuspendApcFill0[KAPC_OFFSET_TO_SPARE_BYTE0];
SCHAR Quantum;
};

struct {
UCHAR SuspendApcFill1[KAPC_OFFSET_TO_SPARE_BYTE1];
UCHAR QuantumReset;
};

struct {
UCHAR SuspendApcFill2[KAPC_OFFSET_TO_SPARE_LONG];
ULONG KernelTime;
};

struct {
UCHAR SuspendApcFill3[KAPC_OFFSET_TO_SYSTEMARGUMENT1];
PVOID TlsArray;
};

struct {
UCHAR SuspendApcFill4[KAPC_OFFSET_TO_SYSTEMARGUMENT2];
PVOID BBTData;
};

struct {
UCHAR SuspendApcFill5[KAPC_ACTUAL_LENGTH];
UCHAR PowerState;
ULONG UserTime;
};
};

union {
KSEMAPHORE SuspendSemaphore;
struct {
UCHAR SuspendSemaphorefill[KSEMAPHORE_ACTUAL_LENGTH];
ULONG SListFaultCount;
};
};

// Links this thread into KPROCESS.ThreadListHead of its owning process.
LIST_ENTRY ThreadListEntry;
PVOID SListFaultAddress;

#if defined(_WIN64)

// 64-bit I/O accounting counters (EPROCESS keeps the per-process
// equivalents as LARGE_INTEGERs).
LONG64 ReadOperationCount;
LONG64 WriteOperationCount;
LONG64 OtherOperationCount;
LONG64 ReadTransferCount;
LONG64 WriteTransferCount;
LONG64 OtherTransferCount;

#endif

} KTHREAD, *PKTHREAD, *PRKTHREAD;

个人觉得重要字段:

InitialStack,StackLimit,KernelStack,StackBase 分别是:原始栈位置, 栈的地址, 内核调用栈开始位置, 当前栈基位置

Teb: 指向进程地址空间中的TEB结构

Timer: 附在线程上的定时器,当使用了等待函数(如WaitForSingleObject)时会用到

CallbackStack: 包含了线程回调栈地址

ServiceTable: 该线程使用的系统服务表(KeServiceDescriptorTable),如果是GUI程序指向KeServiceDescriptorTableShadow

执行体层

EPROCESS

//
// EPROCESS - executive-layer process object. Wraps the kernel-layer
// KPROCESS (Pcb, which must stay the first member so the two pointer
// types are interchangeable) and adds everything the executive tracks:
// identity, handle table, token, address space, accounting, flags.
// Several fields are security-relevant for forensics and integrity
// checking; those are called out inline. The #defines inside the body
// are preprocessor-scoped and remain visible after the struct ends.
//
typedef struct _EPROCESS {
// Embedded kernel process object; must remain at offset 0.
KPROCESS Pcb;

//
// Lock used to protect:
// The list of threads in the process.
// Process token.
// Win32 process field.
// Process and thread affinity setting.
//

EX_PUSH_LOCK ProcessLock;

LARGE_INTEGER CreateTime;
LARGE_INTEGER ExitTime;

//
// Structure to allow lock free cross process access to the process
// handle table, process section and address space. Acquire rundown
// protection with this if you do cross process handle table, process
// section or address space references.
//

EX_RUNDOWN_REF RundownProtect;

// Process ID (PID), stored as a HANDLE-typed value (per the notes
// below, the process's unique number).
HANDLE UniqueProcessId;

//
// Global list of all processes in the system. Processes are removed
// from this list in the object deletion routine. References to
// processes in this list must be done with ObReferenceObjectSafe
// because of this.
//

// Doubly-linked node in the system-wide active process list (per the
// notes below). Because process enumeration walks this list, forensic
// and integrity tooling cross-checks it against other process
// bookkeeping (e.g. the handle table / thread lists) to spot entries
// that have been unlinked.
LIST_ENTRY ActiveProcessLinks;

//
// Quota Fields.
//

SIZE_T QuotaUsage[PsQuotaTypes];
SIZE_T QuotaPeak[PsQuotaTypes];
SIZE_T CommitCharge;

//
// VmCounters.
//

SIZE_T PeakVirtualSize;
SIZE_T VirtualSize;

LIST_ENTRY SessionProcessLinks;

// Debug port and exception port of the process (per the notes below);
// a non-NULL DebugPort is the executive's view of "a debugger is
// attached" for this process.
PVOID DebugPort;
PVOID ExceptionPort;
// Process handle table: references to every object the process has
// opened (per the notes below). Cross-process access requires
// RundownProtect, see above.
PHANDLE_TABLE ObjectTable;

//
// Security.
//

// Fast reference to the process's primary access token. Protected by
// ProcessLock (see the lock comment at the top). Access checks for the
// process derive from this object, so its integrity matters to
// detection and forensics work.
EX_FAST_REF Token;

PFN_NUMBER WorkingSetPage;
KGUARDED_MUTEX AddressCreationLock;
KSPIN_LOCK HyperSpaceLock;

struct _ETHREAD *ForkInProgress;
ULONG_PTR HardwareTrigger;

PMM_AVL_TABLE PhysicalVadRoot;
PVOID CloneRoot;
PFN_NUMBER NumberOfPrivatePages;
PFN_NUMBER NumberOfLockedPages;
// Win32k per-process data; protected by ProcessLock (see above).
PVOID Win32Process;
// Job this process belongs to, if any.
struct _EJOB *Job;
// Section object backing the process image; SectionBaseAddress is the
// base address at which it is mapped (per the notes below).
PVOID SectionObject;

PVOID SectionBaseAddress;

PEPROCESS_QUOTA_BLOCK QuotaBlock;

PPAGEFAULT_HISTORY WorkingSetWatch;
HANDLE Win32WindowStation;
// PID of the creating (parent) process, as a HANDLE-typed value.
HANDLE InheritedFromUniqueProcessId;

PVOID LdtInformation;
PVOID VadFreeHint;
PVOID VdmObjects;
PVOID DeviceMap;

PVOID Spare0[3];
union {
HARDWARE_PTE PageDirectoryPte;
ULONGLONG Filler;
};
PVOID Session;
// Image file name (per the notes below). Only 16 bytes, so long names
// are truncated here; whether it is always NUL-terminated is not shown
// in this listing. For auditing, SeAuditProcessCreationInfo further
// down carries the full image path.
UCHAR ImageFileName[ 16 ];

LIST_ENTRY JobLinks;
PVOID LockedPagesList;

// Head of the executive-level list of this process's threads (linked
// via ETHREAD.ThreadListEntry); protected by ProcessLock (see above).
LIST_ENTRY ThreadListHead;

//
// Used by rdr/security for authentication.
//

PVOID SecurityPort;

#ifdef _WIN64
PWOW64_PROCESS Wow64Process;
#else
PVOID PaeTop;
#endif

ULONG ActiveThreads;

// Access rights granted to the process on itself.
ACCESS_MASK GrantedAccess;

ULONG DefaultHardErrorProcessing;

NTSTATUS LastThreadExitStatus;

//
// Peb
//

// Process Environment Block in the process's user address space (per
// the notes below).
PPEB Peb;

//
// Pointer to the prefetches trace block.
//
EX_FAST_REF PrefetchTrace;

// Per-process I/O accounting.
LARGE_INTEGER ReadOperationCount;
LARGE_INTEGER WriteOperationCount;
LARGE_INTEGER OtherOperationCount;
LARGE_INTEGER ReadTransferCount;
LARGE_INTEGER WriteTransferCount;
LARGE_INTEGER OtherTransferCount;

SIZE_T CommitChargeLimit;
SIZE_T CommitChargePeak;

PVOID AweInfo;

//
// This is used for SeAuditProcessCreation.
// It contains the full path to the image file.
//

SE_AUDIT_PROCESS_CREATION_INFO SeAuditProcessCreationInfo;

MMSUPPORT Vm;

#if !defined(_WIN64)
LIST_ENTRY MmProcessLinks;
#else
ULONG Spares[2];
#endif

ULONG ModifiedPageCount;

// Bit definitions for JobStatus below.
#define PS_JOB_STATUS_NOT_REALLY_ACTIVE 0x00000001UL
#define PS_JOB_STATUS_ACCOUNTING_FOLDED 0x00000002UL
#define PS_JOB_STATUS_NEW_PROCESS_REPORTED 0x00000004UL
#define PS_JOB_STATUS_EXIT_PROCESS_REPORTED 0x00000008UL
#define PS_JOB_STATUS_REPORT_COMMIT_CHANGES 0x00000010UL
#define PS_JOB_STATUS_LAST_REPORT_MEMORY 0x00000020UL
#define PS_JOB_STATUS_REPORT_PHYSICAL_PAGE_CHANGES 0x00000040UL

ULONG JobStatus;

//
// Process flags. Use interlocked operations with PS_SET_BITS, etc
// to modify these.
//

// Each PS_PROCESS_FLAGS_* value is the mask of the same-named bit in
// the bit-field struct below; the two must be kept in sync by hand.
#define PS_PROCESS_FLAGS_CREATE_REPORTED 0x00000001UL // Create process debug call has occurred
#define PS_PROCESS_FLAGS_NO_DEBUG_INHERIT 0x00000002UL // Don't inherit debug port
#define PS_PROCESS_FLAGS_PROCESS_EXITING 0x00000004UL // PspExitProcess entered
#define PS_PROCESS_FLAGS_PROCESS_DELETE 0x00000008UL // Delete process has been issued
#define PS_PROCESS_FLAGS_WOW64_SPLIT_PAGES 0x00000010UL // Wow64 split pages
#define PS_PROCESS_FLAGS_VM_DELETED 0x00000020UL // VM is deleted
#define PS_PROCESS_FLAGS_OUTSWAP_ENABLED 0x00000040UL // Outswap enabled
#define PS_PROCESS_FLAGS_OUTSWAPPED 0x00000080UL // Outswapped
#define PS_PROCESS_FLAGS_FORK_FAILED 0x00000100UL // Fork status
#define PS_PROCESS_FLAGS_WOW64_4GB_VA_SPACE 0x00000200UL // Wow64 process with 4gb virtual address space
#define PS_PROCESS_FLAGS_ADDRESS_SPACE1 0x00000400UL // Addr space state1
#define PS_PROCESS_FLAGS_ADDRESS_SPACE2 0x00000800UL // Addr space state2
#define PS_PROCESS_FLAGS_SET_TIMER_RESOLUTION 0x00001000UL // SetTimerResolution has been called
#define PS_PROCESS_FLAGS_BREAK_ON_TERMINATION 0x00002000UL // Break on process termination
#define PS_PROCESS_FLAGS_CREATING_SESSION 0x00004000UL // Process is creating a session
#define PS_PROCESS_FLAGS_USING_WRITE_WATCH 0x00008000UL // Process is using the write watch APIs
#define PS_PROCESS_FLAGS_IN_SESSION 0x00010000UL // Process is in a session
#define PS_PROCESS_FLAGS_OVERRIDE_ADDRESS_SPACE 0x00020000UL // Process must use native address space (Win64 only)
#define PS_PROCESS_FLAGS_HAS_ADDRESS_SPACE 0x00040000UL // This process has an address space
#define PS_PROCESS_FLAGS_LAUNCH_PREFETCHED 0x00080000UL // Process launch was prefetched
#define PS_PROCESS_INJECT_INPAGE_ERRORS 0x00100000UL // Process should be given inpage errors - hardcoded in trap.asm too
#define PS_PROCESS_FLAGS_VM_TOP_DOWN 0x00200000UL // Process memory allocations default to top-down
#define PS_PROCESS_FLAGS_IMAGE_NOTIFY_DONE 0x00400000UL // We have sent a message for this image
#define PS_PROCESS_FLAGS_PDE_UPDATE_NEEDED 0x00800000UL // The system PDEs need updating for this process (NT32 only)
#define PS_PROCESS_FLAGS_VDM_ALLOWED 0x01000000UL // Process allowed to invoke NTVDM support
#define PS_PROCESS_FLAGS_SMAP_ALLOWED 0x02000000UL // Process allowed to invoke SMAP support
#define PS_PROCESS_FLAGS_CREATE_FAILED 0x04000000UL // Process create failed

// 3-bit field (bits 27..29); extract with PS_PROCESS_FLAGS_PRIORITY_SHIFT.
#define PS_PROCESS_FLAGS_DEFAULT_IO_PRIORITY 0x38000000UL // The default I/O priority for created threads. (3 bits)

#define PS_PROCESS_FLAGS_PRIORITY_SHIFT 27
#define PS_PROCESS_FLAGS_EXECUTE_SPARE1 0x40000000UL //
#define PS_PROCESS_FLAGS_EXECUTE_SPARE2 0x80000000UL //

union {

ULONG Flags;

//
// Fields can only be set by the PS_SET_BITS and other interlocked
// macros. Reading fields is best done via the bit definitions so
// references are easy to locate.
//

struct {
ULONG CreateReported : 1;
ULONG NoDebugInherit : 1;
ULONG ProcessExiting : 1;
ULONG ProcessDelete : 1;
ULONG Wow64SplitPages : 1;
ULONG VmDeleted : 1;
ULONG OutswapEnabled : 1;
ULONG Outswapped : 1;
ULONG ForkFailed : 1;
ULONG Wow64VaSpace4Gb : 1;
// 2 bits: covers PS_PROCESS_FLAGS_ADDRESS_SPACE1 and _SPACE2.
ULONG AddressSpaceInitialized : 2;
ULONG SetTimerResolution : 1;
ULONG BreakOnTermination : 1;
ULONG SessionCreationUnderway : 1;
ULONG WriteWatch : 1;
ULONG ProcessInSession : 1;
ULONG OverrideAddressSpace : 1;
ULONG HasAddressSpace : 1;
ULONG LaunchPrefetched : 1;
ULONG InjectInpageErrors : 1;
ULONG VmTopDown : 1;
ULONG ImageNotifyDone : 1;
ULONG PdeUpdateNeeded : 1; // NT32 only
ULONG VdmAllowed : 1;
ULONG SmapAllowed : 1;
ULONG CreateFailed : 1;
ULONG DefaultIoPriority : 3;
ULONG Spare1 : 1;
ULONG Spare2 : 1;
};
};

NTSTATUS ExitStatus;

USHORT NextPageColor;
union {
struct {
UCHAR SubSystemMinorVersion;
UCHAR SubSystemMajorVersion;
};
USHORT SubSystemVersion;
};
UCHAR PriorityClass;

// Root of the process's Virtual Address Descriptor (VAD) tree.
MM_AVL_TABLE VadRoot;

ULONG Cookie;

} EPROCESS, *PEPROCESS;

重要字段:

UniqueProcessId: 进程唯一编号

ActiveProcessLinks: 双链表节点,所有活动进程连接成一个双链表

DebugPort 和ExceptionPort,分别指向调试端口和异常端口

ObjectTable: 进程句柄表,包含了所有已被该进程打开的那些对象的引用

SectionObject: 代表进程内存区对象基地址

ImageFileName:进程映像文件名

ThreadListHead: 双链表头结点,包含了一个进程所有线程

Peb: 进程环境块

_ETHREAD :

//
// ETHREAD - executive-layer thread object. Wraps the kernel-layer
// KTHREAD (Tcb, which must stay the first member so the two pointer
// types are interchangeable) and adds identity (Cid), I/O, LPC,
// impersonation and flag state. Several unions below reuse the same
// storage for mutually exclusive purposes (e.g. ExitTime vs. the
// LPC/keyed-wait chains), so a field is only meaningful in the state
// that owns it. The #defines inside the body are preprocessor-scoped.
//
typedef struct _ETHREAD {
// Embedded kernel thread object; must remain at offset 0.
KTHREAD Tcb;

LARGE_INTEGER CreateTime;

// Storage shared between the exit time (valid once the thread has
// exited) and the LPC / keyed-wait list links (valid while waiting).
union {
LARGE_INTEGER ExitTime;
LIST_ENTRY LpcReplyChain;
LIST_ENTRY KeyedWaitChain;
};
union {
NTSTATUS ExitStatus;
PVOID OfsChain;
};

//
// Registry
//

LIST_ENTRY PostBlockList;

//
// Single linked list of termination blocks
//

union {
//
// List of termination ports
//

PTERMINATION_PORT TerminationPort;

//
// List of threads to be reaped. Only used at thread exit
//

struct _ETHREAD *ReaperLink;

//
// Keyvalue being waited for
//
PVOID KeyedWaitValue;

};

KSPIN_LOCK ActiveTimerListLock;
LIST_ENTRY ActiveTimerListHead;

// Client ID: UniqueProcess is the owning process's UniqueProcessId and
// UniqueThread is this thread's handle in the owning process's handle
// table (per the notes below).
CLIENT_ID Cid;

//
// Lpc
//

union {
KSEMAPHORE LpcReplySemaphore;
KSEMAPHORE KeyedWaitSemaphore;
};

union {
PVOID LpcReplyMessage; // -> Message that contains the reply
PVOID LpcWaitingOnPort;
};

//
// Security
//
//
// Client - If non null, indicates the thread is impersonating
// a client.
//

// Impersonation state. While non-NULL, access checks for this thread
// use the impersonation token rather than the process token, so this
// pointer (and the ActiveImpersonationInfo bit below) are what
// detection logic looks at to attribute a thread's actions. Protected
// by ThreadLock (see below).
PPS_IMPERSONATION_INFORMATION ImpersonationInfo;

//
// Io
//

// Head of the list of IRPs issued by this thread that are still in
// progress (per the notes below).
LIST_ENTRY IrpList;

//
// File Systems
//

ULONG_PTR TopLevelIrp; // either NULL, an Irp or a flag defined in FsRtl.h
struct _DEVICE_OBJECT *DeviceToVerify;

// Owning process; assigned at thread initialization (per the notes
// below). The KTHREAD view of the same process is Tcb.Process.
PEPROCESS ThreadsProcess;
// StartAddress is the start address recorded when the thread is
// created; Win32StartAddress is the Win32-level start address and
// shares storage with LpcReceivedMessageId. The notes below describe
// one as the real start routine and one as the system-DLL start stub
// but label both "StartAddress" - confirm which is which against the
// thread-creation code.
PVOID StartAddress;
union {
PVOID Win32StartAddress;
ULONG LpcReceivedMessageId;
};
//
// Ps
//

// Links this thread into EPROCESS.ThreadListHead of its owning process.
LIST_ENTRY ThreadListEntry;

//
// Rundown protection structure. Acquire this to do cross thread
// TEB, TEB32 or stack references.
//

EX_RUNDOWN_REF RundownProtect;

//
// Lock to protect thread impersonation information
//
EX_PUSH_LOCK ThreadLock;

ULONG LpcReplyMessageId; // MessageId this thread is waiting for reply to

ULONG ReadClusterSize;

//
// Client/server
//

// Access rights granted to the thread on itself.
ACCESS_MASK GrantedAccess;

//
// Flags for cross thread access. Use interlocked operations
// via PS_SET_BITS etc.
//

// Each PS_CROSS_THREAD_FLAGS_* value is the mask of the same-named bit
// in the CrossThreadFlags bit-field struct below.

//
// Used to signify that the delete APC has been queued or the
// thread has called PspExitThread itself.
//

#define PS_CROSS_THREAD_FLAGS_TERMINATED 0x00000001UL

//
// Thread create failed
//

#define PS_CROSS_THREAD_FLAGS_DEADTHREAD 0x00000002UL

//
// Debugger isn't shown this thread
//

// A thread with this bit set is omitted from what the debugger sees;
// from a defender's view it is worth surfacing in thread enumerations
// rather than hiding.
#define PS_CROSS_THREAD_FLAGS_HIDEFROMDBG 0x00000004UL

//
// Thread is impersonating
//

#define PS_CROSS_THREAD_FLAGS_IMPERSONATING 0x00000008UL

//
// This is a system thread
//

#define PS_CROSS_THREAD_FLAGS_SYSTEM 0x00000010UL

//
// Hard errors are disabled for this thread
//

#define PS_CROSS_THREAD_FLAGS_HARD_ERRORS_DISABLED 0x00000020UL

//
// We should break in when this thread is terminated
//

#define PS_CROSS_THREAD_FLAGS_BREAK_ON_TERMINATION 0x00000040UL

//
// This thread should skip sending its create thread message
//
#define PS_CROSS_THREAD_FLAGS_SKIP_CREATION_MSG 0x00000080UL

//
// This thread should skip sending its final thread termination message
//
#define PS_CROSS_THREAD_FLAGS_SKIP_TERMINATION_MSG 0x00000100UL

union {

ULONG CrossThreadFlags;

//
// The following fields are for the debugger only. Do not use.
// Use the bit definitions instead.
//

struct {
ULONG Terminated : 1;
ULONG DeadThread : 1;
ULONG HideFromDebugger : 1;
ULONG ActiveImpersonationInfo : 1;
ULONG SystemThread : 1;
ULONG HardErrorsAreDisabled : 1;
ULONG BreakOnTermination : 1;
ULONG SkipCreationMsg : 1;
ULONG SkipTerminationMsg : 1;
};
};

//
// Flags to be accessed in this thread's context only at PASSIVE
// level -- no need to use interlocked operations.
//

union {
ULONG SameThreadPassiveFlags;

struct {

//
// This thread is an active Ex worker thread; it should
// not terminate.
//

ULONG ActiveExWorker : 1;
ULONG ExWorkerCanWaitUser : 1;
ULONG MemoryMaker : 1;

//
// Thread is active in the keyed event code. LPC should not run above this in an APC.
//
ULONG KeyedEventInUse : 1;
};
};

//
// Flags to be accessed in this thread's context only at APC_LEVEL.
// No need to use interlocked operations.
//

// N.B. These bit-fields are declared with BOOLEAN (a byte type), not
// ULONG; the packing therefore depends on the compiler's rules for
// byte-sized bit-fields, and the mask below assumes the layout that
// MSVC produces.
union {
ULONG SameThreadApcFlags;
struct {

//
// The stored thread's MSGID is valid. This is only accessed
// while the LPC mutex is held so it's an APC_LEVEL flag.
//

BOOLEAN LpcReceivedMsgIdValid : 1;
BOOLEAN LpcExitThreadCalled : 1;
BOOLEAN AddressSpaceOwner : 1;
BOOLEAN OwnsProcessWorkingSetExclusive : 1;
BOOLEAN OwnsProcessWorkingSetShared : 1;
BOOLEAN OwnsSystemWorkingSetExclusive : 1;
BOOLEAN OwnsSystemWorkingSetShared : 1;
BOOLEAN OwnsSessionWorkingSetExclusive : 1;
BOOLEAN OwnsSessionWorkingSetShared : 1;

// Mask of the six Owns*WorkingSet* bits above (bits 3..8 of
// SameThreadApcFlags).
#define PS_SAME_THREAD_FLAGS_OWNS_A_WORKING_SET 0x000001F8UL

BOOLEAN ApcNeeded : 1;
};
};

BOOLEAN ForwardClusterOnly;
BOOLEAN DisablePageFaultClustering;
UCHAR ActiveFaultCount;

#if defined (PERF_DATA)
ULONG PerformanceCountLow;
LONG PerformanceCountHigh;
#endif

} ETHREAD, *PETHREAD;

Cid: 包含了线程的唯一标识符,由UniqueProcess和UniqueThread两部分组成: UniqueProcess部分即所属进程的UniqueProcessId,UniqueThread部分等于此线程对象在所属进程句柄表中的句柄

IrpList: 是一个双链表头,包含了当前线程所有正在处理但尚未完成的i/o请求

TopLevelIrp:指向线程的顶级IRP

ThreadsProcess:指向当前线程所属进程. 线程初始化时赋值的

StartAddress: 线程启动地址,是真正的线程启动地址

StartAddress:系统DLL中的线程启动地址
