PsGetCurrentProcessId is incompatible across Windows versions (originally posted on 看雪论坛)

The structures involved in Windows thread switching live in KPCR and KPRCB; each CPU has its own Processor Control Region (KPCR).

A driver built with WDK 8.0 misbehaved on Windows 2012, so let's look at it in WinDbg.

kd> u nt!PsGetCurrentProcessId
822ad1f0 64a124010000 mov eax,dword ptr fs:[00000124h]
822ad1f6 8b8074030000 mov eax,dword ptr [eax+374h]
822ad1fc c3 ret
822ad1fd cc int 3
822ad1fe cc int 3

In ring 0 the fs segment register points to a KPCR structure, so let's look at KPCR.

kd> dt nt!_KPCR
+0x000 NtTib : _NT_TIB
+0x000 Used_ExceptionList : Ptr32 _EXCEPTION_REGISTRATION_RECORD
+0x004 Used_StackBase : Ptr32 Void
+0x008 MxCsr : Uint4B
+0x00c TssCopy : Ptr32 Void
+0x010 ContextSwitches : Uint4B
+0x014 SetMemberCopy : Uint4B
+0x018 Used_Self : Ptr32 Void
+0x01c SelfPcr : Ptr32 _KPCR
+0x020 Prcb : Ptr32 _KPRCB
+0x024 Irql : UChar
+0x028 IRR : Uint4B
+0x02c IrrActive : Uint4B
+0x030 IDR : Uint4B
+0x034 KdVersionBlock : Ptr32 Void
+0x038 IDT : Ptr32 _KIDTENTRY
+0x03c GDT : Ptr32 _KGDTENTRY
+0x040 TSS : Ptr32 _KTSS
+0x044 MajorVersion : Uint2B
+0x046 MinorVersion : Uint2B
+0x048 SetMember : Uint4B
+0x04c StallScaleFactor : Uint4B
+0x050 SpareUnused : UChar
+0x051 Number : UChar
+0x052 Spare0 : UChar
+0x053 SecondLevelCacheAssociativity : UChar
+0x054 VdmAlert : Uint4B
+0x058 KernelReserved : [14] Uint4B
+0x090 SecondLevelCacheSize : Uint4B
+0x094 HalReserved : [16] Uint4B
+0x0d4 InterruptMode : Uint4B
+0x0d8 Spare1 : UChar
+0x0dc KernelReserved2 : [17] Uint4B
+0x120 PrcbData : _KPRCB

So fs:[124h] is KPCR.PrcbData (+0x120) plus 4, i.e. the CurrentThread member of the embedded KPRCB, which is a pointer to the current thread's _KTHREAD:

kd> dt nt!_KPRCB
+0x000 MinorVersion : Uint2B
+0x002 MajorVersion : Uint2B
+0x004 CurrentThread : Ptr32 _KTHREAD
+0x008 NextThread : Ptr32 _KTHREAD
+0x00c IdleThread : Ptr32 _KTHREAD
+0x010 LegacyNumber : UChar
+0x011 NestingLevel : UChar
+0x012 BuildType : Uint2B
+0x014 CpuType : Char
+0x015 CpuID : Char
+0x016 CpuStep : Uint2B
+0x016 CpuStepping : UChar
+0x017 CpuModel : UChar
+0x018 ProcessorState : _KPROCESSOR_STATE
+0x338 ParentNode : Ptr32 _KNODE
+0x33c PriorityState : Ptr32 Char
+0x340 KernelReserved : [14] Uint4B
..... (omitted)
+0x48e0 RequestMailbox : [1] _REQUEST_MAILBOX

On 32-bit Windows 7:

kd> u nt!PsgetCurrentProcessId
nt!PsGetCurrentProcessId:
840c17d6 64a124010000 mov eax,dword ptr fs:[00000124h]
840c17dc 8b802c020000 mov eax,dword ptr [eax+22Ch]
840c17e2 c3 ret

fs:[124h] points to the _KTHREAD structure:

kd> dt nt!_KTHREAD
+0x000 Header : _DISPATCHER_HEADER
+0x010 CycleTime : Uint8B
+0x018 HighCycleTime : Uint4B
+0x020 QuantumTarget : Uint8B
+0x028 InitialStack : Ptr32 Void
+0x02c StackLimit : Ptr32 Void
+0x030 KernelStack : Ptr32 Void
+0x034 ThreadLock : Uint4B
+0x038 WaitRegister : _KWAIT_STATUS_REGISTER
+0x039 Running : UChar
+0x03a Alerted : [2] UChar
+0x03c KernelStackResident : Pos 0, 1 Bit
+0x03c ReadyTransition : Pos 1, 1 Bit
+0x03c ProcessReadyQueue : Pos 2, 1 Bit
+0x03c WaitNext : Pos 3, 1 Bit
+0x03c SystemAffinityActive : Pos 4, 1 Bit
+0x03c Alertable : Pos 5, 1 Bit
+0x03c GdiFlushActive : Pos 6, 1 Bit
+0x03c UserStackWalkActive : Pos 7, 1 Bit
+0x03c ApcInterruptRequest : Pos 8, 1 Bit
+0x03c ForceDeferSchedule : Pos 9, 1 Bit
+0x03c QuantumEndMigrate : Pos 10, 1 Bit
+0x03c UmsDirectedSwitchEnable : Pos 11, 1 Bit
+0x03c TimerActive : Pos 12, 1 Bit
+0x03c Reserved : Pos 13, 19 Bits
+0x03c MiscFlags : Int4B
+0x040 ApcState : _KAPC_STATE
+0x040 ApcStateFill : [23] UChar
+0x057 Priority : Char
+0x058 NextProcessor : Uint4B
+0x05c DeferredProcessor : Uint4B
+0x060 ApcQueueLock : Uint4B
+0x064 ContextSwitches : Uint4B
+0x068 State : UChar
+0x069 NpxState : Char
+0x06a WaitIrql : UChar
+0x06b WaitMode : Char
+0x06c WaitStatus : Int4B
+0x070 WaitBlockList : Ptr32 _KWAIT_BLOCK
+0x074 WaitListEntry : _LIST_ENTRY
+0x074 SwapListEntry : _SINGLE_LIST_ENTRY
+0x07c Queue : Ptr32 _KQUEUE
+0x080 WaitTime : Uint4B
+0x084 KernelApcDisable : Int2B
+0x086 SpecialApcDisable : Int2B
+0x084 CombinedApcDisable : Uint4B
+0x088 Teb : Ptr32 Void
+0x090 Timer : _KTIMER
+0x0b8 AutoAlignment : Pos 0, 1 Bit
+0x0b8 DisableBoost : Pos 1, 1 Bit
+0x0b8 EtwStackTraceApc1Inserted : Pos 2, 1 Bit
+0x0b8 EtwStackTraceApc2Inserted : Pos 3, 1 Bit
+0x0b8 CalloutActive : Pos 4, 1 Bit
+0x0b8 ApcQueueable : Pos 5, 1 Bit
+0x0b8 EnableStackSwap : Pos 6, 1 Bit
+0x0b8 GuiThread : Pos 7, 1 Bit
+0x0b8 UmsPerformingSyscall : Pos 8, 1 Bit
+0x0b8 ReservedFlags : Pos 9, 23 Bits
+0x0b8 ThreadFlags : Int4B
+0x0bc ServiceTable : Ptr32 Void
+0x0c0 WaitBlock : [4] _KWAIT_BLOCK
+0x120 QueueListEntry : _LIST_ENTRY
+0x128 TrapFrame : Ptr32 _KTRAP_FRAME
+0x12c FirstArgument : Ptr32 Void
+0x130 CallbackStack : Ptr32 Void
+0x130 CallbackDepth : Uint4B
+0x134 ApcStateIndex : UChar
+0x135 BasePriority : Char
+0x136 PriorityDecrement : Char
+0x136 ForegroundBoost : Pos 0, 4 Bits
+0x136 UnusualBoost : Pos 4, 4 Bits
+0x137 Preempted : UChar
+0x138 AdjustReason : UChar
+0x139 AdjustIncrement : Char
+0x13a PreviousMode : Char
+0x13b Saturation : Char
+0x13c SystemCallNumber : Uint4B
+0x140 FreezeCount : Uint4B
+0x144 UserAffinity : _GROUP_AFFINITY
+0x150 Process : Ptr32 _KPROCESS
+0x154 Affinity : _GROUP_AFFINITY
+0x160 IdealProcessor : Uint4B
+0x164 UserIdealProcessor : Uint4B
+0x168 ApcStatePointer : [2] Ptr32 _KAPC_STATE
+0x170 SavedApcState : _KAPC_STATE
+0x170 SavedApcStateFill : [23] UChar
+0x187 WaitReason : UChar
+0x188 SuspendCount : Char
+0x189 Spare1 : Char
+0x18a OtherPlatformFill : UChar
+0x18c Win32Thread : Ptr32 Void
+0x190 StackBase : Ptr32 Void
+0x194 SuspendApc : _KAPC
+0x194 SuspendApcFill0 : [1] UChar
+0x195 ResourceIndex : UChar
+0x194 SuspendApcFill1 : [3] UChar
+0x197 QuantumReset : UChar
+0x194 SuspendApcFill2 : [4] UChar
+0x198 KernelTime : Uint4B
+0x194 SuspendApcFill3 : [36] UChar
+0x1b8 WaitPrcb : Ptr32 _KPRCB
+0x194 SuspendApcFill4 : [40] UChar
+0x1bc LegoData : Ptr32 Void
+0x194 SuspendApcFill5 : [47] UChar
+0x1c3 LargeStack : UChar
+0x1c4 UserTime : Uint4B
+0x1c8 SuspendSemaphore : _KSEMAPHORE
+0x1c8 SuspendSemaphorefill : [20] UChar
+0x1dc SListFaultCount : Uint4B
+0x1e0 ThreadListEntry : _LIST_ENTRY
+0x1e8 MutantListHead : _LIST_ENTRY
+0x1f0 SListFaultAddress : Ptr32 Void
+0x1f4 ThreadCounters : Ptr32 _KTHREAD_COUNTERS
+0x1f8 XStateSave : Ptr32 _XSTATE_SAVE

As you can see, a .sys built on Windows 7 is not compatible with Windows 2012: both builds of PsGetCurrentProcessId fetch the current thread from fs:[124h], but the displacement of the second mov is 22Ch on Windows 7 and 374h here, so PsGetCurrentProcessId is not binary-compatible across versions. As for the concrete implementation, anyone who knows the details is welcome to add them.
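The two things the post does by hand, walking KPCR -> PrcbData -> CurrentThread to confirm that fs:[124h] is the current KTHREAD, and comparing the displacement in the two disassembly listings, can be automated with a small parser over WinDbg output. The following is an added example, not code from the post; the `dt` and `u` text it parses is a constructed, abbreviated copy of the listings above (only the fields the walk needs are kept, offsets as shown on the page), and the function names are the example's own.

```python
import re

# Constructed sample: abbreviated `dt` output with the fields needed for the walk.
KPCR_DT = """\
+0x000 NtTib : _NT_TIB
+0x01c SelfPcr : Ptr32 _KPCR
+0x020 Prcb : Ptr32 _KPRCB
+0x03c KernelStackResident : Pos 0, 1 Bit
+0x120 PrcbData : _KPRCB
"""
KPRCB_DT = """\
+0x000 MinorVersion : Uint2B
+0x002 MajorVersion : Uint2B
+0x004 CurrentThread : Ptr32 _KTHREAD
+0x008 NextThread : Ptr32 _KTHREAD
"""

# Constructed sample: the two `u nt!PsGetCurrentProcessId` listings quoted in the post.
U_2012 = """\
822ad1f0 64a124010000 mov eax,dword ptr fs:[00000124h]
822ad1f6 8b8074030000 mov eax,dword ptr [eax+374h]
822ad1fc c3 ret
"""
U_WIN7 = """\
840c17d6 64a124010000 mov eax,dword ptr fs:[00000124h]
840c17dc 8b802c020000 mov eax,dword ptr [eax+22Ch]
840c17e2 c3 ret
"""

# One `dt` line: "+0x<hex> <Name> : <Type>"
DT_LINE = re.compile(r"^\s*\+0x([0-9a-fA-F]+)\s+(\w+)\s*:\s*(.+?)\s*$")
FS_LOAD = re.compile(r"fs:\[([0-9a-fA-F]+)h\]")         # first mov: fs:[00000124h]
EAX_DISP = re.compile(r"\[eax\+([0-9a-fA-F]+)h\]")      # second mov: [eax+374h]


def parse_dt(text):
    """Parse `dt` output into {member: (offset, type)}.

    Bitfield members ("Pos n, m Bits") share an offset with their container
    and are skipped, since they cannot be walked as embedded structures.
    """
    fields = {}
    for line in text.splitlines():
        m = DT_LINE.match(line)
        if not m:
            continue
        off, name, typ = int(m.group(1), 16), m.group(2), m.group(3)
        if typ.startswith("Pos "):
            continue
        fields[name] = (off, typ)
    return fields


def resolve_path(structs, root, path):
    """Return the flat offset of a member path inside `root`.

    `structs` maps a type name to its parsed `dt` output. Every intermediate
    member must be an embedded structure; only the final member may be a
    pointer, because that is the value the mov instruction loads.
    """
    total, cur = 0, root
    for i, member in enumerate(path):
        off, typ = structs[cur][member]
        total += off
        if i < len(path) - 1:
            if typ.startswith("Ptr"):
                raise ValueError(f"{member} is a pointer; the walk would need a dereference")
            cur = typ
    return total


def pid_offsets_from_listing(text):
    """From a `u nt!PsGetCurrentProcessId` listing, return (fs offset, displacement off the KTHREAD)."""
    fs_off = disp = None
    for line in text.splitlines():
        m = FS_LOAD.search(line)
        if m:
            fs_off = int(m.group(1), 16)
        m = EAX_DISP.search(line)
        if m:
            disp = int(m.group(1), 16)
    return fs_off, disp


def current_thread_slot():
    """Reproduce the post's walk: KPCR.PrcbData + KPRCB.CurrentThread == 0x124."""
    structs = {"_KPCR": parse_dt(KPCR_DT), "_KPRCB": parse_dt(KPRCB_DT)}
    return resolve_path(structs, "_KPCR", ["PrcbData", "CurrentThread"])


def displacements_agree(listings):
    """True only if every build uses the same displacement; False flags a layout change."""
    disps = {pid_offsets_from_listing(t)[1] for t in listings}
    return len(disps) == 1


if __name__ == "__main__":
    print(f"fs:[{current_thread_slot():x}h] -> KPRCB.CurrentThread")
    for label, txt in (("2012", U_2012), ("Win7", U_WIN7)):
        print(label, [f"{v:x}h" for v in pid_offsets_from_listing(txt)])
    print("same displacement:", displacements_agree([U_2012, U_WIN7]))
```

Running it shows the fs slot resolving to 124h on both builds while the displacement differs (374h versus 22Ch), which is exactly the layout change the post is pointing at; the same parser can be pointed at `dt` output for any other structure whose offsets a driver relies on.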
