TCB - Thread control block


Necr0Potenc3
June 13th, 2004, 17:22
Does anyone have the TCB structure for WinNT? I have the one for Win9x, but I need the one for WinNT.

thanks in advance

focht
June 13th, 2004, 23:03
Hi,

The TCB is documented in the DDK, I think.
Here is what I found using Google:


typedef struct _KTHREAD {
/*000*/ DISPATCHER_HEADER Header; // DO_TYPE_THREAD (0x6C)
/*010*/ LIST_ENTRY MutantListHead;
/*018*/ PVOID InitialStack;
/*01C*/ PVOID StackLimit;
/*020*/ struct _TEB *Teb;
/*024*/ PVOID TlsArray;
/*028*/ PVOID KernelStack;
/*02C*/ BOOLEAN DebugActive;
/*02D*/ BYTE State; // THREAD_STATE_*
/*02E*/ BYTE Alerted[2];
/*030*/ BYTE Iopl;
/*031*/ BYTE NpxState;
/*032*/ BYTE Saturation;
/*033*/ BYTE Priority;
/*034*/ KAPC_STATE ApcState;
/*04C*/ DWORD ContextSwitches;
/*050*/ DWORD WaitStatus;
/*054*/ BYTE WaitIrql;
/*055*/ BYTE WaitMode;
/*056*/ BYTE WaitNext;
/*057*/ BYTE WaitReason;
/*058*/ PLIST_ENTRY WaitBlockList;
/*05C*/ LIST_ENTRY WaitListEntry; // see KiDispatcherReadyListHead
/*064*/ DWORD WaitTime;
/*068*/ BYTE BasePriority;
/*069*/ BYTE DecrementCount;
/*06A*/ BYTE PriorityDecrement;
/*06B*/ BYTE Quantum;
/*06C*/ KWAIT_BLOCK WaitBlock[4];
/*0CC*/ DWORD LegoData;
/*0D0*/ DWORD KernelApcDisable;
/*0D4*/ KAFFINITY UserAffinity;
/*0D8*/ BOOLEAN SystemAffinityActive;
/*0D9*/ BYTE PowerState;
/*0DA*/ BYTE NpxIrql;
/*0DB*/ BYTE Pad;
/*0DC*/ PSERVICE_DESCRIPTOR_TABLE ServiceDescriptorTable;
/*0E0*/ PVOID Queue;
/*0E4*/ PVOID ApcQueueLock;
/*0E8*/ KTIMER Timer;
/*110*/ LIST_ENTRY QueueListEntry;
/*118*/ KAFFINITY Affinity;
/*11C*/ BOOLEAN Preempted;
/*11D*/ BOOLEAN ProcessReadyQueue;
/*11E*/ BOOLEAN KernelStackResident;
/*11F*/ BYTE NextProcessor;
/*120*/ PVOID CallbackStack;
/*124*/ PWIN32_THREAD Win32Thread;
/*128*/ PKTRAP_FRAME TrapFrame;
/*12C*/ PKAPC_STATE ApcStatePointer[2];
/*134*/ KPROCESSOR_MODE PreviousMode;
/*135*/ BOOLEAN EnableStackSwap;
/*136*/ BOOLEAN LargeStack;
/*137*/ BYTE ResourceIndex;
/*138*/ DWORD KernelTime; // ticks
/*13C*/ DWORD UserTime; // ticks
/*140*/ KAPC_STATE SavedApcState;
/*158*/ BOOLEAN Alertable;
/*159*/ BYTE ApcStateIndex;
/*15A*/ BOOLEAN ApcQueueable;
/*15B*/ BOOLEAN AutoAlignment;
/*15C*/ PVOID StackBase;
/*160*/ KAPC SuspendApc;
/*190*/ KSEMAPHORE SuspendSemaphore;
/*1A4*/ LIST_ENTRY ThreadListEntry; // see KPROCESS
/*1AC*/ BYTE FreezeCount;
/*1AD*/ BYTE SuspendCount;
/*1AE*/ BYTE IdealProcessor;
/*1AF*/ BOOLEAN DisableBoost;
/*1B0*/ } KTHREAD, *PKTHREAD;


Some fields are 2K+ only (mostly power state stuff).

Here is a good resource on (kernel) thread internals - although it's only a sample chapter, it might be of interest:

http://www.microsoft.com/mspress/books/sampchap/4354b.asp

Using WinDbg you could dump the ETHREAD (KTHREAD/TCB) structures right out of it (WinDbg loads extension DLLs for the host system):

>!ethread

Regards,

A. Focht
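The offsets in the structure focht posted can be checked mechanically rather than by hand. The block below is an added example, not code from this thread: it re-declares the Windows 2000 x86 KTHREAD with fixed-width types (pointers as a 4-byte PTR32, plus the Windows 2000 x86 layouts of DISPATCHER_HEADER, KAPC_STATE, KWAIT_BLOCK, KTIMER, KAPC and KSEMAPHORE, which the post does not show) so that offsetof() reproduces the posted offsets even on a 64-bit host, and then parses a constructed KTHREAD image the way one would when carving a thread block out of a memory dump. The helper names (kthread32_looks_valid, kthread32_summarize, kthread32_sample) and the sample addresses are this example's own assumptions; the numeric constants (dispatcher Type 6 for a thread object, Size in 32-bit words so 0x1B0/4 = 0x6C as in the post's header comment, thread states Running = 2 and Waiting = 5) are the Windows 2000 kernel's.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example: Windows 2000 x86 KTHREAD re-declared with fixed-width types.
 * Pointers are 4 bytes on the 32-bit kernel the posted offsets describe. No
 * member is wider than 4 bytes, so natural alignment matches x86 on any host. */
typedef uint32_t PTR32;
typedef struct { PTR32 Flink, Blink; } LIST_ENTRY32;                                /* 0x08 */
typedef struct { uint8_t Type, Absolute, Size, Inserted; int32_t SignalState;
                 LIST_ENTRY32 WaitListHead; } DISPATCHER_HEADER32;                  /* 0x10 */
typedef struct { LIST_ENTRY32 ApcListHead[2]; PTR32 Process; uint8_t KernelApcInProgress,
                 KernelApcPending, UserApcPending, Pad; } KAPC_STATE32;             /* 0x18 */
typedef struct { LIST_ENTRY32 WaitListEntry; PTR32 Thread, Object, NextWaitBlock;
                 uint16_t WaitKey, WaitType; } KWAIT_BLOCK32;                       /* 0x18 */
typedef struct { DISPATCHER_HEADER32 Header; uint32_t DueTimeLow, DueTimeHigh;
                 LIST_ENTRY32 TimerListEntry; PTR32 Dpc; int32_t Period; } KTIMER32; /* 0x28 */
typedef struct { int16_t Type, Size; uint32_t Spare0; PTR32 Thread; LIST_ENTRY32 ApcListEntry;
                 PTR32 KernelRoutine, RundownRoutine, NormalRoutine, NormalContext,
                       SystemArgument1, SystemArgument2;
                 int8_t ApcStateIndex, ApcMode; uint8_t Inserted, Pad; } KAPC32;    /* 0x30 */
typedef struct { DISPATCHER_HEADER32 Header; int32_t Limit; } KSEMAPHORE32;        /* 0x14 */

typedef struct _KTHREAD32 {
    DISPATCHER_HEADER32 Header;                                            /* 0x000 */
    LIST_ENTRY32 MutantListHead;                                           /* 0x010 */
    PTR32 InitialStack, StackLimit, Teb, TlsArray, KernelStack;            /* 0x018 */
    uint8_t DebugActive, State, Alerted[2];                                /* 0x02C */
    uint8_t Iopl, NpxState, Saturation, Priority;                          /* 0x030 */
    KAPC_STATE32 ApcState;                                                 /* 0x034 */
    uint32_t ContextSwitches, WaitStatus;                                  /* 0x04C */
    uint8_t WaitIrql, WaitMode, WaitNext, WaitReason;                      /* 0x054 */
    PTR32 WaitBlockList;                                                   /* 0x058 */
    LIST_ENTRY32 WaitListEntry;                                            /* 0x05C */
    uint32_t WaitTime;                                                     /* 0x064 */
    uint8_t BasePriority, DecrementCount, PriorityDecrement, Quantum;      /* 0x068 */
    KWAIT_BLOCK32 WaitBlock[4];                                            /* 0x06C */
    uint32_t LegoData, KernelApcDisable, UserAffinity;                     /* 0x0CC */
    uint8_t SystemAffinityActive, PowerState, NpxIrql, Pad;                /* 0x0D8 */
    PTR32 ServiceDescriptorTable, Queue, ApcQueueLock;                     /* 0x0DC */
    KTIMER32 Timer;                                                        /* 0x0E8 */
    LIST_ENTRY32 QueueListEntry;                                           /* 0x110 */
    uint32_t Affinity;                                                     /* 0x118 */
    uint8_t Preempted, ProcessReadyQueue, KernelStackResident, NextProcessor; /* 0x11C */
    PTR32 CallbackStack, Win32Thread, TrapFrame, ApcStatePointer[2];       /* 0x120 */
    uint8_t PreviousMode, EnableStackSwap, LargeStack, ResourceIndex;      /* 0x134 */
    uint32_t KernelTime, UserTime;                                         /* 0x138 */
    KAPC_STATE32 SavedApcState;                                            /* 0x140 */
    uint8_t Alertable, ApcStateIndex, ApcQueueable, AutoAlignment;         /* 0x158 */
    PTR32 StackBase;                                                       /* 0x15C */
    KAPC32 SuspendApc;                                                     /* 0x160 */
    KSEMAPHORE32 SuspendSemaphore;                                         /* 0x190 */
    LIST_ENTRY32 ThreadListEntry;                                          /* 0x1A4 */
    uint8_t FreezeCount, SuspendCount, IdealProcessor, DisableBoost;       /* 0x1AC */
} KTHREAD32;                                                               /* 0x1B0 */

/* Compile-time check that this declaration reproduces the offsets in the post. */
_Static_assert(offsetof(KTHREAD32, ApcState) == 0x34, "ApcState offset");
_Static_assert(offsetof(KTHREAD32, WaitBlock) == 0x6C, "WaitBlock offset");
_Static_assert(offsetof(KTHREAD32, Timer) == 0xE8, "Timer offset");
_Static_assert(offsetof(KTHREAD32, SuspendApc) == 0x160, "SuspendApc offset");
_Static_assert(offsetof(KTHREAD32, ThreadListEntry) == 0x1A4, "ThreadListEntry offset");
_Static_assert(sizeof(KTHREAD32) == 0x1B0, "KTHREAD size");

#define DISPATCHER_TYPE_THREAD 6   /* KOBJECTS ThreadObject on Windows 2000 */
#define KTHREAD_STATE_RUNNING  2
#define KTHREAD_STATE_WAITING  5

/* Plausibility check on a candidate image: a thread's dispatcher header has
 * Type 6 and Size = 0x1B0/4 = 0x6C (the value quoted in the post's comment). */
int kthread32_looks_valid(const uint8_t *img, size_t len)
{
    KTHREAD32 t;
    if (len < sizeof t) return 0;
    memcpy(&t, img, sizeof t);
    return t.Header.Type == DISPATCHER_TYPE_THREAD && t.Header.Size == sizeof(KTHREAD32) / 4;
}

typedef struct { uint32_t teb, process, trap_frame;
                 uint8_t state, priority, base_priority, previous_mode; } kthread32_summary;

/* Pull the fields a reverser usually wants out of a raw image; 0 on a short or
 * implausible image, 1 on success. Nothing is dereferenced, so a dump is enough. */
int kthread32_summarize(const uint8_t *img, size_t len, kthread32_summary *out)
{
    KTHREAD32 t;
    if (!kthread32_looks_valid(img, len)) return 0;
    memcpy(&t, img, sizeof t);
    out->teb = t.Teb;               out->process = t.ApcState.Process;
    out->trap_frame = t.TrapFrame;  out->state = t.State;
    out->priority = t.Priority;     out->base_priority = t.BasePriority;
    out->previous_mode = t.PreviousMode;
    return 1;
}

/* Constructed sample image (not real kernel memory): 0x1B0 bytes with only the
 * interesting fields set. Addresses are invented for the example. */
size_t kthread32_sample(uint8_t *buf, size_t len)
{
    KTHREAD32 t;
    if (len < sizeof t) return 0;
    memset(&t, 0, sizeof t);
    t.Header.Type = DISPATCHER_TYPE_THREAD;
    t.Header.Size = sizeof t / 4;            /* 0x6C */
    t.Teb = 0x7FFDE000u;                     /* assumed user-mode TEB address */
    t.State = KTHREAD_STATE_WAITING;
    t.Priority = 9;  t.BasePriority = 8;
    t.ApcState.Process = 0x81234560u;        /* assumed KPROCESS address */
    t.TrapFrame = 0xF8A3B000u;               /* assumed trap frame on the kernel stack */
    t.PreviousMode = 1;                      /* UserMode */
    memcpy(buf, &t, sizeof t);
    return sizeof t;
}
```

Because the struct has no member wider than four bytes, the same declaration gives the posted offsets whether it is compiled as 32- or 64-bit, which is what makes it usable against a dump from a tool such as the WinDbg session above. Anything that is Windows 2000-only (the power-state bytes focht mentions) shifts nothing, since those fields sit in what is padding on NT 4.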