//
// Executive-layer thread object (ETHREAD). The kernel-layer KTHREAD is
// embedded as the first member, so the ETHREAD and its KTHREAD share the
// same address (offset 0). Fields are grouped by the subsystem that owns
// them (Registry, Lpc, Security, Io, File Systems, Ps). The layout is
// binary-sensitive: members must not be reordered or resized.
//
typedef struct _ETHREAD {
KTHREAD Tcb; // Embedded KTHREAD object; it is the first data member (offset 0).
LARGE_INTEGER CreateTime; // Thread creation time, assigned when the thread is created.
union {
LARGE_INTEGER ExitTime; // Thread exit time.
LIST_ENTRY LpcReplyChain; // Cross-process (LPC) communication chain.
LIST_ENTRY KeyedWaitChain; // Wait list for keyed events.
};
union {
NTSTATUS ExitStatus; // Thread exit status.
PVOID OfsChain;
};
//
// Registry
//
LIST_ENTRY PostBlockList;
//
// Single linked list of termination blocks
//
union {
//
// List of termination ports
//
PTERMINATION_PORT TerminationPort; // List head; on thread exit the system notifies every port that registered to receive this thread's termination event.
//
// List of threads to be reaped. Only used at thread exit
//
struct _ETHREAD *ReaperLink; // Singly linked list node, used only at thread exit; when the thread is terminated it is linked onto PsReaperListHead.
//
// Keyvalue being waited for
//
PVOID KeyedWaitValue; // Key value of the keyed event being waited for.
};
KSPIN_LOCK ActiveTimerListLock; // Spin lock guarding ActiveTimerListHead.
LIST_ENTRY ActiveTimerListHead; // Doubly linked list head of all timers belonging to this thread.
CLIENT_ID Cid; // Unique identifier of the thread.
//
// Lpc
//
union {
KSEMAPHORE LpcReplySemaphore; // LPC reply notification.
KSEMAPHORE KeyedWaitSemaphore; // Used for keyed-event handling.
};
union {
PVOID LpcReplyMessage; // -> Message that contains the reply
PVOID LpcWaitingOnPort; // Port object this thread is waiting on.
};
//
// Security
//
//
// Client - If non null, indicates the thread is impersonating
// a client.
//
PPS_IMPERSONATION_INFORMATION ImpersonationInfo; // Points to the thread's impersonation information; guarded by ThreadLock below.
//
// Io
//
LIST_ENTRY IrpList; // Doubly linked list head of all I/O requests this thread has issued but not yet completed.
//
// File Systems
//
ULONG_PTR TopLevelIrp; // either NULL, an Irp or a flag defined in FsRtl.h -- the thread's top-level IRP
// Points to the current IRP only when the topmost component in the thread's I/O
// call hierarchy is a file system. Because the value may be a flag rather than
// a pointer, it must be classified before being dereferenced.
struct _DEVICE_OBJECT *DeviceToVerify; // Device object awaiting verification.
PEPROCESS ThreadsProcess; // Process that owns this thread; assigned at thread initialization.
PVOID StartAddress; // Thread start address.
union {
PVOID Win32StartAddress; // Windows-subsystem start address: the start address received by CreateThread.
ULONG LpcReceivedMessageId; // LPC message ID.
};
//
// Ps
//
LIST_ENTRY ThreadListEntry; // Doubly linked list node; every thread is linked into the ThreadListHead list of its owning EPROCESS.
//
// Rundown protection structure. Acquire this to do cross thread
// TEB, TEB32 or stack references.
//
EX_RUNDOWN_REF RundownProtect; // Rundown protection for thread teardown.
//
// Lock to protect thread impersonation information
//
EX_PUSH_LOCK ThreadLock; // Protects the thread's data attributes (in particular ImpersonationInfo).
ULONG LpcReplyMessageId; // MessageId this thread is waiting for reply to
ULONG ReadClusterSize; // Number of pages to read in one I/O operation.
//
// Client/server
//
ACCESS_MASK GrantedAccess; // Access rights granted to the thread.
//
// Flags for cross thread access. Use interlocked operations
// via PS_SET_BITS etc.
//
//
// Used to signify that the delete APC has been queued or the
// thread has called PspExitThread itself.
//
#define PS_CROSS_THREAD_FLAGS_TERMINATED 0x00000001UL
//
// Thread create failed
//
#define PS_CROSS_THREAD_FLAGS_DEADTHREAD 0x00000002UL
//
// Debugger isn't shown this thread
//
#define PS_CROSS_THREAD_FLAGS_HIDEFROMDBG 0x00000004UL
//
// Thread is impersonating
//
#define PS_CROSS_THREAD_FLAGS_IMPERSONATING 0x00000008UL
//
// This is a system thread
//
#define PS_CROSS_THREAD_FLAGS_SYSTEM 0x00000010UL
//
// Hard errors are disabled for this thread
//
#define PS_CROSS_THREAD_FLAGS_HARD_ERRORS_DISABLED 0x00000020UL
//
// We should break in when this thread is terminated
//
#define PS_CROSS_THREAD_FLAGS_BREAK_ON_TERMINATION 0x00000040UL
//
// This thread should skip sending its create thread message
//
#define PS_CROSS_THREAD_FLAGS_SKIP_CREATION_MSG 0x00000080UL
//
// This thread should skip sending its final thread termination message
//
#define PS_CROSS_THREAD_FLAGS_SKIP_TERMINATION_MSG 0x00000100UL
union {
ULONG CrossThreadFlags; // Read/written from other threads; modify only with the interlocked PS_SET_BITS-style helpers and the PS_CROSS_THREAD_FLAGS_* masks above.
//
// The following fields are for the debugger only. Do not use.
// Use the bit definitions instead.
//
struct {
ULONG Terminated : 1;
ULONG DeadThread : 1;
ULONG HideFromDebugger : 1;
ULONG ActiveImpersonationInfo : 1;
ULONG SystemThread : 1;
ULONG HardErrorsAreDisabled : 1;
ULONG BreakOnTermination : 1;
ULONG SkipCreationMsg : 1;
ULONG SkipTerminationMsg : 1;
};
};
//
// Flags to be accessed in this thread's context only at PASSIVE
// level -- no need to use interlocked operations.
//
union {
ULONG SameThreadPassiveFlags;
struct {
//
// This thread is an active Ex worker thread; it should
// not terminate.
//
ULONG ActiveExWorker : 1;
ULONG ExWorkerCanWaitUser : 1;
ULONG MemoryMaker : 1;
//
// Thread is active in the keyed event code. LPC should not run above this in an APC.
//
ULONG KeyedEventInUse : 1;
};
};
//
// Flags to be accessed in this thread's context only at APC_LEVEL.
// No need to use interlocked operations.
//
union {
ULONG SameThreadApcFlags;
struct {
//
// The stored thread's MSGID is valid. This is only accessed
// while the LPC mutex is held so it's an APC_LEVEL flag.
//
BOOLEAN LpcReceivedMsgIdValid : 1;
BOOLEAN LpcExitThreadCalled : 1;
BOOLEAN AddressSpaceOwner : 1;
BOOLEAN OwnsProcessWorkingSetExclusive : 1;
BOOLEAN OwnsProcessWorkingSetShared : 1;
BOOLEAN OwnsSystemWorkingSetExclusive : 1;
BOOLEAN OwnsSystemWorkingSetShared : 1;
BOOLEAN OwnsSessionWorkingSetExclusive : 1;
BOOLEAN OwnsSessionWorkingSetShared : 1;
// Mask of the six Owns*WorkingSet* bits above (bits 3..8), assuming
// LSB-first bit-field packing of SameThreadApcFlags.
#define PS_SAME_THREAD_FLAGS_OWNS_A_WORKING_SET 0x000001F8UL
BOOLEAN ApcNeeded : 1;
};
};
BOOLEAN ForwardClusterOnly;
BOOLEAN DisablePageFaultClustering;
UCHAR ActiveFaultCount;
#if defined (PERF_DATA)
ULONG PerformanceCountLow;
LONG PerformanceCountHigh;
#endif
} ETHREAD, *PETHREAD;
总结:
内核层进程和线程对象偏重于基本的功能和机制,执行体层的进程和线程对象更侧重于管理和策略。