windows系统调用学习——调用相关结构体学习

来深入挖掘一下Windows系统调用的过程

相关结构体介绍

Trap_Frame

首先第一个要讲的是 Trap_Frame 结构，如下图所示。

栈帧结构体，用于 Windows API 保存现场。经过提权进入0环的时候，Windows就会遵守这个结构体保存一系列的数据，最后四个成员用于虚拟8086模式下，不属于保护模式的范畴。

中断发生时，若发生权限变换，则要保存旧堆栈，CPU压入的，由 HardwareEsp 和 HardwareSegSs 两个成员保存。

中断发生时，保存被中断的代码段和iret要返回的地址，CPU压入的，由 Eip，SegCs 和 EFlags 三个成员保存。

Windows 中非易失性寄存器需要在中断例程中先保存，其中非易失性寄存器指的是在调用之前和调用之后仍然会保持原值的寄存器。通常来说，调用例程会选择要么不去写这些寄存器，如果一定要写寄存器，则会通过堆栈在调用之前保存该值，调用结束之后重新取回。

KPCR

kpcr：cpu 核控制块，cpu 一个核一个 kpcr 结构，fs=0x30 在内核中的时候，指向的是 kpcr 结构，fs=0x3b 在应用层的时候，指向的是当前线程的 TEB

KPCR 里面还嵌套着两个结构体 TIB 和 KPRCB。

查看计算机有多少核：

1 2	kd> dd KeNumberProcessors L1 83daaa2c 00000001

查看 KPCR 结构体可以通过 KiProcessorBlock 数组得到。

kd> dd KiProcessorBlock
83daa980  80b97120 00000000 00000000 00000000
83daa990  00000000 00000000 00000000 00000000
83daa9a0  00000000 00000000 00000000 00000000
83daa9b0  00000000 00000000 00000000 00000000
83daa9c0  00000000 00000000 00000000 00000000
83daa9d0  00000000 00000000 00000000 00000000
83daa9e0  00000000 00000000 00000000 00000000
83daa9f0  00000000 00000000 00000000 00000000

因为只有一个核，所以看到只存储了一个 KPCR 指针，用 dt 命令查看结构体值。

kd> dt nt!_KPCR 80b97000
   +0x000 NtTib            : _NT_TIB
   +0x000 Used_ExceptionList : 0xa8d2706c _EXCEPTION_REGISTRATION_RECORD
   +0x004 Used_StackBase   : (null) 
   +0x008 Spare2           : (null) 
   +0x00c TssCopy          : 0x80b93c00 Void
   +0x010 ContextSwitches  : 0x35bf7
   +0x014 SetMemberCopy    : 1
   +0x018 Used_Self        : 0x7ffda000 Void
   +0x01c SelfPcr          : 0x80b97000 _KPCR
   +0x020 Prcb             : 0x80b97120 _KPRCB
   +0x024 Irql             : 0x1f ''
   +0x028 IRR              : 0
   +0x02c IrrActive        : 0
   +0x030 IDR              : 0xffffffff
   +0x034 KdVersionBlock   : 0x83d6f5c0 Void
   +0x038 IDT              : 0x80b93000 _KIDTENTRY
   +0x03c GDT              : 0x80b93800 _KGDTENTRY
   +0x040 TSS              : 0x80b93c00 _KTSS
   +0x044 MajorVersion     : 1
   +0x046 MinorVersion     : 1
   +0x048 SetMember        : 1
   +0x04c StallScaleFactor : 0x973
   +0x050 SpareUnused      : 0 ''
   +0x051 Number           : 0 ''
   +0x052 Spare0           : 0 ''
   +0x053 SecondLevelCacheAssociativity : 0 ''
   +0x054 VdmAlert         : 0
   +0x058 KernelReserved   : [14] 0
   +0x090 SecondLevelCacheSize : 0
   +0x094 HalReserved      : [16] 0x1000000
   +0x0d4 InterruptMode    : 0
   +0x0d8 Spare1           : 0 ''
   +0x0dc KernelReserved2  : [17] 0
   +0x120 PrcbData         : _KPRCB

把里面存入的两个结构体 _NT_TIB 和 _KPRCB 介绍一下：

kd> dt nt!_NT_TIB 0xa8d2706c
   +0x000 ExceptionList    : 0xa8d270d4 _EXCEPTION_REGISTRATION_RECORD
   +0x004 StackBase        : 0x83cfe4a2 Void
   +0x008 StackLimit       : 0x5396aa78 Void
   +0x00c SubSystemTib     : (null) 
   +0x010 FiberData        : 0xa8d270e4 Void
   +0x010 Version          : 0xa8d270e4
   +0x014 ArbitraryUserPointer : 0x83cf9851 Void
   +0x018 Self             : 0x00000004 _NT_TIB

其中 _KPRCB 是直接包含而不是用指针引用的。

kd> dt nt!_KPRCB 0x80b97120
   +0x000 MinorVersion     : 1
   +0x002 MajorVersion     : 1
   +0x004 CurrentThread    : 0x88a20a60 _KTHREAD
   +0x008 NextThread       : (null) 
   +0x00c IdleThread       : 0x83d764c0 _KTHREAD
   +0x010 LegacyNumber     : 0 ''
   +0x011 NestingLevel     : 0x1 ''
   +0x012 BuildType        : 0
   +0x014 CpuType          : 6 ''
   +0x015 CpuID            : 1 ''
   +0x016 CpuStep          : 0xb701
   +0x016 CpuStepping      : 0x1 ''
   +0x017 CpuModel         : 0xb7 ''
   +0x018 ProcessorState   : _KPROCESSOR_STATE
   +0x338 KernelReserved   : [16] 0
   +0x378 HalReserved      : [16] 0x969600
   +0x3b8 CFlushSize       : 0x40
   +0x3bc CoresPerPhysicalProcessor : 0x1 ''
   +0x3bd LogicalProcessorsPerCore : 0x1 ''
   +0x3be PrcbPad0         : [2]  ""
   +0x3c0 MHz              : 0x973
   +0x3c4 CpuVendor        : 0x1 ''
   +0x3c5 GroupIndex       : 0 ''
   +0x3c6 Group            : 0
   +0x3c8 GroupSetMember   : 1
   +0x3cc Number           : 0
   +0x3d0 PrcbPad1         : [72]  ""
   +0x418 LockQueue        : [17] _KSPIN_LOCK_QUEUE
   +0x4a0 NpxThread        : 0x88a20a60 _KTHREAD
   +0x4a4 InterruptCount   : 0xaf7b
   +0x4a8 KernelTime       : 0x16d2
   +0x4ac UserTime         : 0x385
   +0x4b0 DpcTime          : 0x1fe
   +0x4b4 DpcTimeCount     : 0
   +0x4b8 InterruptTime    : 0x58
   +0x4bc AdjustDpcThreshold : 0x11
   +0x4c0 PageColor        : 0x1356
   +0x4c4 DebuggerSavedIRQL : 0x1c ''
   +0x4c5 NodeColor        : 0 ''
   +0x4c6 PrcbPad20        : [2]  ""
   +0x4c8 NodeShiftedColor : 0
   +0x4cc ParentNode       : 0x83d76440 _KNODE
   +0x4d0 SecondaryColorMask : 0xff
   +0x4d4 DpcTimeLimit     : 0
   +0x4d8 MsrIa32TsxCtrl   : 0
   +0x4e0 CcFastReadNoWait : 0
   +0x4e4 CcFastReadWait   : 0x1514
   +0x4e8 CcFastReadNotPossible : 0
   +0x4ec CcCopyReadNoWait : 0
   +0x4f0 CcCopyReadWait   : 0x176a
   +0x4f4 CcCopyReadNoWaitMiss : 0
   +0x4f8 MmSpinLockOrdering : 0n0
   +0x4fc IoReadOperationCount : 0n7085
   +0x500 IoWriteOperationCount : 0n1965
   +0x504 IoOtherOperationCount : 0n82423
   +0x508 IoReadTransferCount : _LARGE_INTEGER 0x30316f8
   +0x510 IoWriteTransferCount : _LARGE_INTEGER 0xc7b2db
   +0x518 IoOtherTransferCount : _LARGE_INTEGER 0x308a77
   +0x520 CcFastMdlReadNoWait : 0
   +0x524 CcFastMdlReadWait : 0
   +0x528 CcFastMdlReadNotPossible : 0
   +0x52c CcMapDataNoWait  : 0
   +0x530 CcMapDataWait    : 0x995f
   +0x534 CcPinMappedDataCount : 0x891
   +0x538 CcPinReadNoWait  : 0
   +0x53c CcPinReadWait    : 0x2b1
   +0x540 CcMdlReadNoWait  : 0
   +0x544 CcMdlReadWait    : 1
   +0x548 CcLazyWriteHotSpots : 0xd
   +0x54c CcLazyWriteIos   : 0x88
   +0x550 CcLazyWritePages : 0x375
   +0x554 CcDataFlushes    : 0x18e
   +0x558 CcDataPages      : 0x4ff
   +0x55c CcLostDelayedWrites : 0
   +0x560 CcFastReadResourceMiss : 0
   +0x564 CcCopyReadWaitMiss : 0x371
   +0x568 CcFastMdlReadResourceMiss : 0
   +0x56c CcMapDataNoWaitMiss : 0
   +0x570 CcMapDataWaitMiss : 0x7f0
   +0x574 CcPinReadNoWaitMiss : 0
   +0x578 CcPinReadWaitMiss : 0x16
   +0x57c CcMdlReadNoWaitMiss : 0
   +0x580 CcMdlReadWaitMiss : 0
   +0x584 CcReadAheadIos   : 0x772
   +0x588 KeAlignmentFixupCount : 0
   +0x58c KeExceptionDispatchCount : 0x1d1
   +0x590 KeSystemCalls    : 0x75b693
   +0x594 AvailableTime    : 0x331
   +0x598 PrcbPad22        : [2] 0
   +0x5a0 PPLookasideList  : [16] _PP_LOOKASIDE_LIST
   +0x620 PPNPagedLookasideList : [32] _GENERAL_LOOKASIDE_POOL
   +0xf20 PPPagedLookasideList : [32] _GENERAL_LOOKASIDE_POOL
   +0x1820 PacketBarrier    : 0
   +0x1824 ReverseStall     : 0n4
   +0x1828 IpiFrame         : (null) 
   +0x182c PrcbPad3         : [52]  ""
   +0x1860 CurrentPacket    : [3] (null) 
   +0x186c TargetSet        : 0
   +0x1870 WorkerRoutine    : (null) 
   +0x1874 IpiFrozen        : 0
   +0x1878 PrcbPad4         : [40]  ""
   +0x18a0 RequestSummary   : 0
   +0x18a4 SignalDone       : (null) 
   +0x18a8 TrappedSecurityDomain : 0x00000001`0000001d
   +0x18b0 BpbState         : 0x2 ''
   +0x18b0 BpbCpuIdle       : 0y0
   +0x18b0 BpbFlushRsbOnTrap : 0y1
   +0x18b0 BpbIbpbOnReturn  : 0y0
   +0x18b0 BpbIbpbOnTrap    : 0y0
   +0x18b0 BpbReserved      : 0y0000
   +0x18b1 BpbFeatures      : 0x2 ''
   +0x18b1 BpbClearOnIdle   : 0y0
   +0x18b1 BpbEnabled       : 0y1
   +0x18b1 BpbSmep          : 0y0
   +0x18b1 BpbFeaturesReserved : 0y00000 (0)
   +0x18b2 BpbCurrentSpecCtrl : 0x1 ''
   +0x18b3 BpbKernelSpecCtrl : 0x1 ''
   +0x18b4 BpbNmiSpecCtrl   : 0x1 ''
   +0x18b5 BpbUserSpecCtrl  : 0 ''
   +0x18b6 PrcbPad50        : [42]  ""
   +0x18e0 DpcData          : [2] _KDPC_DATA
   +0x1908 DpcStack         : 0x80d90000 Void
   +0x190c MaximumDpcQueueDepth : 0n4
   +0x1910 DpcRequestRate   : 0
   +0x1914 MinimumDpcRate   : 3
   +0x1918 DpcLastCount     : 0x496b
   +0x191c PrcbLock         : 0
   +0x1920 DpcGate          : _KGATE
   +0x1930 ThreadDpcEnable  : 0x1 ''
   +0x1931 QuantumEnd       : 0x1 ''
   +0x1932 DpcRoutineActive : 0 ''
   +0x1933 IdleSchedule     : 0 ''
   +0x1934 DpcRequestSummary : 0n8
   +0x1934 DpcRequestSlot   : [2] 0n8
   +0x1934 NormalDpcState   : 0n8
   +0x1936 DpcThreadActive  : 0y0
   +0x1936 ThreadDpcState   : 0n0
   +0x1938 TimerHand        : 0x1a56
   +0x193c LastTick         : 0x1a57
   +0x1940 MasterOffset     : 0n81398
   +0x1944 PrcbPad41        : [2] 0
   +0x194c PeriodicCount    : 0
   +0x1950 PeriodicBias     : 0
   +0x1958 TickOffset       : 0x1236b
   +0x1960 TimerTable       : _KTIMER_TABLE
   +0x31a0 CallDpc          : _KDPC
   +0x31c0 ClockKeepAlive   : 0n1
   +0x31c4 ClockCheckSlot   : 0 ''
   +0x31c5 ClockPollCycle   : 0xa8 ''
   +0x31c6 PrcbPad6         : [2]  ""
   +0x31c8 DpcWatchdogPeriod : 0n0
   +0x31cc DpcWatchdogCount : 0n0
   +0x31d0 ThreadWatchdogPeriod : 0n0
   +0x31d4 ThreadWatchdogCount : 0n0
   +0x31d8 KeSpinLockOrdering : 0n0
   +0x31dc PrcbPad70        : [1] 0
   +0x31e0 WaitListHead     : _LIST_ENTRY [ 0x87a1cdbc - 0x86928ae4 ]
   +0x31e8 WaitLock         : 0
   +0x31ec ReadySummary     : 0x100
   +0x31f0 QueueIndex       : 1
   +0x31f4 DeferredReadyListHead : _SINGLE_LIST_ENTRY
   +0x31f8 StartCycles      : 0x0000005d`20e43ca2
   +0x3200 CycleTime        : 0x00000020`5b03abb8
   +0x3208 HighCycleTime    : 0x20
   +0x320c PrcbPad71        : 0
   +0x3210 PrcbPad72        : [2] 0
   +0x3220 DispatcherReadyListHead : [32] _LIST_ENTRY [ 0x80b9a340 - 0x80b9a340 ]
   +0x3320 ChainedInterruptList : (null) 
   +0x3324 LookasideIrpFloat : 0n2147483647
   +0x3328 MmPageFaultCount : 0n380185
   +0x332c MmCopyOnWriteCount : 0n6594
   +0x3330 MmTransitionCount : 0n139141
   +0x3334 MmCacheTransitionCount : 0n0
   +0x3338 MmDemandZeroCount : 0n227545
   +0x333c MmPageReadCount  : 0n43411
   +0x3340 MmPageReadIoCount : 0n10075
   +0x3344 MmCacheReadCount : 0n0
   +0x3348 MmCacheIoCount   : 0n0
   +0x334c MmDirtyPagesWriteCount : 0n0
   +0x3350 MmDirtyWriteIoCount : 0n0
   +0x3354 MmMappedPagesWriteCount : 0n0
   +0x3358 MmMappedWriteIoCount : 0n0
   +0x335c CachedCommit     : 0xa3
   +0x3360 CachedResidentAvailable : 0xf9
   +0x3364 HyperPte         : 0x80c00004 Void
   +0x3368 PrcbPad8         : [4]  ""
   +0x336c VendorString     : [13]  "GenuineIntel"
   +0x3379 InitialApicId    : 0 ''
   +0x337a LogicalProcessorsPerPhysicalProcessor : 0x1 ''
   +0x337b PrcbPad9         : [5]  ""
   +0x3380 FeatureBits      : 0x60cd3fff
   +0x3388 UpdateSignature  : _LARGE_INTEGER 0xffffffff`00000000
   +0x3390 IsrTime          : 0
   +0x3398 RuntimeAccumulation : 0x3eb41562
   +0x33a0 PowerState       : _PROCESSOR_POWER_STATE
   +0x3468 DpcWatchdogDpc   : _KDPC
   +0x3488 DpcWatchdogTimer : _KTIMER
   +0x34b0 WheaInfo         : 0x8691c0d0 Void
   +0x34b4 EtwSupport       : 0x868d17d8 Void
   +0x34b8 InterruptObjectPool : _SLIST_HEADER
   +0x34c0 HypercallPageList : _SLIST_HEADER
   +0x34c8 HypercallPageVirtual : 0x80d83000 Void
   +0x34cc VirtualApicAssist : (null) 
   +0x34d0 StatisticsPage   : (null) 
   +0x34d4 RateControl      : (null) 
   +0x34d8 Cache            : [5] _CACHE_DESCRIPTOR
   +0x3514 CacheCount       : 4
   +0x3518 CacheProcessorMask : [5] 1
   +0x352c PackageProcessorSet : _KAFFINITY_EX
   +0x3538 PrcbPad91        : [1] 0
   +0x353c CoreProcessorSet : 1
   +0x3540 TimerExpirationDpc : _KDPC
   +0x3560 SpinLockAcquireCount : 0x3465aa
   +0x3564 SpinLockContentionCount : 0xb
   +0x3568 SpinLockSpinCount : 0
   +0x356c IpiSendRequestBroadcastCount : 0
   +0x3570 IpiSendRequestRoutineCount : 0
   +0x3574 IpiSendSoftwareInterruptCount : 0
   +0x3578 ExInitializeResourceCount : 0x6bbf
   +0x357c ExReInitializeResourceCount : 0x563
   +0x3580 ExDeleteResourceCount : 0x58ac
   +0x3584 ExecutiveResourceAcquiresCount : 0x2c9bf6
   +0x3588 ExecutiveResourceContentionsCount : 0x649
   +0x358c ExecutiveResourceReleaseExclusiveCount : 0x803a3
   +0x3590 ExecutiveResourceReleaseSharedCount : 0x2494c7
   +0x3594 ExecutiveResourceConvertsCount : 0x1bf
   +0x3598 ExAcqResExclusiveAttempts : 0x7d665
   +0x359c ExAcqResExclusiveAcquiresExclusive : 0x6d87b
   +0x35a0 ExAcqResExclusiveAcquiresExclusiveRecursive : 0xfdd4
   +0x35a4 ExAcqResExclusiveWaits : 0x346
   +0x35a8 ExAcqResExclusiveNotAcquires : 0x16
   +0x35ac ExAcqResSharedAttempts : 0x234556
   +0x35b0 ExAcqResSharedAcquiresExclusive : 0x3244
   +0x35b4 ExAcqResSharedAcquiresShared : 0x22d3fd
   +0x35b8 ExAcqResSharedAcquiresSharedRecursive : 0x3f15
   +0x35bc ExAcqResSharedWaits : 0x303
   +0x35c0 ExAcqResSharedNotAcquires : 0
   +0x35c4 ExAcqResSharedStarveExclusiveAttempts : 0x18051
   +0x35c8 ExAcqResSharedStarveExclusiveAcquiresExclusive : 1
   +0x35cc ExAcqResSharedStarveExclusiveAcquiresShared : 0x17faa
   +0x35d0 ExAcqResSharedStarveExclusiveAcquiresSharedRecursive : 0xa6
   +0x35d4 ExAcqResSharedStarveExclusiveWaits : 0
   +0x35d8 ExAcqResSharedStarveExclusiveNotAcquires : 0
   +0x35dc ExAcqResSharedWaitForExclusiveAttempts : 0
   +0x35e0 ExAcqResSharedWaitForExclusiveAcquiresExclusive : 0
   +0x35e4 ExAcqResSharedWaitForExclusiveAcquiresShared : 0
   +0x35e8 ExAcqResSharedWaitForExclusiveAcquiresSharedRecursive : 0
   +0x35ec ExAcqResSharedWaitForExclusiveWaits : 0
   +0x35f0 ExAcqResSharedWaitForExclusiveNotAcquires : 0
   +0x35f4 ExSetResOwnerPointerExclusive : 0
   +0x35f8 ExSetResOwnerPointerSharedNew : 0x1d2
   +0x35fc ExSetResOwnerPointerSharedOld : 0x74
   +0x3600 ExTryToAcqExclusiveAttempts : 0
   +0x3604 ExTryToAcqExclusiveAcquires : 0
   +0x3608 ExBoostExclusiveOwner : 8
   +0x360c ExBoostSharedOwners : 0
   +0x3610 ExEtwSynchTrackingNotificationsCount : 0
   +0x3614 ExEtwSynchTrackingNotificationsAccountedCount : 0
   +0x3618 Context          : 0x80dc9340 _CONTEXT
   +0x361c ContextFlags     : 0x10057
   +0x3620 ExtendedState    : 0x80dc9000 _XSAVE_AREA
   +0x3624 VectorToInterruptObject : [208] (null) 
   +0x3964 PrcbPad100       : [15] 0
   +0x39a0 ProcessorSignature : 0xb0671
   +0x39a4 PrcbShadowMappedPagePad1 : [335] 0
   +0x3ee0 KernelDirectoryTableBase : 0
   +0x3ee4 EspBaseShadow    : 0
   +0x3ee8 UserEspShadow    : 0
   +0x3eec ShadowFlags      : 0
   +0x3ef0 UserDS           : 0
   +0x3ef4 UserES           : 0
   +0x3ef8 UserFS           : 0
   +0x3efc EspIretd         : (null) 
   +0x3f00 RestoreSegOption : 0
   +0x3f04 SavedEsi         : 0
   +0x3f08 VerwSelector     : 0
   +0x3f0a PrcbShadowPad    : 0
   +0x3f0c TaskSwitchCount  : 0
   +0x3f10 DbgLogs          : [512] 0
   +0x4710 DbgCount         : 0
   +0x4714 PrcbShadowMappedPagePad2 : [499] 0

ExceptionList

错误链表，指向EXCEPTION_REGISTRATION_RECORD的列表，用于SEH，即为结构化异常处理，里面记录了异常处理函数。有人会称它为SEH链入口。

CurrentThread

当前CPU所执行线程的ETHREAD结构体。

NextThread

下一个CPU所执行线程的ETHREAD结构体。

IdleThread

当所有的线程都执行完了CPU就执行这个线程。

Number

CPU编号。

ProcessorState

CPU状态，是_KPROCESSOR_STATE结构体。

NpxThread

Npx浮点处理器，最后一次用过浮点的线程。

LogicalProcessorsPerPhysicalProcessor

指明每个物理处理器有几个逻辑处理器。

MHz

CPU的频率。

ETHREAD

因为讲到了 KTHREAD 故把 ETHREAD 也讲一下。

kd> dt _ETHREAD
ntdll!_ETHREAD
   +0x000 Tcb              : _KTHREAD
   +0x200 CreateTime       : _LARGE_INTEGER
   +0x208 ExitTime         : _LARGE_INTEGER
   +0x208 KeyedWaitChain   : _LIST_ENTRY
   +0x210 ExitStatus       : Int4B
   +0x214 PostBlockList    : _LIST_ENTRY
   +0x214 ForwardLinkShadow : Ptr32 Void
   +0x218 StartAddress     : Ptr32 Void
   +0x21c TerminationPort  : Ptr32 _TERMINATION_PORT
   +0x21c ReaperLink       : Ptr32 _ETHREAD
   +0x21c KeyedWaitValue   : Ptr32 Void
   +0x220 ActiveTimerListLock : Uint4B
   +0x224 ActiveTimerListHead : _LIST_ENTRY
   +0x22c Cid              : _CLIENT_ID
   +0x234 KeyedWaitSemaphore : _KSEMAPHORE
   +0x234 AlpcWaitSemaphore : _KSEMAPHORE
   +0x248 ClientSecurity   : _PS_CLIENT_SECURITY_CONTEXT
   +0x24c IrpList          : _LIST_ENTRY
   +0x254 TopLevelIrp      : Uint4B
   +0x258 DeviceToVerify   : Ptr32 _DEVICE_OBJECT
   +0x25c CpuQuotaApc      : Ptr32 _PSP_CPU_QUOTA_APC
   +0x260 Win32StartAddress : Ptr32 Void
   +0x264 LegacyPowerObject : Ptr32 Void
   +0x268 ThreadListEntry  : _LIST_ENTRY
   +0x270 RundownProtect   : _EX_RUNDOWN_REF
   +0x274 ThreadLock       : _EX_PUSH_LOCK
   +0x278 ReadClusterSize  : Uint4B
   +0x27c MmLockOrdering   : Int4B
   +0x280 CrossThreadFlags : Uint4B
   +0x280 Terminated       : Pos 0, 1 Bit
   +0x280 ThreadInserted   : Pos 1, 1 Bit
   +0x280 HideFromDebugger : Pos 2, 1 Bit
   +0x280 ActiveImpersonationInfo : Pos 3, 1 Bit
   +0x280 Reserved         : Pos 4, 1 Bit
   +0x280 HardErrorsAreDisabled : Pos 5, 1 Bit
   +0x280 BreakOnTermination : Pos 6, 1 Bit
   +0x280 SkipCreationMsg  : Pos 7, 1 Bit
   +0x280 SkipTerminationMsg : Pos 8, 1 Bit
   +0x280 CopyTokenOnOpen  : Pos 9, 1 Bit
   +0x280 ThreadIoPriority : Pos 10, 3 Bits
   +0x280 ThreadPagePriority : Pos 13, 3 Bits
   +0x280 RundownFail      : Pos 16, 1 Bit
   +0x280 NeedsWorkingSetAging : Pos 17, 1 Bit
   +0x284 SameThreadPassiveFlags : Uint4B
   +0x284 ActiveExWorker   : Pos 0, 1 Bit
   +0x284 ExWorkerCanWaitUser : Pos 1, 1 Bit
   +0x284 MemoryMaker      : Pos 2, 1 Bit
   +0x284 ClonedThread     : Pos 3, 1 Bit
   +0x284 KeyedEventInUse  : Pos 4, 1 Bit
   +0x284 RateApcState     : Pos 5, 2 Bits
   +0x284 SelfTerminate    : Pos 7, 1 Bit
   +0x288 SameThreadApcFlags : Uint4B
   +0x288 Spare            : Pos 0, 1 Bit
   +0x288 StartAddressInvalid : Pos 1, 1 Bit
   +0x288 EtwPageFaultCalloutActive : Pos 2, 1 Bit
   +0x288 OwnsProcessWorkingSetExclusive : Pos 3, 1 Bit
   +0x288 OwnsProcessWorkingSetShared : Pos 4, 1 Bit
   +0x288 OwnsSystemCacheWorkingSetExclusive : Pos 5, 1 Bit
   +0x288 OwnsSystemCacheWorkingSetShared : Pos 6, 1 Bit
   +0x288 OwnsSessionWorkingSetExclusive : Pos 7, 1 Bit
   +0x289 OwnsSessionWorkingSetShared : Pos 0, 1 Bit
   +0x289 OwnsProcessAddressSpaceExclusive : Pos 1, 1 Bit
   +0x289 OwnsProcessAddressSpaceShared : Pos 2, 1 Bit
   +0x289 SuppressSymbolLoad : Pos 3, 1 Bit
   +0x289 Prefetching      : Pos 4, 1 Bit
   +0x289 OwnsDynamicMemoryShared : Pos 5, 1 Bit
   +0x289 OwnsChangeControlAreaExclusive : Pos 6, 1 Bit
   +0x289 OwnsChangeControlAreaShared : Pos 7, 1 Bit
   +0x28a OwnsPagedPoolWorkingSetExclusive : Pos 0, 1 Bit
   +0x28a OwnsPagedPoolWorkingSetShared : Pos 1, 1 Bit
   +0x28a OwnsSystemPtesWorkingSetExclusive : Pos 2, 1 Bit
   +0x28a OwnsSystemPtesWorkingSetShared : Pos 3, 1 Bit
   +0x28a TrimTrigger      : Pos 4, 2 Bits
   +0x28a Spare1           : Pos 6, 2 Bits
   +0x28b PriorityRegionActive : UChar
   +0x28c CacheManagerActive : UChar
   +0x28d DisablePageFaultClustering : UChar
   +0x28e ActiveFaultCount : UChar
   +0x28f LockOrderState   : UChar
   +0x290 AlpcMessageId    : Uint4B
   +0x294 AlpcMessage      : Ptr32 Void
   +0x294 AlpcReceiveAttributeSet : Uint4B
   +0x298 AlpcWaitListEntry : _LIST_ENTRY
   +0x2a0 CacheManagerCount : Uint4B
   +0x2a4 IoBoostCount     : Uint4B
   +0x2a8 IrpListLock      : Uint4B
   +0x2ac ReservedForSynchTracking : Ptr32 Void
   +0x2b0 CmCallbackListHead : _SINGLE_LIST_ENTRY
   +0x2b4 KernelStackReference : Uint4B

其中 TCB 就是 KTHREAD 结构体，因此 ETHREAD 包含 KTHREAD。

kd> dt _KTHREAD
ntdll!_KTHREAD
   +0x000 Header           : _DISPATCHER_HEADER
   +0x010 CycleTime        : Uint8B
   +0x018 HighCycleTime    : Uint4B
   +0x020 QuantumTarget    : Uint8B
   +0x028 InitialStack     : Ptr32 Void
   +0x02c StackLimit       : Ptr32 Void
   +0x030 KernelStack      : Ptr32 Void
   +0x034 ThreadLock       : Uint4B
   +0x038 WaitRegister     : _KWAIT_STATUS_REGISTER
   +0x039 Running          : UChar
   +0x03a Alerted          : [2] UChar
   +0x03c KernelStackResident : Pos 0, 1 Bit
   +0x03c ReadyTransition  : Pos 1, 1 Bit
   +0x03c ProcessReadyQueue : Pos 2, 1 Bit
   +0x03c WaitNext         : Pos 3, 1 Bit
   +0x03c SystemAffinityActive : Pos 4, 1 Bit
   +0x03c Alertable        : Pos 5, 1 Bit
   +0x03c GdiFlushActive   : Pos 6, 1 Bit
   +0x03c UserStackWalkActive : Pos 7, 1 Bit
   +0x03c ApcInterruptRequest : Pos 8, 1 Bit
   +0x03c ForceDeferSchedule : Pos 9, 1 Bit
   +0x03c QuantumEndMigrate : Pos 10, 1 Bit
   +0x03c UmsDirectedSwitchEnable : Pos 11, 1 Bit
   +0x03c TimerActive      : Pos 12, 1 Bit
   +0x03c SystemThread     : Pos 13, 1 Bit
   +0x03c Reserved         : Pos 14, 18 Bits
   +0x03c MiscFlags        : Int4B
   +0x040 ApcState         : _KAPC_STATE
   +0x040 ApcStateFill     : [23] UChar
   +0x057 Priority         : Char
   +0x058 NextProcessor    : Uint4B
   +0x05c DeferredProcessor : Uint4B
   +0x060 ApcQueueLock     : Uint4B
   +0x064 ContextSwitches  : Uint4B
   +0x068 State            : UChar
   +0x069 NpxState         : Char
   +0x06a WaitIrql         : UChar
   +0x06b WaitMode         : Char
   +0x06c WaitStatus       : Int4B
   +0x070 WaitBlockList    : Ptr32 _KWAIT_BLOCK
   +0x074 WaitListEntry    : _LIST_ENTRY
   +0x074 SwapListEntry    : _SINGLE_LIST_ENTRY
   +0x07c Queue            : Ptr32 _KQUEUE
   +0x080 WaitTime         : Uint4B
   +0x084 KernelApcDisable : Int2B
   +0x086 SpecialApcDisable : Int2B
   +0x084 CombinedApcDisable : Uint4B
   +0x088 Teb              : Ptr32 Void
   +0x090 Timer            : _KTIMER
   +0x0b8 AutoAlignment    : Pos 0, 1 Bit
   +0x0b8 DisableBoost     : Pos 1, 1 Bit
   +0x0b8 EtwStackTraceApc1Inserted : Pos 2, 1 Bit
   +0x0b8 EtwStackTraceApc2Inserted : Pos 3, 1 Bit
   +0x0b8 CalloutActive    : Pos 4, 1 Bit
   +0x0b8 ApcQueueable     : Pos 5, 1 Bit
   +0x0b8 EnableStackSwap  : Pos 6, 1 Bit
   +0x0b8 GuiThread        : Pos 7, 1 Bit
   +0x0b8 UmsPerformingSyscall : Pos 8, 1 Bit
   +0x0b8 VdmSafe          : Pos 9, 1 Bit
   +0x0b8 UmsDispatched    : Pos 10, 1 Bit
   +0x0b8 ReservedFlags    : Pos 11, 21 Bits
   +0x0b8 ThreadFlags      : Int4B
   +0x0bc ServiceTable     : Ptr32 Void
   +0x0c0 WaitBlock        : [4] _KWAIT_BLOCK
   +0x120 QueueListEntry   : _LIST_ENTRY
   +0x128 TrapFrame        : Ptr32 _KTRAP_FRAME
   +0x12c FirstArgument    : Ptr32 Void
   +0x130 CallbackStack    : Ptr32 Void
   +0x130 CallbackDepth    : Uint4B
   +0x134 ApcStateIndex    : UChar
   +0x135 BasePriority     : Char
   +0x136 PriorityDecrement : Char
   +0x136 ForegroundBoost  : Pos 0, 4 Bits
   +0x136 UnusualBoost     : Pos 4, 4 Bits
   +0x137 Preempted        : UChar
   +0x138 AdjustReason     : UChar
   +0x139 AdjustIncrement  : Char
   +0x13a PreviousMode     : Char
   +0x13b Saturation       : Char
   +0x13c SystemCallNumber : Uint4B
   +0x140 FreezeCount      : Uint4B
   +0x144 UserAffinity     : _GROUP_AFFINITY
   +0x150 Process          : Ptr32 _KPROCESS
   +0x154 Affinity         : _GROUP_AFFINITY
   +0x160 IdealProcessor   : Uint4B
   +0x164 UserIdealProcessor : Uint4B
   +0x168 ApcStatePointer  : [2] Ptr32 _KAPC_STATE
   +0x170 SavedApcState    : _KAPC_STATE
   +0x170 SavedApcStateFill : [23] UChar
   +0x187 WaitReason       : UChar
   +0x188 SuspendCount     : Char
   +0x189 Spare1           : Char
   +0x18a OtherPlatformFill : UChar
   +0x18c Win32Thread      : Ptr32 Void
   +0x190 StackBase        : Ptr32 Void
   +0x194 SuspendApc       : _KAPC
   +0x194 SuspendApcFill0  : [1] UChar
   +0x195 ResourceIndex    : UChar
   +0x194 SuspendApcFill1  : [3] UChar
   +0x197 QuantumReset     : UChar
   +0x194 SuspendApcFill2  : [4] UChar
   +0x198 KernelTime       : Uint4B
   +0x194 SuspendApcFill3  : [36] UChar
   +0x1b8 WaitPrcb         : Ptr32 _KPRCB
   +0x194 SuspendApcFill4  : [40] UChar
   +0x1bc LegoData         : Ptr32 Void
   +0x194 SuspendApcFill5  : [47] UChar
   +0x1c3 LargeStack       : UChar
   +0x1c4 UserTime         : Uint4B
   +0x1c8 SuspendSemaphore : _KSEMAPHORE
   +0x1c8 SuspendSemaphorefill : [20] UChar
   +0x1dc SListFaultCount  : Uint4B
   +0x1e0 ThreadListEntry  : _LIST_ENTRY
   +0x1e8 MutantListHead   : _LIST_ENTRY
   +0x1f0 SListFaultAddress : Ptr32 Void
   +0x1f4 ThreadCounters   : Ptr32 _KTHREAD_COUNTERS
   +0x1f8 XStateSave       : Ptr32 _XSTATE_SAVE

来看看几个重要成员

PreviousMode：先前模式，如果0环调用的，值为0。如果为3环调用的，值为1。
DebugActive：调试活动状态，指示当前线程是否处于调试状态。如果这个成员被设成0，则会影响硬件断点无法断下。
TrapFrame：栈帧，一个线程一个栈帧结构体。