typedef struct _ETHREAD {KTHREAD Tcb;// 線程創(chuàng)建時間LARGE_INTEGER CreateTime;union {// 線程退出時間LARGE_INTEGER ExitTime;// 用于跨進(jìn)程通信LIST_ENTRY LpcReplyChain;// 帶鍵事件等待鏈表 LIST_ENTRY KeyedWaitChain;};union {// 線程退出狀態(tài)NTSTATUS ExitStatus;// WRK不使用PVOID OfsChain;};//// Registry//// PCM_POST_BLOCK 鏈表頭，用于線程向配置管理器登記注冊表鍵的變化通知LIST_ENTRY PostBlockList;//// Single linked list of termination blocks//union {//// List of termination ports//// 線程退出時，系統(tǒng)通知所有已經(jīng)登記過要接收其終止事件的端口PTERMINATION_PORT TerminationPort;//// List of threads to be reaped. Only used at thread exit//// 線程退出時，該節(jié)點(diǎn)掛到 PsReaperListHead 鏈表上，在線程回收器（reaper）// 的工作項(xiàng)目（WorkItem）中該線程的內(nèi)核棧得以收回。struct _ETHREAD *ReaperLink;//// Keyvalue being waited for//// 帶鍵事件的鍵值PVOID KeyedWaitValue;};// 定時器鏈表自旋鎖KSPIN_LOCK ActiveTimerListLock;// 包含當(dāng)前線程的所有定時器LIST_ENTRY ActiveTimerListHead;// 線程唯一標(biāo)識符，由兩部分組成，UniqueProcess 和 UniqueThread，// UniqueProcess 等于所屬進(jìn)程的 UniqueProcessId ，UniqueThread 等于// 此線程對象在進(jìn)程句柄表中的句柄CLIENT_ID Cid;//// Lpc//union {// LPC應(yīng)答通知KSEMAPHORE LpcReplySemaphore;// 用于處理帶鍵的事件KSEMAPHORE KeyedWaitSemaphore;};// 通過最低位區(qū)分使用哪個，參見 base\ntos\lpc\lpcp.h 中的 LpcpGetThreadMessage // 和 LpcpGetThreadPort 宏union {// 指向 LPCP_MESSAGE 的指針，包含LPC應(yīng)答消息PVOID LpcReplyMessage; // -> Message that contains the reply// LPC 等待端口PVOID LpcWaitingOnPort;};//// Security////// Client - If non null, indicates the thread is impersonating// a client.//// 線程的模仿信息PPS_IMPERSONATION_INFORMATION ImpersonationInfo;//// Io//// 此鏈表包含當(dāng)前線程所有正在處理但尚未完成的I/O請求（IRP對象）LIST_ENTRY IrpList;//// File Systems//// 指向線程的頂級IRP，它或者指向NULL，或指向一個IRP，或包含了 fsrtl.h 中定義的標(biāo)記// FSRTL_FAST_IO_TOP_LEVEL_IRP 或FSRTL_FSP_TOP_LEVEL_IRP ，僅當(dāng)一個線程// 的I/O調(diào)用層次中最頂級的組件是文件系統(tǒng)時，TopLevelIrp 域才指向當(dāng)前 IRPULONG_PTR TopLevelIrp; // either NULL, an Irp or a flag defined in FsRtl.h// 指向一個待檢驗(yàn)的設(shè)備對象，當(dāng)磁盤或CD-ROM設(shè)備驅(qū)動發(fā)現(xiàn)自從上一次該線程訪問該設(shè)備以來，該// 設(shè)備似乎發(fā)生了變化，就會設(shè)置此域，從而使最高層的驅(qū)動程序，如文件系統(tǒng)，可以檢查到設(shè)備的變化struct _DEVICE_OBJECT *DeviceToVerify;// 當(dāng)前線程所屬的進(jìn)程，線程初始化時賦值（應(yīng)該是指父進(jìn)程，和ApcState里的要有所區(qū)分）// THREAD_TO_PROCESS 宏就是通過此成員實(shí)現(xiàn)的PEPROCESS ThreadsProcess;// 線程的啟動地址，這是真正的線程啟動地址，包含的通常是系統(tǒng)DLL中的線程啟動地址，因而// 往往是相同的（譬如kernel32.dll 中的BaseProcessStart 或BaseThreadStart 函數(shù)）PVOID StartAddress;// 當(dāng)windows子系統(tǒng)線程接收LPC消息時，它的Win32StartAddress 域也會被修改union {// windows子系統(tǒng)的啟動地址，即 CreateThread API 接收到的線程啟動地址PVOID Win32StartAddress;// 接收到的LPC消息的ID，此域僅當(dāng) SameThreadApcFlags 域中的 // LpcReceivedMsgIdValid 位被置上的時候才有效ULONG LpcReceivedMessageId;};//// Ps//// 冗余設(shè)計(jì)，鏈接所屬進(jìn)程的所有線程LIST_ENTRY ThreadListEntry;//// Rundown protection structure. Acquire this to do cross thread// TEB, TEB32 or stack references.//// 線程停止保護(hù)鎖，跨線程引用 TEB 結(jié)構(gòu)或者掛起線程等操作需要獲得此鎖才能進(jìn)行，// 以免在操作過程中線程被銷毀EX_RUNDOWN_REF RundownProtect;//// Lock to protect thread impersonation information//// 推鎖，保護(hù)線程數(shù)據(jù)屬性，例如 PspLockThreadSecurityExclusive 和// PspLockThreadSecurityShared 利用該域來保護(hù)線程的安全屬性EX_PUSH_LOCK ThreadLock;// 指明當(dāng)前線程正在等待對一個消息的應(yīng)答ULONG LpcReplyMessageId; // MessageId this thread is waiting for reply to// 指明了在一次I/O操作中讀取多少個頁面，用于頁面交換文件和內(nèi)存映射文件的讀操作ULONG ReadClusterSize;//// Client/server//// 線程訪問權(quán)限，詳見 public\sdk\inc\ntpsapi.h 中的宏THREAD_<XXX>，// 例如 THREAD_TERMINATE 代表終止線程的權(quán)限ACCESS_MASK GrantedAccess;//// Flags for cross thread access. Use interlocked operations// via PS_SET_BITS etc.////// Used to signify that the delete APC has been queued or the// thread has called PspExitThread itself.//#define PS_CROSS_THREAD_FLAGS_TERMINATED 0x00000001UL//// Thread create failed//#define PS_CROSS_THREAD_FLAGS_DEADTHREAD 0x00000002UL//// Debugger isn't shown this thread//#define PS_CROSS_THREAD_FLAGS_HIDEFROMDBG 0x00000004UL//// Thread is impersonating//#define PS_CROSS_THREAD_FLAGS_IMPERSONATING 0x00000008UL//// This is a system thread//#define PS_CROSS_THREAD_FLAGS_SYSTEM 0x00000010UL//// Hard errors are disabled for this thread//#define PS_CROSS_THREAD_FLAGS_HARD_ERRORS_DISABLED 0x00000020UL//// We should break in when this thread is terminated//#define PS_CROSS_THREAD_FLAGS_BREAK_ON_TERMINATION 0x00000040UL//// This thread should skip sending its create thread message//#define PS_CROSS_THREAD_FLAGS_SKIP_CREATION_MSG 0x00000080UL//// This thread should skip sending its final thread termination message//#define PS_CROSS_THREAD_FLAGS_SKIP_TERMINATION_MSG 0x00000100ULunion {// 針對跨線程訪問的標(biāo)志位，詳見下面的位域結(jié)構(gòu)體ULONG CrossThreadFlags;//// The following fields are for the debugger only. Do not use.// Use the bit definitions instead.//struct {ULONG Terminated : 1; // 線程已執(zhí)行終止操作ULONG DeadThread : 1; // 創(chuàng)建失敗ULONG HideFromDebugger : 1; // 該線程對調(diào)試器不可見ULONG ActiveImpersonationInfo : 1; // 線程正在模仿ULONG SystemThread : 1; // 系統(tǒng)線程ULONG HardErrorsAreDisabled : 1; // 硬件錯誤無效ULONG BreakOnTermination : 1; // 調(diào)試器在線程終止時停下該線程ULONG SkipCreationMsg : 1; // 不向調(diào)試器發(fā)送創(chuàng)建消息ULONG SkipTerminationMsg : 1; // 不向調(diào)試器發(fā)送終止消息};};//// Flags to be accessed in this thread's context only at PASSIVE// level -- no need to use interlocked operations.//union {// 一些只有在最低中斷等級（0 被動級別）上才可以訪問的標(biāo)志位，并且只能被該線程自身訪問// 所以對這些標(biāo)志位的訪問不需要互鎖操作ULONG SameThreadPassiveFlags;struct {//// This thread is an active Ex worker thread; it should// not terminate.//ULONG ActiveExWorker : 1;ULONG ExWorkerCanWaitUser : 1;ULONG MemoryMaker : 1;//// Thread is active in the keyed event code. LPC should not run above this in an APC.//ULONG KeyedEventInUse : 1;};};//// Flags to be accessed in this thread's context only at APC_LEVEL.// No need to use interlocked operations.//union {// 一些在APC中斷級別上被該線程自身訪問的標(biāo)志位，同樣不需要互鎖ULONG SameThreadApcFlags;struct {//// The stored thread's MSGID is valid. This is only accessed// while the LPC mutex is held so it's an APC_LEVEL flag.//BOOLEAN LpcReceivedMsgIdValid : 1;BOOLEAN LpcExitThreadCalled : 1;BOOLEAN AddressSpaceOwner : 1;BOOLEAN OwnsProcessWorkingSetExclusive : 1;BOOLEAN OwnsProcessWorkingSetShared : 1;BOOLEAN OwnsSystemWorkingSetExclusive : 1;BOOLEAN OwnsSystemWorkingSetShared : 1;BOOLEAN OwnsSessionWorkingSetExclusive : 1;BOOLEAN OwnsSessionWorkingSetShared : 1;#define PS_SAME_THREAD_FLAGS_OWNS_A_WORKING_SET 0x000001F8ULBOOLEAN ApcNeeded : 1;};};// 指示是否僅僅前向聚集BOOLEAN ForwardClusterOnly;// 控制頁面交換的聚集與否BOOLEAN DisablePageFaultClustering;// 正在進(jìn)行之中的頁面錯誤數(shù)量UCHAR ActiveFaultCount;#if defined (PERF_DATA)ULONG PerformanceCountLow;LONG PerformanceCountHigh; #endif} ETHREAD, *PETHREAD;

總結(jié)

以上是生活随笔為你收集整理的ETHREAD 结构体属性介绍的全部內(nèi)容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網(wǎng)站內(nèi)容還不錯，歡迎將生活随笔推薦給好友。