Structure
procexp64.exe - Notepad (notepad.exe) - Taskmgr.exe
!process 0 0 notepad.exe
2: kd> dt_EPROCESS ffffe28970fb7080
ntdll!_EPROCESS
+0x5a8 ImageFileName : [15] "notepad.exe"
+0x440 UniqueProcessId : 0x00000000`00000eec Void
+0x448 ActiveProcessLinks : _LIST_ENTRY [ 0xffffe289`731864c8 - 0xffffe289`72d18788 ]
+0x570 ObjectTable : 0xffffbe81`663ef540 _HANDLE_TABLE
2: kd> dx -id 0,0,ffffe289648a0040 -r1 (*((ntdll!_LIST_ENTRY *)0xffffe28970fb74c8))
(*((ntdll!_LIST_ENTRY *)0xffffe28970fb74c8)) [Type: _LIST_ENTRY]
[+0x000] Flink : 0xffffe289731864c8 [Type: _LIST_ENTRY *]
[+0x008] Blink : 0xffffe28972d18788 [Type: _LIST_ENTRY *]
2: kd> dx -id 0,0,ffffe289648a0040 -r1 ((ntdll!_HANDLE_TABLE *)0xffffbe81663ef540)
((ntdll!_HANDLE_TABLE *)0xffffbe81663ef540) : 0xffffbe81663ef540 [Type: _HANDLE_TABLE *]
[+0x000] NextHandleNeedingPool : 0x800 [Type: unsigned long]
[+0x004] ExtraInfoPages : 0 [Type: long]
[+0x008] TableCode : 0xffffbe816bafd001 [Type: unsigned __int64]
[+0x010] QuotaProcess : 0xffffe28970fb7080 [Type: _EPROCESS *]
[+0x018] HandleTableList [Type: _LIST_ENTRY]
[+0x028] UniqueProcessId : 0xeec [Type: unsigned long]
[+0x02c] Flags : 0x0 [Type: unsigned long]
[+0x02c ( 0: 0)] StrictFIFO : 0x0 [Type: unsigned char]
[+0x02c ( 1: 1)] EnableHandleExceptions : 0x0 [Type: unsigned char]
[+0x02c ( 2: 2)] Rundown : 0x0 [Type: unsigned char]
[+0x02c ( 3: 3)] Duplicated : 0x0 [Type: unsigned char]
[+0x02c ( 4: 4)] RaiseUMExceptionOnInvalidHandleClose : 0x0 [Type: unsigned char]
[+0x030] HandleContentionEvent [Type: _EX_PUSH_LOCK]
[+0x038] HandleTableLock [Type: _EX_PUSH_LOCK]
[+0x040] FreeLists [Type: _HANDLE_TABLE_FREE_LIST [1]]
[+0x040] ActualEntry [Type: unsigned char [32]]
[+0x060] DebugInfo : 0x0 [Type: _HANDLE_TRACE_DEBUG_INFO *]
2: kd> dx -id 0,0,ffffe289648a0040 -r1 (*((ntdll!_LIST_ENTRY *)0xffffbe81663ef558))
(*((ntdll!_LIST_ENTRY *)0xffffbe81663ef558)) [Type: _LIST_ENTRY]
[+0x000] Flink : 0xffffbe816a103cd8 [Type: _LIST_ENTRY *]
[+0x008] Blink : 0xffffbe816a109798 [Type: _LIST_ENTRY *]
Even if the ActiveProcessList is corrupted, the process list can still be reconstructed as long as ObjectTable -> HandleTableList can be followed.
// +0x448 ActiveProcessLinks
2: kd> dt_EPROCESS ffffe289731864c8-448
ntdll!_EPROCESS
+0x000 Pcb : _KPROCESS
+0x440 UniqueProcessId : 0x00000000`00002360 Void
+0x448 ActiveProcessLinks : _LIST_ENTRY [ 0xffffe289`70edf4c8 - 0xffffe289`70fb74c8 ]
+0x5a8 ImageFileName : [15] "procexp64.exe"
+0x570 ObjectTable : 0xffffbe81`6a103cc0 _HANDLE_TABLE
2: kd> dx -id 0,0,ffffe289648a0040 -r1 ((ntdll!_HANDLE_TABLE *)0xffffbe816a103cc0)
((ntdll!_HANDLE_TABLE *)0xffffbe816a103cc0) : 0xffffbe816a103cc0 [Type: _HANDLE_TABLE *]
[+0x000] NextHandleNeedingPool : 0x1000 [Type: unsigned long]
[+0x004] ExtraInfoPages : 0 [Type: long]
[+0x008] TableCode : 0xffffbe81674c3001 [Type: unsigned __int64]
[+0x010] QuotaProcess : 0xffffe28973186080 [Type: _EPROCESS *]
[+0x018] HandleTableList [Type: _LIST_ENTRY]
[+0x028] UniqueProcessId : 0x2360 [Type: unsigned long]
[+0x02c] Flags : 0x0 [Type: unsigned long]
[+0x02c ( 0: 0)] StrictFIFO : 0x0 [Type: unsigned char]
[+0x02c ( 1: 1)] EnableHandleExceptions : 0x0 [Type: unsigned char]
[+0x02c ( 2: 2)] Rundown : 0x0 [Type: unsigned char]
[+0x02c ( 3: 3)] Duplicated : 0x0 [Type: unsigned char]
[+0x02c ( 4: 4)] RaiseUMExceptionOnInvalidHandleClose : 0x0 [Type: unsigned char]
[+0x030] HandleContentionEvent [Type: _EX_PUSH_LOCK]
[+0x038] HandleTableLock [Type: _EX_PUSH_LOCK]
[+0x040] FreeLists [Type: _HANDLE_TABLE_FREE_LIST [1]]
[+0x040] ActualEntry [Type: unsigned char [32]]
[+0x060] DebugInfo : 0x0 [Type: _HANDLE_TRACE_DEBUG_INFO *]
2: kd> dx -id 0,0,ffffe289648a0040 -r1 (*((ntdll!_LIST_ENTRY *)0xffffbe816a103cd8))
(*((ntdll!_LIST_ENTRY *)0xffffbe816a103cd8)) [Type: _LIST_ENTRY]
[+0x000] Flink : 0xffffbe816a10abd8 [Type: _LIST_ENTRY *]
[+0x008] Blink : 0xffffbe81663ef558 [Type: _LIST_ENTRY *]
// +0x448 ActiveProcessLinks
2: kd> dt_EPROCESS ffffe28972d18788-448
ntdll!_EPROCESS
+0x000 Pcb : _KPROCESS
+0x440 UniqueProcessId : 0x00000000`00000b44 Void
+0x448 ActiveProcessLinks : _LIST_ENTRY [ 0xffffe289`70fb74c8 - 0xffffe289`6fb934c8 ]
+0x5a8 ImageFileName : [15] "Taskmgr.exe"
+0x570 ObjectTable : 0xffffbe81`6a109780 _HANDLE_TABLE
2: kd> dx -id 0,0,ffffe289648a0040 -r1 ((ntdll!_HANDLE_TABLE *)0xffffbe816a109780)
((ntdll!_HANDLE_TABLE *)0xffffbe816a109780) : 0xffffbe816a109780 [Type: _HANDLE_TABLE *]
[+0x000] NextHandleNeedingPool : 0xc00 [Type: unsigned long]
[+0x004] ExtraInfoPages : 0 [Type: long]
[+0x008] TableCode : 0xffffbe816d5fc001 [Type: unsigned __int64]
[+0x010] QuotaProcess : 0xffffe28972d18340 [Type: _EPROCESS *]
[+0x018] HandleTableList [Type: _LIST_ENTRY]
[+0x028] UniqueProcessId : 0xb44 [Type: unsigned long]
[+0x02c] Flags : 0x0 [Type: unsigned long]
[+0x02c ( 0: 0)] StrictFIFO : 0x0 [Type: unsigned char]
[+0x02c ( 1: 1)] EnableHandleExceptions : 0x0 [Type: unsigned char]
[+0x02c ( 2: 2)] Rundown : 0x0 [Type: unsigned char]
[+0x02c ( 3: 3)] Duplicated : 0x0 [Type: unsigned char]
[+0x02c ( 4: 4)] RaiseUMExceptionOnInvalidHandleClose : 0x0 [Type: unsigned char]
[+0x030] HandleContentionEvent [Type: _EX_PUSH_LOCK]
[+0x038] HandleTableLock [Type: _EX_PUSH_LOCK]
[+0x040] FreeLists [Type: _HANDLE_TABLE_FREE_LIST [1]]
[+0x040] ActualEntry [Type: unsigned char [32]]
[+0x060] DebugInfo : 0x0 [Type: _HANDLE_TRACE_DEBUG_INFO *]
2: kd> dx -id 0,0,ffffe289648a0040 -r1 (*((ntdll!_LIST_ENTRY *)0xffffbe816a109798))
(*((ntdll!_LIST_ENTRY *)0xffffbe816a109798)) [Type: _LIST_ENTRY]
[+0x000] Flink : 0xffffbe81663ef558 [Type: _LIST_ENTRY *]
[+0x008] Blink : 0xffffbe816a1031d8 [Type: _LIST_ENTRY *]
notepad.exe doubly linked list
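Added example (not from the original notes) of the cross-view check the note above relies on: the process list read from PsActiveProcessHead is compared with the one recovered by walking the handle-table list back through _HANDLE_TABLE.QuotaProcess, so a process unlinked from ActiveProcessLinks (DKOM-style hiding) still shows up. The structure layouts, list heads and helper names are simplified assumptions; the PIDs and image names are the three from the kd session.

```c
#include <stddef.h>
/* Simplified stand-ins for the kernel structures in the kd session (assumed layouts). */
typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;
typedef struct _EPROCESS {
    unsigned long UniqueProcessId;
    LIST_ENTRY ActiveProcessLinks;      /* chained from PsActiveProcessHead */
    struct _HANDLE_TABLE *ObjectTable;
    const char *ImageFileName;
} EPROCESS;
typedef struct _HANDLE_TABLE {
    LIST_ENTRY HandleTableList;         /* chained from HandleTableListHead */
    EPROCESS *QuotaProcess;             /* back-pointer to the owning process */
} HANDLE_TABLE;
#define CONTAINING_RECORD(p, T, f) ((T *)((char *)(p) - offsetof(T, f)))
static void list_init(LIST_ENTRY *h) { h->Flink = h->Blink = h; }
static void list_append(LIST_ENTRY *h, LIST_ENTRY *e) { e->Flink = h; e->Blink = h->Blink; h->Blink->Flink = e; h->Blink = e; }
/* DKOM-style unlink: the EPROCESS stays allocated, only its links vanish. */
static void list_unlink(LIST_ENTRY *e) {
    e->Blink->Flink = e->Flink; e->Flink->Blink = e->Blink; e->Flink = e->Blink = e;
}
static int in_active_list(LIST_ENTRY *head, unsigned long pid) {
    for (LIST_ENTRY *e = head->Flink; e != head; e = e->Flink)
        if (CONTAINING_RECORD(e, EPROCESS, ActiveProcessLinks)->UniqueProcessId == pid) return 1;
    return 0;
}
/* Cross-view check: each _HANDLE_TABLE maps back to its process via QuotaProcess; a process
 * reachable this way but absent from PsActiveProcessHead is hidden. Returns its PID, or 0. */
static unsigned long find_hidden_pid(LIST_ENTRY *active_head, LIST_ENTRY *table_head) {
    for (LIST_ENTRY *e = table_head->Flink; e != table_head; e = e->Flink) {
        EPROCESS *p = CONTAINING_RECORD(e, HANDLE_TABLE, HandleTableList)->QuotaProcess;
        if (!in_active_list(active_head, p->UniqueProcessId)) return p->UniqueProcessId;
    }
    return 0;
}
/* Constructed scenario with the three processes/PIDs from the kd session above.
 * With hide_notepad set, notepad.exe is unlinked from ActiveProcessLinks only. */
unsigned long simulate_cross_view(int hide_notepad) {
    static EPROCESS procs[3] = { {0x2360, {0}, 0, "procexp64.exe"}, {0xeec, {0}, 0, "notepad.exe"},
                                 {0xb44, {0}, 0, "Taskmgr.exe"} };
    static HANDLE_TABLE tables[3];
    LIST_ENTRY active_head, table_head;
    list_init(&active_head); list_init(&table_head);
    for (int i = 0; i < 3; i++) {
        tables[i].QuotaProcess = &procs[i]; procs[i].ObjectTable = &tables[i];
        list_append(&active_head, &procs[i].ActiveProcessLinks);
        list_append(&table_head, &tables[i].HandleTableList);
    }
    if (hide_notepad) list_unlink(&procs[1].ActiveProcessLinks);
    return find_hidden_pid(&active_head, &table_head);   /* 0 when views agree, else 0xeec */
}
```

The same walk against a live target is what the dx commands above do by hand: HandleTableList.Flink minus 0x18 gives the next _HANDLE_TABLE, whose QuotaProcess is the _EPROCESS to compare against the ActiveProcessLinks chain.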
2023. 4. 21. 14:23