Note:
The content is all from the book or from Baidu, and much of it has already appeared on forums; I just felt it was worth reading, collecting and organizing for my own use. It also lets me look back later at the bumpy road I have walked, nothing more.
Chapter 8 of Software Debugging (《软件调试》), "Windows Overview", covers the history of Windows, the structures related to the process object and how to inspect them in WinDbg. For mode switching it covers int 2E and fast system calls; the concrete procedure is something I still need to look at myself, since so far I only have the concept from the book, and the actual switch has to be worked through hands-on.
Footprints:
2011.6.10 Software Debugging
!process 0 [0 = all processes, -1 = the current process] 0 [level of detail, 0 = least]
Code:
kd> !process 0 0
PROCESS 8242b3e0  SessionId: 0  Cid: 0d9c    Peb: 7ffda000  ParentCid: 059c
    DirBase: 09a40340  ObjectTable: e16c5fb8  HandleCount:  42.
    Image: notepad.exe
Cid: this is the PID, which identifies the process in user mode; the kernel uses the EPROCESS pointer instead.
ParentCid: the ID of the process that created this process.
DirBase: the page directory base address, i.e. the contents of the Cr3 register when the CPU switches to this process; the low 12 bits are 0 and the high 20 bits are called the page frame number (PFN).
!ptov <page frame number> shows all physical-to-virtual address mappings of the corresponding process.
09a40340 -> 1001101001000000 001101000000
ObjectTable: the object table, which is the process's table of kernel objects and handles.
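As an added example (not from the book or these notes), here is a small C model of what DirBase is the root of: the PFN/offset split of a physical address, and the two-level 32-bit (non-PAE, 4 KB page) translation walk from Cr3 through the page directory and a page table. The page directory, page table and frame contents live in a toy physical-memory array constructed for the demo; the virtual address 0x01000340 and its mapping to frame 2 are assumptions, and the 10/10/12 index split is taken from the IA-32 paging scheme rather than from the notes.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* 32-bit non-PAE x86 paging: 4 KB pages, virtual address split 10/10/12. */
#define PAGE_SHIFT   12
#define PAGE_SIZE    (1u << PAGE_SHIFT)
#define ENTRIES      (PAGE_SIZE / 4)   /* 1024 32-bit entries per table */
#define PTE_PRESENT  0x1u
#define NUM_FRAMES   4
#define UNMAPPED     0xffffffffu

/* DirBase split: high 20 bits = page frame number, low 12 bits = offset. */
uint32_t pfn_of(uint32_t pa)    { return pa >> PAGE_SHIFT; }
uint32_t offset_of(uint32_t pa) { return pa & (PAGE_SIZE - 1); }

/* Index fields of a virtual address: PDE index (bits 31..22), PTE index (bits 21..12). */
uint32_t pde_index(uint32_t va) { return (va >> 22) & 0x3ff; }
uint32_t pte_index(uint32_t va) { return (va >> 12) & 0x3ff; }

/* Toy physical memory (constructed): NUM_FRAMES frames of 4 KB, kept as 32-bit
 * words so a frame can be viewed directly as a page table.
 * Frame 0 = page directory, frame 1 = page table, frame 2 = data page. */
static uint32_t phys[NUM_FRAMES * ENTRIES];

static uint32_t *frame_as_table(uint32_t pfn) {
    return phys + (size_t)pfn * ENTRIES;
}

/* Walk Cr3 -> PDE -> PTE -> physical address the way the MMU does.
 * cr3 is the DirBase value; returns false if either level is not present. */
bool translate(uint32_t cr3, uint32_t va, uint32_t *pa_out) {
    const uint32_t *pd = frame_as_table(pfn_of(cr3));
    uint32_t pde = pd[pde_index(va)];
    if (!(pde & PTE_PRESENT)) return false;
    const uint32_t *pt = frame_as_table(pfn_of(pde));
    uint32_t pte = pt[pte_index(va)];
    if (!(pte & PTE_PRESENT)) return false;
    *pa_out = (pfn_of(pte) << PAGE_SHIFT) | offset_of(va);
    return true;
}

/* Build the toy mapping VA 0x01000000..0x01000fff -> frame 2 (assumed for the
 * demo) and return the Cr3/DirBase value a process using it would have. */
uint32_t build_toy_directory(void) {
    memset(phys, 0, sizeof phys);
    uint32_t *pd = frame_as_table(0);
    uint32_t *pt = frame_as_table(1);
    pd[pde_index(0x01000000u)] = (1u << PAGE_SHIFT) | PTE_PRESENT;  /* PDE -> frame 1 */
    pt[pte_index(0x01000000u)] = (2u << PAGE_SHIFT) | PTE_PRESENT;  /* PTE -> frame 2 */
    return 0u << PAGE_SHIFT;                                        /* directory is frame 0 */
}

/* Translate against the toy directory; UNMAPPED when no mapping exists. */
uint32_t toy_translate(uint32_t va) {
    uint32_t pa;
    return translate(build_toy_directory(), va, &pa) ? pa : UNMAPPED;
}

int main(void) {
    printf("DirBase 09a40340 -> PFN %05x, offset %03x\n",
           pfn_of(0x09a40340u), offset_of(0x09a40340u));
    printf("VA 01000340 -> PA %08x\n", toy_translate(0x01000340u));
    printf("VA 02000000 -> %s\n",
           toy_translate(0x02000000u) == UNMAPPED ? "not mapped" : "mapped");
    return 0;
}
```

A real walk also honours the user/supervisor and writable bits of each entry and, on a PAE kernel, starts from a page directory pointer table; the present-bit check is the minimum that shows why a stale or wrong Cr3 value leads straight to a page fault.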
In a kernel debugging session the command format is: !handle [handle index to display] [display flags [process ID or EPROCESS [type]]]
Code:
kd> !handle 0 0 8242b3e0
processor number 0, process 8242b3e0
PROCESS 8242b3e0  SessionId: 0  Cid: 0d9c    Peb: 7ffda000  ParentCid: 059c
    DirBase: 09a40340  ObjectTable: e16c5fb8  HandleCount:  42.
    Image: notepad.exe

Handle table at e1f9b000 with 42 Entries in use
0004: Object: e1000080  GrantedAccess: 000f0003
0008: Object: e157a030  GrantedAccess: 00000003
!object can be used to look further into a kernel object's information.
Code:
kd> !object e1000080
Object: e1000080  Type: (827b8ad0) KeyedEvent
    ObjectHeader: e1000068 (old version)
    HandleCount: 26  PointerCount: 27
    Directory Object: e1000600  Name: CritSecOutOfMemoryEvent
kd> dt _eprocess 8242b3e0
dt displays a structure; it is followed by the structure name, optionally with the structure's address.
Code:
nt!_EPROCESS
   +0x000 Pcb              : _KPROCESS             // kernel process block, holds scheduling-related information
   +0x06c ProcessLock      : _EX_PUSH_LOCK
   +0x070 CreateTime       : _LARGE_INTEGER 0x1cc2642`55a83bcc   // creation time
   +0x078 ExitTime         : _LARGE_INTEGER 0x0                   // exit time
   +0x080 RundownProtect   : _EX_RUNDOWN_REF
   +0x084 UniqueProcessId  : 0x00000d9c            // PID
   ...
   +0x0b4 SessionProcessLinks : _LIST_ENTRY [ 0xf7ae1014 - 0x8243f6ec ]
   +0x0bc DebugPort        : (null)                // user-mode debug port
   +0x0c0 ExceptionPort    : 0xe1510918            // exception port
   +0x0c4 ObjectTable      : 0xe16c5fb8 _HANDLE_TABLE   // object handle table
   +0x0c8 Token            : _EX_FAST_REF          // access token
   ...
   +0x11c VadRoot          : 0x825f9598            // root of the virtual address descriptor binary tree
   ...
   +0x170 Session          : 0xf7ae1000            // session object the process belongs to
   +0x174 ImageFileName    : [16]  "notepad.exe"
   +0x184 JobLinks         : _LIST_ENTRY [ 0x0 - 0x0 ]
   +0x18c LockedPagesList  : (null)
   +0x190 ThreadListHead   : _LIST_ENTRY [ 0x8242bfd4 - 0x8242bfd4 ]   // thread list
   ...
   +0x1a8 DefaultHardErrorProcessing : 1
   +0x1ac LastThreadExitStatus : 0
   +0x1b0 Peb              : 0x7ffda000 _PEB       // process environment block
   ...
   +0x248 ProcessExiting   : 0y0                   // "exiting" flag
   +0x248 ProcessDelete    : 0y0                   // "delete" flag
   +0x248 Wow64SplitPages  : 0y0
   ...
   +0x252 SubSystemMinorVersion : 0 ''
   +0x253 SubSystemMajorVersion : 0x4 ''
   +0x252 SubSystemVersion : 0x400                 // environment subsystem version
   +0x254 PriorityClass    : 0x2 ''
   +0x255 WorkingSetAcquiredUnsafe : 0 ''
   +0x258 Cookie           : 0x57beca8e
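The `_LIST_ENTRY [ flink - blink ]` fields that dt prints are how EPROCESS and thread objects are chained together. The following C example, added here and not part of the notes or the book, shows how such an intrusive list is walked back to its containing structure with a CONTAINING_RECORD macro, plus the neighbour-consistency check one runs on it. TOY_PROCESS is a hypothetical cut-down block with only a PID, a list entry and ImageFileName (its offsets do not match nt!_EPROCESS); the three sample processes are constructed, using the Cid and ParentCid values from the !process output above and an invented name for the parent.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Doubly linked list node laid out like nt!_LIST_ENTRY: Flink, then Blink. */
typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;
    struct _LIST_ENTRY *Blink;
} LIST_ENTRY;

/* Hypothetical cut-down process block (NOT nt!_EPROCESS; real offsets differ).
 * It keeps the pattern dt shows: a LIST_ENTRY embedded mid-structure and a
 * 16-byte ImageFileName. */
typedef struct {
    uint32_t   UniqueProcessId;
    LIST_ENTRY ActiveProcessLinks;
    char       ImageFileName[16];
} TOY_PROCESS;

/* Recover the containing structure from the address of an embedded field;
 * the same arithmetic as the kernel's CONTAINING_RECORD macro. */
#define CONTAINING_RECORD(addr, type, field) \
    ((type *)((char *)(addr) - offsetof(type, field)))

/* An empty list head points at itself; "[ 0x8242bfd4 - 0x8242bfd4 ]" in the
 * ThreadListHead above is a head whose Flink and Blink are the same entry. */
void list_init(LIST_ENTRY *head) { head->Flink = head->Blink = head; }

/* InsertTailList equivalent. */
void list_insert_tail(LIST_ENTRY *head, LIST_ENTRY *entry) {
    LIST_ENTRY *last = head->Blink;
    entry->Flink = head;
    entry->Blink = last;
    last->Flink  = entry;
    head->Blink  = entry;
}

/* Walk Flink from the head and map each entry back to its TOY_PROCESS. */
const char *find_image_by_pid(LIST_ENTRY *head, uint32_t pid) {
    for (LIST_ENTRY *e = head->Flink; e != head; e = e->Flink) {
        TOY_PROCESS *p = CONTAINING_RECORD(e, TOY_PROCESS, ActiveProcessLinks);
        if (p->UniqueProcessId == pid) return p->ImageFileName;
    }
    return NULL;
}

/* Count entries while checking that each node's neighbours point back at it;
 * returns -1 at the first inconsistency (a corrupted or tampered list). */
int list_count_checked(LIST_ENTRY *head) {
    int n = 0;
    for (LIST_ENTRY *e = head->Flink; e != head; e = e->Flink) {
        if (e->Blink->Flink != e || e->Flink->Blink != e) return -1;
        n++;
    }
    return n;
}

/* Constructed sample: three processes with the Cid/ParentCid from the notes
 * plus the System process; "parent.exe" is a made-up image name. */
static TOY_PROCESS procs[3];
static LIST_ENTRY  active_head;

LIST_ENTRY *build_sample_list(void) {
    static const uint32_t pids[3]  = { 0x0d9c, 0x059c, 4 };
    static const char    *names[3] = { "notepad.exe", "parent.exe", "System" };
    list_init(&active_head);
    for (int i = 0; i < 3; i++) {
        procs[i].UniqueProcessId = pids[i];
        memset(procs[i].ImageFileName, 0, sizeof procs[i].ImageFileName);
        strncpy(procs[i].ImageFileName, names[i], sizeof procs[i].ImageFileName - 1);
        list_insert_tail(&active_head, &procs[i].ActiveProcessLinks);
    }
    return &active_head;
}

int main(void) {
    LIST_ENTRY *head = build_sample_list();
    for (LIST_ENTRY *e = head->Flink; e != head; e = e->Flink) {
        TOY_PROCESS *p = CONTAINING_RECORD(e, TOY_PROCESS, ActiveProcessLinks);
        printf("Cid: %04x  Image: %s\n", (unsigned)p->UniqueProcessId, p->ImageFileName);
    }
    printf("%d entries, consistent: %s\n", list_count_checked(head),
           list_count_checked(head) >= 0 ? "yes" : "no");
    return 0;
}
```

The subtraction in CONTAINING_RECORD is exactly what WinDbg does for you when you run `dt _eprocess <address of ActiveProcessLinks minus its offset>`; the consistency check is the cheap cross-check that catches a node whose neighbours no longer agree with it.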
Code:
kd> !process 8242b3e0
PROCESS 8242b3e0  SessionId: 0  Cid: 0d9c    Peb: 7ffda000  ParentCid: 059c
    DirBase: 09a40340  ObjectTable: e16c5fb8  HandleCount:  42.
    Image: notepad.exe
    VadRoot 825f9598 Vads 65 Clone 0 Private 188. Modified 13. Locked 0.
    DeviceMap e1c64a98
    Token                             e1e7a388
    ElapsedTime                       00:18:07.756
    UserTime                          00:00:00.046
    KernelTime                        00:00:00.671
    QuotaPoolUsage[PagedPool]         62484
    QuotaPoolUsage[NonPagedPool]      2600
    Working Set Sizes (now,min,max)  (886, 50, 345) (3544KB, 200KB, 1380KB)
    PeakWorkingSetSize                892
    VirtualSize                       31 Mb
    PeakVirtualSize                   36 Mb
    PageFaultCount                    939
    MemoryPriority                    BACKGROUND
    ...
Code:
kd> !token e1e7a388   // the Token address obtained from !process <EPROCESS address>
_TOKEN e1e7a388
TS Session ID: 0
User: S-1-5-21-484763869-2111687655-725345543-500
Groups:
 00 S-1-5-21-484763869-2111687655-725345543-513
    Attributes - Mandatory Default Enabled
 01 S-1-1-0
    Attributes - Mandatory Default Enabled
 02 S-1-5-32-544
    Attributes - Mandatory Default Enabled Owner
 03 S-1-5-32-545
    Attributes - Mandatory Default Enabled
 04 S-1-5-4
    Attributes - Mandatory Default Enabled
 05 S-1-5-11
    Attributes - Mandatory Default Enabled
 06 S-1-5-5-0-61077
    Attributes - Mandatory Default Enabled LogonId
 07 S-1-2-0
    Attributes - Mandatory Default Enabled
Primary Group: S-1-5-21-484763869-2111687655-725345543-513
Privs:
 00 0x000000017 SeChangeNotifyPrivilege           Attributes - Enabled Default
 01 0x000000008 SeSecurityPrivilege               Attributes -
 02 0x000000011 SeBackupPrivilege                 Attributes -
 03 0x000000012 SeRestorePrivilege                Attributes -
 04 0x00000000c SeSystemtimePrivilege             Attributes -
 05 0x000000013 SeShutdownPrivilege               Attributes -
 06 0x000000018 SeRemoteShutdownPrivilege         Attributes -
 07 0x000000009 SeTakeOwnershipPrivilege          Attributes -
 08 0x000000014 SeDebugPrivilege                  Attributes -
 09 0x000000016 SeSystemEnvironmentPrivilege      Attributes -
 10 0x00000000b SeSystemProfilePrivilege          Attributes -
 11 0x00000000d SeProfileSingleProcessPrivilege   Attributes -
 12 0x00000000e SeIncreaseBasePriorityPrivilege   Attributes -
 13 0x00000000a SeLoadDriverPrivilege             Attributes - Enabled
 14 0x00000000f SeCreatePagefilePrivilege         Attributes -
 15 0x000000005 SeIncreaseQuotaPrivilege          Attributes -
 16 0x000000019 SeUndockPrivilege                 Attributes - Enabled
 17 0x00000001c SeManageVolumePrivilege           Attributes -
 18 0x00000001d SeImpersonatePrivilege            Attributes - Enabled Default
 19 0x00000001e SeCreateGlobalPrivilege           Attributes - Enabled Default
Authentication ID:         (0,f079)
Impersonation Level:       Anonymous
TokenType:                 Primary
Source: User32             TokenFlags: 0x89 ( Token in use )
Token ID: 50dd6            ParentToken ID: 0
Modified ID:               (0, 50dd8)
RestrictedSidCount: 0      RestrictedSids: 00000000
Code:
kd> dt nt!_Token e1e7a388
   +0x000 TokenSource      : _TOKEN_SOURCE
   +0x010 TokenId          : _LUID
   +0x018 AuthenticationId : _LUID
   +0x020 ParentTokenId    : _LUID
   +0x028 ExpirationTime   : _LARGE_INTEGER 0x7fffffff`ffffffff
   +0x030 TokenLock        : 0x825886b0 _ERESOURCE
   +0x038 AuditPolicy      : _SEP_AUDIT_POLICY
   +0x040 ModifiedId       : _LUID
   +0x048 SessionId        : 0
   +0x04c UserAndGroupCount : 9
   +0x050 RestrictedSidCount : 0
   +0x054 PrivilegeCount   : 0x14
   +0x058 VariableLength   : 0x214
   +0x05c DynamicCharged   : 0x1f4
   +0x060 DynamicAvailable : 0
   +0x064 DefaultOwnerIndex : 0
   +0x068 UserAndGroups    : 0xe1e7a518 _SID_AND_ATTRIBUTES
   +0x06c RestrictedSids   : (null)
   +0x070 PrimaryGroup     : 0xe1f45118
   +0x074 Privileges       : 0xe1e7a428 _LUID_AND_ATTRIBUTES
   +0x078 DynamicPart      : 0xe1f45118  -> 0x501
   +0x07c DefaultDacl      : 0xe1f45134 _ACL
   +0x080 TokenType        : 1 ( TokenPrimary )
   +0x084 ImpersonationLevel : 0 ( SecurityAnonymous )
   +0x088 TokenFlags       : 0x89
   +0x08c TokenInUse       : 0x1 ''
   +0x090 ProxyData        : (null)
   +0x094 AuditData        : (null)
   +0x098 OriginatingLogonSession : _LUID
   +0x0a0 VariablePart     : 0x17
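The !token output and the _TOKEN fields PrivilegeCount (0x14 = 20) and Privileges describe the same array of _LUID_AND_ATTRIBUTES entries. The following C example (added here; it is not the book's or the notes' code) transcribes the 20 privileges listed above into that array and evaluates them with the SE_PRIVILEGE_ENABLED / SE_PRIVILEGE_ENABLED_BY_DEFAULT attribute bits from winnt.h. TOY_TOKEN is a hypothetical two-field stand-in for nt!_TOKEN; the LUID values are the ones !token printed, and SeTcbPrivilege (LUID 7) is used as the example of a privilege the token does not hold.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Attribute bits of _LUID_AND_ATTRIBUTES.Attributes, as defined in winnt.h. */
#define SE_PRIVILEGE_ENABLED_BY_DEFAULT 0x00000001u
#define SE_PRIVILEGE_ENABLED            0x00000002u

typedef struct { uint32_t LowPart; int32_t HighPart; } LUID;
typedef struct { LUID Luid; uint32_t Attributes; } LUID_AND_ATTRIBUTES;

/* Hypothetical stand-in for the two nt!_TOKEN fields this example reads. */
typedef struct {
    uint32_t PrivilegeCount;                 /* +0x054 in the dt output above */
    const LUID_AND_ATTRIBUTES *Privileges;   /* +0x074 */
} TOY_TOKEN;

/* Privileges exactly as !token listed them for notepad.exe:
 * "Enabled Default" -> 0x3, "Enabled" -> 0x2, nothing -> 0 (held but disabled). */
static const LUID_AND_ATTRIBUTES notepad_privs[] = {
    { { 0x17, 0 }, 0x3 }, /* SeChangeNotifyPrivilege          Enabled Default */
    { { 0x08, 0 }, 0x0 }, /* SeSecurityPrivilege */
    { { 0x11, 0 }, 0x0 }, /* SeBackupPrivilege */
    { { 0x12, 0 }, 0x0 }, /* SeRestorePrivilege */
    { { 0x0c, 0 }, 0x0 }, /* SeSystemtimePrivilege */
    { { 0x13, 0 }, 0x0 }, /* SeShutdownPrivilege */
    { { 0x18, 0 }, 0x0 }, /* SeRemoteShutdownPrivilege */
    { { 0x09, 0 }, 0x0 }, /* SeTakeOwnershipPrivilege */
    { { 0x14, 0 }, 0x0 }, /* SeDebugPrivilege */
    { { 0x16, 0 }, 0x0 }, /* SeSystemEnvironmentPrivilege */
    { { 0x0b, 0 }, 0x0 }, /* SeSystemProfilePrivilege */
    { { 0x0d, 0 }, 0x0 }, /* SeProfileSingleProcessPrivilege */
    { { 0x0e, 0 }, 0x0 }, /* SeIncreaseBasePriorityPrivilege */
    { { 0x0a, 0 }, 0x2 }, /* SeLoadDriverPrivilege            Enabled */
    { { 0x0f, 0 }, 0x0 }, /* SeCreatePagefilePrivilege */
    { { 0x05, 0 }, 0x0 }, /* SeIncreaseQuotaPrivilege */
    { { 0x19, 0 }, 0x2 }, /* SeUndockPrivilege                Enabled */
    { { 0x1c, 0 }, 0x0 }, /* SeManageVolumePrivilege */
    { { 0x1d, 0 }, 0x3 }, /* SeImpersonatePrivilege           Enabled Default */
    { { 0x1e, 0 }, 0x3 }, /* SeCreateGlobalPrivilege          Enabled Default */
};
static const TOY_TOKEN notepad_token = { 20, notepad_privs };   /* PrivilegeCount 0x14 */

/* Attributes of a privilege by LUID, or -1 when the token does not hold it at all. */
long token_privilege_attributes(const TOY_TOKEN *t, uint32_t luid_low) {
    for (uint32_t i = 0; i < t->PrivilegeCount; i++) {
        const LUID_AND_ATTRIBUTES *p = &t->Privileges[i];
        if (p->Luid.LowPart == luid_low && p->Luid.HighPart == 0)
            return (long)p->Attributes;
    }
    return -1;
}

/* Held and currently enabled: the only state a privilege check honours. */
bool token_privilege_enabled(const TOY_TOKEN *t, uint32_t luid_low) {
    long a = token_privilege_attributes(t, luid_low);
    return a >= 0 && (a & SE_PRIVILEGE_ENABLED) != 0;
}

unsigned token_count_enabled(const TOY_TOKEN *t) {
    unsigned n = 0;
    for (uint32_t i = 0; i < t->PrivilegeCount; i++)
        if (t->Privileges[i].Attributes & SE_PRIVILEGE_ENABLED) n++;
    return n;
}

int main(void) {
    printf("held=%u enabled=%u\n", (unsigned)notepad_token.PrivilegeCount,
           token_count_enabled(&notepad_token));
    printf("SeDebugPrivilege (0x14): attributes=%ld enabled=%d\n",
           token_privilege_attributes(&notepad_token, 0x14),
           token_privilege_enabled(&notepad_token, 0x14));
    printf("SeLoadDriverPrivilege (0x0a): enabled=%d\n",
           token_privilege_enabled(&notepad_token, 0x0a));
    printf("SeTcbPrivilege (0x07): attributes=%ld\n",
           token_privilege_attributes(&notepad_token, 0x07));
    return 0;
}
```

The distinction the code draws matters when reviewing a token: SeDebugPrivilege shows attributes 0, so it is held but disabled, which is different from not being present at all (attributes -1); a holder can turn a held-but-disabled privilege on, so an audit counts both states.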
kd> .process 8242b3e0
Implicit process is now 8242b3e0
Display the process environment block. This block is set up by the kernel and mapped into user space, so the PEB address of several processes may be the same value.
Code:
kd> dt _peb 0x7ffda000
nt!_PEB
   +0x000 InheritedAddressSpace : 0 ''
   +0x001 ReadImageFileExecOptions : 0 ''
   +0x002 BeingDebugged    : 0 ''                  // whether the process is being debugged
   +0x003 SpareBool        : 0 ''
   +0x004 Mutant           : 0xffffffff
   +0x008 ImageBaseAddress : 0x01000000            // base address of the executable image (EXE)
   +0x00c Ldr              : 0x001a1e90 _PEB_LDR_DATA
   +0x010 ProcessParameters : 0x00020000 _RTL_USER_PROCESS_PARAMETERS
   +0x014 SubSystemData    : (null)
   +0x018 ProcessHeap      : 0x000a0000            // process heap
   +0x01c FastPebLock      : 0x7c99e4c0 _RTL_CRITICAL_SECTION
   .....
   +0x064 NumberOfProcessors : 1                   // number of CPUs
   +0x068 NtGlobalFlag     : 0                     // global flags
   +0x070 CriticalSectionTimeout : _LARGE_INTEGER 0xffffe86d`079b8000
   +0x078 HeapSegmentReserve : 0x100000            // total reserved space of the default process heap, 1 MB
   +0x07c HeapSegmentCommit : 0x2000               // committed space of the default process heap
   +0x080 HeapDeCommitTotalFreeThreshold : 0x10000
   +0x084 HeapDeCommitFreeBlockThreshold : 0x1000
   +0x088 NumberOfHeaps    : 9                     // number of heaps
   +0x08c MaximumNumberOfHeaps : 0x10              // maximum number of heaps
   +0x090 ProcessHeaps     : 0x7c99de80  -> 0x000a0000   // address of the array holding the heap handles
   +0x094 GdiSharedHandleTable : 0x00470000        // GDI shared handle table
   +0x098 ProcessStarterHelper : (null)
   +0x09c GdiDCAttributeList : 0x14
   +0x0a0 LoaderLock       : 0x7c99c0d8
   +0x0a4 OSMajorVersion   : 5                     // OS major version
   +0x0a8 OSMinorVersion   : 1                     // OS minor version
   +0x0ac OSBuildNumber    : 0xa28                 // OS build number, i.e. 2600
   +0x0ae OSCSDVersion     : 0x200                 // service pack version
   +0x0b0 OSPlatformId     : 2                     // platform: 2 = NT, 1 = 9x, 3 = WinCE
   +0x0b4 ImageSubsystem   : 2                     // environment subsystem ID
   +0x0b8 ImageSubsystemMajorVersion : 4           // environment subsystem major version
   +0x0bc ImageSubsystemMinorVersion : 0           // environment subsystem minor version
   +0x0c0 ImageProcessAffinityMask : 0
   +0x0c4 GdiHandleBuffer  : [34] 0
   +0x14c PostProcessInitRoutine : (null)
   +0x150 TlsExpansionBitmap : 0x7c99e478
   +0x154 TlsExpansionBitmapBits : [32] 0
   +0x1d4 SessionId        : 0                     // session ID
   ......
Code:
kd> !peb 0x7ffda000
PEB at 7ffda000
InheritedAddressSpace: No
ReadImageFileExecOptions: No
BeingDebugged: No
ImageBaseAddress: 01000000
Ldr 001a1e90
Ldr.Initialized: Yes
Ldr.InInitializationOrderModuleList: 001a1f28 . 001a2fa0
Ldr.InLoadOrderModuleList: 001a1ec0 . 001a2f90
Ldr.InMemoryOrderModuleList: 001a1ec8 . 001a2f98
Base TimeStamp Module
1000000 41107cc3 Aug 04 14:05:55 2004 ??????????????????????????
7c920000 4121457c Aug 17 07:38:36 2004 C:\WINDOWS\system32\ntdll.dll
7c800000 4121457c Aug 17 07:38:36 2004 C:\WINDOWS\system32\kernel32.dll
76320000 4121455b Aug 17 07:38:03 2004 C:\WINDOWS\system32\comdlg32.dll
77f40000 41214578 Aug 17 07:38:32 2004 C:\WINDOWS\system32\SHLWAPI.dll
77be0000 412145fe Aug 17 07:40:46 2004 C:\WINDOWS\system32\msvcrt.dll
77ef0000 4121453f Aug 17 07:37:35 2004 C:\WINDOWS\system32\GDI32.dll
77d10000 41214577 Aug 17 07:38:31 2004 C:\WINDOWS\system32\USER32.dll
77da0000 4121454d Aug 17 07:37:49 2004 C:\WINDOWS\system32\ADVAPI32.dll
77e50000 41214569 Aug 17 07:38:17 2004 C:\WINDOWS\system32\RPCRT4.dll
77180000 41214532 Aug 17 07:37:22 2004 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\COMCTL32.dll
773a0000 41214573 Aug 17 07:38:27 2004 C:\WINDOWS\system32\SHELL32.dll
72f70000 4121457a Aug 17 07:38:34 2004 C:\WINDOWS\system32\WINSPOOL.DRV
5cc30000 41214576 Aug 17 07:38:30 2004 C:\WINDOWS\system32\ShimEng.dll
58fb0000 41214534 Aug 17 07:37:24 2004 C:\WINDOWS\AppPatch\AcGenral.DLL
76b10000 4121459a Aug 17 07:39:06 2004 C:\WINDOWS\system32\WINMM.dll
.......
74680000 41214596 Aug 17 07:39:02 2004 C:\WINDOWS\system32\MSCTF.dll
73640000 41214597 Aug 17 07:39:03 2004 C:\WINDOWS\system32\msctfime.ime
SubSystemData: 00000000
ProcessHeap: 000a0000
ProcessParameters: 00020000
WindowTitle: '< Name not readable >'
ImageFile: '< Name not readable >'
CommandLine: '< Name not readable >'
DllPath: ''
Environment: 00140013
Mode switching:
Eax holds the system service number
Edx holds the parameters
Int 2E or a fast system call switches to the kernel
kd> !idt 2e
Dumping IDT:
2e: 8053d651 nt!KiSystemService
Fast system calls use MSR registers.
In IA-32 these are called MSRs (Model Specific Registers). Three special registers are involved here:
Code:
SYSENTER_CS_MSR:   New code segment selector    0x174
SYSENTER_ESP_MSR:  New stack pointer            0x175
SYSENTER_EIP_MSR:  New instruction pointer      0x176

kd> rdmsr 174
msr[174] = 00000000`00000008
kd> dg 8          // CS selector: KGDT_R0_CODE is 8; for the rest see the WinDbg help on dg
                                  P Si Gr Pr Lo
Sel    Base     Limit     Type    l ze an es ng Flags
---- -------- -------- ---------- - -- -- -- -- --------
0008 00000000 ffffffff Code RE    0 Bg Pg P  Nl 00000c9a
kd> rdmsr 175
msr[175] = 00000000`f79ef000
kd> rdmsr 176
msr[176] = 00000000`8053d710
kd> x nt!kifastcallentry
8053d710 nt!KiFastCallEntry = <no type information>
RDMSR  0F 32  does not affect the flags; copies the contents of the model-specific register selected by ECX into EDX:EAX
WRMSR  0F 30  does not affect the flags; writes the contents of EDX:EAX into the model-specific register selected by ECX
Code:
    // coded by greatcsk
    // enable BTS
    mov ecx, MSR_DEBUGCTL
    xor edx, edx            // WRMSR writes EDX:EAX, so clear the high half
    mov eax, 0x1c
    WRMSR
    // disable BTS
    mov ecx, MSR_DEBUGCTL
    xor edx, edx
    xor eax, eax
    WRMSR
SYSENTER:
1. Load SYSENTER_CS_MSR into the CS register, setting the target code segment
2. Load SYSENTER_EIP_MSR into the EIP register, setting the target instruction
3. Load SYSENTER_CS_MSR+8 into the SS register, setting the stack segment
4. Load SYSENTER_ESP_MSR into the ESP register, setting the stack frame
5. Switch to ring 0
6. Clear the VM flag in EFLAGS
7. Execute the ring 0 routine
SYSEXIT:
1. Load SYSENTER_CS_MSR+16 into the CS register
2. Move the value of EDX into EIP
3. Load SYSENTER_CS_MSR+24 into the SS register
4. Move the value of ECX into ESP
5. Switch back to ring 3
6. Execute the ring 3 instruction at EIP
In the WRK (Windows Research Kernel) published by Microsoft we find where these three registers are set up; the value written to SYSENTER_EIP_MSR is KiFastCallEntry.
The code is as follows (I later found out that it comes from the rootkit series on pediy):
Code:
VOID
KiLoadFastSyscallMachineSpecificRegisters( IN PLONG Context )
/*++
Routine Description: Load MSRs used to support Fast Syscall/return. This routine is
run on all processors.
Arguments: None.
Return Value: None.
--*/
{
    PKPRCB Prcb;
    UNREFERENCED_PARAMETER (Context);
    if (KiFastSystemCallIsIA32) {
        Prcb = KeGetCurrentPrcb();
        // Use Intel defined way of doing this.
        WRMSR(MSR_SYSENTER_CS, KGDT_R0_CODE);
        WRMSR(MSR_SYSENTER_EIP, (ULONGLONG)(ULONG)KiFastCallEntry);
        WRMSR(MSR_SYSENTER_ESP, (ULONGLONG)(ULONG)Prcb->DpcStack);
    }
}
Here is how it looks on my machine:
kd> rdmsr 176
msr[176] = 00000000`8053d710
kd> u 8053d710
nt!KiFastCallEntry:
8053d710 b923000000 mov ecx,23h
8053d715 6a30 push 30h
8053d717 0fa1 pop fs
8053d719 8ed9 mov ds,cx
8053d71b 8ec1 mov es,cx
8053d71d 8b0d40f0dfff mov ecx,dword ptr ds:[0FFDFF040h]
8053d723 8b6104 mov esp,dword ptr [ecx+4]
8053d726 6a23 push 23h
Below is an example from rootkit.com. The example is a bit unkind: it BSODs when you unload it. I made a simple modification; the code is as follows:
#include "ntddk.h"

ULONG d_origKiFastCallEntry;   // Original value of ntoskrnl!KiFastCallEntry

VOID OnUnload( IN PDRIVER_OBJECT DriverObject )
{
    _asm
    {
        mov ecx, 0x176
        xor edx, edx
        mov eax, d_origKiFastCallEntry   // original KiFastCallEntry address
        wrmsr                            // Write to the IA32_SYSENTER_EIP register
    }
}

// Hook function
__declspec(naked) VOID MyKiFastCallEntry()
{
    __asm {
        jmp [d_origKiFastCallEntry]
    }
}

NTSTATUS DriverEntry( IN PDRIVER_OBJECT theDriverObject, IN PUNICODE_STRING theRegistryPath )
{
    theDriverObject->DriverUnload = OnUnload;
    __asm {
        mov ecx, 0x176                   // SYSENTER_EIP_MSR
        rdmsr                            // read the value of the IA32_SYSENTER_EIP register
        mov d_origKiFastCallEntry, eax
        mov eax, MyKiFastCallEntry       // Hook function address
        wrmsr                            // Write to the IA32_SYSENTER_EIP register
    }
    return STATUS_SUCCESS;
}
The idea of the hook is to replace the KiFastCallEntry address held in SYSENTER_EIP_MSR (MSR 0x176).
http://bbs.pediy.com/showthread.php?t=42705
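As an added example (not from the notes, the WRK or the rootkit.com sample), the following C program models the SYSENTER and SYSEXIT register loads from the three MSR values read above, and implements the check a defender runs against the hook just described: the SYSENTER_EIP_MSR value must still fall inside the ntoskrnl image. The ring-3 starting state, the EDX/ECX values given to SYSEXIT, the ntoskrnl base and size (NTOS_BASE_PLACEHOLDER / NTOS_SIZE_PLACEHOLDER) and the redirected address REDIRECTED_EIP_SAMPLE are constructed placeholders; the RPL = 3 forced onto the SYSEXIT selectors comes from the Intel SDM rather than from the step list above.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* MSR numbers used by rdmsr/wrmsr in the notes. */
#define MSR_SYSENTER_CS  0x174
#define MSR_SYSENTER_ESP 0x175
#define MSR_SYSENTER_EIP 0x176
#define EFLAGS_VM        0x20000u

typedef struct { uint32_t cs, esp, eip; } SYSENTER_MSRS;
/* The three values read with rdmsr 174/175/176 above. */
static const SYSENTER_MSRS observed = { 0x00000008u, 0xf79ef000u, 0x8053d710u };

/* Registers the two instructions touch. */
typedef struct { uint32_t cs, ss, eip, esp, eflags; int cpl; } CPU_STATE;

/* A constructed ring-3 starting state: user-mode selectors 0x1b/0x23, arbitrary
 * EIP/ESP, VM bit set so that the clearing in step 6 is visible. */
CPU_STATE user_state_sample(void) {
    CPU_STATE s = { 0x1b, 0x23, 0x00401000u, 0x0012ff00u, 0x202u | EFLAGS_VM, 3 };
    return s;
}

/* SYSENTER, following steps 1-7: CS and SS from SYSENTER_CS_MSR (RPL bits
 * cleared), EIP/ESP from the other two MSRs, ring 0, VM flag cleared. */
CPU_STATE do_sysenter(const SYSENTER_MSRS *m, CPU_STATE s) {
    s.cs      = m->cs & 0xfffcu;           /* step 1 */
    s.eip     = m->eip;                    /* step 2 */
    s.ss      = (m->cs + 8) & 0xfffcu;     /* step 3 */
    s.esp     = m->esp;                    /* step 4 */
    s.cpl     = 0;                         /* step 5 */
    s.eflags &= ~EFLAGS_VM;                /* step 6 */
    return s;                              /* step 7: execution continues at EIP */
}

/* SYSEXIT, following steps 1-6; the "| 3" (RPL = 3) on CS and SS is what the
 * Intel SDM specifies and is why Windows user mode runs with 0x1b/0x23. */
CPU_STATE do_sysexit(const SYSENTER_MSRS *m, CPU_STATE s, uint32_t edx, uint32_t ecx) {
    s.cs  = ((m->cs + 16) & 0xfffcu) | 3;  /* step 1 */
    s.eip = edx;                           /* step 2 */
    s.ss  = ((m->cs + 24) & 0xfffcu) | 3;  /* step 3 */
    s.esp = ecx;                           /* step 4 */
    s.cpl = 3;                             /* step 5 */
    return s;                              /* step 6 */
}

/* Integrity check against the SYSENTER_EIP_MSR hook: the legitimate target,
 * nt!KiFastCallEntry, lies inside the ntoskrnl image, so a value outside
 * [image_base, image_base + image_size) means the MSR has been redirected. */
bool sysenter_eip_in_kernel_image(uint32_t eip, uint32_t image_base, uint32_t image_size) {
    return eip >= image_base && (eip - image_base) < image_size;
}

/* Placeholders for the ntoskrnl base and size (constructed; on a real system
 * take them from the loaded-module list, e.g. "lm m nt" in WinDbg). */
#define NTOS_BASE_PLACEHOLDER 0x80400000u
#define NTOS_SIZE_PLACEHOLDER 0x00200000u
/* A constructed address in driver space standing in for a hooked value. */
#define REDIRECTED_EIP_SAMPLE 0xf8a12000u

int main(void) {
    CPU_STATE k = do_sysenter(&observed, user_state_sample());
    printf("after SYSENTER: cs=%04x ss=%04x eip=%08x esp=%08x cpl=%d vm=%d\n",
           k.cs, k.ss, k.eip, k.esp, k.cpl, (k.eflags & EFLAGS_VM) != 0);
    CPU_STATE u = do_sysexit(&observed, k, 0x00401000u, 0x0012ff00u);
    printf("after SYSEXIT:  cs=%04x ss=%04x eip=%08x esp=%08x cpl=%d\n",
           u.cs, u.ss, u.eip, u.esp, u.cpl);
    printf("msr[%x] = %08x inside kernel image: %s\n", MSR_SYSENTER_EIP, observed.eip,
           sysenter_eip_in_kernel_image(observed.eip, NTOS_BASE_PLACEHOLDER, NTOS_SIZE_PLACEHOLDER)
               ? "yes" : "NO");
    printf("msr[%x] = %08x inside kernel image: %s\n", MSR_SYSENTER_EIP, REDIRECTED_EIP_SAMPLE,
           sysenter_eip_in_kernel_image(REDIRECTED_EIP_SAMPLE, NTOS_BASE_PLACEHOLDER, NTOS_SIZE_PLACEHOLDER)
               ? "yes" : "NO");
    return 0;
}
```

The same range check applied to the `rdmsr 176` value on each processor is the whole of the detection: a driver that took the hook above leaves msr[176] pointing into its own image rather than into ntoskrnl, and since the MSR is per-CPU the check has to be repeated on every processor (the WRK routine above runs on all of them for the same reason).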
Processes without an image file: the System process and the Idle process
The System process has PID 4 (XP and later) or 8; the Idle process has PID 0.
Information about Idle can be obtained by displaying the processor control block (PRCB).
Code:
kd> !prcb
PRCB for Processor 0 at ffdff120:
Threads--  Current 827ba8b8 (current ETHREAD pointer)  Next 00000000  Idle 80552920
Number 0 SetMember 1
Interrupt Count -- 00028774
Times -- Dpc 00000068 Interrupt 0000014f
         Kernel 0000336d User 0000044b
kd> !thread 80552920
THREAD 80552920  Cid 0000.0000  Teb: 00000000 Win32Thread: 00000000 RUNNING on processor 0
Not impersonating
Owning Process            0       Image:         <Unknown>
Attached Process          80552b80       Image:         Idle   // EPROCESS information
Wait Start TickCount      3510           Ticks: 10754 (0:00:02:48.031)
Context Switch Count      21950
UserTime                  00:00:00.000
KernelTime                00:01:59.703
Stack Init 8054a100 Current 80549e4c Base 8054a100 Limit 80547100 Call 0
Priority 16 BasePriority 0 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr  Args to Child
80549e54 00000000 0000000e 00000000 00000000 nt!KiIdleLoop+0x5f (FPO: [0,0,0])
kd> dt _eprocess 80552b80
ntdll!_EPROCESS
   +0x000 Pcb              : _KPROCESS
   +0x174 ImageFileName    : [16]  "Idle"
   +0x252 SubSystemVersion : 0
   +0x254 PriorityClass    : 0 ''
   +0x255 WorkingSetAcquiredUnsafe : 0 ''
   +0x258 Cookie           : 0
kd> !process 80552b80
PROCESS 80552b80  SessionId: none  Cid: 0000    Peb: 00000000  ParentCid: 0000
    DirBase: 00b1f000  ObjectTable: e1000cc0  HandleCount: 247.
    Image: Idle
    VadRoot 00000000 Vads 0 Clone 0 Private 0. Modified 0. Locked 0.
    DeviceMap 00000000
    Token                             e10017e8
    ElapsedTime                       00:00:00.000
    UserTime                          00:00:00.000
    KernelTime                        00:01:59.703

        THREAD 80552920  Cid 0000.0000  Teb: 00000000 Win32Thread: 00000000 RUNNING on processor 0
        Not impersonating
        Owning Process            0       Image:         <Unknown>
        Attached Process          80552b80       Image:         Idle
        Wait Start TickCount      3510           Ticks: 10754 (0:00:02:48.031)
        Context Switch Count      21950
        UserTime                  00:00:00.000
        KernelTime                00:01:59.703
Session manager process SMSS.exe: the first process in the system created from an image file. It loads and initializes the Win32 subsystem's kernel module Win32k.sys, creates the Win32 subsystem server process CSRSS.exe, and creates the logon process WinLogon.exe.
Windows subsystem server process CSRSS.exe: maintains the "day-to-day affairs" of the Windows subsystem and provides services to the processes in the subsystem.
Logon process WinLogon.exe: handles user logon and security-related matters. After starting it creates the LSASS process and the service control manager process Services.exe. XP's Windows File Protection (WFP) is also implemented in this process (sfc.dll and sfc_os.dll).
Local security authority process LSASS.exe: responsible for user authentication. LSASS stands for Local Security Authority Subsystem Service.
Service control manager process Services.exe: starts and manages the system service programs. Spoolsv.exe is the print spooler service, WmiPrvSE.exe is the WMI provider host service, and SvcHost.exe is a generic service host program.
OS/2 subsystem and POSIX subsystem server processes: used to run OS/2 and POSIX-compliant programs on Windows.
Shell program: Explorer.exe by default; responsible for displaying the Start menu, taskbar, desktop icons and so on.
When debug information is sent:
At process creation, if there are no other threads it is reported as a process event, otherwise as a thread event; when a thread exits, if the thread count is not 0 it is reported as a thread event, otherwise as a process event.
When a DLL is loaded, both NtMap and NtUnmap call into the debug subsystem to decide whether a debug event needs to be sent.
Other exception events are likewise checked for whether debug information should be sent; when it is, the process is frozen (apart from the thread being debugged), and it is resumed once the debugger has handled the event and returned.
_KTHREAD has members recording the thread's current freeze and suspend counts
+0x1b8 FreezeCount : 0 ''
+0x1b9 SuspendCount : 0 ''
+0x1ba IdealProcessor : 0 ''
+0x1bb DisableBoost : 0 ''
kd> dt _KTHREAD freezecount 8242bda8
ntdll!_KTHREAD
+0x1b8 FreezeCount : 0 ''