Something related to the Idle process
Like the System process, the Idle process is a special process. Strictly speaking it is not a real process at all, but it does have its own EPROCESS, and every processor has an idle thread (KPRCB.IdleThread) that belongs to it.
If you do treat it as a process, its address space, handle table and token are those of the System process: it shares the kernel's data with System, so it cannot be reasoned about the way an ordinary process can.
Two questions about the Idle process:
1. Why can't the Idle process be found on the active process list?
Because it is not linked into the active process list at all.
Some people, when walking ActiveProcessLinks, notice one very odd entry: the PID is nonsense and the image name cannot be read, and they conclude that it must be the Idle process.
It is not. That node is PsActiveProcessHead, the head of the active process list. It is only a LIST_ENTRY, not an EPROCESS, so interpreting the memory around it as process fields is meaningless.
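The mistake behind that "strange process" is easy to reproduce in user mode. The following is an added example, not code from the original post: a mock of the kernel's LIST_ENTRY / CONTAINING_RECORD mechanics with a made-up MOCK_EPROCESS layout, constructed PIDs and image names, and a stand-in for PsActiveProcessHead. The naive walk starts from a process it already holds and follows Flink until it returns to that process, so it passes through the list head and reports it as a process with a junk PID and an unreadable name; the corrected walk skips the node whose address is the head.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* User-mode mock of the kernel structures involved. The MOCK_EPROCESS layout
 * is invented for this example; only the list mechanics match the kernel's. */
typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;
    struct _LIST_ENTRY *Blink;
} LIST_ENTRY;

#define CONTAINING_RECORD(addr, type, field) \
    ((type *)((char *)(addr) - offsetof(type, field)))

typedef struct _MOCK_EPROCESS {
    uint32_t   UniqueProcessId;
    LIST_ENTRY ActiveProcessLinks;
    char       ImageFileName[16];
} MOCK_EPROCESS;

/* Stand-in for nt!PsActiveProcessHead. In the kernel it is a bare LIST_ENTRY
 * global; whatever sits around it in memory is NOT an EPROCESS. So that
 * misreading it stays well-defined here, the head lives inside an
 * EPROCESS-sized buffer whose other bytes are filled with junk (0xCC). */
static union {
    MOCK_EPROCESS AsProcess;
    unsigned char Bytes[sizeof(MOCK_EPROCESS)];
} g_headStorage;
#define PsActiveProcessHead (g_headStorage.AsProcess.ActiveProcessLinks)

/* Constructed sample processes (PIDs and names are made up). */
static MOCK_EPROCESS g_procs[3] = {
    { 4,   { NULL, NULL }, "System"    },
    { 552, { NULL, NULL }, "smss.exe"  },
    { 612, { NULL, NULL }, "csrss.exe" },
};

static void InsertTailList(LIST_ENTRY *head, LIST_ENTRY *entry)
{
    LIST_ENTRY *last = head->Blink;
    entry->Flink = head;
    entry->Blink = last;
    last->Flink  = entry;
    head->Blink  = entry;
}

/* Build the ring: head <-> System <-> smss <-> csrss <-> head. Idempotent. */
static void BuildList(void)
{
    memset(g_headStorage.Bytes, 0xCC, sizeof g_headStorage.Bytes);
    PsActiveProcessHead.Flink = PsActiveProcessHead.Blink = &PsActiveProcessHead;
    for (size_t i = 0; i < sizeof g_procs / sizeof g_procs[0]; i++)
        InsertTailList(&PsActiveProcessHead, &g_procs[i].ActiveProcessLinks);
}

static void PrintEntry(const MOCK_EPROCESS *p)
{
    printf("  PID 0x%08x  image '", p->UniqueProcessId);
    for (int i = 0; i < 16 && p->ImageFileName[i]; i++) {
        unsigned char c = (unsigned char)p->ImageFileName[i];
        if (c >= 0x20 && c < 0x7f) putchar(c); else printf("\\x%02x", c);
    }
    printf("'\n");
}

/* The mistake: start at a process you already hold and follow Flink until you
 * are back at it, treating every node as an EPROCESS. The ring passes through
 * PsActiveProcessHead, which then shows up as a "process" with a nonsense PID
 * and an unreadable image name. Returns the number of nodes reported. */
static int NaiveWalk(MOCK_EPROCESS *start, int verbose)
{
    int count = 0;
    LIST_ENTRY *e = &start->ActiveProcessLinks;
    do {
        MOCK_EPROCESS *p = CONTAINING_RECORD(e, MOCK_EPROCESS, ActiveProcessLinks);
        if (verbose) PrintEntry(p);
        count++;
        e = e->Flink;
    } while (e != &start->ActiveProcessLinks);
    return count;
}

/* The fix: compare each node against the head's address and skip it (walking
 * from PsActiveProcessHead.Flink until you reach the head again is equivalent). */
static int CorrectWalk(MOCK_EPROCESS *start, int verbose)
{
    int count = 0;
    LIST_ENTRY *e = &start->ActiveProcessLinks;
    do {
        if (e != &PsActiveProcessHead) {
            MOCK_EPROCESS *p = CONTAINING_RECORD(e, MOCK_EPROCESS, ActiveProcessLinks);
            if (verbose) PrintEntry(p);
            count++;
        }
        e = e->Flink;
    } while (e != &start->ActiveProcessLinks);
    return count;
}

/* What the head looks like if you insist on reading it as an EPROCESS. */
static uint32_t HeadMisreadAsPid(void)
{
    return CONTAINING_RECORD(&PsActiveProcessHead, MOCK_EPROCESS, ActiveProcessLinks)->UniqueProcessId;
}

int main(void)
{
    BuildList();
    puts("Naive walk (head counted as a process):");
    NaiveWalk(&g_procs[1], 1);
    puts("Correct walk (head skipped):");
    CorrectWalk(&g_procs[1], 1);
    return 0;
}
```

Starting from smss.exe, the naive walk prints four entries, one of them with PID 0xcccccccc and sixteen unprintable name bytes; the corrected walk prints three. In the real kernel the junk values are whatever globals happen to neighbour PsActiveProcessHead, which is why the bogus PID looks different on every build.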
2. How do you find the Idle process?
Brute-force memory searches have been posted for this, but they are completely unnecessary.
The idle thread is recorded in the processor control block (KPRCB.IdleThread). Whenever a processor has no runnable thread, the scheduler runs its idle thread, which loops in the idle routine (draining DPCs and looking for a thread to dispatch). The original post wonders whether zero-page processing happens here; it does not, zeroing of free pages is done by a separate low-priority system thread. Every processor has its own idle thread, but they all belong to the one Idle process, so any processor's KPRCB will do.
So the most convenient way to reach the Idle process is through the KPRCB.
The procedure is as follows (XP x86: processor 0's KPCR is at 0xffdff000 and its embedded PrcbData starts at +0x120, hence the address ffdff120; the same values are shown by !pcr):
lkd> dt _KPRCB ffdff120
nt!_KPRCB
   +0x000 MinorVersion     : 1
   +0x002 MajorVersion     : 1
   +0x004 CurrentThread    : 0x8958fda8 _KTHREAD
   +0x008 NextThread       : (null)
   +0x00c IdleThread       : 0x80561c20 _KTHREAD      // the idle thread
lkd> dt _KTHREAD 0x80561c20
nt!_KTHREAD
   +0x000 Header           : _DISPATCHER_HEADER
   +0x010 MutantListHead   : _LIST_ENTRY [ 0x80561c30 - 0x80561c30 ]
   +0x018 InitialStack     : 0x80559480
   +0x01c StackLimit       : 0x80556480
   +0x020 Teb              : (null)
   +0x024 TlsArray         : (null)
   +0x028 KernelStack      : 0x805591cc
   ....
   +0x034 ApcState         : _KAPC_STATE
lkd> dt _KAPC_STATE 0x80561c20+0x34
nt!_KAPC_STATE
   +0x000 ApcListHead      : [2] _LIST_ENTRY [ 0x80561c54 - 0x80561c54 ]
   +0x010 Process          : 0x80561e80 _KPROCESS     // this is the Idle process
   +0x014 KernelApcInProgress : 0 ''
   +0x015 KernelApcPending : 0 ''
   +0x016 UserApcPending   : 0 ''
The code for getting the Idle process from a driver is as follows (the same three dereferences the debugger session performed):
VOID GetIdleProcess(VOID)
{
    PEPROCESS IdleProcess;
    __asm
    {
        mov eax, fs:[0x20]      // KPCR.Prcb: pointer to this processor's KPRCB
        mov eax, [eax + 0xc]    // KPRCB.IdleThread
        mov eax, [eax + 0x44]   // KTHREAD.ApcState.Process (0x34 + 0x10)
        mov IdleProcess, eax
    }
    DbgPrint("IdleProcess = 0x%08x\n", IdleProcess);
}
Four lines of code ~~
The offsets 0x20, 0xc and 0x44 are hard-coded for XP/2003 x86 and change between Windows versions, so check them with dt on the target build before relying on them; the __asm block is also x86-only. In the debugger you can cross-check the result against the kernel's own global for the Idle process, dd nt!PsIdleProcess, which should print the same EPROCESS address.
From: http://laokaddk.blog.51cto.com/368606/338720