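- 说明:
0x776d7880 为 ntdll!_PEB_LDR_DATA 的首地址，0x00c 为其 InLoadOrderModuleList 成员在该结构中的偏移（该成员的第一个字段即 _LIST_ENTRY.Flink），因此 0x776d7880+0x00c 是加载顺序模块链表的表头地址。
注意：下面的输出中只有第一条记录（776d788c，即表头）是真正的 _PEB_LDR_DATA；其余节点是 ntdll!_LDR_DATA_TABLE_ENTRY，其 InLoadOrderLinks 位于偏移 0 处，所以用 dt ntdll!_PEB_LDR_DATA @$extret-0x00c 解析这些节点时，显示的字段名与实际含义不对应。例如在这份 32 位输出中，"EntryInProgress" 一栏实际是模块的 DllBase（节点+0x18），"ShutdownThreadId" 一栏实际是 SizeOfImage（节点+0x20）。若要按模块条目解析，应对表头以外的节点使用 dt ntdll!_LDR_DATA_TABLE_ENTRY @$extret。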
kd> !list "-t ntdll!_LIST_ENTRY.FLink -e -x \"dd @$extret l4; dt ntdll!_PEB_LDR_DATA @$extret-0x00c\" 0x776d7880+0x00c" dd @$extret l4; dt ntdll!_PEB_LDR_DATA @$extret-0x00c 776d788c 002117a8 0021edd0 002117b0 0021edd8 +0x000 Length : 0x30 +0x004 Initialized : 0x1 '' +0x008 SsHandle : (null) +0x00c InLoadOrderModuleList : _LIST_ENTRY [ 0x2117a8 - 0x21edd0 ] +0x014 InMemoryOrderModuleList : _LIST_ENTRY [ 0x2117b0 - 0x21edd8 ] +0x01c InInitializationOrderModuleList : _LIST_ENTRY [ 0x211838 - 0x21eae0 ] +0x024 EntryInProgress : (null) +0x028 ShutdownInProgress : 0 '' +0x02c ShutdownThreadId : (null) dd @$extret l4; dt ntdll!_PEB_LDR_DATA @$extret-0x00c 002117a8 00211828 776d788c 00211830 776d7894 +0x000 Length : 0 +0x004 Initialized : 0xdc '' +0x008 SsHandle : 0x08009c08 Void +0x00c InLoadOrderModuleList : _LIST_ENTRY [ 0x211828 - 0x776d788c ] +0x014 InMemoryOrderModuleList : _LIST_ENTRY [ 0x211830 - 0x776d7894 ] +0x01c InInitializationOrderModuleList : _LIST_ENTRY [ 0x0 - 0x0 ] +0x024 EntryInProgress : 0x00690000 Void +0x028 ShutdownInProgress : 0x2d '-' +0x02c ShutdownThreadId : 0x0001a000 Void dd @$extret l4; dt ntdll!_PEB_LDR_DATA @$extret-0x00c 00211828 00211b20 002117a8 00211b28 002117b0 +0x000 Length : 0 +0x004 Initialized : 0xdc '' +0x008 SsHandle : 0x08009c1f Void +0x00c InLoadOrderModuleList : _LIST_ENTRY [ 0x211b20 - 0x2117a8 ] +0x014 InMemoryOrderModuleList : _LIST_ENTRY [ 0x211b28 - 0x2117b0 ] +0x01c InInitializationOrderModuleList : _LIST_ENTRY [ 0x211c18 - 0x776d789c ] +0x024 EntryInProgress : 0x77600000 Void +0x028 ShutdownInProgress : 0 '' +0x02c ShutdownThreadId : 0x0013c000 Void dd @$extret l4; dt ntdll!_PEB_LDR_DATA @$extret-0x00c 00211b20 00211c08 00211828 00211c10 00211830 +0x000 Length : 0 +0x004 Initialized : 0xdc '' +0x008 SsHandle : 0x08009c05 Void +0x00c InLoadOrderModuleList : _LIST_ENTRY [ 0x211c08 - 0x211828 ] +0x014 InMemoryOrderModuleList : _LIST_ENTRY [ 0x211c10 - 0x211830 ] +0x01c InInitializationOrderModuleList : _LIST_ENTRY [ 
0x212470 - 0x211c18 ] +0x024 EntryInProgress : 0x75f80000 Void +0x028 ShutdownInProgress : 0xe4 '' +0x02c ShutdownThreadId : 0x000d4000 Void dd @$extret l4; dt ntdll!_PEB_LDR_DATA @$extret-0x00c 00211c08 00212350 00211b20 00212358 00211b28 +0x000 Length : 0 +0x004 Initialized : 0xdc '' +0x008 SsHandle : 0x08009c05 Void +0x00c InLoadOrderModuleList : _LIST_ENTRY [ 0x212350 - 0x211b20 ] +0x014 InMemoryOrderModuleList : _LIST_ENTRY [ 0x212358 - 0x211b28 ] +0x01c InInitializationOrderModuleList : _LIST_ENTRY [ 0x211b30 - 0x211838 ] +0x024 EntryInProgress : 0x759d0000 Void +0x028 ShutdownInProgress : 0xe0 '' +0x02c ShutdownThreadId : 0x0004a000 Void dd @$extret l4; dt ntdll!_PEB_LDR_DATA @$extret-0x00c 00212350 00212460 00211c08 00212468 00211c10 +0x000 Length : 0x380032 +0x004 Initialized : 0xdc '' +0x008 SsHandle : 0x08009c06 Void +0x00c InLoadOrderModuleList : _LIST_ENTRY [ 0x212460 - 0x211c08 ] +0x014 InMemoryOrderModuleList : _LIST_ENTRY [ 0x212468 - 0x211c10 ] +0x01c InInitializationOrderModuleList : _LIST_ENTRY [ 0x21dbd8 - 0x212590 ] +0x024 EntryInProgress : 0x771a0000 Void +0x028 ShutdownInProgress : 0x9 '' +0x02c ShutdownThreadId : 0x0004e000 Void dd @$extret l4; dt ntdll!_PEB_LDR_DATA @$extret-0x00c 00212460 00212580 00212350 00212588 00212358 +0x000 Length : 0x650000 +0x004 Initialized : 0xdc '' +0x008 SsHandle : 0x08009c06 Void +0x00c InLoadOrderModuleList : _LIST_ENTRY [ 0x212580 - 0x212350 ] +0x014 InMemoryOrderModuleList : _LIST_ENTRY [ 0x212588 - 0x212358 ] +0x01c InInitializationOrderModuleList : _LIST_ENTRY [ 0x212798 - 0x211b30 ] +0x024 EntryInProgress : 0x75eb0000 Void +0x028 ShutdownInProgress : 0x11 '' +0x02c ShutdownThreadId : 0x000c9000 Void dd @$extret l4; dt ntdll!_PEB_LDR_DATA @$extret-0x00c 00212580 002126c0 00212460 002126c8 00212468 +0x000 Length : 0x6c +0x004 Initialized : 0xdc '' +0x008 SsHandle : 0x08009c07 Void +0x00c InLoadOrderModuleList : _LIST_ENTRY [ 0x2126c0 - 0x212460 ] +0x014 InMemoryOrderModuleList : _LIST_ENTRY [ 0x2126c8 - 
0x212468 ] +0x01c InInitializationOrderModuleList : _LIST_ENTRY [ 0x212360 - 0x2126d0 ] +0x024 EntryInProgress : 0x75c70000 Void +0x028 ShutdownInProgress : 0x6c 'l' +0x02c ShutdownThreadId : 0x0000a000 Void dd @$extret l4; dt ntdll!_PEB_LDR_DATA @$extret-0x00c 002126c0 00212788 00212580 00212790 00212588 +0x000 Length : 0 +0x004 Initialized : 0xdc '' +0x008 SsHandle : 0x08009c06 Void +0x00c InLoadOrderModuleList : _LIST_ENTRY [ 0x212788 - 0x212580 ] +0x014 InMemoryOrderModuleList : _LIST_ENTRY [ 0x212790 - 0x212588 ] +0x01c InInitializationOrderModuleList : _LIST_ENTRY [ 0x212590 - 0x212798 ] +0x024 EntryInProgress : 0x760c0000 Void +0x028 ShutdownInProgress : 0xd7 '' +0x02c ShutdownThreadId : 0x0009d000 Void dd @$extret l4; dt ntdll!_PEB_LDR_DATA @$extret-0x00c 00212788 0021dbc8 002126c0 0021dbd0 002126c8 +0x000 Length : 0 +0x004 Initialized : 0xdc '' +0x008 SsHandle : 0x08009c06 Void +0x00c InLoadOrderModuleList : _LIST_ENTRY [ 0x21dbc8 - 0x2126c0 ] +0x014 InMemoryOrderModuleList : _LIST_ENTRY [ 0x21dbd0 - 0x2126c8 ] +0x01c InInitializationOrderModuleList : _LIST_ENTRY [ 0x2126d0 - 0x212470 ] +0x024 EntryInProgress : 0x76300000 Void +0x028 ShutdownInProgress : 0x72 'r' +0x02c ShutdownThreadId : 0x000ac000 Void dd @$extret l4; dt ntdll!_PEB_LDR_DATA @$extret-0x00c 0021dbc8 0021d928 00212788 0021d930 00212790 +0x000 Length : 0x6c +0x004 Initialized : 0xdc '' +0x008 SsHandle : 0x08009c06 Void +0x00c InLoadOrderModuleList : _LIST_ENTRY [ 0x21d928 - 0x212788 ] +0x014 InMemoryOrderModuleList : _LIST_ENTRY [ 0x21d930 - 0x212790 ] +0x01c InInitializationOrderModuleList : _LIST_ENTRY [ 0x21da00 - 0x212360 ] +0x024 EntryInProgress : 0x741d0000 Void +0x028 ShutdownInProgress : 0xdd '' +0x02c ShutdownThreadId : 0x00040000 Void dd @$extret l4; dt ntdll!_PEB_LDR_DATA @$extret-0x00c 0021d928 0021d9f0 0021dbc8 0021d9f8 0021dbd0 +0x000 Length : 0x6c002d +0x004 Initialized : 0xdc '' +0x008 SsHandle : 0x08009c06 Void +0x00c InLoadOrderModuleList : _LIST_ENTRY [ 0x21d9f0 - 0x21dbc8 
] +0x014 InMemoryOrderModuleList : _LIST_ENTRY [ 0x21d9f8 - 0x21dbd0 ] +0x01c InInitializationOrderModuleList : _LIST_ENTRY [ 0x21de38 - 0x21da00 ] +0x024 EntryInProgress : 0x77760000 Void +0x028 ShutdownInProgress : 0x55 'U' +0x02c ShutdownThreadId : 0x0001f000 Void dd @$extret l4; dt ntdll!_PEB_LDR_DATA @$extret-0x00c 0021d9f0 0021da70 0021d928 0021da78 0021d930 +0x000 Length : 0 +0x004 Initialized : 0xdc '' +0x008 SsHandle : 0x08009c06 Void +0x00c InLoadOrderModuleList : _LIST_ENTRY [ 0x21da70 - 0x21d928 ] +0x014 InMemoryOrderModuleList : _LIST_ENTRY [ 0x21da78 - 0x21d930 ] +0x01c InInitializationOrderModuleList : _LIST_ENTRY [ 0x21d938 - 0x21dbd8 ] +0x024 EntryInProgress : 0x763f0000 Void +0x028 ShutdownInProgress : 0x8b '' +0x02c ShutdownThreadId : 0x000cc000 Void dd @$extret l4; dt ntdll!_PEB_LDR_DATA @$extret-0x00c 0021da70 0021df30 0021d9f0 0021df38 0021d9f8 +0x000 Length : 0x1d7c948 +0x004 Initialized : 0xdc '' +0x008 SsHandle : 0x08009c1f Void +0x00c InLoadOrderModuleList : _LIST_ENTRY [ 0x21df30 - 0x21d9f0 ] +0x014 InMemoryOrderModuleList : _LIST_ENTRY [ 0x21df38 - 0x21d9f8 ] +0x01c InInitializationOrderModuleList : _LIST_ENTRY [ 0x21ede0 - 0x21df40 ] +0x024 EntryInProgress : 0x71ee0000 Void +0x028 ShutdownInProgress : 0x48 'H' +0x02c ShutdownThreadId : 0x0001b000 Void dd @$extret l4; dt ntdll!_PEB_LDR_DATA @$extret-0x00c 0021df30 0021dc98 0021da70 0021dca0 0021da78 +0x000 Length : 0x6c +0x004 Initialized : 0xdc '' +0x008 SsHandle : 0x08009c06 Void +0x00c InLoadOrderModuleList : _LIST_ENTRY [ 0x21dc98 - 0x21da70 ] +0x014 InMemoryOrderModuleList : _LIST_ENTRY [ 0x21dca0 - 0x21da78 ] +0x01c InInitializationOrderModuleList : _LIST_ENTRY [ 0x21da80 - 0x21e7e0 ] +0x024 EntryInProgress : 0x71d80000 Void +0x028 ShutdownInProgress : 0xda '' +0x02c ShutdownThreadId : 0x00151000 Void dd @$extret l4; dt ntdll!_PEB_LDR_DATA @$extret-0x00c 0021dc98 0021dd60 0021df30 0021dd68 0021df38 +0x000 Length : 0x6c006c +0x004 Initialized : 0xdc '' +0x008 SsHandle : 0x08009c05 
Void +0x00c InLoadOrderModuleList : _LIST_ENTRY [ 0x21dd60 - 0x21df30 ] +0x014 InMemoryOrderModuleList : _LIST_ENTRY [ 0x21dd68 - 0x21df38 ] +0x01c InInitializationOrderModuleList : _LIST_ENTRY [ 0x21e760 - 0x21dd70 ] +0x024 EntryInProgress : 0x77510000 Void +0x028 ShutdownInProgress : 0xe5 '' +0x02c ShutdownThreadId : 0x000a0000 Void dd @$extret l4; dt ntdll!_PEB_LDR_DATA @$extret-0x00c 0021dd60 0021de28 0021dc98 0021de30 0021dca0 +0x000 Length : 0x6c +0x004 Initialized : 0xdc '' +0x008 SsHandle : 0x08009c06 Void +0x00c InLoadOrderModuleList : _LIST_ENTRY [ 0x21de28 - 0x21dc98 ] +0x014 InMemoryOrderModuleList : _LIST_ENTRY [ 0x21de30 - 0x21dca0 ] +0x01c InInitializationOrderModuleList : _LIST_ENTRY [ 0x21dca8 - 0x21de38 ] +0x024 EntryInProgress : 0x75bc0000 Void +0x028 ShutdownInProgress : 0x75 'u' +0x02c ShutdownThreadId : 0x00019000 Void dd @$extret l4; dt ntdll!_PEB_LDR_DATA @$extret-0x00c 0021de28 0021e6d0 0021dd60 0021e6d8 0021dd68 +0x000 Length : 0x6c0000 +0x004 Initialized : 0xdc '' +0x008 SsHandle : 0x08009c06 Void +0x00c InLoadOrderModuleList : _LIST_ENTRY [ 0x21e6d0 - 0x21dd60 ] +0x014 InMemoryOrderModuleList : _LIST_ENTRY [ 0x21e6d8 - 0x21dd68 ] +0x01c InInitializationOrderModuleList : _LIST_ENTRY [ 0x21dd70 - 0x21d938 ] +0x024 EntryInProgress : 0x77780000 Void +0x028 ShutdownInProgress : 0x33 '3' +0x02c ShutdownThreadId : 0x000a1000 Void dd @$extret l4; dt ntdll!_PEB_LDR_DATA @$extret-0x00c 0021e6d0 0021e750 0021de28 0021e758 0021de30 +0x000 Length : 0xf0e0d0c0 +0x004 Initialized : 0xbf '' +0x008 SsHandle : 0x88000000 Void +0x00c InLoadOrderModuleList : _LIST_ENTRY [ 0x21e750 - 0x21de28 ] +0x014 InMemoryOrderModuleList : _LIST_ENTRY [ 0x21e758 - 0x21de30 ] +0x01c InInitializationOrderModuleList : _LIST_ENTRY [ 0x21e960 - 0x21e760 ] +0x024 EntryInProgress : 0x73d70000 Void +0x028 ShutdownInProgress : 0xe1 '' +0x02c ShutdownThreadId : 0x000fb000 Void dd @$extret l4; dt ntdll!_PEB_LDR_DATA @$extret-0x00c 0021e750 0021e7d0 0021e6d0 0021e7d8 0021e6d8 +0x000 
Length : 0x1d7c948 +0x004 Initialized : 0x8f '' +0x008 SsHandle : 0x88000000 Void +0x00c InLoadOrderModuleList : _LIST_ENTRY [ 0x21e7d0 - 0x21e6d0 ] +0x014 InMemoryOrderModuleList : _LIST_ENTRY [ 0x21e7d8 - 0x21e6d8 ] +0x01c InInitializationOrderModuleList : _LIST_ENTRY [ 0x21e6e0 - 0x21dca8 ] +0x024 EntryInProgress : 0x75a50000 Void +0x028 ShutdownInProgress : 0x3d '=' +0x02c ShutdownThreadId : 0x0015c000 Void dd @$extret l4; dt ntdll!_PEB_LDR_DATA @$extret-0x00c 0021e7d0 0021e850 0021e750 0021e858 0021e758 +0x000 Length : 0x1d7c948 +0x004 Initialized : 0x9f '' +0x008 SsHandle : 0x88000000 Void +0x00c InLoadOrderModuleList : _LIST_ENTRY [ 0x21e850 - 0x21e750 ] +0x014 InMemoryOrderModuleList : _LIST_ENTRY [ 0x21e858 - 0x21e758 ] +0x01c InInitializationOrderModuleList : _LIST_ENTRY [ 0x21df40 - 0x21e860 ] +0x024 EntryInProgress : 0x71d50000 Void +0x028 ShutdownInProgress : 0xf8 '' +0x02c ShutdownThreadId : 0x0002c000 Void dd @$extret l4; dt ntdll!_PEB_LDR_DATA @$extret-0x00c 0021e850 0021e8d0 0021e7d0 0021e8d8 0021e7d8 +0x000 Length : 0x1d7c948 +0x004 Initialized : 0x6f 'o' +0x008 SsHandle : 0x88000000 Void +0x00c InLoadOrderModuleList : _LIST_ENTRY [ 0x21e8d0 - 0x21e7d0 ] +0x014 InMemoryOrderModuleList : _LIST_ENTRY [ 0x21e8d8 - 0x21e7d8 ] +0x01c InInitializationOrderModuleList : _LIST_ENTRY [ 0x21e7e0 - 0x21ea60 ] +0x024 EntryInProgress : 0x71d10000 Void +0x028 ShutdownInProgress : 0xb7 '' +0x02c ShutdownThreadId : 0x0003a000 Void dd @$extret l4; dt ntdll!_PEB_LDR_DATA @$extret-0x00c 0021e8d0 0021e950 0021e850 0021e958 0021e858 +0x000 Length : 0x1d7c948 +0x004 Initialized : 0x7f '' +0x008 SsHandle : 0x88000000 Void +0x00c InLoadOrderModuleList : _LIST_ENTRY [ 0x21e950 - 0x21e850 ] +0x014 InMemoryOrderModuleList : _LIST_ENTRY [ 0x21e958 - 0x21e858 ] +0x01c InInitializationOrderModuleList : _LIST_ENTRY [ 0x21ea60 - 0x21e9e0 ] +0x024 EntryInProgress : 0x71c80000 Void +0x028 ShutdownInProgress : 0xb0 '' +0x02c ShutdownThreadId : 0x00083000 Void dd @$extret l4; dt 
ntdll!_PEB_LDR_DATA @$extret-0x00c 0021e950 0021e9d0 0021e8d0 0021e9d8 0021e8d8 +0x000 Length : 0x1d7c948 +0x004 Initialized : 0x4f 'O' +0x008 SsHandle : 0x88000000 Void +0x00c InLoadOrderModuleList : _LIST_ENTRY [ 0x21e9d0 - 0x21e8d0 ] +0x014 InMemoryOrderModuleList : _LIST_ENTRY [ 0x21e9d8 - 0x21e8d8 ] +0x01c InInitializationOrderModuleList : _LIST_ENTRY [ 0x21e9e0 - 0x21e6e0 ] +0x024 EntryInProgress : 0x749a0000 Void +0x028 ShutdownInProgress : 0x20 ' ' +0x02c ShutdownThreadId : 0x00009000 Void dd @$extret l4; dt ntdll!_PEB_LDR_DATA @$extret-0x00c 0021e9d0 0021ea50 0021e950 0021ea58 0021e958 +0x000 Length : 0x1d7c948 +0x004 Initialized : 0x5f '_' +0x008 SsHandle : 0x88000000 Void +0x00c InLoadOrderModuleList : _LIST_ENTRY [ 0x21ea50 - 0x21e950 ] +0x014 InMemoryOrderModuleList : _LIST_ENTRY [ 0x21ea58 - 0x21e958 ] +0x01c InInitializationOrderModuleList : _LIST_ENTRY [ 0x21e8e0 - 0x21e960 ] +0x024 EntryInProgress : 0x73ea0000 Void +0x028 ShutdownInProgress : 0x3f '?' +0x02c ShutdownThreadId : 0x00013000 Void dd @$extret l4; dt ntdll!_PEB_LDR_DATA @$extret-0x00c 0021ea50 0021ead0 0021e9d0 0021ead8 0021e9d8 +0x000 Length : 0x1d7c948 +0x004 Initialized : 0x2f '/' +0x008 SsHandle : 0x88000000 Void +0x00c InLoadOrderModuleList : _LIST_ENTRY [ 0x21ead0 - 0x21e9d0 ] +0x014 InMemoryOrderModuleList : _LIST_ENTRY [ 0x21ead8 - 0x21e9d8 ] +0x01c InInitializationOrderModuleList : _LIST_ENTRY [ 0x21e860 - 0x21e8e0 ] +0x024 EntryInProgress : 0x77740000 Void +0x028 ShutdownInProgress : 0x38 '8' +0x02c ShutdownThreadId : 0x00005000 Void dd @$extret l4; dt ntdll!_PEB_LDR_DATA @$extret-0x00c 0021ead0 0021ed50 0021ea50 0021ed58 0021ea58 +0x000 Length : 0x1d7c948 +0x004 Initialized : 0x3f '?' 
+0x008 SsHandle : 0x88000000 Void +0x00c InLoadOrderModuleList : _LIST_ENTRY [ 0x21ed50 - 0x21ea50 ] +0x014 InMemoryOrderModuleList : _LIST_ENTRY [ 0x21ed58 - 0x21ea58 ] +0x01c InInitializationOrderModuleList : _LIST_ENTRY [ 0x776d789c - 0x21ed60 ] +0x024 EntryInProgress : 0x757f0000 Void +0x028 ShutdownInProgress : 0x6d 'm' +0x02c ShutdownThreadId : 0x0002d000 Void dd @$extret l4; dt ntdll!_PEB_LDR_DATA @$extret-0x00c 0021ed50 0021edd0 0021ead0 0021edd8 0021ead8 +0x000 Length : 0x1d7c948 +0x004 Initialized : 0xcf '' +0x008 SsHandle : 0x88000000 Void +0x00c InLoadOrderModuleList : _LIST_ENTRY [ 0x21edd0 - 0x21ead0 ] +0x014 InMemoryOrderModuleList : _LIST_ENTRY [ 0x21edd8 - 0x21ead8 ] +0x01c InInitializationOrderModuleList : _LIST_ENTRY [ 0x21eae0 - 0x21ede0 ] +0x024 EntryInProgress : 0x75820000 Void +0x028 ShutdownInProgress : 0x8a '' +0x02c ShutdownThreadId : 0x0011d000 Void