发点感慨，牛就是牛，我等只能望其相背。
知道大家懒（其实是我比较懒），查了半天windbg的帮助手册，解释一下此文中一些不明觉厉的地方。
首先是传送门，本文需要结合ddlx牛的这篇文章看：
http://bbs.pediy.com/showthread.php?t=179566

对了，one more thing，fcitx码字不容易，错别字请见谅。

原文：

0: kd> r @$t0=@@(#FIELD_OFFSET(nt!_EPROCESS, ThreadListHead))

0: kd> !list "-t nt!_LIST_ENTRY.FLink -e -x \"r @$t3=@$extret-@$t1; r @$t4= @$t3+@$t2; r @$t5=poi(@$t4);.if(@@((unsigned long)@$t5>(unsigned long)0xeee0c000 && (unsigned long)@$t5<(unsigned long)0xeee36680)){r @$t3;dt -b nt!_ETHREAD Cid. @$t3; dds @$t4 l1;}; \" 867b5830+@$t0"

0: kd> r @$t0=eee33900; r @$t1=86699130; r@$t2=eee33800;?? ((nt!_KAPC*)@$t0)->Type=18;?? ((nt!_KAPC*)@$t0)->Size=sizeof(nt!_KAPC);?? ((nt!_KAPC*)@$t0)->Thread=@$t1;?? ((nt!_KAPC*)@$t0)->KernelRoutine=@$t2;?? ((nt!_KAPC*)@$t0)->Inserted=1;r @$t3=@@(&(((nt!_ETHREAD*)@$t1)->Tcb.ApcState.ApcListHead[0]));r @$t4=@@(&(((nt!_KAPC*)@$t0)->ApcListEntry));r @$t5=@@(((nt!_LIST_ENTRY*)@$t3)->Flink);?? ((nt!_LIST_ENTRY*)@$t4)->Flink=@$t5;?? ((nt!_LIST_ENTRY*)@$t4)->Blink=@$t3;?? ((nt!_LIST_ENTRY*)@$t5)->Blink=@$t4;?? ((nt!_LIST_ENTRY*)@$t3)->Flink=@$t4;?? ((nt!_ETHREAD*)@$t1)->Tcb.ApcState.KernelApcPending=1;

[培训]科锐逆向工程师培训第53期2025年7月8日开班！