3月17日,接着昨天的

系統的object的地址不是固定不變的,

下面是得到的一些有關的數據,直接列出來了

kd> !object 81316cb8
Object: 81316cb8  Type: (8189ad40) WindowStation
    ObjectHeader: 81316ca0
    HandleCount: 60  PointerCount: 96
    Directory Object: 815b5c70  Name: WinSta0

kd> dd 81316cb8
81316cb8  81306658 8130d458 a0178f80 00000000
81316cc8  e298fb68 00000000 00000000 00000000
81316cd8  00000000 a03c7ef8 e342ae28 00000004
81316ce8  0000001c 00000069 00000000 813169e8
81316cf8  00000000 00000000 0001642f 00000000
81316d08  e141f8e8 00000000 00000000 00000000
81316d18  00000000 40000800 01000005 6966744e
81316d28  8337e388 ffa9b3a8 00080041 00000000

kd> !object 81306658
Object: 81306658  Type: (8189ad40) WindowStation
    ObjectHeader: 81306640
    HandleCount: 21  PointerCount: 34
    Directory Object: 815b5c70  Name: Service-0x0-3e7$

kd> !object 8130d458
Object: 8130d458  Type: (8189ac40) Desktop
    ObjectHeader: 8130d440
    HandleCount: 38  PointerCount: 3186
    Directory Object: 00000000  Name: Default

kd> dd 81306658
81306658  81208a98 81304038 a0178800 00000004
81306668  00000000 00000000 00000000 00000000
81306678  00000000 00000000 00000000 00000000
81306688  00000000 00000000 00000000 81305aa8
81306698  00000000 00000000 00000000 00000000
813066a8  00000000 00000000 00000000 00000000
813066b8  0053030c 00580054 02018005 6d665346
813066c8  00000001 00000000 00000000 00040001

kd> !object 81208a98
Object: 81208a98  Type: (8189ad40) WindowStation
    ObjectHeader: 81208a80
    HandleCount: 2  PointerCount: 6
    Directory Object: 815b5c70  Name: SAWinSta

kd> !object 81304038
Object: 81304038  Type: (8189ac40) Desktop
    ObjectHeader: 81304020
    HandleCount: 11  PointerCount: 414
    Directory Object: 00000000  Name: Default

kd> dd 81208a98
81208a98  00000000 811fbf78 a0178800 00000004
81208aa8  00000000 00000000 00000000 00000000
81208ab8  00000000 00000000 00000000 00000000
81208ac8  00000000 00000000 00000000 812e6008
81208ad8  00000000 00000000 00000000 00000000
81208ae8  00000000 00000000 00000000 8125b400
81208af8  81208b00 00010008 04018005 6274624f
81208b08  00000000 00000016 e2bfc000 00000000

kd> !object 811fbf78
Object: 811fbf78  Type: (8189ac40) Desktop
    ObjectHeader: 811fbf60
    HandleCount: 1  PointerCount: 7
    Directory Object: 00000000  Name: SADesktop

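可以看出是個鏈:每個WindowStation對象的第一個DWORD指向下一個WindowStation(WinSta0 → Service-0x0-3e7$ → SAWinSta → 0),第二個DWORD指向它的Desktop。每個WindowStation都是如下結構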

/*
 * Windowstation structure
 */
/*
 * WSF_* flag bits. Each value is a distinct single bit (0x0001..0x0020),
 * so the flags can be OR-ed together in one flag word.
 *
 * NOTE(review): presumably these are the bits kept in
 * WINDOWSTATION.dwWSF_Flags (the WSF_ prefix matches the field name);
 * confirm against the code that sets and tests them. The meaning of each
 * individual flag is not shown here.
 *
 * In the kd dumps on this page the fourth dword of each object reads
 * 0x00000000 for WinSta0 and 0x00000004 for Service-0x0-3e7$ and SAWinSta.
 * If that dword is dwWSF_Flags (32-bit layout), 0x4 corresponds to WSF_NOIO.
 */
#define WSF_SWITCHLOCK          0x0001
#define WSF_OPENLOCK            0x0002
#define WSF_NOIO                0x0004
#define WSF_SHUTDOWN            0x0008
#define WSF_DYING               0x0010

#define WSF_REALSHUTDOWN        0x0020

/*
 * Per-window-station state: list links, flag word, clipboard state, global
 * atom table and user/session identification fields.
 *
 * NOTE(review): this is an internal layout and the page does not say which
 * OS build the definition comes from. Before reading offsets out of a dump,
 * check the definition against the symbols of the build being debugged.
 * The offsets quoted below assume 4-byte pointers, as the 32-bit addresses
 * in the kd output on this page suggest.
 */
typedef struct tagWINDOWSTATION {
    /*
     * +0x00: link to the next window station. In the dumps on this page the
     * first dword of each object is the address of another WindowStation
     * object (WinSta0 -> Service-0x0-3e7$ -> SAWinSta), and 0 in SAWinSta.
     */
    PWINDOWSTATION       rpwinstaNext;
    /*
     * +0x04: in the dumps the second dword is the address of a Desktop
     * object (Default, Default, SADesktop).
     */
    PDESKTOP             rpdeskList;

    /* +0x08: pointer to a TERMINAL; the pointed-to type is not shown here. */
    PTERMINAL            pTerm;
    /*
     * Pointer to the currently active desktop for the window station.
     *
     * NOTE(review): the sentence above does not describe the member that
     * follows, which is a DWORD flag word and not a pointer. It looks like a
     * comment left over from a removed member; confirm.
     */
    /* +0x0C: flag word; presumably holds the WSF_* bits (confirm). */
    DWORD                dwWSF_Flags;
    struct tagKL         *spklList;

    /*
     * Clipboard variables
     */
    PTHREADINFO          ptiClipLock;
    PTHREADINFO          ptiDrawingClipboard;
    PWND                 spwndClipOpen;
    PWND                 spwndClipViewer;
    PWND                 spwndClipOwner;
    struct tagCLIP       *pClipBase;
    int                  cNumClipFormats;
    UINT                 iClipSerialNumber;
    UINT                 iClipSequenceNumber;
    /* Two 1-bit flags declared as UINT bit-fields. */
    UINT                 fClipboardChanged : 1;
    UINT                 fInDelayedRendering : 1;

    /*
     * Global Atom table
     */
    PVOID                pGlobalAtomTable;

    /*
     * Identity fields. NOTE(review): presumably the logon LUID and SID of
     * the user the window station belongs to; confirm against the code
     * that fills them in.
     */
    LUID                 luidEndSession;
    LUID                 luidUser;
    PSID                 psidUser;
    PQ                   pqDesktop;

    /* NOTE(review): presumably the session the window station lives in; confirm. */
    DWORD                dwSessionId;

    /*
     * Present only when DBG is defined. It is the last member, so it changes
     * the structure size in such builds but not the offsets of the members
     * above it.
     */
#if DBG
    PDESKTOP             pdeskCurrent;
#endif // DBG

} WINDOWSTATION;
//--------------------------------------------------------------------------------

不知道WinSta0前面還有沒有別的WindowStation了
