mouclass!MouseClassServiceCallback调用nt!IopfCompleteRequest向目标线程win32k!xxxDesktopThread插入KAPC的例子-非常重要

mouclass!MouseClassServiceCallback调用nt!IopfCompleteRequest向目标线程win32k!xxxDesktopThread插入KAPC的例子--非常重要

目标线程正处于等待状态(KTHREAD.State = 0x5, Waiting, 且是 Non-Alertable 的用户态等待)。KiInsertQueueApc 并不是无条件唤醒: 只有在线程 WaitIrql == 0、SpecialApcDisable == 0, 并且要插入的是特殊内核 APC(NormalRoutine == NULL), 或者内核 APC 未被禁用且当前没有内核 APC 正在执行时, 才会调用 KiUnwaitThread 把目标线程唤醒。本例中 IopfCompleteRequest 初始化的 APC 其 NormalRoutine 为 NULL(特殊内核 APC), 所以即便目标线程处于不可警醒的等待, 也会被唤醒去完成 IRP。

VOID
FASTCALL
KiInsertQueueApc (
    IN PKAPC InApc,
    IN KPRIORITY Increment
    )

{

 if (ThreadState == Running) {
                KiRequestApcInterrupt(Thread->NextProcessor);

            } else if ((ThreadState == Waiting) &&
                       (Thread->WaitIrql == 0) &&
                       (Thread->SpecialApcDisable == 0) &&
                       ((Apc->NormalRoutine == NULL) ||
                        ((Thread->KernelApcDisable == 0) &&
                         (Thread->ApcState.KernelApcInProgress == FALSE)))) {

                KiUnwaitThread(Thread, STATUS_KERNEL_APC, Increment);

第一部分:
//
// MouseClassServiceCallback (excerpt)
//
// Class-driver service callback invoked from the lower driver's completion
// path (in the trace on this page: mouhid!MouHid_ReadComplete, running in
// the USBPORT DPC on an arbitrary thread) with a range of MOUSE_INPUT_DATA
// records. Only the tail of the routine is reproduced here: the part that
// copies records into queued read IRPs and collects the satisfied IRPs on
// listHead is elided, as are the declarations of listHead, irp and
// deviceExtension.
//
// DeviceObject      - class device object receiving the input.
// InputDataStart    - first record of the input range.
// InputDataEnd      - one past the last record of the range.
// InputDataConsumed - presumably updated with the number of records consumed
//                     in the elided part of the routine.
//
VOID
MouseClassServiceCallback(
    IN PDEVICE_OBJECT DeviceObject,
    IN PMOUSE_INPUT_DATA InputDataStart,
    IN PMOUSE_INPUT_DATA InputDataEnd,
    IN OUT PULONG InputDataConsumed
    )
{

    //
    // Complete all the read requests we have fulfilled outside of the spin lock.
    // IoCompleteRequest may queue a kernel APC to the requesting thread (see the
    // IopfCompleteRequest excerpt below), which is presumably why it is kept
    // out of the locked region.
    //
    while (! IsListEmpty (&listHead)) {
        PLIST_ENTRY entry = RemoveHeadList (&listHead);

        irp = CONTAINING_RECORD (entry, IRP, Tail.Overlay.ListEntry);
        //
        // Every IRP on this list was already marked successful by the elided
        // code, with IoStatus.Information set to the bytes copied (0x18 for
        // the IRP dumped below).
        //
        ASSERT (NT_SUCCESS (irp->IoStatus.Status) &&
                irp->IoStatus.Status != STATUS_PENDING);
        //
        // IO_KEYBOARD_INCREMENT is the priority boost that reaches
        // KeInsertQueueApc as Increment (0n6 in the trace below).
        //
        IoCompleteRequest (irp, IO_KEYBOARD_INCREMENT);

        //
        // Release the remove lock held for this IRP (acquired where the IRP
        // was queued; not shown in this excerpt).
        //
        IoReleaseRemoveLock (&deviceExtension->RemoveLock, irp);
    }

    MouPrint((2,"MOUCLASS-MouseClassServiceCallback: exit\n"));
}

第二部分:

参考:

调用 IoCompleteRequest 之前, IRP 的系统缓冲区里已经有一条数据: 下面 _IO_STATUS_BLOCK 的 Information = 0x18, 与一个 MOUSE_INPUT_DATA 结构的大小一致。另外注意两点: RequestorMode = 0 (KernelMode), 说明这个读请求应是 win32k 代表 csrss 的桌面线程在内核态发起的; Flags = 0x970 按 IRP_* 标志位解读(需与 ntddk.h 中的定义核对)包含 IRP_BUFFERED_IO | IRP_DEALLOCATE_BUFFER | IRP_INPUT_OPERATION | IRP_READ_OPERATION | IRP_DEFER_IO_COMPLETION, 即这是一次缓冲 I/O 读, 数据还要在发起线程的上下文中从 SystemBuffer 复制到 UserBuffer (0xe1634a08), 这也是 I/O 完成需要通过向发起线程插入 KAPC 来进行的原因。

0: kd> dt _irp 89790488
CSRSRV!_IRP
   +0x000 Type             : 0n6
   +0x002 Size             : 0x1d8
   +0x004 MdlAddress       : (null)
   +0x008 Flags            : 0x970
   +0x00c AssociatedIrp    : __unnamed
   +0x010 ThreadListEntry  : _LIST_ENTRY [ 0x894f8468 - 0x89804238 ]
   +0x018 IoStatus         : _IO_STATUS_BLOCK
   +0x020 RequestorMode    : 0 ''
   +0x021 PendingReturned  : 0 ''
   +0x022 StackCount       : 10 ''
   +0x023 CurrentLocation  : 10 ''
   +0x024 Cancel           : 0 ''
   +0x025 CancelIrql       : 0 ''
   +0x026 ApcEnvironment   : 0 ''
   +0x027 AllocationFlags  : 0x1 ''
   +0x028 UserIosb         : 0xe16349d8 _IO_STATUS_BLOCK
   +0x02c UserEvent        : (null)
   +0x030 Overlay          : __unnamed
   +0x038 CancelRoutine    : (null)
   +0x03c UserBuffer       : 0xe1634a08 Void
   +0x040 Tail             : __unnamed
0: kd> dx -id 0,0,8954e020 -r1 (*((CSRSRV!_IO_STATUS_BLOCK *)0x897904a0))
(*((CSRSRV!_IO_STATUS_BLOCK *)0x897904a0))                 [Type: _IO_STATUS_BLOCK]
    [+0x000] Status           : 0 [Type: long]
    [+0x000] Pointer          : 0x0 [Type: void *]
    [+0x004] Information      : 0x18 [Type: unsigned long]


        InsertTailList (&listHead, &irp->Tail.Overlay.ListEntry);

参考结束:

第三部分: 在 nt!KeInitializeApc 处命中断点。注意此时的当前线程 (895f2a78, winlogon.exe, RUNNING on processor 0) 只是 USB 中断的 DPC 恰好打断的任意线程上下文, 而 APC 的目标线程 Thread = Irp->Tail.Overlay.Thread = 0x89804020 是 csrss.exe 中处于等待状态的 win32k!xxxDesktopThread (见下面的 !thread 0x89804020)。I/O 管理器正是通过向发起线程插入 KAPC, 回到发起线程的上下文去完成这个 IRP 的。

0: kd> g
Breakpoint 1 hit
eax=00000000 ebx=00000000 ecx=8979040b edx=f789ed01 esi=89790488 edi=897904c8
eip=80a373e2 esp=f789ecdc ebp=f789ed1c iopl=0         nv up ei pl zr na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000246
nt!KeInitializeApc:
80a373e2 55              push    ebp
0: kd> kc
 #
00 nt!KeInitializeApc
01 nt!IopfCompleteRequest
02 mouclass!MouseClassServiceCallback

03 mouhid!MouHid_ReadComplete
04 nt!IopfCompleteRequest
05 HIDCLASS!HidpDistributeInterruptReport
06 HIDCLASS!HidpInterruptReadComplete
07 nt!IopfCompleteRequest
08 USBPORT!USBPORT_CompleteTransfer
09 USBPORT!USBPORT_DoneTransfer
0a USBPORT!USBPORT_FlushDoneTransferList
0b USBPORT!USBPORT_DpcWorker
0c USBPORT!USBPORT_IsrDpcWorker
0d USBPORT!USBPORT_IsrDpc
0e nt!KiRetireDpcList
0f nt!KiDispatchInterrupt
WARNING: Frame IP not in any known module. Following frames may be wrong.
10 0x0


0: kd> dv
            Apc = 0x897904c8
         Thread = 0x89804020
    Environment = OriginalApcEnvironment (0n0)
  KernelRoutine = 0x80a2bd0e
 RundownRoutine = 0x80c72194
  NormalRoutine = 0x00000000
        ApcMode = 0n0 ''
  NormalContext = 0x00000000

    thread = Irp->Tail.Overlay.Thread;
    fileObject = Irp->Tail.Overlay.OriginalFileObject;

    if (!Irp->Cancel) {

        KeInitializeApc( &Irp->Tail.Apc,
                         &thread->Tcb,
                         Irp->ApcEnvironment,
                         IopCompleteRequest,
                         IopAbortRequest,
                         (PKNORMAL_ROUTINE) NULL,
                         KernelMode,
                         (PVOID) NULL );

        (VOID) KeInsertQueueApc( &Irp->Tail.Apc,
                                 fileObject,
                                 (PVOID) saveAuxiliaryPointer,
                                 PriorityBoost );
    } else {

VOID
FASTCALL
IopfCompleteRequest(
    IN PIRP Irp,
    IN CCHAR PriorityBoost
    )


0: kd> dt ntkrnlmp!_KAPC  0x897904c8
   +0x000 Type             : 0n18
   +0x002 Size             : 0n48
   +0x004 Spare0           : 0
   +0x008 Thread           : 0x89804020 _KTHREAD
   +0x00c ApcListEntry     : _LIST_ENTRY [ 0x0 - 0x89804020 ]
   +0x014 KernelRoutine    : 0x80a2bd0e     void  nt!IopCompleteRequest+0
   +0x018 RundownRoutine   : 0x80c72194     void  nt!IopAbortRequest+0
   +0x01c NormalRoutine    : (null)
   +0x020 NormalContext    : (null)
   +0x024 SystemArgument1  : 0x895f1788 Void
   +0x028 SystemArgument2  : (null)
   +0x02c ApcStateIndex    : 0 ''
   +0x02d ApcMode          : 0 ''
   +0x02e Inserted         : 0 ''


0: kd> !thread
THREAD 895f2a78  Cid 01c8.04bc  Teb: 7ffd5000 Win32Thread: e17c0d18 RUNNING on processor 0
Not impersonating
DeviceMap                 e10003d8
Owning Process            8954e020       Image:         winlogon.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      274655191      Ticks: 282 (0:00:00:04.406)
Context Switch Count      1136           IdealProcessor: 0                 LargeStack
UserTime                  00:00:00.062
KernelTime                00:00:00.281
Win32 Start Address 0x771a0801
Stack Init ba1b1000 Current ba1b0c5c Base ba1b1000 Limit ba1ad000 Call 00000000
Priority 13 BasePriority 13 PriorityDecrement 0 IoPriority 0 PagePriority 0
ChildEBP RetAddr  Args to Child              
f789ed1c f751a87a 897f90d8 89537b80 00000000 nt!IopfCompleteRequest+0x2be (FPO: [Non-Fpo]) (CONV: fastcall) [d:\srv03rtm\base\ntos\io\iomgr\iosubs.c @ 3754]
f789ed3c f76b8fbc 00000018 897f91d8 000000f0 mouclass!MouseClassServiceCallback+0x2e4 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\drivers\input\mouclass\mouclass.c @ 2776]
f789ed74 80a26af4 00000000 02800cd8 017f90d8 mouhid!MouHid_ReadComplete+0x438 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\drivers\input\hidport\mouhid\read.c @ 513]
f789eda4 ba71bfdc f789edac f789edac 89761020 nt!IopfCompleteRequest+0xf4 (FPO: [Non-Fpo]) (CONV: fastcall) [d:\srv03rtm\base\ntos\io\iomgr\iosubs.c @ 3506]
f789edd0 ba71cb3f 02761008 895cbb40 00000009 HIDCLASS!HidpDistributeInterruptReport+0x134 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\drivers\wdm\input\hidclass\pingpong.c @ 524]
f789ee08 80a26af4 00000000 898969a0 8940db78 HIDCLASS!HidpInterruptReadComplete+0x2dd (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\drivers\wdm\input\hidclass\pingpong.c @ 723]
f789ee38 bae9aa07 898d4030 898969a0 80b019e8 nt!IopfCompleteRequest+0xf4 (FPO: [Non-Fpo]) (CONV: fastcall) [d:\srv03rtm\base\ntos\io\iomgr\iosubs.c @ 3506]
f789eeac bae9f23e 43504974 02707269 898d4724 USBPORT!USBPORT_CompleteTransfer+0x5af (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\drivers\wdm\usb\hcd\usbport\core.c @ 1238]
f789eee0 baea0ca7 894d9008 898d40e8 f789ef28 USBPORT!USBPORT_DoneTransfer+0x252 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\drivers\wdm\usb\hcd\usbport\core.c @ 997]
f789ef10 baea3c3a 898d4030 898d40e8 898d40e8 USBPORT!USBPORT_FlushDoneTransferList+0x281 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\drivers\wdm\usb\hcd\usbport\core.c @ 2228]
f789ef40 baed70cc 898d4030 898d40e8 89845220 USBPORT!USBPORT_DpcWorker+0x4d0 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\drivers\wdm\usb\hcd\usbport\core.c @ 3865]
f789ef78 baed77bc 898d4030 00000001 ffdff980 USBPORT!USBPORT_IsrDpcWorker+0x7c8 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\drivers\wdm\usb\hcd\usbport\int.c @ 257]
f789ef9c 80a41432 898d4608 898d4030 00000000 USBPORT!USBPORT_IsrDpc+0x266 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\drivers\wdm\usb\hcd\usbport\int.c @ 333]
f789eff4 80b00756 ba1b0bf8 00000000 00000000 nt!KiRetireDpcList+0xd6 (FPO: [Non-Fpo]) (CONV: fastcall) [d:\srv03rtm\base\ntos\ke\dpcsup.c @ 1076]
f789eff8 ba1b0bf8 00000000 00000000 00000000 nt!KiDispatchInterrupt+0x36 (FPO: [Uses EBP] [0,0,1]) [d:\srv03rtm\base\ntos\ke\i386\ctxswap.asm @ 226]
WARNING: Frame IP not in any known module. Following frames may be wrong.
80b00756 00000000 00000009 bb837775 00000128 0xba1b0bf8


0: kd> !thread 0x89804020
THREAD 89804020  Cid 01b0.01e0  Teb: 7ffd8000 Win32Thread: e1639460 WAIT: (WrUserRequest) UserMode Non-Alertable
    8957cd20  SynchronizationEvent
    89505548  SynchronizationEvent
    89804b80  SynchronizationEvent
IRP List:
    89790488: (0006,01d8) Flags: 00000970  Mdl: 00000000
    894f8458: (0006,01d8) Flags: 00000970  Mdl: 00000000
    8989e008: (0006,0190) Flags: 00000970  Mdl: 00000000
    89756e70: (0006,0190) Flags: 00000970  Mdl: 00000000
Not impersonating
DeviceMap                 e10003d8
Owning Process            89831250       Image:         csrss.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      274655417      Ticks: 56 (0:00:00:00.875)
Context Switch Count      619            IdealProcessor: 1                 LargeStack
UserTime                  00:00:00.000
KernelTime                00:00:01.328
Stack Init f75f7000 Current f75f692c Base f75f7000 Limit f75f4000 Call 00000000
Priority 15 BasePriority 13 PriorityDecrement 0 IoPriority 0 PagePriority 0
ChildEBP RetAddr  Args to Child              
f75f6944 80a440eb f7737120 89804020 89804080 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4]) [d:\srv03rtm\base\ntos\ke\i386\ctxswap.asm @ 139]
f75f697c 80a358c7 00000000 e1639460 00000002 nt!KiSwapThread+0x627 (FPO: [Non-Fpo]) (CONV: fastcall) [d:\srv03rtm\base\ntos\ke\thredsup.c @ 2000]
f75f69b4 bf8a4685 00000003 89804b50 00000001 nt!KeWaitForMultipleObjects+0x3b5 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\ke\wait.c @ 816]
f75f6a04 bf8b123e 00000002 89804b50 bf8fe215 win32k!xxxMsgWaitForMultipleObjects+0xeb (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\kernel\queue.c @ 4540]
f75f6d1c bf8b21ba bfa70aa0 00000001 f75f6d48 win32k!xxxDesktopThread+0x437 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\kernel\desktop.c @ 594]
f75f6d2c bf806d52 bfa70aa0 f75f6d58 008cfff4 win32k!xxxCreateSystemThreads+0x9c (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\kernel\desktop.c @ 347]
f75f6d48 80afbcb2 00000000 00000022 80afb956 win32k!NtUserCallOneParam+0xa0 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\kernel\ntstubs.c @ 4789]
f75f6d48 7ffe0304 00000000 00000022 80afb956 nt!_KiSystemService+0x13f (FPO: [0,3] TrapFrame @ f75f6d64) (CONV: cdecl) [d:\srv03rtm\base\ntos\ke\i386\trap.asm @ 1328]
00000000 00000000 00000000 00000000 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

参考:

;
;  Thread State Enumerated Type Values (KTHREAD.State)
;
;  Used to read the State byte in the "dt kthread" dumps on this page:
;  the target thread shows 0x5 (Waiting) before the APC is queued and
;  0x3 (Standby, selected as NextThread of CPU 1) after KiUnwaitThread.
;

Initialized equ 00000H
Ready equ 00001H
Running equ 00002H
Standby equ 00003H
Terminated equ 00004H
Waiting equ 00005H

参考:

0: kd> dt kthread 0x89804020
CSRSRV!KTHREAD
   +0x000 Header           : _DISPATCHER_HEADER
   +0x010 MutantListHead   : _LIST_ENTRY [ 0x89804030 - 0x89804030 ]
   +0x018 InitialStack     : 0xf75f7000 Void
   +0x01c StackLimit       : 0xf75f4000 Void
   +0x020 KernelStack      : 0xf75f692c Void
   +0x024 ThreadLock       : 0
   +0x028 ContextSwitches  : 0x26b
   +0x02c State            : 0x5 ''
   +0x02d NpxState         : 0xa ''
   +0x02e WaitIrql         : 0 ''
   +0x02f WaitMode         : 1 ''
   +0x030 Teb              : 0x7ffd8000 Void
   +0x034 ApcState         : _KAPC_STATE
 
0: kd> dx -id 0,0,8954e020 -r1 (*((CSRSRV!_KAPC_STATE *)0x89804054))
(*((CSRSRV!_KAPC_STATE *)0x89804054))                 [Type: _KAPC_STATE]
    [+0x000] ApcListHead      [Type: _LIST_ENTRY [2]]
    [+0x010] Process          : 0x89831250 [Type: _KPROCESS *]
    [+0x014] KernelApcInProgress : 0x0 [Type: unsigned char]
    [+0x015] KernelApcPending : 0x0 [Type: unsigned char]
    [+0x016] UserApcPending   : 0x0 [Type: unsigned char]
0: kd> dx -id 0,0,8954e020 -r1 (*((CSRSRV!_LIST_ENTRY (*)[2])0x89804054))
(*((CSRSRV!_LIST_ENTRY (*)[2])0x89804054))                 [Type: _LIST_ENTRY [2]]
    [0]              [Type: _LIST_ENTRY]
    [1]              [Type: _LIST_ENTRY]
0: kd> dx -id 0,0,8954e020 -r1 (*((CSRSRV!_LIST_ENTRY *)0x89804054))
(*((CSRSRV!_LIST_ENTRY *)0x89804054))                 [Type: _LIST_ENTRY]
    [+0x000] Flink            : 0x89804054 [Type: _LIST_ENTRY *]
    [+0x004] Blink            : 0x89804054 [Type: _LIST_ENTRY *]

0: kd> dx -id 0,0,8954e020 -r1 (*((CSRSRV!_LIST_ENTRY *)0x8980405c))
(*((CSRSRV!_LIST_ENTRY *)0x8980405c))                 [Type: _LIST_ENTRY]
    [+0x000] Flink            : 0x8980405c [Type: _LIST_ENTRY *]
    [+0x004] Blink            : 0x8980405c [Type: _LIST_ENTRY *]

第四部分:

0: kd> t
eax=00000006 ebx=00000000 ecx=8979040b edx=f789ed01 esi=89790488 edi=897904c8
eip=80a26c3e esp=f789ecf4 ebp=f789ed1c iopl=0         nv up ei pl zr na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000246
nt!IopfCompleteRequest+0x23e:
80a26c3e 57              push    edi
0: kd> t
eax=00000006 ebx=00000000 ecx=8979040b edx=f789ed01 esi=89790488 edi=897904c8
eip=80a3750e esp=f789ecec ebp=f789ed1c iopl=0         nv up ei pl zr na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000246
nt!KeInsertQueueApc:
80a3750e 55              push    ebp
0: kd> kc
 #
00 nt!KeInsertQueueApc
01 nt!IopfCompleteRequest
02 mouclass!MouseClassServiceCallback

03 mouhid!MouHid_ReadComplete
04 nt!IopfCompleteRequest
05 HIDCLASS!HidpDistributeInterruptReport
06 HIDCLASS!HidpInterruptReadComplete
07 nt!IopfCompleteRequest
08 USBPORT!USBPORT_CompleteTransfer
09 USBPORT!USBPORT_DoneTransfer
0a USBPORT!USBPORT_FlushDoneTransferList
0b USBPORT!USBPORT_DpcWorker
0c USBPORT!USBPORT_IsrDpcWorker
0d USBPORT!USBPORT_IsrDpc
0e nt!KiRetireDpcList
0f nt!KiDispatchInterrupt
WARNING: Frame IP not in any known module. Following frames may be wrong.
10 0x0
0: kd> dv
            Apc = 0x897904c8
SystemArgument1 = 0x895f1788
SystemArgument2 = 0x00000000
      Increment = 0n6
     LockHandle = struct _KLOCK_QUEUE_HANDLE
0: kd> gu
eax=00000001 ebx=00000000 ecx=00000041 edx=000c08e1 esi=89790488 edi=897904c8
eip=80a26c44 esp=f789ed00 ebp=f789ed1c iopl=0         nv up ei pl zr na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000246
nt!IopfCompleteRequest+0x244:
80a26c44 e9b2feffff      jmp     nt!IopfCompleteRequest+0xfb (80a26afb)


0: kd>  dx -id 0,0,8954e020 -r1 (*((CSRSRV!_KAPC_STATE *)0x89804054))
(*((CSRSRV!_KAPC_STATE *)0x89804054))                 [Type: _KAPC_STATE]
    [+0x000] ApcListHead      [Type: _LIST_ENTRY [2]]
    [+0x010] Process          : 0x89831250 [Type: _KPROCESS *]
    [+0x014] KernelApcInProgress : 0x0 [Type: unsigned char]
    [+0x015] KernelApcPending : 0x1 [Type: unsigned char]
    [+0x016] UserApcPending   : 0x0 [Type: unsigned char]
0: kd> dx -id 0,0,8954e020 -r1 (*((CSRSRV!_LIST_ENTRY (*)[2])0x89804054))
(*((CSRSRV!_LIST_ENTRY (*)[2])0x89804054))                 [Type: _LIST_ENTRY [2]]
    [0]              [Type: _LIST_ENTRY]
    [1]              [Type: _LIST_ENTRY]
0: kd> dx -id 0,0,8954e020 -r1 (*((CSRSRV!_LIST_ENTRY *)0x89804054))
(*((CSRSRV!_LIST_ENTRY *)0x89804054))                 [Type: _LIST_ENTRY]
    [+0x000] Flink            : 0x897904d4 [Type: _LIST_ENTRY *]
    [+0x004] Blink            : 0x897904d4 [Type: _LIST_ENTRY *]

第五部分:

参考:

;
;  Thread State Enumerated Type Values (KTHREAD.State)
;
;  Used to read the State byte in the "dt kthread" dumps on this page:
;  the target thread shows 0x5 (Waiting) before the APC is queued and
;  0x3 (Standby, selected as NextThread of CPU 1) after KiUnwaitThread.
;

Initialized equ 00000H
Ready equ 00001H
Running equ 00002H
Standby equ 00003H
Terminated equ 00004H
Waiting equ 00005H

参考:

0: kd> dt kthread 0x89804020
CSRSRV!KTHREAD
   +0x000 Header           : _DISPATCHER_HEADER
   +0x010 MutantListHead   : _LIST_ENTRY [ 0x89804030 - 0x89804030 ]
   +0x018 InitialStack     : 0xf75f7000 Void
   +0x01c StackLimit       : 0xf75f4000 Void
   +0x020 KernelStack      : 0xf75f692c Void
   +0x024 ThreadLock       : 0
   +0x028 ContextSwitches  : 0x26b
   +0x02c State            : 0x3 ''
   +0x02d NpxState         : 0xa ''


0: kd> dt KPCR  f7737000
basesrv!KPCR
   +0x000 NtTib            : _NT_TIB
   +0x000 Used_ExceptionList : 0xffffffff _EXCEPTION_REGISTRATION_RECORD
   +0x004 Used_StackBase   : (null)
   +0x008 PerfGlobalGroupMask : (null)
   +0x00c TssCopy          : 0xf7737ef0 Void
   +0x010 ContextSwitches  : 0x8a65
   +0x014 SetMemberCopy    : 2
   +0x018 Used_Self        : (null)
   +0x01c SelfPcr          : 0xf7737000 _KPCR
   +0x020 Prcb             : 0xf7737120 _KPRCB
   +0x024 Irql             : 0 ''
   +0x028 IRR              : 0
   +0x02c IrrActive        : 0
   +0x030 IDR              : 0xffffffff
   +0x034 KdVersionBlock   : (null)
   +0x038 IDT              : 0xf773d6e0 _KIDTENTRY
   +0x03c GDT              : 0xf773d2e0 _KGDTENTRY
   +0x040 TSS              : 0xf7737ef0 _KTSS
   +0x044 MajorVersion     : 1
   +0x046 MinorVersion     : 1
   +0x048 SetMember        : 2
   +0x04c StallScaleFactor : 0xe10
   +0x050 SpareUnused      : 0 ''
   +0x051 Number           : 0x1 ''
   +0x052 Spare0           : 0 ''
   +0x053 SecondLevelCacheAssociativity : 0 ''
   +0x054 VdmAlert         : 0
   +0x058 KernelReserved   : [14] 0
   +0x090 SecondLevelCacheSize : 0
   +0x094 HalReserved      : [16] 1
   +0x0d4 InterruptMode    : 0
   +0x0d8 Spare1           : 0 ''
   +0x0dc KernelReserved2  : [17] 0
   +0x120 PrcbData         : _KPRCB
0: kd> dx -id 0,0,8954e020 -r1 ((basesrv!_KPRCB *)0xf7737120)
((basesrv!_KPRCB *)0xf7737120)                 : 0xf7737120 [Type: _KPRCB *]
    [+0x000] MinorVersion     : 0x1 [Type: unsigned short]
    [+0x002] MajorVersion     : 0x1 [Type: unsigned short]
    [+0x004] CurrentThread    : 0xf7739fa0 [Type: _KTHREAD *]
    [+0x008] NextThread       : 0x89804020 [Type: _KTHREAD *]
    [+0x00c] IdleThread       : 0xf7739fa0 [Type: _KTHREAD *]

0: kd> g
Breakpoint 46 hit
WARNING: Process directory table base 7B884000 doesn't match CR3 00039000
WARNING: Process directory table base 7B884000 doesn't match CR3 00039000
eax=00000002 ebx=f7737000 ecx=00000001 edx=0000001b esi=89804020 edi=f7739fa0
eip=80b007f0 esp=f78aad54 ebp=80b20320 iopl=0         nv up ei pl zr na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000246
nt!SwapContext:
80b007f0 51              push    ecx

第六部分:

第六部分A:

//
// KiUnwaitThread
//
// Takes a thread out of its wait and makes it runnable. In this trace it is
// called from KiInsertQueueApc (see the excerpt at the top of the page) once
// the insertion conditions hold: the thread is Waiting, WaitIrql == 0,
// special APCs are not disabled, and the APC is a special kernel APC
// (NormalRoutine == NULL) or kernel APCs are otherwise deliverable.
//
// Thread     - the waiting thread (0x89804020, win32k!xxxDesktopThread, here).
// WaitStatus - status the interrupted wait returns (STATUS_KERNEL_APC here).
// Increment  - priority boost to apply when the thread is readied; must be
//              non-negative (0n6 in the trace, the IO_KEYBOARD_INCREMENT
//              passed to IoCompleteRequest).
//
VOID
FASTCALL
KiUnwaitThread (
    IN PRKTHREAD Thread,
    IN LONG_PTR WaitStatus,
    IN KPRIORITY Increment
    )
{

    //
    // Unlink thread from the appropriate wait queues and set the wait
    // completion status.
    //

    KiUnlinkThread(Thread, WaitStatus);

    //
    // Set unwait priority adjustment parameters. The boost is only recorded
    // on the thread here, together with the reason (AdjustUnwait); it is
    // presumably consumed later by the scheduler when the thread is readied.
    //

    ASSERT(Increment >= 0);

    Thread->AdjustIncrement = (SCHAR)Increment;
    Thread->AdjustReason = (UCHAR)AdjustUnwait;

    //
    // Ready the thread for execution. In this trace the thread does not run
    // at once: it goes through the deferred ready list and ends up as
    // NextThread of CPU 1 in Standby state (0x3).
    //

    KiReadyThread(Thread);
    return;
}

第六部分B:

VOID
FASTCALL
KiReadyThread (
    IN PKTHREAD Thread
    )
{


       KiInsertDeferredReadyList(Thread);
        return;
    }
}

第六部分C:

经过 nt!KiProcessDeferredReadyList 处理之后, 目标线程 0x89804020 成为 1 号 CPU (KPCR f7737000, Number = 1, Prcb f7737120) 的 NextThread, 此时其 State = 0x3 (Standby), 而该 CPU 的 CurrentThread 仍然是空闲线程 0xf7739fa0:

0: kd> dx -id 0,0,8954e020 -r1 ((basesrv!_KPRCB *)0xf7737120)
((basesrv!_KPRCB *)0xf7737120)                 : 0xf7737120 [Type: _KPRCB *]
    [+0x000] MinorVersion     : 0x1 [Type: unsigned short]
    [+0x002] MajorVersion     : 0x1 [Type: unsigned short]
    [+0x004] CurrentThread    : 0xf7739fa0 [Type: _KTHREAD *]
    [+0x008] NextThread       : 0x89804020 [Type: _KTHREAD *]
    [+0x00c] IdleThread       : 0xf7739fa0 [Type: _KTHREAD *]

第六部分D:nt!KiDispatchInterrupt+0x4d函数中调用SwapContext

;
; Check to determine if a new thread has been selected for execution on this
; processor.
;

        cmp     dword ptr [ebx].PcPrcbData.PbNextThread, 0 ; check if next thread
        je      kdi70                   ; if eq, then no new thread

;
; N.B. The following registers MUST be saved such that ebp is saved last.
;      This is done so the debugger can find the saved ebp for a thread
;      that is not currently in the running state.
;

.fpo (0, 0, 0, 3, 1, 0)

        sub     esp, 3*4
        mov     [esp+8], esi            ; save registers
        mov     [esp+4], edi            ;
        mov     [esp+0], ebp            ;
        mov     edi, [ebx].PcPrcbData.PbCurrentThread ; get current thread address (as old thread)

;
; Raise IRQL to SYNCH level, set context swap busy for the old thread, and
; acquire the current PRCB lock.
;

ifndef NT_UP

        call    dword ptr [__imp__KeRaiseIrqlToSynchLevel@0] ; raise IRQL to SYNCH
        mov     byte ptr [edi].ThSwapBusy, 1 ; set context swap busy
        lea     ecx, [ebx].PcPrcbData.PbPrcbLock ; get PRCB lock address
   lock bts     dword ptr [ecx], 0      ; try to acquire PRCB lock
        jnc     short kdi50             ; if nc, PRCB lock acquired
        fstCall KefAcquireSpinLockAtDpcLevel ; acquire current PRCB lock

endif

;
; Get the next thread address, set the thread state to running, queue the old
; running thread, and swap context to the next thread.
;

kdi50:  mov     esi, [ebx].PcPrcbData.PbNextThread ; get next thread address
        and     dword ptr [ebx].PcPrcbData.PbNextThread, 0 ; clear next thread address
        mov     [ebx].PcPrcbData.PbCurrentThread, esi ; set current thread address
        mov     byte ptr [esi]+ThState, Running ; set thread state to running
        mov     byte ptr [edi].ThWaitReason, WrDispatchInt  ; set wait reason
        mov     ecx, edi                ; set address of curent thread
        lea     edx, [ebx].PcPrcbData   ; set address of PRCB
        fstCall KiQueueReadyThread      ; ready thread for execution
        CAPSTART <_KiDispatchInterrupt,SwapContext>
        mov     cl, APC_LEVEL           ; set APC interrupt bypass disable
        call    SwapContext             ; swap context
        CAPEND <_KiDispatchInterrupt>

第七部分: win32k!xxxDesktopThread 被切换回来之后, 在 nt!KiSwapThread 内部调用了 nt!KiDeliverApc, 以执行第四部分插入到该线程 ApcState.ApcListHead[KernelMode] 中、并已置位 KernelApcPending 的内核 APC (KernelRoutine = nt!IopCompleteRequest), 从而在发起线程的上下文中执行 IRP 完成的收尾工作。

1: kd> ba e1 win32k!InputApc
1: kd> be 31
1: kd> g
Breakpoint 31 hit
eax=0000003d ebx=00000100 ecx=0000003d edx=80010031 esi=804edc30 edi=00000000
eip=80a3c776 esp=f75f693c ebp=f75f697c iopl=0         nv up ei pl zr na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000246
nt!KiDeliverApc:
80a3c776 55              push    ebp
1: kd> kc
 #
00 nt!KiDeliverApc
01 nt!KiSwapThread

02 nt!KeWaitForMultipleObjects
03 win32k!xxxMsgWaitForMultipleObjects
04 win32k!xxxDesktopThread
05 win32k!xxxCreateSystemThreads
06 win32k!NtUserCallOneParam
07 nt!_KiSystemService
08 SharedUserData!SystemCallStub
09 winsrv!NtUserCallOneParam
