
从nt!KeSetEvent到nt!KiExitDispatcher到nt!KiProcessDeferredReadyList到nt!KiDeferredReadyThread

从nt!KeSetEvent到nt!KiExitDispatcher到nt!KiProcessDeferredReadyList到nt!KiDeferredReadyThread

从nt!KeSetEvent到nt!KiExitDispatcher到nt!KiProcessDeferredReadyList到nt!KiDeferredReadyThread
1: kd> p
Breakpoint 37 hit
eax=0000001b ebx=00000000 ecx=89836020 edx=00000000 esi=00000000 edi=ffdff120
eip=80a41c28 esp=f789eeb0 ebp=f789eee0 iopl=0 nv up ei ng nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000282
nt!KiDeferredReadyThread:
80a41c28 55 push ebp
0: kd> kc
#
00 nt!KiDeferredReadyThread
01 nt!KiProcessDeferredReadyList
02 nt!KiExitDispatcher
03 nt!KeSetEvent
04 USBPORT!USBPORT_SignalWorker
05 USBPORT!USBPORT_InvalidateEndpoint
06 USBPORT!USBPORT_FlushDoneTransferList
07 USBPORT!USBPORT_TransferFlushDpc
08 nt!KiRetireDpcList
09 nt!KiDispatchInterrupt
WARNING: Frame IP not in any known module. Following frames may be wrong.
0a 0x0
0: kd> kv
# ChildEBP RetAddr Args to Child
00 f789eeac 80a42c46 00000000 ffdff120 804edc6c nt!KiDeferredReadyThread (FPO: [Non-Fpo]) (CONV: fastcall) [d:\srv03rtm\base\ntos\ke\thredsup.c @ 156]
01 f789eebc 80a4002e 898d45c0 898d40e8 4f444648 nt!KiProcessDeferredReadyList+0x3a (FPO: [0,0,0]) (CONV: fastcall) [d:\srv03rtm\base\ntos\ke\thredsup.c @ 849]
02 f789eee0 80a342fd 00000000 f789ef18 bae8ac25 nt!KiExitDispatcher+0x42 (FPO: [Non-Fpo]) (CONV: fastcall) [d:\srv03rtm\base\ntos\ke\waitsup.c @ 80]
03 f789eeec bae8ac25 028d45c0 00000001 00000000 nt!KeSetEvent+0xf7 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\ke\eventobj.c @ 443]
04 f789ef18 bae9516e 898d4030 898d4724 89861340 USBPORT!USBPORT_SignalWorker+0xe3 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\drivers\wdm\usb\hcd\usbport\thread.c @ 330]
05 f789ef44 baea0cb2 2b747461 89861340 00000002 USBPORT!USBPORT_InvalidateEndpoint+0x558 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\drivers\wdm\usb\hcd\usbport\core.c @ 2586]
06 f789ef7c baea48a4 898d4030 ffdff980 baea4782 USBPORT!USBPORT_FlushDoneTransferList+0x28c (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\drivers\wdm\usb\hcd\usbport\core.c @ 2231]
07 f789ef9c 80a41432 898d4628 898d4030 00000000 USBPORT!USBPORT_TransferFlushDpc+0x122 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\drivers\wdm\usb\hcd\usbport\core.c @ 850]
08 f789eff4 80b00756 ba1b0bf8 00000000 00000000 nt!KiRetireDpcList+0xd6 (FPO: [Non-Fpo]) (CONV: fastcall) [d:\srv03rtm\base\ntos\ke\dpcsup.c @ 1076]
09 f789eff8 ba1b0bf8 00000000 00000000 00000000 nt!KiDispatchInterrupt+0x36 (FPO: [Uses EBP] [0,0,1]) [d:\srv03rtm\base\ntos\ke\i386\ctxswap.asm @ 226]
WARNING: Frame IP not in any known module. Following frames may be wrong.
0a 80b00756 00000000 00000009 bb837775 00000128 0xba1b0bf8

VOID
FASTCALL
KiProcessDeferredReadyList (
IN PKPRCB CurrentPrcb
)
{

do {
Thread = CONTAINING_RECORD(NextEntry, KTHREAD, SwapListEntry);
NextEntry = NextEntry->Next;
KiDeferredReadyThread(Thread);
} while (NextEntry != NULL);


ASSERT(Thread->State == DeferredReady);

0: kd> p
eax=0000001b ebx=00000000 ecx=89836020 edx=00000000 esi=89836020 edi=80a059f8
eip=80a41c3a esp=f789ee8c ebp=f789eeac iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
nt!KiDeferredReadyThread+0x12:
80a41c3a 807e2c07 cmp byte ptr [esi+2Ch],7 ds:0023:8983604c=07
0: kd> dt kthread 89836020
CSRSRV!KTHREAD
+0x000 Header : _DISPATCHER_HEADER
+0x010 MutantListHead : _LIST_ENTRY [ 0x89836030 - 0x89836030 ]
+0x018 InitialStack : 0xf701c000 Void
+0x01c StackLimit : 0xf7019000 Void
+0x020 KernelStack : 0xf701bce0 Void
+0x024 ThreadLock : 0
+0x028 ContextSwitches : 0x407
+0x02c State : 0x7 ''

//
// Scheduler state of a KTHREAD, stored in the State byte at offset +0x02c
// in the dumps above.  Values are written out explicitly so the numbers the
// debugger shows (0x7 == DeferredReady before KiDeferredReadyThread runs,
// 0x3 == Standby after the thread is handed to a target PRCB) can be read
// straight off this table.
//
typedef enum _KTHREAD_STATE {
    Initialized   = 0,
    Ready         = 1,
    Running       = 2,
    Standby       = 3,   // parked in TargetPrcb->NextThread, not yet running
    Terminated    = 4,
    Waiting       = 5,
    Transition    = 6,
    DeferredReady = 7    // queued on a PRCB's DeferredReadyListHead
} KTHREAD_STATE;

+0x1bf AdjustReason : 0x1 '' AdjustUnwait

//
// Reason recorded in KTHREAD.AdjustReason (offset +0x1bf in the dump above);
// KiDeferredReadyThread branches on it to decide which priority adjustment
// to apply.  Enumerators take the default consecutive values 0, 1, 2.
//
typedef enum _ADJUST_REASON {
    AdjustNone,     // 0: no adjustment pending
    AdjustUnwait,   // 1: adjustment after an unwait (the path traced above)
    AdjustBoost     // 2
} ADJUST_REASON;


//
// Check if a priority adjustment is requested.
//检查是否请求调整优先级。

if (Thread->AdjustReason == AdjustNone) {


0: kd> dx -id 0,0,8954e020 -r1 (*((CSRSRV!_KAPC_STATE *)0x89836054))
(*((CSRSRV!_KAPC_STATE *)0x89836054)) [Type: _KAPC_STATE]
[+0x000] ApcListHead [Type: _LIST_ENTRY [2]]
[+0x010] Process : 0x899a2278 [Type: _KPROCESS *]


} else if (Thread->AdjustReason == AdjustUnwait) {

//
// Priority adjustment as the result of an unwait operation.
//
// The priority increment is stored in the adjust increment field of
// the thread object.
//
// Acquire the thread lock.
//
// If the thread runs at a realtime priority level, then reset the
// thread quantum. Otherwise, compute the next thread priority and
// charge the thread for the wait operation.
//

Process = Thread->ApcState.Process;
KiAcquireThreadLock(Thread);
if (Thread->Priority < LOW_REALTIME_PRIORITY) {

LOW_REALTIME_PRIORITY equ 010H


+0x05b Priority : 9 ''


if (Thread->BasePriority >= TIME_CRITICAL_PRIORITY_BOUND) {
Thread->Quantum = Process->ThreadQuantum;

}

// Base-priority threshold used in the AdjustUnwait path above: a thread whose
// BasePriority is at or above this bound has its Quantum reset to the owning
// process's ThreadQuantum.
#define TIME_CRITICAL_PRIORITY_BOUND 14


+0x110 BasePriority : 8 ''

if ((Thread->PriorityDecrement == 0) && (Thread->AdjustIncrement > 0)) {
Thread->Quantum = Process->ThreadQuantum;
}


+0x113 Quantum : 31 ''


0: kd> dx -id 0,0,8954e020 -r1 ((CSRSRV!_KPROCESS *)0x899a2278)

[+0x062] BasePriority : 8 [Type: char]
[+0x063] ThreadQuantum : 36 '$' [Type: char]

+0x050 WaitStatus : 0n0


if (Thread->WaitStatus != STATUS_KERNEL_APC) {
Thread->Quantum -= WAIT_QUANTUM_DECREMENT;
if (Thread->Quantum <= 0) {
Thread->Quantum = Process->ThreadQuantum;
Thread->Priority = KiComputeNewPriority(Thread, 1);
}
}
}

WAIT_QUANTUM_DECREMENT equ 01H

+0x113 Quantum : 35 '#' 36-1=35

Priority = Thread->BasePriority + Thread->AdjustIncrement;


+0x1c0 AdjustIncrement : 1 ''
+0x110 BasePriority : 8 ''

+0x05b Priority : 9 ''

} else {

//
// Invalid priority adjustment reason.
//

ASSERT(FALSE);

Thread->AdjustReason = AdjustNone;
} 线程优先级调整部分结束。


Preempted = Thread->Preempted;
Thread->Preempted = FALSE;


+0x10a Preempted : 0 ''


0: kd> dv Preempted
Preempted = 0x00 ''

+0x10e IdealProcessor : 0x1 ''

+0x120 Affinity : 3

//
// Attempt to assign the thread on an idle processor.
//

CurrentPrcb = KeGetCurrentPrcb();


0: kd> p
eax=ffdff120 ebx=00000009 ecx=00000000 edx=00000009 esi=89836020 edi=80a059f8
eip=80a41fac esp=f789ee8c ebp=f789eeac iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
nt!KiDeferredReadyThread+0x384:
80a41fac 0fb6860e010000 movzx eax,byte ptr [esi+10Eh] ds:0023:8983612e=01

0: kd> x nt!KiIdleSummary
80b16e80 nt!KiIdleSummary = 2


do {
Processor = Thread->IdealProcessor;
IdleSet = KiIdleSummary & Affinity; 3&2=2 选择1号处理器


0: kd> dv IdleSet
IdleSet = 2

// Table lookup into KiAffinityArray by index n (presumably the affinity bit
// for processor n; the table itself is not shown on this page).
#define AFFINITY_MASK(n) (KiAffinityArray[n])

TargetPrcb = KiProcessorBlock[Processor];

0: kd> dv Processor
Processor = 1

0: kd> x nt!KiProcessorBlock
80b20680 nt!KiProcessorBlock = struct _KPRCB *[]
80b20680 nt!KiProcessorBlock = struct _KPRCB *[32]
80b20680 nt!KiProcessorBlock = struct _KPRCB *[]
0: kd> dx -r1 (*((ntkrnlmp!_KPRCB * (*)[32])0x80b20680))
(*((ntkrnlmp!_KPRCB * (*)[32])0x80b20680)) [Type: _KPRCB * [32]]
[0] : 0xffdff120 [Type: _KPRCB *]
[1] : 0xf7737120 [Type: _KPRCB *]


+0x014 SetMember : 2

Thread->State = Standby;
Thread->NextProcessor = (UCHAR)Processor;


0: kd> dt kthread 89836020
CSRSRV!KTHREAD
+0x000 Header : _DISPATCHER_HEADER
+0x010 MutantListHead : _LIST_ENTRY [ 0x89836030 - 0x89836030 ]
+0x018 InitialStack : 0xf701c000 Void
+0x01c StackLimit : 0xf7019000 Void
+0x020 KernelStack : 0xf701bce0 Void
+0x024 ThreadLock : 0
+0x028 ContextSwitches : 0x407
+0x02c State : 0x3 ''

+0x10f NextProcessor : 0x1 ''


0: kd> dx -id 0,0,8954e020 -r1 ((basesrv!_KPRCB *)0xf7737120)
((basesrv!_KPRCB *)0xf7737120) : 0xf7737120 [Type: _KPRCB *]
[+0x000] MinorVersion : 0x1 [Type: unsigned short]
[+0x002] MajorVersion : 0x1 [Type: unsigned short]
[+0x004] CurrentThread : 0xf7739fa0 [Type: _KTHREAD *]
[+0x008] NextThread : 0x0 [Type: _KTHREAD *]

TargetPrcb->NextThread = Thread;


0: kd> dx -id 0,0,8954e020 -r1 ((basesrv!_KPRCB *)0xf7737120)
((basesrv!_KPRCB *)0xf7737120) : 0xf7737120 [Type: _KPRCB *]
[+0x000] MinorVersion : 0x1 [Type: unsigned short]
[+0x002] MajorVersion : 0x1 [Type: unsigned short]
[+0x004] CurrentThread : 0xf7739fa0 [Type: _KTHREAD *]
[+0x008] NextThread : 0x89836020 [Type: _KTHREAD *]


KiReleaseTwoPrcbLocks(CurrentPrcb, TargetPrcb);
return; 返回了!!!

第二部分:

0: kd> g
Breakpoint 41 hit
eax=0000001b ebx=804edc6c ecx=ffdff120 edx=00000000 esi=00000000 edi=ffdff120
eip=80a42c0c esp=f789ed04 ebp=f789ed24 iopl=0 nv up ei ng nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000282
nt!KiProcessDeferredReadyList:
80a42c0c 53 push ebx
0: kd> kc
#
00 nt!KiProcessDeferredReadyList
01 nt!KiExitDispatcher
02 nt!KeInsertQueue
03 nt!ExQueueWorkItem
04 nt!PopUserPresentSet
05 nt!PopApplyAttributeState
06 nt!PoSetSystemState
07 mouclass!MouseClassServiceCallback
08 mouhid!MouHid_ReadComplete
09 nt!IopfCompleteRequest
0a HIDCLASS!HidpDistributeInterruptReport
0b HIDCLASS!HidpInterruptReadComplete
0c nt!IopfCompleteRequest
0d USBPORT!USBPORT_CompleteTransfer
0e USBPORT!USBPORT_DoneTransfer
0f USBPORT!USBPORT_FlushDoneTransferList
10 USBPORT!USBPORT_TransferFlushDpc
11 nt!KiRetireDpcList
12 nt!KiDispatchInterrupt
WARNING: Frame IP not in any known module. Following frames may be wrong.
13 0x0
0: kd> dv
CurrentPrcb = 0x00000000
0: kd> kv 3
# ChildEBP RetAddr Args to Child
00 f789ed00 80a4002e 80b198e0 00000000 00000002 nt!KiProcessDeferredReadyList (FPO: [0,0,0]) (CONV: fastcall) [d:\srv03rtm\base\ntos\ke\thredsup.c @ 825]
01 f789ed24 80a38de1 80bf5cbc 00000000 f789ed50 nt!KiExitDispatcher+0x42 (FPO: [Non-Fpo]) (CONV: fastcall) [d:\srv03rtm\base\ntos\ke\waitsup.c @ 80]
02 f789ed34 80af297b 80bf5cbc 80b198e0 897fa0d8 nt!KeInsertQueue+0x77 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\ke\queueobj.c @ 165]
0: kd> !pcr


do {
Thread = CONTAINING_RECORD(NextEntry, KTHREAD, SwapListEntry);
NextEntry = NextEntry->Next;
KiDeferredReadyThread(Thread);
} while (NextEntry != NULL);

0: kd> p
eax=00000000 ebx=00000000 ecx=00000002 edx=000c08e1 esi=00000000 edi=ffdff120
eip=80a42c46 esp=f789eeb4 ebp=f789eee0 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
nt!KiProcessDeferredReadyList+0x3a:
80a42c46 3bf3 cmp esi,ebx

0: kd> dx -id 0,0,8954e020 -r1 ((basesrv!_KPRCB *)0xffdff120)
((basesrv!_KPRCB *)0xffdff120) : 0xffdff120 [Type: _KPRCB *]
[+0x000] MinorVersion : 0x1 [Type: unsigned short]
[+0x002] MajorVersion : 0x1 [Type: unsigned short]
[+0x004] CurrentThread : 0x895f2a78 [Type: _KTHREAD *]
[+0x008] NextThread : 0x0 [Type: _KTHREAD *]

[+0x928] ReadySummary : 0x0 [Type: unsigned long]
[+0x92c] SelectNextLast : 0x0 [Type: unsigned long]
[+0x930] DispatcherReadyListHead [Type: _LIST_ENTRY [32]]
[+0xa30] DeferredReadyListHead [Type: _SINGLE_LIST_ENTRY]
[+0xa34] PrcbPad72 [Type: unsigned long [11]]
[+0xa60] ChainedInterruptList : 0x0 [Type: void *]
[+0xa64] LookasideIrpFloat : 32720 [Type: long]
[+0xa68] SpareFields0 [Type: unsigned long [4]]
[+0xa78] VendorString [Type: unsigned char [13]]
[+0xa85] InitialApicId : 0x0 [Type: unsigned char]
[+0xa86] LogicalProcessorsPerPhysicalProcessor : 0x2 [Type: unsigned char]
[+0xa88] MHz : 0xe10 [Type: unsigned long]
[+0xa8c] FeatureBits : 0x33fff [Type: unsigned long]
[+0xa90] UpdateSignature : {876173328384} [Type: _LARGE_INTEGER]
[+0xa98] IsrTime : 0x0 [Type: unsigned __int64]
[+0xaa0] NpxSaveArea [Type: _FX_SAVE_AREA]
[+0xcb0] PowerState [Type: _PROCESSOR_POWER_STATE]
0: kd> dx -id 0,0,8954e020 -r1 (*((basesrv!_SINGLE_LIST_ENTRY *)0xffdffb50))
(*((basesrv!_SINGLE_LIST_ENTRY *)0xffdffb50)) [Type: _SINGLE_LIST_ENTRY]
[+0x000] Next : 0x8999d680 [Type: _SINGLE_LIST_ENTRY *]
0: kd> dx -id 0,0,8954e020 -r1 ((basesrv!_SINGLE_LIST_ENTRY *)0x8999d680)
((basesrv!_SINGLE_LIST_ENTRY *)0x8999d680) : 0x8999d680 [Type: _SINGLE_LIST_ENTRY *]
[+0x000] Next : 0x0 [Type: _SINGLE_LIST_ENTRY *]


FORCEINLINE
VOID
FASTCALL
KiInsertDeferredReadyList (
IN PKTHREAD Thread
)
{

Prcb = KeGetCurrentPrcb();
Thread->State = DeferredReady;
Thread->DeferredProcessor = Prcb->Number;
PushEntryList(&Prcb->DeferredReadyListHead,
&Thread->SwapListEntry);


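//
// Push Entry onto the front of the singly linked list headed by ListHead
// (used above to queue a thread's SwapListEntry on a PRCB's
// DeferredReadyListHead).  Wrapped in do/while(0): the original two-statement
// expansion under an unbraced `if (cond) PushEntryList(h, e);` would relink
// the head unconditionally while only the first assignment stayed under the
// condition.
//
#define PushEntryList(ListHead,Entry)                 \
    do {                                              \
        (Entry)->Next = (ListHead)->Next;             \
        (ListHead)->Next = (Entry);                   \
    } while (0)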

+0x060 WaitListEntry : _LIST_ENTRY [ 0x0 - 0xf7737a98 ]
+0x060 SwapListEntry : _SINGLE_LIST_ENTRY


0: kd> dt kthread 0x8999d680-60
CSRSRV!KTHREAD
+0x000 Header : _DISPATCHER_HEADER
+0x010 MutantListHead : _LIST_ENTRY [ 0x8999d630 - 0x8999d630 ]
+0x018 InitialStack : 0xf78e7000 Void
+0x01c StackLimit : 0xf78e4000 Void
+0x020 KernelStack : 0xf78e6cf8 Void
+0x024 ThreadLock : 0
+0x028 ContextSwitches : 0x1c0
+0x02c State : 0x7 ''

do {
Thread = CONTAINING_RECORD(NextEntry, KTHREAD, SwapListEntry);
NextEntry = NextEntry->Next;

0: kd> p
eax=0000001b ebx=00000000 ecx=8999d620 edx=00000000 esi=8999d680 edi=ffdff120
eip=80a42c3f esp=f789ecf8 ebp=f789ed24 iopl=0 nv up ei ng nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000282
nt!KiProcessDeferredReadyList+0x33:
80a42c3f 8b36 mov esi,dword ptr [esi] ds:0023:8999d680=00000000


0: kd> dd 8999d680
8999d680 00000000
