在 nt!KiDispatchInterrupt+0x4d 处设置断点，可以截获 CurrentThread 被 NextThread 抢占后发生的线程切换 —— server03 调试指南
第一部分:
48 e Disable Clear 80b0076d [d:\srv03rtm\base\ntos\ke\i386\ctxswap.asm @ 260] 0001 (0001) nt!KiDispatchInterrupt+0x4d
nt!KiQueueReadyThread
nt!SwapContext
hal!HalRequestSoftwareInterrupt
先查看两个线程的优先级，以及 CurrentThread 是否已被抢占（对应 Thread->Preempted 字段）。
第二部分:
; Excerpt from nt!KiDispatchInterrupt (ctxswap.asm); the function begins and ends
; outside this listing. Entry state assumed from the field names used here:
; ebx = KPCR of the current processor. PcPrcbData is the KPRCB embedded in the
; KPCR, so PbNextThread is KPRCB.NextThread (offset +0x008 in the dump below).
cmp dword ptr [ebx].PcPrcbData.PbNextThread, 0 ; check if next thread: 0 (NULL) means no thread has been selected to run next
je kdi70 ; if eq, then no new thread -> skip the switch (kdi70 is defined outside this excerpt)
;
; N.B. The following registers MUST be saved such that ebp is saved last.
; This is done so the debugger can find the saved ebp for a thread
; that is not currently in the running state.
;
; FPO record for the debugger/unwinder: 3 saved registers in this frame,
; matching the three 4-byte slots reserved below.
.fpo (0, 0, 0, 3, 1, 0)
sub esp, 3*4 ; reserve 12 bytes (0Ch, see "sub esp,0Ch" in the trace below) for the three saved registers
mov [esp+8], esi ; save registers: esi/edi/ebp are callee-saved and must survive the context switch
mov [esp+4], edi ;
mov [esp+0], ebp ; ebp is stored last, at the lowest slot [esp+0], so the debugger can locate it for a non-running thread
第三部分:
1: kd> p
eax=00000000 ebx=f7737000 ecx=00000000 edx=899015b0 esi=804ecc3f edi=f7155ee1
eip=80b0076b esp=f78d2900 ebp=f78d2918 iopl=0 nv up ei ng nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000286
nt!KiDispatchInterrupt+0x4b:
80b0076b 746d je nt!KiDispatchInterrupt+0xba (80b007da) [br=0]
1: kd> p
eax=00000000 ebx=f7737000 ecx=00000000 edx=899015b0 esi=804ecc3f edi=f7155ee1
eip=80b0076d esp=f78d2900 ebp=f78d2918 iopl=0 nv up ei ng nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000286
nt!KiDispatchInterrupt+0x4d:
80b0076d 83ec0c sub esp,0Ch
1: kd> p
eax=00000000 ebx=f7737000 ecx=00000000 edx=899015b0 esi=804ecc3f edi=f7155ee1
eip=80b00770 esp=f78d28f4 ebp=f78d2918 iopl=0 nv up ei ng nz ac po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000292
nt!KiDispatchInterrupt+0x50:
80b00770 89742408 mov dword ptr [esp+8],esi ss:0010:f78d28fc=00000386
第四部分:如何找到nt!_KPRCB中的CurrentThread和NextThread
0: kd> !pcr
KPCR for Processor 0 at ffdff000:
Major 1 Minor 1
NtTib.ExceptionList: f789e63c
NtTib.StackBase: 00000000
NtTib.StackLimit: 00000000
NtTib.SubSystemTib: 80042000
NtTib.Version: 0000864d
NtTib.UserPointer: 00000001
NtTib.SelfTib: 7ffd5000
SelfPcr: ffdff000
Prcb: ffdff120
Irql: 00000000
IRR: 00000000
IDR: ffffffff
InterruptMode: 00000000
IDT: 8003f400
GDT: 8003f000
TSS: 80042000
CurrentThread: 895f2a78
NextThread: 89555268
IdleThread: 80b200c0
DpcQueue: 0x898d4608 0xbaed7556 [Normal] USBPORT!USBPORT_IsrDpc
0x895350f8 0xf7119206 [Normal] NDIS!ndisMDpcX
0: kd> dt nt!KPCR ffdff000
+0x000 NtTib : _NT_TIB
+0x000 Used_ExceptionList : 0xf789e63c _EXCEPTION_REGISTRATION_RECORD
+0x004 Used_StackBase : (null)
+0x008 PerfGlobalGroupMask : (null)
+0x00c TssCopy : 0x80042000 Void
+0x010 ContextSwitches : 0x864d
+0x014 SetMemberCopy : 1
+0x018 Used_Self : 0x7ffd5000 Void
+0x01c SelfPcr : 0xffdff000 _KPCR
+0x020 Prcb : 0xffdff120 _KPRCB
+0x024 Irql : 0 ''
+0x028 IRR : 0
+0x02c IrrActive : 0
+0x030 IDR : 0xffffffff
+0x034 KdVersionBlock : 0x80b0e468 Void
+0x038 IDT : 0x8003f400 _KIDTENTRY
+0x03c GDT : 0x8003f000 _KGDTENTRY
+0x040 TSS : 0x80042000 _KTSS
+0x044 MajorVersion : 1
+0x046 MinorVersion : 1
+0x048 SetMember : 1
+0x04c StallScaleFactor : 0xe10
+0x050 SpareUnused : 0 ''
+0x051 Number : 0 ''
0: kd> dx -id 0,0,8954e020 -r1 ((ntkrnlmp!_KPRCB *)0xffdff120)
((ntkrnlmp!_KPRCB *)0xffdff120) : 0xffdff120 [Type: _KPRCB *]
[+0x000] MinorVersion : 0x1 [Type: unsigned short]
[+0x002] MajorVersion : 0x1 [Type: unsigned short]
[+0x004] CurrentThread : 0x895f2a78 [Type: _KTHREAD *]
[+0x008] NextThread : 0x89555268 [Type: _KTHREAD *]
[+0x00c] IdleThread : 0x80b200c0 [Type: _KTHREAD *]
[+0x010] Number : 0 [Type: char]
[+0x011] Reserved : 0 [Type: char]
[+0x012] BuildType : 0x1 [Type: unsigned short]
[+0x014] SetMember : 0x1 [Type: unsigned long]
[+0x018] CpuType : 6 [Type: char]
[+0x019] CpuID : 1 [Type: char]
[+0x01a] CpuStep : 0x503 [Type: unsigned short]
[+0x01c] ProcessorState [Type: _KPROCESSOR_STATE]
[+0x33c] KernelReserved [Type: unsigned long [16]]
[+0x37c] HalReserved [Type: unsigned long [16]]
[+0x3bc] PrcbPad0 [Type: unsigned char [92]]
[+0x418] LockQueue [Type: _KSPIN_LOCK_QUEUE [16]]
[+0x498] PrcbPad1 [Type: unsigned char [8]]
[+0x4a0] NpxThread : 0x0 [Type: _KTHREAD *]
[+0x4a4] InterruptCount : 0x4ddd [Type: unsigned long]
[+0x4a8] KernelTime : 0x1db8 [Type: unsigned long]
[+0x4ac] UserTime : 0x22 [Type: unsigned long]
[+0x4b0] DpcTime : 0x72 [Type: unsigned long]
[+0x4b4] DebugDpcTime : 0x0 [Type: unsigned long]
[+0x4b8] InterruptTime : 0x197 [Type: unsigned long]
[+0x4bc] AdjustDpcThreshold : 0xf [Type: unsigned long]
[+0x4c0] PageColor : 0x181c [Type: unsigned long]
[+0x4c4] SkipTick : 0x1 [Type: unsigned char]
[+0x4c5] DebuggerSavedIRQL : 0x1c [Type: unsigned char]
[+0x4c6] Spare1 [Type: unsigned char [6]]
[+0x4cc] ParentNode : 0x80b20640 [Type: _KNODE *]
[+0x4d0] MultiThreadProcessorSet : 0x3 [Type: unsigned long]
[+0x4d4] MultiThreadSetMaster : 0xffdff120 [Type: _KPRCB *]
[+0x4d8] ThreadStartCount [Type: unsigned long [2]]
[+0x4e0] CcFastReadNoWait : 0x0 [Type: unsigned long]
[+0x4e4] CcFastReadWait : 0xcf [Type: unsigned long]
[+0x4e8] CcFastReadNotPossible : 0x0 [Type: unsigned long]
[+0x4ec] CcCopyReadNoWait : 0x3f [Type: unsigned long]
[+0x4f0] CcCopyReadWait : 0x1ff [Type: unsigned long]
[+0x4f4] CcCopyReadNoWaitMiss : 0x3 [Type: unsigned long]
[+0x4f8] KeAlignmentFixupCount : 0x0 [Type: unsigned long]
[+0x4fc] SpareCounter0 : 0x0 [Type: unsigned long]
[+0x500] KeDcacheFlushCount : 0x0 [Type: unsigned long]
[+0x504] KeExceptionDispatchCount : 0x1334 [Type: unsigned long]
[+0x508] KeFirstLevelTbFills : 0x0 [Type: unsigned long]
[+0x50c] KeFloatingEmulationCount : 0x0 [Type: unsigned long]
[+0x510] KeIcacheFlushCount : 0x0 [Type: unsigned long]
[+0x514] KeSecondLevelTbFills : 0x0 [Type: unsigned long]
[+0x518] KeSystemCalls : 0x2d5c0 [Type: unsigned long]
[+0x51c] SpareCounter1 : 0x0 [Type: unsigned long]
[+0x520] PPLookasideList [Type: _PP_LOOKASIDE_LIST [16]]
[+0x5a0] PPNPagedLookasideList [Type: _PP_LOOKASIDE_LIST [32]]
[+0x6a0] PPPagedLookasideList [Type: _PP_LOOKASIDE_LIST [32]]
[+0x7a0] PacketBarrier : 0x0 [Type: unsigned long]
[+0x7a4] ReverseStall : 0xcf [Type: unsigned long]
[+0x7a8] IpiFrame : 0xba360930 [Type: void *]
[+0x7ac] PrcbPad2 [Type: unsigned char [52]]
[+0x7e0] CurrentPacket [Type: void * [3]]
[+0x7ec] TargetSet : 0x0 [Type: unsigned long]
[+0x7f0] WorkerRoutine : 0x80a360f8 [Type: void (*)(void *,void *,void *,void *)]
[+0x7f4] IpiFrozen : 0x24 [Type: unsigned long]
[+0x7f8] PrcbPad3 [Type: unsigned char [40]]
[+0x820] RequestSummary : 0x0 [Type: unsigned long]
[+0x824] SignalDone : 0x0 [Type: _KPRCB *]
[+0x828] PrcbPad4 [Type: unsigned char [56]]
[+0x860] DpcData [Type: _KDPC_DATA [2]]
[+0x888] DpcStack : 0xf789f000 [Type: void *]
[+0x88c] MaximumDpcQueueDepth : 0x4 [Type: unsigned long]
[+0x890] DpcRequestRate : 0x0 [Type: unsigned long]
[+0x894] MinimumDpcRate : 0x3 [Type: unsigned long]
[+0x898] DpcInterruptRequested : 0x1 [Type: unsigned char]
[+0x899] DpcThreadRequested : 0x0 [Type: unsigned char]
[+0x89a] DpcRoutineActive : 0x1 [Type: unsigned char]
[+0x89b] DpcThreadActive : 0x0 [Type: unsigned char]
[+0x89c] PrcbLock : 0x0 [Type: unsigned long]
[+0x8a0] DpcLastCount : 0x13e4 [Type: unsigned long]
[+0x8a4] TimerHand : 0x105ee84c [Type: unsigned long]
[+0x8a8] TimerRequest : 0xf789ed84 [Type: unsigned long]
[+0x8ac] DpcThread : 0x0 [Type: void *]
[+0x8b0] DpcEvent [Type: _KEVENT]
[+0x8c0] ThreadDpcEnable : 0x0 [Type: unsigned char]
[+0x8c1] QuantumEnd : 0x1 [Type: unsigned char]
[+0x8c2] PrcbPad50 : 0x0 [Type: unsigned char]
[+0x8c3] IdleSchedule : 0x0 [Type: unsigned char]
[+0x8c4] DpcSetEventRequest : 0 [Type: long]
[+0x8c8] PrcbPad5 [Type: unsigned char [22]]
[+0x8e0] CallDpc [Type: _KDPC]
[+0x900] PrcbPad7 [Type: unsigned long [8]]
[+0x920] WaitListHead [Type: _LIST_ENTRY]
[+0x928] ReadySummary : 0x2000 [Type: unsigned long]
[+0x92c] SelectNextLast : 0x0 [Type: unsigned long]
[+0x930] DispatcherReadyListHead [Type: _LIST_ENTRY [32]]
[+0xa30] DeferredReadyListHead [Type: _SINGLE_LIST_ENTRY]
[+0xa34] PrcbPad72 [Type: unsigned long [11]]
[+0xa60] ChainedInterruptList : 0x0 [Type: void *]
[+0xa64] LookasideIrpFloat : 32720 [Type: long]
[+0xa68] SpareFields0 [Type: unsigned long [4]]
[+0xa78] VendorString [Type: unsigned char [13]]
[+0xa85] InitialApicId : 0x0 [Type: unsigned char]
[+0xa86] LogicalProcessorsPerPhysicalProcessor : 0x2 [Type: unsigned char]
[+0xa88] MHz : 0xe10 [Type: unsigned long]
[+0xa8c] FeatureBits : 0x33fff [Type: unsigned long]
[+0xa90] UpdateSignature : {876173328384} [Type: _LARGE_INTEGER]
[+0xa98] IsrTime : 0x0 [Type: unsigned __int64]
[+0xaa0] NpxSaveArea [Type: _FX_SAVE_AREA]
[+0xcb0] PowerState [Type: _PROCESSOR_POWER_STATE]