Analysis of smss!SmpStartCsr: SmpLoadSubSystemsForMuSession and the origin of the new csrss.exe process for a 3389 (Remote Desktop) session

You can troubleshoot most symbol related issues by turning on symbol loading diagnostics (!sym noisy) and repeating the command that caused symbols to be loaded.

You should also verify that your symbol search path (.sympath) is correct.

0: kd> kc
00 smss!SmpStartCsr
01 smss!SmpApiLoop

0: kd> dv
SmApiMsg = 0x0030fea8
CallingClient = 0x001637b8
CallPort = 0x00000010
State = 0x00000000
InitialCommandProcessId = 0
InitialCommandProcess = 0x77f2f6e8
InitialCommand = ""
DefaultInitialCommand = ""
WindowsSubSysProcessId = 0x2e8
MuSessionId = 0x30fea8

0: kd> dx -r1 ((smss!_SMAPIMSG *)0x30fea8)
((smss!_SMAPIMSG *)0x30fea8) : 0x30fea8 [Type: _SMAPIMSG *]
    [+0x000] h [Type: _PORT_MESSAGE]
    [+0x018] ApiNumber : SmStartCsrApi (5) [Type: _SMAPINUMBER]
    [+0x01c] ReturnedStatus : 259 [Type: long]
    [+0x020] u [Type: __unnamed]

0: kd> dx -r1 (*((smss!__unnamed *)0x30fec8))
(*((smss!__unnamed *)0x30fec8)) [Type: __unnamed]
    [+0x000] CreateForeignSession [Type: _SMCREATEFOREIGNSESSION]
    [+0x000] SessionComplete [Type: _SMSESSIONCOMPLETE]
    [+0x000] TerminateForeignComplete [Type: _SMTERMINATEFOREIGNSESSION]
    [+0x000] ExecPgm [Type: _SMEXECPGM]
    [+0x000] LoadDefered [Type: _SMLOADDEFERED]
    [+0x000] StartCsr [Type: _SMSTARTCSR]
    [+0x000] StopCsr [Type: _SMSTOPCSR]

0: kd> dx -r1 (*((smss!_SMSTARTCSR *)0x30fec8))
(*((smss!_SMSTARTCSR *)0x30fec8)) [Type: _SMSTARTCSR]
    [+0x000] MuSessionId : 0xffffffff [Type: unsigned long]
    [+0x004] InitialCommandLength : 0x0 [Type: unsigned long]
    [+0x008] InitialCommand [Type: unsigned short [128]]
    [+0x108] InitialCommandProcessId : 0x0 [Type: unsigned long]
    [+0x10c] WindowsSubSysProcessId : 0xdba90 [Type: unsigned long]
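The three dx dumps above give the wire layout of the SmStartCsrApi message: a 0x18-byte _PORT_MESSAGE header, ApiNumber at +0x018, ReturnedStatus at +0x01c, and the _SMSTARTCSR payload at +0x020 with InitialCommand as WCHAR[128]. The following Python is an added example, not code from this page or from smss: it mirrors that 32-bit layout with ctypes, decodes a constructed message, and treats the client-supplied InitialCommandLength as untrusted, bounding it by the fixed array before use.

```python
import ctypes
import struct

PORT_MESSAGE_SIZE = 0x18   # _PORT_MESSAGE on 32-bit Windows: h spans +0x000..+0x017 in the dump
SM_START_CSR_API = 5       # SmStartCsrApi, as the dx output shows

class SMSTARTCSR(ctypes.LittleEndianStructure):
    """Mirror of smss!_SMSTARTCSR at the offsets dumped above (32-bit layout)."""
    _fields_ = [
        ("MuSessionId",             ctypes.c_uint32),        # +0x000
        ("InitialCommandLength",    ctypes.c_uint32),        # +0x004, in bytes
        ("InitialCommand",          ctypes.c_uint16 * 128),  # +0x008, WCHAR[128]
        ("InitialCommandProcessId", ctypes.c_uint32),        # +0x108
        ("WindowsSubSysProcessId",  ctypes.c_uint32),        # +0x10c
    ]

BODY_OFFSET = PORT_MESSAGE_SIZE + 8   # +0x020: the union follows ApiNumber and ReturnedStatus

def decode_start_csr(msg: bytes) -> dict:
    """Decode an SmStartCsrApi _SMAPIMSG; raise ValueError if it is malformed."""
    if len(msg) < BODY_OFFSET + ctypes.sizeof(SMSTARTCSR):
        raise ValueError("message too short for _SMAPIMSG carrying _SMSTARTCSR")
    api_number, returned_status = struct.unpack_from("<Ii", msg, PORT_MESSAGE_SIZE)
    if api_number != SM_START_CSR_API:
        raise ValueError(f"unexpected ApiNumber {api_number}")
    body = SMSTARTCSR.from_buffer_copy(msg, BODY_OFFSET)
    # InitialCommandLength is client-supplied: bound it by the fixed array before
    # using it, and require a whole number of UTF-16 code units.
    n = body.InitialCommandLength
    if n > ctypes.sizeof(body.InitialCommand) or n % 2:
        raise ValueError(f"InitialCommandLength {n} out of range")
    return {
        "ApiNumber": api_number,
        "ReturnedStatus": returned_status,          # 259 = STATUS_PENDING in the dump
        "MuSessionId": body.MuSessionId,
        "InitialCommand": bytes(body.InitialCommand)[:n].decode("utf-16-le"),
        "WindowsSubSysProcessId": body.WindowsSubSysProcessId,
    }

def build_start_csr(session_id: int, command: str, status: int = 259) -> bytes:
    """Build a constructed message in the same layout, used here to exercise the decoder."""
    body = SMSTARTCSR(MuSessionId=session_id)
    enc = command.encode("utf-16-le")
    body.InitialCommandLength = len(enc)
    ctypes.memmove(body.InitialCommand, enc, len(enc))
    header = bytes(PORT_MESSAGE_SIZE) + struct.pack("<Ii", SM_START_CSR_API, status)
    return header + bytes(body)
```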

//
// Load subsystems for this session.
//
WindowsSubSysProcessId = 0;
Status = SmpLoadSubSystemsForMuSession (&MuSessionId,
                                         &WindowsSubSysProcessId,

0: kd> t
smss!SmpLoadSubSystemsForMuSession:
001b:4858aa7c 55 push ebp

0: kd> dv
pMuSessionId = 0x0030fe50
pWindowsSubSysProcessId = 0x0030fe3c
InitialCommand = 0x0030fe28 ""
Status = 0n0
FileName = struct _UNICODE_STRING "--- memory read error at address 0x00000010 ---"
Win32kFileName = struct _UNICODE_STRING ""
State = 0x00000018
DelayTime = {68722687656}

0: kd> gu
GDI: VerifierInitialization: failed to get info from ntoskrnl
(s: 0 0x180.18c smss.exe) USRK-[Wrn] *** win32k: DBCS:[0] IME:[0] MiddleEast:[0] CTFIME:[0]
Installed
Installed

Breakpoint 4 hit
nt!PspCreateProcess:
80d3a1c0 6834010000 push 134h

0: kd> kc
00 nt!PspCreateProcess
01 nt!NtCreateProcessEx
02 nt!NtCreateProcess
03 nt!_KiSystemService
04 SharedUserData!SystemCallStub
05 ntdll!NtCreateProcess
06 ntdll!RtlCreateUserProcess
07 smss!SmpExecuteImage
08 smss!SmpLoadSubSystem
09 smss!SmpExecuteCommand
0a smss!SmpLoadSubSystemsForMuSession
0b smss!SmpStartCsr
0c smss!SmpApiLoop

0: kd> dv
0: kd> gu
nt!NtCreateProcessEx+0xae:
80d3af36 eb05 jmp nt!NtCreateProcessEx+0xb5 (80d3af3d)

0: kd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS 899a2278 SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000
DirBase: 0a200000 ObjectTable: e1000e38 HandleCount: 320.
Image: System

PROCESS 894ddd88 SessionId: none Cid: 0180 Peb: 7ffdf000 ParentCid: 0004
DirBase: 7b189000 ObjectTable: e1278720 HandleCount: 20.
Image: smss.exe

PROCESS 8940cd88 SessionId: 0 Cid: 01b0 Peb: 7ffdf000 ParentCid: 0180
DirBase: 7aa43000 ObjectTable: e1458b40 HandleCount: 304.
Image: csrss.exe

PROCESS 898c8250 SessionId: 0 Cid: 01c8 Peb: 7ffdf000 ParentCid: 0180
DirBase: 7a448000 ObjectTable: e1457ad0 HandleCount: 479.
Image: winlogon.exe

PROCESS 897f5250 SessionId: 0 Cid: 01f4 Peb: 7ffdf000 ParentCid: 01c8
DirBase: 7a1cc000 ObjectTable: e1669ec0 HandleCount: 301.
Image: services.exe

PROCESS 8988a020 SessionId: 0 Cid: 0200 Peb: 7ffdf000 ParentCid: 01c8
DirBase: 7a2d4000 ObjectTable: e16dc8e0 HandleCount: 395.
Image: lsass.exe

PROCESS 898618d0 SessionId: 0 Cid: 02c4 Peb: 7ffdf000 ParentCid: 01f4
DirBase: 79bc2000 ObjectTable: e144df68 HandleCount: 160.
Image: svchost.exe

PROCESS 8954f3f0 SessionId: 0 Cid: 02fc Peb: 7ffdf000 ParentCid: 01f4
DirBase: 79ca0000 ObjectTable: e144dfb8 HandleCount: 190.
Image: svchost.exe

PROCESS 894d0c10 SessionId: 0 Cid: 0388 Peb: 7ffdf000 ParentCid: 01f4
DirBase: 09fea000 ObjectTable: e142f830 HandleCount: 130.
Image: svchost.exe

PROCESS 895d98c0 SessionId: 0 Cid: 03bc Peb: 7ffdf000 ParentCid: 01f4
DirBase: 796af000 ObjectTable: e1439930 HandleCount: 79.
Image: svchost.exe

PROCESS 895e0c10 SessionId: 0 Cid: 03d8 Peb: 7ffdf000 ParentCid: 01f4
DirBase: 79575000 ObjectTable: e1439aa8 HandleCount: 589.
Image: svchost.exe

PROCESS 895538c0 SessionId: 0 Cid: 04a4 Peb: 7ffdf000 ParentCid: 01f4
DirBase: 79347000 ObjectTable: e17da1f8 HandleCount: 125.
Image: spoolsv.exe

PROCESS 8988bbf8 SessionId: 0 Cid: 04c0 Peb: 7ffdf000 ParentCid: 01f4
DirBase: 7908d000 ObjectTable: e17cab78 HandleCount: 159.
Image: msdtc.exe

PROCESS 894153f8 SessionId: 0 Cid: 052c Peb: 7ffdf000 ParentCid: 01f4
DirBase: 79413000 ObjectTable: e13d0140 HandleCount: 55.
Image: svchost.exe

PROCESS 89484950 SessionId: 0 Cid: 0594 Peb: 7ffdf000 ParentCid: 01f4
DirBase: 78f9b000 ObjectTable: e17e30e8 HandleCount: 36.
Image: svchost.exe

PROCESS 894fbd88 SessionId: 0 Cid: 05bc Peb: 7ffdf000 ParentCid: 01f4
DirBase: 78da1000 ObjectTable: e1294788 HandleCount: 42.
Image: tftpd6.exe

PROCESS 8984fd88 SessionId: 0 Cid: 06a8 Peb: 7ffdf000 ParentCid: 01f4
DirBase: 788c2000 ObjectTable: e1770838 HandleCount: 51.
Image: dfssvc.exe

PROCESS 896b7538 SessionId: 1 Cid: 06d4 Peb: 7ffdf000 ParentCid: 0180
DirBase: 7880e000 ObjectTable: e188c460 HandleCount: 0.
Image: csrss.exe

Image: csrss.exe  <- the new csrss.exe process!!! Its parent process is smss!!! ParentCid: 0180
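The !process 0 0 dump above can be checked mechanically for the relationship the post points out: every csrss.exe should be a child of smss.exe, and each session should have one. This is an added Python example, not from the page; it parses a constructed excerpt in the same dump format (the smss.exe and csrss.exe entries copy this page's Cids, while Cid 0720 is an invented anomaly) and reports deviations.

```python
import re

# Constructed !process 0 0 excerpt in the page's format: smss.exe and the two csrss.exe
# entries (01b0 in session 0, 06d4 in session 1, ParentCid 0180) copy this page; 0720 is invented.
SAMPLE_DUMP = """\
PROCESS 894ddd88 SessionId: none Cid: 0180 Peb: 7ffdf000 ParentCid: 0004
    Image: smss.exe
PROCESS 8940cd88 SessionId: 0 Cid: 01b0 Peb: 7ffdf000 ParentCid: 0180
    Image: csrss.exe
PROCESS 894d0c10 SessionId: 0 Cid: 0388 Peb: 7ffdf000 ParentCid: 01f4
    Image: svchost.exe
PROCESS 896b7538 SessionId: 1 Cid: 06d4 Peb: 7ffdf000 ParentCid: 0180
    Image: csrss.exe
PROCESS 8ab10020 SessionId: 1 Cid: 0720 Peb: 7ffdf000 ParentCid: 0388
    Image: csrss.exe
"""

PROCESS_RE = re.compile(r"^PROCESS\s+\S+\s+SessionId:\s*(\S+)\s+Cid:\s*(\S+)\s+Peb:\s*\S+\s+ParentCid:\s*(\S+)")
IMAGE_RE = re.compile(r"^\s*Image:\s*(\S+)")

def parse_process_dump(text):
    """Return {Cid: record} for every PROCESS block, paired with its Image: line."""
    procs, current = {}, None
    for line in text.splitlines():
        if m := PROCESS_RE.match(line):
            session, cid, parent = m.groups()
            current = {"SessionId": session, "Cid": int(cid, 16),
                       "ParentCid": int(parent, 16), "Image": None}
            procs[current["Cid"]] = current
        elif (m := IMAGE_RE.match(line)) and current is not None:
            current["Image"] = m.group(1)
    return procs

def check_csrss_parentage(procs):
    """Flag a csrss.exe whose live parent is not smss.exe, and a session with >1 csrss.exe."""
    findings, per_session = [], {}
    for p in (q for q in procs.values() if q["Image"] == "csrss.exe"):
        per_session.setdefault(p["SessionId"], []).append(p["Cid"])
        parent = procs.get(p["ParentCid"])
        # An exited parent is not flagged: on Windows Vista and later a transient per-session
        # smss.exe copy creates csrss.exe, unlike the single long-lived smss.exe seen here.
        if parent is not None and parent["Image"] != "smss.exe":
            findings.append(f"csrss.exe Cid {p['Cid']:04x}: parent Cid {p['ParentCid']:04x} "
                            f"is {parent['Image']}, expected smss.exe")
    for sid, cids in per_session.items():
        if len(cids) > 1:
            findings.append(f"session {sid} has {len(cids)} csrss.exe: "
                            + ", ".join(f"{c:04x}" for c in cids))
    return findings
```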