win7-winlogon!StateMachineRun函数分析之信号处理部分：得到信号、等待信号、重置信号

kd> t

winlogon!StateMachineRun:

001b:0059ede0 8bff mov edi,edi

kd> kc

00 winlogon!StateMachineRun

01 winlogon!WlStateMachineRun

02 winlogon!WinMain

03 winlogon!_initterm_e

04 kernel32!BaseThreadInitThunk

05 ntdll!__RtlUserThreadStart

06 ntdll!_RtlUserThreadStart

kd> kv

ChildEBP RetAddr Args to Child

00 001cfb70 00580bb8 000b0ce0 005b46f8 001cfbe0 winlogon!StateMachineRun (FPO: [Non-Fpo])

01 001cfb84 0057ec63 005b46f8 001cfbe0 0f4b761c winlogon!WlStateMachineRun+0x16 (FPO: [Non-Fpo])

02 001cfc04 0059d618 00570000 00000000 00081cd4 winlogon!WinMain+0xb10 (FPO: [Non-Fpo])

03 001cfc94 762d7647 7ffdf000 001cfce0 77600683 winlogon!_initterm_e+0x1a1 (FPO: [Non-Fpo])

04 001cfca0 77600683 7ffdf000 88a07a85 00000000 kernel32!BaseThreadInitThunk+0xe (FPO: [Non-Fpo])

05 001cfce0 776008df 0059d781 7ffdf000 00000000 ntdll!__RtlUserThreadStart+0x23 (FPO: [Non-Fpo])

06 001cfcf8 00000000 0059d781 7ffdf000 00000000 ntdll!_RtlUserThreadStart+0x1b (FPO: [Non-Fpo])

kd> p

winlogon!StateMachineRun+0x2:

001b:0059ede2 55 push ebp

kd> p

winlogon!StateMachineRun+0x3:

001b:0059ede3 8bec mov ebp,esp

kd> p

winlogon!StateMachineRun+0x5:

001b:0059ede5 81ec90010000 sub esp,190h

kd> p

winlogon!StateMachineRun+0xb:

001b:0059edeb 834df4ff or dword ptr [ebp-0Ch],0FFFFFFFFh

kd> p

winlogon!StateMachineRun+0xf:

001b:0059edef 834decff or dword ptr [ebp-14h],0FFFFFFFFh

kd> p

winlogon!StateMachineRun+0x13:

001b:0059edf3 834df8ff or dword ptr [ebp-8],0FFFFFFFFh

kd> p

winlogon!StateMachineRun+0x17:

001b:0059edf7 53 push ebx

kd> p

winlogon!StateMachineRun+0x18:

001b:0059edf8 33c0 xor eax,eax

kd> p

winlogon!StateMachineRun+0x1a:

001b:0059edfa 56 push esi

kd> p

winlogon!StateMachineRun+0x1b:

001b:0059edfb 57 push edi

kd> p

winlogon!StateMachineRun+0x1c:

001b:0059edfc 33f6 xor esi,esi

kd> p

winlogon!StateMachineRun+0x1e:

001b:0059edfe 8975d8 mov dword ptr [ebp-28h],esi

kd> p

winlogon!StateMachineRun+0x21:

001b:0059ee01 8d7ddc lea edi,[ebp-24h]

kd> p

winlogon!StateMachineRun+0x24:

001b:0059ee04 ab stos dword ptr es:[edi]

kd> p

winlogon!StateMachineRun+0x25:

001b:0059ee05 ab stos dword ptr es:[edi]

kd> p

winlogon!StateMachineRun+0x26:

001b:0059ee06 ab stos dword ptr es:[edi]

kd> p

winlogon!StateMachineRun+0x27:

001b:0059ee07 33c0 xor eax,eax

kd> p

winlogon!StateMachineRun+0x29:

001b:0059ee09 8975c8 mov dword ptr [ebp-38h],esi

kd> p

winlogon!StateMachineRun+0x2c:

001b:0059ee0c 8d7dcc lea edi,[ebp-34h]

kd> p

winlogon!StateMachineRun+0x2f:

001b:0059ee0f ab stos dword ptr es:[edi]

kd> p

winlogon!StateMachineRun+0x30:

001b:0059ee10 ab stos dword ptr es:[edi]

kd> p

winlogon!StateMachineRun+0x31:

001b:0059ee11 ab stos dword ptr es:[edi]

kd> p

winlogon!StateMachineRun+0x32:

001b:0059ee12 8975e8 mov dword ptr [ebp-18h],esi

kd> p

winlogon!StateMachineRun+0x35:

001b:0059ee15 397508 cmp dword ptr [ebp+8],esi

kd> p

winlogon!StateMachineRun+0x38:

001b:0059ee18 7516 jne winlogon!StateMachineRun+0x50 (0059ee30)

kd> p

winlogon!StateMachineRun+0x50:

001b:0059ee30 a10c405b00 mov eax,dword ptr [winlogon!WPP_GLOBAL_Control (005b400c)]

kd> p

winlogon!StateMachineRun+0x55:

001b:0059ee35 bf0c405b00 mov edi,offset winlogon!WPP_GLOBAL_Control (005b400c)

kd> p

winlogon!StateMachineRun+0x5a:

001b:0059ee3a bbbc625700 mov ebx,offset winlogon!_sz_SspiCli_dll+0xc (005762bc)

kd> p

winlogon!StateMachineRun+0x5f:

001b:0059ee3f 3bc7 cmp eax,edi

kd> p

winlogon!StateMachineRun+0x61:

001b:0059ee41 741a je winlogon!StateMachineRun+0x7d (0059ee5d)

kd> p

winlogon!StateMachineRun+0x63:

001b:0059ee43 f6401c01 test byte ptr [eax+1Ch],1

kd> p

winlogon!StateMachineRun+0x67:

001b:0059ee47 7414 je winlogon!StateMachineRun+0x7d (0059ee5d)

kd> p

winlogon!StateMachineRun+0x69:

001b:0059ee49 80781905 cmp byte ptr [eax+19h],5

kd> p

winlogon!StateMachineRun+0x6d:

001b:0059ee4d 720e jb winlogon!StateMachineRun+0x7d (0059ee5d)

kd> p

winlogon!StateMachineRun+0x7d:

001b:0059ee5d 6a05 push 5

kd> p

winlogon!StateMachineRun+0x7f:

001b:0059ee5f 8d8570feffff lea eax,[ebp-190h]

kd> p

winlogon!StateMachineRun+0x85:

001b:0059ee65 50 push eax

kd> p

winlogon!StateMachineRun+0x86:

001b:0059ee66 e873fcffff call winlogon!StateMachineThreadContext_InitializeContextPool (0059eade)

kd> p

winlogon!StateMachineRun+0x8b:

001b:0059ee6b 8945f0 mov dword ptr [ebp-10h],eax

kd> p

winlogon!StateMachineRun+0x8e:

001b:0059ee6e 3bc6 cmp eax,esi

kd> p

winlogon!StateMachineRun+0x90:

001b:0059ee70 742e je winlogon!StateMachineRun+0xc0 (0059eea0)

kd> p

winlogon!StateMachineRun+0xc0:

001b:0059eea0 a10c405b00 mov eax,dword ptr [winlogon!WPP_GLOBAL_Control (005b400c)]

kd> p

winlogon!StateMachineRun+0xc5:

001b:0059eea5 bf0c405b00 mov edi,offset winlogon!WPP_GLOBAL_Control (005b400c)

kd> p

winlogon!StateMachineRun+0xca:

001b:0059eeaa 3bc7 cmp eax,edi

kd> p

winlogon!StateMachineRun+0xcc:

001b:0059eeac 7424 je winlogon!StateMachineRun+0xf2 (0059eed2)

kd> p

winlogon!StateMachineRun+0xce:

001b:0059eeae f6401c01 test byte ptr [eax+1Ch],1

kd> p

winlogon!StateMachineRun+0xd2:

001b:0059eeb2 741e je winlogon!StateMachineRun+0xf2 (0059eed2)

kd> p

winlogon!StateMachineRun+0xd4:

001b:0059eeb4 80781905 cmp byte ptr [eax+19h],5

kd> p

winlogon!StateMachineRun+0xd8:

001b:0059eeb8 7218 jb winlogon!StateMachineRun+0xf2 (0059eed2)

kd> p

winlogon!StateMachineRun+0xf2:

001b:0059eed2 8b4d08 mov ecx,dword ptr [ebp+8]

kd> p

winlogon!StateMachineRun+0xf5:

001b:0059eed5 8b4908 mov ecx,dword ptr [ecx+8]

kd> p

winlogon!StateMachineRun+0xf8:

001b:0059eed8 8b1cb1 mov ebx,dword ptr [ecx+esi*4]

kd> p

winlogon!StateMachineRun+0xfb:

001b:0059eedb 3bc7 cmp eax,edi

kd> p

winlogon!StateMachineRun+0xfd:

001b:0059eedd 741e je winlogon!StateMachineRun+0x11d (0059eefd)

kd> p

winlogon!StateMachineRun+0xff:

001b:0059eedf f6401c01 test byte ptr [eax+1Ch],1

kd> p

winlogon!StateMachineRun+0x103:

001b:0059eee3 7418 je winlogon!StateMachineRun+0x11d (0059eefd)

kd> p

winlogon!StateMachineRun+0x105:

001b:0059eee5 80781905 cmp byte ptr [eax+19h],5

kd> p

winlogon!StateMachineRun+0x109:

001b:0059eee9 7212 jb winlogon!StateMachineRun+0x11d (0059eefd)

kd> p

winlogon!StateMachineRun+0x11d:

001b:0059eefd 8d45e8 lea eax,[ebp-18h]

kd> p

winlogon!StateMachineRun+0x120:

001b:0059ef00 50 push eax

kd> p

winlogon!StateMachineRun+0x121:

001b:0059ef01 6a05 push 5

kd> p

winlogon!StateMachineRun+0x123:

001b:0059ef03 8d8570feffff lea eax,[ebp-190h]

kd> p

winlogon!StateMachineRun+0x129:

001b:0059ef09 50 push eax

kd> p

winlogon!StateMachineRun+0x12a:

001b:0059ef0a e8e9faffff call winlogon!StateMachineThreadContext_GetFreeContext (0059e9f8)

kd> p

winlogon!StateMachineRun+0x12f:

001b:0059ef0f 8b4d08 mov ecx,dword ptr [ebp+8]

kd> p

winlogon!StateMachineRun+0x132:

001b:0059ef12 83601800 and dword ptr [eax+18h],0

kd> p

winlogon!StateMachineRun+0x136:

001b:0059ef16 837d1000 cmp dword ptr [ebp+10h],0

kd> p

winlogon!StateMachineRun+0x13a:

001b:0059ef1a 894810 mov dword ptr [eax+10h],ecx

kd> p

winlogon!StateMachineRun+0x13d:

001b:0059ef1d 8b4d0c mov ecx,dword ptr [ebp+0Ch]

kd> p

winlogon!StateMachineRun+0x140:

001b:0059ef20 894814 mov dword ptr [eax+14h],ecx

kd> p

winlogon!StateMachineRun+0x143:

001b:0059ef23 8b4dec mov ecx,dword ptr [ebp-14h]

kd> p

winlogon!StateMachineRun+0x146:

001b:0059ef26 8d7824 lea edi,[eax+24h]

kd> p

winlogon!StateMachineRun+0x149:

001b:0059ef29 8d75d8 lea esi,[ebp-28h]

kd> p

winlogon!StateMachineRun+0x14c:

001b:0059ef2c a5 movs dword ptr es:[edi],dword ptr [esi]

kd> p

winlogon!StateMachineRun+0x14d:

001b:0059ef2d a5 movs dword ptr es:[edi],dword ptr [esi]

kd> p

winlogon!StateMachineRun+0x14e:

001b:0059ef2e a5 movs dword ptr es:[edi],dword ptr [esi]

kd> p

winlogon!StateMachineRun+0x14f:

001b:0059ef2f a5 movs dword ptr es:[edi],dword ptr [esi]

kd> p

winlogon!StateMachineRun+0x150:

001b:0059ef30 8945fc mov dword ptr [ebp-4],eax

kd> p

winlogon!StateMachineRun+0x153:

001b:0059ef33 894834 mov dword ptr [eax+34h],ecx

kd> p

winlogon!StateMachineRun+0x156:

001b:0059ef36 8bf0 mov esi,eax

kd> p

winlogon!StateMachineRun+0x158:

001b:0059ef38 740a je winlogon!StateMachineRun+0x164 (0059ef44)

kd> p

winlogon!StateMachineRun+0x15a:

001b:0059ef3a 8b4510 mov eax,dword ptr [ebp+10h]

kd> p

winlogon!StateMachineRun+0x15d:

001b:0059ef3d 8b00 mov eax,dword ptr [eax]

kd> p

winlogon!StateMachineRun+0x15f:

001b:0059ef3f 89461c mov dword ptr [esi+1Ch],eax

kd> p

winlogon!StateMachineRun+0x162:

001b:0059ef42 eb07 jmp winlogon!StateMachineRun+0x16b (0059ef4b)

kd> p

winlogon!StateMachineRun+0x16b:

001b:0059ef4b 33ff xor edi,edi

kd> p

winlogon!StateMachineRun+0x16d:

001b:0059ef4d 397b04 cmp dword ptr [ebx+4],edi

kd> p

winlogon!StateMachineRun+0x170:

001b:0059ef50 7432 je winlogon!StateMachineRun+0x1a4 (0059ef84)

kd> p

winlogon!StateMachineRun+0x1a4:

001b:0059ef84 397b08 cmp dword ptr [ebx+8],edi

kd> p

winlogon!StateMachineRun+0x1a7:

001b:0059ef87 0f84aa000000 je winlogon!StateMachineRun+0x257 (0059f037)

kd> p

winlogon!StateMachineRun+0x1ad:

001b:0059ef8d 397b0c cmp dword ptr [ebx+0Ch],edi

kd> p

winlogon!StateMachineRun+0x1b0:

001b:0059ef90 8b7d08 mov edi,dword ptr [ebp+8]

kd> p

winlogon!StateMachineRun+0x1b3:

001b:0059ef93 750d jne winlogon!StateMachineRun+0x1c2 (0059efa2)

kd> p

winlogon!StateMachineRun+0x1c2:

001b:0059efa2 ff7604 push dword ptr [esi+4]

kd> p

winlogon!StateMachineRun+0x1c5:

001b:0059efa5 895e08 mov dword ptr [esi+8],ebx

kd> p

winlogon!StateMachineRun+0x1c8:

001b:0059efa8 ff15f0115700 call dword ptr [winlogon!_imp__ResetEvent (005711f0)]

kd> p

winlogon!StateMachineRun+0x1ce:

001b:0059efae 85c0 test eax,eax

kd> p

winlogon!StateMachineRun+0x1d0:

001b:0059efb0 754d jne winlogon!StateMachineRun+0x21f (0059efff)

kd> p

winlogon!StateMachineRun+0x21f:

001b:0059efff 834e0cff or dword ptr [esi+0Ch],0FFFFFFFFh

kd> p

winlogon!StateMachineRun+0x223:

001b:0059f003 a10c405b00 mov eax,dword ptr [winlogon!WPP_GLOBAL_Control (005b400c)]

kd> p

winlogon!StateMachineRun+0x228:

001b:0059f008 3d0c405b00 cmp eax,offset winlogon!WPP_GLOBAL_Control (005b400c)

kd> p

winlogon!StateMachineRun+0x22d:

001b:0059f00d 741e je winlogon!StateMachineRun+0x24d (0059f02d)

kd> p

winlogon!StateMachineRun+0x22f:

001b:0059f00f f6401c01 test byte ptr [eax+1Ch],1

kd> p

winlogon!StateMachineRun+0x233:

001b:0059f013 7418 je winlogon!StateMachineRun+0x24d (0059f02d)

kd> p

winlogon!StateMachineRun+0x235:

001b:0059f015 80781905 cmp byte ptr [eax+19h],5

kd> p

winlogon!StateMachineRun+0x239:

001b:0059f019 7212 jb winlogon!StateMachineRun+0x24d (0059f02d)

kd> p

winlogon!StateMachineRun+0x24d:

001b:0059f02d ff36 push dword ptr [esi]

kd> p

winlogon!StateMachineRun+0x24f:

001b:0059f02f ff1570155700 call dword ptr [winlogon!_imp__TpPostWork (00571570)]

kd> p

winlogon!StateMachineRun+0x255:

001b:0059f035 eb03 jmp winlogon!StateMachineRun+0x25a (0059f03a)

kd> p

winlogon!StateMachineRun+0x25a:

001b:0059f03a a10c405b00 mov eax,dword ptr [winlogon!WPP_GLOBAL_Control (005b400c)]

kd> p

winlogon!StateMachineRun+0x25f:

001b:0059f03f 3d0c405b00 cmp eax,offset winlogon!WPP_GLOBAL_Control (005b400c)

kd> p

winlogon!StateMachineRun+0x264:

001b:0059f044 741e je winlogon!StateMachineRun+0x284 (0059f064)

kd> p

winlogon!StateMachineRun+0x266:

001b:0059f046 f6401c01 test byte ptr [eax+1Ch],1

kd> p

winlogon!StateMachineRun+0x26a:

001b:0059f04a 7418 je winlogon!StateMachineRun+0x284 (0059f064)

kd> p

winlogon!StateMachineRun+0x26c:

001b:0059f04c 80781905 cmp byte ptr [eax+19h],5

kd> p

winlogon!StateMachineRun+0x270:

001b:0059f050 7212 jb winlogon!StateMachineRun+0x284 (0059f064)

kd> p

winlogon!StateMachineRun+0x284:

001b:0059f064 8d45c8 lea eax,[ebp-38h]

kd> p

winlogon!StateMachineRun+0x287:

001b:0059f067 50 push eax

kd> p

winlogon!StateMachineRun+0x288:

001b:0059f068 8d45f8 lea eax,[ebp-8]

kd> p

winlogon!StateMachineRun+0x28b:

001b:0059f06b 50 push eax

kd> p

winlogon!StateMachineRun+0x28c:

001b:0059f06c ff7710 push dword ptr [edi+10h]

kd> p

winlogon!StateMachineRun+0x28f:

001b:0059f06f ff7314 push dword ptr [ebx+14h]

kd> p

winlogon!StateMachineRun+0x292:

001b:0059f072 ff7310 push dword ptr [ebx+10h]

kd> p

winlogon!StateMachineRun+0x295:

001b:0059f075 ff37 push dword ptr [edi]

kd> p

winlogon!StateMachineRun+0x297:

001b:0059f077 e83e090000 call winlogon!SignalManagerWaitForSignal (0059f9ba)

winlogon!SignalManagerWaitForSignal 是关键的等待函数；下文 !PROCESS 输出中的线程栈显示，该线程正是在 SignalManagerWaitForSignal+0x171 内通过 kernel32!WaitForSingleObject 等待一个 SynchronizationEvent（97b06cf8），返回地址即此处的 StateMachineRun+0x29c。

kd> p

winlogon!StateMachineRun+0x29c:

001b:0059f07c 837df8ff cmp dword ptr [ebp-8],0FFFFFFFFh

kd> p

winlogon!StateMachineRun+0x2a0:

001b:0059f080 7517 jne winlogon!StateMachineRun+0x2b9 (0059f099)

kd> p

winlogon!StateMachineRun+0x2b9:

001b:0059f099 8b150c405b00 mov edx,dword ptr [winlogon!WPP_GLOBAL_Control (005b400c)]

kd> p

winlogon!StateMachineRun+0x2bf:

001b:0059f09f 81fa0c405b00 cmp edx,offset winlogon!WPP_GLOBAL_Control (005b400c)

kd> p

winlogon!StateMachineRun+0x2c5:

001b:0059f0a5 7424 je winlogon!StateMachineRun+0x2eb (0059f0cb)

kd> p

winlogon!StateMachineRun+0x2c7:

001b:0059f0a7 f6421c01 test byte ptr [edx+1Ch],1

kd> p

winlogon!StateMachineRun+0x2cb:

001b:0059f0ab 741e je winlogon!StateMachineRun+0x2eb (0059f0cb)

kd> p

winlogon!StateMachineRun+0x2cd:

001b:0059f0ad 807a1905 cmp byte ptr [edx+19h],5

kd> p

winlogon!StateMachineRun+0x2d1:

001b:0059f0b1 7218 jb winlogon!StateMachineRun+0x2eb (0059f0cb)

kd> p

winlogon!StateMachineRun+0x2eb:

001b:0059f0cb 8b45f8 mov eax,dword ptr [ebp-8]

kd> p

winlogon!StateMachineRun+0x2ee:

001b:0059f0ce 8b4b14 mov ecx,dword ptr [ebx+14h]

kd> p

winlogon!StateMachineRun+0x2f1:

001b:0059f0d1 6bc00c imul eax,eax,0Ch

kd> p

winlogon!StateMachineRun+0x2f4:

001b:0059f0d4 f744080801000000 test dword ptr [eax+ecx+8],1

kd> p

winlogon!StateMachineRun+0x2fc:

001b:0059f0dc 7473 je winlogon!StateMachineRun+0x371 (0059f151)

kd> p

winlogon!StateMachineRun+0x371:

001b:0059f151 837b0c00 cmp dword ptr [ebx+0Ch],0

kd> p

winlogon!StateMachineRun+0x375:

001b:0059f155 7443 je winlogon!StateMachineRun+0x3ba (0059f19a)

kd> p

winlogon!StateMachineRun+0x377:

001b:0059f157 81fa0c405b00 cmp edx,offset winlogon!WPP_GLOBAL_Control (005b400c)

kd> p

winlogon!StateMachineRun+0x37d:

001b:0059f15d 741f je winlogon!StateMachineRun+0x39e (0059f17e)

kd> p

winlogon!StateMachineRun+0x37f:

001b:0059f15f f6421c01 test byte ptr [edx+1Ch],1

kd> p

winlogon!StateMachineRun+0x383:

001b:0059f163 7419 je winlogon!StateMachineRun+0x39e (0059f17e)

kd> p

winlogon!StateMachineRun+0x385:

001b:0059f165 807a1905 cmp byte ptr [edx+19h],5

kd> p

winlogon!StateMachineRun+0x389:

001b:0059f169 7213 jb winlogon!StateMachineRun+0x39e (0059f17e)

kd> p

winlogon!StateMachineRun+0x39e:

001b:0059f17e 8b45f8 mov eax,dword ptr [ebp-8]

kd> p

winlogon!StateMachineRun+0x3a1:

001b:0059f181 8b4b14 mov ecx,dword ptr [ebx+14h]

kd> p

winlogon!StateMachineRun+0x3a4:

001b:0059f184 6bc00c imul eax,eax,0Ch

kd> p

winlogon!StateMachineRun+0x3a7:

001b:0059f187 8b0408 mov eax,dword ptr [eax+ecx]

kd> p

winlogon!StateMachineRun+0x3aa:

001b:0059f18a 894638 mov dword ptr [esi+38h],eax

kd> p

winlogon!StateMachineRun+0x3ad:

001b:0059f18d 8d4610 lea eax,[esi+10h]

kd> p

winlogon!StateMachineRun+0x3b0:

001b:0059f190 50 push eax

kd> p

winlogon!StateMachineRun+0x3b1:

001b:0059f191 ff530c call dword ptr [ebx+0Ch]

kd> p

winlogon!StateMachineRun+0x3b4:

001b:0059f194 8b150c405b00 mov edx,dword ptr [winlogon!WPP_GLOBAL_Control (005b400c)]

kd> p

winlogon!StateMachineRun+0x3ba:

001b:0059f19a 837b0800 cmp dword ptr [ebx+8],0

kd> p

winlogon!StateMachineRun+0x3be:

001b:0059f19e 744d je winlogon!StateMachineRun+0x40d (0059f1ed)

kd> p

winlogon!StateMachineRun+0x3c0:

001b:0059f1a0 81fa0c405b00 cmp edx,offset winlogon!WPP_GLOBAL_Control (005b400c)

kd> p

winlogon!StateMachineRun+0x3c6:

001b:0059f1a6 741f je winlogon!StateMachineRun+0x3e7 (0059f1c7)

kd> p

winlogon!StateMachineRun+0x3c8:

001b:0059f1a8 f6421c01 test byte ptr [edx+1Ch],1

kd> p

winlogon!StateMachineRun+0x3cc:

001b:0059f1ac 7419 je winlogon!StateMachineRun+0x3e7 (0059f1c7)

kd> p

winlogon!StateMachineRun+0x3ce:

001b:0059f1ae 807a1905 cmp byte ptr [edx+19h],5

kd> p

winlogon!StateMachineRun+0x3d2:

001b:0059f1b2 7213 jb winlogon!StateMachineRun+0x3e7 (0059f1c7)

kd> p

winlogon!StateMachineRun+0x3e7:

001b:0059f1c7 6aff push 0FFFFFFFFh

kd> p

winlogon!StateMachineRun+0x3e9:

001b:0059f1c9 ff7604 push dword ptr [esi+4]

kd> p

winlogon!StateMachineRun+0x3ec:

001b:0059f1cc ff15fc105700 call dword ptr [winlogon!_imp__WaitForSingleObject (005710fc)]

kd> p

winlogon!StateMachineRun+0x3f2:

001b:0059f1d2 85c0 test eax,eax

kd> pp

^ pass count must be preceeded by whitespace error in 'pp'

kd> p

winlogon!StateMachineRun+0x3f4:

001b:0059f1d4 7417 je winlogon!StateMachineRun+0x40d (0059f1ed)

kd> p

winlogon!StateMachineRun+0x40d:

001b:0059f1ed 8d45d8 lea eax,[ebp-28h]

kd> p

winlogon!StateMachineRun+0x410:

001b:0059f1f0 50 push eax

kd> p

winlogon!StateMachineRun+0x411:

001b:0059f1f1 8d45f4 lea eax,[ebp-0Ch]

kd> p

winlogon!StateMachineRun+0x414:

001b:0059f1f4 50 push eax

kd> p

winlogon!StateMachineRun+0x415:

001b:0059f1f5 ff7710 push dword ptr [edi+10h]

kd> p

winlogon!StateMachineRun+0x418:

001b:0059f1f8 ff7314 push dword ptr [ebx+14h]

kd> p

winlogon!StateMachineRun+0x41b:

001b:0059f1fb ff7310 push dword ptr [ebx+10h]

kd> p

winlogon!StateMachineRun+0x41e:

001b:0059f1fe ff37 push dword ptr [edi]

kd> p

winlogon!StateMachineRun+0x420:

001b:0059f200 e8e8110000 call winlogon!SignalManagerGetSignal (005a03ed)

kd> p

winlogon!StateMachineRun+0x425:

001b:0059f205 837df4ff cmp dword ptr [ebp-0Ch],0FFFFFFFFh

kd> p

winlogon!StateMachineRun+0x429:

001b:0059f209 752a jne winlogon!StateMachineRun+0x455 (0059f235)

kd> p

winlogon!StateMachineRun+0x455:

001b:0059f235 8b45f4 mov eax,dword ptr [ebp-0Ch]

kd> p

winlogon!StateMachineRun+0x458:

001b:0059f238 8b4b14 mov ecx,dword ptr [ebx+14h]

kd> p

winlogon!StateMachineRun+0x45b:

001b:0059f23b 6bc00c imul eax,eax,0Ch

kd> p

winlogon!StateMachineRun+0x45e:

001b:0059f23e 8b0408 mov eax,dword ptr [eax+ecx]

kd> p

winlogon!StateMachineRun+0x461:

001b:0059f241 8365f000 and dword ptr [ebp-10h],0

kd> p

winlogon!StateMachineRun+0x465:

001b:0059f245 837b1800 cmp dword ptr [ebx+18h],0

kd> p

winlogon!StateMachineRun+0x469:

001b:0059f249 8945ec mov dword ptr [ebp-14h],eax

kd> p

winlogon!StateMachineRun+0x46c:

001b:0059f24c 7639 jbe winlogon!StateMachineRun+0x4a7 (0059f287)

kd> p

winlogon!StateMachineRun+0x4a7:

001b:0059f287 33f6 xor esi,esi

kd> p

winlogon!StateMachineRun+0x4a9:

001b:0059f289 39770c cmp dword ptr [edi+0Ch],esi

kd> p

winlogon!StateMachineRun+0x4ac:

001b:0059f28c 761b jbe winlogon!StateMachineRun+0x4c9 (0059f2a9)

kd> p

winlogon!StateMachineRun+0x4ae:

001b:0059f28e 8b4710 mov eax,dword ptr [edi+10h]

kd> p

winlogon!StateMachineRun+0x4b1:

001b:0059f291 8b04b0 mov eax,dword ptr [eax+esi*4]

kd> p

winlogon!StateMachineRun+0x4b4:

001b:0059f294 f6400401 test byte ptr [eax+4],1

kd> p

winlogon!StateMachineRun+0x4b8:

001b:0059f298 7409 je winlogon!StateMachineRun+0x4c3 (0059f2a3)

kd> p

winlogon!StateMachineRun+0x4ba:

001b:0059f29a 50 push eax

kd> p

winlogon!StateMachineRun+0x4bb:

001b:0059f29b 56 push esi

kd> p

winlogon!StateMachineRun+0x4bc:

001b:0059f29c ff37 push dword ptr [edi]

kd> p

winlogon!StateMachineRun+0x4be:

001b:0059f29e e8890e0000 call winlogon!SignalManagerResetSignal (005a012c)

kd> p

winlogon!StateMachineRun+0x4c3:

001b:0059f2a3 46 inc esi

kd> p

winlogon!StateMachineRun+0x4c4:

001b:0059f2a4 3b770c cmp esi,dword ptr [edi+0Ch]

kd> p

winlogon!StateMachineRun+0x4c7:

001b:0059f2a7 72e5 jb winlogon!StateMachineRun+0x4ae (0059f28e)

kd> p

winlogon!StateMachineRun+0x4ae:

001b:0059f28e 8b4710 mov eax,dword ptr [edi+10h]

kd> p

winlogon!StateMachineRun+0x4b1:

001b:0059f291 8b04b0 mov eax,dword ptr [eax+esi*4]

kd> p

winlogon!StateMachineRun+0x4b4:

001b:0059f294 f6400401 test byte ptr [eax+4],1

kd> p

winlogon!StateMachineRun+0x4b8:

001b:0059f298 7409 je winlogon!StateMachineRun+0x4c3 (0059f2a3)

kd> p

winlogon!StateMachineRun+0x4ba:

001b:0059f29a 50 push eax

kd> p

winlogon!StateMachineRun+0x4bb:

001b:0059f29b 56 push esi

kd> p

winlogon!StateMachineRun+0x4bc:

001b:0059f29c ff37 push dword ptr [edi]

kd> p

winlogon!StateMachineRun+0x4be:

001b:0059f29e e8890e0000 call winlogon!SignalManagerResetSignal (005a012c)

kd> p

winlogon!StateMachineRun+0x4c3:

001b:0059f2a3 46 inc esi

kd> p

winlogon!StateMachineRun+0x4c4:

001b:0059f2a4 3b770c cmp esi,dword ptr [edi+0Ch]

kd> p

winlogon!StateMachineRun+0x4c7:

001b:0059f2a7 72e5 jb winlogon!StateMachineRun+0x4ae (0059f28e)

kd> p

winlogon!StateMachineRun+0x4ae:

001b:0059f28e 8b4710 mov eax,dword ptr [edi+10h]

kd> p

winlogon!StateMachineRun+0x4b1:

001b:0059f291 8b04b0 mov eax,dword ptr [eax+esi*4]

kd> p

winlogon!StateMachineRun+0x4b4:

001b:0059f294 f6400401 test byte ptr [eax+4],1

kd> p

winlogon!StateMachineRun+0x4b8:

001b:0059f298 7409 je winlogon!StateMachineRun+0x4c3 (0059f2a3)

kd> p

winlogon!StateMachineRun+0x4c3:

001b:0059f2a3 46 inc esi

kd> p

winlogon!StateMachineRun+0x4c4:

001b:0059f2a4 3b770c cmp esi,dword ptr [edi+0Ch]

kd> p

winlogon!StateMachineRun+0x4c7:

001b:0059f2a7 72e5 jb winlogon!StateMachineRun+0x4ae (0059f28e)

kd> p

winlogon!StateMachineRun+0x4ae:

001b:0059f28e 8b4710 mov eax,dword ptr [edi+10h]

kd> p

winlogon!StateMachineRun+0x4b1:

001b:0059f291 8b04b0 mov eax,dword ptr [eax+esi*4]

kd> p

winlogon!StateMachineRun+0x4b4:

001b:0059f294 f6400401 test byte ptr [eax+4],1

kd> p

winlogon!StateMachineRun+0x4b8:

001b:0059f298 7409 je winlogon!StateMachineRun+0x4c3 (0059f2a3)

kd> p

winlogon!StateMachineRun+0x4c3:

001b:0059f2a3 46 inc esi

kd> p

winlogon!StateMachineRun+0x4c4:

001b:0059f2a4 3b770c cmp esi,dword ptr [edi+0Ch]

kd> p

winlogon!StateMachineRun+0x4c7:

001b:0059f2a7 72e5 jb winlogon!StateMachineRun+0x4ae (0059f28e)

kd> p

kd> !PROCESS 9a846d40

PROCESS 9a846d40 SessionId: 2 Cid: 0350 Peb: 7ffdf000 ParentCid: 085c

DirBase: 7c5133a0 ObjectTable: 82004ef0 HandleCount: 103.

Image: winlogon.exe

VadRoot 97b15df8 Vads 74 Clone 0 Private 407. Modified 233. Locked 0.

DeviceMap 8ba09a00

Token 91dcad18

ElapsedTime 00:42:01.307

UserTime 00:00:00.000

KernelTime 00:00:00.000

QuotaPoolUsage[PagedPool] 104308

QuotaPoolUsage[NonPagedPool] 4552

Working Set Sizes (now,min,max) (1852, 50, 345) (7408KB, 200KB, 1380KB)

PeakWorkingSetSize 2294

VirtualSize 44 Mb

PeakVirtualSize 65 Mb

PageFaultCount 5442

MemoryPriority BACKGROUND

BasePriority 13

CommitCharge 1019

THREAD 96da9d08 Cid 0350.045c Teb: 7ffde000 Win32Thread: ffb758f0 WAIT: (UserRequest) UserMode Non-Alertable

97b06cf8 SynchronizationEvent

Not impersonating

DeviceMap 8ba09a00

Owning Process 9a846d40 Image: winlogon.exe

Attached Process N/A Image: N/A

Wait Start TickCount 275143552 Ticks: 1010 (0:00:00:15.756)

Context Switch Count 122 IdealProcessor: 0

UserTime 00:00:00.000

KernelTime 00:00:08.330

Win32 Start Address winlogon!WinMainCRTStartup (0x0059d781)

Stack Init 975fffd0 Current 975ffbd0 Base 97600000 Limit 975fd000 Call 00000000

Priority 15 BasePriority 15 PriorityDecrement 0 IoPriority 2 PagePriority 5

ChildEBP RetAddr

975ffbe8 82873fae nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4])

975ffc20 82875583 nt!KiSwapThread+0x394

975ffc48 82866a1d nt!KiCommitThreadWait+0x461

975ffcb8 82ebdbb9 nt!KeWaitForSingleObject+0x505

975ffd20 829a9913 nt!NtWaitForSingleObject+0xe7

975ffd20 775fa084 nt!KiFastCallEntry+0x163 (FPO: [0,3] TrapFrame @ 975ffd34)

001cf8f4 775d19c0 ntdll!KiFastSystemCallRet (FPO: [0,0,0])

001cf8f8 753025b8 ntdll!NtWaitForSingleObject+0xc (FPO: [3,0,0])

001cf964 762d686f KERNELBASE!WaitForSingleObjectEx+0x98 (FPO: [Non-Fpo])

001cf97c 762b3c97 kernel32!WaitForSingleObjectExImplementation+0x75 (FPO: [Non-Fpo])

001cf990 0059fb2b kernel32!WaitForSingleObject+0x12 (FPO: [Non-Fpo])
001cf9b4 0059f07c winlogon!SignalManagerWaitForSignal+0x171 (FPO: [Non-Fpo])
001cfb70 00580bb8 winlogon!StateMachineRun+0x29c (FPO: [Non-Fpo])

001cfb84 0057ec63 winlogon!WlStateMachineRun+0x16 (FPO: [Non-Fpo])

001cfc04 0059d618 winlogon!WinMain+0xb10 (FPO: [Non-Fpo])

001cfc94 762d7647 winlogon!_initterm_e+0x1a1 (FPO: [Non-Fpo])

001cfca0 77600683 kernel32!BaseThreadInitThunk+0xe (FPO: [Non-Fpo])

001cfce0 776008df ntdll!__RtlUserThreadStart+0x23 (FPO: [Non-Fpo])

001cfcf8 00000000 ntdll!_RtlUserThreadStart+0x1b (FPO: [Non-Fpo])

(引用

kernel32!SetEvent

winlogon!SignalManagerSetSignal

winlogon!WlStateMachineSetSignal

winlogon!WMsgKMessageHandle

winlogon!I_WMsgSendMessage)
