winlogon源代码分析之nt!KiRetireDpcList函数分析和重要全局变量nt!KiTimerTableListHead的关系--非常重要

sitelist2025-12-09 10:43

winlogon源代码分析之nt!KiRetireDpcList函数分析和重要全局变量nt!KiTimerTableListHead的关系--非常重要

VOID

FASTCALL

KiRetireDpcList (

PKPRCB Prcb

)

{

//

// If the timer hand value is nonzero, then process expired timers.

//

if (Prcb->TimerRequest != 0) {

TimerHand = Prcb->TimerHand;

Prcb->TimerRequest = 0;

_enable();

KiTimerExpiration(NULL, NULL, (PVOID) TimerHand, NULL);

_disable();

}

+0x8a0\] DpcLastCount : 0x136e \[Type: unsigned long

+0x8a4\] TimerHand : 0x105ee57c \[Type: unsigned long

+0x8a8\] TimerRequest : 0xf75c6c60 \[Type: unsigned long

0: kd> t

eax=105ee57c ebx=ffdff120 ecx=ffdff120 edx=f75c6c48 esi=00000000 edi=ffdff980

eip=80a40bfe esp=f789efa0 ebp=f789eff4 iopl=0 nv up ei ng nz na pe nc

cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000286

nt!KiTimerExpiration:

80a40bfe 55 push ebp

0: kd> dv

TimerDpc = 0x00000000

DeferredContext = 0x00000000

SystemArgument1 = 0x105ee57c

SystemArgument2 = 0x00000000

CurrentTime = {0xf789eff4ffdff120}

TimersExamined = 0

DpcTable = struct _DPC_ENTRY [4]

OldIrql = 0x10 ''

Period = 0n0

SystemTime = {0xffdff98000000030}

TimersProcessed = 8

DpcCount = 0x80a40bfe

Interval = {0}

HandLimit = 0n35

Index = 0n-1

SystemArgument1 = 0x105ee57c 滴答数

If the timer table has not wrapped, then start with the specified timer table index value, and scan for timer entries that have expired.

Otherwise, start with the specified timer table index value and scan the entire table for timer entries that have expired.

如果计时器表尚未包装,则从指定的计时器表索引值开始,并扫描已过期的计时器条目。

否则,从指定的计时器表索引值开始,扫描整个表以查找已过期的计时器条目。

Index = PtrToLong(SystemArgument1);

if ((ULONG)(HandLimit - Index) >= TIMER_TABLE_SIZE) {

HandLimit = Index + TIMER_TABLE_SIZE - 1;

}

Index -= 1;

HandLimit &= (TIMER_TABLE_SIZE - 1);

do {

Index = (Index + 1) & (TIMER_TABLE_SIZE - 1);

ListHead = &KiTimerTableListHead[Index];

NextEntry = ListHead->Flink;

0: kd> dv

TimerDpc = 0x00000000

DeferredContext = 0x00000000

SystemArgument1 = 0x105ee57c

SystemArgument2 = 0x00000000

CurrentTime = {0x2707e03765c2}

TimersExamined = 0x18

DpcTable = struct _DPC_ENTRY [4]

OldIrql = 0x02 ''

Period = 0n-2136732671

SystemTime = {0x1dc6727c288bdad}

TimersProcessed = 4

DpcCount = 0

Interval = {0}

HandLimit = 0n127

Index = 0n48

KiRemoveTreeTimer(Timer);

#if DBG

#define KiRemoveTreeTimer(Timer) \

(Timer)->Header.Inserted = FALSE; \

RemoveEntryList(&(Timer)->TimerListEntry); \

(Timer)->TimerListEntry.Flink = NULL; \

(Timer)->TimerListEntry.Blink = NULL

#else

#define KiRemoveTreeTimer(Timer) \

(Timer)->Header.Inserted = FALSE; \

RemoveEntryList(&(Timer)->TimerListEntry)

#endif

0: kd> dt ktimer baa7c6d0

CSRSRV!KTIMER

+0x000 Header : _DISPATCHER_HEADER

+0x010 DueTime : _ULARGE_INTEGER 0x00002707`e02ed07e

+0x018 TimerListEntry : _LIST_ENTRY [ 0xbaa7c740 - 0x80b20c40 ]

+0x020 Dpc : 0xbaa7c6b0 _KDPC

+0x024 Period : 0n100

0: kd> dx -id 0,0,8954e020 -r1 (*((CSRSRV!_DISPATCHER_HEADER *)0xbaa7c6d0))

(*((CSRSRV!_DISPATCHER_HEADER *)0xbaa7c6d0)) [Type: _DISPATCHER_HEADER]

+0x000\] Type : 0x8 \[Type: unsigned char

+0x001\] Absolute : 0x0 \[Type: unsigned char

+0x002\] Size : 0xa \[Type: unsigned char

+0x003\] Inserted : 0x0 \[Type: unsigned char

+0x003\] DebugActive : 0x0 \[Type: unsigned char

+0x000\] Lock : 655368 \[Type: long

+0x004\] SignalState : 1 \[Type: long

+0x008\] WaitListHead \[Type: _LIST_ENTRY

0: kd> dx -id 0,0,8954e020 -r1 (*((CSRSRV!_LIST_ENTRY *)0xbaa7c6d8))

(*((CSRSRV!_LIST_ENTRY *)0xbaa7c6d8)) [Type: _LIST_ENTRY]

+0x000\] Flink : 0xbaa7c6d8 \[Type: _LIST_ENTRY \*

+0x004\] Blink : 0xbaa7c6d8 \[Type: _LIST_ENTRY \*

0: kd> dx -id 0,0,8954e020 -r1 ((CSRSRV!_KDPC *)0xbaa7c6b0)

((CSRSRV!_KDPC *)0xbaa7c6b0) : 0xbaa7c6b0 [Type: _KDPC *]

+0x000\] Type : 19 \[Type: short

+0x002\] Number : 0x20 \[Type: unsigned char

+0x003\] Importance : 0x1 \[Type: unsigned char

+0x004\] DpcListEntry \[Type: _LIST_ENTRY

+0x00c\] DeferredRoutine : 0xbaa4083e \[Type: void (\*)(_KDPC \*,void \*,void \*,void \*)

+0x010\] DeferredContext : 0xbaa7c6a0 \[Type: void \*

+0x014\] SystemArgument1 : 0x0 \[Type: void \*

+0x018\] SystemArgument2 : 0x0 \[Type: void \*

+0x01c\] DpcData : 0x0 \[Type: void \*

0: kd> u baa4083e

tcpip!TCBTimeoutdpc [d:\srv03rtm\net\tcpip\driver\tcp\tcb.c @ 172]:

baa4083e 55 push ebp

baa4083f 8bec mov ebp,esp

baa40841 8b450c mov eax,dword ptr [ebp+0Ch]

baa40844 ff700c push dword ptr [eax+0Ch]

baa40847 50 push eax

baa40848 ff5008 call dword ptr [eax+8]

baa4084b 5d pop ebp

baa4084c c21000 ret 10h

0: kd> dv

TimerDpc = 0x00000000

DeferredContext = 0x00000000

SystemArgument1 = 0x105ee57c

SystemArgument2 = 0x00000000

CurrentTime = {0x2707e03765c2}

TimersExamined = 0x17

DpcTable = struct _DPC_ENTRY [4]

OldIrql = 0x02 ''

Period = 0n-2136732671

SystemTime = {0x1dc6727c288bdad}

TimersProcessed = 3

DpcCount = 0

Interval = {0}

HandLimit = 0n127

Index = 0n124 Index = 0n124

注意: Index = 0n124的由来

Index -= 1;

HandLimit &= (TIMER_TABLE_SIZE - 1);

//

// Acquire the dispatcher database lock and read the current interrupt

// time to determine which timers have expired.

//

DpcCount = 0;

TimersExamined = MAXIMUM_TIMERS_EXAMINED;

TimersProcessed = MAXIMUM_TIMERS_PROCESSED;

KiLockDispatcherDatabase(&OldIrql);

do {

Index = (Index + 1) & (TIMER_TABLE_SIZE - 1);

SystemArgument1 = 0x105ee57c

0: kd> ?0x105ee57c&ff

Evaluate expression: 124 = 0000007c

注意: Index = 0n124的由来

注意: HandLimit = 0n127的由来

0: kd> p

eax=00002707 ebx=ffdff120 ecx=e03765c2 edx=f75c6c48 esi=00000000 edi=ffdff980

eip=80a40c42 esp=f789ef0c ebp=f789ef9c iopl=0 nv up di pl zr na pe nc

cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000046

nt!KiTimerExpiration+0x44:

80a40c42 8b0d806fb180 mov ecx,dword ptr [nt!_KeTickCount (80b16f80)] ds:0023:80b16f80=105ee57f

参考现在的:

0: kd> x nt!_KeTickCount

80b16f80 nt!KeTickCount = struct _KSYSTEM_TIME

80b16f80 nt!_KeTickCount = 0x105ee580

0: kd> dx -r1 (*((ntkrnlmp!_KSYSTEM_TIME *)0x80b16f80))

(*((ntkrnlmp!_KSYSTEM_TIME *)0x80b16f80)) [Type: _KSYSTEM_TIME]

+0x000\] LowPart : 0x105ee580 \[Type: unsigned long

+0x004\] High1Time : 0 \[Type: long

+0x008\] High2Time : 0 \[Type: long

注意: HandLimit = 0n127的由来

0: kd> dx -r1 -c 100 (*((ntkrnlmp!_LIST_ENTRY (*)[256])0x80b20860))

(*((ntkrnlmp!_LIST_ENTRY (*)[256])0x80b20860)) [Type: _LIST_ENTRY [256]]

100\] \[Type: _LIST_ENTRY

124\] \[Type: _LIST_ENTRY

第1个节点:

0: kd> dx -r1 (*((ntkrnlmp!_LIST_ENTRY *)0x80b20c40))

(*((ntkrnlmp!_LIST_ENTRY *)0x80b20c40)) [Type: _LIST_ENTRY]

+0x000\] Flink : 0xbaa7c6e8 \[Type: _LIST_ENTRY \*

+0x004\] Blink : 0x89764408 \[Type: _LIST_ENTRY \*

0: kd> dt ktimer 0xbaa7c6e8-18

CSRSRV!KTIMER

+0x000 Header : _DISPATCHER_HEADER

+0x010 DueTime : _ULARGE_INTEGER 0x00002707`e02ed07e <0xe03765c2过期了。

+0x018 TimerListEntry : _LIST_ENTRY [ 0xbaa7c740 - 0x80b20c40 ]

+0x020 Dpc : 0xbaa7c6b0 _KDPC

+0x024 Period : 0n100

0: kd> dt nt!CurrentTime

Local var @ 0xf789ef88 Type _ULARGE_INTEGER

0x00002707`e03765c2

+0x000 LowPart : 0xe03765c2

+0x004 HighPart : 0x2707

+0x000 u : __unnamed

+0x000 QuadPart : 0x00002707`e03765c2

第2个节点:

0: kd> dx -id 0,0,8954e020 -r1 (*((CSRSRV!_LIST_ENTRY *)0xbaa7c6e8))

(*((CSRSRV!_LIST_ENTRY *)0xbaa7c6e8)) [Type: _LIST_ENTRY]

+0x000\] Flink : 0xbaa7c740 \[Type: _LIST_ENTRY \*

+0x004\] Blink : 0x80b20c40 \[Type: _LIST_ENTRY \*

0: kd> dt ktimer 0xbaa7c740-18

CSRSRV!KTIMER

+0x000 Header : _DISPATCHER_HEADER

+0x010 DueTime : _ULARGE_INTEGER 0x00002707`e02ed07e

+0x018 TimerListEntry : _LIST_ENTRY [ 0x899ab8b8 - 0x80b20c40 ]

+0x020 Dpc : 0xbaa7c708 _KDPC

+0x024 Period : 0n100

第3个节点:

0: kd> dx -id 0,0,8954e020 -r1 ((CSRSRV!_LIST_ENTRY *)0xbaa7c740)

((CSRSRV!_LIST_ENTRY *)0xbaa7c740) : 0xbaa7c740 [Type: _LIST_ENTRY *]

+0x000\] Flink : 0x899ab8b8 \[Type: _LIST_ENTRY \*

+0x004\] Blink : 0xbaa7c6e8 \[Type: _LIST_ENTRY \*

0: kd> dt ktimer 0x899ab8b8-18

CSRSRV!KTIMER

+0x000 Header : _DISPATCHER_HEADER

+0x010 DueTime : _ULARGE_INTEGER 0x00002707`e29298b4 >0xe03765c2没到期

+0x018 TimerListEntry : _LIST_ENTRY [ 0x89764408 - 0xbaa7c740 ]

+0x020 Dpc : 0x899ab8c8 _KDPC

+0x024 Period : 0n10000

第4个节点:

0: kd> dx -id 0,0,8954e020 -r1 ((CSRSRV!_LIST_ENTRY *)0x899ab8b8)

((CSRSRV!_LIST_ENTRY *)0x899ab8b8) : 0x899ab8b8 [Type: _LIST_ENTRY *]

+0x000\] Flink : 0x89764408 \[Type: _LIST_ENTRY \*

+0x004\] Blink : 0xbaa7c740 \[Type: _LIST_ENTRY \*

0: kd> dt ktimer 0x89764408-18

CSRSRV!KTIMER

+0x000 Header : _DISPATCHER_HEADER

+0x010 DueTime : _ULARGE_INTEGER 0x00002707`e29298b4

+0x018 TimerListEntry : _LIST_ENTRY [ 0x80b20c40 - 0x899ab8b8 ]

+0x020 Dpc : 0x89764418 _KDPC

+0x024 Period : 0n10000

到链表头了。

0: kd> dx -id 0,0,8954e020 -r1 ((CSRSRV!_LIST_ENTRY *)0x89764408)

((CSRSRV!_LIST_ENTRY *)0x89764408) : 0x89764408 [Type: _LIST_ENTRY *]

+0x000\] Flink : 0x80b20c40 \[Type: _LIST_ENTRY \*

+0x004\] Blink : 0x899ab8b8 \[Type: _LIST_ENTRY \*

124\] \[Type: _LIST_ENTRY

0: kd> dx -r1 (*((ntkrnlmp!_LIST_ENTRY *)0x80b20c40))

(*((ntkrnlmp!_LIST_ENTRY *)0x80b20c40)) [Type: _LIST_ENTRY]

+0x000\] Flink : 0xbaa7c6e8 \[Type: _LIST_ENTRY \*

+0x004\] Blink : 0x89764408 \[Type: _LIST_ENTRY \*

125\] \[Type: _LIST_ENTRY

0: kd> dx -r1 (*((ntkrnlmp!_LIST_ENTRY *)0x80b20c48))

(*((ntkrnlmp!_LIST_ENTRY *)0x80b20c48)) [Type: _LIST_ENTRY]

+0x000\] Flink : 0x80b20c48 \[Type: _LIST_ENTRY \*

+0x004\] Blink : 0x80b20c48 \[Type: _LIST_ENTRY \*

126\] \[Type: _LIST_ENTRY

0: kd> dt ntkrnlmp!_LIST_ENTRY 0x80b20c48+8*1

0xba8d6cb8 - 0xba8d6cb8

+0x000 Flink : 0xba8d6cb8 _LIST_ENTRY [ 0x80b20c50 - 0x80b20c50 ]

+0x004 Blink : 0xba8d6cb8 _LIST_ENTRY [ 0x80b20c50 - 0x80b20c50 ]

0: kd> dt ktimer 0xba8d6cb8-18

CSRSRV!KTIMER

+0x000 Header : _DISPATCHER_HEADER

+0x010 DueTime : _ULARGE_INTEGER 0x00002707`e033de70 <0xe03765c2到期

+0x018 TimerListEntry : _LIST_ENTRY [ 0x80b20c50 - 0x80b20c50 ]

+0x020 Dpc : 0xba8d6ce0 _KDPC

+0x024 Period : 0n0

0: kd> dt ntkrnlmp!_LIST_ENTRY 0x80b20c48+8*2

0x8978eee0 - 0x8980c6e0

+0x000 Flink : 0x8978eee0 _LIST_ENTRY [ 0x8952bca8 - 0x80b20c58 ]

+0x004 Blink : 0x8980c6e0 _LIST_ENTRY [ 0x80b20c58 - 0x898d46e0 ]

0: kd> dt ktimer 0x8978eee0-18

CSRSRV!KTIMER

+0x000 Header : _DISPATCHER_HEADER

+0x010 DueTime : _ULARGE_INTEGER 0x00002707`e0357d7a <0xe03765c2到期

+0x018 TimerListEntry : _LIST_ENTRY [ 0x8952bca8 - 0x80b20c58 ]

+0x020 Dpc : (null)

+0x024 Period : 0n0

0: kd> dx -id 0,0,8954e020 -r1 ((ntkrnlmp!_LIST_ENTRY *)0x8978eee0)

((ntkrnlmp!_LIST_ENTRY *)0x8978eee0) : 0x8978eee0 [Type: _LIST_ENTRY *]

+0x000\] Flink : 0x8952bca8 \[Type: _LIST_ENTRY \*

+0x004\] Blink : 0x80b20c58 \[Type: _LIST_ENTRY \*

0: kd> dt ktimer 0x8952bca8-18

CSRSRV!KTIMER

+0x000 Header : _DISPATCHER_HEADER

+0x010 DueTime : _ULARGE_INTEGER 0x00002707`e035f78c <0xe03765c2到期

+0x018 TimerListEntry : _LIST_ENTRY [ 0x898d46e0 - 0x8978eee0 ]

+0x020 Dpc : (null)

+0x024 Period : 0n0

0: kd> dx -id 0,0,8954e020 -r1 ((ntkrnlmp!_LIST_ENTRY *)0x8952bca8)

((ntkrnlmp!_LIST_ENTRY *)0x8952bca8) : 0x8952bca8 [Type: _LIST_ENTRY *]

+0x000\] Flink : 0x898d46e0 \[Type: _LIST_ENTRY \*

+0x004\] Blink : 0x8978eee0 \[Type: _LIST_ENTRY \*

0: kd> dt ktimer 0x898d46e0-18

CSRSRV!KTIMER

+0x000 Header : _DISPATCHER_HEADER

+0x010 DueTime : _ULARGE_INTEGER 0x00002707`e03765c1 <0xe03765c2到期

+0x018 TimerListEntry : _LIST_ENTRY [ 0x8980c6e0 - 0x8952bca8 ]

+0x020 Dpc : 0x898d46a8 _KDPC

+0x024 Period : 0n0

0: kd> dx -id 0,0,8954e020 -r1 ((ntkrnlmp!_LIST_ENTRY *)0x898d46e0)

((ntkrnlmp!_LIST_ENTRY *)0x898d46e0) : 0x898d46e0 [Type: _LIST_ENTRY *]

+0x000\] Flink : 0x8980c6e0 \[Type: _LIST_ENTRY \*

+0x004\] Blink : 0x8952bca8 \[Type: _LIST_ENTRY \*

0: kd> dt ktimer 0x8980c6e0-18

CSRSRV!KTIMER

+0x000 Header : _DISPATCHER_HEADER

+0x010 DueTime : _ULARGE_INTEGER 0x00002707`e03765c1 <0xe03765c2到期

+0x018 TimerListEntry : _LIST_ENTRY [ 0x80b20c58 - 0x898d46e0 ]

+0x020 Dpc : 0x8980c6a8 _KDPC

+0x024 Period : 0n0

到达链表头:

0: kd> dx -id 0,0,8954e020 -r1 ((ntkrnlmp!_LIST_ENTRY *)0x8980c6e0)

((ntkrnlmp!_LIST_ENTRY *)0x8980c6e0) : 0x8980c6e0 [Type: _LIST_ENTRY *]

+0x000\] Flink : 0x80b20c58 \[Type: _LIST_ENTRY \*

+0x004\] Blink : 0x898d46e0 \[Type: _LIST_ENTRY \*

0: kd> dt ntkrnlmp!_LIST_ENTRY 0x80b20c48+8*3

0x8981b218 - 0x8981b218

+0x000 Flink : 0x8981b218 _LIST_ENTRY [ 0x80b20c60 - 0x80b20c60 ]

+0x004 Blink : 0x8981b218 _LIST_ENTRY [ 0x80b20c60 - 0x80b20c60 ]

0: kd> dt ktimer 0x8981b218-18

CSRSRV!KTIMER

+0x000 Header : _DISPATCHER_HEADER

+0x010 DueTime : _ULARGE_INTEGER 0x00002707`ee87e41c

+0x018 TimerListEntry : _LIST_ENTRY [ 0x80b20c60 - 0x80b20c60 ]

+0x020 Dpc : 0x8981b258 _KDPC

+0x024 Period : 0n0

0: kd> dt ntkrnlmp!_LIST_ENTRY 0x80b20c48+8*4

0x898397d0 - 0x898397d0

+0x000 Flink : 0x898397d0 _LIST_ENTRY [ 0x80b20c68 - 0x80b20c68 ]

+0x004 Blink : 0x898397d0 _LIST_ENTRY [ 0x80b20c68 - 0x80b20c68 ]

0: kd> dt ktimer 0x898397d0-18

CSRSRV!KTIMER

+0x000 Header : _DISPATCHER_HEADER

+0x010 DueTime : _ULARGE_INTEGER 0x00002707`e500de76

+0x018 TimerListEntry : _LIST_ENTRY [ 0x80b20c68 - 0x80b20c68 ]

+0x020 Dpc : (null)

+0x024 Period : 0n0

热门推荐
01GitHub 镜像站点02【超详细教程】手把手教你从微软官网免费下载Windows 10官方原版ISO镜像(2025最新版)03安娜的档案(Anna’s Archive) 镜像网站/国内最新可访问入口(持续更新)04UV安装并设置国内源05React CVE-2025-55182漏洞排查与修复指南06Linux下V2Ray安装配置指南07BongoCat - 跨平台键盘猫动画工具08智能库存管理的需求预测模型:从业务痛点到落地代码的完整实践09从入门到实战:Gemini 3 使用指南速览10在VSCode配置Java开发环境的保姆级教程(适配各类AI编程IDE)