win32k!xxxDesktopThread thread analysis: from nt!KiDeliverApc to win32k!InputApc -- Important
1: kd> g
Breakpoint 29 hit
eax=0000003d ebx=00000100 ecx=0000003d edx=80010031 esi=804edc30 edi=00000000
eip=80a3c776 esp=baa9493c ebp=baa9497c iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
nt!KiDeliverApc:
80a3c776 55 push ebp
1: kd> kc
00 nt!KiDeliverApc
01 nt!KiSwapThread
02 nt!KeWaitForMultipleObjects
03 win32k!xxxMsgWaitForMultipleObjects
04 win32k!xxxDesktopThread
05 win32k!xxxCreateSystemThreads
06 win32k!NtUserCallOneParam
07 nt!_KiSystemService
08 SharedUserData!SystemCallStub
09 winsrv!NtUserCallOneParam
1: kd> !thread
THREAD 8964dda0 Cid 01c4.01f4 Teb: 7ffd8000 Win32Thread: e165a9e0 RUNNING on processor 1
IRP List:
8929e008: (0006,01d8) Flags: 00000970 Mdl: 00000000
892aee20: (0006,01d8) Flags: 00000970 Mdl: 00000000
8964d8a0: (0006,0190) Flags: 00000970 Mdl: 00000000
89bb62a8: (0006,0190) Flags: 00000970 Mdl: 00000000
Not impersonating
DeviceMap e10026b8
Owning Process 8965d020 Image: csrss.exe
Attached Process N/A Image: N/A
Wait Start TickCount 274653496 Ticks: 0
Context Switch Count 196 IdealProcessor: 0 LargeStack
UserTime 00:00:00.000
KernelTime 00:00:01.015
Stack Init baa95000 Current baa9492c Base baa95000 Limit baa92000 Call 00000000
Priority 15 BasePriority 13 PriorityDecrement 0 IoPriority 0 PagePriority 0
ChildEBP RetAddr Args to Child
baa94938 80a44106 00000000 00000000 00000000 nt!KiDeliverApc (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\ke\apcsup.c @ 135]
baa9497c 80a358c7 00000000 e165a9e0 00000002 nt!KiSwapThread+0x642 (FPO: [Non-Fpo]) (CONV: fastcall) [d:\srv03rtm\base\ntos\ke\thredsup.c @ 2004]
baa949b4 bf8a4685 00000003 8964e2f8 00000001 nt!KeWaitForMultipleObjects+0x3b5 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\ke\wait.c @ 816]
baa94a04 bf8b123e 00000002 8964e2f8 bf8fe215 win32k!xxxMsgWaitForMultipleObjects+0xeb (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\kernel\queue.c @ 4540]
baa94d1c bf8b21ba bfa70aa0 00000001 baa94d48 win32k!xxxDesktopThread+0x437 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\kernel\desktop.c @ 594]
baa94d2c bf806d52 bfa70aa0 baa94d58 008cfff4 win32k!xxxCreateSystemThreads+0x9c (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\kernel\desktop.c @ 347]
baa94d48 80afbcb2 00000000 00000022 80afb956 win32k!NtUserCallOneParam+0xa0 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\kernel\ntstubs.c @ 4789]
baa94d48 7ffe0304 00000000 00000022 80afb956 nt!_KiSystemService+0x13f (FPO: [0,3] TrapFrame @ baa94d64) (CONV: cdecl) [d:\srv03rtm\base\ntos\ke\i386\trap.asm @ 1328]
008cffe0 75340774 75318a89 00000000 00000022 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])
008cffe8 00000000 00000022 00000004 00000000 winsrv!NtUserCallOneParam+0xc (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\umode\daytona\obj\i386\usrstubs.c @ 2683]
1: kd> dt kTHREAD 8964dda0
CSRSRV!KTHREAD
+0x000 Header : _DISPATCHER_HEADER
+0x010 MutantListHead : _LIST_ENTRY [ 0x8964ddb0 - 0x8964ddb0 ]
+0x018 InitialStack : 0xbaa95000 Void
+0x01c StackLimit : 0xbaa92000 Void
+0x020 KernelStack : 0xbaa9492c Void
+0x024 ThreadLock : 0
+0x028 ContextSwitches : 0xc4
+0x02c State : 0x2 ''
+0x02d NpxState : 0xa ''
+0x02e WaitIrql : 0 ''
+0x02f WaitMode : 1 ''
+0x030 Teb : 0x7ffd8000 Void
+0x034 ApcState : _KAPC_STATE
+0x04c ApcQueueLock : 0
+0x050 WaitStatus : 0n256
+0x054 WaitBlockList : 0x8964de40 _KWAIT_BLOCK
+0x058 Alertable : 0 ''
+0x059 WaitNext : 0 ''
+0x05a WaitReason : 0xd ''
+0x05b Priority : 15 ''
+0x05c EnableStackSwap : 0x1 ''
+0x05d SwapBusy : 0 ''
+0x05e Alerted : [2] ""
+0x060 WaitListEntry : _LIST_ENTRY [ 0x0 - 0x8966bb80 ]
+0x060 SwapListEntry : _SINGLE_LIST_ENTRY
+0x068 Queue : (null)
+0x06c WaitTime : 0x105ee138
+0x070 KernelApcDisable : 0n0
+0x072 SpecialApcDisable : 0n0
+0x070 CombinedApcDisable : 0
+0x078 Timer : _KTIMER
+0x0a0 WaitBlock : [4] _KWAIT_BLOCK
+0x100 QueueListEntry : _LIST_ENTRY [ 0x0 - 0x0 ]
+0x108 ApcStateIndex : 0 ''
+0x109 ApcQueueable : 0x1 ''
+0x10a Preempted : 0 ''
+0x10b ProcessReadyQueue : 0 ''
+0x10c KernelStackResident : 0x1 ''
+0x10d Saturation : 0 ''
+0x10e IdealProcessor : 0x1 ''
+0x10f NextProcessor : 0x1 ''
+0x110 BasePriority : 13 ''
+0x111 Spare4 : 0 ''
+0x112 PriorityDecrement : 0 ''
+0x113 Quantum : 36 '$'
+0x114 SystemAffinityActive : 0 ''
+0x115 PreviousMode : 1 ''
+0x116 ResourceIndex : 0 ''
+0x117 DisableBoost : 0 ''
+0x118 UserAffinity : 3
+0x11c Process : 0x8965d020 _KPROCESS
+0x120 Affinity : 3
+0x124 ServiceTable : 0x80b207a0 Void
+0x128 ApcStatePointer : [2] 0x8964ddd4 _KAPC_STATE
+0x130 SavedApcState : _KAPC_STATE
+0x148 CallbackStack : (null)
+0x14c Win32Thread : 0xe165a9e0 Void
+0x150 TrapFrame : 0xbaa94d64 _KTRAP_FRAME
+0x154 KernelTime : 0x41
+0x158 UserTime : 0
+0x15c StackBase : 0xbaa95000 Void
+0x160 SuspendApc : _KAPC
+0x190 SuspendSemaphore : _KSEMAPHORE
+0x1a4 TlsArray : (null)
+0x1a8 LegoData : (null)
+0x1ac ThreadListEntry : _LIST_ENTRY [ 0x89641c8c - 0x8964f484 ]
+0x1b4 LargeStack : 0x1 ''
+0x1b5 PowerState : 0 ''
+0x1b6 NpxIrql : 0 ''
+0x1b7 Spare5 : 0 ''
+0x1b8 AutoAlignment : 0 ''
+0x1b9 Iopl : 0 ''
+0x1ba FreezeCount : 0 ''
+0x1bb SuspendCount : 0 ''
+0x1bc Spare0 : [1] ""
+0x1bd UserIdealProcessor : 0x1 ''
+0x1be DeferredProcessor : 0 ''
+0x1bf AdjustReason : 0 ''
+0x1c0 AdjustIncrement : 6 ''
+0x1c1 Spare2 : [3] ""
1: kd> dx -id 0,0,ffffffff8965d020 -r1 (*((CSRSRV!_KAPC_STATE *)0xffffffff8964ddd4))
(*((CSRSRV!_KAPC_STATE *)0xffffffff8964ddd4)) [Type: _KAPC_STATE]
[+0x000] ApcListHead [Type: _LIST_ENTRY [2]]
[+0x010] Process : 0x8965d020 [Type: _KPROCESS *]
[+0x014] KernelApcInProgress : 0x0 [Type: unsigned char]
[+0x015] KernelApcPending : 0x1 [Type: unsigned char]
[+0x016] UserApcPending : 0x0 [Type: unsigned char]
1: kd> dx -id 0,0,ffffffff8965d020 -r1 (*((CSRSRV!_LIST_ENTRY (*)[2])0xffffffff8964ddd4))
(*((CSRSRV!_LIST_ENTRY (*)[2])0xffffffff8964ddd4)) [Type: _LIST_ENTRY [2]]
[0] [Type: _LIST_ENTRY]
[1] [Type: _LIST_ENTRY]
1: kd> dx -id 0,0,ffffffff8965d020 -r1 (*((CSRSRV!_LIST_ENTRY *)0xffffffff8964ddd4))
(*((CSRSRV!_LIST_ENTRY *)0xffffffff8964ddd4)) [Type: _LIST_ENTRY]
[+0x000] Flink : 0x8929e054 [Type: _LIST_ENTRY *]
[+0x004] Blink : 0x8929e054 [Type: _LIST_ENTRY *]
1: kd> dt kapc 0x8929e054-c
CSRSRV!KAPC
+0x000 Type : 0n18
+0x002 Size : 0n48
+0x004 Spare0 : 0
+0x008 Thread : 0x8964dda0 _KTHREAD
+0x00c ApcListEntry : _LIST_ENTRY [ 0x8964ddd4 - 0x8964ddd4 ]
+0x014 KernelRoutine : 0x80a2bd0e void nt!IopCompleteRequest+0
+0x018 RundownRoutine : 0x80c72194 void nt!IopAbortRequest+0
+0x01c NormalRoutine : (null)
+0x020 NormalContext : (null)
+0x024 SystemArgument1 : 0x8966d9c0 Void
+0x028 SystemArgument2 : (null)
+0x02c ApcStateIndex : 0 ''
+0x02d ApcMode : 0 ''
+0x02e Inserted : 0x1 ''
NextEntry = Thread->ApcState.ApcListHead[KernelMode].Flink;
1: kd> p
eax=8929e054 ebx=804ee400 ecx=8964ddd4 edx=00000000 esi=804edc30 edi=8964dda0
eip=80a3c7e7 esp=baa94904 ebp=baa94938 iopl=0 nv up ei ng nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000286
nt!KiDeliverApc+0x71:
80a3c7e7 3bc1 cmp eax,ecx
Apc = CONTAINING_RECORD(NextEntry, KAPC, ApcListEntry);
1: kd> p
eax=8929e054 ebx=804ee400 ecx=8964ddd4 edx=00000000 esi=8929e048 edi=8964dda0
eip=80a3c7f2 esp=baa94904 ebp=baa94938 iopl=0 nv up ei ng nz na po cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000283
nt!KiDeliverApc+0x7c:
80a3c7f2 8b4e14 mov ecx,dword ptr [esi+14h] ds:0023:8929e05c={nt!IopCompleteRequest (80a2bd0e)}
RemoveEntryList(NextEntry);
Apc->Inserted = FALSE;
1: kd> dx -id 0,0,ffffffff8965d020 -r1 (*((CSRSRV!_KAPC_STATE *)0xffffffff8964ddd4))
(*((CSRSRV!_KAPC_STATE *)0xffffffff8964ddd4)) [Type: _KAPC_STATE]
[+0x000] ApcListHead [Type: _LIST_ENTRY [2]]
[+0x010] Process : 0x8965d020 [Type: _KPROCESS *]
[+0x014] KernelApcInProgress : 0x0 [Type: unsigned char]
[+0x015] KernelApcPending : 0x0 [Type: unsigned char]
[+0x016] UserApcPending : 0x0 [Type: unsigned char]
1: kd> dx -id 0,0,ffffffff8965d020 -r1 (*((CSRSRV!_LIST_ENTRY (*)[2])0xffffffff8964ddd4))
(*((CSRSRV!_LIST_ENTRY (*)[2])0xffffffff8964ddd4)) [Type: _LIST_ENTRY [2]]
[0] [Type: _LIST_ENTRY]
[1] [Type: _LIST_ENTRY]
1: kd> dx -id 0,0,ffffffff8965d020 -r1 (*((CSRSRV!_LIST_ENTRY *)0xffffffff8964ddd4))
(*((CSRSRV!_LIST_ENTRY *)0xffffffff8964ddd4)) [Type: _LIST_ENTRY]
[+0x000] Flink : 0x8964ddd4 [Type: _LIST_ENTRY *]
[+0x004] Blink : 0x8964ddd4 [Type: _LIST_ENTRY *]
1: kd> dt kapc 0x8929e054-c
CSRSRV!KAPC
+0x000 Type : 0n18
+0x002 Size : 0n48
+0x004 Spare0 : 0
+0x008 Thread : 0x8964dda0 _KTHREAD
+0x00c ApcListEntry : _LIST_ENTRY [ 0x8964ddd4 - 0x8964ddd4 ]
+0x014 KernelRoutine : 0x80a2bd0e void nt!IopCompleteRequest+0
+0x018 RundownRoutine : 0x80c72194 void nt!IopAbortRequest+0
+0x01c NormalRoutine : (null)
+0x020 NormalContext : (null)
+0x024 SystemArgument1 : 0x8966d9c0 Void
+0x028 SystemArgument2 : (null)
+0x02c ApcStateIndex : 0 ''
+0x02d ApcMode : 0 ''
+0x02e Inserted : 0 ''
1: kd> t
eax=baa94934 ebx=804ee400 ecx=0000003d edx=00000001 esi=8929e048 edi=8964dda0
eip=80a2bd0e esp=baa948ec ebp=baa94938 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
nt!IopCompleteRequest:
80a2bd0e 6a28 push 28h
1: kd> kc
00 nt!IopCompleteRequest
01 nt!KiDeliverApc
02 nt!KiSwapThread
03 nt!KeWaitForMultipleObjects
04 win32k!xxxMsgWaitForMultipleObjects
05 win32k!xxxDesktopThread
06 win32k!xxxCreateSystemThreads
07 win32k!NtUserCallOneParam
08 nt!_KiSystemService
09 SharedUserData!SystemCallStub
0a winsrv!NtUserCallOneParam
1: kd> dv
Apc = 0x8929e048
NormalRoutine = 0xbaa94934
NormalContext = 0xbaa94928
SystemArgument1 = 0xbaa9492c
SystemArgument2 = 0xbaa94930
status = 0n48
irp = 0xffffffff
thread = 0x00000023
fileObject = 0xbaa949f4
key = 0x0000003d
createOperation = 0x89 ''
port = 0xbaa94934
1: kd> dt _irp 0x8929e048-40
CSRSRV!_IRP
+0x000 Type : 0n6
+0x002 Size : 0x1d8
+0x004 MdlAddress : (null)
+0x008 Flags : 0x970
+0x00c AssociatedIrp : __unnamed
+0x010 ThreadListEntry : _LIST_ENTRY [ 0x892aee30 - 0x8964dfb8 ]
+0x018 IoStatus : _IO_STATUS_BLOCK
+0x020 RequestorMode : 0 ''
+0x021 PendingReturned : 0x1 ''
+0x022 StackCount : 10 ''
+0x023 CurrentLocation : 12 ''
+0x024 Cancel : 0 ''
+0x025 CancelIrql : 0 ''
+0x026 ApcEnvironment : 0 ''
+0x027 AllocationFlags : 0x1 ''
+0x028 UserIosb : 0xe1672d68 _IO_STATUS_BLOCK
+0x02c UserEvent : (null)
+0x030 Overlay : __unnamed
+0x038 CancelRoutine : (null)
+0x03c UserBuffer : 0xe1672d98 Void
+0x040 Tail : __unnamed
1: kd> dx -id 0,0,ffffffff8965d020 -r1 (*((CSRSRV!_IO_STATUS_BLOCK *)0xffffffff8929e020))
(*((CSRSRV!_IO_STATUS_BLOCK *)0xffffffff8929e020)) [Type: _IO_STATUS_BLOCK]
[+0x000] Status : 0 [Type: long]
[+0x000] Pointer : 0x0 [Type: void *]
[+0x004] Information : 0x18 [Type: unsigned long]
1: kd> p
eax=8929e048 ebx=8929e008 ecx=0000003d edx=00000001 esi=8929e048 edi=8964dda0
eip=80a2bd23 esp=baa948a4 ebp=baa948e8 iopl=0 nv up ei ng nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000282
nt!IopCompleteRequest+0x15:
80a2bd23 648b0d24010000 mov ecx,dword ptr fs:[124h] fs:0030:00000124=8964dda0
1: kd> dd 0xbaa9492c
baa9492c 8966d9c0 00000000 00000000 baa9497c
baa9493c 80a44106 00000000 00000000 00000000
baa9494c f7737120 8964dda0 8964de00 bf8add6b
baa9495c 0000000a 8964dda0 80a05ed8 895a44d4
baa9496c bf8ab33d f77379bc e165a9e0 009ebb00
baa9497c baa949b4 80a358c7 00000000 e165a9e0
baa9498c 00000002 bf9ebd70 baa949a8 baa949c4
baa9499c 80aed504 00000000 8964de80 00000001
1: kd> dt file_object 8966d9c0
basesrv!FILE_OBJECT
+0x000 Type : 0n5
+0x002 Size : 0n112
+0x004 DeviceObject : 0x896f0038 _DEVICE_OBJECT
+0x008 Vpb : (null)
+0x00c FsContext : 0x8966b3a0 Void
+0x010 FsContext2 : 0xf754180e Void
+0x014 SectionObjectPointer : (null)
+0x018 PrivateCacheMap : (null)
+0x01c FinalStatus : 0n0
+0x020 RelatedFileObject : (null)
+0x024 LockOperation : 0 ''
+0x025 DeletePending : 0 ''
+0x026 ReadAccess : 0 ''
+0x027 WriteAccess : 0 ''
+0x028 DeleteAccess : 0 ''
+0x029 SharedRead : 0 ''
+0x02a SharedWrite : 0 ''
+0x02b SharedDelete : 0 ''
+0x02c Flags : 0x40000
+0x030 FileName : _UNICODE_STRING ""
+0x038 CurrentByteOffset : _LARGE_INTEGER 0x0
+0x040 Waiters : 0
+0x044 Busy : 0
+0x048 LastLock : (null)
+0x04c Lock : _KEVENT
+0x05c Event : _KEVENT
+0x06c CompletionContext : (null)
1: kd> dx -id 0,0,ffffffff8965d020 -r1 ((basesrv!_DEVICE_OBJECT *)0x896f0038)
((basesrv!_DEVICE_OBJECT *)0x896f0038) : 0x896f0038 : Device for "\Driver\hidusb" [Type: _DEVICE_OBJECT *]
Flags : 0x3040
UpperDevices : Immediately above is Device for "\Driver\mouhid" [at 0x896f0cb8]
LowerDevices : None
Driver : 0x898f9e00 : Driver "\Driver\hidusb" [Type: _DRIVER_OBJECT *]
1: kd> dx -id 0,0,ffffffff8965d020 -r1 -n (*((basesrv!_DEVICE_OBJECT *)0x896f0038))
(*((basesrv!_DEVICE_OBJECT *)0x896f0038)) : Device for "\Driver\hidusb" [Type: _DEVICE_OBJECT]
[+0x000] Type : 3 [Type: short]
[+0x002] Size : 0x30c [Type: unsigned short]
[+0x004] ReferenceCount : 1 [Type: long]
[+0x008] DriverObject : 0x898f9e00 : Driver "\Driver\hidusb" [Type: _DRIVER_OBJECT *]
[+0x00c] NextDevice : 0x896f7cc0 : Device for "\Driver\hidusb" [Type: _DEVICE_OBJECT *]
[+0x010] AttachedDevice : 0x896f0cb8 : Device for "\Driver\mouhid" [Type: _DEVICE_OBJECT *]
[+0x014] CurrentIrp : 0x0 [Type: _IRP *]
[+0x018] Timer : 0x0 [Type: _IO_TIMER *]
[+0x01c] Flags : 0x3040 [Type: unsigned long]
[+0x020] Characteristics : 0x80 [Type: unsigned long]
[+0x024] Vpb : 0x0 [Type: _VPB *]
[+0x028] DeviceExtension : 0x896f00f0 [Type: void *]
[+0x02c] DeviceType : 0x22 [Type: unsigned long]
[+0x030] StackSize : 8 [Type: char]
[+0x034] Queue [Type: __unnamed]
[+0x05c] AlignmentRequirement : 0x0 [Type: unsigned long]
[+0x060] DeviceQueue [Type: _KDEVICE_QUEUE]
[+0x074] Dpc [Type: _KDPC]
[+0x094] ActiveThreadCount : 0x0 [Type: unsigned long]
[+0x098] SecurityDescriptor : 0xe12a6de0 [Type: void *]
[+0x09c] DeviceLock [Type: _KEVENT]
[+0x0ac] SectorSize : 0x0 [Type: unsigned short]
[+0x0ae] Spare1 : 0x1 [Type: unsigned short]
[+0x0b0] DeviceObjectExtension : 0x896f0348 [Type: _DEVOBJ_EXTENSION *]
[+0x0b4] Reserved : 0x0 [Type: void *]
1: kd> dx -id 0,0,ffffffff8965d020 -r1 ((basesrv!_DEVICE_OBJECT *)0x896f0cb8)
((basesrv!_DEVICE_OBJECT *)0x896f0cb8) : 0x896f0cb8 : Device for "\Driver\mouhid" [Type: _DEVICE_OBJECT *]
Flags : 0x2000
UpperDevices : Immediately above is Device for "\Driver\Mouclass" [at 0x896f0640]
LowerDevices : Immediately below is Device for "\Driver\hidusb" [at 0x896f0038]
Driver : 0x898f28f8 : Driver "\Driver\mouhid" [Type: _DRIVER_OBJECT *]
1: kd> dx -id 0,0,ffffffff8965d020 -r1 -n (*((basesrv!_DEVICE_OBJECT *)0x896f0cb8))
(*((basesrv!_DEVICE_OBJECT *)0x896f0cb8)) : Device for "\Driver\mouhid" [Type: _DEVICE_OBJECT]
[+0x000] Type : 3 [Type: short]
[+0x002] Size : 0x1f0 [Type: unsigned short]
[+0x004] ReferenceCount : 0 [Type: long]
[+0x008] DriverObject : 0x898f28f8 : Driver "\Driver\mouhid" [Type: _DRIVER_OBJECT *]
[+0x00c] NextDevice : 0x0 [Type: _DEVICE_OBJECT *]
[+0x010] AttachedDevice : 0x896f0640 : Device for "\Driver\Mouclass" [Type: _DEVICE_OBJECT *]
[+0x014] CurrentIrp : 0x0 [Type: _IRP *]
[+0x018] Timer : 0x0 [Type: _IO_TIMER *]
[+0x01c] Flags : 0x2000 [Type: unsigned long]
[+0x020] Characteristics : 0x0 [Type: unsigned long]
[+0x024] Vpb : 0x0 [Type: _VPB *]
[+0x028] DeviceExtension : 0x896f0d70 [Type: void *]
[+0x02c] DeviceType : 0xf [Type: unsigned long]
[+0x030] StackSize : 9 '\t' [Type: char]
[+0x034] Queue [Type: __unnamed]
[+0x05c] AlignmentRequirement : 0x0 [Type: unsigned long]
[+0x060] DeviceQueue [Type: _KDEVICE_QUEUE]
[+0x074] Dpc [Type: _KDPC]
[+0x094] ActiveThreadCount : 0x0 [Type: unsigned long]
[+0x098] SecurityDescriptor : 0x0 [Type: void *]
[+0x09c] DeviceLock [Type: _KEVENT]
[+0x0ac] SectorSize : 0x0 [Type: unsigned short]
[+0x0ae] Spare1 : 0x1 [Type: unsigned short]
[+0x0b0] DeviceObjectExtension : 0x896f0ea8 [Type: _DEVOBJ_EXTENSION *]
[+0x0b4] Reserved : 0x0 [Type: void *]
1: kd> dx -id 0,0,ffffffff8965d020 -r1 ((basesrv!_DEVICE_OBJECT *)0x896f0640)
((basesrv!_DEVICE_OBJECT *)0x896f0640) : 0x896f0640 : Device for "\Driver\Mouclass" [Type: _DEVICE_OBJECT *]
Flags : 0x2044
UpperDevices : None
LowerDevices : Immediately below is Device for "\Driver\mouhid" [at 0x896f0cb8]
Driver : 0x899898f0 : Driver "\Driver\Mouclass" [Type: _DRIVER_OBJECT *]
1: kd> dx -id 0,0,ffffffff8965d020 -r1 -n (*((basesrv!_DEVICE_OBJECT *)0x896f0640))
(*((basesrv!_DEVICE_OBJECT *)0x896f0640)) : Device for "\Driver\Mouclass" [Type: _DEVICE_OBJECT]
[+0x000] Type : 3 [Type: short]
[+0x002] Size : 0x1c8 [Type: unsigned short]
[+0x004] ReferenceCount : 0 [Type: long]
[+0x008] DriverObject : 0x899898f0 : Driver "\Driver\Mouclass" [Type: _DRIVER_OBJECT *]
[+0x00c] NextDevice : 0x89cb1e08 : Device for "\Driver\Mouclass" [Type: _DEVICE_OBJECT *]
[+0x010] AttachedDevice : 0x0 [Type: _DEVICE_OBJECT *]
[+0x014] CurrentIrp : 0x0 [Type: _IRP *]
[+0x018] Timer : 0x0 [Type: _IO_TIMER *]
[+0x01c] Flags : 0x2044 [Type: unsigned long]
[+0x020] Characteristics : 0x0 [Type: unsigned long]
[+0x024] Vpb : 0x0 [Type: _VPB *]
[+0x028] DeviceExtension : 0x896f06f8 [Type: void *]
[+0x02c] DeviceType : 0xf [Type: unsigned long]
[+0x030] StackSize : 10 '\n' [Type: char]
[+0x034] Queue [Type: __unnamed]
[+0x05c] AlignmentRequirement : 0x0 [Type: unsigned long]
[+0x060] DeviceQueue [Type: _KDEVICE_QUEUE]
[+0x074] Dpc [Type: _KDPC]
[+0x094] ActiveThreadCount : 0x0 [Type: unsigned long]
[+0x098] SecurityDescriptor : 0xe12a6de0 [Type: void *]
[+0x09c] DeviceLock [Type: _KEVENT]
[+0x0ac] SectorSize : 0x0 [Type: unsigned short]
[+0x0ae] Spare1 : 0x0 [Type: unsigned short]
[+0x0b0] DeviceObjectExtension : 0x896f0808 [Type: _DEVOBJ_EXTENSION *]
[+0x0b4] Reserved : 0x0 [Type: void *]
//
// Copy the information from the system buffer to the caller's
// buffer. This is done with an exception handler in case
// the operation fails because the caller's address space
// has gone away, or it's protection has been changed while
// the service was executing.
//
status = STATUS_SUCCESS;
try {
RtlCopyMemory( irp->UserBuffer,
irp->AssociatedIrp.SystemBuffer,
irp->IoStatus.Information );
1: kd> dt _irp 0x8929e048-40
CSRSRV!_IRP
+0x000 Type : 0n6
+0x002 Size : 0x1d8
+0x004 MdlAddress : (null)
+0x008 Flags : 0x970
+0x00c AssociatedIrp : __unnamed
+0x010 ThreadListEntry : _LIST_ENTRY [ 0x892aee30 - 0x8964dfb8 ]
+0x018 IoStatus : _IO_STATUS_BLOCK
+0x020 RequestorMode : 0 ''
+0x021 PendingReturned : 0x1 ''
+0x022 StackCount : 10 ''
+0x023 CurrentLocation : 12 ''
+0x024 Cancel : 0 ''
+0x025 CancelIrql : 0 ''
+0x026 ApcEnvironment : 0 ''
+0x027 AllocationFlags : 0x1 ''
+0x028 UserIosb : 0xe1672d68 _IO_STATUS_BLOCK
+0x02c UserEvent : (null)
+0x030 Overlay : __unnamed
+0x038 CancelRoutine : (null)
+0x03c UserBuffer : 0xe1672d98 Void
+0x040 Tail : __unnamed
1: kd> dd 0x8929e048-40
8929e008 01d80006 00000000 00000970 8964da38
8929e018 892aee30 8964dfb8 00000000 00000018
8929e028 0c0a0100 01000000 e1672d68 00000000
8929e038 bf8e7891 e1672d40 00000000 e1672d98
8929e048 00300012 00000000 8964dda0 8964ddd4
8929e058 8964ddd4 80a2bd0e 80c72194 00000000
8929e068 00000000 8966d9c0 00000000 00000000
8929e078 00000000 00000000 00000000 00000000
1: kd> dd 8964da38
8964da38 00010001 00000000 00000000 00006598
8964da48 00007f5a 00000000 8964d008 01e00000
irp->Flags &= ~(IRP_DEALLOCATE_BUFFER|IRP_BUFFERED_IO);
1: kd> dt _irp 0x8929e048-40
CSRSRV!_IRP
+0x000 Type : 0n6
+0x002 Size : 0x1d8
+0x004 MdlAddress : (null)
+0x008 Flags : 0x940
+0x00c AssociatedIrp : __unnamed
+0x010 ThreadListEntry : _LIST_ENTRY [ 0x892aee30 - 0x8964dfb8 ]
+0x018 IoStatus : _IO_STATUS_BLOCK
+0x020 RequestorMode : 0 ''
+0x021 PendingReturned : 0x1 ''
+0x022 StackCount : 10 ''
+0x023 CurrentLocation : 12 ''
+0x024 Cancel : 0 ''
+0x025 CancelIrql : 0 ''
+0x026 ApcEnvironment : 0 ''
+0x027 AllocationFlags : 0x1 ''
+0x028 UserIosb : 0xe1672d68 _IO_STATUS_BLOCK
+0x02c UserEvent : (null)
+0x030 Overlay : __unnamed
+0x038 CancelRoutine : (null)
+0x03c UserBuffer : 0xe1672d98 Void
+0x040 Tail : __unnamed
if (fileObject && fileObject->CompletionContext) {
port = fileObject->CompletionContext->Port;
key = fileObject->CompletionContext->Key;
}
1: kd> dt file_object 8966d9c0
basesrv!FILE_OBJECT
+0x000 Type : 0n5
+0x002 Size : 0n112
+0x004 DeviceObject : 0x896f0038 _DEVICE_OBJECT
+0x008 Vpb : (null)
+0x00c FsContext : 0x8966b3a0 Void
+0x010 FsContext2 : 0xf754180e Void
+0x014 SectionObjectPointer : (null)
+0x018 PrivateCacheMap : (null)
+0x01c FinalStatus : 0n0
+0x020 RelatedFileObject : (null)
+0x024 LockOperation : 0 ''
+0x025 DeletePending : 0 ''
+0x026 ReadAccess : 0 ''
+0x027 WriteAccess : 0 ''
+0x028 DeleteAccess : 0 ''
+0x029 SharedRead : 0 ''
+0x02a SharedWrite : 0 ''
+0x02b SharedDelete : 0 ''
+0x02c Flags : 0x40000
+0x030 FileName : _UNICODE_STRING ""
+0x038 CurrentByteOffset : _LARGE_INTEGER 0x0
+0x040 Waiters : 0
+0x044 Busy : 0
+0x048 LastLock : (null)
+0x04c Lock : _KEVENT
+0x05c Event : _KEVENT
+0x06c CompletionContext : (null)
1: kd> dt _irp 0x8929e048-40
CSRSRV!_IRP
+0x000 Type : 0n6
+0x002 Size : 0x1d8
+0x004 MdlAddress : (null)
+0x008 Flags : 0x940
+0x00c AssociatedIrp : __unnamed
+0x010 ThreadListEntry : _LIST_ENTRY [ 0x892aee30 - 0x8964dfb8 ]
+0x018 IoStatus : _IO_STATUS_BLOCK
+0x020 RequestorMode : 0 ''
+0x021 PendingReturned : 0x1 ''
+0x022 StackCount : 10 ''
+0x023 CurrentLocation : 12 ''
+0x024 Cancel : 0 ''
+0x025 CancelIrql : 0 ''
+0x026 ApcEnvironment : 0 ''
+0x027 AllocationFlags : 0x1 ''
+0x028 UserIosb : 0xe1672d68 _IO_STATUS_BLOCK
+0x02c UserEvent : (null)
+0x030 Overlay : __unnamed
+0x038 CancelRoutine : (null)
+0x03c UserBuffer : 0xe1672d98 Void
+0x040 Tail : __unnamed
} else if (fileObject) {
(VOID) KeSetEvent( &fileObject->Event, 0, FALSE );
fileObject->FinalStatus = irp->IoStatus.Status;
1: kd> dt file_object 8966d9c0
basesrv!FILE_OBJECT
+0x000 Type : 0n5
+0x002 Size : 0n112
+0x004 DeviceObject : 0x896f0038 _DEVICE_OBJECT
+0x008 Vpb : (null)
+0x00c FsContext : 0x8966b3a0 Void
+0x010 FsContext2 : 0xf754180e Void
+0x014 SectionObjectPointer : (null)
+0x018 PrivateCacheMap : (null)
+0x01c FinalStatus : 0n0
+0x020 RelatedFileObject : (null)
+0x024 LockOperation : 0 ''
+0x025 DeletePending : 0 ''
+0x026 ReadAccess : 0 ''
+0x027 WriteAccess : 0 ''
+0x028 DeleteAccess : 0 ''
+0x029 SharedRead : 0 ''
+0x02a SharedWrite : 0 ''
+0x02b SharedDelete : 0 ''
+0x02c Flags : 0x40000
+0x030 FileName : _UNICODE_STRING ""
+0x038 CurrentByteOffset : _LARGE_INTEGER 0x0
+0x040 Waiters : 0
+0x044 Busy : 0
+0x048 LastLock : (null)
+0x04c Lock : _KEVENT
+0x05c Event : _KEVENT
+0x06c CompletionContext : (null)
1: kd> dx -id 0,0,ffffffff8965d020 -r1 (*((basesrv!_KEVENT *)0xffffffff8966da1c))
(*((basesrv!_KEVENT *)0xffffffff8966da1c)) [Type: _KEVENT]
[+0x000] Header [Type: _DISPATCHER_HEADER]
1: kd> dx -id 0,0,ffffffff8965d020 -r1 (*((basesrv!_DISPATCHER_HEADER *)0xffffffff8966da1c))
(*((basesrv!_DISPATCHER_HEADER *)0xffffffff8966da1c)) [Type: _DISPATCHER_HEADER]
[+0x000] Type : 0x0 [Type: unsigned char]
[+0x001] Absolute : 0x0 [Type: unsigned char]
[+0x002] Size : 0x4 [Type: unsigned char]
[+0x003] Inserted : 0x0 [Type: unsigned char]
[+0x003] DebugActive : 0x0 [Type: unsigned char]
[+0x000] Lock : 262144 [Type: long]
[+0x004] SignalState : 1 [Type: long]
[+0x008] WaitListHead [Type: _LIST_ENTRY]
+0x030 Overlay : __unnamed
+0x000 AsynchronousParameters : __unnamed
+0x000 UserApcRoutine : Ptr32 void
+0x004 UserApcContext : Ptr32 Void
1: kd> dd 0x8929e048-40
8929e008 01d80006 00000000 00000940 8964da38
8929e018 8929e018 8929e018 00000000 00000018
8929e028 0c0a0100 01000000 e1672d68 00000000
8929e038 bf8e7891 e1672d40
1: kd> dd 0x8929e048-40
8929e008 01d80006 00000000 00000940 8964da38
8929e018 8929e018 8929e018 00000000 00000018
8929e028 0c0a0100 01000000 e1672d68 00000000
8929e038 bf8e7891 e1672d40 00000000 e1672d98
8929e048 00300012 00000000 8964dda0 8964ddd4
8929e058 8964ddd4 80a2bd0e 80c72194 00000000
8929e068 00000000 8966d9c0 00000000 00000000
8929e078 00000000 00000000 00000000 00000000
1: kd> u bf8e7891
win32k!InputApc [d:\srv03rtm\windows\core\ntuser\kernel\ntinput.c @ 2037]:
bf8e7891 55 push ebp
bf8e7892 8bec mov ebp,esp
bf8e7894 833d0c14a7bf00 cmp dword ptr [win32k!gptiRit (bfa7140c)],0
bf8e789b 53 push ebx
bf8e789c 56 push esi
bf8e789d 57 push edi
bf8e789e bb0026a0bf mov ebx,offset win32k!`string' (bfa02600)
bf8e78a3 bf2416a0bf mov edi,offset win32k!`string' (bfa01624)
if (irp->Overlay.AsynchronousParameters.UserApcRoutine) {
KeInitializeApc( &irp->Tail.Apc,
&thread->Tcb,
CurrentApcEnvironment,
IopUserCompletion,
(PKRUNDOWN_ROUTINE) IopUserRundown,
(PKNORMAL_ROUTINE) irp->Overlay.AsynchronousParameters.UserApcRoutine,
irp->RequestorMode,
irp->Overlay.AsynchronousParameters.UserApcContext );
KeInsertQueueApc( &irp->Tail.Apc,
irp->UserIosb,
NULL,
2 );
1: kd> t
eax=bf8e7891 ebx=8929e008 ecx=00000000 edx=8964dfb8 esi=8929e048 edi=8966d9c0
eip=80a373e2 esp=baa94880 ebp=baa948e8 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
nt!KeInitializeApc:
80a373e2 55 push ebp
1: kd> dv
Apc = 0x8929e048
Thread = 0x8964dda0
Environment = CurrentApcEnvironment (0n2)
KernelRoutine = 0x80c6f9fa
RundownRoutine = 0x80c6fa9e
NormalRoutine = 0xbf8e7891
ApcMode = 0n0 ''
NormalContext = 0xe1672d40
1: kd> dx -id 0,0,ffffffff8965d020 -r1 ((ntkrnlmp!_KAPC *)0x8929e048)
((ntkrnlmp!_KAPC *)0x8929e048) : 0x8929e048 [Type: _KAPC *]
[+0x000] Type : 18 [Type: short]
[+0x002] Size : 48 [Type: short]
[+0x004] Spare0 : 0x0 [Type: unsigned long]
[+0x008] Thread : 0x8964dda0 [Type: _KTHREAD *]
[+0x00c] ApcListEntry [Type: _LIST_ENTRY]
[+0x014] KernelRoutine : 0x80c6f9fa [Type: void (*)(_KAPC *,void (**)(void *,void *,void *),void * *,void * *,void * *)]
[+0x018] RundownRoutine : 0x80c6fa9e [Type: void (*)(_KAPC *)]
[+0x01c] NormalRoutine : 0xbf8e7891 [Type: void (*)(void *,void *,void *)]
[+0x020] NormalContext : 0xe1672d40 [Type: void *]
[+0x024] SystemArgument1 : 0x8966d9c0 [Type: void *]
[+0x028] SystemArgument2 : 0x0 [Type: void *]
[+0x02c] ApcStateIndex : 0 [Type: char]
[+0x02d] ApcMode : 0 [Type: char]
[+0x02e] Inserted : 0x0 [Type: unsigned char]
1: kd> dx -id 0,0,ffffffff8965d020 -r1 ((ntkrnlmp!_KTHREAD *)0x8964dda0)
((ntkrnlmp!_KTHREAD *)0x8964dda0) : 0x8964dda0 [Type: _KTHREAD *]
[+0x000] Header [Type: _DISPATCHER_HEADER]
[+0x010] MutantListHead [Type: _LIST_ENTRY]
[+0x018] InitialStack : 0xbaa95000 [Type: void *]
[+0x01c] StackLimit : 0xbaa92000 [Type: void *]
[+0x020] KernelStack : 0xbaa9492c [Type: void *]
[+0x024] ThreadLock : 0x0 [Type: unsigned long]
[+0x028] ContextSwitches : 0xc4 [Type: unsigned long]
[+0x02c] State : 0x2 [Type: unsigned char]
[+0x02d] NpxState : 0xa [Type: unsigned char]
[+0x02e] WaitIrql : 0x0 [Type: unsigned char]
[+0x02f] WaitMode : 1 [Type: char]
[+0x030] Teb : 0x7ffd8000 [Type: void *]
[+0x034] ApcState [Type: _KAPC_STATE]
1: kd> dx -id 0,0,ffffffff8965d020 -r1 (*((ntkrnlmp!_KAPC_STATE *)0x8964ddd4))
(*((ntkrnlmp!_KAPC_STATE *)0x8964ddd4)) [Type: _KAPC_STATE]
[+0x000] ApcListHead [Type: _LIST_ENTRY [2]]
[+0x010] Process : 0x8965d020 [Type: _KPROCESS *]
[+0x014] KernelApcInProgress : 0x0 [Type: unsigned char]
[+0x015] KernelApcPending : 0x0 [Type: unsigned char]
[+0x016] UserApcPending : 0x0 [Type: unsigned char]
1: kd> dx -id 0,0,ffffffff8965d020 -r1 (*((ntkrnlmp!_LIST_ENTRY (*)[2])0x8964ddd4))
(*((ntkrnlmp!_LIST_ENTRY (*)[2])0x8964ddd4)) [Type: _LIST_ENTRY [2]]
[0] [Type: _LIST_ENTRY]
[1] [Type: _LIST_ENTRY]
1: kd> dx -id 0,0,ffffffff8965d020 -r1 (*((ntkrnlmp!_LIST_ENTRY *)0x8964ddd4))
(*((ntkrnlmp!_LIST_ENTRY *)0x8964ddd4)) [Type: _LIST_ENTRY]
[+0x000] Flink : 0x8964ddd4 [Type: _LIST_ENTRY *]
[+0x004] Blink : 0x8964ddd4 [Type: _LIST_ENTRY *]
1: kd> dx -id 0,0,ffffffff8965d020 -r1 (*((ntkrnlmp!_LIST_ENTRY *)0x8964dddc))
(*((ntkrnlmp!_LIST_ENTRY *)0x8964dddc)) [Type: _LIST_ENTRY]
[+0x000] Flink : 0x8964dddc [Type: _LIST_ENTRY *]
[+0x004] Blink : 0x8964dddc [Type: _LIST_ENTRY *]
KeInsertQueueApc( &irp->Tail.Apc,
irp->UserIosb,
NULL,
2 );
+0x040 Tail : __unnamed
+0x000 Overlay : __unnamed
+0x000 DeviceQueueEntry : _KDEVICE_QUEUE_ENTRY
+0x000 DriverContext : [4] Ptr32 Void
+0x010 Thread : Ptr32 _ETHREAD
+0x014 AuxiliaryBuffer : Ptr32 Char
+0x018 ListEntry : _LIST_ENTRY
+0x020 CurrentStackLocation : Ptr32 _IO_STACK_LOCATION
+0x020 PacketType : Uint4B
+0x024 OriginalFileObject : Ptr32 _FILE_OBJECT
+0x000 Apc : _KAPC
+0x000 Type : Int2B
+0x002 Size : Int2B
+0x004 Spare0 : Uint4B
+0x008 Thread : Ptr32 _KTHREAD
+0x00c ApcListEntry : _LIST_ENTRY
+0x014 KernelRoutine : Ptr32 void
+0x018 RundownRoutine : Ptr32 void
+0x01c NormalRoutine : Ptr32 void
+0x020 NormalContext : Ptr32 Void
+0x024 SystemArgument1 : Ptr32 Void
+0x028 SystemArgument2 : Ptr32 Void
+0x02c ApcStateIndex : Char
+0x02d ApcMode : Char
+0x02e Inserted : UChar
1: kd> dd 0x8929e048-40
8929e008 01d80006 00000000 00000940 8964da38
8929e018 8929e018 8929e018 00000000 00000018
8929e028 0c0a0100 01000000 e1672d68 00000000
8929e038 bf8e7891 e1672d40 00000000 e1672d98
8929e048 00300012 00000000 8964dda0 8964ddd4
8929e058 8964ddd4 80c6f9fa 80c6fa9e bf8e7891
8929e068 e1672d40 8966d9c0 00000000 00000000
8929e078 00000000 00000000 00000000 00000000
1: kd> t
eax=e1672d40 ebx=8929e008 ecx=00000000 edx=8964dfb8 esi=8929e048 edi=8966d9c0
eip=80a3750e esp=baa94890 ebp=baa948e8 iopl=0 nv up ei ng nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000282
nt!KeInsertQueueApc:
80a3750e 55 push ebp
1: kd> dv
Apc = 0x8929e048
SystemArgument1 = 0xe1672d68
SystemArgument2 = 0x00000000
Increment = 0n2
LockHandle = struct _KLOCK_QUEUE_HANDLE
1: kd> kc
00 nt!KeInsertQueueApc
01 nt!IopCompleteRequest
02 nt!KiDeliverApc
03 nt!KiSwapThread
04 nt!KeWaitForMultipleObjects
05 win32k!xxxMsgWaitForMultipleObjects
06 win32k!xxxDesktopThread
07 win32k!xxxCreateSystemThreads
08 win32k!NtUserCallOneParam
09 nt!_KiSystemService
0a SharedUserData!SystemCallStub
0b winsrv!NtUserCallOneParam
1: kd> dx -id 0,0,ffffffff8965d020 -r1 ((ntkrnlmp!_KAPC *)0x8929e048)
((ntkrnlmp!_KAPC *)0x8929e048) : 0x8929e048 [Type: _KAPC *]
[+0x000] Type : 18 [Type: short]
[+0x002] Size : 48 [Type: short]
[+0x004] Spare0 : 0x0 [Type: unsigned long]
[+0x008] Thread : 0x8964dda0 [Type: _KTHREAD *]
[+0x00c] ApcListEntry [Type: _LIST_ENTRY]
[+0x014] KernelRoutine : 0x80c6f9fa [Type: void (*)(_KAPC *,void (**)(void *,void *,void *),void * *,void * *,void * *)]
[+0x018] RundownRoutine : 0x80c6fa9e [Type: void (*)(_KAPC *)]
[+0x01c] NormalRoutine : 0xbf8e7891 [Type: void (*)(void *,void *,void *)]
[+0x020] NormalContext : 0xe1672d40 [Type: void *]
[+0x024] SystemArgument1 : 0x8966d9c0 [Type: void *]
[+0x028] SystemArgument2 : 0x0 [Type: void *]
[+0x02c] ApcStateIndex : 0 [Type: char]
[+0x02d] ApcMode : 0 [Type: char]
[+0x02e] Inserted : 0x0 [Type: unsigned char]
if (Apc->NormalRoutine != NULL) {
if ((ApcMode != KernelMode) && (Apc->KernelRoutine == PsExitSpecialApc)) {
Thread->ApcState.UserApcPending = TRUE;
InsertHeadList(&ApcState->ApcListHead[ApcMode],
&Apc->ApcListEntry);
} else {
InsertTailList(&ApcState->ApcListHead[ApcMode],
&Apc->ApcListEntry);
1: kd> dt kapc 8929e048
CSRSRV!KAPC
+0x000 Type : 0n18
+0x002 Size : 0n48
+0x004 Spare0 : 0
+0x008 Thread : 0x8964dda0 _KTHREAD
+0x00c ApcListEntry : _LIST_ENTRY [ 0x8964ddd4 - 0x8964ddd4 ]
+0x014 KernelRoutine : 0x80c6f9fa void nt!IopUserCompletion+0
+0x018 RundownRoutine : 0x80c6fa9e void nt!IopUserRundown+0
+0x01c NormalRoutine : 0xbf8e7891 void win32k!InputApc+0
+0x020 NormalContext : 0xe1672d40 Void
+0x024 SystemArgument1 : 0xe1672d68 Void
+0x028 SystemArgument2 : (null)
+0x02c ApcStateIndex : 0 ''
+0x02d ApcMode : 0 ''
+0x02e Inserted : 0x1 ''
1: kd> dx -id 0,0,ffffffff8965d020 -r1 ((CSRSRV!_KTHREAD *)0x8964dda0)
((CSRSRV!_KTHREAD *)0x8964dda0) : 0x8964dda0 [Type: _KTHREAD *]
[+0x000] Header [Type: _DISPATCHER_HEADER]
[+0x010] MutantListHead [Type: _LIST_ENTRY]
[+0x018] InitialStack : 0xbaa95000 [Type: void *]
[+0x01c] StackLimit : 0xbaa92000 [Type: void *]
[+0x020] KernelStack : 0xbaa9492c [Type: void *]
[+0x024] ThreadLock : 0x0 [Type: unsigned long]
[+0x028] ContextSwitches : 0xc4 [Type: unsigned long]
[+0x02c] State : 0x2 [Type: unsigned char]
[+0x02d] NpxState : 0xa [Type: unsigned char]
[+0x02e] WaitIrql : 0x0 [Type: unsigned char]
[+0x02f] WaitMode : 1 [Type: char]
[+0x030] Teb : 0x7ffd8000 [Type: void *]
[+0x034] ApcState [Type: _KAPC_STATE]
1: kd> dx -id 0,0,ffffffff8965d020 -r1 (*((CSRSRV!_KAPC_STATE *)0x8964ddd4))
(*((CSRSRV!_KAPC_STATE *)0x8964ddd4)) [Type: _KAPC_STATE]
[+0x000] ApcListHead [Type: _LIST_ENTRY [2]]
[+0x010] Process : 0x8965d020 [Type: _KPROCESS *]
[+0x014] KernelApcInProgress : 0x0 [Type: unsigned char]
[+0x015] KernelApcPending : 0x0 [Type: unsigned char]
[+0x016] UserApcPending : 0x0 [Type: unsigned char]
1: kd> dx -id 0,0,ffffffff8965d020 -r1 (*((CSRSRV!_LIST_ENTRY (*)[2])0x8964ddd4))
(*((CSRSRV!_LIST_ENTRY (*)[2])0x8964ddd4)) [Type: _LIST_ENTRY [2]]
[0] [Type: _LIST_ENTRY]
[1] [Type: _LIST_ENTRY]
1: kd> dx -id 0,0,ffffffff8965d020 -r1 (*((CSRSRV!_LIST_ENTRY *)0x8964ddd4))
(*((CSRSRV!_LIST_ENTRY *)0x8964ddd4)) [Type: _LIST_ENTRY]
[+0x000] Flink : 0x8929e054 [Type: _LIST_ENTRY *]
[+0x004] Blink : 0x8929e054 [Type: _LIST_ENTRY *]
1: kd> dx -id 0,0,ffffffff8965d020 -r1 (*((CSRSRV!_LIST_ENTRY *)0x8964dddc))
(*((CSRSRV!_LIST_ENTRY *)0x8964dddc)) [Type: _LIST_ENTRY]
[+0x000] Flink : 0x8964dddc [Type: _LIST_ENTRY *]
[+0x004] Blink : 0x8964dddc [Type: _LIST_ENTRY *]
    //
    // Lower IRQL to its previous level.
    //
    KeLowerIrql(OldIrql);
    return;
}
1: kd> p
eax=0000003d ebx=00000001 ecx=0000003d edx=00000000 esi=8929e048 edi=8966d9c0
eip=80a4028f esp=baa94860 ebp=baa94870 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
nt!KiExitDispatcher+0x2a3:
80a4028f c9 leave
1: kd> kc
00 nt!KiExitDispatcher
01 nt!KeInsertQueueApc
02 nt!IopCompleteRequest
03 nt!KiDeliverApc
04 nt!KiSwapThread
05 nt!KeWaitForMultipleObjects
06 win32k!xxxMsgWaitForMultipleObjects
07 win32k!xxxDesktopThread
08 win32k!xxxCreateSystemThreads
09 win32k!NtUserCallOneParam
0a nt!_KiSystemService
0b SharedUserData!SystemCallStub
0c winsrv!NtUserCallOneParam
        } else {
            //
            // First entry in the kernel APC queue is a normal kernel APC.
            // If there is not a normal kernel APC in progress and kernel
            // APC's are not disabled, then remove the entry from the APC
            // queue, set its inserted state to FALSE, release the APC queue
            // lock, call the specified kernel routine, set kernel APC in
            // progress, lower the IRQL to zero, and call the normal kernel
            // APC routine. On return raise IRQL to dispatcher level, lock
            // the APC queue, and clear kernel APC in progress.
            //
            if ((Thread->ApcState.KernelApcInProgress == FALSE) &&
                (Thread->KernelApcDisable == 0)) {
                RemoveEntryList(NextEntry);
                Apc->Inserted = FALSE;
                KeReleaseInStackQueuedSpinLock(&LockHandle);
                (KernelRoutine)(Apc,
                                &NormalRoutine,
                                &NormalContext,
                                &SystemArgument1,
                                &SystemArgument2);
#if DBG
                if (KeGetCurrentIrql() != LockHandle.OldIrql) {
                    KeBugCheckEx(IRQL_UNEXPECTED_VALUE,
                                 KeGetCurrentIrql() << 16 | LockHandle.OldIrql << 8 | 1,
                                 (ULONG_PTR)KernelRoutine,
                                 (ULONG_PTR)Apc,
                                 (ULONG_PTR)NormalRoutine);
                }
#endif
                if (NormalRoutine != (PKNORMAL_ROUTINE)NULL) {
                    Thread->ApcState.KernelApcInProgress = TRUE;
                    KeLowerIrql(0);
                    (NormalRoutine)(NormalContext,
                                    SystemArgument1,
                                    SystemArgument2);
                    KeRaiseIrql(APC_LEVEL, &LockHandle.OldIrql);
                }
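The two kernel fragments quoted above (the KiInsertQueueApc head-or-tail rule and the KiDeliverApc path for a normal kernel APC) can be exercised outside the kernel. What follows is an added user-mode model, not WRK or Windows code: it reimplements the LIST_ENTRY primitives and the quoted branches against a fake KTHREAD and reproduces the list-head values in the dumps above. With one APC queued, ApcListHead[KernelMode].Flink and .Blink both point at that APC's ApcListEntry and the entry points back at the head (the 0x8929e054 / 0x8964ddd4 pair), while the user-mode head points at itself (0x8964dddc). The names FakeIopUserCompletion and FakeInputApc are stand-ins for nt!IopUserCompletion and win32k!InputApc; the local PsExitSpecialApc exists only so the pointer comparison in the insert rule has something to compare against.

```c
#include <stddef.h>
#include <stdio.h>

/* Added user-mode model of the APC queue (not WRK/Windows code). Only the
 * fields the quoted KiInsertQueueApc / KiDeliverApc branches touch are kept. */
typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;
#define CONTAINING_RECORD(ptr, type, field) ((type *)((char *)(ptr) - offsetof(type, field)))
enum { KernelMode = 0, UserMode = 1 };

typedef struct _KAPC KAPC;
typedef void (*PKNORMAL_ROUTINE)(void *ctx, void *arg1, void *arg2);
typedef void (*PKKERNEL_ROUTINE)(KAPC *apc, PKNORMAL_ROUTINE *nr, void **ctx, void **a1, void **a2);
struct _KAPC {
    LIST_ENTRY ApcListEntry;
    PKKERNEL_ROUTINE KernelRoutine;
    PKNORMAL_ROUTINE NormalRoutine;
    void *NormalContext, *SystemArgument1, *SystemArgument2;
    int ApcMode, Inserted;
};
typedef struct { LIST_ENTRY ApcListHead[2]; int KernelApcInProgress, UserApcPending; } KAPC_STATE;
typedef struct { KAPC_STATE ApcState; int KernelApcDisable; } KTHREAD;

static void InitializeListHead(LIST_ENTRY *h) { h->Flink = h->Blink = h; }
static int  IsListEmpty(const LIST_ENTRY *h) { return h->Flink == h; }
static void InsertHeadList(LIST_ENTRY *h, LIST_ENTRY *e)
{ e->Flink = h->Flink; e->Blink = h; h->Flink->Blink = e; h->Flink = e; }
static void InsertTailList(LIST_ENTRY *h, LIST_ENTRY *e)
{ e->Flink = h; e->Blink = h->Blink; h->Blink->Flink = e; h->Blink = e; }
static void RemoveEntryList(LIST_ENTRY *e)
{ e->Blink->Flink = e->Flink; e->Flink->Blink = e->Blink; }

/* Identity stand-in for nt!PsExitSpecialApc: only the pointer comparison matters. */
static void PsExitSpecialApc(KAPC *a, PKNORMAL_ROUTINE *n, void **c, void **x, void **y)
{ (void)a; (void)n; (void)c; (void)x; (void)y; }

/* Mirror of the quoted KiInsertQueueApc branch for APCs that carry a NormalRoutine
 * (special kernel APCs, which have none, are not modelled). */
void InsertQueueApc(KTHREAD *t, KAPC *apc)
{
    KAPC_STATE *s = &t->ApcState;
    int mode = apc->ApcMode;
    if (mode != KernelMode && apc->KernelRoutine == PsExitSpecialApc) {
        s->UserApcPending = 1;                    /* the thread-exit APC jumps the queue */
        InsertHeadList(&s->ApcListHead[mode], &apc->ApcListEntry);
    } else {
        InsertTailList(&s->ApcListHead[mode], &apc->ApcListEntry);
    }
    apc->Inserted = 1;
}

/* Mirror of the quoted KiDeliverApc path for normal kernel APCs: dequeue, call
 * KernelRoutine (which may rewrite the normal-routine arguments), then call
 * NormalRoutine with KernelApcInProgress set. Returns the number delivered. */
int DeliverKernelApcs(KTHREAD *t)
{
    KAPC_STATE *s = &t->ApcState;
    int delivered = 0;
    while (!IsListEmpty(&s->ApcListHead[KernelMode])) {
        if (s->KernelApcInProgress || t->KernelApcDisable != 0) break;
        LIST_ENTRY *next = s->ApcListHead[KernelMode].Flink;
        KAPC *apc = CONTAINING_RECORD(next, KAPC, ApcListEntry);
        PKNORMAL_ROUTINE nr = apc->NormalRoutine;
        void *ctx = apc->NormalContext, *a1 = apc->SystemArgument1, *a2 = apc->SystemArgument2;
        RemoveEntryList(next);
        apc->Inserted = 0;
        apc->KernelRoutine(apc, &nr, &ctx, &a1, &a2);
        if (nr != NULL) { s->KernelApcInProgress = 1; nr(ctx, a1, a2); s->KernelApcInProgress = 0; }
        delivered++;
    }
    return delivered;
}

/* Constructed demo reproducing the dumps above. */
static int g_input_apc_calls; static void *g_seen_ctx;
static void FakeIopUserCompletion(KAPC *a, PKNORMAL_ROUTINE *n, void **c, void **x, void **y)
{ (void)a; (void)n; (void)c; (void)x; (void)y; }     /* passes the arguments through unchanged */
static void FakeInputApc(void *ctx, void *iosb, void *reserved)
{ (void)iosb; (void)reserved; g_seen_ctx = ctx; g_input_apc_calls++; }

unsigned run_demo(void)        /* returns a bitmask of the checks that held; 0xff = all */
{
    KTHREAD t = {0}; KAPC apc = {0}; char deviceinfo, iosb; unsigned ok = 0;
    LIST_ENTRY *kh = &t.ApcState.ApcListHead[KernelMode], *uh = &t.ApcState.ApcListHead[UserMode];
    g_input_apc_calls = 0; g_seen_ctx = NULL;
    InitializeListHead(kh); InitializeListHead(uh);
    apc.KernelRoutine = FakeIopUserCompletion; apc.NormalRoutine = FakeInputApc;
    apc.NormalContext = &deviceinfo; apc.SystemArgument1 = &iosb; apc.ApcMode = KernelMode;
    InsertQueueApc(&t, &apc);
    if (kh->Flink == &apc.ApcListEntry && kh->Blink == &apc.ApcListEntry) ok |= 1;  /* head -> entry */
    if (apc.ApcListEntry.Flink == kh && apc.ApcListEntry.Blink == kh) ok |= 2;      /* entry -> head */
    if (uh->Flink == uh && uh->Blink == uh) ok |= 4;                                 /* user queue empty */
    if (apc.Inserted == 1) ok |= 8;
    if (DeliverKernelApcs(&t) == 1) ok |= 16;
    if (g_input_apc_calls == 1 && g_seen_ctx == &deviceinfo) ok |= 32;  /* InputApc got the DEVICEINFO */
    if (IsListEmpty(kh) && apc.Inserted == 0) ok |= 64;
    if (t.ApcState.KernelApcInProgress == 0) ok |= 128;
    return ok;
}

int exit_apc_goes_first(void)  /* 1 if a user-mode exit APC is queued ahead of an earlier user APC */
{
    KTHREAD t = {0}; KAPC normal = {0}, exit_apc = {0};
    InitializeListHead(&t.ApcState.ApcListHead[KernelMode]); InitializeListHead(&t.ApcState.ApcListHead[UserMode]);
    normal.NormalRoutine = FakeInputApc; normal.KernelRoutine = FakeIopUserCompletion; normal.ApcMode = UserMode;
    exit_apc.NormalRoutine = FakeInputApc; exit_apc.KernelRoutine = PsExitSpecialApc; exit_apc.ApcMode = UserMode;
    InsertQueueApc(&t, &normal); InsertQueueApc(&t, &exit_apc);
    return t.ApcState.ApcListHead[UserMode].Flink == &exit_apc.ApcListEntry && t.ApcState.UserApcPending == 1;
}

int main(void) { printf("checks 0x%02x, exit-first %d\n", run_demo(), exit_apc_goes_first()); return 0; }
```

The point the model makes explicit is that Inserted, the head pointers and KernelApcInProgress are the only state the delivery loop consults, which is why the dump at the KiDeliverApc breakpoint shows Inserted 0x1 and a one-entry kernel list while the user list head still points at itself.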
1: kd> g
Breakpoint 17 hit
eax=00000000 ebx=804ee400 ecx=00000000 edx=80bf6160 esi=8929e048 edi=8964dda0
eip=bf8e7891 esp=baa948f4 ebp=baa94938 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
win32k!InputApc:
bf8e7891 55 push ebp
1: kd> kc
00 win32k!InputApc
01 nt!KiDeliverApc
02 nt!KiSwapThread
03 nt!KeWaitForMultipleObjects
04 win32k!xxxMsgWaitForMultipleObjects
05 win32k!xxxDesktopThread
06 win32k!xxxCreateSystemThreads
07 win32k!NtUserCallOneParam
08 nt!_KiSystemService
09 SharedUserData!SystemCallStub
0a winsrv!NtUserCallOneParam
1: kd> kv
ChildEBP RetAddr Args to Child
00 baa948f0 80a3c8d4 e1672d40 e1672d68 00000000 win32k!InputApc (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\kernel\ntinput.c @ 2037]
01 baa94938 80a44106 00000000 00000000 00000000 nt!KiDeliverApc+0x15e (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\ke\apcsup.c @ 337]
02 baa9497c 80a358c7 00000000 e165a9e0 00000002 nt!KiSwapThread+0x642 (FPO: [Non-Fpo]) (CONV: fastcall) [d:\srv03rtm\base\ntos\ke\thredsup.c @ 2004]
03 baa949b4 bf8a4685 00000003 8964e2f8 00000001 nt!KeWaitForMultipleObjects+0x3b5 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\ke\wait.c @ 816]
04 baa94a04 bf8b123e 00000002 8964e2f8 bf8fe215 win32k!xxxMsgWaitForMultipleObjects+0xeb (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\kernel\queue.c @ 4540]
05 baa94d1c bf8b21ba bfa70aa0 00000001 baa94d48 win32k!xxxDesktopThread+0x437 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\kernel\desktop.c @ 594]
06 baa94d2c bf806d52 bfa70aa0 baa94d58 008cfff4 win32k!xxxCreateSystemThreads+0x9c (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\kernel\desktop.c @ 347]
07 baa94d48 80afbcb2 00000000 00000022 80afb956 win32k!NtUserCallOneParam+0xa0 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\kernel\ntstubs.c @ 4789]
08 baa94d48 7ffe0304 00000000 00000022 80afb956 nt!_KiSystemService+0x13f (FPO: [0,3] TrapFrame @ baa94d64) (CONV: cdecl) [d:\srv03rtm\base\ntos\ke\i386\trap.asm @ 1328]
09 008cffe0 75340774 75318a89 00000000 00000022 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])
0a 008cffe8 00000000 00000022 00000004 00000000 winsrv!NtUserCallOneParam+0xc (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\umode\daytona\obj\i386\usrstubs.c @ 2683]
windbg> .open -a ffffffff80a3c8d4
1: kd> dv
ApcContext = 0xe1672d40
IoStatusBlock = 0xe1672d68
Reserved = 0
windbg> .open -a ffffffffbf8e7891
1: kd> dt DEVICEINFO 0xe1672d40
win32k!DEVICEINFO
+0x000 head : _HEAD
+0x008 pNext : 0xe162cdd8 tagDEVICEINFO
+0x00c type : 0 ''
+0x00d bFlags : 0x2 ''
+0x00e usActions : 0
+0x010 nRetryRead : 0 ''
+0x014 ustrName : _UNICODE_STRING "\??\HID#Vid_0e0f&Pid_0003&MI_00#8&28f6544d&0&0000#{378de44c-56ef-11d1-bc8c-00a0c91405dd}"
+0x01c handle : 0x00000218 Void
+0x020 NotificationEntry : 0xe13ef200 Void
+0x024 pkeHidChangeCompleted : 0x896612d0 _KEVENT
+0x028 iosb : _IO_STATUS_BLOCK
+0x030 ReadStatus : 0n259
+0x034 OpenerProcess : 0x000001c4 Void
+0x038 OpenStatus : 0n0
+0x03c AttrStatus : 0n0
+0x040 timeStartRead : 0xffca7f0c
+0x044 timeEndRead : 0xffca7f0d
+0x048 nReadsOutstanding : 0n1
+0x04c mouse : tagMOUSE_DEVICE_INFO
+0x04c keyboard : tagKEYBOARD_DEVICE_INFO
+0x04c hid : tagHID_DEVICE_INFO
1: kd> dx -id 0,0,ffffffff8965d020 -r1 (*((win32k!tagMOUSE_DEVICE_INFO *)0xffffffffe1672d8c))
(*((win32k!tagMOUSE_DEVICE_INFO *)0xffffffffe1672d8c)) [Type: tagMOUSE_DEVICE_INFO]
[+0x000] Attr [Type: _MOUSE_ATTRIBUTES]
[+0x00c] Data [Type: _MOUSE_INPUT_DATA [10]]
1: kd> dx -id 0,0,ffffffff8965d020 -r1 (*((win32k!_MOUSE_INPUT_DATA (*)[10])0xffffffffe1672d98))
(*((win32k!_MOUSE_INPUT_DATA (*)[10])0xffffffffe1672d98)) [Type: _MOUSE_INPUT_DATA [10]]
[0] [Type: _MOUSE_INPUT_DATA]
[1] [Type: _MOUSE_INPUT_DATA]
[2] [Type: _MOUSE_INPUT_DATA]
[3] [Type: _MOUSE_INPUT_DATA]
[4] [Type: _MOUSE_INPUT_DATA]
[5] [Type: _MOUSE_INPUT_DATA]
[6] [Type: _MOUSE_INPUT_DATA]
[7] [Type: _MOUSE_INPUT_DATA]
[8] [Type: _MOUSE_INPUT_DATA]
[9] [Type: _MOUSE_INPUT_DATA]
1: kd> dx -id 0,0,ffffffff8965d020 -r1 (*((win32k!_MOUSE_INPUT_DATA *)0xffffffffe1672d98))
(*((win32k!_MOUSE_INPUT_DATA *)0xffffffffe1672d98)) [Type: _MOUSE_INPUT_DATA]
[+0x000] UnitId : 0x1 [Type: unsigned short]
[+0x002] Flags : 0x1 [Type: unsigned short]
[+0x004] Buttons : 0x0 [Type: unsigned long]
[+0x004] ButtonFlags : 0x0 [Type: unsigned short]
[+0x006] ButtonData : 0x0 [Type: unsigned short]
[+0x008] RawButtons : 0x0 [Type: unsigned long]
[+0x00c] LastX : 26008 [Type: long]
[+0x010] LastY : 32602 [Type: long]
[+0x014] ExtraInformation : 0x0 [Type: unsigned long]
1: kd> ?0n32602
Evaluate expression: 32602 = 00007f5a
1: kd> ?0n26008
Evaluate expression: 26008 = 00006598
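The _MOUSE_INPUT_DATA layout shown by dx above (0x18 bytes per record, ten records in DEVICEINFO.mouse.Data) is enough to decode the raw bytes a completed read leaves in that buffer. The following is an added example, not win32k's code: it parses records at those offsets, classifies a record as absolute or relative from its Flags, and maps an absolute coordinate to a pixel. Record 0 of the constructed sample carries the values from the dump (UnitId 1, Flags 1, LastX 0x6598, LastY 0x7f5a); record 1, a relative move with the left button going down, is made up. The Flags and ButtonFlags constants are the ntddmou.h values; the 1024x768 screen size and the (value * extent) >> 16 mapping for absolute coordinates are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example (not win32k code): decode raw MOUSE_INPUT_DATA records at the
 * offsets the dx output shows, treating the reported byte count as untrusted. */
#define MOUSE_MOVE_RELATIVE      0x0000   /* Flags values (ntddmou.h) */
#define MOUSE_MOVE_ABSOLUTE      0x0001
#define MOUSE_VIRTUAL_DESKTOP    0x0002
#define MOUSE_ATTRIBUTES_CHANGED 0x0004
#define MOUSE_LEFT_BUTTON_DOWN   0x0001   /* ButtonFlags bit */
#define MOUSE_INPUT_DATA_SIZE    0x18     /* x86 sizeof(_MOUSE_INPUT_DATA), per the dump */
#define MOUSE_QUEUE_LENGTH       10       /* Data[10] in tagMOUSE_DEVICE_INFO */

typedef struct {
    uint16_t UnitId, Flags, ButtonFlags, ButtonData;
    uint32_t RawButtons;
    int32_t  LastX, LastY;
    uint32_t ExtraInformation;
} MouseInputData;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{ return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24); }

/* `information` plays the role of iosb.Information from the completed read. A
 * consumer must check it rather than trust it: it has to be a whole number of
 * records, within the buffer actually handed to the driver and within the
 * queue length. Returns the record count, or -1 for a bad length. */
int decode_mouse_records(const uint8_t *buf, size_t buf_len, size_t information,
                         MouseInputData *out, size_t max_out)
{
    if (information > buf_len || information % MOUSE_INPUT_DATA_SIZE != 0) return -1;
    size_t n = information / MOUSE_INPUT_DATA_SIZE;
    if (n > MOUSE_QUEUE_LENGTH || n > max_out) return -1;
    for (size_t i = 0; i < n; i++) {
        const uint8_t *p = buf + i * MOUSE_INPUT_DATA_SIZE;
        out[i].UnitId      = rd16(p + 0x00);
        out[i].Flags       = rd16(p + 0x02);
        out[i].ButtonFlags = rd16(p + 0x04);   /* low half of the Buttons union */
        out[i].ButtonData  = rd16(p + 0x06);   /* high half (wheel delta) */
        out[i].RawButtons  = rd32(p + 0x08);
        out[i].LastX       = (int32_t)rd32(p + 0x0c);
        out[i].LastY       = (int32_t)rd32(p + 0x10);
        out[i].ExtraInformation = rd32(p + 0x14);
    }
    return (int)n;
}

/* Absolute records span 0..65535 across the desktop; the mapping assumed here
 * is (value * extent) >> 16. Relative records are deltas and pass through. */
int32_t to_pixel(const MouseInputData *r, int32_t v, int32_t screen_extent)
{
    if (!(r->Flags & MOUSE_MOVE_ABSOLUTE)) return v;
    if (v < 0) v = 0;
    if (v > 65535) v = 65535;
    return (int32_t)(((int64_t)v * screen_extent) >> 16);
}

/* Constructed sample: record 0 = the values seen in the dump; record 1 = a
 * made-up relative move of (-5, +3) with the left button going down. */
static const uint8_t SAMPLE[2 * MOUSE_INPUT_DATA_SIZE] = {
    0x01,0x00, 0x01,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,
    0x98,0x65,0x00,0x00, 0x5a,0x7f,0x00,0x00, 0x00,0x00,0x00,0x00,
    0x01,0x00, 0x00,0x00, 0x01,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,
    0xfb,0xff,0xff,0xff, 0x03,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,
};
static MouseInputData g_recs[MOUSE_QUEUE_LENGTH];

/* Decode the sample as if iosb.Information had been `information`. */
int decode_sample(size_t information)
{ return decode_mouse_records(SAMPLE, sizeof SAMPLE, information, g_recs, MOUSE_QUEUE_LENGTH); }
const MouseInputData *sample_record(int i) { return &g_recs[i]; }

int main(void)
{
    int n = decode_sample(sizeof SAMPLE);
    for (int i = 0; i < n; i++) {
        const MouseInputData *r = sample_record(i);
        printf("unit %u flags 0x%x buttons 0x%x %s (%d,%d) -> pixel (%d,%d) on 1024x768\n",
               (unsigned)r->UnitId, (unsigned)r->Flags, (unsigned)r->ButtonFlags,
               (r->Flags & MOUSE_MOVE_ABSOLUTE) ? "absolute" : "relative",
               (int)r->LastX, (int)r->LastY,
               (int)to_pixel(r, r->LastX, 1024), (int)to_pixel(r, r->LastY, 768));
    }
    return 0;
}
```

For the dumped record, Flags 0x1 is MOUSE_MOVE_ABSOLUTE, so LastX/LastY (0x6598, 0x7f5a) are positions on a 0..65535 grid rather than deltas; on an assumed 1024x768 desktop they land at (406, 382). The length checks matter because the record count a consumer derives from the completion status is the only thing standing between the ten-entry Data array and an over-read.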