nt!KiSwapThread函数分析之nt!KiFindReadyThread和nt!KiSwapContext汇编代码和分析

nt!KiSwapThread函数分析之nt!KiFindReadyThread和nt!KiSwapContext汇编代码和分析

第一部分：

当前处理器为1号处理器，对应的KPCR f7737000没有NextThread

和ReadySummary =0。的情况。

LONG_PTR

FASTCALL

KiSwapThread (

IN PKTHREAD OldThread,

IN PKPRCB CurrentPrcb

)

{

if ((NewThread = CurrentPrcb->NextThread) != NULL) {

//

// Clear the next thread address, set the current thread address, and

// set the thread state to running.

//

CurrentPrcb->NextThread = NULL;

CurrentPrcb->CurrentThread = NewThread;

NewThread->State = Running;

} else {

//

// Attempt to select a thread from the current processor dispatcher

// ready queues.

//

if ((NewThread = KiSelectReadyThread(0, CurrentPrcb)) != NULL) {

CurrentPrcb->CurrentThread = NewThread;

NewThread->State = Running;

} else {

第二部分：

1: kd> g

Breakpoint 30 hit

eax=ffdff120 ebx=f7737120 ecx=00000001 edx=ffdff120 esi=00000000 edi=80a059f8

eip=80a429d8 esp=f75f6948 ebp=f75f697c iopl=0 nv up ei pl nz na pe nc

cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000206

nt!KiFindReadyThread:

80a429d8 55 push ebp

1: kd> kc

00 nt!KiFindReadyThread

01 nt!KiSwapThread

02 nt!KeWaitForMultipleObjects

03 win32k!xxxMsgWaitForMultipleObjects

04 win32k!xxxDesktopThread

05 win32k!xxxCreateSystemThreads

06 win32k!NtUserCallOneParam

07 nt!_KiSystemService

08 SharedUserData!SystemCallStub

09 winsrv!NtUserCallOneParam

1: kd> !pcr

KPCR for Processor 1 at f7737000:

1: kd> dt KPCR f7737000

basesrv!KPCR

+0x000 NtTib : _NT_TIB

+0x000 Used_ExceptionList : 0xf75f6260 _EXCEPTION_REGISTRATION_RECORD

+0x004 Used_StackBase : (null)

+0x008 PerfGlobalGroupMask : (null)

+0x00c TssCopy : 0xf7737ef0 Void

+0x010 ContextSwitches : 0x8a1e

+0x014 SetMemberCopy : 2

+0x018 Used_Self : 0x7ffd8000 Void

+0x01c SelfPcr : 0xf7737000 _KPCR

+0x020 Prcb : 0xf7737120 _KPRCB

1: kd> dx -id 0,0,89831250 -r1 ((basesrv!_KPRCB *)0xf7737120)

((basesrv!_KPRCB *)0xf7737120) : 0xf7737120 [Type: _KPRCB *]

+0x000\] MinorVersion : 0x1 \[Type: unsigned short

+0x002\] MajorVersion : 0x1 \[Type: unsigned short

+0x004\] CurrentThread : 0x89804020 \[Type: _KTHREAD \*

+0x008\] NextThread : 0x0 \[Type: _KTHREAD \*

+0x928\] ReadySummary : 0x0 \[Type: unsigned long

+0x92c\] SelectNextLast : 0x0 \[Type: unsigned long

+0x930\] DispatcherReadyListHead \[Type: _LIST_ENTRY \[32\]

+0xa30\] DeferredReadyListHead \[Type: _SINGLE_LIST_ENTRY

+0xa34\] PrcbPad72 \[Type: unsigned long \[11\]

+0xa60\] ChainedInterruptList : 0x0 \[Type: void \*

+0xa64\] LookasideIrpFloat : 32720 \[Type: long

+0xa68\] SpareFields0 \[Type: unsigned long \[4\]

+0xa78\] VendorString \[Type: unsigned char \[13\]

+0xa85\] InitialApicId : 0x1 \[Type: unsigned char

+0xa86\] LogicalProcessorsPerPhysicalProcessor : 0x2 \[Type: unsigned char

+0xa88\] MHz : 0xe0f \[Type: unsigned long

+0xa8c\] FeatureBits : 0x33fff \[Type: unsigned long

+0xa90\] UpdateSignature : {876173328384} \[Type: _LARGE_INTEGER

+0xa98\] IsrTime : 0x0 \[Type: unsigned __int64

+0xaa0\] NpxSaveArea \[Type: _FX_SAVE_AREA

+0xcb0\] PowerState \[Type: _PROCESSOR_POWER_STATE

1: kd> kv

ChildEBP RetAddr Args to Child

00 f75f6944 80a43dd9 f7737120 89804020 89804080 nt!KiFindReadyThread (FPO: [Non-Fpo]) (CONV: fastcall) [d:\srv03rtm\base\ntos\ke\thredsup.c @ 722]

01 f75f697c 80a358c7 00000000 e1639460 00000002 nt!KiSwapThread+0x315 (FPO: [Non-Fpo]) (CONV: fastcall) [d:\srv03rtm\base\ntos\ke\thredsup.c @ 1854]

02 f75f69b4 bf8a4685 00000003 89804b50 00000001 nt!KeWaitForMultipleObjects+0x3b5 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\ke\wait.c @ 816]

03 f75f6a04 bf8b123e 00000002 89804b50 bf8fe215 win32k!xxxMsgWaitForMultipleObjects+0xeb (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\kernel\queue.c @ 4540]

04 f75f6d1c bf8b21ba bfa70aa0 00000001 f75f6d48 win32k!xxxDesktopThread+0x437 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\kernel\desktop.c @ 594]

05 f75f6d2c bf806d52 bfa70aa0 f75f6d58 008cfff4 win32k!xxxCreateSystemThreads+0x9c (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\kernel\desktop.c @ 347]

06 f75f6d48 80afbcb2 00000000 00000022 80afb956 win32k!NtUserCallOneParam+0xa0 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\kernel\ntstubs.c @ 4789]

07 f75f6d48 7ffe0304 00000000 00000022 80afb956 nt!_KiSystemService+0x13f (FPO: [0,3] TrapFrame @ f75f6d64) (CONV: cdecl) [d:\srv03rtm\base\ntos\ke\i386\trap.asm @ 1328]

08 008cffe0 75340774 75318a89 00000000 00000022 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

09 008cffe8 00000000 00000022 00000004 00000000 winsrv!NtUserCallOneParam+0xc (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\umode\daytona\obj\i386\usrstubs.c @ 2683]

windbg> .open -a ffffffff80a43dd9

1: kd> dx -id 0,0,89831250 -r1 ((basesrv!_KPRCB *)0xffdff120)

((basesrv!_KPRCB *)0xffdff120) : 0xffdff120 [Type: _KPRCB *]

+0x000\] MinorVersion : 0x1 \[Type: unsigned short

+0x002\] MajorVersion : 0x1 \[Type: unsigned short

+0x004\] CurrentThread : 0x895f2a78 \[Type: _KTHREAD \*

+0x008\] NextThread : 0x0 \[Type: _KTHREAD \*

+0x928\] ReadySummary : 0x4000 \[Type: unsigned long

+0x92c\] SelectNextLast : 0x0 \[Type: unsigned long

+0x930\] DispatcherReadyListHead \[Type: _LIST_ENTRY \[32\]

1: kd> dx -id 0,0,89831250 -r1 (*((basesrv!_LIST_ENTRY (*)[32])0xffdffa50))

(*((basesrv!_LIST_ENTRY (*)[32])0xffdffa50)) [Type: _LIST_ENTRY [32]]

14\] \[Type: _LIST_ENTRY

1: kd> dx -id 0,0,89831250 -r1 (*((basesrv!_LIST_ENTRY *)0xffdffac0))

(*((basesrv!_LIST_ENTRY *)0xffdffac0)) [Type: _LIST_ENTRY]

+0x000\] Flink : 0x895552c8 \[Type: _LIST_ENTRY \*

+0x004\] Blink : 0x895552c8 \[Type: _LIST_ENTRY \*

if (RemoveEntryList(&Thread->WaitListEntry) != FALSE) {

Prcb->ReadySummary ^= PRIORITY_MASK(HighPriority);

}

Thread->NextProcessor = (UCHAR)Number;

return Thread;

PrioritySet = Prcb->ReadySummary; edi=00004000

ASSERT(PrioritySet != 0);

1: kd> p

eax=ffdff120 ebx=ffdff120 ecx=00000001 edx=ffdff120 esi=00000000 edi=00004000

eip=80a429e9 esp=f75f6920 ebp=f75f6944 iopl=0 nv up ei ng nz ac po nc

cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000292

nt!KiFindReadyThread+0x11:

80a429e9 85ff test edi,edi

KeFindFirstSetLeftMember(PrioritySet, &HighPriority);

1: kd> p

eax=00000002 ebx=ffdffac0 ecx=00000001 edx=ffdff120 esi=89555268 edi=00004000

eip=80a42a92 esp=f75f6920 ebp=f75f6944 iopl=0 nv up ei ng nz na po cy

cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000283

nt!KiFindReadyThread+0xba:

80a42a92 858620010000 test dword ptr [esi+120h],eax ds:0023:89555388=00000003

Thread = CONTAINING_RECORD(NextEntry, KTHREAD, WaitListEntry);

if ((Thread->Affinity & AFFINITY_MASK(Number)) != 0) {

1: kd> p

eax=00000002 ebx=ffdffac0 ecx=00000001 edx=ffdff120 esi=89555268 edi=00004000

eip=80a42a92 esp=f75f6920 ebp=f75f6944 iopl=0 nv up ei ng nz na po cy

cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000283

nt!KiFindReadyThread+0xba:

80a42a92 858620010000 test dword ptr [esi+120h],eax ds:0023:89555388=00000003

1: kd> dt kthread 89555268

CSRSRV!KTHREAD

+0x000 Header : _DISPATCHER_HEADER

+0x010 MutantListHead : _LIST_ENTRY [ 0x89555278 - 0x89555278 ]

+0x018 InitialStack : 0xf75d7000 Void

+0x01c StackLimit : 0xf75d4000 Void

+0x020 KernelStack : 0xf75d6a18 Void

+0x024 ThreadLock : 0

+0x028 ContextSwitches : 0xa10

+0x02c State : 0x1 ''

+0x120 Affinity : 3

if (RemoveEntryList(&Thread->WaitListEntry) != FALSE) {

Prcb->ReadySummary ^= PRIORITY_MASK(HighPriority);

}

1: kd> dx -id 0,0,89831250 -r1 ((basesrv!_KPRCB *)0xffdff120)

+0x928\] ReadySummary : 0x0 \[Type: unsigned long

1: kd> dx -id 0,0,89831250 -r1 (*((basesrv!_LIST_ENTRY (*)[32])0xffdffa50))

14\] \[Type: _LIST_ENTRY

1: kd> dx -id 0,0,89831250 -r1 (*((basesrv!_LIST_ENTRY *)0xffdffac0))

(*((basesrv!_LIST_ENTRY *)0xffdffac0)) [Type: _LIST_ENTRY]

+0x000\] Flink : 0xffdffac0 \[Type: _LIST_ENTRY \*

+0x004\] Blink : 0xffdffac0 \[Type: _LIST_ENTRY \*

Thread->NextProcessor = (UCHAR)Number;

return Thread;

}

1: kd> p

eax=89555268 ebx=80a05ee8 ecx=ffdffac0 edx=ffdff120 esi=89555268 edi=ffdff120

eip=80a42b5e esp=f75f6920 ebp=f75f6944 iopl=0 nv up ei pl zr na pe nc

cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246

nt!KiFindReadyThread+0x186:

80a42b5e 5f pop edi

if ((NewThread = CurrentPrcb->NextThread) == NULL) {

if ((TargetPrcb->ReadySummary != 0) &&

(NewThread = KiFindReadyThread(Processor,

TargetPrcb)) != NULL) { 返回到这里：

1: kd> p

eax=89555268 ebx=f7737120 ecx=ffdffac0 edx=ffdff120 esi=00000000 edi=80a059f8

eip=80a43dd9 esp=f75f694c ebp=f75f697c iopl=0 nv up ei pl zr na pe nc

cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246

nt!KiSwapThread+0x315:

80a43dd9 8bf0 mov esi,eax

NewThread = KiFindReadyThread(Processor,

TargetPrcb) =eax=89555268

//

// A new thread has been found to run on the

// current processor.

//

NewThread->State = Running;

KiReleasePrcbLock(TargetPrcb);

CurrentPrcb->CurrentThread = NewThread; CurrentThread : 0x89555268

1: kd> dt kthread 89555268

CSRSRV!KTHREAD

+0x000 Header : _DISPATCHER_HEADER

+0x010 MutantListHead : _LIST_ENTRY [ 0x89555278 - 0x89555278 ]

+0x018 InitialStack : 0xf75d7000 Void

+0x01c StackLimit : 0xf75d4000 Void

+0x020 KernelStack : 0xf75d6a18 Void

+0x024 ThreadLock : 0

+0x028 ContextSwitches : 0xa10

+0x02c State : 0x2 '' Running

+0x10f NextProcessor : 0x1 ''

1: kd>

((ntkrnlmp!_KPRCB *)0xf7737120) : 0xf7737120 [Type: _KPRCB *]

+0x000\] MinorVersion : 0x1 \[Type: unsigned short

+0x002\] MajorVersion : 0x1 \[Type: unsigned short

[+0x004] CurrentThread : 0x89555268 [Type: _KTHREAD *]

+0x008\] NextThread : 0x0 \[Type: _KTHREAD \*

+0x00c\] IdleThread : 0xf7739fa0 \[Type: _KTHREAD \*

+0x010\] Number : 1 \[Type: char

//

// Clear idle on the current processor and

// update the idle summary SMT set to indicate

// the physical processor is not entirely idle.

//

KiClearIdleSummary(AFFINITY_MASK(Processor));

KiClearSMTSummary(CurrentPrcb->MultiThreadProcessorSet);

goto ThreadFound; 马上交换线程。

#if !defined(_WIN64)

#define KiAffinityArray KiMask32Array

#endif

extern const ULONG_PTR KiAffinityArray[];

#define AFFINITY_MASK(n) (KiAffinityArray[n])

1: kd> x nt!KiIdleSummary

80b16e80 nt!KiIdleSummary = 0

1: kd> dv Processor

Processor = 1

+0x4d0\] MultiThreadProcessorSet : 0x3 \[Type: unsigned long

} else {

Pending = KiSwapContext(OldThread, NewThread);

}

;++

;

; BOOLEAN

; KiSwapContext (

; IN PKTHREAD OldThread

; IN PKTHREAD NewThread

; )

;

; Routine Description:

;

; This function is a small wrapper, callable from C code, that marshalls

; arguments and calls the actual swap context routine.

;

; Arguments:

;
; OldThread (ecx) - Supplies the address of the old thread ecx=89804020
; NewThread (edx) - Supplies the address of the new thread. edx=89555268

;

; Return Value:

;

; If a kernel APC is pending, then a value of TRUE is returned. Otherwise,

; a value of FALSE is returned.

;

;--

cPublicFastCall KiSwapContext, 2

.fpo (0, 0, 0, 4, 1, 0)

1: kd> p

eax=00000000 ebx=89804020 ecx=89804020 edx=89555268 esi=89555268 edi=80a059f8

eip=80a440e6 esp=f75f694c ebp=f75f697c iopl=0 nv up ei pl nz ac pe nc

cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000216

nt!KiSwapThread+0x622:

80a440e6 e8edc50b00 call nt!KiSwapContext (80b006d8)

1: kd> t

eax=00000000 ebx=89804020 ecx=89804020 edx=89555268 esi=89555268 edi=80a059f8

eip=80b006d8 esp=f75f6948 ebp=f75f697c iopl=0 nv up ei pl nz ac pe nc

cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000216

nt!KiSwapContext:

80b006d8 83ec10 sub esp,10h

1: kd> kc

00 nt!KiSwapContext

01 nt!KiSwapThread

WARNING: Frame IP not in any known module. Following frames may be wrong.

02 0x0

第三部分：

cPublicFastCall KiSwapContext, 2

.fpo (0, 0, 0, 4, 1, 0)

;

; N.B. The following registers MUST be saved such that ebp is saved last.

; This is done so the debugger can find the saved ebp for a thread

; that is not currently in the running state.

;

sub esp, 4*4

mov [esp+12], ebx ; save registers

mov [esp+8], esi ;

mov [esp+4], edi ;

mov [esp+0], ebp ;

mov ebx, PCR[PcSelfPcr] ; set address of PCR

mov edi, ecx ; set old thread address

mov esi, edx ; set next thread address

movzx ecx, byte ptr [edi].ThWaitirql ; set APC interrupt bypass disable

CAPSTART <@KiSwapContext@8,SwapContext>

call SwapContext ; swap context

CAPEND <@KiSwapContext@8>

mov ebp, [esp+0] ; restore registers

mov edi, [esp+4] ;

mov esi, [esp+8] ;

mov ebx, [esp+12] ;

add esp, 4*4 ;

fstRET KiSwapContext ;

fstENDP KiSwapContext

1: kd> p

eax=00000000 ebx=89804020 ecx=89804020 edx=89555268 esi=89555268 edi=80a059f8

eip=80a440e6 esp=f75f694c ebp=f75f697c iopl=0 nv up ei pl nz ac pe nc

cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000216

nt!KiSwapThread+0x622:

80a440e6 e8edc50b00 call nt!KiSwapContext (80b006d8)

1: kd> t

eax=00000000 ebx=89804020 ecx=89804020 edx=89555268 esi=89555268 edi=80a059f8

eip=80b006d8 esp=f75f6948 ebp=f75f697c iopl=0 nv up ei pl nz ac pe nc

cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000216

nt!KiSwapContext:

80b006d8 83ec10 sub esp,10h

1: kd> p

eax=00000000 ebx=89804020 ecx=89804020 edx=89555268 esi=89555268 edi=80a059f8

eip=80b006db esp=f75f6938 ebp=f75f697c iopl=0 nv up ei ng nz na po nc

cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000282

nt!KiSwapContext+0x3:

80b006db 895c240c mov dword ptr [esp+0Ch],ebx ss:0010:f75f6944=00000316

1: kd> p

eax=00000000 ebx=89804020 ecx=89804020 edx=89555268 esi=89555268 edi=80a059f8

eip=80b006df esp=f75f6938 ebp=f75f697c iopl=0 nv up ei ng nz na po nc

cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000282

nt!KiSwapContext+0x7:

80b006df 89742408 mov dword ptr [esp+8],esi ss:0010:f75f6940=00000008

1: kd> p

eax=00000000 ebx=89804020 ecx=89804020 edx=89555268 esi=89555268 edi=80a059f8

eip=80b006e3 esp=f75f6938 ebp=f75f697c iopl=0 nv up ei ng nz na po nc

cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000282

nt!KiSwapContext+0xb:

80b006e3 897c2404 mov dword ptr [esp+4],edi ss:0010:f75f693c={nt!KiSwapContext (80b006d8)}

1: kd> p

eax=00000000 ebx=89804020 ecx=89804020 edx=89555268 esi=89555268 edi=80a059f8

eip=80b006e7 esp=f75f6938 ebp=f75f697c iopl=0 nv up ei ng nz na po nc

cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000282

nt!KiSwapContext+0xf:

80b006e7 892c24 mov dword ptr [esp],ebp ss:0010:f75f6938=00000000

1: kd> p

eax=00000000 ebx=89804020 ecx=89804020 edx=89555268 esi=89555268 edi=80a059f8

eip=80b006ea esp=f75f6938 ebp=f75f697c iopl=0 nv up ei ng nz na po nc

cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000282

nt!KiSwapContext+0x12:

80b006ea 648b1d1c000000 mov ebx,dword ptr fs:[1Ch] fs:0030:0000001c=f7737000

1: kd> p

eax=00000000 ebx=f7737000 ecx=89804020 edx=89555268 esi=89555268 edi=80a059f8

eip=80b006f1 esp=f75f6938 ebp=f75f697c iopl=0 nv up ei ng nz na po nc

cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000282

nt!KiSwapContext+0x19:

80b006f1 8bf9 mov edi,ecx

1: kd> p

eax=00000000 ebx=f7737000 ecx=89804020 edx=89555268 esi=89555268 edi=89804020

eip=80b006f3 esp=f75f6938 ebp=f75f697c iopl=0 nv up ei ng nz na po nc

cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000282

nt!KiSwapContext+0x1b:

80b006f3 8bf2 mov esi,edx

1: kd> p

eax=00000000 ebx=f7737000 ecx=89804020 edx=89555268 esi=89555268 edi=89804020

eip=80b006f5 esp=f75f6938 ebp=f75f697c iopl=0 nv up ei ng nz na po nc

cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000282

nt!KiSwapContext+0x1d:

80b006f5 0fb64f2e movzx ecx,byte ptr [edi+2Eh] ds:0023:8980404e=00

1: kd> p

eax=00000000 ebx=f7737000 ecx=00000000 edx=89555268 esi=89555268 edi=89804020

eip=80b006f9 esp=f75f6938 ebp=f75f697c iopl=0 nv up ei ng nz na po nc

cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000282

nt!KiSwapContext+0x21:

80b006f9 e8f2000000 call nt!SwapContext (80b007f0)

1: kd> p

eax=00000000 ebx=f7737000 ecx=00000000 edx=80010031 esi=89555268 edi=89804020

eip=80b006fe esp=f75d6a24 ebp=89831250 iopl=0 nv up ei pl zr na pe nc

cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246

nt!KiSwapContext+0x26:

80b006fe 8b2c24 mov ebp,dword ptr [esp] ss:0010:f75d6a24=f75d6a68

1: kd> p

eax=00000000 ebx=f7737000 ecx=00000000 edx=80010031 esi=89555268 edi=89804020

eip=80b00701 esp=f75d6a24 ebp=f75d6a68 iopl=0 nv up ei pl zr na pe nc

cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246

nt!KiSwapContext+0x29:

80b00701 8b7c2404 mov edi,dword ptr [esp+4] ss:0010:f75d6a28={nt!`string' (80a059f8)}

1: kd> p

eax=00000000 ebx=f7737000 ecx=00000000 edx=80010031 esi=89555268 edi=80a059f8

eip=80b00705 esp=f75d6a24 ebp=f75d6a68 iopl=0 nv up ei pl zr na pe nc

cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246

nt!KiSwapContext+0x2d:

80b00705 8b742408 mov esi,dword ptr [esp+8] ss:0010:f75d6a2c=89836020

1: kd> p

eax=00000000 ebx=f7737000 ecx=00000000 edx=80010031 esi=89836020 edi=80a059f8

eip=80b00709 esp=f75d6a24 ebp=f75d6a68 iopl=0 nv up ei pl zr na pe nc

cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246

nt!KiSwapContext+0x31:

80b00709 8b5c240c mov ebx,dword ptr [esp+0Ch] ss:0010:f75d6a30=89555268

1: kd> p

eax=00000000 ebx=89555268 ecx=00000000 edx=80010031 esi=89836020 edi=80a059f8

eip=80b0070d esp=f75d6a24 ebp=f75d6a68 iopl=0 nv up ei pl zr na pe nc

cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246

nt!KiSwapContext+0x35:

80b0070d 83c410 add esp,10h

1: kd> p

eax=00000000 ebx=89555268 ecx=00000000 edx=80010031 esi=89836020 edi=80a059f8

eip=80b00710 esp=f75d6a34 ebp=f75d6a68 iopl=0 nv up ei ng nz na po nc

cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000282

nt!KiSwapContext+0x38:

80b00710 c3 ret

1: kd> kc

00 nt!KiSwapContext

01 nt!KiSwapThread

WARNING: Frame IP not in any known module. Following frames may be wrong.

02 0x0

1: kd> !thread

THREAD 89555268 Cid 01b0.01dc Teb: 7ffd9000 Win32Thread: e1601268 RUNNING on processor 1

IRP List:

897fe008: (0006,0190) Flags: 00000970 Mdl: 00000000

897569a0: (0006,0190) Flags: 00000970 Mdl: 00000000

Not impersonating

DeviceMap e10003d8

Owning Process 89831250 Image: csrss.exe

Attached Process N/A Image: N/A

Wait Start TickCount 274655230 Ticks: 8 (0:00:00:00.125)

Context Switch Count 2577 IdealProcessor: 0 LargeStack

UserTime 00:00:00.000

KernelTime 00:00:00.625

Stack Init f75d7000 Current f75d6a18 Base f75d7000 Limit f75d4000 Call 00000000

Priority 14 BasePriority 13 PriorityDecrement 0 IoPriority 0 PagePriority 0

ChildEBP RetAddr Args to Child

f75d6a30 80a440eb f7737120 89555268 895552c8 nt!KiSwapContext+0x38 (FPO: [Uses EBP] [0,0,4]) [d:\srv03rtm\base\ntos\ke\i386\ctxswap.asm @ 144]

00000000 f000ff53 f000e2c3 f000ff53 f000ff53 nt!KiSwapThread+0x627 (FPO: [Non-Fpo]) (CONV: fastcall) [d:\srv03rtm\base\ntos\ke\thredsup.c @ 2000]

WARNING: Frame IP not in any known module. Following frames may be wrong.

30000000 00000000 00000000 00000000 00000000 0xf000ff53

#if !defined(NT_UP)

if (OldThread == NewThread) {

KiSetContextSwapIdle(OldThread);

Pending = (BOOLEAN)((NewThread->ApcState.KernelApcPending != FALSE) &&

(NewThread->SpecialApcDisable == 0) &&

(WaitIrql == 0));

} else {

Pending = KiSwapContext(OldThread, NewThread); 新线程返回到这里：

}

#else

Pending = KiSwapContext(OldThread, NewThread);

#endif

//

// If a kernel APC should be delivered, then deliver it now.

//

WaitStatus = OldThread->WaitStatus;

if (Pending != FALSE) {

1: kd> p

eax=00000000 ebx=89555268 ecx=00000000 edx=80010031 esi=89836020 edi=80a059f8

eip=80a440eb esp=f75d6a38 ebp=f75d6a68 iopl=0 nv up ei ng nz na po nc

cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000282

nt!KiSwapThread+0x627:

80a440eb 84c0 test al,al

1: kd> kc

00 nt!KiSwapThread

01 nt!KeWaitForMultipleObjects

02 win32k!RawInputThread

03 win32k!xxxCreateSystemThreads

04 win32k!NtUserCallOneParam

05 nt!_KiSystemService

06 SharedUserData!SystemCallStub

07 winsrv!NtUserCallOneParam

1: kd> !thread

THREAD 89555268 Cid 01b0.01dc Teb: 7ffd9000 Win32Thread: e1601268 RUNNING on processor 1

IRP List:

897fe008: (0006,0190) Flags: 00000970 Mdl: 00000000

897569a0: (0006,0190) Flags: 00000970 Mdl: 00000000

Not impersonating

DeviceMap e10003d8

Owning Process 89831250 Image: csrss.exe

Attached Process N/A Image: N/A

Wait Start TickCount 274655230 Ticks: 8 (0:00:00:00.125)

Context Switch Count 2577 IdealProcessor: 0 LargeStack

UserTime 00:00:00.000

KernelTime 00:00:00.625

Stack Init f75d7000 Current f75d6a18 Base f75d7000 Limit f75d4000 Call 00000000

Priority 14 BasePriority 13 PriorityDecrement 0 IoPriority 0 PagePriority 0

ChildEBP RetAddr Args to Child

f75d6a68 80a358c7 bfa03214 bfa01624 00000000 nt!KiSwapThread+0x627 (FPO: [Non-Fpo]) (CONV: fastcall) [d:\srv03rtm\base\ntos\ke\thredsup.c @ 2000]

f75d6aa0 bf891bbd 00000007 89489d08 00000001 nt!KeWaitForMultipleObjects+0x3b5 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\ke\wait.c @ 816]

f75d6d1c bf8b21b0 00000002 00000002 f75d6d48 win32k!RawInputThread+0x712 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\kernel\ntinput.c @ 6349]

f75d6d2c bf806d52 f75c64a0 f75d6d58 0088fff4 win32k!xxxCreateSystemThreads+0x92 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\kernel\desktop.c @ 338]

f75d6d48 80afbcb2 00000000 00000022 80afb956 win32k!NtUserCallOneParam+0xa0 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\kernel\ntstubs.c @ 4789]

f75d6d48 7ffe0304 00000000 00000022 80afb956 nt!_KiSystemService+0x13f (FPO: [0,3] TrapFrame @ f75d6d64) (CONV: cdecl) [d:\srv03rtm\base\ntos\ke\i386\trap.asm @ 1328]

0088ffe0 75340774 75318a89 00000000 00000022 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

0088ffe8 00000000 00000022 00000004 00000000 winsrv!NtUserCallOneParam+0xc (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\umode\daytona\obj\i386\usrstubs.c @ 2683]

WaitStatus = OldThread->WaitStatus;

if (Pending != FALSE) {

1: kd> p

eax=00000000 ebx=89555268 ecx=00000000 edx=80010031 esi=89836020 edi=80a059f8

eip=80a440ed esp=f75d6a38 ebp=f75d6a68 iopl=0 nv up ei pl zr na pe nc

cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246

nt!KiSwapThread+0x629:

80a440ed 8b5b50 mov ebx,dword ptr [ebx+50h] ds:0023:895552b8=00000001

1: kd> p

eax=00000000 ebx=00000001 ecx=00000000 edx=80010031 esi=89836020 edi=80a059f8

eip=80a440f0 esp=f75d6a38 ebp=f75d6a68 iopl=0 nv up ei pl zr na pe nc

cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246

nt!KiSwapThread+0x62c:

80a440f0 8b350431a080 mov esi,dword ptr [nt!_imp_KfLowerIrql (80a03104)] ds:0023:80a03104={hal!KfLowerIrql (804edc30)}