hal!HalRequestSoftwareInterrupt是KAPC的情况和hal!HalpApcInterrupt调试记录

Debug notes: hal!HalRequestSoftwareInterrupt in the kernel-APC (KAPC) case, and the resulting hal!HalpApcInterrupt → nt!KiDeliverApc path (Windows Server 2003 x86, halmps, kernel debugger on processor 1)

1: kd> g

Breakpoint 16 hit

eax=8980412f ebx=00000418 ecx=f7737501 edx=80b16802 esi=89804020 edi=8989e048

eip=804ee4f8 esp=f75f6854 ebp=f75f6870 iopl=0 nv up ei pl zr na pe nc

cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246

hal!HalRequestSoftwareInterrupt:

804ee4f8 643a0d95000000 cmp cl,byte ptr fs:[95h] fs:0030:00000095=00

1: kd> kc

00 hal!HalRequestSoftwareInterrupt

01 nt!KiInsertQueueApc

02 nt!KeInsertQueueApc

03 nt!IopCompleteRequest

04 nt!KiDeliverApc

05 nt!KiSwapThread

06 nt!KeWaitForMultipleObjects

07 win32k!xxxMsgWaitForMultipleObjects

08 win32k!xxxDesktopThread

09 win32k!xxxCreateSystemThreads

0a win32k!NtUserCallOneParam

0b nt!_KiSystemService

0c SharedUserData!SystemCallStub

0d winsrv!NtUserCallOneParam

1: kd> bp nt!KiDeliverApc

breakpoint 31 redefined

1: kd> g

Breakpoint 50 hit

eax=00000000 ebx=804ee400 ecx=00000000 edx=1ba00001 esi=8989e048 edi=89804020

eip=804ee7d8 esp=f75f68f4 ebp=f75f6938 iopl=0 nv up di pl zr na pe nc

cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000046

hal!HalpApcInterrupt:

804ee7d8 54 push esp

1: kd> kc

00 hal!HalpApcInterrupt

WARNING: Frame IP not in any known module. Following frames may be wrong.

01 0x0

1: kd> p

eax=00000000 ebx=804ee400 ecx=00000000 edx=1ba00001 esi=8989e048 edi=89804020

eip=804ee7d9 esp=f75f68f0 ebp=f75f6938 iopl=0 nv up di pl zr na pe nc

cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000046

hal!HalpApcInterrupt+0x1:

804ee7d9 55 push ebp

1: kd> p

eax=00000000 ebx=f75f6938 ecx=89804020 edx=1ba00001 esi=8989e048 edi=804edc60

eip=804ee87e esp=f75f688c ebp=f75f688c iopl=0 nv up di pl zr na pe nc

cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000046

hal!HalpApcInterrupt+0xa6:

804ee87e 895d00 mov dword ptr [ebp],ebx ss:0010:f75f688c=00000000

1: kd> p

eax=00000000 ebx=f75f6938 ecx=89804020 edx=1ba00001 esi=8989e048 edi=804edc60

eip=804ee884 esp=f75f688c ebp=f75f688c iopl=0 nv up di pl zr na pe nc

cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000046

hal!HalpApcInterrupt+0xac:

804ee884 b83d000000 mov eax,3Dh

1: kd> p

eax=0000003d ebx=f75f6938 ecx=89804020 edx=1ba00001 esi=8989e048 edi=804edc60

eip=804ee889 esp=f75f688c ebp=f75f688c iopl=0 nv up di pl zr na pe nc

cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000046

hal!HalpApcInterrupt+0xb1:

804ee889 8b0d8000feff mov ecx,dword ptr ds:[0FFFE0080h] ds:0023:fffe0080=000000ff

1: kd> p

eax=0000003d ebx=f75f6938 ecx=00000000 edx=1ba00001 esi=8989e048 edi=804edc60

eip=804ee88f esp=f75f688c ebp=f75f688c iopl=0 nv up di pl zr na pe nc

cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000046

hal!HalpApcInterrupt+0xb7:

804ee88f 51 push ecx

1: kd> p

eax=0000003d ebx=f75f6938 ecx=00000000 edx=1ba00001 esi=8989e048 edi=804edc60

eip=804ee890 esp=f75f6888 ebp=f75f688c iopl=0 nv up di pl zr na pe nc

cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000046

hal!HalpApcInterrupt+0xb8:

804ee890 a38000feff mov dword ptr ds:[FFFE0080h],eax ds:0023:fffe0080=000000ff

1: kd> p

eax=0000003d ebx=f75f6938 ecx=00000000 edx=1ba00001 esi=8989e048 edi=804edc60

eip=804ee895 esp=f75f6888 ebp=f75f688c iopl=0 nv up di pl zr na pe nc

cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000046

hal!HalpApcInterrupt+0xbd:

804ee895 c705b000feff00000000 mov dword ptr ds:[0FFFE00B0h],0 ds:0023:fffe00b0=00000000

1: kd> p

eax=0000003d ebx=f75f6938 ecx=00000000 edx=1ba00001 esi=8989e048 edi=804edc60

eip=804ee89f esp=f75f6888 ebp=f75f688c iopl=0 nv up di pl zr na pe nc

cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000046

hal!HalpApcInterrupt+0xc7:

804ee89f fb sti

1: kd> p

eax=0000003d ebx=f75f6938 ecx=00000000 edx=1ba00001 esi=8989e048 edi=804edc60

eip=804ee8a0 esp=f75f6888 ebp=f75f688c iopl=0 nv up ei pl zr na pe nc

cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246

hal!HalpApcInterrupt+0xc8:

804ee8a0 8b456c mov eax,dword ptr [ebp+6Ch] ss:0010:f75f68f8=00000008

1: kd> p

eax=00000008 ebx=f75f6938 ecx=00000000 edx=1ba00001 esi=8989e048 edi=804edc60

eip=804ee8a3 esp=f75f6888 ebp=f75f688c iopl=0 nv up ei pl zr na pe nc

cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246

hal!HalpApcInterrupt+0xcb:

804ee8a3 83e001 and eax,1

1: kd> p

eax=00000000 ebx=f75f6938 ecx=00000000 edx=1ba00001 esi=8989e048 edi=804edc60

eip=804ee8a6 esp=f75f6888 ebp=f75f688c iopl=0 nv up ei pl zr na pe nc

cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246

hal!HalpApcInterrupt+0xce:

804ee8a6 55 push ebp

1: kd> p

eax=00000000 ebx=f75f6938 ecx=00000000 edx=1ba00001 esi=8989e048 edi=804edc60

eip=804ee8a7 esp=f75f6884 ebp=f75f688c iopl=0 nv up ei pl zr na pe nc

cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246

hal!HalpApcInterrupt+0xcf:

804ee8a7 6a00 push 0

1: kd> p

eax=00000000 ebx=f75f6938 ecx=00000000 edx=1ba00001 esi=8989e048 edi=804edc60

eip=804ee8a9 esp=f75f6880 ebp=f75f688c iopl=0 nv up ei pl zr na pe nc

cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246

hal!HalpApcInterrupt+0xd1:

804ee8a9 50 push eax

1: kd> p

eax=00000000 ebx=f75f6938 ecx=00000000 edx=1ba00001 esi=8989e048 edi=804edc60

eip=804ee8aa esp=f75f687c ebp=f75f688c iopl=0 nv up ei pl zr na pe nc

cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246

hal!HalpApcInterrupt+0xd2:

804ee8aa ff1538b04e80 call dword ptr [hal!_imp__KiDeliverApc (804eb038)] ds:0023:804eb038={nt!KiDeliverApc (80a3c776)}

1: kd> t

Breakpoint 31 hit

eax=00000000 ebx=f75f6938 ecx=00000000 edx=1ba00001 esi=8989e048 edi=804edc60

eip=80a3c776 esp=f75f6878 ebp=f75f688c iopl=0 nv up ei pl zr na pe nc

cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246

nt!KiDeliverApc:

80a3c776 55 push ebp

1: kd> kc

00 nt!KiDeliverApc

01 hal!HalpApcInterrupt

02 hal!KfLowerIrql

03 nt!KiDeliverApc

04 nt!KiSwapThread

05 nt!KeWaitForMultipleObjects

06 win32k!xxxMsgWaitForMultipleObjects

07 win32k!xxxDesktopThread

08 win32k!xxxCreateSystemThreads

09 win32k!NtUserCallOneParam

0a nt!_KiSystemService

0b SharedUserData!SystemCallStub

0c winsrv!NtUserCallOneParam

1: kd> kv

ChildEBP RetAddr Args to Child

00 f75f6874 804ee8b0 00000000 00000000 f75f688c nt!KiDeliverApc (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\ke\apcsup.c @ 135]

01 f75f6874 804edc60 00000000 00000000 f75f688c hal!HalpApcInterrupt+0xd8 (FPO: [0,2] TrapFrame @ f75f688c) [d:\srv03rtm\base\hals\halmps\i386\mpswint.asm @ 307]

02 f75f68fc 80a3c8c8 804edc30 00000100 00000000 hal!KfLowerIrql+0x30 (FPO: [0,0,0]) [d:\srv03rtm\base\hals\halmps\i386\mpirql.asm @ 344]

03 f75f6938 80a44106 00000000 00000000 00000000 nt!KiDeliverApc+0x152 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\ke\apcsup.c @ 335]

04 f75f697c 80a358c7 00000000 e1639460 00000002 nt!KiSwapThread+0x642 (FPO: [Non-Fpo]) (CONV: fastcall) [d:\srv03rtm\base\ntos\ke\thredsup.c @ 2004]

05 f75f69b4 bf8a4685 00000003 89804b50 00000001 nt!KeWaitForMultipleObjects+0x3b5 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\ke\wait.c @ 816]

06 f75f6a04 bf8b123e 00000002 89804b50 bf8fe215 win32k!xxxMsgWaitForMultipleObjects+0xeb (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\kernel\queue.c @ 4540]

07 f75f6d1c bf8b21ba bfa70aa0 00000001 f75f6d48 win32k!xxxDesktopThread+0x437 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\kernel\desktop.c @ 594]

08 f75f6d2c bf806d52 bfa70aa0 f75f6d58 008cfff4 win32k!xxxCreateSystemThreads+0x9c (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\kernel\desktop.c @ 347]

09 f75f6d48 80afbcb2 00000000 00000022 80afb956 win32k!NtUserCallOneParam+0xa0 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\kernel\ntstubs.c @ 4789]

0a f75f6d48 7ffe0304 00000000 00000022 80afb956 nt!_KiSystemService+0x13f (FPO: [0,3] TrapFrame @ f75f6d64) (CONV: cdecl) [d:\srv03rtm\base\ntos\ke\i386\trap.asm @ 1328]

0b 008cffe0 75340774 75318a89 00000000 00000022 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

0c 008cffe8 00000000 00000022 00000004 00000000 winsrv!NtUserCallOneParam+0xc (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\umode\daytona\obj\i386\usrstubs.c @ 2683]

windbg> .open -a ffffffff80a3c8c8

windbg> .open -a ffffffff804edc60

windbg> .open -a ffffffff80a3c776

1: kd> dv

PreviousMode = 0n0 ''

ExceptionFrame = 0x00000000

TrapFrame = 0xf75f688c

OldTrapFrame = 0x804edc60

NormalContext = 0xf75f688c

Process = 0x8989e048

KernelRoutine = 0xf75f6938

LockHandle = struct _KLOCK_QUEUE_HANDLE

SystemArgument1 = 0x00000000

SystemArgument2 = 0x80a3c776

NormalRoutine = 0x00000008

1: kd> p

eax=00000000 ebx=f75f6938 ecx=00000000 edx=1ba00001 esi=8989e048 edi=804edc60

eip=80a3c777 esp=f75f6874 ebp=f75f688c iopl=0 nv up ei pl zr na pe nc

cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246

nt!KiDeliverApc+0x1:

80a3c777 8bec mov ebp,esp

1: kd> dx -r1 ((ntkrnlmp!_KTRAP_FRAME *)0xf75f688c)

((ntkrnlmp!_KTRAP_FRAME *)0xf75f688c) : 0xf75f688c [Type: _KTRAP_FRAME *]

[+0x000] DbgEbp : 0xf75f6938 [Type: unsigned long]

[+0x004] DbgEip : 0x804edc60 [Type: unsigned long]

[+0x008] DbgArgMark : 0xbadb0d00 [Type: unsigned long]

[+0x00c] DbgArgPointer : 0x1ba00001 [Type: unsigned long]

[+0x010] TempSegCs : 0x0 [Type: unsigned long]

[+0x014] TempEsp : 0x23 [Type: unsigned long]

[+0x018] Dr0 : 0x23 [Type: unsigned long]

[+0x01c] Dr1 : 0x1ba00001 [Type: unsigned long]

[+0x020] Dr2 : 0x0 [Type: unsigned long]

[+0x024] Dr3 : 0x0 [Type: unsigned long]

[+0x028] Dr6 : 0xffffffff [Type: unsigned long]

[+0x02c] Dr7 : 0x0 [Type: unsigned long]

[+0x030] SegGs : 0x30 [Type: unsigned long]

[+0x034] SegEs : 0x89804020 [Type: unsigned long]

[+0x038] SegDs : 0x8989e048 [Type: unsigned long]

[+0x03c] Edx : 0x1ba00001 [Type: unsigned long]

[+0x040] Ecx : 0x0 [Type: unsigned long]

[+0x044] Eax : 0x0 [Type: unsigned long]

[+0x048] PreviousPreviousMode : 0xffffffff [Type: unsigned long]

[+0x04c] ExceptionList : 0xf75f69f4 [Type: _EXCEPTION_REGISTRATION_RECORD *]

[+0x050] SegFs : 0x146 [Type: unsigned long]

[+0x054] Edi : 0x89804020 [Type: unsigned long]

[+0x058] Esi : 0x8989e048 [Type: unsigned long]

[+0x05c] Ebx : 0x804ee400 [Type: unsigned long]

[+0x060] Ebp : 0xf75f6938 [Type: unsigned long]

[+0x064] ErrCode : 0x0 [Type: unsigned long]

[+0x068] Eip : 0x804edc60 [Type: unsigned long]

[+0x06c] SegCs : 0x8 [Type: unsigned long]

[+0x070] EFlags : 0x246 [Type: unsigned long]

[+0x074] HardwareEsp : 0x80a3c8c8 [Type: unsigned long]

[+0x078] HardwareSegSs : 0x804edc30 [Type: unsigned long]

[+0x07c] V86Es : 0x100 [Type: unsigned long]

[+0x080] V86Ds : 0x0 [Type: unsigned long]

[+0x084] V86Fs : 0x0 [Type: unsigned long]

[+0x088] V86Gs : 0x8980406c [Type: unsigned long]

1: kd> p

eax=00000000 ebx=f75f6938 ecx=00000000 edx=1ba00001 esi=8989e048 edi=804edc60

eip=80a3c779 esp=f75f6874 ebp=f75f6874 iopl=0 nv up ei pl zr na pe nc

cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246

nt!KiDeliverApc+0x3:

80a3c779 83ec28 sub esp,28h

1: kd> p

eax=00000000 ebx=f75f6938 ecx=00000000 edx=1ba00001 esi=8989e048 edi=804edc60

eip=80a3c77c esp=f75f684c ebp=f75f6874 iopl=0 nv up ei ng nz ac po nc

cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000292

nt!KiDeliverApc+0x6:

80a3c77c 8b4510 mov eax,dword ptr [ebp+10h] ss:0010:f75f6884=f75f688c

1: kd> p

eax=f75f688c ebx=f75f6938 ecx=00000000 edx=1ba00001 esi=8989e048 edi=804edc60

eip=80a3c77f esp=f75f684c ebp=f75f6874 iopl=0 nv up ei ng nz ac po nc

cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000292

nt!KiDeliverApc+0x9:

80a3c77f 85c0 test eax,eax

1: kd> p

eax=f75f688c ebx=f75f6938 ecx=00000000 edx=1ba00001 esi=8989e048 edi=804edc60

eip=80a3c781 esp=f75f684c ebp=f75f6874 iopl=0 nv up ei ng nz na po nc

cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000282

nt!KiDeliverApc+0xb:

80a3c781 7417 je nt!KiDeliverApc+0x24 (80a3c79a) [br=0]

1: kd> p

eax=f75f688c ebx=f75f6938 ecx=00000000 edx=1ba00001 esi=8989e048 edi=804edc60

eip=80a3c783 esp=f75f684c ebp=f75f6874 iopl=0 nv up ei ng nz na po nc

cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000282

nt!KiDeliverApc+0xd:

80a3c783 8b5068 mov edx,dword ptr [eax+68h] ds:0023:f75f68f4=804edc60

1: kd> p

eax=f75f688c ebx=f75f6938 ecx=00000000 edx=804edc60 esi=8989e048 edi=804edc60

eip=80a3c786 esp=f75f684c ebp=f75f6874 iopl=0 nv up ei ng nz na po nc

cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000282

nt!KiDeliverApc+0x10:

80a3c786 b98c0db080 mov ecx,offset nt!ExpInterlockedPopEntrySListResume (80b00d8c)

1: kd> p

eax=f75f688c ebx=f75f6938 ecx=80b00d8c edx=804edc60 esi=8989e048 edi=804edc60

eip=80a3c78b esp=f75f684c ebp=f75f6874 iopl=0 nv up ei ng nz na po nc

cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000282

nt!KiDeliverApc+0x15:

80a3c78b 3bd1 cmp edx,ecx

1: kd> p

eax=f75f688c ebx=f75f6938 ecx=80b00d8c edx=804edc60 esi=8989e048 edi=804edc60

eip=80a3c79a esp=f75f684c ebp=f75f6874 iopl=0 nv up ei ng nz ac pe cy

cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000297

nt!KiDeliverApc+0x24:

80a3c79a 57 push edi

1: kd> p

eax=f75f688c ebx=f75f6938 ecx=80b00d8c edx=804edc60 esi=8989e048 edi=804edc60

eip=80a3c79b esp=f75f6848 ebp=f75f6874 iopl=0 nv up ei ng nz ac pe cy

cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000297

nt!KiDeliverApc+0x25:

80a3c79b 648b3d24010000 mov edi,dword ptr fs:[124h] fs:0030:00000124=89804020

1: kd> p

eax=f75f688c ebx=f75f6938 ecx=80b00d8c edx=804edc60 esi=8989e048 edi=89804020

eip=80a3c7a2 esp=f75f6848 ebp=f75f6874 iopl=0 nv up ei ng nz ac pe cy

cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000297

nt!KiDeliverApc+0x2c:

80a3c7a2 66837f7200 cmp word ptr [edi+72h],0 ds:0023:89804092=0000

1: kd> p

eax=89831250 ebx=f75f6938 ecx=00000000 edx=804edc60 esi=8989e048 edi=89804020

eip=80a3c7c8 esp=f75f6840 ebp=f75f6874 iopl=0 nv up ei pl zr na pe nc

cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246

nt!KiDeliverApc+0x52:

80a3c7c8 8745ec xchg eax,dword ptr [ebp-14h] ss:0010:f75f6860=f75f6874

1: kd> p

eax=f75f6874 ebx=f75f6938 ecx=00000000 edx=804edc60 esi=8989e048 edi=89804020

eip=80a3c7cb esp=f75f6840 ebp=f75f6874 iopl=0 nv up ei pl zr na pe nc

cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246

nt!KiDeliverApc+0x55:

80a3c7cb 8b1d1031a080 mov ebx,dword ptr [nt!_imp_KeReleaseInStackQueuedSpinLock (80a03110)] ds:0023:80a03110={hal!KeReleaseInStackQueuedSpinLock (804ee400)}

VOID

KiDeliverApc (

IN KPROCESSOR_MODE PreviousMode,

IN PKEXCEPTION_FRAME ExceptionFrame,

IN PKTRAP_FRAME TrapFrame

)

{

KeMemoryBarrier();

while (IsListEmpty(&Thread->ApcState.ApcListHead[KernelMode]) == FALSE) {

1: kd> !thread

THREAD 89804020 Cid 01b0.01e0 Teb: 7ffd8000 Win32Thread: e1639460 RUNNING on processor 1

IRP List:

89790e20: (0006,01d8) Flags: 00000970 Mdl: 00000000

8989c958: (0006,01d8) Flags: 00000970 Mdl: 00000000

89756e70: (0006,0190) Flags: 00000970 Mdl: 00000000

Not impersonating

DeviceMap e10003d8

Owning Process 89831250 Image: csrss.exe

Attached Process N/A Image: N/A

Wait Start TickCount 274655368 Ticks: 18 (0:00:00:00.281)

Context Switch Count 612 IdealProcessor: 1 LargeStack

UserTime 00:00:00.000

KernelTime 00:00:01.109

Stack Init f75f7000 Current f75f692c Base f75f7000 Limit f75f4000 Call 00000000

Priority 15 BasePriority 13 PriorityDecrement 0 IoPriority 0 PagePriority 0

ChildEBP RetAddr Args to Child

f75f6874 804ee8b0 00000000 00000000 f75f688c nt!KiDeliverApc+0x55 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\ke\apcsup.c @ 230]

f75f6874 804edc60 00000000 00000000 f75f688c hal!HalpApcInterrupt+0xd8 (FPO: [0,2] TrapFrame @ f75f688c) [d:\srv03rtm\base\hals\halmps\i386\mpswint.asm @ 307]

f75f68fc 80a3c8c8 804edc30 00000100 00000000 hal!KfLowerIrql+0x30 (FPO: [0,0,0]) [d:\srv03rtm\base\hals\halmps\i386\mpirql.asm @ 344]

f75f6938 80a44106 00000000 00000000 00000000 nt!KiDeliverApc+0x152 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\ke\apcsup.c @ 335]

f75f697c 80a358c7 00000000 e1639460 00000002 nt!KiSwapThread+0x642 (FPO: [Non-Fpo]) (CONV: fastcall) [d:\srv03rtm\base\ntos\ke\thredsup.c @ 2004]

f75f69b4 bf8a4685 00000003 89804b50 00000001 nt!KeWaitForMultipleObjects+0x3b5 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\ke\wait.c @ 816]

f75f6a04 bf8b123e 00000002 89804b50 bf8fe215 win32k!xxxMsgWaitForMultipleObjects+0xeb (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\kernel\queue.c @ 4540]

f75f6d1c bf8b21ba bfa70aa0 00000001 f75f6d48 win32k!xxxDesktopThread+0x437 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\kernel\desktop.c @ 594]

f75f6d2c bf806d52 bfa70aa0 f75f6d58 008cfff4 win32k!xxxCreateSystemThreads+0x9c (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\kernel\desktop.c @ 347]

f75f6d48 80afbcb2 00000000 00000022 80afb956 win32k!NtUserCallOneParam+0xa0 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\kernel\ntstubs.c @ 4789]

f75f6d48 7ffe0304 00000000 00000022 80afb956 nt!_KiSystemService+0x13f (FPO: [0,3] TrapFrame @ f75f6d64) (CONV: cdecl) [d:\srv03rtm\base\ntos\ke\i386\trap.asm @ 1328]

008cffe0 75340774 75318a89 00000000 00000022 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

008cffe8 00000000 00000022 00000004 00000000 winsrv!NtUserCallOneParam+0xc (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\umode\daytona\obj\i386\usrstubs.c @ 2683]

1: kd> dt kTHREAD 89804020

CSRSRV!KTHREAD

+0x000 Header : _DISPATCHER_HEADER

+0x010 MutantListHead : _LIST_ENTRY [ 0x89804030 - 0x89804030 ]

+0x018 InitialStack : 0xf75f7000 Void

+0x01c StackLimit : 0xf75f4000 Void

+0x020 KernelStack : 0xf75f692c Void

+0x024 ThreadLock : 0

+0x028 ContextSwitches : 0x264

+0x02c State : 0x2 ''

+0x02d NpxState : 0xa ''

+0x02e WaitIrql : 0 ''

+0x02f WaitMode : 1 ''

+0x030 Teb : 0x7ffd8000 Void

+0x034 ApcState : _KAPC_STATE

1: kd> dx -id 0,0,89831250 -r1 (*((CSRSRV!_KAPC_STATE *)0x89804054))

(*((CSRSRV!_KAPC_STATE *)0x89804054)) [Type: _KAPC_STATE]

[+0x000] ApcListHead [Type: _LIST_ENTRY [2]]

[+0x010] Process : 0x89831250 [Type: _KPROCESS *]

[+0x014] KernelApcInProgress : 0x1 [Type: unsigned char]

[+0x015] KernelApcPending : 0x0 [Type: unsigned char]

[+0x016] UserApcPending : 0x0 [Type: unsigned char]

1: kd> dx -id 0,0,89831250 -r1 (*((CSRSRV!_LIST_ENTRY (*)[2])0x89804054))

(*((CSRSRV!_LIST_ENTRY (*)[2])0x89804054)) [Type: _LIST_ENTRY [2]]

[0] [Type: _LIST_ENTRY]

[1] [Type: _LIST_ENTRY]

1: kd> dx -id 0,0,89831250 -r1 (*((CSRSRV!_LIST_ENTRY *)0x89804054))

(*((CSRSRV!_LIST_ENTRY *)0x89804054)) [Type: _LIST_ENTRY]

[+0x000] Flink : 0x89804054 [Type: _LIST_ENTRY *]

[+0x004] Blink : 0x89804054 [Type: _LIST_ENTRY *]

1: kd> dx -id 0,0,89831250 -r1 (*((CSRSRV!_LIST_ENTRY *)0x8980405c))

(*((CSRSRV!_LIST_ENTRY *)0x8980405c)) [Type: _LIST_ENTRY]

[+0x000] Flink : 0x8980405c [Type: _LIST_ENTRY *]

[+0x004] Blink : 0x8980405c [Type: _LIST_ENTRY *]

CheckProcess:

if (Thread->ApcState.Process != Process) {

KeBugCheckEx(INVALID_PROCESS_ATTACH_ATTEMPT,

(ULONG_PTR)Process,

(ULONG_PTR)Thread->ApcState.Process,

(ULONG)Thread->ApcStateIndex,

(ULONG)KeIsExecutingDpc());

}

//

// Restore the previous thread trap frame address.

//

Thread->TrapFrame = OldTrapFrame;

return;

}

1: kd> p

eax=00000000 ebx=f75f6938 ecx=00000000 edx=804edc60 esi=8989e048 edi=804edc60

eip=80a3c9f4 esp=f75f684c ebp=f75f6874 iopl=0 nv up ei pl zr na pe nc

cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246

nt!KiDeliverApc+0x27e:

80a3c9f4 c9 leave

1: kd> kc

00 nt!KiDeliverApc

01 hal!HalpApcInterrupt

02 hal!KfLowerIrql

03 nt!KiDeliverApc

04 nt!KiSwapThread

05 nt!KeWaitForMultipleObjects

06 win32k!xxxMsgWaitForMultipleObjects

07 win32k!xxxDesktopThread

08 win32k!xxxCreateSystemThreads

09 win32k!NtUserCallOneParam

0a nt!_KiSystemService