WinDBG调试线程
WinDBG调试线程,理解线程内部机制。初学WinDBG,参考一些文章进行简单的线程调试。
参考资料:http://bbs.pediy.com/showthread.php?p=791936
准备工作:运行被调试程序,!analyze -v分析程序,kb查看堆栈(函数执行流程)。
步骤总结:线程状态下断点,通过堆栈查看函数执行流程,查看函数反汇编代码理解内核工作流程。
个人经验:通过KB查看堆栈中函数的执行流程,并研究相关内核函数的反汇编代码,即能理解内核的工作机理,内核调试理解系统即是如此。
函数流程:
=====================================================================
->SwapContext->NtWaitForMultipleObjects->KiFastCallEntry->KiExceptionExit->MAIN
->KiReadyThread->KiDispatchInterrupt->HalEndSystemInterrupt->KeUpdateSystemTime ->MAIN
->SwapContext->KiFastCallEntry->KiExceptionExit->MAIN
->KiReadyThread->KiDispatchInterrupt->HalEndSystemInterrupt->KeUpdateSystemTime ->MAIN
->KiDispatchInterrupt->HalEndSystemInterrupt->KeUpdateSystemTime->MAIN
->SwapContext->NtWaitForMultipleObjects->KiFastCallEntry->KiExceptionExit->MAIN
=====================================================================
-> main
-> KiReadyThread /* 改变线程工作状态的函数 */
// DispatcherReadyListHead
// KiReadySummary
-> KiDispatchInterrupt /* KiReadyThread -> SwapContext -> KiSwapContext */
// KiReadyThread
// SwapContext
-> HalEndSystemInterrupt
-> KeUpdateSystemTime
-> KiReadyThread /* 循环 */
=====================================================================
1.定位进程与线程结构
process ff3659a0 // 进程地址
ethread ff3c95d0 // 线程结构ETHREAD地址
2.线程状态
ethread.status ff3c95d0+2d ff3c95fd
3.在线程状态处下断点 // CPU在切换线程的时候会修改这个值
kd> ba w4 ff3c95fc // 注意是fc,Data breakpoint must be aligned。
kd> g // 运行
Breakpoint 0 hit
nt!KiReadyThread+0x3a:
80501942 833d84bd548000 cmp dword ptr [nt!KiIdleSummary (8054bd84)],0
5.查看堆栈 // 当前线程:KiReadyThread
kd> kb // 查看堆栈
ChildEBP RetAddr Args to Child
fc2ba838 805428a8 fc2ba864 4fce168a 00000000 nt!KiReadyThread+0x3a
6.反汇编查看KiReadyThread函数代码
nt!KiReadyThread: //反汇编查看 805428a8 地址,找到nt!KiReadyThread:
80501908 8bff mov edi,edi
8050190a 55 push ebp
8050190b 8bec mov ebp,esp
8050190d 51 push ecx
8050190e 51 push ecx
8050190f 8bc1 mov eax,ecx
80501911 8d8828010000 lea ecx,[eax+128h]
80501917 53 push ebx
80501918 8a19 mov bl,byte ptr [ecx]
8050191a c60100 mov byte ptr [ecx],0
8050191d 8b15a0bd5480 mov edx,dword ptr [nt!KeTickCount (8054bda0)]
80501923 0fbe4833 movsx ecx,byte ptr [eax+33h]
80501927 56 push esi
80501928 895068 mov dword ptr [eax+68h],edx
8050192b 8b5044 mov edx,dword ptr [eax+44h]
8050192e 57 push edi
8050192f eb5e jmp nt!KiReadyThread+0x87 (8050198f)
80501931 80b82a01000000 cmp byte ptr [eax+12Ah],0
80501938 0f84ac000000 je nt!KiReadyThread+0xe2 (805019ea)
8050193e c6402d03 mov byte ptr [eax+2Dh],3
80501942 833d84bd548000 cmp dword ptr [nt!KiIdleSummary (8054bd84)],0
80501949 8b3d403e5580 mov edi,dword ptr [nt!KiProcessorBlock (80553e40)]
8050194f 0f85cb000000 jne nt!KiReadyThread+0x118 (80501a20)
80501955 8b5708 mov edx,dword ptr [edi+8]
80501958 85d2 test edx,edx
8050195a 0f84c9000000 je nt!KiReadyThread+0x121 (80501a29)
80501960 0fbe7233 movsx esi,byte ptr [edx+33h]
80501964 3bce cmp ecx,esi
80501966 0f8ed4000000 jle nt!KiReadyThread+0x138 (80501a40)
8050196c 8db228010000 lea esi,[edx+128h]
80501972 c60601 mov byte ptr [esi],1
80501975 894708 mov dword ptr [edi+8],eax
80501978 8a1e mov bl,byte ptr [esi]
8050197a c60600 mov byte ptr [esi],0
8050197d 0fbe4a33 movsx ecx,byte ptr [edx+33h]
80501981 8b35a0bd5480 mov esi,dword ptr [nt!KeTickCount (8054bda0)]
80501987 8bc2 mov eax,edx
80501989 897268 mov dword ptr [edx+68h],esi
8050198c 8b5244 mov edx,dword ptr [edx+44h]
8050198f 807a6500 cmp byte ptr [edx+65h],0
80501993 749c je nt!KiReadyThread+0x29 (80501931)
80501995 c6402d01 mov byte ptr [eax+2Dh],1
80501999 c6802901000001 mov byte ptr [eax+129h],1
805019a0 83c060 add eax,60h
805019a3 8d4a40 lea ecx,[edx+40h]
805019a6 8b7104 mov esi,dword ptr [ecx+4]
805019a9 8908 mov dword ptr [eax],ecx
805019ab 897004 mov dword ptr [eax+4],esi
805019ae 8906 mov dword ptr [esi],eax
805019b0 894104 mov dword ptr [ecx+4],eax
805019b3 807a6501 cmp byte ptr [edx+65h],1
805019b7 0f85bb000000 jne nt!KiReadyThread+0x170 (80501a78)
805019bd c6426502 mov byte ptr [edx+65h],2
805019c1 a1e03d5580 mov eax,dword ptr [nt!KiProcessInSwapListHead (80553de0)]
805019c6 8d7248 lea esi,[edx+48h]
805019c9 8975f8 mov dword ptr [ebp-8],esi
805019cc 8945fc mov dword ptr [ebp-4],eax
805019cf 8906 mov dword ptr [esi],eax
805019d1 8bf8 mov edi,eax
805019d3 8b45fc mov eax,dword ptr [ebp-4]
805019d6 b9e03d5580 mov ecx,offset nt!KiProcessInSwapListHead (80553de0)
805019db 8b55f8 mov edx,dword ptr [ebp-8]
805019de 0fb111 cmpxchg dword ptr [ecx],edx
805019e1 3bc7 cmp eax,edi
805019e3 8945fc mov dword ptr [ebp-4],eax
805019e6 75e7 jne nt!KiReadyThread+0xc7 (805019cf)
805019e8 eb2f jmp nt!KiReadyThread+0x111 (80501a19)
805019ea 66ff4260 inc word ptr [edx+60h]
805019ee 8d7060 lea esi,[eax+60h]
805019f1 c6402d06 mov byte ptr [eax+2Dh],6
805019f5 a1d83d5580 mov eax,dword ptr [nt!KiStackInSwapListHead (80553dd8)]
805019fa 8975f8 mov dword ptr [ebp-8],esi
805019fd 8945fc mov dword ptr [ebp-4],eax
80501a00 8906 mov dword ptr [esi],eax
80501a02 8bf8 mov edi,eax
80501a04 8b45fc mov eax,dword ptr [ebp-4]
80501a07 b9d83d5580 mov ecx,offset nt!KiStackInSwapListHead (80553dd8)
80501a0c 8b55f8 mov edx,dword ptr [ebp-8]
80501a0f 0fb111 cmpxchg dword ptr [ecx],edx
80501a12 3bc7 cmp eax,edi
80501a14 8945fc mov dword ptr [ebp-4],eax
80501a17 75e7 jne nt!KiReadyThread+0xf8 (80501a00)
80501a19 e8446bffff call nt!KiSetSwapEvent (804f8562)
80501a1e eb58 jmp nt!KiReadyThread+0x170 (80501a78)
7.查看函数执行流程 // 自写。更多信息:内核函数反汇编代码.cpp。
kd> kb
ChildEBP RetAddr Args to Child
fc2ba878 805428a8 fc2ba8a4 4fe85068 00000000 nt!KiReadyThread+0x13f
fc2ba888 806d3ca4 0000003d ffdff980 80542076 nt!KiDispatchInterrupt+0x78
fc2ba894 80542076 8053f001 000000d1 fc2ba92c hal!HalEndSystemInterrupt+0x54
fc2ba894 80542c41 8053f001 000000d1 fc2ba92c nt!KeUpdateSystemTime+0x13e
fc2ba92c 804fdb19 002bad64 00000000 00000000 nt!KiSetDebugActive+0x11
fc2bacf4 8053f081 fc2bad10 00000000 fc2bad64 nt!KiDispatchException+0x1db
fc2bad5c 8053f791 0012ff80 00401030 badb0d00 nt!CommonDispatchException+0x4d
fc2bad5c 00401030 0012ff80 00401030 badb0d00 nt!KiTrap03+0xad
0012ff80 00401199 00000001 00430aa0 00430a00 test!main+0x20 [C:\Documents and Settings\Administrator\桌面\test\test.cpp @ 13]
0012ffc0 7c817067 00390033 00320037 7ffdb000 test!mainCRTStartup+0xe9 [crt0.c @ 206]
0012fff0 00000000 004010b0 00000000 78746341 kernel32!c_OmapEntries_mlang+0x1b
8.
9.
kd> p // 逐过程
// 将DispatcherReadyListHead 所有状态为ready的线程链表头地址保存到edx
nt!KiReadyThread+0x141:
80501a49 8d14cd20485580 lea edx,nt!KiDispatcherReadyListHead (80554820)[ecx*8]
10.F10
kd> p
nt!KiReadyThread+0x148:
80501a50 740e je nt!KiReadyThread+0x158 (80501a60)
kd> p
nt!KiReadyThread+0x158:
80501a60 8b7204 mov esi,dword ptr [edx+4]
kd> p
nt!KiReadyThread+0x15b:
80501a63 8910 mov dword ptr [eax],edx
kd> p
nt!KiReadyThread+0x15d:
80501a65 897004 mov dword ptr [eax+4],esi
kd> p
nt!KiReadyThread+0x160:
80501a68 8906 mov dword ptr [esi],eax
kd> p
nt!KiReadyThread+0x162:
80501a6a 894204 mov dword ptr [edx+4],eax
kd> p
nt!KiReadyThread+0x165:
80501a6d 33c0 xor eax,eax
kd> p
nt!KiReadyThread+0x167:
80501a6f 40 inc eax
kd> p
nt!KiReadyThread+0x168:
80501a70 d3e0 shl eax,cl
kd> p
nt!KiReadyThread+0x16a:
80501a72 09058cbd5480 or dword ptr [nt!KiReadySummary (8054bd8c)],eax
kd> p
nt!KiReadyThread+0x170:
80501a78 5f pop edi
kd> p
nt!KiReadyThread+0x171:
80501a79 5e pop esi
kd> p
nt!KiReadyThread+0x172:
80501a7a 5b pop ebx
kd> p
nt!KiReadyThread+0x173:
80501a7b c9 leave
kd> p
nt!KiReadyThread+0x174: // KiReadyThread函数返回
80501a7c c3 ret
kd> p // KiDispatchInterrupt函数登场
nt!KiDispatchInterrupt+0x78:
805428a8 b101 mov cl,1
11.F10 // SwapContext
kd> p
nt!KiDispatchInterrupt+0x7a:
805428aa e831000000 call nt!SwapContext (805428e0)
805428af 8b2c24 mov ebp,dword ptr [esp]
805428b2 8b7c2404 mov edi,dword ptr [esp+4]
805428b6 8b742408 mov esi,dword ptr [esp+8]
805428ba 83c40c add esp,0Ch
805428bd c3 ret
805428be c783ac09000000000000 mov dword ptr [ebx+9ACh],0
805428c8 e8e9e2fbff call nt!KiQuantumEnd (80500bb6)
805428cd 0bc0 or eax,eax
805428cf 75a6 jne nt!KiDispatchInterrupt+0x47 (80542877)
805428d1 c3 ret
805428d2 8da42400000000 lea esp,[esp]
805428d9 8da42400000000 lea esp,[esp]
12.详细分析SwapContext
nt!SwapContext:
805428e0 0ac9 or cl,cl
805428e2 26c6462d02 mov byte ptr es:[esi+2Dh],2
805428e7 9c pushfd
805428e8 8b0b mov ecx,dword ptr [ebx]
805428ea 83bb9409000000 cmp dword ptr [ebx+994h],0
805428f1 51 push ecx
805428f2 0f8535010000 jne nt!SwapContext+0x14d (80542a2d)
805428f8 833d0cbf558000 cmp dword ptr [nt!PPerfGlobalGroupMask (8055bf0c)],0
805428ff 0f85ff000000 jne nt!SwapContext+0x124 (80542a04)
80542905 0f20c5 mov ebp,cr0
80542908 8bd5 mov edx,ebp
8054290a 8a4e2c mov cl,byte ptr [esi+2Ch]
8054290d 884b50 mov byte ptr [ebx+50h],cl
80542910 fa cli
80542911 896728 mov dword ptr [edi+28h],esp
80542914 8b4618 mov eax,dword ptr [esi+18h]
80542917 8b4e1c mov ecx,dword ptr [esi+1Ch]
8054291a 2d10020000 sub eax,210h
8054291f 894b08 mov dword ptr [ebx+8],ecx
80542922 894304 mov dword ptr [ebx+4],eax
80542925 33c9 xor ecx,ecx
80542927 8a4e31 mov cl,byte ptr [esi+31h]
8054292a 83e2f1 and edx,0FFFFFFF1h
8054292d 0bca or ecx,edx
8054292f 0b880c020000 or ecx,dword ptr [eax+20Ch]
80542935 3be9 cmp ebp,ecx
80542937 0f85bf000000 jne nt!SwapContext+0x11c (805429fc)
8054293d 8d4900 lea ecx,[ecx]
80542940 f740e400000200 test dword ptr [eax-1Ch],20000h
80542947 7503 jne nt!SwapContext+0x6c (8054294c)
80542949 83e810 sub eax,10h
8054294c 8b4b40 mov ecx,dword ptr [ebx+40h]
8054294f 894104 mov dword ptr [ecx+4],eax
80542952 8b6628 mov esp,dword ptr [esi+28h]
80542955 8b4620 mov eax,dword ptr [esi+20h]
80542958 894318 mov dword ptr [ebx+18h],eax
8054295b fb sti
8054295c 8b4744 mov eax,dword ptr [edi+44h]
8054295f 3b4644 cmp eax,dword ptr [esi+44h]
80542962 c6475000 mov byte ptr [edi+50h],0
80542966 742c je nt!SwapContext+0xb4 (80542994)
80542968 8b7e44 mov edi,dword ptr [esi+44h]
8054296b 66f74720ffff test word ptr [edi+20h],0FFFFh
80542971 755b jne nt!SwapContext+0xee (805429ce)
80542973 33c0 xor eax,eax
80542975 0f00d0 lldt ax
80542978 33c0 xor eax,eax
8054297a 8ee8 mov gs,ax
8054297c 8b4718 mov eax,dword ptr [edi+18h]
8054297f 8b6b40 mov ebp,dword ptr [ebx+40h]
80542982 8b4f30 mov ecx,dword ptr [edi+30h]
80542985 89451c mov dword ptr [ebp+1Ch],eax
80542988 0f22d8 mov cr3,eax
8054298b 66894d66 mov word ptr [ebp+66h],cx
8054298f eb03 jmp nt!SwapContext+0xb4 (80542994)
80542991 8d4900 lea ecx,[ecx]
80542994 8b4318 mov eax,dword ptr [ebx+18h]
80542997 8b4b3c mov ecx,dword ptr [ebx+3Ch]
8054299a 6689413a mov word ptr [ecx+3Ah],ax
8054299e c1e810 shr eax,10h
805429a1 88413c mov byte ptr [ecx+3Ch],al
805429a4 88613f mov byte ptr [ecx+3Fh],ah
805429a7 ff464c inc dword ptr [esi+4Ch]
805429aa ff831c060000 inc dword ptr [ebx+61Ch]
805429b0 59 pop ecx
805429b1 890b mov dword ptr [ebx],ecx
805429b3 807e4900 cmp byte ptr [esi+49h],0
805429b7 7504 jne nt!SwapContext+0xdd (805429bd)
805429b9 9d popfd
805429ba 33c0 xor eax,eax
805429bc c3 ret
805429bd 9d popfd
805429be 7503 jne nt!SwapContext+0xe3 (805429c3)
805429c0 b001 mov al,1
805429c2 c3 ret
805429c3 b101 mov cl,1
805429c5 ff1500874d80 call dword ptr [nt!_imp_HalRequestSoftwareInterrupt (804d8700)]
805429cb 33c0 xor eax,eax
805429cd c3 ret
805429ce 8b6b3c mov ebp,dword ptr [ebx+3Ch]
805429d1 8b4720 mov eax,dword ptr [edi+20h]
805429d4 894548 mov dword ptr [ebp+48h],eax
805429d7 8b4724 mov eax,dword ptr [edi+24h]
805429da 89454c mov dword ptr [ebp+4Ch],eax
805429dd b848000000 mov eax,48h
805429e2 8b6b38 mov ebp,dword ptr [ebx+38h]
805429e5 8b4f28 mov ecx,dword ptr [edi+28h]
805429e8 898d08010000 mov dword ptr [ebp+108h],ecx
805429ee 8b4f2c mov ecx,dword ptr [edi+2Ch]
805429f1 898d0c010000 mov dword ptr [ebp+10Ch],ecx
805429f7 e979ffffff jmp nt!SwapContext+0x95 (80542975)
805429fc 0f22c1 mov cr0,ecx
805429ff e93cffffff jmp nt!SwapContext+0x60 (80542940)
80542a04 a10cbf5580 mov eax,dword ptr [nt!PPerfGlobalGroupMask (8055bf0c)]
80542a09 83f800 cmp eax,0
80542a0c 0f84f3feffff je nt!SwapContext+0x25 (80542905)
80542a12 8bd6 mov edx,esi
80542a14 8bcf mov ecx,edi
80542a16 f7400404000000 test dword ptr [eax+4],4
80542a1d 0f84e2feffff je nt!SwapContext+0x25 (80542905)
80542a23 e8aaa81100 call nt!WmiTraceContextSwap (8065d2d2)
80542a28 e9d8feffff jmp nt!SwapContext+0x25 (80542905)
80542a2d 68b8000000 push 0B8h
80542a32 e84572fbff call nt!KeBugCheck (804f9c7c)
80542a37 c3 ret