mouclass!MouseClassServiceCallback 调用 nt!IopfCompleteRequest 向目标线程 win32k!xxxDesktopThread 插入 KAPC 的例子 -- 非常重要

目标线程正处于等待状态！！！KiInsertQueueApc 会调用 KiUnwaitThread 函数将目标线程唤醒！！

KiInsertQueueApc 中决定是否唤醒目标线程的判断逻辑（WRK 节选）如下。注意本例中插入的是 IRP 完成 APC，其 NormalRoutine == NULL，属于"特殊内核 APC"：只要目标线程处于 Waiting 状态、WaitIrql == 0 并且 SpecialApcDisable == 0（即目标线程不在 KeEnterGuardedRegion 保护区内），就会被唤醒；KernelApcDisable（KeEnterCriticalRegion）和 ApcState.KernelApcInProgress 两个条件只对普通内核 APC（NormalRoutine != NULL）起作用，对它不起作用。因此即使目标线程处于用户模式的 Non-Alertable 等待（见下文 !thread 输出中的 "WAIT: (WrUserRequest) UserMode Non-Alertable"），这个 APC 依然会打断等待并被投递。从安全角度看，这条路径正是内核代码在任意目标线程上下文中执行代码的通用机制：调用方只需要一个 KTHREAD 指针；目标线程能推迟特殊内核 APC 投递的唯一手段是处于 Guarded Region，Critical Region 对此无效。

VOID
FASTCALL
KiInsertQueueApc (
    IN PKAPC Apc,
    IN KPRIORITY Increment
    )
{
    // ...
        if (ThreadState == Running) {
            KiRequestApcInterrupt(Thread->NextProcessor);

        } else if ((ThreadState == Waiting) &&
                   (Thread->WaitIrql == 0) &&
                   (Thread->SpecialApcDisable == 0) &&
                   ((Apc->NormalRoutine == NULL) ||
                    ((Thread->KernelApcDisable == 0) &&
                     (Thread->ApcState.KernelApcInProgress == FALSE)))) {

            KiUnwaitThread(Thread, STATUS_KERNEL_APC, Increment);
    // ...

第一部分

mouclass 在自旋锁之外完成已经填充好数据的读 IRP（WRK 节选）。IoCompleteRequest 最终进入 nt!IopfCompleteRequest，由后者向 IRP 所属线程插入完成 APC：

VOID
MouseClassServiceCallback(
    IN PDEVICE_OBJECT DeviceObject,
    IN PMOUSE_INPUT_DATA InputDataStart,
    IN PMOUSE_INPUT_DATA InputDataEnd,
    IN OUT PULONG InputDataConsumed
    )
{
    // ...
    //
    // Complete all the read requests we have fulfilled outside of the spin lock
    //
    while (! IsListEmpty (&listHead)) {
        PLIST_ENTRY entry = RemoveHeadList (&listHead);
        irp = CONTAINING_RECORD (entry, IRP, Tail.Overlay.ListEntry);

        ASSERT (NT_SUCCESS (irp->IoStatus.Status) && irp->IoStatus.Status != STATUS_PENDING);

        IoCompleteRequest (irp, IO_KEYBOARD_INCREMENT);
        IoReleaseRemoveLock (&deviceExtension->RemoveLock, irp);
    }

    MouPrint((2,"MOUCLASS-MouseClassServiceCallback: exit\n"));
}

第二部分

参考：调用 IoCompleteRequest 函数之前，IRP 的系统缓冲区里已经有一条数据了，长度为 0x18（IoStatus.Information == 0x18）。

0: kd> dt _irp 89790488
CSRSRV!_IRP
   +0x000 Type             : 0n6
   +0x002 Size             : 0x1d8
   +0x004 MdlAddress       : (null)
   +0x008 Flags            : 0x970
   +0x00c AssociatedIrp    : __unnamed
   +0x010 ThreadListEntry  : _LIST_ENTRY [ 0x894f8468 - 0x89804238 ]
   +0x018 IoStatus         : _IO_STATUS_BLOCK
   +0x020 RequestorMode    : 0
   +0x021 PendingReturned  : 0
   +0x022 StackCount       : 10
   +0x023 CurrentLocation  : 10
   +0x024 Cancel           : 0
   +0x025 CancelIrql       : 0
   +0x026 ApcEnvironment   : 0
   +0x027 AllocationFlags  : 0x1
   +0x028 UserIosb         : 0xe16349d8 _IO_STATUS_BLOCK
   +0x02c UserEvent        : (null)
   +0x030 Overlay          : __unnamed
   +0x038 CancelRoutine    : (null)
   +0x03c UserBuffer       : 0xe1634a08 Void
   +0x040 Tail             : __unnamed
0: kd> dx -id 0,0,8954e020 -r1 (*((CSRSRV!_IO_STATUS_BLOCK *)0x897904a0))
(*((CSRSRV!_IO_STATUS_BLOCK *)0x897904a0))                 [Type: _IO_STATUS_BLOCK]
    [+0x000] Status           : 0 [Type: long]
    [+0x000] Pointer          : 0x0 [Type: void *]
    [+0x004] Information      : 0x18 [Type: unsigned long]

该 IRP 是在 mouclass 中由下面这行代码挂到 listHead 上的：

        InsertTailList (&listHead, &irp->Tail.Overlay.ListEntry);

参考结束

第三部分

在 nt!KeInitializeApc 上断下。注意 Apc == 0x897904c8 == IRP 地址 0x89790488 + 0x40，即 KAPC 内嵌在 IRP 的 Tail 联合体中（&Irp->Tail.Apc），目标线程 0x89804020 就是 Irp->Tail.Overlay.Thread：

0: kd> g
Breakpoint 1 hit
eax=00000000 ebx=00000000 ecx=8979040b edx=f789ed01 esi=89790488 edi=897904c8
eip=80a373e2 esp=f789ecdc ebp=f789ed1c iopl=0         nv up ei pl zr na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000246
nt!KeInitializeApc:
80a373e2 55              push    ebp
0: kd> kc
 #
00 nt!KeInitializeApc
01 nt!IopfCompleteRequest
02 mouclass!MouseClassServiceCallback
03 mouhid!MouHid_ReadComplete
04 nt!IopfCompleteRequest
05 HIDCLASS!HidpDistributeInterruptReport
06 HIDCLASS!HidpInterruptReadComplete
07 nt!IopfCompleteRequest
08 USBPORT!USBPORT_CompleteTransfer
09 USBPORT!USBPORT_DoneTransfer
0a USBPORT!USBPORT_FlushDoneTransferList
0b USBPORT!USBPORT_DpcWorker
0c USBPORT!USBPORT_IsrDpcWorker
0d USBPORT!USBPORT_IsrDpc
0e nt!KiRetireDpcList
0f nt!KiDispatchInterrupt
WARNING: Frame IP not in any known module. 
Following frames may be wrong.
10 0x0
0: kd> dv
            Apc = 0x897904c8
         Thread = 0x89804020
    Environment = OriginalApcEnvironment (0n0)
  KernelRoutine = 0x80a2bd0e
 RundownRoutine = 0x80c72194
  NormalRoutine = 0x00000000
        ApcMode = 0n0
  NormalContext = 0x00000000

对应的 nt!IopfCompleteRequest 代码（WRK 节选）。KernelRoutine 为 IopCompleteRequest，RundownRoutine 为 IopAbortRequest，NormalRoutine 为 NULL，ApcMode 为 KernelMode —— 这正是一个特殊内核 APC：

            thread = Irp->Tail.Overlay.Thread;
            fileObject = Irp->Tail.Overlay.OriginalFileObject;
            if (!Irp->Cancel) {
                KeInitializeApc( &Irp->Tail.Apc,
                                 &thread->Tcb,
                                 Irp->ApcEnvironment,
                                 IopCompleteRequest,
                                 IopAbortRequest,
                                 (PKNORMAL_ROUTINE) NULL,
                                 KernelMode,
                                 (PVOID) NULL );

                (VOID) KeInsertQueueApc( &Irp->Tail.Apc,
                                         fileObject,
                                         (PVOID) saveAuxiliaryPointer,
                                         PriorityBoost );
            } else {
            // ...

以上片段所在函数的原型：

VOID
FASTCALL
IopfCompleteRequest(
    IN PIRP Irp,
    IN CCHAR PriorityBoost
    )

KeInitializeApc 返回之后 KAPC 的内容（Inserted 仍为 0）：

0: kd> dt ntkrnlmp!_KAPC 0x897904c8
   +0x000 Type             : 0n18
   +0x002 Size             : 0n48
   +0x004 Spare0           : 0
   +0x008 Thread           : 0x89804020 _KTHREAD
   +0x00c ApcListEntry     : _LIST_ENTRY [ 0x0 - 0x89804020 ]
   +0x014 KernelRoutine    : 0x80a2bd0e     void  nt!IopCompleteRequest+0
   +0x018 RundownRoutine   : 0x80c72194     void  nt!IopAbortRequest+0
   +0x01c NormalRoutine    : (null)
   +0x020 NormalContext    : (null)
   +0x024 SystemArgument1  : 0x895f1788 Void
   +0x028 SystemArgument2  : (null)
   +0x02c ApcStateIndex    : 0
   +0x02d ApcMode          : 0
   +0x02e Inserted         : 0

当前线程（DPC 在 0 号 CPU 上打断的 winlogon.exe 线程）：

0: kd> !thread
THREAD 895f2a78  Cid 01c8.04bc  Teb: 7ffd5000 Win32Thread: e17c0d18 RUNNING on processor 0
Not impersonating
DeviceMap                 e10003d8
Owning Process            8954e020       Image:         winlogon.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      274655191      Ticks: 282 (0:00:00:04.406)
Context Switch Count      1136           IdealProcessor: 0             LargeStack
UserTime                  00:00:00.062
KernelTime                00:00:00.281
Win32 Start Address 0x771a0801
Stack Init ba1b1000 Current ba1b0c5c Base ba1b1000 Limit ba1ad000 Call 00000000
Priority 13 BasePriority 13 PriorityDecrement 0 IoPriority 0 PagePriority 0
ChildEBP RetAddr  Args to Child
f789ed1c f751a87a 897f90d8 89537b80 00000000 nt!IopfCompleteRequest+0x2be (FPO: [Non-Fpo]) (CONV: fastcall) [d:\srv03rtm\base\ntos\io\iomgr\iosubs.c @ 3754]
f789ed3c f76b8fbc 00000018 897f91d8 000000f0 mouclass!MouseClassServiceCallback+0x2e4 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\drivers\input\mouclass\mouclass.c @ 2776]
f789ed74 80a26af4 00000000 02800cd8 017f90d8 mouhid!MouHid_ReadComplete+0x438 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\drivers\input\hidport\mouhid\read.c @ 513]
f789eda4 ba71bfdc f789edac f789edac 89761020 nt!IopfCompleteRequest+0xf4 (FPO: [Non-Fpo]) (CONV: fastcall) [d:\srv03rtm\base\ntos\io\iomgr\iosubs.c @ 3506]
f789edd0 ba71cb3f 02761008 895cbb40 00000009 HIDCLASS!HidpDistributeInterruptReport+0x134 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\drivers\wdm\input\hidclass\pingpong.c @ 524]
f789ee08 80a26af4 00000000 898969a0 8940db78 HIDCLASS!HidpInterruptReadComplete+0x2dd (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\drivers\wdm\input\hidclass\pingpong.c @ 723]
f789ee38 bae9aa07 898d4030 898969a0 80b019e8 nt!IopfCompleteRequest+0xf4 (FPO: [Non-Fpo]) (CONV: fastcall) [d:\srv03rtm\base\ntos\io\iomgr\iosubs.c @ 3506]
f789eeac bae9f23e 43504974 02707269 898d4724 USBPORT!USBPORT_CompleteTransfer+0x5af (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\drivers\wdm\usb\hcd\usbport\core.c @ 1238]
f789eee0 baea0ca7 894d9008 898d40e8 f789ef28 USBPORT!USBPORT_DoneTransfer+0x252 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\drivers\wdm\usb\hcd\usbport\core.c @ 997]
f789ef10 baea3c3a 898d4030 898d40e8 898d40e8 USBPORT!USBPORT_FlushDoneTransferList+0x281 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\drivers\wdm\usb\hcd\usbport\core.c @ 2228]
f789ef40 baed70cc 898d4030 898d40e8 89845220 USBPORT!USBPORT_DpcWorker+0x4d0 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\drivers\wdm\usb\hcd\usbport\core.c @ 3865]
f789ef78 baed77bc 898d4030 00000001 ffdff980 USBPORT!USBPORT_IsrDpcWorker+0x7c8 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\drivers\wdm\usb\hcd\usbport\int.c @ 257]
f789ef9c 80a41432 898d4608 898d4030 00000000 USBPORT!USBPORT_IsrDpc+0x266 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\drivers\wdm\usb\hcd\usbport\int.c @ 333]
f789eff4 80b00756 ba1b0bf8 00000000 00000000 nt!KiRetireDpcList+0xd6 (FPO: [Non-Fpo]) (CONV: fastcall) [d:\srv03rtm\base\ntos\ke\dpcsup.c @ 1076]
f789eff8 ba1b0bf8 00000000 00000000 00000000 nt!KiDispatchInterrupt+0x36 (FPO: [Uses EBP] [0,0,1]) [d:\srv03rtm\base\ntos\ke\i386\ctxswap.asm @ 226]
WARNING: Frame IP not in any known module. Following frames may be wrong.
80b00756 00000000 00000009 bb837775 00000128 0xba1b0bf8

目标线程（csrss.exe 的 win32k!xxxDesktopThread），此刻处于用户模式 Non-Alertable 等待，IRP 列表中包含上面正在完成的 IRP 89790488：

0: kd> !thread 0x89804020
THREAD 89804020  Cid 01b0.01e0  Teb: 7ffd8000 Win32Thread: e1639460 WAIT: (WrUserRequest) UserMode Non-Alertable
    8957cd20  SynchronizationEvent
    89505548  SynchronizationEvent
    89804b80  SynchronizationEvent
IRP List:
    89790488: (0006,01d8) Flags: 00000970  Mdl: 00000000
    894f8458: (0006,01d8) Flags: 00000970  Mdl: 00000000
    8989e008: (0006,0190) Flags: 00000970  Mdl: 00000000
    89756e70: (0006,0190) Flags: 00000970  Mdl: 00000000
Not impersonating
DeviceMap                 e10003d8
Owning Process            89831250       Image:         csrss.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      274655417      Ticks: 56 (0:00:00:00.875)
Context Switch Count      619            IdealProcessor: 1             LargeStack
UserTime                  00:00:00.000
KernelTime                00:00:01.328
Stack Init f75f7000 Current f75f692c Base f75f7000 Limit f75f4000 Call 00000000
Priority 15 BasePriority 13 PriorityDecrement 0 IoPriority 0 PagePriority 0
ChildEBP RetAddr  Args to Child
f75f6944 80a440eb f7737120 89804020 89804080 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4]) [d:\srv03rtm\base\ntos\ke\i386\ctxswap.asm @ 139]
f75f697c 80a358c7 00000000 e1639460 00000002 nt!KiSwapThread+0x627 (FPO: [Non-Fpo]) (CONV: fastcall) [d:\srv03rtm\base\ntos\ke\thredsup.c @ 2000]
f75f69b4 bf8a4685 00000003 89804b50 00000001 nt!KeWaitForMultipleObjects+0x3b5 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\ke\wait.c @ 816]
f75f6a04 bf8b123e 00000002 89804b50 bf8fe215 win32k!xxxMsgWaitForMultipleObjects+0xeb (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\kernel\queue.c @ 4540]
f75f6d1c bf8b21ba bfa70aa0 00000001 f75f6d48 win32k!xxxDesktopThread+0x437 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\kernel\desktop.c @ 594]
f75f6d2c bf806d52 bfa70aa0 f75f6d58 008cfff4 win32k!xxxCreateSystemThreads+0x9c (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\kernel\desktop.c @ 347]
f75f6d48 80afbcb2 00000000 00000022 80afb956 win32k!NtUserCallOneParam+0xa0 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\kernel\ntstubs.c @ 4789]
f75f6d48 7ffe0304 00000000 00000022 80afb956 nt!_KiSystemService+0x13f (FPO: [0,3] TrapFrame @ f75f6d64) (CONV: cdecl) [d:\srv03rtm\base\ntos\ke\i386\trap.asm @ 1328]
00000000 00000000 00000000 00000000 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

参考：线程状态枚举值（ks386.inc）

;
; Thread State Enumerated Type Values
;

Initialized equ 00000H
Ready equ 00001H
Running equ 00002H
Standby equ 00003H
Terminated equ 00004H
Waiting equ 00005H

参考结束

插入 APC 之前目标线程的 KTHREAD：State == 0x5（Waiting），WaitIrql == 0，内核模式 APC 队列（ApcListHead[0]，位于 0x89804054）和用户模式 APC 队列（ApcListHead[1]，位于 0x8980405c）都为空（Flink/Blink 指向自身）：

0: kd> dt kthread 0x89804020
CSRSRV!KTHREAD
   +0x000 Header           : _DISPATCHER_HEADER
   +0x010 MutantListHead   : _LIST_ENTRY [ 0x89804030 - 0x89804030 ]
   +0x018 InitialStack     : 0xf75f7000 Void
   +0x01c StackLimit       : 0xf75f4000 Void
   +0x020 KernelStack      : 0xf75f692c Void
   +0x024 ThreadLock       : 0
   +0x028 ContextSwitches  : 0x26b
   +0x02c State            : 0x5
   +0x02d NpxState         : 0xa
   +0x02e WaitIrql         : 0
   +0x02f WaitMode         : 1
   +0x030 Teb              : 0x7ffd8000 Void
   +0x034 ApcState         : _KAPC_STATE
0: kd> dx -id 0,0,8954e020 -r1 (*((CSRSRV!_KAPC_STATE *)0x89804054))
(*((CSRSRV!_KAPC_STATE *)0x89804054))                 [Type: _KAPC_STATE]
    [+0x000] ApcListHead      [Type: _LIST_ENTRY [2]]
    [+0x010] Process          : 0x89831250 [Type: _KPROCESS *]
    [+0x014] KernelApcInProgress : 0x0 [Type: unsigned char]
    [+0x015] KernelApcPending : 0x0 [Type: unsigned char]
    [+0x016] UserApcPending   : 0x0 [Type: unsigned char]
0: kd> dx -id 0,0,8954e020 -r1 (*((CSRSRV!_LIST_ENTRY (*)[2])0x89804054))
(*((CSRSRV!_LIST_ENTRY (*)[2])0x89804054))                 [Type: _LIST_ENTRY [2]]
    [0]              [Type: _LIST_ENTRY]
    [1]              [Type: _LIST_ENTRY]
0: kd> dx -id 0,0,8954e020 -r1 (*((CSRSRV!_LIST_ENTRY *)0x89804054))
(*((CSRSRV!_LIST_ENTRY *)0x89804054))                 [Type: _LIST_ENTRY]
    [+0x000] Flink            : 0x89804054 [Type: _LIST_ENTRY *]
    [+0x004] Blink            : 0x89804054 [Type: _LIST_ENTRY *]
0: kd> dx -id 0,0,8954e020 -r1 (*((CSRSRV!_LIST_ENTRY *)0x8980405c))
(*((CSRSRV!_LIST_ENTRY *)0x8980405c))                 [Type: _LIST_ENTRY]
    [+0x000] Flink            : 
0x8980405c [Type: _LIST_ENTRY *]
    [+0x004] Blink            : 0x8980405c [Type: _LIST_ENTRY *]

第四部分

单步进入 nt!KeInsertQueueApc（Increment == 0n6，即 mouclass 传入的 IO_KEYBOARD_INCREMENT）：

0: kd> t
eax=00000006 ebx=00000000 ecx=8979040b edx=f789ed01 esi=89790488 edi=897904c8
eip=80a26c3e esp=f789ecf4 ebp=f789ed1c iopl=0         nv up ei pl zr na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000246
nt!IopfCompleteRequest+0x23e:
80a26c3e 57              push    edi
0: kd> t
eax=00000006 ebx=00000000 ecx=8979040b edx=f789ed01 esi=89790488 edi=897904c8
eip=80a3750e esp=f789ecec ebp=f789ed1c iopl=0         nv up ei pl zr na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000246
nt!KeInsertQueueApc:
80a3750e 55              push    ebp
0: kd> kc
 #
00 nt!KeInsertQueueApc
01 nt!IopfCompleteRequest
02 mouclass!MouseClassServiceCallback
03 mouhid!MouHid_ReadComplete
04 nt!IopfCompleteRequest
05 HIDCLASS!HidpDistributeInterruptReport
06 HIDCLASS!HidpInterruptReadComplete
07 nt!IopfCompleteRequest
08 USBPORT!USBPORT_CompleteTransfer
09 USBPORT!USBPORT_DoneTransfer
0a USBPORT!USBPORT_FlushDoneTransferList
0b USBPORT!USBPORT_DpcWorker
0c USBPORT!USBPORT_IsrDpcWorker
0d USBPORT!USBPORT_IsrDpc
0e nt!KiRetireDpcList
0f nt!KiDispatchInterrupt
WARNING: Frame IP not in any known module. Following frames may be wrong.
10 0x0
0: kd> dv
            Apc = 0x897904c8
SystemArgument1 = 0x895f1788
SystemArgument2 = 0x00000000
      Increment = 0n6
     LockHandle = struct _KLOCK_QUEUE_HANDLE

执行到 KeInsertQueueApc 返回（eax == 1，即插入成功返回 TRUE）。此时目标线程的 KernelApcPending 已被置为 1，内核模式 APC 队列的 Flink/Blink 都指向 0x897904d4 == 0x897904c8 + 0xc，也就是上面那个 KAPC 的 ApcListEntry 成员：

0: kd> gu
eax=00000001 ebx=00000000 ecx=00000041 edx=000c08e1 esi=89790488 edi=897904c8
eip=80a26c44 esp=f789ed00 ebp=f789ed1c iopl=0         nv up ei pl zr na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000246
nt!IopfCompleteRequest+0x244:
80a26c44 e9b2feffff      jmp     nt!IopfCompleteRequest+0xfb (80a26afb)
0: kd> dx -id 0,0,8954e020 -r1 (*((CSRSRV!_KAPC_STATE *)0x89804054))
(*((CSRSRV!_KAPC_STATE *)0x89804054))                 [Type: _KAPC_STATE]
    [+0x000] ApcListHead      [Type: _LIST_ENTRY [2]]
    [+0x010] Process          : 0x89831250 [Type: _KPROCESS *]
    [+0x014] KernelApcInProgress : 0x0 [Type: unsigned char]
    [+0x015] KernelApcPending : 0x1 [Type: unsigned char]
    [+0x016] UserApcPending   : 0x0 [Type: unsigned char]
0: kd> dx -id 0,0,8954e020 -r1 (*((CSRSRV!_LIST_ENTRY (*)[2])0x89804054))
(*((CSRSRV!_LIST_ENTRY (*)[2])0x89804054))                 [Type: _LIST_ENTRY [2]]
    [0]              [Type: _LIST_ENTRY]
    [1]              [Type: _LIST_ENTRY]
0: kd> dx -id 0,0,8954e020 -r1 (*((CSRSRV!_LIST_ENTRY *)0x89804054))
(*((CSRSRV!_LIST_ENTRY *)0x89804054))                 [Type: _LIST_ENTRY]
    [+0x000] Flink            : 0x897904d4 [Type: _LIST_ENTRY *]
    [+0x004] Blink            : 0x897904d4 [Type: _LIST_ENTRY *]

第五部分

参考：线程状态枚举值（ks386.inc）

;
; Thread State Enumerated Type Values
;

Initialized equ 00000H
Ready equ 00001H
Running equ 00002H
Standby equ 00003H
Terminated equ 00004H
Waiting equ 00005H

参考结束

KeInsertQueueApc 返回之后目标线程的 State 已经从 0x5（Waiting）变成 0x3（Standby）：它已被 KiUnwaitThread 唤醒并被选为某个 CPU 的下一个运行线程。

0: kd> dt kthread 0x89804020
CSRSRV!KTHREAD
   +0x000 Header           : _DISPATCHER_HEADER
   +0x010 MutantListHead   : _LIST_ENTRY [ 0x89804030 - 0x89804030 ]
   +0x018 InitialStack     : 0xf75f7000 Void
   +0x01c StackLimit       : 0xf75f4000 Void
   +0x020 KernelStack      : 0xf75f692c Void
   +0x024 ThreadLock       : 0
   +0x028 ContextSwitches  : 0x26b
   +0x02c State            : 0x3
   +0x02d NpxState         : 0xa

查看 1 号 CPU 的 KPCR（Number == 0x1，Prcb == 0xf7737120）：

0: kd> dt KPCR f7737000
basesrv!KPCR
   +0x000 NtTib            : _NT_TIB
   +0x000 Used_ExceptionList : 0xffffffff _EXCEPTION_REGISTRATION_RECORD
   +0x004 Used_StackBase   : (null)
   +0x008 PerfGlobalGroupMask : (null)
   +0x00c TssCopy          : 0xf7737ef0 Void
   +0x010 ContextSwitches  : 0x8a65
   +0x014 SetMemberCopy    : 2
   +0x018 Used_Self        : (null)
   +0x01c SelfPcr          : 0xf7737000 _KPCR
   +0x020 Prcb             : 0xf7737120 _KPRCB
   +0x024 Irql             : 0
   +0x028 IRR              : 0
   +0x02c IrrActive        : 0
   +0x030 IDR              : 0xffffffff
   +0x034 KdVersionBlock   : (null)
   +0x038 IDT              : 0xf773d6e0 _KIDTENTRY
   +0x03c GDT              : 0xf773d2e0 _KGDTENTRY
   +0x040 TSS              : 0xf7737ef0 _KTSS
   +0x044 MajorVersion     : 1
   +0x046 MinorVersion     : 1
   +0x048 SetMember        : 2
   +0x04c StallScaleFactor : 0xe10
   +0x050 SpareUnused      : 0
   +0x051 Number           : 0x1
   +0x052 Spare0           : 0
   +0x053 SecondLevelCacheAssociativity : 0
   +0x054 VdmAlert         : 0
   +0x058 KernelReserved   : [14] 0
   +0x090 SecondLevelCacheSize : 0
   +0x094 HalReserved      : [16] 1
   +0x0d4 InterruptMode    : 0
   +0x0d8 Spare1           : 0
   +0x0dc KernelReserved2  : [17] 0
   +0x120 PrcbData         : _KPRCB

1 号 CPU 当前运行的是空闲线程（CurrentThread == IdleThread == 0xf7739fa0），NextThread 已经是目标线程 0x89804020：

0: kd> dx -id 0,0,8954e020 -r1 ((basesrv!_KPRCB *)0xf7737120)
((basesrv!_KPRCB *)0xf7737120)                 : 0xf7737120 [Type: _KPRCB *]
    [+0x000] MinorVersion     : 0x1 [Type: unsigned short]
    [+0x002] MajorVersion     : 0x1 [Type: unsigned short]
    [+0x004] CurrentThread    : 0xf7739fa0 [Type: _KTHREAD *]
    [+0x008] NextThread       : 0x89804020 [Type: _KTHREAD *]
    [+0x00c] IdleThread       : 0xf7739fa0 [Type: _KTHREAD *]

在 nt!SwapContext 上断下。对照下面第六部分 D 的汇编：esi == 0x89804020 是即将切入的目标线程，edi == 0xf7739fa0 是即将切出的空闲线程，ebx == 0xf7737000 是 1 号 CPU 的 KPCR：

0: kd> g
Breakpoint 46 hit
WARNING: Process directory table base 7B884000 doesn't match CR3 00039000
WARNING: Process directory table base 7B884000 doesn't match CR3 00039000
eax=00000002 ebx=f7737000 ecx=00000001 edx=0000001b esi=89804020 edi=f7739fa0
eip=80b007f0 esp=f78aad54 ebp=80b20320 iopl=0         nv up ei pl zr na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000246
nt!SwapContext:
80b007f0 51              push    ecx

第六部分

第六部分 A：KiInsertQueueApc 调用的 KiUnwaitThread（WRK）

VOID
FASTCALL
KiUnwaitThread (
    IN PRKTHREAD Thread,
    IN LONG_PTR WaitStatus,
    IN KPRIORITY Increment
    )
{
    //
    // Unlink thread from the appropriate wait queues and set the wait
    // completion status.
    //

    KiUnlinkThread(Thread, WaitStatus);

    //
    // Set unwait priority adjustment parameters.
    //

    ASSERT(Increment >= 0);

    Thread->AdjustIncrement = (SCHAR)Increment;
    Thread->AdjustReason = (UCHAR)AdjustUnwait;

    //
    // Ready the thread for execution.
    //

    KiReadyThread(Thread);
    return;
}

第六部分 B：KiReadyThread（节选，只保留与本例相关的路径）

VOID
FASTCALL
KiReadyThread (
    IN PKTHREAD Thread
    )
{
    KiInsertDeferredReadyList(Thread);
    return;
}

第六部分 C：经过 nt!KiProcessDeferredReadyList 函数处理之后，该线程成为 1 号 CPU 的 NextThread

0: kd> dx -id 0,0,8954e020 -r1 ((basesrv!_KPRCB *)0xf7737120)
((basesrv!_KPRCB *)0xf7737120)                 : 0xf7737120 [Type: _KPRCB *]
    [+0x000] MinorVersion     : 0x1 [Type: unsigned short]
    [+0x002] MajorVersion     : 0x1 [Type: unsigned short]
    [+0x004] CurrentThread    : 0xf7739fa0 [Type: _KTHREAD *]
    [+0x008] NextThread       : 0x89804020 [Type: _KTHREAD *]
    [+0x00c] IdleThread       : 0xf7739fa0 [Type: _KTHREAD *]

第六部分 D：nt!KiDispatchInterrupt+0x4d 处调用 SwapContext（ctxswap.asm 节选）。ebx 为当前 KPCR，esi 为 NextThread，edi 为被切出的当前线程；注意切入前先把 NextThread 置为 Running 状态：

;
; Check to determine if a new thread has been selected for execution on this
; processor.
;

        cmp     dword ptr [ebx].PcPrcbData.PbNextThread, 0 ; check if next thread
        je      kdi70                   ; if eq, then no new thread

;
; N.B. The following registers MUST be saved such that ebp is saved last.
;      This is done so the debugger can find the saved ebp for a thread
;      that is not currently in the running state.
;

.fpo (0, 0, 0, 3, 1, 0)

        sub     esp, 3*4
        mov     [esp+8], esi            ; save registers
        mov     [esp+4], edi            ;
        mov     [esp+0], ebp            ;
        mov     edi, [ebx].PcPrcbData.PbCurrentThread ; get current thread address (as old thread)

;
; Raise IRQL to SYNCH level, set context swap busy for the old thread, and
; acquire the current PRCB lock.
;

ifndef NT_UP

        call    dword ptr [__imp__KeRaiseIrqlToSynchLevel@0] ; raise IRQL to SYNCH
        mov     byte ptr [edi].ThSwapBusy, 1 ; set context swap busy
        lea     ecx, [ebx].PcPrcbData.PbPrcbLock ; get PRCB lock address
   lock bts     dword ptr [ecx], 0      ; try to acquire PRCB lock
        jnc     short kdi50             ; if nc, PRCB lock acquired
        fstCall KefAcquireSpinLockAtDpcLevel ; acquire current PRCB lock

endif

;
; Get the next thread address, set the thread state to running, queue the old
; running thread, and swap context to the next thread.
;

kdi50:  mov     esi, [ebx].PcPrcbData.PbNextThread ; get next thread address
        and     dword ptr [ebx].PcPrcbData.PbNextThread, 0 ; clear next thread address
        mov     [ebx].PcPrcbData.PbCurrentThread, esi ; set current thread address
        mov     byte ptr [esi].ThState, Running ; set thread state to running
        mov     byte ptr [edi].ThWaitReason, WrDispatchInt ; set wait reason
        mov     ecx, edi                ; set address of curent thread
        lea     edx, [ebx].PcPrcbData   ; set address of PRCB
        fstCall KiQueueReadyThread      ; ready thread for execution

        CAPSTART _KiDispatchInterrupt,SwapContext

        mov     cl, APC_LEVEL           ; set APC interrupt bypass disable
        call    SwapContext             ; swap context

        CAPEND _KiDispatchInterrupt

第七部分

win32k!xxxDesktopThread 线程在 1 号 CPU 上切换回来之后，nt!KiSwapThread 函数里面调用了 nt!KiDeliverApc。KiDeliverApc 会在目标线程自己的上下文中、于 APC_LEVEL 调用该 KAPC 的 KernelRoutine（即 nt!IopCompleteRequest），完成 IRP 的收尾工作；然后 KeWaitForMultipleObjects 才带着 STATUS_KERNEL_APC 的等待结果返回到 win32k。

1: kd> ba e1 win32k!InputApc
1: kd> be 31
1: kd> g
Breakpoint 31 hit
eax=0000003d ebx=00000100 ecx=0000003d edx=80010031 esi=804edc30 edi=00000000
eip=80a3c776 esp=f75f693c ebp=f75f697c iopl=0         nv up ei pl zr na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000246
nt!KiDeliverApc:
80a3c776 55              push    ebp
1: kd> kc
 #
00 nt!KiDeliverApc
01 nt!KiSwapThread
02 nt!KeWaitForMultipleObjects
03 win32k!xxxMsgWaitForMultipleObjects
04 win32k!xxxDesktopThread
05 win32k!xxxCreateSystemThreads
06 win32k!NtUserCallOneParam
07 nt!_KiSystemService
08 SharedUserData!SystemCallStub
09 winsrv!NtUserCallOneParam