Get a structure from a plain address

  dt address

Find the pending IRPs in a module

What information can !thread xxxxxx actually provide:

: kd> !thread
THREAD ffffe0000341f040 Cid 0004.0590 Teb: Win32Thread: RUNNING on processor
IRP List:
ffffe00002dadb10: (,03a0) Flags: Mdl:
Not impersonating
DeviceMap ffffc0000000c2e0
Owning Process ffffe0000023b700 Image: System
Attached Process N/A Image: N/A
Wait Start TickCount Ticks: (:::59.468)
Context Switch Count IdealProcessor: NoStackSwap
UserTime ::00.000
KernelTime ::59.468
Win32 Start Address nt!ExpWorkerThread (0xfffff802e12b6118)
Stack Init ffffd00021c66c90 Current ffffd00021c66310
Base ffffd00021c67000 Limit ffffd00021c61000 Call
Priority BasePriority UnusualBoost ForegroundBoost IoPriority PagePriority
Child-SP RetAddr : Args to Child : Call Site
ffffd000`21c66400 fffff802`e12bb3c6 : ` ` ffffd000` ffffe000`0341f140 : nt! ?? ::FNODOBFM::`string'+0xc614
ffffd000`21c66500 fffff802`e13cee23 : ` ` ` ` : nt!KiDeliverApc+0x136
ffffd000`21c66580 fffff800`031d3368 : ` ffffd000`21c667b0 ffffe000`021d0ef0 ` : nt!KiApcInterrupt+0xc3 (TrapFrame @ ffffd000`21c66580)
ffffd000`21c66710 fffff800`031d28eb : fffff800`031d8000 ffffd000`21c66880 ` fffff800` : btfilter+0x2368
ffffd000`21c66780 fffff800`031d6010 : ffffe000`0375ebd0 ffffe000`0375ebd0 ` ffffe000`021d0ef0 : btfilter+0x18eb
ffffd000`21c66920 fffff802`e12bd118 : ffffe000`0375ebd0 ffffd000`21c66a09 ffffe000`021a9201 ffffe000`0375eee3 : btfilter+0x5010
ffffd000`21c66960 fffff800`02f0c604 : ffffe000`0341f040 ` ffffe000`0198a000 ffffe000`021a92a0 : nt!IopfCompleteRequest+0x438
ffffd000`21c66a70 fffff800`02f083de : ffffe000`0198a1a0 ` ffffe000`0198a050 ffffe000`02ab6130 : usbhub!UsbhPdoUnblockPendedD0IrpWI+0xb0
ffffd000`21c66ab0 fffff802`e12b5c87 : ffffe000`011a8400 ffffe000`0198a050 ` fffff802`e135c14e : usbhub!UsbhHubWorker+0x62
ffffd000`21c66af0 fffff802`e12b63cd : fffff802` fffff802`e12b5bac ffffd000`21c66bd0 ffffe000`011a8400 : nt!IopProcessWorkItem+0xdb
ffffd000`21c66b50 fffff802`e1361664 : ` ffffe000`0341f040 ffffe000`0341f040 ffffe000`0023b700 : nt!ExpWorkerThread+0x2b5
ffffd000`21c66c00 fffff802`e13d06c6 : ffffd000`201e7180 ffffe000`0341f040 ffffe000` `00000b9c : nt!PspSystemThreadStartup+0x58
ffffd000`21c66c60 ` : ffffd000`21c67000 ffffd000`21c61000 ` ` : nt!KiStartSystemThread+0x16

The thread structure on Windows 8.1

: kd> dt _ETHREAD
ACPI!_ETHREAD
+0x000 Tcb : _KTHREAD
+0x5d0 CreateTime : _LARGE_INTEGER
+0x5d8 ExitTime : _LARGE_INTEGER
+0x5d8 KeyedWaitChain : _LIST_ENTRY
+0x5e8 ChargeOnlySession : Ptr64 Void
+0x5f0 PostBlockList : _LIST_ENTRY
+0x5f0 ForwardLinkShadow : Ptr64 Void
+0x5f8 StartAddress : Ptr64 Void
+0x600 TerminationPort : Ptr64 _TERMINATION_PORT
+0x600 ReaperLink : Ptr64 _ETHREAD
+0x600 KeyedWaitValue : Ptr64 Void
+0x608 ActiveTimerListLock : Uint8B
+0x610 ActiveTimerListHead : _LIST_ENTRY
+0x620 Cid : _CLIENT_ID
+0x630 KeyedWaitSemaphore : _KSEMAPHORE
+0x630 AlpcWaitSemaphore : _KSEMAPHORE
+0x650 ClientSecurity : _PS_CLIENT_SECURITY_CONTEXT
+0x658 IrpList : _LIST_ENTRY
+0x668 TopLevelIrp : Uint8B
+0x670 DeviceToVerify : Ptr64 _DEVICE_OBJECT
+0x678 Win32StartAddress : Ptr64 Void
+0x680 LegacyPowerObject : Ptr64 Void
+0x688 ThreadListEntry : _LIST_ENTRY
+0x698 RundownProtect : _EX_RUNDOWN_REF
+0x6a0 ThreadLock : _EX_PUSH_LOCK
+0x6a8 ReadClusterSize : Uint4B
+0x6ac MmLockOrdering : Int4B
+0x6b0 CmLockOrdering : Int4B
+0x6b4 CrossThreadFlags : Uint4B
+0x6b4 Terminated : Pos , Bit
+0x6b4 ThreadInserted : Pos , Bit
+0x6b4 HideFromDebugger : Pos , Bit
+0x6b4 ActiveImpersonationInfo : Pos , Bit
+0x6b4 HardErrorsAreDisabled : Pos , Bit
+0x6b4 BreakOnTermination : Pos , Bit
+0x6b4 SkipCreationMsg : Pos , Bit
+0x6b4 SkipTerminationMsg : Pos , Bit
+0x6b4 CopyTokenOnOpen : Pos , Bit
+0x6b4 ThreadIoPriority : Pos , Bits
+0x6b4 ThreadPagePriority : Pos , Bits
+0x6b4 RundownFail : Pos , Bit
+0x6b4 UmsForceQueueTermination : Pos , Bit
+0x6b4 ReservedCrossThreadFlags : Pos , Bits
+0x6b8 SameThreadPassiveFlags : Uint4B
+0x6b8 ActiveExWorker : Pos , Bit
+0x6b8 MemoryMaker : Pos , Bit
+0x6b8 ClonedThread : Pos , Bit
+0x6b8 KeyedEventInUse : Pos , Bit
+0x6b8 SelfTerminate : Pos , Bit
+0x6bc SameThreadApcFlags : Uint4B
+0x6bc HardFaultBehavior : Pos , Bit
+0x6bc StartAddressInvalid : Pos , Bit
+0x6bc EtwCalloutActive : Pos , Bit
+0x6bc OwnsProcessWorkingSetExclusive : Pos , Bit
+0x6bc OwnsProcessWorkingSetShared : Pos , Bit
+0x6bc OwnsSystemCacheWorkingSetExclusive : Pos , Bit
+0x6bc OwnsSystemCacheWorkingSetShared : Pos , Bit
+0x6bc OwnsSessionWorkingSetExclusive : Pos , Bit
+0x6bd OwnsSessionWorkingSetShared : Pos , Bit
+0x6bd OwnsProcessAddressSpaceExclusive : Pos , Bit
+0x6bd OwnsProcessAddressSpaceShared : Pos , Bit
+0x6bd SuppressSymbolLoad : Pos , Bit
+0x6bd Prefetching : Pos , Bit
+0x6bd OwnsVadExclusive : Pos , Bit
+0x6bd OwnsChangeControlAreaExclusive : Pos , Bit
+0x6bd OwnsChangeControlAreaShared : Pos , Bit
+0x6be OwnsPagedPoolWorkingSetExclusive : Pos , Bit
+0x6be OwnsPagedPoolWorkingSetShared : Pos , Bit
+0x6be OwnsSystemPtesWorkingSetExclusive : Pos , Bit
+0x6be OwnsSystemPtesWorkingSetShared : Pos , Bit
+0x6be TrimTrigger : Pos , Bits
+0x6be Spare2 : Pos , Bits
+0x6bf SystemPagePriorityActive : Pos , Bit
+0x6bf SystemPagePriority : Pos , Bits
+0x6bf Spare3 : Pos , Bits
+0x6c0 CacheManagerActive : UChar
+0x6c1 DisablePageFaultClustering : UChar
+0x6c2 ActiveFaultCount : UChar
+0x6c3 LockOrderState : UChar
+0x6c8 AlpcMessageId : Uint8B
+0x6d0 AlpcMessage : Ptr64 Void
+0x6d0 AlpcReceiveAttributeSet : Uint4B
+0x6d8 ExitStatus : Int4B
+0x6e0 AlpcWaitListEntry : _LIST_ENTRY
+0x6f0 CacheManagerCount : Uint4B
+0x6f4 IoBoostCount : Uint4B
+0x6f8 BoostList : _LIST_ENTRY
+0x708 DeboostList : _LIST_ENTRY
+0x718 BoostListLock : Uint8B
+0x720 IrpListLock : Uint8B
+0x728 ReservedForSynchTracking : Ptr64 Void
+0x730 CmCallbackListHead : _SINGLE_LIST_ENTRY
+0x738 ActivityId : Ptr64 _GUID
+0x740 SeLearningModeListHead : _SINGLE_LIST_ENTRY
+0x748 VerifierContext : Ptr64 Void
+0x750 KernelStackReference : Uint4B
+0x758 AdjustedClientToken : Ptr64 Void
+0x760 UserFsBase : Uint4B
+0x768 UserGsBase : Uint8B
+0x770 PicoContext : Ptr64 Void
: kd> dt _KTHREAD
ACPI!_KTHREAD
+0x000 Header : _DISPATCHER_HEADER
+0x018 SListFaultAddress : Ptr64 Void
+0x020 QuantumTarget : Uint8B
+0x028 InitialStack : Ptr64 Void
+0x030 StackLimit : Ptr64 Void
+0x038 StackBase : Ptr64 Void
+0x040 ThreadLock : Uint8B
+0x048 CycleTime : Uint8B
+0x050 CurrentRunTime : Uint4B
+0x054 ExpectedRunTime : Uint4B
+0x058 KernelStack : Ptr64 Void
+0x060 StateSaveArea : Ptr64 _XSAVE_FORMAT
+0x068 SchedulingGroup : Ptr64 _KSCHEDULING_GROUP
+0x070 WaitRegister : _KWAIT_STATUS_REGISTER
+0x071 Running : UChar
+0x072 Alerted : [] UChar
+0x074 KernelStackResident : Pos , Bit
+0x074 ReadyTransition : Pos , Bit
+0x074 ProcessReadyQueue : Pos , Bit
+0x074 WaitNext : Pos , Bit
+0x074 SystemAffinityActive : Pos , Bit
+0x074 Alertable : Pos , Bit
+0x074 UserStackWalkActive : Pos , Bit
+0x074 ApcInterruptRequest : Pos , Bit
+0x074 QuantumEndMigrate : Pos , Bit
+0x074 UmsDirectedSwitchEnable : Pos , Bit
+0x074 TimerActive : Pos , Bit
+0x074 SystemThread : Pos , Bit
+0x074 ProcessDetachActive : Pos , Bit
+0x074 CalloutActive : Pos , Bit
+0x074 ScbReadyQueue : Pos , Bit
+0x074 ApcQueueable : Pos , Bit
+0x074 ReservedStackInUse : Pos , Bit
+0x074 UmsPerformingSyscall : Pos , Bit
+0x074 ApcPendingReload : Pos , Bit
+0x074 Reserved : Pos , Bits
+0x074 MiscFlags : Int4B
+0x078 AutoAlignment : Pos , Bit
+0x078 DisableBoost : Pos , Bit
+0x078 UserAffinitySet : Pos , Bit
+0x078 AlertedByThreadId : Pos , Bit
+0x078 QuantumDonation : Pos , Bit
+0x078 EnableStackSwap : Pos , Bit
+0x078 GuiThread : Pos , Bit
+0x078 DisableQuantum : Pos , Bit
+0x078 ChargeOnlySchedulingGroup : Pos , Bit
+0x078 DeferPreemption : Pos , Bit
+0x078 QueueDeferPreemption : Pos , Bit
+0x078 ForceDeferSchedule : Pos , Bit
+0x078 SharedReadyQueueAffinity : Pos , Bit
+0x078 FreezeCount : Pos , Bit
+0x078 TerminationApcRequest : Pos , Bit
+0x078 AutoBoostEntriesExhausted : Pos , Bit
+0x078 EtwStackTraceApcInserted : Pos , Bits
+0x078 ReservedFlags : Pos , Bits
+0x078 ThreadFlags : Int4B
+0x07c Spare0 : Uint4B
+0x080 SystemCallNumber : Uint4B
+0x084 Spare1 : Uint4B
+0x088 FirstArgument : Ptr64 Void
+0x090 TrapFrame : Ptr64 _KTRAP_FRAME
+0x098 ApcState : _KAPC_STATE
+0x098 ApcStateFill : [] UChar
+0x0c3 Priority : Char
+0x0c4 UserIdealProcessor : Uint4B
+0x0c8 WaitStatus : Int8B
+0x0d0 WaitBlockList : Ptr64 _KWAIT_BLOCK
+0x0d8 WaitListEntry : _LIST_ENTRY
+0x0d8 SwapListEntry : _SINGLE_LIST_ENTRY
+0x0e8 Queue : Ptr64 _DISPATCHER_HEADER
+0x0f0 Teb : Ptr64 Void
+0x0f8 RelativeTimerBias : Uint8B
+0x100 Timer : _KTIMER
+0x140 WaitBlock : [] _KWAIT_BLOCK
+0x140 WaitBlockFill4 : [] UChar
+0x154 ContextSwitches : Uint4B
+0x140 WaitBlockFill5 : [] UChar
+0x184 State : UChar
+0x185 NpxState : Char
+0x186 WaitIrql : UChar
+0x187 WaitMode : Char
+0x140 WaitBlockFill6 : [] UChar
+0x1b4 WaitTime : Uint4B
+0x140 WaitBlockFill7 : [] UChar
+0x1e4 KernelApcDisable : Int2B
+0x1e6 SpecialApcDisable : Int2B
+0x1e4 CombinedApcDisable : Uint4B
+0x140 WaitBlockFill8 : [] UChar
+0x168 ThreadCounters : Ptr64 _KTHREAD_COUNTERS
+0x140 WaitBlockFill9 : [] UChar
+0x198 XStateSave : Ptr64 _XSTATE_SAVE
+0x140 WaitBlockFill10 : [] UChar
+0x1c8 Win32Thread : Ptr64 Void
+0x140 WaitBlockFill11 : [] UChar
+0x1f0 Ucb : Ptr64 _UMS_CONTROL_BLOCK
+0x1f8 Uch : Ptr64 _KUMS_CONTEXT_HEADER
+0x200 TebMappedLowVa : Ptr64 Void
+0x208 QueueListEntry : _LIST_ENTRY
+0x218 NextProcessor : Uint4B
+0x218 NextProcessorNumber : Pos , Bits
+0x218 SharedReadyQueue : Pos , Bit
+0x21c QueuePriority : Int4B
+0x220 Process : Ptr64 _KPROCESS
+0x228 UserAffinity : _GROUP_AFFINITY
+0x228 UserAffinityFill : [] UChar
+0x232 PreviousMode : Char
+0x233 BasePriority : Char
+0x234 PriorityDecrement : Char
+0x234 ForegroundBoost : Pos , Bits
+0x234 UnusualBoost : Pos , Bits
+0x235 Preempted : UChar
+0x236 AdjustReason : UChar
+0x237 AdjustIncrement : Char
+0x238 Affinity : _GROUP_AFFINITY
+0x238 AffinityFill : [] UChar
+0x242 ApcStateIndex : UChar
+0x243 WaitBlockCount : UChar
+0x244 IdealProcessor : Uint4B
+0x248 ApcStatePointer : [] Ptr64 _KAPC_STATE
+0x258 SavedApcState : _KAPC_STATE
+0x258 SavedApcStateFill : [] UChar
+0x283 WaitReason : UChar
+0x284 SuspendCount : Char
+0x285 Saturation : Char
+0x286 SListFaultCount : Uint2B
+0x288 SchedulerApc : _KAPC
+0x288 SchedulerApcFill0 : [] UChar
+0x289 ResourceIndex : UChar
+0x288 SchedulerApcFill1 : [] UChar
+0x28b QuantumReset : UChar
+0x288 SchedulerApcFill2 : [] UChar
+0x28c KernelTime : Uint4B
+0x288 SchedulerApcFill3 : [] UChar
+0x2c8 WaitPrcb : Ptr64 _KPRCB
+0x288 SchedulerApcFill4 : [] UChar
+0x2d0 LegoData : Ptr64 Void
+0x288 SchedulerApcFill5 : [] UChar
+0x2db CallbackNestingLevel : UChar
+0x2dc UserTime : Uint4B
+0x2e0 SuspendEvent : _KEVENT
+0x2f8 ThreadListEntry : _LIST_ENTRY
+0x308 MutantListHead : _LIST_ENTRY
+0x318 LockEntriesFreeList : _SINGLE_LIST_ENTRY
+0x320 LockEntries : [] _KLOCK_ENTRY
+0x560 PropagateBoostsEntry : _SINGLE_LIST_ENTRY
+0x568 IoSelfBoostsEntry : _SINGLE_LIST_ENTRY
+0x570 PriorityFloorCounts : [] UChar
+0x580 PriorityFloorSummary : Uint4B
+0x584 AbCompletedIoBoostCount : Int4B
+0x588 AbReferenceCount : Int2B
+0x58a AbFreeEntryCount : UChar
+0x58b AbWaitEntryCount : UChar
+0x58c ForegroundLossTime : Uint4B
+0x590 GlobalForegroundListEntry : _LIST_ENTRY
+0x590 ForegroundDpcStackListEntry : _SINGLE_LIST_ENTRY
+0x598 InGlobalForegroundList : Uint8B
+0x5a0 ReadOperationCount : Int8B
+0x5a8 WriteOperationCount : Int8B
+0x5b0 OtherOperationCount : Int8B
+0x5b8 ReadTransferCount : Int8B
+0x5c0 WriteTransferCount : Int8B
+0x5c8 OtherTransferCount : Int8B
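
Added example (not part of the original post): a Python helper that parses `dt` output in the form shown above and maps between a structure base address and its fields, tying the IRP List in the `!thread` output to `_ETHREAD.IrpList`. The thread address and the `dt` lines are copied from this page; the function names are hypothetical.

```python
import re

# Sample input: a few lines copied from the `dt _ETHREAD` listing on this page.
DT_ETHREAD = """\
ACPI!_ETHREAD
+0x000 Tcb : _KTHREAD
+0x5d0 CreateTime : _LARGE_INTEGER
+0x5d8 ExitTime : _LARGE_INTEGER
+0x5d8 KeyedWaitChain : _LIST_ENTRY
+0x620 Cid : _CLIENT_ID
+0x650 ClientSecurity : _PS_CLIENT_SECURITY_CONTEXT
+0x658 IrpList : _LIST_ENTRY
+0x668 TopLevelIrp : Uint8B
+0x678 Win32StartAddress : Ptr64 Void
"""

FIELD_RE = re.compile(r"^\s*\+0x([0-9a-fA-F]+)\s+(\w+)\s*:\s*(.*\S)\s*$")

def parse_dt(text):
    """Return [(offset, name, type)]; lines that are not fields are skipped."""
    fields = []
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields.append((int(m.group(1), 16), m.group(2), m.group(3)))
    return fields

def parse_addr(text):
    """Parse a WinDbg 64-bit address, with or without the backtick separator."""
    return int(text.replace("`", ""), 16)

def field_address(fields, base, name):
    """Absolute address of a named field inside the structure at `base`."""
    for off, fname, _ in fields:
        if fname == name:
            return base + off
    raise KeyError(name)

def fields_at(fields, base, addr):
    """Fields starting at the nearest listed offset <= addr - base.

    Union members share an offset, so several names can come back. Each is
    paired with the byte distance from that offset. The answer is only as
    complete as the listing that was parsed.
    """
    delta = addr - base
    if delta < 0:
        raise ValueError("address is below the structure base")
    best = max((off for off, _, _ in fields if off <= delta), default=None)
    return [(name, delta - best) for off, name, _ in fields if off == best]
```

For THREAD ffffe0000341f040 this places the `IrpList` head at ffffe0000341f698, which can then be inspected in the debugger with `dt nt!_LIST_ENTRY ffffe0000341f698`.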
