Debugging notes: a perfect stack trace
1: kd> kv
ChildEBP RetAddr Args to Child
eed9dbe4 f76089d6 853ad660 864c2ed8 00000000 usbhub!USBH_IoctlGetNodeConnectionInformation (FPO: [Non-Fpo])
eed9dc0c f7608a60 853ad660 864c2ed8 eed9dc50 usbhub!USBH_FdoDispatch+0x184 (FPO: [Non-Fpo])
eed9dc1c 804ee171 853ad5a8 864c2ed8 806be2e4 usbhub!USBH_HubDispatch+0x5c (FPO: [Non-Fpo])
eed9dc2c 80636110 84cd2230 806be2cc 864c2ed8 nt!IopfCallDriver+0x31 (FPO: [0,0,1])
eed9dc50 805674d2 864c2fd8 853fdc28 864c2ed8 nt!IovCallDriver+0x9e (FPO: [Non-Fpo])
eed9dc64 805681f6 853ad5a8 864c2ed8 853fdc28 nt!IopSynchronousServiceTail+0x5e (FPO: [Non-Fpo])
eed9dd00 80561288 000000bc 00000000 00000000 nt!IopXxxControlFile+0x5a6 (FPO: [Non-Fpo])
eed9dd34 805333c4 000000bc 00000000 00000000 nt!NtDeviceIoControlFile+0x28 (FPO: [Non-Fpo])
eed9dd34 7ffe0304 000000bc 00000000 00000000 nt!KiSystemService+0xc9 (FPO: [0,0] TrapFrame @ eed9dd64)
0006f44c 77f75b1d 77e75630 000000bc 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])
0006f450 77e75630 000000bc 00000000 00000000 ntdll!ZwDeviceIoControlFile+0xc (FPO: [10,0,0])
0006f4b0 0100a95d 000000bc 0022040c 00095818 kernel32!DeviceIoControl+0xdd (FPO: [Non-Fpo])
0006f74c 0100a7a3 000957d8 000000bc 00000002 usbview!EnumerateHubPorts+0xdd (FPO: [Non-Fpo]) (CONV: stdcall) [c:\winddk\2600~1.110\src\wdm\usb\usbview\enum.c @ 678]
0006fa00 0100a1fe 00095638 00093f30 00000000 usbview!EnumerateHub+0x4f3 (FPO: [Non-Fpo]) (CONV: stdcall) [c:\winddk\2600~1.110\src\wdm\usb\usbview\enum.c @ 542]
0006fa30 0100a291 0008c110 000000b0 010146c0 usbview!EnumerateHostController+0x7e (FPO: [Non-Fpo]) (CONV: stdcall) [c:\winddk\2600~1.110\src\wdm\usb\usbview\enum.c @ 231]
0006fa8c 01008f80 0008c110 0006fb20 00000001 usbview!EnumerateHostControllers+0x81 (FPO: [Non-Fpo]) (CONV: stdcall) [c:\winddk\2600~1.110\src\wdm\usb\usbview\enum.c @ 289]
0006fb24 01008c1d 00340289 4e0a060f 0008ba90 usbview!RefreshTree+0xa0 (FPO: [Non-Fpo]) (CONV: stdcall) [c:\winddk\2600~1.110\src\wdm\usb\usbview\usbview.c @ 814]
0006fb58 010088ab 000400d0 000201ee 00000000 usbview!USBView_OnInitDialog+0x22d (FPO: [Non-Fpo]) (CONV: stdcall) [c:\winddk\2600~1.110\src\wdm\usb\usbview\usbview.c @ 525]
0006fb70 77d43a68 000400d0 00000110 000201ee usbview!MainDlgProc+0x8b (FPO: [Non-Fpo]) (CONV: stdcall) [c:\winddk\2600~1.110\src\wdm\usb\usbview\usbview.c @ 417]
0006fb9c 77d4c803 01008820 000400d0 00000110 USER32!InternalCallWinProc+0x1b
The !irp command shows the details of the IRP:
1: kd> !irp 864c2ed8
Irp is active with 5 stacks 5 is current (= 0x864c2fd8)
No Mdl System buffer = 854ab158 Thread 84cd2020: Irp stack trace.
cmd flg cl Device File Completion-Context
[ 0, 0] 0 0 00000000 00000000 00000000-00000000
Args: 00000000 00000000 00000000 00000000
[ 0, 0] 0 0 00000000 00000000 00000000-00000000
Args: 00000000 00000000 00000000 00000000
[ 0, 0] 0 0 00000000 00000000 00000000-00000000
Args: 00000000 00000000 00000000 00000000
[ 0, 0] 0 0 00000000 00000000 00000000-00000000
Args: 00000000 00000000 00000000 00000000
>[ e, 0] 4 0 853ad5a8 853fdc28 00000000-00000000
\Driver\usbhub
Args: 0000016d 0000016d 0022040c 00000000
In [ e, 0], the e (0x0e) is the IRP major function code, IRP_MJ_DEVICE_CONTROL. 0022040c is the ioControlCode, IOCTL_USB_GET_NODE_CONNECTION_INFORMATION, because:
<usbioctl.h>
#define IOCTL_USB_GET_NODE_CONNECTION_INFORMATION CTL_CODE(FILE_DEVICE_USB, \
USB_GET_NODE_CONNECTION_INFORMATION, \
METHOD_BUFFERED, \
FILE_ANY_ACCESS)
<usbiodef.h>
#define FILE_DEVICE_USB FILE_DEVICE_UNKNOWN
<ntddk.h>
#define FILE_DEVICE_UNKNOWN 0x00000022
#define CTL_CODE( DeviceType, Function, Method, Access ) ( \
((DeviceType) << 16) | ((Access) << 14) | ((Function) << 2) | (Method) \
)
<usbiodef.h>
#define USB_GET_NODE_CONNECTION_INFORMATION 259
0x40c>>2 = 0x40c/4 = 0x103 = 259
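The same decoding done in code, as an added example that is not part of the original note: the CTL_CODE layout quoted above is split back into its four fields and the value from the !irp output is checked against the constant. METHOD_BUFFERED (0) and FILE_ANY_ACCESS (0) are the SDK values, which the note does not list.

```c
/* Added example (not from the original note): decode a Windows IOCTL code
 * with the CTL_CODE bit layout and check it against the ioControlCode seen
 * in the IRP stack (0x0022040c). Constants are the ones quoted in the note;
 * METHOD_BUFFERED and FILE_ANY_ACCESS are the SDK values. */
#include <stdint.h>
#include <stdio.h>

#define FILE_DEVICE_UNKNOWN 0x00000022
#define FILE_DEVICE_USB FILE_DEVICE_UNKNOWN
#define USB_GET_NODE_CONNECTION_INFORMATION 259
#define METHOD_BUFFERED 0
#define FILE_ANY_ACCESS 0

#define CTL_CODE(DeviceType, Function, Method, Access) \
    (((DeviceType) << 16) | ((Access) << 14) | ((Function) << 2) | (Method))

struct ioctl_fields {
    uint32_t device_type; /* bits 31..16 */
    uint32_t access;      /* bits 15..14 */
    uint32_t function;    /* bits 13..2  */
    uint32_t method;      /* bits 1..0   */
};

/* Split a control code back into its four CTL_CODE fields. */
struct ioctl_fields decode_ioctl(uint32_t code)
{
    struct ioctl_fields f;
    f.device_type = (code >> 16) & 0xFFFF;
    f.access      = (code >> 14) & 0x3;
    f.function    = (code >> 2)  & 0xFFF;
    f.method      = code & 0x3;
    return f;
}

/* 1 if code equals IOCTL_USB_GET_NODE_CONNECTION_INFORMATION as built by CTL_CODE. */
int is_usb_get_node_connection_information(uint32_t code)
{
    return code == (uint32_t)CTL_CODE(FILE_DEVICE_USB,
                                      USB_GET_NODE_CONNECTION_INFORMATION,
                                      METHOD_BUFFERED, FILE_ANY_ACCESS);
}

int main(void)
{
    uint32_t code = 0x0022040c; /* ioControlCode from the !irp output above */
    struct ioctl_fields f = decode_ioctl(code);
    printf("device=0x%x access=%u function=%u method=%u\n",
           f.device_type, f.access, f.function, f.method);
    printf("is IOCTL_USB_GET_NODE_CONNECTION_INFORMATION: %d\n",
           is_usb_get_node_connection_information(code));
    return 0;
}
```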
The !devobj command gives further information about the device object:
1: kd> !devobj 853ad5a8
Device object (853ad5a8) is for:
00000064 \Driver\usbhub DriverObject 853a4590
Current Irp 00000000 RefCount 0 Type 00008600 Flags 00002040
Dacl e15a6904 DevExt 853ad660 DevObjExt 853ad8c8
ExtensionFlags (0xa0000000) DOE_RAW_FDO, DOE_DESIGNATED_FDO
AttachedTo (Lower) 853a4a58 \Driver\adsight
Device queue is not busy.
The !object command gives the information for the corresponding file object. This is the file object that corresponds to what user mode opened with CreateFile() or OpenFile(). User mode works with the handle (bc); kernel mode turns it into the file object with an API such as ObReferenceObjectByHandle(). That should happen in nt!IopXxxControlFile().
1: kd> !object 853fdc28
Object: 853fdc28 Type: (855e6560) File
ObjectHeader: 853fdc10
HandleCount: 1 PointerCount: 2
1: kd> !handle bc
processor number 1, process 853512f0
PROCESS 853512f0 SessionId: 0 Cid: 0174 Peb: 7ffdf000 ParentCid: 00a0
DirBase: 13f5c000 ObjectTable: e278a870 HandleCount: 54.
Image: usbview.exe
New version of handle table at e10a0000 with 54 Entries in use
00bc: Object: 853fdc28 GrantedAccess: 00120196
Object: 853fdc28 Type: (855e6560) File
ObjectHeader: 853fdc10
HandleCount: 1 PointerCount: 2