多CPU下的调试

下面是我机器的输出：

1: kd> ln KiProcessorBlock
(8055c580)   nt!KiProcessorBlock   | (8055c600)   nt!KiFreezeFlag
Exact matches:
    nt!KiProcessorBlock = <no type information>

1: kd> dd KiProcessorBlock
8055c580 ffdff120 f78b2120 00000000 00000000
8055c590 00000000 00000000 00000000 00000000
8055c5a0 00000000 00000000 00000000 00000000

1: kd> dt nt!_KPRCB 0xffdff120
   +0x000 MinorVersion     : 1
   +0x002 MajorVersion     : 1
   +0x004 CurrentThread    : 0x8055be40 _KTHREAD
   +0x008 NextThread       : (null)
   +0x00c IdleThread       : 0x8055be40 _KTHREAD
   +0x010 Number           : 0 ''
   +0x011 Reserved         : 0 ''
   +0x012 BuildType        : 0
   +0x014 SetMember        : 1
   +0x018 CpuType          : 6 ''
   +0x019 CpuID            : 1 ''
   ......

1: kd> dt nt!_KPRCB f78b2120
   +0x000 MinorVersion     : 1
   +0x002 MajorVersion     : 1
   +0x004 CurrentThread    : 0x816aa830 _KTHREAD
   +0x008 NextThread       : (null)
   +0x00c IdleThread       : 0xf78b4e20 _KTHREAD
   +0x010 Number           : 1 ''
   +0x011 Reserved         : 0 ''
   +0x012 BuildType        : 0
   +0x014 SetMember        : 2
   +0x018 CpuType          : 6 ''
   +0x019 CpuID            : 1 ''
   ......

1: kd> !thread 0x8055be40
THREAD 8055be40 Cid 0.0 Teb: 00000000 Win32Thread: 00000001 RUNNING
IRP List:
unable to get IRP object
Not impersonating
Owning Process 8055c0a0
Wait Start TickCount    0             Elapsed Ticks: 6561
Context Switch Count    16922    NoStackSwap
UserTime                  9:03:58.0187
KernelTime                9:03:53.0812
Start Address 0x00000000
Stack Init 80551700 Current 8055144c Base 0 Limit 8054e700 Call 1
Priority 16 BasePriority 97 PriorityDecrement 0 DecrementCount 8
Kernel stack not resident.

ChildEBP RetAddr Args to Child
80551450 80545d2c 00000000 0000000e 00000000 intelppm!AcpiC1Idle+0x12
80551454 00000000 0000000e 00000000 00000000 nt!KiIdleLoop+0x10

1: kd> !thread 0x816aa830
THREAD 816aa830 Cid 0.816aaa14 Teb: 7ffde000 Win32Thread: 00000003 RUNNING
Waiting for reply to LPC MessageId 816aaa2c:
Pending LPC Reply Message:
    816aaa2c: [816aaa2c,816aaa2c]
IRP List:
unable to get IRP object
Not impersonating
Owning Process 816686e8
Wait Start TickCount    -144696204
Context Switch Count    844                   LargeStack
UserTime                 15:49:57.0937
KernelTime               15:49:53.0562
PerfCounter             1
Start Address 0x816837cc
Stack Init f5c93000 Current f5c92b7c Base 0 Limit f5c8f000 Call 3
Priority 15 BasePriority -96 PriorityDecrement 0 DecrementCount 25
Kernel stack not resident.

ChildEBP RetAddr Args to Child
f5c92998 8052b6f1 00000001 f5c92d64 017ed514 nt!RtlpBreakWithStatusInstruction
f5c92be4 8052b878 8052b858 ffffffff 00000000 nt!vDbgPrintExWithPrefix+0x10f
f5c92c00 f58537f4 f58536d0 81794118 f5c92d64 nt!DbgPrint+0x1a
f5c92c34 f5b89c00 00000029 f5c92d2c f5c92c4c Basic!HookFunction41+0xb4
f5c92c68 f5b8ce8a 00000029 f5c92d2c f5c92c98 hookport!HpCallHookPortItem+0x70
f5c92d48 8054160c 00000000 00000000 017ed52c hookport!ProxyNtUserFindWindowEx+0x4a
f5c92d48 7c92eb94 00000000 00000000 017ed52c nt!KiFastCallEntry+0xfc
017ed4f4 77d1fce8 77d3f23a 00000000 00000000 ntdll!KiFastSystemCallRet
017ed53c 77d3f25a 00000000 00000000 773aff24 +0x77d1fce8
017ed558 77417d14 773aff24 00000000 017edd40 +0x77d3f25a
017ed950 77418ab8 00000001 017ed968 00010102 +0x77417d14
017edd24 00411cb1 00000001 017edd40 00d550d8 +0x77418ab8
017edd28 00000000 017edd40 00d550d8 000e00e3 +0x411cb1

这就是两个核上的“当前线程”，某线程调用栈上居然还有 MJ 同学的 hookport ... 呵呵

Re: 多CPU下的调试

处于冻结状态的CPU是在KiFreezeTargetExecution函数中执行，因为会反复执行pause指令，可以认为是处于比较省电的状态，关键的汇编代码如下：

nt!KiFreezeTargetExecution+0x145:

818dbeb1 and dword ptr [esi+18F4h],0FFFFFFDFh

818dbeb8 mov eax,dword ptr [nt!KiFreezeOwner (81928d34)]

818dbebd or dword ptr [eax+18F4h],20h

818dbec4 pause

818dbec6 mov eax,dword ptr [esi+18F4h]

818dbecc and al,0Fh

818dbece cmp al,2

818dbed0 je nt!KiFreezeTargetExecution+0xf1 (818dbe5d)

相当于：

while( (Prcb->IpiFrozen & 0xF) == FROZEN /*0x2/* )

{

if(Prcb->IpiFrozen&0x20)

{

<将当前处理器切换为活动处理器>

}

_pause

}

使用WinDBG的!ipi命令可以看各个CPU的状态：

0: kd> !ipi

IPI State for Processor 0

TargetSet 0 PacketBarrier 0 IpiFrozen 24 [Active] [Freeze Owner]

IpiFrame 818f1ca4 SignalDone 00000000 RequestSummary 0

Packet State Stale WorkerRoutine nt!KiFlushProcessWriteBuffersTarget

Parameter[0] 00000000 Parameter[1] 00000000 Parameter[2] 00000000

IPI State for Processor 1

TargetSet 0 PacketBarrier 0 IpiFrozen 2 [Frozen]

IpiFrame 83c04ca4 SignalDone 00000000 RequestSummary 0

Packet State Stale WorkerRoutine nt!KiFlushProcessWriteBuffersTarget

Parameter[0] 00000000 Parameter[1] 00000000 Parameter[2] 00000000

IPI State for Processor 2

TargetSet 0 PacketBarrier 0 IpiFrozen 2 [Frozen]

IpiFrame 83c49ca4 SignalDone 00000000 RequestSummary 0

Packet State Stale WorkerRoutine nt!KiFlushTargetProcessTb

Parameter[0] 00000000 Parameter[1] 00000000 Parameter[2] 00000000

IPI State for Processor 3

TargetSet 0 PacketBarrier 0 IpiFrozen 2 [Frozen]

IpiFrame 847b4ca4 SignalDone 00000000 RequestSummary 0

Packet State Stale WorkerRoutine nt!KiFlushTargetSingleTb

Parameter[0] 00000000 Parameter[1] a0351000 Parameter[2] 00000000

WinDbg