
The relationship between KiFindReadyThread, KiSelectReadyThread and the TargetPrcb->DispatcherReadyListHead array

Author: 张小明, front-end development engineer

The relationship between KiFindReadyThread, KiDeferredReadyThread, KiSelectReadyThread and the TargetPrcb->DispatcherReadyListHead array

Part 1: find the next thread to run and set a breakpoint on it

KPCR for Processor 1 at f7737000:


[+0x928]ReadySummary : 0x200[Type: unsigned long]
[+0x92c] SelectNextLast : 0x0 [Type: unsigned long]
[+0x930] DispatcherReadyListHead [Type: _LIST_ENTRY [32]]
[+0xa30] DeferredReadyListHead [Type: _SINGLE_LIST_ENTRY]

ReadySummary = 0x200 = 0010 0000 0000 in binary: bit 9 (counting from bit 0) is set, so exactly one ready list, DispatcherReadyListHead[9], is non-empty. The offsets above are relative to the PRCB (KPCR + 0x120 = 0xf7737120), so that entry sits at 0xf7737120 + 0x930 + 9 * 8 = 0xf7737a98, which the next command dumps:


1: kd> dx -id 0,0,89831250 -r1 (*((basesrv!_LIST_ENTRY *)0xf7737a98))
(*((basesrv!_LIST_ENTRY *)0xf7737a98)) [Type: _LIST_ENTRY]
[+0x000] Flink : 0x89836080 [Type: _LIST_ENTRY *]
[+0x004] Blink : 0x89836080 [Type: _LIST_ENTRY *]

1: kd>dt kthread 0x89836080-60
CSRSRV!KTHREAD
+0x000 Header : _DISPATCHER_HEADER
+0x010 MutantListHead : _LIST_ENTRY [ 0x89836030 - 0x89836030 ]
+0x018 InitialStack : 0xf701c000 Void
+0x01c StackLimit : 0xf7019000 Void
+0x020 KernelStack : 0xf701bce0 Void
+0x024 ThreadLock : 0
+0x028 ContextSwitches : 0x406
+0x02c State : 0x1 ''
+0x02d NpxState : 0xa ''
+0x02e WaitIrql : 0 ''
+0x02f WaitMode : 0 ''
+0x030 Teb : (null)
+0x034 ApcState : _KAPC_STATE
+0x04c ApcQueueLock : 0
+0x050 WaitStatus : 0n0
+0x054 WaitBlockList : 0x898360c0 _KWAIT_BLOCK
+0x058 Alertable : 0 ''
+0x059 WaitNext : 0 ''
+0x05a WaitReason : 0x5 ''
+0x05b Priority : 9 ''
+0x05c EnableStackSwap : 0x1 ''
+0x05d SwapBusy : 0 ''
+0x05e Alerted : [2] ""
+0x060 WaitListEntry : _LIST_ENTRY [ 0xf7737a98 - 0xf7737a98 ]

1: kd> !thread 0x89836080-60
THREAD 89836020 Cid 0004.0100 Teb: 00000000 Win32Thread: 00000000 READY on processor 1
Not impersonating
DeviceMap e10003d8
Owning Process 899a2278 Image: System
Attached Process N/A Image: N/A
Wait Start TickCount 274655207 Ticks: 4 (0:00:00:00.062)
Context Switch Count 1030 IdealProcessor: 1
UserTime 00:00:00.000
KernelTime 00:00:00.171
Stack Init f701c000 Current f701bce0 Base f701c000 Limit f7019000 Call 00000000
Priority 9 BasePriority 8 PriorityDecrement 0 IoPriority 0 PagePriority 0
ChildEBP RetAddr Args to Child
f701bcf8 80a440eb 898360c0 89836020 898d45c0 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4]) [d:\srv03rtm\base\ntos\ke\i386\ctxswap.asm @ 139]
f701bd30 80a35ea9 80a30b6a 898d40e8 4f444648 nt!KiSwapThread+0x627 (FPO: [Non-Fpo]) (CONV: fastcall) [d:\srv03rtm\base\ntos\ke\thredsup.c @ 2000]
f701bd64 bae8bf7b 898d45c0 00000005 00000000 nt!KeWaitForSingleObject+0x2d7 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\ke\wait.c @ 1161]
f701bdac 80d391f0 898d4030 00000000 00000000 USBPORT!USBPORT_WorkerThread+0x57 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\drivers\wdm\usb\hcd\usbport\thread.c @ 106]
f701bddc 80b00d52 bae8bf24 898d4030 00000000 nt!PspSystemThreadStartup+0x2e (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\ps\create.c @ 2213]
00000000 f000ff53 f000e2c3 f000ff53 f000ff53 nt!KiThreadStartup+0x16 [d:\srv03rtm\base\ntos\ke\i386\threadbg.asm @ 81]
WARNING: Frame IP not in any known module. Following frames may be wrong.
30000000 00000000 00000000 00000000 00000000 0xf000ff53


1: kd> bp 80a35ea9
1: kd> g
Breakpoint 39 hit
eax=00000000 ebx=898d45c0 ecx=00000000 edx=80010031 esi=89836020 edi=898360c0
eip=80a35ea9 esp=f701bd38 ebp=f701bd64 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
nt!KeWaitForSingleObject+0x2d7:
80a35ea9 3d00010000 cmp eax,100h
1: kd> kc
#
00 nt!KeWaitForSingleObject
01 USBPORT!USBPORT_WorkerThread
02 nt!PspSystemThreadStartup
03 nt!KiThreadStartup
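The chain the dumps in Part 1 walk, ReadySummary bit -> DispatcherReadyListHead[priority] -> WaitListEntry -> KTHREAD, modelled in C. This is an added illustration, not kernel code: the structures are reduced, constructed layouts carrying only the fields used here, the function names PrcbInit, ReadyThread and FindReadyThread are this example's own, and FindReadyThread omits the affinity checks the real KiFindReadyThread performs.

```c
#include <stddef.h>
#include <stdint.h>
#define MAXIMUM_PRIORITY 32
typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;
/* Reduced, constructed layouts carrying only the fields the dumps above use. */
typedef struct _KTHREAD {
    uint8_t    State;          /* KTHREAD+0x02c in the dump: 1 = Ready, 5 = Waiting */
    uint8_t    Priority;       /* KTHREAD+0x05b */
    LIST_ENTRY WaitListEntry;  /* KTHREAD+0x060: links the thread into a ready list */
} KTHREAD;
typedef struct _KPRCB {
    uint32_t   ReadySummary;                              /* bit N set <=> list N non-empty */
    LIST_ENTRY DispatcherReadyListHead[MAXIMUM_PRIORITY]; /* one list per priority 0..31 */
} KPRCB;
/* The "dt kthread 0x89836080-60" step in the dump: from a list entry back to its KTHREAD. */
#define CONTAINING_RECORD(addr, type, field) ((type *)((char *)(addr) - offsetof(type, field)))

void PrcbInit(KPRCB *p)
{
    p->ReadySummary = 0;
    for (int i = 0; i < MAXIMUM_PRIORITY; i++) {
        LIST_ENTRY *h = &p->DispatcherReadyListHead[i];
        h->Flink = h->Blink = h;  /* empty list: head points at itself */
    }
}

/* Queue a thread on the ready list for its priority and set the matching summary bit. */
void ReadyThread(KPRCB *p, KTHREAD *t)
{
    LIST_ENTRY *h = &p->DispatcherReadyListHead[t->Priority], *e = &t->WaitListEntry;
    t->State = 1;  /* Ready */
    e->Flink = h; e->Blink = h->Blink; h->Blink->Flink = e; h->Blink = e;  /* InsertTailList */
    p->ReadySummary |= 1u << t->Priority;
}

/* Model of KiFindReadyThread(Prcb, LowPriority): take the head of the highest non-empty
 * list at or above LowPriority (affinity checks omitted), unlink it, clear the bit if empty. */
KTHREAD *FindReadyThread(KPRCB *p, int LowPriority)
{
    uint32_t summary = p->ReadySummary & ~((1u << LowPriority) - 1u);
    if (summary == 0) return NULL;
    int prio = 31;
    while (!((summary >> prio) & 1u)) prio--;                /* leftmost set bit */
    LIST_ENTRY *head = &p->DispatcherReadyListHead[prio], *e = head->Flink;
    e->Blink->Flink = e->Flink; e->Flink->Blink = e->Blink;  /* RemoveEntryList */
    if (head->Flink == head) p->ReadySummary &= ~(1u << prio);
    return CONTAINING_RECORD(e, KTHREAD, WaitListEntry);
}
```

Queuing a single priority-9 thread reproduces the ReadySummary value 0x200 seen in the dump, and the list head's Flink then points at that thread's WaitListEntry exactly as the dx output shows.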

Part 2: inspect the state of the thread that gave up the CPU.


typedef enum _KTHREAD_STATE {
    Initialized,    // 0
    Ready,          // 1  the USBPORT worker thread above (State 0x1, queued on DispatcherReadyListHead[9])
    Running,        // 2
    Standby,        // 3
    Terminated,     // 4
    Waiting,        // 5  the csrss.exe thread below (State 0x5)
    Transition,     // 6
    DeferredReady,  // 7  on DeferredReadyListHead, not yet moved to a dispatcher ready list by KiDeferredReadyThread
    GateWait        // 8  (Transition, DeferredReady and GateWait complete the public enum)
} KTHREAD_STATE;


1: kd> dt kTHREAD 89804020
CSRSRV!KTHREAD
+0x000 Header : _DISPATCHER_HEADER
+0x010 MutantListHead : _LIST_ENTRY [ 0x89804030 - 0x89804030 ]
+0x018 InitialStack : 0xf75f7000 Void
+0x01c StackLimit : 0xf75f4000 Void
+0x020 KernelStack : 0xf75f692c Void
+0x024 ThreadLock : 0
+0x028 ContextSwitches : 0x25d
+0x02c State : 0x5 '' Waiting,

1: kd> !THREAD 89804020
THREAD 89804020 Cid 01b0.01e0 Teb: 7ffd8000 Win32Thread: e1639460 WAIT: (WrUserRequest) UserMode Non-Alertable
8957cd20 SynchronizationEvent
89505548 SynchronizationEvent
89804b80 SynchronizationEvent
IRP List:
894f8458: (0006,01d8) Flags: 00000970 Mdl: 00000000
8989e008: (0006,0190) Flags: 00000970 Mdl: 00000000
89530910: (0006,01d8) Flags: 00000970 Mdl: 00000000
89756e70: (0006,0190) Flags: 00000970 Mdl: 00000000
Not impersonating
DeviceMap e10003d8
Owning Process 89831250 Image: csrss.exe
Attached Process N/A Image: N/A
Wait Start TickCount 274655209 Ticks: 3 (0:00:00:00.046)
Context Switch Count 605 IdealProcessor: 1 LargeStack
UserTime 00:00:00.000
KernelTime 00:00:00.796
Stack Init f75f7000 Current f75f692c Base f75f7000 Limit f75f4000 Call 00000000
Priority 15 BasePriority 13 PriorityDecrement 0 IoPriority 0 PagePriority 0
ChildEBP RetAddr Args to Child
f75f6944 80a440eb f7737120 89804020 89804080 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4]) [d:\srv03rtm\base\ntos\ke\i386\ctxswap.asm @ 139]
f75f697c 80a358c7 00000000 e1639460 00000002 nt!KiSwapThread+0x627 (FPO: [Non-Fpo]) (CONV: fastcall) [d:\srv03rtm\base\ntos\ke\thredsup.c @ 2000]
f75f69b4 bf8a4685 00000003 89804b50 00000001 nt!KeWaitForMultipleObjects+0x3b5 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\ke\wait.c @ 816]
f75f6a04 bf8b123e 00000002 89804b50 bf8fe215 win32k!xxxMsgWaitForMultipleObjects+0xeb (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\kernel\queue.c @ 4540]
f75f6d1c bf8b21ba bfa70aa0 00000001 f75f6d48 win32k!xxxDesktopThread+0x437 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\kernel\desktop.c @ 594]
f75f6d2c bf806d52 bfa70aa0 f75f6d58 008cfff4 win32k!xxxCreateSystemThreads+0x9c (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\kernel\desktop.c @ 347]
f75f6d48 80afbcb2 00000000 00000022 80afb956 win32k!NtUserCallOneParam+0xa0 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\kernel\ntstubs.c @ 4789]
f75f6d48 7ffe0304 00000000 00000022 80afb956 nt!_KiSystemService+0x13f (FPO: [0,3] TrapFrame @ f75f6d64) (CONV: cdecl) [d:\srv03rtm\base\ntos\ke\i386\trap.asm @ 1328]
00000000 00000000 00000000 00000000 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])
