news 2026/4/23 10:30:51

Analysis of nt!KiSwapThread: assembly and walkthrough of nt!KiFindReadyThread and nt!KiSwapContext

Author: 张小明

Part 1:

The case where the current processor is processor 1, and its KPCR at f7737000 has no NextThread and ReadySummary = 0.

LONG_PTR
FASTCALL
KiSwapThread (
IN PKTHREAD OldThread,
IN PKPRCB CurrentPrcb
)
{


if ((NewThread = CurrentPrcb->NextThread) != NULL) {

//
// Clear the next thread address, set the current thread address, and
// set the thread state to running.
//

CurrentPrcb->NextThread = NULL;
CurrentPrcb->CurrentThread = NewThread;
NewThread->State = Running;

} else {

//
// Attempt to select a thread from the current processor dispatcher
// ready queues.
//

if ((NewThread = KiSelectReadyThread(0, CurrentPrcb)) != NULL) {
CurrentPrcb->CurrentThread = NewThread;
NewThread->State = Running;

} else {

Part 2:

1: kd> g
Breakpoint 30 hit
eax=ffdff120 ebx=f7737120 ecx=00000001 edx=ffdff120 esi=00000000 edi=80a059f8
eip=80a429d8 esp=f75f6948 ebp=f75f697c iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000206
nt!KiFindReadyThread:
80a429d8 55 push ebp
1: kd> kc
#
00 nt!KiFindReadyThread
01 nt!KiSwapThread
02 nt!KeWaitForMultipleObjects
03 win32k!xxxMsgWaitForMultipleObjects
04 win32k!xxxDesktopThread
05 win32k!xxxCreateSystemThreads
06 win32k!NtUserCallOneParam
07 nt!_KiSystemService
08 SharedUserData!SystemCallStub
09 winsrv!NtUserCallOneParam
1: kd> !pcr
KPCR for Processor 1 at f7737000:

1: kd> dt KPCR f7737000
basesrv!KPCR
+0x000 NtTib : _NT_TIB
+0x000 Used_ExceptionList : 0xf75f6260 _EXCEPTION_REGISTRATION_RECORD
+0x004 Used_StackBase : (null)
+0x008 PerfGlobalGroupMask : (null)
+0x00c TssCopy : 0xf7737ef0 Void
+0x010 ContextSwitches : 0x8a1e
+0x014 SetMemberCopy : 2
+0x018 Used_Self : 0x7ffd8000 Void
+0x01c SelfPcr : 0xf7737000 _KPCR
+0x020 Prcb : 0xf7737120 _KPRCB

1: kd> dx -id 0,0,89831250 -r1 ((basesrv!_KPRCB *)0xf7737120)
((basesrv!_KPRCB *)0xf7737120) : 0xf7737120 [Type: _KPRCB *]
[+0x000] MinorVersion : 0x1 [Type: unsigned short]
[+0x002] MajorVersion : 0x1 [Type: unsigned short]
[+0x004] CurrentThread : 0x89804020 [Type: _KTHREAD *]
[+0x008] NextThread : 0x0 [Type: _KTHREAD *]

[+0x928] ReadySummary : 0x0 [Type: unsigned long]
[+0x92c] SelectNextLast : 0x0 [Type: unsigned long]
[+0x930] DispatcherReadyListHead [Type: _LIST_ENTRY [32]]
[+0xa30] DeferredReadyListHead [Type: _SINGLE_LIST_ENTRY]
[+0xa34] PrcbPad72 [Type: unsigned long [11]]
[+0xa60] ChainedInterruptList : 0x0 [Type: void *]
[+0xa64] LookasideIrpFloat : 32720 [Type: long]
[+0xa68] SpareFields0 [Type: unsigned long [4]]
[+0xa78] VendorString [Type: unsigned char [13]]
[+0xa85] InitialApicId : 0x1 [Type: unsigned char]
[+0xa86] LogicalProcessorsPerPhysicalProcessor : 0x2 [Type: unsigned char]
[+0xa88] MHz : 0xe0f [Type: unsigned long]
[+0xa8c] FeatureBits : 0x33fff [Type: unsigned long]
[+0xa90] UpdateSignature : {876173328384} [Type: _LARGE_INTEGER]
[+0xa98] IsrTime : 0x0 [Type: unsigned __int64]
[+0xaa0] NpxSaveArea [Type: _FX_SAVE_AREA]
[+0xcb0] PowerState [Type: _PROCESSOR_POWER_STATE]
1: kd> kv
# ChildEBP RetAddr Args to Child
00 f75f6944 80a43dd9 f7737120 89804020 89804080 nt!KiFindReadyThread (FPO: [Non-Fpo]) (CONV: fastcall) [d:\srv03rtm\base\ntos\ke\thredsup.c @ 722]
01 f75f697c 80a358c7 00000000 e1639460 00000002 nt!KiSwapThread+0x315 (FPO: [Non-Fpo]) (CONV: fastcall) [d:\srv03rtm\base\ntos\ke\thredsup.c @ 1854]
02 f75f69b4 bf8a4685 00000003 89804b50 00000001 nt!KeWaitForMultipleObjects+0x3b5 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\ke\wait.c @ 816]
03 f75f6a04 bf8b123e 00000002 89804b50 bf8fe215 win32k!xxxMsgWaitForMultipleObjects+0xeb (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\kernel\queue.c @ 4540]
04 f75f6d1c bf8b21ba bfa70aa0 00000001 f75f6d48 win32k!xxxDesktopThread+0x437 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\kernel\desktop.c @ 594]
05 f75f6d2c bf806d52 bfa70aa0 f75f6d58 008cfff4 win32k!xxxCreateSystemThreads+0x9c (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\kernel\desktop.c @ 347]
06 f75f6d48 80afbcb2 00000000 00000022 80afb956 win32k!NtUserCallOneParam+0xa0 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\kernel\ntstubs.c @ 4789]
07 f75f6d48 7ffe0304 00000000 00000022 80afb956 nt!_KiSystemService+0x13f (FPO: [0,3] TrapFrame @ f75f6d64) (CONV: cdecl) [d:\srv03rtm\base\ntos\ke\i386\trap.asm @ 1328]
08 008cffe0 75340774 75318a89 00000000 00000022 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])
09 008cffe8 00000000 00000022 00000004 00000000 winsrv!NtUserCallOneParam+0xc (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\umode\daytona\obj\i386\usrstubs.c @ 2683]

1: kd> dx -id 0,0,89831250 -r1 ((basesrv!_KPRCB *)0xffdff120)
((basesrv!_KPRCB *)0xffdff120) : 0xffdff120 [Type: _KPRCB *]
[+0x000] MinorVersion : 0x1 [Type: unsigned short]
[+0x002] MajorVersion : 0x1 [Type: unsigned short]
[+0x004] CurrentThread : 0x895f2a78 [Type: _KTHREAD *]
[+0x008] NextThread : 0x0 [Type: _KTHREAD *]

[+0x928] ReadySummary : 0x4000 [Type: unsigned long]
[+0x92c] SelectNextLast : 0x0 [Type: unsigned long]
[+0x930] DispatcherReadyListHead [Type: _LIST_ENTRY [32]]

1: kd> dx -id 0,0,89831250 -r1 (*((basesrv!_LIST_ENTRY (*)[32])0xffdffa50))
(*((basesrv!_LIST_ENTRY (*)[32])0xffdffa50)) [Type: _LIST_ENTRY [32]]

[14] [Type: _LIST_ENTRY]

1: kd> dx -id 0,0,89831250 -r1 (*((basesrv!_LIST_ENTRY *)0xffdffac0))
(*((basesrv!_LIST_ENTRY *)0xffdffac0)) [Type: _LIST_ENTRY]
[+0x000] Flink : 0x895552c8 [Type: _LIST_ENTRY *]
[+0x004] Blink : 0x895552c8 [Type: _LIST_ENTRY *]

if (RemoveEntryList(&Thread->WaitListEntry) != FALSE) {
Prcb->ReadySummary ^= PRIORITY_MASK(HighPriority);
}

Thread->NextProcessor = (UCHAR)Number;
return Thread;

PrioritySet = Prcb->ReadySummary; // edi=00004000

ASSERT(PrioritySet != 0);

1: kd> p
eax=ffdff120 ebx=ffdff120 ecx=00000001 edx=ffdff120 esi=00000000 edi=00004000
eip=80a429e9 esp=f75f6920 ebp=f75f6944 iopl=0 nv up ei ng nz ac po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000292
nt!KiFindReadyThread+0x11:
80a429e9 85ff test edi,edi


KeFindFirstSetLeftMember(PrioritySet, &HighPriority);


1: kd> p
eax=00000002 ebx=ffdffac0 ecx=00000001 edx=ffdff120 esi=89555268 edi=00004000
eip=80a42a92 esp=f75f6920 ebp=f75f6944 iopl=0 nv up ei ng nz na po cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000283
nt!KiFindReadyThread+0xba:
80a42a92 858620010000 test dword ptr [esi+120h],eax ds:0023:89555388=00000003

Thread = CONTAINING_RECORD(NextEntry, KTHREAD, WaitListEntry);
if ((Thread->Affinity & AFFINITY_MASK(Number)) != 0) {

1: kd> p
eax=00000002 ebx=ffdffac0 ecx=00000001 edx=ffdff120 esi=89555268 edi=00004000
eip=80a42a92 esp=f75f6920 ebp=f75f6944 iopl=0 nv up ei ng nz na po cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000283
nt!KiFindReadyThread+0xba:
80a42a92 858620010000 test dword ptr [esi+120h],eax ds:0023:89555388=00000003

1: kd> dt kthread 89555268
CSRSRV!KTHREAD
+0x000 Header : _DISPATCHER_HEADER
+0x010 MutantListHead : _LIST_ENTRY [ 0x89555278 - 0x89555278 ]
+0x018 InitialStack : 0xf75d7000 Void
+0x01c StackLimit : 0xf75d4000 Void
+0x020 KernelStack : 0xf75d6a18 Void
+0x024 ThreadLock : 0
+0x028 ContextSwitches : 0xa10
+0x02c State : 0x1 ''

+0x120 Affinity : 3


if (RemoveEntryList(&Thread->WaitListEntry) != FALSE) {
Prcb->ReadySummary ^= PRIORITY_MASK(HighPriority);
}

1: kd> dx -id 0,0,89831250 -r1 ((basesrv!_KPRCB *)0xffdff120)

[+0x928] ReadySummary : 0x0 [Type: unsigned long]

1: kd> dx -id 0,0,89831250 -r1 (*((basesrv!_LIST_ENTRY (*)[32])0xffdffa50))

[14] [Type: _LIST_ENTRY]

1: kd> dx -id 0,0,89831250 -r1 (*((basesrv!_LIST_ENTRY *)0xffdffac0))
(*((basesrv!_LIST_ENTRY *)0xffdffac0)) [Type: _LIST_ENTRY]
[+0x000] Flink : 0xffdffac0 [Type: _LIST_ENTRY *]
[+0x004] Blink : 0xffdffac0 [Type: _LIST_ENTRY *]


Thread->NextProcessor = (UCHAR)Number;
return Thread;
}

1: kd> p
eax=89555268 ebx=80a05ee8 ecx=ffdffac0 edx=ffdff120 esi=89555268 edi=ffdff120
eip=80a42b5e esp=f75f6920 ebp=f75f6944 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
nt!KiFindReadyThread+0x186:
80a42b5e 5f pop edi
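The selection path traced above (ReadySummary 0x4000 selects list 14, the affinity test against AFFINITY_MASK(1), RemoveEntryList draining the list and clearing the summary bit) modelled as an added C example; this is not the Windows source, the structures are reduced to the fields the trace touches, and the thread values are constructed to match the trace.

```c
/* Model of the KiFindReadyThread path traced above (added example, not Windows
 * source): ReadySummary bitmask over 32 priority lists, highest-bit pick, affinity check. */
#include <stddef.h>
#include <stdint.h>

#define MAXIMUM_PRIORITY 32
#define PRIORITY_MASK(p) (1u << (p))
#define AFFINITY_MASK(n) (1u << (n))     /* KiAffinityArray[n] on x86 */
#define CONTAINING_RECORD(a, type, f) ((type *)((char *)(a) - offsetof(type, f)))
typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;
typedef struct {
    uint32_t   Affinity;        /* bit n set: may run on processor n */
    uint8_t    NextProcessor;
    LIST_ENTRY WaitListEntry;   /* links the thread into a ready list */
} KTHREAD;

typedef struct { uint32_t ReadySummary;   /* bit p set: ready list p is non-empty */
                 LIST_ENTRY DispatcherReadyListHead[MAXIMUM_PRIORITY]; } KPRCB;

/* Unlink e; nonzero if the list is now empty (the kernel's RemoveEntryList contract). */
static int RemoveEntryList(LIST_ENTRY *e) {
    e->Blink->Flink = e->Flink; e->Flink->Blink = e->Blink;
    return e->Flink == e->Blink;
}

int FindFirstSetLeftMember(uint32_t set) {        /* index of the highest set bit */
    int i = 31; while (i > 0 && !(set & (1u << i))) i--; return i;
}

void PrcbInit(KPRCB *p) {
    p->ReadySummary = 0;
    for (int i = 0; i < MAXIMUM_PRIORITY; i++)
        p->DispatcherReadyListHead[i].Flink = p->DispatcherReadyListHead[i].Blink = &p->DispatcherReadyListHead[i];
}

/* Queue t at the tail of ready list prio and set that priority's summary bit. */
void InsertReadyThread(KPRCB *p, KTHREAD *t, int prio) {
    LIST_ENTRY *h = &p->DispatcherReadyListHead[prio], *e = &t->WaitListEntry;
    e->Flink = h; e->Blink = h->Blink; h->Blink->Flink = e; h->Blink = e;
    p->ReadySummary |= PRIORITY_MASK(prio);
}

/* Highest-priority ready thread allowed on processor Number, or NULL. */
KTHREAD *FindReadyThread(uint32_t Number, KPRCB *Prcb) {
    uint32_t PrioritySet = Prcb->ReadySummary;
    while (PrioritySet != 0) {
        int HighPriority = FindFirstSetLeftMember(PrioritySet);
        LIST_ENTRY *h = &Prcb->DispatcherReadyListHead[HighPriority];
        for (LIST_ENTRY *e = h->Flink; e != h; e = e->Flink) {
            KTHREAD *t = CONTAINING_RECORD(e, KTHREAD, WaitListEntry);
            if ((t->Affinity & AFFINITY_MASK(Number)) != 0) {
                if (RemoveEntryList(e)) Prcb->ReadySummary ^= PRIORITY_MASK(HighPriority);
                t->NextProcessor = (uint8_t)Number;
                return t;
            }
        }
        PrioritySet ^= PRIORITY_MASK(HighPriority); /* none runnable here: go lower */
    }
    return NULL;
}

/* Replay the trace (processor Number, one priority-14 thread with Affinity):
 * returns ReadySummary after the pick, or 0xFFFFFFFF if no thread was runnable. */
uint32_t ReplayTrace(uint32_t Affinity, uint32_t Number) {
    static KPRCB prcb; static KTHREAD t; PrcbInit(&prcb); t.Affinity = Affinity;
    InsertReadyThread(&prcb, &t, 14);               /* ReadySummary is now 0x4000 */
    KTHREAD *found = FindReadyThread(Number, &prcb);
    if (found == NULL) return 0xFFFFFFFFu;
    return found == &t && found->NextProcessor == Number ? prcb.ReadySummary : 0xFFFFFFFEu;
}
```

ReplayTrace(3, 1) reproduces the trace (the only ready thread is taken and ReadySummary drops to 0); ReplayTrace(1, 1) shows the affinity miss, where the priority-14 thread stays queued and nothing is selected for processor 1.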

if ((NewThread = CurrentPrcb->NextThread) == NULL) {
if ((TargetPrcb->ReadySummary != 0) &&
(NewThread = KiFindReadyThread(Processor,
TargetPrcb)) != NULL) { // execution returns here:

1: kd> p
eax=89555268 ebx=f7737120 ecx=ffdffac0 edx=ffdff120 esi=00000000 edi=80a059f8
eip=80a43dd9 esp=f75f694c ebp=f75f697c iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
nt!KiSwapThread+0x315:
80a43dd9 8bf0 mov esi,eax

NewThread = KiFindReadyThread(Processor,
TargetPrcb); // eax=89555268

//
// A new thread has been found to run on the
// current processor.
//

NewThread->State = Running;
KiReleasePrcbLock(TargetPrcb);
CurrentPrcb->CurrentThread = NewThread; // CurrentThread : 0x89555268


1: kd> dt kthread 89555268
CSRSRV!KTHREAD
+0x000 Header : _DISPATCHER_HEADER
+0x010 MutantListHead : _LIST_ENTRY [ 0x89555278 - 0x89555278 ]
+0x018 InitialStack : 0xf75d7000 Void
+0x01c StackLimit : 0xf75d4000 Void
+0x020 KernelStack : 0xf75d6a18 Void
+0x024 ThreadLock : 0
+0x028 ContextSwitches : 0xa10
+0x02c State : 0x2 '' Running


+0x10f NextProcessor : 0x1 ''

1: kd>
((ntkrnlmp!_KPRCB *)0xf7737120) : 0xf7737120 [Type: _KPRCB *]
[+0x000] MinorVersion : 0x1 [Type: unsigned short]
[+0x002] MajorVersion : 0x1 [Type: unsigned short]
[+0x004] CurrentThread : 0x89555268 [Type: _KTHREAD *]
[+0x008] NextThread : 0x0 [Type: _KTHREAD *]
[+0x00c] IdleThread : 0xf7739fa0 [Type: _KTHREAD *]
[+0x010] Number : 1 [Type: char]


//
// Clear idle on the current processor and
// update the idle summary SMT set to indicate
// the physical processor is not entirely idle.
//

KiClearIdleSummary(AFFINITY_MASK(Processor));
KiClearSMTSummary(CurrentPrcb->MultiThreadProcessorSet);
goto ThreadFound; // swap threads right away.


#if !defined(_WIN64)

#define KiAffinityArray KiMask32Array

#endif

extern const ULONG_PTR KiAffinityArray[];

#define AFFINITY_MASK(n) (KiAffinityArray[n])


1: kd> x nt!KiIdleSummary
80b16e80 nt!KiIdleSummary = 0


1: kd> dv Processor
Processor = 1


[+0x4d0] MultiThreadProcessorSet : 0x3 [Type: unsigned long]

} else {
Pending = KiSwapContext(OldThread, NewThread);
}

;++
;
; BOOLEAN
; KiSwapContext (
; IN PKTHREAD OldThread
; IN PKTHREAD NewThread
; )
;
; Routine Description:
;
; This function is a small wrapper, callable from C code, that marshalls
; arguments and calls the actual swap context routine.
;
; Arguments:
;
; OldThread (ecx) - Supplies the address of the old thread. (ecx=89804020)
; NewThread (edx) - Supplies the address of the new thread. (edx=89555268)

;
; Return Value:
;
; If a kernel APC is pending, then a value of TRUE is returned. Otherwise,
; a value of FALSE is returned.
;
;--

cPublicFastCall KiSwapContext, 2
.fpo (0, 0, 0, 4, 1, 0)

1: kd> p
eax=00000000 ebx=89804020 ecx=89804020 edx=89555268 esi=89555268 edi=80a059f8
eip=80a440e6 esp=f75f694c ebp=f75f697c iopl=0 nv up ei pl nz ac pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000216
nt!KiSwapThread+0x622:
80a440e6 e8edc50b00 call nt!KiSwapContext (80b006d8)
1: kd> t
eax=00000000 ebx=89804020 ecx=89804020 edx=89555268 esi=89555268 edi=80a059f8
eip=80b006d8 esp=f75f6948 ebp=f75f697c iopl=0 nv up ei pl nz ac pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000216
nt!KiSwapContext:
80b006d8 83ec10 sub esp,10h
1: kd> kc
#
00 nt!KiSwapContext
01 nt!KiSwapThread
WARNING: Frame IP not in any known module. Following frames may be wrong.
02 0x0

Part 3:

cPublicFastCall KiSwapContext, 2
.fpo (0, 0, 0, 4, 1, 0)

;
; N.B. The following registers MUST be saved such that ebp is saved last.
; This is done so the debugger can find the saved ebp for a thread
; that is not currently in the running state.
;

sub esp, 4*4
mov [esp+12], ebx ; save registers
mov [esp+8], esi ;
mov [esp+4], edi ;
mov [esp+0], ebp ;
mov ebx, PCR[PcSelfPcr] ; set address of PCR
mov edi, ecx ; set old thread address
mov esi, edx ; set next thread address
movzx ecx, byte ptr [edi].ThWaitirql ; set APC interrupt bypass disable

CAPSTART <@KiSwapContext@8,SwapContext>
call SwapContext ; swap context
CAPEND <@KiSwapContext@8>
mov ebp, [esp+0] ; restore registers
mov edi, [esp+4] ;
mov esi, [esp+8] ;
mov ebx, [esp+12] ;
add esp, 4*4 ;
fstRET KiSwapContext ;

fstENDP KiSwapContext


1: kd> p
eax=00000000 ebx=89804020 ecx=89804020 edx=89555268 esi=89555268 edi=80a059f8
eip=80a440e6 esp=f75f694c ebp=f75f697c iopl=0 nv up ei pl nz ac pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000216
nt!KiSwapThread+0x622:
80a440e6 e8edc50b00 call nt!KiSwapContext (80b006d8)
1: kd> t
eax=00000000 ebx=89804020 ecx=89804020 edx=89555268 esi=89555268 edi=80a059f8
eip=80b006d8 esp=f75f6948 ebp=f75f697c iopl=0 nv up ei pl nz ac pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000216
nt!KiSwapContext:
80b006d8 83ec10 sub esp,10h

1: kd> p
eax=00000000 ebx=89804020 ecx=89804020 edx=89555268 esi=89555268 edi=80a059f8
eip=80b006db esp=f75f6938 ebp=f75f697c iopl=0 nv up ei ng nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000282
nt!KiSwapContext+0x3:
80b006db 895c240c mov dword ptr [esp+0Ch],ebx ss:0010:f75f6944=00000316
1: kd> p
eax=00000000 ebx=89804020 ecx=89804020 edx=89555268 esi=89555268 edi=80a059f8
eip=80b006df esp=f75f6938 ebp=f75f697c iopl=0 nv up ei ng nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000282
nt!KiSwapContext+0x7:
80b006df 89742408 mov dword ptr [esp+8],esi ss:0010:f75f6940=00000008
1: kd> p
eax=00000000 ebx=89804020 ecx=89804020 edx=89555268 esi=89555268 edi=80a059f8
eip=80b006e3 esp=f75f6938 ebp=f75f697c iopl=0 nv up ei ng nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000282
nt!KiSwapContext+0xb:
80b006e3 897c2404 mov dword ptr [esp+4],edi ss:0010:f75f693c={nt!KiSwapContext (80b006d8)}
1: kd> p
eax=00000000 ebx=89804020 ecx=89804020 edx=89555268 esi=89555268 edi=80a059f8
eip=80b006e7 esp=f75f6938 ebp=f75f697c iopl=0 nv up ei ng nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000282
nt!KiSwapContext+0xf:
80b006e7 892c24 mov dword ptr [esp],ebp ss:0010:f75f6938=00000000
1: kd> p
eax=00000000 ebx=89804020 ecx=89804020 edx=89555268 esi=89555268 edi=80a059f8
eip=80b006ea esp=f75f6938 ebp=f75f697c iopl=0 nv up ei ng nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000282
nt!KiSwapContext+0x12:
80b006ea 648b1d1c000000 mov ebx,dword ptr fs:[1Ch] fs:0030:0000001c=f7737000
1: kd> p
eax=00000000 ebx=f7737000 ecx=89804020 edx=89555268 esi=89555268 edi=80a059f8
eip=80b006f1 esp=f75f6938 ebp=f75f697c iopl=0 nv up ei ng nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000282
nt!KiSwapContext+0x19:
80b006f1 8bf9 mov edi,ecx
1: kd> p
eax=00000000 ebx=f7737000 ecx=89804020 edx=89555268 esi=89555268 edi=89804020
eip=80b006f3 esp=f75f6938 ebp=f75f697c iopl=0 nv up ei ng nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000282
nt!KiSwapContext+0x1b:
80b006f3 8bf2 mov esi,edx
1: kd> p
eax=00000000 ebx=f7737000 ecx=89804020 edx=89555268 esi=89555268 edi=89804020
eip=80b006f5 esp=f75f6938 ebp=f75f697c iopl=0 nv up ei ng nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000282
nt!KiSwapContext+0x1d:
80b006f5 0fb64f2e movzx ecx,byte ptr [edi+2Eh] ds:0023:8980404e=00
1: kd> p
eax=00000000 ebx=f7737000 ecx=00000000 edx=89555268 esi=89555268 edi=89804020
eip=80b006f9 esp=f75f6938 ebp=f75f697c iopl=0 nv up ei ng nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000282
nt!KiSwapContext+0x21:
80b006f9 e8f2000000 call nt!SwapContext (80b007f0)
1: kd> p
eax=00000000 ebx=f7737000 ecx=00000000 edx=80010031 esi=89555268 edi=89804020
eip=80b006fe esp=f75d6a24 ebp=89831250 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
nt!KiSwapContext+0x26:
80b006fe 8b2c24 mov ebp,dword ptr [esp] ss:0010:f75d6a24=f75d6a68
1: kd> p
eax=00000000 ebx=f7737000 ecx=00000000 edx=80010031 esi=89555268 edi=89804020
eip=80b00701 esp=f75d6a24 ebp=f75d6a68 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
nt!KiSwapContext+0x29:
80b00701 8b7c2404 mov edi,dword ptr [esp+4] ss:0010:f75d6a28={nt!`string' (80a059f8)}
1: kd> p
eax=00000000 ebx=f7737000 ecx=00000000 edx=80010031 esi=89555268 edi=80a059f8
eip=80b00705 esp=f75d6a24 ebp=f75d6a68 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
nt!KiSwapContext+0x2d:
80b00705 8b742408 mov esi,dword ptr [esp+8] ss:0010:f75d6a2c=89836020
1: kd> p
eax=00000000 ebx=f7737000 ecx=00000000 edx=80010031 esi=89836020 edi=80a059f8
eip=80b00709 esp=f75d6a24 ebp=f75d6a68 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
nt!KiSwapContext+0x31:
80b00709 8b5c240c mov ebx,dword ptr [esp+0Ch] ss:0010:f75d6a30=89555268
1: kd> p
eax=00000000 ebx=89555268 ecx=00000000 edx=80010031 esi=89836020 edi=80a059f8
eip=80b0070d esp=f75d6a24 ebp=f75d6a68 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
nt!KiSwapContext+0x35:
80b0070d 83c410 add esp,10h
1: kd> p
eax=00000000 ebx=89555268 ecx=00000000 edx=80010031 esi=89836020 edi=80a059f8
eip=80b00710 esp=f75d6a34 ebp=f75d6a68 iopl=0 nv up ei ng nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000282
nt!KiSwapContext+0x38:
80b00710 c3 ret
1: kd> kc
#
00 nt!KiSwapContext
01 nt!KiSwapThread
WARNING: Frame IP not in any known module. Following frames may be wrong.
02 0x0
1: kd> !thread
THREAD 89555268 Cid 01b0.01dc Teb: 7ffd9000 Win32Thread: e1601268 RUNNING on processor 1
IRP List:
897fe008: (0006,0190) Flags: 00000970 Mdl: 00000000
897569a0: (0006,0190) Flags: 00000970 Mdl: 00000000
Not impersonating
DeviceMap e10003d8
Owning Process 89831250 Image: csrss.exe
Attached Process N/A Image: N/A
Wait Start TickCount 274655230 Ticks: 8 (0:00:00:00.125)
Context Switch Count 2577 IdealProcessor: 0 LargeStack
UserTime 00:00:00.000
KernelTime 00:00:00.625
Stack Init f75d7000 Current f75d6a18 Base f75d7000 Limit f75d4000 Call 00000000
Priority 14 BasePriority 13 PriorityDecrement 0 IoPriority 0 PagePriority 0
ChildEBP RetAddr Args to Child
f75d6a30 80a440eb f7737120 89555268 895552c8 nt!KiSwapContext+0x38 (FPO: [Uses EBP] [0,0,4]) [d:\srv03rtm\base\ntos\ke\i386\ctxswap.asm @ 144]
00000000 f000ff53 f000e2c3 f000ff53 f000ff53 nt!KiSwapThread+0x627 (FPO: [Non-Fpo]) (CONV: fastcall) [d:\srv03rtm\base\ntos\ke\thredsup.c @ 2000]
WARNING: Frame IP not in any known module. Following frames may be wrong.
30000000 00000000 00000000 00000000 00000000 0xf000ff53


#if !defined(NT_UP)

if (OldThread == NewThread) {
KiSetContextSwapIdle(OldThread);
Pending = (BOOLEAN)((NewThread->ApcState.KernelApcPending != FALSE) &&
(NewThread->SpecialApcDisable == 0) &&
(WaitIrql == 0));

} else {
Pending = KiSwapContext(OldThread, NewThread); // the new thread returns here:
}

#else

Pending = KiSwapContext(OldThread, NewThread);

#endif

//
// If a kernel APC should be delivered, then deliver it now.
//

WaitStatus = OldThread->WaitStatus;
if (Pending != FALSE) {


1: kd> p
eax=00000000 ebx=89555268 ecx=00000000 edx=80010031 esi=89836020 edi=80a059f8
eip=80a440eb esp=f75d6a38 ebp=f75d6a68 iopl=0 nv up ei ng nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000282
nt!KiSwapThread+0x627:
80a440eb 84c0 test al,al
1: kd> kc
#
00 nt!KiSwapThread
01 nt!KeWaitForMultipleObjects
02 win32k!RawInputThread
03 win32k!xxxCreateSystemThreads
04 win32k!NtUserCallOneParam
05 nt!_KiSystemService
06 SharedUserData!SystemCallStub
07 winsrv!NtUserCallOneParam
1: kd> !thread
THREAD 89555268 Cid 01b0.01dc Teb: 7ffd9000 Win32Thread: e1601268 RUNNING on processor 1
IRP List:
897fe008: (0006,0190) Flags: 00000970 Mdl: 00000000
897569a0: (0006,0190) Flags: 00000970 Mdl: 00000000
Not impersonating
DeviceMap e10003d8
Owning Process 89831250 Image: csrss.exe
Attached Process N/A Image: N/A
Wait Start TickCount 274655230 Ticks: 8 (0:00:00:00.125)
Context Switch Count 2577 IdealProcessor: 0 LargeStack
UserTime 00:00:00.000
KernelTime 00:00:00.625
Stack Init f75d7000 Current f75d6a18 Base f75d7000 Limit f75d4000 Call 00000000
Priority 14 BasePriority 13 PriorityDecrement 0 IoPriority 0 PagePriority 0
ChildEBP RetAddr Args to Child
f75d6a68 80a358c7 bfa03214 bfa01624 00000000 nt!KiSwapThread+0x627 (FPO: [Non-Fpo]) (CONV: fastcall) [d:\srv03rtm\base\ntos\ke\thredsup.c @ 2000]
f75d6aa0 bf891bbd 00000007 89489d08 00000001 nt!KeWaitForMultipleObjects+0x3b5 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\ke\wait.c @ 816]
f75d6d1c bf8b21b0 00000002 00000002 f75d6d48 win32k!RawInputThread+0x712 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\kernel\ntinput.c @ 6349]
f75d6d2c bf806d52 f75c64a0 f75d6d58 0088fff4 win32k!xxxCreateSystemThreads+0x92 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\kernel\desktop.c @ 338]
f75d6d48 80afbcb2 00000000 00000022 80afb956 win32k!NtUserCallOneParam+0xa0 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\kernel\ntstubs.c @ 4789]
f75d6d48 7ffe0304 00000000 00000022 80afb956 nt!_KiSystemService+0x13f (FPO: [0,3] TrapFrame @ f75d6d64) (CONV: cdecl) [d:\srv03rtm\base\ntos\ke\i386\trap.asm @ 1328]
0088ffe0 75340774 75318a89 00000000 00000022 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])
0088ffe8 00000000 00000022 00000004 00000000 winsrv!NtUserCallOneParam+0xc (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\umode\daytona\obj\i386\usrstubs.c @ 2683]


WaitStatus = OldThread->WaitStatus;
if (Pending != FALSE) {

1: kd> p
eax=00000000 ebx=89555268 ecx=00000000 edx=80010031 esi=89836020 edi=80a059f8
eip=80a440ed esp=f75d6a38 ebp=f75d6a68 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
nt!KiSwapThread+0x629:
80a440ed 8b5b50 mov ebx,dword ptr [ebx+50h] ds:0023:895552b8=00000001
1: kd> p
eax=00000000 ebx=00000001 ecx=00000000 edx=80010031 esi=89836020 edi=80a059f8
eip=80a440f0 esp=f75d6a38 ebp=f75d6a68 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
nt!KiSwapThread+0x62c:
80a440f0 8b350431a080 mov esi,dword ptr [nt!_imp_KfLowerIrql (80a03104)] ds:0023:80a03104={hal!KfLowerIrql (804edc30)}
