Reading Notebook: 21-July-09
Comments in italics are mine and express my own views, thoughts and opinions
Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:
W2K3, per-CPU scheduling queues (p. 43)
MmProductType (p. 45) - we can query the value from the dump; 1 means a server version:
3: kd> dd MmProductType l1
808a8d00 00000001
ASSERT (p. 48) - disassembly of the function in W2K8 shows this collapsed sequence (conditional flow is ignored):
0: kd> uf nt!RtlAssert
nt!RtlAssert:
call nt!RtlCaptureContext
call nt!DbgPrintEx
call nt!DbgPrompt
call nt!ZwTerminateThread
call nt!ZwTerminateProcess
call nt!DbgPrintEx
call nt!DbgBreakPoint
call nt!DbgBreakPoint
call nt!ZwTerminateProcess
Key system components (pp. 49 - 50) - I found it useful to look at thread stack traces from complete memory dumps to see the big picture of component relationships, for example, a message loop:
kd> kc
nt!KiSwapContext
nt!KiSwapThread
nt!KeWaitForSingleObject
win32k!xxxSleepThread
win32k!xxxRealInternalGetMessage
win32k!NtUserGetMessage
nt!KiFastCallEntry
ntdll!KiFastSystemCallRet
USER32!NtUserGetMessage
USER32!GetMessageW
Application!WinMain
kernel32!BaseProcessStart
Some functions are implemented entirely in subsystem DLLs (p. 53) - for example:
kd> uf GetCurrentProcess
kernel32!GetCurrentProcess:
77e62f9d or eax,0FFFFFFFFh
77e62fa0 ret
kd> uf GetCurrentProcessId
kernel32!GetCurrentProcessId:
77e63c78 mov eax,dword ptr fs:[00000018h]
77e63c7e mov eax,dword ptr [eax+20h]
77e63c81 ret
kd> uf GetCurrentThread
kernel32!GetCurrentThread:
77e63868 push 0FFFFFFFEh
77e6386a pop eax
77e6386b ret
kd> uf GetCurrentThreadId
kernel32!GetCurrentThreadId:
77e62fc7 mov eax,dword ptr fs:[00000018h]
77e62fcd mov eax,dword ptr [eax+24h]
77e62fd0 ret
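The two-instruction bodies of GetCurrentProcessId and GetCurrentThreadId above walk the 32-bit TEB: fs:[18h] is NT_TIB.Self (the TEB's own linear address), TEB+20h is ClientId.UniqueProcess and TEB+24h is ClientId.UniqueThread. The C below is an added example, not code from the book or from this notebook; it models that layout with fixed-width fields so the offsets can be checked on any host, and reads the client id from a constructed TEB the way a dump analyst would after validating that Self points back at the block (the 64-bit TEB has a different layout and is not covered here).

```c
#include <stdint.h>
#include <stddef.h>
/* 32-bit TEB prefix with fixed-width fields so the offsets match on any host. */
typedef struct NT_TIB32 {
    uint32_t ExceptionList;        /* 0x00 */
    uint32_t StackBase;            /* 0x04 */
    uint32_t StackLimit;           /* 0x08 */
    uint32_t SubSystemTib;         /* 0x0C */
    uint32_t FiberData;            /* 0x10 */
    uint32_t ArbitraryUserPointer; /* 0x14 */
    uint32_t Self;                 /* 0x18: linear address of this TEB, what fs:[18h] loads */
} NT_TIB32;

typedef struct CLIENT_ID32 {
    uint32_t UniqueProcess;        /* read by GetCurrentProcessId via [eax+20h] */
    uint32_t UniqueThread;         /* read by GetCurrentThreadId  via [eax+24h] */
} CLIENT_ID32;

typedef struct TEB32 {
    NT_TIB32    NtTib;             /* 0x00 .. 0x1B */
    uint32_t    EnvironmentPointer;/* 0x1C */
    CLIENT_ID32 ClientId;          /* 0x20 */
} TEB32;

/* Pseudo-handles: "or eax,-1" in GetCurrentProcess, "push -2; pop eax" in GetCurrentThread. */
#define PSEUDO_HANDLE_CURRENT_PROCESS ((uint32_t)-1)
#define PSEUDO_HANDLE_CURRENT_THREAD  ((uint32_t)-2)

/* Returns 1 if the struct reproduces the three offsets used in the disassembly. */
int teb32_layout_matches_disassembly(void)
{
    return offsetof(TEB32, NtTib.Self) == 0x18
        && offsetof(TEB32, ClientId.UniqueProcess) == 0x20
        && offsetof(TEB32, ClientId.UniqueThread) == 0x24;
}

/* Client id of a TEB read at virtual address teb_va (e.g. from a dump). Like
 * "mov eax,fs:[18h]" it goes through NtTib.Self; a block whose Self does not
 * point back at its own address is not a TEB, so {0,0} is returned instead. */
CLIENT_ID32 teb32_client_id(const TEB32 *teb, uint32_t teb_va)
{
    CLIENT_ID32 none = { 0, 0 };
    if (teb->NtTib.Self != teb_va)
        return none;
    return teb->ClientId;
}

/* Constructed sample TEB at 0x7FFDF000 (values invented for this example, not from a dump). */
const TEB32 sample_teb = { { 0xFFFFFFFF, 0x00130000, 0x0012E000, 0, 0x1E00, 0, 0x7FFDF000 }, 0, { 0x00000BC4, 0x00000C18 } };
```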
Subsystem functions that require a client-server call to the subsystem process (p. 53) - collapsed disassembly example:
kd> uf CreateThread
call kernel32!CreateRemoteThread
kd> uf kernel32!CreateRemoteThread
call dword ptr [kernel32!_imp__CsrClientCallServer (77e41034)]
kd> dds 77e41034 l1
77e41034 7c82ebf3 ntdll!CsrClientCallServer
kd> uf ntdll!CsrClientCallServer
call ntdll!NtRequestWaitReplyPort
- Dmitry Vostokov @ SoftwareGeneralist.com -