Reading Notebook: 12-August-09
Comments in italics are mine and express my own views, thoughts and opinions
Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:
int 2e is still available for legacy calls (p. 126)
rdmsr WinDbg command (p. 126)
Zw… as fake interrupts (p. 129) - here is another view (remember that there are ntdll!Nt… and nt!Nt… functions): http://www.dumpanalysis.org/blog/index.php/2007/04/10/yet-another-look-at-zw-and-nt-functions/
KiServiceTable entries on x64 (p. 132)
WinObj (pp. 133 - 134) - I also use the !object WinDbg command to navigate the tree:
0: kd> !object \
Object: fffff88000005d50 Type: (fffffa8003bacdc0) Directory
ObjectHeader: fffff88000005d20 (old version)
HandleCount: 0 PointerCount: 49
Directory Object: 00000000 Name: \
Hash Address Type Name
---- ------- ---- ----
01 fffff88000005420 Directory ObjectTypes
03 fffffa8004bcd320 Event NETLOGON_SERVICE_STARTED
05 fffff88000952910 SymbolicLink SystemRoot
06 fffff880000e7900 Directory Sessions
07 fffffa8004b4d2b0 ALPC Port MmcssApiPort
08 fffffa8004839750 Event DSYSDBG.Debug.Trace.Memory.270
fffff880000138d0 Directory ArcName
09 fffff88000072bb0 Directory NLS
fffffa8004ce7cd0 ALPC Port XactSrvLpcPort
10 fffff880000079f0 Directory GLOBAL??
fffff880000e5ab0 Directory Windows
fffffa8004b80ee0 Event LanmanServerAnnounceEvent
11 fffff880000e7ab0 Directory RPC Control
13 fffffa80046bfd20 Event EFSInitEvent
14 fffffa8003eb5940 Device clfs
fffff88000962d20 SymbolicLink Dfs
15 fffffa8004690270 ALPC Port SeRmCommandPort
fffffa80047b3b00 Event CsrSbSyncEvent
16 fffff880000071c0 SymbolicLink DosDevices
fffffa80051ab8d0 Device Cdfs
17 fffff88000965b20 Directory KnownDlls32
fffffa8004c20060 ALPC Port AELPort
fffffa800487d620 Event EFSSrvInitEvent
18 fffff880000131e0 Key \REGISTRY
fffffa8004ca0a60 ALPC Port WindowsErrorReportingServicePort
19 fffff880061859f0 Directory BaseNamedObjects
21 fffff880000735c0 Directory UMDFCommunicationPorts
fffffa8004a67900 ALPC Port SmSsWinStationApiPort
fffffa8004251840 Event UniqueInteractiveSessionIdEvent
22 fffff88006117200 Directory KnownDlls
fffffa80054c6c80 Device FatCdrom
fffffa8005597b00 Device Fat
23 fffff8800008d2f0 Directory FileSystem
fffff88000005a20 Directory KernelObjects
fffffa8004059ad0 Device Ntfs
26 fffff88000005870 Directory Callback
fffffa800482fd90 ALPC Port SeLsaCommandPort
28 fffff88000009850 Directory Security
29 fffffa8004aeaa90 ALPC Port UxSmsApiPort
30 fffff880000135a0 Directory Device
fffffa80048776c0 Event EFSSmbInitEvent
32 fffffa8004876060 ALPC Port LsaAuthenticationPort
34 fffffa80046bf060 ALPC Port SmApiPort
fffff880066b2b00 Section LsaPerformance
fffffa80047aa840 Event UniqueSessionIdEvent
36 fffff8800008d4a0 Directory Driver
fffffa8004879eb0 Event SAM_SERVICE_STARTED
0: kd> !object \Driver
Object: fffff8800008d4a0 Type: (fffffa8003bacdc0) Directory
ObjectHeader: fffff8800008d470 (old version)
HandleCount: 0 PointerCount: 76
Directory Object: fffff88000005d50 Name: Driver
Hash Address Type Name
---- ------- ---- ----
01 fffffa800468e440 Driver NetBT
fffffa8004317ba0 Driver PptpMiniport
fffffa80042b49e0 Driver usbuhci
fffffa8003d64b90 Driver Wdf01000
02 fffffa8005532700 Driver MYFAULT
fffffa8004b82e70 Driver mpsdrv
03 fffffa800407f740 Driver disk
fffffa8004afe900 Driver lltdio
fffffa8004693ab0 Driver PSched
fffffa800453fc80 Driver NDProxy
04 fffffa8004c00e70 Driver HTTP
06 fffffa80042b02c0 Driver usbehci
fffffa80042a6a60 Driver tunnel
07 fffffa8003eba7c0 Driver partmgr
08 fffffa8004c50940 Driver PEAUTH
fffffa800430ee10 Driver iScsiPrt
fffffa80042d7dd0 Driver b57nd60a
fffffa8003c116f0 Driver ACPI_HAL
09 fffffa8004675e70 Driver RDPENCDD
fffffa800407e060 Driver spldr
10 fffffa800430ce10 Driver Rasl2tp
fffffa80040392c0 Driver storflt
fffffa8004269ad0 Driver HidUsb
11 fffffa8004dc5c00 Driver AsyncMac
fffffa8003bad7f0 Driver PnpManager
12 fffffa8004673610 Driver Null
fffffa800431f7e0 Driver rdpdr
14 fffffa80042dbbf0 Driver Serenum
fffffa8003ef27b0 Driver CLFS
15 fffffa80042f3d50 Driver Serial
fffffa80046729c0 Driver RDPCDD
fffffa8003ee97b0 Driver KSecDD
fffffa8003ebc7c0 Driver volmgr
16 fffffa8004333a30 Driver umbus
fffffa80040eb490 Driver crcdisk
17 fffffa80047b0e00 Driver Win32k
18 fffffa8004329730 Driver mouclass
fffffa80046894d0 Driver Smb
19 fffffa8003f47db0 Driver msisadrv
20 fffffa8004321510 Driver kbdclass
21 fffffa800407de70 Driver volsnap
fffffa800479ca60 Driver mouhid
22 fffffa80046c3550 Driver nsiproxy
fffffa8004673420 Driver VgaSave
fffffa8003bbfe70 Driver WMIxWDM
23 fffffa8003fab360 Driver Wanarpv6
fffffa8004678060 Driver tdx
fffffa8004671730 Driver RasAcd
fffffa800431d820 Driver RasSstp
25 fffffa8004319e70 Driver RasPppoe
fffffa80042b69c0 Driver HDAudBus
26 fffffa8004c68a00 Driver secdrv
27 fffffa80042dfe70 Driver Parport
fffffa800426a240 Driver kbdhid
28 fffffa8004b00a30 Driver rspndr
fffffa8004328a10 Driver TermDD
29 fffffa80046586a0 Driver HdAudAddService
fffffa8003f79710 Driver pci
fffffa800432c7d0 Driver mssmbios
fffffa8003eb87c0 Driver volmgrx
30 fffffa80042db370 Driver cdrom
fffffa8003ee3750 Driver NDIS
31 fffffa800432b420 Driver swenum
32 fffffa800433de70 Driver usbhub
fffffa8003f272a0 Driver Tcpip
33 fffffa80042aabc0 Driver intelppm
fffffa8003ec18f0 Driver atapi
34 fffffa800468d7c0 Driver AFD
fffffa800430a710 Driver NdisTapi
fffffa8003ec1e70 Driver mountmgr
fffffa8003ebee70 Driver intelide
35 fffffa8004c84db0 Driver tcpipreg
fffffa800465a060 Driver ksthunk
36 fffffa8004311640 Driver NdisWan
fffffa8003d96060 Driver ACPI
It might be interesting to signal these events manually and see what happens:
0: kd> !object \KernelObjects
Object: fffff88000005a20 Type: (fffffa8003bacdc0) Directory
ObjectHeader: fffff880000059f0 (old version)
HandleCount: 0 PointerCount: 18
Directory Object: fffff88000005d50 Name: KernelObjects
Hash Address Type Name
---- ------- ---- ----
00 fffffa8003c0f920 Event MemoryErrors
02 fffffa8003bfc510 Event LowNonPagedPoolCondition
04 fffffa80047be6b0 Session Session1
05 fffffa8003bef740 Event SuperfetchScenarioNotify
fffffa8003bef7c0 Event SuperfetchParametersChanged
06 fffffa8003c0b4e0 Event BootLoaderTraceReady
12 fffffa8003c0fa20 Event HighCommitCondition
14 fffffa8003bfb590 Event HighNonPagedPoolCondition
fffffa8003bfd590 Event HighMemoryCondition
21 fffff88000009060 KeyedEvent CritSecOutOfMemoryEvent
23 fffffa8003c0f9a0 Event MaximumCommitCondition
25 fffffa8003bfb510 Event LowCommitCondition
26 fffffa8003bfc590 Event HighPagedPoolCondition
28 fffffa8003c0e5d0 Event LowMemoryCondition
32 fffffa8003bfd510 Event LowPagedPoolCondition
fffffa80047ac520 Session Session0
34 fffffa8003bef6c0 Event PrefetchTracesReady
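As an added example (not part of the original notes), here is a small Python parser for the !object directory listings quoted above. WinDbg prints entries that share a hash bucket without repeating the hash, so continuation lines have to inherit the bucket of the previous entry, and type names such as "ALPC Port" contain a space, as do some object names ("RPC Control"). The sample text is excerpted from the listings above; the helper names (parse_object_listings, count_by_type, names_of_type) are my own and not WinDbg or book terminology.

```python
"""Parse WinDbg !object directory listings into structured records.

Added example, not code from the blog post. The sample input below is an
excerpt of the !object output quoted in the notes. Continuation lines (no
leading hash) inherit the bucket of the previous entry, and multi-word type
names such as "ALPC Port" are split off before the object name.
"""
import re
from collections import Counter

# Object type names that contain a space; everything after them is the name.
MULTI_WORD_TYPES = ("ALPC Port",)

# Excerpt of the root and \KernelObjects listings shown in the notes.
SAMPLE_TRANSCRIPT = """\
0: kd> !object \\
Object: fffff88000005d50 Type: (fffffa8003bacdc0) Directory
ObjectHeader: fffff88000005d20 (old version)
HandleCount: 0 PointerCount: 49
Directory Object: 00000000 Name: \\
Hash Address Type Name
---- ------- ---- ----
01 fffff88000005420 Directory ObjectTypes
07 fffffa8004b4d2b0 ALPC Port MmcssApiPort
08 fffffa8004839750 Event DSYSDBG.Debug.Trace.Memory.270
fffff880000138d0 Directory ArcName
11 fffff880000e7ab0 Directory RPC Control
18 fffff880000131e0 Key \\REGISTRY
0: kd> !object \\KernelObjects
Object: fffff88000005a20 Type: (fffffa8003bacdc0) Directory
ObjectHeader: fffff880000059f0 (old version)
HandleCount: 0 PointerCount: 18
Directory Object: fffff88000005d50 Name: KernelObjects
Hash Address Type Name
---- ------- ---- ----
00 fffffa8003c0f920 Event MemoryErrors
02 fffffa8003bfc510 Event LowNonPagedPoolCondition
04 fffffa80047be6b0 Session Session1
05 fffffa8003bef740 Event SuperfetchScenarioNotify
fffffa8003bef7c0 Event SuperfetchParametersChanged
21 fffff88000009060 KeyedEvent CritSecOutOfMemoryEvent
"""

# "Directory Object: <addr> Name: <name>" names the directory being listed.
HEADER_NAME_RE = re.compile(r"^Directory Object:\s+[0-9a-fA-F]+\s+Name:\s+(?P<name>.+)$")

ENTRY_RE = re.compile(
    r"^(?:(?P<hash>\d{2})\s+)?"        # optional two-digit hash bucket
    r"(?P<addr>[0-9a-fA-F]{8,16})\s+"  # object address (x86 or x64 width)
    r"(?P<rest>\S.*)$"                 # "<Type> <Name>", either may contain spaces
)


def split_type_name(rest):
    """Split "<Type> <Name>", treating known multi-word types as one token."""
    for mw in MULTI_WORD_TYPES:
        if rest.startswith(mw + " "):
            return mw, rest[len(mw) + 1:]
    obj_type, _, obj_name = rest.partition(" ")
    return obj_type, obj_name


def parse_object_listings(text):
    """Parse one or more !object directory listings; return {dir_name: [entries]}.

    Each entry is a dict with keys hash, address (int), type and name.
    Table rows start after the '---- ...' separator and end at the next
    'Directory Object:' header, which also resets the inherited hash bucket.
    """
    listings, entries, in_table, current_hash = {}, None, False, None
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER_NAME_RE.match(line)
        if header:
            entries = listings.setdefault(header.group("name"), [])
            in_table, current_hash = False, None
            continue
        if not in_table:
            in_table = line.startswith("----")
            continue
        m = ENTRY_RE.match(line)
        if not m or entries is None:
            continue  # prompts and header lines of the next listing
        if m.group("hash") is not None:
            current_hash = int(m.group("hash"))
        obj_type, obj_name = split_type_name(m.group("rest"))
        entries.append({"hash": current_hash, "address": int(m.group("addr"), 16),
                        "type": obj_type, "name": obj_name})
    return listings


def count_by_type(entries):
    """Histogram of object types in one directory, a quick triage view."""
    return Counter(e["type"] for e in entries)


def names_of_type(entries, obj_type):
    """Sorted names of all objects of the given type in one directory."""
    return sorted(e["name"] for e in entries if e["type"] == obj_type)


if __name__ == "__main__":
    for dir_name, dir_entries in parse_object_listings(SAMPLE_TRANSCRIPT).items():
        print(dir_name, dict(count_by_type(dir_entries)))
        for e in dir_entries:
            print(f"  {e['hash']:02d} {e['address']:016x} {e['type']:<10} {e['name']}")
```

Running it over a full transcript of `!object \Driver` gives a sortable list of loaded driver objects, which is handy when comparing a suspect dump against a known-good baseline; the parser only relies on the column layout visible in the output above.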
- Dmitry Vostokov @ SoftwareGeneralist.com -