I was recently revisiting my old post about model-based definition of software defects in relation to their forthcoming classification. When thinking I recalled a three worlds diagram in Roger Penrose’s The Road to Reality book depicting the Platonic mathematical, the physical and the mental and came up with Software Generalist three worlds: World, Models and Software:
 Â
- Dmitry Vostokov @ SoftwareGeneralist.com -
Comments in italics are mine and express my own views, thoughts and opinions
Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:
Injected debugging thread to generate int 3 event (p. 218)
0:001> kL
Child-SP         RetAddr          Call Site
00000000`0355fdf8 00000000`776c0038 ntdll!DbgBreakPoint
00000000`0355fe00 00000000`7740be3d ntdll!DbgUiRemoteBreakin+0x38
00000000`0355fe30 00000000`77616a51 kernel32!BaseThreadInitThunk+0xd
00000000`0355fe60 00000000`00000000 ntdll!RtlUserThreadStart+0x21
DbgSSReserved[1] as the handle to a debug object (p. 218) - It is NULL when I break into notepad.exe in both debuggee and debugger TEBs:
0:001> ~*kL
  0 Id: cf0.aa0 Suspend: 1 Teb: 000007ff`fffde000 Unfrozen
Child-SP         RetAddr          Call Site
00000000`0016f788 00000000`7753d5be USER32!ZwUserGetMessage+0xa
00000000`0016f790 00000000`ffec6f4a USER32!GetMessageW+0x34
00000000`0016f7c0 00000000`ffecd00b notepad!WinMain+0x176
00000000`0016f840 00000000`7740be3d notepad!IsTextUTF8+0x24f
00000000`0016f900 00000000`77616a51 kernel32!BaseThreadInitThunk+0xd
00000000`0016f930 00000000`00000000 ntdll!RtlUserThreadStart+0x1d
#Â 1Â Id: cf0.974 Suspend: 1 Teb: 000007ff`fffdc000 Unfrozen
Child-SP         RetAddr          Call Site
00000000`0355fdf8 00000000`776c0038 ntdll!DbgBreakPoint
00000000`0355fe00 00000000`7740be3d ntdll!DbgUiRemoteBreakin+0x38
00000000`0355fe30 00000000`77616a51 kernel32!BaseThreadInitThunk+0xd
00000000`0355fe60 00000000`00000000 ntdll!RtlUserThreadStart+0x1d
0:001> dt _TEB DbgSsReserved 000007fffffdc000
ntdll!_TEB
  +0x16a0 DbgSsReserved : [2] (null)
0:001> dq 000007fffffdc000+0x16a0 l2
000007ff`fffdd6a0Â 00000000`00000000 00000000`00000000
0:001> .dbgdbg
Debugger spawned, connect with
   "-remote npipe:icfenable,pipe=cdb_pipe,server=Computer"
0:003> ~*kL
  0 Id: 268.d70 Suspend: 1 Teb: 000007ff`fffdd000 Unfrozen
Child-SP         RetAddr          Call Site
00000000`000fd660 00000000`7740fc13 ntdll!RtlLockHeap+0x1e
00000000`000fd6c0 000007fe`ff77218e kernel32!LocalLock+0x23
00000000`000fd700 000007fe`fe014772 IMM32!InternalImmLockIMC+0x138
00000000`000fd730 000007fe`fe014743 MSCTF!IMCLock::_LockIMC+0x1d
00000000`000fd760 000007fe`fe01a8fb MSCTF!IMCLock::IMCLock+0x33
00000000`000fd790 00000000`7753d53e MSCTF!CIMEUIWindowHandler::ImeUIWndProcWorke
r+0x2cd
00000000`000fd820 00000000`7753d7c6 USER32!UserCallWinProcCheckWow+0x1ad
00000000`000fd8e0 00000001`3f5a1bf0 USER32!DispatchMessageWorker+0x389
00000000`000fd960 00000001`3f5a1c70 windbg!ProcessNonDlgMessage+0x330
00000000`000fd9b0 00000001`3f5a850d windbg!ProcessPendingMessages+0x70
00000000`000fda20 00000001`3f5b3739 windbg!wmain+0x29d
00000000`000ffae0 00000000`7740be3d windbg!_CxxFrameHandler3+0x291
00000000`000ffb20 00000000`77616a51 kernel32!BaseThreadInitThunk+0xd
00000000`000ffb50 00000000`00000000 ntdll!RtlUserThreadStart+0x1d
  1 Id: 268.a6c Suspend: 1 Teb: 000007ff`fffdb000 Unfrozen
Child-SP         RetAddr          Call Site
00000000`032bfa88 00000000`7741c0b0 ntdll!ZwWaitForSingleObject+0xa
00000000`032bfa90 00000000`7293e711 kernel32!WaitForSingleObjectEx+0x9c
00000000`032bfb50 00000001`3f575a4a dbgeng!DebugClient::DispatchCallbacks+0x61
00000000`032bfb90 00000000`7740be3d windbg!EngineLoop+0x37a
00000000`032bfbd0 00000000`77616a51 kernel32!BaseThreadInitThunk+0xd
00000000`032bfc00 00000000`00000000 ntdll!RtlUserThreadStart+0x1d
  2 Id: 268.bfc Suspend: 1 Teb: 000007ff`fffd7000 Unfrozen
Child-SP         RetAddr          Call Site
00000000`0699f6c8 00000000`7740f65c ntdll!NtRemoveIoCompletion+0xa
00000000`0699f6d0 000007fe`fe165d0d kernel32!GetQueuedCompletionStatus+0x48
00000000`0699f730 000007fe`fe165b93 RPCRT4!COMMON_ProcessCalls+0x7d
00000000`0699f7c0 000007fe`fe147769 RPCRT4!LOADABLE_TRANSPORT::ProcessIOEvents+0
x133
00000000`0699f870 000007fe`fe147714 RPCRT4!ProcessIOEventsWrapper+0x9
00000000`0699f8a0 000007fe`fe1477a4 RPCRT4!BaseCachedThreadRoutine+0x94
00000000`0699f8e0 00000000`7740be3d RPCRT4!ThreadStartRoutine+0x24
00000000`0699f910 00000000`77616a51 kernel32!BaseThreadInitThunk+0xd
00000000`0699f940 00000000`00000000 ntdll!RtlUserThreadStart+0x1d
#Â 3Â Id: 268.f34 Suspend: 1 Teb: 000007ff`fffd9000 Unfrozen
Child-SP         RetAddr          Call Site
00000000`06b6fb68 00000000`776c0038 ntdll!DbgBreakPoint
00000000`06b6fb70 00000000`7740be3d ntdll!DbgUiRemoteBreakin+0x38
00000000`06b6fba0 00000000`77616a51 kernel32!BaseThreadInitThunk+0xd
00000000`06b6fbd0 00000000`00000000 ntdll!RtlUserThreadStart+0x1d
0:003> dt _TEB DbgSsReserved 000007ff`fffdb000
ntdll!_TEB
  +0x16a0 DbgSsReserved : [2] (null)
0:003> dt _TEB DbgSsReserved 000007ff`fffdd000
ntdll!_TEB
  +0x16a0 DbgSsReserved : [2] (null)
0:003> dt _TEB DbgSsReserved 000007ff`fffd7000
ntdll!_TEB
  +0x16a0 DbgSsReserved : [2] (null)
0:003> dt _TEB DbgSsReserved 000007ff`fffd9000
ntdll!_TEB
  +0x16a0 DbgSsReserved : [2] (null)
Image loader (pp. 220 - 221) - We can see loader functions (LdrXXX) in crash dumps when it fails due to 3rd-party hooksware and corrupt images or in memory dumps taken when we have deadlocks involving module load. Also in WOW64 processes we can see it on stack traces:
0:000> kL
Child-SP         RetAddr          Call Site
00000000`0010eb98 00000000`7572ab46 wow64cpu!WaitForMultipleObjects32+0x3a
00000000`0010ec40 00000000`7572a14c wow64!RunCpuSimulation+0xa
00000000`0010ec70 00000000`7762bf9d wow64!Wow64LdrpInitialize+0x4b4
00000000`0010f1d0 00000000`7762bb9c ntdll!LdrpInitializeProcess+0x1568
00000000`0010f490 00000000`776168de ntdll! ?? ::FNODOBFM::`string'+0x20959
00000000`0010f540 00000000`00000000 ntdll!LdrInitializeThunk+0xe
There are some patterns related to DLL load and linkage: http://www.dumpanalysis.org/blog/index.php/2009/02/17/dll-link-patterns/
_LDR_DATA_TABLE_ENTRY field description (p. 223)
0:000> dt _LDR_DATA_TABLE_ENTRY
ntdll!_LDR_DATA_TABLE_ENTRY
  +0x000 InLoadOrderLinks : _LIST_ENTRY
  +0x010 InMemoryOrderLinks : _LIST_ENTRY
  +0x020 InInitializationOrderLinks : _LIST_ENTRY
  +0x030 DllBase         : Ptr64 Void
  +0x038 EntryPoint      : Ptr64 Void
  +0x040 SizeOfImage     : Uint4B
  +0x048 FullDllName     : _UNICODE_STRING
  +0x058 BaseDllName     : _UNICODE_STRING
  +0x068 Flags           : Uint4B
  +0x06c LoadCount       : Uint2B
  +0x06e TlsIndex        : Uint2B
  +0x070 HashLinks       : _LIST_ENTRY
  +0x070 SectionPointer  : Ptr64 Void
  +0x078 CheckSum        : Uint4B
  +0x080 TimeDateStamp   : Uint4B
  +0x080 LoadedImports   : Ptr64 Void
  +0x088 EntryPointActivationContext : Ptr64 _ACTIVATION_CONTEXT
  +0x090 PatchInformation : Ptr64 Void
  +0x098 ForwarderLinks  : _LIST_ENTRY
  +0x0a8 ServiceTagLinks : _LIST_ENTRY
  +0x0b8 StaticLinks     : _LIST_ENTRY
Handy full !list command for listing module linked lists (pp. 224 - 225) - I was thinking about writing it myself while reading the previous page :-)Â
Loader entry flags (p. 225)
- Dmitry Vostokov @ SoftwareGeneralist.com -
Comments in italics are mine and express my own views, thoughts and opinions
Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:
ETW components (p. 207) - A few years ago I made this UML component diagram showing the relation of various providers to OS components and interfaces:
My trace analysis patterns are largely based on ETW traces: http://www.dumpanalysis.org/blog/index.php/trace-analysis-patterns/
Fragment of process image loading sequence when tracing Microsoft-Windows-Kernel-Process provider:
PIDÂ Â Â Â Â Â Â Â Â TIDÂ Â Â Â Â Â Â Â User DataÂ
0x00000AC8Â 0x0000086CÂ "\Device\HarddiskVolume2\Windows\System32\notepad.exe"
0x00000EBCÂ 0x000007E4Â "\Device\HarddiskVolume2\Windows\System32\notepad.exe"
0x00000EBCÂ 0x000007E4Â "\SystemRoot\System32\ntdll.dll"
0x00000EBCÂ 0x000007E4Â "\Windows\System32\kernel32.dll"
[...]
\Windows\Sysnative (p. 213)
Wow64Disable(Revert)Wow64FsRedirection (p. 213) - From W2K3 SP1. Code example: http://msdn.microsoft.com/en-us/library/aa365743(VS.85).aspx
KEY_WOW64_64(32)KEY flags for RegXXX API (p. 214)Â
DeviceIoControlFile and IoIs32bitProcess (pp. 214 - 215) - http://msdn.microsoft.com/en-us/library/aa490629.aspx
On WOW64 16-bit old IS and MS installers are substituted with 32-bit on the fly (p. 215)
User-mode debugging as a producer-consumer framework (p. 217) - Various debug-related function names to set breakpoints when studying debugging (_imp_* and dupilicates are not shown here):
0:000> x ntdll!Dbg*
00000000`7791af70 ntdll!DbgQueryDebugFilterState = <no type information>
00000000`7791af60 ntdll!DbgSetDebugFilterState = <no type information>
00000000`778c3840 ntdll!DbgPrintEx = <no type information>
00000000`779249a0 ntdll!DbgUiStopDebugging = <no type information>
00000000`778c6060 ntdll!DbgBreakPoint = <no type information>
00000000`77924a60 ntdll!DbgUiConnectToDbg = <no type information>
00000000`779249f0 ntdll!DbgUiWaitStateChange = <no type information>
00000000`77932710 ntdll!DbgUiIssueRemoteBreakin = <no type information>
00000000`77932780 ntdll!DbgUiDebugActiveProcess = <no type information>
00000000`778c6080 ntdll!DbgBreakPointWithStatus = <no type information>
00000000`7791af80 ntdll!DbgPrompt = <no type information>
00000000`778c6070 ntdll!DbgUserBreakPoint = <no type information>
00000000`77924a20 ntdll!DbgUiSetThreadDebugObject = <no typeinformation>
00000000`77924790 ntdll!DbgUiConvertStateChangeStructure = <no type information>
00000000`77892560 ntdll!DbgPrint = <no type information>
00000000`77950000 ntdll!DbgUiRemoteBreakin = <no type information>
00000000`779249c0 ntdll!DbgUiContinue = <no type information>
00000000`7793bf30 ntdll!DbgPrintReturnControlC = <no type information>
00000000`77924a40 ntdll!DbgUiGetThreadDebugObject = <no type information>
00000000`778c6082 ntdll!DbgBreakPointWithStatusEnd = <no type information>
0:000> x ntdll!*Debug*
00000000`779970c0 ntdll!LoaderLockDebug = <no type information>
00000000`778c7810 ntdll!ZwDebugActiveProcess = <no type information>
00000000`779350f0 ntdll!RtlDebugFreeHeap = <no type information>
00000000`7794ff40 ntdll!RtlpSetProcessDebugInformationRemote = <no type information>
00000000`77952960 ntdll!RtlpQueryProcessDebugInformationFromWow64 = <no type information>
00000000`779405b0 ntdll!RtlDebugCreateHeap = <no type information>
00000000`779988a0 ntdll!RtlCriticalSectionDebugSList = <no type information>
00000000`778c8550 ntdll!NtWaitForDebugEvent = <no type information>
00000000`7799b760 ntdll!RtlpDefaultHeapDebuggingOptions = <no type information>
00000000`778c7dd0 ntdll!NtQueryDebugFilterState = <no type information>
00000000`778c60cc ntdll!DebugService2 = <no type information>
00000000`778c81e0 ntdll!NtSetDebugFilterState = <no type information>
00000000`7791b740 ntdll!IsDebugPortPresent = <no type information>
00000000`778c7650 ntdll!ZwCreateDebugObject = <no type information>
00000000`77914020 ntdll!RtlpDebugPageHeapDestroy = <no type information>
00000000`778c8550 ntdll!ZwWaitForDebugEvent = <no type information>
00000000`7791bc80 ntdll!RtlpCommitQueryDebugInfo = <no type information>
00000000`778c7dd0 ntdll!ZwQueryDebugFilterState = <no type information>
00000000`778c81e0 ntdll!ZwSetDebugFilterState = <no type information>
00000000`778c7650 ntdll!NtCreateDebugObject = <no type information>
00000000`7791e190 ntdll!RtlIsAnyDebuggerPresent = <no type information>
00000000`77950050 ntdll!RtlQueryProcessDebugInformation = <no type information>
00000000`77954db0 ntdll!RtlpQueryProcessDebugInformationRemote = <no type information>
00000000`77913a30 ntdll!RtlSetLFHDebuggingInformation = <no type information>
00000000`778c7810 ntdll!NtDebugActiveProcess = <no type information>
00000000`77942b90 ntdll!RtlDebugCompactHeap = <no type information>
00000000`77997c70 ntdll!RtlpDebugPageHeapTable = <no type information>
00000000`77914630 ntdll!RtlDebugPrintTimes = <no type information>
00000000`77941af0 ntdll!RtlDebugDestroyHeap = <no type information>
00000000`7791dab0 ntdll!RtlpSubSegmentDebugInitialize = <no type information>
00000000`77992738 ntdll!RtlpStaticDebugInfoEnd = <no type information>
00000000`77997080 ntdll!RtlpDynamicFunctionTableLockDebug = <no type information>
00000000`7791bc50 ntdll!RtlpDeCommitQueryDebugInfo = <no type information>
00000000`778c8060 ntdll!NtRemoveProcessDebug = <no type information>
00000000`7793c6a0 ntdll!CpupDebugPrintOnAmd64 = <no type information>
00000000`77940c30 ntdll!RtlDebugSetUserFlagsHeap = <no type information>
00000000`778c8060 ntdll!ZwRemoveProcessDebug = <no type information>
00000000`77923b20 ntdll!RtlpChangeQueryDebugBufferTarget = <no type information>
00000000`77954b10 ntdll!RtlDebugCreateTagHeap = <no type information>
00000000`77923b10 ntdll!RtlCommitDebugInfo = <no type information>
00000000`77914030 ntdll!RtlpDebugPageHeapCreate = <no type information>
00000000`7799e9c8 ntdll!AVrfpDebug = <no type information>
00000000`77923720 ntdll!AVrfpIsDebuggerPresent = <no type information>
00000000`77940f70 ntdll!RtlDebugGetUserInfoHeap = <no type information>
00000000`77940ab0 ntdll!RtlDebugSizeHeap = <no type information>
00000000`77997050 ntdll!RtlCriticalSectionLock_DEBUG = <no type information>
00000000`778c7820 ntdll!ZwDebugContinue = <no type information>
00000000`778c8260 ntdll!ZwSetInformationDebugObject = <no type information>
00000000`77898b00 ntdll!RtlpFreeDebugInfo = <no type information>
00000000`778c60ac ntdll!DebugPrompt = <no type information>
00000000`778c8470 ntdll!NtSystemDebugControl = <no type information>
00000000`778c8470 ntdll!ZwSystemDebugControl = <no type information>
00000000`77935420 ntdll!RtlSetProcessDebugInformation = <no type information>
00000000`77941710 ntdll!RtlDebugAllocateHeap = <no type information>
00000000`7794f390 ntdll!RtlSetHeapDebuggingInformation = <no type information>
00000000`77928060 ntdll!RtlDestroyQueryDebugBuffer = <no type information>
00000000`7792d560 ntdll!RtlpGetColdpatchDebugSignature = <no type information>
00000000`778c608c ntdll!DebugPrint = <no type information>
00000000`7791c320 ntdll!LdrpDoDebuggerBreak = <no type information>
00000000`77940960 ntdll!RtlDebugQueryTagHeap = <no type information>
00000000`77923b00 ntdll!RtlDeCommitDebugInfo = <no type information>
00000000`778c8260 ntdll!NtSetInformationDebugObject = <no type information>
00000000`778c7820 ntdll!NtDebugContinue = <no type information>
00000000`77941110 ntdll!RtlDebugReAllocateHeap = <no type information>
00000000`779408d0 ntdll!RtlDebugWalkHeap = <no type information>
00000000`779988c0 ntdll!RtlpStaticDebugInfo = <no type information>
00000000`7791ba70 ntdll!RtlCreateQueryDebugBuffer = <no type information>
00000000`7794eda0 ntdll!RtlpSetHeapDebuggingInformation = <no type information>
00000000`77934fd0 ntdll!RtlDebugZeroHeap = <no type information>
00000000`77992640 ntdll!RtlFailedCriticalDebugAllocations = <no type information>
00000000`77940df0 ntdll!RtlDebugSetUserValueHeap = <no type information>
00000000`779925d0 ntdll!LdrpDebugFlags = <no type information>
0:000> x kernel32!Dbg*
00000000`77791bd0 kernel32!DbgUiStopDebugging = <no type information>
00000000`77791b7c kernel32!DbgBreakPoint = <no type information>
00000000`77791bb8 kernel32!DbgUiConnectToDbg = <no type information>
00000000`77791b88 kernel32!DbgUiWaitStateChange = <no type information>
00000000`77791bdc kernel32!DbgUiIssueRemoteBreakin = <no type information>
00000000`77791bc4 kernel32!DbgUiDebugActiveProcess = <no type information>
00000000`77791ba0 kernel32!DbgUiConvertStateChangeStructure = <no type information>
00000000`7775d970 kernel32!DbgPrint = <no type information>
00000000`77791bac kernel32!DbgUiContinue = <no type information>
00000000`77791be8 kernel32!DbgUiGetThreadDebugObject = <no type information>
00000000`777e5170 kernel32!DbgPrintOut = <no type information>
0:000> x kernel32!*Debug*
00000000`777e41d0 kernel32!DebugActiveProcessStop = <no type information>
00000000`777e4230 kernel32!ContinueDebugEvent = <no type information>
00000000`7780e9b0 kernel32!_imp_NtRemoveProcessDebug = <no type information>
00000000`7780b780 kernel32!WerpLaunchAeDebug = <no type information>
00000000`777a2b20 kernel32!DebugTest = <no type information>
00000000`777b4340 kernel32!BasepIsDebugPortPresent = <no type information>
00000000`777b7540 kernel32!DebugSetProcessKillOnExit = <no type information>
00000000`77791c0c kernel32!NtRemoveProcessDebug = <no type information>
00000000`777ceac0 kernel32!WaitForDebugEvent = <no type information>
00000000`777b7650 kernel32!CheckRemoteDebuggerPresent = <no type information>
00000000`777e9ad0 kernel32!PatchDebug<_IMAGE_NT_HEADERS> = <no type information>
00000000`7775db30 kernel32!OutputDebugStringA = <no type information>
00000000`777a8f40 kernel32!DebugBreak = <no type information>
00000000`777efaf0 kernel32!WerpGetDebugger = <no type information>
00000000`777e98b0 kernel32!PatchDebug<_IMAGE_NT_HEADERS64> = <no type information>
00000000`777b75a0 kernel32!DebugBreakProcess = <no type information>
00000000`77791bf4 kernel32!NtSetInformationDebugObject = <no type information>
00000000`777ea590 kernel32!WerpIsProcessInAeDebugExclusionList = <no type information>
00000000`7775dcd0 kernel32!OutputDebugStringW = <no type information>
00000000`777cea50 kernel32!DebugActiveProcess = <no type information>
00000000`777a61b0 kernel32!BasepIsKernelDebuggerPresent = <no type information>
00000000`77757d20 kernel32!IsDebuggerPresent = <no type information>
0:000> x user32!*Debug*
00000000`776cc560 USER32!_fnHkINLPDEBUGHOOKSTRUCT = <no type information>
00000000`776beff0 USER32!SetDebugErrorLevel = <no type information>
0:000> x user32!Dbg*
00000000`77700a74 USER32!DbgPrint = <no type information>
0:000> x advapi32!Dbg*
000007fe`fecc9d40 ADVAPI32!DbgTrace = <no type information>
000007fe`fece9670 ADVAPI32!DbgPrint = <no type information>
000007fe`fec52c30 ADVAPI32!DbgStartTrace = <no type information>
0:000> x advapi32!*Debug*
000007fe`fed34ba8 ADVAPI32!fDebugInitialised = <no type information>
000007fe`fec88c10 ADVAPI32!InitDebugSupport = <no type information>
000007fe`fecbbd80 ADVAPI32!_DebugMsg = <no type information>
000007fe`fed21484 ADVAPI32!gDebugLevel = <no type information>
000007fe`fed117e0 ADVAPI32!cszPerfDebugTraceLevel = <no type information>
000007fe`fed21488 ADVAPI32!gDebugBreak = <no type information>
000007fe`fece1eb0 ADVAPI32!InitDebug = <no type information>
- Dmitry Vostokov @ SoftwareGeneralist.com -
Comments in italics are mine and express my own views, thoughts and opinions
Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:
InitOnceExecuteOnce API, synchronous (p. 197) - new in Vista and W2K8, http://msdn.microsoft.com/en-us/library/ms683493(VS.85).aspx
InitOnceBeginInitialize / InitOnceComplete API, asynchronous (p. 197) - code examples for one-time initialization: http://msdn.microsoft.com/en-us/library/ms686934(VS.85).aspx
Dynamic worker threads (pp. 199 - 200)
ALPC (pp. 202 - 206) - ALPC is used extensively in terminal services environments. Here is the sample output from WinDbg to mine for ALPC wait chains in frozen systems and blocked services:Â
1: kd> !process 0 ff
[...]
THREAD fffffa8006ef7060 Cid 0350.279c Teb: 000007fffffa4000 Win32Thread: fffff900c22904f0 WAIT: (WrLpcReply) UserMode Non-Alertable
   fffffa8006ef73f0 Semaphore Limit 0x1
Waiting for reply to ALPC Message fffff880104eecf0 : queued at port fffffa80060d4c80 : owned by process fffffa8004c39040
IRP List:
   fffffa8006d21c60: (0006,03a0) Flags: 00060030 Mdl: 00000000
   fffffa8005f876c0: (0006,03a0) Flags: 00060030 Mdl: 00000000
Not impersonating
DeviceMap                fffff88000007450
Owning Process           fffffa80057844d0      Image:        svchost.exe
Attached Process         N/A           Image:        N/A
Wait Start TickCount     10908131      Ticks: 18864 (0:00:04:54.750)
Context Switch Count     12660                LargeStack
UserTime                 00:00:00.671
KernelTime               00:00:00.578
Win32 Start Address 0×000007fefe51fdec
Stack Init fffffa6006249db0 Current fffffa6006249670
Base fffffa600624a000 Limit fffffa6006243000 Call 0
Priority 13 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP         RetAddr          Call Site
fffffa60`062496b0 fffff800`016a36fa nt!KiSwapContext+0×7f
fffffa60`062497f0 fffff800`0169835b nt!KiSwapThread+0×13a
fffffa60`06249860 fffff800`016cd4e2 nt!KeWaitForSingleObject+0×2cb
fffffa60`062498f0 fffff800`01916d14 nt!AlpcpSignalAndWait+0×92
fffffa60`06249980 fffff800`019137a6 nt!AlpcpReceiveSynchronousReply+0×44
fffffa60`062499e0 fffff800`0190330f nt!AlpcpProcessSynchronousRequest+0×24f
fffffa60`06249b00 fffff800`016a0ef3 nt!NtAlpcSendWaitReceivePort+0×19f
fffffa60`06249bb0 00000000`774d756a nt!KiSystemServiceCopyEnd+0×13 (TrapFrame @ fffffa60`06249c20)
00000000`029decd8 00000000`00000000 0×774d756a
1: kd> !alpc /m fffff880104eecf0
Message @ fffff880104eecf0
 MessageID            : 0x053C (1340)
 CallbackID           : 0xC26264 (12739172)
 SequenceNumber       : 0x0000031F (799)
 Type                 : LPC_REQUEST
 DataLength           : 0x0048 (72)
 TotalLength          : 0x0070 (112)
 Canceled             : No
 Release              : No
 ReplyWaitReply       : No
 Continuation         : Yes
 OwnerPort            : fffffa800a7804d0 [ALPC_CLIENT_COMMUNICATION_PORT]
 WaitingThread        : fffffa8006ef7060
 QueueType            : ALPC_MSGQUEUE_PENDING
 QueuePort            : fffffa80060d4c80 [ALPC_CONNECTION_PORT]
 QueuePortOwnerProcess : fffffa8004c39040 (svchost.exe)
 ServerThread         : fffffa800aa8c700
 QuotaCharged         : No
 CancelQueuePort      : 0000000000000000
 CancelSequencePort   : 0000000000000000
 CancelSequenceNumber : 0×00000000 (0)
 ClientContext        : 0000000004e87390
 ServerContext        : 0000000000000000
 PortContext          : 0000000005615340
 CancelPortContext    : 0000000000000000
 SecurityData         : 0000000000000000
 View                 : 0000000000000000
1: kd> !alpc /p fffffa80060d4c80
Port @ fffffa80060d4c80
 Type                     : ALPC_CONNECTION_PORT
 CommunicationInfo        : fffff88007f66ba0
   ConnectionPort         : fffffa80060d4c80
   ClientCommunicationPort : 0000000000000000
   ServerCommunicationPort : 0000000000000000
 OwnerProcess             : fffffa8004c39040 (svchost.exe)
 SequenceNo               : 0x00000000 (0)
 CompletionPort           : fffffa80057d8040
 CompletionList           : 0000000000000000
 MessageZone              : 0000000000000000
 ConnectionPending        : No
 ConnectionRefused        : No
 Disconnected             : No
 Closed                   : No
 FlushOnClose             : Yes
 ReturnExtendedInfo       : No
 Waitable                 : No
 Security                 : Static
 Wow64CompletionList      : No
 Main queue is empty.
 Large message queue is empty.
 Pending queue has 192 message(s)
   fffff88012c7e030 0000201c 0000000000013f88:00000000000154fc 0000000000000000 fffffa8008573a30 LPC_CANCELED
   fffff88009a98cf0 0000221c 0000000000000b04:00000000000109b4 fffffa800b533bb0 fffffa8008ee7bb0 LPC_REQUEST
   fffff880129b9cf0 00001ffc 00000000000067d8:000000000000a85c fffffa800a032060 fffffa800a408060 LPC_REQUEST
   fffff8800ed62cf0 00001ea4 0000000000012c1c:0000000000013238 fffffa800afbcbb0 fffffa800bbf1060 LPC_REQUEST
   fffff88011fa7cf0 000014ec 0000000000000b04:0000000000013a38 fffffa80072c6bb0 fffffa800b4d2700 LPC_REQUEST
   fffff8801001e980 0000159c 000000000000b25c:0000000000003004 fffffa8006ebcbb0 fffffa8009c25060 LPC_REQUEST
   fffff88009a56cf0 00001f94 0000000000012940:0000000000015478 fffffa800a75d700 fffffa800b4b8060 LPC_REQUEST
[...]
   fffff880129aa640 000018f0 000000000000d31c:00000000000147c0 fffffa800ab9bbb0 fffffa8006ffb560 LPC_REQUEST
   fffff88008b29ac0 0000152c 000000000000fa5c:000000000000faa4 0000000000000000 fffffa800abadbb0 LPC_CANCELED
   fffff88009eaa460 000005dc 000000000000e13c:000000000000e3d4 fffffa800921b630 fffffa800a191060 LPC_REQUEST
 Canceled queue is empty.
The .NET Developer’s Guide to Windows Security by M. Brown:
Developing code in non-privileged way: two logons (p. 35)
whoami command (p. 37) - whoami /all
netsh command (p. 37)
runas /netonly (p. 39)
Nested runas commands (p. 40)
Debugger Users group (p. 41)Â
Run - install assumption (p. 46) - Got an idea for a bugtation: “You must assume that your program will be” coded “by one person and” debugged “by another!”
Least privilige for installer design (p. 46)
Software Requirements & Specifications by M. Jackson:
Indicative mood of formalizations (p. 9)
Application domain vs. generic domain and app. domain vs. environment (p. 9)
Structured Analysis of DeMArco / Gane / Sarson - the danger of thinking in terms of a machine when looking at the existing system (p. 10)
Costruction of difficulty from simplicity in software development, shorter vs. longer problem description spans (pp. 12 - 14) - lesson: create one structural UML diagram that covers all possible problem spans
Different views on the origin of software development disasters (pp. 14 - 15) - the view from memory dump analysis engineer: study crash dump analysis patterns (by applying bijectionism) and learn from them. Software artifacts are memory dumps. Software development is memory change.
Software technology as technology of description (p. 17)Â
- Dmitry Vostokov @ SoftwareGeneralist.com -
Because debugging is a part of software construction and software engineering in general I repeat on this blog the announcement of the free online version of Debugged! MZ/PE magazine under the code name DEMO that was launched last night:
Debugging Expert Magazine Online (www.DebuggingExpert.com)
- Dmitry Vostokov @ SoftwareGeneralist.com -
Comments in italics are mine and express my own views, thoughts and opinions
Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:
InitializeCriticalSectionAndSpinCount (p. 187) - API description: http://msdn.microsoft.com/en-us/library/ms683476(VS.85).aspx
Tricky behaviour of keyed events (p. 188)
0: kd> dt _ETHREAD
nt!_ETHREAD
 +0x000 Tcb : _KTHREAD
 +0x330 CreateTime : _LARGE_INTEGER
 +0x338 ExitTime : _LARGE_INTEGER
 +0×338 KeyedWaitChain : _LIST_ENTRY
 +0×348 ExitStatus : Int4B
 +0×348 OfsChain : Ptr64 Void
 +0×350 PostBlockList : _LIST_ENTRY
 +0×350 ForwardLinkShadow : Ptr64 Void
 +0×358 StartAddress : Ptr64 Void
 +0×360 TerminationPort : Ptr64 _TERMINATION_PORT
 +0×360 ReaperLink : Ptr64 _ETHREAD
 +0×360 KeyedWaitValue : Ptr64 Void
 +0×360 Win32StartParameter : Ptr64 Void
 +0×368 ActiveTimerListLock : Uint8B
 +0×370 ActiveTimerListHead : _LIST_ENTRY
 +0×380 Cid : _CLIENT_ID
 +0×390 KeyedWaitSemaphore : _KSEMAPHORE
 +0×390 AlpcWaitSemaphore : _KSEMAPHORE
Safe and unsafe acquisition of fast and guarded mutexes (p. 189)
Gate primitive as an optimized event (pp. 189 - 190)
Executive resources (pp. 190 - 192) - These objects make analysis of synchronization issue easier because they have an owner thread:
0: kd> dt _ERESOURCE
nt!_ERESOURCE
 +0x000 SystemResourcesList : _LIST_ENTRY
 +0×010 OwnerTable : Ptr64 _OWNER_ENTRY
 +0×018 ActiveCount : Int2B
 +0×01a Flag : Uint2B
 +0×020 SharedWaiters : Ptr64 _KSEMAPHORE
 +0×028 ExclusiveWaiters : Ptr64 _KEVENT
 +0×030 OwnerEntry : _OWNER_ENTRY
 +0×040 ActiveEntries : Uint4B
 +0×044 ContentionCount : Uint4B
 +0×048 NumberOfSharedWaiters : Uint4B
 +0×04c NumberOfExclusiveWaiters : Uint4B
 +0×050 Reserved2 : Ptr64 Void
 +0×058 Address : Ptr64 Void
 +0×058 CreatorBackTraceIndex : Uint8B
 +0×060 SpinLock : Uint8B
0: kd> dt _OWNER_ENTRY
nt!_OWNER_ENTRY
 +0×000 OwnerThread : Uint8B
 +0×008 OwnerCount : Int4B
 +0×008 TableSize : Uint4B
There are some crash dump analysis pattern examples that involve executive resources: Deadlock (executive resources), High Contention (executive resources) and Wait Chain (executive resources)
Pushlocks are built on gates, pointer-size and have shared/exclusive mode (p. 192)
Lock convoys (p. 193) - This article explains them using critical section example: http://en.wikipedia.org/wiki/Lock_convoy
Shared vs. exclusive use of user mode critical sections (pp. 194 - 195)
Condition variables (p. 195) - New in Vista and W2K8. MSDN example of usage: http://msdn.microsoft.com/en-us/library/ms682052(VS.85).aspx. So it seems (if I understand it correctly) Windows implemented Monitor concept at OS level. I’m not accustomed to think in “high-level ” monitor terms when designing concurrency on Windows although it is a natural concept in Java. Even when I was programming in Java in the past I was thinking Windows primitives.
SRW (Slim Reader Writer) Locks to replace critical sections in user mode (p. 196) - Looks like new to Vista and W2K8
SRW + conditional variable as ideal combination (p. 196)
- Dmitry Vostokov @ SoftwareGeneralist.com -
Comments in italics are mine and express my own views, thoughts and opinions
The .NET Developer’s Guide to Windows Security by M. Brown:
The principle of least privilege as software construction mindset (pp. 17 - 18)
Close a resource as you finish to avoid security intra-context leaks (p. 18)
Always think about failure (p. 23)
Multifactor authentication (p. 25) - Useful mnemonic HKM (Have, Know, Made of)Â
Default modes in Kerberos and SSL: client to prove identity and server to prove identity (p. 26)
Did you complete identity proof by checking GUI details? (p. 26)
The luring attack (p. 27)
“Security Is a Process, Not a Product” by B. Schneier (p. 32) - Thinking analogically, regarding supportability, software engineers need to write maintainable code with a support engineer in mind.
Software Requirements & Specifications by M. Jackson:
Need to read this book to refresh my past software design and architecture knowledge
Software development as logic and math, as socio-ethical challenge, as labour employment relations, as problem in manufacturing control, as engineering (p. 1) - I see it as memory changesÂ
Distinction between machine and app domain: how and what (p. 1) - Modeling?
Requirements are in app domain (p. 2)
The importance of explicit and precise domain descriptions (p. 2)
Modeling is always incomplete, coincidental similarity of many OO descriptions to the real world (p. 3)
Specification as interface description between machine and app domain (p. 3)
Scope vs. Span: classes vs. areas (pp. 3 - 4)
Partial descriptions as separating concerns (p. 4)
Moods in description: optative (what we want) and indicative (is) (p. 4)
The importance of problem frames and multi-frame problems (pp. 4 - 5)
- Dmitry Vostokov @ SoftwareGeneralist.com -
Comments in italics are mine and express my own views, thoughts and opinions
Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:
Queued spinlocks - spinning on a per-processor flag and FIFO ordering (p. 175) - Basic algorithm is described in this paper (section 2.1): Scalable Queue-Based Spin Locks with Timeout http://www.cs.rice.edu/~wns1/papers/2001-PPoPP-QBLTO.pdf
Executive resource is not a dispatcher object (p. 179) - Indeed it doesn’t start with _DISPATCHER_HEADER:
0: kd> dt _ERESOURCE
nt!_ERESOURCE
  +0x000 SystemResourcesList : _LIST_ENTRY
  +0x010 OwnerTable      : Ptr64 _OWNER_ENTRY
  +0x018 ActiveCount     : Int2B
  +0x01a Flag            : Uint2B
  +0x020 SharedWaiters   : Ptr64 _KSEMAPHORE
  +0x028 ExclusiveWaiters : Ptr64 _KEVENT
  +0x030 OwnerEntry      : _OWNER_ENTRY
  +0x040 ActiveEntries   : Uint4B
  +0x044 ContentionCount : Uint4B
  +0x048 NumberOfSharedWaiters : Uint4B
  +0x04c NumberOfExclusiveWaiters : Uint4B
  +0x050 Reserved2       : Ptr64 Void
  +0x058 Address         : Ptr64 Void
  +0x058 CreatorBackTraceIndex : Uint8B
  +0x060 SpinLock        : Uint8B
0: kd> dt _KSEMAPHORE
nt!_KSEMAPHORE
  +0×000 Header          : _DISPATCHER_HEADER
  +0×018 Limit           : Int4B
Difference between a mutex in kernel and user (exported) modes (p. 181)
Some values in _DISPATCHER_HEADER can be ignored (depends on Type) (p. 185)
Meaning of _DISPATCHER_HEADER flags, table (p. 185)
_KOBJECTS, _DISPATCHER_HEADER.Type (pp. 185 - 186)
Looking wait queues manually (pp. 184 - 186) - I mistakenly subjected WinDbg to !list command passing the address of thread _KWAIT_BLOCK to it:
THREAD fffffa8003c0e8f0Â Cid 0004.0070Â Teb: 0000000000000000 Win32Thread: 0000000000000000 WAIT: (WrVirtualMemory) UserMode Non-Alertable
  fffff800019d97a0 Semaphore Limit 0x7fffffff
  fffff800019d9860 NotificationEvent
  fffff800019d9980 NotificationEvent
  fffff800019c8840 NotificationEvent
  fffff800019c8860 SynchronizationEvent
Not impersonating
DeviceMap                fffff88000007400
Owning Process           fffffa8003bcd0b0      Image:        System
Attached Process         N/A           Image:        N/A
Wait Start TickCount     34801717      Ticks: 1683 (0:00:00:26.254)
Context Switch Count     12886           Â
UserTime                 00:00:00.000
KernelTime               00:00:00.702
Win32 Start Address nt!MiDereferenceSegmentThread (0xfffff8000193caa0)
Stack Init fffffa6001947db0 Current fffffa6001947a60
Base fffffa6001948000 Limit fffffa6001942000 Call 0
Priority 18 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP         RetAddr          Call Site
fffffa60`01947aa0 fffff800`0186d28a nt!KiSwapContext+0x7f
fffffa60`01947be0 fffff800`0186c896 nt!KiSwapThread+0x2fa
fffffa60`01947c50 fffff800`0193cb36 nt!KeWaitForMultipleObjects+0x2d6
fffffa60`01947cd0 fffff800`01a8bfd3 nt!MiDereferenceSegmentThread+0x96
fffffa60`01947d50 fffff800`018a1816 nt!PspSystemThreadStartup+0x57
fffffa60`01947d80 00000000`00000000 nt!KiStartSystemThread+0x16
0: kd> dt _KTHREAD fffffa8003c0e8f0
nt!_KTHREAD
  +0x000 Header          : _DISPATCHER_HEADER
  +0x018 CycleTime       : 0x55dc0a75
  +0x020 QuantumTarget   : 0x69dfdff1
  +0x028 InitialStack    : 0xfffffa60`01947db0
  +0x030 StackLimit      : 0xfffffa60`01942000
  +0x038 KernelStack     : 0xfffffa60`01947a60
  +0x040 ThreadLock      : 0
  +0x048 ApcState        : _KAPC_STATE
  +0x048 ApcStateFill    : [43] "8???"
  +0x073 Priority        : 18 ''
  +0x074 NextProcessor   : 0
  +0x076 DeferredProcessor : 1
  +0x078 ApcQueueLock    : 0
  +0x080 WaitStatus      : 0
  +0×088 WaitBlockList   : 0xfffff800`0198cfd0 _KWAIT_BLOCK
[…]
and it entered endless loop becoming unresponsive. CPU was spiking 50% (2 processor machine). I forced a crash dump in Task Manager (Spiking Thread pattern, http://www.dumpanalysis.org/blog/index.php/2007/05/11/crash-dump-analysis-patterns-part-14/):
0:000> kL
Child-SP         RetAddr          Call Site
00000000`0024bee8 000007fe`f507f0dd msftedit!CFormatRunPtr::GetFormat+0xa
00000000`0024bef0 000007fe`f507f54c msftedit!CTxtRange::SpanSubstring+0x101
00000000`0024bf50 000007fe`f5087d90 msftedit!CTxtRange::ItemizeRuns+0x2d8
00000000`0024c2c0 000007fe`f507dd0b msftedit!CRchTxtPtr::ItemizeReplaceRange+0x14c
00000000`0024c3c0 000007fe`f509d28f msftedit!CTxtRange::SetCharFormat+0xc77
00000000`0024c630 000007fe`f504f568 msftedit!CTxtSelection::SetCharFormat+0x23f
00000000`0024c770 000007fe`f50a3f84 msftedit!CTxtEdit::OnSetCharFormat+0x110
00000000`0024c910 000007fe`f50585b2 msftedit!CTxtEdit::TxSendMessage+0x23b0
00000000`0024cbb0 00000000`7769d53e msftedit!RichEditWndProc+0xcca
00000000`0024d5b0 00000000`7769b5b5 user32!UserCallWinProcCheckWow+0x1ad
00000000`0024d670 00000000`7769b649 user32!SendMessageWorker+0x64a
00000000`0024d700 00000001`3f9b3f9e user32!SendMessageW+0x5b
00000000`0024d750 00000001`3f9b41a0 windbg!RichEditAddRawText+0x13e
00000000`0024d7a0 00000001`3f9b47ef windbg!RichEditAddText+0x1b0
00000000`0024d840 00000001`3f977629 windbg!RichEditAddTextBuffer+0x13f
00000000`0024d9a0 00000001`3f9c8728 windbg!WinCommand::AddTextBuffer+0xb9
00000000`0024da10 00000001`3f9d3739 windbg!wmain+0x4b8
00000000`0024fad0 00000000`7776be3d windbg!_CxxFrameHandler3+0x291
00000000`0024fb10 00000000`778a6a51 kernel32!BaseThreadInitThunk+0xd
00000000`0024fb40 00000000`00000000 ntdll!RtlUserThreadStart+0x1d
0:000> r
rax=0000000000000000 rbx=000000000008d64a rcx=000000000024bf10
rdx=0000000002603a00 rsi=0000000000000001 rdi=0000000000048b33
rip=000007fef50566f6 rsp=000000000024bee8 rbp=0000000000000000
 r8=000000000002b6e6 r9=0000000000000000 r10=000000000024bf90
r11=000000000024bf20 r12=00000000025e17d0 r13=000000000024bfd0
r14=0000000011461b46 r15=0000000000000000
iopl=0Â Â Â Â Â Â Â Â nv up ei pl nz na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b            efl=00000206
msftedit!CFormatRunPtr::GetFormat+0xa:
000007fe`f50566f6 394208         cmp    dword ptr [rdx+8],eax ds:00000000`02603a08=00042d7a
0:000> !runaway
 User Mode Time
 Thread      Time
  0:d64      0 days 0:01:12.899
  1:f38      0 days 0:00:25.880
  3:c58      0 days 0:00:01.669
  6:12e4     0 days 0:00:00.000
  5:a84      0 days 0:00:00.000
  4:e88      0 days 0:00:00.000
  2:f80      0 days 0:00:00.000
The .NET Developer’s Guide to Windows Security by M. Brown:
Reading this book to refresh my knowledge of Windows security needed for my work on the next generation troubleshooting tools. I read the previous “Programming Windows Security” book more than 6 years ago
Data channel vs. control channel (p. 4)
Countermeasures in protection, detection and reaction (pp. 7 - 
- Troubleshooting tools: Supportability (code), Detection (monitoring) and Reaction (reporting, alerts)
Threat model (p. 12) -Â “Supportability model” in the sense of predicting issues and their servicing
Unqualifiability of “My System is Secure” () - “My System is Supportable”. An idea for a bugtation: “[…] it’s impossible to” support “a system that you don’t understand”. What about crash dump analysis then?
STRIDE (Howard, LeBlanc)Â (p. 13)
Repudiation as denial of an attack by an attacker (p. 13)
Compexity as a security enemy (p. 16) - An idea for another bugtation “compexity is the number-one enemy of” debugging. When IÂ was thinking prioritizing supportability features and idea of supportlets came to my mind
-Â Dmitry Vostokov @ SoftwareGeneralist.com -
Comments in italics are mine and express my own views, thoughts and opinions
Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:
Instancing the namespace in \Sessions\n (p. 167) - note that prior to Vista console session was 0 and was shared with services
DeviceMap _EPROCESS substructure (p. 168)
0: kd> dt _DEVICE_MAP
nt!_DEVICE_MAP
  +0x000 DosDevicesDirectory : Ptr64 _OBJECT_DIRECTORY
  +0x008 GlobalDosDevicesDirectory : Ptr64 _OBJECT_DIRECTORY
  +0x010 ReferenceCount  : Uint4B
  +0x014 DriveMap        : Uint4B
  +0x018 DriveType       : [32] UChar
Altitude object filtering concept (p. 170)
Incorrect sharing of memory example (p. 171) - although context switches emulate multiprocessor systems single-processor machines experience the same error conditions less frequently: http://www.dumpanalysis.org/blog/index.php/2007/04/14/race-conditions-on-a-uniprocessor-machine/
Spinlock illustration (pp. 173) - here is a “spinning” illustration in 3-dimensional abstract space: http://www.dumpanalysis.org/blog/index.php/2007/10/25/threads-as-braided-strings-in-abstract-space-part-1/
lock xadd and lock bts (pp. 172 - 173)
Spinlock busy wait CPU consumption (p. 174) - I had some cases and named a pattern called Dispatch Level Spin (not only applicable to spinlocks but to every loop at DPC level and higher(: http://www.dumpanalysis.org/blog/index.php/2008/01/25/crash-dump-analysis-patterns-part-44/
Pause instruction (p. 174) - Here’s a short description with disassembly example from Asmpedia: http://www.asmpedia.org/index.php?title=PAUSE
- Dmitry Vostokov @ SoftwareGeneralist.com -
Windows code, Unix code, MSDOS code, BeOS code, Cantor code, PDP code, x86 code, … Every such code has its distinct semantics and pragmatics, converging, evolving and coming to extinction, backed by economic, social and political forces, having its readers and writers. A few years ago I bought and started reading the book “Empires of the Word” by Nicholas Ostler and while thinking today whether I should buy its Folio edition I finally realised that there are also empires of the code intertwined with modern history. As usual, I reserve an ISBN number for this (978-1906717810) yet unwritten book and starting to think about collaborative writing.
- Dmitry Vostokov @ SoftwareGeneralist.com -