Software Generalist

Reading Notebook: 18-March-10

Dmitry Vostokov — Fri, 19 Mar 2010 02:38:19 +0000

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

Deferred ready and standby thread states (p. 400)

Gait waiting (p. 401)

Transition state as state with paged out kernel stack (p. 401) - flattening thread state transition diagram for ready state:

deferred ready -> ready <-> running

Thread state counter in Performance Monitor (pp. 402 - 404)

Per-processor ready queues and O(1) (pp. 404 - 405)

PRCB (p. 404) - rather a huge structure on x64 W2K8:

0: kd> dt nt!_KPRCB +0x000 MxCsr : Uint4B +0x004 Number : Uint2B +0x006 InterruptRequest : UChar +0x007 IdleHalt : UChar +0x008 CurrentThread : Ptr64 _KTHREAD +0x010 NextThread : Ptr64 _KTHREAD +0x018 IdleThread : Ptr64 _KTHREAD +0x020 NestingLevel : UChar +0x021 Group : UChar +0x022 PrcbPad00 : [6] UChar +0x028 RspBase : Uint8B +0x030 PrcbLock : Uint8B +0x038 SetMember : Uint8B +0x040 ProcessorState : _KPROCESSOR_STATE +0x5f0 CpuType : Char +0x5f1 CpuID : Char +0x5f2 CpuStep : Uint2B +0x5f2 CpuStepping : UChar +0x5f3 CpuModel : UChar +0x5f4 MHz : Uint4B +0x5f8 HalReserved : [8] Uint8B +0x638 MinorVersion : Uint2B +0x63a MajorVersion : Uint2B +0x63c BuildType : UChar +0x63d CpuVendor : UChar +0x63e CoresPerPhysicalProcessor : UChar +0x63f LogicalProcessorsPerCore : UChar +0x640 ApicMask : Uint4B +0x644 CFlushSize : Uint4B +0x648 AcpiReserved : Ptr64 Void +0x650 InitialApicId : Uint4B +0x654 Stride : Uint4B +0x658 PrcbPad01 : [3] Uint8B +0x670 LockQueue : [49] _KSPIN_LOCK_QUEUE +0x980 PPLookasideList : [16] _PP_LOOKASIDE_LIST +0xa80 PPNPagedLookasideList : [32] _GENERAL_LOOKASIDE_POOL +0x1680 PPPagedLookasideList : [32] _GENERAL_LOOKASIDE_POOL +0x2280 PacketBarrier : Uint8B +0×2288 DeferredReadyListHead : _SINGLE_LIST_ENTRY +0×2290 MmPageFaultCount : Int4B +0×2294 MmCopyOnWriteCount : Int4B +0×2298 MmTransitionCount : Int4B +0×229c MmDemandZeroCount : Int4B +0×22a0 MmPageReadCount : Int4B +0×22a4 MmPageReadIoCount : Int4B +0×22a8 MmDirtyPagesWriteCount : Int4B +0×22ac MmDirtyWriteIoCount : Int4B +0×22b0 MmMappedPagesWriteCount : Int4B +0×22b4 MmMappedWriteIoCount : Int4B +0×22b8 KeSystemCalls : Uint4B +0×22bc KeContextSwitches : Uint4B +0×22c0 CcFastReadNoWait : Uint4B +0×22c4 CcFastReadWait : Uint4B +0×22c8 CcFastReadNotPossible : Uint4B +0×22cc CcCopyReadNoWait : Uint4B +0×22d0 CcCopyReadWait : Uint4B +0×22d4 CcCopyReadNoWaitMiss : Uint4B +0×22d8 LookasideIrpFloat : Int4B +0×22dc IoReadOperationCount : Int4B +0×22e0 IoWriteOperationCount : Int4B +0×22e4 IoOtherOperationCount : Int4B +0×22e8 IoReadTransferCount : _LARGE_INTEGER +0×22f0 IoWriteTransferCount : _LARGE_INTEGER +0×22f8 IoOtherTransferCount : _LARGE_INTEGER +0×2300 TargetSet : Uint8B +0×2308 IpiFrozen : Uint4B +0×230c PrcbPad3 : [116] UChar +0×2380 RequestMailbox : [64] _REQUEST_MAILBOX +0×3380 SenderSummary : Uint8B +0×3388 PrcbPad4 : [120] UChar +0×3400 DpcData : [2] _KDPC_DATA +0×3440 DpcStack : Ptr64 Void +0×3448 SparePtr0 : Ptr64 Void +0×3450 MaximumDpcQueueDepth : Int4B +0×3454 DpcRequestRate : Uint4B +0×3458 MinimumDpcRate : Uint4B +0×345c DpcInterruptRequested : UChar +0×345d DpcThreadRequested : UChar +0×345e DpcRoutineActive : UChar +0×345f DpcThreadActive : UChar +0×3460 TimerHand : Uint8B +0×3460 TimerRequest : Uint8B +0×3468 TickOffset : Int4B +0×346c MasterOffset : Int4B +0×3470 DpcLastCount : Uint4B +0×3474 ThreadDpcEnable : UChar +0×3475 QuantumEnd : UChar +0×3476 PrcbPad50 : UChar +0×3477 IdleSchedule : UChar +0×3478 DpcSetEventRequest : Int4B +0×347c KeExceptionDispatchCount : Uint4B +0×3480 DpcEvent : _KEVENT +0×3498 PrcbPad51 : Ptr64 Void +0×34a0 CallDpc : _KDPC +0×34e0 ClockKeepAlive : Int4B +0×34e4 ClockCheckSlot : UChar +0×34e5 ClockPollCycle : UChar +0×34e6 PrcbPad6 : [2] UChar +0×34e8 DpcWatchdogPeriod : Int4B +0×34ec DpcWatchdogCount : Int4B +0×34f0 PrcbPad70 : [2] Uint8B +0×3500 WaitListHead : _LIST_ENTRY +0×3510 WaitLock : Uint8B +0×3518 ReadySummary : Uint4B +0×351c QueueIndex : Uint4B +0×3520 PrcbPad71 : [12] Uint8B +0×3580 DispatcherReadyListHead : [32] _LIST_ENTRY +0×3780 InterruptCount : Uint4B +0×3784 KernelTime : Uint4B +0×3788 UserTime : Uint4B +0×378c DpcTime : Uint4B +0×3790 InterruptTime : Uint4B +0×3794 AdjustDpcThreshold : Uint4B +0×3798 SkipTick : UChar +0×3799 DebuggerSavedIRQL : UChar +0×379a PollSlot : UChar +0×379b PrcbPad80 : [5] UChar +0×37a0 DpcTimeCount : Uint4B +0×37a4 DpcTimeLimit : Uint4B +0×37a8 PeriodicCount : Uint4B +0×37ac PeriodicBias : Uint4B +0×37b0 PrcbPad81 : [2] Uint8B +0×37c0 ParentNode : Ptr64 _KNODE +0×37c8 MultiThreadProcessorSet : Uint8B +0×37d0 MultiThreadSetMaster : Ptr64 _KPRCB +0×37d8 StartCycles : Uint8B +0×37e0 MmSpinLockOrdering : Int4B +0×37e4 PageColor : Uint4B +0×37e8 NodeColor : Uint4B +0×37ec NodeShiftedColor : Uint4B +0×37f0 SecondaryColorMask : Uint4B +0×37f4 Sleeping : Int4B +0×37f8 CycleTime : Uint8B +0×3800 CcFastMdlReadNoWait : Uint4B +0×3804 CcFastMdlReadWait : Uint4B +0×3808 CcFastMdlReadNotPossible : Uint4B +0×380c CcMapDataNoWait : Uint4B +0×3810 CcMapDataWait : Uint4B +0×3814 CcPinMappedDataCount : Uint4B +0×3818 CcPinReadNoWait : Uint4B +0×381c CcPinReadWait : Uint4B +0×3820 CcMdlReadNoWait : Uint4B +0×3824 CcMdlReadWait : Uint4B +0×3828 CcLazyWriteHotSpots : Uint4B +0×382c CcLazyWriteIos : Uint4B +0×3830 CcLazyWritePages : Uint4B +0×3834 CcDataFlushes : Uint4B +0×3838 CcDataPages : Uint4B +0×383c CcLostDelayedWrites : Uint4B +0×3840 CcFastReadResourceMiss : Uint4B +0×3844 CcCopyReadWaitMiss : Uint4B +0×3848 CcFastMdlReadResourceMiss : Uint4B +0×384c CcMapDataNoWaitMiss : Uint4B +0×3850 CcMapDataWaitMiss : Uint4B +0×3854 CcPinReadNoWaitMiss : Uint4B +0×3858 CcPinReadWaitMiss : Uint4B +0×385c CcMdlReadNoWaitMiss : Uint4B +0×3860 CcMdlReadWaitMiss : Uint4B +0×3864 CcReadAheadIos : Uint4B +0×3868 MmCacheTransitionCount : Int4B +0×386c MmCacheReadCount : Int4B +0×3870 MmCacheIoCount : Int4B +0×3874 PrcbPad91 : [3] Uint4B +0×3880 PowerState : _PROCESSOR_POWER_STATE +0×3998 KeAlignmentFixupCount : Uint4B +0×399c VendorString : [13] UChar +0×39a9 PrcbPad10 : [3] UChar +0×39ac FeatureBits : Uint4B +0×39b0 UpdateSignature : _LARGE_INTEGER +0×39b8 DpcWatchdogDpc : _KDPC +0×39f8 DpcWatchdogTimer : _KTIMER +0×3a38 Cache : [5] _CACHE_DESCRIPTOR +0×3a74 CacheCount : Uint4B +0×3a78 CachedCommit : Uint4B +0×3a7c CachedResidentAvailable : Uint4B +0×3a80 HyperPte : Ptr64 Void +0×3a88 WheaInfo : Ptr64 Void +0×3a90 EtwSupport : Ptr64 Void +0×3aa0 InterruptObjectPool : _SLIST_HEADER +0×3ab0 HypercallPageList : _SLIST_HEADER +0×3ac0 HypercallPageVirtual : Ptr64 Void +0×3ac8 VirtualApicAssist : Ptr64 Void +0×3ad0 StatisticsPage : Ptr64 Uint8B +0×3ad8 RateControl : Ptr64 Void +0×3ae0 CacheProcessorMask : [5] Uint8B +0×3b08 PackageProcessorSet : Uint8B +0×3b10 CoreProcessorSet : Uint8B

Changes thread quantum accounting in Vista, quantum targets, partial quantum decay (pp. 406 - 407)

The mystery of huge number in KiCyclesPerClockQuantum (p. 408) - here is an output on my PC:

0: kd> dd KiCyclesPerClockQuantum l1 fffff800`01a45170 008e58db

0: kd> !cpuinfo CP F/M/S Manufacturer MHz PRCB Signature MSR 8B Signature Features 0 6,15,2 GenuineIntel 1794 0000005600000000 20193ffe 1 6,15,2 GenuineIntel 1794 0000005600000000 20193ffe Cached Update Signature 0000005a00000000 Initial Update Signature 0000005600000000

C:\>C:\DL\Clockres.exe

Maximum timer interval: 15.600 ms Minimum timer interval: 0.500 ms Current timer interval: 1.000 ms

HKLM\S\CCS\C\PriorityControl\Win32PrioritySeparation vs. PsPrioritySeperation - looks like a misprint that needs fixing in the next version of Windows Why it was a deliberate misspelling (p. 411) we can only guess…

0: kd> dd PsPrioritySeperation l1 fffff800`01a45228 00000002

- Dmitry Vostokov @ SoftwareGeneralist.com -

Reading Notebook: 15-March-10

Dmitry Vostokov — Tue, 16 Mar 2010 10:31:46 +0000

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

Limiting high-priority ready threads by a processor affinity (p. 391)

Thread dispatch reasons: ready, leaves running state, priority change, processor affinity change (p. 392)

Thread vs. process scheduling granularity (pp. 392 - 393)

Thread priority level 0 is reserved for zero page thread (p. 393)

2 pespectives on thread priority levels (pp. 393 - 394)

Changing CPU-intensive process base priority instead of priority of individual threads (p. 395)

Increased based priority for special processes (p. 395) - here is a comparison of base priorities between lsm.exe and smss.exe from x64 W2K8:

0: kd> !process fffffa80047ffc10 PROCESS fffffa80047ffc10 SessionId: 0 Cid: 0294 Peb: 7fffffd6000 ParentCid: 0238 DirBase: b1c4e000 ObjectTable: fffff88007f05cd0 HandleCount: 173. Image: lsm.exe VadRoot fffffa80046dd720 Vads 68 Clone 0 Private 462. Modified 0. Locked 0. DeviceMap fffff88000007310 Token fffff88007f376f0 ElapsedTime 00:04:17.552 UserTime 00:00:00.015 KernelTime 00:00:00.000 QuotaPoolUsage[PagedPool] 69000 QuotaPoolUsage[NonPagedPool] 7072 Working Set Sizes (now,min,max) (1314, 50, 345) (5256KB, 200KB, 1380KB) PeakWorkingSetSize 1318 VirtualSize 36 Mb PeakVirtualSize 38 Mb PageFaultCount 1375 MemoryPriority BACKGROUND BasePriority 8 CommitCharge 756

0: kd> !process fffffa80046d9040 PROCESS fffffa80046d9040 SessionId: none Cid: 019c Peb: 7fffffdf000 ParentCid: 0004 DirBase: bccd5000 ObjectTable: fffff880005f45b0 HandleCount: 33. Image: smss.exe VadRoot fffffa80046d97e0 Vads 19 Clone 0 Private 96. Modified 24. Locked 0. DeviceMap fffff88000007310 Token fffff88000964af0 ElapsedTime 00:04:40.343 UserTime 00:00:00.000 KernelTime 00:00:00.000 QuotaPoolUsage[PagedPool] 10392 QuotaPoolUsage[NonPagedPool] 1728 Working Set Sizes (now,min,max) (254, 50, 345) (1016KB, 200KB, 1380KB) PeakWorkingSetSize 254 VirtualSize 6 Mb PeakVirtualSize 16 Mb PageFaultCount 458 MemoryPriority BACKGROUND BasePriority 11 CommitCharge 127

Sleep(0) to relinquish the rest of quantum (p. 396)

Realtime Notepad (pp. 397 - 398) - I’m often asked why it doesn’t affect performance? This is because most threads in a system are waiting and notepad is waiting for window messages to process like keyboard and mouse. It is more noticeable when a realtime thread starts looping - it becomes scheduled every time

WSRM (Windows System Resource Manager) (pp. 398 - 399) - Looks good to prevent CPU spikes and memory leaks to come out of control

Thread priorities and IRQL (pp. 399 - 400) - in another words these concepts are orthogonal (independent from each other)

- Dmitry Vostokov @ SoftwareGeneralist.com -

Reading Notebook: 11-March-10

Dmitry Vostokov — Thu, 11 Mar 2010 17:11:58 +0000

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

Clock cycle counter for measuring CPU activity (p. 382)

Process Explorer usage to inspect hung threads (p. 383) - useful for coupled processes (http://www.dumpanalysis.org/blog/index.php/2007/09/26/crash-dump-analysis-patterns-part-28/) and could be great with simultaneous WinDbg session to inspect wait chains (http://www.dumpanalysis.org/blog/index.php/2009/02/17/wait-chain-patterns/)

Process Explorer shows both thread and WOW64 thread stacks on x64 (p. 384)

Thread stack and context query limitations for protected processes (pp. 384 - 386)

Thread pool mechanism was moved into kernel space in Vista (p. 387)

TpWorkerFactory and I/O completion ports and KQUEUE (pp. 387 - 388) - see also a “brief guide” to I/O completion ports: http://www.dumpanalysis.org/blog/index.php/2007/11/27/understanding-io-completion-ports/

The mystery of ntdll!TppWorkerThread in stack traces (pp. 389 - 390)

- Dmitry Vostokov @ SoftwareGeneralist.com -

Reading Notebook: 10-March-10

Dmitry Vostokov — Thu, 11 Mar 2010 00:29:06 +0000

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

W32THREAD (p. 371) - One candidate in _ETHREAD that points to it is Tcb.Win32Thread. One interesting code I found on how to extract window message queues from it: http://www.cc.gatech.edu/~brendan/volatility/dl/threadqueues.py. _W32THREAD structure on x64 W2K8 (we also see that is points to _ETHREAD):

0: kd> dt _W32THREAD win32k!_W32THREAD +0x000 pEThread : Ptr64 _ETHREAD +0x008 RefCount : Uint4B +0x010 ptlW32 : Ptr64 _TL +0x018 pgdiDcattr : Ptr64 Void +0x020 pgdiBrushAttr : Ptr64 Void +0x028 pUMPDObjs : Ptr64 Void +0x030 pUMPDHeap : Ptr64 Void +0x038 pUMPDObj : Ptr64 Void +0x040 pProxyPort : Ptr64 Void +0x048 pClientID : Ptr64 Void +0x050 GdiTmpTgoList : _LIST_ENTRY

!thread output fields (p. 376) - Stack Base and Limit fields can be useful to dump raw stack data via dps command to see execution residue or when reconstructing stack trace, see, for example, this pattern: http://www.dumpanalysis.org/blog/index.php/2009/10/23/crash-dump-analysis-patterns-part-88/

tlist utility (p. 377)

Thread creation calls (pp. 380 - 381) - a condensed view of top level function calls on x64 W2K8:

0: kd> uf /c CreateThread kernel32!CreateThread (00000000`7731c1c0) kernel32!CreateThread+0x28 (00000000`7731c1e8): call to kernel32!CreateRemoteThread (00000000`7731c200)

0: kd> uf /c CreateRemoteThread Flow analysis was incomplete, some code may be missing kernel32!CreateRemoteThread (00000000`7731c200) kernel32!CreateRemoteThread+0x134 (00000000`7731c334): call to ntdll!NtCreateThreadEx (00000000`77477790) kernel32!CreateRemoteThread+0×166 (00000000`7731c366): call to ntdll!RtlAllocateActivationContextStack (00000000`77456900) kernel32!CreateRemoteThread+0×1b4 (00000000`7731c3b4): call to ntdll!RtlQueryInformationActivationContext (00000000`77456b20) kernel32!CreateRemoteThread+0×241 (00000000`7731c441): call to ntdll!CsrClientCallServer (00000000`7747a460) kernel32!CreateRemoteThread+0×281 (00000000`7731c47d): call to ntdll!ZwResumeThread (00000000`77477230) kernel32!CreateRemoteThread+0×38b (00000000`7731c4ae): call to kernel32!_security_check_cookie (00000000`7732c200)

0: kd> uf /c NtCreateThreadEx ntdll!NtCreateThreadEx (00000000`77477790) no calls found

0: kd> uf NtCreateThreadEx ntdll!NtCreateThreadEx: 00000000`77477790 4c8bd1 mov r10,rcx 00000000`77477793 b8a5000000 mov eax,0A5h 00000000`77477798 0f05 syscall 00000000`7747779a c3 ret

0: kd> uf /c nt!NtCreateThreadEx nt!NtCreateThreadEx (fffff800`01af60fc) nt!NtCreateThreadEx+0x3d (fffff800`01af6139): call to nt!memset (fffff800`0187a4d0) nt!NtCreateThreadEx+0x5b (fffff800`01af6157): call to nt!memset (fffff800`0187a4d0) nt!NtCreateThreadEx+0x99 (fffff800`01af6195): call to nt!memset (fffff800`0187a4d0) nt!NtCreateThreadEx+0xc8 (fffff800`01af61c4): call to nt!PspBuildCreateProcessContext (fffff800`01af5204) nt!NtCreateThreadEx+0x1e1 (fffff800`01af62dd): call to nt!PspCreateThread (fffff800`01af5d40) nt!NtCreateThreadEx+0×1f0 (fffff800`01af62ec): call to nt!PspDeleteCreateProcessContext (fffff800`01af68f0)

0: kd> uf /c nt!PspCreateThread nt!PspCreateThread (fffff800`01af5d40) nt!PspCreateThread+0x102 (fffff800`01af5e42): call to nt!ObReferenceObjectByHandle (fffff800`01ad8110) nt!PspCreateThread+0x15b (fffff800`01af5e9b): call to nt!ObfReferenceObject (fffff800`01883250) nt!PspCreateThread+0x22f (fffff800`01af5f6f): call to nt!PspAllocateThread (fffff800`01af6338) nt!PspCreateThread+0x243 (fffff800`01af5f83): call to nt!ObfDereferenceObject (fffff800`0187cde0) nt!PspCreateThread+0x2a6 (fffff800`01af5fe6): call to nt!PspInsertThread (fffff800`01af4c10) nt!PspCreateThread+0x318 (fffff800`01af6058): call to nt!ObfDereferenceObject (fffff800`0187cde0) nt!PspCreateThread+0x32a (fffff800`01af606a): call to nt!_security_check_cookie (fffff800`01895e50) nt!PspCreateThread+0x36a (fffff800`01af60aa): call to nt!ObfReferenceObject (fffff800`01883250) nt!PspCreateThread+0x3a2 (fffff800`01af60e2): call to nt!ExfAcquireRundownProtection (fffff800`0184f66c) nt! ?? ::NNGAKEGL::`string'+0x2816e (fffff800`01b3628e): call to nt!KiCheckForKernelApcDelivery (fffff800`0183c754) nt! ?? ::NNGAKEGL::`string'+0x281ad (fffff800`01b362ca): call to nt!ExfReleaseRundownProtection (fffff800`0184f690) nt! ?? ::NNGAKEGL::`string'+0x281ce (fffff800`01b362eb): call to nt!KiCheckForKernelApcDelivery (fffff800`0183c754) nt! ?? ::NNGAKEGL::`string'+0x281d8 (fffff800`01b362f5): call to nt!ObfDereferenceObject (fffff800`0187cde0) nt! ?? ::NNGAKEGL::`string'+0x281e7 (fffff800`01b36304): call to nt!ExfReleaseRundownProtection (fffff800`0184f690) nt! ?? ::NNGAKEGL::`string'+0x281ff (fffff800`01b3631c): call to nt!KiCheckForKernelApcDelivery (fffff800`0183c754) nt! ?? ::NNGAKEGL::`string'+0x2821a (fffff800`01b36337): call to nt!PspTerminateThreadByPointer (fffff800`01ad30dc)

- Dmitry Vostokov @ SoftwareGeneralist.com -

Reading Notebook: 01-March-10

Dmitry Vostokov — Tue, 02 Mar 2010 00:51:52 +0000

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

NtCreateProcess (pp. 349 - 351) - a condensed view of top level function calls on x64 W2K8:

0: kd> uf /c nt!NtCreateProcess nt!NtCreateProcess (fffff800`01c51770) nt!NtCreateProcess+0x64 (fffff800`01c517d4): call to nt!NtCreateProcessEx (fffff800`01c516e0)

0: kd> uf /c nt!NtCreateProcessEx nt!NtCreateProcessEx (fffff800`01c516e0) nt!NtCreateProcessEx+0x7d (fffff800`01c5175d): call to nt!PspCreateProcess (fffff800`01c51410)

0: kd> uf /c nt!PspCreateProcess nt!PspCreateProcess (fffff800`01c51410) nt!PspCreateProcess+0xd0 (fffff800`01c514e0): call to nt!ObReferenceObjectByHandle (fffff800`01ad8110) nt!PspCreateProcess+0xff (fffff800`01c5150f): call to nt!ObfDereferenceObject (fffff800`0187cde0) nt!PspCreateProcess+0x146 (fffff800`01c51556): call to nt!ObReferenceObjectByHandle (fffff800`01ad8110) nt!PspCreateProcess+0x1a6 (fffff800`01c515b6): call to nt!PspAllocateProcess (fffff800`01aac690) nt!PspCreateProcess+0x202 (fffff800`01c51612): call to nt!PspInsertProcess (fffff800`01aa6520) nt!PspCreateProcess+0x21b (fffff800`01c5162b): call to nt!PspDoHandleSweepSingle (fffff800`01b92770) nt!PspCreateProcess+0x26f (fffff800`01c5167f): call to nt!SeDeleteAccessState (fffff800`01b02f8c) nt!PspCreateProcess+0x27a (fffff800`01c5168a): call to nt!ObfDereferenceObject (fffff800`0187cde0) nt!PspCreateProcess+0x287 (fffff800`01c51697): call to nt!ObfDereferenceObject (fffff800`0187cde0) nt!PspCreateProcess+0x294 (fffff800`01c516a4): call to nt!ObfDereferenceObject (fffff800`0187cde0) nt!PspCreateProcess+0x2a7 (fffff800`01c516b7): call to nt!_security_check_cookie (fffff800`01895e50)

NtCreateUserProcess (pp. 351 - 360) - a condensed view of top level function calls on x64 W2K8:

0: kd> uf /c nt!NtCreateUserProcess nt!NtCreateUserProcess (fffff800`01ab2238) nt!NtCreateUserProcess+0x97 (fffff800`01ab22cf): call to nt!memset (fffff800`0187a4d0) nt!NtCreateUserProcess+0xb4 (fffff800`01ab22ec): call to nt!memset (fffff800`0187a4d0) nt!NtCreateUserProcess+0x184 (fffff800`01ab23bc): call to nt!ExRaiseDatatypeMisalignment (fffff800`01bddd20) nt!NtCreateUserProcess+0x1c2 (fffff800`01ab23fb): call to nt!memset (fffff800`0187a4d0) nt!NtCreateUserProcess+0x1dd (fffff800`01ab2416): call to nt!PspBuildCreateProcessContext (fffff800`01af5204) nt!NtCreateUserProcess+0x207 (fffff800`01ab2440): call to nt!PspCaptureCreateInfo (fffff800`01aad390) nt!NtCreateUserProcess+0x2d1 (fffff800`01ab250a): call to nt!ZwOpenFile (fffff800`01873480) nt!NtCreateUserProcess+0x311 (fffff800`01ab254a): call to nt!ObReferenceObjectByHandle (fffff800`01ad8110) nt!NtCreateUserProcess+0x378 (fffff800`01ab25b1): call to nt!ZwCreateSection (fffff800`01873760) nt!NtCreateUserProcess+0x3af (fffff800`01ab25e8): call to nt!ObReferenceObjectByHandle (fffff800`01ad8110) nt!NtCreateUserProcess+0x412 (fffff800`01ab264b): call to nt!PspCaptureProcessParameters (fffff800`01aae128) nt!NtCreateUserProcess+0x483 (fffff800`01ab26bc): call to nt!PspAllocateProcess (fffff800`01aac690) nt!NtCreateUserProcess+0x546 (fffff800`01ab277f): call to nt!ObfReferenceObject (fffff800`01883250) nt!NtCreateUserProcess+0x630 (fffff800`01ab2869): call to nt!PspAllocateThread (fffff800`01af6338) nt!NtCreateUserProcess+0x69f (fffff800`01ab28d8): call to nt!PspInsertProcess (fffff800`01aa6520) nt!NtCreateUserProcess+0x70e (fffff800`01ab2947): call to nt!PspInsertThread (fffff800`01af4c10) nt!NtCreateUserProcess+0x74f (fffff800`01ab2988): call to nt!PspCreateObjectHandle (fffff800`01b01e10) nt!NtCreateUserProcess+0x775 (fffff800`01ab29ae): call to nt!memmove (fffff800`0186fce0) nt!NtCreateUserProcess+0x7ca (fffff800`01ab2a03): call to nt!PspUpdateCreateInfo (fffff800`01aadc9c) nt!NtCreateUserProcess+0x7d9 (fffff800`01ab2a12): call to nt!SeDeleteAccessState (fffff800`01b02f8c) nt!NtCreateUserProcess+0x7e9 (fffff800`01ab2a22): call to nt!ObfDereferenceObject (fffff800`0187cde0) nt!NtCreateUserProcess+0x7f1 (fffff800`01ab2a2a): call to nt!ObfDereferenceObject (fffff800`0187cde0) nt!NtCreateUserProcess+0x7fe (fffff800`01ab2a37): call to nt!PspDeleteCreateProcessContext (fffff800`01af68f0) nt!NtCreateUserProcess+0x810 (fffff800`01ab2a49): call to nt!_security_check_cookie (fffff800`01895e50) nt!NtCreateUserProcess+0x862 (fffff800`01ab2a9b): call to nt!ZwOpenFile (fffff800`01873480) nt!NtCreateUserProcess+0x884 (fffff800`01ab2abd): call to nt!PspUpdateCreateInfo (fffff800`01aadc9c) nt! ?? ::NNGAKEGL::`string'+0x4f944 (fffff800`01b55164): call to nt!ObReferenceObjectByHandle (fffff800`01ad8110) nt! ?? ::NNGAKEGL::`string'+0x4f9a5 (fffff800`01b551c5): call to nt!PspUpdateCreateInfo (fffff800`01aadc9c) nt! ?? ::NNGAKEGL::`string'+0x4fa80 (fffff800`01b55298): call to nt!PspGetContextThreadInternal (fffff800`01b02660) nt! ?? ::NNGAKEGL::`string'+0x4faf3 (fffff800`01b55303): call to nt!ExfTryToWakePushLock (fffff800`0186b924) nt! ?? ::NNGAKEGL::`string'+0x4fb21 (fffff800`01b55325): call to nt!KiCheckForKernelApcDelivery (fffff800`0183c754) nt! ?? ::NNGAKEGL::`string'+0x4fb3e (fffff800`01b55342): call to nt!PspDoHandleSweepSingle (fffff800`01b92770) nt! ?? ::NNGAKEGL::`string'+0x4fb92 (fffff800`01b55392): call to nt!KiCheckForKernelApcDelivery (fffff800`0183c754) nt! ?? ::NNGAKEGL::`string'+0x4fba0 (fffff800`01b553a0): call to nt!PspDoHandleSweepSingle (fffff800`01b92770) nt! ?? ::NNGAKEGL::`string'+0x4fbb2 (fffff800`01b553b2): call to nt!PsTerminateProcess (fffff800`01b94140)

The check for import of disallowed API during post-process initialization (p. 361)

CsrCreateProcess (pp. 361 - 362) - Here’s a condensed view of top level function calls on x64 W2K8:

0: kd> uf /c CsrCreateProcess CSRSRV!CsrCreateProcess (000007fe`fd8c76c8) CSRSRV!CsrCreateProcess+0x18 (000007fe`fd8c76e0): call to CSRSRV!CsrpCreateProcess (000007fe`fd8c7280)

0: kd> uf /c CsrpCreateProcess CSRSRV!CsrpCreateProcess (000007fe`fd8c7280) CSRSRV!CsrpCreateProcess+0x2e (000007fe`fd8c72ae): call to ntdll!RtlEnterCriticalSection (00000000`77478920) CSRSRV!CsrpCreateProcess+0x66 (000007fe`fd8c72e6): call to CSRSRV!CsrCreateThread (000007fe`fd8c77fc) CSRSRV!CsrpCreateProcess+0x78 (000007fe`fd8c72f8): call to ntdll!ZwClose (00000000`77476e00) CSRSRV!CsrpCreateProcess+0x83 (000007fe`fd8c7303): call to CSRSRV!CsrAllocateProcess (000007fe`fd8c715c) CSRSRV!CsrpCreateProcess+0xa4 (000007fe`fd8c7324): call to CSRSRV!CsrGetProcessLuid (000007fe`fd8c8790) CSRSRV!CsrpCreateProcess+0x114 (000007fe`fd8c7394): call to CSRSRV!memcpy (000007fe`fd8cadec) CSRSRV!CsrpCreateProcess+0x1ab (000007fe`fd8c742b): call to ntdll!NtSetInformationProcess (00000000`77476ed0) CSRSRV!CsrpCreateProcess+0x1d2 (000007fe`fd8c7452): call to ntdll!NtSetInformationProcess (00000000`77476ed0) CSRSRV!CsrpCreateProcess+0x257 (000007fe`fd8c74d7): call to ntdll!NtSetInformationProcess (00000000`77476ed0) CSRSRV!CsrpCreateProcess+0x277 (000007fe`fd8c74f7): call to ntdll!RtlFreeHeap (00000000`77478c80) CSRSRV!CsrpCreateProcess+0x2d8 (000007fe`fd8c7558): call to ntdll!NtQueryInformationThread (00000000`77476f60) CSRSRV!CsrpCreateProcess+0x2f0 (000007fe`fd8c7570): call to ntdll!RtlFreeHeap (00000000`77478c80) CSRSRV!CsrpCreateProcess+0x2fd (000007fe`fd8c757d): call to CSRSRV!CsrAllocateThread (000007fe`fd8c7b94) CSRSRV!CsrpCreateProcess+0x32d (000007fe`fd8c75ad): call to CSRSRV!CsrInsertThread (000007fe`fd8c7bfc) CSRSRV!CsrpCreateProcess+0x344 (000007fe`fd8c75c4): call to ntdll!RtlFreeHeap (00000000`77478c80) CSRSRV!CsrpCreateProcess+0x356 (000007fe`fd8c75d6): call to ntdll!RtlFreeHeap (00000000`77478c80) CSRSRV!CsrpCreateProcess+0x365 (000007fe`fd8c75e5): call to ntdll!RtlLeaveCriticalSection (00000000`77478960) CSRSRV!CsrpCreateProcess+0x393 (000007fe`fd8c7613): call to CSRSRV!CsrSetBackgroundPriority (000007fe`fd8c712c) CSRSRV!CsrpCreateProcess+0x3b6 (000007fe`fd8c7636): call to CSRSRV!CsrInsertProcess (000007fe`fd8c71f0) CSRSRV!CsrpCreateProcess+0x3d8 (000007fe`fd8c7658): call to ntdll!RtlLeaveCriticalSection (00000000`77478960)

No elevation, virtualization and compatibility checks for protected processes (p. 362)

KiThreadStartup (p. 363) - it looks like on x64 W2K8 it is KxStartUserThread that has this high-level call structure:

0: kd> uf /c nt!KxStartUserThread nt!KxStartUserThread (fffff800`018b56e0) nt!KiStartUserThread+0x12 (fffff800`018b5756): unresolvable call: call qword ptr [rsp+10h] nt!KiStartUserThread+0x9f (fffff800`018b57e3): call to nt!KiInitiateUserApc (fffff800`0189d710) nt!KiStartUserThread+0xbc (fffff800`018b5800): call to nt!KiRestoreDebugRegisterState (fffff800`01878860)

PspUserThreadStartup (p. 363) - high-level call structure on x64 W2K8

0: kd> uf /c PspUserThreadStartup nt!PspUserThreadStartup (fffff800`01b01ae4) nt!PspUserThreadStartup+0xa1 (fffff800`01b01b85): call to nt!MmGetSessionLocaleId (fffff800`01b028a4) nt!PspUserThreadStartup+0xdc (fffff800`01b01bc0): call to nt!DbgkCreateThread (fffff800`01b02cc0) nt!PspUserThreadStartup+0x100 (fffff800`01b01be4): call to nt!PfProcessCreateNotification (fffff800`01ab46cc) nt!PspUserThreadStartup+0x121 (fffff800`01b01c05): call to nt!PspInitializeThunkContext (fffff800`01b028e4) nt! ?? ::NNGAKEGL::`string'+0x42263 (fffff800`01b48d5a): call to nt!ExfAcquirePushLockExclusive (fffff800`0186aa60) nt! ?? ::NNGAKEGL::`string'+0x4226b (fffff800`01b48d62): call to nt!ExfReleasePushLockExclusive (fffff800`018c4b98) nt! ?? ::NNGAKEGL::`string'+0x42283 (fffff800`01b48d7a): call to nt!KiCheckForKernelApcDelivery (fffff800`0183c754) nt! ?? ::NNGAKEGL::`string'+0x42299 (fffff800`01b48d90): call to nt!PspTerminateThreadByPointer (fffff800`01ad30dc)

System-wide cookie in SharedUserData for pointer encoding/decoding API (p. 363)

LdrInitializeThunk (p. 364) - high-level call structure on x64 W2K8

0: kd> uf /c LdrInitializeThunk ntdll!LdrInitializeThunk (00000000`774568d0) ntdll!LdrInitializeThunk+0x9 (00000000`774568d9): call to ntdll!LdrpInitialize (00000000`77456990) ntdll!LdrInitializeThunk+0×13 (00000000`774568e3): call to ntdll!ZwContinue (00000000`77477140) ntdll!LdrInitializeThunk+0×1a (00000000`774568ea): call to ntdll!RtlRaiseStatus (00000000`774e8fa0) ntdll!RtlAllocateActivationContextStack+0×29 (00000000`7745692d): call to ntdll!RtlAllocateHeap (00000000`774789b0)

0: kd> uf /c LdrpInitialize Matched: 00000000`774567f0 ntdll!LdrpInitialize = Matched: 00000000`77456990 ntdll!LdrpInitialize = Ambiguous symbol error at ‘LdrpInitialize’

0: kd> uf /c 00000000`77456990 Flow analysis was incomplete, some code may be missing ntdll!LdrpInitialize (00000000`77456990) ntdll!LdrpInitialize+0xaa (00000000`7745689a): call to ntdll!LdrpInitializeThread (00000000`77470770) ntdll!LdrpInitialize+0xaf (00000000`7745689f): call to ntdll!ZwTestAlert (00000000`77478490) ntdll! ?? ::FNODOBFM::`string’+0×20948 (00000000`7746bb8b): call to ntdll!RtlInitializeSRWLock (00000000`774687f0) ntdll! ?? ::FNODOBFM::`string’+0×20954 (00000000`7746bb97): call to ntdll!LdrpInitializeProcess (00000000`7746ca20) ntdll! ?? ::FNODOBFM::`string’+0×20b40 (00000000`7746d540): call to ntdll!InitSecurityCookie (00000000`7746d560) ntdll! ?? ::FNODOBFM::`string’+0×20ae4 (00000000`7746e52f): call to ntdll!NtDelayExecution (00000000`77477050)

0: kd> uf /c ntdll!LdrpInitializeThread ntdll!LdrpInitializeThread (00000000`77470770) ntdll!LdrShutdownThread+0x139 (00000000`77437544): call to ntdll!LdrpCallTlsInitializers (00000000`77437630) ntdll!LdrpInitializeThread+0x16d (00000000`774376f8): call to ntdll!LdrpCallTlsInitializers (00000000`77437630) ntdll!LdrShutdownThread+0x124 (00000000`77448199): call to ntdll!RtlActivateActivationContextUnsafeFast (00000000`77478bf0) ntdll!LdrShutdownThread+0x149 (00000000`774481b5): unresolvable call: call rsi ntdll!LdrShutdownThread+0x151 (00000000`774481bd): call to ntdll!RtlDeactivateActivationContextUnsafeFast (00000000`77478b00) ntdll!LdrShutdownThread+0x68 (00000000`77448238): call to ntdll!RtlEnterCriticalSection (00000000`77478920) ntdll!LdrShutdownThread+0x1cd (00000000`774483cf): call to ntdll!LdrpFreeTls (00000000`774482f0) ntdll!LdrShutdownThread+0x1e1 (00000000`774483e3): call to ntdll!RtlLeaveCriticalSection (00000000`77478960) ntdll!LdrShutdownThread+0x1e6 (00000000`774483e8): call to ntdll!LdrpCleanupThreadTlsData (00000000`77448490) ntdll!LdrShutdownThread+0x213 (00000000`77448415): call to ntdll!RtlFreeHeap (00000000`77478c80) ntdll!LdrShutdownThread+0x246 (00000000`77448448): call to ntdll!RtlFreeActivationContextStack (00000000`774480a0) ntdll!LdrpInitializeThread+0x264 (00000000`774706bf): call to ntdll!RtlLeaveCriticalSection (00000000`77478960) ntdll!LdrpInitializeThread+0x43 (00000000`774707b3): call to ntdll!RtlAllocateActivationContextStack (00000000`77456900) ntdll!LdrpInitializeThread+0x5f (00000000`774707cf): call to ntdll!RtlEnterCriticalSection (00000000`77478920) ntdll!LdrpInitializeThread+0x65 (00000000`774707d5): call to ntdll!LdrpAllocateTls (00000000`774569d0) ntdll!LdrpInitializeThread+0x13e (00000000`774708ae): call to ntdll!RtlActivateActivationContextUnsafeFast (00000000`77478bf0) ntdll!LdrpInitializeThread+0x161 (00000000`774708d5): unresolvable call: call rsi ntdll!LdrpInitializeThread+0x17c (00000000`774708e1): call to ntdll!RtlDeactivateActivationContextUnsafeFast (00000000`77478b00) ntdll!LdrpInitializeThread+0x1a9 (00000000`7749017c): call to ntdll!RtlRaiseStatus (00000000`774e8fa0) ntdll!LdrpInitializeThread+0x1b5 (00000000`77490188): call to ntdll!RtlLeaveCriticalSection (00000000`77478960) ntdll!LdrpInitializeThread+0x1d0 (00000000`774901a3): call to ntdll!NtDelayExecution (00000000`77477050) ntdll!LdrpInitializeThread+0x1dc (00000000`774901af): call to ntdll!RtlEnterCriticalSection (00000000`77478920) ntdll!LdrpInitializeThread+0x233 (00000000`7749020a): call to ntdll!RtlActivateActivationContextUnsafeFast (00000000`77478bf0) ntdll!LdrpInitializeThread+0x245 (00000000`7749021c): call to ntdll!LdrpCallTlsInitializers (00000000`77437630) ntdll!LdrpInitializeThread+0x250 (00000000`77490227): call to ntdll!RtlDeactivateActivationContextUnsafeFast (00000000`77478b00) ntdll!LdrShutdownThread+0x1ab (00000000`7749027e): call to ntdll!RtlActivateActivationContextUnsafeFast (00000000`77478bf0) ntdll!LdrShutdownThread+0x1bd (00000000`77490290): call to ntdll!LdrpCallTlsInitializers (00000000`77437630) ntdll!LdrShutdownThread+0x1c8 (00000000`7749029b): call to ntdll!RtlDeactivateActivationContextUnsafeFast (00000000`77478b00) ntdll! ?? ::FNODOBFM::`string'+0x15c61 (00000000`774bd160): call to ntdll!NtDelayExecution (00000000`77477050) ntdll! ?? ::FNODOBFM::`string'+0x15c6e (00000000`774bd16d): call to ntdll!RtlRaiseStatus (00000000`774e8fa0) ntdll! ?? ::FNODOBFM::`string'+0x15cb0 (00000000`774bd1a6): call to ntdll!RtlEnterCriticalSection (00000000`77478920) ntdll! ?? ::FNODOBFM::`string'+0x15cbc (00000000`774bd1b2): call to ntdll!RtlLeaveCriticalSection (00000000`77478960) ntdll! ?? ::FNODOBFM::`string'+0x15cd7 (00000000`774bd1cd): call to ntdll!RtlFreeHeap (00000000`77478c80) ntdll! ?? ::FNODOBFM::`string'+0x15cfd (00000000`774bd1f3): call to ntdll!RtlFreeHeap (00000000`77478c80)

0: kd> uf /c ntdll!LdrpInitializeProcess Flow analysis was incomplete, some code may be missing ntdll!LdrpInitializeProcess (00000000`7746ca20) ntdll!LdrpInitializeProcess+0xf88 (00000000`7746bc0d): call to ntdll!LdrpUpdateOrderLinks (00000000`774644c0) ntdll!LdrpInitializeProcess+0xf9c (00000000`7746bc21): call to ntdll!RtlInsertInvertedFunctionTable (00000000`77464e50) ntdll!LdrpInitializeProcess+0xfa4 (00000000`7746bc29): call to ntdll!LdrpAllocateDataTableEntry (00000000`77464380) ntdll!LdrpInitializeProcess+0x1098 (00000000`7746bc76): call to ntdll!RtlImageNtHeaderEx (00000000`7747dc00) ntdll!LdrpInitializeProcess+0x10f1 (00000000`7746bccd): call to ntdll!RtlAppendUnicodeStringToString (00000000`774574b0) ntdll!LdrpInitializeProcess+0x110f (00000000`7746bceb): call to ntdll!LdrpUpdateOrderLinks (00000000`774644c0) ntdll!LdrpInitializeProcess+0x1123 (00000000`7746bcff): call to ntdll!RtlInsertInvertedFunctionTable (00000000`77464e50) ntdll!LdrpInitializeProcess+0x1128 (00000000`7746bd04): call to ntdll!RtlInitializeHistoryTable (00000000`7746da90) ntdll!LdrpInitializeProcess+0x11c9 (00000000`7746bd4f): call to ntdll!RtlpInitCurrentDir (00000000`7746db70) ntdll!LdrpInitializeProcess+0x1648 (00000000`7746bdca): call to ntdll!LdrLoadDll (00000000`77463e30) ntdll!LdrpInitializeProcess+0x16ba (00000000`7746bdf9): call to ntdll!LdrGetProcedureAddressEx (00000000`7747dd10) ntdll!LdrpInitializeProcess+0x171f (00000000`7746be16): call to ntdll!LdrpWalkImportDescriptor (00000000`77466390) ntdll!LdrpInitializeProcess+0x18cd (00000000`7746be5b): call to ntdll!LdrpInitializeTls (00000000`7746e380) ntdll!LdrpInitializeProcess+0x1940 (00000000`7746be88): call to ntdll!LdrpRunInitializeRoutines (00000000`77464650) ntdll!LdrpInitializeProcess+0x138e (00000000`7746bedf): call to ntdll!LdrLoadDll (00000000`77463e30) ntdll!LdrpInitializeProcess+0x13ff (00000000`7746bf0d): call to ntdll!LdrGetProcedureAddressEx (00000000`7747dd10) ntdll!LdrpInitializeProcess+0x1475 (00000000`7746bf3b): call to ntdll!LdrGetProcedureAddressEx (00000000`7747dd10) ntdll!LdrpInitializeProcess+0x14eb (00000000`7746bf69): call to ntdll!LdrGetProcedureAddressEx (00000000`7747dd10) ntdll!LdrpInitializeProcess+0x19f5 (00000000`7746bfc5): call to ntdll!_security_check_cookie (00000000`7747acb0) ntdll!LdrpInitializeProcess+0x32 (00000000`7746ca52): call to ntdll!RtlSetUnhandledExceptionFilter (00000000`7746c2d0) ntdll!LdrpInitializeProcess+0xe9 (00000000`7746ca9a): call to ntdll!RtlInitNlsTables (00000000`7746c920) ntdll!LdrpInitializeProcess+0xf6 (00000000`7746caa7): call to ntdll!RtlResetRtlTranslations (00000000`7746c410) ntdll!LdrpInitializeProcess+0xfe (00000000`7746caaf): call to ntdll!RtlpInitSRWLock (00000000`7746c530) ntdll!LdrpInitializeProcess+0x103 (00000000`7746cab4): call to ntdll!RtlpInitConditionVariable (00000000`7746c550) ntdll!LdrpInitializeProcess+0x213 (00000000`7746cb7d): call to ntdll!RtlImageNtHeader (00000000`774567b0) ntdll!LdrpInitializeProcess+0x273 (00000000`7746cbd7): call to ntdll!LdrpInitializeExecutionOptions (00000000`7746c6b0) ntdll!LdrpInitializeProcess+0x353 (00000000`7746cc2f): call to ntdll!RtlImageDirectoryEntryToData (00000000`7746a940) ntdll!LdrpInitializeProcess+0x3cd (00000000`7746cc95): call to ntdll!RtlNormalizeProcessParams (00000000`7746c2f0) ntdll!LdrpInitializeProcess+0x423 (00000000`7746cce3): call to ntdll!RtlImageDirectoryEntryToData (00000000`7746a940) ntdll!LdrpInitializeProcess+0x448 (00000000`7746cd02): call to ntdll!memset (00000000`77478830) ntdll!LdrpInitializeProcess+0x58c (00000000`7746cd53): call to ntdll!RtlpInitDeferredCriticalSection (00000000`7746c640) ntdll!LdrpInitializeProcess+0x7d5 (00000000`7746ceb5): call to ntdll!RtlInitializeCriticalSection (00000000`77455d20) ntdll!LdrpInitializeProcess+0x7fb (00000000`7746cedb): call to ntdll!RtlInitializeHeapManager (00000000`7746c7a0) ntdll!LdrpInitializeProcess+0x84b (00000000`7746cf2a): call to ntdll!RtlCreateHeap (00000000`77466ed0) ntdll!LdrpInitializeProcess+0x8e2 (00000000`7746cf51): call to ntdll!RtlAllocateActivationContextStack (00000000`77456900) ntdll!LdrpInitializeProcess+0x8f6 (00000000`7746cf65): call to ntdll!EtwpInitializeDll (00000000`7746c250) ntdll!LdrpInitializeProcess+0x916 (00000000`7746cf85): call to ntdll!RtlCreateTagHeap (00000000`7746d320) ntdll!LdrpInitializeProcess+0x942 (00000000`7746cfb1): call to ntdll!RtlCreateTagHeap (00000000`7746d320) ntdll!LdrpInitializeProcess+0x962 (00000000`7746cfd1): call to ntdll!RtlpInitEnvironmentBlock (00000000`7746d380) ntdll!LdrpInitializeProcess+0x96f (00000000`7746cfde): call to ntdll!RtlpInitParameterBlock (00000000`7746d7f0) ntdll!LdrpInitializeProcess+0xa5e (00000000`7746d068): call to ntdll!RtlInitUnicodeString (00000000`7747ad10) ntdll!LdrpInitializeProcess+0xa73 (00000000`7746d07d): call to ntdll!RtlAppendUnicodeStringToString (00000000`774574b0) ntdll!LdrpInitializeProcess+0xa87 (00000000`7746d091): call to ntdll!RtlAppendUnicodeStringToString (00000000`774574b0) ntdll!LdrpInitializeProcess+0xaf0 (00000000`7746d0fe): call to ntdll!ZwOpenDirectoryObject (00000000`77477290) ntdll!LdrpInitializeProcess+0xc2a (00000000`7746d171): call to ntdll!ZwOpenSymbolicLinkObject (00000000`77477cb0) ntdll!LdrpInitializeProcess+0xc6b (00000000`7746d1b2): call to ntdll!ZwQuerySymbolicLinkObject (00000000`77477f60) ntdll!LdrpInitializeProcess+0xc7a (00000000`7746d1c1): call to ntdll!ZwClose (00000000`77476e00) ntdll!LdrpInitializeProcess+0xe50 (00000000`7746d24d): call to ntdll!LdrpAllocateDataTableEntry (00000000`77464380) ntdll!LdrpInitializeProcess+0xee4 (00000000`7746d289): call to ntdll!RtlImageNtHeaderEx (00000000`7747dc00) ntdll!LdrpInitializeProcess+0x30d (00000000`77473eb0): call to ntdll!NtQueryInformationProcess (00000000`77476ea0) ntdll!LdrpInitializeProcess+0x635 (00000000`77473ef0): call to ntdll!RtlSetBits (00000000`77466c00) ntdll!LdrpInitializeProcess+0x873 (00000000`77473f19): call to ntdll!RtlCreateHeap (00000000`77466ed0) ntdll!LdrpInitializeProcess+0xbb8 (00000000`774744f9): call to ntdll!ZwOpenDirectoryObject (00000000`77477290) ntdll!LdrpInitializeProcess+0xe10 (00000000`77474554): call to ntdll!RtlAppendUnicodeStringToString (00000000`774574b0) ntdll!LdrpInitializeProcess+0x77 (00000000`77490a96): call to ntdll!NtQueryVirtualMemory (00000000`77476f40) ntdll!LdrpInitializeProcess+0xb3 (00000000`77490ad2): call to ntdll!NtQueryVirtualMemory (00000000`77476f40) ntdll!LdrpInitializeProcess+0x2d2 (00000000`77490b92): call to ntdll!LdrpLogDbgPrint (00000000`774ec5a0) ntdll!LdrpInitializeProcess+0x2db (00000000`77490b9d): call to ntdll!DbgBreakPoint (00000000`77476060) ntdll!LdrpInitializeProcess+0x720 (00000000`77490d34): call to ntdll!LdrQueryImageFileExecutionOptions (00000000`77473260) ntdll!LdrpInitializeProcess+0x790 (00000000`77490da4): call to ntdll!LdrpLogDbgPrint (00000000`774ec5a0) ntdll!LdrpInitializeProcess+0x79a (00000000`77490dae): call to ntdll!DbgBreakPoint (00000000`77476060) ntdll!LdrpInitializeProcess+0x7c6 (00000000`77490dda): call to ntdll!RtlControlStackTraceDataBase (00000000`774e3cd0) ntdll!LdrpInitializeProcess+0x8ac (00000000`77490e27): call to ntdll!LdrpLogDbgPrint (00000000`774ec5a0) ntdll!LdrpInitializeProcess+0x8bf (00000000`77490e3a): call to ntdll!DbgBreakPoint (00000000`77476060) ntdll!LdrpInitializeProcess+0x9ff (00000000`77490e8c): call to ntdll!RtlQueryImageFileKeyOption (00000000`77473320) ntdll!LdrpInitializeProcess+0xb0f (00000000`77490ee2): call to ntdll!RtlInitUnicodeString (00000000`7747ad10) ntdll!LdrpInitializeProcess+0xcea (00000000`77490f57): call to ntdll!LdrpLogDbgPrint (00000000`774ec5a0) ntdll!LdrpInitializeProcess+0xd01 (00000000`77490f6e): call to ntdll!LdrpInitializationFailure (00000000`774ed120) ntdll!LdrpInitializeProcess+0xd3f (00000000`77490f82): call to ntdll!RtlAllocateHeap (00000000`774789b0) ntdll!LdrpInitializeProcess+0xd7d (00000000`77490fc0): call to ntdll!LdrpLogDbgPrint (00000000`774ec5a0) ntdll!LdrpInitializeProcess+0xd90 (00000000`77490fd3): call to ntdll!DbgBreakPoint (00000000`77476060)

Private vs. shared assemblies (p. 365)

- Dmitry Vostokov @ SoftwareGeneralist.com -

Reading Notebook: 09-February-10

Dmitry Vostokov — Tue, 09 Feb 2010 21:51:34 +0000

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

CreateProcess and Increase Scheduling Priority privilege (p. 351)

MS-DOS apps share the same VDM (p. 353)

HKLM\S\CCS\C\WOW\DefaultSeparateVDM (p. 353)

IMAGE_FILE_UP_SYSTEM_ONLY PE characteristic to run on a single CPU (p. 358)

Upon creation initial thread starts in kernel mode in KiThreadStartup (p. 360)

- Dmitry Vostokov @ SoftwareGeneralist.com -

Reading Notebook: 25-January-10

Dmitry Vostokov — Mon, 25 Jan 2010 22:23:10 +0000

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

Kernel Process variables (p. 343)

0: kd> !process poi(PsIdleProcess) PROCESS fffff800019910c0 SessionId: none Cid: 0000 Peb: 00000000 ParentCid: 0000 DirBase: 00124000 ObjectTable: fffff88000000080 HandleCount: 606. Image: Idle VadRoot fffffa8003b97c70 Vads 1 Clone 0 Private 1. Modified 0. Locked 0. DeviceMap 0000000000000000 Token fffff88000003330 ElapsedTime 00:00:00.000 UserTime 00:00:00.000 KernelTime 00:00:00.000 QuotaPoolUsage[PagedPool] 0 QuotaPoolUsage[NonPagedPool] 0 Working Set Sizes (now,min,max) (6, 50, 450) (24KB, 200KB, 1800KB) PeakWorkingSetSize 6 VirtualSize 0 Mb PeakVirtualSize 0 Mb PageFaultCount 1 MemoryPriority BACKGROUND BasePriority 0 CommitCharge 0

THREAD fffff80001990b80 Cid 0000.0000 Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 0 Not impersonating DeviceMap fffff88000007310 Owning Process fffff800019910c0 Image: Idle Attached Process fffffa8003bf1040 Image: System Wait Start TickCount 16021 Ticks: 13224 (0:00:03:26.295) Context Switch Count 142852 UserTime 00:00:00.000 KernelTime 00:06:13.700 Win32 Start Address nt!KiIdleLoop (0xfffff80001876880) Stack Init fffff80002bdadb0 Current fffff80002bdad40 Base fffff80002bdb000 Limit fffff80002bd5000 Call 0 Priority 16 BasePriority 0 PriorityDecrement 0 IoPriority 0 PagePriority 0 Child-SP RetAddr Call Site fffff800`02bdad80 fffff800`01a43860 nt!KiIdleLoop+0x11b fffff800`02bdadb0 00000000`00000000 nt!zzz_AsmCodeRange_End+0x4

THREAD fffffa60005f5d40 Cid 0000.0000 Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 1 Not impersonating DeviceMap fffff88000007310 Owning Process fffff800019910c0 Image: Idle Attached Process fffffa8003bf1040 Image: System Wait Start TickCount 0 Ticks: 29245 (0:00:07:36.224) Context Switch Count 162365 UserTime 00:00:00.000 KernelTime 00:06:14.808 Win32 Start Address nt!KiIdleLoop (0xfffff80001876880) Stack Init fffffa600191bdb0 Current fffffa600191bd40 Base fffffa600191c000 Limit fffffa6001916000 Call 0 Priority 16 BasePriority 0 PriorityDecrement 0 IoPriority 0 PagePriority 0 Child-SP RetAddr Call Site fffffa60`0191bd80 fffff800`01a43860 nt!KiIdleLoop+0x11b fffffa60`0191bdb0 00000000`00000000 nt!zzz_AsmCodeRange_End+0x4

Relevant process functions (pp. 344 - 345) - More of them can be found here: http://msdn.microsoft.com/en-us/library/ms684847(VS.85).aspx

Protected processes (pp. 346 - 348) - It can be seen in _EPROCESS block (the output taken from a complete memory dump):

0: kd> dt _EPROCESS fffffa8004b5e040 ntdll!_EPROCESS [...] +0x36c ProtectedProcess : 0y1 [...]

The following script lists protected processes on W2K8:

0: kd> !for_each_process "dt _EPROCESS ImageFileName @#Process; dt _EPROCESS ProtectedProcess @#Process" ntdll!_EPROCESS +0x238 ImageFileName : [16] "System" ntdll!_EPROCESS +0x36c ProtectedProcess : 0y1 [...] ntdll!_EPROCESS +0x238 ImageFileName : [16] "audiodg.exe" ntdll!_EPROCESS +0x36c ProtectedProcess : 0y1 [...]

System process is protected because of Ksecdd.sys stores info in user space (p. 347)

PROCESS_QUERY_LIMITED_INFORMATION (p. 347)

Access violation by design for Protected Media Path processes when a kernel-mode debugger is enabled (p. 348) - this is not an optimal design in my opinion - I had problems with that: http://www.dumpanalysis.org/blog/index.php/2010/01/08/live-kernel-debugging-of-a-system-freeze-case-study/. The better way is to show a message box and gracefully exit and only emit AV if message box is bypassed.

Advanced .NET Debugging by M. Hewardt:

PE format and its relation to .NET (pp. 26 - 27)

AddressOfEntryPoint (pp. 28 - 29 and p. 31) - we can also use !dh command to find that address (similar to what dumpbin.exe does):

0:001> lm m notepad start end module name 00000000`ff180000 00000000`ff1af000 notepad (deferred)

0:001> !dh 00000000`ff180000 [...] OPTIONAL HEADER VALUES 20B magic # 8.00 linker version E400 size of code 1CC00 size of initialized data 0 size of uninitialized data D1B4 address of entry point 1000 base of code —– new —– 00000000ff180000 image base 1000 section alignment 200 file alignment 2 subsystem (Windows GUI) 6.00 operating system version 6.00 image version 6.00 subsystem version 2F000 size of image 400 size of headers 32C26 checksum […]

0:001> u 00000000`ff180000+D1B4 notepad!WinMainCRTStartup: 00000000`ff18d1b4 4883ec28 sub rsp,28h 00000000`ff18d1b8 e88b020000 call notepad!_security_init_cookie (00000000`ff18d448) 00000000`ff18d1bd 4883c428 add rsp,28h 00000000`ff18d1c1 e9b6fcffff jmp notepad!IsTextUTF8+0xc0 (00000000`ff18ce7c) 00000000`ff18d1c6 cc int 3 00000000`ff18d1c7 cc int 3 00000000`ff18d1c8 cc int 3 00000000`ff18d1c9 cc int 3

Application domains in ASP.NET; 3 default app domains (system, shared, default) in normal app (p. 34)

!dumpdomain SOS command (pp. 35 - 36)

Low(High)FrequencyHeap and StubHeap (p. 36) - Looks like they are not normal heaps or heap segments. I plan to test all commands on x64 .NET:

0:003> !dumpdomain -------------------------------------- System Domain: 000007fef15a8ef0 LowFrequencyHeap: 000007fef15a8f38 HighFrequencyHeap: 000007fef15a8fc8 StubHeap: 000007fef15a9058 Stage: OPEN Name: None -------------------------------------- Shared Domain: 000007fef15a9860 LowFrequencyHeap: 000007fef15a98a8 HighFrequencyHeap: 000007fef15a9938 StubHeap: 000007fef15a99c8 Stage: OPEN Name: None Assembly: 0000000000372d10 -------------------------------------- Domain 1: 0000000000360840 LowFrequencyHeap: 0000000000360888 HighFrequencyHeap: 0000000000360918 StubHeap: 00000000003609a8 Stage: OPEN SecurityDescriptor: 00000000003630e0 Name: TestCLR.exe [...]

- Dmitry Vostokov @ SoftwareGeneralist.com -

Reading Notebook: 04-January-10

Dmitry Vostokov — Mon, 04 Jan 2010 16:48:57 +0000

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

Diagnostic Policy Service, DPS (pp. 330 - 331)

SMART (p. 332) - Don’t confuse with recursive acronym Smart Memory Analysis in Real Time (coined by me)

Windows system responsiveness performance diagnostics (p. 332)

Program Compatibility Assistant, PCA (p. 333)

_EPROCESS and _KPROCESS (pp. 337 - 339) - x64 equivalents from W2K8:

lkd> dt _EPROCESS ntdll!_EPROCESS +0x000 Pcb : _KPROCESS +0x0c0 ProcessLock : _EX_PUSH_LOCK +0x0c8 CreateTime : _LARGE_INTEGER +0x0d0 ExitTime : _LARGE_INTEGER +0x0d8 RundownProtect : _EX_RUNDOWN_REF +0x0e0 UniqueProcessId : Ptr64 Void +0x0e8 ActiveProcessLinks : _LIST_ENTRY +0x0f8 QuotaUsage : [3] Uint8B +0x110 QuotaPeak : [3] Uint8B +0x128 CommitCharge : Uint8B +0x130 PeakVirtualSize : Uint8B +0x138 VirtualSize : Uint8B +0x140 SessionProcessLinks : _LIST_ENTRY +0x150 DebugPort : Ptr64 Void +0x158 ExceptionPortData : Ptr64 Void +0x158 ExceptionPortValue : Uint8B +0x158 ExceptionPortState : Pos 0, 3 Bits +0x160 ObjectTable : Ptr64 _HANDLE_TABLE +0x168 Token : _EX_FAST_REF +0x170 WorkingSetPage : Uint8B +0x178 AddressCreationLock : _EX_PUSH_LOCK +0x180 RotateInProgress : Ptr64 _ETHREAD +0x188 ForkInProgress : Ptr64 _ETHREAD +0x190 HardwareTrigger : Uint8B +0x198 PhysicalVadRoot : Ptr64 _MM_AVL_TABLE +0x1a0 CloneRoot : Ptr64 Void +0x1a8 NumberOfPrivatePages : Uint8B +0x1b0 NumberOfLockedPages : Uint8B +0x1b8 Win32Process : Ptr64 Void +0x1c0 Job : Ptr64 _EJOB +0x1c8 SectionObject : Ptr64 Void +0x1d0 SectionBaseAddress : Ptr64 Void +0x1d8 QuotaBlock : Ptr64 _EPROCESS_QUOTA_BLOCK +0x1e0 WorkingSetWatch : Ptr64 _PAGEFAULT_HISTORY +0x1e8 Win32WindowStation : Ptr64 Void +0x1f0 InheritedFromUniqueProcessId : Ptr64 Void +0x1f8 LdtInformation : Ptr64 Void +0x200 Spare : Ptr64 Void +0x208 VdmObjects : Ptr64 Void +0x210 DeviceMap : Ptr64 Void +0x218 EtwDataSource : Ptr64 Void +0x220 FreeTebHint : Ptr64 Void +0x228 PageDirectoryPte : _HARDWARE_PTE +0x228 Filler : Uint8B +0x230 Session : Ptr64 Void +0x238 ImageFileName : [16] UChar +0x248 JobLinks : _LIST_ENTRY +0x258 LockedPagesList : Ptr64 Void +0x260 ThreadListHead : _LIST_ENTRY +0x270 SecurityPort : Ptr64 Void +0x278 Wow64Process : Ptr64 Void +0x280 ActiveThreads : Uint4B +0x284 ImagePathHash : Uint4B +0x288 DefaultHardErrorProcessing : Uint4B +0x28c LastThreadExitStatus : Int4B +0x290 Peb : Ptr64 _PEB +0x298 PrefetchTrace : _EX_FAST_REF +0x2a0 ReadOperationCount : _LARGE_INTEGER +0x2a8 WriteOperationCount : _LARGE_INTEGER +0x2b0 OtherOperationCount : _LARGE_INTEGER +0x2b8 ReadTransferCount : _LARGE_INTEGER +0x2c0 WriteTransferCount : _LARGE_INTEGER +0x2c8 OtherTransferCount : _LARGE_INTEGER +0x2d0 CommitChargeLimit : Uint8B +0x2d8 CommitChargePeak : Uint8B +0x2e0 AweInfo : Ptr64 Void +0x2e8 SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO +0x2f0 Vm : _MMSUPPORT +0x358 MmProcessLinks : _LIST_ENTRY +0x368 ModifiedPageCount : Uint4B +0x36c Flags2 : Uint4B +0x36c JobNotReallyActive : Pos 0, 1 Bit +0x36c AccountingFolded : Pos 1, 1 Bit +0x36c NewProcessReported : Pos 2, 1 Bit +0x36c ExitProcessReported : Pos 3, 1 Bit +0x36c ReportCommitChanges : Pos 4, 1 Bit +0x36c LastReportMemory : Pos 5, 1 Bit +0x36c ReportPhysicalPageChanges : Pos 6, 1 Bit +0x36c HandleTableRundown : Pos 7, 1 Bit +0x36c NeedsHandleRundown : Pos 8, 1 Bit +0x36c RefTraceEnabled : Pos 9, 1 Bit +0x36c NumaAware : Pos 10, 1 Bit +0x36c ProtectedProcess : Pos 11, 1 Bit +0x36c DefaultPagePriority : Pos 12, 3 Bits +0x36c PrimaryTokenFrozen : Pos 15, 1 Bit +0x36c ProcessVerifierTarget : Pos 16, 1 Bit +0x36c StackRandomizationDisabled : Pos 17, 1 Bit +0x36c AffinityPermanent : Pos 18, 1 Bit +0x36c AffinityUpdateEnable : Pos 19, 1 Bit +0x36c CrossSessionCreate : Pos 20, 1 Bit +0x370 Flags : Uint4B +0x370 CreateReported : Pos 0, 1 Bit +0x370 NoDebugInherit : Pos 1, 1 Bit +0x370 ProcessExiting : Pos 2, 1 Bit +0x370 ProcessDelete : Pos 3, 1 Bit +0x370 Wow64SplitPages : Pos 4, 1 Bit +0x370 VmDeleted : Pos 5, 1 Bit +0x370 OutswapEnabled : Pos 6, 1 Bit +0x370 Outswapped : Pos 7, 1 Bit +0x370 ForkFailed : Pos 8, 1 Bit +0x370 Wow64VaSpace4Gb : Pos 9, 1 Bit +0x370 AddressSpaceInitialized : Pos 10, 2 Bits +0x370 SetTimerResolution : Pos 12, 1 Bit +0x370 BreakOnTermination : Pos 13, 1 Bit +0x370 DeprioritizeViews : Pos 14, 1 Bit +0x370 WriteWatch : Pos 15, 1 Bit +0x370 ProcessInSession : Pos 16, 1 Bit +0x370 OverrideAddressSpace : Pos 17, 1 Bit +0x370 HasAddressSpace : Pos 18, 1 Bit +0x370 LaunchPrefetched : Pos 19, 1 Bit +0x370 InjectInpageErrors : Pos 20, 1 Bit +0x370 VmTopDown : Pos 21, 1 Bit +0x370 ImageNotifyDone : Pos 22, 1 Bit +0x370 PdeUpdateNeeded : Pos 23, 1 Bit +0x370 VdmAllowed : Pos 24, 1 Bit +0x370 SmapAllowed : Pos 25, 1 Bit +0x370 ProcessInserted : Pos 26, 1 Bit +0x370 DefaultIoPriority : Pos 27, 3 Bits +0x370 ProcessSelfDelete : Pos 30, 1 Bit +0x370 SpareProcessFlags : Pos 31, 1 Bit +0x374 ExitStatus : Int4B +0x378 Spare7 : Uint2B +0x37a SubSystemMinorVersion : UChar +0x37b SubSystemMajorVersion : UChar +0x37a SubSystemVersion : Uint2B +0x37c PriorityClass : UChar +0x380 VadRoot : _MM_AVL_TABLE +0x3c0 Cookie : Uint4B +0x3c8 AlpcContext : _ALPC_PROCESS_CONTEXT

lkd> dt _KPROCESS ntdll!_KPROCESS +0x000 Header : _DISPATCHER_HEADER +0x018 ProfileListHead : _LIST_ENTRY +0x028 DirectoryTableBase : Uint8B +0x030 Unused0 : Uint8B +0x038 IopmOffset : Uint2B +0x040 ActiveProcessors : Uint8B +0x048 KernelTime : Uint4B +0x04c UserTime : Uint4B +0x050 ReadyListHead : _LIST_ENTRY +0x060 SwapListEntry : _SINGLE_LIST_ENTRY +0x068 InstrumentationCallback : Ptr64 Void +0x070 ThreadListHead : _LIST_ENTRY +0x080 ProcessLock : Uint8B +0x088 Affinity : Uint8B +0x090 AutoAlignment : Pos 0, 1 Bit +0x090 DisableBoost : Pos 1, 1 Bit +0x090 DisableQuantum : Pos 2, 1 Bit +0x090 ReservedFlags : Pos 3, 29 Bits +0x090 ProcessFlags : Int4B +0x094 BasePriority : Char +0x095 QuantumReset : Char +0x096 State : UChar +0x097 ThreadSeed : UChar +0x098 PowerState : UChar +0x099 IdealNode : UChar +0x09a Visited : UChar +0x09b Flags : _KEXECUTE_OPTIONS +0x09b ExecuteOptions : UChar +0x0a0 StackCount : Uint8B +0x0a8 ProcessListEntry : _LIST_ENTRY +0x0b8 CycleTime : Uint8B

Working set list, MMWSL (p. 340) - I guessed the structure name right:

lkd> dt _MMWSL nt!_MMWSL +0x000 FirstFree : Uint4B +0x004 FirstDynamic : Uint4B +0x008 LastEntry : Uint4B +0x00c NextSlot : Uint4B +0x010 Wsle : Ptr64 _MMWSLE +0x018 LowestPagableAddress : Ptr64 Void +0x020 LastInitializedWsle : Uint4B +0x024 NextEstimationSlot : Uint4B +0x028 NextAgingSlot : Uint4B +0x02c EstimatedAvailable : Uint4B +0x030 GrowthSinceLastEstimate : Uint4B +0x034 NumberOfCommittedPageTables : Uint4B +0x038 VadBitMapHint : Uint4B +0x03c NonDirectCount : Uint4B +0x040 LastVadBit : Uint4B +0x044 MaximumLastVadBit : Uint4B +0x048 LastAllocationSizeHint : Uint4B +0x04c LastAllocationSize : Uint4B +0x050 NonDirectHash : Ptr64 _MMWSLE_NONDIRECT_HASH +0x058 HashTableStart : Ptr64 _MMWSLE_HASH +0x060 HighestPermittedHashAddress : Ptr64 _MMWSLE_HASH +0x068 HighestUserAddress : Ptr64 Void +0x070 MaximumUserPageTablePages : Uint4B +0x074 MaximumUserPageDirectoryPages : Uint4B +0x078 CommittedPageTables : Ptr64 Uint4B +0x080 NumberOfCommittedPageDirectories : Uint4B +0x088 CommittedPageDirectories : [128] Uint8B +0x488 NumberOfCommittedPageDirectoryParents : Uint4B +0x490 CommittedPageDirectoryParents : [1] Uint8B

PEB (pp. 341 - 342) - here’s x64 PEB structure from W2K8:

lkd> dt _PEB ntdll!_PEB +0x000 InheritedAddressSpace : UChar +0x001 ReadImageFileExecOptions : UChar +0x002 BeingDebugged : UChar +0x003 BitField : UChar +0x003 ImageUsesLargePages : Pos 0, 1 Bit +0x003 IsProtectedProcess : Pos 1, 1 Bit +0x003 IsLegacyProcess : Pos 2, 1 Bit +0x003 IsImageDynamicallyRelocated : Pos 3, 1 Bit +0x003 SkipPatchingUser32Forwarders : Pos 4, 1 Bit +0x003 SpareBits : Pos 5, 3 Bits +0x008 Mutant : Ptr64 Void +0x010 ImageBaseAddress : Ptr64 Void +0x018 Ldr : Ptr64 _PEB_LDR_DATA +0x020 ProcessParameters : Ptr64 _RTL_USER_PROCESS_PARAMETERS +0x028 SubSystemData : Ptr64 Void +0x030 ProcessHeap : Ptr64 Void +0x038 FastPebLock : Ptr64 _RTL_CRITICAL_SECTION +0x040 AtlThunkSListPtr : Ptr64 Void +0x048 IFEOKey : Ptr64 Void +0x050 CrossProcessFlags : Uint4B +0x050 ProcessInJob : Pos 0, 1 Bit +0x050 ProcessInitializing : Pos 1, 1 Bit +0x050 ProcessUsingVEH : Pos 2, 1 Bit +0x050 ProcessUsingVCH : Pos 3, 1 Bit +0x050 ReservedBits0 : Pos 4, 28 Bits +0x058 KernelCallbackTable : Ptr64 Void +0x058 UserSharedInfoPtr : Ptr64 Void +0x060 SystemReserved : [1] Uint4B +0x064 SpareUlong : Uint4B +0x068 SparePebPtr0 : Uint8B +0x070 TlsExpansionCounter : Uint4B +0x078 TlsBitmap : Ptr64 Void +0x080 TlsBitmapBits : [2] Uint4B +0x088 ReadOnlySharedMemoryBase : Ptr64 Void +0x090 HotpatchInformation : Ptr64 Void +0x098 ReadOnlyStaticServerData : Ptr64 Ptr64 Void +0x0a0 AnsiCodePageData : Ptr64 Void +0x0a8 OemCodePageData : Ptr64 Void +0x0b0 UnicodeCaseTableData : Ptr64 Void +0x0b8 NumberOfProcessors : Uint4B +0x0bc NtGlobalFlag : Uint4B +0x0c0 CriticalSectionTimeout : _LARGE_INTEGER +0x0c8 HeapSegmentReserve : Uint8B +0x0d0 HeapSegmentCommit : Uint8B +0x0d8 HeapDeCommitTotalFreeThreshold : Uint8B +0x0e0 HeapDeCommitFreeBlockThreshold : Uint8B +0x0e8 NumberOfHeaps : Uint4B +0x0ec MaximumNumberOfHeaps : Uint4B +0x0f0 ProcessHeaps : Ptr64 Ptr64 Void +0x0f8 GdiSharedHandleTable : Ptr64 Void +0x100 ProcessStarterHelper : Ptr64 Void +0x108 GdiDCAttributeList : Uint4B +0x110 LoaderLock : Ptr64 _RTL_CRITICAL_SECTION +0x118 OSMajorVersion : Uint4B +0x11c OSMinorVersion : Uint4B +0x120 OSBuildNumber : Uint2B +0x122 OSCSDVersion : Uint2B +0x124 OSPlatformId : Uint4B +0x128 ImageSubsystem : Uint4B +0x12c ImageSubsystemMajorVersion : Uint4B +0x130 ImageSubsystemMinorVersion : Uint4B +0x138 ActiveProcessAffinityMask : Uint8B +0x140 GdiHandleBuffer : [60] Uint4B +0x230 PostProcessInitRoutine : Ptr64 void +0x238 TlsExpansionBitmap : Ptr64 Void +0x240 TlsExpansionBitmapBits : [32] Uint4B +0x2c0 SessionId : Uint4B +0x2c8 AppCompatFlags : _ULARGE_INTEGER +0x2d0 AppCompatFlagsUser : _ULARGE_INTEGER +0x2d8 pShimData : Ptr64 Void +0x2e0 AppCompatInfo : Ptr64 Void +0x2e8 CSDVersion : _UNICODE_STRING +0x2f8 ActivationContextData : Ptr64 _ACTIVATION_CONTEXT_DATA +0x300 ProcessAssemblyStorageMap : Ptr64 _ASSEMBLY_STORAGE_MAP +0x308 SystemDefaultActivationContextData : Ptr64 _ACTIVATION_CONTEXT_DATA +0x310 SystemAssemblyStorageMap : Ptr64 _ASSEMBLY_STORAGE_MAP +0x318 MinimumStackCommit : Uint8B +0x320 FlsCallback : Ptr64 _FLS_CALLBACK_INFO +0x328 FlsListHead : _LIST_ENTRY +0x338 FlsBitmap : Ptr64 Void +0x340 FlsBitmapBits : [4] Uint4B +0x350 FlsHighIndex : Uint4B +0x358 WerRegistrationData : Ptr64 Void +0x360 WerShipAssertPtr : Ptr64 Void

PEB and pointers to process heap (p. 340) - couldn’t find them after PEB on x86 and x64. Needs more clarification:

7: kd> !peb PEB at 7ffdb000 [...]

7: kd> dt _PEB ntdll!_PEB [...] +0x22c FlsHighIndex : Uint4B

7: kd> dd 7ffdb000 +0x22c +4 7ffdb230 00000000 00000000 00000000 00000000 7ffdb240 00000000 00000000 00000000 00000000 7ffdb250 00000000 00000000 00000000 00000000 7ffdb260 00000000 00000000 00000000 00000000 7ffdb270 00000000 00000000 00000000 00000000 7ffdb280 00000000 00000000 00000000 00000000 7ffdb290 00000000 00000000 00000000 00000000 7ffdb2a0 00000000 00000000 00000000 00000000

- Dmitry Vostokov @ SoftwareGeneralist.com -

Reading Notebook: 07-December-09

Dmitry Vostokov — Tue, 08 Dec 2009 10:21:04 +0000

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

WMI CIM Studio (pp. 321 - 322)

dynamic and static MOF classes (p. 323)

WbemTest, BMF (binary MOF), Mofcomp.exe (p. 323)

Object keys as WMI class instance specifiers (\\computer\root\namespace:class_name.Key1=”…”, Key2=”…”, … ) (pp. 324 - 325)

WMI association classes (p. 325)

WQL exampe (p. 327)

wmiprvse.exe as a WMI provider host (p. 327)

wmic.exe (p. 328)

Namespace level WMI secutiry (p. 329)

WDI, Windows Diagnostic Infrastructure and its instrumentation, DiagLog, SEM Scenario Event Mapper, on-demand diagnosis (pp. 329 - 330) - looks interesting, especially in the context of possible first fault software problem solving techniques (OpenTask has published a book on this topic: http://www.dumpanalysis.com/First+Fault+Software+Problem+Solving)

Advanced Windows Debugging by M. Hewardt and D. Pravat:

LRPC_CCALL(ADDRESS) vs. OSF_CCALL(ADDRESS) vs. DG_CCALL(ADDRESS) (pp. 389 - 390)

Undocumented MSRPC (p. 391) - there is an empirical technique to find LRPC server endpoint: http://www.dumpanalysis.org/blog/index.php/2008/07/11/in-search-of-lost-pid/

!lpc message (p. 393) - some additional scenarios can be found in patterns: http://www.dumpanalysis.org/blog/index.php/2008/12/17/crash-dump-analysis-patterns-part-42e/, http://www.dumpanalysis.org/blog/index.php/2007/11/29/crash-dump-analysis-patterns-part-9d/ and various case studies involving LPC chains: http://www.dumpanalysis.org/blog/index.php/pattern-cooperation/

_PS_IMPERSONATION_INFORMATION (p. 395) - Looks like on W2K8 x64 it is another bit union:

lkd> dt -r _ETHREAD […] +0×3b0 ClientSecurity : _PS_CLIENT_SECURITY_CONTEXT +0×000 ImpersonationData : Uint8B +0×000 ImpersonationToken : Ptr64 Void +0×000 ImpersonationLevel : Pos 0, 2 Bits +0×000 EffectiveOnly : Pos 2, 1 Bit

RPC cell debugging configuration (pp. 397 - 398)

Advanced .NET Debugging by M. Hewardt:

Lutz Roeder’s .NET Reflector (pp. 15 - 16)

Roberto Farah’s PowerDbg (pp. 17 -18)

MDA Managed Debugging Assistants (pp. 19 - 21) - looks similar to WDI (Windows Diagnostic Infrastructure) on-demand diagnostics for unmanaged code mentioned in Windows Internals book

CLI(+BCL) -> CLR (p. 24)

Rotor (p. 25) - looks like it has the same value as WINE for unmanaged code: http://www.dumpanalysis.org/blog/index.php/2006/11/16/how-wine-can-help-in-crash-dump-analysis/

- Dmitry Vostokov @ SoftwareGeneralist.com -

Reading Notebook: 25-November-09

Dmitry Vostokov — Wed, 25 Nov 2009 22:48:30 +0000

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

FailureActionsOnNonCrashFailures (p. 310)

WaitToKillApp(Service)Timeout (p. 311)

Shutdown ordering and preshutdown notification (pp. 312 - 313)

Shared services vulnerability to a crashing bug (p. 313) - Because an exception in one thread doesn’t affect another thread if there is no dependency (see MTCrash application, http://www.dumpanalysis.org/blog/index.php/2008/12/31/mtcrash/) if we preserve the crashed process, for example, using Crash2Hang tool (http://www.dumpanalysis.org/blog/index.php/2008/12/29/crash2hang/) we might temporarily preserve functionality of the remaining services (if there is no dependency)

CNG-KeyIso service (p. 313)

Viewing services inside processes (pp. 315 - 316) - We can also see them in Task Manager when we sort Processes by PID:

SubProcessTag (p. 316) - Here is an example from svchost.exe PID 1016 from the screenshot above:

lkd> !process 0n1016 1f Searching for Process with Cid == 3f8 Cid Handle table at fffff88008156000 with 1063 Entries in use PROCESS fffffa8004adec10 SessionId: 0 Cid: 03f8 Peb: 7fffffdd000 ParentCid: 0280 DirBase: add75000 ObjectTable: fffff88007f3c4d0 HandleCount: 436. Image: svchost.exe VadRoot fffffa80048b9220 Vads 153 Clone 0 Private 1630. Modified 1512. Locked 6. DeviceMap fffff8800802ef40 Token fffff880080aa060 ElapsedTime 5 Days 01:31:56.632 UserTime 00:00:05.257 KernelTime 00:00:04.555 QuotaPoolUsage[PagedPool] 132496 QuotaPoolUsage[NonPagedPool] 21488 Working Set Sizes (now,min,max) (3650, 50, 345) (14600KB, 200KB, 1380KB) PeakWorkingSetSize 3725 VirtualSize 78 Mb PeakVirtualSize 84 Mb PageFaultCount 38144 MemoryPriority BACKGROUND BasePriority 8 CommitCharge 3976

[...]

THREAD fffffa8004b55060 Cid 03f8.046c Teb: 000007fffff9e000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Alertable fffffa8004b54a80 NotificationEvent fffffa8004b52a50 SynchronizationEvent fffffa8004b55e00 NotificationEvent fffffa8004b55118 NotificationTimer Not impersonating DeviceMap fffff8800802ef40 Owning Process fffffa8004adec10 Image: svchost.exe Attached Process N/A Image: N/A Wait Start TickCount 28044441 Ticks: 4968 (0:00:01:17.501) Context Switch Count 3784 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address dhcpcsvc6!Dhcpv6Main (0×000007fefd726884) Stack Init fffffa6003c47db0 Current fffffa6003c47230 Base fffffa6003c48000 Limit fffffa6003c42000 Call 0 Priority 9 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5 Child-SP RetAddr Call Site fffffa60`03c47270 fffff800`018a46fa nt!KiSwapContext+0×7f fffffa60`03c473b0 fffff800`018a9feb nt!KiSwapThread+0×13a fffffa60`03c47420 fffff800`01b03a8e nt!KeWaitForMultipleObjects+0×2eb fffffa60`03c474a0 fffff800`01b040d3 nt!ObpWaitForMultipleObjects+0×26e fffffa60`03c47960 fffff800`018a1ef3 nt!NtWaitForMultipleObjects+0xe2 fffffa60`03c47bb0 00000000`776e72ca nt!KiSystemServiceCopyEnd+0×13 (TrapFrame @ fffffa60`03c47c20) 00000000`0272f5e8 00000000`7758bc03 ntdll!ZwWaitForMultipleObjects+0xa 00000000`0272f5f0 000007fe`fd726117 kernel32!WaitForMultipleObjectsEx+0×10b 00000000`0272f700 000007fe`fd726944 dhcpcsvc6!ProcessDhcpv6RequestForever+0×143 00000000`0272f7c0 00000000`7758be3d dhcpcsvc6!Dhcpv6Main+0xc0 00000000`0272f800 00000000`776c6a51 kernel32!BaseThreadInitThunk+0xd 00000000`0272f830 00000000`00000000 ntdll!RtlUserThreadStart+0×1d

[...]

lkd> dt _TEB 000007fffff9e000 SubProcessTag ntdll!_TEB +0x1720 SubProcessTag : 0x00000000`00000011

Advanced .NET Debugging by M. Hewardt:

Debugging Tools for Windows (pp. 3 -4) - Here are quick links for download: http://windbg.org

No major CLR changes for .NET 3.x (p. 5)

DbgClr (p. 6)

MSBUILD XML example (pp. 6 - 7)

.load vs. .loadby (pp. 8 - 11) - Some additional load scenarios for legacy SOS and its server version can be found in comments to Managed Code Exception pattern: http://www.dumpanalysis.org/blog/index.php/2007/07/20/crash-dump-analysis-patterns-part-17/

SOSEX (pp. 10 - 11) - Added to my blog roll and links on http://DumpAnalysis.org

CLR Profiler (pp. 11 - 13) - Looks similar to functionality of unmanaged UMDH tool (user mode heap stack trace database)

- Dmitry Vostokov @ SoftwareGeneralist.com -