Windows Internals covering Windows Server 2008 and Windows Vista - P12

Windows Internals covering Windows Server 2008 and Windows Vista - P12: In this chapter, we'll introduce the key Microsoft Windows operating system concepts and terms we'll be using throughout this book, such as the Windows API, processes, threads, virtual memory, kernel mode and user mode, objects, handles, security, and the registry.

You shouldn't see anything happen, and you should be able to click the Exit button to quit the application. However, you should still see the Notmyfault process in Task Manager or Process Explorer. Attempts to terminate the process will fail because Windows will wait forever for the IRP to complete, given that Myfault doesn't register a cancel routine. To debug an issue such as this, you can use WinDbg to look at what the thread is currently doing (or you could use Process Explorer's Stack view on the Threads tab). Open a local kernel debugger session and start by listing the information about the process with the !process command:

```
lkd> !process 0 7
PROCESS 86843ab0  SessionId: 1  Cid: 0594    Peb: 7ffd8000  ParentCid: 05c8
    DirBase: ce21f380  ObjectTable: 9cfb5070  HandleCount:  33.
    Image:
    VadRoot 86658138 Vads 44 Clone 0 Private 210. Modified 5. Locked 0.
    DeviceMap 987545a8
    ...
        THREAD 868139b8  Cid  Teb: 7ffde000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable
            86797c64  NotificationEvent
        IRP List:
            86a51228: (0006,0094) Flags: 00060000  Mdl: 00000000
        ChildEBP RetAddr  Args to Child
        88ae4b78 81cf23bf 868139b8 86813a40 00000000 nt!KiSwapContext+0x26
        88ae4bbc 81c8fcf8 868139b8 86797c08 86797c64 nt!KiSwapThread+0x44f
        88ae4c14 81e8a356 86797c64 00000000 00000000 nt!KeWaitForSingleObject+0x492
        88ae4c40 81e875a3 86a51228 86797c08 86a51228 nt!IopCancelAlertedRequest+0x6d
        88ae4c64 81e87cba 00000103 86797c08 00000000 nt!IopSynchronousServiceTail+0x267
        88ae4d00 81e7198e 86727920 86a51228 00000000 nt!IopXxxControlFile+0x6b7
        88ae4d34 81c92a7a 0000007c 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
        88ae4d34 77139a94 0000007c 00000000 00000000 nt!KiFastCallEntry+0x12a
        01d5fecc 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet
```

From the stack trace, you can see that the thread that initiated the I/O realized that the IRP had been cancelled. The frames also show why the process cannot be reaped: IopCancelAlertedRequest is blocked in KeWaitForSingleObject on the NotificationEvent (86797c64) that is signaled only when the pending IRP (86a51228) is completed, and because Myfault never registered a cancel routine there is no code path in the driver that will ever complete it.
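The following is an added example, not code from the book or from the Myfault driver: a user-mode C model of the IRP cancellation protocol that the experiment above exercises. The routine names (IoSetCancelRoutine, IoCancelIrp, IoCompleteRequest) mirror the real WDM routines but are simplified, single-threaded reimplementations, not the WDK API, and the two dispatch routines, the queue helpers and thread_can_exit are hypothetical names introduced here. It contrasts a driver that parks an IRP without a cancel routine (the behaviour the text attributes to Myfault) with the cancel-safe pattern, including the window in which cancellation arrives before the cancel routine is registered.

```c
/* Added example: user-mode model of WDM IRP cancellation (not the WDK API). */
#include <stdbool.h>
#include <stddef.h>

typedef long NTSTATUS;
#define STATUS_SUCCESS   0x00000000L
#define STATUS_PENDING   0x00000103L   /* the 00000103 argument in the stack above */
#define STATUS_CANCELLED 0xC0000120L

typedef struct _IRP IRP;
typedef void (*PDRIVER_CANCEL)(IRP *irp);

struct _IRP {
    bool           Cancel;        /* set by IoCancelIrp; drivers must test it */
    bool           Completed;     /* true once IoCompleteRequest has run */
    NTSTATUS       IoStatus;
    PDRIVER_CANCEL CancelRoutine; /* NULL unless the driver registered one */
    IRP           *NextPending;   /* link in the driver's own pending queue */
};

/* Model of IoSetCancelRoutine: an exchange of the routine pointer. The kernel
 * does this with InterlockedExchangePointer; this model is single-threaded. */
static PDRIVER_CANCEL IoSetCancelRoutine(IRP *irp, PDRIVER_CANCEL routine) {
    PDRIVER_CANCEL old = irp->CancelRoutine;
    irp->CancelRoutine = routine;
    return old;
}

static void IoCompleteRequest(IRP *irp, NTSTATUS status) {
    irp->IoStatus = status;
    irp->Completed = true;
}

/* Model of IoCancelIrp, which the I/O manager applies to every IRP still owned
 * by an exiting thread. Returns true if a driver cancel routine was invoked. */
static bool IoCancelIrp(IRP *irp) {
    irp->Cancel = true;
    PDRIVER_CANCEL routine = IoSetCancelRoutine(irp, NULL);
    if (routine == NULL)
        return false;   /* nothing to call: the IRP stays pending */
    routine(irp);
    return true;
}

/* ---- driver side (hypothetical driver, modelled here) ---- */
static IRP *g_pending = NULL;   /* the driver's pending-IRP list */

static void enqueue_pending(IRP *irp) {
    irp->NextPending = g_pending;
    g_pending = irp;
}

static void dequeue_pending(IRP *irp) {
    for (IRP **pp = &g_pending; *pp != NULL; pp = &(*pp)->NextPending) {
        if (*pp == irp) { *pp = irp->NextPending; break; }
    }
}

/* The cancel routine a well-behaved driver registers for a parked IRP. */
static void CancelParkedIrp(IRP *irp) {
    dequeue_pending(irp);
    IoCompleteRequest(irp, STATUS_CANCELLED);
}

/* Myfault-style behaviour: park the IRP and never register a cancel routine. */
static NTSTATUS DispatchParkNoCancel(IRP *irp) {
    enqueue_pending(irp);
    return STATUS_PENDING;
}

/* Cancel-safe version: register the routine, then close the window in which
 * IoCancelIrp ran first (Cancel already set and the exchange hands back our
 * own routine, so nobody else is going to complete this IRP). */
static NTSTATUS DispatchParkCancelSafe(IRP *irp) {
    enqueue_pending(irp);
    IoSetCancelRoutine(irp, CancelParkedIrp);
    if (irp->Cancel && IoSetCancelRoutine(irp, NULL) != NULL) {
        dequeue_pending(irp);
        IoCompleteRequest(irp, STATUS_CANCELLED);
    }
    return STATUS_PENDING;
}

/* What the exiting thread does in IopCancelAlertedRequest: cancel the IRP and
 * wait for its completion. Returns whether that wait would ever be satisfied.
 * cancel_first simulates cancellation racing ahead of the dispatch routine. */
static bool thread_can_exit(NTSTATUS (*dispatch)(IRP *), bool cancel_first) {
    IRP irp = {0};
    g_pending = NULL;
    if (cancel_first)
        IoCancelIrp(&irp);
    dispatch(&irp);
    if (!cancel_first)
        IoCancelIrp(&irp);
    return irp.Completed && irp.IoStatus == STATUS_CANCELLED;
}
```

With DispatchParkNoCancel, thread_can_exit returns false in both orderings: IoCancelIrp finds no routine to call, the IRP remains on the driver's list, and the event the thread waits on is never signaled, which is the state the stack trace above captures. With DispatchParkCancelSafe it returns true in both orderings, because either the cancel routine completes the IRP or the dispatch routine detects the already-set Cancel flag and completes it itself.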
