news 2026/4/18 15:52:01

Analysis of nt!KiFindReadyThread as called from nt!KiSwapThread

Author: 张小明 (front-end developer)
0: kd> g
Breakpoint 13 hit
eax=ffdff120 ebx=f7737120 ecx=00000001 edx=ffdff120 esi=00000000 edi=80a059f8
eip=80a429d8 esp=b9ebf940 ebp=b9ebf974 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000206
nt!KiFindReadyThread:
80a429d8 55 push ebp
1: kd> kc
#
00 nt!KiFindReadyThread
01 nt!KiSwapThread
02 nt!KeWaitForMultipleObjects
03 nt!NtWaitForMultipleObjects
04 nt!_KiSystemService
05 SharedUserData!SystemCallStub
06 ntdll!ZwWaitForMultipleObjects
07 kernel32!WaitForMultipleObjectsEx
08 kernel32!WaitForMultipleObjects
09 srvsvc!SsScavengerThread
*** WARNING: symbols timestamp is wrong 0x66e5c17d 0x66e5bf0e for HelpSvc.exe
0a srvsvc!ServiceMain
0b HelpSvc!ServiceStarter
0c advapi32!ScSvcctrlThreadA
0d kernel32!BaseThreadStart


1: kd> kv
# ChildEBP RetAddr Args to Child
00 b9ebf93c 80a43dd9 f7737120 895f7228 895f7288 nt!KiFindReadyThread (FPO: [Non-Fpo]) (CONV: fastcall) [d:\srv03rtm\base\ntos\ke\thredsup.c @ 722]
01 b9ebf974 80a358c7 895f7228 00000000 00000005 nt!KiSwapThread+0x315 (FPO: [Non-Fpo]) (CONV: fastcall) [d:\srv03rtm\base\ntos\ke\thredsup.c @ 1854]
02 b9ebf9ac 80d1f5d4 00000005 b9ebfbe0 00000001 nt!KeWaitForMultipleObjects+0x3b5 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\ke\wait.c @ 816]
03 b9ebfd3c 80afbcb2 00000005 0193fe10 00000001 nt!NtWaitForMultipleObjects+0x354 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\ob\obwait.c @ 747]
04 b9ebfd3c 7ffe0304 00000005 0193fe10 00000001 nt!_KiSystemService+0x13f (FPO: [0,3] TrapFrame @ b9ebfd64) (CONV: cdecl) [d:\srv03rtm\base\ntos\ke\i386\trap.asm @ 1328]
05 0193fdc0 77f2fbb8 77e64294 00000005 0193fe10 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])
06 0193fdc4 77e64294 00000005 0193fe10 00000001 ntdll!ZwWaitForMultipleObjects+0xc (FPO: [5,0,0]) [d:\srv03rtm\base\ntdll\daytona\obj\i386\usrstubs.asm @ 2363]
07 0193fe6c 77e64849 00000005 0193fec4 00000000 kernel32!WaitForMultipleObjectsEx+0x11a (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\win32\client\synch.c @ 1512]
08 0193fe88 745d9854 00000005 0193fec4 00000000 kernel32!WaitForMultipleObjects+0x16 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\win32\client\synch.c @ 1377]
09 0193ff04 745dd168 00000000 77e662fd 77e5e963 srvsvc!SsScavengerThread+0x2af (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\ds\netapi\svcdlls\srvsvc\server\scavengr.c @ 568]
0a 0193ff6c 01002ed6 00000000 000ccd70 00000000 srvsvc!ServiceMain+0x2d9 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\ds\netapi\svcdlls\srvsvc\server\srvmain.c @ 400]
0b 0193ffa4 77dc0bd4 00000001 000ccd70 00000000 HelpSvc!ServiceStarter+0x132 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\screg\sc\svchost\svchost.c @ 1049]
0c 0193ffb8 77e41be7 000ccd68 00000000 00000000 advapi32!ScSvcctrlThreadA+0x10 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\screg\sc\client\scapi.cxx @ 2760]
0d 0193ffec 00000000 77dc0bc4 000ccd68 00000000 kernel32!BaseThreadStart+0x34 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\win32\client\support.c @ 533]
1: kd> u 80a43dd9
nt!KiSwapThread+0x315 [d:\srv03rtm\base\ntos\ke\thredsup.c @ 1854]:
80a43dd9 8bf0 mov esi,eax
80a43ddb 85f6 test esi,esi
80a43ddd 0f8544010000 jne nt!KiSwapThread+0x463 (80a43f27)
80a43de3 ff150831a080 call dword ptr [nt!_imp__KeGetCurrentIrql (80a03108)]
80a43de9 33f6 xor esi,esi
80a43deb 3c02 cmp al,2
80a43ded 7311 jae nt!KiSwapThread+0x33c (80a43e00)
80a43def 56 push esi
1: kd> u 80a43dd9-12
nt!KiSwapThread+0x303 [d:\srv03rtm\base\ntos\ke\thredsup.c @ 1854]:
80a43dc7 39b028090000 cmp dword ptr [eax+928h],esi
80a43dcd 7414 je nt!KiSwapThread+0x31f (80a43de3)
80a43dcf 8b4de0 mov ecx,dword ptr [ebp-20h]
80a43dd2 8bd0 mov edx,eax
80a43dd4 e8ffebffff call nt!KiFindReadyThread (80a429d8)
80a43dd9 8bf0 mov esi,eax
80a43ddb 85f6 test esi,esi
80a43ddd 0f8544010000 jne nt!KiSwapThread+0x463 (80a43f27)

1: kd> dt nt!_KPRCB 0xffdff120
+0x000 MinorVersion : 1
+0x002 MajorVersion : 1
+0x004 CurrentThread : 0x80b200c0 _KTHREAD
+0x008 NextThread : 0x89dc62a0 _KTHREAD
+0x00c IdleThread : 0x80b200c0 _KTHREAD
+0x010 Number : 0 ''
+0x011 Reserved : 0 ''
+0x012 BuildType : 1
+0x014 SetMember : 1
+0x018 CpuType : 6 ''
+0x019 CpuID : 1 ''
+0x01a CpuStep : 0xe03
+0x01c ProcessorState : _KPROCESSOR_STATE
+0x33c KernelReserved : [16] 0
+0x37c HalReserved : [16] 0
+0x3bc PrcbPad0 : [92] ""
+0x418 LockQueue : [16] _KSPIN_LOCK_QUEUE
+0x498 PrcbPad1 : [8] ""
+0x4a0 NpxThread : (null)
+0x4a4 InterruptCount : 0x56943a
+0x4a8 KernelTime : 0x4e1579
+0x4ac UserTime : 0xee
+0x4b0 DpcTime : 0x57
+0x4b4 DebugDpcTime : 0
+0x4b8 InterruptTime : 0x5fa
+0x4bc AdjustDpcThreshold : 3
+0x4c0 PageColor : 0x116df
+0x4c4 SkipTick : 0x1 ''
+0x4c5 DebuggerSavedIRQL : 0x6 ''
+0x4c6 Spare1 : [6] ""
+0x4cc ParentNode : 0x80b20640 _KNODE
+0x4d0 MultiThreadProcessorSet : 3
+0x4d4 MultiThreadSetMaster : 0xffdff120 _KPRCB
+0x4d8 ThreadStartCount : [2] 0
+0x4e0 CcFastReadNoWait : 0
+0x4e4 CcFastReadWait : 0xaf6
+0x4e8 CcFastReadNotPossible : 0
+0x4ec CcCopyReadNoWait : 0xa3
+0x4f0 CcCopyReadWait : 0xc7c
+0x4f4 CcCopyReadNoWaitMiss : 3
+0x4f8 KeAlignmentFixupCount : 0
+0x4fc SpareCounter0 : 0
+0x500 KeDcacheFlushCount : 0
+0x504 KeExceptionDispatchCount : 0x2a8
+0x508 KeFirstLevelTbFills : 0
+0x50c KeFloatingEmulationCount : 0
+0x510 KeIcacheFlushCount : 0
+0x514 KeSecondLevelTbFills : 0
+0x518 KeSystemCalls : 0x21a053
+0x51c SpareCounter1 : 0
+0x520 PPLookasideList : [16] _PP_LOOKASIDE_LIST
+0x5a0 PPNPagedLookasideList : [32] _PP_LOOKASIDE_LIST
+0x6a0 PPPagedLookasideList : [32] _PP_LOOKASIDE_LIST
+0x7a0 PacketBarrier : 0
+0x7a4 ReverseStall : 0xd4
+0x7a8 IpiFrame : 0xf790ec14 Void
+0x7ac PrcbPad2 : [52] ""
+0x7e0 CurrentPacket : [3] (null)
+0x7ec TargetSet : 0
+0x7f0 WorkerRoutine : 0x80a3610e void nt!KiFlushTargetMultipleTb+0
+0x7f4 IpiFrozen : 2
+0x7f8 PrcbPad3 : [40] ""
+0x820 RequestSummary : 0
+0x824 SignalDone : (null)
+0x828 PrcbPad4 : [56] ""
+0x860 DpcData : [2] _KDPC_DATA
+0x888 DpcStack : 0xf789f000 Void
+0x88c MaximumDpcQueueDepth : 4
+0x890 DpcRequestRate : 0
+0x894 MinimumDpcRate : 3
+0x898 DpcInterruptRequested : 0 ''
+0x899 DpcThreadRequested : 0 ''
+0x89a DpcRoutineActive : 0x1 ''
+0x89b DpcThreadActive : 0 ''
+0x89c PrcbLock : 1
+0x8a0 DpcLastCount : 0x4526d
+0x8a4 TimerHand : 0x10ace04e
+0x8a8 TimerRequest : 0
+0x8ac DpcThread : (null)
+0x8b0 DpcEvent : _KEVENT
+0x8c0 ThreadDpcEnable : 0 ''
+0x8c1 QuantumEnd : 0 ''
+0x8c2 PrcbPad50 : 0 ''
+0x8c3 IdleSchedule : 0 ''
+0x8c4 DpcSetEventRequest : 0n0
+0x8c8 PrcbPad5 : [22] ""
+0x8e0 CallDpc : _KDPC
+0x900 PrcbPad7 : [8] 0
+0x920 WaitListHead : _LIST_ENTRY [ 0x89623cd0 - 0x89626350 ]
+0x928 ReadySummary : 0x2000
+0x92c SelectNextLast : 0
+0x930 DispatcherReadyListHead : [32] _LIST_ENTRY [ 0xffdffa50 - 0xffdffa50 ]
+0xa30 DeferredReadyListHead : _SINGLE_LIST_ENTRY


+0x928 ReadySummary : 0x2000

0x2000 = 10 0000 0000 0000 in binary: only bit 13 is set. ReadySummary has one bit per priority level, so the only non-empty ready list on this PRCB is DispatcherReadyListHead[13], the priority 13 queue. KiFindReadyThread reads this field at +0x928 (mov edi,dword ptr [ebx+928h] in the disassembly below).

1: kd> dx -id 0,0,ffffffff89629788 -r1 (*((ntkrnlmp!_LIST_ENTRY *)0xffffffffffdffab8))
(*((ntkrnlmp!_LIST_ENTRY *)0xffffffffffdffab8)) [Type: _LIST_ENTRY]
[+0x000] Flink : 0x89697080 [Type: _LIST_ENTRY *]
[+0x004] Blink : 0x89dd0e00 [Type: _LIST_ENTRY *]
1: kd> dx -id 0,0,ffffffff89629788 -r1 ((ntkrnlmp!_LIST_ENTRY *)0x89697080)
((ntkrnlmp!_LIST_ENTRY *)0x89697080) : 0x89697080 [Type: _LIST_ENTRY *]
[+0x000] Flink : 0x89dd0e00 [Type: _LIST_ENTRY *]
[+0x004] Blink : 0xffdffab8 [Type: _LIST_ENTRY *]


1: kd> dt kthread 0x89697080-60
ntdll!KTHREAD
+0x000 Header : _DISPATCHER_HEADER
+0x010 MutantListHead : _LIST_ENTRY [ 0x89697030 - 0x89697030 ]
+0x018 InitialStack : 0xbaabd000 Void
+0x01c StackLimit : 0xbaaba000 Void
+0x020 KernelStack : 0xbaabca18 Void
+0x024 ThreadLock : 0
+0x028 ContextSwitches : 0x14ac80
+0x02c State : 0x1 ''

1: kd> dt kthread 0x89dd0e00-60
ntdll!KTHREAD
+0x000 Header : _DISPATCHER_HEADER
+0x010 MutantListHead : _LIST_ENTRY [ 0x89dd0db0 - 0x89dd0db0 ]
+0x018 InitialStack : 0xf78d7000 Void
+0x01c StackLimit : 0xf78d4000 Void
+0x020 KernelStack : 0xf78d6cf8 Void
+0x024 ThreadLock : 0
+0x028 ContextSwitches : 0x8651
+0x02c State : 0x1 ''

ListHead = &Prcb->DispatcherReadyListHead[HighPriority];
NextEntry = ListHead->Flink;

1: kd> r
eax=ffdff120 ebx=ffdff120 ecx=00000001 edx=ffdff120 esi=00000000 edi=80a059f8
eip=80a429e3 esp=b9ebf918 ebp=b9ebf93c iopl=0 nv up ei ng nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000286
nt!KiFindReadyThread+0xb:
80a429e3 8bbb28090000 mov edi,dword ptr [ebx+928h] ds:0023:ffdffa48=00002000


1: kd> x nt!KiProcessorBlock
80b20680 nt!KiProcessorBlock = struct _KPRCB *[]
80b20680 nt!KiProcessorBlock = struct _KPRCB *[32]
80b20680 nt!KiProcessorBlock = struct _KPRCB *[]
1: kd> dx -id 0,0,ffffffff89629788 -r1 (*((ntkrnlmp!_KPRCB * (*)[32])0xffffffff80b20680))
(*((ntkrnlmp!_KPRCB * (*)[32])0xffffffff80b20680)) [Type: _KPRCB * [32]]
[0] : 0xffdff120 [Type: _KPRCB *]
[1] : 0xf7737120 [Type: _KPRCB *]
[2] : 0x0 [Type: _KPRCB *]
[3] : 0x0 [Type: _KPRCB *]

LONG_PTR
FASTCALL
KiSwapThread (
    IN PKTHREAD OldThread,
    IN PKPRCB CurrentPrcb
    )
{
    /* ... (excerpt: declarations and the code before the search loop are not reproduced here) ... */

    do {
        TargetPrcb = KiProcessorBlock[Index];

        if ((TargetPrcb->ReadySummary != 0) &&
            (NewThread = KiFindReadyThread(Processor,
                                           TargetPrcb)) != NULL) {

            /* ... (loop exit, omitted in the excerpt; it is the jne to KiSwapThread+0x463 after the call in the disassembly above) ... */
            break;
        }

        Index -= 1;
        if (Index < 0) {
            Index = Limit;
        }

        Number -= 1;
    } while (Number >= 0);

    /* ... */
}

1: kd> !pcr
KPCR for Processor 1 at f7737000:
Major 1 Minor 1
NtTib.ExceptionList: b9ebf230
NtTib.StackBase: 00000000
NtTib.StackLimit: 00000000
NtTib.SubSystemTib: f7737ef0
NtTib.Version: 0021f307
NtTib.UserPointer: 00000002
NtTib.SelfTib: 7ffa0000

SelfPcr: f7737000
Prcb: f7737120
Irql: 00000000
IRR: 00000000
IDR: ffffffff
InterruptMode: 00000000
IDT: f773d6e0
GDT: f773d2e0
TSS: f7737ef0

CurrentThread: 895f7228
NextThread: 00000000
IdleThread: f7739fa0

DpcQueue:
1: kd> !pcr 0
KPCR for Processor 0 at ffdff000:
Major 1 Minor 1
NtTib.ExceptionList: ffffffff
NtTib.StackBase: 00000000
NtTib.StackLimit: 00000000
NtTib.SubSystemTib: 80042000
NtTib.Version: 0039913a
NtTib.UserPointer: 00000001
NtTib.SelfTib: 00000000

SelfPcr: ffdff000
Prcb: ffdff120
Irql: 00000000
IRR: 00000000
IDR: ffffffff
InterruptMode: 00000000
IDT: 8003f400
GDT: 8003f000
TSS: 80042000

CurrentThread: 80b200c0
NextThread: 89dc62a0
IdleThread: 80b200c0

DpcQueue:


1: kd> dt kthread 0x89697080-60
ntdll!KTHREAD
+0x000 Header : _DISPATCHER_HEADER
+0x010 MutantListHead : _LIST_ENTRY [ 0x89697030 - 0x89697030 ]
+0x018 InitialStack : 0xbaabd000 Void
+0x01c StackLimit : 0xbaaba000 Void
+0x020 KernelStack : 0xbaabca18 Void
+0x024 ThreadLock : 0
+0x028 ContextSwitches : 0x14ac80
+0x02c State : 0x1 ''
+0x02d NpxState : 0xa ''
+0x02e WaitIrql : 0 ''
+0x02f WaitMode : 0 ''
+0x030 Teb : 0x7ffd9000 Void
+0x034 ApcState : _KAPC_STATE
+0x04c ApcQueueLock : 0
+0x050 WaitStatus : 0n2
+0x054 WaitBlockList : 0x896922a8 _KWAIT_BLOCK
+0x058 Alertable : 0x1 ''
+0x059 WaitNext : 0 ''
+0x05a WaitReason : 0xd ''
+0x05b Priority : 13 ''
+0x05c EnableStackSwap : 0x1 ''
+0x05d SwapBusy : 0 ''
+0x05e Alerted : [2] ""
+0x060 WaitListEntry : _LIST_ENTRY [ 0x89dd0e00 - 0xffdffab8 ]
+0x060 SwapListEntry : _SINGLE_LIST_ENTRY
+0x068 Queue : (null)
+0x06c WaitTime : 0x10ace04e
+0x070 KernelApcDisable : 0n0
+0x072 SpecialApcDisable : 0n0
+0x070 CombinedApcDisable : 0
+0x078 Timer : _KTIMER
+0x0a0 WaitBlock : [4] _KWAIT_BLOCK
+0x100 QueueListEntry : _LIST_ENTRY [ 0x0 - 0x0 ]
+0x108 ApcStateIndex : 0 ''
+0x109 ApcQueueable : 0x1 ''
+0x10a Preempted : 0 ''
+0x10b ProcessReadyQueue : 0 ''
+0x10c KernelStackResident : 0x1 ''
+0x10d Saturation : 0 ''
+0x10e IdealProcessor : 0 ''
+0x10f NextProcessor : 0 ''
+0x110 BasePriority : 13 ''
+0x111 Spare4 : 0 ''
+0x112 PriorityDecrement : 0 ''
+0x113 Quantum : 34 '"'
+0x114 SystemAffinityActive : 0 ''
+0x115 PreviousMode : 1 ''
+0x116 ResourceIndex : 0 ''
+0x117 DisableBoost : 0 ''
+0x118 UserAffinity : 3
+0x11c Process : 0x896a1248 _KPROCESS
+0x120 Affinity : 3
+0x124 ServiceTable : 0x80b207a0 Void
+0x128 ApcStatePointer : [2] 0x89697054 _KAPC_STATE
+0x130 SavedApcState : _KAPC_STATE
+0x148 CallbackStack : (null)
+0x14c Win32Thread : 0xe165b908 Void
+0x150 TrapFrame : 0xbaabcd64 _KTRAP_FRAME
+0x154 KernelTime : 0x15
+0x158 UserTime : 0
+0x15c StackBase : 0xbaabd000 Void
+0x160 SuspendApc : _KAPC
+0x190 SuspendSemaphore : _KSEMAPHORE
+0x1a4 TlsArray : (null)
+0x1a8 LegoData : (null)
+0x1ac ThreadListEntry : _LIST_ENTRY [ 0x8969cf4c - 0x899b49ec ]
+0x1b4 LargeStack : 0x1 ''
+0x1b5 PowerState : 0 ''
+0x1b6 NpxIrql : 0 ''
+0x1b7 Spare5 : 0 ''
+0x1b8 AutoAlignment : 0 ''
+0x1b9 Iopl : 0 ''
+0x1ba FreezeCount : 0 ''
+0x1bb SuspendCount : 0 ''
+0x1bc Spare0 : [1] ""
+0x1bd UserIdealProcessor : 0 ''
+0x1be DeferredProcessor : 0x1 ''
+0x1bf AdjustReason : 0 ''
+0x1c0 AdjustIncrement : 0 ''
+0x1c1 Spare2 : [3] ""
1: kd> dx -id 0,0,ffffffff89629788 -r1 (*((ntdll!_LIST_ENTRY *)0xffffffff89697080))
(*((ntdll!_LIST_ENTRY *)0xffffffff89697080)) [Type: _LIST_ENTRY]
[+0x000] Flink : 0x89dd0e00 [Type: _LIST_ENTRY *]
[+0x004] Blink : 0xffdffab8 [Type: _LIST_ENTRY *]


if (RemoveEntryList(&Thread->WaitListEntry) != FALSE) {
Prcb->ReadySummary ^= PRIORITY_MASK(HighPriority);
}
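The three excerpts above (ReadySummary 0x2000 meaning "priority 13 list is non-empty", the KiSwapThread search loop over KiProcessorBlock[], and the RemoveEntryList/ReadySummary update) fit together as follows. This is an added user-mode C model written for this page, not code from the page or from the Windows kernel: the structures keep the field names seen in the dumps, but the Id field, the two-processor layout, the three threads and their affinities are constructed, and KiFindReadyThread's selection policy is reduced to "highest priority whose affinity allows this processor" (the real routine also considers IdealProcessor, NextProcessor and SelectNextLast).

```c
#include <stddef.h>
#include <stdint.h>

#define MAX_PRIORITY   32
#define MAX_PROCESSORS 2
#define PRIORITY_MASK(p) (1u << (p))
#define CONTAINING_RECORD(a, type, field) ((type *)((char *)(a) - offsetof(type, field)))

typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;
typedef struct _KTHREAD {      /* offsets refer to the dt kthread dump above */
    int        Id;             /* stand-in for the KTHREAD address (assumption) */
    int        Priority;       /* +0x05b Priority */
    uint32_t   Affinity;       /* +0x120 Affinity: bit n set = may run on CPU n */
    LIST_ENTRY WaitListEntry;  /* +0x060, linked into DispatcherReadyListHead[Priority] */
} KTHREAD;

typedef struct _KPRCB {
    uint32_t   ReadySummary;                          /* +0x928: bit p set = list p non-empty */
    LIST_ENTRY DispatcherReadyListHead[MAX_PRIORITY]; /* +0x930 */
} KPRCB;

static KPRCB  Prcbs[MAX_PROCESSORS];
static KPRCB *KiProcessorBlock[MAX_PROCESSORS];
static int    KeNumberProcessors = MAX_PROCESSORS;

static void InitializeListHead(LIST_ENTRY *h) { h->Flink = h->Blink = h; }
static void InsertTailList(LIST_ENTRY *head, LIST_ENTRY *e)
{   e->Flink = head; e->Blink = head->Blink; head->Blink->Flink = e; head->Blink = e; }
static int RemoveEntryList(LIST_ENTRY *e)   /* kernel semantics: nonzero if the list is now empty */
{   LIST_ENTRY *f = e->Flink, *b = e->Blink; b->Flink = f; f->Blink = b; return f == b; }
static int KeFindFirstSetLeftMember(uint32_t mask)   /* highest set bit: 0x2000 -> 13 */
{   int i = 31; while (!(mask & (1u << i))) i--; return i; }

/* Simplified KiFindReadyThread(Processor, TargetPrcb): from the highest set bit
 * downward, take the first queued thread whose affinity allows Processor. The
 * real routine also weighs IdealProcessor/NextProcessor and SelectNextLast. */
static KTHREAD *KiFindReadyThread(int Processor, KPRCB *Prcb)
{
    for (uint32_t summary = Prcb->ReadySummary; summary != 0;) {
        int HighPriority = KeFindFirstSetLeftMember(summary);
        LIST_ENTRY *ListHead = &Prcb->DispatcherReadyListHead[HighPriority];
        for (LIST_ENTRY *e = ListHead->Flink; e != ListHead; e = e->Flink) {
            KTHREAD *Thread = CONTAINING_RECORD(e, KTHREAD, WaitListEntry);
            if (!(Thread->Affinity & (1u << Processor))) continue;
            /* Clear the priority bit only if this list just became empty. */
            if (RemoveEntryList(&Thread->WaitListEntry) != 0)
                Prcb->ReadySummary ^= PRIORITY_MASK(HighPriority);
            return Thread;
        }
        summary &= ~PRIORITY_MASK(HighPriority);  /* nothing eligible here, go lower */
    }
    return NULL;
}

/* The KiSwapThread search loop: start at the caller's own PRCB and walk
 * KiProcessorBlock[] downward with wrap-around, visiting each PRCB once. */
static KTHREAD *KiSearchReadyThread(int Processor)
{
    int Limit = KeNumberProcessors - 1, Index = Processor, Number = Limit;
    do {
        KPRCB *TargetPrcb = KiProcessorBlock[Index];
        KTHREAD *NewThread;
        if (TargetPrcb->ReadySummary != 0 &&
            (NewThread = KiFindReadyThread(Processor, TargetPrcb)) != NULL)
            return NewThread;
        Index -= 1;
        if (Index < 0) Index = Limit;
        Number -= 1;
    } while (Number >= 0);
    return NULL;
}

/* Constructed scenario: CPU 0's PRCB holds two priority-13 threads (ReadySummary 0x2000,
 * as in the dump); CPU 1's holds one priority-8 thread bound to CPU 0 only, so CPU 1 has to
 * take its work from CPU 0's PRCB, as at the breakpoint above (ecx=1, edx=ffdff120). */
static KTHREAD Threads[3] = { {1, 13, 0x3, {0, 0}}, {2, 13, 0x3, {0, 0}}, {3, 8, 0x1, {0, 0}} };

static void DemoSetup(void)   /* builds the scenario once */
{
    static int done;
    if (done++) return;
    for (int n = 0; n < MAX_PROCESSORS; n++) {
        KiProcessorBlock[n] = &Prcbs[n];
        for (int p = 0; p < MAX_PRIORITY; p++)
            InitializeListHead(&Prcbs[n].DispatcherReadyListHead[p]);
    }
    for (int i = 0; i < 3; i++) {   /* what KiReadyThread does: queue the thread, set its bit */
        KPRCB *prcb = &Prcbs[i == 2 ? 1 : 0];
        InsertTailList(&prcb->DispatcherReadyListHead[Threads[i].Priority], &Threads[i].WaitListEntry);
        prcb->ReadySummary |= PRIORITY_MASK(Threads[i].Priority);
    }
}

static uint32_t DemoSummary(int cpu) { DemoSetup(); return KiProcessorBlock[cpu]->ReadySummary; }

static int DemoPick(int Processor)   /* id of the thread CPU Processor switches to, 0 if none */
{   DemoSetup(); KTHREAD *t = KiSearchReadyThread(Processor); return t ? t->Id : 0; }
```

DemoPick(1) called twice returns the two priority-13 threads; CPU 0's ReadySummary stays 0x2000 after the first removal and drops to 0 after the second, the same sequence the list-head dumps on this page show. DemoPick(0) then finds the remaining thread on CPU 1's PRCB only after Index wraps from -1 back to Limit, which is the round-robin part of the KiSwapThread loop.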


1: kd> !pcr 0
KPCR for Processor 0 at ffdff000:


1: kd> dx -id 0,0,ffffffff89629788 -r1 ((ntkrnlmp!_KPRCB *)0xffdff120)
((ntkrnlmp!_KPRCB *)0xffdff120) : 0xffdff120 [Type: _KPRCB *]
[+0x000] MinorVersion : 0x1 [Type: unsigned short]


[+0x928] ReadySummary : 0x2000 [Type: unsigned long]
[+0x92c] SelectNextLast : 0x0 [Type: unsigned long]
[+0x930] DispatcherReadyListHead [Type: _LIST_ENTRY [32]]


[13] [Type: _LIST_ENTRY]

1: kd> dx -id 0,0,ffffffff89629788 -r1 (*((ntkrnlmp!_LIST_ENTRY *)0xffffffffffdffab8))
(*((ntkrnlmp!_LIST_ENTRY *)0xffffffffffdffab8)) [Type: _LIST_ENTRY]
[+0x000] Flink : 0x89dd0e00 [Type: _LIST_ENTRY *]
[+0x004] Blink : 0x89dd0e00 [Type: _LIST_ENTRY *]


ReadySummary is still 0x2000 (0010 0000 0000 0000) after the removal: RemoveEntryList returned FALSE because the priority 13 list still holds 0x89dd0e00 (Flink and Blink of the list head both point to it now), so the bit is not toggled.


[+0x928] ReadySummary : 0x2000 [Type: unsigned long]
[+0x92c] SelectNextLast : 0x0 [Type: unsigned long]

Part 2:

1: kd> x win32k!apobjects
WARNING: Match string has trailing space
1: kd> x win32k!apobjects
bfa6ed8c win32k!apObjects = 0x89692618
1: kd> dd 0x89692618
89692618 89919da8 89bb0db8 89699498 89bdf258
89692628 80bf4220 89a2f948 89be0e60 00000000
89692638 1a140007 20707249 00940006 00000000
89692648 00000900 00000000 89692650 89692650
89692658 00000000 00000000 01010001 04000000
89692668 0006fc74 00000000 00000000 00000000
89692678 baa3d0c6 0006fd78 00000000 00000000
89692688 e1744b60 89669658 8963a410 00000000
1: kd> dt ktimer 89699498
winsrv!KTIMER
+0x000 Header : _DISPATCHER_HEADER
+0x010 DueTime : _ULARGE_INTEGER 0x000027c1`cb40e840
+0x018 TimerListEntry : _LIST_ENTRY [ 0x0 - 0x0 ]
+0x020 Dpc : (null)
+0x024 Period : 0n0
1: kd> dx -id 0,0,ffffffff89629788 -r1 (*((winsrv!_DISPATCHER_HEADER *)0xffffffff89699498))
(*((winsrv!_DISPATCHER_HEADER *)0xffffffff89699498)) [Type: _DISPATCHER_HEADER]
[+0x000] Type : 0x8 [Type: unsigned char]
[+0x001] Absolute : 0x0 [Type: unsigned char]
[+0x002] Size : 0xa [Type: unsigned char]
[+0x003] Inserted : 0x0 [Type: unsigned char]
[+0x003] DebugActive : 0x0 [Type: unsigned char]
[+0x000] Lock : 655368 [Type: long]
[+0x004] SignalState : 1 [Type: long]
[+0x008] WaitListHead [Type: _LIST_ENTRY]
1: kd> dx -id 0,0,ffffffff89629788 -r1 (*((winsrv!_LIST_ENTRY *)0xffffffff896994a0))
(*((winsrv!_LIST_ENTRY *)0xffffffff896994a0)) [Type: _LIST_ENTRY]
[+0x000] Flink : 0x896994a0 [Type: _LIST_ENTRY *]
[+0x004] Blink : 0x896994a0 [Type: _LIST_ENTRY *]

Reading the header: Lock = 655368 = 0x000A0008 is the same first dword seen through the union, Type 0x08 with Size 0x0a (in dwords, 40 bytes, the size of a 32-bit KTIMER). SignalState is 1 while WaitListHead is empty (Flink == Blink == the head itself) and Inserted is 0, so this timer is signaled, nobody is currently waiting on it, and it is not linked into a timer list.

Part 3: (esp=baabcac8 and ebp=baabcd1c at this breakpoint lie inside the kernel stack of the KTHREAD dumped above, StackLimit 0xbaaba000 to InitialStack 0xbaabd000, so this is that thread running.)

1: kd> g
Breakpoint 15 hit
eax=00000002 ebx=00000000 ecx=00000000 edx=80010031 esi=bfa01624 edi=bfa03214
eip=bf891bbd esp=baabcac8 ebp=baabcd1c iopl=0 nv up ei ng nz na po cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000283
win32k!RawInputThread+0x712:
bf891bbd 3bc3 cmp eax,ebx
1: kd> kc
#
00 win32k!RawInputThread
01 win32k!xxxCreateSystemThreads
02 win32k!NtUserCallOneParam
03 nt!_KiSystemService
04 SharedUserData!SystemCallStub
05 winsrv!NtUserCallOneParam

1: kd> r
eax=00000002 ebx=00000000 ecx=00000000 edx=80010031 esi=bfa01624 edi=bfa03214
eip=bf891bbd esp=baabcac8 ebp=baabcd1c iopl=0 nv up ei ng nz na po cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000283
win32k!RawInputThread+0x712:
bf891bbd 3bc3 cmp eax,ebx
