How to examine user thread call stack from windbg kernel debugger?

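My exe-once test program calls CancelIo and it blocks. I want to investigate which function it is blocked in, so while it is blocked, I use windbg to break into the machine remotely and try to find out.

As marked in yellow in the picture, my EXE has two threads, fffffa8013958b60 and fffffa8013aa1060. I already know that fffffa8013aa1060 is the one calling CancelIo.

So, how do I display the current call stack of thread fffffa8013aa1060?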

1: kd> !process fffffa8014c25170 2
PROCESS fffffa8014c25170
    SessionId: 1  Cid: 0ad4    Peb: 7fffffdf000  ParentCid: 07b8
    DirBase: 2b451000  ObjectTable: fffff8a002e61620  HandleCount:  12.
    Image: exe-once.exe

        THREAD fffffa8013958b60  Cid 0ad4.0724  Teb: 000007fffffdd000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
            fffffa8013aa1060  Thread

        THREAD fffffa8013aa1060  Cid 0ad4.01e8  Teb: 000007fffffdb000 Win32Thread: 0000000000000000 WAIT: (DelayExecution) KernelMode Non-Alertable
            fffffa8013aa1420  Semaphore Limit 0x1

Try this command sequence:

.process /i fffffa8014c25170 
g
.thread fffffa8013aa1060
.reload /user
k

Excerpt from the WinDbg documentation:

/i [...] Specifies that Process is to be debugged invasively. This kind of debugging means that the operating system of the target computer actually makes the specified process active. [...] If you use /i, you must use the g (Go) command to execute the target. After several seconds, the target breaks back in to the debugger, and the specified Process is active and used for the process context.
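
Added example, not part of the original question or answer and not WinDbg code: a Python helper that parses the `!process <addr> 2` output quoted in the question, reports which thread is waiting on a sibling thread, and emits the answer's command sequence for a chosen thread. The function names are hypothetical, and the parser assumes the output layout shown in the question.

```python
import re

# Sample input: the `!process <addr> 2` output quoted in the question above.
SAMPLE = """\
PROCESS fffffa8014c25170
    SessionId: 1  Cid: 0ad4    Peb: 7fffffdf000  ParentCid: 07b8
    DirBase: 2b451000  ObjectTable: fffff8a002e61620  HandleCount:  12.
    Image: exe-once.exe

        THREAD fffffa8013958b60  Cid 0ad4.0724  Teb: 000007fffffdd000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
            fffffa8013aa1060  Thread

        THREAD fffffa8013aa1060  Cid 0ad4.01e8  Teb: 000007fffffdb000 Win32Thread: 0000000000000000 WAIT: (DelayExecution) KernelMode Non-Alertable
            fffffa8013aa1420  Semaphore Limit 0x1
"""

THREAD_RE = re.compile(r"^\s*THREAD\s+([0-9a-f`]+)\s+Cid\s+(\S+).*?Win32Thread:\s+\S+\s+(.*)$", re.I)
WAIT_RE = re.compile(r"WAIT:\s+\((\w+)\)\s+(\w+)")
OBJ_RE = re.compile(r"^\s+([0-9a-f`]{8,})\s+(\S.*)$", re.I)

def parse_process(text):
    """Parse `!process <addr> 2` output into a dict of process and thread info."""
    info = {"process": None, "image": None, "threads": []}
    for line in text.splitlines():
        if m := re.match(r"^PROCESS\s+([0-9a-f`]+)", line, re.I):
            info["process"] = m.group(1)
        elif m := re.match(r"^\s+Image:\s+(\S+)", line):
            info["image"] = m.group(1)
        elif m := THREAD_RE.match(line):
            w = WAIT_RE.search(m.group(3))  # None when the thread is not waiting
            info["threads"].append({"addr": m.group(1), "cid": m.group(2),
                                    "reason": w.group(1) if w else None,
                                    "mode": w.group(2) if w else None, "waits": []})
        elif info["threads"] and (m := OBJ_RE.match(line)):
            # Indented "<address>  <type>" lines are the wait objects of the last thread
            info["threads"][-1]["waits"].append((m.group(1), m.group(2).strip()))
    return info

def blocked_on_sibling(info):
    """Return (waiter, target) pairs where a thread waits on another thread of the process."""
    addrs = {t["addr"] for t in info["threads"]}
    return [(t["addr"], obj) for t in info["threads"]
            for obj, _ in t["waits"] if obj in addrs]

def stack_commands(info, thread):
    """Emit the command sequence from the answer for one thread of the parsed process."""
    if thread not in {t["addr"] for t in info["threads"]}:
        raise ValueError(f"{thread} is not a thread of {info['process']}")
    return [f".process /i {info['process']}", "g",
            f".thread {thread}", ".reload /user", "k"]
```

On the sample, `blocked_on_sibling` shows that thread fffffa8013958b60 is waiting on thread fffffa8013aa1060, which itself sits in a kernel-mode DelayExecution wait.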