How to find the objects/handles a call-stack frame is waiting upon in WaitForMultipleObjects?
In frame 2, kernel32!WaitForMultipleObjects+0x19, the Win32 API call is waiting on multiple objects/handles.
In WinDbg, how do we determine the handles for that particular frame?
0:012> k
# ChildEBP RetAddr
00 093ffba0 7510285f ntdll!NtWaitForMultipleObjects+0xc
01 093ffd2c 76f89188 KERNELBASE!WaitForMultipleObjectsEx+0xcc
02 093ffd48 61006516 kernel32!WaitForMultipleObjects+0x19
03 093ffd80 610065b0 mshtml!CRenderThread::WaitForWork+0x82
04 093ffdc4 61130503 mshtml!CRenderThread::RenderThread+0x2b0
05 093ffdd4 6d363a31 mshtml!CRenderThread::StaticRenderThreadProc+0x23
06 (Inline) -------- IEShims!NS_CreateThread::ThreadProc+0x86
07 093ffe0c 76f8919f IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x94
08 093ffe18 776ead8f kernel32!BaseThreadInitThunk+0xe
09 093ffe60 776ead5a ntdll!__RtlUserThreadStart+0x2f
0a 093ffe70 00000000 ntdll!_RtlUserThreadStart+0x1b
**// Arguments passed in the function call: kernel32!WaitForMultipleObjects+0x19**
0:012> dd 093ffd48
093ffd48 093ffd80 61006516 **00000002 093ffd6c**
093ffd58 **00000000 ffffffff** 00000000 00000000
093ffd68 05ef6078 00000778 000007c8 00000002
093ffd78 ffffffff 093ffdc4 093ffdc4 610065b0
093ffd88 093ffde0 00000000 00000006 61015990
093ffd98 1b541170 00000000 00000000 00000000
093ffda8 00000000 00000000 00000000 1b541170
093ffdb8 00000000 05ef6078 003ffdd4 093ffdd4
Output of k
kd> $$ 00adfb88 7755fe39 ntdll!NtWaitForMultipleObjects+0xc (FPO: [5,0,0])
Dump dwords at ebp
kd> dd 00adfb88 l 8
00adfb88 77576a44 7755fe39 00000010 00412ca8
00adfb98 00000001 00000001 00000000 77cc0c57
kd> $$ ebp+8 = first parameter = 10
kd> $$ ebp+c = second parameter = *handles 412ca8
kd> $$ the handles are
kd> dd 412ca8 l10
00412ca8 000000f4 000000f0 0000069c 00000900
00412cb8 00000464 000007d0 0000081c 00000828
00412cc8 000006d8 00000640 00000634 0000056c
00412cd8 0000037c 00000460 00000654 00000100
A script like this will fetch all the handles for you
kd> .foreach /pS 1 /ps 1 (place { dd /c 1 412ca8 l10 } ) { !handle place 2}
Output
PROCESS 86f6a6c8 SessionId: 1 Cid: 0b78 Peb: 7ffd8000 ParentCid: 0b6c
DirBase: 7e26c4c0 ObjectTable: b908ef00 HandleCount: 1079.
Image: explorer.exe
Handle table at b908ef00 with 1079 entries in use
00f4: Object: 86945a90 GrantedAccess: 001f0003 Entry: b90951e8
Object: 86945a90 Type: (84eaf350) Timer
ObjectHeader: 86945a78 (new version)
HandleCount: 1 PointerCount: 2
00f0: Object: 869416c0 GrantedAccess: 00100002 Entry: b90951e0
Object: 869416c0 Type: (84eaf350) Timer
ObjectHeader: 869416a8 (new version)
HandleCount: 1 PointerCount: 2
069c: Object: 86a12388 GrantedAccess: 00100004 Entry: b9095d38
Object: 86a12388 Type: (84ed06b8) WmiGuid
ObjectHeader: 86a12370 (new version)
HandleCount: 1 PointerCount: 2
0900: Object: 869b2d38 GrantedAccess: 001f0003 Entry: b8601200
Object: 869b2d38 Type: (84eb0978) Event
ObjectHeader: 869b2d20 (new version)
HandleCount: 1 PointerCount: 2
0464: Object: 85540d00 GrantedAccess: 001f0003 Entry: b90958c8
Object: 85540d00 Type: (84eb0978) Event
ObjectHeader: 85540ce8 (new version)
HandleCount: 1 PointerCount: 3
07d0: Object: 8552a480 GrantedAccess: 001f0003 Entry: b9095fa0
Object: 8552a480 Type: (84eb0978) Event
ObjectHeader: 8552a468 (new version)
HandleCount: 1 PointerCount: 4
081c: Object: 85cdde78 GrantedAccess: 001f0003 Entry: b8601038
Object: 85cdde78 Type: (84eb0978) Event
ObjectHeader: 85cdde60 (new version)
HandleCount: 1 PointerCount: 3
Directory Object: 98a802a8 Name: PRS_EXTERNAL_CHECK_CHANGED_NOTIFY
0828: Object: 86c4c938 GrantedAccess: 001f0003 Entry: b8601050
Object: 86c4c938 Type: (84eb0978) Event
ObjectHeader: 86c4c920 (new version)
HandleCount: 2 PointerCount: 5
Directory Object: 98a802a8 Name: {43a2b8d7-6fed-4c18-bd36-b4630d61afb5}
06d8: Object: 86d014d0 GrantedAccess: 001f0003 Entry: b9095db0
Object: 86d014d0 Type: (84eb0978) Event
ObjectHeader: 86d014b8 (new version)
HandleCount: 1 PointerCount: 2
0640: Object: 85ce4380 GrantedAccess: 001f0003 Entry: b9095c80
Object: 85ce4380 Type: (84eb0978) Event
ObjectHeader: 85ce4368 (new version)
HandleCount: 1 PointerCount: 2
0634: Object: 86f17e20 GrantedAccess: 001f0003 Entry: b9095c68
Object: 86f17e20 Type: (84eb0978) Event
ObjectHeader: 86f17e08 (new version)
HandleCount: 1 PointerCount: 2
056c: Object: 85ce7750 GrantedAccess: 001f0003 Entry: b9095ad8
Object: 85ce7750 Type: (84eb0978) Event
ObjectHeader: 85ce7738 (new version)
HandleCount: 1 PointerCount: 2
037c: Object: 86bbcae8 GrantedAccess: 001f0003 Entry: b90956f8
Object: 86bbcae8 Type: (84eb0978) Event
ObjectHeader: 86bbcad0 (new version)
HandleCount: 2 PointerCount: 3
0460: Object: 86cdab88 GrantedAccess: 001f0003 Entry: b90958c0
Object: 86cdab88 Type: (84eb0978) Event
ObjectHeader: 86cdab70 (new version)
HandleCount: 1 PointerCount: 2
0654: Object: 85ce6838 GrantedAccess: 001f0003 Entry: b9095ca8
Object: 85ce6838 Type: (84eb0978) Event
ObjectHeader: 85ce6820 (new version)
HandleCount: 1 PointerCount: 2
0100: Object: 865bb170 GrantedAccess: 00100002 Entry: b9095200
Object: 865bb170 Type: (84eaf350) Timer
ObjectHeader: 865bb158 (new version)
HandleCount: 1 PointerCount: 2
kd>
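As an added helper (not part of the question or the answer above), this Python script applies the answer's procedure to the dumps quoted in the question: it reads the frame's ChildEBP from `k` output, pulls nCount and lpHandles from [ebp+8] and [ebp+0xc] (assuming the x86 stdcall frame layout the answer relies on), decodes the handle array, and lists the `!handle` command each handle needs. The sample `k` and `dd` text is copied from the question; the function names are mine.

```python
import re
# Constructed sample input: the `k` and `dd` output quoted in the question above.
K_OUTPUT = """\
00 093ffba0 7510285f ntdll!NtWaitForMultipleObjects+0xc
01 093ffd2c 76f89188 KERNELBASE!WaitForMultipleObjectsEx+0xcc
02 093ffd48 61006516 kernel32!WaitForMultipleObjects+0x19
"""
DD_OUTPUT = """\
093ffd48 093ffd80 61006516 00000002 093ffd6c
093ffd58 00000000 ffffffff 00000000 00000000
093ffd68 05ef6078 00000778 000007c8 00000002
093ffd78 ffffffff 093ffdc4 093ffdc4 610065b0
"""

def parse_dd(text):
    """Turn `dd` output into an address -> dword map (row address, +4 per column)."""
    mem = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        base = int(parts[0], 16)
        for i, word in enumerate(parts[1:]):
            mem[base + 4 * i] = int(word, 16)
    return mem

def frame_ebp(k_text, symbol):
    """ChildEBP of the first `k` frame whose symbol starts with `symbol`."""
    for line in k_text.splitlines():
        m = re.match(r"^[0-9a-f]+\s+([0-9a-f]+)\s+[0-9a-f]+\s+(\S+)", line)
        if m and m.group(2).startswith(symbol):
            return int(m.group(1), 16)
    raise ValueError(f"no frame for {symbol} in k output")

def handles_from_frame(k_text, dd_text, symbol="kernel32!WaitForMultipleObjects"):
    """Assumed x86 stdcall layout: [ebp+8] = nCount, [ebp+0xc] = lpHandles."""
    mem = parse_dd(dd_text)
    ebp = frame_ebp(k_text, symbol)
    count, lp_handles = mem[ebp + 8], mem[ebp + 0xC]
    if any(lp_handles + 4 * i not in mem for i in range(count)):
        raise ValueError("dd dump does not cover the whole handle array")
    return count, lp_handles, [mem[lp_handles + 4 * i] for i in range(count)]

def handle_commands(handles):
    """Per-handle commands equivalent to the answer's .foreach / !handle loop."""
    return [f"!handle {h:x} 2" for h in handles]

if __name__ == "__main__":
    n, lp, hs = handles_from_frame(K_OUTPUT, DD_OUTPUT)
    print(f"nCount={n} lpHandles={lp:08x}", handle_commands(hs))
```

For the question's frame this yields nCount=2, lpHandles=093ffd6c and the handles 0x778 and 0x7c8, which are exactly the dwords the asker bolded in the dump.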