
Analysis of the win32k!xxxDesktopThread thread: the read path from win32k!StartDeviceRead to mouclass!MouseClassHandleRead enters a wait state when there is no data to read



1: kd> g
Breakpoint 58 hit
eax=00000003 ebx=00000000 ecx=898fda68 edx=89839c90 esi=89839c90 edi=897a0c78
eip=f751bc0a esp=f75f672c ebp=f75f6744 iopl=0 nv up ei ng nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000286
mouclass!MouseClassRead:
f751bc0a 55 push ebp
1: kd> dv
Device = 0x897a0c78 Device for "\Driver\Mouclass"
Irp = 0x89839c90

1: kd> kc
#
00 mouclass!MouseClassRead
01 nt!IofCallDriver
02 nt!IopSynchronousServiceTail
03 nt!NtReadFile
04 nt!_KiSystemService
05 nt!ZwReadFile
06 win32k!StartDeviceRead
07 win32k!InputApc
08 nt!KiDeliverApc
09 nt!KiSwapThread
0a nt!KeWaitForMultipleObjects
0b win32k!xxxMsgWaitForMultipleObjects
0c win32k!xxxDesktopThread
0d win32k!xxxCreateSystemThreads
0e win32k!NtUserCallOneParam
0f nt!_KiSystemService
10 SharedUserData!SystemCallStub
11 winsrv!NtUserCallOneParam

1: kd> g
Breakpoint 59 hit
eax=00000000 ebx=00000103 ecx=00000000 edx=00000000 esi=89839c90 edi=897a0d30
eip=f7519f1c esp=f75f6710 ebp=f75f6728 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
mouclass!MouseClassHandleRead:
f7519f1c 55 push ebp
1: kd> dv
DeviceExtension = 0x897a0d30
Irp = 0x89839c90
status = 0n-145645795
completeIrp = 0x00 ''
irql = 0x00 ''
1: kd> dx -id 0,0,89831250 -r1 ((mouclass!_DEVICE_EXTENSION *)0x897a0d30)
((mouclass!_DEVICE_EXTENSION *)0x897a0d30) : 0x897a0d30 [Type: _DEVICE_EXTENSION *]
[+0x000] Self : 0x897a0c78 : Device for "\Driver\Mouclass" [Type: _DEVICE_OBJECT *]
[+0x004] TrueClassDevice : 0x897a0c78 : Device for "\Driver\Mouclass" [Type: _DEVICE_OBJECT *]
[+0x008] TopPort : 0x897f9020 : Device for "\Driver\mouhid" [Type: _DEVICE_OBJECT *]
[+0x00c] PDO : 0x89764948 : Device for "\Driver\hidusb" [Type: _DEVICE_OBJECT *]
[+0x010] RemoveLock [Type: _IO_REMOVE_LOCK]
[+0x068] PnP : 0x1 [Type: unsigned char]
[+0x069] Started : 0x1 [Type: unsigned char]
[+0x06a] OkayToLogOverflow : 0x1 [Type: unsigned char]
[+0x06c] WaitWakeSpinLock : 0x0 [Type: unsigned long]
[+0x070] TrustedSubsystemCount : 0x1 [Type: unsigned long]
[+0x074] InputCount : 0x0 [Type: unsigned long]
[+0x078] SymbolicLinkName : "\??\HID#Vid_0e0f&Pid_0003&MI_01#8&51f168b&0&0000#{378de44c-56ef-11d1-bc8c-00a0c91405dd}" [Type: _UNICODE_STRING]
[+0x080] InputData : 0x8988f530 [Type: _MOUSE_INPUT_DATA *]
[+0x084] DataIn : 0x8988f5a8 [Type: _MOUSE_INPUT_DATA *]
[+0x088] DataOut : 0x8988f5a8 [Type: _MOUSE_INPUT_DATA *]
[+0x08c] MouseAttributes [Type: _MOUSE_ATTRIBUTES]
[+0x098] SpinLock : 0x0 [Type: unsigned long]
[+0x09c] ReadQueue [Type: _LIST_ENTRY]
[+0x0a4] SequenceNumber : 0x4 [Type: unsigned long]
[+0x0a8] DeviceState : PowerDeviceD0 (1) [Type: _DEVICE_POWER_STATE]
[+0x0ac] SystemState : PowerSystemWorking (1) [Type: _SYSTEM_POWER_STATE]
[+0x0b0] UnitId : 0x0 [Type: unsigned long]
[+0x0b4] WmiLibInfo [Type: _WMILIB_CONTEXT]
[+0x0d4] SystemToDeviceState [Type: _DEVICE_POWER_STATE [5]]
[+0x0e8] MinDeviceWakeState : PowerDeviceD0 (1) [Type: _DEVICE_POWER_STATE]
[+0x0ec] MinSystemWakeState : PowerSystemSleeping1 (2) [Type: _SYSTEM_POWER_STATE]
[+0x0f0] WaitWakeIrp : 0x0 [Type: _IRP *]
[+0x0f4] ExtraWaitWakeIrp : 0x0 [Type: _IRP *]
[+0x0f8] TargetNotifyHandle : 0x0 [Type: void *]
[+0x0fc] Link [Type: _LIST_ENTRY]
[+0x104] File : 0x0 [Type: _FILE_OBJECT *]
[+0x108] Enabled : 0x0 [Type: unsigned char]
[+0x109] WaitWakeEnabled : 0x0 [Type: unsigned char]
[+0x10a] SurpriseRemoved : 0x0 [Type: unsigned char]
1: kd> g
Breakpoint 46 hit
eax=00000000 ebx=f7737000 ecx=00000000 edx=f7739fa0 esi=f7739fa0 edi=89804020
eip=80b007f0 esp=f75f6934 ebp=f75f697c iopl=0 nv up ei ng nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000282
nt!SwapContext:
80b007f0 51 push ecx


1: kd> g
Breakpoint 4 hit
eax=00000002 ebx=8979d3c0 ecx=89485cd8 edx=00000000 esi=898d4030 edi=898d40f4
eip=80a26a00 esp=f789ee3c ebp=f789eeac iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
nt!IopfCompleteRequest:
80a26a00 55 push ebp
0: kd> !thread 89804020
THREAD 89804020 Cid 01b0.01e0 Teb: 7ffd8000 Win32Thread: e1639460 WAIT: (WrUserRequest) UserMode Non-Alertable
8957cd20 SynchronizationEvent
89505548 SynchronizationEvent
89804b80 SynchronizationEvent
IRP List:
89839c90: (0006,01d8) Flags: 00000970 Mdl: 00000000
894f8458: (0006,01d8) Flags: 00000970 Mdl: 00000000
8989e008: (0006,0190) Flags: 00000970 Mdl: 00000000
89756e70: (0006,0190) Flags: 00000970 Mdl: 00000000
Not impersonating
DeviceMap e10003d8
Owning Process 89831250 Image: csrss.exe
Attached Process N/A Image: N/A
Wait Start TickCount 274655524 Ticks: 2 (0:00:00:00.031)
Context Switch Count 622 IdealProcessor: 1 LargeStack
UserTime 00:00:00.000
KernelTime 00:00:01.484
Stack Init f75f7000 Current f75f692c Base f75f7000 Limit f75f4000 Call 00000000
Priority 15 BasePriority 13 PriorityDecrement 0 IoPriority 0 PagePriority 0
ChildEBP RetAddr Args to Child
f75f6944 80a440eb f7737120 89804020 89804080 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4]) [d:\srv03rtm\base\ntos\ke\i386\ctxswap.asm @ 139]
f75f697c 80a358c7 00000000 e1639460 00000002 nt!KiSwapThread+0x627 (FPO: [Non-Fpo]) (CONV: fastcall) [d:\srv03rtm\base\ntos\ke\thredsup.c @ 2000]
f75f69b4 bf8a4685 00000003 89804b50 00000001 nt!KeWaitForMultipleObjects+0x3b5 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\ke\wait.c @ 816]
f75f6a04 bf8b123e 00000002 89804b50 bf8fe215 win32k!xxxMsgWaitForMultipleObjects+0xeb (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\kernel\queue.c @ 4540]
f75f6d1c bf8b21ba bfa70aa0 00000001 f75f6d48 win32k!xxxDesktopThread+0x437 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\kernel\desktop.c @ 594]
f75f6d2c bf806d52 bfa70aa0 f75f6d58 008cfff4 win32k!xxxCreateSystemThreads+0x9c (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\kernel\desktop.c @ 347]
f75f6d48 80afbcb2 00000000 00000022 80afb956 win32k!NtUserCallOneParam+0xa0 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\kernel\ntstubs.c @ 4789]
f75f6d48 7ffe0304 00000000 00000022 80afb956 nt!_KiSystemService+0x13f (FPO: [0,3] TrapFrame @ f75f6d64) (CONV: cdecl) [d:\srv03rtm\base\ntos\ke\i386\trap.asm @ 1328]
00000000 00000000 00000000 00000000 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])
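The device-extension dump and the `!thread` output above contain enough to check the claim in the title mechanically. The following Python script is an added example and is not part of the original post: it parses the `dx` field lines for InputData, DataIn, DataOut and InputCount, reports whether the MOUSE_INPUT_DATA ring buffer is empty (DataIn == DataOut and InputCount == 0, so a read cannot be satisfied and must be pended with STATUS_PENDING, 0x103), and confirms from the `!thread` output that IRP 89839c90 is still outstanding on the thread that is waiting in WrUserRequest. The sample input is copied from the session above; the 24-byte entry size (sizeof(MOUSE_INPUT_DATA) on 32-bit Windows) is an assumption of the example, not a value taken from the page.

```python
import re

# Field lines copied from the `dx` dump of mouclass!_DEVICE_EXTENSION in the session above
# (page data, not constructed); only the ring-buffer fields matter for the check.
DX_DUMP = r"""
[+0x000] Self : 0x897a0c78 : Device for "\Driver\Mouclass" [Type: _DEVICE_OBJECT *]
[+0x074] InputCount : 0x0 [Type: unsigned long]
[+0x080] InputData : 0x8988f530 [Type: _MOUSE_INPUT_DATA *]
[+0x084] DataIn : 0x8988f5a8 [Type: _MOUSE_INPUT_DATA *]
[+0x088] DataOut : 0x8988f5a8 [Type: _MOUSE_INPUT_DATA *]
"""

# Lines copied from the `!thread 89804020` output in the session above (page data, not constructed).
THREAD_DUMP = r"""
THREAD 89804020 Cid 01b0.01e0 Teb: 7ffd8000 Win32Thread: e1639460 WAIT: (WrUserRequest) UserMode Non-Alertable
IRP List:
89839c90: (0006,01d8) Flags: 00000970 Mdl: 00000000
894f8458: (0006,01d8) Flags: 00000970 Mdl: 00000000
8989e008: (0006,0190) Flags: 00000970 Mdl: 00000000
89756e70: (0006,0190) Flags: 00000970 Mdl: 00000000
Not impersonating
"""

# sizeof(MOUSE_INPUT_DATA) on 32-bit Windows: assumption of this example, not a value from the page.
MOUSE_INPUT_DATA_SIZE = 24
STATUS_SUCCESS = 0x00000000
STATUS_PENDING = 0x00000103

FIELD_RE = re.compile(r"^\[\+0x[0-9a-f]+\]\s+(\w+)\s+:\s+(0x[0-9a-f]+)", re.I | re.M)
IRP_RE = re.compile(r"^([0-9a-f]{8}):\s+\([0-9a-f]{4},[0-9a-f]{4}\)", re.I | re.M)
WAIT_RE = re.compile(r"\bWAIT:\s*\((\w+)\)")


def parse_dx_fields(text):
    """Map field name -> integer value for every `[+0xNNN] Name : 0x...` line of a dx dump."""
    return {m.group(1): int(m.group(2), 16) for m in FIELD_RE.finditer(text)}


def ring_state(fields):
    """Describe the MOUSE_INPUT_DATA ring from InputData (base), DataIn (producer),
    DataOut (consumer) and InputCount (entries queued)."""
    base, data_in, data_out = fields["InputData"], fields["DataIn"], fields["DataOut"]
    in_off, out_off = data_in - base, data_out - base
    if min(in_off, out_off) < 0 or in_off % MOUSE_INPUT_DATA_SIZE or out_off % MOUSE_INPUT_DATA_SIZE:
        raise ValueError("DataIn/DataOut do not point at whole entries of the ring at InputData")
    return {
        "in_index": in_off // MOUSE_INPUT_DATA_SIZE,
        "out_index": out_off // MOUSE_INPUT_DATA_SIZE,
        "queued": fields["InputCount"],
        "empty": fields["InputCount"] == 0 and data_in == data_out,
    }


def predict_read_status(fields):
    """With an empty ring a read IRP cannot be completed; it is pended (STATUS_PENDING).
    With queued entries it can be completed immediately (STATUS_SUCCESS)."""
    return STATUS_PENDING if ring_state(fields)["empty"] else STATUS_SUCCESS


def outstanding_irps(text):
    """IRP addresses listed under 'IRP List:' in !thread output (IRPs still owned by the thread)."""
    return [int(m.group(1), 16) for m in IRP_RE.finditer(text)]


def wait_reason(text):
    """The WAIT: (reason) token from the THREAD header line, or None."""
    m = WAIT_RE.search(text)
    return m.group(1) if m else None


def explain(dx_text, thread_text, irp):
    """Cross-check: an empty ring should go with the read IRP still outstanding on a waiting thread."""
    fields = parse_dx_fields(dx_text)
    status = predict_read_status(fields)
    pending = irp in outstanding_irps(thread_text)
    return {
        "ring": ring_state(fields),
        "status": status,
        "irp_pending_on_thread": pending,
        "wait_reason": wait_reason(thread_text),
        "consistent": (status == STATUS_PENDING) == pending,
    }


if __name__ == "__main__":
    for key, value in explain(DX_DUMP, THREAD_DUMP, 0x89839C90).items():
        print(f"{key}: {value}")
```

Both pointers sit 0x78 bytes into the ring (entry index 5) and InputCount is 0, so the read issued from win32k!StartDeviceRead cannot be completed and stays on the thread's IRP list while the thread waits; the same script run against a dump with InputCount greater than 0 predicts an immediate completion instead.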

http://www.cnnetsun.cn/news/179386.html
