从nt!KeSetEvent到nt!KiExitDispatcher到nt!KiProcessDeferredReadyList到nt!KiDeferredReadyThread


从nt!KeSetEvent到nt!KiExitDispatcher到nt!KiProcessDeferredReadyList到nt!KiDeferredReadyThread
1: kd> p
Breakpoint 37 hit
eax=0000001b ebx=00000000 ecx=89836020 edx=00000000 esi=00000000 edi=ffdff120
eip=80a41c28 esp=f789eeb0 ebp=f789eee0 iopl=0 nv up ei ng nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000282
nt!KiDeferredReadyThread:
80a41c28 55 push ebp
0: kd> kc
#
00 nt!KiDeferredReadyThread
01 nt!KiProcessDeferredReadyList
02 nt!KiExitDispatcher
03 nt!KeSetEvent
04 USBPORT!USBPORT_SignalWorker
05 USBPORT!USBPORT_InvalidateEndpoint
06 USBPORT!USBPORT_FlushDoneTransferList
07 USBPORT!USBPORT_TransferFlushDpc
08 nt!KiRetireDpcList
09 nt!KiDispatchInterrupt
WARNING: Frame IP not in any known module. Following frames may be wrong.
0a 0x0
0: kd> kv
# ChildEBP RetAddr Args to Child
00 f789eeac 80a42c46 00000000 ffdff120 804edc6c nt!KiDeferredReadyThread (FPO: [Non-Fpo]) (CONV: fastcall) [d:\srv03rtm\base\ntos\ke\thredsup.c @ 156]
01 f789eebc 80a4002e 898d45c0 898d40e8 4f444648 nt!KiProcessDeferredReadyList+0x3a (FPO: [0,0,0]) (CONV: fastcall) [d:\srv03rtm\base\ntos\ke\thredsup.c @ 849]
02 f789eee0 80a342fd 00000000 f789ef18 bae8ac25 nt!KiExitDispatcher+0x42 (FPO: [Non-Fpo]) (CONV: fastcall) [d:\srv03rtm\base\ntos\ke\waitsup.c @ 80]
03 f789eeec bae8ac25 028d45c0 00000001 00000000 nt!KeSetEvent+0xf7 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\ke\eventobj.c @ 443]
04 f789ef18 bae9516e 898d4030 898d4724 89861340 USBPORT!USBPORT_SignalWorker+0xe3 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\drivers\wdm\usb\hcd\usbport\thread.c @ 330]
05 f789ef44 baea0cb2 2b747461 89861340 00000002 USBPORT!USBPORT_InvalidateEndpoint+0x558 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\drivers\wdm\usb\hcd\usbport\core.c @ 2586]
06 f789ef7c baea48a4 898d4030 ffdff980 baea4782 USBPORT!USBPORT_FlushDoneTransferList+0x28c (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\drivers\wdm\usb\hcd\usbport\core.c @ 2231]
07 f789ef9c 80a41432 898d4628 898d4030 00000000 USBPORT!USBPORT_TransferFlushDpc+0x122 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\drivers\wdm\usb\hcd\usbport\core.c @ 850]
08 f789eff4 80b00756 ba1b0bf8 00000000 00000000 nt!KiRetireDpcList+0xd6 (FPO: [Non-Fpo]) (CONV: fastcall) [d:\srv03rtm\base\ntos\ke\dpcsup.c @ 1076]
09 f789eff8 ba1b0bf8 00000000 00000000 00000000 nt!KiDispatchInterrupt+0x36 (FPO: [Uses EBP] [0,0,1]) [d:\srv03rtm\base\ntos\ke\i386\ctxswap.asm @ 226]
WARNING: Frame IP not in any known module. Following frames may be wrong.
0a 80b00756 00000000 00000009 bb837775 00000128 0xba1b0bf8

VOID
FASTCALL
KiProcessDeferredReadyList (
IN PKPRCB CurrentPrcb
)
{

do {
Thread = CONTAINING_RECORD(NextEntry, KTHREAD, SwapListEntry);
NextEntry = NextEntry->Next;
KiDeferredReadyThread(Thread);
} while (NextEntry != NULL);


ASSERT(Thread->State == DeferredReady);

0: kd> p
eax=0000001b ebx=00000000 ecx=89836020 edx=00000000 esi=89836020 edi=80a059f8
eip=80a41c3a esp=f789ee8c ebp=f789eeac iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
nt!KiDeferredReadyThread+0x12:
80a41c3a 807e2c07 cmp byte ptr [esi+2Ch],7 ds:0023:8983604c=07
0: kd> dt kthread 89836020
CSRSRV!KTHREAD
+0x000 Header : _DISPATCHER_HEADER
+0x010 MutantListHead : _LIST_ENTRY [ 0x89836030 - 0x89836030 ]
+0x018 InitialStack : 0xf701c000 Void
+0x01c StackLimit : 0xf7019000 Void
+0x020 KernelStack : 0xf701bce0 Void
+0x024 ThreadLock : 0
+0x028 ContextSwitches : 0x407
+0x02c State : 0x7 ''

//
// Scheduler state kept in the KTHREAD State byte (the +0x02c field in the
// "dt kthread" listings on this page). Values are assigned implicitly from 0,
// so the 0x7 and 0x3 seen in the dumps map to DeferredReady and Standby.
//
typedef enum _KTHREAD_STATE {
Initialized, // 0
Ready, // 1
Running, // 2
Standby, // 3 - what "Thread->State = Standby;" stores once a target processor has been chosen (State : 0x3 in the later dump)
Terminated, // 4
Waiting, // 5
Transition, // 6
DeferredReady // 7 - expected on entry to KiDeferredReadyThread; the "cmp byte ptr [esi+2Ch],7" at +0x12 and the ASSERT(Thread->State == DeferredReady) check exactly this
} KTHREAD_STATE;

+0x1bf AdjustReason : 0x1 '' AdjustUnwait

//
// Why a priority adjustment is pending on a KTHREAD (AdjustReason at +0x1bf;
// the dump on this page shows 0x1, i.e. AdjustUnwait). The quoted
// KiDeferredReadyThread excerpt handles AdjustNone and AdjustUnwait and ends
// in ASSERT(FALSE) for the remaining case it shows; an AdjustBoost branch may
// exist in the elided part of the source, it is not visible here.
//
typedef enum _ADJUST_REASON {
AdjustNone = 0, // no adjustment requested
AdjustUnwait = 1, // increment stored in AdjustIncrement, applied after an unwait (the KeSetEvent -> KiExitDispatcher path in the stack above)
AdjustBoost = 2 // not exercised in this trace
} ADJUST_REASON;


//
// Check if a priority adjustment is requested.
//检查是否请求调整优先级。

if (Thread->AdjustReason == AdjustNone) {


0: kd> dx -id 0,0,8954e020 -r1 (*((CSRSRV!_KAPC_STATE *)0x89836054))
(*((CSRSRV!_KAPC_STATE *)0x89836054)) [Type: _KAPC_STATE]
[+0x000] ApcListHead [Type: _LIST_ENTRY [2]]
[+0x010] Process : 0x899a2278 [Type: _KPROCESS *]


} else if (Thread->AdjustReason == AdjustUnwait) {

//
// Priority adjustment as the result of an unwait operation.
//
// The priority increment is stored in the adjust increment field of
// the thread object.
//
// Acquire the thread lock.
//
// If the thread runs at a realtime priority level, then reset the
// thread quantum. Otherwise, compute the next thread priority and
// charge the thread for the wait operation.
//

Process = Thread->ApcState.Process;
KiAcquireThreadLock(Thread);
if (Thread->Priority < LOW_REALTIME_PRIORITY) {

LOW_REALTIME_PRIORITY equ 010H


+0x05b Priority : 9 ''


if (Thread->BasePriority >= TIME_CRITICAL_PRIORITY_BOUND) {
Thread->Quantum = Process->ThreadQuantum;

}

#define TIME_CRITICAL_PRIORITY_BOUND 14


+0x110 BasePriority : 8 ''

if ((Thread->PriorityDecrement == 0) && (Thread->AdjustIncrement > 0)) {
Thread->Quantum = Process->ThreadQuantum;
}


+0x113 Quantum : 31 ''


0: kd> dx -id 0,0,8954e020 -r1 ((CSRSRV!_KPROCESS *)0x899a2278)

[+0x062] BasePriority : 8 [Type: char]
[+0x063] ThreadQuantum : 36 '$' [Type: char]

+0x050 WaitStatus : 0n0


if (Thread->WaitStatus != STATUS_KERNEL_APC) {
Thread->Quantum -= WAIT_QUANTUM_DECREMENT;
if (Thread->Quantum <= 0) {
Thread->Quantum = Process->ThreadQuantum;
Thread->Priority = KiComputeNewPriority(Thread, 1);
}
}
}

WAIT_QUANTUM_DECREMENT equ 01H

+0x113 Quantum : 35 '#' 36-1=35

Priority = Thread->BasePriority + Thread->AdjustIncrement;


+0x1c0 AdjustIncrement : 1 ''
+0x110 BasePriority : 8 ''

+0x05b Priority : 9 ''

} else {

//
// Invalid priority adjustment reason.
//

ASSERT(FALSE);

Thread->AdjustReason = AdjustNone;
} 线程优先级调整部分结束。


Preempted = Thread->Preempted;
Thread->Preempted = FALSE;


+0x10a Preempted : 0 ''


0: kd> dv Preempted
Preempted = 0x00 ''

+0x10e IdealProcessor : 0x1 ''

+0x120 Affinity : 3

//
// Attempt to assign the thread on an idle processor.
//

CurrentPrcb = KeGetCurrentPrcb();


0: kd> p
eax=ffdff120 ebx=00000009 ecx=00000000 edx=00000009 esi=89836020 edi=80a059f8
eip=80a41fac esp=f789ee8c ebp=f789eeac iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
nt!KiDeferredReadyThread+0x384:
80a41fac 0fb6860e010000 movzx eax,byte ptr [esi+10Eh] ds:0023:8983612e=01

0: kd> x nt!KiIdleSummary
80b16e80 nt!KiIdleSummary = 2


do {
Processor = Thread->IdealProcessor;
IdleSet = KiIdleSummary & Affinity; 3&2=2 选择1号处理器


0: kd> dv IdleSet
IdleSet = 2

#define AFFINITY_MASK(n) (KiAffinityArray[n])

TargetPrcb = KiProcessorBlock[Processor];

0: kd> dv Processor
Processor = 1

0: kd> x nt!KiProcessorBlock
80b20680 nt!KiProcessorBlock = struct _KPRCB *[]
80b20680 nt!KiProcessorBlock = struct _KPRCB *[32]
80b20680 nt!KiProcessorBlock = struct _KPRCB *[]
0: kd> dx -r1 (*((ntkrnlmp!_KPRCB * (*)[32])0x80b20680))
(*((ntkrnlmp!_KPRCB * (*)[32])0x80b20680)) [Type: _KPRCB * [32]]
[0] : 0xffdff120 [Type: _KPRCB *]
[1] : 0xf7737120 [Type: _KPRCB *]


+0x014 SetMember : 2

Thread->State = Standby;
Thread->NextProcessor = (UCHAR)Processor;


0: kd> dt kthread 89836020
CSRSRV!KTHREAD
+0x000 Header : _DISPATCHER_HEADER
+0x010 MutantListHead : _LIST_ENTRY [ 0x89836030 - 0x89836030 ]
+0x018 InitialStack : 0xf701c000 Void
+0x01c StackLimit : 0xf7019000 Void
+0x020 KernelStack : 0xf701bce0 Void
+0x024 ThreadLock : 0
+0x028 ContextSwitches : 0x407
+0x02c State : 0x3 ''

+0x10f NextProcessor : 0x1 ''


0: kd> dx -id 0,0,8954e020 -r1 ((basesrv!_KPRCB *)0xf7737120)
((basesrv!_KPRCB *)0xf7737120) : 0xf7737120 [Type: _KPRCB *]
[+0x000] MinorVersion : 0x1 [Type: unsigned short]
[+0x002] MajorVersion : 0x1 [Type: unsigned short]
[+0x004] CurrentThread : 0xf7739fa0 [Type: _KTHREAD *]
[+0x008] NextThread : 0x0 [Type: _KTHREAD *]

TargetPrcb->NextThread = Thread;


0: kd> dx -id 0,0,8954e020 -r1 ((basesrv!_KPRCB *)0xf7737120)
((basesrv!_KPRCB *)0xf7737120) : 0xf7737120 [Type: _KPRCB *]
[+0x000] MinorVersion : 0x1 [Type: unsigned short]
[+0x002] MajorVersion : 0x1 [Type: unsigned short]
[+0x004] CurrentThread : 0xf7739fa0 [Type: _KTHREAD *]
[+0x008] NextThread : 0x89836020 [Type: _KTHREAD *]


KiReleaseTwoPrcbLocks(CurrentPrcb, TargetPrcb);
return; 返回了!!!

第二部分:

0: kd> g
Breakpoint 41 hit
eax=0000001b ebx=804edc6c ecx=ffdff120 edx=00000000 esi=00000000 edi=ffdff120
eip=80a42c0c esp=f789ed04 ebp=f789ed24 iopl=0 nv up ei ng nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000282
nt!KiProcessDeferredReadyList:
80a42c0c 53 push ebx
0: kd> kc
#
00 nt!KiProcessDeferredReadyList
01 nt!KiExitDispatcher
02 nt!KeInsertQueue
03 nt!ExQueueWorkItem
04 nt!PopUserPresentSet
05 nt!PopApplyAttributeState
06 nt!PoSetSystemState
07 mouclass!MouseClassServiceCallback
08 mouhid!MouHid_ReadComplete
09 nt!IopfCompleteRequest
0a HIDCLASS!HidpDistributeInterruptReport
0b HIDCLASS!HidpInterruptReadComplete
0c nt!IopfCompleteRequest
0d USBPORT!USBPORT_CompleteTransfer
0e USBPORT!USBPORT_DoneTransfer
0f USBPORT!USBPORT_FlushDoneTransferList
10 USBPORT!USBPORT_TransferFlushDpc
11 nt!KiRetireDpcList
12 nt!KiDispatchInterrupt
WARNING: Frame IP not in any known module. Following frames may be wrong.
13 0x0
0: kd> dv
CurrentPrcb = 0x00000000
0: kd> kv 3
# ChildEBP RetAddr Args to Child
00 f789ed00 80a4002e 80b198e0 00000000 00000002 nt!KiProcessDeferredReadyList (FPO: [0,0,0]) (CONV: fastcall) [d:\srv03rtm\base\ntos\ke\thredsup.c @ 825]
01 f789ed24 80a38de1 80bf5cbc 00000000 f789ed50 nt!KiExitDispatcher+0x42 (FPO: [Non-Fpo]) (CONV: fastcall) [d:\srv03rtm\base\ntos\ke\waitsup.c @ 80]
02 f789ed34 80af297b 80bf5cbc 80b198e0 897fa0d8 nt!KeInsertQueue+0x77 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\ke\queueobj.c @ 165]
0: kd> !pcr


do {
Thread = CONTAINING_RECORD(NextEntry, KTHREAD, SwapListEntry);
NextEntry = NextEntry->Next;
KiDeferredReadyThread(Thread);
} while (NextEntry != NULL);

0: kd> p
eax=00000000 ebx=00000000 ecx=00000002 edx=000c08e1 esi=00000000 edi=ffdff120
eip=80a42c46 esp=f789eeb4 ebp=f789eee0 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
nt!KiProcessDeferredReadyList+0x3a:
80a42c46 3bf3 cmp esi,ebx

0: kd> dx -id 0,0,8954e020 -r1 ((basesrv!_KPRCB *)0xffdff120)
((basesrv!_KPRCB *)0xffdff120) : 0xffdff120 [Type: _KPRCB *]
[+0x000] MinorVersion : 0x1 [Type: unsigned short]
[+0x002] MajorVersion : 0x1 [Type: unsigned short]
[+0x004] CurrentThread : 0x895f2a78 [Type: _KTHREAD *]
[+0x008] NextThread : 0x0 [Type: _KTHREAD *]

[+0x928] ReadySummary : 0x0 [Type: unsigned long]
[+0x92c] SelectNextLast : 0x0 [Type: unsigned long]
[+0x930] DispatcherReadyListHead [Type: _LIST_ENTRY [32]]
[+0xa30] DeferredReadyListHead [Type: _SINGLE_LIST_ENTRY]
[+0xa34] PrcbPad72 [Type: unsigned long [11]]
[+0xa60] ChainedInterruptList : 0x0 [Type: void *]
[+0xa64] LookasideIrpFloat : 32720 [Type: long]
[+0xa68] SpareFields0 [Type: unsigned long [4]]
[+0xa78] VendorString [Type: unsigned char [13]]
[+0xa85] InitialApicId : 0x0 [Type: unsigned char]
[+0xa86] LogicalProcessorsPerPhysicalProcessor : 0x2 [Type: unsigned char]
[+0xa88] MHz : 0xe10 [Type: unsigned long]
[+0xa8c] FeatureBits : 0x33fff [Type: unsigned long]
[+0xa90] UpdateSignature : {876173328384} [Type: _LARGE_INTEGER]
[+0xa98] IsrTime : 0x0 [Type: unsigned __int64]
[+0xaa0] NpxSaveArea [Type: _FX_SAVE_AREA]
[+0xcb0] PowerState [Type: _PROCESSOR_POWER_STATE]
0: kd> dx -id 0,0,8954e020 -r1 (*((basesrv!_SINGLE_LIST_ENTRY *)0xffdffb50))
(*((basesrv!_SINGLE_LIST_ENTRY *)0xffdffb50)) [Type: _SINGLE_LIST_ENTRY]
[+0x000] Next : 0x8999d680 [Type: _SINGLE_LIST_ENTRY *]
0: kd> dx -id 0,0,8954e020 -r1 ((basesrv!_SINGLE_LIST_ENTRY *)0x8999d680)
((basesrv!_SINGLE_LIST_ENTRY *)0x8999d680) : 0x8999d680 [Type: _SINGLE_LIST_ENTRY *]
[+0x000] Next : 0x0 [Type: _SINGLE_LIST_ENTRY *]


FORCEINLINE
VOID
FASTCALL
KiInsertDeferredReadyList (
IN PKTHREAD Thread
)
{

Prcb = KeGetCurrentPrcb();
Thread->State = DeferredReady;
Thread->DeferredProcessor = Prcb->Number;
PushEntryList(&Prcb->DeferredReadyListHead,
&Thread->SwapListEntry);


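//
// Push Entry onto the front of the singly-linked list anchored at ListHead.
//
// Both arguments are pointers to objects whose first member is a Next link
// (_SINGLE_LIST_ENTRY here: Prcb->DeferredReadyListHead and
// Thread->SwapListEntry). The expansion is wrapped in do { } while (0) so
// that it is a single statement and is safe as the body of an unbraced
// if/else; without the wrapper only the first assignment would be
// conditional. Each argument is evaluated more than once, so callers must
// not pass expressions with side effects.
//
#define PushEntryList(ListHead,Entry) \
do { \
(Entry)->Next = (ListHead)->Next; \
(ListHead)->Next = (Entry); \
} while (0)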

+0x060 WaitListEntry : _LIST_ENTRY [ 0x0 - 0xf7737a98 ]
+0x060 SwapListEntry : _SINGLE_LIST_ENTRY


0: kd> dt kthread 0x8999d680-60
CSRSRV!KTHREAD
+0x000 Header : _DISPATCHER_HEADER
+0x010 MutantListHead : _LIST_ENTRY [ 0x8999d630 - 0x8999d630 ]
+0x018 InitialStack : 0xf78e7000 Void
+0x01c StackLimit : 0xf78e4000 Void
+0x020 KernelStack : 0xf78e6cf8 Void
+0x024 ThreadLock : 0
+0x028 ContextSwitches : 0x1c0
+0x02c State : 0x7 ''

do {
Thread = CONTAINING_RECORD(NextEntry, KTHREAD, SwapListEntry);
NextEntry = NextEntry->Next;

0: kd> p
eax=0000001b ebx=00000000 ecx=8999d620 edx=00000000 esi=8999d680 edi=ffdff120
eip=80a42c3f esp=f789ecf8 ebp=f789ed24 iopl=0 nv up ei ng nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000282
nt!KiProcessDeferredReadyList+0x33:
80a42c3f 8b36 mov esi,dword ptr [esi] ds:0023:8999d680=00000000


0: kd> dd 8999d680
8999d680 00000000
