[Help] [Stack overflow causes an access violation but no crash]; a look at the kernel shows svchost is in trouble. Looking for ideas
Posted on: 2012-11-16 19:25 8674
os: windows server 2008 r2 x64
The program is 32-bit.
==============================================
Problem description:
One of our programs calls memcpy with a miscalculated size. It smashes the stack, eventually writes to an invalid page, raises an exception, and the program crashes.
None of that is a problem in itself; it was a 100% reproducible issue, until one day an "anomaly" showed up.
On one VM, the program that should have crashed showed infinite vitality, although some of its behaviour was abnormal...
0:080:x86> kv fff
Memory  ChildEBP RetAddr  Args to Child
         15b6f870 15268882 15b6f970 15f02d68 fffffffe msvcr90!memcpy+0x5a
WARNING: Stack unwind information not available. Following frames may be wrong.
      88 15b6f8f8 15268d79 04d07470 15b6f970 00000008 ExcepApp+0x78882
      34 15b6f92c 1526cb07 04d07470 15b6f970 00000008 ExcepApp+0x78d79
     270 15b6fb9c 00000000 1636f520 5c3bd1f5 8000003a ExcepApp+0x7cb07
0:080:x86> r
eax=15f02d66 ebx=04cc2560 ecx=3ffffe5b edx=00000002 esi=15f033f8 edi=15b70000
eip=74cbae7a esp=15b6f868 ebp=15b6f870 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
msvcr90!memcpy+0x5a:
74cbae7a f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
0:080:x86> dd edi L4
15b70000  ???????? ???????? ???????? ????????
0:080:x86> dd edi-4 L4
15b6fffc  00000000 ???????? ???????? ????????
Above is the analysis data for the problem thread from user-mode debugging. It is certain that this thread has already raised the exception and should be in the exception-dispatch stage.
I then captured a kernel dump with LiveKD.
Result:
0: kd> !thread fffffa800694fb60
THREAD fffffa800694fb60  Cid 0a0c.14dc  Teb: 000000007ee81000 Win32Thread: 0000000000000000 WAIT: (Suspended) KernelMode Non-Alertable
    SuspendCount 1
    FreezeCount 1
    fffffa800694fe38  Semaphore Limit 0x2
Waiting for reply to ALPC Message fffff8a00d7492c0 : queued at port fffffa8007e79090 : owned by process fffffa8007b82b30
Not impersonating
DeviceMap                 fffff8a000006110
Owning Process            fffffa8005e05b30       Image:         AppName.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      16200644       Ticks: 80631 (0:00:20:59.859)
Context Switch Count      273333
UserTime                  00:00:56.593
KernelTime                00:00:04.593
Win32 Start Address 0x0000000074ca345e
Stack Init fffff8800540ddb0 Current fffff8800540c200
Base fffff8800540e000 Limit fffff88005408000 Call 0
Priority 10 BasePriority 8 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
Child-SP          RetAddr           : Args to Child                                                           : Call Site
fffff880`0540c240 fffff800`01688f92 : fffffa80`0694fb60 fffffa80`0694fb60 00000000`00000000 fffffa80`0000000a : nt!KiSwapContext+0x7a
fffff880`0540c380 fffff800`0168b7af : 00000000`00000000 00000002`00000000 fffffa80`00000000 fffff800`016864da : nt!KiCommitThreadWait+0x1d2
fffff880`0540c410 fffff800`01676734 : 00000000`00000000 00000000`00000005 00000000`00000000 00000000`00000000 : nt!KeWaitForSingleObject+0x19f
fffff880`0540c4b0 fffff800`016773b1 : fffffa80`0694fb60 fffffa80`0694fbb0 00000000`001fffff fffffa80`00000000 : nt!KiSuspendThread+0x54
fffff880`0540c4f0 fffff800`0168919d : fffffa80`0694fb60 00000000`00000000 fffff800`016766e0 00000000`00000000 : nt!KiDeliverApc+0x201
fffff880`0540c570 fffff800`0168b7af : 00000000`00000000 fffffa80`0694fb60 fffffa80`00000000 fffff800`0168a03a : nt!KiCommitThreadWait+0x3dd
fffff880`0540c600 fffff800`016a5d4f : 00000000`00000000 00000000`00000011 00000000`00000001 00000000`00000000 : nt!KeWaitForSingleObject+0x19f
fffff880`0540c6a0 fffff800`01993506 : fffffa80`06b938c8 fffffa80`0694ff20 fffff8a0`0c91f901 00000000`00000000 : nt!AlpcpSignalAndWait+0x8f
fffff880`0540c750 fffff800`01992c00 : 00000000`00000000 fffff880`0540ccf0 00000000`00000000 fffffa80`03da3000 : nt!AlpcpReceiveSynchronousReply+0x46
fffff880`0540c7b0 fffff800`019909fb : fffffa80`08d3bbb0 fffff800`00120000 fffff880`0540ccf0 fffff880`0540cc00 : nt!AlpcpProcessSynchronousRequest+0x33d
fffff880`0540c8f0 fffff800`01682f93 : fffffa80`0694fb60 fffff880`0540ca90 00000000`00000000 00000000`00000000 : nt!NtAlpcSendWaitReceivePort+0x1ab
fffff880`0540c9a0 fffff800`0167f530 : fffff800`01a717b6 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`0540ca10)
fffff880`0540cba8 fffff800`01a717b6 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiServiceLinkage
fffff880`0540cbb0 fffff800`019c5981 : 00000000`80010001 fffffa80`04cbc780 00000000`00000000 00000000`00000000 : nt!DbgkpSendErrorMessage+0x266
fffff880`0540ccd0 fffff800`016cf6bc : fffff880`0540da00 fffff880`0540d340 fffff880`0540dc20 00000000`00000002 : nt! ?? ::NNGAKEGL::`string'+0x35d28
fffff880`0540ce10 fffff800`016d19ac : fffff880`0540da00 fffff880`0540da00 fffff880`0540dc20 fffff880`0540d4e0 : nt! ?? ::FNODOBFM::`string'+0x49961
fffff880`0540d4b0 fffff800`016859fb : fffff880`0540da00 fffffa80`0694fb60 00000000`754f867b 00000000`00000000 : nt!KiRaiseException+0x1b4
fffff880`0540dae0 fffff800`01682f93 : 00000000`00000001 fffffa80`0694fb60 00000000`00369e01 00000000`7ee81000 : nt!NtRaiseException+0x7b
fffff880`0540dc20 00000000`754fc9f1 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`0540dc20)
00000000`14c0e120 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x754fc9f1
0: kd> !alpc /m fffff8a00d7492c0
Message @ fffff8a00d7492c0
  MessageID             : 0x0584 (1412)
  CallbackID            : 0x240B6D1 (37795537)
  SequenceNumber        : 0x00000001 (1)
  Type                  : LPC_EXCEPTION
  DataLength            : 0x00E8 (232)
  TotalLength           : 0x0110 (272)
  Canceled              : No
  Release               : No
  ReplyWaitReply        : No
  Continuation          : Yes
  OwnerPort             : fffffa8008d3bbb0 [ALPC_CLIENT_COMMUNICATION_PORT]
  WaitingThread         : fffffa800694fb60
  QueueType             : ALPC_MSGQUEUE_PENDING
  QueuePort             : fffffa8007e79090 [ALPC_CONNECTION_PORT]
  QueuePortOwnerProcess : fffffa8007b82b30 (svchost.exe)
  ServerThread          : fffffa8006b937c0
  QuotaCharged          : No
  CancelQueuePort       : 0000000000000000
  CancelSequencePort    : 0000000000000000
  CancelSequenceNumber  : 0x00000000 (0)
  ClientContext         : 0000000000000000
  ServerContext         : 0000000000000000
  PortContext           : d8000000000f5c76
  CancelPortContext     : 0000000000000000
  SecurityData          : 0000000000000000
  View                  : 0000000000000000
0: kd> .thread fffffa8006b937c0
Implicit thread is now fffffa80`06b937c0
0: kd> !thread fffffa8006b937c0
THREAD fffffa8006b937c0  Cid 1e8c.220c  Teb: 000007fffffae000 Win32Thread: 0000000000000000 WAIT: (WrLpcReceive) UserMode Non-Alertable
    fffffa8006b93b80  Semaphore Limit 0x1
Not impersonating
DeviceMap                 fffff8a000006110
Owning Process            fffffa8007b82b30       Image:         svchost.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      16312516
Context Switch Count      1755
UserTime                  00:00:00.000
KernelTime                00:00:00.000
Win32 Start Address 0x000007feefe94c88
Stack Init fffff88007af2db0 Current fffff88007af2750
Base fffff88007af3000 Limit fffff88007aed000 Call 0
Priority 8 BasePriority 8 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
Child-SP          RetAddr           : Args to Child                                                           : Call Site
fffff880`07af2790 fffff800`01688f92 : fffffa80`06b937c0 fffffa80`06b937c0 00000000`00000000 fffff8a0`00000001 : nt!KiSwapContext+0x7a
fffff880`07af28d0 fffff800`0168b7af : 00000000`00000000 fffff800`016cf8dc 00000000`000000c4 00000000`00000000 : nt!KiCommitThreadWait+0x1d2
fffff880`07af2960 fffff800`0198fc19 : 00000000`00000000 00000000`00000010 00000000`00000001 00000000`00000000 : nt!KeWaitForSingleObject+0x19f
fffff880`07af2a00 fffff800`0198f69c : 00000000`00000000 00000000`00000001 00000000`00000000 00000000`00000000 : nt!AlpcpReceiveMessagePort+0x189
fffff880`07af2a60 fffff800`01990a36 : fffffa80`07e79090 00000000`00000000 00000000`00000000 fffffa80`07e79090 : nt!AlpcpReceiveMessage+0x2d9
fffff880`07af2b00 fffff800`01682f93 : fffffa80`06b937c0 fffff880`07af2ca0 00000000`00c1f048 fffff880`07af2ca0 : nt!NtAlpcSendWaitReceivePort+0x1e6
fffff880`07af2bb0 00000000`77bf1b6a : 00364bfb`002cf47b 00364bfc`002cf47c 00364c02`002cf482 00364c1a`002cf49a : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`07af2c20)
00000000`00c1f028 00364bfb`002cf47b : 00364bfc`002cf47c 00364c02`002cf482 00364c1a`002cf49a 00364c28`002cf4a8 : ntdll!ZwAlpcSendWaitReceivePort+0xa
00000000`00c1f030 00364bfc`002cf47c : 00364c02`002cf482 00364c1a`002cf49a 00364c28`002cf4a8 00364c32`002cf4b2 : 0x364bfb`002cf47b
00000000`00c1f038 00364c02`002cf482 : 00364c1a`002cf49a 00364c28`002cf4a8 00364c32`002cf4b2 00364afc`002cf4c4 : 0x364bfc`002cf47c
00000000`00c1f040 00364c1a`002cf49a : 00364c28`002cf4a8 00364c32`002cf4b2 00364afc`002cf4c4 00364b06`002cf4ce : 0x364c02`002cf482
00000000`00c1f048 00364c28`002cf4a8 : 00364c32`002cf4b2 00364afc`002cf4c4 00364b06`002cf4ce 00364b1a`002cf4e2 : 0x364c1a`002cf49a
00000000`00c1f050 00364c32`002cf4b2 : 00364afc`002cf4c4 00364b06`002cf4ce 00364b1a`002cf4e2 00364b24`002cf4ec : 0x364c28`002cf4a8
00000000`00c1f058 00364afc`002cf4c4 : 00364b06`002cf4ce 00364b1a`002cf4e2 00364b24`002cf4ec 00364b44`002cf50c : 0x364c32`002cf4b2
00000000`00c1f060 00364b06`002cf4ce : 00364b1a`002cf4e2 00364b24`002cf4ec 00364b44`002cf50c 00364b4f`002cf517 : 0x364afc`002cf4c4
00000000`00c1f068 00364b1a`002cf4e2 : 00364b24`002cf4ec 00364b44`002cf50c 00364b4f`002cf517 00364b56`002cf51e : 0x364b06`002cf4ce
00000000`00c1f070 00364b24`002cf4ec : 00364b44`002cf50c 00364b4f`002cf517 00364b56`002cf51e 00364b5d`002cf525 : 0x364b1a`002cf4e2
00000000`00c1f078 00364b44`002cf50c : 00364b4f`002cf517 00364b56`002cf51e 00364b5d`002cf525 00364b67`002cf52f : 0x364b24`002cf4ec
00000000`00c1f080 00364b4f`002cf517 : 00364b56`002cf51e 00364b5d`002cf525 00364b67`002cf52f 00364b6c`002cf534 : 0x364b44`002cf50c
00000000`00c1f088 00364b56`002cf51e : 00364b5d`002cf525 00364b67`002cf52f 00364b6c`002cf534 00364b72`002cf53a : 0x364b4f`002cf517
00000000`00c1f090 00364b5d`002cf525 : 00364b67`002cf52f 00364b6c`002cf534 00364b72`002cf53a 0035797c`002cf548 : 0x364b56`002cf51e
00000000`00c1f098 00364b67`002cf52f : 00364b6c`002cf534 00364b72`002cf53a 0035797c`002cf548 0039a8d0`002cf560 : 0x364b5d`002cf525
00000000`00c1f0a0 00364b6c`002cf534 : 00364b72`002cf53a 0035797c`002cf548 0039a8d0`002cf560 0039a8d8`002cf568 : 0x364b67`002cf52f
00000000`00c1f0a8 00364b72`002cf53a : 0035797c`002cf548 0039a8d0`002cf560 0039a8d8`002cf568 0039a8de`002cf56e : 0x364b6c`002cf534
00000000`00c1f0b0 0035797c`002cf548 : 0039a8d0`002cf560 0039a8d8`002cf568 0039a8de`002cf56e 0039a8e6`002cf576 : 0x364b72`002cf53a
00000000`00c1f0b8 0039a8d0`002cf560 : 0039a8d8`002cf568 0039a8de`002cf56e 0039a8e6`002cf576 0039a8ec`002cf57c : 0x35797c`002cf548
00000000`00c1f0c0 0039a8d8`002cf568 : 0039a8de`002cf56e 0039a8e6`002cf576 0039a8ec`002cf57c 0039a8f4`002cf584 : 0x39a8d0`002cf560
00000000`00c1f0c8 0039a8de`002cf56e : 0039a8e6`002cf576 0039a8ec`002cf57c 0039a8f4`002cf584 0039a8fa`002cf58a : 0x39a8d8`002cf568
00000000`00c1f0d0 0039a8e6`002cf576 : 0039a8ec`002cf57c 0039a8f4`002cf584 0039a8fa`002cf58a 0039a902`002cf592 : 0x39a8de`002cf56e
00000000`00c1f0d8 0039a8ec`002cf57c : 0039a8f4`002cf584 0039a8fa`002cf58a 0039a902`002cf592 0039a908`002cf598 : 0x39a8e6`002cf576
00000000`00c1f0e0 0039a8f4`002cf584 : 0039a8fa`002cf58a 0039a902`002cf592 0039a908`002cf598 0039a911`002cf5a1 : 0x39a8ec`002cf57c
00000000`00c1f0e8 0039a8fa`002cf58a : 0039a902`002cf592 0039a908`002cf598 0039a911`002cf5a1 0039a919`002cf5a9 : 0x39a8f4`002cf584
00000000`00c1f0f0 0039a902`002cf592 : 0039a908`002cf598 0039a911`002cf5a1 0039a919`002cf5a9 0039a920`002cf5af : 0x39a8fa`002cf58a
00000000`00c1f0f8 0039a908`002cf598 : 0039a911`002cf5a1 0039a919`002cf5a9 0039a920`002cf5af 0039a925`002cf5b4 : 0x39a902`002cf592
00000000`00c1f100 0039a911`002cf5a1 : 0039a919`002cf5a9 0039a920`002cf5af 0039a925`002cf5b4 0039a92f`002cf5be : 0x39a908`002cf598
00000000`00c1f108 0039a919`002cf5a9 : 0039a920`002cf5af 0039a925`002cf5b4 0039a92f`002cf5be 0039a93c`002cf5cb : 0x39a911`002cf5a1
00000000`00c1f110 0039a920`002cf5af : 0039a925`002cf5b4 0039a92f`002cf5be 0039a93c`002cf5cb 0039a955`002cf5e4 : 0x39a919`002cf5a9
00000000`00c1f118 0039a925`002cf5b4 : 0039a92f`002cf5be 0039a93c`002cf5cb 0039a955`002cf5e4 0039a95e`002cf5ed : 0x39a920`002cf5af
00000000`00c1f120 0039a92f`002cf5be : 0039a93c`002cf5cb 0039a955`002cf5e4 0039a95e`002cf5ed 0039a969`002cf5f8 : 0x39a925`002cf5b4
00000000`00c1f128 0039a93c`002cf5cb : 0039a955`002cf5e4 0039a95e`002cf5ed 0039a969`002cf5f8 0039a96d`002cf5fc : 0x39a92f`002cf5be
I can roughly follow it up to here; past this point I don't know how to read it. This svchost has 5 threads in total, and another one looks like the one above; I don't know what it is doing, and it feels like the stack is nearly exhausted.
0: kd> !process fffffa8007b82b30
PROCESS fffffa8007b82b30
    SessionId: 0  Cid: 1e8c    Peb: 7fffffda000  ParentCid: 01ec
    DirBase: 76373000  ObjectTable: fffff8a005c89110  HandleCount:  85.
    Image: svchost.exe
    VadRoot fffffa800532bef0 Vads 59 Clone 0 Private 316. Modified 0. Locked 0.
    DeviceMap fffff8a000006110
    Token                             fffff8a00c08ea40
    ElapsedTime                       1 Day 03:52:52.918
    UserTime                          00:00:00.000
    KernelTime                        00:00:00.000
    QuotaPoolUsage[PagedPool]         0
    QuotaPoolUsage[NonPagedPool]      0
    Working Set Sizes (now,min,max)  (1008, 50, 345) (4032KB, 200KB, 1380KB)
    PeakWorkingSetSize                1033
    VirtualSize                       42 Mb
    PeakVirtualSize                   43 Mb
    PageFaultCount                    1064
    MemoryPriority                    BACKGROUND
    BasePriority                      8
    CommitCharge                      396

THREAD fffffa800854d060  Cid 1e8c.119c  Teb: 000007fffffde000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
    fffffa8008022d50  SynchronizationEvent
Not impersonating
DeviceMap                 fffff8a000006110
Owning Process            fffffa8007b82b30       Image:         svchost.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      10895488       Ticks: 5385787 (0:23:22:32.921)
Context Switch Count      16
UserTime                  00:00:00.000
KernelTime                00:00:00.015
Win32 Start Address 0x00000000ff74246c
Stack Init fffff8800782cdb0 Current fffff8800782c900
Base fffff8800782d000 Limit fffff88007827000 Call 0
Priority 9 BasePriority 8 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
Kernel stack not resident.
Child-SP          RetAddr           Call Site
fffff880`0782c940 fffff800`01688f92 nt!KiSwapContext+0x7a
fffff880`0782ca80 fffff800`0168b7af nt!KiCommitThreadWait+0x1d2
fffff880`0782cb10 fffff800`01979b2e nt!KeWaitForSingleObject+0x19f
fffff880`0782cbb0 fffff800`01682f93 nt!NtWaitForSingleObject+0xde
fffff880`0782cc20 00000000`77bf135a nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`0782cc20)
00000000`000ff918 00000000`00000000 ntdll!NtWaitForSingleObject+0xa

THREAD fffffa8007c83060  Cid 1e8c.23e8  Teb: 000007fffffd8000 Win32Thread: fffff900c224c010 WAIT: (UserRequest) UserMode Non-Alertable
    fffffa8006d94b30  ProcessObject
Not impersonating
DeviceMap                 fffff8a000006110
Owning Process            fffffa8007b82b30       Image:         svchost.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      9857430        Ticks: 6423845 (1:03:52:52.578)
Context Switch Count      275            LargeStack
UserTime                  00:00:00.000
KernelTime                00:00:00.046
Win32 Start Address ntdll!TppWorkerThread (0x0000000077bbfbc0)
Stack Init fffff88007c84db0 Current fffff88007c84900
Base fffff88007c85000 Limit fffff88007c7c000 Call 0
Priority 9 BasePriority 8 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
Kernel stack not resident.
Child-SP          RetAddr           Call Site
fffff880`07c84940 fffff800`01688f92 nt!KiSwapContext+0x7a
fffff880`07c84a80 fffff800`0168b7af nt!KiCommitThreadWait+0x1d2
fffff880`07c84b10 fffff800`01979b2e nt!KeWaitForSingleObject+0x19f
fffff880`07c84bb0 fffff800`01682f93 nt!NtWaitForSingleObject+0xde
fffff880`07c84c20 00000000`77bf135a nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`07c84c20)
00000000`005aec18 0013ec00`0013eea1 ntdll!NtWaitForSingleObject+0xa
00000000`005aec20 00000000`0013e6e0 0x13ec00`0013eea1
00000000`005aec28 00000000`00000000 0x13e6e0

THREAD fffffa80050b29d0  Cid 1e8c.1f04  Teb: 000007fffffd4000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Alertable
    fffffa8006b11060  SynchronizationTimer
    fffffa8006246550  NotificationEvent
    fffffa8007739890  SynchronizationTimer
    fffffa8006c2b230  SynchronizationTimer
Not impersonating
DeviceMap                 fffff8a000006110
Owning Process            fffffa8007b82b30       Image:         svchost.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      9863169        Ticks: 6418106 (1:03:51:22.906)
Context Switch Count      4
UserTime                  00:00:00.000
KernelTime                00:00:00.000
Win32 Start Address ntdll!TppWaiterpThread (0x0000000077bbaec0)
Stack Init fffff88007a94db0 Current fffff88007a93fc0
Base fffff88007a95000 Limit fffff88007a8f000 Call 0
Priority 9 BasePriority 8 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
Kernel stack not resident.
Child-SP          RetAddr           Call Site
fffff880`07a94000 fffff800`01688f92 nt!KiSwapContext+0x7a
fffff880`07a94140 fffff800`016884aa nt!KiCommitThreadWait+0x1d2
fffff880`07a941d0 fffff800`01979e5f nt!KeWaitForMultipleObjects+0x272
fffff880`07a94490 fffff800`0197a1ce nt!ObpWaitForMultipleObjects+0x294
fffff880`07a94960 fffff800`01682f93 nt!NtWaitForMultipleObjects+0xe5
fffff880`07a94bb0 00000000`77bf18ca nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`07a94c20)
00000000`00b2f988 000d6e3c`00037503 ntdll!NtWaitForMultipleObjects+0xa
00000000`00b2f990 000d6e44`0003750b 0xd6e3c`00037503
00000000`00b2f998 000d6e65`0003752c 0xd6e44`0003750b
00000000`00b2f9a0 000d6e7d`00037544 0xd6e65`0003752c
00000000`00b2f9a8 000d6e88`0003754f 0xd6e7d`00037544
00000000`00b2f9b0 000d6e98`0003755b 0xd6e88`0003754f
00000000`00b2f9b8 000d6ea6`00037565 0xd6e98`0003755b
00000000`00b2f9c0 000d6ec7`00037586 0xd6ea6`00037565
00000000`00b2f9c8 000d6ed0`0003758f 0xd6ec7`00037586
00000000`00b2f9d0 000d6ed7`00037596 0xd6ed0`0003758f
00000000`00b2f9d8 000d6ee9`000375a8 0xd6ed7`00037596
00000000`00b2f9e0 000d6f01`000375c0 0xd6ee9`000375a8
00000000`00b2f9e8 000d6f16`000375d5 0xd6f01`000375c0
00000000`00b2f9f0 000d6f37`000375f6 0xd6f16`000375d5
00000000`00b2f9f8 000d6f46`00037605 0xd6f37`000375f6
00000000`00b2fa00 000d6f5c`0003761b 0xd6f46`00037605
00000000`00b2fa08 000d6f64`00037623 0xd6f5c`0003761b
00000000`00b2fa10 000d6f73`00037632 0xd6f64`00037623
00000000`00b2fa18 000d6f87`00037646 0xd6f73`00037632
00000000`00b2fa20 000d6f8a`00037649 0xd6f87`00037646
00000000`00b2fa28 000d6f96`00037655 0xd6f8a`00037649
00000000`00b2fa30 000d6f9f`0003765e 0xd6f96`00037655
00000000`00b2fa38 000d6fa7`00037666 0xd6f9f`0003765e
00000000`00b2fa40 000d6fa9`00037668 0xd6fa7`00037666
00000000`00b2fa48 000d6fab`0003766a 0xd6fa9`00037668
00000000`00b2fa50 000d6fb2`00037671 0xd6fab`0003766a
00000000`00b2fa58 000d6fba`00037679 0xd6fb2`00037671
00000000`00b2fa60 000d6fc1`00037680 0xd6fba`00037679
00000000`00b2fa68 000d6fcc`0003768b 0xd6fc1`00037680
00000000`00b2fa70 000d6fd4`00037693 0xd6fcc`0003768b
00000000`00b2fa78 000d6ff5`000376b4 0xd6fd4`00037693
00000000`00b2fa80 000d7000`000376bf 0xd6ff5`000376b4
00000000`00b2fa88 000d700d`000376cc 0xd7000`000376bf
00000000`00b2fa90 000d7011`000376d0 0xd700d`000376cc

THREAD fffffa8006b937c0  Cid 1e8c.220c  Teb: 000007fffffae000 Win32Thread: 0000000000000000 WAIT: (WrLpcReceive) UserMode Non-Alertable
    fffffa8006b93b80  Semaphore Limit 0x1
Not impersonating
DeviceMap                 fffff8a000006110
Owning Process            fffffa8007b82b30       Image:         svchost.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      16312516
Context Switch Count      1755
UserTime                  00:00:00.000
KernelTime                00:00:00.000
Win32 Start Address 0x000007feefe94c88
Stack Init fffff88007af2db0 Current fffff88007af2750
Base fffff88007af3000 Limit fffff88007aed000 Call 0
Priority 8 BasePriority 8 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
Child-SP          RetAddr           Call Site
fffff880`07af2790 fffff800`01688f92 nt!KiSwapContext+0x7a
fffff880`07af28d0 fffff800`0168b7af nt!KiCommitThreadWait+0x1d2
fffff880`07af2960 fffff800`0198fc19 nt!KeWaitForSingleObject+0x19f
fffff880`07af2a00 fffff800`0198f69c nt!AlpcpReceiveMessagePort+0x189
fffff880`07af2a60 fffff800`01990a36 nt!AlpcpReceiveMessage+0x2d9
fffff880`07af2b00 fffff800`01682f93 nt!NtAlpcSendWaitReceivePort+0x1e6
fffff880`07af2bb0 00000000`77bf1b6a nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`07af2c20)
00000000`00c1f028 00364bfb`002cf47b ntdll!ZwAlpcSendWaitReceivePort+0xa
00000000`00c1f030 00364bfc`002cf47c 0x364bfb`002cf47b
00000000`00c1f038 00364c02`002cf482 0x364bfc`002cf47c
00000000`00c1f040 00364c1a`002cf49a 0x364c02`002cf482
00000000`00c1f048 00364c28`002cf4a8 0x364c1a`002cf49a
00000000`00c1f050 00364c32`002cf4b2 0x364c28`002cf4a8
00000000`00c1f058 00364afc`002cf4c4 0x364c32`002cf4b2
00000000`00c1f060 00364b06`002cf4ce 0x364afc`002cf4c4
00000000`00c1f068 00364b1a`002cf4e2 0x364b06`002cf4ce
00000000`00c1f070 00364b24`002cf4ec 0x364b1a`002cf4e2
00000000`00c1f078 00364b44`002cf50c 0x364b24`002cf4ec
00000000`00c1f080 00364b4f`002cf517 0x364b44`002cf50c
00000000`00c1f088 00364b56`002cf51e 0x364b4f`002cf517
00000000`00c1f090 00364b5d`002cf525 0x364b56`002cf51e
00000000`00c1f098 00364b67`002cf52f 0x364b5d`002cf525
00000000`00c1f0a0 00364b6c`002cf534 0x364b67`002cf52f
00000000`00c1f0a8 00364b72`002cf53a 0x364b6c`002cf534
00000000`00c1f0b0 0035797c`002cf548 0x364b72`002cf53a
00000000`00c1f0b8 0039a8d0`002cf560 0x35797c`002cf548
00000000`00c1f0c0 0039a8d8`002cf568 0x39a8d0`002cf560
00000000`00c1f0c8 0039a8de`002cf56e 0x39a8d8`002cf568
00000000`00c1f0d0 0039a8e6`002cf576 0x39a8de`002cf56e
00000000`00c1f0d8 0039a8ec`002cf57c 0x39a8e6`002cf576
00000000`00c1f0e0 0039a8f4`002cf584 0x39a8ec`002cf57c
00000000`00c1f0e8 0039a8fa`002cf58a 0x39a8f4`002cf584
00000000`00c1f0f0 0039a902`002cf592 0x39a8fa`002cf58a
00000000`00c1f0f8 0039a908`002cf598 0x39a902`002cf592
00000000`00c1f100 0039a911`002cf5a1 0x39a908`002cf598
00000000`00c1f108 0039a919`002cf5a9 0x39a911`002cf5a1
00000000`00c1f110 0039a920`002cf5af 0x39a919`002cf5a9
00000000`00c1f118 0039a925`002cf5b4 0x39a920`002cf5af
00000000`00c1f120 0039a92f`002cf5be 0x39a925`002cf5b4
00000000`00c1f128 0039a93c`002cf5cb 0x39a92f`002cf5be

THREAD fffffa8007bbf060  Cid 1e8c.11a0  Teb: 000007fffffd6000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
    fffffa8008db8240  QueueObject
Not impersonating
DeviceMap                 fffff8a000006110
Owning Process            fffffa8007b82b30       Image:         svchost.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      16311264
Context Switch Count      1269
UserTime                  00:00:00.000
KernelTime                00:00:00.000
Win32 Start Address ntdll!TppWorkerThread (0x0000000077bbfbc0)
Stack Init fffff88008cb7db0 Current fffff88008cb77c0
Base fffff88008cb8000 Limit fffff88008cb2000 Call 0
Priority 8 BasePriority 8 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
Child-SP          RetAddr           Call Site
fffff880`08cb7800 fffff800`01688f92 nt!KiSwapContext+0x7a
fffff880`08cb7940 fffff800`0168bff3 nt!KiCommitThreadWait+0x1d2
fffff880`08cb79d0 fffff800`0196bd07 nt!KeRemoveQueueEx+0x323
fffff880`08cb7a90 fffff800`0166fbb6 nt!IoRemoveIoCompletion+0x47
fffff880`08cb7b20 fffff800`01682f93 nt!NtWaitForWorkViaWorkerFactory+0x285
fffff880`08cb7c20 00000000`77bf2c1a nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`08cb7c20)
00000000`0147f5f8 00000000`00000000 ntdll!ZwWaitForWorkViaWorkerFactory+0xa
0: kd> .thread fffffa8007bbf060
Implicit thread is now fffffa80`07bbf060
0: kd> kv ffff
Memory  Child-SP          RetAddr           : Args to Child                                                           : Call Site
        fffff880`08cb7800 fffff800`01688f92 : fffffa80`07bbf060 fffffa80`07bbf060 fffffa80`00000000 00000000`00000001 : nt!KiSwapContext+0x7a
    140 fffff880`08cb7940 fffff800`0168bff3 : fffffa80`066d47c8 fffffa80`066d47f1 00000000`000000e0 ffffffff`fffffffb : nt!KiCommitThreadWait+0x1d2
     90 fffff880`08cb79d0 fffff800`0196bd07 : 00000000`77ca4600 fffff800`01bf4b01 fffffa80`06b76101 00000000`00001000 : nt!KeRemoveQueueEx+0x323
     c0 fffff880`08cb7a90 fffff800`0166fbb6 : 00000000`00000000 fffff880`08cb7ba8 fffff880`08cb7bc8 00000000`00000001 : nt!IoRemoveIoCompletion+0x47
     90 fffff880`08cb7b20 fffff800`01682f93 : fffffa80`07bbf060 00000000`77ca45c0 fffff880`00000102 fffffa80`08022d50 : nt!NtWaitForWorkViaWorkerFactory+0x285
    100 fffff880`08cb7c20 00000000`77bf2c1a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`08cb7c20)
        00000000`0147f5f8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!ZwWaitForWorkViaWorkerFactory+0xa
If I want to find out what went wrong with svchost, how should I continue the analysis from here?
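The size miscalculation the post describes is visible in its kv output as memcpy's third argument, fffffffe: an unsigned length that underflowed, which is why rep movs kept writing until edi reached the unmapped page at the top of the stack. The following is an added example (not the poster's code or the ExcepApp program) modelling one common way such a value arises, a length header that counts itself minus the header size in 32-bit unsigned arithmetic, beside a checked version that rejects the record instead of handing memcpy a length it cannot satisfy; the record format, function names and sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed record format (not the poster's): a 2-byte little-endian length
 * header that counts itself, then the payload, so payload length = header - 2.
 * A header of 0 or 1 wraps that subtraction in 32-bit unsigned arithmetic to
 * 0xfffffffe / 0xffffffff: the kind of value memcpy received in the post. */
#define PAYLOAD_MAX 64u   /* capacity of the stack buffer the payload lands in */

static uint32_t rd16le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8);
}

/* Bug pattern: unchecked length arithmetic (computation only, nothing copied). */
uint32_t payload_len_unchecked(const uint8_t *rec) {
    return rd16le(rec) - 2u;                     /* wraps when header < 2 */
}

/* Hardened version: payload length, or -1 for any record that would underflow,
 * over-read the input, or overrun the stack buffer. */
int payload_len_checked(const uint8_t *rec, size_t avail) {
    if (avail < 2) return -1;                    /* no complete header */
    uint32_t hdr = rd16le(rec);
    if (hdr < 2) return -1;                      /* header - 2 would wrap */
    uint32_t len = hdr - 2u;
    if (len > avail - 2) return -1;              /* source would be over-read */
    if (len > PAYLOAD_MAX) return -1;            /* destination would be overrun */
    return (int)len;
}

/* Walks a byte stream, copying each well-formed payload into a fixed stack
 * buffer with a bounded memcpy. Returns the number of records accepted and
 * sets *rejected to 1 if parsing stopped on a malformed record. */
int process_records(const uint8_t *buf, size_t n, int *rejected) {
    uint8_t payload[PAYLOAD_MAX];
    size_t off = 0;
    int accepted = 0;
    *rejected = 0;
    while (off < n) {
        int len = payload_len_checked(buf + off, n - off);
        if (len < 0) {                           /* malformed: stop, do not guess */
            *rejected = 1;
            break;
        }
        memcpy(payload, buf + off + 2, (size_t)len);   /* len <= PAYLOAD_MAX */
        accepted++;
        off += 2 + (size_t)len;
    }
    return accepted;
}

/* Constructed sample stream: two valid records, then a zero header that the
 * unchecked code would turn into memcpy(dst, src, 0xfffffffe). */
const uint8_t SAMPLE[] = {
    0x05, 0x00, 'a', 'b', 'c',                   /* header 5 -> 3 payload bytes */
    0x03, 0x00, 'x',                             /* header 3 -> 1 payload byte  */
    0x00, 0x00, 'z', 'z'                         /* header 0 -> underflow       */
};
const size_t SAMPLE_LEN = sizeof SAMPLE;

int main(void) {
    int rejected = 0;
    int ok = process_records(SAMPLE, SAMPLE_LEN, &rejected);
    printf("unchecked length for the bad record: 0x%08x\n", (unsigned)payload_len_unchecked(SAMPLE + 8));
    printf("accepted %d record(s); stopped on a malformed record: %d\n", ok, rejected);
    return 0;
}
```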