Reading Notebook: 10-March-10
Comments in italics are mine and express my own views, thoughts and opinions
Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:
W32THREAD (p. 371) - One candidate in _ETHREAD that points to it is Tcb.Win32Thread. One interesting code I found on how to extract window message queues from it: http://www.cc.gatech.edu/~brendan/volatility/dl/threadqueues.py. _W32THREAD structure on x64 W2K8 (we also see that is points to _ETHREAD):
0: kd> dt _W32THREAD
win32k!_W32THREAD
+0x000 pEThread : Ptr64 _ETHREAD
+0x008 RefCount : Uint4B
+0x010 ptlW32 : Ptr64 _TL
+0x018 pgdiDcattr : Ptr64 Void
+0x020 pgdiBrushAttr : Ptr64 Void
+0x028 pUMPDObjs : Ptr64 Void
+0x030 pUMPDHeap : Ptr64 Void
+0x038 pUMPDObj : Ptr64 Void
+0x040 pProxyPort : Ptr64 Void
+0x048 pClientID : Ptr64 Void
+0x050 GdiTmpTgoList : _LIST_ENTRY
!thread output fields (p. 376) - Stack Base and Limit fields can be useful to dump raw stack data via dps command to see execution residue or when reconstructing stack trace, see, for example, this pattern: http://www.dumpanalysis.org/blog/index.php/2009/10/23/crash-dump-analysis-patterns-part-88/
tlist utility (p. 377)
Thread creation calls (pp. 380 - 381) - a condensed view of top level function calls on x64 W2K8:
0: kd> uf /c CreateThread
kernel32!CreateThread (00000000`7731c1c0)
kernel32!CreateThread+0x28 (00000000`7731c1e8):
call to kernel32!CreateRemoteThread (00000000`7731c200)
0: kd> uf /c CreateRemoteThread
Flow analysis was incomplete, some code may be missing
kernel32!CreateRemoteThread (00000000`7731c200)
kernel32!CreateRemoteThread+0x134 (00000000`7731c334):
call to ntdll!NtCreateThreadEx (00000000`77477790)
kernel32!CreateRemoteThread+0×166 (00000000`7731c366):
call to ntdll!RtlAllocateActivationContextStack (00000000`77456900)
kernel32!CreateRemoteThread+0×1b4 (00000000`7731c3b4):
call to ntdll!RtlQueryInformationActivationContext (00000000`77456b20)
kernel32!CreateRemoteThread+0×241 (00000000`7731c441):
call to ntdll!CsrClientCallServer (00000000`7747a460)
kernel32!CreateRemoteThread+0×281 (00000000`7731c47d):
call to ntdll!ZwResumeThread (00000000`77477230)
kernel32!CreateRemoteThread+0×38b (00000000`7731c4ae):
call to kernel32!_security_check_cookie (00000000`7732c200)
0: kd> uf /c NtCreateThreadEx
ntdll!NtCreateThreadEx (00000000`77477790)
no calls found
0: kd> uf NtCreateThreadEx
ntdll!NtCreateThreadEx:
00000000`77477790 4c8bd1 mov r10,rcx
00000000`77477793 b8a5000000 mov eax,0A5h
00000000`77477798 0f05 syscall
00000000`7747779a c3 ret
0: kd> uf /c nt!NtCreateThreadEx
nt!NtCreateThreadEx (fffff800`01af60fc)
nt!NtCreateThreadEx+0x3d (fffff800`01af6139):
call to nt!memset (fffff800`0187a4d0)
nt!NtCreateThreadEx+0x5b (fffff800`01af6157):
call to nt!memset (fffff800`0187a4d0)
nt!NtCreateThreadEx+0x99 (fffff800`01af6195):
call to nt!memset (fffff800`0187a4d0)
nt!NtCreateThreadEx+0xc8 (fffff800`01af61c4):
call to nt!PspBuildCreateProcessContext (fffff800`01af5204)
nt!NtCreateThreadEx+0x1e1 (fffff800`01af62dd):
call to nt!PspCreateThread (fffff800`01af5d40)
nt!NtCreateThreadEx+0×1f0 (fffff800`01af62ec):
call to nt!PspDeleteCreateProcessContext (fffff800`01af68f0)
0: kd> uf /c nt!PspCreateThread
nt!PspCreateThread (fffff800`01af5d40)
nt!PspCreateThread+0x102 (fffff800`01af5e42):
call to nt!ObReferenceObjectByHandle (fffff800`01ad8110)
nt!PspCreateThread+0x15b (fffff800`01af5e9b):
call to nt!ObfReferenceObject (fffff800`01883250)
nt!PspCreateThread+0x22f (fffff800`01af5f6f):
call to nt!PspAllocateThread (fffff800`01af6338)
nt!PspCreateThread+0x243 (fffff800`01af5f83):
call to nt!ObfDereferenceObject (fffff800`0187cde0)
nt!PspCreateThread+0x2a6 (fffff800`01af5fe6):
call to nt!PspInsertThread (fffff800`01af4c10)
nt!PspCreateThread+0x318 (fffff800`01af6058):
call to nt!ObfDereferenceObject (fffff800`0187cde0)
nt!PspCreateThread+0x32a (fffff800`01af606a):
call to nt!_security_check_cookie (fffff800`01895e50)
nt!PspCreateThread+0x36a (fffff800`01af60aa):
call to nt!ObfReferenceObject (fffff800`01883250)
nt!PspCreateThread+0x3a2 (fffff800`01af60e2):
call to nt!ExfAcquireRundownProtection (fffff800`0184f66c)
nt! ?? ::NNGAKEGL::`string'+0x2816e (fffff800`01b3628e):
call to nt!KiCheckForKernelApcDelivery (fffff800`0183c754)
nt! ?? ::NNGAKEGL::`string'+0x281ad (fffff800`01b362ca):
call to nt!ExfReleaseRundownProtection (fffff800`0184f690)
nt! ?? ::NNGAKEGL::`string'+0x281ce (fffff800`01b362eb):
call to nt!KiCheckForKernelApcDelivery (fffff800`0183c754)
nt! ?? ::NNGAKEGL::`string'+0x281d8 (fffff800`01b362f5):
call to nt!ObfDereferenceObject (fffff800`0187cde0)
nt! ?? ::NNGAKEGL::`string'+0x281e7 (fffff800`01b36304):
call to nt!ExfReleaseRundownProtection (fffff800`0184f690)
nt! ?? ::NNGAKEGL::`string'+0x281ff (fffff800`01b3631c):
call to nt!KiCheckForKernelApcDelivery (fffff800`0183c754)
nt! ?? ::NNGAKEGL::`string'+0x2821a (fffff800`01b36337):
call to nt!PspTerminateThreadByPointer (fffff800`01ad30dc)