Kernel stack not resident (Using .pagein)

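This article explains in detail how to use kd commands when a memory page has been paged out during debugging, so that the needed information can be obtained from both the kernel side and the user side. It covers using kd commands to locate the thread, the paged-out kernel stack, the wait state and other key information, and how to bring the memory page in with the .pagein command so that debugging can continue.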


You might find yourself debugging an issue where a thread you are interested in is paged out. Here are the steps to page in the stack for the kernel side and the user side. Be careful when doing this on a live machine that you want to release after debugging, as paging in certain sections of memory can cause it to bugcheck.

 

2: kd> !thread fffffa8004415460
THREAD fffffa8004415460  Cid 087c.0acc  Teb: 000007fffffd5000 Win32Thread: 0000000000000000 WAIT: (WrLpcReply) UserMode Non-Alertable
    fffffa80044157f0  Semaphore Limit 0x1
Waiting for reply to ALPC Message fffff88018c943f0
Impersonation token:  fffff8801d302060 (Level Impersonation)
OwningProcess           fffffa80046e5610      Image:         snmp.exe
Wait Start TickCount     367059906      Ticks: 15906005 (2:20:55:35.268) // Been waiting a while.
Context Switch Count      13819416
UserTime                 00:00:38.173
KernelTime               00:02:33.972
Win32 Start Address 0x000007fefa7724bc
Stack Init fffffa600440ddb0 Current fffffa600440d6e0
Base fffffa600440e000 Limit fffffa6004408000 Call 0
Priority 11 BasePriority 8 PriorityDecrement 1 IoPriority 2 PagePriority 5
Kernel stack not resident. // We can't see what the stack looks like: it has been waiting so long that it has been paged out.

2: kd> .pagein fffffa600440d6e0  // Grab Current from above... This will get us the kernel side...
You need to continue execution (press 'g' <enter>) for the pagein to be brought in.  When the debugger breaks in again, the page will be present.
2: kd> g
Break instruction exception - code 80000003 (first chance)
nt!DbgBreakPointWithStatus:
fffff800`0163e1d0 cc             int     3
1: kd> !thread fffffa8004415460
THREAD fffffa8004415460  Cid 087c.0acc  Teb: 000007fffffd5000 Win32Thread: 0000000000000000 WAIT: (WrLpcReply) UserMode Non-Alertable
    fffffa80044157f0  Semaphore Limit 0x1
Waiting for reply to ALPC Message fffff88018c943f0
Impersonation token:  fffff8801d302060 (Level Impersonation)
OwningProcess           fffffa80046e5610      Image:         snmp.exe
Wait Start TickCount     367059906      Ticks: 15906070 (2:20:55:36.282)
Context Switch Count      13819416
UserTime                 00:00:38.173
KernelTime               00:02:33.972
Win32 Start Address 0x000007fefa7724bc
Stack Init fffffa600440ddb0 Current fffffa600440d6e0
Base fffffa600440e000 Limit fffffa6004408000 Call 0
Priority 11 BasePriority 8 PriorityDecrement 1 IoPriority 2 PagePriority 5
Kernel stack not resident.
Child-SP          RetAddr           : Args to Child                                                           : Call Site
fffffa60`0440d720 fffff800`01647abe : fffffa60`0440da88 fffff880`18c943f0 fffffa60`0440da88 fffff880`18c943f0 : nt!KiSwapContext+0x7f
fffffa60`0440d860 fffff800`016484c5 : 00000000`00303cb0 fffffa60`0440da88 00000000`00000009 00000000`00000001 : nt!KiSwapThread+0x12e
fffffa60`0440d8c0 fffff800`01681067 : 00000000`00000000 00000000`00000011 00000000`00000001 00000000`00000000 : nt!KeWaitForSingleObject+0x5f5
fffffa60`0440d940 fffff800`018be424 : fffffa60`0440da88 00000000`00303cb0 fffffa80`04415460 00000000`00000000 : nt!AlpcpSignalAndWait+0x97
fffffa60`0440d980 fffff800`018be868 : 00000000`00000000 00000000`00000000 00000000`00303cb0 00000000`00300318 : nt!AlpcpReceiveSynchronousReply+0x44
fffffa60`0440d9e0 fffff800`018a834f : fffffa80`04352e60 fffffa80`00020000 00000000`00303cb0 00000000`00300318 : nt!AlpcpProcessSynchronousRequest+0x251
fffffa60`0440db00 fffff800`016437b3 : fffffa80`04415460 fffffa60`0440dca0 00000000`00000280 fffff800`0189c654 : nt!NtAlpcSendWaitReceivePort+0x19f
fffffa60`0440dbb0 00000000`77af4dca : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffffa60`0440dc20)
00000000`016aebc8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x77af4dca

1: kd> .pagein /p fffffa80046e5610 00000000`016aebc8 // We take the process ID of the thread (the OwningProcess value above) and the user-mode address at the bottom of the stack.
You need to continue execution (press 'g' <enter>) for the pagein to be brought in.  When the debugger breaks in again, the page will be present.
1: kd> g
Break instruction exception - code 80000003 (first chance)
nt!DbgBreakPointWithStatus:
fffff800`0163e1d0 cc             int     3

1: kd> !thread fffffa8004415460 // Voilà! Now we have the whole stack; you might need to do a .reload for symbols.
THREAD fffffa8004415460  Cid 087c.0acc  Teb: 000007fffffd5000 Win32Thread: 0000000000000000 WAIT: (WrLpcReply) UserMode Non-Alertable
    fffffa80044157f0  Semaphore Limit 0x1
Waiting for reply to ALPC Message fffff88018c943f0
Impersonation token:  fffff8801d302060 (Level Impersonation)
OwningProcess           fffffa80046e5610      Image:         snmp.exe
Wait Start TickCount     367059906      Ticks: 15906135 (2:20:55:37.296)
Context Switch Count      13819416
UserTime                 00:00:38.173
KernelTime               00:02:33.972
Win32 Start Address 0x000007fefa7724bc
Stack Init fffffa600440ddb0 Current fffffa600440d6e0
Base fffffa600440e000 Limit fffffa6004408000 Call 0
Priority 11 BasePriority 8 PriorityDecrement 1 IoPriority 2 PagePriority 5
Kernel stack not resident.
Child-SP          RetAddr           : Args to Child                                                           : Call Site
fffffa60`0440d720 fffff800`01647abe : fffffa60`0440da88 fffff880`18c943f0 fffffa60`0440da88 fffff880`18c943f0 : nt!KiSwapContext+0x7f
fffffa60`0440d860 fffff800`016484c5 : 00000000`00303cb0 fffffa60`0440da88 00000000`00000009 00000000`00000001 : nt!KiSwapThread+0x12e
fffffa60`0440d8c0 fffff800`01681067 : 00000000`00000000 00000000`00000011 00000000`00000001 00000000`00000000 : nt!KeWaitForSingleObject+0x5f5
fffffa60`0440d940 fffff800`018be424 : fffffa60`0440da88 00000000`00303cb0 fffffa80`04415460 00000000`00000000 : nt!AlpcpSignalAndWait+0x97
fffffa60`0440d980 fffff800`018be868 : 00000000`00000000 00000000`00000000 00000000`00303cb0 00000000`00300318 : nt!AlpcpReceiveSynchronousReply+0x44
fffffa60`0440d9e0 fffff800`018a834f : fffffa80`04352e60 fffffa80`00020000 00000000`00303cb0 00000000`00300318 : nt!AlpcpProcessSynchronousRequest+0x251
fffffa60`0440db00 fffff800`016437b3 : fffffa80`04415460 fffffa60`0440dca0 00000000`00000280 fffff800`0189c654 : nt!NtAlpcSendWaitReceivePort+0x19f
fffffa60`0440dbb0 00000000`77af4dca : 000007fe`fea5c72b 00000000`00001000 00000000`016aee90 00000000`01460058 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffffa60`0440dc20)
00000000`016aebc8 000007fe`fea5c72b : 00000000`00001000 00000000`016aee90 00000000`01460058 00000000`0030ed80 : ntdll!NtAlpcSendWaitReceivePort+0xa
00000000`016aebd0 000007fe`fea6c592 : 00000000`00302b50 00000000`016aef30 000007fe`fe95c8b8 00000000`00001000 : RPCRT4!LRPC_CCALL::SendReceive+0xbb
00000000`016aec50 000007fe`fea6c5e2 : 00000000`016aed00 00000000`00000000 00000000`00000000 00000000`01460058 : RPCRT4!I_RpcSendReceive+0x42
00000000`016aec80 000007fe`feafad2c : 00000000`016aef30 00000000`00000000 00000000`00000000 00000000`0030ed80 : RPCRT4!NdrSendReceive+0x32
00000000`016aecb0 000007fe`feafaef0 : 00000000`00000000 000007fe`fe95d090 00000000`00000011 00000000`016aece0 : RPCRT4!NdrpClientCall3+0x11c
00000000`016aef00 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : RPCRT4!NdrClientCall3+0x7c
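
The two-step decision walked through above (kernel stack first, then the user-mode side with .pagein /p), as an added Python example that is not part of the original post: it reads saved !thread text and returns the next .pagein command to issue. The function names, the x64 user-address bound and the "user frame without module!symbol means paged out" heuristic are assumptions; the sample lines are trimmed from the output on this page.

```python
import re

H = r"[0-9a-f]{8}`[0-9a-f]{8}"
# Child-SP, RetAddr, exactly four args, call site (LRPC_CCALL::SendReceive contains ':')
FRAME = re.compile(rf"^({H})\s+{H}\s*:\s*(?:{H}\s+){{4}}:\s*(\S.*)$", re.I | re.M)
USER_MAX = 0x00007FFFFFFFFFFF  # assumption: x64 target, user-mode addresses end here

def _num(tok):
    return int(tok.replace("`", ""), 16)

def _grab(pattern, text):
    m = re.search(pattern, text, re.I | re.M)
    if not m:
        raise ValueError(f"not found in !thread output: {pattern}")
    return m.groups()

def next_pagein(thread_text):
    """Return the next .pagein command for a saved !thread dump, or None."""
    frames = FRAME.findall(thread_text)
    if not frames:  # no stack shown at all: kernel side first
        if "Kernel stack not resident" not in thread_text:
            return None
        (current,) = _grab(r"\bCurrent\s+([0-9a-f`]+)", thread_text)
        # Anchor on the Base line: "Semaphore Limit 0x1" also contains "Limit".
        base, limit = _grab(r"^Base\s+([0-9a-f`]+)\s+Limit\s+([0-9a-f`]+)", thread_text)
        if not _num(limit) <= _num(current) < _num(base):
            raise ValueError("Current lies outside the Limit..Base stack range")
        return f".pagein {current}"
    for child_sp, call_site in frames:
        # Heuristic (assumption): a user-mode frame with no module!symbol is paged out.
        if _num(child_sp) <= USER_MAX and "!" not in call_site:
            (process,) = _grab(r"^OwningProcess\s+([0-9a-f`]+)", thread_text)
            return f".pagein /p {process} {child_sp}"
    return None

# Sample input: lines trimmed from the output on this page (args zeroed for brevity).
HEADER = """\
    fffffa80044157f0  Semaphore Limit 0x1
OwningProcess           fffffa80046e5610      Image:         snmp.exe
Stack Init fffffa600440ddb0 Current fffffa600440d6e0
Base fffffa600440e000 Limit fffffa6004408000 Call 0
Kernel stack not resident.
"""
ZERO = "00000000`00000000"
KERNEL = f"fffffa60`0440dbb0 00000000`77af4dca : {ZERO} {ZERO} {ZERO} {ZERO} : nt!KiSystemServiceCopyEnd+0x13\n"
RAW_USER = f"00000000`016aebc8 {ZERO} : {ZERO} {ZERO} {ZERO} {ZERO} : 0x77af4dca\n"
RPC_USER = f"00000000`016aebd0 000007fe`fea6c592 : {ZERO} {ZERO} {ZERO} {ZERO} : RPCRT4!LRPC_CCALL::SendReceive+0xbb\n"
if __name__ == "__main__":
    print([next_pagein(d) for d in (HEADER, HEADER + KERNEL + RAW_USER, HEADER + KERNEL + RPC_USER)])
```

The "Kernel stack not resident." line is still printed in the later !thread outputs on this page after the stack has been brought in, so the helper keys off the missing stack frames and not off that line alone.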

 
