Re: A question about the order of call function

As Tim has already mentioned, those are internals of user mode APIs;
you can step through them if you are interested in knowing about the internals.

But if that's a WinDbg-related question and you want to know if there is a
trace and summary output, you can use the wt command
(watch and trace).

The user mode component displays as follows:

0:000> g
Breakpoint 0 hit
eax=0006a9e8 ebx=00000000 ecx=0006a548 edx=7c90eb94 esi=7c810976 edi=10000080
eip=7c80180e esp=0006a594 ebp=0006a9f8 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
kernel32!ReadFile:
7c80180e 6a20 push 20h
0:000> bl
0 e 7c80180e 0001 (0001) 0:**** kernel32!ReadFile
0:000> wt
Tracing kernel32!ReadFile to return address 77d544d6
3 0 [0] kernel32!ReadFile
19 0 [1] kernel32!_SEH_prolog
35 19 [0] kernel32!ReadFile
1 0 [1] ntdll!ZwReadFile
2 0 [1] ntdll!NtReadFile
2 0 [2] ntdll!KiFastSystemCall
1 0 [1] ntdll!NtReadFile
45 25 [0] kernel32!ReadFile
9 0 [1] kernel32!_SEH_epilog
46 34 [0] kernel32!ReadFile

80 instructions were executed in 79 events (0 from other threads)

Function Name                Invocations  MinInst  MaxInst  AvgInst
kernel32!ReadFile                      1       46       46       46
kernel32!_SEH_epilog                   1        9        9        9
kernel32!_SEH_prolog                   1       19       19       19
ntdll!KiFastSystemCall                 1        2        2        2
ntdll!NtReadFile                       2        1        2        1
ntdll!ZwReadFile                       1        1        1        1

1 system call was executed

Calls System Call
1 ntdll!KiFastSystemCall

eax=00000001 ebx=00000000 ecx=7c801898 edx=ffffffff esi=7c810976 edi=10000080
eip=77d544d6 esp=0006a5ac ebp=0006a9f8 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
USER32!PrivateExtractIconsW+0x186:
77d544d6 83bdd0fbffff0c cmp dword ptr [ebp-430h],0Ch ss:0023:0006a5c8=0000000c

regards

raj_r

On 4/17/09, zmerry wrote:
>
> I often see the following order of functions, and am always surprised how to
> get to the sequence.
> ReadFile->ntdll!ntReadFile->nt!ntReadFile
>
> Could someone give me a hand? Thanks
>
> —
> WINDBG is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>


thanks and regards

raj_r
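Added example (not from the thread, and not raj_r's code): the wt trace above shows kernel32!ReadFile entering ntdll!NtReadFile, which runs two instructions, calls ntdll!KiFastSystemCall, and comes back for one more instruction; the kernel stack walk later in the thread shows the user mode return address as ntdll!NtReadFile+0xc. Both fit the 32-bit XP-era stub layout "mov eax,<syscall number>; mov edx,7FFE0300h; call dword ptr [edx]; ret <4*args>" (5 + 5 + 2 bytes puts the return address at offset 0xc). The C program below decodes such a stub from a byte buffer and flags one whose first bytes have been replaced by a jmp, which is the same check a user mode hook detector does: if ntdll!NtReadFile has been detoured, neither the syscall number you read there nor wt's view of the path is what reaches nt!NtReadFile. The stub bytes are constructed sample input, and the number 0xB7 is my assumption for NtReadFile on XP rather than a value the thread states; on 32-bit Windows the program decodes the live ntdll export instead.

```c
/*
 * Added example, not code from the thread. Decodes the x86 ntdll syscall stub
 * that sits between kernel32!ReadFile and nt!NtReadFile and reports whether it
 * has been hooked. Assumed XP-era 32-bit layout:
 *
 *   B8 imm32        mov eax, <syscall number>   ; offset 0,  5 bytes
 *   BA 00 03 FE 7F  mov edx, 7FFE0300h          ; offset 5,  5 bytes (KUSER_SHARED_DATA SystemCallStub)
 *   FF 12           call dword ptr [edx]        ; offset 10, 2 bytes -> ntdll!KiFastSystemCall (sysenter)
 *   C2 imm16        ret <4 * argument count>    ; offset 12 (0xc), the return address seen in the stack walk
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#if defined(_WIN32) && !defined(_WIN64)
#include <windows.h>
#endif

typedef struct {
    uint32_t syscall_number;   /* imm32 of the mov eax */
    unsigned arg_count;        /* imm16 of the ret, divided by 4 */
    int      hooked;           /* nonzero if the first instructions are not the expected stub */
} stub_info;

/* Little-endian immediates, read byte-wise so alignment does not matter. */
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/*
 * Returns 0 on success, -1 if the buffer is too short, -2 if the stub has been
 * hooked (jmp rel32 or push/ret at offset 0, wrong opcode, or a mov edx that no
 * longer points at 7FFE0300h), -3 if the layout matched up to the return but the
 * ret form is unexpected.
 */
int decode_syscall_stub(const uint8_t *stub, size_t len, stub_info *out)
{
    memset(out, 0, sizeof *out);
    if (len < 15) return -1;
    /* E9 rel32 (jmp) and 68 imm32 / C3 (push; ret) are the classic inline hook prologues. */
    if (stub[0] == 0xE9 || (stub[0] == 0x68 && stub[5] == 0xC3)) { out->hooked = 1; return -2; }
    if (stub[0] != 0xB8)                                         { out->hooked = 1; return -2; }
    if (stub[5] != 0xBA || rd32(stub + 6) != 0x7FFE0300u)        { out->hooked = 1; return -2; }
    if (stub[10] != 0xFF || stub[11] != 0x12)                    { out->hooked = 1; return -2; }
    if (stub[12] != 0xC2) return -3;
    out->syscall_number = rd32(stub + 1);
    out->arg_count = rd16(stub + 13) / 4;
    return 0;
}

/* Constructed sample: the layout above with 0xB7 and ret 24h (9 arguments, as NtReadFile takes). */
static const uint8_t sample_clean[] = {
    0xB8, 0xB7, 0x00, 0x00, 0x00,
    0xBA, 0x00, 0x03, 0xFE, 0x7F,
    0xFF, 0x12,
    0xC2, 0x24, 0x00
};

/* Constructed sample: the same stub with a 5-byte jmp written over the mov eax. */
static const uint8_t sample_hooked[] = {
    0xE9, 0x11, 0x22, 0x33, 0x44,
    0xBA, 0x00, 0x03, 0xFE, 0x7F,
    0xFF, 0x12,
    0xC2, 0x24, 0x00
};

int main(void)
{
    stub_info si;
    const uint8_t *bytes = sample_clean;
    size_t len = sizeof sample_clean;
#if defined(_WIN32) && !defined(_WIN64)
    /* On 32-bit Windows, decode the live export instead of the constructed sample. */
    HMODULE ntdll = GetModuleHandleA("ntdll.dll");
    FARPROC p = ntdll ? GetProcAddress(ntdll, "NtReadFile") : NULL;
    if (p) { bytes = (const uint8_t *)p; len = 16; }
#endif
    int rc = decode_syscall_stub(bytes, len, &si);
    if (rc == 0)
        printf("NtReadFile: syscall 0x%X, %u arguments\n", si.syscall_number, si.arg_count);
    else
        printf("NtReadFile stub not in expected form (rc=%d, hooked=%d)\n", rc, si.hooked);
    return rc == 0 ? 0 : 1;
}
```

Off Windows the program only exercises the constructed samples; on a 32-bit XP-era box the printed syscall number is what you would see in eax when wt reports the transition into ntdll!KiFastSystemCall. A newer 32-bit ntdll uses a different stub (edx points at a Wow64 or KiFastSystemCall thunk rather than 7FFE0300h), so a "hooked" report there is the check's assumption failing, not evidence of a hook.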

Quote:

Function Name Invocations MinInst MaxInst AvgInst
kernel32!ReadFile 1 46 46 46
kernel32!_SEH_epilog 1 9 9 9
kernel32!_SEH_prolog 1 19 19 19
ntdll!KiFastSystemCall 1 2 2 2
ntdll!NtReadFile 2 1 2 1
ntdll!ZwReadFile 1 1 1 1

Using wt I can only see user mode APIs, so how can I see kernel mode (+ user mode) APIs with WinDbg?

eg.

nt!ZwReadFile

Regards,

Matt

> Date: Fri, 17 Apr 2009 23:59:59 +0530
> Subject: Re: [windbg] A question about the order of call function
> From: xxxxx@gmail.com
> To: xxxxx@lists.osr.com
>
> (quoted in full above)

Not easy; wt is mostly user mode only.
If you need a kernel trace, use kd, set a break on the kernel API and issue wt.
If there is an IRQL raise, interrupt disabling (cli/sti), etc. in the code path, wt will lead to a crash of your user mode app.

And when it would work, the output is normally undecipherable.
Here is a sample; you can see the stack trace containing the user mode part and the kernel mode part.

Use !process 0 0 "your.exe"
.process /p <_EPROCESS address of "your.exe">
bp /p for breaks to be more process specific

and when broken, use wt

kd>
Breakpoint 0 hit
ChildEBP RetAddr Args to Child
f4f72d38 804df06b 000000a4 00000000 00000000 nt!NtReadFile
f4f72d38 7c90eb94 000000a4 00000000 00000000 nt!KiFastCallEntry+0xf8
0012fdc0 7c90e288 7c801875 000000a4 00000000 ntdll!KiFastSystemCallRet
0012fdc4 7c801875 000000a4 00000000 00000000 ntdll!NtReadFile+0xc
0012fe2c 00401271 000000a4 00178008 0000fffe kernel32!ReadFile+0x16c
WARNING: Stack unwind information not available. Following frames may be wrong.
0012fe4c 77d48709 0004009a 00000111 00000001 file+0x1271
0012fe78 77d487eb 00401113 0004009a 00000111 user32!InternalCallWinProc+0x28
0012fee0 77d489a5 00000000 00401113 0004009a user32!UserCallWinProcCheckWow+0x150
0012ff40 77d4bccc 0012ff60 00000001 0012ffac user32!DispatchMessageWorker+0x306
0012ff50 0040110a 0012ff60 0004009a 0004009a user32!DispatchMessageA+0xf
0012ffac 00401026 00400000 00000000 00000000 file+0x110a
0012fff0 00000000 00401000 00000000 78746341 file+0x1026
kd> wt
Tracing nt!NtReadFile to return address 804df06b
2 0 [0] nt!NtReadFile
19 0 [1] nt!_SEH_prolog
19 19 [0] nt!NtReadFile
23 0 [1] nt!ObReferenceObjectByHandle
13 0 [2] nt!ExMapHandleToPointerEx
21 0 [3] nt!ExpLookupHandleTableEntry
35 21 [2] nt!ExMapHandleToPointerEx
59 56 [1] nt!ObReferenceObjectByHandle
22 0 [2] nt!ExUnlockHandleTableEntry
74 78 [1] nt!ObReferenceObjectByHandle
24 171 [0] nt!NtReadFile
20 0 [1] nt!IoGetRelatedDeviceObject
40 191 [0] nt!NtReadFile
129 0 [1] nt!ProbeForWrite
70 320 [0] nt!NtReadFile
14 0 [1] nt!ObfReferenceObject
81 334 [0] nt!NtReadFile
1 0 [0] nt!NtReadFile
1 0 [0] nt!NtReadFile
1 0 [0] nt!NtReadFile
1 0 [0] nt!NtReadFile
1 0 [0] nt!NtReadFile
1 0 [0] nt!NtReadFile
1 0 [0] nt!NtReadFile
1 0 [0] nt!NtReadFile
1 0 [0] nt!NtReadFile
1 0 [0] nt!NtReadFile
1 0 [0] nt!NtReadFile
5 0 [1] nt!IoAllocateIrp
3 0 [1] nt!IopAllocateIrpPrivate
19 0 [2] nt!_SEH_prolog
38 19 [1] nt!IopAllocateIrpPrivate
14 0 [2] 0x00000000
199 33 [1] nt!IopAllocateIrpPrivate
9 0 [2] 0x00000000
200 42 [1] nt!IopAllocateIrpPrivate
>> Unable to match return to 0x00000000
>> Unable to match return to hal!KfRaiseIrql
>> Unable to match return to hal!KeRaiseIrqlToDpcLevel
>> Unable to match return to 0x8229b9bd
6329 instructions were executed in 839 events (0 from other threads)

Function Name Invocations MinInst MaxInst AvgInst
Fastfat!ExAllocateFromNPagedLookasideList 1 4 4 4
Fastfat!ExFreeToNPagedLookasideList 0 -1 0 0
Fastfat!FatAcquireSharedFcb 1 1 1 1
Fastfat!FatCommonRead 118 1 1178 13
Fastfat!FatCreateIrpContext 11 1 481 44
Fastfat!FatDecodeFileObject 17 1 38 3
Fastfat!FatFsdRead 4 1 9 3
Fastfat!FatIsIrpTopLevel 1 1 1 1
Fastfat!FatMapUserBuffer 1 1 1 1
Fastfat!FatQuickVerifyVcb 1 1 1 1
Fastfat!FatUnpinRepinnedBcbs 0 -1 0 0
Fastfat!FatVerifyFcb 1 1 1 1
Fastfat!FatVerifyOperationIsLegal 1 1 1 1
Fastfat!KeGetCurrentThread 1 1 1 1
Fastfat!_SEH_epilog 1 1 1 1
Fastfat!_SEH_prolog 1 1 1 1
Fastfat!_abnormal_termination 1 1 1 1
hal!KeRaiseIrqlToDpcLevel 2 7 75 41
hal!KfLowerIrql 1 1 1 1
hal!KfRaiseIrql 2 1 1 1
hal!KfReleaseSpinLock 1 1 1 1
nt!CcCopyRead 1 1 1 1
nt!CcCreateVacbArray 1 1 1 1
nt!CcGetActiveVacb 1 1 1 1
nt!CcGetVacbMiss 0 -1 0 0
nt!CcGetVirtualAddress 7 1 1 1
nt!CcSetActiveVacb 0 -1 0 0
nt!ExAllocatePoolWithTag 1 2 2 2
nt!ExMapHandleToPointerEx 2 21 35 28
nt!ExQueueWorkItem 4 1 1 1
nt!ExReleaseResourceLite 2 26 26 26
nt!ExUnlockHandleTableEntry 2 19 22 20
nt!ExpLookupHandleTableEntry 2 12 21 16
nt!FsRtlCheckLockForReadAccess 1 1 1 1
nt!FsRtlCheckOplock 1 2 2 2
nt!FsRtlOplockIsFastIoPossible 1 1 1 1
nt!InterlockedPushEntrySList 0 -1 0 0
nt!IoAllocateIrp 1 5 5 5
nt!IoGetRelatedDeviceObject 2 20 26 23
nt!IoGetTopLevelIrp 1 1 1 1
nt!IoIsOperationSynchronous 1 2 2 2
nt!IoSetTopLevelIrp 2 1 3 2
nt!IofCallDriver 1 11 11 11
nt!IopAllocateIrpPrivate 2 1 200 100
nt!IopCompleteRequest 0 -1 0 0
nt!IopFreeIrp 0 -1 0 0
nt!IopSynchronousServiceTail 5 1 222 66
nt!IopUpdateReadOperationCount 1 1 1 1
nt!IopfCallDriver 0 -1 0 0
nt!IopfCompleteRequest 1 13 13 13
nt!KeEnterCriticalRegion 3 1 19 13
nt!KeInsertQueue 1 2 2 2
nt!KeSetEvent 0 -1 0 0
nt!KiInsertQueue 6 1 1 1
nt!KiReadyThread 5 1 1 1
nt!MiAddViewsForSection 1 1 1 1
nt!MiDetermineUserGlobalPteMask 1 1 1 1
nt!MiDoReplacement 1 9 9 9
nt!MiLocateAndReserveWsle 3 1 6 3
nt!MiMakeProtectionMask 1 1 1 1
nt!MiUnlinkPageFromList 1 1 1 1
nt!MiUpdateWsle 9 1 23 8
nt!MmCheckCachedPageState 115 1 80 5
nt!MmCreateSection 17 1 7 3
nt!MmMapViewInSystemCache 1 1 1 1
nt!NtReadFile 83 1 160 9
nt!ObCreateObject 0 -1 0 0
nt!ObDeleteCapturedInsertInfo 1 1 1 1
nt!ObReferenceObjectByHandle 2 37 74 55
nt!ObfReferenceObject 11 1 14 6
nt!ObpAllocateObject 33 1 43 5
nt!ObpCaptureObjectCreateInformation 19 1 19 6
nt!ProbeForWrite 2 1 129 65
nt!SetVacb 1 1 1 1
nt!_SEH_prolog 4 4 19 11

nt!KiFastCallEntry+0xf8:
804df06b 8be5 mov esp,ebp
kd> g
Breakpoint 0 hit
nt!NtReadFile:
80571b30 6a68 push 68h

regards

raj_r

Hi!

I found that when you use 'kb' to view the stack, 'kernel32!ReadFile+0x16c' can be seen; however, when I traced ReadFile, 'kernel32!ReadFile' can't be seen, as follows.

Could you tell me the reasons? Thanks!

Host OS: Winxp sp2

Guest OS: Winxp sp2 (VMware)

kd> !process 0 0 notepad.exe
PROCESS 86408158 SessionId: 0 Cid: 073c Peb: 7ffde000 ParentCid: 05a8
DirBase: 0ad80180 ObjectTable: e104a700 HandleCount: 30.
Image: notepad.exe

kd> .process /r /p 86408158
Implicit process is now 86408158
.cache forcedecodeuser done
Loading User Symbols

kd> bp /p 86408158 nt!ntreadfile
kd> g
Breakpoint 0 hit
nt!NtReadFile:
80570618 6a68 push 68h
kd> k
ChildEBP RetAddr
f5640d38 8053c808 nt!NtReadFile
f5640d38 7c90eb94 nt!KiFastCallEntry+0xf8
0007d290 7c90e288 ntdll!KiFastSystemCallRet
0007d294 77e80b4a ntdll!NtReadFile+0xc
0007d2cc 77e85349 RPCRT4!UTIL_ReadFile+0x43 ---------------------------------+
0007d2f4 77e852a5 RPCRT4!CO_SubmitSyncRead+0x58                              |
0007d314 77e8520d RPCRT4!CO_SyncRecv+0x4f                                    |
0007d334 77e8565f RPCRT4!OSF_CCONNECTION::TransSendReceive+0x9d              |
0007d43c 77e853ed RPCRT4!OSF_CCONNECTION::SendBindPacket+0x575               |
0007d484 77e84cf6 RPCRT4!OSF_CCONNECTION::ActuallyDoBinding+0xa6             |
0007d4d4 77e84e0d RPCRT4!OSF_CCONNECTION::OpenConnectionAndBind+0x20f        |
0007d518 77e84d5c RPCRT4!OSF_CCALL::BindToServer+0xed                        |
0007d57c 77e800ac RPCRT4!OSF_BINDING_HANDLE::AllocateCCall+0x2b0             |
0007d5ac 77e78dc9 RPCRT4!OSF_BINDING_HANDLE::NegotiateTransferSyntax+0x28    |
0007d5c4 77e78e00 RPCRT4!I_RpcGetBufferWithObject+0x5b                       |
0007d5d4 77e7942d RPCRT4!I_RpcGetBuffer+0xf                                  |
0007d5e4 77ef360b RPCRT4!NdrGetBuffer+0x28                                   |
0007d9c4 77de1cd0 RPCRT4!NdrClientCall2+0x195                                |
0007d9d8 77de1c52 ADVAPI32!LsarOpenPolicy2+0x1b                              |
0007da2c 77dfcb54 ADVAPI32!LsaOpenPolicy+0x95                                |
                                                                             |
…                                                                            |
                                                                             |
use !process 0 0 "your.exe"                                                  |
.process /p _eprocaddress of "your.exe"                                      |
bp /p for breaks to be more process specific                                 |
                                                                             |
…                                                                            |
                                                                             |
kd>                                                                          |
Breakpoint 0 hit                                                             |
ChildEBP RetAddr Args to Child                                               |
f4f72d38 804df06b 000000a4 00000000 00000000 nt!NtReadFile                   |
f4f72d38 7c90eb94 000000a4 00000000 00000000 nt!KiFastCallEntry+0xf8         |
0012fdc0 7c90e288 7c801875 000000a4 00000000 ntdll!KiFastSystemCallRet <-----+
0012fdc4 7c801875 000000a4 00000000 00000000 ntdll!NtReadFile+0xc
0012fe2c 00401271 000000a4 00178008 0000fffe kernel32!ReadFile+0x16c
WARNING: Stack unwind information not available. Following frames may be wrong.
0012fe4c 77d48709 0004009a 00000111 00000001 file+0x1271
0012fe78 77d487eb 00401113 0004009a 00000111 user32!InternalCallWinProc+0x28
0012fee0 77d489a5 00000000 00401113 0004009a user32!UserCallWinProcCheckWow+0x150
0012ff40 77d4bccc 0012ff60 00000001 0012ffac user32!DispatchMessageWorker+0x306
0012ff50 0040110a 0012ff60 0004009a 0004009a user32!DispatchMessageA+0xf
0012ffac 00401026 00400000 00000000 00000000 file+0x110a
0012fff0 00000000 00401000 00000000 78746341 file+0x1026

regards

raj_r



zmerry wrote:

Hi!
I found that when you use 'kb' to view the stack, 'kernel32!ReadFile+0x16c'
can be seen; however, when I traced ReadFile, 'kernel32!ReadFile' can't
be seen, as follows.
Could you tell me the reasons?

Come on, you should have been able to figure this out for yourself. The
kernel NtReadFile API is used in many different places.
Kernel32!ReadFile happens to call NtReadFile, but many other user and
kernel APIs need to read files. In your second example, a user-mode app
has called LsaOpenPolicy, which needs to do a synchronous RPC call,
which requires sending a read request to an RPC driver. That crosses
over to NtReadFile.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.