A question about the order of call function

I often see the following order of function, and am always surprised how to get to the sequence.
ReadFile->ntdll!ntReadFile->nt!ntReadFile

Could someone give me a hand? Thanks



zmerry wrote:

I often see the following order of function, and am always surprised how
to get to the sequence.
ReadFile->ntdll!ntReadFile->nt!ntReadFile

Could someone give me a hand?

I don’t understand the question. Why are you surprised by this?
ReadFile is the advertised user-mode API. It calls into NtReadFile in
ntdll, which is an undocumented user-mode API. It crosses into kernel
mode to call nt!NtReadFile, which validates parameters and calls
ZwReadFile, which creates an IRP_MJ_READ IRP and calls the I/O manager.
These are all implementation details of the ReadFile API.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Hello,

Are you trying to know the WinDbg command to achieve function call tracing?
In this case, use “wt” command.

Arvind

I want to trace ReadFile from user mode into kernel mode using windbg, so I ask the question.

Date: Fri, 17 Apr 2009 10:07:07 -0700
From: xxxxx@probo.com
To: xxxxx@lists.osr.com
Subject: Re: [windbg] A question about the order of call function


WINDBG is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer



Hi,

Sure! I want to know function call tracing.

windbg has lots of commands, so it’s really terrible for me.

‘wt’ command is cool, but it can only trace user mode APIs, excluding kernel mode APIs (e.g. nt!NtReadFile).

I want to trace both mode apis.

regards,

Matt

From: xxxxx@hotmail.com
Subject: Re:[windbg] A question about the order of call function
Date: Sat, 18 Apr 2009 21:15:42 +0530
To: xxxxx@lists.osr.com






zmerry wrote:

I want to trace ReadFile from user mode into kernel mode using
windbg, so I ask the question.

To cross the user/kernel barrier, you will have to use the kernel
debugger. You cannot, for example, run a program in windbg and trace
into the kernel.

If you do have a two-machine setup, then it is possible, although it’s
still not easy. You can configure windbg in kernel debugging mode so
that it traps user-mode breakpoints, so you could insert a breakpoint in
your application just before the ReadFile, trap that, and start tracing
there.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
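As an added example (not from any post in this thread), here is the kernel-debugger session that follows the two-machine approach Tim describes, stopping once in user mode inside ReadFile and once in the kernel at nt!NtReadFile for the same thread. It assumes a two-machine kernel debugging setup with symbols available, and a test program named readtest.exe (placeholder name) that is about to call ReadFile.

```windbg
$$ Added example: follow one ReadFile call from user mode into the kernel
$$ from a kernel debugger. Lines starting with "kd>" are typed; "$$" lines
$$ are comments. readtest.exe is a placeholder for the program being traced.

kd> !process 0 0 readtest.exe
$$ Note the EPROCESS address printed for the process; it replaces
$$ <EPROCESS> in the commands below.

kd> .process /i <EPROCESS>
kd> g
$$ The debugger breaks again, now inside the target's context, so user-mode
$$ addresses and symbols of this process resolve.

kd> .reload /user
kd> bp kernel32!ReadFile
$$ On Windows 7 and later the export lives in kernelbase, so use
$$ kernelbase!ReadFile there instead.

kd> bp /p <EPROCESS> nt!NtReadFile
$$ /p restricts the kernel-side breakpoint to this process, so reads issued
$$ by every other process do not stop the machine.

kd> g
$$ First stop: user mode, inside ReadFile. Show the stack, then run to the
$$ next call instruction until ntdll!NtReadFile (the syscall stub) appears.
kd> k
kd> pc

kd> g
$$ Second stop: nt!NtReadFile, still the same thread. The stack now shows
$$ the kernel frames above the user-mode frames of the same call.
kd> k

$$ Trace the kernel side a few call levels deep; raise -l if IofCallDriver,
$$ where the IRP_MJ_READ IRP is handed to the driver stack, does not appear.
kd> wt -l 3

$$ Clean up when done.
kd> bc *
```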