Disassembler question?

lkd> u nt!PsTerminateSystemThread

nt!PsTerminateSystemThread:
80573b15 64a124010000 mov eax,fs:[00000124]
80573b1b f6804802000010 test byte ptr [eax+0x248],0x10
80573b22 0f8485c00600 je nt!PsTerminateSystemThread+0xf (805dfbad)
80573b28 ff742404 push dword ptr [esp+0x4]
80573b2c 50 push eax
80573b2d e85e300100 call nt!PspTerminateThreadByPointer (80586b90)
80573b32 c20400 ret 0x4
80573b35 807dff00 cmp byte ptr [ebp-0x1],0x0

I do not understand one concept in the above disassembly. The third line:

80573b22 0f8485c00600 je nt!PsTerminateSystemThread+0xf (805dfbad)

How did nt!PsTerminateSystemThread+0xf become 0x805dfbad, if
nt!PsTerminateSystemThread is 0x80573b15?

I may be missing something which is really obvious.

-Srin.

Maybe it became the thread itself and is simulating a jump to cause the
return from the thread!?

IFF this is true then it seems to me that returning from the thread is a
cleaner and less obscure way to terminate.

Jamey

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@NAI.com
Sent: Tuesday, July 08, 2003 11:47 AM
To: NT Developers Interest List
Subject: [ntdev] Disassembler question?

lkd> u nt!PsTerminateSystemThread

nt!PsTerminateSystemThread:

80573b15 64a124010000 mov eax,fs:[00000124]

80573b1b f6804802000010 test byte ptr [eax+0x248],0x10

80573b22 0f8485c00600 je nt!PsTerminateSystemThread+0xf
(805dfbad)

80573b28 ff742404 push dword ptr [esp+0x4]

80573b2c 50 push eax

80573b2d e85e300100 call nt!PspTerminateThreadByPointer
(80586b90)

80573b32 c20400 ret 0x4

80573b35 807dff00 cmp byte ptr [ebp-0x1],0x0

I do not understand one concept in the above disassembly. The third line

80573b22 0f8485c00600 je nt!PsTerminateSystemThread+0xf
(805dfbad)

who did nt!PsTerminateSystemThread+0xf become 0x805dfbad. If
nt!PsTerminateSystemThread is 0x80573b15?

I may be missing something which is really obvious.

-Srin.


You are currently subscribed to ntdev as: xxxxx@storagecraft.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

On second thought. Like I said, I am not an expert on anything :slight_smile:


Isn’t it simply wrong disassembly or symbols? IDA shows me correct code. I’d
look at address 805dfbad to see the code there.

IDA disassembly:

PAGE:0048E7AD ; NTSTATUS __stdcall xxxxx@4(NTSTATUS ExitStatus)
PAGE:0048E7AD public _PsTerminateSystemThread@4
PAGE:0048E7AD xxxxx@4 proc near
PAGE:0048E7AD
PAGE:0048E7AD ExitStatus = dword ptr 4
PAGE:0048E7AD
PAGE:0048E7AD mov eax, large fs:124h
PAGE:0048E7B3 test byte ptr [eax+248h], 10h
PAGE:0048E7BA jz loc_4BF87F
PAGE:0048E7C0 push [esp+ExitStatus]
PAGE:0048E7C4 push eax
PAGE:0048E7C5 call _PspTerminateThreadByPointer@8 ; PspTerminateThreadByPointer(x,x)
PAGE:0048E7CA
PAGE:0048E7CA locret_48E7CA: ; CODE XREF: PAGE:004BF884j
PAGE:0048E7CA retn 4

PAGE:004BF87F loc_4BF87F: ; CODE XREF: PsTerminateSystemThread(x)+Dj
PAGE:004BF87F mov eax, 0C000000Dh
PAGE:004BF884 jmp locret_48E7CA

Best regards,

Michal Vodicka
STMicroelectronics Design and Application s.r.o.
[michal.vodicka@st.com, http:://www.st.com]


The machine code reads 0f84 85c00600. Now, the Intel book says that 0f84 is
a 32-bit relative jump near, so the instruction says: jump to IP plus
0x6c085. The current IP is 80573b28 (that’s the first byte after the “je”,
which is the address of the first “push” instruction), therefore it will
jump to 0x80573b28 + 0x6c085 = 0x805dfbad. The address in parentheses is
correct. The symbolic address (nt!PsTerminateSystemThread+0xf) may not be;
are you sure you transcribed it right? This could be a bug in the debugger,
or a wrong or damaged symbol file, or some more esoteric effect. Did you try
to unassemble 805dfbad-0xf to see what you get?

Hope this helps,

Alberto.
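As an added example (not part of the thread, written here to check Alberto's arithmetic), the script below decodes the rel32 control transfers in Srin's listing from their opcode bytes and compares the computed targets with the addresses WinDbg printed in parentheses. The addresses, opcode bytes and symbol address 0x80573b15 are copied from the thread; the function names and the table layout are mine.

```python
# Added example, not from the ntdev thread: decode the rel32 jmp/call/jcc
# transfers quoted in the WinDbg listing and check the printed targets.
import struct

# Instruction addresses and opcode bytes copied from the thread's listing,
# paired with the target address WinDbg printed in parentheses.
LISTING = [
    (0x80573B22, "0f8485c00600", 0x805DFBAD),  # je  nt!PsTerminateSystemThread+0xf
    (0x80573B2D, "e85e300100",   0x80586B90),  # call nt!PspTerminateThreadByPointer
    (0x805DFBB2, "e97b3ff9ff",   0x80573B32),  # jmp nt!PsTerminateSystemThread+0x20
    (0x805DFBD7, "0f84c2dafcff", 0x805AD69F),  # je  nt!PsChangeQuantumTable+0xe1
]

# Start of nt!PsTerminateSystemThread as reported by "x nt!*PsTerminate*".
PS_TERMINATE_SYSTEM_THREAD = 0x80573B15


def branch_target(addr, code):
    """Return (mnemonic, target) for a near jmp (E9), call (E8) or Jcc
    (0F 80..8F) carrying a 32-bit displacement.

    The displacement is signed and relative to the address of the *next*
    instruction, which is why the arithmetic for the je starts at
    0x80573b28 rather than at 0x80573b22."""
    if code[0] == 0xE9:
        mnemonic, length = "jmp", 5
    elif code[0] == 0xE8:
        mnemonic, length = "call", 5
    elif code[0] == 0x0F and 0x80 <= code[1] <= 0x8F:
        mnemonic, length = "jcc", 6
    else:
        raise ValueError("not a rel32 jmp/call/jcc: %s" % code.hex())
    if len(code) < length:
        raise ValueError("truncated instruction: %s" % code.hex())
    rel = struct.unpack_from("<i", code, length - 4)[0]   # little-endian, signed
    next_ip = addr + length
    return mnemonic, (next_ip + rel) & 0xFFFFFFFF           # 32-bit wraparound


def symbol_offset(addr, symbol_addr):
    """Offset of addr from a symbol's start, i.e. what plain symbol+offset
    arithmetic would print after the '+'."""
    return addr - symbol_addr


def check_listing(listing=LISTING):
    """Decode every entry and compare it with the target WinDbg printed.
    Returns a list of (addr, mnemonic, computed_target, matches_debugger)."""
    results = []
    for addr, hexbytes, printed in listing:
        mnemonic, target = branch_target(addr, bytes.fromhex(hexbytes))
        results.append((addr, mnemonic, target, target == printed))
    return results


if __name__ == "__main__":
    for addr, mnemonic, target, ok in check_listing():
        print("%08x %-4s -> %08x %s" % (addr, mnemonic, target,
                                         "ok" if ok else "MISMATCH"))
    # The numeric targets are right; the symbolic form is the odd part:
    # 0x805dfbad is 0x6c098 bytes past nt!PsTerminateSystemThread, not 0xf.
    print("0x805dfbad - nt!PsTerminateSystemThread = 0x%x"
          % symbol_offset(0x805DFBAD, PS_TERMINATE_SYSTEM_THREAD))
```

Run stand-alone it reproduces 0x805dfbad for the je, the two other targets in Srin's first listing and the backward je from the second one, and reports that 0x805dfbad lies 0x6c098 bytes past nt!PsTerminateSystemThread (0x80573b15). A "+0xf" from that symbol would be 0x80573b24, so whatever the debugger is doing, the printed symbolic name is not ordinary nearest-symbol arithmetic, which is the discrepancy Alberto points at.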


Jamey,

I may have confused the list members; my question has
nothing to do with PsTerminateSystemThread. I wanted to know why windbg
is showing the address 0x805dfbad as nt!PsTerminateSystemThread+0xf while
0x80573ba5 is nt!PsTerminateSystemThread.

-Srin.

PS: I am using local kernel debugging on Windows XP, SP1.


I’ve seen this strange flow-control behavior as well - where a function
in the NT kernel transfers control to a pseudo-subroutine somewhere else
in memory, but the WinDbg symbols still show the subroutine as being
part of the original function. This sort of thing is driving me nuts
right now because I’m trying to debug a problem in NtfsFsdCreate and it
jumps all over the map.

My GUESS is that these pseudo-subroutines are macros that for whatever
reason weren’t compiled inline, but are still considered to be part of
the function by the code generating the .pdb. I’m also guessing you
wouldn’t see this on checked code (I’m about to throw in a checked build
of ntfs.sys to verify this).


Nick Ryan (MVP for DDK)

Whatever tool you use, the output is bogus.

Either the symbolic name or the address is incorrectly computed.
The target of this jump should be some code like

mov eax, ErrorStatus
ret 0x4

or similar constructs. It basically bails out for a non-system thread.
It’s coded here to prevent this API from being called on win32 threads.

lkd> u nt!PsTerminateSystemThread

nt!PsTerminateSystemThread:

; This code checks to see if this is the current thread that is being asked
; to terminate.

80573b15 64a124010000 mov eax,fs:[00000124]
80573b1b f6804802000010 test byte ptr [eax+0x248],0x10

; If it is, jump to the common exit code; same exit routine if you simply
; returned from the thread function.

80573b22 0f8485c00600 je nt!PsTerminateSystemThread+0xf (805dfbad)

; Oops, this is not the current thread that is terminating. So, the thread
; pointer is extracted off of the stack (Hmmm. Does Windows allow you to pass
; something other than STATUS_?)

; This is the thread.

80573b28 ff742404 push dword ptr [esp+0x4]

; This is the STATUS code.

80573b2c 50 push eax

; This routine will schedule an APC to the thread being asked to terminate.

80573b2d e85e300100 call nt!PspTerminateThreadByPointer (80586b90)

; Execution will only reach this point if the thread is not the current
; thread and an APC was scheduled.

80573b32 c20400 ret 0x4
80573b35 807dff00 cmp byte ptr [ebp-0x1],0x0

Much better output!


I guess it is due to insane compiler optimizations employed in XP+.
Try using checked images of the kernel for debugging; they tend to be much
less optimized.

Doesn’t show the machine code, though.

Alberto.


Dan,
The disassembly looks exactly like what you said. The symbols
are used from the symbol server. Here is the output for you again. Seeing
the output below, this looks like some compiler optimization or some
disassembly bug in windbg.

-Srin.

Symbol search path is: SRV*e:\symbols\websymbols*http://msdl.microsoft.com/download/symbols;e:\symbols\localtest

Microsoft (R) Windows Debugger Version 6.2.0007.4
Copyright (c) Microsoft Corporation. All rights reserved.

Connected to Windows XP 2600 x86 compatible target, ptr64 FALSE
Symbol search path is: SRV*e:\symbols\websymbols*http://msdl.microsoft.com/download/symbols;e:\symbols\localtest
Executable search path is:
*******************************************************************************
WARNING: Local kernel debugging requires booting with /debug to work optimally.
*******************************************************************************
Windows XP Kernel Version 2600 (Service Pack 1) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp1.020828-1920
Kernel base = 0x804d0000 PsLoadedModuleList = 0x80547e30
Debug session time: Tue Jul 08 14:57:34 2003
System Uptime: 0 days 0:07:01.213
Symbol search path is: SRV*e:\symbols\websymbols*http://msdl.microsoft.com/download/symbols;e:\symbols\localtest
lkd> lmi
start end module name
804d0000 806c2980 nt (pdb symbols) ntoskrnl.exe

Unloaded modules:
f1b59000 f1b80000 kmixer.sys
f25c7000 f25ee000 kmixer.sys
f8b44000 f8b45000 drmkaud.sys
f25ee000 f2611000 aec.sys
f2761000 f276e000 DMusic.sys
f2771000 f277f000 swmidi.sys
f8af8000 f8afa000 splitter.sys
f891e000 f8923000 Cdaudio.SYS
f8a02000 f8a05000 Sfloppy.SYS

lkd> x nt!*PsTerminate*
80573b15 nt!PsTerminateSystemThread
80633fdf nt!PsTerminateProcess
lkd> !sym noisy
noisy mode - symbol prompts on
lkd> .reload ntoskrnl.exe
lkd> .reload /u ntoskrnl.exe
Unloaded ntoskrnl.exe
lkd> .reload ntoskrnl.exe
lkd> lmi
start end module name
804d0000 806c2980 nt (deferred)

Unloaded modules:
f1a92000 f1ab9000 kmixer.sys
f1b59000 f1b80000 kmixer.sys
f25c7000 f25ee000 kmixer.sys
f8b44000 f8b45000 drmkaud.sys
f25ee000 f2611000 aec.sys
f2761000 f276e000 DMusic.sys
f2771000 f277f000 swmidi.sys
f8af8000 f8afa000 splitter.sys
f891e000 f8923000 Cdaudio.SYS
f8a02000 f8a05000 Sfloppy.SYS

lkd> .reload nt
DBGHELP: nt - public symbols
e:\symbols\websymbols\ntoskrnl.pdb\C95EC79CFBFB4220AF2B6E9D09551A1F2\ntoskrnl.pdb
lkd> u nt!PsTerminateSystemThread
nt!PsTerminateSystemThread:
80573b15 64a124010000 mov eax,fs:[00000124]
80573b1b f6804802000010 test byte ptr [eax+0x248],0x10
80573b22 0f8485c00600 je nt!PsTerminateSystemThread+0xf (805dfbad)
80573b28 ff742404 push dword ptr [esp+0x4]
80573b2c 50 push eax
80573b2d e85e300100 call nt!PspTerminateThreadByPointer (80586b90)
80573b32 c20400 ret 0x4
80573b35 807dff00 cmp byte ptr [ebp-0x1],0x0
lkd> u 805dfbad
nt!PsTerminateSystemThread+f:
805dfbad b80d0000c0 mov eax,0xc000000d
805dfbb2 e97b3ff9ff jmp nt!PsTerminateSystemThread+0x20 (80573b32)
805dfbb7 b8180000c0 mov eax,0xc0000018
805dfbbc e9777bfaff jmp nt!PspMapSystemDll+0x3f (80587738)
805dfbc1 c705849f548002000000 mov dword ptr [nt!PsPrioritySeperation (80549f84)],0x2
805dfbcb e920dafcff jmp nt!PsChangeQuantumTable+0x21 (805ad5f0)
805dfbd0 803d9c40668000 cmp byte ptr [nt!PspUseJobSchedulingClasses (8066409c)],0x0
805dfbd7 0f84c2dafcff je nt!PsChangeQuantumTable+0xe1 (805ad69f)


Hello Srin,

Ya, those are heavy compiler / linker optimizations or whatever.
Some very common pieces of code, for which the compiler generates the
same code, are discarded, and only one instance of that code is kept.

So you can have 2 functions like (very simple example)

NTSTATUS a (VOID) {
return STATUS_SUCCESS;
}

NTSTATUS b (VOID) {
return STATUS_SUCCESS;
}

getting compiled in .exe to something like:

proc a
jmp do_status_success
endp

proc b
jmp do_status_success
endp

do_status_success:
xor eax, eax
retn

Now, I think that for full symbolic + source debugging some of the
original layout is kept in *.pdb files.

Switch to a checked kernel build.



Best regards,
Dan mailto:xxxxx@rdsor.ro

Jamey,

Thank you for such a detailed explanation.

I have a question. You said (not only you; I believe a couple of other
members of the list also said the same thing):

; This code checks to see if this is the current thread that is being asked
; to terminate.

80573b15 64a124010000 mov eax,fs:[00000124]
80573b1b f6804802000010 test byte ptr [eax+0x248],0x10

windbg says " +0x248 SystemThread : Pos 4, 1 Bit"

According to this, the above code is only checking whether the current
thread is a system thread or not. I may be wrong; can you explain further
how testing bit 4 at offset 0x248 asserts that it is the current
thread that is being asked to terminate?

Thank you for your time,

-Srin.


No problem to turn it on in IDA. Similarly as “set code on” in SoftICE :wink: I
just don’t see a reason to have it on by default; normally, there is no
reason to see it.

Best regards,

Michal Vodicka
STMicroelectronics Design and Application s.r.o.
[michal.vodicka@st.com, http:://www.st.com]


I guess it is assumed that if it is a system thread it must be the
current thread. So, maybe the APC is scheduled only if it is a user-mode
thread. I am not 100% sure. This is all based on my stepping through
SoftIce this morning.

Jamey

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@NAI.com
Sent: Tuesday, July 08, 2003 3:26 PM
To: NT Developers Interest List
Subject: [ntdev] RE: Disassembler question?

Jamey,

Thank you for such detailed explanation.

I have a question. You said (Not only you I believe couple of other
members in the list also said same thing)

; This code checks to see if this is the current thread that
is being asked

; to terminate.

80573b15 64a124010000 mov eax,fs:[00000124]

80573b1b f6804802000010 test byte ptr [eax+0x248],0x10

windbg says " +0x248 SystemThread : Pos 4, 1 Bit"

according to this the above code is checking only if the current
thread is a system thread or not. I may be wrong, can you explain more
how testing the Bit4 at offset 0x248 asserts that it is the current
thread that is being asked to terminate?

Thank you for your time,

-Srin.

-----Original Message-----
From: Jamey Kirby [mailto:xxxxx@storagecraft.com]
Sent: Tuesday, July 08, 2003 1:18 PM
To: NT Developers Interest List
Subject: [ntdev] RE: Disassembler question?

lkd> u nt!PsTerminateSystemThread

nt!PsTerminateSystemThread:

; This code checks to see if this is the current thread that is being asked
; to terminate.
80573b15 64a124010000 mov eax,fs:[00000124]
80573b1b f6804802000010 test byte ptr [eax+0x248],0x10

; If it is, jump to the common exit code; same exit routine if you simply returned
; from the thread function.
80573b22 0f8485c00600 je nt!PsTerminateSystemThread+0xf (805dfbad)

; Oops, this is not the current thread that is terminating. So, the thread pointer
; is extracted off of the stack (Hmmm. Does Windows allow you to pass something
; other than STATUS_?)

; This is the thread.
80573b28 ff742404 push dword ptr [esp+0x4]
; This is the STATUS code.
80573b2c 50 push eax
; This routine will schedule an APC to the thread being asked to terminate.
80573b2d e85e300100 call nt!PspTerminateThreadByPointer (80586b90)

; Execution will only reach this point if the thread is not the current thread and an
; APC was scheduled.
80573b32 c20400 ret 0x4
80573b35 807dff00 cmp byte ptr [ebp-0x1],0x0



Jamey misspoke. It is checking that it is a system thread that is
terminating, not the current thread.

There is another clarification to Jamey’s analysis:

If you look into the disassembly of PsTerminateThreadByPointer(), you’ll see
that it only schedules an APC to terminate the thread -IF- we’re not
terminating ourselves. If we’re killing ourself, then we just jump to
PspExitThread() and die. It’s only when we try and terminate a different
thread that an APC is generated.

sm

-----Original Message-----
From: xxxxx@NAI.com [mailto:xxxxx@NAI.com]
Sent: Tuesday, July 08, 2003 3:26 PM
To: NT Developers Interest List
Subject: [ntdev] RE: Disassembler question?

Jamey,
Thank you for such detailed explanation.
I have a question. You said (Not only you I believe couple of other
members in the list also said same thing)

; This code checks to see if this is the current thread that is being asked
; to terminate.
80573b15 64a124010000 mov eax,fs:[00000124]
80573b1b f6804802000010 test byte ptr [eax+0x248],0x10

windbg says " +0x248 SystemThread : Pos 4, 1 Bit"
according to this the above code is checking only if the current
thread is a system thread or not. I may be wrong, can you explain more
how testing the Bit4 at offset 0x248 asserts that it is the current
thread that is being asked to terminate?

Thank you for your time,
-Srin.

-----Original Message-----
From: Jamey Kirby [mailto:xxxxx@storagecraft.com]
Sent: Tuesday, July 08, 2003 1:18 PM
To: NT Developers Interest List
Subject: [ntdev] RE: Disassembler question?

lkd> u nt!PsTerminateSystemThread
nt!PsTerminateSystemThread:

; This code checks to see if this is the current thread that is being asked
; to terminate.
80573b15 64a124010000 mov eax,fs:[00000124]
80573b1b f6804802000010 test byte ptr [eax+0x248],0x10

; If it is, jump to the common exit code; same exit routine if you simply returned
; from the thread function.
80573b22 0f8485c00600 je nt!PsTerminateSystemThread+0xf (805dfbad)

; Oops, this is not the current thread that is terminating. So, the thread pointer
; is extracted off of the stack (Hmmm… Does Windows allow you to pass something
; other than STATUS_?)

; This is the thread.
80573b28 ff742404 push dword ptr [esp+0x4]
; This is the STATUS code.
80573b2c 50 push eax
; This routine will schedule an APC to the thread being asked to terminate.
80573b2d e85e300100 call nt!PspTerminateThreadByPointer (80586b90)

; Execution will only reach this point if the thread is not the current thread and an
; APC was scheduled.
80573b32 c20400 ret 0x4
80573b35 807dff00 cmp byte ptr [ebp-0x1],0x0



The code optimizer can scatter the function a lot and do inter-function optimization, so, nothing strange.

Max
----- Original Message -----
From: xxxxx@NAI.com
To: NT Developers Interest List
Sent: Wednesday, July 09, 2003 12:01 AM
Subject: [ntdev] RE: Disassembler question?

Jamey,

I may have confused the list members, my question has nothing to do with PsTerminateSystemThread. I wanted to know why windbg is showing 0x805dfbad address as nt!PsTerminateSystemThread+0xf while 0x80573ba5 is nt!PsTerminateSystemThread?

-Srin.

PS: I am using local kernel debugging on Windows XP, SP1.

-----Original Message-----
From: Jamey Kirby [mailto:xxxxx@storagecraft.com]
Sent: Tuesday, July 08, 2003 12:27 PM
To: NT Developers Interest List
Subject: [ntdev] RE: Disassembler question?

On second thought. Like I said, I am not an expert on anything :)

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@NAI.com
Sent: Tuesday, July 08, 2003 11:47 AM
To: NT Developers Interest List
Subject: [ntdev] Disassembler question?

lkd> u nt!PsTerminateSystemThread

nt!PsTerminateSystemThread:

80573b15 64a124010000 mov eax,fs:[00000124]

80573b1b f6804802000010 test byte ptr [eax+0x248],0x10

80573b22 0f8485c00600 je nt!PsTerminateSystemThread+0xf (805dfbad)

80573b28 ff742404 push dword ptr [esp+0x4]

80573b2c 50 push eax

80573b2d e85e300100 call nt!PspTerminateThreadByPointer (80586b90)

80573b32 c20400 ret 0x4

80573b35 807dff00 cmp byte ptr [ebp-0x1],0x0

I do not understand one concept in the above disassembly. The third line

80573b22 0f8485c00600 je nt!PsTerminateSystemThread+0xf (805dfbad)

How did nt!PsTerminateSystemThread+0xf become 0x805dfbad, if nt!PsTerminateSystemThread is 0x80573b15?

I may be missing something which is really obvious.

-Srin.



> ----------

From: xxxxx@storagecraft.com[SMTP:xxxxx@storagecraft.com]
Reply To: xxxxx@lists.osr.com
Sent: Wednesday, July 09, 2003 3:10 AM
To: xxxxx@lists.osr.com
Subject: [ntdev] RE: Disassembler question?

The code optimizer can scatter the function a lot and do
inter-function optimization, so, nothing strange.

Scattering isn’t strange. Disassembling a jump to a scattered piece as a jump to
the base function address + an apparently wrong offset is. The funny thing is that windbg
disassembly is OK without symbols, but with symbols it displays such
nonsense (addresses differ because of the SMP kernel):

lkd> u nt!PsTerminateSystemThread
nt!PsTerminateSystemThread:
8055e7ad 64a124010000 mov eax,fs:[00000124]
8055e7b3 f6804802000010 test byte ptr [eax+0x248],0x10
8055e7ba 0f84bf100300 je nt!PsTerminateSystemThread+0xf (8058f87f)
8055e7c0 ff742404 push dword ptr [esp+0x4]
8055e7c4 50 push eax
8055e7c5 e8e082ffff call nt!PspTerminateThreadByPointer (80556aaa)
8055e7ca c20400 ret 0x4

now disassemble the jump target:

lkd> u 8058f87f
nt!PsTerminateSystemThread+f:
8058f87f b80d0000c0 mov eax,0xc000000d
8058f884 e941effcff jmp nt!PsTerminateSystemThread+0x20 (8055e7ca)
8058f889 b8180000c0 mov eax,0xc0000018
8058f88e e9eaf8fcff jmp nt!PspMapSystemDll+0x3f (8055f17d)

next instruction:

lkd> u 8058f884
nt!PsTerminateSystemThread+14:
8058f884 e941effcff jmp nt!PsTerminateSystemThread+0x20 (8055e7ca)
8058f889 b8180000c0 mov eax,0xc0000018
8058f88e e9eaf8fcff jmp nt!PspMapSystemDll+0x3f (8055f17d)

and next one:

lkd> u 8058f889
nt!PspMapSystemDll+3a:
8058f889 b8180000c0 mov eax,0xc0000018
8058f88e e9eaf8fcff jmp nt!PspMapSystemDll+0x3f (8055f17d)

next scattered piece and the base address changes. Well, it can help to locate the
function a piece of code belongs to, but the offsets should still be correct.

BTW, livekd isn’t bad when one can’t have SoftICE loaded because one needs
VMware (I wonder when it’ll finally be fixed [Alberto?]).

Best regards,

Michal Vodicka
STMicroelectronics Design and Application s.r.o.
[michal.vodicka@st.com, http:://www.st.com]
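As an added example (not code from any of the posts), here is a Python check of the listings above: it re-decodes each rel32 branch target from the raw bytes WinDbg printed and compares it with both the address in parentheses and the symbol+offset label, taking the function start 0x8055e7ad from the listing's own "nt!PsTerminateSystemThread:" label. On the quoted lines every decoded address agrees with the printed one, while the two labels naming nt!PsTerminateSystemThread+0xf and +0x20 do not equal the target's distance from the function start.

```python
import re
# Constructed input: the two "u" listings quoted above (SMP kernel), joined into one string.
LISTING = """\
8055e7ad 64a124010000 mov eax,fs:[00000124]
8055e7b3 f6804802000010 test byte ptr [eax+0x248],0x10
8055e7ba 0f84bf100300 je nt!PsTerminateSystemThread+0xf (8058f87f)
8055e7c0 ff742404 push dword ptr [esp+0x4]
8055e7c4 50 push eax
8055e7c5 e8e082ffff call nt!PspTerminateThreadByPointer (80556aaa)
8055e7ca c20400 ret 0x4
8058f87f b80d0000c0 mov eax,0xc000000d
8058f884 e941effcff jmp nt!PsTerminateSystemThread+0x20 (8055e7ca)
"""
# Function start taken from the "nt!PsTerminateSystemThread:" label in the listing.
KNOWN_STARTS = {"nt!PsTerminateSystemThread": 0x8055E7AD}
INSN_RE = re.compile(r"^([0-9a-f]{8}) ([0-9a-f]+) (\w+)\s*(.*)$")
SYM_RE = re.compile(r"(\S+?)(?:\+0x([0-9a-f]+))? \(([0-9a-f]{8})\)")

def rel32_target(addr, opcode_hex):
    """Target of an E8 call, E9 jmp or 0F 8x jcc (32-bit x86, rel32) decoded from its raw bytes."""
    b = bytes.fromhex(opcode_hex)
    if b[0] in (0xE8, 0xE9):
        disp_at = 1
    elif b[0] == 0x0F and 0x80 <= b[1] <= 0x8F:
        disp_at = 2
    else:
        return None  # not a rel32 branch
    disp = int.from_bytes(b[disp_at:disp_at + 4], "little", signed=True)
    return (addr + len(b) + disp) & 0xFFFFFFFF  # next instruction + displacement

def audit_branches(listing, known_starts):
    """For each branch printed as 'sym[+0xN] (addr)': bytes_ok says the encoded displacement
    really lands on addr; offset_ok (when sym's start is known) says N == addr - start."""
    results = []
    for line in listing.splitlines():
        m = INSN_RE.match(line)
        if not m:
            continue
        addr, opcode, operands = int(m[1], 16), m[2], m[4]
        s = SYM_RE.search(operands)
        decoded = rel32_target(addr, opcode)
        if s is None or decoded is None:
            continue
        sym, target, printed_off = s[1], int(s[3], 16), int(s[2], 16) if s[2] else 0
        start = known_starts.get(sym)
        actual_off = None if start is None else target - start
        results.append({"at": addr, "sym": sym, "target": target, "printed_off": printed_off,
                        "actual_off": actual_off, "bytes_ok": decoded == target,
                        "offset_ok": None if actual_off is None else actual_off == printed_off})
    return results
```

The same decoder applied to the uniprocessor listing from the first post (0f8485c00600 at 80573b22) yields 805dfbad, the address WinDbg printed there as well.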