Tracing kernel mode while Analyzing User Mode

I just read that great article: http://www.osronline.com/article.cfm?article=576 and did what it said.

I want to trace ntdll!KiFastSystemCall and see how the system handles a system call step by step.
But tracing (F11) isn’t working here, as seen below. ntdll!KiFastSystemCall returns immediately. How can I do that?

Breakpoint 0 hit
ntdll!ZwCreateFile:
77b58008 b83c000000 mov eax,3Ch
kd> t
ntdll!ZwCreateFile+0x5:
77b5800d ba0003fe7f mov edx,offset SharedUserData!SystemCallStub (7ffe0300)
kd> t
ntdll!ZwCreateFile+0xa:
77b58012 ff12 call dword ptr [edx]
kd> t
ntdll!KiFastSystemCall:
77b59a90 8bd4 mov edx,esp
kd> t
ntdll!KiFastSystemCall+0x2:
77b59a92 0f34 sysenter
kd> t
ntdll!ZwCreateFile+0xc:
77b58014 c22c00 ret 2Ch

You can’t step into the sysenter this way; the debugger doesn’t support
that. You need to set a breakpoint in the fast call entry point.

-scott


Scott Noone
Consulting Associate and Chief System Problem Analyst
OSR Open Systems Resources, Inc.
http://www.osronline.com
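
One way to set the breakpoint the reply describes, as an added example that is not part of the original thread. It assumes a 32-bit target that enters the kernel via sysenter, that the entry point resolves to the symbol nt!KiFastCallEntry (a name not given in the thread), and it reuses the service number 3Ch from the trace above; `<eprocess>` is a placeholder for the address of the process being analyzed.

```windbg
$$ Added example: kd commands, typed at the kd> prompt of the kernel debugger.

$$ 1. sysenter loads EIP from the IA32_SYSENTER_EIP MSR (0x176).
$$    Read it and resolve the address to a symbol to find the entry point.
rdmsr 176
ln nt!KiFastCallEntry

$$ 2. Every system call on the machine goes through this routine, so a plain
$$    breakpoint fires constantly. Restrict it to one process (/p) and to the
$$    service number that ZwCreateFile loaded into eax in the trace (3Ch).
$$    <eprocess> is a placeholder; take the value from !process 0 0.
bp /p <eprocess> nt!KiFastCallEntry ".if (@eax == 0x3c) {} .else {gc}"

$$ 3. Resume. When the breakpoint stops, eax still holds the service number
$$    and edx the user-mode stack pointer saved by KiFastSystemCall.
g

$$ 4. From here t / p step through the kernel side of the call.
r eax, edx
t
```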
