I have been trying to write a kernel mode sampling profiler (somewhat like
vtune) purely for my own edification.
I have set up a custom DPC on a periodic (1 ms) timer, and my DPC gets
called happily.
However the KTHREAD object often does not have a valid KTRAP_FRAME, and the
EBP does not point into the thread’s own kernel mode stack.
I then queue a special kernel mode APC (see: A. Almeida, below) to the thread
from within the DPC, and reliably find a KTRAP_FRAME and hence can log the
EIP. On reading the docs, I believe that, other than queued DPCs and
interrupts, the APC will be invoked immediately after the DPC, so the thread
will not have progressed its "normal execution" between the two
"interrupts".
Questions:
- Is the assertion above right, that the APC is (in effect) reading the
  state of the thread when interrupted by the DPC?
- The APC only seems to get queued on threads that have a valid TEB in the
  KTHREAD. Can APCs only work on non-system threads?
- Why is the APC environment so different to the DPC one? The stack being
  different makes sense (I have read about that). The TRAP_FRAME being
  different does not.
- Is there a better way to approach this problem than the one I have found?
  I don't really want to get into adding an ISR by patching IDTs (as archived
  mails in this list have suggested). I aim to use a fully documented
  approach!
Thanks in advance.
James Westland Cain, Ph.D.
Senior Engineer
Quantel Limited.
References:
A. Almeida, "Inside NT's Asynchronous Procedure Call", Windows Developer
Magazine, November 2002.