Pattern Cooperation
Here is another case study involving multiple patterns (most of them were published in the previous volumes): Incomplete Session, ALPC and Critical Section Wait Chains, Blocked Thread, and Dialog Box.
It was reported that a user couldn't start a session. A complete memory dump was generated and we found 3 sessions there. Looking at the last one we found it incomplete (page 150) with only 3 processes (a normal running user session after initialization was expected to have more than 3 processes):
0: kd> !session Sessions on machine: 3 Valid Sessions: 0 1 2
0: kd> !sprocess 2 Dumping Session 2
_MM_SESSION_SPACE fffffa600a3e1000 _MMSESSION fffffa600a3e1b40 PROCESS fffffa8007f6c040 SessionId: 2 Cid: 242c Peb: 7fffffd8000 ParentCid: 2374 DirBase: 58350000 ObjectTable: fffff8800f485630 HandleCount: 192. Image: csrss.exe
PROCESS fffffa8007de8130 SessionId: 2 Cid: 1a48 Peb: 7fffffde000 ParentCid: 2374 DirBase: 15755000 ObjectTable: fffff8800c742010 HandleCount: 240. Image: winlogon.exe
PROCESS fffffa8004c2e4a0 SessionId: 2 Cid: 17b8 Peb: 7efdf000 ParentCid: 144c DirBase: a3b80000 ObjectTable: fffff8800bf1d350 HandleCount: 168. Image: AppA.exe
Looking at AppA process we find its main thread (Volume 1, page 437) blocked in ALPC request (Volume 3, page 97) directed to ServiceA process:
0: kd> !process fffffa8004c2e4a0 3f PROCESS fffffa8004c2e4a0 SessionId: 2 Cid: 17b8 Peb: 7efdf000 ParentCid: 144c DirBase: a3b80000 ObjectTable: fffff8800bf1d350 HandleCount: 168. Image: AppA.exe VadRoot fffffa8006d7f310 Vads 192 Clone 0 Private 572. Modified 2. Locked 0. DeviceMap fffff88015685f30 Token fffff8800a245050 ElapsedTime 01:58:00.200 UserTime 00:00:00.000 KernelTime 00:00:00.015 QuotaPoolUsage[PagedPool] 140256 QuotaPoolUsage[NonPagedPool] 18368 Working Set Sizes (now,min,max) (2025, 50, 345) (8100KB, 200KB, 1380KB) PeakWorkingSetSize 2087 VirtualSize 74 Mb PeakVirtualSize 79 Mb PageFaultCount 2351 MemoryPriority BACKGROUND BasePriority 8 CommitCharge 741 Job fffffa80063de710
THREAD fffffa8006db8440 Cid 17b8.20e0 Teb: 000000007efdb000 Win32Thread: fffff900c0b0c4f0 WAIT: (WrLpcReply) UserMode Non-Alertable fffffa8006db87d0 Semaphore Limit 0x1 Waiting for reply to ALPC Message fffff8800f487cf0 : queued at port fffffa8004b37d90 : owned by process fffffa8004b11c10 Not impersonating DeviceMap fffff88015685f30 Owning Process fffffa8004c2e4a0 Image: AppA.exe Attached Process N/A Image: N/A Wait Start TickCount 4244174 Ticks: 453096 (0:01:57:59.625) Context Switch Count 132 LargeStack UserTime 00:00:00.031 KernelTime 00:00:00.109 Win32 Start Address AppA!WinMainCRTStartup (0×00000000658c9866) Stack Init fffffa6008832db0 Current fffffa6008832670 Base fffffa6008833000 Limit fffffa600882a000 Call 0 Priority 10 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5 Kernel stack not resident. Child-SP RetAddr Call Site fffffa60`088326b0 fffff800`01e5ccfa nt!KiSwapContext+0×7f fffffa60`088327f0 fffff800`01e519bb nt!KiSwapThread+0×13a fffffa60`08832860 fffff800`01e86b12 nt!KeWaitForSingleObject+0×2cb fffffa60`088328f0 fffff800`020d40b4 nt!AlpcpSignalAndWait+0×92 fffffa60`08832980 fffff800`020d0b46 nt!AlpcpReceiveSynchronousReply+0×44 fffffa60`088329e0 fffff800`020c06ef nt!AlpcpProcessSynchronousRequest+0×24f fffffa60`08832b00 fffff800`01e5a573 nt!NtAlpcSendWaitReceivePort+0×19f fffffa60`08832bb0 00000000`77cb76ca nt!KiSystemServiceCopyEnd+0×13 (TrapFrame @ fffffa60`08832c20) 00000000`000be3f8 00000000`7578993f ntdll!ZwAlpcSendWaitReceivePort+0xa 00000000`000be400 00000000`7577a996 wow64!whNtAlpcSendWaitReceivePort+0×5f 00000000`000be450 00000000`75813688 wow64!Wow64SystemServiceEx+0xca 00000000`000bed00 00000000`7577ab46 wow64cpu!ServiceNoTurbo+0×28 00000000`000bed90 00000000`7577a14c wow64!RunCpuSimulation+0xa 00000000`000bedc0 00000000`77cabbb3 wow64!Wow64LdrpInitialize+0×4b4 00000000`000bf320 00000000`77cab83c ntdll!LdrpInitializeProcess+0×13eb 00000000`000bf5c0 00000000`77c9660e ntdll! ?? ::FNODOBFM::`string′+0×1fbc9 00000000`000bf670 00000000`00000000 ntdll!LdrInitializeThunk+0xe
0: kd> !alpc /m fffff8800f487cf0
Message @ fffff8800f487cf0 MessageID : 0x0640 (1600) CallbackID : 0x36C184 (3588484) SequenceNumber : 0x00000002 (2) Type : LPC_REQUEST DataLength : 0x0048 (72) TotalLength : 0x0070 (112) Canceled : No Release : No ReplyWaitReply : No Continuation : Yes OwnerPort : fffffa80061946c0 [ALPC_CLIENT_COMMUNICATION_PORT] WaitingThread : fffffa8006db8440 QueueType : ALPC_MSGQUEUE_PENDING QueuePort : fffffa8004b37d90 [ALPC_CONNECTION_PORT] QueuePortOwnerProcess : fffffa8004b11c10 (ServiceA.exe) ServerThread : fffffa80066d44b0 QuotaCharged : No CancelQueuePort : 0000000000000000 CancelSequencePort : 0000000000000000 CancelSequenceNumber : 0×00000000 (0) ClientContext : 00000000007a5630 ServerContext : 0000000000000000 PortContext : 0000000005aa3ef0 CancelPortContext : 0000000000000000 SecurityData : 0000000000000000 View : 0000000000000000
0: kd> !thread fffffa80066d44b0 3f THREAD fffffa80066d44b0 Cid 07d0.1bec Teb: 000007fffffa2000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable fffffa800728e420 SynchronizationEvent Impersonation token: fffff8800a245050 (Level Impersonation) DeviceMap fffff88015685f30 Owning Process fffffa8004b11c10 Image: ServiceA.exe Attached Process N/A Image: N/A Wait Start TickCount 4244188 Ticks: 453082 (0:01:57:59.406) Context Switch Count 43 UserTime 00:00:00.015 KernelTime 00:00:00.000 Win32 Start Address RPCRT4!ThreadStartRoutine (0×000007feff787780) Stack Init fffffa6009abbdb0 Current fffffa6009abb940 Base fffffa6009abc000 Limit fffffa6009ab6000 Call 0 Priority 10 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5 Kernel stack not resident. Child-SP RetAddr Call Site fffffa60`09abb980 fffff800`01e5ccfa nt!KiSwapContext+0×7f fffffa60`09abbac0 fffff800`01e519bb nt!KiSwapThread+0×13a fffffa60`09abbb30 fffff800`020be7c8 nt!KeWaitForSingleObject+0×2cb fffffa60`09abbbc0 fffff800`01e5a573 nt!NtWaitForSingleObject+0×98 fffffa60`09abbc20 00000000`77cb6eba nt!KiSystemServiceCopyEnd+0×13 (TrapFrame @ fffffa60`09abbc20) 00000000`096eedb8 00000000`77c9577a ntdll!ZwWaitForSingleObject+0xa 00000000`096eedc0 00000000`77c95671 ntdll!RtlpWaitOnCriticalSection+0xea 00000000`096eee70 00000000`667dfe24 ntdll!RtlEnterCriticalSection+0xf4 [...]
If we examine ServiceA process we find a critical section wait chain (Volume 1, page 490) where an endpoint is blocked in a dialog box (Volume 6, page 63):
0: kd> .process /r /p fffffa8004b11c10 Implicit process is now fffffa80`04b11c10 Loading User Symbols
0: kd> !cs -l -o -s ----------------------------------------- DebugInfo = 0x00000000003a4880 Critical section = 0x000000006684d4c0 LOCKED LockCount = 0×3 WaiterWoken = No OwningThread = 0×00000000000023f0 RecursionCount = 0×1 LockSemaphore = 0×608 SpinCount = 0×0000000000000000 OwningThread = .thread fffffa8006948650 ntdll!RtlpStackTraceDataBase is NULL. Probably the stack traces are not enabled. ______________ DebugInfo = 0×00000000003b7140 Critical section = 0×000000000023f188 (+0×23F188) LOCKED LockCount = 0×2 WaiterWoken = No OwningThread = 0×0000000000000a38 RecursionCount = 0×1 LockSemaphore = 0×344 SpinCount = 0×0000000000000000 OwningThread = .thread fffffa8005d3ebb0 ntdll!RtlpStackTraceDataBase is NULL. Probably the stack traces are not enabled.
0: kd> .thread /r /p fffffa8006948650 Implicit thread is now fffffa80`06948650 Implicit process is now fffffa80`04b11c10 Loading User Symbols
0: kd> k *** Stack trace for last set context - .thread/.cxr resets it Child-SP RetAddr Call Site fffffa60`0b5ed980 fffff800`01e5ccfa nt!KiSwapContext+0x7f fffffa60`0b5edac0 fffff800`01e519bb nt!KiSwapThread+0x13a fffffa60`0b5edb30 fffff800`020be7c8 nt!KeWaitForSingleObject+0x2cb fffffa60`0b5edbc0 fffff800`01e5a573 nt!NtWaitForSingleObject+0x98 fffffa60`0b5edc20 00000000`77cb6eba nt!KiSystemServiceCopyEnd+0x13 00000000`089cef08 00000000`77c9577a ntdll!ZwWaitForSingleObject+0xa 00000000`089cef10 00000000`77c95671 ntdll!RtlpWaitOnCriticalSection+0xea 00000000`089cefc0 00000000`667e0ad7 ntdll!RtlEnterCriticalSection+0xf4 [...]
0: kd> .thread /r /p fffffa8005d3ebb0 Implicit thread is now fffffa80`05d3ebb0 Implicit process is now fffffa80`04b11c10 Loading User Symbols
0: kd> k *** Stack trace for last set context - .thread/.cxr resets it Child-SP RetAddr Call Site fffffa60`02ed4c50 fffff800`01e5ccfa nt!KiSwapContext+0x7f fffffa60`02ed4d90 fffff800`01e625eb nt!KiSwapThread+0x13a fffffa60`02ed4e00 fffff800`020bfc2e nt!KeWaitForMultipleObjects+0x2eb fffffa60`02ed4e80 fffff800`020c0273 nt!ObpWaitForMultipleObjects+0x26e fffffa60`02ed5340 fffff800`01e5a573 nt!NtWaitForMultipleObjects+0xe2 fffffa60`02ed5590 00000000`77cb742a nt!KiSystemServiceCopyEnd+0x13 00000000`034de248 00000000`77a8aff3 ntdll!NtWaitForMultipleObjects+0xa 00000000`034de250 00000000`77bbe2b5 kernel32!WaitForMultipleObjectsEx+0x10b 00000000`034de360 000007fe`fc3d14f2 USER32!RealMsgWaitForMultipleObjectsEx+0x129 00000000`034de400 000007fe`fc3d190f DUser!CoreSC::Wait+0x62 00000000`034de450 000007fe`fc3d188a DUser!CoreSC::WaitMessage+0x6f 00000000`034de490 00000000`77bc538e DUser!MphWaitMessageEx+0x36 00000000`034de4c0 00000000`77cb6db6 USER32!_ClientWaitMessageExMPH+0x1a 00000000`034de510 00000000`77bbd2ba ntdll!KiUserCallbackDispatcherContinue 00000000`034de578 00000000`77bc5118 USER32!NtUserWaitMessage+0xa 00000000`034de580 00000000`77bc5770 USER32!DialogBox2+0×261 00000000`034de600 00000000`77bc57e6 USER32!InternalDialogBox+0×134 00000000`034de660 00000000`77bc5e18 USER32!DialogBoxIndirectParamAorW+0×58 00000000`034de6a0 000007fe`fcf349a6 USER32!DialogBoxIndirectParamW+0×18 [...]
..................Content has been hidden....................
You can't read the all page of ebook, please click here login for view all page.