67.windbg-!thread、.thread（内核）

来源：互联网发布：app软件开发软件编辑：程序博客网时间：2024/05/16 00:42

!thread扩展显示目标系统中线程包括ETHREAD块在内的摘要信息。该命令只能在内核模式调试下使用

!thread [-p] [-t] [Address [Flags]]

-p

显示拥有该线程的进程的摘要信息。

-t

包含这个选项时，Address是线程ID，而不是线程地址。

Address

指定目标机上线程的16进制地址。如果Address为-1或省略，则表示当前线程。

Flags

指定显示的详细级别。Flags可以是下面这些位的任意组合。如果Flags为0，只会显示最少量的信息。默认为0x6：

Bit 1 (0x2): 显示线程的等待状态。
Bit 2 (0x4): 如果不和Bit 1(0x2)一起使用则不会起作用。如果和Bit 1一起使用，线程会和调用堆栈一起显示出来。
Bit 3 (0x8): (Windows XP和之后)
在每个函数的显示信息中加入返回地址、堆栈指针、以及bsp寄存器的值(在Itanium系统中)，但是不显示函数的参数。
Bit 4 (0x10): (Windows XP和之后) 在这个命令持续期间，将进程上下文设置为拥有指定线程的那个进程。这回使得线程调用堆栈的显示更加精确。

显示当前线程的详细信息：

kd> !thread -1 6THREAD 821ec390  Cid 06e8.06e4  Teb: 7ffdd000 Win32Thread: 00000000 RUNNING on processor 0IRP List:    82265a38: (0006,0094) Flags: 00000a00  Mdl: 81e91b68Not impersonatingDeviceMap                 e19c40c8Owning Process            0       Image:         <Unknown>Attached Process          821f5da0       Image:         test.exeWait Start TickCount      21156          Ticks: 1 (0:00:00:00.015)Context Switch Count      22             UserTime                  00:00:00.000KernelTime                00:00:00.031Win32 Start Address test (0x00401356)Start Address kernel32!BaseProcessStartThunk (0x7c8106f5)Stack Init b2325000 Current b2324b84 Base b2325000 Limit b2322000 Call 0Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0ChildEBP RetAddr  Args to Child              b2324c80 80580982 82265aa8 00000000 82265a38 nt!IopfCallDriver+0x31 (FPO: [0,0,0])b2324c94 8057e4c9 81e6a518 82265a38 822272d8 nt!IopSynchronousServiceTail+0x70 (FPO: [7,0,4])b2324d38 8054261c 00000038 00000000 00000000 nt!NtWriteFile+0x5d7 (FPO: [Non-Fpo])b2324d38 7c92e4f4 00000038 00000000 00000000 nt!KiFastCallEntry+0xfc (FPO: [0,0] TrapFrame @ b2324d64)0012fee0 7c92df6c 7c810e86 00000038 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])0012fee4 7c810e86 00000038 00000000 00000000 ntdll!ZwWriteFile+0xc (FPO: [9,0,0])0012ff44 00401070 00000038 0012ff60 0000000a kernel32!WriteFile+0xf7 (FPO: [Non-Fpo])WARNING: Stack unwind information not available. Following frames may be wrong.0012ff7c 0040120e 00000001 003d3ef8 003d2eb8 test+0x10700012ffc0 7c817067 00310031 00330031 7ffde000 test+0x120e0012fff0 00000000 00401356 00000000 78746341 kernel32!BaseProcessStart+0x23 (FPO: [Non-Fpo])

.thread 命令指定哪个线程用作寄存器上下文。

和.process有点相似

当前线程：

kd> .threadImplicit thread is now 80553740

.thread /r /p xxx同样是切换到指定的线程，但.thread同时可以切换回中断的线程上下文

kd> .thread /p /r 81e64da8  Implicit thread is now 81e64da8Implicit process is now 821f5da0.cache forcedecodeuser doneLoading User Symbols.........kd> kv  *** Stack trace for last set context - .thread/.cxr resets itChildEBP RetAddr  Args to Child              b29b6cb8 80504836 81e64e18 81e64da8 804fc068 nt!KiSwapContext+0x2f (FPO: [Uses EBP] [0,0,4])b29b6cc4 804fc068 00000000 b29b6d1c 00000000 nt!KiSwapThread+0x8a (FPO: [0,0,0])b29b6cec 805c1750 00000001 00000006 004db801 nt!KeWaitForSingleObject+0x1c2 (FPO: [5,5,4])b29b6d50 8054261c 00000010 00000000 b29b6d1c nt!NtWaitForSingleObject+0x9a (FPO: [Non-Fpo])b29b6d50 7c92e4f4 00000010 00000000 b29b6d1c nt!KiFastCallEntry+0xfc (FPO: [0,0] TrapFrame @ b29b6d64)003cfa70 7c92df3c 7c8025db 00000010 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])003cfa74 7c8025db 00000010 00000000 003cfaa8 ntdll!NtWaitForSingleObject+0xc (FPO: [3,0,0])003cfad8 7c802542 00000010 00002710 00000000 kernel32!WaitForSingleObjectEx+0xa8 (FPO: [Non-Fpo])003cfaec 7c875f27 00000010 00002710 00000000 kernel32!WaitForSingleObject+0x12 (FPO: [2,0,0])003cffb4 7c80b713 00000000 00610072 006f0074 kernel32!ConsoleIMERoutine+0xf4 (FPO: [1,300,4])003cffec 00000000 7c875e33 00000000 00000000 kernel32!BaseThreadStart+0x37 (FPO: [Non-Fpo])kd> .threadImplicit thread is now 821ec390kd> kvChildEBP RetAddr  Args to Child              b2324c80 80580982 82265aa8 00000000 82265a38 nt!IopfCallDriver+0x31 (FPO: [0,0,0])b2324c94 8057e4c9 81e6a518 82265a38 822272d8 nt!IopSynchronousServiceTail+0x70 (FPO: [7,0,4])b2324d38 8054261c 00000038 00000000 00000000 nt!NtWriteFile+0x5d7 (FPO: [Non-Fpo])b2324d38 7c92e4f4 00000038 00000000 00000000 nt!KiFastCallEntry+0xfc (FPO: [0,0] TrapFrame @ b2324d64)0012fee0 7c92df6c 7c810e86 00000038 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])0012fee4 7c810e86 00000038 00000000 00000000 ntdll!ZwWriteFile+0xc (FPO: [9,0,0])*** ERROR: Module load completed but symbols could not be loaded for test.exe0012ff44 00401070 00000038 0012ff60 0000000a kernel32!WriteFile+0xf7 (FPO: [Non-Fpo])WARNING: Stack unwind information not available. Following frames may be wrong.0012ff7c 0040120e 00000001 003d3ef8 003d2eb8 test+0x10700012ffc0 7c817067 00310031 00330031 7ffde000 test+0x120e

可以看到不同的线程时，对应不同的堆栈

0 0