我们将讨论调试器扩展,这些扩展允许您查看与LPC相关的问题。

LPC Kernel Debugger Extensions

Command

Description

!lpc

Display the list and description of all the !lpc commands

!lpc message [MessageId]

Display the message with a given ID and all related information by attempting to match the given Message ID to the EHTREAD->LpcReceivedMessageId and to the ETHREAD->LpcReplyMessageId of all threads in the system.

If the MessageId parameter is omitted then it attempts to display all the outstanding messages in the system by searching for the tag ‘LpcM’ in the pools.

!lpc port [PortAddress]

Displays port information. If a server connection port address is specified then only information about that port is displayed. If either a client or server communication port is specified it prints information about the specified communication port, the peer communication port and the server connection port.

If the PortAddress parameter is omitted then it attempts to walk the list of all objects of type “Port” and “WaitablePort” and display them. Note that for this feature to work the GFlags option “+otl” i.e. “Maintain a list of objects for each type” must be enabled.

!lpc scan PortAddress

Displays port information. It attempts to walk the list of all objects of type “Port” and “WaitablePort” and display the one matching the specified port address. Note that for this feature to work the GFlags option “+otl” i.e. “Maintain a list of objects for each type” must be enabled.

!lpc thread [ThreadAddr]

If ThreadAddr is specified it walks the list of threads in the ETHREAD-> LpcReplyChain to locate the list head i.e. a “Port” or “WaitablePort” object on which the thread is waiting for a reply.

If the ThreadAddr parameter is omitted then it attempts to find all LPC server threads by looking for threads with a non-NULL EHTREAD->LpcReceivedMessageId and all client threads by looking for threads with a non-NULL ETHREAD->LpcReplyMessageId and displays them.

!lpc PoolSearch

Toggles a setting that controls whether the “lpc message” command will search for LPC message tag (‘LpcM’) in the kernel pools or not.

LPC Kernel Debugger Extension Usage

来自调用堆栈的LPC连接端口信息
在LPC数据传输或LPC连接上阻塞的任何客户端或服务器线程的调用堆栈上,将有一个包含函数NtRequestWaitReplyPort()或NtReplyWaitReceivePortEx()之一的帧。其中任何一个函数的第一个参数是它们被阻塞的端口的句柄。

kd> !thread 810de2a8



THREAD 810de2a8 Cid 01dc.01f4 Teb: 7ffde000 Win32Thread:00000000 WAIT: (WrLpcReceive) UserMode Non-Alertable81131188 Semaphore Limit 0x7fffffff810de398 NotificationTimer



Not impersonating



DeviceMap e196c460



Owning Process 810ddda0 Image: rpclpcs.exe



Wait Start TickCount64666666 Ticks: 402 (0:00:00:04.025)



Context Switch Count2UserTime00:00:00.000KernelTime00:00:00.000Win32 Start Address0x77e76bf0Start Address0x7c810856Stack Init f8e28000 Current f8e27c4c Base f8e28000 Limit f8e25000 Call0Priority8 BasePriority 8 PriorityDecrement 0 DecrementCount 0ChildEBP RetAddr Args to Child



f8e27c64 804dc6a6 810de318 810de2a8 804dc6f2 nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])



f8e27c70 804dc6f2 e1084108 8055a540 e1084108 nt!KiSwapThread+0x46 (FPO: [0,0,0])



f8e27c98 8056a50a00000001 00000010 00000001 nt!KeWaitForSingleObject+0x1c2 (FPO: [Non-Fpo])



f8e27d48 804df06b 000007c4 002bff7000000000 nt!NtReplyWaitReceivePortEx+0x3dc (FPO: [Non-Fpo])



f8e27d48 7c90eb94 000007c4 002bff7000000000 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ f8e27d64)



002bff8000000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])



kd> !handle 7c4 3810ddda0



processor number0, process 810ddda0



PROCESS 810ddda0 SessionId:0Cid: 01dc Peb: 7ffd9000 ParentCid: 01b4



    DirBase: 058cd000 ObjectTable: e1a13278 HandleCount:18.



    Image: rpclpcs.exe



Handle table at e107d000 with18 Entries inuse



07c4: Object: e1084108 GrantedAccess: 001f0001 Entry: e107df88



Object: e1084108 Type: (812b5c80) Port



    ObjectHeader: e10840f0 (old version)



        HandleCount:1 PointerCount: 4Directory Object: e14c72c8 Name: rpclpc



kd> !lpc port e1084108



Server connection port e1084108 Name: rpclpc



    Handles:1 References: 4Server process : 810ddda0 (rpclpcs.exe)



    Queue semaphore :81131188Semaphore state0 (0x0)



    The message queue is empty



    The LpcDataInfoChainHead queue is empty



LPC Messages that are waiting to be picked up by the server thread

标签: none

添加新评论