Reading Windows® Internals, Sixth Edition, Part 1 in full

You should ignore any values that do not correspond to the given object type, because they might be either incorrectly decoded by the debugger (because the wrong type or field is being used) or simply contain stale or invalid data from a previous allocation value. There is no defined correlation you can see between which fields apply to which object, other than by looking at the Windows kernel source code or the WDK header files’ comments. For convenience, Table 3-21 lists the dispatcher header flags and the objects to which they apply.

Table 3-21. Usage and Meaning of the Dispatcher Header Flags

Flag | Applies To | Meaning
--- | --- | ---
Absolute | Timers | The expiration time is absolute, not relative.
Coalescable | Periodic timers | Indicates whether coalescing should be used for this timer.
KeepShifting | Coalescable timers | Indicates whether the kernel dispatcher should keep trying to shift the timer's expiration time. Once alignment with the machine's periodic interval is reached, this becomes FALSE.
EncodedTolerableDelay | Coalescable timers | The maximum tolerance (encoded as a power-of-two shift) the timer can support when running outside its expected periodicity.
Abandoned | Mutexes | The thread holding the mutex was terminated.
Signaling | Gates | A priority boost should be applied to the woken thread when the gate is signaled.
CpuThrottled | Threads | CPU throttling has been enabled for this thread, such as when running under DFSS mode (Distributed Fair-Share Scheduler).
CycleProfiling | Threads | CPU cycle profiling has been enabled for this thread.
CounterProfiling | Threads | Hardware CPU performance counter monitoring/profiling has been enabled for this thread.
Size | All objects | Size of the object divided by 4, to fit in a single byte.
Hand | Timers | Index into the timer handle table.
Index | Timers | Index into the timer expiration table.
Inserted | Timers | Set if the timer was inserted into the timer handle table.
Expired | Timers | Set if the timer has already expired.
DebugActive | Processes | Specifies whether the process is being debugged.
ActiveDR7 | Threads | Hardware breakpoints are in use, so DR7 is active and must be sanitized during context operations.
Instrumented | Threads | Specifies whether the thread has a user-mode instrumentation callback (supported only on Windows for x64 processors).
UmsScheduled | Threads | This thread is a UMS worker (scheduled) thread.
UmsPrimary | Threads | This thread is a UMS scheduler (primary) thread.
DpcActive | Mutexes | The mutex was acquired during a DPC.
Lock | All objects | Used for locking an object during wait operations that need to modify its state or linkage; actually corresponds to bit 7 (0x80) of the Type field.

Apart from these flags, the Type field (bits 0 through 6, bit 7 being the lock bit) contains the identifier for the object. This identifier corresponds to a number in the KOBJECTS enumeration, which you can dump with the debugger:

lkd> dt nt!_KOBJECTS
   EventNotificationObject = 0
   EventSynchronizationObject = 1
   MutantObject = 2
   ProcessObject = 3
   QueueObject = 4
   SemaphoreObject = 5
   ThreadObject = 6
   GateObject = 7
   TimerNotificationObject = 8
   TimerSynchronizationObject = 9
   Spare2Object = 10
   Spare3Object = 11
   Spare4Object = 12
   Spare5Object = 13
   Spare6Object = 14
   Spare7Object = 15
   Spare8Object = 16
   Spare9Object = 17
   ApcObject = 18
   DpcObject = 19
   DeviceQueueObject = 20
   EventPairObject = 21
   InterruptObject = 22
   ProfileObject = 23
   ThreadedDpcObject = 24
   MaximumKernelObject = 25
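The following decoder is an added example, not code from the book: it reads the first four bytes of a dispatcher header the way the warning above and Table 3-21 require, keyed on the object Type, so that union members belonging to another object type are never reported. The KOBJECTS values come from the dump above; the byte and bit positions of the individual flags are an assumption taken from the Windows 7 x64 layout that dt nt!_DISPATCHER_HEADER prints, and should be confirmed with dt on the build being examined. The two header byte strings in main are constructed, not real dumps.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not the book's code). Layout ASSUMED from the Windows 7 x64
 * "dt nt!_DISPATCHER_HEADER" output; confirm on your own build:
 *  byte 0: Type, bit 7 = Lock
 *  byte 1: timers Absolute b0, Coalescable b1, KeepShifting b2, EncodedTolerableDelay b3-7;
 *          mutexes Abandoned; gates Signalling
 *  byte 2: timers Hand; threads CpuThrottled b0, CycleProfiling b1, CounterProfiling b2;
 *          everything else Size (object size / 4)
 *  byte 3: timers Index b0, Inserted b6, Expired b7; threads ActiveDR7 b0, Instrumented b1,
 *          UmsScheduled b6, UmsPrimary b7; processes DebugActive; mutexes DpcActive */

enum KOBJECTS {   /* values from the dt nt!_KOBJECTS dump above; 10..17 are Spare2..Spare9 */
    EventNotificationObject = 0, EventSynchronizationObject, MutantObject, ProcessObject,
    QueueObject, SemaphoreObject, ThreadObject, GateObject, TimerNotificationObject,
    TimerSynchronizationObject, ApcObject = 18, DpcObject, DeviceQueueObject, EventPairObject,
    InterruptObject, ProfileObject, ThreadedDpcObject, MaximumKernelObject
};
#define DISPATCHER_HEADER_LOCK_BIT 0x80

typedef struct {
    unsigned Type, SizeBytes, Hand, TolerableDelayShift;
    int Locked;
    int Absolute, Coalescable, KeepShifting, Index, Inserted, Expired;          /* timers    */
    int Abandoned, DpcActive;                                                   /* mutexes   */
    int Signalling;                                                             /* gates     */
    int CpuThrottled, CycleProfiling, CounterProfiling, ActiveDR7, Instrumented,
        UmsScheduled, UmsPrimary;                                               /* threads   */
    int DebugActive;                                                            /* processes */
} HeaderInfo;

static const char *const KObjectNames[MaximumKernelObject] = {
    "EventNotificationObject", "EventSynchronizationObject", "MutantObject", "ProcessObject",
    "QueueObject", "SemaphoreObject", "ThreadObject", "GateObject", "TimerNotificationObject",
    "TimerSynchronizationObject", "Spare2Object", "Spare3Object", "Spare4Object", "Spare5Object",
    "Spare6Object", "Spare7Object", "Spare8Object", "Spare9Object", "ApcObject", "DpcObject",
    "DeviceQueueObject", "EventPairObject", "InterruptObject", "ProfileObject", "ThreadedDpcObject"
};

const char *KObjectName(unsigned type)
{
    return type < MaximumKernelObject ? KObjectNames[type] : "(invalid)";
}

/* Returns 0 and fills *out, or -1 when the Type byte is not a valid KOBJECTS value.
 * Only the union members that apply to the decoded type are ever set; the rest
 * stay zero instead of being misreported from the overlapping bytes. */
int DecodeDispatcherHeader(const uint8_t hdr[4], HeaderInfo *out)
{
    memset(out, 0, sizeof *out);
    out->Type   = hdr[0] & 0x7F;
    out->Locked = (hdr[0] & DISPATCHER_HEADER_LOCK_BIT) != 0;
    if (out->Type >= MaximumKernelObject)
        return -1;

    if (out->Type == TimerNotificationObject || out->Type == TimerSynchronizationObject) {
        out->Absolute            = hdr[1] & 1;
        out->Coalescable         = (hdr[1] >> 1) & 1;
        out->KeepShifting        = (hdr[1] >> 2) & 1;
        out->TolerableDelayShift = hdr[1] >> 3;
        out->Hand                = hdr[2];            /* Hand overlays Size for timers */
        out->Index               = hdr[3] & 1;
        out->Inserted            = (hdr[3] >> 6) & 1;
        out->Expired             = (hdr[3] >> 7) & 1;
    } else if (out->Type == ThreadObject) {
        out->CpuThrottled     = hdr[2] & 1;           /* ThreadControlFlags overlay Size */
        out->CycleProfiling   = (hdr[2] >> 1) & 1;
        out->CounterProfiling = (hdr[2] >> 2) & 1;
        out->ActiveDR7        = hdr[3] & 1;
        out->Instrumented     = (hdr[3] >> 1) & 1;
        out->UmsScheduled     = (hdr[3] >> 6) & 1;
        out->UmsPrimary       = (hdr[3] >> 7) & 1;
    } else {
        out->SizeBytes = hdr[2] * 4u;                 /* Size is stored as size / 4 */
        if (out->Type == MutantObject) {
            out->Abandoned = hdr[1] != 0;
            out->DpcActive = hdr[3] != 0;
        } else if (out->Type == GateObject) {
            out->Signalling = hdr[1] != 0;
        } else if (out->Type == ProcessObject) {
            out->DebugActive = hdr[3] != 0;
        }
    }
    return 0;
}

int main(void)
{
    /* Constructed header bytes, not real dumps. */
    const uint8_t timer[4] = { TimerNotificationObject | DISPATCHER_HEADER_LOCK_BIT, 0x03, 0x05, 0xC0 };
    const uint8_t mutex[4] = { MutantObject, 0x01, 0x0E, 0x00 };
    HeaderInfo h;
    DecodeDispatcherHeader(timer, &h);
    printf("%s locked=%d absolute=%d coalescable=%d hand=%u inserted=%d expired=%d\n",
           KObjectName(h.Type), h.Locked, h.Absolute, h.Coalescable, h.Hand, h.Inserted, h.Expired);
    DecodeDispatcherHeader(mutex, &h);
    printf("%s abandoned=%d size=%u bytes\n", KObjectName(h.Type), h.Abandoned, h.SizeBytes);
    return 0;
}
```

The point of the type switch is the one the text makes: for a timer, byte 2 is Hand and nothing in the decoder will call it Size; for a mutex, byte 1 is Abandoned and the timer bits are never looked at. Stale bytes left over from a previous allocation are therefore only ever interpreted through the one union member that the Type says is live.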

When the two pointers in the object's WaitListHead (Flink and Blink) are identical, either no thread or exactly one thread is waiting on the object. Dumping a wait block for an object that is part of a multiple-object wait by one thread, or that multiple threads are waiting on, can yield the following:

lkd> dt nt!_KWAIT_BLOCK 0xfffffa80'053cf628
   +0x000 WaitListEntry    : _LIST_ENTRY [ 0xfffffa80'02efe568 - 0xfffffa80'02803468 ]
   +0x010 Thread           : 0xfffffa80'053cf520 _KTHREAD
   +0x018 Object           : 0xfffffa80'02803460
   +0x020 NextWaitBlock    : 0xfffffa80'053cf628 _KWAIT_BLOCK
   +0x028 WaitKey          : 0
   +0x02a WaitType         : 0x1 ''
   +0x02b BlockState       : 0x2 ''
   +0x02c SpareLong        : 8

Two things can be read directly from this dump. NextWaitBlock points back at the wait block itself, so this thread is waiting on this one object only. The second pointer of WaitListEntry (Blink, 0xfffffa80'02803468) is the Object address plus 8, that is, the object's own WaitListHead, while the first pointer (Flink, 0xfffffa80'02efe568) is a different wait block, so at least one other thread is waiting on the same object.

If the wait list has more than one entry, run the same dt command on the Flink pointer (the first value shown in WaitListEntry) of each wait block to walk the list: each Flink is the WaitListEntry of the next thread's wait block, and the walk ends when the pointer equals the object's WaitListHead (the Object address plus 8 on x64). Running !thread on the Thread pointer of each block identifies the thread that owns it. When the block is instead part of a collection of objects being waited on by a single thread, parse the NextWaitBlock field: it links that thread's wait blocks, one per object, in a ring that comes back to the starting block.
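The two traversals just described, as an added user-mode model that is not code from the book: WaitListEntry is walked from an object's WaitListHead to find every thread waiting on that object, and NextWaitBlock is walked from one of a thread's wait blocks to find every object that thread is waiting on. The structure definitions are simplified stand-ins with only the fields the text discusses, laid out so that WaitListHead sits at offset 8 of the object as in the dump above; the WaitType and BlockState values are copied from the dump and their encodings are assumed. The scenario built in BuildScenario (threads A and B, events E1 and E2) is constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example (not the book's code): user-mode model of the wait-block links. */

typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;
typedef struct _KTHREAD { const char *Name; } KTHREAD;   /* stand-in: identity only */

typedef struct _DISPATCHER_HEADER {
    int32_t    Lock;           /* Type/flags dword */
    int32_t    SignalState;
    LIST_ENTRY WaitListHead;   /* +8: wait blocks of every thread waiting here */
} DISPATCHER_HEADER;

typedef struct _KWAIT_BLOCK {
    LIST_ENTRY           WaitListEntry;  /* chain across threads, per object */
    KTHREAD             *Thread;
    DISPATCHER_HEADER   *Object;
    struct _KWAIT_BLOCK *NextWaitBlock;  /* ring across objects, per thread */
    uint16_t             WaitKey;        /* index of this object in the thread's wait */
    uint8_t              WaitType;       /* 1 as in the dump; taken to mean WaitAny (assumed) */
    uint8_t              BlockState;     /* 2 as in the dump; not decoded here */
} KWAIT_BLOCK;

#define CONTAINING_RECORD(addr, type, field) \
    ((type *)((char *)(addr) - offsetof(type, field)))

void InitDispatcherObject(DISPATCHER_HEADER *obj)
{
    obj->Lock = 0;
    obj->SignalState = 0;
    obj->WaitListHead.Flink = obj->WaitListHead.Blink = &obj->WaitListHead;
}

/* Flink == Blink holds for an empty list and for a one-entry list. */
int HasAtMostOneWaiter(const DISPATCHER_HEADER *obj)
{
    return obj->WaitListHead.Flink == obj->WaitListHead.Blink;
}

/* Thread t blocks on n objects: one wait block per object, the blocks closed
 * into a NextWaitBlock ring, and each block appended to its object's wait list. */
void WaitAnyOnObjects(KTHREAD *t, KWAIT_BLOCK *blocks, DISPATCHER_HEADER **objs, int n)
{
    for (int i = 0; i < n; i++) {
        KWAIT_BLOCK *b = &blocks[i];
        LIST_ENTRY *head = &objs[i]->WaitListHead;
        b->Thread = t;
        b->Object = objs[i];
        b->WaitKey = (uint16_t)i;
        b->WaitType = 1;
        b->BlockState = 2;
        b->NextWaitBlock = &blocks[(i + 1) % n];
        b->WaitListEntry.Flink = head;               /* InsertTailList */
        b->WaitListEntry.Blink = head->Blink;
        head->Blink->Flink = &b->WaitListEntry;
        head->Blink = &b->WaitListEntry;
    }
}

/* Walk Flink from the object's WaitListHead until it returns to the head; every
 * entry is a different thread's wait block. Returns the waiter count and stores
 * up to max KTHREAD pointers in out (out may be NULL). */
int CollectWaiters(const DISPATCHER_HEADER *obj, const KTHREAD **out, int max)
{
    int n = 0;
    for (const LIST_ENTRY *e = obj->WaitListHead.Flink; e != &obj->WaitListHead; e = e->Flink) {
        const KWAIT_BLOCK *b = CONTAINING_RECORD(e, KWAIT_BLOCK, WaitListEntry);
        if (out && n < max)
            out[n] = b->Thread;
        n++;
    }
    return n;
}

/* Walk NextWaitBlock until it returns to the starting block; every entry is
 * another object the same thread waits on. A self-pointer means a single object. */
int CountObjectsInWait(const KWAIT_BLOCK *first)
{
    int n = 0;
    const KWAIT_BLOCK *b = first;
    do { n++; b = b->NextWaitBlock; } while (b != first);
    return n;
}

/* Constructed scenario: thread A waits on E1 only; thread B waits on E1 and E2. */
typedef struct { DISPATCHER_HEADER E1, E2; KTHREAD A, B; KWAIT_BLOCK ABlk[1], BBlk[2]; } Scenario;

void BuildScenario(Scenario *s)
{
    DISPATCHER_HEADER *aObjs[1] = { &s->E1 };
    DISPATCHER_HEADER *bObjs[2] = { &s->E1, &s->E2 };
    InitDispatcherObject(&s->E1);
    InitDispatcherObject(&s->E2);
    s->A.Name = "A";
    s->B.Name = "B";
    WaitAnyOnObjects(&s->A, s->ABlk, aObjs, 1);
    WaitAnyOnObjects(&s->B, s->BBlk, bObjs, 2);
}

int main(void)
{
    Scenario s;
    const KTHREAD *w[4];
    BuildScenario(&s);
    int n = CollectWaiters(&s.E1, w, 4);
    printf("E1: %d waiter(s):", n);
    for (int i = 0; i < n; i++) printf(" %s", w[i]->Name);
    printf("\nE2: at most one waiter = %d\n", HasAtMostOneWaiter(&s.E2));
    printf("B's wait spans %d object(s); A's spans %d\n",
           CountObjectsInWait(&s.BBlk[0]), CountObjectsInWait(&s.ABlk[0]));
    return 0;
}
```

In the scenario, A's block was appended to E1 first, so its Blink is E1's WaitListHead and its Flink is B's block, which is the same shape as the dump above (Blink = Object + 8, Flink = another thread's block). Walking Flink from the head therefore yields A then B; walking NextWaitBlock from B's first block yields two objects, and from A's single block comes straight back to itself.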

Keyed Events
