
Analysis of the win32k!xxxDesktopThread thread: the read issued by win32k!StartDeviceRead reaches mouclass!MouseClassHandleRead, and the thread enters a wait state when there is no data to read



1: kd> g
Breakpoint 58 hit
eax=00000003 ebx=00000000 ecx=898fda68 edx=89839c90 esi=89839c90 edi=897a0c78
eip=f751bc0a esp=f75f672c ebp=f75f6744 iopl=0 nv up ei ng nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000286
mouclass!MouseClassRead:
f751bc0a 55 push ebp
1: kd> dv
Device = 0x897a0c78 Device for "\Driver\Mouclass"
Irp = 0x89839c90

1: kd> kc
#
00 mouclass!MouseClassRead
01 nt!IofCallDriver
02 nt!IopSynchronousServiceTail
03 nt!NtReadFile
04 nt!_KiSystemService
05 nt!ZwReadFile
06 win32k!StartDeviceRead
07 win32k!InputApc
08 nt!KiDeliverApc
09 nt!KiSwapThread
0a nt!KeWaitForMultipleObjects
0b win32k!xxxMsgWaitForMultipleObjects
0c win32k!xxxDesktopThread
0d win32k!xxxCreateSystemThreads
0e win32k!NtUserCallOneParam
0f nt!_KiSystemService
10 SharedUserData!SystemCallStub
11 winsrv!NtUserCallOneParam

1: kd> g
Breakpoint 59 hit
eax=00000000 ebx=00000103 ecx=00000000 edx=00000000 esi=89839c90 edi=897a0d30
eip=f7519f1c esp=f75f6710 ebp=f75f6728 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
mouclass!MouseClassHandleRead:
f7519f1c 55 push ebp
1: kd> dv
DeviceExtension = 0x897a0d30
Irp = 0x89839c90
status = 0n-145645795
completeIrp = 0x00 ''
irql = 0x00 ''
1: kd> dx -id 0,0,89831250 -r1 ((mouclass!_DEVICE_EXTENSION *)0x897a0d30)
((mouclass!_DEVICE_EXTENSION *)0x897a0d30) : 0x897a0d30 [Type: _DEVICE_EXTENSION *]
[+0x000] Self : 0x897a0c78 : Device for "\Driver\Mouclass" [Type: _DEVICE_OBJECT *]
[+0x004] TrueClassDevice : 0x897a0c78 : Device for "\Driver\Mouclass" [Type: _DEVICE_OBJECT *]
[+0x008] TopPort : 0x897f9020 : Device for "\Driver\mouhid" [Type: _DEVICE_OBJECT *]
[+0x00c] PDO : 0x89764948 : Device for "\Driver\hidusb" [Type: _DEVICE_OBJECT *]
[+0x010] RemoveLock [Type: _IO_REMOVE_LOCK]
[+0x068] PnP : 0x1 [Type: unsigned char]
[+0x069] Started : 0x1 [Type: unsigned char]
[+0x06a] OkayToLogOverflow : 0x1 [Type: unsigned char]
[+0x06c] WaitWakeSpinLock : 0x0 [Type: unsigned long]
[+0x070] TrustedSubsystemCount : 0x1 [Type: unsigned long]
[+0x074] InputCount : 0x0 [Type: unsigned long]
[+0x078] SymbolicLinkName : "\??\HID#Vid_0e0f&Pid_0003&MI_01#8&51f168b&0&0000#{378de44c-56ef-11d1-bc8c-00a0c91405dd}" [Type: _UNICODE_STRING]
[+0x080] InputData : 0x8988f530 [Type: _MOUSE_INPUT_DATA *]
[+0x084] DataIn : 0x8988f5a8 [Type: _MOUSE_INPUT_DATA *]
[+0x088] DataOut : 0x8988f5a8 [Type: _MOUSE_INPUT_DATA *]
[+0x08c] MouseAttributes [Type: _MOUSE_ATTRIBUTES]
[+0x098] SpinLock : 0x0 [Type: unsigned long]
[+0x09c] ReadQueue [Type: _LIST_ENTRY]
[+0x0a4] SequenceNumber : 0x4 [Type: unsigned long]
[+0x0a8] DeviceState : PowerDeviceD0 (1) [Type: _DEVICE_POWER_STATE]
[+0x0ac] SystemState : PowerSystemWorking (1) [Type: _SYSTEM_POWER_STATE]
[+0x0b0] UnitId : 0x0 [Type: unsigned long]
[+0x0b4] WmiLibInfo [Type: _WMILIB_CONTEXT]
[+0x0d4] SystemToDeviceState [Type: _DEVICE_POWER_STATE [5]]
[+0x0e8] MinDeviceWakeState : PowerDeviceD0 (1) [Type: _DEVICE_POWER_STATE]
[+0x0ec] MinSystemWakeState : PowerSystemSleeping1 (2) [Type: _SYSTEM_POWER_STATE]
[+0x0f0] WaitWakeIrp : 0x0 [Type: _IRP *]
[+0x0f4] ExtraWaitWakeIrp : 0x0 [Type: _IRP *]
[+0x0f8] TargetNotifyHandle : 0x0 [Type: void *]
[+0x0fc] Link [Type: _LIST_ENTRY]
[+0x104] File : 0x0 [Type: _FILE_OBJECT *]
[+0x108] Enabled : 0x0 [Type: unsigned char]
[+0x109] WaitWakeEnabled : 0x0 [Type: unsigned char]
[+0x10a] SurpriseRemoved : 0x0 [Type: unsigned char]
1: kd> g
Breakpoint 46 hit
eax=00000000 ebx=f7737000 ecx=00000000 edx=f7739fa0 esi=f7739fa0 edi=89804020
eip=80b007f0 esp=f75f6934 ebp=f75f697c iopl=0 nv up ei ng nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000282
nt!SwapContext:
80b007f0 51 push ecx


1: kd> g
Breakpoint 4 hit
eax=00000002 ebx=8979d3c0 ecx=89485cd8 edx=00000000 esi=898d4030 edi=898d40f4
eip=80a26a00 esp=f789ee3c ebp=f789eeac iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
nt!IopfCompleteRequest:
80a26a00 55 push ebp
0: kd> !thread 89804020
THREAD 89804020 Cid 01b0.01e0 Teb: 7ffd8000 Win32Thread: e1639460 WAIT: (WrUserRequest) UserMode Non-Alertable
8957cd20 SynchronizationEvent
89505548 SynchronizationEvent
89804b80 SynchronizationEvent
IRP List:
89839c90: (0006,01d8) Flags: 00000970 Mdl: 00000000
894f8458: (0006,01d8) Flags: 00000970 Mdl: 00000000
8989e008: (0006,0190) Flags: 00000970 Mdl: 00000000
89756e70: (0006,0190) Flags: 00000970 Mdl: 00000000
Not impersonating
DeviceMap e10003d8
Owning Process 89831250 Image: csrss.exe
Attached Process N/A Image: N/A
Wait Start TickCount 274655524 Ticks: 2 (0:00:00:00.031)
Context Switch Count 622 IdealProcessor: 1 LargeStack
UserTime 00:00:00.000
KernelTime 00:00:01.484
Stack Init f75f7000 Current f75f692c Base f75f7000 Limit f75f4000 Call 00000000
Priority 15 BasePriority 13 PriorityDecrement 0 IoPriority 0 PagePriority 0
ChildEBP RetAddr Args to Child
f75f6944 80a440eb f7737120 89804020 89804080 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4]) [d:\srv03rtm\base\ntos\ke\i386\ctxswap.asm @ 139]
f75f697c 80a358c7 00000000 e1639460 00000002 nt!KiSwapThread+0x627 (FPO: [Non-Fpo]) (CONV: fastcall) [d:\srv03rtm\base\ntos\ke\thredsup.c @ 2000]
f75f69b4 bf8a4685 00000003 89804b50 00000001 nt!KeWaitForMultipleObjects+0x3b5 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\ke\wait.c @ 816]
f75f6a04 bf8b123e 00000002 89804b50 bf8fe215 win32k!xxxMsgWaitForMultipleObjects+0xeb (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\kernel\queue.c @ 4540]
f75f6d1c bf8b21ba bfa70aa0 00000001 f75f6d48 win32k!xxxDesktopThread+0x437 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\kernel\desktop.c @ 594]
f75f6d2c bf806d52 bfa70aa0 f75f6d58 008cfff4 win32k!xxxCreateSystemThreads+0x9c (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\kernel\desktop.c @ 347]
f75f6d48 80afbcb2 00000000 00000022 80afb956 win32k!NtUserCallOneParam+0xa0 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\kernel\ntstubs.c @ 4789]
f75f6d48 7ffe0304 00000000 00000022 80afb956 nt!_KiSystemService+0x13f (FPO: [0,3] TrapFrame @ f75f6d64) (CONV: cdecl) [d:\srv03rtm\base\ntos\ke\i386\trap.asm @ 1328]
00000000 00000000 00000000 00000000 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])
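The trace above shows the whole round trip: xxxDesktopThread calls StartDeviceRead, which issues ZwReadFile against the \Driver\Mouclass device; MouseClassHandleRead finds the class driver's ring buffer empty (InputCount is 0 and DataIn equals DataOut at 0x8988f5a8), so the IRP 89839c90 stays on the thread's IRP list and the thread goes back to sleep in KeWaitForMultipleObjects. The following C program is an added model of that mechanism written for this page; it is not the mouclass source. It reuses the field names from the _DEVICE_EXTENSION dump (InputData, DataIn, DataOut, InputCount, ReadQueue), but the ring size, the fixed-size pending-read queue, the simplified MOUSE_INPUT_DATA layout and the overflow policy are assumptions of the model. The status codes for success, pending and insufficient resources are the standard NTSTATUS values.

```c
/* Model of a mouse class driver's per-device ring buffer and pending-read
 * queue. Written for this page; NOT the mouclass source. Field names follow
 * the _DEVICE_EXTENSION dump; RING_PACKETS, MAX_PENDING, the IRP model and
 * the simplified packet layout are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define STATUS_SUCCESS                0x00000000L
#define STATUS_PENDING                0x00000103L
#define STATUS_INSUFFICIENT_RESOURCES 0xC000009AL
#define RING_PACKETS 4   /* assumed ring capacity (the real driver sizes it from the registry) */
#define MAX_PENDING  4   /* assumed bound on queued reads; the real ReadQueue is a LIST_ENTRY */

typedef struct {             /* simplified; the real struct has more fields */
    uint16_t UnitId, Flags, ButtonFlags, ButtonData;
    int32_t  LastX, LastY;
} MOUSE_INPUT_DATA;

typedef struct {             /* stand-in for an IRP carrying a read request */
    MOUSE_INPUT_DATA *Buffer;   /* caller's output buffer */
    size_t Capacity;            /* packets requested */
    size_t Information;         /* packets returned on completion */
    long   Status;
    int    Completed;
} IRP_MODEL;

typedef struct {
    MOUSE_INPUT_DATA  InputData[RING_PACKETS];
    MOUSE_INPUT_DATA *DataIn;   /* next slot the service callback writes */
    MOUSE_INPUT_DATA *DataOut;  /* next slot a read drains */
    unsigned long     InputCount;
    unsigned long     OverflowCount;
    IRP_MODEL        *ReadQueue[MAX_PENDING];  /* FIFO of pended reads */
    size_t            QueueHead, QueueLen;
} DEVICE_EXTENSION_MODEL;

void mc_init(DEVICE_EXTENSION_MODEL *ext) {
    memset(ext, 0, sizeof *ext);
    ext->DataIn = ext->DataOut = ext->InputData;  /* empty ring: DataIn == DataOut */
}

static MOUSE_INPUT_DATA *mc_advance(DEVICE_EXTENSION_MODEL *ext, MOUSE_INPUT_DATA *p) {
    ++p;
    return (p == ext->InputData + RING_PACKETS) ? ext->InputData : p;
}

/* Copy up to irp->Capacity packets out of the ring and complete the IRP. */
static void mc_complete_read(DEVICE_EXTENSION_MODEL *ext, IRP_MODEL *irp) {
    size_t n = 0;
    while (n < irp->Capacity && ext->InputCount > 0) {
        irp->Buffer[n++] = *ext->DataOut;
        ext->DataOut = mc_advance(ext, ext->DataOut);
        ext->InputCount--;
    }
    irp->Information = n;
    irp->Status = STATUS_SUCCESS;
    irp->Completed = 1;
}

/* MouseClassHandleRead equivalent: with no data the IRP is marked pending
 * and queued, and the caller (ZwReadFile in the trace) ends up waiting. */
long mc_handle_read(DEVICE_EXTENSION_MODEL *ext, IRP_MODEL *irp) {
    irp->Completed = 0;
    if (ext->InputCount == 0) {
        if (ext->QueueLen == MAX_PENDING) { irp->Status = STATUS_INSUFFICIENT_RESOURCES; return irp->Status; }
        ext->ReadQueue[(ext->QueueHead + ext->QueueLen) % MAX_PENDING] = irp;
        ext->QueueLen++;
        irp->Status = STATUS_PENDING;
        return STATUS_PENDING;
    }
    mc_complete_read(ext, irp);       /* data available: complete synchronously */
    return irp->Status;
}

/* Service-callback equivalent: the port driver hands in packets; they go into
 * the ring, excess is counted as overflow, and the oldest pended read is completed. */
size_t mc_service_callback(DEVICE_EXTENSION_MODEL *ext, const MOUSE_INPUT_DATA *pk, size_t n) {
    size_t accepted = 0;
    for (; accepted < n; accepted++) {
        if (ext->InputCount == RING_PACKETS) { ext->OverflowCount += n - accepted; break; }
        *ext->DataIn = pk[accepted];
        ext->DataIn = mc_advance(ext, ext->DataIn);
        ext->InputCount++;
    }
    while (ext->QueueLen > 0 && ext->InputCount > 0) {
        IRP_MODEL *irp = ext->ReadQueue[ext->QueueHead];
        ext->QueueHead = (ext->QueueHead + 1) % MAX_PENDING;
        ext->QueueLen--;
        mc_complete_read(ext, irp);
    }
    return accepted;
}

/* Replays the situation in the log (read on an empty ring pends, data arrives,
 * the pended read completes) plus the synchronous and overflow paths.
 * Returns 0 on success or the number of the first failing step. */
int mc_run_scenario(void) {
    DEVICE_EXTENSION_MODEL ext;
    MOUSE_INPUT_DATA out[2], out2[2];
    MOUSE_INPUT_DATA pk[6] = {{0,0,0,0,5,-3},{0,0,1,0,0,0},{0,0,2,0,1,1},   /* constructed packets */
                              {0,0,0,0,2,2},{0,0,0,0,3,3},{0,0,0,0,4,4}};
    IRP_MODEL irp = { out, 2, 0, 0, 0 }, irp2 = { out2, 2, 0, 0, 0 };
    mc_init(&ext);
    if (mc_handle_read(&ext, &irp) != STATUS_PENDING || irp.Completed ||
        ext.QueueLen != 1 || ext.DataIn != ext.DataOut) return 1;          /* pends, like the trace */
    if (mc_service_callback(&ext, pk, 3) != 3 || !irp.Completed ||
        irp.Information != 2 || out[0].LastX != 5 || ext.InputCount != 1) return 2;
    if (mc_handle_read(&ext, &irp2) != STATUS_SUCCESS || irp2.Information != 1 ||
        ext.InputCount != 0 || ext.DataIn != ext.DataOut) return 3;        /* synchronous path */
    if (mc_service_callback(&ext, pk, 6) != RING_PACKETS || ext.OverflowCount != 2) return 4;
    return 0;
}

int main(void) {
    int r = mc_run_scenario();
    printf("scenario %s (code %d)\n", r == 0 ? "passed" : "failed", r);
    return r;
}
```

The point the model makes explicit is the condition MouseClassHandleRead tests before deciding to pend: with InputCount 0 and DataIn == DataOut, exactly what the dump of 0x897a0d30 shows, the read cannot be satisfied, the IRP stays queued on the device (and on the thread's IRP list, as !thread 89804020 shows for 89839c90), and the only thing that can complete it is the service callback delivering packets from the port driver.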

http://www.jsqmd.com/news/122818/
