Difference between revisions of "Techwiki:Win32k/desktops"
Revision as of 19:45, 11 October 2012
This is WIP!
Desktop creation:
Unmapping the startup desktop (bt from XP):
kd> k
ChildEBP RetAddr
f6f87aec 806024b0 win32k!UnmapDesktop
f6f87b18 80602572 nt!ExpWin32SessionCallout+0x3c
f6f87b44 805b11d3 nt!ExpWin32CloseProcedure+0x5c
f6f87b74 805b0b27 nt!ObpDecrementHandleCount+0x119
f6f87b9c 805b0bc5 nt!ObpCloseHandleTableEntry+0x14d
f6f87be4 805b0cd6 nt!ObpCloseHandle+0x87
f6f87bf8 bf87b773 nt!ObCloseHandle+0x12
f6f87c18 bf877114 win32k!DestroyProcessInfo+0x1f2
f6f87c40 bf8771bc win32k!xxxUserProcessCallout+0xb7
f6f87c5c 805c761b win32k!W32pProcessCallout+0x42
f6f87d08 805c7a3a nt!PspExitThread+0x423
f6f87d28 805c7c15 nt!PspTerminateThreadByPointer+0x52
f6f87d54 8053cbc8 nt!NtTerminateProcess+0x105
f6f87d54 7c91eb94 nt!KiFastCallEntry+0xf8
0022fdc4 7c91e89a ntdll!KiFastSystemCallRet
0022fe84 7c91f0aa ntdll!NtTerminateProcess+0xc
kd> k
ChildEBP RetAddr
f9aad9d0 806024b0 win32k!FreeDesktop
f9aad9fc 8060262f nt!ExpWin32SessionCallout+0x3c
f9aada14 805afb2f nt!ExpWin32DeleteProcedure+0x41
f9aada30 80522181 nt!ObpRemoveObjectRoutine+0xdf
f9aada54 bf8038ee nt!ObfDereferenceObject+0x5f
f9aada5c bf8029d3 win32k!UserDereferenceObject+0xe
f9aada68 bf8a58ba win32k!PopAndFreeW32ThreadLock+0x25
f9aadd30 bf88dc63 win32k!xxxDesktopThread+0x864
f9aadd40 bf8010ba win32k!xxxCreateSystemThreads+0x6a
f9aadd54 8053cbc8 win32k!NtUserCallOneParam+0x23
f9aadd54 7c91eb94 nt!KiFastCallEntry+0xf8
012dffe0 75b0ba1a ntdll!KiFastSystemCallRet
kd> k
ChildEBP RetAddr
f6845b34 806024b0 win32k!UnmapDesktop
f6845b60 80602572 nt!ExpWin32SessionCallout+0x3c
f6845b8c 805b11d3 nt!ExpWin32CloseProcedure+0x5c
f6845bbc 805b0b27 nt!ObpDecrementHandleCount+0x119
f6845be4 805b72e3 nt!ObpCloseHandleTableEntry+0x14d
f6845c04 8060329f nt!ObpCloseHandleProcedure+0x1f
f6845c34 805b73dc nt!ExSweepHandleTable+0x4f
f6845c60 805c77e1 nt!ObKillProcess+0x5c
f6845d08 805c7a3a nt!PspExitThread+0x5e9
f6845d28 805c7c15 nt!PspTerminateThreadByPointer+0x52
f6845d54 8053cbc8 nt!NtTerminateProcess+0x105
f6845d54 7c91eb94 nt!KiFastCallEntry+0xf8
0022fdc4 7c91e89a ntdll!KiFastSystemCallRet
0022fe84 7c91f0aa ntdll!NtTerminateProcess+0xc
0022fec4 7c81ca96 ntdll!RtlAnsiStringToUnicodeString+0x7d
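As an added example (not part of the wiki page), a small Python parser for the WinDbg `k` dumps above. It pulls out, for each trace, which win32k routine the object manager reached, which nt procedure issued the session callout (the close procedure leads to UnmapDesktop, the delete procedure to FreeDesktop) and which syscall started the chain, and it collapses the frames by module so the nt -> win32k re-entry is visible. The embedded trace text is the page's first dump; the function and field names are my own.

```python
import re
from collections import namedtuple
from itertools import groupby

# One 'kd> k' dump as printed on the page (x86 XP: ChildEBP RetAddr Symbol).
UNMAP_TRACE = """kd> k
ChildEBP RetAddr
f6f87aec 806024b0 win32k!UnmapDesktop
f6f87b18 80602572 nt!ExpWin32SessionCallout+0x3c
f6f87b44 805b11d3 nt!ExpWin32CloseProcedure+0x5c
f6f87b74 805b0b27 nt!ObpDecrementHandleCount+0x119
f6f87b9c 805b0bc5 nt!ObpCloseHandleTableEntry+0x14d
f6f87be4 805b0cd6 nt!ObpCloseHandle+0x87
f6f87bf8 bf87b773 nt!ObCloseHandle+0x12
f6f87c18 bf877114 win32k!DestroyProcessInfo+0x1f2
f6f87c40 bf8771bc win32k!xxxUserProcessCallout+0xb7
f6f87c5c 805c761b win32k!W32pProcessCallout+0x42
f6f87d08 805c7a3a nt!PspExitThread+0x423
f6f87d28 805c7c15 nt!PspTerminateThreadByPointer+0x52
f6f87d54 8053cbc8 nt!NtTerminateProcess+0x105
f6f87d54 7c91eb94 nt!KiFastCallEntry+0xf8
0022fdc4 7c91e89a ntdll!KiFastSystemCallRet
0022fe84 7c91f0aa ntdll!NtTerminateProcess+0xc
"""

# A frame line is two 8-digit hex words followed by module!symbol[+offset]; the prompt and header do not match.
FRAME_RE = re.compile(r"^\s*([0-9a-f]{8})\s+([0-9a-f]{8})\s+(\S+)\s*$", re.I)
Frame = namedtuple("Frame", "child_ebp ret_addr module symbol offset")

def parse_k(text):
    """Return the frames of one 'k' dump, innermost frame first."""
    frames = []
    for m in filter(None, map(FRAME_RE.match, text.splitlines())):
        module, _, rest = m.group(3).partition("!")
        symbol, _, off = rest.partition("+")
        frames.append(Frame(int(m.group(1), 16), int(m.group(2), 16), module, symbol, int(off, 16) if off else 0))
    return frames

def callout_chain(frames):
    """(win32k routine entered, nt procedure that issued ExpWin32SessionCallout, originating syscall)."""
    target = frames[0].symbol if frames and frames[0].module == "win32k" else None
    idx = next((i for i, f in enumerate(frames) if f.symbol == "ExpWin32SessionCallout"), None)
    caller = frames[idx + 1].symbol if idx is not None and idx + 1 < len(frames) else None
    syscall = next((f.symbol for f in frames if f.module in ("nt", "win32k") and f.symbol.startswith("Nt")), None)
    return target, caller, syscall

def module_transitions(frames):
    """Collapse consecutive frames by module, e.g. win32k -> nt -> win32k -> nt -> ntdll."""
    return [module for module, _ in groupby(f.module for f in frames)]
```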