When Windows kernel terminates a process it inserts APC in each thread, in turn this APC calls PspExitThread that calls IoCancelThreadIo to cancel if possible all outstanding IRPs by calling IoCancelIrp and waits for IRP cancelation or completion. A thread waits only for IRPs that have been associated with a thread by calling IopQueueThreadIrp that adds IRP in a list of IRPs associated with a thread, the list head is IrpList field of the ETHREAD structure.
A thread will be blocked until any of the two conditions takes place
A thread will be blocked until any of the two conditions takes place
- IrpList becomes empty, that means all outstanding IRPs completed in a normal way or were cancelled
- 5 minutes timeout expired, in that case IopDisassociateThreadIrp is called to perform IRPs disassociation by removing them from IrpList and setting IRP->Tail.Overlay.Thread to NULL
Below is a call stack for a terminating thread with four outstanding IRPs ( marked yellow ).
THREAD 870788e8 Cid 1100.0f5c Teb: 7ffab000 Win32Thread: 00000000 WAIT: (DelayExecution) KernelMode Non-Alertable
86d29460 SynchronizationEvent
IRP List:
87305dc8: (0006,0100) Flags: 00060a00 Mdl: 00000000
86ecd6f8: (0006,0100) Flags: 00060a00 Mdl: 00000000
862fd7b8: (0006,0100) Flags: 00060a00 Mdl: 00000000
87221d80: (0006,0100) Flags: 00060a00 Mdl: 00000000
Not impersonating
DeviceMap 975b0820
Owning Process 8514a030 Image: explorer.exe
Attached Process N/A Image: N/A
Wait Start TickCount 22339 Ticks: 1 (0:00:00:00.015)
Context Switch Count 2734 IdealProcessor: 1
UserTime 00:00:00.000
KernelTime 00:00:00.031
Win32 Start Address 0x769842ed
Stack Init a86bfed0 Current a86bfa38 Base a86c0000 Limit a86bd000 Call 0
Priority 10 BasePriority 8 UnusualBoost 0 ForegroundBoost 2 IoPriority 2 PagePriority 2
ChildEBP RetAddr
a86bfa50 82ad269d nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4])
a86bfa88 82ad14f7 nt!KiSwapThread+0x266
a86bfab0 82ad11d5 nt!KiCommitThreadWait+0x1df
a86bfb0c 82cb9171 nt!KeDelayExecutionThread+0x2aa
a86bfb40 82cbe519 nt!IoCancelThreadIo+0x70
a86bfbb4 82cd2051 nt!PspExitThread+0x48e
a86bfbcc 82b058c0 nt!PsExitSpecialApc+0x22
a86bfc1c 82a922a4 nt!KiDeliverApc+0x28b
a86bfc1c 778770b4 nt!KiServiceExit+0x64 (FPO: [0,3] TrapFrame @ a86bfc34)
074fe3e4 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
THREAD 870788e8 Cid 1100.0f5c Teb: 7ffab000 Win32Thread: 00000000 WAIT: (DelayExecution) KernelMode Non-Alertable
86d29460 SynchronizationEvent
IRP List:
87305dc8: (0006,0100) Flags: 00060a00 Mdl: 00000000
86ecd6f8: (0006,0100) Flags: 00060a00 Mdl: 00000000
862fd7b8: (0006,0100) Flags: 00060a00 Mdl: 00000000
87221d80: (0006,0100) Flags: 00060a00 Mdl: 00000000
Not impersonating
DeviceMap 975b0820
Owning Process 8514a030 Image: explorer.exe
Attached Process N/A Image: N/A
Wait Start TickCount 22339 Ticks: 1 (0:00:00:00.015)
Context Switch Count 2734 IdealProcessor: 1
UserTime 00:00:00.000
KernelTime 00:00:00.031
Win32 Start Address 0x769842ed
Stack Init a86bfed0 Current a86bfa38 Base a86c0000 Limit a86bd000 Call 0
Priority 10 BasePriority 8 UnusualBoost 0 ForegroundBoost 2 IoPriority 2 PagePriority 2
ChildEBP RetAddr
a86bfa50 82ad269d nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4])
a86bfa88 82ad14f7 nt!KiSwapThread+0x266
a86bfab0 82ad11d5 nt!KiCommitThreadWait+0x1df
a86bfb0c 82cb9171 nt!KeDelayExecutionThread+0x2aa
a86bfb40 82cbe519 nt!IoCancelThreadIo+0x70
a86bfbb4 82cd2051 nt!PspExitThread+0x48e
a86bfbcc 82b058c0 nt!PsExitSpecialApc+0x22
a86bfc1c 82a922a4 nt!KiDeliverApc+0x28b
a86bfc1c 778770b4 nt!KiServiceExit+0x64 (FPO: [0,3] TrapFrame @ a86bfc34)
074fe3e4 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
A main process thread waits for child threads termination.
THREAD 86e307f0 Cid 1100.1104 Teb: 7ffdf000 Win32Thread: fe9c8a88 WAIT: (Executive) KernelMode Non-Alertable
870788e8 Thread
Not impersonating
DeviceMap 975b0820
Owning Process 8514a030 Image: explorer.exe
Attached Process N/A Image: N/A
Wait Start TickCount 21665 Ticks: 675 (0:00:00:10.530)
Context Switch Count 15565 IdealProcessor: 1
UserTime 00:00:00.249
KernelTime 00:00:00.530
Win32 Start Address 0x00e50efa
Stack Init a87b5ed0 Current a87b5a38 Base a87b6000 Limit a87b3000 Call 4f0
Priority 12 BasePriority 8 UnusualBoost 0 ForegroundBoost 2 IoPriority 2 PagePriority 5
ChildEBP RetAddr
a87b5a50 82ad269d nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4])
a87b5a88 82ad14f7 nt!KiSwapThread+0x266
a87b5ab0 82acb0cf nt!KiCommitThreadWait+0x1df
a87b5b2c 82cbe28e nt!KeWaitForSingleObject+0x393
a87b5bb4 82cd2051 nt!PspExitThread+0x203
a87b5bcc 82b058c0 nt!PsExitSpecialApc+0x22
a87b5c1c 82a922a4 nt!KiDeliverApc+0x28b
a87b5c1c 77876fc0 nt!KiServiceExit+0x64 (FPO: [0,3] TrapFrame @ a87b5c34)
000ffb18 00000000 ntdll!KiUserCallbackDispatcher (FPO: [0,0,0])
THREAD 86e307f0 Cid 1100.1104 Teb: 7ffdf000 Win32Thread: fe9c8a88 WAIT: (Executive) KernelMode Non-Alertable
870788e8 Thread
Not impersonating
DeviceMap 975b0820
Owning Process 8514a030 Image: explorer.exe
Attached Process N/A Image: N/A
Wait Start TickCount 21665 Ticks: 675 (0:00:00:10.530)
Context Switch Count 15565 IdealProcessor: 1
UserTime 00:00:00.249
KernelTime 00:00:00.530
Win32 Start Address 0x00e50efa
Stack Init a87b5ed0 Current a87b5a38 Base a87b6000 Limit a87b3000 Call 4f0
Priority 12 BasePriority 8 UnusualBoost 0 ForegroundBoost 2 IoPriority 2 PagePriority 5
ChildEBP RetAddr
a87b5a50 82ad269d nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4])
a87b5a88 82ad14f7 nt!KiSwapThread+0x266
a87b5ab0 82acb0cf nt!KiCommitThreadWait+0x1df
a87b5b2c 82cbe28e nt!KeWaitForSingleObject+0x393
a87b5bb4 82cd2051 nt!PspExitThread+0x203
a87b5bcc 82b058c0 nt!PsExitSpecialApc+0x22
a87b5c1c 82a922a4 nt!KiDeliverApc+0x28b
a87b5c1c 77876fc0 nt!KiServiceExit+0x64 (FPO: [0,3] TrapFrame @ a87b5c34)
000ffb18 00000000 ntdll!KiUserCallbackDispatcher (FPO: [0,0,0])
No comments:
Post a Comment