WaxfordSqueers
July 15th, 2013, 22:49
Wondered about this for some time. If I am single stepping through kernel mode, and I encounter a call to WaitForSingleObject, or the like, such as a Sleep function call, mutex, etc., how does my single-stepping affect the call?
With the processor running at millions of instructions per second, it's not an issue, but with me single stepping, I am wondering if I am setting myself up for a long wait, translating to thousands of single-steps. My understanding with a sync object is that the kernel suspends a thread till a required event is signaled, and that several threads may be waiting on the same event.
If I step through the sync object code, like WaitForSingleObject, and other threads are waiting, I could be there for a long time, stepping endlessly through code. If I jump over the call, I may be shunted back around to the call again, till the event is signaled. Does anyone know the proper way to handle such a timing event while single-stepping?
I am bothered by the fact that the call may be re-entrant somewhere along the line and that I'll miss an important detour leading to essential code if I step over it. I don't yet know enough about sync objects to know how they are employed. I have a decent idea but not good enough.
I have encountered situations many times in the kernel where I find myself stepping through a function that is unrelated to the thread I am tracing. For example, last night I was tracing a thread related to CreateFile, and calls to getfiletime and setfiletime after returning from the call led me into ntfs.sys, which is what I wanted. However, I soon found myself in acpi.sys and drivers related to the USB system.
I may have taken a wrong turn but I suspect I could have been diverted by synchronizing calls. Those functions may be waiting for the same event as my thread is waiting for.
Alternatively, I am simply walking a stack of drivers and have given up too easily.