
Analysis of smss!SmpStartCsr: SmpLoadSubSystemsForMuSession and where the new csrss.exe process for a Remote Desktop (port 3389) session comes from

You can troubleshoot most symbol related issues by turning on symbol loading diagnostics (!sym noisy) and repeating the command that caused symbols to be loaded.
You should also verify that your symbol search path (.sympath) is correct.
0: kd> kc
#
00 smss!SmpStartCsr
01 smss!SmpApiLoop
0: kd> dv
SmApiMsg = 0x0030fea8
CallingClient = 0x001637b8
CallPort = 0x00000010
State = 0x00000000
InitialCommandProcessId = 0
InitialCommandProcess = 0x77f2f6e8
InitialCommand = ""
DefaultInitialCommand = ""
WindowsSubSysProcessId = 0x2e8
MuSessionId = 0x30fea8
0: kd> dx -r1 ((smss!_SMAPIMSG *)0x30fea8)
((smss!_SMAPIMSG *)0x30fea8) : 0x30fea8 [Type: _SMAPIMSG *]
[+0x000] h [Type: _PORT_MESSAGE]
[+0x018] ApiNumber : SmStartCsrApi (5) [Type: _SMAPINUMBER]
[+0x01c] ReturnedStatus : 259 [Type: long]
[+0x020] u [Type: __unnamed]
0: kd> dx -r1 (*((smss!__unnamed *)0x30fec8))
(*((smss!__unnamed *)0x30fec8)) [Type: __unnamed]
[+0x000] CreateForeignSession [Type: _SMCREATEFOREIGNSESSION]
[+0x000] SessionComplete [Type: _SMSESSIONCOMPLETE]
[+0x000] TerminateForeignComplete [Type: _SMTERMINATEFOREIGNSESSION]
[+0x000] ExecPgm [Type: _SMEXECPGM]
[+0x000] LoadDefered [Type: _SMLOADDEFERED]
[+0x000] StartCsr [Type: _SMSTARTCSR]
[+0x000] StopCsr [Type: _SMSTOPCSR]
0: kd> dx -r1 (*((smss!_SMSTARTCSR *)0x30fec8))
(*((smss!_SMSTARTCSR *)0x30fec8)) [Type: _SMSTARTCSR]
[+0x000] MuSessionId : 0xffffffff [Type: unsigned long]
[+0x004] InitialCommandLength : 0x0 [Type: unsigned long]
[+0x008] InitialCommand [Type: unsigned short [128]]
[+0x108] InitialCommandProcessId : 0x0 [Type: unsigned long]
[+0x10c] WindowsSubSysProcessId : 0xdba90 [Type: unsigned long]



//
// Load subsystems for this session.
//

WindowsSubSysProcessId = 0;

Status = SmpLoadSubSystemsForMuSession (&MuSessionId,
&WindowsSubSysProcessId,

0: kd> t
smss!SmpLoadSubSystemsForMuSession:
001b:4858aa7c 55 push ebp
0: kd> dv
pMuSessionId = 0x0030fe50
pWindowsSubSysProcessId = 0x0030fe3c
InitialCommand = 0x0030fe28 ""
Status = 0n0
FileName = struct _UNICODE_STRING "--- memory read error at address 0x00000010 ---"
Win32kFileName = struct _UNICODE_STRING ""
State = 0x00000018
DelayTime = {68722687656}


0: kd> gu
GDI: VerifierInitialization: failed to get info from ntoskrnl

(s: 0 0x180.18c smss.exe) USRK-[Wrn] *** win32k: DBCS:[0] IME:[0] MiddleEast:[0] CTFIME:[0]
Installed
Installed
Breakpoint 4 hit
nt!PspCreateProcess:
80d3a1c0 6834010000 push 134h
0: kd> kc
#
00 nt!PspCreateProcess
01 nt!NtCreateProcessEx
02 nt!NtCreateProcess
03 nt!_KiSystemService
04 SharedUserData!SystemCallStub
05 ntdll!NtCreateProcess
06 ntdll!RtlCreateUserProcess
07 smss!SmpExecuteImage
08 smss!SmpLoadSubSystem
09 smss!SmpExecuteCommand
0a smss!SmpLoadSubSystemsForMuSession
0b smss!SmpStartCsr
0c smss!SmpApiLoop
0: kd> dv


0: kd> gu
nt!NtCreateProcessEx+0xae:
80d3af36 eb05 jmp nt!NtCreateProcessEx+0xb5 (80d3af3d)
0: kd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS 899a2278 SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000
DirBase: 0a200000 ObjectTable: e1000e38 HandleCount: 320.
Image: System

PROCESS 894ddd88 SessionId: none Cid: 0180 Peb: 7ffdf000 ParentCid: 0004
DirBase: 7b189000 ObjectTable: e1278720 HandleCount: 20.
Image: smss.exe

PROCESS 8940cd88 SessionId: 0 Cid: 01b0 Peb: 7ffdf000 ParentCid: 0180
DirBase: 7aa43000 ObjectTable: e1458b40 HandleCount: 304.
Image: csrss.exe

PROCESS 898c8250 SessionId: 0 Cid: 01c8 Peb: 7ffdf000 ParentCid: 0180
DirBase: 7a448000 ObjectTable: e1457ad0 HandleCount: 479.
Image: winlogon.exe

PROCESS 897f5250 SessionId: 0 Cid: 01f4 Peb: 7ffdf000 ParentCid: 01c8
DirBase: 7a1cc000 ObjectTable: e1669ec0 HandleCount: 301.
Image: services.exe

PROCESS 8988a020 SessionId: 0 Cid: 0200 Peb: 7ffdf000 ParentCid: 01c8
DirBase: 7a2d4000 ObjectTable: e16dc8e0 HandleCount: 395.
Image: lsass.exe

PROCESS 898618d0 SessionId: 0 Cid: 02c4 Peb: 7ffdf000 ParentCid: 01f4
DirBase: 79bc2000 ObjectTable: e144df68 HandleCount: 160.
Image: svchost.exe

PROCESS 8954f3f0 SessionId: 0 Cid: 02fc Peb: 7ffdf000 ParentCid: 01f4
DirBase: 79ca0000 ObjectTable: e144dfb8 HandleCount: 190.
Image: svchost.exe

PROCESS 894d0c10 SessionId: 0 Cid: 0388 Peb: 7ffdf000 ParentCid: 01f4
DirBase: 09fea000 ObjectTable: e142f830 HandleCount: 130.
Image: svchost.exe

PROCESS 895d98c0 SessionId: 0 Cid: 03bc Peb: 7ffdf000 ParentCid: 01f4
DirBase: 796af000 ObjectTable: e1439930 HandleCount: 79.
Image: svchost.exe

PROCESS 895e0c10 SessionId: 0 Cid: 03d8 Peb: 7ffdf000 ParentCid: 01f4
DirBase: 79575000 ObjectTable: e1439aa8 HandleCount: 589.
Image: svchost.exe

PROCESS 895538c0 SessionId: 0 Cid: 04a4 Peb: 7ffdf000 ParentCid: 01f4
DirBase: 79347000 ObjectTable: e17da1f8 HandleCount: 125.
Image: spoolsv.exe

PROCESS 8988bbf8 SessionId: 0 Cid: 04c0 Peb: 7ffdf000 ParentCid: 01f4
DirBase: 7908d000 ObjectTable: e17cab78 HandleCount: 159.
Image: msdtc.exe

PROCESS 894153f8 SessionId: 0 Cid: 052c Peb: 7ffdf000 ParentCid: 01f4
DirBase: 79413000 ObjectTable: e13d0140 HandleCount: 55.
Image: svchost.exe

PROCESS 89484950 SessionId: 0 Cid: 0594 Peb: 7ffdf000 ParentCid: 01f4
DirBase: 78f9b000 ObjectTable: e17e30e8 HandleCount: 36.
Image: svchost.exe

PROCESS 894fbd88 SessionId: 0 Cid: 05bc Peb: 7ffdf000 ParentCid: 01f4
DirBase: 78da1000 ObjectTable: e1294788 HandleCount: 42.
Image: tftpd6.exe

PROCESS 8984fd88 SessionId: 0 Cid: 06a8 Peb: 7ffdf000 ParentCid: 01f4
DirBase: 788c2000 ObjectTable: e1770838 HandleCount: 51.
Image: dfssvc.exe

PROCESS 896b7538 SessionId: 1 Cid: 06d4 Peb: 7ffdf000 ParentCid: 0180
DirBase: 7880e000 ObjectTable: e188c460 HandleCount: 0.
Image: csrss.exe

Image: csrss.exe  The new csrss.exe process!!! Its parent process is smss!!! ParentCid: 0180
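
The parent/session relationship shown in the dump above can be checked mechanically. The following is an added example, not part of the original post: it parses `!process 0 0` text and flags any csrss.exe whose ParentCid is not a listed smss.exe, or that is a second csrss.exe in the same session. It assumes the layout seen in this dump, where the single smss.exe (Cid 0180) stays running; the sample records are constructed from the output above, and the Cid 0999 record is invented to show a failing case.

```python
import re

# Constructed sample: records trimmed from the `!process 0 0` output above,
# plus one invented record (Cid 0999) that should be flagged.
SAMPLE = """\
PROCESS 894ddd88 SessionId: none Cid: 0180 Peb: 7ffdf000 ParentCid: 0004
Image: smss.exe
PROCESS 8940cd88 SessionId: 0 Cid: 01b0 Peb: 7ffdf000 ParentCid: 0180
Image: csrss.exe
PROCESS 897f5250 SessionId: 0 Cid: 01f4 Peb: 7ffdf000 ParentCid: 01c8
Image: services.exe
PROCESS 896b7538 SessionId: 1 Cid: 06d4 Peb: 7ffdf000 ParentCid: 0180
Image: csrss.exe
PROCESS 89000000 SessionId: 1 Cid: 0999 Peb: 7ffdf000 ParentCid: 01f4
Image: csrss.exe
"""

# One match per PROCESS record; the DirBase/ObjectTable line is skipped by ".*?".
REC = re.compile(
    r"PROCESS\s+(?P<eproc>[0-9a-f]+)\s+SessionId:\s+(?P<session>\S+)\s+"
    r"Cid:\s+(?P<cid>[0-9a-f]+)\s+Peb:\s+[0-9a-f]+\s+"
    r"ParentCid:\s+(?P<parent>[0-9a-f]+).*?Image:\s+(?P<image>\S+)",
    re.S | re.I,
)

def parse_processes(text):
    """Return one dict per PROCESS record in `!process 0 0` output."""
    return [m.groupdict() for m in REC.finditer(text)]

def check_csrss(procs):
    """Flag csrss.exe records with a non-smss parent or a duplicated session."""
    smss_cids = {p["cid"] for p in procs if p["image"].lower() == "smss.exe"}
    findings, seen_sessions = [], {}
    for p in procs:
        if p["image"].lower() != "csrss.exe":
            continue
        if p["parent"] not in smss_cids:
            findings.append((p["cid"], "parent %s is not smss.exe" % p["parent"]))
        if p["session"] in seen_sessions:
            findings.append((p["cid"], "second csrss.exe in session %s" % p["session"]))
        seen_sessions.setdefault(p["session"], p["cid"])
    return findings

if __name__ == "__main__":
    for cid, reason in check_csrss(parse_processes(SAMPLE)):
        print("Cid %s: %s" % (cid, reason))
```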
