Dump File Data Storage Format (Part 6)

8. The Thread Information List Stream (ThreadInfoListStream)

ThreadInfoListStream holds per-thread state information; it comes right after ThreadListStream.

ThreadListStream is as follows:

0x720+0n3796=0x15F4

ThreadInfoListStream is as follows:

So ThreadInfoListStream immediately follows ThreadListStream and is 5068 bytes in size. The data is as follows:

The data of ThreadInfoListStream consists of two structures: MINIDUMP_THREAD_INFO_LIST and MINIDUMP_THREAD_INFO.

MINIDUMP_THREAD_INFO_LIST carries the size information and serves as the header structure:

typedef struct _MINIDUMP_THREAD_INFO_LIST {
  ULONG SizeOfHeader;
  ULONG SizeOfEntry;
  ULONG NumberOfEntries;
} MINIDUMP_THREAD_INFO_LIST, *PMINIDUMP_THREAD_INFO_LIST;

Members:

SizeOfHeader

The size of the stream header, in bytes. This is usually sizeof(MINIDUMP_THREAD_INFO_LIST).

SizeOfEntry

The size of each entry following the header, in bytes. This is usually sizeof(MINIDUMP_THREAD_INFO).

NumberOfEntries

The number of entries in the stream. These are usually MINIDUMP_THREAD_INFO structures. The entries follow the header.

From the above we can do the following calculation:

12 + 64 * 79 = 5068, which is exactly the DataSize recorded in the stream directory, shown below:

The MINIDUMP_THREAD_INFO structure holds the thread's actual state information:

typedef struct _MINIDUMP_THREAD_INFO {
  ULONG32 ThreadId;
  ULONG32 DumpFlags;
  ULONG32 DumpError;
  ULONG32 ExitStatus;
  ULONG64 CreateTime;
  ULONG64 ExitTime;
  ULONG64 KernelTime;
  ULONG64 UserTime;
  ULONG64 StartAddress;
  ULONG64 Affinity;
} MINIDUMP_THREAD_INFO, *PMINIDUMP_THREAD_INFO;

Members:

ThreadId

The thread identifier.

DumpFlags

Flags indicating the thread state. This member can be 0 or one of the following values.

Flag                                   Value       Meaning
MINIDUMP_THREAD_INFO_ERROR_THREAD      0x00000001  A placeholder thread due to an error accessing the thread. No thread information exists beyond the thread identifier.
MINIDUMP_THREAD_INFO_WRITING_THREAD    0x00000002  This is the thread that called MiniDumpWriteDump.
MINIDUMP_THREAD_INFO_EXITED_THREAD     0x00000004  The thread has exited (not running any code) at the time of the dump.
MINIDUMP_THREAD_INFO_INVALID_INFO      0x00000008  Thread information could not be retrieved.
MINIDUMP_THREAD_INFO_INVALID_CONTEXT   0x00000010  Thread context could not be retrieved.
MINIDUMP_THREAD_INFO_INVALID_TEB       0x00000020  TEB information could not be retrieved.

DumpError

An HRESULT value indicating the dump status.

ExitStatus

The thread exit status code.

CreateTime

The time the thread was created, in 100-nanosecond intervals since January 1, 1601 (UTC).

ExitTime

The time the thread exited, in 100-nanosecond intervals since January 1, 1601 (UTC).

KernelTime

The time spent executing in kernel mode, in 100-nanosecond intervals.

UserTime

The time spent executing in user mode, in 100-nanosecond intervals.

StartAddress

The starting address of the thread.

Affinity

The processor affinity mask.

We can view the above data with the following WinDbg command:

0:035> ~*e ? $tid;.ttime
Evaluate expression: 7148 = 00001bec
Created: Tue Oct 13 08:54:28.460 2020 (UTC + 8:00)
Kernel:  0 days 0:08:04.015
User:    0 days 1:46:31.640
Evaluate expression: 1788 = 000006fc
Created: Tue Oct 13 08:54:31.761 2020 (UTC + 8:00)
Kernel:  0 days 0:00:00.000
User:    0 days 0:00:00.000
 -- User interrupted operation
0:035> ~*e ? $tid;.ttime
Evaluate expression: 7148 = 00001bec
Created: Tue Oct 13 08:54:28.460 2020 (UTC + 8:00)
Kernel:  0 days 0:08:04.015
User:    0 days 1:46:31.640
Evaluate expression: 1788 = 000006fc
Created: Tue Oct 13 08:54:31.761 2020 (UTC + 8:00)
Kernel:  0 days 0:00:00.000
User:    0 days 0:00:00.000
Evaluate expression: 16144 = 00003f10
Created: Tue Oct 13 08:54:32.119 2020 (UTC + 8:00)
Kernel:  0 days 0:00:00.000
User:    0 days 0:00:00.000
Evaluate expression: 14276 = 000037c4
Created: Tue Oct 13 08:54:32.285 2020 (UTC + 8:00)
Kernel:  0 days 0:00:00.000
User:    0 days 0:00:00.000
Evaluate expression: 12280 = 00002ff8
Created: Tue Oct 13 08:54:32.290 2020 (UTC + 8:00)
Kernel:  0 days 0:00:00.000
User:    0 days 0:00:00.000
Evaluate expression: 13948 = 0000367c
Created: Tue Oct 13 08:54:32.298 2020 (UTC + 8:00)
Kernel:  0 days 0:00:00.000
User:    0 days 0:00:00.000
Evaluate expression: 15564 = 00003ccc
Created: Tue Oct 13 08:54:32.660 2020 (UTC + 8:00)
Kernel:  0 days 0:00:00.015
User:    0 days 0:00:00.000
Evaluate expression: 8216 = 00002018
Created: Tue Oct 13 08:54:32.665 2020 (UTC + 8:00)
Kernel:  0 days 0:00:00.000
User:    0 days 0:00:00.000
Evaluate expression: 5576 = 000015c8
Created: Tue Oct 13 08:54:32.772 2020 (UTC + 8:00)
Kernel:  0 days 0:00:00.031
User:    0 days 0:00:00.015
Evaluate expression: 7684 = 00001e04
Created: Tue Oct 13 08:54:33.886 2020 (UTC + 8:00)
Kernel:  0 days 0:00:00.546
User:    0 days 0:00:00.812
Evaluate expression: 8120 = 00001fb8
Created: Tue Oct 13 08:54:34.390 2020 (UTC + 8:00)
Kernel:  0 days 0:00:00.000
User:    0 days 0:00:00.000
Evaluate expression: 12296 = 00003008
Created: Tue Oct 13 08:54:34.390 2020 (UTC + 8:00)
Kernel:  0 days 0:07:59.875
User:    0 days 0:10:34.984
Evaluate expression: 16120 = 00003ef8
Created: Tue Oct 13 08:54:34.425 2020 (UTC + 8:00)
Kernel:  0 days 0:00:00.000
User:    0 days 0:00:00.000
Evaluate expression: 16104 = 00003ee8
Created: Tue Oct 13 08:54:34.426 2020 (UTC + 8:00)
Kernel:  0 days 0:00:00.000
User:    0 days 0:00:00.000
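As an added example (not code from the original post), here is a small Python parser for a ThreadInfoListStream that ties the pieces above together: it reads the MINIDUMP_THREAD_INFO_LIST header, checks that SizeOfHeader + SizeOfEntry * NumberOfEntries matches the directory's DataSize (the 12 + 64 * 79 = 5068 check from earlier), unpacks each MINIDUMP_THREAD_INFO, decodes DumpFlags against the table above, converts CreateTime from the 1601-based 100 ns count, and prints KernelTime and UserTime in the same layout as .ttime. The stream bytes it parses are constructed here, modelled on threads 7148 and 1788 from the .ttime output above; the StartAddress values are placeholders, and the thread IDs, times and flag values are assumptions rather than bytes taken from the author's dump. The bounds checks are what a parser needs when the dump file itself is untrusted input.

```python
import struct
from datetime import datetime, timedelta, timezone

# DumpFlags bits, taken from the table above.
THREAD_INFO_FLAGS = {
    0x00000001: "MINIDUMP_THREAD_INFO_ERROR_THREAD",
    0x00000002: "MINIDUMP_THREAD_INFO_WRITING_THREAD",
    0x00000004: "MINIDUMP_THREAD_INFO_EXITED_THREAD",
    0x00000008: "MINIDUMP_THREAD_INFO_INVALID_INFO",
    0x00000010: "MINIDUMP_THREAD_INFO_INVALID_CONTEXT",
    0x00000020: "MINIDUMP_THREAD_INFO_INVALID_TEB",
}

# Little-endian layouts of the two structures (ULONG = 4 bytes, ULONG64 = 8 bytes).
HEADER_FMT = "<III"         # MINIDUMP_THREAD_INFO_LIST: SizeOfHeader, SizeOfEntry, NumberOfEntries
ENTRY_FMT = "<IIIIQQQQQQ"   # MINIDUMP_THREAD_INFO
HEADER_SIZE = struct.calcsize(HEADER_FMT)  # 12
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)    # 64
ENTRY_FIELDS = ("ThreadId", "DumpFlags", "DumpError", "ExitStatus", "CreateTime",
                "ExitTime", "KernelTime", "UserTime", "StartAddress", "Affinity")

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Convert a 100 ns count since 1601-01-01 UTC into a timezone-aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def format_ttime(hundred_ns):
    """Render a 100 ns duration the way WinDbg's .ttime prints it, e.g. '0 days 0:08:04.015'."""
    total_ms = hundred_ns // 10_000
    days, rem = divmod(total_ms, 86_400_000)
    hours, rem = divmod(rem, 3_600_000)
    minutes, rem = divmod(rem, 60_000)
    seconds, ms = divmod(rem, 1_000)
    return f"{days} days {hours}:{minutes:02d}:{seconds:02d}.{ms:03d}"


def decode_dump_flags(value):
    """Return the symbolic names set in DumpFlags; unknown bits are reported, not silently dropped."""
    names = [name for bit, name in sorted(THREAD_INFO_FLAGS.items()) if value & bit]
    unknown = value & ~sum(THREAD_INFO_FLAGS)
    if unknown:
        names.append(f"UNKNOWN(0x{unknown:08x})")
    return names


def parse_thread_info_list(data, data_size):
    """Parse a ThreadInfoListStream into a list of MINIDUMP_THREAD_INFO dictionaries.

    data      -- the raw bytes of the stream
    data_size -- DataSize from the stream directory; must equal
                 SizeOfHeader + SizeOfEntry * NumberOfEntries (the 12 + 64 * 79 = 5068 check)
    Every size is validated before it is used as an offset, so a truncated or
    hand-crafted dump cannot make the parser read outside the buffer.
    """
    if len(data) < HEADER_SIZE:
        raise ValueError("stream shorter than MINIDUMP_THREAD_INFO_LIST header")
    size_of_header, size_of_entry, count = struct.unpack_from(HEADER_FMT, data, 0)
    if size_of_header < HEADER_SIZE or size_of_entry < ENTRY_SIZE:
        raise ValueError("SizeOfHeader/SizeOfEntry smaller than the known structures")
    expected = size_of_header + size_of_entry * count
    if expected != data_size:
        raise ValueError(f"directory DataSize {data_size} != computed {expected}")
    if expected > len(data):
        raise ValueError("stream truncated: fewer bytes than the header claims")
    entries = []
    for i in range(count):
        offset = size_of_header + i * size_of_entry
        # unpack_from reads exactly ENTRY_SIZE bytes; a larger SizeOfEntry (a newer
        # format with extra trailing fields) is simply stepped over.
        entries.append(dict(zip(ENTRY_FIELDS, struct.unpack_from(ENTRY_FMT, data, offset))))
    return entries


def describe_entry(entry):
    """Produce the same three facts .ttime shows for one thread, plus the decoded flags."""
    return {
        "tid": entry["ThreadId"],
        "flags": decode_dump_flags(entry["DumpFlags"]),
        "created_utc": filetime_to_datetime(entry["CreateTime"]).isoformat(timespec="milliseconds"),
        "kernel": format_ttime(entry["KernelTime"]),
        "user": format_ttime(entry["UserTime"]),
    }


# --- Constructed sample stream (assumed values, not bytes from the author's dump) -----
# Two entries modelled on threads 7148 and 1788 from the .ttime output above; the
# StartAddress values are placeholders. CreateTime 132470240684600000 is
# 2020-10-13 00:54:28.460 UTC, i.e. 08:54:28.460 at UTC+8.
STILL_ACTIVE = 0x103
SAMPLE_ENTRIES = [
    (7148, 0x0, 0, STILL_ACTIVE, 132470240684600000, 0, 4_840_150_000, 63_916_400_000, 0x7FF600001000, 0xFF),
    (1788, 0x2, 0, STILL_ACTIVE, 132470240684600000 + 33_010_000, 0, 0, 0, 0x7FF600002000, 0xFF),
]
SAMPLE_STREAM = struct.pack(HEADER_FMT, HEADER_SIZE, ENTRY_SIZE, len(SAMPLE_ENTRIES)) + b"".join(
    struct.pack(ENTRY_FMT, *e) for e in SAMPLE_ENTRIES)
SAMPLE_DATA_SIZE = len(SAMPLE_STREAM)  # 12 + 64 * 2 = 140, what the stream directory would carry


if __name__ == "__main__":
    for entry in parse_thread_info_list(SAMPLE_STREAM, SAMPLE_DATA_SIZE):
        print(describe_entry(entry))
```

Running the block prints one dictionary per thread. With a real dump, the stream bytes and DataSize come from the MINIDUMP_DIRECTORY entry whose StreamType is ThreadInfoListStream, and the time zone shift between the stored UTC FILETIME and the local time .ttime prints is exactly what the created_utc field makes visible.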

Posted on 2020-10-28 07:48 by 活着的虫子