An Introduction to DKOM-Based Windows Internals Analysis
For Windows memory-dump analysis, this "IT談話館" uses the following DKOM (Direct Kernel Object Manipulation)-based analysis process:
- Formulate a problem hypothesis based on knowledge of the Windows kernel architecture.
- Implement that hypothesis as custom analysis code in the "WinDbg internal-analysis language", which inherits the specifications of C/C++ and MASM.
- Run the analysis code to verify whether the hypothesis holds.
- Repeat the steps above as needed until the problem at hand is resolved.
This analysis process can be applied to a wide range of fields, including:
- Analyzing and identifying the cause of system crashes
- Analyzing and identifying the factors behind performance degradation
- Analyzing and evaluating application performance
- Analyzing malware infections and devising countermeasures
- Internal analysis and research of the Windows kernel architecture
- Surveying and researching trends in the Windows software business
The "WinDbg internal-analysis language" in which problem hypotheses are implemented has the following reputation worldwide:
- It takes a long time to learn
- It does not behave as desired
- No suitable introductory material exists
Having used this "WinDbg internal-analysis language" for many years, this "IT談話館" assesses it as follows, based on that experience:
- With appropriate guidance, it does not take long to learn
- It works exactly as desired
- It is true that no suitable introductory material exists
- Because it inherits the specifications of C/C++ and MASM, it can analyze every corner of a memory dump
- Because it permits direct access to kernel memory space, it can reveal even undocumented internal changes made by Microsoft
This article presents a glimpse of the power and appeal of this analysis process.
When a Windows system boots, various processes begin running, and each process in turn starts threads. The Windows kernel manages these threads in light of the state of the whole system, using the following thread states:
Initialized = 0n0
Ready = 0n1
Running = 0n2
Standby = 0n3
Terminated = 0n4
Waiting = 0n5
Transition = 0n6
DeferredReady = 0n7
GateWaitObsolete = 0n8
The majority of threads are placed in the Waiting state for a wide variety of reasons and circumstances, enumerated as the following wait reasons:
Executive = 0n0
FreePage = 0n1
PageIn = 0n2
PoolAllocation = 0n3
DelayExecution = 0n4
Suspended = 0n5
UserRequest = 0n6
WrExecutive = 0n7
WrFreePage = 0n8
WrPageIn = 0n9
WrPoolAllocation = 0n10
WrDelayExecution = 0n11
WrSuspended = 0n12
WrUserRequest = 0n13
WrSpare0 = 0n14
WrQueue = 0n15
WrLpcReceive = 0n16
WrLpcReply = 0n17
WrVirtualMemory = 0n18
WrPageOut = 0n19
WrRendezvous = 0n20
WrKeyedEvent = 0n21
WrTerminated = 0n22
WrProcessInSwap = 0n23
WrCpuRateControl = 0n24
WrCalloutStack = 0n25
WrKernel = 0n26
WrResource = 0n27
WrPushLock = 0n28
WrMutex = 0n29
WrQuantumEnd = 0n30
WrDispatchInt = 0n31
WrPreempted = 0n32
WrYieldExecution = 0n33
WrFastMutex = 0n34
WrGuardedMutex = 0n35
WrRundown = 0n36
WrAlertByThreadId = 0n37
WrDeferredPreempt = 0n38
MaximumWaitReason = 0n39
The circumstances and reasons under which threads enter these wait states differ from one Windows version to the next.
When asked to analyze a kernel memory dump or a Windows 10 Active Memory Dump, this "IT談話館", after hearing the client's account, sometimes begins by forming an overview of the system as it was when the dump was captured. In such initial analysis, surveying the reasons why threads are in the Waiting state yields the basic data needed to formulate a problem hypothesis.
Here we present (at some length) the result of surveying the processes and threads that are in "WrLpcReceive = 0n16" (waiting to receive) and "WrLpcReply = 0n17" (waiting for a reply), both of which indicate inter-process communication:
ActiveThreads->162 Location->0xFFFFD68298224040 System
000 State->005 Reason->016 Thread->0xFFFFD6829992F040
ActiveThreads->002 Location->0xFFFFD68299938780 smss.exe
ActiveThreads->010 Location->0xFFFFD68299A6D080 csrss.exe
000 State->005 Reason->016 Thread->0xFFFFD68299BEF080
001 State->005 Reason->017 Thread->0xFFFFD6829A38A7C0
002 State->005 Reason->016 Thread->0xFFFFD68299ABD540
003 State->005 Reason->016 Thread->0xFFFFD68299E267C0
004 State->005 Reason->016 Thread->0xFFFFD6829AD8F080
ActiveThreads->000 Location->0xFFFFD6829A4B1780 smss.exe
ActiveThreads->002 Location->0xFFFFD6829A4AF080 wininit.exe
ActiveThreads->012 Location->0xFFFFD68299A11280 csrss.exe
000 State->005 Reason->016 Thread->0xFFFFD6829A405080
001 State->005 Reason->017 Thread->0xFFFFD6829AD207C0
002 State->005 Reason->016 Thread->0xFFFFD6829A925080
003 State->005 Reason->016 Thread->0xFFFFD6829AD712C0
004 State->005 Reason->016 Thread->0xFFFFD6829ADC27C0
005 State->005 Reason->016 Thread->0xFFFFD68299BD8080
ActiveThreads->007 Location->0xFFFFD6829A7AF780 services.exe
ActiveThreads->009 Location->0xFFFFD6829A7AD780 lsass.exe
000 State->005 Reason->016 Thread->0xFFFFD6829A8EB7C0
ActiveThreads->026 Location->0xFFFFD6829A7AB780 svchost.exe
ActiveThreads->016 Location->0xFFFFD6829A7A5780 svchost.exe
ActiveThreads->005 Location->0xFFFFD6829AD80500 winlogon.exe
ActiveThreads->099 Location->0xFFFFD6829ADA8780 svchost.exe
000 State->005 Reason->016 Thread->0xFFFFD6829B24E080
001 State->005 Reason->017 Thread->0xFFFFD6829A4CD7C0
ActiveThreads->036 Location->0xFFFFD6829ADA6780 svchost.exe
000 State->005 Reason->017 Thread->0xFFFFD68299E2E7C0
ActiveThreads->011 Location->0xFFFFD6829ADA4780 dwm.exe
ActiveThreads->031 Location->0xFFFFD6829ADA2780 svchost.exe
ActiveThreads->000 Location->0xFFFFD6829AFE8780 WUDFHost.exe
ActiveThreads->020 Location->0xFFFFD6829AD92780 svchost.exe
ActiveThreads->050 Location->0xFFFFD6829AD90780 svchost.exe
000 State->005 Reason->016 Thread->0xFFFFD6829B2DA080
ActiveThreads->029 Location->0xFFFFD6829AD8E780 svchost.exe
ActiveThreads->009 Location->0xFFFFD6829B2C5780 WUDFHost.exe
ActiveThreads->009 Location->0xFFFFD6829B27A780 svchost.exe
000 State->005 Reason->017 Thread->0xFFFFD68299440080
ActiveThreads->011 Location->0xFFFFD6829B26E780 svchost.exe
ActiveThreads->012 Location->0xFFFFD6829ACA1080 spoolsv.exe
ActiveThreads->009 Location->0xFFFFD6829AC7A780 svchost.exe
ActiveThreads->016 Location->0xFFFFD68299E79080 svchost.exe
ActiveThreads->027 Location->0xFFFFD6829AC82780 svchost.exe
ActiveThreads->009 Location->0xFFFFD6829993F080 IpOverUsbSvc.e
ActiveThreads->008 Location->0xFFFFD6829AC72780 Sysmon.exe
ActiveThreads->015 Location->0xFFFFD6829AC70780 svchost.exe
ActiveThreads->010 Location->0xFFFFD6829AC74780 svchost.exe
ActiveThreads->016 Location->0xFFFFD6829AC6E780 mqsvc.exe
ActiveThreads->027 Location->0xFFFFD6829AC6C780 MsMpEng.exe
ActiveThreads->048 Location->0xFFFFD6829B475040 MemCompression
ActiveThreads->007 Location->0xFFFFD6829B5DB780 SMSvcHost.exe
ActiveThreads->004 Location->0xFFFFD6829AB2E780 svchost.exe
ActiveThreads->006 Location->0xFFFFD6829ABB7780 SMSvcHost.exe
ActiveThreads->011 Location->0xFFFFD6829B6FC780 sihost.exe
ActiveThreads->015 Location->0xFFFFD6829B977780 svchost.exe
ActiveThreads->015 Location->0xFFFFD6829B99D780 taskhostw.exe
000 State->005 Reason->016 Thread->0xFFFFD6829B9A9080
ActiveThreads->037 Location->0xFFFFD6829B9DC600 RuntimeBroker.
ActiveThreads->000 Location->0xFFFFD6829BA24780 userinit.exe
ActiveThreads->120 Location->0xFFFFD6829BA2A780 explorer.exe
000 State->005 Reason->017 Thread->0xFFFFD6829B9D1080
ActiveThreads->029 Location->0xFFFFD682996B0080 ShellExperienc
ActiveThreads->014 Location->0xFFFFD6829B9F7780 SearchIndexer.
ActiveThreads->035 Location->0xFFFFD68299A5E080 SearchUI.exe
ActiveThreads->008 Location->0xFFFFD68299BA8780 RAVCpl64.exe
ActiveThreads->005 Location->0xFFFFD68299BA5780 MSASCuiL.exe
ActiveThreads->005 Location->0xFFFFD6829964D780 fontdrvhost.ex
ActiveThreads->000 Location->0xFFFFD6829A5E8780 LogonUI.exe
ActiveThreads->005 Location->0xFFFFD68298E8B780 LockAppHost.ex
ActiveThreads->011 Location->0xFFFFD6829A608080 SkypeHost.exe
000 State->005 Reason->017 Thread->0xFFFFD6829C4C07C0
ActiveThreads->004 Location->0xFFFFD6829A6F3780 SettingSyncHos
ActiveThreads->000 Location->0xFFFFD68298B04600 LogonUI.exe
ActiveThreads->000 Location->0xFFFFD6829C5A1780 LogonUI.exe
ActiveThreads->000 Location->0xFFFFD68299A02780 audiodg.exe
ActiveThreads->000 Location->0xFFFFD6829C392780 windbg.exe
ActiveThreads->000 Location->0xFFFFD6829B634500 SearchProtocol
ActiveThreads->000 Location->0xFFFFD68298CDA240 SearchFilterHo
ActiveThreads->000 Location->0xFFFFD6829C067080 ImeBroker.exe
ActiveThreads->000 Location->0xFFFFD68299859080 WmiPrvSE.exe
ActiveThreads->000 Location->0xFFFFD68298D2B080 WmiApSrv.exe
ActiveThreads->004 Location->0xFFFFD6829BAB0380 svchost.exe
ActiveThreads->000 Location->0xFFFFD68298B46780 audiodg.exe
ActiveThreads->000 Location->0xFFFFD6829C459780 LogonUI.exe
ActiveThreads->000 Location->0xFFFFD6829C693780 notepad.exe
ActiveThreads->000 Location->0xFFFFD6829C458080 ImeBroker.exe
ActiveThreads->000 Location->0xFFFFD6829C631780 WmiPrvSE.exe
ActiveThreads->000 Location->0xFFFFD6829C4C2780 WmiApSrv.exe
ActiveThreads->000 Location->0xFFFFD68299435080 notepad.exe
ActiveThreads->000 Location->0xFFFFD6829B6CD080 windbg.exe
ActiveThreads->000 Location->0xFFFFD682987A4780 TrustedInstall
ActiveThreads->000 Location->0xFFFFD6829921A780 TiWorker.exe
ActiveThreads->000 Location->0xFFFFD6829C311080 WmiPrvSE.exe
ActiveThreads->000 Location->0xFFFFD6829C284780 WmiApSrv.exe
ActiveThreads->000 Location->0xFFFFD6829B8CA780 LogonUI.exe
ActiveThreads->000 Location->0xFFFFD68298F0A080 LogonUI.exe
ActiveThreads->000 Location->0xFFFFD68298CCC780 LogonUI.exe
ActiveThreads->000 Location->0xFFFFD68299A1F500 LogonUI.exe
ActiveThreads->000 Location->0xFFFFD6829B66D080 LogonUI.exe
ActiveThreads->000 Location->0xFFFFD6829862E080 WUDFHost.exe
ActiveThreads->000 Location->0xFFFFD6829A6E5780 LogonUI.exe
ActiveThreads->000 Location->0xFFFFD68298DD1080 svchost.exe
ActiveThreads->000 Location->0xFFFFD68299737780 WmiPrvSE.exe
ActiveThreads->000 Location->0xFFFFD68298E31780 TrustedInstall
ActiveThreads->000 Location->0xFFFFD682997D5780 VSSVC.exe
ActiveThreads->000 Location->0xFFFFD682997E3080 TiWorker.exe
ActiveThreads->000 Location->0xFFFFD682997D7780 audiodg.exe
ActiveThreads->000 Location->0xFFFFD6829D270780 LogonUI.exe
ActiveThreads->000 Location->0xFFFFD68298DE3780 backgroundTask
ActiveThreads->000 Location->0xFFFFD682986B8200 WmiApSrv.exe
ActiveThreads->000 Location->0xFFFFD6829B8C74C0 LogonUI.exe
ActiveThreads->000 Location->0xFFFFD682988BA080 LockApp.exe
ActiveThreads->000 Location->0xFFFFD6829B222080 LogonUI.exe
ActiveThreads->000 Location->0xFFFFD6829D26E080 LockApp.exe
ActiveThreads->000 Location->0xFFFFD68299772780 LogonUI.exe
ActiveThreads->000 Location->0xFFFFD6829D110080 LogonUI.exe
ActiveThreads->000 Location->0xFFFFD6829B8D0080 LogonUI.exe
ActiveThreads->000 Location->0xFFFFD6829D2FA780 LogonUI.exe
ActiveThreads->000 Location->0xFFFFD682988CA600 LockApp.exe
ActiveThreads->000 Location->0xFFFFD6829D2E7580 LogonUI.exe
ActiveThreads->000 Location->0xFFFFD682990ED780 LogonUI.exe
ActiveThreads->002 Location->0xFFFFD6829C055080 armsvc.exe
ActiveThreads->000 Location->0xFFFFD6829C88E080 LogonUI.exe
ActiveThreads->000 Location->0xFFFFD6829913B780 windbg.exe
ActiveThreads->000 Location->0xFFFFD6829C11A080 LogonUI.exe
ActiveThreads->000 Location->0xFFFFD6829B5DF080 LogonUI.exe
ActiveThreads->000 Location->0xFFFFD68298DA6080 LogonUI.exe
ActiveThreads->000 Location->0xFFFFD68298C9B780 LogonUI.exe
ActiveThreads->000 Location->0xFFFFD6829CA72240 LogonUI.exe
ActiveThreads->000 Location->0xFFFFD6829C30D080 LockApp.exe
ActiveThreads->000 Location->0xFFFFD6829C5C7780 LogonUI.exe
ActiveThreads->000 Location->0xFFFFD68298C116C0 LogonUI.exe
ActiveThreads->000 Location->0xFFFFD68298623380 LockApp.exe
ActiveThreads->000 Location->0xFFFFD6829C67F780 LogonUI.exe
ActiveThreads->000 Location->0xFFFFD6829B20D500 LogonUI.exe
ActiveThreads->000 Location->0xFFFFD6829C1B7780 LogonUI.exe
ActiveThreads->000 Location->0xFFFFD6829CE07780 LockApp.exe
ActiveThreads->000 Location->0xFFFFD6829979C640 LogonUI.exe
ActiveThreads->012 Location->0xFFFFD68298E9A080 NisSrv.exe
ActiveThreads->000 Location->0xFFFFD68298612780 LogonUI.exe
ActiveThreads->006 Location->0xFFFFD6829B860080 svchost.exe
ActiveThreads->039 Location->0xFFFFD6829AB32080 chrome.exe
000 State->005 Reason->017 Thread->0xFFFFD6829B848080
ActiveThreads->007 Location->0xFFFFD6829C278380 chrome.exe
ActiveThreads->007 Location->0xFFFFD6829BFA0780 chrome.exe
ActiveThreads->014 Location->0xFFFFD68298805080 chrome.exe
ActiveThreads->014 Location->0xFFFFD6829CA041C0 chrome.exe
ActiveThreads->006 Location->0xFFFFD68298666080 audiodg.exe
The highlighted entry (the chrome.exe thread 0xFFFFD6829B848080 with Reason->017 in the listing above) indicates that this thread of Google's Chrome browser is waiting for a reply from another process. Running the following command retrieves the related information:
1: kd> !thread 0xFFFFD6829B848080
THREAD ffffd6829b848080 Cid 1294.06f8 Teb: 0000006b05a1e000 Win32Thread: 0000000000000000 WAIT: (WrLpcReply) UserMode Non-Alertable
ffffd6829b8486c0 Semaphore Limit 0x1
Waiting for reply to ALPC Message ffffa18531f3a5d0 : queued at port ffffd682982fb4f0 : owned by process ffffd6829b27a780
Not impersonating
DeviceMap ffffa185318b66c0
Owning Process ffffd6829ab32080 Image: chrome.exe
Attached Process N/A Image: N/A
Wait Start TickCount 14907437 Ticks: 6 (0:00:00:00.093)
Context Switch Count 59 IdealProcessor: 1
UserTime 00:00:00.000
KernelTime 00:00:00.015
Win32 Start Address 0x00007ffe30677970
Stack Init ffff8f81f0728d90 Current ffff8f81f0728550
Base ffff8f81f0729000 Limit ffff8f81f0723000 Call 0
Priority 11 BasePriority 8 UnusualBoost 0 ForegroundBoost 2 IoPriority 2 PagePriority 5
Page fffffffff too large to be in the dump file.
Page fffffffff too large to be in the dump file.
Child-SP RetAddr : Args to Child : Call Site
ffff8f81`f0728590 fffff800`e6eb7cdc : 00000000`00000000 00000000`00000000 ffffc580`00165de0 ffff8bbf`ff2bbd40 : nt!KiSwapContext+0x76
ffff8f81`f07286d0 fffff800`e6eb777f : ffffd682`982fb4f0 ffffa185`31f3a5d0 00000000`00000000 fffff800`e6fe860d : nt!KiSwapThread+0x17c
ffff8f81`f0728780 fffff800`e6eb9547 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiCommitThreadWait+0x14f
ffff8f81`f0728820 fffff800`e6ec7a18 : ffffd682`9b8486c0 ffffd682`00000011 ffffd682`9831d901 ffffd682`00000000 : nt!KeWaitForSingleObject+0x377
ffff8f81`f07288d0 fffff800`e7297868 : 00000000`00000000 ffffd682`9b8486c0 00000000`00000011 ffffa185`31557e01 : nt!AlpcpSignalAndWait+0x1d8
ffff8f81`f0728970 fffff800`e7296541 : ffffd682`9cd65e20 000001da`26720170 ffffffff`ffffffff 000001da`26720170 : nt!AlpcpReceiveSynchronousReply+0x58
ffff8f81`f07289d0 fffff800`e729481d : ffffd682`9cd65e20 0000006b`00020000 000001da`26720170 000001da`26bb7c98 : nt!AlpcpProcessSynchronousRequest+0x301
ffff8f81`f0728ad0 fffff800`e6fd2d93 : ffff8f81`f0728ba8 ffffd682`9b848080 ffff8f81`f0728c80 0000006b`06dfd458 : nt!NtAlpcSendWaitReceivePort+0x23d
ffff8f81`f0728b90 00007ffe`61305f44 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ ffff8f81`f0728c00)
0000006b`06dfd438 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!NtAlpcSendWaitReceivePort+0x14
As you can see, this thread is waiting, via the ALPC communication mechanism, for a reply from another process. Which process Chrome is communicating with, and what that communication is, is of great interest, but further technical explanation is omitted from this article.
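The survey above is produced by a custom script, and the !thread output then names the process that owns the port the Chrome thread is waiting on. The following Python script is an added example, not the "IT談話館"'s WinDbg code; the function names parse_listing, lpc_waiters, reason_histogram and alpc_reply_owner are this example's own. It post-processes that text offline: it parses the ActiveThreads/State/Reason lines, decodes the numeric State and Reason fields with the nt!_KTHREAD_STATE and nt!_KWAIT_REASON tables listed earlier, lists the WrLpcReceive/WrLpcReply waiters, and resolves the "owned by process" address from the !thread output against the Location addresses in the listing. The embedded sample input is a constructed excerpt of the listing and !thread output on this page.

```python
"""Decode the per-process thread listing and the !thread output shown above.

Added example, not the IT談話館's WinDbg script: it post-processes the script's
text output offline. The state / wait-reason tables are copied from the page.
"""
import re
from collections import Counter

# nt!_KTHREAD_STATE values as listed on the page.
KTHREAD_STATE = {0: "Initialized", 1: "Ready", 2: "Running", 3: "Standby",
                 4: "Terminated", 5: "Waiting", 6: "Transition",
                 7: "DeferredReady", 8: "GateWaitObsolete"}

# nt!_KWAIT_REASON values 0..38 as listed on the page (39 = MaximumWaitReason
# is a sentinel). The set differs between Windows builds, so keep this table
# in step with the build the dump came from.
KWAIT_REASON = dict(enumerate((
    "Executive FreePage PageIn PoolAllocation DelayExecution Suspended "
    "UserRequest WrExecutive WrFreePage WrPageIn WrPoolAllocation "
    "WrDelayExecution WrSuspended WrUserRequest WrSpare0 WrQueue WrLpcReceive "
    "WrLpcReply WrVirtualMemory WrPageOut WrRendezvous WrKeyedEvent "
    "WrTerminated WrProcessInSwap WrCpuRateControl WrCalloutStack WrKernel "
    "WrResource WrPushLock WrMutex WrQuantumEnd WrDispatchInt WrPreempted "
    "WrYieldExecution WrFastMutex WrGuardedMutex WrRundown WrAlertByThreadId "
    "WrDeferredPreempt").split()))
WR_LPC_RECEIVE, WR_LPC_REPLY = 16, 17

# Line shapes produced by the page's script (image names are cut at 14 chars).
PROC_RE = re.compile(r"^ActiveThreads->(\d+)\s+Location->(0x[0-9A-Fa-f]+)\s+(\S+)$")
THREAD_RE = re.compile(r"^(\d+)\s+State->(\d+)\s+Reason->(\d+)\s+Thread->(0x[0-9A-Fa-f]+)$")
# The ALPC line that !thread prints for a WrLpcReply waiter.
ALPC_RE = re.compile(r"Waiting for reply to ALPC Message ([0-9A-Fa-f]+)\s*:\s*"
                     r"queued at port ([0-9A-Fa-f]+)\s*:\s*owned by process ([0-9A-Fa-f]+)")


def parse_listing(text):
    """Return [{'image', 'eprocess', 'active', 'threads': [...]}] for each process line."""
    procs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PROC_RE.match(line)
        if m:
            procs.append({"image": m.group(3), "eprocess": int(m.group(2), 16),
                          "active": int(m.group(1)), "threads": []})
            continue
        m = THREAD_RE.match(line)
        if m:
            if not procs:
                raise ValueError("thread line before any process line: " + line)
            procs[-1]["threads"].append({"index": int(m.group(1)), "state": int(m.group(2)),
                                         "reason": int(m.group(3)), "kthread": int(m.group(4), 16)})
            continue
        raise ValueError("unrecognised line: " + line)
    return procs


def describe(thread):
    """Map the numeric State/Reason of one thread record to their symbolic names."""
    return (KTHREAD_STATE.get(thread["state"], "State%d" % thread["state"]),
            KWAIT_REASON.get(thread["reason"], "Reason%d" % thread["reason"]))


def lpc_waiters(procs):
    """All threads blocked in an ALPC receive or reply wait, as (image, kthread, state, reason)."""
    out = []
    for p in procs:
        for t in p["threads"]:
            if t["reason"] in (WR_LPC_RECEIVE, WR_LPC_REPLY):
                state, reason = describe(t)
                out.append((p["image"], t["kthread"], state, reason))
    return out


def reason_histogram(procs):
    """How many listed threads sit in each wait reason (the baseline data the article mentions)."""
    return Counter(describe(t)[1] for p in procs for t in p["threads"])


def alpc_reply_owner(thread_output, procs):
    """Resolve the 'owned by process' EPROCESS from !thread to an image in the listing.

    Returns (eprocess, image-or-None), or None when no ALPC reply line is present.
    """
    m = ALPC_RE.search(thread_output)
    if not m:
        return None
    owner = int(m.group(3), 16)
    by_addr = {p["eprocess"]: p["image"] for p in procs}
    return owner, by_addr.get(owner)


# Constructed excerpt of the listing above (four of the processes from the page's output).
SAMPLE_LISTING = """\
ActiveThreads->162 Location->0xFFFFD68298224040 System
000 State->005 Reason->016 Thread->0xFFFFD6829992F040
ActiveThreads->010 Location->0xFFFFD68299A6D080 csrss.exe
000 State->005 Reason->016 Thread->0xFFFFD68299BEF080
001 State->005 Reason->017 Thread->0xFFFFD6829A38A7C0
ActiveThreads->009 Location->0xFFFFD6829B27A780 svchost.exe
000 State->005 Reason->017 Thread->0xFFFFD68299440080
ActiveThreads->039 Location->0xFFFFD6829AB32080 chrome.exe
000 State->005 Reason->017 Thread->0xFFFFD6829B848080
"""
# The two relevant lines of the !thread output shown on the page.
SAMPLE_THREAD = (
    "THREAD ffffd6829b848080 Cid 1294.06f8 Teb: 0000006b05a1e000 "
    "Win32Thread: 0000000000000000 WAIT: (WrLpcReply) UserMode Non-Alertable\n"
    "Waiting for reply to ALPC Message ffffa18531f3a5d0 : queued at port "
    "ffffd682982fb4f0 : owned by process ffffd6829b27a780\n")

if __name__ == "__main__":
    procs = parse_listing(SAMPLE_LISTING)
    for image, kthread, state, reason in lpc_waiters(procs):
        print("%-16s 0x%016X %s %s" % (image, kthread, state, reason))
    print(dict(reason_histogram(procs)))
    resolved = alpc_reply_owner(SAMPLE_THREAD, procs)
    if resolved:
        print("reply expected from EPROCESS 0x%X (%s)" % resolved)
```

Joining the "owned by process" address against the Location column is what turns the listing into a conversation map: the port the Chrome thread waits on belongs to the svchost.exe instance at 0xFFFFD6829B27A780, which itself has a thread in WrLpcReply in the same listing. Because the script truncates image names, match on the EPROCESS address, never on the name, and regenerate the KWAIT_REASON table whenever the dump comes from a different build.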