windbg学习---!thread和.thread

!thread扩展显示目标系统中线程包括ETHREAD块在内的摘要信息。该命令只能在内核模式调试下使用

!thread [-p] [-t] [Address [Flags]] 

-p

显示拥有该线程的进程的摘要信息。

-t

包含这个选项时，Address是线程ID，而不是线程地址。

Address

指定目标机上线程的16进制地址。如果Address为-1或省略，则表示当前线程。

Flags

指定显示的详细级别。Flags可以是下面这些位的任意组合。如果Flags为0，只会显示最少量的信息。默认为0x6： 

Bit 1 (0x2)

显示线程的等待状态。

Bit 2 (0x4)

如果不和Bit 1(0x2)一起使用则不会起作用。如果和Bit 1一起使用，线程会和调用堆栈一起显示出来。

Bit 3 (0x8)

(Windows XP和之后)  

在每个函数的显示信息中加入返回地址、堆栈指针、以及bsp寄存器的值(在Itanium系统中)，但是不显示函数的参数。

Bit 4 (0x10)

(Windows XP和之后) 在这个命令持续期间，将进程上下文设置为拥有指定线程的那个进程。这回使得线程调用堆栈的显示更加精确。

显示当前线程的详细信息：

kd> !thread -1 6
THREAD 821ec390  Cid 06e8.06e4  Teb: 7ffdd000 Win32Thread: 00000000 RUNNING on processor 0
IRP List:
    82265a38: (0006,0094) Flags: 00000a00  Mdl: 81e91b68
Not impersonating
DeviceMap                 e19c40c8
Owning Process            0       Image:         <Unknown>
Attached Process          821f5da0       Image:         test.exe
Wait Start TickCount      21156          Ticks: 1 (0:00:00:00.015)
Context Switch Count      22             
UserTime                  00:00:00.000
KernelTime                00:00:00.031
Win32 Start Address test (0x00401356)
Start Address kernel32!BaseProcessStartThunk (0x7c8106f5)
Stack Init b2325000 Current b2324b84 Base b2325000 Limit b2322000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr  Args to Child              
b2324c80 80580982 82265aa8 00000000 82265a38 nt!IopfCallDriver+0x31 (FPO: [0,0,0])
b2324c94 8057e4c9 81e6a518 82265a38 822272d8 nt!IopSynchronousServiceTail+0x70 (FPO: [7,0,4])
b2324d38 8054261c 00000038 00000000 00000000 nt!NtWriteFile+0x5d7 (FPO: [Non-Fpo])
b2324d38 7c92e4f4 00000038 00000000 00000000 nt!KiFastCallEntry+0xfc (FPO: [0,0] TrapFrame @ b2324d64)
0012fee0 7c92df6c 7c810e86 00000038 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
0012fee4 7c810e86 00000038 00000000 00000000 ntdll!ZwWriteFile+0xc (FPO: [9,0,0])
0012ff44 00401070 00000038 0012ff60 0000000a kernel32!WriteFile+0xf7 (FPO: [Non-Fpo])
WARNING: Stack unwind information not available. Following frames may be wrong.
0012ff7c 0040120e 00000001 003d3ef8 003d2eb8 test+0x1070
0012ffc0 7c817067 00310031 00330031 7ffde000 test+0x120e
0012fff0 00000000 00401356 00000000 78746341 kernel32!BaseProcessStart+0x23 (FPO: [Non-Fpo])

.thread 命令指定哪个线程用作寄存器上下文。

和.process有点相似

当前线程：

kd> .thread
Implicit thread is now 

.thread /r /p xxx同样是切换到指定的线程，但.thread同时可以切换回中断的线程上下文

kd> .thread /p /r 81e64da8  
Implicit thread is now 81e64da8
Implicit process is now 821f5da0
.cache forcedecodeuser done
Loading User Symbols
.........
kd> kv
  *** Stack trace for last set context - .thread/.cxr resets it
ChildEBP RetAddr  Args to Child              
b29b6cb8 80504836 81e64e18 81e64da8 804fc068 nt!KiSwapContext+0x2f (FPO: [Uses EBP] [0,0,4])
b29b6cc4 804fc068 00000000 b29b6d1c 00000000 nt!KiSwapThread+0x8a (FPO: [0,0,0])
b29b6cec 805c1750 00000001 00000006 004db801 nt!KeWaitForSingleObject+0x1c2 (FPO: [5,5,4])
b29b6d50 8054261c 00000010 00000000 b29b6d1c nt!NtWaitForSingleObject+0x9a (FPO: [Non-Fpo])
b29b6d50 7c92e4f4 00000010 00000000 b29b6d1c nt!KiFastCallEntry+0xfc (FPO: [0,0] TrapFrame @ b29b6d64)
003cfa70 7c92df3c 7c8025db 00000010 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
003cfa74 7c8025db 00000010 00000000 003cfaa8 ntdll!NtWaitForSingleObject+0xc (FPO: [3,0,0])
003cfad8 7c802542 00000010 00002710 00000000 kernel32!WaitForSingleObjectEx+0xa8 (FPO: [Non-Fpo])
003cfaec 7c875f27 00000010 00002710 00000000 kernel32!WaitForSingleObject+0x12 (FPO: [2,0,0])
003cffb4 7c80b713 00000000 00610072 006f0074 kernel32!ConsoleIMERoutine+0xf4 (FPO: [1,300,4])
003cffec 00000000 7c875e33 00000000 00000000 kernel32!BaseThreadStart+0x37 (FPO: [Non-Fpo])
kd> .thread
Implicit thread is now 821ec390
kd> kv
ChildEBP RetAddr  Args to Child              
b2324c80 80580982 82265aa8 00000000 82265a38 nt!IopfCallDriver+0x31 (FPO: [0,0,0])
b2324c94 8057e4c9 81e6a518 82265a38 822272d8 nt!IopSynchronousServiceTail+0x70 (FPO: [7,0,4])
b2324d38 8054261c 00000038 00000000 00000000 nt!NtWriteFile+0x5d7 (FPO: [Non-Fpo])
b2324d38 7c92e4f4 00000038 00000000 00000000 nt!KiFastCallEntry+0xfc (FPO: [0,0] TrapFrame @ b2324d64)
0012fee0 7c92df6c 7c810e86 00000038 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
0012fee4 7c810e86 00000038 00000000 00000000 ntdll!ZwWriteFile+0xc (FPO: [9,0,0])
*** ERROR: Module load completed but symbols could not be loaded for test.exe
0012ff44 00401070 00000038 0012ff60 0000000a kernel32!WriteFile+0xf7 (FPO: [Non-Fpo])
WARNING: Stack unwind information not available. Following frames may be wrong.
0012ff7c 0040120e 00000001 003d3ef8 003d2eb8 test+0x1070
0012ffc0 7c817067 00310031 00330031 7ffde000 test+0x120e

可以看到不同的线程时，对应不同的堆栈