In Windows kernel syscall traces, what are these mystery addresses?
I am using Event Tracing for Windows (ETW) to do kernel tracing of syscalls in Windows Server 2008 R2.
I am running:
logman start "NT Kernel Logger" -p "Windows Kernel Trace" (process,thread,cswitch,syscall) -o events.etl -ets
In the resulting kernel traces, I am looking at the SysCallAddress attribute and I see a lot of what I would expect: for example 0xFFFFF80001999EE0, which is nt!NtWriteFile.
The problem is that I am seeing a lot of addresses in the 0xFFFFF960 range, for example 0xFFFFF9600004421C, and I don't know what is at these addresses. The ln command in the kernel debugger returns no information for any of these addresses.
Does anybody know what lives at these addresses that the kernel tracer regards as syscalls?
Those are syscalls into win32k.sys. Think GetMessage, EndDraw, etc.
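A practical way to check the answer above against a trace is to bucket every SysCallAddress by the loaded kernel module that contains it. The script below is an added example, not code from the original question or answer: it parses a WinDbg-style `lm` module listing and labels each syscall address with its module. The `lm` listing and the trace addresses are constructed for illustration (the nt and win32k base addresses are plausible for an x64 Windows Server 2008 R2 kernel but are not real measurements). The only fact it relies on is the x64 session-space layout of that era, 0xFFFFF90000000000 to 0xFFFFF97FFFFFFFFF, which is where win32k.sys and other session-scoped drivers are mapped and why those addresses look nothing like the nt image range. That mapping is also why `ln` comes back empty: win32k.sys lives in session space, so in the kernel debugger you normally need to switch to a process in a GUI session (`.process /p /r <EPROCESS>`) and `.reload win32k.sys` before `ln` can resolve them.

```python
"""Bucket ETW SysCallAddress values by kernel module range.

Added example, not from the original post. The `lm` listing and the trace
addresses below are constructed; module bases are illustrative only.
"""
import re
from collections import Counter
from dataclasses import dataclass

# x64 session space on Windows 7 / Server 2008 R2: win32k.sys and other
# session-scoped drivers are mapped here rather than next to nt.
SESSION_SPACE_START = 0xFFFFF90000000000
SESSION_SPACE_END = 0xFFFFF98000000000

# Constructed WinDbg `lm` output: "start end module (symbol state)".
SAMPLE_LM = """\
start             end                 module name
fffff800`01800000 fffff800`01de2000   nt         (pdb symbols)
fffff880`00e00000 fffff880`00e5c000   fltmgr     (deferred)
fffff960`00000000 fffff960`00310000   win32k     (deferred)
"""

# Constructed SysCallAddress samples in the form the trace reports them.
SAMPLE_SYSCALL_ADDRESSES = [
    0xFFFFF80001999EE0,  # nt!NtWriteFile, as cited in the question
    0xFFFFF80001999EE0,
    0xFFFFF9600004421C,  # the "mystery" address from the question
    0xFFFFF96000100C40,  # another win32k syscall (constructed)
    0xFFFFF96000500000,  # session space, but outside the listed win32k image
    0xFFFFF88001234560,  # neither session space nor any listed module
]

# Matches "fffff800`01800000 fffff800`01de2000   nt ..." style lines.
LM_LINE = re.compile(
    r"^([0-9a-f]{8})`([0-9a-f]{8})\s+([0-9a-f]{8})`([0-9a-f]{8})\s+(\S+)",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class KernelModule:
    name: str
    start: int
    end: int  # exclusive

    def contains(self, addr: int) -> bool:
        return self.start <= addr < self.end


def parse_lm(text: str) -> list[KernelModule]:
    """Parse WinDbg `lm` style output into module address ranges."""
    modules = []
    for line in text.splitlines():
        m = LM_LINE.match(line.strip())
        if not m:
            continue  # header line or anything that is not a module row
        start = int(m.group(1) + m.group(2), 16)
        end = int(m.group(3) + m.group(4), 16)
        modules.append(KernelModule(m.group(5), start, end))
    return modules


def classify(addr: int, modules: list[KernelModule]) -> str:
    """Return the module containing addr, or why it could not be resolved."""
    for mod in modules:
        if mod.contains(addr):
            return mod.name
    if SESSION_SPACE_START <= addr < SESSION_SPACE_END:
        # Session-space code with no matching image: most likely win32k.sys
        # (or another session driver) whose module info is not loaded.
        return "session-space (unlisted)"
    return "unknown"


def summarize(addresses: list[int], modules: list[KernelModule]) -> dict[str, int]:
    """Count syscall addresses per module label."""
    return dict(Counter(classify(a, modules) for a in addresses))


if __name__ == "__main__":
    mods = parse_lm(SAMPLE_LM)
    for addr in SAMPLE_SYSCALL_ADDRESSES:
        print(f"{addr:#018x}  {classify(addr, mods)}")
    print(summarize(SAMPLE_SYSCALL_ADDRESSES, mods))
```

On a real trace you would feed it the `lm` output captured from the debugger on the same boot (module bases change between boots) and the SysCallAddress column exported from the ETL, and any address that lands in "session-space (unlisted)" is the signal to load win32k.sys symbols in a GUI process context before trying `ln` again.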