Author: ThunderCats
Subject: Thread Stack in Procmon and Process Explorer
Posted: 18 September 2013 at 6:33am
Hi Dax,
Thanks for the response. Let me clarify what I meant to say.
1) If the thread call stack in Process Explorer displays the state of the thread at a certain moment, then two call stacks taken at two different times should be totally different. See below for my notepad.exe thread stack that I took when I started the notepad process:
========================================================================
ntkrnlpa.exe!KiUnexpectedInterrupt+0xbc
ntkrnlpa.exe!PsDereferencePrimaryToken+0x342
ntkrnlpa.exe!KiDeliverApc+0x124
ntdll.dll!KiFastSystemCallRet
notepad.exe+0x2a1b
notepad.exe+0x7511
kernel32.dll!RegisterWaitForInputIdle+0x49
========================================================================
After about ten minutes, I took another thread stack of the same thread and it was as follows:
========================================================================
ntkrnlpa.exe!KiUnexpectedInterrupt+0x121
ntkrnlpa.exe!ZwYieldExecution+0x1c8e
ntkrnlpa.exe!ZwYieldExecution+0x2570
ntkrnlpa.exe!ExReleaseResourceLite+0x8d
ntkrnlpa.exe!KeReleaseInStackQueuedSpinLockFromDpcLevel+0xb74
ntdll.dll!KiFastSystemCallRet
ntkrnlpa.exe!KiDispatchInterrupt+0x72e
NDIS.sys!NdisFreeToBlockPool+0x15df
ntdll.dll!KiFastSystemCallRet
notepad.exe+0x2a1b
notepad.exe+0x7511
kernel32.dll!RegisterWaitForInputIdle+0x49
========================================================================
We can clearly see that the second one has more functions called than the first. Now, per the thread call stack definition, the bottom of the stack is where the thread started. If I took a thread stack trace at time = 1 second and another at time = 10 mins, and we agree that the thread stack keeps changing, why at time = 10 mins am I seeing the bottom of both stacks exactly identical? Why would the thread stack in the second case (time = 10 mins) be the same for the first four functions (from the bottom of the stack) and then different for the next three or four functions? My understanding is that for the second case I should see a call stack something like below:
======================================================================
ntkrnlpa.exe!KiUnexpectedInterrupt+0x121
ntkrnlpa.exe!ZwYieldExecution+0x1c8e
ntkrnlpa.exe!ZwYieldExecution+0x2570
ntkrnlpa.exe!ExReleaseResourceLite+0x8d
ntkrnlpa.exe!KeReleaseInStackQueuedSpinLockFromDpcLevel+0xb74
ntdll.dll!KiFastSystemCallRet
ntkrnlpa.exe!KiDispatchInterrupt+0x72e
NDIS.sys!NdisFreeToBlockPool+0x15df
ntkrnlpa.exe!KiUnexpectedInterrupt+0xbc
ntkrnlpa.exe!PsDereferencePrimaryToken+0x342
ntkrnlpa.exe!KiDeliverApc+0x124
ntdll.dll!KiFastSystemCallRet
notepad.exe+0x2a1b
notepad.exe+0x7511
kernel32.dll!RegisterWaitForInputIdle+0x49
======================================================================
2) Per my understanding, each event in Procmon is caused by a thread and every event's call stack is basically the thread's call stack. So for the same notepad example, here is the call stack of one event (RegOpenKey) that I took @ t1:
=====================================================================
0 ntkrnlpa.exe KeReleaseInStackQueuedSpinLockFromDpcLevel + 0xb74 0x8054161c C:\WINDOWS\system32\ntkrnlpa.exe
1 ntdll.dll ntdll.dll + 0x22839 0x7c922839 C:\WINDOWS\system32\ntdll.dll
2 ntdll.dll ntdll.dll + 0x227e5 0x7c9227e5 C:\WINDOWS\system32\ntdll.dll
3 ntdll.dll ntdll.dll + 0xe437 0x7c90e437 C:\WINDOWS\system32\ntdll.dll
======================================================================
Now, immediately after that, another event (Create file) happened and its call stack is:
======================================================================
0 fltMgr.sys FltRequestOperationStatusCallback + 0xf52 0xba5e1888 C:\WINDOWS\System32\Drivers\fltMgr.sys
1 fltMgr.sys FltGetIrpName + 0x4e2 0xba5e32a0 C:\WINDOWS\System32\Drivers\fltMgr.sys
2 fltMgr.sys FltProcessFileLock + 0x1cdb 0xba5f0217 C:\WINDOWS\System32\Drivers\fltMgr.sys
3 fltMgr.sys FltProcessFileLock + 0x2206 0xba5f0742 C:\WINDOWS\System32\Drivers\fltMgr.sys
4 ntkrnlpa.exe IoBuildPartialMdl + 0xed 0x804ef18f C:\WINDOWS\system32\ntkrnlpa.exe
5 ntkrnlpa.exe NtMakePermanentObject + 0x11b2 0x805bf444 C:\WINDOWS\system32\ntkrnlpa.exe
6 ntkrnlpa.exe ObOpenObjectByName + 0xea 0x805bb9d0 C:\WINDOWS\system32\ntkrnlpa.exe
7 ntkrnlpa.exe IoCreateDevice + 0x745 0x80576033 C:\WINDOWS\system32\ntkrnlpa.exe
8 ntkrnlpa.exe IoCreateFile + 0x8e 0x805769aa C:\WINDOWS\system32\ntkrnlpa.exe
9 ntkrnlpa.exe NtOpenFile + 0x27 0x8057a1a9 C:\WINDOWS\system32\ntkrnlpa.exe
10 ntkrnlpa.exe KeReleaseInStackQueuedSpinLockFromDpcLevel + 0xb74 0x8054161c C:\WINDOWS\system32\ntkrnlpa.exe
11 ntdll.dll ntdll.dll + 0x21c78 0x7c921c78 C:\WINDOWS\system32\ntdll.dll
12 ntdll.dll ntdll.dll + 0x2108f 0x7c92108f C:\WINDOWS\system32\ntdll.dll
13 ntdll.dll ntdll.dll + 0xe437 0x7c90e437 C:\WINDOWS\system32\ntdll.dll
=======================================================================
So far so good... but now the call stack of the next event (Load image):
=======================================================================
0 ntkrnlpa.exe PsRemoveLoadImageNotifyRoutine + 0xb4 0x805d00b0 C:\WINDOWS\system32\ntkrnlpa.exe
1 ntkrnlpa.exe MmGetSystemRoutineAddress + 0x3265 0x805b1421 C:\WINDOWS\system32\ntkrnlpa.exe
2 ntkrnlpa.exe MmMapViewOfSection + 0x13c 0x805b1efe C:\WINDOWS\system32\ntkrnlpa.exe
3 ntkrnlpa.exe NtMapViewOfSection + 0x2bd 0x805b22c3 C:\WINDOWS\system32\ntkrnlpa.exe
4 ntkrnlpa.exe KeReleaseInStackQueuedSpinLockFromDpcLevel + 0xb74 0x8054161c C:\WINDOWS\system32\ntkrnlpa.exe
5 ntdll.dll ntdll.dll + 0x1624a 0x7c91624a C:\WINDOWS\system32\ntdll.dll
6 ntdll.dll ntdll.dll + 0x21dca 0x7c921dca C:\WINDOWS\system32\ntdll.dll
7 ntdll.dll ntdll.dll + 0x2108f 0x7c92108f C:\WINDOWS\system32\ntdll.dll
8 ntdll.dll ntdll.dll + 0xe437 0x7c90e437 C:\WINDOWS\system32\ntdll.dll
=======================================================================
You can see that the call stack is the same for 7 & 8 but then it became different. So the question is: if it's the same thread, shouldn't Procmon display a cumulative call stack for the event, and what rules does it follow to display those call stacks?
Really appreciate your help!
Thank you
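Added illustration of the behaviour asked about above. This is not part of the post, and it is not code from Process Explorer or Procmon; it is a small Python program in which a worker thread is parked at two points and its stack is read from another thread each time, which is the same operation a stack walker performs on a live thread. All function names in it (worker_entry, main_loop, open_registry_key, map_image, load_section, park) are invented for the demonstration.

```python
"""Added illustration: a thread's call stack is a point-in-time snapshot.

A worker thread is parked at two different points and its stack is read
from another thread each time. The frames at the bottom (thread entry,
main loop) are the same in both snapshots; above them sits only what the
thread is executing at that instant. Frames from calls that have already
returned are gone, so the second snapshot is not the first one plus more.
Every function name below is made up for the demonstration.
"""
import sys
import threading


# Hypothetical worker: entry -> main loop -> two units of work, one after the other.
def worker_entry(ctrl):
    main_loop(ctrl)


def main_loop(ctrl):
    open_registry_key(ctrl)   # returns before the next call starts
    map_image(ctrl)


def open_registry_key(ctrl):
    park(ctrl, "phase1")


def map_image(ctrl):
    load_section(ctrl)


def load_section(ctrl):
    park(ctrl, "phase2")


def park(ctrl, phase):
    # Tell the sampler we are here, then block until it has taken its snapshot.
    ctrl[phase + "_reached"].set()
    ctrl[phase + "_release"].wait()


def snapshot(thread_id):
    """Walk another thread's stack; return its frames in this module, outermost first.

    Frames that belong to threading.py are dropped. They are real, but they sit
    above the code we wrote, the way the ntdll/kernel frames in the Procmon
    output sit above the notepad.exe frames.
    """
    frame = sys._current_frames()[thread_id]
    names = []
    while frame is not None:
        if frame.f_globals is globals():
            names.append(frame.f_code.co_name)
        frame = frame.f_back
    names.reverse()          # bottom of stack (thread entry) first
    return names


def common_prefix(a, b):
    """Bottom-of-stack frames shared by two snapshots."""
    n = 0
    while n < min(len(a), len(b)) and a[n] == b[n]:
        n += 1
    return a[:n]


def sample_two_phases():
    """Run the worker, snapshot it in phase 1 and again in phase 2."""
    ctrl = {name: threading.Event() for name in
            ("phase1_reached", "phase1_release", "phase2_reached", "phase2_release")}
    t = threading.Thread(target=worker_entry, args=(ctrl,))
    t.start()
    ctrl["phase1_reached"].wait()
    first = snapshot(t.ident)
    ctrl["phase1_release"].set()
    ctrl["phase2_reached"].wait()
    second = snapshot(t.ident)
    ctrl["phase2_release"].set()
    t.join()
    return first, second


def as_procexp(names):
    """Render innermost frame first, the order Process Explorer uses."""
    return "\n".join(reversed(names))


if __name__ == "__main__":
    first, second = sample_two_phases()
    print("snapshot 1:\n" + as_procexp(first))
    print("\nsnapshot 2:\n" + as_procexp(second))
    print("\nshared bottom frames:", common_prefix(first, second))
```

Run directly, it prints both snapshots innermost-first. worker_entry and main_loop appear at the bottom of both because the thread has never left them; open_registry_key is absent from the second snapshot because it had returned before map_image was called, so it is not stacked underneath the newer frames.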