八、线程信息列表流(ThreadInfoListStream)
ThreadInfoListStream包含了线程状态信息,在ThreadListStream的后面就是ThreadInfoListStream了。
ThreadListStream如下:
0x720+0n3796=0x15F4
而ThreadInfoListStream如下:
所以ThreadInfoListStream紧挨着ThreadListStream,大小为5068字节。数据如下:
ThreadInfoListStream的数据由两个结构组成,一个是MINIDUMP_THREAD_INFO_LIST,另一个是MINIDUMP_THREAD_INFO。
MINIDUMP_THREAD_INFO_LIST包含数据大小的信息,相当于头部结构,如下:
typedef struct _MINIDUMP_THREAD_INFO_LIST { ULONG SizeOfHeader; ULONG SizeOfEntry; ULONG NumberOfEntries; } MINIDUMP_THREAD_INFO_LIST, *PMINIDUMP_THREAD_INFO_LIST;
成员如下:
SizeOfHeader
流的头数据的大小,以字节为单位。这通常是sizeof(MINIDUMP_THREAD_INFO_LIST)。
SizeOfEntry
头后面的每个条目的大小(以字节为单位)。这通常是sizeof(MINIDUMP_THREAD_INFO)。
NumberOfEntries
流中的条目数。这些通常是MINIDUMP_THREAD_INFO结构。条目跟随头部。
根据以上信息,我们可以做如下计算:
12+64*79=5068,刚好等于流目录里的DataSize,如下:
而MINIDUMP_THREAD_INFO结构包含线程真实的状态信息,如下:
typedef struct _MINIDUMP_THREAD_INFO { ULONG32 ThreadId; ULONG32 DumpFlags; ULONG32 DumpError; ULONG32 ExitStatus; ULONG64 CreateTime; ULONG64 ExitTime; ULONG64 KernelTime; ULONG64 UserTime; ULONG64 StartAddress; ULONG64 Affinity; } MINIDUMP_THREAD_INFO, *PMINIDUMP_THREAD_INFO;
成员如下:
ThreadId
线程标识
DumpFlags
指示线程状态的标志。此成员可以是0或以下值之一。
| Value | Meaning |
|---|---|
|
A placeholder thread due to an error accessing the thread. No thread information exists beyond the thread identifier. |
|
The thread has exited (not running any code) at the time of the dump. |
|
Thread context could not be retrieved. |
|
Thread information could not be retrieved. |
|
TEB information could not be retrieved. |
|
This is the thread that called MiniDumpWriteDump. |
DumpError
一个指示转储状态HRESULT值 .
ExitStatus
线程退出状态码
CreateTime
线程创建的时间,从1601年1月1日(UTC)开始,以100纳秒为间隔。
ExitTime
线程退出的时间,从1601年1月1日(UTC)开始,以100纳秒为间隔。
KernelTime
在内核模式下执行的时间,以100纳秒为间隔。
UserTime
在用户模式下执行的时间,以100纳秒为间隔。
StartAddress
线程的起始地址。
Affinity
处理器关联掩码
我们可以用如下命令查看上述数据信息
0:035> ~*e ? $tid;.ttime
Evaluate expression: 7148 = 00001bec
Created: Tue Oct 13 08:54:28.460 2020 (UTC + 8:00)
Kernel: 0 days 0:08:04.015
User: 0 days 1:46:31.640
Evaluate expression: 1788 = 000006fc
Created: Tue Oct 13 08:54:31.761 2020 (UTC + 8:00)
Kernel: 0 days 0:00:00.000
User: 0 days 0:00:00.000
-- User interrupted operation
0:035> ~*e ? $tid;.ttime
Evaluate expression: 7148 = 00001bec
Created: Tue Oct 13 08:54:28.460 2020 (UTC + 8:00)
Kernel: 0 days 0:08:04.015
User: 0 days 1:46:31.640
Evaluate expression: 1788 = 000006fc
Created: Tue Oct 13 08:54:31.761 2020 (UTC + 8:00)
Kernel: 0 days 0:00:00.000
User: 0 days 0:00:00.000
Evaluate expression: 16144 = 00003f10
Created: Tue Oct 13 08:54:32.119 2020 (UTC + 8:00)
Kernel: 0 days 0:00:00.000
User: 0 days 0:00:00.000
Evaluate expression: 14276 = 000037c4
Created: Tue Oct 13 08:54:32.285 2020 (UTC + 8:00)
Kernel: 0 days 0:00:00.000
User: 0 days 0:00:00.000
Evaluate expression: 12280 = 00002ff8
Created: Tue Oct 13 08:54:32.290 2020 (UTC + 8:00)
Kernel: 0 days 0:00:00.000
User: 0 days 0:00:00.000
Evaluate expression: 13948 = 0000367c
Created: Tue Oct 13 08:54:32.298 2020 (UTC + 8:00)
Kernel: 0 days 0:00:00.000
User: 0 days 0:00:00.000
Evaluate expression: 15564 = 00003ccc
Created: Tue Oct 13 08:54:32.660 2020 (UTC + 8:00)
Kernel: 0 days 0:00:00.015
User: 0 days 0:00:00.000
Evaluate expression: 8216 = 00002018
Created: Tue Oct 13 08:54:32.665 2020 (UTC + 8:00)
Kernel: 0 days 0:00:00.000
User: 0 days 0:00:00.000
Evaluate expression: 5576 = 000015c8
Created: Tue Oct 13 08:54:32.772 2020 (UTC + 8:00)
Kernel: 0 days 0:00:00.031
User: 0 days 0:00:00.015
Evaluate expression: 7684 = 00001e04
Created: Tue Oct 13 08:54:33.886 2020 (UTC + 8:00)
Kernel: 0 days 0:00:00.546
User: 0 days 0:00:00.812
Evaluate expression: 8120 = 00001fb8
Created: Tue Oct 13 08:54:34.390 2020 (UTC + 8:00)
Kernel: 0 days 0:00:00.000
User: 0 days 0:00:00.000
Evaluate expression: 12296 = 00003008
Created: Tue Oct 13 08:54:34.390 2020 (UTC + 8:00)
Kernel: 0 days 0:07:59.875
User: 0 days 0:10:34.984
Evaluate expression: 16120 = 00003ef8
Created: Tue Oct 13 08:54:34.425 2020 (UTC + 8:00)
Kernel: 0 days 0:00:00.000
User: 0 days 0:00:00.000
Evaluate expression: 16104 = 00003ee8
Created: Tue Oct 13 08:54:34.426 2020 (UTC + 8:00)
Kernel: 0 days 0:00:00.000
User: 0 days 0:00:00.000