HalpClockInterrupt函数调试指南之每次都在call hal!HalBeginSystemInterrupt下断点和开启hal!HalBeginSystemInterrupt断点非常重要

hal!HalpClockInterrupt函数调试指南之每次都在call hal!HalBeginSystemInterrupt下断点和开启hal!HalBeginSystemInterrupt断点

原则是用人家的时候在开启它，进入了函数后立马关闭，否则被优先级为0n29的抢占。

第一次调试记录：

0: kd> g
Breakpoint 20 hit
eax=00000041 ebx=f78cdff8 ecx=8999e620 edx=00001002 esi=00000000 edi=804edc60
eip=804ec714 esp=f78cdf5c ebp=f78cdf6c iopl=0 nv up di pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000046
hal!HalpClockInterrupt:
804ec714 54 push esp
0: kd> g
Breakpoint 26 hit
eax=00000041 ebx=f78cdf6c ecx=8999e620 edx=00001002 esi=00000000 edi=80b00720
eip=804ec7d0 esp=f78cdee0 ebp=f78cdef4 iopl=0 nv up di ng nz ac po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000092
hal!HalpClockInterrupt+0xbc:
804ec7d0 e85f210000 call hal!HalBeginSystemInterrupt (804ee934)
0: kd> t
Breakpoint 25 hit
eax=00000041 ebx=f78cdf6c ecx=8999e620 edx=00001002 esi=00000000 edi=80b00720
eip=804ee934 esp=f78cdedc ebp=f78cdef4 iopl=0 nv up di ng nz ac po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000092
hal!HalBeginSystemInterrupt:
804ee934 33c0 xor eax,eax
0: kd> g
Breakpoint 6 hit
eax=0002625a ebx=00000000 ecx=00000100 edx=00001002 esi=00000000 edi=80b00720
eip=80affa28 esp=f78cdeec ebp=f78cdef4 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
nt!KeUpdateSystemTime:
80affa28 64803de405000000 cmp byte ptr fs:[5E4h],0 fs:0030:000005e4=01
0: kd> !irql
Debugger saved IRQL for processor 0x0 -- 28 (CLOCK2_LEVEL)
0: kd> be 21
0: kd> g
Breakpoint 21 hit
eax=0002625a ebx=00000000 ecx=00000100 edx=00001002 esi=80affb51 edi=80b00720
eip=804ee8d0 esp=f78cdee8 ebp=f78cdef4 iopl=0 nv up di pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000006
hal!HalEndSystemInterrupt:
804ee8d0 33c9 xor ecx,ecx
0: kd> bd 21
0: kd> kc 3
#
00 hal!HalEndSystemInterrupt
01 nt!KeUpdateSystemTime
02 nt!KiDispatchInterrupt
0: kd> g
Breakpoint 23 hit
eax=0002625a ebx=00000000 ecx=00000041 edx=00000041 esi=80affb51 edi=80b00720
eip=80affb5d esp=f78cdef4 ebp=f78cdef4 iopl=0 nv up di pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000046
nt!KeUpdateSystemTime+0x135:
80affb5d e926cbffff jmp nt!KiExceptionExit (80afc688)
0: kd> !irql
Debugger saved IRQL for processor 0x0 -- 2 (DISPATCH_LEVEL)

第二次调试记录：

0: kd> g
Breakpoint 20 hit
eax=00000041 ebx=f78cdff8 ecx=8999e620 edx=00001002 esi=00000000 edi=804edc60
eip=804ec714 esp=f78cdf5c ebp=f78cdf6c iopl=0 nv up di pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000046
hal!HalpClockInterrupt:
804ec714 54 push esp
0: kd> bp hal!HalpClockInterrupt+0xbc
breakpoint 26 redefined
0: kd> g
Breakpoint 26 hit
eax=00000041 ebx=f78cdf6c ecx=8999e620 edx=00001002 esi=00000000 edi=80b00720
eip=804ec7d0 esp=f78cdee0 ebp=f78cdef4 iopl=0 nv up di ng nz ac po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000092
hal!HalpClockInterrupt+0xbc:
804ec7d0 e85f210000 call hal!HalBeginSystemInterrupt (804ee934)
0: kd> be 25
0: kd> t
Breakpoint 25 hit
eax=00000041 ebx=f78cdf6c ecx=8999e620 edx=00001002 esi=00000000 edi=80b00720
eip=804ee934 esp=f78cdedc ebp=f78cdef4 iopl=0 nv up di ng nz ac po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000092
hal!HalBeginSystemInterrupt:
804ee934 33c0 xor eax,eax
0: kd> kc 4
#
00 hal!HalBeginSystemInterrupt
01 hal!HalpClockInterrupt
02 nt!KiDispatchInterrupt
03 hal!HalpDispatchInterrupt
0: kd> !Irql
Debugger saved IRQL for processor 0x0 -- 2 (DISPATCH_LEVEL)
0: kd> g
Breakpoint 6 hit
eax=0002625a ebx=00000000 ecx=00000100 edx=00001002 esi=00000000 edi=80b00720
eip=80affa28 esp=f78cdeec ebp=f78cdef4 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
nt!KeUpdateSystemTime:
80affa28 64803de405000000 cmp byte ptr fs:[5E4h],0 fs:0030:000005e4=01
0: kd> !irql
Debugger saved IRQL for processor 0x0 -- 28 (CLOCK2_LEVEL)
0: kd> kc 3
#
00 nt!KeUpdateSystemTime
01 nt!KiDispatchInterrupt
02 hal!HalpDispatchInterrupt
0: kd> bd 25
0: kd> be 21
0: kd> g
Breakpoint 21 hit
eax=0002625a ebx=00000000 ecx=00000100 edx=00001002 esi=80affb51 edi=80b00720
eip=804ee8d0 esp=f78cdee8 ebp=f78cdef4 iopl=0 nv up di pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000002
hal!HalEndSystemInterrupt:
804ee8d0 33c9 xor ecx,ecx
0: kd> kc 4
#
00 hal!HalEndSystemInterrupt
01 nt!KeUpdateSystemTime
02 nt!KiDispatchInterrupt
03 hal!HalpDispatchInterrupt
0: kd> bd 21
0: kd> !Irql
Debugger saved IRQL for processor 0x0 -- 28 (CLOCK2_LEVEL)
0: kd> g
Breakpoint 23 hit
eax=0002625a ebx=00000000 ecx=00000041 edx=00000041 esi=80affb51 edi=80b00720
eip=80affb5d esp=f78cdef4 ebp=f78cdef4 iopl=0 nv up di pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000046
nt!KeUpdateSystemTime+0x135:
80affb5d e926cbffff jmp nt!KiExceptionExit (80afc688)
0: kd> kc 4
#
00 nt!KeUpdateSystemTime
01 nt!KiDispatchInterrupt
02 hal!HalpDispatchInterrupt
03 hal!KfLowerIrql
0: kd> !irql
Debugger saved IRQL for processor 0x0 -- 2 (DISPATCH_LEVEL)

第三部分：hal!HalpClockInterrupt调试指南之调试断点收集

6 e Disable Clear 80affa28 0001 (0001) nt!KeUpdateSystemTime

20 e Disable Clear 804ec714 0001 (0001) hal!HalpClockInterrupt

21 d Enable Clear 804ee8d0 0001 (0001) hal!HalEndSystemInterrupt

23 e Disable Clear 80affb5d 0001 (0001) nt!KeUpdateSystemTime+0x135

25 d Enable Clear 804ee934 0001 (0001) hal!HalBeginSystemInterrupt
26 e Disable Clear 804ec7d0 0001 (0001) hal!HalpClockInterrupt+0xbc