How can I enumerate work items?

Hi,

I'm reading a book that has an exercise for the reader. It says to write a driver that enumerates all work items in the system. I guess it would be a good exercise for understanding work items and practising some kernel-level programming.

I started digging into it and reverse engineered ExQueueWorkItem (on Win7 x32). After spending some time on it, I figured out that there is an array which stores work items, nt!ExWorkerQueue. Subsequently I read some code from ReactOS, and also some articles on MSDN, to understand what is going on under the hood a bit more.

I created a work item myself for testing with WinDbg. But it looks like I did something wrong. I inserted a __debugbreak() in my worker routine so it broke in it, then I investigated ExWorkerQueue:

kd> ? nt!ExWorkerQueue
Evaluate expression: -2102053504 = 82b53580
kd> dt nt!_EX_WORK_QUEUE 82b53580
   +0x000 WorkerQueue      : _KQUEUE
   +0x028 DynamicThreadCount : 0
   +0x02c WorkItemsProcessed : 0x33f0
   +0x030 WorkItemsProcessedLastPass : 0x33ec
   +0x034 QueueDepthLastPass : 0
   +0x038 Info             : EX_QUEUE_WORKER_INFO
kd> dt nt!_KQUEUE 82b53580
   +0x000 Header           : _DISPATCHER_HEADER
   +0x010 EntryListHead    : _LIST_ENTRY [0x82b53590 - 0x82b53590]
   +0x018 CurrentCount     : 1
   +0x01c MaximumCount     : 1
   +0x020 ThreadListHead   : _LIST_ENTRY [0x85211928 - 0x851ffe68]

I created my work item for CriticalWorkQueue, so I checked ExWorkerQueue[0]. When I look at EntryListHead it is 0x82b53590 - 0x82b53590. So there is no list entry? Whereas I created one, and I think the kernel should have some worker threads anyway… I started digging deeper and learned that work items are removed from the queue before they get called. So that sheds some light on why my work item is not in the queue, but where are the work items which are created by the kernel?

When I use !exqueue it gives me the worker threads, including mine. So I assume there are other work items. But why can't I see them in ExWorkerQueue? I reverse engineered the WinDbg extension to see how !exqueue works. It looks like it does what I did: it uses ExWorkerQueue.

I guess I'm stuck with it. I think it would be awesome if someone experienced in the kernel could show me a hint…

Best regards,

Bekir
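Added example, not part of the original post or of any Microsoft or ReactOS code: a user-mode C model of what the post is looking at. In the WinDbg output above, EntryListHead lives at ExWorkerQueue + 0x10 = 0x82b53590, so "[0x82b53590 - 0x82b53590]" means Flink and Blink both point back at the list head itself, which is exactly the empty-list state of a LIST_ENTRY. The model reproduces that: items are linked into the queue with the WDK-style list helpers, an enumeration routine walks EntryListHead and recovers each WORK_QUEUE_ITEM with CONTAINING_RECORD (the walk a driver for the book's exercise would do), and a worker pass removes each item from the list before calling its routine, so a routine that inspects the queue from inside (the post's __debugbreak() scenario) never finds itself queued. MODEL_KQUEUE is an assumption that keeps only the list head; it is not the real nt!_KQUEUE layout, which is undocumented and version-specific, and walking EntryListHead in a real driver shows only items still pending, never the ones already handed to a worker thread.

```c
#include <stddef.h>
#include <stdio.h>

/* LIST_ENTRY and list helpers, written the way the public WDK headers define them. */
typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;
    struct _LIST_ENTRY *Blink;
} LIST_ENTRY;

#define CONTAINING_RECORD(address, type, field) \
    ((type *)((char *)(address) - offsetof(type, field)))

static void InitializeListHead(LIST_ENTRY *Head)
{
    Head->Flink = Head->Blink = Head;          /* empty list: head points at itself */
}

static int IsListEmpty(LIST_ENTRY *Head)
{
    return Head->Flink == Head;
}

static void InsertTailList(LIST_ENTRY *Head, LIST_ENTRY *Entry)
{
    LIST_ENTRY *Last = Head->Blink;
    Entry->Flink = Head;
    Entry->Blink = Last;
    Last->Flink  = Entry;
    Head->Blink  = Entry;
}

static LIST_ENTRY *RemoveHeadList(LIST_ENTRY *Head)
{
    LIST_ENTRY *Entry = Head->Flink;
    LIST_ENTRY *Next  = Entry->Flink;
    Head->Flink = Next;
    Next->Blink = Head;
    return Entry;
}

typedef void (*WORKER_THREAD_ROUTINE)(void *Parameter);

/* Same field order as the documented WORK_QUEUE_ITEM: the LIST_ENTRY comes first. */
typedef struct _WORK_QUEUE_ITEM {
    LIST_ENTRY            List;
    WORKER_THREAD_ROUTINE WorkerRoutine;
    void                 *Parameter;
} WORK_QUEUE_ITEM;

/* Assumption for this model only: a queue reduced to its EntryListHead. */
typedef struct _MODEL_KQUEUE {
    LIST_ENTRY EntryListHead;
} MODEL_KQUEUE;

/* ExQueueWorkItem analogue: link the item onto the queue's entry list. */
static void ModelQueueWorkItem(MODEL_KQUEUE *Queue, WORK_QUEUE_ITEM *Item)
{
    InsertTailList(&Queue->EntryListHead, &Item->List);
}

/* The enumeration the exercise asks for: walk EntryListHead, recover each item
 * from its embedded LIST_ENTRY, and return how many are pending. */
static size_t EnumerateWorkItems(MODEL_KQUEUE *Queue, WORK_QUEUE_ITEM **Out, size_t Max)
{
    size_t n = 0;
    for (LIST_ENTRY *e = Queue->EntryListHead.Flink; e != &Queue->EntryListHead; e = e->Flink) {
        WORK_QUEUE_ITEM *item = CONTAINING_RECORD(e, WORK_QUEUE_ITEM, List);
        if (Out && n < Max) Out[n] = item;
        n++;
    }
    return n;
}

#define MAX_ITEMS 8
static MODEL_KQUEUE    g_queue;
static WORK_QUEUE_ITEM g_items[MAX_ITEMS];
static size_t          g_seen[MAX_ITEMS];   /* items still queued when routine i ran */
static size_t          g_run_index;

/* Worker routine that inspects the queue from inside, like a __debugbreak() would. */
static void DemoRoutine(void *Parameter)
{
    g_seen[g_run_index++] = EnumerateWorkItems((MODEL_KQUEUE *)Parameter, NULL, 0);
}

/* Queue n constructed items; returns the count visible before any dispatch. */
static size_t QueueItems(size_t n)
{
    InitializeListHead(&g_queue.EntryListHead);
    g_run_index = 0;
    if (n > MAX_ITEMS) n = MAX_ITEMS;
    for (size_t i = 0; i < n; i++) {
        g_items[i].WorkerRoutine = DemoRoutine;
        g_items[i].Parameter     = &g_queue;
        ModelQueueWorkItem(&g_queue, &g_items[i]);
    }
    return EnumerateWorkItems(&g_queue, NULL, 0);
}

/* Worker thread analogue: unlink first, then call. Returns routines executed. */
static size_t DispatchAll(void)
{
    size_t ran = 0;
    while (!IsListEmpty(&g_queue.EntryListHead)) {
        LIST_ENTRY *e = RemoveHeadList(&g_queue.EntryListHead);
        WORK_QUEUE_ITEM *item = CONTAINING_RECORD(e, WORK_QUEUE_ITEM, List);
        item->WorkerRoutine(item->Parameter);
        ran++;
    }
    return ran;
}

static size_t SeenDuringRun(size_t i) { return g_seen[i]; }

int main(void)
{
    printf("pending before dispatch: %zu\n", QueueItems(2));
    size_t ran = DispatchAll();
    for (size_t i = 0; i < ran; i++)
        printf("routine %zu saw %zu item(s) still queued\n", i, SeenDuringRun(i));
    printf("queue empty after dispatch: %d\n", IsListEmpty(&g_queue.EntryListHead));
    return 0;
}
```

With two items queued, the first routine still sees the second item pending and the second sees nothing; with the single item the post created, the routine finds the list already empty, with Flink and Blink pointing at the head, which is the state the dt output shows.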