Hi,
I’m reading a book that has an exercise for the reader. It says to write a driver that enumerates all work items in the system. I guess it would be a good exercise for understanding work items and practicing some kernel-level programming.
I started digging into it and reverse engineered ExQueueWorkItem (on Win7 x32). After spending some time on it, I figured out that there is an array which stores work items, nt!ExWorkerQueue. Subsequently I read some code from ReactOS, and also some articles on MSDN, to understand what is going on under the hood a bit more.
I created a work item myself for testing with WinDbg, but it looks like I did something wrong. I inserted a __debugbreak() in my worker routine so it broke into it, then I investigated ExWorkerQueue:
kd> ? nt!ExWorkerQueue
Evaluate expression: -2102053504 = 82b53580
kd> dt nt!_EX_WORK_QUEUE 82b53580
+0x000 WorkerQueue : _KQUEUE
+0x028 DynamicThreadCount : 0
+0x02c WorkItemsProcessed : 0x33f0
+0x030 WorkItemsProcessedLastPass : 0x33ec
+0x034 QueueDepthLastPass : 0
+0x038 Info : EX_QUEUE_WORKER_INFO
kd> dt nt!_KQUEUE 82b53580
+0x000 Header : _DISPATCHER_HEADER
+0x010 EntryListHead : _LIST_ENTRY [0x82b53590 - 0x82b53590]
+0x018 CurrentCount : 1
+0x01c MaximumCount : 1
+0x020 ThreadListHead : _LIST_ENTRY [0x85211928 - 0x851ffe68]
I created my work item for CriticalWorkQueue, so I checked ExWorkerQueue[0]. When I look at EntryListHead it is 0x82b53590 - 0x82b53590. So there is no list entry? Yet I created one, and I think the kernel should have some worker threads anyway… I started digging deeper and learned that work items are removed from the queue before they get called. That sheds some light on why my work item is not in the queue, but where are the work items created by the kernel?
When I use !exqueue it gives me the worker threads, including mine. So there are other work items, I assume. But why can't I see them in ExWorkerQueue? I reverse engineered the WinDbg extension to see how !exqueue works. It looks like it does what I did: it uses ExWorkerQueue.
I guess I'm stuck with it. I think it would be awesome if someone experienced in the kernel could give me a hint…
Best regards,
Bekir
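The dequeue-before-call behaviour the post describes, as an added user-mode C model (not code from the post or from Windows); the LIST_ENTRY / WORK_QUEUE_ITEM shapes are modelled on ntddk.h, the queue head stands in for ExWorkerQueue[0].WorkerQueue.EntryListHead, and the test item is constructed here:

```c
#include <stddef.h>
/* User-mode model of the kernel LIST_ENTRY / work-queue pattern. Names mirror
   ntddk.h (LIST_ENTRY, WORK_QUEUE_ITEM) but this is a constructed simulation,
   not the kernel's own code. */
typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;
typedef struct _WORK_QUEUE_ITEM {
    LIST_ENTRY List;
    void (*WorkerRoutine)(void *);
    void *Parameter;
} WORK_QUEUE_ITEM;
/* Stands in for ExWorkerQueue[CriticalWorkQueue].WorkerQueue.EntryListHead.
   An empty list has Flink == Blink == &head, which is what the dt output
   "[0x82b53590 - 0x82b53590]" shows: both links equal the head's own address. */
static LIST_ENTRY EntryListHead;
static WORK_QUEUE_ITEM MyItem;          /* constructed test item */
static size_t SeenInsideRoutine;

static void InsertTailList(LIST_ENTRY *h, LIST_ENTRY *e) {
    e->Flink = h; e->Blink = h->Blink; h->Blink->Flink = e; h->Blink = e;
}
static LIST_ENTRY *RemoveHeadList(LIST_ENTRY *h) {
    LIST_ENTRY *e = h->Flink; h->Flink = e->Flink; e->Flink->Blink = h; return e;
}

/* Walk EntryListHead the way an enumerating driver would. */
size_t CountQueuedItems(void) {
    size_t n = 0;
    for (LIST_ENTRY *p = EntryListHead.Flink; p != &EntryListHead; p = p->Flink) n++;
    return n;
}
int QueueIsEmpty(void) { return EntryListHead.Flink == &EntryListHead; }
/* Plays the role of the routine holding __debugbreak(): it records how many
   items are linked in the queue at the moment it runs. */
static void MyWorkerRoutine(void *ctx) { (void)ctx; SeenInsideRoutine = CountQueuedItems(); }

size_t QueueTestItem(void) {            /* InitializeListHead + ExQueueWorkItem */
    EntryListHead.Flink = EntryListHead.Blink = &EntryListHead;
    MyItem.WorkerRoutine = MyWorkerRoutine; MyItem.Parameter = NULL;
    InsertTailList(&EntryListHead, &MyItem.List);
    return CountQueuedItems();          /* 1: visible while still queued */
}

/* Worker-thread side: the item is unlinked BEFORE its routine is called, so a
   breakpoint inside the routine already sees an empty queue. */
size_t RunWorkerOnce(void) {
    LIST_ENTRY *e = RemoveHeadList(&EntryListHead);
    WORK_QUEUE_ITEM *item = (WORK_QUEUE_ITEM *)((char *)e - offsetof(WORK_QUEUE_ITEM, List));
    item->WorkerRoutine(item->Parameter);
    return SeenInsideRoutine;           /* 0: already dequeued when routine runs */
}
```

Walking EntryListHead therefore only ever shows items that are queued but not yet picked up by a worker thread, which is why a breakpoint in your own routine finds the list pointing back at itself.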