Windbg script for kerneltimers view

a guest
Oct 11th, 2011
  1. $$ Author: Matthieu Suiche (msuiche / MoonSols)
  2. $$ October 2011
  3. $$ v 1.1
  4.  
  5. .printf "Offset DueTime Period(ms) Routine Signaled Module\n"
  6.  
  7. r? $t2 = 256
  8.  
  9. .for (r $t1 = 0; @$t1 < @$t2; r $t1 = @$t1 + 1)
  10. {
  11. .block
  12. {
  13. .if (low(dwo(nt!NtBuildNumber)) >= 0n7600)
  14. {
  15. $$ Windows 7
  16. r? $t3 = @$pcr->PrcbData.TimerTable.TimerEntries[@$t1].Entry.Flink
  17. }
  18. .else
  19. {
  20. $$ Windows XP
  21. r $t3 = nt!KiTimerTableListHead + (@@c++(sizeof(nt!_LIST_ENTRY)) * @$t1)
  22. r? $t3 = ((nt!_LIST_ENTRY *)@$t3)->Flink
  23. }
  24. }
  25. r? $t4 = @$t3
  26. r? $t5 = 0
  27.  
  28. r $t8 = 0
  29.  
  30. .while (@$t5 != @$t3)
  31. {
  32. r $t5 = (@$t4 - @@c++(#FIELD_OFFSET(nt!_KTIMER, TimerListEntry)));
  33. r? $t5 = (nt!_KTIMER *)@$t5;
  34.  
  35. $$ ? @$t5
  36.  
  37. r? $t6 = @$t5->Dpc
  38.  
  39. .if ($vvalid(@$t5, 1))
  40. {
  41. r $t7 = 0
  42. $$ TimerNotificationObject
  43. .if (@@c++(@$t5->Header.Type) == 8) { r $t7 = 1 }
  44. $$ TimerSynchronizationObject
  45. .if (@@c++(@$t5->Header.Type) == 8-9) { r $t7 = 1 }
  46.  
  47. $$ Is type valid
  48. .if (@$t7)
  49. {
  50. .if ($vvalid(@$t6, 1))
  51. {
  52. r $t8 = 0
  53. .if (@@c++(@$t6->DeferredRoutine))
  54. {
  55. $$ http://msdn.moonsols.com/win7rtm_x86/KOBJECTS.html
  56. $$ DpcObject = 19 /*0x13*/,
  57. .if (@@c++(@$t6->Type) == 0n19) { r $t8 = 1 }
  58. $$ ThreadedDpcObject = 24 /*0x18*/
  59. .if (@@c++(@$t6->Type) == 0n24) { r $t8 = 1 }
  60. }
  61.  
  62. .if (@$t8)
  63. {
  64. .printf "%p %08X:%08X ", @$t5, @@c++(@$t5->DueTime.HighPart), @@c++(@$t5->DueTime.LowPart)
  65.  
  66. .if (@@c++(@$t5->Period) > 0)
  67. {
  68. .printf "%8d ", @@c++(@$t5->Period) }
  69. .else
  70. {
  71. .printf "-------- "
  72. }
  73.  
  74. .printf " %p ", @$t6
  75.  
  76. .if (@@c++(@$t5->Header.SignalState)) { .printf "Yes" } .else { .printf "---" }
  77.  
  78. .printf " %ly ", @@c++(@$t6->DeferredRoutine)
  79.  
  80. .printf "\n"
  81. }
  82. }
  83.  
  84. r $t8 = @$t8 + 1
  85. }
  86. $$ .else
  87. $$ {
  88. $$ .printf "(%3d) %p %08X:%08X ", @$t1, @$t5, @@c++(@$t5->DueTime.HighPart), @@c++(@$t5->DueTime.LowPart)
  89. $$ .if (@@c++(@$t5->Header.SignalState)) { .printf "Yes" } .else { .printf "---" }
  90. $$ }
  91. }
  92.  
  93. r? $t4 = @$t5->TimerListEntry.Flink
  94. r? $t5 = @$t4
  95.  
  96. .if (@$t5 == poi(@$t5)) { .break }
  97. $$ Ugly hack to avoid infinite loop, in case a linked list is broken.
  98. .if (@$t8 > 10) { .break }
  99. }
  100. }
  101.  
  102.  