Debugging Scenario

  1. WinSCard!SCardConnect() to Card1
  2. WinSCard!SCardConnect() to Card2
  3. WinSCard!SCardBeginTransaction() to Card2
  4. WinSCard!SCardTransmit() to Card2
  5. WinSCard!SCardDisconnect() to Card1: the client's ReadFile on the Smart Card Resource Manager named pipe never gets its reply, so the IRP stays pending and the thread stays blocked in NtReadFile.
  6. Remove Card1 from the PC: the IRP is then completed, and the I/O completion kernel APC delivered to the waiting thread (KiDeliverApc -> IopCompleteRequest -> KeSetEvent in the log below) signals the file object's event and releases the thread.

Debug Log
kd> !process 81706020 7
PROCESS 81706020 SessionId: 0 Cid: 06a4 Peb: 7ffde000 ParentCid: 0470
DirBase: 07fa0220 ObjectTable: e1973208 HandleCount: 55.
Image: SC2Con.exe
VadRoot 816b65b8 Vads 51 Clone 0 Private 104. Modified 0. Locked 0.
DeviceMap e1d5f890
Token e104d518
ElapsedTime 00:00:16.687
UserTime 00:00:00.015
KernelTime 00:00:00.046
QuotaPoolUsage[PagedPool] 35556
QuotaPoolUsage[NonPagedPool] 2040
Working Set Sizes (now,min,max) (569, 50, 345) (2276KB, 200KB, 1380KB)
PeakWorkingSetSize 569
VirtualSize 17 Mb
PeakVirtualSize 17 Mb
PageFaultCount 567
MemoryPriority BACKGROUND
BasePriority 8
CommitCharge 157

THREAD 8170c020 Cid 06a4.0874 Teb: 7ffdd000 Win32Thread: e20e9050 WAIT: (Executive) UserMode Non-Alertable
81982904 NotificationEvent
IRP List:
815de640: (0006,0094) Flags: 00000900 Mdl: 00000000
Not impersonating
DeviceMap e1d5f890
Owning Process 81706020 Image: SC2Con.exe
Attached Process N/A Image: N/A
Wait Start TickCount 54475 Ticks: 1057 (0:00:00:16.515)
Context Switch Count 89 LargeStack
UserTime 00:00:00.000
KernelTime 00:00:00.046
Win32 Start Address SC2Con (0x0040138b)
Start Address kernel32!BaseProcessStartThunk (0x7c8106f5)
Stack Init f751c000 Current f751bc1c Base f751c000 Limit f7517000 Call 0
Priority 11 BasePriority 8 PriorityDecrement 2 DecrementCount 16
ChildEBP RetAddr Args to Child
f751bc34 80502ce6 8170c090 8170c020 804fbd72 nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])
f751bc40 804fbd72 00000103 00000000 815de640 nt!KiSwapThread+0x46 (FPO: [0,0,0])
f751bc68 80576e56 00000001 00000000 817cb701 nt!KeWaitForSingleObject+0x1c2 (FPO: [5,5,4])
f751bc90 80573daa 817cb770 00000103 819828a8 nt!IopSynchronousServiceTail+0xe8 (FPO: [7,0,4])
f751bd38 8053f648 000000c8 000000cc 00000000 nt!NtReadFile+0x580 (FPO: [Non-Fpo])
f751bd38 7c94e4f4 000000c8 000000cc 00000000 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ f751bd64)
0012f934 7c94d9bc 7c80199d 000000c8 000000cc ntdll!KiFastSystemCallRet (FPO: [0,0,0])
0012f938 7c80199d 000000c8 000000cc 00000000 ntdll!ZwReadFile+0xc (FPO: [9,0,0])
0012f9a0 7235050f 000000c8 0012f9f0 00000008 kernel32!ReadFile+0x10d (FPO: [Non-Fpo])
0012f9d8 7235029f 0012f9f0 00000000 00383de8 WinSCard!CComChannel::Receive+0x2c (FPO: [2,4,4])
0012f9f8 7234c322 00383e38 00000000 00383de8 WinSCard!CComObject::Receive+0x25 (FPO: [1,2,0])
0012fa64 72346351 00000000 00000000 00000a28 WinSCard!CReaderContext::Disconnect+0x80 (FPO: [1,21,0])
0012faac 004011c8 ea010000 00000000 7ffde000 WinSCard!SCardDisconnect+0x57 (FPO: [2,12,0])
WARNING: Stack unwind information not available. Following frames may be wrong.
0012ffc0 7c817067 00380035 00370034 7ffde000 SC2Con+0x11c8
0012fff0 00000000 0040138b 00000000 78746341 kernel32!BaseProcessStart+0x23 (FPO: [Non-Fpo])

kd> !irp 815de640 f
Irp is active with 1 stacks 1 is current (= 0x815de6b0)
No Mdl: No System Buffer: Thread 8170c020: Irp stack trace.
Flags = 00000900
ThreadListEntry.Flink = 8170c230
ThreadListEntry.Blink = 8170c230
IoStatus.Status = 00000000
IoStatus.Information = 00000000
RequestorMode = 00000001
Cancel = 00
CancelIrql = 0
ApcEnvironment = 00
UserIosb = 00383e50
UserEvent = 818246c8
Overlay.AsynchronousParameters.UserApcRoutine = 00000000
Overlay.AsynchronousParameters.UserApcContext = 00383e50
Overlay.AllocationSize = 00000000 - 00000000
CancelRoutine = f9cbc368 Npfs!NpCancelDataQueueIrp
UserBuffer = 0012f9f0
&Tail.Overlay.DeviceQueueEntry = 815de680
Tail.Overlay.Thread = 8170c020
Tail.Overlay.AuxiliaryBuffer = 00000000
Tail.Overlay.ListEntry.Flink = 00000000
Tail.Overlay.ListEntry.Blink = 00000000
Tail.Overlay.CurrentStackLocation = 815de6b0
Tail.Overlay.OriginalFileObject = 819828a8
Tail.Apc = 00000000
Tail.CompletionKey = 00000000
cmd flg cl Device File Completion-Context
>[ 3, 0] 0 1 817cb770 819828a8 00000000-00000000 pending
\FileSystem\Npfs
Args: 00000008 00000000 00000000 00000000

kd> dt _FILE_OBJECT 819828a8
ntdll!_FILE_OBJECT
+0x000 Type : 5
+0x002 Size : 112
+0x004 DeviceObject : 0x817cb770 _DEVICE_OBJECT
+0x008 Vpb : (null)
+0x00c FsContext : 0xe1d87490
+0x010 FsContext2 : 0x816b7458
+0x014 SectionObjectPointer : (null)
+0x018 PrivateCacheMap : 0x00000001
+0x01c FinalStatus : 0
+0x020 RelatedFileObject : (null)
+0x024 LockOperation : 0 ''
+0x025 DeletePending : 0 ''
+0x026 ReadAccess : 0 ''
+0x027 WriteAccess : 0 ''
+0x028 DeleteAccess : 0 ''
+0x029 SharedRead : 0 ''
+0x02a SharedWrite : 0 ''
+0x02b SharedDelete : 0 ''
+0x02c Flags : 0x40082
+0x030 FileName : _UNICODE_STRING "\Microsoft Smart Card Resource Manager0"
+0x038 CurrentByteOffset : _LARGE_INTEGER 0x0
+0x040 Waiters : 0
+0x044 Busy : 1
+0x048 LastLock : (null)
+0x04c Lock : _KEVENT
+0x05c Event : _KEVENT
+0x06c CompletionContext : (null)

kd> dc 819828a8+4c
819828f4 00040001 00000000 819828fc 819828fc .........(...(..
81982904 00040000 00000000 8170c090 8170c090 ..........p...p.
81982914 00000000 0a060013 ee657645 00000003 ........Eve.....
81982924 00000001 819c3980 00000000 8055c280 .....9........U.
81982934 00000000 00040001 00000000 817303d0 ..............s.
81982944 817303d0 0a060006 ee657645 00000001 ..s.....Eve.....
81982954 00000001 819c3980 00000000 8055c280 .....9........U.
81982964 00000000 81047001 00000000 81982970 .....p......p)..
kd> dc 819828a8+5c
81982904 00040000 00000000 8170c090 8170c090 ..........p...p.
81982914 00000000 0a060013 ee657645 00000003 ........Eve.....
81982924 00000001 819c3980 00000000 8055c280 .....9........U.
81982934 00000000 00040001 00000000 817303d0 ..............s.
81982944 817303d0 0a060006 ee657645 00000001 ..s.....Eve.....
81982954 00000001 819c3980 00000000 8055c280 .....9........U.
81982964 00000000 81047001 00000000 81982970 .....p......p)..
81982974 81982970 0a050006 6e66744e 001c0707 p)......Ntfn....

kd> dt _KEVENT 81982904 /r
ntdll!_KEVENT
+0x000 Header : _DISPATCHER_HEADER
+0x000 Type : 0 ''
+0x001 Absolute : 0 ''
+0x002 Size : 0x4 ''
+0x003 Inserted : 0 ''
+0x004 SignalState : 0
+0x008 WaitListHead : _LIST_ENTRY [ 0x8170c090 - 0x8170c090 ]
+0x000 Flink : 0x8170c090 _LIST_ENTRY [ 0x8198290c - 0x8198290c ]
+0x004 Blink : 0x8170c090 _LIST_ENTRY [ 0x8198290c - 0x8198290c ]

kd> ba w4 81982904 + 4

kd> g
Breakpoint 1 hit
nt!KeSetEvent+0x26:
804fafe2 eb30 jmp nt!KeSetEvent+0x58 (804fb014)

kd> kv100
ChildEBP RetAddr Args to Child
f751bb80 804f5d42 81982904 00000000 00000000 nt!KeSetEvent+0x26 (FPO: [3,0,4])
f751bbd8 804ffaf1 815de680 f751bc24 f751bc18 nt!IopCompleteRequest+0x25e (FPO: [Non-Fpo])
f751bc28 80502d04 00000000 00000000 00000000 nt!KiDeliverApc+0xb3 (FPO: [3,10,0])
f751bc40 804fbd72 00000103 00000000 815de640 nt!KiSwapThread+0x64 (FPO: [0,0,0])
f751bc68 80576e56 00000001 00000000 817cb701 nt!KeWaitForSingleObject+0x1c2 (FPO: [5,5,4])
f751bc90 80573daa 817cb770 00000103 819828a8 nt!IopSynchronousServiceTail+0xe8 (FPO: [7,0,4])
f751bd38 8053f648 000000c8 000000cc 00000000 nt!NtReadFile+0x580 (FPO: [Non-Fpo])
f751bd38 7c94e4f4 000000c8 000000cc 00000000 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ f751bd64)
0012f934 7c94d9bc 7c80199d 000000c8 000000cc ntdll!KiFastSystemCallRet (FPO: [0,0,0])
0012f938 7c80199d 000000c8 000000cc 00000000 ntdll!ZwReadFile+0xc (FPO: [9,0,0])
0012f9a0 7235050f 000000c8 0012f9f0 00000008 kernel32!ReadFile+0x10d (FPO: [Non-Fpo])
0012f9d8 7235029f 0012f9f0 00000000 00383de8 WinSCard!CComChannel::Receive+0x2c (FPO: [2,4,4])
0012f9f8 7234c322 00383e38 00000000 00383de8 WinSCard!CComObject::Receive+0x25 (FPO: [1,2,0])
0012fa64 72346351 00000000 00000000 00000a28 WinSCard!CReaderContext::Disconnect+0x80 (FPO: [1,21,0])
0012faac 004011c8 ea010000 00000000 7ffde000 WinSCard!SCardDisconnect+0x57 (FPO: [2,12,0])
WARNING: Stack unwind information not available. Following frames may be wrong.
0012ffc0 7c817067 00380035 00370034 7ffde000 SC2Con+0x11c8
0012fff0 00000000 0040138b 00000000 78746341 kernel32!BaseProcessStart+0x23 (FPO: [Non-Fpo])
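The same reasoning done by hand above (read the raw dc dump of the FILE_OBJECT, find the _KEVENT the thread sleeps on, pick the SignalState dword for the write breakpoint, and tie the wait-list Flink back to the waiting KTHREAD) can be mechanised so it works on a dump where symbols are missing. The following is an added example, not code from the original log: it embeds the dwords shown by `dc 819828a8+4c` on this page as constructed input, uses the x86 _FILE_OBJECT (+0x4c Lock, +0x5c Event) and _KEVENT (+0x04 SignalState, +0x08 WaitListHead) offsets that `dt` printed above, and re-renders the `dc` ASCII column. The KTHREAD.WaitBlock offset of 0x70 is an assumption about this XP-era kernel build; the log itself only shows that the Flink 8170c090 lies inside thread 8170c020.

```c
/*
 * Added example (not from the original debug log): decode the raw `dc` dump of
 * the Npfs FILE_OBJECT at 819828a8 without symbols, locate the _KEVENT the
 * thread is blocked on, and derive the addresses used later in the session.
 *
 * Offsets taken from the `dt` output on this page (32-bit x86):
 *   _FILE_OBJECT: +0x4c Lock (_KEVENT), +0x5c Event (_KEVENT)
 *   _KEVENT:      +0x00 Type/Absolute/Size/Inserted, +0x04 SignalState,
 *                 +0x08 WaitListHead (Flink, Blink)
 * KTHREAD_WAITBLOCK (0x70) is an ASSUMPTION about the XP _KTHREAD layout.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FILE_OBJECT_ADDR   0x819828a8u
#define FO_LOCK_OFFSET     0x4cu
#define FO_EVENT_OFFSET    0x5cu
#define KEVENT_SIGNAL_OFF  0x04u
#define KTHREAD_WAITBLOCK  0x70u   /* assumed: XP _KTHREAD +0x070 WaitBlock[4] */

/* Constructed input: dwords copied from `dc 819828a8+4c` (8 rows x 4 dwords). */
static const uint32_t g_dump_base = 0x819828f4u;
static const uint32_t g_dump[] = {
    0x00040001, 0x00000000, 0x819828fc, 0x819828fc,   /* 819828f4: Lock  */
    0x00040000, 0x00000000, 0x8170c090, 0x8170c090,   /* 81982904: Event */
    0x00000000, 0x0a060013, 0xee657645, 0x00000003,   /* 81982914 */
    0x00000001, 0x819c3980, 0x00000000, 0x8055c280,   /* 81982924 */
    0x00000000, 0x00040001, 0x00000000, 0x817303d0,   /* 81982934 */
    0x817303d0, 0x0a060006, 0xee657645, 0x00000001,   /* 81982944 */
    0x00000001, 0x819c3980, 0x00000000, 0x8055c280,   /* 81982954 */
    0x00000000, 0x81047001, 0x00000000, 0x81982970,   /* 81982964 */
};

typedef struct {
    uint32_t address;
    uint8_t  type;          /* 0 = NotificationEvent, 1 = SynchronizationEvent */
    uint8_t  absolute;
    uint8_t  size;
    uint8_t  inserted;
    int32_t  signal_state;  /* non-zero = signalled */
    uint32_t flink;         /* WaitListHead.Flink: first KWAIT_BLOCK, or self */
    uint32_t blink;
} kevent_t;

/* Read one dword at a virtual address from the captured dump; 0 if not covered. */
static int read_dword(uint32_t va, uint32_t *out)
{
    if (va < g_dump_base || (va - g_dump_base) % 4 != 0) return 0;
    uint32_t idx = (va - g_dump_base) / 4;
    if (idx >= sizeof g_dump / sizeof g_dump[0]) return 0;
    *out = g_dump[idx];
    return 1;
}

/* Decode an x86 _KEVENT at va (DISPATCHER_HEADER is little-endian bytes). */
static int decode_kevent(uint32_t va, kevent_t *ev)
{
    uint32_t hdr, sig, fl, bl;
    if (!read_dword(va, &hdr) || !read_dword(va + 4, &sig) ||
        !read_dword(va + 8, &fl) || !read_dword(va + 12, &bl))
        return 0;
    ev->address      = va;
    ev->type         = (uint8_t)(hdr & 0xff);
    ev->absolute     = (uint8_t)((hdr >> 8) & 0xff);
    ev->size         = (uint8_t)((hdr >> 16) & 0xff);
    ev->inserted     = (uint8_t)((hdr >> 24) & 0xff);
    ev->signal_state = (int32_t)sig;
    ev->flink        = fl;
    ev->blink        = bl;
    return 1;
}

/* The dword `ba w4` must watch to catch whoever signals the event. */
static uint32_t signal_state_address(const kevent_t *ev)
{
    return ev->address + KEVENT_SIGNAL_OFF;
}

/* Map a wait-list Flink (a KWAIT_BLOCK embedded in the thread) back to the
 * KTHREAD, assuming WaitBlock[0] is the one linked (assumed offset 0x70). */
static uint32_t waiter_thread(uint32_t flink)
{
    return flink - KTHREAD_WAITBLOCK;
}

/* Re-render one `dc` row (4 dwords) as WinDbg's 16-character ASCII column. */
static void render_ascii(const uint32_t *row, char out[17])
{
    for (int i = 0; i < 16; i++) {
        uint8_t b = (uint8_t)(row[i / 4] >> (8 * (i % 4)));
        out[i] = (b >= 0x20 && b <= 0x7e) ? (char)b : '.';
    }
    out[16] = '\0';
}

int main(void)
{
    kevent_t lock, event;
    char ascii[17];
    if (!decode_kevent(FILE_OBJECT_ADDR + FO_LOCK_OFFSET, &lock) ||
        !decode_kevent(FILE_OBJECT_ADDR + FO_EVENT_OFFSET, &event)) {
        fprintf(stderr, "dump does not cover the FILE_OBJECT events\n");
        return 1;
    }
    printf("FILE_OBJECT.Lock  @ %08x: Type=%u SignalState=%d WaitList=[%08x - %08x]\n",
           lock.address, (unsigned)lock.type, lock.signal_state, lock.flink, lock.blink);
    printf("FILE_OBJECT.Event @ %08x: Type=%u Size=%u SignalState=%d WaitList=[%08x - %08x]\n",
           event.address, (unsigned)event.type, (unsigned)event.size,
           event.signal_state, event.flink, event.blink);
    printf("ba w4 %08x            (SignalState)\n", signal_state_address(&event));
    printf("waiter KTHREAD = %08x  (assumed WaitBlock offset 0x%x)\n",
           waiter_thread(event.flink), KTHREAD_WAITBLOCK);
    for (size_t r = 0; r < sizeof g_dump / sizeof g_dump[0]; r += 4) {
        render_ascii(&g_dump[r], ascii);
        printf("%08x  %s\n", g_dump_base + (uint32_t)(r * 4), ascii);
    }
    return 0;
}
```

The Lock event decodes as a SynchronizationEvent whose wait list points at itself (nobody waiting), while the Event at +0x5c is the NotificationEvent with SignalState 0 and a single waiter, which is exactly the object the `!process` output lists under WAIT and the address the write breakpoint is placed on.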

Global Escalation Manager Tokyo
-fb