handoff: VSync/event-wedge fixes + iterate 2.A–2.BC research notes

Source changes (dormant parity infra, retained from iterate 2.AI/2.AO):
- xenia-kernel/exports.rs: nt_create_event manual_reset polarity +
  related event wiring
- xenia-gpu/mmio_region.rs: D1MODE_VBLANK_VLINE_STATUS hardcode parity

Also lands the audit-runs/ analysis notes (.md/.txt/.json digests) for the
iterate 2.x VSync/0x10e8/0x1004 wedge investigation. Raw trace dumps
(.jsonl/.gz/.csv/.stdout) and agent worktrees (.claude/) are gitignored as
regenerable local artifacts — see memory + HANDOFF for the running findings.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
MechaCat02
2026-06-05 07:19:08 +02:00
parent acd1656753
commit ef93a4fa14
620 changed files with 108303 additions and 1 deletions


@@ -0,0 +1,218 @@
#!/usr/bin/env python3
"""
Phase Non-match Investigation: per-tid profile builder.
Streams a large canary cold jsonl and produces:
- per-tid event counts
- thread.create info (entry_pc, parent_tid, ctx_ptr, priority, name)
- thread.exit info (if any)
- top kernel.call by name (per tid)
- NtSetEvent handle distribution (per tid)
- wait.begin handle distribution (per tid)
- parent's last few kernel.calls + ExCreateThread LR (per spawn)
Usage:
python3 build_profiles.py <canary.jsonl> <output_dir>
"""
import json
import sys
import os
import collections
from pathlib import Path
def main():
if len(sys.argv) != 3:
print("usage: build_profiles.py <canary.jsonl> <output_dir>", file=sys.stderr)
sys.exit(1)
src = sys.argv[1]
out_dir = Path(sys.argv[2])
out_dir.mkdir(parents=True, exist_ok=True)
# Per-tid aggregations.
tid_event_count = collections.Counter()
tid_first_event = {} # tid -> first event (likely thread.create)
tid_thread_create = {} # tid -> thread.create payload (extracted)
tid_thread_exit = {} # tid -> (idx, host_ns)
tid_call_names = collections.defaultdict(collections.Counter) # tid -> Counter[fn_name]
tid_ntset_handles = collections.defaultdict(collections.Counter) # tid -> Counter[raw_handle]
tid_wait_handles = collections.defaultdict(collections.Counter) # tid -> Counter[raw_handle]
# Spawn-chain capture.
# For every kernel.call ExCreateThread / ExCreateThreadEx events: record (tid, idx, return_pc_LR, host_ns)
# For every thread.create event: record (tid, parent_tid_in_payload, parent_call_idx)
# We then match: for each thread.create, find the most recent ExCreateThread call from parent_tid prior to host_ns.
excreate_events = [] # list of {tid, idx, host_ns, name, lr, ctx}
create_thread_events = [] # list of full payloads
# Handle.create map: raw_handle (hex string lower) -> (object_type, sid, first_seen_tid)
handle_create = {}
# rolling per-tid last-call cache so we can capture LR
# For now: we extract any "lr" field present in kernel.call.
total_lines = 0
progress_every = 500_000
import time
t0 = time.time()
with open(src, 'r', encoding='utf-8', errors='replace') as f:
for line in f:
total_lines += 1
if total_lines % progress_every == 0:
elapsed = time.time() - t0
print(f" lines={total_lines:>10,} elapsed={elapsed:6.1f}s rate={total_lines/elapsed:,.0f}/s", file=sys.stderr)
try:
e = json.loads(line)
except Exception:
continue
tid = e.get('tid')
kind = e.get('kind')
tid_event_count[tid] += 1
if tid not in tid_first_event:
tid_first_event[tid] = e
if kind == 'thread.create':
p = e.get('payload', {}) or {}
child_tid = p.get('child_tid')
if child_tid is None:
# fallback: maybe payload has 'new_tid' or 'tid'
child_tid = p.get('new_tid') or p.get('thread_id')
tid_thread_create[child_tid] = {
'creator_tid': tid,
'event_idx': e.get('tid_event_idx'),
'host_ns': e.get('host_ns'),
'payload': p,
}
create_thread_events.append({
'creator_tid': tid,
'child_tid': child_tid,
'host_ns': e.get('host_ns'),
'payload': p,
})
elif kind == 'thread.exit':
tid_thread_exit[tid] = {
'event_idx': e.get('tid_event_idx'),
'host_ns': e.get('host_ns'),
'payload': e.get('payload', {}),
}
elif kind == 'handle.create':
p = e.get('payload', {}) or {}
raw = (p.get('raw_handle_id') or '').lower()
if raw:
handle_create.setdefault(raw, {
'object_type': p.get('object_type'),
'sid': p.get('handle_semantic_id'),
'object_name': p.get('object_name'),
'first_seen_tid': tid,
'first_seen_host_ns': e.get('host_ns'),
})
elif kind == 'wait.begin':
p = e.get('payload', {}) or {}
raw = (p.get('raw_handle_id') or p.get('handle_id') or '').lower()
if raw:
tid_wait_handles[tid][raw] += 1
elif kind in ('import.call', 'kernel.call'):
p = e.get('payload', {}) or {}
name = p.get('name') or p.get('import_name') or p.get('function')
if name:
tid_call_names[tid][name] += 1
if name in ('ExCreateThread', 'ExCreateThreadEx'):
excreate_events.append({
'tid': tid,
'idx': e.get('tid_event_idx'),
'host_ns': e.get('host_ns'),
'name': name,
'payload': p,
})
if name == 'NtSetEvent':
raw = (p.get('handle') or p.get('handle_id') or p.get('raw_handle_id') or '')
if isinstance(raw, int):
raw = f'0x{raw:08x}'
if isinstance(raw, str) and raw:
tid_ntset_handles[tid][raw.lower()] += 1
# Save raw aggregates.
with open(out_dir / 'tid-event-counts.csv', 'w') as fout:
fout.write('tid,event_count\n')
for tid, n in sorted(tid_event_count.items(), key=lambda x: -x[1]):
fout.write(f'{tid},{n}\n')
with open(out_dir / 'thread-creates.json', 'w') as fout:
json.dump(tid_thread_create, fout, indent=2, sort_keys=True, default=str)
with open(out_dir / 'thread-exits.json', 'w') as fout:
json.dump(tid_thread_exit, fout, indent=2, sort_keys=True, default=str)
with open(out_dir / 'excreate-events.json', 'w') as fout:
json.dump(excreate_events, fout, indent=2, default=str)
with open(out_dir / 'create-thread-events.json', 'w') as fout:
json.dump(create_thread_events, fout, indent=2, default=str)
with open(out_dir / 'handle-create.json', 'w') as fout:
json.dump(handle_create, fout, indent=2, default=str)
# Per-tid call counts top-20.
with open(out_dir / 'tid-top-calls.txt', 'w') as fout:
for tid in sorted(tid_event_count.keys(), key=lambda t: -tid_event_count[t]):
fout.write(f'=== tid={tid} total_events={tid_event_count[tid]:,} ===\n')
top = tid_call_names[tid].most_common(20)
for name, n in top:
fout.write(f' {n:>10,} {name}\n')
fout.write('\n')
# Per-tid NtSetEvent handle distribution.
with open(out_dir / 'tid-ntset-handles.txt', 'w') as fout:
for tid in sorted(tid_ntset_handles.keys(), key=lambda t: -sum(tid_ntset_handles[t].values())):
if not tid_ntset_handles[tid]:
continue
total = sum(tid_ntset_handles[tid].values())
fout.write(f'=== tid={tid} NtSetEvent total={total:,} ===\n')
for raw, n in tid_ntset_handles[tid].most_common(10):
hc = handle_create.get(raw, {})
fout.write(f' {n:>8,} {raw} obj_type={hc.get("object_type")} sid={hc.get("sid")} first_seen_tid={hc.get("first_seen_tid")}\n')
fout.write('\n')
# Per-tid wait.begin handle distribution.
with open(out_dir / 'tid-wait-handles.txt', 'w') as fout:
for tid in sorted(tid_wait_handles.keys(), key=lambda t: -sum(tid_wait_handles[t].values())):
if not tid_wait_handles[tid]:
continue
total = sum(tid_wait_handles[tid].values())
fout.write(f'=== tid={tid} wait.begin total={total:,} ===\n')
for raw, n in tid_wait_handles[tid].most_common(10):
hc = handle_create.get(raw, {})
fout.write(f' {n:>8,} {raw} obj_type={hc.get("object_type")} sid={hc.get("sid")} first_seen_tid={hc.get("first_seen_tid")}\n')
fout.write('\n')
# Spawn-chain matching.
# For each thread.create, find the immediately-preceding ExCreateThread* call on creator_tid before host_ns.
# Build per-tid sorted excreate list once.
excreate_by_tid = collections.defaultdict(list)
for ev in excreate_events:
excreate_by_tid[ev['tid']].append(ev)
for tid in excreate_by_tid:
excreate_by_tid[tid].sort(key=lambda e: e['host_ns'])
spawn_chain = []
for tc in create_thread_events:
ct = tc['creator_tid']
hns = tc['host_ns']
# Find newest ExCreateThread call on ct with host_ns <= hns
cand = excreate_by_tid.get(ct, [])
best = None
for ev in cand:
if ev['host_ns'] <= hns:
best = ev
else:
break
spawn_chain.append({
'child_tid': tc['child_tid'],
'creator_tid': ct,
'child_host_ns': hns,
'child_payload': tc['payload'],
'parent_excreate': best,
})
with open(out_dir / 'spawn-chain.json', 'w') as fout:
json.dump(spawn_chain, fout, indent=2, default=str)
print(f"\nDone. lines={total_lines:,} tids={len(tid_event_count)} outputs at {out_dir}")
if __name__ == '__main__':
main()
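Review bot: The `thread.create` branch never finds a child tid in the payloads this trace carries. The fallback tries `child_tid`, `new_tid` and `thread_id`, but the spawn records committed alongside (the JSON section with `creator_tid`/`child_tid` entries) show `"child_tid": null` on every record and payloads holding only `handle_semantic_id`, `parent_tid`, `entry_pc`, `ctx_ptr` and similar fields. For that input `tid_thread_create[child_tid]` is keyed on `None`, so each spawn overwrites the previous one and neither thread-creates.json nor spawn-chain.json can name the child. Keying on a field that is present, e.g. `key = child_tid if child_tid is not None else p.get('handle_semantic_id')`, would keep one record per spawn. Separately, `except Exception: continue` drops unparseable lines without counting them, and a line that parses to a non-object would fail at `e.get('tid')` outside the `try`; a skipped-line counter printed in the final summary would show how much of the trace the profile reflects.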


@@ -0,0 +1,120 @@
# Canary tid-profile catalogue (Phase Non-match Investigation, 2026-05-19)
Source: `xenia-canary/build-cross/bin/Windows/Debug/canary-jitter-1.jsonl`
(4.4 GB, 18,687,353 events, 28 tids, ~90 s wallclock cold run, jitter-1 sample).
## Per-tid headline
| tid | events | role | first kind | first host_ns | thread.exit |
|----:|-------:|------|------------|--------------:|:-----------:|
| 0 | 12 | bootstrap (`schema_version`) | schema_version | 400 | - |
| 1 | 69k | system (no spawn match) | import.call | 2.160 s | - |
| 2 | 20k | NtSetEvent service (13,536 ×) | - | 1.681 s | - |
| 4 | 196k | **XAudio submitter** (26,124 × XAudioSubmitRenderDriverFrame) | - | 1.813 s | - |
| 6 | 477k | **GUEST MAIN** (Sylpheed main) | - | 0.660 s | - |
| 7 | 32 | one-shot init (CreateSymbolicLink, ExRegisterTitleTerminate) | - | 1.422 s | - |
| 8 | 60 | small worker (spawned by tid=6, entry `0x82181830`) | - | 1.426 s | - |
| 9 | 8.3k | file-IO worker (NtCreateFile/NtOpenFile/NtSetInformationFile, entry `0x8245A5D0`) | - | 1.445 s | - |
| 10 | 63k | helper (NtCreateEvent/NtCreateSemaphore + ExCreateThread × 2; entry `0x82450A28`) | - | 1.453 s | - |
| 11 | 61k | NtWaitForMultipleObjectsEx (13,564 ×), entry `0x82457EF0` | - | 1.542 s | - |
| 12 | 37k | KeWaitForSingleObject (7,380 ×), entry `0x824CD458` | - | 1.602 s | - |
| 13 | 594k | **Renderer** (12,092 × VdGetSystemCommandBuffer + VdSwap), entry `0x822F1EE0` | - | 1.671 s | - |
| 14 | **6.15 M** | **XAudio voice-mask poll** (26,126 × XAudioGetVoiceCategoryVolumeChangeMask + KeReleaseSemaphore + KeWaitForSingleObject; 941,976 × IRQL raise/lock/release/lower triplets), entry `0x824D2878` (aff=16) | - | 1.727 s | - |
| 15 | **4.78 M** | **XAudio sister** (786,872 × IRQL raise; 26,126 × KeWaitForSingleObject; light KeSetEvent), entry `0x824D2940` (aff=32) | - | 1.728 s | - |
| 16 | 1.80 M | **XMA decoder / XMACreateContext** (196,976 × RtlEnterCS, 12,072 × NtWaitForSingleObjectEx), entry `0x82178950` | - | 1.932 s | - |
| 17 | 4.1k | helper (spawns tid=18 via `0x821C4AD0`), entry `0x821748F0` | - | 1.938 s | exit @ 2.092 s, code=0 |
| 18 | 33k | helper (RtlInitAnsi, NtCreateFile, NtDuplicateObject; spawns 2× `0x822C6870`), entry `0x821C4AD0` | - | 1.959 s | exit @ 2.870 s, code=1 |
| 19,20 | 9 each | tiny short-lived threads (RtlEnterCS + NtWaitForSingleObjectEx) | - | 1.962/1.963 s | - |
| 21 | 1.00 M | **NtWaitForMultipleObjectsEx worker** (223,636 ×), entry `0x824563E0` | - | 2.103 s | - |
| 22 | 51 | tiny worker (entry `0x82170430`) | - | 2.120 s | - |
| 23 | 17 | tiny (entry `0x823DDE30`) | - | 2.144 s | - |
| 24,25 | 8 each | tiny (entry `0x823DDB50`) | - | 2.145/2.146 s | - |
| 26 | 6.7k | helper-second-call of `0x821748F0` (NtYieldExecution × 1,282), entry `0x821748F0` | - | 10.080 s | exit @ 10.280 s, code=0 |
| 27 | 36k | **sub_825070F0 worker 1** (entry `0x82506558`, ctx `0xBCE251C0`, slot 36 of dispatcher vtable) | - | 10.707 s | - |
| 28 | **3.26 M** | **sub_825070F0 worker 0** (entry `0x82506528`, ctx `0xBCE251C0`, slot 35; 1.07 M × RtlEnterCS, 530 × NtReadFile) | - | 10.707 s | - |
| 29 | 91k | **sub_825070F0 worker 2** (entry `0x82506588`, ctx `0xBCE251C0`, slot 37; 7,252 × KeWait + heavy IRQL) | - | 12.375 s | - |
| - | - | **sub_825070F0 worker 3 (`0x825065B8`) NEVER STARTED** in this 90 s window | - | - | - |
## Spawn chain (chronological)
All `thread.create` events are emitted on the parent thread (per `event_log.cc:312-326`); `parent_tid` in payload duplicates the `tid` field.
| host_ns | spawner | entry_pc | ctx_ptr | aff | stk | susp | child tid | notes |
|--------:|--------:|---------:|--------:|----:|----:|:----:|----------:|-------|
| 1.425 s | 6 | `0x82181830` | `0x828F3D08` | 0 | 131,072 | F | 8 | first guest spawn |
| 1.444 s | 6 | `0x8245A5D0` | `0x828F4838` | 0 | 65,536 | F | 9 | file IO |
| 1.453 s | 6 | `0x82450A28` | `0x828F3B68` | 0 | 262,144 | F | 10 | helper |
| 1.542 s | 10 | `0x82457EF0` | `0x828F3B08` | 0 | 65,536 | F | 11 | tid=10 spawns tid=11 |
| 1.601 s | 6 | `0x824CD458` | `0xBE56BB3C` | 4 | 32,768 | F | 12 | KeWait worker |
| 1.670 s | 6 | `0x822F1EE0` | `0xBCE24A40` | 0 | 524,288 | **T** | 13 | renderer |
| 1.726 s | 6 | `0x824D2878` | `0x00000000` | 16 | 524,288 | **T** | 14 | **XAudio (huge)** |
| 1.727 s | 6 | `0x824D2940` | `0x00000000` | 32 | 524,288 | **T** | 15 | XAudio sister |
| 1.931 s | 6 | `0x82178950` | `0x828F3EC0` | 0 | 65,536 | F | 16 | XMA decoder |
| 1.935 s | 6 | `0x821748F0` | `0xBC365620` | 0 | 524,288 | **T** | 17 | spawner of 18 |
| 1.958 s | 17 | `0x821C4AD0` | `0xBCA44B60` | 0 | 65,536 | F | 18 | tid=17 spawns tid=18 |
| 1.962 s | 18 | `0x822C6870` | `0x828F3300` | 0 | 196,608 | **T** | 19 | tid=18 spawns 19 |
| 1.962 s | 18 | `0x822C6870` | `0x828F3300` | 0 | 196,608 | **T** | 20 | tid=18 spawns 20 |
| 2.103 s | 6 | `0x824563E0` | `0x828F3E70` | 0 | 16,384 | F | 21 | NtWaitForMultipleObjectsEx worker |
| 2.120 s | 6 | `0x82170430` | `0x828F4070` | 0 | 65,536 | F | 22 | tiny |
| 2.143 s | 6 | `0x823DDE30` | `0x828F3C4C` | 0 | 65,536 | F | 23 | tiny |
| 2.144 s | 6 | `0x823DDB50` | `0x828F3C88` | 0 | 524,288 | **T** | 24 | tiny |
| 2.145 s | 6 | `0x823DDB50` | `0x828F3C88` | 0 | 524,288 | **T** | 25 | tiny |
| 10.079 s | 6 | `0x821748F0` | `0xBC366EE0` | 0 | 524,288 | **T** | 26 | repeat of earlier spawn (different ctx) |
| **10.383 s** | **6** | **`0x82506528`** | **`0xBCE251C0`** | **0** | **65,536** | **T** | **28** | **sub_825070F0 worker 0** |
| **10.383 s** | **6** | **`0x82506558`** | **`0xBCE251C0`** | **0** | **65,536** | **T** | **27** | **sub_825070F0 worker 1** |
| **10.384 s** | **6** | **`0x82506588`** | **`0xBCE251C0`** | **0** | **65,536** | **T** | **29** | **sub_825070F0 worker 2** |
| **10.384 s** | **6** | **`0x825065B8`** | **`0xBCE251C0`** | **0** | **65,536** | **T** | (none) | **sub_825070F0 worker 3 unresumed** |
The 4 final spawns are **exactly** the AUDIT-058/063-predicted `sub_825070F0` worker batch (per dossier
`xenia-rs/docs/functions/sub_825070F0.md`: worker entries `0x82506528/58/88/B8`).
## Ours's spawn behaviour (Phase W ours-postfix.jsonl)
Ours emits **10 thread.create** events vs canary's **23**. Ours stops after spawn #10 (`0x821748F0` at 1.727 s).
| host_ns | spawner | entry_pc | ctx_ptr | stk | susp |
|--------:|--------:|---------:|--------:|----:|:----:|
| 0.469 s | 1 | `0x82181830` | `0x828F3D08` | 131,072 | F |
| 0.470 s | 1 | `0x8245A5D0` | `0x828F4838` | 65,536 | F |
| 0.471 s | 1 | `0x82450A28` | `0x828F3B68` | 262,144 | F |
| 0.488 s | **5** | `0x82457EF0` | `0x828F3B08` | 65,536 | F |
| 0.495 s | 1 | `0x824CD458` | `0x42453B3C` | 32,768 | F |
| 1.413 s | 1 | `0x822F1EE0` | `0x40D0CA40` | 0 | **T** |
| 1.626 s | 1 | `0x824D2878` | `0x00000000` | 0 | **T** |
| 1.626 s | 1 | `0x824D2940` | `0x00000000` | 0 | **T** |
| 1.727 s | 1 | `0x82178950` | `0x828F3EC0` | 65,536 | F |
| 1.727 s | 1 | `0x821748F0` | `0x4024D640` | 0 | **T** |
After spawn #10, ours **never produces another `thread.create`** in the 50 M-event trace window (~3 s wallclock window per ours's faster clock). The 13 subsequent canary spawns (including the critical 4 `sub_825070F0` workers at 10.38 s) are missing.
Also note ctx-ptr divergence: ours emits `0x42453B3C` / `0x40D0CA40` / `0x4024D640` where canary emits `0xBE56BB3C` / `0xBCE24A40` / `0xBC365620` — these are the same physical RAM offset displayed with different host-side base addresses (`0xBC000000` canary mapping vs ours's `0x40000000` mapping). Not a real divergence.
## XAudio context: `0xBCE251C0`
Search count across the 4.4 GB canary jsonl: **4 occurrences**, all in the 4 `sub_825070F0` worker spawn `ctx_ptr` fields.
Same address in ours-postfix.jsonl: **0 occurrences**. Ours **never allocates the dispatcher object** that lives at this address. Per the dossier, this is the XAudio2 / `XAudio*` master-voice dispatcher object whose vtable is `0x8200A208` (slot 1 → `sub_825070F0`).
## sub_825070F0 vtable dispatch confirmation
Per `sylpheed.db`:
- `sub_825070F0` is at vtable `0x8200A208` slot 1 (anonymous class `ANON_Class_713383D7`).
- It is also at vtable `0x8200A928` slot 1 (a sibling/derived class with the same layout).
- **Zero `vptr_writes` rows** target either `0x8200A208` or `0x8200A928`.
- **Zero `xrefs`** with `target=0x8200A208` or `0x8200A928`.
- **Zero `indirect_dispatch_candidates`** mapping any `bctrl` site to these vtables.
- **Zero instructions** with operand text `200A208` or `200A928` (no lis/addi/lis/ori pair).
This confirms AUDIT-067's "the vtable is installed host-side" assessment: there is no static guest reference that materialises this vtable address. The object pointer must come from a host shim (allocator, `XAudio2*` API wrapper, etc.) or via a TOC-style load that the static analyser doesn't model.
## sub_825070F0 internals (xrefs in `[0x825070F0, 0x825073DC)`)
The function performs four nearly-identical spawn blocks at PCs `0x825071F8 / 0x82507244 / 0x82507290 / 0x825072DC`. Each block:
```
addi rN, r0, 0x82506528 (or +0x30, +0x60, +0x90) ; ref to worker entry
bl sub_824AA388 ; spawn helper (probably wraps ExCreateThread)
bne ... ; success check
... vtable bctrl chains to set up worker state ...
```
So `sub_825070F0` calls `sub_824AA388` 4 times in sequence, each with a different `ANON_Class_713383D7` slot pointer. `sub_824AA388` is the actual ExCreateThread wrapper.


@@ -0,0 +1,347 @@
[
{
"creator_tid": 6,
"child_tid": null,
"host_ns": 1424734300,
"payload": {
"handle_semantic_id": "a21da6e3283a24b9",
"parent_tid": 6,
"entry_pc": "0x82181830",
"ctx_ptr": "0x828f3d08",
"priority": 0,
"affinity": 0,
"stack_size": 131072,
"suspended": false
}
},
{
"creator_tid": 6,
"child_tid": null,
"host_ns": 1443949000,
"payload": {
"handle_semantic_id": "7fa63be80377df95",
"parent_tid": 6,
"entry_pc": "0x8245a5d0",
"ctx_ptr": "0x828f4838",
"priority": 0,
"affinity": 0,
"stack_size": 65536,
"suspended": false
}
},
{
"creator_tid": 6,
"child_tid": null,
"host_ns": 1452636400,
"payload": {
"handle_semantic_id": "82aca7574f07e563",
"parent_tid": 6,
"entry_pc": "0x82450a28",
"ctx_ptr": "0x828f3b68",
"priority": 0,
"affinity": 0,
"stack_size": 262144,
"suspended": false
}
},
{
"creator_tid": 10,
"child_tid": null,
"host_ns": 1541511900,
"payload": {
"handle_semantic_id": "42db1d4e8093a64f",
"parent_tid": 10,
"entry_pc": "0x82457ef0",
"ctx_ptr": "0x828f3b08",
"priority": 0,
"affinity": 0,
"stack_size": 65536,
"suspended": false
}
},
{
"creator_tid": 6,
"child_tid": null,
"host_ns": 1601365600,
"payload": {
"handle_semantic_id": "17d8b2ba9dd4ba13",
"parent_tid": 6,
"entry_pc": "0x824cd458",
"ctx_ptr": "0xbe56bb3c",
"priority": 0,
"affinity": 4,
"stack_size": 32768,
"suspended": false
}
},
{
"creator_tid": 6,
"child_tid": null,
"host_ns": 1670004300,
"payload": {
"handle_semantic_id": "201e8f7d7ed33ce1",
"parent_tid": 6,
"entry_pc": "0x822f1ee0",
"ctx_ptr": "0xbce24a40",
"priority": 0,
"affinity": 0,
"stack_size": 524288,
"suspended": true
}
},
{
"creator_tid": 6,
"child_tid": null,
"host_ns": 1725986600,
"payload": {
"handle_semantic_id": "a488577cb97ea7c4",
"parent_tid": 6,
"entry_pc": "0x824d2878",
"ctx_ptr": "0x00000000",
"priority": 0,
"affinity": 16,
"stack_size": 524288,
"suspended": true
}
},
{
"creator_tid": 6,
"child_tid": null,
"host_ns": 1726733000,
"payload": {
"handle_semantic_id": "2d277fba6c47d941",
"parent_tid": 6,
"entry_pc": "0x824d2940",
"ctx_ptr": "0x00000000",
"priority": 0,
"affinity": 32,
"stack_size": 524288,
"suspended": true
}
},
{
"creator_tid": 6,
"child_tid": null,
"host_ns": 1931052700,
"payload": {
"handle_semantic_id": "38a1db5b88b1b8e5",
"parent_tid": 6,
"entry_pc": "0x82178950",
"ctx_ptr": "0x828f3ec0",
"priority": 0,
"affinity": 0,
"stack_size": 65536,
"suspended": false
}
},
{
"creator_tid": 6,
"child_tid": null,
"host_ns": 1935433700,
"payload": {
"handle_semantic_id": "3bd922fbb385c2c9",
"parent_tid": 6,
"entry_pc": "0x821748f0",
"ctx_ptr": "0xbc365620",
"priority": 0,
"affinity": 0,
"stack_size": 524288,
"suspended": true
}
},
{
"creator_tid": 17,
"child_tid": null,
"host_ns": 1958253200,
"payload": {
"handle_semantic_id": "d6494a78268b1d61",
"parent_tid": 17,
"entry_pc": "0x821c4ad0",
"ctx_ptr": "0xbca44b60",
"priority": 0,
"affinity": 0,
"stack_size": 65536,
"suspended": false
}
},
{
"creator_tid": 18,
"child_tid": null,
"host_ns": 1961805200,
"payload": {
"handle_semantic_id": "44c12522436224af",
"parent_tid": 18,
"entry_pc": "0x822c6870",
"ctx_ptr": "0x828f3300",
"priority": 0,
"affinity": 0,
"stack_size": 196608,
"suspended": true
}
},
{
"creator_tid": 18,
"child_tid": null,
"host_ns": 1962234400,
"payload": {
"handle_semantic_id": "bb500f6b8f44e7cc",
"parent_tid": 18,
"entry_pc": "0x822c6870",
"ctx_ptr": "0x828f3300",
"priority": 0,
"affinity": 0,
"stack_size": 196608,
"suspended": true
}
},
{
"creator_tid": 6,
"child_tid": null,
"host_ns": 2102593600,
"payload": {
"handle_semantic_id": "012a4851c459bcb4",
"parent_tid": 6,
"entry_pc": "0x824563e0",
"ctx_ptr": "0x828f3e70",
"priority": 0,
"affinity": 0,
"stack_size": 16384,
"suspended": false
}
},
{
"creator_tid": 6,
"child_tid": null,
"host_ns": 2119532500,
"payload": {
"handle_semantic_id": "c798a1af262be9f2",
"parent_tid": 6,
"entry_pc": "0x82170430",
"ctx_ptr": "0x828f4070",
"priority": 0,
"affinity": 0,
"stack_size": 65536,
"suspended": false
}
},
{
"creator_tid": 6,
"child_tid": null,
"host_ns": 2143148700,
"payload": {
"handle_semantic_id": "cd7dbdbbf2718d23",
"parent_tid": 6,
"entry_pc": "0x823dde30",
"ctx_ptr": "0x828f3c4c",
"priority": 0,
"affinity": 0,
"stack_size": 65536,
"suspended": false
}
},
{
"creator_tid": 6,
"child_tid": null,
"host_ns": 2144427600,
"payload": {
"handle_semantic_id": "070f645e909f5fe5",
"parent_tid": 6,
"entry_pc": "0x823ddb50",
"ctx_ptr": "0x828f3c88",
"priority": 0,
"affinity": 0,
"stack_size": 524288,
"suspended": true
}
},
{
"creator_tid": 6,
"child_tid": null,
"host_ns": 2145144100,
"payload": {
"handle_semantic_id": "b545ef4ec3ab9fea",
"parent_tid": 6,
"entry_pc": "0x823ddb50",
"ctx_ptr": "0x828f3c88",
"priority": 0,
"affinity": 0,
"stack_size": 524288,
"suspended": true
}
},
{
"creator_tid": 6,
"child_tid": null,
"host_ns": 10079288200,
"payload": {
"handle_semantic_id": "3e6007fd9dc3c3f5",
"parent_tid": 6,
"entry_pc": "0x821748f0",
"ctx_ptr": "0xbc366ee0",
"priority": 0,
"affinity": 0,
"stack_size": 524288,
"suspended": true
}
},
{
"creator_tid": 6,
"child_tid": null,
"host_ns": 10382912900,
"payload": {
"handle_semantic_id": "f28d7accba35656e",
"parent_tid": 6,
"entry_pc": "0x82506528",
"ctx_ptr": "0xbce251c0",
"priority": 0,
"affinity": 0,
"stack_size": 65536,
"suspended": true
}
},
{
"creator_tid": 6,
"child_tid": null,
"host_ns": 10383282200,
"payload": {
"handle_semantic_id": "44ac749e4b883854",
"parent_tid": 6,
"entry_pc": "0x82506558",
"ctx_ptr": "0xbce251c0",
"priority": 0,
"affinity": 0,
"stack_size": 65536,
"suspended": true
}
},
{
"creator_tid": 6,
"child_tid": null,
"host_ns": 10383647200,
"payload": {
"handle_semantic_id": "95f0b02d711132ad",
"parent_tid": 6,
"entry_pc": "0x82506588",
"ctx_ptr": "0xbce251c0",
"priority": 0,
"affinity": 0,
"stack_size": 65536,
"suspended": true
}
},
{
"creator_tid": 6,
"child_tid": null,
"host_ns": 10384161700,
"payload": {
"handle_semantic_id": "130384779d24018e",
"parent_tid": 6,
"entry_pc": "0x825065b8",
"ctx_ptr": "0xbce251c0",
"priority": 0,
"affinity": 0,
"stack_size": 65536,
"suspended": true
}
}
]


@@ -0,0 +1,508 @@
[
{
"tid": 6,
"idx": 102193,
"host_ns": 1424386900,
"name": "ExCreateThread",
"payload": {
"module": "xboxkrnl.exe",
"ord": 13,
"name": "ExCreateThread"
}
},
{
"tid": 6,
"idx": 102194,
"host_ns": 1424397900,
"name": "ExCreateThread",
"payload": {
"name": "ExCreateThread",
"args": {},
"args_resolved": {}
}
},
{
"tid": 6,
"idx": 102408,
"host_ns": 1443564400,
"name": "ExCreateThread",
"payload": {
"module": "xboxkrnl.exe",
"ord": 13,
"name": "ExCreateThread"
}
},
{
"tid": 6,
"idx": 102409,
"host_ns": 1443569500,
"name": "ExCreateThread",
"payload": {
"name": "ExCreateThread",
"args": {},
"args_resolved": {}
}
},
{
"tid": 6,
"idx": 102522,
"host_ns": 1452316400,
"name": "ExCreateThread",
"payload": {
"module": "xboxkrnl.exe",
"ord": 13,
"name": "ExCreateThread"
}
},
{
"tid": 6,
"idx": 102523,
"host_ns": 1452325200,
"name": "ExCreateThread",
"payload": {
"name": "ExCreateThread",
"args": {},
"args_resolved": {}
}
},
{
"tid": 10,
"idx": 1215,
"host_ns": 1541022900,
"name": "ExCreateThread",
"payload": {
"module": "xboxkrnl.exe",
"ord": 13,
"name": "ExCreateThread"
}
},
{
"tid": 10,
"idx": 1216,
"host_ns": 1541030300,
"name": "ExCreateThread",
"payload": {
"name": "ExCreateThread",
"args": {},
"args_resolved": {}
}
},
{
"tid": 6,
"idx": 105132,
"host_ns": 1600992800,
"name": "ExCreateThread",
"payload": {
"module": "xboxkrnl.exe",
"ord": 13,
"name": "ExCreateThread"
}
},
{
"tid": 6,
"idx": 105133,
"host_ns": 1601005500,
"name": "ExCreateThread",
"payload": {
"name": "ExCreateThread",
"args": {},
"args_resolved": {}
}
},
{
"tid": 6,
"idx": 105349,
"host_ns": 1669629200,
"name": "ExCreateThread",
"payload": {
"module": "xboxkrnl.exe",
"ord": 13,
"name": "ExCreateThread"
}
},
{
"tid": 6,
"idx": 105350,
"host_ns": 1669634000,
"name": "ExCreateThread",
"payload": {
"name": "ExCreateThread",
"args": {},
"args_resolved": {}
}
},
{
"tid": 6,
"idx": 106750,
"host_ns": 1725590700,
"name": "ExCreateThread",
"payload": {
"module": "xboxkrnl.exe",
"ord": 13,
"name": "ExCreateThread"
}
},
{
"tid": 6,
"idx": 106751,
"host_ns": 1725595900,
"name": "ExCreateThread",
"payload": {
"name": "ExCreateThread",
"args": {},
"args_resolved": {}
}
},
{
"tid": 6,
"idx": 106767,
"host_ns": 1726177300,
"name": "ExCreateThread",
"payload": {
"module": "xboxkrnl.exe",
"ord": 13,
"name": "ExCreateThread"
}
},
{
"tid": 6,
"idx": 106768,
"host_ns": 1726182000,
"name": "ExCreateThread",
"payload": {
"name": "ExCreateThread",
"args": {},
"args_resolved": {}
}
},
{
"tid": 6,
"idx": 108389,
"host_ns": 1930660600,
"name": "ExCreateThread",
"payload": {
"module": "xboxkrnl.exe",
"ord": 13,
"name": "ExCreateThread"
}
},
{
"tid": 6,
"idx": 108390,
"host_ns": 1930665400,
"name": "ExCreateThread",
"payload": {
"name": "ExCreateThread",
"args": {},
"args_resolved": {}
}
},
{
"tid": 6,
"idx": 108473,
"host_ns": 1935129200,
"name": "ExCreateThread",
"payload": {
"module": "xboxkrnl.exe",
"ord": 13,
"name": "ExCreateThread"
}
},
{
"tid": 6,
"idx": 108474,
"host_ns": 1935134700,
"name": "ExCreateThread",
"payload": {
"name": "ExCreateThread",
"args": {},
"args_resolved": {}
}
},
{
"tid": 17,
"idx": 620,
"host_ns": 1957712900,
"name": "ExCreateThread",
"payload": {
"module": "xboxkrnl.exe",
"ord": 13,
"name": "ExCreateThread"
}
},
{
"tid": 17,
"idx": 621,
"host_ns": 1957722200,
"name": "ExCreateThread",
"payload": {
"name": "ExCreateThread",
"args": {},
"args_resolved": {}
}
},
{
"tid": 18,
"idx": 43,
"host_ns": 1961450700,
"name": "ExCreateThread",
"payload": {
"module": "xboxkrnl.exe",
"ord": 13,
"name": "ExCreateThread"
}
},
{
"tid": 18,
"idx": 44,
"host_ns": 1961455400,
"name": "ExCreateThread",
"payload": {
"name": "ExCreateThread",
"args": {},
"args_resolved": {}
}
},
{
"tid": 18,
"idx": 60,
"host_ns": 1961924100,
"name": "ExCreateThread",
"payload": {
"module": "xboxkrnl.exe",
"ord": 13,
"name": "ExCreateThread"
}
},
{
"tid": 18,
"idx": 61,
"host_ns": 1961928800,
"name": "ExCreateThread",
"payload": {
"name": "ExCreateThread",
"args": {},
"args_resolved": {}
}
},
{
"tid": 6,
"idx": 108577,
"host_ns": 2101903100,
"name": "ExCreateThread",
"payload": {
"module": "xboxkrnl.exe",
"ord": 13,
"name": "ExCreateThread"
}
},
{
"tid": 6,
"idx": 108578,
"host_ns": 2101910400,
"name": "ExCreateThread",
"payload": {
"name": "ExCreateThread",
"args": {},
"args_resolved": {}
}
},
{
"tid": 6,
"idx": 108675,
"host_ns": 2118834400,
"name": "ExCreateThread",
"payload": {
"module": "xboxkrnl.exe",
"ord": 13,
"name": "ExCreateThread"
}
},
{
"tid": 6,
"idx": 108676,
"host_ns": 2118847200,
"name": "ExCreateThread",
"payload": {
"name": "ExCreateThread",
"args": {},
"args_resolved": {}
}
},
{
"tid": 6,
"idx": 108861,
"host_ns": 2142761800,
"name": "ExCreateThread",
"payload": {
"module": "xboxkrnl.exe",
"ord": 13,
"name": "ExCreateThread"
}
},
{
"tid": 6,
"idx": 108862,
"host_ns": 2142784400,
"name": "ExCreateThread",
"payload": {
"name": "ExCreateThread",
"args": {},
"args_resolved": {}
}
},
{
"tid": 6,
"idx": 108883,
"host_ns": 2144057100,
"name": "ExCreateThread",
"payload": {
"module": "xboxkrnl.exe",
"ord": 13,
"name": "ExCreateThread"
}
},
{
"tid": 6,
"idx": 108884,
"host_ns": 2144062400,
"name": "ExCreateThread",
"payload": {
"name": "ExCreateThread",
"args": {},
"args_resolved": {}
}
},
{
"tid": 6,
"idx": 108904,
"host_ns": 2144787600,
"name": "ExCreateThread",
"payload": {
"module": "xboxkrnl.exe",
"ord": 13,
"name": "ExCreateThread"
}
},
{
"tid": 6,
"idx": 108905,
"host_ns": 2144793400,
"name": "ExCreateThread",
"payload": {
"name": "ExCreateThread",
"args": {},
"args_resolved": {}
}
},
{
"tid": 6,
"idx": 303301,
"host_ns": 10078922200,
"name": "ExCreateThread",
"payload": {
"module": "xboxkrnl.exe",
"ord": 13,
"name": "ExCreateThread"
}
},
{
"tid": 6,
"idx": 303302,
"host_ns": 10078927100,
"name": "ExCreateThread",
"payload": {
"name": "ExCreateThread",
"args": {},
"args_resolved": {}
}
},
{
"tid": 6,
"idx": 305661,
"host_ns": 10382529100,
"name": "ExCreateThread",
"payload": {
"module": "xboxkrnl.exe",
"ord": 13,
"name": "ExCreateThread"
}
},
{
"tid": 6,
"idx": 305662,
"host_ns": 10382543700,
"name": "ExCreateThread",
"payload": {
"name": "ExCreateThread",
"args": {},
"args_resolved": {}
}
},
{
"tid": 6,
"idx": 305666,
"host_ns": 10382958700,
"name": "ExCreateThread",
"payload": {
"module": "xboxkrnl.exe",
"ord": 13,
"name": "ExCreateThread"
}
},
{
"tid": 6,
"idx": 305667,
"host_ns": 10382975800,
"name": "ExCreateThread",
"payload": {
"name": "ExCreateThread",
"args": {},
"args_resolved": {}
}
},
{
"tid": 6,
"idx": 305671,
"host_ns": 10383305500,
"name": "ExCreateThread",
"payload": {
"module": "xboxkrnl.exe",
"ord": 13,
"name": "ExCreateThread"
}
},
{
"tid": 6,
"idx": 305672,
"host_ns": 10383322800,
"name": "ExCreateThread",
"payload": {
"name": "ExCreateThread",
"args": {},
"args_resolved": {}
}
},
{
"tid": 6,
"idx": 305676,
"host_ns": 10383687200,
"name": "ExCreateThread",
"payload": {
"module": "xboxkrnl.exe",
"ord": 13,
"name": "ExCreateThread"
}
},
{
"tid": 6,
"idx": 305677,
"host_ns": 10383735600,
"name": "ExCreateThread",
"payload": {
"name": "ExCreateThread",
"args": {},
"args_resolved": {}
}
}
]


@@ -0,0 +1,884 @@
{
"0xf8000000": {
"object_type": 1,
"sid": "094a821800278939",
"object_name": null,
"first_seen_tid": 0,
"first_seen_host_ns": 52300
},
"0x01000004": {
"object_type": 8,
"sid": "f917d79f8c2ab50c",
"object_name": null,
"first_seen_tid": 0,
"first_seen_host_ns": 275100
},
"0x01000008": {
"object_type": 8,
"sid": "d8e262809c955f1f",
"object_name": null,
"first_seen_tid": 0,
"first_seen_host_ns": 3596600
},
"0x0100000c": {
"object_type": 8,
"sid": "e39edee041c7266e",
"object_name": null,
"first_seen_tid": 0,
"first_seen_host_ns": 4960900
},
"0x01000010": {
"object_type": 5,
"sid": "f967f094ccb35c24",
"object_name": null,
"first_seen_tid": 0,
"first_seen_host_ns": 196260700
},
"0x01000014": {
"object_type": 5,
"sid": "4419c5051e509c95",
"object_name": null,
"first_seen_tid": 0,
"first_seen_host_ns": 196670300
},
"0x01000018": {
"object_type": 5,
"sid": "e3eef7d5824fcd86",
"object_name": null,
"first_seen_tid": 0,
"first_seen_host_ns": 262850200
},
"0x0100001c": {
"object_type": 5,
"sid": "2ea0cc45d3ed0df7",
"object_name": null,
"first_seen_tid": 0,
"first_seen_host_ns": 263199500
},
"0xf8000004": {
"object_type": 8,
"sid": "98ccb7bd5a0eea35",
"object_name": null,
"first_seen_tid": 0,
"first_seen_host_ns": 288190700
},
"0x01000020": {
"object_type": 5,
"sid": "c36e9046ae4d6059",
"object_name": null,
"first_seen_tid": 0,
"first_seen_host_ns": 636911600
},
"0xf8000008": {
"object_type": 5,
"sid": "6343c317124c914a",
"object_name": null,
"first_seen_tid": 0,
"first_seen_host_ns": 637223800
},
"0xf800000c": {
"object_type": 1,
"sid": "454e25a8ff5c2a7c",
"object_name": null,
"first_seen_tid": 6,
"first_seen_host_ns": 736411200
},
"0xf8000010": {
"object_type": 6,
"sid": "2faa9e8b4a9d1b10",
"object_name": null,
"first_seen_tid": 6,
"first_seen_host_ns": 1408006400
},
"0xf8000014": {
"object_type": 1,
"sid": "1938a086284cdbf1",
"object_name": null,
"first_seen_tid": 6,
"first_seen_host_ns": 1420943800
},
"0xf8000018": {
"object_type": 6,
"sid": "0bfd4394bcd07081",
"object_name": null,
"first_seen_tid": 7,
"first_seen_host_ns": 1422493800
},
"0xf800001c": {
"object_type": 1,
"sid": "28a7203723b4a641",
"object_name": null,
"first_seen_tid": 7,
"first_seen_host_ns": 1423006500
},
"0xf8000020": {
"object_type": 1,
"sid": "c72f38c20c8623e1",
"object_name": null,
"first_seen_tid": 6,
"first_seen_host_ns": 1423938700
},
"0xf8000024": {
"object_type": 5,
"sid": "a21da6e3283a24b9",
"object_name": null,
"first_seen_tid": 6,
"first_seen_host_ns": 1424405700
},
"0xf8000028": {
"object_type": 3,
"sid": "aafae4c71fd42890",
"object_name": null,
"first_seen_tid": 6,
"first_seen_host_ns": 1442800300
},
"0xf800002c": {
"object_type": 6,
"sid": "a3cddefbdf2a3c86",
"object_name": null,
"first_seen_tid": 6,
"first_seen_host_ns": 1443394600
},
"0xf8000030": {
"object_type": 6,
"sid": "ae125320a804b08e",
"object_name": null,
"first_seen_tid": 9,
"first_seen_host_ns": 1448074000
},
"0xf8000034": {
"object_type": 1,
"sid": "cf2f57a69895b36c",
"object_name": null,
"first_seen_tid": 6,
"first_seen_host_ns": 1451504600
},
"0xf8000038": {
"object_type": 1,
"sid": "fab0f392d666dbbf",
"object_name": null,
"first_seen_tid": 6,
"first_seen_host_ns": 1452105900
},
"0xf800003c": {
"object_type": 3,
"sid": "a6f5e907ba7c86c1",
"object_name": null,
"first_seen_tid": 6,
"first_seen_host_ns": 1452188800
},
"0xf8000040": {
"object_type": 5,
"sid": "82aca7574f07e563",
"object_name": null,
"first_seen_tid": 6,
"first_seen_host_ns": 1452332500
},
"0xf8000044": {
"object_type": 1,
"sid": "df686b147b291902",
"object_name": null,
"first_seen_tid": 6,
"first_seen_host_ns": 1453827600
},
"0xf8000048": {
"object_type": 1,
"sid": "c7fa47e4333e6d0d",
"object_name": null,
"first_seen_tid": 10,
"first_seen_host_ns": 1459409200
},
"0xf800004c": {
"object_type": 1,
"sid": "01f843111032afb8",
"object_name": null,
"first_seen_tid": 6,
"first_seen_host_ns": 1530469100
},
"0xf8000050": {
"object_type": 1,
"sid": "67baabe3a48a877c",
"object_name": null,
"first_seen_tid": 10,
"first_seen_host_ns": 1533527100
},
"0xf8000054": {
"object_type": 1,
"sid": "157cfe3b57f58fb3",
"object_name": null,
"first_seen_tid": 10,
"first_seen_host_ns": 1540805200
},
"0xf8000058": {
"object_type": 3,
"sid": "7aae87e836ff2375",
"object_name": null,
"first_seen_tid": 10,
"first_seen_host_ns": 1540927400
},
"0xf800005c": {
"object_type": 5,
"sid": "42db1d4e8093a64f",
"object_name": null,
"first_seen_tid": 10,
"first_seen_host_ns": 1541039900
},
"0xf8000060": {
"object_type": 6,
"sid": "922e1607ab3262e9",
"object_name": null,
"first_seen_tid": 9,
"first_seen_host_ns": 1543518700
},
"0xf8000064": {
"object_type": 1,
"sid": "c49d8f0ab90401ea",
"object_name": null,
"first_seen_tid": 12,
"first_seen_host_ns": 1602357800
},
"0xf8000068": {
"object_type": 1,
"sid": "3b234bbee19d74cf",
"object_name": null,
"first_seen_tid": 6,
"first_seen_host_ns": 1669439900
},
"0xf800006c": {
"object_type": 1,
"sid": "f9051b3c278e1633",
"object_name": null,
"first_seen_tid": 6,
"first_seen_host_ns": 1669527500
},
"0xf8000070": {
"object_type": 5,
"sid": "201e8f7d7ed33ce1",
"object_name": null,
"first_seen_tid": 6,
"first_seen_host_ns": 1669640500
},
"0xf8000074": {
"object_type": 1,
"sid": "867ec0050a9a9ae8",
"object_name": null,
"first_seen_tid": 6,
"first_seen_host_ns": 1674936100
},
"0xf8000078": {
"object_type": 1,
"sid": "10c9a7222f9b41a4",
"object_name": null,
"first_seen_tid": 6,
"first_seen_host_ns": 1675037700
},
"0xf800007c": {
"object_type": 1,
"sid": "b574eedd0bd942de",
"object_name": null,
"first_seen_tid": 10,
"first_seen_host_ns": 1677161100
},
"0xf8000080": {
"object_type": 6,
"sid": "0dd25ee9a5fec44e",
"object_name": null,
"first_seen_tid": 9,
"first_seen_host_ns": 1680842000
},
"0xf8000084": {
"object_type": 1,
"sid": "cae6c10ade1a6227",
"object_name": null,
"first_seen_tid": 6,
"first_seen_host_ns": 1697406600
},
"0xf8000088": {
"object_type": 6,
"sid": "01ad9916c45e4c30",
"object_name": null,
"first_seen_tid": 9,
"first_seen_host_ns": 1699045800
},
"0xf800008c": {
"object_type": 1,
"sid": "f985df1095cf1b43",
"object_name": null,
"first_seen_tid": 10,
"first_seen_host_ns": 1699180000
},
"0xf8000090": {
"object_type": 1,
"sid": "66502bbbd9497833",
"object_name": null,
"first_seen_tid": 11,
"first_seen_host_ns": 1701885700
},
"0xf8000094": {
"object_type": 6,
"sid": "0a07e5ec33b3b938",
"object_name": null,
"first_seen_tid": 9,
"first_seen_host_ns": 1703719100
},
"0xf8000098": {
"object_type": 1,
"sid": "7982be32b58fefcd",
"object_name": null,
"first_seen_tid": 4,
"first_seen_host_ns": 1813209900
},
"0xf800009c": {
"object_type": 1,
"sid": "6d9cd917fc873819",
"object_name": null,
"first_seen_tid": 4,
"first_seen_host_ns": 1813251700
},
"0xf80000a0": {
"object_type": 1,
"sid": "06c4e674804d9893",
"object_name": null,
"first_seen_tid": 14,
"first_seen_host_ns": 1823103200
},
"0xf80000a4": {
"object_type": 1,
"sid": "7cb1145729ea6fc4",
"object_name": null,
"first_seen_tid": 6,
"first_seen_host_ns": 1857265300
},
"0xf80000a8": {
"object_type": 1,
"sid": "12921af6618f3730",
"object_name": null,
"first_seen_tid": 6,
"first_seen_host_ns": 1857352100
},
"0xf80000ac": {
"object_type": 1,
"sid": "a8a555b8469d1b4b",
"object_name": null,
"first_seen_tid": 10,
"first_seen_host_ns": 1860167500
},
"0xf80000b0": {
"object_type": 1,
"sid": "7c3ecf32588bf619",
"object_name": null,
"first_seen_tid": 17,
"first_seen_host_ns": 1940565300
},
"0xf80000b4": {
"object_type": 1,
"sid": "c81cbc62961a1421",
"object_name": null,
"first_seen_tid": 17,
"first_seen_host_ns": 1947583500
},
"0xf80000b8": {
"object_type": 1,
"sid": "1070523eb111c6ea",
"object_name": null,
"first_seen_tid": 17,
"first_seen_host_ns": 1948821700
},
"0xf80000bc": {
"object_type": 1,
"sid": "8f9a7dc2f2bc6f36",
"object_name": null,
"first_seen_tid": 17,
"first_seen_host_ns": 1948911300
},
"0xf80000c0": {
"object_type": 6,
"sid": "fcc67c3108c11568",
"object_name": null,
"first_seen_tid": 9,
"first_seen_host_ns": 1953302900
},
"0xf80000c4": {
"object_type": 1,
"sid": "a033396d170471d6",
"object_name": null,
"first_seen_tid": 17,
"first_seen_host_ns": 1967022500
},
"0xf80000c8": {
"object_type": 6,
"sid": "97f6b095f5c22a67",
"object_name": null,
"first_seen_tid": 18,
"first_seen_host_ns": 1969993100
},
"0xf80000cc": {
"object_type": 1,
"sid": "b8f1d0d7589f5a24",
"object_name": null,
"first_seen_tid": 18,
"first_seen_host_ns": 1970772400
},
"0xf80000d0": {
"object_type": 1,
"sid": "da37836251a69925",
"object_name": null,
"first_seen_tid": 17,
"first_seen_host_ns": 1970914600
},
"0xf80000d4": {
"object_type": 1,
"sid": "a1cd2f2091911c1e",
"object_name": null,
"first_seen_tid": 18,
"first_seen_host_ns": 1971448000
},
"0xf80000d8": {
"object_type": 6,
"sid": "9eb809d35376db9b",
"object_name": null,
"first_seen_tid": 17,
"first_seen_host_ns": 1972169300
},
"0xf80000dc": {
"object_type": 1,
"sid": "a4dcf0afb04998ce",
"object_name": null,
"first_seen_tid": 10,
"first_seen_host_ns": 1973476200
},
"0xf80000e0": {
"object_type": 1,
"sid": "8fa86cc34feddaee",
"object_name": null,
"first_seen_tid": 17,
"first_seen_host_ns": 1980697900
},
"0xf80000e4": {
"object_type": 1,
"sid": "7f08a1e963f61760",
"object_name": null,
"first_seen_tid": 17,
"first_seen_host_ns": 1986426300
},
"0xf80000e8": {
"object_type": 1,
"sid": "0b7d2ac238bec57d",
"object_name": null,
"first_seen_tid": 10,
"first_seen_host_ns": 1992386600
},
"0xf80000ec": {
"object_type": 1,
"sid": "25f70a9f2678ab1c",
"object_name": null,
"first_seen_tid": 17,
"first_seen_host_ns": 1994665100
},
"0xf80000f0": {
"object_type": 6,
"sid": "9db15377f8825cce",
"object_name": null,
"first_seen_tid": 9,
"first_seen_host_ns": 1994940500
},
"0xf80000f4": {
"object_type": 1,
"sid": "01983dbc2e55a058",
"object_name": null,
"first_seen_tid": 17,
"first_seen_host_ns": 1995056900
},
"0xf80000f8": {
"object_type": 1,
"sid": "f7eebb971ecea737",
"object_name": null,
"first_seen_tid": 17,
"first_seen_host_ns": 2004390300
},
"0xf80000fc": {
"object_type": 1,
"sid": "c2d1ed460425e2f8",
"object_name": null,
"first_seen_tid": 17,
"first_seen_host_ns": 2006505100
},
"0xf8000100": {
"object_type": 1,
"sid": "7734c51c1adc26f3",
"object_name": null,
"first_seen_tid": 17,
"first_seen_host_ns": 2009944600
},
"0xf8000104": {
"object_type": 1,
"sid": "0f13bc0c4a391185",
"object_name": null,
"first_seen_tid": 17,
"first_seen_host_ns": 2011155600
},
"0xf8000108": {
"object_type": 1,
"sid": "0872d7cf8291a979",
"object_name": null,
"first_seen_tid": 17,
"first_seen_host_ns": 2011241100
},
"0xf800010c": {
"object_type": 1,
"sid": "57b5a730b24a65c1",
"object_name": null,
"first_seen_tid": 17,
"first_seen_host_ns": 2013865200
},
"0xf8000110": {
"object_type": 1,
"sid": "ba93add081616384",
"object_name": null,
"first_seen_tid": 17,
"first_seen_host_ns": 2015525100
},
"0xf8000114": {
"object_type": 3,
"sid": "2ccee7c9210002d1",
"object_name": null,
"first_seen_tid": 6,
"first_seen_host_ns": 2142665900
},
"0xf8000118": {
"object_type": 5,
"sid": "cd7dbdbbf2718d23",
"object_name": null,
"first_seen_tid": 6,
"first_seen_host_ns": 2142793200
},
"0xf800011c": {
"object_type": 1,
"sid": "a319f9b0042204a9",
"object_name": null,
"first_seen_tid": 6,
"first_seen_host_ns": 2143886900
},
"0xf8000120": {
"object_type": 3,
"sid": "c3b37fc42e6a813f",
"object_name": null,
"first_seen_tid": 6,
"first_seen_host_ns": 2143992600
},
"0xf8000124": {
"object_type": 5,
"sid": "070f645e909f5fe5",
"object_name": null,
"first_seen_tid": 6,
"first_seen_host_ns": 2144089500
},
"0xf8000128": {
"object_type": 5,
"sid": "b545ef4ec3ab9fea",
"object_name": null,
"first_seen_tid": 6,
"first_seen_host_ns": 2144801000
},
"0xf800012c": {
"object_type": 1,
"sid": "9d25debf1c78ee85",
"object_name": null,
"first_seen_tid": 10,
"first_seen_host_ns": 2144943000
},
"0xf8000130": {
"object_type": 1,
"sid": "d8ecc86984eae664",
"object_name": null,
"first_seen_tid": 14,
"first_seen_host_ns": 2365548400
},
"0xf8000134": {
"object_type": 1,
"sid": "967f078dba364a63",
"object_name": null,
"first_seen_tid": 10,
"first_seen_host_ns": 2396470600
},
"0xf8000138": {
"object_type": 1,
"sid": "8aac2cffe7f02507",
"object_name": null,
"first_seen_tid": 10,
"first_seen_host_ns": 2690487700
},
"0xf800013c": {
"object_type": 1,
"sid": "6012d48dcd2de3e7",
"object_name": null,
"first_seen_tid": 10,
"first_seen_host_ns": 2788305800
},
"0xf8000140": {
"object_type": 6,
"sid": "b431933102fabe30",
"object_name": null,
"first_seen_tid": 9,
"first_seen_host_ns": 2838385600
},
"0xf8000144": {
"object_type": 1,
"sid": "26d47b3d1680f735",
"object_name": null,
"first_seen_tid": 6,
"first_seen_host_ns": 10078090000
},
"0xf8000148": {
"object_type": 1,
"sid": "195c35bfe47b1a61",
"object_name": null,
"first_seen_tid": 6,
"first_seen_host_ns": 10078574600
},
"0xf800014c": {
"object_type": 5,
"sid": "3e6007fd9dc3c3f5",
"object_name": null,
"first_seen_tid": 6,
"first_seen_host_ns": 10078937900
},
"0xf8000150": {
"object_type": 1,
"sid": "7d320d7f625ea04d",
"object_name": null,
"first_seen_tid": 26,
"first_seen_host_ns": 10081327100
},
"0xf8000154": {
"object_type": 1,
"sid": "5517ddb836331010",
"object_name": null,
"first_seen_tid": 26,
"first_seen_host_ns": 10086281400
},
"0xf8000158": {
"object_type": 1,
"sid": "c940a7814d02ac47",
"object_name": null,
"first_seen_tid": 26,
"first_seen_host_ns": 10088869900
},
"0xf800015c": {
"object_type": 1,
"sid": "f43298ffe1c9c983",
"object_name": null,
"first_seen_tid": 26,
"first_seen_host_ns": 10088991900
},
"0xf8000160": {
"object_type": 1,
"sid": "dbcc1c68fd085af4",
"object_name": null,
"first_seen_tid": 6,
"first_seen_host_ns": 10095198000
},
"0xf8000164": {
"object_type": 6,
"sid": "1f41701d3d1215dc",
"object_name": null,
"first_seen_tid": 9,
"first_seen_host_ns": 10100618500
},
"0xf8000168": {
"object_type": 1,
"sid": "d18e7e2cf0dcf93d",
"object_name": null,
"first_seen_tid": 6,
"first_seen_host_ns": 10337888000
},
"0xf800016c": {
"object_type": 1,
"sid": "9701c6ed8baf9412",
"object_name": null,
"first_seen_tid": 6,
"first_seen_host_ns": 10338880600
},
"0xf8000170": {
"object_type": 1,
"sid": "39be045ab53bbccf",
"object_name": null,
"first_seen_tid": 6,
"first_seen_host_ns": 10339497000
},
"0xf8000174": {
"object_type": 1,
"sid": "04a222e595796744",
"object_name": null,
"first_seen_tid": 6,
"first_seen_host_ns": 10340182300
},
"0xf8000178": {
"object_type": 1,
"sid": "b48b4010134f8cb1",
"object_name": null,
"first_seen_tid": 6,
"first_seen_host_ns": 10340835500
},
"0xf800017c": {
"object_type": 1,
"sid": "2585c3cd174e0c26",
"object_name": null,
"first_seen_tid": 6,
"first_seen_host_ns": 10341513100
},
"0xf8000180": {
"object_type": 6,
"sid": "58b0ee3535b1c55d",
"object_name": null,
"first_seen_tid": 6,
"first_seen_host_ns": 10345325800
},
"0xf8000184": {
"object_type": 1,
"sid": "b592298a5cd3a147",
"object_name": null,
"first_seen_tid": 6,
"first_seen_host_ns": 10346156200
},
"0xf8000188": {
"object_type": 1,
"sid": "5ed472f064e7f19e",
"object_name": null,
"first_seen_tid": 6,
"first_seen_host_ns": 10346794500
},
"0xf800018c": {
"object_type": 1,
"sid": "0709e21de656fca1",
"object_name": null,
"first_seen_tid": 6,
"first_seen_host_ns": 10347460200
},
"0xf8000190": {
"object_type": 1,
"sid": "30336f0a595625a8",
"object_name": null,
"first_seen_tid": 6,
"first_seen_host_ns": 10348064600
},
"0xf8000194": {
"object_type": 1,
"sid": "764075d6e53743cb",
"object_name": null,
"first_seen_tid": 6,
"first_seen_host_ns": 10348547800
},
"0xf8000198": {
"object_type": 1,
"sid": "e2eda31e266f1dd2",
"object_name": null,
"first_seen_tid": 6,
"first_seen_host_ns": 10349281800
},
"0xf800019c": {
"object_type": 1,
"sid": "db8684f97faba9f5",
"object_name": null,
"first_seen_tid": 6,
"first_seen_host_ns": 10350239600
},
"0xf80001a0": {
"object_type": 1,
"sid": "beb76be9e4f49dbc",
"object_name": null,
"first_seen_tid": 6,
"first_seen_host_ns": 10350938400
},
"0xf80001a4": {
"object_type": 5,
"sid": "f28d7accba35656e",
"object_name": null,
"first_seen_tid": 6,
"first_seen_host_ns": 10382553300
},
"0xf80001a8": {
"object_type": 5,
"sid": "44ac749e4b883854",
"object_name": null,
"first_seen_tid": 6,
"first_seen_host_ns": 10382984600
},
"0xf80001ac": {
"object_type": 5,
"sid": "95f0b02d711132ad",
"object_name": null,
"first_seen_tid": 6,
"first_seen_host_ns": 10383336600
},
"0xf80001b0": {
"object_type": 5,
"sid": "130384779d24018e",
"object_name": null,
"first_seen_tid": 6,
"first_seen_host_ns": 10383745900
},
"0xf80001b4": {
"object_type": 1,
"sid": "0f81c61b7f9ebc57",
"object_name": null,
"first_seen_tid": 13,
"first_seen_host_ns": 10705369400
},
"0xf80001b8": {
"object_type": 1,
"sid": "efa5088b519d3907",
"object_name": null,
"first_seen_tid": 13,
"first_seen_host_ns": 10705480400
},
"0xf80001bc": {
"object_type": 1,
"sid": "b5e6a174c3e309f7",
"object_name": null,
"first_seen_tid": 13,
"first_seen_host_ns": 10705598500
},
"0xf80001c0": {
"object_type": 1,
"sid": "b97c6dc87998f827",
"object_name": null,
"first_seen_tid": 13,
"first_seen_host_ns": 10705722600
},
"0xf80001c4": {
"object_type": 1,
"sid": "7ab1e5889bc6de89",
"object_name": null,
"first_seen_tid": 27,
"first_seen_host_ns": 10706794600
},
"0xf80001c8": {
"object_type": 1,
"sid": "fca70f3c8a615537",
"object_name": null,
"first_seen_tid": 27,
"first_seen_host_ns": 10846124400
},
"0xf80001cc": {
"object_type": 1,
"sid": "0fa42c04705f1297",
"object_name": null,
"first_seen_tid": 27,
"first_seen_host_ns": 10851552000
},
"0xf80001d0": {
"object_type": 1,
"sid": "b5fad4899fd2b167",
"object_name": null,
"first_seen_tid": 28,
"first_seen_host_ns": 12346670200
},
"0xf80001d4": {
"object_type": 1,
"sid": "a585676da218fd47",
"object_name": null,
"first_seen_tid": 13,
"first_seen_host_ns": 12374535200
}
}


@@ -0,0 +1,156 @@
# Phase Non-match Investigation — Results
**Date**: 2026-05-19
**Source**: `xenia-canary/build-cross/bin/Windows/Debug/canary-jitter-1.jsonl` (4.4 GB, 18.7M events, 28 tids)
**Companion ours data**: `audit-runs/phase-w-wedge-reattack/ours-postfix.jsonl` (121,569 events, 13 tids)
**Outcome**: **(A) — AUDIT-058/063/067 framing CONFIRMED** end-to-end using new Phase A thread.create events.
## TL;DR
Per Phase A `thread.create` events (wired in C+15-α), canary spawns **23 threads**; the final 4
fire at `host_ns ≈ 10.38 s` and have entry PCs `0x82506528 / 0x82506558 / 0x82506588 / 0x825065B8`
with shared context `0xBCE251C0` and stack 65,536 — these are **exactly** the 4 worker entries
documented in the `sub_825070F0` dossier. The historical AUDIT-058/063 framing is correct:
`sub_825070F0` is the one-shot 4-worker fan-out that ours never reaches.
Three of those four canary workers go on to dominate the trace:
**tid=28 (3.26M events, sub_82506528), tid=27 (36k events, sub_82506558), tid=29 (91k events, sub_82506588)**
— the fourth (`0x825065B8`) was never resumed in this 90s window.
Ours emits **10 thread.create** events vs canary's 23, stops after spawn #10 (`0x821748F0` at 1.727s),
and **never produces another thread.create** for the rest of the run. The 13 subsequent canary
spawns including the critical sub_825070F0 batch are entirely missing.
## What canary's heavy workers DO
| tid | events | role | entry_pc |
|----:|-------:|------|----------|
| 14 | **6.15 M** | **XAudio voice-mask poll** (26,126× XAudioGetVoiceCategoryVolumeChangeMask) | `0x824D2878` (aff=16) |
| 15 | **4.78 M** | XAudio sister (KeWaitForSingleObject + heavy IRQL spinlock cycle) | `0x824D2940` (aff=32) |
| 28 | **3.26 M** | **sub_825070F0 worker 0** (1.07 M × RtlEnterCS, 530× NtReadFile) | `0x82506528` (ctx `0xBCE251C0`) |
| 16 | 1.80 M | XMA decoder (`XMACreateContext`, RtlEnterCS heavy) | `0x82178950` |
| 21 | 1.00 M | NtWaitForMultipleObjectsEx worker | `0x824563E0` |
| 13 | 594 k | **Renderer** (12,092× VdSwap, VdGetSystemCommandBuffer; 1,805× Ke/NtSetEvent; 475× wait.begin) | `0x822F1EE0` |
The **biggest workers (tid=14, tid=15)** are NOT sub_825070F0 workers — they are spawned much earlier (1.726/1.727s)
via `sub_824D2878 / sub_824D2940` and run forever as XAudio render/voice threads. **Ours spawns these two
suspended (1.626s) but they never receive the resume call that would activate them** — ours produces 0
XAudio* events on these tids (verifiable from ours's tid event counts: ours has only 13 tids total, none
with the 6M-event signature).
## Spawn-chain summary (full table in `canary-tid-profiles.md`)
Three distinct fan-out clusters in canary, all from tid=6 (guest main):
1. **1.421.94 s — main init burst**: 10 spawns (tids 817). Ours matches this 1:1 in spawn count and entries.
2. **1.942.15 s — secondary burst** (XAM/XCONFIG helpers, tids 1825): 8 additional spawns. **Ours emits 0**.
3. **10.0810.38 s — XAudio worker fan-out**: 5 spawns (tids 26, 27, 28, 29, +1 unresumed). The last 4
are the `sub_825070F0` workers. **Ours emits 0**.
## sub_825070F0 spawn-chain confirmation (static + runtime)
- `sylpheed.db` confirms `sub_825070F0` lives in `vtable 0x8200A208 slot 1` and `0x8200A928 slot 1`
(anonymous class `ANON_Class_713383D7`, 7 slots each).
- **Zero `vptr_writes` / zero `xrefs` / zero `indirect_dispatch_candidates`** reach either vtable.
AUDIT-067's host-side install hypothesis is confirmed by static-analysis exhaustion.
- Function body contains the 4 sequential `addi rN, r0, 0x8250652X` + `bl sub_824AA388` (= ExCreateThread
wrapper) blocks at PCs `0x825071F8 / 0x82507244 / 0x82507290 / 0x825072DC`.
- The 4 worker entry thunks (`0x82506528 / 0x82506558 / 0x82506588 / 0x825065B8`) are uniform vtable-slot
callers: each loads `r3->vtable->[140|144|148|152]` and dispatches via CTR (offsets 35/36/37/38).
- Runtime ctx `0xBCE251C0` is referenced **4× in canary jsonl** (the 4 spawn events) and **0× in
ours-postfix.jsonl**. Ours never allocates the dispatcher object that holds the `0x8200A208` vtable.
## Wake/signal chain to wedge (partial)
- Phase W: ours's wedge handle `0x12d0` (`Event/Auto` waited at `sub_821CB030+0x1B0` on tid=13 the renderer);
main tid=1 join-waits on `Thread(id=13)` at `sub_82173990+0x2D4`.
- Canary tid=13 (renderer) creates **10 handles**, calls Ke/NtSetEvent **1,805×**, calls wait.begin **475×**
it is alive and signaling. Earliest tid=13 handle.create at 2.396 s; explosion at 10.7 s **once the
sub_825070F0 workers come online**.
- Canary tid=13's signals correlate with the sub_825070F0 worker batch coming up at 10.7 s (tid=27/28/29
first-events are all 10.705 s). Without those workers, ours's renderer has no producer to wake the
event it waits on, and main joins-on-renderer → full deadlock.
- Full SID-level mapping of "which canary worker fires the NtSetEvent that wakes the renderer's wait"
was not attempted (handle IDs and SIDs don't cross-correlate run-to-run; would require source-level
read of `sub_821CB030`). The class of producer (`sub_825070F0` workers) is identified.
## Reading-error / methodology notes
- **#16 EH-handler caution**: the `sub_824AA388` spawn helper is reached via `bl` (direct call, not via
EH unwind) — no risk of misanchoring on a catch handler.
- **#28 framing**: Phase A `thread.create.payload.parent_tid` redundantly equals the event's `tid` field
(per `event_log.cc:312-326`: emitted ON the parent thread's stream, child tid is NOT in payload).
Child-tid is recovered by FIFO matching to `first_event[tid]` chronologically.
- **#30 cross-engine SIDs**: ours's wedge handle SID `d5e23609d3948568` does not appear in canary because
these are worker-local Event handles, not process-global dispatchers; only the shared-global recipe
is scheduling-invariant.
- **Cold-run jitter** was not a factor here — only one canary jsonl was processed; the spawn-chain
identification is robust because the SID-independent entry_pc + ctx_ptr + stack_size triplet is
effectively a content-addressed fingerprint that survives reruns.
## Outcome: (A) — historical framing confirmed
The Phase A `thread.create` data directly corroborates AUDIT-058/063/067:
1. `sub_825070F0` IS the function that spawns the 4 sub_82506528-family workers (confirmed in canary
trace, never fires in ours).
2. The dispatcher class `ANON_Class_713383D7` whose vtable `0x8200A208` slot 1 points at `sub_825070F0`
has its vtable installed via a path invisible to static guest analysis (AUDIT-067 unresolved).
3. The HEAVY workers (tid=14/15 → XAudio; tid=16 → XMA; tid=21 → NtWait worker) are spawned **earlier**
via different entries (`sub_824D2878`, `sub_824D2940`, `sub_82178950`, `sub_824563E0`) but are all
suspended; their resume gate is also missing in ours (those threads exist in ours-postfix but emit
< 100 events each, all from the spawn-time bookkeeping).
## Recommended next attack target
**Re-attempt the deferred AUDIT-067 / AUDIT-068 host-side vptr install probe** with current tooling.
Specific subtasks:
1. **Identify the allocator that produces the `ANON_Class_713383D7` instance** with vtable `0x8200A208`.
- Static search: which fn loads `0x8200A208` as a constant? (database says nothing — confirm with a
fresh ghidra script that includes split-pair detection.)
- Runtime probe: instrument both engines to log every `stw vptr, 0(obj)` where `vptr ∈
{0x8200A208, 0x8200A928}`. In canary, this MUST fire ≥ 1× before the 10.38 s spawn burst;
in ours, it presumably never fires. Identify the PC.
2. **If host-side**: trace through the kernel exports table. The most likely path is one of
`XAudio2*Create`, `XMACreateContext`, `XMPCreate*`, or an undocumented `XAudio` API. Per the tid=14
call profile, `XAudioGetVoiceCategoryVolumeChangeMask` is the only XAudio API actively touched —
look at its dossier (or canary's `xboxkrnl_audio.cc` / `xam_audio.cc`) for object-construction
side-effects.
3. **Alternative**: identify which Sylpheed API call is the **trigger** for the 10.38 s `sub_825070F0`
firing. Canary main (tid=6) at host_ns ≈ 10.3010.38 s does the work that leads up to this; ~300 ms
before, tid=6 has activity that ours doesn't reach. Diff tid=6's event stream in canary vs ours's
tid=1 in the time window [10 s, 10.4 s] (canary) / [whatever ours's wallclock-equivalent is] — but
ours doesn't reach 10 s wallclock either, so the divergence is upstream.
4. **Secondary attack**: the XAudio tid=14/15 resume gate. Those threads are spawned suspended in
BOTH engines (canary at 1.726/1.727 s, ours at 1.626 s); canary resumes them within ~1 ms and they
emit 11 M events combined. **What guest call resumes them in canary?** Cross-thread NtResumeThread
on the tid=14 handle. Sylpheed presumably resumes them via an XAudio2 API. If we can identify the
resume call site in canary and figure out why ours doesn't reach it, we unblock 60% of the missing
event volume (XAudio) independent of `sub_825070F0`.
## Artifacts
All artifacts in `xenia-rs/audit-runs/phase-nonmatch-investigation/`:
- `build_profiles.py` — streaming jsonl profile builder (~200 LOC)
- `tid-event-counts.csv` — per-tid totals (28 rows)
- `tid-top-calls.txt` — per-tid top-20 kernel.call names
- `tid-ntset-handles.txt` — per-tid Ke/NtSetEvent handle distribution **(EMPTY — canary's
kernel.call payloads have `args:{}` for NtSetEvent; handle is in resolved-arg JSON not exposed
in current `args_resolved`. Not needed for Outcome (A) determination. Future Phase: extend
Phase A `kernel.call` to also surface ALL register args in `args` for diff-tool consumption.)**
- `tid-wait-handles.txt` — per-tid wait.begin handle distribution **(EMPTY for same reason: the
`wait.begin` events I sampled have `raw_handle_id=None` because the payload uses a
`handle_semantic_ids` array, not a single `raw_handle_id`. The handle.create map is populated
correctly — see `handle-create.json`.)**
- `thread-creates.json` — canary thread.create payloads keyed by child_tid (note: child_tid is FIFO-inferred, see profiles doc)
- `thread-exits.json` — canary thread.exit events (3 in this trace: tid=17/18/26)
- `excreate-events.json` — all ExCreateThread import.call events with idx/host_ns
- `create-thread-events.json` — full thread.create event payloads
- `handle-create.json` — all handle.create with raw_handle, sid, object_type
- `spawn-chain.json` — auto-correlated spawn → ExCreateThread linkage
- `canary-tid-profiles.md` — human-readable per-tid catalogue + spawn-chain tables
- `result.md` — this file


@@ -0,0 +1,600 @@
[
{
"child_tid": null,
"creator_tid": 6,
"child_host_ns": 1424734300,
"child_payload": {
"handle_semantic_id": "a21da6e3283a24b9",
"parent_tid": 6,
"entry_pc": "0x82181830",
"ctx_ptr": "0x828f3d08",
"priority": 0,
"affinity": 0,
"stack_size": 131072,
"suspended": false
},
"parent_excreate": {
"tid": 6,
"idx": 102194,
"host_ns": 1424397900,
"name": "ExCreateThread",
"payload": {
"name": "ExCreateThread",
"args": {},
"args_resolved": {}
}
}
},
{
"child_tid": null,
"creator_tid": 6,
"child_host_ns": 1443949000,
"child_payload": {
"handle_semantic_id": "7fa63be80377df95",
"parent_tid": 6,
"entry_pc": "0x8245a5d0",
"ctx_ptr": "0x828f4838",
"priority": 0,
"affinity": 0,
"stack_size": 65536,
"suspended": false
},
"parent_excreate": {
"tid": 6,
"idx": 102409,
"host_ns": 1443569500,
"name": "ExCreateThread",
"payload": {
"name": "ExCreateThread",
"args": {},
"args_resolved": {}
}
}
},
{
"child_tid": null,
"creator_tid": 6,
"child_host_ns": 1452636400,
"child_payload": {
"handle_semantic_id": "82aca7574f07e563",
"parent_tid": 6,
"entry_pc": "0x82450a28",
"ctx_ptr": "0x828f3b68",
"priority": 0,
"affinity": 0,
"stack_size": 262144,
"suspended": false
},
"parent_excreate": {
"tid": 6,
"idx": 102523,
"host_ns": 1452325200,
"name": "ExCreateThread",
"payload": {
"name": "ExCreateThread",
"args": {},
"args_resolved": {}
}
}
},
{
"child_tid": null,
"creator_tid": 10,
"child_host_ns": 1541511900,
"child_payload": {
"handle_semantic_id": "42db1d4e8093a64f",
"parent_tid": 10,
"entry_pc": "0x82457ef0",
"ctx_ptr": "0x828f3b08",
"priority": 0,
"affinity": 0,
"stack_size": 65536,
"suspended": false
},
"parent_excreate": {
"tid": 10,
"idx": 1216,
"host_ns": 1541030300,
"name": "ExCreateThread",
"payload": {
"name": "ExCreateThread",
"args": {},
"args_resolved": {}
}
}
},
{
"child_tid": null,
"creator_tid": 6,
"child_host_ns": 1601365600,
"child_payload": {
"handle_semantic_id": "17d8b2ba9dd4ba13",
"parent_tid": 6,
"entry_pc": "0x824cd458",
"ctx_ptr": "0xbe56bb3c",
"priority": 0,
"affinity": 4,
"stack_size": 32768,
"suspended": false
},
"parent_excreate": {
"tid": 6,
"idx": 105133,
"host_ns": 1601005500,
"name": "ExCreateThread",
"payload": {
"name": "ExCreateThread",
"args": {},
"args_resolved": {}
}
}
},
{
"child_tid": null,
"creator_tid": 6,
"child_host_ns": 1670004300,
"child_payload": {
"handle_semantic_id": "201e8f7d7ed33ce1",
"parent_tid": 6,
"entry_pc": "0x822f1ee0",
"ctx_ptr": "0xbce24a40",
"priority": 0,
"affinity": 0,
"stack_size": 524288,
"suspended": true
},
"parent_excreate": {
"tid": 6,
"idx": 105350,
"host_ns": 1669634000,
"name": "ExCreateThread",
"payload": {
"name": "ExCreateThread",
"args": {},
"args_resolved": {}
}
}
},
{
"child_tid": null,
"creator_tid": 6,
"child_host_ns": 1725986600,
"child_payload": {
"handle_semantic_id": "a488577cb97ea7c4",
"parent_tid": 6,
"entry_pc": "0x824d2878",
"ctx_ptr": "0x00000000",
"priority": 0,
"affinity": 16,
"stack_size": 524288,
"suspended": true
},
"parent_excreate": {
"tid": 6,
"idx": 106751,
"host_ns": 1725595900,
"name": "ExCreateThread",
"payload": {
"name": "ExCreateThread",
"args": {},
"args_resolved": {}
}
}
},
{
"child_tid": null,
"creator_tid": 6,
"child_host_ns": 1726733000,
"child_payload": {
"handle_semantic_id": "2d277fba6c47d941",
"parent_tid": 6,
"entry_pc": "0x824d2940",
"ctx_ptr": "0x00000000",
"priority": 0,
"affinity": 32,
"stack_size": 524288,
"suspended": true
},
"parent_excreate": {
"tid": 6,
"idx": 106768,
"host_ns": 1726182000,
"name": "ExCreateThread",
"payload": {
"name": "ExCreateThread",
"args": {},
"args_resolved": {}
}
}
},
{
"child_tid": null,
"creator_tid": 6,
"child_host_ns": 1931052700,
"child_payload": {
"handle_semantic_id": "38a1db5b88b1b8e5",
"parent_tid": 6,
"entry_pc": "0x82178950",
"ctx_ptr": "0x828f3ec0",
"priority": 0,
"affinity": 0,
"stack_size": 65536,
"suspended": false
},
"parent_excreate": {
"tid": 6,
"idx": 108390,
"host_ns": 1930665400,
"name": "ExCreateThread",
"payload": {
"name": "ExCreateThread",
"args": {},
"args_resolved": {}
}
}
},
{
"child_tid": null,
"creator_tid": 6,
"child_host_ns": 1935433700,
"child_payload": {
"handle_semantic_id": "3bd922fbb385c2c9",
"parent_tid": 6,
"entry_pc": "0x821748f0",
"ctx_ptr": "0xbc365620",
"priority": 0,
"affinity": 0,
"stack_size": 524288,
"suspended": true
},
"parent_excreate": {
"tid": 6,
"idx": 108474,
"host_ns": 1935134700,
"name": "ExCreateThread",
"payload": {
"name": "ExCreateThread",
"args": {},
"args_resolved": {}
}
}
},
{
"child_tid": null,
"creator_tid": 17,
"child_host_ns": 1958253200,
"child_payload": {
"handle_semantic_id": "d6494a78268b1d61",
"parent_tid": 17,
"entry_pc": "0x821c4ad0",
"ctx_ptr": "0xbca44b60",
"priority": 0,
"affinity": 0,
"stack_size": 65536,
"suspended": false
},
"parent_excreate": {
"tid": 17,
"idx": 621,
"host_ns": 1957722200,
"name": "ExCreateThread",
"payload": {
"name": "ExCreateThread",
"args": {},
"args_resolved": {}
}
}
},
{
"child_tid": null,
"creator_tid": 18,
"child_host_ns": 1961805200,
"child_payload": {
"handle_semantic_id": "44c12522436224af",
"parent_tid": 18,
"entry_pc": "0x822c6870",
"ctx_ptr": "0x828f3300",
"priority": 0,
"affinity": 0,
"stack_size": 196608,
"suspended": true
},
"parent_excreate": {
"tid": 18,
"idx": 44,
"host_ns": 1961455400,
"name": "ExCreateThread",
"payload": {
"name": "ExCreateThread",
"args": {},
"args_resolved": {}
}
}
},
{
"child_tid": null,
"creator_tid": 18,
"child_host_ns": 1962234400,
"child_payload": {
"handle_semantic_id": "bb500f6b8f44e7cc",
"parent_tid": 18,
"entry_pc": "0x822c6870",
"ctx_ptr": "0x828f3300",
"priority": 0,
"affinity": 0,
"stack_size": 196608,
"suspended": true
},
"parent_excreate": {
"tid": 18,
"idx": 61,
"host_ns": 1961928800,
"name": "ExCreateThread",
"payload": {
"name": "ExCreateThread",
"args": {},
"args_resolved": {}
}
}
},
{
"child_tid": null,
"creator_tid": 6,
"child_host_ns": 2102593600,
"child_payload": {
"handle_semantic_id": "012a4851c459bcb4",
"parent_tid": 6,
"entry_pc": "0x824563e0",
"ctx_ptr": "0x828f3e70",
"priority": 0,
"affinity": 0,
"stack_size": 16384,
"suspended": false
},
"parent_excreate": {
"tid": 6,
"idx": 108578,
"host_ns": 2101910400,
"name": "ExCreateThread",
"payload": {
"name": "ExCreateThread",
"args": {},
"args_resolved": {}
}
}
},
{
"child_tid": null,
"creator_tid": 6,
"child_host_ns": 2119532500,
"child_payload": {
"handle_semantic_id": "c798a1af262be9f2",
"parent_tid": 6,
"entry_pc": "0x82170430",
"ctx_ptr": "0x828f4070",
"priority": 0,
"affinity": 0,
"stack_size": 65536,
"suspended": false
},
"parent_excreate": {
"tid": 6,
"idx": 108676,
"host_ns": 2118847200,
"name": "ExCreateThread",
"payload": {
"name": "ExCreateThread",
"args": {},
"args_resolved": {}
}
}
},
{
"child_tid": null,
"creator_tid": 6,
"child_host_ns": 2143148700,
"child_payload": {
"handle_semantic_id": "cd7dbdbbf2718d23",
"parent_tid": 6,
"entry_pc": "0x823dde30",
"ctx_ptr": "0x828f3c4c",
"priority": 0,
"affinity": 0,
"stack_size": 65536,
"suspended": false
},
"parent_excreate": {
"tid": 6,
"idx": 108862,
"host_ns": 2142784400,
"name": "ExCreateThread",
"payload": {
"name": "ExCreateThread",
"args": {},
"args_resolved": {}
}
}
},
{
"child_tid": null,
"creator_tid": 6,
"child_host_ns": 2144427600,
"child_payload": {
"handle_semantic_id": "070f645e909f5fe5",
"parent_tid": 6,
"entry_pc": "0x823ddb50",
"ctx_ptr": "0x828f3c88",
"priority": 0,
"affinity": 0,
"stack_size": 524288,
"suspended": true
},
"parent_excreate": {
"tid": 6,
"idx": 108884,
"host_ns": 2144062400,
"name": "ExCreateThread",
"payload": {
"name": "ExCreateThread",
"args": {},
"args_resolved": {}
}
}
},
{
"child_tid": null,
"creator_tid": 6,
"child_host_ns": 2145144100,
"child_payload": {
"handle_semantic_id": "b545ef4ec3ab9fea",
"parent_tid": 6,
"entry_pc": "0x823ddb50",
"ctx_ptr": "0x828f3c88",
"priority": 0,
"affinity": 0,
"stack_size": 524288,
"suspended": true
},
"parent_excreate": {
"tid": 6,
"idx": 108905,
"host_ns": 2144793400,
"name": "ExCreateThread",
"payload": {
"name": "ExCreateThread",
"args": {},
"args_resolved": {}
}
}
},
{
"child_tid": null,
"creator_tid": 6,
"child_host_ns": 10079288200,
"child_payload": {
"handle_semantic_id": "3e6007fd9dc3c3f5",
"parent_tid": 6,
"entry_pc": "0x821748f0",
"ctx_ptr": "0xbc366ee0",
"priority": 0,
"affinity": 0,
"stack_size": 524288,
"suspended": true
},
"parent_excreate": {
"tid": 6,
"idx": 303302,
"host_ns": 10078927100,
"name": "ExCreateThread",
"payload": {
"name": "ExCreateThread",
"args": {},
"args_resolved": {}
}
}
},
{
"child_tid": null,
"creator_tid": 6,
"child_host_ns": 10382912900,
"child_payload": {
"handle_semantic_id": "f28d7accba35656e",
"parent_tid": 6,
"entry_pc": "0x82506528",
"ctx_ptr": "0xbce251c0",
"priority": 0,
"affinity": 0,
"stack_size": 65536,
"suspended": true
},
"parent_excreate": {
"tid": 6,
"idx": 305662,
"host_ns": 10382543700,
"name": "ExCreateThread",
"payload": {
"name": "ExCreateThread",
"args": {},
"args_resolved": {}
}
}
},
{
"child_tid": null,
"creator_tid": 6,
"child_host_ns": 10383282200,
"child_payload": {
"handle_semantic_id": "44ac749e4b883854",
"parent_tid": 6,
"entry_pc": "0x82506558",
"ctx_ptr": "0xbce251c0",
"priority": 0,
"affinity": 0,
"stack_size": 65536,
"suspended": true
},
"parent_excreate": {
"tid": 6,
"idx": 305667,
"host_ns": 10382975800,
"name": "ExCreateThread",
"payload": {
"name": "ExCreateThread",
"args": {},
"args_resolved": {}
}
}
},
{
"child_tid": null,
"creator_tid": 6,
"child_host_ns": 10383647200,
"child_payload": {
"handle_semantic_id": "95f0b02d711132ad",
"parent_tid": 6,
"entry_pc": "0x82506588",
"ctx_ptr": "0xbce251c0",
"priority": 0,
"affinity": 0,
"stack_size": 65536,
"suspended": true
},
"parent_excreate": {
"tid": 6,
"idx": 305672,
"host_ns": 10383322800,
"name": "ExCreateThread",
"payload": {
"name": "ExCreateThread",
"args": {},
"args_resolved": {}
}
}
},
{
"child_tid": null,
"creator_tid": 6,
"child_host_ns": 10384161700,
"child_payload": {
"handle_semantic_id": "130384779d24018e",
"parent_tid": 6,
"entry_pc": "0x825065b8",
"ctx_ptr": "0xbce251c0",
"priority": 0,
"affinity": 0,
"stack_size": 65536,
"suspended": true
},
"parent_excreate": {
"tid": 6,
"idx": 305677,
"host_ns": 10383735600,
"name": "ExCreateThread",
"payload": {
"name": "ExCreateThread",
"args": {},
"args_resolved": {}
}
}
}
]


@@ -0,0 +1,17 @@
{
"null": {
"creator_tid": 6,
"event_idx": 305679,
"host_ns": 10384161700,
"payload": {
"affinity": 0,
"ctx_ptr": "0xbce251c0",
"entry_pc": "0x825065b8",
"handle_semantic_id": "130384779d24018e",
"parent_tid": 6,
"priority": 0,
"stack_size": 65536,
"suspended": true
}
}
}
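Review bot: The only key in this object is `"null"`, so a map that is meant to be keyed by child_tid has collapsed to a single record: the one with host_ns 10384161700 and entry_pc 0x825065b8, which is the last of the 23 entries in the preceding spawn-chain listing, where every `child_tid` is also `null`. That looks like last-writer-wins on an unresolved key, so 22 thread.create payloads are missing from this artifact even though result.md describes it as keyed by a FIFO-inferred child_tid. I would key the map by a field that is always present, for example `handle_semantic_id` (distinct across the 23 entries shown), or emit a list, and have the builder raise when child_tid cannot be resolved instead of serialising `None` as a key. The builder code is outside this section, so the cause is inferred from the output alone.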


@@ -0,0 +1,23 @@
{
"17": {
"event_idx": 4139,
"host_ns": 2091816600,
"payload": {
"exit_code": 0
}
},
"18": {
"event_idx": 33084,
"host_ns": 2870280100,
"payload": {
"exit_code": 1
}
},
"26": {
"event_idx": 6706,
"host_ns": 10280088600,
"payload": {
"exit_code": 0
}
}
}


@@ -0,0 +1,317 @@
=== tid=14 total_events=6,151,835 ===
1,048,332 KeRaiseIrqlToDpcLevel
941,976 KeAcquireSpinLockAtRaisedIrql
941,976 KeReleaseSpinLockFromRaisedIrql
941,976 KfLowerIrql
53,890 RtlEnterCriticalSection
53,890 RtlLeaveCriticalSection
29,812 KeSetEvent
26,126 KeWaitForSingleObject
26,126 XAudioGetVoiceCategoryVolumeChangeMask
26,126 KeReleaseSemaphore
350 KeQueryPerformanceFrequency
4 MmGetPhysicalAddress
=== tid=15 total_events=4,776,698 ===
786,872 KeRaiseIrqlToDpcLevel
785,086 KeAcquireSpinLockAtRaisedIrql
785,085 KeReleaseSpinLockFromRaisedIrql
785,084 KfLowerIrql
26,126 KeWaitForSingleObject
3,564 KeSetEvent
1,782 RtlEnterCriticalSection
1,782 RtlLeaveCriticalSection
374 KeQueryPerformanceFrequency
2 MmGetPhysicalAddress
=== tid=28 total_events=3,255,462 ===
1,076,058 RtlEnterCriticalSection
1,076,056 RtlLeaveCriticalSection
10,812 MmQueryAddressProtect
3,604 KeSetEvent
2,026 KeWaitForSingleObject
530 NtReadFile
530 RtlNtStatusToDosError
16 MmAllocatePhysicalMemoryEx
=== tid=16 total_events=1,799,931 ===
196,976 RtlEnterCriticalSection
196,974 KeRaiseIrqlToDpcLevel
196,972 RtlLeaveCriticalSection
196,814 KeAcquireSpinLockAtRaisedIrql
196,812 KeReleaseSpinLockFromRaisedIrql
196,812 KfLowerIrql
12,072 NtWaitForSingleObjectEx
18 MmGetPhysicalAddress
6 RtlInitializeCriticalSectionAndSpinCount
6 XMACreateContext
4 NtClose
2 ObReferenceObjectByHandle
2 KeSetAffinityThread
2 ObDereferenceObject
2 KeQueryPerformanceFrequency
2 NtCreateEvent
2 RtlInitAnsiString
2 NtCreateFile
2 NtDuplicateObject
2 NtSetEvent
=== tid=21 total_events=1,006,388 ===
223,640 RtlEnterCriticalSection
223,640 RtlLeaveCriticalSection
223,636 NtWaitForMultipleObjectsEx
2 ObReferenceObjectByHandle
2 KeSetAffinityThread
2 ObDereferenceObject
2 NtSetTimerEx
2 NtReleaseSemaphore
=== tid=13 total_events=593,522 ===
219,694 NtYieldExecution
42,432 RtlEnterCriticalSection
42,432 RtlLeaveCriticalSection
14,492 KeQueryPerformanceFrequency
12,092 VdGetSystemCommandBuffer
12,092 VdSwap
12,092 KeEnterCriticalRegion
12,092 VdRetrainEDRAM
12,092 KeLeaveCriticalRegion
11,856 NtWaitForMultipleObjectsEx
3,600 KeSetEvent
310 KeWaitForSingleObject
12 ObDereferenceObject
10 ObLookupThreadByThreadId
10 ObOpenObjectByPointer
10 NtSetEvent
10 NtWaitForSingleObjectEx
10 NtClose
8 KeResetEvent
6 NtResumeThread
=== tid=6 total_events=476,943 ===
99,008 RtlEnterCriticalSection
99,008 RtlLeaveCriticalSection
36,254 XamInputGetCapabilities
24,184 NtSetEvent
14,414 NtWaitForSingleObjectEx
13,434 XNotifyGetNext
12,084 XamInputGetState
12,082 XamInputGetKeystrokeEx
976 NtReleaseSemaphore
182 RtlInitializeCriticalSectionAndSpinCount
144 RtlInitializeCriticalSection
90 NtCreateEvent
90 KeRaiseIrqlToDpcLevel
76 KeAcquireSpinLockAtRaisedIrql
76 KeReleaseSpinLockFromRaisedIrql
76 KfLowerIrql
64 NtClose
56 MmAllocatePhysicalMemoryEx
50 RtlNtStatusToDosError
42 NtAllocateVirtualMemory
=== tid=4 total_events=195,940 ===
26,126 RtlEnterCriticalSection
26,126 KeSetEvent
26,126 KeWaitForMultipleObjects
26,124 XAudioSubmitRenderDriverFrame
26,124 RtlLeaveCriticalSection
=== tid=29 total_events=91,203 ===
14,522 RtlEnterCriticalSection
14,522 RtlLeaveCriticalSection
10,906 KeRaiseIrqlToDpcLevel
7,252 KeWaitForSingleObject
3,640 KeAcquireSpinLockAtRaisedIrql
3,640 KeReleaseSpinLockFromRaisedIrql
3,640 KfLowerIrql
=== tid=1 total_events=68,946 ===
22,982 KeAcquireSpinLockAtRaisedIrql
22,982 KeReleaseSpinLockFromRaisedIrql
=== tid=10 total_events=63,537 ===
14,454 NtWaitForMultipleObjectsEx
11,206 RtlEnterCriticalSection
11,206 RtlLeaveCriticalSection
852 NtClose
826 NtReleaseSemaphore
782 NtQueryInformationFile
776 NtCreateEvent
764 NtReadFile
764 RtlNtStatusToDosError
62 NtSetEvent
24 RtlInitializeCriticalSectionAndSpinCount
16 NtDuplicateObject
10 NtWaitForSingleObjectEx
8 MmFreePhysicalMemory
8 MmAllocatePhysicalMemoryEx
2 ObReferenceObjectByHandle
2 KeSetAffinityThread
2 ObDereferenceObject
2 NtCreateSemaphore
2 ExCreateThread
=== tid=11 total_events=61,278 ===
13,634 RtlEnterCriticalSection
13,634 RtlLeaveCriticalSection
13,564 NtWaitForMultipleObjectsEx
10 NtSetEvent
2 ObReferenceObjectByHandle
2 KeSetAffinityThread
2 ObDereferenceObject
=== tid=12 total_events=36,894 ===
7,380 KeWaitForSingleObject
7,378 RtlEnterCriticalSection
7,378 RtlLeaveCriticalSection
=== tid=27 total_events=36,029 ===
7,266 RtlEnterCriticalSection
7,266 RtlLeaveCriticalSection
3,636 KeSetEvent
3,628 KeWaitForSingleObject
506 NtReadFile
506 RtlNtStatusToDosError
=== tid=18 total_events=33,085 ===
10,858 RtlEnterCriticalSection
10,858 RtlLeaveCriticalSection
36 RtlInitAnsiString
28 NtReleaseSemaphore
28 NtWaitForSingleObjectEx
22 NtClose
20 NtQueryFullAttributesFile
20 RtlNtStatusToDosError
18 NtDuplicateObject
16 RtlInitializeCriticalSectionAndSpinCount
16 NtCreateFile
16 NtCreateEvent
6 MmAllocatePhysicalMemoryEx
4 ExCreateThread
4 ObReferenceObjectByHandle
4 KeSetAffinityThread
4 ObDereferenceObject
4 NtResumeThread
4 KeTlsSetValue
2 NtCreateSemaphore
=== tid=2 total_events=20,304 ===
13,536 NtSetEvent
=== tid=9 total_events=8,305 ===
1,866 RtlEnterCriticalSection
1,866 RtlLeaveCriticalSection
386 RtlInitAnsiString
244 NtClose
212 NtCreateFile
168 NtSetInformationFile
132 NtOpenFile
122 NtWriteFile
102 RtlNtStatusToDosError
84 NtQueryInformationFile
44 NtWaitForSingleObjectEx
42 NtQueryVolumeInformationFile
18 MmFreePhysicalMemory
2 ObReferenceObjectByHandle
2 KeSetAffinityThread
2 ObDereferenceObject
2 NtQueryDirectoryFile
=== tid=26 total_events=6,707 ===
1,558 RtlEnterCriticalSection
1,558 RtlLeaveCriticalSection
1,282 NtYieldExecution
6 NtCreateEvent
6 RtlInitializeCriticalSectionAndSpinCount
6 NtClose
4 NtDuplicateObject
4 NtWaitForSingleObjectEx
4 KeTlsSetValue
2 ObReferenceObjectByHandle
2 KeSetAffinityThread
2 ObDereferenceObject
2 ExGetXConfigSetting
2 RtlInitAnsiString
2 NtQueryFullAttributesFile
2 RtlNtStatusToDosError
2 NtSetEvent
2 NtReleaseSemaphore
2 KeTlsGetValue
2 ExTerminateThread
=== tid=17 total_events=4,140 ===
1,214 RtlEnterCriticalSection
1,214 RtlLeaveCriticalSection
38 NtClose
36 NtCreateEvent
32 NtDuplicateObject
30 RtlInitializeCriticalSectionAndSpinCount
22 RtlInitAnsiString
22 NtWaitForSingleObjectEx
18 NtQueryFullAttributesFile
18 RtlNtStatusToDosError
18 NtReleaseSemaphore
16 NtSetEvent
4 NtCreateFile
4 KeTlsSetValue
2 ObReferenceObjectByHandle
2 KeSetAffinityThread
2 ObDereferenceObject
2 XNotifyPositionUI
2 ExGetXConfigSetting
2 ExCreateThread
=== tid=8 total_events=60 ===
16 RtlEnterCriticalSection
16 RtlLeaveCriticalSection
2 ObReferenceObjectByHandle
2 KeSetAffinityThread
2 ObDereferenceObject
2 NtWaitForSingleObjectEx
=== tid=22 total_events=51 ===
16 RtlEnterCriticalSection
16 RtlLeaveCriticalSection
2 NtWaitForSingleObjectEx
=== tid=7 total_events=32 ===
6 RtlInitAnsiString
2 NtCreateFile
2 NtAllocateVirtualMemory
2 NtQueryVolumeInformationFile
2 ObCreateSymbolicLink
2 ExRegisterTitleTerminateNotification
2 KeSetEvent
2 KeWaitForSingleObject
=== tid=23 total_events=17 ===
2 RtlEnterCriticalSection
2 RtlLeaveCriticalSection
2 ObReferenceObjectByHandle
2 KeSetAffinityThread
2 ObDereferenceObject
2 NtWaitForMultipleObjectsEx
=== tid=0 total_events=12 ===
=== tid=19 total_events=9 ===
2 RtlEnterCriticalSection
2 RtlLeaveCriticalSection
2 NtWaitForSingleObjectEx
=== tid=20 total_events=9 ===
2 RtlEnterCriticalSection
2 RtlLeaveCriticalSection
2 NtWaitForSingleObjectEx
=== tid=24 total_events=8 ===
2 RtlEnterCriticalSection
2 RtlLeaveCriticalSection
2 NtWaitForMultipleObjectsEx
=== tid=25 total_events=8 ===
2 RtlEnterCriticalSection
2 RtlLeaveCriticalSection
2 NtWaitForMultipleObjectsEx