Ring zero loops can sometimes be analysed successfully from a dump. The trick is knowing how to locate the register set as it was at the moment the dump was taken.
The Dump Formatter implements only the .R command, which obtains the registers from the stack frame built on the thread's ring 0 stack when it last entered the kernel from User Mode. Under the Kernel Debugger there is no such problem: the R command displays the current system registers directly.
Note:
If a thread never runs in User Mode, such as the internal PID 0 threads, then no such stack frame is ever built and .R will fail to format the registers.
Fortunately there is a way of obtaining the current registers:
When a dump is initiated with Ctrl-Alt-Numlock-Numlock, the keyboard hardware raises a keyboard interrupt, which the processor takes.
Via the IDT, control passes to the interrupt router, which is responsible for switching to the interrupt stack before passing control to the appropriate interrupt handler.
The interrupt router first checks whether the system is already running on the interrupt stack.
If it is not, an interrupt stack frame is built on the current stack and the address of that frame is saved in fpoldstack. Only then is the SS selector switched to the interrupt stack selector (E8).
If it is, a nested interrupt has occurred: the interrupt stack frame is built on the interrupt stack itself and fpoldstack is left as it was.
It is from fpoldstack that we are able to obtain the registers before any interrupt occurred. The following debug log illustrates this and many of the techniques previously discussed.
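The following C model makes the non-nested/nested distinction concrete: it replays the router's stack switch for a first-level and then a nested interrupt, and then does what the analyst does by hand, following fpoldstack back to the saved frame. It is an added example, not OS/2 kernel code. Only the interrupt stack selector E8 comes from the text; the frame layout (the IP/CS/FLAGS triple pushed by a 16-bit interrupt gate followed by an assumed order of the other registers), the thread's stack selector 0030, the segment size and the treatment of fpoldstack as a selector:offset far pointer are assumptions of the model.

```c
/*
 * Model of the interrupt router's stack switch and of recovering the
 * pre-interrupt registers through fpoldstack.  Added example, not OS/2
 * kernel code: the frame layout, the thread's stack selector and the
 * segment size are assumptions made for the model.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define INT_STACK_SEL  0x00E8   /* interrupt stack selector named in the text  */
#define THREAD_SS      0x0030   /* assumed ring 0 stack selector of the thread */
#define SEG_SIZE       0x1000   /* assumed size of each modelled stack segment */

/* A 16:16 far pointer, selector:offset, as it would appear in a dump. */
typedef struct { uint16_t sel, off; } farptr_t;

/* Register set of the code that was running when the interrupt arrived. */
typedef struct {
    uint16_t ax, bx, cx, dx, si, di, bp, ds, es, ss, sp, ip, cs, flags;
} regs_t;

/* Assumed interrupt stack frame, lowest address first.  IP, CS and FLAGS are
 * what a 16-bit interrupt gate pushes before the router runs; the order in
 * which the router saves the other registers is an assumption of this model. */
typedef struct {
    uint16_t ds, es, di, si, bp, bx, dx, cx, ax, ip, cs, flags;
} frame_t;

static uint8_t thread_stack[SEG_SIZE];   /* the thread's ring 0 stack         */
static uint8_t int_stack[SEG_SIZE];      /* the interrupt stack (selector E8) */
farptr_t fpoldstack;                     /* written only on a non-nested entry */

/* Map a selector to the modelled segment; NULL for anything else. */
static uint8_t *seg_base(uint16_t sel)
{
    if (sel == THREAD_SS)     return thread_stack;
    if (sel == INT_STACK_SEL) return int_stack;
    return NULL;
}

/* Interrupt router entry.  Builds the frame on whatever stack is current.
 * On a first-level interrupt it records the frame in fpoldstack and switches
 * SS:SP to the interrupt stack; on a nested one (already on E8) it leaves
 * fpoldstack alone.  Returns 1 when the interrupt was nested, 0 otherwise. */
int interrupt_router(regs_t *cpu)
{
    int nested = (cpu->ss == INT_STACK_SEL);
    frame_t f = { cpu->ds, cpu->es, cpu->di, cpu->si, cpu->bp, cpu->bx,
                  cpu->dx, cpu->cx, cpu->ax, cpu->ip, cpu->cs, cpu->flags };

    cpu->sp -= sizeof f;                           /* pushes grow downward */
    memcpy(seg_base(cpu->ss) + cpu->sp, &f, sizeof f);

    if (!nested) {
        fpoldstack.sel = cpu->ss;                  /* remember where the frame is */
        fpoldstack.off = cpu->sp;
        cpu->ss = INT_STACK_SEL;                   /* switch to the interrupt stack */
        cpu->sp = SEG_SIZE;
    }
    return nested;
}

/* What the dump analyst does by hand: follow fpoldstack and read the frame
 * back.  Returns 0 if the pointer does not land inside a known stack. */
int recover_registers(farptr_t fp, regs_t *out)
{
    uint8_t *base = seg_base(fp.sel);
    frame_t f;

    if (base == NULL || fp.off > SEG_SIZE - sizeof f)
        return 0;
    memcpy(&f, base + fp.off, sizeof f);
    out->ax = f.ax; out->bx = f.bx; out->cx = f.cx; out->dx = f.dx;
    out->si = f.si; out->di = f.di; out->bp = f.bp;
    out->ds = f.ds; out->es = f.es;
    out->ip = f.ip; out->cs = f.cs; out->flags = f.flags;
    out->ss = fp.sel;                 /* SS:SP before the router pushed the frame */
    out->sp = (uint16_t)(fp.off + sizeof f);
    return 1;
}

int main(void)
{
    /* Constructed state: a thread looping in ring 0 on its own stack. */
    regs_t cpu = { .ax = 0x1234, .bx = 0x0002, .cx = 0x0003, .dx = 0x0004,
                   .si = 0x0005, .di = 0x0006, .bp = 0x0007, .ds = 0x0030,
                   .es = 0x0030, .ss = THREAD_SS, .sp = 0x0800,
                   .ip = 0x0100, .cs = 0x0178, .flags = 0x0246 };
    regs_t before;

    interrupt_router(&cpu);            /* the keyboard interrupt that takes the dump */
    cpu.ax = 0xDEAD; cpu.ip = 0x0200;  /* handler state when a nested interrupt hits */
    interrupt_router(&cpu);            /* nested: frame goes on E8, fpoldstack untouched */

    if (recover_registers(fpoldstack, &before))
        printf("fpoldstack=%04X:%04X  CS:IP=%04X:%04X SS:SP=%04X:%04X AX=%04X\n",
               fpoldstack.sel, fpoldstack.off, before.cs, before.ip,
               before.ss, before.sp, before.ax);
    return 0;
}
```

The model shows the property the analysis relies on: the pre-interrupt SP is the frame address plus the frame size, and a nested interrupt does not disturb fpoldstack. It also shows the caveat that follows from the nesting rule: if the system was already on the interrupt stack when the dump keystroke arrived, fpoldstack describes the earlier, first-level interrupt rather than the code interrupted by the dump, so a frame whose saved SS is E8 should be read with that in mind.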