Notes on the hang analysis of a .NET medical device cleaning system

One: Background

1. The story

Some time ago I helped a friend from the training camp analyze a program that had hung. Looking back, this case is fairly classic, so I will summarize it briefly in this article to help newcomers avoid the same pitfalls.

Two: WinDbg analysis

1. Why is it stuck?

Since this is a WinForms program, the natural first step is to look at what the main thread is doing right now. Running ~0s; k will tell you.

    0:000> k
     # ChildEBP RetAddr
    00 00aff168 75e3bb0a win32u!NtUserPeekMessage+0xc
    01 00aff168 75e3ba7e USER32!_PeekMessage+0x2a
    02 00aff1a4 6a5d711c USER32!PeekMessageW+0x16e
    03 00aff1f0 6a5841a6 System_Windows_Forms_ni+0x23711c
    …
    17 00afffbc 00000000 ntdll!_RtlUserThreadStart+0x1b

Judging from the thread stack, the current method is sitting in win32u!NtUserPeekMessage. Anyone familiar with Windows Forms messaging knows that this is the normal logic for pulling messages from the message queue; the next step of this function is to enter Windows kernel mode through Wow64SystemServiceCall, which can be verified with the u command.

    0:000> ub win32u!NtUserPeekMessage+0xc
    761d1010 b801100000      mov     eax,1001h
    761d1015 ba10631d76      mov     edx,offset win32u!Wow64SystemServiceCall (761d6310)
    761d101a ffd2            call    edx

My friend also took a screenshot for me, and it was…
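When you have to triage many dumps, the check above (is the UI thread simply pumping messages, or is the top frame something else?) is worth automating. The following Python helper is an added example, not code from the original post: it parses WinDbg k output in the format shown above and classifies the top frame; the sample stack is constructed from the frames in the post, and the set of "message pump" symbols is my own assumption.

```python
import re
from typing import List, Tuple

# One WinDbg `k` frame line: index, ChildEBP, RetAddr, symbol+offset (32-bit layout).
FRAME_RE = re.compile(
    r"^\s*([0-9a-f]{2})\s+([0-9a-f]{8})\s+([0-9a-f]{8})\s+(\S+)\s*$", re.I
)

# Top-frame symbols that mean the UI thread is inside the normal message pump
# rather than blocked somewhere else. Assumption: this list is mine, not the post's.
PUMP_SYMBOLS = (
    "win32u!NtUserPeekMessage",
    "win32u!NtUserGetMessage",
    "win32u!NtUserMsgWaitForMultipleObjectsEx",
)


def parse_k(output: str) -> List[Tuple[int, str, str, str]]:
    """Parse `k` output into (index, child_ebp, ret_addr, symbol) tuples.

    Non-frame lines (the prompt, the column header, an elision marker) are skipped.
    """
    frames = []
    for line in output.splitlines():
        m = FRAME_RE.match(line)
        if m:
            frames.append((int(m.group(1), 16), m.group(2), m.group(3), m.group(4)))
    return frames


def classify_ui_thread(output: str) -> str:
    """Return 'pumping' if the top frame is a message-pump syscall, 'other' if not,
    or 'no-frames' if nothing in the text looks like a stack frame."""
    frames = parse_k(output)
    if not frames:
        return "no-frames"
    symbol = frames[0][3].split("+")[0]  # strip the +offset part
    return "pumping" if symbol in PUMP_SYMBOLS else "other"


# Constructed sample using the frames quoted in the post.
SAMPLE_K = """0:000> k
 # ChildEBP RetAddr
00 00aff168 75e3bb0a win32u!NtUserPeekMessage+0xc
01 00aff168 75e3ba7e USER32!_PeekMessage+0x2a
02 00aff1a4 6a5d711c USER32!PeekMessageW+0x16e
03 00aff1f0 6a5841a6 System_Windows_Forms_ni+0x23711c
…
17 00afffbc 00000000 ntdll!_RtlUserThreadStart+0x1b
"""

if __name__ == "__main__":
    print(classify_ui_thread(SAMPLE_K))  # pumping
```

A result of "pumping" means the main thread is alive and draining its queue, so the hang must be explained by something other than a blocked UI thread.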