Windows Debugging (1): Processes and Threads

WinDBG commands

  1. List the attributes of every process in the system

    kd> !process 0 0
    **** NT ACTIVE PROCESS DUMP ****
    PROCESS fffffa80490059e0
    SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000
    DirBase: 00187000 ObjectTable: fffff8a000001850 HandleCount: 442.
    Image: System

    PROCESS fffffa804a40f130
    SessionId: none Cid: 0104 Peb: 7fffffd9000 ParentCid: 0004
    DirBase: 16458f000 ObjectTable: fffff8a000fc4990 HandleCount: 29.
    Image: smss.exe

    PROCESS fffffa804a955730
    SessionId: 0 Cid: 0150 Peb: 7fffffdf000 ParentCid: 0148
    DirBase: 1639c9000 ObjectTable: fffff8a00363ed80 HandleCount: 326.
    Image: csrss.exe

    PROCESS fffffa804a964060
    SessionId: 0 Cid: 0180 Peb: 7fffffd5000 ParentCid: 0148
    DirBase: 1265cf000 ObjectTable: fffff8a00368b140 HandleCount: 91.
    Image: wininit.exe

    PROCESS fffffa804900c060
    SessionId: 1 Cid: 018c Peb: 7fffffdf000 ParentCid: 0178
    DirBase: 126aa9000 ObjectTable: fffff8a00368a790 HandleCount: 152.
    Image: csrss.exe

    PROCESS fffffa804a96c570
    SessionId: 1 Cid: 01ac Peb: 7fffffd3000 ParentCid: 0178
    DirBase: 162caf000 ObjectTable: fffff8a003692ce0 HandleCount: 122.
    Image: winlogon.exe

    PROCESS fffffa804a863b30
    SessionId: 0 Cid: 01ec Peb: 7fffffdd000 ParentCid: 0180
    DirBase: 1623bd000 ObjectTable: fffff8a0067da330 HandleCount: 205.
    Image: services.exe

    PROCESS fffffa804a9ad7b0
    SessionId: 0 Cid: 01f4 Peb: 7fffffd6000 ParentCid: 0180
    DirBase: 1621e0000 ObjectTable: fffff8a0067f01f0 HandleCount: 475.
    Image: lsass.exe

    PROCESS fffffa804a940b30
    SessionId: 0 Cid: 01fc Peb: 7fffffdf000 ParentCid: 0180
    DirBase: 161be6000 ObjectTable: fffff8a0067ffef0 HandleCount: 148.
    Image: lsm.exe

    PROCESS fffffa804aa7ab30
    SessionId: 0 Cid: 0270 Peb: 7fffffdb000 ParentCid: 01ec
    DirBase: 161102000 ObjectTable: fffff8a001377440 HandleCount: 349.
    Image: svchost.exe
    ................................................................
  2. Print the process attributes of notepad.exe

    kd> !process 0 0 notepad.exe
    PROCESS fffffa804ae45b30
    SessionId: 1 Cid: 05d8 Peb: 7fffffda000 ParentCid: 0418
    DirBase: a9790000 ObjectTable: fffff8a00134aeb0 HandleCount: 62.
    Image: notepad.exe

    Here, PROCESS fffffa804ae45b30 means the EPROCESS structure lives at address fffffa804ae45b30; Cid is the process ID and Image is the image name.
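As an added example (not part of the original post), the following parser reads `!process 0 0` output in the layout shown above, keys each record by Cid, and walks the ParentCid links, which is how an analyst spots processes whose parent has already exited. The sample text is constructed from the first three processes in the listing.

```python
import re
from collections import namedtuple

# Constructed sample in the exact layout `!process 0 0` prints (first three
# processes from the listing above).
SAMPLE = """\
**** NT ACTIVE PROCESS DUMP ****
PROCESS fffffa80490059e0
SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000
DirBase: 00187000 ObjectTable: fffff8a000001850 HandleCount: 442.
Image: System

PROCESS fffffa804a40f130
SessionId: none Cid: 0104 Peb: 7fffffd9000 ParentCid: 0004
DirBase: 16458f000 ObjectTable: fffff8a000fc4990 HandleCount: 29.
Image: smss.exe

PROCESS fffffa804a955730
SessionId: 0 Cid: 0150 Peb: 7fffffdf000 ParentCid: 0148
DirBase: 1639c9000 ObjectTable: fffff8a00363ed80 HandleCount: 326.
Image: csrss.exe
"""

BLOCK_RE = re.compile(
    r"PROCESS (?P<eproc>[0-9a-f]+)\s+"
    r"SessionId: \S+ Cid: (?P<cid>[0-9a-f]+) Peb: \S+ ParentCid: (?P<pcid>[0-9a-f]+)\s+"
    r"DirBase: \S+ ObjectTable: \S+ HandleCount: (?P<handles>\d+)\.\s+"
    r"Image: (?P<image>\S+)")

# eprocess is the address to feed `dt _EPROCESS <addr>`; pid/ppid are Cid/ParentCid.
Proc = namedtuple("Proc", "eprocess pid ppid handles image")

def parse_process_dump(text):
    """Map pid -> Proc for every PROCESS block; the banner line is skipped."""
    return {int(m["cid"], 16): Proc(int(m["eproc"], 16), int(m["cid"], 16),
                                     int(m["pcid"], 16), int(m["handles"]), m["image"])
            for m in BLOCK_RE.finditer(text)}

def orphans(procs):
    """PIDs whose ParentCid is not in the listing: the parent has exited.
    Expected for csrss/wininit/winlogon, whose per-session smss.exe is gone."""
    return sorted(p.pid for p in procs.values() if p.ppid and p.ppid not in procs)

def parent_chain(procs, pid):
    """Image names walking ParentCid links from pid up to the root."""
    chain = []
    while pid in procs:
        chain.append(procs[pid].image)
        pid = procs[pid].ppid
    return chain
```

Running `orphans` over the full listing above flags both csrss.exe instances, wininit.exe and winlogon.exe (ParentCid 0148 and 0178 are absent), which is the normal post-boot picture; an unexpected image with a missing parent is what merits a closer look with `!process <addr>`.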

  3. View the EPROCESS structure:

    dt _EPROCESS EPROCESS_ADDRESS

    EPROCESS_ADDRESS above is the address of the EPROCESS.
    Example:

    kd> dt _EPROCESS fffffa804ae45b30
    ntdll!_EPROCESS
    +0x000 Pcb : _KPROCESS
    +0x160 ProcessLock : _EX_PUSH_LOCK
    +0x168 CreateTime : _LARGE_INTEGER 0x01d777b9`30808aca
    +0x170 ExitTime : _LARGE_INTEGER 0x0
    +0x178 RundownProtect : _EX_RUNDOWN_REF
    +0x180 UniqueProcessId : 0x00000000`000005d8 Void
    +0x188 ActiveProcessLinks : _LIST_ENTRY [ 0xfffffa80`4917d658 - 0xfffffa80`4acfa398 ]
    +0x198 ProcessQuotaUsage : [2] 0x1ba8
    +0x1a8 ProcessQuotaPeak : [2] 0x1d88
    +0x1b8 CommitCharge : 0x172
    +0x1c0 QuotaBlock : 0xfffffa80`4aab4900 _EPROCESS_QUOTA_BLOCK
    +0x1c8 CpuQuotaBlock : (null)
    +0x1d0 PeakVirtualSize : 0x4f52000
    +0x1d8 VirtualSize : 0x4ed2000
    +0x1e0 SessionProcessLinks : _LIST_ENTRY [ 0xfffffa80`49231240 - 0xfffffa80`4acc5240 ]
    +0x1f0 DebugPort : (null)
    +0x1f8 ExceptionPortData : 0xfffffa80`4a966ac0 Void
    +0x1f8 ExceptionPortValue : 0xfffffa80`4a966ac0
    +0x1f8 ExceptionPortState : 0y000
    +0x200 ObjectTable : 0xfffff8a0`0134aeb0 _HANDLE_TABLE
    +0x208 Token : _EX_FAST_REF
    +0x210 WorkingSetPage : 0xaa494
    +0x218 AddressCreationLock : _EX_PUSH_LOCK
    +0x220 RotateInProgress : (null)
    +0x228 ForkInProgress : (null)
    +0x230 HardwareTrigger : 0
    +0x238 PhysicalVadRoot : (null)
    +0x240 CloneRoot : (null)
    +0x248 NumberOfPrivatePages : 0x12f
    +0x250 NumberOfLockedPages : 0
    +0x258 Win32Process : 0xfffff900`c00d0010 Void
    +0x260 Job : (null)
    +0x268 SectionObject : 0xfffff8a0`0136d480 Void
    +0x270 SectionBaseAddress : 0x00000000`ffbf0000 Void
    +0x278 Cookie : 0xbb6f0423
    +0x27c Spare8 : 0
    +0x280 WorkingSetWatch : (null)
    +0x288 Win32WindowStation : 0x00000000`0000003c Void
    +0x290 InheritedFromUniqueProcessId : 0x00000000`00000418 Void
    +0x298 LdtInformation : (null)
    +0x2a0 Spare : (null)
    +0x2a8 ConsoleHostProcess : 0
    +0x2b0 DeviceMap : 0xfffff8a0`013a84f0 Void
    +0x2b8 EtwDataSource : 0xfffffa80`50400650 Void
    +0x2c0 FreeTebHint : 0x000007ff`fffde000 Void
    +0x2c8 PageDirectoryPte : _HARDWARE_PTE
    +0x2c8 Filler : 0x00000001`00000000
    +0x2d0 Session : (null)
    +0x2d8 ImageFileName : [15] ""
    +0x2e7 PriorityClass : 0x2e '.'
    +0x2e8 JobLinks : _LIST_ENTRY [ 0x02000000`00657865 - 0x00000000`00000000 ]
    +0x2f8 LockedPagesList : (null)
    +0x300 ThreadListHead : _LIST_ENTRY [ 0x00000000`00000000 - 0xfffffa80`4af7a480 ]
    +0x310 SecurityPort : 0xfffffa80`4af7a480 Void
    +0x318 Wow64Process : (null)
    +0x320 ActiveThreads : 0
    +0x324 ImagePathHash : 0
    +0x328 DefaultHardErrorProcessing : 1
    +0x32c LastThreadExitStatus : 0n-350513638
    +0x330 Peb : 0x00000000`00000001 _PEB
    +0x338 PrefetchTrace : _EX_FAST_REF
    +0x340 ReadOperationCount : _LARGE_INTEGER 0x0
    +0x348 WriteOperationCount : _LARGE_INTEGER 0x0
    +0x350 OtherOperationCount : _LARGE_INTEGER 0x0
    +0x358 ReadTransferCount : _LARGE_INTEGER 0x0
    +0x360 WriteTransferCount : _LARGE_INTEGER 0x0
    +0x368 OtherTransferCount : _LARGE_INTEGER 0x0
    +0x370 CommitChargeLimit : 0
    +0x378 CommitChargePeak : 0
    +0x380 AweInfo : 0x00000000`00000189 Void
    +0x388 SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO
    +0x390 Vm : _MMSUPPORT
    +0x418 MmProcessLinks : _LIST_ENTRY [ 0x00000000`00000000 - 0xfffffa80`4917d8f0 ]
    +0x428 HighestUserAddress : 0xfffffa80`4acfa630 Void
    +0x430 ModifiedPageCount : 0xffff0000
    +0x434 Flags2 : 0x7ff
    +0x434 JobNotReallyActive : 0y1
    +0x434 AccountingFolded : 0y1
    +0x434 NewProcessReported : 0y1
    +0x434 ExitProcessReported : 0y1
    +0x434 ReportCommitChanges : 0y1
    +0x434 LastReportMemory : 0y1
    +0x434 ReportPhysicalPageChanges : 0y1
    +0x434 HandleTableRundown : 0y1
    +0x434 NeedsHandleRundown : 0y1
    +0x434 RefTraceEnabled : 0y1
    +0x434 NumaAware : 0y1
    +0x434 ProtectedProcess : 0y0
    +0x434 DefaultPagePriority : 0y000
    +0x434 PrimaryTokenFrozen : 0y0
    +0x434 ProcessVerifierTarget : 0y0
    +0x434 StackRandomizationDisabled : 0y0
    +0x434 AffinityPermanent : 0y0
    +0x434 AffinityUpdateEnable : 0y0
    +0x434 PropagateNode : 0y0
    +0x434 ExplicitAffinity : 0y0
    +0x438 Flags : 2
    +0x438 CreateReported : 0y0
    +0x438 NoDebugInherit : 0y1
    +0x438 ProcessExiting : 0y0
    +0x438 ProcessDelete : 0y0
    +0x438 Wow64SplitPages : 0y0
    +0x438 VmDeleted : 0y0
    +0x438 OutswapEnabled : 0y0
    +0x438 Outswapped : 0y0
    +0x438 ForkFailed : 0y0
    +0x438 Wow64VaSpace4Gb : 0y0
    +0x438 AddressSpaceInitialized : 0y00
    +0x438 SetTimerResolution : 0y0
    +0x438 BreakOnTermination : 0y0
    +0x438 DeprioritizeViews : 0y0
    +0x438 WriteWatch : 0y0
    +0x438 ProcessInSession : 0y0
    +0x438 OverrideAddressSpace : 0y0
    +0x438 HasAddressSpace : 0y0
    +0x438 LaunchPrefetched : 0y0
    +0x438 InjectInpageErrors : 0y0
    +0x438 VmTopDown : 0y0
    +0x438 ImageNotifyDone : 0y0
    +0x438 PdeUpdateNeeded : 0y0
    +0x438 VdmAllowed : 0y0
    +0x438 CrossSessionCreate : 0y0
    +0x438 ProcessInserted : 0y0
    +0x438 DefaultIoPriority : 0y000
    +0x438 ProcessSelfDelete : 0y0
    +0x438 SetTimerResolutionLink : 0y0
    +0x43c ExitStatus : 0n53248
    +0x440 VadRoot : _MM_AVL_TABLE
    +0x480 AlpcContext : _ALPC_PROCESS_CONTEXT
    +0x4a0 TimerResolutionLink : _LIST_ENTRY [ 0x00000000`00000000 - 0x00000000`00000000 ]
    +0x4b0 RequestedTimerResolution : 0
    +0x4b4 ActiveThreadsHighWatermark : 0
    +0x4b8 SmallestTimerResolution : 0
    +0x4c0 TimerResolutionStackRecord : (null)
  4. View process information

    kd> !process fffffa804ae45b30
    PROCESS fffffa804ae45b30
    SessionId: 1 Cid: 05d8 Peb: 7fffffda000 ParentCid: 0418
    DirBase: a9790000 ObjectTable: fffff8a00134aeb0 HandleCount: 62.
    Image: notepad.exe
    VadRoot fffffa8055ff91f0 Vads 60 Clone 0 Private 303. Modified 2. Locked 0.
    DeviceMap fffff8a0013a84f0
    Token fffff8a001bdc060
    ElapsedTime 00:29:05.143
    UserTime 00:00:00.000
    KernelTime 00:00:00.000
    QuotaPoolUsage[PagedPool] 159888
    QuotaPoolUsage[NonPagedPool] 7080
    Working Set Sizes (now,min,max) (1561, 50, 345) (6244KB, 200KB, 1380KB)
    PeakWorkingSetSize 1568
    VirtualSize 78 Mb
    PeakVirtualSize 79 Mb
    PageFaultCount 1611
    MemoryPriority BACKGROUND
    BasePriority 8
    CommitCharge 370

    THREAD fffffa804af7a060 Cid 05d8.05d4 Teb: 000007fffffde000 Win32Thread: fffff900c2191010 WAIT: (WrUserRequest) UserMode Non-Alertable
    fffffa804a9f0e90 SynchronizationEvent
    Not impersonating
    DeviceMap fffff8a0013a84f0
    Owning Process fffffa804ae45b30 Image: notepad.exe
    Attached Process N/A Image: N/A
    Wait Start TickCount 40071 Ticks: 4 (0:00:00:00.062)
    Context Switch Count 1778 IdealProcessor: 0 LargeStack
    UserTime 00:00:00.015
    KernelTime 00:00:00.156
    Win32 Start Address 0x00000000ffbf3570
    Stack Init fffff880032bfc70 Current fffff880032bf5b0
    Base fffff880032c0000 Limit fffff880032b6000 Call 0000000000000000
    Priority 12 BasePriority 8 PriorityDecrement 2 IoPriority 2 PagePriority 5
  5. Examine the values at a specified address

    d{a|b|c|d|D|f|p|q|u|w|W} [Options] [Range]

    dy{b|d} [Options] [Range]

    d [Options] [Range]

    dt NAME ADDRESS

    kd> db fffffa804ae45b30 fffffa80`4ae45b80
    fffffa80`4ae45b30 03 00 58 00 00 00 00 00-38 5b e4 4a 80 fa ff ff ..X.....8[.J....
    fffffa80`4ae45b40 38 5b e4 4a 80 fa ff ff-48 5b e4 4a 80 fa ff ff 8[.J....H[.J....
    fffffa80`4ae45b50 48 5b e4 4a 80 fa ff ff-00 00 79 a9 00 00 00 00 H[.J......y.....
    fffffa80`4ae45b60 58 a3 f7 4a 80 fa ff ff-58 a3 f7 4a 80 fa ff ff X..J....X..J....
    fffffa80`4ae45b70 00 00 00 00 00 00 00 00-01 00 04 00 00 00 00 00 ................
    fffffa80`4ae45b80 01
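As an added example (not from the original post), this small parser turns the `db` output above back into bytes so that a field can be read at an offset and cross-checked against `!process`: the little-endian qword at +0x28 from the EPROCESS base (KPROCESS.DirectoryTableBase on this x64 build, an assumption about the layout) equals the DirBase a9790000 that `!process` printed for notepad.exe. The sample text is the dump copied above.

```python
import re

# Constructed sample: the `db` output shown above, one line per 16 bytes.
DB_OUTPUT = """\
fffffa80`4ae45b30 03 00 58 00 00 00 00 00-38 5b e4 4a 80 fa ff ff ..X.....8[.J....
fffffa80`4ae45b40 38 5b e4 4a 80 fa ff ff-48 5b e4 4a 80 fa ff ff 8[.J....H[.J....
fffffa80`4ae45b50 48 5b e4 4a 80 fa ff ff-00 00 79 a9 00 00 00 00 H[.J......y.....
fffffa80`4ae45b60 58 a3 f7 4a 80 fa ff ff-58 a3 f7 4a 80 fa ff ff X..J....X..J....
fffffa80`4ae45b70 00 00 00 00 00 00 00 00-01 00 04 00 00 00 00 00 ................
fffffa80`4ae45b80 01
"""

# address (high`low), then up to 16 bytes each preceded by ' ' or by the '-'
# that splits the 8th and 9th; the trailing ASCII column is left unmatched.
LINE_RE = re.compile(r"^([0-9a-f]{8})`([0-9a-f]{8})((?:[ -][0-9a-f]{2}){1,16})")

def parse_db(text):
    """Rebuild (base_address, bytes) from `db` output; lines must be contiguous."""
    base, buf = None, bytearray()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # prompt line or anything that is not a dump row
        addr = int(m.group(1) + m.group(2), 16)
        if base is None:
            base = addr
        if addr != base + len(buf):
            raise ValueError(f"gap in dump at {addr:#x}")
        buf += bytes.fromhex(m.group(3).replace("-", " "))
    return base, bytes(buf)

def qword_at(base, buf, addr):
    """Little-endian 8-byte read at absolute address addr."""
    off = addr - base
    return int.from_bytes(buf[off:off + 8], "little")

if __name__ == "__main__":
    base, buf = parse_db(DB_OUTPUT)
    # KPROCESS.DirectoryTableBase is at +0x28 on this x64 build (assumed layout);
    # it should equal the DirBase that `!process` printed for notepad.exe.
    print(hex(qword_at(base, buf, base + 0x28)))  # 0xa9790000
```

The qwords at +0x08 and +0x10 both read back as base+0x08, i.e. a LIST_ENTRY whose Flink and Blink point at itself, which is how an empty list head looks in a raw dump.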
