梦回起点

Viewing process information with WinDbg

0: kd> !process
Unable to get LeftChild of nt!_MMVAD_SHORT at ffffd50ec4706dc0
failed to count VADs
PROCESS ffffd50ec4063080
    SessionId: 0  Cid: 0110    Peb: 02e4a000  ParentCid: 0270
    DirBase: 40efc002  ObjectTable: ffff9d8fb5f06640  HandleCount: 331.
    Image: svchost.exe
    VadRoot ffffd50ec4706dc0 Vads 0 Clone 0 Private 833. Modified 481. Locked 0.
    DeviceMap ffff9d8fae6146c0
    Token                             ffff9d8fb8071670
    ElapsedTime                       00:06:34.936
    UserTime                          00:00:00.000
    KernelTime                        00:00:00.000
    QuotaPoolUsage[PagedPool]         107672
    QuotaPoolUsage[NonPagedPool]      127872
    Working Set Sizes (now,min,max)  (0, 0, 0) (0KB, 0KB, 0KB)
    PeakWorkingSetSize                0
    VirtualSize                       122 Mb
    PeakVirtualSize                   124 Mb
    PageFaultCount                    0
    MemoryPriority                    BACKGROUND
    BasePriority                      8
    CommitCharge                      1764

        THREAD ffffd50ec3abc2c0  Cid 0110.0234  Teb: 0000000002e4c000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
            ffffd50ec341fce0  SynchronizationEvent

        THREAD ffffd50ec2f65080  Cid 0110.0d74  Teb: 0000000002e55000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
            ffffd50ec4d5f460  NotificationEvent

        THREAD ffffd50ec0fc0080  Cid 0110.00b8  Teb: 0000000002e5b000 Win32Thread: ffffd50ec4706a50 WAIT: (UserRequest) UserMode Non-Alertable
            ffffd50ec4d621e0  NotificationEvent

        THREAD ffffd50ec48d6080  Cid 0110.0e78  Teb: 0000000002e5e000 Win32Thread: ffffd50ec4707860 WAIT: (UserRequest) UserMode Non-Alertable
            ffffd50ec4d5fc60  NotificationEvent
            ffffd50ec4b08a80  QueueObject

        THREAD ffffd50ec2e9d080  Cid 0110.1580  Teb: 0000000002e64000 Win32Thread: 0000000000000000 WAIT: (DelayExecution) UserMode Non-Alertable
            ffffffffffffffff  NotificationEvent

        THREAD ffffd50ebdd8b080  Cid 0110.1728  Teb: 0000000002e67000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
            ffffd50ec37ef080  ProcessObject

        THREAD ffffd50ec4061080  Cid 0110.011c  Teb: 0000000002e6a000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
            ffffd50ec4d62ee0  NotificationEvent

        THREAD ffffd50ec30db080  Cid 0110.0bc8  Teb: 0000000002e6d000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
            ffffd50ec4d62460  NotificationEvent

        THREAD ffffd50ec0ee5080  Cid 0110.0c38  Teb: 0000000002e70000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
            ffffd50ec4d62660  NotificationEvent

        THREAD ffffd50ec3151080  Cid 0110.12c4  Teb: 0000000002e73000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
            ffffd50ec4d600e0  SynchronizationEvent
            ffffd50ec45c50c0  ProcessObject

        THREAD ffffd50ec2f5a080  Cid 0110.156c  Teb: 0000000002e76000 Win32Thread: 0000000000000000 RUNNING on processor 0
        THREAD ffffd50ec2887080  Cid 0110.1148  Teb: 0000000002e79000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
            ffffd50ec4d63560  NotificationEvent
            ffffd50ec4d63460  NotificationEvent
            ffffd50ec4d63ce0  NotificationEvent

        THREAD ffffd50ec473b080  Cid 0110.0f40  Teb: 0000000002e7c000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
            ffffd50ec4d63ce0  NotificationEvent

        THREAD ffffd50ec0f15040  Cid 0110.0df0  Teb: 0000000002e7f000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
            ffffd50ec4b02b00  QueueObject

        THREAD ffffd50ec4067080  Cid 0110.0490  Teb: 0000000002e82000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
            ffffd50ec4b02b00  QueueObject

        THREAD ffffd50ec33dc080  Cid 0110.095c  Teb: 0000000002e85000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
            ffffd50ec4d5f3e0  NotificationEvent
            ffffd50ec4d5ffe0  NotificationEvent
            ffffd50ec4d5d460  NotificationEvent

        THREAD ffffd50ec3963080  Cid 0110.01e0  Teb: 0000000002e88000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
            ffffd50ec4d5d460  NotificationEvent

        THREAD ffffd50ec3b4f080  Cid 0110.0e00  Teb: 0000000002e91000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
            ffffd50ec4d5f260  NotificationEvent
            ffffd50ec4d5e060  NotificationEvent
            ffffd50ec4d5d8e0  NotificationEvent

        THREAD ffffd50ebdca8080  Cid 0110.17cc  Teb: 0000000002e94000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
            ffffd50ec4d5d8e0  NotificationEvent

        THREAD ffffd50ec3aad080  Cid 0110.0324  Teb: 0000000002e97000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
            ffffd50ec4d60fe0  NotificationEvent
            ffffd50ec4d5fd60  NotificationEvent
            ffffd50ec4d5f360  NotificationEvent

        THREAD ffffd50ec33f3080  Cid 0110.0bcc  Teb: 0000000002e9a000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
            ffffd50ec4d5f360  NotificationEvent

        THREAD ffffd50ec0aa8080  Cid 0110.1640  Teb: 0000000002e9d000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
            ffffd50ec4d63de0  NotificationEvent
            ffffd50ec4d63ee0  NotificationEvent
            ffffd50ec4d624e0  NotificationEvent

        THREAD ffffd50ec39d3080  Cid 0110.0688  Teb: 0000000002ea0000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
            ffffd50ec4d624e0  NotificationEvent

        THREAD ffffd50ebfc03080  Cid 0110.0118  Teb: 0000000002ea3000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
            ffffd50ec4d63d60  NotificationEvent
            ffffd50ec4d632e0  NotificationEvent
            ffffd50ec4d60160  NotificationEvent

        THREAD ffffd50ec3b81080  Cid 0110.1684  Teb: 0000000002ea6000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
            ffffd50ec4d60160  NotificationEvent

        THREAD ffffd50ec2f71080  Cid 0110.0a30  Teb: 0000000002ea9000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
            ffffd50ec2c16f60  NotificationEvent
            ffffd50ec2c16c60  NotificationEvent
            ffffd50ec2c046e0  NotificationEvent

        THREAD ffffd50ec3c89080  Cid 0110.07fc  Teb: 0000000002eac000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
            ffffd50ec2c046e0  NotificationEvent

        THREAD ffffd50ec306d080  Cid 0110.09e8  Teb: 0000000002eaf000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
            ffffd50ec4d668e0  NotificationEvent
            ffffd50ec4d651e0  NotificationEvent
            ffffd50ec4d62760  NotificationEvent

        THREAD ffffd50ebdd1c080  Cid 0110.0a9c  Teb: 0000000002eb2000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
            ffffd50ec4d62760  NotificationEvent

        THREAD ffffd50ec31e7080  Cid 0110.00d4  Teb: 0000000002eb5000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
            ffffd50ec30051e0  NotificationEvent
            ffffd50ec3003de0  NotificationEvent
            ffffd50ec30032e0  NotificationEvent

        THREAD ffffd50ec306b080  Cid 0110.0f34  Teb: 0000000002eb8000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
            ffffd50ec30032e0  NotificationEvent

0: kd> !thread
THREAD ffffd50ec2f5a080  Cid 0110.156c  Teb: 0000000002e76000 Win32Thread: 0000000000000000 RUNNING on processor 0
Not impersonating
DeviceMap                 ffff9d8fae6146c0
Owning Process            ffffd50ec4063080       Image:         svchost.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      220864         Ticks: 1 (0:00:00:00.015)
Context Switch Count      2459           IdealProcessor: 1
UserTime                  00:00:00.000
KernelTime                00:00:00.015
Win32 Start Address 0x0000000010059a3f
Stack Init ffff818d12692c90 Current ffff818d12691b30
Base ffff818d12693000 Limit ffff818d1268d000 Call 0
Priority 9 BasePriority 8 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
Child-SP          RetAddr           : Args to Child                                                           : Call Site
00000000`03a7ec88 00000000`77e31b1d : 00000023`77eb1fdc 00000000`00000023 00000000`00000000 00000000`044ffd3c : ntdll!KiRaiseUserExceptionDispatcher
00000000`03a7ec90 00000000`77e31199 : 00000000`044ffa70 00007ffe`6b02c814 00000000`00000000 00007ffe`6b02bf10 : wow64cpu!Thunk0ArgReloadState+0x5
00000000`03a7ed40 00007ffe`6b02c72a : 00000000`039054f8 00000000`00000000 00000000`00000000 00000000`03a7f180 : wow64cpu!BTCpuSimulate+0x9
00000000`03a7ed80 00007ffe`6b02c5e7 : 00000000`00000000 00000000`00000001 00000000`00000000 00000000`00000000 : wow64!RunCpuSimulation+0xa
00000000`03a7edb0 00007ffe`6b35190b : 00000000`00000000 00000000`00000000 00000000`00000001 00000000`00000000 : wow64!Wow64LdrpInitialize+0x127
00000000`03a7f060 00007ffe`6b3517f3 : 00000000`00000000 00007ffe`6b2e0000 00000000`00000000 00000000`02e76000 : ntdll!_LdrpInitialize+0xff
00000000`03a7f100 00007ffe`6b35179e : 00000000`03a7f180 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!LdrpInitialize+0x3b
00000000`03a7f130 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!LdrInitializeThunk+0xe

To load the symbols for a particular module, you must first switch the debugger context to a process that has that module loaded.
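As an added illustration of that note (not part of the original post), the WinDbg command sequence below switches context to the svchost.exe process from the listing above and then reloads user-mode symbols; the process address is the one printed by !process, while "mymodule" is a placeholder for whichever module you need symbols for.

```windbg
$$ Added example session; addresses are taken from the !process output above,
$$ "mymodule" is a placeholder module name.

$$ 1. Find the process that has the module loaded. "0 0" prints only the
$$    one-line summary per process; the image name filters the list.
0: kd> !process 0 0 svchost.exe

$$ 2. Switch the debugger context to that process. /i is the invasive
$$    switch: it only takes effect after the target runs again (g) and
$$    breaks back in while executing inside that process.
0: kd> .process /i ffffd50ec4063080
0: kd> g

$$ 3. The user-mode address space now belongs to the right process, so
$$    user-mode module symbols resolve and can be (re)loaded.
0: kd> .reload /user
0: kd> lm m mymodule*

$$ Non-invasive alternative: /p switches the page tables used for
$$ user-mode address translation and /r reloads user-mode symbols in
$$ one step, without resuming the target.
0: kd> .process /p /r ffffd50ec4063080

$$ The !thread stack above contains wow64!RunCpuSimulation and
$$ wow64cpu!BTCpuSimulate frames, so this svchost.exe is a 32-bit
$$ process under WOW64; switch to the x86 view before walking its
$$ user-mode stack.
0: kd> !wow64exts.sw
0: kd> k
```

With only `.process /p` (no /i and no g), kernel-mode state is visible but user-mode addresses may still translate through the wrong page tables, which is why the invasive switch or /p /r is needed before user symbols load reliably.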

2022-04-12
                         
暂无评论

发表回复