0: kd> !process
Unable to get LeftChild of nt!_MMVAD_SHORT at ffffd50ec4706dc0
failed to count VADs
PROCESS ffffd50ec4063080
    SessionId: 0  Cid: 0110    Peb: 02e4a000  ParentCid: 0270
    DirBase: 40efc002  ObjectTable: ffff9d8fb5f06640  HandleCount: 331.
    Image: svchost.exe
    VadRoot ffffd50ec4706dc0 Vads 0 Clone 0 Private 833. Modified 481. Locked 0.
    DeviceMap ffff9d8fae6146c0
    Token                             ffff9d8fb8071670
    ElapsedTime                       00:06:34.936
    UserTime                          00:00:00.000
    KernelTime                        00:00:00.000
    QuotaPoolUsage[PagedPool]         107672
    QuotaPoolUsage[NonPagedPool]      127872
    Working Set Sizes (now,min,max)  (0, 0, 0) (0KB, 0KB, 0KB)
    PeakWorkingSetSize                0
    VirtualSize                       122 Mb
    PeakVirtualSize                   124 Mb
    PageFaultCount                    0
    MemoryPriority                    BACKGROUND
    BasePriority                      8
    CommitCharge                      1764

        THREAD ffffd50ec3abc2c0  Cid 0110.0234  Teb: 0000000002e4c000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
            ffffd50ec341fce0  SynchronizationEvent

        THREAD ffffd50ec2f65080  Cid 0110.0d74  Teb: 0000000002e55000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
            ffffd50ec4d5f460  NotificationEvent

        THREAD ffffd50ec0fc0080  Cid 0110.00b8  Teb: 0000000002e5b000 Win32Thread: ffffd50ec4706a50 WAIT: (UserRequest) UserMode Non-Alertable
            ffffd50ec4d621e0  NotificationEvent

        THREAD ffffd50ec48d6080  Cid 0110.0e78  Teb: 0000000002e5e000 Win32Thread: ffffd50ec4707860 WAIT: (UserRequest) UserMode Non-Alertable
            ffffd50ec4d5fc60  NotificationEvent
            ffffd50ec4b08a80  QueueObject

        THREAD ffffd50ec2e9d080  Cid 0110.1580  Teb: 0000000002e64000 Win32Thread: 0000000000000000 WAIT: (DelayExecution) UserMode Non-Alertable
            ffffffffffffffff  NotificationEvent

        THREAD ffffd50ebdd8b080  Cid 0110.1728  Teb: 0000000002e67000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
            ffffd50ec37ef080  ProcessObject

        THREAD ffffd50ec4061080  Cid 0110.011c  Teb: 0000000002e6a000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
            ffffd50ec4d62ee0  NotificationEvent

        THREAD ffffd50ec30db080  Cid 0110.0bc8  Teb: 0000000002e6d000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
            ffffd50ec4d62460  NotificationEvent

        THREAD ffffd50ec0ee5080  Cid 0110.0c38  Teb: 0000000002e70000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
            ffffd50ec4d62660  NotificationEvent

        THREAD ffffd50ec3151080  Cid 0110.12c4  Teb: 0000000002e73000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
            ffffd50ec4d600e0  SynchronizationEvent
            ffffd50ec45c50c0  ProcessObject

        THREAD ffffd50ec2f5a080  Cid 0110.156c  Teb: 0000000002e76000 Win32Thread: 0000000000000000 RUNNING on processor 0

        THREAD ffffd50ec2887080  Cid 0110.1148  Teb: 0000000002e79000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
            ffffd50ec4d63560  NotificationEvent
            ffffd50ec4d63460  NotificationEvent
            ffffd50ec4d63ce0  NotificationEvent

        THREAD ffffd50ec473b080  Cid 0110.0f40  Teb: 0000000002e7c000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
            ffffd50ec4d63ce0  NotificationEvent

        THREAD ffffd50ec0f15040  Cid 0110.0df0  Teb: 0000000002e7f000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
            ffffd50ec4b02b00  QueueObject

        THREAD ffffd50ec4067080  Cid 0110.0490  Teb: 0000000002e82000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
            ffffd50ec4b02b00  QueueObject

        THREAD ffffd50ec33dc080  Cid 0110.095c  Teb: 0000000002e85000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
            ffffd50ec4d5f3e0  NotificationEvent
            ffffd50ec4d5ffe0  NotificationEvent
            ffffd50ec4d5d460  NotificationEvent

        THREAD ffffd50ec3963080  Cid 0110.01e0  Teb: 0000000002e88000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
            ffffd50ec4d5d460  NotificationEvent

        THREAD ffffd50ec3b4f080  Cid 0110.0e00  Teb: 0000000002e91000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
            ffffd50ec4d5f260  NotificationEvent
            ffffd50ec4d5e060  NotificationEvent
            ffffd50ec4d5d8e0  NotificationEvent

        THREAD ffffd50ebdca8080  Cid 0110.17cc  Teb: 0000000002e94000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
            ffffd50ec4d5d8e0  NotificationEvent

        THREAD ffffd50ec3aad080  Cid 0110.0324  Teb: 0000000002e97000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
            ffffd50ec4d60fe0  NotificationEvent
            ffffd50ec4d5fd60  NotificationEvent
            ffffd50ec4d5f360  NotificationEvent

        THREAD ffffd50ec33f3080  Cid 0110.0bcc  Teb: 0000000002e9a000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
            ffffd50ec4d5f360  NotificationEvent

        THREAD ffffd50ec0aa8080  Cid 0110.1640  Teb: 0000000002e9d000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
            ffffd50ec4d63de0  NotificationEvent
            ffffd50ec4d63ee0  NotificationEvent
            ffffd50ec4d624e0  NotificationEvent

        THREAD ffffd50ec39d3080  Cid 0110.0688  Teb: 0000000002ea0000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
            ffffd50ec4d624e0  NotificationEvent

        THREAD ffffd50ebfc03080  Cid 0110.0118  Teb: 0000000002ea3000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
            ffffd50ec4d63d60  NotificationEvent
            ffffd50ec4d632e0  NotificationEvent
            ffffd50ec4d60160  NotificationEvent

        THREAD ffffd50ec3b81080  Cid 0110.1684  Teb: 0000000002ea6000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
            ffffd50ec4d60160  NotificationEvent

        THREAD ffffd50ec2f71080  Cid 0110.0a30  Teb: 0000000002ea9000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
            ffffd50ec2c16f60  NotificationEvent
            ffffd50ec2c16c60  NotificationEvent
            ffffd50ec2c046e0  NotificationEvent

        THREAD ffffd50ec3c89080  Cid 0110.07fc  Teb: 0000000002eac000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
            ffffd50ec2c046e0  NotificationEvent

        THREAD ffffd50ec306d080  Cid 0110.09e8  Teb: 0000000002eaf000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
            ffffd50ec4d668e0  NotificationEvent
            ffffd50ec4d651e0  NotificationEvent
            ffffd50ec4d62760  NotificationEvent

        THREAD ffffd50ebdd1c080  Cid 0110.0a9c  Teb: 0000000002eb2000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
            ffffd50ec4d62760  NotificationEvent

        THREAD ffffd50ec31e7080  Cid 0110.00d4  Teb: 0000000002eb5000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
            ffffd50ec30051e0  NotificationEvent
            ffffd50ec3003de0  NotificationEvent
            ffffd50ec30032e0  NotificationEvent

        THREAD ffffd50ec306b080  Cid 0110.0f34  Teb: 0000000002eb8000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
            ffffd50ec30032e0  NotificationEvent

0: kd> !thread
THREAD ffffd50ec2f5a080  Cid 0110.156c  Teb: 0000000002e76000 Win32Thread: 0000000000000000 RUNNING on processor 0
Not impersonating
DeviceMap                 ffff9d8fae6146c0
Owning Process            ffffd50ec4063080       Image:         svchost.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      220864         Ticks: 1 (0:00:00:00.015)
Context Switch Count      2459           IdealProcessor: 1
UserTime                  00:00:00.000
KernelTime                00:00:00.015
Win32 Start Address 0x0000000010059a3f
Stack Init ffff818d12692c90 Current ffff818d12691b30
Base ffff818d12693000 Limit ffff818d1268d000 Call 0
Priority 9 BasePriority 8 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
Child-SP          RetAddr           : Args to Child                                                           : Call Site
00000000`03a7ec88 00000000`77e31b1d : 00000023`77eb1fdc 00000000`00000023 00000000`00000000 00000000`044ffd3c : ntdll!KiRaiseUserExceptionDispatcher
00000000`03a7ec90 00000000`77e31199 : 00000000`044ffa70 00007ffe`6b02c814 00000000`00000000 00007ffe`6b02bf10 : wow64cpu!Thunk0ArgReloadState+0x5
00000000`03a7ed40 00007ffe`6b02c72a : 00000000`039054f8 00000000`00000000 00000000`00000000 00000000`03a7f180 : wow64cpu!BTCpuSimulate+0x9
00000000`03a7ed80 00007ffe`6b02c5e7 : 00000000`00000000 00000000`00000001 00000000`00000000 00000000`00000000 : wow64!RunCpuSimulation+0xa
00000000`03a7edb0 00007ffe`6b35190b : 00000000`00000000 00000000`00000000 00000000`00000001 00000000`00000000 : wow64!Wow64LdrpInitialize+0x127
00000000`03a7f060 00007ffe`6b3517f3 : 00000000`00000000 00007ffe`6b2e0000 00000000`00000000 00000000`02e76000 : ntdll!_LdrpInitialize+0xff
00000000`03a7f100 00007ffe`6b35179e : 00000000`03a7f180 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!LdrpInitialize+0x3b
00000000`03a7f130 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!LdrInitializeThunk+0xe

To load the symbols for a specific module, you must first switch to the process that has that module loaded.
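
One way to do that switch in a kernel debugging session, shown as an added example that is not part of the original page. It reuses the EPROCESS address of svchost.exe from the `!process` output above and assumes, from the wow64 frames in the stack, that the target is a 32-bit (WOW64) process.

```windbg
$$ Added example. ffffd50ec4063080 is the EPROCESS address of svchost.exe
$$ taken from the !process output above.

$$ Switch the debugger's process context. /p translates addresses through
$$ this process's page tables, /r reloads user-mode symbols after the switch.
.process /r /p ffffd50ec4063080

$$ Reload user-mode symbols explicitly (needed if /r was not given).
.reload /user

$$ List the user-mode modules visible in the new process context.
lm u

$$ Assumption: the target is a WOW64 process. Switch to the x86 effective
$$ machine before reloading symbols and walking the 32-bit stack.
.effmach x86
.reload /user
k
```

On a live target, `.process /i` followed by `g` performs an invasive switch instead, after which `.reload /user` is still required.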