I'm a bit puzzled: every other piece of process information can be viewed, but the PEB alone cannot. The prompt is "Memory read error 7ffd7208". I don't know what's wrong. I reloaded the symbol files, but that didn't help either.
The details are as follows:
Microsoft (R) Windows Debugger Version 6.9.0003.113 X86
Copyright (c) Microsoft Corporation. All rights reserved.

Unable to read head of debugger data list
Connected to Windows XP 2600 x86 compatible target, ptr64 FALSE
Symbol search path is: *** Invalid ***
****************************************************************************
* Symbol loading may be unreliable without a symbol search path.           *
* Use .symfix to have the debugger choose a symbol path.                   *
* After setting your symbol path, use .reload to refresh symbol locations. *
****************************************************************************
Executable search path is: 
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
*                                                                   *
* The Symbol Path can be set by:                                    *
*   using the _NT_SYMBOL_PATH environment variable.                 *
*   using the -y <symbol_path> argument when starting the debugger. *
*   using .sympath and .sympath+                                    *
*********************************************************************
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntoskrnl.exe - 
KdDebuggerDataBlock not available!
*******************************************************************************
WARNING: Local kernel debugging requires booting with kernel
debugging support (/debug or bcdedit -debug on) to work optimally.
*******************************************************************************
Windows XP Kernel Version 2600 UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Kernel base = 0x804d8000 PsLoadedModuleList = 0x8055b620
Debug session time: Fri Apr 17 10:48:29.750 2009 (GMT+8)
System Uptime: 0 days 0:35:41.343
lkd> .reload
Unable to read head of debugger data list
Connected to Windows XP 2600 x86 compatible target, ptr64 FALSE
Loading Kernel Symbols
....................................................................................................
Loading User Symbols
.........................................................
Loading unloaded module list
...............
lkd> .reload
Unable to read head of debugger data list
Connected to Windows XP 2600 x86 compatible target, ptr64 FALSE
Loading Kernel Symbols
....................................................................................................
Loading User Symbols
.........................................................
Loading unloaded module list
...............
lkd> !process 0 0 netopad.exe
lkd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS 81ed39c8 SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000 DirBase: 00039000 ObjectTable: e1000d18 HandleCount: 246. Image: System
PROCESS 81afc788 SessionId: none Cid: 0260 Peb: 7ffdc000 ParentCid: 0004 DirBase: 04361000 ObjectTable: e131f778 HandleCount: 25. Image: smss.exe
PROCESS 81adf9e0 SessionId: 0 Cid: 0290 Peb: 7ffd9000 ParentCid: 0260 DirBase: 056cf000 ObjectTable: e1404c00 HandleCount: 258. Image: csrss.exe
PROCESS 81ab8620 SessionId: 0 Cid: 02a8 Peb: 7ffd4000 ParentCid: 0260 DirBase: 0738d000 ObjectTable: e14ac328 HandleCount: 410. Image: winlogon.exe
PROCESS 81af8da0 SessionId: 0 Cid: 02d4 Peb: 7ffd6000 ParentCid: 02a8 DirBase: 07c19000 ObjectTable: e17ab5a8 HandleCount: 249. Image: services.exe
PROCESS 81a9cbc0 SessionId: 0 Cid: 02e0 Peb: 7ffdd000 ParentCid: 02a8 DirBase: 07c2d000 ObjectTable: e1724a88 HandleCount: 290. Image: lsass.exe
PROCESS 81a77800 SessionId: 0 Cid: 0394 Peb: 7ffd3000 ParentCid: 02d4 DirBase: 0883a000 ObjectTable: e17a0520 HandleCount: 196. Image: svchost.exe
PROCESS 81a4eda0 SessionId: 0 Cid: 03ec Peb: 7ffd7000 ParentCid: 02d4 DirBase: 08c31000 ObjectTable: e17f75b8 HandleCount: 215. Image: svchost.exe
PROCESS 81a4f440 SessionId: 0 Cid: 03f4 Peb: 7ffd5000 ParentCid: 02a8 DirBase: 08ce2000 ObjectTable: e17de5b8 HandleCount: 153. Image: logonui.exe
PROCESS 81a42768 SessionId: 0 Cid: 0460 Peb: 7ffdc000 ParentCid: 02d4 DirBase: 090d8000 ObjectTable: e17f0558 HandleCount: 1053. Image: svchost.exe
PROCESS 81a46630 SessionId: 0 Cid: 049c Peb: 7ffd3000 ParentCid: 02d4 DirBase: 092d9000 ObjectTable: e1e99428 HandleCount: 79. Image: svchost.exe
PROCESS 81a04da0 SessionId: 0 Cid: 0598 Peb: 7ffd7000 ParentCid: 02d4 DirBase: 0a50e000 ObjectTable: e207f928 HandleCount: 109. Image: spoolsv.exe
PROCESS 81a3eda0 SessionId: 0 Cid: 06dc Peb: 7ffde000 ParentCid: 02d4 DirBase: 0b26d000 ObjectTable: e2166ea0 HandleCount: 102. Image: alg.exe
PROCESS 81a6c3c0 SessionId: 1 Cid: 07e4 Peb: 7ffd5000 ParentCid: 0260 DirBase: 0be12000 ObjectTable: e20c96f8 HandleCount: 117. Image: csrss.exe
PROCESS 819eb8b0 SessionId: 1 Cid: 0098 Peb: 7ffde000 ParentCid: 0260 DirBase: 0bf39000 ObjectTable: e17ac7b0 HandleCount: 227. Image: winlogon.exe
PROCESS 819f3958 SessionId: 1 Cid: 0178 Peb: 7ffd6000 ParentCid: 0098 DirBase: 0ce39000 ObjectTable: e2633c08 HandleCount: 114. Image: rdpclip.exe
PROCESS 819bfda0 SessionId: 1 Cid: 01e8 Peb: 7ffdb000 ParentCid: 0098 DirBase: 0d2be000 ObjectTable: 00000000 HandleCount: 0. Image: ati2evxx.exe
PROCESS 819ac260 SessionId: 1 Cid: 0190 Peb: 7ffdf000 ParentCid: 0200 DirBase: 0d4cd000 ObjectTable: e17a4128 HandleCount: 384. Image: explorer.exe
PROCESS 819a79e0 SessionId: 1 Cid: 03bc Peb: 7ffd3000 ParentCid: 0190 DirBase: 0e096000 ObjectTable: e29f0450 HandleCount: 71. Image: ctfmon.exe
PROCESS 819749e8 SessionId: 0 Cid: 04a8 Peb: 7ffd6000 ParentCid: 02d4 DirBase: 0f8a7000 ObjectTable: e2a95880 HandleCount: 138. Image: svchost.exe
PROCESS 819eeda0 SessionId: 0 Cid: 0310 Peb: 7ffd4000 ParentCid: 02a8 DirBase: 15397000 ObjectTable: e17167b8 HandleCount: 16. Image: logon.scr
PROCESS 8194aa10 SessionId: 1 Cid: 0100 Peb: 7ffd7000 ParentCid: 0190 DirBase: 17593000 ObjectTable: e23edf08 HandleCount: 47. Image: notepad.exe
PROCESS 81947bc0 SessionId: 1 Cid: 03b8 Peb: 7ffdb000 ParentCid: 0190 DirBase: 17c87000 ObjectTable: e29d6788 HandleCount: 155. Image: windbg.exe
lkd> !process 0 0 notepad.exe
PROCESS 8194aa10 SessionId: 1 Cid: 0100 Peb: 7ffd7000 ParentCid: 0190 DirBase: 17593000 ObjectTable: e23edf08 HandleCount: 47. Image: notepad.exe
lkd> dt _process 8194aa10
*** ERROR: Module load completed but symbols could not be loaded for \SystemRoot\system32\drivers\ALCXWDM.SYS
*** ERROR: Module load completed but symbols could not be loaded for \SystemRoot\system32\DRIVERS\NVENET.sys
*** ERROR: Module load completed but symbols could not be loaded for snapman.sys
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for \SystemRoot\system32\drivers\drmk.sys - 
*** ERROR: Module load completed but symbols could not be loaded for nv_agp.sys
*** WARNING: Unable to verify timestamp for \SystemRoot\system32\DRIVERS\fdc.sys
*** ERROR: Module load completed but symbols could not be loaded for \SystemRoot\system32\DRIVERS\fdc.sys
*** ERROR: Module load completed but symbols could not be loaded for SiWinAcc.sys
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: _process                                      ***
***                                                                   ***
*************************************************************************
Symbol _process not found.
lkd> .reload
Unable to read head of debugger data list
Connected to Windows XP 2600 x86 compatible target, ptr64 FALSE
Loading Kernel Symbols
....................................................................................................
Loading User Symbols
.........................................................
Loading unloaded module list
................
lkd> dt _process 8194aa10
*** ERROR: Module load completed but symbols could not be loaded for \SystemRoot\system32\drivers\ALCXWDM.SYS
*** ERROR: Module load completed but symbols could not be loaded for \SystemRoot\system32\DRIVERS\NVENET.sys
*** ERROR: Module load completed but symbols could not be loaded for snapman.sys
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for \SystemRoot\system32\drivers\drmk.sys - 
*** ERROR: Module load completed but symbols could not be loaded for nv_agp.sys
*** WARNING: Unable to verify timestamp for \SystemRoot\system32\DRIVERS\fdc.sys
*** ERROR: Module load completed but symbols could not be loaded for \SystemRoot\system32\DRIVERS\fdc.sys
*** ERROR: Module load completed but symbols could not be loaded for SiWinAcc.sys
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: _process                                      ***
***                                                                   ***
*************************************************************************
Symbol _process not found.
lkd> dt _EPROCESS 8194aa10
ntdll!_EPROCESS
   +0x000 Pcb : _KPROCESS
   +0x06c ProcessLock : _EX_PUSH_LOCK
   +0x070 CreateTime : _LARGE_INTEGER 0x1c9bf06`f0fd83e8
   +0x078 ExitTime : _LARGE_INTEGER 0x0
   +0x080 RundownProtect : _EX_RUNDOWN_REF
   +0x084 UniqueProcessId : 0x00000100
   +0x088 ActiveProcessLinks : _LIST_ENTRY [ 0x81947c48 - 0x819eee28 ]
   +0x090 QuotaUsage : [3] 0xb68
   +0x09c QuotaPeak : [3] 0xf18
   +0x0a8 CommitCharge : 0x1a7
   +0x0ac PeakVirtualSize : 0x2543000
   +0x0b0 VirtualSize : 0x2184000
   +0x0b4 SessionProcessLinks : _LIST_ENTRY [ 0x81947c74 - 0x819a7a94 ]
   +0x0bc DebugPort : (null)
   +0x0c0 ExceptionPort : 0xe22071c0
   +0x0c4 ObjectTable : 0xe23edf08 _HANDLE_TABLE
   +0x0c8 Token : _EX_FAST_REF
   +0x0cc WorkingSetLock : _FAST_MUTEX
   +0x0ec WorkingSetPage : 0x1766e
   +0x0f0 AddressCreationLock : _FAST_MUTEX
   +0x110 HyperSpaceLock : 0
   +0x114 ForkInProgress : (null)
   +0x118 HardwareTrigger : 0
   +0x11c VadRoot : 0x81a2a7d8
   +0x120 VadHint : 0x8199c550
   +0x124 CloneRoot : (null)
   +0x128 NumberOfPrivatePages : 0xe0
   +0x12c NumberOfLockedPages : 0
   +0x130 Win32Process : 0xe114ba60
   +0x134 Job : (null)
   +0x138 SectionObject : 0xe2964b80
   +0x13c SectionBaseAddress : 0x01000000
   +0x140 QuotaBlock : 0x819bd278 _EPROCESS_QUOTA_BLOCK
   +0x144 WorkingSetWatch : (null)
   +0x148 Win32WindowStation : 0x0000003c
   +0x14c InheritedFromUniqueProcessId : 0x00000190
   +0x150 LdtInformation : (null)
   +0x154 VadFreeHint : (null)
   +0x158 VdmObjects : (null)
   +0x15c DeviceMap : 0xe2395e18
   +0x160 PhysicalVadList : _LIST_ENTRY [ 0x8194ab70 - 0x8194ab70 ]
   +0x168 PageDirectoryPte : _HARDWARE_PTE_X86
   +0x168 Filler : 0
   +0x170 Session : 0xf89d1000
   +0x174 ImageFileName : [16] "notepad.exe"
   +0x184 JobLinks : _LIST_ENTRY [ 0x0 - 0x0 ]
   +0x18c LockedPagesList : (null)
   +0x190 ThreadListHead : _LIST_ENTRY [ 0x81a3b7d4 - 0x81a3b7d4 ]
   +0x198 SecurityPort : (null)
   +0x19c PaeTop : (null)
   +0x1a0 ActiveThreads : 1
   +0x1a4 GrantedAccess : 0x1f0fff
   +0x1a8 DefaultHardErrorProcessing : 1
   +0x1ac LastThreadExitStatus : 0
   +0x1b0 Peb : 0x7ffd7000 _PEB
   +0x1b4 PrefetchTrace : _EX_FAST_REF
   +0x1b8 ReadOperationCount : _LARGE_INTEGER 0x0
   +0x1c0 WriteOperationCount : _LARGE_INTEGER 0x0
   +0x1c8 OtherOperationCount : _LARGE_INTEGER 0x8b
   +0x1d0 ReadTransferCount : _LARGE_INTEGER 0x0
   +0x1d8 WriteTransferCount : _LARGE_INTEGER 0x0
   +0x1e0 OtherTransferCount : _LARGE_INTEGER 0x198
   +0x1e8 CommitChargeLimit : 0
   +0x1ec CommitChargePeak : 0x1a7
   +0x1f0 AweInfo : (null)
   +0x1f4 SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO
   +0x1f8 Vm : _MMSUPPORT
   +0x238 LastFaultCount : 0
   +0x23c ModifiedPageCount : 7
   +0x240 NumberOfVads : 0x49
   +0x244 JobStatus : 0
   +0x248 Flags : 0xd0840
   +0x248 CreateReported : 0y0
   +0x248 NoDebugInherit : 0y0
   +0x248 ProcessExiting : 0y0
   +0x248 ProcessDelete : 0y0
   +0x248 Wow64SplitPages : 0y0
   +0x248 VmDeleted : 0y0
   +0x248 OutswapEnabled : 0y1
   +0x248 Outswapped : 0y0
   +0x248 ForkFailed : 0y0
   +0x248 HasPhysicalVad : 0y0
   +0x248 AddressSpaceInitialized : 0y10
   +0x248 SetTimerResolution : 0y0
   +0x248 BreakOnTermination : 0y0
   +0x248 SessionCreationUnderway : 0y0
   +0x248 WriteWatch : 0y0
   +0x248 ProcessInSession : 0y1
   +0x248 OverrideAddressSpace : 0y0
   +0x248 HasAddressSpace : 0y1
   +0x248 LaunchPrefetched : 0y1
   +0x248 InjectInpageErrors : 0y0
   +0x248 VmTopDown : 0y0
   +0x248 Unused3 : 0y0
   +0x248 Unused4 : 0y0
   +0x248 VdmAllowed : 0y0
   +0x248 Unused : 0y00000 (0)
   +0x248 Unused1 : 0y0
   +0x248 Unused2 : 0y0
   +0x24c ExitStatus : 259
   +0x250 NextPageColor : 0x2984
   +0x252 SubSystemMinorVersion : 0 ''
   +0x253 SubSystemMajorVersion : 0x4 ''
   +0x252 SubSystemVersion : 0x400
   +0x254 PriorityClass : 0x2 ''
   +0x255 WorkingSetAcquiredUnsafe : 0 ''
   +0x258 Cookie : 0xf11f9ebe
lkd> !process 8194aa10
PROCESS 8194aa10 SessionId: 1 Cid: 0100 Peb: 7ffd7000 ParentCid: 0190 DirBase: 17593000 ObjectTable: e23edf08 HandleCount: 47. Image: notepad.exe
    VadRoot 81a2a7d8 Vads 73 Clone 0 Private 224. Modified 7. Locked 0.
    DeviceMap e2395e18
    Token                             e11472b0
    ElapsedTime                       00:11:05.234
    UserTime                          00:00:00.031
    KernelTime                        00:00:00.062
    QuotaPoolUsage[PagedPool]         34884
    QuotaPoolUsage[NonPagedPool]      2920
    Working Set Sizes (now,min,max)   (988, 50, 345) (3952KB, 200KB, 1380KB)
    PeakWorkingSetSize                988
    VirtualSize                       33 Mb
    PeakVirtualSize                   37 Mb
    PageFaultCount                    1041
    MemoryPriority                    BACKGROUND
    BasePriority                      8
    CommitCharge                      423

        THREAD 81a3b5a8 Cid 0100.010c Teb: 7ffdf000 Win32Thread: e2a06498 WAIT: (WrUserRequest) UserMode Non-Alertable
            81a095a0 SynchronizationEvent
        Not impersonating
        DeviceMap                 e2395e18
        Owning Process            8194aa10       Image:         notepad.exe
        Attached Process          N/A            Image:         N/A
        Wait Start TickCount      137054         Ticks: 41259 (0:00:10:44.671)
        Context Switch Count      197            LargeStack
        UserTime                  00:00:00.015
        KernelTime                00:00:00.062
        Win32 Start Address windbg!`string' (0x0100739d)
        Start Address kernel32!BaseProcessStartThunk (0x7c810665)
        Stack Init f4739000 Current f4738c20 Base f4739000 Limit f4734000 Call 0
        Priority 10 BasePriority 8 PriorityDecrement 0 DecrementCount 16
        Kernel stack not resident.

lkd> !Token e11472b0
_TOKEN e11472b0
TS Session ID: 0x1
User: S-1-5-21-789336058-839522115-725345543-500
Groups: 
 00 S-1-5-21-789336058-839522115-725345543-513
    Attributes - Mandatory Default Enabled 
 01 S-1-1-0
    Attributes - Mandatory Default Enabled 
 02 S-1-5-32-544
    Attributes - Mandatory Default Enabled Owner 
 03 S-1-5-32-545
    Attributes - Mandatory Default Enabled 
 04 S-1-5-14
    Attributes - Mandatory Default Enabled 
 05 S-1-5-4
    Attributes - Mandatory Default Enabled 
 06 S-1-5-11
    Attributes - Mandatory Default Enabled 
 07 S-1-5-5-0-62638
    Attributes - Mandatory Default Enabled LogonId 
 08 S-1-2-0
    Attributes - Mandatory Default Enabled 
Primary Group: S-1-5-21-789336058-839522115-725345543-513
Privs: 
 00 0x000000017 SeChangeNotifyPrivilege   Attributes - Enabled Default 
 01 0x000000008 SeSecurityPrivilege   Attributes - 
 02 0x000000011 SeBackupPrivilege   Attributes - 
 03 0x000000012 SeRestorePrivilege   Attributes - 
 04 0x00000000c SeSystemtimePrivilege   Attributes - 
 05 0x000000013 SeShutdownPrivilege   Attributes - 
 06 0x000000018 SeRemoteShutdownPrivilege   Attributes - 
 07 0x000000009 SeTakeOwnershipPrivilege   Attributes - 
 08 0x000000014 SeDebugPrivilege   Attributes - 
 09 0x000000016 SeSystemEnvironmentPrivilege   Attributes - 
 10 0x00000000b SeSystemProfilePrivilege   Attributes - 
 11 0x00000000d SeProfileSingleProcessPrivilege   Attributes - 
 12 0x00000000e SeIncreaseBasePriorityPrivilege   Attributes - 
 13 0x00000000a SeLoadDriverPrivilege   Attributes - Enabled 
 14 0x00000000f SeCreatePagefilePrivilege   Attributes - 
 15 0x000000005 SeIncreaseQuotaPrivilege   Attributes - 
 16 0x000000019 SeUndockPrivilege   Attributes - Enabled 
 17 0x00000001c SeManageVolumePrivilege   Attributes - 
 18 0x00000001d SeImpersonatePrivilege   Attributes - Enabled Default 
 19 0x00000001e SeCreateGlobalPrivilege   Attributes - Enabled Default 
Authentication ID:         (0,f50e)
Impersonation Level:       Anonymous
TokenType:                 Primary
Source: User32             TokenFlags: 0x89 ( Token in use )
Token ID: 3f1d7            ParentToken ID: 0
Modified ID:               (0, 3f1d9)
RestrictedSidCount: 0      RestrictedSids: 00000000
lkd> .process 8194aa10
Implicit process is now 8194aa10
lkd> dt _PEB 7ffd7000
ntdll!_PEB
   +0x000 InheritedAddressSpace : ??
   +0x001 ReadImageFileExecOptions : ??
   +0x002 BeingDebugged : ??
   +0x003 SpareBool : ??
   +0x004 Mutant : ???? 
   +0x008 ImageBaseAddress : ???? 
   +0x00c Ldr : ???? 
   +0x010 ProcessParameters : ???? 
   +0x014 SubSystemData : ???? 
   +0x018 ProcessHeap : ???? 
   +0x01c FastPebLock : ???? 
   +0x020 FastPebLockRoutine : ???? 
   +0x024 FastPebUnlockRoutine : ???? 
   +0x028 EnvironmentUpdateCount : ??
   +0x02c KernelCallbackTable : ???? 
   +0x030 SystemReserved : [1] ??
   +0x034 AtlThunkSListPtr32 : ??
   +0x038 FreeList : ???? 
   +0x03c TlsExpansionCounter : ??
   +0x040 TlsBitmap : ???? 
   +0x044 TlsBitmapBits : [2] ??
   +0x04c ReadOnlySharedMemoryBase : ???? 
   +0x050 ReadOnlySharedMemoryHeap : ???? 
   +0x054 ReadOnlyStaticServerData : ???? 
   +0x058 AnsiCodePageData : ???? 
   +0x05c OemCodePageData : ???? 
   +0x060 UnicodeCaseTableData : ???? 
   +0x064 NumberOfProcessors : ??
   +0x068 NtGlobalFlag : ??
   +0x070 CriticalSectionTimeout : _LARGE_INTEGER
   +0x078 HeapSegmentReserve : ??
   +0x07c HeapSegmentCommit : ??
   +0x080 HeapDeCommitTotalFreeThreshold : ??
   +0x084 HeapDeCommitFreeBlockThreshold : ??
   +0x088 NumberOfHeaps : ??
   +0x08c MaximumNumberOfHeaps : ??
   +0x090 ProcessHeaps : ???? 
   +0x094 GdiSharedHandleTable : ???? 
   +0x098 ProcessStarterHelper : ???? 
   +0x09c GdiDCAttributeList : ??
   +0x0a0 LoaderLock : ???? 
   +0x0a4 OSMajorVersion : ??
   +0x0a8 OSMinorVersion : ??
   +0x0ac OSBuildNumber : ??
   +0x0ae OSCSDVersion : ??
   +0x0b0 OSPlatformId : ??
   +0x0b4 ImageSubsystem : ??
   +0x0b8 ImageSubsystemMajorVersion : ??
   +0x0bc ImageSubsystemMinorVersion : ??
   +0x0c0 ImageProcessAffinityMask : ??
   +0x0c4 GdiHandleBuffer : [34] ??
   +0x14c PostProcessInitRoutine : ???? 
   +0x150 TlsExpansionBitmap : ???? 
   +0x154 TlsExpansionBitmapBits : [32] ??
   +0x1d4 SessionId : ??
   +0x1d8 AppCompatFlags : _ULARGE_INTEGER
   +0x1e0 AppCompatFlagsUser : _ULARGE_INTEGER
   +0x1e8 pShimData : ???? 
   +0x1ec AppCompatInfo : ???? 
   +0x1f0 CSDVersion : _UNICODE_STRING
   +0x1f8 ActivationContextData : ???? 
   +0x1fc ProcessAssemblyStorageMap : ???? 
   +0x200 SystemDefaultActivationContextData : ???? 
   +0x204 SystemAssemblyStorageMap : ???? 
   +0x208 MinimumStackCommit : ??
Memory read error 7ffd7208
lkd> dt _PEB 7ffd7000
ntdll!_PEB
   +0x000 InheritedAddressSpace : ??
   +0x001 ReadImageFileExecOptions : ??
   +0x002 BeingDebugged : ??
   +0x003 SpareBool : ??
   +0x004 Mutant : ???? 
   +0x008 ImageBaseAddress : ???? 
   +0x00c Ldr : ???? 
   +0x010 ProcessParameters : ???? 
   +0x014 SubSystemData : ???? 
   +0x018 ProcessHeap : ???? 
   +0x01c FastPebLock : ???? 
   +0x020 FastPebLockRoutine : ???? 
   +0x024 FastPebUnlockRoutine : ???? 
   +0x028 EnvironmentUpdateCount : ??
   +0x02c KernelCallbackTable : ???? 
   +0x030 SystemReserved : [1] ??
   +0x034 AtlThunkSListPtr32 : ??
   +0x038 FreeList : ???? 
   +0x03c TlsExpansionCounter : ??
   +0x040 TlsBitmap : ???? 
   +0x044 TlsBitmapBits : [2] ??
   +0x04c ReadOnlySharedMemoryBase : ???? 
   +0x050 ReadOnlySharedMemoryHeap : ???? 
   +0x054 ReadOnlyStaticServerData : ???? 
   +0x058 AnsiCodePageData : ???? 
   +0x05c OemCodePageData : ???? 
   +0x060 UnicodeCaseTableData : ???? 
   +0x064 NumberOfProcessors : ??
   +0x068 NtGlobalFlag : ??
   +0x070 CriticalSectionTimeout : _LARGE_INTEGER
   +0x078 HeapSegmentReserve : ??
   +0x07c HeapSegmentCommit : ??
   +0x080 HeapDeCommitTotalFreeThreshold : ??
   +0x084 HeapDeCommitFreeBlockThreshold : ??
   +0x088 NumberOfHeaps : ??
   +0x08c MaximumNumberOfHeaps : ??
   +0x090 ProcessHeaps : ???? 
   +0x094 GdiSharedHandleTable : ???? 
   +0x098 ProcessStarterHelper : ???? 
   +0x09c GdiDCAttributeList : ??
   +0x0a0 LoaderLock : ???? 
   +0x0a4 OSMajorVersion : ??
   +0x0a8 OSMinorVersion : ??
   +0x0ac OSBuildNumber : ??
   +0x0ae OSCSDVersion : ??
   +0x0b0 OSPlatformId : ??
   +0x0b4 ImageSubsystem : ??
   +0x0b8 ImageSubsystemMajorVersion : ??
   +0x0bc ImageSubsystemMinorVersion : ??
   +0x0c0 ImageProcessAffinityMask : ??
   +0x0c4 GdiHandleBuffer : [34] ??
   +0x14c PostProcessInitRoutine : ???? 
   +0x150 TlsExpansionBitmap : ???? 
   +0x154 TlsExpansionBitmapBits : [32] ??
   +0x1d4 SessionId : ??
   +0x1d8 AppCompatFlags : _ULARGE_INTEGER
   +0x1e0 AppCompatFlagsUser : _ULARGE_INTEGER
   +0x1e8 pShimData : ???? 
   +0x1ec AppCompatInfo : ???? 
   +0x1f0 CSDVersion : _UNICODE_STRING
   +0x1f8 ActivationContextData : ???? 
   +0x1fc ProcessAssemblyStorageMap : ???? 
   +0x200 SystemDefaultActivationContextData : ???? 
   +0x204 SystemAssemblyStorageMap : ???? 
   +0x208 MinimumStackCommit : ??
Memory read error 7ffd7208
lkd> .reload
Unable to read head of debugger data list
Connected to Windows XP 2600 x86 compatible target, ptr64 FALSE
Loading Kernel Symbols
....................................................................................................
Loading User Symbols
PEB is paged out (Peb.Ldr = 7ffd700c). Type ".hh dbgerr001" for details
Loading unloaded module list
...............
lkd> !process 0 0 notepad.exe
PROCESS 8194aa10 SessionId: 1 Cid: 0100 Peb: 7ffd7000 ParentCid: 0190 DirBase: 17593000 ObjectTable: e23edf08 HandleCount: 47. Image: notepad.exe
lkd> !process 8194aa10
PROCESS 8194aa10 SessionId: 1 Cid: 0100 Peb: 7ffd7000 ParentCid: 0190 DirBase: 17593000 ObjectTable: e23edf08 HandleCount: 47. Image: notepad.exe
    VadRoot 81a2a7d8 Vads 73 Clone 0 Private 224. Modified 7. Locked 0.
    DeviceMap e2395e18
    Token                             e11472b0
    ElapsedTime                       00:28:30.937
    UserTime                          00:00:00.031
    KernelTime                        00:00:00.062
    QuotaPoolUsage[PagedPool]         34884
    QuotaPoolUsage[NonPagedPool]      2920
    Working Set Sizes (now,min,max)   (988, 50, 345) (3952KB, 200KB, 1380KB)
    PeakWorkingSetSize                988
    VirtualSize                       33 Mb
    PeakVirtualSize                   37 Mb
    PageFaultCount                    1041
    MemoryPriority                    BACKGROUND
    BasePriority                      8
    CommitCharge                      423

        THREAD 81a3b5a8 Cid 0100.010c Teb: 7ffdf000 Win32Thread: e2a06498 WAIT: (WrUserRequest) UserMode Non-Alertable
            81a095a0 SynchronizationEvent
        Not impersonating
        DeviceMap                 e2395e18
        Owning Process            8194aa10       Image:         notepad.exe
        Attached Process          N/A            Image:         N/A
        Wait Start TickCount      137054         Ticks: 108182 (0:00:28:10.343)
        Context Switch Count      197            LargeStack
        UserTime                  00:00:00.015
        KernelTime                00:00:00.062
        Win32 Start Address 0x0100739d
        Start Address 0x7c810665
        Stack Init f4739000 Current f4738c20 Base f4739000 Limit f4734000 Call 0
        Priority 10 BasePriority 8 PriorityDecrement 0 DecrementCount 16
        Kernel stack not resident.

lkd> .process 8194aa10
Implicit process is now 8194aa10
lkd> dt _PEB 7ffd7000
nt!_PEB
   +0x000 InheritedAddressSpace : ??
   +0x001 ReadImageFileExecOptions : ??
   +0x002 BeingDebugged : ??
   +0x003 SpareBool : ??
   +0x004 Mutant : ???? 
   +0x008 ImageBaseAddress : ???? 
   +0x00c Ldr : ???? 
   +0x010 ProcessParameters : ???? 
   +0x014 SubSystemData : ???? 
   +0x018 ProcessHeap : ???? 
   +0x01c FastPebLock : ???? 
   +0x020 FastPebLockRoutine : ???? 
   +0x024 FastPebUnlockRoutine : ???? 
   +0x028 EnvironmentUpdateCount : ??
   +0x02c KernelCallbackTable : ???? 
   +0x030 SystemReserved : [1] ??
   +0x034 AtlThunkSListPtr32 : ??
   +0x038 FreeList : ???? 
   +0x03c TlsExpansionCounter : ??
   +0x040 TlsBitmap : ???? 
   +0x044 TlsBitmapBits : [2] ??
   +0x04c ReadOnlySharedMemoryBase : ???? 
   +0x050 ReadOnlySharedMemoryHeap : ???? 
   +0x054 ReadOnlyStaticServerData : ???? 
   +0x058 AnsiCodePageData : ???? 
   +0x05c OemCodePageData : ???? 
   +0x060 UnicodeCaseTableData : ???? 
   +0x064 NumberOfProcessors : ??
   +0x068 NtGlobalFlag : ??
   +0x070 CriticalSectionTimeout : _LARGE_INTEGER
   +0x078 HeapSegmentReserve : ??
   +0x07c HeapSegmentCommit : ??
   +0x080 HeapDeCommitTotalFreeThreshold : ??
   +0x084 HeapDeCommitFreeBlockThreshold : ??
   +0x088 NumberOfHeaps : ??
   +0x08c MaximumNumberOfHeaps : ??
   +0x090 ProcessHeaps : ???? 
   +0x094 GdiSharedHandleTable : ???? 
   +0x098 ProcessStarterHelper : ???? 
   +0x09c GdiDCAttributeList : ??
   +0x0a0 LoaderLock : ???? 
   +0x0a4 OSMajorVersion : ??
   +0x0a8 OSMinorVersion : ??
   +0x0ac OSBuildNumber : ??
   +0x0ae OSCSDVersion : ??
   +0x0b0 OSPlatformId : ??
   +0x0b4 ImageSubsystem : ??
   +0x0b8 ImageSubsystemMajorVersion : ??
   +0x0bc ImageSubsystemMinorVersion : ??
   +0x0c0 ImageProcessAffinityMask : ??
   +0x0c4 GdiHandleBuffer : [34] ??
   +0x14c PostProcessInitRoutine : ???? 
   +0x150 TlsExpansionBitmap : ???? 
   +0x154 TlsExpansionBitmapBits : [32] ??
   +0x1d4 SessionId : ??
   +0x1d8 AppCompatFlags : _ULARGE_INTEGER
   +0x1e0 AppCompatFlagsUser : _ULARGE_INTEGER
   +0x1e8 pShimData : ???? 
   +0x1ec AppCompatInfo : ???? 
   +0x1f0 CSDVersion : _UNICODE_STRING
   +0x1f8 ActivationContextData : ???? 
   +0x1fc ProcessAssemblyStorageMap : ???? 
   +0x200 SystemDefaultActivationContextData : ???? 
   +0x204 SystemAssemblyStorageMap : ???? 
   +0x208 MinimumStackCommit : ??
Memory read error 7ffd7208
Right... if you don't switch into that process as the "current process", how could you possibly see another process's address space?
Also, the OP should download the symbols first.
Attached is a screenshot of the PEB-walk output from some code I wrote earlier:
Raymond wrote: The PEB lives in user-mode address space, so it is process-specific. Before examining it you should switch process context with the .process /p command, for example:
PROCESS 8796f858 SessionId: 0 Cid: 17b8 Peb: 7ffdc000 ParentCid: 07e8 DirBase: 18900fa0 ObjectTable: 00000000 HandleCount: 0. Image: wmiprvse.exe
lkd> .PROCESS /p 8796f858
Implicit process is now 8796f858
lkd> dt _PEB 8796f858
nt!_PEB
   +0x000 InheritedAddressSpace : 0x3 ''
   +0x001 ReadImageFileExecOptions : 0 ''
   +0x002 BeingDebugged : 0x1b ''
   +0x003 SpareBool : 0 ''
   +0x004 Mutant : 0x00000001
The original text on page 173 uses
.process 86a7d030 (set the current implicit process), not .process /p 86a7d030
I did use that command, though.
lkd> .process 8194aa10
Implicit process is now 8194aa10
lkd> dt _PEB 7ffd7000
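Pulling the thread together, here is the local-kernel-debugging sequence I would use to read another process's PEB on this XP x86 target, with the checks that explain each symptom in the log above. This is an added example, not a command log posted by any of the participants. It reuses the notepad.exe addresses from the OP's output (EPROCESS 8194aa10, Peb 7ffd7000) and assumes a symbol path pointing at a symbol store (c:\symbols here is a placeholder); the `$$` lines are WinDbg comments.

```windbg
$$ 1. Symbols first. The "Symbol _process not found" / "not using the correct
$$    symbols" banners above mean dt has no type information at all.
.symfix c:\symbols
.reload

$$ 2. Find the target and record both addresses that !process prints:
$$    the EPROCESS (8194aa10) and the Peb (7ffd7000).
!process 0 0 notepad.exe

$$ 3. Switch address context. Plain ".process <eprocess>" only changes the
$$    implicit process; user-mode virtual addresses are still translated
$$    through whatever page directory happens to be current, which is why
$$    every PEB field came back as "??". /p makes the debugger translate
$$    user-mode addresses through notepad's own DirBase (17593000);
$$    /r reloads user-mode symbols (ntdll, kernel32) for that context.
.process /p /r 8194aa10

$$ 4. Read the PEB. The argument is the Peb value from !process, not the
$$    EPROCESS address; after .process the $peb pseudo-register holds it too.
dt nt!_PEB 7ffd7000
dt nt!_PEB @$peb
!peb

$$ 5. Cross-check the fields that matter for process inspection against the
$$    kernel-side view: ImageBaseAddress should equal the EPROCESS
$$    SectionBaseAddress (0x01000000 in the dump above) and Ldr should be a
$$    valid user-mode pointer rather than "????".
dt nt!_PEB @$peb ImageBaseAddress Ldr BeingDebugged NtGlobalFlag
dt nt!_EPROCESS 8194aa10 SectionBaseAddress Peb

$$ 6. Caveat for lkd specifically: it reads live physical memory and cannot
$$    fault pages in. If the second .reload says "PEB is paged out
$$    (Peb.Ldr = 7ffd700c)" and dt still prints "Memory read error", the
$$    context switch is correct but the page is simply not resident (this
$$    notepad had been idle for 28 minutes). Make the target touch its PEB
$$    (bring the window to the foreground, or attach a user-mode debugger
$$    with "windbg -p 0x100" and run !peb there), then repeat step 4.
```

Step 3 is the one the thread turns on: `.process` without `/p` is exactly what the OP ran, and it is the form that leaves the `??` fields behind. Step 6 is the second, independent failure mode in the same log, and it is worth checking before assuming the context switch was wrong, since `dt` reports both conditions identically.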