EPROCESS contents shown with a WinDbg example
2023-11-03
Use the following WinDbg command to list all processes:
!process 0 0
The output is:
0: kd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS ffffa9821b4cf040
SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000
DirBase: 001ab002 ObjectTable: ffff8082a4a01080 HandleCount: <Data Not Accessible>
Image: System
PROCESS ffffa982690f9040
SessionId: none Cid: 015c Peb: 899aa69000 ParentCid: 0004
DirBase: 1fe9c002 ObjectTable: ffff8082a50c5440 HandleCount: <Data Not Accessible>
Image: smss.exe
PROCESS ffffa9826c11d780
SessionId: 0 Cid: 01f4 Peb: 4bf934a000 ParentCid: 01e0
DirBase: 0a5b7002 ObjectTable: ffff8082a90cab80 HandleCount: <Data Not Accessible>
Image: csrss.exe
PROCESS ffffa9826ca014c0
SessionId: 1 Cid: 0248 Peb: 50a3e11000 ParentCid: 015c
DirBase: 0d428002 ObjectTable: 00000000 HandleCount: 0.
Image: smss.exe
PROCESS ffffa9826ca05300
SessionId: 0 Cid: 0250 Peb: 5ee10f3000 ParentCid: 01e0
DirBase: 0d4c8002 ObjectTable: ffff8082abd2eb40 HandleCount: <Data Not Accessible>
Image: wininit.exe
PROCESS ffffa9826ca09600
SessionId: 1 Cid: 0258 Peb: a27a656000 ParentCid: 0248
DirBase: 0d567002 ObjectTable: ffff8082a5886940 HandleCount: <Data Not Accessible>
Image: csrss.exe
PROCESS ffffa9826cb3d780
SessionId: 0 Cid: 02a4 Peb: 28158a000 ParentCid: 0250
DirBase: 7dd96002 ObjectTable: ffff8082a4b0f640 HandleCount: <Data Not Accessible>
Image: services.exe
PROCESS ffffa9826cb64780
SessionId: 0 Cid: 02ac Peb: d01a751000 ParentCid: 0250
DirBase: 7bb0f002 ObjectTable: ffff8082a58dd040 HandleCount: <Data Not Accessible>
Image: lsass.exe
PROCESS ffffa9826cb70080
SessionId: 1 Cid: 02d0 Peb: 447b7f000 ParentCid: 0248
DirBase: 7b854002 ObjectTable: ffff8082abd384c0 HandleCount: <Data Not Accessible>
Image: winlogon.exe
PROCESS ffffa9826cbeb780
SessionId: 0 Cid: 0344 Peb: b9f0f6d000 ParentCid: 02a4
DirBase: 7a23a002 ObjectTable: ffff8082ac5de040 HandleCount: <Data Not Accessible>
Image: svchost.exe
PROCESS ffffa9826e486780
SessionId: 0 Cid: 0380 Peb: 5474d94000 ParentCid: 02a4
DirBase: 79d7f002 ObjectTable: ffff8082ac605040 HandleCount: <Data Not Accessible>
Image: svchost.exe
PROCESS ffffa9826e4b8780
SessionId: 1 Cid: 013c Peb: 4089be5000 ParentCid: 02d0
DirBase: 78d84002 ObjectTable: 00000000 HandleCount: 0.
Image: LogonUI.exe
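A parser for the listing above, added here as an example (not code from the original page): it turns each `PROCESS` block into a record keyed by Cid, rebuilds the parent/child tree from ParentCid, marks the entries whose ObjectTable is 00000000 (the handle table has already been freed, as happens during process teardown; the `dt _EPROCESS` dump of LogonUI.exe further down shows ExitTime populated and ActiveThreads 0 for exactly that entry), and checks the parent of core system processes against what a normal boot produces. The sample text is eight entries copied from the listing; the function names, the `Proc` record and the expected-parent table are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample: eight entries copied from the `!process 0 0` listing above.
SAMPLE = """\
PROCESS ffffa9821b4cf040
    SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 001ab002  ObjectTable: ffff8082a4a01080  HandleCount: <Data Not Accessible>
    Image: System
PROCESS ffffa982690f9040
    SessionId: none  Cid: 015c    Peb: 899aa69000  ParentCid: 0004
    DirBase: 1fe9c002  ObjectTable: ffff8082a50c5440  HandleCount: <Data Not Accessible>
    Image: smss.exe
PROCESS ffffa9826ca014c0
    SessionId: 1  Cid: 0248    Peb: 50a3e11000  ParentCid: 015c
    DirBase: 0d428002  ObjectTable: 00000000  HandleCount:   0.
    Image: smss.exe
PROCESS ffffa9826ca05300
    SessionId: 0  Cid: 0250    Peb: 5ee10f3000  ParentCid: 01e0
    DirBase: 0d4c8002  ObjectTable: ffff8082abd2eb40  HandleCount: <Data Not Accessible>
    Image: wininit.exe
PROCESS ffffa9826cb3d780
    SessionId: 0  Cid: 02a4    Peb: 28158a000  ParentCid: 0250
    DirBase: 7dd96002  ObjectTable: ffff8082a4b0f640  HandleCount: <Data Not Accessible>
    Image: services.exe
PROCESS ffffa9826cb64780
    SessionId: 0  Cid: 02ac    Peb: d01a751000  ParentCid: 0250
    DirBase: 7bb0f002  ObjectTable: ffff8082a58dd040  HandleCount: <Data Not Accessible>
    Image: lsass.exe
PROCESS ffffa9826cb70080
    SessionId: 1  Cid: 02d0    Peb: 447b7f000  ParentCid: 0248
    DirBase: 7b854002  ObjectTable: ffff8082abd384c0  HandleCount: <Data Not Accessible>
    Image: winlogon.exe
PROCESS ffffa9826e4b8780
    SessionId: 1  Cid: 013c    Peb: 4089be5000  ParentCid: 02d0
    DirBase: 78d84002  ObjectTable: 00000000  HandleCount:   0.
    Image: LogonUI.exe
"""

# One `PROCESS` block: header line, Cid line, DirBase line, Image line.
PROC_RE = re.compile(
    r"PROCESS (?P<ep>[0-9a-f]+)\s+"
    r"SessionId: (?P<sid>\S+)\s+Cid: (?P<cid>[0-9a-f]+)\s+Peb: [0-9a-f]+\s+ParentCid: (?P<ppid>[0-9a-f]+)\s+"
    r"DirBase: (?P<dirbase>[0-9a-f]+)\s+ObjectTable: (?P<ot>[0-9a-f]+)\s+HandleCount:[^\n]*\n"
    r"\s*Image: (?P<image>\S+)"
)

@dataclass
class Proc:
    eprocess: int
    cid: int
    parent_cid: int
    session: str
    dirbase: int
    object_table: int
    image: str

    @property
    def exited(self) -> bool:
        # ObjectTable 00000000: the handle table is already gone, i.e. the process
        # has been torn down but its EPROCESS is still linked into the list.
        return self.object_table == 0

def parse_process_list(text: str) -> List[Proc]:
    return [Proc(int(m["ep"], 16), int(m["cid"], 16), int(m["ppid"], 16), m["sid"],
                 int(m["dirbase"], 16), int(m["ot"], 16), m["image"])
            for m in PROC_RE.finditer(text)]

def children_of(procs: List[Proc], cid: int) -> List[str]:
    """Image names of the processes whose ParentCid is `cid`, in listing order."""
    return [p.image for p in procs if p.parent_cid == cid]

# Parent each core process has after a normal boot (this example's own table).
EXPECTED_PARENT = {"csrss.exe": "smss.exe", "wininit.exe": "smss.exe", "winlogon.exe": "smss.exe",
                   "services.exe": "wininit.exe", "lsass.exe": "wininit.exe", "svchost.exe": "services.exe"}

def check_parents(procs: List[Proc]) -> Tuple[List[str], List[str]]:
    """Return (mismatched, unverifiable): a mismatch is a core process whose listed parent
    exists but is not the expected image; unverifiable means the parent Cid is no longer in
    the list (the per-session smss.exe copy exits after spawning csrss/wininit/winlogon)."""
    by_cid = {p.cid: p for p in procs}
    mismatched, unverifiable = [], []
    for p in procs:
        expected = EXPECTED_PARENT.get(p.image)
        if expected is None:
            continue
        parent = by_cid.get(p.parent_cid)
        if parent is None:
            unverifiable.append(p.image)
        elif parent.image != expected:
            mismatched.append(f"{p.image} <- {parent.image}")
    return mismatched, unverifiable

if __name__ == "__main__":
    procs = parse_process_list(SAMPLE)
    for p in procs:
        print(f"{p.image:14} cid={p.cid:#06x} parent={p.parent_cid:#06x} exited={p.exited}")
    print("parent check:", check_parents(procs))
```

Run against a full `!process 0 0` dump, the same parser feeds a process-tree view or a quick triage of which system processes have an unexpected parent, the kind of check memory-forensics tools perform on the same list.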
Pick any process, for example LogonUI.exe, and dump its _EPROCESS with dt:
0: kd> dt _EPROCESS ffffa9826e4b8780
ntdll!_EPROCESS
+0x000 Pcb : _KPROCESS
+0x2d8 ProcessLock : _EX_PUSH_LOCK
+0x2e0 RundownProtect : _EX_RUNDOWN_REF
+0x2e8 UniqueProcessId : 0x00000000`0000013c Void
+0x2f0 ActiveProcessLinks : _LIST_ENTRY [ 0xffffa982`6e529a70 - 0xffffa982`6e486a70 ]
+0x300 Flags2 : 0x200d000
+0x300 JobNotReallyActive : 0y0
+0x300 AccountingFolded : 0y0
+0x300 NewProcessReported : 0y0
+0x300 ExitProcessReported : 0y0
+0x300 ReportCommitChanges : 0y0
+0x300 LastReportMemory : 0y0
+0x300 ForceWakeCharge : 0y0
+0x300 CrossSessionCreate : 0y0
+0x300 NeedsHandleRundown : 0y0
+0x300 RefTraceEnabled : 0y0
+0x300 DisableDynamicCode : 0y0
+0x300 EmptyJobEvaluated : 0y0
+0x300 DefaultPagePriority : 0y101
+0x300 PrimaryTokenFrozen : 0y1
+0x300 ProcessVerifierTarget : 0y0
+0x300 StackRandomizationDisabled : 0y0
+0x300 AffinityPermanent : 0y0
+0x300 AffinityUpdateEnable : 0y0
+0x300 PropagateNode : 0y0
+0x300 ExplicitAffinity : 0y0
+0x300 ProcessExecutionState : 0y00
+0x300 DisallowStrippedImages : 0y0
+0x300 HighEntropyASLREnabled : 0y1
+0x300 ExtensionPointDisable : 0y0
+0x300 ForceRelocateImages : 0y0
+0x300 ProcessStateChangeRequest : 0y00
+0x300 ProcessStateChangeInProgress : 0y0
+0x300 DisallowWin32kSystemCalls : 0y0
+0x304 Flags : 0x564c0c3d
+0x304 CreateReported : 0y1
+0x304 NoDebugInherit : 0y0
+0x304 ProcessExiting : 0y1
+0x304 ProcessDelete : 0y1
+0x304 ControlFlowGuardEnabled : 0y1
+0x304 VmDeleted : 0y1
+0x304 OutswapEnabled : 0y0
+0x304 Outswapped : 0y0
+0x304 FailFastOnCommitFail : 0y0
+0x304 Wow64VaSpace4Gb : 0y0
+0x304 AddressSpaceInitialized : 0y11
+0x304 SetTimerResolution : 0y0
+0x304 BreakOnTermination : 0y0
+0x304 DeprioritizeViews : 0y0
+0x304 WriteWatch : 0y0
+0x304 ProcessInSession : 0y0
+0x304 OverrideAddressSpace : 0y0
+0x304 HasAddressSpace : 0y1
+0x304 LaunchPrefetched : 0y1
+0x304 Background : 0y0
+0x304 VmTopDown : 0y0
+0x304 ImageNotifyDone : 0y1
+0x304 PdeUpdateNeeded : 0y0
+0x304 VdmAllowed : 0y0
+0x304 ProcessRundown : 0y1
+0x304 ProcessInserted : 0y1
+0x304 DefaultIoPriority : 0y010
+0x304 ProcessSelfDelete : 0y1
+0x304 SetTimerResolutionLink : 0y0
+0x308 CreateTime : _LARGE_INTEGER 0x01da0e2d`fe5e20a2
+0x310 ProcessQuotaUsage : [2] 0
+0x320 ProcessQuotaPeak : [2] 0x96f8
+0x330 PeakVirtualSize : 0x00000200`1f36b000
+0x338 VirtualSize : 0
+0x340 SessionProcessLinks : _LIST_ENTRY [ 0xffffa982`6e529ac0 - 0xffffa982`6cb703c0 ]
+0x350 ExceptionPortData : 0xffffa982`6ca0b490 Void
+0x350 ExceptionPortValue : 0xffffa982`6ca0b490
+0x350 ExceptionPortState : 0y000
+0x358 Token : _EX_FAST_REF
+0x360 WorkingSetPage : 0x78d87
+0x368 AddressCreationLock : _EX_PUSH_LOCK
+0x370 PageTableCommitmentLock : _EX_PUSH_LOCK
+0x378 RotateInProgress : (null)
+0x380 ForkInProgress : (null)
+0x388 CommitChargeJob : (null)
+0x390 CloneRoot : _RTL_AVL_TREE
+0x398 NumberOfPrivatePages : 0
+0x3a0 NumberOfLockedPages : 0
+0x3a8 Win32Process : (null)
+0x3b0 Job : (null)
+0x3b8 SectionObject : (null)
+0x3c0 SectionBaseAddress : 0x00007ff7`2d4c0000 Void
+0x3c8 Cookie : 0x8c70af7c
+0x3d0 WorkingSetWatch : (null)
+0x3d8 Win32WindowStation : 0x00000000`000000b4 Void
+0x3e0 InheritedFromUniqueProcessId : 0x00000000`000002d0 Void
+0x3e8 LdtInformation : (null)
+0x3f0 OwnerProcessId : 0
+0x3f8 Peb : 0x00000040`89be5000 _PEB
+0x400 Session : 0xffffc081`62194000 _MM_SESSION_SPACE
+0x408 AweInfo : (null)
+0x410 QuotaBlock : 0xfffff800`b5da2980 _EPROCESS_QUOTA_BLOCK
+0x418 ObjectTable : (null)
+0x420 DebugPort : (null)
+0x428 WoW64Process : (null)
+0x430 DeviceMap : 0xffff8082`a4a17cb0 Void
+0x438 EtwDataSource : 0xffffa982`6e51d080 Void
+0x440 PageDirectoryPte : 0
+0x448 ImageFilePointer : (null)
+0x450 ImageFileName : [15] "LogonUI.exe"
+0x45f PriorityClass : 0x3 ''
+0x460 SecurityPort : 0x00000000`00000001 Void
+0x468 SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO
+0x470 JobLinks : _LIST_ENTRY [ 0x00000000`00000000 - 0x00000000`00000000 ]
+0x480 HighestUserAddress : 0x00007fff`ffff0000 Void
+0x488 ThreadListHead : _LIST_ENTRY [ 0xffffa982`6e4b8c08 - 0xffffa982`6e4b8c08 ]
+0x498 ActiveThreads : 0
+0x49c ImagePathHash : 0
+0x4a0 DefaultHardErrorProcessing : 0
+0x4a4 LastThreadExitStatus : 0n0
+0x4a8 PrefetchTrace : _EX_FAST_REF
+0x4b0 LockedPagesList : (null)
+0x4b8 ReadOperationCount : _LARGE_INTEGER 0x4a
+0x4c0 WriteOperationCount : _LARGE_INTEGER 0x1
+0x4c8 OtherOperationCount : _LARGE_INTEGER 0x4ae
+0x4d0 ReadTransferCount : _LARGE_INTEGER 0x1266e5
+0x4d8 WriteTransferCount : _LARGE_INTEGER 0xa0
+0x4e0 OtherTransferCount : _LARGE_INTEGER 0x14ed4
+0x4e8 CommitChargeLimit : 0
+0x4f0 CommitCharge : 0
+0x4f8 CommitChargePeak : 0x60ad
+0x500 Vm : _MMSUPPORT_FULL
+0x610 MmProcessLinks : _LIST_ENTRY [ 0xffffa982`6e529d90 - 0xffffa982`6e486d90 ]
+0x620 VadRoot : _RTL_AVL_TREE
+0x628 ModifiedPageCount : 0x2d5
+0x62c ExitStatus : 0n0
+0x630 VadHint : (null)
+0x638 VadCount : 0
+0x640 VadPhysicalPages : 0
+0x648 VadPhysicalPagesLimit : 0
+0x650 AlpcContext : _ALPC_PROCESS_CONTEXT
+0x670 TimerResolutionLink : _LIST_ENTRY [ 0x00000000`00000000 - 0x00000000`00000000 ]
+0x680 TimerResolutionStackRecord : (null)
+0x688 RequestedTimerResolution : 0
+0x68c SmallestTimerResolution : 0
+0x690 ExitTime : _LARGE_INTEGER 0x01da0e2e`03dfb65f
+0x698 InvertedFunctionTable : (null)
+0x6a0 InvertedFunctionTableLock : _EX_PUSH_LOCK
+0x6a8 ActiveThreadsHighWatermark : 0x1e
+0x6ac LargePrivateVadCount : 0
+0x6b0 ThreadListLock : _EX_PUSH_LOCK
+0x6b8 WnfContext : 0xffff8082`ac7e6520 Void
+0x6c0 Spare0 : 0
+0x6c8 SignatureLevel : 0 ''
+0x6c9 SectionSignatureLevel : 0 ''
+0x6ca Protection : _PS_PROTECTION
+0x6cb HangCount : 0 ''
+0x6cc Flags3 : 0x800000
+0x6cc Minimal : 0y0
+0x6cc ReplacingPageRoot : 0y0
+0x6cc DisableNonSystemFonts : 0y0
+0x6cc AuditNonSystemFontLoading : 0y0
+0x6cc Crashed : 0y0
+0x6cc JobVadsAreTracked : 0y0
+0x6cc VadTrackingDisabled : 0y0
+0x6cc AuxiliaryProcess : 0y0
+0x6cc SubsystemProcess : 0y0
+0x6cc IndirectCpuSets : 0y0
+0x6cc InPrivate : 0y0
+0x6cc ProhibitRemoteImageMap : 0y0
+0x6cc ProhibitLowILImageMap : 0y0
+0x6cc SignatureMitigationOptIn : 0y0
+0x6cc DisableDynamicCodeAllowOptOut : 0y0
+0x6cc EnableFilteredWin32kAPIs : 0y0
+0x6cc AuditFilteredWin32kAPIs : 0y0
+0x6cc PreferSystem32Images : 0y0
+0x6cc RelinquishedCommit : 0y0
+0x6cc AutomaticallyOverrideChildProcessPolicy : 0y0
+0x6cc HighGraphicsPriority : 0y0
+0x6cc CommitFailLogged : 0y0
+0x6cc ReserveFailLogged : 0y0
+0x6cc AddressPolicyFrozen : 0y1
+0x6cc RestrictIndirectBranchPrediction : 0y0
+0x6cc SpeculativeStoreBypassDisable : 0y0
+0x6d0 DeviceAsid : 0n0
+0x6d8 SvmData : (null)
+0x6e0 SvmProcessLock : _EX_PUSH_LOCK
+0x6e8 SvmLock : 0
+0x6f0 SvmProcessDeviceListHead : _LIST_ENTRY [ 0xffffa982`6e4b8e70 - 0xffffa982`6e4b8e70 ]
+0x700 LastFreezeInterruptTime : 0
+0x708 DiskCounters : 0xffffa982`6e4b8f40 _PROCESS_DISK_COUNTERS
+0x710 PicoContext : (null)
+0x718 TrustletIdentity : 0
+0x720 KeepAliveCounter : 0
+0x724 NoWakeKeepAliveCounter : 0
+0x728 HighPriorityFaultsAllowed : 0
+0x730 EnergyValues : 0xffffa982`6e4b8f68 _PROCESS_ENERGY_VALUES
+0x738 VmContext : (null)
+0x740 SequenceNumber : 0xe
+0x748 CreateInterruptTime : 0x4fa2fd8
+0x750 CreateUnbiasedInterruptTime : 0x4fa2fd8
+0x758 TotalUnbiasedFrozenTime : 0
+0x760 LastAppStateUpdateTime : 0xa1d4bf3
+0x768 LastAppStateUptime : 0y0000000000000000000000000000000000101001000110001110000011011 (0x5231c1b)
+0x768 LastAppState : 0y011
+0x770 SharedCommitCharge : 0
+0x778 SharedCommitLock : _EX_PUSH_LOCK
+0x780 SharedCommitLinks : _LIST_ENTRY [ 0xffffa982`6e4b8f00 - 0xffffa982`6e4b8f00 ]
+0x790 AllowedCpuSets : 0
+0x798 DefaultCpuSets : 0
+0x790 AllowedCpuSetsIndirect : (null)
+0x798 DefaultCpuSetsIndirect : (null)
+0x7a0 DiskIoAttribution : (null)
+0x7a8 ReadyTime : 0
+0x7b0 DxgProcess : (null)
+0x7b8 SecurityDomain : 0
KPROCESS contents:
0: kd> dt _KPROCESS ffffa9826e4b8780
ntdll!_KPROCESS
+0x000 Header : _DISPATCHER_HEADER
+0x018 ProfileListHead : _LIST_ENTRY [ 0xffffa982`6e4b8798 - 0xffffa982`6e4b8798 ]
+0x028 DirectoryTableBase : 0x78d84002
+0x030 ThreadListHead : _LIST_ENTRY [ 0xffffa982`6e4b87b0 - 0xffffa982`6e4b87b0 ]
+0x040 ProcessLock : 0
+0x044 Spare0 : 0
+0x048 DeepFreezeStartTime : 0
+0x050 Affinity : _KAFFINITY_EX
+0x0f8 ReadyListHead : _LIST_ENTRY [ 0xffffa982`6e4b8878 - 0xffffa982`6e4b8878 ]
+0x108 SwapListEntry : _SINGLE_LIST_ENTRY
+0x110 ActiveProcessors : _KAFFINITY_EX
+0x1b8 AutoAlignment : 0y0
+0x1b8 DisableBoost : 0y0
+0x1b8 DisableQuantum : 0y0
+0x1b8 DeepFreeze : 0y0
+0x1b8 TimerVirtualization : 0y0
+0x1b8 CheckStackExtents : 0y1
+0x1b8 SpareFlags0 : 0y00
+0x1b8 ActiveGroupsMask : 0y00000000000000000001 (0x1)
+0x1b8 ReservedFlags : 0y0000
+0x1b8 ProcessFlags : 0n288
+0x1bc BasePriority : 13 ''
+0x1bd QuantumReset : 6 ''
+0x1be Visited : 0 ''
+0x1bf Flags : _KEXECUTE_OPTIONS
+0x1c0 ThreadSeed : [20] 1
+0x210 IdealNode : [20] 0
+0x238 IdealGlobalNode : 0
+0x23a Spare1 : 0
+0x23c StackCount : _KSTACK_COUNT
+0x240 ProcessListEntry : _LIST_ENTRY [ 0xffffa982`6e5299c0 - 0xffffa982`6e4869c0 ]
+0x250 CycleTime : 0x91bc0982
+0x258 ContextSwitches : 0x121e
+0x260 SchedulingGroup : (null)
+0x268 FreezeCount : 0
+0x26c KernelTime : 0x19
+0x270 UserTime : 0x15
+0x274 Spare2 : [75] ""
+0x2bf AddressPolicy : 0x1 ''
+0x2c0 UserDirectoryTableBase : 1
+0x2c8 InstrumentationCallback : (null)
+0x2d0 SecurePid : 0
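The two `dt` dumps above carry more than field values: the offsets let you follow the kernel's intrusive lists by hand. ActiveProcessLinks sits at +0x2f0, and a _LIST_ENTRY pointer points at the link inside the neighbouring EPROCESS, so subtracting the offset (the CONTAINING_RECORD idiom) gives that neighbour's base. Applied to the Blink shown above, 0xffffa982`6e486a70 - 0x2f0 = 0xffffa9826e486780, which is the svchost.exe entry (Cid 0380) in the `!process 0 0` listing. The example below, added here and not part of the original page, parses both dumps, does that computation, decodes CreateTime/ExitTime as FILETIME values, and cross-checks UniqueProcessId, InheritedFromUniqueProcessId and KPROCESS.DirectoryTableBase against the Cid, ParentCid and DirBase that `!process` printed for LogonUI.exe. The sample strings are lines copied from the dumps; the function names are this example's own.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

# Constructed sample: selected lines copied from the `dt _EPROCESS` and
# `dt _KPROCESS` dumps of LogonUI.exe shown above.
EPROCESS_DUMP = """\
   +0x2e8 UniqueProcessId  : 0x00000000`0000013c Void
   +0x2f0 ActiveProcessLinks : _LIST_ENTRY [ 0xffffa982`6e529a70 - 0xffffa982`6e486a70 ]
   +0x308 CreateTime       : _LARGE_INTEGER 0x01da0e2d`fe5e20a2
   +0x358 Token            : _EX_FAST_REF
   +0x3e0 InheritedFromUniqueProcessId : 0x00000000`000002d0 Void
   +0x418 ObjectTable      : (null)
   +0x450 ImageFileName    : [15] "LogonUI.exe"
   +0x498 ActiveThreads    : 0
   +0x62c ExitStatus       : 0n0
   +0x690 ExitTime         : _LARGE_INTEGER 0x01da0e2e`03dfb65f
"""
KPROCESS_DUMP = """\
   +0x028 DirectoryTableBase : 0x78d84002
   +0x1bc BasePriority     : 13 ''
   +0x2c0 UserDirectoryTableBase : 1
"""

# "+0xOFF Name : value" lines as printed by dt.
FIELD_RE = re.compile(r"^\s*\+0x([0-9a-f]+)\s+(\w+)\s*:\s*(.*?)\s*$", re.MULTILINE)

def parse_dt(text: str) -> Dict[str, Tuple[int, str]]:
    """Map field name -> (offset, raw value text)."""
    return {name: (int(off, 16), raw) for off, name, raw in FIELD_RE.findall(text)}

def parse_number(raw: str) -> Optional[int]:
    """Decode WinDbg's spellings: 0x hex (with ` separators), 0n decimal, 0y binary, (null)."""
    if raw.startswith("(null)"):
        return 0
    m = re.search(r"0x([0-9a-f`]+)", raw)
    if m:
        return int(m.group(1).replace("`", ""), 16)
    m = re.search(r"0n(-?\d+)", raw)
    if m:
        return int(m.group(1))
    m = re.search(r"0y([01]+)", raw)
    if m:
        return int(m.group(1), 2)
    try:
        return int(raw.split()[0], 0)   # plain decimal such as "0" or "13 ''"
    except (ValueError, IndexError):
        return None                      # nested structure (e.g. _EX_FAST_REF), no scalar here

def list_entry(raw: str) -> Tuple[int, int]:
    """Split `_LIST_ENTRY [ flink - blink ]` into its two pointers."""
    f, b = re.findall(r"0x([0-9a-f`]+)", raw)
    return int(f.replace("`", ""), 16), int(b.replace("`", ""), 16)

def containing_record(link_ptr: int, link_offset: int) -> int:
    """CONTAINING_RECORD: the structure embedding a link starts link_offset bytes before it."""
    return link_ptr - link_offset

def neighbours(fields: Dict[str, Tuple[int, str]]) -> Tuple[int, int]:
    """EPROCESS addresses of the next and previous process on ActiveProcessLinks."""
    off, raw = fields["ActiveProcessLinks"]
    flink, blink = list_entry(raw)
    return containing_record(flink, off), containing_record(blink, off)

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft: int) -> datetime:
    """_LARGE_INTEGER times in EPROCESS are FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def lifetime_100ns(fields: Dict[str, Tuple[int, str]]) -> int:
    return parse_number(fields["ExitTime"][1]) - parse_number(fields["CreateTime"][1])

def cross_check(ep, kp, cid: int, parent_cid: int, dirbase: int) -> bool:
    """The `!process` summary line and the structure dumps must agree."""
    return (parse_number(ep["UniqueProcessId"][1]) == cid
            and parse_number(ep["InheritedFromUniqueProcessId"][1]) == parent_cid
            and parse_number(kp["DirectoryTableBase"][1]) == dirbase)

if __name__ == "__main__":
    ep, kp = parse_dt(EPROCESS_DUMP), parse_dt(KPROCESS_DUMP)
    nxt, prv = neighbours(ep)
    print(f"next EPROCESS {nxt:#x}, previous EPROCESS {prv:#x}")
    print("created", filetime_to_datetime(parse_number(ep["CreateTime"][1])))
    print("lifetime (s)", lifetime_100ns(ep) / 1e7)
    print("consistent with !process:", cross_check(ep, kp, 0x13c, 0x2d0, 0x78d84002))
```

The creation time decodes to 2023-11-03 08:16:06 UTC, matching the date of this post, and ExitTime - CreateTime is about 9.2 s: this LogonUI.exe instance has already exited, which is why ObjectTable is (null) and ActiveThreads is 0 while the EPROCESS remains on the list.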