
I want to get information about a process from Sysinternals' livekd using its process ID. How do I do that?

The documentation for WinDBG's !process command on MSDN (https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/-process) says,

!process [/s Session] [/m Module] [Process [Flags]]

Provides information about the process specified by Process. The document goes on to say,

Process - Specifies the hexadecimal address or the process ID of the process on the target computer.

But no matter what I try, specifying a PID yields nothing, and I can't see a way to find the hexadecimal address of the process structure of a running process.

For example, in Sysinternals' Process Explorer I see a process with PID 672 backed by svchost.exe, as shown below:


But when I use the !process command with PID 672, or its hex equivalent 2A0, I get nothing. See below:

0: kd> !process 672
Searching for Process with Cid == 672
Cannot resolve nt!_EPROCESS object type
0: kd> !process 2A0
Searching for Process with Cid == 2a0
Cannot resolve nt!_EPROCESS object type

But !process svchost.exe works (for some running instance of that image):

0: kd> !process svchost.exe
PROCESS ffffdc0a4b49b180
    SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 001ad002  ObjectTable: ffff9a0ba4e3ee40  HandleCount: 6664.
    Image: System
    VadRoot ffffdc0a66ea3200 Vads 58 Clone 0 Private 30. Modified 31341619. Locked 192.
    DeviceMap ffff9a0ba4e36360
    Token                             ffff9a0ba4e072b0
    ElapsedTime                       5 Days 13:59:48.702

I can also use !process ffffdc0a4b49b180 with the information obtained from !process svchost.exe, but I want to get this information using the process ID. How do I do that?

Edit 1: I believe I have set up symbols correctly according to the following: https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/symbol-path . See the output below.

0: kd> .sympath
Symbol search path is: srv*c:\symbols\*https://msdl.microsoft.com/download/symbols
Expanded Symbol search path is: srv*c:\symbols\*https://msdl.microsoft.com/download/symbols

************* Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       srv*c:\symbols\*https://msdl.microsoft.com/download/symbols
0: kd> lml
start             end                 module name
fffff804`82200000 fffff804`83246000   nt         (pdb symbols)          c:\symbols\ntkrnlmp.pdb\1F9BB45B28B806E4D18925C06E924B8C1\ntkrnlmp.pdb
fffff804`a3420000 fffff804`a342d000   LiveKdD    (no symbols)           
0: kd> !sym noisy
noisy mode - symbol prompts on
0: kd> .reload nt
SYMSRV:  BYINDEX: 0xF
         c:\symbols\*https://msdl.microsoft.com/download/symbols
         ntoskrnl.exe
         F05723421046000
SYMSRV:  PATH: c:\symbols\ntoskrnl.exe\F05723421046000\ntoskrnl.exe
SYMSRV:  RESULT: 0x00000000
DBGHELP: c:\symbols\ntoskrnl.exe\F05723421046000\ntoskrnl.exe - OK
DBGENG:  c:\symbols\ntoskrnl.exe\F05723421046000\ntoskrnl.exe - Mapped image memory
SYMSRV:  BYINDEX: 0x10
         c:\symbols\*https://msdl.microsoft.com/download/symbols
         ntkrnlmp.pdb
         1F9BB45B28B806E4D18925C06E924B8C1
SYMSRV:  PATH: c:\symbols\ntkrnlmp.pdb\1F9BB45B28B806E4D18925C06E924B8C1\ntkrnlmp.pdb
SYMSRV:  RESULT: 0x00000000
DBGHELP: nt - public symbols  
        c:\symbols\ntkrnlmp.pdb\1F9BB45B28B806E4D18925C06E924B8C1\ntkrnlmp.pdb
0: kd> dt nt!_EPROCESS
   +0x000 Pcb              : _KPROCESS
   +0x438 ProcessLock      : _EX_PUSH_LOCK
   +0x440 UniqueProcessId  : Ptr64 Void
   +0x448 ActiveProcessLinks : _LIST_ENTRY
   +0x458 RundownProtect   : _EX_RUNDOWN_REF
   +0x460 Flags2           : Uint4B
   +0x460 JobNotReallyActive : Pos 0, 1 Bit
   +0x460 AccountingFolded : Pos 1, 1 Bit
   +0x460 NewProcessReported : Pos 2, 1 Bit
   ....

Edit 2

I just found out that LiveKdD.sys is not being loaded. I have reinstalled the Windows SDK and uninstalled my antivirus software. This did not fix the problem.

However, LivekdD.sys is present in the directory it tries to load it from. See below.

PS C:\WINDOWS\system32\drivers> dir livekdd.sys


    Directory: C:\WINDOWS\system32\drivers


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----        24-11-2021     21:53          39272 livekdd.sys


Launching D:\Windows Kits\10\Debuggers\x64\kd.exe:

Microsoft (R) Windows Debugger Version 10.0.22000.194 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\WINDOWS\livekd.dmp]
Kernel Complete Dump File: Full address space is available

Comment: 'LiveKD live system view'

************* Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       srv*c:\Symbols*http://msdl.microsoft.com/download/symbols
Symbol search path is: srv*c:\Symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 8 Kernel Version 9200 MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Edition build lab: 19041.1.amd64fre.vb_release.191206-1406
Machine Name:
Kernel base = 0xfffff807`75400000 PsLoadedModuleList = 0xfffff807`7602a2d0
Debug session time: Wed Nov 24 22:03:56.831 2021 (UTC + 5:30)
System Uptime: 0 days 0:13:04.851
Loading Kernel Symbols
...............................................................
................................................................
................................................................
..................................
Loading User Symbols
..........................................
Loading unloaded module list
............
For analysis of this file, run !analyze -v
0: kd> .tlist notepad.exe
Unable to load image \??\C:\WINDOWS\system32\Drivers\LiveKdD.SYS, Win32 error 0n2
 0n3176 notepad.exe

1 Answer

As has already been commented several times, it works here. This is livekd's output:

0: kd> .tlist calculator.exe
 0n1872 Calculator.exe
0: kd> !process 0n1872 0
Searching for Process with Cid == 750
PROCESS ffffc388a8cd5080
    SessionId: 5  Cid: 0750    Peb: 806522f000  ParentCid: 0250
    DirBase: 7a081002  ObjectTable: ffff8985feda39c0  HandleCount: 467.
    Image: Calculator.exe

0: kd> !process 0 0 calculator.exe
PROCESS ffffc388a8cd5080
    SessionId: 5  Cid: 0750    Peb: 806522f000  ParentCid: 0250
    DirBase: 7a081002  ObjectTable: ffff8985feda39c0  HandleCount: 467.
    Image: Calculator.exe

Edit

A complete session:

D:\>livekd

LiveKd v5.63 - Execute kd/windbg on a live system
Sysinternals - www.sysinternals.com
Copyright (C) 2000-2020 Mark Russinovich and Ken Johnson

Launching C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\kd.exe:

Microsoft (R) Windows Debugger Version 10.0.17763.132 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\WINDOWS\livekd.dmp]
Kernel Complete Dump File: Full address space is available

Comment: 'LiveKD live system view'

************* Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       srv*f:\symbols*https://msdl.microsoft.com/download/symbols
Symbol search path is: srv*f:\symbols*https://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 8 Kernel Version 9200 MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 18362.1.amd64fre.19h1_release.190318-1202
Machine Name:
Kernel base = 0xfffff803`3cc00000 PsLoadedModuleList = 0xfffff803`3d045f30
Debug session time: Wed Nov 24 06:55:11.500 2021 
System Uptime: 3 days 5:19:28.286
Loading Kernel Symbols
...............................................................
................................................................
................................................................
................................................
Loading User Symbols

Loading unloaded module list
..................................................
0: kd> .tlist cmd.exe
*** ERROR: Module load completed but symbols could not be loaded for LiveKdD.SYS
 0n7836 cmd.exe
0: kd> !process 0n7836 0
Searching for Process with Cid == 1e9c
PROCESS ffffc388b2810080
    SessionId: 9  Cid: 1e9c    Peb: 7f78344000  ParentCid: 1468
    DirBase: 115d4a002  ObjectTable: ffff8985fed9ad40  HandleCount:  68.
    Image: cmd.exe

0: kd>

Edit 2

My modules are as follows:

0: kd> lmv live
start             end                 module name
fffff803`59090000 fffff803`5909d000   LiveKdD    (no symbols)
    Symbol file: LiveKdD.SYS
    Image path: \??\C:\WINDOWS\system32\Drivers\LiveKdD.SYS
    Image name: LiveKdD.SYS
    Timestamp:        Mon Apr 27 21:28:28 2020 (5EA70124)
    CheckSum:         00014362
    ImageSize:        0000D000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
    Information from resource tables:
0: kd>  
answered 2021-11-22T18:39:09.740
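An added illustration, not code from the question or the answer: the script below parses the `!process 0 0` listing layout shown above and resolves a PID the way kd's expression evaluator does. A bare number is read in the session's default radix, which is hexadecimal, so `!process 672` searches for Cid 0x672 and never matches PID 672 (0x2A0); `0n672` or `2A0` does, which is why the answer's `!process 0n1872 0` prints `Searching for Process with Cid == 750`. The sample listing is constructed from the PROCESS blocks printed on this page, and the helper names (`kd_number`, `parse_process_list`, `find_by_pid`, `children_of`, `process_command`) are my own.

```python
"""Resolve a PID against a `!process 0 0` listing the way kd reads numbers."""
import re

# Constructed sample input: three PROCESS blocks in the layout kd prints for
# `!process 0 0` (values copied from the outputs shown on this page, not a live capture).
SAMPLE = """\
PROCESS ffffc388a8cd5080
    SessionId: 5  Cid: 0750    Peb: 806522f000  ParentCid: 0250
    DirBase: 7a081002  ObjectTable: ffff8985feda39c0  HandleCount: 467.
    Image: Calculator.exe

PROCESS ffffc388b2810080
    SessionId: 9  Cid: 1e9c    Peb: 7f78344000  ParentCid: 1468
    DirBase: 115d4a002  ObjectTable: ffff8985fed9ad40  HandleCount:  68.
    Image: cmd.exe

PROCESS ffffdc0a4b49b180
    SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 001ad002  ObjectTable: ffff9a0ba4e3ee40  HandleCount: 6664.
    Image: System
"""

# Number prefixes understood by the debugger's default (MASM) expression evaluator.
_RADIX_PREFIXES = {"0n": 10, "0x": 16, "0t": 8, "0y": 2}


def kd_number(token, default_radix=16):
    """Parse a number as kd does: an explicit prefix wins, otherwise the session's
    default radix applies, which is 16 unless it was changed with the `n` command.
    Backticks are stripped because kd prints 64-bit values as fffff803`3cc00000."""
    t = token.strip().lower().replace("`", "")
    for prefix, radix in _RADIX_PREFIXES.items():
        if t.startswith(prefix):
            return int(t[2:], radix)
    return int(t, default_radix)


def parse_process_list(text):
    """Turn `!process 0 0` output into a list of dicts, one per PROCESS block.
    Cid, ParentCid, Peb and the EPROCESS address are printed in hex, so they are
    converted with base 16; SessionId is kept as the printed token ("5", "none")."""
    procs, cur = [], None
    for line in text.splitlines():
        m = re.match(r"PROCESS ([0-9a-fA-F]+)", line)
        if m:
            cur = {"eprocess": int(m.group(1), 16)}
            procs.append(cur)
            continue
        if cur is None:
            continue
        m = re.search(
            r"SessionId: (\S+)\s+Cid: ([0-9a-fA-F]+)\s+Peb: ([0-9a-fA-F]+)\s+ParentCid: ([0-9a-fA-F]+)",
            line,
        )
        if m:
            cur["session"] = m.group(1)
            cur["cid"] = int(m.group(2), 16)
            cur["peb"] = int(m.group(3), 16)
            cur["parent_cid"] = int(m.group(4), 16)
            continue
        m = re.search(r"Image: (\S+)", line)
        if m:
            cur["image"] = m.group(1)
    return procs


def find_by_pid(procs, token):
    """Look up a process by a PID written as kd would read it ("0n1872", "750", "0x750")."""
    cid = kd_number(token)
    return next((p for p in procs if p["cid"] == cid), None)


def children_of(procs, parent_token):
    """All processes whose ParentCid equals the given PID (same kd number syntax)."""
    parent = kd_number(parent_token)
    return [p for p in procs if p["parent_cid"] == parent]


def process_command(pid):
    """Spell a decimal PID so `!process` finds it: the 0n prefix forces decimal."""
    return f"!process 0n{pid} 0"


if __name__ == "__main__":
    procs = parse_process_list(SAMPLE)
    # "1872" without a prefix is read as 0x1872 and therefore finds nothing;
    # the three other spellings all resolve to Cid 0x750 (Calculator.exe).
    for token in ("1872", "0n1872", "750", "0x750", "0n7836", "4"):
        hit = find_by_pid(procs, token)
        where = f"{hit['image']} at PROCESS {hit['eprocess']:x}" if hit else "no match"
        print(f"{token:>7} -> Cid {kd_number(token):x}: {where}")
    print(process_command(1872))
```

The parser only covers the fields printed in the listings on this page; the `.tlist` output (`0n7836 cmd.exe`) already shows PIDs with the `0n` prefix, which is the spelling to feed back into `!process`.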