Tuesday, February 17, 2015

Viewing and switching to a specific thread of a specific process in the kernel debugger

0: kd> !process 81b3a020   7
PROCESS 81b3a020  SessionId: 0  Cid: 09c0    Peb: 7ffdc000  ParentCid: 0914
    DirBase: 02940340  ObjectTable: e25c91a0  HandleCount: 218.
    Image: WINWORD.EXE
    VadRoot 81ac60a0 Vads 69 Clone 0 Private 342. Modified 0. Locked 0.
    DeviceMap e1c1ea18
    Token                             e1973d48
    ElapsedTime                       00:00:55.875
    UserTime                          00:00:00.015
    KernelTime                        00:00:00.890
    QuotaPoolUsage[PagedPool]         138252
    QuotaPoolUsage[NonPagedPool]      2760
    Working Set Sizes (now,min,max)  (868, 50, 345) (3472KB, 200KB, 1380KB)
    PeakWorkingSetSize                871
    VirtualSize                       68 Mb
    PeakVirtualSize                   68 Mb
    PageFaultCount                    1496
    MemoryPriority                    BACKGROUND
    BasePriority                      8
    CommitCharge                      1021

        THREAD 81e62020  Cid 09c0.09c4  Teb: 7ffdf000 Win32Thread: e2312c20 WAIT: (Executive) KernelMode Alertable
            826d8fe4  SynchronizationEvent
        Not impersonating
        DeviceMap                 e1c1ea18
        Owning Process            0       Image:         <Unknown>
        Attached Process          81b3a020       Image:         WINWORD.EXE
        Wait Start TickCount      304841         Ticks: 3379 (0:00:00:52.796)
        Context Switch Count      1592           IdealProcessor: 0                 LargeStack
        UserTime                  00:00:00.000
        KernelTime                00:00:00.890
        Win32 Start Address WINWORD (0x300010cc)
        Start Address kernel32!BaseProcessStartThunk (0x7c810735)
        Stack Init f4fed000 Current f4feca54 Base f4fed000 Limit f4fe9000 Call 0
        Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
        ChildEBP RetAddr  Args to Child            
        f4feca6c 8050493e 81e62090 81e62020 804fc0d8 nt!KiSwapContext+0x2f (FPO: [Uses EBP] [0,0,4])
        f4feca78 804fc0d8 00000000 826d8fe4 f4e29030 nt!KiSwapThread+0x8a (FPO: [0,0,0])
        f4fecaa0 8065b61e 00000000 00000000 00000000 nt!KeWaitForSingleObject+0x1c2 (FPO: [Non-Fpo])
        f4fecac8 f4e273d2 826d8fe4 00000000 00000000 nt!VerifierKeWaitForSingleObject+0x56 (FPO: [Non-Fpo])
        f4fecaf0 f4e2914c f4fecafc 040000b6 828fcc00 ahsh!get_old_handle+0x102 (FPO: [Non-Fpo]) (CONV: stdcall) [e:\ahsh\sandbox\filter\regedit.c @ 3822]
        f4fecb14 805427e8 80002170 f4fecbd0 00000002 ahsh!HookRegQueryValueKey+0x11c (FPO: [Non-Fpo]) (CONV: stdcall) [e:\ahsh\sandbox\filter\regedit.c @ 5203]
        f4fecb14 80501b6d 80002170 f4fecbd0 00000002 nt!KiSystemServicePostCall (FPO: [0,0] TrapFrame @ f4fecb34)
        f4fecba4 8061274f 80002170 f4fecbd0 00000002 nt!ZwQueryValueKey+0x11 (FPO: [6,0,0])
        f4fecd14 80612b33 80612ac0 0012ad9c 00000001 nt!ExpGetCurrentUserUILanguage+0xed (FPO: [Non-Fpo])
        f4fecd58 805427e8 0012ad9c 0012ada0 7c92e514 nt!NtQueryDefaultUILanguage+0x49 (FPO: [Non-Fpo])
        f4fecd58 7c92e514 0012ad9c 0012ada0 7c92e514 nt!KiSystemServicePostCall (FPO: [0,0] TrapFrame @ f4fecd64)
        0012ad8c 7c92d76a 7c82f6dc 0012ad9c 3342c418 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
        0012ad90 7c82f6dc 0012ad9c 3342c418 0012adac ntdll!ZwQueryDefaultUILanguage+0xc (FPO: [1,0,0])
        0012ada0 32612b47 00000000 0012adbc 331dbc78 kernel32!GetUserDefaultUILanguage+0x10 (FPO: [Non-Fpo])
WARNING: Stack unwind information not available. Following frames may be wrong.
        0012adac 331dbc78 00000194 00000190 0012ba88 mso+0x12b47
        0012adbc 32bd9d97 0012b434 00000001 0012ade4 mso+0xbdbc78
        0012ba88 32bd99c5 00000001 33428160 0012f764 mso+0x5d9d97
        0012dd38 3260cd6e 0012f760 00000000 7c80acaf mso+0x5d99c5
        0012f734 32606e77 33428160 0012f764 0012f760 mso+0xcd6e
        0012f768 32606da8 00000000 31246ce2 0012f760 mso+0x6e77
        0012f980 312448da 31244562 31240000 7c80ae40 mso+0x6da8
        0012ff0c 300015d7 30000000 00000000 00152349 wwlib!FMain+0x378
        0012ff30 3000155d 30000000 00000000 00152349 WINWORD+0x15d7
        0012ffc0 7c816037 00200020 00200020 7ffdc000 WINWORD+0x155d
        0012fff0 00000000 300010cc 00000000 78746341 kernel32!BaseProcessStart+0x23 (FPO: [Non-Fpo])


0: kd> !thread 81e62020   7
THREAD 81e62020  Cid 09c0.09c4  Teb: 7ffdf000 Win32Thread: e2312c20 WAIT: (Executive) KernelMode Alertable
    826d8fe4  SynchronizationEvent
Not impersonating
DeviceMap                 e1c1ea18
Owning Process            0       Image:         <Unknown>
Attached Process          81b3a020       Image:         WINWORD.EXE
Wait Start TickCount      304841         Ticks: 3379 (0:00:00:52.796)
Context Switch Count      1592           IdealProcessor: 0                 LargeStack
UserTime                  00:00:00.000
KernelTime                00:00:00.890
Win32 Start Address WINWORD (0x300010cc)
Start Address kernel32!BaseProcessStartThunk (0x7c810735)
Stack Init f4fed000 Current f4feca54 Base f4fed000 Limit f4fe9000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr  Args to Child            
f4feca6c 8050493e 81e62090 81e62020 804fc0d8 nt!KiSwapContext+0x2f (FPO: [Uses EBP] [0,0,4])
f4feca78 804fc0d8 00000000 826d8fe4 f4e29030 nt!KiSwapThread+0x8a (FPO: [0,0,0])
f4fecaa0 8065b61e 00000000 00000000 00000000 nt!KeWaitForSingleObject+0x1c2 (FPO: [Non-Fpo])
f4fecac8 f4e273d2 826d8fe4 00000000 00000000 nt!VerifierKeWaitForSingleObject+0x56 (FPO: [Non-Fpo])
f4fecaf0 f4e2914c f4fecafc 040000b6 828fcc00 ahsh!get_old_handle+0x102 (FPO: [Non-Fpo]) (CONV: stdcall) [e:\ahsh\sandbox\filter\regedit.c @ 3822]
f4fecb14 805427e8 80002170 f4fecbd0 00000002 ahsh!HookRegQueryValueKey+0x11c (FPO: [Non-Fpo]) (CONV: stdcall) [e:\ahsh\sandbox\filter\regedit.c @ 5203]
f4fecb14 80501b6d 80002170 f4fecbd0 00000002 nt!KiSystemServicePostCall (FPO: [0,0] TrapFrame @ f4fecb34)
f4fecba4 8061274f 80002170 f4fecbd0 00000002 nt!ZwQueryValueKey+0x11 (FPO: [6,0,0])
f4fecd14 80612b33 80612ac0 0012ad9c 00000001 nt!ExpGetCurrentUserUILanguage+0xed (FPO: [Non-Fpo])
f4fecd58 805427e8 0012ad9c 0012ada0 7c92e514 nt!NtQueryDefaultUILanguage+0x49 (FPO: [Non-Fpo])
f4fecd58 7c92e514 0012ad9c 0012ada0 7c92e514 nt!KiSystemServicePostCall (FPO: [0,0] TrapFrame @ f4fecd64)
0012ada0 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])

0: kd> .thread  /p /r 81e62020
Implicit thread is now 81e62020
Implicit process is now 81b3a020
.cache forcedecodeuser done
Loading User Symbols
..................
0: kd> k
  *** Stack trace for last set context - .thread/.cxr resets it
ChildEBP RetAddr
f4feca6c 8050493e nt!KiSwapContext+0x2f
f4feca78 804fc0d8 nt!KiSwapThread+0x8a
f4fecaa0 8065b61e nt!KeWaitForSingleObject+0x1c2
f4fecac8 f4e273d2 nt!VerifierKeWaitForSingleObject+0x56
f4fecaf0 f4e2914c ahsh!get_old_handle+0x102 [e:\ahsh\sandbox\filter\regedit.c @ 3822]
f4fecb14 805427e8 ahsh!HookRegQueryValueKey+0x11c [e:\ahsh\sandbox\filter\regedit.c @ 5203]
f4fecb14 80501b6d nt!KiSystemServicePostCall
f4fecba4 8061274f nt!ZwQueryValueKey+0x11
f4fecd14 80612b33 nt!ExpGetCurrentUserUILanguage+0xed
f4fecd58 805427e8 nt!NtQueryDefaultUILanguage+0x49
f4fecd58 7c92e514 nt!KiSystemServicePostCall
0012ad8c 7c92d76a ntdll!KiFastSystemCallRet
0012ad90 7c82f6dc ntdll!ZwQueryDefaultUILanguage+0xc
0012ada0 32612b47 kernel32!GetUserDefaultUILanguage+0x10
WARNING: Stack unwind information not available. Following frames may be wrong.
0012adac 331dbc78 mso+0x12b47
0012adbc 32bd9d97 mso+0xbdbc78
0012ba88 32bd99c5 mso+0x5d9d97
0012dd38 3260cd6e mso+0x5d99c5
0012f734 32606e77 mso+0xcd6e
0012f768 32606da8 mso+0x6e77
0012f980 312448da mso+0x6da8
0012ff0c 300015d7 wwlib!FMain+0x378
0012ff30 3000155d WINWORD+0x15d7
0012ffc0 7c816037 WINWORD+0x155d
0012fff0 00000000 kernel32!BaseProcessStart+0x23

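As an added example (not part of the original post), the script below parses the `!process <addr> 7` output above, emits the `.thread /p /r <thread>` switch command the post uses, and reports any kernel-mode frame that belongs to a module other than the OS kernel: on this page the third-party `ahsh` filter driver sits between `nt!ZwQueryValueKey` and `nt!KiSystemServicePostCall`, which is how an intercepted system service shows up in a stack walk. The sample text is a trimmed copy of the page's own output; the 0x80000000 kernel/user address split assumes a 32-bit x86 kernel with the default 2 GB split, and the parser is my own, not a debugger extension.

```python
import re

# Constructed sample: a trimmed copy of the '!process <addr> 7' output shown on this page.
SAMPLE = r"""PROCESS 81b3a020  SessionId: 0  Cid: 09c0    Peb: 7ffdc000  ParentCid: 0914
    Image: WINWORD.EXE
        THREAD 81e62020  Cid 09c0.09c4  Teb: 7ffdf000 Win32Thread: e2312c20 WAIT: (Executive) KernelMode Alertable
        ChildEBP RetAddr  Args to Child
        f4feca6c 8050493e 81e62090 81e62020 804fc0d8 nt!KiSwapContext+0x2f (FPO: [Uses EBP] [0,0,4])
        f4fecaf0 f4e2914c f4fecafc 040000b6 828fcc00 ahsh!get_old_handle+0x102 [e:\ahsh\sandbox\filter\regedit.c @ 3822]
        f4fecb14 805427e8 80002170 f4fecbd0 00000002 ahsh!HookRegQueryValueKey+0x11c [e:\ahsh\sandbox\filter\regedit.c @ 5203]
        f4fecb14 80501b6d 80002170 f4fecbd0 00000002 nt!KiSystemServicePostCall (FPO: [0,0] TrapFrame @ f4fecb34)
        f4fecba4 8061274f 80002170 f4fecbd0 00000002 nt!ZwQueryValueKey+0x11 (FPO: [6,0,0])
        0012ad8c 7c92d76a 7c82f6dc 0012ad9c 3342c418 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
        0012ada0 32612b47 00000000 0012adbc 331dbc78 kernel32!GetUserDefaultUILanguage+0x10 (FPO: [Non-Fpo])
        0012adac 331dbc78 00000194 00000190 0012ba88 mso+0x12b47
"""

PROC_RE = re.compile(r"^PROCESS ([0-9a-f]{8})\s+SessionId: \d+\s+Cid: ([0-9a-f]+)")
IMAGE_RE = re.compile(r"^\s*Image: (\S+)")
THREAD_RE = re.compile(r"^\s*THREAD ([0-9a-f]{8})\s+Cid [0-9a-f]+\.([0-9a-f]+).*?\b(WAIT|RUNNING|READY)\b")
FRAME_RE = re.compile(r"^\s*([0-9a-f]{8}) ([0-9a-f]{8}) (?:[0-9a-f]{8} ){3}([^\s!+]+)")
KERNEL_BASE = 0x80000000  # assumption: x86 kernel, default 2 GB user / 2 GB kernel split
OS_MODULES = {"nt", "hal"}  # kernel-mode frames from any other module are reported

def parse_process(text):
    """Parse '!process <addr> 7' output into a dict holding the process, its threads and their frames."""
    proc = {"addr": None, "cid": None, "image": None, "threads": []}
    for line in text.splitlines():
        if m := PROC_RE.match(line):
            proc["addr"], proc["cid"] = m.group(1), m.group(2)
        elif (m := IMAGE_RE.match(line)) and proc["image"] is None:
            proc["image"] = m.group(1)
        elif m := THREAD_RE.match(line):
            proc["threads"].append({"addr": m.group(1), "tid": m.group(2), "state": m.group(3), "frames": []})
        elif (m := FRAME_RE.match(line)) and proc["threads"]:
            child_ebp, ret_addr, module = m.groups()
            proc["threads"][-1]["frames"].append(
                {"ebp": int(child_ebp, 16), "ret": ret_addr, "module": module})
    return proc

def switch_commands(thread):
    """Debugger commands that make this thread and its process the implicit context, as the post does."""
    return [f".thread /p /r {thread['addr']}", "k"]

def foreign_kernel_modules(thread):
    """Modules other than the OS kernel seen in kernel-mode frames (ChildEBP above KERNEL_BASE);
    on this page that is 'ahsh', interposed between nt!ZwQueryValueKey and nt!KiSystemServicePostCall."""
    return sorted({f["module"] for f in thread["frames"]
                   if f["ebp"] >= KERNEL_BASE and f["module"] not in OS_MODULES})
```

Feeding it the full `!process` listing enumerates every thread of the process, so the switch command can be generated per thread instead of copied by hand.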