引子:可是在调试模式下查看64位的Windows内核和非调试模式下是不一样的,比如:系统进程的线程。
如要做到这,可以用ARK,这大多是没有符号的。
还可以用procexp.exe。
还可以用windbg的命令:!process.
但是我想在本地内核调试的模式下在windbg中看到类似于ARK/procexp.exe!process中显示的那样(甚至随心所欲)。
简而言之:!process显示的线程信息太多,太丰富,我要精简,然后再细化。
经过分析得出:
lkd> !list -t nt!_LIST_ENTRY.Flink -x "dt nt!_ethread StartAddress Cid.UniqueThread @@(#CONTAINING_RECORD(@$extret, nt!_ethread, ThreadListEntry))" -m 3 (poi(nt!PsInitialSystemProcess) + @@(#FIELD_OFFSET(nt!_EPROCESS, ThreadListHead)))
+0x390 StartAddress : (null)
+0x3b8 Cid :
+0x008 UniqueThread : (null)
+0x390 StartAddress : 0xfffff800`0375f4f0 Void
+0x3b8 Cid :
+0x008 UniqueThread : 0x00000000`00000008 Void
+0x390 StartAddress : 0xfffff800`033f1960 Void
+0x3b8 Cid :
+0x008 UniqueThread : 0x00000000`0000000c Void
注意:这里只显示前3个,而且第一个是无效的。
不过我最终得出的是符号地址,这里没有,如:%y,dps,ln之类的信息。
所以要学习WINDBG脚本,脚本内容如下:
r $t0 = (poi(nt!PsInitialSystemProcess) + @@(#FIELD_OFFSET(nt!_EPROCESS, ThreadListHead)))
.printf /D "%y\n", @$t0;
.for (r $t1 = poi(@$t0); (@$t1 != 0) & (@$t1 != @$t0); r $t1 = poi(@$t1))
{
r? $t2 = #CONTAINING_RECORD(@$t1, nt!_ETHREAD, ThreadListEntry);
r? $t3 = @@c++(&@$t2->Cid.UniqueThread);
.printf /D "UniqueThread:%d\t", poi(@$t3);
.printf /D "ETHREAD:%p\t", @$t2;
.printf /D "StartAddress:%y\n", poi(@@c++(&@$t2->StartAddress));
}
这里还可以用DML使每行高亮/链接,点击后运行个指令,如:!thread等。
运行结果如下:lkd> $$>< F:\windbg\PsInitialSystemProcess.txt
fffffa80`06752e18
UniqueThread:8 ETHREAD:fffffa8006752580 StartAddress:nt!Phase1Initialization (fffff800`0375f4f0)
UniqueThread:12 ETHREAD:fffffa80067583b0 StartAddress:nt!PopIrpWorkerControl (fffff800`033f1960)
UniqueThread:16 ETHREAD:fffffa8006759040 StartAddress:nt!PopIrpWorker (fffff800`033f12e0)
UniqueThread:20 ETHREAD:fffffa8006759b50 StartAddress:nt!PopIrpWorker (fffff800`033f12e0)
UniqueThread:24 ETHREAD:fffffa800675f850 StartAddress:nt!ExpWorkerThread (fffff800`032dc3a4)
UniqueThread:28 ETHREAD:fffffa800676ab50 StartAddress:nt!ExpWorkerThread (fffff800`032dc3a4)
UniqueThread:32 ETHREAD:fffffa800676a660 StartAddress:nt!ExpWorkerThread (fffff800`032dc3a4)
......
made by correy
made at 2016.02.01
http://correy.webs.com