[Help] Could someone post the member offsets of the EPROCESS structure under W2K for me?
I am debugging a W2K virtual machine in VMware with WinDbg;
`dt _EPROCESS` always fails to find the symbol, and I don't know why. WXP works fine. Has MS's symbol server stopped providing W2K symbols? Could someone post the output of that command for me? Many thanks!
#1
Posted on: 2007-08-06 12:29
Probably a setting problem somewhere. I have also noticed a rather interesting phenomenon: when disassembling 2k system files with IDA, IDA only goes and connects to MS's symbol server if you load the pdb file manually; I don't know whether that is related. Below is the _EPROCESS you asked for.
kd> dt _EPROCESS
   +0x000 Pcb : _KPROCESS
   +0x06c ExitStatus : Int4B
   +0x070 LockEvent : _KEVENT
   +0x080 LockCount : Uint4B
   +0x088 CreateTime : _LARGE_INTEGER
   +0x090 ExitTime : _LARGE_INTEGER
   +0x098 LockOwner : Ptr32 _KTHREAD
   +0x09c UniqueProcessId : Ptr32 Void
   +0x0a0 ActiveProcessLinks : _LIST_ENTRY
   +0x0a8 QuotaPeakPoolUsage : [2] Uint4B
   +0x0b0 QuotaPoolUsage : [2] Uint4B
   +0x0b8 PagefileUsage : Uint4B
   +0x0bc CommitCharge : Uint4B
   +0x0c0 PeakPagefileUsage : Uint4B
   +0x0c4 PeakVirtualSize : Uint4B
   +0x0c8 VirtualSize : Uint4B
   +0x0d0 Vm : _MMSUPPORT
   +0x118 SessionProcessLinks : _LIST_ENTRY
   +0x120 DebugPort : Ptr32 Void
   +0x124 ExceptionPort : Ptr32 Void
   +0x128 ObjectTable : Ptr32 _HANDLE_TABLE
   +0x12c Token : Ptr32 Void
   +0x130 WorkingSetLock : _FAST_MUTEX
   +0x150 WorkingSetPage : Uint4B
   +0x154 ProcessOutswapEnabled : UChar
   +0x155 ProcessOutswapped : UChar
   +0x156 AddressSpaceInitialized : UChar
   +0x157 AddressSpaceDeleted : UChar
   +0x158 AddressCreationLock : _FAST_MUTEX
   +0x178 HyperSpaceLock : Uint4B
   +0x17c ForkInProgress : Ptr32 _ETHREAD
   +0x180 VmOperation : Uint2B
   +0x182 ForkWasSuccessful : UChar
   +0x183 MmAgressiveWsTrimMask : UChar
   +0x184 VmOperationEvent : Ptr32 _KEVENT
   +0x188 PaeTop : Ptr32 Void
   +0x18c LastFaultCount : Uint4B
   +0x190 ModifiedPageCount : Uint4B
   +0x194 VadRoot : Ptr32 Void
   +0x198 VadHint : Ptr32 Void
   +0x19c CloneRoot : Ptr32 Void
   +0x1a0 NumberOfPrivatePages : Uint4B
   +0x1a4 NumberOfLockedPages : Uint4B
   +0x1a8 NextPageColor : Uint2B
   +0x1aa ExitProcessCalled : UChar
   +0x1ab CreateProcessReported : UChar
   +0x1ac SectionHandle : Ptr32 Void
   +0x1b0 Peb : Ptr32 _PEB
   +0x1b4 SectionBaseAddress : Ptr32 Void
   +0x1b8 QuotaBlock : Ptr32 _EPROCESS_QUOTA_BLOCK
   +0x1bc LastThreadExitStatus : Int4B
   +0x1c0 WorkingSetWatch : Ptr32 _PAGEFAULT_HISTORY
   +0x1c4 Win32WindowStation : Ptr32 Void
   +0x1c8 InheritedFromUniqueProcessId : Ptr32 Void
   +0x1cc GrantedAccess : Uint4B
   +0x1d0 DefaultHardErrorProcessing : Uint4B
   +0x1d4 LdtInformation : Ptr32 Void
   +0x1d8 VadFreeHint : Ptr32 Void
   +0x1dc VdmObjects : Ptr32 Void
   +0x1e0 DeviceMap : Ptr32 Void
   +0x1e4 SessionId : Uint4B
   +0x1e8 PhysicalVadList : _LIST_ENTRY
   +0x1f0 PageDirectoryPte : _HARDWARE_PTE_X86
   +0x1f0 Filler : Uint8B
   +0x1f8 PaePageDirectoryPage : Uint4B
   +0x1fc ImageFileName : [16] UChar
   +0x20c VmTrimFaultValue : Uint4B
   +0x210 SetTimerResolution : UChar
   +0x211 PriorityClass : UChar
   +0x212 SubSystemMinorVersion : UChar
   +0x213 SubSystemMajorVersion : UChar
   +0x212 SubSystemVersion : Uint2B
   +0x214 Win32Process : Ptr32 Void
   +0x218 Job : Ptr32 _EJOB
   +0x21c JobStatus : Uint4B
   +0x220 JobLinks : _LIST_ENTRY
   +0x228 LockedPagesList : Ptr32 Void
   +0x22c SecurityPort : Ptr32 Void
   +0x230 Wow64Process : Ptr32 _WOW64_PROCESS
   +0x238 ReadOperationCount : _LARGE_INTEGER
   +0x240 WriteOperationCount : _LARGE_INTEGER
   +0x248 OtherOperationCount : _LARGE_INTEGER
   +0x250 ReadTransferCount : _LARGE_INTEGER
   +0x258 WriteTransferCount : _LARGE_INTEGER
   +0x260 OtherTransferCount : _LARGE_INTEGER
   +0x268 CommitChargeLimit : Uint4B
   +0x26c CommitChargePeak : Uint4B
   +0x270 ThreadListHead : _LIST_ENTRY
   +0x278 VadPhysicalPagesBitMap : Ptr32 _RTL_BITMAP
   +0x27c VadPhysicalPages : Uint4B
   +0x280 AweLock : Uint4B
   +0x284 pImageFileName : Ptr32 _UNICODE_STRING
   +0x288 Session : Ptr32 Void
   +0x28c Flags : Uint4B
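The listing above is exactly what a memory-forensics tool needs from a W2K target: the offsets of ActiveProcessLinks, UniqueProcessId and ImageFileName. The following is an added example (not code from the thread or from WinDbg) showing how to turn the pasted `dt` output into an offset table, how to spot the union members that `dt` prints at the same offset (PageDirectoryPte/Filler, SubSystemVersion over its two UChar halves), and how to recover an EPROCESS base from a list pointer and read the image name out of a memory-image buffer. It embeds a constructed excerpt of the listing; the sample EPROCESS bytes, the list-entry address 0x8146a0a0 and the process name are made up for the demonstration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed excerpt of the `dt _EPROCESS` listing posted above (Windows 2000, 32-bit).
# Only some members are reproduced; the full listing parses the same way.
DT_EPROCESS_W2K = """\
kd> dt _EPROCESS
+0x000 Pcb : _KPROCESS
+0x09c UniqueProcessId : Ptr32 Void
+0x0a0 ActiveProcessLinks : _LIST_ENTRY
+0x0a8 QuotaPeakPoolUsage : [2] Uint4B
+0x1e8 PhysicalVadList : _LIST_ENTRY
+0x1f0 PageDirectoryPte : _HARDWARE_PTE_X86
+0x1f0 Filler : Uint8B
+0x1f8 PaePageDirectoryPage : Uint4B
+0x1fc ImageFileName : [16] UChar
+0x212 SubSystemMinorVersion : UChar
+0x213 SubSystemMajorVersion : UChar
+0x212 SubSystemVersion : Uint2B
+0x28c Flags : Uint4B
"""

@dataclass(frozen=True)
class Member:
    offset: int
    name: str
    type_: str
    count: int = 1   # array length; 1 for a plain scalar or nested struct

# "+0x1fc ImageFileName : [16] UChar"  ->  offset, name, optional [count], type
MEMBER_RE = re.compile(r"^\+0x([0-9a-fA-F]+)\s+(\w+)\s*:\s*(?:\[(\d+)\]\s*)?(\S.*?)\s*$")

def parse_dt(text: str) -> List[Member]:
    """Parse WinDbg `dt` output into Member records, skipping the prompt and blank lines."""
    members = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("+0x"):
            continue
        m = MEMBER_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised dt line: {line!r}")
        off, name, count, typ = m.groups()
        members.append(Member(int(off, 16), name, typ, int(count) if count else 1))
    return members

def offsets(members: List[Member]) -> Dict[str, int]:
    return {m.name: m.offset for m in members}

# Sizes of the scalar and well-known types in the listing (32-bit x86 kernel).
KNOWN_SIZES = {"UChar": 1, "Uint2B": 2, "Int4B": 4, "Uint4B": 4, "Uint8B": 8,
               "_LARGE_INTEGER": 8, "_LIST_ENTRY": 8}

def member_size(m: Member) -> Optional[int]:
    """Byte size of a member, or None when the nested type's size is not known here."""
    base = 4 if m.type_.startswith("Ptr32") else KNOWN_SIZES.get(m.type_)
    return None if base is None else base * m.count

def find_overlaps(members: List[Member]) -> List[Tuple[str, str]]:
    """Pairs of sized members whose byte ranges overlap. `dt` prints union members
    at the same offset, so these mark unions, not a corrupt listing."""
    sized = [(m, member_size(m)) for m in members]
    hits = []
    for i, (a, sa) in enumerate(sized):
        if sa is None:
            continue
        for b, sb in sized[i + 1:]:
            if sb is not None and a.offset < b.offset + sb and b.offset < a.offset + sa:
                hits.append((a.name, b.name))
    return hits

def eprocess_from_links(link_va: int, offs: Dict[str, int]) -> int:
    """CONTAINING_RECORD: a Flink/Blink taken from the active-process list points at
    ActiveProcessLinks inside the EPROCESS, not at the structure's base."""
    return link_va - offs["ActiveProcessLinks"]

def image_file_name(eprocess: bytes, offs: Dict[str, int]) -> str:
    """ImageFileName is a 16-byte, NUL-padded ANSI field; stop at the first NUL."""
    start = offs["ImageFileName"]
    raw = eprocess[start:start + 16].split(b"\x00", 1)[0]
    return raw.decode("ascii", errors="replace")

def sample_eprocess(offs: Dict[str, int]) -> bytes:
    """Constructed stand-in for an EPROCESS read out of a memory image (not real kernel data)."""
    buf = bytearray(0x290)
    pid = offs["UniqueProcessId"]
    buf[pid:pid + 4] = (228).to_bytes(4, "little")
    name = b"lsass.exe"
    buf[offs["ImageFileName"]:offs["ImageFileName"] + len(name)] = name
    return bytes(buf)

if __name__ == "__main__":
    members = parse_dt(DT_EPROCESS_W2K)
    offs = offsets(members)
    print("unions:", find_overlaps(members))
    print(f"EPROCESS base: {eprocess_from_links(0x8146A0A0, offs):#x}")  # constructed address
    ep = sample_eprocess(offs)
    print(int.from_bytes(ep[offs['UniqueProcessId']:offs['UniqueProcessId'] + 4], 'little'),
          image_file_name(ep, offs))
```

The overlap check is worth running whenever offsets are pasted by hand: a genuine union (SubSystemVersion sharing 0x212 with its two byte halves) is expected, while any other overlap means a copy error in the table. Members whose nested type has no size here (Pcb, PageDirectoryPte) are simply skipped rather than guessed.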
#2
Posted on: 2007-08-06 15:23
Someone has answered..
#3
Posted on: 2007-08-06 17:18
Thanks! Thanks!
This symbol problem is a real headache...