Views: 1690  Replies: 2
TDI filter: getting a process's full path; a question about testing full paths on Windows 2003 with WinDbg
I'm pasting my WinDbg test session below. Environment: Windows 2003 RC2 virtual machine.
I have a few questions...
1. windbg.exe and conime.exe have the same PEB address. Why are they the same? When I actually fetch the full path, I only get windbg.exe's full path.
2. Using the same method to find ctfmon.exe's full path produces an error. Please advise... (this one is really hard for me to understand)
3. This doesn't happen on XP SP2. Could the offset PEB_EPROCESS_OFFSET be a variable on Windows 2003?
4. What approach can solve the problem of getting the full path in a TDI filter? Of course I've also considered using _SE_AUDIT_PROCESS_CREATION_INFO to get the process name and then matching the symbolic name against the drive letter.
Any guidance appreciated. Thanks.

lkd> !sprocess
.....
PROCESS 83727d88  SessionId: 0  Cid: 0488  Peb: 7ffdb000  ParentCid: 0168
    DirBase: 17f603e0  ObjectTable: e1247538  HandleCount: 81.
    Image: ctfmon.exe

PROCESS 83729bf0  SessionId: 0  Cid: 05a8  Peb: 7ffd8000  ParentCid: 0168
    DirBase: 17f602a0  ObjectTable: e175e950  HandleCount: 101.
    Image: windbg.exe

PROCESS 8344d2d8  SessionId: 0  Cid: 06d4  Peb: 7ffd3000  ParentCid: 0168
    DirBase: 17f602e0  ObjectTable: e16ed4e8  HandleCount: 52.
    Image: 12001.exe

PROCESS 8330b858  SessionId: 0  Cid: 0388  Peb: 7ffd8000  ParentCid: 06d4
    DirBase: 17f60340  ObjectTable: e144caa0  HandleCount: 48.
    Image: conime.exe

lkd> dt ntdll!_EPROCESS 8330b858
   +0x000 Pcb : _KPROCESS
   +0x078 ProcessLock : _EX_PUSH_LOCK
   +0x080 CreateTime : _LARGE_INTEGER 0x1c8301c`7fd65b92
   +0x088 ExitTime : _LARGE_INTEGER 0x0
   +0x090 RundownProtect : _EX_RUNDOWN_REF
   +0x094 UniqueProcessId : 0x00000388
   +0x098 ActiveProcessLinks : _LIST_ENTRY [ 0x808a61c8 - 0x8344d370 ]
   +0x0a0 QuotaUsage : [3] 0x7f8
   +0x0ac QuotaPeak : [3] 0x960
   +0x0b8 CommitCharge : 0xb3
   +0x0bc PeakVirtualSize : 0x1da1000
   +0x0c0 VirtualSize : 0x1a6e000
   +0x0c4 SessionProcessLinks : _LIST_ENTRY [ 0xf799b010 - 0x8344d39c ]
   +0x0cc DebugPort : (null)
   +0x0d0 ExceptionPort : 0xe133f690
   +0x0d4 ObjectTable : 0xe144caa0 _HANDLE_TABLE
   +0x0d8 Token : _EX_FAST_REF
   +0x0dc WorkingSetPage : 0x7d0a
   +0x0e0 AddressCreationLock : _KGUARDED_MUTEX
   +0x100 HyperSpaceLock : 0
   +0x104 ForkInProgress : (null)
   +0x108 HardwareTrigger : 0
   +0x10c PhysicalVadRoot : (null)
   +0x110 CloneRoot : (null)
   +0x114 NumberOfPrivatePages : 0x7a
   +0x118 NumberOfLockedPages : 0
   +0x11c Win32Process : 0xe16e31c0
   +0x120 Job : (null)
   +0x124 SectionObject : 0xe1320250
   +0x128 SectionBaseAddress : 0x01000000
   +0x12c QuotaBlock : 0x833ff8d0 _EPROCESS_QUOTA_BLOCK
   +0x130 WorkingSetWatch : (null)
   +0x134 Win32WindowStation : 0x0000004c
   +0x138 InheritedFromUniqueProcessId : 0x000006d4
   +0x13c LdtInformation : (null)
   +0x140 VadFreeHint : (null)
   +0x144 VdmObjects : (null)
   +0x148 DeviceMap : 0xe16f8fd0
   +0x14c Spare0 : [3] (null)
   +0x158 PageDirectoryPte : _HARDWARE_PTE_X86
   +0x158 Filler : 0
   +0x160 Session : 0xf799b000
   +0x164 ImageFileName : [16] "conime.exe"
   +0x174 JobLinks : _LIST_ENTRY [ 0x0 - 0x0 ]
   +0x17c LockedPagesList : (null)
   +0x180 ThreadListHead : _LIST_ENTRY [ 0x832ed63c - 0x832ed63c ]
   +0x188 SecurityPort : (null)
   +0x18c PaeTop : 0xf7ad2340
   +0x190 ActiveThreads : 1
   +0x194 GrantedAccess : 0x1f0fff
   +0x198 DefaultHardErrorProcessing : 1
   +0x19c LastThreadExitStatus : 0
   +0x1a0 Peb : 0x7ffd8000 _PEB
   +0x1a4 PrefetchTrace : _EX_FAST_REF
   +0x1a8 ReadOperationCount : _LARGE_INTEGER 0x3
   +0x1b0 WriteOperationCount : _LARGE_INTEGER 0x3
   +0x1b8 OtherOperationCount : _LARGE_INTEGER 0xa6
   +0x1c0 ReadTransferCount : _LARGE_INTEGER 0x114
   +0x1c8 WriteTransferCount : _LARGE_INTEGER 0x15c
   +0x1d0 OtherTransferCount : _LARGE_INTEGER 0x8b0
   +0x1d8 CommitChargeLimit : 0
   +0x1dc CommitChargePeak : 0xb7
   +0x1e0 AweInfo : (null)
   +0x1e4 SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO
   +0x1e8 Vm : _MMSUPPORT
   +0x230 MmProcessLinks : _LIST_ENTRY [ 0x8089ff68 - 0x8344d508 ]
   +0x238 ModifiedPageCount : 0
   +0x23c JobStatus : 0
   +0x240 Flags : 0x450801
   +0x240 CreateReported : 0y1
   +0x240 NoDebugInherit : 0y0
   +0x240 ProcessExiting : 0y0
   +0x240 ProcessDelete : 0y0
   +0x240 Wow64SplitPages : 0y0
   +0x240 VmDeleted : 0y0
   +0x240 OutswapEnabled : 0y0
   +0x240 Outswapped : 0y0
   +0x240 ForkFailed : 0y0
   +0x240 Wow64VaSpace4Gb : 0y0
   +0x240 AddressSpaceInitialized : 0y10
   +0x240 SetTimerResolution : 0y0
   +0x240 BreakOnTermination : 0y0
   +0x240 SessionCreationUnderway : 0y0
   +0x240 WriteWatch : 0y0
   +0x240 ProcessInSession : 0y1
   +0x240 OverrideAddressSpace : 0y0
   +0x240 HasAddressSpace : 0y1
   +0x240 LaunchPrefetched : 0y0
   +0x240 InjectInpageErrors : 0y0
   +0x240 VmTopDown : 0y0
   +0x240 ImageNotifyDone : 0y1
   +0x240 PdeUpdateNeeded : 0y0
   +0x240 VdmAllowed : 0y0
   +0x240 SmapAllowed : 0y0
   +0x240 CreateFailed : 0y0
   +0x240 DefaultIoPriority : 0y000
   +0x240 Spare1 : 0y0
   +0x240 Spare2 : 0y0
   +0x244 ExitStatus : 259
   +0x248 NextPageColor : 0xb48d
   +0x24a SubSystemMinorVersion : 0 ''
   +0x24b SubSystemMajorVersion : 0x4 ''
   +0x24a SubSystemVersion : 0x400
   +0x24c PriorityClass : 0x2 ''
   +0x250 VadRoot : _MM_AVL_TABLE
   +0x270 Cookie : 0x7e1783b2

lkd> dt ntdll!_peb 0x7ffd8000
ntdll!_PEB
   +0x000 InheritedAddressSpace : 0 ''
   +0x001 ReadImageFileExecOptions : 0 ''
   +0x002 BeingDebugged : 0 ''
   +0x003 BitField : 0 ''
   +0x003 ImageUsesLargePages : 0y0
   +0x003 SpareBits : 0y0000000 (0)
   +0x004 Mutant : 0xffffffff
   +0x008 ImageBaseAddress : 0x01000000
   +0x00c Ldr : 0x7c9b77e0 _PEB_LDR_DATA
   +0x010 ProcessParameters : 0x00020000 _RTL_USER_PROCESS_PARAMETERS
   +0x014 SubSystemData : (null)
   +0x018 ProcessHeap : 0x00090000
   +0x01c FastPebLock : 0x7c9b7740 _RTL_CRITICAL_SECTION
   +0x020 AtlThunkSListPtr : (null)
   +0x024 SparePtr2 : (null)
   +0x028 EnvironmentUpdateCount : 1
   +0x02c KernelCallbackTable : 0x77e129b0
   +0x030 SystemReserved : [1] 0
   +0x034 SpareUlong : 0
   +0x038 FreeList : (null)
   +0x03c TlsExpansionCounter : 0
   +0x040 TlsBitmap : 0x7c9b8fd8
   +0x044 TlsBitmapBits : [2] 0x3fff
   +0x04c ReadOnlySharedMemoryBase : 0x7f6f0000
   +0x050 ReadOnlySharedMemoryHeap : 0x7f6f0000
   +0x054 ReadOnlyStaticServerData : 0x7f6f0688 -> (null)
   +0x058 AnsiCodePageData : 0x7ffa0000
   +0x05c OemCodePageData : 0x7ffa0000
   +0x060 UnicodeCaseTableData : 0x7ffd1000
   +0x064 NumberOfProcessors : 1
   +0x068 NtGlobalFlag : 0
   +0x070 CriticalSectionTimeout : _LARGE_INTEGER 0xffffe86d`079b8000
   +0x078 HeapSegmentReserve : 0x100000
   +0x07c HeapSegmentCommit : 0x2000
   +0x080 HeapDeCommitTotalFreeThreshold : 0x10000
   +0x084 HeapDeCommitFreeBlockThreshold : 0x1000
   +0x088 NumberOfHeaps : 9
   +0x08c MaximumNumberOfHeaps : 0x10
   +0x090 ProcessHeaps : 0x7c9b8a20 -> 0x00090000
   +0x094 GdiSharedHandleTable : 0x003b0000
   +0x098 ProcessStarterHelper : (null)
   +0x09c GdiDCAttributeList : 0x14
   +0x0a0 LoaderLock : 0x7c9b77a0 _RTL_CRITICAL_SECTION
   +0x0a4 OSMajorVersion : 5
   +0x0a8 OSMinorVersion : 2
   +0x0ac OSBuildNumber : 0xece
   +0x0ae OSCSDVersion : 0x200
   +0x0b0 OSPlatformId : 2
   +0x0b4 ImageSubsystem : 2
   +0x0b8 ImageSubsystemMajorVersion : 4
   +0x0bc ImageSubsystemMinorVersion : 0
   +0x0c0 ImageProcessAffinityMask : 0
   +0x0c4 GdiHandleBuffer : [34] 0
   +0x14c PostProcessInitRoutine : (null)
   +0x150 TlsExpansionBitmap : 0x7c9b8fd0
   +0x154 TlsExpansionBitmapBits : [32] 1
   +0x1d4 SessionId : 0
   +0x1d8 AppCompatFlags : _ULARGE_INTEGER 0x0
   +0x1e0 AppCompatFlagsUser : _ULARGE_INTEGER 0x0
   +0x1e8 pShimData : (null)
   +0x1ec AppCompatInfo : (null)
   +0x1f0 CSDVersion : _UNICODE_STRING "Service Pack 2"
   +0x1f8 ActivationContextData : 0x00080000 _ACTIVATION_CONTEXT_DATA
   +0x1fc ProcessAssemblyStorageMap : 0x00093978 _ASSEMBLY_STORAGE_MAP
   +0x200 SystemDefaultActivationContextData : 0x00070000 _ACTIVATION_CONTEXT_DATA
   +0x204 SystemAssemblyStorageMap : (null)
   +0x208 MinimumStackCommit : 0
   +0x20c FlsCallback : 0x00093d28 -> (null)
   +0x210 FlsListHead : _LIST_ENTRY [ 0x91f60 - 0xad558 ]
   +0x218 FlsBitmap : 0x7c9b8fc0
   +0x21c FlsBitmapBits : [4] 0xf
   +0x22c FlsHighIndex : 3

lkd> dt ntdll!_RTL_USER_PROCESS_PARAMETERS 0x00020000
   +0x000 MaximumLength : 0x1000
   +0x004 Length : 0x784
   +0x008 Flags : 0x6001
   +0x00c DebugFlags : 0
   +0x010 ConsoleHandle : (null)
   +0x014 ConsoleFlags : 0
   +0x018 StandardInput : (null)
   +0x01c StandardOutput : 0x00010001
   +0x020 StandardError : (null)
   +0x024 CurrentDirectory : _CURDIR
   +0x030 DllPath : _UNICODE_STRING "C:\Program Files\Debugging Tools for Windows;C:\WINDOWS\system32;C:\WINDOWS\system;C:\WINDOWS;.;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem"
   +0x038 ImagePathName : _UNICODE_STRING "C:\Program Files\Debugging Tools for Windows\windbg.exe"
   +0x040 CommandLine : _UNICODE_STRING ""C:\Program Files\Debugging Tools for Windows\windbg.exe" "
   +0x048 Environment : 0x00010000
   +0x04c StartingX : 0
   +0x050 StartingY : 0
   +0x054 CountX : 0
   +0x058 CountY : 0
   +0x05c CountCharsX : 0
   +0x060 CountCharsY : 0
   +0x064 FillAttribute : 0
   +0x068 WindowFlags : 0xc01
   +0x06c ShowWindowFlags : 1
   +0x070 WindowTitle : _UNICODE_STRING "C:\Documents and Settings\All Users\「開始」功能表\程式集\Debugging Tools for Windows\WinDbg.lnk"
   +0x078 DesktopInfo : _UNICODE_STRING "WinSta0\Default"
   +0x080 ShellInfo : _UNICODE_STRING ""
   +0x088 RuntimeData : _UNICODE_STRING ""
   +0x090 CurrentDirectores : [32] _RTL_DRIVE_LETTER_CURDIR

lkd> dt ntdll!_peb 0x7ffdb000
ntdll!_PEB
   +0x000 InheritedAddressSpace : ??
   +0x001 ReadImageFileExecOptions : ??
   +0x002 BeingDebugged : ??
   +0x003 BitField : ??
   +0x003 ImageUsesLargePages : ??
   +0x003 SpareBits : ??
   +0x004 Mutant : ????
   +0x008 ImageBaseAddress : ????
   +0x00c Ldr : ????
   +0x010 ProcessParameters : ????
   +0x014 SubSystemData : ????
   +0x018 ProcessHeap : ????
   +0x01c FastPebLock : ????
   +0x020 AtlThunkSListPtr : ????
   +0x024 SparePtr2 : ????
   +0x028 EnvironmentUpdateCount : ??
   +0x02c KernelCallbackTable : ????
   +0x030 SystemReserved : [1] ??
   +0x034 SpareUlong : ??
   +0x038 FreeList : ????
   +0x03c TlsExpansionCounter : ??
   +0x040 TlsBitmap : ????
   +0x044 TlsBitmapBits : [2] ??
   +0x04c ReadOnlySharedMemoryBase : ????
   +0x050 ReadOnlySharedMemoryHeap : ????
   +0x054 ReadOnlyStaticServerData : ????
   +0x058 AnsiCodePageData : ????
   +0x05c OemCodePageData : ????
   +0x060 UnicodeCaseTableData : ????
   +0x064 NumberOfProcessors : ??
   +0x068 NtGlobalFlag : ??
   +0x070 CriticalSectionTimeout : _LARGE_INTEGER
   +0x078 HeapSegmentReserve : ??
   +0x07c HeapSegmentCommit : ??
   +0x080 HeapDeCommitTotalFreeThreshold : ??
   +0x084 HeapDeCommitFreeBlockThreshold : ??
   +0x088 NumberOfHeaps : ??
   +0x08c MaximumNumberOfHeaps : ??
   +0x090 ProcessHeaps : ????
   +0x094 GdiSharedHandleTable : ????
   +0x098 ProcessStarterHelper : ????
   +0x09c GdiDCAttributeList : ??
   +0x0a0 LoaderLock : ????
   +0x0a4 OSMajorVersion : ??
   +0x0a8 OSMinorVersion : ??
   +0x0ac OSBuildNumber : ??
   +0x0ae OSCSDVersion : ??
   +0x0b0 OSPlatformId : ??
   +0x0b4 ImageSubsystem : ??
   +0x0b8 ImageSubsystemMajorVersion : ??
   +0x0bc ImageSubsystemMinorVersion : ??
   +0x0c0 ImageProcessAffinityMask : ??
   +0x0c4 GdiHandleBuffer : [34] ??
   +0x14c PostProcessInitRoutine : ????
   +0x150 TlsExpansionBitmap : ????
   +0x154 TlsExpansionBitmapBits : [32] ??
   +0x1d4 SessionId : ??
   +0x1d8 AppCompatFlags : _ULARGE_INTEGER
   +0x1e0 AppCompatFlagsUser : _ULARGE_INTEGER
   +0x1e8 pShimData : ????
   +0x1ec AppCompatInfo : ????
   +0x1f0 CSDVersion : _UNICODE_STRING
   +0x1f8 ActivationContextData : ????
   +0x1fc ProcessAssemblyStorageMap : ????
   +0x200 SystemDefaultActivationContextData : ????
   +0x204 SystemAssemblyStorageMap : ????
   +0x208 MinimumStackCommit : ??
   +0x20c FlsCallback : ????
   +0x210 FlsListHead : _LIST_ENTRY
   +0x218 FlsBitmap : ????
   +0x21c FlsBitmapBits : [4] ??
   +0x22c FlsHighIndex : ??
Memory read error 7ffdb22c
Reply #1
Posted: 2007-11-27 11:38
Why Traditional characters? They're tiring to read. Are you at a Taiwanese company?

>> 1. windbg.exe and conime.exe have the same PEB address. Why are they the same? When I actually fetch the full path, I only get windbg.exe's full path.
Of course they can be the same. Different processes have different address spaces; the same PEB address does not mean it points at the same block of memory. What you fetched is the full path of the current process. To get another process's, you first have to switch into that process's address space.

>> 2. Using the same method to find ctfmon.exe's full path produces an error. Please advise... (this one is really hard for me to understand)
What error?

>> 3. This doesn't happen on XP SP2. Could the offset PEB_EPROCESS_OFFSET be a variable on Windows 2003?
The value can differ between OS versions.

>> 4. What approach can solve the problem of getting the full path in a TDI filter? Of course I've also considered using _SE_AUDIT_PROCESS_CREATION_INFO to get the process name and then matching the symbolic name against the drive letter.
The approach above is workable.
Reply #2
Posted: 2007-11-27 13:55
Re: TDI filter: getting a process's full path; a question about testing on W

>> Why Traditional characters? They're tiring to read. Are you at a Taiwanese company?
Yes.... You get used to Simplified/Traditional after reading it for a while ^^.... same as English, once you've read enough.... even if you're not used to it you have to force yourself - -...

>> Of course they can be the same. Different processes have different address spaces; the same PEB address does not mean it points at the same block of memory.
>> What you fetched is the full path of the current process. To get another process's, you first have to switch into that process's address space.
One conversation with you is worth ten years of study...

Besides, I have now solved this problem. The method is as follows:
Still start from the process ID; use PsLookupProcessByProcessId to get the EPROCESS address.
EPROCESS_PEB_OFFSET: from my debugging, XP SP2 and W2K SP4 work with 0x01B0; W2K3 RC2 uses 0x01A0 (which differs from the 0x0190 found online).
PEB_PROCESS_PARAMETER_OFFSET 0x0010
PROCESS_PARAMETER_FULL_IMAGE_NAME 0x003C
Also use __try {} __except(EXCEPTION_EXECUTE_HANDLER) {} to prevent a BSOD from accessing invalid memory.
With this I basically see the correct full path name in DbgView.
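The two points made in this thread (the same PEB address meaning different memory in different address spaces, and EPROCESS offsets that change between OS versions) can be seen on an ordinary host without a WDK. The C program below is an added example written for this page, not code from either poster: it models two processes whose EPROCESS.Peb is 0x7ffd8000, as the !sprocess listing shows for windbg.exe and conime.exe, each backed by its own constructed user address space, and walks EPROCESS -> PEB -> ProcessParameters -> ImagePathName with a per-version offset table (0x1A0 for W2K3 and 0x1B0 for XP SP2 from the second reply, 0x10 and 0x38 from the dt output; the reply's 0x3C is the Buffer field of that UNICODE_STRING, 4 bytes past its Length and MaximumLength). Resolving the user-mode addresses in the wrong address space reproduces the symptom in the first post: conime.exe's EPROCESS yields windbg.exe's path. The Region/UserAs types, resolve(), FakeProcess, the region addresses and the sample paths are constructed for the model; in a real driver the address-space switch is KeStackAttachProcess/KeUnstackDetachProcess, and the status codes are the checks a driver should make rather than leaving __try/__except as the only safety net.

```c
/* Host-side model of the EPROCESS -> PEB -> ProcessParameters -> ImagePathName walk
 * discussed in this thread. Added example, not the posters' code; needs no WDK.
 * "Kernel" objects and the two "user address spaces" are byte arrays constructed
 * below. The address-space switch (KeStackAttachProcess in a driver) is modelled by
 * choosing which UserAs a user-mode VA is resolved in. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <wchar.h>

/* Per-OS-version offsets: a table, not a single constant (question 3 / reply 1). */
typedef struct {
    const char *name;
    uint32_t eprocess_peb;     /* EPROCESS.Peb (reply 2: 0x1A0 on W2K3, 0x1B0 on XP SP2) */
    uint32_t peb_params;       /* PEB.ProcessParameters (dt output: +0x010) */
    uint32_t params_imagepath; /* RTL_USER_PROCESS_PARAMETERS.ImagePathName (dt: +0x038) */
} OsOffsets;
static const OsOffsets OFFSETS_W2K3  = { "w2k3",   0x1A0, 0x10, 0x38 };
static const OsOffsets OFFSETS_XPSP2 = { "xp sp2", 0x1B0, 0x10, 0x38 };

/* A modelled 32-bit user address space: a few VA-mapped regions (constructed). */
typedef struct { uint32_t va; uint8_t *mem; uint32_t size; } Region;
typedef struct { Region r[2]; int n; } UserAs;

/* Map [va, va+len) to host memory in the given address space, or NULL when the
 * range is unmapped (the case that raises an exception in kernel mode). */
static const uint8_t *resolve(const UserAs *as, uint32_t va, uint32_t len) {
    for (int i = 0; i < as->n; i++) {
        const Region *g = &as->r[i];
        if (va >= g->va && len <= g->size && va - g->va <= g->size - len)
            return g->mem + (va - g->va);
    }
    return NULL;
}

typedef enum { PATH_OK, PATH_BAD_PEB, PATH_BAD_PARAMS, PATH_BAD_STRING, PATH_TOO_LONG } PathStatus;

/* The walk itself. `as` must be the *target* process's address space: the PEB and
 * everything below it are user-mode addresses that only mean something there. */
static PathStatus read_image_path(const uint8_t *eprocess, const OsOffsets *o,
                                  const UserAs *as, wchar_t *out, size_t cap) {
    uint32_t peb_va, params_va, buf_va;
    uint16_t len, maxlen;
    memcpy(&peb_va, eprocess + o->eprocess_peb, 4);
    const uint8_t *p = resolve(as, peb_va + o->peb_params, 4);
    if (!p) return PATH_BAD_PEB;              /* Peb == 0 (System), paged out, wrong offset */
    memcpy(&params_va, p, 4);
    const uint8_t *us = resolve(as, params_va + o->params_imagepath, 8);
    if (!us) return PATH_BAD_PARAMS;
    memcpy(&len, us, 2); memcpy(&maxlen, us + 2, 2); memcpy(&buf_va, us + 4, 4);
    /* UNICODE_STRING: Length is a byte count and Buffer need not be NUL-terminated. */
    if (len == 0 || (len & 1) || len > maxlen || buf_va == 0) return PATH_BAD_STRING;
    const uint8_t *buf = resolve(as, buf_va, len);
    if (!buf) return PATH_BAD_STRING;
    size_t nchars = len / 2;
    if (nchars + 1 > cap) return PATH_TOO_LONG;
    for (size_t i = 0; i < nchars; i++) out[i] = (wchar_t)(buf[2 * i] | (buf[2 * i + 1] << 8));
    out[nchars] = L'\0';
    return PATH_OK;
}

/* Constructed sample processes. Both get Peb == 0x7ffd8000, exactly as !sprocess
 * shows for windbg.exe and conime.exe; the other VAs are made up for the model. */
#define PEB_VA     0x7ffd8000u
#define PARAMS_VA  0x00020000u
#define PATHBUF_VA 0x00020400u
typedef struct { uint8_t eprocess[0x280], peb[0x240], params[0x800]; UserAs as; } FakeProcess;

static void build_process(FakeProcess *fp, const OsOffsets *o, const char *ascii_path) {
    memset(fp, 0, sizeof *fp);
    uint32_t v = PEB_VA;    memcpy(fp->eprocess + o->eprocess_peb, &v, 4);
    v = PARAMS_VA;          memcpy(fp->peb + o->peb_params, &v, 4);
    uint16_t len = (uint16_t)(strlen(ascii_path) * 2), maxlen = (uint16_t)(len + 2);
    uint8_t *us = fp->params + o->params_imagepath;
    v = PATHBUF_VA;
    memcpy(us, &len, 2); memcpy(us + 2, &maxlen, 2); memcpy(us + 4, &v, 4);
    uint8_t *buf = fp->params + (PATHBUF_VA - PARAMS_VA);   /* UTF-16LE, no terminator */
    for (size_t i = 0; ascii_path[i]; i++) buf[2 * i] = (uint8_t)ascii_path[i];
    fp->as.r[0] = (Region){ PEB_VA, fp->peb, (uint32_t)sizeof fp->peb };
    fp->as.r[1] = (Region){ PARAMS_VA, fp->params, (uint32_t)sizeof fp->params };
    fp->as.n = 2;
}

static FakeProcess g_windbg, g_conime;

/* Reproduces the first post's symptom: reading conime.exe's chain while the VAs are
 * resolved in windbg.exe's address space returns windbg.exe's path. Returns 1 when
 * the attached read differs from the mis-attached one and the wrong-version offsets
 * fail with a status instead of reading arbitrary memory. */
static int demo(void) {
    wchar_t wrong[260], right[260];
    build_process(&g_windbg, &OFFSETS_W2K3, "C:\\Program Files\\Debugging Tools for Windows\\windbg.exe");
    build_process(&g_conime, &OFFSETS_W2K3, "C:\\WINDOWS\\system32\\conime.exe");
    read_image_path(g_conime.eprocess, &OFFSETS_W2K3, &g_windbg.as, wrong, 260); /* no attach */
    read_image_path(g_conime.eprocess, &OFFSETS_W2K3, &g_conime.as, right, 260); /* attached */
    printf("[%s] without attach: %ls\n[%s] with attach:    %ls\n",
           OFFSETS_W2K3.name, wrong, OFFSETS_W2K3.name, right);
    int differs = wcscmp(wrong, right) != 0;
    /* XP SP2 offsets on a W2K3 process: Peb is read from 0x1B0, which is 0 here. */
    PathStatus s = read_image_path(g_conime.eprocess, &OFFSETS_XPSP2, &g_conime.as, wrong, 260);
    return differs && s == PATH_BAD_PEB;
}

int main(void) { return demo() ? 0 : 1; }
```

The model keeps the two things a TDI filter gets wrong when it reads the PEB from whatever thread happens to be running: the user-mode pointers are only valid in the target's address space, and a mismatched EPROCESS offset reads a field that merely looks like a pointer. Bounding the copy by UNICODE_STRING.Length (a byte count, with no guaranteed terminator) and refusing a zero Peb or a buffer the caller cannot hold are the checks that __try/__except alone would not give you.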