================= Kernel-mode debugging of an application ========================
kd> !process
PROCESS 805539a0 SessionId: none Cid: 0000 Peb: 00000000 ParentCid: 0000
DirBase: 00af8000 ObjectTable: e1000cc0 HandleCount: 253.
Image: Idle
VadRoot 00000000 Vads 0 Clone 0 Private 0. Modified 0. Locked 0.
DeviceMap 00000000
Token e10017e8
ElapsedTime 00:00:00.000
UserTime 00:00:00.000
KernelTime 00:02:54.046
QuotaPoolUsage[PagedPool] 0
QuotaPoolUsage[NonPagedPool] 0
Working Set Sizes (now,min,max) (7, 50, 450) (28KB, 200KB, 1800KB)
PeakWorkingSetSize 0
VirtualSize 0 Mb
PeakVirtualSize 0 Mb
PageFaultCount 0
MemoryPriority BACKGROUND
BasePriority 0
CommitCharge 0
THREAD 80553740 Cid 0000.0000 Teb: 00000000 Win32Thread: 00000000 RUNNING on processor 0
kd> ********* Look up the EPROCESS address of the explorer.exe process **********
kd> !process 0 0 explorer.exe
PROCESS 81ffbda0 SessionId: 0 Cid: 0250 Peb: 7ffde000 ParentCid: 0204
DirBase: 08cc0260 ObjectTable: e1aab350 HandleCount: 508.
Image: explorer.exe
kd> ********* Switch the process context to explorer.exe **********
kd> .process /i 81ffbda0
You need to continue execution (press 'g' <enter>) for the context
to be switched. When the debugger breaks in again, you will be in
the new process context.
kd> g
Break instruction exception - code 80000003 (first chance)
nt!RtlpBreakWithStatusInstruction:
80528bdc cc int 3
kd> ******** Show the current process again **********
kd> !process
PROCESS 81ffbda0 SessionId: 0 Cid: 0250 Peb: 7ffde000 ParentCid: 0204
DirBase: 08cc0260 ObjectTable: e1aab350 HandleCount: 508.
Image: explorer.exe
VadRoot 81b710d0 Vads 320 Clone 0 Private 2292. Modified 5440. Locked 0.
DeviceMap e14db6a8
Token e1abc940
ElapsedTime 13 Days 22:30:09.824
UserTime 00:00:01.531
KernelTime 00:00:06.203
QuotaPoolUsage[PagedPool] 147804
QuotaPoolUsage[NonPagedPool] 15000
Working Set Sizes (now,min,max) (5047, 50, 345) (20188KB, 200KB, 1380KB)
PeakWorkingSetSize 5049
VirtualSize 81 Mb
PeakVirtualSize 88 Mb
PageFaultCount 9262
MemoryPriority BACKGROUND
BasePriority 8
CommitCharge 3560
THREAD 81fd0020 Cid 0250.0254 Teb: 7ffdd000 Win32Thread: e1a7d868 WAIT: (WrUserRequest) UserMode Non-Alertable
820788a0 SynchronizationEvent
THREAD 8207b020 Cid 0250.0260 Teb: 7ffdc000 Win32Thread: e200cb68 WAIT: (WrLpcReceive) UserMode Non-Alertable
81cab908 Semaphore Limit 0x7fffffff
8207b110 NotificationTimer
THREAD 81caba78 Cid 0250.0290 Teb: 7ffdb000 Win32Thread: 00000000 WAIT: (DelayExecution) UserMode Non-Alertable
81cabb68 NotificationTimer
THREAD 81eb9bb8 Cid 0250.03a8 Teb: 7ffda000 Win32Thread: e1fd7918 WAIT: (WrUserRequest) UserMode Non-Alertable
8207b2a8 SynchronizationEvent
THREAD 81f82a50 Cid 0250.02ec Teb: 7ffd9000 Win32Thread: 00000000 WAIT: (DelayExecution) UserMode Alertable
81f82b40 NotificationTimer
THREAD 82076778 Cid 0250.02f0 Teb: 7ffd8000 Win32Thread: e1aac4b0 WAIT: (WrQueue) UserMode Non-Alertable
81f87b30 Unknown
82076868 NotificationTimer
THREAD 81f87600 Cid 0250.0314 Teb: 7ffd7000 Win32Thread: 00000000 WAIT: (UserRequest) UserMode Alertable
81d58e30 NotificationTimer
81db7e28 SynchronizationEvent
81da9e00 NotificationEvent
THREAD 82046640 Cid 0250.03f4 Teb: 7ffd6000 Win32Thread: e1a20380 WAIT: (UserRequest) UserMode Alertable
81d575a4 NotificationEvent
81cbf5bc NotificationEvent
81d87fec NotificationEvent
81d94fec NotificationEvent
8205d544 NotificationEvent
8201bc5c NotificationEvent
81c9c32c NotificationEvent
82035fec NotificationEvent
81cdd808 SynchronizationEvent
THREAD 81c7cbe0 Cid 0250.064c Teb: 7ffd5000 Win32Thread: e1f05008 WAIT: (UserRequest) UserMode Non-Alertable
81b60698 SynchronizationEvent
81c7bdc8 SynchronizationEvent
THREAD 81d494e0 Cid 0250.0654 Teb: 7ffd3000 Win32Thread: e14d2ca8 WAIT: (UserRequest) UserMode Non-Alertable
81b60d18 SynchronizationEvent
81d49168 SynchronizationEvent
THREAD 82003da8 Cid 0250.06b0 Teb: 7ff9f000 Win32Thread: 00000000 WAIT: (UserRequest) UserMode Non-Alertable
81d59e98 SynchronizationEvent
81c995e0 NotificationEvent
THREAD 81d49da8 Cid 0250.06bc Teb: 7ff9e000 Win32Thread: e21d3558 WAIT: (WrUserRequest) UserMode Non-Alertable
81b70590 SynchronizationEvent
THREAD 81de1b38 Cid 0250.07e8 Teb: 7ff9d000 Win32Thread: e21126b0 WAIT: (WrUserRequest) UserMode Non-Alertable
8203d6c8 SynchronizationEvent
THREAD 81b67390 Cid 0250.07dc Teb: 7ff9c000 Win32Thread: 00000000 WAIT: (UserRequest) UserMode Alertable
82053c18 SynchronizationEvent
81b78700 SynchronizationEvent
81b67480 NotificationTimer
THREAD 81b5da70 Cid 0250.00c0 Teb: 7ff9b000 Win32Thread: e224eeb0 WAIT: (WrLpcReceive) UserMode Non-Alertable
81cab908 Semaphore Limit 0x7fffffff
81b5db60 NotificationTimer
THREAD 81b6b598 Cid 0250.00dc Teb: 7ff9a000 Win32Thread: e1a20d48 WAIT: (WrLpcReceive) UserMode Non-Alertable
81cab908 Semaphore Limit 0x7fffffff
81b6b688 NotificationTimer
THREAD 8202a020 Cid 0250.0258 Teb: 7ff99000 Win32Thread: e2036eb0 WAIT: (UserRequest) UserMode Non-Alertable
81c71350 SynchronizationEvent
81c7b1c0 SynchronizationEvent
kd> ******** Switch to the specified thread **********
kd> .thread 81b6b598
Implicit thread is now 81b6b598
kd> kv
*** Stack trace for last set context - .thread/.cxr resets it
ChildEBP RetAddr Args to Child
b247ac64 80501cd6 81b6b608 81b6b598 804fad62 nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])
b247ac70 804fad62 e1abb3e8 80554960 e1abb3e8 nt!KiSwapThread+0x46 (FPO: [0,0,0])
b247ac98 8059c5b0 00000001 00000010 81c8da01 nt!KeWaitForSingleObject+0x1c2 (FPO: [Non-Fpo])
b247ad48 8053e638 00000188 02a4ff74 00000000 nt!NtReplyWaitReceivePortEx+0x3dc (FPO: [Non-Fpo])
b247ad48 7c92e4f4 00000188 02a4ff74 00000000 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ b247ad64)
02a4fe14 7c92da8c 77e565e3 00000188 02a4ff74 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
02a4fe18 77e565e3 00000188 02a4ff74 00000000 ntdll!ZwReplyWaitReceivePortEx+0xc (FPO: [5,0,0])
02a4ff80 77e56caf 02a4ffa8 77e56ad1 000aefa8 RPCRT4!LRPC_ADDRESS::ReceiveLotsaCalls+0x12a (FPO: [Non-Fpo])
02a4ff88 77e56ad1 000aefa8 00000000 00000000 RPCRT4!RecvLotsaCallsWrapper+0xd (FPO: [Non-Fpo])
02a4ffa8 77e56c97 000aee60 02a4ffec 7c80b713 RPCRT4!BaseCachedThreadRoutine+0x79 (FPO: [Non-Fpo])
02a4ffb4 7c80b713 001362d8 00000000 00000000 RPCRT4!ThreadStartRoutine+0x1a (FPO: [Non-Fpo])
02a4ffec 00000000 77e56c7d 001362d8 00000000 kernel32!BaseThreadStart+0x37 (FPO: [Non-Fpo])
Note: if user-mode symbols such as kernel32!BaseThreadStart+0x37 are not shown, use the .reload /user command to reload the user-mode symbols.
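As an added example (not part of the debugging session above), a small Python parser for the `!process` output format shown here: it extracts each PROCESS header and its THREAD lines, so an analyst can pick the EPROCESS address to hand to `.process /i` and see which wait reasons a process's threads are blocked on. The sample input is an excerpt constructed from the listing above, and the regexes assume the XP-era x86 `!process` layout this page shows.

```python
import re
from collections import Counter

# Constructed sample: an excerpt of the "!process" listing in the session above
# (addresses copied from the page; the real listing has many more threads).
SAMPLE = """\
PROCESS 805539a0 SessionId: none Cid: 0000 Peb: 00000000 ParentCid: 0000
Image: Idle
THREAD 80553740 Cid 0000.0000 Teb: 00000000 Win32Thread: 00000000 RUNNING on processor 0
PROCESS 81ffbda0 SessionId: 0 Cid: 0250 Peb: 7ffde000 ParentCid: 0204
Image: explorer.exe
THREAD 81fd0020 Cid 0250.0254 Teb: 7ffdd000 Win32Thread: e1a7d868 WAIT: (WrUserRequest) UserMode Non-Alertable
THREAD 8207b020 Cid 0250.0260 Teb: 7ffdc000 Win32Thread: e200cb68 WAIT: (WrLpcReceive) UserMode Non-Alertable
81cab908 Semaphore Limit 0x7fffffff
THREAD 81b6b598 Cid 0250.00dc Teb: 7ff9a000 Win32Thread: e1a20d48 WAIT: (WrLpcReceive) UserMode Non-Alertable
"""

PROCESS_RE = re.compile(r"^PROCESS (?P<eprocess>[0-9a-f]{8}) SessionId: \S+ Cid: (?P<cid>[0-9a-f]+) "
                        r"Peb: [0-9a-f]+ ParentCid: (?P<parent>[0-9a-f]+)")
IMAGE_RE = re.compile(r"^Image: (?P<image>\S+)")
THREAD_RE = re.compile(r"^THREAD (?P<ethread>[0-9a-f]{8}) Cid [0-9a-f]+\.(?P<tid>[0-9a-f]+) Teb: \S+ "
                       r"Win32Thread: \S+ (?:WAIT: \((?P<reason>\w+)\) \w+ (?P<alert>\S+)|RUNNING on processor \d+)")


def parse_process_dump(text):
    """Parse '!process' output into process dicts, each carrying its thread list."""
    procs = []
    for line in (l.strip() for l in text.splitlines()):
        if m := PROCESS_RE.match(line):
            procs.append({**m.groupdict(), "image": None, "threads": []})
        elif not procs:
            continue  # ignore anything before the first PROCESS header
        elif m := IMAGE_RE.match(line):
            procs[-1]["image"] = m.group("image")
        elif m := THREAD_RE.match(line):
            d = m.groupdict()
            procs[-1]["threads"].append({
                "ethread": d["ethread"], "tid": d["tid"],
                "reason": d["reason"] or "RUNNING",   # RUNNING threads carry no WAIT reason
                "alertable": d["alert"] == "Alertable"})
    return procs


def wait_reason_summary(proc):
    """Count threads per wait reason: a quick view of what a process is blocked on."""
    return Counter(t["reason"] for t in proc["threads"])


def find_eprocess(procs, image):
    """Return the EPROCESS address to pass to '.process /i', or None if not listed."""
    return next((p["eprocess"] for p in procs if p["image"] == image), None)
```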