Debugging a user-mode program from a kernel-mode debugger

=================Debugging a user-mode application from kernel mode========================


kd> ******** View the current process **********
kd> !process
PROCESS 805539a0  SessionId: none  Cid: 0000    Peb: 00000000  ParentCid: 0000
    DirBase: 00af8000  ObjectTable: e1000cc0  HandleCount: 253.
    Image: Idle
    VadRoot 00000000 Vads 0 Clone 0 Private 0. Modified 0. Locked 0.
    DeviceMap 00000000
    Token                             e10017e8
    ElapsedTime                       00:00:00.000
    UserTime                          00:00:00.000
    KernelTime                        00:02:54.046
    QuotaPoolUsage[PagedPool]         0
    QuotaPoolUsage[NonPagedPool]      0
    Working Set Sizes (now,min,max)  (7, 50, 450) (28KB, 200KB, 1800KB)
    PeakWorkingSetSize                0
    VirtualSize                       0 Mb
    PeakVirtualSize                   0 Mb
    PageFaultCount                    0
    MemoryPriority                    BACKGROUND
    BasePriority                      0
    CommitCharge                      0


        THREAD 80553740  Cid 0000.0000  Teb: 00000000 Win32Thread: 00000000 RUNNING on processor 0


kd> ********* Look up the EPROCESS address of the explorer.exe process **********
kd> !process 0 0 explorer.exe
PROCESS 81ffbda0  SessionId: 0  Cid: 0250    Peb: 7ffde000  ParentCid: 0204
    DirBase: 08cc0260  ObjectTable: e1aab350  HandleCount: 508.
    Image: explorer.exe


kd> ********* Switch the process context to explorer.exe **********
kd> .process /i 81ffbda0  
You need to continue execution (press 'g' <enter>) for the context
to be switched. When the debugger breaks in again, you will be in
the new process context.


kd> g
Break instruction exception - code 80000003 (first chance)
nt!RtlpBreakWithStatusInstruction:
80528bdc cc              int     3


kd> ******** View the current process again **********
kd> !process
PROCESS 81ffbda0  SessionId: 0  Cid: 0250    Peb: 7ffde000  ParentCid: 0204
    DirBase: 08cc0260  ObjectTable: e1aab350  HandleCount: 508.
    Image: explorer.exe
    VadRoot 81b710d0 Vads 320 Clone 0 Private 2292. Modified 5440. Locked 0.
    DeviceMap e14db6a8
    Token                             e1abc940
    ElapsedTime                       13 Days 22:30:09.824
    UserTime                          00:00:01.531
    KernelTime                        00:00:06.203
    QuotaPoolUsage[PagedPool]         147804
    QuotaPoolUsage[NonPagedPool]      15000
    Working Set Sizes (now,min,max)  (5047, 50, 345) (20188KB, 200KB, 1380KB)
    PeakWorkingSetSize                5049
    VirtualSize                       81 Mb
    PeakVirtualSize                   88 Mb
    PageFaultCount                    9262
    MemoryPriority                    BACKGROUND
    BasePriority                      8
    CommitCharge                      3560


        THREAD 81fd0020  Cid 0250.0254  Teb: 7ffdd000 Win32Thread: e1a7d868 WAIT: (WrUserRequest) UserMode Non-Alertable
            820788a0  SynchronizationEvent


        THREAD 8207b020  Cid 0250.0260  Teb: 7ffdc000 Win32Thread: e200cb68 WAIT: (WrLpcReceive) UserMode Non-Alertable
            81cab908  Semaphore Limit 0x7fffffff
            8207b110  NotificationTimer


        THREAD 81caba78  Cid 0250.0290  Teb: 7ffdb000 Win32Thread: 00000000 WAIT: (DelayExecution) UserMode Non-Alertable
            81cabb68  NotificationTimer


        THREAD 81eb9bb8  Cid 0250.03a8  Teb: 7ffda000 Win32Thread: e1fd7918 WAIT: (WrUserRequest) UserMode Non-Alertable
            8207b2a8  SynchronizationEvent


        THREAD 81f82a50  Cid 0250.02ec  Teb: 7ffd9000 Win32Thread: 00000000 WAIT: (DelayExecution) UserMode Alertable
            81f82b40  NotificationTimer


        THREAD 82076778  Cid 0250.02f0  Teb: 7ffd8000 Win32Thread: e1aac4b0 WAIT: (WrQueue) UserMode Non-Alertable
            81f87b30  Unknown
            82076868  NotificationTimer


        THREAD 81f87600  Cid 0250.0314  Teb: 7ffd7000 Win32Thread: 00000000 WAIT: (UserRequest) UserMode Alertable
            81d58e30  NotificationTimer
            81db7e28  SynchronizationEvent
            81da9e00  NotificationEvent


        THREAD 82046640  Cid 0250.03f4  Teb: 7ffd6000 Win32Thread: e1a20380 WAIT: (UserRequest) UserMode Alertable
            81d575a4  NotificationEvent
            81cbf5bc  NotificationEvent
            81d87fec  NotificationEvent
            81d94fec  NotificationEvent
            8205d544  NotificationEvent
            8201bc5c  NotificationEvent
            81c9c32c  NotificationEvent
            82035fec  NotificationEvent
            81cdd808  SynchronizationEvent


        THREAD 81c7cbe0  Cid 0250.064c  Teb: 7ffd5000 Win32Thread: e1f05008 WAIT: (UserRequest) UserMode Non-Alertable
            81b60698  SynchronizationEvent
            81c7bdc8  SynchronizationEvent


        THREAD 81d494e0  Cid 0250.0654  Teb: 7ffd3000 Win32Thread: e14d2ca8 WAIT: (UserRequest) UserMode Non-Alertable
            81b60d18  SynchronizationEvent
            81d49168  SynchronizationEvent


        THREAD 82003da8  Cid 0250.06b0  Teb: 7ff9f000 Win32Thread: 00000000 WAIT: (UserRequest) UserMode Non-Alertable
            81d59e98  SynchronizationEvent
            81c995e0  NotificationEvent


        THREAD 81d49da8  Cid 0250.06bc  Teb: 7ff9e000 Win32Thread: e21d3558 WAIT: (WrUserRequest) UserMode Non-Alertable
            81b70590  SynchronizationEvent


        THREAD 81de1b38  Cid 0250.07e8  Teb: 7ff9d000 Win32Thread: e21126b0 WAIT: (WrUserRequest) UserMode Non-Alertable
            8203d6c8  SynchronizationEvent


        THREAD 81b67390  Cid 0250.07dc  Teb: 7ff9c000 Win32Thread: 00000000 WAIT: (UserRequest) UserMode Alertable
            82053c18  SynchronizationEvent
            81b78700  SynchronizationEvent
            81b67480  NotificationTimer


        THREAD 81b5da70  Cid 0250.00c0  Teb: 7ff9b000 Win32Thread: e224eeb0 WAIT: (WrLpcReceive) UserMode Non-Alertable
            81cab908  Semaphore Limit 0x7fffffff
            81b5db60  NotificationTimer


        THREAD 81b6b598  Cid 0250.00dc  Teb: 7ff9a000 Win32Thread: e1a20d48 WAIT: (WrLpcReceive) UserMode Non-Alertable
            81cab908  Semaphore Limit 0x7fffffff
            81b6b688  NotificationTimer


        THREAD 8202a020  Cid 0250.0258  Teb: 7ff99000 Win32Thread: e2036eb0 WAIT: (UserRequest) UserMode Non-Alertable
            81c71350  SynchronizationEvent
            81c7b1c0  SynchronizationEvent


kd> ******** Switch to the specified thread **********
kd> .thread 81b6b598  
Implicit thread is now 81b6b598
kd> kv
  *** Stack trace for last set context - .thread/.cxr resets it
ChildEBP RetAddr  Args to Child              
b247ac64 80501cd6 81b6b608 81b6b598 804fad62 nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])
b247ac70 804fad62 e1abb3e8 80554960 e1abb3e8 nt!KiSwapThread+0x46 (FPO: [0,0,0])
b247ac98 8059c5b0 00000001 00000010 81c8da01 nt!KeWaitForSingleObject+0x1c2 (FPO: [Non-Fpo])
b247ad48 8053e638 00000188 02a4ff74 00000000 nt!NtReplyWaitReceivePortEx+0x3dc (FPO: [Non-Fpo])
b247ad48 7c92e4f4 00000188 02a4ff74 00000000 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ b247ad64)
02a4fe14 7c92da8c 77e565e3 00000188 02a4ff74 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
02a4fe18 77e565e3 00000188 02a4ff74 00000000 ntdll!ZwReplyWaitReceivePortEx+0xc (FPO: [5,0,0])
02a4ff80 77e56caf 02a4ffa8 77e56ad1 000aefa8 RPCRT4!LRPC_ADDRESS::ReceiveLotsaCalls+0x12a (FPO: [Non-Fpo])
02a4ff88 77e56ad1 000aefa8 00000000 00000000 RPCRT4!RecvLotsaCallsWrapper+0xd (FPO: [Non-Fpo])
02a4ffa8 77e56c97 000aee60 02a4ffec 7c80b713 RPCRT4!BaseCachedThreadRoutine+0x79 (FPO: [Non-Fpo])
02a4ffb4 7c80b713 001362d8 00000000 00000000 RPCRT4!ThreadStartRoutine+0x1a (FPO: [Non-Fpo])
02a4ffec 00000000 77e56c7d 001362d8 00000000 kernel32!BaseThreadStart+0x37 (FPO: [Non-Fpo])


Note: if user-mode symbols such as kernel32!BaseThreadStart+0x37 are not resolved in the stack trace, use the .reload /user command to reload the user-mode symbols.
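To automate the lookup-and-switch sequence shown above (find a process's EPROCESS by image name, then walk its threads), here is an added Python example that parses the !process output format; it is not part of the original post, and its sample input is the explorer.exe block quoted from the session above, trimmed to a few threads. The kd commands it emits (.process /i, g, .thread, kv) are exactly the ones used in the session; it only builds the command list, the debugger still has to run them.

```python
import re

# Sample input: the explorer.exe block quoted from the kd session above (PROCESS
# header, Image line and three of its THREAD entries), trimmed to keep it short.
SAMPLE = """\
PROCESS 81ffbda0  SessionId: 0  Cid: 0250    Peb: 7ffde000  ParentCid: 0204
    DirBase: 08cc0260  ObjectTable: e1aab350  HandleCount: 508.
    Image: explorer.exe
        THREAD 81fd0020  Cid 0250.0254  Teb: 7ffdd000 Win32Thread: e1a7d868 WAIT: (WrUserRequest) UserMode Non-Alertable
            820788a0  SynchronizationEvent
        THREAD 8207b020  Cid 0250.0260  Teb: 7ffdc000 Win32Thread: e200cb68 WAIT: (WrLpcReceive) UserMode Non-Alertable
        THREAD 81b6b598  Cid 0250.00dc  Teb: 7ff9a000 Win32Thread: e1a20d48 WAIT: (WrLpcReceive) UserMode Non-Alertable
"""

# Field layout of the PROCESS / Image / THREAD lines as printed by !process.
PROCESS_RE = re.compile(r"^PROCESS ([0-9a-f]{8})\s+SessionId: \S+\s+Cid: ([0-9a-f]+)\s+Peb: ([0-9a-f]+)")
IMAGE_RE = re.compile(r"^\s+Image: (\S+)")
THREAD_RE = re.compile(r"^\s+THREAD ([0-9a-f]{8})\s+Cid [0-9a-f]+\.([0-9a-f]+)\s+Teb: .*?Win32Thread: \S+\s+(.*)")
WAIT_RE = re.compile(r"WAIT: \((\w+)\)")  # wait reason; absent for RUNNING/READY threads

def parse_process_listing(text):
    """Parse !process output into one dict per PROCESS block, with its THREAD entries."""
    procs = []
    for line in text.splitlines():
        if m := PROCESS_RE.match(line):
            procs.append({"eprocess": m[1], "pid": m[2], "peb": m[3], "image": "", "threads": []})
        elif procs and (m := IMAGE_RE.match(line)):
            procs[-1]["image"] = m[1]
        elif procs and (m := THREAD_RE.match(line)):
            w = WAIT_RE.search(m[3])  # the object lines under a THREAD match none of the patterns
            procs[-1]["threads"].append({"ethread": m[1], "tid": m[2], "wait_reason": w[1] if w else None})
    return procs

def find_eprocess(text, image):
    """EPROCESS address of the first process whose image name matches (case-insensitive)."""
    return next((p["eprocess"] for p in parse_process_listing(text)
                 if p["image"].lower() == image.lower()), None)

def switch_commands(text, image, wait_reason=None):
    """kd commands for the sequence shown above: .process /i <EPROCESS>, g, then
    .thread <ETHREAD> / kv for each thread, optionally only those in one wait state."""
    cmds = []
    for p in parse_process_listing(text):
        if p["image"].lower() != image.lower():
            continue
        cmds += [f".process /i {p['eprocess']}", "g"]
        cmds += [c for t in p["threads"] if wait_reason in (None, t["wait_reason"])
                 for c in (f".thread {t['ethread']}", "kv")]
    return cmds
```

Filtering on a wait reason (for example WrLpcReceive, as in the thread inspected above) narrows a large process like explorer.exe down to the threads worth switching to.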