1. Start local kernel debugging in WinDbg (File > Kernel Debug... > Local).
2. Type .symfix c:\symbols to set the symbol server and the local directory used to store symbol files.
3. Type .sympath to view the current symbol path. The result should look like this:
lkd> .sympath
Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
4. Type .reload to reload the symbols. This may take a while; be patient.
5. Type the lm command to list all kernel modules. Find modules such as HAL and NT and note where each starts and ends in memory.
lkd> lm
start end module name
fffff800`0465e000 fffff800`04c43000 nt (pdb symbols) c:\symbols\ntkrnlmp.pdb\F69D000687EC491E87FC0425D4D378AC2\ntkrnlmp.pdb
Unloaded modules:
fffff880`0cea5000 fffff880`0ceb3000 monitor.sys
fffff880`0e839000 fffff880`0e8aa000 spsys.sys
fffff880`22023000 fffff880`225f7000 iqvw64e.sys
fffff880`09781000 fffff880`097bf000 1394ohci.sys
fffff880`01480000 fffff880`0148e000 crashdmp.sys
fffff880`0148e000 fffff880`0149a000 dump_ataport.sys
fffff880`0149a000 fffff880`014a3000 dump_atapi.sys
fffff880`014a3000 fffff880`014b6000 dump_dumpfve.sys
fffff880`0a1d5000 fffff880`0a1e6000 WinUSB.sys
fffff880`0a000000 fffff880`0a031000 WUDFRd.sys
6. Type the !process 0 0 command to list all processes currently running in the system.
lkd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS fffffa800cd4a840
SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000
DirBase: 00187000 ObjectTable: fffff8a000001730 HandleCount: 759.
Image: System
PROCESS fffffa800e55c040
SessionId: none Cid: 0178 Peb: 7fffffd9000 ParentCid: 0004
DirBase: 3d3401000 ObjectTable: fffff8a000a5e960 HandleCount: 36.
Image: smss.exe
PROCESS fffffa800e5a4560
SessionId: 0 Cid: 0298 Peb: 7fffffdb000 ParentCid: 0270
DirBase: 3cbe47000 ObjectTable: fffff8a00b0a4a10 HandleCount: 1020.
Image: csrss.exe
PROCESS fffffa801157b060
SessionId: 0 Cid: 031c Peb: 7fffffd6000 ParentCid: 0270
DirBase: 3ca24d000 ObjectTable: fffff8a003441310 HandleCount: 84.
Image: wininit.exe
PROCESS fffffa801157d940
SessionId: 1 Cid: 032c Peb: 7fffffdb000 ParentCid: 0324
DirBase: 3cabe0000 ObjectTable: fffff8a00b0456f0 HandleCount: 780.
Image: csrss.exe
PROCESS fffffa8011672710
SessionId: 1 Cid: 037c Peb: 7fffffdb000 ParentCid: 0324
DirBase: 3c5c66000 ObjectTable: fffff8a013a3b600 HandleCount: 116.
Image: winlogon.exe
PROCESS fffffa800eb86b30
SessionId: 0 Cid: 03a8 Peb: 7fffffd9000 ParentCid: 031c
DirBase: 3c40eb000 ObjectTable: fffff8a0027b4690 HandleCount: 313.
Image: services.exe
PROCESS fffffa80117ad510
SessionId: 0 Cid: 03b0 Peb: 7fffffde000 ParentCid: 031c
DirBase: 39540b000 ObjectTable: fffff8a013a2ea10 HandleCount: 848.
Image: lsass.exe
PROCESS fffffa8011779b30
SessionId: 0 Cid: 03bc Peb: 7fffffdf000 ParentCid: 031c
DirBase: 396393000 ObjectTable: fffff8a0027cee40 HandleCount: 220.
Image: lsm.exe
PROCESS fffffa800f5a8310
SessionId: 0 Cid: 0154 Peb: 7fffffde000 ParentCid: 03a8
DirBase: 39151e000 ObjectTable: fffff8a00013f680 HandleCount: 420.
Image: svchost.exe
PROCESS fffffa800f5b1350
SessionId: 0 Cid: 02b8 Peb: 7fffffd6000 ParentCid: 03a8
DirBase: 3bff5a000 ObjectTable: fffff8a00265cc10 HandleCount: 80.
Image: ibmpmsvc.exe
PROCESS fffffa8010a5d730
SessionId: 0 Cid: 029c Peb: 7fffffde000 ParentCid: 03a8
DirBase: 3bfa68000 ObjectTable: fffff8a002955210 HandleCount: 136.
Image: nvvsvc.exe
PROCESS fffffa80115d5b30
SessionId: 0 Cid: 01e8 Peb: 7fffffdf000 ParentCid: 03a8
DirBase: 38ed10000 ObjectTable: fffff8a002759e30 HandleCount: 79.
Image: nvwmi64.exe
PROCESS fffffa801165e060
SessionId: 0 Cid: 03f8 Peb: 7efdf000 ParentCid: 03a8
DirBase: 38e49d000 ObjectTable: fffff8a0029b0ae0 HandleCount: 109.
Image: nvSCPAPISvr.exe
PROCESS fffffa8011658b30
SessionId: 0 Cid: 0414 Peb: 7fffffdf000 ParentCid: 03a8
DirBase: 3bddab000 ObjectTable: fffff8a0029c4e10 HandleCount: 449.
Image: svchost.exe
PROCESS fffffa80118a6b30
SessionId: 0 Cid: 0478 Peb: 7fffffd7000 ParentCid: 03a8
DirBase: 3bd53f000 ObjectTable: fffff8a002a8d010 HandleCount: 541.
Image: svchost.exe
PROCESS fffffa8011913060
SessionId: 0 Cid: 04c4 Peb: 7fffffdd000 ParentCid: 03a8
DirBase: 3bd8c7000 ObjectTable: fffff8a002b92450 HandleCount: 618.
Image: svchost.exe
PROCESS fffffa801192e060
SessionId: 0 Cid: 04f0 Peb: 7fffffda000 ParentCid: 03a8
DirBase: 3bd0cd000 ObjectTable: fffff8a002bb3380 HandleCount: 1470.
Image: svchost.exe
PROCESS fffffa80119b2b30
SessionId: 0 Cid: 0580 Peb: 7fffffdd000 ParentCid: 03a8
DirBase: 3ba3d6000 ObjectTable: fffff8a002b03630 HandleCount: 344.
Image: svchost.exe
PROCESS fffffa80119e0750
SessionId: 0 Cid: 05c8 Peb: 7fffffd5000 ParentCid: 03a8
DirBase: 3b98e3000 ObjectTable: fffff8a002bd8c50 HandleCount: 120.
Image: igfxCUIService.exe
PROCESS fffffa800e79ab30
SessionId: 0 Cid: 0670 Peb: 7fffffd9000 ParentCid: 04c4
DirBase: 3b886a000 ObjectTable: fffff8a002d7b330 HandleCount: 213.
Image: WUDFHost.exe
PROCESS fffffa8011a6bb30
SessionId: 0 Cid: 06a8 Peb: 7fffffdf000 ParentCid: 03a8
DirBase: 387c12000 ObjectTable: fffff8a002d9b930 HandleCount: 580.
Image: svchost.exe
PROCESS fffffa8011a95b30
SessionId: 0 Cid: 0708 Peb: 7fffffd3000 ParentCid: 04c4
DirBase: 3b71d6000 ObjectTable: fffff8a002df6b10 HandleCount: 409.
Image: wlanext.exe
PROCESS fffffa8011a90620
SessionId: 0 Cid: 0710 Peb: 7fffffdb000 ParentCid: 0298
DirBase: 3b672f000 ObjectTable: fffff8a002e08320 HandleCount: 33.
Image: conhost.exe
PROCESS fffffa8011766060
SessionId: 1 Cid: 0764 Peb: 7fffffdf000 ParentCid: 029c
DirBase: 385505000 ObjectTable: fffff8a002e342a0 HandleCount: 271.
Image: nvxdsync.exe
PROCESS fffffa800e790b30
SessionId: 1 Cid: 076c Peb: 7fffffdf000 ParentCid: 029c
DirBase: 384b8a000 ObjectTable: fffff8a002e2fdc0 HandleCount: 204.
Image: nvvsvc.exe
PROCESS fffffa8011b97b30
SessionId: 1 Cid: 0774 Peb: 7fffffd5000 ParentCid: 01e8
DirBase: 384a8f000 ObjectTable: fffff8a002e53600 HandleCount: 162.
Image: nvwmi64.exe
PROCESS fffffa8011bf8b30
SessionId: 0 Cid: 0798 Peb: 7fffffd7000 ParentCid: 03a8
DirBase: 3b3fcf000 ObjectTable: fffff8a00297c320 HandleCount: 327.
Image: spoolsv.exe
PROCESS fffffa8011c65b30
SessionId: 0 Cid: 07fc Peb: 7fffffd5000 ParentCid: 03a8
DirBase: 3b41e2000 ObjectTable: fffff8a00298d4d0 HandleCount: 332.
Image: svchost.exe
PROCESS fffffa8011cedb30
SessionId: 0 Cid: 05ec Peb: 7fffffd9000 ParentCid: 03a8
DirBase: 3b2dfb000 ObjectTable: fffff8a002f02ea0 HandleCount: 102.
Image: svchost.exe
PROCESS fffffa8011cf1b30
SessionId: 0 Cid: 080c Peb: 7fffffd5000 ParentCid: 03a8
DirBase: 382e01000 ObjectTable: fffff8a002f08760 HandleCount: 189.
Image: btwdins.exe
PROCESS fffffa8011d38b30
SessionId: 0 Cid: 0838 Peb: 7efdf000 ParentCid: 03a8
DirBase: 38220e000 ObjectTable: fffff8a002f24f10 HandleCount: 98.
Image: Crypserv.exe
PROCESS fffffa8011d59b30
SessionId: 0 Cid: 0864 Peb: 7fffffdf000 ParentCid: 03a8
DirBase: 3b122e000 ObjectTable: fffff8a002e91ca0 HandleCount: 279.
Image: EvtEng.exe
PROCESS fffffa800f671340
SessionId: 0 Cid: 09dc Peb: 7fffffd8000 ParentCid: 03a8
DirBase: 3aecb7000 ObjectTable: fffff8a002cdaed0 HandleCount: 79.
Image: IPROSetMonitor.exe
PROCESS fffffa800f6a1060
SessionId: 0 Cid: 0a00 Peb: 7efdf000 ParentCid: 03a8
DirBase: 3ad63d000 ObjectTable: fffff8a002657bc0 HandleCount: 213.
Image: IpOverUsbSvc.exe
PROCESS fffffa800e913b30
SessionId: 0 Cid: 0ac8 Peb: 7efdf000 ParentCid: 03a8
DirBase: 37b792000 ObjectTable: fffff8a002f1c4e0 HandleCount: 67.
Image: nmesrvc.exe
PROCESS fffffa800f888b30
SessionId: 0 Cid: 0af8 Peb: 7efdf000 ParentCid: 03a8
DirBase: 379199000 ObjectTable: fffff8a0030a9c00 HandleCount: 174.
Image: omtsreco.exe
PROCESS fffffa800f894b30
SessionId: 0 Cid: 0b00 Peb: 7fffffd7000 ParentCid: 0298
DirBase: 378d10000 ObjectTable: fffff8a0030e30b0 HandleCount: 72.
Image: conhost.exe
PROCESS fffffa800f8a7b30
SessionId: 0 Cid: 0b14 Peb: 7efdf000 ParentCid: 0ac8
DirBase: 3aa8b3000 ObjectTable: 00000000 HandleCount: 0.
Image: cmd.exe
PROCESS fffffa8011c2b060
SessionId: 0 Cid: 0ba0 Peb: 7efdf000 ParentCid: 03a8
DirBase: 3746a0000 ObjectTable: fffff8a003271430 HandleCount: 443.
Image: QQProtect.exe
PROCESS fffffa8011c4d060
SessionId: 0 Cid: 0bc0 Peb: 7fffffd5000 ParentCid: 03a8
DirBase: 3a51a6000 ObjectTable: fffff8a003218d20 HandleCount: 102.
Image: RegSrvc.exe
PROCESS fffffa8011c39340
SessionId: 0 Cid: 0be4 Peb: 7efdf000 ParentCid: 03a8
DirBase: 3a4dac000 ObjectTable: fffff8a00328d6b0 HandleCount: 258.
Image: secbizsrv.exe
PROCESS fffffa8011c7b060
SessionId: 0 Cid: 04ec Peb: 7efdf000 ParentCid: 03a8
DirBase: 3a4332000 ObjectTable: fffff8a0032ac8e0 HandleCount: 141.
Image: sntlkeyssrvr.exe
PROCESS fffffa8011c91060
SessionId: 0 Cid: 0630 Peb: 7efdf000 ParentCid: 03a8
DirBase: 3a4f3e000 ObjectTable: fffff8a0032b0c30 HandleCount: 122.
Image: spnsrvnt.exe
PROCESS fffffa800f5d2b30
SessionId: 0 Cid: 091c Peb: 7fffffd7000 ParentCid: 03a8
DirBase: 3a60eb000 ObjectTable: fffff8a0032dbf90 HandleCount: 90.
Image: sqlwriter.exe
PROCESS fffffa800f85d340
SessionId: 0 Cid: 0964 Peb: 7efdf000 ParentCid: 03a8
DirBase: 3a59f1000 ObjectTable: fffff8a0032e0340 HandleCount: 99.
Image: ss_conn_service.exe
PROCESS fffffa800f8c5060
SessionId: 0 Cid: 093c Peb: 7fffffdf000 ParentCid: 03a8
DirBase: 3a4df6000 ObjectTable: fffff8a0032f93d0 HandleCount: 109.
Image: svchost.exe
PROCESS fffffa800f8ad060
SessionId: 0 Cid: 0980 Peb: 7efdf000 ParentCid: 03a8
DirBase: 3a4cfc000 ObjectTable: fffff8a0033057c0 HandleCount: 250.
Image: TBSecSvc.exe
PROCESS fffffa800f910060
SessionId: 0 Cid: 09f4 Peb: 7efdf000 ParentCid: 03a8
DirBase: 371d83000 ObjectTable: fffff8a003325f90 HandleCount: 421.
Image: TeamViewer_Service.exe
PROCESS fffffa8011d8c340
SessionId: 0 Cid: 0b50 Peb: 7efdf000 ParentCid: 03a8
DirBase: 36d089000 ObjectTable: fffff8a0032ae9e0 HandleCount: 339.
Image: TeamViewer_Service.exe
PROCESS fffffa800f88c060
SessionId: 0 Cid: 0c30 Peb: 7efdf000 ParentCid: 03a8
DirBase: 36808f000 ObjectTable: fffff8a0044a49c0 HandleCount: 86.
Image: vmnat.exe
PROCESS fffffa800f8e1060
SessionId: 0 Cid: 0c4c Peb: 7fffffd4000 ParentCid: 03a8
DirBase: 3a07b3000 ObjectTable: fffff8a0044b7950 HandleCount: 154.
Image: svchost.exe
PROCESS fffffa800f916060
SessionId: 0 Cid: 0c64 Peb: 7fffffd3000 ParentCid: 03a8
DirBase: 39f139000 ObjectTable: fffff8a0044baf00 HandleCount: 260.
Image: ZeroConfigService.exe
PROCESS fffffa8011c9a060
SessionId: 0 Cid: 0ce8 Peb: 7efdf000 ParentCid: 03a8
DirBase: 39f23f000 ObjectTable: fffff8a0044fe2d0 HandleCount: 227.
Image: vmware-authd.exe
PROCESS fffffa8011df9b30
SessionId: 1 Cid: 0dc0 Peb: 7fffffd5000 ParentCid: 03a8
DirBase: 39bbe0000 ObjectTable: fffff8a004c4ce90 HandleCount: 187.
Image: taskhost.exe
PROCESS fffffa80122c8b30
SessionId: 1 Cid: 0e70 Peb: 7fffffd4000 ParentCid: 04c4
DirBase: 39965b000 ObjectTable: fffff8a002c1c700 HandleCount: 184.
Image: dwm.exe
PROCESS fffffa80122d7b30
SessionId: 1 Cid: 0e90 Peb: 7fffffda000 ParentCid: 0e60
DirBase: 3988c7000 ObjectTable: fffff8a004ccd960 HandleCount: 932.
Image: explorer.exe
PROCESS fffffa8011e43b30
SessionId: 0 Cid: 0f5c Peb: 7fffffd7000 ParentCid: 0154
DirBase: 397368000 ObjectTable: fffff8a002ff2ec0 HandleCount: 80.
Image: unsecapp.exe
PROCESS fffffa8011733b30
SessionId: 0 Cid: 0cf8 Peb: 7fffffd8000 ParentCid: 0154
DirBase: 35c50a000 ObjectTable: fffff8a0053e3b80 HandleCount: 173.
Image: WmiPrvSE.exe
PROCESS fffffa801244b960
SessionId: 0 Cid: 101c Peb: 7efdf000 ParentCid: 03a8
DirBase: 355c11000 ObjectTable: fffff8a004713b60 HandleCount: 54.
Image: vmnetdhcp.exe
PROCESS fffffa801244fb30
SessionId: 0 Cid: 1030 Peb: 7fffffd9000 ParentCid: 03a8
DirBase: 357698000 ObjectTable: fffff8a004721610 HandleCount: 142.
Image: vmware-usbarbitrator64.exe
PROCESS fffffa80123bb060
SessionId: 0 Cid: 1038 Peb: 7efdf000 ParentCid: 0ac8
DirBase: 39455a000 ObjectTable: fffff8a0030fa180 HandleCount: 34.
Image: cmd.exe
PROCESS fffffa80123ae060
SessionId: 0 Cid: 1048 Peb: 7efdf000 ParentCid: 1038
DirBase: 35ba81000 ObjectTable: fffff8a004467200 HandleCount: 46.
Image: perl.exe
PROCESS fffffa801248fb30
SessionId: 1 Cid: 10a0 Peb: 7efdf000 ParentCid: 0980
DirBase: 38da75000 ObjectTable: fffff8a004747320 HandleCount: 566.
Image: TaobaoProtect.exe
PROCESS fffffa801247db30
SessionId: 0 Cid: 110c Peb: 7efdf000 ParentCid: 1048
DirBase: 38b1a9000 ObjectTable: fffff8a0033010d0 HandleCount: 40.
Image: cmd.exe
PROCESS fffffa8012490830
SessionId: 0 Cid: 111c Peb: 7efdf000 ParentCid: 110c
DirBase: 38cdfb000 ObjectTable: fffff8a0044ef970 HandleCount: 1125.
Image: java.exe
PROCESS fffffa800e594330
SessionId: 0 Cid: 1264 Peb: 7efdf000 ParentCid: 1048
DirBase: 388577000 ObjectTable: fffff8a0047d06d0 HandleCount: 455.
Image: emagent.exe
PROCESS fffffa800f84f730
SessionId: 1 Cid: 12e4 Peb: 7efdf000 ParentCid: 12b8
DirBase: 38617d000 ObjectTable: fffff8a00547f310 HandleCount: 99.
Image: aliwssv.exe
PROCESS fffffa801172b060
SessionId: 1 Cid: 12ec Peb: 7fffffdf000 ParentCid: 032c
DirBase: 34cf89000 ObjectTable: fffff8a005439c80 HandleCount: 36.
Image: conhost.exe
PROCESS fffffa80117b3b30
SessionId: 1 Cid: 137c Peb: 7fffffdf000 ParentCid: 0e90
DirBase: 38097e000 ObjectTable: fffff8a006d8a170 HandleCount: 278.
Image: RAVCpl64.exe
PROCESS fffffa800e7d7b30
SessionId: 1 Cid: 13a0 Peb: 7efdf000 ParentCid: 0e90
DirBase: 37f4fd000 ObjectTable: fffff8a006d37630 HandleCount: 109.
Image: lantern.exe
PROCESS fffffa8011b19730
SessionId: 1 Cid: 13ac Peb: 7efdf000 ParentCid: 0e90
DirBase: 34630d000 ObjectTable: fffff8a006dc27f0 HandleCount: 594.
Image: cloudmusic.exe
PROCESS fffffa800e93ab30
SessionId: 1 Cid: 12cc Peb: 7fffffde000 ParentCid: 0e90
DirBase: 383ffe000 ObjectTable: fffff8a0047f09d0 HandleCount: 249.
Image: BTTray.exe
PROCESS fffffa801243a060
SessionId: 1 Cid: 0464 Peb: 7fffffdb000 ParentCid: 0e90
DirBase: 36d03e000 ObjectTable: fffff8a005794080 HandleCount: 117.
Image: TSVNCache.exe
PROCESS fffffa800f7dd060
SessionId: 0 Cid: 12bc Peb: 7efdf000 ParentCid: 0ac8
DirBase: 36d460000 ObjectTable: 00000000 HandleCount: 0.
Image: cmd.exe
PROCESS fffffa800e459b30
SessionId: 1 Cid: 0534 Peb: 7efdf000 ParentCid: 13b8
DirBase: 3e6650000 ObjectTable: fffff8a004746df0 HandleCount: 133.
Image: iusb3mon.exe
PROCESS fffffa80122da060
SessionId: 1 Cid: 09a4 Peb: 7efdf000 ParentCid: 13b8
DirBase: 367d6b000 ObjectTable: fffff8a002d4b190 HandleCount: 90.
Image: vmware-tray.exe
PROCESS fffffa801243e060
SessionId: 1 Cid: 0e08 Peb: 7fffffd9000 ParentCid: 13b8
DirBase: 365ff6000 ObjectTable: fffff8a0057671d0 HandleCount: 234.
Image: pcee4.exe
PROCESS fffffa8012481060
SessionId: 1 Cid: 0fa4 Peb: 7efdf000 ParentCid: 13ac
DirBase: 32ee15000 ObjectTable: fffff8a0054f3df0 HandleCount: 172.
Image: cloudmusic.exe
PROCESS fffffa8011db8340
SessionId: 0 Cid: 02d4 Peb: 7efdf000 ParentCid: 0ac8
DirBase: 3669e6000 ObjectTable: 00000000 HandleCount: 0.
Image: cmd.exe
PROCESS fffffa800f51eb30
SessionId: 1 Cid: 0470 Peb: 7efdf000 ParentCid: 13a0
DirBase: 36317d000 ObjectTable: fffff8a0057f7e30 HandleCount: 345.
Image: lantern.exe
PROCESS fffffa800e35bb30
SessionId: 1 Cid: 0ea4 Peb: 7efdf000 ParentCid: 13ac
DirBase: 359d25000 ObjectTable: fffff8a0057b15a0 HandleCount: 166.
Image: cloudmusic.exe
PROCESS fffffa8012434b30
SessionId: 0 Cid: 1414 Peb: 7efdf000 ParentCid: 0ac8
DirBase: 35c76c000 ObjectTable: 00000000 HandleCount: 0.
Image: cmd.exe
PROCESS fffffa80123dd820
SessionId: 1 Cid: 14c0 Peb: 7fffffdf000 ParentCid: 0470
DirBase: 35b3c0000 ObjectTable: fffff8a000bb2120 HandleCount: 87.
Image: sysproxy-cmd.exe
PROCESS fffffa800e137b30
SessionId: 0 Cid: 1584 Peb: 7efdf000 ParentCid: 0ac8
DirBase: 356672000 ObjectTable: 00000000 HandleCount: 0.
Image: cmd.exe
PROCESS fffffa800e935b30
SessionId: 0 Cid: 1660 Peb: 7efdf000 ParentCid: 0ac8
DirBase: 34dcf8000 ObjectTable: 00000000 HandleCount: 0.
Image: cmd.exe
PROCESS fffffa8011b0c740
SessionId: 0 Cid: 16e8 Peb: 7efdf000 ParentCid: 0ac8
DirBase: 346f7e000 ObjectTable: 00000000 HandleCount: 0.
Image: cmd.exe
PROCESS fffffa800cf83330
SessionId: 0 Cid: 17a4 Peb: 7efdf000 ParentCid: 0ac8
DirBase: 309884000 ObjectTable: 00000000 HandleCount: 0.
Image: cmd.exe
PROCESS fffffa800d037b30
SessionId: 1 Cid: 1460 Peb: 7efdf000 ParentCid: 12cc
DirBase: 33a057000 ObjectTable: fffff8a002d21db0 HandleCount: 92.
Image: rundll32.exe
PROCESS fffffa800d0e08e0
SessionId: 0 Cid: 14cc Peb: 7efdf000 ParentCid: 0ac8
DirBase: 2ff30a000 ObjectTable: 00000000 HandleCount: 0.
Image: cmd.exe
PROCESS fffffa800d0b3a30
SessionId: 1 Cid: 1554 Peb: 7fffffdb000 ParentCid: 0154
DirBase: 331f3a000 ObjectTable: fffff8a00572f190 HandleCount: 384.
Image: BTStackServer.exe
PROCESS fffffa800cfe4730
SessionId: 0 Cid: 0f6c Peb: 7efdf000 ParentCid: 0ac8
DirBase: 2f8990000 ObjectTable: 00000000 HandleCount: 0.
Image: cmd.exe
PROCESS fffffa800d08f330
SessionId: 0 Cid: 1674 Peb: 7efdf000 ParentCid: 0ac8
DirBase: 313898000 ObjectTable: 00000000 HandleCount: 0.
Image: cmd.exe
PROCESS fffffa800cf5f9d0
SessionId: 1 Cid: 1768 Peb: 7efdf000 ParentCid: 09f4
DirBase: 32db45000 ObjectTable: fffff8a0057a9850 HandleCount: 517.
Image: TeamViewer.exe
PROCESS fffffa800d0c3b30
SessionId: 0 Cid: 17b8 Peb: 7efdf000 ParentCid: 0ac8
DirBase: 2f129e000 ObjectTable: 00000000 HandleCount: 0.
Image: cmd.exe
PROCESS fffffa800d0c8060
SessionId: 1 Cid: 14d4 Peb: 7efdf000 ParentCid: 09f4
DirBase: 3299cb000 ObjectTable: fffff8a007037cd0 HandleCount: 103.
Image: tv_w32.exe
PROCESS fffffa800d158060
SessionId: 1 Cid: 148c Peb: 7fffffd4000 ParentCid: 09f4
DirBase: 329250000 ObjectTable: fffff8a0049ff0f0 HandleCount: 96.
Image: tv_x64.exe
PROCESS fffffa800cfacb30
SessionId: 0 Cid: 00c0 Peb: 7efdf000 ParentCid: 0ac8
DirBase: 3203a4000 ObjectTable: 00000000 HandleCount: 0.
Image: cmd.exe
PROCESS fffffa8012498b30
SessionId: 0 Cid: 1598 Peb: 7efdf000 ParentCid: 09b4
DirBase: 324a55000 ObjectTable: 00000000 HandleCount: 0.
Image: emdctl.exe
PROCESS fffffa800d10a9d0
SessionId: 0 Cid: 10ec Peb: 7efdf000 ParentCid: 0ac8
DirBase: 31eb2a000 ObjectTable: 00000000 HandleCount: 0.
Image: cmd.exe
PROCESS fffffa800d131750
SessionId: 0 Cid: 0cc0 Peb: 7fffffd4000 ParentCid: 03a8
DirBase: 2dc706000 ObjectTable: fffff8a004c48cc0 HandleCount: 164.
Image: PresentationFontCache.exe
PROCESS fffffa800d657060
SessionId: 0 Cid: 0d9c Peb: 7fffffd3000 ParentCid: 03a8
DirBase: 31a7da000 ObjectTable: fffff8a007916ac0 HandleCount: 1031.
Image: SearchIndexer.exe
PROCESS fffffa800deae470
SessionId: 1 Cid: 0390 Peb: 7fffffd8000 ParentCid: 0b24
DirBase: 2d6291000 ObjectTable: fffff8a007b72630 HandleCount: 162.
Image: igfxEM.exe
PROCESS fffffa800df1d060
SessionId: 1 Cid: 0350 Peb: 7fffffd7000 ParentCid: 0b24
DirBase: 2da099000 ObjectTable: fffff8a0053c1600 HandleCount: 217.
Image: igfxHK.exe
PROCESS fffffa800def4060
SessionId: 0 Cid: 04b8 Peb: 7fffffd7000 ParentCid: 03a8
DirBase: 3114ff000 ObjectTable: fffff8a0075fe7d0 HandleCount: 118.
Image: svchost.exe
PROCESS fffffa800df97960
SessionId: 0 Cid: 1924 Peb: 7fffffdf000 ParentCid: 03a8
DirBase: 2d4a0b000 ObjectTable: fffff8a007960740 HandleCount: 112.
Image: svchost.exe
PROCESS fffffa800dfb4960
SessionId: 0 Cid: 1954 Peb: 7efdf000 ParentCid: 03a8
DirBase: 2d269f000 ObjectTable: fffff8a007bc7740 HandleCount: 417.
Image: LMS.exe
PROCESS fffffa800df4f750
SessionId: 0 Cid: 16c4 Peb: 7fffffdf000 ParentCid: 03a8
DirBase: 2faf46000 ObjectTable: fffff8a0049c9c00 HandleCount: 206.
Image: svchost.exe
PROCESS fffffa800d016810
SessionId: 0 Cid: 1a44 Peb: 7fffffdf000 ParentCid: 03a8
DirBase: 2f24e6000 ObjectTable: fffff8a007a2ca90 HandleCount: 361.
Image: svchost.exe
PROCESS fffffa80117d1b30
SessionId: 0 Cid: 0590 Peb: 7efdf000 ParentCid: 0154
DirBase: 23e9cb000 ObjectTable: fffff8a0053bc590 HandleCount: 363.
Image: WmiPrvSE.exe
PROCESS fffffa8012daeb30
SessionId: 1 Cid: 0efc Peb: 7efdf000 ParentCid: 0e90
DirBase: 19d183000 ObjectTable: fffff8a014237a80 HandleCount: 264.
Image: Everything.exe
PROCESS fffffa80125132f0
SessionId: 0 Cid: 172c Peb: 7fffffd3000 ParentCid: 0478
DirBase: 17d99f000 ObjectTable: fffff8a01418d780 HandleCount: 389.
Image: audiodg.exe
PROCESS fffffa8011629060
SessionId: 1 Cid: 1b60 Peb: 7efdf000 ParentCid: 0e90
DirBase: 1b4fd6000 ObjectTable: fffff8a01426d010 HandleCount: 882.
Image: WINWORD.EXE
PROCESS fffffa8011b0eb30
SessionId: 1 Cid: 0ca4 Peb: 7fffffd5000 ParentCid: 1b60
DirBase: 1b4469000 ObjectTable: fffff8a015908840 HandleCount: 72.
Image: splwow64.exe
PROCESS fffffa80116ee4c0
SessionId: 1 Cid: 1b28 Peb: 7fffffdf000 ParentCid: 0e90
DirBase: 1a0846000 ObjectTable: fffff8a015f460a0 HandleCount: 143.
Image: windbg.exe
PROCESS fffffa801181d620
SessionId: 1 Cid: 19f0 Peb: fffdf000 ParentCid: 1a58
DirBase: 196a4c000 ObjectTable: fffff8a015cc74e0 HandleCount: 1369.
Image: QQ.exe
PROCESS fffffa8012f13060
SessionId: 1 Cid: 1758 Peb: 7efdf000 ParentCid: 0154
DirBase: 1941bd000 ObjectTable: fffff8a014f311a0 HandleCount: 114.
Image: TXPlatform.exe
PROCESS fffffa8013079b30
SessionId: 1 Cid: 190c Peb: 7fffffdf000 ParentCid: 137c
DirBase: 167f28000 ObjectTable: fffff8a015711950 HandleCount: 124.
Image: FMAPP.exe
PROCESS fffffa8012cb7750
SessionId: 0 Cid: 0d70 Peb: 7fffffd3000 ParentCid: 0154
DirBase: 141c7a000 ObjectTable: fffff8a014a0fa90 HandleCount: 164.
Image: WmiPrvSE.exe
PROCESS fffffa800d847060
SessionId: 0 Cid: 1378 Peb: 7efdf000 ParentCid: 0154
DirBase: 143e7f000 ObjectTable: fffff8a0159ccf90 HandleCount: 223.
Image: WmiPrvSE.exe
PROCESS fffffa801319d290
SessionId: 0 Cid: 10f4 Peb: 7fffffdb000 ParentCid: 04f0
DirBase: 14fcc1000 ObjectTable: fffff8a0072853e0 HandleCount: 95.
Image: taskeng.exe
PROCESS fffffa8012ffcb30
SessionId: 0 Cid: 05f0 Peb: 7fffffdf000 ParentCid: 0d9c
DirBase: 13e2fe000 ObjectTable: fffff8a0148dc7a0 HandleCount: 321.
Image: SearchProtocolHost.exe
PROCESS fffffa801309cb30
SessionId: 0 Cid: 0dd8 Peb: 7fffffdc000 ParentCid: 0d9c
DirBase: a1403000 ObjectTable: fffff8a015eb3360 HandleCount: 95.
Image: SearchFilterHost.exe
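As an added example (not part of the original lab write-up), the Python below parses the !process 0 0 records shown above into a Cid/ParentCid tree, reports processes whose parent has already exited (such as the csrss.exe and wininit.exe children of the session-0 smss.exe), and flags records whose ObjectTable is null. The sample input is constructed from a handful of the records above; the parser, function names and the "exiting process" interpretation are this example's own.

```python
"""Parse WinDbg '!process 0 0' output into a process tree.

Added example, not from the lab page. Each PROCESS record is four lines:
PROCESS <eprocess>, SessionId/Cid/Peb/ParentCid, DirBase/ObjectTable/
HandleCount, Image. Values are parsed into ints so they can be compared.
"""
import re
from collections import defaultdict

# Constructed sample: a few records copied from the listing above, including
# a cmd.exe whose handle table is already gone (ObjectTable 0, HandleCount 0).
SAMPLE = """\
**** NT ACTIVE PROCESS DUMP ****
PROCESS fffffa800cd4a840
SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000
DirBase: 00187000 ObjectTable: fffff8a000001730 HandleCount: 759.
Image: System
PROCESS fffffa800e55c040
SessionId: none Cid: 0178 Peb:7fffffd9000 ParentCid: 0004
DirBase: 3d3401000 ObjectTable: fffff8a000a5e960 HandleCount: 36.
Image: smss.exe
PROCESS fffffa800e5a4560
SessionId: 0 Cid: 0298 Peb: 7fffffdb000 ParentCid: 0270
DirBase: 3cbe47000 ObjectTable: fffff8a00b0a4a10 HandleCount: 1020.
Image: csrss.exe
PROCESS fffffa801157b060
SessionId: 0 Cid: 031c Peb: 7fffffd6000 ParentCid: 0270
DirBase: 3ca24d000 ObjectTable: fffff8a003441310 HandleCount: 84.
Image: wininit.exe
PROCESS fffffa800eb86b30
SessionId: 0 Cid: 03a8 Peb: 7fffffd9000 ParentCid: 031c
DirBase: 3c40eb000 ObjectTable: fffff8a0027b4690 HandleCount: 313.
Image: services.exe
PROCESS fffffa800f8a7b30
SessionId: 0 Cid: 0b14 Peb: 7efdf000 ParentCid: 0ac8
DirBase: 3aa8b3000 ObjectTable: 00000000 HandleCount: 0.
Image: cmd.exe
"""

PROCESS_RE = re.compile(r"^PROCESS\s+([0-9a-f]+)", re.I)
# "Key: value" pairs; \s* tolerates the missing space in "Peb:7fffffd9000".
FIELD_RE = re.compile(r"(\w+):\s*(\S+)")


def parse_process_dump(text):
    """Return one dict per PROCESS record, with Cid/ParentCid/ObjectTable/
    HandleCount/eprocess converted to integers."""
    procs, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        m = PROCESS_RE.match(line)
        if m:
            cur = {"eprocess": int(m.group(1), 16)}
            procs.append(cur)
            continue
        if cur is None:          # banner lines before the first record
            continue
        for key, val in FIELD_RE.findall(line):
            val = val.rstrip(".")            # "HandleCount: 759."
            if key in ("Cid", "ParentCid", "ObjectTable"):
                cur[key] = int(val, 16)
            elif key == "HandleCount":
                cur[key] = int(val)
            else:
                cur[key] = val
    return procs


def build_tree(procs):
    """Map Cid -> record and parent Cid -> child Cids. Parents that are no
    longer in the list (they exited, like the session-0 smss.exe) are
    reported separately; System (Cid 4) legitimately has ParentCid 0."""
    by_cid = {p["Cid"]: p for p in procs}
    children, orphans = defaultdict(list), []
    for p in procs:
        if p["ParentCid"] in by_cid:
            children[p["ParentCid"]].append(p["Cid"])
        elif p["Cid"] != 4:
            orphans.append(p["Cid"])
    return by_cid, dict(children), orphans


def exiting_processes(procs):
    """Records with a null ObjectTable and zero handles: the handle table
    has been torn down, so the _EPROCESS is still referenced but the
    process has already exited (or never finished starting)."""
    return [p["Cid"] for p in procs
            if p["ObjectTable"] == 0 and p["HandleCount"] == 0]


def ancestry(by_cid, cid):
    """Image names from cid upward until the chain leaves the listing."""
    chain = []
    while cid in by_cid:
        chain.append(by_cid[cid]["Image"])
        cid = by_cid[cid]["ParentCid"]
    return chain
```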
7. Type !process 4 to display the summary of the System process and each of its threads. Record the address of this process's process structure (PROCESS).
lkd> !process 4
Searching for Process with Cid == 4
Cid handle table at fffff8a0029bd000 with 1584 entries in use
PROCESS fffffa800cd4a840
SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000
DirBase: 00187000 ObjectTable: fffff8a000001730 HandleCount: 755.
Image: System
VadRoot fffffa800cd4a770 Vads 14 Clone 0 Private 14. Modified 322189. Locked 128.
DeviceMap fffff8a0000060b0
Token fffff8a000004b20
ElapsedTime 00:46:52.545
UserTime 00:00:00.000
KernelTime 00:00:25.584
QuotaPoolUsage[PagedPool] 0
QuotaPoolUsage[NonPagedPool] 0
Working Set Sizes (now,min,max) (327, 0, 0) (1308KB, 0KB, 0KB)
PeakWorkingSetSize 3211
VirtualSize 4 Mb
PeakVirtualSize 15 Mb
PageFaultCount 95637
MemoryPriority BACKGROUND
BasePriority 8
CommitCharge 35
THREAD fffffa800cd4a2b0 Cid 0004.0008 Teb: 0000000000000000 Win32Thread: 0000000000000000 WAIT: (WrFreePage) KernelMode Non-Alertable
fffff800048a1f40 Gate
Not impersonating
DeviceMap fffff8a0000060b0
Owning Process fffffa800cd4a840 Image: System
Attached Process N/A Image: N/A
Wait Start TickCount 180910 Ticks: 10 (0:00:00:00.156)
Context Switch Count 31207
UserTime 00:00:00.000
KernelTime 00:00:05.896
Win32 Start Address nt!Phase1Initialization (0xfffff80004b58e20)
Stack Init fffff880009a9c70 Current fffff880009a9870
Base fffff880009aa000 Limit fffff880009a4000 Call 0
Priority 1 BasePriority 0 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
Child-SP RetAddr Call Site
fffff880`009a98b0 fffff800`046c95f2 nt!KiSwapContext+0x7a
fffff880`009a99f0 fffff800`046964fb nt!KiCommitThreadWait+0x1d2
fffff880`009a9a80 fffff800`046969ea nt!KeWaitForGate+0xfb
fffff880`009a9ad0 fffff800`049702ea nt!MmZeroPageThread+0x2ed
fffff880`009a9c00 fffff800`046c48e6 nt!PspSystemThreadStartup+0x5a
fffff880`009a9c40 00000000`00000000 nt!KiStartSystemThread+0x16
THREAD fffffa800cdc1040 Cid 0004.000c Teb: 0000000000000000 Win32Thread: 0000000000000000 WAIT: (Executive) KernelMode Non-Alertable
fffff80004883520 SynchronizationEvent
Not impersonating
DeviceMap fffff8a0000060b0
Owning Process fffffa800cd4a840 Image: System
Attached Process N/A Image: N/A
Wait Start TickCount 7407 Ticks: 173524 (0:00:45:06.991)
Context Switch Count 3
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address nt!PopIrpWorkerControl (0xfffff800047f0170)
Stack Init fffff880009e7c70 Current fffff880009e7910
Base fffff880009e8000 Limit fffff880009e2000 Call 0
Priority 15 BasePriority 13 UnusualBoost 2 ForegroundBoost 0 IoPriority 2 PagePriority 5
Child-SP RetAddr Call Site
fffff880`009e7950 fffff800`046c95f2 nt!KiSwapContext+0x7a
fffff880`009e7a90 fffff800`046da99f nt!KiCommitThreadWait+0x1d2
fffff880`009e7b20 fffff800`047f019b nt!KeWaitForSingleObject+0x19f
fffff880`009e7bc0 fffff800`049702ea nt!PopIrpWorkerControl+0x2b
fffff880`009e7c00 fffff800`046c48e6 nt!PspSystemThreadStartup+0x5a
fffff880`009e7c40 00000000`00000000 nt!KiStartSystemThread+0x16
THREAD fffffa800cddd040 Cid 0004.0010 Teb: 0000000000000000 Win32Thread: 0000000000000000 WAIT: (Executive) KernelMode Non-Alertable
fffff80004883b40 Semaphore Limit 0x7fffffff
Not impersonating
DeviceMap fffff8a0000060b0
Owning Process fffffa800cd4a840 Image: System
Attached Process N/A Image: N/A
Wait Start TickCount 178107 Ticks: 2836 (0:00:00:44.241)
Context Switch Count 191
UserTime 00:00:00.000
KernelTime 00:00:00.062
Win32 Start Address nt!PopIrpWorker (0xfffff800047efaf0)
Stack Init fffff880009eec70 Current fffff880009ee8a0
Base fffff880009ef000 Limit fffff880009e9000 Call 0
Priority 13 BasePriority 13 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
Child-SP RetAddr Call Site
fffff880`009ee8e0 fffff800`046c95f2 nt!KiSwapContext+0x7a
fffff880`009eea20 fffff800`046da99f nt!KiCommitThreadWait+0x1d2
fffff880`009eeab0 fffff800`047efc52 nt!KeWaitForSingleObject+0x19f
fffff880`009eeb50 fffff800`049702ea nt!PopIrpWorker+0x162
fffff880`009eec00 fffff800`046c48e6 nt!PspSystemThreadStartup+0x5a
fffff880`009eec40 00000000`00000000 nt!KiStartSystemThread+0x16
THREAD fffffa800cd7bb50 Cid 0004.0014 Teb: 0000000000000000 Win32Thread: 0000000000000000 WAIT: (Executive) KernelMode Non-Alertable
fffff80004883b40 Semaphore Limit 0x7fffffff
Not impersonating
DeviceMap fffff8a0000060b0
Owning Process fffffa800cd4a840 Image: System
Attached Process N/A Image: N/A
Wait Start TickCount 178105 Ticks: 2850 (0:00:00:44.460)
Context Switch Count 137
UserTime 00:00:00.000
KernelTime 00:00:00.109
Win32 Start Address nt!PopIrpWorker (0xfffff800047efaf0)
Stack Init fffff880009f5c70 Current fffff880009f58a0
Base fffff880009f6000 Limit fffff880009f0000 Call 0
Priority 13 BasePriority 13 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
Child-SP RetAddr Call Site
fffff880`009f58e0 fffff800`046c95f2 nt!KiSwapContext+0x7a
fffff880`009f5a20 fffff800`046da99f nt!KiCommitThreadWait+0x1d2
fffff880`009f5ab0 fffff800`047efc52 nt!KeWaitForSingleObject+0x19f
fffff880`009f5b50 fffff800`049702ea nt!PopIrpWorker+0x162
fffff880`009f5c00 fffff800`046c48e6 nt!PspSystemThreadStartup+0x5a
fffff880`009f5c40 00000000`00000000 nt!KiStartSystemThread+0x16
THREAD fffffa800cdcfb50 Cid 0004.0018 Teb: 0000000000000000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Non-Alertable
fffff80004879280 QueueObject
Not impersonating
DeviceMap fffff8a0000060b0
Owning Process fffffa800cd4a840 Image: System
Attached Process N/A Image: N/A
Wait Start TickCount 178115 Ticks: 2851 (0:00:00:44.475)
Context Switch Count 45900
UserTime 00:00:00.000
KernelTime 00:00:00.280
Win32 Start Address nt!ExpWorkerThread (0xfffff800046dd150)
Stack Init fffff8800494ec70 Current fffff8800494e8a0
Base fffff8800494f000 Limit fffff88004949000 Call 0
Priority 13 BasePriority 13 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
Child-SP RetAddr Call Site
fffff880`0494e8e0 fffff800`046c95f2 nt!KiSwapContext+0x7a
fffff880`0494ea20 fffff800`046db1e3 nt!KiCommitThreadWait+0x1d2
fffff880`0494eab0 fffff800`046dd239 nt!KeRemoveQueueEx+0x323
fffff880`0494eb70 fffff800`049702ea nt!ExpWorkerThread+0xe9
fffff880`0494ec00 fffff800`046c48e6 nt!PspSystemThreadStartup+0x5a
fffff880`0494ec40 00000000`00000000 nt!KiStartSystemThread+0x16
THREAD fffffa800cdc89d0 Cid 0004.001c Teb: 0000000000000000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Non-Alertable
fffff80004879280 QueueObject
Not impersonating
DeviceMap fffff8a0000060b0
Owning Process fffffa800cd4a840 Image: System
Attached Process N/A Image: N/A
Wait Start TickCount 180896 Ticks: 82 (0:00:00:01.279)
Context Switch Count 268976
UserTime 00:00:00.000
KernelTime 00:00:01.575
Win32 Start Address nt!ExpWorkerThread (0xfffff800046dd150)
Stack Init fffff88004955c70 Current fffff880049558a0
Base fffff88004956000 Limit fffff88004950000 Call 0
Priority 13 BasePriority 13 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
Child-SP RetAddr Call Site
fffff880`049558e0 fffff800`046c95f2 nt!KiSwapContext+0x7a
fffff880`04955a20 fffff800`046db1e3 nt!KiCommitThreadWait+0x1d2
fffff880`04955ab0 fffff800`046dd239 nt!KeRemoveQueueEx+0x323
fffff880`04955b70 fffff800`049702ea nt!ExpWorkerThread+0xe9
fffff880`04955c00 fffff800`046c48e6 nt!PspSystemThreadStartup+0x5a
fffff880`04955c40 00000000`00000000 nt!KiStartSystemThread+0x16
THREAD fffffa800cd5fb50 Cid 0004.0020 Teb: 0000000000000000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Non-Alertable
fffff80004879280 QueueObject
Not impersonating
DeviceMap fffff8a0000060b0
Owning Process fffffa800cd4a840 Image: System
Attached Process N/A Image: N/A
Wait Start TickCount 180962 Ticks: 28 (0:00:00:00.436)
Context Switch Count 126127
UserTime 00:00:00.000
KernelTime 00:00:00.608
Win32 Start Address nt!ExpWorkerThread (0xfffff800046dd150)
Stack Init fffff8800495cc70 Current fffff8800495c8a0
Base fffff8800495d000 Limit fffff88004957000 Call 0
Priority 13 BasePriority 13 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
Child-SP RetAddr Call Site
fffff880`0495c8e0 fffff800`046c95f2 nt!KiSwapContext+0x7a
fffff880`0495ca20 fffff800`046db1e3 nt!KiCommitThreadWait+0x1d2
fffff880`0495cab0 fffff800`046dd239 nt!KeRemoveQueueEx+0x323
fffff880`0495cb70 fffff800`049702ea nt!ExpWorkerThread+0xe9
fffff880`0495cc00 fffff800`046c48e6 nt!PspSystemThreadStartup+0x5a
fffff880`0495cc40 00000000`00000000 nt!KiStartSystemThread+0x16
THREAD fffffa800cdbab50 Cid 0004.0024 Teb: 0000000000000000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Non-Alertable
fffff80004879280 QueueObject
Not impersonating
DeviceMap fffff8a0000060b0
Owning Process fffffa800cd4a840 Image: System
Attached Process N/A Image: N/A
Wait Start TickCount 180896 Ticks: 105 (0:00:00:01.638)
Context Switch Count 27635
UserTime 00:00:00.000
KernelTime 00:00:00.312
Win32 Start Address nt!ExpWorkerThread (0xfffff800046dd150)
Stack Init fffff88004963c70 Current fffff880049638a0
Base fffff88004964000 Limit fffff8800495e000 Call 0
Priority 14 BasePriority 13 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
Child-SP RetAddr Call Site
fffff880`049638e0 fffff800`046c95f2 nt!KiSwapContext+0x7a
fffff880`04963a20 fffff800`046db1e3 nt!KiCommitThreadWait+0x1d2
fffff880`04963ab0 fffff800`046dd239 nt!KeRemoveQueueEx+0x323
fffff880`04963b70 fffff800`049702ea nt!ExpWorkerThread+0xe9
fffff880`04963c00 fffff800`046c48e6 nt!PspSystemThreadStartup+0x5a
fffff880`04963c40 00000000`00000000 nt!KiStartSystemThread+0x16
THREAD fffffa800cdddb50 Cid 0004.0028 Teb: 0000000000000000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Non-Alertable
fffff80004879280 QueueObject
Not impersonating
DeviceMap fffff8a0000060b0
Owning Process fffffa800cd4a840 Image: System
Attached Process N/A Image: N/A
Wait Start TickCount 178115 Ticks: 2898 (0:00:00:45.209)
Context Switch Count 180620
UserTime 00:00:00.000
KernelTime 00:00:01.014
Win32 Start Address nt!ExpWorkerThread (0xfffff800046dd150)
Stack Init fffff8800496ac70 Current fffff8800496a8a0
Base fffff8800496b000 Limit fffff88004965000 Call 0
Priority 13 BasePriority 13 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
Child-SP RetAddr Call Site
fffff880`0496a8e0 fffff800`046c95f2 nt!KiSwapContext+0x7a
fffff880`0496aa20 fffff800`046db1e3 nt!KiCommitThreadWait+0x1d2
fffff880`0496aab0 fffff800`046dd239 nt!KeRemoveQueueEx+0x323
fffff880`0496ab70 fffff800`049702ea nt!ExpWorkerThread+0xe9
fffff880`0496ac00 fffff800`046c48e6 nt!PspSystemThreadStartup+0x5a
fffff880`0496ac40 00000000`00000000 nt!KiStartSystemThread+0x16
8. Use the dt command (dt nt!_EPROCESS) to examine the process's _EPROCESS structure.
lkd> dt nt!_EPROCESS
+0x000 Pcb : _KPROCESS
+0x160 ProcessLock : _EX_PUSH_LOCK
+0x168 CreateTime : _LARGE_INTEGER
+0x170 ExitTime : _LARGE_INTEGER
+0x178 RundownProtect : _EX_RUNDOWN_REF
+0x180 UniqueProcessId : Ptr64 Void
+0x188 ActiveProcessLinks : _LIST_ENTRY
+0x198 ProcessQuotaUsage : [2] Uint8B
+0x1a8 ProcessQuotaPeak : [2] Uint8B
+0x1b8 CommitCharge : Uint8B
+0x1c0 QuotaBlock : Ptr64 _EPROCESS_QUOTA_BLOCK
+0x1c8 CpuQuotaBlock : Ptr64 _PS_CPU_QUOTA_BLOCK
+0x1d0 PeakVirtualSize : Uint8B
+0x1d8 VirtualSize : Uint8B
+0x1e0 SessionProcessLinks : _LIST_ENTRY
+0x1f0 DebugPort : Ptr64 Void
+0x1f8 ExceptionPortData : Ptr64 Void
+0x1f8 ExceptionPortValue : Uint8B
+0x1f8 ExceptionPortState : Pos 0, 3 Bits
+0x200 ObjectTable : Ptr64 _HANDLE_TABLE
+0x208 Token : _EX_FAST_REF
+0x210 WorkingSetPage : Uint8B
+0x218 AddressCreationLock : _EX_PUSH_LOCK
+0x220 RotateInProgress : Ptr64 _ETHREAD
+0x228 ForkInProgress : Ptr64 _ETHREAD
+0x230 HardwareTrigger : Uint8B
+0x238 PhysicalVadRoot : Ptr64 _MM_AVL_TABLE
+0x240 CloneRoot : Ptr64 Void
+0x248 NumberOfPrivatePages : Uint8B
+0x250 NumberOfLockedPages : Uint8B
+0x258 Win32Process : Ptr64 Void
+0x260 Job : Ptr64 _EJOB
+0x268 SectionObject : Ptr64 Void
+0x270 SectionBaseAddress : Ptr64 Void
+0x278 Cookie : Uint4B
+0x27c UmsScheduledThreads : Uint4B
+0x280 WorkingSetWatch : Ptr64 _PAGEFAULT_HISTORY
+0x288 Win32WindowStation : Ptr64 Void
+0x290 InheritedFromUniqueProcessId : Ptr64 Void
+0x298 LdtInformation : Ptr64 Void
+0x2a0 Spare : Ptr64 Void
+0x2a8 ConsoleHostProcess : Uint8B
+0x2b0 DeviceMap : Ptr64 Void
+0x2b8 EtwDataSource : Ptr64 Void
+0x2c0 FreeTebHint : Ptr64 Void
+0x2c8 FreeUmsTebHint : Ptr64 Void
+0x2d0 PageDirectoryPte : _HARDWARE_PTE
+0x2d0 Filler : Uint8B
+0x2d8 Session : Ptr64 Void
+0x2e0 ImageFileName : [15] UChar
+0x2ef PriorityClass : UChar
+0x2f0 JobLinks : _LIST_ENTRY
+0x300 LockedPagesList : Ptr64 Void
+0x308 ThreadListHead : _LIST_ENTRY
+0x318 SecurityPort : Ptr64 Void
+0x320 Wow64Process : Ptr64 Void
+0x328 ActiveThreads : Uint4B
+0x32c ImagePathHash : Uint4B
+0x330 DefaultHardErrorProcessing : Uint4B
+0x334 LastThreadExitStatus : Int4B
+0x338 Peb : Ptr64 _PEB
+0x340 PrefetchTrace : _EX_FAST_REF
+0x348 ReadOperationCount : _LARGE_INTEGER
+0x350 WriteOperationCount : _LARGE_INTEGER
+0x358 OtherOperationCount : _LARGE_INTEGER
+0x360 ReadTransferCount : _LARGE_INTEGER
+0x368 WriteTransferCount : _LARGE_INTEGER
+0x370 OtherTransferCount : _LARGE_INTEGER
+0x378 CommitChargeLimit : Uint8B
+0x380 CommitChargePeak : Uint8B
+0x388 AweInfo : Ptr64 Void
+0x390 SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO
+0x398 Vm : _MMSUPPORT
+0x420 MmProcessLinks : _LIST_ENTRY
+0x430 HighestUserAddress : Ptr64 Void
+0x438 ModifiedPageCount : Uint4B
+0x43c Flags2 : Uint4B
+0x43c JobNotReallyActive : Pos 0, 1 Bit
+0x43c AccountingFolded : Pos 1, 1 Bit
+0x43c NewProcessReported : Pos 2, 1 Bit
+0x43c ExitProcessReported : Pos 3, 1 Bit
+0x43c ReportCommitChanges : Pos 4, 1 Bit
+0x43c LastReportMemory : Pos 5, 1 Bit
+0x43c ReportPhysicalPageChanges : Pos 6, 1 Bit
+0x43c HandleTableRundown : Pos 7, 1 Bit
+0x43c NeedsHandleRundown : Pos 8, 1 Bit
+0x43c RefTraceEnabled : Pos 9, 1 Bit
+0x43c NumaAware : Pos 10, 1 Bit
+0x43c ProtectedProcess : Pos 11, 1 Bit
+0x43c DefaultPagePriority : Pos 12, 3 Bits
+0x43c PrimaryTokenFrozen : Pos 15, 1 Bit
+0x43c ProcessVerifierTarget : Pos 16, 1 Bit
+0x43c StackRandomizationDisabled : Pos 17, 1 Bit
+0x43c AffinityPermanent : Pos 18, 1 Bit
+0x43c AffinityUpdateEnable : Pos 19, 1 Bit
+0x43c PropagateNode : Pos 20, 1 Bit
+0x43c ExplicitAffinity : Pos 21, 1 Bit
+0x43c Spare1 : Pos 22, 1 Bit
+0x43c ForceRelocateImages : Pos 23, 1 Bit
+0x43c DisallowStrippedImages : Pos 24, 1 Bit
+0x43c LowVaAccessible : Pos 25, 1 Bit
+0x440 Flags : Uint4B
+0x440 CreateReported : Pos 0, 1 Bit
+0x440 NoDebugInherit : Pos 1, 1 Bit
+0x440 ProcessExiting : Pos 2, 1 Bit
+0x440 ProcessDelete : Pos 3, 1 Bit
+0x440 Wow64SplitPages : Pos 4, 1 Bit
+0x440 VmDeleted : Pos 5, 1 Bit
+0x440 OutswapEnabled : Pos 6, 1 Bit
+0x440 Outswapped : Pos 7, 1 Bit
+0x440 ForkFailed : Pos 8, 1 Bit
+0x440 Wow64VaSpace4Gb : Pos 9, 1 Bit
+0x440 AddressSpaceInitialized : Pos 10, 2 Bits
+0x440 SetTimerResolution : Pos 12, 1 Bit
+0x440 BreakOnTermination : Pos 13, 1 Bit
+0x440 DeprioritizeViews : Pos 14, 1 Bit
+0x440 WriteWatch : Pos 15, 1 Bit
+0x440 ProcessInSession : Pos 16, 1 Bit
+0x440 OverrideAddressSpace : Pos 17, 1 Bit
+0x440 HasAddressSpace : Pos 18, 1 Bit
+0x440 LaunchPrefetched : Pos 19, 1 Bit
+0x440 InjectInpageErrors : Pos 20, 1 Bit
+0x440 VmTopDown : Pos 21, 1 Bit
+0x440 ImageNotifyDone : Pos 22, 1 Bit
+0x440 PdeUpdateNeeded : Pos 23, 1 Bit
+0x440 VdmAllowed : Pos 24, 1 Bit
+0x440 CrossSessionCreate : Pos 25, 1 Bit
+0x440 ProcessInserted : Pos 26, 1 Bit
+0x440 DefaultIoPriority : Pos 27, 3 Bits
+0x440 ProcessSelfDelete : Pos 30, 1 Bit
+0x440 SetTimerResolutionLink : Pos 31, 1 Bit
+0x444 ExitStatus : Int4B
+0x448 VadRoot : _MM_AVL_TABLE
+0x488 AlpcContext : _ALPC_PROCESS_CONTEXT
+0x4a8 TimerResolutionLink : _LIST_ENTRY
+0x4b8 RequestedTimerResolution : Uint4B
+0x4bc ActiveThreadsHighWatermark : Uint4B
+0x4c0 SmallestTimerResolution : Uint4B
+0x4c8 TimerResolutionStackRecord : Ptr64 _PO_DIAG_STACK_RECORD
9, Append the address recorded in step 7 to the dt nt!_EPROCESS command to display the value of every field of the System process's _EPROCESS structure.
lkd> dt nt!_EPROCESS fffffa800cd4a840
+0x000 Pcb : _KPROCESS
+0x160 ProcessLock : _EX_PUSH_LOCK
+0x168 CreateTime : _LARGE_INTEGER 0x1d380a3`bcb1f511
+0x170 ExitTime : _LARGE_INTEGER 0x0
+0x178 RundownProtect : _EX_RUNDOWN_REF
+0x180 UniqueProcessId : 0x00000000`00000004 Void
+0x188 ActiveProcessLinks : _LIST_ENTRY [ 0xfffffa80`0e55c1c8 - 0xfffff800`048833d0]
+0x198 ProcessQuotaUsage : [2] 0
+0x1a8 ProcessQuotaPeak : [2] 0
+0x1b8 CommitCharge : 0x23
+0x1c0 QuotaBlock : 0xfffff800`04861940 _EPROCESS_QUOTA_BLOCK
+0x1c8 CpuQuotaBlock : (null)
+0x1d0 PeakVirtualSize : 0xfec000
+0x1d8 VirtualSize : 0x4cd000
+0x1e0 SessionProcessLinks : _LIST_ENTRY [ 0x00000000`00000000 - 0x0 ]
+0x1f0 DebugPort : (null)
+0x1f8 ExceptionPortData : (null)
+0x1f8 ExceptionPortValue : 0
+0x1f8 ExceptionPortState : 0y000
+0x200 ObjectTable : 0xfffff8a0`00001730 _HANDLE_TABLE
+0x208 Token : _EX_FAST_REF
+0x210 WorkingSetPage : 0
+0x218 AddressCreationLock : _EX_PUSH_LOCK
+0x220 RotateInProgress : (null)
+0x228 ForkInProgress : (null)
+0x230 HardwareTrigger : 0
+0x238 PhysicalVadRoot : 0xfffffa80`0cd8f060 _MM_AVL_TABLE
+0x240 CloneRoot : (null)
+0x248 NumberOfPrivatePages : 0xe
+0x250 NumberOfLockedPages : 0x80
+0x258 Win32Process : (null)
+0x260 Job : (null)
+0x268 SectionObject : (null)
+0x270 SectionBaseAddress : (null)
+0x278 Cookie : 0
+0x27c UmsScheduledThreads : 0
+0x280 WorkingSetWatch : (null)
+0x288 Win32WindowStation : (null)
+0x290 InheritedFromUniqueProcessId : (null)
+0x298 LdtInformation : (null)
+0x2a0 Spare : (null)
+0x2a8 ConsoleHostProcess : 0
+0x2b0 DeviceMap : 0xfffff8a0`000060b0 Void
+0x2b8 EtwDataSource : (null)
+0x2c0 FreeTebHint : 0x000007ff`fffe0000 Void
+0x2c8 FreeUmsTebHint : 0x00000000`77c29000 Void
+0x2d0 PageDirectoryPte : _HARDWARE_PTE
+0x2d0 Filler : 0
+0x2d8 Session : (null)
+0x2e0 ImageFileName : [15] "System"
+0x2ef PriorityClass : 0x2 ''
+0x2f0 JobLinks : _LIST_ENTRY [ 0x00000000`00000000 - 0x0 ]
+0x300 LockedPagesList : (null)
+0x308 ThreadListHead : _LIST_ENTRY [ 0xfffffa80`0cd4a6d8 - 0xfffffa80`119b8b78 ]
+0x318 SecurityPort : (null)
+0x320 Wow64Process : (null)
+0x328 ActiveThreads : 0xce
+0x32c ImagePathHash : 0
+0x330 DefaultHardErrorProcessing : 5
+0x334 LastThreadExitStatus : 0n0
+0x338 Peb : (null)
+0x340 PrefetchTrace : _EX_FAST_REF
+0x348 ReadOperationCount : _LARGE_INTEGER 0x11
+0x350 WriteOperationCount : _LARGE_INTEGER 0xe3
+0x358 OtherOperationCount : _LARGE_INTEGER 0x287
+0x360 ReadTransferCount : _LARGE_INTEGER 0x9a5ad88
+0x368 WriteTransferCount : _LARGE_INTEGER 0x1fc3c80
+0x370 OtherTransferCount : _LARGE_INTEGER 0x192f
+0x378 CommitChargeLimit : 0
+0x380 CommitChargePeak : 0x6d5
+0x388 AweInfo : (null)
+0x390 SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO
+0x398 Vm : _MMSUPPORT
+0x420 MmProcessLinks : _LIST_ENTRY [ 0xfffffa80`0e55c460 - 0xfffff800`0485d5a0 ]
+0x430 HighestUserAddress : (null)
+0x438 ModifiedPageCount : 0x51422
+0x43c Flags2 : 0x2d800
+0x43c JobNotReallyActive : 0y0
+0x43c AccountingFolded : 0y0
+0x43c NewProcessReported : 0y0
+0x43c ExitProcessReported : 0y0
+0x43c ReportCommitChanges : 0y0
+0x43c LastReportMemory : 0y0
+0x43c ReportPhysicalPageChanges : 0y0
+0x43c HandleTableRundown : 0y0
+0x43c NeedsHandleRundown : 0y0
+0x43c RefTraceEnabled : 0y0
+0x43c NumaAware : 0y0
+0x43c ProtectedProcess : 0y1
+0x43c DefaultPagePriority : 0y101
+0x43c PrimaryTokenFrozen : 0y1
+0x43c ProcessVerifierTarget : 0y0
+0x43c StackRandomizationDisabled : 0y1
+0x43c AffinityPermanent : 0y0
+0x43c AffinityUpdateEnable : 0y0
+0x43c PropagateNode : 0y0
+0x43c ExplicitAffinity : 0y0
+0x43c Spare1 : 0y0
+0x43c ForceRelocateImages : 0y0
+0x43c DisallowStrippedImages : 0y0
+0x43c LowVaAccessible : 0y0
+0x440 Flags : 0x14040800
+0x440 CreateReported : 0y0
+0x440 NoDebugInherit : 0y0
+0x440 ProcessExiting : 0y0
+0x440 ProcessDelete : 0y0
+0x440 Wow64SplitPages : 0y0
+0x440 VmDeleted : 0y0
+0x440 OutswapEnabled : 0y0
+0x440 Outswapped : 0y0
+0x440 ForkFailed : 0y0
+0x440 Wow64VaSpace4Gb : 0y0
+0x440 AddressSpaceInitialized : 0y10
+0x440 SetTimerResolution : 0y0
+0x440 BreakOnTermination : 0y0
+0x440 DeprioritizeViews : 0y0
+0x440 WriteWatch : 0y0
+0x440 ProcessInSession : 0y0
+0x440 OverrideAddressSpace : 0y0
+0x440 HasAddressSpace : 0y1
+0x440 LaunchPrefetched : 0y0
+0x440 InjectInpageErrors : 0y0
+0x440 VmTopDown : 0y0
+0x440 ImageNotifyDone : 0y0
+0x440 PdeUpdateNeeded : 0y0
+0x440 VdmAllowed : 0y0
+0x440 CrossSessionCreate : 0y0
+0x440 ProcessInserted : 0y1
+0x440 DefaultIoPriority : 0y010
+0x440 ProcessSelfDelete : 0y0
+0x440 SetTimerResolutionLink : 0y0
+0x444 ExitStatus : 0n259
+0x448 VadRoot : _MM_AVL_TABLE
+0x488 AlpcContext : _ALPC_PROCESS_CONTEXT
+0x4a8 TimerResolutionLink : _LIST_ENTRY [ 0x00000000`00000000 - 0x0 ]
+0x4b8 RequestedTimerResolution : 0
+0x4bc ActiveThreadsHighWatermark : 0xd4
+0x4c0 SmallestTimerResolution : 0
+0x4c8 TimerResolutionStackRecord : (null)
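To show how the offsets and bit positions that dt prints are actually used, here is an added Python example (not part of the original lab text). It parses a constructed excerpt of the dt nt!_EPROCESS listing above, decodes the System process's raw Flags2 (0x2d800) and Flags (0x14040800) values into the named bitfields that dt showed as 0y values, and recovers the next process's _EPROCESS from the ActiveProcessLinks Flink (0xfffffa800e55c1c8) by subtracting the field offset, which is what CONTAINING_RECORD does. The function names are my own; the offsets are the Windows 7 x64 ones from the listing.

```python
import re

# Constructed excerpt of the page's `dt nt!_EPROCESS` output (Windows 7 x64 layout).
DT_OUTPUT = """
+0x180 UniqueProcessId : Ptr64 Void
+0x188 ActiveProcessLinks : _LIST_ENTRY
+0x2e0 ImageFileName : [15] UChar
+0x43c Flags2 : Uint4B
+0x43c ProtectedProcess : Pos 11, 1 Bit
+0x43c DefaultPagePriority : Pos 12, 3 Bits
+0x43c PrimaryTokenFrozen : Pos 15, 1 Bit
+0x43c StackRandomizationDisabled : Pos 17, 1 Bit
+0x440 Flags : Uint4B
+0x440 AddressSpaceInitialized : Pos 10, 2 Bits
+0x440 HasAddressSpace : Pos 18, 1 Bit
+0x440 ProcessInserted : Pos 26, 1 Bit
+0x440 DefaultIoPriority : Pos 27, 3 Bits
"""

FIELD_RE = re.compile(r"^\+0x([0-9a-f]+)\s+(\w+)\s*:\s*(.*)$")
BITS_RE = re.compile(r"Pos (\d+), (\d+) Bits?")

def parse_dt(text):
    """Return ({field: offset}, {bitfield: (offset, pos, width)}) from dt output."""
    fields, bitfields = {}, {}
    for line in text.strip().splitlines():
        m = FIELD_RE.match(line.strip())
        if not m:
            continue
        off, name, typ = int(m.group(1), 16), m.group(2), m.group(3)
        b = BITS_RE.search(typ)
        if b:  # "Pos N, W Bits" lines share the offset of their Uint4B container
            bitfields[name] = (off, int(b.group(1)), int(b.group(2)))
        else:
            fields[name] = off
    return fields, bitfields

def decode_bits(bitfields, container_offset, value):
    """Decode a raw Uint4B such as Flags2 into the named bitfields at that offset."""
    return {name: (value >> pos) & ((1 << width) - 1)
            for name, (off, pos, width) in bitfields.items() if off == container_offset}

def containing_eprocess(fields, flink):
    """CONTAINING_RECORD: the _EPROCESS that embeds an ActiveProcessLinks entry."""
    return flink - fields["ActiveProcessLinks"]

if __name__ == "__main__":
    fields, bits = parse_dt(DT_OUTPUT)
    print(decode_bits(bits, 0x43c, 0x2d800))      # ProtectedProcess=1, DefaultPagePriority=5, ...
    print(decode_bits(bits, 0x440, 0x14040800))   # AddressSpaceInitialized=2, ProcessInserted=1, ...
    print(hex(containing_eprocess(fields, 0xfffffa800e55c1c8)))  # smss.exe's _EPROCESS
```

The decoded values match the 0y fields dt printed for the System process, and the recovered address 0xfffffa800e55c040 is the smss.exe PROCESS address from the !process 0 0 listing, confirming the list walk.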
10, Type the x nt!* command to list the symbols contained in the kernel file (NTOSKRNL). Try different expressions to select which symbols are displayed; for example, x nt!Dbgk* shows all symbols that start with Dbgk.
lkd> x nt!*
fffff800`0469f6b0 nt!MiSyncSystemPdes = <no type information>
fffff800`04ae2860 nt!ObpStopRTStackTrace = <no type information>
fffff800`04935970 nt!RtlSetOwnerSecurityDescriptor = <no type information>
fffff800`04bd8210 nt!PnpInitializeLegacyBusInformationTable = <no type information>
fffff800`049742b0 nt!AlpcpDeleteBlob = <no type information>
fffff800`04a861b0 nt!TmpNamespaceEnumerate = <no type information>
fffff800`04beacf0 nt!IopStoreArcInformation = <no type information>
fffff800`04a98d50 nt!CmpUpdateParentForEachSon = <no type information>
fffff800`049bd9f0 nt!PsReferenceImpersonationToken = <no type information>
fffff800`0470f040 nt! ?? ::FNODOBFM::`string' = <no type information>
fffff800`04aa3e50 nt!WmipGetDevicePDO = <no type information>
fffff800`046b9174 nt!KiSetPriorityThread = <no type information>
fffff800`04a65570 nt!CmpQueueLazyCommitWorker = <no type information>
fffff800`046d02f0 nt!KiInterruptDispatchNoEOI = <no type information>
fffff800`046bb76c nt!RtlFindLastBackwardRunClear = <no type information>
fffff800`0480a900 nt!_newclmap = <no type information>
fffff800`04857ca0 nt!_lc_codepage = <no type information>
fffff800`04793570 nt!PopQueueBatteryStatusTimeout = <no type information>
fffff800`04b0bbc0 nt!ExpGetSystemFirmwareTableInformation = <no type information>
fffff800`04aa9dd0 nt!CmpDoReDoDeleteValue = <no type information>
fffff800`04ac5cd0 nt!SmKmSendDeviceControl = <no type information>
fffff800`046ce940 nt!ZwRenameTransactionManager = <no type information>
fffff800`04a637d0 nt!EtwpRemoveProviderTableEntry = <no type information>
fffff800`04b6d620 nt!ViShutdownWatchdogExecuteDpc = <no type information>
fffff800`04b1c320 nt!BiAddBootEntryToNvramDisplayOrder = <no type information>
fffff800`04889984 nt!MmZeroedPageSingleBitErrorsDetected = <no type information>
fffff800`04878310 nt!curr_y = <no type information>
fffff800`0490b180 nt!MmPageToNode = <no type information>
fffff800`04783b80 nt!InbvEnableBootDriver = <no type information>
fffff800`048d9510 nt!CmpLazyCommitListLock = <no type information>
fffff800`049f7d58 nt!PsReturnProcessPageFileQuota = <no type information>
fffff800`049c8ee0 nt! ?? ::LBKOJDO::`string' = <no type information>
fffff800`047b4b20 nt!B_TREE<unsigned long,ST_STORE<SM_TRAITS>::_ST_REGION_ENTRY,4096,NP_CONTEXT>::BTreeInsertEx = <no type information>
fffff800`04942020 nt!SeValidateImageHeader = <no type information>
fffff800`04b38760 nt!BiIsVolumePartitionInformationRetained = <no type information>
fffff800`04711370 nt! ?? ::FNODOBFM::`string' = <no type information>
fffff800`047ccf80 nt!SMKM_STORE_MGR<SM_TRAITS>::SmStoreContentsRundown = <no type information>
fffff800`046e5320 nt!IoSetTopLevelIrp = <no type information>
fffff800`04922610 nt!PoBroadcastSystemState = <no type information>
fffff800`04864800 nt!WheapPfaLock = <no type information>
fffff800`04b0de30 nt!ExUnregisterExtension = <no type information>
fffff800`04a915e0 nt!PnpQueryBusInformation = <no type information>