First, call PsGetCurrentProcess (or IoGetCurrentProcess, which is the same thing) to get the current process. What it returns is not a handle but a PEPROCESS: a kernel pointer to the process's _EPROCESS structure, so its fields can be read by adding an offset to that pointer.
The walkthrough below uses XP SP2 (OS version: 5.1.2600 Service Pack 2 Build 2600); the corresponding details for Vista SP2 are appended at the end.
Open WinDbg and set the symbol file path (the simplest setting is srv*d:\symbolslocal*http://msdl.microsoft.com/download/symbols).
Load any executable; here I use notepad as the example.
Once it has loaded, type dt _EPROCESS in the command window:
0:000> dt_EPROCESS
ntdll!_EPROCESS
+0x000 Pcb : _KPROCESS
+0x06c ProcessLock : _EX_PUSH_LOCK
+0x070 CreateTime : _LARGE_INTEGER
+0x078 ExitTime : _LARGE_INTEGER
+0x080 RundownProtect : _EX_RUNDOWN_REF
+0x084 UniqueProcessId : Ptr32 Void
+0x088 ActiveProcessLinks : _LIST_ENTRY
+0x090 QuotaUsage : [3] Uint4B
+0x09c QuotaPeak : [3] Uint4B
+0x0a8 CommitCharge : Uint4B
+0x0ac PeakVirtualSize : Uint4B
+0x0b0 VirtualSize : Uint4B
+0x0b4 SessionProcessLinks : _LIST_ENTRY
+0x0bc DebugPort : Ptr32 Void
+0x0c0 ExceptionPort : Ptr32 Void
+0x0c4 ObjectTable : Ptr32 _HANDLE_TABLE
+0x0c8 Token : _EX_FAST_REF
+0x0cc WorkingSetLock : _FAST_MUTEX
+0x0ec WorkingSetPage : Uint4B
+0x0f0 AddressCreationLock : _FAST_MUTEX
+0x110 HyperSpaceLock : Uint4B
+0x114 ForkInProgress : Ptr32 _ETHREAD
+0x118 HardwareTrigger : Uint4B
+0x11c VadRoot : Ptr32 Void
+0x120 VadHint : Ptr32 Void
+0x124 CloneRoot : Ptr32 Void
+0x128 NumberOfPrivatePages : Uint4B
+0x12c NumberOfLockedPages : Uint4B
+0x130 Win32Process : Ptr32 Void
+0x134 Job : Ptr32 _EJOB
+0x138 SectionObject : Ptr32 Void
+0x13c SectionBaseAddress : Ptr32 Void
+0x140 QuotaBlock : Ptr32 _EPROCESS_QUOTA_BLOCK
+0x144 WorkingSetWatch : Ptr32 _PAGEFAULT_HISTORY
+0x148 Win32WindowStation : Ptr32 Void
+0x14c InheritedFromUniqueProcessId : Ptr32 Void
+0x150 LdtInformation : Ptr32 Void
+0x154 VadFreeHint : Ptr32 Void
+0x158 VdmObjects : Ptr32 Void
+0x15c DeviceMap : Ptr32 Void
+0x160 PhysicalVadList : _LIST_ENTRY
+0x168 PageDirectoryPte : _HARDWARE_PTE_X86
+0x168 Filler : Uint8B
+0x170 Session : Ptr32 Void
+0x174 ImageFileName : [16] UChar
+0x184 JobLinks : _LIST_ENTRY
+0x18c LockedPagesList : Ptr32 Void
+0x190 ThreadListHead : _LIST_ENTRY
+0x198 SecurityPort : Ptr32 Void
+0x19c PaeTop : Ptr32 Void
+0x1a0 ActiveThreads : Uint4B
+0x1a4 GrantedAccess : Uint4B
+0x1a8 DefaultHardErrorProcessing : Uint4B
+0x1ac LastThreadExitStatus : Int4B
+0x1b0 Peb : Ptr32 _PEB
+0x1b4 PrefetchTrace : _EX_FAST_REF
+0x1b8 ReadOperationCount : _LARGE_INTEGER
+0x1c0 WriteOperationCount : _LARGE_INTEGER
+0x1c8 OtherOperationCount : _LARGE_INTEGER
+0x1d0 ReadTransferCount : _LARGE_INTEGER
+0x1d8 WriteTransferCount : _LARGE_INTEGER
+0x1e0 OtherTransferCount : _LARGE_INTEGER
+0x1e8 CommitChargeLimit : Uint4B
+0x1ec CommitChargePeak : Uint4B
+0x1f0 AweInfo : Ptr32 Void
+0x1f4 SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO
+0x1f8 Vm : _MMSUPPORT
+0x238 LastFaultCount : Uint4B
+0x23c ModifiedPageCount : Uint4B
+0x240 NumberOfVads : Uint4B
+0x244 JobStatus : Uint4B
+0x248 Flags : Uint4B
+0x248 CreateReported : Pos 0, 1 Bit
+0x248 NoDebugInherit : Pos 1, 1 Bit
+0x248 ProcessExiting : Pos 2, 1 Bit
+0x248 ProcessDelete : Pos 3, 1 Bit
+0x248 Wow64SplitPages : Pos 4, 1 Bit
+0x248 VmDeleted : Pos 5, 1 Bit
+0x248 OutswapEnabled : Pos 6, 1 Bit
+0x248 Outswapped : Pos 7, 1 Bit
+0x248 ForkFailed : Pos 8, 1 Bit
+0x248 HasPhysicalVad : Pos 9, 1 Bit
+0x248 AddressSpaceInitialized : Pos 10, 2 Bits
+0x248 SetTimerResolution : Pos 12, 1 Bit
+0x248 BreakOnTermination : Pos 13, 1 Bit
+0x248 SessionCreationUnderway : Pos 14, 1 Bit
+0x248 WriteWatch : Pos 15, 1 Bit
+0x248 ProcessInSession : Pos 16, 1 Bit
+0x248 OverrideAddressSpace : Pos 17, 1 Bit
+0x248 HasAddressSpace : Pos 18, 1 Bit
+0x248 LaunchPrefetched : Pos 19, 1 Bit
+0x248 InjectInpageErrors : Pos 20, 1 Bit
+0x248 VmTopDown : Pos 21, 1 Bit
+0x248 Unused3 : Pos 22, 1 Bit
+0x248 Unused4 : Pos 23, 1 Bit
+0x248 VdmAllowed : Pos 24, 1 Bit
+0x248 Unused : Pos 25, 5 Bits
+0x248 Unused1 : Pos 30, 1 Bit
+0x248 Unused2 : Pos 31, 1 Bit
+0x24c ExitStatus : Int4B
+0x250 NextPageColor : Uint2B
+0x252 SubSystemMinorVersion : UChar
+0x253 SubSystemMajorVersion : UChar
+0x252 SubSystemVersion : Uint2B
+0x254 PriorityClass : UChar
+0x255 WorkingSetAcquiredUnsafe : UChar
+0x258 Cookie : Uint4B
From this layout, the process name is ImageFileName: adding offset 0x174 to the _EPROCESS base address gives the address of the name. Note that the field is a 16-byte ANSI array, so it holds at most the first 15 characters of the executable's file name and never the path; the exported (undocumented) PsGetProcessImageFileName returns the same field without hard-coding the offset. Code:
// XP SP2 x86 only: _EPROCESS.ImageFileName is at +0x174 (see the dt output above),
// a 16-byte char array (15 characters plus NUL), so long names are truncated.
char *ProcessName = (char *)PsGetCurrentProcess() + 0x174;
KdPrint(("Current Process Name: %s\n", ProcessName));
How to get the full process path:
The full path is not in _EPROCESS at all but in the PEB, a user-mode structure that _EPROCESS points to at +0x1b0 (the Peb field in the listing above).
Type !peb in WinDbg to display that structure:
0:000> !peb
PEB at 7ffd8000
InheritedAddressSpace: No
ReadImageFileExecOptions: No
BeingDebugged: Yes
ImageBaseAddress: 01000000
Ldr 001a1ea0
Ldr.Initialized: Yes
Ldr.InInitializationOrderModuleList: 001a1f58 . 001a2920
Ldr.InLoadOrderModuleList: 001a1ee0 . 001a2910
Ldr.InMemoryOrderModuleList: 001a1ee8 . 001a2918
Base TimeStamp Module
1000000 41107cc3 Aug 04 14:05:55 2004 C:\WINDOWS\NOTEPAD.EXE
7c920000 4121457c Aug 17 07:38:36 2004 C:\WINDOWS\system32\ntdll.dll
7c800000 46239c32 Apr 16 23:54:26 2007 C:\WINDOWS\system32\kernel32.dll
76320000 4121455b Aug 17 07:38:03 2004 C:\WINDOWS\system32\comdlg32.dll
77f40000 470dbeb6 Oct 11 14:12:06 2007 C:\WINDOWS\system32\SHLWAPI.dll
77da0000 4121454d Aug 17 07:37:49 2004 C:\WINDOWS\system32\ADVAPI32.dll
77e50000 46923396 Jul 09 21:09:42 2007 C:\WINDOWS\system32\RPCRT4.dll
77fc0000 4121457b Aug 17 07:38:35 2004 C:\WINDOWS\system32\Secur32.dll
77ef0000 4677dad9 Jun 19 21:32:09 2007 C:\WINDOWS\system32\GDI32.dll
77d10000 45f02db2 Mar 08 23:37:22 2007 C:\WINDOWS\system32\USER32.dll
77be0000 412145fe Aug 17 07:40:46 2004 C:\WINDOWS\system32\msvcrt.dll
77180000 44ef1c15 Aug 25 23:49:41 2006 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\COMCTL32.dll
7d590000 4720ca57 Oct 26 00:54:47 2007 C:\WINDOWS\system32\SHELL32.dll
72f70000 4121457a Aug 17 07:38:34 2004 C:\WINDOWS\system32\WINSPOOL.DRV
SubSystemData: 00000000
ProcessHeap: 000a0000
ProcessParameters: 00020000
WindowTitle: 'C:\WINDOWS\NOTEPAD.EXE'
ImageFile: 'C:\WINDOWS\NOTEPAD.EXE'
CommandLine: 'C:\WINDOWS\NOTEPAD.EXE'
DllPath: 'C:\WINDOWS;C:\WINDOWS\system32;C:\WINDOWS\system;C:\WINDOWS;.;C:\Program Files\Debugging Tools for Windows (x86)\winext\arcade;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem'
Environment: 00010000
=::=::\
ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Administrator\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=CHINA-4D20140AE
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Administrator
LOGONSERVER=\\CHINA-4D20140AE
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Program Files\Debugging Tools for Windows (x86)\winext\arcade;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 23 Stepping 10, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=170a
ProgramFiles=C:\Program Files
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
USERDOMAIN=CHINA-4D20140AE
USERNAME=Administrator
USERPROFILE=C:\Documents and Settings\Administrator
WINDBG_DIR=C:\Program Files\Debugging Tools for Windows (x86)
windir=C:\WINDOWS
The !peb output shows ProcessParameters at 0x20000, and its ImageFile field is the full path of the process. Where in _PEB is the ProcessParameters pointer kept? The _PEB base is 0x7ffd8000; dumping it with the WinDbg command db 0x7ffd8000 shows that the pointer is stored at offset 0x10 of _PEB (dt _PEB ProcessParameters reports the same offset):
0:000> db 0x7ffd8000
7ffd8000 00 00 01 00 ff ff ff ff-00 00 00 01 a0 1e 1a 00 ................
7ffd8010 00 00 02 00 00 00 00 00-00 00 0a 00 c0 e4 99 7c ...............|
7ffd8020 05 10 92 7c ed 10 92 7c-01 00 00 00 00 00 00 00 ...|...|........
7ffd8030 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
7ffd8040 80 e4 99 7c 01 00 00 00-00 00 00 00 00 00 6f 7f ...|..........o.
7ffd8050 00 00 6f 7f 88 06 6f 7f-00 00 fa 7f 00 00 fa 7f ..o...o.........
7ffd8060 00 10 fd 7f 01 00 00 00-70 00 00 00 00 00 00 00 ........p.......
7ffd8070 00 80 9b 07 6d e8 ff ff-00 00 10 00 00 20 00 00 ....m........ ..
The four bytes at +0x10 (00 00 02 00, little-endian) are 0x20000.
Next use db 0x20000 to dump ProcessParameters, i.e. the _RTL_USER_PROCESS_PARAMETERS structure. ImagePathName is a UNICODE_STRING at offset 0x38: Length (0x2c = 44 bytes, 22 characters) at 0x38, MaximumLength (0x2e) at 0x3A, and the Buffer pointer to the full path at 0x3C:
0:000> db 0x20000
00020000 00 10 00 00 bc 06 00 00-01 20 00 00 00 00 00 00 ......... ......
00020010 00 00 00 00 00 00 00 00-00 00 00 00 01 00 01 00 ................
00020020 00 00 00 00 66 00 08 02-90 02 02 00 60 02 00 00 ....f.......`...
00020030 6c 01 6e 01 98 04 02 00-2c 00 2e 00 08 06 02 00 l.n.....,.......
00020040 2c 00 2e 00 38 06 02 00-00 00 01 00 00 00 00 00 ,...8...........
00020050 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
00020060 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
00020070 2c 00 2e 00 68 06 02 00-1e 00 20 00 98 06 02 00 ,...h..... .....
The value at 0x3C is 0x20608, so db 0x20608 displays the full path. It is stored as UTF-16 (UNICODE), one 16-bit unit per character, which is why every character is followed by a 00 byte, and the Length field, not a terminating NUL, is what defines where the string ends. CommandLine follows at 0x40 with its own buffer at 0x20638, which is why the same text appears a second time in the dump.
0:000> db 0x20608
00020608 43 00 3a 00 5c 00 57 00-49 00 4e 00 44 00 4f 00 C.:.\.W.I.N.D.O.
00020618 57 00 53 00 5c 00 4e 00-4f 00 54 00 45 00 50 00 W.S.\.N.O.T.E.P.
00020628 41 00 44 00 2e 00 45 00-58 00 45 00 00 00 00 00 A.D...E.X.E.....
00020638 43 00 3a 00 5c 00 57 00-49 00 4e 00 44 00 4f 00 C.:.\.W.I.N.D.O.
00020648 57 00 53 00 5c 00 4e 00-4f 00 54 00 45 00 50 00 W.S.\.N.O.T.E.P.
00020658 41 00 44 00 2e 00 45 00-58 00 45 00 00 00 00 00 A.D...E.X.E.....
00020668 43 00 3a 00 5c 00 57 00-49 00 4e 00 44 00 4f 00 C.:.\.W.I.N.D.O.
00020678 57 00 53 00 5c 00 4e 00-4f 00 54 00 45 00 50 00 W.S.\.N.O.T.E.P.
Mirroring these three steps in a driver gives the full path of the current process. Because the PEB and ProcessParameters live in user-mode memory, this only works in the context of the target process (a system thread or a DPC has no PEB to read), at PASSIVE_LEVEL, and the reads must be guarded against the user pages being unavailable; the System process has no PEB at all, which the NULL check covers. The offsets are XP SP2 x86 values and will be wrong on other builds.
#include <ntddk.h>

// Offsets from the XP SP2 x86 listings above:
//   _EPROCESS+0x1B0 = Peb, _PEB+0x10 = ProcessParameters,
//   _RTL_USER_PROCESS_PARAMETERS+0x38 = ImagePathName (UNICODE_STRING), +0x3C = its Buffer.
PCWSTR GetCurrentProcessFileName(void)
{
    ULONG_PTR addr = (ULONG_PTR)PsGetCurrentProcess();
    PCWSTR path = NULL;

    if (addr == 0 || addr == (ULONG_PTR)-1)
        return NULL;

    __try {
        addr += 0x1B0;                                          // -> _EPROCESS.Peb
        if ((addr = *(ULONG_PTR *)addr) == 0) return NULL;      // no PEB (e.g. System process)
        addr += 0x10;                                           // -> _PEB.ProcessParameters
        if ((addr = *(ULONG_PTR *)addr) == 0) return NULL;
        addr += 0x3C;                                           // -> ImagePathName.Buffer
        if ((addr = *(ULONG_PTR *)addr) == 0) return NULL;
        path = (PCWSTR)addr;
        // %ws assumes a NUL-terminated buffer; the Length at +0x38 is the real bound
        // (printing the UNICODE_STRING at +0x38 with %wZ honours it).
        KdPrint(("Current Process Full Path Name: %ws\n", path));
    } __except (EXCEPTION_EXECUTE_HANDLER) {
        return NULL;                                            // user pages not readable
    }
    return path;
}
Below is the corresponding data for Vista SP2. Two things to take from it: the _EPROCESS layout has shifted (ImageFileName is now at +0x14c and Peb at +0x188, while +0x1b0, the offset the XP code reads, is WriteTransferCount on Vista), so hard-coded XP offsets silently read the wrong field; the user-mode side, _PEB+0x10 for ProcessParameters and ImagePathName at +0x38/+0x3C inside ProcessParameters, is unchanged, as the db dumps show. If you need the path without depending on build-specific offsets, ZwQueryInformationProcess with ProcessImageFileName returns the NT-namespace image path on XP and later, and later kernels also export SeLocateProcessImageName.
0:000> dt_EPROCESS
ntdll!_EPROCESS
+0x000 Pcb : _KPROCESS
+0x080 ProcessLock : _EX_PUSH_LOCK
+0x088 CreateTime : _LARGE_INTEGER
+0x090 ExitTime : _LARGE_INTEGER
+0x098 RundownProtect : _EX_RUNDOWN_REF
+0x09c UniqueProcessId : Ptr32 Void
+0x0a0 ActiveProcessLinks : _LIST_ENTRY
+0x0a8 QuotaUsage : [3] Uint4B
+0x0b4 QuotaPeak : [3] Uint4B
+0x0c0 CommitCharge : Uint4B
+0x0c4 PeakVirtualSize : Uint4B
+0x0c8 VirtualSize : Uint4B
+0x0cc SessionProcessLinks : _LIST_ENTRY
+0x0d4 DebugPort : Ptr32 Void
+0x0d8 ExceptionPortData : Ptr32 Void
+0x0d8 ExceptionPortValue : Uint4B
+0x0d8 ExceptionPortState : Pos 0, 3 Bits
+0x0dc ObjectTable : Ptr32 _HANDLE_TABLE
+0x0e0 Token : _EX_FAST_REF
+0x0e4 WorkingSetPage : Uint4B
+0x0e8 AddressCreationLock : _EX_PUSH_LOCK
+0x0ec RotateInProgress : Ptr32 _ETHREAD
+0x0f0 ForkInProgress : Ptr32 _ETHREAD
+0x0f4 HardwareTrigger : Uint4B
+0x0f8 PhysicalVadRoot : Ptr32 _MM_AVL_TABLE
+0x0fc CloneRoot : Ptr32 Void
+0x100 NumberOfPrivatePages : Uint4B
+0x104 NumberOfLockedPages : Uint4B
+0x108 Win32Process : Ptr32 Void
+0x10c Job : Ptr32 _EJOB
+0x110 SectionObject : Ptr32 Void
+0x114 SectionBaseAddress : Ptr32 Void
+0x118 QuotaBlock : Ptr32 _EPROCESS_QUOTA_BLOCK
+0x11c WorkingSetWatch : Ptr32 _PAGEFAULT_HISTORY
+0x120 Win32WindowStation : Ptr32 Void
+0x124 InheritedFromUniqueProcessId : Ptr32 Void
+0x128 LdtInformation : Ptr32 Void
+0x12c Spare : Ptr32 Void
+0x130 VdmObjects : Ptr32 Void
+0x134 DeviceMap : Ptr32 Void
+0x138 EtwDataSource : Ptr32 Void
+0x13c FreeTebHint : Ptr32 Void
+0x140 PageDirectoryPte : _HARDWARE_PTE_X86
+0x140 Filler : Uint8B
+0x148 Session : Ptr32 Void
+0x14c ImageFileName : [16] UChar
+0x15c JobLinks : _LIST_ENTRY
+0x164 LockedPagesList : Ptr32 Void
+0x168 ThreadListHead : _LIST_ENTRY
+0x170 SecurityPort : Ptr32 Void
+0x174 PaeTop : Ptr32 Void
+0x178 ActiveThreads : Uint4B
+0x17c ImagePathHash : Uint4B
+0x180 DefaultHardErrorProcessing : Uint4B
+0x184 LastThreadExitStatus : Int4B
+0x188 Peb : Ptr32 _PEB
+0x18c PrefetchTrace : _EX_FAST_REF
+0x190 ReadOperationCount : _LARGE_INTEGER
+0x198 WriteOperationCount : _LARGE_INTEGER
+0x1a0 OtherOperationCount : _LARGE_INTEGER
+0x1a8 ReadTransferCount : _LARGE_INTEGER
+0x1b0 WriteTransferCount : _LARGE_INTEGER
+0x1b8 OtherTransferCount : _LARGE_INTEGER
+0x1c0 CommitChargeLimit : Uint4B
+0x1c4 CommitChargePeak : Uint4B
+0x1c8 AweInfo : Ptr32 Void
+0x1cc SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO
+0x1d0 Vm : _MMSUPPORT
+0x218 MmProcessLinks : _LIST_ENTRY
+0x220 ModifiedPageCount : Uint4B
+0x224 Flags2 : Uint4B
+0x224 JobNotReallyActive : Pos 0, 1 Bit
+0x224 AccountingFolded : Pos 1, 1 Bit
+0x224 NewProcessReported : Pos 2, 1 Bit
+0x224 ExitProcessReported : Pos 3, 1 Bit
+0x224 ReportCommitChanges : Pos 4, 1 Bit
+0x224 LastReportMemory : Pos 5, 1 Bit
+0x224 ReportPhysicalPageChanges : Pos 6, 1 Bit
+0x224 HandleTableRundown : Pos 7, 1 Bit
+0x224 NeedsHandleRundown : Pos 8, 1 Bit
+0x224 RefTraceEnabled : Pos 9, 1 Bit
+0x224 NumaAware : Pos 10, 1 Bit
+0x224 ProtectedProcess : Pos 11, 1 Bit
+0x224 DefaultPagePriority : Pos 12, 3 Bits
+0x224 PrimaryTokenFrozen : Pos 15, 1 Bit
+0x224 ProcessVerifierTarget : Pos 16, 1 Bit
+0x224 StackRandomizationDisabled : Pos 17, 1 Bit
+0x224 AffinityPermanent : Pos 18, 1 Bit
+0x224 AffinityUpdateEnable : Pos 19, 1 Bit
+0x224 CrossSessionCreate : Pos 20, 1 Bit
+0x228 Flags : Uint4B
+0x228 CreateReported : Pos 0, 1 Bit
+0x228 NoDebugInherit : Pos 1, 1 Bit
+0x228 ProcessExiting : Pos 2, 1 Bit
+0x228 ProcessDelete : Pos 3, 1 Bit
+0x228 Wow64SplitPages : Pos 4, 1 Bit
+0x228 VmDeleted : Pos 5, 1 Bit
+0x228 OutswapEnabled : Pos 6, 1 Bit
+0x228 Outswapped : Pos 7, 1 Bit
+0x228 ForkFailed : Pos 8, 1 Bit
+0x228 Wow64VaSpace4Gb : Pos 9, 1 Bit
+0x228 AddressSpaceInitialized : Pos 10, 2 Bits
+0x228 SetTimerResolution : Pos 12, 1 Bit
+0x228 BreakOnTermination : Pos 13, 1 Bit
+0x228 DeprioritizeViews : Pos 14, 1 Bit
+0x228 WriteWatch : Pos 15, 1 Bit
+0x228 ProcessInSession : Pos 16, 1 Bit
+0x228 OverrideAddressSpace : Pos 17, 1 Bit
+0x228 HasAddressSpace : Pos 18, 1 Bit
+0x228 LaunchPrefetched : Pos 19, 1 Bit
+0x228 InjectInpageErrors : Pos 20, 1 Bit
+0x228 VmTopDown : Pos 21, 1 Bit
+0x228 ImageNotifyDone : Pos 22, 1 Bit
+0x228 PdeUpdateNeeded : Pos 23, 1 Bit
+0x228 VdmAllowed : Pos 24, 1 Bit
+0x228 SmapAllowed : Pos 25, 1 Bit
+0x228 ProcessInserted : Pos 26, 1 Bit
+0x228 DefaultIoPriority : Pos 27, 3 Bits
+0x228 ProcessSelfDelete : Pos 30, 1 Bit
+0x228 SpareProcessFlags : Pos 31, 1 Bit
+0x22c ExitStatus : Int4B
+0x230 Spare7 : Uint2B
+0x232 SubSystemMinorVersion : UChar
+0x233 SubSystemMajorVersion : UChar
+0x232 SubSystemVersion : Uint2B
+0x234 PriorityClass : UChar
+0x238 VadRoot : _MM_AVL_TABLE
+0x258 Cookie : Uint4B
+0x25c AlpcContext : _ALPC_PROCESS_CONTEXT
0:000> !peb
PEB at 7ffdd000
InheritedAddressSpace: No
ReadImageFileExecOptions: No
BeingDebugged: Yes
ImageBaseAddress: 00880000
Ldr 77724cc0
Ldr.Initialized: Yes
Ldr.InInitializationOrderModuleList: 001f1a50 . 001f3d78
Ldr.InLoadOrderModuleList: 001f19c0 . 001f3d68
Ldr.InMemoryOrderModuleList: 001f19c8 . 001f3d70
Base TimeStamp Module
880000 47918ea2 Jan 19 13:46:10 2008 C:\Windows\notepad.exe
77660000 49e03821 Apr 11 14:26:41 2009 C:\Windows\system32\ntdll.dll
777e0000 49e037dd Apr 11 14:25:33 2009 C:\Windows\system32\kernel32.dll
763d0000 49e03717 Apr 11 14:22:15 2009 C:\Windows\system32\ADVAPI32.dll
773a0000 49f05bcc Apr 23 20:15:08 2009 C:\Windows\system32\RPCRT4.dll
77350000 49e03728 Apr 11 14:22:32 2009 C:\Windows\system32\GDI32.dll
75ee0000 49e0380e Apr 11 14:26:22 2009 C:\Windows\system32\USER32.dll
75e30000 49e0379e Apr 11 14:24:30 2009 C:\Windows\system32\msvcrt.dll
760d0000 49e03809 Apr 11 14:26:17 2009 C:\Windows\system32\COMDLG32.dll
77470000 49e037f1 Apr 11 14:25:53 2009 C:\Windows\system32\SHLWAPI.dll
74ca0000 49e036f3 Apr 11 14:21:39 2009 C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18005_none_5cb72f96088b0de0\COMCTL32.dll
76530000 49e037ec Apr 11 14:25:48 2009 C:\Windows\system32\SHELL32.dll
73de0000 4a81a062 Aug 12 00:46:26 2009 C:\Windows\system32\WINSPOOL.DRV
770c0000 49e037d7 Apr 11 14:25:27 2009 C:\Windows\system32\ole32.dll
764a0000 49e037da Apr 11 14:25:30 2009 C:\Windows\system32\OLEAUT32.dll
SubSystemData: 00000000
ProcessHeap: 001f0000
ProcessParameters: 001f1220
WindowTitle: 'C:\Windows\notepad.exe'
ImageFile: 'C:\Windows\notepad.exe'
CommandLine: 'C:\Windows\notepad.exe'
DllPath: 'C:\Windows;C:\Windows\system32;C:\Windows\system;C:\Windows;.;C:\Program Files\Debugging Tools for Windows (x86)\winext\arcade;D:\SoftWare\Bin;D:\SoftWare\mingw\bin;D:\SoftWare\Vim\vim72;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\'
Environment: 001f0808
ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\釖釖\AppData\Roaming
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=NONE
ComSpec=C:\Windows\system32\cmd.exe
DFSTRACINGON=FALSE
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Users\釖釖
LOCALAPPDATA=C:\Users\釖釖\AppData\Local
LOGONSERVER=\\NONE
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Program Files\Debugging Tools for Windows (x86)\winext\arcade;D:\SoftWare\Bin;D:\SoftWare\mingw\bin;D:\SoftWare\Vim\vim72;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 23 Stepping 10, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=170a
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files
PUBLIC=C:\Users\Public
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\釖釖\AppData\Local\Temp
TMP=C:\Users\釖釖\AppData\Local\Temp
TRACE_FORMAT_SEARCH_PATH=\\winseqfe\release\Windows6.0\lh_sp2rtm\6002.18005.090410-1830\x86fre\symbols.pri\TraceFormat
USERDOMAIN=None
USERNAME=釖釖
USERPROFILE=C:\Users\釖釖
VS90COMNTOOLS=C:\Program Files\Microsoft Visual Studio 9.0\Common7\Tools\
WINDBG_DIR=C:\Program Files\Debugging Tools for Windows (x86)
windir=C:\Windows
0:000> db 0x7ffdd000
7ffdd000 00 00 01 08 ff ff ff ff-00 00 88 00 c0 4c 72 77 .............Lrw
7ffdd010 20 12 1f 00 00 00 00 00-00 00 1f 00 60 44 72 77  ...........`Drw
7ffdd020 00 00 00 00 00 00 00 00-03 00 00 00 00 00 00 00 ................
7ffdd030 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
7ffdd040 f0 42 72 77 01 00 00 00-00 00 00 00 00 00 6f 7f .Brw..........o.
7ffdd050 00 00 00 00 88 05 6f 7f-00 00 fa 7f 00 00 fa 7f ......o.........
7ffdd060 24 00 fd 7f 02 00 00 00-70 00 00 00 00 00 00 00 $.......p.......
7ffdd070 00 80 9b 07 6d e8 ff ff-00 00 10 00 00 20 00 00 ....m........ ..
0:000> db 0x1f1220
001f1220 86 07 00 00 86 07 00 00-01 20 00 00 00 00 00 00 ......... ......
001f1230 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
001f1240 00 00 00 00 66 00 08 02-d4 1a 1f 00 0c 00 00 00 ....f...........
001f1250 3c 02 3e 02 bc 16 1f 00-2c 00 2e 00 fa 18 1f 00 <.>.....,.......
001f1260 2c 00 2e 00 28 19 1f 00-08 08 1f 00 00 00 00 00 ,...(...........
001f1270 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
001f1280 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
001f1290 2c 00 2e 00 56 19 1f 00-1e 00 20 00 84 19 1f 00 ,...V..... .....
0:000> db 0x1f18fa
001f18fa 43 00 3a 00 5c 00 57 00-69 00 6e 00 64 00 6f 00 C.:.\.W.i.n.d.o.
001f190a 77 00 73 00 5c 00 6e 00-6f 00 74 00 65 00 70 00 w.s.\.n.o.t.e.p.
001f191a 61 00 64 00 2e 00 65 00-78 00 65 00 00 00 43 00 a.d...e.x.e...C.
001f192a 3a 00 5c 00 57 00 69 00-6e 00 64 00 6f 00 77 00 :.\.W.i.n.d.o.w.
001f193a 73 00 5c 00 6e 00 6f 00-74 00 65 00 70 00 61 00 s.\.n.o.t.e.p.a.
001f194a 64 00 2e 00 65 00 78 00-65 00 00 00 43 00 3a 00 d...e.x.e...C.:.
001f195a 5c 00 57 00 69 00 6e 00-64 00 6f 00 77 00 73 00 \.W.i.n.d.o.w.s.
001f196a 5c 00 6e 00 6f 00 74 00-65 00 70 00 61 00 64 00 \.n.o.t.e.p.a.d.
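As an added example (not code from the original post), the following C program replays the walk worked out above, _PEB+0x10 to ProcessParameters, +0x38 to the ImagePathName UNICODE_STRING and its Buffer pointer at +0x3C, over the bytes of the db dumps on this page, for both the XP SP2 rows and the Vista SP2 rows, so it compiles and runs on any host without a kernel or a driver. The memory-image helper, the function names and the UTF-16-to-ASCII down-conversion are the example's own assumptions; the byte rows are copied verbatim from the post's WinDbg output. Unlike the driver code, it bounds the string by UNICODE_STRING.Length instead of trusting a NUL terminator, and treats a read outside the captured rows as the failure that a page fault on an unmapped user address would be in the kernel.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* One captured run of target virtual memory (one or more `db` rows). */
typedef struct { uint32_t addr; const uint8_t *bytes; size_t len; } MemSeg;
typedef struct { const MemSeg *segs; size_t count; } MemImage;

/* Offsets taken from the listings on this page (x86; identical on XP SP2 and Vista SP2). */
#define PEB_PROCESS_PARAMETERS 0x10  /* _PEB.ProcessParameters */
#define UPP_IMAGE_PATH_NAME    0x38  /* _RTL_USER_PROCESS_PARAMETERS.ImagePathName: UNICODE_STRING */

/* Copy n bytes at addr out of the image; returns 0 if any byte was not captured,
   the analogue of a page fault when the kernel touches an unmapped user address. */
static int read_mem(const MemImage *img, uint32_t addr, void *out, size_t n) {
    for (size_t i = 0; i < img->count; i++) {
        const MemSeg *s = &img->segs[i];
        if (addr >= s->addr && addr + n <= s->addr + s->len) {
            memcpy(out, s->bytes + (addr - s->addr), n);
            return 1;
        }
    }
    return 0;
}
/* Little-endian readers, matching how db lays the bytes out. */
static int read_u16(const MemImage *img, uint32_t addr, uint16_t *v) {
    uint8_t b[2]; if (!read_mem(img, addr, b, 2)) return 0;
    *v = (uint16_t)(b[0] | (b[1] << 8)); return 1;
}
static int read_u32(const MemImage *img, uint32_t addr, uint32_t *v) {
    uint8_t b[4]; if (!read_mem(img, addr, b, 4)) return 0;
    *v = (uint32_t)b[0] | (uint32_t)b[1] << 8 | (uint32_t)b[2] << 16 | (uint32_t)b[3] << 24; return 1;
}

/* PEB -> ProcessParameters -> ImagePathName, bounded by UNICODE_STRING.Length rather than
   by a NUL (the Buffer is not guaranteed to be terminated). Returns the number of characters
   written, or -1 on a null pointer, an unmapped read or a malformed UNICODE_STRING. */
int peb_image_path(const MemImage *img, uint32_t peb, char *out, size_t outsz) {
    uint32_t pp, buf; uint16_t len, maxlen;
    if (!read_u32(img, peb + PEB_PROCESS_PARAMETERS, &pp) || pp == 0) return -1;
    if (!read_u16(img, pp + UPP_IMAGE_PATH_NAME, &len) ||          /* Length        (+0x38) */
        !read_u16(img, pp + UPP_IMAGE_PATH_NAME + 2, &maxlen) ||   /* MaximumLength (+0x3A) */
        !read_u32(img, pp + UPP_IMAGE_PATH_NAME + 4, &buf)) return -1; /* Buffer     (+0x3C) */
    if (buf == 0 || (len & 1) || len > maxlen) return -1;
    size_t nchars = len / 2;
    if (nchars + 1 > outsz) return -1;
    for (size_t i = 0; i < nchars; i++) {
        uint16_t wc;
        if (!read_u16(img, buf + 2 * i, &wc)) return -1;
        out[i] = wc < 0x80 ? (char)wc : '?';   /* UTF-16LE -> ASCII; lossy for non-ASCII paths */
    }
    out[nchars] = '\0';
    return (int)nchars;
}

/* Rows copied from the XP SP2 dumps: _PEB+0x10, ProcessParameters+0x30, ImagePathName.Buffer. */
static const uint8_t xp_peb10[] = {0x00,0x00,0x02,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x0a,0x00, 0xc0,0xe4,0x99,0x7c};
static const uint8_t xp_pp30[]  = {0x6c,0x01,0x6e,0x01, 0x98,0x04,0x02,0x00, 0x2c,0x00,0x2e,0x00, 0x08,0x06,0x02,0x00};
static const uint8_t xp_path[]  = {0x43,0,0x3a,0,0x5c,0,0x57,0,0x49,0,0x4e,0,0x44,0,0x4f,0,
                                   0x57,0,0x53,0,0x5c,0,0x4e,0,0x4f,0,0x54,0,0x45,0,0x50,0,
                                   0x41,0,0x44,0,0x2e,0,0x45,0,0x58,0,0x45,0,0,0,0,0};
static const MemSeg xp_segs[] = {{0x7ffd8010, xp_peb10, 16}, {0x00020030, xp_pp30, 16}, {0x00020608, xp_path, 48}};
const MemImage xp_image = {xp_segs, 3};

/* The same rows from the Vista SP2 dumps (PEB at 0x7ffdd000, ProcessParameters at 0x1f1220). */
static const uint8_t vi_peb10[] = {0x20,0x12,0x1f,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x1f,0x00, 0x60,0x44,0x72,0x77};
static const uint8_t vi_pp30[]  = {0x3c,0x02,0x3e,0x02, 0xbc,0x16,0x1f,0x00, 0x2c,0x00,0x2e,0x00, 0xfa,0x18,0x1f,0x00};
static const uint8_t vi_path[]  = {0x43,0,0x3a,0,0x5c,0,0x57,0,0x69,0,0x6e,0,0x64,0,0x6f,0,
                                   0x77,0,0x73,0,0x5c,0,0x6e,0,0x6f,0,0x74,0,0x65,0,0x70,0,
                                   0x61,0,0x64,0,0x2e,0,0x65,0,0x78,0,0x65,0,0,0,0x43,0};
static const MemSeg vi_segs[] = {{0x7ffdd010, vi_peb10, 16}, {0x001f1250, vi_pp30, 16}, {0x001f18fa, vi_path, 48}};
const MemImage vista_image = {vi_segs, 3};

int main(void) {
    char path[64];
    int n = peb_image_path(&xp_image, 0x7ffd8000, path, sizeof path);
    printf("XP   : %d %s\n", n, n < 0 ? "(failed)" : path);
    n = peb_image_path(&vista_image, 0x7ffdd000, path, sizeof path);
    printf("Vista: %d %s\n", n, n < 0 ? "(failed)" : path);
    return 0;
}
```

The two images differ only in where the user-mode structures happen to sit, not in their layout, which is why a single walk serves both; the part that does change between builds, the _EPROCESS offset of Peb (0x1b0 on XP SP2, 0x188 on Vista SP2), is exactly the input this function takes as a parameter rather than hard-coding.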
内核中获取当前进程完整路径 (Getting the full path of the current process in the kernel) « 釖釖De窝