WinDbg notes: !process

This post walks through examining the ZhuDongFangYu.exe process (360's active-defense component; 360sd.exe, 360rp.exe and 360rps.exe from the same product are also in the list) in the kernel debugger (kd): the process header, memory usage, the state of each thread, and the privileges held by its token. Together these show what the process is doing and what it is allowed to do on the system.



!process 0 0 lists every process (first argument 0 = all processes, second argument 0 = print only the process header):

kd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS 823b97c0  SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 00355000  ObjectTable: e1001c48  HandleCount: 274.
    Image: System

PROCESS 81dc0458  SessionId: none  Cid: 0244    Peb: 7ffd3000  ParentCid: 0004
    DirBase: 0cc00020  ObjectTable: e14129d8  HandleCount:  19.
    Image: smss.exe

PROCESS 82169128  SessionId: 0  Cid: 0290    Peb: 7ffd4000  ParentCid: 0244
    DirBase: 0cc00040  ObjectTable: e101e270  HandleCount: 464.
    Image: csrss.exe

PROCESS 81dcdda0  SessionId: 0  Cid: 02a8    Peb: 7ffd4000  ParentCid: 0244
    DirBase: 0cc00060  ObjectTable: e161f820  HandleCount: 461.
    Image: winlogon.exe

PROCESS 81fcf2c0  SessionId: 0  Cid: 02d4    Peb: 7ffdd000  ParentCid: 02a8
    DirBase: 0cc00080  ObjectTable: e1af8a00  HandleCount: 269.
    Image: services.exe

PROCESS 81dd3020  SessionId: 0  Cid: 02e0    Peb: 7ffda000  ParentCid: 02a8
    DirBase: 0cc000a0  ObjectTable: e1688bc8  HandleCount: 339.
    Image: lsass.exe

PROCESS 8214eda0  SessionId: 0  Cid: 0384    Peb: 7ffdd000  ParentCid: 02d4
    DirBase: 0cc000c0  ObjectTable: e1be3e40  HandleCount:  25.
    Image: vmacthlp.exe

PROCESS 822b4020  SessionId: 0  Cid: 0394    Peb: 7ffd8000  ParentCid: 02d4
    DirBase: 0cc000e0  ObjectTable: e1ad9288  HandleCount: 218.
    Image: svchost.exe

PROCESS 82154020  SessionId: 0  Cid: 03e4    Peb: 7ffd4000  ParentCid: 02d4
    DirBase: 0cc00100  ObjectTable: e1bec600  HandleCount: 247.
    Image: svchost.exe

PROCESS 81fe1020  SessionId: 0  Cid: 0444    Peb: 7ffdd000  ParentCid: 02d4
    DirBase: 0cc00120  ObjectTable: e1b9bc40  HandleCount: 1138.
    Image: svchost.exe

PROCESS 82020910  SessionId: 0  Cid: 0468    Peb: 7ffd6000  ParentCid: 02d4
    DirBase: 0cc00140  ObjectTable: e1c2bea8  HandleCount:  51.
    Image: 360rps.exe

PROCESS 81e292a0  SessionId: 0  Cid: 04a4    Peb: 7ffd6000  ParentCid: 02d4
    DirBase: 0cc00160  ObjectTable: e1852cc0  HandleCount:  77.
    Image: svchost.exe

PROCESS 821d3da0  SessionId: 0  Cid: 054c    Peb: 7ffd8000  ParentCid: 02d4
    DirBase: 0cc001a0  ObjectTable: e1bfe4d8  HandleCount: 194.
    Image: svchost.exe

PROCESS 82155438  SessionId: 0  Cid: 0564    Peb: 7ffde000  ParentCid: 02d4
    DirBase: 0cc001c0  ObjectTable: e1fbbbb0  HandleCount: 124.
    Image: ZhuDongFangYu.exe

PROCESS 821cf8e8  SessionId: 0  Cid: 061c    Peb: 7ffd6000  ParentCid: 02d4
    DirBase: 0cc001e0  ObjectTable: e1d6d7c0  HandleCount: 129.
    Image: spoolsv.exe

PROCESS 81ff03c8  SessionId: 0  Cid: 0740    Peb: 7ffda000  ParentCid: 02d4
    DirBase: 0cc00200  ObjectTable: e1ffa9c0  HandleCount: 288.
    Image: vmtoolsd.exe

PROCESS 822b9ac0  SessionId: 0  Cid: 0168    Peb: 7ffd4000  ParentCid: 02d4
    DirBase: 0cc00260  ObjectTable: e211da28  HandleCount: 104.
    Image: alg.exe

PROCESS 81ea9da0  SessionId: 0  Cid: 01ec    Peb: 7ffde000  ParentCid: 02d4
    DirBase: 0cc002a0  ObjectTable: e16a3ef8  HandleCount:  99.
    Image: TPAutoConnSvc.exe

PROCESS 81ccb020  SessionId: 0  Cid: 0660    Peb: 7ffde000  ParentCid: 043c
    DirBase: 0cc00280  ObjectTable: e2077560  HandleCount: 407.
    Image: explorer.exe

PROCESS 81dec7e8  SessionId: 0  Cid: 069c    Peb: 7ffda000  ParentCid: 01ec
    DirBase: 0cc002e0  ObjectTable: e1c94a40  HandleCount:  67.
    Image: TPAutoConnect.exe

PROCESS 81c02da0  SessionId: 0  Cid: 02d8    Peb: 7ffda000  ParentCid: 0660
    DirBase: 0cc00300  ObjectTable: e1d679a0  HandleCount: 219.
    Image: vmtoolsd.exe

PROCESS 81c09020  SessionId: 0  Cid: 010c    Peb: 7ffd7000  ParentCid: 0660
    DirBase: 0cc002c0  ObjectTable: e1d577c0  HandleCount:  69.
    Image: ctfmon.exe

PROCESS 82328b08  SessionId: 0  Cid: 011c    Peb: 7ffdf000  ParentCid: 0660
    DirBase: 0cc00340  ObjectTable: e20704e8  HandleCount: 106.
    Image: 360sd.exe

PROCESS 81c07da0  SessionId: 0  Cid: 01dc    Peb: 7ffda000  ParentCid: 011c
    DirBase: 0cc00320  ObjectTable: e1d6a008  HandleCount: 261.
    Image: 360rp.exe

PROCESS 81ed6168  SessionId: 0  Cid: 035c    Peb: 7ffde000  ParentCid: 02d4
    DirBase: 0cc00360  ObjectTable: e1fdca38  HandleCount: 120.
    Image: imapi.exe

PROCESS 822cf4f8  SessionId: 0  Cid: 0854    Peb: 7ffdc000  ParentCid: 0444
    DirBase: 0cc00220  ObjectTable: e1451170  HandleCount: 173.
    Image: wuauclt.exe

PROCESS 820113b8  SessionId: 0  Cid: 0934    Peb: 7ffde000  ParentCid: 0444
    DirBase: 0cc00180  ObjectTable: e1b532c8  HandleCount: 140.
    Image: wuauclt.exe

PROCESS 8200e3c0  SessionId: 0  Cid: 0a54    Peb: 7ffda000  ParentCid: 0660
    DirBase: 0cc00380  ObjectTable: e1c91ad8  HandleCount:  48.
    Image: regedit.exe
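The flat listing is more useful as a tree: Cid is the PID and ParentCid the PID of the creator, so the parent/child chain of every process can be rebuilt from these lines alone. The Python below, added here as an example and not part of the original post, parses !process 0 0 output, builds that tree, reports the ancestry of a given process, and lists processes whose parent is no longer in the dump. Its embedded sample is an excerpt of the listing above (nine of the processes, format unchanged); everything else in the block is the example's own.

```python
import re
from collections import defaultdict

# Excerpt of the `!process 0 0` listing above, used as sample input
# (most processes were dropped to keep the example short; format unchanged).
SAMPLE = """\
**** NT ACTIVE PROCESS DUMP ****
PROCESS 823b97c0  SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 00355000  ObjectTable: e1001c48  HandleCount: 274.
    Image: System
PROCESS 81dc0458  SessionId: none  Cid: 0244    Peb: 7ffd3000  ParentCid: 0004
    DirBase: 0cc00020  ObjectTable: e14129d8  HandleCount:  19.
    Image: smss.exe
PROCESS 81dcdda0  SessionId: 0  Cid: 02a8    Peb: 7ffd4000  ParentCid: 0244
    DirBase: 0cc00060  ObjectTable: e161f820  HandleCount: 461.
    Image: winlogon.exe
PROCESS 81fcf2c0  SessionId: 0  Cid: 02d4    Peb: 7ffdd000  ParentCid: 02a8
    DirBase: 0cc00080  ObjectTable: e1af8a00  HandleCount: 269.
    Image: services.exe
PROCESS 82155438  SessionId: 0  Cid: 0564    Peb: 7ffde000  ParentCid: 02d4
    DirBase: 0cc001c0  ObjectTable: e1fbbbb0  HandleCount: 124.
    Image: ZhuDongFangYu.exe
PROCESS 81ccb020  SessionId: 0  Cid: 0660    Peb: 7ffde000  ParentCid: 043c
    DirBase: 0cc00280  ObjectTable: e2077560  HandleCount: 407.
    Image: explorer.exe
PROCESS 82328b08  SessionId: 0  Cid: 011c    Peb: 7ffdf000  ParentCid: 0660
    DirBase: 0cc00340  ObjectTable: e20704e8  HandleCount: 106.
    Image: 360sd.exe
PROCESS 81c07da0  SessionId: 0  Cid: 01dc    Peb: 7ffda000  ParentCid: 011c
    DirBase: 0cc00320  ObjectTable: e1d6a008  HandleCount: 261.
    Image: 360rp.exe
PROCESS 8200e3c0  SessionId: 0  Cid: 0a54    Peb: 7ffda000  ParentCid: 0660
    DirBase: 0cc00380  ObjectTable: e1c91ad8  HandleCount:  48.
    Image: regedit.exe
"""

PROC_RE = re.compile(r"^PROCESS (?P<eprocess>[0-9a-f]+)\s+SessionId: (?P<session>\S+)"
                     r"\s+Cid: (?P<pid>[0-9a-f]+)\s+Peb: [0-9a-f]+\s+ParentCid: (?P<ppid>[0-9a-f]+)")
HANDLES_RE = re.compile(r"HandleCount:\s*(\d+)\.")
IMAGE_RE = re.compile(r"^\s+Image: (\S+)")

def parse_process_list(text):
    """Turn `!process 0 0` output into a list of dicts (kd prints every number in hex)."""
    procs, cur = [], None
    for line in text.splitlines():
        if (m := PROC_RE.match(line)):
            cur = {"eprocess": int(m["eprocess"], 16), "session": m["session"],
                   "pid": int(m["pid"], 16), "ppid": int(m["ppid"], 16),
                   "handles": None, "image": None}
            procs.append(cur)
        elif cur is not None and (m := HANDLES_RE.search(line)):
            cur["handles"] = int(m.group(1))
        elif cur is not None and (m := IMAGE_RE.match(line)):
            cur["image"] = m.group(1)
    return procs

def build_tree(procs):
    """pid -> record, ppid -> children, plus processes whose parent is not in the dump."""
    by_pid = {p["pid"]: p for p in procs}
    children, orphans = defaultdict(list), []
    for p in procs:
        if p["ppid"] in by_pid:
            children[p["ppid"]].append(p)
        elif p["ppid"] != 0:                 # ParentCid 0000 is System's own root marker
            orphans.append(p)                # parent exited (or its PID was reused)
    return by_pid, children, orphans

def lineage(by_pid, pid):
    """Image names from pid up to the last ancestor still present in the dump."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid]["image"])
        pid = by_pid[pid]["ppid"]
    return chain

def render_tree(by_pid, children):
    lines = []
    def walk(p, depth):
        lines.append(f"{'  ' * depth}{p['image']} pid={p['pid']:#x} ppid={p['ppid']:#x} handles={p['handles']}")
        for c in sorted(children[p["pid"]], key=lambda c: c["pid"]):
            walk(c, depth + 1)
    for root in (p for p in by_pid.values() if p["ppid"] not in by_pid):
        walk(root, 0)
    return lines

if __name__ == "__main__":
    procs = parse_process_list(SAMPLE)
    by_pid, children, orphans = build_tree(procs)
    print("\n".join(render_tree(by_pid, children)))
    for p in orphans:
        print(f"orphan: {p['image']} (ParentCid {p['ppid']:#x} is not in the dump)")
    print(" <- ".join(lineage(by_pid, 0x1dc)))
```

On the sample, ZhuDongFangYu.exe chains back through services.exe, winlogon.exe and smss.exe to System, which is what a service should look like, while explorer.exe comes out as an orphan because its ParentCid 043c (typically userinit.exe, which exits after starting the shell) has no entry. Keep in mind that ParentCid is only the PID recorded at creation time: if that PID has since been reused, the tree will attach the child to the wrong parent, so confirm surprising relationships with the process creation time before drawing conclusions.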

!process <Process> prints everything known about one process, including every thread with its wait reason, start address and kernel stack; !process <Process> 0 prints only the header lines shown in the listing above (the second argument is a flag bitmask, 0 being the minimum).

<Process> can be an EPROCESS address (the value after PROCESS in the listing) or a process ID (the Cid). Both are read as hex under the debugger's default radix, so the PID 0564 below is decimal 1380; write 0n1380 to pass a decimal PID.

kd> !process 82155438
PROCESS 82155438  SessionId: 0  Cid: 0564    Peb: 7ffde000  ParentCid: 02d4
    DirBase: 0cc001c0  ObjectTable: e1fbbbb0  HandleCount: 124.
    Image: ZhuDongFangYu.exe
    VadRoot 8200f1d8 Vads 123 Clone 0 Private 1390. Modified 3. Locked 0.
    DeviceMap e1004440
    Token                             e1c8d9d8
    ElapsedTime                       00:02:39.519
    UserTime                          00:00:00.125
    KernelTime                        00:00:00.187
    QuotaPoolUsage[PagedPool]         76204
    QuotaPoolUsage[NonPagedPool]      5240
    Working Set Sizes (now,min,max)  (2345, 50, 345) (9380KB, 200KB, 1380KB)
    PeakWorkingSetSize                2365
    VirtualSize                       53 Mb
    PeakVirtualSize                   53 Mb
    PageFaultCount                    3925
    MemoryPriority                    BACKGROUND
    BasePriority                      8
    CommitCharge                      1572

        THREAD 81fe33c8  Cid 0564.056c  Teb: 7ffdd000 Win32Thread: e1c6fdb0 WAIT: (Executive) UserMode Non-Alertable
            81eead14  NotificationEvent
        IRP List:
            822b83a0: (0006,0094) Flags: 00000900  Mdl: 00000000
        Not impersonating
        DeviceMap                 e1004440
        Owning Process            0       Image:         <Unknown>
        Attached Process          82155438       Image:         ZhuDongFangYu.exe
        Wait Start TickCount      4016           Ticks: 7693 (0:00:02:00.203)
        Context Switch Count      146                 LargeStack
        UserTime                  00:00:00.000
        KernelTime                00:00:00.078
        Win32 Start Address nt_400000!FsRtlRemoveAndCompleteWaitIrp (0x004143da)
        Start Address 0x7c8106f5
        Stack Init f808b000 Current f808ac1c Base f808b000 Limit f8087000 Call 0
        Priority 9 BasePriority 8 PriorityDecrement 0 DecrementCount 0
        Kernel stack not resident.
        ChildEBP RetAddr  
        f808ac34 80501cd6 nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])
        f808ac40 804fad62 nt!KiSwapThread+0x46 (FPO: [0,0,0])
        f808ac68 80575dd6 nt!KeWaitForSingleObject+0x1c2 (FPO: [5,5,4])
        f808ac90 80572d2a nt!IopSynchronousServiceTail+0xe8 (FPO: [7,0,4])
        f808ad38 8053e638 nt!NtReadFile+0x580 (FPO: [Non-Fpo])
        f808ad38 7c92e4f4 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ f808ad64)
        0012fbc8 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])

        THREAD 81e2bda8  Cid 0564.05c0  Teb: 7ffdc000 Win32Thread: e2086eb0 WAIT: (DelayExecution) UserMode Non-Alertable
            81e2be98  NotificationTimer
        Not impersonating
        DeviceMap                 e1004440
        Owning Process            0       Image:         <Unknown>
        Attached Process          82155438       Image:         ZhuDongFangYu.exe
        Wait Start TickCount      11705          Ticks: 4 (0:00:00:00.062)
        Context Switch Count      1460                 LargeStack
        UserTime                  00:00:00.015
        KernelTime                00:00:00.015
        Win32 Start Address 0x77dc3519
        Start Address 0x7c8106e9
        Stack Init b2863000 Current b2862cbc Base b2863000 Limit b285f000 Call 0
        Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 16
        ChildEBP RetAddr  
        b2862cd4 80501cd6 nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])
        b2862ce0 804fa79f nt!KiSwapThread+0x46 (FPO: [0,0,0])
        b2862d0c 8060db19 nt!KeDelayExecutionThread+0x1c9 (FPO: [3,6,4])
        b2862d54 8053e638 nt!NtDelayExecution+0x87 (FPO: [Non-Fpo])
        b2862d54 7c92e4f4 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ b2862d64)
        00a2ff20 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])

        THREAD 81fef438  Cid 0564.05c8  Teb: 7ffda000 Win32Thread: 00000000 WAIT: (UserRequest) UserMode Non-Alertable
            8221db78  NotificationEvent
        Not impersonating
        DeviceMap                 e1004440
        Owning Process            0       Image:         <Unknown>
        Attached Process          82155438       Image:         ZhuDongFangYu.exe
        Wait Start TickCount      1834           Ticks: 9875 (0:00:02:34.296)
        Context Switch Count      4             
        UserTime                  00:00:00.000
        KernelTime                00:00:00.000
        Win32 Start Address nt_400000!CcExtendVacbArray (0x00410148)
        Start Address 0x7c8106e9
        Stack Init b28f7000 Current b28f6ca0 Base b28f7000 Limit b28f4000 Call 0
        Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 16
        Kernel stack not resident.
        ChildEBP RetAddr  
        b28f6cb8 80501cd6 nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])
        b28f6cc4 804fad62 nt!KiSwapThread+0x46 (FPO: [0,0,0])
        b28f6cec 805b7126 nt!KeWaitForSingleObject+0x1c2 (FPO: [5,5,4])
        b28f6d50 8053e638 nt!NtWaitForSingleObject+0x9a (FPO: [Non-Fpo])
        b28f6d50 7c92e4f4 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ b28f6d64)
        00c2ff4c 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])

        THREAD 81e0eda8  Cid 0564.05cc  Teb: 7ffd9000 Win32Thread: 00000000 WAIT: (WrLpcReply) UserMode Non-Alertable
            81e0ef9c  Semaphore Limit 0x1
        Waiting for reply to LPC MessageId 00007271:
        Current LPC port e1c77bc0
        Not impersonating
        DeviceMap                 e1004440
        Owning Process            0       Image:         <Unknown>
        Attached Process          82155438       Image:         ZhuDongFangYu.exe
        Wait Start TickCount      4016           Ticks: 7693 (0:00:02:00.203)
        Context Switch Count      533             
        UserTime                  00:00:00.000
        KernelTime                00:00:00.000
        Win32 Start Address nt_400000!FsRtlAddLargeMcbEntry (0x00411b61)
        Start Address 0x7c8106e9
        Stack Init b296f000 Current b296eb94 Base b296f000 Limit b296c000 Call 0
        Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 16
        Kernel stack not resident.
        ChildEBP RetAddr  
        b296ebac 80501cd6 nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])
        b296ebb8 804fad62 nt!KiSwapThread+0x46 (FPO: [0,0,0])
        b296ebe0 805996cb nt!KeWaitForSingleObject+0x1c2 (FPO: [5,5,4])
        b296ec94 f854bc80 nt!NtRequestWaitReplyPort+0x63d (FPO: [Non-Fpo])
WARNING: Stack unwind information not available. Following frames may be wrong.
        b296ed50 8053e638 Hookport+0x2c80
        b296ed50 7c92e4f4 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ b296ed64)
        00d2fb20 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])

        THREAD 81dd2da8  Cid 0564.05d0  Teb: 7ffd8000 Win32Thread: 00000000 WAIT: (WrLpcReceive) UserMode Non-Alertable
            81dfd188  Semaphore Limit 0x7fffffff
            81dd2e98  NotificationTimer
        Not impersonating
        DeviceMap                 e1004440
        Owning Process            0       Image:         <Unknown>
        Attached Process          82155438       Image:         ZhuDongFangYu.exe
        Wait Start TickCount      7594           Ticks: 4115 (0:00:01:04.296)
        Context Switch Count      10             
        UserTime                  00:00:00.000
        KernelTime                00:00:00.000
        Win32 Start Address 0x77e56c7d
        Start Address 0x7c8106e9
        Stack Init b289b000 Current b289ac4c Base b289b000 Limit b2898000 Call 0
        Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 16
        ChildEBP RetAddr  
        b289ac64 80501cd6 nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])
        b289ac70 804fad62 nt!KiSwapThread+0x46 (FPO: [0,0,0])
        b289ac98 8059c5b0 nt!KeWaitForSingleObject+0x1c2 (FPO: [5,5,4])
        b289ad48 8053e638 nt!NtReplyWaitReceivePortEx+0x3dc (FPO: [Non-Fpo])
        b289ad48 7c92e4f4 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ b289ad64)
        00e2ff80 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])

        THREAD 822f3da8  Cid 0564.05d4  Teb: 7ffd7000 Win32Thread: e20be2d0 WAIT: (WrUserRequest) UserMode Non-Alertable
            821a8300  SynchronizationEvent
        Not impersonating
        DeviceMap                 e1004440
        Owning Process            0       Image:         <Unknown>
        Attached Process          82155438       Image:         ZhuDongFangYu.exe
        Wait Start TickCount      4017           Ticks: 7692 (0:00:02:00.187)
        Context Switch Count      101                 LargeStack
        UserTime                  00:00:00.015
        KernelTime                00:00:00.046
        Win32 Start Address nt_400000!CcWorkerThread (0x0040f258)
        Start Address 0x7c8106e9
        Stack Init b2843000 Current b2842c20 Base b2843000 Limit b283f000 Call 0
        Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 16
        Kernel stack not resident.
        ChildEBP RetAddr  
        b2842c38 80501cd6 nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])
        b2842c44 804fad62 nt!KiSwapThread+0x46 (FPO: [0,0,0])
        b2842c6c bf802f52 nt!KeWaitForSingleObject+0x1c2 (FPO: [5,5,4])
        b2842ca8 bf801b2a win32k!xxxSleepThread+0x192 (FPO: [3,5,4])
        b2842cec bf819e6c win32k!xxxRealInternalGetMessage+0x418 (FPO: [6,9,4])
        b2842d4c 8053e638 win32k!NtUserGetMessage+0x27 (FPO: [Non-Fpo])
        b2842d4c 7c92e4f4 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ b2842d64)
        012afd30 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])

        THREAD 82143460  Cid 0564.0624  Teb: 7ffd6000 Win32Thread: 00000000 WAIT: (UserRequest) UserMode Non-Alertable
            8201d0d0  SynchronizationEvent
            81e37190  SynchronizationEvent
        Not impersonating
        DeviceMap                 e1004440
        Owning Process            0       Image:         <Unknown>
        Attached Process          82155438       Image:         ZhuDongFangYu.exe
        Wait Start TickCount      1852           Ticks: 9857 (0:00:02:34.015)
        Context Switch Count      1             
        UserTime                  00:00:00.000
        KernelTime                00:00:00.000
        Win32 Start Address 0x019221a0
        Start Address 0x7c8106e9
        Stack Init b28cf000 Current b28ce95c Base b28cf000 Limit b28cc000 Call 0
        Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
        Kernel stack not resident.
        ChildEBP RetAddr  
        b28ce974 80501cd6 nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])
        b28ce980 804faae2 nt!KiSwapThread+0x46 (FPO: [0,0,0])
        b28ce9b8 805b7418 nt!KeWaitForMultipleObjects+0x284 (FPO: [8,9,4])
        b28ced48 8053e638 nt!NtWaitForMultipleObjects+0x2a2 (FPO: [Non-Fpo])
        b28ced48 7c92e4f4 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ b28ced64)
        01aafc48 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])

        THREAD 81dbcda8  Cid 0564.0628  Teb: 7ffd5000 Win32Thread: 00000000 WAIT: (UserRequest) UserMode Non-Alertable
            822db088  NotificationEvent
            822db058  NotificationEvent
            8201d0a0  SynchronizationEvent
        Not impersonating
        DeviceMap                 e1004440
        Owning Process            0       Image:         <Unknown>
        Attached Process          82155438       Image:         ZhuDongFangYu.exe
        Wait Start TickCount      1852           Ticks: 9857 (0:00:02:34.015)
        Context Switch Count      3             
        UserTime                  00:00:00.000
        KernelTime                00:00:00.000
        Win32 Start Address 0x00ff4fa0
        Start Address 0x7c8106e9
        Stack Init b28bf000 Current b28be95c Base b28bf000 Limit b28bc000 Call 0
        Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 16
        Kernel stack not resident.
        ChildEBP RetAddr  
        b28be974 80501cd6 nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])
        b28be980 804faae2 nt!KiSwapThread+0x46 (FPO: [0,0,0])
        b28be9b8 805b7418 nt!KeWaitForMultipleObjects+0x284 (FPO: [8,9,4])
        b28bed48 8053e638 nt!NtWaitForMultipleObjects+0x2a2 (FPO: [Non-Fpo])
        b28bed48 7c92e4f4 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ b28bed64)
        01baff2c 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])

        THREAD 81dbcb30  Cid 0564.062c  Teb: 7ffd4000 Win32Thread: 00000000 WAIT: (UserRequest) UserMode Alertable
            81e2ebe8  SynchronizationEvent
            82181020  NotificationTimer
        Not impersonating
        DeviceMap                 e1004440
        Owning Process            0       Image:         <Unknown>
        Attached Process          82155438       Image:         ZhuDongFangYu.exe
        Wait Start TickCount      11708          Ticks: 1 (0:00:00:00.015)
        Context Switch Count      79             
        UserTime                  00:00:00.000
        KernelTime                00:00:00.000
        Win32 Start Address 0x76b2aeaf
        Start Address 0x7c8106e9
        Stack Init b28b7000 Current b28b695c Base b28b7000 Limit b28b4000 Call 0
        Priority 15 BasePriority 15 PriorityDecrement 0 DecrementCount 0
        ChildEBP RetAddr  
        b28b6974 80501cd6 nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])
        b28b6980 804faae2 nt!KiSwapThread+0x46 (FPO: [0,0,0])
        b28b69b8 805b7418 nt!KeWaitForMultipleObjects+0x284 (FPO: [8,9,4])
        b28b6d48 8053e638 nt!NtWaitForMultipleObjects+0x2a2 (FPO: [Non-Fpo])
        b28b6d48 7c92e4f4 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ b28b6d64)
        01caffb4 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])

        THREAD 82181b60  Cid 0564.0630  Teb: 7ffd3000 Win32Thread: 00000000 WAIT: (UserRequest) UserMode Non-Alertable
            81dbcb00  NotificationEvent
            822db020  NotificationEvent
        IRP List:
            822b88a8: (0006,0094) Flags: 00000000  Mdl: 00000000
        Not impersonating
        DeviceMap                 e1004440
        Owning Process            0       Image:         <Unknown>
        Attached Process          82155438       Image:         ZhuDongFangYu.exe
        Wait Start TickCount      1963           Ticks: 9746 (0:00:02:32.281)
        Context Switch Count      5             
        UserTime                  00:00:00.000
        KernelTime                00:00:00.000
        Win32 Start Address 0x00f74f10
        Start Address 0x7c8106e9
        Stack Init b27d3000 Current b27d295c Base b27d3000 Limit b27d0000 Call 0
        Priority 9 BasePriority 8 PriorityDecrement 1 DecrementCount 16
        Kernel stack not resident.
        ChildEBP RetAddr  
        b27d2974 80501cd6 nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])
        b27d2980 804faae2 nt!KiSwapThread+0x46 (FPO: [0,0,0])
        b27d29b8 805b7418 nt!KeWaitForMultipleObjects+0x284 (FPO: [8,9,4])
        b27d2d48 8053e638 nt!NtWaitForMultipleObjects+0x2a2 (FPO: [Non-Fpo])
        b27d2d48 7c92e4f4 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ b27d2d64)
        01daff0c 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])

        THREAD 81e0d7f0  Cid 0564.0654  Teb: 7ff9f000 Win32Thread: 00000000 WAIT: (UserRequest) UserMode Non-Alertable
            822ee288  NotificationEvent
            81e0d8e0  NotificationTimer
        IRP List:
            81ed6710: (0006,0094) Flags: 00000000  Mdl: 00000000
        Not impersonating
        DeviceMap                 e1004440
        Owning Process            0       Image:         <Unknown>
        Attached Process          82155438       Image:         ZhuDongFangYu.exe
        Wait Start TickCount      11703          Ticks: 6 (0:00:00:00.093)
        Context Switch Count      323             
        UserTime                  00:00:00.000
        KernelTime                00:00:00.000
        Win32 Start Address 0x01f3ca3e
        Start Address 0x7c8106e9
        Stack Init f7fb0000 Current f7fafca0 Base f7fb0000 Limit f7fad000 Call 0
        Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
        ChildEBP RetAddr  
        f7fafcb8 80501cd6 nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])
        f7fafcc4 804fad62 nt!KiSwapThread+0x46 (FPO: [0,0,0])
        f7fafcec 805b7126 nt!KeWaitForSingleObject+0x1c2 (FPO: [5,5,4])
        f7fafd50 8053e638 nt!NtWaitForSingleObject+0x9a (FPO: [Non-Fpo])
        f7fafd50 7c92e4f4 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ f7fafd64)
        0209ff68 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])

        THREAD 822ee2b8  Cid 0564.0658  Teb: 7ff9e000 Win32Thread: 00000000 WAIT: (UserRequest) UserMode Non-Alertable
            81fcd6e0  SynchronizationEvent
        IRP List:
            822b87e0: (0006,0094) Flags: 00000970  Mdl: 00000000
        Not impersonating
        DeviceMap                 e1004440
        Owning Process            0       Image:         <Unknown>
        Attached Process          82155438       Image:         ZhuDongFangYu.exe
        Wait Start TickCount      6731           Ticks: 4978 (0:00:01:17.781)
        Context Switch Count      21             
        UserTime                  00:00:00.000
        KernelTime                00:00:00.000
        Win32 Start Address 0x01f3a108
        Start Address 0x7c8106e9
        Stack Init b27bf000 Current b27beca0 Base b27bf000 Limit b27bc000 Call 0
        Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
        ChildEBP RetAddr  
        b27becb8 80501cd6 nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])
        b27becc4 804fad62 nt!KiSwapThread+0x46 (FPO: [0,0,0])
        b27becec 805b7126 nt!KeWaitForSingleObject+0x1c2 (FPO: [5,5,4])
        b27bed50 8053e638 nt!NtWaitForSingleObject+0x9a (FPO: [Non-Fpo])
        b27bed50 7c92e4f4 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ b27bed64)
        0219e918 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])

        THREAD 82172da8  Cid 0564.0844  Teb: 7ffdb000 Win32Thread: 00000000 WAIT: (WrLpcReceive) UserMode Non-Alertable
            81dfd188  Semaphore Limit 0x7fffffff
            82172e98  NotificationTimer
        Not impersonating
        DeviceMap                 e1004440
        Owning Process            0       Image:         <Unknown>
        Attached Process          82155438       Image:         ZhuDongFangYu.exe
        Wait Start TickCount      7594           Ticks: 4115 (0:00:01:04.296)
        Context Switch Count      2             
        UserTime                  00:00:00.000
        KernelTime                00:00:00.000
        Win32 Start Address 0x77e56c7d
        Start Address 0x7c8106e9
        Stack Init b1ff4000 Current b1ff3c4c Base b1ff4000 Limit b1ff1000 Call 0
        Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
        ChildEBP RetAddr  
        b1ff3c64 80501cd6 nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])
        b1ff3c70 804fad62 nt!KiSwapThread+0x46 (FPO: [0,0,0])
        b1ff3c98 8059c5b0 nt!KeWaitForSingleObject+0x1c2 (FPO: [5,5,4])
        b1ff3d48 8053e638 nt!NtReplyWaitReceivePortEx+0x3dc (FPO: [Non-Fpo])
        b1ff3d48 7c92e4f4 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ b1ff3d64)
        00b2ff80 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
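Two things in the thread dump deserve a closer look. First, the Win32 Start Address names of the form nt_400000!FsRtlAddLargeMcbEntry are wrong: the debugger has a second module named nt registered at base 0x400000 and resolved these user-mode addresses against ntoskrnl's symbols, whereas in this process the 0x400000 range holds its own executable. Only the raw address in parentheses is reliable; switch into the process with .process /r /p 82155438 so that user-mode modules and symbols are loaded before trusting any name. Second, in thread 0564.05cc the frame Hookport+0x2c80 sits between nt!KiFastCallEntry and nt!NtRequestWaitReplyPort: the system-service dispatcher called into a third-party driver, which then called the kernel's real service routine. That is the shape of an SSDT hook on x86, here belonging to the 360 product's Hookport.sys. The Python below, added as an example and not part of the original post, parses THREAD blocks from !process output and flags both conditions; its embedded sample is a trimmed excerpt of three of the threads above, and the list of modules allowed to own a system service (nt and win32k) is the example's own assumption.

```python
import re

# Trimmed excerpt of three THREAD blocks from the !process 82155438 output above,
# used as sample input (lines the parser does not need were dropped).
SAMPLE = """\
        THREAD 81e0eda8  Cid 0564.05cc  Teb: 7ffd9000 Win32Thread: 00000000 WAIT: (WrLpcReply) UserMode Non-Alertable
        Win32 Start Address nt_400000!FsRtlAddLargeMcbEntry (0x00411b61)
        ChildEBP RetAddr
        b296ebe0 805996cb nt!KeWaitForSingleObject+0x1c2 (FPO: [5,5,4])
        b296ec94 f854bc80 nt!NtRequestWaitReplyPort+0x63d (FPO: [Non-Fpo])
WARNING: Stack unwind information not available. Following frames may be wrong.
        b296ed50 8053e638 Hookport+0x2c80
        b296ed50 7c92e4f4 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ b296ed64)
        00d2fb20 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])

        THREAD 822f3da8  Cid 0564.05d4  Teb: 7ffd7000 Win32Thread: e20be2d0 WAIT: (WrUserRequest) UserMode Non-Alertable
        Win32 Start Address nt_400000!CcWorkerThread (0x0040f258)
        ChildEBP RetAddr
        b2842cec bf819e6c win32k!xxxRealInternalGetMessage+0x418 (FPO: [6,9,4])
        b2842d4c 8053e638 win32k!NtUserGetMessage+0x27 (FPO: [Non-Fpo])
        b2842d4c 7c92e4f4 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ b2842d64)
        012afd30 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])

        THREAD 82143460  Cid 0564.0624  Teb: 7ffd6000 Win32Thread: 00000000 WAIT: (UserRequest) UserMode Non-Alertable
        Win32 Start Address 0x019221a0
        ChildEBP RetAddr
        b28ced48 8053e638 nt!NtWaitForMultipleObjects+0x2a2 (FPO: [Non-Fpo])
        b28ced48 7c92e4f4 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ b28ced64)
        01aafc48 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
"""

THREAD_RE = re.compile(r"^\s*THREAD [0-9a-f]+\s+Cid (?P<pid>[0-9a-f]+)\.(?P<tid>[0-9a-f]+)"
                       r"(?:.*WAIT: \((?P<reason>\w+)\))?")
START_RE = re.compile(r"^\s*Win32 Start Address (?P<sym>\S+)(?: \(0x(?P<addr>[0-9a-f]+)\))?")
FRAME_RE = re.compile(r"^\s*[0-9a-f]{8} [0-9a-f]{8} (?P<func>\S+)")

# Modules that legitimately own system-service entry points on x86 XP (assumption).
SYSCALL_OWNERS = {"nt", "win32k"}

def module_of(func):
    """'Hookport+0x2c80' -> 'Hookport'; 'nt!NtReadFile+0x580' -> 'nt'."""
    return re.split(r"[!+]", func, 1)[0]

def parse_threads(text):
    threads, cur = [], None
    for line in text.splitlines():
        if (m := THREAD_RE.match(line)):
            cur = {"tid": int(m["tid"], 16), "reason": m["reason"],
                   "start_sym": None, "start_addr": None, "frames": []}
            threads.append(cur)
        elif cur is None:
            continue
        elif (m := START_RE.match(line)):
            if m["sym"].startswith("0x"):            # the debugger found no symbol at all
                cur["start_addr"] = int(m["sym"], 16)
            else:
                cur["start_sym"] = m["sym"]
                cur["start_addr"] = int(m["addr"], 16) if m["addr"] else None
        elif (m := FRAME_RE.match(line)):
            cur["frames"].append(m["func"])          # innermost frame first, as kd prints it
    return threads

def syscall_entry(frames):
    """The frame nt!KiFastCallEntry dispatched into, i.e. the system-service routine."""
    for i, f in enumerate(frames):
        if f.startswith("nt!KiFastCallEntry") and i > 0:
            return frames[i - 1]
    return None

def audit(threads):
    findings = []
    for t in threads:
        raw = f"{t['start_addr']:#010x}" if t["start_addr"] is not None else "?"
        entry = syscall_entry(t["frames"])
        if entry and module_of(entry) not in SYSCALL_OWNERS:
            findings.append((t["tid"], f"system call dispatched through {entry} (hooked service table?)"))
        if t["start_sym"] is None:
            findings.append((t["tid"], f"start address {raw} has no symbol; find its owning module in process context"))
        elif re.match(r"\w+_[0-9a-f]+!", t["start_sym"]):
            findings.append((t["tid"], f"start symbol {t['start_sym']} comes from a colliding module name; trust only {raw}"))
    return findings

if __name__ == "__main__":
    for tid, msg in audit(parse_threads(SAMPLE)):
        print(f"thread {tid:#x}: {msg}")
```

Only thread 0564.05cc is flagged for its system call; thread 0564.05d4 went through win32k!NtUserGetMessage, which is normal. To confirm a hook independently of any one stack, dump the service table itself (dds nt!KiServiceTable) and look for entries that resolve outside nt. Thread 0564.0624's start address 0x019221a0 carries no symbol at all; that is worth resolving in process context, since a thread that starts in memory no module maps is a classic sign of injected code.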

!process 0 0 <ImageName> finds a process by image name:

kd> !process 0 0 ZhuDongFangYu.exe
PROCESS 82155438  SessionId: 0  Cid: 0564    Peb: 7ffde000  ParentCid: 02d4
    DirBase: 0cc001c0  ObjectTable: e1fbbbb0  HandleCount: 124.
    Image: ZhuDongFangYu.exe

Now look at the token of ZhuDongFangYu.exe. The Token field in the process header (e1c8d9d8) is the address of its _TOKEN structure. The da output below shows "*SYSTEM*" because the first field of _TOKEN on this kernel is TokenSource, whose eight-character SourceName is the string the token was created with; the u command on the same address merely disassembles those data bytes and tells you nothing. !token is the command that actually decodes the structure:

kd> da e1c8d9d8
e1c8d9d8  "*SYSTEM*"
kd> u e1c8d9d8
e1c8d9d8 2a5359          sub     dl,byte ptr [ebx+59h]
e1c8d9db 53              push    ebx
e1c8d9dc 54              push    esp
e1c8d9dd 45              inc     ebp
e1c8d9de 4d              dec     ebp
e1c8d9df 2a00            sub     al,byte ptr [eax]
e1c8d9e1 0000            add     byte ptr [eax],al
e1c8d9e3 0000            add     byte ptr [eax],al
kd> !token e1c8d9d8
_TOKEN e1c8d9d8
TS Session ID: 0
User: S-1-5-18
Groups: 
 00 S-1-5-32-544
    Attributes - Default Enabled Owner 
 01 S-1-1-0
    Attributes - Mandatory Default Enabled 
 02 S-1-5-11
    Attributes - Mandatory Default Enabled 
Primary Group: S-1-5-18
Privs: 
 00 0x000000007 SeTcbPrivilege                    Attributes - Enabled Default 
 01 0x000000002 SeCreateTokenPrivilege            Attributes - 
 02 0x000000009 SeTakeOwnershipPrivilege          Attributes - 
 03 0x00000000f SeCreatePagefilePrivilege         Attributes - Enabled Default 
 04 0x000000004 SeLockMemoryPrivilege             Attributes - Enabled Default 
 05 0x000000003 SeAssignPrimaryTokenPrivilege     Attributes - 
 06 0x000000005 SeIncreaseQuotaPrivilege          Attributes - 
 07 0x00000000e SeIncreaseBasePriorityPrivilege   Attributes - Enabled Default 
 08 0x000000010 SeCreatePermanentPrivilege        Attributes - Enabled Default 
 09 0x000000014 SeDebugPrivilege                  Attributes - Enabled Default 
 10 0x000000015 SeAuditPrivilege                  Attributes - Enabled Default 
 11 0x000000008 SeSecurityPrivilege               Attributes - 
 12 0x000000016 SeSystemEnvironmentPrivilege      Attributes - 
 13 0x000000017 SeChangeNotifyPrivilege           Attributes - Enabled Default 
 14 0x000000011 SeBackupPrivilege                 Attributes - 
 15 0x000000012 SeRestorePrivilege                Attributes - 
 16 0x000000013 SeShutdownPrivilege               Attributes - 
 17 0x00000000a SeLoadDriverPrivilege             Attributes - 
 18 0x00000000d SeProfileSingleProcessPrivilege   Attributes - Enabled Default 
 19 0x00000000c SeSystemtimePrivilege             Attributes - 
 20 0x000000019 SeUndockPrivilege                 Attributes - 
 21 0x00000001c SeManageVolumePrivilege           Attributes - 
 22 0x00000001d SeImpersonatePrivilege            Attributes - Enabled Default 
 23 0x00000001e SeCreateGlobalPrivilege           Attributes - Enabled Default 
Authentication ID:         (0,3e7)
Impersonation Level:       Anonymous
TokenType:                 Primary
Source: *SYSTEM*           TokenFlags: 0x89 ( Token in use )
Token ID: 1237d            ParentToken ID: 0
Modified ID:               (0, 1237f)
RestrictedSidCount: 0      RestrictedSids: 00000000
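Reading this output: User S-1-5-18 is Local System, Authentication ID (0,3e7) is the SYSTEM logon session, and the group S-1-5-32-544 (Administrators) is enabled, so the process runs with full local authority. The Privs list matters more than it looks: entries whose Attributes are empty (SeLoadDriverPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, ...) are held but currently disabled, and a process can turn any held privilege on with AdjustTokenPrivileges, so the security-relevant set is everything listed, not only what is marked Enabled. Impersonation Level is only meaningful for impersonation tokens and can be ignored on a Primary token. The Python below, added as an example and not part of the original post, parses !token output into user, groups and privileges and reports which dangerous privileges are enabled versus merely held; the embedded sample is a trimmed excerpt of the output above, and the well-known SID names and the short list of sensitive privileges are the example's own choices.

```python
import re

# Trimmed excerpt of the !token e1c8d9d8 output above, used as sample input
# (most of the 24 privilege lines were dropped; the format is unchanged).
SAMPLE = """\
_TOKEN e1c8d9d8
TS Session ID: 0
User: S-1-5-18
Groups: 
 00 S-1-5-32-544
    Attributes - Default Enabled Owner 
 01 S-1-1-0
    Attributes - Mandatory Default Enabled 
 02 S-1-5-11
    Attributes - Mandatory Default Enabled 
Primary Group: S-1-5-18
Privs: 
 00 0x000000007 SeTcbPrivilege                    Attributes - Enabled Default 
 01 0x000000002 SeCreateTokenPrivilege            Attributes - 
 05 0x000000003 SeAssignPrimaryTokenPrivilege     Attributes - 
 09 0x000000014 SeDebugPrivilege                  Attributes - Enabled Default 
 13 0x000000017 SeChangeNotifyPrivilege           Attributes - Enabled Default 
 14 0x000000011 SeBackupPrivilege                 Attributes - 
 17 0x00000000a SeLoadDriverPrivilege             Attributes - 
 22 0x00000001d SeImpersonatePrivilege            Attributes - Enabled Default 
Authentication ID:         (0,3e7)
Impersonation Level:       Anonymous
TokenType:                 Primary
Source: *SYSTEM*           TokenFlags: 0x89 ( Token in use )
"""

WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-18": "NT AUTHORITY\\SYSTEM",
    "S-1-5-32-544": "BUILTIN\\Administrators",
}
# Privileges that by themselves give full control of the machine. This short list is
# the example's own choice, not something the page defines.
SENSITIVE = {"SeTcbPrivilege", "SeDebugPrivilege", "SeLoadDriverPrivilege",
             "SeCreateTokenPrivilege", "SeAssignPrimaryTokenPrivilege",
             "SeImpersonatePrivilege", "SeBackupPrivilege", "SeRestorePrivilege",
             "SeTakeOwnershipPrivilege"}

KV_RE = re.compile(r"^(User|Primary Group|Authentication ID|TokenType|Impersonation Level):\s+(\S+)")
GROUP_RE = re.compile(r"^\s+\d+ (S-[\d-]+)\s*$")
ATTR_RE = re.compile(r"^\s+Attributes - (.*)$")
PRIV_RE = re.compile(r"^\s+\d+ 0x([0-9a-f]+) (Se\w+)\s+Attributes - (.*)$")

def parse_token(text):
    tok = {"groups": [], "privs": {}}
    pending_sid = None
    for line in text.splitlines():
        if (m := KV_RE.match(line)):
            tok[m.group(1)] = m.group(2)
        elif (m := GROUP_RE.match(line)):
            pending_sid = m.group(1)                 # its attributes come on the next line
        elif (m := ATTR_RE.match(line)) and pending_sid:
            tok["groups"].append((pending_sid, m.group(1).split()))
            pending_sid = None
        elif (m := PRIV_RE.match(line)):
            tok["privs"][m.group(2)] = {"luid": int(m.group(1), 16), "attrs": m.group(3).split()}
    return tok

def summarize(tok):
    """What this token lets the process do, counting disabled privileges as held."""
    name = lambda sid: f"{sid} ({WELL_KNOWN_SIDS.get(sid, 'unknown')})"
    enabled = {p for p, v in tok["privs"].items() if "Enabled" in v["attrs"]}
    held = set(tok["privs"])                         # the process can re-enable any of these
    return {
        "user": name(tok["User"]),
        "groups": [name(sid) for sid, _ in tok["groups"]],
        # a deny-only Administrators group (UseForDenyOnly) would not count as admin
        "admin": any(sid == "S-1-5-32-544" and "Enabled" in attrs for sid, attrs in tok["groups"]),
        "logon_session": tok["Authentication ID"],
        "sensitive_enabled": sorted(SENSITIVE & enabled),
        "sensitive_disabled": sorted(SENSITIVE & (held - enabled)),
    }

if __name__ == "__main__":
    for key, value in summarize(parse_token(SAMPLE)).items():
        print(f"{key:19} {value}")
```

For the sample this reports SeDebugPrivilege, SeTcbPrivilege and SeImpersonatePrivilege as enabled and SeLoadDriverPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege and SeBackupPrivilege as held but disabled; a security product's service legitimately needs most of these, which is exactly why such a process is a prime target for code injection.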


