windbg学习笔记(5) --内核调试常用命令

• vertarget:用于显示被调试计算机的基本的信息。
  
• dg：用于显示段选择子的信息
  
  • 有dg的输出结果可以看到，cs段的范围是0x00000000-0xffffffff
• !cpuinfo:显示CPU的信息
  
• !pcr:显示处理器控制域，也就是KPCR块结构，每一个KPCR结构对应一个KPCR结构。

kd> !pcr
KPCR for Processor 0 at ffdff000:
    Major 1 Minor 1
	NtTib.ExceptionList: 8054a4b0
	    NtTib.StackBase: 8054acf0
	   NtTib.StackLimit: 80547f00
	 NtTib.SubSystemTib: 00000000
	      NtTib.Version: 00000000
	  NtTib.UserPointer: 00000000
	      NtTib.SelfTib: 00000000

	            SelfPcr: ffdff000   //PCR地址
	               Prcb: ffdff120
	               Irql: 00000000
	                IRR: 00000000
	                IDR: ffffffff
	      InterruptMode: 00000000
	                IDT: 8003f400    //IDT
	                GDT: 8003f000
	                TSS: 80042000    //TSS

	      CurrentThread: 80553740
	         NextThread: 00000000
	         IdleThread: 80553740

	          DpcQueue:

• 输出结果包括：SEH链表，IDT 中断，TSS表。有了PCR地址，我们可以使用dt命令dt _KPCR XXXXXXX来查看KPCR结构，或者使用?? @$pcr来查看。

  kd> ?? @$pcr
  struct _KPCR * 0xffdff000
     +0x000 NtTib            : _NT_TIB
     +0x01c SelfPcr          : 0xffdff000 _KPCR
     +0x020 Prcb             : 0xffdff120 _KPRCB
     +0x024 Irql             : 0 ''
     +0x028 IRR              : 0
     +0x02c IrrActive        : 0
     +0x030 IDR              : 0xffffffff
     +0x034 KdVersionBlock   : 0x80546ab8 
     +0x038 IDT              : 0x8003f400 _KIDTENTRY
     +0x03c GDT              : 0x8003f000 _KGDTENTRY
     +0x040 TSS              : 0x80042000 _KTSS
     +0x044 MajorVersion     : 1
     +0x046 MinorVersion     : 1
     +0x048 SetMember        : 1
     +0x04c StallScaleFactor : 0xa98
     +0x050 DebugActive      : 0 ''
     +0x051 Number           : 0 ''
     +0x052 Spare0           : 0 ''
     +0x053 SecondLevelCacheAssociativity : 0 ''
     +0x054 VdmAlert         : 0
     +0x058 KernelReserved   : [14] 0
     +0x090 SecondLevelCacheSize : 0
     +0x094 HalReserved      : [16] 0
     +0x0d4 InterruptMode    : 0
     +0x0d8 Spare1           : 0 ''
     +0x0dc KernelReserved2  : [17] 0
     +0x120 PrcbData         : _KPRCB

• !prcb：当前线程、Idle 线程等重要信息

  kd> !prcb
  PRCB for Processor 0 at ffdff120:
  Threads--  Current 80553740 Next 00000000 Idle 80553740
  Number 0 SetMember 00000001
  Interrupt Count -- 00004be9   //中断个数
  Times -- Dpc    00000019 Interrupt 00000083 
           Kernel 000028b9 User      000000ab

  • KPCR和KPRCB:KPRCR在KPCR的后面，位于KPCR的第0x120偏移处。利用?? @$PCR得到KPCR的起始地址是0xffdff000，加上0x120号偏移，0xffdff120，就是上面得到的KPCB的起始地址。

• !IDT:显示的是当前中断向量表的信息(不指定终端号，则显示全部的中断向量表)

• !IDT -a：显示所有的中断向量表

  kd> !idt
  
  Dumping IDT:
  
  37:	806d2728 hal!PicSpuriousService37
  3d:	806d3b70 hal!HalpApcInterrupt
  41:	806d39cc hal!HalpDispatchInterrupt
  50:	806d2800 hal!HalpApicRebootService
  62:	8a297cdc atapi!IdePortInterrupt (KINTERRUPT 8a297ca0)
  63:	89dc7dd4 USBPORT!USBPORT_InterruptService (KINTERRUPT 89dc7d98)
  73:	89dfbb3c SCSIPORT!ScsiPortInterrupt (KINTERRUPT 89dfbb00)
  	         USBPORT!USBPORT_InterruptService (KINTERRUPT 8a2533f0)
  82:	8a2972fc atapi!IdePortInterrupt (KINTERRUPT 8a2972c0)
  83:	8a24a89c *** ERROR: Symbol file could not be found.  Defaulted to export symbols for vmci.sys - 
  vmci!DllUnload+0x7D6 (KINTERRUPT 8a24a860)
  	         portcls!CKsShellRequestor::`scalar deleting destructor'+0x26 (KINTERRUPT 89a2d470)
  93:	8a1a57e4 i8042prt!I8042KeyboardInterruptService (KINTERRUPT 8a1a57a8)
  a3:	8a1f7314 i8042prt!I8042MouseInterruptService (KINTERRUPT 8a1f72d8)
  b1:	8a2aa85c ACPI!ACPIInterruptServiceRoutine (KINTERRUPT 8a2aa820)
  b4:	89e25cd4 NDIS!ndisMIsr (KINTERRUPT 89e25c98)
  c1:	806d2984 hal!HalpBroadcastCallService
  d1:	806d1d34 hal!HalpClockInterrupt
  e1:	806d2f0c hal!HalpIpiHandler
  e3:	806d2c70 hal!HalpLocalApicErrorService
  fd:	806d3464 hal!HalpProfileInterrupt

• !irql:中断的时候，显示终端响应级别

• !running(-it):显示正在运行的线程，如果是蓝屏文件可以确定是那个线程造成的蓝屏。

  kd> !running -it
  
  System Processors 1 (affinity mask)
    Idle Processors 1
  All processors idle.
  
       Prcb      Current   Next    
    0  ffdff120  80553740            ................
  
  ChildEBP RetAddr  
  8054abac 8054209d nt!RtlpBreakWithStatusInstruction
  8054abac baa0a162 nt!KeUpdateSystemTime+0x165
  8054ac50 80542af0 intelppm!AcpiC1Idle+0x12
  8054ac54 00000000 nt!KiIdleLoop+0x10

• !gflag：用于查看，设置系统的全局标志。

• !process:显示进程信息。

  • !process 0 0:显示当前进程的基本信息(第一个0表示的是当前进程列表，第二个0表示的是显示基本信息)
    
  • !process xxxxxxxx 0 xxxx可以是EPROCESS，也可以是进程ID，0表示显示基本信息(否则是完整信息)，
    
    
  • !process 0 0 xxx.exe：按照映像名称查找指定的进程信息。
    
  • !process -1 0:显示当前进程的基本信息
    
  • !process xxxxxxx 2:显示指定进程的基本信息，线程列表和每个线程的等待状态。
    

• .process：切换进程上下文,例如需要显示内存的内容，就需要切换到内存后，然后在显示内存。

  • .prcess /p/r xxxxx

    kd> db 1000000 L160    //显示内存
    01000000  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
    01000010  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
    01000020  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
    01000030  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
    01000040  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
    01000050  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
    01000060  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
    01000070  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
    01000080  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
    01000090  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
    010000a0  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
    010000b0  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
    kd> !process 0 0 explorer.exe     //寻找explorer.exe的EPROCESS
    PROCESS 8a1ba5a8  SessionId: 0  Cid: 0538    Peb: 7ffdd000  ParentCid: 0524
        DirBase: 136001c0  ObjectTable: e191d458  HandleCount: 498.
        Image: explorer.exe
    
    kd> .process /r /p 8a1ba5a8     //切换进程
    Implicit process is now 8a1ba5a8
    .cache forcedecodeuser done
    Loading User Symbols
    ...................................................................................
    kd> db 1000000 L160          //显示内存
    01000000  4d 5a 90 00 03 00 00 00-04 00 00 00 ff ff 00 00  MZ..............
    01000010  b8 00 00 00 00 00 00 00-40 00 00 00 00 00 00 00  ........@.......
    01000020  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
    01000030  00 00 00 00 00 00 00 00-00 00 00 00 d8 00 00 00  ................
    01000040  0e 1f ba 0e 00 b4 09 cd-21 b8 01 4c cd 21 54 68  ........!..L.!Th
    01000050  69 73 20 70 72 6f 67 72-61 6d 20 63 61 6e 6e 6f  is program canno
    01000060  74 20 62 65 20 72 75 6e-20 69 6e 20 44 4f 53 20  t be run in DOS 
    01000070  6d 6f 64 65 2e 0d 0d 0a-24 00 00 00 00 00 00 00  mode....$.......
    01000080  97 a6 b0 91 d3 c7 de c2-d3 c7 de c2 d3 c7 de c2  ................
    01000090  10 c8 d1 c2 d7 c7 de c2-d3 c7 df c2 48 c5 de c2  ............H...
    010000a0  10 c8 83 c2 c8 c7 de c2-10 c8 80 c2 d2 c7 de c2  ................
    010000b0  10 c8 be c2 fa c7 de c2-10 c8 81 c2 ce c7 de c2  ................
    010000c0  10 c8 84 c2 d2 c7 de c2-52 69 63 68 d3 c7 de c2  ........Rich....
    010000d0  00 00 00 00 00 00 00 00-50 45 00 00 4c 01 04 00  ........PE..L...

    • .process /i xxxxxxx:让操作系统实际切换进程上下文，在切换完成后，需要输入g命令，是的切换执行。

      kd> .process /i 8a0f24b0
      You need to continue execution (press 'g' <enter>) for the context
      to be switched. When the debugger breaks in again, you will be in
      the new process context.
      kd> g
      Break instruction exception - code 80000003 (first chance)
      nt!RtlpBreakWithStatusInstruction:
      80528bdc cc              int     3
      kd> dd 1000000 L600
      01000000  00000000 00000000 00000000 00000000
      01000010  00000000 00000000 00000000 00000000
      01000020  00000000 00000000 00000000 00000000
      01000030  00000000 00000000 00000000 00000000
      01000040  00000000 00000000 00000000 00000000
      01000050  00000000 00000000 00000000 00000000
      01000060  00000000 00000000 00000000 00000000
      01000070  00000000 00000000 00000000 00000000
      01000080  00000000 00000000 00000000 00000000
      01000090  00000000 00000000 00000000 00000000
      010000a0  00000000 00000000 00000000 00000000
      ``` 
      
         * !dml_proc:显示粗略的进程列表

kd> !dml_proc
Address PID Image file name
8a32c830 4 System
8a154270 228 smss.exe
8a147da0 258 csrss.exe
8a1d2a80 270 winlogon.exe
8a11cda0 29c services.exe
89f0c4e0 2a8 lsass.exe
8a1a4020 340 vmacthlp.exe
8a24cda0 34c svchost.exe
8a24c500 394 svchost.exe

* !thread tid:显示线程的信息（不加参数，或者指定为-1表示当前线程）

kd> !thread
THREAD 8a32a3c8 Cid 0004.0038 Teb: 00000000 Win32Thread: 00000000 RUNNING on processor 0
Not impersonating
DeviceMap e1fe9718
Owning Process 8a0f24b0 Image: abexcm2-voiees.exe
Wait Start TickCount 30346 Ticks: 0
Context Switch Count 6586
UserTime 00:00:00.000
KernelTime 00:00:00.453
Start Address nt!ExpWorkerThread (0x80535b02)
Stack Init bad04000 Current bad03d1c Base bad04000 Limit bad01000 Call 0
Priority 12 BasePriority 12 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr Args to Child
bad03d20 80662097 00000007 8055c040 8055c0fc nt!RtlpBreakWithStatusInstruction (FPO: [1,0,0])
bad03d74 80535c02 00000000 00000000 8a32a3c8 nt!ExpDebuggerWorker+0x91 (FPO: [Non-Fpo])
bad03dac 805c7160 00000000 00000000 00000000 nt!ExpWorkerThread+0x100 (FPO: [Non-Fpo])
bad03ddc 80542dd2 80535b02 00000001 00000000 nt!PspSystemThreadStartup+0x34 (FPO: [Non-Fpo])
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
```

• -t:显示指定线程的信息!thread -t TID
  • .thread (/p/r)tid:切换线程上下文