  • WinDbg study notes: !process

    !process 0 0 lists all processes:

    kd> !process 0 0
    **** NT ACTIVE PROCESS DUMP ****
    PROCESS 825b7830  SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
        DirBase: 02b40020  ObjectTable: e1003e00  HandleCount: 254.
        Image: System
    
    PROCESS 8241d490  SessionId: none  Cid: 0178    Peb: 7ffdf000  ParentCid: 0004
        DirBase: 02b40040  ObjectTable: e148a4a0  HandleCount:  19.
        Image: smss.exe
    
    PROCESS 824d6268  SessionId: 0  Cid: 0264    Peb: 7ffd4000  ParentCid: 0178
        DirBase: 02b40060  ObjectTable: e148fa18  HandleCount: 383.
        Image: csrss.exe
    ....
    !process XXX shows all information about the specified process; !process XXX 0 shows only its basic information.

    XXX can be either an EPROCESS address or a process ID.

    kd> !process @$proc 0
    PROCESS 825b7830  SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
        DirBase: 02b40020  ObjectTable: e1003e00  HandleCount: 254.
        Image: System
    
    kd> !process 4 0
    Searching for Process with Cid == 4
    Cid Handle table at e1005000 with 366 Entries in use
    PROCESS 825b7830  SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
        DirBase: 02b40020  ObjectTable: e1003e00  HandleCount: 254.
        Image: System
    
    !process 0 0 XXX.exe looks up a process by image name:

    kd> !process 0 0  smss.exe
    PROCESS 8241d490  SessionId: none  Cid: 0178    Peb: 7ffdf000  ParentCid: 0004
        DirBase: 02b40040  ObjectTable: e148a4a0  HandleCount:  19.
        Image: smss.exe
    
    kd> !process 0 0 system
    PROCESS 825b7830  SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
        DirBase: 02b40020  ObjectTable: e1003e00  HandleCount: 254.
        Image: System
    

    Note that the image name is just system, there is no system.exe!!!

    kd> !process 0 0 system.exe

    The command above finds nothing.
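    When a kernel dump has to be triaged outside the debugger (for example to check that every process has a plausible parent), the `!process 0 0` text above is easy to parse. The following Python is an added example, not part of the original post or of WinDbg: it parses the dump lines into records keyed by Cid, reproduces the image-name lookup from the post (case-insensitive, exact name, so "system" matches but "system.exe" does not), and walks the ParentCid chain. The sample dump and the function names are constructed for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample: the first three entries of the `!process 0 0` dump shown above.
SAMPLE_DUMP = """\
**** NT ACTIVE PROCESS DUMP ****
PROCESS 825b7830  SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 02b40020  ObjectTable: e1003e00  HandleCount: 254.
    Image: System

PROCESS 8241d490  SessionId: none  Cid: 0178    Peb: 7ffdf000  ParentCid: 0004
    DirBase: 02b40040  ObjectTable: e148a4a0  HandleCount:  19.
    Image: smss.exe

PROCESS 824d6268  SessionId: 0  Cid: 0264    Peb: 7ffd4000  ParentCid: 0178
    DirBase: 02b40060  ObjectTable: e148fa18  HandleCount: 383.
    Image: csrss.exe
"""

# All numeric fields in the dump are hexadecimal except HandleCount.
PROCESS_RE = re.compile(r"^PROCESS\s+([0-9a-f]+)\s+SessionId:\s*(\S+)\s+Cid:\s*([0-9a-f]+)"
                        r"\s+Peb:\s*([0-9a-f]+)\s+ParentCid:\s*([0-9a-f]+)", re.I)
HANDLE_RE = re.compile(r"HandleCount:\s*(\d+)")
IMAGE_RE = re.compile(r"^\s*Image:\s*(\S+)")

@dataclass
class Proc:
    eprocess: int      # EPROCESS address, usable as XXX in `!process XXX 0`
    cid: int           # process ID, also usable as XXX
    parent_cid: int
    session: str
    image: str = ""
    handles: int = 0

def parse_process_dump(text):
    procs, cur = [], None
    for line in text.splitlines():
        m = PROCESS_RE.match(line)
        if m:  # header line starts a new record
            cur = Proc(int(m[1], 16), int(m[3], 16), int(m[5], 16), m[2])
            procs.append(cur)
            continue
        if cur is None:
            continue  # banner or other text before the first PROCESS line
        if (m := HANDLE_RE.search(line)):
            cur.handles = int(m[1])
        if (m := IMAGE_RE.match(line)):
            cur.image = m[1]
    return procs

def find_by_image(procs, name):
    # Same rule as `!process 0 0 <name>`: whole image name, case-insensitive, no ".exe" implied.
    return [p for p in procs if p.image.lower() == name.lower()]

def parent_chain(procs, cid):
    # Follow ParentCid until the parent is absent from the dump; guard against cycles.
    by_cid, chain, seen = {p.cid: p for p in procs}, [], set()
    while cid in by_cid and cid not in seen:
        seen.add(cid)
        chain.append(by_cid[cid].image)
        cid = by_cid[cid].parent_cid
    return chain
```

A parent that is missing from the dump (the chain stops early) or a process whose recorded parent does not match the expected image is exactly the kind of inconsistency worth a closer look with `!process XXX`.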


  • Original article: https://www.cnblogs.com/hgy413/p/3693350.html
Copyright © 2011-2022 走看看