Observe Windows Kernel Modules, data structures, and functions

Observe Windows Kernel Modules, data structures, and functions

1. Start local Kernel debugging of WinDbg (File> Kernel Debug... > Local ).

2. type. symfix c: "symbols to set the symbol server and the local directory used to store the symbol file.

3. type. sympath to observe the current symbolic path. The result is as follows:

Lkd>. sympath

Symbol search path is: SRV * c: "symbols * http://msdl.microsoft.com/download/symbols

4. type. reload to reload the symbol. It may take a long time. Please wait.

5. Enter the lm command to list all kernel modules. Find HAL, NT, and other modules and observe their starting and ending positions in the memory.

6. type! Process 0 0 command to list all processes running in the current system.

7. type! Process 4 displays the overview of the System process and various threads. Record the PROCESS structure address of the PROCESS.

Lkd>! Process 4

Searching for Process with Cid = 4

PROCESS86fb7660 SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000

DirBase: 00039000 ObjectTable: e1001c78 HandleCount: 396.

Image: System

VadRoot 86fae870 Vads 4 Clone 0 Private 3. Modified 124205. Locked 0.

DeviceMap e1005470

8. Run the dt command (dt nt! _ EPROCESS) observe the _ EPROCESS structure of the process.

9, in dt nt! Add the address recorded in step 1 after the _ EPROCESS command to display the values of the _ EPROCESS structure of the system process.

Lkd> dt nt! _ EPROCESS 86fb7660

+ 0x000 Pcb: _ KPROCESS

+ 0x06c ProcessLock: _ EX_PUSH_LOCK

10, Type x nt! * Command to list the symbols contained in the kernel file (NTOSKRNL. Try to use different expressions to select to display some symbols, such as x nt! Dbgk * displays all symbols starting with Dbgk.

11. Disable WinDbg and complete debugging.