Process description, user and publisher information in dump
Is there a way to retrieve the process description and publisher from a Windows kernel crash dump?
I tried !process and !dml_proc. They do not show that information.
The description should be taken from the exe module. Example:
0: kd> !PROCESS fffffa800482f940 2
GetPointerFromAddress: unable to read from fffff80397f65000
PROCESS fffffa800482f940
SessionId: 1 Cid: 0e3c Peb: 7f7cfefa000 ParentCid: 04bc
DirBase: 26bcc000 ObjectTable: fffff8a0028f4e80 HandleCount: <Data Not Accessible>
Image: Taskmgr.exe
0: kd> .process /p fffffa800482f940
Implicit process is now fffffa80`0482f940
0: kd> .reload /user
Loading User Symbols
..........................................................
0: kd> lmvm Taskmgr
Browse full module list
start end module name
000007f7`d08c0000 000007f7`d09da000 taskmgr (deferred)
Image path: C:\Windows\system32\taskmgr.exe
Image name: taskmgr.exe
Browse all global symbols functions data
Timestamp: Thu Jul 26 02:07:18 2012 (50107C26)
CheckSum: 00119B41
ImageSize: 0011A000
File version: 6.2.9200.16384
Product version: 6.2.9200.16384
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 1.0 App
File date: 00000000.00000000
Translations: 0409.04b0
CompanyName: Microsoft Corporation
ProductName: Microsoft® Windows® Operating System
InternalName: Taskmgr.exe
OriginalFilename: Taskmgr.exe
ProductVersion: 6.2.9200.16384
FileVersion: 6.2.9200.16384 (win8_rtm.120725-1247)
FileDescription: Task Manager
LegalCopyright: © Microsoft Corporation. All rights reserved.
I tried to edit the post to clarify pykd-team's answer, but it turned out not to be much of an edit, so I am posting it as an answer.
The FileDescription in the lmvm output is the Description column in Task Manager's Details tab.
CompanyName is the Publisher column in the Startup tab.
C:\Windows\system32>wmic Startup where Caption="vmware user process" get /format:list
Caption=VMware User Process
Command="C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr
Description=VMware User Process
Location=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Name=VMware User Process
SettingID=
User=Public
UserSID=
C:\Windows\system32>reg query hklm\software\microsoft\windows\currentversion\run
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run
VMware User Process REG_SZ "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr
You can check this by modifying the FILE_VERSION_INFO in the .rsrc section of any file that is executed at startup; see below, where the publisher of the same exe posted above is edited in windbg.
How to check the validity of the above assertion:
- open a live kd session
- run Task Manager in the target and select a startup entry
- look at Details and locate the process name, say vmtoolsd.exe
- break into kd using Ctrl+Break
- !process 0 0 vmtoolsd.exe
- .process /p /r <EPROCESS address of vmtoolsd.exe>
- !dh vmtoolsd, find the data directory SECURITY DIRECTORY and start searching for FILE_VERSION_INFO
- locate the string value of CompanyName
- use eb <address> to edit the CompanyName to some random string
- continue execution with g
- now run Task Manager and you will see the Publisher column in the Startup tab reflecting the random string as the publisher
The user name is not tied to the file but to the process: grab the token from !process <Eproc> 1 and pass the TOKEN value to !token -n.
Here is a sample script to retrieve the user name of every running process:
!for_each_process "r $t0=(@@c++(((_EPROCESS*) @#Process )->Token.Object)&0xfffffff8);r? $t1=@@c++(((_TOKEN*)@@(@$t0))->LogonSession->AccountName);r? $t2=@@c++(((_EPROCESS *) @#Process )->ImageFileName);.printf \"%mu\t\t\t%ma\n\",@@c++((wchar_t *)@$t1.Buffer),@@c++((char*)@$t2)"
It should produce results like this:
kd> $$>a< getuname4proc.txt
xx-PC$ smss.exe
LOCAL SERVICE svchost.exe
xx taskhost.exe
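Both answers above come down to the same fact: the Description and Publisher strings that Task Manager shows are the FileDescription and CompanyName entries of the VS_VERSIONINFO block in the image's resource directory (the .rsrc section mentioned above), and lmvm simply decodes that block. The script below is an added example, not code from the original post or from the pykd or DbgKit projects. It builds a constructed VS_VERSIONINFO blob (all values are sample data for a fictitious agent.exe), parses it the way lmvm does, and then overwrites CompanyName in place, which is the byte-level equivalent of the eb experiment above, to show that the parsed publisher changes. To use it on a real image, feed version_strings the raw bytes of the RT_VERSION resource (for instance written out of the debugger with .writemem from the address located in the resource directory, or pulled out with a PE library).

```python
"""Parse, and tamper with, a VS_VERSIONINFO block (the RT_VERSION resource of a PE file).

Added example, not from the original post. The input is a constructed sample blob, so the
script runs offline; on a real image feed it the raw bytes of the RT_VERSION resource.
"""
import struct

VS_FFI_SIGNATURE = 0xFEEF04BD  # dwSignature of VS_FIXEDFILEINFO


def _align4(n):
    return (n + 3) & ~3


def parse_block(buf, off=0):
    """Parse one version-resource block at buf[off:] and return (wLength, key, value, children).

    Every block (VS_VERSIONINFO, StringFileInfo, StringTable, String, VarFileInfo, Var) has
    the same layout: WORD wLength, WORD wValueLength, WORD wType, WCHAR szKey[] (null
    terminated), pad to 4, Value, pad to 4, then child blocks up to wLength.
    """
    w_len, w_val_len, w_type = struct.unpack_from("<HHH", buf, off)
    end = off + w_len
    p = q = off + 6
    while q < end and buf[q:q + 2] != b"\x00\x00":  # find the UTF-16 terminator of szKey
        q += 2
    key = buf[p:q].decode("utf-16-le")
    p = _align4(q + 2)
    # wValueLength counts WCHARs for text values (wType == 1) and bytes for binary ones
    val_bytes = w_val_len * 2 if w_type == 1 else w_val_len
    value = buf[p:min(p + val_bytes, end)]
    p = _align4(p + val_bytes)
    children = []
    while p + 6 <= end:
        child = parse_block(buf, p)
        if child[0] == 0:  # malformed zero-length block: stop instead of looping forever
            break
        children.append(child)
        p = _align4(p + child[0])
    return w_len, key, value, children


def version_strings(buf):
    """Return what lmvm prints: the fixed version fields plus every String entry
    (CompanyName, FileDescription, ...) from the StringFileInfo tables."""
    _, key, fixed, children = parse_block(buf)
    if key != "VS_VERSION_INFO":
        raise ValueError("not a VS_VERSIONINFO block")
    out = {}
    if len(fixed) >= 52:
        f = struct.unpack_from("<13I", fixed, 0)  # VS_FIXEDFILEINFO is 13 DWORDs
        if f[0] != VS_FFI_SIGNATURE:
            raise ValueError("bad VS_FIXEDFILEINFO signature")
        out["File version"] = "%d.%d.%d.%d" % (f[2] >> 16, f[2] & 0xFFFF, f[3] >> 16, f[3] & 0xFFFF)
        out["File OS"] = "%x" % f[8]  # 40004 = VOS_NT_WINDOWS32, printed the way lmvm prints it
        out["File type"] = f[9]       # 1 = VFT_APP
    for _, ckey, _, tables in children:
        if ckey != "StringFileInfo":
            continue
        for _, _lang, _, strings in tables:
            for _, name, val, _ in strings:
                out[name] = val.decode("utf-16-le").rstrip("\x00")
    return out


def build_block(key, value=b"", children=(), wtype=0):
    """Serialize one block; a str value is stored as null-terminated UTF-16 text (wType = 1)."""
    if isinstance(value, str):
        vbytes = (value + "\x00").encode("utf-16-le")
        wtype, wvallen = 1, len(vbytes) // 2
    else:
        vbytes, wvallen = value, len(value)
    blk = bytearray(6)  # header, filled in once the total length is known
    blk += (key + "\x00").encode("utf-16-le")
    blk += bytes(_align4(len(blk)) - len(blk))
    blk += vbytes
    for child in children:
        blk += bytes(_align4(len(blk)) - len(blk))
        blk += child
    struct.pack_into("<HHH", blk, 0, len(blk), wvallen, wtype)
    return bytes(blk)


def build_sample():
    """Constructed VS_VERSIONINFO for a fictitious agent.exe (sample values, not a real file)."""
    fixed = struct.pack("<13I", VS_FFI_SIGNATURE, 0x00010000,
                        (6 << 16) | 2, (9200 << 16) | 16384,   # dwFileVersion 6.2.9200.16384
                        (6 << 16) | 2, (9200 << 16) | 16384,   # dwProductVersion
                        0x3F, 0, 0x40004, 1, 0, 0, 0)          # mask, flags, VOS_NT_WINDOWS32, VFT_APP, subtype, date
    strings = [build_block(k, v) for k, v in (("CompanyName", "Example Corp"),
                                              ("FileDescription", "Example Agent"),
                                              ("OriginalFilename", "agent.exe"))]
    table = build_block("040904b0", children=strings, wtype=1)  # language 0x0409, codepage 0x04b0
    sfi = build_block("StringFileInfo", children=[table], wtype=1)
    var = build_block("Translation", struct.pack("<HH", 0x0409, 0x04B0))
    vfi = build_block("VarFileInfo", children=[var], wtype=1)
    return build_block("VS_VERSION_INFO", fixed, children=[sfi, vfi])


def patch_string(buf, old, new):
    """Overwrite a UTF-16 string in place, like eb does. wValueLength is left untouched, so the
    replacement may not be longer than the original; a shorter one is null-terminated and the
    rest of the slot zero-filled, which is what makes the consumer stop at the new string."""
    old_b = (old + "\x00").encode("utf-16-le")
    new_b = (new + "\x00").encode("utf-16-le")
    if len(new_b) > len(old_b):
        raise ValueError("replacement longer than the original slot; rebuild the resource instead")
    i = buf.index(old_b)
    return buf[:i] + new_b.ljust(len(old_b), b"\x00") + buf[i + len(old_b):]


if __name__ == "__main__":
    blob = build_sample()
    before = version_strings(blob)
    after = version_strings(patch_string(blob, "Example Corp", "Contoso"))
    print("CompanyName before:", before["CompanyName"])
    print("CompanyName after: ", after["CompanyName"])
    print("FileDescription:   ", after["FileDescription"], "| File version:", after["File version"])
```

Two caveats for anyone who reads the Publisher column as a trust signal: the value is an unsigned string copied out of the file, so it says nothing about who actually built the binary, and the experiment above changes bytes that the Authenticode hash covers, so a signed file tampered this way still shows the edited publisher in Task Manager while Get-AuthenticodeSignature or signtool verify reports the signature as invalid. Check signatures, not the string.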
You can use the !ps command from DbgKit to get this information and more.
Note: from a kernel memory dump you can only get the user name. To get the user name, file description and company name you need a complete memory dump.
- copy dbgkit.dll into the winext folder (e.g. C:\Program Files (x86)\Windows Kits\Debuggers\x64\winext)
- open the dump file in WinDbg
- run the .load dbgkit command
- run the !ps command (to see the other commands, run !dbgkit.help)