2.1 Using WinDbg - Vulnerability Analysis Basics - Vulnerability Analysis - 看雪学苑 (Kanxue Academy, www.kanxue.com)

Published: 2025-01-03 19:08
WinDbg is without question the first-choice tool for vulnerability analysis on Windows. Compared with debuggers such as OllyDbg and IDA, WinDbg, developed in-house at Microsoft, has clear advantages: it supports debugging at both ring 3 (user mode) and ring 0 (kernel mode), and for ring 0 in particular no other debugger currently comes close. WinDbg is to Windows what GDB is to Linux, so anyone doing vulnerability analysis needs to know how to use it. This part introduces common WinDbg commands and techniques for ring 3 and ring 0.

**Getting to know WinDbg**

![0.JPG](https://i.loli.net/2017/12/15/5a33751856dd6.jpg)

The WinDbg interface is made up of several child windows: command, registers, memory, disassembly and so on. The command window is the most important; everything the other windows display can be obtained with the right command, and command-driven debugging is the heart of WinDbg.

After installing WinDbg, configure debug symbols, i.e. the pdb files Microsoft publishes. They can be fetched on demand from the Microsoft symbol server, or downloaded from the official site as a standalone symbol package. Other vendors may provide symbols for their software as well; set the symbol path according to what you are analyzing. Having source code is best, and when there is none, symbol files are still an enormous help when analyzing and debugging a vulnerability. Not every target ships symbols, though (the much-criticized Office applications, for example), and then there is nothing for it but to work through raw assembly.

![1.JPG](https://i.loli.net/2017/12/16/5a3497eb4195e.jpg)

WinDbg can also analyze blue-screen dump files and debug programs with source, and it supports writing custom extensions. All in all, a very capable tool.

**Common ring 3 commands and techniques**

To learn WinDbg commands you first need to know which kinds exist. There are three: regular commands (no prefix), meta-commands (prefix `.`) and extension commands (prefix `!`); list them with `?`, `.help` and `!<extension>.help` respectively. Extension module names can be listed with `version` or `.chain`, and analysts can write their own extension modules (plugins). That looks like a lot of commands, but only a handful are used day to day; the rest comes with practice. After running the commands above the screen is probably cluttered, so clear it with `.cls`. Now the details:

- List the processes and threads being debugged; the leading dot marks the current process or thread.

```
0:004> |
.  0	id: 135c	create	name: notepad.exe
0:004> ~
   0  Id: 135c.ac4 Suspend: 1 Teb: 00000077`58a19000 Unfrozen
   1  Id: 135c.eb0 Suspend: 1 Teb: 00000077`58a1b000 Unfrozen
   2  Id: 135c.13b0 Suspend: 1 Teb: 00000077`58a1d000 Unfrozen
   3  Id: 135c.810 Suspend: 1 Teb: 00000077`58a1f000 Unfrozen
   4  Id: 135c.6b4 Suspend: 1 Teb: 00000077`58a21000 Unfrozen
   5  Id: 135c.a58 Suspend: 1 Teb: 00000077`58a23000 Unfrozen
   6  Id: 135c.448 Suspend: 1 Teb: 00000077`58a25000 Unfrozen
.  7  Id: 135c.102c Suspend: 1 Teb: 00000077`58a2f000 Unfrozen
   9  Id: 135c.a18 Suspend: 1 Teb: 00000077`58a2b000 Unfrozen
```

- Show the layout of the process address space.

```
0:005> !address
Mapping file section regions...
Mapping module regions...
Mapping PEB regions...
Mapping TEB and stack regions...
Mapping heap regions...
Mapping page heap regions...
Mapping other regions...
Mapping stack trace database regions...
Mapping activation context regions...

        BaseAddress      EndAddress+1        RegionSize     Type       State                 Protect             Usage
--------------------------------------------------------------------------------------------------------------------------
+        0`00000000        0`7ffe0000        0`7ffe0000             MEM_FREE    PAGE_NOACCESS                      Free
+        0`7ffe0000        0`7ffe1000        0`00001000 MEM_PRIVATE MEM_COMMIT  PAGE_READONLY                      Other      [User Shared Data]
         0`7ffe1000        0`7fff0000        0`0000f000 MEM_PRIVATE MEM_RESERVE                                    <unknown>
+        0`7fff0000       b7`26350000       b6`a6360000             MEM_FREE    PAGE_NOACCESS                      Free
+       b7`26350000       b7`263bc000        0`0006c000 MEM_PRIVATE MEM_RESERVE                                    Stack      [~0; 1534.8dc]
        b7`263bc000       b7`263bf000        0`00003000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE|PAGE_GUARD          Stack      [~0; 1534.8dc]
        b7`263bf000       b7`263d0000        0`00011000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     Stack      [~0; 1534.8dc]
+       b7`263d0000       b7`26400000        0`00030000             MEM_FREE    PAGE_NOACCESS                      Free
+       b7`26400000       b7`265f3000        0`001f3000 MEM_PRIVATE MEM_RESERVE                                    <unknown>
        b7`265f3000       b7`265f4000        0`00001000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     PEB        [1534]
...
```

- Break when a particular module is loaded; remember to restore the default exception/event settings afterwards.

```
0:000> sxe ld KERNELBASE
0:000> g
ModLoad: 00007ffc`b10b0000 00007ffc`b12cd000   C:\Windows\System32\KERNELBASE.dll
ntdll!NtMapViewOfSection+0x14:
00007ffc`b3e55354 c3              ret
0:000> sxr
sx state reset to defaults
```

- Show the details of a loaded module.

```
0:005> lmvm KERNELBASE
start             end                 module name
00007ffc`b10b0000 00007ffc`b12cd000   KERNELBASE   (pdb symbols)          c:\symbols\kernelbase.pdb\5D0E6B108BAA4E0CAD1C559120C6123F1\kernelbase.pdb
    Loaded symbol image file: C:\Windows\System32\KERNELBASE.dll
    Image path: C:\Windows\System32\KERNELBASE.dll
    Image name: KERNELBASE.dll
    Timestamp:        Sat Jul 16 10:12:25 2016 (57899809)
    CheckSum:         00221D33
    ImageSize:        0021D000
    File version:     10.0.14393.0
    Product version:  10.0.14393.0
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Windows® Operating System
    InternalName:     Kernelbase.dll
    OriginalFilename: Kernelbase.dll
    ProductVersion:   10.0.14393.0
    FileVersion:      10.0.14393.0 (rs1_release.160715-1616)
    FileDescription:  Windows NT BASE API Client DLL
    LegalCopyright:   © Microsoft Corporation. All rights reserved.
```

- Load symbol files.

```
0:000> .sympath
Symbol search path is: C:\Symbols
Expanded Symbol search path is: c:\symbols

************* Symbol Path validation summary **************
Response                         Time (ms)     Location
OK                                             C:\Symbols
0:000> .reload /f
Reloading current modules
.......................
0:000> lm
start             end                 module name
00007ff6`c00a0000 00007ff6`c00ad000   calc       (pdb symbols)          c:\symbols\calc.pdb\BBD33747DAF54B2D9AD9F02861D972F81\calc.pdb
00007ffc`b02b0000 00007ffc`b02c4000   profapi    (pdb symbols)          c:\symbols\profapi.pdb\CAC4E3CC2E9B4973B17D131D0EFC8ACE1\profapi.pdb
00007ffc`b02e0000 00007ffc`b02ef000   kernel_appcore   (pdb symbols)    c:\symbols\Kernel.Appcore.pdb\C765CB33A55844379117C2F71220C8D71\Kernel.Appcore.pdb
00007ffc`b02f0000 00007ffc`b033c000   powrprof   (pdb symbols)          c:\symbols\powrprof.pdb\74B38765BC2D4D1B9E53834273CE9ABF1\powrprof.pdb
00007ffc`b0340000 00007ffc`b04c2000   gdi32full  (pdb symbols)          c:\symbols\gdi32full.pdb\9A1C5DBA389740BA8568049E4C0603491\gdi32full.pdb
00007ffc`b0530000 00007ffc`b0572000   cfgmgr32   (pdb symbols)          c:\symbols\cfgmgr32.pdb\0C85585E81E54222A3065E20B6C913D41\cfgmgr32.pdb
00007ffc`b0580000 00007ffc`b0629000   shcore     (pdb symbols)          c:\symbols\shcore.pdb\1375C24C4D13484FB31C5B2E9E690F321\shcore.pdb
00007ffc`b0800000 00007ffc`b0eda000   windows_storage   (pdb symbols)   c:\symbols\Windows.Storage.pdb\FA91DDC596884A82AA032E2E9A652C4E1\Windows.Storage.pdb
00007ffc`b0f90000 00007ffc`b0fae000   win32u     (pdb symbols)          c:\symbols\win32u.pdb\CE777C7E22FC4E43A47A1D6EF5E1AF031\win32u.pdb
00007ffc`b0fb0000 00007ffc`b10a5000   ucrtbase   (pdb symbols)          c:\symbols\ucrtbase.pdb\5347FBF2D7FD4C99A15D54787482262A1\ucrtbase.pdb
00007ffc`b10b0000 00007ffc`b12cd000   KERNELBASE   (pdb symbols)        c:\symbols\kernelbase.pdb\5D0E6B108BAA4E0CAD1C559120C6123F1\kernelbase.pdb
...
```

- Step over and step into. In disassembly output `.` stands for the instruction about to execute; pressing Enter on an empty command line repeats the previous command.

```
0:000:x86> ub
KERNELBASE!LoadLibraryExW+0x23:
75a392b3 8b5d10          mov     ebx,dword ptr [ebp+10h]
75a392b6 f7c30080ffff    test    ebx,0FFFF8000h
75a392bc 0f850a010000    jne     KERNELBASE!LoadLibraryExW+0x13c (75a393cc)
75a392c2 8bf3            mov     esi,ebx
75a392c4 83e642          and     esi,42h
75a392c7 83fe42          cmp     esi,42h
75a392ca 0f84fc000000    je      KERNELBASE!LoadLibraryExW+0x13c (75a393cc)
75a392d0 50              push    eax
0:000:x86> u .
KERNELBASE!LoadLibraryExW+0x41:
75a392d1 8d442424        lea     eax,[esp+24h]
75a392d5 50              push    eax
75a392d6 ff157081ae75    call    dword ptr [KERNELBASE!WakeConditionVariable+0x4756 (75ae8170)]
75a392dc 85c0            test    eax,eax
75a392de 0f8801ac0300    js      KERNELBASE!GetCurrentProcess+0x8425 (75a73ee5)
75a392e4 668b4c2420      mov     cx,word ptr [esp+20h]
75a392e9 8b542424        mov     edx,dword ptr [esp+24h]
75a392ed 6685c9          test    cx,cx
0:000:x86> p
KERNELBASE!LoadLibraryExW+0x45:
75a392d5 50              push    eax
0:000:x86>
KERNELBASE!LoadLibraryExW+0x46:
75a392d6 ff157081ae75    call    dword ptr [KERNELBASE!WakeConditionVariable+0x4756 (75ae8170)] ds:002b:75ae8170={ntdll_77820000!RtlInitUnicodeStringEx (77853380)}
0:000:x86> t
ntdll_77820000!RtlInitUnicodeStringEx:
77853380 8bff            mov     edi,edi
```

- List functions, set breakpoints, inspect registers and memory, and show the call stack. `L<n>` limits the number of items output and `*` is a wildcard.

```
0:009> bc *
0:009> x KERNELBASE!LoadLibrary*
00000000`75a38c10 KERNELBASE!LoadLibraryExA (<no parameter info>)
00000000`75a39290 KERNELBASE!LoadLibraryExW (<no parameter info>)
00000000`75a3a2f0 KERNELBASE!LoadLibraryA (<no parameter info>)
00000000`75a3c590 KERNELBASE!LoadLibraryW (<no parameter info>)
0:009> bm KERNELBASE!LoadLibrary*
  1: 00000000`75a38c10 @!"KERNELBASE!LoadLibraryExA"
  2: 00000000`75a39290 @!"KERNELBASE!LoadLibraryExW"
  3: 00000000`75a3a2f0 @!"KERNELBASE!LoadLibraryA"
  4: 00000000`75a3c590 @!"KERNELBASE!LoadLibraryW"
0:009> bl
 1 e x86 00000000`75a38c10     0001 (0001)  0:**** KERNELBASE!LoadLibraryExA
 2 e x86 00000000`75a39290     0001 (0001)  0:**** KERNELBASE!LoadLibraryExW
 3 e x86 00000000`75a3a2f0     0001 (0001)  0:**** KERNELBASE!LoadLibraryA
 4 e x86 00000000`75a3c590     0001 (0001)  0:**** KERNELBASE!LoadLibraryW
0:009> bd 1 2
0:009> g
Breakpoint 3 hit
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files (x86)\Common Files\Microsoft Shared\office14\riched20.dll -
KERNELBASE!LoadLibraryA:
75a3a2f0 8bff            mov     edi,edi
0:000:x86> r
eax=00000000 ebx=00000000 ecx=00bdc355 edx=6fd20950 esi=6fd20890 edi=00000000
eip=75a3a2f0 esp=00bdc3b4 ebp=00bdc40c iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
KERNELBASE!LoadLibraryA:
75a3a2f0 8bff            mov     edi,edi
0:000:x86> dd esp L4
00bdc3b4  6fc0d839 6fd20950 000000cc 097d05c8
0:000:x86> da poi(esp+4)
6fd20950  "UxTheme.dll"
0:000:x86> bd *
0:000:x86> bp KERNELBASE!LoadLibraryA ".if(ebx=0){}.else{gc}"
breakpoint 3 redefined
0:000:x86> g
KERNELBASE!LoadLibraryA:
75a3a2f0 8bff            mov     edi,edi
0:000:x86> r
eax=00000000 ebx=00000000 ecx=00bdc649 edx=6fd20930 esi=6fd20850 edi=00000000
eip=75a3a2f0 esp=00bdc6a0 ebp=00bdc6f8 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
KERNELBASE!LoadLibraryA:
75a3a2f0 8bff            mov     edi,edi
0:000:x86> k L5
 # ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be wrong.
00 00bdc69c 6fc0d839 KERNELBASE!LoadLibraryA
01 00bdc6f8 6fc1f79f riched20!IID_ITextServices2+0x3b09
02 00bdc718 6fc7e13f riched20!RichListBoxWndProc+0x13a8
03 00bdc738 6fc0a3b7 riched20!IID_ITextHost2+0x3672f
04 00bdc754 6fc09f8d riched20!IID_ITextServices2+0x687
```

- Conditional breakpoints and hardware breakpoints. A breakpoint command string can use `.echo` to print log messages when the breakpoint fires.

```
0:004> bp KERNELBASE!LoadLibraryA ".echo 'Hi, this is a LoadLibraryA break!'"
0:004> bl
 0 e 00007ffa`7635b680     0001 (0001)  0:**** KERNELBASE!LoadLibraryA ".echo 'Hi, this is a LoadLibraryA break!'"
0:004> g
ModLoad: 00007ffa`71f40000 00007ffa`71f76000   C:\Windows\system32\xmllite.dll
'Hi, this is a LoadLibraryA break!'
KERNELBASE!LoadLibraryA:
00007ffa`7635b680 48895c2408      mov     qword ptr [rsp+8],rbx ss:000000dc`4db7f810=000000008004000a
...
0:000> bp KERNELBASE!LoadLibraryExW ".if(rax > 0xff){.echo 'rax > 0xff'}.else{.echo 'rax <= 0xff'; gc}"
0:000> bl
 0 e 00007ffa`7631c8b0     0001 (0001)  0:**** KERNELBASE!LoadLibraryExW ".if(rax > 0xff){.echo 'rax > 0xff'}.else{.echo 'rax <= 0xff'; gc}"
0:000> g
'rax > 0xff'
KERNELBASE!LoadLibraryExW:
00007ffa`7631c8b0 4055            push    rbp
0:000> g
ModLoad: 00007ffa`78460000 00007ffa`7848e000   C:\Windows\System32\IMM32.DLL
'rax <= 0xff'
'rax <= 0xff'
'rax <= 0xff'
'rax <= 0xff'
'rax <= 0xff'
'rax <= 0xff'
'rax <= 0xff'
ModLoad: 00007ffa`73d80000 00007ffa`73e15000   C:\Windows\system32\uxtheme.dll
ModLoad: 00007ffa`76720000 00007ffa`7687b000   C:\Windows\System32\MSCTF.dll
ModLoad: 00007ffa`73a30000 00007ffa`73a56000   C:\Windows\system32\dwmapi.dll
ModLoad: 00007ffa`78e70000 00007ffa`78f0f000   C:\Windows\System32\clbcatq.dll
'rax > 0xff'
KERNELBASE!LoadLibraryExW:
00007ffa`7631c8b0 4055            push    rbp
0:000> r rax
rax=000000a0107cdf78
0:000> bc *
0:000> ba e1 00007ffa`7631c8b0
0:000> bl
 0 e 00007ffa`7631c8b0 e 1 0001 (0001)  0:**** KERNELBASE!LoadLibraryExW
0:000> g
Breakpoint 0 hit
KERNELBASE!LoadLibraryExW:
00007ffa`7631c8b0 4055            push    rbp
```

- Disassemble a whole function. Note that the prompt here is `0:001>` rather than `0:001:x86>`: the effective machine is still x64, so this 32-bit WOW64 code is decoded with 64-bit register names (`55` shown as `push rbp`). Run `.effmach x86` before disassembling 32-bit code in a WOW64 process.

```
0:001> uf KERNELBASE!LoadLibraryA
Flow analysis was incomplete, some code may be missing
KERNELBASE!LoadLibraryA:
00000000`75a3a2f0 8bff            mov     edi,edi
00000000`75a3a2f2 55              push    rbp
00000000`75a3a2f3 8bec            mov     ebp,esp
00000000`75a3a2f5 51              push    rcx
00000000`75a3a2f6 837d0800        cmp     dword ptr [rbp+8],0
00000000`75a3a2fa 53              push    rbx
00000000`75a3a2fb 56              push    rsi
00000000`75a3a2fc 7418            je      KERNELBASE!LoadLibraryA+0x26 (00000000`75a3a316)  Branch

KERNELBASE!LoadLibraryA+0xe:
00000000`75a3a2fe 68d0129b75      push    offset KERNELBASE+0x412d0 (00000000`759b12d0)
00000000`75a3a303 ff7508          push    qword ptr [rbp+8]
00000000`75a3a306 ff155886ae75    call    qword ptr [00000000`eb522964]
...
```

- Inspect the heap and search memory.

```
0:005> !heap -h
Index   Address  Name      Debugging options enabled
  1:   2d1990b0000
    Segment at 000002d1990b0000 to 000002d1991af000 (00056000 bytes committed)
  2:   2d198ff0000
    Segment at 000002d198ff0000 to 000002d199000000 (00001000 bytes committed)
  3:   2d1993c0000
    Segment at 000002d1993c0000 to 000002d1993cf000 (00007000 bytes committed)
  4:   2d199390000
    Segment at 000002d199390000 to 000002d19939f000 (00009000 bytes committed)
0:005> !heap -p -a 2d1990b1000
    address 000002d1990b1000 found in
    _HEAP @ 2d1990b0000
              HEAP_ENTRY Size Prev Flags            UserPtr UserSize - state
        000002d1990b0ef0 00ca 0000  [00]   000002d1990b0f00    00c6c - (busy)
0:005> s -sa 2d1990b0000 L4000
000002d1`990b0736  "-3E"
000002d1`990b08e2  "_0*"
000002d1`990b08ea  "`"0"
000002d1`990b243f  "0@+"
000002d1`990b260f  "0@$"
000002d1`990b3128  "PZm4"
000002d1`990b340f  "0C:\Windows\System32\notepad.exe"
000002d1`990b3e11  "up4"
0:005> s -a 2d1990b0000 L4000 "notepad"
000002d1`990b3424  6e 6f 74 65 70 61 64 2e-65 78 65 00 ab ab ab ab  notepad.exe.....
```

- Look up symbol information for addresses.

```
0:000> dqs rsp
000000ad`0152f5e0  00000000`00000000
000000ad`0152f5e8  000000ad`0152f670
000000ad`0152f5f0  00000000`00000000
000000ad`0152f5f8  000000ad`0152f670
000000ad`0152f600  00000000`00000000
000000ad`0152f608  00007ffc`b3ebe0c0 ntdll!`string'
000000ad`0152f610  000000ad`017dc000
000000ad`0152f618  00007ffc`b3e41b92 ntdll!LdrpInitializeProcess+0x1962
000000ad`0152f620  00000000`00000000
000000ad`0152f628  00000000`00000003
000000ad`0152f630  00000000`00000003
000000ad`0152f638  00000000`00000003
000000ad`0152f640  00000000`00000000
000000ad`0152f648  000000ad`0152f900
000000ad`0152f650  00000000`00000000
000000ad`0152f658  00000000`00000000
0:000> kb
 # RetAddr           : Args to Child                                                           : Call Site
00 00007ffc`b3e41b92 : 00000000`00000000 00000000`00000003 00000000`00000003 00000000`00000003 : ntdll!LdrpDoDebuggerBreak+0x30
01 00007ffc`b3e77af4 : 00000000`00000000 00007ffc`b3e38bc9 00000000`00000000 00000000`00000001 : ntdll!LdrpInitializeProcess+0x1962
02 00007ffc`b3e28d5e : 000000ad`0152faf0 00000000`00000000 00000000`00000000 000000ad`017dc000 : ntdll!_LdrpInitialize+0x4ed40
03 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!LdrInitializeThunk+0xe
0:000> ln 00007ffc`b3e38bc9
(00007ffc`b3e38b88)   ntdll!InitSecurityCookie+0x41   |  (00007ffc`b3e38bf0)   ntdll!RtlDoesFileExists_U
```

- `?` is very handy for arithmetic. The prefix `0x` denotes hexadecimal, `0n` decimal, `0t` octal and `0y` binary; without a prefix the default radix is hexadecimal.

```
0:004> ? 0x100
Evaluate expression: 256 = 00000000`00000100
0:004> ? 0n100
Evaluate expression: 100 = 00000000`00000064
0:004> ? 0t100
Evaluate expression: 64 = 00000000`00000040
0:004> ? 0y100
Evaluate expression: 4 = 00000000`00000004
0:004> ? 100
Evaluate expression: 256 = 00000000`00000100
0:004> ? 0x100+0n100
Evaluate expression: 356 = 00000000`00000164
0:004> qd
```

**Common ring 0 commands and techniques**

This section uses a two-virtual-machine debugging setup; see [this article](https://ephrain.net/windbg-在-mac-virtualbox上設定-windows-kernel-debugging-環境/) for the configuration. Once the connection is established the debugger prints the following:

```
Microsoft (R) Windows Debugger Version 10.0.14321.1024 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

Opened \\.\com1
Waiting to reconnect...
Connected to Windows 10 14393 x64 target at (Tue Dec 19 15:55:49.108 2017 (UTC + 8:00)), ptr64 TRUE
Kernel Debugger connection established.

************* Symbol Path validation summary **************
Response                         Time (ms)     Location
OK                                             C:\Symbols
Symbol search path is: C:\Symbols
Executable search path is: 
Windows 10 Kernel Version 14393 MP (1 procs) Free x64
Built by: 14393.0.amd64fre.rs1_release.160715-1616
Machine Name:
Kernel base = 0xfffff800`af419000 PsLoadedModuleList = 0xfffff800`af71e060
System Uptime: 0 days 0:00:00.025
KDTARGET: Refreshing KD connection
```

One note: most of the ring 3 commands introduced above also work at ring 0, and likewise some of the commands below also work at ring 3. Continuing:

- List processes, list the threads of a process, and switch the process context.

```
kd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS ffffb98dd065a040
    SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 001aa000  ObjectTable: ffff9e0212001340  HandleCount: <Data Not Accessible>
    Image: System

PROCESS ffffb98dd18fd040
    SessionId: none  Cid: 0118    Peb: 63d31d1000  ParentCid: 0004
    DirBase: 7be6d000  ObjectTable: ffff9e02125e9280  HandleCount: <Data Not Accessible>
    Image: smss.exe

PROCESS ffffb98dd1c01780
    SessionId: 0  Cid: 0168    Peb: ccec47a000  ParentCid: 0160
    DirBase: 0c0c1000  ObjectTable: ffff9e0212132a80  HandleCount: <Data Not Accessible>
    Image: csrss.exe

PROCESS ffffb98dd21de080
    SessionId: 1  Cid: 019c    Peb: ab7b3d9000  ParentCid: 0118
    DirBase: 0e0c1000  ObjectTable: 00000000  HandleCount:   0.
    Image: smss.exe
...
PROCESS ffffb98dd251b080
    SessionId: 1  Cid: 0290    Peb: 68a6eb3000  ParentCid: 09d8
    DirBase: 0fcaa000  ObjectTable: ffff9e0219d2dc40  HandleCount: <Data Not Accessible>
    Image: notepad.exe

kd> !process ffffb98dd251b080 2
PROCESS ffffb98dd251b080
    SessionId: 1  Cid: 0290    Peb: 68a6eb3000  ParentCid: 09d8
    DirBase: 0fcaa000  ObjectTable: ffff9e0219d2dc40  HandleCount: <Data Not Accessible>
    Image: notepad.exe

        THREAD ffffb98dd2cd9080  Cid 0290.0370  Teb: 00000068a6eb4000 Win32Thread: ffffb98dd1068820 WAIT: (WrUserRequest) UserMode Non-Alertable
            ffffb98dd2d11de0  SynchronizationEvent

        THREAD ffffb98dd254f080  Cid 0290.0844  Teb: 00000068a6eb6000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
            ffffb98dd2238e80  QueueObject

        THREAD ffffb98dd108b080  Cid 0290.0854  Teb: 00000068a6eb8000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
            ffffb98dd2e5f540  QueueObject

        THREAD ffffb98dd2572080  Cid 0290.08e0  Teb: 00000068a6eba000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
            ffffb98dd2e5f540  QueueObject
...
kd> .process
Implicit process is now ffffb98d`d065a040
kd> .process /i /p ffffb98dd251b080
You need to continue execution (press 'g' <enter>) for the
context to be switched. When the debugger breaks in again, you will
be in the new process context.
kd> g
Break instruction exception - code 80000003 (first chance)
nt!DbgBreakPointWithStatus:
fffff800`af568a60 cc              int     3
kd> .process
Implicit process is now ffffb98d`d251b080
```

- Show the type definition of a structure.

```
kd> dt nt!_PEB
dtx is unsupported for this scenario.  It only recognizes dtx [<type>] [<address>] with -a, -h, and -r.  Reverting to dt.
   +0x000 InheritedAddressSpace : UChar
   +0x001 ReadImageFileExecOptions : UChar
   +0x002 BeingDebugged    : UChar
   +0x003 BitField         : UChar
   +0x003 ImageUsesLargePages : Pos 0, 1 Bit
   +0x003 IsProtectedProcess : Pos 1, 1 Bit
   +0x003 IsImageDynamicallyRelocated : Pos 2, 1 Bit
   +0x003 SkipPatchingUser32Forwarders : Pos 3, 1 Bit
   +0x003 IsPackagedProcess : Pos 4, 1 Bit
   +0x003 IsAppContainer   : Pos 5, 1 Bit
   +0x003 IsProtectedProcessLight : Pos 6, 1 Bit
   +0x003 IsLongPathAwareProcess : Pos 7, 1 Bit
   +0x004 Padding0         : [4] UChar
   +0x008 Mutant           : Ptr64 Void
   +0x010 ImageBaseAddress : Ptr64 Void
...
```
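The `!address` listing in the ring 3 section is more than a map of the address space: in exploit and crash triage the first question is usually "which committed memory is executable but not backed by a mapped image?", because that is where injected shellcode, a heap spray flipped to RWX or a JIT buffer lives. The following is an added example, not code from the original article: a small Python parser for the table `!address` prints (the BaseAddress, EndAddress+1, RegionSize, Type, State, Protect and Usage columns shown above) that reports such regions. The sample listing is constructed for the example; its first rows mirror the article's output, while the RWX `<unknown>` region and the executable mapped file `stage2.bin` are made up to give the check something to find. Save the real `!address` output with `.logopen` and feed the log file to `find_executable_non_image`.

```python
"""Triage a WinDbg `!address` listing for executable memory not backed by a PE image.

Added example for this article (not code from the original page). It parses the
table `!address` prints and reports committed regions whose protection is
PAGE_EXECUTE* but whose Type is not MEM_IMAGE. The listing below is constructed;
its first rows mirror the article's output, the RWX <unknown> region and the
executable mapped file are made up for the example.
"""
import re
from dataclasses import dataclass

# 64-bit targets print hi`lo; 32-bit targets print plain hex without the backtick.
ADDR_RE = re.compile(r"^[0-9a-f]+(`[0-9a-f]+)?$")
TYPES = {"MEM_PRIVATE", "MEM_MAPPED", "MEM_IMAGE"}
STATES = {"MEM_COMMIT", "MEM_RESERVE", "MEM_FREE"}
EXECUTABLE = {"PAGE_EXECUTE", "PAGE_EXECUTE_READ", "PAGE_EXECUTE_READWRITE", "PAGE_EXECUTE_WRITECOPY"}
WRITABLE = {"PAGE_READWRITE", "PAGE_WRITECOPY", "PAGE_EXECUTE_READWRITE", "PAGE_EXECUTE_WRITECOPY"}


@dataclass
class Region:
    base: int
    end: int
    size: int
    mem_type: str       # MEM_PRIVATE / MEM_MAPPED / MEM_IMAGE; "" on MEM_FREE rows
    state: str          # MEM_COMMIT / MEM_RESERVE / MEM_FREE
    protect: frozenset  # PAGE_* flags; "PAGE_READWRITE|PAGE_GUARD" becomes two entries
    usage: str          # Stack [...], Heap [...], Image [...], <unknown>, Free, ...

    def is_executable(self) -> bool:
        return bool(self.protect & EXECUTABLE)

    def is_writable(self) -> bool:
        return bool(self.protect & WRITABLE)


def parse_address_line(line: str):
    """Parse one `!address` row; None for headers, separators and progress lines.

    Type is blank on MEM_FREE rows and Protect is blank on MEM_RESERVE rows, so the
    columns cannot be split by position: the first three tokens are addresses, the
    rest are classified by name and whatever is left over is the Usage column.
    """
    tokens = line.strip().lstrip("+").split()
    if len(tokens) < 4 or not all(ADDR_RE.match(t) for t in tokens[:3]):
        return None
    base, end, size = (int(t.replace("`", ""), 16) for t in tokens[:3])
    mem_type, state, protect, usage = "", "", [], []
    for tok in tokens[3:]:
        if tok in TYPES:
            mem_type = tok
        elif tok in STATES:
            state = tok
        elif tok.startswith("PAGE_"):
            protect.extend(tok.split("|"))
        else:
            usage.append(tok)
    return Region(base, end, size, mem_type, state, frozenset(protect), " ".join(usage))


def parse_address_output(text: str):
    return [r for r in map(parse_address_line, text.splitlines()) if r is not None]


def find_executable_non_image(text: str):
    """Committed executable regions not backed by a PE image, RWX ones first."""
    findings = []
    for r in parse_address_output(text):
        if r.state != "MEM_COMMIT" or not r.is_executable() or r.mem_type == "MEM_IMAGE":
            continue
        findings.append({"base": f"{r.base:016x}", "size": r.size,
                         "kind": "RWX" if r.is_writable() else "RX",
                         "type": r.mem_type, "usage": r.usage})
    findings.sort(key=lambda f: (f["kind"] != "RWX", f["base"]))
    return findings


# Constructed sample in the `!address` output format (see the module docstring).
SAMPLE_ADDRESS = """\
0:005> !address
Mapping file section regions...
Mapping module regions...

        BaseAddress      EndAddress+1        RegionSize     Type       State                 Protect             Usage
--------------------------------------------------------------------------------------------------------------------------
+        0`00000000        0`7ffe0000        0`7ffe0000             MEM_FREE    PAGE_NOACCESS                      Free
+        0`7ffe0000        0`7ffe1000        0`00001000 MEM_PRIVATE MEM_COMMIT  PAGE_READONLY                      Other      [User Shared Data]
         0`7ffe1000        0`7fff0000        0`0000f000 MEM_PRIVATE MEM_RESERVE                                    <unknown>
+       b7`26350000       b7`263bc000        0`0006c000 MEM_PRIVATE MEM_RESERVE                                    Stack      [~0; 1534.8dc]
        b7`263bc000       b7`263bf000        0`00003000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE|PAGE_GUARD          Stack      [~0; 1534.8dc]
        b7`263bf000       b7`263d0000        0`00011000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     Stack      [~0; 1534.8dc]
+      2d1`99400000      2d1`99410000        0`00010000 MEM_PRIVATE MEM_COMMIT  PAGE_EXECUTE_READWRITE             <unknown>
+      2d1`99500000      2d1`99502000        0`00002000 MEM_MAPPED  MEM_COMMIT  PAGE_EXECUTE_READ                  MappedFile "\\Device\\HarddiskVolume2\\Users\\Public\\stage2.bin"
+     7ff6`c00a1000     7ff6`c00a9000        0`00008000 MEM_IMAGE   MEM_COMMIT  PAGE_EXECUTE_READ                  Image      [notepad; "C:\\Windows\\System32\\notepad.exe"]
"""

if __name__ == "__main__":
    for f in find_executable_non_image(SAMPLE_ADDRESS):
        print(f"{f['kind']} {f['type']:<11} base={f['base']} size=0x{f['size']:x} {f['usage']}")
```

Executable pages inside a MEM_IMAGE region are the normal case (the `.text` section of a loaded PE) and are skipped; everything else that is committed and executable is reported, with RWX private memory first because it is the strongest indicator. The guard page on the stack (`PAGE_READWRITE|PAGE_GUARD`) is parsed as two flags, which is why protections are kept as a set rather than a string.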
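The `!process 0 0` output in the ring 0 section prints, for every EPROCESS, its Cid (the PID) and ParentCid, which is enough to rebuild the process tree from a live kernel session or a memory dump without running any tooling on the target. The following is an added example, not code from the original article: a Python parser for those PROCESS blocks that renders the tree and flags well-known system processes whose parent is not the one Windows always uses (a `svchost.exe` whose parent is not `services.exe`, for instance). The dump text is constructed and abridged: the first entries mirror the article's output, the remaining EPROCESS addresses and Cids are invented, and the `svchost.exe` spawned by `notepad.exe` is a made-up suspicious entry. Parents that exit early by design (a per-session `smss.exe`, `userinit.exe`) are reported as "not listed" rather than alerted on.

```python
"""Rebuild the process tree from kernel-mode `!process 0 0` output and check
well-known parent/child relationships.

Added example for this article (not code from the original page). The dump text
is constructed and abridged: the first entries mirror the article's output, the
svchost.exe spawned by notepad.exe is a made-up suspicious entry.
"""
import re
from collections import defaultdict

PROCESS_RE = re.compile(r"^PROCESS\s+([0-9a-f`]+)")
FIELD_RE = re.compile(r"(SessionId|Cid|Peb|ParentCid|DirBase|ObjectTable|HandleCount|Image):\s*(<[^>]*>|\S+)")

# Parent that Windows 10 always uses for these processes.
EXPECTED_PARENT = {
    "csrss.exe": "smss.exe", "wininit.exe": "smss.exe", "winlogon.exe": "smss.exe",
    "services.exe": "wininit.exe", "lsass.exe": "wininit.exe", "svchost.exe": "services.exe",
}


def parse_process_dump(text: str):
    """One dict per PROCESS block, keyed by the field names `!process` prints."""
    procs, cur = [], None
    for line in text.splitlines():
        m = PROCESS_RE.match(line.strip())
        if m:
            cur = {"eprocess": m.group(1)}
            procs.append(cur)
        elif cur is not None:
            cur.update(FIELD_RE.findall(line))
    return [p for p in procs if "Cid" in p and "ParentCid" in p and "Image" in p]


def render_tree(procs):
    """Indented tree; a process whose parent is not in the list becomes a root."""
    by_cid = {p["Cid"]: p for p in procs}
    children = defaultdict(list)
    for p in procs:
        children[p["ParentCid"]].append(p)
    lines, seen = [], set()

    def walk(p, depth):
        if p["Cid"] in seen:  # PID reuse can make a parent chain loop
            return
        seen.add(p["Cid"])
        lines.append(f"{'  ' * depth}{p['Image']} (Cid {p['Cid']}, ParentCid {p['ParentCid']}, Session {p['SessionId']})")
        for child in sorted(children[p["Cid"]], key=lambda c: int(c["Cid"], 16)):
            walk(child, depth + 1)

    for p in procs:
        if p["ParentCid"] not in by_cid:
            walk(p, 0)
    return lines


def check_lineage(procs):
    """Flag system processes whose parent is present but not the expected one.

    A missing parent (it has exited, or the dump is truncated) is only informational.
    """
    by_cid = {p["Cid"]: p for p in procs}
    findings = []
    for p in procs:
        expected = EXPECTED_PARENT.get(p["Image"].lower())
        if expected is None:
            continue
        parent = by_cid.get(p["ParentCid"])
        if parent is None:
            findings.append({"severity": "info", "image": p["Image"], "cid": p["Cid"], "parent": None,
                             "note": f"parent Cid {p['ParentCid']} exited or not listed"})
        elif parent["Image"].lower() != expected:
            findings.append({"severity": "alert", "image": p["Image"], "cid": p["Cid"], "parent": parent["Image"],
                             "note": f"expected parent {expected}, got {parent['Image']} (Cid {parent['Cid']})"})
    return findings


# Constructed, abridged sample in the `!process 0 0` output format.
SAMPLE_PROCESS_DUMP = """\
**** NT ACTIVE PROCESS DUMP ****
PROCESS ffffb98dd065a040
    SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 001aa000  ObjectTable: ffff9e0212001340  HandleCount: <Data Not Accessible>
    Image: System
PROCESS ffffb98dd18fd040
    SessionId: none  Cid: 0118    Peb: 63d31d1000  ParentCid: 0004
    Image: smss.exe
PROCESS ffffb98dd1d00080
    SessionId: 0  Cid: 01a0    Peb: 7d5c2f1000  ParentCid: 0160
    Image: wininit.exe
PROCESS ffffb98dd1d40080
    SessionId: 0  Cid: 0204    Peb: 3a4f1b6000  ParentCid: 01a0
    Image: services.exe
PROCESS ffffb98dd1e52080
    SessionId: 0  Cid: 0230    Peb: 5c2e0d2000  ParentCid: 0204
    Image: svchost.exe
PROCESS ffffb98dd2402080
    SessionId: 1  Cid: 09d8    Peb: 006a3000  ParentCid: 0994
    Image: explorer.exe
PROCESS ffffb98dd251b080
    SessionId: 1  Cid: 0290    Peb: 68a6eb3000  ParentCid: 09d8
    Image: notepad.exe
PROCESS ffffb98dd2f31080
    SessionId: 1  Cid: 0b1c    Peb: 2f71ab5000  ParentCid: 0290
    Image: svchost.exe
"""

if __name__ == "__main__":
    procs = parse_process_dump(SAMPLE_PROCESS_DUMP)
    print("\n".join(render_tree(procs)))
    for f in check_lineage(procs):
        print(f"[{f['severity']}] {f['image']} Cid {f['cid']}: {f['note']}")
```

In the constructed dump `wininit.exe` reports its parent (Cid 0160, the session-0 `smss.exe` that has already exited) as not listed, which is expected, while the `svchost.exe` under `notepad.exe` is raised as an alert. To run this against a real session, `.logopen` a log file before `!process 0 0` and pass the file contents to `parse_process_dump`.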