Tuesday, April 17, 2012

Windows Kernel Debugging

For how to set up Windows kernel debugging, see this article:
http://www.blogger.com/blogger.g?blogID=6275589693478001671#editor/target=post;postID=4149230560487743600

Some useful commands (dt = display type; symbol lookup is case-insensitive, so _eprocess resolves to nt!_EPROCESS):
> dt _eprocess // executive process block, the structure !process prints from
> dt _peb // process environment block (user-mode, one per process)
> dt _kprocess // kernel process block, the first member (Pcb) of _eprocess
> dt _heap // heap structure; the PEB's ProcessHeap and ProcessHeaps fields point at these
> dt _heap_segment // one segment of a heap
> dt _heap_entry // the header in front of every heap chunk (8 bytes on x86, 16 on x64)
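To see what the fields of `dt _heap_entry` mean when you only have the raw dwords from `dd`, here is an added example (not code from the original post) that decodes an 8-byte x86 `_HEAP_ENTRY` and walks a run of chunks by their Size field. It assumes the 32-bit Windows 7 layout (Size, Flags, SmallTagIndex, PreviousSize, SegmentOffset, UnusedBytes), that Size is in 8-byte units, and that when `_HEAP.EncodeFlagMask` is set only the first dword is XORed with the first dword of `_HEAP.Encoding`, with SmallTagIndex acting as the checksum byte0 ^ byte1 ^ byte2. Those assumptions, the flag values and the `dd` sample line are all constructed here; check them against your own `dt nt!_HEAP_ENTRY` output before trusting a decode.

```python
import struct

# Assumed layout: 32-bit Windows 7 _HEAP_ENTRY (8 bytes).  Verify against your
# own `dt nt!_HEAP_ENTRY` output before trusting any field.
HEAP_GRANULARITY = 8            # Size/PreviousSize are in 8-byte units on x86 (16 on x64)
HEAP_ENTRY_BUSY = 0x01
HEAP_ENTRY_LAST_ENTRY = 0x10


def decode_heap_entry(raw, encoding=0):
    """Decode 8 raw bytes (what `dd <addr> L2` shows) into _HEAP_ENTRY fields.

    encoding: first dword of _HEAP.Encoding, or 0 when _HEAP.EncodeFlagMask is 0.
    Assumption: only the first dword (Size, Flags, SmallTagIndex) is XOR-encoded
    and SmallTagIndex is the checksum byte0 ^ byte1 ^ byte2 of the decoded header.
    `dt _heap_entry` on an encoded chunk shows the raw (XORed) values, so the
    Size it prints is meaningless until this XOR has been applied.
    """
    if len(raw) != 8:
        raise ValueError("a _HEAP_ENTRY is 8 bytes on x86")
    dword0, dword1 = struct.unpack("<II", raw)
    dword0 ^= encoding
    size = dword0 & 0xFFFF
    flags = (dword0 >> 16) & 0xFF
    small_tag_index = dword0 >> 24
    return {
        "Size": size,
        "Flags": flags,
        "SmallTagIndex": small_tag_index,
        "PreviousSize": dword1 & 0xFFFF,
        "SegmentOffset": (dword1 >> 16) & 0xFF,
        "UnusedBytes": dword1 >> 24,
        "ByteSize": size * HEAP_GRANULARITY,          # header + user data
        "Busy": bool(flags & HEAP_ENTRY_BUSY),
        "LastEntry": bool(flags & HEAP_ENTRY_LAST_ENTRY),
        "ChecksumOK": ((size & 0xFF) ^ (size >> 8) ^ flags) == small_tag_index,
    }


def encode_heap_entry(size, flags, previous_size, unused_bytes=0, encoding=0):
    """Inverse of decode_heap_entry; used here only to build constructed test data."""
    small_tag_index = (size & 0xFF) ^ (size >> 8) ^ flags
    dword0 = (size | (flags << 16) | (small_tag_index << 24)) ^ encoding
    dword1 = previous_size | (unused_bytes << 24)
    return struct.pack("<II", dword0, dword1)


def dd_to_bytes(dd_line):
    """One line of `dd` output ('00241e30  02010003 00000000') -> raw bytes."""
    return b"".join(struct.pack("<I", int(word, 16)) for word in dd_line.split()[1:])


def walk_heap_entries(blob, encoding=0):
    """Walk back-to-back entries from the start of blob, as the heap manager does.

    Stops at the LAST_ENTRY flag, at the end of the blob, or at the first header
    whose checksum fails (the usual first sign of a heap overflow).  Each entry
    also records whether its PreviousSize agrees with the entry before it.
    """
    entries, offset, prev_size = [], 0, None
    while offset + 8 <= len(blob):
        e = decode_heap_entry(blob[offset:offset + 8], encoding)
        e["Offset"] = offset
        e["PreviousSizeOK"] = prev_size is None or e["PreviousSize"] == prev_size
        entries.append(e)
        if not e["ChecksumOK"] or e["LastEntry"] or e["ByteSize"] == 0:
            break
        prev_size = e["Size"]
        offset += e["ByteSize"]
    return entries
```

To use it on a live target, read the heap's `Encoding` with `dt _heap <heap_address> Encoding`, dump a chunk header with `dd <address> L2`, and pass both to `decode_heap_entry`; a `ChecksumOK` of False on an entry that should be intact means you are either using the wrong encoding or looking at a corrupted header.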

Application debugging (e.g. Firefox)
> !process 0 0 // list all running processes; note the DirBase and Peb values printed for the one you want
> .context <dirbase_address> // switch user-mode address translation to that process. The DirBase comes from the firefox.exe entry in the !process 0 0 output. If user-mode addresses still come back as ???, run the following command first and then repeat .context:
> .cache forcedecodeuser

> dt _peb <peb_address_of_Firefox>

> dd <address> // display the memory at that address as dwords, like the x command in the QEMU monitor

> dd /p <address> // the same, but <address> is treated as a physical address

> dt _heap <heap_address>

> dt _heap_entry <heap_entry_address>
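The steps above are the same every time: read DirBase and Peb off the `!process 0 0` output for the process you care about, switch context, then dump the PEB and follow it to the heap. As an added example that is not part of the original post, the Python below parses `!process 0 0` output and emits that command sequence. The process listing it parses is constructed for the example (the format is the one kd prints on x86, but every address, Cid and handle count is made up), and it handles the two things that usually trip people up: Firefox runs several processes (the Cid/ParentCid fields tie plugin-container.exe back to its parent), and a kernel-only process such as System has a zero Peb and nothing to dump.

```python
import re

# Constructed sample of `!process 0 0` output (x86 layout; every address is made up).
SAMPLE_PROCESS_LIST = """\
**** NT ACTIVE PROCESS DUMP ****
PROCESS 84b3a020  SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 00185000  ObjectTable: 89c01b90  HandleCount: 540.
    Image: System

PROCESS 85c42030  SessionId: 1  Cid: 0a2c    Peb: 7ffdf000  ParentCid: 05a8
    DirBase: 2e4a0360  ObjectTable: 9c8b7a48  HandleCount: 512.
    Image: firefox.exe

PROCESS 85d19d40  SessionId: 1  Cid: 0b10    Peb: 7ffd4000  ParentCid: 0a2c
    DirBase: 2e4a03a0  ObjectTable: 9c9c2e60  HandleCount: 188.
    Image: plugin-container.exe
"""

HEX = r"[0-9a-fA-F`]+"          # x64 kd prints addresses as ffffe001`2345abcd
PROCESS_RE = re.compile(
    rf"^PROCESS\s+(?P<eprocess>{HEX})\s+SessionId:\s*(?P<session>\S+)"
    rf"\s+Cid:\s*(?P<cid>{HEX})\s+Peb:\s*(?P<peb>{HEX})\s+ParentCid:\s*(?P<parent_cid>{HEX})"
)
DIRBASE_RE = re.compile(rf"DirBase:\s*(?P<dirbase>{HEX})")
IMAGE_RE = re.compile(r"Image:\s*(?P<image>\S+)")


def _hex_to_int(text):
    return int(text.replace("`", ""), 16)


def parse_process_list(text):
    """Return one dict per PROCESS block: eprocess, session, cid, parent_cid, peb, dirbase, image."""
    procs, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        m = PROCESS_RE.match(line)
        if m:
            cur = m.groupdict()
            cur["cid"] = _hex_to_int(cur["cid"])
            cur["parent_cid"] = _hex_to_int(cur["parent_cid"])
            continue
        if cur is None:
            continue                      # banner lines before the first PROCESS
        m = DIRBASE_RE.search(line)
        if m:
            cur["dirbase"] = m.group("dirbase")
            continue
        m = IMAGE_RE.search(line)
        if m:                             # Image: is the last line of a block
            cur["image"] = m.group("image")
            procs.append(cur)
            cur = None
    return procs


def find_processes(procs, image_name):
    """All instances of an image (Firefox may have several); case-insensitive."""
    return [p for p in procs if p["image"].lower() == image_name.lower()]


def child_processes(procs, parent):
    """Processes whose ParentCid is the parent's Cid, e.g. plugin-container.exe under firefox.exe."""
    return [p for p in procs if p["parent_cid"] == parent["cid"]]


def context_commands(proc):
    """kd commands, in order, to read this process's user-mode memory via .context."""
    if _hex_to_int(proc["peb"]) == 0:
        raise ValueError(f"{proc['image']} has no PEB (kernel-only process); nothing to dump")
    return [
        ".cache forcedecodeuser",               # run first if .context alone leaves user pages as ???
        f".context {proc['dirbase']}",          # DirBase is the page directory base (CR3) of the process
        f"dt nt!_PEB {proc['peb']}",
        f"dt nt!_PEB ProcessHeap {proc['peb']}",  # default heap; feed that pointer to dt _heap <addr>
    ]
```

Paste the real `!process 0 0` output into `parse_process_list` and print `context_commands(...)` for the instance you want. Two shortcuts on a current debugger: `!process 0 0 firefox.exe` lists only processes with that image name, and `.process /p /r <eprocess_address>` switches to the process (with forced user-page decoding and a user-mode symbol reload) in one step instead of `.cache forcedecodeuser` plus `.context`.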
