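Today I listened to a lecture in the Windows Internals series and became interested in using WinDbg. To get started, the download address is:
http://msdl.microsoft.com/download/symbols/debuggers/dbg_x86_6.9.3.113.msi
I installed it with the default settings until the installer finished, then started using it (File->Kernel Debug->Local).
Then I entered !process 0 0 and got an error: the symbols path had not been set.
I started searching Google for how to set the symbols path, but none of the explanations were clear.
Here is a summary of my own method:
1. Press Ctrl + S (or File -> Symbol File Path ...)
2. In the dialog that appears, enter the Symbol File Path
(use Ctrl + Enter for a line break)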
D:/symbolslocal;
C:/Program Files/Microsoft Visual Studio .NET 2003/SDK/v1.1/symbols;
;.sympath SRV*D:/symbolslocal*http://msdl.microsoft.com/download/symbols
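The usual advice here is to use the setting SRV*D:/symbolslocal*http://msdl.microsoft.com/download/symbols; I assumed it would be enough to enter it in the command box,
but that produced the error Couldn't resolve error at rv*D:/symbolslocal*http://msdl.microsoft.com/download/symbols'. I don't know whether I have this right;
I would appreciate advice from the experts.
3. Enter .reload in the command box below and wait a moment
4. Enter !process 0 0; the following information appears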
Unable to read selector for PCR for processor 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS 867b59c8 SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000
DirBase: 06f40020 ObjectTable: e1000e80 HandleCount: 1408.
Image: System
PROCESS 85d515b0 SessionId: none Cid: 0390 Peb: 7ffd5000 ParentCid: 0004
DirBase: 06f40040 ObjectTable: e100cfb8 HandleCount: 17.
Image: smss.exe
PROCESS 85cc92c0 SessionId: 0 Cid: 03e0 Peb: 7ffdf000 ParentCid: 0390
DirBase: 06f40060 ObjectTable: e15c6538 HandleCount: 498.
Image: csrss.exe
PROCESS 85c7a2a0 SessionId: 0 Cid: 041c Peb: 7ffdf000 ParentCid: 0390
DirBase: 06f40080 ObjectTable: e171c878 HandleCount: 515.
Image: winlogon.exe
PROCESS 85c89a20 SessionId: 0 Cid: 0448 Peb: 7ffdf000 ParentCid: 041c
DirBase: 06f400a0 ObjectTable: e2653b08 HandleCount: 304.
Image: services.exe
PROCESS 85d44ac8 SessionId: 0 Cid: 0454 Peb: 7ffdf000 ParentCid: 041c
DirBase: 06f400c0 ObjectTable: e1f84568 HandleCount: 371.
Image: lsass.exe
PROCESS 85c64da0 SessionId: 0 Cid: 0500 Peb: 7ffdf000 ParentCid: 0448
DirBase: 06f400e0 ObjectTable: e26d9608 HandleCount: 132.
Image: svchost.exe
PROCESS 85c34020 SessionId: 0 Cid: 0564 Peb: 7ffd7000 ParentCid: 0448
DirBase: 06f40100 ObjectTable: e2a28418 HandleCount: 308.
Image: svchost.exe
PROCESS 85c1eda0 SessionId: 0 Cid: 05e8 Peb: 7ffde000 ParentCid: 0448
DirBase: 06f40140 ObjectTable: e1a21b60 HandleCount: 1487.
Image: svchost.exe
PROCESS 85c20da0 SessionId: 0 Cid: 0618 Peb: 7ffd7000 ParentCid: 0448
DirBase: 06f40160 ObjectTable: e2736360 HandleCount: 91.
Image: svchost.exe
PROCESS 85c47da0 SessionId: 0 Cid: 06ac Peb: 7ffd7000 ParentCid: 0448
DirBase: 06f40180 ObjectTable: e1f7baf0 HandleCount: 127.
Image: svchost.exe
PROCESS 85c0abc0 SessionId: 0 Cid: 06c8 Peb: 7ffd7000 ParentCid: 0448
DirBase: 06f401a0 ObjectTable: e1f6e0d0 HandleCount: 29.
Image: aswUpdSv.exe
PROCESS 85c0fda0 SessionId: 0 Cid: 0704 Peb: 7ffde000 ParentCid: 0448
DirBase: 06f401c0 ObjectTable: e2a9ea80 HandleCount: 281.
Image: ashServ.exe
PROCESS 85c09bc8 SessionId: 0 Cid: 07dc Peb: 7ffd8000 ParentCid: 0448
DirBase: 06f401e0 ObjectTable: e272c090 HandleCount: 114.
Image: spoolsv.exe
PROCESS 85be23c0 SessionId: 0 Cid: 0174 Peb: 7ffde000 ParentCid: 041c
DirBase: 06f40220 ObjectTable: e26498f8 HandleCount: 261.
Image: syssafe.exe
PROCESS 85ba2990 SessionId: 0 Cid: 0258 Peb: 7ffd9000 ParentCid: 0448
DirBase: 06f40260 ObjectTable: e318d358 HandleCount: 90.
Image: mdm.exe
PROCESS 85ba9da0 SessionId: 0 Cid: 029c Peb: 7ffd6000 ParentCid: 023c
DirBase: 06f40280 ObjectTable: e31abcb0 HandleCount: 607.
Image: explorer.exe
PROCESS 862da3a8 SessionId: 0 Cid: 05b8 Peb: 7ffdf000 ParentCid: 0448
DirBase: 06f40240 ObjectTable: e2faecd0 HandleCount: 89.
Image: ashMaiSv.exe
PROCESS 85b57da0 SessionId: 0 Cid: 05d0 Peb: 7ffde000 ParentCid: 0448
DirBase: 06f402c0 ObjectTable: e1fec3c0 HandleCount: 130.
Image: ashWebSv.exe
PROCESS 85b943b8 SessionId: 0 Cid: 07d8 Peb: 7ffd7000 ParentCid: 029c
DirBase: 06f402e0 ObjectTable: e33f4820 HandleCount: 119.
Image: ashDisp.exe
PROCESS 85abc3a8 SessionId: 0 Cid: 01cc Peb: 7ffd4000 ParentCid: 029c
DirBase: 06f40320 ObjectTable: e34382b0 HandleCount: 153.
Image: RTHDCPL.exe
PROCESS 85abfb98 SessionId: 0 Cid: 03d0 Peb: 7ffde000 ParentCid: 029c
DirBase: 06f40300 ObjectTable: e26af4b8 HandleCount: 63.
Image: SoundMan.exe
PROCESS 85aa35b0 SessionId: 0 Cid: 056c Peb: 7ffd3000 ParentCid: 029c
DirBase: 06f40360 ObjectTable: e33f6128 HandleCount: 125.
Image: ctfmon.exe
PROCESS 8599dd10 SessionId: 0 Cid: 0b30 Peb: 7ffd5000 ParentCid: 029c
DirBase: 06f40120 ObjectTable: e12a5718 HandleCount: 642.
Image: BitComet.exe
PROCESS 85728a70 SessionId: 0 Cid: 0cb0 Peb: 7ffd6000 ParentCid: 029c
DirBase: 06f402a0 ObjectTable: 00000000 HandleCount: 0.
Image: Maxthon.exe
PROCESS 8560a940 SessionId: 0 Cid: 0200 Peb: 7ffd5000 ParentCid: 029c
DirBase: 06f40340 ObjectTable: e12fcd78 HandleCount: 254.
Image: delphi32.exe
PROCESS 85775438 SessionId: 0 Cid: 08d8 Peb: 7ffd9000 ParentCid: 029c
DirBase: 06f403a0 ObjectTable: e41b38e0 HandleCount: 602.
Image: WINWORD.EXE
PROCESS 85882358 SessionId: 0 Cid: 0d54 Peb: 7ffd3000 ParentCid: 029c
DirBase: 06f40400 ObjectTable: 00000000 HandleCount: 0.
Image: foobar2000.exe
PROCESS 85801558 SessionId: 0 Cid: 0b74 Peb: 7ffda000 ParentCid: 029c
DirBase: 06f403e0 ObjectTable: e40ff9a0 HandleCount: 136.
Image: FOXITR~1.EXE
PROCESS 8599a9a8 SessionId: 0 Cid: 052c Peb: 7ffdc000 ParentCid: 029c
DirBase: 06f40380 ObjectTable: e13e88d8 HandleCount: 169.
Image: daemon.exe
PROCESS 85670020 SessionId: 0 Cid: 0e94 Peb: 7ffda000 ParentCid: 029c
DirBase: 06f403c0 ObjectTable: 00000000 HandleCount: 0.
Image: mpcstar.exe
PROCESS 85587c88 SessionId: 0 Cid: 0ec4 Peb: 7ffda000 ParentCid: 0f04
DirBase: 06f40200 ObjectTable: e30cd498 HandleCount: 447.
Image: YodaoDict.exe
PROCESS 858d0a18 SessionId: 0 Cid: 03dc Peb: 7ffd4000 ParentCid: 0200
DirBase: 06f40440 ObjectTable: 00000000 HandleCount: 0.
Image: InitCC32.exe
PROCESS 852ff020 SessionId: 0 Cid: 025c Peb: 7ffd5000 ParentCid: 029c
DirBase: 06f40480 ObjectTable: e42d4ad0 HandleCount: 541.
Image: mpcstar.exe
PROCESS 855dec98 SessionId: 0 Cid: 09f4 Peb: 7ffda000 ParentCid: 029c
DirBase: 06f40420 ObjectTable: e343be48 HandleCount: 1221.
Image: Maxthon.exe
PROCESS 85845530 SessionId: 0 Cid: 0528 Peb: 7ffd3000 ParentCid: 029c
DirBase: 06f404a0 ObjectTable: e144b270 HandleCount: 430.
Image: windbg.exe
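
An added example (not part of the original post): a short Python parser for the !process 0 0 listing above that flags records with ObjectTable 00000000 (processes that have exited but whose EPROCESS object is still referenced) and processes whose ParentCid does not appear in the listing. The function names are hypothetical, the sample is four records copied from the output above, and the regular expression assumes the exact field layout shown on this page.

```python
import re

# Constructed sample: four records copied from the listing on this page.
SAMPLE = """\
PROCESS 867b59c8 SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000
DirBase: 06f40020 ObjectTable: e1000e80 HandleCount: 1408.
Image: System
PROCESS 85d515b0 SessionId: none Cid: 0390 Peb: 7ffd5000 ParentCid: 0004
DirBase: 06f40040 ObjectTable: e100cfb8 HandleCount: 17.
Image: smss.exe
PROCESS 85ba9da0 SessionId: 0 Cid: 029c Peb: 7ffd6000 ParentCid: 023c
DirBase: 06f40280 ObjectTable: e31abcb0 HandleCount: 607.
Image: explorer.exe
PROCESS 85728a70 SessionId: 0 Cid: 0cb0 Peb: 7ffd6000 ParentCid: 029c
DirBase: 06f402a0 ObjectTable: 00000000 HandleCount: 0.
Image: Maxthon.exe
"""

# One record spans three lines; \s+ also matches the line breaks between them.
RECORD = re.compile(
    r"PROCESS\s+(?P<eprocess>[0-9a-f]+)\s+SessionId:\s+(?P<session>\S+)\s+"
    r"Cid:\s+(?P<cid>[0-9a-f]+)\s+Peb:\s+(?P<peb>[0-9a-f]+)\s+"
    r"ParentCid:\s+(?P<parent>[0-9a-f]+)\s+"
    r"DirBase:\s+(?P<dirbase>[0-9a-f]+)\s+ObjectTable:\s+(?P<objtable>[0-9a-f]+)\s+"
    r"HandleCount:\s+(?P<handles>\d+)\.\s+Image:\s+(?P<image>.+)",
    re.IGNORECASE,
)

def parse_process_dump(text):
    """Return one dict per PROCESS record; Cid and ParentCid are hex PIDs."""
    procs = []
    for m in RECORD.finditer(text):
        p = m.groupdict()
        p["pid"], p["ppid"] = int(p["cid"], 16), int(p["parent"], 16)
        p["handles"] = int(p["handles"])
        p["image"] = p["image"].strip()
        procs.append(p)
    return procs

def triage(procs):
    """Return (images with no handle table, images whose parent PID is not listed)."""
    listed = {p["pid"] for p in procs}
    exited = [p["image"] for p in procs if int(p["objtable"], 16) == 0]
    orphans = [p["image"] for p in procs if p["ppid"] and p["ppid"] not in listed]
    return exited, orphans

if __name__ == "__main__":
    print(triage(parse_process_dump(SAMPLE)))
```

A parent PID missing from the list is expected for explorer.exe, whose parent normally exits after logon; elsewhere it is worth a second look.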