有没有办法从Windows内核故障转储中检索进程描述和发布者?
我试过了!process和!dml_proc 。 它没有显示这些信息。
Is there a way to retrieve the process description and publisher from a Windows Kernel crash dump?
I tried !process and !dml_proc. It doesn't show that information.
最满意答案
我试图编辑和发布澄清pykd团队的答案,但编辑结果不是很大,所以发布这个答案
lmvm输出中的FileDescription指任务管理器“详细信息”选项卡中的描述列
公司名称引用是指启动选项卡中的发布者列
C:\Windows\system32>wmic Startup where Caption="vmware user process" get /format:list Caption=VMware User Process Command="C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr Description=VMware User Process Location=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Name=VMware User Process SettingID= User=Public UserSID= C:\Windows\system32>reg query hklm\software\microsoft\windows\currentversion\run HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run VMware User Process REG_SZ "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr
您可以通过修改启动时执行的任何文件的rsrc部分中的FILE_VERSION_INFO来查看在下面发布的与上面发布的相同exe文件的windbg中编辑的发布者
如何检查上述断言的有效性
open a live kd session run task manager in target and select a startup look at details and locate the process name say vmtoolsd.exe break into kd using ctrl+break !process 0 0 vmtoolsd.exe .process /p /r EPROCESS ADDRESS OF vmtoolsd.exe !dh vmtoolsd find the Data directory SECURITY DIRECTORY and start searching for FILE_VERSION_INFO loacte the string value of Company Name use eb Address to edit the Company Name to some random string execute using g now execute task manager and you will see the publisher column in startup tab reflecting the random string as publisherusername is not tied to file but to process grab the token from !process <Eproc> 1 and pass the TOKEN value to !token -n
以下是用于检索每个正在运行的进程的用户名的示例脚本
!for_each_process "r $t0=(@@c++(((_EPROCESS*) @#Process )->Token.Object)&0xfffffff8);r? $t1=@@c++(((_TOKEN*)@@(@$t0))->LogonSession->AccountName);r? $t2=@@c++(((_EPROCESS *) @#Process )->ImageFileName);.printf \"%mu\t\t\t%ma\\n\",@@c++((wchar_t *)@$t1.Buffer),@@c++((char*)@$t2)"应该像这样得到你的结果
kd> $$>a< getuname4proc.txt xx-PC$ smss.exe LOCAL SERVICE svchost.exe xx taskhost.exei was trying to edit and post clarification to pykd-teams answer but the edit turned out ot be substantial so posted this as an answer
FileDescription from lmvm output refers to description column in Task manager Details tab
Company Name Refers refers to publisher column in startup tab
C:\Windows\system32>wmic Startup where Caption="vmware user process" get /format:list Caption=VMware User Process Command="C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr Description=VMware User Process Location=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Name=VMware User Process SettingID= User=Public UserSID= C:\Windows\system32>reg query hklm\software\microsoft\windows\currentversion\run HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run VMware User Process REG_SZ "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusryou can check by modifiying the FILE_VERSION_INFO in rsrc section of any file that is executed in startup see below an edited publisher in windbg of the same exe as posted above
how to check for validity of the above assertion
open a live kd session run task manager in target and select a startup look at details and locate the process name say vmtoolsd.exe break into kd using ctrl+break !process 0 0 vmtoolsd.exe .process /p /r EPROCESS ADDRESS OF vmtoolsd.exe !dh vmtoolsd find the Data directory SECURITY DIRECTORY and start searching for FILE_VERSION_INFO loacte the string value of Company Name use eb Address to edit the Company Name to some random string execute using g now execute task manager and you will see the publisher column in startup tab reflecting the random string as publisher username is not tied to file but to process grab the token from !process <Eproc> 1 and pass the TOKEN value to !token -nhere is sample script to retrieve user names for each running process
!for_each_process "r $t0=(@@c++(((_EPROCESS*) @#Process )->Token.Object)&0xfffffff8);r? $t1=@@c++(((_TOKEN*)@@(@$t0))->LogonSession->AccountName);r? $t2=@@c++(((_EPROCESS *) @#Process )->ImageFileName);.printf \"%mu\t\t\t%ma\\n\",@@c++((wchar_t *)@$t1.Buffer),@@c++((char*)@$t2)"should get your results like this
kd> $$>a< getuname4proc.txt xx-PC$ smss.exe LOCAL SERVICE svchost.exe xx taskhost.exe更多推荐
发布评论