Monday, February 11, 2013

How To Find a User Mode Process With KD

WinDbg, NTSD, and KD are built on the same debug engine, so most things work the same way; however, when debugging in kernel mode, some things are a little different. Specifically, you are debugging the entire computer, not a single instance of a program.

How do you find your process within a kernel debugger (KD)?

Normally, when you hit a user-mode (UM) break in KD, the debugger is placed in the breaking process and thread context. What if you want to debug another process, say the RPC server?

!process is the command you want. It lets you walk the kernel's list of process objects.

!process 0 0 <= lists basic information about all processes
!process 0 7 <= displays detailed information about all processes; this can be a lot of output
!process fb667780 7 <= displays detailed information about process fb667780, but you need to know the process ID or the process (EPROCESS) address

If you don't know the process ID or address, but do know the name of a module loaded in the process you are looking for, you can try this:

!process /m module.dll 0 0 <= this gives you the information you need, such as the process ID or address, to set the debugger context to that process.

It will look something like this:

kd> !process /m my_module.dll 0 0
Searching processes with loaded module 'my_module.dll'
**** NT ACTIVE PROCESS DUMP ****
Unable to get LeftChild of nt!_MMVAD_SHORT at ffffe00002d075c0
failed to count VADs
PROCESS ffffe00002d0a940
    SessionId: 0  Cid: 0394    Peb: 7ff72d81d000  ParentCid: 025c
    DirBase: 0ca19000  ObjectTable: ffffc00001423e40  HandleCount: 706.
    Image: svchost.exe
...
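As an added example (not part of the original post), here is a small Python parser for the !process listing format shown above: it skips the diagnostic lines, pulls out the EPROCESS address, Cid, ParentCid and Image for each entry, looks a process up by image name, and builds the .process /p /r command that switches KD into that process context (the step the post mentions but does not show). The sample listing is constructed, with a second entry added.

```python
import re
from dataclasses import dataclass
# Constructed sample (not real debugger output), modelled on the trimmed
# "!process /m my_module.dll 0 0" listing above, with a second entry added.
SAMPLE_OUTPUT = """\
Searching processes with loaded module 'my_module.dll'
**** NT ACTIVE PROCESS DUMP ****
Unable to get LeftChild of nt!_MMVAD_SHORT at ffffe00002d075c0
failed to count VADs
PROCESS ffffe00002d0a940
    SessionId: 0  Cid: 0394    Peb: 7ff72d81d000  ParentCid: 025c
    DirBase: 0ca19000  ObjectTable: ffffc00001423e40  HandleCount: 706.
    Image: svchost.exe
PROCESS ffffe00002e11080
    SessionId: 1  Cid: 0b1c    Peb: 7ff6a3c4e000  ParentCid: 0394
    DirBase: 1a2b3000  ObjectTable: ffffc00002345a80  HandleCount: 120.
    Image: rpcss_test.exe
"""
@dataclass
class KdProcess:
    address: str            # EPROCESS address printed after "PROCESS"
    cid: int = None         # Cid (process ID); KD prints it in hex
    parent_cid: int = None
    image: str = None

PROCESS_RE = re.compile(r"^PROCESS\s+([0-9a-fA-F]+)")
CID_RE = re.compile(r"Cid:\s*([0-9a-fA-F]+).*?ParentCid:\s*([0-9a-fA-F]+)")
IMAGE_RE = re.compile(r"Image:\s*(\S+)")

def parse_process_dump(text: str) -> list:
    # Header and diagnostic lines (e.g. the VAD warnings) match no pattern and are skipped.
    procs, cur = [], KdProcess("")   # placeholder until the first PROCESS line
    for line in text.splitlines():
        if m := PROCESS_RE.match(line):
            cur = KdProcess(m.group(1).lower())
            procs.append(cur)
        elif m := CID_RE.search(line):
            cur.cid, cur.parent_cid = int(m.group(1), 16), int(m.group(2), 16)
        elif m := IMAGE_RE.search(line):
            cur.image = m.group(1)
    return procs

def find_by_image(procs: list, image: str) -> list:
    # Case-insensitive; several processes may share an image name (e.g. svchost.exe).
    return [p for p in procs if p.image and p.image.lower() == image.lower()]

def context_switch_command(proc: KdProcess) -> str:
    # .process /p /r <EPROCESS> switches KD into that process (/r reloads user-mode symbols).
    return f".process /p /r {proc.address}"
```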
