In my last post I showed you how to find your user-mode (UM) process from the kernel debugger (KD). It produced output something like this:
kd> !process /m my_module.dll 0 0
Searching processes with loaded module 'my_module.dll'
**** NT ACTIVE PROCESS DUMP ****
Unable to get LeftChild of nt!_MMVAD_SHORT at ffffe00002d075c0
failed to count VADs
PROCESS ffffe00002d0a940
SessionId: 0 Cid: 0394 Peb: 7ff72d81d000 ParentCid: 025c
DirBase: 0ca19000 ObjectTable: ffffc00001423e40 HandleCount: 706.
Image: svchost.exe
To switch the debugger's context to this process, you use the .process command with the EPROCESS address from that listing:
.process /r /p ffffe00002d0a940
/r <= reloads user-mode symbols for the new process context (the same effect as running .reload /user afterwards)
/p <= translates the process's page table entries to physical addresses before access, so the user-mode virtual addresses of that process can be read from the kernel debugger. Without it the debugger keeps translating addresses through the page tables of whatever process was current at the break, so reads of the new process' user-mode memory come back wrong or fail; with it, reads can be slow because of the extra translation work.
This is a non-invasive switch: it changes which process' memory and symbols you see, but the target is still stopped in whatever process happened to be running when it broke in. If you need the target to actually run in that process (for example to hit a user-mode breakpoint inside it), use .process /i <address> instead, then g; the debugger breaks back in with that process current, and you can then .reload /user and set breakpoints.
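A complete session putting the two posts together, added here as an illustration and not part of the original post. The addresses are the ones from the listing above; my_module!SomeFunction is a hypothetical symbol name, and the echoed debugger output is abbreviated:

```windbg
kd> $$ Step 1 (previous post): find the EPROCESS of the process that loaded the DLL
kd> !process /m my_module.dll 0 0
PROCESS ffffe00002d0a940
    SessionId: 0  Cid: 0394    Peb: 7ff72d81d000  ParentCid: 025c
    Image: svchost.exe

kd> $$ Step 2: non-invasive switch; /p maps its user pages, /r loads its user-mode symbols
kd> .process /r /p ffffe00002d0a940
Implicit process is now ffffe000`02d0a940
Loading User Symbols

kd> $$ Step 3: check that the switch took effect; -1 means "the current process"
kd> !process -1 0
PROCESS ffffe00002d0a940
    Image: svchost.exe
kd> !peb
PEB at 00007ff72d81d000
kd> lm m my_module*
start             end                 module name
...               ...                 my_module

kd> $$ Step 4 (optional): invasive switch when you need to run inside this process,
kd> $$ e.g. for a user-mode breakpoint; it requires g and breaks back in the new context
kd> .process /i ffffe00002d0a940
You need to continue execution (press 'g' <enter>) for the context
to be switched. When the debugger breaks in again, you will be in
the new process context.
kd> g
kd> .reload /user
kd> bp my_module!SomeFunction    $$ hypothetical symbol name
kd> g
```

The check in step 3 is the one worth remembering: if !peb reports that it cannot read the PEB at the address shown in the process listing, the page tables were not switched (typically /p was omitted), and any user-mode addresses you dump afterwards belong to the wrong process.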