Let's get right into it. Most of the time it is very easy to find where a DLL or EXE is loaded using tlist.exe (aka task list). In an elevated prompt, type:
> tlist /m module.dll|exe
eg.
C:\Debuggers> tlist /m cfgmgr32.dll
C:\WINDOWS\System32\cfgmgr32.dll - 828 lsass.exe
C:\WINDOWS\System32\cfgmgr32.dll - 1108 svchost.exe
C:\WINDOWS\System32\cfgmgr32.dll - 1132 WUDFHost.exe
C:\WINDOWS\System32\cfgmgr32.dll - 1240 svchost.exe
C:\WINDOWS\System32\cfgmgr32.dll - 1304 svchost.exe
C:\WINDOWS\System32\CFGMGR32.dll - 1556 svchost.exe
C:\WINDOWS\System32\cfgmgr32.dll - 1652 svchost.exe
C:\WINDOWS\System32\cfgmgr32.dll - 1676 dwm.exe DWM Notification Window
C:\WINDOWS\System32\cfgmgr32.dll - 1940 svchost.exe
C:\WINDOWS\System32\cfgmgr32.dll - 2016 svchost.exe
C:\WINDOWS\System32\cfgmgr32.dll - 1348 svchost.exe
...
I think generally though the idea is that you can use this to find the PID for debugging the component in question.
eg.
C:\Debuggers> tlist /m notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE - 12900 notepad.exe remote.txt - Notepad
C:\Debuggers>windbg -p 12900
That is assuming that it is already loaded and running. What if it isn't loaded?
eg.
C:\Debuggers> tlist /m hotplug.dll
No tasks found using HOTPLUG.DLL
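As an added example (not part of the original post), the same "which processes have this module loaded" check in PowerShell, for a box where the Debugging Tools are not installed. It mirrors the two tlist /m outcomes above and also reports the processes it could not open, which is the usual reason a module that is really loaded (for example in lsass.exe) does not show up from a non-elevated prompt. The function name Find-LoadedModule is my own.

```powershell
# Added example, not from the original post: a PowerShell equivalent of
# "tlist /m <module>". Run it from an elevated prompt, like tlist; otherwise
# protected or higher-integrity processes land in the 'Unreadable' list.
function Find-LoadedModule {
    param(
        [Parameter(Mandatory)] [string] $ModuleName   # e.g. 'cfgmgr32.dll'
    )
    $hits = @()
    $unreadable = @()
    foreach ($proc in Get-Process) {
        try {
            # .Modules enumerates the loaded DLLs plus the main image. It throws
            # for processes we lack rights on and for the other bitness
            # (32-bit host looking at a 64-bit process, or vice versa).
            $mods = $proc.Modules
        } catch {
            $unreadable += [pscustomobject]@{
                ProcessId = $proc.Id
                Name      = $proc.ProcessName
                Reason    = $_.Exception.Message
            }
            continue
        }
        foreach ($m in $mods) {
            # Case-insensitive match: tlist lists CFGMGR32.dll and cfgmgr32.dll
            # for the same file, depending on how each process referenced it.
            if ($m.ModuleName -ieq $ModuleName) {
                $hits += [pscustomobject]@{
                    Path      = $m.FileName
                    ProcessId = $proc.Id
                    Name      = $proc.ProcessName
                    Title     = $proc.MainWindowTitle
                }
            }
        }
    }
    [pscustomobject]@{ Hits = $hits; Unreadable = $unreadable }
}

$module = 'cfgmgr32.dll'      # constructed sample input; try 'hotplug.dll' too
$result = Find-LoadedModule -ModuleName $module
if ($result.Hits.Count -eq 0) {
    "No tasks found using $module"   # same wording as tlist
} else {
    $result.Hits | Format-Table Path, ProcessId, Name, Title -AutoSize
}
if ($result.Unreadable.Count -gt 0) {
    "Could not inspect $($result.Unreadable.Count) process(es); re-run elevated:"
    $result.Unreadable | Format-Table ProcessId, Name, Reason -AutoSize
}
```

The ProcessId column is what you pass to windbg -p, exactly as with the tlist output.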
The easiest case is when you know where it will be loaded. For example, you may know that explorer.exe will load it eventually. Then you simply attach a debugger to explorer.exe:
eg.
C:\Debuggers> tlist explorer.exe
9020 explorer.exe Program Manager
CWD: C:\WINDOWS\system32\
CmdLine: "C:\WINDOWS\explorer.exe"
VirtualSize: 2148226416 KB PeakVirtualSize: 2149576868 KB
...
C:\Debuggers> windbg -p 9020
After that, you can do standard WinDbg stuff like setting a breakpoint:
eg.
> bp hotplug!SomeFunction
Or, if you need to break it before the DLL gets fully loaded, that is a little more work:
> sxe ld hotplug.dll
> bp hotplug!DllMain
> g
What if you have no idea where hotplug.dll gets loaded? That is where using a KD comes in handy.