In WinDbg, `dd nt!NtOpenProcess` displays its output normally, but some other commands fail. This is the typical symptom of the debugger having only export symbols for the kernel: NtOpenProcess is an exported routine, so its address resolves without a .pdb, while commands that need type information from the kernel's .pdb do not work.
Examples:
1. `!process 0 0` reports an error
lkd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
NT symbols are incorrect, please fix symbols
2. `dt _eprocess` reports an error
lkd> dt _eprocess
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: _mprocess ***
*** ***
*************************************************************************
Symbol _mprocess not found.
Fix:
1. Check whether antivirus software is running; if so, close 360 or whatever antivirus is installed, since it can block the symbol download.
2. Suppose your symbol cache lives in the symbols directory under D:\WINDDK. The following symbol paths make WinDbg download the needed .pdb files from the Microsoft symbol server into that directory automatically. The syntax is srv*<local cache>*<server URL>; a second entry after a semicolon adds another local directory that is searched as well:
srv*D:\WINDDK\symbols*http://msdl.microsoft.com/download/symbols
srv*D:\symbols*http://msdl.microsoft.com/download/symbols;D:\symbols
Delete the files in the symbols directory by hand, open WinDbg -> File -> Symbol File Path (Ctrl+S), paste one of the paths above and confirm; the symbols are downloaded again, which takes a moment. Then run .reload and test again.
Alternatively open WinDbg -> File -> Symbol File Path (Ctrl+S) -> Browse, select the already downloaded symbols directory, tick Reload and click OK.
After a successful download the symbols directory contains an ntkrpamp.pdb subfolder (the PDB of the x86 multiprocessor PAE kernel; on other kernel builds the name is ntoskrnl.pdb, ntkrnlpa.pdb or ntkrnlmp.pdb).
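The same repair done from the command line instead of the dialog, added here as an illustration and not part of the original notes, so that the cause of the error becomes visible. The cache directory D:\WINDDK\symbols is the one from the notes; current WinDbg builds use https://msdl.microsoft.com/download/symbols, to which the http URL redirects.

```windbg
lkd> !sym noisy
$$ print every path and URL the debugger tries, so a blocked or failed download shows up
lkd> .sympath srv*D:\WINDDK\symbols*http://msdl.microsoft.com/download/symbols
$$ shortcut with the same effect: .symfix D:\WINDDK\symbols
lkd> .reload /f nt
$$ force the kernel PDB to be fetched again instead of using a cached, export-only copy
lkd> lm m nt
$$ must show "(pdb symbols)" with a path into D:\WINDDK\symbols, not "(export symbols)"
lkd> !sym quiet
lkd> dt nt!_EPROCESS
lkd> !process 0 0
```

If `lm m nt` still reports export symbols after `.reload /f nt`, the `!sym noisy` output shows the URL that failed; that is the point to check the antivirus, proxy or firewall mentioned above rather than the symbol path itself.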
u NtOpenProcess NtOpenProcess+100 //disassemble from NtOpenProcess up to NtOpenProcess+0x100 (WinDbg treats numbers as hex by default, so this covers 0x100 bytes, not 100 lines; use u NtOpenProcess L0n100 for 100 instructions)
Local kernel debugging:
WinDbg -> File -> Kernel Debugging -> Local -> OK (the prompt becomes lkd>)
Caveat: a local kernel session can read and write kernel memory (dd, dt, eb, !process, lm) but cannot stop the running kernel, so breakpoints (bp, ba) and execution control (g) are not available there. The breakpoint commands below need a live two-machine or virtual-machine kernel debug session, where the prompt is kd>.
bl //list breakpoints with their number, enabled/disabled status and address (the call stack is shown by k, not bl)
bd 0 //disable breakpoint 0 (be 0 re-enables it, bc 0 deletes it)
bd 1 //disable breakpoint 1
lm //list loaded modules with their base addresses, drivers included (lm m <name> filters by module name)
.reload //reload the symbol table, e.g. after changing the symbol path
ba r1 804d9a24 //hardware data breakpoint: break on any 1-byte read or write of the address
ba e1 804d9a24 //hardware execution breakpoint (the size for e must be 1)
bp 804d9a24+10 //software INT3 breakpoint at the address + 0x10; this is the closest counterpart to F2 in OllyDbg
eb 804f8876 90 //write 1 byte (the value is required, here 0x90; eb without a value enters interactive input mode)
ew 804f8876 9090 //write 2 bytes (a word)
ed 804f8876 90909090 //write 4 bytes (a dword)
dds esp //dump dwords at esp with symbol names, i.e. the raw stack with return addresses
Another symbol path example, with the cache under Program Files:
srv*D:\Program Files\Symbols*http://msdl.microsoft.com/download/symbols
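A worked breakpoint and patch session, added here as an illustration rather than taken from the notes, run against a target under a live kernel debugger (kd>), since lkd cannot set breakpoints. Symbols are used instead of the hard-coded addresses 804d9a24 and 804f8876 from the list above, because those addresses belong to one specific kernel build; nt!NtOpenProcess+10 as the patch location and the NOP bytes are chosen for illustration only.

```windbg
kd> .reload
kd> x nt!NtOpenProcess
$$ resolve the address instead of hard-coding it; it changes with every kernel build
kd> bp nt!NtOpenProcess
$$ software INT3 breakpoint, the counterpart of F2 in OllyDbg
kd> ba e1 nt!NtOpenProcess+10
$$ hardware execution breakpoint; the size for e must be 1
kd> ba w4 nt!KeServiceDescriptorTable
$$ hardware data breakpoint: fires when something overwrites the SSDT base pointer (a classic rootkit hook)
kd> bl
$$ one line per breakpoint: number, e(nabled)/d(isabled), address, pass count, symbol
kd> bd 1
$$ disable breakpoint 1; be 1 re-enables it, bc 1 removes it
kd> g
$$ run until breakpoint 0 (nt!NtOpenProcess) is hit
kd> dds esp L4
$$ return address plus the first three stack arguments of the call
kd> k
$$ the call stack, which is what bl does not show
kd> u nt!NtOpenProcess L8
$$ first 8 instructions (numbers are hex: L8 is 8, L100 is 0x100)
kd> db nt!NtOpenProcess+10 L2
$$ record the original two bytes before patching
kd> eb nt!NtOpenProcess+10 90 90
$$ write two NOP bytes; eb without values prompts interactively instead
kd> u nt!NtOpenProcess+10 L1
$$ verify the patch, then restore the recorded bytes with the same eb command
kd> bc *
$$ clear all breakpoints before g or detaching
```

Patching kernel code this way is workable on the x86 kernels these notes target (ntkrpamp); on x64, Kernel Patch Protection (PatchGuard) bugchecks the machine when it detects such modifications, so there the write is only useful in a debug-mode VM.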