固定用法:.process /p /r <进程地址>; !process <进程地址> 7(进程地址即下面 !mex.tl 输出中 Address 列的值)
参考 https://cloud.tencent.com/developer/article/1927567,用 !mex.tl 列出全部进程:
For analysis of this file, run !analyze -v
34: kd> .load e:\Mex\mex.dll
Mex External 3.0.0.7172 Loaded!
34: kd> !mex.tl
PID Address Name
============== ================ ===========================
0x0 0n0 fffff80081924a00 Idle
0x4 0n4 ffffe58a846b7080 System
0x35c 0n860 ffffe58a847b6040 Registry
0x678 0n1656 ffffe58aa279f280 smss.exe
0x6f0 0n1776 ffffe58aa59c4140 csrss.exe
0x73c 0n1852 ffffe58aa58410c0 wininit.exe
0x744 0n1860 ffffed8bca699140 csrss.exe
0x784 0n1924 ffffed8bca6a6080 winlogon.exe
0x7cc 0n1996 ffffe58accb50200 services.exe
0x7f4 0n2036 ffffe58aa422c0c0 svchost.exe(-p)
0x810 0n2064 ffffed8bca7b02c0 fontdrvhost.exe
0x818 0n2072 ffffe58accb522c0 fontdrvhost.exe
0x870 0n2160 ffffe58accb65240 svchost.exe
0x8a4 0n2212 ffffe58aa42d20c0 svchost.exe
0x918 0n2328 ffffe58aa421f0c0 svchost.exe
0x91c 0n2332 ffffe58aa42630c0 svchost.exe
0x928 0n2344 ffffe58aa2fae0c0 svchost.exe
0x934 0n2356 ffffe58aa42960c0 svchost.exe
0x998 0n2456 ffffe58aa27340c0 svchost.exe
0x9a0 0n2464 ffffe58aa27990c0 svchost.exe
0x9a8 0n2472 ffffe58aa27aa0c0 svchost.exe
0xa04 0n2564 ffffe58aa28460c0 svchost.exe
0xa44 0n2628 ffffed8bca863180 dwm.exe
0xa98 0n2712 ffffe58aa2b570c0 svchost.exe
0xad0 0n2768 ffffe58aa2c020c0 svchost.exe
0xaf4 0n2804 ffffe58aa2c680c0 svchost.exe
0xb70 0n2928 ffffe58aa2fa20c0 svchost.exe
0xb90 0n2960 ffffe58aa428a0c0 svchost.exe
0xbe4 0n3044 ffffe58aa4cc80c0 svchost.exe
0xbec 0n3052 ffffe58aa4d020c0 svchost.exe
0x808 0n2056 ffffe58aa4d230c0 svchost.exe
0xc1c 0n3100 ffffe58aa4dc80c0 svchost.exe
0xc64 0n3172 ffffe58aa51c80c0 svchost.exe
0xc88 0n3208 ffffe58aa52440c0 svchost.exe
0xcb4 0n3252 ffffe58aa53020c0 svchost.exe
0xd64 0n3428 ffffe58aa5b020c0 svchost.exe
0xd6c 0n3436 ffffe58aa5b230c0 svchost.exe
0xd74 0n3444 ffffe58aa5b440c0 svchost.exe
0xdd0 0n3536 ffffe58aa43cc0c0 svchost.exe
0xde8 0n3560 ffffe58accaad0c0 svchost.exe
0xe0c 0n3596 ffffe58accb020c0 svchost.exe
0xe68 0n3688 ffffe58aa438a0c0 svchost.exe
0xf28 0n3880 ffffe58aa2f6d0c0 svchost.exe
0xf44 0n3908 ffffe58aa4266080 svchost.exe
0xf68 0n3944 ffffe58aa3dc30c0 svchost.exe
0x1128 0n4392 ffffe58aa2955080 svchost.exe
0x1130 0n4400 ffffe58aa2966080 svchost.exe
0x113c 0n4412 ffffe58aa29bb080 svchost.exe
0x1144 0n4420 ffffe58aa2a88080 svchost.exe
0x115c 0n4444 ffffe58aa29dd080 svchost.exe
0x1164 0n4452 ffffe58aa2a55080 svchost.exe
0x116c 0n4460 ffffe58aa2f8f080 svchost.exe
0x1174 0n4468 ffffe58a90db1080 svchost.exe
0x1178 0n4472 ffffe58aa2fb1080 svchost.exe
0x1184 0n4484 ffffe58aa2fa0080 svchost.exe
0x11b4 0n4532 ffffe58aa2c33080 winvnc.exe
0x11c4 0n4548 ffffe58aa2d52080 vpnclient_x64.exe
0x11dc 0n4572 ffffe58aa2fc2080 vm3dservice.exe
0x1208 0n4616 ffffe58aa2c44080 svchost.exe
0x1244 0n4676 ffffe58aa5584080 MsMpEng.exe
0x12c8 0n4808 ffffe58aa5684080 svchost.exe
0x1310 0n4880 ffffe58aa5321080 svchost.exe
0x1350 0n4944 ffffe58a846ba080 svchost.exe
0x1370 0n4976 ffffed8bcaba5080 vm3dservice.exe
0x12b4 0n4788 ffffe58aa5421080 svchost.exe
0x1480 0n5248 ffffe58aa40430c0 svchost.exe
0x1a94 0n6804 ffffe58aa4192080 rlm.foundry.exe
0x1bc0 0n7104 ffffe58acccd6200 svchost.exe
0x1cc4 0n7364 ffffe58accebc240 WmiPrvSE.exe
0x1e50 0n7760 ffffe58acd06f080 SearchIndexer.exe
0x1ee4 0n7908 ffffe58acd0c3080 AggregatorHost.exe
0x1f84 0n8068 ffffe58acd11c080 svchost.exe
0x1c38 0n7224 ffffed8bcacaa0c0 winvnc.exe
0x1e7c 0n7804 ffffe58acd26c080 svchost.exe
0x2200 0n8704 ffffe58acd2e3080 NisSrv.exe
0x226c 0n8812 ffffe58acd2e4080 svchost.exe
0x2284 0n8836 ffffed8bcd21b080 sihost.exe
0x22bc 0n8892 ffffe58aa53c6080 svchost.exe
0x22e0 0n8928 ffffe58acd3020c0 MicrosoftEdgeUpdate.exe*32
0x2318 0n8984 ffffe58acd31a080 taskhostw.exe
0x2398 0n9112 ffffe58acd31f080 svchost.exe
0x23b4 0n9140 ffffe58acd320080 svchost.exe
0x23f4 0n9204 ffffe58acd3dc080 ctfmon.exe
0x2458 0n9304 ffffe58acd40f080 svchost.exe
0x24d4 0n9428 ffffed8bcd337080 explorer.exe
0x2558 0n9560 ffffe58acd489080 ChsIME.exe
0x2604 0n9732 ffffe58acd52f080 svchost.exe
0x26c8 0n9928 ffffe58aa29aa080 StartMenuExperienceHost.exe
0x270c 0n9996 ffffe58acd5f3080 svchost.exe
0x2768 0n10088 ffffe58acd6cf080 RuntimeBroker.exe
0x22f8 0n8952 ffffe58acd722080 SearchApp.exe
0x25e8 0n9704 ffffe58acd7560c0 RuntimeBroker.exe
0x2934 0n10548 ffffe58acd7c2080 RuntimeBroker.exe
0x2ad8 0n10968 ffffe58acd27d080 TextInputHost.exe
0x2b50 0n11088 ffffe58acd6de240 svchost.exe
0x2bb4 0n11188 ffffe58acd6e1080 MoUsoCoreWorker.exe
0x24e8 0n9448 ffffe58acd890080 SecurityHealthSystray.exe
0x2c20 0n11296 ffffe58acd7ea080 SecurityHealthService.exe
0x2c98 0n11416 ffffe58acd8710c0 vpnclient_x64.exe
0x2ce0 0n11488 ffffe58acdb7a080 msedge.exe
0x2cf8 0n11512 ffffe58acdb8d080 msedge.exe
0x2f70 0n12144 ffffe58acd9bc080 msedge.exe
0x2f78 0n12152 ffffe58acdd26080 msedge.exe
0x2f8c 0n12172 ffffe58acde350c0 msedge.exe
0x31a4 0n12708 ffffe58acdcf1080 svchost.exe
0x3224 0n12836 ffffe58acdc82080 vpncmgr_x64.exe
0x3298 0n12952 ffffe58acddb2080 cmd.exe
0x32a0 0n12960 ffffed8bcdd62200 conhost.exe
0x32ec 0n13036 ffffed8bcdd670c0 java.exe
0x32f4 0n13044 ffffed8bcdd780c0 jusched.exe*32
0x35d4 0n13780 ffffe58acdd9e080 svchost.exe
0x35b0 0n13744 ffffed8bca605240 rlm.foundry.exe
0xaa4 0n2724 ffffe58acddc4080 conhost.exe
0x3728 0n14120 ffffe58acdc3b080 cmd.exe
0x1b38 0n6968 ffffe58acdc3c080 cmd.exe
0x24dc 0n9436 ffffe58acdd7d080 conhost.exe
0x24c0 0n9408 ffffed8bcdfcb200 conhost.exe
0x2ab0 0n10928 ffffed8bcdd6a200 watcher.exe
0x2ab8 0n10936 ffffe58acdcde340 process-controller.exe*32
0x243c 0n9276 ffffe58acdbfb300 cmd.exe
0x22dc 0n8924 ffffe58acd313080 cmd.exe
0x31f8 0n12792 ffffe58acd9f02c0 conhost.exe
0x31cc 0n12748 ffffed8bcdfee200 conhost.exe
0x34fc 0n13564 ffffe58acdcf6080 vds.exe
0x354c 0n13644 ffffe58acd91a080 WmiPrvSE.exe
0x352c 0n13612 ffffe58acd488080 java.exe
0x1b18 0n6936 ffffe58acd862080 taskhostw.exe
0x32e0 0n13024 ffffed8bce4d1200 get_wmi_exporter.exe
0x3708 0n14088 ffffed8bce652200 get_wmi_exporter.exe
0xcd0 0n3280 ffffe58acdbe6080 svchost.exe
0x3254 0n12884 ffffe58acdc1c340 svchost.exe
0x3ac4 0n15044 ffffe58acd9ea300 SgrmBroker.exe
0x3b1c 0n15132 ffffe58acdc8d340 svchost.exe
0x3b50 0n15184 ffffe58ace0db340 svchost.exe
0x3bdc 0n15324 ffffe58acd982340 svchost.exe
0x3944 0n14660 ffffe58ace5710c0 windows_exporter.exe
0x2268 0n8808 ffffe58acf8ea080 svchost.exe
0x10e8 0n4328 ffffe58aa2bdf0c0 UserOOBEBroker.exe
0x38d0 0n14544 ffffe58acd487080 sesinetd.exe
0x29f8 0n10744 ffffe58acdd212c0 hserver.exe*32
0x35e0 0n13792 ffffe58acf8f3080 rlm.exe
0x1f04 0n7940 ffffed8bd43fc340 conhost.exe
0x30e8 0n12520 ffffed8bd4b53340 rlm.exe
0x3aac 0n15020 ffffed8bd181c200 hython.exe
0x230c 0n8972 ffffe58acceae0c0 svchost.exe
0x3e04 0n15876 ffffe58acdddc080 taskhostw.exe
0x2628 0n9768 ffffed8bcf92d200 ADPClientService.exe
0x3c2c 0n15404 ffffed8bcf930200 conhost.exe
0x13e8 0n5096 ffffed8bd2a9b200 cmd.exe
0x1344 0n4932 ffffed8bd2a9e200 pskill64.exe
============== ================ ===========================
PID Address Name
进程列表本身提供的信息毕竟有限;实在没有思路的话,按开头那个固定用法把可疑的进程逐一遍历一遍也无妨。
0x1344 0n4932 ffffed8bd2a9e200 pskill64.exe
.process /p /r ffffed8bd2a9e200; !process ffffed8bd2a9e200 7
这个 case 中,从 pskill64.exe 的 !process 输出中看到:
Owning Process ffffed8bd2a9e200 Image: pskill64.exe
Attached Process ffffe58aa422c0c0 Image: svchost.exe
继而逐级往上查看父进程(pskill64.exe 只是执行终止的工具,需要弄清是谁启动了它),最终看到的调用链是这样的:
process-controller.exe → hython.exe → cmd.exe → pskill64.exe
其实,这个 case 从一开始就能看到 TerminateAllThreads 和 TerminateProcess,
直接一个 !thread -1 就能搞定了。