Skip to content

2.19 获知被调试进程映像文件绝对路径

https://scz.617.cn/windows/201709261448.txt

Q:

在cdb中有时想获知被调试进程映像文件绝对路径。从cdb外部用Process Explorer查 看当然是可以的,但我想从cdb内部直接获取这种信息。已知这些命令达不到预期效 果:

| lmv m ping lmf !lmi ping

这些命令对.dll有效,对.exe无效,得不到.exe映像文件绝对路径。

A: scz 2017-09-26

!peb !peb @$peb ... WindowTitle: 'C:\Windows\system32\ping.exe' ImageFile: 'C:\Windows\SysWOW64\ping.exe' CommandLine: 'ping' ...

.shell -ci "!peb" findstr ImageFile: ImageFile: 'C:\Windows\SysWOW64\ping.exe'

dt ntdll!_PEB ProcessParameters->ImagePathName ProcessParameters->CommandLine ProcessParameters->WindowTitle @$peb +0x010 ProcessParameters : +0x038 ImagePathName : _UNICODE_STRING "C:\Windows\SysWOW64\ping.exe" +0x040 CommandLine : _UNICODE_STRING "ping" +0x070 WindowTitle : _UNICODE_STRING "C:\Windows\system32\ping.exe"

> !ustr poi(@$peb+0x10)+0x38

?? ((ntdll!_PEB*)@$peb)->ProcessParameters->ImagePathName ?? @$peb->ProcessParameters->ImagePathName struct _UNICODE_STRING "C:\Windows\SysWOW64\ping.exe" +0x000 Length : 0x38 +0x002 MaximumLength : 0x3a +0x004 Buffer : 0x005c2f8c "C:\Windows\SysWOW64\ping.exe"

!mapped_file ping Mapped file name for 008a0000: '\Device\HarddiskVolume2\Windows\SysWOW64\PING.EXE'