4.2 Segmentation and Paging under Windows

To view the constituents of these objects, use the following kernel debugger commands:

kd> dt nt!_EPROCESS
kd> dt nt!_KPROCESS
kd> dt nt!_PEB

If you'd like to see the actual literal values that populate one of these blocks for a process, you can issue the same command followed by the linear address of the block structure.

kd> dt nt!_eprocess 83275d90

As stated earlier, the !process 0 0 extension command will provide you with the address of each EPROCESS block (in the PROCESS field).

kd> !process 0 0
PROCESS 83275d90  SessionId: 0  Cid: 01dc    Peb: 7ffd7000  ParentCid: 01a4
    DirBase: 1157b000  ObjectTable: 8cedab48  HandleCount:  95.
    Image: wininit.exe

If you look closely, you'll see that the listing produced also contains a Peb field that specifies the linear address of the PEB. This will allow you to see what's in a given PEB structure.

kd> dt nt!_peb 7ffd7000

If you'd rather view a human-readable summary of the PEB, you can issue the !peb kernel-mode debugger extension command followed by the linear address of the PEB.

kd> !peb 7ffd7000

If you read through a dump of the EPROCESS structure, you'll see that the KPROCESS substructure just happens to be the first element of the EPROCESS block. Thus, its linear address is the same as the linear address of the EPROCESS block.

kd> dt nt!_kprocess 83275d90

An alternative approach to dumping KPROCESS and PEB structures explicitly is to use the recursive switch (-r) to view the values that populate all of the substructures nested underneath an EPROCESS block.

kd> dt -r nt!_eprocess 83275d90
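The relationships described above (the PROCESS field of !process 0 0 gives the EPROCESS address, the Peb field gives the PEB address, and the KPROCESS lives at offset zero of the EPROCESS, so a field's linear address is simply base plus the +0x offset that dt prints) can be checked mechanically against saved debugger output. The following Python script is an added example, not code from the book; it parses a constructed !process 0 0 listing and a constructed dt nt!_eprocess layout (the offsets approximate a Windows 7 x86 build and should be treated as illustrative, except that Pcb really is at +0x000), computes where each nested block lives, and emits the follow-up dt and !peb commands. The function names and the record layout are the script's own.

```python
import re
from dataclasses import dataclass

# Constructed "!process 0 0" output modelled on the listing in the text; the second
# record is invented so that the parent/child relationship can be checked.
PROCESS_LISTING = """\
PROCESS 83275d90  SessionId: 0  Cid: 01dc    Peb: 7ffd7000  ParentCid: 01a4
    DirBase: 1157b000  ObjectTable: 8cedab48  HandleCount:  95.
    Image: wininit.exe
PROCESS 8338a030  SessionId: 1  Cid: 0214    Peb: 7ffdf000  ParentCid: 01dc
    DirBase: 1f4c2000  ObjectTable: 8d03c410  HandleCount: 312.
    Image: explorer.exe
"""

# Constructed excerpt of "dt nt!_eprocess" output. Offsets approximate a Windows 7
# x86 build and vary between builds; only Pcb at +0x000 is the point being made.
EPROCESS_LAYOUT = """\
nt!_EPROCESS
   +0x000 Pcb              : _KPROCESS
   +0x098 ProcessLock      : _EX_PUSH_LOCK
   +0x0a0 CreateTime       : _LARGE_INTEGER
   +0x0b4 UniqueProcessId  : Ptr32 Void
   +0x16c ImageFileName    : [15] UChar
   +0x1a8 Peb              : Ptr32 _PEB
"""

PROCESS_LINE = re.compile(
    r"^PROCESS\s+(?P<eprocess>[0-9a-f]+)\s+SessionId:\s*(?P<session>\d+)"
    r"\s+Cid:\s*(?P<cid>[0-9a-f]+)\s+Peb:\s*(?P<peb>[0-9a-f]+)"
    r"\s+ParentCid:\s*(?P<parent>[0-9a-f]+)", re.I)
DIRBASE_LINE = re.compile(
    r"DirBase:\s*(?P<dirbase>[0-9a-f]+)\s+ObjectTable:\s*(?P<objtable>[0-9a-f]+)"
    r"\s+HandleCount:\s*(?P<handles>\d+)", re.I)
IMAGE_LINE = re.compile(r"Image:\s*(?P<image>\S+)")
DT_FIELD = re.compile(r"^\s*\+0x(?P<off>[0-9a-f]+)\s+(?P<name>\w+)\s*:\s*(?P<type>.+?)\s*$", re.I)


@dataclass
class ProcessRecord:
    eprocess: int        # linear address of the EPROCESS block (PROCESS field)
    session: int
    cid: int             # client id (process id), printed in hex by kd
    peb: int             # linear address of the PEB (user-mode, per-process)
    parent_cid: int
    dirbase: int = 0     # physical address of the page directory (CR3 value)
    object_table: int = 0
    handle_count: int = 0
    image: str = ""


def parse_process_listing(text):
    """Turn the three-line-per-process !process 0 0 output into records."""
    records = []
    for line in text.splitlines():
        m = PROCESS_LINE.match(line.strip())
        if m:
            records.append(ProcessRecord(
                eprocess=int(m["eprocess"], 16), session=int(m["session"]),
                cid=int(m["cid"], 16), peb=int(m["peb"], 16),
                parent_cid=int(m["parent"], 16)))
            continue
        if not records:
            continue  # banner text before the first PROCESS line
        cur = records[-1]
        m = DIRBASE_LINE.search(line)
        if m:
            cur.dirbase = int(m["dirbase"], 16)
            cur.object_table = int(m["objtable"], 16)
            cur.handle_count = int(m["handles"])
            continue
        m = IMAGE_LINE.search(line)
        if m:
            cur.image = m["image"]
    return records


def parse_dt_layout(text):
    """Map field name -> (offset, type string) from 'dt' output."""
    layout = {}
    for line in text.splitlines():
        m = DT_FIELD.match(line)
        if m:
            layout[m["name"]] = (int(m["off"], 16), m["type"])
    return layout


def field_address(base, layout, field):
    """Linear address of a nested field: block base plus the +0x offset dt printed."""
    offset, _ = layout[field]
    return base + offset


def kprocess_address(eprocess, layout):
    # Pcb (the embedded KPROCESS) is the first member, so this equals the EPROCESS address.
    return field_address(eprocess, layout, "Pcb")


def follow_up_commands(records, layout):
    """Commands to dump each process's EPROCESS, KPROCESS and PEB explicitly."""
    cmds = []
    for r in records:
        cmds.append(f"dt nt!_eprocess {r.eprocess:08x}")
        cmds.append(f"dt nt!_kprocess {kprocess_address(r.eprocess, layout):08x}")
        cmds.append(f"dt nt!_peb {r.peb:08x}")
        cmds.append(f"!peb {r.peb:08x}")
    return cmds


if __name__ == "__main__":
    procs = parse_process_listing(PROCESS_LISTING)
    layout = parse_dt_layout(EPROCESS_LAYOUT)
    for p in procs:
        print(f"{p.image:<14} EPROCESS={p.eprocess:08x} KPROCESS={kprocess_address(p.eprocess, layout):08x} "
              f"PEB={p.peb:08x} CR3={p.dirbase:08x}")
    print("\n".join(follow_up_commands(procs, layout)))
```

The DirBase value is the physical address loaded into CR3 when the process is scheduled, which is why it appears here alongside the per-process PEB: it is the anchor for the paging structures discussed in this section. Because the layout offsets come from the dt output for the specific build under the debugger, the script takes them as input rather than hard-coding them.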

Part I | 129