How to find a process command-line using kernel debugger?

I hadn't posted in two years; a lot happens in that much time, and I'm now part of the IIS team. I'm not sure what to write about, so I'll start with random stuff.


I find debugging very task oriented: there are usually several ways to get an answer to the same question. Say someone hands you a machine set up for kernel-mode debugging and you want the equivalent of .tlist -v, a list of all processes with their PID, session and command line. If you are attached from a remote machine, .tlist lists the processes on the machine running the debugger, not the target. To list the processes on the target and dump per-process information such as the command-line arguments, follow these steps:


1. List the processes.


kd> !process 0 0


**** NT ACTIVE PROCESS DUMP ****
PROCESS 8447b790  SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 00122000  ObjectTable: 830002d8  HandleCount: 580.
    Image: System


… (some other processes)


PROCESS 867b7d90  SessionId: 0  Cid: 07a4    Peb: 7ffdf000  ParentCid: 0a00
    DirBase: 7ea6b560  ObjectTable: 83170470  HandleCount:  60.
    Image: appcmd.exe


2. Find your process and copy its DirBase value (the page directory base), in this example appcmd.exe (7ea6b560), then switch the debugger into that process' address space. .context takes the page directory base, not the PROCESS address:


kd> .context 7ea6b560


3. Dump the PEB of the process you just switched to; the output includes the image path and the command line:


kd> !peb


PEB at 7ffdf000
    InheritedAddressSpace:    No
    ReadImageFileExecOptions: No
    BeingDebugged:            No


…. (more information)


    ImageFile:    'D:\Windows\System32\inetsrv\appcmd.exe'
    CommandLine:  'D:\Windows\System32\inetsrv\appcmd.exe clear config -section:system.webServer/cgi'
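The same lookup as a single kd session, added here as an example rather than copied from the original post. It goes a little beyond the three steps above: it filters !process by image name so you do not have to scroll through the whole list, uses .process /p /r with the PROCESS (EPROCESS) address instead of copying the DirBase by hand (/p sets the page directory base, /r reloads user-mode symbols), and shows how to reach the command line through dt if !peb cannot resolve it. The PROCESS and Peb addresses are the ones from the transcript above; the ProcessParameters pointer (<params>) is a placeholder you read from the dt output on your own target.

```windbg
$$ 1. Find the target process by image name instead of dumping every process
kd> !process 0 0 appcmd.exe

$$ 2. Switch to its address space using the PROCESS address from the output
$$    (/p = set page directory base, /r = reload user-mode symbols)
kd> .process /p /r 867b7d90

$$ 3. Dump the PEB; look for ImageFile: and CommandLine: near the end
kd> !peb

$$ Fallback: walk the structures by hand if !peb is unavailable or incomplete.
$$ The Peb address comes from the !process line for this process.
kd> dt nt!_PEB 7ffdf000 ProcessParameters
kd> dt nt!_RTL_USER_PROCESS_PARAMETERS <params> CommandLine

$$ CommandLine is a UNICODE_STRING; if dt truncates it, dump the buffer directly
$$ (<buffer> is the Buffer member shown by the previous command).
kd> du <buffer>
```

One caveat when debugging a live target: the PEB and process parameters live in user-mode memory and may be paged out, in which case !peb or dt report that the memory cannot be read. The process must have those pages resident for this to work; a process that is actively running (as appcmd.exe was here) normally does. Also note that the process list is a snapshot, so re-run !process if the target has been running since you last looked.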
