当前位置: 文江博客话题详情

从 Windows 用户模式转储文件中识别主机

发布于 2024-07-04 18:49:37 字数 89 浏览 8 评论 0原文

有没有一种简单的方法可以找出通过 WinDbg 生成用户模式转储文件的计算机的主机名?

或者至少尝试确认两个转储文件来自同一系统的任何识别信息。

原文

Is there an easy way of finding out the host name of a machine that generated a user mode dump file via WinDbg?

Or at least any piece of identifying information to try and confirm that two dump files came from the same system.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(4

遗弃M 2024-07-11 18:49:37

在内核和用户模式下,

10: kd> !envvar COMPUTERNAME
COMPUTERNAME = a-host-name

检索目标 PC 的计算机名称(又名主机名)。

它需要加载 EXTS.dll 扩展,以及 Windows XP+(撰写本文时为 W10 RS3)。

在内核模式下,这不能直接工作,!envvar将返回空

10: kd> !peb
PEB NULL...

您当前的上下文是一个空闲线程。

WinDbg(Windows 10 RS3 16299.15 SDK)针对 !process 的帮助仅列出了位 0-4,但是我发现位 5 在与 0 和 4 一起使用时会转储整个环境。Flags = 0b110001。 所以我在 WinDbg 启动脚本期间使用它来自动记录计算机名称。

!process 0 0x31 wininit.exe

将转储所有环境变量:

10: kd> !process 0 0x31 wininit.exe
PROCESS ffffc485c82655c0
    SessionId: 0  Cid: 02d0    Peb: 8d04c6b000  ParentCid: 0258
    DirBase: 40452f000  ObjectTable: ffffe30b1150fb40  HandleCount: 163.
    Image: wininit.exe
    VadRoot ffffc485c862b990 Vads 61 Clone 0 Private 326. Modified 12. Locked 2.
    DeviceMap ffffe30b0a817880
    Token                             ffffe30b1150f060
    ElapsedTime                       00:00:18.541
    UserTime                          00:00:00.000
    KernelTime                        00:00:00.015
    QuotaPoolUsage[PagedPool]         121696
    QuotaPoolUsage[NonPagedPool]      11448
    Working Set Sizes (now,min,max)  (1750, 50, 345) (7000KB, 200KB, 1380KB)
    PeakWorkingSetSize                1697
    VirtualSize                       2097239 Mb
    PeakVirtualSize                   2097239 Mb
    PageFaultCount                    2104
    MemoryPriority                    BACKGROUND
    BasePriority                      13
    CommitCharge                      470

    PEB at 0000008d04c6b000            
    InheritedAddressSpace:    No
    ReadImageFileExecOptions: No
    BeingDebugged:            No
    ImageBaseAddress:         00007ff7be3d0000
    Ldr                       00007ff8dff4f3a0
    Ldr.Initialized:          Yes
    Ldr.InInitializationOrderModuleList: 000001be470e1c10 . 000001be47128d60
    Ldr.InLoadOrderModuleList:           000001be470e1d80 . 000001be47128d40
    Ldr.InMemoryOrderModuleList:         000001be470e1d90 . 000001be47128d50
                    Base TimeStamp                     Module
            7ff7be3d0000 600d94df Jan 24 10:40:15 2021 C:\Windows\system32\wininit.exe
            7ff8dfdf0000 493793ea Dec 04 03:25:14 2008 C:\Windows\SYSTEM32\ntdll.dll
...
    SubSystemData:     0000000000000000
    ProcessHeap:       000001be470e0000
    ProcessParameters: 000001be470e1460
    CurrentDirectory:  'C:\Windows\system32\'
    WindowTitle:  '< Name not readable >'
    ImageFile:    'C:\Windows\system32\wininit.exe'
    CommandLine:  'wininit.exe'
    DllPath:      '< Name not readable >'
    Environment:  000001be47104460
        ALLUSERSPROFILE=C:\ProgramData
        CommonProgramFiles=C:\Program Files\Common Files
        CommonProgramFiles(x86)=C:\Program Files (x86)\Common Files
        CommonProgramW6432=C:\Program Files\Common Files
        COMPUTERNAME=a-host-name
        ComSpec=C:\Windows\system32\cmd.exe
        NUMBER_OF_PROCESSORS=16
        OS=Windows_NT
        Path=C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\
        PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
        PROCESSOR_ARCHITECTURE=AMD64
        PROCESSOR_IDENTIFIER=AMD64 Family 23 Model 1 Stepping 1, AuthenticAMD
        PROCESSOR_LEVEL=23
        PROCESSOR_REVISION=0101
        ProgramData=C:\ProgramData
        ProgramFiles=C:\Program Files
        ProgramFiles(x86)=C:\Program Files (x86)
        ProgramW6432=C:\Program Files
        PSModulePath=%ProgramFiles%\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules
        PUBLIC=C:\Users\Public
        SystemDrive=C:
        SystemRoot=C:\Windows
        TEMP=C:\temp
        TMP=C:\temp
        USERNAME=SYSTEM
        USERPROFILE=C:\Windows\system32\config\systemprofile
        windir=C:\Windows

您可以单击 PEB dml 链接,或通过 .process /p 切换上下文,然后 !envvar COMPUTERNAME 也会工作。

In both kernel and user mode,

10: kd> !envvar COMPUTERNAME
COMPUTERNAME = a-host-name

Retrieves the computer name aka hostname of the target PC.

It requires EXTS.dll extension to be loaded, and Windows XP+ (W10 RS3 at the time of writing).

In kernel mode, this does not work directly, !envvar will return empty

10: kd> !peb
PEB NULL...

Your current context is an idle thread.

WinDbg (Windows 10 RS3 16299.15 SDK) help for !process only lists bits 0-4, however I found bit 5 dumps whole environment when used with 0 and 4. Flags = 0b110001. So I use this during WinDbg startup script to automatically log the computer name.

!process 0 0x31 wininit.exe

Will dump the all the environment variables:

10: kd> !process 0 0x31 wininit.exe
PROCESS ffffc485c82655c0
    SessionId: 0  Cid: 02d0    Peb: 8d04c6b000  ParentCid: 0258
    DirBase: 40452f000  ObjectTable: ffffe30b1150fb40  HandleCount: 163.
    Image: wininit.exe
    VadRoot ffffc485c862b990 Vads 61 Clone 0 Private 326. Modified 12. Locked 2.
    DeviceMap ffffe30b0a817880
    Token                             ffffe30b1150f060
    ElapsedTime                       00:00:18.541
    UserTime                          00:00:00.000
    KernelTime                        00:00:00.015
    QuotaPoolUsage[PagedPool]         121696
    QuotaPoolUsage[NonPagedPool]      11448
    Working Set Sizes (now,min,max)  (1750, 50, 345) (7000KB, 200KB, 1380KB)
    PeakWorkingSetSize                1697
    VirtualSize                       2097239 Mb
    PeakVirtualSize                   2097239 Mb
    PageFaultCount                    2104
    MemoryPriority                    BACKGROUND
    BasePriority                      13
    CommitCharge                      470

    PEB at 0000008d04c6b000            
    InheritedAddressSpace:    No
    ReadImageFileExecOptions: No
    BeingDebugged:            No
    ImageBaseAddress:         00007ff7be3d0000
    Ldr                       00007ff8dff4f3a0
    Ldr.Initialized:          Yes
    Ldr.InInitializationOrderModuleList: 000001be470e1c10 . 000001be47128d60
    Ldr.InLoadOrderModuleList:           000001be470e1d80 . 000001be47128d40
    Ldr.InMemoryOrderModuleList:         000001be470e1d90 . 000001be47128d50
                    Base TimeStamp                     Module
            7ff7be3d0000 600d94df Jan 24 10:40:15 2021 C:\Windows\system32\wininit.exe
            7ff8dfdf0000 493793ea Dec 04 03:25:14 2008 C:\Windows\SYSTEM32\ntdll.dll
...
    SubSystemData:     0000000000000000
    ProcessHeap:       000001be470e0000
    ProcessParameters: 000001be470e1460
    CurrentDirectory:  'C:\Windows\system32\'
    WindowTitle:  '< Name not readable >'
    ImageFile:    'C:\Windows\system32\wininit.exe'
    CommandLine:  'wininit.exe'
    DllPath:      '< Name not readable >'
    Environment:  000001be47104460
        ALLUSERSPROFILE=C:\ProgramData
        CommonProgramFiles=C:\Program Files\Common Files
        CommonProgramFiles(x86)=C:\Program Files (x86)\Common Files
        CommonProgramW6432=C:\Program Files\Common Files
        COMPUTERNAME=a-host-name
        ComSpec=C:\Windows\system32\cmd.exe
        NUMBER_OF_PROCESSORS=16
        OS=Windows_NT
        Path=C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\
        PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
        PROCESSOR_ARCHITECTURE=AMD64
        PROCESSOR_IDENTIFIER=AMD64 Family 23 Model 1 Stepping 1, AuthenticAMD
        PROCESSOR_LEVEL=23
        PROCESSOR_REVISION=0101
        ProgramData=C:\ProgramData
        ProgramFiles=C:\Program Files
        ProgramFiles(x86)=C:\Program Files (x86)
        ProgramW6432=C:\Program Files
        PSModulePath=%ProgramFiles%\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules
        PUBLIC=C:\Users\Public
        SystemDrive=C:
        SystemRoot=C:\Windows
        TEMP=C:\temp
        TMP=C:\temp
        USERNAME=SYSTEM
        USERPROFILE=C:\Windows\system32\config\systemprofile
        windir=C:\Windows

You could click on a PEB dml link, or switch context via .process /p <PROCESS_ADDRESS>, then !envvar COMPUTERNAME would also work.

回复 原文
朮生 2024-07-11 18:49:37

对于 IP 地址列表:
3:kd> 杜 poi(poi(srvnet!SrvAdminIpAddressList))
ffffe001<代码>d3d58450“127.0.0.1”
3:kd> 杜
ffffe001d3d58464“::1”
3:kd>
ffffe001<代码>d3d5846c“169.254.66.248”
3:kd>
ffffe001d3d5848a“”
3:kd>
ffffe001d3d5848c "fe80::f0cb:5439:f12f:42f8"
3:kd>
ffffe001d3d584c0“”
3:kd>
ffffe001<代码>d3d584c2“192.168.104.249”
3:kd>
ffffe001d3d584e2“”
3:kd>
ffffe001`d3d584e4“fe80::fc6f:ae16:b336:83dc”
3:kd>

For IP Address list:
3: kd> du poi(poi(srvnet!SrvAdminIpAddressList))
ffffe001d3d58450 "127.0.0.1"
3: kd> du
ffffe001d3d58464 "::1"
3: kd>
ffffe001d3d5846c "169.254.66.248"
3: kd>
ffffe001d3d5848a ""
3: kd>
ffffe001d3d5848c "fe80::f0cb:5439:f12f:42f8"
3: kd>
ffffe001d3d584c0 ""
3: kd>
ffffe001d3d584c2 "192.168.104.249"
3: kd>
ffffe001d3d584e2 ""
3: kd>
ffffe001`d3d584e4 "fe80::fc6f:ae16:b336:83dc"
3: kd>

回复 原文
将军与妓 2024-07-11 18:49:37

您可以通过使用 WinDbg 分析用户转储文件来完成此操作。 运行 !peb 命令并在其输出中查找 COMPUTERNAME 的值。

You can do so by analyzing the user dump file with WinDbg. Run the !peb command and look for the value of COMPUTERNAME in its output.

回复 原文
故乡的云 2024-07-11 18:49:37

来自 debugger.chm:

在内核模式转储文件中查找计算机名称

如果需要确定进行故障转储的计算机的名称,可以使用 !peb 扩展名并查看对于 COMPUTERNAME 的值,它是其输出。

或者您可以使用以下命令:

0: kd> x srv!SrvComputerName
be8ce2e8  srv!SrvComputerName  = _UNICODE_STRING "AIGM-MYCOMP-PUB01"

在内核模式转储文件中查找 IP 地址

要确定进行故障转储的计算机的 IP 地址,请查找显示某些发送信息的线程堆栈/接收网络活动。 打开发送数据包或接收数据包之一。 IP 地址将在该数据包中可见。

编辑:我会注意到,根据转储文件的创建方式,PEB 信息可能不可用,因此您总是无法找到计算机名称。 特别是如果某些内容来自 Microsoft Winqual 网站,则它已被清理。

在 PEB 中使用环境变量的快捷方式:!envvar COMPUTERNAME

From debugger.chm:

Finding the Computer Name in a Kernel-Mode Dump File

If you need to determine the name of the computer on which the crash dump was made, you can use the !peb extension and look for the value of COMPUTERNAME it its output.

Or you can use the following command:

0: kd> x srv!SrvComputerName
be8ce2e8  srv!SrvComputerName  = _UNICODE_STRING "AIGM-MYCOMP-PUB01"

Finding the IP Address in a Kernel-Mode Dump File

To determine the IP address of the computer on which the crash dump was made, find a thread stack that shows some send/receive network activity. Open one of the send packets or receive packets. The IP address will be visible in that packet.

EDIT: I will note that depending on how the dump file was created, the PEB information may not be available and so you won't always be able to find the computer name. Particularly if something came through the Microsoft Winqual site, it has been sanitized.

Using the shortcut for environment variables in the PEB: !envvar COMPUTERNAME

回复 原文
~没有更多了~

关于作者

百思不得你姐

暂无简介

0 文章
0 评论
351 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

苍风燃霜

文章 0 评论 0

我的黑色迷你裙

文章 0 评论 0

悸初

文章 0 评论 0

撧情箌佬

文章 0 评论 0

森罗

文章 0 评论 0

lyn1245

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文