Suppose that while debugging the kernel we need to set a breakpoint in kernel32. Usually, when the debugger breaks into the kernel, the current process and the current thread are both Idle:
kd> !process
PROCESS 8054a900 SessionId: none Cid: 0000 Peb: 00000000 ParentCid: 0000
DirBase: 00039000 ObjectTable: e1000d68 HandleCount: 128.
Image: Idle
VadRoot 00000000 Vads 0 Clone 0 Private 0. Modified 0. Locked 0.
DeviceMap 00000000
Token e1000820
ElapsedTime 00:00:00.000
UserTime 00:00:00.000
KernelTime 01:44:44.025
QuotaPoolUsage[PagedPool] 0
QuotaPoolUsage[NonPagedPool] 0
Working Set Sizes (now,min,max) (5, 50, 450) (20KB, 200KB, 1800KB)
PeakWorkingSetSize 5
VirtualSize 0 Mb
PeakVirtualSize 0 Mb
PageFaultCount 1
MemoryPriority BACKGROUND
BasePriority 0
CommitCharge 0
THREAD 8054a6a0 Cid 0000.0000 Teb: 00000000 Win32Thread: 00000000 RUNNING on processor 0
kd> !thread
THREAD 8054a6a0 Cid 0000.0000 Teb: 00000000 Win32Thread: 00000000 RUNNING on processor 0
Not impersonating
Owning Process 0 Image: <Unknown>
Attached Process 8054a900 Image: Idle
Wait Start TickCount 647712 Ticks: 71 (0:00:00:00.711)
Context Switch Count 108363
UserTime 00:00:00.000
KernelTime 01:44:44.025
Stack Init 80542200 Current 80541f4c Base 80542200 Limit 8053f200 Call 0
Priority 16 BasePriority 0 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr Args to Child
80541ebc 805120f8 00000001 00000202 00000030 nt!RtlpBreakWithStatusInstruction (FPO: [1,0,0])
80541ebc 806ccefa 00000001 00000202 00000030 nt!KeUpdateSystemTime+0x142 (FPO: [0,2] TrapFrame @ 80541ed0)
WARNING: Frame IP not in any known module. Following frames may be wrong.
80541f40 804eed89 8054a6a0 ffdffc50 ffdff980 0x806ccefa
80541f50 804f1d65 00000000 0000000e 00000000 nt!PopIdle0+0x47 (FPO: [Non-Fpo])
80541f54 00000000 0000000e 00000000 00000000 nt!KiIdleLoop+0x10 (FPO: [0,0,0])
Setting the breakpoint directly makes the debugger complain: kernel32 is a user-mode DLL, and it is not mapped in the Idle process's address space, so the symbol cannot be resolved in the current context. The debugger falls back to a deferred breakpoint instead:
kd> bp kernel32!TerminateProcess
Bp expression 'kernel32!TerminateProcess' could not be resolved, adding deferred bp
The breakpoint therefore stays in the unresolved state (shown as the "u" flag in the status column of `bl` output) until the expression can be resolved in a context where kernel32 is actually loaded.
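The way a practitioner gets around this is to switch the debugger into the address space of a user-mode process that has kernel32 mapped, reload user-mode symbols, and only then set the breakpoint. The kd session below is an added example and not part of the original note; it assumes a target process named notepad.exe and uses a placeholder `<EPROCESS>` for the address that `!process` prints, since that value differs on every machine.

```windbg
$$ Added example (not from the original note). Target process notepad.exe and
$$ the <EPROCESS> placeholder are assumptions; substitute the address printed in step 1.

$$ 1. Locate the target user-mode process and note its EPROCESS address.
kd> !process 0 0 notepad.exe

$$ 2. Switch to that process invasively. Execution resumes on "g" and the
$$    debugger breaks back in once the target process is scheduled, so its
$$    user-mode address space (including kernel32) is now the current context.
kd> .process /i <EPROCESS>
kd> g

$$ 3. Reload user-mode symbols now that kernel32 is mapped in this context.
kd> .reload /user

$$ 4. The expression now resolves. /p ties the breakpoint to this EPROCESS so it
$$    only triggers when notepad.exe is the current process, not for every
$$    process that calls TerminateProcess.
kd> bp /p <EPROCESS> kernel32!TerminateProcess

$$ 5. Check the breakpoint list: the status column should read "e" (enabled)
$$    rather than "eu" (enabled but unresolved).
kd> bl
```

If you do not want to resume the target first, `.process /r /p <EPROCESS>` switches context non-invasively and also reloads user-mode symbols, which is enough to inspect memory; for a breakpoint that must fire in that process, the invasive switch above is the dependable path. Alternatively, `bu kernel32!TerminateProcess` deliberately creates a deferred breakpoint that the debugger resolves on its own the next time a module matching kernel32 is loaded, which is the behaviour the "adding deferred bp" message describes.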