Tags: style blog color use sp on div 2014 log
$$ *****************************************************************
$$ Script by kms_hhl to monitor process creation and show the call stack
$$ Create Time 2014_11
$$ nt5 NtCreateProcess->NtCreateProcessEx->PspCreateProcess
$$ nt6 NtCreateUserProcess
$$ Execute by $$><D:\BaiduYunTongBu\百度云同步盘\windbg_sc\2sc_process_monitor_x32.txt
$$ We walk the ActiveProcessLinks list from its tail and break at the instant
$$ the process name in ImageFileName matches the one we are looking for.
$$ After gu returns from PspCreateProcess the new process is already linked in,
$$ so the tail of the list (Blink of the head, PsActiveProcessHead+4 on x86)
$$ is the process that has just been created.
$$ *****************************************************************
bp nt!PspCreateProcess "
gu
r @$t0=0
r @$t1=0
r @$t2=0
r @$t0=nt!PsActiveProcessHead+4
r @$t1=poi(@$t0)
r? @$t2=#CONTAINING_RECORD(@$t1, nt!_EPROCESS, ActiveProcessLinks)
as /x ${/v:$Procc} @$t2
as /ma $ImageName @@c++(&@$t2->ImageFileName[0])
.block {
    .if ($sicmp(\"${$ImageName}\", \"calc.exe\") == 0) {
        .echo found the pattern
        .echo ${$ImageName}
        ad *
    } .else {
        .echo not found the pattern
        .echo '${$ImageName}'
        ad *
        gc
    }
}"
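The list walk described in the comment above, generalized from the tail-only check to the whole ActiveProcessLinks list, as an added example that is not part of the original script. It assumes a kernel-mode target with nt symbols loaded, is run with `$$><`, and keeps the page's calc.exe as the name to match; following Flink from the list head means no +4/+8 Blink offset is hard-coded, so it runs unchanged on x86 and x64.

```windbg
$$ Added example, not from the original post: walk every entry of
$$ nt!PsActiveProcessHead and report each process whose ImageFileName
$$ matches. Assumes a kernel-mode target with nt symbols; run via $$><file
r @$t0 = nt!PsActiveProcessHead
$$ @$t0 is the list head itself (a bare LIST_ENTRY, not inside an EPROCESS)
r @$t1 = poi(@$t0)
$$ @$t1 is the first Flink; @$t3 counts matches
r @$t3 = 0
.while (@$t1 != @$t0) {
    r? @$t2 = #CONTAINING_RECORD(@$t1, nt!_EPROCESS, ActiveProcessLinks)
    as /ma ${/v:$ImageName} @@c++(&@$t2->ImageFileName[0])
    $$ .block makes the alias expand again on every iteration
    .block {
        .if ($sicmp("${$ImageName}", "calc.exe") == 0) {
            .echo match: ${$ImageName}
            ?? @$t2->UniqueProcessId
            r @$t3 = @$t3 + 1
        } .else {
            .echo ${$ImageName}
        }
    }
    $$ /v keeps ad from seeing the alias value instead of its name
    ad ${/v:$ImageName}
    r @$t1 = poi(@$t1)
}
.printf "processes matching calc.exe: %d\n", @$t3
```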