Dumping EPROCESS with windbg
I'm experimenting with LibVMI and Windows 7 32-bit; to properly set things up, I need to look at the first 8 bytes of an EPROCESS structure (the library searches memory for a magic number, and this is supposed to be it).

My Windows-fu is not strong, so can anyone tell me how to dump the appropriate bit of memory? I'm running the local kernel debugger, and I've gotten as far as "dt nt!_EPROCESS" but that just seems to show me the format of the structure, not what's actually in it.

Vegetation answered 19/6, 2012 at 17:42
The command is:

dt nt!_EPROCESS <address>

You should be able to obtain the address from the output of !process 0 7.

Echidna answered 20/6, 2012 at 6:44
I figured it out--Seva Titov's answer is similar to what I did. Here's how I did it:

!process 0 0

which gives me a short list of processes running; I had specifically started calc.exe to have a simple little program going, so I looked at the list and then ran:

!process calc.exe

The first line of output started with PROCESS 83f81178, which is the important bit. I then did:

db 83f81178

which showed me a chunk of memory starting at that offset, looking something like this:

83f81178 03 00 26 00 00 00 00 00--80 11 f8 83 80 11 f8 83 ..&............
83f81188 88 11 f8 83 88 11 f8 83--80 23 e2 3e 00 00 00 00 ........#.>....

That was what I needed, so I stopped there.

Vegetation answered 20/6, 2012 at 17:41
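Both answers end with a raw `db` dump, and the only thing that tells you the address really is the start of an EPROCESS (rather than some other kernel object) is the layout of those first bytes. The script below is an added example, not part of the question or either answer and not LibVMI code: it parses WinDbg `db` output, pulls out the 8-byte "magic" prefix, and sanity-checks the dump against the Windows 7 x86 layout that the answer's bytes are consistent with. The layout is an assumption stated in the comments: EPROCESS begins with KPROCESS, which begins with a 0x10-byte DISPATCHER_HEADER (Type, Abandoned, Size in dwords, Inserted, SignalState, WaitListHead), followed by ProfileListHead at 0x10 and DirectoryTableBase at 0x18. The sample input is the two `db` lines from the answer above, embedded as a constructed string; the function and field names are mine.

```python
import re
import struct

# Constructed sample input: the two `db 83f81178` lines quoted in the answer.
DB_OUTPUT = """\
83f81178 03 00 26 00 00 00 00 00--80 11 f8 83 80 11 f8 83 ..&............
83f81188 88 11 f8 83 88 11 f8 83--80 23 e2 3e 00 00 00 00 ........#.>....
"""

# A `db` line: 32-bit address, then 16 byte values separated by spaces
# and/or dashes, then an ASCII column we ignore.
DB_LINE = re.compile(
    r"^\s*([0-9a-f]{8})\s+((?:[0-9a-f]{2}[ -]+){15}[0-9a-f]{2})", re.IGNORECASE
)


def parse_db(text):
    """Return (base_address, bytes) from contiguous WinDbg `db` output lines."""
    base = None
    expected = None
    chunks = []
    for line in text.splitlines():
        m = DB_LINE.match(line)
        if not m:
            continue
        addr = int(m.group(1), 16)
        data = bytes.fromhex(re.sub(r"[ -]", "", m.group(2)))
        if base is None:
            base = addr
        elif addr != expected:
            raise ValueError(f"non-contiguous line at {addr:08x}, expected {expected:08x}")
        chunks.append(data)
        expected = addr + len(data)
    if base is None:
        raise ValueError("no db lines found in input")
    return base, b"".join(chunks)


def inspect_eprocess(base, data):
    """Decode the head of an EPROCESS, assuming the Windows 7 x86 layout:
    +0x00 DISPATCHER_HEADER {Type, Abandoned, Size (dwords), Inserted,
          SignalState, WaitListHead LIST_ENTRY}
    +0x10 ProfileListHead LIST_ENTRY
    +0x18 DirectoryTableBase
    Both LIST_ENTRYs are empty lists, so Flink == Blink == their own address;
    that self-reference only lines up if `base` is the true structure start.
    """
    if len(data) < 0x1C:
        raise ValueError("need at least 0x1c bytes of the structure")
    obj_type, abandoned, size_dwords, inserted = struct.unpack_from("<4B", data, 0)
    wait_flink, wait_blink = struct.unpack_from("<II", data, 0x08)
    prof_flink, prof_blink = struct.unpack_from("<II", data, 0x10)
    (dtb,) = struct.unpack_from("<I", data, 0x18)
    return {
        "magic8": data[:8].hex(),            # the 8 bytes the question asks about
        "type": obj_type,                     # KOBJECTS ProcessObject is 3 (assumed)
        "kprocess_size": size_dwords * 4,     # Size field is in dwords
        "wait_list_empty": wait_flink == wait_blink == base + 0x08,
        "profile_list_empty": prof_flink == prof_blink == base + 0x10,
        "directory_table_base": dtb,          # CR3 value for the process (assumed field)
    }


if __name__ == "__main__":
    base, data = parse_db(DB_OUTPUT)
    info = inspect_eprocess(base, data)
    for key, value in info.items():
        print(f"{key:22} {value:#x}" if isinstance(value, int) and not isinstance(value, bool) else f"{key:22} {value}")
```

Run against the answer's dump, the script reports the 8-byte prefix `0300260000000000`, a type of 3, a KPROCESS size of 0x98 bytes, and both list heads pointing back at themselves; if you `db` an address that is not the real start of the object, the self-reference checks fail, which is a quicker sanity test than eyeballing the hex.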

© 2022 - 2024 — McMap. All rights reserved.