Debugging with LiveKD

Security, Development Tools 2008.03.17 11:19

With livekd you can take a kernel memory dump of the currently running Windows system on the spot. LiveKD loads a small driver (LiveKdD.sys, visible in the output below) and hands kd/windbg a snapshot of kernel memory as if it were a complete memory dump file, so no debug-mode boot and no second machine are needed. It is the right tool when you do not need a full live kernel-debugging session and just want to diagnose a problem from a memory dump; the .dump command in that session writes a real dump file that can be analyzed offline. Because the system keeps running while the snapshot is read, the view is not guaranteed to be consistent (hence the CR3 warnings below), and a complete dump contains everything in kernel memory, credentials and keys included, so protect the file accordingly. "Debugging Tools for Windows" must be installed first.


C:\Users\tester\Desktop>livekd

LiveKd v3.0 - Execute i386kd/windbg/dumpchk on a live system
Sysinternals - www.sysinternals.com
Copyright (C) 2000-2005 Mark Russinovich

Symbols are not configured. Would you like LiveKd to set the _NT_SYMBOL_PATH
directory to reference the Microsoft symbol server so that symbols can be
obtained automatically? (y/n) y

Enter the folder to which symbols download (default is c:\symbols):
^C

C:\Users\tester\Desktop>


C:\Users\tester\Desktop>livekd

LiveKd v3.0 - Execute i386kd/windbg/dumpchk on a live system
Sysinternals - www.sysinternals.com
Copyright (C) 2000-2005 Mark Russinovich

Symbols are not configured. Would you like LiveKd to set the _NT_SYMBOL_PATH
directory to reference the Microsoft symbol server so that symbols can be
obtained automatically? (y/n) y

Enter the folder to which symbols download (default is c:\symbols):
Launching C:\program files\Debugging Tools for Windows\kd.exe:

Microsoft (R) Windows Debugger Version 6.8.0004.0 X86
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C:\Windows\system32\livekd.dmp]
Kernel Complete Dump File: Full address space is available

Comment: 'LiveKD live system view'
Symbol search path is: srv*c:\Symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows Kernel Version 6001 (Service Pack 1) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 6001.18000.x86fre.longhorn_rtm.080118-1840
Kernel base = 0x81642000 PsLoadedModuleList = 0x81759c70
Debug session time: Sat Feb 12 19:34:57.897 17420 (GMT-7)
System Uptime: 0 days 1:40:37.767
WARNING: Process directory table base 3E65B360 doesn't match CR3 3E65B340
WARNING: Process directory table base 3E65B360 doesn't match CR3 3E65B340
Loading Kernel Symbols
................................................................................
.....................................................
Loading User Symbols
..........
Loading unloaded module list
.....
*** ERROR: Module load completed but symbols could not be loaded for LiveKdD.SYS

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 0, {0, 0, 0, 0}

*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information. Contact the group that       ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: kernel32!pNlsUserInfo                         ***
***                                                                   ***
*************************************************************************
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information. Contact the group that       ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: kernel32!pNlsUserInfo                         ***
***                                                                   ***
*************************************************************************
Probably caused by : LiveKdD.SYS ( LiveKdD+12d1 )

Followup: MachineOwner
---------


kd> .dump /f c:\dump.dmp
Creating c:\dump.dmp - Full kernel dump
Percent written 0
Percent written 1
Percent written 2
[Percent written 3 through 98 omitted]
Percent written 99
Dump successfully written
kd>
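The same procedure, driven from PowerShell so it can run unattended on a set of machines. This is an added example and not code from the original post or from Sysinternals. It assumes things the page does not state: that livekd.exe lives at the path given in the parameters, that kd.exe is at the path the transcript shows, that LiveKD's -k option selects the debugger and that LiveKD passes options it does not recognise (here kd's own -c switch) through to kd.exe, and that Windows PowerShell 4 or later is available for Get-FileHash. Check "livekd -?" on your LiveKD version before relying on the pass-through; if it is not supported, run livekd interactively as the post does and type the .dump command at the kd> prompt.

```powershell
# Added example (not from the original post): collect a full kernel dump
# with LiveKD without sitting at the kd> prompt, then sanity-check and hash it.
#
# Assumptions not stated on the page (verify on your own setup):
#  - $LiveKd / $Kd paths; the kd.exe path matches the "Launching ..." line.
#  - LiveKD's -k selects the debugger, and options LiveKD does not know
#    are passed to kd.exe, so kd's "-c" runs ".dump /f" and "q" for us.
#  - The script runs elevated; LiveKD must load its LiveKdD.sys driver.
param(
    [string]$LiveKd  = "C:\Tools\Sysinternals\livekd.exe",
    [string]$Kd      = "C:\Program Files\Debugging Tools for Windows\kd.exe",
    [string]$SymDir  = "C:\Symbols",
    [string]$DumpOut = "C:\dump.dmp"
)

$ErrorActionPreference = "Stop"

# 1. Prerequisites: Debugging Tools for Windows is the page's hard requirement;
#    administrative rights are needed because LiveKD loads a kernel driver.
foreach ($exe in @($LiveKd, $Kd)) {
    if (-not (Test-Path $exe)) { throw "Missing: $exe" }
}
$principal = New-Object Security.Principal.WindowsPrincipal(
    [Security.Principal.WindowsIdentity]::GetCurrent())
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Run from an elevated prompt: LiveKD has to load LiveKdD.sys"
}

# 2. Symbols: set _NT_SYMBOL_PATH in advance so LiveKD skips the y/n prompt
#    seen in the transcript. Same value LiveKD would have configured itself.
if (-not (Test-Path $SymDir)) { New-Item -ItemType Directory -Path $SymDir | Out-Null }
$env:_NT_SYMBOL_PATH = "srv*$SymDir*http://msdl.microsoft.com/download/symbols"

# 3. Snapshot and dump. ".dump /f" is exactly what the post types at kd>;
#    "q" then quits kd so the script does not block on the prompt.
$kdCommands = ".dump /f $DumpOut; q"
& $LiveKd -k $Kd -c $kdCommands
if ($LASTEXITCODE -ne 0) { throw "livekd/kd exited with code $LASTEXITCODE" }

# 4. Sanity check: LiveKD presents a "Kernel Complete Dump", and a complete
#    dump is roughly the size of physical RAM. A small file means the write
#    failed even if nothing in kd's output made that obvious.
$dump = Get-Item $DumpOut
$ramBytes = (Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory
if ($dump.Length -lt ($ramBytes / 2)) {
    Write-Warning ("Dump is {0:N0} bytes but RAM is {1:N0} bytes; inspect kd output" -f
        $dump.Length, $ramBytes)
}

# 5. Hash the file before it moves anywhere. The dump holds all of kernel
#    memory (credentials, keys, tokens), so it is evidence and a secret at once:
#    keep the hash for chain of custody and transfer over an authenticated channel.
$hash = Get-FileHash -Algorithm SHA256 -Path $DumpOut
"{0}  {1}  {2}" -f $hash.Hash, $dump.Length, $dump.FullName |
    Out-File -FilePath "$DumpOut.sha256" -Encoding ascii
Write-Host "Dump written: $($dump.FullName) ($($dump.Length) bytes), SHA256 $($hash.Hash)"
```

Two things in the transcript above are normal for a LiveKD session and not errors to chase: "BugCheck 0" with "Probably caused by : LiveKdD.SYS" appears because no crash happened and the automatic analysis simply lands on LiveKD's own driver, and the "not using the correct symbols" box for kernel32!pNlsUserInfo appears because the public symbols lack the private type information that part of the analysis wants. The repeated "directory table base ... doesn't match CR3" warning is the snapshot being taken while the kernel keeps scheduling; if you need a consistent image for forensics, note that caveat in the case record next to the hash.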

