ntsd
ntsd從Windows 2000開始就是系統(tǒng)自帶的進(jìn)程調(diào)試工具,在system32目錄下。NTSD的功能非常的強(qiáng)大,用法也比較復(fù)雜,但如果只用來結(jié)束一些進(jìn)程,那就比較簡單了。在Windows中只有System、SMSS.EXE和CSRSS.EXE不能殺。前兩個(gè)是純內(nèi)核態(tài)的,最后那個(gè)是Win32子系統(tǒng),ntsd本身需要它。lsass.exe也不要?dú)⒌?#xff0c;它是負(fù)責(zé)本地賬戶安全的。被調(diào)試器附著的進(jìn)程會隨調(diào)試器一起退出,所以可以用來在命令行下終止進(jìn)程。
打開cmd 后輸入以下命令就可以結(jié)束進(jìn)程:
方法一:利用進(jìn)程的PID結(jié)束進(jìn)程
命令格式:ntsd -c q -p pid
命令范例: ntsd -c q -p 1332 (結(jié)束explorer.exe進(jìn)程)
范例詳解:explorer.exe的pid為1332,但是如何獲取進(jìn)程的pid呢?在CMD下輸入TASKLIST就可以獲取當(dāng)前任務(wù)管理器所有進(jìn)程的PID。或者打開任務(wù)管理器,在菜單欄,選擇“查看”—“選擇列”,在打開的選擇項(xiàng)窗口中將“PID(進(jìn)程標(biāo)識符)”項(xiàng)選擇鉤上,這樣任務(wù)管理器的進(jìn)程中就會多出PID一項(xiàng)了。(PID的分配并不固定,是在進(jìn)程啟動是由系統(tǒng)隨機(jī)分配的,所以進(jìn)程每次啟動的進(jìn)程一般都不會一樣。)
可使用以下命令:
=================================================
@echo off
mode con cols=30 lines=5
color 1e
echo.
set /p t=請輸入進(jìn)程名:
tasklist /fo csv>2.txt
find "%t%" 2.txt>1.txt
for /f "delims=, tokens=2" %%i in (1.txt) do set a=%%i
ntsd -c q -p %a%
echo PID NAME
echo ============
echo %a% %T%
del 1.txt
del 2.txt
pause >nul
exit
=================================================
方法二:利用進(jìn)程名結(jié)束進(jìn)程
命令格式:ntsd -c q -pn ***.exe (***.exe 為進(jìn)程名,exe不能省)
命令范例:ntsd -c q -pn explorer.exe
另外的能結(jié)束進(jìn)程的DOS命令還有taskkill和tskill命令:
命令格式: taskkill /pid 1234 /f ( 也可以達(dá)到同樣的效果。)
如果上面這些還不能滿足您的求知欲,下面還有:
ntsd詳解
有一些高等級的進(jìn)程,tskill和taskkill或許無法結(jié)束,那么我們還有一個(gè)更強(qiáng)大的工具,那就是系統(tǒng)debug級的ntsd.準(zhǔn)確的說,ntsd是一個(gè)系統(tǒng)調(diào)試工具,只提供給系統(tǒng)開發(fā)級的管理員使用,但是對我們殺掉進(jìn)程還是很爽的.基本上除了WINDOWS系統(tǒng)自己的管理進(jìn)程,ntsd都可以殺掉。NTSD 調(diào)試程序在啟動時(shí)要求用戶指定一個(gè)要連接的進(jìn)程。使用 TLIST 或 PVIEWER,您可以獲得某個(gè)現(xiàn)有進(jìn)程的進(jìn)程 ID,然后鍵入 NTSD -p pid 來調(diào)試這個(gè)進(jìn)程。NTSD 命令行使用如下的句法:
NTSD [options] imagefile
其中,imagefile 是要調(diào)試的映像名稱。
用法usage: ntsd [-?] [-2] [-d] [-g] [-G] [-myob] [-lines] [-n] [-o] [-s] [-v] [-w]
[-r BreakErrorLevel] [-t PrintErrorLevel]
[-hd] [-pd] [-pe] [-pt #] [-pv] [-x | -x{e|d|n|i} <event>]
[-- | -p pid | -pn name | command-line | -z CrashDmpFile]
[-zp CrashPageFile] [-premote transport] [-robp]
[-aDllName] [-c "command"] [-i ImagePath] [-y SymbolsPath]
[-clines #] [-srcpath SourcePath] [-QR //machine] [-wake ]
[-remote transport:server=name,portid] [-server transport:portid]
[-ses] [-sfce] [-sicv] [-snul] [-noio] [-failinc] [-noshell]
where: -? displays this help text
command-line is the command to run under the debugger
-- is the same as -G -g -o -p -1 -d -pd
-aDllName sets the default extension DLL
-c executes the following debugger command
-clines number of lines of output history retrieved by a remote client
-failinc causes incomplete symbol and module loads to fail
-d sends all debugger output to kernel debugger via DbgPrint
-d cannot be used with debugger remoting
-d can only be used when the kernel debugger is enabled
-g ignores initial breakpoint in debuggee
-G ignores final breakpoint at process termination
-hd specifies that the debug heap should not be used
for created processes. This only works on Windows Whistler.
-o debugs all processes launched by debuggee
-p pid specifies the decimal process Id to attach to
-pd specifies that the debugger should automatically detach
-pe specifies that any attach should be to an existing debug port
-pn name specifies the name of the process to attach to
-pt # specifies the interrupt timeout
-pv specifies that any attach should be noninvasive
-r specifies the (0-3) error level to break on (SeeSetErrorLevel)
-robp allows breakpoints to be set in read-only memory
-t specifies the (0-3) error level to display (SeeSetErrorLevel)
-w specifies to debug 16 bit applications in a separate VDM
-x sets second-chance break on AV exceptions
-x{e|d|n|i} <event> sets the break status for the specified event
-2 creates a separate console window for debuggee
-i ImagePath specifies the location of the executables that generated
the fault (see _NT_EXECUTABLE_IMAGE_PATH)
-lines requests that line number information be used if present
-myob ignores version mismatches in DBGHELP.DLL
-n enables verbose output from symbol handler
-noio disables all I/O for dedicated remoting servers
-noshell disables the .shell (!!) command
-QR <//machine> queries for remote servers
-s disables lazy symbol loading
-ses enables strict symbol loading
-sfce fails critical errors encountered during file searching
-sicv ignores the CV record when symbol loading
-snul disables automatic symbol loading for unqualified names
-srcpath <SourcePath> specifies the source search path
-v enables verbose output from debugger
-wake wakes up a sleeping debugger and exits
-y <SymbolsPath> specifies the symbol search path (see _NT_SYMBOL_PATH)
-z <CrashDmpFile> specifies the name of a crash dump file to debug
-zp <CrashPageFile> specifies the name of a page.dmp file
to use with a crash dump
-remote lets you connect to a debugger session started with -server
must be the first argument if present
transport: tcp | npipe | ssl | spipe | 1394 | com
name: machine name on which the debug server was created
portid: id of the port the debugger server was created on
for tcp use: port=<socket port #>
for npipe use: pipe=<name of pipe>
for 1394 use: channel=<channel #>
for com use: port=<COM port>,baud=<baud rate>,
channel=<channel #>
for ssl and spipe see the documentation
example: ... -remote npipe:server=yourmachine,pipe=foobar
-server creates a debugger session other people can connect to
must be the first argument if present
transport: tcp | npipe | ssl | spipe | 1394 | com
portid: id of the port remote users can connect to
for tcp use: port=<socket port #>
for npipe use: pipe=<name of pipe>
for 1394 use: channel=<channel #>
for com use: port=<COM port>,baud=<baud rate>,
channel=<channel #>
for ssl and spipe see the documentation
example: ... -server npipe:pipe=foobar
-premote transport specifies the process server to connect to
transport arguments are given as with remoting
Environment Variables:
_NT_SYMBOL_PATH=[Drive:][Path]
Specify symbol image path.
_NT_ALT_SYMBOL_PATH=[Drive:][Path]
Specify an alternate symbol image path.
_NT_DEBUGGER_EXTENSION_PATH=[Drive:][Path]
Specify a path which should be searched first for extensions dlls
_NT_EXECUTABLE_IMAGE_PATH=[Drive:][Path]
Specify executable image path.
_NT_SOURCE_PATH=[Drive:][Path]
Specify source file path.
_NT_DEBUG_LOG_FILE_OPEN=filename
If specified, all output will be written to this file from offset 0.
_NT_DEBUG_LOG_FILE_APPEND=filename
If specified, all output will be APPENDed to this file.
_NT_DEBUG_HISTORY_SIZE=size
Specifies the size of a server's output history in kilobytes
Control Keys:
<Ctrl-B><Enter> Quit debugger
<Ctrl-C> Break into Target
<Ctrl-F><Enter> Force a break into debuggee (same as Ctrl-C)
<Ctrl-P><Enter> Debug Current debugger
<Ctrl-V><Enter> Toggle Verbose mode
<Ctrl-W><Enter> Print version information
ntsd: exiting - press enter ---
選項(xiàng)option:
-2打開一個(gè)用于調(diào)試字符模式的應(yīng)用程序的新窗口
-d將輸出重定向到調(diào)試終端-g 使執(zhí)行自動通過第一個(gè)斷點(diǎn)
-G使 NTSD 在子程序終止時(shí)立即退出o啟用多個(gè)進(jìn)程的調(diào)試,默認(rèn)值為由調(diào)試程序衍生的一個(gè)進(jìn)程
-p指定調(diào)試由進(jìn)程 ID 標(biāo)識的進(jìn)程
-v產(chǎn)生詳細(xì)的輸出。
例如,假設(shè) inetinfo.exe 的進(jìn)程 ID 為 104。鍵入命令“NTSD -p 104”將 NTSD 調(diào)試程序連接到 inetinfo 進(jìn)程 (IIS)。也可使用 NTSD 啟動一個(gè)新進(jìn)程來進(jìn)行調(diào)試。例如,NTSD notepad.exe 將啟動一個(gè)新的 notepad.exe 進(jìn)程,并與它建立連接。一旦連接到某個(gè)進(jìn)程,您就可以用各種命令來查看堆棧、設(shè)置斷點(diǎn)、轉(zhuǎn)儲內(nèi)存,等等。
命令含義~顯示所有線程的一個(gè)列表KB 顯示當(dāng)前線程的堆棧軌跡~*KB顯示所有線程的堆棧軌跡R顯示當(dāng)前
幀的寄存器輸出U反匯編代碼并顯示過程名和偏移量D[type][< range>]轉(zhuǎn)儲內(nèi)存BP設(shè)置斷點(diǎn)BC[]清除一個(gè)或多個(gè)斷點(diǎn)BD[]禁用一個(gè)或多個(gè)斷點(diǎn)BE[< bp>]啟用一個(gè)或多個(gè)斷點(diǎn)BL[]列出一個(gè)或多個(gè)斷點(diǎn)。
個(gè)人意見,有一個(gè)非常重要的參數(shù)就是-v參數(shù),我們可以通過它發(fā)現(xiàn)一個(gè)進(jìn)程下面掛接了哪些連接庫文件。有很多病毒,木馬,或者惡意軟件,都喜歡把自己做成動態(tài)庫,然后注冊到系統(tǒng)正常程序的加載庫列表中,達(dá)到隱藏自己的目的.
首先我們需要設(shè)置一下ntsd的輸出重定向,最好是重定向到一個(gè)文本文件,方便我們分析研究.
c:/>set _NT_DEBUG_LOG_FILE_APPEND=c:/pdw.txt
注意,雖然輸出重定向了,但是我們的輸出依然會繼續(xù)顯示在屏幕上,而且會進(jìn)入到debug模式,我們使用-c q參數(shù),就可以避免這個(gè)問題.
c:/>ntsd -c q -v notepad.exe
現(xiàn)在我們的pdw.txt文件中,就可以看見notepad.exe文件的調(diào)試信息.
可以知道,ntsd的軟件終止能力是很好很強(qiáng)大的,一些taskkill都無法終止的軟件(如Student.exe這一類或木馬)可以用ntsd輕易終止
總結(jié)
- 上一篇: 变频器按启动没反应_起重机软启动柜晶闸管
- 下一篇: java学习(85):Interage包