windbg(GetProcessFullName)

kd> dt_EPROCESS
nt!_EPROCESS
   +0x1b0 Peb              : Ptr32 _PEB


kd> dt_peb
nt!_PEB
   +0x010 ProcessParameters : Ptr32 _RTL_USER_PROCESS_PARAMETERS

kd> dt _RTL_USER_PROCESS_PARAMETERS
nt!_RTL_USER_PROCESS_PARAMETERS
   +0x038 ImagePathName    : _UNICODE_STRING
 

 

kd> dt _UNICODE_STRING
nt!_UNICODE_STRING
   +0x000 Length           : Uint2B
   +0x002 MaximumLength    : Uint2B
   +0x004 Buffer           : Ptr32 Uint2B

kd> !peb
PEB at 7ffdb000

kd> dd 7ffdb000+0x10
7ffdb010  00020000 00000000 00150000 7c99e4c0

kd> dd 0x00020000 +0x038 + 0x4
0002003c  00020650 00720070 000206c0 00010000

 

kd> db 00020650
00020650  43 00 3a 00 5c 00 50 00-72 00 6f 00 67 00 72 00  C.:.\.P.r.o.g.r.
00020660  61 00 6d 00 20 00 46 00-69 00 6c 00 65 00 73 00  a.m. .F.i.l.e.s.
00020670  5c 00 56 00 4d 00 77 00-61 00 72 00 65 00 5c 00  \.V.M.w.a.r.e.\.
00020680  56 00 4d 00 77 00 61 00-72 00 65 00 20 00 54 00  V.M.w.a.r.e. .T.
00020690  6f 00 6f 00 6c 00 73 00-5c 00 56 00 4d 00 77 00  o.o.l.s.\.V.M.w.
000206a0  61 00 72 00 65 00 53 00-65 00 72 00 76 00 69 00  a.r.e.S.e.r.v.i.
000206b0  63 00 65 00 2e 00 65 00-78 00 65 00 00 00 00 00  c.e...e.x.e.....

 

kd> dt 0x00020000 +0x038 _UNICODE_STRING
nt!_UNICODE_STRING
 "C:\Program Files\VMware\VMware Tools\VMwareService.exe"
   +0x000 Length           : 0x6c
   +0x002 MaximumLength    : 0x6e
   +0x004 Buffer           : 0x00020650  "C:\Program Files\VMware\VMware Tools\VMwareService.exe"

posted @ 2010-11-10 12:35  ahuo  阅读(403)  评论(0编辑  收藏  举报