Hello, this URL cannot be found. Can you tell me how to find the destination PID and TID? Thanks!
"I found this blog which explained how to do this http://blogs.technet.com/marcelofartura/archive/2007/07/13/how-to-identify-the-process-and-thread-being-called-in-a-com-call-from-a-thread-stack.aspx"
On Friday, April 12, 2019 at 10:38:59 AM UTC+8, xiaopot...@gmail.com wrote:
Hello, this URL cannot be found. Can you tell me how to find the destination PID and TID? Thanks!
"I found this blog which explained how to do this http://blogs.technet.com/marcelofartura/archive/2007/07/13/how-to-identify-the-process-and-thread-being-called-in-a-com-call-from-a-thread-stack.aspx"
test is not PID & TID:
Evaluate expression: 298812044 = 11cf828c
Evaluate expression: 298812044 = 11cf828c
Evaluate expression: 298812044 = 11cf828c
Evaluate expression: 0 = 00000000
Evaluate expression: 0 = 00000000
Evaluate expression: 1155524051 = 44dfe5d3
Evaluate expression: 298899562 = 11d0d86a
Evaluate expression: 298899562 = 11d0d86a
Evaluate expression: 0 = 00000000
Evaluate expression: 298812044 = 11cf828c
Evaluate expression: 298812044 = 11cf828c
Evaluate expression: 0 = 00000000
On Friday, April 12, 2019 at 10:47:23 AM UTC+8, xiaopot...@gmail.com wrote:
If you're analyzing a user-mode memory dump and want to find the destination Process ID (PID) or Thread ID (TID) for an RPC (Remote Procedure Call) call, and you don't have access to the rpcexts.dll extension, you might need to use alternative debugging
On Friday, April 12, 2019 at 10:38:59 AM UTC+8, xiaopot...@gmail.com wrote:
Hello, this URL cannot be found. Can you tell me how to find the destination PID and TID? Thanks!
"I found this blog which explained how to do this http://blogs.technet.com/marcelofartura/archive/2007/07/13/how-to-identify-the-process-and-thread-being-called-in-a-com-call-from-a-thread-stack.aspx"
test is not PID & TID:
Evaluate expression: 298812044 = 11cf828c
Evaluate expression: 298812044 = 11cf828c
Evaluate expression: 298812044 = 11cf828c
Evaluate expression: 0 = 00000000
Evaluate expression: 0 = 00000000
Evaluate expression: 1155524051 = 44dfe5d3
Evaluate expression: 298899562 = 11d0d86a
Evaluate expression: 298899562 = 11d0d86a
Evaluate expression: 0 = 00000000
Evaluate expression: 298812044 = 11cf828c
Evaluate expression: 298812044 = 11cf828c
Evaluate expression: 0 = 00000000
test:
0:000> dt CRpcChannelBuffer 00568030
ole32!CRpcChannelBuffer
+0x000 lpVtbl : 0x76bd7c08 IRpcChannelBufferVtbl
+0x004 lpVtbl : 0x76bb92c0 IRpcChannelBufferVtbl
+0x008 _cRefs : 4
+0x00c state : 2
+0x010 _pRpcDefault : (null)
+0x014 _pRpcCustom : 0x0054e810 CChannelHandle
+0x018 _pOXIDEntry : 0x00559e68 OXIDEntry
+0x01c _pIPIDEntry : 0x0055b0e8 tagIPIDEntry
+0x020 _pInterfaceInfo : 0x00554780 Void
+0x024 _pStdId : 0x00568590 CStdIdentity
+0x028 _destObj : CDestObject
0:000> dt OXIDEntry 0x00559e68
ole32!OXIDEntry
+0x000 _pNext : 0x76cc68f8 OXIDEntry
+0x004 _pPrev : 0x00559de8 OXIDEntry
+0x008 _dwPid : 0x3e0
+0x00c _dwTid : 0
+0x010 _moxid : _GUID {629ccdea-5f91-1bc2-1fd7-85b418005454}
+0x020 _mid : 0x54540018`b485d71f
+0x028 _ipidRundown : _GUID {0000d800-03e0-0000-8ea9-5038c3148d7c}
+0x038 _dwFlags : 0x42
+0x03c _hServerSTA : (null)
+0x040 _pParentApt : (null)
+0x044 _pRpc : 0x0054e630 CChannelHandle
+0x048 _pAuthId : (null)
+0x04c _pBinding : 0x00522998 tagDUALSTRINGARRAY
+0x050 _dwAuthnHint : 4
+0x054 _dwAuthnSvc : 0xffffffff
+0x058 _pMIDEntry : 0x00559c40 MIDEntry
+0x05c _pRUSTA : 0x00563dac IRemUnknown
+0x060 _cRefs : 0n3
+0x064 _hComplete : (null)
+0x068 _cCalls : 0n0
+0x06c _cResolverRef : 0n7
+0x070 _dwExpiredTime : 0
+0x074 _version : tagCOMVERSION
+0x078 _ulMarshaledTargetInfoLength : 0
+0x07c _pMarshaledTargetInfo : (null)
=76cc7128 OXIDEntry::_palloc : CPageAllocator
0:000> ? 0x3e0
Evaluate expression: 992 = 000003e0
0:000> dd esp
002feb24 76bb9d01 00568030 002fec30 002fec18
now 992 ---> svchost /k netsvcs.exe
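The walk shown above (CRpcChannelBuffer on the stack -> _pOXIDEntry -> OXIDEntry._dwPid / _dwTid) is easy to automate when rpcexts.dll is not available. The following is an added example, not code from the thread or from the blog it references: it parses WinDbg `dt` and `dd` output (the sample strings are copied from the dumps posted above) and pulls out the destination PID and TID. Treating the dword after the return address in `dd esp` as the CRpcChannelBuffer pointer is taken from what the poster observed on this stack, not a general rule; the function and variable names are mine.

```python
import re

# Constructed sample input: the WinDbg output quoted in the thread.
CHANNEL_DUMP = """\
0:000> dt CRpcChannelBuffer 00568030
ole32!CRpcChannelBuffer
   +0x000 lpVtbl : 0x76bd7c08 IRpcChannelBufferVtbl
   +0x004 lpVtbl : 0x76bb92c0 IRpcChannelBufferVtbl
   +0x008 _cRefs : 4
   +0x00c state : 2
   +0x010 _pRpcDefault : (null)
   +0x014 _pRpcCustom : 0x0054e810 CChannelHandle
   +0x018 _pOXIDEntry : 0x00559e68 OXIDEntry
   +0x01c _pIPIDEntry : 0x0055b0e8 tagIPIDEntry
"""

OXID_DUMP = """\
0:000> dt OXIDEntry 0x00559e68
ole32!OXIDEntry
   +0x000 _pNext : 0x76cc68f8 OXIDEntry
   +0x004 _pPrev : 0x00559de8 OXIDEntry
   +0x008 _dwPid : 0x3e0
   +0x00c _dwTid : 0
   +0x010 _moxid : _GUID {629ccdea-5f91-1bc2-1fd7-85b418005454}
   +0x060 _cRefs : 0n3
   +0x064 _hComplete : (null)
"""

STACK_DUMP = """\
0:000> dd esp
002feb24  76bb9d01 00568030 002fec30 002fec18
"""

# One `dt` member line: "+0x018 _pOXIDEntry : 0x00559e68 OXIDEntry"
FIELD_RE = re.compile(r"^\s*\+0x([0-9a-fA-F]+)\s+(\w+)\s*:\s*(.*?)\s*$")


def parse_dt(text):
    """Map member name -> (offset, raw value). The first of duplicate names
    (e.g. the two lpVtbl slots) wins; static members ('=addr ...') are skipped."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields.setdefault(m.group(2), (int(m.group(1), 16), m.group(3)))
    return fields


def parse_value(raw):
    """Decode a dt scalar or pointer: '0x3e0' (hex), '0n3' (decimal),
    '4' (plain), '(null)' -> None. A trailing type name is ignored."""
    token = raw.split()[0] if raw else ""
    if token == "(null)":
        return None
    if token.startswith("0n"):
        return int(token[2:], 10)
    if token.startswith("0x"):
        return int(token, 16)
    if token.isdigit():
        # dt prints small unsigned values without a prefix; in this output
        # they are single digits, so the base does not matter.
        return int(token, 10)
    raise ValueError(f"unrecognized dt value: {raw!r}")


def first_stack_arg(text):
    """From `dd esp` output return (return_address, first dword after it)."""
    for line in text.splitlines():
        m = re.match(r"^\s*([0-9a-fA-F]{8})\s+((?:[0-9a-fA-F]{8}\s*)+)$", line)
        if m:
            words = [int(w, 16) for w in m.group(2).split()]
            return words[0], words[1]
    raise ValueError("no dd output found")


def destination_from_dumps(channel_dump, oxid_dump):
    """Follow CRpcChannelBuffer._pOXIDEntry into the OXIDEntry dump and
    return the destination PID/TID plus the command used to get the second dump."""
    chan = parse_dt(channel_dump)
    oxid_ptr = parse_value(chan["_pOXIDEntry"][1])
    if oxid_ptr is None:
        raise ValueError("channel has no OXIDEntry; nothing to follow")
    # Guard against pasting an OXIDEntry dump taken from a different address.
    hdr = re.search(r"dt OXIDEntry\s+(?:0x)?([0-9a-fA-F]+)", oxid_dump)
    if hdr and int(hdr.group(1), 16) != oxid_ptr:
        raise ValueError("OXIDEntry dump address does not match _pOXIDEntry")
    oxid = parse_dt(oxid_dump)
    return {
        "oxid_entry": oxid_ptr,
        "pid": parse_value(oxid["_dwPid"][1]),
        "tid": parse_value(oxid["_dwTid"][1]),
        "next_command": f"dt OXIDEntry 0x{oxid_ptr:08x}",
    }


if __name__ == "__main__":
    ret, this_ptr = first_stack_arg(STACK_DUMP)
    print(f"return address {ret:08x}, channel object {this_ptr:08x}")
    print(destination_from_dumps(CHANNEL_DUMP, OXID_DUMP))
```

A `_dwTid` of 0, as in the thread, usually means the server apartment is not bound to one thread (an MTA server), so the PID alone identifies the destination; for an STA server the TID names the thread that will service the call.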