2012-11-06

Monitor process file operations with a WinDbg command





windbg.org




* Monitor Windows process activities by setting a breakpoint on an API and printing out the parameter contents. The command below breaks on kernel32!CreateFileW, prints the call stack (kL), dumps the Unicode file name from the first stack argument (du poi(@esp+4), x86 stdcall), runs until the function returns (gu), shows the returned handle in eax (r eax), and then continues (g).

0:000> bp kernel32!CreateFileW ".echo ---------------------------------------;kL;du poi(@esp+4);gu;.echo =======;r eax;g"  
0:000> g  
ModLoad: 62c20000 62c29000   C:/WINDOWS/system32/LPK.DLL  
ModLoad: 77180000 77283000   C:/WINDOWS/WinSxS/x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03/comctl32.dll  
---------------------------------------  
ChildEBP RetAddr    
0012e374 7c814d65 kernel32!CreateFileW  
0012e5dc 7c801d3a kernel32!BasepLoadLibraryAsDataFile+0x125  
0012e640 7c8171dd kernel32!LoadLibraryExW+0x178  
0012e66c 7c81715d kernel32!BasepSxsFindSuitableManifestResourceFor+0x51  
0012e96c 7720b80d kernel32!CreateActCtxW+0x69e  
0012eba4 7720b83f comctl32_77180000!SHFusionInitializeIDCC+0x83  
0012ebb8 7720b857 comctl32_77180000!SHFusionInitializeID+0x12  
0012ebc8 771841a9 comctl32_77180000!SHFusionInitialize+0xf  
0012ebdc 77184267 comctl32_77180000!_ProcessAttach+0x32  
0012ebe8 7c9211a7 comctl32_77180000!LibMain+0x21  
0012ec08 7c93cbab ntdll!LdrpCallInitRoutine+0x14  
0012ed10 7c936178 ntdll!LdrpRunInitializeRoutines+0x344  
0012efbc 7c9362da ntdll!LdrpLoadDll+0x3e5  
0012f264 7c801bb9 ntdll!LdrLoadDll+0x230  
0012f2cc 7c80ae5c kernel32!LoadLibraryExW+0x18e  
0012f2e0 77f5b1a3 kernel32!LoadLibraryW+0x11  
0012f504 766a1110 SHLWAPI!LoadLibraryWrapW+0x51  
0012f53c 766a10af WININET!SHFusionLoadLibrary+0x29  
0012f548 766a107d WININET!DelayLoadCC+0x15  
0012f77c 766a0ff7 WININET!SHFusionInitializeIDCC+0x92  
0012e3d0  "C:/WINDOWS/WindowsShell.Manifest"  
0012e410  ""  
=======  
eax=00000794  
---------------------------------------  
ChildEBP RetAddr    
0012f8cc 7c801a4f kernel32!CreateFileW  
0012f8f0 76d357ff kernel32!CreateFileA+0x30  
0012f954 76d3570a iphlpapi!OpenIPDriver+0x115  
0012f99c 76d35454 iphlpapi!OpenTCPDriver+0xee  
0012f9d0 76d35351 iphlpapi!DllMain+0x157  
0012f9f0 7c9211a7 iphlpapi!_DllMainCRTStartup+0x52  
0012fa10 7c93cbab ntdll!LdrpCallInitRoutine+0x14  
0012fb18 7c94173e ntdll!LdrpRunInitializeRoutines+0x344  
0012fc94 7c941639 ntdll!LdrpInitializeProcess+0x1131  
0012fd1c 7c92eac7 ntdll!_LdrpInitialize+0x183  
00000000 00000000 ntdll!KiUserApcDispatcher+0x7  
7ffdfc00  "//./Ip"  
=======  
eax=00000780  
---------------------------------------  
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:/Program Files/Tencent/QQ2009/Bin/KernelUtil.dll -   
ChildEBP RetAddr    
0012fc34 0044a69c kernel32!CreateFileW  
*** ERROR: Module load completed but symbols could not be loaded for QQ.exe  
WARNING: Stack unwind information not available. Following frames may be wrong.  
0012fca8 004029bd KernelUtil!Version::Init+0x8c  
0012ff08 004027d9 QQ+0x29bd  
0012ff28 00402635 QQ+0x27d9  
0012ffc0 7c816fd7 QQ+0x2635  
0012fff0 00000000 kernel32!BaseProcessStart+0x23  
00c8eca8  "C:/Program Files/Tencent/QQ2009/"  
00c8ece8  "Bin/vi.dat"  
=======  
eax=00000720  
---------------------------------------  
ChildEBP RetAddr    
0012eab4 0044a2ad kernel32!CreateFileW  
WARNING: Stack unwind information not available. Following frames may be wrong.  
0012fbb4 0044a4ea KernelUtil!Util::URL::OpenUrlWithTT+0x1cd  
0012fc4c 0044a6fc KernelUtil!Version::GetBuildVer+0xca  
0012fca8 004029bd KernelUtil!Version::Init+0xec  
0012ff08 004027d9 QQ+0x29bd  
0012ff28 00402635 QQ+0x27d9  
0012ffc0 7c816fd7 QQ+0x2635  
0012fff0 00000000 kernel32!BaseProcessStart+0x23  
00c8ede0  "C:/Program Files/Tencent/QQ2009/"  
00c8ee20  "Bin/QQ.exe"  
=======  
eax=00000720  


