| Application |
| --- |
| Standalone Program - To Execute |
| Such as *.exe, *.com etc. |

| Example | x86 | x64 |
| --- | --- | --- |
| autochk.exe | C:\Windows\SysWOW64\autochk.exe | C:\Windows\System32\autochk.exe |
| winver.exe | C:\Windows\SysWOW64\winver.exe | C:\Windows\System32\winver.exe |
| tree.com | C:\Windows\SysWOW64\tree.com | C:\Windows\System32\tree.com |

- autochk.exe : Native Application (Cannot be Run in Win32 Mode)
- winver.exe : Windows GUI Application
- tree.com : Windows CUI Application

Entry Points like NtProcessStartup, mainCRTStartup, wWinMainCRTStartup etc.

| Application Extension |
| --- |
| Shared/Component Program - To Execute |
| Such as *.dll, *.sys etc. |

| Example | x86 | x64 |
| --- | --- | --- |
| null.sys | C:\Windows\SysWOW64\drivers\null.sys | C:\Windows\System32\drivers\null.sys |
| shell32.dll | C:\Windows\SysWOW64\shell32.dll | C:\Windows\System32\shell32.dll |
| ulib.dll | C:\Windows\SysWOW64\ulib.dll | C:\Windows\System32\ulib.dll |

- null.sys : Native Application Extension
- shell32.dll : Windows GUI Application Extension
- ulib.dll : Windows CUI Application Extension

Entry Points like DriverEntry, DllMainCRTStartup etc.

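As an added example (Python, not part of the original reference and not a Microsoft tool), the following reads the PE headers behind the two tables above: the optional header Magic separates x86 from x64 images, the COFF Characteristics DLL flag separates an Application from an Application Extension, Subsystem yields the Native / GUI / CUI label, and AddressOfEntryPoint is the RVA that the entry points listed above resolve to. The sample images are constructed header-only blobs, not the real system files.

```python
import struct

SUBSYSTEMS = {  # IMAGE_SUBSYSTEM_* values from winnt.h, named as in the table above
    1: "Native Application (Cannot be Run in Win32 Mode)",
    2: "Windows GUI Application",
    3: "Windows CUI Application",
}
IMAGE_FILE_DLL = 0x2000                    # Characteristics: image is a DLL/driver
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B  # optional header Magic: x86 / x64

def classify_pe(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> optional header."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    characteristics = struct.unpack_from("<HHIIIHH", data, coff)[6]  # 20-byte COFF header
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]  # Subsystem (same offset in PE32/PE32+)
    return {
        "arch": "x64" if magic == PE32PLUS_MAGIC else "x86",
        "kind": "Application Extension" if characteristics & IMAGE_FILE_DLL else "Application",
        "subsystem": SUBSYSTEMS.get(subsystem, f"Unknown ({subsystem})"),
        "entry_point_rva": entry_rva,
    }

def build_sample(magic: int, subsystem: int, characteristics: int, entry_rva: int = 0x1000) -> bytes:
    """Constructed header-only PE blob for offline testing; not a real system file."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header follows the DOS header
    machine = 0x8664 if magic == PE32PLUS_MAGIC else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 240, characteristics)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, 16, entry_rva)
    struct.pack_into("<H", opt, 68, subsystem)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    # Constructed stand-ins for two table entries (not the real files' headers).
    print(classify_pe(build_sample(PE32PLUS_MAGIC, 1, 0x22)))    # autochk.exe-like
    print(classify_pe(build_sample(PE32PLUS_MAGIC, 2, 0x2022)))  # shell32.dll-like
```

On a real system, pass `open(path, "rb").read()` of one of the listed files to `classify_pe` instead of a constructed blob.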
| Process |
| --- |
| Running Instance of Application |
| Identified by Process Identifier |

| How To | Command |
| --- | --- |
| List Running Processes | CMD@ `tlist.exe -t` |

- `tlist.exe` : Program, Process List Utility
- `-t` : Switch, Tree View

Alternatively, RUN@ taskmgr.exe → Details

| Thread |
| --- |
| Running Instance of Program in Process |
| Identified by Thread Identifier |

| How To | Command |
| --- | --- |
| List Running Threads | CDB@ `~*` |

- `~` : Standard Command, Display Thread Status
- `*` : Parameter, All Threads

Alternatively, RUN@ windbg.exe → DBG@ → View → Processes and Threads (Alt+9)

| Loader |
| --- |
| Load and Map Images into Virtual Address Space |
| Identified by Ldr Prefix |

| How To | Command |
| --- | --- |
| Break on Module Load | CDB@ `sxe ld {Module}` |

- `sxe` : Standard Command, Set Exception Enabled
- `ld` : Option, Load Module Event
- `{Module}` : Parameter, Module Name

Alternatively, RUN@ windbg.exe → DBG@ → Debug → Event Filters...

| Address Space |
| --- |
| Virtual Memory Address of Process |
| Such as User, System etc. |

| Usage | |
| --- | --- |
| User Space | Private Virtual Address Space |
| System Space | Shared Virtual Address Space |

| How To | Command |
| --- | --- |
| Dump Address Space | CDB@ / KD@ `!address` |

- `!address` : Extension Command, Display Address Space

Alternatively, RUN@ windbg.exe → DBG@ → View → Command (Alt+1) → !address

| Module |
| --- |
| Executable Image in Process Memory |
| Most Cases without File Extension |

| How To | Command |
| --- | --- |
| List Modules | CDB@ `lm` |

- `lm` : Standard Command, Display Loaded Modules

Alternatively, RUN@ windbg.exe → DBG@ → Debug → Modules...

Also Known As Executable Image

| How To | Command |
| --- | --- |
| Dump Image Information | CDB@ `lmv m {Module \| Address}` |

- `lmv` : Standard Command, Display Loaded Modules Verbose
- `m` : Option, Pattern
- `{Module | Address}` : Parameter, Module Name or Module Base Address

Alternatively, RUN@ windbg.exe → DBG@ → View → Command (Alt+1) → lmv m {Module | Address}

| Memory Dump |
| --- |
| Snapshot of Process Memory |
| Such as Mini Dump, Full Dump etc. |

| How To | Command |
| --- | --- |
| Create Dump File | CDB@ `.dump /mfh {Dump}` |

- `.dump` : Meta Command, Create Memory Dump File
- `/mfh` : Option, Minidump + Full Memory + Handle Information
- `{Dump}` : Parameter, Dump File Name

Alternatively, RUN@ taskmgr.exe → MGR@ → Details → Go to Process (Right Click) → Create Memory Dump File → Open File Location → Verify Memory Dump File