| Application |
| Standalone Executable Program |
| For Instance *.exe, *.com etc. |
| Example |
| autochk.exe | | x86 C:\Windows\SysWOW64\autochk.exe | | x64 C:\Windows\System32\autochk.exe |
|
| winver.exe | | x86 C:\Windows\SysWOW64\winver.exe | | x64 C:\Windows\System32\winver.exe |
|
| tree.com | | x86 C:\Windows\SysWOW64\tree.com | | x64 C:\Windows\System32\tree.com |
|
autochk.exe : Native Application (Cannot be Run in Win32 Mode)
winver.exe : Windows GUI Application
tree.com : Windows CUI Application |
| Entry Points like NtProcessStartup, mainCRTStartup, wWinMainCRTStartup etc. |
| Application Extension |
| Shared Library and Component Executable Program |
| For Instance *.dll, *.sys etc. |
| Example |
| null.sys | | x86 C:\Windows\SysWOW64\drivers\null.sys | | x64 C:\Windows\System32\drivers\null.sys |
|
| shell32.dll | | x86 C:\Windows\SysWOW64\shell32.dll | | x64 C:\Windows\System32\shell32.dll |
|
| ulib.dll | | x86 C:\Windows\SysWOW64\ulib.dll | | x64 C:\Windows\System32\ulib.dll |
|
null.sys : Native Application Extension
shell32.dll : Windows GUI Application Extension
ulib.dll : Windows CUI Application Extension |
| Entry Points like DriverEntry, DllMainCRTStartup etc. |
| Process |
| Running Instance of Application |
| Identified by Process Identifier |
| How To |
| List Running Processes | CMD@ tlist.exe -t |
tlist.exe : Program, Process List Utility
-t : Switch, Specifies Tree View |
| Alternatively, RUN@ taskmgr.exe → Details |
| Thread |
| Running Instance of Program in Process |
| Identified by Thread Identifier |
| How To |
| List Running Threads | CDB@ ~ * |
~ : Standard Command, To Display Thread Status
* : Parameter, All Thread |
| Alternatively, RUN@ windbg.exe → View → Processes and Threads (Alt+9) |
| Loader |
| Load and Map Images into Virtual Address Space |
| Identified by Ldr Prefix |
| How To |
| Break on Module Load | CDB@ sxe ld {Module} |
sxe : Standard Command, To Set Exception Enabled
ld : Option, Specifies Load Symbol
{Module} : Parameter, Module Name |
| Alternatively, RUN@ windbg.exe → Debug → Event Filters... |
| Virtual Address Space |
| Virtual Memory Address of Process |
| For Instance User, System etc. |
| Usage |
| User Space | Private Virtual Address Space |
| System Space | Shared Virtual Address Space |
|
| How To |
| Dump User Space | CDB@ !address |
| !address : Extension Command, To Display Address Space |
| Alternatively, RUN@ windbg.exe → View → Command (Alt+1) → !address |
| Module |
| Executable Image in Process Memory |
| Most Cases without Extension of Image File |
| How To |
| List Module | CDB@ lm |
| lm : Standard Command, To Display Loaded Module |
| Alternatively, RUN@ windbg.exe → Debug → Modules... |
| Also Known As Executable Image |
| How To |
| Dump Image Information | CDB@ lmv m {Module | Address} |
lmv : Standard Command, To Display Loaded Module Verbose
m : Option, Specifies Pattern
{Module | Address} : Parameter, Module Name or Module Base Address |
| Alternatively, RUN@ windbg.exe → View → Command (Alt+1) → lmv m {Module | Address} |
| Memory Dump |
| Snapshot of Process Memory |
| For Instance Full, Mini etc. |
| How To |
| Create Dump File | CDB@ .dump /mfh {Dump} |
.dump : Meta Command, To Create Memory Dump File
/mfh : Option, Specifies Minidump + Full Memory + Handles Information
{Dump} : Parameter, Dump File Name |
| Alternatively, RUN@ taskmgr.exe → Details → Process (Right Click) → Create memory dump file → Open file location |