Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
Copyright (c) Microsoft Corporation. All rights reserved.

Connected to Windows XP 2600 x86 compatible target at (Mon Mar 12 17:51:45.346 2012 (UTC - 5:00)), ptr64 FALSE
Symbol search path is: *** Invalid ***
****************************************************************************
* Symbol loading may be unreliable without a symbol search path. *
* Use .symfix to have the debugger choose a symbol path. *
* After setting your symbol path, use .reload to refresh symbol locations. *
****************************************************************************
Executable search path is:
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
* *
* The Symbol Path can be set by: *
* using the _NT_SYMBOL_PATH environment variable. *
* using the -y argument when starting the debugger. *
* using .sympath and .sympath+ *
*********************************************************************
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntoskrnl.exe -
*******************************************************************************
WARNING: Local kernel debugging requires booting with kernel
debugging support (/debug or bcdedit -debug on) to work optimally.
*******************************************************************************
Windows XP Kernel Version 2600 (Service Pack 3) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp.080413-2111
Machine Name:
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055b1c0
Debug session time: Mon Mar 12 17:51:46.338 2012 (UTC - 5:00)
System Uptime: 0 days 0:47:58.238
lkd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
NT symbols are incorrect, please fix symbols
lkd> .reload
Connected to Windows XP 2600 x86 compatible target at (Mon Mar 12 17:52:38.232 2012 (UTC - 5:00)), ptr64 FALSE
Loading Kernel Symbols
...............................................................
.................................
Loading User Symbols
........................
Loading unloaded module list
..............
lkd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS 81bcca00 SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000
    DirBase: 00039000 ObjectTable: e1001cd0 HandleCount: 241.
    Image: System
PROCESS 819c4128 SessionId: none Cid: 0164 Peb: 7ffde000 ParentCid: 0004
    DirBase: 05ec8000 ObjectTable: e13d9c80 HandleCount: 19.
    Image: smss.exe
PROCESS 819de020 SessionId: 0 Cid: 023c Peb: 7ffdf000 ParentCid: 0164
    DirBase: 06f6a000 ObjectTable: e14ded08 HandleCount: 300.
    Image: csrss.exe
PROCESS 81983128 SessionId: 0 Cid: 0254 Peb: 7ffd6000 ParentCid: 0164
    DirBase: 070ef000 ObjectTable: e14ca510 HandleCount: 508.
    Image: winlogon.exe
PROCESS 81ac6390 SessionId: 0 Cid: 0280 Peb: 7ffdd000 ParentCid: 0254
    DirBase: 07410000 ObjectTable: e16c7b40 HandleCount: 242.
    Image: services.exe
PROCESS 81987458 SessionId: 0 Cid: 028c Peb: 7ffdc000 ParentCid: 0254
    DirBase: 0741b000 ObjectTable: e16ca998 HandleCount: 320.
    Image: lsass.exe
PROCESS 81aabb70 SessionId: 0 Cid: 0328 Peb: 7ffde000 ParentCid: 0280
    DirBase: 07b66000 ObjectTable: e1724e98 HandleCount: 190.
    Image: svchost.exe
PROCESS 81874828 SessionId: 0 Cid: 0378 Peb: 7ffdd000 ParentCid: 0280
    DirBase: 07e91000 ObjectTable: e176d148 HandleCount: 221.
    Image: svchost.exe
PROCESS 81869a00 SessionId: 0 Cid: 03d4 Peb: 7ffd8000 ParentCid: 0280
    DirBase: 08017000 ObjectTable: e17722d8 HandleCount: 1111.
    Image: svchost.exe
PROCESS 818627d0 SessionId: 0 Cid: 040c Peb: 7ffd7000 ParentCid: 0280
    DirBase: 081aa000 ObjectTable: e177aba8 HandleCount: 80.
    Image: svchost.exe
PROCESS 8198b4b8 SessionId: 0 Cid: 049c Peb: 7ffd6000 ParentCid: 0280
    DirBase: 09273000 ObjectTable: e14c2a50 HandleCount: 195.
    Image: svchost.exe
PROCESS 8199bda0 SessionId: 0 Cid: 05b8 Peb: 7ffda000 ParentCid: 05a4
    DirBase: 0a70d000 ObjectTable: e1a95f48 HandleCount: 319.
    Image: explorer.exe
PROCESS 818323b0 SessionId: 0 Cid: 05dc Peb: 7ffd6000 ParentCid: 0280
    DirBase: 0ae80000 ObjectTable: e18c3c50 HandleCount: 105.
    Image: spoolsv.exe
PROCESS 819b67e8 SessionId: 0 Cid: 0218 Peb: 7ffdb000 ParentCid: 03d4
    DirBase: 03027000 ObjectTable: e18d0a70 HandleCount: 26.
    Image: wscntfy.exe
PROCESS 8180b020 SessionId: 0 Cid: 03c4 Peb: 7ffde000 ParentCid: 0280
    DirBase: 05ecd000 ObjectTable: e185dbb0 HandleCount: 105.
    Image: alg.exe
PROCESS 81a2c890 SessionId: 0 Cid: 0434 Peb: 7ffde000 ParentCid: 05b8
    DirBase: 096e3000 ObjectTable: e20fee88 HandleCount: 32.
    Image: cmd.exe
PROCESS 81841020 SessionId: 0 Cid: 052c Peb: 7ffdf000 ParentCid: 05b8
    DirBase: 04225000 ObjectTable: e1789518 HandleCount: 111.
    Image: notepad++.exe
PROCESS 817b1da0 SessionId: 0 Cid: 0198 Peb: 7ffd5000 ParentCid: 05b8
    DirBase: 0dd4e000 ObjectTable: e11c8fb8 HandleCount: 33.
    Image: cmd.exe
PROCESS 817fc058 SessionId: 0 Cid: 065c Peb: 7ffd8000 ParentCid: 05b8
    DirBase: 0a4b8000 ObjectTable: e201a4a0 HandleCount: 43.
    Image: windbg.exe
PROCESS 81782190 SessionId: 0 Cid: 0090 Peb: 7ffd8000 ParentCid: 0198
    DirBase: 07daf000 ObjectTable: e15fed68 HandleCount: 7.
    Image: unlockme.exe
lkd> !process 81782190 7
PROCESS 81782190 SessionId: 0 Cid: 0090 Peb: 7ffd8000 ParentCid: 0198
    DirBase: 07daf000 ObjectTable: e15fed68 HandleCount: 7.
    Image: unlockme.exe
    VadRoot 81a3edf8 Vads 20 Clone 0 Private 34. Modified 0. Locked 0.
    DeviceMap e1a0cbb8
    Token e13145f0
    ElapsedTime 00:01:53.653
    UserTime 00:01:51.019
    KernelTime 00:00:00.040
    QuotaPoolUsage[PagedPool] 7812
    QuotaPoolUsage[NonPagedPool] 800
    Working Set Sizes (now,min,max) (142, 50, 345) (568KB, 200KB, 1380KB)
    PeakWorkingSetSize 142
    VirtualSize 5 Mb
    PeakVirtualSize 5 Mb
    PageFaultCount 138
    MemoryPriority BACKGROUND
    BasePriority 8
    CommitCharge 43

        THREAD 81a2cb38 Cid 0090.01a0 Teb: 7ffdf000 Win32Thread: 00000000 READY
        Not impersonating
        DeviceMap e1a0cbb8
        Owning Process 0 Image:
        Attached Process 81782190 Image: unlockme.exe
        Wait Start TickCount 296052 Ticks: 4 (0:00:00:00.040)
        Context Switch Count 5471
        UserTime 00:01:51.049
        KernelTime 00:00:00.040
        Win32 Start Address 0x004012b2
        Start Address kernel32!BaseProcessStartThunk (0x7c8106f5)
        Stack Init f7bd2000 Current f7bd1d44 Base f7bd2000 Limit f7bcf000 Call 0
        Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 16
        ChildEBP RetAddr Args to Child
        f7bd1d58 806f4a60 00000000 0012ff78 0040103b nt!KiDispatchInterrupt+0x7f (FPO: [Uses EBP] [0,0,3])
        f7bd1d58 00401038 00000000 0012ff78 00401038 hal!HalpDispatchInterrupt2ndEntry+0x1b (FPO: [0,1] TrapFrame @ f7bd1d64)
WARNING: Frame IP not in any known module. Following frames may be wrong.
        0012ff78 00000000 00000000 00000000 00000000 0x401038

lkd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS 81bcca00 SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000
    DirBase: 00039000 ObjectTable: e1001cd0 HandleCount: 241.
    Image: System
PROCESS 819c4128 SessionId: none Cid: 0164 Peb: 7ffde000 ParentCid: 0004
    DirBase: 05ec8000 ObjectTable: e13d9c80 HandleCount: 19.
    Image: smss.exe
PROCESS 819de020 SessionId: 0 Cid: 023c Peb: 7ffdf000 ParentCid: 0164
    DirBase: 06f6a000 ObjectTable: e14ded08 HandleCount: 303.
    Image: csrss.exe
PROCESS 81983128 SessionId: 0 Cid: 0254 Peb: 7ffd6000 ParentCid: 0164
    DirBase: 070ef000 ObjectTable: e14ca510 HandleCount: 508.
    Image: winlogon.exe
PROCESS 81ac6390 SessionId: 0 Cid: 0280 Peb: 7ffdd000 ParentCid: 0254
    DirBase: 07410000 ObjectTable: e16c7b40 HandleCount: 242.
    Image: services.exe
PROCESS 81987458 SessionId: 0 Cid: 028c Peb: 7ffdc000 ParentCid: 0254
    DirBase: 0741b000 ObjectTable: e16ca998 HandleCount: 320.
    Image: lsass.exe
PROCESS 81aabb70 SessionId: 0 Cid: 0328 Peb: 7ffde000 ParentCid: 0280
    DirBase: 07b66000 ObjectTable: e1724e98 HandleCount: 190.
    Image: svchost.exe
PROCESS 81874828 SessionId: 0 Cid: 0378 Peb: 7ffdd000 ParentCid: 0280
    DirBase: 07e91000 ObjectTable: e176d148 HandleCount: 225.
    Image: svchost.exe
PROCESS 81869a00 SessionId: 0 Cid: 03d4 Peb: 7ffd8000 ParentCid: 0280
    DirBase: 08017000 ObjectTable: e17722d8 HandleCount: 1111.
    Image: svchost.exe
PROCESS 818627d0 SessionId: 0 Cid: 040c Peb: 7ffd7000 ParentCid: 0280
    DirBase: 081aa000 ObjectTable: e177aba8 HandleCount: 80.
    Image: svchost.exe
PROCESS 8198b4b8 SessionId: 0 Cid: 049c Peb: 7ffd6000 ParentCid: 0280
    DirBase: 09273000 ObjectTable: e14c2a50 HandleCount: 195.
    Image: svchost.exe
PROCESS 8199bda0 SessionId: 0 Cid: 05b8 Peb: 7ffda000 ParentCid: 05a4
    DirBase: 0a70d000 ObjectTable: e1a95f48 HandleCount: 319.
    Image: explorer.exe
PROCESS 818323b0 SessionId: 0 Cid: 05dc Peb: 7ffd6000 ParentCid: 0280
    DirBase: 0ae80000 ObjectTable: e18c3c50 HandleCount: 105.
    Image: spoolsv.exe
PROCESS 819b67e8 SessionId: 0 Cid: 0218 Peb: 7ffdb000 ParentCid: 03d4
    DirBase: 03027000 ObjectTable: e18d0a70 HandleCount: 26.
    Image: wscntfy.exe
PROCESS 8180b020 SessionId: 0 Cid: 03c4 Peb: 7ffde000 ParentCid: 0280
    DirBase: 05ecd000 ObjectTable: e185dbb0 HandleCount: 105.
Image: alg.exe PROCESS 81a2c890 SessionId: 0 Cid: 0434 Peb: 7ffde000 ParentCid: 05b8 DirBase: 096e3000 ObjectTable: e20fee88 HandleCount: 32. Image: cmd.exe PROCESS 81841020 SessionId: 0 Cid: 052c Peb: 7ffdf000 ParentCid: 05b8 DirBase: 04225000 ObjectTable: e1789518 HandleCount: 111. Image: notepad++.exe PROCESS 817b1da0 SessionId: 0 Cid: 0198 Peb: 7ffd5000 ParentCid: 05b8 DirBase: 0dd4e000 ObjectTable: e11c8fb8 HandleCount: 33. Image: cmd.exe PROCESS 817fc058 SessionId: 0 Cid: 065c Peb: 7ffd8000 ParentCid: 05b8 DirBase: 0a4b8000 ObjectTable: e201a4a0 HandleCount: 62. Image: windbg.exe PROCESS 81782190 SessionId: 0 Cid: 0090 Peb: 7ffd8000 ParentCid: 0198 DirBase: 07daf000 ObjectTable: e15fed68 HandleCount: 7. Image: unlockme.exe lkd> !db 07daf000+004 # 7daf004 67 20 f3 0f 00 00 00 00-00 00 00 00 00 00 00 00 g .............. # 7daf014 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ # 7daf024 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ # 7daf034 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ # 7daf044 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ # 7daf054 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ # 7daf064 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ # 7daf074 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ lkd> !db 0ff32000+4 # ff32004 25 c0 cc 0d 25 d0 fc 02-25 e0 cc 07 25 f0 58 0b %...%...%...%.X. # ff32014 25 00 3d 0d 25 10 51 03-25 20 b1 00 25 b0 d0 08 %.=.%.Q.% ..%... # ff32024 25 40 4b 04 25 50 ff 05-67 40 f5 05 67 80 e5 0a %@K.%P..g@..g... # ff32034 67 50 71 0c 00 00 00 00-00 00 00 00 00 00 00 00 gPq............. # ff32044 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ # ff32054 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ # ff32064 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ # ff32074 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ 
lkd> !db 0dccc000+0 # dccc000 55 8b ec 83 ec 0c c7 45-f8 48 69 4d 65 c7 45 fc U......E.HiMe.E. # dccc010 00 00 00 00 c7 45 f4 01-00 00 00 8d 45 f8 50 68 .....E......E.Ph # dccc020 04 b0 40 00 e8 42 00 00-00 83 c4 08 83 7d f4 00 ..@..B.......}.. # dccc030 74 0b 8b 4d fc 83 c1 01-89 4d fc eb ef 81 3d 00 t..M.....M....=. # dccc040 b0 40 00 f4 01 00 00 75-0f 68 24 b0 40 00 e8 18 .@.....u.h$.@... # dccc050 00 00 00 83 c4 04 eb 0d-68 38 b0 40 00 e8 09 00 ........h8.@.... # dccc060 00 00 83 c4 04 33 c0 8b-e5 5d c3 6a 0c 68 f0 99 .....3...].j.h.. # dccc070 40 00 e8 c9 13 00 00 33-c0 33 f6 39 75 08 0f 95 @......3.3.9u... lkd> !process 0 0 **** NT ACTIVE PROCESS DUMP **** PROCESS 81bcca00 SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000 DirBase: 00039000 ObjectTable: e1001cd0 HandleCount: 241. Image: System PROCESS 819c4128 SessionId: none Cid: 0164 Peb: 7ffde000 ParentCid: 0004 DirBase: 05ec8000 ObjectTable: e13d9c80 HandleCount: 19. Image: smss.exe PROCESS 819de020 SessionId: 0 Cid: 023c Peb: 7ffdf000 ParentCid: 0164 DirBase: 06f6a000 ObjectTable: e14ded08 HandleCount: 302. Image: csrss.exe PROCESS 81983128 SessionId: 0 Cid: 0254 Peb: 7ffd6000 ParentCid: 0164 DirBase: 070ef000 ObjectTable: e14ca510 HandleCount: 508. Image: winlogon.exe PROCESS 81ac6390 SessionId: 0 Cid: 0280 Peb: 7ffdd000 ParentCid: 0254 DirBase: 07410000 ObjectTable: e16c7b40 HandleCount: 242. Image: services.exe PROCESS 81987458 SessionId: 0 Cid: 028c Peb: 7ffdc000 ParentCid: 0254 DirBase: 0741b000 ObjectTable: e16ca998 HandleCount: 320. Image: lsass.exe PROCESS 81aabb70 SessionId: 0 Cid: 0328 Peb: 7ffde000 ParentCid: 0280 DirBase: 07b66000 ObjectTable: e1724e98 HandleCount: 188. Image: svchost.exe PROCESS 81874828 SessionId: 0 Cid: 0378 Peb: 7ffdd000 ParentCid: 0280 DirBase: 07e91000 ObjectTable: e176d148 HandleCount: 228. Image: svchost.exe PROCESS 81869a00 SessionId: 0 Cid: 03d4 Peb: 7ffd8000 ParentCid: 0280 DirBase: 08017000 ObjectTable: e17722d8 HandleCount: 1111. 
    Image: svchost.exe
PROCESS 818627d0 SessionId: 0 Cid: 040c Peb: 7ffd7000 ParentCid: 0280
    DirBase: 081aa000 ObjectTable: e177aba8 HandleCount: 80.
    Image: svchost.exe
PROCESS 8198b4b8 SessionId: 0 Cid: 049c Peb: 7ffd6000 ParentCid: 0280
    DirBase: 09273000 ObjectTable: e14c2a50 HandleCount: 195.
    Image: svchost.exe
PROCESS 8199bda0 SessionId: 0 Cid: 05b8 Peb: 7ffda000 ParentCid: 05a4
    DirBase: 0a70d000 ObjectTable: e1a95f48 HandleCount: 319.
    Image: explorer.exe
PROCESS 818323b0 SessionId: 0 Cid: 05dc Peb: 7ffd6000 ParentCid: 0280
    DirBase: 0ae80000 ObjectTable: e18c3c50 HandleCount: 105.
    Image: spoolsv.exe
PROCESS 819b67e8 SessionId: 0 Cid: 0218 Peb: 7ffdb000 ParentCid: 03d4
    DirBase: 03027000 ObjectTable: e18d0a70 HandleCount: 26.
    Image: wscntfy.exe
PROCESS 8180b020 SessionId: 0 Cid: 03c4 Peb: 7ffde000 ParentCid: 0280
    DirBase: 05ecd000 ObjectTable: e185dbb0 HandleCount: 105.
    Image: alg.exe
PROCESS 81a2c890 SessionId: 0 Cid: 0434 Peb: 7ffde000 ParentCid: 05b8
    DirBase: 096e3000 ObjectTable: e20fee88 HandleCount: 32.
    Image: cmd.exe
PROCESS 81841020 SessionId: 0 Cid: 052c Peb: 7ffdf000 ParentCid: 05b8
    DirBase: 04225000 ObjectTable: e1789518 HandleCount: 111.
    Image: notepad++.exe
PROCESS 817b1da0 SessionId: 0 Cid: 0198 Peb: 7ffd5000 ParentCid: 05b8
    DirBase: 0dd4e000 ObjectTable: e11c8fb8 HandleCount: 33.
    Image: cmd.exe
PROCESS 817fc058 SessionId: 0 Cid: 065c Peb: 7ffd8000 ParentCid: 05b8
    DirBase: 0a4b8000 ObjectTable: e201a4a0 HandleCount: 69.
    Image: windbg.exe
PROCESS 81782190 SessionId: 0 Cid: 0090 Peb: 7ffd8000 ParentCid: 0198
    DirBase: 07daf000 ObjectTable: e15fed68 HandleCount: 7.
    Image: unlockme.exe
lkd> !process 81782190 7
PROCESS 81782190 SessionId: 0 Cid: 0090 Peb: 7ffd8000 ParentCid: 0198
    DirBase: 07daf000 ObjectTable: e15fed68 HandleCount: 7.
    Image: unlockme.exe
    VadRoot 81a3edf8 Vads 20 Clone 0 Private 34. Modified 0. Locked 0.
    DeviceMap e1a0cbb8
    Token e13145f0
    ElapsedTime 00:09:47.755
    UserTime 00:09:43.999
    KernelTime 00:00:00.100
    QuotaPoolUsage[PagedPool] 7812
    QuotaPoolUsage[NonPagedPool] 800
    Working Set Sizes (now,min,max) (142, 50, 345) (568KB, 200KB, 1380KB)
    PeakWorkingSetSize 142
    VirtualSize 5 Mb
    PeakVirtualSize 5 Mb
    PageFaultCount 138
    MemoryPriority BACKGROUND
    BasePriority 8
    CommitCharge 43

        THREAD 81a2cb38 Cid 0090.01a0 Teb: 7ffdf000 Win32Thread: 00000000 READY
        Not impersonating
        DeviceMap e1a0cbb8
        Owning Process 0 Image:
        Attached Process 81782190 Image: unlockme.exe
        Wait Start TickCount 343384 Ticks: 11 (0:00:00:00.110)
        Context Switch Count 19543
        UserTime 00:09:43.989
        KernelTime 00:00:00.100
        Win32 Start Address 0x004012b2
        Start Address kernel32!BaseProcessStartThunk (0x7c8106f5)
        Stack Init f7bd2000 Current f7bd1d44 Base f7bd2000 Limit f7bcf000 Call 0
        Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 16
        ChildEBP RetAddr Args to Child
        f7bd1d58 806f4a60 00000000 0012ff78 0040102c nt!KiDispatchInterrupt+0x7f (FPO: [Uses EBP] [0,0,3])
        f7bd1d58 0040102c 00000000 0012ff78 0040102c hal!HalpDispatchInterrupt2ndEntry+0x1b (FPO: [0,1] TrapFrame @ f7bd1d64)
WARNING: Frame IP not in any known module. Following frames may be wrong.
        0012ff78 00000000 00000000 00000000 00000000 0x40102c

lkd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS 81bcca00 SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000
    DirBase: 00039000 ObjectTable: e1001cd0 HandleCount: 241.
    Image: System
PROCESS 819c4128 SessionId: none Cid: 0164 Peb: 7ffde000 ParentCid: 0004
    DirBase: 05ec8000 ObjectTable: e13d9c80 HandleCount: 19.
    Image: smss.exe
PROCESS 819de020 SessionId: 0 Cid: 023c Peb: 7ffdf000 ParentCid: 0164
    DirBase: 06f6a000 ObjectTable: e14ded08 HandleCount: 301.
    Image: csrss.exe
PROCESS 81983128 SessionId: 0 Cid: 0254 Peb: 7ffd6000 ParentCid: 0164
    DirBase: 070ef000 ObjectTable: e14ca510 HandleCount: 508.
    Image: winlogon.exe
PROCESS 81ac6390 SessionId: 0 Cid: 0280 Peb: 7ffdd000 ParentCid: 0254
    DirBase: 07410000 ObjectTable: e16c7b40 HandleCount: 242.
    Image: services.exe
PROCESS 81987458 SessionId: 0 Cid: 028c Peb: 7ffdc000 ParentCid: 0254
    DirBase: 0741b000 ObjectTable: e16ca998 HandleCount: 320.
    Image: lsass.exe
PROCESS 81aabb70 SessionId: 0 Cid: 0328 Peb: 7ffde000 ParentCid: 0280
    DirBase: 07b66000 ObjectTable: e1724e98 HandleCount: 190.
    Image: svchost.exe
PROCESS 81874828 SessionId: 0 Cid: 0378 Peb: 7ffdd000 ParentCid: 0280
    DirBase: 07e91000 ObjectTable: e176d148 HandleCount: 226.
    Image: svchost.exe
PROCESS 81869a00 SessionId: 0 Cid: 03d4 Peb: 7ffd8000 ParentCid: 0280
    DirBase: 08017000 ObjectTable: e17722d8 HandleCount: 1111.
    Image: svchost.exe
PROCESS 818627d0 SessionId: 0 Cid: 040c Peb: 7ffd7000 ParentCid: 0280
    DirBase: 081aa000 ObjectTable: e177aba8 HandleCount: 80.
    Image: svchost.exe
PROCESS 8198b4b8 SessionId: 0 Cid: 049c Peb: 7ffd6000 ParentCid: 0280
    DirBase: 09273000 ObjectTable: e14c2a50 HandleCount: 195.
    Image: svchost.exe
PROCESS 8199bda0 SessionId: 0 Cid: 05b8 Peb: 7ffda000 ParentCid: 05a4
    DirBase: 0a70d000 ObjectTable: e1a95f48 HandleCount: 319.
    Image: explorer.exe
PROCESS 818323b0 SessionId: 0 Cid: 05dc Peb: 7ffd6000 ParentCid: 0280
    DirBase: 0ae80000 ObjectTable: e18c3c50 HandleCount: 105.
    Image: spoolsv.exe
PROCESS 819b67e8 SessionId: 0 Cid: 0218 Peb: 7ffdb000 ParentCid: 03d4
    DirBase: 03027000 ObjectTable: e18d0a70 HandleCount: 26.
    Image: wscntfy.exe
PROCESS 8180b020 SessionId: 0 Cid: 03c4 Peb: 7ffde000 ParentCid: 0280
    DirBase: 05ecd000 ObjectTable: e185dbb0 HandleCount: 105.
    Image: alg.exe
PROCESS 81a2c890 SessionId: 0 Cid: 0434 Peb: 7ffde000 ParentCid: 05b8
    DirBase: 096e3000 ObjectTable: e20fee88 HandleCount: 32.
    Image: cmd.exe
PROCESS 81841020 SessionId: 0 Cid: 052c Peb: 7ffdf000 ParentCid: 05b8
    DirBase: 04225000 ObjectTable: e1789518 HandleCount: 111.
Image: notepad++.exe PROCESS 817b1da0 SessionId: 0 Cid: 0198 Peb: 7ffd5000 ParentCid: 05b8 DirBase: 0dd4e000 ObjectTable: e11c8fb8 HandleCount: 33. Image: cmd.exe PROCESS 817fc058 SessionId: 0 Cid: 065c Peb: 7ffd8000 ParentCid: 05b8 DirBase: 0a4b8000 ObjectTable: e201a4a0 HandleCount: 66. Image: windbg.exe PROCESS 81782190 SessionId: 0 Cid: 0090 Peb: 7ffd8000 ParentCid: 0198 DirBase: 07daf000 ObjectTable: e15fed68 HandleCount: 7. Image: unlockme.exe lkd> !db 07daf000+000 # 7daf000 67 60 b7 0c 67 20 f3 0f-00 00 00 00 00 00 00 00 g`..g .......... # 7daf010 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ # 7daf020 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ # 7daf030 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ # 7daf040 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ # 7daf050 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ # 7daf060 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ # 7daf070 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ lkd> !db 0cb76000+4Bc # cb764bc 67 b0 e3 0a 25 f0 6a 0a-25 00 6b 0a 00 00 00 00 g...%.j.%.k..... # cb764cc 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ # cb764dc 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ # cb764ec 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ # cb764fc 00 00 00 00 67 00 50 0b-67 10 10 00 67 40 e0 06 ....g.P.g...g@.. # cb7650c 67 b0 45 03 00 00 00 00-00 00 00 00 00 00 00 00 g.E............. # cb7651c 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ # cb7652c 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ lkd> !db 0cb76000+4Bc-C # cb764b0 00 00 00 00 80 02 00 00-67 90 60 0f 67 b0 e3 0a ........g.`.g... # cb764c0 25 f0 6a 0a 25 00 6b 0a-00 00 00 00 00 00 00 00 %.j.%.k......... # cb764d0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ 
# cb764e0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ # cb764f0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ # cb76500 67 00 50 0b 67 10 10 00-67 40 e0 06 67 b0 45 03 g.P.g...g@..g.E. # cb76510 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ # cb76520 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ lkd> !db 0cb76000+4B0 # cb764b0 00 00 00 00 80 02 00 00-67 90 60 0f 67 b0 e3 0a ........g.`.g... # cb764c0 25 f0 6a 0a 25 00 6b 0a-00 00 00 00 00 00 00 00 %.j.%.k......... # cb764d0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ # cb764e0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ # cb764f0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ # cb76500 67 00 50 0b 67 10 10 00-67 40 e0 06 67 b0 45 03 g.P.g...g@..g.E. # cb76510 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ # cb76520 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ lkd> !db 0cb76000+4BC-10 # cb764ac 00 00 00 00 00 00 00 00-80 02 00 00 67 90 60 0f ............g.`. # cb764bc 67 b0 e3 0a 25 f0 6a 0a-25 00 6b 0a 00 00 00 00 g...%.j.%.k..... # cb764cc 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ # cb764dc 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ # cb764ec 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ # cb764fc 00 00 00 00 67 00 50 0b-67 10 10 00 67 40 e0 06 ....g.P.g...g@.. # cb7650c 67 b0 45 03 00 00 00 00-00 00 00 00 00 00 00 00 g.E............. # cb7651c 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ lkd> !db 0cb76000+4BC # cb764bc 67 b0 e3 0a 25 f0 6a 0a-25 00 6b 0a 00 00 00 00 g...%.j.%.k..... # cb764cc 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ # cb764dc 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ # cb764ec 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ 
# cb764fc 00 00 00 00 67 00 50 0b-67 10 10 00 67 40 e0 06 ....g.P.g...g@.. # cb7650c 67 b0 45 03 00 00 00 00-00 00 00 00 00 00 00 00 g.E............. # cb7651c 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ # cb7652c 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ lkd> !db 0ae3b000+f78 # ae3bf78 c0 ff 12 00 5c 12 40 00-01 00 00 00 a0 33 33 00 ....\.@......33. # ae3bf88 c0 33 33 00 33 a7 ca c3-20 e6 5e 17 a2 00 cd 01 .33.3... .^..... # ae3bf98 00 80 fd 7f ac ff 12 00-a2 00 cd 01 00 00 00 00 ................ # ae3bfa8 8c ff 12 00 a2 7f b9 61-e0 ff 12 00 a0 24 40 00 .......a.....$@. # ae3bfb8 e3 c2 98 c3 00 00 00 00-f0 ff 12 00 67 70 81 7c ............gp.| # ae3bfc8 20 e6 5e 17 a2 00 cd 01-00 80 fd 7f b8 b6 54 80 .^...........T. # ae3bfd8 c8 ff 12 00 38 cb a2 81-ff ff ff ff c0 9a 83 7c ....8..........| # ae3bfe8 70 70 81 7c 00 00 00 00-00 00 00 00 00 00 00 00 pp.|............ lkd> !db 0ae3b000+f78-c # ae3bf6c 01 00 00 00 48 69 4d 65-45 f3 1f b5 c0 ff 12 00 ....HiMeE....... # ae3bf7c 5c 12 40 00 01 00 00 00-a0 33 33 00 c0 33 33 00 \.@......33..33. # ae3bf8c 33 a7 ca c3 20 e6 5e 17-a2 00 cd 01 00 80 fd 7f 3... .^......... # ae3bf9c ac ff 12 00 a2 00 cd 01-00 00 00 00 8c ff 12 00 ................ # ae3bfac a2 7f b9 61 e0 ff 12 00-a0 24 40 00 e3 c2 98 c3 ...a.....$@..... # ae3bfbc 00 00 00 00 f0 ff 12 00-67 70 81 7c 20 e6 5e 17 ........gp.| .^. # ae3bfcc a2 00 cd 01 00 80 fd 7f-b8 b6 54 80 c8 ff 12 00 ..........T..... # ae3bfdc 38 cb a2 81 ff ff ff ff-c0 9a 83 7c 70 70 81 7c 8..........|pp.| lkd> !eb 0ae3b000+f78-c 00 lkd> !db 0ae3b000+f78-c # ae3bf6c 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ # ae3bf7c 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ # ae3bf8c 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ # ae3bf9c 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ # ae3bfac 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ 
# ae3bfbc 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ # ae3bfcc 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ # ae3bfdc 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ lkd> !db 0dccc000+0 # dccc000 55 8b ec 83 ec 0c c7 45-f8 48 69 4d 65 c7 45 fc U......E.HiMe.E. # dccc010 00 00 00 00 c7 45 f4 01-00 00 00 8d 45 f8 50 68 .....E......E.Ph # dccc020 04 b0 40 00 e8 42 00 00-00 83 c4 08 83 7d f4 00 ..@..B.......}.. # dccc030 74 0b 8b 4d fc 83 c1 01-89 4d fc eb ef 81 3d 00 t..M.....M....=. # dccc040 b0 40 00 f4 01 00 00 75-0f 68 24 b0 40 00 e8 18 .@.....u.h$.@... # dccc050 00 00 00 83 c4 04 eb 0d-68 38 b0 40 00 e8 09 00 ........h8.@.... # dccc060 00 00 83 c4 04 33 c0 8b-e5 5d c3 6a 0c 68 f0 99 .....3...].j.h.. # dccc070 40 00 e8 c9 13 00 00 33-c0 33 f6 39 75 08 0f 95 @......3.3.9u... lkd> !process 0 0 **** NT ACTIVE PROCESS DUMP **** PROCESS 81bcca00 SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000 DirBase: 00039000 ObjectTable: e1001cd0 HandleCount: 241. Image: System PROCESS 819c4128 SessionId: none Cid: 0164 Peb: 7ffde000 ParentCid: 0004 DirBase: 05ec8000 ObjectTable: e13d9c80 HandleCount: 19. Image: smss.exe PROCESS 819de020 SessionId: 0 Cid: 023c Peb: 7ffdf000 ParentCid: 0164 DirBase: 06f6a000 ObjectTable: e14ded08 HandleCount: 305. Image: csrss.exe PROCESS 81983128 SessionId: 0 Cid: 0254 Peb: 7ffd6000 ParentCid: 0164 DirBase: 070ef000 ObjectTable: e14ca510 HandleCount: 508. Image: winlogon.exe PROCESS 81ac6390 SessionId: 0 Cid: 0280 Peb: 7ffdd000 ParentCid: 0254 DirBase: 07410000 ObjectTable: e16c7b40 HandleCount: 243. Image: services.exe PROCESS 81987458 SessionId: 0 Cid: 028c Peb: 7ffdc000 ParentCid: 0254 DirBase: 0741b000 ObjectTable: e16ca998 HandleCount: 320. Image: lsass.exe PROCESS 81aabb70 SessionId: 0 Cid: 0328 Peb: 7ffde000 ParentCid: 0280 DirBase: 07b66000 ObjectTable: e1724e98 HandleCount: 188. 
    Image: svchost.exe
PROCESS 81874828 SessionId: 0 Cid: 0378 Peb: 7ffdd000 ParentCid: 0280
    DirBase: 07e91000 ObjectTable: e176d148 HandleCount: 226.
    Image: svchost.exe
PROCESS 81869a00 SessionId: 0 Cid: 03d4 Peb: 7ffd8000 ParentCid: 0280
    DirBase: 08017000 ObjectTable: e17722d8 HandleCount: 1115.
    Image: svchost.exe
PROCESS 818627d0 SessionId: 0 Cid: 040c Peb: 7ffd7000 ParentCid: 0280
    DirBase: 081aa000 ObjectTable: e177aba8 HandleCount: 80.
    Image: svchost.exe
PROCESS 8198b4b8 SessionId: 0 Cid: 049c Peb: 7ffd6000 ParentCid: 0280
    DirBase: 09273000 ObjectTable: e14c2a50 HandleCount: 195.
    Image: svchost.exe
PROCESS 8199bda0 SessionId: 0 Cid: 05b8 Peb: 7ffda000 ParentCid: 05a4
    DirBase: 0a70d000 ObjectTable: e1a95f48 HandleCount: 317.
    Image: explorer.exe
PROCESS 818323b0 SessionId: 0 Cid: 05dc Peb: 7ffd6000 ParentCid: 0280
    DirBase: 0ae80000 ObjectTable: e18c3c50 HandleCount: 105.
    Image: spoolsv.exe
PROCESS 819b67e8 SessionId: 0 Cid: 0218 Peb: 7ffdb000 ParentCid: 03d4
    DirBase: 03027000 ObjectTable: e18d0a70 HandleCount: 26.
    Image: wscntfy.exe
PROCESS 8180b020 SessionId: 0 Cid: 03c4 Peb: 7ffde000 ParentCid: 0280
    DirBase: 05ecd000 ObjectTable: e185dbb0 HandleCount: 105.
    Image: alg.exe
PROCESS 81a2c890 SessionId: 0 Cid: 0434 Peb: 7ffde000 ParentCid: 05b8
    DirBase: 096e3000 ObjectTable: e20fee88 HandleCount: 32.
    Image: cmd.exe
PROCESS 81841020 SessionId: 0 Cid: 052c Peb: 7ffdf000 ParentCid: 05b8
    DirBase: 04225000 ObjectTable: e1789518 HandleCount: 114.
    Image: notepad++.exe
PROCESS 817b1da0 SessionId: 0 Cid: 0198 Peb: 7ffd5000 ParentCid: 05b8
    DirBase: 0dd4e000 ObjectTable: e11c8fb8 HandleCount: 33.
    Image: cmd.exe
PROCESS 817fc058 SessionId: 0 Cid: 065c Peb: 7ffd8000 ParentCid: 05b8
    DirBase: 0a4b8000 ObjectTable: e201a4a0 HandleCount: 66.
    Image: windbg.exe
PROCESS 817c46a0 SessionId: 0 Cid: 0420 Peb: 7ffd7000 ParentCid: 05b8
    DirBase: 03479000 ObjectTable: e18c5888 HandleCount: 29.
Image: calc.exe PROCESS 81a053d0 SessionId: 0 Cid: 051c Peb: 7ffd6000 ParentCid: 0198 DirBase: 07979000 ObjectTable: e1c04f10 HandleCount: 7. Image: unlockme.exe lkd> !db 07979000+4 # 7979004 67 00 c9 0c 00 00 00 00-00 00 00 00 00 00 00 00 g............... # 7979014 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ # 7979024 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ # 7979034 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ # 7979044 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ # 7979054 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ # 7979064 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ # 7979074 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ lkd> !db 0cc90000+2C # cc9002c 67 70 4a 03 67 b0 ae 0e-67 80 a2 00 00 00 00 00 gpJ.g...g....... # cc9003c 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ # cc9004c 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ # cc9005c 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ # cc9006c 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ # cc9007c 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ # cc9008c 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ # cc9009c 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ lkd> !db 034a7000+0 # 34a7000 f4 01 00 00 4d 79 20 73-74 61 63 6b 20 69 73 20 ....My stack is # 34a7010 61 72 6f 75 6e 64 20 68-65 72 65 3a 30 78 25 70 around here:0x%p # 34a7020 0a 00 00 00 4e 6f 20 70-72 69 7a 65 20 66 6f 72 ....No prize for # 34a7030 20 79 6f 75 21 00 00 00-45 78 63 65 6c 6c 65 6e you!...Excellen # 34a7040 74 21 21 00 01 00 00 00-c0 cb 40 00 00 00 00 00 t!!.......@..... # 34a7050 c0 cb 40 00 01 01 00 00-00 00 00 00 00 00 00 00 ..@............. # 34a7060 00 10 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ 
# 34a7070 00 00 00 00 02 00 00 00-01 00 00 00 00 00 00 00 ................ lkd> !eb 034a7000+0 00 lkd> !db 034a7000+0 # 34a7000 00 01 00 00 4d 79 20 73-74 61 63 6b 20 69 73 20 ....My stack is # 34a7010 61 72 6f 75 6e 64 20 68-65 72 65 3a 30 78 25 70 around here:0x%p # 34a7020 0a 00 00 00 4e 6f 20 70-72 69 7a 65 20 66 6f 72 ....No prize for # 34a7030 20 79 6f 75 21 00 00 00-45 78 63 65 6c 6c 65 6e you!...Excellen # 34a7040 74 21 21 00 01 00 00 00-c0 cb 40 00 00 00 00 00 t!!.......@..... # 34a7050 c0 cb 40 00 01 01 00 00-00 00 00 00 00 00 00 00 ..@............. # 34a7060 00 10 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ # 34a7070 00 00 00 00 02 00 00 00-01 00 00 00 00 00 00 00 ................ lkd> !db 034a7038 # 34a7038 45 78 63 65 6c 6c 65 6e-74 21 21 00 01 00 00 00 Excellent!!..... # 34a7048 c0 cb 40 00 00 00 00 00-c0 cb 40 00 01 01 00 00 ..@.......@..... # 34a7058 00 00 00 00 00 00 00 00-00 10 00 00 00 00 00 00 ................ # 34a7068 00 00 00 00 00 00 00 00-00 00 00 00 02 00 00 00 ................ # 34a7078 01 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ # 34a7088 00 00 00 00 00 00 00 00-00 00 00 00 02 00 00 00 ................ # 34a7098 02 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ # 34a70a8 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ lkd> !eb 034a7038 "I am awesome." lkd> !db 034a7038 # 34a7038 45 78 63 65 6c 6c 65 6e-74 21 21 00 01 00 00 00 Excellent!!..... # 34a7048 c0 cb 40 00 00 00 00 00-c0 cb 40 00 01 01 00 00 ..@.......@..... # 34a7058 00 00 00 00 00 00 00 00-00 10 00 00 00 00 00 00 ................ # 34a7068 00 00 00 00 00 00 00 00-00 00 00 00 02 00 00 00 ................ # 34a7078 01 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ # 34a7088 00 00 00 00 00 00 00 00-00 00 00 00 02 00 00 00 ................ # 34a7098 02 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ # 34a70a8 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ 
lkd> !eb 034a7038 "I"
lkd> !db 034a7038
# 34a7038 45 78 63 65 6c 6c 65 6e-74 21 21 00 01 00 00 00 Excellent!!.....
# 34a7048 c0 cb 40 00 00 00 00 00-c0 cb 40 00 01 01 00 00 ..@.......@.....
# 34a7058 00 00 00 00 00 00 00 00-00 10 00 00 00 00 00 00 ................
# 34a7068 00 00 00 00 00 00 00 00-00 00 00 00 02 00 00 00 ................
# 34a7078 01 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
# 34a7088 00 00 00 00 00 00 00 00-00 00 00 00 02 00 00 00 ................
# 34a7098 02 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
# 34a70a8 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
lkd> !eb 034a7038 46
lkd> !db 034a7038
# 34a7038 46 78 63 65 6c 6c 65 6e-74 21 21 00 01 00 00 00 Fxcellent!!.....
# 34a7048 c0 cb 40 00 00 00 00 00-c0 cb 40 00 01 01 00 00 ..@.......@.....
# 34a7058 00 00 00 00 00 00 00 00-00 10 00 00 00 00 00 00 ................
# 34a7068 00 00 00 00 00 00 00 00-00 00 00 00 02 00 00 00 ................
# 34a7078 01 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
# 34a7088 00 00 00 00 00 00 00 00-00 00 00 00 02 00 00 00 ................
# 34a7098 02 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
# 34a70a8 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
lkd> !eb 034a7051
lkd> !db 034a7051
# 34a7051 cb 40 00 01 01 00 00 00-00 00 00 00 00 00 00 00 .@..............
# 34a7061 10 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
# 34a7071 00 00 00 02 00 00 00 01-00 00 00 00 00 00 00 00 ................
# 34a7081 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
# 34a7091 00 00 00 02 00 00 00 02-00 00 00 00 00 00 00 00 ................
# 34a70a1 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
# 34a70b1 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
# 34a70c1 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
lkd> !db 034a7050
# 34a7050 c0 cb 40 00 01 01 00 00-00 00 00 00 00 00 00 00 ..@.............
# 34a7060 00 10 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
# 34a7070 00 00 00 00 02 00 00 00-01 00 00 00 00 00 00 00 ................
# 34a7080 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
# 34a7090 00 00 00 00 02 00 00 00-02 00 00 00 00 00 00 00 ................
# 34a70a0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
# 34a70b0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
# 34a70c0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
lkd> !db 034a7048
# 34a7048 c0 cb 40 00 00 00 00 00-c0 cb 40 00 01 01 00 00 ..@.......@.....
# 34a7058 00 00 00 00 00 00 00 00-00 10 00 00 00 00 00 00 ................
# 34a7068 00 00 00 00 00 00 00 00-00 00 00 00 02 00 00 00 ................
# 34a7078 01 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
# 34a7088 00 00 00 00 00 00 00 00-00 00 00 00 02 00 00 00 ................
# 34a7098 02 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
# 34a70a8 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
# 34a70b8 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
lkd> !db 034a7040
# 34a7040 74 21 21 00 01 00 00 00-c0 cb 40 00 00 00 00 00 t!!.......@.....
# 34a7050 c0 cb 40 00 01 01 00 00-00 00 00 00 00 00 00 00 ..@.............
# 34a7060 00 10 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
# 34a7070 00 00 00 00 02 00 00 00-01 00 00 00 00 00 00 00 ................
# 34a7080 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
# 34a7090 00 00 00 00 02 00 00 00-02 00 00 00 00 00 00 00 ................
# 34a70a0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
# 34a70b0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
lkd> !db 034a7042
# 34a7042 21 00 01 00 00 00 c0 cb-40 00 00 00 00 00 c0 cb !.......@.......
# 34a7052 40 00 01 01 00 00 00 00-00 00 00 00 00 00 00 10 @...............
# 34a7062 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
# 34a7072 00 00 02 00 00 00 01 00-00 00 00 00 00 00 00 00 ................
# 34a7082 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
# 34a7092 00 00 02 00 00 00 02 00-00 00 00 00 00 00 00 00 ................
# 34a70a2 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
# 34a70b2 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
lkd> !db 034a7043
# 34a7043 00 01 00 00 00 c0 cb 40-00 00 00 00 00 c0 cb 40 .......@.......@
# 34a7053 00 01 01 00 00 00 00 00-00 00 00 00 00 00 10 00 ................
# 34a7063 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
# 34a7073 00 02 00 00 00 01 00 00-00 00 00 00 00 00 00 00 ................
# 34a7083 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
# 34a7093 00 02 00 00 00 02 00 00-00 00 00 00 00 00 00 00 ................
# 34a70a3 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
# 34a70b3 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
lkd> !eb 034a7043 46
lkd> !db 034a7043
# 34a7043 46 01 00 00 00 c0 cb 40-00 00 00 00 00 c0 cb 40 F......@.......@
# 34a7053 00 01 01 00 00 00 00 00-00 00 00 00 00 00 10 00 ................
# 34a7063 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
# 34a7073 00 02 00 00 00 01 00 00-00 00 00 00 00 00 00 00 ................
# 34a7083 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
# 34a7093 00 02 00 00 00 02 00 00-00 00 00 00 00 00 00 00 ................
# 34a70a3 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
# 34a70b3 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
lkd> !eb 034a7044 00
lkd> !eb 034a7044 20
lkd> !db 034a7038
# 34a7038 46 78 63 65 6c 6c 65 6e-74 21 21 46 20 00 00 00 Fxcellent!!F ...
# 34a7048 c0 cb 40 00 00 00 00 00-c0 cb 40 00 01 01 00 00 ..@.......@.....
# 34a7058 00 00 00 00 00 00 00 00-00 10 00 00 00 00 00 00 ................
# 34a7068 00 00 00 00 00 00 00 00-00 00 00 00 02 00 00 00 ................
# 34a7078 01 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
# 34a7088 00 00 00 00 00 00 00 00-00 00 00 00 02 00 00 00 ................
# 34a7098 02 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
# 34a70a8 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
lkd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS 81bcca00 SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000
    DirBase: 00039000 ObjectTable: e1001cd0 HandleCount: 241.
    Image: System
PROCESS 819c4128 SessionId: none Cid: 0164 Peb: 7ffde000 ParentCid: 0004
    DirBase: 05ec8000 ObjectTable: e13d9c80 HandleCount: 19.
    Image: smss.exe
PROCESS 819de020 SessionId: 0 Cid: 023c Peb: 7ffdf000 ParentCid: 0164
    DirBase: 06f6a000 ObjectTable: e14ded08 HandleCount: 303.
    Image: csrss.exe
PROCESS 81983128 SessionId: 0 Cid: 0254 Peb: 7ffd6000 ParentCid: 0164
    DirBase: 070ef000 ObjectTable: e14ca510 HandleCount: 508.
    Image: winlogon.exe
PROCESS 81ac6390 SessionId: 0 Cid: 0280 Peb: 7ffdd000 ParentCid: 0254
    DirBase: 07410000 ObjectTable: e16c7b40 HandleCount: 241.
    Image: services.exe
PROCESS 81987458 SessionId: 0 Cid: 028c Peb: 7ffdc000 ParentCid: 0254
    DirBase: 0741b000 ObjectTable: e16ca998 HandleCount: 320.
    Image: lsass.exe
PROCESS 81aabb70 SessionId: 0 Cid: 0328 Peb: 7ffde000 ParentCid: 0280
    DirBase: 07b66000 ObjectTable: e1724e98 HandleCount: 188.
    Image: svchost.exe
PROCESS 81874828 SessionId: 0 Cid: 0378 Peb: 7ffdd000 ParentCid: 0280
    DirBase: 07e91000 ObjectTable: e176d148 HandleCount: 226.
    Image: svchost.exe
PROCESS 81869a00 SessionId: 0 Cid: 03d4 Peb: 7ffd8000 ParentCid: 0280
    DirBase: 08017000 ObjectTable: e17722d8 HandleCount: 1113.
    Image: svchost.exe
PROCESS 818627d0 SessionId: 0 Cid: 040c Peb: 7ffd7000 ParentCid: 0280
    DirBase: 081aa000 ObjectTable: e177aba8 HandleCount: 80.
    Image: svchost.exe
PROCESS 8198b4b8 SessionId: 0 Cid: 049c Peb: 7ffd6000 ParentCid: 0280
    DirBase: 09273000 ObjectTable: e14c2a50 HandleCount: 195.
    Image: svchost.exe
PROCESS 8199bda0 SessionId: 0 Cid: 05b8 Peb: 7ffda000 ParentCid: 05a4
    DirBase: 0a70d000 ObjectTable: e1a95f48 HandleCount: 317.
    Image: explorer.exe
PROCESS 818323b0 SessionId: 0 Cid: 05dc Peb: 7ffd6000 ParentCid: 0280
    DirBase: 0ae80000 ObjectTable: e18c3c50 HandleCount: 105.
    Image: spoolsv.exe
PROCESS 819b67e8 SessionId: 0 Cid: 0218 Peb: 7ffdb000 ParentCid: 03d4
    DirBase: 03027000 ObjectTable: e18d0a70 HandleCount: 26.
    Image: wscntfy.exe
PROCESS 8180b020 SessionId: 0 Cid: 03c4 Peb: 7ffde000 ParentCid: 0280
    DirBase: 05ecd000 ObjectTable: e185dbb0 HandleCount: 105.
    Image: alg.exe
PROCESS 81a2c890 SessionId: 0 Cid: 0434 Peb: 7ffde000 ParentCid: 05b8
    DirBase: 096e3000 ObjectTable: e20fee88 HandleCount: 32.
    Image: cmd.exe
PROCESS 81841020 SessionId: 0 Cid: 052c Peb: 7ffdf000 ParentCid: 05b8
    DirBase: 04225000 ObjectTable: e1789518 HandleCount: 114.
    Image: notepad++.exe
PROCESS 817b1da0 SessionId: 0 Cid: 0198 Peb: 7ffd5000 ParentCid: 05b8
    DirBase: 0dd4e000 ObjectTable: e11c8fb8 HandleCount: 33.
    Image: cmd.exe
PROCESS 817fc058 SessionId: 0 Cid: 065c Peb: 7ffd8000 ParentCid: 05b8
    DirBase: 0a4b8000 ObjectTable: e201a4a0 HandleCount: 66.
    Image: windbg.exe
PROCESS 817c46a0 SessionId: 0 Cid: 0420 Peb: 7ffd7000 ParentCid: 05b8
    DirBase: 03479000 ObjectTable: e18c5888 HandleCount: 29.
    Image: calc.exe
PROCESS 81a053d0 SessionId: 0 Cid: 051c Peb: 7ffd6000 ParentCid: 0198
    DirBase: 07979000 ObjectTable: e1c04f10 HandleCount: 7.
    Image: unlockme.exe
lkd> !process 81a053d0 7
PROCESS 81a053d0 SessionId: 0 Cid: 051c Peb: 7ffd6000 ParentCid: 0198
    DirBase: 07979000 ObjectTable: e1c04f10 HandleCount: 7.
    Image: unlockme.exe
    VadRoot 81b8d4b8 Vads 20 Clone 0 Private 34. Modified 0. Locked 0.
    DeviceMap e1a0cbb8
    Token e10d0618
    ElapsedTime 00:06:26.786
    UserTime 00:06:24.202
    KernelTime 00:00:00.280
    QuotaPoolUsage[PagedPool] 7812
    QuotaPoolUsage[NonPagedPool] 800
    Working Set Sizes (now,min,max) (142, 50, 345) (568KB, 200KB, 1380KB)
    PeakWorkingSetSize 142
    VirtualSize 5 Mb
    PeakVirtualSize 5 Mb
    PageFaultCount 138
    MemoryPriority BACKGROUND
    BasePriority 8
    CommitCharge 43
        THREAD 819bcda8 Cid 051c.05c0 Teb: 7ffdf000 Win32Thread: 00000000 READY
        Not impersonating
        DeviceMap e1a0cbb8
        Owning Process 0 Image:
        Attached Process 81a053d0 Image: unlockme.exe
        Wait Start TickCount 508662 Ticks: 11 (0:00:00:00.110)
        Context Switch Count 13494
        UserTime 00:06:24.192
        KernelTime 00:00:00.280
        Win32 Start Address 0x004012b2
        Start Address kernel32!BaseProcessStartThunk (0x7c8106f5)
        Stack Init f7bae000 Current f7badd44 Base f7bae000 Limit f7bab000 Call 0
        Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
        ChildEBP RetAddr Args to Child
        f7badd58 806f4a60 00000000 0012ff78 0040102c nt!KiDispatchInterrupt+0x7f (FPO: [Uses EBP] [0,0,3])
        f7badd58 0040102c 00000000 0012ff78 0040102c hal!HalpDispatchInterrupt2ndEntry+0x1b (FPO: [0,1] TrapFrame @ f7badd64)
WARNING: Frame IP not in any known module. Following frames may be wrong.
        0012ff78 00000000 00000000 00000000 00000000 0x40102c
lkd> !db 07979000
# 7979000 67 10 89 07 67 00 c9 0c-00 00 00 00 00 00 00 00 g...g...........
# 7979010 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
# 7979020 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
# 7979030 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
# 7979040 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
# 7979050 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
# 7979060 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
# 7979070 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
lkd> !db 07891000+4BC
# 78914bc 67 60 cd 0b 25 f0 6a 0a-25 00 6b 0a 00 00 00 00 g`..%.j.%.k.....
# 78914cc 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
# 78914dc 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
# 78914ec 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
# 78914fc 00 00 00 00 67 b0 01 0e-67 c0 a1 05 67 f0 31 06 ....g...g...g.1.
# 789150c 67 e0 d2 0a 00 00 00 00-00 00 00 00 00 00 00 00 g...............
# 789151c 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
# 789152c 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
lkd> !db 0bcd6000+f78
# bcd6f78 c0 ff 12 00 5c 12 40 00-01 00 00 00 a0 33 33 00 ....\.@......33.
# bcd6f88 c0 33 33 00 26 b8 82 19-f0 b6 8e 39 a6 00 cd 01 .33.&......9....
# bcd6f98 00 60 fd 7f ac ff 12 00-a6 00 cd 01 00 00 00 00 .`..............
# bcd6fa8 8c ff 12 00 31 f3 c1 ed-e0 ff 12 00 a0 24 40 00 ....1........$@.
# bcd6fb8 f6 dd d0 19 00 00 00 00-f0 ff 12 00 67 70 81 7c ............gp.|
# bcd6fc8 f0 b6 8e 39 a6 00 cd 01-00 60 fd 7f b8 b6 54 80 ...9.....`....T.
# bcd6fd8 c8 ff 12 00 a8 cd 9b 81-ff ff ff ff c0 9a 83 7c ...............|
# bcd6fe8 70 70 81 7c 00 00 00 00-00 00 00 00 00 00 00 00 pp.|............
lkd> !db 0bcd6000+f78-C
# bcd6f6c 01 00 00 00 48 69 4d 65-e5 fd 16 ae c0 ff 12 00 ....HiMe........
# bcd6f7c 5c 12 40 00 01 00 00 00-a0 33 33 00 c0 33 33 00 \.@......33..33.
# bcd6f8c 26 b8 82 19 f0 b6 8e 39-a6 00 cd 01 00 60 fd 7f &......9.....`..
# bcd6f9c ac ff 12 00 a6 00 cd 01-00 00 00 00 8c ff 12 00 ................
# bcd6fac 31 f3 c1 ed e0 ff 12 00-a0 24 40 00 f6 dd d0 19 1........$@.....
# bcd6fbc 00 00 00 00 f0 ff 12 00-67 70 81 7c f0 b6 8e 39 ........gp.|...9
# bcd6fcc a6 00 cd 01 00 60 fd 7f-b8 b6 54 80 c8 ff 12 00 .....`....T.....
# bcd6fdc a8 cd 9b 81 ff ff ff ff-c0 9a 83 7c 70 70 81 7c ...........|pp.|
lkd> !eb 0bcd6000+f78-C 00
lkd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS 81bcca00 SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000
    DirBase: 00039000 ObjectTable: e1001cd0 HandleCount: 241.
    Image: System
PROCESS 819c4128 SessionId: none Cid: 0164 Peb: 7ffde000 ParentCid: 0004
    DirBase: 05ec8000 ObjectTable: e13d9c80 HandleCount: 19.
    Image: smss.exe
PROCESS 819de020 SessionId: 0 Cid: 023c Peb: 7ffdf000 ParentCid: 0164
    DirBase: 06f6a000 ObjectTable: e14ded08 HandleCount: 305.
    Image: csrss.exe
PROCESS 81983128 SessionId: 0 Cid: 0254 Peb: 7ffd6000 ParentCid: 0164
    DirBase: 070ef000 ObjectTable: e14ca510 HandleCount: 508.
    Image: winlogon.exe
PROCESS 81ac6390 SessionId: 0 Cid: 0280 Peb: 7ffdd000 ParentCid: 0254
    DirBase: 07410000 ObjectTable: e16c7b40 HandleCount: 243.
    Image: services.exe
PROCESS 81987458 SessionId: 0 Cid: 028c Peb: 7ffdc000 ParentCid: 0254
    DirBase: 0741b000 ObjectTable: e16ca998 HandleCount: 320.
    Image: lsass.exe
PROCESS 81aabb70 SessionId: 0 Cid: 0328 Peb: 7ffde000 ParentCid: 0280
    DirBase: 07b66000 ObjectTable: e1724e98 HandleCount: 188.
    Image: svchost.exe
PROCESS 81874828 SessionId: 0 Cid: 0378 Peb: 7ffdd000 ParentCid: 0280
    DirBase: 07e91000 ObjectTable: e176d148 HandleCount: 228.
    Image: svchost.exe
PROCESS 81869a00 SessionId: 0 Cid: 03d4 Peb: 7ffd8000 ParentCid: 0280
    DirBase: 08017000 ObjectTable: e17722d8 HandleCount: 1113.
    Image: svchost.exe
PROCESS 818627d0 SessionId: 0 Cid: 040c Peb: 7ffd7000 ParentCid: 0280
    DirBase: 081aa000 ObjectTable: e177aba8 HandleCount: 80.
    Image: svchost.exe
PROCESS 8198b4b8 SessionId: 0 Cid: 049c Peb: 7ffd6000 ParentCid: 0280
    DirBase: 09273000 ObjectTable: e14c2a50 HandleCount: 195.
    Image: svchost.exe
PROCESS 8199bda0 SessionId: 0 Cid: 05b8 Peb: 7ffda000 ParentCid: 05a4
    DirBase: 0a70d000 ObjectTable: e1a95f48 HandleCount: 317.
    Image: explorer.exe
PROCESS 818323b0 SessionId: 0 Cid: 05dc Peb: 7ffd6000 ParentCid: 0280
    DirBase: 0ae80000 ObjectTable: e18c3c50 HandleCount: 105.
    Image: spoolsv.exe
PROCESS 819b67e8 SessionId: 0 Cid: 0218 Peb: 7ffdb000 ParentCid: 03d4
    DirBase: 03027000 ObjectTable: e18d0a70 HandleCount: 26.
    Image: wscntfy.exe
PROCESS 8180b020 SessionId: 0 Cid: 03c4 Peb: 7ffde000 ParentCid: 0280
    DirBase: 05ecd000 ObjectTable: e185dbb0 HandleCount: 105.
    Image: alg.exe
PROCESS 81a2c890 SessionId: 0 Cid: 0434 Peb: 7ffde000 ParentCid: 05b8
    DirBase: 096e3000 ObjectTable: e20fee88 HandleCount: 32.
    Image: cmd.exe
PROCESS 81841020 SessionId: 0 Cid: 052c Peb: 7ffdf000 ParentCid: 05b8
    DirBase: 04225000 ObjectTable: e1789518 HandleCount: 114.
    Image: notepad++.exe
PROCESS 817b1da0 SessionId: 0 Cid: 0198 Peb: 7ffd5000 ParentCid: 05b8
    DirBase: 0dd4e000 ObjectTable: e11c8fb8 HandleCount: 33.
    Image: cmd.exe
PROCESS 817fc058 SessionId: 0 Cid: 065c Peb: 7ffd8000 ParentCid: 05b8
    DirBase: 0a4b8000 ObjectTable: e201a4a0 HandleCount: 66.
    Image: windbg.exe
PROCESS 817c46a0 SessionId: 0 Cid: 0420 Peb: 7ffd7000 ParentCid: 05b8
    DirBase: 03479000 ObjectTable: e18c5888 HandleCount: 29.
    Image: calc.exe
PROCESS 819bcda0 SessionId: 0 Cid: 01d8 Peb: 7ffdf000 ParentCid: 0198
    DirBase: 0267e000 ObjectTable: e1075678 HandleCount: 7.
    Image: unlockme.exe
lkd> !db 0267e000
# 267e000 67 c0 dc 03 67 b0 04 08-00 00 00 00 00 00 00 00 g...g...........
# 267e010 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
# 267e020 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
# 267e030 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
# 267e040 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
# 267e050 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
# 267e060 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
# 267e070 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
lkd> !db 03dcc000+4Bc
# 3dcc4bc 67 10 dd 06 25 f0 6a 0a-25 00 6b 0a 00 00 00 00 g...%.j.%.k.....
# 3dcc4cc 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
# 3dcc4dc 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
# 3dcc4ec 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
# 3dcc4fc 00 00 00 00 67 60 f1 04-67 70 2d 0c 67 a0 95 09 ....g`..gp-.g...
# 3dcc50c 67 90 c6 03 00 00 00 00-00 00 00 00 00 00 00 00 g...............
# 3dcc51c 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
# 3dcc52c 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
lkd> !eb 03dcc000+4Bc 65