I am currently learning Windows memory dump analysis, and I want to use an open-source WinDbg extension called SwishDbgExt.


0: kd> !load C:\Users\Martin\Desktop\SwishDbgExt-master\bin\x64\SwishDbgExt.dll
SwishDbgExt v0.6.2.20150116 (Mar 27 2015) - Incident Response & Digital Forensics Debugging Extension
SwishDbgExt Copyright (C) 2014 MoonSols Ltd
SwishDbgExt Copyright (C) 2014 Matthieu Suiche (@msuiche)
- This program comes with ABSOLUTELY NO WARRANTY; for details type 'show w'.
This is free software, and you are welcome to redistribute it under certain conditions; type 'show c' for details.

0: kd> !
Commands for C:\Users\Martin\Desktop\SwishDbgExt-master\bin\x64\SwishDbgExt.dll:
  !help - Displays information on available extension commands
  !ms_callbacks - Display callback functions
  !ms_consoles - Display console command's history
  !ms_credentials - Display user's credentials (based on gentilwiki's mimikatz)
  !ms_drivers - Display list of drivers
  !ms_dump - Dump memory space on disk
  !ms_exqueue - Display Ex queued workers
  !ms_gdt - Display GDT
  !ms_hivelist - Display list of registry hives
  !ms_idt - Display IDT
  !ms_malscore - Analyze a memory space and returns a Malware Score Index (MSI) - (based on Frank Boldewin's work)
  !ms_mbr - Scan Master Boot Record (MBR)
  !ms_netstat - Display network information (sockets, connections, ...)
  !ms_object - Display list of object
  !ms_process - Display list of processes
  !ms_readkcb - Read key control block
  !ms_readknode - Read key node
  !ms_readkvalue - Read key value
  !ms_scanndishook - Scan and display suspicious NDIS hooks
  !ms_services - Display list of services
  !ms_ssdt - Display service descriptor table (SDT) functions
  !ms_store - Display information related to the Store Manager (ReadyBoost)
  !ms_timers - Display list of KTIMER
  !ms_vacbs - Display list of cached VACBs
!help <cmd> will give more information for a particular command

0: kd> !ms_drivers
ERROR: !ms_drivers: extension exception 0x80004005.
    "ExtRemoteTyped::ArrayElement: unable to retrieve element 0"