ntsd.exe download (Microsoft's own process-termination tool ntsd.exe, usable on Win): it can be used to forcibly end processes. NTSD is very powerful, and it works well for forcibly terminating a stubborn process; apart from Windows' own management processes, ntsd can kill almost anything. XP ships with it, but Win does not: after downloading, extract it to C:/windows/system, and you can then operate it from cmd.
Process file: ntsd or ntsd.exe
Process name: Symbolic Debugger for Windows. ntsd.exe is the user-mode debugging tool that ships with Microsoft Windows. It can be used to end every process except System, SMSS.EXE and CSRSS.EXE. The program is frequently abused by viruses to forcibly terminate antivirus processes.
NTSD (Microsoft Windows NT Symbolic/Systems Debugger) is a debugger installed by default with Windows (Microsoft Windows XP). It is essentially a command-line version of WinDBG, slightly reduced in functionality, but sufficient for ordinary debugging.
ntsd -c q -pn ***.exe (***.exe is the process name; the .exe must not be omitted)
ntsd -c q -p PID
Example command: ntsd -c q -pn explorer.exe
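The `-c q` plus `-p`/`-pn` invocation above is exactly the pattern the page says viruses use to kill antivirus processes, so it is also what a defender should look for in process-creation telemetry. The following Python is an added example, not code from the original page or from Microsoft: it parses a handful of constructed Sysmon Event ID 1 style records (the field names Image, OriginalFileName, CommandLine and ParentImage are Sysmon's; the sample paths, the avservice.exe and svch0st.exe names and the user-writable-directory heuristic are this example's own assumptions) and flags attach-and-quit invocations, renamed copies of the binary, and launches from user-writable locations.

```python
"""Flag process-creation events in which NTSD is used to kill a process rather than to
debug it (ntsd -c q -p <pid> / -pn <name>).  Added example, not the page's or Microsoft's
code: the records are constructed Sysmon Event ID 1 style fields, and the directory and
file-name heuristics are this example's own assumptions."""
import ntpath
import shlex

# Constructed sample records (pipe-separated; not real telemetry).
SAMPLE_EVENTS = r"""
UtcTime|Image|OriginalFileName|CommandLine|ParentImage
2024-01-01 10:00:01|C:\Windows\System32\ntsd.exe|ntsd.exe|ntsd -c q -pn avservice.exe|C:\Windows\System32\cmd.exe
2024-01-01 10:00:02|C:\Windows\System32\ntsd.exe|ntsd.exe|ntsd -c q -p 1532|C:\Users\bob\AppData\Local\Temp\setup.exe
2024-01-01 10:00:03|C:\Users\bob\AppData\Local\Temp\svch0st.exe|ntsd.exe|svch0st.exe -c "q" -pn avservice.exe|C:\Windows\explorer.exe
2024-01-01 10:00:04|C:\Windows\System32\ntsd.exe|ntsd.exe|ntsd -g -G myapp.exe|C:\Windows\System32\cmd.exe
2024-01-01 10:00:05|C:\Windows\System32\ntsd.exe|ntsd.exe|ntsd -p 1532|C:\Windows\System32\cmd.exe
2024-01-01 10:00:06|C:\Windows\System32\notepad.exe|notepad.exe|notepad -c q|C:\Windows\explorer.exe
"""

# Assumption: directories from which a dropped or user-installed copy would typically run.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\programdata\\")


def parse_events(text):
    """Turn the pipe-separated records into dicts keyed by the header fields."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split("|")
    return [dict(zip(header, ln.split("|"))) for ln in lines[1:]]


def ntsd_kill_target(command_line):
    """Return (kind, value) when the command line attaches and immediately quits, else None.

    NTSD runs the -c command string (commands separated by ';') right after attaching;
    'q' ends the debugging session, which terminates the debuggee.
    """
    argv = [a.strip('"') for a in shlex.split(command_line, posix=False)]
    quits, target = False, None
    for i, arg in enumerate(argv[:-1]):
        flag, nxt = arg.lower(), argv[i + 1]
        if flag == "-c":
            quits = "q" in [c.strip().lower() for c in nxt.split(";")]
        elif flag == "-pn":
            target = ("name", nxt)
        elif flag == "-p":
            target = ("pid", nxt)
    return target if quits and target else None


def classify(event):
    """Return the findings for one event; an empty list means nothing suspicious."""
    image = ntpath.basename(event["Image"]).lower()
    if image != "ntsd.exe" and event["OriginalFileName"].lower() != "ntsd.exe":
        return []
    findings = []
    if image != "ntsd.exe":      # the PE OriginalFileName survives a rename of the file
        findings.append(f"renamed copy of ntsd.exe running as {image}")
    target = ntsd_kill_target(event["CommandLine"])
    if target:
        findings.append(f"debugger attach-and-quit kills {target[0]} {target[1]}")
    for role in ("Image", "ParentImage"):
        path = event[role].lower()
        if any(marker in path for marker in USER_WRITABLE):
            findings.append(f"{role} {ntpath.basename(path)} is in a user-writable directory")
    return findings


def scan(text):
    """Return [(UtcTime, findings)] for every event that produced at least one finding."""
    results = []
    for event in parse_events(text):
        findings = classify(event)
        if findings:
            results.append((event["UtcTime"], findings))
    return results


if __name__ == "__main__":
    for when, findings in scan(SAMPLE_EVENTS):
        print(when, "; ".join(findings))
```

Running it prints the three flagged records; the interactive `ntsd -p 1532` attach and the `ntsd -g -G myapp.exe` debug session produce no finding, so ordinary debugger use is not alerted on, and the renamed copy is caught only because the OriginalFileName field is checked alongside the image name.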
usage: NTSD [-v] [-] [-d] [-o] [-g] [-G] [-w] [-lines]
[-aDllName] [-s] [-r BreakErrorLevel] [-t PrintErrorLevel]
[-hd] [-x | -xd [except#] | -xe [except#]] [-e] [-z]
[-- | -p pid | command-line]
where: -? displays this help text
-aDllName sets the default extension DLL
-c executes the following debugger command
Specifies the debugger command(s) to execute; multiple commands are separated by ";".
-d sends all debugger output to kernel debugger via DbgPrint
-g ignores initial breakpoint in debuggee
-G ignores final breakpoint at process termination
-hd disables heap manager validity checking
-i ignores AV generated by loader fixups on pre. systems
-lines requests that line number information be used if present
-syms:{yes|no} allow or disallow loading symbols from a network path
-o debugs all processes launched by debuggee
-r specifies the (-) error level to break on (SeeSetErrorLevel)
-s disables lazy symbol loading
-t specifies the (-) error level to display (SeeSetErrorLevel)
-v enables verbose output from debugger
-n enables verbose output from symbol handler
-w specifies to debug 16-bit applications in a separate VDM
-x disables break on AV exceptions
-xd disables stopping on specified exception
-xe enables stopping on specified exception
-z reserved for OS/2 debugging
-2 creates a separate console window for debuggee
For console programs, this sends their output to a separate window instead of showing it in the NTSD window.
-- is the same as -G -g -o -p -
-p pid specifies the decimal process Id to attach to
Specifies the process ID to debug; used to debug a program that is already running.
command-line is the command to run under the debugger
Environment Variables:
_NT_SYMBOL_PATH=[Drive:][Path]
Specify symbol image path. (Default = %SystemRoot%)
_NT_ALT_SYMBOL_PATH=[Drive:][Path]
Specify an alternate symbol image path.
_NT_DEBUG_EXTENSIONS=dllname(s)
If specified, it is a semi-colon separated list of debugger extension DLLs.
This specifies the search order when resolving debugger extension commands.
A [<address>] - assemble
Enter assembly instructions at the given address.
BC[<bp>] - clear breakpoint(s)
BD[<bp>] - disable breakpoint(s)
BE[<bp>] - enable breakpoint(s)
BL[<bp>] - list breakpoint(s)
BP[#] <address> - set breakpoint
C <range> <address> - compare
D[type][<range>] - dump memory
Display the given memory range.
E[type] <address> [<values>] - enter
Enter data at the given address.
F <range> <list> - fill
Fill the given memory range with data.
G[=<address> [<address>...]] - go
J <expr> [']cmd['];[']cmd['] - conditional execution
K - stacktrace
KB = <base> <stack> <ip> - stacktrace from specific state
L{+|-}[lost*] - Control source options
LN <expr> - list near
The argument is an address or a function; shows the function nearest to the given address or function.
LS[.] [<first>][,<count>] - List source file lines
LSA <addr> [,<first>][,<count>] - List source file lines at addr
LSC - Show current source file and line
LSF[-] <file> - Load or unload a source file for browsing
N [<radix>] - set / show radix
P[R] [=<addr>] [<value>] - program step
Q - quit
#R - multiprocessor register dump
Display the registers in a multiprocessor environment.
R[F][L][M <expr>] [[<reg> [= <expr>]]] - reg/flag
Rm[?] [<expr>] - Control prompt register output mask
S <range> <list> - search
Search the given address range for a string.
:> s df ec ff e //search user's address space for jmp esp
:> s df ec 'W' 'I' 'N' 'N' 'T' //search for the string "WINNT"
SS - set symbol suffix
SX [e|d [<event>|*|<expr>]] - exception
T[R] [=<address>] [<value>] - trace
U [<range>] - unassemble
Show disassembly, like SoftICE's U command.
X [<*|module>!]<*|symbol> - view symbols
Show symbols; wildcards are supported, similar to SoftICE's exp command.
:> x user!* //show all of user's symbols
:> x user!ws* //show all of user's symbols that start with ws
dffa USER!wsprintfW
ea USER!wsprintfA
.logopen [<file>] - open new log file
Specify a log file; turning on screen logging is a very useful feature.
.logappend [<file>] - append to log file
Append to an existing log file.
.logclose - close log file
~ - list threads status
~#s - set default thread
~[.|#|*|ddd]f - freeze thread
~[.|#|ddd]k[expr] - backtrace stack
| - list processes status
|#s - set default process
|# - default process override
? <expr> - display expression
Display address or symbol information.
:> ? wsprintfA
Evaluate expression: = ea
:> ? eip
Evaluate expression: = fc
#<string> [address] - search for a string in the dissasembly
Disassemble at the given address, but output only one line.
Read the commands to enter from a file.
<expr> ops: + - * / not by wo dw poi mod(%) and(&) xor(^) or(|) hi low
operands: number in current radix, public symbol, <reg>
<type> : b (byte), w (word), d[s] (doubleword [with symbols]),
a (ascii), c (dword and Char), u (unicode), l (list)
f (float), D (double), s|S (ascii/unicode string)
q (quadword)
<pattern> : [(nt | <dll-name>)!]<var-name> (<var-name> can include ? and *)
<event> : ct, et, ld, av,
<reg> : $u0-$u9, $ea, $exp, $ra, $p
<list> : <byte> [<byte> ...]
User-mode options:
i386 options:
BA[#] <e|r|w><size> <addr> - addr bp
<reg> : [e]ax, [e]bx, [e]cx, [e]dx, [e]si, [e]di, [e]bp, [e]sp, [e]ip, [e]fl,
al, ah, bl, bh, cl, ch, dl, dh, cs, ds, es, fs, gs, ss
fpcw, fpsw, fptw, st0-st7, mm0-mm7
<flag> : iopl, of, df, if, tf, sf, zf, af, pf, cf
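To make the expression rules listed above concrete (the operators `+ - * / mod and xor or`, the unary `not by wo dw poi hi low`, numbers in the default hex radix, registers and `module!symbol` names), the following Python evaluator is an added example, not code from the page or from Microsoft. It runs against a constructed 16-byte memory image at 00400000 and constructed symbol and register values; the precedence it implements (unary operators bind tightest, then `* / mod`, then `+ -`, then `and`, `xor`, `or`) follows the MASM rules WinDbg documents, and a read outside the image raises an error in the spirit of NTSD's memory access error.

```python
"""NTSD MASM-style expression evaluator: + - * / mod and xor or, the unary operators
not by wo dw poi hi low, hex numbers, registers and symbols.  Added example; the
memory image, symbol addresses and register values below are constructed."""
import operator
import re

MASK32 = 0xFFFFFFFF        # user-mode x86 NTSD: 32-bit values, poi reads a 4-byte pointer
HEX = "0123456789abcdefABCDEF"
WORD_OPS = {"mod": "%", "and": "&", "xor": "^", "or": "|"}
PREC = {"|": 1, "^": 2, "&": 3, "+": 4, "-": 4, "*": 5, "/": 5, "%": 5}   # MASM precedence
BINOP = {"|": operator.or_, "^": operator.xor, "&": operator.and_, "+": operator.add,
         "-": operator.sub, "*": operator.mul, "/": operator.floordiv, "%": operator.mod}
TOKEN_RE = re.compile(r"(?P<word>[\w$!.@]+)|(?P<op>[-+*/%&^|()])|(?P<bad>\S)")

MEM_BASE = 0x00400000      # constructed 16-byte image mapped here (little-endian)
MEM_DATA = bytes.fromhex("08004000 efbeadde 3412 ffe4 00000000")
SYMBOLS = {"user32!wsprintfA": 0x77D50000, "user32!wsprintfW": 0x77D50200}   # constructed
REGISTERS = {"eip": 0x00401000, "esp": 0x0012FF80}                           # constructed

def read_mem(addr, size):
    off = addr - MEM_BASE
    if off < 0 or off + size > len(MEM_DATA):
        raise ValueError(f"Memory access error at {addr:08x}")
    return int.from_bytes(MEM_DATA[off:off + size], "little")

UNARY_FN = {"not": lambda v: ~v & MASK32, "hi": lambda v: v >> 16 & 0xFFFF,
            "low": lambda v: v & 0xFFFF, "by": lambda v: read_mem(v, 1),
            "wo": lambda v: read_mem(v, 2), "dw": lambda v: read_mem(v, 4),
            "poi": lambda v: read_mem(v, 4)}

def tokenize(text):
    """Yield (kind, value) tokens; an all-hex word is a number, as in NTSD's default radix."""
    for m in TOKEN_RE.finditer(text):
        word = m.group("word")
        if m.group("bad"):
            raise ValueError(f"Syntax error at '{m.group('bad')}'")
        if m.group("op"):
            yield "op", m.group("op")
        elif word.lower() in WORD_OPS:
            yield "op", WORD_OPS[word.lower()]
        elif word.lower() in UNARY_FN:
            yield "unary", word.lower()
        elif all(c in HEX for c in word):
            yield "num", int(word, 16)
        else:
            yield "ident", word

class NtsdExpr:
    def __init__(self, symbols, registers):
        self.names = {k.lower(): v for k, v in {**registers, **symbols}.items()}

    def evaluate(self, text):
        self.toks, self.pos = list(tokenize(text)), 0
        value = self._binary(1)
        if self.pos != len(self.toks):
            raise ValueError(f"Syntax error at '{self.toks[self.pos][1]}'")
        return value & MASK32

    def _peek(self, kind):
        t = self.toks[self.pos] if self.pos < len(self.toks) else (None, None)
        return t[1] if t[0] == kind else None

    def _binary(self, min_prec):          # precedence climbing, left-associative
        left = self._unary()
        while (op := self._peek("op")) in PREC and PREC[op] >= min_prec:
            self.pos += 1
            right = self._binary(PREC[op] + 1)
            if op in "/%" and right == 0:
                raise ValueError("Divide by zero")
            left = BINOP[op](left, right) & MASK32
        return left

    def _unary(self):
        name = self._peek("unary")
        if name is None:
            return self._primary()
        self.pos += 1
        return UNARY_FN[name](self._unary())   # unary operators bind tighter than binary ones

    def _primary(self):
        if self._peek("op") == "(":
            self.pos += 1
            value = self._binary(1)
            if self._peek("op") != ")":
                raise ValueError("Syntax error: missing ')'")
            self.pos += 1
            return value
        if (num := self._peek("num")) is not None:
            self.pos += 1
            return num
        if (ident := self._peek("ident")) is None:
            raise ValueError("Syntax error: operand expected")
        self.pos += 1
        key = ident.lower().lstrip("@")      # @eip and eip both name the register
        hits = {v for k, v in self.names.items() if key in (k, k.split("!")[-1])}
        if len(hits) != 1:                   # a bare symbol name resolves across modules
            raise ValueError(f"Couldn't resolve error at '{ident}'")
        return hits.pop()

DBG = NtsdExpr(SYMBOLS, REGISTERS)
```

`DBG.evaluate("poi(poi 400000)")` follows the pointer stored at 00400000 and reads the dword it points at (e4ff1234), while `DBG.evaluate("wo 400008 + 1")` returns 1235 rather than reading at 400009: a unary operator takes only the term right after it, so the `+ 1` applies to the value read, which is why `poi(esp+4)` needs its parentheses. `DBG.evaluate("wsprintfA")` resolves the bare name through user32, as the `? wsprintfA` session above does, and `dw 400010` raises because the read runs past the constructed image.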
NTSD also supports some very useful commands that, for whatever reason, the help text does not mention; they are listed here as well:
KD [<count>] - stack trace with raw data
Stack backtrace in raw mode.
SQ - set quiet mode
Sets quiet mode; running it once turns it on, running it again turns it off.
LD [<module>] - refresh module information
LM - list modules
Lists information on all modules loaded by the process.
DL - dump linked list
The expressions NTSD supports are practically the same as WinDBG's, in MASM syntax.
The NTSD that ships with the system also supports some extension commands, for example:
Process file: ntsd.exe or ntsd
Process name: Symbolic Debugger for Windows
ntsd.exe is a process belonging to the Microsoft symbolic debugger that
enables you to debug user-mode applications. This program is a non-essential
process, but should not be terminated unless suspected to be causing
problems.
Recommendation for ntsd.exe:
ntsd.exe should not be disabled, required for essential applications to work
properly.
Author: Microsoft
Part Of: Microsoft Windows Operating System
Security rating (-):
Spyware: No
Virus: No ( Remove ntsd.exe )
Trojan: No ( Remove ntsd.exe )
Memory Usage: N/A
System Process: Yes
Background Process: No
Uses Network: No
Hardware Related: No
Common ntsd.exe Errors: N/A