Saturday 15 November 2008

WinNT working set issue

When you debug the working set in the kernel debugger you run into a strange issue:

!process 0 0
check the name and the address

dt _EPROCESS address
dt _MMSUPPORT address+0x1e8
dt PMMWSL address+0x1e8+0x028

you will get c0502000 every time, for every process. This is because VmWorkingSetList stores a virtual address inside the process's own address space: the working set list lives at a fixed address in the per-process region, so every process has one at the same address, each backed by its own page tables. WinDbg, however, translates virtual addresses through the page tables of the process that is current (the implicit process) at the moment you dereference them. If you dereference c0502000 while some other process is current, you are looking at that process's working set list, not the one you wanted.
You have to be in the context of the process you are investigating before you dereference the pointer, for instance by adding a system call to the target program and using "Run To Cursor" in the debugger to break inside your syscall while that process is current. Note that the offsets (0x1e8 and 0x028) are those of the build being debugged; check them with dt on your own target rather than hard-coding them.
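As an added example (not from the original post), here is the same walk as a WinDbg kernel-debugging session, with the process context switched by the debugger itself instead of by a hand-planted syscall. The EPROCESS address 8a1b2c30 is a made-up placeholder to be replaced by the address from your own `!process 0 0` listing; the offsets are the ones from the post and depend on the build; `.process /p /r` and `.process /i` are standard kd commands.

```windbg
kd> !process 0 0
$$ pick the PROCESS address of the target from the listing; 8a1b2c30 below is a placeholder

kd> dt nt!_EPROCESS 8a1b2c30 Vm.VmWorkingSetList
   +0x1e8 Vm                     :
      +0x028 VmWorkingSetList    : 0xc0502000 _MMWSL

kd> dt nt!_MMWSL 0xc0502000
$$ resolved through the page tables of whatever process was current when the
$$ debugger broke in, so this is NOT necessarily the target's working set list

kd> .process /p /r 8a1b2c30
$$ make the target the implicit process (/r reloads its user-mode symbols);
$$ from now on kd translates virtual addresses through the target's page directory

kd> dt nt!_MMWSL 0xc0502000
$$ now the target's own working set list

kd> .process /i 8a1b2c30
kd> g
$$ invasive alternative on a live kernel-debugging session (not a crash dump):
$$ the debugger breaks back in once the target is actually the current process,
$$ which is what the "extra syscall + Run To Cursor" trick achieves by hand
```

The `/p` form is enough to read memory with dt; the `/i` form is what you want when you also need to single-step or set breakpoints in the target's context.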
