LiveKD no longer works on Windows 10?

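Problem description

I am trying to use Microsoft's "LiveKD" utility. My understanding is that it is an alternative to having to use WinDbg and KD over a serial connection to debug the kernel "live" (and that the system does not have to be booted in debug mode). I am using Windows 10; however, it does not work until I enable the debug option and reboot.

Any help is welcome.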

livekd.exe -w

LiveKd v5.63 - Execute kd/windbg on a live system
Sysinternals - www.sysinternals.com
Copyright (C) 2000-2020 Mark Russinovich and Ken Johnson

Launching C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\windbg.exe:


no debugger:

Microsoft (R) Windows Debugger Version 10.0.19041.1 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\WINDOWS\livekd.dmp]
Kernel Complete Dump File: Full address space is available

Comment: 'LiveKD live system view'

************* Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       SRV*c:\Symbols*https://msdl.microsoft.com/download/symbols
Symbol search path is: SRV*c:\Symbols*https://msdl.microsoft.com/download/symbols
Executable search path is: 
**************************************************************************
THIS DUMP FILE IS PARTIALLY CORRUPT.
KdDebuggerDataBlock is not present or unreadable.
**************************************************************************
Unable to read PsLoadedModuleList
**************************************************************************
THIS DUMP FILE IS PARTIALLY CORRUPT.
KdDebuggerDataBlock is not present or unreadable.
**************************************************************************
KdDebuggerData.KernBase < SystemRangeStart
Windows 8 Kernel Version 9200 MP (4 procs) Free x64
Machine Name:
Kernel base = 0x00000000`00000000 PsLoadedModuleList = 0xfffff807`2a2460f0
Debug session time: Tue Oct 27 21:47:47.703 2020 (UTC)
System Uptime: not available
**************************************************************************
THIS DUMP FILE IS PARTIALLY CORRUPT.
KdDebuggerDataBlock is not present or unreadable.
**************************************************************************
Unable to read PsLoadedModuleList
**************************************************************************
THIS DUMP FILE IS PARTIALLY CORRUPT.
KdDebuggerDataBlock is not present or unreadable.
**************************************************************************
KdDebuggerData.KernBase < SystemRangeStart
Loading Kernel Symbols
Unable to read PsLoadedModuleList
ReadVirtual() failed in GetXStateConfiguration() first read attempt (error == 0.)
GetContextState failed, 0xD0000147
CS descriptor lookup failed
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
For analysis of this file, run !analyze -v
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147

Tags: debugging, winapi, windbg, computer-forensics, livekd

Solution

