标题:问个关于ntsd 命令的问题~~
只看楼主
ONEPROBLEM
Rank: 6Rank: 6
来 自:广西 南宁
等 级:贵宾
威 望:21
帖 子:1569
专家分:349
注 册:2008-7-11
结帖率:100%
 问题点数:0 回复次数:4 
问个关于ntsd 命令的问题~~
不知道那位朋友有过这样的经验:
电脑中毒后,往往除了杀毒软件及各安全软件无法启动之外,"任务管理器"也无法打开,所以一些病毒进程就没办法强行终止.
我在想,能不能通过CMD 进入DOS下,用 tasklist 命令获取所有进程的PID ?然后,再用 ntsd -c q -p PID 的命令进行终止?
知道的朋友告诉一下~~
搜索更多相关主题的帖子: ntsd 命令 
2008-11-05 21:12
cnhanxiao
Rank: 2
等 级:新手上路
威 望:4
帖 子:124
专家分:0
注 册:2008-10-17
得分:0 
没遇到这种情况,但是应该可以。
在控制台方式下:
tasklist /m > tasklist.txt
打开tasklist.txt找到所需终止的进程的PID,比如 PID=1136
ntsd -c q -p 1136
就关掉了对应的进程。

还有绑架成版主的?拒绝做版主——对不起啊!
2008-11-06 00:18
cnhanxiao
Rank: 2
等 级:新手上路
威 望:4
帖 子:124
专家分:0
注 册:2008-10-17
得分:0 
[bo]一、TASKLIST用法[/bo]

TASKLIST [/S system [/U username [/P [password]]]]
         [/M [module] | /SVC | /V] [/FI filter] [/FO format] [/NH]
描述:
    这个命令行工具显示应用程序和本地
    或远程系统上运行的相关任务/进程的
    列表。
参数列表:
   /S     system           指定连接到的远程系统。
   /U     [domain\]user    指定应该在哪个用户上下文执行这个命令。
   /P     [password]       为提供的用户上下文指定密码。如果忽略,提示输入。
   /M     [module]         列出所有其中符合指定模式名的 DLL 模块的所有任务。
                           如果没有指定模块名,则显示每个任务加载的所有模块。
   /SVC                    显示每个进程中的服务。
   /V                      指定要显示详述信息。
   /FI    filter           显示一系列符合筛选器指定的标准的任务。
   /FO    format           指定输出格式。
                           有效值: "TABLE"、"LIST"、"CSV"。
   /NH                     指定栏标头不应该在输出中显示。
                           只对 "TABLE" 和 "CSV" 格式有效。
   /?                      显示帮助/用法。
筛选器:
    筛选器名        有效操作符                有效值
    -----------     ---------------           --------------
    STATUS          eq, ne                    正在运行 | 没有响应
    IMAGENAME       eq, ne                    图像名
    PID             eq, ne, gt, lt, ge, le    PID 值
    SESSION         eq, ne, gt, lt, ge, le    会话编号
    SESSIONNAME     eq, ne                    会话名
    CPUTIME         eq, ne, gt, lt, ge, le    CPU 时间,格式为
                                              hh:mm:ss。
                                              hh - 时,
                                              mm - 分,ss - 秒
    MEMUSAGE        eq, ne, gt, lt, ge, le    内存使用量(KB)
    USERNAME        eq, ne                    用户名,格式为 [domain\]user
    SERVICES        eq, ne                    服务名
    WINDOWTITLE     eq, ne                    窗口标题
    MODULES         eq, ne                    DLL 名

例如:
    TASKLIST
    TASKLIST /M
    TASKLIST /V
    TASKLIST /SVC
    TASKLIST /M wbem*
    TASKLIST /S system /FO LIST
    TASKLIST /S system /U domain\username /FO CSV /NH
    TASKLIST /S system /U username /P password /FO TABLE /NH
    TASKLIST /FI "USERNAME ne NT AUTHORITY\SYSTEM" /FI "STATUS eq running"


[bo]二、ntsd用法[/bo]

usage: ntsd [-?] [-2] [-d] [-g] [-G] [-myob] [-lines] [-n] [-o] [-s] [-v] [-w]
            [-r BreakErrorLevel]  [-t PrintErrorLevel]
            [-hd] [-pd] [-pe] [-pt #] [-pv] [-x | -x{e|d|n|i} <event>]
            [-- | -p pid | -pn name | command-line | -z CrashDmpFile]
            [-zp CrashPageFile] [-premote transport] [-robp]
            [-aDllName] [-c "command"] [-i ImagePath] [-y SymbolsPath]
            [-clines #] [-srcpath SourcePath] [-QR \\machine] [-wake <pid>]
            [-remote transport:server=name,portid] [-server transport:portid]
            [-ses] [-sfce] [-sicv] [-snul] [-noio] [-failinc] [-noshell]

where: -? displays this help text
       command-line is the command to run under the debugger
       -- is the same as -G -g -o -p -1 -d -pd
       -aDllName sets the default extension DLL
       -c executes the following debugger command
       -clines number of lines of output history retrieved by a remote client
       -failinc causes incomplete symbol and module loads to fail
       -d sends all debugger output to kernel debugger via DbgPrint
          -d cannot be used with debugger remoting
          -d can only be used when the kernel debugger is enabled
       -g ignores initial breakpoint in debuggee
       -G ignores final breakpoint at process termination
       -hd specifies that the debug heap should not be used
           for created processes.  This only works on Windows Whistler.
       -o debugs all processes launched by debuggee
       -p pid specifies the decimal process Id to attach to
       -pd specifies that the debugger should automatically detach
       -pe specifies that any attach should be to an existing debug port
       -pn name specifies the name of the process to attach to
       -pt # specifies the interrupt timeout
       -pv specifies that any attach should be noninvasive
       -r specifies the (0-3) error level to break on (SeeSetErrorLevel)
       -robp allows breakpoints to be set in read-only memory
       -t specifies the (0-3) error level to display (SeeSetErrorLevel)
       -w specifies to debug 16 bit applications in a separate VDM
       -x sets second-chance break on AV exceptions
       -x{e|d|n|i} <event> sets the break status for the specified event
       -2 creates a separate console window for debuggee
       -i ImagePath specifies the location of the executables that generated
          the fault (see _NT_EXECUTABLE_IMAGE_PATH)
       -lines requests that line number information be used if present
       -myob ignores version mismatches in DBGHELP.DLL
       -n enables verbose output from symbol handler
       -noio disables all I/O for dedicated remoting servers
       -noshell disables the .shell (!!) command
       -QR <\\machine> queries for remote servers
       -s disables lazy symbol loading
       -ses enables strict symbol loading
       -sfce fails critical errors encountered during file searching
       -sicv ignores the CV record when symbol loading
       -snul disables automatic symbol loading for unqualified names
       -srcpath <SourcePath> specifies the source search path
       -v enables verbose output from debugger
       -wake <pid> wakes up a sleeping debugger and exits
       -y <SymbolsPath> specifies the symbol search path (see _NT_SYMBOL_PATH)
       -z <CrashDmpFile> specifies the name of a crash dump file to debug
       -zp <CrashPageFile> specifies the name of a page.dmp file
                           to use with a crash dump
       -remote lets you connect to a debugger session started with -server
               must be the first argument if present
               transport: tcp | npipe | ssl | spipe | 1394 | com
               name: machine name on which the debug server was created
               portid: id of the port the debugger server was created on
                   for tcp use:  port=<socket port #>
                   for npipe use:  pipe=<name of pipe>
                   for 1394 use:  channel=<channel #>
                   for com use:  port=<COM port>,baud=<baud rate>,
                                 channel=<channel #>
                   for ssl and spipe see the documentation
               example: ... -remote npipe:server=yourmachine,pipe=foobar
       -server creates a debugger session other people can connect to
               must be the first argument if present
               transport: tcp | npipe | ssl | spipe | 1394 | com
               portid: id of the port remote users can connect to
                   for tcp use:  port=<socket port #>
                   for npipe use:  pipe=<name of pipe>
                   for 1394 use:  channel=<channel #>
                   for com use:  port=<COM port>,baud=<baud rate>,
                                 channel=<channel #>
                   for ssl and spipe see the documentation
               example: ... -server npipe:pipe=foobar
       -premote transport specifies the process server to connect to
              transport arguments are given as with remoting

Environment Variables:

    _NT_SYMBOL_PATH=[Drive:][Path]
        Specify symbol image path.

    _NT_ALT_SYMBOL_PATH=[Drive:][Path]
        Specify an alternate symbol image path.

    _NT_DEBUGGER_EXTENSION_PATH=[Drive:][Path]
        Specify a path which should be searched first for extensions dlls

    _NT_EXECUTABLE_IMAGE_PATH=[Drive:][Path]
        Specify executable image path.

    _NT_SOURCE_PATH=[Drive:][Path]
        Specify source file path.

    _NT_DEBUG_LOG_FILE_OPEN=filename
        If specified, all output will be written to this file from offset 0.

    _NT_DEBUG_LOG_FILE_APPEND=filename
        If specified, all output will be APPENDed to this file.

    _NT_DEBUG_HISTORY_SIZE=size
        Specifies the size of a server's output history in kilobytes

Control Keys:

     <Ctrl-B><Enter> Quit debugger
     <Ctrl-C>        Break into Target
     <Ctrl-F><Enter> Force a break into debuggee (same as Ctrl-C)
     <Ctrl-P><Enter> Debug Current debugger
     <Ctrl-V><Enter> Toggle Verbose mode
     <Ctrl-W><Enter> Print version information
ntsd: exiting - press enter ---

[[it] 本帖最后由 cnhanxiao 于 2008-11-6 00:28 编辑 [/it]]
收到的鲜花
  • ONEPROBLEM2008-11-06 07:04 送鲜花  30朵   附言:谢谢.

还有绑架成版主的?拒绝做版主——对不起啊!
2008-11-06 00:27
zklhp
Rank: 20Rank: 20Rank: 20Rank: 20Rank: 20
来 自:china
等 级:贵宾
威 望:254
帖 子:11485
专家分:33241
注 册:2007-7-10
得分:0 
微软把用户模式下的调试器提供给我们了

不过 用这个杀病毒进程不太现实  要杀也是提升权限到system后再杀 呵呵

对于有守护进程的病毒 杀了它又建了 杀不掉 呵呵
2008-11-06 08:34
a2367961
Rank: 1
等 级:新手上路
帖 子:4
专家分:0
注 册:2008-9-30
得分:0 
2008-11-07 19:07



参与讨论请移步原网站贴子:https://bbs.bccn.net/thread-242614-1-1.html




关于我们 | 广告合作 | 编程中国 | 清除Cookies | TOP | 手机版

编程中国 版权所有,并保留所有权利。
Powered by Discuz, Processed in 0.961361 second(s), 8 queries.
Copyright©2004-2024, BCCN.NET, All Rights Reserved