2.19 Getting the absolute path of the debuggee's image file

https://scz.617.cn/windows/201709261448.txt

Q:

Sometimes in cdb I want to know the absolute path of the image file of the process being debugged. Looking it up from outside cdb with Process Explorer is of course possible, but I want to get this information from inside cdb. I already know that these commands do not give the expected result:

|
lmv m ping
lmf
!lmi ping

They work for a .dll but not for the .exe; they do not yield the absolute path of the .exe image file.

A: scz 2017-09-26

--------------------------------------------------------------------------
> !peb
> !peb @$peb
...
WindowTitle:  'C:\Windows\system32\ping.exe'
ImageFile:    'C:\Windows\SysWOW64\ping.exe'
CommandLine:  'ping'
...
--------------------------------------------------------------------------
> .shell -ci "!peb" findstr ImageFile:
ImageFile:    'C:\Windows\SysWOW64\ping.exe'
--------------------------------------------------------------------------
> dt ntdll!_PEB ProcessParameters->ImagePathName ProcessParameters->CommandLine ProcessParameters->WindowTitle @$peb
   +0x010 ProcessParameters :
      +0x038 ImagePathName : _UNICODE_STRING "C:\Windows\SysWOW64\ping.exe"
      +0x040 CommandLine   : _UNICODE_STRING "ping"
      +0x070 WindowTitle   : _UNICODE_STRING "C:\Windows\system32\ping.exe"
--------------------------------------------------------------------------
> !ustr poi(@$peb+0x10)+0x38
--------------------------------------------------------------------------
> ?? ((ntdll!_PEB*)@$peb)->ProcessParameters->ImagePathName
> ?? @$peb->ProcessParameters->ImagePathName
struct _UNICODE_STRING
 "C:\Windows\SysWOW64\ping.exe"
   +0x000 Length           : 0x38
   +0x002 MaximumLength    : 0x3a
   +0x004 Buffer           : 0x005c2f8c  "C:\Windows\SysWOW64\ping.exe"
--------------------------------------------------------------------------
> !mapped_file ping
Mapped file name for 008a0000: '\Device\HarddiskVolume2\Windows\SysWOW64\PING.EXE'
--------------------------------------------------------------------------
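As an added example (not part of scz's note), the following Python script does the same pointer chase as `!ustr poi(@$peb+0x10)+0x38` outside the debugger: PEB -> ProcessParameters, then the _UNICODE_STRING fields ImagePathName, CommandLine and WindowTitle, reading exactly Length bytes from Buffer the way `!ustr` does. The x86 offsets (+0x10, +0x38, +0x40, +0x70) are the ones `dt` printed above; the x64 offsets are an assumption taken from the public ntdll symbols, not from the page. It runs offline against a constructed memory image, and on Windows it can read a live process by PID through NtQueryInformationProcess and ReadProcessMemory (assumption: reader and target have the same bitness; a 64-bit reader sees the 64-bit PEB of a WoW64 target, not the 32-bit one the page shows). The fake-memory builder and all address values are hypothetical.

```python
import ctypes
import struct
import sys

# Field offsets. The x86 values are the ones cdb's dt printed on the page; the x64
# values are an assumption taken from the public ntdll symbols for the same structs.
LAYOUT = {
    32: {"ptr": 4, "ptr_fmt": "<I", "process_parameters": 0x10, "ustr_buffer": 0x4,
         "image_path_name": 0x38, "command_line": 0x40, "window_title": 0x70},
    64: {"ptr": 8, "ptr_fmt": "<Q", "process_parameters": 0x20, "ustr_buffer": 0x8,
         "image_path_name": 0x60, "command_line": 0x70, "window_title": 0xB0},
}
STRING_FIELDS = ("image_path_name", "command_line", "window_title")


def read_ptr(read_mem, addr, bits):
    """poi(addr): read one pointer-sized value."""
    lay = LAYOUT[bits]
    return struct.unpack(lay["ptr_fmt"], read_mem(addr, lay["ptr"]))[0]


def ustr_header(read_mem, addr, bits):
    """_UNICODE_STRING fields (Length, MaximumLength, Buffer); Length is in bytes."""
    length, max_length = struct.unpack("<HH", read_mem(addr, 4))
    return length, max_length, read_ptr(read_mem, addr + LAYOUT[bits]["ustr_buffer"], bits)


def read_unicode_string(read_mem, addr, bits):
    """What !ustr does: read exactly Length bytes from Buffer and decode UTF-16LE.
    The buffer need not be NUL-terminated, so never read past Length."""
    length, _, buffer = ustr_header(read_mem, addr, bits)
    if buffer == 0 or length == 0:
        return ""
    return read_mem(buffer, length).decode("utf-16-le")


def process_parameters_address(read_mem, peb, bits):
    """poi(@$peb+0x10) on x86, poi(@$peb+0x20) on x64."""
    return read_ptr(read_mem, peb + LAYOUT[bits]["process_parameters"], bits)


def process_parameter_strings(read_mem, peb, bits):
    """ImagePathName, CommandLine and WindowTitle of RTL_USER_PROCESS_PARAMETERS."""
    params = process_parameters_address(read_mem, peb, bits)
    return {f: read_unicode_string(read_mem, params + LAYOUT[bits][f], bits) for f in STRING_FIELDS}


def build_fake_memory(bits, image_path, command_line, window_title):
    """Constructed sample memory (not a real dump): a PEB, an RTL_USER_PROCESS_PARAMETERS
    block and back-to-back UTF-16LE buffers, served through a read_mem(addr, n) callable."""
    lay = LAYOUT[bits]
    peb_addr, params_addr, strings_addr = 0x7FFDF000, 0x005C2F00, 0x005C3000  # hypothetical
    blob, params, peb = bytearray(), bytearray(0x100), bytearray(0x40)
    for field, text in zip(STRING_FIELDS, (image_path, command_line, window_title)):
        raw = text.encode("utf-16-le")
        off = lay[field]
        params[off:off + 4] = struct.pack("<HH", len(raw), len(raw) + 2)  # Length, MaximumLength
        buf_off = off + lay["ustr_buffer"]
        params[buf_off:buf_off + lay["ptr"]] = struct.pack(lay["ptr_fmt"], strings_addr + len(blob))
        blob += raw  # deliberately no terminator: Length must be honoured
    off = lay["process_parameters"]
    peb[off:off + lay["ptr"]] = struct.pack(lay["ptr_fmt"], params_addr)
    regions = {peb_addr: peb, params_addr: params, strings_addr: blob}

    def read_mem(addr, n):
        for base, data in regions.items():
            if base <= addr and addr + n <= base + len(data):
                return bytes(data[addr - base:addr - base + n])
        raise ValueError(f"unmapped read at {addr:#x}")
    return read_mem, peb_addr


def live_process_reader(pid):
    """Windows only: read_mem backed by ReadProcessMemory, plus the target's PEB address from
    NtQueryInformationProcess(ProcessBasicInformation). Assumption: same bitness as this
    interpreter; for a WoW64 target a 64-bit reader gets the 64-bit PEB, not the x86 one."""
    k32, ntdll = ctypes.windll.kernel32, ctypes.windll.ntdll
    k32.OpenProcess.restype = ctypes.c_void_p
    k32.ReadProcessMemory.argtypes = [ctypes.c_void_p, ctypes.c_void_p, ctypes.c_void_p,
                                      ctypes.c_size_t, ctypes.POINTER(ctypes.c_size_t)]
    ntdll.NtQueryInformationProcess.argtypes = [ctypes.c_void_p, ctypes.c_int, ctypes.c_void_p,
                                                ctypes.c_ulong, ctypes.POINTER(ctypes.c_ulong)]
    handle = k32.OpenProcess(0x0400 | 0x0010, False, pid)  # QUERY_INFORMATION | VM_READ
    if not handle:
        raise ctypes.WinError()

    class PBI(ctypes.Structure):
        _fields_ = [("Reserved1", ctypes.c_void_p), ("PebBaseAddress", ctypes.c_void_p),
                    ("Reserved2", ctypes.c_void_p * 2), ("UniqueProcessId", ctypes.c_void_p),
                    ("Reserved3", ctypes.c_void_p)]
    pbi = PBI()
    status = ntdll.NtQueryInformationProcess(handle, 0, ctypes.byref(pbi), ctypes.sizeof(pbi), None)
    if status != 0:
        raise OSError(f"NtQueryInformationProcess: NTSTATUS {status & 0xFFFFFFFF:#x}")

    def read_mem(addr, n):
        buf, got = ctypes.create_string_buffer(n), ctypes.c_size_t()
        if not k32.ReadProcessMemory(handle, addr, buf, n, ctypes.byref(got)) or got.value != n:
            raise ctypes.WinError()
        return buf.raw
    return read_mem, pbi.PebBaseAddress


if __name__ == "__main__" and sys.platform == "win32":
    read_mem, peb = live_process_reader(int(sys.argv[1]))
    print(process_parameter_strings(read_mem, peb, ctypes.sizeof(ctypes.c_void_p) * 8))
```

Run as `python peb_image_path.py <pid>` on Windows (a hypothetical file name) to print the three strings for a live process; the fake-memory path reproduces the page's numbers, with a 28-character path giving Length 0x38 and MaximumLength 0x3a. The `!mapped_file` output on the page is a different source of the same answer, the section object behind the mapped image, which is why it comes back as an NT device path rather than a Win32 one.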