有关于电脑ntsd.exe程序~~~请各位高手帮帮忙!
发布网友
发布时间:2022-10-16 17:39
共3个回答
热心网友
时间:2023-10-21 20:45
进程文件: ntsd or ntsd.exe
进程名称: Symbolic Debugger for Windows 。ntsd.exe是Microsoft Windows 2000系统自带的用户态调试工具。可用它结束掉除System、SMSS.EXE、CSRSS.EXE以外的所有进程。该程序经常病毒利用,用来强制结束杀毒软件进程。
出品者: Microsoft
属于: Microsoft Windows Operating System
系统进程: 是
使用网络: 是
硬件相关: 否
常见错误: 未知N/A
内存使用: 未知N/A
间谍软件: 否
广告软件: 否
Virus: 否
木马: 否
使用
[编辑本段]
NTSD(Microsoft Windows NT Symbolic/Systems Debugger)是Windows 2000默认安装的一
个调试器。这其实是一个命令行版本的WinDBG,功能上稍微缩了一点水,但是对一般的调试
来说是足够用了。
usage: NTSD [-v] [-2] [-d] [-o] [-g] [-G] [-w] [-lines]
[-aDllName] [-s] [-r BreakErrorLevel] [-t PrintErrorLevel]
[-hd] [-x | -xd [except#] | -xe [except#]] [-e] [-z]
[-- | -p pid | command-line]
where: -? displays this help text
-aDllName sets the default extension DLL
-c executes the following debugger command
指定要执行的调试命令,多个命令之间用“;”分隔
-d sends all debugger output to kernel debugger via DbgPrint
-g ignores initial breakpoint in debuggee
-G ignores final breakpoint at process termination
-hd disables heap manager validity checking
-i ignores AV generated by loader fixups on pre3.51 systems
-lines requests that line number information be used if present
-netsyms:{yes|no} allow or disallow loading symbols from a network path
-o debugs all processes launched by debuggee
-r specifies the (0-3) error level to break on (SeeSetErrorLevel)
-s disables lazy symbol loading
-t specifies the (0-3) error level to display (SeeSetErrorLevel)
-v enables verbose output from debugger
-n enables verbose output from symbol handler
-w specifies to debug 16 bit applications in a separate VDM
-x disables break on AV exceptions
-xd disables stopping on specified exception
-xe enables stopping on specified exception
-z reserved for OS/2 debugging
-2 creates a separate console window for debuggee
对于控制台程序,将输出定向到另一个窗口而不在NTSD窗口显示
-- is the same as -G -g -o -p -1
-p pid specifies the decimal process Id to attach to
指定要调试的进程号,用于调试已经运行的程序
command-line is the command to run under the debugger
Environment Variables:
_NT_SYMBOL_PATH=[Drive:][Path]
Specify symbol image path. (Default = %SystemRoot%)
_NT_ALT_SYMBOL_PATH=[Drive:][Path]
Specify an alternate symbol image path.
_NT_DEBUG_EXTENSIONS=dllname(s)
If specified, it is a semi-colon separated list of debugger extension DLL names
This specifies the search order when resolving debugger extension commands
A [<address>] - assemble
在指定地址输入汇编语句
BC[<bp>] - clear breakpoint(s)
清除断点
BD[<bp>] - disable breakpoint(s)
禁用断点
BE[<bp>] - enable breakpoint(s)
启用断点
BL[<bp>] - list breakpoint(s)
列出断点
BP[#] <address> - set breakpoint
设断点
C <range> <address> - compare
比较地址
D[type][<range>] - mp memory
显示指定内存范围
E[type] <address> [<list>] - enter
在指定地址输入数据
F <range> <list> - fill
在指定内存段填充数据
G [=<address> [<address>...]] - go
运行到某个地址
J<expr> [']cmd1['];[']cmd2['] - conditional execution
条件执行
K <count> - stacktrace
堆栈回溯
KB = <base> <stack> <ip> - stacktrace from specific state
L{+|-}[lost*] - Control source options
LN <expr> - list near
参数为地址或者函数,显示距离参数中指定地址或者函数最近的函数
LS[.] [<first>][,<count>] - List source file lines
LSA <addr>[,<first>][,<count>] - List source file lines at addr
LSC - Show current source file and line
LSF[-] <file> - Load or unload a source file for browsing
M <range> <address> - move
N [<radix>] - set / show radix
P[R] [=<addr>] [<value>] - program step
单步执行
Q - quit
#R - multiprocessor register mp
多处理器环境下显示寄存器
R[F][L][M <expr>] [[<reg> [= <expr>]]] - reg/flag
显示寄存器
Rm[?] [<expr>] - Control prompt register output mask
S <range> <list> - search
在指定地址范围内搜寻字符串
0:000> s 77df0000 77e4c000 ff e4 //从user32的空间中找jmp esp
77e22c29
0:000> s 77df0000 77e4c000 'W' 'I' 'N' 'N' 'T' //搜索字符串“WINNT”
SS <n | a | w> - set symbol suffix
SX [e|d [<event>|*|<expr>]] - exception
T[R] [=<address>] [<expr>] - trace
U [<range>] - unassemble
显示反汇编语句,同softice的U命令
X [<*|mole>!]<*|symbol> - view symbols
显示符号,支持通配符,类似于softice的exp命令
0:000> x user32!* //显示user32的所有符号
…………
0:000> x user32!ws* //显示user32的所有以ws开头的符号
77dffa68 USER32!wsprintfW
77e0014a USER32!wsprintfA
.logopen [<file>] - open new log file
指定日志文件,开启屏幕记录非常有用的功能
.logappend [<file>] - append to log file
添加到已存在的日志文件
.logclose - close log file
停止记录
~ - list threads status
显示线程状态
~#s - set default thread
设置默认线程
~[.|#|*|ddd]f - freeze thread
~[.|#|ddd]k[expr] - backtrace stack
堆栈追踪
| - list processes status
显示进程状态
|#s - set default process
设置默认进程
|#<command> - default process override
? <expr> - display expression
显示地址或者符号信息
0:000> ? wsprintfA
Evaluate expression: 2011169098 = 77e0014a
0:000> ? eip
Evaluate expression: 2012813324 = 77f9180c
#<string> [address] - search for a string in the dissasembly
反汇编指定地址,但是只输出一行语句
$< <filename> - take input from a command file
从文件取得要输入的命令
<expr> ops: + - * / not by wo dw poi mod(%) and(&) xor(^) or(|) hi low
operands: number in current radix, public symbol, <reg>
<type> : b (byte), w (word), d[s] (doubleword [with symbols]),
a (ascii), c (dword and Char), u (unicode), l (list)
f (float), D (double), s|S (ascii/unicode string)
q (quadword)
: [(nt | <dll-name>)!]<var-name> (<var-name> can include ? and *)
<event> : ct, et, ld, av, cc
<radix> : 8, 10, 16
<reg> : $u0-$u9, $ea, $exp, $ra, $p
<addr> : %<32-bit address>
<range> : <address> <address>
: <address> L <count>
<list> : <byte> [<byte> ...]
User-mode options:
i386 options:
BA[#] <e|r|w|i><1|2|4> <addr> - addr bp
<reg> : [e]ax, [e]bx, [e]cx, [e]dx, [e]si, [e]di, [e]bp, [e]sp, [e]ip, [e]fl,
al, ah, bl, bh, cl, ch, dl, dh, cs, ds, es, fs, gs, ss
fpcw, fpsw, fptw, st0-st7, mm0-mm7
<flag> : iopl, of, df, if, tf, sf, zf, af, pf, cf
<addr> : #<16-bit protect-mode [seg:]address>,
&<V86-mode [seg:]address>
NTSD还支持一些很有用的命令,但是不知为什么帮助中却没有提,这里也列出来:
KD [<count>] - stack trace with raw data
raw模式堆栈回溯
SQ - set quiet mode
设置安静模式,运行一次打开,再运行则关闭
LD [<mole>] - refresh mole information
重新载入
LM list moles
列出进程加载的所有模块信息
DL <address> <maxcount> <size> - mp linked list
NTSD支持的表达式和WinDBG差不多是一样的,MASM的语法。
系统自带的NTSD也支持部分扩展命令,如:
!peb
!teb
英文版本
进程文件: ntsd.exe or ntsd
进程名称: Symbolic Debugger for Windows
描述:
ntsd.exe is a process belonging to the Microsoft symbolic debugger that enables you to debug user-mode applications. This program is a non-essential process, but should not be terminated unless suspected to be causing problems.
Recommendation for ntsd.exe:
ntsd.exe should not be disabled, required for essential applications to work properly.
Author: Microsoft
Part Of: Microsoft Windows Operating System
安全等级 (0-5): 0
间谍软件: No
病毒: No ( Remove ntsd.exe )
木马: No ( Remove ntsd.exe )
Memory Usage: N/A
System Process: Yes
Background Process: No
Uses Network: No
Hardware Related: No
Common ntsd.exe Errors: N/A
热心网友
时间:2023-10-21 20:46
杀完毒,
开始-运行-输入:regedit,然后回车
按f3,输入dbgeng.dll,回车
找到项以后删除!继续按f3,继续删!直到出现“注册表搜索完毕!”然后再开360试试!
我不确定重起了以后会不会好?要是不好再叫我,记住要杀毒哟!专业点的,360不大管用。
嫌麻烦我再支一招,在c:\winnt(或者windows)\system32\的目录下建一个文本文档,改名为dbgeng.dll 不过这招治标不止本,也不一定有用。
热心网友
时间:2023-10-21 20:46
