Anyone know why Sysinternals' livekd would sometimes let me view ntoskrnl.exe, and sometimes not? I grabbed disassembly of a function for tonight's blog post a few days ago but now I can't see ntoskrnl.exe at all.
No, maybe a mp vs up issue? (i.e. ntoskrnl vs ntkrnlmp) What does lm mnt say?
Ah - that was the vital clue. lm mnt mentions module nt which contains the function I am interested in. ETW lists that function as being in ntoskrnl.exe. On my dual-socket workstation livekd also found it there, at least a few days ago. I can now disassemble the problematic func.
It turns out that the reason it worked the first time was that I went "uf <address>". This time I tried doing "uf ntoskrnl!function_name" and that didn't work. Next time I'll remember that nt == ntoskrnl.