按照圖片的步驟來

首先找到EPROCESS

以CMD.exe為例子

PROCESS 85fa2b38  SessionId: 0  Cid: 0fc8    Peb: 7ffda000  ParentCid: 05f8
    DirBase: 0f3c03a0  ObjectTable: e1fa93c8  HandleCount:  34.
    Image: cmd.exe

可以看到peb為 7ffda000  

進入程序空間

kd> .process 85fa2b38  
Implicit process is now 85fa2b38
WARNING: .cache forcedecodeuser is not enabled
 

kd> dt _PEB 7ffda000  
nt!_PEB
   +0x000 InheritedAddressSpace : 0 ''
   +0x001 ReadImageFileExecOptions : 0 ''
   +0x002 BeingDebugged    : 0 ''
   +0x003 SpareBool        : 0 ''
   +0x004 Mutant           : 0xffffffff Void
   +0x008 ImageBaseAddress : 0x4ad00000 Void
   +0x00c Ldr              : 0x00251e90 _PEB_LDR_DATA
   +0x010 ProcessParameters : 0x00020000 _RTL_USER_PROCESS_PARAMETERS
   +0x014 SubSystemData    : (null) 
   +0x018 ProcessHeap      : 0x00150000 Void
   +0x01c FastPebLock      : 0x7c99d600 _RTL_CRITICAL_SECTION
   +0x020 FastPebLockRoutine : 0x7c921000 Void
   +0x024 FastPebUnlockRoutine : 0x7c9210e0 Void
   +0x028 EnvironmentUpdateCount : 2
   +0x02c KernelCallbackTable : 0x77d12970 Void
   +0x030 SystemReserved   : [1] 0
   +0x034 AtlThunkSListPtr32 : 0
   +0x038 FreeList         : (null) 
   +0x03c TlsExpansionCounter : 0
   +0x040 TlsBitmap        : 0x7c99d5c0 Void
   +0x044 TlsBitmapBits    : [2] 0xffff
   +0x04c ReadOnlySharedMemoryBase : 0x7f6f0000 Void
   +0x050 ReadOnlySharedMemoryHeap : 0x7f6f0000 Void
   +0x054 ReadOnlyStaticServerData : 0x7f6f0688  -> ???? 
   +0x058 AnsiCodePageData : 0x7ffa0000 Void
   +0x05c OemCodePageData  : 0x7ffa0000 Void
   +0x060 UnicodeCaseTableData : 0x7ffd1000 Void
   +0x064 NumberOfProcessors : 1
   +0x068 NtGlobalFlag     : 0
   +0x070 CriticalSectionTimeout : _LARGE_INTEGER 0xffffe86d`079b8000
   +0x078 HeapSegmentReserve : 0x100000
   +0x07c HeapSegmentCommit : 0x2000
   +0x080 HeapDeCommitTotalFreeThreshold : 0x10000
   +0x084 HeapDeCommitFreeBlockThreshold : 0x1000
   +0x088 NumberOfHeaps    : 9
   +0x08c MaximumNumberOfHeaps : 0x10
   +0x090 ProcessHeaps     : 0x7c99cfc0  -> 0x00150000 Void
   +0x094 GdiSharedHandleTable : 0x00570000 Void
   +0x098 ProcessStarterHelper : (null) 
   +0x09c GdiDCAttributeList : 0x14
   +0x0a0 LoaderLock       : 0x7c99b178 Void
   +0x0a4 OSMajorVersion   : 5
   +0x0a8 OSMinorVersion   : 1
   +0x0ac OSBuildNumber    : 0xa28
   +0x0ae OSCSDVersion     : 0x300
   +0x0b0 OSPlatformId     : 2
   +0x0b4 ImageSubsystem   : 3
   +0x0b8 ImageSubsystemMajorVersion : 4
   +0x0bc ImageSubsystemMinorVersion : 0
   +0x0c0 ImageProcessAffinityMask : 0
   +0x0c4 GdiHandleBuffer  : [34] 0
   +0x14c PostProcessInitRoutine : (null) 
   +0x150 TlsExpansionBitmap : 0x7c99d5b8 Void
   +0x154 TlsExpansionBitmapBits : [32] 0
   +0x1d4 SessionId        : 0
   +0x1d8 AppCompatFlags   : _ULARGE_INTEGER 0x0
   +0x1e0 AppCompatFlagsUser : _ULARGE_INTEGER 0x0
   +0x1e8 pShimData        : (null) 
   +0x1ec AppCompatInfo    : (null) 
   +0x1f0 CSDVersion       : _UNICODE_STRING "--- memory read error at address 0x7f6f06c2 ---"
   +0x1f8 ActivationContextData : (null) 
   +0x1fc ProcessAssemblyStorageMap : (null) 
   +0x200 SystemDefaultActivationContextData : 0x00140000 Void
   +0x204 SystemAssemblyStorageMap : (null) 
   +0x208 MinimumStackCommit : 0
 

_PEB_LDR_DATA

kd> dt _PEB_LDR_DATA 0x00251e90 
nt!_PEB_LDR_DATA
   +0x000 Length           : 0x28
   +0x004 Initialized      : 0x1 ''
   +0x008 SsHandle         : (null) 
   +0x00c InLoadOrderModuleList : _LIST_ENTRY [ 0x251ec0 - 0x252ee0 ]
   +0x014 InMemoryOrderModuleList : _LIST_ENTRY [ 0x251ec8 - 0x252ee8 ]
   +0x01c InInitializationOrderModuleList : _LIST_ENTRY [ 0x251f28 - 0x252ef0 ]
   +0x024 EntryInProgress  : (null) 
 

kd> dt _LDR_DATA_TABLE_ENTRY 0x251ec0 
nt!_LDR_DATA_TABLE_ENTRY
   +0x000 InLoadOrderLinks : _LIST_ENTRY [ 0x251f18 - 0x251e9c ]
   +0x008 InMemoryOrderLinks : _LIST_ENTRY [ 0x251f20 - 0x251ea4 ]
   +0x010 InInitializationOrderLinks : _LIST_ENTRY [ 0x0 - 0x0 ]
   +0x018 DllBase          : 0x4ad00000 Void
   +0x01c EntryPoint       : 0x4ad05046 Void
   +0x020 SizeOfImage      : 0x75000
   +0x024 FullDllName      : _UNICODE_STRING "???????????????????????????"
   +0x02c BaseDllName      : _UNICODE_STRING "???????"
   +0x034 Flags            : 0x5000
   +0x038 LoadCount        : 0xffff
   +0x03a TlsIndex         : 0
   +0x03c HashLinks        : _LIST_ENTRY [ 0x252dd4 - 0x7c99b270 ]
   +0x03c SectionPointer   : 0x00252dd4 Void
   +0x040 CheckSum         : 0x7c99b270
   +0x044 TimeDateStamp    : 0x48025baf
   +0x044 LoadedImports    : 0x48025baf Void
   +0x048 EntryPointActivationContext : (null) 
   +0x04c PatchInformation : (null) 

可以看到我們的FullDLLName雖然顯示不出但是我們可以驗證下一個0x251f18

kd> dt _LDR_DATA_TABLE_ENTRY 0x251f18 
nt!_LDR_DATA_TABLE_ENTRY
   +0x000 InLoadOrderLinks : _LIST_ENTRY [ <span style="color:#ff0000;">0x251fc0</span> - 0x251ec0 ]
   +0x008 InMemoryOrderLinks : _LIST_ENTRY [ 0x251fc8 - 0x251ec8 ]
   +0x010 InInitializationOrderLinks : _LIST_ENTRY [ 0x251fd0 - 0x251eac ]
   +0x018 DllBase          : 0x7c920000 Void
   +0x01c EntryPoint       : 0x7c932c28 Void
   +0x020 SizeOfImage      : 0x93000
   +0x024 FullDllName      : _UNICODE_STRING "C:\WINDOWS\system32\ntdll.dll"
   +0x02c BaseDllName      : _UNICODE_STRING "ntdll.dll"
   +0x034 Flags            : 0x80084004
   +0x038 LoadCount        : 0xffff
   +0x03a TlsIndex         : 0
   +0x03c HashLinks        : _LIST_ENTRY [ 0x7c99b2c8 - 0x7c99b2c8 ]
   +0x03c SectionPointer   : 0x7c99b2c8 Void
   +0x040 CheckSum         : 0x7c99b2c8
   +0x044 TimeDateStamp    : 0x4802bdc5
   +0x044 LoadedImports    : 0x4802bdc5 Void
   +0x048 EntryPointActivationContext : (null) 
   +0x04c PatchInformation : (null) 

然後再通過

 +0x000 InLoadOrderLinks : _LIST_ENTRY [ <span style="color:#ff0000;">0x251fc0</span> - 0x251ec0 ]

直到遍歷回最初的模組就是的了