You are currently viewing the BOOK: Professional Rootkits ISBN: 978-0-470-10154-4 section of the Wrox Programmer to Programmer discussions.
I can't seem to get past the verification part of your book. I've downloaded all the tools and utilities of the rootkit (chapter 1). However, when trying to verify the WinDbg part (entering !process 0 0 at the lkd> prompt), I get told this:
lkd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
NT symbols are incorrect, please fix symbols
...any ideas? I've set the symbols path to C:\Windows\Symbols which is where the WinXP symbols installer defaulted to.
Here is what my .reload command looks like:
lkd> .reload
Connected to Windows XP 2600 x86 compatible target, ptr64 FALSE
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntkrnlmp.exe -
Loading Kernel Symbols
.................................................. .................................................. ....................
Loading User Symbols
.................................................. .............................
Loading unloaded module list
.........*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\ntdll.dll -
Thanks in advance. I'm looking forward to exploring some more once I get past this initial hurdle.
Hi,
I am not sure where to put "lkd>!process 0 0"
There is no place to write this command. I tried cmd.exe and WinDbg without getting anything. Can anybody help?
All, I am in the 1st chapter of rootkits and am a bit confused about downloading the software. I was wondering: if I have .NET 2003, will this include all the software to compile, run and debug the examples from the book "Rootkits"?
Thanks