[原创]现学现用之windbg的高级玩法(1,3,5,13,14,76,80,81,84,118,119,121,122楼已更新，chm文档集成7篇实战18个辅助工具)-软件逆向-看雪-安全社区|安全招聘|kanxue.com

[原创]现学现用之windbg的高级玩法(1,3,5,13,14,76,80,81,84,118,119,121,122楼已更新，chm文档集成7篇实战18个辅助工具)

发表于: 2013-9-14 23:23 218338

[原创]现学现用之windbg的高级玩法(1,3,5,13,14,76,80,81,84,118,119,121,122楼已更新，chm文档集成7篇实战18个辅助工具)

ddlx

2013-9-14 23:23

218338

0:000> [COLOR=Red]~*
.  0  Id: b3c.b40 Suspend: 1 Teb: 7ffdf000 Unfrozen
      Start: PEViewer!ILT+2905(_WinMainCRTStartup) (00411b5e) 
      Priority: 0  Priority class: 32  Affinity: 3
   1  Id: b3c.be8 Suspend: 1 Teb: 7ffde000 Unfrozen
      Start: kernel32!BaseThreadStartThunk (7c8106e9) 
      Priority: 0  Priority class: 32  Affinity: 3
   2  Id: b3c.bec Suspend: 1 Teb: 7ffdd000 Unfrozen
      Start: kernel32!BaseThreadStartThunk (7c8106e9) 
      Priority: 0  Priority class: 32  Affinity: 3
   3  Id: b3c.bf0 Suspend: 1 Teb: 7ffdc000 Unfrozen
      Start: kernel32!BaseThreadStartThunk (7c8106e9) 
      Priority: 0  Priority class: 32  Affinity: 3
0:000> [COLOR=Red]~ 2 s
eax=00000000 ebx=00000000 ecx=00000000 edx=7ffdd000 esi=7c99b420 edi=7c99b440
eip=7c92e4f4 esp=0197ff70 ebp=0197ffb4 iopl=0         nv up ei ng nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000286
ntdll!KiFastSystemCallRet:
7c92e4f4 c3              ret
0:002> [COLOR=Red]~*
#  0  Id: b3c.b40 Suspend: 1 Teb: 7ffdf000 Unfrozen
      Start: PEViewer!ILT+2905(_WinMainCRTStartup) (00411b5e) 
      Priority: 0  Priority class: 32  Affinity: 3
   1  Id: b3c.be8 Suspend: 1 Teb: 7ffde000 Unfrozen
      Start: ntdll!RtlpTimerThread (7c947ebb) 
      Priority: 0  Priority class: 32  Affinity: 3
.  2  Id: b3c.bec Suspend: 1 Teb: 7ffdd000 Unfrozen
      Start: ntdll!RtlpWorkerThread (7c930230) 
      Priority: 0  Priority class: 32  Affinity: 3
   3  Id: b3c.bf0 Suspend: 1 Teb: 7ffdc000 Unfrozen
      Start: ntdll!RtlpWorkerThread (7c930230) 
      Priority: 0  Priority class: 32  Affinity: 3
0:002> [COLOR=Red]~#
#  0  Id: b3c.b40 Suspend: 1 Teb: 7ffdf000 Unfrozen
      Start: PEViewer!ILT+2905(_WinMainCRTStartup) (00411b5e) 
      Priority: 0  Priority class: 32  Affinity: 3
0:002> [COLOR=Red]~.
.  2  Id: b3c.bec Suspend: 1 Teb: 7ffdd000 Unfrozen
      Start: ntdll!RtlpWorkerThread (7c930230) 
      Priority: 0  Priority class: 32  Affinity: 3
0:002> [COLOR=Red]~1 n
0:002> [COLOR=Red]~1 n
0:002> [COLOR=Red]~1
   1  Id: b3c.be8 [COLOR=Black]Suspend: 3 Teb: 7ffde000 Unfrozen
      Start: ntdll!RtlpTimerThread (7c947ebb) 
      Priority: 0  Priority class: 32  Affinity: 3
0:002> [COLOR=Red]~1 m
0:002> [COLOR=Red]~1
   1  Id: b3c.be8 Suspend: 2 Teb: 7ffde000 Unfrozen
      Start: ntdll!RtlpTimerThread (7c947ebb) 
      Priority: 0  Priority class: 32  Affinity: 3
0:002> [COLOR=Red]~1 f
0:002> [COLOR=Red]~1
   1  Id: b3c.be8 Suspend: 2 Teb: 7ffde000 [COLOR=Red]Frozen  
      Start: ntdll!RtlpTimerThread (7c947ebb) 
      Priority: 0  Priority class: 32  Affinity: 3
0:002> [COLOR=Red]~1 u
0:002> [COLOR=Red]~1
   1  Id: b3c.be8 Suspend: 2 Teb: 7ffde000 Unfrozen
      Start: ntdll!RtlpTimerThread (7c947ebb) 
      Priority: 0  Priority class: 32  Affinity: 3
0:002> [COLOR=Red]~1 n
0:002> [COLOR=Red]~1
   1  Id: b3c.be8 Suspend: 3 Teb: 7ffde000 Unfrozen
      Start: ntdll!RtlpTimerThread (7c947ebb) 
      Priority: 0  Priority class: 32  Affinity: 3
0:002> [COLOR=Red]~1 kp 3
ChildEBP RetAddr  
0187ff98 7c92d1fc ntdll!KiFastSystemCallRet
0187ff9c 7c947f02 ntdll!NtDelayExecution+0xc
0187ffb4 7c80b713 ntdll!RtlpTimerThread+0x47
0:002> [COLOR=Red]~* kp 3

#  0  Id: b3c.b40 Suspend: 1 Teb: 7ffdf000 Unfrozen
ChildEBP RetAddr  
0012ede4 00414679 PEViewer!CPeListCtrl::ShowList(int flag = 0n5, int index = 0n0, int isDblclick = 0n0) [c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\pelistctrl.cpp @ 43]
0012ef28 78e60ef9 PEViewer!CPEViewerDlg::OnClickTree1(struct tagNMHDR * pNMHDR = 0x0012f3cc, long * pResult = 0x0012f1a0)+0x119 [c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\peviewerdlg.cpp @ 274]
0012ef74 78e6154a mfc100d!_AfxDispatchCmdMsg(class CCmdTarget * pTarget = 0x0012faa4, unsigned int nID = 0x3e9, int nCode = 0n65534, <function> * pfn = 0x0041199c, void * pExtra = 0x0012f040, unsigned int nSig = 0x3d, struct AFX_CMDHANDLERINFO * pHandlerInfo = 0x00000000)+0x1a9 [f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\cmdtarg.cpp @ 112]

   1  Id: b3c.be8 Suspend: 3 Teb: 7ffde000 Unfrozen
ChildEBP RetAddr  
0187ff98 7c92d1fc ntdll!KiFastSystemCallRet
0187ff9c 7c947f02 ntdll!NtDelayExecution+0xc
0187ffb4 7c80b713 ntdll!RtlpTimerThread+0x47

   2  Id: b3c.bec Suspend: 1 Teb: 7ffdd000 Unfrozen
ChildEBP RetAddr  
0197ff6c 7c92da2c ntdll!KiFastSystemCallRet
0197ff70 7c93026d ntdll!NtRemoveIoCompletion+0xc
0197ffb4 7c80b713 ntdll!RtlpWorkerThread+0x3d

   3  Id: b3c.bf0 Suspend: 1 Teb: 7ffdc000 Unfrozen
ChildEBP RetAddr  
01a7ff6c 7c92da2c ntdll!KiFastSystemCallRet
01a7ff70 7c93026d ntdll!NtRemoveIoCompletion+0xc
01a7ffb4 7c80b713 ntdll!RtlpWorkerThread+0x3d

0:000> kpnf 10
 #   Memory  ChildEBP RetAddr  
00           0012ecfc 0041ec28 PEViewer!CPeListCtrl::ShowImportFuncs(int index = 0n0)+0xe1 [c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\pelistctrl.cpp @ 749]
01        e8 0012ede4 00414839 PEViewer!CPeListCtrl::ShowList(int flag = 0n5, int index = 0n0, int isDblclick = 0n1)+0xd8 [c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\pelistctrl.cpp @ 77]
02       144 0012ef28 78e60ef9 PEViewer!CPEViewerDlg::OnDblclkTree1(struct tagNMHDR * pNMHDR = 0x0012f46c, long * pResult = 0x0012f1a0)+0x119 [c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\peviewerdlg.cpp @ 295]
03        4c 0012ef74 78e6154a mfc100d!_AfxDispatchCmdMsg(class CCmdTarget * pTarget = 0x0012faa4, unsigned int nID = 0x3e9, int nCode = 0n65533, <function> * pfn = 0x00411569, void * pExtra = 0x0012f040, unsigned int nSig = 0x3d, struct AFX_CMDHANDLERINFO * pHandlerInfo = 0x00000000)+0x1a9 [f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\cmdtarg.cpp @ 112]
04        64 0012efd8 78ebb533 mfc100d!CCmdTarget::OnCmdMsg(unsigned int nID = 0x3e9, int nCode = 0n65533, void * pExtra = 0x0012f040, struct AFX_CMDHANDLERINFO * pHandlerInfo = 0x00000000)+0x2ea [f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\cmdtarg.cpp @ 381]
05        3c 0012f014 78f99381 mfc100d!CDialog::OnCmdMsg(unsigned int nID = 0x3e9, int nCode = 0n5177341, void * pExtra = 0x0012f040, struct AFX_CMDHANDLERINFO * pHandlerInfo = 0x00000000)+0x23 [f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\dlgcore.cpp @ 87]
06        34 0012f048 78f97ef3 mfc100d!CWnd::OnNotify(unsigned int __formal = 0x3e9, long lParam = 0n1242220, long * pResult = 0x0012f1a0)+0xf1 [f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\wincore.cpp @ 2702]
07       174 0012f1bc 78f97dd2 mfc100d!CWnd::OnWndMsg(unsigned int message = 0x4e, unsigned int wParam = 0x3e9, long lParam = 0n1242220, long * pResult = 0x0012f1d8)+0xe3 [f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\wincore.cpp @ 2093]
08        20 0012f1dc 78f94383 mfc100d!CWnd::WindowProc(unsigned int message = 0x4e, unsigned int wParam = 0x3e9, long lParam = 0n1242220)+0x32 [f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\wincore.cpp @ 2067]
09        80 0012f25c 78f94976 mfc100d!AfxCallWndProc(class CWnd * pWnd = 0x0012faa4, struct HWND__ * hWnd = 0x00100518, unsigned int nMsg = 0x4e, unsigned int wParam = 0x3e9, long lParam = 0n1242220)+0xf3 [f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\wincore.cpp @ 248]
0a        20 0012f27c 78d80c7b mfc100d!AfxWndProc(struct HWND__ * hWnd = 0x00100518, unsigned int nMsg = 0x4e, unsigned int wParam = 0x3e9, long lParam = 0n1242220)+0xa6 [f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\wincore.cpp @ 411]
0b        3c 0012f2b8 77d18734 mfc100d!AfxWndProcBase(struct HWND__ * hWnd = 0x00100518, unsigned int nMsg = 0x4e, unsigned int wParam = 0x3e9, long lParam = 0n1242220)+0x5b [f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxstate.cpp @ 420]
0c        2c 0012f2e4 77d18816 USER32!InternalCallWinProc+0x28
0d        68 0012f34c 77d2927b USER32!UserCallWinProcCheckWow+0x150
0e        3c 0012f388 77d292e3 USER32!SendMessageWorker+0x4a5
0f        20 0012f3a8 5d176751 USER32!SendMessageW+0x7f

0:000> dv /i /t /v
prv local  0012ece4 class CPeListCtrl * this = 0x0012fbb0
prv param  0012ed04 int index = 0n0
prv local  0012ec50 class std::vector<ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char> > >,std::allocator<ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char> > > > > vecNames = class std::vector<ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char> > >,std::allocator<ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char> > > > >
prv local  0012ecc0 unsigned long valueAddr = 0x81dd0
prv local  0012ecd8 int rva = 0n530348
prv local  0012ec2c int nItems = 0n-858993460
prv local  0012ec6c class std::vector<ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char> > >,std::allocator<ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char> > > > > vecHints = class std::vector<ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char> > >,std::allocator<ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char> > > > >
prv local  0012ec88 class std::vector<ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char> > >,std::allocator<ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char> > > > > vecFuncRaws = class std::vector<ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char> > >,std::allocator<ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char> > > > >
prv local  0012eccc long offset = 0n527276
prv local  0012eca4 class std::vector<ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char> > >,std::allocator<ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char> > > > > vecFuncRvas = class std::vector<ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char> > >,std::allocator<ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char> > > > >

0:000>[COLOR=Red] .frame 1
01 0012ede4 00414839 PEViewer!CPeListCtrl::ShowList+0xd8 [c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\pelistctrl.cpp @ 77]
0:000> [COLOR=Red]dv /i /t /v
prv local  0012eddc class CPeListCtrl * this = 0x0012fbb0
prv param  0012edec int flag = 0n5
prv param  0012edf0 int index = 0n0
prv param  0012edf4 int isDblclick = 0n1
0:000> [COLOR=Red].frame 2
02 0012ef28 78e60ef9 PEViewer!CPEViewerDlg::OnDblclkTree1+0x119 [c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\peviewerdlg.cpp @ 295]
0:000> [COLOR=Red]dv /i /t /v
prv local  0012ef14 class CPEViewerDlg * this = 0x0012faa4
prv param  0012ef30 struct tagNMHDR * pNMHDR = 0x0012f46c
prv param  0012ef34 long * pResult = 0x0012f1a0
prv local  0012ef08 unsigned long dwpos = 0x1240302
prv local  0012eee4 int flag = 0n5
prv local  0012eef0 struct tagTVHITTESTINFO ht = struct tagTVHITTESTINFO
prv local  0012eed8 int index = 0n0
prv local  0012eecc class ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char> > > strItem = class ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char> > >

0:000>[COLOR=Red] dt this
Local var @ 0x12ece4 Type CPeListCtrl*
0x0012fbb0 
   +0x000 __VFN_table : 0x00436254 
   =00400000 classCObject     : CRuntimeClass
   =00400000 classCCmdTarget  : CRuntimeClass
   =00400000 _commandEntries  : [0] AFX_OLECMDMAP_ENTRY
   =00400000 commandMap       : AFX_OLECMDMAP
   =00400000 _dispatchEntries : [0] AFX_DISPMAP_ENTRY
   =00400000 _dispatchEntryCount : 0x905a4d
   =00400000 _dwStockPropMask : 0x905a4d
   =00400000 dispatchMap      : AFX_DISPMAP
   =00400000 _connectionEntries : [0] AFX_CONNECTIONMAP_ENTRY
   =00400000 connectionMap    : AFX_CONNECTIONMAP
   =00400000 _interfaceEntries : [0] AFX_INTERFACEMAP_ENTRY
   =00400000 interfaceMap     : AFX_INTERFACEMAP
   =00400000 _eventsinkEntries : [0] AFX_EVENTSINKMAP_ENTRY
   =00400000 _eventsinkEntryCount : 0x905a4d
   =00400000 eventsinkMap     : AFX_EVENTSINKMAP
   +0x004 m_dwRef          : 0n1
   +0x008 m_pOuterUnknown  : (null) 
   +0x00c m_xInnerUnknown  : 0
   +0x010 m_xDispatch      : CCmdTarget::XDispatch
   +0x014 m_bResultExpected : 0n1
   +0x018 m_xConnPtContainer : CCmdTarget::XConnPtContainer
   +0x01c m_pModuleState   : 0x00154e08 AFX_MODULE_STATE
   =00400000 classCWnd        : CRuntimeClass
   +0x020 m_hWnd           : 0x0004061a HWND__
   =00400000 wndTop           : CWnd
   =00400000 wndBottom        : CWnd
   =00400000 wndTopMost       : CWnd
   =00400000 wndNoTopMost     : CWnd
   +0x024 m_bEnableActiveAccessibility : 0
   +0x028 m_pStdObject     : (null) 
   +0x02c m_pProxy         : (null) 
   =00400000 _interfaceEntries : [0] AFX_INTERFACEMAP_ENTRY
   =00400000 interfaceMap     : AFX_INTERFACEMAP
   +0x030 m_xAccessible    : CWnd::XAccessible
   +0x034 m_xAccessibleServer : CWnd::XAccessibleServer
   +0x038 m_bIsTouchWindowRegistered : 0n0
   +0x03c m_ptGestureFrom  : CPoint
   +0x044 m_ulGestureArg   : 0
   +0x04c m_bGestureInited : 0n0
   +0x050 m_pCurrentGestureInfo : (null) 
   +0x054 m_hWndOwner      : (null) 
   +0x058 m_nFlags         : 0
   +0x05c m_pfnSuper       : 0xffff0403     long  +ffff0403
   =00400000 m_nMsgDragList   : 0x905a4d
   +0x060 m_nModalResult   : 0n0
   +0x064 m_pDropTarget    : (null) 
   +0x068 m_pCtrlCont      : (null) 
   +0x06c m_pCtrlSite      : (null) 
   +0x070 m_pMFCCtrlContainer : (null) 
   =00400000 classCListCtrl   : CRuntimeClass
   +0x074 m_peFile         : PeStruct

0:000> [COLOR=Red]bm peviewer!CPeListCtrl::Show*
  1: 004221b0 @!"PEViewer!CPeListCtrl::ShowImportDir"
  2: 004226e0 @!"PEViewer!CPeListCtrl::ShowSectionHeader"
  3: 00423a00 @!"PEViewer!CPeListCtrl::ShowImportFuncs"
  4: 0041eb50 @!"PEViewer!CPeListCtrl::ShowList"
  5: 0041f840 @!"PEViewer!CPeListCtrl::ShowFileHeader"
  6: 00423f00 @!"PEViewer!CPeListCtrl::ShowExportFuncs"
  7: 0041eef0 @!"PEViewer!CPeListCtrl::ShowDosHeader"
  8: 00420700 @!"PEViewer!CPeListCtrl::ShowOptionalHeader"
  9: 00423270 @!"PEViewer!CPeListCtrl::ShowExportDir"
0:000> [COLOR=Red]bl
 1 e 004221b0 [c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\pelistctrl.cpp @ 542]    0001 (0001)  0:**** PEViewer!CPeListCtrl::ShowImportDir
 2 e 004226e0 [c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\pelistctrl.cpp @ 578]    0001 (0001)  0:**** PEViewer!CPeListCtrl::ShowSectionHeader
 3 e 00423a00 [c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\pelistctrl.cpp @ 742]    0001 (0001)  0:**** PEViewer!CPeListCtrl::ShowImportFuncs
 4 e 0041eb50 [c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\pelistctrl.cpp @ 43]    0001 (0001)  0:**** PEViewer!CPeListCtrl::ShowList
 5 e 0041f840 [c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\pelistctrl.cpp @ 197]    0001 (0001)  0:**** PEViewer!CPeListCtrl::ShowFileHeader
 6 e 00423f00 [c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\pelistctrl.cpp @ 777]    0001 (0001)  0:**** PEViewer!CPeListCtrl::ShowExportFuncs
 7 e 0041eef0 [c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\pelistctrl.cpp @ 134]    0001 (0001)  0:**** PEViewer!CPeListCtrl::ShowDosHeader
 8 e 00420700 [c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\pelistctrl.cpp @ 349]    0001 (0001)  0:**** PEViewer!CPeListCtrl::ShowOptionalHeader
 9 e 00423270 [c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\pelistctrl.cpp @ 685]    0001 (0001)  0:**** PEViewer!CPeListCtrl::ShowExportDir
0:000> [COLOR=Red]~ 1 bp CPeListCtrl::CPeListCtrl
0:000> [COLOR=Red]bl
 0 e 0041e9c0 [c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\pelistctrl.cpp @ 19]    0001 (0001)  [COLOR=Blue]0:~001 PEViewer!CPeListCtrl::CPeListCtrl
 1 e 004221b0 [c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\pelistctrl.cpp @ 542]    0001 (0001)  0:**** PEViewer!CPeListCtrl::ShowImportDir
 2 e 004226e0 [c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\pelistctrl.cpp @ 578]    0001 (0001)  0:**** PEViewer!CPeListCtrl::ShowSectionHeader
 3 e 00423a00 [c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\pelistctrl.cpp @ 742]    0001 (0001)  0:**** PEViewer!CPeListCtrl::ShowImportFuncs
 4 e 0041eb50 [c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\pelistctrl.cpp @ 43]    0001 (0001)  0:**** PEViewer!CPeListCtrl::ShowList
 5 e 0041f840 [c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\pelistctrl.cpp @ 197]    0001 (0001)  0:**** PEViewer!CPeListCtrl::ShowFileHeader
 6 e 00423f00 [c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\pelistctrl.cpp @ 777]    0001 (0001)  0:**** PEViewer!CPeListCtrl::ShowExportFuncs
 7 e 0041eef0 [c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\pelistctrl.cpp @ 134]    0001 (0001)  0:**** PEViewer!CPeListCtrl::ShowDosHeader
 8 e 00420700 [c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\pelistctrl.cpp @ 349]    0001 (0001)  0:**** PEViewer!CPeListCtrl::ShowOptionalHeader
 9 e 00423270 [c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\pelistctrl.cpp @ 685]    0001 (0001)  0:**** PEViewer!CPeListCtrl::ShowExportDir
0:000> [COLOR=Red]dv
           this = 0x0012fbb0
          index = 0n0
       vecNames = class std::vector<ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char> > >,std::allocator<ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char> > > > >
      valueAddr = 0x81dd0
            rva = 0n530348
         nItems = 0n-858993460
       vecHints = class std::vector<ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char> > >,std::allocator<ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char> > > > >
    vecFuncRaws = class std::vector<ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char> > >,std::allocator<ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char> > > > >
         offset = 0n527276
    vecFuncRvas = class std::vector<ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char> > >,std::allocator<ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char> > > > >
0:000> [COLOR=Red]~ 0 ba w4 index
0:000> [COLOR=Red]bl
 0 e 0041e9c0 [c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\pelistctrl.cpp @ 19]    0001 (0001)  [COLOR=Blue]0:~001 PEViewer!CPeListCtrl::CPeListCtrl
 1 e 004221b0 [c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\pelistctrl.cpp @ 542]    0001 (0001)  0:**** PEViewer!CPeListCtrl::ShowImportDir
 2 e 004226e0 [c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\pelistctrl.cpp @ 578]    0001 (0001)  0:**** PEViewer!CPeListCtrl::ShowSectionHeader
 3 e 00423a00 [c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\pelistctrl.cpp @ 742]    0001 (0001)  0:**** PEViewer!CPeListCtrl::ShowImportFuncs
 4 e 0041eb50 [c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\pelistctrl.cpp @ 43]    0001 (0001)  0:**** PEViewer!CPeListCtrl::ShowList
 5 e 0041f840 [c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\pelistctrl.cpp @ 197]    0001 (0001)  0:**** PEViewer!CPeListCtrl::ShowFileHeader
 6 e 00423f00 [c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\pelistctrl.cpp @ 777]    0001 (0001)  0:**** PEViewer!CPeListCtrl::ShowExportFuncs
 7 e 0041eef0 [c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\pelistctrl.cpp @ 134]    0001 (0001)  0:**** PEViewer!CPeListCtrl::ShowDosHeader
 8 e 00420700 [c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\pelistctrl.cpp @ 349]    0001 (0001)  0:**** PEViewer!CPeListCtrl::ShowOptionalHeader
 9 e 00423270 [c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\pelistctrl.cpp @ 685]    0001 (0001)  0:**** PEViewer!CPeListCtrl::ShowExportDir
10 e 0012ed04 w 4 0001 (0001)  [COLOR=Blue]0:~000 
0:000> [COLOR=Red]bc 3
0:000> [COLOR=Red]bc 2
0:000> [COLOR=Red]bl
 0 e 0041e9c0 [c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\pelistctrl.cpp @ 19]    0001 (0001)  [COLOR=Blue]0:~001 PEViewer!CPeListCtrl::CPeListCtrl
 1 e 004221b0 [c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\pelistctrl.cpp @ 542]    0001 (0001)  0:**** PEViewer!CPeListCtrl::ShowImportDir
 4 e 0041eb50 [c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\pelistctrl.cpp @ 43]    0001 (0001)  0:**** PEViewer!CPeListCtrl::ShowList
 5 e 0041f840 [c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\pelistctrl.cpp @ 197]    0001 (0001)  0:**** PEViewer!CPeListCtrl::ShowFileHeader
 6 e 00423f00 [c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\pelistctrl.cpp @ 777]    0001 (0001)  0:**** PEViewer!CPeListCtrl::ShowExportFuncs
 7 e 0041eef0 [c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\pelistctrl.cpp @ 134]    0001 (0001)  0:**** PEViewer!CPeListCtrl::ShowDosHeader
 8 e 00420700 [c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\pelistctrl.cpp @ 349]    0001 (0001)  0:**** PEViewer!CPeListCtrl::ShowOptionalHeader
 9 e 00423270 [c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\pelistctrl.cpp @ 685]    0001 (0001)  0:**** PEViewer!CPeListCtrl::ShowExportDir
10 e 0012ed04 w 4 0001 (0001)  [COLOR=Blue]0:~000

WINDBG参考手册V0.6.rar

线程指令

查看调用栈

查看每层栈帧的局部变量以及栈帧切换

断点的使用

执行命令

反汇编指令

写汇编指令

显示符号指令

显示最近符号指令

C++表达式在windbg中的用法

一般表达式的计算

字符串比较介绍

无效内存检测

数值的格式化输出

获取当前线程的最近错误码

获取错误码的文字描述

查看最后一次事件信息

查看版本信息

登录后可查看完整内容

[培训]内核驱动高级班，冲击BAT一流互联网大厂工作，每周日13:00-18:00直播授课

#调试逆向

上传的附件：

WINDBG参考手册V0.6.rar （241.63kb，8024次下载）

收藏・531

免费・12

支持

最新回复 (250) 1 2 3 4 5 6 7 8 9 10 11 ▶
sierra 雪币： 238 活跃值： (55) 能力值： ( LV5，RANK：70 ) 在线值：发帖 11 回帖 518 粉丝 0 关注私信	sierra 1 2 楼不错哦~~ 2013-9-14 23:28 0
ddlx 雪币： 541 活跃值： (654) 能力值： ( LV12，RANK：250 ) 在线值：发帖 13 回帖 245 粉丝 44 关注私信	ddlx 5 3 楼 7. 执行命令：g g是执行命令，可以指定从某处执行，也可以在执行到某处时断下，如: g =00423aef 00423af3 修改当前eip为00423aef，执行到00423af3处中断当然也可以让某个线程继续执行，而其他的线程处在冻结状态。如： ~1 g 一号线程继续执行 8. 其他执行命令： p 单步步过 t 单步步入 gu 执行到返回 gc 从断点处继续执行，用在条件断点内 gn 忽略异常继续执行。允许应用程序的异常处理程序来处理异常。 gh 异常被处理，继续执行。 9. 显示汇编指令: u u 向下反汇编 ub向上反汇编 uf反汇编整个函数 0:000> [COLOR=Red]ub 00423bf5 [/COLOR]PEViewer!CPeListCtrl::ShowImportFuncs+0x1d5 [c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\pelistctrl.cpp @ 755]: 00423bd5 0fb7853cffffff movzx eax,word ptr [ebp-0C4h] 00423bdc 50 push eax 00423bdd 8d8d40feffff lea ecx,[ebp-1C0h] 00423be3 51 push ecx 00423be4 8b4de8 mov ecx,dword ptr [ebp-18h] 00423be7 83c174 add ecx,74h 00423bea e818e1feff call PEViewer!ILT+3330(?Num2StringPeStructQAE?AV?$CStringTDV?$StrTraitMFC_DLLDV?$ChTraitsCRTDATLATLKIHZ) (00411d07) 00423bef 8985e8fdffff mov dword ptr [ebp-218h],eax 0:000> [COLOR=Red]u 00423bf5 [/COLOR] PEViewer!CPeListCtrl::ShowImportFuncs+0x1f5 [c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\pelistctrl.cpp @ 755]: 00423bf5 8b95e8fdffff mov edx,dword ptr [ebp-218h] 00423bfb 8995e4fdffff mov dword ptr [ebp-21Ch],edx 00423c01 c645fc06 mov byte ptr [ebp-4],6 00423c05 8b85e4fdffff mov eax,dword ptr [ebp-21Ch] 00423c0b 50 push eax 00423c0c 8d8d70ffffff lea ecx,[ebp-90h] 00423c12 e8f1dafeff call PEViewer!ILT+1795(?push_back?$vectorV?$CStringTDV?$StrTraitMFC_DLLDV?$ChTraitsCRTDATLATLV?$allocatorV?$CStringTDV?$StrTraitMFC_DLLDV?$ChTraitsCRTDATLATLstdstdQAEX$$QAV?$CStringTDV?$StrTraitMFC_DLLDV?$ChTraitsCRTDATLATLZ) (00411708) 00423c17 c645fc03 mov byte ptr [ebp-4],3 10. 写入汇编指令: a 此命令可以直接修改代码段中的指令 0:000> [COLOR=Red].dvalloc 1000[/COLOR] //分配内存 Allocated 1000 bytes starting at 01190000 0:000> [COLOR=Red]a 01190000[/COLOR] //写入汇编 01190000 mov edi,edi [COLOR=Red]mov edi,edi[/COLOR] //写入的汇编指令 01190002 push ebp [COLOR=Red]push ebp[/COLOR] //写入的汇编指令 01190003 mov ebp,esp [COLOR=Red]mov ebp,esp[/COLOR] //写入的汇编指令 01190005 pop ebp [COLOR=Red]pop ebp[/COLOR] //写入的汇编指令 01190006 ret [COLOR=Red]ret [/COLOR]//写入的汇编指令 [COLOR=Red]//按Enter键返回[/COLOR] 0:000> [COLOR=Red]u 01190000[/COLOR] //反汇编 01190000 8bff mov edi,edi 01190002 55 push ebp 01190003 8bec mov ebp,esp 01190005 5d pop ebp 01190006 c3 ret 01190007 0000 add byte ptr [eax],al 01190009 0000 add byte ptr [eax],al 0119000b 0000 add byte ptr [eax],al 0:000> [COLOR=Red].dvfree 01190000 0[/COLOR] //释放内存 Freed 0 bytes starting at 01190000 11. 显示符号指令： x 不光可以显示全局符号，也可以显示局部符号其中符号包括：函数、全局对象、静态对象、参数、局部对象等 0:000>[COLOR=Red] x peviewer!CPeListCtrl::Show[/COLOR] 004221b0 PEViewer!CPeListCtrl::ShowImportDir (int) 004226e0 PEViewer!CPeListCtrl::ShowSectionHeader (int) 00423a00 PEViewer!CPeListCtrl::ShowImportFuncs (int) 0041eb50 PEViewer!CPeListCtrl::ShowList (int, int, int) 0041f840 PEViewer!CPeListCtrl::ShowFileHeader (void) 00423f00 PEViewer!CPeListCtrl::ShowExportFuncs (int) 0041eef0 PEViewer!CPeListCtrl::ShowDosHeader (void) 00420700 PEViewer!CPeListCtrl::ShowOptionalHeader (void) 00423270 PEViewer!CPeListCtrl::ShowExportDir (int) 12. 显示最近的符号*： ln 此命令在不知道某处地址是属于哪个函数时，此命令很有用。它可以告诉你此地址附近的函数是什么 0:000> [COLOR=Red]ln [/COLOR]c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\pelistctrl.cpp(751)+0x8 (00423a00) PEViewer!CPeListCtrl::ShowImportFuncs+0xf3 \| (00423f00) PEViewer!CPeListCtrl::ShowExportFuncs 0:000> [COLOR=Red]ln 00423a00[/COLOR] c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\pelistctrl.cpp(742) (00423a00) PEViewer!CPeListCtrl::ShowImportFuncs \| (00423f00) PEViewer!CPeListCtrl::ShowExportFuncs Exact matches: PEViewer!CPeListCtrl::ShowImportFuncs (int) 2013-9-15 00:06 0
Rookietp 雪币： 1042 活跃值： (500) 能力值： ( LV2，RANK：10 ) 在线值：发帖 5 回帖 795 粉丝 2 关注私信	Rookietp 4 楼 mark learn ..thank ``` 2013-9-15 00:41 0
ddlx 雪币： 541 活跃值： (654) 能力值： ( LV12，RANK：250 ) 在线值：发帖 13 回帖 245 粉丝 44 关注私信	ddlx 5 5 楼 13. C++表达式的用法当我们查看某个变量或者下条件断点时，可能会获取一个对象中的成员值。那应该怎么获取呢？ 13.1. c++表达式求值运算：?? 0:000> [COLOR=Red]?? this->m_nFlags[/COLOR] //显示C++变量 unsigned int 0 //默认为unsigned int类型 0:000> [COLOR=Red]?? this->m_nFlags=0x78458789[/COLOR] //修改C++变量值 unsigned int 0x78458789 0:000> [COLOR=Red]?? (this->m_nFlags) [/COLOR] unsigned int 0x78458789 0:000> [COLOR=Red]?? int(this->m_nFlags) [/COLOR]//按int类型显示 int 0n2017822601 0:000> [COLOR=Red]?? (unsigned short)(this->m_nFlags) [/COLOR]//按unsigned short类型显示 unsigned short 0x8789 0:000> [COLOR=Red]?? (short)(this->m_nFlags)[/COLOR] //按short类型显示 short 0n-30839 0:000> [COLOR=Red]?? (unsigned char)(this->m_nFlags)[/COLOR] //按unsigned char类型显示 unsigned char 0x89 '' 0:000> [COLOR=Red]?? (char)(this->m_nFlags) [/COLOR]//按char类型显示 char 0n-119 '' 13.2. C++前缀：@@() [COLOR=Blue]//设置条件断点。当this->m_nFlags==0x78458789时断下[/COLOR] [COLOR=Red]bp 00423af9 ".if(@@(this->m_nFlags) == 0x78458789){}.else{gc;}"[/COLOR] 14. 一般表达式 14.1. 一般表达式求值：? [COLOR=Blue]//poi对地址取值函数。取出的字节数跟平台相关，32位取4个字节(同dwo)，64位取8个字节(同qwo)[/COLOR] 0:000>[COLOR=Red] ? poi(@@(&this->m_nFlags))[/COLOR] Evaluate expression: 2017822601 = 78458789 0:000> [COLOR=Red]? poi(esp)[/COLOR] Evaluate expression: 531920 = 00081dd0 //从esp地址中取单个字节 0:000> [COLOR=Red]? by(esp)[/COLOR] Evaluate expression: 208 = 000000d0 //从esp地址中取2个字节 0:000> [COLOR=Red]? wo(esp)[/COLOR] Evaluate expression: 7632 = 00001dd0 //从esp地址中取4个字节 0:000> [COLOR=Red]? dwo(esp)[/COLOR] Evaluate expression: 531920 = 00081dd0 //从esp地址中取8个字节 0:000>[COLOR=Red] ? qwo(esp)[/COLOR] Evaluate expression: 2463191519810035152 = 222f03a3`00081dd0 //获取一个32位数的低16位 0:000> [COLOR=Red]? low(poi(esp))[/COLOR] Evaluate expression: 7632 = 00001dd0 //获取一个32位数的高16位 0:000> [COLOR=Red]? hi(poi(esp))[/COLOR] Evaluate expression: 8 = 00000008 //与运算 0:000>[COLOR=Red] ? 4 and(1)[/COLOR] Evaluate expression: 0 = 00000000 //与运算 0:000> [COLOR=Red]? 4 and(f)[/COLOR] Evaluate expression: 4 = 00000004 //或运算 0:000> [COLOR=Red]? 4 \| f[/COLOR] Evaluate expression: 15 = 0000000f //或运算 0:000> [COLOR=Red]? 4 or 1[/COLOR] Evaluate expression: 5 = 00000005 //或运算 0:000> [COLOR=Red]? 4 \| 1[/COLOR] Evaluate expression: 5 = 00000005 //与运算 0:000> [COLOR=Red]? 4 & 1[/COLOR] Evaluate expression: 0 = 00000000 //非运算 0:000> [COLOR=Red]? 4 or 1[/COLOR] Evaluate expression: 5 = 00000005 //判断两个数是否相等 0:000> [COLOR=Red]? 4 == 1[/COLOR] Evaluate expression: 0 = 00000000 //判断两个数是否相等 0:000> [COLOR=Red]? 4 == 4[/COLOR] Evaluate expression: 1 = 00000001 0:000> [COLOR=Red]? 4 > 4[/COLOR] Evaluate expression: 0 = 00000000 0:000> [COLOR=Red]? 4 >= 4[/COLOR] Evaluate expression: 1 = 00000001 14.2. 字符串比较 [COLOR=Blue]//$scmp 为大小写敏感的字符串比较函数.返回值为-1,0,1之一[/COLOR] 0:000> [COLOR=Red]? $scmp("abc","abc")[/COLOR] Evaluate expression: 0 = 00000000 0:000> [COLOR=Red]? $scmp("Abc","abc")[/COLOR] Evaluate expression: -1 = ffffffff 0:000> [COLOR=Red]? $scmp("abc","Abc")[/COLOR] Evaluate expression: 1 = 00000001 [COLOR=Blue]//$sicmp 为大小写不敏感的字符串比较函数.返回值为-1,0,1之一[/COLOR] 0:000> [COLOR=Red]? $sicmp("abc","Abc")[/COLOR] Evaluate expression: 0 = 00000000 0:000> [COLOR=Red]? $sicmp("abc","Abcd")[/COLOR] Evaluate expression: -100 = ffffff9c 0:000> [COLOR=Red]? $sicmp("abcd","abc")[/COLOR] Evaluate expression: 100 = 00000064 [COLOR=Blue]//$spat 通配符匹配.返回值为0(false),1(true)之一。支持以下通配符： // * 表示0-n个任意字符 // ? 表示1个任意字符 // + 表示1-n个前面的字符 // [] 表示任意单个字符的列表。可以使用'-'表示一个范围 // # 表示0-n个前面的字符 //下面为示例用法：[/COLOR] 0:000> [COLOR=Red]? $spat("abcd","abc")[/COLOR] Evaluate expression: 1 = 00000001 0:000> [COLOR=Red]? $spat("abcd","abc+")[/COLOR] Evaluate expression: 0 = 00000000 0:000> [COLOR=Red]? $spat("abcd","abc[abc]")[/COLOR] Evaluate expression: 0 = 00000000 0:000> [COLOR=Red]? $spat("abcd","abc[abcd]")[/COLOR] Evaluate expression: 1 = 00000001 0:000> [COLOR=Red]? $spat("abcc","abc+")[/COLOR] Evaluate expression: 1 = 00000001 0:000> [COLOR=Red]? $spat("abcc","abc")[/COLOR] Evaluate expression: 0 = 00000000 0:000> [COLOR=Red]? $spat("abc","abc?")[/COLOR] Evaluate expression: 0 = 00000000 0:000> [COLOR=Red]? $spat("abcd","abc?")[/COLOR] Evaluate expression: 1 = 00000001 0:000> [COLOR=Red]? $spat("abcde","abc?")[/COLOR] Evaluate expression: 0 = 00000000 14.3. 判断一个地址是否无效：$vvalid 返回0无效，1为有效 0:000> [COLOR=Red]? $vvalid(0, 100)[/COLOR] Evaluate expression: 0 = 00000000 0:000> [COLOR=Red]? $vvalid(0x400000, 100)[/COLOR] Evaluate expression: 1 = 00000001 14.4. 格式化数值：.formats 0:000>[COLOR=Red] .formats 1000[/COLOR] Evaluate expression: Hex: 00001000 Decimal: 4096 Octal: 00000010000 Binary: 00000000 00000000 00010000 00000000 Chars: .... Time: Thu Jan 01 09:08:16 1970 Float: low 5.73972e-042 high 0 Double: 2.02369e-320 15. 返回最近的错误码指令： !gle 与GetLastError相同 0:000> [COLOR=Red]!gle[/COLOR] LastErrorValue: (NTSTATUS) 0 (0) - STATUS_WAIT_0 LastStatusValue: (NTSTATUS) 0xc0000135 - { 16. 查询错误码含义： !error 0:000> [COLOR=Red][B]!error 2[/B][/COLOR] Error code: (Win32) 0x2 (2) - The system cannot find the file specified. 0:000> !error 2 1 Error code: (NTSTATUS) 0x2 - STATUS_WAIT_2 17. 查看最后一次事件信息:* .lastevent 0:000> [COLOR=Red].lastevent[/COLOR] Last event: ea8.c98: [COLOR=Red]Hit breakpoint 2[/COLOR][COLOR=Blue](断点事件，中断到二号断点)[/COLOR] debugger time: Sun Sep 15 00:30:25.559 2013 (UTC + 8:00) 18. 查看版本信息： version、vertarget 0:000> [COLOR=Red]version[/COLOR] Windows XP Version 2600 (Service Pack 3) MP (2 procs) Free x86 compatible Product: WinNt, suite: SingleUserTS kernel32.dll version: 5.1.2600.5512 (xpsp.080413-2111) Machine Name: Debug session time: Sun Sep 15 01:15:25.871 2013 (UTC + 8:00) System Uptime: 0 days 4:42:50.824 Process Uptime: 0 days 3:46:38.188 Kernel time: 0 days 0:00:03.296 User time: 0 days 0:00:01.078 Live user mode: <Local> Microsoft (R) Windows Debugger Version 6.12.0002.633 X86 Copyright (c) Microsoft Corporation. All rights reserved. command line: '"C:\Program Files\Debugging Tools for Windows (x86)\windbg.exe" ' Debugger Process 0xB68 dbgeng: image 6.12.0002.633, built Tue Feb 02 04:08:31 2010 [path: C:\Program Files\Debugging Tools for Windows (x86)\dbgeng.dll] dbghelp: image 6.12.0002.633, built Tue Feb 02 04:08:26 2010 [path: C:\Program Files\Debugging Tools for Windows (x86)\dbghelp.dll] DIA version: 20921 Extension DLL search Path: C:\Program Files\Debugging Tools for Windows (x86)\WINXP;C:\Program Files\Debugging Tools for Windows (x86)\winext;C:\Program Files\Debugging Tools for Windows (x86)\winext\arcade;C:\Program Files\Debugging Tools for Windows (x86)\pri;C:\Program Files\Debugging Tools for Windows (x86);C:\Program Files\Debugging Tools for Windows (x86)\winext\arcade;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\TortoiseSVN\bin Extension DLL chain: hs: built Sun Apr 28 08:53:56 2013 [path: C:\Program Files\Debugging Tools for Windows (x86)\hs.dll] dbghelp: image 6.12.0002.633, API 6.1.6, built Tue Feb 02 04:08:26 2010 [path: C:\Program Files\Debugging Tools for Windows (x86)\dbghelp.dll] ext: image 6.12.0002.633, API 1.0.0, built Tue Feb 02 04:08:31 2010 [path: C:\Program Files\Debugging Tools for Windows (x86)\winext\ext.dll] exts: image 6.12.0002.633, API 1.0.0, built Tue Feb 02 04:08:24 2010 [path: C:\Program Files\Debugging Tools for Windows (x86)\WINXP\exts.dll] uext: image 6.12.0002.633, API 1.0.0, built Tue Feb 02 04:08:23 2010 [path: C:\Program Files\Debugging Tools for Windows (x86)\winext\uext.dll] ntsdexts: image 6.1.7650.0, API 1.0.0, built Tue Feb 02 04:08:08 2010 [path: C:\Program Files\Debugging Tools for Windows (x86)\WINXP\ntsdexts.dll] 0:000>[COLOR=Red] vertarget[/COLOR] Windows XP Version 2600 (Service Pack 3) MP (2 procs) Free x86 compatible Product: WinNt, suite: SingleUserTS kernel32.dll version: 5.1.2600.5512 (xpsp.080413-2111) Machine Name: Debug session time: Sun Sep 15 01:15:45.106 2013 (UTC + 8:00) System Uptime: 0 days 4:43:10.054 Process Uptime: 0 days 3:46:57.423 Kernel time: 0 days 0:00:03.296 User time: 0 days 0:00:01.078 2013-9-15 01:22 0
ddlx 雪币： 541 活跃值： (654) 能力值： ( LV12，RANK：250 ) 在线值：发帖 13 回帖 245 粉丝 44 关注私信	ddlx 5 6 楼睡觉先，睡醒继续 2013-9-15 01:28 0
Sam.com 雪币： 12688 活跃值： (4294) 能力值： ( LV3，RANK：30 ) 在线值：发帖 4 回帖 100 粉丝 1 关注私信	Sam.com 7 楼楼主做个文档什么的供下载吧~~谢谢 2013-9-15 03:16 0
kangcin 雪币： 602 活跃值： (45) 能力值： ( LV2，RANK：10 ) 在线值：发帖 7 回帖 482 粉丝 0 关注私信	kangcin 8 楼支持文档 2013-9-15 05:26 0
封心锁爱雪币： 239 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 170 粉丝 1 关注私信	封心锁爱 9 楼 Windbg命令 mark 2013-9-15 08:30 0
小小笑儿雪币： 61 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 85 粉丝 1 关注私信	小小笑儿 10 楼支持文档 2013-9-15 09:11 0
ddlx 雪币： 541 活跃值： (654) 能力值： ( LV12，RANK：250 ) 在线值：发帖 13 回帖 245 粉丝 44 关注私信	ddlx 5 11 楼感谢关注，等写完了会做成chm格式文档 2013-9-15 10:08 0
Artmiss 雪币： 19 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 69 粉丝 1 关注私信	Artmiss 12 楼这个很好，支持一下 2013-9-15 10:12 0
ddlx 雪币： 541 活跃值： (654) 能力值： ( LV12，RANK：250 ) 在线值：发帖 13 回帖 245 粉丝 44 关注私信	ddlx 5 13 楼在调试的过程中我们可能需要修改汇编代码，比如做个跳板改变执行流（在介绍a指令的时候有用到.在第三楼），或者把内存dump到文件中，或者把文件中的数据读入内存中。这就牵涉到怎么分配和释放内存，怎么读写内存等操作。下面我们一起来学习一下内存操作相关指令把。 19. 分配内存指令： .dvalloc .dvalloc指令类似与VirtualAlloc函数。可以指定分配的大小、类型（MEM_RESERVE \| MEM_COMMIT）(加上参数/r，申请的内存类型为MEM_RESERVE。默认为MEM_COMMIT)、起始地址(加上参数/b) 使用.dvalloc分配的内存都是PAGE_EXECUTE_READWRITE属性 0:000> [COLOR=Red].dvalloc 56[/COLOR] Allocated 1000 bytes starting at 00390000[COLOR=Blue] (分配的内存地址)[/COLOR] [COLOR=Blue]//保留一块内存[/COLOR] 0:000> [COLOR=Red].dvalloc /b 10000000 /r 56[/COLOR] Allocated 1000 bytes starting at 10000000 [COLOR=Blue]//如果内存存在，则会分配失败[/COLOR] 0:000> [COLOR=Red].dvalloc /b 400000 /r 56[/COLOR] Allocation failed, Win32 error 0n487 "试图访问无效的地址。" [COLOR=Blue]//查看内存属性[/COLOR] 0:000> [COLOR=Red]!vprot 10000000[/COLOR] BaseAddress: 10000000 AllocationBase: 10000000 AllocationProtect: 00000040 PAGE_EXECUTE_READWRITE RegionSize: 00001000 State: 00002000 MEM_RESERVE Type: 00020000 MEM_PRIVATE [COLOR=Blue]//查看内存属性[/COLOR] 0:000> [COLOR=Red]!vprot 00390000[/COLOR] BaseAddress: 00390000 AllocationBase: 00390000 AllocationProtect: 00000040 PAGE_EXECUTE_READWRITE RegionSize: 00001000 State: 00001000 MEM_COMMIT Protect: 00000040 PAGE_EXECUTE_READWRITE Type: 00020000 MEM_PRIVATE 20. 释放内存指令: .dvfree 有分配就有释放.dvfree指令类似VirtualFree 函数。 [COLOR=Blue]//把内存类型设置成MEM_RESERVE状态[/COLOR] 0:000> [COLOR=Red].dvfree /d 00390000 1000[/COLOR] Freed 1000 bytes starting at 00390000 [COLOR=Blue]//查看内存属性[/COLOR] 0:000> [COLOR=Red]!vprot 00390000 [/COLOR] BaseAddress: 00390000 AllocationBase: 00390000 AllocationProtect: 00000040 PAGE_EXECUTE_READWRITE RegionSize: 00001000 State: 00002000 MEM_RESERVE Type: 00020000 MEM_PRIVATE [COLOR=Blue]//完全释放内存[/COLOR] 0:000> [COLOR=Red].dvfree 00390000 0[/COLOR] Freed 0 bytes starting at 00390000 [COLOR=Blue]//查看内存属性[/COLOR] 0:000> [COLOR=Red]!vprot 00390000 [/COLOR] BaseAddress: 00390000 AllocationBase: 00000000 RegionSize: 00070000 State: 00010000 MEM_FREE Protect: 00000001 PAGE_NOACCESS 21. 查看内存属性：!vprot !vprot指令类似与VirtualQuery 函数。可以获取一个内存块的各种属性。 0:000>[COLOR=Red] !vprot 400000[/COLOR] BaseAddress: 00400000 AllocationBase: 00400000 AllocationProtect: 00000080 PAGE_EXECUTE_WRITECOPY RegionSize: 00001000 State: 00001000 MEM_COMMIT Protect: 00000002 PAGE_READONLY Type: 01000000 MEM_IMAGE 0:000>[COLOR=Red] !vprot 500000[/COLOR] BaseAddress: 00500000 AllocationBase: 00000000 RegionSize: 0fb00000 State: 00010000 MEM_FREE Protect: 00000001 PAGE_NOACCESS 22. 查询内存信息命令: !address !address命令可以按照性质(image or stack or heap or filemap...)、类型(MEM_IMAGE or MEM_MAPPED or MEM_PRIVATE) 、状态(MEM_COMMIT or MEM_FREE or MEM_RESERVE )、保护属性(PAGE_NOACCESS or PAGE_READONLY ...)等组合查询某一组内存列表。 [COLOR=Blue]//查看400000地址信息，类似!vprot[/COLOR] 0:000> [COLOR=Red]!address 400000[/COLOR] Usage: Image Allocation Base: 00400000 Base Address: 00400000 End Address: 00401000 Region Size: 00001000 Type: 01000000 MEM_IMAGE State: 00001000 MEM_COMMIT Protect: 00000002 PAGE_READONLY More info: lmv m PEViewer More info: !lmi PEViewer More info: ln 0x400000 [COLOR=Blue]//查看属于Image,Heap,Stack 性质的内存信息[/COLOR] 0:000> [COLOR=Red]!address /f:Image,Heap,Stack [/COLOR] BaseAddr EndAddr+1 RgnSize Type State Protect Usage ------------------------------------------------------------------------------------------- 30000 12d000 fd000 MEM_PRIVATE MEM_RESERVE Stack [a38.d98; ~0] 12d000 12e000 1000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE\|PAGE_GUARD Stack [a38.d98; ~0] 12e000 130000 2000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE Stack [a38.d98; ~0] 400000 401000 1000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image "PEViewer.exe" 401000 411000 10000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_WRITECOPY Image "PEViewer.exe" 411000 434000 23000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image "PEViewer.exe" 434000 43c000 8000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image "PEViewer.exe" 43c000 43d000 1000 MEM_IMAGE MEM_COMMIT PAGE_WRITECOPY Image "PEViewer.exe" 43d000 43e000 1000 MEM_IMAGE MEM_COMMIT PAGE_READWRITE Image "PEViewer.exe" 43e000 43f000 1000 MEM_IMAGE MEM_COMMIT PAGE_WRITECOPY Image "PEViewer.exe" 43f000 449000 a000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image "PEViewer.exe" 10200000 10201000 1000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image "C:\WINDOWS\system32\MSVCR100D.dll" 10201000 1035e000 15d000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image "C:\WINDOWS\system32\MSVCR100D.dll" 1035e000 10364000 6000 MEM_IMAGE MEM_COMMIT PAGE_WRITECOPY Image "C:\WINDOWS\system32\MSVCR100D.dll" 10364000 10372000 e000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image "C:\WINDOWS\system32\MSVCR100D.dll" 10480000 10481000 1000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image "C:\WINDOWS\system32\MSVCP100D.dll" 10481000 1052c000 ab000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image "C:\WINDOWS\system32\MSVCP100D.dll" 1052c000 10530000 4000 MEM_IMAGE MEM_COMMIT PAGE_WRITECOPY Image "C:\WINDOWS\system32\MSVCP100D.dll" 10530000 10537000 7000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image "C:\WINDOWS\system32\MSVCP100D.dll" 5d170000 5d171000 1000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image "C:\WINDOWS\system32\COMCTL32.dll" 5d171000 5d1e2000 71000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image "C:\WINDOWS\system32\COMCTL32.dll" 5d1e2000 5d1e5000 3000 MEM_IMAGE MEM_COMMIT PAGE_WRITECOPY Image "C:\WINDOWS\system32\COMCTL32.dll" 5d1e5000 5d20a000 25000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image "C:\WINDOWS\system32\COMCTL32.dll" 762f0000 762f1000 1000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image "C:\WINDOWS\system32\MSIMG32.dll" 762f1000 762f2000 1000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image "C:\WINDOWS\system32\MSIMG32.dll" 762f2000 762f3000 1000 MEM_IMAGE MEM_COMMIT PAGE_WRITECOPY Image "C:\WINDOWS\system32\MSIMG32.dll" 762f3000 762f5000 2000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image "C:\WINDOWS\system32\MSIMG32.dll" 76990000 76991000 1000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image "C:\WINDOWS\system32\ole32.dll" 76991000 76ab6000 125000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image "C:\WINDOWS\system32\ole32.dll" 76ab6000 76abd000 7000 MEM_IMAGE MEM_COMMIT PAGE_WRITECOPY Image "C:\WINDOWS\system32\ole32.dll" 76abd000 76acd000 10000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image "C:\WINDOWS\system32\ole32.dll" 770f0000 770f1000 1000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image "C:\WINDOWS\system32\OLEAUT32.dll" 770f1000 77171000 80000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image "C:\WINDOWS\system32\OLEAUT32.dll" 77171000 77174000 3000 MEM_IMAGE MEM_COMMIT PAGE_WRITECOPY Image "C:\WINDOWS\system32\OLEAUT32.dll" 77174000 7717b000 7000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image "C:\WINDOWS\system32\OLEAUT32.dll" 77be0000 77be1000 1000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image "C:\WINDOWS\system32\msvcrt.dll" 77be1000 77c2d000 4c000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image "C:\WINDOWS\system32\msvcrt.dll" 77c2d000 77c34000 7000 MEM_IMAGE MEM_COMMIT PAGE_WRITECOPY Image "C:\WINDOWS\system32\msvcrt.dll" 77c34000 77c38000 4000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image "C:\WINDOWS\system32\msvcrt.dll" 77d10000 77d11000 1000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image "C:\WINDOWS\system32\USER32.dll" 77d11000 77d71000 60000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image "C:\WINDOWS\system32\USER32.dll" 77d71000 77d73000 2000 MEM_IMAGE MEM_COMMIT PAGE_WRITECOPY Image "C:\WINDOWS\system32\USER32.dll" 77d73000 77da0000 2d000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image "C:\WINDOWS\system32\USER32.dll" 77da0000 77da1000 1000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image "C:\WINDOWS\system32\ADVAPI32.dll" 77da1000 77e16000 75000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image "C:\WINDOWS\system32\ADVAPI32.dll" 77e16000 77e1b000 5000 MEM_IMAGE MEM_COMMIT PAGE_WRITECOPY Image "C:\WINDOWS\system32\ADVAPI32.dll" 77e1b000 77e49000 2e000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image "C:\WINDOWS\system32\ADVAPI32.dll" 77e50000 77e51000 1000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image "C:\WINDOWS\system32\RPCRT4.dll" 77e51000 77edb000 8a000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image "C:\WINDOWS\system32\RPCRT4.dll" 77edb000 77edc000 1000 MEM_IMAGE MEM_COMMIT PAGE_WRITECOPY Image "C:\WINDOWS\system32\RPCRT4.dll" 77edc000 77ee2000 6000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image "C:\WINDOWS\system32\RPCRT4.dll" 77ef0000 77ef1000 1000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image "C:\WINDOWS\system32\GDI32.dll" 77ef1000 77f34000 43000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image "C:\WINDOWS\system32\GDI32.dll" 77f34000 77f36000 2000 MEM_IMAGE MEM_COMMIT PAGE_WRITECOPY Image "C:\WINDOWS\system32\GDI32.dll" 77f36000 77f39000 3000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image "C:\WINDOWS\system32\GDI32.dll" 77f40000 77f41000 1000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image "C:\WINDOWS\system32\SHLWAPI.dll" 77f41000 77fad000 6c000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image "C:\WINDOWS\system32\SHLWAPI.dll" 77fad000 77fae000 1000 MEM_IMAGE MEM_COMMIT PAGE_WRITECOPY Image "C:\WINDOWS\system32\SHLWAPI.dll" 77fae000 77fb6000 8000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image "C:\WINDOWS\system32\SHLWAPI.dll" 77fc0000 77fc1000 1000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image "C:\WINDOWS\system32\Secur32.dll" 77fc1000 77fce000 d000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image "C:\WINDOWS\system32\Secur32.dll" 77fce000 77fcf000 1000 MEM_IMAGE MEM_COMMIT PAGE_WRITECOPY Image "C:\WINDOWS\system32\Secur32.dll" 77fcf000 77fd1000 2000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image "C:\WINDOWS\system32\Secur32.dll" 78b60000 78b61000 1000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image "C:\WINDOWS\system32\mfc100d.dll" 78b61000 79070000 50f000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image "C:\WINDOWS\system32\mfc100d.dll" 79070000 79080000 10000 MEM_IMAGE MEM_COMMIT PAGE_WRITECOPY Image "C:\WINDOWS\system32\mfc100d.dll" 79080000 79203000 183000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image "C:\WINDOWS\system32\mfc100d.dll" 7c800000 7c801000 1000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image "C:\WINDOWS\system32\kernel32.dll" 7c801000 7c885000 84000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image "C:\WINDOWS\system32\kernel32.dll" 7c885000 7c888000 3000 MEM_IMAGE MEM_COMMIT PAGE_READWRITE Image "C:\WINDOWS\system32\kernel32.dll" 7c888000 7c88a000 2000 MEM_IMAGE MEM_COMMIT PAGE_WRITECOPY Image "C:\WINDOWS\system32\kernel32.dll" 7c88a000 7c91e000 94000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image "C:\WINDOWS\system32\kernel32.dll" 7c920000 7c921000 1000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image "ntdll.dll" 7c921000 7c99b000 7a000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image "ntdll.dll" 7c99b000 7c99e000 3000 MEM_IMAGE MEM_COMMIT PAGE_READWRITE Image "ntdll.dll" 7c99e000 7c9a0000 2000 MEM_IMAGE MEM_COMMIT PAGE_WRITECOPY Image "ntdll.dll" 7c9a0000 7c9b3000 13000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image "ntdll.dll" 23. 从文件中读入数据到内存指令: .readmem 直接使用例子演示。我在c盘下建立一个hello.txt的文件。文件中是一句话：hello pediy, I'm ddlx. 下面我把这个文件读入到内存 [COLOR=Blue]//分配一块内存[/COLOR] 0:000> [COLOR=Red].dvalloc 100[/COLOR] Allocated 1000 bytes starting at 00390000 [COLOR=Blue]//查看内存数据[/COLOR] 0:000>[COLOR=Red] db 00390000[/COLOR] 00390000 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ 00390010 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ 00390020 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ 00390030 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ 00390040 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ 00390050 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ 00390060 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ 00390070 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ [COLOR=Blue]//把c:\hello.txt文件中的内容读入到00390000内存中[/COLOR] 0:000>[COLOR=Red] .readmem c:\hello.txt 00390000 L0n22[/COLOR] Reading 16 bytes. [COLOR=Blue]//查看内存数据[/COLOR] 0:000> [COLOR=Red]db 00390000[/COLOR] 00390000 68 65 6c 6c 6f 20 70 65-64 69 79 2c 20 49 27 6d hello pediy, I'm 00390010 20 64 64 6c 78 2e 00 00-00 00 00 00 00 00 00 00 ddlx........... 00390020 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ 00390030 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ 00390040 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ 00390050 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ 00390060 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ 00390070 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ 24. Dump内存指令：.writemem 我们经常会存在如下需求：有一个程序是压缩壳，需要把解压后的代码Dump出来；为了分析某些数据，需要把某个内存块Dump出来。那使用.writemem把。 .writemem与.readmem类似，是他的逆操作。 [COLOR=Blue]//演示吧peviewer的整个镜像写入文件 //查看peviewer模块信息[/COLOR] 0:000>[COLOR=Red] lm m peviewer[/COLOR] start end module name 00400000 00449000 PEViewer C (private pdb symbols) C:\Documents and Settings\Administrator\桌面\PEViewer0.9\PEViewer\Debug\PEViewer.pdb [COLOR=Blue]//dump到文件c:\dump_peviewer.exe[/COLOR] 0:000> [COLOR=Red].writemem c:\dump_peviewer.exe 00400000 00449000-1[/COLOR] Writing 49000 bytes.................................................................................................................................................. 上传的附件： dump_peviewer.JPG （101.70kb，20次下载） 2013-9-15 11:21 0
ddlx 雪币： 541 活跃值： (654) 能力值： ( LV12，RANK：250 ) 在线值：发帖 13 回帖 245 粉丝 44 关注私信	ddlx 5 14 楼 25. 读内存指令：d 读指令是最常用的指令之一。它负责按照指定的格式，格式化输出内存数据。下面介绍一下读各种数据的方法： []da 按照ASCII字符串读取 []db 按照单字节和ASCII字符串读取 []dc 按照4字节和ASCII字符串读取 []dd 按照4字节读取 []dD 按照双浮点(8字节)格式读取 []df 按照单浮点(4字节)格式读取 []dp 按照指针(32位系统读取4字节，64位系统读取8字节)格式读取 []dq 按照8字节读取 []du 按照Unicode字符串读取 []dw 按照2字节读取 []dW 按照2字节和ASCII字符串读取 []dyb 按照单字节和二进制读取 []dyd 按照4字节和二进制读取 [COLOR=Blue]//分配内存[/COLOR] 0:000>[COLOR=Red] .dvalloc 1000[/COLOR] Allocated 1000 bytes starting at 003a0000 [COLOR=Blue]//写入unicode字符串在003a0000地址处[/COLOR] 0:000> [COLOR=Red]eu 003a0000 "my unicode string."[/COLOR] [COLOR=Blue]//写入ascii字符串在003a0026地址处[/COLOR] 0:000> [COLOR=Red]ea 003a0026 "my ascii string."[/COLOR] [COLOR=Blue]//按照单字节和ASCII字符串读取[/COLOR] 0:000> [COLOR=Red]db 003a0000[/COLOR] 003a0000 6d 00 79 00 20 00 75 00-6e 00 69 00 63 00 6f 00 m.y. .u.n.i.c.o. 003a0010 64 00 65 00 20 00 73 00-74 00 72 00 69 00 6e 00 d.e. .s.t.r.i.n. 003a0020 67 00 2e 00 00 00 6d 79-20 61 73 63 69 69 20 73 g.....my ascii s 003a0030 74 72 69 6e 67 2e 00 00-00 00 00 00 00 00 00 00 tring........... 003a0040 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ 003a0050 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ 003a0060 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ 003a0070 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ 0:000> [COLOR=Red]da 003a0000 [/COLOR] 003a0000 "m" 0:000> [COLOR=Red]da 003a0026 [/COLOR] 003a0026 "my ascii string." 0:000> [COLOR=Red]dc 003a0000 l10[/COLOR] 003a0000 0079006d 00750020 0069006e 006f0063 m.y. .u.n.i.c.o. 003a0010 00650064 00730020 00720074 006e0069 d.e. .s.t.r.i.n. 003a0020 002e0067 796d0000 63736120 73206969 g.....my ascii s 003a0030 6e697274 00002e67 00000000 00000000 tring........... [COLOR=Blue]//按照4字节读取,读取0x10个单位[/COLOR] 0:000> [COLOR=Red]dd 003a0000 l10[/COLOR] 003a0000 0079006d 00750020 0069006e 006f0063 003a0010 00650064 00730020 00720074 006e0069 003a0020 002e0067 796d0000 63736120 73206969 003a0030 6e697274 00002e67 00000000 00000000 0:000> [COLOR=Red]dD 003a0000 l8[/COLOR] 003a0000 1.86910550213e-306 1.37961301819e-306 1.69109959303e-306 003a0018 1.33511561534e-306 8.03237601403e+276 3.58592943091e+246 003a0030 2.52081032102e-310 0 0:000> [COLOR=Red]df 003a0000 l10[/COLOR] 003a0000 1.1112248e-038 1.0744798e-038 9.6428812e-039 1.0193879e-038 003a0010 9.2755252e-039 1.0561127e-038 1.0469409e-038 1.0102052e-038 003a0020 4.2245772e-039 7.6910897e+034 4.4895574e+021 1.2709129e+031 003a0030 1.8062093e+028 1.6646024e-041 0 0 0:000> [COLOR=Red]dp 003a0000 l10[/COLOR] 003a0000 0079006d 00750020 0069006e 006f0063 003a0010 00650064 00730020 00720074 006e0069 003a0020 002e0067 796d0000 63736120 73206969 003a0030 6e697274 00002e67 00000000 00000000 0:000> [COLOR=Red]dq 003a0000 l8[/COLOR] 003a0000 00750020`0079006d 006f0063`0069006e 003a0010 00730020`00650064 006e0069`00720074 003a0020 796d0000`002e0067 73206969`63736120 003a0030 00002e67`6e697274 00000000`00000000 0:000> [COLOR=Red]du 003a0000 [/COLOR] 003a0000 "my unicode string." 0:000>[COLOR=Red] dw 003a0000 l20[/COLOR] 003a0000 006d 0079 0020 0075 006e 0069 0063 006f 003a0010 0064 0065 0020 0073 0074 0072 0069 006e 003a0020 0067 002e 0000 796d 6120 6373 6969 7320 003a0030 7274 6e69 2e67 0000 0000 0000 0000 0000 0:000>[COLOR=Red] dW 003a0000 l20[/COLOR] 003a0000 006d 0079 0020 0075 006e 0069 0063 006f m.y. .u.n.i.c.o. 003a0010 0064 0065 0020 0073 0074 0072 0069 006e d.e. .s.t.r.i.n. 003a0020 0067 002e 0000 796d 6120 6373 6969 7320 g.....my ascii s 003a0030 7274 6e69 2e67 0000 0000 0000 0000 0000 tring........... 0:000> [COLOR=Red]dyb 003a0000 l10[/COLOR] 76543210 76543210 76543210 76543210 -------- -------- -------- -------- 003a0000 01101101 00000000 01111001 00000000 6d 00 79 00 003a0004 00100000 00000000 01110101 00000000 20 00 75 00 003a0008 01101110 00000000 01101001 00000000 6e 00 69 00 003a000c 01100011 00000000 01101111 00000000 63 00 6f 00 0:000>[COLOR=Red] dyd 003a0000 l4[/COLOR] 3 2 1 0 10987654 32109876 54321098 76543210 -------- -------- -------- -------- 003a0000 00000000 01111001 00000000 01101101 0079006d 003a0004 00000000 01110101 00000000 00100000 00750020 003a0008 00000000 01101001 00000000 01101110 0069006e 003a000c 00000000 01101111 00000000 01100011 006f0063 0:000> [COLOR=Red].dvfree 003a0000 0[/COLOR] Freed 0 bytes starting at 003a0000 26. 显示符号表指令：* dds、dps、dqs 这个常用在查看虚函数表、导入地址等操作时使用。 [COLOR=Blue] //查看导入地址表[/COLOR] 0:000> [COLOR=Red]dps 0043D798 l10[/COLOR] 0043d798 7c809832 kernel32!InterlockedCompareExchange 0043d79c 7c933405 ntdll!RtlDecodePointer 0043d7a0 7c80981e kernel32!InterlockedExchange 0043d7a4 7c802446 kernel32!Sleep 0043d7a8 7c839481 kernel32!HeapSetInformation 0043d7ac 7c801e54 kernel32!GetStartupInfoW 0043d7b0 7c80a164 kernel32!WideCharToMultiByte 0043d7b4 7c813123 kernel32!IsDebuggerPresent 0043d7b8 7c809c88 kernel32!MultiByteToWideChar 0043d7bc 7c812a99 kernel32!RaiseException 0043d7c0 7c809856 kernel32!MulDiv 0043d7c4 7c80be46 kernel32!lstrlenA 0043d7c8 7c80ae30 kernel32!GetProcAddress 0043d7cc 7c80aedb kernel32!LoadLibraryW 0043d7d0 7c801e1a kernel32!TerminateProcess 0043d7d4 7c80de85 kernel32!GetCurrentProcess 27. 查看ascii字符串数组命令： dda、dpa、dqa 0:000>[COLOR=Red] .dvalloc 1000[/COLOR] Allocated 1000 bytes starting at 003a0000 0:000> [COLOR=Red]ea 003a0020 "string1"[/COLOR] 0:000>[COLOR=Red] ea 003a0030 "string2"[/COLOR] 0:000>[COLOR=Red] ea 003a0040 "string3"[/COLOR] 0:000> [COLOR=Red]ea 003a0050 "string4"[/COLOR] 0:000>[COLOR=Red] ea 003a0060 "string5"[/COLOR] 0:000> [COLOR=Red]ea 003a0070 "string6"[/COLOR] 0:000> [COLOR=Red]ed 003a0000 003a0020 003a0030 003a0040 003a0050 003a0060 003a0070 [/COLOR] 0:000> [COLOR=Red]dpa 003a0000 l8[/COLOR] 003a0000 003a0020 "string1" 003a0004 003a0030 "string2" 003a0008 003a0040 "string3" 003a000c 003a0050 "string4" 003a0010 003a0060 "string5" 003a0014 003a0070 "string6" 003a0018 00000000 003a001c 00000000 28. unicode字符串数组查看： ddu、 dqu、 dpu [COLOR=Blue]//内存清0[/COLOR] 0:000> [COLOR=Red].for (r $t1=0; @$t1<820; r$t1=@$t1+8){eq 003a0000+$t1 0;}[/COLOR] [COLOR=Blue]//构造unicode字符串数组[/COLOR] 0:000> .[COLOR=Red]for (r $t1=0; @$t1<6; r$t1=@$t1+1){r $t2=(003a0020+(@$t120)); ed 003a0000+@$t14 @$t2; eu @$t2 "ustring"; ew @$t2+0n14 @$t1+'1';}[/COLOR] [COLOR=Blue]//显示字符串数组[/COLOR] 0:000> [COLOR=Red]dpu 003a0000 l8[/COLOR] 003a0000 003a0020 "ustring1" 003a0004 003a0040 "ustring2" 003a0008 003a0060 "ustring3" 003a000c 003a0080 "ustring4" 003a0010 003a00a0 "ustring5" 003a0014 003a00c0 "ustring6" 003a0018 00000000 003a001c 00000000 29. 内存写入操作命令：* e 写指令是负责按照指定的格式，格式化输出内存数据，对命令中已经看到部分写命令的用法。下面介绍一下写各种数据的方法： []ea 写入ASCII字符串 []eb 写入单字节 []ed 写入4字节 []eD 写入双浮点(8字节)格式 []ef 写入单浮点(4字节)格式 []ep 写入指针(32位系统读取4字节，64位系统读取8字节)格式 []eq 写入8字节 []eu 写入Unicode字符串 []ew 写入2字节读取 []eza 写入无结束符的ASCII字符串 []ezu 写入无结束符的Unicode字符串 0:000> [COLOR=Red]ea 003a0000 "ascii string"[/COLOR] 0:000> [COLOR=Red]da 003a0000 [/COLOR] 003a0000 "ascii string" 0:000> [COLOR=Red]eb 003a0000 1 2 3 4 [/COLOR] 0:000> [COLOR=Red]db 003a0000 l4[/COLOR] 003a0000 01 02 03 04 .... 0:000>[COLOR=Red] ed 003a0000 1 2 3 4[/COLOR] 0:000> [COLOR=Red]dd 003a0000 l4[/COLOR] 003a0000 00000001 00000002 00000003 00000004 0:000> [COLOR=Red]eD 003a0000 1.2 2.3 3.4 4.5[/COLOR] 0:000> [COLOR=Red]dD 003a0000 l4[/COLOR] 003a0000 1.2 2.3 3.4 003a0018 4.5 0:000> [COLOR=Red]ef 003a0000 1.2 2.3 3.4 4.5[/COLOR] 0:000> [COLOR=Red]df 003a0000 l4[/COLOR] 003a0000 1.2 2.3 3.4000001 4.5 0:000> [COLOR=Red]ep 003a0000 0x400000 0x500000 0x600000[/COLOR] 0:000> [COLOR=Red]dp 003a0000 l3[/COLOR] 003a0000 00400000 00500000 00600000 0:000> [COLOR=Red]eq 003a0000 0x400000`123 0x500000`456 0x600000`789[/COLOR] 0:000> [COLOR=Red]dq 003a0000 l3[/COLOR] 003a0000 00000004`00000123 00000005`00000456 003a0010 00000006`00000789 0:000> [COLOR=Red]eu 003a0000 "unicodestring"[/COLOR] 0:000> [COLOR=Red]du 003a0000 [/COLOR] 003a0000 "unicodestring" 0:000> [COLOR=Red]ew 003a0000 123 456 789[/COLOR] 0:000> [COLOR=Red]dw 003a0000 l3[/COLOR] 003a0000 0123 0456 0789 30. 内存搜索指令：* s 内存搜索指令，在查找某种类型的数据的时候非常有用，我们来看一下内存搜索指令的用法 [COLOR=Blue]//内存清0[/COLOR] 0:000> [COLOR=Red].for (r $t1=0; @$t1< 100; r$t1=@$t1+1){eb 003a0000+$t1 0;}[/COLOR] /[COLOR=Blue]/写入数据[/COLOR] 0:000>[COLOR=Red] eu 003a0000 "ustring1"[/COLOR] 0:000> [COLOR=Red]eu 003a0010 "ustring2"[/COLOR] 0:000> [COLOR=Red]ea 003a0030 "astring1"[/COLOR] 0:000> [COLOR=Red]ea 003a0040 "astring2"[/COLOR] [COLOR=Blue]//搜索ascii字符串[/COLOR] 0:000> [COLOR=Red]s -a 003a0000 l1000 "string"[/COLOR] 003a0031 73 74 72 69 6e 67 31 00-00 00 00 00 00 00 00 61 string1........a 003a0041 73 74 72 69 6e 67 32 00-00 00 00 00 00 00 00 00 string2......... /[COLOR=Blue]/搜索unicode字符串[/COLOR] 0:000>[COLOR=Red] s -u 003a0000 l1000 "string"[/COLOR] 003a0002 0073 0074 0072 0069 006e 0067 0031 0075 s.t.r.i.n.g.1.u. 003a0012 0073 0074 0072 0069 006e 0067 0032 0000 s.t.r.i.n.g.2... [COLOR=Blue]//搜索word数值[/COLOR] 0:000>[COLOR=Red] s -w 003a0000 l1000 69 67[/COLOR] 0:000> [COLOR=Red]s -w 003a0000 l1000 69 6e[/COLOR] 003a0008 0069 006e 0067 0031 0075 0073 0074 0072 i.n.g.1.u.s.t.r. 003a0018 0069 006e 0067 0032 0000 0000 0000 0000 i.n.g.2......... 0:000>[COLOR=Red] .dvfree 003a0000 0[/COLOR] Freed 0 bytes starting at 003a0000 31. 物理内存读写操作指令 !d 读物理内存 !e 写物理内存这两个用的很少。不做过多介绍 lkd>[COLOR=Red] !db 0x1000[/COLOR] # 1000 30 32 00 00 01 00 00 00-00 00 00 00 f8 6f ff 23 02...........o.# # 1010 58 7b 00 24 0c 97 43 23-04 7c 00 24 0f 00 00 00 X{.$..C#.\|.$.... # 1020 00 00 00 00 34 70 ff 23-00 00 00 00 00 00 00 00 ....4p.#........ # 1030 00 00 00 00 14 70 ff 23-00 00 00 00 bc 70 ff 23 .....p.#.....p.# # 1040 bc 6f ff 23 00 00 00 00-c4 7d 01 00 91 45 05 00 .o.#.....}...E.. # 1050 09 00 00 00 00 00 00 00-00 00 00 00 01 02 00 00 ................ # 1060 00 00 00 00 8c 70 ff 23-00 00 00 00 00 00 00 00 .....p.#........ # 1070 01 14 00 00 28 00 04 44-4e 53 5f 54 59 50 45 5f ....(..DNS_TYPE_ 2013-9-15 14:30 0
xiejienet 雪币： 142 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 7 回帖 639 粉丝 0 关注私信	xiejienet 15 楼回帖收藏,楼主太有心了. 更新完后,能提供一个doc或者pdf不. 2013-9-15 14:55 0
ddlx 雪币： 541 活跃值： (654) 能力值： ( LV12，RANK：250 ) 在线值：发帖 13 回帖 245 粉丝 44 关注私信	ddlx 5 16 楼可能做成chm格式 2013-9-15 15:14 0
zyr零零发雪币： 808 活跃值： (10) 能力值： ( LV5，RANK：60 ) 在线值：发帖 7 回帖 330 粉丝 0 关注私信	zyr零零发 1 17 楼很好啊，学习，谢谢。 2013-9-15 15:28 0
天高雪币： 623 活跃值： (40) 能力值： ( LV3，RANK：30 ) 在线值：发帖 3 回帖 166 粉丝 0 关注私信	天高 18 楼 mark，等你更新，哈 2013-9-15 15:29 0
patriots 雪币： 178 活跃值： (11) 能力值： ( LV2，RANK：10 ) 在线值：发帖 9 回帖 53 粉丝 0 关注私信	patriots 19 楼非常支持LZ制作成PDF或者CHM 2013-9-15 18:24 0
学者learner 雪币： 141 活跃值： (318) 能力值： ( LV2，RANK：10 ) 在线值：发帖 2 回帖 172 粉丝 0 关注私信	学者learner 20 楼原来很强大，只是没有善于发现。。支持 2013-9-16 09:35 0
AioliaSky 雪币： 257 活跃值： (67) 能力值： ( LV4，RANK：50 ) 在线值：发帖 11 回帖 668 粉丝 0 关注私信	AioliaSky 1 21 楼有点意思，来围观一下 2013-9-16 10:26 0
信念随心雪币： 33 活跃值： (17) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 14 粉丝 0 关注私信	信念随心 22 楼感谢楼主分享 2013-9-16 10:57 0
HOWMP 雪币： 2829 活跃值： (2633) 能力值： ( LV6，RANK：80 ) 在线值：发帖 8 回帖 248 粉丝 7 关注私信	HOWMP 1 23 楼回帖收藏，感谢楼主，辛苦了 2013-9-16 10:59 0
sidyh 雪币： 160 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 13 回帖 134 粉丝 0 关注私信	sidyh 24 楼碉堡了。 2013-9-16 12:35 0
fatecaster 雪币： 135 活跃值： (63) 能力值： ( LV5，RANK：60 ) 在线值：发帖 39 回帖 314 粉丝 0 关注私信	fatecaster 1 25 楼坐等更新，感觉以前讲windbg的帖子都很枯燥，一堆命令全忘了。 2013-9-16 13:17 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

ddlx

发帖

245

回帖

250

RANK

关注

私信

他的文章

关于我们

联系我们

企业服务

看雪公众号

最新回复 (250) 1 2 3 4 5 6 7 8 9 10 11 ▶
sierra 雪币： 238 活跃值： (55) 能力值： ( LV5，RANK：70 ) 在线值：发帖 11 回帖 518 粉丝 0 关注私信	sierra 1 2 楼不错哦~~ 2013-9-14 23:28 0
ddlx 雪币： 541 活跃值： (654) 能力值： ( LV12，RANK：250 ) 在线值：发帖 13 回帖 245 粉丝 44 关注私信	ddlx 5 3 楼 7. 执行命令：g g是执行命令，可以指定从某处执行，也可以在执行到某处时断下，如: g =00423aef 00423af3 修改当前eip为00423aef，执行到00423af3处中断当然也可以让某个线程继续执行，而其他的线程处在冻结状态。如： ~1 g 一号线程继续执行 8. 其他执行命令： p 单步步过 t 单步步入 gu 执行到返回 gc 从断点处继续执行，用在条件断点内 gn 忽略异常继续执行。允许应用程序的异常处理程序来处理异常。 gh 异常被处理，继续执行。 9. 显示汇编指令: u u 向下反汇编 ub向上反汇编 uf反汇编整个函数 0:000> [COLOR=Red]ub 00423bf5 [/COLOR]PEViewer!CPeListCtrl::ShowImportFuncs+0x1d5 [c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\pelistctrl.cpp @ 755]: 00423bd5 0fb7853cffffff movzx eax,word ptr [ebp-0C4h] 00423bdc 50 push eax 00423bdd 8d8d40feffff lea ecx,[ebp-1C0h] 00423be3 51 push ecx 00423be4 8b4de8 mov ecx,dword ptr [ebp-18h] 00423be7 83c174 add ecx,74h 00423bea e818e1feff call PEViewer!ILT+3330(?Num2StringPeStructQAE?AV?$CStringTDV?$StrTraitMFC_DLLDV?$ChTraitsCRTDATLATLKIHZ) (00411d07) 00423bef 8985e8fdffff mov dword ptr [ebp-218h],eax 0:000> [COLOR=Red]u 00423bf5 [/COLOR] PEViewer!CPeListCtrl::ShowImportFuncs+0x1f5 [c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\pelistctrl.cpp @ 755]: 00423bf5 8b95e8fdffff mov edx,dword ptr [ebp-218h] 00423bfb 8995e4fdffff mov dword ptr [ebp-21Ch],edx 00423c01 c645fc06 mov byte ptr [ebp-4],6 00423c05 8b85e4fdffff mov eax,dword ptr [ebp-21Ch] 00423c0b 50 push eax 00423c0c 8d8d70ffffff lea ecx,[ebp-90h] 00423c12 e8f1dafeff call PEViewer!ILT+1795(?push_back?$vectorV?$CStringTDV?$StrTraitMFC_DLLDV?$ChTraitsCRTDATLATLV?$allocatorV?$CStringTDV?$StrTraitMFC_DLLDV?$ChTraitsCRTDATLATLstdstdQAEX$$QAV?$CStringTDV?$StrTraitMFC_DLLDV?$ChTraitsCRTDATLATLZ) (00411708) 00423c17 c645fc03 mov byte ptr [ebp-4],3 10. 写入汇编指令: a 此命令可以直接修改代码段中的指令 0:000> [COLOR=Red].dvalloc 1000[/COLOR] //分配内存 Allocated 1000 bytes starting at 01190000 0:000> [COLOR=Red]a 01190000[/COLOR] //写入汇编 01190000 mov edi,edi [COLOR=Red]mov edi,edi[/COLOR] //写入的汇编指令 01190002 push ebp [COLOR=Red]push ebp[/COLOR] //写入的汇编指令 01190003 mov ebp,esp [COLOR=Red]mov ebp,esp[/COLOR] //写入的汇编指令 01190005 pop ebp [COLOR=Red]pop ebp[/COLOR] //写入的汇编指令 01190006 ret [COLOR=Red]ret [/COLOR]//写入的汇编指令 [COLOR=Red]//按Enter键返回[/COLOR] 0:000> [COLOR=Red]u 01190000[/COLOR] //反汇编 01190000 8bff mov edi,edi 01190002 55 push ebp 01190003 8bec mov ebp,esp 01190005 5d pop ebp 01190006 c3 ret 01190007 0000 add byte ptr [eax],al 01190009 0000 add byte ptr [eax],al 0119000b 0000 add byte ptr [eax],al 0:000> [COLOR=Red].dvfree 01190000 0[/COLOR] //释放内存 Freed 0 bytes starting at 01190000 11. 显示符号指令： x 不光可以显示全局符号，也可以显示局部符号其中符号包括：函数、全局对象、静态对象、参数、局部对象等 0:000>[COLOR=Red] x peviewer!CPeListCtrl::Show[/COLOR] 004221b0 PEViewer!CPeListCtrl::ShowImportDir (int) 004226e0 PEViewer!CPeListCtrl::ShowSectionHeader (int) 00423a00 PEViewer!CPeListCtrl::ShowImportFuncs (int) 0041eb50 PEViewer!CPeListCtrl::ShowList (int, int, int) 0041f840 PEViewer!CPeListCtrl::ShowFileHeader (void) 00423f00 PEViewer!CPeListCtrl::ShowExportFuncs (int) 0041eef0 PEViewer!CPeListCtrl::ShowDosHeader (void) 00420700 PEViewer!CPeListCtrl::ShowOptionalHeader (void) 00423270 PEViewer!CPeListCtrl::ShowExportDir (int) 12. 显示最近的符号*： ln 此命令在不知道某处地址是属于哪个函数时，此命令很有用。它可以告诉你此地址附近的函数是什么 0:000> [COLOR=Red]ln [/COLOR]c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\pelistctrl.cpp(751)+0x8 (00423a00) PEViewer!CPeListCtrl::ShowImportFuncs+0xf3 \| (00423f00) PEViewer!CPeListCtrl::ShowExportFuncs 0:000> [COLOR=Red]ln 00423a00[/COLOR] c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\pelistctrl.cpp(742) (00423a00) PEViewer!CPeListCtrl::ShowImportFuncs \| (00423f00) PEViewer!CPeListCtrl::ShowExportFuncs Exact matches: PEViewer!CPeListCtrl::ShowImportFuncs (int) 2013-9-15 00:06 0
Rookietp 雪币： 1042 活跃值： (500) 能力值： ( LV2，RANK：10 ) 在线值：发帖 5 回帖 795 粉丝 2 关注私信	Rookietp 4 楼 mark learn ..thank ``` 2013-9-15 00:41 0
ddlx 雪币： 541 活跃值： (654) 能力值： ( LV12，RANK：250 ) 在线值：发帖 13 回帖 245 粉丝 44 关注私信	ddlx 5 5 楼 13. C++表达式的用法当我们查看某个变量或者下条件断点时，可能会获取一个对象中的成员值。那应该怎么获取呢？ 13.1. c++表达式求值运算：?? 0:000> [COLOR=Red]?? this->m_nFlags[/COLOR] //显示C++变量 unsigned int 0 //默认为unsigned int类型 0:000> [COLOR=Red]?? this->m_nFlags=0x78458789[/COLOR] //修改C++变量值 unsigned int 0x78458789 0:000> [COLOR=Red]?? (this->m_nFlags) [/COLOR] unsigned int 0x78458789 0:000> [COLOR=Red]?? int(this->m_nFlags) [/COLOR]//按int类型显示 int 0n2017822601 0:000> [COLOR=Red]?? (unsigned short)(this->m_nFlags) [/COLOR]//按unsigned short类型显示 unsigned short 0x8789 0:000> [COLOR=Red]?? (short)(this->m_nFlags)[/COLOR] //按short类型显示 short 0n-30839 0:000> [COLOR=Red]?? (unsigned char)(this->m_nFlags)[/COLOR] //按unsigned char类型显示 unsigned char 0x89 '' 0:000> [COLOR=Red]?? (char)(this->m_nFlags) [/COLOR]//按char类型显示 char 0n-119 '' 13.2. C++前缀：@@() [COLOR=Blue]//设置条件断点。当this->m_nFlags==0x78458789时断下[/COLOR] [COLOR=Red]bp 00423af9 ".if(@@(this->m_nFlags) == 0x78458789){}.else{gc;}"[/COLOR] 14. 一般表达式 14.1. 一般表达式求值：? [COLOR=Blue]//poi对地址取值函数。取出的字节数跟平台相关，32位取4个字节(同dwo)，64位取8个字节(同qwo)[/COLOR] 0:000>[COLOR=Red] ? poi(@@(&this->m_nFlags))[/COLOR] Evaluate expression: 2017822601 = 78458789 0:000> [COLOR=Red]? poi(esp)[/COLOR] Evaluate expression: 531920 = 00081dd0 //从esp地址中取单个字节 0:000> [COLOR=Red]? by(esp)[/COLOR] Evaluate expression: 208 = 000000d0 //从esp地址中取2个字节 0:000> [COLOR=Red]? wo(esp)[/COLOR] Evaluate expression: 7632 = 00001dd0 //从esp地址中取4个字节 0:000> [COLOR=Red]? dwo(esp)[/COLOR] Evaluate expression: 531920 = 00081dd0 //从esp地址中取8个字节 0:000>[COLOR=Red] ? qwo(esp)[/COLOR] Evaluate expression: 2463191519810035152 = 222f03a3`00081dd0 //获取一个32位数的低16位 0:000> [COLOR=Red]? low(poi(esp))[/COLOR] Evaluate expression: 7632 = 00001dd0 //获取一个32位数的高16位 0:000> [COLOR=Red]? hi(poi(esp))[/COLOR] Evaluate expression: 8 = 00000008 //与运算 0:000>[COLOR=Red] ? 4 and(1)[/COLOR] Evaluate expression: 0 = 00000000 //与运算 0:000> [COLOR=Red]? 4 and(f)[/COLOR] Evaluate expression: 4 = 00000004 //或运算 0:000> [COLOR=Red]? 4 \| f[/COLOR] Evaluate expression: 15 = 0000000f //或运算 0:000> [COLOR=Red]? 4 or 1[/COLOR] Evaluate expression: 5 = 00000005 //或运算 0:000> [COLOR=Red]? 4 \| 1[/COLOR] Evaluate expression: 5 = 00000005 //与运算 0:000> [COLOR=Red]? 4 & 1[/COLOR] Evaluate expression: 0 = 00000000 //非运算 0:000> [COLOR=Red]? 4 or 1[/COLOR] Evaluate expression: 5 = 00000005 //判断两个数是否相等 0:000> [COLOR=Red]? 4 == 1[/COLOR] Evaluate expression: 0 = 00000000 //判断两个数是否相等 0:000> [COLOR=Red]? 4 == 4[/COLOR] Evaluate expression: 1 = 00000001 0:000> [COLOR=Red]? 4 > 4[/COLOR] Evaluate expression: 0 = 00000000 0:000> [COLOR=Red]? 4 >= 4[/COLOR] Evaluate expression: 1 = 00000001 14.2. 字符串比较 [COLOR=Blue]//$scmp 为大小写敏感的字符串比较函数.返回值为-1,0,1之一[/COLOR] 0:000> [COLOR=Red]? $scmp("abc","abc")[/COLOR] Evaluate expression: 0 = 00000000 0:000> [COLOR=Red]? $scmp("Abc","abc")[/COLOR] Evaluate expression: -1 = ffffffff 0:000> [COLOR=Red]? $scmp("abc","Abc")[/COLOR] Evaluate expression: 1 = 00000001 [COLOR=Blue]//$sicmp 为大小写不敏感的字符串比较函数.返回值为-1,0,1之一[/COLOR] 0:000> [COLOR=Red]? $sicmp("abc","Abc")[/COLOR] Evaluate expression: 0 = 00000000 0:000> [COLOR=Red]? $sicmp("abc","Abcd")[/COLOR] Evaluate expression: -100 = ffffff9c 0:000> [COLOR=Red]? $sicmp("abcd","abc")[/COLOR] Evaluate expression: 100 = 00000064 [COLOR=Blue]//$spat 通配符匹配.返回值为0(false),1(true)之一。支持以下通配符： // * 表示0-n个任意字符 // ? 表示1个任意字符 // + 表示1-n个前面的字符 // [] 表示任意单个字符的列表。可以使用'-'表示一个范围 // # 表示0-n个前面的字符 //下面为示例用法：[/COLOR] 0:000> [COLOR=Red]? $spat("abcd","abc")[/COLOR] Evaluate expression: 1 = 00000001 0:000> [COLOR=Red]? $spat("abcd","abc+")[/COLOR] Evaluate expression: 0 = 00000000 0:000> [COLOR=Red]? $spat("abcd","abc[abc]")[/COLOR] Evaluate expression: 0 = 00000000 0:000> [COLOR=Red]? $spat("abcd","abc[abcd]")[/COLOR] Evaluate expression: 1 = 00000001 0:000> [COLOR=Red]? $spat("abcc","abc+")[/COLOR] Evaluate expression: 1 = 00000001 0:000> [COLOR=Red]? $spat("abcc","abc")[/COLOR] Evaluate expression: 0 = 00000000 0:000> [COLOR=Red]? $spat("abc","abc?")[/COLOR] Evaluate expression: 0 = 00000000 0:000> [COLOR=Red]? $spat("abcd","abc?")[/COLOR] Evaluate expression: 1 = 00000001 0:000> [COLOR=Red]? $spat("abcde","abc?")[/COLOR] Evaluate expression: 0 = 00000000 14.3. 判断一个地址是否无效：$vvalid 返回0无效，1为有效 0:000> [COLOR=Red]? $vvalid(0, 100)[/COLOR] Evaluate expression: 0 = 00000000 0:000> [COLOR=Red]? $vvalid(0x400000, 100)[/COLOR] Evaluate expression: 1 = 00000001 14.4. 格式化数值：.formats 0:000>[COLOR=Red] .formats 1000[/COLOR] Evaluate expression: Hex: 00001000 Decimal: 4096 Octal: 00000010000 Binary: 00000000 00000000 00010000 00000000 Chars: .... Time: Thu Jan 01 09:08:16 1970 Float: low 5.73972e-042 high 0 Double: 2.02369e-320 15. 返回最近的错误码指令： !gle 与GetLastError相同 0:000> [COLOR=Red]!gle[/COLOR] LastErrorValue: (NTSTATUS) 0 (0) - STATUS_WAIT_0 LastStatusValue: (NTSTATUS) 0xc0000135 - { 16. 查询错误码含义： !error 0:000> [COLOR=Red][B]!error 2[/B][/COLOR] Error code: (Win32) 0x2 (2) - The system cannot find the file specified. 0:000> !error 2 1 Error code: (NTSTATUS) 0x2 - STATUS_WAIT_2 17. 查看最后一次事件信息:* .lastevent 0:000> [COLOR=Red].lastevent[/COLOR] Last event: ea8.c98: [COLOR=Red]Hit breakpoint 2[/COLOR][COLOR=Blue](断点事件，中断到二号断点)[/COLOR] debugger time: Sun Sep 15 00:30:25.559 2013 (UTC + 8:00) 18. 查看版本信息： version、vertarget 0:000> [COLOR=Red]version[/COLOR] Windows XP Version 2600 (Service Pack 3) MP (2 procs) Free x86 compatible Product: WinNt, suite: SingleUserTS kernel32.dll version: 5.1.2600.5512 (xpsp.080413-2111) Machine Name: Debug session time: Sun Sep 15 01:15:25.871 2013 (UTC + 8:00) System Uptime: 0 days 4:42:50.824 Process Uptime: 0 days 3:46:38.188 Kernel time: 0 days 0:00:03.296 User time: 0 days 0:00:01.078 Live user mode: <Local> Microsoft (R) Windows Debugger Version 6.12.0002.633 X86 Copyright (c) Microsoft Corporation. All rights reserved. command line: '"C:\Program Files\Debugging Tools for Windows (x86)\windbg.exe" ' Debugger Process 0xB68 dbgeng: image 6.12.0002.633, built Tue Feb 02 04:08:31 2010 [path: C:\Program Files\Debugging Tools for Windows (x86)\dbgeng.dll] dbghelp: image 6.12.0002.633, built Tue Feb 02 04:08:26 2010 [path: C:\Program Files\Debugging Tools for Windows (x86)\dbghelp.dll] DIA version: 20921 Extension DLL search Path: C:\Program Files\Debugging Tools for Windows (x86)\WINXP;C:\Program Files\Debugging Tools for Windows (x86)\winext;C:\Program Files\Debugging Tools for Windows (x86)\winext\arcade;C:\Program Files\Debugging Tools for Windows (x86)\pri;C:\Program Files\Debugging Tools for Windows (x86);C:\Program Files\Debugging Tools for Windows (x86)\winext\arcade;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\TortoiseSVN\bin Extension DLL chain: hs: built Sun Apr 28 08:53:56 2013 [path: C:\Program Files\Debugging Tools for Windows (x86)\hs.dll] dbghelp: image 6.12.0002.633, API 6.1.6, built Tue Feb 02 04:08:26 2010 [path: C:\Program Files\Debugging Tools for Windows (x86)\dbghelp.dll] ext: image 6.12.0002.633, API 1.0.0, built Tue Feb 02 04:08:31 2010 [path: C:\Program Files\Debugging Tools for Windows (x86)\winext\ext.dll] exts: image 6.12.0002.633, API 1.0.0, built Tue Feb 02 04:08:24 2010 [path: C:\Program Files\Debugging Tools for Windows (x86)\WINXP\exts.dll] uext: image 6.12.0002.633, API 1.0.0, built Tue Feb 02 04:08:23 2010 [path: C:\Program Files\Debugging Tools for Windows (x86)\winext\uext.dll] ntsdexts: image 6.1.7650.0, API 1.0.0, built Tue Feb 02 04:08:08 2010 [path: C:\Program Files\Debugging Tools for Windows (x86)\WINXP\ntsdexts.dll] 0:000>[COLOR=Red] vertarget[/COLOR] Windows XP Version 2600 (Service Pack 3) MP (2 procs) Free x86 compatible Product: WinNt, suite: SingleUserTS kernel32.dll version: 5.1.2600.5512 (xpsp.080413-2111) Machine Name: Debug session time: Sun Sep 15 01:15:45.106 2013 (UTC + 8:00) System Uptime: 0 days 4:43:10.054 Process Uptime: 0 days 3:46:57.423 Kernel time: 0 days 0:00:03.296 User time: 0 days 0:00:01.078 2013-9-15 01:22 0
ddlx 雪币： 541 活跃值： (654) 能力值： ( LV12，RANK：250 ) 在线值：发帖 13 回帖 245 粉丝 44 关注私信	ddlx 5 6 楼睡觉先，睡醒继续 2013-9-15 01:28 0
Sam.com 雪币： 12688 活跃值： (4294) 能力值： ( LV3，RANK：30 ) 在线值：发帖 4 回帖 100 粉丝 1 关注私信	Sam.com 7 楼楼主做个文档什么的供下载吧~~谢谢 2013-9-15 03:16 0
kangcin 雪币： 602 活跃值： (45) 能力值： ( LV2，RANK：10 ) 在线值：发帖 7 回帖 482 粉丝 0 关注私信	kangcin 8 楼支持文档 2013-9-15 05:26 0
封心锁爱雪币： 239 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 170 粉丝 1 关注私信	封心锁爱 9 楼 Windbg命令 mark 2013-9-15 08:30 0
小小笑儿雪币： 61 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 85 粉丝 1 关注私信	小小笑儿 10 楼支持文档 2013-9-15 09:11 0
ddlx 雪币： 541 活跃值： (654) 能力值： ( LV12，RANK：250 ) 在线值：发帖 13 回帖 245 粉丝 44 关注私信	ddlx 5 11 楼感谢关注，等写完了会做成chm格式文档 2013-9-15 10:08 0
Artmiss 雪币： 19 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 69 粉丝 1 关注私信	Artmiss 12 楼这个很好，支持一下 2013-9-15 10:12 0
ddlx 雪币： 541 活跃值： (654) 能力值： ( LV12，RANK：250 ) 在线值：发帖 13 回帖 245 粉丝 44 关注私信	ddlx 5 13 楼在调试的过程中我们可能需要修改汇编代码，比如做个跳板改变执行流（在介绍a指令的时候有用到.在第三楼），或者把内存dump到文件中，或者把文件中的数据读入内存中。这就牵涉到怎么分配和释放内存，怎么读写内存等操作。下面我们一起来学习一下内存操作相关指令把。 19. 分配内存指令： .dvalloc .dvalloc指令类似与VirtualAlloc函数。可以指定分配的大小、类型（MEM_RESERVE \| MEM_COMMIT）(加上参数/r，申请的内存类型为MEM_RESERVE。默认为MEM_COMMIT)、起始地址(加上参数/b) 使用.dvalloc分配的内存都是PAGE_EXECUTE_READWRITE属性 0:000> [COLOR=Red].dvalloc 56[/COLOR] Allocated 1000 bytes starting at 00390000[COLOR=Blue] (分配的内存地址)[/COLOR] [COLOR=Blue]//保留一块内存[/COLOR] 0:000> [COLOR=Red].dvalloc /b 10000000 /r 56[/COLOR] Allocated 1000 bytes starting at 10000000 [COLOR=Blue]//如果内存存在，则会分配失败[/COLOR] 0:000> [COLOR=Red].dvalloc /b 400000 /r 56[/COLOR] Allocation failed, Win32 error 0n487 "试图访问无效的地址。" [COLOR=Blue]//查看内存属性[/COLOR] 0:000> [COLOR=Red]!vprot 10000000[/COLOR] BaseAddress: 10000000 AllocationBase: 10000000 AllocationProtect: 00000040 PAGE_EXECUTE_READWRITE RegionSize: 00001000 State: 00002000 MEM_RESERVE Type: 00020000 MEM_PRIVATE [COLOR=Blue]//查看内存属性[/COLOR] 0:000> [COLOR=Red]!vprot 00390000[/COLOR] BaseAddress: 00390000 AllocationBase: 00390000 AllocationProtect: 00000040 PAGE_EXECUTE_READWRITE RegionSize: 00001000 State: 00001000 MEM_COMMIT Protect: 00000040 PAGE_EXECUTE_READWRITE Type: 00020000 MEM_PRIVATE 20. 释放内存指令: .dvfree 有分配就有释放.dvfree指令类似VirtualFree 函数。 [COLOR=Blue]//把内存类型设置成MEM_RESERVE状态[/COLOR] 0:000> [COLOR=Red].dvfree /d 00390000 1000[/COLOR] Freed 1000 bytes starting at 00390000 [COLOR=Blue]//查看内存属性[/COLOR] 0:000> [COLOR=Red]!vprot 00390000 [/COLOR] BaseAddress: 00390000 AllocationBase: 00390000 AllocationProtect: 00000040 PAGE_EXECUTE_READWRITE RegionSize: 00001000 State: 00002000 MEM_RESERVE Type: 00020000 MEM_PRIVATE [COLOR=Blue]//完全释放内存[/COLOR] 0:000> [COLOR=Red].dvfree 00390000 0[/COLOR] Freed 0 bytes starting at 00390000 [COLOR=Blue]//查看内存属性[/COLOR] 0:000> [COLOR=Red]!vprot 00390000 [/COLOR] BaseAddress: 00390000 AllocationBase: 00000000 RegionSize: 00070000 State: 00010000 MEM_FREE Protect: 00000001 PAGE_NOACCESS 21. 查看内存属性：!vprot !vprot指令类似与VirtualQuery 函数。可以获取一个内存块的各种属性。 0:000>[COLOR=Red] !vprot 400000[/COLOR] BaseAddress: 00400000 AllocationBase: 00400000 AllocationProtect: 00000080 PAGE_EXECUTE_WRITECOPY RegionSize: 00001000 State: 00001000 MEM_COMMIT Protect: 00000002 PAGE_READONLY Type: 01000000 MEM_IMAGE 0:000>[COLOR=Red] !vprot 500000[/COLOR] BaseAddress: 00500000 AllocationBase: 00000000 RegionSize: 0fb00000 State: 00010000 MEM_FREE Protect: 00000001 PAGE_NOACCESS 22. 查询内存信息命令: !address !address命令可以按照性质(image or stack or heap or filemap...)、类型(MEM_IMAGE or MEM_MAPPED or MEM_PRIVATE) 、状态(MEM_COMMIT or MEM_FREE or MEM_RESERVE )、保护属性(PAGE_NOACCESS or PAGE_READONLY ...)等组合查询某一组内存列表。 [COLOR=Blue]//查看400000地址信息，类似!vprot[/COLOR] 0:000> [COLOR=Red]!address 400000[/COLOR] Usage: Image Allocation Base: 00400000 Base Address: 00400000 End Address: 00401000 Region Size: 00001000 Type: 01000000 MEM_IMAGE State: 00001000 MEM_COMMIT Protect: 00000002 PAGE_READONLY More info: lmv m PEViewer More info: !lmi PEViewer More info: ln 0x400000 [COLOR=Blue]//查看属于Image,Heap,Stack 性质的内存信息[/COLOR] 0:000> [COLOR=Red]!address /f:Image,Heap,Stack [/COLOR] BaseAddr EndAddr+1 RgnSize Type State Protect Usage ------------------------------------------------------------------------------------------- 30000 12d000 fd000 MEM_PRIVATE MEM_RESERVE Stack [a38.d98; ~0] 12d000 12e000 1000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE\|PAGE_GUARD Stack [a38.d98; ~0] 12e000 130000 2000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE Stack [a38.d98; ~0] 400000 401000 1000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image "PEViewer.exe" 401000 411000 10000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_WRITECOPY Image "PEViewer.exe" 411000 434000 23000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image "PEViewer.exe" 434000 43c000 8000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image "PEViewer.exe" 43c000 43d000 1000 MEM_IMAGE MEM_COMMIT PAGE_WRITECOPY Image "PEViewer.exe" 43d000 43e000 1000 MEM_IMAGE MEM_COMMIT PAGE_READWRITE Image "PEViewer.exe" 43e000 43f000 1000 MEM_IMAGE MEM_COMMIT PAGE_WRITECOPY Image "PEViewer.exe" 43f000 449000 a000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image "PEViewer.exe" 10200000 10201000 1000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image "C:\WINDOWS\system32\MSVCR100D.dll" 10201000 1035e000 15d000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image "C:\WINDOWS\system32\MSVCR100D.dll" 1035e000 10364000 6000 MEM_IMAGE MEM_COMMIT PAGE_WRITECOPY Image "C:\WINDOWS\system32\MSVCR100D.dll" 10364000 10372000 e000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image "C:\WINDOWS\system32\MSVCR100D.dll" 10480000 10481000 1000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image "C:\WINDOWS\system32\MSVCP100D.dll" 10481000 1052c000 ab000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image "C:\WINDOWS\system32\MSVCP100D.dll" 1052c000 10530000 4000 MEM_IMAGE MEM_COMMIT PAGE_WRITECOPY Image "C:\WINDOWS\system32\MSVCP100D.dll" 10530000 10537000 7000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image "C:\WINDOWS\system32\MSVCP100D.dll" 5d170000 5d171000 1000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image "C:\WINDOWS\system32\COMCTL32.dll" 5d171000 5d1e2000 71000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image "C:\WINDOWS\system32\COMCTL32.dll" 5d1e2000 5d1e5000 3000 MEM_IMAGE MEM_COMMIT PAGE_WRITECOPY Image "C:\WINDOWS\system32\COMCTL32.dll" 5d1e5000 5d20a000 25000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image "C:\WINDOWS\system32\COMCTL32.dll" 762f0000 762f1000 1000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image "C:\WINDOWS\system32\MSIMG32.dll" 762f1000 762f2000 1000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image "C:\WINDOWS\system32\MSIMG32.dll" 762f2000 762f3000 1000 MEM_IMAGE MEM_COMMIT PAGE_WRITECOPY Image "C:\WINDOWS\system32\MSIMG32.dll" 762f3000 762f5000 2000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image "C:\WINDOWS\system32\MSIMG32.dll" 76990000 76991000 1000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image "C:\WINDOWS\system32\ole32.dll" 76991000 76ab6000 125000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image "C:\WINDOWS\system32\ole32.dll" 76ab6000 76abd000 7000 MEM_IMAGE MEM_COMMIT PAGE_WRITECOPY Image "C:\WINDOWS\system32\ole32.dll" 76abd000 76acd000 10000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image "C:\WINDOWS\system32\ole32.dll" 770f0000 770f1000 1000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image "C:\WINDOWS\system32\OLEAUT32.dll" 770f1000 77171000 80000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image "C:\WINDOWS\system32\OLEAUT32.dll" 77171000 77174000 3000 MEM_IMAGE MEM_COMMIT PAGE_WRITECOPY Image "C:\WINDOWS\system32\OLEAUT32.dll" 77174000 7717b000 7000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image "C:\WINDOWS\system32\OLEAUT32.dll" 77be0000 77be1000 1000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image "C:\WINDOWS\system32\msvcrt.dll" 77be1000 77c2d000 4c000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image "C:\WINDOWS\system32\msvcrt.dll" 77c2d000 77c34000 7000 MEM_IMAGE MEM_COMMIT PAGE_WRITECOPY Image "C:\WINDOWS\system32\msvcrt.dll" 77c34000 77c38000 4000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image "C:\WINDOWS\system32\msvcrt.dll" 77d10000 77d11000 1000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image "C:\WINDOWS\system32\USER32.dll" 77d11000 77d71000 60000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image "C:\WINDOWS\system32\USER32.dll" 77d71000 77d73000 2000 MEM_IMAGE MEM_COMMIT PAGE_WRITECOPY Image "C:\WINDOWS\system32\USER32.dll" 77d73000 77da0000 2d000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image "C:\WINDOWS\system32\USER32.dll" 77da0000 77da1000 1000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image "C:\WINDOWS\system32\ADVAPI32.dll" 77da1000 77e16000 75000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image "C:\WINDOWS\system32\ADVAPI32.dll" 77e16000 77e1b000 5000 MEM_IMAGE MEM_COMMIT PAGE_WRITECOPY Image "C:\WINDOWS\system32\ADVAPI32.dll" 77e1b000 77e49000 2e000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image "C:\WINDOWS\system32\ADVAPI32.dll" 77e50000 77e51000 1000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image "C:\WINDOWS\system32\RPCRT4.dll" 77e51000 77edb000 8a000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image "C:\WINDOWS\system32\RPCRT4.dll" 77edb000 77edc000 1000 MEM_IMAGE MEM_COMMIT PAGE_WRITECOPY Image "C:\WINDOWS\system32\RPCRT4.dll" 77edc000 77ee2000 6000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image "C:\WINDOWS\system32\RPCRT4.dll" 77ef0000 77ef1000 1000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image "C:\WINDOWS\system32\GDI32.dll" 77ef1000 77f34000 43000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image "C:\WINDOWS\system32\GDI32.dll" 77f34000 77f36000 2000 MEM_IMAGE MEM_COMMIT PAGE_WRITECOPY Image "C:\WINDOWS\system32\GDI32.dll" 77f36000 77f39000 3000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image "C:\WINDOWS\system32\GDI32.dll" 77f40000 77f41000 1000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image "C:\WINDOWS\system32\SHLWAPI.dll" 77f41000 77fad000 6c000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image "C:\WINDOWS\system32\SHLWAPI.dll" 77fad000 77fae000 1000 MEM_IMAGE MEM_COMMIT PAGE_WRITECOPY Image "C:\WINDOWS\system32\SHLWAPI.dll" 77fae000 77fb6000 8000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image "C:\WINDOWS\system32\SHLWAPI.dll" 77fc0000 77fc1000 1000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image "C:\WINDOWS\system32\Secur32.dll" 77fc1000 77fce000 d000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image "C:\WINDOWS\system32\Secur32.dll" 77fce000 77fcf000 1000 MEM_IMAGE MEM_COMMIT PAGE_WRITECOPY Image "C:\WINDOWS\system32\Secur32.dll" 77fcf000 77fd1000 2000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image "C:\WINDOWS\system32\Secur32.dll" 78b60000 78b61000 1000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image "C:\WINDOWS\system32\mfc100d.dll" 78b61000 79070000 50f000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image "C:\WINDOWS\system32\mfc100d.dll" 79070000 79080000 10000 MEM_IMAGE MEM_COMMIT PAGE_WRITECOPY Image "C:\WINDOWS\system32\mfc100d.dll" 79080000 79203000 183000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image "C:\WINDOWS\system32\mfc100d.dll" 7c800000 7c801000 1000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image "C:\WINDOWS\system32\kernel32.dll" 7c801000 7c885000 84000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image "C:\WINDOWS\system32\kernel32.dll" 7c885000 7c888000 3000 MEM_IMAGE MEM_COMMIT PAGE_READWRITE Image "C:\WINDOWS\system32\kernel32.dll" 7c888000 7c88a000 2000 MEM_IMAGE MEM_COMMIT PAGE_WRITECOPY Image "C:\WINDOWS\system32\kernel32.dll" 7c88a000 7c91e000 94000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image "C:\WINDOWS\system32\kernel32.dll" 7c920000 7c921000 1000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image "ntdll.dll" 7c921000 7c99b000 7a000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image "ntdll.dll" 7c99b000 7c99e000 3000 MEM_IMAGE MEM_COMMIT PAGE_READWRITE Image "ntdll.dll" 7c99e000 7c9a0000 2000 MEM_IMAGE MEM_COMMIT PAGE_WRITECOPY Image "ntdll.dll" 7c9a0000 7c9b3000 13000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image "ntdll.dll" 23. 从文件中读入数据到内存指令: .readmem 直接使用例子演示。我在c盘下建立一个hello.txt的文件。文件中是一句话：hello pediy, I'm ddlx. 下面我把这个文件读入到内存 [COLOR=Blue]//分配一块内存[/COLOR] 0:000> [COLOR=Red].dvalloc 100[/COLOR] Allocated 1000 bytes starting at 00390000 [COLOR=Blue]//查看内存数据[/COLOR] 0:000>[COLOR=Red] db 00390000[/COLOR] 00390000 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ 00390010 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ 00390020 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ 00390030 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ 00390040 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ 00390050 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ 00390060 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ 00390070 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ [COLOR=Blue]//把c:\hello.txt文件中的内容读入到00390000内存中[/COLOR] 0:000>[COLOR=Red] .readmem c:\hello.txt 00390000 L0n22[/COLOR] Reading 16 bytes. [COLOR=Blue]//查看内存数据[/COLOR] 0:000> [COLOR=Red]db 00390000[/COLOR] 00390000 68 65 6c 6c 6f 20 70 65-64 69 79 2c 20 49 27 6d hello pediy, I'm 00390010 20 64 64 6c 78 2e 00 00-00 00 00 00 00 00 00 00 ddlx........... 00390020 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ 00390030 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ 00390040 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ 00390050 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ 00390060 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ 00390070 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ 24. Dump内存指令：.writemem 我们经常会存在如下需求：有一个程序是压缩壳，需要把解压后的代码Dump出来；为了分析某些数据，需要把某个内存块Dump出来。那使用.writemem把。 .writemem与.readmem类似，是他的逆操作。 [COLOR=Blue]//演示吧peviewer的整个镜像写入文件 //查看peviewer模块信息[/COLOR] 0:000>[COLOR=Red] lm m peviewer[/COLOR] start end module name 00400000 00449000 PEViewer C (private pdb symbols) C:\Documents and Settings\Administrator\桌面\PEViewer0.9\PEViewer\Debug\PEViewer.pdb [COLOR=Blue]//dump到文件c:\dump_peviewer.exe[/COLOR] 0:000> [COLOR=Red].writemem c:\dump_peviewer.exe 00400000 00449000-1[/COLOR] Writing 49000 bytes.................................................................................................................................................. 上传的附件： dump_peviewer.JPG （101.70kb，20次下载） 2013-9-15 11:21 0
ddlx 雪币： 541 活跃值： (654) 能力值： ( LV12，RANK：250 ) 在线值：发帖 13 回帖 245 粉丝 44 关注私信	ddlx 5 14 楼 25. 读内存指令：d 读指令是最常用的指令之一。它负责按照指定的格式，格式化输出内存数据。下面介绍一下读各种数据的方法： []da 按照ASCII字符串读取 []db 按照单字节和ASCII字符串读取 []dc 按照4字节和ASCII字符串读取 []dd 按照4字节读取 []dD 按照双浮点(8字节)格式读取 []df 按照单浮点(4字节)格式读取 []dp 按照指针(32位系统读取4字节，64位系统读取8字节)格式读取 []dq 按照8字节读取 []du 按照Unicode字符串读取 []dw 按照2字节读取 []dW 按照2字节和ASCII字符串读取 []dyb 按照单字节和二进制读取 []dyd 按照4字节和二进制读取 [COLOR=Blue]//分配内存[/COLOR] 0:000>[COLOR=Red] .dvalloc 1000[/COLOR] Allocated 1000 bytes starting at 003a0000 [COLOR=Blue]//写入unicode字符串在003a0000地址处[/COLOR] 0:000> [COLOR=Red]eu 003a0000 "my unicode string."[/COLOR] [COLOR=Blue]//写入ascii字符串在003a0026地址处[/COLOR] 0:000> [COLOR=Red]ea 003a0026 "my ascii string."[/COLOR] [COLOR=Blue]//按照单字节和ASCII字符串读取[/COLOR] 0:000> [COLOR=Red]db 003a0000[/COLOR] 003a0000 6d 00 79 00 20 00 75 00-6e 00 69 00 63 00 6f 00 m.y. .u.n.i.c.o. 003a0010 64 00 65 00 20 00 73 00-74 00 72 00 69 00 6e 00 d.e. .s.t.r.i.n. 003a0020 67 00 2e 00 00 00 6d 79-20 61 73 63 69 69 20 73 g.....my ascii s 003a0030 74 72 69 6e 67 2e 00 00-00 00 00 00 00 00 00 00 tring........... 003a0040 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ 003a0050 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ 003a0060 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ 003a0070 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ 0:000> [COLOR=Red]da 003a0000 [/COLOR] 003a0000 "m" 0:000> [COLOR=Red]da 003a0026 [/COLOR] 003a0026 "my ascii string." 0:000> [COLOR=Red]dc 003a0000 l10[/COLOR] 003a0000 0079006d 00750020 0069006e 006f0063 m.y. .u.n.i.c.o. 003a0010 00650064 00730020 00720074 006e0069 d.e. .s.t.r.i.n. 003a0020 002e0067 796d0000 63736120 73206969 g.....my ascii s 003a0030 6e697274 00002e67 00000000 00000000 tring........... [COLOR=Blue]//按照4字节读取,读取0x10个单位[/COLOR] 0:000> [COLOR=Red]dd 003a0000 l10[/COLOR] 003a0000 0079006d 00750020 0069006e 006f0063 003a0010 00650064 00730020 00720074 006e0069 003a0020 002e0067 796d0000 63736120 73206969 003a0030 6e697274 00002e67 00000000 00000000 0:000> [COLOR=Red]dD 003a0000 l8[/COLOR] 003a0000 1.86910550213e-306 1.37961301819e-306 1.69109959303e-306 003a0018 1.33511561534e-306 8.03237601403e+276 3.58592943091e+246 003a0030 2.52081032102e-310 0 0:000> [COLOR=Red]df 003a0000 l10[/COLOR] 003a0000 1.1112248e-038 1.0744798e-038 9.6428812e-039 1.0193879e-038 003a0010 9.2755252e-039 1.0561127e-038 1.0469409e-038 1.0102052e-038 003a0020 4.2245772e-039 7.6910897e+034 4.4895574e+021 1.2709129e+031 003a0030 1.8062093e+028 1.6646024e-041 0 0 0:000> [COLOR=Red]dp 003a0000 l10[/COLOR] 003a0000 0079006d 00750020 0069006e 006f0063 003a0010 00650064 00730020 00720074 006e0069 003a0020 002e0067 796d0000 63736120 73206969 003a0030 6e697274 00002e67 00000000 00000000 0:000> [COLOR=Red]dq 003a0000 l8[/COLOR] 003a0000 00750020`0079006d 006f0063`0069006e 003a0010 00730020`00650064 006e0069`00720074 003a0020 796d0000`002e0067 73206969`63736120 003a0030 00002e67`6e697274 00000000`00000000 0:000> [COLOR=Red]du 003a0000 [/COLOR] 003a0000 "my unicode string." 0:000>[COLOR=Red] dw 003a0000 l20[/COLOR] 003a0000 006d 0079 0020 0075 006e 0069 0063 006f 003a0010 0064 0065 0020 0073 0074 0072 0069 006e 003a0020 0067 002e 0000 796d 6120 6373 6969 7320 003a0030 7274 6e69 2e67 0000 0000 0000 0000 0000 0:000>[COLOR=Red] dW 003a0000 l20[/COLOR] 003a0000 006d 0079 0020 0075 006e 0069 0063 006f m.y. .u.n.i.c.o. 003a0010 0064 0065 0020 0073 0074 0072 0069 006e d.e. .s.t.r.i.n. 003a0020 0067 002e 0000 796d 6120 6373 6969 7320 g.....my ascii s 003a0030 7274 6e69 2e67 0000 0000 0000 0000 0000 tring........... 0:000> [COLOR=Red]dyb 003a0000 l10[/COLOR] 76543210 76543210 76543210 76543210 -------- -------- -------- -------- 003a0000 01101101 00000000 01111001 00000000 6d 00 79 00 003a0004 00100000 00000000 01110101 00000000 20 00 75 00 003a0008 01101110 00000000 01101001 00000000 6e 00 69 00 003a000c 01100011 00000000 01101111 00000000 63 00 6f 00 0:000>[COLOR=Red] dyd 003a0000 l4[/COLOR] 3 2 1 0 10987654 32109876 54321098 76543210 -------- -------- -------- -------- 003a0000 00000000 01111001 00000000 01101101 0079006d 003a0004 00000000 01110101 00000000 00100000 00750020 003a0008 00000000 01101001 00000000 01101110 0069006e 003a000c 00000000 01101111 00000000 01100011 006f0063 0:000> [COLOR=Red].dvfree 003a0000 0[/COLOR] Freed 0 bytes starting at 003a0000 26. 显示符号表指令：* dds、dps、dqs 这个常用在查看虚函数表、导入地址等操作时使用。 [COLOR=Blue] //查看导入地址表[/COLOR] 0:000> [COLOR=Red]dps 0043D798 l10[/COLOR] 0043d798 7c809832 kernel32!InterlockedCompareExchange 0043d79c 7c933405 ntdll!RtlDecodePointer 0043d7a0 7c80981e kernel32!InterlockedExchange 0043d7a4 7c802446 kernel32!Sleep 0043d7a8 7c839481 kernel32!HeapSetInformation 0043d7ac 7c801e54 kernel32!GetStartupInfoW 0043d7b0 7c80a164 kernel32!WideCharToMultiByte 0043d7b4 7c813123 kernel32!IsDebuggerPresent 0043d7b8 7c809c88 kernel32!MultiByteToWideChar 0043d7bc 7c812a99 kernel32!RaiseException 0043d7c0 7c809856 kernel32!MulDiv 0043d7c4 7c80be46 kernel32!lstrlenA 0043d7c8 7c80ae30 kernel32!GetProcAddress 0043d7cc 7c80aedb kernel32!LoadLibraryW 0043d7d0 7c801e1a kernel32!TerminateProcess 0043d7d4 7c80de85 kernel32!GetCurrentProcess 27. 查看ascii字符串数组命令： dda、dpa、dqa 0:000>[COLOR=Red] .dvalloc 1000[/COLOR] Allocated 1000 bytes starting at 003a0000 0:000> [COLOR=Red]ea 003a0020 "string1"[/COLOR] 0:000>[COLOR=Red] ea 003a0030 "string2"[/COLOR] 0:000>[COLOR=Red] ea 003a0040 "string3"[/COLOR] 0:000> [COLOR=Red]ea 003a0050 "string4"[/COLOR] 0:000>[COLOR=Red] ea 003a0060 "string5"[/COLOR] 0:000> [COLOR=Red]ea 003a0070 "string6"[/COLOR] 0:000> [COLOR=Red]ed 003a0000 003a0020 003a0030 003a0040 003a0050 003a0060 003a0070 [/COLOR] 0:000> [COLOR=Red]dpa 003a0000 l8[/COLOR] 003a0000 003a0020 "string1" 003a0004 003a0030 "string2" 003a0008 003a0040 "string3" 003a000c 003a0050 "string4" 003a0010 003a0060 "string5" 003a0014 003a0070 "string6" 003a0018 00000000 003a001c 00000000 28. unicode字符串数组查看： ddu、 dqu、 dpu [COLOR=Blue]//内存清0[/COLOR] 0:000> [COLOR=Red].for (r $t1=0; @$t1<820; r$t1=@$t1+8){eq 003a0000+$t1 0;}[/COLOR] [COLOR=Blue]//构造unicode字符串数组[/COLOR] 0:000> .[COLOR=Red]for (r $t1=0; @$t1<6; r$t1=@$t1+1){r $t2=(003a0020+(@$t120)); ed 003a0000+@$t14 @$t2; eu @$t2 "ustring"; ew @$t2+0n14 @$t1+'1';}[/COLOR] [COLOR=Blue]//显示字符串数组[/COLOR] 0:000> [COLOR=Red]dpu 003a0000 l8[/COLOR] 003a0000 003a0020 "ustring1" 003a0004 003a0040 "ustring2" 003a0008 003a0060 "ustring3" 003a000c 003a0080 "ustring4" 003a0010 003a00a0 "ustring5" 003a0014 003a00c0 "ustring6" 003a0018 00000000 003a001c 00000000 29. 内存写入操作命令：* e 写指令是负责按照指定的格式，格式化输出内存数据，对命令中已经看到部分写命令的用法。下面介绍一下写各种数据的方法： []ea 写入ASCII字符串 []eb 写入单字节 []ed 写入4字节 []eD 写入双浮点(8字节)格式 []ef 写入单浮点(4字节)格式 []ep 写入指针(32位系统读取4字节，64位系统读取8字节)格式 []eq 写入8字节 []eu 写入Unicode字符串 []ew 写入2字节读取 []eza 写入无结束符的ASCII字符串 []ezu 写入无结束符的Unicode字符串 0:000> [COLOR=Red]ea 003a0000 "ascii string"[/COLOR] 0:000> [COLOR=Red]da 003a0000 [/COLOR] 003a0000 "ascii string" 0:000> [COLOR=Red]eb 003a0000 1 2 3 4 [/COLOR] 0:000> [COLOR=Red]db 003a0000 l4[/COLOR] 003a0000 01 02 03 04 .... 0:000>[COLOR=Red] ed 003a0000 1 2 3 4[/COLOR] 0:000> [COLOR=Red]dd 003a0000 l4[/COLOR] 003a0000 00000001 00000002 00000003 00000004 0:000> [COLOR=Red]eD 003a0000 1.2 2.3 3.4 4.5[/COLOR] 0:000> [COLOR=Red]dD 003a0000 l4[/COLOR] 003a0000 1.2 2.3 3.4 003a0018 4.5 0:000> [COLOR=Red]ef 003a0000 1.2 2.3 3.4 4.5[/COLOR] 0:000> [COLOR=Red]df 003a0000 l4[/COLOR] 003a0000 1.2 2.3 3.4000001 4.5 0:000> [COLOR=Red]ep 003a0000 0x400000 0x500000 0x600000[/COLOR] 0:000> [COLOR=Red]dp 003a0000 l3[/COLOR] 003a0000 00400000 00500000 00600000 0:000> [COLOR=Red]eq 003a0000 0x400000`123 0x500000`456 0x600000`789[/COLOR] 0:000> [COLOR=Red]dq 003a0000 l3[/COLOR] 003a0000 00000004`00000123 00000005`00000456 003a0010 00000006`00000789 0:000> [COLOR=Red]eu 003a0000 "unicodestring"[/COLOR] 0:000> [COLOR=Red]du 003a0000 [/COLOR] 003a0000 "unicodestring" 0:000> [COLOR=Red]ew 003a0000 123 456 789[/COLOR] 0:000> [COLOR=Red]dw 003a0000 l3[/COLOR] 003a0000 0123 0456 0789 30. 内存搜索指令：* s 内存搜索指令，在查找某种类型的数据的时候非常有用，我们来看一下内存搜索指令的用法 [COLOR=Blue]//内存清0[/COLOR] 0:000> [COLOR=Red].for (r $t1=0; @$t1< 100; r$t1=@$t1+1){eb 003a0000+$t1 0;}[/COLOR] /[COLOR=Blue]/写入数据[/COLOR] 0:000>[COLOR=Red] eu 003a0000 "ustring1"[/COLOR] 0:000> [COLOR=Red]eu 003a0010 "ustring2"[/COLOR] 0:000> [COLOR=Red]ea 003a0030 "astring1"[/COLOR] 0:000> [COLOR=Red]ea 003a0040 "astring2"[/COLOR] [COLOR=Blue]//搜索ascii字符串[/COLOR] 0:000> [COLOR=Red]s -a 003a0000 l1000 "string"[/COLOR] 003a0031 73 74 72 69 6e 67 31 00-00 00 00 00 00 00 00 61 string1........a 003a0041 73 74 72 69 6e 67 32 00-00 00 00 00 00 00 00 00 string2......... /[COLOR=Blue]/搜索unicode字符串[/COLOR] 0:000>[COLOR=Red] s -u 003a0000 l1000 "string"[/COLOR] 003a0002 0073 0074 0072 0069 006e 0067 0031 0075 s.t.r.i.n.g.1.u. 003a0012 0073 0074 0072 0069 006e 0067 0032 0000 s.t.r.i.n.g.2... [COLOR=Blue]//搜索word数值[/COLOR] 0:000>[COLOR=Red] s -w 003a0000 l1000 69 67[/COLOR] 0:000> [COLOR=Red]s -w 003a0000 l1000 69 6e[/COLOR] 003a0008 0069 006e 0067 0031 0075 0073 0074 0072 i.n.g.1.u.s.t.r. 003a0018 0069 006e 0067 0032 0000 0000 0000 0000 i.n.g.2......... 0:000>[COLOR=Red] .dvfree 003a0000 0[/COLOR] Freed 0 bytes starting at 003a0000 31. 物理内存读写操作指令 !d 读物理内存 !e 写物理内存这两个用的很少。不做过多介绍 lkd>[COLOR=Red] !db 0x1000[/COLOR] # 1000 30 32 00 00 01 00 00 00-00 00 00 00 f8 6f ff 23 02...........o.# # 1010 58 7b 00 24 0c 97 43 23-04 7c 00 24 0f 00 00 00 X{.$..C#.\|.$.... # 1020 00 00 00 00 34 70 ff 23-00 00 00 00 00 00 00 00 ....4p.#........ # 1030 00 00 00 00 14 70 ff 23-00 00 00 00 bc 70 ff 23 .....p.#.....p.# # 1040 bc 6f ff 23 00 00 00 00-c4 7d 01 00 91 45 05 00 .o.#.....}...E.. # 1050 09 00 00 00 00 00 00 00-00 00 00 00 01 02 00 00 ................ # 1060 00 00 00 00 8c 70 ff 23-00 00 00 00 00 00 00 00 .....p.#........ # 1070 01 14 00 00 28 00 04 44-4e 53 5f 54 59 50 45 5f ....(..DNS_TYPE_ 2013-9-15 14:30 0
xiejienet 雪币： 142 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 7 回帖 639 粉丝 0 关注私信	xiejienet 15 楼回帖收藏,楼主太有心了. 更新完后,能提供一个doc或者pdf不. 2013-9-15 14:55 0
ddlx 雪币： 541 活跃值： (654) 能力值： ( LV12，RANK：250 ) 在线值：发帖 13 回帖 245 粉丝 44 关注私信	ddlx 5 16 楼可能做成chm格式 2013-9-15 15:14 0
zyr零零发雪币： 808 活跃值： (10) 能力值： ( LV5，RANK：60 ) 在线值：发帖 7 回帖 330 粉丝 0 关注私信	zyr零零发 1 17 楼很好啊，学习，谢谢。 2013-9-15 15:28 0
天高雪币： 623 活跃值： (40) 能力值： ( LV3，RANK：30 ) 在线值：发帖 3 回帖 166 粉丝 0 关注私信	天高 18 楼 mark，等你更新，哈 2013-9-15 15:29 0
patriots 雪币： 178 活跃值： (11) 能力值： ( LV2，RANK：10 ) 在线值：发帖 9 回帖 53 粉丝 0 关注私信	patriots 19 楼非常支持LZ制作成PDF或者CHM 2013-9-15 18:24 0
学者learner 雪币： 141 活跃值： (318) 能力值： ( LV2，RANK：10 ) 在线值：发帖 2 回帖 172 粉丝 0 关注私信	学者learner 20 楼原来很强大，只是没有善于发现。。支持 2013-9-16 09:35 0
AioliaSky 雪币： 257 活跃值： (67) 能力值： ( LV4，RANK：50 ) 在线值：发帖 11 回帖 668 粉丝 0 关注私信	AioliaSky 1 21 楼有点意思，来围观一下 2013-9-16 10:26 0
信念随心雪币： 33 活跃值： (17) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 14 粉丝 0 关注私信	信念随心 22 楼感谢楼主分享 2013-9-16 10:57 0
HOWMP 雪币： 2829 活跃值： (2633) 能力值： ( LV6，RANK：80 ) 在线值：发帖 8 回帖 248 粉丝 7 关注私信	HOWMP 1 23 楼回帖收藏，感谢楼主，辛苦了 2013-9-16 10:59 0
sidyh 雪币： 160 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 13 回帖 134 粉丝 0 关注私信	sidyh 24 楼碉堡了。 2013-9-16 12:35 0
fatecaster 雪币： 135 活跃值： (63) 能力值： ( LV5，RANK：60 ) 在线值：发帖 39 回帖 314 粉丝 0 关注私信	fatecaster 1 25 楼坐等更新，感觉以前讲windbg的帖子都很枯燥，一堆命令全忘了。 2013-9-16 13:17 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复