[原创]现学现用之windbg的高级玩法(1,3,5,13,14,76,80,81,84,118,119,121,122楼已更新，chm文档集成7篇实战18个辅助工具)-软件逆向-看雪-安全社区|安全招聘|kanxue.com

531

[原创]现学现用之windbg的高级玩法(1,3,5,13,14,76,80,81,84,118,119,121,122楼已更新，chm文档集成7篇实战18个辅助工具)

发表于: 2013-9-14 23:23 218944

[原创]现学现用之windbg的高级玩法(1,3,5,13,14,76,80,81,84,118,119,121,122楼已更新，chm文档集成7篇实战18个辅助工具)

ddlx

2013-9-14 23:23

218944

0:000> [COLOR=Red]~*
.  0  Id: b3c.b40 Suspend: 1 Teb: 7ffdf000 Unfrozen
      Start: PEViewer!ILT+2905(_WinMainCRTStartup) (00411b5e) 
      Priority: 0  Priority class: 32  Affinity: 3
   1  Id: b3c.be8 Suspend: 1 Teb: 7ffde000 Unfrozen
      Start: kernel32!BaseThreadStartThunk (7c8106e9) 
      Priority: 0  Priority class: 32  Affinity: 3
   2  Id: b3c.bec Suspend: 1 Teb: 7ffdd000 Unfrozen
      Start: kernel32!BaseThreadStartThunk (7c8106e9) 
      Priority: 0  Priority class: 32  Affinity: 3
   3  Id: b3c.bf0 Suspend: 1 Teb: 7ffdc000 Unfrozen
      Start: kernel32!BaseThreadStartThunk (7c8106e9) 
      Priority: 0  Priority class: 32  Affinity: 3
0:000> [COLOR=Red]~ 2 s
eax=00000000 ebx=00000000 ecx=00000000 edx=7ffdd000 esi=7c99b420 edi=7c99b440
eip=7c92e4f4 esp=0197ff70 ebp=0197ffb4 iopl=0         nv up ei ng nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000286
ntdll!KiFastSystemCallRet:
7c92e4f4 c3              ret
0:002> [COLOR=Red]~*
#  0  Id: b3c.b40 Suspend: 1 Teb: 7ffdf000 Unfrozen
      Start: PEViewer!ILT+2905(_WinMainCRTStartup) (00411b5e) 
      Priority: 0  Priority class: 32  Affinity: 3
   1  Id: b3c.be8 Suspend: 1 Teb: 7ffde000 Unfrozen
      Start: ntdll!RtlpTimerThread (7c947ebb) 
      Priority: 0  Priority class: 32  Affinity: 3
.  2  Id: b3c.bec Suspend: 1 Teb: 7ffdd000 Unfrozen
      Start: ntdll!RtlpWorkerThread (7c930230) 
      Priority: 0  Priority class: 32  Affinity: 3
   3  Id: b3c.bf0 Suspend: 1 Teb: 7ffdc000 Unfrozen
      Start: ntdll!RtlpWorkerThread (7c930230) 
      Priority: 0  Priority class: 32  Affinity: 3
0:002> [COLOR=Red]~#
#  0  Id: b3c.b40 Suspend: 1 Teb: 7ffdf000 Unfrozen
      Start: PEViewer!ILT+2905(_WinMainCRTStartup) (00411b5e) 
      Priority: 0  Priority class: 32  Affinity: 3
0:002> [COLOR=Red]~.
.  2  Id: b3c.bec Suspend: 1 Teb: 7ffdd000 Unfrozen
      Start: ntdll!RtlpWorkerThread (7c930230) 
      Priority: 0  Priority class: 32  Affinity: 3
0:002> [COLOR=Red]~1 n
0:002> [COLOR=Red]~1 n
0:002> [COLOR=Red]~1
   1  Id: b3c.be8 <b>[COLOR=Black]Suspend: 3</b> Teb: 7ffde000 Unfrozen
      Start: ntdll!RtlpTimerThread (7c947ebb) 
      Priority: 0  Priority class: 32  Affinity: 3
0:002> [COLOR=Red]~1 m
0:002> [COLOR=Red]~1
   1  Id: b3c.be8 <b>Suspend: 2 </b>Teb: 7ffde000 Unfrozen
      Start: ntdll!RtlpTimerThread (7c947ebb) 
      Priority: 0  Priority class: 32  Affinity: 3
0:002> [COLOR=Red]~1 f
0:002> [COLOR=Red]~1
   1  Id: b3c.be8 Suspend: 2 Teb: 7ffde000 <b>[COLOR=Red]Frozen  </b>
      Start: ntdll!RtlpTimerThread (7c947ebb) 
      Priority: 0  Priority class: 32  Affinity: 3
0:002> [COLOR=Red]~1 u
0:002> [COLOR=Red]~1
   1  Id: b3c.be8 Suspend: 2 Teb: 7ffde000 <b>Unfrozen</b>
      Start: ntdll!RtlpTimerThread (7c947ebb) 
      Priority: 0  Priority class: 32  Affinity: 3
0:002> [COLOR=Red]~1 n
0:002> [COLOR=Red]~1
   1  Id: b3c.be8 <b>Suspend: 3 </b>Teb: 7ffde000 Unfrozen
      Start: ntdll!RtlpTimerThread (7c947ebb) 
      Priority: 0  Priority class: 32  Affinity: 3
0:002> [COLOR=Red]~1 kp 3
ChildEBP RetAddr  
0187ff98 7c92d1fc ntdll!KiFastSystemCallRet
0187ff9c 7c947f02 ntdll!NtDelayExecution+0xc
0187ffb4 7c80b713 ntdll!RtlpTimerThread+0x47
0:002> [COLOR=Red]~* kp 3
 
#  0  Id: b3c.b40 Suspend: 1 Teb: 7ffdf000 Unfrozen
ChildEBP RetAddr  
0012ede4 00414679 PEViewer!CPeListCtrl::ShowList(int flag = 0n5, int index = 0n0, int isDblclick = 0n0) [c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\pelistctrl.cpp @ 43]
0012ef28 78e60ef9 PEViewer!CPEViewerDlg::OnClickTree1(struct tagNMHDR * pNMHDR = 0x0012f3cc, long * pResult = 0x0012f1a0)+0x119 [c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\peviewerdlg.cpp @ 274]
0012ef74 78e6154a mfc100d!_AfxDispatchCmdMsg(class CCmdTarget * pTarget = 0x0012faa4, unsigned int nID = 0x3e9, int nCode = 0n65534, <function> * pfn = 0x0041199c, void * pExtra = 0x0012f040, unsigned int nSig = 0x3d, struct AFX_CMDHANDLERINFO * pHandlerInfo = 0x00000000)+0x1a9 [f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\cmdtarg.cpp @ 112]
 
   1  Id: b3c.be8 Suspend: 3 Teb: 7ffde000 Unfrozen
ChildEBP RetAddr  
0187ff98 7c92d1fc ntdll!KiFastSystemCallRet
0187ff9c 7c947f02 ntdll!NtDelayExecution+0xc
0187ffb4 7c80b713 ntdll!RtlpTimerThread+0x47
 
   2  Id: b3c.bec Suspend: 1 Teb: 7ffdd000 Unfrozen
ChildEBP RetAddr  
0197ff6c 7c92da2c ntdll!KiFastSystemCallRet
0197ff70 7c93026d ntdll!NtRemoveIoCompletion+0xc
0197ffb4 7c80b713 ntdll!RtlpWorkerThread+0x3d
 
   3  Id: b3c.bf0 Suspend: 1 Teb: 7ffdc000 Unfrozen
ChildEBP RetAddr  
01a7ff6c 7c92da2c ntdll!KiFastSystemCallRet
01a7ff70 7c93026d ntdll!NtRemoveIoCompletion+0xc
01a7ffb4 7c80b713 ntdll!RtlpWorkerThread+0x3d

0:000> kpnf 10
 #   Memory  ChildEBP RetAddr  
00           0012ecfc 0041ec28 PEViewer!CPeListCtrl::ShowImportFuncs(int index = 0n0)+0xe1 [c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\pelistctrl.cpp @ 749]
01        e8 0012ede4 00414839 PEViewer!CPeListCtrl::ShowList(int flag = 0n5, int index = 0n0, int isDblclick = 0n1)+0xd8 [c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\pelistctrl.cpp @ 77]
02       144 0012ef28 78e60ef9 PEViewer!CPEViewerDlg::OnDblclkTree1(struct tagNMHDR * pNMHDR = 0x0012f46c, long * pResult = 0x0012f1a0)+0x119 [c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\peviewerdlg.cpp @ 295]
03        4c 0012ef74 78e6154a mfc100d!_AfxDispatchCmdMsg(class CCmdTarget * pTarget = 0x0012faa4, unsigned int nID = 0x3e9, int nCode = 0n65533, <function> * pfn = 0x00411569, void * pExtra = 0x0012f040, unsigned int nSig = 0x3d, struct AFX_CMDHANDLERINFO * pHandlerInfo = 0x00000000)+0x1a9 [f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\cmdtarg.cpp @ 112]
04        64 0012efd8 78ebb533 mfc100d!CCmdTarget::OnCmdMsg(unsigned int nID = 0x3e9, int nCode = 0n65533, void * pExtra = 0x0012f040, struct AFX_CMDHANDLERINFO * pHandlerInfo = 0x00000000)+0x2ea [f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\cmdtarg.cpp @ 381]
05        3c 0012f014 78f99381 mfc100d!CDialog::OnCmdMsg(unsigned int nID = 0x3e9, int nCode = 0n5177341, void * pExtra = 0x0012f040, struct AFX_CMDHANDLERINFO * pHandlerInfo = 0x00000000)+0x23 [f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\dlgcore.cpp @ 87]
06        34 0012f048 78f97ef3 mfc100d!CWnd::OnNotify(unsigned int __formal = 0x3e9, long lParam = 0n1242220, long * pResult = 0x0012f1a0)+0xf1 [f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\wincore.cpp @ 2702]
07       174 0012f1bc 78f97dd2 mfc100d!CWnd::OnWndMsg(unsigned int message = 0x4e, unsigned int wParam = 0x3e9, long lParam = 0n1242220, long * pResult = 0x0012f1d8)+0xe3 [f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\wincore.cpp @ 2093]
08        20 0012f1dc 78f94383 mfc100d!CWnd::WindowProc(unsigned int message = 0x4e, unsigned int wParam = 0x3e9, long lParam = 0n1242220)+0x32 [f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\wincore.cpp @ 2067]
09        80 0012f25c 78f94976 mfc100d!AfxCallWndProc(class CWnd * pWnd = 0x0012faa4, struct HWND__ * hWnd = 0x00100518, unsigned int nMsg = 0x4e, unsigned int wParam = 0x3e9, long lParam = 0n1242220)+0xf3 [f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\wincore.cpp @ 248]
0a        20 0012f27c 78d80c7b mfc100d!AfxWndProc(struct HWND__ * hWnd = 0x00100518, unsigned int nMsg = 0x4e, unsigned int wParam = 0x3e9, long lParam = 0n1242220)+0xa6 [f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\wincore.cpp @ 411]
0b        3c 0012f2b8 77d18734 mfc100d!AfxWndProcBase(struct HWND__ * hWnd = 0x00100518, unsigned int nMsg = 0x4e, unsigned int wParam = 0x3e9, long lParam = 0n1242220)+0x5b [f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxstate.cpp @ 420]
0c        2c 0012f2e4 77d18816 USER32!InternalCallWinProc+0x28
0d        68 0012f34c 77d2927b USER32!UserCallWinProcCheckWow+0x150
0e        3c 0012f388 77d292e3 USER32!SendMessageWorker+0x4a5
0f        20 0012f3a8 5d176751 USER32!SendMessageW+0x7f

0:000> dv /i /t /v
prv local  0012ece4 class CPeListCtrl * this = 0x0012fbb0
prv param  0012ed04 int index = 0n0
prv local  0012ec50 class std::vector<ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char> > >,std::allocator<ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char> > > > > vecNames = class std::vector<ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char> > >,std::allocator<ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char> > > > >
prv local  0012ecc0 unsigned long valueAddr = 0x81dd0
prv local  0012ecd8 int rva = 0n530348
prv local  0012ec2c int nItems = 0n-858993460
prv local  0012ec6c class std::vector<ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char> > >,std::allocator<ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char> > > > > vecHints = class std::vector<ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char> > >,std::allocator<ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char> > > > >
prv local  0012ec88 class std::vector<ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char> > >,std::allocator<ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char> > > > > vecFuncRaws = class std::vector<ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char> > >,std::allocator<ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char> > > > >
prv local  0012eccc long offset = 0n527276
prv local  0012eca4 class std::vector<ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char> > >,std::allocator<ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char> > > > > vecFuncRvas = class std::vector<ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char> > >,std::allocator<ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char> > > > >

0:000>[COLOR=Red] .frame 1
01 0012ede4 00414839 PEViewer!CPeListCtrl::ShowList+0xd8 [c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\pelistctrl.cpp @ 77]
0:000> [COLOR=Red]dv /i /t /v
prv local  0012eddc class CPeListCtrl * this = 0x0012fbb0
prv param  0012edec int flag = 0n5
prv param  0012edf0 int index = 0n0
prv param  0012edf4 int isDblclick = 0n1
0:000> [COLOR=Red].frame 2
02 0012ef28 78e60ef9 PEViewer!CPEViewerDlg::OnDblclkTree1+0x119 [c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\peviewerdlg.cpp @ 295]
0:000> [COLOR=Red]dv /i /t /v
prv local  0012ef14 class CPEViewerDlg * this = 0x0012faa4
prv param  0012ef30 struct tagNMHDR * pNMHDR = 0x0012f46c
prv param  0012ef34 long * pResult = 0x0012f1a0
prv local  0012ef08 unsigned long dwpos = 0x1240302
prv local  0012eee4 int flag = 0n5
prv local  0012eef0 struct tagTVHITTESTINFO ht = struct tagTVHITTESTINFO
prv local  0012eed8 int index = 0n0
prv local  0012eecc class ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char> > > strItem = class ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char> > >

0:000>[COLOR=Red] dt this
Local var @ 0x12ece4 Type CPeListCtrl*
0x0012fbb0 
   +0x000 __VFN_table : 0x00436254 
   =00400000 classCObject     : CRuntimeClass
   =00400000 classCCmdTarget  : CRuntimeClass
   =00400000 _commandEntries  : [0] AFX_OLECMDMAP_ENTRY
   =00400000 commandMap       : AFX_OLECMDMAP
   =00400000 _dispatchEntries : [0] AFX_DISPMAP_ENTRY
   =00400000 _dispatchEntryCount : 0x905a4d
   =00400000 _dwStockPropMask : 0x905a4d
   =00400000 dispatchMap      : AFX_DISPMAP
   =00400000 _connectionEntries : [0] AFX_CONNECTIONMAP_ENTRY
   =00400000 connectionMap    : AFX_CONNECTIONMAP
   =00400000 _interfaceEntries : [0] AFX_INTERFACEMAP_ENTRY
   =00400000 interfaceMap     : AFX_INTERFACEMAP
   =00400000 _eventsinkEntries : [0] AFX_EVENTSINKMAP_ENTRY
   =00400000 _eventsinkEntryCount : 0x905a4d
   =00400000 eventsinkMap     : AFX_EVENTSINKMAP
   +0x004 m_dwRef          : 0n1
   +0x008 m_pOuterUnknown  : (null) 
   +0x00c m_xInnerUnknown  : 0
   +0x010 m_xDispatch      : CCmdTarget::XDispatch
   +0x014 m_bResultExpected : 0n1
   +0x018 m_xConnPtContainer : CCmdTarget::XConnPtContainer
   +0x01c m_pModuleState   : 0x00154e08 AFX_MODULE_STATE
   =00400000 classCWnd        : CRuntimeClass
   +0x020 m_hWnd           : 0x0004061a HWND__
   =00400000 wndTop           : CWnd
   =00400000 wndBottom        : CWnd
   =00400000 wndTopMost       : CWnd
   =00400000 wndNoTopMost     : CWnd
   +0x024 m_bEnableActiveAccessibility : 0
   +0x028 m_pStdObject     : (null) 
   +0x02c m_pProxy         : (null) 
   =00400000 _interfaceEntries : [0] AFX_INTERFACEMAP_ENTRY
   =00400000 interfaceMap     : AFX_INTERFACEMAP
   +0x030 m_xAccessible    : CWnd::XAccessible
   +0x034 m_xAccessibleServer : CWnd::XAccessibleServer
   +0x038 m_bIsTouchWindowRegistered : 0n0
   +0x03c m_ptGestureFrom  : CPoint
   +0x044 m_ulGestureArg   : 0
   +0x04c m_bGestureInited : 0n0
   +0x050 m_pCurrentGestureInfo : (null) 
   +0x054 m_hWndOwner      : (null) 
   +0x058 m_nFlags         : 0
   +0x05c m_pfnSuper       : 0xffff0403     long  +ffff0403
   =00400000 m_nMsgDragList   : 0x905a4d
   +0x060 m_nModalResult   : 0n0
   +0x064 m_pDropTarget    : (null) 
   +0x068 m_pCtrlCont      : (null) 
   +0x06c m_pCtrlSite      : (null) 
   +0x070 m_pMFCCtrlContainer : (null) 
   =00400000 classCListCtrl   : CRuntimeClass
   +0x074 m_peFile         : PeStruct

0:000> [COLOR=Red]bm peviewer!CPeListCtrl::Show*
  1: 004221b0 @!"PEViewer!CPeListCtrl::ShowImportDir"
  2: 004226e0 @!"PEViewer!CPeListCtrl::ShowSectionHeader"
  3: 00423a00 @!"PEViewer!CPeListCtrl::ShowImportFuncs"
  4: 0041eb50 @!"PEViewer!CPeListCtrl::ShowList"
  5: 0041f840 @!"PEViewer!CPeListCtrl::ShowFileHeader"
  6: 00423f00 @!"PEViewer!CPeListCtrl::ShowExportFuncs"
  7: 0041eef0 @!"PEViewer!CPeListCtrl::ShowDosHeader"
  8: 00420700 @!"PEViewer!CPeListCtrl::ShowOptionalHeader"
  9: 00423270 @!"PEViewer!CPeListCtrl::ShowExportDir"
0:000> [COLOR=Red]bl
 1 e 004221b0 [c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\pelistctrl.cpp @ 542]    0001 (0001)  0:**** PEViewer!CPeListCtrl::ShowImportDir
 2 e 004226e0 [c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\pelistctrl.cpp @ 578]    0001 (0001)  0:**** PEViewer!CPeListCtrl::ShowSectionHeader
 3 e 00423a00 [c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\pelistctrl.cpp @ 742]    0001 (0001)  0:**** PEViewer!CPeListCtrl::ShowImportFuncs
 4 e 0041eb50 [c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\pelistctrl.cpp @ 43]    0001 (0001)  0:**** PEViewer!CPeListCtrl::ShowList
 5 e 0041f840 [c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\pelistctrl.cpp @ 197]    0001 (0001)  0:**** PEViewer!CPeListCtrl::ShowFileHeader
 6 e 00423f00 [c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\pelistctrl.cpp @ 777]    0001 (0001)  0:**** PEViewer!CPeListCtrl::ShowExportFuncs
 7 e 0041eef0 [c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\pelistctrl.cpp @ 134]    0001 (0001)  0:**** PEViewer!CPeListCtrl::ShowDosHeader
 8 e 00420700 [c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\pelistctrl.cpp @ 349]    0001 (0001)  0:**** PEViewer!CPeListCtrl::ShowOptionalHeader
 9 e 00423270 [c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\pelistctrl.cpp @ 685]    0001 (0001)  0:**** PEViewer!CPeListCtrl::ShowExportDir
0:000> [COLOR=Red]~ 1 bp CPeListCtrl::CPeListCtrl
0:000> [COLOR=Red]bl
 0 e 0041e9c0 [c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\pelistctrl.cpp @ 19]    0001 (0001)  [COLOR=Blue]0:~001 PEViewer!CPeListCtrl::CPeListCtrl
 1 e 004221b0 [c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\pelistctrl.cpp @ 542]    0001 (0001)  0:**** PEViewer!CPeListCtrl::ShowImportDir
 2 e 004226e0 [c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\pelistctrl.cpp @ 578]    0001 (0001)  0:**** PEViewer!CPeListCtrl::ShowSectionHeader
 3 e 00423a00 [c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\pelistctrl.cpp @ 742]    0001 (0001)  0:**** PEViewer!CPeListCtrl::ShowImportFuncs
 4 e 0041eb50 [c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\pelistctrl.cpp @ 43]    0001 (0001)  0:**** PEViewer!CPeListCtrl::ShowList
 5 e 0041f840 [c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\pelistctrl.cpp @ 197]    0001 (0001)  0:**** PEViewer!CPeListCtrl::ShowFileHeader
 6 e 00423f00 [c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\pelistctrl.cpp @ 777]    0001 (0001)  0:**** PEViewer!CPeListCtrl::ShowExportFuncs
 7 e 0041eef0 [c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\pelistctrl.cpp @ 134]    0001 (0001)  0:**** PEViewer!CPeListCtrl::ShowDosHeader
 8 e 00420700 [c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\pelistctrl.cpp @ 349]    0001 (0001)  0:**** PEViewer!CPeListCtrl::ShowOptionalHeader
 9 e 00423270 [c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\pelistctrl.cpp @ 685]    0001 (0001)  0:**** PEViewer!CPeListCtrl::ShowExportDir
0:000> [COLOR=Red]dv
           this = 0x0012fbb0
          index = 0n0
       vecNames = class std::vector<ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char> > >,std::allocator<ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char> > > > >
      valueAddr = 0x81dd0
            rva = 0n530348
         nItems = 0n-858993460
       vecHints = class std::vector<ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char> > >,std::allocator<ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char> > > > >
    vecFuncRaws = class std::vector<ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char> > >,std::allocator<ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char> > > > >
         offset = 0n527276
    vecFuncRvas = class std::vector<ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char> > >,std::allocator<ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char> > > > >
0:000> [COLOR=Red]~ 0 ba w4 index
0:000> [COLOR=Red]bl
 0 e 0041e9c0 [c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\pelistctrl.cpp @ 19]    0001 (0001)  [COLOR=Blue]0:~001 PEViewer!CPeListCtrl::CPeListCtrl
 1 e 004221b0 [c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\pelistctrl.cpp @ 542]    0001 (0001)  0:**** PEViewer!CPeListCtrl::ShowImportDir
 2 e 004226e0 [c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\pelistctrl.cpp @ 578]    0001 (0001)  0:**** PEViewer!CPeListCtrl::ShowSectionHeader
 3 e 00423a00 [c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\pelistctrl.cpp @ 742]    0001 (0001)  0:**** PEViewer!CPeListCtrl::ShowImportFuncs
 4 e 0041eb50 [c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\pelistctrl.cpp @ 43]    0001 (0001)  0:**** PEViewer!CPeListCtrl::ShowList
 5 e 0041f840 [c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\pelistctrl.cpp @ 197]    0001 (0001)  0:**** PEViewer!CPeListCtrl::ShowFileHeader
 6 e 00423f00 [c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\pelistctrl.cpp @ 777]    0001 (0001)  0:**** PEViewer!CPeListCtrl::ShowExportFuncs
 7 e 0041eef0 [c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\pelistctrl.cpp @ 134]    0001 (0001)  0:**** PEViewer!CPeListCtrl::ShowDosHeader
 8 e 00420700 [c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\pelistctrl.cpp @ 349]    0001 (0001)  0:**** PEViewer!CPeListCtrl::ShowOptionalHeader
 9 e 00423270 [c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\pelistctrl.cpp @ 685]    0001 (0001)  0:**** PEViewer!CPeListCtrl::ShowExportDir
10 e 0012ed04 w 4 0001 (0001)  [COLOR=Blue]0:~000 
0:000> [COLOR=Red]bc 3
0:000> [COLOR=Red]bc 2
0:000> [COLOR=Red]bl
 0 e 0041e9c0 [c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\pelistctrl.cpp @ 19]    0001 (0001)  [COLOR=Blue]0:~001 PEViewer!CPeListCtrl::CPeListCtrl
 1 e 004221b0 [c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\pelistctrl.cpp @ 542]    0001 (0001)  0:**** PEViewer!CPeListCtrl::ShowImportDir
 4 e 0041eb50 [c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\pelistctrl.cpp @ 43]    0001 (0001)  0:**** PEViewer!CPeListCtrl::ShowList
 5 e 0041f840 [c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\pelistctrl.cpp @ 197]    0001 (0001)  0:**** PEViewer!CPeListCtrl::ShowFileHeader
 6 e 00423f00 [c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\pelistctrl.cpp @ 777]    0001 (0001)  0:**** PEViewer!CPeListCtrl::ShowExportFuncs
 7 e 0041eef0 [c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\pelistctrl.cpp @ 134]    0001 (0001)  0:**** PEViewer!CPeListCtrl::ShowDosHeader
 8 e 00420700 [c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\pelistctrl.cpp @ 349]    0001 (0001)  0:**** PEViewer!CPeListCtrl::ShowOptionalHeader
 9 e 00423270 [c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\pelistctrl.cpp @ 685]    0001 (0001)  0:**** PEViewer!CPeListCtrl::ShowExportDir
10 e 0012ed04 w 4 0001 (0001)  [COLOR=Blue]0:~000 

WINDBG参考手册V0.6.rar

线程指令

查看调用栈

查看每层栈帧的局部变量以及栈帧切换

断点的使用

执行命令

反汇编指令

写汇编指令

显示符号指令

显示最近符号指令

C++表达式在windbg中的用法

一般表达式的计算

字符串比较介绍

无效内存检测

数值的格式化输出

获取当前线程的最近错误码

获取错误码的文字描述

查看最后一次事件信息

查看版本信息

登录后可查看完整内容

[招生]科锐逆向工程师培训(2025年3月11日实地，远程教学同时开班, 第52期)！

#调试逆向

上传的附件：

WINDBG参考手册V0.6.rar （241.63kb，8028次下载）

收藏・531

免费・12

支持

赞赏记录

参与人

雪币

留言

时间

Youlor

感谢你的贡献，论坛因你而更加精彩！

2024-8-21 01:18

伟叔叔

看雪因你而更加精彩！

2024-6-14 06:56

心游尘世外

为你点赞~

2024-5-31 06:26

QinBeast

为你点赞~

2024-5-31 06:16

飘零丶

为你点赞~

2024-4-3 00:58

mb_pdeivpxj

为你点赞~

2023-8-9 10:45

伯爵的信仰

为你点赞~

2023-8-7 00:04

codeoooo

为你点赞~

2023-7-26 11:42

PLEBFE

为你点赞~

2023-3-5 04:18

shinratensei

为你点赞~

2023-2-22 11:27

Ysiel

为你点赞~

2022-6-17 00:56

APT_华生

为你点赞~

2021-5-10 18:50

最新回复 (250)

sierra

雪币： 238

活跃值： (55)

能力值：

( LV5，RANK：70 )

在线值：

发帖

回帖

518

粉丝

关注

私信

sierra 1: 2 楼

不错哦~~

2013-9-14 23:28

ddlx

雪币： 541

活跃值： (654)

能力值：

( LV12，RANK：250 )

在线值：

发帖

回帖

245

粉丝

关注

私信

ddlx 5: 3 楼

7. 执行命令：g
g是执行命令，可以指定从某处执行，也可以在执行到某处时断下，如:
g =00423aef 00423af3
修改当前eip为00423aef，执行到00423af3处中断
当然也可以让某个线程继续执行，而其他的线程处在冻结状态。如：
~1 g 一号线程继续执行

8. 其他执行命令：
p 单步步过
t 单步步入
gu 执行到返回
gc 从断点处继续执行，用在条件断点内
gn 忽略异常继续执行。允许应用程序的异常处理程序来处理异常。
gh 异常被处理，继续执行。

9. 显示汇编指令: u
u 向下反汇编
ub向上反汇编
uf反汇编整个函数

0:000> [COLOR=Red]ub 00423bf5 
[/COLOR]PEViewer!CPeListCtrl::ShowImportFuncs+0x1d5 [c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\pelistctrl.cpp @ 755]:
00423bd5 0fb7853cffffff  movzx   eax,word ptr [ebp-0C4h]
00423bdc 50              push    eax
00423bdd 8d8d40feffff    lea     ecx,[ebp-1C0h]
00423be3 51              push    ecx
00423be4 8b4de8          mov     ecx,dword ptr [ebp-18h]
00423be7 83c174          add     ecx,74h
00423bea e818e1feff      call    PEViewer!ILT+3330(?Num2StringPeStructQAE?AV?$CStringTDV?$StrTraitMFC_DLLDV?$ChTraitsCRTDATLATLKIHZ) (00411d07)
00423bef 8985e8fdffff    mov     dword ptr [ebp-218h],eax
0:000> [COLOR=Red]u 00423bf5 [/COLOR]
PEViewer!CPeListCtrl::ShowImportFuncs+0x1f5 [c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\pelistctrl.cpp @ 755]:
00423bf5 8b95e8fdffff    mov     edx,dword ptr [ebp-218h]
00423bfb 8995e4fdffff    mov     dword ptr [ebp-21Ch],edx
00423c01 c645fc06        mov     byte ptr [ebp-4],6
00423c05 8b85e4fdffff    mov     eax,dword ptr [ebp-21Ch]
00423c0b 50              push    eax
00423c0c 8d8d70ffffff    lea     ecx,[ebp-90h]
00423c12 e8f1dafeff      call    PEViewer!ILT+1795(?push_back?$vectorV?$CStringTDV?$StrTraitMFC_DLLDV?$ChTraitsCRTDATLATLV?$allocatorV?$CStringTDV?$StrTraitMFC_DLLDV?$ChTraitsCRTDATLATLstdstdQAEX$$QAV?$CStringTDV?$StrTraitMFC_DLLDV?$ChTraitsCRTDATLATLZ) (00411708)
00423c17 c645fc03        mov     byte ptr [ebp-4],3

10. 写入汇编指令: a
此命令可以直接修改代码段中的指令

0:000> [COLOR=Red].dvalloc 1000[/COLOR] //分配内存
Allocated 1000 bytes starting at 01190000
0:000> [COLOR=Red]a 01190000[/COLOR] //写入汇编
01190000 mov edi,edi
[COLOR=Red]mov edi,edi[/COLOR] //写入的汇编指令
01190002 push ebp
[COLOR=Red]push ebp[/COLOR] //写入的汇编指令
01190003 mov ebp,esp
[COLOR=Red]mov ebp,esp[/COLOR] //写入的汇编指令
01190005 pop ebp
[COLOR=Red]pop ebp[/COLOR] //写入的汇编指令
01190006 ret
[COLOR=Red]ret [/COLOR]//写入的汇编指令
 
[COLOR=Red]//按Enter键返回[/COLOR]
 
0:000> [COLOR=Red]u 01190000[/COLOR] //反汇编
01190000 8bff            mov     edi,edi
01190002 55              push    ebp
01190003 8bec            mov     ebp,esp
01190005 5d              pop     ebp
01190006 c3              ret
01190007 0000            add     byte ptr [eax],al
01190009 0000            add     byte ptr [eax],al
0119000b 0000            add     byte ptr [eax],al
0:000> [COLOR=Red].dvfree 01190000 0[/COLOR] //释放内存
Freed 0 bytes starting at 01190000

11. 显示符号指令： x
不光可以显示全局符号，也可以显示局部符号
其中符号包括：函数、全局对象、静态对象、参数、局部对象等

0:000>[COLOR=Red] x peviewer!CPeListCtrl::Show*[/COLOR]
004221b0 PEViewer!CPeListCtrl::ShowImportDir (int)
004226e0 PEViewer!CPeListCtrl::ShowSectionHeader (int)
00423a00 PEViewer!CPeListCtrl::ShowImportFuncs (int)
0041eb50 PEViewer!CPeListCtrl::ShowList (int, int, int)
0041f840 PEViewer!CPeListCtrl::ShowFileHeader (void)
00423f00 PEViewer!CPeListCtrl::ShowExportFuncs (int)
0041eef0 PEViewer!CPeListCtrl::ShowDosHeader (void)
00420700 PEViewer!CPeListCtrl::ShowOptionalHeader (void)
00423270 PEViewer!CPeListCtrl::ShowExportDir (int)

12. 显示最近的符号： ln
此命令在不知道某处地址是属于哪个函数时，此命令很有用。它可以告诉你此地址附近的函数是什么

0:000> [COLOR=Red]ln
[/COLOR]c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\pelistctrl.cpp(751)+0x8
(00423a00)   PEViewer!CPeListCtrl::ShowImportFuncs+0xf3   |  (00423f00)   PEViewer!CPeListCtrl::ShowExportFuncs
0:000> [COLOR=Red]ln 00423a00[/COLOR]
c:\documents and settings\administrator\桌面\peviewer0.9\peviewer\pelistctrl.cpp(742)
(00423a00)   PEViewer!CPeListCtrl::ShowImportFuncs   |  (00423f00)   PEViewer!CPeListCtrl::ShowExportFuncs
Exact matches:
    PEViewer!CPeListCtrl::ShowImportFuncs (int)

2013-9-15 00:06

Rookietp

雪币： 1042

活跃值： (630)

能力值：

( LV2，RANK：10 )

在线值：

发帖

回帖

798

粉丝

关注

私信

Rookietp: 4 楼

mark learn ..thank ```

2013-9-15 00:41

ddlx

雪币： 541

活跃值： (654)

能力值：

( LV12，RANK：250 )

在线值：

发帖

回帖

245

粉丝

关注

私信

ddlx 5: 5 楼

13. C++表达式的用法
当我们查看某个变量或者下条件断点时，可能会获取一个对象中的成员值。那应该怎么获取呢？
13.1. c++表达式求值运算：??

0:000> [COLOR=Red]?? this->m_nFlags[/COLOR] //显示C++变量
unsigned int 0 //默认为unsigned int类型
0:000> [COLOR=Red]?? this->m_nFlags=0x78458789[/COLOR] //修改C++变量值
unsigned int 0x78458789
0:000> [COLOR=Red]?? (this->m_nFlags) [/COLOR]
unsigned int 0x78458789
0:000> [COLOR=Red]?? int(this->m_nFlags) [/COLOR]//按int类型显示
int 0n2017822601
0:000> [COLOR=Red]?? (unsigned short)(this->m_nFlags) [/COLOR]//按unsigned short类型显示
unsigned short 0x8789
0:000> [COLOR=Red]?? (short)(this->m_nFlags)[/COLOR] //按short类型显示
short 0n-30839
0:000> [COLOR=Red]?? (unsigned char)(this->m_nFlags)[/COLOR] //按unsigned char类型显示
unsigned char 0x89 ''
0:000> [COLOR=Red]?? (char)(this->m_nFlags) [/COLOR]//按char类型显示
char 0n-119 ''

13.2. C++前缀：@@()

1 2	`[COLOR=Blue]//设置条件断点。当this->m_nFlags==0x78458789时断下[/COLOR]` `[COLOR=Red]bp 00423af9` `".if(@@(this->m_nFlags) == 0x78458789){}.else{gc;}"[/COLOR]`

14. 一般表达式
14.1. 一般表达式求值：?

[COLOR=Blue]//poi对地址取值函数。取出的字节数跟平台相关，32位取4个字节(同dwo)，64位取8个字节(同qwo)[/COLOR]
0:000>[COLOR=Red] ? poi(@@(&this->m_nFlags))[/COLOR]
Evaluate expression: 2017822601 = 78458789
0:000> [COLOR=Red]? poi(esp)[/COLOR]
Evaluate expression: 531920 = 00081dd0
//从esp地址中取单个字节
0:000> [COLOR=Red]? by(esp)[/COLOR]
Evaluate expression: 208 = 000000d0
//从esp地址中取2个字节
0:000> [COLOR=Red]? wo(esp)[/COLOR]
Evaluate expression: 7632 = 00001dd0
//从esp地址中取4个字节
0:000> [COLOR=Red]? dwo(esp)[/COLOR]
Evaluate expression: 531920 = 00081dd0
//从esp地址中取8个字节
0:000>[COLOR=Red] ? qwo(esp)[/COLOR]
Evaluate expression: 2463191519810035152 = 222f03a3`00081dd0
//获取一个32位数的低16位
0:000> [COLOR=Red]? low(poi(esp))[/COLOR]
Evaluate expression: 7632 = 00001dd0
//获取一个32位数的高16位
0:000> [COLOR=Red]? hi(poi(esp))[/COLOR]
Evaluate expression: 8 = 00000008
//与运算
0:000>[COLOR=Red] ? 4 and(1)[/COLOR]
Evaluate expression: 0 = 00000000
//与运算
0:000> [COLOR=Red]? 4 and(f)[/COLOR]
Evaluate expression: 4 = 00000004
//或运算
0:000> [COLOR=Red]? 4 | f[/COLOR]
Evaluate expression: 15 = 0000000f
//或运算
0:000> [COLOR=Red]? 4 or 1[/COLOR]
Evaluate expression: 5 = 00000005
//或运算
0:000> [COLOR=Red]? 4 | 1[/COLOR]
Evaluate expression: 5 = 00000005
//与运算
0:000> [COLOR=Red]? 4 & 1[/COLOR]
Evaluate expression: 0 = 00000000
//非运算
0:000> [COLOR=Red]? 4 or 1[/COLOR]
Evaluate expression: 5 = 00000005
//判断两个数是否相等
0:000> [COLOR=Red]? 4 == 1[/COLOR]
Evaluate expression: 0 = 00000000
//判断两个数是否相等
0:000> [COLOR=Red]? 4 == 4[/COLOR]
Evaluate expression: 1 = 00000001
 
0:000> [COLOR=Red]? 4 > 4[/COLOR]
Evaluate expression: 0 = 00000000
 
0:000> [COLOR=Red]? 4 >= 4[/COLOR]
Evaluate expression: 1 = 00000001

14.2. 字符串比较

[COLOR=Blue]//$scmp 为大小写敏感的字符串比较函数.返回值为-1,0,1之一[/COLOR]
0:000> [COLOR=Red]? $scmp("abc","abc")[/COLOR]
Evaluate expression: 0 = 00000000
0:000> [COLOR=Red]? $scmp("Abc","abc")[/COLOR]
Evaluate expression: -1 = ffffffff
0:000> [COLOR=Red]? $scmp("abc","Abc")[/COLOR]
Evaluate expression: 1 = 00000001
[COLOR=Blue]//$sicmp 为大小写不敏感的字符串比较函数.返回值为-1,0,1之一[/COLOR]
0:000> [COLOR=Red]? $sicmp("abc","Abc")[/COLOR]
Evaluate expression: 0 = 00000000
0:000> [COLOR=Red]? $sicmp("abc","Abcd")[/COLOR]
Evaluate expression: -100 = ffffff9c
0:000> [COLOR=Red]? $sicmp("abcd","abc")[/COLOR]
Evaluate expression: 100 = 00000064
 
[COLOR=Blue]//$spat 通配符匹配.返回值为0(false),1(true)之一。支持以下通配符：
// * 表示0-n个任意字符
// ? 表示1个任意字符
// + 表示1-n个前面的字符
// [] 表示任意单个字符的列表。可以使用'-'表示一个范围
// # 表示0-n个前面的字符
//下面为示例用法：[/COLOR]
0:000> [COLOR=Red]? $spat("abcd","abc*")[/COLOR]
Evaluate expression: 1 = 00000001
0:000> [COLOR=Red]? $spat("abcd","abc+")[/COLOR]
Evaluate expression: 0 = 00000000
0:000> [COLOR=Red]? $spat("abcd","abc[abc]")[/COLOR]
Evaluate expression: 0 = 00000000
0:000> [COLOR=Red]? $spat("abcd","abc[abcd]")[/COLOR]
Evaluate expression: 1 = 00000001
0:000> [COLOR=Red]? $spat("abcc","abc+")[/COLOR]
Evaluate expression: 1 = 00000001
0:000> [COLOR=Red]? $spat("abcc","abc")[/COLOR]
Evaluate expression: 0 = 00000000
0:000> [COLOR=Red]? $spat("abc","abc?")[/COLOR]
Evaluate expression: 0 = 00000000
0:000> [COLOR=Red]? $spat("abcd","abc?")[/COLOR]
Evaluate expression: 1 = 00000001
0:000> [COLOR=Red]? $spat("abcde","abc?")[/COLOR]
Evaluate expression: 0 = 00000000

14.3. 判断一个地址是否无效：$vvalid
返回0无效，1为有效

0:000> [COLOR=Red]? $vvalid(0, 100)[/COLOR]
Evaluate expression: 0 = 00000000
0:000> [COLOR=Red]? $vvalid(0x400000, 100)[/COLOR]
Evaluate expression: 1 = 00000001

14.4. 格式化数值：.formats

0:000>[COLOR=Red] .formats 1000[/COLOR]
Evaluate expression:
  Hex:     00001000
  Decimal: 4096
  Octal:   00000010000
  Binary:  00000000 00000000 00010000 00000000
  Chars:   ....
  Time:    Thu Jan 01 09:08:16 1970
  Float:   low 5.73972e-042 high 0
  Double:  2.02369e-320

15. 返回最近的错误码指令： !gle
与GetLastError相同

0:000> [COLOR=Red]!gle[/COLOR]
LastErrorValue: (NTSTATUS) 0 (0) - STATUS_WAIT_0
LastStatusValue: (NTSTATUS) 0xc0000135 - {

16. 查询错误码含义： !error

0:000> [COLOR=Red][B]!error 2[/B][/COLOR]
Error code: (Win32) 0x2 (2) - The system cannot find the file specified.
0:000> !error 2 1
Error code: (NTSTATUS) 0x2 - STATUS_WAIT_2

17. 查看最后一次事件信息: .lastevent

0:000> [COLOR=Red].lastevent[/COLOR]
Last event: ea8.c98: [COLOR=Red]Hit breakpoint 2[/COLOR][COLOR=Blue](断点事件，中断到二号断点)[/COLOR]
  debugger time: Sun Sep 15 00:30:25.559 2013 (UTC + 8:00)

18. 查看版本信息： version、vertarget

0:000> [COLOR=Red]version[/COLOR]
Windows XP Version 2600 (Service Pack 3) MP (2 procs) Free x86 compatible
Product: WinNt, suite: SingleUserTS
kernel32.dll version: 5.1.2600.5512 (xpsp.080413-2111)
Machine Name:
Debug session time: Sun Sep 15 01:15:25.871 2013 (UTC + 8:00)
System Uptime: 0 days 4:42:50.824
Process Uptime: 0 days 3:46:38.188
  Kernel time: 0 days 0:00:03.296
  User time: 0 days 0:00:01.078
Live user mode: <Local>
 
Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
Copyright (c) Microsoft Corporation. All rights reserved.
 
command line: '"C:\Program Files\Debugging Tools for Windows (x86)\windbg.exe" '  Debugger Process 0xB68 
dbgeng:  image 6.12.0002.633, built Tue Feb 02 04:08:31 2010
        [path: C:\Program Files\Debugging Tools for Windows (x86)\dbgeng.dll]
dbghelp: image 6.12.0002.633, built Tue Feb 02 04:08:26 2010
        [path: C:\Program Files\Debugging Tools for Windows (x86)\dbghelp.dll]
        DIA version: 20921
Extension DLL search Path:
    C:\Program Files\Debugging Tools for Windows (x86)\WINXP;C:\Program Files\Debugging Tools for Windows (x86)\winext;C:\Program Files\Debugging Tools for Windows (x86)\winext\arcade;C:\Program Files\Debugging Tools for Windows (x86)\pri;C:\Program Files\Debugging Tools for Windows (x86);C:\Program Files\Debugging Tools for Windows (x86)\winext\arcade;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\TortoiseSVN\bin
Extension DLL chain:
    hs: built Sun Apr 28 08:53:56 2013
        [path: C:\Program Files\Debugging Tools for Windows (x86)\hs.dll]
    dbghelp: image 6.12.0002.633, API 6.1.6, built Tue Feb 02 04:08:26 2010
        [path: C:\Program Files\Debugging Tools for Windows (x86)\dbghelp.dll]
    ext: image 6.12.0002.633, API 1.0.0, built Tue Feb 02 04:08:31 2010
        [path: C:\Program Files\Debugging Tools for Windows (x86)\winext\ext.dll]
    exts: image 6.12.0002.633, API 1.0.0, built Tue Feb 02 04:08:24 2010
        [path: C:\Program Files\Debugging Tools for Windows (x86)\WINXP\exts.dll]
    uext: image 6.12.0002.633, API 1.0.0, built Tue Feb 02 04:08:23 2010
        [path: C:\Program Files\Debugging Tools for Windows (x86)\winext\uext.dll]
    ntsdexts: image 6.1.7650.0, API 1.0.0, built Tue Feb 02 04:08:08 2010
        [path: C:\Program Files\Debugging Tools for Windows (x86)\WINXP\ntsdexts.dll]
0:000>[COLOR=Red] vertarget[/COLOR]
Windows XP Version 2600 (Service Pack 3) MP (2 procs) Free x86 compatible
Product: WinNt, suite: SingleUserTS
kernel32.dll version: 5.1.2600.5512 (xpsp.080413-2111)
Machine Name:
Debug session time: Sun Sep 15 01:15:45.106 2013 (UTC + 8:00)
System Uptime: 0 days 4:43:10.054
Process Uptime: 0 days 3:46:57.423
  Kernel time: 0 days 0:00:03.296
  User time: 0 days 0:00:01.078

2013-9-15 01:22

ddlx

雪币： 541

活跃值： (654)

能力值：

( LV12，RANK：250 )

在线值：

发帖

回帖

245

粉丝

关注

私信

ddlx 5: 6 楼

睡觉先，睡醒继续

2013-9-15 01:28

Sam.com

雪币： 13320

活跃值： (4876)

能力值：

( LV3，RANK：30 )

在线值：

发帖

回帖

100

粉丝

关注

私信

Sam.com: 7 楼

楼主做个文档什么的供下载吧~~谢谢

2013-9-15 03:16

kangcin

雪币： 602

活跃值： (45)

能力值：

( LV2，RANK：10 )

在线值：

发帖

回帖

482

粉丝

关注

私信

kangcin: 8 楼

支持文档

2013-9-15 05:26

封心锁爱

雪币： 239

活跃值： (10)

能力值：

( LV2，RANK：10 )

在线值：

发帖

回帖

170

粉丝

关注

私信

封心锁爱: 9 楼

Windbg命令 mark

2013-9-15 08:30

小小笑儿

雪币： 61

活跃值： (10)

能力值：

( LV2，RANK：10 )

在线值：

发帖

回帖

粉丝

关注

私信

小小笑儿: 10 楼

支持文档

2013-9-15 09:11

ddlx

雪币： 541

活跃值： (654)

能力值：

( LV12，RANK：250 )

在线值：

发帖

回帖

245

粉丝

关注

私信

ddlx 5: 11 楼

感谢关注，等写完了会做成chm格式文档

2013-9-15 10:08

Artmiss

雪币： 19

活跃值： (10)

能力值：

( LV2，RANK：10 )

在线值：

发帖

回帖

粉丝

关注

私信

Artmiss: 12 楼

这个很好，支持一下

2013-9-15 10:12

ddlx

雪币： 541

活跃值： (654)

能力值：

( LV12，RANK：250 )

在线值：

发帖

回帖

245

粉丝

关注

私信

ddlx 5: 13 楼

在调试的过程中我们可能需要修改汇编代码，比如做个跳板改变执行流（在介绍a指令的时候有用到.在第三楼），或者把内存dump到文件中，或者把文件中的数据读入内存中。这就牵涉到怎么分配和释放内存，怎么读写内存等操作。下面我们一起来学习一下内存操作相关指令把。

19. 分配内存指令： .dvalloc
.dvalloc指令类似与VirtualAlloc函数。可以指定分配的大小、类型（MEM_RESERVE | MEM_COMMIT）(加上参数/r，申请的内存类型为MEM_RESERVE。默认为MEM_COMMIT)、起始地址(加上参数/b)
使用.dvalloc分配的内存都是PAGE_EXECUTE_READWRITE属性

0:000> [COLOR=Red].dvalloc 56[/COLOR]
Allocated 1000 bytes starting at 00390000[COLOR=Blue] (分配的内存地址)[/COLOR]
[COLOR=Blue]//保留一块内存[/COLOR]
0:000> [COLOR=Red].dvalloc /b 10000000 /r 56[/COLOR]
Allocated 1000 bytes starting at 10000000
[COLOR=Blue]//如果内存存在，则会分配失败[/COLOR]
0:000> [COLOR=Red].dvalloc /b 400000 /r 56[/COLOR]
Allocation failed, Win32 error 0n487
    "试图访问无效的地址。"
[COLOR=Blue]//查看内存属性[/COLOR]
0:000> [COLOR=Red]!vprot 10000000[/COLOR]
BaseAddress:       10000000
AllocationBase:    10000000
AllocationProtect: 00000040  PAGE_EXECUTE_READWRITE
RegionSize:        00001000
State:             00002000  MEM_RESERVE
Type:              00020000  MEM_PRIVATE
[COLOR=Blue]//查看内存属性[/COLOR]
0:000> [COLOR=Red]!vprot 00390000[/COLOR]
BaseAddress:       00390000
AllocationBase:    00390000
AllocationProtect: 00000040  PAGE_EXECUTE_READWRITE
RegionSize:        00001000
State:             00001000  MEM_COMMIT
Protect:           00000040  PAGE_EXECUTE_READWRITE
Type:              00020000  MEM_PRIVATE

20. 释放内存指令: .dvfree
有分配就有释放.dvfree指令类似VirtualFree 函数。

[COLOR=Blue]//把内存类型设置成MEM_RESERVE状态[/COLOR]
0:000> [COLOR=Red].dvfree /d 00390000 1000[/COLOR]
Freed 1000 bytes starting at 00390000
[COLOR=Blue]//查看内存属性[/COLOR]
0:000> [COLOR=Red]!vprot 00390000 [/COLOR]
BaseAddress:       00390000
AllocationBase:    00390000
AllocationProtect: 00000040  PAGE_EXECUTE_READWRITE
RegionSize:        00001000
State:             00002000  MEM_RESERVE
Type:              00020000  MEM_PRIVATE
[COLOR=Blue]//完全释放内存[/COLOR]
0:000> [COLOR=Red].dvfree 00390000 0[/COLOR]
Freed 0 bytes starting at 00390000
[COLOR=Blue]//查看内存属性[/COLOR]
0:000> [COLOR=Red]!vprot 00390000 [/COLOR]
BaseAddress:       00390000
AllocationBase:    00000000
RegionSize:        00070000
State:             00010000  MEM_FREE
Protect:           00000001  PAGE_NOACCESS

21. 查看内存属性：!vprot
!vprot指令类似与VirtualQuery 函数。可以获取一个内存块的各种属性。

0:000>[COLOR=Red] !vprot 400000[/COLOR]
BaseAddress:       00400000
AllocationBase:    00400000
AllocationProtect: 00000080  PAGE_EXECUTE_WRITECOPY
RegionSize:        00001000
State:             00001000  MEM_COMMIT
Protect:           00000002  PAGE_READONLY
Type:              01000000  MEM_IMAGE
0:000>[COLOR=Red] !vprot 500000[/COLOR]
BaseAddress:       00500000
AllocationBase:    00000000
RegionSize:        0fb00000
State:             00010000  MEM_FREE
Protect:           00000001  PAGE_NOACCESS

22. 查询内存信息命令: !address
!address命令可以按照性质(image or stack or heap or filemap...)、类型(MEM_IMAGE or MEM_MAPPED or MEM_PRIVATE) 、状态(MEM_COMMIT or MEM_FREE or MEM_RESERVE )、保护属性(PAGE_NOACCESS or PAGE_READONLY ...)等组合查询某一组内存列表。

[COLOR=Blue]//查看400000地址信息，类似!vprot[/COLOR]
0:000> [COLOR=Red]!address 400000[/COLOR]
Usage:                  Image
Allocation Base:        00400000
Base Address:           00400000
End Address:            00401000
Region Size:            00001000
Type:                   01000000    MEM_IMAGE
State:                  00001000    MEM_COMMIT
Protect:                00000002    PAGE_READONLY
More info:              lmv m PEViewer
More info:              !lmi PEViewer
More info:              ln 0x400000
 
[COLOR=Blue]//查看属于Image,Heap,Stack 性质的内存信息[/COLOR]
0:000> [COLOR=Red]!address /f:Image,Heap,Stack [/COLOR]
 
  BaseAddr EndAddr+1 RgnSize     Type       State                 Protect             Usage
-------------------------------------------------------------------------------------------
   30000   12d000    fd000 MEM_PRIVATE MEM_RESERVE                                    Stack [a38.d98; ~0]
  12d000   12e000     1000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE|PAGE_GUARD          Stack [a38.d98; ~0]
  12e000   130000     2000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     Stack [a38.d98; ~0]
  400000   401000     1000 MEM_IMAGE   MEM_COMMIT  PAGE_READONLY                      Image "PEViewer.exe"
  401000   411000    10000 MEM_IMAGE   MEM_COMMIT  PAGE_EXECUTE_WRITECOPY             Image "PEViewer.exe"
  411000   434000    23000 MEM_IMAGE   MEM_COMMIT  PAGE_EXECUTE_READ                  Image "PEViewer.exe"
  434000   43c000     8000 MEM_IMAGE   MEM_COMMIT  PAGE_READONLY                      Image "PEViewer.exe"
  43c000   43d000     1000 MEM_IMAGE   MEM_COMMIT  PAGE_WRITECOPY                     Image "PEViewer.exe"
  43d000   43e000     1000 MEM_IMAGE   MEM_COMMIT  PAGE_READWRITE                     Image "PEViewer.exe"
  43e000   43f000     1000 MEM_IMAGE   MEM_COMMIT  PAGE_WRITECOPY                     Image "PEViewer.exe"
  43f000   449000     a000 MEM_IMAGE   MEM_COMMIT  PAGE_READONLY                      Image "PEViewer.exe"
10200000 10201000     1000 MEM_IMAGE   MEM_COMMIT  PAGE_READONLY                      Image "C:\WINDOWS\system32\MSVCR100D.dll"
10201000 1035e000   15d000 MEM_IMAGE   MEM_COMMIT  PAGE_EXECUTE_READ                  Image "C:\WINDOWS\system32\MSVCR100D.dll"
1035e000 10364000     6000 MEM_IMAGE   MEM_COMMIT  PAGE_WRITECOPY                     Image "C:\WINDOWS\system32\MSVCR100D.dll"
10364000 10372000     e000 MEM_IMAGE   MEM_COMMIT  PAGE_READONLY                      Image "C:\WINDOWS\system32\MSVCR100D.dll"
10480000 10481000     1000 MEM_IMAGE   MEM_COMMIT  PAGE_READONLY                      Image "C:\WINDOWS\system32\MSVCP100D.dll"
10481000 1052c000    ab000 MEM_IMAGE   MEM_COMMIT  PAGE_EXECUTE_READ                  Image "C:\WINDOWS\system32\MSVCP100D.dll"
1052c000 10530000     4000 MEM_IMAGE   MEM_COMMIT  PAGE_WRITECOPY                     Image "C:\WINDOWS\system32\MSVCP100D.dll"
10530000 10537000     7000 MEM_IMAGE   MEM_COMMIT  PAGE_READONLY                      Image "C:\WINDOWS\system32\MSVCP100D.dll"
5d170000 5d171000     1000 MEM_IMAGE   MEM_COMMIT  PAGE_READONLY                      Image "C:\WINDOWS\system32\COMCTL32.dll"
5d171000 5d1e2000    71000 MEM_IMAGE   MEM_COMMIT  PAGE_EXECUTE_READ                  Image "C:\WINDOWS\system32\COMCTL32.dll"
5d1e2000 5d1e5000     3000 MEM_IMAGE   MEM_COMMIT  PAGE_WRITECOPY                     Image "C:\WINDOWS\system32\COMCTL32.dll"
5d1e5000 5d20a000    25000 MEM_IMAGE   MEM_COMMIT  PAGE_READONLY                      Image "C:\WINDOWS\system32\COMCTL32.dll"
762f0000 762f1000     1000 MEM_IMAGE   MEM_COMMIT  PAGE_READONLY                      Image "C:\WINDOWS\system32\MSIMG32.dll"
762f1000 762f2000     1000 MEM_IMAGE   MEM_COMMIT  PAGE_EXECUTE_READ                  Image "C:\WINDOWS\system32\MSIMG32.dll"
762f2000 762f3000     1000 MEM_IMAGE   MEM_COMMIT  PAGE_WRITECOPY                     Image "C:\WINDOWS\system32\MSIMG32.dll"
762f3000 762f5000     2000 MEM_IMAGE   MEM_COMMIT  PAGE_READONLY                      Image "C:\WINDOWS\system32\MSIMG32.dll"
76990000 76991000     1000 MEM_IMAGE   MEM_COMMIT  PAGE_READONLY                      Image "C:\WINDOWS\system32\ole32.dll"
76991000 76ab6000   125000 MEM_IMAGE   MEM_COMMIT  PAGE_EXECUTE_READ                  Image "C:\WINDOWS\system32\ole32.dll"
76ab6000 76abd000     7000 MEM_IMAGE   MEM_COMMIT  PAGE_WRITECOPY                     Image "C:\WINDOWS\system32\ole32.dll"
76abd000 76acd000    10000 MEM_IMAGE   MEM_COMMIT  PAGE_READONLY                      Image "C:\WINDOWS\system32\ole32.dll"
770f0000 770f1000     1000 MEM_IMAGE   MEM_COMMIT  PAGE_READONLY                      Image "C:\WINDOWS\system32\OLEAUT32.dll"
770f1000 77171000    80000 MEM_IMAGE   MEM_COMMIT  PAGE_EXECUTE_READ                  Image "C:\WINDOWS\system32\OLEAUT32.dll"
77171000 77174000     3000 MEM_IMAGE   MEM_COMMIT  PAGE_WRITECOPY                     Image "C:\WINDOWS\system32\OLEAUT32.dll"
77174000 7717b000     7000 MEM_IMAGE   MEM_COMMIT  PAGE_READONLY                      Image "C:\WINDOWS\system32\OLEAUT32.dll"
77be0000 77be1000     1000 MEM_IMAGE   MEM_COMMIT  PAGE_READONLY                      Image "C:\WINDOWS\system32\msvcrt.dll"
77be1000 77c2d000    4c000 MEM_IMAGE   MEM_COMMIT  PAGE_EXECUTE_READ                  Image "C:\WINDOWS\system32\msvcrt.dll"
77c2d000 77c34000     7000 MEM_IMAGE   MEM_COMMIT  PAGE_WRITECOPY                     Image "C:\WINDOWS\system32\msvcrt.dll"
77c34000 77c38000     4000 MEM_IMAGE   MEM_COMMIT  PAGE_READONLY                      Image "C:\WINDOWS\system32\msvcrt.dll"
77d10000 77d11000     1000 MEM_IMAGE   MEM_COMMIT  PAGE_READONLY                      Image "C:\WINDOWS\system32\USER32.dll"
77d11000 77d71000    60000 MEM_IMAGE   MEM_COMMIT  PAGE_EXECUTE_READ                  Image "C:\WINDOWS\system32\USER32.dll"
77d71000 77d73000     2000 MEM_IMAGE   MEM_COMMIT  PAGE_WRITECOPY                     Image "C:\WINDOWS\system32\USER32.dll"
77d73000 77da0000    2d000 MEM_IMAGE   MEM_COMMIT  PAGE_READONLY                      Image "C:\WINDOWS\system32\USER32.dll"
77da0000 77da1000     1000 MEM_IMAGE   MEM_COMMIT  PAGE_READONLY                      Image "C:\WINDOWS\system32\ADVAPI32.dll"
77da1000 77e16000    75000 MEM_IMAGE   MEM_COMMIT  PAGE_EXECUTE_READ                  Image "C:\WINDOWS\system32\ADVAPI32.dll"
77e16000 77e1b000     5000 MEM_IMAGE   MEM_COMMIT  PAGE_WRITECOPY                     Image "C:\WINDOWS\system32\ADVAPI32.dll"
77e1b000 77e49000    2e000 MEM_IMAGE   MEM_COMMIT  PAGE_READONLY                      Image "C:\WINDOWS\system32\ADVAPI32.dll"
77e50000 77e51000     1000 MEM_IMAGE   MEM_COMMIT  PAGE_READONLY                      Image "C:\WINDOWS\system32\RPCRT4.dll"
77e51000 77edb000    8a000 MEM_IMAGE   MEM_COMMIT  PAGE_EXECUTE_READ                  Image "C:\WINDOWS\system32\RPCRT4.dll"
77edb000 77edc000     1000 MEM_IMAGE   MEM_COMMIT  PAGE_WRITECOPY                     Image "C:\WINDOWS\system32\RPCRT4.dll"
77edc000 77ee2000     6000 MEM_IMAGE   MEM_COMMIT  PAGE_READONLY                      Image "C:\WINDOWS\system32\RPCRT4.dll"
77ef0000 77ef1000     1000 MEM_IMAGE   MEM_COMMIT  PAGE_READONLY                      Image "C:\WINDOWS\system32\GDI32.dll"
77ef1000 77f34000    43000 MEM_IMAGE   MEM_COMMIT  PAGE_EXECUTE_READ                  Image "C:\WINDOWS\system32\GDI32.dll"
77f34000 77f36000     2000 MEM_IMAGE   MEM_COMMIT  PAGE_WRITECOPY                     Image "C:\WINDOWS\system32\GDI32.dll"
77f36000 77f39000     3000 MEM_IMAGE   MEM_COMMIT  PAGE_READONLY                      Image "C:\WINDOWS\system32\GDI32.dll"
77f40000 77f41000     1000 MEM_IMAGE   MEM_COMMIT  PAGE_READONLY                      Image "C:\WINDOWS\system32\SHLWAPI.dll"
77f41000 77fad000    6c000 MEM_IMAGE   MEM_COMMIT  PAGE_EXECUTE_READ                  Image "C:\WINDOWS\system32\SHLWAPI.dll"
77fad000 77fae000     1000 MEM_IMAGE   MEM_COMMIT  PAGE_WRITECOPY                     Image "C:\WINDOWS\system32\SHLWAPI.dll"
77fae000 77fb6000     8000 MEM_IMAGE   MEM_COMMIT  PAGE_READONLY                      Image "C:\WINDOWS\system32\SHLWAPI.dll"
77fc0000 77fc1000     1000 MEM_IMAGE   MEM_COMMIT  PAGE_READONLY                      Image "C:\WINDOWS\system32\Secur32.dll"
77fc1000 77fce000     d000 MEM_IMAGE   MEM_COMMIT  PAGE_EXECUTE_READ                  Image "C:\WINDOWS\system32\Secur32.dll"
77fce000 77fcf000     1000 MEM_IMAGE   MEM_COMMIT  PAGE_WRITECOPY                     Image "C:\WINDOWS\system32\Secur32.dll"
77fcf000 77fd1000     2000 MEM_IMAGE   MEM_COMMIT  PAGE_READONLY                      Image "C:\WINDOWS\system32\Secur32.dll"
78b60000 78b61000     1000 MEM_IMAGE   MEM_COMMIT  PAGE_READONLY                      Image "C:\WINDOWS\system32\mfc100d.dll"
78b61000 79070000   50f000 MEM_IMAGE   MEM_COMMIT  PAGE_EXECUTE_READ                  Image "C:\WINDOWS\system32\mfc100d.dll"
79070000 79080000    10000 MEM_IMAGE   MEM_COMMIT  PAGE_WRITECOPY                     Image "C:\WINDOWS\system32\mfc100d.dll"
79080000 79203000   183000 MEM_IMAGE   MEM_COMMIT  PAGE_READONLY                      Image "C:\WINDOWS\system32\mfc100d.dll"
7c800000 7c801000     1000 MEM_IMAGE   MEM_COMMIT  PAGE_READONLY                      Image "C:\WINDOWS\system32\kernel32.dll"
7c801000 7c885000    84000 MEM_IMAGE   MEM_COMMIT  PAGE_EXECUTE_READ                  Image "C:\WINDOWS\system32\kernel32.dll"
7c885000 7c888000     3000 MEM_IMAGE   MEM_COMMIT  PAGE_READWRITE                     Image "C:\WINDOWS\system32\kernel32.dll"
7c888000 7c88a000     2000 MEM_IMAGE   MEM_COMMIT  PAGE_WRITECOPY                     Image "C:\WINDOWS\system32\kernel32.dll"
7c88a000 7c91e000    94000 MEM_IMAGE   MEM_COMMIT  PAGE_READONLY                      Image "C:\WINDOWS\system32\kernel32.dll"
7c920000 7c921000     1000 MEM_IMAGE   MEM_COMMIT  PAGE_READONLY                      Image "ntdll.dll"
7c921000 7c99b000    7a000 MEM_IMAGE   MEM_COMMIT  PAGE_EXECUTE_READ                  Image "ntdll.dll"
7c99b000 7c99e000     3000 MEM_IMAGE   MEM_COMMIT  PAGE_READWRITE                     Image "ntdll.dll"
7c99e000 7c9a0000     2000 MEM_IMAGE   MEM_COMMIT  PAGE_WRITECOPY                     Image "ntdll.dll"
7c9a0000 7c9b3000    13000 MEM_IMAGE   MEM_COMMIT  PAGE_READONLY                      Image "ntdll.dll"

23. 从文件中读入数据到内存指令: .readmem
直接使用例子演示。我在c盘下建立一个hello.txt的文件。
文件中是一句话：hello pediy, I'm ddlx.
下面我把这个文件读入到内存

[COLOR=Blue]//分配一块内存[/COLOR]
0:000> [COLOR=Red].dvalloc 100[/COLOR]
Allocated 1000 bytes starting at 00390000
[COLOR=Blue]//查看内存数据[/COLOR]
0:000>[COLOR=Red] db 00390000[/COLOR]
00390000  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
00390010  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
00390020  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
00390030  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
00390040  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
00390050  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
00390060  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
00390070  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
[COLOR=Blue]//把c:\hello.txt文件中的内容读入到00390000内存中[/COLOR]
0:000>[COLOR=Red] .readmem c:\hello.txt 00390000 L0n22[/COLOR]
Reading 16 bytes.
[COLOR=Blue]//查看内存数据[/COLOR]
0:000> [COLOR=Red]db 00390000[/COLOR]
00390000  68 65 6c 6c 6f 20 70 65-64 69 79 2c 20 49 27 6d  hello pediy, I'm
00390010  20 64 64 6c 78 2e 00 00-00 00 00 00 00 00 00 00   ddlx...........
00390020  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
00390030  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
00390040  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
00390050  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
00390060  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
00390070  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................

24. Dump内存指令：.writemem
我们经常会存在如下需求：有一个程序是压缩壳，需要把解压后的代码Dump出来；为了分析某些数据，需要把某个内存块Dump出来。那使用.writemem把。
.writemem与.readmem类似，是他的逆操作。

[COLOR=Blue]//演示吧peviewer的整个镜像写入文件
//查看peviewer模块信息[/COLOR]
0:000>[COLOR=Red] lm m peviewer[/COLOR]
start    end        module name
00400000 00449000   PEViewer C (private pdb symbols)  C:\Documents and Settings\Administrator\桌面\PEViewer0.9\PEViewer\Debug\PEViewer.pdb
[COLOR=Blue]//dump到文件c:\dump_peviewer.exe[/COLOR]
0:000> [COLOR=Red].writemem c:\dump_peviewer.exe 00400000 00449000-1[/COLOR]
Writing 49000 bytes..................................................................................................................................................

上传的附件：

dump_peviewer.JPG （101.70kb，21次下载）

2013-9-15 11:21

ddlx

雪币： 541

活跃值： (654)

能力值：

( LV12，RANK：250 )

在线值：

发帖

回帖

245

粉丝

关注

私信

ddlx 5: 14 楼

25. 读内存指令：d
读指令是最常用的指令之一。它负责按照指定的格式，格式化输出内存数据。下面介绍一下读各种数据的方法：

[COLOR=Blue]//分配内存[/COLOR]
0:000>[COLOR=Red] .dvalloc 1000[/COLOR]
Allocated 1000 bytes starting at 003a0000
[COLOR=Blue]//写入unicode字符串在003a0000地址处[/COLOR]
0:000> [COLOR=Red]eu 003a0000 "my unicode string."[/COLOR]
[COLOR=Blue]//写入ascii字符串在003a0026地址处[/COLOR]
0:000> [COLOR=Red]ea 003a0026 "my ascii string."[/COLOR]
[COLOR=Blue]//按照单字节和ASCII字符串读取[/COLOR]
0:000> [COLOR=Red]db 003a0000[/COLOR]
003a0000  6d 00 79 00 20 00 75 00-6e 00 69 00 63 00 6f 00  m.y. .u.n.i.c.o.
003a0010  64 00 65 00 20 00 73 00-74 00 72 00 69 00 6e 00  d.e. .s.t.r.i.n.
003a0020  67 00 2e 00 00 00 6d 79-20 61 73 63 69 69 20 73  g.....my ascii s
003a0030  74 72 69 6e 67 2e 00 00-00 00 00 00 00 00 00 00  tring...........
003a0040  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
003a0050  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
003a0060  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
003a0070  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
0:000> [COLOR=Red]da 003a0000  [/COLOR]
003a0000  "m"
0:000> [COLOR=Red]da 003a0026  [/COLOR]
003a0026  "my ascii string."
0:000> [COLOR=Red]dc 003a0000  l10[/COLOR]
003a0000  0079006d 00750020 0069006e 006f0063  m.y. .u.n.i.c.o.
003a0010  00650064 00730020 00720074 006e0069  d.e. .s.t.r.i.n.
003a0020  002e0067 796d0000 63736120 73206969  g.....my ascii s
003a0030  6e697274 00002e67 00000000 00000000  tring...........
[COLOR=Blue]//按照4字节读取,读取0x10个单位[/COLOR]
0:000> [COLOR=Red]dd 003a0000  l10[/COLOR]
003a0000  0079006d 00750020 0069006e 006f0063
003a0010  00650064 00730020 00720074 006e0069
003a0020  002e0067 796d0000 63736120 73206969
003a0030  6e697274 00002e67 00000000 00000000
0:000> [COLOR=Red]dD 003a0000  l8[/COLOR]
003a0000      1.86910550213e-306     1.37961301819e-306     1.69109959303e-306
003a0018      1.33511561534e-306     8.03237601403e+276     3.58592943091e+246
003a0030      2.52081032102e-310                      0
0:000> [COLOR=Red]df 003a0000  l10[/COLOR]
003a0000    1.1112248e-038   1.0744798e-038   9.6428812e-039   1.0193879e-038
003a0010    9.2755252e-039   1.0561127e-038   1.0469409e-038   1.0102052e-038
003a0020    4.2245772e-039   7.6910897e+034   4.4895574e+021   1.2709129e+031
003a0030    1.8062093e+028   1.6646024e-041                0                0
0:000> [COLOR=Red]dp 003a0000  l10[/COLOR]
003a0000  0079006d 00750020 0069006e 006f0063
003a0010  00650064 00730020 00720074 006e0069
003a0020  002e0067 796d0000 63736120 73206969
003a0030  6e697274 00002e67 00000000 00000000
0:000> [COLOR=Red]dq 003a0000  l8[/COLOR]
003a0000  00750020`0079006d 006f0063`0069006e
003a0010  00730020`00650064 006e0069`00720074
003a0020  796d0000`002e0067 73206969`63736120
003a0030  00002e67`6e697274 00000000`00000000
0:000> [COLOR=Red]du 003a0000  [/COLOR]
003a0000  "my unicode string."
0:000>[COLOR=Red] dw 003a0000  l20[/COLOR]
003a0000  006d 0079 0020 0075 006e 0069 0063 006f
003a0010  0064 0065 0020 0073 0074 0072 0069 006e
003a0020  0067 002e 0000 796d 6120 6373 6969 7320
003a0030  7274 6e69 2e67 0000 0000 0000 0000 0000
0:000>[COLOR=Red] dW 003a0000  l20[/COLOR]
003a0000  006d 0079 0020 0075 006e 0069 0063 006f  m.y. .u.n.i.c.o.
003a0010  0064 0065 0020 0073 0074 0072 0069 006e  d.e. .s.t.r.i.n.
003a0020  0067 002e 0000 796d 6120 6373 6969 7320  g.....my ascii s
003a0030  7274 6e69 2e67 0000 0000 0000 0000 0000  tring...........
0:000> [COLOR=Red]dyb 003a0000  l10[/COLOR]
          76543210 76543210 76543210 76543210
          -------- -------- -------- --------
003a0000  01101101 00000000 01111001 00000000  6d 00 79 00
003a0004  00100000 00000000 01110101 00000000  20 00 75 00
003a0008  01101110 00000000 01101001 00000000  6e 00 69 00
003a000c  01100011 00000000 01101111 00000000  63 00 6f 00
0:000>[COLOR=Red] dyd 003a0000  l4[/COLOR]
           3          2          1          0
          10987654 32109876 54321098 76543210
          -------- -------- -------- --------
003a0000  00000000 01111001 00000000 01101101  0079006d
003a0004  00000000 01110101 00000000 00100000  00750020
003a0008  00000000 01101001 00000000 01101110  0069006e
003a000c  00000000 01101111 00000000 01100011  006f0063
0:000> [COLOR=Red].dvfree 003a0000 0[/COLOR]
Freed 0 bytes starting at 003a0000

26. 显示符号表指令： dds、dps、dqs
这个常用在查看虚函数表、导入地址等操作时使用。

[COLOR=Blue]
//查看导入地址表[/COLOR]
0:000> [COLOR=Red]dps 0043D798 l10[/COLOR]
0043d798  7c809832 kernel32!InterlockedCompareExchange
0043d79c  7c933405 ntdll!RtlDecodePointer
0043d7a0  7c80981e kernel32!InterlockedExchange
0043d7a4  7c802446 kernel32!Sleep
0043d7a8  7c839481 kernel32!HeapSetInformation
0043d7ac  7c801e54 kernel32!GetStartupInfoW
0043d7b0  7c80a164 kernel32!WideCharToMultiByte
0043d7b4  7c813123 kernel32!IsDebuggerPresent
0043d7b8  7c809c88 kernel32!MultiByteToWideChar
0043d7bc  7c812a99 kernel32!RaiseException
0043d7c0  7c809856 kernel32!MulDiv
0043d7c4  7c80be46 kernel32!lstrlenA
0043d7c8  7c80ae30 kernel32!GetProcAddress
0043d7cc  7c80aedb kernel32!LoadLibraryW
0043d7d0  7c801e1a kernel32!TerminateProcess
0043d7d4  7c80de85 kernel32!GetCurrentProcess

27. 查看ascii字符串数组命令： dda、dpa、dqa

0:000>[COLOR=Red] .dvalloc 1000[/COLOR]
Allocated 1000 bytes starting at 003a0000
0:000> [COLOR=Red]ea 003a0020 "string1"[/COLOR]
0:000>[COLOR=Red] ea 003a0030 "string2"[/COLOR]
0:000>[COLOR=Red] ea 003a0040 "string3"[/COLOR]
0:000> [COLOR=Red]ea 003a0050 "string4"[/COLOR]
0:000>[COLOR=Red] ea 003a0060 "string5"[/COLOR]
0:000> [COLOR=Red]ea 003a0070 "string6"[/COLOR]
0:000> [COLOR=Red]ed 003a0000 003a0020 003a0030 003a0040 003a0050 003a0060 003a0070 [/COLOR]
0:000> [COLOR=Red]dpa 003a0000 l8[/COLOR]
003a0000  003a0020 "string1"
003a0004  003a0030 "string2"
003a0008  003a0040 "string3"
003a000c  003a0050 "string4"
003a0010  003a0060 "string5"
003a0014  003a0070 "string6"
003a0018  00000000
003a001c  00000000

28. unicode字符串数组查看： ddu、 dqu、 dpu

[COLOR=Blue]//内存清0[/COLOR]
0:000> [COLOR=Red].for (r $t1=0; @$t1<8*20; r$t1=@$t1+8){eq 003a0000+$t1 0;}[/COLOR]
[COLOR=Blue]//构造unicode字符串数组[/COLOR]
0:000> .[COLOR=Red]for (r $t1=0; @$t1<6; r$t1=@$t1+1){r $t2=(003a0020+(@$t1*20)); ed 003a0000+@$t1*4 @$t2; eu @$t2 "ustring"; ew @$t2+0n14 @$t1+'1';}[/COLOR]
[COLOR=Blue]//显示字符串数组[/COLOR]
0:000> [COLOR=Red]dpu 003a0000 l8[/COLOR]
003a0000  003a0020 "ustring1"
003a0004  003a0040 "ustring2"
003a0008  003a0060 "ustring3"
003a000c  003a0080 "ustring4"
003a0010  003a00a0 "ustring5"
003a0014  003a00c0 "ustring6"
003a0018  00000000
003a001c  00000000

29. 内存写入操作命令： e
写指令是负责按照指定的格式，格式化输出内存数据，对命令中已经看到部分写命令的用法。下面介绍一下写各种数据的方法：

0:000> [COLOR=Red]ea 003a0000 "ascii string"[/COLOR]
0:000> [COLOR=Red]da 003a0000 [/COLOR]
003a0000  "ascii string"
0:000> [COLOR=Red]eb 003a0000 1 2 3 4 [/COLOR]
0:000> [COLOR=Red]db 003a0000 l4[/COLOR]
003a0000  01 02 03 04                                      ....
0:000>[COLOR=Red] ed 003a0000 1 2 3 4[/COLOR]
0:000> [COLOR=Red]dd 003a0000 l4[/COLOR]
003a0000  00000001 00000002 00000003 00000004
0:000> [COLOR=Red]eD 003a0000 1.2 2.3 3.4 4.5[/COLOR]
0:000> [COLOR=Red]dD 003a0000 l4[/COLOR]
003a0000                     1.2                    2.3                    3.4
003a0018                     4.5
0:000> [COLOR=Red]ef 003a0000 1.2 2.3 3.4 4.5[/COLOR]
0:000> [COLOR=Red]df 003a0000 l4[/COLOR]
003a0000               1.2              2.3        3.4000001              4.5
0:000> [COLOR=Red]ep 003a0000 0x400000 0x500000 0x600000[/COLOR]
0:000> [COLOR=Red]dp 003a0000 l3[/COLOR]
003a0000  00400000 00500000 00600000
0:000> [COLOR=Red]eq 003a0000 0x400000`123 0x500000`456 0x600000`789[/COLOR]
0:000> [COLOR=Red]dq 003a0000 l3[/COLOR]
003a0000  00000004`00000123 00000005`00000456
003a0010  00000006`00000789
0:000> [COLOR=Red]eu 003a0000 "unicodestring"[/COLOR]
0:000> [COLOR=Red]du 003a0000 [/COLOR]
003a0000  "unicodestring"
0:000> [COLOR=Red]ew 003a0000 123 456 789[/COLOR]
0:000> [COLOR=Red]dw 003a0000  l3[/COLOR]
003a0000  0123 0456 0789

30. 内存搜索指令： s
内存搜索指令，在查找某种类型的数据的时候非常有用，我们来看一下内存搜索指令的用法

[COLOR=Blue]//内存清0[/COLOR]
0:000> [COLOR=Red].for (r $t1=0; @$t1< 100; r$t1=@$t1+1){eb 003a0000+$t1 0;}[/COLOR]
/[COLOR=Blue]/写入数据[/COLOR]
0:000>[COLOR=Red] eu 003a0000 "ustring1"[/COLOR]
0:000> [COLOR=Red]eu 003a0010 "ustring2"[/COLOR]
0:000> [COLOR=Red]ea 003a0030 "astring1"[/COLOR]
0:000> [COLOR=Red]ea 003a0040 "astring2"[/COLOR]
[COLOR=Blue]//搜索ascii字符串[/COLOR]
0:000> [COLOR=Red]s -a 003a0000  l1000 "string"[/COLOR]
003a0031  73 74 72 69 6e 67 31 00-00 00 00 00 00 00 00 61  string1........a
003a0041  73 74 72 69 6e 67 32 00-00 00 00 00 00 00 00 00  string2.........
/[COLOR=Blue]/搜索unicode字符串[/COLOR]
0:000>[COLOR=Red] s -u 003a0000  l1000 "string"[/COLOR]
003a0002  0073 0074 0072 0069 006e 0067 0031 0075  s.t.r.i.n.g.1.u.
003a0012  0073 0074 0072 0069 006e 0067 0032 0000  s.t.r.i.n.g.2...
[COLOR=Blue]//搜索word数值[/COLOR]
0:000>[COLOR=Red] s -w 003a0000  l1000 69 67[/COLOR]
0:000> [COLOR=Red]s -w 003a0000  l1000 69 6e[/COLOR]
003a0008  0069 006e 0067 0031 0075 0073 0074 0072  i.n.g.1.u.s.t.r.
003a0018  0069 006e 0067 0032 0000 0000 0000 0000  i.n.g.2.........
0:000>[COLOR=Red] .dvfree 003a0000  0[/COLOR]
Freed 0 bytes starting at 003a0000

31. 物理内存读写操作指令
!d 读物理内存
!e 写物理内存
这两个用的很少。不做过多介绍

lkd>[COLOR=Red] !db 0x1000[/COLOR]
#    1000 30 32 00 00 01 00 00 00-00 00 00 00 f8 6f ff 23 02...........o.#
#    1010 58 7b 00 24 0c 97 43 23-04 7c 00 24 0f 00 00 00 X{.$..C#.|.$....
#    1020 00 00 00 00 34 70 ff 23-00 00 00 00 00 00 00 00 ....4p.#........
#    1030 00 00 00 00 14 70 ff 23-00 00 00 00 bc 70 ff 23 .....p.#.....p.#
#    1040 bc 6f ff 23 00 00 00 00-c4 7d 01 00 91 45 05 00 .o.#.....}...E..
#    1050 09 00 00 00 00 00 00 00-00 00 00 00 01 02 00 00 ................
#    1060 00 00 00 00 8c 70 ff 23-00 00 00 00 00 00 00 00 .....p.#........
#    1070 01 14 00 00 28 00 04 44-4e 53 5f 54 59 50 45 5f ....(..DNS_TYPE_