[SIZE="4"][FONT="微软雅黑"]kd> !vm
1: kd> !vm
*** Virtual Memory Usage ***
Physical Memory: 851757 ( 3407028 Kb)
Page File: \??\C:\pagefile.sys
Current: 3407028 Kb Free Space: 3407024 Kb
Minimum: 3407028 Kb Maximum: 4193280 Kb
Available Pages: 699186 ( 2796744 Kb)
ResAvail Pages: 757454 ( 3029816 Kb)
Locked IO Pages: 0 ( 0 Kb)
Free System PTEs: 370673 ( 1482692 Kb)
Modified Pages: 9799 ( 39196 Kb)
Modified PF Pages: 9798 ( 39192 Kb)
NonPagedPool Usage: 0 ( 0 Kb)
NonPagedPoolNx Usage: 8735 ( 34940 Kb)
NonPagedPool Max: 522368 ( 2089472 Kb)
PagedPool 0 Usage: 17573 ( 70292 Kb)
PagedPool 1 Usage: 2417 ( 9668 Kb)
PagedPool 2 Usage: 0 ( 0 Kb)
PagedPool 3 Usage: 0 ( 0 Kb)
PagedPool 4 Usage: 28 ( 112 Kb)
PagedPool Usage: 20018 ( 80072 Kb)
PagedPool Maximum: 523264 ( 2093056 Kb)[/FONT][/SIZE]

[FONT="微软雅黑"][SIZE="4"]lkd> ? poi(MmMaximumNonPagedPoolInBytes)
Evaluate expression: 2139619328 = 7f880000
lkd> ? poi(MmSizeOfPagedPoolInBytes)
Evaluate expression: 2143289344 = 7fc00000[/SIZE][/FONT]

[FONT="微软雅黑"][SIZE="4"][COLOR="Black"]//
//    Copyright (C) Microsoft.  All rights reserved.
//
rem
rem    Pooltag.txt
rem
rem    This file lists the tags used for pool allocations by kernel mode components
rem    and drivers.
rem
rem    The file has the following format:
rem       <PoolTag> - <binary-name> - <Description>
rem
rem    Pooltag.txt is installed with Debugging Tools for Windows (in %windbg%\triage)
rem    and with the Windows DDK (in %winddk%\tools\other\platform\poolmon, where
rem    platform is amd64, i386, or arm).
rem

@GMM - <unknown>    - (Intel video driver) Memory manager
@KCH - <unknown>    - (Intel video driver) Chipset specific service
@MP  - <unknown>    - (Intel video driver) Miniport related memory
@SB  - <unknown>    - (Intel video driver) Soft BIOS

_ATI - <unknown>    - ATI video driver

_LCD - monitor.sys  - Monitor PDO name buffer

8042 - i8042prt.sys - PS/2 keyboard and mouse

AdSv - vmsrvc.sys   - Virtual Machines Additions Service
ARPC - atmarpc.sys  - ATM ARP Client[/COLOR][/SIZE][/FONT]

[FONT="微软雅黑"][SIZE="4"][COLOR="Black"]strings %SYSTEMROOT%\system32\drivers\*.sys | findstr /i "abcd"[/COLOR][/SIZE][/FONT]

[FONT="微软雅黑"][SIZE="4"][COLOR="Black"]Strings %SystemRoot%\system32\drivers\*.sys | findstr Leak[/COLOR][/SIZE][/FONT]

[FONT="微软雅黑"][SIZE="4"][B]0:000> !heap -i 001a0000[/B]       //通过堆句柄指定特定堆的上下文
[B]Heap context set to the heap 0x001a0000 [/B]       
[B]0:000> !heap -i 1e2570 [/B]       //显示堆内特定块的信息
[B]Detailed information for block entry 001e2570[/B]
[B]Assumed heap : 0x001a0000 (Use !heap -i NewHeapHandle to change)[/B]
[B]Header content : 0x1570F4EC 0x0C0015BE (decoded : 0x07010006 0x0C00000D) [/B]       //该块的头部内容
[B]Owning segment : 0x001a0000 (offset 0) [/B]       //块所属的段，此例中所属段与所属堆相同
[B]Block flags : 0x1 (busy ) [/B]       //块标志，此例中该块处于忙碌状态
[B]Total block size : 0x6 units (0x30 bytes) [/B]       //块的总大小为48字节，包括6个单元，每单元8字节
[B]Requested size : 0x24 bytes (unused 0xc bytes) [/B]       //应用程序请求分配的大小为36字节，另外12字节未使用（36+12=48）
[B]Previous block size: 0xd units (0x68 bytes)  [/B]      //前一个块大小为104字节，包括13个单元，每单元8字节
[B]Block CRC : OK - 0x7[/B]        //本块的CRC（循环冗余校验）校验和正确
[B]Previous block : 0x001e2508 [/B]       //前一个块在本堆中的入口点
[B]Next block : 0x001e25a0[/B]        //下一个块在本堆中的入口点（验证：0x001e25a0 - 0x001e2570 = 0x30 = 48字节）[/SIZE][/FONT]

[FONT="微软雅黑"][SIZE="4"][COLOR="Black"]C:\Program Files\Microsoft SDKs\Windows\v7.1>dumpbin /headers c:\windows\system32\smss.exe
Microsoft (R) COFF/PE Dumper Version 10.00.40219.01
Copyright (C) Microsoft Corporation. All rights reserved.
Dump of file c:\windows\system32\smss.exe
PE signature found
File Type: EXECUTABLE IMAGE
FILE HEADER VALUES
8664 machine (x64)
5 number of sections
4A5BC116 time date stamp Mon Jul 13 16:19:50 2009
0 file pointer to symbol table
0 number of symbols
F0 size of optional header
22 characteristics
Executable
Application can handle large (>2GB) addresses[/COLOR][/SIZE][/FONT]

[招生]科锐逆向工程师培训(2024年11月15日实地，远程教学同时开班, 第51期)