Windbg内存映射?

【问题标题】:Windbg memory map?Windbg内存映射?
【发布时间】:2014-05-08 11:26:07
【问题描述】:

如何在 Windbg 中获得类似于 Ollydbg 的内存映射功能的内存映射?我想按顺序查看地址空间列表,显示加载到每个范围内的内容,理想情况下显示内存保护。这是 Ollydbg 的内存映射的屏幕截图:

【问题讨论】:

  • Memory map in IDA Pro similar to OllyDbg 的可能重复项
  • @ThomasW。另一个问题是针对 IDA pro 而不是 Windbg。 IDA Pro 甚至不是调试器,它是一个静态分析工具。它们是完全不同的东西。

标签: debugging memory windbg ollydbg


【解决方案1】:

!address 准确显示此信息。它适用于用户模式和内核模式。用户态进程示例:


0:000> !address


        BaseAddress      EndAddress+1        RegionSize     Type       State                 Protect             Usage
------------------------------------------------------------------------------------------------------------------------
+        0`00000000        0`7ffe0000        0`7ffe0000             MEM_FREE    PAGE_NOACCESS                      Free
+        0`7ffe0000        0`7ffe1000        0`00001000 MEM_PRIVATE MEM_COMMIT  PAGE_READONLY                      Other      [User Shared Data]
         0`7ffe1000        0`7fff0000        0`0000f000 MEM_PRIVATE MEM_RESERVE                                    
+        0`7fff0000       db`475a0000       da`c75b0000             MEM_FREE    PAGE_NOACCESS                      Free
+       db`475a0000       db`475b0000        0`00010000 MEM_MAPPED  MEM_COMMIT  PAGE_READWRITE                     Heap       [ID: 1; Handle: 000000db475a0000; Type: Segment]
+       db`475b0000       db`475c0000        0`00010000             MEM_FREE    PAGE_NOACCESS                      Free
+       db`475c0000       db`475cf000        0`0000f000 MEM_MAPPED  MEM_COMMIT  PAGE_READONLY                      Other      [API Set Map]
+       db`475cf000       db`475d0000        0`00001000             MEM_FREE    PAGE_NOACCESS                      Free
+       db`475d0000       db`475d1000        0`00001000 MEM_PRIVATE MEM_RESERVE                                    Stack      [~0; 2a7c.19a8]
        db`475d1000       db`475d4000        0`00003000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE|PAGE_GUARD          Stack      [~0; 2a7c.19a8]
        db`475d4000       db`476d0000        0`000fc000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     Stack      [~0; 2a7c.19a8]
+       db`476d0000       db`476d4000        0`00004000 MEM_MAPPED  MEM_COMMIT  PAGE_READONLY                      Other      [System Default Activation Context Data]
+       db`476d4000       db`476e0000        0`0000c000             MEM_FREE    PAGE_NOACCESS                      Free
+       db`476e0000       db`476e1000        0`00001000 MEM_MAPPED  MEM_COMMIT  PAGE_READONLY                      Other      [Activation Context Data]
+       db`476e1000       db`476f0000        0`0000f000             MEM_FREE    PAGE_NOACCESS                      Free
+       db`476f0000       db`476f2000        0`00002000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     
+       db`476f2000       db`47700000        0`0000e000             MEM_FREE    PAGE_NOACCESS                      Free
+       db`47700000       db`4777e000        0`0007e000 MEM_MAPPED  MEM_COMMIT  PAGE_READONLY                      MappedFile "\Device\HarddiskVolume2\Windows\System32\locale.nls"
+       db`4777e000       db`478c0000        0`00142000             MEM_FREE    PAGE_NOACCESS                      Free
+       db`478c0000       db`478c6000        0`00006000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     Heap       [ID: 0; Handle: 000000db478c0000; Type: Segment]
        db`478c6000       db`479bf000        0`000f9000 MEM_PRIVATE MEM_RESERVE                                    Heap       [ID: 0; Handle: 000000db478c0000; Type: Segment]
        db`479bf000       db`479c0000        0`00001000 MEM_PRIVATE MEM_RESERVE                                    
+       db`479c0000     7ff7`3e0a0000     7f1b`f66e0000             MEM_FREE    PAGE_NOACCESS                      Free
+     7ff7`3e0a0000     7ff7`3e0a5000        0`00005000 MEM_MAPPED  MEM_COMMIT  PAGE_READONLY                      Other      [Read Only Shared Memory]
      7ff7`3e0a5000     7ff7`3e1a0000        0`000fb000 MEM_MAPPED  MEM_RESERVE                                    MappedFile "PageFile"
+     7ff7`3e1a0000     7ff7`3e1c3000        0`00023000 MEM_MAPPED  MEM_COMMIT  PAGE_READONLY                      Other      [NLS Tables]
+     7ff7`3e1c3000     7ff7`3e1c8000        0`00005000             MEM_FREE    PAGE_NOACCESS                      Free
+     7ff7`3e1c8000     7ff7`3e1c9000        0`00001000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     PEB        [2a7c]
+     7ff7`3e1c9000     7ff7`3e1ce000        0`00005000             MEM_FREE    PAGE_NOACCESS                      Free
+     7ff7`3e1ce000     7ff7`3e1d0000        0`00002000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     TEB        [~0; 2a7c.19a8]
+     7ff7`3e1d0000     7ff7`3f0f0000        0`00f20000             MEM_FREE    PAGE_NOACCESS                      Free
+     7ff7`3f0f0000     7ff7`3f0f1000        0`00001000 MEM_IMAGE   MEM_COMMIT  PAGE_READONLY                      Image      [cmd; "cmd.exe"]
      7ff7`3f0f1000     7ff7`3f11d000        0`0002c000 MEM_IMAGE   MEM_COMMIT  PAGE_EXECUTE_READ                  Image      [cmd; "cmd.exe"]
      7ff7`3f11d000     7ff7`3f11e000        0`00001000 MEM_IMAGE   MEM_COMMIT  PAGE_READWRITE                     Image      [cmd; "cmd.exe"]
      7ff7`3f11e000     7ff7`3f13a000        0`0001c000 MEM_IMAGE   MEM_COMMIT  PAGE_WRITECOPY                     Image      [cmd; "cmd.exe"]
      7ff7`3f13a000     7ff7`3f14b000        0`00011000 MEM_IMAGE   MEM_COMMIT  PAGE_READONLY                      Image      [cmd; "cmd.exe"]
+     7ff7`3f14b000     7ffd`07920000        5`c87d5000             MEM_FREE    PAGE_NOACCESS                      Free
+     7ffd`07920000     7ffd`07921000        0`00001000 MEM_IMAGE   MEM_COMMIT  PAGE_READONLY                      Image      [KERNELBASE; "C:\Windows\system32\KERNELBASE.dll"]
      7ffd`07921000     7ffd`07a0e000        0`000ed000 MEM_IMAGE   MEM_COMMIT  PAGE_EXECUTE_READ                  Image      [KERNELBASE; "C:\Windows\system32\KERNELBASE.dll"]
      7ffd`07a0e000     7ffd`07a11000        0`00003000 MEM_IMAGE   MEM_COMMIT  PAGE_READWRITE                     Image      [KERNELBASE; "C:\Windows\system32\KERNELBASE.dll"]
      7ffd`07a11000     7ffd`07a12000        0`00001000 MEM_IMAGE   MEM_COMMIT  PAGE_WRITECOPY                     Image      [KERNELBASE; "C:\Windows\system32\KERNELBASE.dll"]
      7ffd`07a12000     7ffd`07a2f000        0`0001d000 MEM_IMAGE   MEM_COMMIT  PAGE_READONLY                      Image      [KERNELBASE; "C:\Windows\system32\KERNELBASE.dll"]
+     7ffd`07a2f000     7ffd`07c60000        0`00231000             MEM_FREE    PAGE_NOACCESS                      Free
+     7ffd`07c60000     7ffd`07c61000        0`00001000 MEM_IMAGE   MEM_COMMIT  PAGE_READONLY                      Image      [KERNEL32; "C:\Windows\system32\KERNEL32.DLL"]
      7ffd`07c61000     7ffd`07d73000        0`00112000 MEM_IMAGE   MEM_COMMIT  PAGE_EXECUTE_READ                  Image      [KERNEL32; "C:\Windows\system32\KERNEL32.DLL"]
      7ffd`07d73000     7ffd`07d74000        0`00001000 MEM_IMAGE   MEM_COMMIT  PAGE_READWRITE                     Image      [KERNEL32; "C:\Windows\system32\KERNEL32.DLL"]
      7ffd`07d74000     7ffd`07d75000        0`00001000 MEM_IMAGE   MEM_COMMIT  PAGE_WRITECOPY                     Image      [KERNEL32; "C:\Windows\system32\KERNEL32.DLL"]
      7ffd`07d75000     7ffd`07d99000        0`00024000 MEM_IMAGE   MEM_COMMIT  PAGE_READONLY                      Image      [KERNEL32; "C:\Windows\system32\KERNEL32.DLL"]
+     7ffd`07d99000     7ffd`08200000        0`00467000             MEM_FREE    PAGE_NOACCESS                      Free
+     7ffd`08200000     7ffd`08201000        0`00001000 MEM_IMAGE   MEM_COMMIT  PAGE_READONLY                      Image      [msvcrt; "C:\Windows\system32\msvcrt.dll"]
      7ffd`08201000     7ffd`0828f000        0`0008e000 MEM_IMAGE   MEM_COMMIT  PAGE_EXECUTE_READ                  Image      [msvcrt; "C:\Windows\system32\msvcrt.dll"]
      7ffd`0828f000     7ffd`08290000        0`00001000 MEM_IMAGE   MEM_COMMIT  PAGE_READWRITE                     Image      [msvcrt; "C:\Windows\system32\msvcrt.dll"]
      7ffd`08290000     7ffd`08294000        0`00004000 MEM_IMAGE   MEM_COMMIT  PAGE_WRITECOPY                     Image      [msvcrt; "C:\Windows\system32\msvcrt.dll"]
      7ffd`08294000     7ffd`0829f000        0`0000b000 MEM_IMAGE   MEM_COMMIT  PAGE_READONLY                      Image      [msvcrt; "C:\Windows\system32\msvcrt.dll"]
      7ffd`0829f000     7ffd`082a1000        0`00002000 MEM_IMAGE   MEM_COMMIT  PAGE_EXECUTE                       Image      [msvcrt; "C:\Windows\system32\msvcrt.dll"]
      7ffd`082a1000     7ffd`082a7000        0`00006000 MEM_IMAGE   MEM_COMMIT  PAGE_READONLY                      Image      [msvcrt; "C:\Windows\system32\msvcrt.dll"]
+     7ffd`082a7000     7ffd`0a3d0000        0`02129000             MEM_FREE    PAGE_NOACCESS                      Free
+     7ffd`0a3d0000     7ffd`0a3d1000        0`00001000 MEM_IMAGE   MEM_COMMIT  PAGE_READONLY                      Image      [ntdll; "ntdll.dll"]
      7ffd`0a3d1000     7ffd`0a4f9000        0`00128000 MEM_IMAGE   MEM_COMMIT  PAGE_EXECUTE_READ                  Image      [ntdll; "ntdll.dll"]
      7ffd`0a4f9000     7ffd`0a4fa000        0`00001000 MEM_IMAGE   MEM_COMMIT  PAGE_READWRITE                     Image      [ntdll; "ntdll.dll"]
      7ffd`0a4fa000     7ffd`0a4fc000        0`00002000 MEM_IMAGE   MEM_COMMIT  PAGE_WRITECOPY                     Image      [ntdll; "ntdll.dll"]
      7ffd`0a4fc000     7ffd`0a502000        0`00006000 MEM_IMAGE   MEM_COMMIT  PAGE_READWRITE                     Image      [ntdll; "ntdll.dll"]
      7ffd`0a502000     7ffd`0a510000        0`0000e000 MEM_IMAGE   MEM_COMMIT  PAGE_READONLY                      Image      [ntdll; "ntdll.dll"]
      7ffd`0a510000     7ffd`0a511000        0`00001000 MEM_IMAGE   MEM_COMMIT  PAGE_EXECUTE                       Image      [ntdll; "ntdll.dll"]
      7ffd`0a511000     7ffd`0a579000        0`00068000 MEM_IMAGE   MEM_COMMIT  PAGE_READONLY                      Image      [ntdll; "ntdll.dll"]
+     7ffd`0a579000     7fff`fffe0000        2`f5a67000             MEM_FREE    PAGE_NOACCESS                      Free
+     7fff`fffe0000     7fff`ffff0000        0`00010000 MEM_PRIVATE MEM_RESERVE PAGE_NOACCESS

【讨论】:

  • !address 绝对是您想要的用户模式调试,但在内核模式中 !address 做一些不同的事情。如果您处于内核模式并想查看所需进程的地址空间!vad
猜你喜欢
  • 2011-05-12
  • 2015-08-09
  • 1970-01-01
  • 2013-09-02
  • 1970-01-01
  • 1970-01-01
  • 1970-01-01
  • 2011-12-22
  • 2016-05-27
相关资源
最近更新 更多
热门标签
Java Python linux javascript Mysql C# Docker 算法 前端 SpringBoot Redis Vue spring 设计模式 .net core .net kubernetes c++ 数据库 数据结构 大数据 js 机器学习 微服务 Android Go 程序员 面试 JVM ASP.net core 云原生 人工智能 后端 PHP git CSS golang k8s Nginx Django mybatis 深度学习 多线程 React 架构 devops 爬虫 云计算 Spring Boot LeetCode