【Question title】: !dlls -a output: the SECTION HEADER values are all 0. Why?
【Posted】: 2017-10-08 08:34:58
【Question description】:

WinDbg command !dlls: why are the SECTION HEADER values in the output of the !dlls -a command all 0?

Here is my output:

0:000> !dlls -a 

0x00673270: D:\WinAfl\test\a.exe
      Base   0x00400000  EntryPoint  0x00401280  Size        0x0000a000
      Flags  0x00004000  LoadCount   0x0000ffff  TlsIndex    0x0000ffff
             LDRP_ENTRY_PROCESSED

File Type: EXECUTABLE IMAGE
FILE HEADER VALUES
     14C machine (i386)
       8 number of sections
   50000 time date stamp Mon Jan 05 03:01:20 1970

    2800 file pointer to symbol table
     29C number of symbols
      E0 size of optional header
     307 characteristics
            Relocations stripped
            Executable
            Line numbers stripped
            32 bit word machine
            Debug information stripped

OPTIONAL HEADER VALUES
     10B magic #
    2.24 linker version
    1200 size of code
    2400 size of initialized data
     200 size of uninitialized data
    1280 address of entry point
    1000 base of code
    3000 base of data
         ----- new -----
00400000 image base
    1000 section alignment
     200 file alignment
       3 subsystem (Windows CUI)
    4.00 operating system version
    1.00 image version
    4.00 subsystem version
    A000 size of image
     400 size of headers
    C9C4 checksum
00200000 size of stack reserve
00001000 size of stack commit
00100000 size of heap reserve
00001000 size of heap commit
00400098 Opt Hdr
       0 [       0] address [size] of Export Directory
    7000 [     3CC] address [size] of Import Directory
       0 [       0] address [size] of Resource Directory
       0 [       0] address [size] of Exception Directory
       0 [       0] address [size] of Security Directory
       0 [       0] address [size] of Base Relocation Directory
       0 [       0] address [size] of Debug Directory
       0 [       0] address [size] of Description Directory
       0 [       0] address [size] of Special Directory
    9004 [      18] address [size] of Thread Storage Directory
       0 [       0] address [size] of Load Configuration Directory
       0 [       0] address [size] of Bound Import Directory
    70C8 [      8C] address [size] of Import Address Table Directory
       0 [       0] address [size] of Reserved Directory
       0 [       0] address [size] of Reserved Directory
       0 [       0] address [size] of Reserved Directory


SECTION HEADER #1
         name
       0 virtual size
       0 virtual address
       0 size of raw data
       0 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
       0 flags
         (no align specified)

SECTION HEADER #2
         name
       0 virtual size
       0 virtual address
       0 size of raw data
       0 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
       0 flags
         (no align specified)

SECTION HEADER #3
         name
       0 virtual size
       0 virtual address
       0 size of raw data
       0 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
       0 flags
         (no align specified)

SECTION HEADER #4
         name
       0 virtual size
       0 virtual address
       0 size of raw data
       0 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
       0 flags
         (no align specified)

SECTION HEADER #5
         name
       0 virtual size
       0 virtual address
       0 size of raw data
       0 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
       0 flags
         (no align specified)

SECTION HEADER #6
         name
       0 virtual size
       0 virtual address
       0 size of raw data
       0 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
       0 flags
         (no align specified)

SECTION HEADER #7
         name
       0 virtual size
       0 virtual address
       0 size of raw data
       0 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
       0 flags
         (no align specified)

SECTION HEADER #8
         name
       0 virtual size
       0 virtual address
       0 size of raw data
       0 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
       0 flags
         (no align specified)

0x00673300: C:\windows\SysWOW64\ntdll.dll
      Base   0x77c60000  EntryPoint  0x00000000  Size        0x00180000
      Flags  0x00004004  LoadCount   0x0000ffff  TlsIndex    0x00000000
             LDRP_IMAGE_DLL
             LDRP_ENTRY_PROCESSED

File Type: DLL
FILE HEADER VALUES
     14C machine (i386)
       5 number of sections
598D4C81 time date stamp Fri Aug 11 14:19:45 2017

       0 file pointer to symbol table
       0 number of symbols
      E0 size of optional header
    2102 characteristics
            Executable
            32 bit word machine
            DLL

OPTIONAL HEADER VALUES
     10B magic #
    9.00 linker version
   D6200 size of code
   68400 size of initialized data
       0 size of uninitialized data
       0 address of entry point
   10000 base of code
   F0000 base of data
         ----- new -----
77c60000 image base
   10000 section alignment
     200 file alignment
       3 subsystem (Windows CUI)
    6.01 operating system version
    6.01 image version
    6.01 subsystem version
  180000 size of image
     400 size of headers
  146B93 checksum
00040000 size of stack reserve
00001000 size of stack commit
00100000 size of heap reserve
00001000 size of heap commit
77c600f0 Opt Hdr
   101F8 [    F6B8] address [size] of Export Directory
       0 [       0] address [size] of Import Directory
  110000 [   5A028] address [size] of Resource Directory
       0 [       0] address [size] of Exception Directory
  13D400 [    3940] address [size] of Security Directory
  170000 [    4CB8] address [size] of Base Relocation Directory
   E5E84 [      38] address [size] of Debug Directory
       0 [       0] address [size] of Description Directory
       0 [       0] address [size] of Special Directory
       0 [       0] address [size] of Thread Storage Directory
   75B50 [      40] address [size] of Load Configuration Directory
       0 [       0] address [size] of Bound Import Directory
       0 [       0] address [size] of Import Address Table Directory
       0 [       0] address [size] of Reserved Directory
       0 [       0] address [size] of Reserved Directory
       0 [       0] address [size] of Reserved Directory


SECTION HEADER #1
         name
       0 virtual size
       0 virtual address
       0 size of raw data
       0 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
       0 flags
         (no align specified)

SECTION HEADER #2
         name
       0 virtual size
       0 virtual address
       0 size of raw data
       0 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
       0 flags
         (no align specified)

SECTION HEADER #3
         name
       0 virtual size
       0 virtual address
       0 size of raw data
       0 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
       0 flags
         (no align specified)

SECTION HEADER #4
         name
       0 virtual size
       0 virtual address
       0 size of raw data
       0 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
       0 flags
         (no align specified)

SECTION HEADER #5
         name
       0 virtual size
       0 virtual address
       0 size of raw data
       0 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
       0 flags
         (no align specified)

【Question discussion】:

  • Can you provide more details? It does not happen on my machine. Is 64-bit, 32-bit, or both affected? Can it be observed in live debugging, e.g. with Notepad or Notepad++?
  • What Thomas said, plus: if you have two separate questions, please create two separate posts. Please edit this post so that one question stays here and ask the other one in a separate post.
  • OK, thanks for the suggestion.
  • I just attach to an .exe process (such as helloworld.exe) and then use the !dll command! I tried it in 32-bit mode.

Tags: debugging dll windbg
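As an added example (not code from the question or the answer), the following Python parses the same IMAGE_SECTION_HEADER fields that !dlls -a prints, so the debugger's view can be cross-checked against the file on disk or against the bytes read from the module base (the image headers are mapped there, e.g. at 0x00400000 for a.exe above). The sample PE image it builds is constructed, not a real binary, and zeroed_sections is a hypothetical helper for the all-zero symptom in the question.

```python
import struct

# One IMAGE_SECTION_HEADER is 40 bytes; fields in the order WinDbg prints them.
_SECTION_FMT = "<8sIIIIIIHHI"
_SECTION_FIELDS = ("name", "virtual_size", "virtual_address", "size_of_raw_data",
                   "file_pointer_to_raw_data", "file_pointer_to_relocation_table",
                   "file_pointer_to_line_numbers", "number_of_relocations",
                   "number_of_line_numbers", "flags")

def parse_section_headers(image):
    """Parse the section table of a PE image from its bytes (the file on disk, or the
    bytes at the module base read from the debuggee: the headers are mapped there)."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER, 20 bytes
    number_of_sections = struct.unpack_from("<H", image, coff + 2)[0]
    size_of_optional_header = struct.unpack_from("<H", image, coff + 16)[0]
    first = coff + 20 + size_of_optional_header           # section table follows the optional header
    sections = []
    for i in range(number_of_sections):
        raw = struct.unpack_from(_SECTION_FMT, image, first + i * 40)
        sec = dict(zip(_SECTION_FIELDS, raw))
        sec["name"] = sec["name"].rstrip(b"\0").decode("ascii", "replace")
        sections.append(sec)
    return sections

def zeroed_sections(sections):
    """1-based indices (WinDbg's 'SECTION HEADER #n') of headers whose every field is zero."""
    return [i for i, s in enumerate(sections, 1)
            if not s["name"] and all(v == 0 for k, v in s.items() if k != "name")]

def build_sample_image():
    """Constructed minimal PE32 with two sections (not a real binary): DOS header with
    e_lfanew = 0x40, COFF header, zero-filled 0xE0-byte optional header, section table."""
    dos = bytearray(b"MZ" + bytes(0x3E))
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0x50000, 0, 0, 0xE0, 0x307)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic, as in the dump above
    text = struct.pack(_SECTION_FMT, b".text", 0x1200, 0x1000, 0x1200, 0x400, 0, 0, 0, 0, 0x60000020)
    data = struct.pack(_SECTION_FMT, b".data", 0x2400, 0x3000, 0x2400, 0x1600, 0, 0, 0, 0, 0xC0000040)
    return bytes(dos) + b"PE\0\0" + coff + opt + text + data

if __name__ == "__main__":
    for i, s in enumerate(parse_section_headers(build_sample_image()), 1):
        print(f"SECTION HEADER #{i} {s['name']:<8} VA {s['virtual_address']:#x} raw {s['size_of_raw_data']:#x}")
```

A header table where every section comes back from zeroed_sections is not a plausible loaded image; compare it with the file's own section table before trusting the debugger output.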


【Solution 1】:

!dll only works in live debugging mode, not in dump analysis.

To dump only one module, use -c { an expression that resolves to an address in some module's virtual address space }.

See the second query below.

0:000> lm m calc
Browse full module list
start    end        module name
00710000 007d0000   calc       (deferred)             


0:000> !dlls -c calc

0x001321c8: C:\Windows\system32\calc.exe
      Base   0x00710000  EntryPoint  0x00722d6c  Size        0x000c0000
      Flags  0x00004000  LoadCount   0x0000ffff  TlsIndex    0x00000000
             LDRP_ENTRY_PROCESSED


0:000> !dlls -c 7c1234


0x001321c8: C:\Windows\system32\calc.exe
      Base   0x00710000  EntryPoint  0x00722d6c  Size        0x000c0000
      Flags  0x00004000  LoadCount   0x0000ffff  TlsIndex    0x00000000
             LDRP_ENTRY_PROCESSED

!dlls -a produces more than 27k lines of output in my WinDbg, resolving all dependencies.

0:000> .shell -ci "!dlls -a -c 7c1234" wc -l
27872

It prints kernel32.dll 15 times.

0:000> .shell -ci "!dlls -a -c 7c1234" grep -c -i kernel32.dll 
15

【Discussion】:

  • Thanks for the good answer! I have a question: what is live debugging mode? I just attach to a running process; is that live debugging mode? Why are the SECTION HEADER values all 0 in the !dlls -a command output?
  • Yes, attaching and/or creating is called live. I don't know why you get zeros; maybe your windbg version is the culprit. Did you try another exe, another version of windbg, etc.?