!dh: extension command that dumps the PE headers of the image loaded at the given address (a module name such as ntdll is accepted in place of the address and resolves to that module's base)
0:004> !dh -h
Usage: dh [options] address
  Dumps headers from an image based at address
  Options:
    -a  Dump everything
    -f  Dump file headers
    -s  Dump section headers

So there are only these three switches; when none is given, -a (dump everything) is used.
0:004> !dh ntdll

File Type: DLL
FILE HEADER VALUES
     14C machine (i386)
       5 number of sections
4EC49B60 time date stamp Thu Nov 17 13:28:00 2011
       0 file pointer to symbol table
       0 number of symbols
      E0 size of optional header
    2102 characteristics
            Executable
            32 bit word machine
            DLL

OPTIONAL HEADER VALUES
     10B magic #
    9.00 linker version
   D5000 size of code
   63200 size of initialized data
       0 size of uninitialized data
       0 address of entry point
    1000 base of code
         ----- new -----
775a0000 image base
    1000 section alignment
     200 file alignment
       3 subsystem (Windows CUI)
    6.01 operating system version
    6.01 image version
    6.01 subsystem version
  13C000 size of image
     400 size of headers
  141016 checksum
00040000 size of stack reserve
00001000 size of stack commit
00100000 size of heap reserve
00001000 size of heap commit
   36190 [    F018] address [size] of Export Directory
       0 [       0] address [size] of Import Directory
   E0000 [   560D8] address [size] of Resource Directory
       0 [       0] address [size] of Exception Directory
  137000 [    3918] address [size] of Security Directory
  137000 [    4C50] address [size] of Base Relocation Directory
   D5D5C [      38] address [size] of Debug Directory
       0 [       0] address [size] of Description Directory
       0 [       0] address [size] of Special Directory
       0 [       0] address [size] of Thread Storage Directory
   1E0A8 [      40] address [size] of Load Configuration Directory
       0 [       0] address [size] of Bound Import Directory
       0 [       0] address [size] of Import Address Table Directory
       0 [       0] address [size] of Delay Import Directory
       0 [       0] address [size] of COR20 Header Directory
       0 [       0] address [size] of Reserved Directory

SECTION HEADER #1
   .text name
   D4DBA virtual size
    1000 virtual address
   D4E00 size of raw data
     400 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
60000020 flags
         Code
         (no align specified)
         Execute Read

Debug Directories(2)
    Type       Size     Address  Pointer
    cv           22       d5d98    d5198    Format: RSDS, guid, 2, ntdll.pdb
    (   10)       4       d5d94    d5194

SECTION HEADER #2
      RT name
     1DC virtual size
   D6000 virtual address
     200 size of raw data
   D5200 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
60000020 flags
         Code
         (no align specified)
         Execute Read

SECTION HEADER #3
   .data name
    8064 virtual size
   D7000 virtual address
    6C00 size of raw data
   D5400 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
C0000040 flags
         Initialized Data
         (no align specified)
         Read Write

SECTION HEADER #4
   .rsrc name
   560D8 virtual size
   E0000 virtual address
   56200 size of raw data
   DC000 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
40000040 flags
         Initialized Data
         (no align specified)
         Read Only

SECTION HEADER #5
  .reloc name
    4C50 virtual size
  137000 virtual address
    4E00 size of raw data
  132200 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
42000040 flags
         Initialized Data
         Discardable
         (no align specified)
         Read Only
Compare this against the LoadPE tool and you will find the values identical:

Two details in the dump are worth knowing before reading it at a glance. The Security Directory is the one data directory whose "address" is a raw file offset rather than an RVA (here 137000, which is exactly where the raw data of .reloc ends: 132200 + 4E00), so it cannot be dereferenced in the loaded image. And the zero address of entry point is expected for ntdll, which has no DllMain.
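As an added example (not code from this page, and not part of WinDbg or LoadPE), here is a small Python parser that reads the same structures !dh prints: the DOS header and e_lfanew, IMAGE_FILE_HEADER, IMAGE_OPTIONAL_HEADER32, the data directories and the section table. It expands the Characteristics bitmasks into the same words !dh prints under them and automates the consistency checks one normally does by eye on such a dump (section alignment, file alignment, sections inside SizeOfImage, sections that are both writable and executable). The image it parses is constructed by hand from field values in the dump above; it contains headers only, no code, and is not the real ntdll.dll. The names build_sample_image, parse_pe, check_sections and the text_flags parameter are this example's own.

```python
"""Reproduce the fields !dh -f / !dh -s print, from a raw PE32 image."""
import struct

# IMAGE_FILE_HEADER.Characteristics bits, labelled the way !dh labels them
FILE_CHARACTERISTICS = {0x0002: "Executable", 0x0100: "32 bit word machine", 0x2000: "DLL"}
# IMAGE_SECTION_HEADER.Characteristics bits, same labels as !dh's section dump
SECTION_CHARACTERISTICS = {
    0x00000020: "Code", 0x00000040: "Initialized Data", 0x00000080: "Uninitialized Data",
    0x02000000: "Discardable", 0x20000000: "Execute", 0x40000000: "Read", 0x80000000: "Write",
}
DATA_DIRECTORY_NAMES = [
    "Export", "Import", "Resource", "Exception", "Security", "Base Relocation", "Debug",
    "Description", "Special", "Thread Storage", "Load Configuration", "Bound Import",
    "Import Address Table", "Delay Import", "COR20 Header", "Reserved",
]
FILE_HEADER = struct.Struct("<HHIIIHH")                          # 20 bytes
FILE_FIELDS = ("Machine NumberOfSections TimeDateStamp PointerToSymbolTable "
               "NumberOfSymbols SizeOfOptionalHeader Characteristics").split()
OPT_HEADER32 = struct.Struct("<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII")    # 96 bytes before the data directories
OPT_FIELDS = ("Magic MajorLinkerVersion MinorLinkerVersion SizeOfCode SizeOfInitializedData "
              "SizeOfUninitializedData AddressOfEntryPoint BaseOfCode BaseOfData ImageBase "
              "SectionAlignment FileAlignment MajorOperatingSystemVersion "
              "MinorOperatingSystemVersion MajorImageVersion MinorImageVersion "
              "MajorSubsystemVersion MinorSubsystemVersion Win32VersionValue SizeOfImage "
              "SizeOfHeaders CheckSum Subsystem DllCharacteristics SizeOfStackReserve "
              "SizeOfStackCommit SizeOfHeapReserve SizeOfHeapCommit LoaderFlags "
              "NumberOfRvaAndSizes").split()
DATA_DIR = struct.Struct("<II")
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")                    # 40 bytes
SECTION_FIELDS = ("Name VirtualSize VirtualAddress SizeOfRawData PointerToRawData "
                  "PointerToRelocations PointerToLinenumbers NumberOfRelocations "
                  "NumberOfLinenumbers Characteristics").split()


def describe(value, table):
    """Expand a Characteristics bitmask into the words !dh prints under it."""
    return [name for bit, name in table.items() if value & bit]


def parse_pe(image):
    """Walk DOS header -> PE signature -> file/optional headers -> section table."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew, = struct.unpack_from("<I", image, 0x3C)       # offset of "PE\0\0"
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    off = e_lfanew + 4
    fh = dict(zip(FILE_FIELDS, FILE_HEADER.unpack_from(image, off)))
    fh["Flags"] = describe(fh["Characteristics"], FILE_CHARACTERISTICS)
    off += FILE_HEADER.size
    if struct.unpack_from("<H", image, off)[0] != 0x10B:     # magic 10B = PE32 (20B would be PE32+)
        raise ValueError("only PE32 (magic 10B) is handled here")
    oh = dict(zip(OPT_FIELDS, OPT_HEADER32.unpack_from(image, off)))
    dirs = {}
    for i in range(min(oh["NumberOfRvaAndSizes"], 16)):
        va, size = DATA_DIR.unpack_from(image, off + OPT_HEADER32.size + i * DATA_DIR.size)
        dirs[DATA_DIRECTORY_NAMES[i]] = (va, size)
    off += fh["SizeOfOptionalHeader"]                       # section table follows the optional header
    sections = []
    for i in range(fh["NumberOfSections"]):
        s = dict(zip(SECTION_FIELDS, SECTION_HEADER.unpack_from(image, off + i * SECTION_HEADER.size)))
        s["Name"] = s["Name"].rstrip(b"\0").decode("ascii", "replace")
        s["Flags"] = describe(s["Characteristics"], SECTION_CHARACTERISTICS)
        sections.append(s)
    return {"file": fh, "optional": oh, "directories": dirs, "sections": sections}


def check_sections(pe):
    """The consistency checks one does by eye on !dh output, automated."""
    oh, warnings = pe["optional"], []
    for s in pe["sections"]:
        if s["VirtualAddress"] % oh["SectionAlignment"]:
            warnings.append(f"{s['Name']}: virtual address not section-aligned")
        if s["PointerToRawData"] % oh["FileAlignment"] or s["SizeOfRawData"] % oh["FileAlignment"]:
            warnings.append(f"{s['Name']}: raw data not file-aligned")
        if s["VirtualAddress"] + s["VirtualSize"] > oh["SizeOfImage"]:
            warnings.append(f"{s['Name']}: extends past SizeOfImage")
        if "Write" in s["Flags"] and "Execute" in s["Flags"]:
            warnings.append(f"{s['Name']}: writable and executable (RWX)")
    if oh["AddressOfEntryPoint"] == 0 and "DLL" not in pe["file"]["Flags"]:
        warnings.append("EXE with a zero entry point")
    return warnings


def build_sample_image(text_flags=0x60000020):
    """Constructed PE32 (headers only, no code); field values echo the ntdll dump on the page."""
    sections = [  # name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, flags
        (b".text", 0xD4DBA, 0x1000, 0xD4E00, 0x400, text_flags),
        (b".data", 0x8064, 0xD7000, 0x6C00, 0xD5400, 0xC0000040),
        (b".reloc", 0x4C50, 0x137000, 0x4E00, 0x132200, 0x42000040),
    ]
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)    # e_lfanew = 0x40
    file_hdr = FILE_HEADER.pack(0x14C, len(sections), 0x4EC49B60, 0, 0, 0xE0, 0x2102)
    opt = OPT_HEADER32.pack(0x10B, 9, 0, 0xD5000, 0x63200, 0, 0, 0x1000, 0xD7000, 0x775A0000,
                            0x1000, 0x200, 6, 1, 6, 1, 6, 1, 0, 0x13C000, 0x400, 0x141016, 3, 0,
                            0x40000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[0], dirs[5], dirs[6], dirs[10] = (0x36190, 0xF018), (0x137000, 0x4C50), (0xD5D5C, 0x38), (0x1E0A8, 0x40)
    dirs[4] = (0x137000, 0x3918)   # Security: a raw file offset (end of .reloc's raw data), not an RVA
    opt += b"".join(DATA_DIR.pack(*d) for d in dirs)
    table = b"".join(SECTION_HEADER.pack(n, vs, va, rs, pr, 0, 0, 0, 0, fl)
                     for n, vs, va, rs, pr, fl in sections)
    return dos + b"PE\0\0" + file_hdr + opt + table


if __name__ == "__main__":
    pe = parse_pe(build_sample_image())
    print(f"{pe['file']['Machine']:8X} machine", pe["file"]["Flags"])
    print(f"{pe['optional']['ImageBase']:8X} image base")
    for name, (va, size) in pe["directories"].items():
        if size:
            print(f"{va:8X} [{size:8X}] address [size] of {name} Directory")
    for s in pe["sections"]:
        print(f"{s['Name']:>8} {s['VirtualSize']:8X} vsize {s['VirtualAddress']:8X} va", s["Flags"])
    print("warnings:", check_sections(pe) or "none")
```

Feed parse_pe the bytes of a real 32-bit DLL read from disk and the printed values can be compared line by line with !dh; the section table is read from the file, so an image whose in-memory headers were patched after load (for example a changed section protection) shows up as a mismatch between this output and !dh on the live process. The RWX check fires when a section is both writable and executable, which the sample image never is unless text_flags is overridden.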
!lmi: extension command that displays detailed information about a given module
0:004> !lmi ntdll
Loaded Module Info: [ntdll]
         Module: ntdll
   Base Address: 775a0000
     Image Name: C:\Windows\SYSTEM32\ntdll.dll
   Machine Type: 332 (I386)
     Time Stamp: 4ec49b60 Thu Nov 17 13:28:00 2011
           Size: 13c000
       CheckSum: 141016
Characteristics: 2102
Debug Data Dirs: Type  Size     VA  Pointer
             CODEVIEW    22, d5d98,   d5198 RSDS - GUID: {093D2CD7-F95B-4CC6-B531-8D405CC31566}
               Age: 2, Pdb: ntdll.pdb
                 CLSID     4, d5d94,   d5194 [Data not mapped]
     Image Type: FILE     - Image read successfully from debugger.
                 C:\Windows\SYSTEM32\ntdll.dll
    Symbol Type: EXPORT   - PDB not found
    Load Report: export symbols

The base address, machine type, time stamp, size, checksum and characteristics here are the same fields !dh showed in the file and optional headers, and the CODEVIEW entry (size 22 at VA d5d98) is the same debug directory !dh listed under SECTION HEADER #1. Note the last two lines: "Symbol Type: EXPORT - PDB not found" means the debugger is using only the export table for names, so anything that is not exported will be misattributed to the nearest export. Point the symbol path at the Microsoft symbol server (.symfix) and reload the module (.reload ntdll.dll), and !lmi will then report PDB symbols instead.