• WinDbg Command Study 1 (vertarget, lm and lmvm)


    1. g lets the target program continue executing; Ctrl+Break suspends the running target and returns to debugging mode.

    2. vertarget

    The vertarget command displays the Microsoft Windows operating system version of the target machine.

    Example:

    0:011> vertarget
    Windows XP Version 2600 (Service Pack 3) MP (4 procs) Free x86 compatible
    Product: WinNt, suite: SingleUserTS
    kernel32.dll version: 
    Machine Name:
    Debug session time: Wed May  9 16:33:38.600 2012 (GMT+8)
    System Uptime: 1 days 7:30:56.583
    Process Uptime: 0 days 0:06:44.442
      Kernel time: 0 days 0:00:01.062
      User time: 0 days 0:00:01.843
    
    
    

    The example above means: x86, 4 cores, XP SP3; the machine has been up for 1 day 7 hours 30 minutes 56 seconds, and the process being debugged has been running for 6 minutes 44 seconds.

    3. lm

    The lm command displays the specified loaded/unloaded modules. The output includes each module's symbol status and path.

    Example:

    0:015> lm
    start    end        module name
    00400000 00670000   360se      (export symbols)       C:\Program Files\360\360se3\360se.exe
    00de0000 00edd000   Favorites   (export symbols)       C:\Program Files\360\360se3\Favorites\Favorites.dll
    00ee0000 01029000   LoginEnrol   (export symbols)       C:\Program Files\360\360se3\LoginEnrol\LoginEnrol.dll
    01130000 011e0000   safemon    (export symbols)       C:\Program Files\360\360Safe\safemon\safemon.dll
    017e0000 0183c000   urlproc    (export symbols)       C:\Program Files\360\360Safe\safemon\urlproc.dll
    01b60000 01bdb000   heavygate   (export symbols)       C:\Program Files\360\360Safe\deepscan\heavygate.dll
    020c0000 02126000   sqlite3    (export symbols)       C:\Program Files\360\360se3\sqlite3.dll
    021d0000 023be000   doctor     (export symbols)       C:\Program Files\360\360se3\doctor.dll
    024c0000 02567000   ExtLoginAssis   (export symbols)       C:\Documents and Settings\Administrator\Application Data\360SE\apps\LoginAssis\ExtLoginAssis.dll
    025a0000 02ae9000   xpsp2res   (no symbols)           
    02e50000 02e8d000   sepro      (export symbols)       C:\Program Files\360\360Safe\safemon\sepro.dll
    035f0000 0365f000   PENCHS     (export symbols)       C:\Program Files\Common Files\Microsoft Shared\INK\PENCHS.DLL
    039e0000 03b3e000   wdui2      (export symbols)       C:\Program Files\360\360se3\SafeCentral\wdui2.dll
    066d0000 07010000   Flash32_11_2_202_235   (export symbols)       C:\WINDOWS\system32\Macromed\Flash\Flash32_11_2_202_235.ocx
    10000000 100ea000   SafeCentral   (export symbols)       C:\Program Files\360\360se3\SafeCentral\SafeCentral.dll
    25060000 25077000   net_monitor2_0_2_6   (export symbols)       C:\Program Files\Common Files\Thunder Network\NetMon\net_monitor2.0.2.6.dll
    4ae90000 4b03b000   gdiplus    (pdb symbols)          C:\MyLocalSymbols\gdiplus.pdb\E55758F17CA94EDBAC732C65F6FD77DF2\gdiplus.pdb
    5adc0000 5adf7000   UxTheme    (pdb symbols)          C:\WINDOWS\symbols\dll\uxtheme.pdb
    5dd50000 5de73000   msxml3     (pdb symbols)          C:\MyLocalSymbols\msxml3.pdb\2D362E3E2D824B188B516102CA1D0EFC2\msxml3.pdb
    5e400000 5e40c000   pngfilt    (deferred)             
    5fdd0000 5fe25000   NETAPI32   (deferred)             
    60180000 601bd000   sptip      (deferred)             
    60fd0000 61025000   hnetcfg    (deferred)             
    61880000 618ba000   OLEACC     (deferred)             
    61be0000 61bed000   MFC42LOC   (deferred)             
    62c20000 62c29000   LPK        (deferred)             
    64000000 64021000   mdnsNSP    (deferred)             
    65700000 65727000   iNetSafe   (deferred)             
    65d00000 65d38000   urlproc_65d00000   (deferred)             
    66b50000 66b5c000   ImgUtil    (deferred)             
    67140000 67180000   iepeers    (deferred)             
    68000000 68036000   rsaenh     (deferred)             
    6c140000 6c176000   dxtrans    (deferred)             
    6c180000 6c1da000   dxtmsft    (deferred)             
    6d7c0000 6d7ca000   ddrawex    (deferred)             
    71800000 7187c000   shdoclc    (deferred)             
    719c0000 719fe000   mswsock    (deferred)             
    71a00000 71a08000   wshtcpip   (deferred)             
    71a10000 71a18000   WS2HELP    (deferred)             
    71a20000 71a37000   WS2_32     (deferred)             
    71a40000 71a4b000   wsock32    (deferred)             
    72240000 72245000   sensapi    (deferred)             
    727a0000 72892000   mfc42u     (deferred)             
    72c80000 72c88000   msacm32    (deferred)             
    72c90000 72c99000   wdmaud     (deferred)             
    72f70000 72f96000   WINSPOOL   (deferred)             
    73640000 7366e000   msctfime   (deferred)             
    736d0000 7371b000   DDRAW      (deferred)             
    73aa0000 73ab5000   mscms      (deferred)             
    73b30000 73b36000   DCIMAN32   (deferred)             
    73c50000 73c71000   T2EMBED    (deferred)             
    73dc0000 73dc3000   LZ32       (deferred)             
    73e70000 73ecc000   dsound     (deferred)             
    73fa0000 7400b000   USP10      (deferred)             
    74620000 74647000   msls31     (deferred)             
    74650000 7467a000   msimtf     (deferred)             
    74680000 746cc000   MSCTF      (deferred)             
    74cf0000 74d81000   MLANG      (deferred)             
    75430000 754a1000   CRYPTUI    (deferred)             
    759d0000 75a7f000   USERENV    (deferred)             
    75bc0000 75c3d000   jscript    (deferred)             
    75e00000 75eae000   SXS        (deferred)             
    75ff0000 76055000   MSVCP60    (deferred)             
    76060000 761b6000   SETUPAPI   (deferred)             
    762f0000 762f5000   MSIMG32    (deferred)             
    76300000 7631d000   IMM32      (deferred)             
    76320000 76367000   comdlg32   (deferred)             
    765e0000 76673000   CRYPT32    (deferred)             
    76680000 76726000   WININET    (deferred)             
    76760000 7676c000   cryptdll   (deferred)             
    767c0000 767e9000   schannel   (deferred)             
    76990000 76ace000   ole32      (deferred)             
    76af0000 76b01000   ATL        (deferred)             
    76b10000 76b3a000   WINMM      (deferred)             
    76bc0000 76bcb000   psapi      (deferred)             
    76c00000 76c2e000   WINTRUST   (deferred)             
    76c60000 76c88000   IMAGEHLP   (deferred)             
    76d30000 76d48000   iphlpapi   (deferred)             
    76d70000 76d92000   appHelp    (deferred)             
    76db0000 76dc2000   MSASN1     (deferred)             
    76e50000 76e5e000   rtutils    (deferred)             
    76e60000 76e72000   rasman     (deferred)             
    76e80000 76eaf000   TAPI32     (deferred)             
    76eb0000 76eec000   RASAPI32   (deferred)             
    76ef0000 76f17000   DNSAPI     (deferred)             
    76f30000 76f5c000   WLDAP32    (deferred)             
    76f90000 76f96000   rasadhlp   (deferred)             
    76fa0000 7701f000   CLBCATQ    (deferred)             
    77020000 770ba000   COMRes     (deferred)             
    770f0000 7717b000   OLEAUT32   (deferred)             
    77180000 77283000   COMCTL32   (deferred)             
    77ba0000 77ba7000   midimap    (deferred)             
    77bb0000 77bc5000   MSACM32_77bb0000   (deferred)             
    77bd0000 77bd8000   VERSION    (deferred)             
    77be0000 77c38000   msvcrt     (deferred)             
    77c40000 77c65000   msv1_0     (deferred)             
    77d10000 77da0000   USER32     (deferred)             
    77da0000 77e49000   ADVAPI32   (deferred)             
    77e50000 77ee3000   RPCRT4     (deferred)             
    77ef0000 77f39000   GDI32      (deferred)             
    77f40000 77fb6000   SHLWAPI    (deferred)             
    77fc0000 77fd1000   Secur32    (deferred)             
    7c340000 7c396000   MSVCR71    (deferred)             
    7c3a0000 7c41b000   MSVCP71    (deferred)             
    7c800000 7c91e000   kernel32   (deferred)             
    7c920000 7c9b3000   ntdll      (pdb symbols)          C:\WINDOWS\symbols\dll\ntdll.pdb
    7c9c0000 7cc7c000   msi        (deferred)             
    7d590000 7dd84000   SHELL32    (deferred)             
    7e210000 7e50c000   mshtml     (deferred)             
    7e550000 7e6c3000   shdocvw    (deferred)             
    7eae0000 7eb81000   urlmon     (deferred)             
    
    Unloaded modules:
    753b0000 75421000   mshtmled.dll
    74d90000 74dfd000   RichEd20.dll
    71dd0000 71de5000   msapsspc.dll
    78080000 78091000   MSVCRT40.dll
    767c0000 767e9000   schannel.dll
    759d0000 75a7f000   USERENV.dll
    757f0000 75805000   digest.dll
    72f10000 72f57000   msnsspc.dll
    78080000 78091000   MSVCRT40.dll
    72c90000 72c99000   wdmaud.drv
    06200000 06218000   360verify.dll
    066d0000 07010000   Flash32_11_2_202_235.ocx
    73aa0000 73ab5000   mscms.dll
    753b0000 75421000   mshtmled.dll
    67140000 67180000   iepeers.dll
    72f70000 72f96000   WINSPOOL.DRV
    
    

    deferred means that the symbols for that module have not been loaded yet. Note that it is the symbols; I initially got this wrong and thought it meant the module itself was not loaded. In fact, unloaded modules are listed separately under Unloaded modules:.

    4. lmvm

    To see detailed information about a module, use the lmvm command.

    lmvm shows detailed information about any loaded DLL/EXE, including the state of its symbols. One special reminder: do not add the file extension (whether EXE or DLL); I made exactly this mistake when I started learning.

    Using the loaded modules from section 3 above.

    Example:

    0:015> lmvm ntdll
    start    end        module name
    7c920000 7c9b3000   ntdll      (pdb symbols)          C:\WINDOWS\symbols\dll\ntdll.pdb
        Loaded symbol image file: C:\WINDOWS\system32\ntdll.dll
        Image path: C:\WINDOWS\system32\ntdll.dll
        Image name: ntdll.dll
        Timestamp:        Mon Apr 14 10:13:25 2008 (4802BDC5)
        CheckSum:         00097CB7
        ImageSize:        00093000
        File version:     5.1.2600.5512
        Product version:  5.1.2600.5512
        File flags:       0 (Mask 3F)
        File OS:          40004 NT Win32
        File type:        2.0 Dll
        File date:        00000000.00000000
        Translations:     0804.04b0
        CompanyName:      Microsoft Corporation
        ProductName:      Microsoft(R) Windows(R) Operating System
        InternalName:     ntdll.dll
        OriginalFilename: ntdll.dll
        ProductVersion:   5.1.2600.5512
        FileVersion:      5.1.2600.5512 (xpsp.080413-2111)
        FileDescription:  NT Layer DLL
        LegalCopyright:   (C) Microsoft Corporation. All rights reserved.
    
    

    Compared with the earlier output, you can see that the symbol locations are all printed.

    If you add the extension, this is what you get:

    0:015> lmvm ntdll.dll
    start    end        module name
    
    

    This means it was not found.

    Let's try printing one of the deferred modules from earlier:

    0:015> lmvm urlmon
    start    end        module name
    7eae0000 7eb81000   urlmon     (deferred)             
        Image path: C:\WINDOWS\system32\urlmon.dll
        Image name: urlmon.dll
        Timestamp:        Wed Feb 29 02:49:46 2012 (4F4D21CA)
        CheckSum:         000A06D3
        ImageSize:        000A1000
        File version:     6.0.2900.6197
        Product version:  6.0.2900.6197
        File flags:       0 (Mask 3F)
        File OS:          40004 NT Win32
        File type:        2.0 Dll
        File date:        00000000.00000000
        Translations:     0804.04b0
        CompanyName:      Microsoft Corporation
        ProductName:      Microsoft(R) Windows(R) Operating System
        InternalName:     UrlMon.dll
        OriginalFilename: UrlMon.dll
        ProductVersion:   6.00.2900.6197
        FileVersion:      6.00.2900.6197 (xpsp_sp3_gdr.120228-1720)
        FileDescription:  OLE32 Extensions for Win32
        LegalCopyright:   (C) Microsoft Corporation. All rights reserved.
    
     

    You can see it is the same as what lm printed.

    Now let's print a module from under Unloaded modules:

    0:015> lmvm mshtmled
    start    end        module name
    


    Clearly, this means it was not found.

    So lmvm can show detailed information for any loaded DLL/EXE, but it cannot show unloaded DLLs/EXEs, and the name must not carry an extension.

    hgy413 --- addendum 2012.5.22:

    lmvm can also print modules matching a wildcard:
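    As an added example (not part of the original post), here is a small Python parser for the lm and lmvm output formats shown in sections 3 and 4: it records each loaded module's symbol status (deferred, pdb symbols, export symbols, no symbols) separately from the Unloaded modules: list, keeps the Key: value lines that lmvm prints, and maps a raw address back to the module that contains it. The function names are chosen here, not WinDbg commands, and the sample text is a constructed excerpt of the output on this page.

```python
import re

# Module header line as printed by lm and lmvm: start end name (symbol status) [symbol file]
_MODULE_RE = re.compile(r"^([0-9a-f]{8})\s+([0-9a-f]{8})\s+(\S+)\s+\(([^)]*)\)\s*(.*)$", re.I)
# Line under "Unloaded modules:": start end filename (these keep their extension)
_UNLOADED_RE = re.compile(r"^([0-9a-f]{8})\s+([0-9a-f]{8})\s+(\S+)$", re.I)
# "Key: value" detail line that lmvm prints under a module header
_DETAIL_RE = re.compile(r"^([A-Za-z ]+?):\s*(.*)$")

def parse_lm(text):
    """Parse lm / lmvm output into (loaded modules, unloaded file names).
    A loaded module is a dict with name, start, end, symbols (the status in
    parentheses), symbol_file (set once symbols are loaded) and lmvm details."""
    loaded, unloaded, current, in_unloaded = [], [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Unloaded modules:"):
            in_unloaded = True
            continue
        if in_unloaded:
            m = _UNLOADED_RE.match(line)
            if m:
                unloaded.append(m.group(3))
            continue
        m = _MODULE_RE.match(line)
        if m:
            current = {"name": m.group(3), "start": int(m.group(1), 16),
                       "end": int(m.group(2), 16), "symbols": m.group(4),
                       "symbol_file": m.group(5).strip(), "details": {}}
            loaded.append(current)
            continue
        d = _DETAIL_RE.match(line)
        if d and current is not None:
            current["details"][d.group(1)] = d.group(2)
    return loaded, unloaded

def module_for_address(loaded, addr):
    """Return the loaded module whose [start, end) range contains addr, else None."""
    return next((m for m in loaded if m["start"] <= addr < m["end"]), None)

# Constructed excerpt of the lm / lmvm output shown on this page.
SAMPLE = """\
025a0000 02ae9000   xpsp2res   (no symbols)
7c920000 7c9b3000   ntdll      (pdb symbols)          C:\\WINDOWS\\symbols\\dll\\ntdll.pdb
    Timestamp:        Mon Apr 14 10:13:25 2008 (4802BDC5)
7eae0000 7eb81000   urlmon     (deferred)
Unloaded modules:
753b0000 75421000   mshtmled.dll
"""
```

    An address that falls only in an Unloaded modules: range comes back as None, which is the practical consequence of the deferred-versus-unloaded distinction the text makes.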

    0:002> lmvm s*
    start    end        module name
    5cc30000 5cc56000   ShimEng    (deferred)             
        Image path: C:\WINDOWS\system32\ShimEng.dll
        Image name: ShimEng.dll
        Timestamp:        Mon Apr 14 10:13:13 2008 (4802BDB9)
        CheckSum:         0001F66F
        ImageSize:        00026000
        File version:     5.1.2600.5512
        Product version:  5.1.2600.5512
        File flags:       0 (Mask 3F)
        File OS:          40004 NT Win32
        File type:        2.0 Dll
        File date:        00000000.00000000
        Translations:     0409.04b0
        CompanyName:      Microsoft Corporation
        ProductName:      Microsoft® Windows® Operating System
        InternalName:     Shim Engine DLL (IAT)
        OriginalFilename: Shim Engine DLL (IAT)
        ProductVersion:   5.1.2600.5512
        FileVersion:      5.1.2600.5512 (xpsp.080413-2105)
        FileDescription:  Shim Engine DLL
        LegalCopyright:   © Microsoft Corporation. All rights reserved.
    77f40000 77fb6000   SHLWAPI    (deferred)             
        Image path: C:\WINDOWS\system32\SHLWAPI.dll
        Image name: SHLWAPI.dll
        Timestamp:        Tue Dec 08 17:23:33 2009 (4B1E1B15)
        CheckSum:         00079E4B
        ImageSize:        00076000
        File version:     6.0.2900.5912
        Product version:  6.0.2900.5912
        File flags:       0 (Mask 3F)
        File OS:          40004 NT Win32
        File type:        2.0 Dll
        File date:        00000000.00000000
        Translations:     0804.04b0
        CompanyName:      Microsoft Corporation
        ProductName:      Microsoft(R) Windows(R) Operating System
        InternalName:     SHLWAPI
        OriginalFilename: SHLWAPI.DLL
        ProductVersion:   6.00.2900.5912
        FileVersion:      6.00.2900.5912 (xpsp_sp3_gdr.091207-1454)
        FileDescription:  Shell Light-weight Utility Library
        LegalCopyright:   (C) Microsoft Corporation. All rights reserved.
    77fc0000 77fd1000   Secur32    (deferred)             
        Image path: C:\WINDOWS\system32\Secur32.dll
        Image name: Secur32.dll
        Timestamp:        Thu Jun 25 16:24:50 2009 (4A433452)
        CheckSum:         00015AE9
        ImageSize:        00011000
        File version:     5.1.2600.5834
        Product version:  5.1.2600.5834
        File flags:       0 (Mask 3F)
        File OS:          40004 NT Win32
        File type:        2.0 Dll
        File date:        00000000.00000000
        Translations:     0409.04b0
        CompanyName:      Microsoft Corporation
        ProductName:      Microsoft® Windows® Operating System
        InternalName:     security.dll
        OriginalFilename: security.dll
        ProductVersion:   5.1.2600.5834
        FileVersion:      5.1.2600.5834 (xpsp_sp3_gdr.090624-1305)
        FileDescription:  Security Support Provider Interface
        LegalCopyright:   © Microsoft Corporation. All rights reserved.
    7d590000 7dd84000   SHELL32    (deferred)             
        Image path: C:\WINDOWS\system32\SHELL32.dll
        Image name: SHELL32.dll
        Timestamp:        Fri Jan 21 22:44:09 2011 (4D399BB9)
        CheckSum:         007FB35C
        ImageSize:        007F4000
        File version:     6.0.2900.6072
        Product version:  6.0.2900.6072
        File flags:       0 (Mask 3F)
        File OS:          40004 NT Win32
        File type:        2.0 Dll
        File date:        00000000.00000000
        Translations:     0804.04b0
        CompanyName:      Microsoft Corporation
        ProductName:      Microsoft(R) Windows(R) Operating System
        InternalName:     SHELL32
        OriginalFilename: SHELL32.DLL
        ProductVersion:   6.00.2900.6072
        FileVersion:      6.00.2900.6072 (xpsp_sp3_gdr.110121-1719)
        FileDescription:  Windows Shell Common Dll
        LegalCopyright:   (C) Microsoft Corporation. All rights reserved.


     

    Written by hgy413 on the evening of 2012.5.9.

  • Original URL: https://www.cnblogs.com/hgy413/p/3693719.html