追朔根源就是微軟的工具, 因此必須閱讀官方手冊:
1. 微軟教學:Debugging Tools for Windows (WinDbg, KD, CDB, NTSD)
2. 微軟教學: ACPI Debugging
3. 微軟教學: Getting Started with WinDbg (Kernel-Mode)
4. 微軟說明:debugger commands
有幾個系列的影片教學, 可以身歷其境的感受一下 windbg的強大, 分別是:
1. 影片教學: WinDbg Basics for Malware Analysis
2. 影片教學: Windows Kernel Programming Tutorials for Beginners
3. 教學 Remote debugging
4. 微軟教學影片: Debugging KMDF Drivers
!load wdfkd.dll #載入Windows Driver Framework Extensions (Wdfkd.dll), 有更多好用的指令!chain #列出所有已加載的debugger extension!wdfhelp #ugger extension!wdfhelp #幫助說明!wdflogdump #顯示 WDF In-flight Recorder log records!wdfldr #顯示目前bound to WDF的drivers資訊 !wdftmffile!wdfdriverinfo!wdfhandle!wdfobject!wdfdevice!wdfusbdevice!wdfopenhandles!wdfqueue!wdfreuest
其他在網路上的先進們分享知識的 Windbg專欄部落格:
1. hgy413的专栏windbg
2. 匠心十年: WinDbg 命令手册
或是特別說明一些其他技巧與步驟, 小軟體工具之類:
1. symbol: WinDbg 設定 symbol file path 的四種方法
先知道格式吧:
srv*{cache path}*{symbol server}
我的寫法填入Windbg GUI下拉的Sympol File Path:
srv*C:\Symbol*https://msdl.microsoft.com/download/symbols
2. symbol: 使用SymChk獲取符號文件
3. PDB: 你可能會想知道的關於 .PDB 檔的一些事
4. break point: WinDBG 技巧:设断点命令详解(bp, bu, bm, ba 以及bl, bc, bd, be)
5. BSOD情況分析: Trace BSOD with WinDbg
6. 如何進安全模式:幾種 Windows 10 進入安全模式的方法
因為有時候無法開機的原因,可能是系統中的某些驅動程式出了問題,或是在載入某些開機時要一起載入的程式,導致無法開機。而當我們選用安全模式啟動時,僅載入開機時最必要的檔案,其它多餘的檔案、驅動程式一律都不載入,因此如果無法進入Windows桌面是這方面問題所導致的,那麼用安全模式就應該可以順利排除問題,讓你可以進入Windows系統桌面。
7.什麼是SysWow64: SysWow64檔夾,是64位Windows用來存放32位元Windows系統檔的地方。
8.win10的快速啟動是什麼:win10電腦的「快速啟動」模式你知多少?
9.基本:9招解決 Windows 系統問題或故障,不用靠別人、自己來搞定
一些有用的工具:
1. 小軟體: BlueScreenview
2. 小軟體: Windows Repair
3. 小軟體: CCleaner
4. 微軟 Process explorer: 類似Windows「工作管理員」的程式,主要功能就是列出目前電腦中正在運行的全部程式以及跟運行中程式相關的全部詳細資料
5. 微軟 Process dump: 命令行工具, 它的主要目的是監控應用程序的CPU異常動向, 並在此異常時生成crash dump文件, 供研發人員和管理員確定問題發生的原因.你還可以把它作為生成dump的工具使用在其他的腳本中.ProcDump與Procexp一樣是Windows平台上的內部調試工具,Procexp採用圖形界面體現系統整體及個別進程的性能信息,而ProcDump則與我們在Unix平台上使用的性能分析工具類似使用CLI命令行界面。
6. 微軟 LiveKD:使用Microsoft內核調試器檢查系統。
Windbg 基本操作指令:
- 開啟crash dump檔案路徑為 File > Open crash dump
- 以下指令載入symbols:
- .symfix C:\symbols: 設定local端的symbol目錄位置
- .reload : 重載一次
- .sympath : 顯示目前的symbol path
Windbg一般與幫助指令:
指令: ?
顯示說明基本的各種輸入常規指令
0:000> ?Open debugger.chm for complete debugger documentationB[C|D|E][] - clear/disable/enable breakpoint(s)BL - list breakpointsBA - set processor breakpointBP - set soft breakpointD[type][] - dump memoryDT [-n|y] [[mod!]name] [[-n|y]fields] [address] [-l list] [-a[]|c|i|o|r[#]|v] - dump using type informationDV [] - dump local variablesDX [-r[#]] - display C++ expression using extension model (e.g.: NatVis)E[type] [] - enter memory valuesG[H|N] [= [...]] - goK - stacktraceKP - stacktrace with source argumentsLM[k|l|u|v] - list modulesLN - list nearest symbolsP [=] [] - step overQ - quitR [[ [= ]]] - view or set registersS[] - search memorySX [{e|d|i|n} [-c "Cmd1"] [-c2 "Cmd2"] [-h] {Exception|Event|*}] - event filterT [=] [] - trace intoU [] - unassembleversion - show debuggee and debugger versionX [<*|module>!]<*|symbol> - view symbols? - display expression?? - display C++ expression$< - take input from a command fileHit Enter... unary ops: + - not by wo dwo qwo poi hi low binary ops: + - * / mod(%) and(&) xor(^) or(|) comparisons: == (=) < > != operands: number in current radix, public symbol, : b (byte), w (word), d[s] (doubleword [with symbols]), a (ascii), c (dword and Char), u (unicode), l (list) f (float), D (double), s|S (ascii/unicode string) q (quadword) : [(nt | )!] ( can include ? and *) : : L User-mode options:~ - list threads status~#s - set default thread| - list processes status|#s - set default processx64 options:DG - dump selector : [r|e]ax, [r|e]bx, [r|e]cx, [r|e]dx, [r|e]si, [r|e]di, [r|e]bp, [r|e]sp, [r|e]ip, [e]fl, r8-r15 with b/w/d subregisters al, ah, bl, bh, cl, ch, dl, dh, cs, ds, es, fs, gs, ss sil, dil, bpl, spl dr0, dr1, dr2, dr3, dr6, dr7 fpcw, fpsw, fptw, st0-st7, mm0-mm7 xmm0-xmm15 : iopl, of, df, if, tf, sf, zf, af, pf, cf : #<16-bit protect-mode [seg:]address>, &Open debugger.chm for complete debugger documentation
指令: .help
說明系統指令
第一排還有快速連結個字母開頭的
0:000> .help A B C D E F G H I J K L M N O P Q R S T U V W X Y Z All. commands: .allow_exec_cmds [0|1] - control execution commands .allow_image_mapping [0|1] - control on-demand image file mapping .apply_dbp [] - add current data breakpoint state to a register context .asm [] - set disassembly options .asm- [] - clear disassembly options .attach - attach to at next execution .block { } - brackets a set of commands for nested execution .break - break out of the enclosing loop .cache [] - virtual memory cache control .call (, , ...) - run a function in the debuggee .catch { } - catch failures in commands .chain - list current extensions .clients - list currently active clients .continue - continue the enclosing loop .copysym [] - copy current symbol files to a directory .create - create a new process .createdir [] [] - control process creation options .cxr - dump context record at specified address k* after this gives cxr stack .dbgdbg - attach a debugger to the current debugger .debug_sw_wow [0|1] - allow interaction with software WOW emulation .detach - detach from the current process/dump .dml_file - output DML content from file .dml_flow - show basic block code flow .dml_start [] - navigable overview of debugger activities .do { } () - execute until is zero .drivers - This command was removed -- use 'lm' or .reload -l) .dump [] - create a dump file on the host system .dumpcab [] - create a CAB for an open dump .dumpdebug - display detailed information about the dump file .dvalloc [] - VirtualAlloc memory in the debuggee .dvfree [] - VirtualFree memory in the debuggee .echo [""|] - echo string .echotime - output debugger time .echotimestamps [0|1] - toggle timestamp output on events .ecxr - dump context record for current exception .excr - dump context record for current exception .effmach [] - change current machine type .else { } - if/then/else conditional execution .elsif () { } [] - if/then/else conditional execution .enable_long_status [0|1] - dump LONG types in default base .enable_unicode [0|1] - dump USHORT array/pointers and unicode strings .endsrv - disable the given engine server .endpsrv - cause the current session's remote server to exit .enumtag - enumerate available tagged data .eventlog - display log of recent events .events - display and select available events .eventstr - display any event strings registered by debuggee .exepath [[;...]] - set executable search path .exepath+ [[;...]] - append executable search path .expr - control expression evaluator .exptr - do .exr and .cxr for EXCEPTION_POINTERS .exr - dump exception record at specified address .extmatch [] - display all extensions matching pattern .extpath [[;...]] - set extension search path .extpath+ [[;...]] - append extension search path .f+ - set current stack frame to caller of current frame .f- - set current stack frame to callee of current frame .fiber - sets context of fiber at address resets context if no address specified .fiximports - attempts to link imports for images .fnent - dump function entry for the given code address .fnret [] - display formatted return value .for ( ; ; ) { } - execute and until is zero .force_radix_output [0|1] - dump integer types in default base .force_system_init [] - force pending systems to initialize if possible .force_tb - forcibly allow branch tracing .foreach [opts] ( { } ) { } - execute for each token in the output of .fpo - control override FPO information .frame [] - set current stack frame for locals .formats - displays expression result in many formats .help [] - display this help .holdmem [range] - hold and compare memory data .if () { } [] - if/then/else conditional execution .ignore_missing_pages [0|1] - control kernel summary dump missing page error message .imgscan - scan memory for PE images .jdinfo [/u] - interpret AeDebug information .kframes - set default stack trace depth .lastevent - display the last event that occurred .leave - exit the enclosing .catch .lines - toggle line symbol loading .load - add this extension DLL to the extension chain .loadby - add the extension DLL in the module directory to the extension chain .locale [] - set the current locale .logfile - display log status .logopen [] - open new log file .logappend [] - append to log file .logclose - close log file .netsyms [0|1] - allow/disallow net symbol paths .netuse [] - manage net connections .noshell - disable shell commands .noversion - disable extension version checking .nvlist - display the set of .NATVIS files loaded into the debugger .nvload - load a .NATVIS file .nvunload - unload a .NATVIS file .nvunloadall - unload all .NATVIS files .ofilter - filter debuggee output against the given pattern .opendump - open a dump file .outmask - set bits in the current output mask .outmask- - clear bits in the current output mask .pcmd [] - control per-prompt command .pop [] - pop state .prefer_dml [0|1] - control DML mode default .printf "", - formatted output .process [] - sets implicit process resets default if no address specified .process_info - display security related information of current process .prompt_allow [] - control what information can be displayed at the prompt .push [] - push state .quit_lock [] - locks session against unexpected quit .readmem - read raw memory from a file .record_branches [0|1] - controls recording of processor branching .reload [[=,]] - reload symbols .restart - request a session restart .remote - start remote.exe server .secure [0|1] - disallow operations dangerous for the host .scriptlist - display the set of scripts loaded into the debugger .scriptload - load a script file .scriptproviders - display the set of script providers in the debugger .scriptunload - unload a script file .send_file - send files to remote server .server - start engine server .servers - list active remoting servers .setdll - debugger will search for extensions in this DLL first .settings - manage settings .shell [] - execute shell command .show_read_failures [] - control extra read failure output .show_sym_failures [] - control extra symbol failure output .sleep - debugger sleeps for given duration useful for allowing access to a machine that's broken in on an ntsd -d .srcfix [] - fix source search path .srcfix+ [] - append fixed source search path .srcnoisy [0|1] - control verbose source loading output .srcpath [[;...]] - set source search path .srcpath+ [[;...]] - append source search path .step_filter [] ["[;...]"] - Set symbol patterns to skip when stepping .symfix [] - fix symbol search path .symfix+ [] - append fixed symbol search path .symopt - set symbol options .symopt+ - set symbol options .symopt- - clear symbol options .sympath [[;...]] - set symbol search path .sympath+ [[;...]] - append symbol search path .thread [] - sets context of thread at address resets default context if no address specified .time - displays session time information .timezone - display timezone information .ttime - displays thread time information .tlist - list running processes .typeopt - set/clear type options .unload - remove this extension DLL from the list of extension DLLs .unloadall - remove all extension DLLs from the list of extensions DLLs .wake - wake up a .sleep'ing debugger .while () { } - execute while is non-zero .writemem - write raw memory to a file .rrestart - register current session for Application Restart .urestart - unregister current session from Application Restart .inline - query the state whether debuggers should query inline functions .stackprovider - query the state whether debugger should query stack dump providers .stkwalk_force_frame_pointer - query or set the state whether debuggers should unwind stack solely based on frame pointer .hideinjectedcode [] - Hide injected calls from stepping in source mode .enablepackagedebug - Enable debugging for UWP application. .disablepackagedebug - Disable debugging for UWP application. .suspendpackage - Suspends a UWP application. .resumepackage - Resumes a UWP application. .querypackage - Displays the state of a UWP application. .querypackages - Lists all UWP applications and their state. .createpackageapp [] - Enables debugging and launches a UWP application. .terminatepackageapp - Terminates all processes for UWP application. .activatepackagebgtask - Enables debugging and launches a UWP background task.Use ".hh " or open debugger.chm in the debuggers directory to getdetailed documentation on a command.
指令:.chain
列出所有已加載的調試器擴展 (List Debugger Extensions)
0:000> .chainExtension DLL search Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\WINXP;C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\winext;C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\winext\arcade;C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\pri;C:\Program Files (x86)\Windows Kits\10\Debuggers\x86;C:\Program Files (x86)\Windows Kits\10\Debuggers\x86;C:\ProgramData\Oracle\Java\javapath;C:\Program Files (x86)\Intel\iCLS Client\;C:\Program Files\Intel\iCLS Client\;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL;C:\Program Files\Intel\Intel(R) Management Engine Components\DAL;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT;C:\Program Files\Intel\Intel(R) Management Engine Components\IPT;C:\Program Files (x86)\Windows Kits\8.1\Windows Performance Toolkit\;C:\Program Files\Microsoft SQL Server\110\Tools\Binn\;C:\WINDOWS\SysWOW64\WindowsPowerShell\v1.0\Modules\TShell\TShell\;C:\Program Files\Java\jdk1.8.0_45\bin;C:\Program Files\nodejs\;C:\Program Files\TortoiseSVN\bin;C:\Program Files\Microsoft SQL Server\130\Tools\Binn\;C:\Program Files\Microsoft\Web Platform Installer\;C:\Program Files (x86)\Microsoft ASP.NET\ASP.NET Web Pages\v1.0\;C:\Program Files (x86)\Windows Kits\8.0\Windows Performance Toolkit\;C:\Users\Jamie\AppData\Local\Microsoft\WindowsApps;Extension DLL chain: dbghelp: image 10.0.14321.1024, API 10.0.6, built Sat Jul 16 09:29:50 2016 [path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\dbghelp.dll] ext: image 10.0.14321.1024, API 1.0.0, built Sat Jul 16 09:29:44 2016 [path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\winext\ext.dll] exts: image 10.0.14321.1024, API 1.0.0, built Sat Jul 16 09:28:14 2016 [path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\WINXP\exts.dll] uext: image 10.0.14321.1024, API 1.0.0, built Sat Jul 16 09:28:11 2016 [path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\winext\uext.dll] ntsdexts: image 10.0.14393.33, API 1.0.0, built Thu Jul 28 13:23:56 2016 [path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\WINXP\ntsdexts.dll]
指令: .extmatch
.extmatch /D /e XXXXX * 顯示由當前加載的與指定模式匹配的擴展DLL導出的擴展命令
0:000> .extmatch /D /e ntsdexts *!ntsdexts.critsec!ntsdexts.dp!ntsdexts.dreg!ntsdexts.dt!ntsdexts.gatom!ntsdexts.handle!ntsdexts.help!ntsdexts.hleak!ntsdexts.htrace!ntsdexts.locks!ntsdexts.runaway!ntsdexts.threadtoken0:000> .extmatch /D /e uext *!uext.evlog!uext.findstack!uext.handle!uext.help!uext.mapped_file!uext.runaway!uext.uniqstack!uext.vadump!uext.vprot
指令:.hh
打開 WinDbg 的幫助文件
指令: .restart
重新啟動被調試的應用程式(Restart Target Application)
指令: version
顯示調試器版本信息和已加載的調試器擴展
指令: vercommand
顯示調試器啟動文件的路徑
0:000> vercommandcommand line: '"C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbg.exe" '
指令: vertarget
顯示目標機器Microsoft Windows操作系统版本資訊
0:000> vertargetWindows 10 Version 14393 MP (4 procs) Free x64Product: WinNt, suite: SingleUserTSkernel32.dll version: 10.0.14393.2214 (rs1_release_1.180402-1758)Machine Name:Debug session time: Tue Dec 10 10:26:46.000 2019 (UTC + 8:00)System Uptime: 39 days 17:48:11.976Process Uptime: 39 days 17:45:01.000 Kernel time: 0 days 0:00:04.000 User time: 0 days 0:00:02.000
指令: .effmach
顯示目標機器的處理器模資訊
.effmach .
.effmach #
.effmach x86 | amd64 | ia64 | ebc
0:000> .effmachEffective machine: x64 (AMD64)
指令: .cls
清理螢幕
指令: .echo
輸出字串 e.g. .echo “Hello World”
指令: .time
顯示系統記錄的各種時間
組合鍵: ctrl+alt+v
能切換詳細模式的打開和關閉
打開詳細模式後,一些顯示命令會產生更詳細的輸出,發送給調試器的每個模塊加載操作都會被顯示出來
並且操作系統每次加載驅動或都DLL也會提示
Windbg 模塊Module加载命令
指令: lm
列出已載入模塊(List Loaded Modules)
lm: List modules
lmv: List module versions
lmvm: List specific module versions
lm m ModuleName
0:000> lmstart end module name00000000`6a030000 00000000`6a0f9000 msvcr80 (deferred) 00000001`40000000 00000001`40016000 valWBFPolicyService (deferred) 00007ffa`a9110000 00007ffa`a9171000 wevtapi (deferred) 00007ffa`aab40000 00007ffa`aab68000 devobj (deferred) 00007ffa`aada0000 00007ffa`aadf4000 mintdh (deferred) 00007ffa`aae00000 00007ffa`aaeae000 tdh (deferred) 00007ffa`ab940000 00007ffa`ab96b000 bcrypt (deferred) 00007ffa`abde0000 00007ffa`abdf0000 msasn1 (deferred) 00007ffa`abdf0000 00007ffa`ac00d000 KERNELBASE (pdb symbols) c:\symbols\kernelbase.pdb\C1CB335438FC484B842D02CB20116D3A1\kernelbase.pdb00007ffa`ac010000 00007ffa`ac190000 gdi32full (deferred) 00007ffa`ac190000 00007ffa`ac1ae000 win32u (deferred) 00007ffa`ac1b0000 00007ffa`ac1f2000 cfgmgr32 (deferred) 00007ffa`ac8e0000 00007ffa`acaa9000 crypt32 (deferred) 00007ffa`acb60000 00007ffa`acc55000 ucrtbase (deferred) 00007ffa`acc60000 00007ffa`accfc000 msvcp_win (deferred) 00007ffa`acd60000 00007ffa`acdca000 bcryptPrimitives (deferred) 00007ffa`ad120000 00007ffa`ad1df000 oleaut32 (deferred) 00007ffa`ad240000 00007ffa`ad508000 combase (deferred) 00007ffa`ad5b0000 00007ffa`ad9d9000 setupapi (deferred) 00007ffa`ad9e0000 00007ffa`adb01000 rpcrt4 (deferred) 00007ffa`adb10000 00007ffa`adb69000 sechost (deferred) 00007ffa`adbe0000 00007ffa`adc14000 gdi32 (deferred) 00007ffa`adc20000 00007ffa`adcbe000 msvcrt (deferred) 00007ffa`af330000 00007ffa`af3dc000 kernel32 (deferred) 00007ffa`af3e0000 00007ffa`af518000 ole32 (deferred) 00007ffa`af550000 00007ffa`af6b5000 user32 (deferred) 00007ffa`af6c0000 00007ffa`af762000 advapi32 (deferred) 00007ffa`af850000 00007ffa`af86c000 imagehlp (deferred) 00007ffa`af870000 00007ffa`af878000 psapi (deferred) 00007ffa`af8f0000 00007ffa`afac2000 ntdll (pdb symbols) c:\symbols\ntdll.pdb\3FED89B476364D33AA918AE74196DAF21\ntdll.pdb
指令: !dlls
列出所有加載的模塊和加載數量
0:000> !dlls This is Win8 with the loader DAG.0x00592920: C:\WINDOWS\system32\valWBFPolicyService.exe Base 0x140000000 EntryPoint 0x140007710 Size 0x00016000 DdagNode 0x00592a50 Flags 0x000022cc TlsIndex 0x00000000 LoadCount 0xffffffff NodeRefCount 0x00000000 LDRP_LOAD_NOTIFICATIONS_SENT LDRP_IMAGE_DLL0x00592790: C:\WINDOWS\SYSTEM32\ntdll.dll Base 0x7ffaaf8f0000 EntryPoint 0x00000000 Size 0x001d2000 DdagNode 0x005928c0 Flags 0x0000a2c4 TlsIndex 0x00000000 LoadCount 0xffffffff NodeRefCount 0x00000000 LDRP_IMAGE_DLL0x00592db0: C:\WINDOWS\System32\KERNEL32.DLL Base 0x7ffaaf330000 EntryPoint 0x7ffaaf338400 Size 0x000ac000 DdagNode 0x00592ee0 Flags 0x000ca2cc TlsIndex 0x00000000 LoadCount 0xffffffff NodeRefCount 0x00000000 LDRP_LOAD_NOTIFICATIONS_SENT LDRP_IMAGE_DLL LDRP_DONT_CALL_FOR_THREADS LDRP_PROCESS_ATTACH_CALLED...
指令: !lmi
显示模块的详细信息,包括加载符号信息
!lmi Module
0:000> !lmi kernel32Loaded Module Info: [kernel32] Module: kernel32 Base Address: 00007ffaaf330000 Image Name: kernel32.dll Machine Type: 34404 (X64) Time Stamp: 5ac2f8e6 Tue Apr 3 11:45:42 2018 Size: ac000 CheckSum: b4571Characteristics: 2022 Debug Data Dirs: Type Size VA Pointer CODEVIEW 25, 84b40, 83140 RSDS - GUID: {996833D4-6FC4-412D-A9DE-305E863A2B34} Age: 1, Pdb: kernel32.pdb ?? 4ec, 84b68, 83168 [Data not mapped] Image Type: MEMORY - Image read successfully from loaded memory. Symbol Type: PDB - Symbols loaded successfully from image header. c:\symbols\kernel32.pdb\996833D46FC4412DA9DE305E863A2B341\kernel32.pdb Load Report: public symbols , not source indexed c:\symbols\kernel32.pdb\996833D46FC4412DA9DE305E863A2B341\kernel32.pdbWindbg 符号Symbol加载命令
指令 ld
加載指定模塊的符號 (Load Symbols), 注意藥此symbol的module是已經載入, 若未載入就先lm該module吧 (範例參考:lm ld x)
ld * 加載所有模塊的符號
0:000> ld *Symbols already loaded for msvcr80Symbols already loaded for valWBFPolicyServiceSymbols already loaded for wevtapiSymbols already loaded for devobjSymbols already loaded for mintdhSymbols already loaded for tdhSymbols already loaded for bcryptSymbols already loaded for msasn1Symbols already loaded for KERNELBASESymbols already loaded for gdi32fullSymbols already loaded for win32uSymbols already loaded for cfgmgr32Symbols already loaded for crypt32Symbols already loaded for ucrtbaseSymbols already loaded for msvcp_winSymbols already loaded for bcryptPrimitivesSymbols already loaded for oleaut32Symbols already loaded for combaseSymbols already loaded for setupapiSymbols already loaded for rpcrt4Symbols already loaded for sechostSymbols already loaded for gdi32Symbols already loaded for msvcrtSymbols already loaded for kernel32Symbols already loaded for ole32Symbols already loaded for user32Symbols already loaded for advapi32Symbols already loaded for imagehlpSymbols already loaded for psapiSymbols already loaded for ntdll
指令 x
搜尋匹配的符号資訊(Examine Symbols)
x [Options] ModuleName!SymbolName 以!為界module與symbol
用法:
x *! 列出所有模块Module
0:000> x *!start end module name00000000`6a030000 00000000`6a0f9000 msvcr80 (deferred) 00000001`40000000 00000001`40016000 valWBFPolicyService (deferred) 00007ffa`a9110000 00007ffa`a9171000 wevtapi (deferred) 00007ffa`aab40000 00007ffa`aab68000 devobj (deferred) 00007ffa`aada0000 00007ffa`aadf4000 mintdh (deferred) 00007ffa`aae00000 00007ffa`aaeae000 tdh (deferred) 00007ffa`ab940000 00007ffa`ab96b000 bcrypt (deferred) 00007ffa`abde0000 00007ffa`abdf0000 msasn1 (deferred) 00007ffa`abdf0000 00007ffa`ac00d000 KERNELBASE (pdb symbols) c:\symbols\kernelbase.pdb\C1CB335438FC484B842D02CB20116D3A1\kernelbase.pdb00007ffa`ac010000 00007ffa`ac190000 gdi32full (deferred) 00007ffa`ac190000 00007ffa`ac1ae000 win32u (deferred) 00007ffa`ac1b0000 00007ffa`ac1f2000 cfgmgr32 (deferred) 00007ffa`ac8e0000 00007ffa`acaa9000 crypt32 (deferred) 00007ffa`acb60000 00007ffa`acc55000 ucrtbase (deferred) 00007ffa`acc60000 00007ffa`accfc000 msvcp_win (deferred) 00007ffa`acd60000 00007ffa`acdca000 bcryptPrimitives (deferred) 00007ffa`ad120000 00007ffa`ad1df000 oleaut32 (deferred) 00007ffa`ad240000 00007ffa`ad508000 combase (deferred) 00007ffa`ad5b0000 00007ffa`ad9d9000 setupapi (deferred) 00007ffa`ad9e0000 00007ffa`adb01000 rpcrt4 (deferred) 00007ffa`adb10000 00007ffa`adb69000 sechost (deferred) 00007ffa`adbe0000 00007ffa`adc14000 gdi32 (deferred) 00007ffa`adc20000 00007ffa`adcbe000 msvcrt (deferred) 00007ffa`af330000 00007ffa`af3dc000 kernel32 (deferred) 00007ffa`af3e0000 00007ffa`af518000 ole32 (deferred) 00007ffa`af550000 00007ffa`af6b5000 user32 (deferred) 00007ffa`af6c0000 00007ffa`af762000 advapi32 (deferred) 00007ffa`af850000 00007ffa`af86c000 imagehlp (deferred) 00007ffa`af870000 00007ffa`af878000 psapi (deferred) 00007ffa`af8f0000 00007ffa`afac2000 ntdll (pdb symbols) c:\symbols\ntdll.pdb\3FED89B476364D33AA918AE74196DAF21\ntdll.pdb
x ntdll!a* 列出 ntdll 模块底下所有a開頭的symbol
0:000> x ntdll!ap*00007ffa`af9648b4 ntdll!AppModelPolicy_GetPolicy (void)00007ffa`af917250 ntdll!ApiSetQueryApiSetPresence (void)00007ffa`afa0d3b0 ntdll!AppModelLibraryLoadFailureSystemBinary = 00007ffa`afa0d420 ntdll!AppModelLibraryLoadFailureApplicationBinary = 00007ffa`af91767c ntdll!ApiSetResolveToHost ()00007ffa`afa0d450 ntdll!AppModelRuntimeProviderId = 00007ffa`afa0d3e0 ntdll!AppModelGenericLibraryLoadFailureNoTermination = 00007ffa`af9177a0 ntdll!ApiSetpSearchForApiSet ()00007ffa`afa0d390 ntdll!AppModelLibraryLoadFailureNgenBinary = 00007ffa`af916b68 ntdll!ApiSetpSearchForApiSetHost ()
指令!sym
獲取符號加載狀態
!sym noisy 讓調試器顯示符號搜索詳細信息
!sym quiet 默認項,不顯示符號搜索信息
指令.sympath
顯示和設置符號搜索路徑
.sympath+ 增加符號搜索路徑
.sympath+ C:\Symbols
指令.symfix
設置符號庫路徑
.sym+ DownstreamStore 添加符號庫路徑
指令 .reload
重新加載符號信息
Windbg 異常分析指令:
指令: dump
.dump d:/test.dump
也就是說可以透過windbg來產生dump檔案
e.g.
產生完整Kernel Mode Dump :
.dump /f C:\memory.dmp
產生 user mode Dump:
.dump /m C:\memory.dmp
產生 User mode + 其他資訊:
.dump /mfh C:\memory.dmp
指令: !analyze
!analyze -v
顯示當前異常的詳細信息
e.g. !analyze –v d:\test.dump
!analyze -hang
診斷線程調用棧上是否有任何線程阻塞了其他線程
!analyze -f
查看異常分析信息,儘管調試器並未診斷出異常
指令: .lastevent
显示最近一次发生的异常或事件
指令: .load wow64exts
指令: !wow64exts.sw
從64位模式切換到了32位
指令: !locks
顯示目前 locks 鎖
指令: !qlocks
顯示目前 spinlock鎖
Windbg 關於memory的指令
指令dt (Display Type)
dt ntdll!*IMAGE* :查找有什麼Headers
以下例子是 notepad在memory查找出PE header的位址, 然後透過dt指令就可以查到定義的結構內容:
指令: .Dvalloc
讓 Windows 以分配到目標進程的更多memory。
指令: r
显示或修改寄存器、浮点寄存器、标志位、伪寄存器和预定义别名。直接用r,会显示当前线程的寄存器状态
指令: d*
显示给定范围memory的内容。
da ASCII 字符
db 字节值和ASCII字符
指令: e*
e命令和d命令非常相似,一個讀取一個寫入編輯
ea ASCII 字符串(不以NULL结尾)。
eb 字节值。
0:000> .dvalloc 100Allocated 1000 bytes starting at 000800000:000> ea 00080000 "i am ansi "0:000> db 00080000 00080000 69 20 61 6d 20 61 6e 73-69 20 00 00 00 00 00 00 i am ansi ......
指令u* :
命令显示指定的内存中的程序代码的反汇编。如果要反汇编某一个地址,直接用u命令加地址
ub 指示要反汇编的区域是向后计算的。
uf 命令显示内存中指定函数的反汇编代码。
指令x:
命令显示所有上下文中匹配指定模板的符号。可用字符通配符
指令: s (Search Memory)
搜索内存查找指定模板
指令: dt:
命令显示局部变量、全局变量或数据类型的信息。它也可以仅显示数据类型。即结构和联合(union)的信息
dt最方便处是查找结构体,查找结构体一定要使用dt,不要使用x
PE文件解析
1.dos头:
0:001> dt IMAGE_DOS_HEADER 01230000
2.nt头
e_lfanew定义了真正的PE文件头的相对偏移量RVA
0:001> da 01230000 +0n224
012300e0 “PE”
0:001> dt IMAGE_NT_HEADERS 01230000 +0n224
3.文件头
0:001> dt IMAGE_FILE_HEADER 01230000 +0n224+0x4
4.扩展文件头
0:001> dt _IMAGE_OPTIONAL_HEADER 01230000 +0n224+0x18
指令: dh
!dh 擴展顯示指定映像的頭部。
指令:!address
顯示整個地址空間和使用摘要的信息
0:000> !address Mapping file section regions...Mapping module regions...Mapping PEB regions...Mapping TEB and stack regions...Mapping heap regions...Mapping page heap regions...Mapping other regions...Mapping stack trace database regions...Mapping activation context regions... BaseAddress EndAddress+1 RegionSize Type State Protect Usage--------------------------------------------------------------------------------------------------------------------------+ 0`00000000 0`00010000 0`00010000 MEM_FREE PAGE_NOACCESS Free + 0`00010000 0`00020000 0`00010000 MEM_MAPPED MEM_COMMIT PAGE_READWRITE Heap [ID: 1; Handle: 0000000000010000; Type: Segment]+ 0`00020000 0`00021000 0`00001000 MEM_MAPPED MEM_COMMIT PAGE_READONLY [............NSDS]+ 0`00021000 0`00030000 0`0000f000 MEM_FREE PAGE_NOACCESS Free + 0`00030000 0`00046000 0`00016000 MEM_MAPPED MEM_COMMIT PAGE_READONLY Other [API Set Map]+ 0`00046000 0`00050000 0`0000a000 MEM_FREE PAGE_NOACCESS Free + 0`00050000 0`00143000 0`000f3000 MEM_PRIVATE MEM_RESERVE Stack [~0; b60.b64] 0`00143000 0`00146000 0`00003000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE|PAGE_GUARD Stack [~0; b60.b64] 0`00146000 0`00150000 0`0000a000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE Stack [~0; b60.b64]+ 0`00150000 0`00154000 0`00004000 MEM_MAPPED MEM_COMMIT PAGE_READONLY Other [System Default Activation Context Data]+ 0`00154000 0`00160000 0`0000c000 MEM_FREE PAGE_NOACCESS Free + 0`00160000 0`00161000 0`00001000 MEM_MAPPED MEM_COMMIT PAGE_READONLY Other [Activation Context Data]+ 0`00161000 0`00170000 0`0000f000 MEM_FREE PAGE_NOACCESS Free + 0`00170000 0`00172000 0`00002000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE [................]+ 0`00172000 0`00180000 0`0000e000 MEM_FREE PAGE_NOACCESS Free + 0`00180000 0`00183000 0`00003000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE Heap [ID: 0; Handle: 0000000000590000; Type: Front End] 0`00183000 0`0019a000 0`00017000 MEM_PRIVATE MEM_RESERVE Heap [ID: 0; Handle: 0000000000590000; Type: Front End]+ 0`0019a000 0`001a0000 0`00006000 MEM_FREE PAGE_NOACCESS Free + 0`001a0000 0`001a1000 0`00001000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE Heap [ID: 2; Handle: 0000000000860000; Type: Front End] 0`001a1000 0`001ba000 0`00019000 MEM_PRIVATE MEM_RESERVE Heap [ID: 2; Handle: 0000000000860000; Type: Front End]+ 0`001ba000 0`001c0000 0`00006000 MEM_FREE PAGE_NOACCESS Free + 0`001c0000 0`001c1000 0`00001000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE [................]+ 0`001c1000 0`001d0000 0`0000f000 MEM_FREE PAGE_NOACCESS Free + 0`001d0000 0`001d1000 0`00001000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE [................]+ 0`001d1000 0`001e0000 0`0000f000 MEM_FREE PAGE_NOACCESS Free + 0`001e0000 0`001e5000 0`00005000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE [................]+ 0`001e5000 0`001f0000 0`0000b000 MEM_FREE PAGE_NOACCESS Free + 0`001f0000 0`001f4000 0`00004000 MEM_MAPPED MEM_COMMIT PAGE_READONLY [RESCDIR.........]+ 0`001f4000 0`00200000 0`0000c000 MEM_FREE PAGE_NOACCESS Free + 0`00200000 0`003be000 0`001be000 MEM_PRIVATE MEM_RESERVE 0`003be000 0`003bf000 0`00001000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE PEB [b60] 0`003bf000 0`003c1000 0`00002000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE TEB [~0; b60.b64] 0`003c1000 0`003c5000 0`00004000 MEM_PRIVATE MEM_RESERVE 0`003c5000 0`003c7000 0`00002000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE TEB [~1; b60.dc4] 0`003c7000 0`003c9000 0`00002000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE TEB [~2; b60.e28] 0`003c9000 0`003cb000 0`00002000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE TEB [~3; b60.e2c] 0`003cb000 0`00400000 0`00035000 MEM_PRIVATE MEM_RESERVE + 0`00400000 0`004c1000 0`000c1000 MEM_MAPPED MEM_COMMIT PAGE_READONLY [................]+ 0`004c1000 0`004d0000 0`0000f000 MEM_FREE PAGE_NOACCESS Free + 0`004d0000 0`004ed000 0`0001d000 MEM_MAPPED MEM_COMMIT PAGE_READONLY [..........0.5...] 0`004ed000 0`00590000 0`000a3000 MEM_MAPPED MEM_RESERVE + 0`00590000 0`0068f000 0`000ff000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE Heap [ID: 0; Handle: 0000000000590000; Type: Segment] 0`0068f000 0`00690000 0`00001000 MEM_PRIVATE MEM_RESERVE + 0`00690000 0`006b0000 0`00020000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE [................]+ 0`006b0000 0`006b3000 0`00003000 MEM_MAPPED MEM_COMMIT PAGE_READONLY [MZ..............]+ 0`006b3000 0`00790000 0`000dd000 MEM_FREE PAGE_NOACCESS Free + 0`00790000 0`00791000 0`00001000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE Heap [ID: 3; Handle: 0000000000cc0000; Type: Front End] 0`00791000 0`007aa000 0`00019000 MEM_PRIVATE MEM_RESERVE Heap [ID: 3; Handle: 0000000000cc0000; Type: Front End]+ 0`007aa000 0`007d0000 0`00026000 MEM_FREE PAGE_NOACCESS Free + 0`007d0000 0`007d1000 0`00001000 MEM_MAPPED MEM_COMMIT PAGE_READWRITE [RESCHIT.........]+ 0`007d1000 0`00860000 0`0008f000 MEM_FREE PAGE_NOACCESS Free + 0`00860000 0`00867000 0`00007000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE Heap [ID: 2; Handle: 0000000000860000; Type: Segment] 0`00867000 0`0086a000 0`00003000 MEM_PRIVATE MEM_RESERVE Heap [ID: 2; Handle: 0000000000860000; Type: Segment] 0`0086a000 0`0086f000 0`00005000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE Heap [ID: 2; Handle: 0000000000860000; Type: Segment] 0`0086f000 0`00870000 0`00001000 MEM_PRIVATE MEM_RESERVE + 0`00870000 0`00872000 0`00002000 MEM_MAPPED MEM_COMMIT PAGE_READONLY [................] 0`00872000 0`009f0000 0`0017e000 MEM_MAPPED MEM_RESERVE 0`009f0000 0`009f5000 0`00005000 MEM_MAPPED MEM_COMMIT PAGE_READONLY [............H...] 0`009f5000 0`009f8000 0`00003000 MEM_MAPPED MEM_RESERVE + 0`009f8000 0`00a00000 0`00008000 MEM_FREE PAGE_NOACCESS Free + 0`00a00000 0`00b81000 0`00181000 MEM_MAPPED MEM_COMMIT PAGE_READONLY Other [GDI Shared Handle Table]+ 0`00b81000 0`00cc0000 0`0013f000 MEM_FREE PAGE_NOACCESS Free + 0`00cc0000 0`00ccf000 0`0000f000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE Heap [ID: 3; Handle: 0000000000cc0000; Type: Segment] 0`00ccf000 0`00cd0000 0`00001000 MEM_PRIVATE MEM_RESERVE + 0`00cd0000 0`00dca000 0`000fa000 MEM_PRIVATE MEM_RESERVE Stack [~1; b60.dc4] 0`00dca000 0`00dcd000 0`00003000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE|PAGE_GUARD Stack [~1; b60.dc4] 0`00dcd000 0`00dd0000 0`00003000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE Stack [~1; b60.dc4]+ 0`00dd0000 0`00dfd000 0`0002d000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE Heap [ID: 3; Handle: 0000000000cc0000; Type: Segment] 0`00dfd000 0`00ecf000 0`000d2000 MEM_PRIVATE MEM_RESERVE Heap [ID: 3; Handle: 0000000000cc0000; Type: Segment] 0`00ecf000 0`00ed0000 0`00001000 MEM_PRIVATE MEM_RESERVE + 0`00ed0000 0`00fca000 0`000fa000 MEM_PRIVATE MEM_RESERVE Stack [~2; b60.e28] 0`00fca000 0`00fcd000 0`00003000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE|PAGE_GUARD Stack [~2; b60.e28] 0`00fcd000 0`00fd0000 0`00003000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE Stack [~2; b60.e28]+ 0`00fd0000 0`010cb000 0`000fb000 MEM_PRIVATE MEM_RESERVE Stack [~3; b60.e2c] 0`010cb000 0`010ce000 0`00003000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE|PAGE_GUARD Stack [~3; b60.e2c] 0`010ce000 0`010d0000 0`00002000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE Stack [~3; b60.e2c]+ 0`010d0000 0`01280000 0`001b0000 MEM_FREE PAGE_NOACCESS Free + 0`01280000 0`012da000 0`0005a000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE Heap [ID: 2; Handle: 0000000000860000; Type: Segment] 0`012da000 0`0137f000 0`000a5000 MEM_PRIVATE MEM_RESERVE Heap [ID: 2; Handle: 0000000000860000; Type: Segment] 0`0137f000 0`01380000 0`00001000 MEM_PRIVATE MEM_RESERVE + 0`01380000 0`0177f000 0`003ff000 MEM_MAPPED MEM_COMMIT PAGE_READONLY [RESCSEG.........]+ 0`0177f000 0`01780000 0`00001000 MEM_FREE PAGE_NOACCESS Free + 0`01780000 0`0197f000 0`001ff000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE Heap [ID: 0; Handle: 0000000000590000; Type: Segment] 0`0197f000 0`01980000 0`00001000 MEM_PRIVATE MEM_RESERVE + 0`01980000 0`019f0000 0`00070000 MEM_FREE PAGE_NOACCESS Free + 0`019f0000 0`01aef000 0`000ff000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE Heap [ID: 0; Handle: 0000000000590000; Type: Segment] 0`01aef000 0`01af0000 0`00001000 MEM_PRIVATE MEM_RESERVE + 0`01af0000 0`01e84000 0`00394000 MEM_MAPPED MEM_COMMIT PAGE_READONLY [RESCSEG.........]+ 0`01e84000 0`01e90000 0`0000c000 MEM_FREE PAGE_NOACCESS Free + 0`01e90000 0`01ea6000 0`00016000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE Heap [ID: 0; Handle: 0000000000590000; Type: Segment] 0`01ea6000 0`0228f000 0`003e9000 MEM_PRIVATE MEM_RESERVE Heap [ID: 0; Handle: 0000000000590000; Type: Segment] 0`0228f000 0`02290000 0`00001000 MEM_PRIVATE MEM_RESERVE + 0`02290000 0`6a030000 0`67da0000 MEM_FREE PAGE_NOACCESS Free + 0`6a030000 0`6a031000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [msvcr80; "C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9268_none_88e0de612fadfb38\msvcr80.dll"] 0`6a031000 0`6a0cd000 0`0009c000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image [msvcr80; "C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9268_none_88e0de612fadfb38\msvcr80.dll"] 0`6a0cd000 0`6a0e9000 0`0001c000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [msvcr80; "C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9268_none_88e0de612fadfb38\msvcr80.dll"] 0`6a0e9000 0`6a0ee000 0`00005000 MEM_IMAGE MEM_COMMIT PAGE_READWRITE Image [msvcr80; "C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9268_none_88e0de612fadfb38\msvcr80.dll"] 0`6a0ee000 0`6a0ef000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_WRITECOPY Image [msvcr80; "C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9268_none_88e0de612fadfb38\msvcr80.dll"] 0`6a0ef000 0`6a0f9000 0`0000a000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [msvcr80; "C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9268_none_88e0de612fadfb38\msvcr80.dll"]+ 0`6a0f9000 0`7ffe0000 0`15ee7000 MEM_FREE PAGE_NOACCESS Free + 0`7ffe0000 0`7ffe1000 0`00001000 MEM_PRIVATE MEM_COMMIT PAGE_READONLY Other [User Shared Data] 0`7ffe1000 0`7fff0000 0`0000f000 MEM_PRIVATE MEM_RESERVE + 0`7fff0000 1`40000000 0`c0010000 MEM_FREE PAGE_NOACCESS Free + 1`40000000 1`40001000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [valWBFPolicyService; "C:\Windows\System32\valWBFPolicyService.exe"] 1`40001000 1`4000b000 0`0000a000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image [valWBFPolicyService; "C:\Windows\System32\valWBFPolicyService.exe"] 1`4000b000 1`40011000 0`00006000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [valWBFPolicyService; "C:\Windows\System32\valWBFPolicyService.exe"] 1`40011000 1`40012000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READWRITE Image [valWBFPolicyService; "C:\Windows\System32\valWBFPolicyService.exe"] 1`40012000 1`40013000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [valWBFPolicyService; "C:\Windows\System32\valWBFPolicyService.exe"] 1`40013000 1`40015000 0`00002000 MEM_IMAGE MEM_COMMIT PAGE_READWRITE Image [valWBFPolicyService; "C:\Windows\System32\valWBFPolicyService.exe"] 1`40015000 1`40016000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [valWBFPolicyService; "C:\Windows\System32\valWBFPolicyService.exe"]+ 1`40016000 7ff5`ffec0000 7ff4`bfeaa000 MEM_FREE PAGE_NOACCESS Free + 7ff5`ffec0000 7ff5`ffec5000 0`00005000 MEM_MAPPED MEM_COMMIT PAGE_READONLY Other [Read Only Shared Memory] 7ff5`ffec5000 7ff5`fffc0000 0`000fb000 MEM_MAPPED MEM_RESERVE + 7ff5`fffc0000 7ff5`ffff3000 0`00033000 MEM_MAPPED MEM_COMMIT PAGE_READONLY Other [NLS Tables]+ 7ff5`ffff3000 7ffa`a9110000 4`a911d000 MEM_FREE PAGE_NOACCESS Free + 7ffa`a9110000 7ffa`a9111000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [wevtapi; "C:\Windows\System32\wevtapi.dll"] 7ffa`a9111000 7ffa`a914f000 0`0003e000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image [wevtapi; "C:\Windows\System32\wevtapi.dll"] 7ffa`a914f000 7ffa`a9168000 0`00019000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [wevtapi; "C:\Windows\System32\wevtapi.dll"] 7ffa`a9168000 7ffa`a9169000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READWRITE Image [wevtapi; "C:\Windows\System32\wevtapi.dll"] 7ffa`a9169000 7ffa`a9171000 0`00008000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [wevtapi; "C:\Windows\System32\wevtapi.dll"]+ 7ffa`a9171000 7ffa`aab40000 0`019cf000 MEM_FREE PAGE_NOACCESS Free + 7ffa`aab40000 7ffa`aab41000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [devobj; "C:\Windows\System32\devobj.dll"] 7ffa`aab41000 7ffa`aab59000 0`00018000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image [devobj; "C:\Windows\System32\devobj.dll"] 7ffa`aab59000 7ffa`aab62000 0`00009000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [devobj; "C:\Windows\System32\devobj.dll"] 7ffa`aab62000 7ffa`aab63000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READWRITE Image [devobj; "C:\Windows\System32\devobj.dll"] 7ffa`aab63000 7ffa`aab68000 0`00005000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [devobj; "C:\Windows\System32\devobj.dll"]+ 7ffa`aab68000 7ffa`aada0000 0`00238000 MEM_FREE PAGE_NOACCESS Free + 7ffa`aada0000 7ffa`aada1000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [mintdh; "C:\Windows\System32\mintdh.dll"] 7ffa`aada1000 7ffa`aadd9000 0`00038000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image [mintdh; "C:\Windows\System32\mintdh.dll"] 7ffa`aadd9000 7ffa`aaded000 0`00014000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [mintdh; "C:\Windows\System32\mintdh.dll"] 7ffa`aaded000 7ffa`aadee000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READWRITE Image [mintdh; "C:\Windows\System32\mintdh.dll"] 7ffa`aadee000 7ffa`aadf4000 0`00006000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [mintdh; "C:\Windows\System32\mintdh.dll"]+ 7ffa`aadf4000 7ffa`aae00000 0`0000c000 MEM_FREE PAGE_NOACCESS Free + 7ffa`aae00000 7ffa`aae01000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [tdh; "C:\Windows\System32\tdh.dll"] 7ffa`aae01000 7ffa`aae1a000 0`00019000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image [tdh; "C:\Windows\System32\tdh.dll"] 7ffa`aae1a000 7ffa`aae75000 0`0005b000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [tdh; "C:\Windows\System32\tdh.dll"] 7ffa`aae75000 7ffa`aae76000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READWRITE Image [tdh; "C:\Windows\System32\tdh.dll"] 7ffa`aae76000 7ffa`aaea0000 0`0002a000 MEM_IMAGE MEM_COMMIT PAGE_WRITECOPY Image [tdh; "C:\Windows\System32\tdh.dll"] 7ffa`aaea0000 7ffa`aaea2000 0`00002000 MEM_IMAGE MEM_COMMIT PAGE_READWRITE Image [tdh; "C:\Windows\System32\tdh.dll"] 7ffa`aaea2000 7ffa`aaea5000 0`00003000 MEM_IMAGE MEM_COMMIT PAGE_WRITECOPY Image [tdh; "C:\Windows\System32\tdh.dll"] 7ffa`aaea5000 7ffa`aaeae000 0`00009000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [tdh; "C:\Windows\System32\tdh.dll"]+ 7ffa`aaeae000 7ffa`ab940000 0`00a92000 MEM_FREE PAGE_NOACCESS Free + 7ffa`ab940000 7ffa`ab941000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [bcrypt; "C:\Windows\System32\bcrypt.dll"] 7ffa`ab941000 7ffa`ab960000 0`0001f000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image [bcrypt; "C:\Windows\System32\bcrypt.dll"] 7ffa`ab960000 7ffa`ab966000 0`00006000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [bcrypt; "C:\Windows\System32\bcrypt.dll"] 7ffa`ab966000 7ffa`ab967000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READWRITE Image [bcrypt; "C:\Windows\System32\bcrypt.dll"] 7ffa`ab967000 7ffa`ab96b000 0`00004000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [bcrypt; "C:\Windows\System32\bcrypt.dll"]+ 7ffa`ab96b000 7ffa`abde0000 0`00475000 MEM_FREE PAGE_NOACCESS Free + 7ffa`abde0000 7ffa`abde1000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [msasn1; "C:\Windows\System32\msasn1.dll"] 7ffa`abde1000 7ffa`abde9000 0`00008000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image [msasn1; "C:\Windows\System32\msasn1.dll"] 7ffa`abde9000 7ffa`abdec000 0`00003000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [msasn1; "C:\Windows\System32\msasn1.dll"] 7ffa`abdec000 7ffa`abded000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READWRITE Image [msasn1; "C:\Windows\System32\msasn1.dll"] 7ffa`abded000 7ffa`abdf0000 0`00003000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [msasn1; "C:\Windows\System32\msasn1.dll"]+ 7ffa`abdf0000 7ffa`abdf1000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [KERNELBASE; "C:\Windows\System32\KERNELBASE.dll"] 7ffa`abdf1000 7ffa`abec1000 0`000d0000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image [KERNELBASE; "C:\Windows\System32\KERNELBASE.dll"] 7ffa`abec1000 7ffa`abfde000 0`0011d000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [KERNELBASE; "C:\Windows\System32\KERNELBASE.dll"] 7ffa`abfde000 7ffa`abfe2000 0`00004000 MEM_IMAGE MEM_COMMIT PAGE_READWRITE Image [KERNELBASE; "C:\Windows\System32\KERNELBASE.dll"] 7ffa`abfe2000 7ffa`abfe3000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_WRITECOPY Image [KERNELBASE; "C:\Windows\System32\KERNELBASE.dll"] 7ffa`abfe3000 7ffa`ac00d000 0`0002a000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [KERNELBASE; "C:\Windows\System32\KERNELBASE.dll"]+ 7ffa`ac00d000 7ffa`ac010000 0`00003000 MEM_FREE PAGE_NOACCESS Free + 7ffa`ac010000 7ffa`ac011000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [gdi32full; "C:\Windows\System32\gdi32full.dll"] 7ffa`ac011000 7ffa`ac0cf000 0`000be000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image [gdi32full; "C:\Windows\System32\gdi32full.dll"] 7ffa`ac0cf000 7ffa`ac170000 0`000a1000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [gdi32full; "C:\Windows\System32\gdi32full.dll"] 7ffa`ac170000 7ffa`ac174000 0`00004000 MEM_IMAGE MEM_COMMIT PAGE_READWRITE Image [gdi32full; "C:\Windows\System32\gdi32full.dll"] 7ffa`ac174000 7ffa`ac190000 0`0001c000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [gdi32full; "C:\Windows\System32\gdi32full.dll"]+ 7ffa`ac190000 7ffa`ac191000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [win32u; "C:\Windows\System32\win32u.dll"] 7ffa`ac191000 7ffa`ac19a000 0`00009000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image [win32u; "C:\Windows\System32\win32u.dll"] 7ffa`ac19a000 7ffa`ac1a7000 0`0000d000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [win32u; "C:\Windows\System32\win32u.dll"] 7ffa`ac1a7000 7ffa`ac1a8000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READWRITE Image [win32u; "C:\Windows\System32\win32u.dll"] 7ffa`ac1a8000 7ffa`ac1ae000 0`00006000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [win32u; "C:\Windows\System32\win32u.dll"]+ 7ffa`ac1ae000 7ffa`ac1b0000 0`00002000 MEM_FREE PAGE_NOACCESS Free + 7ffa`ac1b0000 7ffa`ac1b1000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [cfgmgr32; "C:\Windows\System32\cfgmgr32.dll"] 7ffa`ac1b1000 7ffa`ac1de000 0`0002d000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image [cfgmgr32; "C:\Windows\System32\cfgmgr32.dll"] 7ffa`ac1de000 7ffa`ac1eb000 0`0000d000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [cfgmgr32; "C:\Windows\System32\cfgmgr32.dll"] 7ffa`ac1eb000 7ffa`ac1ec000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READWRITE Image [cfgmgr32; "C:\Windows\System32\cfgmgr32.dll"] 7ffa`ac1ec000 7ffa`ac1f2000 0`00006000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [cfgmgr32; "C:\Windows\System32\cfgmgr32.dll"]+ 7ffa`ac1f2000 7ffa`ac8e0000 0`006ee000 MEM_FREE PAGE_NOACCESS Free + 7ffa`ac8e0000 7ffa`ac8e1000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [crypt32; "C:\Windows\System32\crypt32.dll"] 7ffa`ac8e1000 7ffa`ac9d7000 0`000f6000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image [crypt32; "C:\Windows\System32\crypt32.dll"] 7ffa`ac9d7000 7ffa`aca0e000 0`00037000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [crypt32; "C:\Windows\System32\crypt32.dll"] 7ffa`aca0e000 7ffa`aca15000 0`00007000 MEM_IMAGE MEM_COMMIT PAGE_READWRITE Image [crypt32; "C:\Windows\System32\crypt32.dll"] 7ffa`aca15000 7ffa`acaa9000 0`00094000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [crypt32; "C:\Windows\System32\crypt32.dll"]+ 7ffa`acaa9000 7ffa`acb60000 0`000b7000 MEM_FREE PAGE_NOACCESS Free + 7ffa`acb60000 7ffa`acb61000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [ucrtbase; "C:\Windows\System32\ucrtbase.dll"] 7ffa`acb61000 7ffa`acc0c000 0`000ab000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image [ucrtbase; "C:\Windows\System32\ucrtbase.dll"] 7ffa`acc0c000 7ffa`acc45000 0`00039000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [ucrtbase; "C:\Windows\System32\ucrtbase.dll"] 7ffa`acc45000 7ffa`acc48000 0`00003000 MEM_IMAGE MEM_COMMIT PAGE_READWRITE Image [ucrtbase; "C:\Windows\System32\ucrtbase.dll"] 7ffa`acc48000 7ffa`acc55000 0`0000d000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [ucrtbase; "C:\Windows\System32\ucrtbase.dll"]+ 7ffa`acc55000 7ffa`acc60000 0`0000b000 MEM_FREE PAGE_NOACCESS Free + 7ffa`acc60000 7ffa`acc61000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [msvcp_win; "C:\Windows\System32\msvcp_win.dll"] 7ffa`acc61000 7ffa`accb2000 0`00051000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image [msvcp_win; "C:\Windows\System32\msvcp_win.dll"] 7ffa`accb2000 7ffa`accf1000 0`0003f000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [msvcp_win; "C:\Windows\System32\msvcp_win.dll"] 7ffa`accf1000 7ffa`accf2000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_WRITECOPY Image [msvcp_win; "C:\Windows\System32\msvcp_win.dll"] 7ffa`accf2000 7ffa`accf5000 0`00003000 MEM_IMAGE MEM_COMMIT PAGE_READWRITE Image [msvcp_win; "C:\Windows\System32\msvcp_win.dll"] 7ffa`accf5000 7ffa`accfc000 0`00007000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [msvcp_win; "C:\Windows\System32\msvcp_win.dll"]+ 7ffa`accfc000 7ffa`acd60000 0`00064000 MEM_FREE PAGE_NOACCESS Free + 7ffa`acd60000 7ffa`acd61000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [bcryptPrimitives; "C:\Windows\System32\bcryptPrimitives.dll"] 7ffa`acd61000 7ffa`acdb1000 0`00050000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image [bcryptPrimitives; "C:\Windows\System32\bcryptPrimitives.dll"] 7ffa`acdb1000 7ffa`acdc4000 0`00013000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [bcryptPrimitives; "C:\Windows\System32\bcryptPrimitives.dll"] 7ffa`acdc4000 7ffa`acdc5000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READWRITE Image [bcryptPrimitives; "C:\Windows\System32\bcryptPrimitives.dll"] 7ffa`acdc5000 7ffa`acdca000 0`00005000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [bcryptPrimitives; "C:\Windows\System32\bcryptPrimitives.dll"]+ 7ffa`acdca000 7ffa`ad120000 0`00356000 MEM_FREE PAGE_NOACCESS Free + 7ffa`ad120000 7ffa`ad121000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [oleaut32; "C:\Windows\System32\oleaut32.dll"] 7ffa`ad121000 7ffa`ad1a9000 0`00088000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image [oleaut32; "C:\Windows\System32\oleaut32.dll"] 7ffa`ad1a9000 7ffa`ad1ce000 0`00025000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [oleaut32; "C:\Windows\System32\oleaut32.dll"] 7ffa`ad1ce000 7ffa`ad1d1000 0`00003000 MEM_IMAGE MEM_COMMIT PAGE_READWRITE Image [oleaut32; "C:\Windows\System32\oleaut32.dll"] 7ffa`ad1d1000 7ffa`ad1df000 0`0000e000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [oleaut32; "C:\Windows\System32\oleaut32.dll"]+ 7ffa`ad1df000 7ffa`ad240000 0`00061000 MEM_FREE PAGE_NOACCESS Free + 7ffa`ad240000 7ffa`ad241000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [combase; "C:\Windows\System32\combase.dll"] 7ffa`ad241000 7ffa`ad409000 0`001c8000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image [combase; "C:\Windows\System32\combase.dll"] 7ffa`ad409000 7ffa`ad4be000 0`000b5000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [combase; "C:\Windows\System32\combase.dll"] 7ffa`ad4be000 7ffa`ad4bf000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READWRITE Image [combase; "C:\Windows\System32\combase.dll"] 7ffa`ad4bf000 7ffa`ad4c0000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_WRITECOPY Image [combase; "C:\Windows\System32\combase.dll"] 7ffa`ad4c0000 7ffa`ad4c3000 0`00003000 MEM_IMAGE MEM_COMMIT PAGE_READWRITE Image [combase; "C:\Windows\System32\combase.dll"] 7ffa`ad4c3000 7ffa`ad4c4000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_WRITECOPY Image [combase; "C:\Windows\System32\combase.dll"] 7ffa`ad4c4000 7ffa`ad508000 0`00044000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [combase; "C:\Windows\System32\combase.dll"]+ 7ffa`ad508000 7ffa`ad5b0000 0`000a8000 MEM_FREE PAGE_NOACCESS Free + 7ffa`ad5b0000 7ffa`ad5b1000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [setupapi; "C:\Windows\System32\setupapi.dll"] 7ffa`ad5b1000 7ffa`ad65e000 0`000ad000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image [setupapi; "C:\Windows\System32\setupapi.dll"] 7ffa`ad65e000 7ffa`ad68c000 0`0002e000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [setupapi; "C:\Windows\System32\setupapi.dll"] 7ffa`ad68c000 7ffa`ad68d000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READWRITE Image [setupapi; "C:\Windows\System32\setupapi.dll"] 7ffa`ad68d000 7ffa`ad68e000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_WRITECOPY Image [setupapi; "C:\Windows\System32\setupapi.dll"] 7ffa`ad68e000 7ffa`ad9d9000 0`0034b000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [setupapi; "C:\Windows\System32\setupapi.dll"]+ 7ffa`ad9d9000 7ffa`ad9e0000 0`00007000 MEM_FREE PAGE_NOACCESS Free + 7ffa`ad9e0000 7ffa`ad9e1000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [rpcrt4; "C:\Windows\System32\rpcrt4.dll"] 7ffa`ad9e1000 7ffa`adac0000 0`000df000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image [rpcrt4; "C:\Windows\System32\rpcrt4.dll"] 7ffa`adac0000 7ffa`adaea000 0`0002a000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [rpcrt4; "C:\Windows\System32\rpcrt4.dll"] 7ffa`adaea000 7ffa`adaec000 0`00002000 MEM_IMAGE MEM_COMMIT PAGE_READWRITE Image [rpcrt4; "C:\Windows\System32\rpcrt4.dll"] 7ffa`adaec000 7ffa`adb01000 0`00015000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [rpcrt4; "C:\Windows\System32\rpcrt4.dll"]+ 7ffa`adb01000 7ffa`adb10000 0`0000f000 MEM_FREE PAGE_NOACCESS Free + 7ffa`adb10000 7ffa`adb11000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [sechost; "C:\Windows\System32\sechost.dll"] 7ffa`adb11000 7ffa`adb42000 0`00031000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image [sechost; "C:\Windows\System32\sechost.dll"] 7ffa`adb42000 7ffa`adb60000 0`0001e000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [sechost; "C:\Windows\System32\sechost.dll"] 7ffa`adb60000 7ffa`adb61000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READWRITE Image [sechost; "C:\Windows\System32\sechost.dll"] 7ffa`adb61000 7ffa`adb62000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_WRITECOPY Image [sechost; "C:\Windows\System32\sechost.dll"] 7ffa`adb62000 7ffa`adb63000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READWRITE Image [sechost; "C:\Windows\System32\sechost.dll"] 7ffa`adb63000 7ffa`adb69000 0`00006000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [sechost; "C:\Windows\System32\sechost.dll"]+ 7ffa`adb69000 7ffa`adbe0000 0`00077000 MEM_FREE PAGE_NOACCESS Free + 7ffa`adbe0000 7ffa`adbe1000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [gdi32; "C:\Windows\System32\gdi32.dll"] 7ffa`adbe1000 7ffa`adbf3000 0`00012000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image [gdi32; "C:\Windows\System32\gdi32.dll"] 7ffa`adbf3000 7ffa`adc0e000 0`0001b000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [gdi32; "C:\Windows\System32\gdi32.dll"] 7ffa`adc0e000 7ffa`adc0f000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READWRITE Image [gdi32; "C:\Windows\System32\gdi32.dll"] 7ffa`adc0f000 7ffa`adc14000 0`00005000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [gdi32; "C:\Windows\System32\gdi32.dll"]+ 7ffa`adc14000 7ffa`adc20000 0`0000c000 MEM_FREE PAGE_NOACCESS Free + 7ffa`adc20000 7ffa`adc21000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [msvcrt; "C:\Windows\System32\msvcrt.dll"] 7ffa`adc21000 7ffa`adc96000 0`00075000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image [msvcrt; "C:\Windows\System32\msvcrt.dll"] 7ffa`adc96000 7ffa`adcaf000 0`00019000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [msvcrt; "C:\Windows\System32\msvcrt.dll"] 7ffa`adcaf000 7ffa`adcb1000 0`00002000 MEM_IMAGE MEM_COMMIT PAGE_READWRITE Image [msvcrt; "C:\Windows\System32\msvcrt.dll"] 7ffa`adcb1000 7ffa`adcb4000 0`00003000 MEM_IMAGE MEM_COMMIT PAGE_WRITECOPY Image [msvcrt; "C:\Windows\System32\msvcrt.dll"] 7ffa`adcb4000 7ffa`adcb6000 0`00002000 MEM_IMAGE MEM_COMMIT PAGE_READWRITE Image [msvcrt; "C:\Windows\System32\msvcrt.dll"] 7ffa`adcb6000 7ffa`adcb7000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_WRITECOPY Image [msvcrt; "C:\Windows\System32\msvcrt.dll"] 7ffa`adcb7000 7ffa`adcbe000 0`00007000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [msvcrt; "C:\Windows\System32\msvcrt.dll"]+ 7ffa`adcbe000 7ffa`af330000 0`01672000 MEM_FREE PAGE_NOACCESS Free + 7ffa`af330000 7ffa`af331000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [kernel32; "C:\Windows\System32\kernel32.dll"] 7ffa`af331000 7ffa`af3a4000 0`00073000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image [kernel32; "C:\Windows\System32\kernel32.dll"] 7ffa`af3a4000 7ffa`af3d3000 0`0002f000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [kernel32; "C:\Windows\System32\kernel32.dll"] 7ffa`af3d3000 7ffa`af3d4000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READWRITE Image [kernel32; "C:\Windows\System32\kernel32.dll"] 7ffa`af3d4000 7ffa`af3dc000 0`00008000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [kernel32; "C:\Windows\System32\kernel32.dll"]+ 7ffa`af3dc000 7ffa`af3e0000 0`00004000 MEM_FREE PAGE_NOACCESS Free + 7ffa`af3e0000 7ffa`af3e1000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [ole32; "C:\Windows\System32\ole32.dll"] 7ffa`af3e1000 7ffa`af497000 0`000b6000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image [ole32; "C:\Windows\System32\ole32.dll"] 7ffa`af497000 7ffa`af4ee000 0`00057000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [ole32; "C:\Windows\System32\ole32.dll"] 7ffa`af4ee000 7ffa`af4f0000 0`00002000 MEM_IMAGE MEM_COMMIT PAGE_READWRITE Image [ole32; "C:\Windows\System32\ole32.dll"] 7ffa`af4f0000 7ffa`af518000 0`00028000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [ole32; "C:\Windows\System32\ole32.dll"]+ 7ffa`af518000 7ffa`af550000 0`00038000 MEM_FREE PAGE_NOACCESS Free + 7ffa`af550000 7ffa`af551000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [user32; "C:\Windows\System32\user32.dll"] 7ffa`af551000 7ffa`af5ee000 0`0009d000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image [user32; "C:\Windows\System32\user32.dll"] 7ffa`af5ee000 7ffa`af60b000 0`0001d000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [user32; "C:\Windows\System32\user32.dll"] 7ffa`af60b000 7ffa`af60d000 0`00002000 MEM_IMAGE MEM_COMMIT PAGE_READWRITE Image [user32; "C:\Windows\System32\user32.dll"] 7ffa`af60d000 7ffa`af6b5000 0`000a8000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [user32; "C:\Windows\System32\user32.dll"]+ 7ffa`af6b5000 7ffa`af6c0000 0`0000b000 MEM_FREE PAGE_NOACCESS Free + 7ffa`af6c0000 7ffa`af6c1000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [advapi32; "C:\Windows\System32\advapi32.dll"] 7ffa`af6c1000 7ffa`af720000 0`0005f000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image [advapi32; "C:\Windows\System32\advapi32.dll"] 7ffa`af720000 7ffa`af754000 0`00034000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [advapi32; "C:\Windows\System32\advapi32.dll"] 7ffa`af754000 7ffa`af755000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READWRITE Image [advapi32; "C:\Windows\System32\advapi32.dll"] 7ffa`af755000 7ffa`af756000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_WRITECOPY Image [advapi32; "C:\Windows\System32\advapi32.dll"] 7ffa`af756000 7ffa`af758000 0`00002000 MEM_IMAGE MEM_COMMIT PAGE_READWRITE Image [advapi32; "C:\Windows\System32\advapi32.dll"] 7ffa`af758000 7ffa`af759000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_WRITECOPY Image [advapi32; "C:\Windows\System32\advapi32.dll"] 7ffa`af759000 7ffa`af762000 0`00009000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [advapi32; "C:\Windows\System32\advapi32.dll"]+ 7ffa`af762000 7ffa`af850000 0`000ee000 MEM_FREE PAGE_NOACCESS Free + 7ffa`af850000 7ffa`af851000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [imagehlp; "C:\Windows\System32\imagehlp.dll"] 7ffa`af851000 7ffa`af85c000 0`0000b000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image [imagehlp; "C:\Windows\System32\imagehlp.dll"] 7ffa`af85c000 7ffa`af863000 0`00007000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [imagehlp; "C:\Windows\System32\imagehlp.dll"] 7ffa`af863000 7ffa`af864000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READWRITE Image [imagehlp; "C:\Windows\System32\imagehlp.dll"] 7ffa`af864000 7ffa`af865000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_WRITECOPY Image [imagehlp; "C:\Windows\System32\imagehlp.dll"] 7ffa`af865000 7ffa`af867000 0`00002000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [imagehlp; "C:\Windows\System32\imagehlp.dll"] 7ffa`af867000 7ffa`af86a000 0`00003000 MEM_IMAGE MEM_COMMIT PAGE_WRITECOPY Image [imagehlp; "C:\Windows\System32\imagehlp.dll"] 7ffa`af86a000 7ffa`af86c000 0`00002000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [imagehlp; "C:\Windows\System32\imagehlp.dll"]+ 7ffa`af86c000 7ffa`af870000 0`00004000 MEM_FREE PAGE_NOACCESS Free + 7ffa`af870000 7ffa`af871000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [psapi; "C:\Windows\System32\psapi.dll"] 7ffa`af871000 7ffa`af872000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image [psapi; "C:\Windows\System32\psapi.dll"] 7ffa`af872000 7ffa`af874000 0`00002000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [psapi; "C:\Windows\System32\psapi.dll"] 7ffa`af874000 7ffa`af875000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READWRITE Image [psapi; "C:\Windows\System32\psapi.dll"] 7ffa`af875000 7ffa`af878000 0`00003000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [psapi; "C:\Windows\System32\psapi.dll"]+ 7ffa`af878000 7ffa`af8f0000 0`00078000 MEM_FREE PAGE_NOACCESS Free + 7ffa`af8f0000 7ffa`af8f1000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [ntdll; "C:\Windows\System32\ntdll.dll"] 7ffa`af8f1000 7ffa`af9f9000 0`00108000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image [ntdll; "C:\Windows\System32\ntdll.dll"] 7ffa`af9f9000 7ffa`afa3d000 0`00044000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [ntdll; "C:\Windows\System32\ntdll.dll"] 7ffa`afa3d000 7ffa`afa3e000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READWRITE Image [ntdll; "C:\Windows\System32\ntdll.dll"] 7ffa`afa3e000 7ffa`afa40000 0`00002000 MEM_IMAGE MEM_COMMIT PAGE_WRITECOPY Image [ntdll; "C:\Windows\System32\ntdll.dll"] 7ffa`afa40000 7ffa`afa46000 0`00006000 MEM_IMAGE MEM_COMMIT PAGE_READWRITE Image [ntdll; "C:\Windows\System32\ntdll.dll"] 7ffa`afa46000 7ffa`afac2000 0`0007c000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [ntdll; "C:\Windows\System32\ntdll.dll"]+ 7ffa`afac2000 7fff`fffe0000 5`5051e000 MEM_FREE PAGE_NOACCESS Free + 7fff`fffe0000 7fff`ffff0000 0`00010000 MEM_PRIVATE MEM_RESERVE PAGE_NOACCESS
指令: !vadump : 這個會顯示所有的虛擬內存區域和它的保護屬性
指令: !runaway : 顯示每個Thread消費的時間
Bit 0 (0x1) 讓調試器顯示每個Thread消耗的用戶模式時間(user time),默認不加就是0x1
Bit 1 (0x2) 顯示每個Thread消耗的內核時間(kernel time)。
Bit 2 (0x4) 顯示每個Thread從創建開始經歷了多少時間。
Windbg 關於process的指令:
指令: |
顯示當前Process的信息
0:000> |. 0 id: b60 examine name: C:\Windows\System32\valWBFPolicyService.exe
指令: !dml_proc
顯示當前Process的信息
0:000> !dml_procDbgId PID Image file name0 b60 C:\Windows\System32\valWBFPolicyService.exe
指令: .tlist
顯示本機當前所有Process
指令: process
!process 0 0 顯示進程列表
Windbg 關於thread的指令:
指令: ~ (Thread Status):
波形符(~) 命令显示指定线程或当前进程中的所有线程的信息, ~和~*还是有点区别的,~*会把入口函数和优先级都打印出来
指令: ~
顯示所有thread信息
0:000> ~. 0 Id: b60.b64 Suspend: 0 Teb: 00000000`003bf000 Unfrozen 1 Id: b60.dc4 Suspend: 0 Teb: 00000000`003c5000 Unfrozen 2 Id: b60.e28 Suspend: 0 Teb: 00000000`003c7000 Unfrozen 3 Id: b60.e2c Suspend: 0 Teb: 00000000`003c9000 Unfrozen
指令: ~*
顯示所有thread
. 0 Id: b60.b64 Suspend: 0 Teb: 00000000`003bf000 Unfrozen Start: valWBFPolicyService+0x7710 (00000001`40007710) Priority: 0 Priority class: 32 Affinity: f 1 Id: b60.dc4 Suspend: 0 Teb: 00000000`003c5000 Unfrozen Start: sechost!ScSvcctrlThreadA (00007ffa`adb23db0) Priority: 0 Priority class: 32 Affinity: f 2 Id: b60.e28 Suspend: 0 Teb: 00000000`003c7000 Unfrozen Start: valWBFPolicyService+0x1087 (00000001`40001087) Priority: 0 Priority class: 32 Affinity: f 3 Id: b60.e2c Suspend: 0 Teb: 00000000`003c9000 Unfrozen Start: valWBFPolicyService+0x1064 (00000001`40001064) Priority: 0 Priority class: 32 Affinity: f
指令: ~.
顯示當下thread
0:000> ~ .. 0 Id: b60.b64 Suspend: 0 Teb: 00000000`003bf000 Unfrozen Start: valWBFPolicyService+0x7710 (00000001`40007710) Priority: 0 Priority class: 32 Affinity: f
指令: ~# 引發當前事件或異常的thread
指令: ~Number 顯示指定序號的thread
指令: ~* k 顯示所有thread的調用棧
指令: ~2 f 凍結2號thread
指令: ~# f 凍結引發異常的thread
指令: ~3 u 解除對3號thread的凍結
指令: ~2 k 顯示2號thread的調用棧
指令: ~0s 切換到 thread 0
指令: !thread
擴展顯示目標系統中線程包括ETHREAD塊在內的摘要信息。該命令只能在內核模式調試下使用
Windbg 關於Stack的指令
指令: k*:
命令顯示給定Thread的調用Stack,以及其他相關信息
~0 k表示顯示0號Thread的調用Stack,直接用k表示打印當前Thread的調用堆棧
kb 顯示傳遞給Stack回溯中的每個函數的前三個參數
kp 顯示傳遞給Stack回溯中的每個函數的所有參數
指令: !findstack
擴展查找包含指定符號或模塊的所有stack
Windbg腳本
指令: .foreach
分析一個或多個命令的輸出並將該輸出中每一個值作為另一個或多個命令的輸入
.foreach [Options] ( Variable { InCommands } ) { OutCommands }
指令: .printf
和C中的printf 语句类似
各種分析情況劇情:
可參考: ephrain
分析 Stack overflow (recursive)
分析 .NET framework process crash
分析 WoW64 process
分析 memory leak
分析 infinite wait
分析 kernel dump
分析 kernel dump for memory problem
分析 complete kernel dump
