Tracing it back to the source, this is Microsoft's tool, so the official manuals have to be read:
1. Microsoft tutorial: Debugging Tools for Windows (WinDbg, KD, CDB, NTSD)
2. Microsoft tutorial: ACPI Debugging
3. Microsoft tutorial: Getting Started with WinDbg (Kernel-Mode)
4. Microsoft reference: debugger commands
There are several series of video tutorials that let you experience first-hand how powerful WinDbg is:
1. Video tutorial: WinDbg Basics for Malware Analysis
2. Video tutorial: Windows Kernel Programming Tutorials for Beginners
3. Tutorial: Remote debugging
4. Microsoft tutorial video: Debugging KMDF Drivers
!load wdfkd.dll   # load the Windows Driver Framework extensions (Wdfkd.dll); they add many useful commands
!chain            # list all loaded debugger extensions
!wdfhelp          # help text for the WDF extension commands
!wdflogdump       # show the WDF In-flight Recorder log records
!wdfldr           # show the drivers currently bound to WDF
!wdftmffile
!wdfdriverinfo
!wdfhandle
!wdfobject
!wdfdevice
!wdfusbdevice
!wdfopenhandles
!wdfqueue
!wdfrequest
Other WinDbg columns and blogs where experienced people share their knowledge online:
1. hgy413's column: windbg
2. 匠心十年: WinDbg command manual
Or pages that explain particular techniques, procedures and small software tools:
1. symbol: Four ways to set the symbol file path in WinDbg
First, know the format:
srv*{cache path}*{symbol server}
What I enter in the Symbol File Path field of the WinDbg GUI menu:
srv*C:\Symbol*https://msdl.microsoft.com/download/symbols
2. symbol: Fetching symbol files with SymChk
3. PDB: Some things you may want to know about .PDB files
4. breakpoints: WinDbg tips: breakpoint commands explained (bp, bu, bm, ba, and bl, bc, bd, be)
5. BSOD analysis: Trace BSOD with WinDbg
6. How to enter Safe Mode: Several ways to enter Safe Mode on Windows 10
Sometimes a machine fails to boot because a driver in the system has a problem, or because a program that is loaded together with the system at boot is broken. When you boot in Safe Mode, only the files strictly needed for booting are loaded and everything else (extra files, drivers) is skipped, so if the failure to reach the Windows desktop is caused by something in that category, Safe Mode should let you get past it and back to the Windows desktop.
7. What is SysWOW64: the SysWOW64 folder is where 64-bit Windows keeps the 32-bit Windows system files.
8. What Windows 10 Fast Startup is: How much do you know about the "Fast Startup" mode of Windows 10 PCs?
9. Basics: 9 ways to fix Windows system problems or failures yourself, without relying on anyone else
Some useful tools:
1. Utility: BlueScreenView
2. Utility: Windows Repair
3. Utility: CCleaner
4. Microsoft Process Explorer: a program similar to the Windows Task Manager; its main job is to list every program currently running on the machine together with all the details related to those running programs
5. Microsoft ProcDump: a command-line tool whose main purpose is to monitor an application for CPU spikes and generate a crash dump file when one occurs, so that developers and administrators can determine the cause of the problem. It can also be used as a dump-generating tool inside other scripts. Like Procexp, ProcDump is an internal debugging tool for the Windows platform; Procexp presents system-wide and per-process performance information in a GUI, while ProcDump, like the performance analysis tools we use on Unix, uses a CLI.
6. Microsoft LiveKD: examine the system with the Microsoft kernel debugger.
WinDbg basic operation commands:
- To open a crash dump file: File > Open Crash Dump
- The following commands load symbols:
- .symfix C:\symbols: set the local symbol directory
- .reload: reload once
- .sympath: show the current symbol path
WinDbg general and help commands:
Command: ?
Displays help for the basic regular commands
0:000> ?
Open debugger.chm for complete debugger documentation

B[C|D|E][] - clear/disable/enable breakpoint(s)
BL - list breakpoints
BA - set processor breakpoint
BP - set soft breakpoint
D[type][ ] - dump memory
DT [-n|y] [[mod!]name] [[-n|y]fields] [address] [-l list] [-a[]|c|i|o|r[#]|v] - dump using type information
DV [ ] - dump local variables
DX [-r[#]] - display C++ expression using extension model (e.g.: NatVis)
E[type] [ ] - enter memory values
G[H|N] [= [...]] - go
K - stacktrace
KP - stacktrace with source arguments
LM[k|l|u|v] - list modules
LN - list nearest symbols
P [= ] [ ] - step over
Q - quit
R [[ [= ]]] - view or set registers
S[ ] - search memory
SX [{e|d|i|n} [-c "Cmd1"] [-c2 "Cmd2"] [-h] {Exception|Event|*}] - event filter
T [=] [ ] - trace into
U [ ] - unassemble
version - show debuggee and debugger version
X [<*|module>!]<*|symbol> - view symbols
? - display expression
?? - display C++ expression
$< - take input from a command file

Hit Enter...

unary ops: + - not by wo dwo qwo poi hi low
binary ops: + - * / mod(%) and(&) xor(^) or(|)
comparisons: == (=) < > !=
operands: number in current radix, public symbol,
: b (byte), w (word), d[s] (doubleword [with symbols]), a (ascii), c (dword and Char), u (unicode), l (list) f (float), D (double), s|S (ascii/unicode string) q (quadword)
: [(nt | )!] ( can include ? and *)
: : L
User-mode options:
~ - list threads status
~#s - set default thread
| - list processes status
|#s - set default process
x64 options:
DG - dump selector
: [r|e]ax, [r|e]bx, [r|e]cx, [r|e]dx, [r|e]si, [r|e]di, [r|e]bp, [r|e]sp, [r|e]ip, [e]fl, r8-r15 with b/w/d subregisters
  al, ah, bl, bh, cl, ch, dl, dh, cs, ds, es, fs, gs, ss
  sil, dil, bpl, spl
  dr0, dr1, dr2, dr3, dr6, dr7
  fpcw, fpsw, fptw, st0-st7, mm0-mm7
  xmm0-xmm15
: iopl, of, df, if, tf, sf, zf, af, pf, cf
: #<16-bit protect-mode [seg:]address>, &
Open debugger.chm for complete debugger documentation
Command: .help
Explains the meta (dot) commands
The first row also has quick links for each starting letter
0:000> .help
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z All
. commands:
   .allow_exec_cmds [0|1] - control execution commands
   .allow_image_mapping [0|1] - control on-demand image file mapping
   .apply_dbp [] - add current data breakpoint state to a register context
   .asm [ ] - set disassembly options
   .asm- [ ] - clear disassembly options
   .attach - attach to at next execution
   .block { } - brackets a set of commands for nested execution
   .break - break out of the enclosing loop
   .cache [ ] - virtual memory cache control
   .call ( , , ...) - run a function in the debuggee
   .catch { } - catch failures in commands
   .chain - list current extensions
   .clients - list currently active clients
   .continue - continue the enclosing loop
   .copysym [ ] - copy current symbol files to a directory
   .create - create a new process
   .createdir [ ] [ ] - control process creation options
   .cxr - dump context record at specified address
          k* after this gives cxr stack
   .dbgdbg - attach a debugger to the current debugger
   .debug_sw_wow [0|1] - allow interaction with software WOW emulation
   .detach - detach from the current process/dump
   .dml_file - output DML content from file
   .dml_flow - show basic block code flow
   .dml_start [ ] - navigable overview of debugger activities
   .do { } ( ) - execute until is zero
   .drivers - This command was removed -- use 'lm' or .reload -l)
   .dump [ ] - create a dump file on the host system
   .dumpcab [ ] - create a CAB for an open dump
   .dumpdebug - display detailed information about the dump file
   .dvalloc [ ] - VirtualAlloc memory in the debuggee
   .dvfree [ ] - VirtualFree memory in the debuggee
   .echo [" "| ] - echo string
   .echotime - output debugger time
   .echotimestamps [0|1] - toggle timestamp output on events
   .ecxr - dump context record for current exception
   .excr - dump context record for current exception
   .effmach [ ] - change current machine type
   .else { } - if/then/else conditional execution
   .elsif ( ) { } [ ] - if/then/else conditional execution
   .enable_long_status [0|1] - dump LONG types in default base
   .enable_unicode [0|1] - dump USHORT array/pointers and unicode strings
   .endsrv - disable the given engine server
   .endpsrv - cause the current session's remote server to exit
   .enumtag - enumerate available tagged data
   .eventlog - display log of recent events
   .events - display and select available events
   .eventstr - display any event strings registered by debuggee
   .exepath [ [;...]] - set executable search path
   .exepath+ [ [;...]] - append executable search path
   .expr - control expression evaluator
   .exptr - do .exr and .cxr for EXCEPTION_POINTERS
   .exr - dump exception record at specified address
   .extmatch [ ] - display all extensions matching pattern
   .extpath [ [;...]] - set extension search path
   .extpath+ [ [;...]] - append extension search path
   .f+ - set current stack frame to caller of current frame
   .f- - set current stack frame to callee of current frame
   .fiber - sets context of fiber at address
            resets context if no address specified
   .fiximports - attempts to link imports for images
   .fnent - dump function entry for the given code address
   .fnret [ ] - display formatted return value
   .for ( ; ; ) { } - execute and until is zero
   .force_radix_output [0|1] - dump integer types in default base
   .force_system_init [ ] - force pending systems to initialize if possible
   .force_tb - forcibly allow branch tracing
   .foreach [opts] ( { } ) { } - execute for each token in the output of
   .fpo - control override FPO information
   .frame [] - set current stack frame for locals
   .formats - displays expression result in many formats
   .help [ ] - display this help
   .holdmem [range] - hold and compare memory data
   .if ( ) { } [ ] - if/then/else conditional execution
   .ignore_missing_pages [0|1] - control kernel summary dump missing page error message
   .imgscan - scan memory for PE images
   .jdinfo [/u] - interpret AeDebug information
   .kframes - set default stack trace depth
   .lastevent - display the last event that occurred
   .leave - exit the enclosing .catch
   .lines - toggle line symbol loading
   .load - add this extension DLL to the extension chain
   .loadby - add the extension DLL in the module directory to the extension chain
   .locale [ ] - set the current locale
   .logfile - display log status
   .logopen [ ] - open new log file
   .logappend [ ] - append to log file
   .logclose - close log file
   .netsyms [0|1] - allow/disallow net symbol paths
   .netuse [ ] - manage net connections
   .noshell - disable shell commands
   .noversion - disable extension version checking
   .nvlist - display the set of .NATVIS files loaded into the debugger
   .nvload - load a .NATVIS file
   .nvunload - unload a .NATVIS file
   .nvunloadall - unload all .NATVIS files
   .ofilter - filter debuggee output against the given pattern
   .opendump - open a dump file
   .outmask - set bits in the current output mask
   .outmask- - clear bits in the current output mask
   .pcmd [ ] - control per-prompt command
   .pop [ ] - pop state
   .prefer_dml [0|1] - control DML mode default
   .printf " ", - formatted output
   .process [] - sets implicit process
                 resets default if no address specified
   .process_info - display security related information of current process
   .prompt_allow [ ] - control what information can be displayed at the prompt
   .push [ ] - push state
   .quit_lock [ ] - locks session against unexpected quit
   .readmem - read raw memory from a file
   .record_branches [0|1] - controls recording of processor branching
   .reload [ [=, ]] - reload symbols
   .restart - request a session restart
   .remote - start remote.exe server
   .secure [0|1] - disallow operations dangerous for the host
   .scriptlist - display the set of scripts loaded into the debugger
   .scriptload - load a script file
   .scriptproviders - display the set of script providers in the debugger
   .scriptunload - unload a script file
   .send_file - send files to remote server
   .server - start engine server
   .servers - list active remoting servers
   .setdll - debugger will search for extensions in this DLL first
   .settings - manage settings
   .shell [ ] - execute shell command
   .show_read_failures [ ] - control extra read failure output
   .show_sym_failures [ ] - control extra symbol failure output
   .sleep - debugger sleeps for given duration
            useful for allowing access to a machine that's broken in on an ntsd -d
   .srcfix [ ] - fix source search path
   .srcfix+ [ ] - append fixed source search path
   .srcnoisy [0|1] - control verbose source loading output
   .srcpath [ [;...]] - set source search path
   .srcpath+ [ [;...]] - append source search path
   .step_filter [ ] [" [; ...]"] - Set symbol patterns to skip when stepping
   .symfix [ ] - fix symbol search path
   .symfix+ [ ] - append fixed symbol search path
   .symopt - set symbol options
   .symopt+ - set symbol options
   .symopt- - clear symbol options
   .sympath [ [;...]] - set symbol search path
   .sympath+ [ [;...]] - append symbol search path
   .thread [] - sets context of thread at address
                resets default context if no address specified
   .time - displays session time information
   .timezone - display timezone information
   .ttime - displays thread time information
   .tlist - list running processes
   .typeopt - set/clear type options
   .unload - remove this extension DLL from the list of extension DLLs
   .unloadall - remove all extension DLLs from the list of extensions DLLs
   .wake - wake up a .sleep'ing debugger
   .while ( ) { } - execute while is non-zero
   .writemem - write raw memory to a file
   .rrestart - register current session for Application Restart
   .urestart - unregister current session from Application Restart
   .inline - query the state whether debuggers should query inline functions
   .stackprovider - query the state whether debugger should query stack dump providers
   .stkwalk_force_frame_pointer - query or set the state whether debuggers should unwind stack solely based on frame pointer
   .hideinjectedcode [ ] - Hide injected calls from stepping in source mode
   .enablepackagedebug - Enable debugging for UWP application.
   .disablepackagedebug - Disable debugging for UWP application.
   .suspendpackage - Suspends a UWP application.
   .resumepackage - Resumes a UWP application.
   .querypackage - Displays the state of a UWP application.
   .querypackages - Lists all UWP applications and their state.
   .createpackageapp [ ] - Enables debugging and launches a UWP application.
   .terminatepackageapp - Terminates all processes for UWP application.
   .activatepackagebgtask - Enables debugging and launches a UWP background task.
Use ".hh " or open debugger.chm in the debuggers directory to get
detailed documentation on a command.
Command: .chain
Lists all loaded debugger extensions (List Debugger Extensions)
0:000> .chain
Extension DLL search Path:
    C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\WINXP;C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\winext;C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\winext\arcade;C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\pri;C:\Program Files (x86)\Windows Kits\10\Debuggers\x86;C:\Program Files (x86)\Windows Kits\10\Debuggers\x86;C:\ProgramData\Oracle\Java\javapath;C:\Program Files (x86)\Intel\iCLS Client\;C:\Program Files\Intel\iCLS Client\;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL;C:\Program Files\Intel\Intel(R) Management Engine Components\DAL;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT;C:\Program Files\Intel\Intel(R) Management Engine Components\IPT;C:\Program Files (x86)\Windows Kits\8.1\Windows Performance Toolkit\;C:\Program Files\Microsoft SQL Server\110\Tools\Binn\;C:\WINDOWS\SysWOW64\WindowsPowerShell\v1.0\Modules\TShell\TShell\;C:\Program Files\Java\jdk1.8.0_45\bin;C:\Program Files\nodejs\;C:\Program Files\TortoiseSVN\bin;C:\Program Files\Microsoft SQL Server\130\Tools\Binn\;C:\Program Files\Microsoft\Web Platform Installer\;C:\Program Files (x86)\Microsoft ASP.NET\ASP.NET Web Pages\v1.0\;C:\Program Files (x86)\Windows Kits\8.0\Windows Performance Toolkit\;C:\Users\Jamie\AppData\Local\Microsoft\WindowsApps;
Extension DLL chain:
    dbghelp: image 10.0.14321.1024, API 10.0.6, built Sat Jul 16 09:29:50 2016
        [path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\dbghelp.dll]
    ext: image 10.0.14321.1024, API 1.0.0, built Sat Jul 16 09:29:44 2016
        [path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\winext\ext.dll]
    exts: image 10.0.14321.1024, API 1.0.0, built Sat Jul 16 09:28:14 2016
        [path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\WINXP\exts.dll]
    uext: image 10.0.14321.1024, API 1.0.0, built Sat Jul 16 09:28:11 2016
        [path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\winext\uext.dll]
    ntsdexts: image 10.0.14393.33, API 1.0.0, built Thu Jul 28 13:23:56 2016
        [path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\WINXP\ntsdexts.dll]
Command: .extmatch
.extmatch /D /e XXXXX *   displays the extension commands exported by the currently loaded extension DLLs that match the given pattern
0:000> .extmatch /D /e ntsdexts *
!ntsdexts.critsec
!ntsdexts.dp
!ntsdexts.dreg
!ntsdexts.dt
!ntsdexts.gatom
!ntsdexts.handle
!ntsdexts.help
!ntsdexts.hleak
!ntsdexts.htrace
!ntsdexts.locks
!ntsdexts.runaway
!ntsdexts.threadtoken
0:000> .extmatch /D /e uext *
!uext.evlog
!uext.findstack
!uext.handle
!uext.help
!uext.mapped_file
!uext.runaway
!uext.uniqstack
!uext.vadump
!uext.vprot
Command: .hh
Opens the WinDbg help file
Command: .restart
Restarts the application being debugged (Restart Target Application)
Command: version
Displays the debugger version information and the loaded debugger extensions
Command: vercommand
Displays the path of the file the debugger was launched from
0:000> vercommand
command line: '"C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbg.exe" '
Command: vertarget
Displays the Microsoft Windows operating system version information of the target machine
0:000> vertarget
Windows 10 Version 14393 MP (4 procs) Free x64
Product: WinNt, suite: SingleUserTS
kernel32.dll version: 10.0.14393.2214 (rs1_release_1.180402-1758)
Machine Name:
Debug session time: Tue Dec 10 10:26:46.000 2019 (UTC + 8:00)
System Uptime: 39 days 17:48:11.976
Process Uptime: 39 days 17:45:01.000
  Kernel time: 0 days 0:00:04.000
  User time: 0 days 0:00:02.000
Command: .effmach
Displays the effective processor mode of the target machine
.effmach .
.effmach #
.effmach x86 | amd64 | ia64 | ebc
0:000> .effmach
Effective machine: x64 (AMD64)
Command: .cls
Clears the screen
Command: .echo
Prints a string, e.g. .echo "Hello World"
Command: .time
Displays the various times recorded by the system
Key combination: Ctrl+Alt+V
Toggles verbose mode on and off
With verbose mode on, some display commands produce more detailed output, every module load operation sent to the debugger is shown,
and the operating system also reports each time it loads a driver or DLL
WinDbg module loading commands
Command: lm
Lists the loaded modules (List Loaded Modules)
lm: List modules
lmv: List module versions
lmvm: List specific module versions
lm m ModuleName
0:000> lm
start             end                 module name
00000000`6a030000 00000000`6a0f9000   msvcr80              (deferred)
00000001`40000000 00000001`40016000   valWBFPolicyService  (deferred)
00007ffa`a9110000 00007ffa`a9171000   wevtapi              (deferred)
00007ffa`aab40000 00007ffa`aab68000   devobj               (deferred)
00007ffa`aada0000 00007ffa`aadf4000   mintdh               (deferred)
00007ffa`aae00000 00007ffa`aaeae000   tdh                  (deferred)
00007ffa`ab940000 00007ffa`ab96b000   bcrypt               (deferred)
00007ffa`abde0000 00007ffa`abdf0000   msasn1               (deferred)
00007ffa`abdf0000 00007ffa`ac00d000   KERNELBASE           (pdb symbols)   c:\symbols\kernelbase.pdb\C1CB335438FC484B842D02CB20116D3A1\kernelbase.pdb
00007ffa`ac010000 00007ffa`ac190000   gdi32full            (deferred)
00007ffa`ac190000 00007ffa`ac1ae000   win32u               (deferred)
00007ffa`ac1b0000 00007ffa`ac1f2000   cfgmgr32             (deferred)
00007ffa`ac8e0000 00007ffa`acaa9000   crypt32              (deferred)
00007ffa`acb60000 00007ffa`acc55000   ucrtbase             (deferred)
00007ffa`acc60000 00007ffa`accfc000   msvcp_win            (deferred)
00007ffa`acd60000 00007ffa`acdca000   bcryptPrimitives     (deferred)
00007ffa`ad120000 00007ffa`ad1df000   oleaut32             (deferred)
00007ffa`ad240000 00007ffa`ad508000   combase              (deferred)
00007ffa`ad5b0000 00007ffa`ad9d9000   setupapi             (deferred)
00007ffa`ad9e0000 00007ffa`adb01000   rpcrt4               (deferred)
00007ffa`adb10000 00007ffa`adb69000   sechost              (deferred)
00007ffa`adbe0000 00007ffa`adc14000   gdi32                (deferred)
00007ffa`adc20000 00007ffa`adcbe000   msvcrt               (deferred)
00007ffa`af330000 00007ffa`af3dc000   kernel32             (deferred)
00007ffa`af3e0000 00007ffa`af518000   ole32                (deferred)
00007ffa`af550000 00007ffa`af6b5000   user32               (deferred)
00007ffa`af6c0000 00007ffa`af762000   advapi32             (deferred)
00007ffa`af850000 00007ffa`af86c000   imagehlp             (deferred)
00007ffa`af870000 00007ffa`af878000   psapi                (deferred)
00007ffa`af8f0000 00007ffa`afac2000   ntdll                (pdb symbols)   c:\symbols\ntdll.pdb\3FED89B476364D33AA918AE74196DAF21\ntdll.pdb
Command: !dlls
Lists all loaded modules and their load counts
0:000> !dlls
This is Win8 with the loader DAG.
0x00592920: C:\WINDOWS\system32\valWBFPolicyService.exe
      Base   0x140000000  EntryPoint  0x140007710  Size  0x00016000    DdagNode  0x00592a50
      Flags  0x000022cc  TlsIndex  0x00000000  LoadCount  0xffffffff  NodeRefCount  0x00000000
             LDRP_LOAD_NOTIFICATIONS_SENT
             LDRP_IMAGE_DLL

0x00592790: C:\WINDOWS\SYSTEM32\ntdll.dll
      Base   0x7ffaaf8f0000  EntryPoint  0x00000000  Size  0x001d2000    DdagNode  0x005928c0
      Flags  0x0000a2c4  TlsIndex  0x00000000  LoadCount  0xffffffff  NodeRefCount  0x00000000
             LDRP_IMAGE_DLL

0x00592db0: C:\WINDOWS\System32\KERNEL32.DLL
      Base   0x7ffaaf330000  EntryPoint  0x7ffaaf338400  Size  0x000ac000    DdagNode  0x00592ee0
      Flags  0x000ca2cc  TlsIndex  0x00000000  LoadCount  0xffffffff  NodeRefCount  0x00000000
             LDRP_LOAD_NOTIFICATIONS_SENT
             LDRP_IMAGE_DLL
             LDRP_DONT_CALL_FOR_THREADS
             LDRP_PROCESS_ATTACH_CALLED
...
Command: !lmi
Displays detailed information about a module, including its symbol loading information
!lmi Module
0:000> !lmi kernel32
Loaded Module Info: [kernel32]
         Module: kernel32
   Base Address: 00007ffaaf330000
     Image Name: kernel32.dll
   Machine Type: 34404 (X64)
     Time Stamp: 5ac2f8e6 Tue Apr  3 11:45:42 2018
           Size: ac000
       CheckSum: b4571
Characteristics: 2022
Debug Data Dirs: Type  Size     VA  Pointer
             CODEVIEW    25, 84b40,   83140 RSDS - GUID: {996833D4-6FC4-412D-A9DE-305E863A2B34}
               Age: 1, Pdb: kernel32.pdb
                   ??   4ec, 84b68,   83168 [Data not mapped]
     Image Type: MEMORY   - Image read successfully from loaded memory.
    Symbol Type: PDB      - Symbols loaded successfully from image header.
                 c:\symbols\kernel32.pdb\996833D46FC4412DA9DE305E863A2B341\kernel32.pdb
    Load Report: public symbols , not source indexed
                 c:\symbols\kernel32.pdb\996833D46FC4412DA9DE305E863A2B341\kernel32.pdb
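As an added example (my own code, not from these notes or from Microsoft's tooling), the Python below ties the srv*{cache path}*{symbol server} format at the top of the page to the !lmi output just above: the debugger turns a module's PDB name, GUID and age into a store key, looks for that key under the cache directory, and otherwise asks each server in the symbol path for the same key. The GUID and age are the ones !lmi printed for kernel32 on this page; the function names and the string layout helpers are my own.

```python
import re

# Symbol-store layout, as the lm and !lmi output above shows it:
#   <cache>\<pdb name>\<GUID without hyphens, upper case><age in hex>\<pdb name>
# e.g. c:\symbols\kernel32.pdb\996833D46FC4412DA9DE305E863A2B341\kernel32.pdb

_GUID_RE = re.compile(r"^\{?([0-9A-Fa-f]{8})-([0-9A-Fa-f]{4})-([0-9A-Fa-f]{4})-"
                      r"([0-9A-Fa-f]{4})-([0-9A-Fa-f]{12})\}?$")


def symbol_store_key(guid: str, age: int) -> str:
    """Build the per-PDB directory name from the GUID and age that !lmi reports."""
    m = _GUID_RE.match(guid.strip())
    if not m:
        raise ValueError("not a GUID: %r" % guid)
    if age < 0:
        raise ValueError("age must be non-negative")
    # Hyphens dropped, hex upper-cased, age appended in hex with no padding.
    return "".join(m.groups()).upper() + format(age, "X")


def parse_symbol_path(sympath: str) -> list:
    """Split a WinDbg symbol path into elements: 'srv*<cache>*<server>',
    'srv*<server>' (no local cache) or a plain directory."""
    elements = []
    for raw in sympath.split(";"):
        elem = raw.strip()
        if not elem:
            continue
        parts = elem.split("*")
        if parts[0].lower() == "srv" and len(parts) == 3:
            elements.append({"kind": "srv", "cache": parts[1], "server": parts[2]})
        elif parts[0].lower() == "srv" and len(parts) == 2:
            elements.append({"kind": "srv", "cache": None, "server": parts[1]})
        elif len(parts) == 1:
            elements.append({"kind": "dir", "cache": parts[0], "server": None})
        else:
            elements.append({"kind": "unknown", "cache": None, "server": None, "raw": elem})
    return elements


def candidate_locations(sympath: str, pdb_name: str, guid: str, age: int) -> list:
    """Where the debugger would look for this PDB, in symbol-path order:
    for srv* elements the local cache path first, then the server URL;
    for a plain directory the flat <dir>\\<pdb> file (the store layout under
    a plain directory is also tried by the real debugger; omitted here)."""
    key = symbol_store_key(guid, age)
    places = []
    for e in parse_symbol_path(sympath):
        if e["kind"] == "dir":
            places.append("\\".join([e["cache"].rstrip("\\"), pdb_name]))
        elif e["kind"] == "srv":
            if e["cache"]:
                places.append("\\".join([e["cache"].rstrip("\\"), pdb_name, key, pdb_name]))
            places.append("/".join([e["server"].rstrip("/"), pdb_name, key, pdb_name]))
    return places


if __name__ == "__main__":
    # The path from the top of the page and the GUID/age from !lmi kernel32.
    for p in candidate_locations("srv*C:\\Symbol*https://msdl.microsoft.com/download/symbols",
                                 "kernel32.pdb", "{996833D4-6FC4-412D-A9DE-305E863A2B34}", 1):
        print(p)
```

The key is what the debugger appends to every server in the path, and whatever that server returns is loaded as the module's symbols, which is why only servers you trust belong in the symbol path and why the local cache directory is worth keeping under your own control.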
WinDbg symbol loading commands
Command: ld
Loads the symbols of the specified module (Load Symbols). Note that the module whose symbols you want must already be loaded; if it is not, run lm for that module first (example reference: lm ld x)
ld *   loads the symbols of all modules
0:000> ld *
Symbols already loaded for msvcr80
Symbols already loaded for valWBFPolicyService
Symbols already loaded for wevtapi
Symbols already loaded for devobj
Symbols already loaded for mintdh
Symbols already loaded for tdh
Symbols already loaded for bcrypt
Symbols already loaded for msasn1
Symbols already loaded for KERNELBASE
Symbols already loaded for gdi32full
Symbols already loaded for win32u
Symbols already loaded for cfgmgr32
Symbols already loaded for crypt32
Symbols already loaded for ucrtbase
Symbols already loaded for msvcp_win
Symbols already loaded for bcryptPrimitives
Symbols already loaded for oleaut32
Symbols already loaded for combase
Symbols already loaded for setupapi
Symbols already loaded for rpcrt4
Symbols already loaded for sechost
Symbols already loaded for gdi32
Symbols already loaded for msvcrt
Symbols already loaded for kernel32
Symbols already loaded for ole32
Symbols already loaded for user32
Symbols already loaded for advapi32
Symbols already loaded for imagehlp
Symbols already loaded for psapi
Symbols already loaded for ntdll
Command: x
Searches for matching symbol information (Examine Symbols)
x [Options] ModuleName!SymbolName   the ! separates the module from the symbol
Usage:
x *!   lists all modules
0:000> x *!
start             end                 module name
00000000`6a030000 00000000`6a0f9000   msvcr80              (deferred)
00000001`40000000 00000001`40016000   valWBFPolicyService  (deferred)
00007ffa`a9110000 00007ffa`a9171000   wevtapi              (deferred)
00007ffa`aab40000 00007ffa`aab68000   devobj               (deferred)
00007ffa`aada0000 00007ffa`aadf4000   mintdh               (deferred)
00007ffa`aae00000 00007ffa`aaeae000   tdh                  (deferred)
00007ffa`ab940000 00007ffa`ab96b000   bcrypt               (deferred)
00007ffa`abde0000 00007ffa`abdf0000   msasn1               (deferred)
00007ffa`abdf0000 00007ffa`ac00d000   KERNELBASE           (pdb symbols)   c:\symbols\kernelbase.pdb\C1CB335438FC484B842D02CB20116D3A1\kernelbase.pdb
00007ffa`ac010000 00007ffa`ac190000   gdi32full            (deferred)
00007ffa`ac190000 00007ffa`ac1ae000   win32u               (deferred)
00007ffa`ac1b0000 00007ffa`ac1f2000   cfgmgr32             (deferred)
00007ffa`ac8e0000 00007ffa`acaa9000   crypt32              (deferred)
00007ffa`acb60000 00007ffa`acc55000   ucrtbase             (deferred)
00007ffa`acc60000 00007ffa`accfc000   msvcp_win            (deferred)
00007ffa`acd60000 00007ffa`acdca000   bcryptPrimitives     (deferred)
00007ffa`ad120000 00007ffa`ad1df000   oleaut32             (deferred)
00007ffa`ad240000 00007ffa`ad508000   combase              (deferred)
00007ffa`ad5b0000 00007ffa`ad9d9000   setupapi             (deferred)
00007ffa`ad9e0000 00007ffa`adb01000   rpcrt4               (deferred)
00007ffa`adb10000 00007ffa`adb69000   sechost              (deferred)
00007ffa`adbe0000 00007ffa`adc14000   gdi32                (deferred)
00007ffa`adc20000 00007ffa`adcbe000   msvcrt               (deferred)
00007ffa`af330000 00007ffa`af3dc000   kernel32             (deferred)
00007ffa`af3e0000 00007ffa`af518000   ole32                (deferred)
00007ffa`af550000 00007ffa`af6b5000   user32               (deferred)
00007ffa`af6c0000 00007ffa`af762000   advapi32             (deferred)
00007ffa`af850000 00007ffa`af86c000   imagehlp             (deferred)
00007ffa`af870000 00007ffa`af878000   psapi                (deferred)
00007ffa`af8f0000 00007ffa`afac2000   ntdll                (pdb symbols)   c:\symbols\ntdll.pdb\3FED89B476364D33AA918AE74196DAF21\ntdll.pdb
x ntdll!a*   lists all symbols under the ntdll module that begin with a
0:000> x ntdll!ap*
00007ffa`af9648b4 ntdll!AppModelPolicy_GetPolicy (void)
00007ffa`af917250 ntdll!ApiSetQueryApiSetPresence (void)
00007ffa`afa0d3b0 ntdll!AppModelLibraryLoadFailureSystemBinary =
00007ffa`afa0d420 ntdll!AppModelLibraryLoadFailureApplicationBinary =
00007ffa`af91767c ntdll!ApiSetResolveToHost ( )
00007ffa`afa0d450 ntdll!AppModelRuntimeProviderId =
00007ffa`afa0d3e0 ntdll!AppModelGenericLibraryLoadFailureNoTermination =
00007ffa`af9177a0 ntdll!ApiSetpSearchForApiSet ( )
00007ffa`afa0d390 ntdll!AppModelLibraryLoadFailureNgenBinary =
00007ffa`af916b68 ntdll!ApiSetpSearchForApiSetHost ( )
Command: !sym
Gets the symbol loading status
!sym noisy   makes the debugger show the details of the symbol search
!sym quiet   the default; no symbol search information is shown
Command: .sympath
Displays and sets the symbol search path
.sympath+   adds a symbol search path
.sympath+ C:\Symbols
Command: .symfix
Sets the symbol store path
.symfix+ DownstreamStore   adds a symbol store path
Command: .reload
Reloads the symbol information
WinDbg exception analysis commands:
Command: .dump
.dump d:/test.dump
That is, WinDbg can be used to produce a dump file
e.g.
Produce a full kernel-mode dump:
.dump /f C:\memory.dmp
Produce a user-mode dump:
.dump /m C:\memory.dmp
Produce a user-mode dump with additional information:
.dump /mfh C:\memory.dmp
Command: !analyze
!analyze -v
Displays detailed information about the current exception
e.g. !analyze -v d:\test.dump
!analyze -hang
Diagnoses whether any thread on the call stacks is blocking other threads
!analyze -f
Shows the exception analysis information even when the debugger has not detected an exception
Command: .lastevent
Displays the most recent exception or event
Command: .load wow64exts
Command: !wow64exts.sw
Switches from 64-bit mode to 32-bit mode
Command: !locks
Displays the current locks
Command: !qlocks
Displays the current spinlocks
WinDbg memory commands
Command: dt (Display Type)
dt ntdll!*IMAGE* : find which headers exist
The following example finds the address of notepad's PE header in memory; the dt command can then show the contents of the structure defined there:
Command: .dvalloc
Has Windows allocate additional memory in the target process.
Command: r
Displays or modifies registers, floating-point registers, flags, pseudo-registers and predefined aliases. Plain r shows the register state of the current thread
Command: d*
Displays the contents of the given memory range.
da   ASCII characters
db   byte values and ASCII characters
Command: e*
The e commands are very similar to the d commands: one reads, the other writes (edits)
ea   ASCII string (not NULL-terminated).
eb   byte values.
0:000> .dvalloc 100
Allocated 1000 bytes starting at 00080000
0:000> ea 00080000 "i am ansi "
0:000> db 00080000
00080000  69 20 61 6d 20 61 6e 73-69 20 00 00 00 00 00 00  i am ansi ......
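To make the ea/db/da output above easier to read, here is an added Python sketch (my own code, not from the page) that mimics the three commands against a constructed in-memory buffer standing in for the .dvalloc'ed region: ea writes an ASCII string with no terminator, db prints the 16-bytes-per-line hex plus ASCII layout with the hyphen between the two 8-byte halves, and da reads back up to the first NUL. The class and method names are my own, and the 8-digit address column follows the form captured on this page.

```python
class FakeMemory:
    """Constructed stand-in for the .dvalloc'ed region: a zeroed buffer of
    `size` bytes that starts at `base` (0x00080000 in the page's session)."""

    def __init__(self, base: int, size: int):
        self.base = base
        self.buf = bytearray(size)

    def _offset(self, address: int, length: int) -> int:
        # Refuse reads/writes that fall outside the region instead of wrapping.
        off = address - self.base
        if off < 0 or off + length > len(self.buf):
            raise ValueError("address %#x (+%d) is not inside the region" % (address, length))
        return off

    def ea(self, address: int, text: str) -> None:
        """ea: store an ASCII string without a trailing NUL."""
        data = text.encode("ascii")
        off = self._offset(address, len(data))
        self.buf[off:off + len(data)] = data

    def db(self, address: int, length: int = 16) -> list:
        """db: hex bytes plus ASCII, 16 per line, '-' between the 8-byte halves.
        Returns the lines so they can be checked rather than only printed."""
        off = self._offset(address, length)
        lines = []
        for start in range(0, length, 16):
            chunk = bytes(self.buf[off + start:off + min(start + 16, length)])
            hexs = ["%02x" % b for b in chunk]
            hexcol = " ".join(hexs[:8])
            if len(hexs) > 8:
                hexcol += "-" + " ".join(hexs[8:])
            # Printable ASCII is shown as-is, anything else as '.'
            asc = "".join(chr(b) if 0x20 <= b < 0x7f else "." for b in chunk)
            lines.append("%08x  %-47s  %s" % (address + start, hexcol, asc))
        return lines

    def da(self, address: int, limit: int = 48) -> str:
        """da: read ASCII up to the first NUL (or `limit` bytes)."""
        off = self._offset(address, 0)
        raw = bytes(self.buf[off:min(off + limit, len(self.buf))]).split(b"\0", 1)[0]
        return raw.decode("ascii", errors="replace")


if __name__ == "__main__":
    mem = FakeMemory(0x00080000, 0x1000)      # ".dvalloc 100" on the page gave 0x1000 bytes
    mem.ea(0x00080000, "i am ansi ")
    for line in mem.db(0x00080000):
        print(line)
    print(repr(mem.da(0x00080000)))
```

Because ea writes no terminator, da only stops here because the surrounding allocation was zero-filled; on a buffer that was not, da would keep reading until it hit a NUL or its limit, which is exactly the behaviour to keep in mind when you inspect string data written by a program under test.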
Command: u*
Displays the disassembly of the program code in the specified memory. To disassemble a given address, use the u command followed by the address
ub   indicates that the region to disassemble is counted backwards.
uf   displays the disassembly of the specified function in memory.
Command: x
Displays the symbols in all contexts that match the specified pattern. Wildcard characters can be used
Command: s (Search Memory)
Searches memory for the specified pattern
Command: dt
Displays information about local variables, global variables or data types. It can also display only the data type, i.e. information about structures and unions
dt is most convenient for looking up structures; to look up a structure always use dt, not x
PE file parsing
1. DOS header:
0:001> dt IMAGE_DOS_HEADER 01230000
2. NT headers
e_lfanew defines the relative offset (RVA) of the real PE file header
0:001> da 01230000 +0n224
012300e0 "PE"
0:001> dt IMAGE_NT_HEADERS 01230000 +0n224
3. File header
0:001> dt IMAGE_FILE_HEADER 01230000 +0n224+0x4
4. Optional header
0:001> dt _IMAGE_OPTIONAL_HEADER 01230000 +0n224+0x18
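The four dt steps above walk DOS header, NT headers, file header and optional header by fixed offsets; the added Python below (my own code, not from the page) does the same walk over a byte buffer, so the offsets +0x4 and +0x18 and the role of e_lfanew are visible in code. The input is a constructed minimal PE32+ header block (not a real binary) that reuses the page's e_lfanew of 0n224; every offset taken from the buffer is bounds-checked first, so a crafted e_lfanew or SizeOfOptionalHeader raises ValueError instead of reading past the end. Function and constant names are my own.

```python
import struct

# Offsets used in the dt walk-through: the DOS header sits at the image base,
# e_lfanew (DOS header offset 0x3C) is the RVA of IMAGE_NT_HEADERS, the file
# header follows the 4-byte "PE\0\0" signature (+0x4) and the optional header
# follows the 20-byte file header (+0x18).
IMAGE_DOS_SIGNATURE = 0x5A4D          # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550       # "PE\0\0"
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B
FILE_HEADER_SIZE = 20


def parse_pe_headers(image: bytes) -> dict:
    """DOS header -> NT headers -> file header -> optional header, returning
    the fields of interest. Raises ValueError on anything malformed."""
    if len(image) < 0x40:
        raise ValueError("buffer smaller than IMAGE_DOS_HEADER")
    e_magic, = struct.unpack_from("<H", image, 0)
    if e_magic != IMAGE_DOS_SIGNATURE:
        raise ValueError("no MZ signature")
    e_lfanew, = struct.unpack_from("<I", image, 0x3C)
    # e_lfanew comes from the file, so bound it before dereferencing it.
    if e_lfanew + 0x18 > len(image):
        raise ValueError("e_lfanew 0x%x points outside the buffer" % e_lfanew)
    signature, = struct.unpack_from("<I", image, e_lfanew)
    if signature != IMAGE_NT_SIGNATURE:
        raise ValueError("no PE signature at e_lfanew")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    (machine, number_of_sections, time_date_stamp, _sym_ptr, _sym_count,
     size_of_optional_header, characteristics) = struct.unpack_from(
        "<HHIIIHH", image, e_lfanew + 4)
    opt = e_lfanew + 0x18
    if size_of_optional_header < 0x20 or opt + size_of_optional_header > len(image):
        raise ValueError("optional header truncated")
    magic, = struct.unpack_from("<H", image, opt)
    entry_point, = struct.unpack_from("<I", image, opt + 0x10)   # AddressOfEntryPoint
    if magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC:
        image_base, = struct.unpack_from("<Q", image, opt + 0x18)   # PE32+: 8-byte ImageBase
    elif magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        image_base, = struct.unpack_from("<I", image, opt + 0x1C)   # PE32: 4-byte ImageBase
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    return {
        "e_lfanew": e_lfanew,
        "machine": machine,
        "number_of_sections": number_of_sections,
        "time_date_stamp": time_date_stamp,
        "size_of_optional_header": size_of_optional_header,
        "characteristics": characteristics,
        "magic": magic,
        "entry_point": entry_point,
        "image_base": image_base,
    }


def build_sample_image() -> bytes:
    """Constructed minimal PE32+ header block (not a real executable):
    e_lfanew = 0n224 as in the page's example, three sections, x64."""
    buf = bytearray(0xE0 + 4 + FILE_HEADER_SIZE + 0xF0)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0xE0)                      # e_lfanew
    buf[0xE0:0xE4] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", buf, 0xE4,
                     0x8664, 3, 0x5AC2F8E6, 0, 0, 0xF0, 0x2022)  # IMAGE_FILE_HEADER
    opt = 0xE0 + 0x18
    struct.pack_into("<H", buf, opt, IMAGE_NT_OPTIONAL_HDR64_MAGIC)
    struct.pack_into("<I", buf, opt + 0x10, 0x1000)              # AddressOfEntryPoint
    struct.pack_into("<Q", buf, opt + 0x18, 0x140000000)         # ImageBase
    return bytes(buf)


SAMPLE_IMAGE = build_sample_image()

if __name__ == "__main__":
    for name, value in parse_pe_headers(SAMPLE_IMAGE).items():
        print("%-24s 0x%x" % (name, value))
```

The same walk applies to a module read out of a live process with db at its base address, which is how the notepad example in the text locates its PE header before handing the address to dt.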
Command: dh
!dh   extension that displays the headers of the specified image.
Command: !address
Displays information about the whole address space and a usage summary
0:000> !address
Mapping file section regions...
Mapping module regions...
Mapping PEB regions...
Mapping TEB and stack regions...
Mapping heap regions...
Mapping page heap regions...
Mapping other regions...
Mapping stack trace database regions...
Mapping activation context regions...

        BaseAddress      EndAddress+1        RegionSize     Type       State                 Protect             Usage
--------------------------------------------------------------------------------------------------------------------------
+ 0`00000000 0`00010000 0`00010000 MEM_FREE PAGE_NOACCESS Free
+ 0`00010000 0`00020000 0`00010000 MEM_MAPPED MEM_COMMIT PAGE_READWRITE Heap [ID: 1; Handle: 0000000000010000; Type: Segment]
+ 0`00020000 0`00021000 0`00001000 MEM_MAPPED MEM_COMMIT PAGE_READONLY [............NSDS]
+ 0`00021000 0`00030000 0`0000f000 MEM_FREE PAGE_NOACCESS Free
+ 0`00030000 0`00046000 0`00016000 MEM_MAPPED MEM_COMMIT PAGE_READONLY Other [API Set Map]
+ 0`00046000 0`00050000 0`0000a000 MEM_FREE PAGE_NOACCESS Free
+ 0`00050000 0`00143000 0`000f3000 MEM_PRIVATE MEM_RESERVE Stack [~0; b60.b64]
  0`00143000 0`00146000 0`00003000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE|PAGE_GUARD Stack [~0; b60.b64]
  0`00146000 0`00150000 0`0000a000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE Stack [~0; b60.b64]
+ 0`00150000 0`00154000 0`00004000 MEM_MAPPED MEM_COMMIT PAGE_READONLY Other [System Default Activation Context Data]
+ 0`00154000 0`00160000 0`0000c000 MEM_FREE PAGE_NOACCESS Free
+ 0`00160000 0`00161000 0`00001000 MEM_MAPPED MEM_COMMIT PAGE_READONLY Other [Activation Context Data]
+ 0`00161000 0`00170000 0`0000f000 MEM_FREE PAGE_NOACCESS Free
+ 0`00170000 0`00172000 0`00002000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE [................]
+ 0`00172000 0`00180000 0`0000e000 MEM_FREE PAGE_NOACCESS Free
+ 0`00180000 0`00183000 0`00003000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE Heap [ID: 0; Handle: 0000000000590000; Type: Front End]
  0`00183000 0`0019a000 0`00017000 MEM_PRIVATE MEM_RESERVE Heap [ID: 0; Handle: 0000000000590000; Type: Front End]
+ 0`0019a000 0`001a0000 0`00006000 MEM_FREE PAGE_NOACCESS Free
+ 0`001a0000 0`001a1000 0`00001000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE Heap [ID: 2; Handle: 0000000000860000; Type: Front End]
  0`001a1000 0`001ba000 0`00019000 MEM_PRIVATE MEM_RESERVE Heap [ID: 2; Handle: 0000000000860000; Type: Front End]
+ 0`001ba000 0`001c0000 0`00006000 MEM_FREE PAGE_NOACCESS Free
+ 0`001c0000 0`001c1000 0`00001000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE [................]
+ 0`001c1000 0`001d0000 0`0000f000 MEM_FREE PAGE_NOACCESS Free
+ 0`001d0000 0`001d1000 0`00001000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE [................]
+ 0`001d1000 0`001e0000 0`0000f000 MEM_FREE PAGE_NOACCESS Free
+ 0`001e0000 0`001e5000 0`00005000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE [................]
+ 0`001e5000 0`001f0000 0`0000b000 MEM_FREE PAGE_NOACCESS Free
+ 0`001f0000 0`001f4000 0`00004000 MEM_MAPPED MEM_COMMIT PAGE_READONLY [RESCDIR.........]
+ 0`001f4000 0`00200000 0`0000c000 MEM_FREE PAGE_NOACCESS Free
+ 0`00200000 0`003be000 0`001be000 MEM_PRIVATE MEM_RESERVE
  0`003be000 0`003bf000 0`00001000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE PEB [b60]
  0`003bf000 0`003c1000 0`00002000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE TEB [~0; b60.b64]
  0`003c1000 0`003c5000 0`00004000 MEM_PRIVATE MEM_RESERVE
  0`003c5000 0`003c7000 0`00002000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE TEB [~1; b60.dc4]
  0`003c7000 0`003c9000 0`00002000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE TEB [~2; b60.e28]
  0`003c9000 0`003cb000 0`00002000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE TEB [~3; b60.e2c]
  0`003cb000 0`00400000 0`00035000 MEM_PRIVATE MEM_RESERVE
+ 0`00400000 0`004c1000 0`000c1000 MEM_MAPPED MEM_COMMIT PAGE_READONLY [................]
+ 0`004c1000 0`004d0000 0`0000f000 MEM_FREE PAGE_NOACCESS Free
+ 0`004d0000 0`004ed000 0`0001d000 MEM_MAPPED MEM_COMMIT PAGE_READONLY [..........0.5...]
  0`004ed000 0`00590000 0`000a3000 MEM_MAPPED MEM_RESERVE
+ 0`00590000 0`0068f000 0`000ff000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE Heap [ID: 0; Handle: 0000000000590000; Type: Segment]
  0`0068f000 0`00690000 0`00001000 MEM_PRIVATE MEM_RESERVE
+ 0`00690000 0`006b0000 0`00020000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE [................]
+ 0`006b0000 0`006b3000 0`00003000 MEM_MAPPED MEM_COMMIT PAGE_READONLY [MZ..............]
+ 0`006b3000 0`00790000 0`000dd000 MEM_FREE PAGE_NOACCESS Free
+ 0`00790000 0`00791000 0`00001000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE Heap [ID: 3; Handle: 0000000000cc0000; Type: Front End]
  0`00791000 0`007aa000 0`00019000 MEM_PRIVATE MEM_RESERVE Heap [ID: 3; Handle: 0000000000cc0000; Type: Front End]
+ 0`007aa000 0`007d0000 0`00026000 MEM_FREE PAGE_NOACCESS Free
+ 0`007d0000 0`007d1000 0`00001000 MEM_MAPPED MEM_COMMIT PAGE_READWRITE [RESCHIT.........]
+ 0`007d1000 0`00860000 0`0008f000 MEM_FREE PAGE_NOACCESS Free
+ 0`00860000 0`00867000 0`00007000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE Heap [ID: 2; Handle: 0000000000860000; Type: Segment]
  0`00867000 0`0086a000 0`00003000 MEM_PRIVATE MEM_RESERVE Heap [ID: 2; Handle: 0000000000860000; Type: Segment]
  0`0086a000 0`0086f000 0`00005000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE Heap [ID: 2; Handle: 0000000000860000; Type: Segment]
  0`0086f000 0`00870000 0`00001000 MEM_PRIVATE MEM_RESERVE
+ 0`00870000 0`00872000 0`00002000 MEM_MAPPED MEM_COMMIT PAGE_READONLY [................]
  0`00872000 0`009f0000 0`0017e000 MEM_MAPPED MEM_RESERVE
  0`009f0000 0`009f5000 0`00005000 MEM_MAPPED MEM_COMMIT PAGE_READONLY [............H...]
  0`009f5000 0`009f8000 0`00003000 MEM_MAPPED MEM_RESERVE
+ 0`009f8000 0`00a00000 0`00008000 MEM_FREE PAGE_NOACCESS Free
+ 0`00a00000 0`00b81000 0`00181000 MEM_MAPPED MEM_COMMIT PAGE_READONLY Other [GDI Shared Handle Table]
+ 0`00b81000 0`00cc0000 0`0013f000 MEM_FREE PAGE_NOACCESS Free
+ 0`00cc0000 0`00ccf000 0`0000f000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE Heap [ID: 3; Handle: 0000000000cc0000; Type: Segment]
  0`00ccf000 0`00cd0000 0`00001000 MEM_PRIVATE MEM_RESERVE
+ 0`00cd0000 0`00dca000 0`000fa000 MEM_PRIVATE MEM_RESERVE Stack [~1; b60.dc4]
  0`00dca000 0`00dcd000 0`00003000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE|PAGE_GUARD Stack [~1; b60.dc4]
  0`00dcd000 0`00dd0000 0`00003000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE Stack [~1; b60.dc4]
+ 0`00dd0000 0`00dfd000 0`0002d000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE Heap [ID: 3; Handle: 0000000000cc0000; Type: Segment]
  0`00dfd000 0`00ecf000 0`000d2000 MEM_PRIVATE MEM_RESERVE Heap [ID: 3; Handle: 0000000000cc0000; Type: Segment]
  0`00ecf000 0`00ed0000 0`00001000 MEM_PRIVATE MEM_RESERVE
+ 0`00ed0000 0`00fca000 0`000fa000 MEM_PRIVATE MEM_RESERVE Stack [~2; b60.e28]
  0`00fca000 0`00fcd000 0`00003000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE|PAGE_GUARD Stack [~2; b60.e28]
  0`00fcd000 0`00fd0000 0`00003000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE Stack [~2; b60.e28]
+ 0`00fd0000 0`010cb000 0`000fb000 MEM_PRIVATE MEM_RESERVE Stack [~3; b60.e2c]
  0`010cb000 0`010ce000 0`00003000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE|PAGE_GUARD Stack [~3; b60.e2c]
  0`010ce000 0`010d0000 0`00002000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE Stack [~3; b60.e2c]
+ 0`010d0000 0`01280000 0`001b0000 MEM_FREE PAGE_NOACCESS Free
+ 0`01280000 0`012da000 0`0005a000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE Heap [ID: 2; Handle: 0000000000860000; Type: Segment]
  0`012da000 0`0137f000 0`000a5000 MEM_PRIVATE MEM_RESERVE Heap [ID: 2; Handle: 0000000000860000; Type: Segment]
  0`0137f000 0`01380000 0`00001000 MEM_PRIVATE MEM_RESERVE
+ 0`01380000 0`0177f000 0`003ff000 MEM_MAPPED MEM_COMMIT PAGE_READONLY [RESCSEG.........]
+ 0`0177f000 0`01780000 0`00001000 MEM_FREE PAGE_NOACCESS Free
+ 0`01780000 0`0197f000 0`001ff000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE Heap [ID: 0; Handle: 0000000000590000; Type: Segment]
  0`0197f000 0`01980000 0`00001000 MEM_PRIVATE MEM_RESERVE
+ 0`01980000 0`019f0000 0`00070000 MEM_FREE PAGE_NOACCESS Free
+ 0`019f0000 0`01aef000 0`000ff000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE Heap [ID: 0; Handle: 0000000000590000; Type: Segment]
  0`01aef000 0`01af0000 0`00001000 MEM_PRIVATE MEM_RESERVE
+ 0`01af0000 0`01e84000 0`00394000 MEM_MAPPED MEM_COMMIT PAGE_READONLY [RESCSEG.........]
+ 0`01e84000 0`01e90000 0`0000c000 MEM_FREE PAGE_NOACCESS Free
+ 0`01e90000 0`01ea6000 0`00016000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE Heap [ID: 0; Handle: 0000000000590000; Type: Segment]
  0`01ea6000 0`0228f000 0`003e9000 MEM_PRIVATE MEM_RESERVE Heap [ID: 0; Handle: 0000000000590000; Type: Segment]
  0`0228f000 0`02290000 0`00001000 MEM_PRIVATE MEM_RESERVE
+ 0`02290000 0`6a030000 0`67da0000 MEM_FREE PAGE_NOACCESS Free
+ 0`6a030000 0`6a031000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [msvcr80; "C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9268_none_88e0de612fadfb38\msvcr80.dll"]
  0`6a031000 0`6a0cd000 0`0009c000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image [msvcr80; "C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9268_none_88e0de612fadfb38\msvcr80.dll"]
  0`6a0cd000 0`6a0e9000 0`0001c000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [msvcr80; "C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9268_none_88e0de612fadfb38\msvcr80.dll"]
  0`6a0e9000 0`6a0ee000 0`00005000 MEM_IMAGE MEM_COMMIT PAGE_READWRITE Image [msvcr80; "C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9268_none_88e0de612fadfb38\msvcr80.dll"]
  0`6a0ee000 0`6a0ef000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_WRITECOPY Image [msvcr80; "C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9268_none_88e0de612fadfb38\msvcr80.dll"]
  0`6a0ef000 0`6a0f9000 0`0000a000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [msvcr80; "C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9268_none_88e0de612fadfb38\msvcr80.dll"]
+ 0`6a0f9000 0`7ffe0000 0`15ee7000 MEM_FREE PAGE_NOACCESS Free
+ 0`7ffe0000 0`7ffe1000 0`00001000 MEM_PRIVATE MEM_COMMIT PAGE_READONLY Other [User Shared Data]
  0`7ffe1000 0`7fff0000 0`0000f000 MEM_PRIVATE MEM_RESERVE
+ 0`7fff0000 1`40000000 0`c0010000 MEM_FREE PAGE_NOACCESS Free
+ 1`40000000 1`40001000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [valWBFPolicyService; "C:\Windows\System32\valWBFPolicyService.exe"]
  1`40001000 1`4000b000 0`0000a000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image [valWBFPolicyService; "C:\Windows\System32\valWBFPolicyService.exe"]
  1`4000b000 1`40011000 0`00006000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [valWBFPolicyService; "C:\Windows\System32\valWBFPolicyService.exe"]
  1`40011000 1`40012000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READWRITE Image [valWBFPolicyService; "C:\Windows\System32\valWBFPolicyService.exe"]
  1`40012000 1`40013000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [valWBFPolicyService; "C:\Windows\System32\valWBFPolicyService.exe"]
  1`40013000 1`40015000 0`00002000 MEM_IMAGE MEM_COMMIT PAGE_READWRITE Image [valWBFPolicyService; "C:\Windows\System32\valWBFPolicyService.exe"]
  1`40015000 1`40016000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [valWBFPolicyService; "C:\Windows\System32\valWBFPolicyService.exe"]
+ 1`40016000 7ff5`ffec0000 7ff4`bfeaa000 MEM_FREE PAGE_NOACCESS Free
+ 7ff5`ffec0000 7ff5`ffec5000 0`00005000 MEM_MAPPED MEM_COMMIT PAGE_READONLY Other [Read Only Shared Memory]
  7ff5`ffec5000 7ff5`fffc0000 0`000fb000 MEM_MAPPED MEM_RESERVE
+ 7ff5`fffc0000 7ff5`ffff3000 0`00033000 MEM_MAPPED MEM_COMMIT PAGE_READONLY Other [NLS Tables]
+ 7ff5`ffff3000 7ffa`a9110000 4`a911d000 MEM_FREE PAGE_NOACCESS Free
+ 7ffa`a9110000 7ffa`a9111000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [wevtapi; "C:\Windows\System32\wevtapi.dll"] 7ffa`a9111000 7ffa`a914f000 0`0003e000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image [wevtapi; "C:\Windows\System32\wevtapi.dll"] 7ffa`a914f000 7ffa`a9168000 0`00019000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [wevtapi; "C:\Windows\System32\wevtapi.dll"] 7ffa`a9168000 7ffa`a9169000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READWRITE Image [wevtapi; "C:\Windows\System32\wevtapi.dll"] 7ffa`a9169000 7ffa`a9171000 0`00008000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [wevtapi; "C:\Windows\System32\wevtapi.dll"]+ 7ffa`a9171000 7ffa`aab40000 0`019cf000 MEM_FREE PAGE_NOACCESS Free + 7ffa`aab40000 7ffa`aab41000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [devobj; "C:\Windows\System32\devobj.dll"] 7ffa`aab41000 7ffa`aab59000 0`00018000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image [devobj; "C:\Windows\System32\devobj.dll"] 7ffa`aab59000 7ffa`aab62000 0`00009000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [devobj; "C:\Windows\System32\devobj.dll"] 7ffa`aab62000 7ffa`aab63000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READWRITE Image [devobj; "C:\Windows\System32\devobj.dll"] 7ffa`aab63000 7ffa`aab68000 0`00005000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [devobj; "C:\Windows\System32\devobj.dll"]+ 7ffa`aab68000 7ffa`aada0000 0`00238000 MEM_FREE PAGE_NOACCESS Free + 7ffa`aada0000 7ffa`aada1000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [mintdh; "C:\Windows\System32\mintdh.dll"] 7ffa`aada1000 7ffa`aadd9000 0`00038000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image [mintdh; "C:\Windows\System32\mintdh.dll"] 7ffa`aadd9000 7ffa`aaded000 0`00014000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [mintdh; "C:\Windows\System32\mintdh.dll"] 7ffa`aaded000 7ffa`aadee000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READWRITE Image [mintdh; "C:\Windows\System32\mintdh.dll"] 7ffa`aadee000 7ffa`aadf4000 0`00006000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [mintdh; 
"C:\Windows\System32\mintdh.dll"]+ 7ffa`aadf4000 7ffa`aae00000 0`0000c000 MEM_FREE PAGE_NOACCESS Free + 7ffa`aae00000 7ffa`aae01000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [tdh; "C:\Windows\System32\tdh.dll"] 7ffa`aae01000 7ffa`aae1a000 0`00019000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image [tdh; "C:\Windows\System32\tdh.dll"] 7ffa`aae1a000 7ffa`aae75000 0`0005b000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [tdh; "C:\Windows\System32\tdh.dll"] 7ffa`aae75000 7ffa`aae76000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READWRITE Image [tdh; "C:\Windows\System32\tdh.dll"] 7ffa`aae76000 7ffa`aaea0000 0`0002a000 MEM_IMAGE MEM_COMMIT PAGE_WRITECOPY Image [tdh; "C:\Windows\System32\tdh.dll"] 7ffa`aaea0000 7ffa`aaea2000 0`00002000 MEM_IMAGE MEM_COMMIT PAGE_READWRITE Image [tdh; "C:\Windows\System32\tdh.dll"] 7ffa`aaea2000 7ffa`aaea5000 0`00003000 MEM_IMAGE MEM_COMMIT PAGE_WRITECOPY Image [tdh; "C:\Windows\System32\tdh.dll"] 7ffa`aaea5000 7ffa`aaeae000 0`00009000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [tdh; "C:\Windows\System32\tdh.dll"]+ 7ffa`aaeae000 7ffa`ab940000 0`00a92000 MEM_FREE PAGE_NOACCESS Free + 7ffa`ab940000 7ffa`ab941000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [bcrypt; "C:\Windows\System32\bcrypt.dll"] 7ffa`ab941000 7ffa`ab960000 0`0001f000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image [bcrypt; "C:\Windows\System32\bcrypt.dll"] 7ffa`ab960000 7ffa`ab966000 0`00006000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [bcrypt; "C:\Windows\System32\bcrypt.dll"] 7ffa`ab966000 7ffa`ab967000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READWRITE Image [bcrypt; "C:\Windows\System32\bcrypt.dll"] 7ffa`ab967000 7ffa`ab96b000 0`00004000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [bcrypt; "C:\Windows\System32\bcrypt.dll"]+ 7ffa`ab96b000 7ffa`abde0000 0`00475000 MEM_FREE PAGE_NOACCESS Free + 7ffa`abde0000 7ffa`abde1000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [msasn1; "C:\Windows\System32\msasn1.dll"] 7ffa`abde1000 7ffa`abde9000 0`00008000 MEM_IMAGE MEM_COMMIT 
PAGE_EXECUTE_READ Image [msasn1; "C:\Windows\System32\msasn1.dll"] 7ffa`abde9000 7ffa`abdec000 0`00003000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [msasn1; "C:\Windows\System32\msasn1.dll"] 7ffa`abdec000 7ffa`abded000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READWRITE Image [msasn1; "C:\Windows\System32\msasn1.dll"] 7ffa`abded000 7ffa`abdf0000 0`00003000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [msasn1; "C:\Windows\System32\msasn1.dll"]+ 7ffa`abdf0000 7ffa`abdf1000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [KERNELBASE; "C:\Windows\System32\KERNELBASE.dll"] 7ffa`abdf1000 7ffa`abec1000 0`000d0000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image [KERNELBASE; "C:\Windows\System32\KERNELBASE.dll"] 7ffa`abec1000 7ffa`abfde000 0`0011d000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [KERNELBASE; "C:\Windows\System32\KERNELBASE.dll"] 7ffa`abfde000 7ffa`abfe2000 0`00004000 MEM_IMAGE MEM_COMMIT PAGE_READWRITE Image [KERNELBASE; "C:\Windows\System32\KERNELBASE.dll"] 7ffa`abfe2000 7ffa`abfe3000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_WRITECOPY Image [KERNELBASE; "C:\Windows\System32\KERNELBASE.dll"] 7ffa`abfe3000 7ffa`ac00d000 0`0002a000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [KERNELBASE; "C:\Windows\System32\KERNELBASE.dll"]+ 7ffa`ac00d000 7ffa`ac010000 0`00003000 MEM_FREE PAGE_NOACCESS Free + 7ffa`ac010000 7ffa`ac011000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [gdi32full; "C:\Windows\System32\gdi32full.dll"] 7ffa`ac011000 7ffa`ac0cf000 0`000be000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image [gdi32full; "C:\Windows\System32\gdi32full.dll"] 7ffa`ac0cf000 7ffa`ac170000 0`000a1000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [gdi32full; "C:\Windows\System32\gdi32full.dll"] 7ffa`ac170000 7ffa`ac174000 0`00004000 MEM_IMAGE MEM_COMMIT PAGE_READWRITE Image [gdi32full; "C:\Windows\System32\gdi32full.dll"] 7ffa`ac174000 7ffa`ac190000 0`0001c000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [gdi32full; "C:\Windows\System32\gdi32full.dll"]+ 7ffa`ac190000 7ffa`ac191000 0`00001000 MEM_IMAGE 
MEM_COMMIT PAGE_READONLY Image [win32u; "C:\Windows\System32\win32u.dll"] 7ffa`ac191000 7ffa`ac19a000 0`00009000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image [win32u; "C:\Windows\System32\win32u.dll"] 7ffa`ac19a000 7ffa`ac1a7000 0`0000d000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [win32u; "C:\Windows\System32\win32u.dll"] 7ffa`ac1a7000 7ffa`ac1a8000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READWRITE Image [win32u; "C:\Windows\System32\win32u.dll"] 7ffa`ac1a8000 7ffa`ac1ae000 0`00006000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [win32u; "C:\Windows\System32\win32u.dll"]+ 7ffa`ac1ae000 7ffa`ac1b0000 0`00002000 MEM_FREE PAGE_NOACCESS Free + 7ffa`ac1b0000 7ffa`ac1b1000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [cfgmgr32; "C:\Windows\System32\cfgmgr32.dll"] 7ffa`ac1b1000 7ffa`ac1de000 0`0002d000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image [cfgmgr32; "C:\Windows\System32\cfgmgr32.dll"] 7ffa`ac1de000 7ffa`ac1eb000 0`0000d000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [cfgmgr32; "C:\Windows\System32\cfgmgr32.dll"] 7ffa`ac1eb000 7ffa`ac1ec000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READWRITE Image [cfgmgr32; "C:\Windows\System32\cfgmgr32.dll"] 7ffa`ac1ec000 7ffa`ac1f2000 0`00006000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [cfgmgr32; "C:\Windows\System32\cfgmgr32.dll"]+ 7ffa`ac1f2000 7ffa`ac8e0000 0`006ee000 MEM_FREE PAGE_NOACCESS Free + 7ffa`ac8e0000 7ffa`ac8e1000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [crypt32; "C:\Windows\System32\crypt32.dll"] 7ffa`ac8e1000 7ffa`ac9d7000 0`000f6000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image [crypt32; "C:\Windows\System32\crypt32.dll"] 7ffa`ac9d7000 7ffa`aca0e000 0`00037000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [crypt32; "C:\Windows\System32\crypt32.dll"] 7ffa`aca0e000 7ffa`aca15000 0`00007000 MEM_IMAGE MEM_COMMIT PAGE_READWRITE Image [crypt32; "C:\Windows\System32\crypt32.dll"] 7ffa`aca15000 7ffa`acaa9000 0`00094000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [crypt32; "C:\Windows\System32\crypt32.dll"]+ 7ffa`acaa9000 
7ffa`acb60000 0`000b7000 MEM_FREE PAGE_NOACCESS Free + 7ffa`acb60000 7ffa`acb61000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [ucrtbase; "C:\Windows\System32\ucrtbase.dll"] 7ffa`acb61000 7ffa`acc0c000 0`000ab000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image [ucrtbase; "C:\Windows\System32\ucrtbase.dll"] 7ffa`acc0c000 7ffa`acc45000 0`00039000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [ucrtbase; "C:\Windows\System32\ucrtbase.dll"] 7ffa`acc45000 7ffa`acc48000 0`00003000 MEM_IMAGE MEM_COMMIT PAGE_READWRITE Image [ucrtbase; "C:\Windows\System32\ucrtbase.dll"] 7ffa`acc48000 7ffa`acc55000 0`0000d000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [ucrtbase; "C:\Windows\System32\ucrtbase.dll"]+ 7ffa`acc55000 7ffa`acc60000 0`0000b000 MEM_FREE PAGE_NOACCESS Free + 7ffa`acc60000 7ffa`acc61000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [msvcp_win; "C:\Windows\System32\msvcp_win.dll"] 7ffa`acc61000 7ffa`accb2000 0`00051000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image [msvcp_win; "C:\Windows\System32\msvcp_win.dll"] 7ffa`accb2000 7ffa`accf1000 0`0003f000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [msvcp_win; "C:\Windows\System32\msvcp_win.dll"] 7ffa`accf1000 7ffa`accf2000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_WRITECOPY Image [msvcp_win; "C:\Windows\System32\msvcp_win.dll"] 7ffa`accf2000 7ffa`accf5000 0`00003000 MEM_IMAGE MEM_COMMIT PAGE_READWRITE Image [msvcp_win; "C:\Windows\System32\msvcp_win.dll"] 7ffa`accf5000 7ffa`accfc000 0`00007000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [msvcp_win; "C:\Windows\System32\msvcp_win.dll"]+ 7ffa`accfc000 7ffa`acd60000 0`00064000 MEM_FREE PAGE_NOACCESS Free + 7ffa`acd60000 7ffa`acd61000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [bcryptPrimitives; "C:\Windows\System32\bcryptPrimitives.dll"] 7ffa`acd61000 7ffa`acdb1000 0`00050000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image [bcryptPrimitives; "C:\Windows\System32\bcryptPrimitives.dll"] 7ffa`acdb1000 7ffa`acdc4000 0`00013000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image 
[bcryptPrimitives; "C:\Windows\System32\bcryptPrimitives.dll"] 7ffa`acdc4000 7ffa`acdc5000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READWRITE Image [bcryptPrimitives; "C:\Windows\System32\bcryptPrimitives.dll"] 7ffa`acdc5000 7ffa`acdca000 0`00005000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [bcryptPrimitives; "C:\Windows\System32\bcryptPrimitives.dll"]+ 7ffa`acdca000 7ffa`ad120000 0`00356000 MEM_FREE PAGE_NOACCESS Free + 7ffa`ad120000 7ffa`ad121000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [oleaut32; "C:\Windows\System32\oleaut32.dll"] 7ffa`ad121000 7ffa`ad1a9000 0`00088000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image [oleaut32; "C:\Windows\System32\oleaut32.dll"] 7ffa`ad1a9000 7ffa`ad1ce000 0`00025000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [oleaut32; "C:\Windows\System32\oleaut32.dll"] 7ffa`ad1ce000 7ffa`ad1d1000 0`00003000 MEM_IMAGE MEM_COMMIT PAGE_READWRITE Image [oleaut32; "C:\Windows\System32\oleaut32.dll"] 7ffa`ad1d1000 7ffa`ad1df000 0`0000e000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [oleaut32; "C:\Windows\System32\oleaut32.dll"]+ 7ffa`ad1df000 7ffa`ad240000 0`00061000 MEM_FREE PAGE_NOACCESS Free + 7ffa`ad240000 7ffa`ad241000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [combase; "C:\Windows\System32\combase.dll"] 7ffa`ad241000 7ffa`ad409000 0`001c8000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image [combase; "C:\Windows\System32\combase.dll"] 7ffa`ad409000 7ffa`ad4be000 0`000b5000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [combase; "C:\Windows\System32\combase.dll"] 7ffa`ad4be000 7ffa`ad4bf000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READWRITE Image [combase; "C:\Windows\System32\combase.dll"] 7ffa`ad4bf000 7ffa`ad4c0000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_WRITECOPY Image [combase; "C:\Windows\System32\combase.dll"] 7ffa`ad4c0000 7ffa`ad4c3000 0`00003000 MEM_IMAGE MEM_COMMIT PAGE_READWRITE Image [combase; "C:\Windows\System32\combase.dll"] 7ffa`ad4c3000 7ffa`ad4c4000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_WRITECOPY Image [combase; 
"C:\Windows\System32\combase.dll"] 7ffa`ad4c4000 7ffa`ad508000 0`00044000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [combase; "C:\Windows\System32\combase.dll"]+ 7ffa`ad508000 7ffa`ad5b0000 0`000a8000 MEM_FREE PAGE_NOACCESS Free + 7ffa`ad5b0000 7ffa`ad5b1000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [setupapi; "C:\Windows\System32\setupapi.dll"] 7ffa`ad5b1000 7ffa`ad65e000 0`000ad000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image [setupapi; "C:\Windows\System32\setupapi.dll"] 7ffa`ad65e000 7ffa`ad68c000 0`0002e000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [setupapi; "C:\Windows\System32\setupapi.dll"] 7ffa`ad68c000 7ffa`ad68d000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READWRITE Image [setupapi; "C:\Windows\System32\setupapi.dll"] 7ffa`ad68d000 7ffa`ad68e000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_WRITECOPY Image [setupapi; "C:\Windows\System32\setupapi.dll"] 7ffa`ad68e000 7ffa`ad9d9000 0`0034b000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [setupapi; "C:\Windows\System32\setupapi.dll"]+ 7ffa`ad9d9000 7ffa`ad9e0000 0`00007000 MEM_FREE PAGE_NOACCESS Free + 7ffa`ad9e0000 7ffa`ad9e1000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [rpcrt4; "C:\Windows\System32\rpcrt4.dll"] 7ffa`ad9e1000 7ffa`adac0000 0`000df000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image [rpcrt4; "C:\Windows\System32\rpcrt4.dll"] 7ffa`adac0000 7ffa`adaea000 0`0002a000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [rpcrt4; "C:\Windows\System32\rpcrt4.dll"] 7ffa`adaea000 7ffa`adaec000 0`00002000 MEM_IMAGE MEM_COMMIT PAGE_READWRITE Image [rpcrt4; "C:\Windows\System32\rpcrt4.dll"] 7ffa`adaec000 7ffa`adb01000 0`00015000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [rpcrt4; "C:\Windows\System32\rpcrt4.dll"]+ 7ffa`adb01000 7ffa`adb10000 0`0000f000 MEM_FREE PAGE_NOACCESS Free + 7ffa`adb10000 7ffa`adb11000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [sechost; "C:\Windows\System32\sechost.dll"] 7ffa`adb11000 7ffa`adb42000 0`00031000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image [sechost; 
"C:\Windows\System32\sechost.dll"] 7ffa`adb42000 7ffa`adb60000 0`0001e000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [sechost; "C:\Windows\System32\sechost.dll"] 7ffa`adb60000 7ffa`adb61000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READWRITE Image [sechost; "C:\Windows\System32\sechost.dll"] 7ffa`adb61000 7ffa`adb62000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_WRITECOPY Image [sechost; "C:\Windows\System32\sechost.dll"] 7ffa`adb62000 7ffa`adb63000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READWRITE Image [sechost; "C:\Windows\System32\sechost.dll"] 7ffa`adb63000 7ffa`adb69000 0`00006000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [sechost; "C:\Windows\System32\sechost.dll"]+ 7ffa`adb69000 7ffa`adbe0000 0`00077000 MEM_FREE PAGE_NOACCESS Free + 7ffa`adbe0000 7ffa`adbe1000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [gdi32; "C:\Windows\System32\gdi32.dll"] 7ffa`adbe1000 7ffa`adbf3000 0`00012000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image [gdi32; "C:\Windows\System32\gdi32.dll"] 7ffa`adbf3000 7ffa`adc0e000 0`0001b000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [gdi32; "C:\Windows\System32\gdi32.dll"] 7ffa`adc0e000 7ffa`adc0f000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READWRITE Image [gdi32; "C:\Windows\System32\gdi32.dll"] 7ffa`adc0f000 7ffa`adc14000 0`00005000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [gdi32; "C:\Windows\System32\gdi32.dll"]+ 7ffa`adc14000 7ffa`adc20000 0`0000c000 MEM_FREE PAGE_NOACCESS Free + 7ffa`adc20000 7ffa`adc21000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [msvcrt; "C:\Windows\System32\msvcrt.dll"] 7ffa`adc21000 7ffa`adc96000 0`00075000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image [msvcrt; "C:\Windows\System32\msvcrt.dll"] 7ffa`adc96000 7ffa`adcaf000 0`00019000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [msvcrt; "C:\Windows\System32\msvcrt.dll"] 7ffa`adcaf000 7ffa`adcb1000 0`00002000 MEM_IMAGE MEM_COMMIT PAGE_READWRITE Image [msvcrt; "C:\Windows\System32\msvcrt.dll"] 7ffa`adcb1000 7ffa`adcb4000 0`00003000 MEM_IMAGE MEM_COMMIT PAGE_WRITECOPY Image [msvcrt; 
"C:\Windows\System32\msvcrt.dll"] 7ffa`adcb4000 7ffa`adcb6000 0`00002000 MEM_IMAGE MEM_COMMIT PAGE_READWRITE Image [msvcrt; "C:\Windows\System32\msvcrt.dll"] 7ffa`adcb6000 7ffa`adcb7000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_WRITECOPY Image [msvcrt; "C:\Windows\System32\msvcrt.dll"] 7ffa`adcb7000 7ffa`adcbe000 0`00007000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [msvcrt; "C:\Windows\System32\msvcrt.dll"]+ 7ffa`adcbe000 7ffa`af330000 0`01672000 MEM_FREE PAGE_NOACCESS Free + 7ffa`af330000 7ffa`af331000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [kernel32; "C:\Windows\System32\kernel32.dll"] 7ffa`af331000 7ffa`af3a4000 0`00073000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image [kernel32; "C:\Windows\System32\kernel32.dll"] 7ffa`af3a4000 7ffa`af3d3000 0`0002f000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [kernel32; "C:\Windows\System32\kernel32.dll"] 7ffa`af3d3000 7ffa`af3d4000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READWRITE Image [kernel32; "C:\Windows\System32\kernel32.dll"] 7ffa`af3d4000 7ffa`af3dc000 0`00008000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [kernel32; "C:\Windows\System32\kernel32.dll"]+ 7ffa`af3dc000 7ffa`af3e0000 0`00004000 MEM_FREE PAGE_NOACCESS Free + 7ffa`af3e0000 7ffa`af3e1000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [ole32; "C:\Windows\System32\ole32.dll"] 7ffa`af3e1000 7ffa`af497000 0`000b6000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image [ole32; "C:\Windows\System32\ole32.dll"] 7ffa`af497000 7ffa`af4ee000 0`00057000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [ole32; "C:\Windows\System32\ole32.dll"] 7ffa`af4ee000 7ffa`af4f0000 0`00002000 MEM_IMAGE MEM_COMMIT PAGE_READWRITE Image [ole32; "C:\Windows\System32\ole32.dll"] 7ffa`af4f0000 7ffa`af518000 0`00028000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [ole32; "C:\Windows\System32\ole32.dll"]+ 7ffa`af518000 7ffa`af550000 0`00038000 MEM_FREE PAGE_NOACCESS Free + 7ffa`af550000 7ffa`af551000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [user32; "C:\Windows\System32\user32.dll"] 
7ffa`af551000 7ffa`af5ee000 0`0009d000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image [user32; "C:\Windows\System32\user32.dll"] 7ffa`af5ee000 7ffa`af60b000 0`0001d000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [user32; "C:\Windows\System32\user32.dll"] 7ffa`af60b000 7ffa`af60d000 0`00002000 MEM_IMAGE MEM_COMMIT PAGE_READWRITE Image [user32; "C:\Windows\System32\user32.dll"] 7ffa`af60d000 7ffa`af6b5000 0`000a8000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [user32; "C:\Windows\System32\user32.dll"]+ 7ffa`af6b5000 7ffa`af6c0000 0`0000b000 MEM_FREE PAGE_NOACCESS Free + 7ffa`af6c0000 7ffa`af6c1000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [advapi32; "C:\Windows\System32\advapi32.dll"] 7ffa`af6c1000 7ffa`af720000 0`0005f000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image [advapi32; "C:\Windows\System32\advapi32.dll"] 7ffa`af720000 7ffa`af754000 0`00034000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [advapi32; "C:\Windows\System32\advapi32.dll"] 7ffa`af754000 7ffa`af755000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READWRITE Image [advapi32; "C:\Windows\System32\advapi32.dll"] 7ffa`af755000 7ffa`af756000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_WRITECOPY Image [advapi32; "C:\Windows\System32\advapi32.dll"] 7ffa`af756000 7ffa`af758000 0`00002000 MEM_IMAGE MEM_COMMIT PAGE_READWRITE Image [advapi32; "C:\Windows\System32\advapi32.dll"] 7ffa`af758000 7ffa`af759000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_WRITECOPY Image [advapi32; "C:\Windows\System32\advapi32.dll"] 7ffa`af759000 7ffa`af762000 0`00009000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [advapi32; "C:\Windows\System32\advapi32.dll"]+ 7ffa`af762000 7ffa`af850000 0`000ee000 MEM_FREE PAGE_NOACCESS Free + 7ffa`af850000 7ffa`af851000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [imagehlp; "C:\Windows\System32\imagehlp.dll"] 7ffa`af851000 7ffa`af85c000 0`0000b000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image [imagehlp; "C:\Windows\System32\imagehlp.dll"] 7ffa`af85c000 7ffa`af863000 0`00007000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image 
[imagehlp; "C:\Windows\System32\imagehlp.dll"] 7ffa`af863000 7ffa`af864000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READWRITE Image [imagehlp; "C:\Windows\System32\imagehlp.dll"] 7ffa`af864000 7ffa`af865000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_WRITECOPY Image [imagehlp; "C:\Windows\System32\imagehlp.dll"] 7ffa`af865000 7ffa`af867000 0`00002000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [imagehlp; "C:\Windows\System32\imagehlp.dll"] 7ffa`af867000 7ffa`af86a000 0`00003000 MEM_IMAGE MEM_COMMIT PAGE_WRITECOPY Image [imagehlp; "C:\Windows\System32\imagehlp.dll"] 7ffa`af86a000 7ffa`af86c000 0`00002000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [imagehlp; "C:\Windows\System32\imagehlp.dll"]+ 7ffa`af86c000 7ffa`af870000 0`00004000 MEM_FREE PAGE_NOACCESS Free + 7ffa`af870000 7ffa`af871000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [psapi; "C:\Windows\System32\psapi.dll"] 7ffa`af871000 7ffa`af872000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image [psapi; "C:\Windows\System32\psapi.dll"] 7ffa`af872000 7ffa`af874000 0`00002000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [psapi; "C:\Windows\System32\psapi.dll"] 7ffa`af874000 7ffa`af875000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READWRITE Image [psapi; "C:\Windows\System32\psapi.dll"] 7ffa`af875000 7ffa`af878000 0`00003000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [psapi; "C:\Windows\System32\psapi.dll"]+ 7ffa`af878000 7ffa`af8f0000 0`00078000 MEM_FREE PAGE_NOACCESS Free + 7ffa`af8f0000 7ffa`af8f1000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [ntdll; "C:\Windows\System32\ntdll.dll"] 7ffa`af8f1000 7ffa`af9f9000 0`00108000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image [ntdll; "C:\Windows\System32\ntdll.dll"] 7ffa`af9f9000 7ffa`afa3d000 0`00044000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [ntdll; "C:\Windows\System32\ntdll.dll"] 7ffa`afa3d000 7ffa`afa3e000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READWRITE Image [ntdll; "C:\Windows\System32\ntdll.dll"] 7ffa`afa3e000 7ffa`afa40000 0`00002000 MEM_IMAGE MEM_COMMIT PAGE_WRITECOPY 
Image [ntdll; "C:\Windows\System32\ntdll.dll"] 7ffa`afa40000 7ffa`afa46000 0`00006000 MEM_IMAGE MEM_COMMIT PAGE_READWRITE Image [ntdll; "C:\Windows\System32\ntdll.dll"] 7ffa`afa46000 7ffa`afac2000 0`0007c000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [ntdll; "C:\Windows\System32\ntdll.dll"]+ 7ffa`afac2000 7fff`fffe0000 5`5051e000 MEM_FREE PAGE_NOACCESS Free + 7fff`fffe0000 7fff`ffff0000 0`00010000 MEM_PRIVATE MEM_RESERVE PAGE_NOACCESS
Command: !vadump : displays every virtual memory region together with its protection attributes
Command: !runaway : displays how much time each thread has consumed
Bit 0 (0x1) makes the debugger show the user-mode time (user time) consumed by each thread; when no flag is given, the default is 0x1
Bit 1 (0x2) shows the kernel time consumed by each thread.
Bit 2 (0x4) shows how much time has elapsed since each thread was created.
WinDbg commands about processes:
Command: |
Displays information about the current process
0:000> |
.  0  id: b60  examine  name: C:\Windows\System32\valWBFPolicyService.exe
Command: !dml_proc
Displays information about the current process
0:000> !dml_proc
DbgId  PID  Image file name
0      b60  C:\Windows\System32\valWBFPolicyService.exe
Command: .tlist
Lists all processes currently running on the local machine
Command: !process
!process 0 0 displays the process list
WinDbg commands about threads:
Command: ~ (Thread Status):
The tilde (~) command displays information about the specified thread, or about all threads in the current process. ~ and ~* differ slightly: ~* also prints each thread's start function and priority.
Command: ~
Displays information about all threads
0:000> ~
.  0  Id: b60.b64 Suspend: 0 Teb: 00000000`003bf000 Unfrozen
   1  Id: b60.dc4 Suspend: 0 Teb: 00000000`003c5000 Unfrozen
   2  Id: b60.e28 Suspend: 0 Teb: 00000000`003c7000 Unfrozen
   3  Id: b60.e2c Suspend: 0 Teb: 00000000`003c9000 Unfrozen
Command: ~*
Displays all threads
.  0  Id: b60.b64 Suspend: 0 Teb: 00000000`003bf000 Unfrozen
      Start: valWBFPolicyService+0x7710 (00000001`40007710)
      Priority: 0  Priority class: 32  Affinity: f
   1  Id: b60.dc4 Suspend: 0 Teb: 00000000`003c5000 Unfrozen
      Start: sechost!ScSvcctrlThreadA (00007ffa`adb23db0)
      Priority: 0  Priority class: 32  Affinity: f
   2  Id: b60.e28 Suspend: 0 Teb: 00000000`003c7000 Unfrozen
      Start: valWBFPolicyService+0x1087 (00000001`40001087)
      Priority: 0  Priority class: 32  Affinity: f
   3  Id: b60.e2c Suspend: 0 Teb: 00000000`003c9000 Unfrozen
      Start: valWBFPolicyService+0x1064 (00000001`40001064)
      Priority: 0  Priority class: 32  Affinity: f
Command: ~.
Displays the current thread
0:000> ~.
.  0  Id: b60.b64 Suspend: 0 Teb: 00000000`003bf000 Unfrozen
      Start: valWBFPolicyService+0x7710 (00000001`40007710)
      Priority: 0  Priority class: 32  Affinity: f
Command: ~# the thread that raised the current event or exception
Command: ~Number displays the thread with the given index
Command: ~* k displays the call stack of every thread
Command: ~2 f freezes thread 2
Command: ~# f freezes the thread that raised the exception
Command: ~3 u unfreezes thread 3
Command: ~2 k displays the call stack of thread 2
Command: ~0s switches to thread 0
Command: !thread
This extension displays summary information about a thread on the target system, including its ETHREAD block. It can only be used in kernel-mode debugging
WinDbg commands about stacks
Command: k*:
Displays the call stack of the given thread, along with other related information
~0 k displays the call stack of thread 0; k by itself prints the call stack of the current thread
kb displays the first three parameters passed to each function in the stack trace
kp displays all parameters passed to each function in the stack trace
Command: !findstack
This extension finds all stacks that contain the specified symbol or module
WinDbg scripting
Command: .foreach
Parses the output of one or more commands and uses each value in that output as input to one or more other commands
.foreach [Options] ( Variable { InCommands } ) { OutCommands }
Command: .printf
Similar to the printf statement in C
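As an added example (not from the original post), the following command-window script ties together the !runaway, ~ thread and .foreach/.printf sections above on a user-mode target such as the valWBFPolicyService.exe dump shown earlier. The pseudo-registers @$tpid, @$tid, @$peb and @$teb are built into the debugger; ~* e (execute a command once on every thread) is a form of the ~ command that the list above does not mention; lm1m lists loaded module names one per line.

```windbg
$$ Added example, not from the original post. Paste into the WinDbg command
$$ window on a user-mode target (live process or crash dump).

$$ 1. .printf with built-in pseudo-registers: process id, thread id, PEB and TEB
$$    of the current thread (%x = hex integer, %p = pointer-sized value).
.printf "pid=%x tid=%x peb=%p teb=%p\n", @$tpid, @$tid, @$peb, @$teb

$$ 2. !runaway 7 = bits 0x1|0x2|0x4: user time, kernel time and elapsed time
$$    for every thread, which makes a thread spinning in a busy loop stand out.
!runaway 7

$$ 3. ~* e runs the rest of the line once per thread, with @$tid and @$teb
$$    switched to that thread. k L3 limits each call stack to its top 3 frames.
~* e .printf "\n--- thread id=%x teb=%p ---\n", @$tid, @$teb ; k L3

$$ 4. .foreach: lm1m prints one loaded module name per line. Each name becomes
$$    the token mod, which is substituted wherever it appears in the output
$$    commands. lmvm then shows that module's path, timestamp and version block.
.foreach (mod { lm1m }) { .echo ===== mod =====; lmvm mod }
```

Step 4 is the pattern to reuse whenever one command's output has to feed another: the InCommands run once, their output is split on whitespace, and the OutCommands run once per token. Keep semicolons out of $$ comments, since a $$ comment ends at the first semicolon.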
Various analysis scenarios:
See: ephrain
Analyzing a stack overflow (recursion)
Analyzing a .NET Framework process crash
Analyzing a WoW64 process
Analyzing a memory leak
Analyzing an infinite wait
Analyzing a kernel dump
Analyzing a kernel dump for a memory problem
Analyzing a complete kernel dump