windbg学习----r?

r?命令可以让伪寄存器自动获取所赋参数的类型

(仅在指派伪寄存器时) 使得伪寄存器获得类型信息。可以使用任何类型

如，我们知道@$peb的类型是_PEB:

0:000> dt ntdll!*PEB*
          ntdll!_PEB
          ntdll!_PEB_LDR_DATA

0:000> ? @$peb
Evaluate expression: 2147344384 = 7ffde000

值为7ffde000

0:000> dt -v ntdll!_PEB  @$peb
struct _PEB, 91 elements, 0x248 bytes
   +0x000 InheritedAddressSpace : 0 ''
   +0x001 ReadImageFileExecOptions : 0 ''
   +0x002 BeingDebugged    : 0x1 ''
   +0x003 BitField         : 0x8 ''
   +0x003 ImageUsesLargePages : Bitfield 0y0
   +0x003 IsProtectedProcess : Bitfield 0y0
   +0x003 IsLegacyProcess  : Bitfield 0y0
   +0x003 IsImageDynamicallyRelocated : Bitfield 0y1
   +0x003 SkipPatchingUser32Forwarders : Bitfield 0y0
   +0x003 SpareBits        : Bitfield 0y000
   +0x004 Mutant           : 0xffffffff 
   +0x008 ImageBaseAddress : 0x00ac0000 
   +0x00c Ldr              : 0x77d97880 struct _PEB_LDR_DATA, 9 elements, 0x30 bytes
   +0x010 ProcessParameters : 0x00321a80 struct _RTL_USER_PROCESS_PARAMETERS, 30 elements, 0x298 bytes
   +0x014 SubSystemData    : (null) 
   +0x018 ProcessHeap      : 0x00320000 
   +0x01c FastPebLock      : 0x77d97380 struct _RTL_CRITICAL_SECTION, 6 elements, 0x18 bytes
   +0x020 AtlThunkSListPtr : (null) 
   +0x024 IFEOKey          : (null) 
   +0x028 CrossProcessFlags : 0
   +0x028 ProcessInJob     : Bitfield 0y0
   +0x028 ProcessInitializing : Bitfield 0y0
   +0x028 ProcessUsingVEH  : Bitfield 0y0
   +0x028 ProcessUsingVCH  : Bitfield 0y0
   +0x028 ProcessUsingFTH  : Bitfield 0y0
   +0x028 ReservedBits0    : Bitfield 0y000000000000000000000000000 (0)
   +0x02c KernelCallbackTable : 0x76c4d568 
   +0x02c UserSharedInfoPtr : 0x76c4d568 
   +0x030 SystemReserved   : [1] 0
   +0x034 AtlThunkSListPtr32 : 0
   +0x038 ApiSetMap        : 0x77f00000 
   +0x03c TlsExpansionCounter : 0
   +0x040 TlsBitmap        : 0x77d97260 
   +0x044 TlsBitmapBits    : [2] 0xffffffff
   +0x04c ReadOnlySharedMemoryBase : 0x7f6f0000 
   +0x050 HotpatchInformation : (null) 
   +0x054 ReadOnlyStaticServerData : 0x7f6f0590  -> (null) 
   +0x058 AnsiCodePageData : 0x7ffa0000 
   +0x05c OemCodePageData  : 0x7ffa0000 
   +0x060 UnicodeCaseTableData : 0x7ffd0024 
   +0x064 NumberOfProcessors : 4
   +0x068 NtGlobalFlag     : 0x70
   +0x070 CriticalSectionTimeout : union _LARGE_INTEGER, 4 elements, 0x8 bytes
 0xffffe86d`079b8000
   +0x078 HeapSegmentReserve : 0x100000
   +0x07c HeapSegmentCommit : 0x2000
   +0x080 HeapDeCommitTotalFreeThreshold : 0x10000
   +0x084 HeapDeCommitFreeBlockThreshold : 0x1000
   +0x088 NumberOfHeaps    : 0xc
   +0x08c MaximumNumberOfHeaps : 0x10
   +0x090 ProcessHeaps     : 0x77d97500  -> 0x00320000 
   +0x094 GdiSharedHandleTable : 0x005c0000 
   +0x098 ProcessStarterHelper : (null) 
   +0x09c GdiDCAttributeList : 0x14
   +0x0a0 LoaderLock       : 0x77d97340 struct _RTL_CRITICAL_SECTION, 6 elements, 0x18 bytes
   +0x0a4 OSMajorVersion   : 6
   +0x0a8 OSMinorVersion   : 1
   +0x0ac OSBuildNumber    : 0x1db1
   +0x0ae OSCSDVersion     : 0x100
   +0x0b0 OSPlatformId     : 2
   +0x0b4 ImageSubsystem   : 2
   +0x0b8 ImageSubsystemMajorVersion : 5
   +0x0bc ImageSubsystemMinorVersion : 1
   +0x0c0 ActiveProcessAffinityMask : 0xf
   +0x0c4 GdiHandleBuffer  : [34] 0
   +0x14c PostProcessInitRoutine : (null) 
   +0x150 TlsExpansionBitmap : 0x77d97268 
   +0x154 TlsExpansionBitmapBits : [32] 1
   +0x1d4 SessionId        : 1
   +0x1d8 AppCompatFlags   : union _ULARGE_INTEGER, 4 elements, 0x8 bytes
 0x0
   +0x1e0 AppCompatFlagsUser : union _ULARGE_INTEGER, 4 elements, 0x8 bytes
 0x0
   +0x1e8 pShimData        : (null) 
   +0x1ec AppCompatInfo    : (null) 
   +0x1f0 CSDVersion       : struct _UNICODE_STRING, 3 elements, 0x8 bytes
 "Service Pack 1"
   +0x1f8 ActivationContextData : 0x00040000 struct _ACTIVATION_CONTEXT_DATA, 0 elements, 0x0 bytes
   +0x1fc ProcessAssemblyStorageMap : (null) 
   +0x200 SystemDefaultActivationContextData : 0x00030000 struct _ACTIVATION_CONTEXT_DATA, 0 elements, 0x0 bytes
   +0x204 SystemAssemblyStorageMap : 0x00323e80 struct _ASSEMBLY_STORAGE_MAP, 0 elements, 0x0 bytes
   +0x208 MinimumStackCommit : 0
   +0x20c FlsCallback      : 0x003262a8 struct _FLS_CALLBACK_INFO, 0 elements, 0x0 bytes
   +0x210 FlsListHead      : struct _LIST_ENTRY, 2 elements, 0x8 bytes
 [ 0x326088 - 0x326088 ]
   +0x218 FlsBitmap        : 0x77d97270 
   +0x21c FlsBitmapBits    : [4] 0x1ff
   +0x22c FlsHighIndex     : 8
   +0x230 WerRegistrationData : 0x00420000 
   +0x234 WerShipAssertPtr : (null) 
   +0x238 pContextData     : 0x00050000 
   +0x23c pImageHeaderHash : (null) 
   +0x240 TracingFlags     : 0
   +0x240 HeapTracingEnabled : Bitfield 0y0
   +0x240 CritSecTracingEnabled : Bitfield 0y0
   +0x240 SpareTracingBits : Bitfield 0y000000000000000000000000000000 (0)

_PEB结构的大小为0x248 bytes，也可以这样看：

0:000> ?? @@c++(sizeof(ntdll!_PEB))
unsigned int 0x248

比如我们要把Ldr地址赋给伪寄存器，按理论：

   +0x00c Ldr              : 0x77d97880 struct _PEB_LDR_DATA, 9 elements, 0x30 bytes

 

0:000> dt -v ntdll!_PEB -ny Ldr @$peb
struct _PEB, 91 elements, 0x248 bytes
   +0x00c Ldr : 0x77d97880 struct _PEB_LDR_DATA, 9 elements, 0x30 bytes

应该是取@$peb+0xc=7ffde00c

使用r?，

0:000> r? $t0=@$peb->Ldr;r $t0
$t0=77d97880

我们发现取得了Ldr字段的内容，要取其地址，就使用&符号来取，和C++中含义一样：

0:000> r? $t0=&@$peb->Ldr;r $t0
$t0=7ffde00c

当然，我们也可以用*来取内容

0:000> r? @$t1=*(_PEB_LDR_DATA**)@$t0;r @$t1
$t1=77d97880

0:000> r? @$t1=*(DWORD**)@$t0;r @$t1
$t1=77d97880
0:000> r? @$t1=*@$t0;r @$t1
$t1=77d97880