WinDbg command notes 1 (vertarget, lm and lmvm)
1. g lets the target program continue running; Ctrl+Break suspends the running target and returns you to the debugger prompt.
2. vertarget
The vertarget command displays the Microsoft Windows operating system version of the target machine.
An example:
0:011> vertarget
Windows XP Version 2600 (Service Pack 3) MP (4 procs) Free x86 compatible
Product: WinNt, suite: SingleUserTS
kernel32.dll version:
Machine Name:
Debug session time: Wed May 9 16:33:38.600 2012 (GMT+8)
System Uptime: 1 days 7:30:56.583
Process Uptime: 0 days 0:06:44.442
  Kernel time: 0 days 0:00:01.062
  User time: 0 days 0:00:01.843
The output above means: x86, 4 processors, XP SP3; the machine has been up for 1 day 7 hours 30 minutes 56 seconds, and the process being debugged has been running for 6 minutes 44 seconds.
3. lm
The lm command lists the specified loaded and unloaded modules. The output includes each module's symbol status and path.
An example:
0:015> lm
start    end        module name
00400000 00670000   360se                  (export symbols)   C:\Program Files\360\360se3\360se.exe
00de0000 00edd000   Favorites              (export symbols)   C:\Program Files\360\360se3\Favorites\Favorites.dll
00ee0000 01029000   LoginEnrol             (export symbols)   C:\Program Files\360\360se3\LoginEnrol\LoginEnrol.dll
01130000 011e0000   safemon                (export symbols)   C:\Program Files\360\360Safe\safemon\safemon.dll
017e0000 0183c000   urlproc                (export symbols)   C:\Program Files\360\360Safe\safemon\urlproc.dll
01b60000 01bdb000   heavygate              (export symbols)   C:\Program Files\360\360Safe\deepscan\heavygate.dll
020c0000 02126000   sqlite3                (export symbols)   C:\Program Files\360\360se3\sqlite3.dll
021d0000 023be000   doctor                 (export symbols)   C:\Program Files\360\360se3\doctor.dll
024c0000 02567000   ExtLoginAssis          (export symbols)   C:\Documents and Settings\Administrator\Application Data\360SE\apps\LoginAssis\ExtLoginAssis.dll
025a0000 02ae9000   xpsp2res               (no symbols)
02e50000 02e8d000   sepro                  (export symbols)   C:\Program Files\360\360Safe\safemon\sepro.dll
035f0000 0365f000   PENCHS                 (export symbols)   C:\Program Files\Common Files\Microsoft Shared\INK\PENCHS.DLL
039e0000 03b3e000   wdui2                  (export symbols)   C:\Program Files\360\360se3\SafeCentral\wdui2.dll
066d0000 07010000   Flash32_11_2_202_235   (export symbols)   C:\WINDOWS\system32\Macromed\Flash\Flash32_11_2_202_235.ocx
10000000 100ea000   SafeCentral            (export symbols)   C:\Program Files\360\360se3\SafeCentral\SafeCentral.dll
25060000 25077000   net_monitor2_0_2_6     (export symbols)   C:\Program Files\Common Files\Thunder Network\NetMon\net_monitor2.0.2.6.dll
4ae90000 4b03b000   gdiplus                (pdb symbols)      C:\MyLocalSymbols\gdiplus.pdb\E55758F17CA94EDBAC732C65F6FD77DF2\gdiplus.pdb
5adc0000 5adf7000   UxTheme                (pdb symbols)      C:\WINDOWS\symbols\dll\uxtheme.pdb
5dd50000 5de73000   msxml3                 (pdb symbols)      C:\MyLocalSymbols\msxml3.pdb\2D362E3E2D824B188B516102CA1D0EFC2\msxml3.pdb
5e400000 5e40c000   pngfilt                (deferred)
5fdd0000 5fe25000   NETAPI32               (deferred)
60180000 601bd000   sptip                  (deferred)
60fd0000 61025000   hnetcfg                (deferred)
61880000 618ba000   OLEACC                 (deferred)
61be0000 61bed000   MFC42LOC               (deferred)
62c20000 62c29000   LPK                    (deferred)
64000000 64021000   mdnsNSP                (deferred)
65700000 65727000   iNetSafe               (deferred)
65d00000 65d38000   urlproc_65d00000       (deferred)
66b50000 66b5c000   ImgUtil                (deferred)
67140000 67180000   iepeers                (deferred)
68000000 68036000   rsaenh                 (deferred)
6c140000 6c176000   dxtrans                (deferred)
6c180000 6c1da000   dxtmsft                (deferred)
6d7c0000 6d7ca000   ddrawex                (deferred)
71800000 7187c000   shdoclc                (deferred)
719c0000 719fe000   mswsock                (deferred)
71a00000 71a08000   wshtcpip               (deferred)
71a10000 71a18000   WS2HELP                (deferred)
71a20000 71a37000   WS2_32                 (deferred)
71a40000 71a4b000   wsock32                (deferred)
72240000 72245000   sensapi                (deferred)
727a0000 72892000   mfc42u                 (deferred)
72c80000 72c88000   msacm32                (deferred)
72c90000 72c99000   wdmaud                 (deferred)
72f70000 72f96000   WINSPOOL               (deferred)
73640000 7366e000   msctfime               (deferred)
736d0000 7371b000   DDRAW                  (deferred)
73aa0000 73ab5000   mscms                  (deferred)
73b30000 73b36000   DCIMAN32               (deferred)
73c50000 73c71000   T2EMBED                (deferred)
73dc0000 73dc3000   LZ32                   (deferred)
73e70000 73ecc000   dsound                 (deferred)
73fa0000 7400b000   USP10                  (deferred)
74620000 74647000   msls31                 (deferred)
74650000 7467a000   msimtf                 (deferred)
74680000 746cc000   MSCTF                  (deferred)
74cf0000 74d81000   MLANG                  (deferred)
75430000 754a1000   CRYPTUI                (deferred)
759d0000 75a7f000   USERENV                (deferred)
75bc0000 75c3d000   jscript                (deferred)
75e00000 75eae000   SXS                    (deferred)
75ff0000 76055000   MSVCP60                (deferred)
76060000 761b6000   SETUPAPI               (deferred)
762f0000 762f5000   MSIMG32                (deferred)
76300000 7631d000   IMM32                  (deferred)
76320000 76367000   comdlg32               (deferred)
765e0000 76673000   CRYPT32                (deferred)
76680000 76726000   WININET                (deferred)
76760000 7676c000   cryptdll               (deferred)
767c0000 767e9000   schannel               (deferred)
76990000 76ace000   ole32                  (deferred)
76af0000 76b01000   ATL                    (deferred)
76b10000 76b3a000   WINMM                  (deferred)
76bc0000 76bcb000   psapi                  (deferred)
76c00000 76c2e000   WINTRUST               (deferred)
76c60000 76c88000   IMAGEHLP               (deferred)
76d30000 76d48000   iphlpapi               (deferred)
76d70000 76d92000   appHelp                (deferred)
76db0000 76dc2000   MSASN1                 (deferred)
76e50000 76e5e000   rtutils                (deferred)
76e60000 76e72000   rasman                 (deferred)
76e80000 76eaf000   TAPI32                 (deferred)
76eb0000 76eec000   RASAPI32               (deferred)
76ef0000 76f17000   DNSAPI                 (deferred)
76f30000 76f5c000   WLDAP32                (deferred)
76f90000 76f96000   rasadhlp               (deferred)
76fa0000 7701f000   CLBCATQ                (deferred)
77020000 770ba000   COMRes                 (deferred)
770f0000 7717b000   OLEAUT32               (deferred)
77180000 77283000   COMCTL32               (deferred)
77ba0000 77ba7000   midimap                (deferred)
77bb0000 77bc5000   MSACM32_77bb0000       (deferred)
77bd0000 77bd8000   VERSION                (deferred)
77be0000 77c38000   msvcrt                 (deferred)
77c40000 77c65000   msv1_0                 (deferred)
77d10000 77da0000   USER32                 (deferred)
77da0000 77e49000   ADVAPI32               (deferred)
77e50000 77ee3000   RPCRT4                 (deferred)
77ef0000 77f39000   GDI32                  (deferred)
77f40000 77fb6000   SHLWAPI                (deferred)
77fc0000 77fd1000   Secur32                (deferred)
7c340000 7c396000   MSVCR71                (deferred)
7c3a0000 7c41b000   MSVCP71                (deferred)
7c800000 7c91e000   kernel32               (deferred)
7c920000 7c9b3000   ntdll                  (pdb symbols)      C:\WINDOWS\symbols\dll\ntdll.pdb
7c9c0000 7cc7c000   msi                    (deferred)
7d590000 7dd84000   SHELL32                (deferred)
7e210000 7e50c000   mshtml                 (deferred)
7e550000 7e6c3000   shdocvw                (deferred)
7eae0000 7eb81000   urlmon                 (deferred)

Unloaded modules:
753b0000 75421000   mshtmled.dll
74d90000 74dfd000   RichEd20.dll
71dd0000 71de5000   msapsspc.dll
78080000 78091000   MSVCRT40.dll
767c0000 767e9000   schannel.dll
759d0000 75a7f000   USERENV.dll
757f0000 75805000   digest.dll
72f10000 72f57000   msnsspc.dll
78080000 78091000   MSVCRT40.dll
72c90000 72c99000   wdmaud.drv
06200000 06218000   360verify.dll
066d0000 07010000   Flash32_11_2_202_235.ocx
73aa0000 73ab5000   mscms.dll
753b0000 75421000   mshtmled.dll
67140000 67180000   iepeers.dll
72f70000 72f96000   WINSPOOL.DRV
deferred means that the symbols for that module have not been loaded yet. Note: the symbols, not the module. I misread this at first and thought the module itself was not loaded; in fact, modules that are no longer loaded are listed separately under "Unloaded modules:".
4. lmvm
To see detailed information about a module, use the lmvm command.
lmvm shows the detailed information of any loaded DLL or EXE, including its symbol status. One particular reminder: do not append the file extension (neither .exe nor .dll); I made exactly this mistake when I started learning.
For one of the loaded modules listed in section 3,
an example:
0:015> lmvm ntdll
start    end        module name
7c920000 7c9b3000   ntdll      (pdb symbols)          C:\WINDOWS\symbols\dll\ntdll.pdb
    Loaded symbol image file: C:\WINDOWS\system32\ntdll.dll
    Image path: C:\WINDOWS\system32\ntdll.dll
    Image name: ntdll.dll
    Timestamp:        Mon Apr 14 10:13:25 2008 (4802BDC5)
    CheckSum:         00097CB7
    ImageSize:        00093000
    File version:     5.1.2600.5512
    Product version:  5.1.2600.5512
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0804.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft(R) Windows(R) Operating System
    InternalName:     ntdll.dll
    OriginalFilename: ntdll.dll
    ProductVersion:   5.1.2600.5512
    FileVersion:      5.1.2600.5512 (xpsp.080413-2111)
    FileDescription:  NT Layer DLL
    LegalCopyright:   (C) Microsoft Corporation. All rights reserved.
Compared with the lm listing, you can see that the symbol file location is printed as well.
If you append the extension, this is all you get:
0:015> lmvm ntdll.dll
start    end        module name
That means the module was not found.
Now let's try one of the modules that was shown as deferred above:
0:015> lmvm urlmon
start    end        module name
7eae0000 7eb81000   urlmon     (deferred)
    Image path: C:\WINDOWS\system32\urlmon.dll
    Image name: urlmon.dll
    Timestamp:        Wed Feb 29 02:49:46 2012 (4F4D21CA)
    CheckSum:         000A06D3
    ImageSize:        000A1000
    File version:     6.0.2900.6197
    Product version:  6.0.2900.6197
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0804.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft(R) Windows(R) Operating System
    InternalName:     UrlMon.dll
    OriginalFilename: UrlMon.dll
    ProductVersion:   6.00.2900.6197
    FileVersion:      6.00.2900.6197 (xpsp_sp3_gdr.120228-1720)
    FileDescription:  OLE32 Extensions for Win32
    LegalCopyright:   (C) Microsoft Corporation. All rights reserved.
You can see the module line is the same as what lm printed: still deferred, so no symbol file path is shown.
Now let's try one of the modules listed under "Unloaded modules:":
0:015> lmvm mshtmled
start    end        module name
Clearly, that means it was not found.
So lmvm can show the details of any loaded DLL or EXE, but it cannot show a DLL or EXE that has been unloaded, and it does not accept a file extension.
hgy413 --- addendum, 2012.5.22:
lmvm also accepts a wildcard and prints every module that matches it:
0:002> lmvm s*
start    end        module name
5cc30000 5cc56000   ShimEng    (deferred)
    Image path: C:\WINDOWS\system32\ShimEng.dll
    Image name: ShimEng.dll
    Timestamp:        Mon Apr 14 10:13:13 2008 (4802BDB9)
    CheckSum:         0001F66F
    ImageSize:        00026000
    File version:     5.1.2600.5512
    Product version:  5.1.2600.5512
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Windows® Operating System
    InternalName:     Shim Engine DLL (IAT)
    OriginalFilename: Shim Engine DLL (IAT)
    ProductVersion:   5.1.2600.5512
    FileVersion:      5.1.2600.5512 (xpsp.080413-2105)
    FileDescription:  Shim Engine DLL
    LegalCopyright:   © Microsoft Corporation. All rights reserved.
77f40000 77fb6000   SHLWAPI    (deferred)
    Image path: C:\WINDOWS\system32\SHLWAPI.dll
    Image name: SHLWAPI.dll
    Timestamp:        Tue Dec 08 17:23:33 2009 (4B1E1B15)
    CheckSum:         00079E4B
    ImageSize:        00076000
    File version:     6.0.2900.5912
    Product version:  6.0.2900.5912
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0804.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft(R) Windows(R) Operating System
    InternalName:     SHLWAPI
    OriginalFilename: SHLWAPI.DLL
    ProductVersion:   6.00.2900.5912
    FileVersion:      6.00.2900.5912 (xpsp_sp3_gdr.091207-1454)
    FileDescription:  Shell Light-weight Utility Library
    LegalCopyright:   (C) Microsoft Corporation. All rights reserved.
77fc0000 77fd1000   Secur32    (deferred)
    Image path: C:\WINDOWS\system32\Secur32.dll
    Image name: Secur32.dll
    Timestamp:        Thu Jun 25 16:24:50 2009 (4A433452)
    CheckSum:         00015AE9
    ImageSize:        00011000
    File version:     5.1.2600.5834
    Product version:  5.1.2600.5834
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Windows® Operating System
    InternalName:     security.dll
    OriginalFilename: security.dll
    ProductVersion:   5.1.2600.5834
    FileVersion:      5.1.2600.5834 (xpsp_sp3_gdr.090624-1305)
    FileDescription:  Security Support Provider Interface
    LegalCopyright:   © Microsoft Corporation. All rights reserved.
7d590000 7dd84000   SHELL32    (deferred)
    Image path: C:\WINDOWS\system32\SHELL32.dll
    Image name: SHELL32.dll
    Timestamp:        Fri Jan 21 22:44:09 2011 (4D399BB9)
    CheckSum:         007FB35C
    ImageSize:        007F4000
    File version:     6.0.2900.6072
    Product version:  6.0.2900.6072
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0804.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft(R) Windows(R) Operating System
    InternalName:     SHELL32
    OriginalFilename: SHELL32.DLL
    ProductVersion:   6.00.2900.6072
    FileVersion:      6.00.2900.6072 (xpsp_sp3_gdr.110121-1719)
    FileDescription:  Windows Shell Common Dll
    LegalCopyright:   (C) Microsoft Corporation. All rights reserved.
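When triaging a crash dump or a suspicious process, the lm and lmvm listings from sections 3, 4 and the wildcard addendum above are usually the first thing to read, and it helps to have them in a structured form: which modules still have deferred symbols, which ranges have been unloaded (a faulting address inside an unloaded range is a classic use-after-unload sign), and which module a given address falls into. The following Python is an added example written for these notes, not code from the original post or from WinDbg itself; it parses the two output shapes shown above. The sample inputs are constructed from rows copied out of this page's own listings, and the parse_lm, parse_lmvm, symbol_summary and module_for_address names are my own.

```python
import re

# Constructed sample of `lm` output: a few rows copied from the listing above.
LM_SAMPLE = """\
start    end        module name
00400000 00670000   360se      (export symbols)       C:\\Program Files\\360\\360se3\\360se.exe
025a0000 02ae9000   xpsp2res   (no symbols)
4ae90000 4b03b000   gdiplus    (pdb symbols)          C:\\MyLocalSymbols\\gdiplus.pdb\\E55758F17CA94EDBAC732C65F6FD77DF2\\gdiplus.pdb
7c920000 7c9b3000   ntdll      (pdb symbols)          C:\\WINDOWS\\symbols\\dll\\ntdll.pdb
7eae0000 7eb81000   urlmon     (deferred)

Unloaded modules:
753b0000 75421000   mshtmled.dll
066d0000 07010000   Flash32_11_2_202_235.ocx
"""

# Constructed sample of wildcard `lmvm` output (two modules, fields copied from above).
LMVM_SAMPLE = """\
start    end        module name
77fc0000 77fd1000   Secur32    (deferred)
    Image path: C:\\WINDOWS\\system32\\Secur32.dll
    Image name: Secur32.dll
    Timestamp:        Thu Jun 25 16:24:50 2009 (4A433452)
    CheckSum:         00015AE9
    ImageSize:        00011000
    File version:     5.1.2600.5834
7d590000 7dd84000   SHELL32    (deferred)
    Image path: C:\\WINDOWS\\system32\\SHELL32.dll
    Image name: SHELL32.dll
    Timestamp:        Fri Jan 21 22:44:09 2011 (4D399BB9)
    CheckSum:         007FB35C
    ImageSize:        007F4000
    File version:     6.0.2900.6072
"""

# "start end name (symbol state) [symbol path]"; the parenthesised state is absent
# for rows under "Unloaded modules:".
MODULE_RE = re.compile(r"^([0-9a-f]{8})\s+([0-9a-f]{8})\s+(\S+)(?:\s+\(([^)]*)\))?\s*(.*)$")
# "Key: value" detail lines printed by lmvm (keys may contain spaces, values may contain ':').
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(.*)$")


def parse_lm(text):
    """Split `lm` output into (loaded, unloaded) module lists.

    Loaded entries keep the symbol state from the parentheses. 'deferred' means
    the module IS loaded but its symbols have not been loaded yet; modules that
    were actually unloaded appear only after the "Unloaded modules:" marker.
    """
    loaded, unloaded = [], []
    in_unloaded = False
    for line in text.splitlines():
        if line.strip().startswith("Unloaded modules:"):
            in_unloaded = True
            continue
        m = MODULE_RE.match(line.strip())
        if not m:
            continue  # header line, blank line, or anything else
        start, end, name, state, path = m.groups()
        entry = {"start": int(start, 16), "end": int(end, 16), "name": name}
        if in_unloaded:
            unloaded.append(entry)
        else:
            entry["symbols"] = state or ""
            entry["symbol_path"] = path
            loaded.append(entry)
    return loaded, unloaded


def symbol_summary(loaded):
    """Count loaded modules per symbol state, e.g. how many are still deferred."""
    counts = {}
    for mod in loaded:
        counts[mod["symbols"]] = counts.get(mod["symbols"], 0) + 1
    return counts


def module_for_address(modules, address):
    """Return the module whose [start, end) range contains address, or None."""
    for mod in modules:
        if mod["start"] <= address < mod["end"]:
            return mod
    return None


def parse_lmvm(text):
    """Turn `lmvm` output (one module, or several with a wildcard) into field dicts.

    Returns an empty list when only the header was printed, which is what
    lmvm shows for a name it cannot find (wrong extension or unloaded module).
    """
    records = []
    for line in text.splitlines():
        m = MODULE_RE.match(line.strip())
        if m:
            start, end, name, state, path = m.groups()
            records.append({"module": name, "start": int(start, 16), "end": int(end, 16),
                            "symbols": state or "", "symbol_path": path})
            continue
        f = FIELD_RE.match(line)
        if f and records:
            records[-1][f.group(1)] = f.group(2).strip()
    return records


if __name__ == "__main__":
    loaded, unloaded = parse_lm(LM_SAMPLE)
    print("symbol states:", symbol_summary(loaded))
    print("unloaded:", [m["name"] for m in unloaded])
    hit = module_for_address(loaded, 0x7C950000)
    print("0x7c950000 lies in", hit["name"] if hit else "no loaded module")
    for rec in parse_lmvm(LMVM_SAMPLE):
        print(rec["module"], rec["Timestamp"], rec["CheckSum"], rec["ImageSize"])
```

Feed it the real text by copying the debugger output into the two strings (or reading it from a file written with .logopen). module_for_address works on the unloaded list as well, so an address from a crash can be checked against both lists; Timestamp and CheckSum from lmvm are what you compare against the symbol server or a known-good copy when you want to confirm which build of a module was actually loaded.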
Written by hgy413 on the evening of 2012.5.9.