Dump文件数据存储格式(七)

九、模块列表流(ModuleListStream)

ModuleListStream流包含进程已加载模块信息。它紧跟随在ThreadInfoListStream后面。ThreadInfoListStream信息如下:

0x15f4+0n5068=0x29c0

ModuleListStream如下

可知ModuleListStream的RVA 为0x29c0,所以ModuleListStream紧挨着ThreadInfoListStream,大小为26680字节。数据如下:

这些数据按如下结构组织在一起:

typedef struct _MINIDUMP_MODULE_LIST {
  ULONG32         NumberOfModules;
  MINIDUMP_MODULE Modules[0];
} MINIDUMP_MODULE_LIST, *PMINIDUMP_MODULE_LIST;

MINIDUMP_MODULE_LIST包含了模块列表,成员如下:

NumberOfModules

模块数组的元素个数。

Modules

MINIDUMP_MODULE结构的数组。

而MINIDUMP_MODULE结构包含了每个模块的详细信息,结构如下

typedef struct _MINIDUMP_MODULE {
  ULONG64                      BaseOfImage;
  ULONG32                      SizeOfImage;
  ULONG32                      CheckSum;
  ULONG32                      TimeDateStamp;
  RVA                          ModuleNameRva;
  VS_FIXEDFILEINFO             VersionInfo;
  MINIDUMP_LOCATION_DESCRIPTOR CvRecord;
  MINIDUMP_LOCATION_DESCRIPTOR MiscRecord;
  ULONG64                      Reserved0;
  ULONG64                      Reserved1;
} MINIDUMP_MODULE, *PMINIDUMP_MODULE;

成员如下:

BaseOfImage

内存中模块可执行映像的基址。

SizeOfImage

内存中模块可执行映像的大小,单位为字节。

CheckSum

模块可执行映像的校验和值。

TimeDateStamp

模块可执行映像的时间戳值,采用time_t格式。

ModuleNameRva

指定模块名称的MINIDUMP_STRING结构的RVA。我们看一个例子

文件内偏移0x9600,跳到此处看看

VersionInfo

指定模块版本的VS_FIXEDFILEINFO结构。

CvRecord

指定模块的CodeView记录的MINIDUMP_LOCATION_DESCRIPTOR结构。

MiscRecord

指定模块的杂项记录的MINIDUMP_LOCATION_DESCRIPTOR结构。

Reserved0

保留以备将来使用

Reserved1

保留以备将来使用

 

MINIDUMP_STRING结构是模块名称信息,如下:

typedef struct _MINIDUMP_STRING {
  ULONG32 Length;
  WCHAR   Buffer[0];
} MINIDUMP_STRING, *PMINIDUMP_STRING;

Length

Buffer成员的大小,以字节为单位。此大小不包括空终止字符。

Buffer

以null结尾的字符串。

而VS_FIXEDFILEINFO结构包含文件的版本信息。此信息独立于语言和代码页。如下:

typedef struct tagVS_FIXEDFILEINFO {
  DWORD dwSignature;
  DWORD dwStrucVersion;
  DWORD dwFileVersionMS;
  DWORD dwFileVersionLS;
  DWORD dwProductVersionMS;
  DWORD dwProductVersionLS;
  DWORD dwFileFlagsMask;
  DWORD dwFileFlags;
  DWORD dwFileOS;
  DWORD dwFileType;
  DWORD dwFileSubtype;
  DWORD dwFileDateMS;
  DWORD dwFileDateLS;
} VS_FIXEDFILEINFO;

dwSignature

Type: DWORD

包含值0xFEEF04BD。在搜索文件以查找VS包含值0xFEEF04BD。在搜索文件以查找VS_FIXEDFILEINFO结构时,该值与VS_VERSIONINFO结构的szKey成员一起使用。FIXEDFILEINFO结构时,该值与VS_ERSIONINFO结构的szKey成员一起使用。

dwStrucVersion

Type: DWORD

此结构的二进制版本号。此成员的高位字包含主版本号,低位字包含次版本号。

dwFileVersionMS

Type: DWORD

文件二进制版本号中最重要的32位。此成员与dwFileVersionLS一起使用,以形成64位值,用于数值比较。

dwFileVersionLS

Type: DWORD

文件二进制版本号的最低有效32位。此成员与dwFileVersionMS一起使用,以形成用于数字比较的64位值。

dwProductVersionMS

Type: DWORD

与此文件一起分发的产品的二进制版本号的最有效的32位。此成员与dwProductVersionLS一起使用,以形成用于数字比较的64位值。

dwProductVersionLS

Type: DWORD

与此文件一起分发的产品的二进制版本号的最低有效32位。此成员与dwProductVersionMS一起使用,以形成用于数字比较的64位值。

dwFileFlagsMask

Type: DWORD

包含指定dwFileFlags中有效位的位掩码。位只有在创建文件时定义时才有效。

dwFileFlags

Type: DWORD

包含指定文件的布尔属性的位掩码。此成员可以包含以下一个或多个值。

Table 1
ValueMeaning
VS_FF_DEBUG
0x00000001L
The file contains debugging information or is compiled with debugging features enabled.
VS_FF_INFOINFERRED
0x00000010L
The file's version structure was created dynamically; therefore, some of the members in this structure may be empty or incorrect. This flag should never be set in a file's VS_VERSIONINFO data.
VS_FF_PATCHED
0x00000004L
The file has been modified and is not identical to the original shipping file of the same version number.
VS_FF_PRERELEASE
0x00000002L
The file is a development version, not a commercially released product.
VS_FF_PRIVATEBUILD
0x00000008L
The file was not built using standard release procedures. If this flag is set, the StringFileInfo structure should contain a PrivateBuild entry.
VS_FF_SPECIALBUILD
0x00000020L
The file was built by the original company using standard release procedures but is a variation of the normal file of the same version number. If this flag is set, the StringFileInfo structure should contain a SpecialBuild entry.

dwFileOS

Type: DWORD

为其设计此文件的操作系统。此成员可以是以下值之一。

Table 2
ValueMeaning
VOS_DOS
0x00010000L
The file was designed for MS-DOS.
VOS_NT
0x00040000L
The file was designed for Windows NT.
VOS__WINDOWS16
0x00000001L
The file was designed for 16-bit Windows.
VOS__WINDOWS32
0x00000004L
The file was designed for 32-bit Windows.
VOS_OS216
0x00020000L
The file was designed for 16-bit OS/2.
VOS_OS232
0x00030000L
The file was designed for 32-bit OS/2.
VOS__PM16
0x00000002L
The file was designed for 16-bit Presentation Manager.
VOS__PM32
0x00000003L
The file was designed for 32-bit Presentation Manager.
VOS_UNKNOWN
0x00000000L
The operating system for which the file was designed is unknown to the system.

 

应用程序可以组合这些值来指示该文件是为运行在另一个操作系统上的一个操作系统而设计的。下面的dwFileOS值是这方面的示例,但不是完整的列表。

Table 3
ValueMeaning
VOS_DOS_WINDOWS16
0x00010001L
The file was designed for 16-bit Windows running on MS-DOS.
VOS_DOS_WINDOWS32
0x00010004L
The file was designed for 32-bit Windows running on MS-DOS.
VOS_NT_WINDOWS32
0x00040004L
The file was designed for Windows NT.
VOS_OS216_PM16
0x00020002L
The file was designed for 16-bit Presentation Manager running on 16-bit OS/2.
VOS_OS232_PM32
0x00030003L
The file was designed for 32-bit Presentation Manager running on 32-bit OS/2.

dwFileType

Type: DWORD

文件的一般类型。此成员可以是以下值之一。保留所有其他值。

Table 4
ValueMeaning
VFT_APP
0x00000001L
The file contains an application.
VFT_DLL
0x00000002L
The file contains a DLL.
VFT_DRV
0x00000003L
The file contains a device driver. If dwFileType is VFT_DRV, dwFileSubtype contains a more specific description of the driver.
VFT_FONT
0x00000004L
The file contains a font. If dwFileType is VFT_FONT, dwFileSubtype contains a more specific description of the font file.
VFT_STATIC_LIB
0x00000007L
The file contains a static-link library.
VFT_UNKNOWN
0x00000000L
The file type is unknown to the system.
VFT_VXD
0x00000005L
The file contains a virtual device.

dwFileSubtype

Type: DWORD

文件的功能。可能的值取决于dwFileType的值。对于下表中未描述的dwFileType的所有值,dwFileSubtype为零。
如果dwFileType为VFT_DRV,则dwFileSubtype可以是以下值之一。

 

Table 5
ValueMeaning
VFT2_DRV_COMM
0x0000000AL
The file contains a communications driver.
VFT2_DRV_DISPLAY
0x00000004L
The file contains a display driver.
VFT2_DRV_INSTALLABLE
0x00000008L
The file contains an installable driver.
VFT2_DRV_KEYBOARD
0x00000002L
The file contains a keyboard driver.
VFT2_DRV_LANGUAGE
0x00000003L
The file contains a language driver.
VFT2_DRV_MOUSE
0x00000005L
The file contains a mouse driver.
VFT2_DRV_NETWORK
0x00000006L
The file contains a network driver.
VFT2_DRV_PRINTER
0x00000001L
The file contains a printer driver.
VFT2_DRV_SOUND
0x00000009L
The file contains a sound driver.
VFT2_DRV_SYSTEM
0x00000007L
The file contains a system driver.
VFT2_DRV_VERSIONED_PRINTER
0x0000000CL
The file contains a versioned printer driver.
VFT2_UNKNOWN
0x00000000L
The driver type is unknown by the system.

 如果dwFileType为VFT_FONT,则dwFileSubtype可以是以下值之一。

Table 6
ValueMeaning
VFT2_FONT_RASTER
0x00000001L
The file contains a raster font.
VFT2_FONT_TRUETYPE
0x00000003L
The file contains a TrueType font.
VFT2_FONT_VECTOR
0x00000002L
The file contains a vector font.
VFT2_UNKNOWN
0x00000000L
The font type is unknown by the system.

 

如果dwFileType是VFT_VXD,则dwFileSubtype包含虚拟设备控制块中包含的虚拟设备标识符。此处未列出的所有dwFileSubtype值都将保留

dwFileDateMS

Type: DWORD

文件64位二进制创建日期和时间戳的最高有效的32位。

dwFileDateLS

Type: DWORD

文件的64位二进制创建日期和时间戳的最低有效32位。

我们可以通过lm指令查看相关信息

0:035> lmt
start    end        module name
01590000 015a2000   zlib1     Wed Oct 17 11:00:09 2012 (507E1F39)
10000000 1000e000   mxml1     Tue Mar 15 17:06:47 2016 (56E7D0A7)
10010000 10629000   SogouPY   Wed Dec  4 12:04:09 2019 (5DE73039)
10cb0000 10dcd000   Resource  Wed Dec  4 11:55:09 2019 (5DE72E1D)
22e70000 22e88000   msctfui   B9A1C554 (This is a reproducible build file hash, not a timestamp)
242c0000 242db000   UIAutomationProvider_ni  Tue Jul  7 07:23:33 2020 (5F03B275)
246c0000 246fc000   WindowsCodecsExt  6F6F2A44 (This is a reproducible build file hash, not a timestamp)
24f00000 24f65000   System_Dynamic_ni  Sat Mar  2 14:34:40 2019 (5C7A2400)
26100000 26186000   UIAutomationTypes_ni  Tue Jul  7 07:23:33 2020 (5F03B275)
261a0000 261bf000   clrcompression  Sat Mar  2 14:34:23 2019 (5C7A23EF)
261e0000 2621e000   icm32     C09D0053 (This is a reproducible build file hash, not a timestamp)
2ce50000 2dc96000   nvd3dum   Sun Sep 17 00:43:16 2017 (59BD54A4)

posted on 2020-11-02 07:59  活着的虫子  阅读(407)  评论(0编辑  收藏  举报

导航