12. WinDbg: !address, !vadump, !vprot (reading memory state)
Source: Internet  Editor: 程序博客网  Date: 2024/05/18 03:05
!address
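The !address extension displays information about the memory used by the target process or target machine.
It is fairly easy to learn: running !address -? prints its usage help: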
0:000> !address -?
!address                  - prints information on the entire address space
!address -?               - prints this help
!address <address>        - prints available information about the region of the address space containing this address
!address -summary         - prints only summary information
!address -RegionUsageXXX  - fiters the output limiting the dispaly to one of the following types:
    RegionUsageIsVAD - `busy` region that could be charcterized better this includes Virtual-Alloc-ed blocks, SBH heap, memory from custom allocators, etc
    RegionUsageFree - availalble (neither committed nor reserved) region
    RegionUsageImage - region used by mapped images of binaries
    RegionUsageStack - stack of threads
    RegionUsageTeb - TEB of threads
    RegionUsageHeap - region in used by a heap
    RegionUsagePageHeap - region in use by full page-heap
    RegionUsagePeb - PEB of the process
    RegionUsageProcessParametrs - parameters of the process
    RegionUsageEnvironmentBlock - environment block
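Let's go through them one by one:
!address with no arguments displays information about the entire address space, followed by a usage summary.
The output is too long to reproduce here: it prints everything from 0-7ffefff. Readers familiar with Windows core programming will know that the normal 2 GB user address space is divided as follows: 0-ffff is the 64 KB null-pointer partition and 10000-7ffeffff is the user-mode partition,
followed by a 64 KB off-limits partition and then the kernel-mode partition. To read the information for these regions, the following tables are needed.
The following Filter values specify memory by memory type.
The following Filter values specify memory by state:
For example, address 30000 is normally not allocated: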
0:000> !address 30000
 TEB 7efdd000 in range 7efdb000 7efde000
 TEB 7efda000 in range 7efd8000 7efdb000
 TEB 7efd7000 in range 7efd5000 7efd8000
 ProcessParametrs 00641a40 in range 00640000 00648000
 Environment 00640810 in range 00640000 00648000
    00030000 : 00030000 - 00010000
                    Type     00000000
                    Protect  00000001 PAGE_NOACCESS
                    State    00010000 MEM_FREE
                    Usage    RegionUsageFree

The output shows a larger memory region that starts at address 0x30000 and contains a smaller region that also starts at 0x30000 and has size 0x10000. The smaller region therefore runs from 0x30000 to 0x40000. Its memory type is 0, its state is MEM_FREE, and its usage is RegionUsageFree. (For the meaning of these values, see the tables above.)
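We call .dvalloc to force an allocation at that address (/b gives the base address; the requested size of 100 is rounded up to a whole page, so 1000 bytes are allocated):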
0:000> .dvalloc /b 30000 100
Allocated 1000 bytes starting at 00030000
0:000> !address 30000
 TEB 7efdd000 in range 7efdb000 7efde000
 TEB 7efda000 in range 7efd8000 7efdb000
 TEB 7efd7000 in range 7efd5000 7efd8000
 ProcessParametrs 00641a40 in range 00640000 00648000
 Environment 00640810 in range 00640000 00648000
    00030000 : 00030000 - 00001000
                    Type     00020000 MEM_PRIVATE
                    Protect  00000040 PAGE_EXECUTE_READWRITE
                    State    00001000 MEM_COMMIT
                    Usage    RegionUsageIsVAD
!vadump
This command displays every virtual memory region together with its protection attributes.
0:000> !vadump
BaseAddress: 00000000
RegionSize: 00010000
State: 00010000 MEM_FREE
Protect: 00000001 PAGE_NOACCESS

BaseAddress: 00010000
RegionSize: 00010000
State: 00001000 MEM_COMMIT
Protect: 00000004 PAGE_READWRITE
Type: 00040000 MEM_MAPPED

BaseAddress: 00020000
RegionSize: 00010000
State: 00010000 MEM_FREE
Protect: 00000001 PAGE_NOACCESS
!vprot
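The !vprot extension command displays virtual memory protection information. It can be used both in live debugging and when debugging dump files.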
0:001> x test1!g_char
00a67004 test1!g_char = 0x00a6573c "I am string"
0:001> !vprot 00a67004
BaseAddress: 00a67000
AllocationBase: 00a50000
AllocationProtect: 00000080 PAGE_EXECUTE_WRITECOPY
RegionSize: 00002000
State: 00001000 MEM_COMMIT
Protect: 00000004 PAGE_READWRITE
Type: 01000000 MEM_IMAGE
0:001> !vprot 30000
BaseAddress: 00030000
AllocationBase: 00000000
RegionSize: 00010000
State: 00010000 MEM_FREE
Protect: 00000001 PAGE_NOACCESS
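
An added example, not part of the original post: a small Python parser for the "Name: value" records that !vadump and !vprot print, listing committed regions whose current protection is both writable and executable, such as the page that .dvalloc created at 00030000. The function names and the sample text are assumptions made for this example; the sample is constructed from values shown above and assumes the 32-bit output layout.

```python
import re

# Base protections (winnt.h) that are writable (or copy-on-write) and executable.
WRITABLE_EXEC = {0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
MEM_COMMIT = 0x1000
FIELD = re.compile(r"^\s*(\w+):\s+([0-9a-fA-F]{8})\b")  # 32-bit layout, as on this page

def parse_regions(text):
    """Split !vadump / !vprot output into one dict of integer fields per region."""
    regions, cur = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue  # prompts, blank lines, symbol output
        name, value = m.group(1), int(m.group(2), 16)
        if name == "BaseAddress":  # each record starts with BaseAddress
            cur = {}
            regions.append(cur)
        if cur is not None:
            cur[name] = value
    return regions

def writable_executable(regions):
    """Return (start, end, protection) for committed regions that are W+X right now."""
    hits = []
    for r in regions:
        # Use the current Protect, not AllocationProtect; mask off modifier bits (PAGE_GUARD...).
        prot = r.get("Protect", 0) & 0xFF
        if r.get("State") == MEM_COMMIT and prot in WRITABLE_EXEC:
            base = r["BaseAddress"]
            hits.append((base, base + r.get("RegionSize", 0), WRITABLE_EXEC[prot]))
    return hits

# Constructed sample in the page's layout: the .dvalloc region and the !vprot record.
SAMPLE = """0:000> !vadump
BaseAddress: 00030000
RegionSize: 00001000
State: 00001000 MEM_COMMIT
Protect: 00000040 PAGE_EXECUTE_READWRITE
0:001> !vprot 00a67004
BaseAddress: 00a67000
AllocationProtect: 00000080 PAGE_EXECUTE_WRITECOPY
RegionSize: 00002000
State: 00001000 MEM_COMMIT
Protect: 00000004 PAGE_READWRITE
"""

for start, end, name in writable_executable(parse_regions(SAMPLE)):
    print(f"{start:08x}-{end:08x} {name}")
```

The image page at 00a67000 is not reported: its AllocationProtect is PAGE_EXECUTE_WRITECOPY, but its current Protect is PAGE_READWRITE, and only the current value decides what the page allows.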