windbg调试命令6(!peb、!teb)
来源:互联网 发布:mac版qq怎么发送消息 编辑:程序博客网 时间:2024/05/22 13:53
windbg调试命令6(!peb、!teb)
PEB(Process Environment Block,进程环境块)存放进程信息,每个进程都有自己的PEB信息。位于用户地址空间。
TEB(Thread Environment Block,线程环境块)系统在此TEB中保存频繁使用的线程相关的数据。位于用户地址空间,在比 PEB 所在地址低的地方。进程中的每个线程都有自己的一个TEB。
调试的程序的时候,了解PEB和TEB往往对分析很有帮助。 WinDBG中 !peb 和 !teb 命令可以用来显示PEB和TEB:
0:000> !peb
PEB at 7ffd6000
InheritedAddressSpace: No
ReadImageFileExecOptions: No
BeingDebugged: Yes
ImageBaseAddress: 01000000
Ldr 001a1ea0
Ldr.Initialized: Yes
Ldr.InInitializationOrderModuleList: 001a1f58 . 001a2850
Ldr.InLoadOrderModuleList: 001a1ee0 . 001a2840
Ldr.InMemoryOrderModuleList: 001a1ee8 . 001a2848
Base TimeStamp Module
1000000 3b7d8475 Aug 17 13:54:13 2001 C:/WINDOWS/system32/winmine.exe
7c900000 4802a12c Apr 13 17:11:24 2008 C:/WINDOWS/system32/ntdll.dll
7c800000 4802a12c Apr 13 17:11:24 2008 C:/WINDOWS/system32/kernel32.dll
77c10000 4802a188 Apr 13 17:12:56 2008 C:/WINDOWS/system32/msvcrt.dll
77dd0000 4802a0b2 Apr 13 17:09:22 2008 C:/WINDOWS/system32/ADVAPI32.dll
77e70000 4802a106 Apr 13 17:10:46 2008 C:/WINDOWS/system32/RPCRT4.dll
77fe0000 4802a11b Apr 13 17:11:07 2008 C:/WINDOWS/system32/Secur32.dll
77f10000 49006fbe Oct 23 05:36:14 2008 C:/WINDOWS/system32/GDI32.dll
7e410000 4802a11b Apr 13 17:11:07 2008 C:/WINDOWS/system32/USER32.dll
7c9c0000 48e1c4d9 Sep 29 23:19:05 2008 C:/WINDOWS/system32/SHELL32.dll
77f60000 4802a116 Apr 13 17:11:02 2008 C:/WINDOWS/system32/SHLWAPI.dll
76b40000 4802a13c Apr 13 17:11:40 2008 C:/WINDOWS/system32/WINMM.dll
773d0000 4802a094 Apr 13 17:08:52 2008 C:/WINDOWS/WinSxS/x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83/COMCTL32.dll
SubSystemData: 00000000
ProcessHeap: 000a0000
ProcessParameters: 00020000
WindowTitle: 'C:/WINDOWS/system32/winmine.exe'
ImageFile: 'C:/WINDOWS/system32/winmine.exe'
CommandLine: 'winmine'
DllPath: 'C:/WINDOWS/system32;C:/WINDOWS/system32;C:/WINDOWS/system;C:/WINDOWS;.;C:/Program Files/WinDbg/winext/arcade;C:/Tools/Perl/site/bin;C:/Tools/Perl/bin;C:/WINDOWS/system32;C:/WINDOWS;C:/WINDOWS/System32/Wbem;C:/PROGRA~1/CA/SHARED~1/SCANEN~1;C:/Program Files/CA/eTrust Antivirus;C:/Program Files/Java/jdk1.5.0_14/bin;C:/Program Files/Apache-ant/bin;C:/Program Files/WinDbg;C:/Tools;C:/Program Files/TortoiseSVN/bin'
Environment: 00010000
=::=::/
ALLUSERSPROFILE=C:/Documents and Settings/All Users
ANT_HOME=C:/Program Files/Apache-ant
APPDATA=C:/Documents and Settings/WinGeek/Application Data
AVENGINE=C:/PROGRA~1/CA/SHARED~1/SCANEN~1
CommonProgramFiles=C:/Program Files/Common Files
COMPUTERNAME=QI
ComSpec=C:/WINDOWS/system32/cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=/Documents and Settings/WinGeek
INOCULAN=C:/Program Files/CA/eTrust Antivirus
JAVA_HOME=C:/Program Files/Java/jdk1.5.0_14
LOGONSERVER=//QI
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:/Program Files/WinDbg/winext/arcade;C:/Tools/Perl/site/bin;C:/Tools/Perl/bin;C:/WINDOWS/system32;C:/WINDOWS;C:/WINDOWS/System32/Wbem;C:/PROGRA~1/CA/SHARED~1/SCANEN~1;C:/Program Files/CA/eTrust Antivirus;C:/Program Files/Java/jdk1.5.0_14/bin;C:/Program Files/Apache-ant/bin;C:/Program Files/WinDbg;C:/Tools;C:/Program Files/TortoiseSVN/bin
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 2, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f02
ProgramFiles=C:/Program Files
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:/WINDOWS
TEMP=C:/DOCUME~1/WinGeek/LOCALS~1/Temp
TMP=C:/DOCUME~1/WinGeek/LOCALS~1/Temp
USERDOMAIN=QI
USERNAME=WinGeek
USERPROFILE=C:/Documents and Settings/WinGeek
VS80COMNTOOLS=C:/Program Files/Microsoft Visual Studio 8/Common7/Tools/
VS90COMNTOOLS=C:/Program Files/Microsoft Visual Studio 9.0/Common7/Tools/
WINDBG_DIR=C:/Program Files/WinDbg
windir=C:/WINDOWS
从以上!PEB输出结果,我们可以了解到进程的ImageBaseAddress,进程的堆(Heap)起始地址, 装载了那些DLL,命令行参数,系统的环境变量等等 。。。
0:000> !teb
TEB at 7ffdf000
ExceptionList: 0007fd0c
StackBase: 00080000
StackLimit: 0007c000
SubSystemTib: 00000000
FiberData: 00001e00
ArbitraryUserPointer: 00000000
Self: 7ffdf000
EnvironmentPointer: 00000000
ClientId: 000014a8 . 000014ac
RpcHandle: 00000000
Tls Storage: 00000000
PEB Address: 7ffd6000
LastErrorValue: 0
LastStatusValue: 0
Count Owned Locks: 0
HardErrorMode: 0
从以上!TEB输出结果,我们可以了解到栈(stack)的起始地址,Tls Storage 的地址, 异常处理的地址,LastError的值等等。。。
- windbg调试命令6(!peb、!teb)
- windbg调试命令6(!peb、!teb)
- windbg调试命令:!peb、!teb
- WinDBG 技巧:显示进程/线程环境参数(!peb 和 !teb 命令)
- TEB PEB
- fs TIB TEB PEB
- PEB,TEB初学.
- FS TIB TEB PEB
- get PEB or TEB
- PEB TEB结构体使用
- fs寄存器获取PEB/TEB
- !teb 调试
- TEB和PEB的知识复习
- 8.asm-PEB、TEB的地址(ntdll!RtlGetCurrentPeb得到PEB)
- windbg调试---基本命令
- WinDBG常用调试命令
- windbg调试命令
- windbg 调试命令
- Anthon OS 0.5.1b,新的开始
- windbg调试命令4(用户层.dump)
- POJ 3687 Labeling Balls
- windbg调试命令5(ln、伪寄存器)
- 10304 - Optimal Binary Search Tree
- windbg调试命令6(!peb、!teb)
- xbmc视频插件开发入门教程
- win7下安装ubuntu12.10
- C++中struct和class的区别和联系
- windbg调试命令7(!runaway、~)
- 服务器搭建(linux命令)
- windbg调试命令8(bp、bu、bm、bl、bc、ba、be、bd)
- POJ 3783 Balls
- LINUX下tar.xz格式文件的解压方法
