  Using WinDbg to understand the PE file structure

    0x0 Environment

    Windows 7, 32-bit
    WinDbg, 32-bit
    Target: notepad.exe

    0x1 Steps

    Launch notepad.exe


    Attach WinDbg to the notepad process


    lm lists the loaded modules and the state of their symbols

    0:001> lm
    start    end        module name
    00300000 00330000   notepad    (deferred)             
    6e870000 6e8c1000   WINSPOOL   (deferred)             
    73c10000 73c23000   dwmapi     (deferred)             
    73f40000 73f80000   uxtheme    (deferred)             
    740c0000 7425e000   COMCTL32   (deferred)             
    74630000 74639000   VERSION    (deferred)             
    75330000 7533c000   CRYPTBASE   (deferred)             
    75490000 754da000   KERNELBASE   (deferred)             
    756e0000 7575b000   COMDLG32   (deferred)             
    75a50000 75a69000   sechost    (deferred)             
    75a70000 75b10000   ADVAPI32   (deferred)             
    75b10000 75bb1000   RPCRT4     (deferred)             
    75bd0000 75bef000   IMM32      (deferred)             
    75bf0000 75cc4000   kernel32   (deferred)             
    75dd0000 76a1a000   SHELL32    (deferred)             
    76bd0000 76c5f000   OLEAUT32   (deferred)             
    76c60000 76cfd000   USP10      (deferred)             
    76d00000 76e5c000   ole32      (deferred)             
    76e60000 76f29000   USER32     (deferred)             
    76f80000 76fce000   GDI32      (deferred)             
    76fd0000 7709c000   MSCTF      (deferred)             
    770a0000 7714c000   msvcrt     (deferred)             
    77290000 773cc000   ntdll      (pdb symbols)          c:\symbols\ntdll.pdb\120028FA453F4CD5A6A404EC37396A582\ntdll.pdb
    77440000 77497000   SHLWAPI    (deferred)             
    774b0000 774ba000   LPK        (deferred)
    

    lm shows modules and whether their symbols are loaded. Useful variants:
    1. lm l: only loaded modules (lm u lists unloaded ones)
    2. lm m somemodulename*: modules whose name matches the pattern
    3. lm v: all modules with verbose details
    4. !lmi moduleName: detailed information about one module
    5. !dh -f <module start address | module name>: dump the image headers, including the PDB reference, the default stack and heap sizes, and the data directory table

    The !dh command

    !dh -f notepad dumps notepad's file header and optional header. Two parts of this output matter most in practice: the DLL characteristics block (here Dynamic base and NX compatible, so the image opts in to ASLR and DEP) and the data directory table, whose RVAs are what the rest of this walk-through decodes by hand.

    0:001> !dh -f notepad
    
    File Type: EXECUTABLE IMAGE
    FILE HEADER VALUES
         14C machine (i386)
           4 number of sections
    4A5BC60F time date stamp Tue Jul 14 07:41:03 2009
    
           0 file pointer to symbol table
           0 number of symbols
          E0 size of optional header
         102 characteristics
                Executable
                32 bit word machine
    
    OPTIONAL HEADER VALUES
         10B magic #
        9.00 linker version
        A800 size of code
       22400 size of initialized data
           0 size of uninitialized data
        3689 address of entry point
        1000 base of code
             ----- new -----
    00300000 image base
        1000 section alignment
         200 file alignment
           2 subsystem (Windows GUI)
        6.01 operating system version
        6.01 image version
        6.01 subsystem version
       30000 size of image
         400 size of headers
       39741 checksum
    00040000 size of stack reserve
    00011000 size of stack commit
    00100000 size of heap reserve
    00001000 size of heap commit
        8140  DLL characteristics
                Dynamic base
                NX compatible
                Terminal server aware
           0 [       0] address [size] of Export Directory
        A048 [     12C] address [size] of Import Directory
        F000 [   1F160] address [size] of Resource Directory
           0 [       0] address [size] of Exception Directory
           0 [       0] address [size] of Security Directory
       2F000 [     E34] address [size] of Base Relocation Directory
        B62C [      38] address [size] of Debug Directory
           0 [       0] address [size] of Description Directory
           0 [       0] address [size] of Special Directory
           0 [       0] address [size] of Thread Storage Directory
        6D58 [      40] address [size] of Load Configuration Directory
         278 [     128] address [size] of Bound Import Directory
        1000 [     400] address [size] of Import Address Table Directory
           0 [       0] address [size] of Delay Import Directory
           0 [       0] address [size] of COR20 Header Directory
           0 [       0] address [size] of Reserved Directory
    

    [The dt command](https://blog.csdn.net/pureman_mega/article/details/78884277)

    dt -n (_IMAGE_DOS_HEADER)00300000

    0:001> dt -n (_IMAGE_DOS_HEADER)00300000
    uxtheme!_IMAGE_DOS_HEADER
       +0x000 e_magic          : 0x5a4d
       +0x002 e_cblp           : 0x90
       +0x004 e_cp             : 3
       +0x006 e_crlc           : 0
       +0x008 e_cparhdr        : 4
       +0x00a e_minalloc       : 0
       +0x00c e_maxalloc       : 0xffff
       +0x00e e_ss             : 0
       +0x010 e_sp             : 0xb8
       +0x012 e_csum           : 0
       +0x014 e_ip             : 0
       +0x016 e_cs             : 0
       +0x018 e_lfarlc         : 0x40
       +0x01a e_ovno           : 0
       +0x01c e_res            : [4] 0
       +0x024 e_oemid          : 0
       +0x026 e_oeminfo        : 0
       +0x028 e_res2           : [10] 0
       +0x03c e_lfanew         : 0n224
    

    Related reading: PE Study (2): IMAGE_DOS_HEADER

    dt -n (_IMAGE_NT_HEADERS)00300000+0n224

    0:001> dt -n (_IMAGE_NT_HEADERS)00300000+0n224
    uxtheme!_IMAGE_NT_HEADERS
       +0x000 Signature        : 0x4550
       +0x004 FileHeader       : _IMAGE_FILE_HEADER
       +0x018 OptionalHeader   : _IMAGE_OPTIONAL_HEADER
    

    Related reading: PE file format explained: the IMAGE_NT_HEADER structure

    Find the address of the PE header (image base + e_lfanew)

    0:001> ? notepad
    Evaluate expression: 3145728 = 00300000
    0:001> ? notepad+0n224
    Evaluate expression: 3145952 = 003000e0
    

    View the file header (the PE signature is 4 bytes, so IMAGE_FILE_HEADER starts at 003000e0+4)

    0:001> dt ntdll!_IMAGE_FILE_HEADER 003000e4
       +0x000 Machine          : 0x14c
       +0x002 NumberOfSections : 4
       +0x004 TimeDateStamp    : 0x4a5bc60f
       +0x008 PointerToSymbolTable : 0
       +0x00c NumberOfSymbols  : 0
       +0x010 SizeOfOptionalHeader : 0xe0
       +0x012 Characteristics  : 0x102
    

    View the optional header (IMAGE_FILE_HEADER is 0x14 bytes, so IMAGE_OPTIONAL_HEADER starts at 003000e0+0x18)

    0:001> dt ntdll!_IMAGE_OPTIONAL_HEADER 003000f8
       +0x000 Magic            : 0x10b
       +0x002 MajorLinkerVersion : 0x9 ''
       +0x003 MinorLinkerVersion : 0 ''
       +0x004 SizeOfCode       : 0xa800
       +0x008 SizeOfInitializedData : 0x22400
       +0x00c SizeOfUninitializedData : 0
       +0x010 AddressOfEntryPoint : 0x3689
       +0x014 BaseOfCode       : 0x1000
       +0x018 BaseOfData       : 0xc000
       +0x01c ImageBase        : 0x300000
       +0x020 SectionAlignment : 0x1000
       +0x024 FileAlignment    : 0x200
       +0x028 MajorOperatingSystemVersion : 6
       +0x02a MinorOperatingSystemVersion : 1
       +0x02c MajorImageVersion : 6
       +0x02e MinorImageVersion : 1
       +0x030 MajorSubsystemVersion : 6
       +0x032 MinorSubsystemVersion : 1
       +0x034 Win32VersionValue : 0
       +0x038 SizeOfImage      : 0x30000
       +0x03c SizeOfHeaders    : 0x400
       +0x040 CheckSum         : 0x39741
       +0x044 Subsystem        : 2
       +0x046 DllCharacteristics : 0x8140
       +0x048 SizeOfStackReserve : 0x40000
       +0x04c SizeOfStackCommit : 0x11000
       +0x050 SizeOfHeapReserve : 0x100000
       +0x054 SizeOfHeapCommit : 0x1000
       +0x058 LoaderFlags      : 0
       +0x05c NumberOfRvaAndSizes : 0x10
       +0x060 DataDirectory    : [16] _IMAGE_DATA_DIRECTORY
    

    View the DataDirectory. It starts at +0x60 in the optional header; the first entry is the Export Directory, which is empty for notepad (both fields 0), and the Import Directory follows at +0x68.

    0:001> dt ntdll!_IMAGE_OPTIONAL_HEADER -v -ny DataDirectory 003000f8
    struct _IMAGE_OPTIONAL_HEADER, 31 elements, 0xe0 bytes
       +0x060 DataDirectory : [16] struct _IMAGE_DATA_DIRECTORY, 2 elements, 0x8 bytes
    
    0:001> ? 003000f8+0x060
    Evaluate expression: 3146072 = 00300158
    
    0:001> dt ole32!_IMAGE_DATA_DIRECTORY 00300158
       +0x000 VirtualAddress   : 0
       +0x004 Size             : 0
    
    0:001> dt /r1 ntdll!_IMAGE_NT_HEADERS notepad+e0
       +0x000 Signature        : 0x4550
       +0x004 FileHeader       : _IMAGE_FILE_HEADER
          +0x000 Machine          : 0x14c
          +0x002 NumberOfSections : 4
          +0x004 TimeDateStamp    : 0x4a5bc60f
          +0x008 PointerToSymbolTable : 0
          +0x00c NumberOfSymbols  : 0
          +0x010 SizeOfOptionalHeader : 0xe0
          +0x012 Characteristics  : 0x102
       +0x018 OptionalHeader   : _IMAGE_OPTIONAL_HEADER
          +0x000 Magic            : 0x10b
          +0x002 MajorLinkerVersion : 0x9 ''
          +0x003 MinorLinkerVersion : 0 ''
          +0x004 SizeOfCode       : 0xa800
          +0x008 SizeOfInitializedData : 0x22400
          +0x00c SizeOfUninitializedData : 0
          +0x010 AddressOfEntryPoint : 0x3689
          +0x014 BaseOfCode       : 0x1000
          +0x018 BaseOfData       : 0xc000
          +0x01c ImageBase        : 0x300000
          +0x020 SectionAlignment : 0x1000
          +0x024 FileAlignment    : 0x200
          +0x028 MajorOperatingSystemVersion : 6
          +0x02a MinorOperatingSystemVersion : 1
          +0x02c MajorImageVersion : 6
          +0x02e MinorImageVersion : 1
          +0x030 MajorSubsystemVersion : 6
          +0x032 MinorSubsystemVersion : 1
          +0x034 Win32VersionValue : 0
          +0x038 SizeOfImage      : 0x30000
          +0x03c SizeOfHeaders    : 0x400
          +0x040 CheckSum         : 0x39741
          +0x044 Subsystem        : 2
          +0x046 DllCharacteristics : 0x8140
          +0x048 SizeOfStackReserve : 0x40000
          +0x04c SizeOfStackCommit : 0x11000
          +0x050 SizeOfHeapReserve : 0x100000
          +0x054 SizeOfHeapCommit : 0x1000
          +0x058 LoaderFlags      : 0
          +0x05c NumberOfRvaAndSizes : 0x10
          +0x060 DataDirectory    : [16] _IMAGE_DATA_DIRECTORY
    

    The DOS Header

    0:001> db 00300000 L0n224
    00300000  4d 5a 90 00 03 00 00 00-04 00 00 00 ff ff 00 00  MZ..............
    00300010  b8 00 00 00 00 00 00 00-40 00 00 00 00 00 00 00  ........@.......
    00300020  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
    00300030  00 00 00 00 00 00 00 00-00 00 00 00 e0 00 00 00  ................
    00300040  0e 1f ba 0e 00 b4 09 cd-21 b8 01 4c cd 21 54 68  ........!..L.!Th
    00300050  69 73 20 70 72 6f 67 72-61 6d 20 63 61 6e 6e 6f  is program canno
    00300060  74 20 62 65 20 72 75 6e-20 69 6e 20 44 4f 53 20  t be run in DOS 
    00300070  6d 6f 64 65 2e 0d 0d 0a-24 00 00 00 00 00 00 00  mode....$.......
    00300080  b2 be c2 62 f6 df ac 31-f6 df ac 31 f6 df ac 31  ...b...1...1...1
    00300090  ff a7 39 31 f5 df ac 31-ff a7 3f 31 eb df ac 31  ..91...1..?1...1
    003000a0  f6 df ad 31 00 df ac 31-ff a7 2f 31 e9 df ac 31  ...1...1../1...1
    003000b0  ff a7 28 31 f4 df ac 31-ff a7 38 31 f7 df ac 31  ..(1...1..81...1
    003000c0  ff a7 3d 31 f7 df ac 31-52 69 63 68 f6 df ac 31  ..=1...1Rich...1
    003000d0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
    

    [Figures in the original post, not reproduced here: NT Headers; Optional Header; The DataDirectory; Locating the Section Headers; The Section Headers]

    The same region dumped further: the DOS header and stub, the NT headers at 003000e0, the four section headers from 003001d8, and from 00300278 the bound-import descriptors and DLL name strings that the Bound Import Directory (RVA 278, size 128) points at:

    00300000  4d 5a 90 00 03 00 00 00-04 00 00 00 ff ff 00 00  MZ..............
    00300010  b8 00 00 00 00 00 00 00-40 00 00 00 00 00 00 00  ........@.......
    00300020  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
    00300030  00 00 00 00 00 00 00 00-00 00 00 00 e0 00 00 00  ................
    00300040  0e 1f ba 0e 00 b4 09 cd-21 b8 01 4c cd 21 54 68  ........!..L.!Th
    00300050  69 73 20 70 72 6f 67 72-61 6d 20 63 61 6e 6e 6f  is program canno
    00300060  74 20 62 65 20 72 75 6e-20 69 6e 20 44 4f 53 20  t be run in DOS 
    00300070  6d 6f 64 65 2e 0d 0d 0a-24 00 00 00 00 00 00 00  mode....$.......
    00300080  b2 be c2 62 f6 df ac 31-f6 df ac 31 f6 df ac 31  ...b...1...1...1
    00300090  ff a7 39 31 f5 df ac 31-ff a7 3f 31 eb df ac 31  ..91...1..?1...1
    003000a0  f6 df ad 31 00 df ac 31-ff a7 2f 31 e9 df ac 31  ...1...1../1...1
    003000b0  ff a7 28 31 f4 df ac 31-ff a7 38 31 f7 df ac 31  ..(1...1..81...1
    003000c0  ff a7 3d 31 f7 df ac 31-52 69 63 68 f6 df ac 31  ..=1...1Rich...1
    003000d0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
    003000e0  50 45 00 00 4c 01 04 00-0f c6 5b 4a 00 00 00 00  PE..L.....[J....
    003000f0  00 00 00 00 e0 00 02 01-0b 01 09 00 00 a8 00 00  ................
    00300100  00 24 02 00 00 00 00 00-89 36 00 00 00 10 00 00  .$.......6......
    00300110  00 c0 00 00 00 00 30 00-00 10 00 00 00 02 00 00  ......0.........
    00300120  06 00 01 00 06 00 01 00-06 00 01 00 00 00 00 00  ................
    00300130  00 00 03 00 00 04 00 00-41 97 03 00 02 00 40 81  ........A.....@.
    00300140  00 00 04 00 00 10 01 00-00 00 10 00 00 10 00 00  ................
    00300150  00 00 00 00 10 00 00 00-00 00 00 00 00 00 00 00  ................
    00300160  48 a0 00 00 2c 01 00 00-00 f0 00 00 60 f1 01 00  H...,.......`...
    00300170  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
    00300180  00 f0 02 00 34 0e 00 00-2c b6 00 00 38 00 00 00  ....4...,...8...
    00300190  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
    003001a0  00 00 00 00 00 00 00 00-58 6d 00 00 40 00 00 00  ........Xm..@...
    003001b0  78 02 00 00 28 01 00 00-00 10 00 00 00 04 00 00  x...(...........
    003001c0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
    003001d0  00 00 00 00 00 00 00 00-2e 74 65 78 74 00 00 00  .........text...
    003001e0  8c a6 00 00 00 10 00 00-00 a8 00 00 00 04 00 00  ................
    003001f0  00 00 00 00 00 00 00 00-00 00 00 00 20 00 00 60  ............ ..`
    00300200  2e 64 61 74 61 00 00 00-64 21 00 00 00 c0 00 00  .data...d!......
    00300210  00 10 00 00 00 ac 00 00-00 00 00 00 00 00 00 00  ................
    00300220  00 00 00 00 40 00 00 c0-2e 72 73 72 63 00 00 00  ....@....rsrc...
    00300230  60 f1 01 00 00 f0 00 00-00 f2 01 00 00 bc 00 00  `...............
    00300240  00 00 00 00 00 00 00 00-00 00 00 00 40 00 00 40  ............@..@
    00300250  2e 72 65 6c 6f 63 00 00-34 0e 00 00 00 f0 02 00  .reloc..4.......
    00300260  00 10 00 00 00 ae 02 00-00 00 00 00 00 00 00 00  ................
    00300270  00 00 00 00 40 00 00 42-7e d9 5b 4a 80 00 00 00  ....@..B~.[J....
    00300280  ad da 5b 4a 8d 00 01 00-db da 5b 4a 9a 00 00 00  ..[J......[J....
    00300290  dd d9 5b 4a a4 00 00 00-2f db 5b 4a ae 00 00 00  ..[J..../.[J....
    003002a0  6f da 5b 4a b9 00 00 00-25 da 5b 4a c4 00 00 00  o.[J....%.[J....
    003002b0  01 db 5b 4a d1 00 00 00-4b db 5b 4a dd 00 00 00  ..[J....K.[J....
    003002c0  c7 da 5b 4a ea 00 00 00-05 db 5b 4a f4 00 00 00  ..[J......[J....
    003002d0  76 d9 5b 4a 00 01 00 00-ca da 5b 4a 0d 01 00 00  v.[J......[J....
    003002e0  db da 5b 4a 9a 00 00 00-2b db 5b 4a 1a 01 00 00  ..[J....+.[J....
    003002f0  00 00 00 00 00 00 00 00-41 44 56 41 50 49 33 32  ........ADVAPI32
    00300300  2e 64 6c 6c 00 4b 45 52-4e 45 4c 33 32 2e 64 6c  .dll.KERNEL32.dl
    00300310  6c 00 4e 54 44 4c 4c 2e-44 4c 4c 00 47 44 49 33  l.NTDLL.DLL.GDI3
    00300320  32 2e 64 6c 6c 00 55 53-45 52 33 32 2e 64 6c 6c  2.dll.USER32.dll
    00300330  00 6d 73 76 63 72 74 2e-64 6c 6c 00 43 4f 4d 44  .msvcrt.dll.COMD
    00300340  4c 47 33 32 2e 64 6c 6c-00 53 48 45 4c 4c 33 32  LG32.dll.SHELL32
    00300350  2e 64 6c 6c 00 57 49 4e-53 50 4f 4f 4c 2e 44 52  .dll.WINSPOOL.DR
    00300360  56 00 6f 6c 65 33 32 2e-64 6c 6c 00 53 48 4c 57  V.ole32.dll.SHLW
    00300370  41 50 49 2e 64 6c 6c 00-43 4f 4d 43 54 4c 33 32  API.dll.COMCTL32
    00300380  2e 64 6c 6c 00 4f 4c 45-41 55 54 33 32 2e 64 6c  .dll.OLEAUT32.dl
    00300390  6c 00 56 45 52 53 49 4f-4e 2e 64 6c 6c 00 00 00  l.VERSION.dll...
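
As an added example (not part of the original post), the following Python script parses the bytes dumped above with the same chain the post walks by hand with dt: e_lfanew from IMAGE_DOS_HEADER, the PE signature, IMAGE_FILE_HEADER, the PE32 IMAGE_OPTIONAL_HEADER, the 16 data directories, and finally the section table located at OptionalHeader + SizeOfOptionalHeader. It then does the two things a practitioner usually wants next: decode DllCharacteristics into mitigation flags and map an RVA (the entry point) to a file offset through the section table. HEADER_BYTES is the page's own dump transcribed as hex (DOS header through the section table, 0x278 bytes); the function names, field tables and bounds checks are mine, not WinDbg's or Windows'; only the Python standard library is used.

```python
import struct

# Constructed sample input: the first 0x278 bytes of notepad.exe as mapped at
# 0x00300000, transcribed from the db dump above (DOS header and stub, NT
# headers, four section headers). Nothing beyond the section table is needed.
HEADER_BYTES = bytes.fromhex(
    "4d5a90000300000004000000ffff0000" "b8000000000000004000000000000000"
    "00000000000000000000000000000000" "000000000000000000000000e0000000"
    "0e1fba0e00b409cd21b8014ccd215468" "69732070726f6772616d2063616e6e6f"
    "742062652072756e20696e20444f5320" "6d6f64652e0d0d0a2400000000000000"
    "b2bec262f6dfac31f6dfac31f6dfac31" "ffa73931f5dfac31ffa73f31ebdfac31"
    "f6dfad3100dfac31ffa72f31e9dfac31" "ffa72831f4dfac31ffa73831f7dfac31"
    "ffa73d31f7dfac3152696368f6dfac31" "00000000000000000000000000000000"
    "504500004c0104000fc65b4a00000000" "00000000e00002010b01090000a80000"
    "00240200000000008936000000100000" "00c00000000030000010000000020000"
    "06000100060001000600010000000000" "00000300000400004197030002004081"
    "00000400001001000000100000100000" "00000000100000000000000000000000"
    "48a000002c01000000f0000060f10100" "00000000000000000000000000000000"
    "00f00200340e00002cb6000038000000" "00000000000000000000000000000000"
    "0000000000000000586d000040000000" "78020000280100000010000000040000"
    "00000000000000000000000000000000" "00000000000000002e74657874000000"
    "8ca600000010000000a8000000040000" "00000000000000000000000020000060"
    "2e646174610000006421000000c00000" "0010000000ac00000000000000000000"
    "00000000400000c02e72737263000000" "60f1010000f0000000f2010000bc0000"
    "00000000000000000000000040000040" "2e72656c6f630000340e000000f00200"
    "0010000000ae02000000000000000000" "0000000040000042"
)

IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B
FILE_HEADER_FMT = "<HHIIIHH"                       # IMAGE_FILE_HEADER, 0x14 bytes
FILE_HEADER_FIELDS = ("Machine NumberOfSections TimeDateStamp PointerToSymbolTable "
                      "NumberOfSymbols SizeOfOptionalHeader Characteristics").split()
OPT32_FMT = "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6   # 0x60 bytes up to NumberOfRvaAndSizes
OPT32_FIELDS = ("Magic MajorLinkerVersion MinorLinkerVersion SizeOfCode SizeOfInitializedData "
                "SizeOfUninitializedData AddressOfEntryPoint BaseOfCode BaseOfData ImageBase "
                "SectionAlignment FileAlignment MajorOperatingSystemVersion MinorOperatingSystemVersion "
                "MajorImageVersion MinorImageVersion MajorSubsystemVersion MinorSubsystemVersion "
                "Win32VersionValue SizeOfImage SizeOfHeaders CheckSum Subsystem DllCharacteristics "
                "SizeOfStackReserve SizeOfStackCommit SizeOfHeapReserve SizeOfHeapCommit "
                "LoaderFlags NumberOfRvaAndSizes").split()
SECTION_FMT = "<8sIIIIIIHHI"                       # IMAGE_SECTION_HEADER, 40 bytes
SECTION_FIELDS = ("Name VirtualSize VirtualAddress SizeOfRawData PointerToRawData PointerToRelocations "
                  "PointerToLinenumbers NumberOfRelocations NumberOfLinenumbers Characteristics").split()
DIRECTORY_NAMES = ("Export Import Resource Exception Security BaseReloc Debug Architecture GlobalPtr "
                   "TLS LoadConfig BoundImport IAT DelayImport COMDescriptor Reserved").split()
# IMAGE_DLLCHARACTERISTICS_* bits (winnt.h); DYNAMIC_BASE, NX_COMPAT and GUARD_CF are the mitigation opt-ins.
DLL_CHARACTERISTICS = {0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY", 0x0100: "NX_COMPAT",
                       0x0400: "NO_SEH", 0x0800: "NO_BIND", 0x4000: "GUARD_CF",
                       0x8000: "TERMINAL_SERVER_AWARE"}


def _unpack(fmt, data, offset, what):
    """unpack_from with an explicit bounds check, so a hostile e_lfanew,
    SizeOfOptionalHeader or NumberOfSections fails cleanly instead of reading past the buffer."""
    size = struct.calcsize(fmt)
    if offset < 0 or offset + size > len(data):
        raise ValueError(f"{what} at offset 0x{offset:x} lies outside the buffer")
    return struct.unpack_from(fmt, data, offset)


def parse_pe_headers(data):
    """Walk IMAGE_DOS_HEADER -> IMAGE_NT_HEADERS -> data directories -> section table of a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = _unpack("<I", data, 0x3C, "e_lfanew")
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    file_hdr = dict(zip(FILE_HEADER_FIELDS, _unpack(FILE_HEADER_FMT, data, e_lfanew + 4, "IMAGE_FILE_HEADER")))
    opt_off = e_lfanew + 0x18                      # 4-byte signature + 0x14-byte file header
    opt = dict(zip(OPT32_FIELDS, _unpack(OPT32_FMT, data, opt_off, "IMAGE_OPTIONAL_HEADER")))
    if opt["Magic"] != IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        raise ValueError(f"optional header magic 0x{opt['Magic']:x}: only PE32 is handled here")
    dirs = {}                                      # capped at 16 entries regardless of NumberOfRvaAndSizes
    for i in range(min(opt["NumberOfRvaAndSizes"], len(DIRECTORY_NAMES))):
        dirs[DIRECTORY_NAMES[i]] = _unpack("<II", data, opt_off + 0x60 + 8 * i, "DataDirectory")
    sec_off = opt_off + file_hdr["SizeOfOptionalHeader"]   # section table follows the optional header
    sections = []
    for i in range(file_hdr["NumberOfSections"]):
        sec = dict(zip(SECTION_FIELDS, _unpack(SECTION_FMT, data, sec_off + 40 * i, "IMAGE_SECTION_HEADER")))
        sec["Name"] = sec["Name"].rstrip(b"\0").decode("ascii", "replace")
        sections.append(sec)
    return {"e_lfanew": e_lfanew, "FileHeader": file_hdr, "OptionalHeader": opt,
            "DataDirectory": dirs, "Sections": sections}


def rva_to_file_offset(sections, rva):
    """Translate an RVA to a file offset via the section that contains it (None if no section maps it)."""
    for s in sections:
        span = max(s["VirtualSize"], s["SizeOfRawData"])
        if s["VirtualAddress"] <= rva < s["VirtualAddress"] + span:
            return rva - s["VirtualAddress"] + s["PointerToRawData"]
    return None


def decode_dll_characteristics(value):
    """Names of the DllCharacteristics bits set in value, lowest bit first."""
    return [name for bit, name in sorted(DLL_CHARACTERISTICS.items()) if value & bit]


if __name__ == "__main__":
    hdr = parse_pe_headers(HEADER_BYTES)
    opt = hdr["OptionalHeader"]
    ep = opt["AddressOfEntryPoint"]
    print(f"e_lfanew=0x{hdr['e_lfanew']:x} Machine=0x{hdr['FileHeader']['Machine']:x} "
          f"ImageBase=0x{opt['ImageBase']:x} EntryPoint RVA=0x{ep:x} -> file offset "
          f"0x{rva_to_file_offset(hdr['Sections'], ep):x}")
    print("DllCharacteristics:", decode_dll_characteristics(opt["DllCharacteristics"]))
    for name, (rva, size) in hdr["DataDirectory"].items():
        if size:
            print(f"  {name:12} RVA=0x{rva:05x} size=0x{size:x}")
    for s in hdr["Sections"]:
        print(f"  {s['Name']:7} VA=0x{s['VirtualAddress']:05x} VSize=0x{s['VirtualSize']:05x} "
              f"RawPtr=0x{s['PointerToRawData']:05x} Chr=0x{s['Characteristics']:08x}")
```

Run it stand-alone and compare with the !dh and dt output above: e_lfanew 0xe0, Machine 0x14c, entry point 0x3689 landing in .text at file offset 0x2a89 (0x3689 - 0x1000 + 0x400), DllCharacteristics 0x8140 decoding to DYNAMIC_BASE, NX_COMPAT and TERMINAL_SERVER_AWARE, and the Bound Import Directory at RVA 0x278 sitting inside the headers right after the section table. Feeding it a truncated buffer (for instance the first 0x100 bytes) raises ValueError from the optional-header read rather than an unchecked struct error.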
    
  Original article: https://www.cnblogs.com/delongzhang/p/14812739.html