zoukankan      html  css  js  c++  java

  • windbg调试命令6(!peb、!teb)

    PEB(Process Environment Block,进程环境块)存放进程信息,每个进程都有自己的PEB信息。位于用户地址空间。

    TEB(Thread Environment Block,线程环境块)系统在此TEB中保存频繁使用的线程相关的数据。位于用户地址空间,在比 PEB 所在地址低的地方。进程中的每个线程都有自己的一个TEB。

    调试的程序的时候,了解PEB和TEB往往对分析很有帮助。 WinDBG中 !peb!teb 命令可以用来显示PEB和TEB:

    0:000> !peb
    PEB at 7ffd6000
    InheritedAddressSpace: No
    ReadImageFileExecOptions: No
    BeingDebugged: Yes
    ImageBaseAddress: 01000000
    Ldr 001a1ea0
    Ldr.Initialized: Yes
    Ldr.InInitializationOrderModuleList: 001a1f58 . 001a2850
    Ldr.InLoadOrderModuleList: 001a1ee0 . 001a2840
    Ldr.InMemoryOrderModuleList: 001a1ee8 . 001a2848
    Base TimeStamp Module
    1000000 3b7d8475 Aug 17 13:54:13 2001 C:/WINDOWS/system32/winmine.exe
    7c900000 4802a12c Apr 13 17:11:24 2008 C:/WINDOWS/system32/ntdll.dll
    7c800000 4802a12c Apr 13 17:11:24 2008 C:/WINDOWS/system32/kernel32.dll
    77c10000 4802a188 Apr 13 17:12:56 2008 C:/WINDOWS/system32/msvcrt.dll
    77dd0000 4802a0b2 Apr 13 17:09:22 2008 C:/WINDOWS/system32/ADVAPI32.dll
    77e70000 4802a106 Apr 13 17:10:46 2008 C:/WINDOWS/system32/RPCRT4.dll
    77fe0000 4802a11b Apr 13 17:11:07 2008 C:/WINDOWS/system32/Secur32.dll
    77f10000 49006fbe Oct 23 05:36:14 2008 C:/WINDOWS/system32/GDI32.dll
    7e410000 4802a11b Apr 13 17:11:07 2008 C:/WINDOWS/system32/USER32.dll
    7c9c0000 48e1c4d9 Sep 29 23:19:05 2008 C:/WINDOWS/system32/SHELL32.dll
    77f60000 4802a116 Apr 13 17:11:02 2008 C:/WINDOWS/system32/SHLWAPI.dll
    76b40000 4802a13c Apr 13 17:11:40 2008 C:/WINDOWS/system32/WINMM.dll
    773d0000 4802a094 Apr 13 17:08:52 2008 C:/WINDOWS/WinSxS/x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83/COMCTL32.dll
    SubSystemData: 00000000
    ProcessHeap: 000a0000
    ProcessParameters: 00020000
    WindowTitle: 'C:/WINDOWS/system32/winmine.exe'
    ImageFile: 'C:/WINDOWS/system32/winmine.exe'
    CommandLine: 'winmine'
    DllPath: 'C:/WINDOWS/system32;C:/WINDOWS/system32;C:/WINDOWS/system;C:/WINDOWS;.;C:/Program Files/WinDbg/winext/arcade;C:/Tools/Perl/site/bin;C:/Tools/Perl/bin;C:/WINDOWS/system32;C:/WINDOWS;C:/WINDOWS/System32/Wbem;C:/PROGRA~1/CA/SHARED~1/SCANEN~1;C:/Program Files/CA/eTrust Antivirus;C:/Program Files/Java/jdk1.5.0_14/bin;C:/Program Files/Apache-ant/bin;C:/Program Files/WinDbg;C:/Tools;C:/Program Files/TortoiseSVN/bin'
    Environment: 00010000
    =::=::/
    ALLUSERSPROFILE=C:/Documents and Settings/All Users
    ANT_HOME=C:/Program Files/Apache-ant
    APPDATA=C:/Documents and Settings/WinGeek/Application Data
    AVENGINE=C:/PROGRA~1/CA/SHARED~1/SCANEN~1
    CommonProgramFiles=C:/Program Files/Common Files
    COMPUTERNAME=QI
    ComSpec=C:/WINDOWS/system32/cmd.exe
    FP_NO_HOST_CHECK=NO
    HOMEDRIVE=C:
    HOMEPATH=/Documents and Settings/WinGeek
    INOCULAN=C:/Program Files/CA/eTrust Antivirus
    JAVA_HOME=C:/Program Files/Java/jdk1.5.0_14
    LOGONSERVER=//QI
    NUMBER_OF_PROCESSORS=2
    OS=Windows_NT
    Path=C:/Program Files/WinDbg/winext/arcade;C:/Tools/Perl/site/bin;C:/Tools/Perl/bin;C:/WINDOWS/system32;C:/WINDOWS;C:/WINDOWS/System32/Wbem;C:/PROGRA~1/CA/SHARED~1/SCANEN~1;C:/Program Files/CA/eTrust Antivirus;C:/Program Files/Java/jdk1.5.0_14/bin;C:/Program Files/Apache-ant/bin;C:/Program Files/WinDbg;C:/Tools;C:/Program Files/TortoiseSVN/bin
    PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
    PROCESSOR_ARCHITECTURE=x86
    PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 2, GenuineIntel
    PROCESSOR_LEVEL=6
    PROCESSOR_REVISION=0f02
    ProgramFiles=C:/Program Files
    SESSIONNAME=Console
    SystemDrive=C:
    SystemRoot=C:/WINDOWS
    TEMP=C:/DOCUME~1/WinGeek/LOCALS~1/Temp
    TMP=C:/DOCUME~1/WinGeek/LOCALS~1/Temp
    USERDOMAIN=QI
    USERNAME=WinGeek
    USERPROFILE=C:/Documents and Settings/WinGeek
    VS80COMNTOOLS=C:/Program Files/Microsoft Visual Studio 8/Common7/Tools/
    VS90COMNTOOLS=C:/Program Files/Microsoft Visual Studio 9.0/Common7/Tools/
    WINDBG_DIR=C:/Program Files/WinDbg
    windir=C:/WINDOWS

    从以上!PEB输出结果,我们可以了解到进程的ImageBaseAddress,进程的堆(Heap)起始地址, 装载了那些DLL,命令行参数,系统的环境变量等等 。。。

    0:000> !teb
    TEB at 7ffdf000
    ExceptionList: 0007fd0c
    StackBase: 00080000
    StackLimit: 0007c000
    SubSystemTib: 00000000
    FiberData: 00001e00
    ArbitraryUserPointer: 00000000
    Self: 7ffdf000
    EnvironmentPointer: 00000000
    ClientId: 000014a8 . 000014ac
    RpcHandle: 00000000
    Tls Storage: 00000000
    PEB Address: 7ffd6000
    LastErrorValue: 0
    LastStatusValue: 0
    Count Owned Locks: 0
    HardErrorMode: 0

    从以上!TEB输出结果,我们可以了解到栈(stack)的起始地址,Tls Storage 的地址, 异常处理的地址,LastError的值等等。。。
  • 相关阅读:
    FlipReverseRotate Lab Report
    各种 LCD GDRAM 格式
    Stellaris Graphics Library : Image Format
    C语言宏 ## __VA_ARGS__
    Clipboard with Custom Clipboard Formats Delphi
    FTDI EEPROM
    SBFX 和 UBFX 有符号和无符号位域提取 BFC 和 BFI 位域清零和位域插入
    防止程序重复执行 Controling the number of application instances
    NAND Flash Page Read Command and Address
    Most Recently Used (MRU) menu component
  • 原文地址:https://www.cnblogs.com/guanlaiy/p/2825910.html
Copyright © 2011-2022 走看看