  • WinDbg debugging commands 6 (!peb, !teb)

    The PEB (Process Environment Block) holds process-wide information; every process has its own PEB. It resides in user address space.

    The TEB (Thread Environment Block) is where the system keeps frequently used thread-specific data. It also resides in user address space, at an address below the PEB. Every thread in a process has its own TEB.

    When debugging a program, knowing what is in the PEB and TEB is often very helpful for analysis. In WinDbg the !peb and !teb commands display the PEB and TEB:

    0:000> !peb
    PEB at 7ffd6000
    InheritedAddressSpace: No
    ReadImageFileExecOptions: No
    BeingDebugged: Yes
    ImageBaseAddress: 01000000
    Ldr 001a1ea0
    Ldr.Initialized: Yes
    Ldr.InInitializationOrderModuleList: 001a1f58 . 001a2850
    Ldr.InLoadOrderModuleList: 001a1ee0 . 001a2840
    Ldr.InMemoryOrderModuleList: 001a1ee8 . 001a2848
    Base TimeStamp Module
    1000000 3b7d8475 Aug 17 13:54:13 2001 C:/WINDOWS/system32/winmine.exe
    7c900000 4802a12c Apr 13 17:11:24 2008 C:/WINDOWS/system32/ntdll.dll
    7c800000 4802a12c Apr 13 17:11:24 2008 C:/WINDOWS/system32/kernel32.dll
    77c10000 4802a188 Apr 13 17:12:56 2008 C:/WINDOWS/system32/msvcrt.dll
    77dd0000 4802a0b2 Apr 13 17:09:22 2008 C:/WINDOWS/system32/ADVAPI32.dll
    77e70000 4802a106 Apr 13 17:10:46 2008 C:/WINDOWS/system32/RPCRT4.dll
    77fe0000 4802a11b Apr 13 17:11:07 2008 C:/WINDOWS/system32/Secur32.dll
    77f10000 49006fbe Oct 23 05:36:14 2008 C:/WINDOWS/system32/GDI32.dll
    7e410000 4802a11b Apr 13 17:11:07 2008 C:/WINDOWS/system32/USER32.dll
    7c9c0000 48e1c4d9 Sep 29 23:19:05 2008 C:/WINDOWS/system32/SHELL32.dll
    77f60000 4802a116 Apr 13 17:11:02 2008 C:/WINDOWS/system32/SHLWAPI.dll
    76b40000 4802a13c Apr 13 17:11:40 2008 C:/WINDOWS/system32/WINMM.dll
    773d0000 4802a094 Apr 13 17:08:52 2008 C:/WINDOWS/WinSxS/x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83/COMCTL32.dll
    SubSystemData: 00000000
    ProcessHeap: 000a0000
    ProcessParameters: 00020000
    WindowTitle: 'C:/WINDOWS/system32/winmine.exe'
    ImageFile: 'C:/WINDOWS/system32/winmine.exe'
    CommandLine: 'winmine'
    DllPath: 'C:/WINDOWS/system32;C:/WINDOWS/system32;C:/WINDOWS/system;C:/WINDOWS;.;C:/Program Files/WinDbg/winext/arcade;C:/Tools/Perl/site/bin;C:/Tools/Perl/bin;C:/WINDOWS/system32;C:/WINDOWS;C:/WINDOWS/System32/Wbem;C:/PROGRA~1/CA/SHARED~1/SCANEN~1;C:/Program Files/CA/eTrust Antivirus;C:/Program Files/Java/jdk1.5.0_14/bin;C:/Program Files/Apache-ant/bin;C:/Program Files/WinDbg;C:/Tools;C:/Program Files/TortoiseSVN/bin'
    Environment: 00010000
    =::=::/
    ALLUSERSPROFILE=C:/Documents and Settings/All Users
    ANT_HOME=C:/Program Files/Apache-ant
    APPDATA=C:/Documents and Settings/WinGeek/Application Data
    AVENGINE=C:/PROGRA~1/CA/SHARED~1/SCANEN~1
    CommonProgramFiles=C:/Program Files/Common Files
    COMPUTERNAME=QI
    ComSpec=C:/WINDOWS/system32/cmd.exe
    FP_NO_HOST_CHECK=NO
    HOMEDRIVE=C:
    HOMEPATH=/Documents and Settings/WinGeek
    INOCULAN=C:/Program Files/CA/eTrust Antivirus
    JAVA_HOME=C:/Program Files/Java/jdk1.5.0_14
    LOGONSERVER=//QI
    NUMBER_OF_PROCESSORS=2
    OS=Windows_NT
    Path=C:/Program Files/WinDbg/winext/arcade;C:/Tools/Perl/site/bin;C:/Tools/Perl/bin;C:/WINDOWS/system32;C:/WINDOWS;C:/WINDOWS/System32/Wbem;C:/PROGRA~1/CA/SHARED~1/SCANEN~1;C:/Program Files/CA/eTrust Antivirus;C:/Program Files/Java/jdk1.5.0_14/bin;C:/Program Files/Apache-ant/bin;C:/Program Files/WinDbg;C:/Tools;C:/Program Files/TortoiseSVN/bin
    PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
    PROCESSOR_ARCHITECTURE=x86
    PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 2, GenuineIntel
    PROCESSOR_LEVEL=6
    PROCESSOR_REVISION=0f02
    ProgramFiles=C:/Program Files
    SESSIONNAME=Console
    SystemDrive=C:
    SystemRoot=C:/WINDOWS
    TEMP=C:/DOCUME~1/WinGeek/LOCALS~1/Temp
    TMP=C:/DOCUME~1/WinGeek/LOCALS~1/Temp
    USERDOMAIN=QI
    USERNAME=WinGeek
    USERPROFILE=C:/Documents and Settings/WinGeek
    VS80COMNTOOLS=C:/Program Files/Microsoft Visual Studio 8/Common7/Tools/
    VS90COMNTOOLS=C:/Program Files/Microsoft Visual Studio 9.0/Common7/Tools/
    WINDBG_DIR=C:/Program Files/WinDbg
    windir=C:/WINDOWS

    From the !peb output above we can learn the process's ImageBaseAddress, the start address of the process heap, which DLLs are loaded, the command-line arguments, the environment variables, and so on.

    0:000> !teb
    TEB at 7ffdf000
    ExceptionList: 0007fd0c
    StackBase: 00080000
    StackLimit: 0007c000
    SubSystemTib: 00000000
    FiberData: 00001e00
    ArbitraryUserPointer: 00000000
    Self: 7ffdf000
    EnvironmentPointer: 00000000
    ClientId: 000014a8 . 000014ac
    RpcHandle: 00000000
    Tls Storage: 00000000
    PEB Address: 7ffd6000
    LastErrorValue: 0
    LastStatusValue: 0
    Count Owned Locks: 0
    HardErrorMode: 0

    From the !teb output above we can learn the stack's base and limit addresses, the address of the TLS storage, the head of the exception handler list, the LastError value, and so on.
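    As an added example (not code from the original post), the script below parses the textual !peb and !teb output shown above and performs two checks an analyst would otherwise do by eye when triaging a dump: it lists every loaded module whose path is outside the Windows system directories, and it confirms from the TEB that the ExceptionList head actually lies inside the thread's committed stack range [StackLimit, StackBase). The sample text is an abbreviated copy of the output above plus one constructed module line (C:/Users/Public/example_plugin.dll) that is not in the original; the set of trusted directory prefixes is an assumption.

```python
"""Parse WinDbg !peb / !teb text output and run two triage checks.

Added example, not part of the original post. It works on the debugger's
textual output (not on live process memory), so it runs on any platform.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input: an abbreviated copy of the !peb output above, plus
# one constructed module line (C:/Users/Public/example_plugin.dll) that is not
# in the original, so the check below has something to flag.
PEB_OUTPUT = """\
PEB at 7ffd6000
    BeingDebugged:            Yes
    ImageBaseAddress:         01000000
    Ldr                       001a1ea0
            Base TimeStamp                     Module
         1000000 3b7d8475 Aug 17 13:54:13 2001 C:/WINDOWS/system32/winmine.exe
        7c900000 4802a12c Apr 13 17:11:24 2008 C:/WINDOWS/system32/ntdll.dll
        7c800000 4802a12c Apr 13 17:11:24 2008 C:/WINDOWS/system32/kernel32.dll
        773d0000 4802a094 Apr 13 17:08:52 2008 C:/WINDOWS/WinSxS/x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83/COMCTL32.dll
        10000000 4b2f0001 Dec 21 10:00:01 2009 C:/Users/Public/example_plugin.dll
    ProcessHeap:              000a0000
"""

# Constructed sample input: abbreviated copy of the !teb output above.
TEB_OUTPUT = """\
TEB at 7ffdf000
    ExceptionList:        0007fd0c
    StackBase:            00080000
    StackLimit:           0007c000
    Self:                 7ffdf000
    ClientId:             000014a8 . 000014ac
    PEB Address:          7ffd6000
    LastErrorValue:       0
"""

# One Ldr module-list row: Base, TimeStamp (hex), human-readable date, path.
MODULE_RE = re.compile(
    r"^\s*([0-9a-fA-F]+)\s+([0-9a-fA-F]{8})\s+"
    r"(\w{3} \d\d \d\d:\d\d:\d\d \d{4})\s+(\S.*?)\s*$"
)
# Generic "Name: value" row used by both !peb and !teb.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s+(.+?)\s*$")


@dataclass
class Module:
    base: int
    timestamp: int
    path: str


def parse_modules(peb_text: str) -> list[Module]:
    """Extract the Ldr module list (Base / TimeStamp / Module) from !peb output."""
    mods = []
    for line in peb_text.splitlines():
        m = MODULE_RE.match(line)
        if m:
            mods.append(Module(int(m.group(1), 16), int(m.group(2), 16), m.group(4)))
    return mods


def parse_fields(text: str) -> dict[str, str]:
    """Collect 'Name: value' rows as a dict; values are kept as the raw strings."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


# Assumed trusted load locations; extend to match the environment being analysed.
TRUSTED_PREFIXES = ("C:/WINDOWS/system32/", "C:/WINDOWS/WinSxS/")


def modules_outside(mods: list[Module], trusted=TRUSTED_PREFIXES) -> list[Module]:
    """Return modules not loaded from a trusted directory (slash- and case-insensitive)."""
    norm = tuple(p.replace("\\", "/").lower() for p in trusted)
    return [m for m in mods if not m.path.replace("\\", "/").lower().startswith(norm)]


def stack_summary(teb_fields: dict[str, str]) -> dict[str, int | bool]:
    """Committed stack size and whether the SEH chain head points into that stack."""
    base = int(teb_fields["StackBase"], 16)
    limit = int(teb_fields["StackLimit"], 16)
    exc = int(teb_fields["ExceptionList"], 16)
    return {
        "committed_bytes": base - limit,
        "exception_list_on_stack": limit <= exc < base,
    }


if __name__ == "__main__":
    mods = parse_modules(PEB_OUTPUT)
    print(f"{len(mods)} modules in Ldr list")
    for m in modules_outside(mods):
        print(f"  outside trusted dirs: base={m.base:08x} {m.path}")
    teb = parse_fields(TEB_OUTPUT)
    print("thread", teb["ClientId"], stack_summary(teb))
```

    The two regexes are deliberately tolerant of the column alignment WinDbg uses, so the same functions can be fed a log saved with .logopen from a real session; the ExceptionList check is a cheap sanity test because a frame pointer outside the thread's own stack is something an analyst will want to look at before trusting the rest of the SEH chain.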

  • Original article: https://www.cnblogs.com/guanlaiy/p/2825910.html