All of the examples below come from one session with calc.exe loaded under WinDbg.

1. lmf

lmf lists every module loaded in the current process (the EXE itself plus all DLLs) together with its start address, end address and full image path. It is the first thing to check when triaging a process: an unexpected module here (in this session, safemon.dll from the 360 security product has been injected into calc) or a module loaded from an unusual path is what you are looking for, and the start/end columns are what you need to map a faulting eip back to a module.

Example:
0:001> lmf
start    end        module name
01000000 0101f000   calc       C:\WINDOWS\system32\calc.exe
10000000 100b0000   safemon    C:\Program Files\360\360Safe\safemon\safemon.dll
58fb0000 5917a000   AcGenral   C:\WINDOWS\AppPatch\AcGenral.DLL
5adc0000 5adf7000   UxTheme    C:\WINDOWS\system32\UxTheme.dll
5cc30000 5cc56000   ShimEng    C:\WINDOWS\system32\ShimEng.dll
62c20000 62c29000   LPK        C:\WINDOWS\system32\LPK.DLL
71a10000 71a18000   WS2HELP    C:\WINDOWS\system32\WS2HELP.dll
71a20000 71a37000   WS2_32     C:\WINDOWS\system32\WS2_32.dll
73640000 7366e000   msctfime   C:\WINDOWS\system32\msctfime.ime
73fa0000 7400b000   USP10      C:\WINDOWS\system32\USP10.dll
74680000 746cc000   MSCTF      C:\WINDOWS\system32\MSCTF.dll
759d0000 75a7f000   USERENV    C:\WINDOWS\system32\USERENV.dll
76300000 7631d000   IMM32      C:\WINDOWS\system32\IMM32.DLL
765e0000 76673000   CRYPT32    C:\WINDOWS\system32\CRYPT32.dll
76680000 76726000   WININET    C:\WINDOWS\system32\WININET.dll
76990000 76ace000   ole32      C:\WINDOWS\system32\ole32.dll
76b10000 76b3a000   WINMM      C:\WINDOWS\system32\WINMM.dll
76bc0000 76bcb000   PSAPI      C:\WINDOWS\system32\PSAPI.DLL
76db0000 76dc2000   MSASN1     C:\WINDOWS\system32\MSASN1.dll
770f0000 7717b000   OLEAUT32   C:\WINDOWS\system32\OLEAUT32.dll
77180000 77283000   comctl32   C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
77bb0000 77bc5000   MSACM32    C:\WINDOWS\system32\MSACM32.dll
77bd0000 77bd8000   VERSION    C:\WINDOWS\system32\VERSION.dll
77be0000 77c38000   msvcrt     C:\WINDOWS\system32\msvcrt.dll
77d10000 77da0000   USER32     C:\WINDOWS\system32\USER32.dll
77da0000 77e49000   ADVAPI32   C:\WINDOWS\system32\ADVAPI32.dll
77e50000 77ee3000   RPCRT4     C:\WINDOWS\system32\RPCRT4.dll
77ef0000 77f39000   GDI32      C:\WINDOWS\system32\GDI32.dll
77f40000 77fb6000   SHLWAPI    C:\WINDOWS\system32\SHLWAPI.dll
77fc0000 77fd1000   Secur32    C:\WINDOWS\system32\Secur32.dll
7c800000 7c91e000   kernel32   C:\WINDOWS\system32\kernel32.dll
7c920000 7c9b3000   ntdll      C:\WINDOWS\system32\ntdll.dll
7d590000 7dd84000   SHELL32    C:\WINDOWS\system32\SHELL32.dll
2. r

The r command displays or modifies registers, floating-point registers, flags, pseudo-registers and predefined aliases.

r on its own shows the registers of the current thread. The current thread is the one in the prompt: 0:001> means process 0, thread 1, so a bare r here is the same as ~1 r.
~0 r shows the registers of thread 0.
~* r shows the registers of every thread in the process.
~0 r eax = 0x1 sets eax to 1 in thread 0 (only that thread; the prefix selects the thread the write applies to).
~* r eax = 0x1 sets eax to 1 in every thread.

Register writes are per-thread, which the session below makes visible: after ~0 r eax = 0, a bare r (thread 1) still shows eax=00000001, and only ~* r reveals that thread 0 now has eax=00000000. The same syntax works on eip and esp, which is how you redirect execution or fix up a stack by hand, so double-check the thread prefix before writing to either.

Example:
0:001> r
eax=00000009 ebx=00000001 ecx=00000002 edx=00000003 esi=00000004 edi=00000005
eip=7c92120e esp=00c1ffcc ebp=00c1fff4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000246
ntdll!DbgBreakPoint:
7c92120e cc              int     3
0:001> ~1 r
eax=00000009 ebx=00000001 ecx=00000002 edx=00000003 esi=00000004 edi=00000005
eip=7c92120e esp=00c1ffcc ebp=00c1fff4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000246
ntdll!DbgBreakPoint:
7c92120e cc              int     3
0:001> ~0 r
eax=00000009 ebx=00000000 ecx=002e3a80 edx=0000c0f1 esi=0007fee8 edi=01014018
eip=7c92e4f4 esp=0007fde0 ebp=0007fdfc iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
ntdll!KiFastSystemCallRet:
7c92e4f4 c3              ret
0:001> ~* r
eax=00000009 ebx=00000000 ecx=002e3a80 edx=0000c0f1 esi=0007fee8 edi=01014018
eip=7c92e4f4 esp=0007fde0 ebp=0007fdfc iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
ntdll!KiFastSystemCallRet:
7c92e4f4 c3              ret
eax=00000009 ebx=00000001 ecx=00000002 edx=00000003 esi=00000004 edi=00000005
eip=7c92120e esp=00c1ffcc ebp=00c1fff4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000246
ntdll!DbgBreakPoint:
7c92120e cc              int     3
0:001> r eax = 1
0:001> r
eax=00000001 ebx=00000001 ecx=00000002 edx=00000003 esi=00000004 edi=00000005
eip=7c92120e esp=00c1ffcc ebp=00c1fff4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000246
ntdll!DbgBreakPoint:
7c92120e cc              int     3
0:001> ~0 r eax =0
0:001> r
eax=00000001 ebx=00000001 ecx=00000002 edx=00000003 esi=00000004 edi=00000005
eip=7c92120e esp=00c1ffcc ebp=00c1fff4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000246
ntdll!DbgBreakPoint:
7c92120e cc              int     3
0:001> ~* r
eax=00000000 ebx=00000000 ecx=002e3a80 edx=0000c0f1 esi=0007fee8 edi=01014018
eip=7c92e4f4 esp=0007fde0 ebp=0007fdfc iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
ntdll!KiFastSystemCallRet:
7c92e4f4 c3              ret
eax=00000001 ebx=00000001 ecx=00000002 edx=00000003 esi=00000004 edi=00000005
eip=7c92120e esp=00c1ffcc ebp=00c1fff4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000246
ntdll!DbgBreakPoint:
7c92120e cc              int     3
0:001> ~* r eax=9
0:001> ~* r
eax=00000009 ebx=00000000 ecx=002e3a80 edx=0000c0f1 esi=0007fee8 edi=01014018
eip=7c92e4f4 esp=0007fde0 ebp=0007fdfc iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
ntdll!KiFastSystemCallRet:
7c92e4f4 c3              ret
eax=00000009 ebx=00000001 ecx=00000002 edx=00000003 esi=00000004 edi=00000005
eip=7c92120e esp=00c1ffcc ebp=00c1fff4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000246
ntdll!DbgBreakPoint:
7c92120e cc              int     3
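The two commands above are usually combined by hand: read eip from a thread's r dump, then find it in the lmf table to learn which module the thread is executing in. The following is an added example, not code from the original notes, that automates exactly that for pasted WinDbg output. The sample text inside it is constructed from the calc session above (the lmf listing is trimmed to four rows). It parses the lmf rows into address ranges, splits the concatenated ~* r output into one register set per thread, and reports each thread's eip as module+offset; an eip that falls outside every loaded module is flagged, since code running from unbacked memory (heap, stack) is the classic sign of injected code or shellcode.

```python
"""Map each thread's eip from WinDbg `r` output to a module from `lmf` output.
Added example for the notes above; all sample text is constructed from the
calc session they show.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: trimmed copy of the `lmf` listing (paths may contain spaces).
LMF_OUTPUT = """\
start    end        module name
01000000 0101f000   calc       C:\\WINDOWS\\system32\\calc.exe
10000000 100b0000   safemon    C:\\Program Files\\360\\360Safe\\safemon\\safemon.dll
7c800000 7c91e000   kernel32   C:\\WINDOWS\\system32\\kernel32.dll
7c920000 7c9b3000   ntdll      C:\\WINDOWS\\system32\\ntdll.dll
"""

# Constructed sample: the two dumps printed by `~* r` (thread 0, then thread 1).
R_OUTPUT = """\
eax=00000009 ebx=00000000 ecx=002e3a80 edx=0000c0f1 esi=0007fee8 edi=01014018
eip=7c92e4f4 esp=0007fde0 ebp=0007fdfc iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
ntdll!KiFastSystemCallRet:
7c92e4f4 c3              ret
eax=00000009 ebx=00000001 ecx=00000002 edx=00000003 esi=00000004 edi=00000005
eip=7c92120e esp=00c1ffcc ebp=00c1fff4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000246
ntdll!DbgBreakPoint:
7c92120e cc              int     3
"""


@dataclass
class Module:
    start: int
    end: int
    name: str
    path: str


# lmf row: 8-hex start, 8-hex end, module name, then the path up to end of line.
LMF_LINE = re.compile(r"^([0-9a-f]{8})\s+([0-9a-f]{8})\s+(\S+)\s+(.+?)\s*$", re.I)
# 32-bit register pairs such as eax=00000009 or efl=00000246 (segment
# registers are 4 hex digits and are deliberately skipped).
REG_PAIR = re.compile(r"\b([a-z]{2,3})=([0-9a-f]{8})\b", re.I)


def parse_lmf(text: str) -> List[Module]:
    """Turn `lmf` rows into Module records sorted by start address."""
    mods = []
    for line in text.splitlines():
        m = LMF_LINE.match(line)
        if m:
            mods.append(Module(int(m[1], 16), int(m[2], 16), m[3], m[4]))
    return sorted(mods, key=lambda mod: mod.start)


def parse_r(text: str) -> List[Dict[str, int]]:
    """Split concatenated `r` dumps into one {register: value} dict per thread.
    WinDbg starts every dump with an `eax=` line, which is used as the separator."""
    dumps: List[Dict[str, int]] = []
    for line in text.splitlines():
        if line.startswith("eax="):
            dumps.append({})
        if dumps:
            for reg, val in REG_PAIR.findall(line):
                dumps[-1][reg.lower()] = int(val, 16)
    return dumps


def resolve(addr: int, mods: List[Module]) -> Optional[Tuple[str, int]]:
    """Return (module name, offset) for addr, or None if no module covers it."""
    for mod in mods:
        if mod.start <= addr < mod.end:
            return mod.name, addr - mod.start
    return None


def triage(lmf_text: str, r_text: str) -> List[str]:
    """One line per thread saying where its eip lives; unbacked eip is flagged."""
    mods = parse_lmf(lmf_text)
    report = []
    for idx, regs in enumerate(parse_r(r_text)):
        eip = regs["eip"]
        hit = resolve(eip, mods)
        if hit is None:
            report.append(f"thread {idx}: eip={eip:08x} NOT in any loaded module (injected code?)")
        else:
            report.append(f"thread {idx}: eip={eip:08x} {hit[0]}+0x{hit[1]:x}")
    return report


if __name__ == "__main__":
    print("\n".join(triage(LMF_OUTPUT, R_OUTPUT)))
```

Paste the full lmf listing and the ~* r output from your own session into the two strings to use it on a real target; the thread index it prints is the order in which WinDbg emitted the dumps, which for ~* r is thread 0 upwards.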