zoukankan      html  css  js  c++  java
  • Windbg命令学习3(lmf和r)

    以下的所有示例都是加载calc程序

    1 lmf

    lmf可以列出当前进程中加载的所有DLL文件和对应的路径

    给个例子:

    0:001> lmf
    start    end        module name
    01000000 0101f000   calc     C:\WINDOWS\system32\calc.exe
    10000000 100b0000   safemon  C:\Program Files\360\360Safe\safemon\safemon.dll
    58fb0000 5917a000   AcGenral C:\WINDOWS\AppPatch\AcGenral.DLL
    5adc0000 5adf7000   UxTheme  C:\WINDOWS\system32\UxTheme.dll
    5cc30000 5cc56000   ShimEng  C:\WINDOWS\system32\ShimEng.dll
    62c20000 62c29000   LPK      C:\WINDOWS\system32\LPK.DLL
    71a10000 71a18000   WS2HELP  C:\WINDOWS\system32\WS2HELP.dll
    71a20000 71a37000   WS2_32   C:\WINDOWS\system32\WS2_32.dll
    73640000 7366e000   msctfime C:\WINDOWS\system32\msctfime.ime
    73fa0000 7400b000   USP10    C:\WINDOWS\system32\USP10.dll
    74680000 746cc000   MSCTF    C:\WINDOWS\system32\MSCTF.dll
    759d0000 75a7f000   USERENV  C:\WINDOWS\system32\USERENV.dll
    76300000 7631d000   IMM32    C:\WINDOWS\system32\IMM32.DLL
    765e0000 76673000   CRYPT32  C:\WINDOWS\system32\CRYPT32.dll
    76680000 76726000   WININET  C:\WINDOWS\system32\WININET.dll
    76990000 76ace000   ole32    C:\WINDOWS\system32\ole32.dll
    76b10000 76b3a000   WINMM    C:\WINDOWS\system32\WINMM.dll
    76bc0000 76bcb000   PSAPI    C:\WINDOWS\system32\PSAPI.DLL
    76db0000 76dc2000   MSASN1   C:\WINDOWS\system32\MSASN1.dll
    770f0000 7717b000   OLEAUT32 C:\WINDOWS\system32\OLEAUT32.dll
    77180000 77283000   comctl32 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
    77bb0000 77bc5000   MSACM32  C:\WINDOWS\system32\MSACM32.dll
    77bd0000 77bd8000   VERSION  C:\WINDOWS\system32\VERSION.dll
    77be0000 77c38000   msvcrt   C:\WINDOWS\system32\msvcrt.dll
    77d10000 77da0000   USER32   C:\WINDOWS\system32\USER32.dll
    77da0000 77e49000   ADVAPI32 C:\WINDOWS\system32\ADVAPI32.dll
    77e50000 77ee3000   RPCRT4   C:\WINDOWS\system32\RPCRT4.dll
    77ef0000 77f39000   GDI32    C:\WINDOWS\system32\GDI32.dll
    77f40000 77fb6000   SHLWAPI  C:\WINDOWS\system32\SHLWAPI.dll
    77fc0000 77fd1000   Secur32  C:\WINDOWS\system32\Secur32.dll
    7c800000 7c91e000   kernel32 C:\WINDOWS\system32\kernel32.dll
    7c920000 7c9b3000   ntdll    C:\WINDOWS\system32\ntdll.dll
    7d590000 7dd84000   SHELL32  C:\WINDOWS\system32\SHELL32.dll
    


     2.r

    r 命令显示或修改寄存器、浮点寄存器、标志位、伪寄存器和预定义别名

    直接用r,会显示当前线程的寄存器状态

    ~0 r表示显示0号线程的寄存器状态

    ~* r会显示所有线程的寄存器状态

    ~0 r eax = 0x1可以对1线程进行eax赋值

    ~*  r eax =0x1,可以对所有线程进行eax赋值

    给个例子:

    0:001> r 
    eax=00000009 ebx=00000001 ecx=00000002 edx=00000003 esi=00000004 edi=00000005
    eip=7c92120e esp=00c1ffcc ebp=00c1fff4 iopl=0         nv up ei pl zr na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000246
    ntdll!DbgBreakPoint:
    7c92120e cc              int     3
    0:001> ~1 r
    eax=00000009 ebx=00000001 ecx=00000002 edx=00000003 esi=00000004 edi=00000005
    eip=7c92120e esp=00c1ffcc ebp=00c1fff4 iopl=0         nv up ei pl zr na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000246
    ntdll!DbgBreakPoint:
    7c92120e cc              int     3
    0:001> ~0 r
    eax=00000009 ebx=00000000 ecx=002e3a80 edx=0000c0f1 esi=0007fee8 edi=01014018
    eip=7c92e4f4 esp=0007fde0 ebp=0007fdfc iopl=0         nv up ei pl zr na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
    ntdll!KiFastSystemCallRet:
    7c92e4f4 c3              ret
    0:001> ~* r
    eax=00000009 ebx=00000000 ecx=002e3a80 edx=0000c0f1 esi=0007fee8 edi=01014018
    eip=7c92e4f4 esp=0007fde0 ebp=0007fdfc iopl=0         nv up ei pl zr na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
    ntdll!KiFastSystemCallRet:
    7c92e4f4 c3              ret
    eax=00000009 ebx=00000001 ecx=00000002 edx=00000003 esi=00000004 edi=00000005
    eip=7c92120e esp=00c1ffcc ebp=00c1fff4 iopl=0         nv up ei pl zr na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000246
    ntdll!DbgBreakPoint:
    7c92120e cc              int     3
    0:001> r eax = 1
    0:001> r
    eax=00000001 ebx=00000001 ecx=00000002 edx=00000003 esi=00000004 edi=00000005
    eip=7c92120e esp=00c1ffcc ebp=00c1fff4 iopl=0         nv up ei pl zr na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000246
    ntdll!DbgBreakPoint:
    7c92120e cc              int     3
    0:001> ~0 r eax =0
    0:001> r
    eax=00000001 ebx=00000001 ecx=00000002 edx=00000003 esi=00000004 edi=00000005
    eip=7c92120e esp=00c1ffcc ebp=00c1fff4 iopl=0         nv up ei pl zr na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000246
    ntdll!DbgBreakPoint:
    7c92120e cc              int     3
    0:001> ~* r
    eax=00000000 ebx=00000000 ecx=002e3a80 edx=0000c0f1 esi=0007fee8 edi=01014018
    eip=7c92e4f4 esp=0007fde0 ebp=0007fdfc iopl=0         nv up ei pl zr na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
    ntdll!KiFastSystemCallRet:
    7c92e4f4 c3              ret
    eax=00000001 ebx=00000001 ecx=00000002 edx=00000003 esi=00000004 edi=00000005
    eip=7c92120e esp=00c1ffcc ebp=00c1fff4 iopl=0         nv up ei pl zr na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000246
    ntdll!DbgBreakPoint:
    7c92120e cc              int     3
    0:001> ~* r eax=9
    0:001> ~* r
    eax=00000009 ebx=00000000 ecx=002e3a80 edx=0000c0f1 esi=0007fee8 edi=01014018
    eip=7c92e4f4 esp=0007fde0 ebp=0007fdfc iopl=0         nv up ei pl zr na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
    ntdll!KiFastSystemCallRet:
    7c92e4f4 c3              ret
    eax=00000009 ebx=00000001 ecx=00000002 edx=00000003 esi=00000004 edi=00000005
    eip=7c92120e esp=00c1ffcc ebp=00c1fff4 iopl=0         nv up ei pl zr na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000246
    ntdll!DbgBreakPoint:
    7c92120e cc              int     3
    


     

  • 相关阅读:
    通过 AWS CLI 操作 AWS S3
    AWS S3文件存储服务器搭建(新)
    Vertx 接入MongoDB (九)
    Vertx 接入Redis (八)
    Vertx Mysql数据库优化 (七)
    Vertx 接入Mysql数据库 (六)
    Vertx 实现webapi实战项目(五)
    Vertx 实现webapi实战项目(四)
    Vertx 实现webapi实战项目(三)
    正则表达式:元字符(基本可用来匹配的字符)
  • 原文地址:https://www.cnblogs.com/hgy413/p/3693713.html
Copyright © 2011-2022 走看看