Dump File Data Storage Format (Part 7)

    9. Module List Stream (ModuleListStream)

    The ModuleListStream holds information about the modules loaded in the process. It immediately follows the ThreadInfoListStream. The ThreadInfoListStream information is as follows; adding its RVA to its size (0n is the WinDbg decimal prefix) gives the end of that stream:

    0x15f4+0n5068=0x29c0

    The ModuleListStream information is as follows:

    The RVA of the ModuleListStream is 0x29c0, so the ModuleListStream sits directly after the ThreadInfoListStream, and its size is 26680 bytes. The data is as follows:

    This data is organized according to the following structure:

    typedef struct _MINIDUMP_MODULE_LIST {
      ULONG32         NumberOfModules;
      MINIDUMP_MODULE Modules[0];
    } MINIDUMP_MODULE_LIST, *PMINIDUMP_MODULE_LIST;

    MINIDUMP_MODULE_LIST holds the module list. Its members are:

    NumberOfModules

    The number of elements in the module array.

    Modules

    An array of MINIDUMP_MODULE structures.

    The MINIDUMP_MODULE structure holds the details of each module. Its layout is:

    typedef struct _MINIDUMP_MODULE {
      ULONG64                      BaseOfImage;
      ULONG32                      SizeOfImage;
      ULONG32                      CheckSum;
      ULONG32                      TimeDateStamp;
      RVA                          ModuleNameRva;
      VS_FIXEDFILEINFO             VersionInfo;
      MINIDUMP_LOCATION_DESCRIPTOR CvRecord;
      MINIDUMP_LOCATION_DESCRIPTOR MiscRecord;
      ULONG64                      Reserved0;
      ULONG64                      Reserved1;
    } MINIDUMP_MODULE, *PMINIDUMP_MODULE;

    The members are:

    BaseOfImage

    The base address of the module's executable image in memory.

    SizeOfImage

    The size of the module's executable image in memory, in bytes.

    CheckSum

    The checksum value of the module's executable image.

    TimeDateStamp

    The timestamp of the module's executable image, in time_t format.

    ModuleNameRva

    The RVA of the MINIDUMP_STRING structure that gives the module name. Let us look at an example:

    The file offset is 0x9600; jumping there, we see the following:

    VersionInfo

    A VS_FIXEDFILEINFO structure that gives the module's version.

    CvRecord

    A MINIDUMP_LOCATION_DESCRIPTOR structure that locates the module's CodeView record.

    MiscRecord

    A MINIDUMP_LOCATION_DESCRIPTOR structure that locates the module's miscellaneous record.

    Reserved0

    Reserved for future use.

    Reserved1

    Reserved for future use.

    The MINIDUMP_STRING structure carries the module name, as follows:

    typedef struct _MINIDUMP_STRING {
      ULONG32 Length;
      WCHAR   Buffer[0];
    } MINIDUMP_STRING, *PMINIDUMP_STRING;

    Length

    The size of the Buffer member, in bytes. This size does not include the null terminator.

    Buffer

    The null-terminated string.

    The VS_FIXEDFILEINFO structure holds the file's version information. This information is independent of language and code page. It is laid out as follows:

    typedef struct tagVS_FIXEDFILEINFO {
      DWORD dwSignature;
      DWORD dwStrucVersion;
      DWORD dwFileVersionMS;
      DWORD dwFileVersionLS;
      DWORD dwProductVersionMS;
      DWORD dwProductVersionLS;
      DWORD dwFileFlagsMask;
      DWORD dwFileFlags;
      DWORD dwFileOS;
      DWORD dwFileType;
      DWORD dwFileSubtype;
      DWORD dwFileDateMS;
      DWORD dwFileDateLS;
    } VS_FIXEDFILEINFO;

    dwSignature

    Type: DWORD

    Contains the value 0xFEEF04BD. This value is used together with the szKey member of the VS_VERSIONINFO structure when searching a file for the VS_FIXEDFILEINFO structure.

    dwStrucVersion

    Type: DWORD

    The binary version number of this structure. The high-order word of this member holds the major version number, and the low-order word holds the minor version number.

    dwFileVersionMS

    Type: DWORD

    The most significant 32 bits of the file's binary version number. This member is used together with dwFileVersionLS to form a 64-bit value for numeric comparisons.

    dwFileVersionLS

    Type: DWORD

    The least significant 32 bits of the file's binary version number. This member is used together with dwFileVersionMS to form a 64-bit value for numeric comparisons.

    dwProductVersionMS

    Type: DWORD

    The most significant 32 bits of the binary version number of the product with which this file is distributed. This member is used together with dwProductVersionLS to form a 64-bit value for numeric comparisons.

    dwProductVersionLS

    Type: DWORD

    The least significant 32 bits of the binary version number of the product with which this file is distributed. This member is used together with dwProductVersionMS to form a 64-bit value for numeric comparisons.

    dwFileFlagsMask

    Type: DWORD

    A bitmask that specifies which bits in dwFileFlags are valid. A bit is valid only if it was defined when the file was created.

    dwFileFlags

    Type: DWORD

    A bitmask that specifies the Boolean attributes of the file. This member can contain one or more of the following values.

    Table 1
    Value                              Meaning
    VS_FF_DEBUG (0x00000001L)          The file contains debugging information or is compiled with debugging features enabled.
    VS_FF_INFOINFERRED (0x00000010L)   The file's version structure was created dynamically; therefore, some of the members in this structure may be empty or incorrect. This flag should never be set in a file's VS_VERSIONINFO data.
    VS_FF_PATCHED (0x00000004L)        The file has been modified and is not identical to the original shipping file of the same version number.
    VS_FF_PRERELEASE (0x00000002L)     The file is a development version, not a commercially released product.
    VS_FF_PRIVATEBUILD (0x00000008L)   The file was not built using standard release procedures. If this flag is set, the StringFileInfo structure should contain a PrivateBuild entry.
    VS_FF_SPECIALBUILD (0x00000020L)   The file was built by the original company using standard release procedures but is a variation of the normal file of the same version number. If this flag is set, the StringFileInfo structure should contain a SpecialBuild entry.

    dwFileOS

    Type: DWORD

    The operating system for which this file was designed. This member can be one of the following values.

    Table 2
    Value                          Meaning
    VOS_DOS (0x00010000L)          The file was designed for MS-DOS.
    VOS_NT (0x00040000L)           The file was designed for Windows NT.
    VOS__WINDOWS16 (0x00000001L)   The file was designed for 16-bit Windows.
    VOS__WINDOWS32 (0x00000004L)   The file was designed for 32-bit Windows.
    VOS_OS216 (0x00020000L)        The file was designed for 16-bit OS/2.
    VOS_OS232 (0x00030000L)        The file was designed for 32-bit OS/2.
    VOS__PM16 (0x00000002L)        The file was designed for 16-bit Presentation Manager.
    VOS__PM32 (0x00000003L)        The file was designed for 32-bit Presentation Manager.
    VOS_UNKNOWN (0x00000000L)      The operating system for which the file was designed is unknown to the system.

    An application can combine these values to indicate that the file was designed for one operating system running on top of another. The following dwFileOS values are examples of this, but not a complete list.

    Table 3
    Value                             Meaning
    VOS_DOS_WINDOWS16 (0x00010001L)   The file was designed for 16-bit Windows running on MS-DOS.
    VOS_DOS_WINDOWS32 (0x00010004L)   The file was designed for 32-bit Windows running on MS-DOS.
    VOS_NT_WINDOWS32 (0x00040004L)    The file was designed for Windows NT.
    VOS_OS216_PM16 (0x00020002L)      The file was designed for 16-bit Presentation Manager running on 16-bit OS/2.
    VOS_OS232_PM32 (0x00030003L)      The file was designed for 32-bit Presentation Manager running on 32-bit OS/2.

    dwFileType

    Type: DWORD

    The general type of the file. This member can be one of the following values. All other values are reserved.

    Table 4
    Value                         Meaning
    VFT_APP (0x00000001L)         The file contains an application.
    VFT_DLL (0x00000002L)         The file contains a DLL.
    VFT_DRV (0x00000003L)         The file contains a device driver. If dwFileType is VFT_DRV, dwFileSubtype contains a more specific description of the driver.
    VFT_FONT (0x00000004L)        The file contains a font. If dwFileType is VFT_FONT, dwFileSubtype contains a more specific description of the font file.
    VFT_STATIC_LIB (0x00000007L)  The file contains a static-link library.
    VFT_UNKNOWN (0x00000000L)     The file type is unknown to the system.
    VFT_VXD (0x00000005L)         The file contains a virtual device.

    dwFileSubtype

    Type: DWORD

    The function of the file. The possible values depend on the value of dwFileType. For all values of dwFileType not described in the following tables, dwFileSubtype is zero.
    If dwFileType is VFT_DRV, dwFileSubtype can be one of the following values.

    Table 5
    Value                                     Meaning
    VFT2_DRV_COMM (0x0000000AL)               The file contains a communications driver.
    VFT2_DRV_DISPLAY (0x00000004L)            The file contains a display driver.
    VFT2_DRV_INSTALLABLE (0x00000008L)        The file contains an installable driver.
    VFT2_DRV_KEYBOARD (0x00000002L)           The file contains a keyboard driver.
    VFT2_DRV_LANGUAGE (0x00000003L)           The file contains a language driver.
    VFT2_DRV_MOUSE (0x00000005L)              The file contains a mouse driver.
    VFT2_DRV_NETWORK (0x00000006L)            The file contains a network driver.
    VFT2_DRV_PRINTER (0x00000001L)            The file contains a printer driver.
    VFT2_DRV_SOUND (0x00000009L)              The file contains a sound driver.
    VFT2_DRV_SYSTEM (0x00000007L)             The file contains a system driver.
    VFT2_DRV_VERSIONED_PRINTER (0x0000000CL)  The file contains a versioned printer driver.
    VFT2_UNKNOWN (0x00000000L)                The driver type is unknown by the system.

    If dwFileType is VFT_FONT, dwFileSubtype can be one of the following values.

    Table 6
    Value                            Meaning
    VFT2_FONT_RASTER (0x00000001L)   The file contains a raster font.
    VFT2_FONT_TRUETYPE (0x00000003L) The file contains a TrueType font.
    VFT2_FONT_VECTOR (0x00000002L)   The file contains a vector font.
    VFT2_UNKNOWN (0x00000000L)       The font type is unknown by the system.

    If dwFileType is VFT_VXD, dwFileSubtype contains the virtual device identifier held in the virtual device control block. All dwFileSubtype values not listed here are reserved.

    dwFileDateMS

    Type: DWORD

    The most significant 32 bits of the file's 64-bit binary creation date and time stamp.

    dwFileDateLS

    Type: DWORD

    The least significant 32 bits of the file's 64-bit binary creation date and time stamp.

    We can view the corresponding information with the lm command in WinDbg (lmt lists each loaded module with its timestamp):

    0:035> lmt
    start    end        module name
    01590000 015a2000   zlib1     Wed Oct 17 11:00:09 2012 (507E1F39)
    10000000 1000e000   mxml1     Tue Mar 15 17:06:47 2016 (56E7D0A7)
    10010000 10629000   SogouPY   Wed Dec  4 12:04:09 2019 (5DE73039)
    10cb0000 10dcd000   Resource  Wed Dec  4 11:55:09 2019 (5DE72E1D)
    22e70000 22e88000   msctfui   B9A1C554 (This is a reproducible build file hash, not a timestamp)
    242c0000 242db000   UIAutomationProvider_ni  Tue Jul  7 07:23:33 2020 (5F03B275)
    246c0000 246fc000   WindowsCodecsExt  6F6F2A44 (This is a reproducible build file hash, not a timestamp)
    24f00000 24f65000   System_Dynamic_ni  Sat Mar  2 14:34:40 2019 (5C7A2400)
    26100000 26186000   UIAutomationTypes_ni  Tue Jul  7 07:23:33 2020 (5F03B275)
    261a0000 261bf000   clrcompression  Sat Mar  2 14:34:23 2019 (5C7A23EF)
    261e0000 2621e000   icm32     C09D0053 (This is a reproducible build file hash, not a timestamp)
    2ce50000 2dc96000   nvd3dum   Sun Sep 17 00:43:16 2017 (59BD54A4)
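    As an added example (not code from the original post), the following Python walks a constructed minidump fragment exactly as the structures above describe it: it reads MINIDUMP_MODULE_LIST at a stream RVA, resolves each ModuleNameRva to its MINIDUMP_STRING, checks the VS_FIXEDFILEINFO dwSignature, splits dwFileVersionMS/LS into a dotted version, and converts TimeDateStamp (time_t) the way lmt displays it, here in UTC. The sample bytes, module names and version numbers are constructed; the two base addresses and timestamps are taken from the lmt listing above.

```python
import struct
import datetime

# MINIDUMP_MODULE (108 bytes): Base, Size, CheckSum, TimeDateStamp, NameRva, VS_FIXEDFILEINFO(52), CvRecord, MiscRecord, Reserved0/1
MODULE_FMT = "<QIIII52s8s8sQQ"
MODULE_SIZE = struct.calcsize(MODULE_FMT)
VS_SIGNATURE = 0xFEEF04BD

def read_minidump_string(data, rva):
    """MINIDUMP_STRING: ULONG32 Length (bytes, terminator excluded) + UTF-16LE Buffer."""
    if rva + 4 > len(data):
        raise ValueError("MINIDUMP_STRING RVA 0x%x is outside the file" % rva)
    (length,) = struct.unpack_from("<I", data, rva)
    if rva + 4 + length > len(data):  # Length comes from the file: bounds-check it
        raise ValueError("MINIDUMP_STRING at 0x%x overruns the file" % rva)
    return data[rva + 4:rva + 4 + length].decode("utf-16-le")

def parse_module_list(data, rva):
    """Walk MINIDUMP_MODULE_LIST at rva; return one dict per module (lmt-style fields)."""
    (count,) = struct.unpack_from("<I", data, rva)
    if rva + 4 + count * MODULE_SIZE > len(data):
        raise ValueError("NumberOfModules=%d does not fit in the file" % count)
    out = []
    for i in range(count):
        base, size, _cksum, stamp, name_rva, vinfo, _cv, _misc, _r0, _r1 = \
            struct.unpack_from(MODULE_FMT, data, rva + 4 + i * MODULE_SIZE)
        sig, _sv, fv_ms, fv_ls = struct.unpack_from("<4I", vinfo)
        when = datetime.datetime.fromtimestamp(stamp, datetime.timezone.utc)  # time_t, shown in UTC
        out.append({"name": read_minidump_string(data, name_rva), "start": base, "end": base + size,
                    "time": when.strftime("%Y-%m-%d %H:%M:%S"),
                    "version_ok": sig == VS_SIGNATURE,  # dwSignature must be 0xFEEF04BD
                    "file_version": "%d.%d.%d.%d" % (fv_ms >> 16, fv_ms & 0xFFFF, fv_ls >> 16, fv_ls & 0xFFFF)})
    return out

def build_sample_dump():
    """Constructed fragment, not a real dump: 32 zero bytes in place of the header, the
    module list at RVA 32, then the MINIDUMP_STRINGs the ModuleNameRva fields point at."""
    list_rva, mods = 32, [("zlib1.dll", 0x01590000, 0x12000, 0x507E1F39, (1, 2, 7, 0)),
                          ("mxml1.dll", 0x10000000, 0x0E000, 0x56E7D0A7, (2, 9, 0, 0))]
    strings, name_rvas, cur = b"", [], list_rva + 4 + len(mods) * MODULE_SIZE
    for name, *_ in mods:
        enc = name.encode("utf-16-le")
        name_rvas.append(cur)
        strings += struct.pack("<I", len(enc)) + enc + b"\x00\x00"  # Length excludes the NUL
        cur += 4 + len(enc) + 2
    body = struct.pack("<I", len(mods))
    for (_, base, size, stamp, (a, b, c, d)), nrva in zip(mods, name_rvas):
        vinfo = struct.pack("<13I", VS_SIGNATURE, 0x10000, (a << 16) | b, (c << 16) | d, *([0] * 9))
        body += struct.pack(MODULE_FMT, base, size, 0, stamp, nrva, vinfo, bytes(8), bytes(8), 0, 0)
    return bytes(list_rva) + body + strings, list_rva
```

    The bounds checks reject a truncated or malformed dump instead of reading past the end, which matters when dumps are processed from sources you do not control.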

    Original source: https://www.cnblogs.com/yilang/p/13868075.html