Windbg memory map?

How can I get a memory map in Windbg similar to Ollydbg's memory map feature? I want to see a list of the address space in order, showing what is loaded into each range, ideally with the memory protection shown. Here is a screenshot of the Ollydbg memory map:



person Tyler Durden    schedule 28.03.2014
comment
possible duplicate of Memory map in IDA Pro similar to OllyDbg   -  person Thomas Weller    schedule 30.03.2014
comment
@ThomasW. The other question is for IDA Pro, not Windbg. IDA Pro is not even a debugger, it is a static analysis tool. That is a very different thing.   -  person Tyler Durden    schedule 30.03.2014
comment
OK, I understand. I must have missed the tag. Thanks for the clarification.   -  person Thomas Weller    schedule 31.03.2014


Answers (1)


!address displays exactly this information. It works in user mode and kernel mode. Example for a user-mode process:


0:000> !address


        BaseAddress      EndAddress+1        RegionSize     Type       State                 Protect             Usage
------------------------------------------------------------------------------------------------------------------------
+        0`00000000        0`7ffe0000        0`7ffe0000             MEM_FREE    PAGE_NOACCESS                      Free
+        0`7ffe0000        0`7ffe1000        0`00001000 MEM_PRIVATE MEM_COMMIT  PAGE_READONLY                      Other      [User Shared Data]
         0`7ffe1000        0`7fff0000        0`0000f000 MEM_PRIVATE MEM_RESERVE                                    
+        0`7fff0000       db`475a0000       da`c75b0000             MEM_FREE    PAGE_NOACCESS                      Free
+       db`475a0000       db`475b0000        0`00010000 MEM_MAPPED  MEM_COMMIT  PAGE_READWRITE                     Heap       [ID: 1; Handle: 000000db475a0000; Type: Segment]
+       db`475b0000       db`475c0000        0`00010000             MEM_FREE    PAGE_NOACCESS                      Free
+       db`475c0000       db`475cf000        0`0000f000 MEM_MAPPED  MEM_COMMIT  PAGE_READONLY                      Other      [API Set Map]
+       db`475cf000       db`475d0000        0`00001000             MEM_FREE    PAGE_NOACCESS                      Free
+       db`475d0000       db`475d1000        0`00001000 MEM_PRIVATE MEM_RESERVE                                    Stack      [~0; 2a7c.19a8]
        db`475d1000       db`475d4000        0`00003000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE|PAGE_GUARD          Stack      [~0; 2a7c.19a8]
        db`475d4000       db`476d0000        0`000fc000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     Stack      [~0; 2a7c.19a8]
+       db`476d0000       db`476d4000        0`00004000 MEM_MAPPED  MEM_COMMIT  PAGE_READONLY                      Other      [System Default Activation Context Data]
+       db`476d4000       db`476e0000        0`0000c000             MEM_FREE    PAGE_NOACCESS                      Free
+       db`476e0000       db`476e1000        0`00001000 MEM_MAPPED  MEM_COMMIT  PAGE_READONLY                      Other      [Activation Context Data]
+       db`476e1000       db`476f0000        0`0000f000             MEM_FREE    PAGE_NOACCESS                      Free
+       db`476f0000       db`476f2000        0`00002000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     
+       db`476f2000       db`47700000        0`0000e000             MEM_FREE    PAGE_NOACCESS                      Free
+       db`47700000       db`4777e000        0`0007e000 MEM_MAPPED  MEM_COMMIT  PAGE_READONLY                      MappedFile "\Device\HarddiskVolume2\Windows\System32\locale.nls"
+       db`4777e000       db`478c0000        0`00142000             MEM_FREE    PAGE_NOACCESS                      Free
+       db`478c0000       db`478c6000        0`00006000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     Heap       [ID: 0; Handle: 000000db478c0000; Type: Segment]
        db`478c6000       db`479bf000        0`000f9000 MEM_PRIVATE MEM_RESERVE                                    Heap       [ID: 0; Handle: 000000db478c0000; Type: Segment]
        db`479bf000       db`479c0000        0`00001000 MEM_PRIVATE MEM_RESERVE                                    
+       db`479c0000     7ff7`3e0a0000     7f1b`f66e0000             MEM_FREE    PAGE_NOACCESS                      Free
+     7ff7`3e0a0000     7ff7`3e0a5000        0`00005000 MEM_MAPPED  MEM_COMMIT  PAGE_READONLY                      Other      [Read Only Shared Memory]
      7ff7`3e0a5000     7ff7`3e1a0000        0`000fb000 MEM_MAPPED  MEM_RESERVE                                    MappedFile "PageFile"
+     7ff7`3e1a0000     7ff7`3e1c3000        0`00023000 MEM_MAPPED  MEM_COMMIT  PAGE_READONLY                      Other      [NLS Tables]
+     7ff7`3e1c3000     7ff7`3e1c8000        0`00005000             MEM_FREE    PAGE_NOACCESS                      Free
+     7ff7`3e1c8000     7ff7`3e1c9000        0`00001000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     PEB        [2a7c]
+     7ff7`3e1c9000     7ff7`3e1ce000        0`00005000             MEM_FREE    PAGE_NOACCESS                      Free
+     7ff7`3e1ce000     7ff7`3e1d0000        0`00002000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     TEB        [~0; 2a7c.19a8]
+     7ff7`3e1d0000     7ff7`3f0f0000        0`00f20000             MEM_FREE    PAGE_NOACCESS                      Free
+     7ff7`3f0f0000     7ff7`3f0f1000        0`00001000 MEM_IMAGE   MEM_COMMIT  PAGE_READONLY                      Image      [cmd; "cmd.exe"]
      7ff7`3f0f1000     7ff7`3f11d000        0`0002c000 MEM_IMAGE   MEM_COMMIT  PAGE_EXECUTE_READ                  Image      [cmd; "cmd.exe"]
      7ff7`3f11d000     7ff7`3f11e000        0`00001000 MEM_IMAGE   MEM_COMMIT  PAGE_READWRITE                     Image      [cmd; "cmd.exe"]
      7ff7`3f11e000     7ff7`3f13a000        0`0001c000 MEM_IMAGE   MEM_COMMIT  PAGE_WRITECOPY                     Image      [cmd; "cmd.exe"]
      7ff7`3f13a000     7ff7`3f14b000        0`00011000 MEM_IMAGE   MEM_COMMIT  PAGE_READONLY                      Image      [cmd; "cmd.exe"]
+     7ff7`3f14b000     7ffd`07920000        5`c87d5000             MEM_FREE    PAGE_NOACCESS                      Free
+     7ffd`07920000     7ffd`07921000        0`00001000 MEM_IMAGE   MEM_COMMIT  PAGE_READONLY                      Image      [KERNELBASE; "C:\Windows\system32\KERNELBASE.dll"]
      7ffd`07921000     7ffd`07a0e000        0`000ed000 MEM_IMAGE   MEM_COMMIT  PAGE_EXECUTE_READ                  Image      [KERNELBASE; "C:\Windows\system32\KERNELBASE.dll"]
      7ffd`07a0e000     7ffd`07a11000        0`00003000 MEM_IMAGE   MEM_COMMIT  PAGE_READWRITE                     Image      [KERNELBASE; "C:\Windows\system32\KERNELBASE.dll"]
      7ffd`07a11000     7ffd`07a12000        0`00001000 MEM_IMAGE   MEM_COMMIT  PAGE_WRITECOPY                     Image      [KERNELBASE; "C:\Windows\system32\KERNELBASE.dll"]
      7ffd`07a12000     7ffd`07a2f000        0`0001d000 MEM_IMAGE   MEM_COMMIT  PAGE_READONLY                      Image      [KERNELBASE; "C:\Windows\system32\KERNELBASE.dll"]
+     7ffd`07a2f000     7ffd`07c60000        0`00231000             MEM_FREE    PAGE_NOACCESS                      Free
+     7ffd`07c60000     7ffd`07c61000        0`00001000 MEM_IMAGE   MEM_COMMIT  PAGE_READONLY                      Image      [KERNEL32; "C:\Windows\system32\KERNEL32.DLL"]
      7ffd`07c61000     7ffd`07d73000        0`00112000 MEM_IMAGE   MEM_COMMIT  PAGE_EXECUTE_READ                  Image      [KERNEL32; "C:\Windows\system32\KERNEL32.DLL"]
      7ffd`07d73000     7ffd`07d74000        0`00001000 MEM_IMAGE   MEM_COMMIT  PAGE_READWRITE                     Image      [KERNEL32; "C:\Windows\system32\KERNEL32.DLL"]
      7ffd`07d74000     7ffd`07d75000        0`00001000 MEM_IMAGE   MEM_COMMIT  PAGE_WRITECOPY                     Image      [KERNEL32; "C:\Windows\system32\KERNEL32.DLL"]
      7ffd`07d75000     7ffd`07d99000        0`00024000 MEM_IMAGE   MEM_COMMIT  PAGE_READONLY                      Image      [KERNEL32; "C:\Windows\system32\KERNEL32.DLL"]
+     7ffd`07d99000     7ffd`08200000        0`00467000             MEM_FREE    PAGE_NOACCESS                      Free
+     7ffd`08200000     7ffd`08201000        0`00001000 MEM_IMAGE   MEM_COMMIT  PAGE_READONLY                      Image      [msvcrt; "C:\Windows\system32\msvcrt.dll"]
      7ffd`08201000     7ffd`0828f000        0`0008e000 MEM_IMAGE   MEM_COMMIT  PAGE_EXECUTE_READ                  Image      [msvcrt; "C:\Windows\system32\msvcrt.dll"]
      7ffd`0828f000     7ffd`08290000        0`00001000 MEM_IMAGE   MEM_COMMIT  PAGE_READWRITE                     Image      [msvcrt; "C:\Windows\system32\msvcrt.dll"]
      7ffd`08290000     7ffd`08294000        0`00004000 MEM_IMAGE   MEM_COMMIT  PAGE_WRITECOPY                     Image      [msvcrt; "C:\Windows\system32\msvcrt.dll"]
      7ffd`08294000     7ffd`0829f000        0`0000b000 MEM_IMAGE   MEM_COMMIT  PAGE_READONLY                      Image      [msvcrt; "C:\Windows\system32\msvcrt.dll"]
      7ffd`0829f000     7ffd`082a1000        0`00002000 MEM_IMAGE   MEM_COMMIT  PAGE_EXECUTE                       Image      [msvcrt; "C:\Windows\system32\msvcrt.dll"]
      7ffd`082a1000     7ffd`082a7000        0`00006000 MEM_IMAGE   MEM_COMMIT  PAGE_READONLY                      Image      [msvcrt; "C:\Windows\system32\msvcrt.dll"]
+     7ffd`082a7000     7ffd`0a3d0000        0`02129000             MEM_FREE    PAGE_NOACCESS                      Free
+     7ffd`0a3d0000     7ffd`0a3d1000        0`00001000 MEM_IMAGE   MEM_COMMIT  PAGE_READONLY                      Image      [ntdll; "ntdll.dll"]
      7ffd`0a3d1000     7ffd`0a4f9000        0`00128000 MEM_IMAGE   MEM_COMMIT  PAGE_EXECUTE_READ                  Image      [ntdll; "ntdll.dll"]
      7ffd`0a4f9000     7ffd`0a4fa000        0`00001000 MEM_IMAGE   MEM_COMMIT  PAGE_READWRITE                     Image      [ntdll; "ntdll.dll"]
      7ffd`0a4fa000     7ffd`0a4fc000        0`00002000 MEM_IMAGE   MEM_COMMIT  PAGE_WRITECOPY                     Image      [ntdll; "ntdll.dll"]
      7ffd`0a4fc000     7ffd`0a502000        0`00006000 MEM_IMAGE   MEM_COMMIT  PAGE_READWRITE                     Image      [ntdll; "ntdll.dll"]
      7ffd`0a502000     7ffd`0a510000        0`0000e000 MEM_IMAGE   MEM_COMMIT  PAGE_READONLY                      Image      [ntdll; "ntdll.dll"]
      7ffd`0a510000     7ffd`0a511000        0`00001000 MEM_IMAGE   MEM_COMMIT  PAGE_EXECUTE                       Image      [ntdll; "ntdll.dll"]
      7ffd`0a511000     7ffd`0a579000        0`00068000 MEM_IMAGE   MEM_COMMIT  PAGE_READONLY                      Image      [ntdll; "ntdll.dll"]
+     7ffd`0a579000     7fff`fffe0000        2`f5a67000             MEM_FREE    PAGE_NOACCESS                      Free
+     7fff`fffe0000     7fff`ffff0000        0`00010000 MEM_PRIVATE MEM_RESERVE PAGE_NOACCESS                      

person seva titov    schedule 29.03.2014
comment
!address is definitely what you want for user-mode debugging, but in kernel mode !address does something different. If you are in kernel mode and want to see the address space of a process, you want !vad - person snoone; 03.04.2014
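
An added example, not part of the original answer or of WinDbg: a small Python parser for the !address table shown in the answer, which lists committed executable regions that are writable or not backed by an image, a common triage step when reviewing a process memory map. The function names are hypothetical, and the db`47800000 row in the sample is constructed; the other rows are copied from the output above.

```python
import re

# Rows 1-3, 5 and 6 are copied from the output above; row 4 (db`47800000) is
# constructed for this example to show a private, committed RWX region.
SAMPLE = r"""
+        0`7ffe0000        0`7ffe1000        0`00001000 MEM_PRIVATE MEM_COMMIT  PAGE_READONLY                      Other      [User Shared Data]
         0`7ffe1000        0`7fff0000        0`0000f000 MEM_PRIVATE MEM_RESERVE
        db`475d1000       db`475d4000        0`00003000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE|PAGE_GUARD          Stack      [~0; 2a7c.19a8]
+       db`47800000       db`47801000        0`00001000 MEM_PRIVATE MEM_COMMIT  PAGE_EXECUTE_READWRITE
+     7ff7`3e1d0000     7ff7`3f0f0000        0`00f20000             MEM_FREE    PAGE_NOACCESS                      Free
      7ff7`3f0f1000     7ff7`3f11d000        0`0002c000 MEM_IMAGE   MEM_COMMIT  PAGE_EXECUTE_READ                  Image      [cmd; "cmd.exe"]
"""

ROW = re.compile(
    r"^\+?\s*(?P<base>[0-9a-f`]+)\s+(?P<end>[0-9a-f`]+)\s+(?P<size>[0-9a-f`]+)\s+"
    r"(?:(?P<type>MEM_(?:PRIVATE|MAPPED|IMAGE))\s+)?"   # absent on MEM_FREE rows
    r"(?P<state>MEM_(?:FREE|COMMIT|RESERVE))"
    r"(?:\s+(?P<protect>PAGE_[A-Z_|]+))?\s*(?P<usage>.*)$"  # absent when reserved
)

def addr_to_int(text):
    return int(text.replace("`", ""), 16)  # 64-bit values print as high`low

def parse_address_output(text):
    """Return one dict per region row; prompt and header lines are skipped."""
    regions = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        r = m.groupdict()
        r.update({k: addr_to_int(r[k]) for k in ("base", "end", "size")})
        if r["end"] - r["base"] != r["size"]:
            raise ValueError("inconsistent row: " + line)
        regions.append(r)
    return regions

def unbacked_or_wx(regions):
    """Committed executable regions that are writable or not image-backed."""
    hits = []
    for r in regions:
        prot = r["protect"] or ""
        executable = r["state"] == "MEM_COMMIT" and "EXECUTE" in prot
        writable = "EXECUTE_READWRITE" in prot or "EXECUTE_WRITECOPY" in prot
        if executable and (writable or r["type"] != "MEM_IMAGE"):
            hits.append(r)
    return hits

print([hex(r["base"]) for r in unbacked_or_wx(parse_address_output(SAMPLE))])
```

To use it on real data, save the debugger's !address output to a text file and pass its contents to parse_address_output.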