Windbg内存映射?

时间:2014-03-28 20:12:29

标签: debugging memory windbg ollydbg

如何在Windbg中获取类似于Ollydbg的内存映射功能的内存映射?我希望看到一个地址空间列表,依次显示加载到每个范围内的内容,理想情况下会显示内存保护。这是Ollydbg的内存映射的屏幕截图:

enter image description here

1 个答案:

答案 0 :(得分:11)

!address正好显示此信息。它适用于用户模式和内核模式。用户模式过程示例:


0:000> !address


        BaseAddress      EndAddress+1        RegionSize     Type       State                 Protect             Usage
------------------------------------------------------------------------------------------------------------------------
+        0`00000000        0`7ffe0000        0`7ffe0000             MEM_FREE    PAGE_NOACCESS                      Free
+        0`7ffe0000        0`7ffe1000        0`00001000 MEM_PRIVATE MEM_COMMIT  PAGE_READONLY                      Other      [User Shared Data]
         0`7ffe1000        0`7fff0000        0`0000f000 MEM_PRIVATE MEM_RESERVE                                    
+        0`7fff0000       db`475a0000       da`c75b0000             MEM_FREE    PAGE_NOACCESS                      Free
+       db`475a0000       db`475b0000        0`00010000 MEM_MAPPED  MEM_COMMIT  PAGE_READWRITE                     Heap       [ID: 1; Handle: 000000db475a0000; Type: Segment]
+       db`475b0000       db`475c0000        0`00010000             MEM_FREE    PAGE_NOACCESS                      Free
+       db`475c0000       db`475cf000        0`0000f000 MEM_MAPPED  MEM_COMMIT  PAGE_READONLY                      Other      [API Set Map]
+       db`475cf000       db`475d0000        0`00001000             MEM_FREE    PAGE_NOACCESS                      Free
+       db`475d0000       db`475d1000        0`00001000 MEM_PRIVATE MEM_RESERVE                                    Stack      [~0; 2a7c.19a8]
        db`475d1000       db`475d4000        0`00003000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE|PAGE_GUARD          Stack      [~0; 2a7c.19a8]
        db`475d4000       db`476d0000        0`000fc000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     Stack      [~0; 2a7c.19a8]
+       db`476d0000       db`476d4000        0`00004000 MEM_MAPPED  MEM_COMMIT  PAGE_READONLY                      Other      [System Default Activation Context Data]
+       db`476d4000       db`476e0000        0`0000c000             MEM_FREE    PAGE_NOACCESS                      Free
+       db`476e0000       db`476e1000        0`00001000 MEM_MAPPED  MEM_COMMIT  PAGE_READONLY                      Other      [Activation Context Data]
+       db`476e1000       db`476f0000        0`0000f000             MEM_FREE    PAGE_NOACCESS                      Free
+       db`476f0000       db`476f2000        0`00002000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     
+       db`476f2000       db`47700000        0`0000e000             MEM_FREE    PAGE_NOACCESS                      Free
+       db`47700000       db`4777e000        0`0007e000 MEM_MAPPED  MEM_COMMIT  PAGE_READONLY                      MappedFile "\Device\HarddiskVolume2\Windows\System32\locale.nls"
+       db`4777e000       db`478c0000        0`00142000             MEM_FREE    PAGE_NOACCESS                      Free
+       db`478c0000       db`478c6000        0`00006000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     Heap       [ID: 0; Handle: 000000db478c0000; Type: Segment]
        db`478c6000       db`479bf000        0`000f9000 MEM_PRIVATE MEM_RESERVE                                    Heap       [ID: 0; Handle: 000000db478c0000; Type: Segment]
        db`479bf000       db`479c0000        0`00001000 MEM_PRIVATE MEM_RESERVE                                    
+       db`479c0000     7ff7`3e0a0000     7f1b`f66e0000             MEM_FREE    PAGE_NOACCESS                      Free
+     7ff7`3e0a0000     7ff7`3e0a5000        0`00005000 MEM_MAPPED  MEM_COMMIT  PAGE_READONLY                      Other      [Read Only Shared Memory]
      7ff7`3e0a5000     7ff7`3e1a0000        0`000fb000 MEM_MAPPED  MEM_RESERVE                                    MappedFile "PageFile"
+     7ff7`3e1a0000     7ff7`3e1c3000        0`00023000 MEM_MAPPED  MEM_COMMIT  PAGE_READONLY                      Other      [NLS Tables]
+     7ff7`3e1c3000     7ff7`3e1c8000        0`00005000             MEM_FREE    PAGE_NOACCESS                      Free
+     7ff7`3e1c8000     7ff7`3e1c9000        0`00001000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     PEB        [2a7c]
+     7ff7`3e1c9000     7ff7`3e1ce000        0`00005000             MEM_FREE    PAGE_NOACCESS                      Free
+     7ff7`3e1ce000     7ff7`3e1d0000        0`00002000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     TEB        [~0; 2a7c.19a8]
+     7ff7`3e1d0000     7ff7`3f0f0000        0`00f20000             MEM_FREE    PAGE_NOACCESS                      Free
+     7ff7`3f0f0000     7ff7`3f0f1000        0`00001000 MEM_IMAGE   MEM_COMMIT  PAGE_READONLY                      Image      [cmd; "cmd.exe"]
      7ff7`3f0f1000     7ff7`3f11d000        0`0002c000 MEM_IMAGE   MEM_COMMIT  PAGE_EXECUTE_READ                  Image      [cmd; "cmd.exe"]
      7ff7`3f11d000     7ff7`3f11e000        0`00001000 MEM_IMAGE   MEM_COMMIT  PAGE_READWRITE                     Image      [cmd; "cmd.exe"]
      7ff7`3f11e000     7ff7`3f13a000        0`0001c000 MEM_IMAGE   MEM_COMMIT  PAGE_WRITECOPY                     Image      [cmd; "cmd.exe"]
      7ff7`3f13a000     7ff7`3f14b000        0`00011000 MEM_IMAGE   MEM_COMMIT  PAGE_READONLY                      Image      [cmd; "cmd.exe"]
+     7ff7`3f14b000     7ffd`07920000        5`c87d5000             MEM_FREE    PAGE_NOACCESS                      Free
+     7ffd`07920000     7ffd`07921000        0`00001000 MEM_IMAGE   MEM_COMMIT  PAGE_READONLY                      Image      [KERNELBASE; "C:\Windows\system32\KERNELBASE.dll"]
      7ffd`07921000     7ffd`07a0e000        0`000ed000 MEM_IMAGE   MEM_COMMIT  PAGE_EXECUTE_READ                  Image      [KERNELBASE; "C:\Windows\system32\KERNELBASE.dll"]
      7ffd`07a0e000     7ffd`07a11000        0`00003000 MEM_IMAGE   MEM_COMMIT  PAGE_READWRITE                     Image      [KERNELBASE; "C:\Windows\system32\KERNELBASE.dll"]
      7ffd`07a11000     7ffd`07a12000        0`00001000 MEM_IMAGE   MEM_COMMIT  PAGE_WRITECOPY                     Image      [KERNELBASE; "C:\Windows\system32\KERNELBASE.dll"]
      7ffd`07a12000     7ffd`07a2f000        0`0001d000 MEM_IMAGE   MEM_COMMIT  PAGE_READONLY                      Image      [KERNELBASE; "C:\Windows\system32\KERNELBASE.dll"]
+     7ffd`07a2f000     7ffd`07c60000        0`00231000             MEM_FREE    PAGE_NOACCESS                      Free
+     7ffd`07c60000     7ffd`07c61000        0`00001000 MEM_IMAGE   MEM_COMMIT  PAGE_READONLY                      Image      [KERNEL32; "C:\Windows\system32\KERNEL32.DLL"]
      7ffd`07c61000     7ffd`07d73000        0`00112000 MEM_IMAGE   MEM_COMMIT  PAGE_EXECUTE_READ                  Image      [KERNEL32; "C:\Windows\system32\KERNEL32.DLL"]
      7ffd`07d73000     7ffd`07d74000        0`00001000 MEM_IMAGE   MEM_COMMIT  PAGE_READWRITE                     Image      [KERNEL32; "C:\Windows\system32\KERNEL32.DLL"]
      7ffd`07d74000     7ffd`07d75000        0`00001000 MEM_IMAGE   MEM_COMMIT  PAGE_WRITECOPY                     Image      [KERNEL32; "C:\Windows\system32\KERNEL32.DLL"]
      7ffd`07d75000     7ffd`07d99000        0`00024000 MEM_IMAGE   MEM_COMMIT  PAGE_READONLY                      Image      [KERNEL32; "C:\Windows\system32\KERNEL32.DLL"]
+     7ffd`07d99000     7ffd`08200000        0`00467000             MEM_FREE    PAGE_NOACCESS                      Free
+     7ffd`08200000     7ffd`08201000        0`00001000 MEM_IMAGE   MEM_COMMIT  PAGE_READONLY                      Image      [msvcrt; "C:\Windows\system32\msvcrt.dll"]
      7ffd`08201000     7ffd`0828f000        0`0008e000 MEM_IMAGE   MEM_COMMIT  PAGE_EXECUTE_READ                  Image      [msvcrt; "C:\Windows\system32\msvcrt.dll"]
      7ffd`0828f000     7ffd`08290000        0`00001000 MEM_IMAGE   MEM_COMMIT  PAGE_READWRITE                     Image      [msvcrt; "C:\Windows\system32\msvcrt.dll"]
      7ffd`08290000     7ffd`08294000        0`00004000 MEM_IMAGE   MEM_COMMIT  PAGE_WRITECOPY                     Image      [msvcrt; "C:\Windows\system32\msvcrt.dll"]
      7ffd`08294000     7ffd`0829f000        0`0000b000 MEM_IMAGE   MEM_COMMIT  PAGE_READONLY                      Image      [msvcrt; "C:\Windows\system32\msvcrt.dll"]
      7ffd`0829f000     7ffd`082a1000        0`00002000 MEM_IMAGE   MEM_COMMIT  PAGE_EXECUTE                       Image      [msvcrt; "C:\Windows\system32\msvcrt.dll"]
      7ffd`082a1000     7ffd`082a7000        0`00006000 MEM_IMAGE   MEM_COMMIT  PAGE_READONLY                      Image      [msvcrt; "C:\Windows\system32\msvcrt.dll"]
+     7ffd`082a7000     7ffd`0a3d0000        0`02129000             MEM_FREE    PAGE_NOACCESS                      Free
+     7ffd`0a3d0000     7ffd`0a3d1000        0`00001000 MEM_IMAGE   MEM_COMMIT  PAGE_READONLY                      Image      [ntdll; "ntdll.dll"]
      7ffd`0a3d1000     7ffd`0a4f9000        0`00128000 MEM_IMAGE   MEM_COMMIT  PAGE_EXECUTE_READ                  Image      [ntdll; "ntdll.dll"]
      7ffd`0a4f9000     7ffd`0a4fa000        0`00001000 MEM_IMAGE   MEM_COMMIT  PAGE_READWRITE                     Image      [ntdll; "ntdll.dll"]
      7ffd`0a4fa000     7ffd`0a4fc000        0`00002000 MEM_IMAGE   MEM_COMMIT  PAGE_WRITECOPY                     Image      [ntdll; "ntdll.dll"]
      7ffd`0a4fc000     7ffd`0a502000        0`00006000 MEM_IMAGE   MEM_COMMIT  PAGE_READWRITE                     Image      [ntdll; "ntdll.dll"]
      7ffd`0a502000     7ffd`0a510000        0`0000e000 MEM_IMAGE   MEM_COMMIT  PAGE_READONLY                      Image      [ntdll; "ntdll.dll"]
      7ffd`0a510000     7ffd`0a511000        0`00001000 MEM_IMAGE   MEM_COMMIT  PAGE_EXECUTE                       Image      [ntdll; "ntdll.dll"]
      7ffd`0a511000     7ffd`0a579000        0`00068000 MEM_IMAGE   MEM_COMMIT  PAGE_READONLY                      Image      [ntdll; "ntdll.dll"]
+     7ffd`0a579000     7fff`fffe0000        2`f5a67000             MEM_FREE    PAGE_NOACCESS                      Free
+     7fff`fffe0000     7fff`ffff0000        0`00010000 MEM_PRIVATE MEM_RESERVE PAGE_NOACCESS