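How can I get a memory map in Windbg similar to Ollydbg's memory map feature? I would like to see a list of the address space showing, in order, what is loaded into each range, ideally with the memory protection shown. Here is a screenshot of Ollydbg's memory map:
Answer 0 (score: 11)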
!address
shows exactly this information. It works in both user mode and kernel mode. Example for a user-mode process:
0:000> !address
BaseAddress EndAddress+1 RegionSize Type State Protect Usage
------------------------------------------------------------------------------------------------------------------------
+ 0`00000000 0`7ffe0000 0`7ffe0000 MEM_FREE PAGE_NOACCESS Free
+ 0`7ffe0000 0`7ffe1000 0`00001000 MEM_PRIVATE MEM_COMMIT PAGE_READONLY Other [User Shared Data]
0`7ffe1000 0`7fff0000 0`0000f000 MEM_PRIVATE MEM_RESERVE
+ 0`7fff0000 db`475a0000 da`c75b0000 MEM_FREE PAGE_NOACCESS Free
+ db`475a0000 db`475b0000 0`00010000 MEM_MAPPED MEM_COMMIT PAGE_READWRITE Heap [ID: 1; Handle: 000000db475a0000; Type: Segment]
+ db`475b0000 db`475c0000 0`00010000 MEM_FREE PAGE_NOACCESS Free
+ db`475c0000 db`475cf000 0`0000f000 MEM_MAPPED MEM_COMMIT PAGE_READONLY Other [API Set Map]
+ db`475cf000 db`475d0000 0`00001000 MEM_FREE PAGE_NOACCESS Free
+ db`475d0000 db`475d1000 0`00001000 MEM_PRIVATE MEM_RESERVE Stack [~0; 2a7c.19a8]
db`475d1000 db`475d4000 0`00003000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE|PAGE_GUARD Stack [~0; 2a7c.19a8]
db`475d4000 db`476d0000 0`000fc000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE Stack [~0; 2a7c.19a8]
+ db`476d0000 db`476d4000 0`00004000 MEM_MAPPED MEM_COMMIT PAGE_READONLY Other [System Default Activation Context Data]
+ db`476d4000 db`476e0000 0`0000c000 MEM_FREE PAGE_NOACCESS Free
+ db`476e0000 db`476e1000 0`00001000 MEM_MAPPED MEM_COMMIT PAGE_READONLY Other [Activation Context Data]
+ db`476e1000 db`476f0000 0`0000f000 MEM_FREE PAGE_NOACCESS Free
+ db`476f0000 db`476f2000 0`00002000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE
+ db`476f2000 db`47700000 0`0000e000 MEM_FREE PAGE_NOACCESS Free
+ db`47700000 db`4777e000 0`0007e000 MEM_MAPPED MEM_COMMIT PAGE_READONLY MappedFile "\Device\HarddiskVolume2\Windows\System32\locale.nls"
+ db`4777e000 db`478c0000 0`00142000 MEM_FREE PAGE_NOACCESS Free
+ db`478c0000 db`478c6000 0`00006000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE Heap [ID: 0; Handle: 000000db478c0000; Type: Segment]
db`478c6000 db`479bf000 0`000f9000 MEM_PRIVATE MEM_RESERVE Heap [ID: 0; Handle: 000000db478c0000; Type: Segment]
db`479bf000 db`479c0000 0`00001000 MEM_PRIVATE MEM_RESERVE
+ db`479c0000 7ff7`3e0a0000 7f1b`f66e0000 MEM_FREE PAGE_NOACCESS Free
+ 7ff7`3e0a0000 7ff7`3e0a5000 0`00005000 MEM_MAPPED MEM_COMMIT PAGE_READONLY Other [Read Only Shared Memory]
7ff7`3e0a5000 7ff7`3e1a0000 0`000fb000 MEM_MAPPED MEM_RESERVE MappedFile "PageFile"
+ 7ff7`3e1a0000 7ff7`3e1c3000 0`00023000 MEM_MAPPED MEM_COMMIT PAGE_READONLY Other [NLS Tables]
+ 7ff7`3e1c3000 7ff7`3e1c8000 0`00005000 MEM_FREE PAGE_NOACCESS Free
+ 7ff7`3e1c8000 7ff7`3e1c9000 0`00001000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE PEB [2a7c]
+ 7ff7`3e1c9000 7ff7`3e1ce000 0`00005000 MEM_FREE PAGE_NOACCESS Free
+ 7ff7`3e1ce000 7ff7`3e1d0000 0`00002000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE TEB [~0; 2a7c.19a8]
+ 7ff7`3e1d0000 7ff7`3f0f0000 0`00f20000 MEM_FREE PAGE_NOACCESS Free
+ 7ff7`3f0f0000 7ff7`3f0f1000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [cmd; "cmd.exe"]
7ff7`3f0f1000 7ff7`3f11d000 0`0002c000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image [cmd; "cmd.exe"]
7ff7`3f11d000 7ff7`3f11e000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READWRITE Image [cmd; "cmd.exe"]
7ff7`3f11e000 7ff7`3f13a000 0`0001c000 MEM_IMAGE MEM_COMMIT PAGE_WRITECOPY Image [cmd; "cmd.exe"]
7ff7`3f13a000 7ff7`3f14b000 0`00011000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [cmd; "cmd.exe"]
+ 7ff7`3f14b000 7ffd`07920000 5`c87d5000 MEM_FREE PAGE_NOACCESS Free
+ 7ffd`07920000 7ffd`07921000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [KERNELBASE; "C:\Windows\system32\KERNELBASE.dll"]
7ffd`07921000 7ffd`07a0e000 0`000ed000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image [KERNELBASE; "C:\Windows\system32\KERNELBASE.dll"]
7ffd`07a0e000 7ffd`07a11000 0`00003000 MEM_IMAGE MEM_COMMIT PAGE_READWRITE Image [KERNELBASE; "C:\Windows\system32\KERNELBASE.dll"]
7ffd`07a11000 7ffd`07a12000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_WRITECOPY Image [KERNELBASE; "C:\Windows\system32\KERNELBASE.dll"]
7ffd`07a12000 7ffd`07a2f000 0`0001d000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [KERNELBASE; "C:\Windows\system32\KERNELBASE.dll"]
+ 7ffd`07a2f000 7ffd`07c60000 0`00231000 MEM_FREE PAGE_NOACCESS Free
+ 7ffd`07c60000 7ffd`07c61000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [KERNEL32; "C:\Windows\system32\KERNEL32.DLL"]
7ffd`07c61000 7ffd`07d73000 0`00112000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image [KERNEL32; "C:\Windows\system32\KERNEL32.DLL"]
7ffd`07d73000 7ffd`07d74000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READWRITE Image [KERNEL32; "C:\Windows\system32\KERNEL32.DLL"]
7ffd`07d74000 7ffd`07d75000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_WRITECOPY Image [KERNEL32; "C:\Windows\system32\KERNEL32.DLL"]
7ffd`07d75000 7ffd`07d99000 0`00024000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [KERNEL32; "C:\Windows\system32\KERNEL32.DLL"]
+ 7ffd`07d99000 7ffd`08200000 0`00467000 MEM_FREE PAGE_NOACCESS Free
+ 7ffd`08200000 7ffd`08201000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [msvcrt; "C:\Windows\system32\msvcrt.dll"]
7ffd`08201000 7ffd`0828f000 0`0008e000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image [msvcrt; "C:\Windows\system32\msvcrt.dll"]
7ffd`0828f000 7ffd`08290000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READWRITE Image [msvcrt; "C:\Windows\system32\msvcrt.dll"]
7ffd`08290000 7ffd`08294000 0`00004000 MEM_IMAGE MEM_COMMIT PAGE_WRITECOPY Image [msvcrt; "C:\Windows\system32\msvcrt.dll"]
7ffd`08294000 7ffd`0829f000 0`0000b000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [msvcrt; "C:\Windows\system32\msvcrt.dll"]
7ffd`0829f000 7ffd`082a1000 0`00002000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE Image [msvcrt; "C:\Windows\system32\msvcrt.dll"]
7ffd`082a1000 7ffd`082a7000 0`00006000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [msvcrt; "C:\Windows\system32\msvcrt.dll"]
+ 7ffd`082a7000 7ffd`0a3d0000 0`02129000 MEM_FREE PAGE_NOACCESS Free
+ 7ffd`0a3d0000 7ffd`0a3d1000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [ntdll; "ntdll.dll"]
7ffd`0a3d1000 7ffd`0a4f9000 0`00128000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image [ntdll; "ntdll.dll"]
7ffd`0a4f9000 7ffd`0a4fa000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_READWRITE Image [ntdll; "ntdll.dll"]
7ffd`0a4fa000 7ffd`0a4fc000 0`00002000 MEM_IMAGE MEM_COMMIT PAGE_WRITECOPY Image [ntdll; "ntdll.dll"]
7ffd`0a4fc000 7ffd`0a502000 0`00006000 MEM_IMAGE MEM_COMMIT PAGE_READWRITE Image [ntdll; "ntdll.dll"]
7ffd`0a502000 7ffd`0a510000 0`0000e000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [ntdll; "ntdll.dll"]
7ffd`0a510000 7ffd`0a511000 0`00001000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE Image [ntdll; "ntdll.dll"]
7ffd`0a511000 7ffd`0a579000 0`00068000 MEM_IMAGE MEM_COMMIT PAGE_READONLY Image [ntdll; "ntdll.dll"]
+ 7ffd`0a579000 7fff`fffe0000 2`f5a67000 MEM_FREE PAGE_NOACCESS Free
+ 7fff`fffe0000 7fff`ffff0000 0`00010000 MEM_PRIVATE MEM_RESERVE PAGE_NOACCESS
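An added example, not part of the original answer: once the `!address` listing is saved to a log, a short parser can turn it into records and pick out the committed executable regions that are writable or not backed by an image, which is a common first pass when triaging a process's memory map. The function names `parse_address_output` and `executable_outliers` are hypothetical, and the last sample row is constructed; the other rows come from the listing above.

```python
import re

# Rows taken from the listing above; the last row is constructed for illustration.
SAMPLE = """\
0`7ffe1000 0`7fff0000 0`0000f000 MEM_PRIVATE MEM_RESERVE
+ 0`7fff0000 db`475a0000 da`c75b0000 MEM_FREE PAGE_NOACCESS Free
db`475d1000 db`475d4000 0`00003000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE|PAGE_GUARD Stack [~0; 2a7c.19a8]
7ff7`3f0f1000 7ff7`3f11d000 0`0002c000 MEM_IMAGE MEM_COMMIT PAGE_EXECUTE_READ Image [cmd; "cmd.exe"]
+ db`47800000 db`47801000 0`00001000 MEM_PRIVATE MEM_COMMIT PAGE_EXECUTE_READWRITE
"""

ROW = re.compile(r"^\+?\s*([0-9a-f`]+)\s+([0-9a-f`]+)\s+([0-9a-f`]+)\s*(.*)$")
TYPES = {"MEM_PRIVATE", "MEM_MAPPED", "MEM_IMAGE"}
STATES = {"MEM_COMMIT", "MEM_RESERVE", "MEM_FREE"}
WRITE_EXEC = {"PAGE_EXECUTE_READWRITE", "PAGE_EXECUTE_WRITECOPY"}

def parse_address_output(text):
    """Turn !address rows into dicts; header, ruler and prompt lines are skipped."""
    regions = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        base, end, size = (int(g.replace("`", ""), 16) for g in m.groups()[:3])
        r = {"base": base, "end": end, "size": size,
             "type": "", "state": "", "protect": [], "usage": ""}
        tail = m.group(4)
        while tail:                      # Type/State/Protect are optional columns
            tok, _, remainder = tail.partition(" ")
            if tok in TYPES:
                r["type"] = tok
            elif tok in STATES:
                r["state"] = tok
            elif tok.startswith("PAGE_"):
                r["protect"] = tok.split("|")
            else:
                break
            tail = remainder.lstrip()
        r["usage"] = tail                # free text, may contain spaces
        regions.append(r)
    return regions

def executable_outliers(regions):
    """Committed executable regions that are writable or not backed by an image."""
    return [r for r in regions
            if r["state"] == "MEM_COMMIT"
            and any(p.startswith("PAGE_EXECUTE") for p in r["protect"])
            and (WRITE_EXEC & set(r["protect"]) or r["type"] != "MEM_IMAGE")]
```

Image sections with `PAGE_EXECUTE_READ` or `PAGE_EXECUTE`, such as the `cmd.exe` and `ntdll.dll` rows in the listing, are not reported.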