I want to get a memory dump of a specific process.
I found that every Windows process contains a VadRoot in EPROCESS.
I used windbg to get some information about this structure...
kd> dt nt!_MMVAD fffffa801b7011d0
+0x000 u1 : <unnamed-tag>
+0x008 LeftChild : (null)
+0x010 RightChild : (null)
+0x018 StartingVpn : 0x7fefe440
+0x020 EndingVpn : 0x7fefe4b0
+0x028 u : <unnamed-tag>
+0x030 PushLock : _EX_PUSH_LOCK
+0x038 u5 : <unnamed-tag>
+0x040 u2 : <unnamed-tag>
+0x048 Subsection : 0xfffffa80`19f62640 _SUBSECTION
+0x048 MappedSubsection : 0xfffffa80`19f62640 _MSUBSECTION
+0x050 FirstPrototypePte : 0xfffff8a0`00b3ac28 _MMPTE
+0x058 LastContiguousPte : 0xffffffff`fffffffc _MMPTE
+0x060 ViewLinks : _LIST_ENTRY [ 0xfffffa80`1b7a38c0 - 0xfffffa80`1aa6d6a0 ]
+0x070 VadsProcess : 0xfffffa80`1b7e8941 _EPROCESS
It's Win7 64-bit.
I guess StartingVpn: 0x7fefe440 contains the memory contents of this block.
But is this a virtual address? Or a real address? I don't know
what it represents...
Thanks.
Answer 0: (score: 1)
VAD is short for Virtual Address Descriptor, and VPN is short for Virtual Page Number. So it is a virtual address, not a physical address.
You need to use the PTE (page table entry) to convert it to a physical address.
Given a user mode address that I found in a user mode debugging session:
0:032> !address
[...]
+ 7ff`fffdc000 7ff`fffde000 0`00002000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE TEB [~1; 13ec.10fc]
0:032> dd 7ff`fffde000 L8
000007ff`fffde000 00000000 00000000 00240000 00000000
000007ff`fffde010 0022b000 00000000 00000000 00000000
I can do this in a kernel debugging session using LiveKd (SysInternals):
0: kd> !process 0 0 explorer.exe
PROCESS fffffa8012ce5b10
SessionId: 1 Cid: 13ec Peb: 7fffffd6000 ParentCid: 13c0
DirBase: 3029e8000 ObjectTable: fffff8a006139d60 HandleCount: 1078.
Image: explorer.exe
0: kd> .process /p /r fffffa8012ce5b10
Implicit process is now fffffa80`12ce5b10
Loading User Symbols
[...]
0: kd> !vtop 0 7fffffde000
Amd64VtoP: Virt 000007ff`fffde000, pagedir 00000003`029e8000
Amd64VtoP: PML4E 00000003`029e8078
Amd64VtoP: PDPE 00000003`00ebcff8
Amd64VtoP: PDE 00000003`0203dff8
Amd64VtoP: PTE 00000003`01ebeef0
Amd64VtoP: Mapped phys 00000002`ff44f000
Virtual address 7fffffde000 translates to physical address 2ff44f000.
0: kd> dd /p 2ff44f000 L8
00000002`ff44f000 00000000 00000000 00240000 00000000
00000002`ff44f010 0022b000 00000000 00000000 00000000
Note that the contents at the virtual address (dd) and at the physical address (dd /p) are the same.
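An added example (not code from the question or either answer) that reproduces the !vtop walk shown above in Python: it derives the four table-entry addresses from the virtual address and DirBase, and also converts a VAD's StartingVpn/EndingVpn page numbers into byte addresses. The contents of the page-table entries are constructed, because the page only shows the entry addresses, not what they contain.

```python
# Added example, not code from the question or either answer: it reproduces
# the AMD64 page-table walk that !vtop prints, using the addresses from the
# kernel session above and constructed entries for the table contents.
PAGE_SHIFT = 12
INDEX_MASK = 0x1FF                     # 9 index bits per level on x64
PFN_MASK = 0x000FFFFFFFFFF000          # frame-address bits of an entry
PRESENT = 1

def vad_va_range(start_vpn, end_vpn):
    """StartingVpn/EndingVpn in a VAD are page numbers, not byte addresses.
    Returns the first and last byte of the region they describe."""
    return start_vpn << PAGE_SHIFT, ((end_vpn + 1) << PAGE_SHIFT) - 1

def table_indices(va):
    """Split a 48-bit virtual address into four 9-bit table indices
    and the 12-bit in-page offset."""
    return {
        "pml4": (va >> 39) & INDEX_MASK,
        "pdpt": (va >> 30) & INDEX_MASK,
        "pd": (va >> 21) & INDEX_MASK,
        "pt": (va >> 12) & INDEX_MASK,
        "offset": va & ((1 << PAGE_SHIFT) - 1),
    }

def vtop(va, pagedir, read_entry):
    """Walk PML4 -> PDPT -> PD -> PT from the process DirBase. read_entry(phys)
    returns the 64-bit entry at phys. Returns (entry addresses, physical)."""
    idx = table_indices(va)
    base, entries = pagedir, []
    for level in ("pml4", "pdpt", "pd", "pt"):
        entry_addr = base + idx[level] * 8
        entries.append(entry_addr)
        entry = read_entry(entry_addr)
        if not entry & PRESENT:            # not mapped or paged out
            raise ValueError(f"{level} entry at {entry_addr:#x} not present")
        base = entry & PFN_MASK            # next table, or the data frame
    return entries, base | idx["offset"]

# Constructed page-table contents (large pages and NX are not modelled):
# each entry points at the next table base that !vtop printed.
FAKE_MEMORY = {
    0x3029E8078: 0x300EBC000 | PRESENT,    # PML4E -> PDPT
    0x300EBCFF8: 0x30203D000 | PRESENT,    # PDPE  -> PD
    0x30203DFF8: 0x301EBE000 | PRESENT,    # PDE   -> PT
    0x301EBEEF0: 0x2FF44F000 | PRESENT,    # PTE   -> data page
}

def demo():
    """Translate the TEB address from the answer with DirBase 3029e8000."""
    return vtop(0x7FFFFFDE000, 0x3029E8000, FAKE_MEMORY.__getitem__)
```

Against a real target the read_entry callback would be backed by `dq /p` reads (or a memory image); here the walk reproduces the entry addresses 3029e8078, 300ebcff8, 30203dff8 and 301ebeef0 and the final 2ff44f000 exactly as !vtop printed them.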
Answer 1: (score: 1)
Find the process
lkd> !process 0 0 explorer.exe
PROCESS 8a1908d0 ...... Image: explorer.exe
Set the process context
lkd> .process /p /r 8a1908d0
Look at the reqd module
lkd> lm m explorer
start end module name
01000000 010ff000 Explorer (deferred)
Get the vadroot for the virtual address in the current process context
lkd> !vad explorer 1
VAD @ 8a120ed0
Start VPN 1000 End VPN 10fe Control Area 8a81ab80
FirstProtoPte e23e9048 LastPte fffffffc Commit Charge 3 (3.)
Secured.Flink 0 Blink 0 Banked/Extend 0
File Offset 0
ImageMap ViewShare EXECUTE_WRITECOPY
ReadOnly
ControlArea @ 8a81ab80
Segment e23e9008 Flink 00000000 Blink 00000000
Section Ref 1 Pfn Ref 4d Mapped Views 1
User Ref 2 WaitForDel 0 Flush Count 0
File Object 8ab28240 ModWriteCount 0 System Views 0
Flags (90000a0) Image File HadUserReference Accessed
\WINDOWS\explorer.exe
Segment @ e23e9008
ControlArea 8a81ab80 BasedAddress 01000000
Total Ptes ff
WriteUserRef 0 SizeOfSegment ff000
Committed 0 PTE Template 8a81ac3000000420
Based Addr 1000000 Image Base 0
Image Commit 2 Image Info e23e9840
ProtoPtes e23e9048
Reload command: .reload explorer.exe=01000000,ff000
Dump all vads for the current process context
lkd> !vad 8a120ed0 0
VAD level start end commit
8a03b1d8 ( 3) e50 e51 0 Mapped READONLY Pagefile-backed section
8a6fe240 ( 4) e60 e6f 0 Mapped READWRITE Pagefile-backed section
................................
89c86600 ( 5) ff0 ff0 1 Private READWRITE
8a120ed0 ( 0) 1000 10fe 3 Mapped Exe EXECUTE_WRITECOPY \WINDOWS\explorer.exe
.................................
8a87bb18 ( 7) 26d0 2733 0 Mapped READWRITE \Documents and Settings\Admin\Local Settings\History\History.IE5\index.dat
8a74b420 ( 0) 3e1c0 3ec52 10 Mapped Exe EXECUTE_WRITECOPY \WINDOWS\system32\ieframe.dll
8abfa398 ( 1) 7ffde 7ffde 1 Private READWRITE
Total VADs: 1231, average level: 5, maximum depth: 4294967295