如何在WinDbg中找到内存映射文件的名称?

时间:2010-11-19 18:48:33

标签: windows memory memory-management windbg

当我在VMMap中查看我的进程时,我可以看到内存映射文件的文件名。我现在正在分析WinDbg中的内存转储,并想知道内存映射文件的文件名。如何从WinDbg或.dmp文件中找到它?

2 个答案:

答案 0 :(得分:4)

!address -f:FileMap适用于实时调试。

您可以查看!address文档,了解有关可用于优化输出的其他标志的更多详细信息。

答案 1 :(得分:2)

基本上,一旦您设法获取内存映射文件的句柄,就可以使用!handle <address> 0xF命令查看一些相关数据(包括其名称)。
如果您没有特定句柄,但只想查看过程中现有内存映射文件的名称,则可以使用以下命令:!handle 0 0x4 Section
哪个应该为您提供类似于此的输出:

Handle 6bc
  Name          \BaseNamedObjects\NLS_CodePage_862_3_2_0_0
Handle 6cc
  Name          \BaseNamedObjects\MyMap
Handle 794
  Name          \BaseNamedObjects\Cor_Private_IPCBlock_v4_4092
Handle 798
  Name          \BaseNamedObjects\Cor_SxSPublic_IPCBlock_4092
Handle 7cc
  Name          \BaseNamedObjects\ShimSharedMemory
5 handles of type Section

如果您想查看实际文件名,可以在内核调试器中发出!handle命令,以查看与文件句柄对应的系统对象的一些信息。
例如:

lkd> !handle 0 0x3 2c4 File

Searching for Process with Cid == 2c4
Searching for handles of type File
PROCESS 89242da0  SessionId: 0  Cid: 02c4    Peb: 7ffdd000  ParentCid: 0b48
    DirBase: 0a640dc0  ObjectTable: e1c361d0  HandleCount:  83.
    Image: ConsoleApplication1.exe

Handle table at e11f6000 with 83 entries in use

000c: Object: 86a74868  GrantedAccess: 00100020 (Inherit) Entry: e11f6018
Object: 86a74868  Type: (89e2a730) File
    ObjectHeader: 86a74850 (old version)
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \Foo\Bar {HarddiskVolume2}

06d0: Object: 8669c4b8  GrantedAccess: 00100083 Entry: e11f6da0
Object: 8669c4b8  Type: (89e2a730) File
    ObjectHeader: 8669c4a0 (old version)
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \wubildr {HarddiskVolume1}

06d4: Object: 86bf1f58  GrantedAccess: 00120089 Entry: e11f6da8
Object: 86bf1f58  Type: (89e2a730) File
    ObjectHeader: 86bf1f40 (old version)
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \WINDOWS\assembly\pubpol6.dat {HarddiskVolume1}

06dc: Object: 892c43e0  GrantedAccess: 00120089 Entry: e11f6db8
Object: 892c43e0  Type: (89e2a730) File
    ObjectHeader: 892c43c8 (old version)
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \WINDOWS\assembly\NativeImages_v4.0.30319_32\index1fe.dat {HarddiskVolume1}

06ec: Object: 892cf1f8  GrantedAccess: 00100001 Entry: e11f6dd8
Object: 892cf1f8  Type: (89e2a730) File
    ObjectHeader: 892cf1e0 (old version)
        HandleCount: 1  PointerCount: 1
相关问题
最新问题