WinDbg command !dlls: why are the SECTION HEADER values all 0 in the output of !dlls -a?
Here is my walkthrough:
0:000> !dlls -a
0x00673270: D:\WinAfl\test\a.exe
Base 0x00400000 EntryPoint 0x00401280 Size 0x0000a000
Flags 0x00004000 LoadCount 0x0000ffff TlsIndex 0x0000ffff
LDRP_ENTRY_PROCESSED
File Type: EXECUTABLE IMAGE
FILE HEADER VALUES
14C machine (i386)
8 number of sections
50000 time date stamp Mon Jan 05 03:01:20 1970
2800 file pointer to symbol table
29C number of symbols
E0 size of optional header
307 characteristics
Relocations stripped
Executable
Line numbers stripped
32 bit word machine
Debug information stripped
OPTIONAL HEADER VALUES
10B magic #
2.24 linker version
1200 size of code
2400 size of initialized data
200 size of uninitialized data
1280 address of entry point
1000 base of code
3000 base of data
----- new -----
00400000 image base
1000 section alignment
200 file alignment
3 subsystem (Windows CUI)
4.00 operating system version
1.00 image version
4.00 subsystem version
A000 size of image
400 size of headers
C9C4 checksum
00200000 size of stack reserve
00001000 size of stack commit
00100000 size of heap reserve
00001000 size of heap commit
00400098 Opt Hdr
0 [ 0] address [size] of Export Directory
7000 [ 3CC] address [size] of Import Directory
0 [ 0] address [size] of Resource Directory
0 [ 0] address [size] of Exception Directory
0 [ 0] address [size] of Security Directory
0 [ 0] address [size] of Base Relocation Directory
0 [ 0] address [size] of Debug Directory
0 [ 0] address [size] of Description Directory
0 [ 0] address [size] of Special Directory
9004 [ 18] address [size] of Thread Storage Directory
0 [ 0] address [size] of Load Configuration Directory
0 [ 0] address [size] of Bound Import Directory
70C8 [ 8C] address [size] of Import Address Table Directory
0 [ 0] address [size] of Reserved Directory
0 [ 0] address [size] of Reserved Directory
0 [ 0] address [size] of Reserved Directory
SECTION HEADER #1
name
0 virtual size
0 virtual address
0 size of raw data
0 file pointer to raw data
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
0 flags
(no align specified)
SECTION HEADER #2
name
0 virtual size
0 virtual address
0 size of raw data
0 file pointer to raw data
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
0 flags
(no align specified)
SECTION HEADER #3
name
0 virtual size
0 virtual address
0 size of raw data
0 file pointer to raw data
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
0 flags
(no align specified)
SECTION HEADER #4
name
0 virtual size
0 virtual address
0 size of raw data
0 file pointer to raw data
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
0 flags
(no align specified)
SECTION HEADER #5
name
0 virtual size
0 virtual address
0 size of raw data
0 file pointer to raw data
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
0 flags
(no align specified)
SECTION HEADER #6
name
0 virtual size
0 virtual address
0 size of raw data
0 file pointer to raw data
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
0 flags
(no align specified)
SECTION HEADER #7
name
0 virtual size
0 virtual address
0 size of raw data
0 file pointer to raw data
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
0 flags
(no align specified)
SECTION HEADER #8
name
0 virtual size
0 virtual address
0 size of raw data
0 file pointer to raw data
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
0 flags
(no align specified)
0x00673300: C:\windows\SysWOW64\ntdll.dll
Base 0x77c60000 EntryPoint 0x00000000 Size 0x00180000
Flags 0x00004004 LoadCount 0x0000ffff TlsIndex 0x00000000
LDRP_IMAGE_DLL
LDRP_ENTRY_PROCESSED
File Type: DLL
FILE HEADER VALUES
14C machine (i386)
5 number of sections
598D4C81 time date stamp Fri Aug 11 14:19:45 2017
0 file pointer to symbol table
0 number of symbols
E0 size of optional header
2102 characteristics
Executable
32 bit word machine
DLL
OPTIONAL HEADER VALUES
10B magic #
9.00 linker version
D6200 size of code
68400 size of initialized data
0 size of uninitialized data
0 address of entry point
10000 base of code
F0000 base of data
----- new -----
77c60000 image base
10000 section alignment
200 file alignment
3 subsystem (Windows CUI)
6.01 operating system version
6.01 image version
6.01 subsystem version
180000 size of image
400 size of headers
146B93 checksum
00040000 size of stack reserve
00001000 size of stack commit
00100000 size of heap reserve
00001000 size of heap commit
77c600f0 Opt Hdr
101F8 [ F6B8] address [size] of Export Directory
0 [ 0] address [size] of Import Directory
110000 [ 5A028] address [size] of Resource Directory
0 [ 0] address [size] of Exception Directory
13D400 [ 3940] address [size] of Security Directory
170000 [ 4CB8] address [size] of Base Relocation Directory
E5E84 [ 38] address [size] of Debug Directory
0 [ 0] address [size] of Description Directory
0 [ 0] address [size] of Special Directory
0 [ 0] address [size] of Thread Storage Directory
75B50 [ 40] address [size] of Load Configuration Directory
0 [ 0] address [size] of Bound Import Directory
0 [ 0] address [size] of Import Address Table Directory
0 [ 0] address [size] of Reserved Directory
0 [ 0] address [size] of Reserved Directory
0 [ 0] address [size] of Reserved Directory
SECTION HEADER #1
name
0 virtual size
0 virtual address
0 size of raw data
0 file pointer to raw data
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
0 flags
(no align specified)
SECTION HEADER #2
name
0 virtual size
0 virtual address
0 size of raw data
0 file pointer to raw data
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
0 flags
(no align specified)
SECTION HEADER #3
name
0 virtual size
0 virtual address
0 size of raw data
0 file pointer to raw data
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
0 flags
(no align specified)
SECTION HEADER #4
name
0 virtual size
0 virtual address
0 size of raw data
0 file pointer to raw data
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
0 flags
(no align specified)
SECTION HEADER #5
name
0 virtual size
0 virtual address
0 size of raw data
0 file pointer to raw data
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
0 flags
(no align specified)
Answer 0: (score: 1)
!dlls only works in live debugging mode, not in dump analysis.
To dump only a single module, use -c {expression that parses and resolves to some module's virtual address space}.
See the second query below.
0:000> lm m calc
Browse full module list
start end module name
00710000 007d0000 calc (deferred)
0:000> !dlls -c calc
0x001321c8: C:\Windows\system32\calc.exe
Base 0x00710000 EntryPoint 0x00722d6c Size 0x000c0000
Flags 0x00004000 LoadCount 0x0000ffff TlsIndex 0x00000000
LDRP_ENTRY_PROCESSED
0:000> !dlls -c 7c1234
0x001321c8: C:\Windows\system32\calc.exe
Base 0x00710000 EntryPoint 0x00722d6c Size 0x000c0000
Flags 0x00004000 LoadCount 0x0000ffff TlsIndex 0x00000000
LDRP_ENTRY_PROCESSED
!dlls -a in my WinDbg output has more than 27k lines, since it walks all dependencies:
0:000> .shell -ci "!dlls -a -c 7c1234" wc -l
27872
It outputs kernel32.dll 15 times:
0:000> .shell -ci "!dlls -a -c 7c1234" grep -c -i kernel32.dll
15
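As an added example (not part of the question or the answer above), the following Python script reads the IMAGE_SECTION_HEADER table directly from the bytes of a PE file, so the section fields that !dlls prints as zero (name, virtual size, virtual address, raw data pointers, flags) can be cross-checked against the on-disk image. The sample PE is a constructed, header-only PE32 whose file-header values mirror the a.exe in the question; the writable_executable helper is an assumption of this example, not a WinDbg feature.

```python
import struct

# IMAGE_SECTION_HEADER (40 bytes): Name[8], VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
# NumberOfLinenumbers, Characteristics
SECTION_FMT = "<8sIIIIIIHHI"
SECTION_SIZE = struct.calcsize(SECTION_FMT)
FIELDS = ("name", "virtual_size", "virtual_address", "size_of_raw_data",
          "pointer_to_raw_data", "pointer_to_relocations", "pointer_to_linenumbers",
          "number_of_relocations", "number_of_linenumbers", "flags")
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x80000000

def parse_section_headers(image: bytes) -> list:
    """Read the section table straight from on-disk PE image bytes."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER (20 bytes) follows the signature; the section table
    # starts right after the optional header, whose size the file header gives.
    coff = e_lfanew + 4
    _machine, nsections, _ts, _psym, _nsym, opt_size, _chars = \
        struct.unpack_from("<HHIIIHH", image, coff)
    table = coff + 20 + opt_size
    sections = []
    for i in range(nsections):
        off = table + i * SECTION_SIZE
        if off + SECTION_SIZE > len(image):
            raise ValueError(f"section header #{i + 1} lies past end of image")
        sec = dict(zip(FIELDS, struct.unpack_from(SECTION_FMT, image, off)))
        sec["name"] = sec["name"].rstrip(b"\0").decode("ascii", "replace")
        sections.append(sec)
    return sections

def writable_executable(sections: list) -> list:
    """Names of sections mapped both writable and executable (worth a second look)."""
    wx = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE
    return [s["name"] for s in sections if s["flags"] & wx == wx]

def build_sample_pe() -> bytes:
    """Constructed header-only PE32 (not a real binary) with two sections; the
    file-header values mirror the a.exe in the question (14C, 50000, E0, 307)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)             # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0x50000, 0, 0, 0xE0, 0x307)
    opt = struct.pack("<H", 0x10B) + b"\0" * (0xE0 - 2)                # PE32 magic, rest zeroed
    text = struct.pack(SECTION_FMT, b".text", 0x1200, 0x1000, 0x1200, 0x400,
                       0, 0, 0, 0, 0x60000020)                         # CODE | EXECUTE | READ
    data = struct.pack(SECTION_FMT, b".data", 0x2400, 0x3000, 0x2400, 0x1600,
                       0, 0, 0, 0, 0xC0000040)                         # INITIALIZED_DATA | READ | WRITE
    return dos + b"PE\0\0" + coff + opt + text + data
```

Run parse_section_headers on the bytes of a real module file to compare its section table with what !dlls -a shows for the same module in a live session.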