windbg学习----r?-白红宇

windbg学习----r?

阅读量：4650 次

发布时间：2019-06-09

本文共 5320 字，大约阅读时间需要 17 分钟。

r?命令可以让伪寄存器自动获取所赋参数的类型

(仅在指派伪寄存器时) 使得伪寄存器获得类型信息。可以使用任何类型

如，我们知道@$peb的类型是_PEB:

0:000> dt ntdll!*PEB*          ntdll!_PEB          ntdll!_PEB_LDR_DATA

0:000> ? @$pebEvaluate expression: 2147344384 = 7ffde000

值为7ffde000

0:000> dt -v ntdll!_PEB  @$pebstruct _PEB, 91 elements, 0x248 bytes   +0x000 InheritedAddressSpace : 0 ''   +0x001 ReadImageFileExecOptions : 0 ''   +0x002 BeingDebugged    : 0x1 ''   +0x003 BitField         : 0x8 ''   +0x003 ImageUsesLargePages : Bitfield 0y0   +0x003 IsProtectedProcess : Bitfield 0y0   +0x003 IsLegacyProcess  : Bitfield 0y0   +0x003 IsImageDynamicallyRelocated : Bitfield 0y1   +0x003 SkipPatchingUser32Forwarders : Bitfield 0y0   +0x003 SpareBits        : Bitfield 0y000   +0x004 Mutant           : 0xffffffff    +0x008 ImageBaseAddress : 0x00ac0000    +0x00c Ldr              : 0x77d97880 struct _PEB_LDR_DATA, 9 elements, 0x30 bytes   +0x010 ProcessParameters : 0x00321a80 struct _RTL_USER_PROCESS_PARAMETERS, 30 elements, 0x298 bytes   +0x014 SubSystemData    : (null)    +0x018 ProcessHeap      : 0x00320000    +0x01c FastPebLock      : 0x77d97380 struct _RTL_CRITICAL_SECTION, 6 elements, 0x18 bytes   +0x020 AtlThunkSListPtr : (null)    +0x024 IFEOKey          : (null)    +0x028 CrossProcessFlags : 0   +0x028 ProcessInJob     : Bitfield 0y0   +0x028 ProcessInitializing : Bitfield 0y0   +0x028 ProcessUsingVEH  : Bitfield 0y0   +0x028 ProcessUsingVCH  : Bitfield 0y0   +0x028 ProcessUsingFTH  : Bitfield 0y0   +0x028 ReservedBits0    : Bitfield 0y000000000000000000000000000 (0)   +0x02c KernelCallbackTable : 0x76c4d568    +0x02c UserSharedInfoPtr : 0x76c4d568    +0x030 SystemReserved   : [1] 0   +0x034 AtlThunkSListPtr32 : 0   +0x038 ApiSetMap        : 0x77f00000    +0x03c TlsExpansionCounter : 0   +0x040 TlsBitmap        : 0x77d97260    +0x044 TlsBitmapBits    : [2] 0xffffffff   +0x04c ReadOnlySharedMemoryBase : 0x7f6f0000    +0x050 HotpatchInformation : (null)    +0x054 ReadOnlyStaticServerData : 0x7f6f0590  -> (null)    +0x058 AnsiCodePageData : 0x7ffa0000    +0x05c OemCodePageData  : 0x7ffa0000    +0x060 UnicodeCaseTableData : 0x7ffd0024    +0x064 NumberOfProcessors : 4   +0x068 NtGlobalFlag     : 0x70   +0x070 CriticalSectionTimeout : union _LARGE_INTEGER, 4 elements, 0x8 bytes 0xffffe86d`079b8000   +0x078 HeapSegmentReserve : 0x100000   +0x07c HeapSegmentCommit : 0x2000   +0x080 HeapDeCommitTotalFreeThreshold : 0x10000   +0x084 HeapDeCommitFreeBlockThreshold : 0x1000   +0x088 NumberOfHeaps    : 0xc   +0x08c MaximumNumberOfHeaps : 0x10   +0x090 ProcessHeaps     : 0x77d97500  -> 0x00320000    +0x094 GdiSharedHandleTable : 0x005c0000    +0x098 ProcessStarterHelper : (null)    +0x09c GdiDCAttributeList : 0x14   +0x0a0 LoaderLock       : 0x77d97340 struct _RTL_CRITICAL_SECTION, 6 elements, 0x18 bytes   +0x0a4 OSMajorVersion   : 6   +0x0a8 OSMinorVersion   : 1   +0x0ac OSBuildNumber    : 0x1db1   +0x0ae OSCSDVersion     : 0x100   +0x0b0 OSPlatformId     : 2   +0x0b4 ImageSubsystem   : 2   +0x0b8 ImageSubsystemMajorVersion : 5   +0x0bc ImageSubsystemMinorVersion : 1   +0x0c0 ActiveProcessAffinityMask : 0xf   +0x0c4 GdiHandleBuffer  : [34] 0   +0x14c PostProcessInitRoutine : (null)    +0x150 TlsExpansionBitmap : 0x77d97268    +0x154 TlsExpansionBitmapBits : [32] 1   +0x1d4 SessionId        : 1   +0x1d8 AppCompatFlags   : union _ULARGE_INTEGER, 4 elements, 0x8 bytes 0x0   +0x1e0 AppCompatFlagsUser : union _ULARGE_INTEGER, 4 elements, 0x8 bytes 0x0   +0x1e8 pShimData        : (null)    +0x1ec AppCompatInfo    : (null)    +0x1f0 CSDVersion       : struct _UNICODE_STRING, 3 elements, 0x8 bytes "Service Pack 1"   +0x1f8 ActivationContextData : 0x00040000 struct _ACTIVATION_CONTEXT_DATA, 0 elements, 0x0 bytes   +0x1fc ProcessAssemblyStorageMap : (null)    +0x200 SystemDefaultActivationContextData : 0x00030000 struct _ACTIVATION_CONTEXT_DATA, 0 elements, 0x0 bytes   +0x204 SystemAssemblyStorageMap : 0x00323e80 struct _ASSEMBLY_STORAGE_MAP, 0 elements, 0x0 bytes   +0x208 MinimumStackCommit : 0   +0x20c FlsCallback      : 0x003262a8 struct _FLS_CALLBACK_INFO, 0 elements, 0x0 bytes   +0x210 FlsListHead      : struct _LIST_ENTRY, 2 elements, 0x8 bytes [ 0x326088 - 0x326088 ]   +0x218 FlsBitmap        : 0x77d97270    +0x21c FlsBitmapBits    : [4] 0x1ff   +0x22c FlsHighIndex     : 8   +0x230 WerRegistrationData : 0x00420000    +0x234 WerShipAssertPtr : (null)    +0x238 pContextData     : 0x00050000    +0x23c pImageHeaderHash : (null)    +0x240 TracingFlags     : 0   +0x240 HeapTracingEnabled : Bitfield 0y0   +0x240 CritSecTracingEnabled : Bitfield 0y0   +0x240 SpareTracingBits : Bitfield 0y000000000000000000000000000000 (0)

_PEB结构的大小为0x248 bytes，也可以这样看：

0:000> ?? @@c++(sizeof(ntdll!_PEB))unsigned int 0x248

比如我们要把Ldr地址赋给伪寄存器，按理论：

+0x00c Ldr              : 0x77d97880 struct _PEB_LDR_DATA, 9 elements, 0x30 bytes

0:000> dt -v ntdll!_PEB -ny Ldr @$pebstruct _PEB, 91 elements, 0x248 bytes   +0x00c Ldr : 0x77d97880 struct _PEB_LDR_DATA, 9 elements, 0x30 bytes

应该是取@$peb+0xc=7ffde00c

使用r?，

0:000> r? $t0=@$peb->Ldr;r $t0$t0=77d97880

我们发现取得了Ldr字段的内容，要取其地址，就使用&符号来取，和C++中含义一样：

0:000> r? $t0=&@$peb->Ldr;r $t0$t0=7ffde00c

当然，我们也可以用*来取内容

0:000> r? @$t1=*(_PEB_LDR_DATA**)@$t0;r @$t1$t1=77d97880

0:000> r? @$t1=*(DWORD**)@$t0;r @$t1$t1=77d978800:000> r? @$t1=*@$t0;r @$t1$t1=77d97880

转载于:https://www.cnblogs.com/hgy413/p/3693372.html

你可能感兴趣的文章

三种java 去掉字符串中的重复字符函数

查看>>

Android-Universal-Image-Loader 图片异步加载类库的使用（超详细配置）

查看>>

如何给C++设计一个GC

查看>>

【原】Ubuntu ATI/Intel双显卡驱动安装

查看>>

VMware-WorkStation 去掉VM工具栏

查看>>

开始写博客啦

查看>>

用TableAdapter创建DataTable定义及查询

查看>>

用 k8s 管理机密信息 - 每天5分钟玩转 Docker 容器技术（155）

最新GitHub新手使用教程(Windows Git从安装到使用)——详细图解

springboot + swagger2

查看>>

fastJson工具类

查看>>