A note on the earlier answer: the machine is 32-bit, the OS is Win7 and the WinDbg version is Insider Preview 16278. In case any of the commands carry an arch dependency: the walkthrough itself is arch agnostic. The pointer arithmetic is done on a live binary, not in a dump, because (as I will add to this answer later) when fetching the contents of a section there is a fair chance the pages have already been paged out in a dump, so demonstrating how to pull them out may be non-deterministic and a bit puzzling.
(There are a few types of sections, such as
1) ALPC sections (com objects)
2) file-backed sections
3) pagefile-backed sections, etc.)
The walkthrough below is for a pagefile-backed section (the most common type).
Assuming you compile and execute the code below, the exe will create a Section object in the Global namespace,
its contents will be backed by the paging file, and it will wait for a keypress.
#include <windows.h>
#include <stdio.h>

#define bsize 256

int main(void)
{
    char szMsg[] = "Message from blabb to lieven from Stack Overflow.";
    int ret = 0;

    /* INVALID_HANDLE_VALUE instead of a file handle gives a pagefile-backed section.
       Creating the mapping under Global\ needs SeCreateGlobalPrivilege, so run elevated.
       PAGE_READWRITE is the value 4 used in the original call. */
    HANDLE hMap = CreateFileMappingA((HANDLE)-1, NULL, PAGE_READWRITE, 0, bsize, "Global\\MyMap");
    if (hMap) {
        /* FILE_MAP_ALL_ACCESS is the 0xf001f used in the original call; map bsize bytes from offset 0 */
        PCHAR buff = (PCHAR) MapViewOfFile(hMap, FILE_MAP_ALL_ACCESS, 0, 0, bsize);
        if (buff) {
            CopyMemory(buff, szMsg, sizeof(szMsg));
            /* block here so the section stays mapped while it is inspected from kd */
            ret = getchar();
            UnmapViewOfFile(buff);
        }
        CloseHandle(hMap);
    }
    return ret;
}
Assuming the process is waiting for the keypress, start livekd, or set up a live kernel debug connection if it is running on a remote machine / VM.
C:\> livekd -k "c:\Program Files\Windows Kits\10\Debuggers\x86\cdb.exe"
LiveKd v5.62 - Execute kd/windbg on a live system
Launching c:\Program Files\Windows Kits\10\Debuggers\x86\cdb.exe:
Microsoft (R) Windows Debugger Version 10.0.16278.1000 X86
Get the _EPROCESS and set the context
kd> !process 0 0 secobj.exe
PROCESS 8605ab28 SessionId: 1 Cid: 0fbc Peb: 7ffd9000 ParentCid: 0af4
DirBase: 7e2712e0 ObjectTable: c288ba00 HandleCount: 9.
Image: secobj.exe
kd> .process /p /r 8605ab28
Implicit process is now 8605ab28
kd> ? @$proc
Evaluate expression: -2046448856 = 8605ab28
kd> ?? (char *)@$proc->ImageFileName
char * 0x8605ac94
"secobj.exe"
Find the section: since we know the object type (Section), the current process, that it is a handle and the name in the Global namespace, let WinDbg decode it for us
kd> !handle 0 3 @$proc Section
Searching for handles of type Section
PROCESS 8605ab28 SessionId: 1 Cid: 0fbc Peb: 7ffd9000 ParentCid: 0af4
DirBase: 7e2712e0 ObjectTable: c288ba00 HandleCount: 9.
Image: secobj.exe
Handle table at c288ba00 with 9 entries in use
0024: Object: c238e9c8 GrantedAccess: 000f0007 Entry: c37b7048
Object: c238e9c8 Type: (84ec6040) Section
ObjectHeader: c238e9b0 (new version)
HandleCount: 1 PointerCount: 2
Directory Object: 98a0f170 Name: MyMap
Dump the SectionObject
kd> dt nt!_SECTION_OBJECT c238e9c8
+0x000 StartingVa : 0xc227e2c8 Void
+0x004 EndingVa : 0x00d3db6c Void
+0x008 Parent : 0xb0d3db20 Void
+0x00c LeftChild : (null)
+0x010 RightChild : 0x00000003 Void
+0x014 Segment : 0xc36aba20 _SEGMENT_OBJECT
kd> $$ note the last member, Segment: it is not a _SEGMENT_OBJECT but
kd> $$ nt!_SEGMENT, or really a pointer to the ControlArea of this section
kd> dt nt!_SEGMENT 0xc36aba20
+0x000 ControlArea : 0x85182d08 _CONTROL_AREA
+0x004 TotalNumberOfPtes : 1
+0x008 SegmentFlags : _SEGMENT_FLAGS
+0x00c NumberOfCommittedPages : 1
+0x010 SizeOfSegment : 0x1000
+0x018 ExtendInfo : (null)
+0x018 BasedAddress : (null)
+0x01c SegmentLock : _EX_PUSH_LOCK
+0x020 u1 : <unnamed-tag>
+0x024 u2 : <unnamed-tag>
+0x028 PrototypePte : 0xc36aba50 _MMPTE
+0x030 ThePtes : [1] _MMPTE
kd> $$ one can expand the union u2 and dump its member FirstMappedVa to see the contents of this section
kd> dt nt!_SEGMENT u2.FirstMappedVa 0xc36aba20
+0x024 u2 :
+0x000 FirstMappedVa : 0x000e0000 Void
Dump the contents
kd> da 0xe0000
000e0000 "Message from blabb to lieven fro"
000e0020 "m Stack Overflow."
kd>
Or do !ca to get the FirstMappedVa; it points to the first page.
If the contents cross more than one page boundary, getting them is
a bit tedious, since they may have been paged out and one would need to perform operations that trigger page-fault handling to bring them into view.
kd> !ca poi(0xc36aba20)
ControlArea @ 85182d08
Segment c36aba20 Flink 00000000 Blink 00000000
Section Ref 1 Pfn Ref 0 Mapped Views 1
User Ref 2 WaitForDel 0 Flush Count 0
File Object 00000000 ModWriteCount 0 System Views 0
WritableRefs 0
Flags (2000) Commit
Pagefile-backed section
Segment @ c36aba20
ControlArea 85182d08 ExtendInfo 00000000
Total Ptes 1
Segment Size 1000 Committed 1
CreatingProcess 8605ab28 FirstMappedVa e0000 <-------------
ProtoPtes c36aba50
Flags (80000) ProtectionMask
Subsection 1 @ 85182d58
ControlArea 85182d08 Starting Sector 0 Number Of Sectors 0
Base Pte c36aba50 Ptes In Subsect 1 Unused Ptes 0
Flags 8 Sector Offset 0 Protection 4
kd>
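The same walk, written as a kd command sequence that takes the field offsets from symbols instead of hand-copied addresses so it can be reused on another build. This is an added example, not part of blabb's answer. It assumes the same live 32-bit Win7 target and the same secobj.exe process; the _EPROCESS address and the Section object address pasted into $t0 are the ones from the session above and will differ on any other machine.

```windbg
$$ Added example (not from the original answer). Live 32-bit Win7 target,
$$ same secobj.exe process as above; the process and object addresses are
$$ the ones from the answer's session and will differ elsewhere.
!process 0 0 secobj.exe
.process /p /r 8605ab28
!handle 0 3 @$proc Section

$$ paste the "Object:" address printed by !handle into $t0
r $t0 = c238e9c8

$$ _SECTION_OBJECT.Segment is typed _SEGMENT_OBJECT* but really points at nt!_SEGMENT
r $t1 = poi(@$t0 + @@c++(#FIELD_OFFSET(nt!_SECTION_OBJECT, Segment)))
dt nt!_SEGMENT ControlArea u2. @$t1

$$ FirstMappedVa is the first member of the u2 union, so its offset is u2's offset
r $t2 = poi(@$t1 + @@c++(#FIELD_OFFSET(nt!_SEGMENT, u2)))

$$ the VA belongs to the creating process's user address space: check that the
$$ page is resident before reading it. A PTE reported as not valid means the
$$ page was paged out (or never touched) and da will show ???? instead of text
!pte @$t2
da @$t2

$$ cross-check against the ControlArea view of the same segment
!ca poi(@$t1)
```

If !pte reports the page as not valid, a LiveKd snapshot cannot bring it back; on a real live kernel connection `.pagein /p <EPROCESS> <address>` followed by `g` asks the target to fault the page in and break again, after which `da` can be retried.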
Got the message ;). After reading "a few types of sections" it got bumped up, and it should be possible to upvote more than once... This is gold to me! –
I am glad to know the answer was helpful – blabb