The r? command evaluates its argument with the C++ expression evaluator. When the target is a pseudo-register, the assignment also gives the pseudo-register the type of the assigned expression (type information is attached only when a pseudo-register is assigned this way; a plain r $t0=... stores an untyped integer). Any type can be used.
For example, we know that @$peb has the type _PEB:
0:000> dt ntdll!*PEB*
ntdll!_PEB
ntdll!_PEB_LDR_DATA
0:000> ? @$peb
Evaluate expression: 2147344384 = 7ffde000
So its value is 7ffde000. Dumping it with that type:
0:000> dt -v ntdll!_PEB @$peb
struct _PEB, 91 elements, 0x248 bytes
+0x000 InheritedAddressSpace : 0 ''
+0x001 ReadImageFileExecOptions : 0 ''
+0x002 BeingDebugged : 0x1 ''
+0x003 BitField : 0x8 ''
+0x003 ImageUsesLargePages : Bitfield 0y0
+0x003 IsProtectedProcess : Bitfield 0y0
+0x003 IsLegacyProcess : Bitfield 0y0
+0x003 IsImageDynamicallyRelocated : Bitfield 0y1
+0x003 SkipPatchingUser32Forwarders : Bitfield 0y0
+0x003 SpareBits : Bitfield 0y000
+0x004 Mutant : 0xffffffff
+0x008 ImageBaseAddress : 0x00ac0000
+0x00c Ldr : 0x77d97880 struct _PEB_LDR_DATA, 9 elements, 0x30 bytes
+0x010 ProcessParameters : 0x00321a80 struct _RTL_USER_PROCESS_PARAMETERS, 30 elements, 0x298 bytes
+0x014 SubSystemData : (null)
+0x018 ProcessHeap : 0x00320000
+0x01c FastPebLock : 0x77d97380 struct _RTL_CRITICAL_SECTION, 6 elements, 0x18 bytes
+0x020 AtlThunkSListPtr : (null)
+0x024 IFEOKey : (null)
+0x028 CrossProcessFlags : 0
+0x028 ProcessInJob : Bitfield 0y0
+0x028 ProcessInitializing : Bitfield 0y0
+0x028 ProcessUsingVEH : Bitfield 0y0
+0x028 ProcessUsingVCH : Bitfield 0y0
+0x028 ProcessUsingFTH : Bitfield 0y0
+0x028 ReservedBits0 : Bitfield 0y000000000000000000000000000 (0)
+0x02c KernelCallbackTable : 0x76c4d568
+0x02c UserSharedInfoPtr : 0x76c4d568
+0x030 SystemReserved : [1] 0
+0x034 AtlThunkSListPtr32 : 0
+0x038 ApiSetMap : 0x77f00000
+0x03c TlsExpansionCounter : 0
+0x040 TlsBitmap : 0x77d97260
+0x044 TlsBitmapBits : [2] 0xffffffff
+0x04c ReadOnlySharedMemoryBase : 0x7f6f0000
+0x050 HotpatchInformation : (null)
+0x054 ReadOnlyStaticServerData : 0x7f6f0590 -> (null)
+0x058 AnsiCodePageData : 0x7ffa0000
+0x05c OemCodePageData : 0x7ffa0000
+0x060 UnicodeCaseTableData : 0x7ffd0024
+0x064 NumberOfProcessors : 4
+0x068 NtGlobalFlag : 0x70
+0x070 CriticalSectionTimeout : union _LARGE_INTEGER, 4 elements, 0x8 bytes
0xffffe86d`079b8000
+0x078 HeapSegmentReserve : 0x100000
+0x07c HeapSegmentCommit : 0x2000
+0x080 HeapDeCommitTotalFreeThreshold : 0x10000
+0x084 HeapDeCommitFreeBlockThreshold : 0x1000
+0x088 NumberOfHeaps : 0xc
+0x08c MaximumNumberOfHeaps : 0x10
+0x090 ProcessHeaps : 0x77d97500 -> 0x00320000
+0x094 GdiSharedHandleTable : 0x005c0000
+0x098 ProcessStarterHelper : (null)
+0x09c GdiDCAttributeList : 0x14
+0x0a0 LoaderLock : 0x77d97340 struct _RTL_CRITICAL_SECTION, 6 elements, 0x18 bytes
+0x0a4 OSMajorVersion : 6
+0x0a8 OSMinorVersion : 1
+0x0ac OSBuildNumber : 0x1db1
+0x0ae OSCSDVersion : 0x100
+0x0b0 OSPlatformId : 2
+0x0b4 ImageSubsystem : 2
+0x0b8 ImageSubsystemMajorVersion : 5
+0x0bc ImageSubsystemMinorVersion : 1
+0x0c0 ActiveProcessAffinityMask : 0xf
+0x0c4 GdiHandleBuffer : [34] 0
+0x14c PostProcessInitRoutine : (null)
+0x150 TlsExpansionBitmap : 0x77d97268
+0x154 TlsExpansionBitmapBits : [32] 1
+0x1d4 SessionId : 1
+0x1d8 AppCompatFlags : union _ULARGE_INTEGER, 4 elements, 0x8 bytes
0x0
+0x1e0 AppCompatFlagsUser : union _ULARGE_INTEGER, 4 elements, 0x8 bytes
0x0
+0x1e8 pShimData : (null)
+0x1ec AppCompatInfo : (null)
+0x1f0 CSDVersion : struct _UNICODE_STRING, 3 elements, 0x8 bytes
"Service Pack 1"
+0x1f8 ActivationContextData : 0x00040000 struct _ACTIVATION_CONTEXT_DATA, 0 elements, 0x0 bytes
+0x1fc ProcessAssemblyStorageMap : (null)
+0x200 SystemDefaultActivationContextData : 0x00030000 struct _ACTIVATION_CONTEXT_DATA, 0 elements, 0x0 bytes
+0x204 SystemAssemblyStorageMap : 0x00323e80 struct _ASSEMBLY_STORAGE_MAP, 0 elements, 0x0 bytes
+0x208 MinimumStackCommit : 0
+0x20c FlsCallback : 0x003262a8 struct _FLS_CALLBACK_INFO, 0 elements, 0x0 bytes
+0x210 FlsListHead : struct _LIST_ENTRY, 2 elements, 0x8 bytes
[ 0x326088 - 0x326088 ]
+0x218 FlsBitmap : 0x77d97270
+0x21c FlsBitmapBits : [4] 0x1ff
+0x22c FlsHighIndex : 8
+0x230 WerRegistrationData : 0x00420000
+0x234 WerShipAssertPtr : (null)
+0x238 pContextData : 0x00050000
+0x23c pImageHeaderHash : (null)
+0x240 TracingFlags : 0
+0x240 HeapTracingEnabled : Bitfield 0y0
+0x240 CritSecTracingEnabled : Bitfield 0y0
+0x240 SpareTracingBits : Bitfield 0y000000000000000000000000000000 (0)
The _PEB structure is 0x248 bytes; this can also be checked directly:
0:000> ?? @@c++(sizeof(ntdll!_PEB))
unsigned int 0x248
Suppose we want to store the address of the Ldr field in a pseudo-register. In theory:
+0x00c Ldr : 0x77d97880 struct _PEB_LDR_DATA, 9 elements, 0x30 bytes
0:000> dt -v ntdll!_PEB -ny Ldr @$peb
struct _PEB, 91 elements, 0x248 bytes
+0x00c Ldr : 0x77d97880 struct _PEB_LDR_DATA, 9 elements, 0x30 bytes
the address should be @$peb+0xc = 7ffde00c.
Using r?:
0:000> r? $t0=@$peb->Ldr;r $t0
$t0=77d97880
We find that this fetched the contents of the Ldr field (the pointer stored there), not its address. To get the address of the field, use the & operator, with the same meaning as in C++:
0:000> r? $t0=&@$peb->Ldr;r $t0
$t0=7ffde00c
Of course, * can be used to dereference as well. Because @$t0 was typed _PEB_LDR_DATA** by the assignment above, the cast in the first form below is redundant. All three forms yield the same value, but the type given to @$t1 differs (_PEB_LDR_DATA*, DWORD*, and _PEB_LDR_DATA* respectively); ?? @$t1 shows which type the pseudo-register received, which matters if you intend to use -> on it later:
0:000> r? @$t1=*(_PEB_LDR_DATA**)@$t0;r @$t1
$t1=77d97880
0:000> r? @$t1=*(DWORD**)@$t0;r @$t1
$t1=77d97880
0:000> r? @$t1=*@$t0;r @$t1
$t1=77d97880
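The typed pseudo-registers are most useful when the type is carried through several steps. The script below is an added example and not part of the original page: it walks the loader's InLoadOrderModuleList starting from @$peb->Ldr, using only r?, ->, & and * as shown above. It assumes a 32-bit target with ntdll symbols loaded (as in the session above) and that InLoadOrderLinks is the first member of ntdll!_LDR_DATA_TABLE_ENTRY, so a _LIST_ENTRY pointer can be cast straight to the entry type. Save it to a file and run it with $$>< (which joins the lines into one command block, so the .while braces may span lines).

```windbg
$$ Added example: walk the PEB loader list with typed pseudo-registers (32-bit target).
$$ @$t0 receives the type _PEB_LDR_DATA* from this assignment, so -> works on it below.
r? @$t0 = @$peb->Ldr
$$ Address of the list head (a _LIST_ENTRY inside _PEB_LDR_DATA), kept for the loop test.
r? @$t1 = &@$t0->InLoadOrderModuleList
$$ First entry. Assumption: InLoadOrderLinks is at offset 0 of _LDR_DATA_TABLE_ENTRY,
$$ so the Flink pointer can be cast directly to the entry type.
r? @$t2 = (ntdll!_LDR_DATA_TABLE_ENTRY *)@$t1->Flink
$$ Stop when Flink wraps around to the list head (MASM compares the raw values).
.while (@$t2 != @$t1) {
    .printf "base=%p size=%08x  %mu\n", @@c++(@$t2->DllBase), @@c++(@$t2->SizeOfImage), @@c++(@$t2->FullDllName.Buffer)
    r? @$t2 = (ntdll!_LDR_DATA_TABLE_ENTRY *)@$t2->InLoadOrderLinks.Flink
}
$$ Check: the pseudo-register kept its type, not just its value.
?? @$t0
```

The final ?? @$t0 is the check worth getting into the habit of: it prints the type along with the value (struct _PEB_LDR_DATA * followed by the address), so you can confirm that r? attached the type before relying on -> in later commands. If a pseudo-register was set with a plain r instead, ?? shows only an integer and any -> on it fails.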