1: kd> dx -id 0,0,8953a020 -r1 ((ntkrnlmp!_CONTROL_AREA *)0x895278d8)
((ntkrnlmp!_CONTROL_AREA *)0x895278d8) : 0x895278d8 [Type: _CONTROL_AREA *]
[+0x000] Segment : 0xe13a9bb0 [Type: _SEGMENT *]
[+0x004] DereferenceList [Type: _LIST_ENTRY]
[+0x00c] NumberOfSectionReferences : 0x1 [Type: unsigned long]
[+0x010] NumberOfPfnReferences : 0x78 [Type: unsigned long]
[+0x014] NumberOfMappedViews : 0x1 [Type: unsigned long]
[+0x018] NumberOfSystemCacheViews : 0x0 [Type: unsigned long]
[+0x01c] NumberOfUserReferences : 0x2 [Type: unsigned long]
[+0x020] u [Type: __unnamed]
[+0x024] FilePointer : 0x895da9b0 [Type: _FILE_OBJECT *]
[+0x028] WaitingForDeletion : 0x0 [Type: _EVENT_COUNTER *]
[+0x02c] ModifiedWriteCount : 0x0 [Type: unsigned short]
[+0x02e] FlushInProgressCount : 0x0 [Type: unsigned short]
1: kd> dt subsection 0x895278d8+0x30
nt!SUBSECTION
+0x000 ControlArea : 0x895278d8 _CONTROL_AREA
+0x004 u : __unnamed
+0x008 StartingSector : 0
+0x00c NumberOfFullSectors : 2
+0x010 SubsectionBase : 0xe13a9be8 _MMPTE
+0x014 UnusedPtes : 0
+0x018 PtesInSubsection : 1
+0x01c NextSubsection : 0x89527928 _SUBSECTION
1: kd> dt subsection 89527928
nt!SUBSECTION
+0x000 ControlArea : 0x895278d8 _CONTROL_AREA
+0x004 u : __unnamed
+0x008 StartingSector : 2
+0x00c NumberOfFullSectors : 0x3fa
+0x010 SubsectionBase : 0xe13a9bec _MMPTE
+0x014 UnusedPtes : 0
+0x018 PtesInSubsection : 0x80
+0x01c NextSubsection : 0x89527948 _SUBSECTION
1: kd> dt subsection 0x89527948
nt!SUBSECTION
+0x000 ControlArea : 0x895278d8 _CONTROL_AREA
+0x004 u : __unnamed
+0x008 StartingSector : 0x3fc
+0x00c NumberOfFullSectors : 3
+0x010 SubsectionBase : 0xe13a9dec _MMPTE
+0x014 UnusedPtes : 0
+0x018 PtesInSubsection : 5
+0x01c NextSubsection : 0x89527968 _SUBSECTION
1: kd> dt subsection 0x89527968
nt!SUBSECTION
+0x000 ControlArea : 0x895278d8 _CONTROL_AREA
+0x004 u : __unnamed
+0x008 StartingSector : 0x3ff
+0x00c NumberOfFullSectors : 0x354
+0x010 SubsectionBase : 0xe13a9e00 _MMPTE
+0x014 UnusedPtes : 0
+0x018 PtesInSubsection : 0x6b
+0x01c NextSubsection : 0x89527988 _SUBSECTION
1: kd> dt subsection 0x89527988
nt!SUBSECTION
+0x000 ControlArea : 0x895278d8 _CONTROL_AREA
+0x004 u : __unnamed
+0x008 StartingSector : 0x753
+0x00c NumberOfFullSectors : 0x39
+0x010 SubsectionBase : 0xe13a9fac _MMPTE
+0x014 UnusedPtes : 0
+0x018 PtesInSubsection : 8
+0x01c NextSubsection : (null)
1: kd> dx -id 0,0,8953a020 -r1 ((ntkrnlmp!_FILE_OBJECT *)0x895da9b0)
((ntkrnlmp!_FILE_OBJECT *)0x895da9b0) : 0x895da9b0 [Type: _FILE_OBJECT *]
[+0x000] Type : 5 [Type: short]
[+0x002] Size : 112 [Type: short]
[+0x004] DeviceObject : 0x89811788 : Device for "\Driver\Ftdisk" [Type: _DEVICE_OBJECT *]
[+0x008] Vpb : 0x89909178 [Type: _VPB *]
[+0x00c] FsContext : 0xe1473a60 [Type: void *]
[+0x010] FsContext2 : 0xe1475d28 [Type: void *]
[+0x014] SectionObjectPointer : 0x8962a28c [Type: _SECTION_OBJECT_POINTERS *]
[+0x018] PrivateCacheMap : 0x0 [Type: void *]
[+0x01c] FinalStatus : 0 [Type: long]
[+0x020] RelatedFileObject : 0x0 [Type: _FILE_OBJECT *]
[+0x024] LockOperation : 0x0 [Type: unsigned char]
[+0x025] DeletePending : 0x0 [Type: unsigned char]
[+0x026] ReadAccess : 0x1 [Type: unsigned char]
[+0x027] WriteAccess : 0x0 [Type: unsigned char]
[+0x028] DeleteAccess : 0x0 [Type: unsigned char]
[+0x029] SharedRead : 0x1 [Type: unsigned char]
[+0x02a] SharedWrite : 0x1 [Type: unsigned char]
[+0x02b] SharedDelete : 0x1 [Type: unsigned char]
[+0x02c] Flags : 0x44040 [Type: unsigned long]
[+0x030] FileName : "\WINDOWS\system32\kernel32.dll" [Type: _UNICODE_STRING]
[+0x038] CurrentByteOffset : {0} [Type: _LARGE_INTEGER]
[+0x040] Waiters : 0x0 [Type: unsigned long]
[+0x044] Busy : 0x0 [Type: unsigned long]
[+0x048] LastLock : 0x0 [Type: void *]
[+0x04c] Lock [Type: _KEVENT]
[+0x05c] Event [Type: _KEVENT]
[+0x06c] CompletionContext : 0x0 [Type: _IO_COMPLETION_CONTEXT *]
SECTION HEADER #1
.text name
7F298 virtual size
1000 virtual address (77E21000 to 77EA0297)
7F400 size of raw data
400 file pointer to raw data (00000400 to 0007F7FF)
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
60000020 flags
Code
Execute Read
SECTION HEADER #2
.data name
40EC virtual size
81000 virtual address (77EA1000 to 77EA50EB)
600 size of raw data
7F800 file pointer to raw data (0007F800 to 0007FDFF)
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
C0000040 flags
Initialized Data
Read Write
SECTION HEADER #3
.rsrc name
6A6A8 virtual size
86000 virtual address (77EA6000 to 77F106A7)
6A800 size of raw data
7FE00 file pointer to raw data (0007FE00 to 000EA5FF)
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
40000040 flags
Initialized Data
Read Only
SECTION HEADER #4
.reloc name
70BA virtual size
F1000 virtual address (77F11000 to 77F180B9)
7200 size of raw data
EA600 file pointer to raw data (000EA600 to 000F17FF)
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
42000040 flags
Initialized Data
Discardable
Read Only
1: kd> dt _LDR_DATA_TABLE_ENTRY 0x262790-10
basesrv!_LDR_DATA_TABLE_ENTRY
+0x000 InLoadOrderLinks : _LIST_ENTRY [ 0x262820 - 0x2626d8 ]
+0x008 InMemoryOrderLinks : _LIST_ENTRY [ 0x262828 - 0x2626e0 ]
+0x010 InInitializationOrderLinks : _LIST_ENTRY [ 0x2628d0 - 0x262648 ]
+0x018 DllBase : 0x77e20000 Void
+0x01c EntryPoint : 0x77e3e310 Void
+0x020 SizeOfImage : 0xf9000
+0x024 FullDllName : _UNICODE_STRING "C:\WINDOWS\system32\KERNEL32.dll"
+0x02c BaseDllName : _UNICODE_STRING "KERNEL32.dll"
+0x034 Flags : 0x4006
+0x038 LoadCount : 4
+0x03a TlsIndex : 0
+0x03c HashLinks : _LIST_ENTRY [ 0x77fba2d0 - 0x77fba2d0 ]
+0x03c SectionPointer : 0x77fba2d0 Void
+0x040 CheckSum : 0x77fba2d0
+0x044 TimeDateStamp : 0x66e651b9
+0x044 LoadedImports : 0x66e651b9 Void
+0x048 EntryPointActivationContext : (null)
+0x04c PatchInformation : (null)
1: kd> dt IMAGE_DOS_HEADER 0x77e20000
basesrv!IMAGE_DOS_HEADER
+0x000 e_magic : 0x5a4d
+0x002 e_cblp : 0x90
+0x004 e_cp : 3
+0x006 e_crlc : 0
+0x008 e_cparhdr : 4
+0x00a e_minalloc : 0
+0x00c e_maxalloc : 0xffff
+0x00e e_ss : 0
+0x010 e_sp : 0xb8
+0x012 e_csum : 0
+0x014 e_ip : 0
+0x016 e_cs : 0
+0x018 e_lfarlc : 0x40
+0x01a e_ovno : 0
+0x01c e_res : [4] 0
+0x024 e_oemid : 0
+0x026 e_oeminfo : 0
+0x028 e_res2 : [10] 0
+0x03c e_lfanew : 0n224
1: kd> dt IMAGE_NT_HEADERS 0x77e20000+0n224
basesrv!IMAGE_NT_HEADERS
+0x000 Signature : 0x4550
+0x004 FileHeader : _IMAGE_FILE_HEADER
+0x018 OptionalHeader : _IMAGE_OPTIONAL_HEADER
1: kd> dx -id 0,0,8953a020 -r1 (*((basesrv!_IMAGE_FILE_HEADER *)0x77e200e4))
(*((basesrv!_IMAGE_FILE_HEADER *)0x77e200e4)) [Type: _IMAGE_FILE_HEADER]
[+0x000] Machine : 0x14c [Type: unsigned short]
[+0x002] NumberOfSections : 0x4 [Type: unsigned short]
[+0x004] TimeDateStamp : 0x66e651b9 [Type: unsigned long]
[+0x008] PointerToSymbolTable : 0x0 [Type: unsigned long]
[+0x00c] NumberOfSymbols : 0x0 [Type: unsigned long]
[+0x010] SizeOfOptionalHeader : 0xe0 [Type: unsigned short]
[+0x012] Characteristics : 0x210e [Type: unsigned short]
1: kd> dx -id 0,0,8953a020 -r1 (*((basesrv!_IMAGE_OPTIONAL_HEADER *)0x77e200f8))
(*((basesrv!_IMAGE_OPTIONAL_HEADER *)0x77e200f8)) [Type: _IMAGE_OPTIONAL_HEADER]
[+0x000] Magic : 0x10b [Type: unsigned short]
[+0x002] MajorLinkerVersion : 0x7 [Type: unsigned char]
[+0x003] MinorLinkerVersion : 0xa [Type: unsigned char]
[+0x004] SizeOfCode : 0x7f400 [Type: unsigned long]
[+0x008] SizeOfInitializedData : 0x75c00 [Type: unsigned long]
[+0x00c] SizeOfUninitializedData : 0x0 [Type: unsigned long]
[+0x010] AddressOfEntryPoint : 0x1e310 [Type: unsigned long]
[+0x014] BaseOfCode : 0x1000 [Type: unsigned long]
[+0x018] BaseOfData : 0x81000 [Type: unsigned long]
[+0x01c] ImageBase : 0x77e20000 [Type: unsigned long]
[+0x020] SectionAlignment : 0x1000 [Type: unsigned long]
[+0x024] FileAlignment : 0x200 [Type: unsigned long]
[+0x028] MajorOperatingSystemVersion : 0x5 [Type: unsigned short]
[+0x02a] MinorOperatingSystemVersion : 0x2 [Type: unsigned short]
[+0x02c] MajorImageVersion : 0x5 [Type: unsigned short]
[+0x02e] MinorImageVersion : 0x2 [Type: unsigned short]
[+0x030] MajorSubsystemVersion : 0x4 [Type: unsigned short]
[+0x032] MinorSubsystemVersion : 0x0 [Type: unsigned short]
[+0x034] Win32VersionValue : 0x0 [Type: unsigned long]
[+0x038] SizeOfImage : 0xf9000 [Type: unsigned long]
[+0x03c] SizeOfHeaders : 0x400 [Type: unsigned long]
[+0x040] CheckSum : 0xf938e [Type: unsigned long]
[+0x044] Subsystem : 0x3 [Type: unsigned short]
[+0x046] DllCharacteristics : 0x0 [Type: unsigned short]
[+0x048] SizeOfStackReserve : 0x40000 [Type: unsigned long]
[+0x04c] SizeOfStackCommit : 0x1000 [Type: unsigned long]
[+0x050] SizeOfHeapReserve : 0x100000 [Type: unsigned long]
[+0x054] SizeOfHeapCommit : 0x1000 [Type: unsigned long]
[+0x058] LoaderFlags : 0x0 [Type: unsigned long]
[+0x05c] NumberOfRvaAndSizes : 0x10 [Type: unsigned long]
[+0x060] DataDirectory [Type: _IMAGE_DATA_DIRECTORY [16]]
NtSection = IMAGE_FIRST_SECTION( NtHeaders );
/*
 * IMAGE_FIRST_SECTION(ntheader): address of the first IMAGE_SECTION_HEADER
 * that follows the NT headers of a mapped PE image.
 *
 *   result = ntheader
 *          + offsetof(IMAGE_NT_HEADERS, OptionalHeader)   (0x18 in the dump above)
 *          + FileHeader.SizeOfOptionalHeader               (0xe0 for this kernel32.dll)
 *
 * The section table begins immediately after the optional header, so its
 * size is read from the image instead of being assumed. The transcript's
 * `dt IMAGE_SECTION_HEADER 77e200e0+18+e0+28*N` commands apply exactly this
 * arithmetic by hand (0x28 being the size of one IMAGE_SECTION_HEADER, whose
 * last field sits at +0x024).
 *
 * Caveats for anyone reusing this snippet outside the debugger session:
 *  - The (UINT32) cast is lossless only on a 32-bit target like the one
 *    dumped here (Machine 0x14c, Magic 0x10b); on a 64-bit build it would
 *    truncate the pointer. The SDK header definition casts through ULONG_PTR.
 *  - SizeOfOptionalHeader is trusted as found in the image. When parsing an
 *    image that the loader has not already validated, bounds-check this field
 *    (and the NumberOfSections entries that follow) against SizeOfHeaders and
 *    the mapped size before dereferencing the returned pointer.
 */
#define IMAGE_FIRST_SECTION( ntheader ) ((PIMAGE_SECTION_HEADER) \
((UINT32)ntheader + \
FIELD_OFFSET( IMAGE_NT_HEADERS, OptionalHeader ) + \
((PIMAGE_NT_HEADERS)(ntheader))->FileHeader.SizeOfOptionalHeader \
))
Summary
80000 .text
5000 .data
6B000 .rsrc
8000 .reloc
1: kd> dt IMAGE_SECTION_HEADER 77e200e0+18+e0
basesrv!IMAGE_SECTION_HEADER
+0x000 Name : [8] ".text"
+0x008 Misc : __unnamed
+0x00c VirtualAddress : 0x1000
+0x010 SizeOfRawData : 0x7f400
+0x014 PointerToRawData : 0x400
+0x018 PointerToRelocations : 0
+0x01c PointerToLinenumbers : 0
+0x020 NumberOfRelocations : 0
+0x022 NumberOfLinenumbers : 0
+0x024 Characteristics : 0x60000020
1: kd> dt IMAGE_SECTION_HEADER 77e200e0+18+e0+28*1
basesrv!IMAGE_SECTION_HEADER
+0x000 Name : [8] ".data"
+0x008 Misc : __unnamed
+0x00c VirtualAddress : 0x81000
+0x010 SizeOfRawData : 0x600
+0x014 PointerToRawData : 0x7f800
+0x018 PointerToRelocations : 0
+0x01c PointerToLinenumbers : 0
+0x020 NumberOfRelocations : 0
+0x022 NumberOfLinenumbers : 0
+0x024 Characteristics : 0xc0000040
1: kd> dt IMAGE_SECTION_HEADER 77e200e0+18+e0+28*2
basesrv!IMAGE_SECTION_HEADER
+0x000 Name : [8] ".rsrc"
+0x008 Misc : __unnamed
+0x00c VirtualAddress : 0x86000
+0x010 SizeOfRawData : 0x6a800
+0x014 PointerToRawData : 0x7fe00
+0x018 PointerToRelocations : 0
+0x01c PointerToLinenumbers : 0
+0x020 NumberOfRelocations : 0
+0x022 NumberOfLinenumbers : 0
+0x024 Characteristics : 0x40000040
1: kd> dt IMAGE_SECTION_HEADER 77e200e0+18+e0+28*3
basesrv!IMAGE_SECTION_HEADER
+0x000 Name : [8] ".reloc"
+0x008 Misc : __unnamed
+0x00c VirtualAddress : 0xf1000
+0x010 SizeOfRawData : 0x7200
+0x014 PointerToRawData : 0xea600
+0x018 PointerToRelocations : 0
+0x01c PointerToLinenumbers : 0
+0x020 NumberOfRelocations : 0
+0x022 NumberOfLinenumbers : 0
+0x024 Characteristics : 0x42000040
1: kd> !pte 77e21000
VA 77e21000
PDE at C030077C PTE at C01DF884
contains 7B259867 contains 7DE8E025
pfn 7b259 ---DA--UWEV pfn 7de8e ----A--UREV
1: kd> dd 0xe13a9be8
e13a9be8 7e198121 7de8e121 7dd8f860 7de90121
e13a9bf8 7ded1121 7df12860 f926946a 7dd93860
e13a9c08 7de54860 7ddd5121 7de56121 7ded7860
e13a9c18 7dd98860 7de59860 7de9a860 7de1b860
e13a9c28 7de5c860 7de9d860 7dd9e860 7dc9f860
e13a9c38 7de20860 7dd21860 7de22860 7dea3860
e13a9c48 7df24860 7dee5860 7dee6860 7dee7860
e13a9c58 7de68860 7de29860 7de6a121 7de6b121
1: kd> !dc 7e198000
#7e198000 00905a4d 00000003 00000004 0000ffff MZ..............
#7e198010 000000b8 00000000 00000040 00000000 ........@.......
#7e198020 00000000 00000000 00000000 00000000 ................
#7e198030 00000000 00000000 00000000 000000e0 ................
#7e198040 0eba1f0e cd09b400 4c01b821 685421cd ........!..L.!Th
#7e198050 70207369 72676f72 63206d61 6f6e6e61 is program canno
#7e198060 65622074 6e757220 206e6920 20534f44 t be run in DOS
#7e198070 65646f6d 0a0d0d2e 00000024 00000000 mode....$.......
1: kd> !dc 7de8e000
#7de8e000 77f2efac 77f2ec9c 77f90bb9 77f2a3a8 ...w...w...w...w
#7de8e010 77f2b940 77f2f1cc 77f2f40c 77f2f3cc @..w...w...w...w
#7de8e020 77f5e8aa 77f2f52c 77f2f85c 77f2f98c ...w,..w\..w...w
#7de8e030 77f2f8bc 77f33e36 77f2ee7c 77f2ebdc ...w6>.w|..w...w
#7de8e040 77f7b0f8 77f35abe 77f92c18 77f2f5bc ...w.Z.w.,.w...w
#7de8e050 77f2f1fc 77f2ef5c 77f2fa2c 77f2ecdc ...w\..w,..w...w
#7de8e060 77f9072b 77f91930 77f7a5ca 77f92bd4 +..w0..w...w.+.w
#7de8e070 77f58a6c 77f92ca2 77f2e212 77f690d6 l..w.,.w...w...w
1: kd> db 77e20000
77e20000 4d 5a 90 00 03 00 00 00-04 00 00 00 ff ff 00 00 MZ..............
77e20010 b8 00 00 00 00 00 00 00-40 00 00 00 00 00 00 00 ........@.......
77e20020 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
77e20030 00 00 00 00 00 00 00 00-00 00 00 00 e0 00 00 00 ................
77e20040 0e 1f ba 0e 00 b4 09 cd-21 b8 01 4c cd 21 54 68 ........!..L.!Th
77e20050 69 73 20 70 72 6f 67 72-61 6d 20 63 61 6e 6e 6f is program canno
77e20060 74 20 62 65 20 72 75 6e-20 69 6e 20 44 4f 53 20 t be run in DOS
77e20070 6d 6f 64 65 2e 0d 0d 0a-24 00 00 00 00 00 00 00 mode....$.......
1: kd> dd 77e21000
77e21000 77f2efac 77f2ec9c 77f90bb9 77f2a3a8
77e21010 77f2b940 77f2f1cc 77f2f40c 77f2f3cc
77e21020 77f5e8aa 77f2f52c 77f2f85c 77f2f98c
77e21030 77f2f8bc 77f33e36 77f2ee7c 77f2ebdc
77e21040 77f7b0f8 77f35abe 77f92c18 77f2f5bc
77e21050 77f2f1fc 77f2ef5c 77f2fa2c 77f2ecdc
77e21060 77f9072b 77f91930 77f7a5ca 77f92bd4
77e21070 77f58a6c 77f92ca2 77f2e212 77f690d6