PEB = Process Environment Block –basic image information (base address, version numbers, module list)
–process heap information
–environment variables
–command-line parameter
–DLL search path
–Display it: !peb, dt nt!_PEB
TEB = Thread Environment block –stack information (stack-base and stack-limit)
–TLS (Thread Local Storage) array
–Display it: !teb, dt nt!_TEB
FACT: Many WinDbg commands (lm, !dlls, !imgreloc, !tls, !gle) rely on the data
retrieved from PEB and TEB.
0:003> dt nt!_PEB -r @$peb // @$peb = address of our process’s PEB (see pseudo-register syntax
ntdll!_PEB
+0x000 InheritedAddressSpace : 0 ''
+0x001 ReadImageFileExecOptions : 0 ''
+0x002 BeingDebugged : 0x1 ''
+0x003 BitField : 0x4 ''
+0x003 ImageUsesLargePages : 0y0
+0x003 IsProtectedProcess : 0y0
+0x003 IsImageDynamicallyRelocated : 0y1
+0x003 SkipPatchingUser32Forwarders : 0y0
+0x003 IsPackagedProcess : 0y0
+0x003 IsAppContainer : 0y0
+0x003 IsProtectedProcessLight : 0y0
+0x003 IsLongPathAwareProcess : 0y0
+0x004 Padding0 : [4] ""
+0x008 Mutant : 0xffffffff`ffffffff Void
+0x010 ImageBaseAddress : 0x00007ff7`366a0000 Void
+0x018 Ldr : 0x00007ffc`832bb340 _PEB_LDR_DATA
+0x000 Length : 0x58
+0x004 Initialized : 0x1 ''
+0x008 SsHandle : (null)
+0x010 InLoadOrderModuleList : _LIST_ENTRY [ 0x00000000`02289ee0 - 0x00000000`061a3ee0 ]
+0x000 Flink : 0x00000000`02289ee0 _LIST_ENTRY [ 0x00000000`02285ee0 - 0x00007ffc`832bb350 ]
+0x008 Blink : 0x00000000`061a3ee0 _LIST_ENTRY [ 0x00007ffc`832bb350 - 0x00000000`06140ee0 ]
+0x020 InMemoryOrderModuleList : _LIST_ENTRY [ 0x00000000`02289ef0 - 0x00000000`061a3ef0 ]
+0x000 Flink : 0x00000000`02289ef0 _LIST_ENTRY [ 0x00000000`02285ef0 - 0x00007ffc`832bb360 ]
+0x008 Blink : 0x00000000`061a3ef0 _LIST_ENTRY [ 0x00007ffc`832bb360 - 0x00000000`06140ef0 ]
+0x030 InInitializationOrderModuleList : _LIST_ENTRY [ 0x00000000`02285f00 - 0x00000000`061a3f00 ]
+0x000 Flink : 0x00000000`02285f00 _LIST_ENTRY [ 0x00000000`02291f00 - 0x00007ffc`832bb370 ]
+0x008 Blink : 0x00000000`061a3f00 _LIST_ENTRY [ 0x00007ffc`832bb370 - 0x00000000`06134f00 ]
+0x040 EntryInProgress : (null)
+0x048 ShutdownInProgress : 0 ''
+0x050 ShutdownThreadId : (null)
+0x020 ProcessParameters : 0x00000000`0227d7d0 _RTL_USER_PROCESS_PARAMETERS
+0x000 MaximumLength : 0x824
+0x004 Length : 0x824
+0x008 Flags : 0x2001
+0x00c DebugFlags : 0
+0x010 ConsoleHandle : 0x00000000`00000464 Void
+0x018 ConsoleFlags : 0
+0x020 StandardInput : 0x00000000`00000468 Void
+0x028 StandardOutput : 0x00000000`0000046c Void
+0x030 StandardError : 0x00000000`00000470 Void
+0x038 CurrentDirectory : _CURDIR
+0x000 DosPath : _UNICODE_STRING "C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\"
+0x010 Handle : 0x00000000`00000060 Void
+0x050 DllPath : _UNICODE_STRING ""
+0x000 Length : 0
+0x002 MaximumLength : 0
+0x008 Buffer : (null)
+0x060 ImagePathName : _UNICODE_STRING "C:\Users\winne\Documents\Visual Studio 2008\Projects\tamade\x64\Debug\tamade.exe"
+0x000 Length : 0xa0
+0x002 MaximumLength : 0xa2
+0x008 Buffer : 0x00000000`0227dde8 "C:\Users\winne\Documents\Visual Studio 2008\Projects\tamade\x64\Debug\tamade.exe"
+0x070 CommandLine : _UNICODE_STRING ""C:\Users\winne\Documents\Visual Studio 2008\Projects\tamade\x64\Debug\tamade.exe""
+0x000 Length : 0xa4
+0x002 MaximumLength : 0xa6
+0x008 Buffer : 0x00000000`0227de8a ""C:\Users\winne\Documents\Visual Studio 2008\Projects\tamade\x64\Debug\tamade.exe""
+0x080 Environment : 0x00000000`02fad070 Void
+0x088 StartingX : 0
+0x08c StartingY : 0
+0x090 CountX : 0
+0x094 CountY : 0
+0x098 CountCharsX : 0
+0x09c CountCharsY : 0
+0x0a0 FillAttribute : 0
+0x0a4 WindowFlags : 0
+0x0a8 ShowWindowFlags : 0
+0x0b0 WindowTitle : _UNICODE_STRING "C:\Users\winne\Documents\Visual Studio 2008\Projects\tamade\x64\Debug\tamade.exe"
+0x000 Length : 0xa0
+0x002 MaximumLength : 0xa2
+0x008 Buffer : 0x00000000`0227df30 "C:\Users\winne\Documents\Visual Studio 2008\Projects\tamade\x64\Debug\tamade.exe"
+0x0c0 DesktopInfo : _UNICODE_STRING "Winsta0\Default"
+0x000 Length : 0x1e
+0x002 MaximumLength : 0x20
+0x008 Buffer : 0x00000000`0227dfd2 "Winsta0\Default"
+0x0d0 ShellInfo : _UNICODE_STRING ""
+0x000 Length : 0
+0x002 MaximumLength : 2
+0x008 Buffer : 0x00000000`0227dff2 ""
+0x0e0 RuntimeData : _UNICODE_STRING ""
+0x000 Length : 0
+0x002 MaximumLength : 0
+0x008 Buffer : (null)
+0x0f0 CurrentDirectores : [32] _RTL_DRIVE_LETTER_CURDIR
+0x000 Flags : 0
+0x002 Length : 0
+0x004 TimeStamp : 0
+0x008 DosPath : _STRING ""
+0x3f0 EnvironmentSize : 0xf86
+0x3f8 EnvironmentVersion : 6
+0x400 PackageDependencyData : (null)
+0x408 ProcessGroupId : 0x324
+0x40c LoaderThreads : 0
+0x028 SubSystemData : (null)
+0x030 ProcessHeap : 0x00000000`02200000 Void
+0x038 FastPebLock : 0x00007ffc`832bae60 _RTL_CRITICAL_SECTION
+0x000 DebugInfo : 0x00007ffc`832b9be0 _RTL_CRITICAL_SECTION_DEBUG
+0x000 Type : 0
+0x002 CreatorBackTraceIndex : 1
+0x008 CriticalSection : 0x00007ffc`832bae60 _RTL_CRITICAL_SECTION
+0x010 ProcessLocksList : _LIST_ENTRY [ 0x00007ffc`832b9c20 - 0x00007ffc`832b5620 ]
+0x020 EntryCount : 0
+0x024 ContentionCount : 0
+0x028 Flags : 0
+0x02c CreatorBackTraceIndexHigh : 0
+0x02e SpareUSHORT : 0
+0x008 LockCount : 0n-1
+0x00c RecursionCount : 0n0
+0x010 OwningThread : (null)
+0x018 LockSemaphore : (null)
+0x020 SpinCount : 0x20007d0
+0x040 AtlThunkSListPtr : (null)
+0x048 IFEOKey : (null)
+0x050 CrossProcessFlags : 5
+0x050 ProcessInJob : 0y1
+0x050 ProcessInitializing : 0y0
+0x050 ProcessUsingVEH : 0y1
+0x050 ProcessUsingVCH : 0y0
+0x050 ProcessUsingFTH : 0y0
+0x050 ProcessPreviouslyThrottled : 0y0
+0x050 ProcessCurrentlyThrottled : 0y0
+0x050 ReservedBits0 : 0y0000000000000000000000000 (0)
+0x054 Padding1 : [4] ""
+0x058 KernelCallbackTable : (null)
+0x058 UserSharedInfoPtr : (null)
+0x060 SystemReserved : [1] 0
+0x064 AtlThunkSListPtr32 : 0
+0x068 ApiSetMap : 0x00000000`00690000 Void
+0x070 TlsExpansionCounter : 0
+0x074 Padding2 : [4] ""
+0x078 TlsBitmap : 0x00007ffc`832bb2b0 Void
+0x080 TlsBitmapBits : [2] 0x1001f
+0x088 ReadOnlySharedMemoryBase : 0x00007ff7`35bf0000 Void
+0x090 SharedData : (null)
+0x098 ReadOnlyStaticServerData : 0x00007ff7`35bf0f60 -> (null)
+0x0a0 AnsiCodePageData : 0x00007ff7`35cf0000 Void
+0x0a8 OemCodePageData : 0x00007ff7`35cf0000 Void
+0x0b0 UnicodeCaseTableData : 0x00007ff7`35d20028 Void
+0x0b8 NumberOfProcessors : 8
+0x0bc NtGlobalFlag : 0x2000100
+0x0c0 CriticalSectionTimeout : _LARGE_INTEGER 0xffffe86d`079b8000
+0x000 LowPart : 0x79b8000
+0x004 HighPart : 0n-6035
+0x000 u : <unnamed-tag>
+0x000 LowPart : 0x79b8000
+0x004 HighPart : 0n-6035
+0x000 QuadPart : 0n-25920000000000
+0x0c8 HeapSegmentReserve : 0x100000
+0x0d0 HeapSegmentCommit : 0x2000
+0x0d8 HeapDeCommitTotalFreeThreshold : 0x10000
+0x0e0 HeapDeCommitFreeBlockThreshold : 0x1000
+0x0e8 NumberOfHeaps : 5
+0x0ec MaximumNumberOfHeaps : 0x10
+0x0f0 ProcessHeaps : 0x00007ffc`832b9ae0 -> 0x00000000`032a0000 Void
+0x0f8 GdiSharedHandleTable : (null)
+0x100 ProcessStarterHelper : (null)
+0x108 GdiDCAttributeList : 0
+0x10c Padding3 : [4] ""
+0x110 LoaderLock : 0x00007ffc`832b55a8 _RTL_CRITICAL_SECTION
+0x000 DebugInfo : 0x00007ffc`832b59a8 _RTL_CRITICAL_SECTION_DEBUG
+0x000 Type : 0
+0x002 CreatorBackTraceIndex : 0
+0x008 CriticalSection : 0x00007ffc`832b55a8 _RTL_CRITICAL_SECTION
+0x010 ProcessLocksList : _LIST_ENTRY [ 0x00000000`00000000 - 0x00000000`00000000 ]
+0x020 EntryCount : 0
+0x024 ContentionCount : 0
+0x028 Flags : 1
+0x02c CreatorBackTraceIndexHigh : 0
+0x02e SpareUSHORT : 0
+0x008 LockCount : 0n-1
+0x00c RecursionCount : 0n0
+0x010 OwningThread : (null)
+0x018 LockSemaphore : (null)
+0x020 SpinCount : 0x4000000
+0x118 OSMajorVersion : 0xa
+0x11c OSMinorVersion : 0
+0x120 OSBuildNumber : 0x3ad7
+0x122 OSCSDVersion : 0
+0x124 OSPlatformId : 2
+0x128 ImageSubsystem : 3
+0x12c ImageSubsystemMajorVersion : 5
+0x130 ImageSubsystemMinorVersion : 2
+0x134 Padding4 : [4] ""
+0x138 ActiveProcessAffinityMask : 0xff
+0x140 GdiHandleBuffer : [60] 0
+0x230 PostProcessInitRoutine : (null)
+0x238 TlsExpansionBitmap : 0x00007ffc`832bb290 Void
+0x240 TlsExpansionBitmapBits : [32] 1
+0x2c0 SessionId : 1
+0x2c4 Padding5 : [4] ""
+0x2c8 AppCompatFlags : _ULARGE_INTEGER 0x0
+0x000 LowPart : 0
+0x004 HighPart : 0
+0x000 u : <unnamed-tag>
+0x000 LowPart : 0
+0x004 HighPart : 0
+0x000 QuadPart : 0
+0x2d0 AppCompatFlagsUser : _ULARGE_INTEGER 0x0
+0x000 LowPart : 0
+0x004 HighPart : 0
+0x000 u : <unnamed-tag>
+0x000 LowPart : 0
+0x004 HighPart : 0
+0x000 QuadPart : 0
+0x2d8 pShimData : 0x00000000`007d0000 Void
+0x2e0 AppCompatInfo : (null)
+0x2e8 CSDVersion : _UNICODE_STRING ""
+0x000 Length : 0
+0x002 MaximumLength : 2
+0x008 Buffer : 0x00007ff7`35bf0ffa ""
+0x2f8 ActivationContextData : 0x00000000`007c0000 _ACTIVATION_CONTEXT_DATA
+0x300 ProcessAssemblyStorageMap : 0x00000000`06195fd0 _ASSEMBLY_STORAGE_MAP
+0x308 SystemDefaultActivationContextData : 0x00000000`007b0000 _ACTIVATION_CONTEXT_DATA
+0x310 SystemAssemblyStorageMap : (null)
+0x318 MinimumStackCommit : 0
+0x320 FlsCallback : 0x00000000`061d9800 _FLS_CALLBACK_INFO
+0x328 FlsListHead : _LIST_ENTRY [ 0x00000000`061d7bf0 - 0x00000000`06203bf0 ]
+0x000 Flink : 0x00000000`061d7bf0 _LIST_ENTRY [ 0x00000000`06203bf0 - 0x00000000`0085e328 ]
+0x000 Flink : 0x00000000`06203bf0 _LIST_ENTRY [ 0x00000000`0085e328 - 0x00000000`061d7bf0 ]
+0x008 Blink : 0x00000000`0085e328 _LIST_ENTRY [ 0x00000000`061d7bf0 - 0x00000000`06203bf0 ]
+0x008 Blink : 0x00000000`06203bf0 _LIST_ENTRY [ 0x00000000`0085e328 - 0x00000000`061d7bf0 ]
+0x000 Flink : 0x00000000`0085e328 _LIST_ENTRY [ 0x00000000`061d7bf0 - 0x00000000`06203bf0 ]
+0x008 Blink : 0x00000000`061d7bf0 _LIST_ENTRY [ 0x00000000`06203bf0 - 0x00000000`0085e328 ]
+0x338 FlsBitmap : 0x00007ffc`832bb300 Void
+0x340 FlsBitmapBits : [4] 3
+0x350 FlsHighIndex : 1
+0x358 WerRegistrationData : (null)
+0x360 WerShipAssertPtr : (null)
+0x368 pUnused : (null)
+0x370 pImageHeaderHash : (null)
+0x378 TracingFlags : 0
+0x378 HeapTracingEnabled : 0y0
+0x378 CritSecTracingEnabled : 0y0
+0x378 LibLoaderTracingEnabled : 0y0
+0x378 SpareTracingBits : 0y00000000000000000000000000000 (0)
+0x37c Padding6 : [4] ""
+0x380 CsrServerReadOnlySharedMemoryBase : 0x00007ff7`d87d0000
+0x388 TppWorkerpListLock : 0
+0x390 TppWorkerpList : _LIST_ENTRY [ 0x00000000`069efc90 - 0x00000000`06aef990 ]
+0x000 Flink : 0x00000000`069efc90 _LIST_ENTRY [ 0x00000000`06aef990 - 0x00000000`0085e390 ]
+0x000 Flink : 0x00000000`06aef990 _LIST_ENTRY [ 0x00000000`0085e390 - 0x00000000`069efc90 ]
+0x008 Blink : 0x00000000`0085e390 _LIST_ENTRY [ 0x00000000`069efc90 - 0x00000000`06aef990 ]
+0x008 Blink : 0x00000000`06aef990 _LIST_ENTRY [ 0x00000000`0085e390 - 0x00000000`069efc90 ]
+0x000 Flink : 0x00000000`0085e390 _LIST_ENTRY [ 0x00000000`069efc90 - 0x00000000`06aef990 ]
+0x008 Blink : 0x00000000`069efc90 _LIST_ENTRY [ 0x00000000`06aef990 - 0x00000000`0085e390 ]
+0x3a0 WaitOnAddressHashTable : [128] (null)
WinDbg Commands for Retrieving Process and Module Information WinDbg Commands for Retrieving Process and Module Information
displays a formatted view of the information in the process environment block (PEB)
!peb
full PEB dump dt nt!_PEB Addr
-||-(output in Debugger Markup Language) lmD
display relocation information !imgreloc
same as before for kernel32 only !dlls –c kernel32
verbose output (including image and symbol information) for kernel32
lm vm kernel32
similar implementation as an extension !lmi kernel32
display list of loaded modules with loader specific information(entry point,load count)
!dlls
display the headers for kernel32
0:003> !dlls -c verifier
0x02291ee0: C:\Windows\System32\verifier.dll
Base 0x7ffc6a600000 EntryPoint 0x7ffc6a6097b0 Size 0x0006e000 DdagNode 0x02293fb0
Flags 0x0008a6c4 TlsIndex 0x00000000 LoadCount 0xffffffff NodeRefCount 0x00000000
<unknown>
LDRP_IMAGE_DLL
LDRP_PROCESS_ATTACH_CALLED
0:003> lm vm verifier
Browse full module list
start end module name
00007ffc`6a600000 00007ffc`6a66e000 verifier (pdb symbols) c:\symbol\verifier.pdb\BF860890D45C57A0CDBCDE4A72BD25C01\verifier.pdb
Loaded symbol image file: C:\Windows\System32\verifier.dll
Image path: C:\Windows\System32\verifier.dll
Image name: verifier.dll
Browse all global symbols functions data
Timestamp: ***** Invalid (A841D401)
CheckSum: 00066EE1
ImageSize: 0006E000
File version: 10.0.15063.0
Product version: 10.0.15063.0
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 2.0 Dll
File date: 00000000.00000000
Translations: 0409.04b0
CompanyName: Microsoft Corporation
ProductName: Microsoft® Windows® Operating System
InternalName: verifier.dll
OriginalFilename: verifier.dll
ProductVersion: 10.0.15063.0
FileVersion: 10.0.15063.0 (WinBuild.160101.0800)
FileDescription: Standard application verifier provider dll
LegalCopyright: © Microsoft Corporation. All rights reserved
WinDbg Commands for Retrieving Thread Information WinDbg Commands for Retrieving Thread Information
Get last error !gle
displays information about time consumed by each thread quick way to find out which threads are spinning out of control or consuming too much CPU time
!runaway
displays a formatted view of the information in the thread environment block (TEB)
!teb
full TEB dump
Example Example -Threads
0:003> !runaway 7
User Mode Time
Thread Time
3:714 0 days 0:00:00.000
2:14284 0 days 0:00:00.000
1:107f0 0 days 0:00:00.000
0:12578 0 days 0:00:00.000
Kernel Mode Time
Thread Time
0:12578 0 days 0:00:00.062
3:714 0 days 0:00:00.000
2:14284 0 days 0:00:00.000
1:107f0 0 days 0:00:00.000
Elapsed Time
Thread Time
0:12578 0 days 1:26:49.240
1:107f0 0 days 1:26:47.729
2:14284 0 days 1:21:34.048
3:714 0 days 0:53:52.516
0:003> ~*
0 Id: 5b88.12578 Suspend: 1 Teb: 00000000`0085f000 Unfrozen
Start: tamade!wmainCRTStartup (00007ff7`366a1280)
Priority: 0 Priority class: 32 Affinity: ff
1 Id: 5b88.107f0 Suspend: 1 Teb: 00000000`00861000 Unfrozen
Start: ntdll!TppWorkerThread (00007ffc`831a12c0)
Priority: 0 Priority class: 32 Affinity: ff
2 Id: 5b88.14284 Suspend: 1 Teb: 00000000`00863000 Unfrozen
Start: ntdll!TppWorkerThread (00007ffc`831a12c0)
Priority: 0 Priority class: 32 Affinity: ff
. 3 Id: 5b88.714 Suspend: 1 Teb: 00000000`00865000 Unfrozen
Start: ntdll!DbgUiRemoteBreakin (00007ffc`83235320)
Priority: 0 Priority class: 32 Affinity: ff
0:003> !gle
LastErrorValue: (NTSTATUS) 0 (0) - STATUS_SUCCESS
LastStatusValue: (NTSTATUS) 0 - STATUS_SUCCESS
4355
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
