当前位置: 文江博客话题详情

如何在 WinDbg 中查找内存映射文件的名称?

发布于 2024-10-03 05:59:43 字数 103 浏览 3 评论 0原文

当我在 VMMap 中查看进程时,我可以看到内存映射文件的文件名。我现在正在分析 WinDbg 中的内存转储,并且想知道内存映射文件的文件名。如何从 WinDbg 或 .dmp 文件中找到它?

原文

When I look at my process in VMMap, I can see the filenames of memory mapped files. I'm now analysing a memory dump in WinDbg and would like to know the filenames of memory mapped files. How can I find this from WinDbg or a .dmp file?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(2

若能看破又如何 2024-10-10 05:59:43

!address -f:FileMap 适用于实时调试。

您可以查看 !address 文档,了解有关可用于优化输出的其他标志的更多详细信息。

!address -f:FileMap works in live debugging.

You can see the !address docs for more details about other flags you can use to refine the output.

回复 原文
感性不性感 2024-10-10 05:59:43

基本上,一旦您设法获取内存映射文件的句柄,您就可以使用 !handle

查看一些相关数据(包括其名称)。 0xF 命令。
如果您没有特定的句柄,但只想查看进程中现有内存映射文件的名称,可以使用以下命令:!handle 0 0x4 Section
它应该为您提供与此类似的输出:

Handle 6bc
  Name          \BaseNamedObjects\NLS_CodePage_862_3_2_0_0
Handle 6cc
  Name          \BaseNamedObjects\MyMap
Handle 794
  Name          \BaseNamedObjects\Cor_Private_IPCBlock_v4_4092
Handle 798
  Name          \BaseNamedObjects\Cor_SxSPublic_IPCBlock_4092
Handle 7cc
  Name          \BaseNamedObjects\ShimSharedMemory
5 handles of type Section

如果您想查看实际的文件名,您可以在内核调试器中发出 !handle 命令来查看有关系统对象的一些信息对应于您的文件句柄。
例如:

lkd> !handle 0 0x3 2c4 File

Searching for Process with Cid == 2c4
Searching for handles of type File
PROCESS 89242da0  SessionId: 0  Cid: 02c4    Peb: 7ffdd000  ParentCid: 0b48
    DirBase: 0a640dc0  ObjectTable: e1c361d0  HandleCount:  83.
    Image: ConsoleApplication1.exe

Handle table at e11f6000 with 83 entries in use

000c: Object: 86a74868  GrantedAccess: 00100020 (Inherit) Entry: e11f6018
Object: 86a74868  Type: (89e2a730) File
    ObjectHeader: 86a74850 (old version)
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \Foo\Bar {HarddiskVolume2}

06d0: Object: 8669c4b8  GrantedAccess: 00100083 Entry: e11f6da0
Object: 8669c4b8  Type: (89e2a730) File
    ObjectHeader: 8669c4a0 (old version)
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \wubildr {HarddiskVolume1}

06d4: Object: 86bf1f58  GrantedAccess: 00120089 Entry: e11f6da8
Object: 86bf1f58  Type: (89e2a730) File
    ObjectHeader: 86bf1f40 (old version)
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \WINDOWS\assembly\pubpol6.dat {HarddiskVolume1}

06dc: Object: 892c43e0  GrantedAccess: 00120089 Entry: e11f6db8
Object: 892c43e0  Type: (89e2a730) File
    ObjectHeader: 892c43c8 (old version)
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \WINDOWS\assembly\NativeImages_v4.0.30319_32\index1fe.dat {HarddiskVolume1}

06ec: Object: 892cf1f8  GrantedAccess: 00100001 Entry: e11f6dd8
Object: 892cf1f8  Type: (89e2a730) File
    ObjectHeader: 892cf1e0 (old version)
        HandleCount: 1  PointerCount: 1

Basically, once you manage to obtain the handle to your memory mapped file, you could view some relevant data (including its name) using the !handle <address> 0xF command.
If you don't have a specific handle, but just want to view the names of the existing memory mapped files in the process, you could use the following command: !handle 0 0x4 Section.
Which should provide you with an output similar to this one:

Handle 6bc
  Name          \BaseNamedObjects\NLS_CodePage_862_3_2_0_0
Handle 6cc
  Name          \BaseNamedObjects\MyMap
Handle 794
  Name          \BaseNamedObjects\Cor_Private_IPCBlock_v4_4092
Handle 798
  Name          \BaseNamedObjects\Cor_SxSPublic_IPCBlock_4092
Handle 7cc
  Name          \BaseNamedObjects\ShimSharedMemory
5 handles of type Section

If you'd like to view the actual filename, you could issue the !handle command in a kernel debugger to view some information about the system objects that correspond to your File handles.
For example:

lkd> !handle 0 0x3 2c4 File

Searching for Process with Cid == 2c4
Searching for handles of type File
PROCESS 89242da0  SessionId: 0  Cid: 02c4    Peb: 7ffdd000  ParentCid: 0b48
    DirBase: 0a640dc0  ObjectTable: e1c361d0  HandleCount:  83.
    Image: ConsoleApplication1.exe

Handle table at e11f6000 with 83 entries in use

000c: Object: 86a74868  GrantedAccess: 00100020 (Inherit) Entry: e11f6018
Object: 86a74868  Type: (89e2a730) File
    ObjectHeader: 86a74850 (old version)
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \Foo\Bar {HarddiskVolume2}

06d0: Object: 8669c4b8  GrantedAccess: 00100083 Entry: e11f6da0
Object: 8669c4b8  Type: (89e2a730) File
    ObjectHeader: 8669c4a0 (old version)
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \wubildr {HarddiskVolume1}

06d4: Object: 86bf1f58  GrantedAccess: 00120089 Entry: e11f6da8
Object: 86bf1f58  Type: (89e2a730) File
    ObjectHeader: 86bf1f40 (old version)
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \WINDOWS\assembly\pubpol6.dat {HarddiskVolume1}

06dc: Object: 892c43e0  GrantedAccess: 00120089 Entry: e11f6db8
Object: 892c43e0  Type: (89e2a730) File
    ObjectHeader: 892c43c8 (old version)
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \WINDOWS\assembly\NativeImages_v4.0.30319_32\index1fe.dat {HarddiskVolume1}

06ec: Object: 892cf1f8  GrantedAccess: 00100001 Entry: e11f6dd8
Object: 892cf1f8  Type: (89e2a730) File
    ObjectHeader: 892cf1e0 (old version)
        HandleCount: 1  PointerCount: 1
回复 原文
~没有更多了~

关于作者

_失温

暂无简介

0 文章
0 评论
24 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

束缚m

文章 0 评论 0

alipaysp_VP2a8Q4rgx

文章 0 评论 0

α

文章 0 评论 0

一口甜

文章 0 评论 0

厌味

文章 0 评论 0

转身泪倾城

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文