Parsing a crash dump in WinDbg to get the private bytes (other than the managed heap)?

Posted 2024-10-15 20:05:25 · 232 characters · 1 view · 0 comments

I want to parse the full crash dump (*.dmp) file and get the private bytes data. I know that SysInternals' VMMap can tell me how much my private bytes, heap, etc. are, but what I need is this: if I have the dump, I should be able to parse it and get the heap (managed heap) structure and the data in the heap. I have already done this by reading the PEB and then walking through the heaps.

What I am not able to figure out is how to read the private bytes (other than the heap, which is supposed to be the process data for native code). Could anyone please point me in the right direction so that I am able to parse the private bytes other than the heap from the crash dump?

Thanks.

1 answer

风轻花落早 2024-10-22 20:05:25
!address -summary

In the first section you get a breakdown of the usage:

--- Usage Summary ---------------- RgnCount ----------- Total Size -------- %ofBusy %ofTotal
Free                                    170          6f958000 (   1.743 Gb)           87.18%
<unknown>                               477           6998000 ( 105.594 Mb)  40.21%    5.16%
Stack                                   417           5d00000 (  93.000 Mb)  35.42%    4.54%
Image                                   253           3970000 (  57.438 Mb)  21.87%    2.80%
Heap                                     20            600000 (   6.000 Mb)   2.28%    0.29%
TEB                                      93             5d000 ( 372.000 kb)   0.14%    0.02%
Other                                     9             32000 ( 200.000 kb)   0.07%    0.01%
PEB                                       1              1000 (   4.000 kb)   0.00%    0.00%

Unknown would be virtual allocs.

To list the unknown memory regions you can run:

!address -f:VAR

VAR as defined in the debugger.chm - Busy regions. These regions include all virtual allocation blocks, the SBH heap, memory from custom allocators, and all other regions of the address space that fall into no other classification.
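The `!address` classification above comes from the region metadata WinDbg reads out of the dump. The same data can be read directly from the file, without a debugger, which is what the question asks for. The following is an added example, not code from the poster or the answerer: it parses the MemoryInfoList stream (stream type 16) of a Windows minidump, builds a summary comparable to `!address -summary`, sums committed MEM_PRIVATE bytes while excluding heap segments whose allocation bases the caller already has from its PEB walk, and flags private committed regions that are executable, which in a native process is where injected code or shellcode normally sits. The stream is only present when the dump was written with MiniDumpWithFullMemoryInfo (`.dump /ma` sets it); region contents themselves live in the Memory64List stream and are not parsed here. The sample dump is constructed inline as a test fixture; all region addresses and sizes in it are made up.

```python
"""Added example (not part of the original Q&A): read private bytes from a minidump's
MemoryInfoList stream. Structures follow minidumpapiset.h (MINIDUMP_HEADER,
MINIDUMP_DIRECTORY, MINIDUMP_MEMORY_INFO_LIST, MINIDUMP_MEMORY_INFO)."""
import struct

MDMP_SIGNATURE = 0x504D444D          # 'MDMP'
MEMORY_INFO_LIST_STREAM = 16         # MemoryInfoListStream

MEM_COMMIT, MEM_RESERVE, MEM_FREE = 0x1000, 0x2000, 0x10000
MEM_PRIVATE, MEM_MAPPED, MEM_IMAGE = 0x20000, 0x40000, 0x1000000
PAGE_READWRITE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE = 0x04, 0x20, 0x40
EXECUTE_MASK = 0xF0                  # PAGE_EXECUTE* bits in the low protection byte

_HEADER = struct.Struct("<IIIIIIQ")  # Signature, Version, NumberOfStreams, StreamDirectoryRva, CheckSum, TimeDateStamp, Flags
_DIRECTORY = struct.Struct("<III")   # StreamType, DataSize, Rva
_INFO_LIST = struct.Struct("<IIQ")   # SizeOfHeader, SizeOfEntry, NumberOfEntries
_INFO = struct.Struct("<QQIIQIIII")  # BaseAddress, AllocationBase, AllocationProtect, pad, RegionSize, State, Protect, Type, pad


def find_stream(dump, stream_type):
    """Return the raw bytes of the first directory entry with the given stream type, or None."""
    sig, _ver, nstreams, dir_rva, _cs, _ts, _flags = _HEADER.unpack_from(dump, 0)
    if sig != MDMP_SIGNATURE:
        raise ValueError("not a minidump (bad MDMP signature)")
    for i in range(nstreams):
        stype, size, rva = _DIRECTORY.unpack_from(dump, dir_rva + i * _DIRECTORY.size)
        if stype == stream_type:
            return dump[rva:rva + size]
    return None


def memory_info(dump):
    """Parse every MINIDUMP_MEMORY_INFO entry into a dict (one per VAD-style region)."""
    blob = find_stream(dump, MEMORY_INFO_LIST_STREAM)
    if blob is None:
        raise ValueError("no MemoryInfoList stream: dump lacks MiniDumpWithFullMemoryInfo")
    hdr_size, entry_size, count = _INFO_LIST.unpack_from(blob, 0)
    if entry_size < _INFO.size:
        raise ValueError("unexpected MINIDUMP_MEMORY_INFO size %d" % entry_size)
    regions = []
    for i in range(count):
        base, alloc_base, _aprot, _p1, size, state, prot, typ, _p2 = _INFO.unpack_from(blob, hdr_size + i * entry_size)
        regions.append(dict(base=base, alloc_base=alloc_base, size=size, state=state, protect=prot, type=typ))
    return regions


def usage_summary(regions):
    """Rough equivalent of the !address -summary table: (region count, bytes) per class."""
    out = {}
    for r in regions:
        if r["state"] == MEM_FREE:
            label = "Free"
        elif r["state"] == MEM_RESERVE:
            label = "Reserved"
        elif r["type"] == MEM_IMAGE:
            label = "Image"
        elif r["type"] == MEM_MAPPED:
            label = "Mapped"
        else:
            label = "Private"          # committed VirtualAlloc, heap segments, stacks
        count, size = out.get(label, (0, 0))
        out[label] = (count + 1, size + r["size"])
    return out


def private_bytes(regions, heap_bases=()):
    """Committed MEM_PRIVATE bytes, skipping regions whose allocation base is a known heap
    segment. heap_bases is supplied by the caller from its own PEB/heap walk (assumption)."""
    return sum(r["size"] for r in regions
               if r["state"] == MEM_COMMIT and r["type"] == MEM_PRIVATE
               and r["alloc_base"] not in set(heap_bases))


def executable_private(regions):
    """Committed private regions with any PAGE_EXECUTE* protection: outside a JIT these are
    the first places to look for injected code, since legitimate code lives in MEM_IMAGE."""
    return [r for r in regions
            if r["state"] == MEM_COMMIT and r["type"] == MEM_PRIVATE
            and (r["protect"] & EXECUTE_MASK) != 0]


def build_sample_dump(regions):
    """Construct a minimal minidump holding only a MemoryInfoList stream (test fixture)."""
    body = _INFO_LIST.pack(_INFO_LIST.size, _INFO.size, len(regions))
    for base, alloc_base, size, state, prot, typ in regions:
        body += _INFO.pack(base, alloc_base, prot, 0, size, state, prot, typ, 0)
    dir_rva = _HEADER.size
    header = _HEADER.pack(MDMP_SIGNATURE, 0xA793, 1, dir_rva, 0, 0, 0)
    directory = _DIRECTORY.pack(MEMORY_INFO_LIST_STREAM, len(body), dir_rva + _DIRECTORY.size)
    return header + directory + body


# Constructed sample address space: (base, alloc_base, size, state, protect, type)
SAMPLE_REGIONS = [
    (0x7FF600000000, 0x7FF600000000, 0x10000, MEM_COMMIT, PAGE_EXECUTE_READ, MEM_IMAGE),  # module text
    (0x1A0000, 0x1A0000, 0x100000, MEM_COMMIT, PAGE_READWRITE, MEM_PRIVATE),             # heap segment
    (0x3000000, 0x3000000, 0x400000, MEM_COMMIT, PAGE_READWRITE, MEM_PRIVATE),           # VirtualAlloc data
    (0x3400000, 0x3000000, 0x400000, MEM_RESERVE, 0, MEM_PRIVATE),                       # reserved tail, not charged
    (0x5000000, 0x5000000, 0x1000, MEM_COMMIT, PAGE_EXECUTE_READWRITE, MEM_PRIVATE),     # RWX private page
    (0x6000000, 0x6000000, 0x100000, MEM_FREE, 0x01, 0),                                 # free
]

if __name__ == "__main__":
    regs = memory_info(build_sample_dump(SAMPLE_REGIONS))
    for label, (n, size) in usage_summary(regs).items():
        print("%-9s %3d regions %10x bytes" % (label, n, size))
    print("private bytes excluding heap: %#x" % private_bytes(regs, heap_bases={0x1A0000}))
    for r in executable_private(regs):
        print("executable private region at %#x (protect %#x)" % (r["base"], r["protect"]))
```

On a real dump, replace `build_sample_dump(...)` with `open(path, "rb").read()` and pass the segment bases from your PEB heap walk as `heap_bases`; stacks are MEM_PRIVATE too, so subtract TEB-derived stack regions the same way if you want the figure to match VMMap's "Private Data" rather than its total private commit.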
