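WinDBG tip: list all modules (DLL/EXE) loaded in the current process
When debugging, you often want to know which modules the current process has loaded and the address range each module's code is loaded at. The lm command shows this. Taking notepad as an example, entering lm gives: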
0:001> lm
start end module name
00830000 00858000 notepad (pdb symbols) c:/debuggers/externalsymbols/notepad.pdb/7DAC7B3D7D1D4E68BE2132EAB080D42C2/notepad.pdb
70990000 709d2000 WINSPOOL (export symbols) C:/Windows/system32/WINSPOOL.DRV
738c0000 738ff000 uxtheme (pdb symbols) c:/debuggers/externalsymbols/UxTheme.pdb/D6B5A4E899AF4946BA6E4611D58409C02/UxTheme.pdb
74a80000 74c1d000 COMCTL32 (export symbols) C:/Windows/WinSxS/x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.16497_none_5cc0004408832c27/COMCTL32.dll
75e30000 75e7b000 GDI32 (export symbols) C:/Windows/system32/GDI32.dll
75ec0000 75f32000 COMDLG32 (export symbols) C:/Windows/system32/COMDLG32.dll
75f40000 75fdd000 USER32 (pdb symbols) c:/debuggers/externalsymbols/user32.pdb/750E7375884C4EA592C8B0C8ADB018542/user32.pdb
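(... remainder omitted)
The output above shows that the uxtheme.dll module is loaded at addresses 738c0000 ~ 738ff000.
In addition, the lmf command shows the full path of each DLL/EXE.
If the lm list is long and you want to filter for the modules you are interested in, use the lm m command followed by an expression: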
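When triaging a crash or an unexpected call target, the usual next step is to map an address back to one of these ranges. The following is an added example, not part of the original post: it parses saved lm output, resolves an address to its module, and lists modules that have no PDB symbols. The function names and the shortened sample rows are assumptions made for illustration.

```python
import re

# Rows copied from the lm output on this page; symbol paths shortened (constructed sample).
SAMPLE_LM = """\
start    end        module name
00830000 00858000   notepad    (pdb symbols)     c:/debuggers/externalsymbols/notepad.pdb
70990000 709d2000   WINSPOOL   (export symbols)  C:/Windows/system32/WINSPOOL.DRV
738c0000 738ff000   uxtheme    (pdb symbols)     c:/debuggers/externalsymbols/UxTheme.pdb
75e30000 75e7b000   GDI32      (export symbols)  C:/Windows/system32/GDI32.dll
"""

# start, end, module name, optional "(symbol status)", optional path.
# The backtick covers the 64-bit address form (e.g. 00007ff6`12340000).
ROW = re.compile(
    r"^(?P<start>[0-9a-fA-F`]+)\s+(?P<end>[0-9a-fA-F`]+)\s+(?P<name>\S+)"
    r"(?:\s+\((?P<status>[^)]*)\))?(?:\s+(?P<path>.+))?$"
)

def parse_lm(text):
    """Return one dict per module row; header and prompt lines are skipped."""
    modules = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            modules.append({
                "start": int(m["start"].replace("`", ""), 16),
                "end": int(m["end"].replace("`", ""), 16),
                "name": m["name"],
                "status": m["status"] or "",
                "path": m["path"] or "",
            })
    return modules

def module_for_address(modules, addr):
    """end is exclusive: it equals start + ImageSize (738c0000 + 3F000 = 738ff000)."""
    for mod in modules:
        if mod["start"] <= addr < mod["end"]:
            return mod
    return None  # address is not inside any listed module

def without_pdb(modules):
    """Modules whose symbols are not from a PDB (e.g. export symbols only)."""
    return [mod["name"] for mod in modules if mod["status"] != "pdb symbols"]

if __name__ == "__main__":
    mods = parse_lm(SAMPLE_LM)
    for addr in (0x738C1234, 0x738FF000):
        hit = module_for_address(mods, addr)
        print(f"{addr:08x} -> {hit['name'] if hit else 'no module'}")
    print("no PDB:", without_pdb(mods))
```

An address that resolves to no module (here 738ff000, one byte past uxtheme) lies outside every listed image and is worth checking against the process memory map.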
0:001> lm m *theme*
start end module name
738c0000 738ff000 uxtheme (pdb symbols) c:/debuggers/externalsymbols/UxTheme.pdb/D6B5A4E899AF4946BA6E4611D58409C02/UxTheme.pdb
To see detailed information about the module (such as version and date), add the v option and use the lmvm command:
0:001> lmvm *theme*
start end module name
738c0000 738ff000 uxtheme (pdb symbols) c:/debuggers/externalsymbols/UxTheme.pdb/D6B5A4E899AF4946BA6E4611D58409C02/UxTheme.pdb
Loaded symbol image file: C:/Windows/system32/uxtheme.dll
Image path: C:/Windows/system32/uxtheme.dll
Image name: uxtheme.dll
Timestamp: Fri Jan 18 23:32:10 2008 (4791A77A)
CheckSum: 0004868F
ImageSize: 0003F000
File version: 6.0.6001.18000
Product version: 6.0.6001.18000
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 2.0 Dll
File date: 00000000.00000000
Translations: 0409.04b0
CompanyName: Microsoft Corporation
ProductName: Microsoft® Windows® Operating System
InternalName: UxTheme.dll
OriginalFilename: UxTheme.dll
ProductVersion: 6.0.6001.18000
FileVersion: 6.0.6001.18000 (longhorn_rtm.080118-1840)
FileDescription: Microsoft UxTheme Library
LegalCopyright: © Microsoft Corporation. All rights reserved.
To see detailed debug file (PDB) information for uxtheme.dll, use the !lmi command:
0:001> !lmi uxtheme
Loaded Module Info: [uxtheme]
Module: uxtheme
Base Address: 738c0000
Image Name: C:/Windows/system32/uxtheme.dll
Machine Type: 332 (I386)
Time Stamp: 4791a77a Fri Jan 18 23:32:10 2008
Size: 3f000
CheckSum: 4868f
Characteristics: 2102 perf
Debug Data Dirs: Type Size VA Pointer
CODEVIEW 24, 375a0, 369a0 RSDS - GUID: {D6B5A4E8-99AF-4946-BA6E-4611D58409C0}
Age: 2, Pdb: UxTheme.pdb
CLSID 4, 3759c, 3699c [Data not mapped]
Image Type: FILE - Image read successfully from debugger.
C:/Windows/system32/uxtheme.dll
Symbol Type: PDB - Symbols loaded successfully from symbol server.
c:/debuggers/externalsymbols/UxTheme.pdb/D6B5A4E899AF4946BA6E4611D58409C02/UxTheme.pdb
Load Report: public symbols , not source indexed
c:/debuggers/externalsymbols/UxTheme.pdb/D6B5A4E899AF4946BA6E4611D58409C02/UxTheme.pdb