1

我正在开发一个用于转储分析的 Windbg 扩展,该扩展需要来自已卸载模块的符号。我正在使用函数IDebugSymbols3::Reload,它类似于.reload命令。如果模块最初占用的区域不再可用,我必须明确指定一个新的基地址来加载。

如果我手动调试,我可能会使用!address扩展列出空闲区域并寻找一个足够大的区域。如何以编程方式在目标地址空间中找到要使用的适当位置?

4

1 回答 1

0

GetNumberModules(),用于计数已加载和卸载的模块
GetModuleParameters 在循环中获取基数和大小

或者 IDebugDataSpaces2::QueryVirtual

#include <engextcpp.cpp>
#define MAX_MOD 0x100
class EXT_CLASS : public ExtExtension
{
public:
    EXT_COMMAND_METHOD(getoff);
};
EXT_DECLARE_GLOBALS();
EXT_COMMAND(getoff,"","")
{
    ULONG Loaded = 0;
    ULONG UnLoaded = 0;
    m_Symbols->GetNumberModules(&Loaded,&UnLoaded);
    Out("No of Loaded Modules =%u\n" ,Loaded);
    Out("No of UnLoaded Modules =%u\n" ,UnLoaded);
    DEBUG_MODULE_PARAMETERS Mdprm[MAX_MOD] = {0}; //fix
    if(Loaded < MAX_MOD) 
    {
        for(ULONG i=0;i< Loaded;i++)
        {
            m_Symbols->GetModuleParameters(1,NULL,i,&Mdprm[i]);            
            Out("Base&Size Mod %2u %16I64x %8x\n",i,Mdprm[i].Base,Mdprm[i].Size);
        }
    }    
}

使用18362在win7 x86上编译并与vs2017 dev cmd提示链接包括

E:\sdk\getoff>cat complink.bat
cl /LD /nologo /W4 /Ox  /Zi /EHsc /IE:\windjs\windbg_18362\inc %1.cpp /link /EXPORT:DebugExtensionInitialize /Export:%1 /Export:help /RELEASE

导致

0:000> .load ./getoff.dll
0:000> !getoff
No of Loaded Modules =38
No of UnLoaded Modules =0
Base&Size Mod  0            90000    28000
Base&Size Mod  1         64ce0000   5e1000
Base&Size Mod  2         656c0000   190000
Base&Size Mod  3         65f80000    82000
Base&Size Mod  4         66010000    dc000
Base&Size Mod  5         662b0000     3000
Base&Size Mod  6         662c0000     5000
Base&Size Mod  7         662d0000     3000
Base&Size Mod  8         662f0000     3000
Base&Size Mod  9         66310000    10000
Base&Size Mod 10         66320000     3000
Base&Size Mod 11         667b0000     3000
Base&Size Mod 12         667c0000     3000
Base&Size Mod 13         66e80000     4000
Base&Size Mod 14         687d0000     4000
Base&Size Mod 15         68820000     4000
Base&Size Mod 16         68830000     3000
Base&Size Mod 17         68840000     3000
Base&Size Mod 18         6a200000     3000
Base&Size Mod 19         6a300000     3000
Base&Size Mod 20         6a340000     3000
Base&Size Mod 21         6a900000    10000
Base&Size Mod 22         6e660000     3000
Base&Size Mod 23         73b30000     4000
Base&Size Mod 24         74510000    2f000
Base&Size Mod 25         74890000     3000
Base&Size Mod 26         756f0000    17000
Base&Size Mod 27         75bc0000    4a000
Base&Size Mod 28         75f10000     a000
Base&Size Mod 29         761f0000    d4000
Base&Size Mod 30         76330000   15c000
Base&Size Mod 31         764d0000    c9000
Base&Size Mod 32         76790000    a1000
Base&Size Mod 33         76840000    9d000
Base&Size Mod 34         778b0000    8f000
Base&Size Mod 35         77940000    ac000
Base&Size Mod 36         779f0000   13c000
Base&Size Mod 37         77b40000    4e000
0:000>
于 2020-08-11T22:15:25.150 回答