Dumping all VADs of a process on Windows 7
Tags: windows-7, windbg

I want to get a memory dump of a specific process. I found that every Windows process has a VadRoot in its EPROCESS, and I got some information about this structure with WinDbg:
kd> dt nt!_MMVAD fffffa801b7011d0
+0x000 u1 : <unnamed-tag>
+0x008 LeftChild : (null)
+0x010 RightChild : (null)
+0x018 StartingVpn : 0x7fefe440
+0x020 EndingVpn : 0x7fefe4b0
+0x028 u : <unnamed-tag>
+0x030 PushLock : _EX_PUSH_LOCK
+0x038 u5 : <unnamed-tag>
+0x040 u2 : <unnamed-tag>
+0x048 Subsection : 0xfffffa80`19f62640 _SUBSECTION
+0x048 MappedSubsection : 0xfffffa80`19f62640 _MSUBSECTION
+0x050 FirstPrototypePte : 0xfffff8a0`00b3ac28 _MMPTE
+0x058 LastContiguousPte : 0xffffffff`fffffffc _MMPTE
+0x060 ViewLinks : _LIST_ENTRY [ 0xfffffa80`1b7a38c0 - 0xfffffa80`1aa6d6a0 ]
+0x070 VadsProcess : 0xfffffa80`1b7e8941 _EPROCESS
It is Win7 64-bit.
I guess StartingVpn: 0x7fefe440 contains the memory contents of this block.
But is this a virtual address, or a physical address? I don't know
what it represents.
Thanks.

VAD is short for Virtual Address Descriptor and VPN is short for Virtual Page Number. So it is a virtual address, not a physical address. You need the PTE (page table entry) to convert it to a physical address. Given a user-mode address that I found in a user-mode debugging session:
0:032> !address
[...]
+ 7ff`fffdc000 7ff`fffde000 0`00002000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE TEB [~1; 13ec.10fc]
0:032> dd 7ff`fffde000 L8
000007ff`fffde000 00000000 00000000 00240000 00000000
000007ff`fffde010 0022b000 00000000 00000000 00000000
I can do this in a kernel debugging session with the following commands:

Note how the contents at the virtual address (dd) and at the physical address (dd /p) are the same.

Locate the process:
lkd> !process 0 0 explorer.exe
PROCESS 8a1908d0 ...... Image: explorer.exe
Set the process context:
lkd> .process /p /r 8a1908d0
View the desired module:
lkd> lm m explorer
start end module name
01000000 010ff000 Explorer (deferred)
Get the VAD root for a virtual address in the current process context:
lkd> !vad explorer 1
VAD @ 8a120ed0
Start VPN 1000 End VPN 10fe Control Area 8a81ab80
FirstProtoPte e23e9048 LastPte fffffffc Commit Charge 3 (3.)
Secured.Flink 0 Blink 0 Banked/Extend 0
File Offset 0
ImageMap ViewShare EXECUTE_WRITECOPY
ReadOnly
ControlArea @ 8a81ab80
Segment e23e9008 Flink 00000000 Blink 00000000
Section Ref 1 Pfn Ref 4d Mapped Views 1
User Ref 2 WaitForDel 0 Flush Count 0
File Object 8ab28240 ModWriteCount 0 System Views 0
Flags (90000a0) Image File HadUserReference Accessed
\WINDOWS\explorer.exe
Segment @ e23e9008
ControlArea 8a81ab80 BasedAddress 01000000
Total Ptes ff
WriteUserRef 0 SizeOfSegment ff000
Committed 0 PTE Template 8a81ac3000000420
Based Addr 1000000 Image Base 0
Image Commit 2 Image Info e23e9840
ProtoPtes e23e9048
Reload command: .reload explorer.exe=01000000,ff000
Dump all VADs of the current process context:
lkd> !vad 8a120ed0 0
VAD level start end commit
8a03b1d8 ( 3) e50 e51 0 Mapped READONLY Pagefile-backed section
8a6fe240 ( 4) e60 e6f 0 Mapped READWRITE Pagefile-backed section
................................
89c86600 ( 5) ff0 ff0 1 Private READWRITE
8a120ed0 ( 0) 1000 10fe 3 Mapped Exe EXECUTE_WRITECOPY \WINDOWS\explorer.exe
.................................
8a87bb18 ( 7) 26d0 2733 0 Mapped READWRITE \Documents and Settings\Admin\Local Settings\History\History.IE5\index.dat
8a74b420 ( 0) 3e1c0 3ec52 10 Mapped Exe EXECUTE_WRITECOPY \WINDOWS\system32\ieframe.dll
8abfa398 ( 1) 7ffde 7ffde 1 Private READWRITE
Total VADs: 1231, average level: 5, maximum depth: 4294967295

Comments

Yes and yes.. So how can I convert a VPN to a virtual address on 64-bit Windows... Thanks :)

I'll try to describe it with an example later. !vtop, !ptov, .process /p and !pte are the relevant WinDbg commands.

OK, I'm really looking forward to your explanation. Thanks :) By the way, I found that I can retrieve the virtual address by multiplying the VPN by 0x1000 on x86 but not on x64. Please explain it for the 64-bit version. Thank you very much.

@JaeHyukLee: 0x1000 is 4k, the page size

Yes, yes, the page size is right. But what about x64?

If you want a memory dump of a process, why don't you attach WinDbg as a user-mode debugger and do .dump /ma? Please provide more context.

Aha, that's a nice approach, but I'm implementing this technique on a hypervisor. I'm just testing it in kernel-mode WinDbg because I'm actually new to Windows :(
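The two threads above (the first answer's point that a VPN is a virtual page number, and the x64 question in the comments) come down to the same arithmetic: the page size is 4 KiB on both x86 and x64, so VA = VPN << 12 in both cases. StartingVpn 0x7fefe440 from the question's dt output is therefore the 64-bit user address 0x7fefe440000, and the entry 7ffde in the x86 !vad listing is 0x7ffde000. The program below is an added example, not code from the question or from either answer: it models only the _MMVAD fields a walk needs (LeftChild, RightChild, StartingVpn, EndingVpn, using the names from the dt output), inserts the VPN ranges that appear on this page (constructed samples taken from the x86 !vad listing, the x64 dt output and the !address output; commit charge and VAD addresses are not modelled), performs the in-order traversal that "!vad <root> 0" performs, and looks up the VAD containing a given address. It is a portable user-mode model of the data structure; the kernel's tree is an AVL tree, and reading it from a hypervisor means fetching these fields at the offsets shown in the dt output from guest memory, which is not done here.

```c
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12                      /* 4 KiB pages on x86 and x64 alike */
#define PAGE_SIZE  (1ULL << PAGE_SHIFT)
#define MAX_VADS   64

/* Minimal model of the _MMVAD fields a walk needs. Names follow the
 * dt nt!_MMVAD output on this page (+0x008, +0x010, +0x018, +0x020 on Win7 x64);
 * the real structure carries many more fields and lives in kernel memory. */
typedef struct MMVAD {
    struct MMVAD *LeftChild;
    struct MMVAD *RightChild;
    uint64_t      StartingVpn;    /* first page of the range */
    uint64_t      EndingVpn;      /* last page of the range, inclusive */
    const char   *desc;           /* what !vad prints after the commit column */
} MMVAD;

uint64_t vpn_to_va(uint64_t vpn)      { return vpn << PAGE_SHIFT; }
uint64_t va_to_vpn(uint64_t va)       { return va >> PAGE_SHIFT; }
uint64_t vad_start_va(const MMVAD *v) { return vpn_to_va(v->StartingVpn); }
uint64_t vad_end_va(const MMVAD *v)   { return vpn_to_va(v->EndingVpn + 1) - 1; }
uint64_t vad_size(const MMVAD *v)     { return (v->EndingVpn - v->StartingVpn + 1) * PAGE_SIZE; }

/* Plain BST insert keyed on StartingVpn. The kernel keeps this tree
 * balanced (AVL on Win7); balancing does not change how it is read. */
MMVAD *vad_insert(MMVAD *root, MMVAD *n) {
    if (!root) return n;
    if (n->StartingVpn < root->StartingVpn) root->LeftChild  = vad_insert(root->LeftChild, n);
    else                                    root->RightChild = vad_insert(root->RightChild, n);
    return root;
}

/* Descend from the root to the VAD whose page range contains va, or NULL
 * when no VAD covers the address (unallocated in this process). */
const MMVAD *vad_lookup(const MMVAD *root, uint64_t va) {
    uint64_t vpn = va_to_vpn(va);
    while (root) {
        if (vpn < root->StartingVpn)    root = root->LeftChild;
        else if (vpn > root->EndingVpn) root = root->RightChild;
        else                            return root;
    }
    return NULL;
}

/* In-order walk: ranges come out sorted by address, the order "!vad <root> 0"
 * prints them; lv[] receives the depth shown in parentheses in that listing. */
static size_t inorder(const MMVAD *v, int level, const MMVAD **out, int *lv, size_t cap, size_t n) {
    if (!v) return n;
    n = inorder(v->LeftChild, level + 1, out, lv, cap, n);
    if (n < cap) { out[n] = v; lv[n] = level; }
    n++;
    return inorder(v->RightChild, level + 1, out, lv, cap, n);
}
size_t vad_list(const MMVAD *root, const MMVAD **out, int *lv, size_t cap) {
    return inorder(root, 0, out, lv, cap, 0);
}
/* 1 when the in-order listing is ascending and no two ranges overlap. */
int vad_list_sorted(const MMVAD *root) {
    const MMVAD *out[MAX_VADS]; int lv[MAX_VADS];
    size_t n = vad_list(root, out, lv, MAX_VADS);
    if (n > MAX_VADS) return 0;
    for (size_t i = 1; i < n; i++)
        if (out[i]->StartingVpn <= out[i - 1]->EndingVpn) return 0;
    return 1;
}

/* Constructed samples: VPN ranges copied from the listings on this page.
 * The x86 image VAD 1000-10fe is inserted first so it becomes the root, as in the listing. */
static MMVAD x86_vads[] = {
    {0, 0, 0x1000,  0x10fe,  "Mapped Exe EXECUTE_WRITECOPY \\WINDOWS\\explorer.exe"},
    {0, 0, 0xe50,   0xe51,   "Mapped READONLY Pagefile-backed section"},
    {0, 0, 0xe60,   0xe6f,   "Mapped READWRITE Pagefile-backed section"},
    {0, 0, 0xff0,   0xff0,   "Private READWRITE"},
    {0, 0, 0x26d0,  0x2733,  "Mapped READWRITE index.dat"},
    {0, 0, 0x3e1c0, 0x3ec52, "Mapped Exe EXECUTE_WRITECOPY \\WINDOWS\\system32\\ieframe.dll"},
    {0, 0, 0x7ffde, 0x7ffde, "Private READWRITE"},
};
static MMVAD x64_vads[] = {   /* Win7 x64: the VAD from the question and the TEB from !address */
    {0, 0, 0x7fefe440, 0x7fefe4b0, "VAD fffffa801b7011d0 from the question"},
    {0, 0, 0x7fffffdc, 0x7fffffdd, "MEM_PRIVATE PAGE_READWRITE TEB"},
};

static MMVAD *build(MMVAD *arr, size_t n) {
    MMVAD *root = NULL;
    for (size_t i = 0; i < n; i++) {
        arr[i].LeftChild = arr[i].RightChild = NULL;   /* make rebuilds idempotent */
        root = vad_insert(root, &arr[i]);
    }
    return root;
}
MMVAD *build_x86_tree(void) { return build(x86_vads, sizeof x86_vads / sizeof *x86_vads); }
MMVAD *build_x64_tree(void) { return build(x64_vads, sizeof x64_vads / sizeof *x64_vads); }

void dump_vads(const MMVAD *root) {
    const MMVAD *out[MAX_VADS]; int lv[MAX_VADS];
    size_t n = vad_list(root, out, lv, MAX_VADS);
    for (size_t i = 0; i < n && i < MAX_VADS; i++)
        printf("(%d) VPN %llx-%llx  VA %llx-%llx  %llx bytes  %s\n", lv[i],
               (unsigned long long)out[i]->StartingVpn, (unsigned long long)out[i]->EndingVpn,
               (unsigned long long)vad_start_va(out[i]), (unsigned long long)vad_end_va(out[i]),
               (unsigned long long)vad_size(out[i]), out[i]->desc);
}

int main(void) {
    puts("x86 tree (from the !vad listing):");            dump_vads(build_x86_tree());
    puts("x64 tree (from the dt and !address output):");  dump_vads(build_x64_tree());
    const MMVAD *v = vad_lookup(build_x64_tree(), 0x7fefe440000ULL + 0x1234);
    printf("0x7fefe441234 lies in the VAD starting at VA %llx\n", v ? (unsigned long long)vad_start_va(v) : 0ULL);
    return 0;
}
```

The lookup is the same descent the kernel performs to find the VAD for a faulting address: compare the page number against StartingVpn and EndingVpn and go left or right. The size of the question's VAD is (0x7fefe4b0 - 0x7fefe440 + 1) pages, 0x71000 bytes, and its last byte is 0x7fefe4b0fff; an address that falls in a gap between two ranges (for instance 0x010ff000 in the x86 sample, just past the explorer image) yields NULL, which is what distinguishes unmapped from mapped memory when building a dump from the VAD tree.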