!dh
The !dh extension displays the headers of the specified image.
Syntax
!dh [Options] Address
!dh -h
Parameters
Options
One of the following options:
-f
Displays the file header.
0:000> !dh kernel32 -f
File Type: DLL
FILE HEADER VALUES
14C machine (i386)
4 number of sections
506DBD3E time date stamp Fri Oct 05 00:45:50 2012
0 file pointer to symbol table
0 number of symbols
E0 size of optional header
2102 characteristics
Executable
32 bit word machine
DLL
OPTIONAL HEADER VALUES
10B magic #
9.00 linker version
C5000 size of code
E000 size of initialized data
0 size of uninitialized data
4CD6F address of entry point
1000 base of code
----- new -----
77250000 image base
1000 section alignment
1000 file alignment
3 subsystem (Windows CUI)
6.01 operating system version
6.01 image version
6.01 subsystem version
D4000 size of image
1000 size of headers
E1125 checksum
00040000 size of stack reserve
00001000 size of stack commit
00100000 size of heap reserve
00001000 size of heap commit
140 DLL characteristics
Dynamic base
NX compatible
B51C0 [ A9B1] address [size] of Export Directory
BFB74 [ 1F4] address [size] of Import Directory
C7000 [ 528] address [size] of Resource Directory
0 [ 0] address [size] of Exception Directory
0 [ 0] address [size] of Security Directory
C8000 [ B0B0] address [size] of Base Relocation Directory
C59B4 [ 38] address [size] of Debug Directory
0 [ 0] address [size] of Description Directory
0 [ 0] address [size] of Special Directory
0 [ 0] address [size] of Thread Storage Directory
82890 [ 40] address [size] of Load Configuration Directory
0 [ 0] address [size] of Bound Import Directory
1000 [ DFC] address [size] of Import Address Table Directory
0 [ 0] address [size] of Delay Import Directory
0 [ 0] address [size] of COR20 Header Directory
0 [ 0] address [size] of Reserved Directory
-s
Displays the section headers.
0:000> !dh kernel32 -s
SECTION HEADER #1
.text name
C4A15 virtual size
1000 virtual address
C5000 size of raw data
1000 file pointer to raw data
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
60000020 flags
Code
(no align specified)
Execute Read
Debug Directories(2)
Type Size Address Pointer
cv 25 c59f0 c59f0 Format: RSDS, guid, 2, kernel32.pdb
( 10) 4 c59ec c59ec
SECTION HEADER #2
.data name
FF0 virtual size
C6000 virtual address
1000 size of raw data
C6000 file pointer to raw data
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
C0000040 flags
Initialized Data
(no align specified)
Read Write
SECTION HEADER #3
.rsrc name
528 virtual size
C7000 virtual address
1000 size of raw data
C7000 file pointer to raw data
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
40000040 flags
Initialized Data
(no align specified)
Read Only
SECTION HEADER #4
.reloc name
B0B0 virtual size
C8000 virtual address
C000 size of raw data
C8000 file pointer to raw data
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
42000040 flags
Initialized Data
Discardable
(no align specified)
Read Only
-a
Displays all of the header information.
Address
Specifies the hexadecimal address of the image. (It is best to give the module name directly, e.g. kernel32, without the .dll suffix. If you give an address, it must be the start address of the image; !lmi, by contrast, accepts any address inside the module.)
0:000> .shell -ci "lm" find /I "kernel32"
77250000 77324000 kernel32 (deferred)
.shell: Process exited
0:000> !dh 77250001 -a
No file header
0:000> !dh 77250000 -a
File Type: DLL
FILE HEADER VALUES
-h
Displays the help text for this extension command in the Debugger Command window.
0:000> !dh -h
Usage: dh [options] address
Dumps headers from an image based at address
Options:
-a Dump everything
-f Dump file headers
-s Dump section headers
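To see where the values in the dumps above come from, the following added example (not part of the original page and not WinDbg code) parses a PE image the way !dh -f and !dh -s read it: DOS header, PE signature, IMAGE_FILE_HEADER, the optional header magic and entry point, and the section table. The sample image is constructed bytes whose header fields are copied from the kernel32 dump, and the offset check reproduces why "!dh 77250001 -a" reports "No file header".

```python
import struct
from datetime import datetime, timezone

# IMAGE_SCN_* section characteristic bits from winnt.h (the "flags" that !dh -s decodes).
SCN_FLAGS = {0x20: "Code", 0x40: "Initialized Data", 0x02000000: "Discardable",
             0x20000000: "Execute", 0x40000000: "Read", 0x80000000: "Write"}

def parse_pe(image: bytes, offset: int = 0):
    """Walk DOS header -> 'PE\\0\\0' -> IMAGE_FILE_HEADER -> section table, starting
    at `offset`. Returns None where !dh prints 'No file header' (e.g. image base + 1)."""
    if image[offset:offset + 2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", image, offset + 0x3C)
    pe = offset + e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        return None
    machine, nsect, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", image, pe + 4)
    opt = pe + 24                                   # optional header follows the 20-byte file header
    (magic,) = struct.unpack_from("<H", image, opt)             # 0x10B = PE32, 0x20B = PE32+
    (entry,) = struct.unpack_from("<I", image, opt + 16)        # AddressOfEntryPoint (both formats)
    sections = []
    for i in range(nsect):
        sh = opt + opt_size + 40 * i                # each IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", image, sh)
        (flags,) = struct.unpack_from("<I", image, sh + 36)
        sections.append({"name": name.rstrip(b"\0").decode(), "virtual_size": vsize,
                         "virtual_address": va, "raw_size": rawsize, "raw_pointer": rawptr,
                         "flags": flags, "attrs": [v for k, v in SCN_FLAGS.items() if flags & k]})
    return {"machine": machine, "is_dll": bool(chars & 0x2000), "characteristics": chars,
            "timestamp": stamp, "magic": magic, "entry_point": entry, "sections": sections,
            "time_utc": datetime.fromtimestamp(stamp, timezone.utc).isoformat()}

def build_sample_image() -> bytes:
    """Constructed bytes (not a real DLL): the header values are copied from the kernel32
    dump on this page so the parsed result can be compared with the !dh output by eye."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0x506DBD3E, 0, 0, 0xE0, 0x2102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 14 + struct.pack("<I", 0x4CD6F)
    opt += b"\0" * (0xE0 - len(opt))                                    # pad to SizeOfOptionalHeader
    sec = struct.pack("<8sIIIIIIHHI", b".text", 0xC4A15, 0x1000, 0xC5000, 0x1000, 0, 0, 0, 0, 0x60000020)
    sec += struct.pack("<8sIIIIIIHHI", b".data", 0xFF0, 0xC6000, 0x1000, 0xC6000, 0, 0, 0, 0, 0xC0000040)
    return dos + b"PE\0\0" + file_hdr + opt + sec

if __name__ == "__main__":
    img = build_sample_image()
    print(parse_pe(img, 1))        # None, just as '!dh 77250001 -a' gives 'No file header'
    for s in parse_pe(img)["sections"]:
        print(f"{s['name']:8} {s['virtual_address']:6X} {s['virtual_size']:6X} {' '.join(s['attrs'])}")
```

The time stamp is rendered in UTC here; WinDbg shows it in the debugger's local time zone, which is why the dump above reads Oct 05 00:45:50.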
!lmi
The !lmi extension displays detailed information about a module.
Syntax
!lmi Module
Parameters
Module
Specifies a loaded module by name or by base address (any address within the module's address range is accepted).
0:000> !lmi kernel32
Loaded Module Info: [kernel32]
Module: kernel32
Base Address: 77250000
Image Name: C:\windows\system32\kernel32.dll
Machine Type: 332 (I386)
Time Stamp: 506dbd3e Fri Oct 05 00:45:50 2012
Size: d4000
CheckSum: e1125
Characteristics: 2102
Debug Data Dirs: Type Size VA Pointer
CODEVIEW 25, c59f0, c59f0 RSDS - GUID: {92AC7109-B0A9-4163-9805-C6AB38E38F99}
Age: 2, Pdb: kernel32.pdb
CLSID 4, c59ec, c59ec [Data not mapped]
Symbol Type: DEFERRED - No error - symbol load deferred
Load Report: no symbols loaded
0:000> !lmi 772500ee
Loaded Module Info: [772500ee]
Module: kernel32
Base Address: 77250000
Image Name: C:\windows\system32\kernel32.dll
Machine Type: 332 (I386)
Time Stamp: 506dbd3e Fri Oct 05 00:45:50 2012
Size: d4000
CheckSum: e1125
Characteristics: 2102
Debug Data Dirs: Type Size VA Pointer
CODEVIEW 25, c59f0, c59f0 RSDS - GUID: {92AC7109-B0A9-4163-9805-C6AB38E38F99}
Age: 2, Pdb: kernel32.pdb
CLSID 4, c59ec, c59ec [Data not mapped]
Symbol Type: DEFERRED - No error - symbol load deferred
Load Report: no symbols loaded