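While debugging, you often need to know which modules the current process has loaded and the address range each module's code occupies; the lm command shows this. Taking notepad as an example, entering lm prints: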
0:001> lm
start end module name
00830000 00858000 notepad (pdb symbols) c:\debuggers\externalsymbols\notepad.pdb\7DAC7B3D7D1D4E68BE2132EAB080D42C2\notepad.pdb
70990000 709d2000 WINSPOOL (export symbols) C:\Windows\system32\WINSPOOL.DRV
738c0000 738ff000 uxtheme (pdb symbols) c:\debuggers\externalsymbols\UxTheme.pdb\D6B5A4E899AF4946BA6E4611D58409C02\UxTheme.pdb
74a80000 74c1d000 COMCTL32 (export symbols) C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.16497_none_5cc0004408832c27\COMCTL32.dll
75e30000 75e7b000 GDI32 (export symbols) C:\Windows\system32\GDI32.dll
75ec0000 75f32000 COMDLG32 (export symbols) C:\Windows\system32\COMDLG32.dll
75f40000 75fdd000 USER32 (pdb symbols) c:\debuggers\externalsymbols\user32.pdb\750E7375884C4EA592C8B0C8ADB018542\user32.pdb
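(... rest omitted)
The output above shows that the uxtheme.dll module is loaded at addresses 738c0000 ~ 738ff000.
In addition, the lmf command shows the full path of each DLL/EXE.
If the lm list is long and you want to filter for the modules you are interested in, use lm m followed by a pattern expression.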
0:001> lm m *theme*
start end module name
738c0000 738ff000 uxtheme (pdb symbols) c:\debuggers\externalsymbols\UxTheme.pdb\D6B5A4E899AF4946BA6E4611D58409C02\UxTheme.pdb
To see detailed information about the module (version, date, and so on), add the v option and use the lmvm command:
0:001> lmvm *theme*
start end module name
738c0000 738ff000 uxtheme (pdb symbols) c:\debuggers\externalsymbols\UxTheme.pdb\D6B5A4E899AF4946BA6E4611D58409C02\UxTheme.pdb
Loaded symbol image file: C:\Windows\system32\uxtheme.dll
Image path: C:\Windows\system32\uxtheme.dll
Image name: uxtheme.dll
Timestamp: Fri Jan 18 23:32:10 2008 (4791A77A)
CheckSum: 0004868F
ImageSize: 0003F000
File version: 6.0.6001.18000
Product version: 6.0.6001.18000
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 2.0 Dll
File date: 00000000.00000000
Translations: 0409.04b0
CompanyName: Microsoft Corporation
ProductName: Microsoft® Windows® Operating System
InternalName: UxTheme.dll
OriginalFilename: UxTheme.dll
ProductVersion: 6.0.6001.18000
FileVersion: 6.0.6001.18000 (longhorn_rtm.080118-1840)
FileDescription: Microsoft UxTheme Library
LegalCopyright: © Microsoft Corporation. All rights reserved.
To see the detailed debug file (PDB) information for uxtheme.dll, use the !lmi command:
0:001> !lmi uxtheme
Loaded Module Info: [uxtheme]
Module: uxtheme
Base Address: 738c0000
Image Name: C:\Windows\system32\uxtheme.dll
Machine Type: 332 (I386)
Time Stamp: 4791a77a Fri Jan 18 23:32:10 2008
Size: 3f000
CheckSum: 4868f
Characteristics: 2102 perf
Debug Data Dirs: Type Size VA Pointer
CODEVIEW 24, 375a0, 369a0 RSDS - GUID: {D6B5A4E8-99AF-4946-BA6E-4611D58409C0}
Age: 2, Pdb: UxTheme.pdb
CLSID 4, 3759c, 3699c [Data not mapped]
Image Type: FILE - Image read successfully from debugger.
C:\Windows\system32\uxtheme.dll
Symbol Type: PDB - Symbols loaded successfully from symbol server.
c:\debuggers\externalsymbols\UxTheme.pdb\D6B5A4E899AF4946BA6E4611D58409C02\UxTheme.pdb
Load Report: public symbols , not source indexed
c:\debuggers\externalsymbols\UxTheme.pdb\D6B5A4E899AF4946BA6E4611D58409C02\UxTheme.pdb
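As an added example (not part of the original post), the Python code below parses lm rows, maps an address to the module that contains it, and cross-checks the uxtheme row against the !lmi report: end minus start should equal Size, and the PDB directory name should be the GUID without dashes followed by Age. The sample text is copied from the output above; the function names are hypothetical, and Age is assumed to be printed in hexadecimal.

```python
import re

# Constructed sample: rows copied from the lm and !lmi output shown above.
LM_OUTPUT = r"""start end module name
00830000 00858000 notepad (pdb symbols) c:\debuggers\externalsymbols\notepad.pdb\7DAC7B3D7D1D4E68BE2132EAB080D42C2\notepad.pdb
738c0000 738ff000 uxtheme (pdb symbols) c:\debuggers\externalsymbols\UxTheme.pdb\D6B5A4E899AF4946BA6E4611D58409C02\UxTheme.pdb
75e30000 75e7b000 GDI32 (export symbols) C:\Windows\system32\GDI32.dll
"""
LMI_OUTPUT = r"""Size: 3f000
CODEVIEW 24, 375a0, 369a0 RSDS - GUID: {D6B5A4E8-99AF-4946-BA6E-4611D58409C0}
Age: 2, Pdb: UxTheme.pdb
"""

LM_ROW = re.compile(r"^([0-9a-f`]+)\s+([0-9a-f`]+)\s+(\S+)\s+\(([^)]*)\)\s*(.*)$", re.I)

def parse_lm(text):
    """Return one dict per module row; 64-bit addresses may contain a backtick."""
    modules = []
    for line in text.splitlines():
        m = LM_ROW.match(line.strip())
        if m:
            start, end = (int(x.replace("`", ""), 16) for x in m.group(1, 2))
            modules.append({"start": start, "end": end, "name": m.group(3),
                            "symbols": m.group(4), "path": m.group(5)})
    return modules

def module_for(modules, address):
    """Map an address to the module whose [start, end) range contains it."""
    for mod in modules:
        if mod["start"] <= address < mod["end"]:
            return mod["name"]
    return None  # not inside any listed image

def pdb_store_key(lmi_text):
    """Build the symbol-store directory name: GUID without dashes + Age in hex."""
    guid = re.search(r"GUID:\s*\{([0-9A-Fa-f-]+)\}", lmi_text).group(1)
    age = int(re.search(r"Age:\s*([0-9A-Fa-f]+)", lmi_text).group(1), 16)
    return guid.replace("-", "").upper() + format(age, "X")

def check_module(modules, name, lmi_text):
    """Cross-check one module's lm row against its !lmi report."""
    mod = next(m for m in modules if m["name"].lower() == name.lower())
    size = int(re.search(r"^Size:\s*([0-9a-f]+)", lmi_text, re.I | re.M).group(1), 16)
    return {"size_matches": mod["end"] - mod["start"] == size,
            "pdb_matches": pdb_store_key(lmi_text) in mod["path"].upper().split("\\")}
```

An address that maps to no module, or a module whose PDB key does not match its image, is worth a closer look during crash or memory-dump triage.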
This article is reposted from Chen Benfeng's 51CTO blog. Original link: http://blog.51cto.com/wingeek/273939. To republish it, please contact the original author.