windows: How do I find a memory mapped file's name in WinDbg?

Disclaimer: this page is a Chinese-English bilingual translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 licence. If you use it you must follow the same CC BY-SA terms, cite the original URL and author information, and attribute it to the original author (not me). StackOverflow original: http://stackoverflow.com/questions/4228319/
Warning: these are provided under the cc-by-sa 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me): StackOverflow

Date: 2020-09-15 15:37:49  Source: igfitidea

How do I find a memory mapped file's name in WinDbg?

Tags: windows, memory, memory-management, windbg

Asked by Sean

When I look at my process in VMMap, I can see the filenames of memory mapped files. I'm now analysing a memory dump in WinDbg and would like to know the filenames of memory mapped files. How can I find this from WinDbg or a .dmp file?

Answered by snoone

!address -f:FileMap works in live debugging.

You can see the !address docs for more details about other flags you can use to refine the output.

Answered by Liran

Basically, once you manage to obtain the handle to your memory mapped file, you could view some relevant data (including its name) using the !handle <address> 0xF command.
If you don't have a specific handle, but just want to view the names of the existing memory mapped files in the process, you could use the following command: !handle 0 0x4 Section,
which should provide you with an output similar to this one:

Handle 6bc
  Name          \BaseNamedObjects\NLS_CodePage_862_3_2_0_0
Handle 6cc
  Name          \BaseNamedObjects\MyMap
Handle 794
  Name          \BaseNamedObjects\Cor_Private_IPCBlock_v4_4092
Handle 798
  Name          \BaseNamedObjects\Cor_SxSPublic_IPCBlock_4092
Handle 7cc
  Name          \BaseNamedObjects\ShimSharedMemory
5 handles of type Section

If you'd like to view the actual filename, you could issue the !handle command in a kernel debugger to view some information about the system objects that correspond to your File handles.
For example:

lkd> !handle 0 0x3 2c4 File

Searching for Process with Cid == 2c4
Searching for handles of type File
PROCESS 89242da0  SessionId: 0  Cid: 02c4    Peb: 7ffdd000  ParentCid: 0b48
    DirBase: 0a640dc0  ObjectTable: e1c361d0  HandleCount:  83.
    Image: ConsoleApplication1.exe

Handle table at e11f6000 with 83 entries in use

000c: Object: 86a74868  GrantedAccess: 00100020 (Inherit) Entry: e11f6018
Object: 86a74868  Type: (89e2a730) File
    ObjectHeader: 86a74850 (old version)
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \Foo\Bar {HarddiskVolume2}

06d0: Object: 8669c4b8  GrantedAccess: 00100083 Entry: e11f6da0
Object: 8669c4b8  Type: (89e2a730) File
    ObjectHeader: 8669c4a0 (old version)
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \wubildr {HarddiskVolume1}

06d4: Object: 86bf1f58  GrantedAccess: 00120089 Entry: e11f6da8
Object: 86bf1f58  Type: (89e2a730) File
    ObjectHeader: 86bf1f40 (old version)
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \WINDOWS\assembly\pubpol6.dat {HarddiskVolume1}

06dc: Object: 892c43e0  GrantedAccess: 00120089 Entry: e11f6db8
Object: 892c43e0  Type: (89e2a730) File
    ObjectHeader: 892c43c8 (old version)
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \WINDOWS\assembly\NativeImages_v4.0.30319_32\index1fe.dat {HarddiskVolume1}

06ec: Object: 892cf1f8  GrantedAccess: 00100001 Entry: e11f6dd8
Object: 892cf1f8  Type: (89e2a730) File
    ObjectHeader: 892cf1e0 (old version)
        HandleCount: 1  PointerCount: 1
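Both answers above rely on reading the !handle output by eye. When a dump is triaged repeatedly, it is more convenient to save the debugger session with .logopen and extract the names from the transcript. The following parser is an added example, not code from either answer or from WinDbg itself: it reads the two output formats shown in Liran's answer (the user-mode "!handle 0 0x4 Section" listing and the kernel-mode "!handle 0 0x3 2c4 File" listing), maps each handle to its object name, keeps the volume tag from the kernel output, and flags a truncated log when the trailer count does not match the entries found. The sample text is copied from the answer's own output (the last kernel entry is cut short exactly as it is on the page); the function names are my own.

```python
import re
from typing import Dict, List, Optional

# Sample output reproduced from the answer above (user-mode "!handle 0 0x4 Section").
SECTION_LISTING = r"""
Handle 6bc
  Name          \BaseNamedObjects\NLS_CodePage_862_3_2_0_0
Handle 6cc
  Name          \BaseNamedObjects\MyMap
Handle 794
  Name          \BaseNamedObjects\Cor_Private_IPCBlock_v4_4092
Handle 798
  Name          \BaseNamedObjects\Cor_SxSPublic_IPCBlock_4092
Handle 7cc
  Name          \BaseNamedObjects\ShimSharedMemory
5 handles of type Section
"""

# Sample output reproduced from the same answer (kernel-mode "!handle 0 0x3 2c4 File").
# The last entry has no Name line because the page's output stops there.
FILE_LISTING = r"""
000c: Object: 86a74868  GrantedAccess: 00100020 (Inherit) Entry: e11f6018
Object: 86a74868  Type: (89e2a730) File
    ObjectHeader: 86a74850 (old version)
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \Foo\Bar {HarddiskVolume2}

06d4: Object: 86bf1f58  GrantedAccess: 00120089 Entry: e11f6da8
Object: 86bf1f58  Type: (89e2a730) File
    ObjectHeader: 86bf1f40 (old version)
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \WINDOWS\assembly\pubpol6.dat {HarddiskVolume1}

06ec: Object: 892cf1f8  GrantedAccess: 00100001 Entry: e11f6dd8
Object: 892cf1f8  Type: (89e2a730) File
    ObjectHeader: 892cf1e0 (old version)
        HandleCount: 1  PointerCount: 1
"""

# User-mode listing: "Handle <hex>" followed by an indented "Name <object name>" line.
HANDLE_RE = re.compile(r"^Handle ([0-9a-fA-F]+)\s*$")
NAME_RE = re.compile(r"^\s*Name\s+(\S.*?)\s*$")
COUNT_RE = re.compile(r"^(\d+) handles of type (\w+)\s*$")

# Kernel listing: one entry per handle, each spanning several indented lines.
ENTRY_RE = re.compile(r"^([0-9a-fA-F]+): Object: ([0-9a-fA-F]+)\s+GrantedAccess: ([0-9a-fA-F]+)")
TYPE_RE = re.compile(r"^Object: [0-9a-fA-F]+\s+Type: \([0-9a-fA-F]+\) (\w+)")
KNAME_RE = re.compile(r"Name: (.*?)(?: \{(\w+)\})?\s*$")


def parse_section_listing(text: str) -> Dict[str, Optional[str]]:
    """Map each Section handle to its object name (None for an unnamed section).

    Raises ValueError when the "N handles of type" trailer disagrees with the
    number of entries parsed, which usually means the saved log was truncated.
    """
    handles: Dict[str, Optional[str]] = {}
    current: Optional[str] = None
    declared: Optional[int] = None
    for line in text.splitlines():
        m = HANDLE_RE.match(line)
        if m:
            current = m.group(1).lower()
            handles[current] = None
            continue
        m = NAME_RE.match(line)
        if m and current is not None:
            handles[current] = m.group(1)
            continue
        m = COUNT_RE.match(line)
        if m:
            declared = int(m.group(1))
    if declared is not None and declared != len(handles):
        raise ValueError(f"trailer says {declared} handles, parsed {len(handles)}")
    return handles


def parse_kernel_file_listing(text: str) -> List[dict]:
    """Return one dict per kernel !handle entry: handle, object, access, type, name, volume."""
    entries: List[dict] = []
    cur: Optional[dict] = None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            cur = {"handle": m.group(1).lower(), "object": m.group(2).lower(),
                   "access": int(m.group(3), 16), "type": None, "name": None, "volume": None}
            entries.append(cur)
            continue
        if cur is None:
            continue
        m = TYPE_RE.match(line)
        if m:
            cur["type"] = m.group(1)
            continue
        m = KNAME_RE.search(line)
        if m:
            cur["name"] = m.group(1)
            cur["volume"] = m.group(2)  # None when no {HarddiskVolumeN} tag is present
    return entries


def named_files(entries: List[dict]) -> List[str]:
    """Names of the File objects that actually carry a name (truncated entries are skipped)."""
    return [e["name"] for e in entries if e["type"] == "File" and e["name"]]


if __name__ == "__main__":
    for handle, name in parse_section_listing(SECTION_LISTING).items():
        print(f"section {handle}: {name or '<unnamed>'}")
    for e in parse_kernel_file_listing(FILE_LISTING):
        print(f"file {e['handle']}: {e['name'] or '<no name in log>'} on {e['volume']}")
```

Note that the Section names from user mode are object-manager names (\BaseNamedObjects\...), not file paths; only the kernel-mode File entries give the backing file name, and even there an entry without a Name line (as in the cut-off last entry) is reported as missing rather than guessed.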