Find executable having its Crash Dump.
Problem description
Greetings,
I have a crash dump of some executable. Is it possible to "extract" the executable's fingerprint/checksum from it and then calculate the same checksum for several different executables, looking for a match?
In general, I need to do something like the symchk utility that comes with the Debugging Tools for Windows...
Best regards...
Solution
0:000> !chkimg notepad
0 errors : notepad
0:000> lm vm notepad
start    end        module name
00080000 000b0000   notepad    (deferred)
    Image path: notepad.exe
    Image name: notepad.exe
    Timestamp:        Tue Jul 14 03:41:03 2009 (4A5BC60F)
    CheckSum:         00039741
    ImageSize:        00030000
    File version:     6.1.7600.16385
    Product version:  6.1.7600.16385
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        1.0 App
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Windows® Operating System
    InternalName:     Notepad
    OriginalFilename: NOTEPAD.EXE
    ProductVersion:   6.1.7600.16385
    FileVersion:      6.1.7600.16385 (win7_rtm.090713-1255)
    FileDescription:  Notepad
    LegalCopyright:   © Microsoft Corporation. All rights reserved.
0:000> !for_each_module .echo @#ModuleName @#Checksum
notepad 00039741
WINSPOOL 00053d1a
COMCTL32 001a0a38
VERSION 000138c1
KERNELBASE 00047684
LPK 000093af
RPCRT4 000aeb3b
GDI32 0004db62
ADVAPI32 000a29ff
kernel32 000e0558
COMDLG32 00081828
USP10 000a22e6
OLEAUT32 0008d63a
SHELL32 00c49767
msvcrt 000ae448
USER32 000cafcb
ole32 00166f16
ntdll 0014700f
SHLWAPI 0005a8d4
sechost 00025332
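The answer above shows where the identity lives: `lm vm` reads the TimeDateStamp, CheckSum and ImageSize (SizeOfImage) fields out of the module's PE header in the dump. The same three fields are in the IMAGE_NT_HEADERS of every PE file on disk, so "looking for a match" means reading the triple from each candidate file and comparing it with the dump's values; this is the same key symchk and the symbol server use (timestamp plus SizeOfImage). The script below is an example added here by the editor, not code from the original answer: it parses the three `lm vm` lines (a constructed sample copied from the output above), reads the triple from candidate PE images, recomputes the header CheckSum with the imagehlp CheckSumMappedFile algorithm, and runs offline against a constructed minimal PE32 built in memory. All function names and the fixture are assumptions of this example. It also shows the caveat a practitioner wants: the triple identifies the build, not the bytes, so a copy with one patched .text byte and an untouched header still matches; the recomputed CheckSum catches that only when the patcher did not update the field, and the field is legitimately zero in many non-Microsoft binaries, so it is a consistency check, not a cryptographic hash.

```python
# Editor-added example (not from the original answer): match PE files on disk against
# the TimeDateStamp / CheckSum / SizeOfImage triple that `lm vm` reports from a dump.
import re
import struct
# Constructed sample: the three identity lines from the `lm vm notepad` output above.
LM_VM_SAMPLE = """\
Timestamp:        Tue Jul 14 03:41:03 2009 (4A5BC60F)
CheckSum:         00039741
ImageSize:        00030000
"""
_LM_FIELDS = {
    "timestamp": re.compile(r"Timestamp:.*\(([0-9A-Fa-f]{8})\)"),
    "checksum": re.compile(r"CheckSum:\s*([0-9A-Fa-f]{8})"),
    "size_of_image": re.compile(r"ImageSize:\s*([0-9A-Fa-f]{8})"),
}
_TRIPLE = ("timestamp", "checksum", "size_of_image")

def parse_lm_vm(text: str) -> dict:
    """Extract the hex identity triple from WinDbg `lm vm` output."""
    found = {}
    for key, rx in _LM_FIELDS.items():
        m = rx.search(text)
        if not m:
            raise ValueError(f"{key} not present in lm output")
        found[key] = int(m.group(1), 16)
    return found

def _nt_headers(data: bytes) -> int:          # offset of "PE\0\0" (e_lfanew); raises on non-PE input
    nt = struct.unpack_from("<I", data, 0x3C)[0] if data[:2] == b"MZ" else -1
    if nt < 0 or data[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    return nt

def pe_identity(data: bytes) -> dict:
    """Triple from IMAGE_NT_HEADERS; SizeOfImage (+56) and CheckSum (+64) offsets are the same in PE32 and PE32+."""
    nt = _nt_headers(data)
    timestamp = struct.unpack_from("<I", data, nt + 8)[0]   # IMAGE_FILE_HEADER.TimeDateStamp
    size_of_image, _, checksum = struct.unpack_from("<III", data, nt + 24 + 56)
    return {"timestamp": timestamp, "checksum": checksum, "size_of_image": size_of_image}

def pe_checksum(data: bytes) -> int:
    """imagehlp CheckSumMappedFile: end-around-carry dword sum (CheckSum field skipped), folded to 16 bits, plus file length."""
    skip = (_nt_headers(data) + 24 + 64) // 4             # e_lfanew is dword aligned
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for i in range(0, len(padded), 4):
        if i // 4 == skip:
            continue
        total += struct.unpack_from("<I", padded, i)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return ((total & 0xFFFF) + len(data)) & 0xFFFFFFFF

def with_checksum(data: bytes) -> bytes:
    """Copy of `data` with the CheckSum field set to the recomputed value."""
    out = bytearray(data)
    struct.pack_into("<I", out, _nt_headers(data) + 24 + 64, pe_checksum(data))
    return bytes(out)

def checksum_is_consistent(data: bytes) -> bool:
    """False when the stored CheckSum is zero or disagrees with the file bytes."""
    stored = pe_identity(data)["checksum"]
    return stored != 0 and stored == pe_checksum(data)

def match_candidates(candidates, wanted: dict) -> list:
    """Labels of (label, image_bytes) pairs whose triple equals `wanted`."""
    return [label for label, data in candidates
            if all(pe_identity(data)[k] == wanted[k] for k in _TRIPLE)]

def build_pe(timestamp: int, size_of_image: int, payload: bytes) -> bytes:
    """Constructed fixture: minimal PE32, one section, CheckSum zero; parseable, not loadable."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                         # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                           # PE32 magic
    struct.pack_into("<III", opt, 28, 0x00400000, 0x1000, 0x200)    # ImageBase, SectionAlign, FileAlign
    struct.pack_into("<II", opt, 56, size_of_image, 0x200)          # SizeOfImage, SizeOfHeaders
    section = struct.pack("<8sIIIIIIHHI", b".text", len(payload), 0x1000,
                          len(payload), 0x200, 0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section).ljust(0x200, b"\0")
    return headers + payload

def demo() -> dict:
    """End-to-end run on constructed images; 'patched' shows the caveat."""
    good = with_checksum(build_pe(0x4A5BC60F, 0x00030000, b"\xCC" * 0x100))
    other = with_checksum(build_pe(0x4A5BC610, 0x00030000, b"\xCC" * 0x100))
    patched = bytearray(good)
    patched[0x200] = 0x90                 # one .text byte changed, header untouched
    patched = bytes(patched)
    target = pe_identity(good)            # real use: parse_lm_vm(<lm vm output>)
    return {
        "dump_triple": parse_lm_vm(LM_VM_SAMPLE),
        "matches": match_candidates([("good", good), ("other", other), ("patched", patched)], target),
        "good_consistent": checksum_is_consistent(good),
        "patched_consistent": checksum_is_consistent(patched),
    }
```

Against real files, feed `match_candidates` pairs of `(path, open(path, "rb").read())` and the triple from `parse_lm_vm` applied to the pasted `lm vm` text; a candidate is ruled out as soon as any one of the three fields differs. In `demo()` the patched copy still matches on the triple and is only exposed by `checksum_is_consistent`, which is why the `!chkimg` step in the answer matters: it compares the code bytes in the dump against the file the symbol path resolves, so a triple match plus `0 errors` is the usual evidence that the right binary was found and was not modified in memory.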