Parse the crash dump in WinDbg for private bytes (other than managed heap)?


Question

I want to parse the full crash dump (*.dmp) file and get the private bytes data. I know that VMMap of SysInternals can tell me how much my private bytes, heap etc are all but what I need is if I have the dump, I should be able to parse it and get the Heap (managed Heap) Structure and data in the heap. I am already done with this by reading the PEB and then walking through heaps.

What I am not able to figure out is how to read the private bytes (other than Heap, which is supposed to be the process data for native code). Could anyone please point me in the right direction so that I am able to parse the private bytes other than heap from the crash dump.

Thanks.

Recommended answer

!address -summary

In the first section you get a breakdown of the usage:

--- Usage Summary ---------------- RgnCount ----------- Total Size -------- %ofBusy %ofTotal
Free                                    170          6f958000 (   1.743 Gb)           87.18%
<unknown>                               477           6998000 ( 105.594 Mb)  40.21%    5.16%
Stack                                   417           5d00000 (  93.000 Mb)  35.42%    4.54%
Image                                   253           3970000 (  57.438 Mb)  21.87%    2.80%
Heap                                     20            600000 (   6.000 Mb)   2.28%    0.29%
TEB                                      93             5d000 ( 372.000 kb)   0.14%    0.02%
Other                                     9             32000 ( 200.000 kb)   0.07%    0.01%
PEB                                       1              1000 (   4.000 kb)   0.00%    0.00%

The unknown will be the virtual allocations.

To list the unknown memory regions you can run:

!address -f:VAR

VAR as defined in the debugger.chm - Busy regions. These regions include all virtual allocation blocks, the SBH heap, memory from custom allocators, and all other regions of the address space that fall into no other classification.
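
For doing the same thing outside the debugger, the following is an added example (not part of the original answer) that reads the MemoryInfoListStream of a minidump-format file and totals committed MEM_PRIVATE regions that fall outside the heap ranges found by a heap walk. It assumes the dump was written with full memory info so that this stream exists; `heap_ranges`, `build_sample` and the sample addresses are hypothetical and constructed for illustration.

```python
import struct

MEMORY_INFO_LIST_STREAM = 16  # MINIDUMP_STREAM_TYPE value for MemoryInfoListStream
MEM_COMMIT, MEM_PRIVATE, MEM_IMAGE = 0x1000, 0x20000, 0x1000000

def private_regions(dump):
    """Return [(base, size, protect)] for committed MEM_PRIVATE regions."""
    sig, _ver, nstreams, dir_rva = struct.unpack_from("<4sIII", dump, 0)
    if sig != b"MDMP":
        raise ValueError("not a minidump")
    for i in range(nstreams):  # MINIDUMP_DIRECTORY entries are 12 bytes each
        stype, size, rva = struct.unpack_from("<III", dump, dir_rva + 12 * i)
        if stype == MEMORY_INFO_LIST_STREAM:
            break
    else:
        raise ValueError("no MemoryInfoListStream in this dump")
    hdr_size, entry_size, count = struct.unpack_from("<IIQ", dump, rva)
    if entry_size < 48 or hdr_size + entry_size * count > size:
        raise ValueError("truncated or malformed MemoryInfoListStream")
    out = []
    for i in range(count):  # MINIDUMP_MEMORY_INFO: 48 bytes, little-endian
        f = struct.unpack_from("<QQIIQIIII", dump, rva + hdr_size + entry_size * i)
        base, rsize, state, protect, mtype = f[0], f[4], f[5], f[6], f[7]
        if state == MEM_COMMIT and mtype == MEM_PRIVATE:
            out.append((base, rsize, protect))
    return out

def non_heap_private_bytes(dump, heap_ranges):
    """Sum private committed bytes whose base lies outside every [start, end) heap range."""
    return sum(size for base, size, _ in private_regions(dump)
               if not any(lo <= base < hi for lo, hi in heap_ranges))

def build_sample():
    """Constructed dump: header, one directory entry, three memory regions."""
    regions = [(0x10000, 0x2000, MEM_PRIVATE),   # pretend heap segment
               (0x50000, 0x3000, MEM_PRIVATE),   # pretend VirtualAlloc block
               (0x400000, 0x8000, MEM_IMAGE)]    # mapped image, not private
    body = struct.pack("<IIQ", 16, 48, len(regions))
    for base, size, mtype in regions:
        body += struct.pack("<QQIIQIIII", base, base, 4, 0, size, MEM_COMMIT, 4, mtype, 0)
    header = struct.pack("<4sIIIIIQ", b"MDMP", 0xA793, 1, 32, 0, 0, 0)
    directory = struct.pack("<III", MEMORY_INFO_LIST_STREAM, len(body), 44)
    return header + directory + body

if __name__ == "__main__":
    print(hex(non_heap_private_bytes(build_sample(), [(0x10000, 0x12000)])))
```
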
