Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

display symbol at some address

5 views
Skip to first unread message

George

unread,
Jun 30, 2008, 1:14:00 AM6/30/08
to
Hello everyone,


If there is an arbitrary address (e.g. 0x12345678), how to check whether it
is code or data or stack? Any command to display the information (suppose I
have symbol file) in the arbitrary address? Could we use WinDbg tool?


thanks in advance,
George

Ivan Brugiolo [MSFT]

unread,
Jun 30, 2008, 8:26:05 PM6/30/08
to
0:001> !address <address>
0:001> ln <address>

should give you the best information available on the address

--
--
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of any included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm


"George" <Geo...@discussions.microsoft.com> wrote in message
news:C755B682-DC9B-4862...@microsoft.com...

George

unread,
Jun 30, 2008, 9:17:01 PM6/30/08
to
Thanks Ivan,


I have followed your comments. Here are the output, and ln command has no
output. what information could you get from the output I posted? I expect it
output whether it is an instance of a type (e.g. some type of variable) on
stack/heap, code segment or something else.

--------------------
0:000> !address 00000000`0012f7c8
0000000000030000 : 000000000012b000 - 0000000000005000
Type 00020000 MEM_PRIVATE
Protect 00000004 PAGE_READWRITE
State 00001000 MEM_COMMIT
Usage RegionUsageStack
Pid.Tid 1248.584
0:000> ln 00000000`0012f7c8
--------------------


regards,
George

Ivan Brugiolo [MSFT]

unread,
Jun 30, 2008, 10:02:40 PM6/30/08
to
The first command tells that the addres belongs to the stack of a thread.
That is almost never a place to run code, and, that is normally the
indication of a stack overrun, mismatched calling convention, or stack
corruption.

--
--
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of any included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm


"George" <Geo...@discussions.microsoft.com> wrote in message

news:831A67BE-E7F4-482B...@microsoft.com...

George

unread,
Jun 30, 2008, 10:46:00 PM6/30/08
to
Thanks Ivan,


Here is what I read from debugger.chm.

--------------------
Filter value Memory type displayed
MEM_IMAGE Memory that is mapped from a file that is part of an executable
image.
MEM_MAPPED Memory that is mapped from a file that is not part of an
executable image. This memory includes memory that is mapped from the paging
file.
MEM_PRIVATE Memory that is private (that is, not shared by other processes)
and that is not mapped from any file.
--------------------

1.

I think MEM_IMAGE means executable code?

2.

MEM_PRIVATE means stack/heap data (e.g. local variable or heap variable)?

3.

MEM_MAPPED means data or code? I am confused. :-)


regards,
George

Ivan Brugiolo [MSFT]

unread,
Jun 30, 2008, 10:54:04 PM6/30/08
to
Memory attribute protection are better unrestood from the
SDK documentation of APIs such as MapViewOfFile and VirtualProtect.
The answer to your question lives in the `RegionUsageStack`.
The other attributes can be explained separately, and,
they may or may not convey the meaning that you are giving to them.

#1
not all the pages mapped from a MEM_IMAGE section are executable.

#2
MEM_PRIVATE has to do with sharing flags in the VAD.
There is no relationship with heap/stack. You can have MEM_PRIVATE
that is neither of the two.

#3 MEM_MAPPED
You can map code, data, physical addresses, AGP aperture space, etc, etc.
Mapping and use of the mapped pages have no relationship.
You could be mapping firmware from a controller and execute ACPI methods on
it.

--
--
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of any included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm


"George" <Geo...@discussions.microsoft.com> wrote in message

news:4B68B353-C217-450E...@microsoft.com...

George

unread,
Jun 30, 2008, 11:28:01 PM6/30/08
to
Thanks Ivan,


Your long reply looks comprehensive. Could you just briefly describe how to
decide whether an address is code or data please -- this is the simple
question I asked? :-)


regards,
George

Ivan Brugiolo [MSFT]

unread,
Jul 1, 2008, 2:39:19 AM7/1/08
to
There is no way to tell reliably for sure.
I could have an exeuctable fragment embdeed in a memory mapped file.
I could be re-interpreting code as data (there are obscure uses of compiler
generate jump-tables for switch statements as function tables).
I could be using a printable string as code [There are interesting
unicode-only or ansi-only executable translators, that are normally
used by root-kits or buffer overrun exploits.]
What the CPU can do with an address is a function of the CPU and it's
memory management properties. And, for given setups, any address
can be anything.
The address alone will give inconclusive results.

--
--
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of any included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm


"George" <Geo...@discussions.microsoft.com> wrote in message

news:506252BF-EED0-430A...@microsoft.com...

George

unread,
Jul 1, 2008, 2:55:00 AM7/1/08
to
Thanks Ivan,


1.

Do you mean simply given a memory address, there is no way to identify
whether it is code or data? The conclusion?

2.

I do not quite understand what means "re-interpreting code as data", could
you show me a sample please or a reference document?

3.

I do not quite understand what means "using a printable string as code",
could you show me a sample please or a reference document?


regards,
George

Ivan Brugiolo [MSFT]

unread,
Jul 1, 2008, 4:51:01 PM7/1/08
to
> Do you mean simply given a memory address, there is no way to identify
> whether it is code or data? The conclusion?

Correct, there is no way. It depends entirely on the context and on the
interpretation that is being given.

--
--
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of any included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm


"George" <Geo...@discussions.microsoft.com> wrote in message

news:389D0B30-FDEC-466A...@microsoft.com...

George

unread,
Jul 2, 2008, 8:12:00 AM7/2/08
to
Thanks Ivan,


What I am trying to do is to solve a sort of specific issues, when there is
OS error box which indicates my application is broken at some address (e.g.
0x12345678), because of unhandled exception or something corruption (e.g.
stack or access violation). I want to find out what actually resides in
address 0x12345678? Is it code or data?

Any advice or documents to refer?


regards,
George

Ivan Brugiolo [MSFT]

unread,
Jul 2, 2008, 1:07:09 PM7/2/08
to
`!address <0x12345678>`
is your best friend.
If `!address` tells you that you are in a module,
then, try to use `ln <address>`.

Give the example you posted in the past, you have a stack overrun,
and, you are executing from the stack, that for machines with
the NX policy enabled, it going to trigger an access violation.

--
--
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of any included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm


"George" <Geo...@discussions.microsoft.com> wrote in message

news:3B1EC471-DB00-48BD...@microsoft.com...

George

unread,
Jul 6, 2008, 9:12:01 AM7/6/08
to
Thanks Ivan,


I like your solution and I have made several practices. For !address
command, I think it only display the type/protect/state/usage/fullpath of a
memory address, here is an example which I have tried, how could you decide
whether the address is in a module (EXE/DLL executing code) or not in a
module (e.g. stack/global data segment)?

0:000> !address 000007ff`571e2e50
000007ff57140000 : 000007ff57141000 - 0000000000231000
Type 01000000 MEM_IMAGE
Protect 00000020 PAGE_EXECUTE_READ
State 00001000 MEM_COMMIT
Usage RegionUsageImage
FullPath C:\WINDOWS\system32\ole32.dll


regards,
George

Ivan Brugiolo [MSFT]

unread,
Jul 6, 2008, 7:08:17 PM7/6/08
to
Each module has different sub-section
(ranges of pages within a VAD) mapped with different attributes.
Normally, the PE file format describes those sections,
and, the loader sets the appropriate protection attributes to the pages.

000007feff0a0000 : 000007feff0a0000 - 0000000000001000
Type 01000000 MEM_IMAGE
Protect 00000002 PAGE_READONLY <<<<<<<<<<<<<<<


State 00001000 MEM_COMMIT
Usage RegionUsageImage

FullPath C:\Windows\system32\ole32.dll
000007feff0a1000 - 000000000015f000


Type 01000000 MEM_IMAGE
Protect 00000020 PAGE_EXECUTE_READ <<<<<<<<<<<<<<<
State 00001000 MEM_COMMIT
Usage RegionUsageImage

FullPath C:\Windows\system32\ole32.dll
000007feff200000 - 0000000000048000
Type 01000000 MEM_IMAGE
Protect 00000002 PAGE_READONLY <<<<<<<<<<<<<<<


State 00001000 MEM_COMMIT
Usage RegionUsageImage

FullPath C:\Windows\system32\ole32.dll
000007feff248000 - 0000000000004000
Type 01000000 MEM_IMAGE
Protect 00000004 PAGE_READWRITE <<<<<<<<<<<<<<<


State 00001000 MEM_COMMIT
Usage RegionUsageImage

FullPath C:\Windows\system32\ole32.dll
000007feff24c000 - 0000000000007000
Type 01000000 MEM_IMAGE
Protect 00000008 PAGE_WRITECOPY <<<<<<<<<<<<<<<


State 00001000 MEM_COMMIT
Usage RegionUsageImage

FullPath C:\Windows\system32\ole32.dll
000007feff253000 - 0000000000001000
Type 01000000 MEM_IMAGE
Protect 00000004 PAGE_READWRITE <<<<<<<<<<<<<<<


State 00001000 MEM_COMMIT
Usage RegionUsageImage

FullPath C:\Windows\system32\ole32.dll
000007feff254000 - 0000000000002000
Type 01000000 MEM_IMAGE
Protect 00000008 PAGE_WRITECOPY <<<<<<<<<<<<<<<


State 00001000 MEM_COMMIT
Usage RegionUsageImage

FullPath C:\Windows\system32\ole32.dll
000007feff256000 - 0000000000022000
Type 01000000 MEM_IMAGE
Protect 00000002 PAGE_READONLY <<<<<<<<<<<<<<<


State 00001000 MEM_COMMIT
Usage RegionUsageImage

FullPath C:\Windows\system32\ole32.dll

--
--
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of any included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm


"George" <Geo...@discussions.microsoft.com> wrote in message

news:E382D724-F309-4BE6...@microsoft.com...

George

unread,
Jul 6, 2008, 10:23:01 PM7/6/08
to
Thanks Ivan,


1.

Your list of output is from which command in WinDbg?

2.

From the output below, you can only find the address is from module
ole32.dll, but you can not tell whether it is data or code, correct?

--------------------


000007feff0a0000 : 000007feff0a0000 - 0000000000001000
Type 01000000 MEM_IMAGE
Protect 00000002 PAGE_READONLY <<<<<<<<<<<<<<<
State 00001000 MEM_COMMIT
Usage RegionUsageImage
FullPath C:\Windows\system32\ole32.dll

--------------------


regards,
George

Ivan Brugiolo [MSFT]

unread,
Jul 6, 2008, 11:29:04 PM7/6/08
to
#1
0:001> !address
without any other parameters

#2
It looks the `.rdata` section of the image.
What the compiler puts there,
is up to the compiler and the developer with the help of #pragma.
Please, refrain from using braod concepts such as `code` and `data`, because
there are quire a few subtelties that sometimes it s required to express.

SECTION HEADER #3
.rdata name
47300 virtual size
160000 virtual address (000007FF7C160000 to 000007FF7C1A72FF)
47400 size of raw data
15F400 file pointer to raw data (0015F400 to 001A67FF)
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
40000040 flags
Initialized Data
Read Only

--
--
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of any included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm


"George" <Geo...@discussions.microsoft.com> wrote in message

news:9978502D-6A8A-496D...@microsoft.com...

George

unread,
Jul 8, 2008, 1:59:00 AM7/8/08
to
Thanks Ivan,


I have tried !address command, looke great! I am interested in your below
output from section perspective. Which command in Windbg could be used for
display the real virtual address of section?

(previous, I am using DUMPBIN utility, which could only shows static point
of view an a PE, if there is dynamic point of view for sections --
application is actually loaded, it will be great!)

> SECTION HEADER #3
> .rdata name
> 47300 virtual size
> 160000 virtual address (000007FF7C160000 to 000007FF7C1A72FF)
> 47400 size of raw data
> 15F400 file pointer to raw data (0015F400 to 001A67FF)
> 0 file pointer to relocation table
> 0 file pointer to line numbers
> 0 number of relocations
> 0 number of line numbers
> 40000040 flags
> Initialized Data
> Read Only


regards,
George

0 new messages