If there is an arbitrary address (e.g. 0x12345678), how to check whether it
is code or data or stack? Any command to display the information (suppose I
have symbol file) in the arbitrary address? Could we use WinDbg tool?
thanks in advance,
George
should give you the best information available on the address
--
--
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of any included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
"George" <Geo...@discussions.microsoft.com> wrote in message
news:C755B682-DC9B-4862...@microsoft.com...
I have followed your comments. Here are the output, and ln command has no
output. what information could you get from the output I posted? I expect it
output whether it is an instance of a type (e.g. some type of variable) on
stack/heap, code segment or something else.
--------------------
0:000> !address 00000000`0012f7c8
0000000000030000 : 000000000012b000 - 0000000000005000
Type 00020000 MEM_PRIVATE
Protect 00000004 PAGE_READWRITE
State 00001000 MEM_COMMIT
Usage RegionUsageStack
Pid.Tid 1248.584
0:000> ln 00000000`0012f7c8
--------------------
regards,
George
--
--
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of any included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
"George" <Geo...@discussions.microsoft.com> wrote in message
news:831A67BE-E7F4-482B...@microsoft.com...
Here is what I read from debugger.chm.
--------------------
Filter value Memory type displayed
MEM_IMAGE Memory that is mapped from a file that is part of an executable
image.
MEM_MAPPED Memory that is mapped from a file that is not part of an
executable image. This memory includes memory that is mapped from the paging
file.
MEM_PRIVATE Memory that is private (that is, not shared by other processes)
and that is not mapped from any file.
--------------------
1.
I think MEM_IMAGE means executable code?
2.
MEM_PRIVATE means stack/heap data (e.g. local variable or heap variable)?
3.
MEM_MAPPED means data or code? I am confused. :-)
regards,
George
#1
not all the pages mapped from a MEM_IMAGE section are executable.
#2
MEM_PRIVATE has to do with sharing flags in the VAD.
There is no relationship with heap/stack. You can have MEM_PRIVATE
that is neither of the two.
#3 MEM_MAPPED
You can map code, data, physical addresses, AGP aperture space, etc, etc.
Mapping and use of the mapped pages have no relationship.
You could be mapping firmware from a controller and execute ACPI methods on
it.
--
--
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of any included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
"George" <Geo...@discussions.microsoft.com> wrote in message
news:4B68B353-C217-450E...@microsoft.com...
Your long reply looks comprehensive. Could you just briefly describe how to
decide whether an address is code or data please -- this is the simple
question I asked? :-)
regards,
George
--
--
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of any included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
"George" <Geo...@discussions.microsoft.com> wrote in message
news:506252BF-EED0-430A...@microsoft.com...
1.
Do you mean simply given a memory address, there is no way to identify
whether it is code or data? The conclusion?
2.
I do not quite understand what means "re-interpreting code as data", could
you show me a sample please or a reference document?
3.
I do not quite understand what means "using a printable string as code",
could you show me a sample please or a reference document?
regards,
George
Correct, there is no way. It depends entirely on the context and on the
interpretation that is being given.
--
--
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of any included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
"George" <Geo...@discussions.microsoft.com> wrote in message
news:389D0B30-FDEC-466A...@microsoft.com...
What I am trying to do is to solve a sort of specific issues, when there is
OS error box which indicates my application is broken at some address (e.g.
0x12345678), because of unhandled exception or something corruption (e.g.
stack or access violation). I want to find out what actually resides in
address 0x12345678? Is it code or data?
Any advice or documents to refer?
regards,
George
Give the example you posted in the past, you have a stack overrun,
and, you are executing from the stack, that for machines with
the NX policy enabled, it going to trigger an access violation.
--
--
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of any included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
"George" <Geo...@discussions.microsoft.com> wrote in message
news:3B1EC471-DB00-48BD...@microsoft.com...
I like your solution and I have made several practices. For !address
command, I think it only display the type/protect/state/usage/fullpath of a
memory address, here is an example which I have tried, how could you decide
whether the address is in a module (EXE/DLL executing code) or not in a
module (e.g. stack/global data segment)?
0:000> !address 000007ff`571e2e50
000007ff57140000 : 000007ff57141000 - 0000000000231000
Type 01000000 MEM_IMAGE
Protect 00000020 PAGE_EXECUTE_READ
State 00001000 MEM_COMMIT
Usage RegionUsageImage
FullPath C:\WINDOWS\system32\ole32.dll
regards,
George
000007feff0a0000 : 000007feff0a0000 - 0000000000001000
Type 01000000 MEM_IMAGE
Protect 00000002 PAGE_READONLY <<<<<<<<<<<<<<<
State 00001000 MEM_COMMIT
Usage RegionUsageImage
FullPath C:\Windows\system32\ole32.dll
000007feff0a1000 - 000000000015f000
Type 01000000 MEM_IMAGE
Protect 00000020 PAGE_EXECUTE_READ <<<<<<<<<<<<<<<
State 00001000 MEM_COMMIT
Usage RegionUsageImage
FullPath C:\Windows\system32\ole32.dll
000007feff200000 - 0000000000048000
Type 01000000 MEM_IMAGE
Protect 00000002 PAGE_READONLY <<<<<<<<<<<<<<<
State 00001000 MEM_COMMIT
Usage RegionUsageImage
FullPath C:\Windows\system32\ole32.dll
000007feff248000 - 0000000000004000
Type 01000000 MEM_IMAGE
Protect 00000004 PAGE_READWRITE <<<<<<<<<<<<<<<
State 00001000 MEM_COMMIT
Usage RegionUsageImage
FullPath C:\Windows\system32\ole32.dll
000007feff24c000 - 0000000000007000
Type 01000000 MEM_IMAGE
Protect 00000008 PAGE_WRITECOPY <<<<<<<<<<<<<<<
State 00001000 MEM_COMMIT
Usage RegionUsageImage
FullPath C:\Windows\system32\ole32.dll
000007feff253000 - 0000000000001000
Type 01000000 MEM_IMAGE
Protect 00000004 PAGE_READWRITE <<<<<<<<<<<<<<<
State 00001000 MEM_COMMIT
Usage RegionUsageImage
FullPath C:\Windows\system32\ole32.dll
000007feff254000 - 0000000000002000
Type 01000000 MEM_IMAGE
Protect 00000008 PAGE_WRITECOPY <<<<<<<<<<<<<<<
State 00001000 MEM_COMMIT
Usage RegionUsageImage
FullPath C:\Windows\system32\ole32.dll
000007feff256000 - 0000000000022000
Type 01000000 MEM_IMAGE
Protect 00000002 PAGE_READONLY <<<<<<<<<<<<<<<
State 00001000 MEM_COMMIT
Usage RegionUsageImage
FullPath C:\Windows\system32\ole32.dll
--
--
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of any included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
"George" <Geo...@discussions.microsoft.com> wrote in message
news:E382D724-F309-4BE6...@microsoft.com...
1.
Your list of output is from which command in WinDbg?
2.
From the output below, you can only find the address is from module
ole32.dll, but you can not tell whether it is data or code, correct?
--------------------
000007feff0a0000 : 000007feff0a0000 - 0000000000001000
Type 01000000 MEM_IMAGE
Protect 00000002 PAGE_READONLY <<<<<<<<<<<<<<<
State 00001000 MEM_COMMIT
Usage RegionUsageImage
FullPath C:\Windows\system32\ole32.dll
--------------------
regards,
George
#2
It looks the `.rdata` section of the image.
What the compiler puts there,
is up to the compiler and the developer with the help of #pragma.
Please, refrain from using braod concepts such as `code` and `data`, because
there are quire a few subtelties that sometimes it s required to express.
SECTION HEADER #3
.rdata name
47300 virtual size
160000 virtual address (000007FF7C160000 to 000007FF7C1A72FF)
47400 size of raw data
15F400 file pointer to raw data (0015F400 to 001A67FF)
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
40000040 flags
Initialized Data
Read Only
--
--
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of any included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
"George" <Geo...@discussions.microsoft.com> wrote in message
news:9978502D-6A8A-496D...@microsoft.com...
I have tried !address command, looke great! I am interested in your below
output from section perspective. Which command in Windbg could be used for
display the real virtual address of section?
(previous, I am using DUMPBIN utility, which could only shows static point
of view an a PE, if there is dynamic point of view for sections --
application is actually loaded, it will be great!)
> SECTION HEADER #3
> .rdata name
> 47300 virtual size
> 160000 virtual address (000007FF7C160000 to 000007FF7C1A72FF)
> 47400 size of raw data
> 15F400 file pointer to raw data (0015F400 to 001A67FF)
> 0 file pointer to relocation table
> 0 file pointer to line numbers
> 0 number of relocations
> 0 number of line numbers
> 40000040 flags
> Initialized Data
> Read Only
regards,
George