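How to read the values of Process Environment Block members in WinDbg

Problem description

I am new to debugging, and I am trying to understand what values are being filled in the Process Environment Block (PEB) members. For example, what does 0x7fb80000 for AnsiCodePageData mean? How do I read it?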

   +0x050 SharedData       : (null) 
   +0x054 ReadOnlyStaticServerData : 0x7fa504b0  -> (null) 
   +0x058 AnsiCodePageData : 0x7fb80000 Void
   +0x05c OemCodePageData  : 0x7fb80000 Void
   +0x060 UnicodeCaseTableData : 0x7fba7c24 Void
   +0x064 NumberOfProcessors : 2
   +0x068 NtGlobalFlag     : 0x70

Solution

0:000> dt ntdll!_PEB -y Ansi @$peb
   +0x058 AnsiCodePageData : 0x7ffb0000 Void

Use !address

0:000> !address 7ffb0000
Usage:                  Other
Base Address:           7ffb0000
End Address:            7ffd3000
Region Size:            00023000 ( 140.000 kB)
State:                  00001000          MEM_COMMIT
Protect:                00000002          PAGE_READONLY
Type:                   00040000          MEM_MAPPED
Allocation Base:        7ffb0000
Allocation Protect:     00000002          PAGE_READONLY
Additional info:        NLS Tables


Content source: 1 (target),length: 23000

Dump the raw contents

0:000> dc 7ffb0000
7ffb0000  04e4000d 003f0001 003f003f 0000003f  ......?.?.?.?...
7ffb0010  00000000 00000000 01030000 00010000  ................
7ffb0020  00030002 00050004 00070006 00090008  ................
7ffb0030  000b000a 000d000c 000f000e 00110010  ................
7ffb0040  00130012 00150014 00170016 00190018  ................
7ffb0050  001b001a 001d001c 001f001e 00210020  ............ .!.
7ffb0060  00230022 00250024 00270026 00290028  ".#.$.%.&.'.(.).
7ffb0070  002b002a 002d002c 002f002e 00310030  *.+.,.-.../.0.1.
0:000>

Use !vprot

0:000> !vprot 7ffb0000
BaseAddress:       7ffb0000
AllocationBase:    7ffb0000
AllocationProtect: 00000002  PAGE_READONLY
RegionSize:        00023000
State:             00001000  MEM_COMMIT
Protect:           00000002  PAGE_READONLY
Type:              00040000  MEM_MAPPED
0:000>
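
Added example, not part of the original answer: decoding the start of the `dc` dump above as an NLS code page table. The field layout (the code page file header as consumed by `RtlInitCodePageTable`) is an assumption not stated on the page, and the function names are hypothetical.

```python
import struct

# First three lines of the `dc 7ffb0000` output above, copied from the page.
DC_OUTPUT = """\
7ffb0000  04e4000d 003f0001 003f003f 0000003f  ......?.?.?.?...
7ffb0010  00000000 00000000 01030000 00010000  ................
7ffb0020  00030002 00050004 00070006 00090008  ................
"""

def dc_to_bytes(text):
    """Convert WinDbg `dc` lines (address + four DWORDs + ASCII) to raw bytes."""
    raw = bytearray()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # prompt lines such as "0:000>" carry no data
        for dword in fields[1:5]:
            # dc prints each DWORD as a number; memory order is little-endian
            raw += struct.pack("<I", int(dword, 16))
    return bytes(raw)

def parse_nls_header(data):
    """Decode the code page table header (assumed layout, all fields 16-bit)."""
    names = ("header_size", "code_page", "max_char_size", "default_char",
             "uni_default_char", "trans_default_char", "trans_uni_default_char")
    hdr = dict(zip(names, struct.unpack_from("<7H", data, 0)))
    hdr["lead_bytes"] = data[14:26]          # all zero for a single-byte code page
    body = hdr["header_size"] * 2            # header_size is counted in 16-bit words
    # First word after the header: offset (in words) to the Unicode-to-ANSI table
    (hdr["wc_table_offset"],) = struct.unpack_from("<H", data, body)
    # Then the ANSI-to-Unicode table: one 16-bit code point per byte value
    count = (len(data) - body - 2) // 2
    hdr["mb_table"] = struct.unpack_from("<%dH" % count, data, body + 2)
    return hdr

if __name__ == "__main__":
    h = parse_nls_header(dc_to_bytes(DC_OUTPUT))
    print("code page %d, %d byte(s) per char, default char %r"
          % (h["code_page"], h["max_char_size"], chr(h["default_char"])))
    print("byte 0x05 maps to U+%04X" % h["mb_table"][5])
```

Read this way, the first word `000d` is the header length in words and the second word `04e4` is the code page number in hex.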