WinDbg : !dh
The !dh command extension displays the headers of an image: the file header, the optional header with its data directories, and the section headers. It is a very useful command for analyzing images and their sections, for example to find where the import and export tables or the IAT live and which section they fall in. We will take up such examples in other blog posts, so experimenting with this command inside a debugger will help make you comfortable with those debug scenarios.
kd> !dh kernelbase
File Type: DLL
FILE HEADER VALUES
14C machine (i386)
4 number of sections
4CE7B8F0 time date stamp Sat Nov 20 17:32:56 2010
0 file pointer to symbol table
0 number of symbols
E0 size of optional header
2102 characteristics
Executable
32 bit word machine
DLL
OPTIONAL HEADER VALUES
10B magic #
9.00 linker version
42400 size of code
3E00 size of initialized data
0 size of uninitialized data
7DE0 address of entry point
1000 base of code
----- new -----
75d70000 image base
1000 section alignment
200 file alignment
3 subsystem (Windows CUI)
6.01 operating system version
6.01 image version
6.01 subsystem version
4A000 size of image
400 size of headers
4984C checksum
00040000 size of stack reserve
00001000 size of stack commit
00100000 size of heap reserve
00001000 size of heap commit
140 DLL characteristics
Dynamic base
NX compatible
18D4 [ 4E67] address [size] of Export Directory
406A8 [ 28] address [size] of Import Directory
46000 [ 530] address [size] of Resource Directory
0 [ 0] address [size] of Exception Directory
0 [ 0] address [size] of Security Directory
47000 [ 25D0] address [size] of Base Relocation Directory
43294 [ 38] address [size] of Debug Directory
0 [ 0] address [size] of Description Directory
0 [ 0] address [size] of Special Directory
0 [ 0] address [size] of Thread Storage Directory
1E110 [ 40] address [size] of Load Configuration Directory
278 [ 1C] address [size] of Bound Import Directory
1000 [ 65C] address [size] of Import Address Table Directory
0 [ 0] address [size] of Delay Import Directory
0 [ 0] address [size] of COR20 Header Directory
0 [ 0] address [size] of Reserved Directory
SECTION HEADER #1
.text name
422F7 virtual size
1000 virtual address
42400 size of raw data
400 file pointer to raw data
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
60000020 flags
Code
(no align specified)
Execute Read
Debug Directories(2)
Type Size Address Pointer
Can't read debug dir
SECTION HEADER #2
.data name
1158 virtual size
44000 virtual address
1200 size of raw data
42800 file pointer to raw data
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
C0000040 flags
Initialized Data
(no align specified)
Read Write
SECTION HEADER #3
.rsrc name
530 virtual size
46000 virtual address
600 size of raw data
43A00 file pointer to raw data
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
40000040 flags
Initialized Data
(no align specified)
Read Only
SECTION HEADER #4
.reloc name
25D0 virtual size
47000 virtual address
2600 size of raw data
44000 file pointer to raw data
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
42000040 flags
Initialized Data
Discardable
(no align specified)
Read Only
Note: Try the -f and -s switches to trim the output of this command to whatever you need most: -f shows only the file header and -s only the section headers.
Note: Another useful debugger extension is !lmi. Described here.
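To make the dump above concrete, here is a small Python parser (an added example, not code from the original post) that walks the same structures !dh walks: the MZ/PE signatures, IMAGE_FILE_HEADER, the PE32 optional header, the data directories and the section table. It builds its own input: build_sample_image() constructs header bytes from the kernelbase values in the dump, so it is not a real kernelbase.dll, only enough of an image for the parser to work on. Flag names follow what !dh prints; the directory names follow the PE specification, where the slots !dh labels "Description" and "Special" are Architecture and Global Ptr.

```python
"""Parse a PE32 image and answer what !dh answers: which header flags are set, which
section an RVA lands in, and whether ASLR/NX are enabled. Added example, not from the
original post; build_sample_image() constructs headers from the kernelbase values in
the dump above (not a real kernelbase.dll, just enough image for the parser)."""
import struct
from typing import NamedTuple, Optional

# bit -> name, using the names !dh prints
FILE_CHARS = {0x0002: "Executable", 0x0100: "32 bit word machine", 0x2000: "DLL"}
DLL_CHARS = {0x0040: "Dynamic base", 0x0100: "NX compatible", 0x0400: "No SEH", 0x4000: "Guard"}
SEC_CHARS = {0x00000020: "Code", 0x00000040: "Initialized Data", 0x02000000: "Discardable",
             0x20000000: "Execute", 0x40000000: "Read", 0x80000000: "Write"}
DIR_NAMES = ["Export", "Import", "Resource", "Exception", "Security", "Base Relocation",
             "Debug", "Architecture", "Global Ptr", "Thread Storage", "Load Configuration",
             "Bound Import", "Import Address Table", "Delay Import", "COR20 Header", "Reserved"]
OPT_FMT = "<HBB" + "I" * 9 + "H" * 6 + "IIII" + "HH" + "IIIIII"  # PE32 optional header, 96 bytes
SEC_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


class Section(NamedTuple):
    name: str
    virtual_size: int
    virtual_address: int
    raw_size: int
    raw_pointer: int
    flags: int

    def contains(self, rva: int) -> bool:
        # the loader maps max(VirtualSize, SizeOfRawData) bytes at VirtualAddress
        return self.virtual_address <= rva < self.virtual_address + max(self.virtual_size, self.raw_size)


def flag_names(value: int, table: dict) -> list:
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe(data: bytes) -> dict:
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsec, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    oh = struct.unpack_from(OPT_FMT, data, opt_off)
    if oh[0] != 0x10B:  # 0x20B would be PE32+, whose layout differs past ImageBase
        raise ValueError(f"only PE32 handled here, magic {oh[0]:#x}")
    ndirs = min(oh[29], 16)  # NumberOfRvaAndSizes, capped so a bad header cannot read past the table
    dirs = {DIR_NAMES[i]: struct.unpack_from("<II", data, opt_off + 96 + 8 * i) for i in range(ndirs)}
    sections = []
    for i in range(nsec):
        name, vs, va, rs, rp, _, _, _, _, fl = struct.unpack_from(SEC_FMT, data, opt_off + opt_size + 40 * i)
        sections.append(Section(name.rstrip(b"\0").decode(), vs, va, rs, rp, fl))
    return {"machine": machine, "timestamp": stamp, "characteristics": chars, "entry_point": oh[6],
            "image_base": oh[9], "size_of_image": oh[19], "size_of_headers": oh[20],
            "subsystem": oh[22], "dll_characteristics": oh[23], "directories": dirs, "sections": sections}


def rva_to_section(sections, rva: int) -> Optional[Section]:
    return next((s for s in sections if s.contains(rva)), None)


def rva_to_file_offset(pe: dict, rva: int) -> Optional[int]:
    if rva < pe["size_of_headers"]:  # headers are mapped 1:1 (e.g. the Bound Import directory at 278)
        return rva
    s = rva_to_section(pe["sections"], rva)
    return None if s is None else rva - s.virtual_address + s.raw_pointer


def mitigation_report(pe: dict) -> dict:
    """What a pentester reads off DllCharacteristics and the section flags."""
    dc = pe["dll_characteristics"]
    rwx = [s.name for s in pe["sections"] if s.flags & 0x80000000 and s.flags & 0x20000000]
    ep = rva_to_section(pe["sections"], pe["entry_point"])
    return {"aslr": bool(dc & 0x40), "nx": bool(dc & 0x100), "cfg": bool(dc & 0x4000),
            "rwx_sections": rwx, "entry_section": ep.name if ep else None}


def build_sample_image() -> bytes:
    """Constructed headers mirroring the kernelbase values in the dump above (not a real file)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 4, 0x4CE7B8F0, 0, 0, 0xE0, 0x2102)
    opt = struct.pack(OPT_FMT, 0x10B, 9, 0, 0x42400, 0x3E00, 0, 0x7DE0, 0x1000, 0x44000, 0x75D70000,
                      0x1000, 0x200, 6, 1, 6, 1, 6, 1, 0, 0x4A000, 0x400, 0x4984C, 3, 0x140,
                      0x40000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[0], dirs[1], dirs[2] = (0x18D4, 0x4E67), (0x406A8, 0x28), (0x46000, 0x530)
    dirs[5], dirs[6], dirs[10] = (0x47000, 0x25D0), (0x43294, 0x38), (0x1E110, 0x40)
    dirs[11], dirs[12] = (0x278, 0x1C), (0x1000, 0x65C)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    secs = [(b".text", 0x422F7, 0x1000, 0x42400, 0x400, 0x60000020), (b".data", 0x1158, 0x44000, 0x1200, 0x42800, 0xC0000040),
            (b".rsrc", 0x530, 0x46000, 0x600, 0x43A00, 0x40000040), (b".reloc", 0x25D0, 0x47000, 0x2600, 0x44000, 0x42000040)]
    table = b"".join(struct.pack(SEC_FMT, n, vs, va, rs, rp, 0, 0, 0, 0, f) for n, vs, va, rs, rp, f in secs)
    return bytes(dos) + b"PE\0\0" + file_hdr + opt + table


if __name__ == "__main__":
    pe = parse_pe(build_sample_image())
    print("characteristics:", ", ".join(flag_names(pe["characteristics"], FILE_CHARS)))
    print("dll characteristics:", ", ".join(flag_names(pe["dll_characteristics"], DLL_CHARS)))
    for name, (rva, size) in pe["directories"].items():
        if size:
            sec = rva_to_section(pe["sections"], rva)
            print(f"{name:22s} {rva:#8x} [{size:#6x}] in {sec.name if sec else 'headers'}, file offset {rva_to_file_offset(pe, rva):#x}")
    print(mitigation_report(pe))
```

Running it prints, for each non-empty directory, the section it lands in and the offset you would seek to in the on-disk file (the RVA minus the section's virtual address plus its file pointer to raw data). Two details worth noticing: the Bound Import directory at 278 lies below the first section, inside the headers, which the loader maps 1:1 with the file; and the section table in the dump is internally consistent (each section's file pointer equals the previous one's pointer plus its size of raw data). The mitigation report is the quick check to do right after loading a module: here DLL characteristics 140 means Dynamic base (ASLR) and NX compatible are both set, and no section is both writable and executable.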