WinDbg : !lmi
The !lmi extension module will give specific information about a loaded image. it can be useful to look at this output while debugging specific cases.
kd> !lmi nt
Loaded Module Info: [nt]
Module: ntkrpamp
Base Address: 82608000
Image Name: ntkrpamp.exe
Machine Type: 332 (I386)
Time Stamp: 4ce78a09 Sat Nov 20 14:12:49 2010
Size: 412000
CheckSum: 3c88ac
Characteristics: 122 perf
Debug Data Dirs: Type Size VA Pointer
CODEVIEW 25, 11e03c, 11d83c RSDS - GUID: {684DA42A-30CC-450F-81C5-35B4D18944B1}
Age: 2, Pdb: ntkrpamp.pdb
CLSID 4, 11e038, 11d838 [Data not mapped]
Image Type: MEMORY - Image read successfully from loaded memory.
Symbol Type: PDB - Symbols loaded successfully from image header.
C:\Windows Kits\8.1\Debuggers\x86\sym\ntkrpamp.pdb\684DA42A30CC450F81C535B4D18944B12\ntkrpamp.pdb
Load Report: public symbols , not source indexed
C:\Windows Kits\8.1\Debuggers\x86\sym\ntkrpamp.pdb\684DA42A30CC450F81C535B4D18944B12\ntkrpamp.pdb
The !lmi extension module will give specific information about a loaded image. it can be useful to look at this output while debugging specific cases.
kd> !lmi nt
Loaded Module Info: [nt]
Module: ntkrpamp
Base Address: 82608000
Image Name: ntkrpamp.exe
Machine Type: 332 (I386)
Time Stamp: 4ce78a09 Sat Nov 20 14:12:49 2010
Size: 412000
CheckSum: 3c88ac
Characteristics: 122 perf
Debug Data Dirs: Type Size VA Pointer
CODEVIEW 25, 11e03c, 11d83c RSDS - GUID: {684DA42A-30CC-450F-81C5-35B4D18944B1}
Age: 2, Pdb: ntkrpamp.pdb
CLSID 4, 11e038, 11d838 [Data not mapped]
Image Type: MEMORY - Image read successfully from loaded memory.
Symbol Type: PDB - Symbols loaded successfully from image header.
C:\Windows Kits\8.1\Debuggers\x86\sym\ntkrpamp.pdb\684DA42A30CC450F81C535B4D18944B12\ntkrpamp.pdb
Load Report: public symbols , not source indexed
C:\Windows Kits\8.1\Debuggers\x86\sym\ntkrpamp.pdb\684DA42A30CC450F81C535B4D18944B12\ntkrpamp.pdb
Note the Characteristics field in the display (marked in bold for your convenience).This gives us the abbreviations related to the specific symbols. Here is a list of some of the common ones, the complete list can be found with WinDbg help, by searching for 'Symbol Status Abbreviations'.
|
Abbreviation
|
Meaning
|
|
deferred
|
The module has been loaded, but
the debugger has not attempted to load the symbols. Symbols will be loaded
when needed
|
|
#
|
There is a mismatch between the
symbol file and the executable, either in their timestamps or in their
checksums.
|
|
T
|
The timestamp is missing, not
accessible, or equal to zero.
|
|
C
|
The checksum is missing, not
accessible, or equal to zero.
|
|
DIA
|
Symbol files were loaded through
Debug Interface Access (DIA).
|
|
Export
|
No actual symbol files were found,
so symbol information was extracted from the binary file's export table.
|
|
M
|
There is a mismatch between the
symbol file and the executable, either in their timestamps or in their
checksums. However, symbol files have been loaded anyway due to the symbol
option settings.
|
|
PERF
|
This binary contains performance-optimized
code. Standard address arithmetic may not produce correct results.
|
|
Stripped
|
Debug information was stripped
from the image file.
|
|
PDB
|
The symbols are in .pdb format.
|
|
COFF
|
The symbols are in common object
file format (COFF) symbol format.
|
No comments:
Post a Comment