
Where do I find the list of unloaded modules in a Windows process?

I have some native (as in /SUBSYSTEM:NATIVE) Windows programs that I'd like to generate minidumps for in case they crash. Normally, I'd use dbghelp.dll, but since native processes can only use functions exported from ntdll.dll, I can't.

So I've implemented the dumper myself. It's almost done, but unfortunately, I've been unable to locate the list of unloaded modules in the crashed process (the list is certainly stored somewhere, since WinDbg is able to display it).

Where do I find the list of unloaded modules in a Windows process?

Edit: The list is certainly stored somewhere in the process memory; WinDbg can display the list even if I attach it after the modules were unloaded. There's also a note in the documentation of WinDbg:

Microsoft Windows Server 2003 and later versions of Windows maintain an unloaded module list for user-mode processes. [...]

See RtlGetUnloadEventTrace and RtlGetUnloadEventTraceEx.

I am not entirely sure about how it works, but I believe the actual list is stored by ntdll.dll in the loader code. It keeps track of the 16 (or 64, according to MSDN) last unloaded DLLs in the specific process. The information is not linked from PEB or PEB_LDR_DATA.
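The answer names the ntdll export but does not show how to consume what it returns. The following is an added example, not code from the question or from either answer. It declares a local mirror of the documented RTL_UNLOAD_EVENT_TRACE layout, steps through the ring buffer by the element size that RtlGetUnloadEventTraceEx reports (newer ntdll builds append a Version[2] field, so sizeof the local struct is not a safe stride), and assumes that a slot which has never been written has a NULL BaseAddress. The trace in build_sample_trace is constructed for the example, not captured from a real process; the name NAME_CHAR and the helper names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
typedef WCHAR NAME_CHAR;
#else
/* Stand-in Windows types so the portable part builds off-Windows (example scaffolding). */
typedef void    *PVOID;
typedef size_t   SIZE_T;
typedef uint32_t ULONG;
typedef uint16_t NAME_CHAR;
#endif

/* Local mirror of the documented RTL_UNLOAD_EVENT_TRACE layout. Newer ntdll builds
 * append ULONG Version[2]; step by the ElementSize from RtlGetUnloadEventTraceEx. */
typedef struct {
    PVOID     BaseAddress;   /* assumption: NULL in a slot that has never been written */
    SIZE_T    SizeOfImage;
    ULONG     Sequence;      /* global unload counter when this unload was recorded */
    ULONG     TimeDateStamp; /* PE header timestamp, what a dump reader matches symbols on */
    ULONG     CheckSum;
    NAME_CHAR ImageName[32]; /* UTF-16, possibly truncated, not necessarily NUL-terminated */
} UNLOAD_TRACE_ENTRY;

typedef struct {
    size_t populated;        /* slots holding a recorded unload */
    size_t newest_index;     /* slot with the highest Sequence */
    ULONG  newest_sequence;
} UNLOAD_TRACE_SUMMARY;

/* Walk the fixed-size ring. Slot order is not chronological once the ring has
 * wrapped; Sequence is the only reliable ordering key. */
UNLOAD_TRACE_SUMMARY walk_unload_trace(const void *trace, size_t elem_size, size_t elem_count)
{
    UNLOAD_TRACE_SUMMARY s = {0, 0, 0};
    const unsigned char *p = (const unsigned char *)trace;
    if (trace == NULL || elem_size < sizeof(UNLOAD_TRACE_ENTRY))
        return s;                                  /* unknown layout: report nothing */
    for (size_t i = 0; i < elem_count; i++, p += elem_size) {
        const UNLOAD_TRACE_ENTRY *e = (const UNLOAD_TRACE_ENTRY *)p;
        if (e->BaseAddress == NULL)
            continue;
        if (s.populated == 0 || e->Sequence > s.newest_sequence) {
            s.newest_sequence = e->Sequence;
            s.newest_index = i;
        }
        s.populated++;
    }
    return s;
}

/* Constructed sample (not from a real process): 64 slots, three unloads, laid out
 * as a wrapped ring so the newest entry sits in slot 0 and a base address is reused. */
#define SAMPLE_SLOTS 64
static UNLOAD_TRACE_ENTRY g_sample[SAMPLE_SLOTS];

const UNLOAD_TRACE_ENTRY *build_sample_trace(size_t *elem_count)
{
    static const struct { size_t slot; uintptr_t base; size_t size; ULONG seq; const char *name; } rows[] = {
        { 62, 0x6e000000u, 0x1c000, 70, "first.dll"  },
        { 63, 0x6f100000u, 0x05000, 71, "second.dll" },
        {  0, 0x6e000000u, 0x22000, 72, "third.dll"  },
    };
    memset(g_sample, 0, sizeof g_sample);
    for (size_t r = 0; r < sizeof rows / sizeof rows[0]; r++) {
        UNLOAD_TRACE_ENTRY *e = &g_sample[rows[r].slot];
        e->BaseAddress   = (PVOID)rows[r].base;
        e->SizeOfImage   = rows[r].size;
        e->Sequence      = rows[r].seq;
        e->TimeDateStamp = 0x5f000000u + rows[r].seq;          /* placeholder timestamps */
        for (size_t k = 0; k < 32 && rows[r].name[k]; k++)
            e->ImageName[k] = (NAME_CHAR)rows[r].name[k];      /* ASCII widened to UTF-16 */
    }
    *elem_count = SAMPLE_SLOTS;
    return g_sample;
}

#ifdef _WIN32
/* Documented ntdll export; link with ntdll.lib. It does not go through kernel32,
 * so a /SUBSYSTEM:NATIVE program can call it as well. */
NTSYSAPI VOID NTAPI RtlGetUnloadEventTraceEx(PULONG *ElementSize, PULONG *ElementCount, PVOID *EventTrace);

size_t print_unloaded_modules(void)
{
    PULONG elem_size = NULL, elem_count = NULL;
    PVOID trace = NULL;
    RtlGetUnloadEventTraceEx(&elem_size, &elem_count, &trace);
    UNLOAD_TRACE_SUMMARY s = walk_unload_trace(trace, *elem_size, *elem_count);
    const unsigned char *p = (const unsigned char *)trace;
    for (ULONG i = 0; i < *elem_count; i++, p += *elem_size) {
        const UNLOAD_TRACE_ENTRY *e = (const UNLOAD_TRACE_ENTRY *)p;
        if (e->BaseAddress == NULL) continue;
        printf("seq %lu base %p size 0x%zx ts 0x%08lx %.32ls%s\n", (unsigned long)e->Sequence,
               e->BaseAddress, (size_t)e->SizeOfImage, (unsigned long)e->TimeDateStamp,
               e->ImageName, i == s.newest_index ? " (newest)" : "");
    }
    return s.populated;
}
#endif

int main(void)
{
    size_t n;
    const UNLOAD_TRACE_ENTRY *t = build_sample_trace(&n);
    UNLOAD_TRACE_SUMMARY s = walk_unload_trace(t, sizeof *t, n);
    printf("sample: %zu recorded, newest seq %lu in slot %zu\n",
           s.populated, (unsigned long)s.newest_sequence, s.newest_index);
#ifdef _WIN32
    printf("this process: %zu unloaded module(s) in ntdll's trace\n", print_unloaded_modules());
#endif
    return 0;
}
```

For a minidump writer the fields that matter are BaseAddress, SizeOfImage, TimeDateStamp, CheckSum and ImageName, which is what a MINIDUMP_UNLOADED_MODULE record carries; reading them through the Ex variant's element size keeps the walker correct across ntdll versions that differ in entry count or trailing fields.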

If you need it just for native processes, it's not necessary to find the list, as a native process cannot load any DLLs, so there are none unloaded. But from a technical point of view I'm curious where the unloaded data are located in the process.

WinDbg may just create the list itself. A debugger in Windows will get module load and unload events as the program executes. So a debugger would just need to watch for these events and update lists as it goes.

See: http://msdn.microsoft.com/en-us/library/ms679308%28VS.85%29.aspx

specifically the parts about UNLOAD_DLL_DEBUG_INFO and LOAD_DLL_DEBUG_INFO.

I recommend you do it that way; I am unaware of any internal list which tracks unloaded modules. After all, the OS itself has little need for that type of data.
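An added example of the approach this answer recommends, not code from the question or the answer: a portable tracker that applies load and unload events, plus a Windows-only debugger loop that feeds it from WaitForDebugEvent. The caveat it handles is that UNLOAD_DLL_DEBUG_INFO carries only lpBaseOfDll, so the module name has to be captured at load time (here via GetFinalPathNameByHandleA on the hFile of LOAD_DLL_DEBUG_INFO, since lpImageName is frequently unreadable), and that a base address can be reused by a later load. The names ModuleTracker, tracker_on_load, tracker_on_unload and debug_and_track are this example's own. Note that this is a separate Win32 debugger process, which is a different architecture from the in-process dumper the question describes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_MODULES 256
#define NAME_LEN    128

/* One record per load event. A base can be reused by a later load, so records
 * are appended rather than overwritten and lookups search newest-first. */
typedef struct {
    uintptr_t base;
    char      name[NAME_LEN];
    unsigned  unload_seq;   /* 0 while loaded, otherwise the order in which it was unloaded */
} ModuleRecord;

typedef struct {
    ModuleRecord mods[MAX_MODULES];
    size_t       count;
    unsigned     next_unload_seq;
} ModuleTracker;

void tracker_init(ModuleTracker *t)
{
    memset(t, 0, sizeof *t);
    t->next_unload_seq = 1;
}

/* LOAD_DLL_DEBUG_INFO: record base and name now; the name is not available later. */
int tracker_on_load(ModuleTracker *t, uintptr_t base, const char *name)
{
    if (t->count == MAX_MODULES) return -1;
    ModuleRecord *m = &t->mods[t->count++];
    m->base = base;
    m->unload_seq = 0;
    snprintf(m->name, sizeof m->name, "%s", name ? name : "?");
    return (int)(t->count - 1);
}

/* UNLOAD_DLL_DEBUG_INFO carries only lpBaseOfDll: match it to the newest record that
 * is still loaded. -1 means a base the tracker never saw loaded, e.g. a module that
 * was already present when the debugger attached. */
int tracker_on_unload(ModuleTracker *t, uintptr_t base)
{
    for (size_t i = t->count; i-- > 0; ) {
        ModuleRecord *m = &t->mods[i];
        if (m->base == base && m->unload_seq == 0) {
            m->unload_seq = t->next_unload_seq++;
            return (int)i;
        }
    }
    return -1;
}

size_t tracker_unloaded_count(const ModuleTracker *t)
{
    size_t n = 0;
    for (size_t i = 0; i < t->count; i++) n += t->mods[i].unload_seq != 0;
    return n;
}

/* Name of the most recently unloaded module, or NULL if nothing was unloaded. */
const char *tracker_last_unloaded(const ModuleTracker *t)
{
    const ModuleRecord *best = NULL;
    for (size_t i = 0; i < t->count; i++)
        if (t->mods[i].unload_seq && (!best || t->mods[i].unload_seq > best->unload_seq))
            best = &t->mods[i];
    return best ? best->name : NULL;
}

#ifdef _WIN32
#include <windows.h>
/* Debugger loop: start the target under DEBUG_ONLY_THIS_PROCESS and feed the tracker. */
int debug_and_track(const char *cmdline, ModuleTracker *t)
{
    char cmd[1024]; snprintf(cmd, sizeof cmd, "%s", cmdline);   /* CreateProcess may modify it */
    STARTUPINFOA si = { sizeof si }; PROCESS_INFORMATION pi;
    if (!CreateProcessA(NULL, cmd, NULL, NULL, FALSE, DEBUG_ONLY_THIS_PROCESS, NULL, NULL, &si, &pi))
        return -1;
    for (;;) {
        DEBUG_EVENT ev; DWORD status = DBG_CONTINUE;
        if (!WaitForDebugEvent(&ev, INFINITE)) return -1;
        switch (ev.dwDebugEventCode) {
        case CREATE_PROCESS_DEBUG_EVENT: CloseHandle(ev.u.CreateProcessInfo.hFile); break;
        case LOAD_DLL_DEBUG_EVENT: {
            char path[MAX_PATH] = "?";
            if (ev.u.LoadDll.hFile) {
                GetFinalPathNameByHandleA(ev.u.LoadDll.hFile, path, sizeof path, 0);
                CloseHandle(ev.u.LoadDll.hFile);
            }
            tracker_on_load(t, (uintptr_t)ev.u.LoadDll.lpBaseOfDll, path);
            break; }
        case UNLOAD_DLL_DEBUG_EVENT:
            tracker_on_unload(t, (uintptr_t)ev.u.UnloadDll.lpBaseOfDll); break;
        case EXCEPTION_DEBUG_EVENT:   /* swallow the initial breakpoint, pass everything else on */
            if (ev.u.Exception.ExceptionRecord.ExceptionCode != EXCEPTION_BREAKPOINT)
                status = DBG_EXCEPTION_NOT_HANDLED;
            break;
        case EXIT_PROCESS_DEBUG_EVENT:
            ContinueDebugEvent(ev.dwProcessId, ev.dwThreadId, DBG_CONTINUE);
            CloseHandle(pi.hThread); CloseHandle(pi.hProcess);
            return 0;
        }
        ContinueDebugEvent(ev.dwProcessId, ev.dwThreadId, status);
    }
}
#endif
```

On Windows, call tracker_init and then debug_and_track with the target's command line; when the target exits, tracker_unloaded_count and the records with a non-zero unload_seq are the unloaded-module list, in unload order. Because the tracker only knows about modules it saw loaded, a debugger that attaches late cannot name a module unloaded before the attach, which is exactly the case the question's edit describes WinDbg handling and the reason the RtlGetUnloadEventTrace answer is the better fit for an in-process dumper.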

I guess it's the difference between the modules listed in the exe's import table and the currently loaded modules.
