如何在WinDbg中找到內存映射文件的名稱?
[英]How do I find a memory mapped file's name in WinDbg?
問題描述
當我在VMMap中查看我的進程時,我可以看到內存映射文件的文件名。 我現在正在分析WinDbg中的內存轉儲,並想知道內存映射文件的文件名。 如何從WinDbg或.dmp文件中找到它?
2 個解決方案
解決方案1
4 2010-11-22 16:38:04
!address -f:FileMap適用於實時調試。
您可以查看!address文檔,了解有關可用於優化輸出的其他標志的更多詳細信息。
解決方案2
2 2010-11-20 07:30:33
基本上,一旦您設法獲取內存映射文件的句柄,就可以使用!handle <address> 0xF命令查看一些相關數據(包括其名稱)。
如果您沒有特定句柄,但只想查看進程中現有內存映射文件的名稱,則可以使用以下命令: !handle 0 0x4 Section 。
哪個應該提供類似於這個的輸出:
Handle 6bc
Name \BaseNamedObjects\NLS_CodePage_862_3_2_0_0
Handle 6cc
Name \BaseNamedObjects\MyMap
Handle 794
Name \BaseNamedObjects\Cor_Private_IPCBlock_v4_4092
Handle 798
Name \BaseNamedObjects\Cor_SxSPublic_IPCBlock_4092
Handle 7cc
Name \BaseNamedObjects\ShimSharedMemory
5 handles of type Section
如果您想查看實際的文件名,可以在內核調試器中發出!handle命令,以查看有關與File句柄對應的系統對象的一些信息。
例如:
lkd> !handle 0 0x3 2c4 File
Searching for Process with Cid == 2c4
Searching for handles of type File
PROCESS 89242da0 SessionId: 0 Cid: 02c4 Peb: 7ffdd000 ParentCid: 0b48
DirBase: 0a640dc0 ObjectTable: e1c361d0 HandleCount: 83.
Image: ConsoleApplication1.exe
Handle table at e11f6000 with 83 entries in use
000c: Object: 86a74868 GrantedAccess: 00100020 (Inherit) Entry: e11f6018
Object: 86a74868 Type: (89e2a730) File
ObjectHeader: 86a74850 (old version)
HandleCount: 1 PointerCount: 1
Directory Object: 00000000 Name: \Foo\Bar {HarddiskVolume2}
06d0: Object: 8669c4b8 GrantedAccess: 00100083 Entry: e11f6da0
Object: 8669c4b8 Type: (89e2a730) File
ObjectHeader: 8669c4a0 (old version)
HandleCount: 1 PointerCount: 1
Directory Object: 00000000 Name: \wubildr {HarddiskVolume1}
06d4: Object: 86bf1f58 GrantedAccess: 00120089 Entry: e11f6da8
Object: 86bf1f58 Type: (89e2a730) File
ObjectHeader: 86bf1f40 (old version)
HandleCount: 1 PointerCount: 1
Directory Object: 00000000 Name: \WINDOWS\assembly\pubpol6.dat {HarddiskVolume1}
06dc: Object: 892c43e0 GrantedAccess: 00120089 Entry: e11f6db8
Object: 892c43e0 Type: (89e2a730) File
ObjectHeader: 892c43c8 (old version)
HandleCount: 1 PointerCount: 1
Directory Object: 00000000 Name: \WINDOWS\assembly\NativeImages_v4.0.30319_32\index1fe.dat {HarddiskVolume1}
06ec: Object: 892cf1f8 GrantedAccess: 00100001 Entry: e11f6dd8
Object: 892cf1f8 Type: (89e2a730) File
ObjectHeader: 892cf1e0 (old version)
HandleCount: 1 PointerCount: 1
如何在不知道文件大小的情況下在 Windows 平台中找到內存映射文件的末尾?
[英]How to find the end of a memory mapped file in Windows platform without previously knowing the size of the file?
Windows 中同一個內存映射文件的兩個視圖,它們如何以刷新方式交互?
[英]Two views of a same memory mapped file in windows, how do they interact flush-wise?
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.