问题
I want to parse the full crash dump (*.dmp) file and get the private bytes data. I know that VMMap of SysInternals can tell me how much my private bytes, heap etc are all but what I need is if I have the dump, I should be able to parse it and get the Heap (managed Heap) Structure and data in the heap. I am already done with this by reading the PEB and then walking through heaps.
What I am not able to figure out is how to read the private bytes (other than Heap, which is supposed to be the process data for native code). Could anyone please point me in the right direction so that I am able to parse the private bytes other than heap from the crash dump.
Thanks.
回答1:
!address -summary
In the first section you get a breakdown of the usage:
--- Usage Summary ---------------- RgnCount ----------- Total Size -------- %ofBusy %ofTotal
Free 170 6f958000 ( 1.743 Gb) 87.18%
<unknown> 477 6998000 ( 105.594 Mb) 40.21% 5.16%
Stack 417 5d00000 ( 93.000 Mb) 35.42% 4.54%
Image 253 3970000 ( 57.438 Mb) 21.87% 2.80%
Heap 20 600000 ( 6.000 Mb) 2.28% 0.29%
TEB 93 5d000 ( 372.000 kb) 0.14% 0.02%
Other 9 32000 ( 200.000 kb) 0.07% 0.01%
PEB 1 1000 ( 4.000 kb) 0.00% 0.00%
Unknown would be virtual allocs.
To list the unknown memory regions you can run:
!address -f:VAR
VAR as defined in the debugger.chm - Busy regions. These regions include all virtual allocation blocks, the SBH heap, memory from custom allocators, and all other regions of the address space that fall into no other classification.
来源:https://stackoverflow.com/questions/4885429/parse-the-crash-dump-in-windbg-for-private-bytes-other-than-managed-heap