在 WinDbg 中从 .NET 1.1 内存转储中转储所有字符串
Dump All Strings from .NET 1.1 Memory Dump in WinDbg
我有一个 .NET 1.1 内存转储我正在尝试分析它,虽然我可以加载 .NET 1.1 SOS.dll 很好,但问题是 SOS 扩展缺少很多命令。无法使用更高版本 .NET Framework 中的 SOS.dll,因为我收到此错误消息:
Failed to load data access DLL, 0x80004005
Verify that 1) you have a recent build of the debugger (6.2.14 or newer)
2) the file mscordacwks.dll that matches your version of mscorwks.dll is
in the version directory
3) or, if you are debugging a dump file, verify that the file
mscordacwks_<arch>_<arch>_<version>.dll is on your symbol path.
4) you are debugging on the same architecture as the dump file.
For example, an IA64 dump file must be debugged on an IA64
machine.
You can also run the debugger command .cordll to control the debugger's
load of mscordacwks.dll. .cordll -ve -u -l will do a verbose reload.
If that succeeds, the SOS command should work on retry.
If you are debugging a minidump, you need to make sure that your executable
path is pointing to mscorwks.dll as well.
据我所知,.NET 1.1 中没有 mscordacwks DLL(除非它有不同的名称)
通常我会使用这个命令来转储所有字符串:
.foreach (obj {!dumpheap -type System.String -short}) {.printf "\n%mu",${obj}+0xc}
但是这不起作用,因为 dumpheap 在 .NET 1.1 中没有 -short 选项。
唯一可用的命令是:
0:000> !sos.help
SOS : Help
COMState | List COM state for each thread
ClrStack | Provides true managed stack trace, source and line numbers.
Additional parameters: -p[arams] -l[ocals] -r[egs] -a[ll].
DumpClass <addr> | Dump EEClass info
DumpDomain [<addr>] | List assemblies and modules in a domain
DumpHeap [-stat] [-min 100] [-max 2000] [-mt 0x3000000] [-type <partial type name>] [-fix] [start [end]] | Dump GC heap contents
DumpMD <addr> | Dump MethodDesc info
DumpMT [-MD] <addr> | Dump MethodTable info
DumpModule <addr> | Dump EE Module info
DumpObj <addr> | Dump an object on GC heap
DumpStack [-EE] [-smart] [top stack [bottom stack] | -EE only shows managed stack items.
DumpStackObjects [top stack [bottom stack]
DumpVC <mt> <addr> | Dump a value class object
EEHeap [-gc] [-win32] [-loader] | List GC/Loader heap info
EEStack [-short] [-EE] | List all stacks EE knows
EEVersion | List mscoree.dll version
FinalizeQueue [-detail] | Work queue for finalize thread
GCInfo [<MD>] [IP] | Dump GC encoding info for a managed method
GCRoot <addr> | Find roots on stack/handle for object
IP2MD <addr> | Find MethodDesc from IP
Name2EE <module name> <item name> | Find memory address of EE data given a class/method name
ObjSize [<addr>] | Find number of bytes that a root or all roots keep alive on GC heap.
ProcInfo [-env] [-time] [-mem] | Display the process info
RWLock [-all] <addr> | List info for a Read/Write lock
SyncBlk [-all|#] | List syncblock
ThreadPool | Display CLR threadpool state
Threads | List managed threads
Token2EE <module name> <mdToken> | Find memory address of EE data for metadata token
u [<MD>] [IP] | Unassembly a managed code
dumpheap 的输出是这样的:
0:000> !dumpheap -type System.String
Address MT Size
07291164 031342d8 28
072911dc 031342d8 32
072911fc 031342d8 32
0729121c 031342d8 20
07291268 031342d8 40
07291290 031342d8 76
072912dc 031342d8 32
072912fc 031342d8 84
07291350 031342d8 80
072913a0 031342d8 148
etc..
total 2140 objects
Statistics:
MT Count TotalSize Class Name
31342d8 2140 147000 System.String
Total 2140 objects
您可以使用带有 /pS 和 /ps 标志的 .foreach 命令。
使用/pS 3 跳过您不想处理的3 个初始单词("Address"、"MT" 和"Size")。接下来,该命令将处理地址 07291164。然后用 /ps 2 跳过另外 2 个令牌(“031342d8”和“28”),将处理下一个令牌,依此类推。
在涉及到统计信息之前,这会正常工作,因此最后会出现一些错误消息。
否则你可以看看一些可以为你做文本处理的 WinDbg 扩展,比如 pykd。
我有一个 .NET 1.1 内存转储我正在尝试分析它,虽然我可以加载 .NET 1.1 SOS.dll 很好,但问题是 SOS 扩展缺少很多命令。无法使用更高版本 .NET Framework 中的 SOS.dll,因为我收到此错误消息:
Failed to load data access DLL, 0x80004005
Verify that 1) you have a recent build of the debugger (6.2.14 or newer)
2) the file mscordacwks.dll that matches your version of mscorwks.dll is
in the version directory
3) or, if you are debugging a dump file, verify that the file
mscordacwks_<arch>_<arch>_<version>.dll is on your symbol path.
4) you are debugging on the same architecture as the dump file.
For example, an IA64 dump file must be debugged on an IA64
machine.
You can also run the debugger command .cordll to control the debugger's
load of mscordacwks.dll. .cordll -ve -u -l will do a verbose reload.
If that succeeds, the SOS command should work on retry.
If you are debugging a minidump, you need to make sure that your executable
path is pointing to mscorwks.dll as well.
据我所知,.NET 1.1 中没有 mscordacwks DLL(除非它有不同的名称)
通常我会使用这个命令来转储所有字符串:
.foreach (obj {!dumpheap -type System.String -short}) {.printf "\n%mu",${obj}+0xc}
但是这不起作用,因为 dumpheap 在 .NET 1.1 中没有 -short 选项。 唯一可用的命令是:
0:000> !sos.help
SOS : Help
COMState | List COM state for each thread
ClrStack | Provides true managed stack trace, source and line numbers.
Additional parameters: -p[arams] -l[ocals] -r[egs] -a[ll].
DumpClass <addr> | Dump EEClass info
DumpDomain [<addr>] | List assemblies and modules in a domain
DumpHeap [-stat] [-min 100] [-max 2000] [-mt 0x3000000] [-type <partial type name>] [-fix] [start [end]] | Dump GC heap contents
DumpMD <addr> | Dump MethodDesc info
DumpMT [-MD] <addr> | Dump MethodTable info
DumpModule <addr> | Dump EE Module info
DumpObj <addr> | Dump an object on GC heap
DumpStack [-EE] [-smart] [top stack [bottom stack] | -EE only shows managed stack items.
DumpStackObjects [top stack [bottom stack]
DumpVC <mt> <addr> | Dump a value class object
EEHeap [-gc] [-win32] [-loader] | List GC/Loader heap info
EEStack [-short] [-EE] | List all stacks EE knows
EEVersion | List mscoree.dll version
FinalizeQueue [-detail] | Work queue for finalize thread
GCInfo [<MD>] [IP] | Dump GC encoding info for a managed method
GCRoot <addr> | Find roots on stack/handle for object
IP2MD <addr> | Find MethodDesc from IP
Name2EE <module name> <item name> | Find memory address of EE data given a class/method name
ObjSize [<addr>] | Find number of bytes that a root or all roots keep alive on GC heap.
ProcInfo [-env] [-time] [-mem] | Display the process info
RWLock [-all] <addr> | List info for a Read/Write lock
SyncBlk [-all|#] | List syncblock
ThreadPool | Display CLR threadpool state
Threads | List managed threads
Token2EE <module name> <mdToken> | Find memory address of EE data for metadata token
u [<MD>] [IP] | Unassembly a managed code
dumpheap 的输出是这样的:
0:000> !dumpheap -type System.String
Address MT Size
07291164 031342d8 28
072911dc 031342d8 32
072911fc 031342d8 32
0729121c 031342d8 20
07291268 031342d8 40
07291290 031342d8 76
072912dc 031342d8 32
072912fc 031342d8 84
07291350 031342d8 80
072913a0 031342d8 148
etc..
total 2140 objects
Statistics:
MT Count TotalSize Class Name
31342d8 2140 147000 System.String
Total 2140 objects
您可以使用带有 /pS 和 /ps 标志的 .foreach 命令。
使用/pS 3 跳过您不想处理的3 个初始单词("Address"、"MT" 和"Size")。接下来,该命令将处理地址 07291164。然后用 /ps 2 跳过另外 2 个令牌(“031342d8”和“28”),将处理下一个令牌,依此类推。
在涉及到统计信息之前,这会正常工作,因此最后会出现一些错误消息。
否则你可以看看一些可以为你做文本处理的 WinDbg 扩展,比如 pykd。