Module name different from its Image File name
So after debugging an executable on windbg, I noticed that the module name is different from the image name.
When I first load the executable and set a breakpoint before the entry point, the lm vm / !for_each_module command shows this.
start end module name
00a30000 00a38000 Injection C (no symbols)
Loaded symbol image file: C:\Users\user\Downloads\Bird.exe
Image path: Injection.exe
Image name: Injection.exe
Browse all global symbols functions data
Timestamp: Mon May 24 22:30:53 2021 (60AC0CFD)
CheckSum: 00000000
ImageSize: 00008000
As you can see, the Image name field does not correspond to the Loaded symbol image file name.
Any idea why? Does it have something to do with the .pdb file path?
I can't find anything related to this in the PE format.
How is this achieved?
It is mentioned in the documentation for lm as well as !for_each_module that the two can differ significantly; in fact !for_each_module has two command strings, one @#ModuleName and the other @#ImageName.
I haven't looked much, but sometimes I see substitutes like foo_1480xxx.
Do you have a shareable binary that shows this behavior?
Edit
Just browsed the file: the pdb file name that appears in the binary is Injection.pdb, and the executable was renamed after compilation.
F:\Latebird>ls
LateBird.exe
F:\Latebird>file LateBird.exe
LateBird.exe: PE32 executable (console) Intel 80386, for MS Windows
F:\Latebird>certutil -hashfile LateBird.exe sha1
943710a2a04caeae3ab21cc8be83ebc1d556e127
F:\Latebird>certutil -hashfile LateBird.exe md5
c8e3b7b9dc2541574335f9141e3ca4bf
F:\Latebird>dbh LateBird.exe
LateBird [1000000]: i
ModuleName : LateBird
ImageName : LateBird.exe
LoadedImageName : F:\Latebird\LateBird.exe
LoadedPdbName :
CVSig : 0x53445352
CVData : C:\Users\Dynamic\source\repos\Injection\Release\Injection.pdb
PdbAge : 0xa
PdbUnmatched : false
MachineType : I386
LateBird [1000000]:
Just to confirm once more, I compiled a MessageBox, renamed it after compiling, loaded it in windbg and checked lmvm.
Results below.
ls -lg
total 17
-rwxr-xr-x 1 12800 LateBird.exe
-rw-r--r-- 1 165 LateBirdie.cpp
cat LateBirdie.cpp
#include <windows.h>
int WINAPI WinMain (_In_ HINSTANCE,_In_opt_ HINSTANCE,_In_ LPSTR,_In_ int ){
return MessageBoxA(NULL, "LateBirdie", "Early Birdie", 0);
}
cl /Zi /W4 /analyze /Od /nologo LateBirdie.cpp /link /release user32.lib /entry:WinMain
LateBirdie.cpp
file LateBirdie.exe
LateBirdie.exe: PE32+ executable (GUI) x86-64, for MS Windows
ren LateBirdie.exe EarlyBirdie.exe
cdb -c ".reload /f; lmvm *bird*;q" EarlyBirdie.exe | awk "/Reading/,/quit/"
0:000> cdb: Reading initial command '.reload /f; lmvm *bird*;q'
Reloading current modules
start end module name
00007ff6`87e50000 00007ff6`87e54000 LateBirdie F:\Latebird\LateBirdie.pdb
Loaded symbol image file: F:\Latebird\EarlyBirdie.exe
Image path: LateBirdie.exe
Image name: LateBirdie.exe
Timestamp: Tue Jun 1 02:56:35 2021 (60B5548B)
CheckSum: 0000FCA9
ImageSize: 00004000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
Information from resource tables:
quit:
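The mechanism the answer demonstrates (the debugger derives the module name from the PDB name stored in the binary's CodeView RSDS record, not from the file name on disk) as an added example that is not code from the post: a parser for the RSDS record and a check for the name mismatch. The GUID is constructed; the PDB path and age are the ones shown in the dbh output above.

```python
import struct
import uuid
from pathlib import PureWindowsPath

# CodeView signature 'RSDS' (dbh prints it as CVSig : 0x53445352, little-endian).
RSDS_SIG = b"RSDS"


def parse_rsds(record: bytes) -> dict:
    """Parse a CodeView RSDS record:
    'RSDS' | GUID (16 bytes) | age (u32 LE) | NUL-terminated PDB path.
    Raises ValueError for any other CodeView format (e.g. NB10)."""
    if len(record) < 24 or record[:4] != RSDS_SIG:
        raise ValueError("not an RSDS CodeView record")
    guid = uuid.UUID(bytes_le=record[4:20])
    (age,) = struct.unpack_from("<I", record, 20)
    path_bytes = record[24:].split(b"\0", 1)[0]
    return {"guid": guid, "age": age, "pdb_path": path_bytes.decode("utf-8", "replace")}


def module_name_from_pdb(pdb_path: str) -> str:
    """Module name the way lm/dbh show it: PDB file name without its extension."""
    return PureWindowsPath(pdb_path).stem


def symbol_store_key(pdb_path: str, guid: uuid.UUID, age: int) -> str:
    """Symbol-server lookup path: <pdb name>/<GUID hex upper><age hex>/."""
    return f"{PureWindowsPath(pdb_path).name}/{guid.hex.upper()}{age:X}/"


def names_differ(image_path: str, pdb_path: str) -> bool:
    """True when the on-disk image name does not match the PDB-derived module name,
    i.e. the situation in the question (Bird.exe loaded as module 'Injection')."""
    return PureWindowsPath(image_path).stem.lower() != module_name_from_pdb(pdb_path).lower()


# Constructed RSDS record: hypothetical GUID, age 0xa and PDB path as printed by dbh.
SAMPLE_RECORD = (
    RSDS_SIG
    + uuid.UUID("01234567-89ab-cdef-0123-456789abcdef").bytes_le
    + struct.pack("<I", 0xA)
    + b"C:\\Users\\Dynamic\\source\\repos\\Injection\\Release\\Injection.pdb\0"
)

if __name__ == "__main__":
    info = parse_rsds(SAMPLE_RECORD)
    print(module_name_from_pdb(info["pdb_path"]), hex(info["age"]))
    print(names_differ(r"C:\Users\user\Downloads\Bird.exe", info["pdb_path"]))
```

The same record can be located in a real file by walking the PE debug directory (IMAGE_DEBUG_TYPE_CODEVIEW) before calling parse_rsds on its bytes.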