Easy list traversing (dt vs. !list)
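While looking for a way to traverse linked lists, I looked up the dt command in the WinDbg help. Most of the structures I create define LIST_ENTRY as the first member. In that case the dt command is more convenient than the !list command.
For example: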
0:000> dt _MYBIGSTRUCTURE
+0x000 Links : _LIST_ENTRY
...
+0x080 SomeName : [33] Uint2B
0:000> dd component!MyBigStructureListHead l1
01022cd0  0007fe58
0:000> .enable_unicode 1
The following command lists all the structures:
0:000> dt _MYBIGSTRUCTURE -l Links.Flink 0007fe58
And the following command shows only a specific named member for each entry in the list:
0:000> dt _MYBIGSTRUCTURE -l Links.Flink -y SomeName 0007fe58
Links.Flink at 0x7fe58
+0x000 Links : [ 0x8e090 - 0x1022cd0 ]
+0x080 SomeName : [33] "Foo"
Links.Flink at 0x8e090
+0x000 Links : [ 0x913f8 - 0x7fe58 ]
+0x080 SomeName : [33] "Bar"
If you do not know the exact member name, you can use just part of it:
0:000> dt _MYBIGSTRUCTURE -l Links.Flink -y S 0007fe58
If LIST_ENTRY is not the first member of the structure, you need to know its offset within the structure:
kd> dd nt!PsActiveProcessHead l1
808af068  85fa48b0
kd> dt _EPROCESS
+0x000 Pcb : _KPROCESS
+0x078 ProcessLock : _EX_PUSH_LOCK
+0x080 CreateTime : _LARGE_INTEGER
+0x088 ExitTime : _LARGE_INTEGER
+0x090 RundownProtect : _EX_RUNDOWN_REF
+0x094 UniqueProcessId : Ptr32 Void
+0x098 ActiveProcessLinks : _LIST_ENTRY
kd> dt _EPROCESS -l ActiveProcessLinks.Flink -y ImageFileName 85fa48b0-0x98
ActiveProcessLinks.Flink at 0x85fa4818
+0x098 ActiveProcessLinks : [ 0x85d1ce20 - 0x808af068 ]
+0x164 ImageFileName : [16] "System"
ActiveProcessLinks.Flink at 0x85d1cd88
+0x098 ActiveProcessLinks : [ 0x85dba6b8 - 0x85fa48b0 ]
+0x164 ImageFileName : [16] "smss.exe"
ActiveProcessLinks.Flink at 0x85dba620
+0x098 ActiveProcessLinks : [ 0x858d20b8 - 0x85d1ce20 ]
+0x164 ImageFileName : [16] "csrss.exe"
ActiveProcessLinks.Flink at 0x858d2020
+0x098 ActiveProcessLinks : [ 0x858c20b8 - 0x85dba6b8 ]
+0x164 ImageFileName : [16] "winlogon.exe"
ActiveProcessLinks.Flink at 0x858c2020
+0x098 ActiveProcessLinks : [ 0x8589f0b8 - 0x858d20b8 ]
+0x164 ImageFileName : [16] "services.exe"
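What the -l ActiveProcessLinks.Flink walk and the 85fa48b0-0x98 adjustment do, as an added C example that is not part of the original post: the list stores pointers to the embedded LIST_ENTRY, so each entry address has to be moved back by the field offset to reach the start of the structure, and the walk ends when Flink returns to the list head. PROC_RECORD, walk_names and demo are hypothetical names, the LIST_ENTRY and CONTAINING_RECORD definitions are portable stand-ins for the Windows ones, and the sample records are constructed; the walk also rejects a list whose Flink/Blink pointers disagree.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Portable stand-ins for the Windows LIST_ENTRY and CONTAINING_RECORD. */
typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;
#define CONTAINING_RECORD(a, type, field) \
    ((type *)((char *)(a) - offsetof(type, field)))

/* Hypothetical record: like _EPROCESS, the links are not the first member. */
typedef struct _PROC_RECORD {
    unsigned long UniqueId;
    LIST_ENTRY    Links;
    char          ImageFileName[16];
} PROC_RECORD;
static char demo_names[8][16];   /* filled by demo() */

/* Walk from the head, copying each ImageFileName. Returns the entry count,
   or -1 on a NULL link, a Flink/Blink mismatch, or more than max entries. */
int walk_names(LIST_ENTRY *head, char names[][16], int max) {
    int n = 0;
    for (LIST_ENTRY *e = head->Flink; e != head; e = e->Flink) {
        if (!e || !e->Flink || !e->Blink || n == max) return -1;
        if (e->Flink->Blink != e || e->Blink->Flink != e) return -1;
        /* e is &record->Links; step back to the record start, as the
           "85fa48b0-0x98" argument does by hand in the debugger. */
        PROC_RECORD *r = CONTAINING_RECORD(e, PROC_RECORD, Links);
        memcpy(names[n++], r->ImageFileName, 16);
    }
    return n;
}

/* Constructed sample: three records on one list, optionally with one
   corrupted back link; returns what walk_names() reports. */
int demo(int corrupt) {
    static const char *img[] = { "System", "smss.exe", "csrss.exe" };
    LIST_ENTRY head = { &head, &head };
    PROC_RECORD recs[3];
    for (int i = 0; i < 3; i++) {
        LIST_ENTRY *e = &recs[i].Links;
        memset(&recs[i], 0, sizeof recs[i]);
        strcpy(recs[i].ImageFileName, img[i]);
        e->Flink = &head; e->Blink = head.Blink;   /* insert at tail */
        head.Blink->Flink = e; head.Blink = e;
    }
    if (corrupt) recs[1].Links.Blink = &recs[2].Links;
    return walk_names(&head, demo_names, 8);
}

int main(void) { printf("%d %d\n", demo(0), demo(1)); return 0; }
```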
Here is an example that uses a singly linked list rather than LIST_ENTRY:
0:000> !teb
TEB at 7FFDE000
ExceptionList: 6fc54
Stack Base: 70000
Stack Limit: 6d000
SubSystemTib: 0
FiberData: 1e00
ArbitraryUser: 0
Self: 7ffde000
EnvironmentPtr: 0
ClientId: 22c.228
Real ClientId: 22c.228
RpcHandle: 0
Tls Storage: 742b8
PEB Address: 7ffdf000
LastErrorValue: 997
LastStatusValue: 103
Count Owned Locks:0
HardErrorsMode: 0
0:000> dt -r _TEB
+0x000 NtTib : _NT_TIB
   +0x000 ExceptionList : Ptr32 _EXCEPTION_REGISTRATION_RECORD
      +0x000 Next : Ptr32 _EXCEPTION_REGISTRATION_RECORD
      +0x004 Handler : Ptr32
   +0x004 StackBase : Ptr32 Void
   +0x008 StackLimit : Ptr32 Void
   +0x00c SubSystemTib : Ptr32 Void
   +0x010 FiberData : Ptr32 Void
   +0x010 Version : Uint4B
   +0x014 ArbitraryUserPointer : Ptr32 Void
   +0x018 Self : Ptr32 _NT_TIB
0:000> dt _EXCEPTION_REGISTRATION_RECORD -l Next 7FFDE000
Next at 0x7ffde000
+0x000 Next : 0x0006fc54 _EXCEPTION_REGISTRATION_RECORD
+0x004 Handler : 0x00070000 +70000
Next at 0x6fc54
+0x000 Next : 0x0006fcfc _EXCEPTION_REGISTRATION_RECORD
+0x004 Handler : 0x7c5c1f44 KERNEL32!_except_handler3+0
Next at 0x6fcfc
+0x000 Next : 0x0006ff5c _EXCEPTION_REGISTRATION_RECORD
+0x004 Handler : 0x7c2e5649 ADVAPI32!_except_handler3+0
Next at 0x6ff5c
+0x000 Next : 0x0006ffb0 _EXCEPTION_REGISTRATION_RECORD
+0x004 Handler : 0x7c2e5649 ADVAPI32!_except_handler3+0
Next at 0x6ffb0
+0x000 Next : 0x0006ffe0 _EXCEPTION_REGISTRATION_RECORD
+0x004 Handler : 0x01015878 component!_except_handler3+0
Next at 0x6ffe0
+0x000 Next : 0xffffffff _EXCEPTION_REGISTRATION_RECORD
+0x004 Handler : 0x7c5c1f44 KERNEL32!_except_handler3+0
- Dmitry Vostokov -