แก้ไข

แชร์ผ่าน


!address

The !address extension displays information about the memory that the target process or target computer uses.

User-Mode

!address Address
!address -summary 
!address [-f:F1,F2,...] {[-o:{csv | tsv | 1}] | [-c:"Command"]}
!address -? | -help

Kernel-Mode

!address Address 
!address

Parameters

Address
Displays only the region of the address space that contains Address.

-summary
Displays only summary information.

-f:F1, F2, ...
Displays only the regions specified by the filters F1, F2, and so on.

The following filter values specify memory regions by the way that the target process is using them.

Filter value Memory regions displayed

VAR

Busy regions. These regions include all virtual allocation blocks, the SBH heap, memory from custom allocators, and all other regions of the address space that fall into no other classification.

Free

Free memory. This includes all memory that has not been reserved.

Image

Memory that is mapped to a file that is part of an executable image.

Stack

Memory used for thread stacks.

Teb

Memory used for thread environment blocks (TEBs).

Peb

Memory used for the process environment block (PEB).

Heap

Memory used for heaps.

PageHeap

The memory region used for the full-page heap.

CSR

CSR shared memory.

Actx

Memory used for activation context data.

NLS

Memory used for National Language Support (NLS) tables.

FileMap

Memory used for memory-mapped files. This filter is applicable only during live debugging.

The following filter values specify memory regions by the memory type.

Filter value Memory regions displayed

MEM_IMAGE

Memory that is mapped to a file that is part of an executable image.

MEM_MAPPED

Memory that is mapped to a file that is not part of an executable image. This includes memory that is mapped to the paging file.

MEM_PRIVATE

Private memory. This memory is not shared by any other process, and it is not mapped to any file.

The following filter values specify memory regions by the state of the memory.

Filter value Memory regions displayed

MEM_COMMIT

Committed memory.

MEM_FREE

Free memory. This includes all memory that has not been reserved.

MEM_RESERVE

Reserved memory.

The following filter values specify memory regions by the protection applied to the memory.

Filter value Memory regions displayed

PAGE_NOACCESS

Memory that cannot be accessed.

PAGE_READONLY

Memory that is readable, but not writable and not executable.

PAGE_READWRITE

Memory that is readable and writable, but not executable.

PAGE_WRITECOPY

Memory that has copy-on-write behavior.

PAGE_EXECUTE

Memory that is executable, but not readable and not writeable.

PAGE_EXECUTE_READ

Memory that is executable and readable, but not writable.

PAGE_EXECUTE_READWRITE

Memory that is executable, readable, and writable.

PAGE_EXECUTE_WRITECOPY

Memory that is executable and has copy-on-write behavior.

PAGE_GUARD

Memory that acts as a guard page.

PAGE_NOCACHE

Memory that is not cached.

PAGE_WRITECOMBINE

Memory that has write-combine access enabled.

-o:{csv | tsv | 1}
Displays the output according to one of the following options.

Option Output format

csv

Displays the output as comma-separated values.

tsv

Displays the output as tab-separated values.

1

Displays the output in bare format. This format works well when !address is used as input to .foreach.

-c:"Command"
Executes a custom command for each memory region. You can use the following placeholders in your command to represent output fields of the !address extension.

Placeholder Output field

%1

Base address

%2

End address + 1

%3

Region size

%4

Type

%5

State

%6

Protection

%7

Usage

For example, !address -f:Heap -c:".echo %1 %3 %5" displays the base address, size, and state for each memory region of type Heap.

Quotes in the command must be preceded by a back slash (\"). For example, !address -f:Heap -c:"s -a %1 %2 \"pad\"" searches each memory region of type Heap for the string "pad".

Multiple commands separated by semicolons are not supported.

-?
Displays minimal Help text for this extension in the Debugger Command window.

DLL

Ext.dll

Additional Information

For more information about how to display and search memory, see Reading and Writing Memory. For additional extensions that display memory properties, see !vm (kernel mode) and !vprot (user mode).

Remarks

Without any parameters, the !address extension displays information about the whole address space. The !address -summary command shows only the summary.

In kernel mode, this extension searches only kernel memory, even if you used .process (Set Process Context) to specify a given process' virtual address space. In user mode, the !address extension always refers to the memory that the target process owns.

In user mode, !address Address shows the characteristics of the region that the specified address belongs to. Without parameters, !address shows the characteristics of all memory regions. These characteristics include the memory usage, memory type, memory state, and memory protection. For more information about the meaning of this information, see the earlier tables in the description of the -f parameter.

The following example uses !address to retrieve information about a region of memory that is mapped to kernel32.dll.

0:000> !address 75831234
Usage:                  Image
Base Address:           75831000
End Address:            758f6000
Region Size:            000c5000
Type:                   01000000MEM_IMAGE
State:                  00001000MEM_COMMIT
Protect:                00000020PAGE_EXECUTE_READ
More info:              lmv m kernel32
More info:              !lmi kernel32
More info:              ln 0x75831234

This example uses an Address value of 0x75831234. The display shows that this address is in a memory region that begins with the address 0x75831000 and ends with the address 0x758f6000. The region has usage Image, type MEM_IMAGE, state MEM_COMMIT, and protection PAGE_EXECUTE_READ. (For more information about the meaning of these values, see the earlier tables.) The display also lists three other debugger commands that you can use to get more information about this memory address.

If you are starting with an address and trying to determine information about it, the usage information is frequently the most valuable. After you know the usage, you can use additional extensions to learn more about this memory. For example, if the usage is Heap, you can use the !heap extension to learn more.

The following example uses the s (Search Memory) command to search each memory region of type Image for the wide-character string "Note".

!address /f:Image /c:"s -u %1 %2 \"Note\""

*** Executing: s -u 0xab0000 0xab1000 "Note"
*** Executing: s -u 0xab1000 0xabc000 "Note"
00ab2936  004e 006f 0074 0065 0070 0061 0064 0000  N.o.t.e.p.a.d...
00ab2f86  004e 006f 0074 0065 0070 0061 0064 005c  N.o.t.e.p.a.d.\.
00ab32e4  004e 006f 0074 0065 0070 0061 0064 0000  N.o.t.e.p.a.d...
*** Executing: s -u 0xabc000 0xabd000 "Note"
. . .

In kernel mode, the output of !address is similar to the user mode output but contains less information. The following example shows the kernel mode output.

kd> !address
  804de000 - 00235000                           
 Usage       KernelSpaceUsageImage
          ImageName   ntoskrnl.exe

  80c00000 - 001e1000
          Usage       KernelSpaceUsagePFNDatabase

....

  f85b0000 - 00004000
          Usage       KernelSpaceUsageKernelStack
          KernelStack 817b4da0 : 324.368

 f880d000 - 073d3000
          Usage       KernelSpaceUsageNonPagedPoolExpansion

The meaning of "usage" is the same as in user mode. "ImageName" indicates the module that is associated with this address. "KernelStack" shows the address of this thread's ETHREAD block (0x817B4DA0), the process ID (0x324), and the thread ID (0x368).