Basic windbg-1. sosbasics (continued)

When the book is connected, we start to read several other commands.
If you look at me Code , You can find both value type and reference type. So, how can I view the information about the variables in the current thread status? For managed code, the Core Command is! Do (abbreviation of dump object), this! Do is followed by the address of the variable you want to see. So, how do I know the address of my variable?
Let's take a look at another command ,! DSO (short for dump stack objects), this command can be used to get all the variables on the current stack. Let's run this command: Exclamation point + DSO. Let's see the result:
0: 000>! DSO
OS thread ID: 0x1248 (0)
ESP/REG Object Name
002df0c4 0157651c Microsoft. win32.safehandles. safefilehandle
002df0d4 0157651c Microsoft. win32.safehandles. safefilehandle
002df108 015765b8 system. byte []
002df10c 01576530 system. Io. _ lelestream
002df130 01576560 system. Io. streamreader
002df134 01576560 system. Io. streamreader
002df138 01573750 sosbasics. matrixworld
002df148 01576560 system. Io. streamreader
002df14c 015768d4 system. Io. textreader + synctextreader
002df150 01573750 sosbasics. matrixworld
002df160 015768d4 system. Io. textreader + synctextreader
002df164 01573750 sosbasics. matrixworld
002df16c 01573750 sosbasics. matrixworld
002df178 01573628 system. object [] (system. String [])
002df234 01573628 system. object [] (system. String [])
002df3e0 01573628 system. object [] (system. String [])
002df408 01573628 system. object [] (system. String [])

First of all ,! DSO is thread-related. You can try it, switch to thread 1 or thread 2, and then execute it! What are the results of DSO? (In my example, you cannot see any results)
The list above is divided into three parts: What is the leftmost column, regardless of it. The middle column is the object address, and the right side is the object type. OK. Let's take a look at the line marked in red. Even in the code, mtraix has an object ID of 01573750. After finding this address, we will use it! Do command to dig it! Run! Do 01573750. Check the result.
0: 000>! Do 1, 01573750
Name: sosbasics. matrixworld
Methodtable: 004132ac
Eeclass: 0041142c
Size: 48 (0x30) bytes
(C: \ Users \ charju \ Documents \ Visual Studio 2008 \ projects \ basicwindbg \ sosbasics \ bin \ debug \ sosbasics.exe)
Fields:
MT field offset type vt attr Value Name
79102290 4000001 20 system. int32 0 instance 6 generation
7910c348 4000002 4 system. Double 0 instance 123456789.000000 gold
790fd8c4 4000003 C system. String 0 instance 01573780 name
7910c878 4000004 24 system. datetime1 Instance 01573774 age
79101fe4 4000005 10... ections. hashtable 0 instance 015739fc systemkey
7912d8f8 4000006 14 system. object [] 0 instance 01573ac4 leaders
790fd0f0 4000007 18 system. Object 0 instance 01573930 previusone
00413364 4000008 1C sosbasics. Zion 0 instance 01573af0 Zion
First, we can see the name: sosbasics. matrixworld, which indicates the class name of this object and the remaining lines. We don't need to worry about it for the moment. See the following table. The table has a total of seven columns, namely methodtable, field, offset, type, ulultable, attribute, value, and name. The content of each row is the content of object 01573750 that we are currently skin-polishing.
Command! The best thing about do is that all managed resources can be viewed in this way. So, let's first look at the generation of the first line. Oh, it has a value, that is, 6. Check my code. 6 indicates that the current NEO is the sixth generation and the master. Check the second row, which is gold and the value is 123456789, and its type is double. The third line is name. What is its value? It's 01573780!
This is Xiami Dongdong? This is also a managed object, so. Let's continue to use do to see it.
0: 000>! Do 1, 01573780
Name: system. String
Methodtable: 790fd8c4
Eeclass: 790fd824
Size: 38 (0x26) bytes
(C: \ WINDOWS \ Assembly \ gac_32 \ mscorlib \ 2.0.0.0 _ b77a5c561934e089 \ mscorlib. dll)
String: The Matrix
Fields:
MT field offset type vt attr Value Name
79102290 4000096 4 system. int32 0 instance 11 m_arraylength
79102290 4000097 8 system. int32 0 instance 10 m_stringlength
790ff328 4000098 C system. Char 0 instance 54 m_firstchar
790fd8c4 4000099 10 system. String 0 shared static empty
> Domain: Value 004b54a8: 790d884c <
7912dd40 400009a 14 system. Char [] 0 shared static whitespacechars
> Domain: Value 004b54a8: 01521470 <

Pay attention to the red part! Indicates that it is a string with the value: the matrix. Take a closer look at this table and find a common string containing things such as arraylength and stringlength. Let's ignore this. Go back to the previous table and continue reading it.

The name is age and the address is 01573774. Continue! Do 01573774, oh, why?
0: 000>! Do 1, 01573774
<Note: This object has an invalid class field>
Invalid object
Is Xiami an invalid object? We can use it! Help dumpobj: View Command help
The column VT contains the value 1 if the field is a valuetype structure, and
0 if the field contains a pointer to another object. For valuetypes, you can
Take the methodtable pointer in the MT column, and the value and pass them
The command! Dumpvc.
Let's take a look at the dataetime extracted from the table above.
7910c878 4000004 24 system. datetime1Instance 01573774 age

OK, I understand. The VT column of this datetime is 1, so, we need to change the command to see :! Dumpvc, which requires two parameters: one is the corresponding methodtable and the other is the current value. Methodtable is the value on the leftmost side, and value is the penultimate value on the rightmost side. So, try again! Dumpvc 7910c878 01573774:
0: 000>! Dumpvc 7910 c878 01573774
Name: system. datetime
Methodtable 7910c878
Eeclass: 7910c7d8
Size: 16 (0x10) bytes
(C: \ WINDOWS \ Assembly \ gac_32 \ mscorlib \ 2.0.0.0 _ b77a5c561934e089 \ mscorlib. dll)
Fields:
MT field offset type vt attr Value Name
7910c19c 40000f4 0 system. uint64 0 instance 662065056000000000 datedata
7912d7c0 40000f0 30 system. int32 [] 0 shared static daystomonth365
> Domain: Value 004b54a8: 0157450c <
7912d7c0 40000f1 34 system. int32 [] 0 shared static daystomonth366
> Domain: Value 004b54a8: 015739bc <
7910c878 40000f2 28 system. datetime 1 shared static minvalue
> Domain: Value 004b54a8: 0157395c <
7910c878 40000f3 2C system. datetime 1 shared static maxvalue
> Domain: Value 004b54a8: 0157450c <
The first line shows that system. uint64 is our time. It should be a ticket (I guess)
Let's continue watching the 015739fc systemkey line. Similarly ,! Do 015739fc is also a big task!
0: 000>! Do 015739fc
Name: system. Collections. hashtable
Methodtable: 79101fe4
Eeclass: 79101f74
Size: 56 (0x38) bytes
(C: \ WINDOWS \ Assembly \ gac_32 \ mscorlib \ 2.0.0.0 _ b77a5c561934e089 \ mscorlib. dll)
Fields:
MT field offset type vt attr Value Name
7912d9bc 400092b 4... ashtable + bucket [] 0 instance 01573a34 buckets
79102290 400092c 1C system. int32 0 instance 3 count
79102290 400092d 20 system. int32 0 instance 1 occupancy
79102290 400092e 24 system. int32 0 instance 7 loadsize
7934790c 400092f 28 system. Single 0 instance 0.720000 loadfactor
79102290 4000930 2C system. int32 0 instance 3 version
7910be50 4000931 30 system. boolean 0 instance 0 iswriterinprogress
79347ef8 4000932 8... tions. icollection 0 instance 01575fcc keys
79347ef8 4000933 c... tions. icollection 0 instance 00000000 values
79347ef8 4000934 10... iequalitycomparer 0 instance 00000000 _ keycomparer
790fd0f0 4000935 14 system. Object 0 instance 00000000 _ syncroot
79111df0 4000936 18... serializationinfo 0 instance 00000000 m_siinfo
There are several interesting things.
The count in the second row is 3, which indicates that three items exist in hashtable. The fifth and fourth lines are keys and values. Let's take a look! Check keys first ,! Do 01575fcc
0: 000>! Do 01575fcc
Name: system. Collections. hashtable + keycollection
Methodtable: 7911cd80
Eeclass: 791fb9e8
Size: 12 (0xc) bytes
(C: \ WINDOWS \ Assembly \ gac_32 \ mscorlib \ 2.0.0.0 _ b77a5c561934e089 \ mscorlib. dll)
Fields:
MT field offset type vt attr Value Name
79101fe4 400093a 4... ections. hashtable 0 instance 015739fc _ Hashtable

Strange! Why do I have only one row? I have three lines of Data! And this value =015739fcWhy are you so familiar with this? Ha! This is not the above hashtable! How can we go around and get back?
OK. Let's start to look at the next command: dd.
Review the first line of hashtable: 7912d9bc 400092b 4... ashtable + bucket [] 0 instance 01573a34 buckets. Here there is a buckets. The address is 01573a34, so use dd to look at it:
0: 000> dd 01573a34
01573a34 7912d9bc 0000000b 00000000 00000000
01573a44 00000000 00000000 00000000 00000000
01573a5400000000 00000000 00000000 015737a8
01573a64 015737c8 E047abd0 00000000 00000000
01573a74 00000000 00000000 00000000 00000000
01573a84 00000000 00000000 00000000 00000000
01573a94 00000000 00000000 00000000 00000000
01573aa4 00000000 015737e8 0157380c 62e0f252
0: 000> dd
01573ab4 01573844 01573860 742f0848 00000000
01573ac4 7912d8f800000007 790fd8c4 01573880
0 1573ad4 01573898 015738b0 015738c8 015738e0
01573ae4 015738f801573910 00000000 00413364
01573af4 015738f800000000 791013a0 00000000
01573b04 00000000 00000000 00000000 00000000
01573b14 00000000 790fd0f0 00000000 40010000
01573b24 79101444 0000000b 00000004 00000100
Note that in the red part above, the first B indicates that this hashtable has 11 objects. Why are there so many objects? I don't know. Let's look at other
0: 000>! Do-nofields 015737a8
Name: system. String
Methodtable: 790fd8c4
Eeclass: 790fd824
Size: 30 (0x1e) bytes
(C: \ WINDOWS \ Assembly \ gac_32 \ mscorlib \ 2.0.0.0 _ b77a5c561934e089 \ mscorlib. dll)
String: Oracle
0: 000>! Do-nofields 015737c8
Name: system. String
Methodtable: 790fd8c4
Eeclass: 790fd824
Size: 32 (0x20) bytes
(C: \ WINDOWS \ Assembly \ gac_32 \ mscorlib \ 2.0.0.0 _ b77a5c561934e089 \ mscorlib. dll)
String: an old woman with changed faces
See? Our key is Oracle, and the value is: the old lady who will face it. Here, do has a parameter called-nofields, which is less output for the string type and looks more comfortable. Similarly, we can see the remaining 2 pairs of key/value.

Hashtable has come to an end temporarily. We will continue to go back to the first table to check other objects in matrixworld.
7912d8f8 4000006 14 system. object [] 0 instance 01573ac4 leaders
Leaders. This is an array type of system. object []. Let's do it :! Do 01573ac4
0: 000>! Do 01573ac4
Name: system. object []
Methodtable: 7912d8f8
Eeclass: 7912de6c
Size: 44 (0x2c) bytes
Array: Rank 1, number of elements 7, type class
Element type: system. String
Fields:
None
Obviously, it's not the expected result. It's just a bunch of nonsense: one-dimensional arrays, seven elements, all of which are of the string type. So what is the content of each element? For arrays, we can use! Da command (exclamation mark + DA ).! The result of DA 01573ac4 is as follows:
0: 000>! Da 01573ac4
Name: system. String []
Methodtable: 7912d8f8
Eeclass: 7912de6c
Size: 44 (0x2c) bytes
Array: Rank 1, number of elements 7, type class
Element methodtable: 790fd8c4
[0] 01573880
[1] 01573898
[2] 015738b0
[3] 015738c8
[4] 015738e0
[5] 015738f8
[6] 01573910
Well, very cool! A total of seven items have come out. We can do one, for example, the last one :! Do-nofields 01573910
0: 000>! Do-nofields 01573910
Name: system. String
Methodtable: 790fd8c4
Eeclass: 790fd824
Size: 32 (0x20) bytes
(C: \ WINDOWS \ Assembly \ gac_32 \ mscorlib \ 2.0.0.0 _ b77a5c561934e089 \ mscorlib. dll)
String: the Indian girl
Ha, the 7th generation savior, the little Indian girl. In the same way, others can also come out.

Slow down. If there are hundreds or 80 arrays, isn't it exhausting? We! Help dumparray: Let's take a look at help. Oh, there is a parameter that can be used, called-details. So we can run the DA command :! Da-Details 01573ac4. The specific contact is left to everyone. No layout is occupied here.

Good! Come on, thank you for seeing so many copy/paste results. Sorry, hey.
Now let's continue watching 00413364 4000008 1C sosbasics. Zion 0 instance 01573af0 Zion. Oh, this is the second class we have defined: Zion, which is also a human, so, and do command .! Do 01573af0
0: 000>! Do 01573af0
Name: sosbasics. Zion
Method: 00413364
Eeclass: 004118ec
Size: 12 (0xc) bytes
(C: \ Users \ charju \ Documents \ Visual Studio 2008 \ projects \ basicwindbg \ sosbasics \ bin \ debug \ sosbasics.exe)
Fields:
MT field offset type vt attr Value Name
790fd8c4 4000009 4 system. String 0 instance 015738f8 one
Very powerful! There is only one field, which is our one. For it, continue to do :! Do-nofields 015738f8
0: 000>! Do-nofields 015738f8
Name: system. String
Methodtable: 790fd8c4
Eeclass: 790fd824
Size: 24 (0x18) bytes
(C: \ WINDOWS \ Assembly \ gac_32 \ mscorlib \ 2.0.0.0 _ b77a5c561934e089 \ mscorlib. dll)
String: Neo

Cool !!! Neo found! (The last line output above)

Our do journey is about to be completed. Stick to it and check the last and second to last information: 790fd0f0 4000007 18 system. Object 0 instance 01573930 previusone
0: 000>! Do 1, 01573930
Name: system. String
Methodtable: 790fd8c4
Eeclass: 790fd824
Size: 42 (0x2a) bytes
(C: \ WINDOWS \ Assembly \ gac_32 \ mscorlib \ 2.0.0.0 _ b77a5c561934e089 \ mscorlib. dll)
String: The predecessor of NEO. I don't know who it is.
Fields:
MT field offset type vt attr Value Name
79102290 4000096 4 system. int32 0 instance 13 m_arraylength
79102290 4000097 8 system. int32 0 instance 12 m_stringlength
790ff328 4000098 C system. Char 0 instance 4E m_firstchar
790fd8c4 4000099 10 system. String 0 shared static empty
> Domain: Value 004b54a8: 790d884c <
7912dd40 400009a 14 system. Char [] 0 shared static whitespacechars
> Domain: Value 004b54a8: 01521470 <

A piece of cake, which is also a string, is the predecessor of NEO.

(Dizzy. The first part is not over yet. Open another post to continue reading things on heap)