.net - 在 WinDbg 中转储 .NET 1.1 内存转储中的所有字符串

Question

我有一个 .NET 1.1 内存转储，我正在尝试分析它，虽然我可以很好地加载 .NET 1.1 SOS.dll，但问题是 SOS 扩展缺少很多命令。无法使用更高版本的 .NET 框架中的 SOS.dll，因为我收到此错误消息:

Failed to load data access DLL, 0x80004005
Verify that 1) you have a recent build of the debugger (6.2.14 or newer)
            2) the file mscordacwks.dll that matches your version of mscorwks.dll is 
                in the version directory
            3) or, if you are debugging a dump file, verify that the file 
                mscordacwks_<arch>_<arch>_<version>.dll is on your symbol path.
            4) you are debugging on the same architecture as the dump file.
                For example, an IA64 dump file must be debugged on an IA64
                machine.

You can also run the debugger command .cordll to control the debugger's
load of mscordacwks.dll.  .cordll -ve -u -l will do a verbose reload.
If that succeeds, the SOS command should work on retry.

If you are debugging a minidump, you need to make sure that your executable
path is pointing to mscorwks.dll as well.

据我所知，.NET 1.1 中没有 mscordacwks DLL(除非它有不同的名称)

通常我会使用此命令转储所有字符串:

.foreach (obj {!dumpheap -type System.String -short}) {.printf "\n%mu",${obj}+0xc}

但是这不起作用，因为 dumpheap 在 .NET 1.1 中没有 -short 选项。 唯一可用的命令是:

0:000> !sos.help
SOS : Help
COMState             | List COM state for each thread
ClrStack             | Provides true managed stack trace, source and line numbers.
                       Additional parameters: -p[arams] -l[ocals] -r[egs] -a[ll].
DumpClass <addr>     | Dump EEClass info
DumpDomain [<addr>]  | List assemblies and modules in a domain
DumpHeap [-stat] [-min 100] [-max 2000] [-mt 0x3000000] [-type <partial type name>] [-fix] [start [end]] | Dump GC heap contents
DumpMD <addr>        | Dump MethodDesc info
DumpMT [-MD] <addr>  | Dump MethodTable info
DumpModule <addr>    | Dump EE Module info
DumpObj <addr>       | Dump an object on GC heap
DumpStack [-EE] [-smart] [top stack [bottom stack] | -EE only shows managed stack items.
DumpStackObjects [top stack [bottom stack]
DumpVC <mt> <addr>   | Dump a value class object
EEHeap [-gc] [-win32] [-loader] | List GC/Loader heap info
EEStack [-short] [-EE] | List all stacks EE knows
EEVersion            | List mscoree.dll version
FinalizeQueue [-detail]     | Work queue for finalize thread
GCInfo [<MD>] [IP]   | Dump GC encoding info for a managed method
GCRoot <addr>        | Find roots on stack/handle for object
IP2MD <addr>         | Find MethodDesc from IP
Name2EE <module name> <item name> | Find memory address of EE data given a class/method name
ObjSize [<addr>]     | Find number of bytes that a root or all roots keep alive on GC heap.
ProcInfo [-env] [-time] [-mem] | Display the process info
RWLock [-all] <addr> | List info for a Read/Write lock
SyncBlk [-all|#]     | List syncblock
ThreadPool           | Display CLR threadpool state
Threads              | List managed threads
Token2EE  <module name> <mdToken> | Find memory address of EE data for metadata token
u [<MD>] [IP]        | Unassembly a managed code

dumpheap的输出是这样的:

0:000> !dumpheap -type System.String
 Address       MT     Size
07291164 031342d8       28
072911dc 031342d8       32
072911fc 031342d8       32
0729121c 031342d8       20
07291268 031342d8       40
07291290 031342d8       76
072912dc 031342d8       32
072912fc 031342d8       84
07291350 031342d8       80
072913a0 031342d8      148
etc..

total 2140 objects
Statistics:
      MT    Count TotalSize Class Name
 31342d8     2140    147000 System.String
Total 2140 objects

Answer 1

您可以将 .foreach 命令与 /pS 和 /ps 标志一起使用。

使用 /pS 3 跳过您不想处理的 3 个开头单词(“Address”、“MT”和“Size”)。接下来，该命令将处理地址 07291164。然后使用 /ps 2 跳过另外 2 个 token (“031342d8”和“28”)，将处理下一个 token ，依此类推。

在涉及统计数据之前，这一切都会正常工作，因此最后您会看到一些错误消息。

否则，您可以查看一些可以为您进行文本处理的 WinDbg 扩展，例如 pykd .