I. The dumpbin tool
1. Overview
dumpbin is the COFF binary file dumper that ships with the Microsoft Visual Studio toolchain (the Microsoft COFF Binary File Dumper); it is a thin front end for link.exe /DUMP. It is the Swiss Army knife for inspecting executables, libraries and object files on Windows. Every option described below reads the file's own headers and tables, so it works on binaries you cannot or do not want to run and never executes the target.
2. Opening dumpbin
- Open the Visual Studio developer command prompt: search the Start menu for "Developer Command Prompt for VS 2022" (or the prompt for your VS version). This prompt puts dumpbin.exe on PATH; from a plain cmd or PowerShell window you have to call it by its full path under VC\Tools\MSVC\<version>\bin\Host<host>\<target>\.
- Basic command format. The files most often examined are .exe, .dll and .obj (and .lib for libraries):
dumpbin [options] file [> output.txt]
3. Core features in detail
3.1 File header analysis (/HEADERS)
Function: display the PE headers (file header, optional header, section table)
Example:
dumpbin /HEADERS notepad.exe
Output (annotated):
FILE HEADER VALUES
Machine: x64 // target architecture; dumpbin prints the raw value and its name, e.g. 14C (x86), 8664 (x64), AA64 (ARM64)
Number of Sections: 5 // number of entries in the section table
Time Date Stamp: 5E0A7A2F // linker time stamp in seconds since 1970-01-01 UTC, printed with its decoded date; a reproducible build (/Brepro) stores a hash here instead, so do not treat it as a trustworthy build time
Pointer to Symbol Table: 0 // file offset of the COFF symbol table; only .obj files carry one, normal PE images have 0
Number of Symbols: 0 // number of COFF symbols (0 in normal PE images)
Size of Optional Header: F0 // size of the optional header: E0 (224) for 32-bit PE32, F0 (240) for 64-bit PE32+
Characteristics: 22 // IMAGE_FILE_* flags, decoded on the following lines: 0x2 = Executable, 0x20 = large-address-aware
Executable
Application can handle large (>2GB) addresses
SECTION HEADER #1
.textbss name // section name (at most 8 characters); common names are .text (code), .data, .rdata, .reloc. A section named .textbss with the RWX flags shown below is typical of a debug build linked with /INCREMENTAL; a release binary should not contain a section that is both writable and executable
10000 virtual size // size of the section once mapped into memory
1000 virtual address (0000000140001000 to 0000000140010FFF) // RVA, the offset from the image base; dumpbin also prints the absolute range at the preferred base
0 size of raw data // bytes stored in the file, rounded up to FileAlignment (normally 512 or 4096); 0 here because the section is uninitialized
0 file pointer to raw data // file offset of those bytes, counted from the start of the file
0 file pointer to relocation table // COFF relocations, used in .obj files only
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
E00000A0 flags // IMAGE_SCN_* characteristics, decoded below: 0x20 Code, 0x80 Uninitialized Data, 0x20000000 Execute, 0x40000000 Read, 0x80000000 Write
Code
Uninitialized Data
Execute Read Write
...
Typical uses:
- Confirm whether the file is 32-bit or 64-bit (the machine field, and the optional header magic: 10B for PE32, 20B for PE32+)
- Check the link time stamp
- Check which exploit mitigations the image opted into: the OPTIONAL HEADER VALUES part of the same output has a "DLL characteristics" line that decodes to Dynamic base (ASLR), NX compatible (DEP), High Entropy Virtual Addresses and Control Flow Guard; a missing "Dynamic base", or "Relocations stripped" among the file characteristics, means the image cannot be randomized
- Look for a section by name, or for sections whose flags include both Write and Execute (note that find is case-sensitive unless you add /I):
dumpbin /HEADERS notepad.exe | find "SectionName"
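The fields annotated above are fixed-offset structures, so the same information can be pulled out of a file directly. The following is an added example, not code from the page or from Microsoft: it parses the COFF file header, the DLL characteristics of the optional header and the section table, decodes the flag bits into the names dumpbin prints, and lists the hardening gaps a reviewer would flag (RWX sections, missing ASLR/DEP/CFG opt-ins). The PE32+ image it runs on is constructed in build_sample_image() and is not a real binary; the only layout assumption is the documented IMAGE_FILE_HEADER / IMAGE_OPTIONAL_HEADER / IMAGE_SECTION_HEADER format.

```python
"""Decode what dumpbin /HEADERS prints and flag hardening gaps.
Added example; the test image is constructed, not a real PE file."""
import struct

MACHINES = {0x14C: "x86", 0x8664: "x64", 0x1C4: "ARMNT", 0xAA64: "ARM64"}
# IMAGE_FILE_* characteristics (subset) with the text dumpbin prints for them
FILE_CHARACTERISTICS = [(0x0001, "Relocations stripped"), (0x0002, "Executable"),
                        (0x0020, "Application can handle large (>2GB) addresses"), (0x2000, "DLL")]
# IMAGE_DLLCHARACTERISTICS_* bits that switch on exploit mitigations
DLL_CHARACTERISTICS = [(0x0020, "High Entropy Virtual Addresses"), (0x0040, "Dynamic base"),
                       (0x0100, "NX compatible"), (0x4000, "Control Flow Guard")]
# IMAGE_SCN_* section flags (subset)
SECTION_FLAGS = [(0x00000020, "Code"), (0x00000040, "Initialized Data"),
                 (0x00000080, "Uninitialized Data"), (0x10000000, "Shared"),
                 (0x20000000, "Execute"), (0x40000000, "Read"), (0x80000000, "Write")]

def _names(value, table):
    return [name for bit, name in table if value & bit]

def parse_pe(data):
    """Return a dict with the header fields dumpbin /HEADERS shows."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                # IMAGE_FILE_HEADER, 20 bytes
    (machine, nsections, timestamp, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                    # IMAGE_OPTIONAL_HEADER
    is_pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B   # 0x10B = PE32, 0x20B = PE32+
    if is_pe32plus:
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in PE32 and PE32+
    sections = []
    table = opt + opt_size                             # section headers follow the optional header
    for i in range(nsections):
        (name, vsize, va, rawsize, rawptr, _relptr, _lnptr, _nrel, _nln,
         flags) = struct.unpack_from("<8sIIIIIIHHI", data, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "virtual_address": va,
                         "raw_size": rawsize, "raw_pointer": rawptr,
                         "flags": flags, "flag_names": _names(flags, SECTION_FLAGS)})
    return {"machine": MACHINES.get(machine, "%X" % machine), "is_64bit": is_pe32plus,
            "number_of_sections": nsections, "time_date_stamp": timestamp,
            "characteristics": _names(characteristics, FILE_CHARACTERISTICS),
            "image_base": image_base,
            "dll_characteristics": _names(dll_chars, DLL_CHARACTERISTICS),
            "sections": sections}

def hardening_findings(info):
    """What a reviewer would call out from the headers alone."""
    findings = []
    for s in info["sections"]:
        if s["flags"] & 0x80000000 and s["flags"] & 0x20000000:
            findings.append("section %s is writable and executable" % s["name"])
    if "Relocations stripped" in info["characteristics"]:
        findings.append("relocations stripped: image cannot be rebased, so no ASLR")
    for flag in ("Dynamic base", "NX compatible", "Control Flow Guard"):
        if flag not in info["dll_characteristics"]:
            findings.append("%s not set" % flag)
    if info["is_64bit"] and "High Entropy Virtual Addresses" not in info["dll_characteristics"]:
        findings.append("High Entropy Virtual Addresses not set")
    return findings

def build_sample_image():
    """Constructed PE32+ image (headers only): a normal .text section, an RWX
    .textbss like an incremental debug build, NX and CFG set, Dynamic base not set."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    opt = struct.pack("<H", 0x20B) + b"\0" * 22            # magic .. BaseOfCode
    opt += struct.pack("<Q", 0x140000000)                  # ImageBase
    opt += struct.pack("<II", 0x1000, 0x200)               # SectionAlignment, FileAlignment
    opt += b"\0" * 30                                      # versions, sizes, checksum, subsystem
    opt += struct.pack("<H", 0x0100 | 0x4000)              # DllCharacteristics: NX + CFG
    opt = opt.ljust(0xF0, b"\0")                           # PE32+ optional header is 0xF0 bytes
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0x5E0A7A2F, 0, 0, len(opt), 0x0022)
    def section(name, vsize, va, rawsize, rawptr, flags):
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, flags)
    secs = (section(b".text", 0x2000, 0x1000, 0x2000, 0x400, 0x60000020)
            + section(b".textbss", 0x10000, 0x3000, 0, 0, 0xE00000A0))
    return dos + b"PE\0\0" + coff + opt + secs
```

Running parse_pe over the constructed image reproduces the values in the annotated output (machine x64, characteristics 0x22, section flags E00000A0 decoding to Code / Uninitialized Data / Execute / Read / Write), and hardening_findings returns the RWX section and the missing Dynamic base as the things to raise.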
3.2 Section analysis (/SECTION)
Function: restrict the output to one named section; on its own it shows only that section's header, combined with /RAWDATA it also dumps the section's contents
Example:
dumpbin /SECTION:<section name> /RAWDATA[:1|2|4|8|NONE[,count]] <file>
/RAWDATA:1: one byte per unit (the default)
/RAWDATA:2: 2-byte units, shown as little-endian values
/RAWDATA:4: 4-byte units (8 gives 8-byte units, NONE suppresses the dump); the optional count sets how many units are printed per line
Output (annotated):
SECTION HEADER #7
CUSTOBJ name // a custom, non-standard section
329 virtual size // 0x329 bytes are mapped
48000 virtual address (0000000140048000 to 0000000140048328)
400 size of raw data // rounded up to the 0x200 FileAlignment, so 0xD7 bytes of padding follow the data in the file
34000 file pointer to raw data (00034000 to 000343FF)
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
50000040 flags // 0x40 Initialized Data, 0x10000000 Shared, 0x40000000 Read
Initialized Data
Shared // every process that maps this DLL sees the same physical pages; a Shared section that is also writable lets one process tamper with data another trusts, so check the flags of any Shared section (this one is read-only)
Read Only
RAW DATA #7
0000000140048000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000000140048010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000000140048020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000000140048030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000000140048040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000000140048050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000000140048060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000000140048070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000000140048080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000000140048090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000001400480A0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000001400480B0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000001400480C0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000001400480D0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000001400480E0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000001400480F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000000140048100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000000140048110: 00 04 04 40 01 00 00 00 00 00 00 00 00 00 00 00 ...@............
0000000140048120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000000140048130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000000140048140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000000140048150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000000140048160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000000140048170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000000140048180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000000140048190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000001400481A0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000001400481B0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000001400481C0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000001400481D0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000001400481E0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000001400481F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000000140048200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000000140048210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000000140048220: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000000140048230: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000000140048240: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000000140048250: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000000140048260: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000000140048270: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000000140048280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000000140048290: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000001400482A0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000001400482B0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000001400482C0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000001400482D0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000001400482E0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000001400482F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000000140048300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000000140048310: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000000140048320: 00 00 00 00 00 00 00 00 00 .........
Summary
1000 CUSTOBJ // per-section sizes rounded up to SectionAlignment (0x1000 here)
3.3 Export table analysis (/EXPORTS)
Function: list the functions a DLL (or an .exe) exports
Example:
dumpbin /EXPORTS user32.dll
Output (excerpt):
ordinal hint RVA name
1 0 0002B3A0 ActivateKeyboardLayout
2 1 0002B400 AdjustWindowRect
3 2 0002B460 AdjustWindowRectEx
Key fields:
- ordinal: the export ordinal; callers may import by ordinal instead of by name, so renumbering exports between versions breaks them
- hint: index into the export name table (printed in hex); importers store it so the loader can try that slot before searching the table by name
- RVA: relative virtual address of the function; an export that forwards to another DLL shows "(forwarded to DLL.Function)" in place of an RVA
- name: exported name, possibly decorated; exports without a name are listed as [NONAME] and can only be imported by ordinal
Typical uses:
- Confirm whether a DLL exposes a particular API
- Check name decoration (C++ name mangling); decorated names can be translated with undname.exe from the same toolchain
- Verify a plugin's exported interface during development
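The four columns above come from three parallel tables in the export directory, and the relationship between them (ordinal = base + index into the address table, hint = position in the name table, forwarder = address pointing back into the directory) is easier to see in code than in prose. The following is an added example, not code from the page or from Microsoft: it parses an IMAGE_EXPORT_DIRECTORY and formats the rows the way dumpbin does, including the forwarded and nameless cases. It works on a flat buffer where RVA == offset (as if the file were already mapped), which build_sample_image() constructs; the names in it are borrowed from the excerpt above, the addresses and the forwarder are made up.

```python
"""Export directory parser producing dumpbin-style ordinal/hint/RVA/name rows.
Added example; the image is constructed, not a real DLL."""
import struct

def cstr(image, rva):
    """NUL-terminated ASCII string at `rva`."""
    return image[rva:image.index(b"\0", rva)].decode("ascii")

def parse_exports(image, dir_rva, dir_size):
    """(dll name, list of export dicts) from the IMAGE_EXPORT_DIRECTORY at dir_rva."""
    (name_rva, base, nfuncs, nnames, funcs_rva, names_rva,
     ords_rva) = struct.unpack_from("<7I", image, dir_rva + 12)
    # hint = position in the name table;
    # the parallel ordinal table gives the index into the address table (ordinal - base)
    named = {}
    for hint in range(nnames):
        idx = struct.unpack_from("<H", image, ords_rva + 2 * hint)[0]
        nrva = struct.unpack_from("<I", image, names_rva + 4 * hint)[0]
        named[idx] = (hint, cstr(image, nrva))
    exports = []
    for idx in range(nfuncs):
        rva = struct.unpack_from("<I", image, funcs_rva + 4 * idx)[0]
        if rva == 0:
            continue                      # unused slot in the ordinal range
        hint, name = named.get(idx, (None, None))
        # an address inside the export directory is not code but a "DLL.Name" forwarder string
        forwarded = cstr(image, rva) if dir_rva <= rva < dir_rva + dir_size else None
        exports.append({"ordinal": base + idx, "hint": hint, "rva": rva,
                        "name": name, "forwarded_to": forwarded})
    return cstr(image, name_rva), exports

def format_exports(exports):
    """Rows in the layout dumpbin prints under 'ordinal hint RVA name' (hint in hex)."""
    rows = []
    for e in exports:
        hint = "%4X" % e["hint"] if e["hint"] is not None else "    "
        name = e["name"] or "[NONAME]"
        if e["forwarded_to"]:
            rva = " " * 8                 # forwarders have no RVA column
            name += " (forwarded to %s)" % e["forwarded_to"]
        else:
            rva = "%08X" % e["rva"]
        rows.append("%5d %s %s %s" % (e["ordinal"], hint, rva, name))
    return rows

def build_sample_image():
    """Constructed flat image: export directory at RVA 0x200 (size 0x200), three
    named exports, a gap in the ordinal range, a forwarder and an ordinal-only export."""
    img = bytearray(0x1000)
    cursor = 0x270                        # strings live after the tables
    def put(s):
        nonlocal cursor
        rva = cursor
        img[cursor:cursor + len(s) + 1] = s.encode() + b"\0"
        cursor += len(s) + 1
        return rva
    dll = put("USER32.dll")
    names = ["ActivateKeyboardLayout", "AdjustWindowRect", "AdjustWindowRectEx", "HeapAlloc"]
    name_rvas = [put(n) for n in names]   # name table must be sorted for the loader's binary search
    fwd = put("NTDLL.RtlAllocateHeap")
    funcs = [0x2B3A0, 0x2B400, 0x2B460, 0, fwd, 0x2B500]   # address table, ordinal base 1
    ordinals = [0, 1, 2, 4]                                 # name i -> address table index
    struct.pack_into("<7I", img, 0x200 + 12, dll, 1, len(funcs), len(names), 0x230, 0x250, 0x260)
    struct.pack_into("<6I", img, 0x230, *funcs)
    struct.pack_into("<4I", img, 0x250, *name_rvas)
    struct.pack_into("<4H", img, 0x260, *ordinals)
    return bytes(img), 0x200, 0x200       # image, export directory RVA, its size
```

The gap at index 3 explains why ordinals in real tables are not always contiguous, and the ordinal-only export shows what a caller that imports by number is relying on: nothing in the file ties that ordinal to a name.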
3.4 Dependency analysis (/DEPENDENTS)
Function: list the DLLs the image is statically linked against
Example:
dumpbin /DEPENDENTS chrome.exe
Typical output:
Image has the following dependencies:
ADVAPI32.dll
COMCTL32.dll
COMDLG32.dll
GDI32.dll
KERNEL32.dll
SHELL32.dll
USER32.dll
VCRUNTIME140.dll
Delay-loaded DLLs are listed separately under "Image has the following delay load dependencies:". Only direct, static dependencies appear: DLLs loaded through LoadLibrary are invisible to dumpbin, and so are the dependencies of the listed DLLs themselves. On current Windows many entries are api-ms-win-*.dll API set names, which the loader maps to real DLLs rather than files you will find on disk.
Typical uses:
- Diagnosing "DLL not found" errors
- Checking what the application needs from its runtime environment (VCRUNTIME140.dll above, for example, means the Visual C++ 2015 or later redistributable)
- Mapping the dependencies of third-party binaries
3.5 Import table analysis (/IMPORTS)
Function: show, per DLL, the functions the image imports
Example:
dumpbin /IMPORTS myapp.exe
Output (annotated):
Section contains the following imports:
KERNEL32.dll
403000 Import Address Table // address (image base + RVA) of the IAT, the slots the loader overwrites with resolved function pointers
403200 Import Name Table // address of the INT, the on-disk list of hint/name pairs or ordinals the loader looks up
0 time date stamp // 0 means the image is not bound to a specific DLL version
0 Index of first forwarder reference
2B6 GetProcAddress // hint (hex) and name of each imported function
2D0 LoadLibraryA
365 Sleep
Typical uses:
- List the DLLs the file loads at startup, i.e. the static part of its dependency set
- See which functions are imported from each DLL
- Understand the program's external interfaces and module structure
- Triage: an import table that is small and consists mainly of LoadLibrary*/GetProcAddress (as in the excerpt) means the real API set is resolved at run time, which is how packers, loaders and shellcode stubs look, although plugin hosts do the same legitimately; imports by ordinal hide names in the same way
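Both /DEPENDENTS (3.4) and /IMPORTS (3.5) are views of the same structure: a zero-terminated array of IMAGE_IMPORT_DESCRIPTOR entries, one per DLL, each pointing at an Import Name Table and an Import Address Table. The following is an added example, not code from the page or from Microsoft: it walks that structure on a flat image (RVA == offset, PE32+ thunks), reproduces the DLL list and the hint/name rows, handles imports by ordinal, and runs the triage heuristic described above over the result. The image comes from build_sample_image() and is constructed; the KERNEL32 hints and names are taken from the excerpt, the WS2_32 ordinal import is made up to show that path.

```python
"""Import directory walker: the data behind /DEPENDENTS and /IMPORTS, plus a triage check.
Added example; the image is constructed, not a real binary."""
import struct

def cstr(image, rva):
    return image[rva:image.index(b"\0", rva)].decode("ascii")

def parse_imports(image, dir_rva, is_64bit=True):
    """List of {dll, iat, int, time_date_stamp, functions: [{hint, name, ordinal}]}."""
    thunk_fmt, thunk_size = ("<Q", 8) if is_64bit else ("<I", 4)
    ordinal_flag = 1 << (thunk_size * 8 - 1)          # IMAGE_ORDINAL_FLAG64 / 32
    result, off = [], dir_rva
    while True:
        int_rva, stamp, _fwd, name_rva, iat_rva = struct.unpack_from("<5I", image, off)
        if int_rva == 0 and name_rva == 0 and iat_rva == 0:
            break                                     # all-zero descriptor ends the list
        table = int_rva or iat_rva                    # some old linkers leave the INT RVA zero
        functions, i = [], 0
        while True:
            thunk = struct.unpack_from(thunk_fmt, image, table + i * thunk_size)[0]
            if thunk == 0:
                break
            if thunk & ordinal_flag:                  # import by ordinal: no name in the file at all
                functions.append({"hint": None, "name": None, "ordinal": thunk & 0xFFFF})
            else:                                     # IMAGE_IMPORT_BY_NAME: WORD hint + name
                hint = struct.unpack_from("<H", image, thunk)[0]
                functions.append({"hint": hint, "name": cstr(image, thunk + 2), "ordinal": None})
            i += 1
        result.append({"dll": cstr(image, name_rva), "iat": iat_rva, "int": int_rva,
                       "time_date_stamp": stamp, "functions": functions})
        off += 20                                     # sizeof(IMAGE_IMPORT_DESCRIPTOR)
    return result

def dependents(imports):
    """What /DEPENDENTS lists: the statically imported DLL names, in table order."""
    return [d["dll"] for d in imports]

# Imports that together suggest the program resolves its real API set at run time
# (packers, loaders, shellcode stubs, but also legitimate plugin hosts): a triage
# signal to follow up on, not evidence by itself.
DYNAMIC_RESOLUTION = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW", "GetProcAddress"}
MEMORY_EXEC = {"VirtualAlloc", "VirtualAllocEx", "VirtualProtect", "WriteProcessMemory", "CreateRemoteThread"}

def triage(imports):
    names = {f["name"] for d in imports for f in d["functions"] if f["name"]}
    findings = []
    if DYNAMIC_RESOLUTION & names:
        findings.append("resolves APIs dynamically: " + ", ".join(sorted(DYNAMIC_RESOLUTION & names)))
    if MEMORY_EXEC & names:
        findings.append("manipulates executable memory: " + ", ".join(sorted(MEMORY_EXEC & names)))
    by_ordinal = ["%s#%d" % (d["dll"], f["ordinal"])
                  for d in imports for f in d["functions"] if f["name"] is None]
    if by_ordinal:
        findings.append("imports by ordinal only: " + ", ".join(by_ordinal))
    return findings

def build_sample_image():
    """Constructed PE32+ layout: descriptors at 0x300, IATs at 0x3000/0x3100,
    INTs at 0x3200/0x3300 (mirroring the page's 403000/403200), strings from 0x400."""
    img = bytearray(0x4000)
    cursor = 0x400
    def put(b):
        nonlocal cursor
        rva = cursor
        img[rva:rva + len(b)] = b
        cursor += len(b) + (len(b) & 1)               # keep IMAGE_IMPORT_BY_NAME 2-byte aligned
        return rva
    def by_name(hint, name):
        return put(struct.pack("<H", hint) + name.encode() + b"\0")
    k32, ws2 = put(b"KERNEL32.dll\0"), put(b"WS2_32.dll\0")
    k32_thunks = [by_name(0x2B6, "GetProcAddress"), by_name(0x2D0, "LoadLibraryA"),
                  by_name(0x365, "Sleep"), by_name(0x5A0, "VirtualAlloc"), 0]
    ws2_thunks = [(1 << 63) | 23, 0]                   # ordinal-only import
    for rva in (0x3000, 0x3200):                       # IAT and INT hold the same values on disk
        struct.pack_into("<5Q", img, rva, *k32_thunks)
    for rva in (0x3100, 0x3300):
        struct.pack_into("<2Q", img, rva, *ws2_thunks)
    struct.pack_into("<5I", img, 0x300, 0x3200, 0, 0, k32, 0x3000)
    struct.pack_into("<5I", img, 0x314, 0x3300, 0, 0, ws2, 0x3100)
    return bytes(img), 0x300                           # image, import directory RVA
```

The IAT and INT are identical in the file; the difference only appears in memory, where the loader has replaced the IAT entries with function addresses, which is why an IAT-hooking check compares the live IAT against what the INT says it should resolve to.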
4. Advanced analysis techniques
4.1 Disassembly (/DISASM)
Function: disassemble the code sections
Example:
dumpbin /DISASM /SECTION:.text myapp.exe
Related options:
/OUT:disasm.txt writes the output to a file instead of the console
/DISASM:BYTES (the default) prints the machine-code bytes next to each instruction; /DISASM:NOBYTES leaves them out
When a matching PDB is found next to the binary, /DISASM labels functions with their names; /PDBPATH:VERBOSE shows where dumpbin looked for it.
4.2 Symbol information (/SYMBOLS)
Function: display the COFF symbol table of an object file or library member; release PE images normally carry none (the Number of Symbols field in /HEADERS is 0)
Example:
dumpbin /SYMBOLS mylib.obj
Output (excerpt):
COFF SYMBOL TABLE
000 00AB7323 ABS notype Static | @comp.id
001 80010190 SECT1 notype Static | .drectve
4.3 Relocation information (/RELOCATIONS)
Function: list the base relocations, i.e. the addresses the loader must patch when the image is not mapped at its preferred base
Example:
dumpbin /RELOCATIONS mydll.dll
Typical uses:
- Checking ASLR readiness: randomization needs both "Dynamic base" in the DLL characteristics (/HEADERS) and a usable relocation table; an image whose file characteristics say "Relocations stripped" is always loaded at its fixed base and gives an attacker stable addresses
- Confirming that a DLL can be rebased at all before loading it at a non-default address
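What /RELOCATIONS lists is the .reloc section: blocks of {page RVA, block size} followed by 16-bit entries whose top four bits are the type and whose low twelve bits are the offset within the page. The following is an added example, not code from the page or from Microsoft: it parses such a section and then applies the fix-ups exactly as the loader would when the image lands at a different base, which is the operation ASLR depends on. The image, its preferred base and the two pointers being relocated are constructed in build_sample_image() (RVA == offset) and are not from a real DLL.

```python
"""Base relocation parser and rebase, the operation behind ASLR.
Added example; the image is constructed, not a real DLL."""
import struct

RELOC_TYPES = {0: "ABSOLUTE", 3: "HIGHLOW", 10: "DIR64"}
MASK64 = (1 << 64) - 1

def parse_relocations(reloc):
    """(rva, type) pairs from a .reloc section: blocks of {DWORD page RVA,
    DWORD block size} followed by WORD entries of 4-bit type | 12-bit page offset."""
    entries, off = [], 0
    while off + 8 <= len(reloc):
        page_rva, block_size = struct.unpack_from("<II", reloc, off)
        if block_size == 0:
            break                                      # section padding after the last block
        for i in range((block_size - 8) // 2):
            word = struct.unpack_from("<H", reloc, off + 8 + 2 * i)[0]
            rtype, offset = word >> 12, word & 0xFFF
            if rtype == 0:
                continue                               # IMAGE_REL_BASED_ABSOLUTE: alignment padding
            entries.append((page_rva + offset, rtype))
        off += block_size
    return entries

def rebase(image, entries, old_base, new_base):
    """Copy of `image` with every relocated slot adjusted by new_base - old_base."""
    delta = (new_base - old_base) & MASK64             # two's complement keeps negative deltas right
    img = bytearray(image)
    for rva, rtype in entries:
        if rtype == 10:                                # DIR64: full 64-bit pointer
            v = struct.unpack_from("<Q", img, rva)[0]
            struct.pack_into("<Q", img, rva, (v + delta) & MASK64)
        elif rtype == 3:                               # HIGHLOW: full 32-bit pointer
            v = struct.unpack_from("<I", img, rva)[0]
            struct.pack_into("<I", img, rva, (v + delta) & 0xFFFFFFFF)
        else:
            raise ValueError("unsupported relocation type %s" % RELOC_TYPES.get(rtype, rtype))
    return bytes(img)

def read_u64(image, rva):
    return struct.unpack_from("<Q", image, rva)[0]

def summarize(entries):
    """Count per type: the quick answer to 'does this image have relocations at all'."""
    counts = {}
    for _rva, rtype in entries:
        name = RELOC_TYPES.get(rtype, str(rtype))
        counts[name] = counts.get(name, 0) + 1
    return counts

def build_sample_image():
    """Constructed image preferred at 0x140000000: two absolute pointers in the
    0x1000 page and a .reloc section at 0x2000 describing them."""
    base = 0x140000000
    img = bytearray(0x2100)
    struct.pack_into("<Q", img, 0x1010, base + 0x1234)  # e.g. a vtable slot pointing into .text
    struct.pack_into("<Q", img, 0x1FF8, base + 0x2000)  # pointer to the next page
    # block for page 0x1000: 8-byte header + 2 DIR64 entries + 1 ABSOLUTE pad = 16 bytes
    struct.pack_into("<IIHHH", img, 0x2000, 0x1000, 16, (10 << 12) | 0x010, (10 << 12) | 0xFF8, 0)
    return bytes(img), base, 0x2000, 0x100              # image, base, .reloc RVA, .reloc size
```

An image with no entries (or with "Relocations stripped" set) simply cannot go through rebase, which is why the loader has to map it at its preferred base regardless of ASLR settings.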
4.4 Library contents (/ARCHIVEMEMBERS, /LINKERMEMBER)
Function: list the object files stored in a static or import library. dumpbin has no /LIBRARY:CONTENTS option; the member list comes from /ARCHIVEMEMBERS and the public symbols from /LINKERMEMBER (:1 lists them in object order, :2 with their offsets)
Example:
dumpbin /ARCHIVEMEMBERS msvcrt.lib
dumpbin /LINKERMEMBER:1 msvcrt.lib
II. Practical scenarios
Case 1: diagnosing a missing-DLL error
dumpbin /DEPENDENTS myapp.exe > deps.txt
# dumpbin only lists the names; it does not check whether they can be found. Check each name against the application directory and the search path (for example "where KERNEL32.dll"), and run /DEPENDENTS on each DLL you find as well, since the missing one is often an indirect dependency.
Case 2: verifying that a function is exported
dumpbin /EXPORTS myplugin.dll | find "CreateInstance"
# No output means the function is not exported. find is case-sensitive unless you add /I; a decorated C++ name still matches because the search is for a substring.
Case 3: analysing a crashing module
dumpbin /HEADERS /IMPORTS faulty.dll
# Check that the target architecture (machine field) matches the process that loads it, that the DLL characteristics match what you expect, and that every import is satisfiable
Case 4: comparing two versions of a DLL
dumpbin /EXPORTS v1.dll > v1_exports.txt
dumpbin /EXPORTS v2.dll > v2_exports.txt
fc v1_exports.txt v2_exports.txt
# RVAs change with every build, so fc reports almost every line; compare the name (and ordinal) columns to see real interface changes
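Comparing exports by name rather than by line needs a small parser for the text dumpbin writes. The following is an added example, not code from the page or from Microsoft: it reads the rows under the "ordinal hint RVA name" header (hint in hex, ordinal in decimal, no RVA for forwarded exports, no hint for [NONAME] exports) and reports added, removed and renumbered names, which is what matters to callers, while ignoring RVAs. The two dumps it runs on are constructed in the dumpbin layout and are not output from real DLLs.

```python
"""Parse dumpbin /EXPORTS text and diff two versions by name.
Added example; V1_DUMP and V2_DUMP are constructed, not real dumpbin output."""
import re

V1_DUMP = """\
Dump of file v1.dll

File Type: DLL

  Section contains the following exports for v1.dll

    00000000 characteristics
    FFFFFFFF time date stamp
        0.00 version
           1 ordinal base
           4 number of functions
           3 number of names

    ordinal hint RVA      name

          1    0 00001000 CreateInstance
          2    1 00001040 DestroyInstance
          3    2 00001080 GetVersion
          4      000010C0 [NONAME]

  Summary

        1000 .data
"""

V2_DUMP = """\
  Section contains the following exports for v2.dll

    ordinal hint RVA      name

          1    0 00001100 CreateInstance
          2    2 00001180 GetVersionEx
          3    1 00001140 DestroyInstance
          4      000011C0 [NONAME]
          5    3          HeapAlloc (forwarded to NTDLL.RtlAllocateHeap)

  Summary

        1000 .data
"""

HEX = re.compile(r"^[0-9A-Fa-f]+$")
FORWARD = re.compile(r"^(\S+) \(forwarded to (.+)\)$")

def parse_exports_text(text):
    """{name: {ordinal, hint, rva, forwarded_to}} for the rows under 'ordinal hint RVA name'.
    Nameless exports are keyed "#<ordinal>". A hint is at most 4 hex digits, an RVA exactly 8."""
    rows, in_table = {}, False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("ordinal") and s.endswith("name"):
            in_table = True
            continue
        if not in_table or not s:
            continue
        if s.startswith("Summary"):
            break
        toks = s.split()
        if not toks[0].isdigit():
            continue
        ordinal = int(toks.pop(0))
        hint = rva = forwarded = None
        if len(toks) > 1 and len(toks[0]) <= 4 and HEX.match(toks[0]):
            hint = int(toks.pop(0), 16)
        if toks and len(toks[0]) == 8 and HEX.match(toks[0]):
            rva = int(toks.pop(0), 16)
        name = " ".join(toks)
        m = FORWARD.match(name)
        if m:
            name, forwarded = m.group(1), m.group(2)
        key = name if name != "[NONAME]" else "#%d" % ordinal
        rows[key] = {"ordinal": ordinal, "hint": hint, "rva": rva, "forwarded_to": forwarded}
    return rows

def diff_exports(old, new):
    """Interface changes between two parsed tables: names that appeared or vanished,
    and names whose ordinal moved (which breaks anyone importing by ordinal)."""
    common = set(old) & set(new)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "ordinal_changed": sorted(n for n in common if old[n]["ordinal"] != new[n]["ordinal"]),
    }
```

Pointed at the two saved files from case 4, parse_exports_text(open("v1_exports.txt").read()) and the same for v2 give the inputs for diff_exports; in the constructed dumps it reports GetVersion removed, GetVersionEx and HeapAlloc added, and DestroyInstance renumbered from 2 to 3.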
III. Output redirection and filtering
1. Writing to a file
dumpbin /EXPORTS large.dll > exports.txt
(/OUT:exports.txt does the same without shell redirection)
2. Filtering with findstr
dumpbin /SYMBOLS mylib.obj | findstr "MyClass"
(findstr is case-sensitive unless you add /I; use /C:"exact phrase" for strings containing spaces)
3. Paging
dumpbin /IMPORTS big.exe | more
IV. Notes
- Architecture: the machine field describes the file being examined, not dumpbin itself; dumpbin from any VS toolchain can dump x86, x64 and ARM64 images, so do not confuse the two when checking whether a DLL matches its host process
- PDB files: dumpbin does not display PDB contents, but /DISASM uses a matching PDB to label functions when it finds one, and /HEADERS prints the debug directory entry with the PDB path and GUID the binary was linked with
- Large files: /DISASM and /RAWDATA on big binaries produce very large output and can take a lot of memory; redirect to a file
- Permissions: dumpbin only reads the file, so it needs read access rather than the right to execute it; a few protected system files require elevation
- Alternative tools for deeper analysis:
- Dependency Walker (depends.exe), although it is unmaintained and misreports API set (api-ms-win-*) dependencies on current Windows
- PEView
- IDA Pro
dumpbin is an indispensable part of the Windows developer's toolbox; knowing it well lets you diagnose binary-level problems quickly and makes development and debugging far more efficient.