!dh:扩展显示指定映像的头部

-h 在调试器命令窗口中显示该扩展命令的帮助文本。

0:004> !dh -h
Usage: dh [options] addressDumps headers from an image based at addressOptions:-a      Dump everything-f      Dump file headers-s      Dump section headers

也就这三个属性，默认是使用-a

0:004> !dh ntdllFile Type: DLL
FILE HEADER VALUES14C machine (i386)5 number of sections
4EC49B60 time date stamp Thu Nov 17 13:28:00 20110 file pointer to symbol table0 number of symbolsE0 size of optional header2102 characteristicsExecutable32 bit word machineDLLOPTIONAL HEADER VALUES10B magic #9.00 linker versionD5000 size of code63200 size of initialized data0 size of uninitialized data0 address of entry point1000 base of code----- new -----
775a0000 image base1000 section alignment200 file alignment3 subsystem (Windows CUI)6.01 operating system version6.01 image version6.01 subsystem version13C000 size of image400 size of headers141016 checksum
00040000 size of stack reserve
00001000 size of stack commit
00100000 size of heap reserve
00001000 size of heap commit36190 [    F018] address [size] of Export Directory0 [       0] address [size] of Import DirectoryE0000 [   560D8] address [size] of Resource Directory0 [       0] address [size] of Exception Directory137000 [    3918] address [size] of Security Directory137000 [    4C50] address [size] of Base Relocation DirectoryD5D5C [      38] address [size] of Debug Directory0 [       0] address [size] of Description Directory0 [       0] address [size] of Special Directory0 [       0] address [size] of Thread Storage Directory1E0A8 [      40] address [size] of Load Configuration Directory0 [       0] address [size] of Bound Import Directory0 [       0] address [size] of Import Address Table Directory0 [       0] address [size] of Delay Import Directory0 [       0] address [size] of COR20 Header Directory0 [       0] address [size] of Reserved DirectorySECTION HEADER #1.text nameD4DBA virtual size1000 virtual addressD4E00 size of raw data400 file pointer to raw data0 file pointer to relocation table0 file pointer to line numbers0 number of relocations0 number of line numbers
60000020 flagsCode(no align specified)Execute ReadDebug Directories(2)Type       Size     Address  Pointercv           22       d5d98    d5198  Format: RSDS, guid, 2, ntdll.pdb(    10)       4       d5d94    d5194SECTION HEADER #2RT name1DC virtual sizeD6000 virtual address200 size of raw dataD5200 file pointer to raw data0 file pointer to relocation table0 file pointer to line numbers0 number of relocations0 number of line numbers
60000020 flagsCode(no align specified)Execute ReadSECTION HEADER #3.data name8064 virtual sizeD7000 virtual address6C00 size of raw dataD5400 file pointer to raw data0 file pointer to relocation table0 file pointer to line numbers0 number of relocations0 number of line numbers
C0000040 flagsInitialized Data(no align specified)Read WriteSECTION HEADER #4.rsrc name560D8 virtual sizeE0000 virtual address56200 size of raw dataDC000 file pointer to raw data0 file pointer to relocation table0 file pointer to line numbers0 number of relocations0 number of line numbers
40000040 flagsInitialized Data(no align specified)Read OnlySECTION HEADER #5.reloc name4C50 virtual size137000 virtual address4E00 size of raw data132200 file pointer to raw data0 file pointer to relocation table0 file pointer to line numbers0 number of relocations0 number of line numbers
42000040 flagsInitialized DataDiscardable(no align specified)Read Only

可以比对LoadPE工具，可以发现完全一样:

!lmi 扩展显示某个模块的详细信息

0:004> !lmi ntdll
Loaded Module Info: [ntdll] Module: ntdllBase Address: 775a0000Image Name: C:\Windows\SYSTEM32\ntdll.dllMachine Type: 332 (I386)Time Stamp: 4ec49b60 Thu Nov 17 13:28:00 2011Size: 13c000CheckSum: 141016
Characteristics: 2102
Debug Data Dirs: Type  Size     VA  PointerCODEVIEW    22, d5d98,   d5198 RSDS - GUID: {093D2CD7-F95B-4CC6-B531-8D405CC31566}Age: 2, Pdb: ntdll.pdbCLSID     4, d5d94,   d5194 [Data not mapped]Image Type: FILE     - Image read successfully from debugger.C:\Windows\SYSTEM32\ntdll.dllSymbol Type: EXPORT   - PDB not foundLoad Report: export symbols