Recovering a document after a Windows program crashes
![](https://images.hive.blog/768x0/https://cdn.steemitimages.com/DQmS9PRGwUE1x1hxNkSRDguZ2Sq6eeU2zCN5c68HZ9X45gr/image.png)
Scenario 1: you are writing a document and the program crashes. What now?
How do you get the document back? The recovery process is written up below.
0x01: Tools
WinDbg
On 64-bit Windows 7 a DLL is missing when you install and run it; download this update and it works.
0x02: Document recovery
After a crash a DMP file is produced. It is located at: C:\Users\ADMINI~1\AppData\Local\Temp\*********.DMP
Now we will produce one by hand.
![](https://images.hive.blog/768x0/https://cdn.steemitimages.com/DQmS2s4N3evgsUUW6h3PpMJWixLmE2KZ6XuVDKQBJ59TDqk/image.png)
Locate the DMP file:
C:\Users\ADMINI~1\AppData\Local\Temp\notepad.DMP
Load it with WinDbg:
File ---> Open Crash Dump
The opened file looks like this:
![](https://images.hive.blog/768x0/https://cdn.steemitimages.com/DQmZ3zCtMqRpjjkmbTVrHFEnZ75RfrFYAurdvFN75BGb368/image.png)
Step 1: search for the document's contents, for example the first sentence you wrote, so that the text can be dumped out in a moment.
The command is documented in the official reference:
https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/s--search-memory-
s -u 0 l1000000 "这不是一个自由软件"
s (search memory)
-u: search for a Unicode (UTF-16) string
0: start address
l1000000: length of the range to search
![](https://images.hive.blog/768x0/https://cdn.steemitimages.com/DQmcGN6ML8gUkec7WzDx47gLqCFZvDKrErgn2YyDCi9dwwd/image.png)
Once the address is found, use the du command.
du (display memory as Unicode)
du 00157758 l1000
As shown below:
0:000> du 00157758 l1000
00000000`00157758 "这不是一个自由软件!您只能在不用于商业目的的前提下对程序代码进行"
00000000`00157798 "修改和使用;..''' 未经授权不允许对程序代码以任何形式任何目"
00000000`001577d8 "的的再发布。..''' ===================="
00000000`00157818 "================================"
00000000`00157858 "==============..''' 编写: IT平民..''"
00000000`00157898 "' 修改:IT平民 in 2014.07.....option "
00000000`001578d8 "explicit...session.codepage=6500"
00000000`00157918 "1...response.charset="utf-8"...s"
00000000`00157958 "erver.scripttimeout=999999...dim"
00000000`00157998 " in_sdcms:in_sdcms=true...dim db"
00000000`001579d8 "query:dbquery=0...dim startime:s"
00000000`00157a18 "tartime=timer()...'microsoft.xml"
00000000`00157a58 "http...'Msxml2.XMLHTTP...'WinHtt"
00000000`00157a98 "p.WinHttpRequest.5.1...'MSXML2.S"
00000000`00157ad8 "ERVERXMLHTTP.3.0...'以上为候选参数...di"
00000000`00157b18 "m xmlhttp:xmlhttp="MSXML2.XMLHTT"
00000000`00157b58 "P"...dim ismobile:ismobile=false"
00000000`00157b98 "..%>..(html comment removed: #include file="../conf"
00000000`00157bd8 "ig.asp")..(html comment removed: #include file="."
00000000`00157c18 "./version.asp")..(html comment removed: #include "
00000000`00157c58 "file="md5.asp")..(html comment removed: #include "
00000000`00157c98 "file="class/sdcms.db.asp")..<!"
00000000`00157cd8 "--#include file="class/sdcms.fun"
00000000`00157d18 ".asp"-->..(html comment removed: #include file="cla"
00000000`00157d58 "ss/sdcms.ip.asp")..(html comment removed: #includ"
00000000`00157d98 "e file="class/sdcms.page.asp")"
00000000`00157dd8 "..(html comment removed: #include file="class/sdcms"
00000000`00157e18 ".temp.asp")..<%...dim sqltime:"
00000000`00157e58 "sqltime="now()"...if not(datatyp"
00000000`00157e98 "e) then sqltime="GetDate()"...sd"
00000000`00157ed8 "cms.sitedb:sdcms.catedb:sdcms.au"
00000000`00157f18 "to_update...dim page:page=sdcms."
00000000`00157f58 "getint(sdcms.fget("page",0),1).."
00000000`00157f98 ".dim webmode:webmode=sdcms.getsy"
00000000`00157fd8 "s("webmode")...dim isgzip:isgzip"
00000000`00158018 "=sdcms.getsys("isgzip")...dim is"
00000000`00158058 "cache:iscache=sdcms.getsys("isca"
00000000`00158098 "che")...dim tempcache:tempcache="
00000000`001580d8 "sdcms.getsys("tempcache")...dim "
00000000`00158118 "cachedate:cachedate=sdcms.getsys"
00000000`00158158 "("cachedate")...dim thisurl:this"
00000000`00158198 "url=sdcms.getthisurl...dim htmld"
00000000`001581d8 "ir:htmldir=sdcms.getsys("htmldir"
00000000`00158218 "")...dim commentconfig:commentco"
00000000`00158258 "nfig=eval(sdcms.getsys("expand.c"
00000000`00158298 "omment"))...dim syscomment:sysco"
00000000`001582d8 "mment=commentconfig(0)...dim moo"
00000000`00158318 "dconfig:moodconfig=sdcms.getsys("
00000000`00158358 ""expand.mood")...ismobile=sdcms."
00000000`00158398 "get_ismobile...dim blacklist:bla"
00000000`001583d8 "cklist="javascript|Document|oner"
00000000`00158418 "ror|onload|onmouseover"...'ismob"
00000000`00158458 "ile=true..%>"
That is the document's contents.
The next step is to extract it:
.writemem filename range
0:000> .writemem c:\1.txt 00157758 l1000
Writing 1000 bytes..
When you open 1.txt it shows up as garbage, because the editor does not know the encoding. Edit the file header and add the Unicode (UTF-16LE) byte-order mark FF FE, as shown below:
![](https://images.hive.blog/768x0/https://cdn.steemitimages.com/DQmf6xZv1Bewz18MxkTHHLWyU21BpPdwX3QEKN4e5Xc27kc/image.png)
Save the file and open it again; it now displays correctly, as shown:
![](https://images.hive.blog/768x0/https://cdn.steemitimages.com/DQmTPetsHYdW9EtyVzV3DmrgsQUuKC3V76P6DSDFzoVNrf7/image.png)
The first character "这" was overwritten when we inserted FF FE; with that, the recovery is complete.
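Added example, not code from the original post: the same three WinDbg steps (`s -u`, `du`, `.writemem`) reproduced in Python against a small constructed in-memory image, followed by the byte-order-mark fix. The `BASE_ADDRESS`, the sample bytes, the function names and the `nbytes` length convention are assumptions made for this example, and the buffer is a flat memory image rather than a real minidump (a real .DMP carries a header and memory-range descriptors, so file offsets are not virtual addresses). It also handles the one thing the manual hex edit above loses: the BOM is prepended rather than written over the first two bytes, so the first character of the document survives.

```python
"""
Added example (not from the original post). Reproduces on a constructed
memory image the three WinDbg steps used above:
  1. s -u <start> L<len> "text"   -> search_unicode()
  2. du <addr> L<n>               -> display_unicode()
  3. .writemem <file> <addr> L<n> -> write_memory()
and then prepends the UTF-16LE byte-order mark FF FE instead of overwriting
the first character (recover_document()).
"""
import os
import tempfile

# Assumed base address the sample buffer is "mapped" at. Chosen so that the
# document lands at 0x00157758, the address seen in the post's du output.
BASE_ADDRESS = 0x00157708

# Constructed sample document; this is not the real recovered file.
DOCUMENT = "这不是一个自由软件!您只能在不用于商业目的的前提下对程序代码进行修改和使用;"

# Constructed flat "memory image": padding, some unrelated bytes, then the
# document as UTF-16LE with a NUL terminator and zero fill after it.
SAMPLE_DUMP = (
    b"\x00" * 0x40
    + b"\xde\xad\xbe\xef" * 4
    + DOCUMENT.encode("utf-16-le")
    + b"\x00\x00"
    + b"\x00" * 64
)


def search_unicode(dump, text, start_address, length):
    """Like `s -u start Llength "text"`: return the virtual address of every
    UTF-16LE occurrence of `text` inside [start_address, start_address+length)."""
    needle = text.encode("utf-16-le")
    offset = start_address - BASE_ADDRESS
    end = min(len(dump), offset + length)
    hits = []
    pos = dump.find(needle, offset, end)
    while pos != -1:
        hits.append(BASE_ADDRESS + pos)
        pos = dump.find(needle, pos + 1, end)
    return hits


def display_unicode(dump, address, nbytes):
    """Like `du address`: decode UTF-16LE at `address` (at most `nbytes` bytes,
    an assumed convention for this example) up to the first NUL character."""
    offset = address - BASE_ADDRESS
    chunk = dump[offset:offset + nbytes]
    return chunk.decode("utf-16-le", errors="replace").split("\x00", 1)[0]


def write_memory(dump, address, nbytes, path):
    """Like `.writemem path address Lnbytes`: raw bytes only, no BOM, which is
    why the file looks like garbage in a text editor afterwards."""
    offset = address - BASE_ADDRESS
    data = dump[offset:offset + nbytes]
    with open(path, "wb") as f:
        f.write(data)
    return len(data)


def add_utf16_bom(raw_path, out_path):
    """Prepend FF FE so editors detect UTF-16LE. Prepending, rather than
    overwriting the first two bytes by hand, keeps the first character."""
    with open(raw_path, "rb") as f:
        data = f.read()
    bom = b"" if data.startswith(b"\xff\xfe") else b"\xff\xfe"
    with open(out_path, "wb") as f:
        f.write(bom + data)
    return out_path


def recover_document(dump, first_sentence, nbytes):
    """Whole workflow: locate the sentence, dump the range, add the BOM, and
    read the result back. Returns (address, recovered_text)."""
    hits = search_unicode(dump, first_sentence, BASE_ADDRESS, len(dump))
    if not hits:
        raise ValueError("first sentence not found in the memory image")
    address = hits[0]
    workdir = tempfile.mkdtemp()
    raw_path = os.path.join(workdir, "1.bin")
    write_memory(dump, address, nbytes, raw_path)
    txt_path = add_utf16_bom(raw_path, os.path.join(workdir, "1.txt"))
    with open(txt_path, "rb") as f:
        # "utf-16" (no endianness) consumes the BOM we just wrote.
        text = f.read().decode("utf-16").split("\x00", 1)[0]
    return address, text


if __name__ == "__main__":
    addr, text = recover_document(SAMPLE_DUMP, "这不是一个自由软件", 0x1000)
    print(hex(addr), text)
```

Pointing `recover_document` at a real dump would mean replacing `SAMPLE_DUMP` with the raw bytes of the memory range in question; the search and BOM handling stay the same.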
This is a substantial piece, not filler at all.
em.....
I could easily mistake you for a Malaysian. 😂
Haha