这里以WPF作为探测用的例子,简单一些,看看Title的值是什么样子。(之所以写这个,因为不是简单的一个!do就能看到东西的,中间要绕两下,这也涉及到了DependencyObject的实现机制及数据的存储机制)
首先用VS新建一个WPF工程,在XAML中我们修改一下Title属性和Background属性,运行,得到界面如下(我故意缩小了窗口宽度以及高度)
那么,Title的完整字符串是什么呢?窗体的背景色是什么呢?
与常规的managed debugging一样,首先attach到该进程上,然后加载sos
0:011> .loadby sos clr
窗体的类型默认是MainWindow,所以我们直接到heap里面去找。
0:011> !dumpheap -type MainWindow
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll -
PDB symbol for clr.dll not loaded
Address MT Size
0000008300043bc8 00007ffa11afb918 664
Statistics:
MT Count TotalSize Class Name
00007ffa11afb918 1 664 WindbgDependency.MainWindow
Total 1 objects
我们看到,只有一个object,地址是0000008300043bc8
然后我们来do一下看看
0:011> !do 0000008300043bc8
Name: WindbgDependency.MainWindow
MethodTable: 00007ffa11afb918
EEClass: 00007ffa11c41ec8
Size: 664(0x298) bytes
File: c:\users\charju\documents\visual studio 2013\Projects\WindbgDependency\WindbgDependency\bin\Debug\WindbgDependency.exe
Fields:
MT Field Offset Type VT Attr Value Name
00007ffa50764130 4000e1f 8 ...eading.Dispatcher 0 instance 000000830000c748 _dispatcher
00007ffa5076ac00 400137d 10 ...endencyObjectType 0 instance 00000083000446c8 _dType
00007ffa6f67e0f0 400137e 18 System.Object 0 instance 0000000000000000 _contextStorage
00007ffa5076d668 400137f 20 ...ctiveValueEntry[] 0 instance 00000083000ad3c0 _effectiveValues
………………………..(这里忽略了其他输出)
00007ffa50764c80 4000330 1d0 ...spatcherOperation 0 instance 0000000000000000 _contentRenderedCallback
00007ffa6f679080 4000331 1d8 System.WeakReference 0 instance 0000000000000000 _currentPanningTarget
00007ffa50767440 40002e2 998 ...ependencyProperty 0 static 000000830001fdc0 TaskbarItemInfoProperty
00007ffa50767440 40002e3 9a0 ...ependencyProperty 0 static 00000083000203a0 AllowsTransparencyProperty
00007ffa50767440 40002e4 9a8 ...ependencyProperty 0 static 00000083000205a0 TitleProperty
00007ffa50767440 40002e5 9b0 ...ependencyProperty 0 static 00000083000207d8 IconProperty
00007ffa50767440 40002e6 9b8 ...ependencyProperty 0 static 00000083000209f0 SizeToContentProperty
00007ffa50767440 40002e7 9c0 ...ependencyProperty 0 static 0000008300020e48 TopProperty
有两个东西是我们感兴趣的,第一个_effectiveValues是一个列表,包含了该object所有属性的value。第二个TitleProperty是一个DependencyObject,包含了我们窗体Title的信息。
首先检查TitleProperty
0:011> !do 00000083000205a0
Name: System.Windows.DependencyProperty
MethodTable: 00007ffa50767440
EEClass: 00007ffa505e7040
Size: 88(0x58) bytes
File: C:\WINDOWS\Microsoft.Net\assembly\GAC_MSIL\WindowsBase\v4.0_4.0.0.0__31bf3856ad364e35\WindowsBase.dll
Fields:
MT Field Offset Type VT Attr Value Name
00007ffa6f67db10 4001398 8 System.String 0 instance 000000830001d9f8 _name
00007ffa6f67f6e0 4001399 10 System.Type 0 instance 00000083000021d0 _propertyType
00007ffa6f67f6e0 400139a 18 System.Type 0 instance 000000830001d0f8 _ownerType
00007ffa50765ef8 400139b 20 ....PropertyMetadata 0 instance 0000008300020540 _defaultMetadata
00007ffa50766048 400139c 28 ...dateValueCallback 0 instance 0000008300020500 _validateValueCallback
00007ffa5076d520 400139d 30 ...ndencyPropertyKey 0 instance 0000000000000000 _readOnlyKey
00007ffa509d1f98 400139e 40 System.Int32 1 instance 262153 _packedData
00007ffa5076cf78 400139f 48 ....InsertionSortMap 1 instance 00000083000205e8 _metadataMap
00007ffa50766100 40013a0 38 ...erceValueCallback 0 instance 0000000000000000 _designerCoerceValueCallback
00007ffa6f67e0f0 4001397 838 System.Object 0 static 0000008300008740 UnsetValue
00007ffa5076b9a0 40013a1 830 ...ty, WindowsBase]] 1 static 0000008310007ce8 RegisteredPropertyList
00007ffa6f681670 40013a2 840 ...ections.Hashtable 0 static 0000008300009f78 PropertyFromName
00007ffa6f6803f8 40013a3 5d4 System.Int32 1 static 402 GlobalIndexCount
00007ffa6f67e0f0 40013a4 848 System.Object 0 static 0000008300009fc8 Synchronized
00007ffa6f67f6e0 40013a5 850 System.Type 0 static 0000008300009fe0 NullableType
重点在_packedData上,该值的低16位是一个PropertyIndex,既然是index,那么是哪个列表数据的index呢?其实就对应着上面的_effectiveValues。我们先查看index是什么
0:011> ? 0n262153
Evaluate expression: 262153 = 00000000`00040009
ok,低16位就是0009,那么我们此时就可以查看列表数据了
0:011> !da -details 00000083000ad3c0
Name: System.Windows.EffectiveValueEntry[]
MethodTable: 00007ffa5076d668
EEClass: 00007ffa50612f30
Size: 440(0x1b8) bytes
Array: Rank 1, Number of elements 26, Type VALUETYPE
Element Methodtable: 00007ffa507687d8
[0] 00000083000ad3d0
Name: System.Windows.EffectiveValueEntry
MethodTable: 00007ffa507687d8
EEClass: 00007ffa50611710
Size: 32(0x20) bytes
File: C:\WINDOWS\Microsoft.Net\assembly\GAC_MSIL\WindowsBase\v4.0_4.0.0.0__31bf3856ad364e35\WindowsBase.dll
Fields:
MT Field Offset Type VT Attr Value Name
00007ffa6f67e0f0 40013c9 0 System.Object 0 instance 000000830000edf0 _value
00007ffa6f654038 40013ca 8 System.Int16 1 instance 0 _propertyIndex
00007ffa509d2058 40013cb a System.Int16 1 instance 11 _source
[1] 00000083000ad3e0
Name: System.Windows.EffectiveValueEntry
MethodTable: 00007ffa507687d8
EEClass: 00007ffa50611710
Size: 32(0x20) bytes
File: C:\WINDOWS\Microsoft.Net\assembly\GAC_MSIL\WindowsBase\v4.0_4.0.0.0__31bf3856ad364e35\WindowsBase.dll
Fields:
MT Field Offset Type VT Attr Value Name
00007ffa6f67e0f0 40013c9 0 System.Object 0 instance 000000830001a9d8 _value
00007ffa6f654038 40013ca 8 System.Int16 1 instance 3 _propertyIndex
00007ffa509d2058 40013cb a System.Int16 1 instance 11 _source
[2] 00000083000ad3f0
Name: System.Windows.EffectiveValueEntry
MethodTable: 00007ffa507687d8
EEClass: 00007ffa50611710
Size: 32(0x20) bytes
File: C:\WINDOWS\Microsoft.Net\assembly\GAC_MSIL\WindowsBase\v4.0_4.0.0.0__31bf3856ad364e35\WindowsBase.dll
Fields:
MT Field Offset Type VT Attr Value Name
00007ffa6f67e0f0 40013c9 0 System.Object 0 instance 000000830009fe10 _value
00007ffa6f654038 40013ca 8 System.Int16 1 instance 5 _propertyIndex
00007ffa509d2058 40013cb a System.Int16 1 instance 11 _source
[3] 00000083000ad400
Name: System.Windows.EffectiveValueEntry
MethodTable: 00007ffa507687d8
EEClass: 00007ffa50611710
Size: 32(0x20) bytes
File: C:\WINDOWS\Microsoft.Net\assembly\GAC_MSIL\WindowsBase\v4.0_4.0.0.0__31bf3856ad364e35\WindowsBase.dll
Fields:
MT Field Offset Type VT Attr Value Name
00007ffa6f67e0f0 40013c9 0 System.Object 0 instance 000000830004b9f8 _value
00007ffa6f654038 40013ca 8 System.Int16 1 instance 9 _propertyIndex
00007ffa509d2058 40013cb a System.Int16 1 instance 11 _source
[4] 00000083000ad410
Name: System.Windows.EffectiveValueEntry
MethodTable: 00007ffa507687d8
EEClass: 00007ffa50611710
Size: 32(0x20) bytes
File: C:\WINDOWS\Microsoft.Net\assembly\GAC_MSIL\WindowsBase\v4.0_4.0.0.0__31bf3856ad364e35\WindowsBase.dll
Fields:
MT Field Offset Type VT Attr Value Name
00007ffa6f67e0f0 40013c9 0 System.Object 0 instance 00000083000bea58 _value
00007ffa6f654038 40013ca 8 System.Int16 1 instance 12 _propertyIndex
00007ffa509d2058 40013cb a System.Int16 1 instance 11 _source
这个列表里面,第三个元素的_propertyIndex就是0009,它对应的_value是000000830004b9f8。到这里就ok了,直接do一下看看
0:011> !do 000000830004b9f8
Name: System.String
MethodTable: 00007ffa6f67db10
EEClass: 00007ffa6efb6a18
Size: 60(0x3c) bytes
File: C:\WINDOWS\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll
String: 魔法能量结合,巴啦啦能量,风雷电极
Title已经得到了,那么background是什么颜色呢?
类似的,
0:019> ? 0n131290
Evaluate expression: 131290 = 00000000`000200da
后16位是0xda,再转换一下,10进制对应的是218
0:019> ? da
Evaluate expression: 218 = 00000000`000000da
那么,从_effectiveValue中可以看到_propertyIndex=218的是16号元素
[16] 00000006e71a21c0
Name: System.Windows.EffectiveValueEntry
MethodTable: 00007ffa507687d8
EEClass: 00007ffa50611710
Size: 32(0x20) bytes
File: C:\WINDOWS\Microsoft.Net\assembly\GAC_MSIL\WindowsBase\v4.0_4.0.0.0__31bf3856ad364e35\WindowsBase.dll
Fields:
MT Field Offset Type VT Attr Value Name
00007ffa6f67e0f0 40013c9 0 System.Object 0 instance 00000006e70e8be8 _value
00007ffa6f654038 40013ca 8 System.Int16 1 instance 218 _propertyIndex
00007ffa509d2058 40013cb a System.Int16 1 instance 11 _source
看这个对象,实际上是一个纯色
0:019> !do 00000006e70e8be8
Name: System.Windows.Media.SolidColorBrush
对应的颜色,也是一个DependencyObject
0:019> !do 00000006e70e8be8
Name: System.Windows.Media.SolidColorBrush
MethodTable: 00007ffa4fc8fc60
EEClass: 00007ffa4f948c58
Size: 80(0x50) bytes
File: C:\WINDOWS\Microsoft.Net\assembly\GAC_64\PresentationCore\v4.0_4.0.0.0__31bf3856ad364e35\PresentationCore.dll
Fields:
MT Field Offset Type VT Attr Value Name
00007ffa50764130 4000e1f 8 ...eading.Dispatcher 0 instance 0000000000000000 _dispatcher
00007ffa5076ac00 400137d 10 ...endencyObjectType 0 instance 00000006e70d03b8 _dType
00007ffa6f67e0f0 400137e 18 System.Object 0 instance 0000000000000000 _contextStorage
00007ffa5076d668 400137f 20 ...ctiveValueEntry[] 0 instance 00000006e70e8c78 _effectiveValues
00007ffa6f651800 4001380 28 System.UInt32 1 instance 1080557569 _packedData
00007ffa50767440 400137b 7f0 ...ependencyProperty 0 static 00000006e70b6038 DirectDependencyProperty
00007ffa5076d580 400137c 7f8 ...ndler, mscorlib]] 0 static 00000006e70b6090 InheritanceContextChangedHandlersField
00007ffa6f67e0f0 4001381 800 System.Object 0 static 00000006e70b60b0 ExpressionInAlternativeStore
00007ffa507693b0 4001382 808 ...onStorageCallback 0 static 00000006e70b7640 _getExpressionCore
00007ffa5076d5f8 4001383 810 ...bject, mscorlib]] 0 static 00000006e70b60c8 DependentListMapField
00007ffa5076ac00 4001384 818 ...endencyObjectType 0 static 00000006e70af4b0 DType
00007ffa50767440 40013ed 30 ...ependencyProperty 0 instance 0000000000000000 _property
00007ffa50770928 40013ec 8 ...able+EventStorage 0 TLstatic _eventStorage
>> Thread:Value <<
00007ffa5076dbd0 4000d59 d60 ...rence, mscorlib]] 0 static 0000000000000000 StoredWeakReferenceField
00007ffa50767440 4001ffd 2a70 ...ependencyProperty 0 static 00000006e70d05c0 OpacityProperty
00007ffa50767440 4001ffe 2a78 ...ependencyProperty 0 static 00000006e70d0748 TransformProperty
00007ffa50767440 4001fff 2a80 ...ependencyProperty 0 static 00000006e70d08d0 RelativeTransformProperty
00007ffa4fc8b388 4002000 2a88 ...s.Media.Transform 0 static 00000006e70b5840 s_Transform
00007ffa4fc8b388 4002001 2a90 ...s.Media.Transform 0 static 00000006e70b5840 s_RelativeTransform
00007ffa4fc92da8 4002369 38 ...tiChannelResource 1 instance 00000006e70e8c20 _duceResource
00007ffa50767440 4002368 3108 ...ependencyProperty 0 static 00000006e70d0360 ColorProperty
00007ffa4fc8c878 400236a 3100 ...ndows.Media.Color 1 static 00000006f708c898 s_Color
通过上面一样的步骤,我们最终找到这个ColorProperty的对应value如下:
0:019> !do 00000006e70e8c38
Name: System.Windows.Media.Color
MethodTable: 00007ffa4fc8c878
EEClass: 00007ffa4f948200
Size: 64(0x40) bytes
File: C:\WINDOWS\Microsoft.Net\assembly\GAC_64\PresentationCore\v4.0_4.0.0.0__31bf3856ad364e35\PresentationCore.dll
Fields:
MT Field Offset Type VT Attr Value Name
00007ffa4fc90570 400206d 8 ...edia.ColorContext 0 instance 0000000000000000 context
00007ffa50396648 400206e 20 ...a.Color+MILColorF 1 instance 00000006e70e8c58 scRgbColor
00007ffa4fca4bb8 400206f 30 ...ia.Color+MILColor 1 instance 00000006e70e8c68 sRgbColor
00007ffa6f641be0 4002070 10 System.Single[] 0 instance 0000000000000000 nativeColorValue
00007ffa6f653968 4002071 18 System.Boolean 1 instance 0 isFromScRgb
如上的sRgbColor就是颜色了,注意它的VT=1,即是个值类型。
0:019> dd 00000006e70e8c68 l 1
00000006`e70e8c68 00a5ffff
如果稍微熟悉一下GDI,就知道它对应的RGB是0xff, 0xa5, 0x00,什么颜色呢?可以到mspaint里面简单看一下
额,知道了,就是橙色。
最后我们看一下这个简单窗口的全貌
(在女儿的教导下,小魔仙的各种咒语我几乎都倒背如流,我们还发明了其他的,比如:巴啦啦能量,净化!这是在晚上洗脸时念的;巴啦啦能量,冻结!这是对她晚安时说的)