Case, You get a Dump from a live proudction Server, (which has some performance problem for some real cusomters. ), at first you want to dump out all the requests that the server is handling.
Her is a how to tutorial.
#List all Requests 0:030> !DumpHeap -type System.Web.HttpRequest -short 026a0a78 026d6510 026da4dc 0676ea70 0a6dad80 0a6dd820 0a8044d0 0a805efc 0a808d88 0a810c04 0e72b648 0e76e80c 0e76f228 0e7707ec 0e7780bc 0e77ebb0 |
here , we get the Request address. let’s pick any of them. like 0e7810bc
!do 0e7810bc # Dump the object WebRequest 0:030> !do 0e77ebb0 Name: System.Web.HttpRequest MethodTable: 6614c58c EEClass: 65f50b50 Size: 172(0xac) bytes (C:\WINDOWS\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll) Fields: MT Field Offset Type VT Attr Value Name 6614e9b8 4001079 4 ...HttpWorkerRequest 0 instance 0e77e3ec _wr 6614ab4c 400107a 8 ...m.Web.HttpContext 0 instance 0e77eaf0 _context 793308ec 400107b c System.String 0 instance 0e77e61c _httpMethod 66126cf0 400107c 98 System.Int32 1 instance 2 _httpVerb 793308ec 400107d 10 System.String 0 instance 00000000 _requestType 6614776c 400107e 14 ...m.Web.VirtualPath 0 instance 0e77f92c _path 793308ec 400107f 18 System.String 0 instance 00000000 _rewrittenUrl 793043b8 4001080 a0 System.Boolean 1 instance 0 _computePathInfo 6614776c 4001081 1c ...m.Web.VirtualPath 0 instance 0e77ed34 _filePath 6614776c 4001082 20 ...m.Web.VirtualPath 0 instance 00000000 _currentExecutionFilePath 6614776c 4001083 24 ...m.Web.VirtualPath 0 instance 00000000 _pathInfo 793308ec 4001084 28 System.String 0 instance 0e781028 _queryStringText 793043b8 4001085 a1 System.Boolean 1 instance 0 _queryStringOverriden 7933335c 4001086 2c System.Byte[] 0 instance 0e780e00 _queryStringBytes 793308ec 4001087 30 System.String 0 instance 0e77e670 _pathTranslated 793308ec 4001088 34 System.String 0 instance 00000000 _contentType 79332b38 4001089 9c System.Int32 1 instance -1 _contentLength 793308ec 400108a 38 System.String 0 instance 00000000 _clientTarget 793040bc 400108b 3c System.Object[] 0 instance 00000000 _acceptTypes 793040bc 400108c 40 System.Object[] 0 instance 00000000 _userLanguages 660fe570 400108d 44 ...owserCapabilities 0 instance 0a7f9178 _browsercaps 7a5ec77c 400108e 48 System.Uri 0 instance 0e7810bc _url 7a5ec77c 400108f 4c System.Uri 0 instance 00000000 _referrer 66153a28 4001090 50 ...b.HttpInputStream 0 instance 00000000 _inputStream 660fefa4 4001091 54 ...ClientCertificate 0 instance 00000000 _clientCertificate 79328f08 4001092 58 ...l.WindowsIdentity 0 instance 00000000 _logonUserIdentity 660fe224 4001093 5c ...tpValueCollection 0 instance 00000000 _params 660fe224 4001094 60 ...tpValueCollection 0 instance 0e780e10 _queryString 660fe224 4001095 64 ...tpValueCollection 0 instance 00000000 _form 66153264 4001096 68 ...pHeaderCollection 0 instance 00000000 _headers 660fe2f4 4001097 6c ...verVarsCollection 0 instance 00000000 _serverVariables 661519e4 4001098 70 ...pCookieCollection 0 instance 00000000 _cookies 66119620 4001099 74 ...ttpFileCollection 0 instance 00000000 _files 66153618 400109a 78 ...awUploadedContent 0 instance 00000000 _rawContent 793043b8 400109b a2 System.Boolean 1 instance 0 _readEntityBody 793040bc 400109c 7c System.Object[] 0 instance 00000000 _multipartContentElements 7933325c 400109d 80 System.Text.Encoding 0 instance 06698c34 _encoding 66113a6c 400109e 84 ...treamFilterSource 0 instance 00000000 _filterSource 7932e5e8 400109f 88 System.IO.Stream 0 instance 00000000 _installedFilter 6610b028 40010a0 a4 ...SimpleBitVector32 1 instance 0e77ec54 _flags 793308ec 40010a3 8c System.String 0 instance 00000000 _AnonymousId 6614776c 40010a4 90 ...m.Web.VirtualPath 0 instance 0e77ed34 _clientFilePath 6614776c 40010a5 94 ...m.Web.VirtualPath 0 instance 00000000 _clientBaseDir 79330508 40010a1 d8 System.Object 0 shared static s_browserLock >> Domain:Value 000d5050:NotInit 000f8758:0a6c8f30 00157af8:0a6db934 << 793043b8 40010a2 7e0 System.Boolean 1 shared static s_browserCapsEvaled >> Domain:Value 000d5050:NotInit 000f8758:1 00157af8:1 << |
in this request 0e77ebb0 , the _Url in red above is not null. the Address of the Url is
0e7810bc , this space is stored as the base object address 0e77ebb0 +48 Offset.
when you run dd 0e77ebb0 +48 l 1
0:030> dd 0e77ebb0 +48 l 1 0e77ebf8 0e7810bc So, we can get the address of the url by run the caculating the baseaddress of request plus the offset. |
then Inspect the Url object which is located in 0e7810bc
!do 0e7810bc 0:030> !do 0e7810bc Name: System.Uri MethodTable: 7a5ec77c EEClass: 7a4554f8 Size: 40(0x28) bytes (C:\WINDOWS\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll) Fields: MT Field Offset Type VT Attr Value Name 793308ec 4001b52 c System.String 0 instance 0e781110 m_String 793308ec 4001b53 10 System.String 0 instance 00000000 m_originalUnicodeString 7a5ec934 4001b54 14 System.UriParser 0 instance 0669fc44 m_Syntax 793308ec 4001b55 18 System.String 0 instance 00000000 m_DnsSafeHost 7aa1303c 4001b56 4 System.UInt64 1 instance 37624152064 m_Flags 7a5ec9fc 4001b57 1c System.Uri+UriInfo 0 instance 0e78117c m_Info 793043b8 4001b58 20 System.Boolean 1 instance 0 m_iriParsing 793308ec 4001b47 644 System.String 0 shared static UriSchemeFile >> Domain:Value 000d5050:NotInit 000f8758:0e6a1434 00157af8:0e6a1434 << 793308ec 4001b48 648 System.String 0 shared static UriSchemeFtp >> Domain:Value 000d5050:NotInit 000f8758:0e6a141c 00157af8:0e6a141c << 793308ec 4001b49 64c System.String 0 shared static UriSchemeGopher >> Domain:Value 000d5050:NotInit 000f8758:0e6a1450 00157af8:0e6a1450 << 793308ec 4001b4a 650 System.String 0 shared static UriSchemeHttp >> Domain:Value 000d5050:NotInit 000f8758:0e6a13e4 00157af8:0e6a13e4 << 793308ec 4001b4b 654 System.String 0 shared static UriSchemeHttps >> Domain:Value 000d5050:NotInit 000f8758:0e6a1400 00157af8:0e6a1400 << |
then dumpobject
0e781110 , which you can get this value from base address+C
0:030> !do 0e781110 Name: System.String MethodTable: 793308ec EEClass: 790ed64c Size: 106(0x6a) bytes (C:\WINDOWS\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll) String: http://localhost:88/WebSite/Default.aspx?q=1 Fields: MT Field Offset Type VT Attr Value Name 79332b38 4000096 4 System.Int32 1 instance 45 m_arrayLength 79332b38 4000097 8 System.Int32 1 instance 44 m_stringLength 793315cc 4000098 c System.Char 1 instance 68 m_firstChar 793308ec 4000099 10 System.String 0 shared static Empty >> Domain:Value 000d5050:0a6901d0 000f8758:0a6901d0 00157af8:0a6901d0 << 7933151c 400009a 14 System.Char[] 0 shared static WhitespaceChars >> Domain:Value 000d5050:0a690728 000f8758:0e690a0c 00157af8:02697aac <<
|
here we get url. whole process is get the addressof Request, then get the address of URL by inspecting the memory offset 48. Get the URl Address B. then inspect B+offset c, get the string value.
When can put all into a foreach command.
0:030> .foreach (req {!DumpHeap -type System.Web.HttpRequest -short}) { .foreach /pS 1 (a {dd ${req}+48 l 1}) {.echo ${a}; !do poi(${a}+c)} } 026d342c Name: System.String MethodTable: 793308ec EEClass: 790ed64c Size: 106(0x6a) bytes (C:\WINDOWS\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll) String: http://localhost:88/WebSite/Default.aspx?q=1 Fields: MT Field Offset Type VT Attr Value Name 79332b38 4000096 4 System.Int32 1 instance 45 m_arrayLength 79332b38 4000097 8 System.Int32 1 instance 44 m_stringLength 793315cc 4000098 c System.Char 1 instance 68 m_firstChar 793308ec 4000099 10 System.String 0 shared static Empty >> Domain:Value 000d5050:0a6901d0 000f8758:0a6901d0 00157af8:0a6901d0 << 7933151c 400009a 14 System.Char[] 0 shared static WhitespaceChars >> Domain:Value 000d5050:0a690728 000f8758:0e690a0c 00157af8:02697aac << 00000000 Invalid parameter poi(00000000+c) 026dc358 Name: System.String MethodTable: 793308ec EEClass: 790ed64c Size: 106(0x6a) bytes (C:\WINDOWS\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll) String: http://localhost:88/WebSite/Default.aspx?q=3 Fields: MT Field Offset Type VT Attr Value Name 79332b38 4000096 4 System.Int32 1 instance 45 m_arrayLength 79332b38 4000097 8 System.Int32 1 instance 44 m_stringLength 793315cc 4000098 c System.Char 1 instance 68 m_firstChar 793308ec 4000099 10 System.String 0 shared static Empty >> Domain:Value 000d5050:0a6901d0 000f8758:0a6901d0 00157af8:0a6901d0 << 7933151c 400009a 14 System.Char[] 0 shared static WhitespaceChars >> Domain:Value 000d5050:0a690728 000f8758:0e690a0c 00157af8:02697aac << 067705a8 Name: System.String MethodTable: 793308ec EEClass: 790ed64c Size: 98(0x62) bytes |
here we get all the ongoing request urls.
if you get errors like
00000000
Invalid parameter poi(00000000+c)
00000000
Invalid parameter poi(00000000+c)
00000000
Invalid parameter poi(00000000+c)
00000000
Invalid parameter poi(00000000+c)
that means the application itself never query the url of the request. by default the _Url is keeped as binary format in the IISworkrequest.
No comments:
Post a Comment