xinali/articles

WinDbg usage

xinali opened this issue · 0 comments


## k

The **k** command displays the call stack of the given thread, together with other related information.

`~0 k` prints the call stack of thread 0; a bare `k` prints the call stack of the current thread.

`r` (register) shows the register values.
`kb` shows the first three parameters passed to each function in the stack backtrace.
`kp` shows all parameters passed to each function in the stack backtrace.

```
0:000:x86> kb
ChildEBP RetAddr  Args to Child
0015fce4 010e1415 00000012 00000034 00000056 test1!Add+0x1e [f:\test1\test1\test1.cpp @ 7]

0:000:x86> kp
ChildEBP RetAddr
0015fce4 010e1415 test1!Add(int a = 0n18, int b = 0n52, int c = 0n86, int d = 0n120, int e = 0n154, int f = 0n188)+0x1e [f:\test1\test1\test1.cpp @ 7]

0:000:x86> kP
ChildEBP RetAddr
0015fce4 010e1415 test1!Add(
            int a = 0n18,
            int b = 0n52,
            int c = 0n86,
            int d = 0n120,
            int e = 0n154,
            int f = 0n188)+0x1e [f:\test1\test1\test1.cpp @ 7]

0:000:x86> kv
ChildEBP RetAddr  Args to Child
0015fce4 010e1415 00000012 00000034 00000056 test1!Add+0x1e (FPO: [Non-Fpo]) (CONV: cdecl) [f:\test1\test1\test1.cpp @ 7]
```

## u

The **u** command displays a disassembly of the program code at the specified memory location. To disassemble a particular address, give `u` the address directly:

```
0:002> u 77d2929a
USER32!SendMessageW:
77d2929a 8bff            mov     edi,edi
77d2929c 55              push    ebp
77d2929d 8bec            mov     ebp,esp
77d2929f 56              push    esi
77d292a0 8b750c          mov     esi,dword ptr [ebp+0Ch]
77d292a3 f7c60000feff    test    esi,0FFFE0000h
77d292a9 0f85be800100    jne     USER32!SendMessageW+0x11 (77d4136d)
77d292af 8b4d08          mov     ecx,dword ptr [ebp+8]
```

If symbol files are available, the function name can be given directly instead:

```
0:002> u user32!SendMessagew
USER32!SendMessageW:
77d2929a 8bff            mov     edi,edi
77d2929c 55              push    ebp
77d2929d 8bec            mov     ebp,esp
77d2929f 56              push    esi
77d292a0 8b750c          mov     esi,dword ptr [ebp+0Ch]
77d292a3 f7c60000feff    test    esi,0FFFE0000h
77d292a9 0f85be800100    jne     USER32!SendMessageW+0x11 (77d4136d)
77d292af 8b4d08          mov     ecx,dword ptr [ebp+8]
```

The **uf** command displays the disassembly of the specified function in memory; it requires symbol files.

## x

The `x` command displays the symbols in all contexts that match the given pattern. Wildcard characters can be used:

```
> x user32!send*
77d53948 USER32!SendNotifyMessageA = <no type information>
77d2fb6b USER32!SendMessageTimeoutA = <no type information>
77d6b88f USER32!SendOpenStatusNotify = <no type information>
77d6b49e USER32!SendIMEMessageExA = <no type information>
77d2d64f USER32!SendNotifyMessageW = <no type information>
77d2cdaa USER32!SendMessageTimeoutW = <no type information>
77d65b26 USER32!SendHelpMessage = <no type information>
77d6b823 USER32!SendMessageToUI = <no type information>
77d6b48d USER32!SendIMEMessageExW = <no type information>
77d2cd08 USER32!SendMessageTimeoutWorker = <no type information>
77d203fc USER32!SendRegisterMessageToClass = <no type information>
77d3c2e7 USER32!SendDlgItemMessageA = <no type information>
77d2d6db USER32!SendMessageCallbackW = <no type information>
77d6b129 USER32!SendMessageCallbackA = <no type information>
77d273cc USER32!SendDlgItemMessageW = <no type information>
77d61930 USER32!SendWinHelpMessage = <no type information>
77d291b3 USER32!SendMessageWorker = <no type information>
77d2929a USER32!SendMessageW = <no type information>
77d2f3c2 USER32!SendMessageA = <no type information>
```

`x` has a second use: after breaking inside a function, entering `x` with no arguments prints the current local variables. This can be combined with `.frame` to select the frame whose locals are shown:

```
0:000:x86> kn
 # ChildEBP RetAddr
00 0039fd18 010e19a8 test1!wmain+0x1e [f:\test1\test1\test1.cpp @ 12]
01 0039fd68 010e17ef test1!__tmainCRTStartup+0x1a8 [f:\dd\vctools\crt_bld\self_x86\crt\src\crtexe.c @ 583]

0:000:x86> x
0039fd20 argc = 0n1
0039fd24 argv = 0x00033438
0039fd10 c = 0n-858993460
```

ChildEBP is the value of EBP for that stack frame at the time of the trace.

RetAddr is the address execution continues at when the function in that frame returns, i.e. the next EIP value after the function exits.

## d

The `dt` command displays information about local variables, global variables, or data types.
As a test, display a data type:

```
0:000> dt _PEB
ntdll!_PEB
   +0x000 InheritedAddressSpace : UChar
   +0x001 ReadImageFileExecOptions : UChar
   +0x002 BeingDebugged    : UChar
   +0x003 BitField         : UChar
   +0x003 ImageUsesLargePages : Pos 0, 1 Bit
   +0x003 IsProtectedProcess : Pos 1, 1 Bit
   +0x003 IsImageDynamicallyRelocated : Pos 2, 1 Bit
   +0x003 SkipPatchingUser32Forwarders : Pos 3, 1 Bit
   +0x003 IsPackagedProcess : Pos 4, 1 Bit
   +0x003 IsAppContainer   : Pos 5, 1 Bit
   +0x003 IsProtectedProcessLight : Pos 6, 1 Bit
   +0x003 IsLongPathAwareProcess : Pos 7, 1 Bit
   +0x004 Mutant           : Ptr32 Void
   +0x008 ImageBaseAddress : Ptr32 Void
   +0x00c Ldr              : Ptr32 _PEB_LDR_DATA
   +0x010 ProcessParameters : Ptr32 _RTL_USER_PROCESS_PARAMETERS
   +0x014 SubSystemData    : Ptr32 Void
   +0x018 ProcessHeap      : Ptr32 Void
   +0x01c FastPebLock      : Ptr32 _RTL_CRITICAL_SECTION
   +0x020 AtlThunkSListPtr : Ptr32 _SLIST_HEADER
   +0x024 IFEOKey          : Ptr32 Void
   +0x028 CrossProcessFlags : Uint4B
```

A wildcard lists all structure names that match:

```
0:000>  dt ntdll!_peb*
          ntdll!_PEB
          ntdll!_PEB_LDR_DATA
          ntdll!_PEBS_DS_SAVE_AREA
          ntdll!_PEB32
```

The `d*` commands display the contents of memory in the given range:

d, da, db, dc, dd, dD, df, dp, dq, du, dw, dW, dyb, dyd (Display Memory)

If Range is omitted, the command starts where the previous memory-display command ended, which makes it possible to walk through memory in consecutive steps.
`d` uses the same display format as the most recent `d*` command; if no `d*` command has been used yet, `d` behaves like `db`.

`da`: ASCII characters, at most 48 characters per line. The display continues until the first null byte is reached or every character in the range given by Range has been shown. All non-printable characters, such as carriage return and line feed, are shown as a dot (.).

The difference between `dd` and `dc` (`dc` prints the same DWORDs and adds the bytes of each line as ASCII on the right):

```
0:000> dd
0019fc3c  00000000 00000000 00000000 00000000
0019fc4c  00000200 00000000 00000000 00000000
0019fc5c  00000200 00000000 00000000 00000000
0019fc6c  00000200 00000000 00000000 00000000
0019fc7c  00000200 00000000 00000000 00000000
0019fc8c  301d5dce 0019fa70 00010000 0019fcf0
0019fc9c  77109fd0 471c5f2e fffffffe 0019fd00
0019fcac  770e8a42 301d5c66 00000000 00000000
0:000> dc
0019fcbc  003dc000 00000000 771ad000 00030000  ..=........w....
0019fccc  00000004 77090000 00000000 0019fd24  .......w....$...
0019fcdc  003df000 003dc000 00000000 0019fcb0  ..=...=.........
0019fcec  00000000 ffffffff 77109fd0 471c5f4e  ...........wN_.G
0019fcfc  00000000 0019fd10 770e886c 00000000  ........l..w....
0019fd0c  bb591b5e 00000000 00000000 0019fd24  ^.Y.........$...
0019fd1c  77090000 00000000 0001003f 00000000  ...w....?.......
0019fd2c  00000000 00000000 00000000 00000000  ................
```
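To make the `dd`/`dc`/`da` rules concrete, here is an added example (not from the issue) that renders a byte buffer the way each command does: `dd` prints little-endian DWORDs, `dc` appends the same 16 raw bytes through the printable-or-dot rule, and `da` stops at the first NUL and wraps at 48 characters. The sample buffers are constructed; the first one packs the four DWORDs from the first `dc` line above so the ASCII column can be compared with the real output.

```python
import struct

def ascii_column(chunk: bytes) -> str:
    """The dc/da rule: printable ASCII as-is, everything else (NUL, CR, LF,
    bytes above 0x7e) as '.'."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)

def fmt_dd(addr: int, data: bytes) -> list:
    """dd: 32-bit address, then up to four little-endian DWORDs per 16-byte line."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        n = len(chunk) // 4                       # whole DWORDs only, like dd
        dwords = struct.unpack(f"<{n}I", chunk[:n * 4])
        lines.append(f"{addr + off:08x}  " + " ".join(f"{d:08x}" for d in dwords))
    return lines

def fmt_dc(addr: int, data: bytes) -> list:
    """dc: the dd line plus the same 16 raw bytes rendered through the ASCII rule."""
    return [line + "  " + ascii_column(data[off:off + 16])
            for off, line in zip(range(0, len(data), 16), fmt_dd(addr, data))]

def fmt_da(addr: int, data: bytes, per_line: int = 48) -> list:
    """da: stop at the first NUL, then quote the text 48 characters per line."""
    end = data.find(b"\0")
    text = data if end < 0 else data[:end]
    return [f'{addr + off:08x}  "{ascii_column(text[off:off + per_line])}"'
            for off in range(0, max(len(text), 1), per_line)]

# Constructed sample: the four DWORDs from the first dc line above. Packed
# little-endian they are 00 c0 3d 00 | 00 00 00 00 | 00 d0 1a 77 | 00 00 03 00,
# which is why the ASCII column reads "..=........w....": only 0x3d ('=') and
# 0x77 ('w') are printable, and the byte order is reversed relative to the DWORD.
STACK_SAMPLE = struct.pack("<4I", 0x003DC000, 0x00000000, 0x771AD000, 0x00030000)
# Constructed sample for da: CR/LF become dots and the NUL terminates the string.
STRING_SAMPLE = b"abc\r\ndef\0trailing bytes that da never shows"

if __name__ == "__main__":
    print("\n".join(fmt_dd(0x0019FCBC, STACK_SAMPLE)))
    print("\n".join(fmt_dc(0x0019FCBC, STACK_SAMPLE)))
    print("\n".join(fmt_da(0x0019FCBC, STRING_SAMPLE)))
```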

`!dh` (display header) shows the file header information of a loaded module:

```
> !dh -f ntdll

File Type: DLL
FILE HEADER VALUES
     14C machine (i386)
       7 number of sections
802F667E time date stamp
       0 file pointer to symbol table
       0 number of symbols
      E0 size of optional header
    2102 characteristics
            Executable
            32 bit word machine
            DLL
.....
```