汇编&反汇编
- u 地址 [长度] 反汇编之后代码
- Ub地址 [长度] 反汇编之前代码
- Up地址 [长度] 从物理地址反汇编
- Uf 地址 反汇编当前函数
- a 地址 在指定地址处写入汇编 16位
怎样打印某函数调用关系
| 命令 | 功能 | 适用范围 |
|---|---|---|
| uf /c /D 地址 | 打印当前函数对其他函数的调用 | 用户态/内核态 |
| # 函数名 起始地址 l长度 | 打印在某段地址范围内代码对该函数的引用 | 内核态/用户态 |
0:000> .frame 2
02 00000000`00effc70 00007ff6`52263c79 windbg!main+0x28 [c:\users\jack\documents\visual studio 2008\projects\windbg\windbg\main.cpp @ 48]
0:000> !address windbg!main
Usage: Image
Allocation Base: 00007ff6`52260000
Base Address: 00007ff6`52261000
End Address: 00007ff6`52269000
Region Size: 00000000`00008000
Type: 01000000MEM_IMAGE
State: 00001000MEM_COMMIT
Protect: 00000020PAGE_EXECUTE_READ
More info: lmv m windbg
More info: !lmi windbg
More info: ln 0x7ff652261310
0:000> uf /c /D 0x7ff652261310
windbg!main (00007ff6`52261310) [c:\users\jack\documents\visual studio 2008\projects\windbg\windbg\main.cpp @ 44]
windbg!main+0x22 (00007ff6`52261332) [c:\users\jack\documents\visual studio 2008\projects\windbg\windbg\main.cpp @ 46]:
call to MSVCR90!printf (00000000`533b274c) [f:\dd\vctools\crt_bld\self_64_amd64\crt\src\printf.c @ 49]
怎样显示函数指令数?
| 命令 | 功能 | 适用范围 |
|---|---|---|
| uf /i /m 地址 | 显示函数指令数 |
0:000> uf /i main
10 instructions scanned
windbg!main [c:\users\jack\documents\visual studio 2008\projects\windbg\windbg\main.cpp @ 44]:
44 00007ff6`52261310 4889542410 mov qword ptr [rsp+10h],rdx
44 00007ff6`52261315 894c2408 mov dword ptr [rsp+8],ecx
44 00007ff6`52261319 4883ec38 sub rsp,38h
45 00007ff6`5226131d 48c74424200a000000 mov qword ptr [rsp+20h],0Ah
46 00007ff6`52261326 488b542420 mov rdx,qword ptr [rsp+20h]
46 00007ff6`5226132b 488d0db6850000 lea rcx,[windbg!__xi_z+0x150 (00007ff6`522698e8)]
46 00007ff6`52261332 ff15f8e60000 call qword ptr [windbg!_imp_printf (00007ff6`5226fa30)]
48 00007ff6`52261338 33c0 xor eax,eax
49 00007ff6`5226133a 4883c438 add rsp,38h
49 00007ff6`5226133e c3 ret
0:000> u 00007ff6`5226133d
windbg!main+0x2d [c:\users\jack\documents\visual studio 2008\projects\windbg\windbg\main.cpp @ 49]:
00007ff6`5226133d 38c3 cmp bl,al
00007ff6`5226133f cc int 3
00007ff6`52261340 cc int 3
00007ff6`52261341 cc int 3
00007ff6`52261342 cc int 3
00007ff6`52261343 cc int 3
00007ff6`52261344 cc int 3
00007ff6`52261345 cc int 3
0:000> .dml_flow windbg!main 00007ff6`5226133d
<No previous node>
windbg!main (00007ff6`52261310):
c:\users\jack\documents\visual studio 2008\projects\windbg\windbg\main.cpp
44 00007ff6`52261310 mov qword ptr [rsp+10h],rdx
44 00007ff6`52261315 mov dword ptr [rsp+8],ecx
44 00007ff6`52261319 sub rsp,38h
45 00007ff6`5226131d mov qword ptr [rsp+20h],0Ah
46 00007ff6`52261326 mov rdx,qword ptr [rsp+20h]
46 00007ff6`5226132b lea rcx,[windbg!__xi_z+0x150 (00007f
46 00007ff6`52261332 call qword ptr [windbg!_imp_printf (0
48 00007ff6`52261338 xor eax,eax
49 00007ff6`5226133a add rsp,38h
49 00007ff6`5226133e ret
<No next node>
怎样查找某地址附近的符号
| 命令 | 功能 | 适用范围 |
|---|---|---|
| ln 地址 | 查找某地址附近的符号 | 用户态/内核态 |
0:000> ln main-1
(00007ff6`52261181) [email protected]+0x18e | (00007ff6`52261310) windbg!main
回溯栈
回溯栈用来记录每一级函数返回地址
| 命令 | 功能 |
|---|---|
| k | 跟踪到第n分支指令 |
| kb | 执行到第n分支指令 |
| !stacks | 跟踪到第n分支指令 |
| !uniqstack | 执行到第n分支指令 |
0:000> kn
# Child-SP RetAddr Call Site
00 00000000`00efee48 00000000`533b27d8 MSVCR90!_output_l+0x452 [f:\dd\vctools\crt_bld\self_64_amd64\crt\src\output.c @ 1643]
01 00000000`00eff158 00007ff6`52261338 MSVCR90!printf+0x8c [f:\dd\vctools\crt_bld\self_64_amd64\crt\src\printf.c @ 63]
02 00000000`00eff1a8 00000000`00effc73 windbg!main+0x28 [c:\users\jack\documents\visual studio 2008\projects\windbg\windbg\main.cpp @ 48]
03 00000000`00eff1e8 00000000`0000000a 0xeffc73
04 00000000`00eff1f0 00000000`00000007 0xa
05 00000000`00eff1f8 00007ffd`803e9123 0x7
06 00000000`00eff200 00000000`533d6ede ntdll!KiUserExceptionDispatcher+0x53
07 00000000`00eff910 00000000`533b27d8 MSVCR90!_output_l+0x452 [f:\dd\vctools\crt_bld\self_64_amd64\crt\src\output.c @ 1643]
08 00000000`00effc20 00007ff6`52261338 MSVCR90!printf+0x8c [f:\dd\vctools\crt_bld\self_64_amd64\crt\src\printf.c @ 63]
09 00000000`00effc70 00007ff6`52263c79 windbg!main+0x28 [c:\users\jack\documents\visual studio 2008\projects\windbg\windbg\main.cpp @ 48]
0a 00000000`00effcb0 00007ff6`52263227 windbg!WinMain+0x149
0b 00000000`00effd20 00007ffd`80272774 windbg!__tmainCRTStartup+0x15f [f:\dd\vctools\crt_bld\self_64_amd64\crt\src\crtexe.c @ 578]
0c 00000000`00effdd0 00007ffd`803b0d51 KERNEL32!BaseThreadInitThunk+0x14
0d 00000000`00effe00 00000000`00000000 ntdll!RtlUserThreadStart+0x21
0:000> kb 1
RetAddr : Args to Child : Call Site
00000000`533b27d8 : 00000000`0000000a 00000000`00eff1b0 00000000`00000000 00000000`00eff548 : MSVCR90!_output_l+0x452 [f:\dd\vctools\crt_bld\self_64_amd64\crt\src\output.c @ 1643]
0:000> kb 5
RetAddr : Args to Child : Call Site
00000000`533b27d8 : 00000000`0000000a 00000000`00eff1b0 00000000`00000000 00000000`00eff548 : MSVCR90!_output_l+0x452 [f:\dd\vctools\crt_bld\self_64_amd64\crt\src\output.c @ 1643]
00007ff6`52261338 : 00007ff6`522698e8 00000000`0000000a 00000000`5342d5c0 00000000`533a0000 : MSVCR90!printf+0x8c [f:\dd\vctools\crt_bld\self_64_amd64\crt\src\printf.c @ 63]
00000000`00effc73 : 00000000`0000000a 00000000`00000007 00007ffd`803e9123 00007ffd`804a0a44 : windbg!main+0x28 [c:\users\jack\documents\visual studio 2008\projects\windbg\windbg\main.cpp @ 48]
00000000`0000000a : 00000000`00000007 00007ffd`803e9123 00007ffd`804a0a44 00000000`00eff2b8 : 0xeffc73
00000000`00000007 : 00007ffd`803e9123 00007ffd`804a0a44 00000000`00eff2b8 00000000`0000000a : 0xa
0:000> kv
Child-SP RetAddr : Args to Child : Call Site
00000000`00efee48 00000000`533b27d8 : 00000000`0000000a 00000000`00eff1b0 00000000`00000000 00000000`00eff548 : MSVCR90!_output_l+0x452 [f:\dd\vctools\crt_bld\self_64_amd64\crt\src\output.c @ 1643]
00000000`00eff158 00007ff6`52261338 : 00007ff6`522698e8 00000000`0000000a 00000000`5342d5c0 00000000`533a0000 : MSVCR90!printf+0x8c [f:\dd\vctools\crt_bld\self_64_amd64\crt\src\printf.c @ 63]
00000000`00eff1a8 00000000`00effc73 : 00000000`0000000a 00000000`00000007 00007ffd`803e9123 00007ffd`804a0a44 : windbg!main+0x28 [c:\users\jack\documents\visual studio 2008\projects\windbg\windbg\main.cpp @ 48]
00000000`00eff1e8 00000000`0000000a : 00000000`00000007 00007ffd`803e9123 00007ffd`804a0a44 00000000`00eff2b8 : 0xeffc73
00000000`00eff1f0 00000000`00000007 : 00007ffd`803e9123 00007ffd`804a0a44 00000000`00eff2b8 00000000`0000000a : 0xa
00000000`00eff1f8 00007ffd`803e9123 : 00007ffd`804a0a44 00000000`00eff2b8 00000000`0000000a 0000da94`001db000 : 0x7
00000000`00eff200 00000000`533d6ede : 00000000`742e7eaa 00000000`0000000a 00000000`00000007 00007ff6`52263227 : ntdll!KiUserExceptionDispatcher+0x53 (TrapFrame @ 00000000`00eff628)
00000000`00eff910 00000000`533b27d8 : 00000000`00000000 00000000`00effc78 00000000`00000000 00000000`533ecabc : MSVCR90!_output_l+0x452 [f:\dd\vctools\crt_bld\self_64_amd64\crt\src\output.c @ 1643]
00000000`00effc20 00007ff6`52261338 : 00007ff6`522698e8 00000000`0000000a 00000000`044d0300 00000000`00000003 : MSVCR90!printf+0x8c [f:\dd\vctools\crt_bld\self_64_amd64\crt\src\printf.c @ 63]
00000000`00effc70 00007ff6`52263c79 : 00000000`00000001 00000000`044da040 00000000`0000000a 00000000`533c3da4 : windbg!main+0x28 [c:\users\jack\documents\visual studio 2008\projects\windbg\windbg\main.cpp @ 48]
00000000`00effcb0 00007ff6`52263227 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`027b3c93 : windbg!WinMain+0x149
00000000`00effd20 00007ffd`80272774 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : windbg!__tmainCRTStartup+0x15f [f:\dd\vctools\crt_bld\self_64_amd64\crt\src\crtexe.c @ 578]
00000000`00effdd0 00007ffd`803b0d51 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
00000000`00effe00 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21
线程进程
| 命令 | 功能 | 适用范围 |
|---|---|---|
| |* | 显示所有进程 | 用户态 |
| |. | 显示当前活动进程 | 用户态 |
| |# | 显示触发异常进程 | 用户态 |
| |n | 显示n号进程 | 用户态 |
| ~ns | 切弧到n号线程 | 用户态 |
| ~* | 显示所有线程 | 用户态 |
| ~. | 显示当前活动线程 | 用户态 |
| ~# | 显示触发异常线程 | 用户态 |
| ~n | 显示n号线程 | 用户态 |
| ~ns | 切换到n号线程 | 用户态 |
| .process | 查看当前进程PEPROCESS地址 | 内核态 |
| .process [PEPROCESS地址] | 设置进程PEPROCESS地址 | 内核态 |
| !process | 查看指定进程信息 | 内核态 |
| .thread | 查看当前线程PETHREAD地址 | 内核态 |
| .thread [PETHREAD地址] | 设置当前线程PETHREAD地址 | 内核态 |
| !thread | 查看指定线程信息 | 内核态 |
| .context [用户态上下文地址] | 设置当前进程用户态上下文 | 内核态 |
![初学Windbg,从主题布局开始[图]](data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=)