First, look at windbg:
kd> kn
# ChildEBP RetAddr
01 b263e924 805425ed win32k!NtGdiFlushUserBatch+0x11b
02 b263e958 805de640 nt!KiFastCallEntry+0xcd
03 b263e9e4 bf8b1860 nt!RtlQueryAtomInAtomTable+0x198
04 b263ed58 8054261c win32k!ClientLoadLibrary+0x15a
05 b263ed58 7c92e4f4 nt!KiFastCallEntry+0xfc
06 0012adb0 7c92e453 ntdll!KiFastSystemCallRet
07 0012adb0 805026ec ntdll!KiUserCallbackDispatcher+0x13
08 b263ebec 805a2d39 nt!KiCallUserMode+0x4
09 b263ec48 bf813d1b nt!KeUserModeCallback+0x87
0a b263eccc bf803530 win32k!SfnDWORD+0xa8
0b b263ed0c bf80ebe0 win32k!xxxDispatchMessage+0x1dc
0c b263ed58 8054261c win32k!NtUserDispatchMessage+0x39
0d b263ed58 7c92e4f4 nt!KiFastCallEntry+0xfc
0e 0012adb0 7c92e453 ntdll!KiFastSystemCallRet
0f 0012add4 77d194d2 ntdll!KiUserCallbackDispatcher+0x13
10 0012ae1c 77d18a10 USER32!NtUserDispatchMessage+0xc
11 0012ae2c 5d1a2d93 USER32!DispatchMessageW+0xf
12 0012ae70 5d1d106f COMCTL32!CheckForDragBegin+0xc1
13 0012aeec 5d1d115f COMCTL32!ListView_HandleMouse+0x4bc
14 0012af0c 5d1790a8 COMCTL32!ListView_OnButtonDown+0x1b
15 0012b08c 77d18734 COMCTL32!ListView_WndProc+0x70c
16 0012b0b8 77d18816 USER32!InternalCallWinProc+0x28
17 0012b120 77d2a013 USER32!UserCallWinProcCheckWow+0x150
18 0012b150 77d2a039 USER32!CallWindowProcAorW+0x98
19 0012b170 5f802189 USER32!CallWindowProcW+0x1b
1a 0012b190 5f801bdc MFC42u!CWnd::DefWindowProcW+0x42
1b 0012b1ac 5f801b36 MFC42u!CWnd::WindowProc+0x39
1c 0012b20c 5f801a8e MFC42u!AfxCallWndProc+0x91
1d 0012b22c 5f88cd62 MFC42u!AfxWndProc+0x34
1e 0012b258 77d18734 MFC42u!AfxWndProcBase+0x39
1f 0012b284 77d18816 USER32!InternalCallWinProc+0x28
20 0012b2ec 77d189cd USER32!UserCallWinProcCheckWow+0x150
21 0012b34c 77d18a10 USER32!DispatchMessageWorker+0x306
22 0012b35c 77d274ff USER32!DispatchMessageW+0xf
23 0012b380 5f809ae3 USER32!IsDialogMessageW+0x572
24 0012b390 5f809a9b MFC42u!CWnd::IsDialogMessageW+0x2f
25 0012b398 5f809b9b MFC42u!CWnd::PreTranslateInput+0x29
26 0012b3a8 5f8013df MFC42u!CDialog::PreTranslateMessage+0x94
27 0012b3b8 5f80138d MFC42u!CWnd::WalkPreTranslateTree+0x1f
28 0012b3cc 5f8012ca MFC42u!CWinThread::PreTranslateMessage+0x2f
29 0012b3dc 5f80d476 MFC42u!CWinThread::PumpMessage+0x28
2a 0012b400 5f80d022 MFC42u!CWnd::RunModalLoop+0xd9
2b 0012b43c 0042b50e MFC42u!CDialog::DoModal+0xe8
WARNING: Stack unwind information not available. Following frames may be wrong.
2c 0012ffc0 7c817067 XueTr_400000+0x2b50e
2d 0012fff0 00000000 kernel32!BaseProcessStart+0x23
The one in red is the target function; below it are the ring-3 user-mode functions. My approach is to use ub directly on the return address, but does anyone have a better, more direct method?
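As an added example (not from the original post): a small Python helper that parses the kn listing above, finds where the walk crosses between ring 0 and ring 3 by ChildEBP, and lists the user-mode return addresses one would hand to ub, flagging frames that come after the unwind warning. The 0x80000000 kernel boundary is an assumption (32-bit Windows with the default 2 GB/2 GB split).

```python
import re
# Constructed sample: consecutive runs of frames copied from the kd> kn listing above.
KN_SAMPLE = """\
05 b263ed58 7c92e4f4 nt!KiFastCallEntry+0xfc
06 0012adb0 7c92e453 ntdll!KiFastSystemCallRet
07 0012adb0 805026ec ntdll!KiUserCallbackDispatcher+0x13
08 b263ebec 805a2d39 nt!KiCallUserMode+0x4
0d b263ed58 7c92e4f4 nt!KiFastCallEntry+0xfc
0e 0012adb0 7c92e453 ntdll!KiFastSystemCallRet
0f 0012add4 77d194d2 ntdll!KiUserCallbackDispatcher+0x13
10 0012ae1c 77d18a10 USER32!NtUserDispatchMessage+0xc
11 0012ae2c 5d1a2d93 USER32!DispatchMessageW+0xf
2b 0012b43c 0042b50e MFC42u!CDialog::DoModal+0xe8
WARNING: Stack unwind information not available. Following frames may be wrong.
2c 0012ffc0 7c817067 XueTr_400000+0x2b50e
"""
KERNEL_BASE = 0x80000000  # assumed: 32-bit Windows, default 2 GB user / 2 GB kernel split
FRAME_RE = re.compile(r"^([0-9a-f]{2})\s+([0-9a-f]{8})\s+([0-9a-f]{8})\s+(\S+)$")

def parse_kn(text):
    """Turn 'kn' lines into frame dicts; frames after the unwind warning are flagged."""
    frames, unreliable = [], False
    for line in text.splitlines():
        if line.startswith("WARNING: Stack unwind information not available"):
            unreliable = True
        m = FRAME_RE.match(line.strip())
        if m:
            frames.append({"n": int(m[1], 16), "ebp": int(m[2], 16), "ret": int(m[3], 16),
                           "sym": m[4], "unreliable": unreliable})
    return frames

def is_kernel(addr): return addr >= KERNEL_BASE

def mode_transitions(frames):
    """Frame numbers where the walk crosses the ring-0/ring-3 boundary (judged by ChildEBP)."""
    out = []
    for prev, cur in zip(frames, frames[1:]):
        if is_kernel(prev["ebp"]) != is_kernel(cur["ebp"]):
            out.append((cur["n"], "kernel->user" if is_kernel(prev["ebp"]) else "user->kernel"))
    return out

def ub_targets(frames):
    """User-mode RetAddrs to inspect with ub, paired with the next frame's symbol (the
    function containing that return address) when the listing is consecutive."""
    out = []
    for i, f in enumerate(frames):
        if is_kernel(f["ret"]): continue  # returns into the kernel are not ub targets
        nxt = frames[i + 1] if i + 1 < len(frames) and frames[i + 1]["n"] == f["n"] + 1 else None
        out.append((f["ret"], nxt["sym"] if nxt else None, f["unreliable"]))
    return out
```

The first entry returned by ub_targets (0x7c92e4f4, inside ntdll!KiFastSystemCallRet) is where execution resumes in ring 3 once the kernel frames unwind; the flagged entries are the ones the unwind warning says may be wrong.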