Finding Managed Function Parameter Values with WinDbg
The question came up at a seminar: how do you use WinDbg to find the values of the arguments that were passed when a function was called?
When you attach to a managed process in live-debug mode, calls between functions inside the program are not shown by default, so you have to set a breakpoint on the function before it is called.
The two ways of setting a breakpoint on a managed function were covered in the previous post, which makes this much easier. Again we use the program from that post as the example:
class Program
{
    static void Main(string[] args)
    {
        System.Console.WriteLine("Show Params in Windbg");
        Program p = new Program();
        p.ShowParams(123456, "TestParams", 'L');   // the call whose arguments we want to recover
        System.Console.ReadLine();                 // keeps the process alive so the debugger can attach
    }

    public void ShowParams(int a, string b, char c)
    {
        // intentionally empty: we only inspect its arguments in the debugger
    }
}
The goal is to recover the arguments passed to the ShowParams method. In a live debug session, the !clrstack command alone does not give us this:
0:000> !clrstack
OS Thread Id: 0x11a0 (0)
ESP EIP
0012f3e0 7c90eb94 [NDirectMethodFrameStandaloneCleanup: 0012f3e0]
System.IO.__ConsoleStream.ReadFile
(Microsoft.Win32.SafeHandles.SafeFileHandle, Byte*, Int32, Int32 ByRef, IntPtr)
0012f3fc 7948d2bb System.IO.__ConsoleStream.ReadFileNative
(Microsoft.Win32.SafeHandles.SafeFileHandle, Byte[], Int32, Int32, Int32, Int32 ByRef)
0012f428 7948d1ed System.IO.__ConsoleStream.Read(Byte[], Int32, Int32)
0012f448 793a3350 System.IO.StreamReader.ReadBuffer()
0012f458 793aaa2f System.IO.StreamReader.ReadLine()
0012f46c 79497b5a System.IO.TextReader+SyncTextReader.ReadLine()
0012f474 793e99f0 System.Console.ReadLine()
0012f478 00db00c7 FounctionParams.Program.Main(System.String[])
0012f69c 79e7c74b [GCFrame: 0012f69c]
As you can see, the call inside the program is skipped entirely: the stack goes straight from Main to ReadLine(), because ShowParams has already returned by the time we attach. For the same reason !clrstack -p cannot show the argument values passed to that internal call either.
The values passed to the intermediate call can be obtained as follows.
First detach, then open the executable in the debugger so that it runs under our control from the start, and break when the JIT (mscorjit.dll) is loaded:
0:000> sxe ld:mscorjit
0:000> g
ModLoad: 79060000 790b6000 C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll
eax=00000000 ebx=00000000 ecx=00d90000 edx=7c90eb94 esi=00000000 edi=00000000
eip=7c90eb94 esp=0012e554 ebp=0012e648 iopl=0 nv up ei ng nz ac pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000296
ntdll!KiFastSystemCallRet:
7c90eb94 c3 ret
At this point the CLR is in the process and SOS can be loaded. Once it is loaded:
0:000> !thread
No export thread found
0:000> !threads
ThreadCount: 2
UnstartedThread: 0
BackgroundThread: 1
PendingThread: 0
DeadThread: 0
Hosted Runtime: no
PreEmptive GC Alloc
ID GC Context Domain Count APT Exception
0 1 Enabled 013f16d0:013f1fe8 0015c410 2 MTA
2 2 Enabled 00000000:00000000 0015c410 0 MTA (Finalizer)
Good. Next, dump the application domain:
0:000> !dumpdomain 0015c410
--------------------------------------
Domain 1: 0015c410
LowFrequencyHeap: 0015c434
HighFrequencyHeap: 0015c48c
StubHeap: 0015c4e4
Stage: OPEN
SecurityDescriptor: 0015d740
Name: FounctionParams.exe
Assembly: 0019f3f8
[C:\WINDOWS\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll]
ClassLoader: 0019f490
SecurityDescriptor: 0019be78
Module Name
790c2000
C:\WINDOWS\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
Assembly: 001a6e80
[E:\myProject\FounctionParams\FounctionParams\bin\Debug\FounctionParams.exe]
ClassLoader: 001a6f18
SecurityDescriptor: 001a6db0
Module Name
00a82c3c
E:\myProject\FounctionParams\FounctionParams\bin\Debug\FounctionParams.exe
Now the module information:
0:000> !dumpmodule -mt 00a82c3c
Name: E:\myProject\FounctionParams\FounctionParams\bin\Debug\FounctionParams.exe
Attributes: PEFile
Assembly: 001a6e80
LoaderHeap: 00000000
TypeDefToMethodTableMap: 00a80038
TypeRefToMethodTableMap: 00a80040
MethodDefToDescMap: 00a8008c
FieldDefToDescMap: 00a8009c
MemberRefToDescMap: 00a800a0
FileReferencesMap: 00a800ec
AssemblyReferencesMap: 00a800f0
MetaData start address: 00402094 (1580 bytes)
Types defined in this module
MT TypeDef Name
------------------------------------------------------------------------------
00a83038 0x02000002 FounctionParams.Program
Types referenced in this module
MT TypeRef Name
------------------------------------------------------------------------------
790fd0f0 0x01000001 System.Object
We now have the MethodTable (MT):
0:000> !dumpmt -md 00a83038
EEClass: 00a811d8
Module: 00a82c3c
Name: FounctionParams.Program
mdToken: 02000002 (E:\myProject\FounctionParams\FounctionParams\bin\Debug\FounctionParams.exe)
BaseSize: 0xc
ComponentSize: 0x0
Number of IFaces in IFaceMap: 0
Slots in VTable: 7
--------------------------------------
MethodDesc Table
Entry MethodDesc JIT Name
79371278 7914b928 PreJIT System.Object.ToString()
7936b3b0 7914b930 PreJIT System.Object.Equals(System.Object)
7936b3d0 7914b948 PreJIT System.Object.GetHashCode()
793624d0 7914b950 PreJIT System.Object.Finalize()
00a8c011 00a83020 NONE FounctionParams.Program.Main(System.String[])
00a8c015 00a83028 NONE FounctionParams.Program.ShowParams(Int32, System.String, Char)
00a8c019 00a83030 NONE FounctionParams.Program..ctor()
OK, there it is. Set the breakpoint on the MethodDesc of ShowParams:
0:000> !bpmd -md 00a83028
MethodDesc = 00a83028
Adding pending breakpoints...
OK, press F5 (go):
0:000> g
(8b4.1574): CLR notification exception - code e0444143 (first chance)
JITTED FounctionParams!FounctionParams.Program.ShowParams(Int32, System.String, Char)
Setting breakpoint: bp 00DC0110 [FounctionParams.Program.ShowParams(Int32, System.String, Char)]
Breakpoint 1 hit
Now we can look at the call stack:
0:000> !clrstack
OS Thread Id: 0x1574 (0)
ESP EIP
0012f46c 00dc0110 FounctionParams.Program.ShowParams(Int32, System.String, Char)
0012f478 00dc00c0 FounctionParams.Program.Main(System.String[])
0012f69c 79e7c74b [GCFrame: 0012f69c]
And the parameters:
0:000> !clrstack -p
OS Thread Id: 0x1574 (0)
ESP EIP
0012f46c 00dc0110 FounctionParams.Program.ShowParams(Int32, System.String, Char)
PARAMETERS:
this = 0x013f34ac
a = 0x0001e240
b = 0x013f170c
c = 0x0000004c
0012f478 00dc00c0 FounctionParams.Program.Main(System.String[])
PARAMETERS:
args = 0x013f16c0
0012f69c 79e7c74b [GCFrame: 0012f69c]
The PARAMETERS lines above show the values of a, b and c. a and c are value types, so the numbers shown are exactly the values we passed (0x0001e240 is 123456 and 0x4c is 'L'). b is a reference type, so what is shown is an address on the managed heap.
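As an added example (not part of the original post), the following Python helper parses the !clrstack -p output shown above and decodes each argument according to the type listed in the frame's signature: Int32 and Char are value types and come out as 123456 and 'L', while System.String is a reference, so that slot is a GC-heap address that still has to be followed with !dumpobj. The sample text is constructed from the session above.

```python
import re

# Constructed sample: the frames printed by `!clrstack -p` in the session above.
CLRSTACK_OUTPUT = """\
0012f46c 00dc0110 FounctionParams.Program.ShowParams(Int32, System.String, Char)
PARAMETERS:
this = 0x013f34ac
a = 0x0001e240
b = 0x013f170c
c = 0x0000004c
0012f478 00dc00c0 FounctionParams.Program.Main(System.String[])
PARAMETERS:
args = 0x013f16c0
"""
# "<ESP> <EIP> Namespace.Type.Method(Type1, Type2, ...)" and "name = 0x...." lines
FRAME = re.compile(r"^[0-9a-f]{8}\s+[0-9a-f]{8}\s+(\S+?)\((.*)\)$")
PARAM = re.compile(r"^(\w+)\s*=\s*0x([0-9a-fA-F]+)$")

def decode_value(type_name, raw):
    """Interpret one raw 32-bit argument slot according to its declared type."""
    if type_name == "Int32":
        return raw - (1 << 32) if raw & 0x80000000 else raw  # two's complement
    if type_name == "Char":
        return chr(raw & 0xFFFF)  # a UTF-16 code unit
    # Reference types (System.String, System.String[] here): the slot is the
    # object's address on the GC heap; `!dumpobj <addr>` shows its contents.
    return f"object @ 0x{raw:08x} (use !dumpobj)"

def parse_params(clrstack_text, method_name):
    """Map parameter name -> decoded value for the first method_name frame."""
    lines = [ln.strip() for ln in clrstack_text.splitlines()]
    for i, line in enumerate(lines):
        m = FRAME.match(line)
        if not m or m.group(1) != method_name:
            continue
        types = [t.strip() for t in m.group(2).split(",") if t.strip()]
        pairs = []
        for pline in lines[i + 1:]:
            pm = PARAM.match(pline)
            if pm:
                pairs.append((pm.group(1), int(pm.group(2), 16)))
            elif pline != "PARAMETERS:":
                break  # reached the next frame
        if pairs and pairs[0][0] == "this":
            pairs = pairs[1:]  # `this` is not part of the printed signature
        return {name: decode_value(t, raw) for (name, raw), t in zip(pairs, types)}
    return None
```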
恩,到這里吧,就到這里吧。如果有空還寫一片,就結(jié)合K命令,還有EIP和ESP來查看參數(shù)的方法,這個(gè)比較值得說說,不過比較麻煩。^_^
Friday, October 17, 2008 7:03:07 PM
First posted at: http://sscli.cnblogs.com
posted on 2008-10-17 19:08 by lbq1221119