使用CorDbg進行托管調試
Cordbg是和.Net Framework,以及Windows SDK一起ship的托管代碼的調試工具,相對于VS來說,它是一個比較low-level的調試工具.
本文的主要目的,就是看看Cordbg如何來進行托管調試,然后演示下其功能,看看其和其它的托管調試工具,譬如MDBG和windbg+SOS有啥不同.
Mdbg,是一個使用dbgeng.dll的調試接口來開發的一個開源調試工具,版本ms現在是2.0,很久沒更新了,主要是如果想依托MS的調試接口來開發一個調試器的話,可以參考這個open source的調試工具實現.不過mdbg也有一些比較有意思不錯的命令.
調試環境:
VS2008, Shared Source CLI 2.0, Clix.exe, Cordbg (Ver 2.0)
最新的MS關于Cordbg的命令行參考可以參考:
http://msdn.microsoft.com/en-us/library/a6zb7c8d.aspx#cpgrfruntimedebuggercordbgexeanchor4
A Victim Sample:
D:\Rotor\sscli20\binaries.x86dbg.rotor\test>type hello.cs
using System;
public class Hello
{
public static void Main()
{
string name = null;
int age = 0;
Console.Write("Enter your name: ");
name = Console.ReadLine();
Console.Write("Enter your age: ");
age = int.Parse(Console.ReadLine());
Console.WriteLine("Welcome {0}! You are {1} years old.",name, age);
}
}
這里,咱使用自己編譯出來的csc.exe:
D:\Rotor\sscli20\binaries.x86dbg.rotor\test>csc
Microsoft (R) Shared Source CLI C# Compiler version 2.0.0001
for Microsoft (R) Shared Source CLI version 2.0.0
Copyright (C) Microsoft Corporation. All rights reserved.
還有cordbg也是build出來的,還是build出來的好:
D:\Rotor\sscli20\binaries.x86dbg.rotor\test>cordbg
Microsoft (R) Common Language Runtime Test Debugger Shell Version 2.0.50826.0
Copyright (c) Microsoft Corporation. All rights reserved.
(cordbg)
編譯victim sample:
D:\Rotor\sscli20\binaries.x86dbg.rotor\test>csc /debug+ hello.cs
Microsoft (R) Shared Source CLI C# Compiler version 2.0.0001
for Microsoft (R) Shared Source CLI version 2.0.0
Copyright (C) Microsoft Corporation. All rights reserved.
得到兩個編譯之后的文件,hello.exe和hello.ildb,一個是可執行文件,一個是sscli調試下生成的symbol文件.
然后加載cordbg開始調試:
D:\Rotor\sscli20\binaries.x86dbg.rotor\test>cordbg hello.exe
Microsoft (R) Common Language Runtime Test Debugger Shell Version 2.0.50826.0
Copyright (c) Microsoft Corporation. All rights reserved.
(cordbg) run hello.exe
Process 3036/0xbdc created.
[thread 0x6e4] Thread created.
005: {
(cordbg)
這種是直接啟動hello.exe,然后停到源代碼第五行的大括號上面,也可以attach到一個process上面去.這個時候,可以直接查看源代碼,使用show命令:
(cordbg) sh
001: using System;
002: public class Hello
003: {
004: public static void Main()
005:* {
006: string name = null;
007: int age = 0;
008:
009: Console.Write("Enter your name: ");
010: name = Console.ReadLine();
011: Console.Write("Enter your age: ");
012: age = int.Parse(Console.ReadLine());
013: Console.WriteLine("Welcome {0}! You are {1} years old.",name, age);
014: }
015: }
(cordbg)
*號顯示的地方,表示的是當前調試step到的地方,一開始的時候是剛進入到main函數.也可以直接顯示diassemble之后的代碼:
(cordbg) dis
*[IL:0000] 00: nop
[IL:0001] 14: ldnull
[IL:0002] 0a: stloc.0
[IL:0003] 16: ldc.i4.0
[IL:0004] 0b: stloc.1
[IL:0005] 72:01000070 ldstr 70000001
(cordbg)
下一個斷點:
(cordbg) b hello::Main
#1 <UnknownModule>!hello::Main:0 [unbound]
(cordbg) b
#1 <UnknownModule>!hello::Main:0 [unbound]
顯示調用堆棧:
(cordbg) w
Thread 0x6e4 Current State:Normal
0)* hello!Hello::Main +0028 in D:\Rotor\sscli20\binaries.x86dbg.rotor\test\hello
.cs:5
--- Managed transition ---
(cordbg)
想往前step一下的時候,可以使用:
ss[ingle] Step into the next native or IL instruction
so Step over the next source line
si Step into the next source line
s[tep] Step into the next source line
i[n] Step into the next source line
(cordbg) s
006: string name = null;
(cordbg)
顯示寄存器內容:
(cordbg) reg
Thread 0xf84:
EIP = 038bfdb3 ESP = 001ae75c EBP = 001ae778 EAX = 00000000 ECX = 00000000
EDX = 001aed30 EBX = 7ffd5000 ESI = 00000000 EDI = 00000000
ST0 = n/a ST1 = n/a ST2 = n/a ST3 = n/a ST4 = n/a
ST5 = n/a ST6 = n/a ST7 = n/a
EFL = 0246 CS = 001b CY = 0 PE = 1 AC = 0 ZR = 1 PL = 0 EI = 1 UP = 0 OV = 0
ControlWord = ffff027f StatusWord = ffff0020 TagWord = ffffffff
ErrorOffset = 79c04362 ErrorSelector = 051c001b DataOffset = 001aaf28
DataSelector = ffff0023 Cr0NpxState = 00000000
(cordbg)
基本命令還有一些,不過大部分對經常使用基于dbgeng.dll的調試工具的人來說都不陌生.不過有一個命令使用起來特別有意思,感覺在顯示call tree方面是目前為止看到最強悍的:
Wt Track native instruction count and display call tree
(cordbg) wt
15 Hello::Main
20 Console::Write
55 Console::get_Out
40 Console::InitializeStdOutError
62 Console::get_InternalSyncObject
28 Object::.ctor
48 Console::get_InternalSyncObject
82 Console::InitializeStdOutError
54 Console::OpenStandardOutput
46 Console::GetStandardFile
24 SafeFileHandle::.ctor
33 SafeHandleZeroOrMinusOneIsInvalid::.ctor
22 SafeHandle::.ctor
20 CriticalFinalizerObject::.ctor
28 Object::.ctor
17 CriticalFinalizerObject::.ctor
53 SafeHandle::.ctor
22 GC::.cctor
28 Object::.ctor
24 GC::.cctor
61 GC::SuppressFinalize
7 SafeHandle::.ctor
41 BCLDebug::get_SafeHandleStackTracesEnabled
40 BCLDebug::CheckRegistry
22 AppDomain::get_CurrentDomain
26 Thread::GetDomain
74 Thread::get_CurrentThread
<Ctrl-C>
Async break not allowed at this time.
ControlC Trap
62 Thread::GetDomain
1054 instructions total
(cordbg)
這里的輸出要很久才能顯示完,故輸出了幾行就ctrl+c打斷了.
總的來說,用cordbg來進行托管調試還是不錯的,包含了windbg+sos的大部分功能.但是功能沒有windbg+sos強大,也沒有windbg圖形化調試各個窗口的狀態實時查看的清楚.所以,在某些場合下用用還是可以的.
Enjoy it. Cheer!
Lbq1221119@cnblogs first posted http://sscli.cnblogs.com
2008-11-13 00:53:28 AM
posted on 2008-11-17 22:23 lbq1221119 閱讀(2669) 評論(4) 收藏 舉報
浙公網安備 33010602011771號