WinDbg: basic first steps

Source code

#include <stdio.h>
#include <string>

typedef struct _st {
    int a;
    int b;
} ST;

/* Writes a+b through p and returns the smaller of the two fields.
   With cdecl, at entry [esp] is the return address, [esp+4] is p and
   [esp+8] is the address that the reference s is passed as. */
int fun(int* p, const ST& s)
{
    *p = s.a + s.b;
    return s.a < s.b ? s.a : s.b;
}

int main()
{
    ST s;
    s.a = 3;
    s.b = 4;
    int ret = -1;                 /* visible as ffffffff in the stack dump below */
    int dd = fun(&ret, s);
    printf("%d", dd);
    getchar();                    /* keep the process alive for the debugger */
    return 0;
}


1. !address: find out which mapping the initial breakpoint lives in. When a process is started under the debugger it stops at the loader's int 3 in ntdll!LdrpDoDebuggerBreak, not in the program's own code. bp $exentry sets a breakpoint on the image entry point ($exentry is a pseudo-register WinDbg fills in for the current target), bl lists the breakpoints, and !address on the current address reports the region it belongs to (here the ntdll.dll image, PAGE_EXECUTE_READ).

ntdll!LdrpDoDebuggerBreak+0x2c:

77540ed4 cc              int     3
0:000> bp $exentry
*** WARNING: Unable to verify checksum for test.exe
0:000> bl
     0 e Disable Clear  00af127b     0001 (0001)  0:**** test!ILT+630(_mainCRTStartup)
0:000> !address 77540ed4 
                                     
Mapping file section regions...
Mapping module regions...
Mapping PEB regions...
Mapping TEB and stack regions...
Mapping heap regions...
Mapping page heap regions...
Mapping other regions...
Mapping stack trace database regions...
Mapping activation context regions...


Usage:                  Image
Base Address:           774b0000
End Address:            77586000
Region Size:            000d6000 ( 856.000 kB)
State:                  00001000          MEM_COMMIT
Protect:                00000020          PAGE_EXECUTE_READ
Type:                   01000000          MEM_IMAGE
Allocation Base:        774a0000
Allocation Protect:     00000080          PAGE_EXECUTE_WRITECOPY
Image Path:             ntdll.dll
Module Name:            ntdll
Loaded Image Name:      C:\Windows\SysWOW64\ntdll.dll
Mapped Image Name:      
More info:              lmv m ntdll
More info:              !lmi ntdll
More info:              ln 0x77540ed4
More info:              !dh 0x774a0000




Content source: 1 (target), length: 12c


2. lm: list the loaded modules and their symbol status. test has private PDB symbols loaded; "(deferred)" means WinDbg has not loaded that module's symbols yet and will do so on first use. With symbols present, bp test!main resolves directly to the address of main.

0:000> lm
start    end        module name
00ae0000 00b03000   test     C (private pdb symbols)  E:\Program Files (x86)\Windows Kits\10\Debuggers\x86\sym\test.pdb\37CD5525EB634D36AC9FD918207AF1512\test.pdb
594f0000 596af000   MSVCR120D   (deferred)             
597a0000 59869000   MSVCP120D   (deferred)             
76360000 76470000   kernel32   (deferred)             
76470000 764b7000   KERNELBASE   (deferred)             
774a0000 77620000   ntdll      (pdb symbols)          E:\Program Files (x86)\Windows Kits\10\Debuggers\x86\sym\wntdll.pdb\156A0C04210F41998644103A7354418D2\wntdll.pdb
0:000> bp test!main
0:000> bl
     0 e Disable Clear  00af127b     0001 (0001)  0:**** test!ILT+630(_mainCRTStartup)
     1 e Disable Clear  00af5410     0001 (0001)  0:**** test!main

3. Look up the function symbol and break on it. x test!fun prints the resolved address and the decorated signature; note that the const ST& parameter is shown as a pointer, which is also how it is passed on the stack. g then runs until the breakpoint on fun is hit.
0:000> x test!fun
00af4c30          test!fun (int *, struct _st *)
0:000> bp test!fun
0:000> g


4. k (or kv for the extra frame information) shows the call stack. At the entry of fun, esp points to the return address, esp+4 to the first (leftmost) parameter, esp+8 to the second, and so on, because the cdecl calling convention pushes arguments right to left before the call. The dumps below confirm it: [esp] = 00af545a is the return address into main (the RetAddr of frame 00), [esp+4] = 0045fb20 is p, and that address holds ffffffff, the initial value -1 of ret; [esp+8] = 0045fb2c is the address of s, holding 00000003 and 00000004. The cccccccc words are the uninitialised-stack fill pattern of an MSVC debug build.

0:000> k
 # ChildEBP RetAddr  
00 0045fa34 00af545a test!fun [g:\vsprojects\test\test\test.cpp @ 10] 
01 0045fb3c 00af5db9 test!main+0x4a [g:\vsprojects\test\test\test.cpp @ 21] 
02 0045fb8c 00af5fad test!__tmainCRTStartup+0x199 [f:\dd\vctools\crt\crtw32\dllstuff\crtexe.c @ 626] 
03 0045fb94 7637336a test!mainCRTStartup+0xd [f:\dd\vctools\crt\crtw32\dllstuff\crtexe.c @ 466] 
04 0045fba0 774d9902 kernel32!BaseThreadInitThunk+0xe
05 0045fbe0 774d98d5 ntdll!__RtlUserThreadStart+0x70
06 0045fbf8 00000000 ntdll!_RtlUserThreadStart+0x1b
0:000> .frame 0
00 0045fa34 00af545a test!fun [g:\vsprojects\test\test\test.cpp @ 10] 
0:000> dd esp
0045fa38  00af545a 0045fb20 0045fb2c 00000000
0045fa48  00000000 7efde000 cccccccc cccccccc
0045fa58  cccccccc cccccccc cccccccc cccccccc
0045fa68  cccccccc cccccccc cccccccc cccccccc
0045fa78  cccccccc cccccccc cccccccc cccccccc
0045fa88  cccccccc cccccccc cccccccc cccccccc
0045fa98  cccccccc cccccccc cccccccc cccccccc
0045faa8  cccccccc cccccccc cccccccc cccccccc
0:000> dd 0045fb20
0045fb20  ffffffff cccccccc cccccccc 00000003
0045fb30  00000004 cccccccc bbee73d5 0045fb8c
0045fb40  00af5db9 00000001 005281a8 00528760
0045fb50  bbee7365 00000000 00000000 7efde000
0045fb60  00000000 59cce7d8 00000000 00460000
0045fb70  00000000 0045fb50 e22294be 0045fbd0
0045fb80  00af1109 bb046069 00000000 0045fb94
0045fb90  00af5fad 0045fba0 7637336a 7efde000
0:000> dd 0045fb2c 
0045fb2c  00000003 00000004 cccccccc bbee73d5
0045fb3c  0045fb8c 00af5db9 00000001 005281a8
0045fb4c  00528760 bbee7365 00000000 00000000
0045fb5c  7efde000 00000000 59cce7d8 00000000
0045fb6c  00460000 00000000 0045fb50 e22294be
0045fb7c  0045fbd0 00af1109 bb046069 00000000
0045fb8c  0045fb94 00af5fad 0045fba0 7637336a
0045fb9c  7efde000 0045fbe0 774d9902 7efde000
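The layout described in step 4 can be checked mechanically instead of by eye. The following Python script is an added example, not part of the original post: it parses the post's own dd output (copied below as a string; only the two dumps needed for the walk are included) into a sparse memory image, walks the cdecl frame at esp, dereferences p and the reference to s, and then applies the source of fun to the recovered values. The names parse_dd, walk_cdecl_frame, emulate_fun and the constants ESP_AT_FUN_ENTRY and MSVC_DEBUG_FILL are this example's own; it assumes 32-bit little-endian dwords, which is what a WOW64 x86 target gives.

```python
"""Walk the cdecl frame of fun(int* p, const ST& s) from WinDbg `dd` output.

Added example, not part of the original post. The only input is the post's
own `dd` dumps (copied below); addresses are 32-bit little-endian dwords.
"""
import re
import struct

# Constructed input: the `dd` lines shown earlier on this page, verbatim.
DUMP = """
0:000> dd esp
0045fa38  00af545a 0045fb20 0045fb2c 00000000
0045fa48  00000000 7efde000 cccccccc cccccccc
0:000> dd 0045fb20
0045fb20  ffffffff cccccccc cccccccc 00000003
0045fb30  00000004 cccccccc bbee73d5 0045fb8c
"""
ESP_AT_FUN_ENTRY = 0x0045FA38  # value of esp in the `dd esp` dump above (assumed from the dump)
MSVC_DEBUG_FILL = 0xCCCCCCCC   # uninitialised-stack fill pattern of an MSVC debug build

# "<addr>  <dword> <dword> ..."; prompt lines such as "0:000> dd esp" do not match.
DD_LINE = re.compile(r"^([0-9a-fA-F]{8})\s+((?:[0-9a-fA-F]{8}\s*)+)$")


def parse_dd(text):
    """Turn `dd` output into {address: dword}; each line holds up to 4 dwords."""
    mem = {}
    for raw in text.splitlines():
        m = DD_LINE.match(raw.strip())
        if not m:
            continue
        base = int(m.group(1), 16)
        for i, word in enumerate(m.group(2).split()):
            mem[base + 4 * i] = int(word, 16)
    return mem


def read_dword(mem, addr):
    """Dereference a 32-bit address; fail loudly if the dump did not cover it."""
    try:
        return mem[addr]
    except KeyError:
        raise KeyError(f"address {addr:08x} is not in the dump") from None


def as_int32(dword):
    """Reinterpret a dword as a signed C int (ffffffff -> -1)."""
    return struct.unpack("<i", struct.pack("<I", dword))[0]


def walk_cdecl_frame(mem, esp):
    """At function entry under cdecl: [esp] is the return address, then the
    arguments left to right at esp+4, esp+8, ... (the caller pushed them
    right to left)."""
    ret_addr = read_dword(mem, esp)
    p = read_dword(mem, esp + 4)        # int* p
    s_addr = read_dword(mem, esp + 8)   # const ST& s arrives as a pointer
    return {
        "return_address": ret_addr,
        "p": p,
        "*p": as_int32(read_dword(mem, p)),
        "&s": s_addr,
        "s.a": as_int32(read_dword(mem, s_addr)),
        "s.b": as_int32(read_dword(mem, s_addr + 4)),
        # the gap between the locals ret and s on the debug stack keeps the fill
        "gap_is_debug_fill": all(
            read_dword(mem, a) == MSVC_DEBUG_FILL for a in (p + 4, p + 8)
        ),
    }


def emulate_fun(frame):
    """Apply the source of fun() to the recovered arguments:
    *p = s.a + s.b, and the return value is the smaller of s.a and s.b."""
    a, b = frame["s.a"], frame["s.b"]
    return a + b, min(a, b)


if __name__ == "__main__":
    memory = parse_dd(DUMP)
    entry = walk_cdecl_frame(memory, ESP_AT_FUN_ENTRY)
    for name, value in entry.items():
        print(f"{name:>18}: {value:#010x}" if isinstance(value, int) and value > 0xFF else f"{name:>18}: {value}")
    written, returned = emulate_fun(entry)
    print(f"fun() will write *p = {written} and return {returned}")
```

The return address it recovers is the RetAddr of frame 00 in the k output, p holds the -1 that main stored in ret, and s is read back as {3, 4}; emulate_fun then predicts that fun writes 7 and returns 3, which is exactly the constant the release build's main pushes for printf once the compiler has folded the call away.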


5. Release build: the optimizer strips almost everything. fun was inlined and its result constant-folded, so main no longer calls it at all; it pushes the precomputed 3 (the smaller of 3 and 4) and the "%d" format string, calls printf, then getchar. Because no separate fun survives in the image, bp test!fun fails with "Couldn't resolve error": there is no symbol to resolve, and you have to break on main or on the imported printf instead. db on the string address shows the "%d" format string followed by the CRT's own string literals.
test!main:
010612a0 6a03            push    3
010612a2 688c310601      push    offset test!`string' (0106318c)
010612a7 ff15b8300601    call    dword ptr [test!_imp__printf (010630b8)]
010612ad 83c408          add     esp,8
010612b0 ff15ac300601    call    dword ptr [test!_imp__getchar (010630ac)]
010612b6 33c0            xor     eax,eax

0:000> bp test!fun
Couldn't resolve error at 'test!fun'
0:000> db 0106318c
0106318c  25 64 00 00 73 74 72 69-6e 67 20 74 6f 6f 20 6c  %d..string too l
0106319c  6f 6e 67 00 69 6e 76 61-6c 69 64 20 73 74 72 69  ong.invalid stri
