Search the entire code for a specific call instruction with windbg
Is it possible to search the entire executable memory space to find all the places that call a specific method? For example, I want to find all functions from which MyApplication!MyFunction is called. Searching for a specific opcode with the "s" command is not an option, because in my case the call instruction uses a relative code path, so the opcode differs depending on where the call instruction itself is located.
0:000> lm m calc
Browse full module list
start end module name
005f0000 006b0000 calc (pdb symbols) e:\symbols\calc.pdb
1D2945E998438C847643A9DB39C88E2\calc.pdb
0:000> $$ we can search for who calls the operator new function within calc's memory space
0:000> # op*new 5f0000 l?(6b0000-5f0000)
Output
calc!WinMain+0x213:
005f17e7 e89a0a0000 call calc!operator new (005f2286)
calc!WinMain+0x272:
005f1843 e83e0a0000 call calc!operator new (005f2286)
calc!operator new+0x26:
005f229d 0f84fcb80200 je calc!operator new+0x11 (0061db9f)
calc!operator new[]+0x26:
005f32b1 0f8438a90200 je calc!operator new[]+0x11 (0061dbef)
calc!CCalculatorState::storeAndFire+0x7:
005f33c9 e83becffff call calc!operator new (005f2009)
calc!CCalculatorState::storeAndFire+0x76:
005f3437 e84aeeffff call calc!operator new (005f2286)
calc!CCalculatorState::storeAndFire+0x8a:
005f3447 e83aeeffff call calc!operator new (005f2286)
calc!CUIController::UpdateTwoLineDisplay+0x56:
005f35c7 e8cefcffff call calc!operator new[] (005f329a)
calc!ATL::CAutoVectorPtr<ATL::CAtlREMatchContext<ATL::CAtlRECharTraitsW>::MatchGroup>::Allocate+0x7:
005f3a8c e81ae8ffff call calc!operator new+0x30 (005f22ab)
calc!ATL::CAutoVectorPtr<ATL::CAtlREMatchContext<ATL::CAtlRECharTraitsW>::MatchGroup>::Allocate+0x27:
005f3aac e8e9f7ffff call calc!operator new[] (005f329a)
calc!ATL::CAtlREMatchContext<ATL::CAtlRECharTraitsW>::CAtlREMatchContext<ATL::CAtlRECharTraitsW>+0x7:
005f3b52 e8b2e4ffff call calc!operator new (005f2009)
calc!ATL::CAutoVectorPtr<void *>::Allocate+0x7:
Similar to the answer above, but spelling out how to find the start and size of the .text section.
!dh -f abc.exe
0000000140000000 image base
!dh -s abc.exe
SECTION HEADER #1
.text name
124D6A virtual size
1000 virtual address
124E00 size of raw data
400 file pointer to raw data
Add the RVA of .text (1000) to the image base (140000000) and disassemble the entire .text section
u 140001000 L124D6A
Or
Use # command to find the function in the disassembly
# GetSimpleProtocol 140001000 L124D6A
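As an added illustration of why the byte search in the question fails and what the `#` command is resolving (this is example code, not from the post or from WinDbg): an E8 call encodes a 32-bit displacement relative to the address of the next instruction, so the five bytes differ at every call site even when the destination is the same. The scanner below re-encodes three of the `calc!operator new` calls from the first answer's output, then walks a constructed code buffer and reports every call whose resolved target equals a given function address. The buffer, its base address and the extra call to 005f2009 are constructed for this example; the buffer is not a dump of calc.exe.

```python
import struct


def rel32_call_target(insn_addr, disp):
    """Destination of a 5-byte `E8 rel32` call: next-instruction address plus signed disp32."""
    return (insn_addr + 5 + disp) & 0xFFFFFFFF


def encode_call(insn_addr, target):
    """Encode `call target` as it would appear at insn_addr (x86/x64 E8 rel32 form).

    The displacement is relative to insn_addr + 5, which is why the same target
    produces different bytes at each call site.
    """
    disp = (target - (insn_addr + 5)) & 0xFFFFFFFF
    return b"\xe8" + struct.pack("<I", disp)


def find_calls_to(code, base, target):
    """Return the addresses of every `E8 rel32` call in `code` (loaded at `base`)
    whose resolved destination is `target`.

    Caveat: this is a linear byte scan, not a walk of the disassembly like
    WinDbg's `#` command, so an E8 byte inside another instruction or inside
    data can produce a false positive. Confirm hits with `u <address>`.
    """
    hits = []
    for off in range(len(code) - 4):
        if code[off] != 0xE8:
            continue
        disp = struct.unpack_from("<i", code, off + 1)[0]
        insn_addr = base + off
        if rel32_call_target(insn_addr, disp) == target:
            hits.append(insn_addr)
    return hits


# Constructed sample (assumption for this example): NOP padding with three calls
# dropped in at offsets chosen so that two of them land at the addresses shown in
# the first answer's output (005f17e7 and 005f1843, both calling operator new at
# 005f2286) and one calls a different target, 005f2009.
OPERATOR_NEW = 0x005F2286
BASE = 0x005F17E0
_buf = bytearray(b"\x90" * 0x70)
_buf[0x07:0x0C] = bytes.fromhex("e89a0a0000")           # 005f17e7 call calc!operator new
_buf[0x20:0x25] = encode_call(BASE + 0x20, 0x005F2009)  # 005f1800 call 005f2009 (constructed)
_buf[0x63:0x68] = bytes.fromhex("e83e0a0000")           # 005f1843 call calc!operator new
SAMPLE_CODE = bytes(_buf)


def demo():
    """Addresses of the constructed buffer's calls to operator new, as hex strings."""
    return [hex(a) for a in find_calls_to(SAMPLE_CODE, BASE, OPERATOR_NEW)]


if __name__ == "__main__":
    for addr, tgt in ((0x005F17E7, OPERATOR_NEW), (0x005F1843, OPERATOR_NEW), (0x005F3437, OPERATOR_NEW)):
        print(f"{addr:08x} {encode_call(addr, tgt).hex()} call {tgt:08x}")
    print("calls to operator new in sample:", demo())
```

Running the block prints the same three encodings that appear in the `#` output above (e89a0a0000, e83e0a0000, e84aeeffff), which is the whole reason a fixed-byte `s` search cannot work. Two practical notes on the `#` command itself: it matches the pattern against the disassembly text rather than the bytes, which is why the `je calc!operator new+0x11` lines also show up in the output; a tighter pattern such as `call*op*new` narrows the hits to calls. And on x64 builds, calls to imported functions are usually `call qword ptr [rip+disp32]` (FF 15) through the IAT rather than E8, so search for the import's symbol or IAT slot instead of the callee's address.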