Windbg 预览版 kd dump 命令执行不正确
Windbg Preview kd dump command doesn't perform correctly
我正在使用 Windbg Preview 调试一个普通程序。我用 kd 命令转储堆栈,
但发现它并没有从 esp 开始向下打印相应的内存:
r 命令显示 esp 指向 0x29af810,而 kd
只显示了 0x29af814 及更高地址的内存。我以为单步执行一条指令后它会自行纠正,但它似乎保持不变。这是 Windbg 预览版的已知错误吗?
即使在第一次中断(first break)时,它似乎也会给出错误的结果。
(3f44.87c): Break instruction exception - code 80000003 (first
chance)
eax=00000000 ebx=00000000 ecx=189c0000 edx=00000000 esi=77d52054
edi=77d5261c
eip=77df1ba2 esp=005bf984 ebp=005bf9b0 iopl=0 nv up ei pl zr
na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b
efl=00000246
ntdll!LdrpDoDebuggerBreak+0x2b:
77df1ba2 cc int 3
0:000> kd 10
005bf9b0 005bfc10
005bf9b4 77dec0a8 ntdll!LdrpInitializeProcess+0x1c98
005bf9b8 c12453e3
005bf9bc 0286d000
005bf9c0 00000000
005bf9c4 02870000
005bf9c8 00640062
005bf9cc 02af2738
005bf9d0 005bfb44
005bf9d4 00000000
005bf9d8 00000201
005bf9dc 00000000
005bf9e0 005bfb40
005bf9e4 00000000
005bf9e8 02af4198
005bf9ec 77e65d00 ntdll!LdrpWorkQueue
kd 是从帧偏移(Frame Offset,即 ChildEBP)开始打印原始双字的(见编辑)
您可以使用 .frame 命令检查当前帧的帧偏移
@esp 可能与帧偏移不同(若要从 esp 开始转储,可直接使用 dd @esp)
你观察到的结果有什么不同吗?
0:000> .frame
00 00a3fc94 00f367ba cdb!wmain+0xb
0:000> k 1
ChildEBP RetAddr
00a3fc94 00f367ba cdb!wmain+0xb
0:000> kd 4
00a3fc94 00a3fcd4
00a3fc98 00f367ba cdb!__wmainCRTStartup+0x107
00a3fc9c 00000001
00a3fca0 050f2210
0:000> ?@esp
Evaluate expression: 10746476 = 00a3fa6c
0:000>
任意一个进程的完整调用堆栈、各帧的帧偏移(ChildEBP)以及寄存器上下文(RegisterContext)中的 esp 寄存器,打印出来如下
0:000> .frame 0
00 00a3fc94 00f367ba cdb!wmain+0xb
0:000> .frame 1
01 00a3fcd4 75346359 cdb!__wmainCRTStartup+0x107
0:000> .frame 2
02 00a3fce4 776687a4 KERNEL32!BaseThreadInitThunk+0x19
0:000> .frame 3
03 00a3fd40 77668774 ntdll!__RtlUserThreadStart+0x2f
0:000> .frame 4
04 00a3fd50 00000000 ntdll!_RtlUserThreadStart+0x1b
0:000> .frame 5
Cannot find frame 0x5, previous scope unchanged
04 00a3fd50 00000000 ntdll!_RtlUserThreadStart+0x1b
0:000> .frame /c 0 ; kd 2
00 00a3fc94 00f367ba cdb!wmain+0xb
eax=00a40000 ebx=00000000 ecx=00f3f2f8 edx=00000080 esi=00000001 edi=00000000
eip=00f33c99 esp=00a3fa6c ebp=00a3fc94 iopl=0 nv up ei pl nz ac pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000216
cdb!wmain+0xb:
00f33c99 a1448ff300 mov eax,dword ptr [cdb!__security_cookie (00f38f44)] ds:002b:00f38f44=4d19f94c
00a3fc94 00a3fcd4
00a3fc98 00f367ba cdb!__wmainCRTStartup+0x107
0:000> .frame /c 1 ; kd 2
01 00a3fcd4 75346359 cdb!__wmainCRTStartup+0x107
eax=00a40000 ebx=00000000 ecx=00f3f2f8 edx=00000080 esi=00000001 edi=00000000
eip=00f367ba esp=00a3fc9c ebp=00a3fcd4 iopl=0 nv up ei pl nz ac pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000216
cdb!__wmainCRTStartup+0x107:
00f367ba 83c40c add esp,0Ch
00a3fcd4 00a3fce4
00a3fcd8 75346359 KERNEL32!BaseThreadInitThunk+0x19
0:000> .frame /c 2 ; kd 2
02 00a3fce4 776687a4 KERNEL32!BaseThreadInitThunk+0x19
eax=00a40000 ebx=0095f000 ecx=00f3f2f8 edx=00000080 esi=00f368c0 edi=00f368c0
eip=75346359 esp=00a3fcdc ebp=00a3fce4 iopl=0 nv up ei pl nz ac pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000216
KERNEL32!BaseThreadInitThunk+0x19:
75346359 50 push eax
00a3fce4 00a3fd40
00a3fce8 776687a4 ntdll!__RtlUserThreadStart+0x2f
0:000> .frame /c 3 ; kd 2
03 00a3fd40 77668774 ntdll!__RtlUserThreadStart+0x2f
eax=00a40000 ebx=0095f000 ecx=00f3f2f8 edx=00000080 esi=75346340 edi=00f368c0
eip=776687a4 esp=00a3fcec ebp=00a3fd40 iopl=0 nv up ei pl nz ac pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000216
ntdll!__RtlUserThreadStart+0x2f:
776687a4 e9fea00300 jmp ntdll!__RtlUserThreadStart+0x3a132 (776a28a7)
00a3fd40 00a3fd50
00a3fd44 77668774 ntdll!_RtlUserThreadStart+0x1b
0:000> .frame /c 4 ; kd 2
04 00a3fd50 00000000 ntdll!_RtlUserThreadStart+0x1b
eax=00a40000 ebx=0095f000 ecx=00f3f2f8 edx=00000080 esi=00000000 edi=00000000
eip=77668774 esp=00a3fd48 ebp=00a3fd50 iopl=0 nv up ei pl nz ac pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000216
ntdll!_RtlUserThreadStart+0x1b:
77668774 cc int 3
00a3fd50 00000000
00a3fd54 00000000
0:000> .frame /c 5 ; kd 2
Cannot find frame 0x1, previous scope unchanged
04 00a3fd50 00000000 ntdll!_RtlUserThreadStart+0x1b
eax=00a40000 ebx=0095f000 ecx=00f3f2f8 edx=00000080 esi=00000000 edi=00000000
eip=77668774 esp=00a3fd48 ebp=00a3fd50 iopl=0 nv up ei pl nz ac pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000216
ntdll!_RtlUserThreadStart+0x1b:
77668774 cc int 3
00a3fd50 00000000
00a3fd54 00000000
0:000>
我正在使用 Windbg Preview 调试一个普通程序。我用 kd 命令转储堆栈,
但发现它并没有从 esp 开始向下打印相应的内存:
r 命令显示 esp 指向 0x29af810,而 kd
只显示了 0x29af814 及更高地址的内存。我以为单步执行一条指令后它会自行纠正,但它似乎保持不变。这是 Windbg 预览版的已知错误吗?
即使在第一次中断(first break)时,它似乎也会给出错误的结果。
(3f44.87c): Break instruction exception - code 80000003 (first
chance)
eax=00000000 ebx=00000000 ecx=189c0000 edx=00000000 esi=77d52054
edi=77d5261c
eip=77df1ba2 esp=005bf984 ebp=005bf9b0 iopl=0 nv up ei pl zr
na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b
efl=00000246
ntdll!LdrpDoDebuggerBreak+0x2b:
77df1ba2 cc int 3
0:000> kd 10
005bf9b0 005bfc10
005bf9b4 77dec0a8 ntdll!LdrpInitializeProcess+0x1c98
005bf9b8 c12453e3
005bf9bc 0286d000
005bf9c0 00000000
005bf9c4 02870000
005bf9c8 00640062
005bf9cc 02af2738
005bf9d0 005bfb44
005bf9d4 00000000
005bf9d8 00000201
005bf9dc 00000000
005bf9e0 005bfb40
005bf9e4 00000000
005bf9e8 02af4198
005bf9ec 77e65d00 ntdll!LdrpWorkQueue
kd 是从帧偏移(Frame Offset,即 ChildEBP)开始打印原始双字的(见编辑)
您可以使用 .frame 命令检查当前帧的帧偏移
@esp 可能与帧偏移不同(若要从 esp 开始转储,可直接使用 dd @esp)
你观察到的结果有什么不同吗?
0:000> .frame
00 00a3fc94 00f367ba cdb!wmain+0xb
0:000> k 1
ChildEBP RetAddr
00a3fc94 00f367ba cdb!wmain+0xb
0:000> kd 4
00a3fc94 00a3fcd4
00a3fc98 00f367ba cdb!__wmainCRTStartup+0x107
00a3fc9c 00000001
00a3fca0 050f2210
0:000> ?@esp
Evaluate expression: 10746476 = 00a3fa6c
0:000>
任意一个进程的完整调用堆栈、各帧的帧偏移(ChildEBP)以及寄存器上下文(RegisterContext)中的 esp 寄存器,打印出来如下
0:000> .frame 0
00 00a3fc94 00f367ba cdb!wmain+0xb
0:000> .frame 1
01 00a3fcd4 75346359 cdb!__wmainCRTStartup+0x107
0:000> .frame 2
02 00a3fce4 776687a4 KERNEL32!BaseThreadInitThunk+0x19
0:000> .frame 3
03 00a3fd40 77668774 ntdll!__RtlUserThreadStart+0x2f
0:000> .frame 4
04 00a3fd50 00000000 ntdll!_RtlUserThreadStart+0x1b
0:000> .frame 5
Cannot find frame 0x5, previous scope unchanged
04 00a3fd50 00000000 ntdll!_RtlUserThreadStart+0x1b
0:000> .frame /c 0 ; kd 2
00 00a3fc94 00f367ba cdb!wmain+0xb
eax=00a40000 ebx=00000000 ecx=00f3f2f8 edx=00000080 esi=00000001 edi=00000000
eip=00f33c99 esp=00a3fa6c ebp=00a3fc94 iopl=0 nv up ei pl nz ac pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000216
cdb!wmain+0xb:
00f33c99 a1448ff300 mov eax,dword ptr [cdb!__security_cookie (00f38f44)] ds:002b:00f38f44=4d19f94c
00a3fc94 00a3fcd4
00a3fc98 00f367ba cdb!__wmainCRTStartup+0x107
0:000> .frame /c 1 ; kd 2
01 00a3fcd4 75346359 cdb!__wmainCRTStartup+0x107
eax=00a40000 ebx=00000000 ecx=00f3f2f8 edx=00000080 esi=00000001 edi=00000000
eip=00f367ba esp=00a3fc9c ebp=00a3fcd4 iopl=0 nv up ei pl nz ac pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000216
cdb!__wmainCRTStartup+0x107:
00f367ba 83c40c add esp,0Ch
00a3fcd4 00a3fce4
00a3fcd8 75346359 KERNEL32!BaseThreadInitThunk+0x19
0:000> .frame /c 2 ; kd 2
02 00a3fce4 776687a4 KERNEL32!BaseThreadInitThunk+0x19
eax=00a40000 ebx=0095f000 ecx=00f3f2f8 edx=00000080 esi=00f368c0 edi=00f368c0
eip=75346359 esp=00a3fcdc ebp=00a3fce4 iopl=0 nv up ei pl nz ac pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000216
KERNEL32!BaseThreadInitThunk+0x19:
75346359 50 push eax
00a3fce4 00a3fd40
00a3fce8 776687a4 ntdll!__RtlUserThreadStart+0x2f
0:000> .frame /c 3 ; kd 2
03 00a3fd40 77668774 ntdll!__RtlUserThreadStart+0x2f
eax=00a40000 ebx=0095f000 ecx=00f3f2f8 edx=00000080 esi=75346340 edi=00f368c0
eip=776687a4 esp=00a3fcec ebp=00a3fd40 iopl=0 nv up ei pl nz ac pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000216
ntdll!__RtlUserThreadStart+0x2f:
776687a4 e9fea00300 jmp ntdll!__RtlUserThreadStart+0x3a132 (776a28a7)
00a3fd40 00a3fd50
00a3fd44 77668774 ntdll!_RtlUserThreadStart+0x1b
0:000> .frame /c 4 ; kd 2
04 00a3fd50 00000000 ntdll!_RtlUserThreadStart+0x1b
eax=00a40000 ebx=0095f000 ecx=00f3f2f8 edx=00000080 esi=00000000 edi=00000000
eip=77668774 esp=00a3fd48 ebp=00a3fd50 iopl=0 nv up ei pl nz ac pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000216
ntdll!_RtlUserThreadStart+0x1b:
77668774 cc int 3
00a3fd50 00000000
00a3fd54 00000000
0:000> .frame /c 5 ; kd 2
Cannot find frame 0x1, previous scope unchanged
04 00a3fd50 00000000 ntdll!_RtlUserThreadStart+0x1b
eax=00a40000 ebx=0095f000 ecx=00f3f2f8 edx=00000080 esi=00000000 edi=00000000
eip=77668774 esp=00a3fd48 ebp=00a3fd50 iopl=0 nv up ei pl nz ac pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000216
ntdll!_RtlUserThreadStart+0x1b:
77668774 cc int 3
00a3fd50 00000000
00a3fd54 00000000
0:000>