[Help] A WinDbg command
Posted: 2009-11-16 22:54 | 5312

.call, an extension command:

Debugging Tools for Windows
.call (Call Function)
The .call command causes the target process to execute a function.

Syntax
.call [/v] Function( Arguments )
.call /s Prototype Function( Arguments )
.call /c
.call /C

Parameters
/v
Verbose information about the call and its arguments is displayed.
/s Prototype
Allows you to call the function that is specified by Function even though you do not have the correct symbols. In this case, you must have symbols for another function that has the same calling prototype as the function you are trying to call. The Prototype parameter is the name of this prototype function.
Function
Specifies the function being called. This can be the name of the function (preferably qualified with a module name), or any other expression that evaluates to the function address. If you need to call a constructor or destructor, you must supply the address — or else use a C++ expression to evaluate named syntax for the operators (see Numerical Expression Syntax for details).
Arguments
Specifies the arguments passed to the function. If you are calling a method, the first argument must be this, and all other arguments follow it. Arguments should be separated with commas and should match the usual argument syntax. Variable-length argument lists are supported. Expressions within an argument are parsed by the C++ expression evaluator; see C++ Numbers and Operators for details. You cannot enter a literal string as an argument, but you can use a pointer to a string, or any other memory accessible to the target process.
/c
Clears any existing call on the current thread.
/C
Clears any existing call on the current thread, and resets the context of the current thread to the context stored by the outstanding call.

Environment
Modes: user mode only
Targets: live debugging only
Platforms: x86 and x64 only

Comments
The specified function is called by the current thread of the current process.

Only the cdecl, stdcall, fastcall, and thiscall calling conventions are supported. Managed code cannot be called by this command.

After .call is used, the debugger will update the stack, change the instruction pointer to point to the beginning of the called function, and then stop. Use g (Go) to resume execution, or ~. g to execute just the thread making the call.

When the function returns, a break occurs and the debugger displays the return value of the function. The return value is also stored in the $callret pseudo-register, which acquires the type of the return value.

If you have broken into the target using CTRL+C or CTRL+BREAK, the current thread is an additional thread created to handle the breakin. If you issue a .call command at this point, the extra thread will be used for the called function.

If you have reached a predefined breakpoint, there is no extra breakin thread. If you use .call while at a breakpoint in user mode, you could use g to execute the entire process, or ~. g to execute just the current thread. Using g may distort your program's behavior, since you have taken one thread and diverted it to this new function. On the other hand, this thread will still have its locks and other attributes, and thus ~. g may risk deadlocks.

The safest way to use .call is to set a breakpoint in your code at a location where a certain function could be safely called. When that breakpoint is hit, you can use .call if you desire that function to run. If you use .call at a point where this function could not normally be called, a deadlock or target corruption could result.

It may be useful to add extra functions to your source code that are not called by the existing code, but are intended to be called by the debugger. For example, you could add functions that are used to investigate the current state of your code and its environment and store information about the state in a known memory location. Be sure not to optimize your code, or these functions may be removed by the compiler. Use this technique only as a last resort, because if your application crashes .call will not be available when debugging the dump file.

The .call /c and .call /C commands should only be used if an attempt to use .call has failed, or if you changed your mind before entering the g command. These should not be used casually, since abandoning an uncompleted call can lead to a corrupted target state.

The following code example shows how the .call /s command is used.

.call /s KnownFunction UnknownFunction( 1 )

In this example, you have private symbols for KnownFunction, which takes an integer as its only argument and returns, for example, a pointer to an array. You do not have symbols, or possibly you only have public symbols for UnknownFunction, but you do know that it takes an integer as its only argument and returns a pointer to an array. By using the /s option, you can specify that UnknownFunction will work the same way that KnownFunction does. Thus, you can successfully generate a call to UnknownFunction.

© 2009 Microsoft Corporation
Debugging Tools for Windows, January 17, 2009

That is what the help file says. Roughly, it means you can call a function that has symbols.

0:000> .call /s LoadLibraryA(1) LoadLibraryA(2)
                              ^ Symbol not a function in '.call /s LoadLibraryA(1) LoadLibraryA(2)'

This is what I typed.

0:000> x kernel32!LoadLibraryA
7c801d77 kernel32!LoadLibraryA (<no parameter info>)

The symbol does exist.

What does "Symbol not a function" mean in .call /s LoadLibraryA(1)?

I googled it.

How is .call supposed to be used? For example, I need the target process to load a patch DLL of mine, for debugging purposes.

I googled some other people's answers, but none of them explained it clearly. Roughly, what they were saying is this:
I think the problem here is that .call requires private symbols in order to retrieve calling convention and parameter information for a function (at least, that's my understanding of it).

"Ivan Brugiolo [MSFT]" <ivanbrug@online.microsoft.com> wrote in message news:Ol$j7gagFHA.2444@tk2msftngp13.phx.gbl...

I don't get it! What are "private symbols"? A symbol is a symbol; it's just an address the debugger can recognize. What's public or private about that?
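The help text quoted above describes two practical uses of .call: adding functions to your own source that nothing in the program calls but the debugger can invoke to snapshot state into a known memory location, and using .call /s to borrow the prototype of a function you do have private symbols for. The following C translation unit is an added example written for this thread; it is not Microsoft's code and not the poster's. The module name dbghelper, the AppState structure and the function names DbgSnapshotState, ProtoLoadLibraryA and RecordRequest are all assumptions, and the target-memory address passed to LoadLibraryA is a placeholder.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* __stdcall is what LoadLibraryA uses on 32-bit Windows; elsewhere the keyword
 * does not exist, so it is defined away to keep the example portable. */
#ifdef _WIN32
#define DBGCALL __stdcall
#else
#define DBGCALL
#endif

/* Hypothetical application state a debugging session might want to look at. */
typedef struct {
    uint32_t requests_seen;
    uint32_t errors_seen;
    char     last_client[32];
} AppState;

static AppState g_state = { 0, 0, "" };

/* Known memory location for the debugger to dump afterwards, e.g.
 *   0:000> da dbghelper!g_DbgSnapshot
 * (dbghelper is the assumed module name). 'volatile' stops the compiler from
 * treating stores that the program itself never reads as dead code. */
volatile char g_DbgSnapshot[256];

/* MSVC: keep these helpers unoptimised, as the help text advises. */
#ifdef _MSC_VER
#pragma optimize("", off)
#endif

/* Debugger-only helper. Nothing in the program calls it; it is invoked with
 *   0:000> .call dbghelper!DbgSnapshotState(1)
 *   0:000> g
 * and the byte count it returns is what WinDbg prints and stores in $callret. */
int DBGCALL DbgSnapshotState(int verbose)
{
    char tmp[sizeof g_DbgSnapshot];
    int n = verbose
        ? snprintf(tmp, sizeof tmp, "requests=%u errors=%u last_client=%s",
                   (unsigned)g_state.requests_seen, (unsigned)g_state.errors_seen,
                   g_state.last_client)
        : snprintf(tmp, sizeof tmp, "%u/%u",
                   (unsigned)g_state.requests_seen, (unsigned)g_state.errors_seen);
    if (n < 0)
        return 0;
    if (n >= (int)sizeof tmp)              /* snprintf truncated: report what fits */
        n = (int)sizeof tmp - 1;
    for (int i = 0; i <= n; i++)           /* copy including the terminating NUL */
        g_DbgSnapshot[i] = tmp[i];
    return n;
}

/* Prototype stand-in for `.call /s`: same shape as LoadLibraryA (one pointer
 * argument, pointer result, stdcall on x86) but built with *your* private
 * symbols, so WinDbg can take the calling convention and parameter layout
 * from here when the real target only has public symbols:
 *   0:000> .call /s dbghelper!ProtoLoadLibraryA kernel32!LoadLibraryA(<addr>)
 * where <addr> is a placeholder for memory in the target that already holds
 * the DLL path (the help text says literal strings cannot be passed).
 * The body is irrelevant to the debugger; only the signature matters. */
void * DBGCALL ProtoLoadLibraryA(const char *lpLibFileName)
{
    return (void *)lpLibFileName;
}

#ifdef _MSC_VER
#pragma optimize("", on)
#endif

/* Simulated application activity so the snapshot has something to show. */
void RecordRequest(const char *client, int failed)
{
    g_state.requests_seen++;
    if (failed)
        g_state.errors_seen++;
    snprintf(g_state.last_client, sizeof g_state.last_client, "%s", client);
}

/* Plain accessor for reading the snapshot back from C (WinDbg would use da). */
const char *DbgSnapshotText(void)
{
    return (const char *)g_DbgSnapshot;
}

int main(void)
{
    RecordRequest("client-a", 0);
    RecordRequest("client-b", 1);
    DbgSnapshotState(1);                   /* what a .call from WinDbg would do */
    printf("snapshot: %s\n", DbgSnapshotText());
    return 0;
}
```

The point of ProtoLoadLibraryA is that the parameter and calling-convention information .call needs comes from the private symbols of your own module, not from the public kernel32 symbols, which is exactly what the "Symbol not a function" error in the original post is complaining about when LoadLibraryA itself is given as the prototype.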

Latest replies (2)
I'd like to ask how .call is actually supposed to be used.
2009-11-16 22:55
Solved. The command really can call a function, but it needs complete symbol information. The symbols downloaded from Microsoft are missing the parameter convention and similar information, so .call fails.
2009-11-17 10:20