-
-
[求助]请问如何用windbg在ring3跟踪一个API的调用过程
-
发表于: 2011-6-21 01:58
-
比如像SetWindowsHookEx 这样的函数 怎么看调用堆栈的 怎么跟踪到得 堆栈调用顺序
是从下向上吗
: kd> kvn
# ChildEBP RetAddr Args to Child
00 0012f7b8 77d2dbfb 0012f81c 00000000 00000008 kernel32!LoadLibraryExW+0x2 (FPO: [Non-Fpo])
01 0012f7e4 7c92eae3 0012f7f4 00000080 00000080 USER32!__ClientLoadLibrary+0x32 (FPO: [1,3,4])
02 0012f7e4 80501a60 0012f7f4 00000080 00000080 ntdll!KiUserCallbackDispatcher+0x13 (FPO: [0,0,0])
03 ef8f35e8 805a1779 ef8f36a0 ef8f369c ef8f38e8 nt!KiCallUserMode+0x4 (FPO: [2,3,4])
04 ef8f3644 bf84ce33 00000042 ef8f36b0 00000080 nt!KeUserModeCallback+0x87 (FPO: [Non-Fpo])
05 ef8f38cc bf84cf3e ef8f38e8 00000000 00000000 win32k!ClientLoadLibrary+0xb2 (FPO: [Non-Fpo])
06 ef8f3afc bf83f449 00000002 00000000 e10622c0 win32k!xxxLoadHmodIndex+0x86 (FPO: [1,133,0])
07 ef8f3b68 bf83f4a0 03e49c40 00000003 00040140 win32k!xxxCallHook2+0x19b (FPO: [5,21,4])
08 ef8f3b84 bf8407c8 00000003 00040140 00000002 win32k!xxxCallHook+0x26 (FPO: [4,0,0])
09 ef8f3c6c bf83eec5 00000100 00000000 bbe34058 win32k!xxxCreateWindowEx+0x48c (FPO: [15,49,0])
0a ef8f3d20 8054160c 80000000 ef8f3cec ef8f3ce0 win32k!NtUserCreateWindowEx+0x1c1 (FPO: [Non-Fpo])
0b ef8f3d20 7c92eb94 80000000 ef8f3cec ef8f3ce0 nt!KiFastCallEntry+0xfc (FPO: [0,0] TrapFrame @ ef8f3d64)
0c 0012f7e4 7c92eae3 0012f7f4 00000080 00000080 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
0d 0012f870 77d1fe13 77d1fdd9 80000000 0012fd98 ntdll!KiUserCallbackDispatcher+0x13 (FPO: [0,0,0])
0e 0012fd14 77d1fecc 80000000 0012fd98 0012fdac USER32!NtUserCreateWindowEx+0xc
0f 0012fdc0 77d1ff66 80000000 00487d80 0012fdac USER32!_CreateWindowEx+0x1ed (FPO: [13,25,0])
10 0012fdfc 00404dd2 00000000 00487d80 00477510 USER32!CreateWindowExA+0x33 (FPO: [12,0,0])
WARNING: Stack unwind information not available. Following frames may be wrong.
11 0012fe70 00447830 00400000 00000001 0012ffc0 Procexp+0x4dd2
12 00000000 00000000 00000000 00000000 00000000 Procexp+0x47830
是从下向上吗
: kd> kvn
# ChildEBP RetAddr Args to Child
00 0012f7b8 77d2dbfb 0012f81c 00000000 00000008 kernel32!LoadLibraryExW+0x2 (FPO: [Non-Fpo])
01 0012f7e4 7c92eae3 0012f7f4 00000080 00000080 USER32!__ClientLoadLibrary+0x32 (FPO: [1,3,4])
02 0012f7e4 80501a60 0012f7f4 00000080 00000080 ntdll!KiUserCallbackDispatcher+0x13 (FPO: [0,0,0])
03 ef8f35e8 805a1779 ef8f36a0 ef8f369c ef8f38e8 nt!KiCallUserMode+0x4 (FPO: [2,3,4])
04 ef8f3644 bf84ce33 00000042 ef8f36b0 00000080 nt!KeUserModeCallback+0x87 (FPO: [Non-Fpo])
05 ef8f38cc bf84cf3e ef8f38e8 00000000 00000000 win32k!ClientLoadLibrary+0xb2 (FPO: [Non-Fpo])
06 ef8f3afc bf83f449 00000002 00000000 e10622c0 win32k!xxxLoadHmodIndex+0x86 (FPO: [1,133,0])
07 ef8f3b68 bf83f4a0 03e49c40 00000003 00040140 win32k!xxxCallHook2+0x19b (FPO: [5,21,4])
08 ef8f3b84 bf8407c8 00000003 00040140 00000002 win32k!xxxCallHook+0x26 (FPO: [4,0,0])
09 ef8f3c6c bf83eec5 00000100 00000000 bbe34058 win32k!xxxCreateWindowEx+0x48c (FPO: [15,49,0])
0a ef8f3d20 8054160c 80000000 ef8f3cec ef8f3ce0 win32k!NtUserCreateWindowEx+0x1c1 (FPO: [Non-Fpo])
0b ef8f3d20 7c92eb94 80000000 ef8f3cec ef8f3ce0 nt!KiFastCallEntry+0xfc (FPO: [0,0] TrapFrame @ ef8f3d64)
0c 0012f7e4 7c92eae3 0012f7f4 00000080 00000080 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
0d 0012f870 77d1fe13 77d1fdd9 80000000 0012fd98 ntdll!KiUserCallbackDispatcher+0x13 (FPO: [0,0,0])
0e 0012fd14 77d1fecc 80000000 0012fd98 0012fdac USER32!NtUserCreateWindowEx+0xc
0f 0012fdc0 77d1ff66 80000000 00487d80 0012fdac USER32!_CreateWindowEx+0x1ed (FPO: [13,25,0])
10 0012fdfc 00404dd2 00000000 00487d80 00477510 USER32!CreateWindowExA+0x33 (FPO: [12,0,0])
WARNING: Stack unwind information not available. Following frames may be wrong.
11 0012fe70 00447830 00400000 00000001 0012ffc0 Procexp+0x4dd2
12 00000000 00000000 00000000 00000000 00000000 Procexp+0x47830
|
|
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
