After breaking on bp kernel32!FormatMessageA:
0:003> kv 3
ChildEBP RetAddr Args to Child
0552dad4 06eec811 00000004 00000000 0552dafc kernel32!FormatMessageA
WARNING: Stack unwind information not available. Following frames may be wrong.
0552db00 06eec893 0552db0c 00000818 00000004 ext!obja+0x3f1
0552dc64 06eec967 06dbd5e8 00000004 00000000 ext!obja+0x473
At this point, look at the raw stack directly:
0:003> dd esp
0552da78 06ff0504 00001200 00000000 00000004
0552da88 00000000 0705a298 00000400 00000000
0552da98 0552daa8 778c56f7 04f657f0 00000000
0552daa8 06e0e950 07059eac 00000000 00000000
0552dab8 06e0e950 00000000 00001000 00000000
0552dac8 00000000 0705a298 00000000 0552db00
0552dad8 06eec811 00000004 00000000 0552dafc
0552dae8 0552daf8 00000001 00000000 06dbd59c
0:003> r
eax=00000004 ebx=00000000 ecx=00000000 edx=00001200 esi=00000000 edi=00000000
eip=75d98875 esp=0552da78 ebp=0552dad4 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
kernel32!FormatMessageA:
75d98875 ff25ac1bd375 jmp dword ptr [kernel32!_imp__FormatMessageA (75d31bac)] ds:0023:75d31bac={KERNELBASE!FormatMessageA (75b8ec17)}
The correct return address should be 06ff0504, and the first 3 arguments are 00001200 00000000 00000004,
whereas the return address kv reports is 06eec811, with the first 3 arguments shown as 00000004 00000000 0552dafc.
WinDbg seems to have walked the stack from the current ebp, but ebp is not actually being used as a frame pointer here.
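The manual check above replayed offline, as an added example that is not part of the original post: it parses the `dd esp` and `r` output quoted above (copied here as constructed input) and reads the same frame two ways. At a breakpoint on the first instruction of a __stdcall API no prologue has run yet, so the return address is at [esp] and the caller's arguments start at [esp+4]; an EBP-chain walker instead assumes [ebp+4] is the return address and [ebp+8] the first argument, which only holds if every frame between the caller and the breakpoint pushed ebp. The small dwFlags decoder uses the documented FORMAT_MESSAGE_* constant values; the function and variable names are this example's own.

```python
"""Replay the stack check from the post offline (example code, not from the post)."""
import re

# WinDbg `dd esp` output quoted in the post (constructed input for this script).
DD_DUMP = """\
0552da78 06ff0504 00001200 00000000 00000004
0552da88 00000000 0705a298 00000400 00000000
0552da98 0552daa8 778c56f7 04f657f0 00000000
0552daa8 06e0e950 07059eac 00000000 00000000
0552dab8 06e0e950 00000000 00001000 00000000
0552dac8 00000000 0705a298 00000000 0552db00
0552dad8 06eec811 00000004 00000000 0552dafc
0552dae8 0552daf8 00000001 00000000 06dbd59c
"""

# The relevant part of the `r` output quoted in the post (constructed input).
R_DUMP = ("eax=00000004 ebx=00000000 ecx=00000000 edx=00001200 esi=00000000 "
          "edi=00000000 eip=75d98875 esp=0552da78 ebp=0552dad4")

# Documented FormatMessage dwFlags bits, ascending by value.
FORMAT_MESSAGE_FLAGS = [
    (0x0100, "FORMAT_MESSAGE_ALLOCATE_BUFFER"),
    (0x0200, "FORMAT_MESSAGE_IGNORE_INSERTS"),
    (0x0400, "FORMAT_MESSAGE_FROM_STRING"),
    (0x0800, "FORMAT_MESSAGE_FROM_HMODULE"),
    (0x1000, "FORMAT_MESSAGE_FROM_SYSTEM"),
    (0x2000, "FORMAT_MESSAGE_ARGUMENT_ARRAY"),
]


def parse_dd(text):
    """Turn `dd` lines (address followed by up to 4 dwords) into {address: dword}."""
    mem = {}
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        base = int(parts[0], 16)
        for i, word in enumerate(parts[1:]):
            mem[base + 4 * i] = int(word, 16)
    return mem


def parse_regs(text):
    """Pick 32-bit registers out of `r` output (eax=..., esp=..., ebp=...)."""
    return {m.group(1): int(m.group(2), 16)
            for m in re.finditer(r"\b([a-z]{3})=([0-9a-f]{8})", text)}


def read_dword(mem, addr):
    """Read one dword from the parsed dump; fail loudly if it was not dumped."""
    if addr not in mem:
        raise ValueError(f"address {addr:08x} is not in the dump")
    return mem[addr]


def frame_from_esp(mem, esp, nargs):
    """Function-entry view: return address at [esp], args at [esp+4], [esp+8], ..."""
    ret = read_dword(mem, esp)
    args = [read_dword(mem, esp + 4 * (i + 1)) for i in range(nargs)]
    return ret, args


def frame_from_ebp(mem, ebp, nargs):
    """EBP-chain view (what kv assumed): return address at [ebp+4], args from [ebp+8]."""
    ret = read_dword(mem, ebp + 4)
    args = [read_dword(mem, ebp + 8 + 4 * i) for i in range(nargs)]
    return ret, args


def decode_format_message_flags(dw_flags):
    """Name the FORMAT_MESSAGE_* bits set in the first FormatMessageA argument."""
    return [name for bit, name in FORMAT_MESSAGE_FLAGS if dw_flags & bit]


def compare(dd_text, r_text, nargs=3):
    """Return both readings of the frame so the mismatch is visible side by side."""
    mem = parse_dd(dd_text)
    regs = parse_regs(r_text)
    return {
        "esp_based": frame_from_esp(mem, regs["esp"], nargs),
        "ebp_based": frame_from_ebp(mem, regs["ebp"], nargs),
    }


if __name__ == "__main__":
    result = compare(DD_DUMP, R_DUMP)
    for view, (ret, args) in result.items():
        print(f"{view:>9}: ret={ret:08x} args={' '.join(f'{a:08x}' for a in args)}")
    flags = result["esp_based"][1][0]
    print(f"dwFlags {flags:#x} = {' | '.join(decode_format_message_flags(flags))}")
```

The esp-based reading reproduces the values worked out by hand in the post (return 06ff0504, dwFlags 0x1200 = FORMAT_MESSAGE_IGNORE_INSERTS | FORMAT_MESSAGE_FROM_SYSTEM, lpSource 0, dwMessageId 4), while the ebp-based reading reproduces exactly the frame kv printed, which is why the kv output looked plausible yet pointed at the wrong caller.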