Is there a way to see the address stored by a pointer on stack-frame through windbg?
Here is a trivial program I wrote in VC++:
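#include "stdafx.h"
#include <cstdio>    // getchar (declared here, not in <iostream>)
#include <iostream>
using namespace std;

// Entry point (VC++ "tchar" flavour of main).
// Stores 10 in a local on _tmain's stack frame, takes the address of that
// local and prints it, then waits for a key press so the still-running
// process can be attached to and inspected with a debugger.
// argc/argv are accepted for the standard signature but are not used.
// Returns 0.
int _tmain(int argc, _TCHAR* argv[])
{
    int foo = 10;      // lives in this function's stack frame
    int* bar = &foo;   // address of that stack slot
    // operator<<(const void*) prints the pointer value (e.g. 0035F95C); the
    // exact address depends on the compiler, runtime and process layout, so
    // it differs between builds and between runs.
    cout << bar << endl;
    getchar();         // block here so a debugger can be attached to the process
    return 0;
}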
The output on my machine is: 0035F95C
After attaching to the process with windbg and viewing the disassembly, I am not able to compute the address above. I know I need to get to the stack frame, look at the locals and walk the addresses, but I am not sure of the commands in windbg. How would you approach this?
Use the .frame command to select the stack frame.
Use the dv or dt command to view the value of a variable.
http://www.codeproject.com/KB/debug/windbg_part1.aspx
Thu 12/30/2010 20:04:38.48\>type stdafx.h
//dummmy file to satisfy compiler
Thu 12/30/2010 20:05:04.70\>type windb.cpp
#include "stdafx.h"
#include <iostream>
using namespace std;
int _tmain(int argc, _TCHAR* argv[])
{
    // A value that lives in this function's stack frame, and a pointer to it.
    int stack_value = 10;
    int* stack_slot = &stack_value;
    // Stream the pointer (prints the address of the stack slot) followed by a newline.
    cout << stack_slot << endl;
    // Wait for a key press so the process stays alive and can be examined.
    (void)getchar();
    return 0;
}
Thu 12/30/2010 20:05:28.87\>bcc32 -v -ls -w-8057 windb.cpp
Borland C++ 5.5.1 for Win32 Copyright (c) 1993, 2000 Borland
windb.cpp:
Turbo Incremental Link 5.00 Copyright (c) 1997, 2000 Borland
Thu 12/30/2010 20:05:48.85\>map2dbg windb.exe
Converted 1644 symbols.
Thu 12/30/2010 20:06:04.07\>windb.exe
0012FF88
Let's run windbg non-invasively, look at the stack, and check the disassembly of main to find where the value 10 is used. (Below, the local is stored at [ebp-4]; with ebp=0012ff8c in main's frame, that slot is 0012ff88, which matches the address the program printed.)
cdb -pv -pn windb.exe
Microsoft (R) Windows Debugger Version 6.10.0003.233 X86
Copyright (c) Microsoft Corporation. All rights reserved.
*** wait with pending attach
Symbol search path is: SRV*F:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
WARNING: **Process 2312** is not attached as a debuggee
The process can be examined but debug events will not be received
.........
(908.1c8): Wake debugger - code 80000007 (first chance)
eax=0012fe48 ebx=00000000 ecx=0012ff10 edx=00862a30 esi=0012fd58 edi=00250688
eip=7c90e514 esp=0012fcf8 ebp=0012fd18 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
ntdll!KiFastSystemCallRet:
7c90e514 c3 ret
0:000> .tlist windb.exe
0n2312 windb.exe
0:000> kn
# ChildEBP RetAddr
00 0012fcf4 7c90daea ntdll!KiFastSystemCallRet
01 0012fcf8 7c912de8 ntdll!ZwRequestWaitReplyPort+0xc
02 0012fd18 7c872a51 ntdll!CsrClientCallServer+0x8c
03 0012fe14 7c872b98 kernel32!ReadConsoleInternal+0x1be
04 0012fe9c 7c8018b7 kernel32!ReadConsoleA+0x3b
*** WARNING: Unable to verify checksum for F:\Borland\windb\windb.exe
05 0012fef4 004111fd kernel32!ReadFile+0x64
06 0012ff14 00410fcb windb!_rtl_read+0x35
07 0012ff40 004117a7 windb!__read+0x9b
08 0012ff5c 00411865 windb!c798_0+0x5b
09 0012ff6c 004117ff windb!fgetc+0x61
0a 0012ff78 00401198 windb!_fgetc+0x13
**0b 0012ff8c 00417c4e windb!main+0x48**
0c 0012ffc0 7c817077 windb!c1770_0+0x172
0d 0012fff0 00000000 kernel32!BaseProcessStart+0x23
0:000> uf windb!main
windb!main:
00401150 55 push ebp
00401151 8bec mov ebp,esp
00401153 51 push ecx
00401154 53 push ebx
00401155 c745fc0a000000 **mov dword ptr [ebp-4],0Ah**
0040115c 8d5dfc lea ebx,[ebp-4]
0040115f 68a0114000 push offset windb!std::basic_ostream<char, std::char
_traits<char> >& std::endl<char, std::char_traits<char> >(std::basic_ostream<cha
r, std::char_traits<char> >&) (004011a0)
00401164 53 push ebx
00401165 68f8034200 push offset windb!d1862_1+0x9bc (004203f8)
0040116a e8ed7f0000 call windb!std::basic_ostream<char, std::char_traits
<char> >::operator <<(const void *) (0040915c)
0040116f 83c408 add esp,8
00401172 50 push eax
00401173 e8a4810000 call windb!std::basic_ostream<char, std::char_traits
<char> >::operator <<(std::basic_ostream<char, std::char_traits<char> >& (*)(std
::basic_ostream<char, std::char_traits<char> >&)) (0040931c)
00401178 83c408 add esp,8
0040117b b8ece04100 mov eax,offset windb!_streams (0041e0ec)
00401180 ff4808 dec dword ptr [eax+8]
00401183 7809 js windb!main+0x3e (0040118e)
windb!main+0x35:
00401185 baece04100 mov edx,offset windb!_streams (0041e0ec)
0040118a ff02 inc dword ptr [edx]
0040118c eb0b jmp windb!main+0x49 (00401199)
windb!main+0x3e:
0040118e 68ece04100 push offset windb!_streams (0041e0ec)
00401193 e854060100 call windb!_fgetc (004117ec)
00401198 59 pop ecx
windb!main+0x49:
00401199 33c0 xor eax,eax
0040119b 5b pop ebx
0040119c 59 pop ecx
0040119d 5d pop ebp
0040119e c3 ret
0:000> .frame /r 0x0b
0b 0012ff8c 00417c4e windb!main+0x48
eax=0012fe48 ebx=00862a30 ecx=0012ff10 edx=00862a30 esi=0012fd58 edi=00250688
eip=00401198 esp=0012ff80 ebp=0012ff8c iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
windb!main+0x48:
00401198 59 pop ecx
0:000> dd 12ff7c l8
0012ff7c 00401198 0041e0ec 7ffde000 0000000a
0012ff8c 0012ffb8 00417c4e 00000001 008621c4
0:000> dds 12ff7c l8
0012ff7c 00401198 windb!main+0x48
0012ff80 0041e0ec windb!_streams
0012ff84 7ffde000
**0012ff88 0000000a**
0012ff8c 0012ffb8
0012ff90 00417c4e windb!c1770_0+0x172
0012ff94 00000001
0012ff98 008621c4
0:000>