Posted on 2009-11-02 17:26
By S.l.e!ep.¢%   Category: WinDbg
Using kb to view the function call stack
0:000> kb
ChildEBP RetAddr  Args to Child
0007d838 7632beb6 0007dea8 40000000 00000003 kernel32!CreateFileW
0007e0bc 7632741f 0007e0e8 00000000 004a0398 comdlg32!CFileOpenBrowser::OKButtonPressed+0x905
0007e2fc 76327327 0020029c 00230450 000ced30 comdlg32!CFileOpenBrowser::ProcessEdit+0x192
0007e33c 7632274e 00000001 00230450 0007e5e4 comdlg32!CFileOpenBrowser::OnCommandMessage+0x1d3
0007e57c 77d18734 0020029c 00000111 00000001 comdlg32!OpenDlgProc+0x2f5
0007e5a8 77d2418d 763225e4 0020029c 00000111 USER32!InternalCallWinProc+0x28
0007e614 77d23fd9 00000000 763225e4 0020029c USER32!UserCallDlgProcCheckWow+0x146
0007e65c 77d2cb2b 00000000 00000111 00000001 USER32!DefDlgProcWorker+0xa8
0007e68c 77d1b903 005c3200 005bfea8 00000001 USER32!SendMessageWorker+0x384
0007e6ac 771a7344 0020029c 00000111 00000001 USER32!SendMessageW+0x7f
0007e6cc 771a7426 000d0dd0 00000000 00090014 COMCTL32!Button_NotifyParent+0x3d
0007e6e8 771a972b 000d0dd0 00000001 0007e7e0 COMCTL32!Button_ReleaseCapture+0xd7
0007e778 77d18734 00230450 00000202 00000000 COMCTL32!Button_WndProc+0x887
0007e7a4 77d18816 771a8ea4 00230450 00000202 USER32!InternalCallWinProc+0x28
0007e80c 77d1c63f 00000000 771a8ea4 00230450 USER32!UserCallWinProcCheckWow+0x150
0007e83c 77d1c665 771a8ea4 00230450 00000202 USER32!CallWindowProcAorW+0x98
0007e85c 76322dc5 771a8ea4 00230450 00000202 USER32!CallWindowProcW+0x1b
0007e878 77d18734 00230450 00000202 00000000 comdlg32!OKSubclass+0x46
0007e8a4 77d18816 76322d82 00230450 00000202 USER32!InternalCallWinProc+0x28
0007e90c 77d189cd 00000000 76322d82 00230450 USER32!UserCallWinProcCheckWow+0x150
Next, look at ESP. The value stored at the address in ESP is the return address, i.e. the EIP the caller resumes at, so ESP+4 is the function's first argument, ESP+8 is the second, and so on for as many arguments as the function takes.
In the example above (ESP is 7d83c):
0:000> dd 7d83c
0007d83c  7632beb6 0007dea8 40000000 00000003
0007d84c  00000000 00000001 00000080 00000000
0007d85c  0007e0e8 000ced30 00000000 000ced30
0007d86c  00000000 00000000 00000003 00000000
0007d87c  00000000 0007e0e8 00000000 00000000
0007d88c  00000002 00620061 00000063 00000014
0007d89c  00000001 00000000 00000000 00000010
0007d8ac  00000000 0007d8c4 00000000 00000000
So the value at 0007d83c, 7632beb6, is the corresponding EIP (the return address), and 7d83c+4 holds CreateFileW's first argument; dump it with dW and you can see the argument's contents.
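The relationship described above (kb's RetAddr and Args columns are simply [ESP], [ESP+4], [ESP+8], [ESP+0xC] at function entry, with ESP sitting at ChildEBP+4) can be checked mechanically. The following script is an added example, not part of the original post: it parses the first lines of the kb and dd output shown above (embedded here as a constructed sample taken from the page), reads the frame back from the raw dump using the ESP rule, confirms it matches what kb printed, and decodes the second and third CreateFileW arguments using the documented Win32 constants. The function and variable names are the author's own choices for this example.

```python
"""Cross-check WinDbg 'kb' output against a raw 'dd' dump taken at ESP.

On 32-bit x86 (stdcall/cdecl), at the entry of a function the stack holds
[ESP] = return address, [ESP+4] = arg1, [ESP+8] = arg2, [ESP+0xC] = arg3.
kb prints the frame base (ChildEBP), so ESP at entry is ChildEBP + 4.
"""
import re

# Constructed sample: the first two 'kb' frames and the start of 'dd 7d83c'
# from the blog post above.
KB_OUTPUT = """\
ChildEBP RetAddr  Args to Child
0007d838 7632beb6 0007dea8 40000000 00000003 kernel32!CreateFileW
0007e0bc 7632741f 0007e0e8 00000000 004a0398 comdlg32!CFileOpenBrowser::OKButtonPressed+0x905
"""

DD_OUTPUT = """\
0007d83c  7632beb6 0007dea8 40000000 00000003
0007d84c  00000000 00000001 00000080 00000000
"""

KB_RE = re.compile(r"^([0-9a-f]{8}) ([0-9a-f]{8}) ([0-9a-f]{8}) ([0-9a-f]{8}) ([0-9a-f]{8}) (\S+)$")
DD_RE = re.compile(r"^([0-9a-f]{8})\s+((?:[0-9a-f]{8}\s*)+)$")

# Documented Win32 values for CreateFileW's dwDesiredAccess and dwShareMode.
GENERIC_FLAGS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                 0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE_FLAGS = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}


def parse_kb(text):
    """Parse kb lines into frames: child_ebp, ret_addr, args (3 DWORDs), symbol."""
    frames = []
    for line in text.splitlines():
        m = KB_RE.match(line.strip())
        if not m:
            continue  # column header or unrelated text
        frames.append({
            "child_ebp": int(m.group(1), 16),
            "ret_addr": int(m.group(2), 16),
            "args": tuple(int(m.group(i), 16) for i in (3, 4, 5)),
            "symbol": m.group(6),
        })
    return frames


def parse_dd(text):
    """Parse a dd dump into a dict mapping address -> 32-bit value."""
    memory = {}
    for line in text.splitlines():
        m = DD_RE.match(line.strip())
        if not m:
            continue
        base = int(m.group(1), 16)
        for i, word in enumerate(m.group(2).split()):
            memory[base + 4 * i] = int(word, 16)  # each DWORD is 4 bytes apart
    return memory


def entry_esp(kb_frame):
    """ESP at function entry: the slot just above the frame base kb reports."""
    return kb_frame["child_ebp"] + 4


def read_frame_from_esp(memory, esp, nargs=3):
    """Apply the rule from the post: [ESP] is the return address, [ESP+4*k] is arg k."""
    ret = memory[esp]
    args = tuple(memory[esp + 4 * (k + 1)] for k in range(nargs))
    return ret, args


def check_frame(kb_frame, memory, esp):
    """True if the raw stack at ESP agrees with what kb printed for this frame."""
    ret, args = read_frame_from_esp(memory, esp, len(kb_frame["args"]))
    return ret == kb_frame["ret_addr"] and args == kb_frame["args"]


def decode_flags(value, table):
    """Name every known bit set in value; unknown bits are reported in hex."""
    names = [name for bit, name in table.items() if value & bit]
    leftover = value & ~sum(table)
    if leftover:
        names.append(hex(leftover))
    return names


if __name__ == "__main__":
    frames = parse_kb(KB_OUTPUT)
    mem = parse_dd(DD_OUTPUT)
    top = frames[0]
    esp = entry_esp(top)
    ret, args = read_frame_from_esp(mem, esp)
    print(f"{top['symbol']}: ESP={esp:08x} ret={ret:08x} args={[f'{a:08x}' for a in args]}")
    print("kb and dd agree:", check_frame(top, mem, esp))
    print("dwDesiredAccess:", decode_flags(args[1], GENERIC_FLAGS))
    print("dwShareMode:", decode_flags(args[2], SHARE_FLAGS))
```

The first argument, 0007dea8, is lpFileName, a pointer rather than a value, which is why the post dereferences it with a separate dW command instead of reading it straight from the dd output.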