Disassembler 571
The second GDB command is x/[N]i address where N is the number of instructions to disassemble:
(gdb) x/i 0x4012f0
0x4012f0 <main>: push ebp
(gdb) x/2i 0x4012f0
0x4012f0 <main>: push ebp
0x4012f1 <main+1>: mov ebp,esp
(gdb) x/3i 0x4012f0
0x4012f0 <main>: push ebp
0x4012f1 <main+1>: mov ebp,esp
0x4012f3 <main+3>: sub esp,0x8
(gdb) x/4i $pc
0x4012f6 <main+6>: and esp,0xfffffff0
0x4012f9 <main+9>: mov eax,0x0
0x4012fe <main+14>: add eax,0xf
0x401301 <main+17>: add eax,0xf
(gdb)
There seems to be no way to disassemble just N instructions in WinDbg. However, in WinDbg we can disassemble backwards (ub). This is useful, for example, if we have a return address and want to see the CALL instruction:
0:000> k
ChildEBP RetAddr
0012ff7c 0040117a test!main [test.cpp @ 3]
0012ffc0 7d4e992a test!__tmainCRTStartup+0x10f [f:\sp\vctools\crt_bld\self_x86\crt\src\crtexe.c @ 597]
0012fff0 00000000 kernel32!BaseProcessStart+0x28
0:000> ub 7d4e992a
kernel32!BaseProcessStart+0x10:
7d4e9912 call kernel32!BasepReport32bitAppLaunching (7d4e9949)
7d4e9917 push 4
7d4e9919 lea eax,[ebp+8]
7d4e991c push eax
7d4e991d push 9
7d4e991f push 0FFFFFFFEh
7d4e9921 call dword ptr [kernel32!_imp__NtSetInformationThread (7d4d032c)]
7d4e9927 call dword ptr [ebp+8]
572 PART 7: WinDbg For GDB Users and Vice Versa
Our next version of the map contains these new commands:
Action | GDB | WinDbg
Start the process | run | g
Exit | (q)uit | q
Disassemble (forward) | (disas)semble | uf, u
Disassemble N instructions | x/i | -
Disassemble (backward) | - | ub
STACK TRACE (BACKTRACE)
Displaying a thread stack trace is the most used action in crash or core dump analysis and debugging. To show the various available GDB commands, I created the next version of the test program with the following source code:
#include <stdio.h>
void func_1(int param_1, char param_2, int *param_3, char *param_4);
void func_2(int param_1, char param_2, int *param_3, char *param_4);
void func_3(int param_1, char param_2, int *param_3, char *param_4);
void func_4();
int val_1;
char val_2;
int *pval_1 = &val_1;
char *pval_2 = &val_2;
int main()
{
val_1 = 1;
val_2 = '1';
func_1(val_1, val_2, (int *)pval_1, (char *)pval_2);
return 0;
}
void func_1(int param_1, char param_2, int *param_3, char *param_4)
{
val_1 = 2;
val_2 = '2';
func_2(param_1, param_2, param_3, param_4);
}
void func_2(int param_1, char param_2, int *param_3, char *param_4)
{
val_1 = 3;
val_2 = '3';
func_3(param_1, param_2, param_3, param_4);
}
void func_3(int param_1, char param_2, int *param_3, char *param_4)
{
*pval_1 += param_1;
*pval_2 += param_2;
func_4();
}
void func_4()
{
puts("Hello World!");
}
We need to compile it with the -g gcc compiler option to generate symbolic information. It is needed for GDB to display function arguments and local variables.
C:\MinGW\examples> \bin\gcc -g -o test.exe test.c
If there is a crash in func_4, we can examine the stack trace (backtrace) once we open a core dump. Because we don't have a core dump of our test program, we will simulate the stack trace by putting a breakpoint on func_4. In GDB this can be done with the break command:
C:\MinGW\examples> \bin\gdb test.exe
(gdb) break func_4
Breakpoint 1 at 0x40141d
(gdb) run
Starting program: C:\MinGW\examples/test.exe
Breakpoint 1, 0x0040141d in func_4 ()
(gdb)
In WinDbg the breakpoint command is bp:
CommandLine: C:\dmitri\test\release\test.exe
Symbol search path is:
SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
ModLoad: 00400000 0040f000 test.exe
ModLoad: 7d4c0000 7d5f0000 NOT_AN_IMAGE
ModLoad: 7d600000 7d6f0000 C:\W2K3\SysWOW64\ntdll32.dll
ModLoad: 7d4c0000 7d5f0000 C:\W2K3\syswow64\kernel32.dll
(103c.17d8): Break instruction exception - code 80000003 (first chance)
eax=7d600000 ebx=7efde000 ecx=00000005 edx=00000020 esi=7d6a01f4 edi=00221f38
eip=7d61002d esp=0012fb4c ebp=0012fcac iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
ntdll32!DbgBreakPoint:
7d61002d cc int 3
0:000> bp func_4
0:000> g
ModLoad: 71c20000 71c32000 C:\W2K3\SysWOW64\tsappcmp.dll
ModLoad: 77ba0000 77bfa000 C:\W2K3\syswow64\msvcrt.dll
ModLoad: 77f50000 77fec000 C:\W2K3\syswow64\ADVAPI32.dll
ModLoad: 7da20000 7db00000 C:\W2K3\syswow64\RPCRT4.dll
Breakpoint 0 hit
eax=0040c9d0 ebx=7d4d8dc9 ecx=0040c9d0 edx=00000064 esi=00000002 edi=00000ece
eip=00408be0 esp=0012ff24 ebp=0012ff28 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
test!func_4:
00408be0 55 push ebp
We have to disable optimization in the project properties; otherwise the Visual C++ compiler optimizes away all function calls and produces the following short code:
0:000> uf main
00401000 push offset test!`string' (004020f4)
00401005 mov dword ptr [test!val_1 (0040337c)],4
0040100f mov byte ptr [test!val_2 (00403378)],64h
00401016 call dword ptr [test!_imp__puts (004020a0)]
0040101c add esp,4
0040101f xor eax,eax
00401021 ret
Now we are going to concentrate on commands that examine a call stack. The backtrace or bt command shows the stack trace. backtrace <N> or bt <N> shows only the innermost N stack frames. backtrace -<N> or bt -<N> shows only the outermost N stack frames. backtrace full or bt full additionally shows local variables. There are also the variants backtrace full <N> or bt full <N> and backtrace full -<N> or bt full -<N>:
(gdb) backtrace
#0 func_4 () at test.c:48
#1 0x00401414 in func_3 (param_1=1, param_2=49 '1', param_3=0x404080,
param_4=0x404070 "d") at test.c:43
#2 0x004013da in func_2 (param_1=1, param_2=49 '1', param_3=0x404080,
param_4=0x404070 "d") at test.c:35
#3 0x0040139a in func_1 (param_1=1, param_2=49 '1', param_3=0x404080,
param_4=0x404070 "d") at test.c:27
#4 0x00401355 in main () at test.c:18
(gdb) bt
#0 func_4 () at test.c:48
#1 0x00401414 in func_3 (param_1=1, param_2=49 '1', param_3=0x404080,
param_4=0x404070 "d") at test.c:43
#2 0x004013da in func_2 (param_1=1, param_2=49 '1', param_3=0x404080,
param_4=0x404070 "d") at test.c:35
#3 0x0040139a in func_1 (param_1=1, param_2=49 '1', param_3=0x404080,
param_4=0x404070 "d") at test.c:27
#4 0x00401355 in main () at test.c:18
(gdb) bt 2
#0 func_4 () at test.c:48
#1 0x00401414 in func_3 (param_1=1, param_2=49 '1', param_3=0x404080,
param_4=0x404070 "d") at test.c:43
(More stack frames follow...)
(gdb) bt -2
#3 0x0040139a in func_1 (param_1=1, param_2=49 '1', param_3=0x404080,
param_4=0x404070 "d") at test.c:27
#4 0x00401355 in main () at test.c:18
(gdb) bt full
#0 func_4 () at test.c:48
No locals.
#1 0x00401414 in func_3 (param_1=1, param_2=49 '1', param_3=0x404080,
param_4=0x404070 "d") at test.c:43
param_2 = 49 '1'
#2 0x004013da in func_2 (param_1=1, param_2=49 '1', param_3=0x404080,
param_4=0x404070 "d") at test.c:35
param_2 = 49 '1'
#3 0x0040139a in func_1 (param_1=1, param_2=49 '1', param_3=0x404080,
param_4=0x404070 "d") at test.c:27
param_2 = 49 '1'
#4 0x00401355 in main () at test.c:18
No locals.
(gdb) bt full 2
#0 func_4 () at test.c:48
No locals.
#1 0x00401414 in func_3 (param_1=1, param_2=49 '1', param_3=0x404080,
param_4=0x404070 "d") at test.c:43
param_2 = 49 '1'
(More stack frames follow...)
(gdb) bt full -2
#3 0x0040139a in func_1 (param_1=1, param_2=49 '1', param_3=0x404080,
param_4=0x404070 "d") at test.c:27
param_2 = 49 '1'
#4 0x00401355 in main () at test.c:18
No locals.
(gdb)
In WinDbg there is only one k command, but it has many parameters, for example:
Default stack trace with source code lines:
0:000> k
ChildEBP RetAddr
0012ff20 00408c30 test!func_4 [c:\dmitri\test\test\test.cpp @ 47]
0012ff28 00408c69 test!func_3+0x30 [c:\dmitri\test\test\test.cpp @ 44]
0012ff40 00408c99 test!func_2+0x29 [c:\dmitri\test\test\test.cpp @ 35]
0012ff58 00408cd3 test!func_1+0x29 [c:\dmitri\test\test\test.cpp @ 27]
0012ff70 00401368 test!main+0x33 [c:\dmitri\test\test\test.cpp @ 18]
0012ffc0 7d4e992a test!__tmainCRTStartup+0x15f [f:\sp\vctools\crt_bld\self_x86\crt\src\crt0.c @ 327]
0012fff0 00000000 kernel32!BaseProcessStart+0x28
Stack trace without source code lines:
0:000> kL
ChildEBP RetAddr
0012ff20 00408c30 test!func_4
0012ff28 00408c69 test!func_3+0x30
0012ff40 00408c99 test!func_2+0x29
0012ff58 00408cd3 test!func_1+0x29
0012ff70 00401368 test!main+0x33
0012ffc0 7d4e992a test!__tmainCRTStartup+0x15f
0012fff0 00000000 kernel32!BaseProcessStart+0x28
Full stack trace without source code lines, showing 3 stack arguments for every stack frame, the calling convention and optimization information:
0:000> kvL
ChildEBP RetAddr Args to Child
0012ff20 00408c30 0012ff40 00408c69 00000001 test!func_4 (CONV: cdecl)
0012ff28 00408c69 00000001 00000031 0040c9d4 test!func_3+0x30 (CONV: cdecl)
0012ff40 00408c99 00000001 00000031 0040c9d4 test!func_2+0x29 (CONV: cdecl)
0012ff58 00408cd3 00000001 00000031 0040c9d4 test!func_1+0x29 (CONV: cdecl)
0012ff70 00401368 00000001 004230e0 00423120 test!main+0x33 (CONV: cdecl)
0012ffc0 7d4e992a 00000000 00000000 7efde000 test!__tmainCRTStartup+0x15f (FPO: [Non-Fpo]) (CONV: cdecl)
0012fff0 00000000 004013bf 00000000 00000000 kernel32!BaseProcessStart+0x28 (FPO: [Non-Fpo])
Stack trace without source code lines showing all function parameters:
0:000> kPL
ChildEBP RetAddr
0012ff20 00408c30 test!func_4(void)
0012ff28 00408c69 test!func_3(
int param_1 = 1,
char param_2 = 49 '1',
int * param_3 = 0x0040c9d4,
char * param_4 = 0x0040c9d0 "d")+0x30
0012ff40 00408c99 test!func_2(
int param_1 = 1,
char param_2 = 49 '1',
int * param_3 = 0x0040c9d4,
char * param_4 = 0x0040c9d0 "d")+0x29
0012ff58 00408cd3 test!func_1(
int param_1 = 1,
char param_2 = 49 '1',
int * param_3 = 0x0040c9d4,
char * param_4 = 0x0040c9d0 "d")+0x29
0012ff70 00401368 test!main(void)+0x33
0012ffc0 7d4e992a test!__tmainCRTStartup(void)+0x15f
0012fff0 00000000 kernel32!BaseProcessStart+0x28
Stack trace without source code lines showing stack frame numbers:
0:000> knL
# ChildEBP RetAddr
00 0012ff20 00408c30 test!func_4
01 0012ff28 00408c69 test!func_3+0x30
02 0012ff40 00408c99 test!func_2+0x29
03 0012ff58 00408cd3 test!func_1+0x29
04 0012ff70 00401368 test!main+0x33
05 0012ffc0 7d4e992a test!__tmainCRTStartup+0x15f
06 0012fff0 00000000 kernel32!BaseProcessStart+0x28
Stack trace without source code lines showing the distance between stack frames
in bytes:
0:000> knfL
# Memory ChildEBP RetAddr
00 0012ff20 00408c30 test!func_4
01 8 0012ff28 00408c69 test!func_3+0x30
02 18 0012ff40 00408c99 test!func_2+0x29
03 18 0012ff58 00408cd3 test!func_1+0x29
04 18 0012ff70 00401368 test!main+0x33
05 50 0012ffc0 7d4e992a test!__tmainCRTStartup+0x15f
06 30 0012fff0 00000000 kernel32!BaseProcessStart+0x28
Stack trace without source code lines showing the innermost 2 frames:
0:000> kL 2
ChildEBP RetAddr
0012ff20 00408c30 test!func_4
0012ff28 00408c69 test!func_3+0x30
If we want to see stack traces from all threads in a process, we can use the following command:
(gdb) thread apply all bt
Thread 1 (thread 728.0xc0c):
#0 func_4 () at test.c:48
#1 0x00401414 in func_3 (param_1=1, param_2=49 '1', param_3=0x404080,
param_4=0x404070 "d") at test.c:43
#2 0x004013da in func_2 (param_1=1, param_2=49 '1', param_3=0x404080,
param_4=0x404070 "d") at test.c:35
#3 0x0040139a in func_1 (param_1=1, param_2=49 '1', param_3=0x404080,
param_4=0x404070 "d") at test.c:27
#4 0x00401355 in main () at test.c:18
(gdb)
In WinDbg it is ~*k. Any parameter shown above can be used, for example:
0:000> ~*kL
. 0 Id: 103c.17d8 Suspend: 1 Teb: 7efdd000 Unfrozen
ChildEBP RetAddr
0012ff20 00408c30 test!func_4
0012ff28 00408c69 test!func_3+0x30
0012ff40 00408c99 test!func_2+0x29
0012ff58 00408cd3 test!func_1+0x29
0012ff70 00401368 test!main+0x33
0012ffc0 7d4e992a test!__tmainCRTStartup+0x15f
0012fff0 00000000 kernel32!BaseProcessStart+0x28
Therefore, the next version of the map contains these new commands:
Action | GDB | WinDbg
Start the process | run | g
Exit | (q)uit | q
Disassemble (forward) | (disas)semble | uf, u
Disassemble N instructions | x/<N>i | -
Disassemble (backward) | - | ub
Stack trace | backtrace (bt) | k
Full stack trace | bt full | kv
Partial trace (innermost) | bt <N> | k <N>
Partial trace (outermost) | bt -<N> | -
Stack trace for all threads | thread apply all bt | ~*k
Breakpoint | break | bp
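As an added example (not from the book), the following Python script parses the GDB bt and WinDbg k/kn/kv listings shown above into one normalized frame list, so that the innermost frames can serve as a crash-bucketing key no matter which debugger produced the trace. The regexes and the trimmed sample listings are my assumptions derived from the output above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Frame:
    index: int              # 0 = innermost frame
    function: str
    offset: int             # bytes past the function start (0 when the listing has none)
    source: Optional[str]   # file from "at test.c:43" or "[c:\...\test.cpp @ 44]"
    line: Optional[int]

# GDB: "#1 0x00401414 in func_3 (param_1=1, ...) at test.c:43"; frame #0 has no "0x... in".
GDB_RE = re.compile(r"^#(?P<idx>\d+)\s+(?:0x[0-9a-fA-F]+\s+in\s+)?(?P<func>[A-Za-z_]\w*)"
                    r"\s*\([^)]*\)(?:\s+at\s+(?P<file>\S+):(?P<line>\d+))?")
# WinDbg: "[NN] ChildEBP RetAddr [Args to Child] mod!func[+0xOFF] [[file @ N]]";
# the run of 8-hex-digit columns absorbs ChildEBP, RetAddr and kv's argument columns.
WINDBG_RE = re.compile(r"^(?:(?P<idx>[0-9a-fA-F]{2})\s+)?(?:[0-9a-fA-F]{8}\s+)+\w+!"
                       r"(?P<func>\w+)(?:\+0x(?P<off>[0-9a-fA-F]+))?"
                       r"(?:\s+\[(?P<file>.+?)\s+@\s+(?P<line>\d+)\])?")

def parse_gdb(text: str) -> List[Frame]:
    """bt wraps long argument lists, so glue every non-'#' line onto the frame above it."""
    records: List[str] = []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("#"):
            records.append(line)
        elif records:
            records[-1] += " " + line
    matches = (GDB_RE.match(r) for r in records)
    return [Frame(int(m["idx"]), m["func"], 0, m["file"],
                  int(m["line"]) if m["line"] else None) for m in matches if m]

def parse_windbg(text: str) -> List[Frame]:
    """Prompts, column headers, thread headers and kP's wrapped parameters never match."""
    frames: List[Frame] = []
    for m in (WINDBG_RE.match(l.strip()) for l in text.splitlines()):
        if m:
            frames.append(Frame(int(m["idx"], 16) if m["idx"] else len(frames), m["func"],
                                int(m["off"] or "0", 16), m["file"],
                                int(m["line"]) if m["line"] else None))
    return frames

def stack_signature(frames: List[Frame], depth: int = 3) -> str:
    """Innermost `depth` function names: the same crash site gives the same key in both debuggers."""
    return ";".join(f.function for f in sorted(frames, key=lambda f: f.index)[:depth])

GDB_BT = """(gdb) bt 2
#0  func_4 () at test.c:48
#1  0x00401414 in func_3 (param_1=1, param_2=49 '1', param_3=0x404080,
    param_4=0x404070 "d") at test.c:43
(More stack frames follow...)
"""  # constructed sample, trimmed from the GDB listing above
WINDBG_KN = r"""0:000> kn
 # ChildEBP RetAddr
00 0012ff20 00408c30 test!func_4 [c:\dmitri\test\test\test.cpp @ 47]
01 0012ff28 00408c69 test!func_3+0x30 [c:\dmitri\test\test\test.cpp @ 44]
"""  # constructed sample, trimmed from the WinDbg listing above
```

Feeding both samples through stack_signature yields the same key, which is the property a crash-triage pipeline relies on when traces arrive from mixed GDB and WinDbg sources.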