WinDbg dump analysis
Introduction of using windbg

Outlines
• What is Dump File
• Dump File Types
• Calling Convention
• Windbg is your good friend
• WinDBG Configuration
• Symbol and Source Code
• Getting Started: How to find nuggets in digital garbage?
• Most Commonly Used Commands in WinDBG
• Welcome to real world...
• Appendix 1: How to generate dump manually
• Appendix 2: How to enable kernel debug in Vista

What is Dump File?
• A dump file is an exception snapshot of an application.
– Stack information
– Process information
– Thread information
– System Resource information
– Heap information
• What can we do by dump file analysis?
– Postmortem
– Figure out “why application crashed”
– Analyze “what’s wrong in process”
– Analyze “why my application hangs”

Dump File Types
• Mini Dump
– Saves limited information for quick analysis. There is only limited thread information, module information, and some (not full) stack data.
• Process Dump
– Saves the entire user space of the process currently in use
– All information of the specified process is saved.
– Usermode addresses only
• Kernel Dump
– Saves all kernel space information, but no user space data
• Full Dump (Entire System Dump)
– Saves entire system data.
– However much physical memory (RAM) you have, that is how big it is.

Calling Convention
• How do functions get parameters and return results?
– Sequence of parameter passing
– Function name decoration
– Stack cleaning
• Calling conventions we can see in Win32
– __cdecl
– __stdcall
– __thiscall
– __fastcall

Calling Convention
• cdecl
– Default convention for C
– Push parameters onto the stack from right to left
• i.e. foo(int a, int b) will push b onto the stack first, then push a. After the parameters are pushed it calls foo().
– Return result in the EAX register
– Function name decoration: add an underscore before the function name.
• i.e. Foo() => _Foo
– Caller should clean up the stack after the function returns

Calling Convention
• stdcall
– Win32 system default convention
– #define WINAPI __stdcall (@ windef.h)
– Push parameters onto the stack from right to left
– Return result in EAX
– Function name decoration: _<function name>@<param size>
• i.e. Foo(int a, char b) => _Foo@5
– Callee function should clean up the stack

Calling Convention
• fastcall
– Fastest convention
– (Microsoft spec) First and second parameters (from left) stored in ECX and EDX; push other parameters onto the stack from right to left
– (Borland spec) First param stored in EAX, second in EDX, third in ECX. Other parameters pushed onto the stack from right to left
– Return result in EAX
– Function name decoration: @<function name>@<param size>
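Added example, not from the original slides: a small C helper that reads a decorated C-linkage symbol the way it appears in a WinDbg stack listing and recovers the convention, the undecorated name and the encoded parameter size, following the decoration rules the calling-convention slides give (cdecl _name, stdcall _name@N, Microsoft fastcall @name@N). That Microsoft fastcall callees pop their own arguments, like stdcall, is an assumption beyond what the slides state.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Win32 x86 calling conventions recognisable from symbol decoration. */
typedef enum { CONV_UNKNOWN, CONV_CDECL, CONV_STDCALL, CONV_FASTCALL } conv_t;

typedef struct {
    conv_t conv;
    char   name[64];      /* undecorated function name */
    int    param_bytes;   /* argument size encoded after '@', -1 if absent */
    int    callee_cleans; /* 1 if the callee pops its arguments (ret N) */
} symbol_info;

/* Parse a decorated symbol such as _Foo, _Foo@8 or @Foo@8.
 * Returns 0 on success, -1 if the string is not a recognised decoration. */
int undecorate(const char *sym, symbol_info *out)
{
    const char *at;
    size_t len;
    memset(out, 0, sizeof *out);
    out->param_bytes = -1;
    if (sym == NULL || sym[0] == '\0') return -1;
    if (sym[0] == '@')      out->conv = CONV_FASTCALL; /* @name@N */
    else if (sym[0] == '_') out->conv = CONV_CDECL;    /* _name (cdecl) or _name@N */
    else return -1;
    at = strchr(sym + 1, '@');
    if (at != NULL) {
        char *end;
        long n = strtol(at + 1, &end, 10);
        if (end == at + 1 || *end != '\0' || n < 0) return -1;
        out->param_bytes = (int)n;
        /* _name@N is stdcall; both stdcall and fastcall (assumed) clean up in the callee. */
        if (out->conv == CONV_CDECL) out->conv = CONV_STDCALL;
        out->callee_cleans = 1;
        len = (size_t)(at - (sym + 1));
    } else {
        if (out->conv == CONV_FASTCALL) return -1; /* fastcall always encodes the size */
        len = strlen(sym + 1);
    }
    if (len == 0 || len >= sizeof out->name) return -1;
    memcpy(out->name, sym + 1, len);
    out->name[len] = '\0';
    return 0;
}

int main(void)
{
    symbol_info s;
    const char *samples[] = { "_Foo", "_Foo@8", "@Foo@8", "Foo" }; /* constructed inputs */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        if (undecorate(samples[i], &s) == 0)
            printf("%-8s conv=%d name=%s bytes=%d callee_cleans=%d\n",
                   samples[i], s.conv, s.name, s.param_bytes, s.callee_cleans);
        else
            printf("%-8s not a recognised decoration\n", samples[i]);
    return 0;
}
```

When a frame in a WinDbg stack shows _Foo@8 and the disassembly ends in ret 8, the parsed param_bytes tells you how many bytes of arguments the callee removed.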