基础调试命令 - wt (watch and trace)
本文介绍windbg动态调试过程中一个非常有用的命令,wt的用法。
wt命令
wt命令之所以称为wt是因为它是watch and trace的简称,即用来观察和跟踪的命令。这个命令一般用在动态调试而不是dump分析中。他的作用是跟踪程序的执行过程,并将每个执行的调用打印到输出。
我们先准备一个简单的斐波那契计算代码,然后通过wt命令来追踪这个程序的执行。
#include "tchar.h" #include <iostream> using namespace std; unsigned Fibonacci(unsigned n) { if(n <= 1) { return n; } return Fibonacci(n-1) + Fibonacci(n-2); } int _tmain(int argc, _TCHAR* argv[]) { cout << Fibonacci(5) << endl; return 0; }
将以上代码编译之后通过windbg打开运行,然后通过x命令查找入口函数main的地址,
0:000> x fibo!main
00391a40 fibo!main (int, char **)
通过uf命令反编译该函数,找出递归开始和结束的地址,
0:000> uf 00391a40
fibo!main [c:usersaaronzhdesktopfibo.cpp @ 16]:
16 00391a40 55 push ebp
16 00391a41 8bec mov ebp,esp
17 00391a43 684c143900 push offset fibo!ILT+1095(?endlstdYAAAV?$basic_ostreamDU?$char_traitsDstd (0039144c)
17 00391a48 6a0a push 0Ah
17 00391a4a e8acfaffff call fibo!ILT+1270(?FibonacciYAIIZ) (003914fb)
17 00391a4f 83c404 add esp,4
17 00391a52 50 push eax
17 00391a53 b9f0ad4000 mov ecx,offset fibo!std::cout (0040adf0)
17 00391a58 e870f6ffff call fibo!ILT+200(??6?$basic_ostreamDU?$char_traitsDstdstdQAEAAV01IZ) (003910cd)
17 00391a5d 8bc8 mov ecx,eax
17 00391a5f e895f7ffff call fibo!ILT+500(??6?$basic_ostreamDU?$char_traitsDstdstdQAEAAV01P6AAAV01AAV01ZZ) (003911f9)
18 00391a64 33c0 xor eax,eax
19 00391a66 5d pop ebp
19 00391a67 c3 ret
通过wt命令来查看整个的递归调用过程,=后面是起始地址。
0:000> wt =00391a48 00391a4f 2 0 [ 0] fibo!main 1 0 [ 1] fibo!ILT+1270(?FibonacciYAIIZ) 9 0 [ 1] fibo!Fibonacci 1 0 [ 2] fibo!ILT+1270(?FibonacciYAIIZ) 9 0 [ 2] fibo!Fibonacci 1 0 [ 3] fibo!ILT+1270(?FibonacciYAIIZ) 9 0 [ 3] fibo!Fibonacci 1 0 [ 4] fibo!ILT+1270(?FibonacciYAIIZ) 9 0 [ 4] fibo!Fibonacci 1 0 [ 5] fibo!ILT+1270(?FibonacciYAIIZ) 9 0 [ 5] fibo!Fibonacci 1 0 [ 6] fibo!ILT+1270(?FibonacciYAIIZ) 9 0 [ 6] fibo!Fibonacci 1 0 [ 7] fibo!ILT+1270(?FibonacciYAIIZ) 9 0 [ 7] fibo!Fibonacci 1 0 [ 8] fibo!ILT+1270(?FibonacciYAIIZ) 9 0 [ 8] fibo!Fibonacci 1 0 [ 9] fibo!ILT+1270(?FibonacciYAIIZ) 9 0 [ 9] fibo!Fibonacci 1 0 [ 10] fibo!ILT+1270(?FibonacciYAIIZ) 10 0 [ 10] fibo!Fibonacci 15 11 [ 9] fibo!Fibonacci 1 0 [ 10] fibo!ILT+1270(?FibonacciYAIIZ) 10 0 [ 10] fibo!Fibonacci 20 22 [ 9] fibo!Fibonacci 15 43 [ 8] fibo!Fibonacci 1 0 [ 9] fibo!ILT+1270(?FibonacciYAIIZ) 10 0 [ 9] fibo!Fibonacci 20 54 [ 8] fibo!Fibonacci 15 75 [ 7] fibo!Fibonacci 1 0 [ 8] fibo!ILT+1270(?FibonacciYAIIZ) 9 0 [ 8] fibo!Fibonacci 1 0 [ 9] fibo!ILT+1270(?FibonacciYAIIZ) 10 0 [ 9] fibo!Fibonacci 15 11 [ 8] fibo!Fibonacci 1 0 [ 9] fibo!ILT+1270(?FibonacciYAIIZ) 10 0 [ 9] fibo!Fibonacci 20 22 [ 8] fibo!Fibonacci 20 118 [ 7] fibo!Fibonacci 15 139 [ 6] fibo!Fibonacci 1 0 [ 7] fibo!ILT+1270(?FibonacciYAIIZ) 9 0 [ 7] fibo!Fibonacci 1 0 [ 8] fibo!ILT+1270(?FibonacciYAIIZ) 9 0 [ 8] fibo!Fibonacci 1 0 [ 9] fibo!ILT+1270(?FibonacciYAIIZ) 10 0 [ 9] fibo!Fibonacci 15 11 [ 8] fibo!Fibonacci 1 0 [ 9] fibo!ILT+1270(?FibonacciYAIIZ) 10 0 [ 9] fibo!Fibonacci 20 22 [ 8] fibo!Fibonacci 15 43 [ 7] fibo!Fibonacci 1 0 [ 8] fibo!ILT+1270(?FibonacciYAIIZ) 10 0 [ 8] fibo!Fibonacci 20 54 [ 7] fibo!Fibonacci 20 214 [ 6] fibo!Fibonacci 15 235 [ 5] fibo!Fibonacci 1 0 [ 6] fibo!ILT+1270(?FibonacciYAIIZ) 9 0 [ 6] fibo!Fibonacci 1 0 [ 7] fibo!ILT+1270(?FibonacciYAIIZ) 9 0 [ 7] fibo!Fibonacci 1 0 [ 8] fibo!ILT+1270(?FibonacciYAIIZ) 9 0 [ 8] fibo!Fibonacci 1 0 [ 9] fibo!ILT+1270(?FibonacciYAIIZ) 10 0 [ 9] fibo!Fibonacci 15 11 [ 8] fibo!Fibonacci 1 0 [ 9] fibo!ILT+1270(?FibonacciYAIIZ) 10 0 [ 9] fibo!Fibonacci 20 22 [ 8] fibo!Fibonacci 15 43 [ 7] fibo!Fibonacci 1 0 [ 8] fibo!ILT+1270(?FibonacciYAIIZ) 10 0 [ 8] fibo!Fibonacci 20 54 [ 7] fibo!Fibonacci 15 75 [ 6] fibo!Fibonacci 1 0 [ 7] fibo!ILT+1270(?FibonacciYAIIZ) 9 0 [ 7] fibo!Fibonacci 1 0 [ 8] fibo!ILT+1270(?FibonacciYAIIZ) 10 0 [ 8] fibo!Fibonacci 15 11 [ 7] fibo!Fibonacci 1 0 [ 8] fibo!ILT+1270(?FibonacciYAIIZ) 10 0 [ 8] fibo!Fibonacci 20 22 [ 7] fibo!Fibonacci 20 118 [ 6] fibo!Fibonacci 20 374 [ 5] fibo!Fibonacci
....
....省略部分输出
.... 2829 instructions were executed in 2828 events (0 from other threads) Function Name Invocations MinInst MaxInst AvgInst fibo!Fibonacci 177 10 20 14 fibo!ILT+1270(?FibonacciYAIIZ) 177 1 1 1 fibo!main 1 2 2 2 0 system calls were executed eax=00000037 ebx=00000003 ecx=00000000 edx=00000000 esi=00000000 edi=003900d8 eip=00391a4f esp=0055f838 ebp=0055f868 iopl=0 nv up ei pl nz na po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202 fibo!main+0xf: 00391a4f 83c404 add esp,4
这个命令对于并不熟悉代码的调用过程的时候非常有用,通过这个方法调用跟踪,对于整个过程的方法调用过程就有了一个完整的概念,之后我们就可以根据相应的函数调用来设置相应的断点来查看我们关心的逻辑。
另外wt命令本身支持很多选项,常用的如下,
- -l,指定要追踪的调用深度(注意后面的数字默认16进制)
- -m,指定要追踪的特定模块,其他的模块调用会被忽略
- -i,指定要被忽略的模块
- -oR,显示函数调用返回值,这个选项对于你已知某个函数调用返回值的含义(例如access denied)时非常有用,通过这个选项追踪特定函数调用,然后直接全局搜索输出,来查看特定值是否被输出,结果就一目了然了。
希望以上内容对您有所帮助
分类: 技术分享 - 工具使用