我正在使用Johnson M. Hart的“Windows System Programming 4th”一书中的以下功能。熟悉Win32 API。我也在用Windbg检查这个功能。 检查指向接收从文件读取的数据的缓冲区的参数时。我从调试器得到下面的输出。有人可以解释如何使用windbg来检查lpBuffer吗?
#include "Everything.h"
#define BUF_SIZE 256
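/*
 * cci_f: copy fIn to fOut, adding `shift` (truncated to one byte) to every
 * byte on the way through. Example function from Hart, "Windows System
 * Programming" (cci = Caesar-cipher style byte shift).
 *
 * fIn   - path of the input file (opened GENERIC_READ, OPEN_EXISTING).
 * fOut  - path of the output file (opened GENERIC_WRITE, CREATE_ALWAYS, so
 *         an existing file is truncated).
 * shift - value added to each byte; only its low 8 bits are used.
 *
 * Returns TRUE when the whole input was read and written. Returns FALSE when
 * either file cannot be opened, when a ReadFile call fails, or when a
 * WriteFile call fails or writes fewer bytes than requested. Both handles
 * are closed on every return path.
 */
BOOL cci_f (LPCTSTR fIn, LPCTSTR fOut, DWORD shift)
{
    HANDLE hIn, hOut;
    DWORD nIn, nOut, iCopy;
    BYTE buffer [BUF_SIZE], bShift = (BYTE)shift;
    BOOL ok = TRUE;

    hIn = CreateFile (fIn, GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hIn == INVALID_HANDLE_VALUE) return FALSE;
    hOut = CreateFile (fOut, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hOut == INVALID_HANDLE_VALUE) {
        CloseHandle (hIn);
        return FALSE;
    }

    for (;;) {
        /* A failed ReadFile is an error and must not be reported as success;
         * a successful read of 0 bytes is end of file. */
        if (!ReadFile (hIn, buffer, BUF_SIZE, &nIn, NULL)) {
            ok = FALSE;
            break;
        }
        if (nIn == 0) break;

        for (iCopy = 0; iCopy < nIn; iCopy++)
            buffer[iCopy] = (BYTE)(buffer[iCopy] + bShift);  /* wraps mod 256 */

        /* A short write would silently drop data, so treat it as a failure
         * just like a WriteFile error. */
        if (!WriteFile (hOut, buffer, nIn, &nOut, NULL) || nOut != nIn) {
            ok = FALSE;
            break;
        }
    }

    CloseHandle (hIn);
    CloseHandle (hOut);
    return ok;
}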
0:000> bp kernel32!readfile
0:000> g
Breakpoint 1 hit
eax=00000000 ebx=00000000 ecx=0018bf0c edx=00000030 esi=00000030 edi=0018ff20
eip=77383f11 esp=0018bddc ebp=0018be20 iopl=0 nv up ei ng nz ac po cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000293
kernel32!ReadFile:
77383f11 ff25ec093877 jmp dword ptr [kernel32!_imp__ReadFile (773809ec)] ds:002b:773809ec={KERNELBASE!ReadFile (75efdc4a)}
0:000> k
ChildEBP RetAddr
0018be20 00411551 kernel32!ReadFile
0018ff44 00411b50 cpW!main+0x181 [c:\microsoft_press\wsp4_examples\chaptr01\cpw.c @ 31]
0018ff88 7738338a cpW!__tmainCRTStartup+0x122 [f:\dd\vctools\crt_bld\self_x86\crt\src\crtexe.c @ 555]
0018ff94 779b9f72 kernel32!BaseThreadInitThunk+0xe
0018ffd4 779b9f45 ntdll!__RtlUserThreadStart+0x70
0018ffec 00000000 ntdll!_RtlUserThreadStart+0x1b
0:000> dd ebp
0018be20 0018ff44 00411551 00000030 0018bf0c
0018be30 00004000 0018ff20 00000000 0041757c
0018be40 00000001 00000000 cccccccc cccccccc
0018be50 cccccccc cccccccc cccccccc cccccccc
0018be60 cccccccc cccccccc cccccccc cccccccc
0018be70 cccccccc cccccccc cccccccc cccccccc
0018be80 cccccccc cccccccc cccccccc cccccccc
0018be90 cccccccc cccccccc cccccccc cccccccc
0:000> da 0018bf0c
0018bf0c "................................"
0018bf2c "................................"
0018bf4c "................................"
0018bf6c "................................"
0018bf8c "................................"
0018bfac "................................"
0018bfcc "................................"
0018bfec "................................"
0018c00c "................................"
0018c02c "................................"
0018c04c "................................"
0018c06c "................................"
建议后,下面的附加调试输出。
0:000> lm
start end module name
00400000 0040a000 cci (deferred)
71580000 71656000 MSVCR110 (deferred)
71660000 71703000 MSVCR90 (deferred)
72660000 72666000 Utility_4_0 (deferred)
76630000 76677000 KERNELBASE (deferred)
76950000 76a60000 kernel32 (deferred)
771d0000 77350000 ntdll (pdb symbols) c:\symbol\wntdll.pdb\69DDFBCBBC14421D8CB974F8EDC414102\wntdll.pdb
0:000> .sympath+ C:\Microsoft_Press\WSP4_Examples\Projects2008\cci\Debug
Symbol search path is: SRV*c:\symbol*http://msdl.microsoft.com/download/symbols;C:\Microsoft_Press\WSP4_Examples\Projects2008\cci\Debug
Expanded Symbol search path is: srv*c:\symbol*http://msdl.microsoft.com/download/symbols;c:\microsoft_press\wsp4_examples\projects2008\cci\debug
************* Symbol Path validation summary **************
Response Time (ms) Location
Deferred SRV*c:\symbol*http://msdl.microsoft.com/download/symbols
OK C:\Microsoft_Press\WSP4_Examples\Projects2008\cci\Debug
0:000> bp cci!main
*** WARNING: Unable to verify checksum for cci.exe
0:000> g
Breakpoint 0 hit
eax=71648634 ebx=00000000 ecx=0048e198 edx=00000000 esi=00000001 edi=00000000
eip=00401020 esp=0018ff4c ebp=0018ff88 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
cci!main:
00401020 55 push ebp
0:000> bp kernel32!Readfile
0:000> g
Breakpoint 1 hit
eax=00000000 ebx=00000000 ecx=0018fd24 edx=0000003c esi=0000003c edi=0018fe44
eip=76963f11 esp=0018fbdc ebp=0018fc20 iopl=0 nv up ei ng nz ac po cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000293
kernel32!ReadFile:
76963f11 ff25ec099676 jmp dword ptr [kernel32!_imp__ReadFile (769609ec)] ds:002b:769609ec={KERNELBASE!ReadFile (7663dc4a)}
0:000> k
ChildEBP RetAddr
0018fc20 004011f3 kernel32!ReadFile
0018fe68 004010a3 cci!cci_f+0xe3 [c:\microsoft_press\wsp4_examples\chaptr02\cci_f.c @ 29]
0018ff48 00401765 cci!main+0x83 [c:\microsoft_press\wsp4_examples\chaptr02\cci.c @ 24]
0018ff88 7696338a cci!__tmainCRTStartup+0xfd [f:\dd\vctools\crt_bld\self_x86\crt\src\crtexe.c @ 536]
0018ff94 77209f72 kernel32!BaseThreadInitThunk+0xe
0018ffd4 77209f45 ntdll!__RtlUserThreadStart+0x70
0018ffec 00000000 ntdll!_RtlUserThreadStart+0x1b
0:000> r esp
esp=0018fbdc
0:000> dd 0018fbdc
0018fbdc 76963ee7 0000003c 0018fd24 00000100
0018fbec 0018fe44 00000000 988c6ffa 0018fe68
0018fbfc 0018fc3c 00000000 769653d0 0018fbf4
0018fc0c 0018fc3c 0018ff78 76a04643 ee02ad2a
0018fc1c fffffffe 0018fe68 004011f3 0000003c
0018fc2c 0018fd24 00000100 0018fe44 00000000
0018fc3c 0018ff48 0018fe7c 00000000 cccccccc
0018fc4c cccccccc cccccccc cccccccc cccccccc
0:000> !handle 0000003c f
Handle 3c
Type File
Attributes 0
GrantedAccess 0x120089:
ReadControl,Synch
Read/List,ReadEA,ReadAttr
HandleCount 2
PointerCount 19
No Object Specific Information available
0:000> da 0018fd24
0018fd24 "................................"
0018fd44 "................................"
0018fd64 "................................"
0018fd84 "................................"
0018fda4 "................................"
0018fdc4 "................................"
0018fde4 "................................"
0018fe04 "................................"
0018fe24 "................................"
0018fe44 ""
0:000> r ebp
ebp=0018fc20
0:000> dd 0018fc20
0018fc20 0018fe68 004011f3 0000003c 0018fd24
0018fc30 00000100 0018fe44 00000000 0018ff48
0018fc40 0018fe7c 00000000 cccccccc cccccccc
0018fc50 cccccccc cccccccc cccccccc cccccccc
0018fc60 cccccccc cccccccc cccccccc cccccccc
0018fc70 cccccccc cccccccc cccccccc cccccccc
0018fc80 cccccccc cccccccc cccccccc cccccccc
0018fc90 cccccccc cccccccc cccccccc cccccccc
0:000> da 0018fd24
0018fd24 "................................"
0018fd44 "................................"
0018fd64 "................................"
0018fd84 "................................"
0018fda4 "................................"
0018fdc4 "................................"
0018fde4 "................................"
0018fe04 "................................"
0018fe24 "................................"
0018fe44 ""
转储Kernel32!Writefile lBuffer显示要写入文件的数据。我不清楚为什么kernel32!ReadFile没有在lpBuffer参数中显示数据。
0:000> bp kernel32!writefile
0:000> g
Breakpoint 2 hit
eax=00000040 ebx=00000000 ecx=0018fe38 edx=00000000 esi=0018fc3c edi=0018fe68
eip=769617ad esp=0018fc08 ebp=0018fc20 iopl=0 nv up ei ng nz ac po cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000293
kernel32!WriteFile:
769617ad ff25e4099676 jmp dword ptr [kernel32!_imp__WriteFile (769609e4)] ds:002b:769609e4={KERNELBASE!WriteFile (7663ddbc)}
0:000> k
ChildEBP RetAddr
0018fc20 0040125b kernel32!WriteFile
0018fe68 004010a3 cci!cci_f+0x14b [c:\microsoft_press\wsp4_examples\chaptr02\cci_f.c @ 36]
0018ff48 00401765 cci!main+0x83 [c:\microsoft_press\wsp4_examples\chaptr02\cci.c @ 24]
0018ff88 7696338a cci!__tmainCRTStartup+0xfd [f:\dd\vctools\crt_bld\self_x86\crt\src\crtexe.c @ 536]
0018ff94 77209f72 kernel32!BaseThreadInitThunk+0xe
0018ffd4 77209f45 ntdll!__RtlUserThreadStart+0x70
0018ffec 00000000 ntdll!_RtlUserThreadStart+0x1b
0:000> dd 0018fc20
0018fc20 0018fe68 0040125b 00000040 0018fd24
0018fc30 00000100 0018fe38 00000000 0018ff48
0018fc40 0018fe7c 00000000 cccccccc cccccccc
0018fc50 cccccccc cccccccc cccccccc cccccccc
0018fc60 cccccccc cccccccc cccccccc cccccccc
0018fc70 cccccccc cccccccc cccccccc cccccccc
0018fc80 cccccccc cccccccc cccccccc cccccccc
0018fc90 cccccccc cccccccc cccccccc cccccccc
0:000> da 0018fd24
0018fd24 "9:(86:::@@98<?8:@;<A<;..9:(86:::"
0018fd44 "@@98<?8:@;<A<;..9:(86:::@@98<?8:"
0018fd64 "@;<A<;..9:(86:::@@98<?8:@;<A<;.."
0018fd84 "9:(86:::@@98<?8:@;<A<;..9:(86:::"
0018fda4 "@@98<?8:@;<A<;..9:(86:::@@98<?8:"
0018fdc4 "@;<A<;..9:(86:::@@98<?8:@;<A<;.."
0018fde4 "9:(86:::@@98<?8:@;<A<;..9:(86:::"
0018fe04 "@@98<?8:@;<A<;..9:(86:::@@98<?8:"
0018fe24 "........"
感谢社区提供的洞察力。我可以通过首先在Kernel32!ReadFile上设置断点来查看lpBuffer中的数据。然后执行gu(gu命令使目标执行,直到当前函数完成)。此后我可以转储缓冲区。现在显示我感兴趣的数据。
答案 0 :(得分:4)
/* Win32 ReadFile prototype as quoted in the answer. lpBuffer is an _Out_
 * parameter: while stopped on entry to ReadFile it still holds whatever the
 * caller put there, and it only receives file data once the call returns
 * (hence the `gu` step in the walkthrough below). */
BOOL WINAPI ReadFile(
_In_ HANDLE hFile,
_Out_ LPVOID lpBuffer,
_In_ DWORD nNumberOfBytesToRead,
_Out_opt_ LPDWORD lpNumberOfBytesRead,
_Inout_opt_ LPOVERLAPPED lpOverlapped
);
如果在 ReadFile 上中断 (broken on ReadFile)，lpBuffer 将包含 rubbish / garbage / zeros 或预初始化的内容（取决于你如何分配和初始化该缓冲区）；只有在从该 API 返回之后 (only after you return from the API)，此缓冲区才会被填充文件的内容。要退出该函数，使用 gu (go up)。当你在 32 位系统上的 kernel32.dll 中的 ReadFile 处中断时，先保存缓冲区的地址 (save the address of buffer first)，以便稍后检查缓冲区；缓冲区地址应位于 @esp+08。
下面是 walk through。演示程序在当前目录创建一个新文件 (creates a new file in current directory)，然后向其写入内容 (writes to it)，然后重置文件位置 (resets the file position) 以便从文件开头读取，接着读取文件 (reads the file)，将内容打印到 stdout (prints the content to stdout)，最后关闭句柄 (closing the handle) 并退出。cdb 是控制台模式的 windbg；其 -c 开关用于在执行事件上执行命令。g main 执行文件直到 main，以避免无趣的中断；bp kernel32!ReadFile 在该 API 上设置断点；g 以便在我们的断点处中断。
bc * 清除所有断点（建议养成此时清除断点的习惯，尤其是在脚本中）。r $t0 = poi(@esp+8) 将指向 lpBuffer 的指针保存起来：在 32 位系统中，在函数入口处中断时，poi(@esp+0) 始终是返回地址，poi(@esp+4) 始终是第一个参数。.echo 用于输出一条注释；db @$t0 l20 打印执行 ReadFile() 之前 lpBuffer 的前 20 个字节；gu 是 go up，即执行直到 ReadFile() 返回；随后再次用 .echo 输出注释，db @$t0 l20 打印执行 ReadFile() 之后 lpBuffer 的前 20 个字节。
readfile> type readfile.cpp & %compile%readfile.cpp & readfile.exe
post
使用windbg
readfile> cdb -c "g main; bp kernel32!ReadFile; g; bc *; r $t0 = poi(@esp+8); .echo =============buffer contents pre readfile================; db @$t0 l20; gu; .echo ======================buffer contents post readfile=================; db @$t0 l20; g; q" readfile.exe
g;q is to continue and quit
使用#include <stdio.h>
#include <Windows.h>
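/*
 * Demo program for the cdb walkthrough above: create mynewtxt.txt in the
 * current directory, write `writein` to it, rewind, read it back into
 * `readin` (which deliberately starts out holding "rubbish" text so a
 * breakpoint on ReadFile shows the buffer before and after the call),
 * print what was read, and close the handle.
 *
 * Returns 0 regardless of whether the I/O succeeded; the debugger output,
 * not the exit code, is the point of this program.
 */
int main(void) {
    char writein[] = {"Iam going to write me in\n"};
    char readin [] = {"Iam rubbish Iam garbage Readfile will clean me up\n" };
    DWORD bytesreadoutin = 0;
    BOOL result = FALSE;
    /* Request only the access the demo actually uses (read + write)
     * instead of GENERIC_ALL. */
    HANDLE hFile = CreateFileA("mynewtxt.txt", GENERIC_READ | GENERIC_WRITE,
                               FILE_SHARE_WRITE | FILE_SHARE_READ, NULL,
                               CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
    if (INVALID_HANDLE_VALUE == hFile) {
        return 0;
    }
    /* sizeof(writein) includes the terminating NUL, so it is written to the
     * file and read back as well. */
    result = WriteFile(hFile, writein, sizeof(writein), &bytesreadoutin, NULL);
    if (result == TRUE && bytesreadoutin == sizeof(writein)) {
        /* The distance argument is a LONG, so pass 0 rather than NULL. */
        if (INVALID_SET_FILE_POINTER != SetFilePointer(hFile, 0, NULL, FILE_BEGIN)) {
            /* Read back exactly what was written; readin is larger than
             * writein, so the tail of readin keeps its original text. */
            result = ReadFile(hFile, readin, sizeof(writein), &bytesreadoutin, NULL);
            if (result == TRUE) {
                /* Buffer contents are data, never a format string. */
                printf("%s", readin);
            }
        }
    }
    CloseHandle(hFile);
    return 0;
}
Setting environment for using Microsoft Visual Studio 2010 x86 tools.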
readfile.cpp
Press any key to continue . . .
I am going to write me in
和ntdll!DbgBreakPoint:
7c90120e cc int 3
0:000> cdb: Reading initial command 'g main;bp kernel32!ReadFile;g;bc *;r $t0 =
poi(@esp+8);.echo =============buffer contents pre readfile================;db @
$t0 l20;gu;.echo ======================buffer contents post readfile============
=====;db @$t0 l20;g;q'
Breakpoint 0 hit
=============buffer contents pre readfile================
0013ff34 49 20 61 6d 20 72 75 62-62 69 73 68 20 49 20 61 I am rubbish I a
0013ff44 6d 20 67 61 72 62 61 67-65 49 20 77 69 6c 6c 20 m garbageI will
======================buffer contents post readfile=================
0013ff34 49 20 61 6d 20 67 6f 69-6e 67 20 74 6f 20 77 72 I am going to wr
0013ff44 69 74 65 20 6d 65 20 69-6e 0a 00 77 69 6c 6c 20 ite me in..will
I am going to write me in
quit:
编写一个简单的脚本（脚本文件内容放在 .block {} 中），并设置一个条件断点，例如 bp kernel32!ReadFile "$$>a< X:\\blah.ext"。请注意，ReadFile 是一个非常繁忙的 API (Very Busy Api)；一般情况下不要 (do not) 在繁忙的 API 上设置永久断点 (permanent breaks in busy apis)，因为这可能会导致性能非常糟糕或会话中出现不良的缓慢，并且在调试与时间相关的代码的问题时可能会引入严重问题。
答案 1 :(得分:3)
这是一系列Windbg命令,用于查看调用ReadFile时lpBuffer中收到的字节数。
bp ReadFile
r $t1 = dwo(esp+8) ;lpBuffer
pt ;execute till return
db @$t1 ;dump bytes in lpBuffer
你可以找到一个简单的Windbg脚本拦截ReadFile调用here。