Getting a stack trace of a process from a DLL it uses

Time: 2018-07-09 13:44:37

Tags: c++11 assembly visual-c++ dll memory-alignment

I am working on a VC++ 2013 project and trying to obtain the stack trace of the calling function in the main process from a DLL attached to it. The attached DLL defines _penter and _pexit, and the main process is built with the /Gh and /GH flags so that these functions get called. However, when I try to get the stack trace, it crashes in the CaptureStackBackTrace function. I was thinking that since _penter and _pexit are defined in the DLL, it cannot see the main process's stack. All I see is that it entered _penter and _pexit; I don't see any other symbols. I may be wrong. Here is the code (I took it from a Stack Overflow answer). This is the code to get the function names,

#include <windows.h>
#include <dbghelp.h>   // SymInitialize / SymFromAddr; link with dbghelp.lib
#include <stdio.h>
#include <stdlib.h>

void printStackTrace(void)   // reached via _penter -> on_enter -> printStackTrace
{
    HANDLE process = GetCurrentProcess();
    SymInitialize(process, NULL, TRUE);   // TRUE: load symbols for all loaded modules

    void *stack[100];
    USHORT frames = CaptureStackBackTrace(0, 100, stack, NULL);
    SYMBOL_INFO *symbol = (SYMBOL_INFO *)calloc(sizeof(SYMBOL_INFO) + 256 * sizeof(char), 1);
    symbol->MaxNameLen = 255;
    symbol->SizeOfStruct = sizeof(SYMBOL_INFO);
    SymFromAddr(process, (DWORD64)(stack[1]), 0, symbol);   // frame 1 = caller of this function

    // symbol->Address is a 64-bit ULONG64; %X shows only its low 32 bits
    printf("%i: %s - 0x%0X\n", frames - 1 - 1, symbol->Name, symbol->Address);
}

This crashes at the line frames = CaptureStackBackTrace(0, 100, stack, NULL); after some calls. This is the output,

1: printStackTrace - 0xEDB71730
1: on_enter - 0xEDB71840
1: _penter - 0xEDB71890
1: printStackTrace - 0xEDB71730
1: on_enter - 0xEDB71840
1: _penter - 0xEDB71890
1: printStackTrace - 0xEDB71730
1: on_enter - 0xEDB71840
1: _penter - 0xEDB71890
1: printStackTrace - 0xEDB71730
1: on_enter - 0xEDB71840
1: _pexit - 0xEDB718DC
1: printStackTrace - 0xEDB71730
1: on_enter - 0xEDB71840
1: _pexit - 0xEDB718DC
1: printStackTrace - 0xEDB71730
1: on_enter - 0xEDB71840
1: _penter - 0xEDB71890
1: printStackTrace - 0xEDB71730
1: on_enter - 0xEDB71840
1: _penter - 0xEDB71890
1: printStackTrace - 0xEDB71730
1: on_enter - 0xEDB71840
1: _penter - 0xEDB71890
1: printStackTrace - 0xEDB71730
1: on_enter - 0xEDB71840
1: _penter - 0xEDB71890

It crashes here. This is the crash:

Unhandled exception at 0x00007FF9F8679D62 (ntdll.dll) in TraceTrack.exe: 0xC0000005: Access violation reading location 0xFFFFFFFFFFFFFFFF.

Can someone help me?

EDIT: Here is my asm file,

extern entry:Proc
extern exitp:Proc
public _penter
public _pexit

.code
    PUSHREGS    macro
        push    rax
        push    rcx
        push    rdx
        push    r8
        push    r9
        push    r10
        push    r11
    endm

    POPREGS macro
        pop r11
        pop r10
        pop r9
        pop r8
        pop rdx
        pop rcx
        pop rax
    endm

_penter proc
    push rax
    lahf
    PUSHREGS
    sub rsp, 8+16
    movdqu xmmword ptr[rsp], xmm0
    sub rsp ,8
    sub  rsp,28h 
    mov  rcx,rsp
    mov  rcx,qword ptr[rcx+136]
    call entry
    add  rsp,28h
    add rsp, 8 
    movdqu xmm0, xmmword ptr[rsp]
    add rsp, 8+ 16
    POPREGS
    sahf
    pop rax
    ret
_penter endp

_pexit proc
    push rax
    lahf
    PUSHREGS
    sub rsp, 8+16
    movdqu xmmword ptr[rsp], xmm0
    sub rsp ,8
    sub  rsp,28h 
    mov  rcx,rsp
    mov  rcx,qword ptr[rcx+136]
    call exitp
    add  rsp,28h
    add rsp, 8 
    movdqu xmm0, xmmword ptr[rsp]
    add rsp, 8+ 16
    POPREGS
    sahf
    pop rax
    ret
_pexit endp

end

EDIT2:

Also, I tried printing the 3rd frame with the line SymFromAddr(process, (DWORD64)(stack[3]), 0, symbol); and found something strange. I got this output,

1:  - 0x0
1:  - 0x0
1: printStackTrace - 0xF0841750
1: printStackTrace - 0xF0841750
1:  - 0x0
1: on_enter - 0xF0841820
1:  - 0x0
1:  - 0x0
1:  - 0x0

These functions are organized as (function in the actual program) -> _penter (exposed in the DLL) -> on_enter (exposed in the DLL) -> printstackFrame (exposed in the DLL)

0 answers
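The crash reported in the question happens inside a call made from _penter, so two things worth checking in the posted asm are whether the frame it builds keeps the x64 calling convention's 16-byte stack alignment at "call entry", and whether [rcx+136] really is _penter's return address. The following C program is an added example, not code from the question: it models the question's exact push/sub sequence, and assumes that /Gh emits "call _penter" as the first instruction of the hooked function, so that rsp is 16-byte aligned on entry to _penter.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the stack adjustments the question's _penter makes
   before 'call entry' (not code from the question). */
typedef struct {
    const char *insn;   /* instruction(s) as written in the asm */
    uint64_t    bytes;  /* bytes by which rsp decreases */
} StackOp;

static const StackOp penter_ops[] = {
    { "push rax",              8 },
    { "PUSHREGS (7 pushes)",  56 },
    { "sub rsp, 8+16",        24 },
    { "sub rsp, 8",            8 },
    { "sub rsp, 28h",         40 },
};
#define N_OPS (sizeof penter_ops / sizeof penter_ops[0])

/* Assumption: /Gh emits 'call _penter' as the hooked function's first
   instruction. There rsp == 8 (mod 16) per the x64 convention, and the call
   pushes 8 more bytes, so _penter starts with rsp == 0 (mod 16). */
#define RSP_AT_PENTER_ENTRY 0x000000E1F0FFFF00ULL   /* any such sample value */

/* Bytes between rsp at 'call entry' and _penter's own return address: the
   offset that 'mov rcx, qword ptr [rcx+136]' relies on. */
uint64_t return_address_offset(void) {
    uint64_t total = 0;
    for (size_t i = 0; i < N_OPS; i++) total += penter_ops[i].bytes;
    return total;
}

/* rsp mod 16 at the 'call entry' instruction. The x64 convention requires 0
   here (the callee then sees rsp == 8 mod 16 plus 32 bytes of shadow space). */
unsigned rsp_mod16_at_call(void) {
    return (unsigned)((RSP_AT_PENTER_ENTRY - return_address_offset()) % 16);
}

/* Extra bytes of 'sub rsp' that would restore 16-byte alignment at the call. */
unsigned padding_to_realign(void) {
    return (16 - rsp_mod16_at_call()) % 16;
}

int main(void) {
    printf("return address at [rsp+%llu], rsp %% 16 at call = %u, padding needed = %u\n",
           (unsigned long long)return_address_offset(), rsp_mod16_at_call(), padding_to_realign());
    return 0;
}
```

With the sequence as posted the offset 136 is right, but rsp ends up 8 mod 16 at the call, so entry (and CaptureStackBackTrace beneath it) runs on a stack the convention says must be aligned; reserving 8 more bytes (30h instead of 28h, with the [rcx+136] offset raised to 144 to match) would realign it, although the question itself does not confirm that this is what triggers the access violation.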