使用Windbg PyKD Python扩展在调用指令时打印/中断
使用WinDBG的python扩展,我只想在控制台中打印调用指令。一种一步调试
我的代码:
from pykd import *
pid = raw_input ('pid >>> ')
id=attachProcess(int(pid))
print id
while 1:
trace()
r_o = dbgCommand('r')
line = r_o.split('\n')[-2]
sp_line = line.split()
addr = int(sp_line[0],16)
ins = sp_line[2]
if ins == "call":
print line我尝试了上面的代码,得到了下面的结果。
输出:
C:\Program Files (x86)\Debugging Tools for Windows (x86)\winext>db.py
[+] Starting...
pid >>> 3516
0
76ec000d c3 ret
76f4f926 eb07 jmp ntdll!DbgUiRemoteBreakin+0x45 (76f4f92f)
76f4f92f c745fcfeffffff mov dword ptr [ebp-4],0FFFFFFFEh ss:002b:0029ff84=00000000
76f4f936 6a00 push 0
76f4f938 e8df86fbff call ntdll!RtlExitUserThread (76f0801c)
76ed0096 83c404 add esp,4这里的问题似乎是,在调试器进入进程后,调试线程被启动,调试线程在某个时候被终止,因为它是当前线程我们可以看到最后一次调用ntdll!RtlExitUserThread。因此,即使运行调试器应用程序,我也看不到命令行中的任何东西。
我看到了一个使用winappdbg并执行类似操作的脚本。下面是脚本:
https://github.com/MarioVilas/winappdbg/blob/master/tools/ptrace.py
我想建造类似的东西。
回答 1
Stack Overflow用户
发布于 2015-01-23 11:25:21
不是pykd回答,而是内置的pc/tc (步骤/跟踪到下一个调用)将打印出所有的调用。
0:000> .printf "%y\n" , @eip
multithread!wmain (00411430)
0:000> $ iam at start of winmain and i have disabled all output except disassembly via .prompt_allow
0:000> $ i have set a breakpoint on winmains exit
0:000> $ code for demo is exact copy paste of msdn sample code for createthread documentation
0:000> $lets roll and log all call instructions 0:000> tc 1000000
0041147c ff1530824100 call dword ptr [multithread!_imp__GetProcessHeap (00418230)]
00411484 e8e9fcffff call multithread!ILT+365(__RTC_CheckEsp) (00411172)
0041148a ff152c824100 call dword ptr [multithread!_imp__HeapAlloc (0041822c)]
7c955264 e827ffffff call ntdll!LdrpTagAllocateHeap (7c955190)
7c9551b0 e80faffbff call ntdll!RtlAllocateHeap (7c9100c4)
7c9100ce e8f8e7ffff call ntdll!_SEH_prolog (7c90e8cb)
removed =====================
7c923b25 e80b000000 call ntdll!LdrShutdownProcess+0x1e0 (7c923b35)
7c923b3a e8a1d5fdff call ntdll!RtlLeaveCriticalSection (7c9010e0)
7c923b2a e8d7adfeff call ntdll!_SEH_epilog (7c90e906)
7c81cac3 ff153410807c call dword ptr [kernel32!_imp__CsrClientCallServer (7c801034)]
7c912de3 e8f6acffff call ntdll!NtRequestWaitReplyPort (7c90dade)
7c90dae8 ff12 call dword ptr [edx]
7c90e512 0f34 sysenter
7c81cacc ffd6 call esi
7c90de78 ff12 call dword ptr [edx]
7c90e512 0f34 sysenter
7c90e514 c3 ret如果您正在跟踪msdn示例中的代码,并且希望跟踪线程调用,则可以使用断点( hack,但在大多数情况下都能工作)。
.prompt_allow禁用dis-程序集以外的所有内容。
在conditional break-point上设置CreateThread
条件为setting another break point on poi(@esp+c) LpThreadStartRoutine和continuing
next three pc 1000000是直到下一次调用和one quit的步骤
我们在示例中使用know we have three threads,所以我们自动化了pc 10000000
三次if you don't know在手动执行enter pc 1000000 manually on each thread exit之前执行多少个线程。
:国开行-c ".prompt_allow -src -reg -sym -ea ;g wmain;bp kernel32!CreateThread \"ba e1 poi( @esp+c)“$tid ;pc 100000”;gc“;pc 100000;pc 1000000;pc 10000000;pc 1000000;pc 10000000;q”multithread.exe grep -iE“CreateThread e1 poi(@esp+c)”$tid;pc 100000 \";gc \“;pc 100000;pc 1000000;pc 10000000;pc 1000000;Q”multithread.exe grep-iE“
Evaluate expression: 2148 = 00000864
004011c6 ff1520204000 call dword ptr [multithread!_imp__WriteConsoleW (004
02020)]
Evaluate expression: 2780 = 00000adc
004011c6 ff1520204000 call dword ptr [multithread!_imp__WriteConsoleW (004
02020)]
Evaluate expression: 3440 = 00000d70
004011c6 ff1520204000 call dword ptr [multithread!_imp__WriteConsoleW (004
02020)]https://stackoverflow.com/questions/28097300
复制相似问题
腾讯云开发者
Copyright © 2013 - 2026 Tencent Cloud. All Rights Reserved. 腾讯云 版权所有
深圳市腾讯计算机系统有限公司 ICP备案/许可证号:粤B2-20090059 
粤公网安备44030502008569号
腾讯云计算(北京)有限责任公司 京ICP证150476号 | 京ICP备11018762号