调用kernel32.dll函数时获取调用栈 [英] Get the callstack(s) when a kernel32.dll function is called

问题描述

我有一个更改其当前目录的过程，我想知道它的发生时间和位置。我该怎么做？

I have a process that changes its current directory, and I would to know when and where it happens. How could I do that?

我尝试使用Visual Studio在SetCurrentDirectoryA / SetCurrentDirectoryW中设置断点，但是它不起作用。

I tried setting a breakpoint in SetCurrentDirectoryA/SetCurrentDirectoryW with Visual Studio, but it does not work.

推荐答案

您要调试自己的程序之一，还是没有源代码的程序？ Visual Studio调试器在调试无源应用程序方面不是很友好。在这种情况下，我建议使用 WinDbg 或 OllyDbg -甚至跳过调试器，并使用。

Are you debugging one of your own programs, or one that you don't have the source code for? The Visual Studio debugger isn't very friendly with regards to debugging no-source applications; in that case, I would recommend WinDbg or OllyDbg - or even skipping the debugger and write an instrumented logger using EasyHook.

尝试在 {,, kernel32。 dll} _SetCurrentDirectoryA @ 4 -特殊的语法，并且需要修饰的名称。我自己还没有尝试过，但是发现它此处。 Google关键字： Visual Studio断点API ：）

Try setting a breakpoint at {,,kernel32.dll}_SetCurrentDirectoryA@4 - peculiar syntax and requires decorated names. Haven't tried it myself, but found it here. Google keywords: "visual studio breakpoint api" :)

这篇关于调用kernel32.dll函数时获取调用栈的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！