What does kb show for 64 bit processes?


Problem description

I have recently made a mistake analyzing a callstack, because I didn't expect the application to be 64 bit. I have used the WinDbg command kb to show the callstack and the parameters passed to methods.

On 64 bit, the parameters are not passed via the stack but in registers (RCX, RDX, R8 and R9) instead. It seems that WinDbg has not, or not fully, implemented this. Partly I guess it is almost impossible, since the register values might have changed in the meantime.

However, the WinDbg help still lists kb as a valid command under User-Mode, x64 Processor. Therefore my question is:

What does kb display for 64 bit user mode processes? When/how is that output useful?

Recommended answer

The "Args to Child" output shown by kb and kv in WinDbg has always been very suspect; even on x86, those columns don't necessarily show you the arguments to the function.

On x86, the "Args to Child" are simply [EBP+0x08], [EBP+0x0C], and [EBP+0x10] (kv shows four arguments, thus the last column is [EBP+0x14]). These will only be the arguments to the function if:

  1. The function uses an EBP frame
  2. The function has its parameters passed via the stack (depends on the calling convention)
  3. The optimizer has not reused those locations for something else

On x64, as you noted, the first four arguments to the function are passed via registers. However, as part of the calling convention the caller is required to allocate "Home" (or "Spill") space on the stack for each of these arguments. This space is always allocated, even if the called function takes fewer than four arguments. The called function is then free to use this Home Space any way it chooses; it may:

  1. Ignore it
  2. Save non-volatile registers there
  3. "Home" the register-passed arguments onto the stack

The kb and kv output shows the Home Space in order (RCX Home, RDX Home, R8 Home, R9 Home). Most frequently this space will be used for 1 or 2 above, thus it won't actually have anything to do with the passed-in arguments. However, in the Debug build the compiler immediately homes the passed-in arguments to make debugging easier.

For example, here's the prolog of a function with two arguments compiled Debug. Note the homing of the arguments as the first instructions:

0:000> u DriverEntry
mov     qword ptr [rsp+10h],rdx
mov     qword ptr [rsp+8],rcx
push    rdi
sub     rsp,0C0h

And the same code compiled Release, using the Home Space for non-volatile register preservation:

0:000> u DriverEntry
mov     qword ptr [rsp+8],rbx
mov     qword ptr [rsp+10h],rdi
push    rbp
lea     rbp,[rsp-57h]
sub     rsp,0B0h

This means the Home Space is usually pretty useless in terms of getting the arguments to the function. However, it can still be used as a debugging aid to reconstruct non-volatile register values on function entry (i.e. I can tell you the value of RBX or RDI above by looking at the Home Space).
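The WinDbg session below shows how to check the "Args to Child" columns against the live registers yourself, first for the x64 home-space case the answer describes and then for the x86 [EBP+8]... case. It is an added example and not part of the original question or answer: `myfunc!DriverEntry` reuses the answer's DriverEntry with an assumed module name, the `p 2` step counts assume the two-instruction prologs shown above (and, on x86, a `push ebp / mov ebp,esp` frame setup), and no register or stack values are shown because they depend on the target.

```windbg
0:000> $$ x64: break at function entry, before any of the prolog has run
0:000> bp myfunc!DriverEntry
0:000> g
0:000> $$ the real first four arguments are in registers at this point
0:000> r rcx,rdx,r8,r9
0:000> $$ the four home slots: [rsp+8] RCX Home, [rsp+10h] RDX Home, [rsp+18h] R8 Home, [rsp+20h] R9 Home
0:000> $$ rsp still points at the return address, so they hold whatever the caller last left there
0:000> dq @rsp+8 L4
0:000> $$ kb prints exactly those four qwords as "Args to Child" for frame 0
0:000> kb
0:000> $$ step the first two prolog instructions (rsp is unchanged by them in both prologs above)
0:000> p 2
0:000> $$ Debug build: the slots now hold RCX and RDX (the homed arguments)
0:000> $$ Release build: they hold the saved RBX and RDI, so "Args to Child" for this
0:000> $$ frame tells you the caller's RBX/RDI, not the arguments
0:000> dq @rsp+8 L2

0:000> $$ x86: the same columns are [ebp+8], [ebp+0Ch], [ebp+10h], [ebp+14h] of each frame
0:000> $$ step past "push ebp / mov ebp,esp" first, otherwise ebp still belongs to the caller
0:000> bp myfunc!DriverEntry
0:000> g
0:000> p 2
0:000> dd @ebp+8 L4
0:000> kv
```

Comparing the `r` output with the `dq`/`dd` output before and after the prolog is the quickest way to tell, for a given build, whether a frame's "Args to Child" are arguments, saved non-volatile registers, or stale data.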
