kb显示64位进程? [英] What does kb show for 64 bit processes?
问题描述
kb 来显示调用堆栈和传递给方法的参数。 在64位,参数不是通过堆栈传递,而是通过寄存器(RCX,RDX,R8和R9)传递。看来WinDbg还没有完全实现。部分我猜这是几乎不可能,因为寄存器值可能已经改变了。
但是,WinDbg帮助仍然列出 kb 作为用户模式x64处理器之间的有效命令。因此,我的问题是:
对于64位用户模式进程, kb 显示什么?何时/如何输出有用?
WinDbg中的kb和kv中显示的Args to Child输出一直是非常怀疑,即使在x86上,这些列也不一定会显示你对函数的参数。
在x86上,Args to Child只是[EBP + 0x08],[EBP + 0x0C]和[EBP + 0x10](kv显示四个参数,因此最后一列为[EBP + 0x14])。这些仅仅是函数的参数:
- 该函数使用EBP框架
- 该函数具有堆栈传递的参数(取决于调用约定)
- 优化程序没有将其他位置重新使用
在x64上,您注意到函数的前四个参数通过寄存器传递。然而,作为调用约定的一部分,调用者需要为堆栈中的每个参数分配Home(或Spill)空间。这个空间总是分配,即使被调用的函数占用少于四个参数。被叫功能然后可以随意使用这个家庭空间以任何方式选择,它可以:
- 忽略它
- 保存非易失性寄存器
- 首页寄存器将参数传递到堆栈
kb和kv输出按顺序显示家庭空间(RCX Home,RDX Home,R8 Home,R9 Home)。这个空间最常用于1或2以上,因此实际上与传入的参数无关。然而,在Debug构建中,编译器立即收到传入的参数,使调试更容易。
例如,这里是一个函数的序言,其中有两个参数被编译为Debug。请注意参数的归位是第一个说明:
0:000> u DriverEntry
mov qword ptr [rsp + 10h],rdx
mov qword ptr [rsp + 8],rcx
push rdi
sub rsp,0C0h
同样的代码编译为Release,使用Home Space进行非易失性注册保存:
0:000> u DriverEntry
mov qword ptr [rsp + 8],rbx
mov qword ptr [rsp + 10h],rdi
push rbp
lea rbp,[rsp-57h]
sub rsp,0B0h
这意味着家庭空间在获取参数方面通常很无用到功能。然而,它仍然可以用作调试辅助来重建功能输入上的非易失性寄存器值(即,可以通过查看归属空间告诉您上面的RBX或RDI的值)
I have recently made a mistake analyzing a callstack, because I didn't expect the application to be 64 bit. I have used the WinDbg command kb to show the callstack and parameters passed to methods.
On 64 bit, the parameters are not passed via the stack but in registers (RCX, RDX, R8 and R9) instead. It seems that WinDbg has not or not fully implemented this. Partly I guess it is almost impossible since the register values might have changed meanwhile.
However, the WinDbg help still lists kb as a valid command under User-Mode, x64 Processor. Therefore my question is:
What does kb display for 64 bit user mode processes? When/how is that output useful?
The "Args to Child" output shown in kb and kv in WinDbg has always been very suspect, even on the x86 those columns don't necessarily show you the arguments to the function.
On the x86, the "Args to Child" are simply [EBP+0x08], [EBP+0x0C], and [EBP+0x10] (kv shows four arguments, thus the last column is [EBP+0x14]). These will only be the arguments to the function if:
- The function uses an EBP frame
- The function has stack passed arguments (depends on the calling convention)
- The optimizer hasn't reused those locations for something else
On the x64, as you noted the first four arguments to the function are passed via registers. However, as part of the calling convention the caller is required to allocate "Home" (or "Spill") Space on the stack for each of these arguments. This space is always allocated, even if the called function takes fewer than four arguments. The called function is then free to use this Home Space any way it chooses, it may:
- Ignore it
- Save non-volatile registers there
- "Home" the register passed parameters onto the stack
The kb and kv output shows the Home Space in order (RCX Home, RDX Home, R8 Home, R9 Home). Most frequently this space will be used for 1 or 2 above, thus it won't actually have anything to do with the passed in arguments. However, in the Debug build the compiler immediately Homes the passed in arguments to make debugging easier.
For example, here's the prolog of a function with two arguments compiled Debug. Note the Homing of the arguments as the first instructions:
0:000> u DriverEntry
mov qword ptr [rsp+10h],rdx
mov qword ptr [rsp+8],rcx
push rdi
sub rsp,0C0h
And the same code compiled Release, using the Home Space for non-volatile register preservation:
0:000> u DriverEntry
mov qword ptr [rsp+8],rbx
mov qword ptr [rsp+10h],rdi
push rbp
lea rbp,[rsp-57h]
sub rsp,0B0h
This means the Home Space is usually pretty useless in terms of getting the arguments to the function. However, it can still be used as a debugging aid to reconstruct non-volatile register values on function entry (i.e. I can tell you the value of RBX or RDI above by looking at the Home Space)
这篇关于kb显示64位进程?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
