WinDbg: viewing function addresses

2021-10-25 16:08:16

Sometimes you need to look up the address of a function. Official link:

Example: x /d /f lec_teacher!c*

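The following command finds all symbols in mymodule that contain the string "spin".

0:000> x mymodule!*spin*

The following command quickly locates the "downloadminor" and "downloadmajor" symbols in mymodule.

0:000> x mymodule!downloadm??or

You can also display all symbols in mymodule with the following command.

0:000> x mymodule!*

The preceding command also forces the debugger to reload the symbol information for mymodule.

If you want to reload the module's symbols with minimal output, use the following command.

0:000> x mymodule!*start*

A few symbols always contain the string "start", so the preceding command always prints some output, which confirms that the command worked, while avoiding the long listing that x mymodule!* produces.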

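The output shows the starting address and full name of each symbol. If the symbol is a function name, the output also includes a list of its argument types. If the symbol is a global variable, its current value is shown.

There is one more special case of the x command. To display the addresses and names of all local variables in the current context, use the following command.

0:000> x *

This displays the local variables.

Official documentation: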

dx -id 2,2 -r1 ((lec_teacher!graphicstoolmanager *)0x1e7cb010)
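-r1: expand the displayed object only one level deep, for example showing the value of m_graphicstoolsbar. With -r2, the member variables of m_graphicstoolsbar are printed as well.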

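Use the Environment object to display the TEB and PEB information associated with a thread and a process.

To display the TEB associated with the current thread, use this command.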

0: kd> dx -r2 @$curthread.environment
@$curthread.environment
environmentblock [type: _teb]
[+0x000] nttib [type: _nt_tib]
[+0x038] environmentpointer : unable to read memory at address 0x38
[+0x040] clientid [type: _client_id]
[+0x050] activerpchandle : unable to read memory at address 0x50
[+0x058] threadlocalstoragepointer : unable to read memory at address 0x58
[+0x060] processenvironmentblock : unable to read memory at address 0x60
[+0x068] lasterrorvalue : unable to read memory at address 0x68
[+0x06c] countofownedcriticalsections : unable to read memory at address 0x6c
[+0x070] csrclientthread : unable to read memory at address 0x70
[+0x078] win32threadinfo : unable to read memory at address 0x78
[+0x080] user32reserved [type: unsigned long [26]]
[+0x0e8] userreserved [type: unsigned long [5]]
[+0x100] wow32reserved : unable to read memory at address 0x100
[+0x108] currentlocale : unable to read memory at address 0x108
[+0x10c] fpsoftwarestatusregister : unable to read memory at address 0x10c
...

To display the PEB associated with the current process, use this command.

0: kd> dx -r2 @$curprocess.environment
@$curprocess.environment
environmentblock [type: _peb]
[+0x000] inheritedaddressspace : unable to read memory at address 0x0
[+0x001] readimagefileexecoptions : unable to read memory at address 0x1
[+0x002] beingdebugged : unable to read memory at address 0x2
[+0x003] bitfield : unable to read memory at address 0x3
[+0x003 ( 0: 0)] imageuseslargepages : unable to read memory at address 0x3
[+0x003 ( 1: 1)] isprotectedprocess : unable to read memory at address 0x3
[+0x003 ( 2: 2)] isimagedynamicallyrelocated : unable to read memory at address 0x3
[+0x003 ( 3: 3)] skippatchinguser32forwarders : unable to read memory at address 0x3
[+0x003 ( 4: 4)] ispackagedprocess : unable to read memory at address 0x3
[+0x003 ( 6: 6)] isprotectedprocesslight : unable to read memory at address 0x3
[+0x003 ( 7: 7)] islongpathawareprocess : unable to read memory at address 0x3
[+0x004] padding0 [type: unsigned char [4]]
[+0x008] mutant : unable to read memory at address 0x8
[+0x010] imagebaseaddress : unable to read memory at address 0x10
[+0x018] ldr : unable to read memory at address 0x18
[+0x020] processparameters : unable to read memory at address 0x20
...
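
Most fields in the two listings above report "unable to read memory". As an added example (not from the original page or the WinDbg documentation), this Python script parses pasted dx output in that format and subtracts each field offset from the failing address to show which base address the reads were made against. The sample lines are constructed to match the PEB listing, and the function names are hypothetical.

```python
import re
# Constructed sample, in the same shape as the dx listing above.
SAMPLE = """\
[+0x002] beingdebugged : unable to read memory at address 0x2
[+0x003 ( 6: 6)] isprotectedprocesslight : unable to read memory at address 0x3
[+0x004] padding0 [type: unsigned char [4]]
[+0x018] ldr : unable to read memory at address 0x18
"""

FIELD = re.compile(
    r"^\s*\[\+0x(?P<off>[0-9a-f]+)"                # field offset
    r"(?:\s*\(\s*(?P<b1>\d+):\s*(?P<b2>\d+)\))?\]"  # optional bit range, as printed
    r"\s+(?P<name>\w+)\s*"
    r"(?:\[type: (?P<type>.+)\]|:\s*(?P<value>.+))$",
    re.I,
)
FAULT = re.compile(r"unable to read memory at address 0x([0-9a-f]+)", re.I)

def parse_fields(text):
    """Return one dict per '[+0x...]' field line; other lines are skipped."""
    fields = []
    for line in text.splitlines():
        m = FIELD.match(line.rstrip())
        if not m:
            continue
        value = m.group("value")
        fault = FAULT.search(value) if value else None
        fields.append({
            "offset": int(m.group("off"), 16),
            "bits": (int(m.group("b1")), int(m.group("b2"))) if m.group("b1") else None,
            "name": m.group("name"),
            "type": m.group("type"),
            "value": None if fault else value,
            "fault": int(fault.group(1), 16) if fault else None,
        })
    return fields

def summarize(text):
    """List unreadable fields and the base each failed read implies (address - offset)."""
    fields = parse_fields(text)
    bad = [f for f in fields if f["fault"] is not None]
    return {
        "fields": len(fields),
        "unreadable": [f["name"] for f in bad],
        "implied_bases": sorted({f["fault"] - f["offset"] for f in bad}),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

For the listings above every failed read implies a base of 0, so fields such as beingdebugged and isprotectedprocesslight carry no value in that output and nothing can be concluded about them from it.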
