Windbg 如何在等待“WaitForMultipleObjects”的调用堆栈框架中查找对象/句柄?


In frame 2, kernel32!WaitForMultipleObjects+0x19, the Win32 API call is waiting on multiple objects/handles.

In WinDbg, how do I determine the handles for this particular frame?

    0:012> k
     # ChildEBP RetAddr
    00 093ffba0 7510285f ntdll!NtWaitForMultipleObjects+0xc
    01 093ffd2c 76f89188 KERNELBASE!WaitForMultipleObjectsEx+0xcc
    02 093ffd48 61006516 kernel32!WaitForMultipleObjects+0x19
    03 093ffd80 610065b0 mshtml!CRenderThread::WaitForWork+0x82
    04 093ffdc4 61130503 mshtml!CRenderThread::RenderThread+0x2b0
    05 093ffdd4 6d363a31 mshtml!CRenderThread::StaticRenderThreadProc+0x23
    06 (Inline) -------- IEShims!NS_CreateThread::ThreadProc+0x86
    07 093ffe0c 76f8919f IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x94
    08 093ffe18 776ead8f kernel32!BaseThreadInitThunk+0xe
    09 093ffe60 776ead5a ntdll!__RtlUserThreadStart+0x2f
    0a 093ffe70 00000000 ntdll!_RtlUserThreadStart+0x1b

    **//Arguments passed in function call : kernel32!WaitForMultipleObjects+0x19**
    0:012> dd 093ffd48
    093ffd48  093ffd80 61006516 **00000002 093ffd6c**
    093ffd58  **00000000 ffffffff** 00000000 00000000
    093ffd68  05ef6078 00000778 000007c8 00000002
    093ffd78  ffffffff 093ffdc4 093ffdc4 610065b0
    093ffd88  093ffde0 00000000 00000006 61015990
    093ffd98  1b541170 00000000 00000000 00000000
    093ffda8  00000000 00000000 00000000 1b541170
    093ffdb8  00000000 05ef6078 003ffdd4 093ffdd4
Output of k

kd> $$ 00adfb88 7755fe39 ntdll!NtWaitForMultipleObjects+0xc (FPO: [5,0,0])
Dump dwords at ebp

kd> dd 00adfb88 l 8
00adfb88  77576a44 7755fe39 00000010 00412ca8
00adfb98  00000001 00000001 00000000 77cc0c57
kd> $$ ebp+8 = first argument = 10
kd> $$ ebp+c = second argument = * to handles 412ca8
kd> $$ these handles are

kd> dd 412ca8 l10
00412ca8  000000f4 000000f0 0000069c 00000900
00412cb8  00000464 000007d0 0000081c 00000828
00412cc8  000006d8 00000640 00000634 0000056c
00412cd8  0000037c 00000460 00000654 00000100
A script like this can fetch all the handles

kd> .foreach /pS 1 /ps 1 (place { dd /c 1 412ca8 l10 } ) { !handle place 2}
Output

PROCESS 86f6a6c8  SessionId: 1  Cid: 0b78    Peb: 7ffd8000  ParentCid: 0b6c
    DirBase: 7e26c4c0  ObjectTable: b908ef00  HandleCount: 1079.
    Image: explorer.exe

Handle table at b908ef00 with 1079 entries in use

00f4: Object: 86945a90  GrantedAccess: 001f0003 Entry: b90951e8
Object: 86945a90  Type: (84eaf350) Timer
    ObjectHeader: 86945a78 (new version)
        HandleCount: 1 PointerCount: 2

00f0: Object: 869416c0  GrantedAccess: 00100002 Entry: b90951e0
Object: 869416c0  Type: (84eaf350) Timer
    ObjectHeader: 869416a8 (new version)
        HandleCount: 1 PointerCount: 2

069c: Object: 86a12388  GrantedAccess: 00100004 Entry: b9095d38
Object: 86a12388  Type: (84ed06b8) WmiGuid
    ObjectHeader: 86a12370 (new version)
        HandleCount: 1 PointerCount: 2

0900: Object: 869b2d38  GrantedAccess: 001f0003 Entry: b8601200
Object: 869b2d38  Type: (84eb0978) Event
    ObjectHeader: 869b2d20 (new version)
        HandleCount: 1 PointerCount: 2

0464: Object: 85540d00  GrantedAccess: 001f0003 Entry: b90958c8
Object: 85540d00  Type: (84eb0978) Event
    ObjectHeader: 85540ce8 (new version)
        HandleCount: 1 PointerCount: 3

07d0: Object: 8552a480  GrantedAccess: 001f0003 Entry: b9095fa0
Object: 8552a480  Type: (84eb0978) Event
    ObjectHeader: 8552a468 (new version)
        HandleCount: 1 PointerCount: 4

081c: Object: 85cdde78  GrantedAccess: 001f0003 Entry: b8601038
Object: 85cdde78  Type: (84eb0978) Event
    ObjectHeader: 85cdde60 (new version)
        HandleCount: 1 PointerCount: 3
        Directory Object: 98a802a8  Name: PRS_EXTERNAL_CHECK_CHANGED_NOTIFY

0828: Object: 86c4c938  GrantedAccess: 001f0003 Entry: b8601050
Object: 86c4c938  Type: (84eb0978) Event
    ObjectHeader: 86c4c920 (new version)
        HandleCount: 2 PointerCount: 5
        Directory Object: 98a802a8  Name: {43a2b8d7-6fed-4c18-bd36-b4630d61afb5}

06d8: Object: 86d014d0  GrantedAccess: 001f0003 Entry: b9095db0
Object: 86d014d0  Type: (84eb0978) Event
    ObjectHeader: 86d014b8 (new version)
        HandleCount: 1 PointerCount: 2

0640: Object: 85ce4380  GrantedAccess: 001f0003 Entry: b9095c80
Object: 85ce4380  Type: (84eb0978) Event
    ObjectHeader: 85ce4368 (new version)
        HandleCount: 1 PointerCount: 2

0634: Object: 86f17e20  GrantedAccess: 001f0003 Entry: b9095c68
Object: 86f17e20  Type: (84eb0978) Event
    ObjectHeader: 86f17e08 (new version)
        HandleCount: 1 PointerCount: 2

056c: Object: 85ce7750  GrantedAccess: 001f0003 Entry: b9095ad8
Object: 85ce7750  Type: (84eb0978) Event
    ObjectHeader: 85ce7738 (new version)
        HandleCount: 1 PointerCount: 2

037c: Object: 86bbcae8  GrantedAccess: 001f0003 Entry: b90956f8
Object: 86bbcae8  Type: (84eb0978) Event
    ObjectHeader: 86bbcad0 (new version)
        HandleCount: 2 PointerCount: 3

0460: Object: 86cdab88  GrantedAccess: 001f0003 Entry: b90958c0
Object: 86cdab88  Type: (84eb0978) Event
    ObjectHeader: 86cdab70 (new version)
        HandleCount: 1 PointerCount: 2

0654: Object: 85ce6838  GrantedAccess: 001f0003 Entry: b9095ca8
Object: 85ce6838  Type: (84eb0978) Event
    ObjectHeader: 85ce6820 (new version)
        HandleCount: 1 PointerCount: 2

0100: Object: 865bb170  GrantedAccess: 00100002 Entry: b9095200
Object: 865bb170  Type: (84eaf350) Timer
    ObjectHeader: 865bb158 (new version)
        HandleCount: 1 PointerCount: 2


kd>

The first argument, 00000002, is the handle count, and the second argument, 093ffd6c, is a pointer to those handles. You can print them with dd 093ffd6c L2. To see this information more easily at a glance, use kv. On 32-bit, kb prints the stack including the arguments, so you don't have to fiddle around with it yourself. Also, I suggest using dp instead of dd, since you may move to 64-bit at some point and knowing dp helps. Note, however, that kb stops working on 64-bit because of the calling convention change.
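As an added example (not code from the question or from either answer), here is the frame walk the answers describe, done in Python over the question's own `dd` dump: the ChildEBP of frame 02 from `k` locates the stdcall arguments at ebp+8 onward, and the second argument is dereferenced to list the handles and the user-mode `!handle` commands to run on them. The `dd` text is copied from the question with the bold markers removed; the only assumption is a plain x86 stdcall frame (saved ebp, return address, then the arguments).

```python
# Added example: resolve the kernel32!WaitForMultipleObjects(nCount, lpHandles,
# bWaitAll, dwMilliseconds) arguments from a `k` ChildEBP and a `dd` dump.
# Assumed x86 stdcall layout: [ebp] saved ebp, [ebp+4] return address,
# [ebp+8] nCount, [ebp+0xc] lpHandles, [ebp+0x10] bWaitAll, [ebp+0x14] timeout.

# `dd 093ffd48` output copied from the question (bold markers removed).
DD_OUTPUT = """
093ffd48  093ffd80 61006516 00000002 093ffd6c
093ffd58  00000000 ffffffff 00000000 00000000
093ffd68  05ef6078 00000778 000007c8 00000002
093ffd78  ffffffff 093ffdc4 093ffdc4 610065b0
"""

CHILD_EBP = 0x093FFD48  # ChildEBP of frame 02 in the question's `k` output
RET_ADDR = 0x61006516   # RetAddr of frame 02, used as a sanity check


def parse_dd(text):
    """Turn `dd` output into an {address: dword} map."""
    mem = {}
    for line in text.strip().splitlines():
        parts = line.split()
        base = int(parts[0], 16)
        for i, word in enumerate(parts[1:]):
            mem[base + 4 * i] = int(word, 16)
    return mem


def wait_args(mem, ebp, ret_addr):
    """Return (nCount, lpHandles, bWaitAll, dwMilliseconds) for the frame at ebp."""
    if mem[ebp + 4] != ret_addr:  # the return address must match `k`'s RetAddr
        raise ValueError("frame does not match RetAddr; wrong ChildEBP?")
    return tuple(mem[ebp + 8 + 4 * i] for i in range(4))


def handle_array(mem, lp_handles, count):
    """Read `count` HANDLE values starting at lp_handles (32-bit handles)."""
    return [mem[lp_handles + 4 * i] for i in range(count)]


def handle_commands(mem, ebp, ret_addr):
    """Emit one user-mode `!handle <h> f` command per handle the frame waits on."""
    n_count, lp_handles, _, _ = wait_args(mem, ebp, ret_addr)
    return ["!handle %x f" % h for h in handle_array(mem, lp_handles, n_count)]


if __name__ == "__main__":
    mem = parse_dd(DD_OUTPUT)
    print(wait_args(mem, CHILD_EBP, RET_ADDR))  # (2, 0x93ffd6c, 0, 0xffffffff)
    print("\n".join(handle_commands(mem, CHILD_EBP, RET_ADDR)))
```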