Using WinDbg to find the optimized-away this pointer via the vtable

2016-12-28 10:10:59 Author: Dawei XU

When debugging optimized code in WinDbg, the this pointer address shown for a frame is not reliable. The steps below show how to recover the real this pointer through the object's vtable.

1. Run kbn to list the call stack with frame numbers and ChildEBP values.

# ChildEBP RetAddr Args to Child
00 1d61fad0 7c90d21a 7c8023f1 00000000 1d61fb04 ntdll!KiFastSystemCallRet
01 1d61fad4 7c8023f1 00000000 1d61fb04 1a314e78 ntdll!NtDelayExecution+0xc
02 1d61fb2c 7c802455 00000042 00000000 1d61fb6c kernel32!SleepEx+0x61
03 1d61fb3c (ChildEBP after call) 4c08f466 00000042 6496c8a2 1a3128f0 kernel32!Sleep+0xf
04 1d61fb6c 5c2656d4 616c06bc 1d61fbbc 1d61fe74 DllName!NameSpaceName::ClassName::OnProcess+0x106 [source1.cpp @ 5908]
05 1d61fbb0 (ChildEBP before call) 77520c9a 1a312b0c 1d61fd78 0ef5bd18 Dll2Name!Class2Name::Process+0xb4 [source2.cpp @ 104]
06 1d61fbc8 77587f67 4c0e4df0 1a312b0c 1d61fcfc ole32!CallFrame::Invoke+0x54

2. Run dpp (ChildEBP after call) (ChildEBP before call) over that stack range to find the vtable pointer.

0:022> dpp 1d61fb3c 1d61fbb0
1d61fb3c 1d61fb6c 1d61fbb0 <Unloaded_API.DLL>+0x1d61fb7f
1d61fb40 4c08f466 d908ec83
1d61fb44 00000042
1d61fb48 6496c8a2 1e6041d6 <Unloaded_API.DLL>+0x1e6041a5
1d61fb4c 1a3128f0 (init this pointer address) 4c1a3e24 (vtable address) DllName!ATL::CComObject::`vftable'

3. Run dds (vtable address) -4 to find the RTTI Complete Object Locator.

0:022> dds 4c1a3e24 -4
4c1a3e20 4c1b99e0 (RTTI address) DllName!ATL::CComObject::`RTTI Complete Object Locator'

4. Run dds (RTTI address) to find the offset; it is the second DWORD.

0:022> dds 4c1b99e0
4c1b99e0 00000000
4c1b99e4 00000000 (offset)
4c1b99e8 00000000

5. Run dt ModuleName (init this pointer address) - (offset) to inspect the this pointer. Done :)

dt DllName!NameSpaceName::ClassName 1a3128f0-0
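As an added example that is not part of the original post, the Python script below automates steps 2 to 5 on pasted WinDbg output: it finds the dpp line whose pointed-to value resolves to a `vftable' symbol, confirms that the DWORD before the vtable resolves to an RTTI Complete Object Locator, reads the locator's second DWORD and subtracts it from the candidate pointer. The second DWORD is the vftable's offset within the complete object in MSVC's _RTTICompleteObjectLocator layout (signature, offset, cdOffset, pTypeDescriptor, pClassDescriptor), which is why step 4 reads that entry. The sample strings reproduce the post's debugger output with the annotations removed; the DDS_RTTI_SECONDARY sample is constructed (not from the post) to show the case the post does not hit, a secondary vftable with a non-zero offset, where the subtraction actually changes the address.

```python
import re

# Constructed sample: the dpp output from the post, annotations removed.
DPP_OUTPUT = """\
1d61fb3c 1d61fb6c 1d61fbb0 <Unloaded_API.DLL>+0x1d61fb7f
1d61fb40 4c08f466 d908ec83
1d61fb44 00000042
1d61fb48 6496c8a2 1e6041d6 <Unloaded_API.DLL>+0x1e6041a5
1d61fb4c 1a3128f0 4c1a3e24 DllName!ATL::CComObject::`vftable'
"""

# Constructed sample: `dds <vtable> -4` from the post.
DDS_VTABLE_MINUS4 = """\
4c1a3e20 4c1b99e0 DllName!ATL::CComObject::`RTTI Complete Object Locator'
"""

# Constructed sample: `dds <RTTI address>` from the post (offset is 0 here).
DDS_RTTI = """\
4c1b99e0 00000000
4c1b99e4 00000000
4c1b99e8 00000000
"""

# Constructed sample (hypothetical, not from the post): a locator for a secondary
# vftable that sits 8 bytes into the complete object, so offset = 8.
DDS_RTTI_SECONDARY = """\
4c1b99e0 00000000
4c1b99e4 00000008
4c1b99e8 00000000
"""

# dpp line: <stack addr> <value> <pointed-to value> <symbol ending in `vftable'>
VFTABLE_RE = re.compile(
    r"^(?P<stack>[0-9a-f]{8})\s+(?P<cand>[0-9a-f]{8})\s+(?P<vt>[0-9a-f]{8})\s+"
    r"(?P<sym>\S+`vftable')$", re.IGNORECASE)


def find_vftable_slots(dpp_output):
    """Return (candidate_this, vtable_address, symbol) for each dpp line whose
    pointed-to value is a vftable. The stack slot holds the object pointer and
    the object's first DWORD is its vtable pointer (step 2)."""
    hits = []
    for line in dpp_output.splitlines():
        m = VFTABLE_RE.match(line.strip())
        if m:
            hits.append((int(m["cand"], 16), int(m["vt"], 16), m["sym"]))
    return hits


def rtti_locator_address(dds_vt_output):
    """Parse `dds <vtable> -4`: the DWORD before the vftable must resolve to the
    RTTI Complete Object Locator (step 3). Raises if it does not."""
    line = dds_vt_output.strip().splitlines()[0]
    parts = line.split(maxsplit=2)
    if len(parts) < 3 or "RTTI Complete Object Locator" not in parts[2]:
        raise ValueError("DWORD before vftable is not an RTTI locator: " + line)
    return int(parts[1], 16)


def vftable_offset(dds_rtti_output, locator=None):
    """Parse `dds <RTTI address>` and return the second DWORD, the offset of
    this vftable within the complete object (step 4). If `locator` is given,
    check that the dump really starts at that address."""
    lines = dds_rtti_output.strip().splitlines()
    if len(lines) < 2:
        raise ValueError("need at least two DWORDs of the locator")
    if locator is not None and int(lines[0].split()[0], 16) != locator:
        raise ValueError("dds output does not start at the RTTI locator")
    return int(lines[1].split()[1], 16)


def recover_this(dpp_output, dds_vt_output, dds_rtti_output):
    """Steps 2-5 combined: returns (this_pointer, vtable, offset, symbol)."""
    hits = find_vftable_slots(dpp_output)
    if len(hits) != 1:
        raise ValueError("expected exactly one vftable slot, found %d" % len(hits))
    cand, vt, sym = hits[0]
    locator = rtti_locator_address(dds_vt_output)
    offset = vftable_offset(dds_rtti_output, locator)
    return cand - offset, vt, offset, sym


if __name__ == "__main__":
    this_ptr, vt, off, sym = recover_this(DPP_OUTPUT, DDS_VTABLE_MINUS4, DDS_RTTI)
    print("vtable %08x (%s), offset %d -> this = %08x" % (vt, sym, off, this_ptr))
    # The dt command to type next; the type name is the post's placeholder.
    print("dt DllName!NameSpaceName::ClassName %08x" % this_ptr)
    this2 = recover_this(DPP_OUTPUT, DDS_VTABLE_MINUS4, DDS_RTTI_SECONDARY)[0]
    print("with a secondary vftable at offset 8: this = %08x" % this2)
```

When the offset is zero, as in the post, the candidate pointer from the stack already is the this pointer; a non-zero offset means the stack slot held a pointer to a secondary vtable inside the object (multiple inheritance), and the full object starts that many bytes earlier. Checking that the DWORD before the vtable resolves to a locator guards against picking up a random pointer that merely looks like a vtable.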
