2

I need to get the base and top addresses of every stack frame for an extension I am writing for WinDbg. For example, this is what I get:

(0) ip= 0x779e5604, ret= 0x779cda0d, frame= 0x23c79c, stack= 0x23c79c
(1) ip= 0x779cda0d, ret= 0x779b19f5, frame= 0x23c7b4, stack= 0x23c7a4
(2) ip= 0x779b19f5, ret= 0x779e665f, frame= 0x23c7d4, stack= 0x23c7bc
(3) ip= 0x779e665f, ret= 0x779aa0aa, frame= 0x23c81c, stack= 0x23c7dc
(4) ip= 0x779aa0aa, ret= 0x779765a6, frame= 0x23c910, stack= 0x23c824
(5) ip= 0x779765a6, ret= 0x7679bbe4, frame= 0x23c930, stack= 0x23c918
(6) ip= 0x7679bbe4, ret= 0x57cd4c39, frame= 0x23c944, stack= 0x23c938
(7) ip= 0x57cd4c39, ret= 0x53c6c74e, frame= 0x23c990, stack= 0x23c94c
(8) ip= 0x53c6c74e, ret= 0x53dc42d7, frame= 0x23d5a4, stack= 0x23c998
(9) ip= 0x53dc42d7, ret= 0x53bc17b0, frame= 0x23d658, stack= 0x23d5ac
(10) ip= 0x53bc17b0, ret= 0x57cf9321, frame= 0x23d85c, stack= 0x23d660
(11) ip= 0x57cf9321, ret= 0x53daf2da, frame= 0x23d9a4, stack= 0x23d864
(12) ip= 0x53daf2da, ret= 0x53d9bce5, frame= 0x23da3c, stack= 0x23d9ac
(13) ip= 0x53d9bce5, ret= 0x53cc427c, frame= 0x23dacc, stack= 0x23da44
(14) ip= 0x53cc427c, ret= 0x53ebd9e1, frame= 0x23db14, stack= 0x23dad4
(15) ip= 0x53ebd9e1, ret= 0x53d8b86f, frame= 0x23db30, stack= 0x23db1c
(16) ip= 0x53d8b86f, ret= 0x53cc439d, frame= 0x23db4c, stack= 0x23db38
(17) ip= 0x53cc439d, ret= 0x53d8b86f, frame= 0x23db94, stack= 0x23db54
(18) ip= 0x53d8b86f, ret= 0x53cc439d, frame= 0x23dbb0, stack= 0x23db9c
(19) ip= 0x53cc439d, ret= 0x53d8e4b6, frame= 0x23dbf8, stack= 0x23dbb8
(20) ip= 0x53d8e4b6, ret= 0x53d8f815, frame= 0x23dc40, stack= 0x23dc00
(21) ip= 0x53d8f815, ret= 0x53cc68f5, frame= 0x23dd00, stack= 0x23dc48
(22) ip= 0x53cc68f5, ret= 0x53ff9c4c, frame= 0x23dd5c, stack= 0x23dd08
(23) ip= 0x53ff9c4c, ret= 0x53cc98e8, frame= 0x23dddc, stack= 0x23dd64
(24) ip= 0x53cc98e8, ret= 0x53e6556e, frame= 0x23de14, stack= 0x23dde4
(25) ip= 0x53e6556e, ret= 0x53ccfe4b, frame= 0x23df50, stack= 0x23de1c
(26) ip= 0x53ccfe4b, ret= 0x0, frame= 0x0, stack= 0x23df58

ESP=0023c79c EBP=0023c79c

OK, so according to the MSDN documentation here, if FrameOffset is zero the current frame pointer should be used, and if StackOffset is zero the current stack pointer should be used:

http://msdn.microsoft.com/en-us/library/windows/hardware/ff548425%28v=vs.85%29.aspx

Now for the first frame, i.e. frame #26 in the example above, it shows a frame offset of zero, but the current frame offset, EBP, is 0023c79c, which refers to the top of the stack and therefore cannot correspond to the frame offset of frame #26. So how exactly am I supposed to find the bottom of stack frame #26?

Another question: running !teb in WinDbg gives me the following stack range:

StackBase:            00240000
StackLimit:           0022e000

Now, what exactly is in the 8360 bytes (240000 - 23df58) between the 26th stack frame pointer and the bottom of the stack? Is it all made up of the 26th stack frame itself, or is there something else in between? (apart from ret and ebp)

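The following is an added C++ example, not code from the question or from dbgeng. It takes the 27 frames, the ESP/EBP values and the !teb limits printed above as constructed input, applies the MSDN rule the question cites (a zero FrameOffset or StackOffset stands for the live EBP or ESP), checks that the trace chains correctly (each ReturnOffset equals the next frame's InstructionOffset), and then attributes to each frame the bytes between its own StackOffset and the next older frame's StackOffset. Treating the oldest frame as running up to the TEB StackBase is an assumption of this example; the page does not say what occupies that region. The last check reproduces the question's observation that the EBP substituted for frame #26 lies outside that frame's range.

```cpp
#include <cinttypes>
#include <cstdint>
#include <cstdio>
#include <vector>

// The four DEBUG_STACK_FRAME fields the question prints (ULONG64 in dbgeng).
struct Frame {
    uint64_t ip;     // InstructionOffset
    uint64_t ret;    // ReturnOffset
    uint64_t frame;  // FrameOffset; 0 means "use the current frame pointer" (MSDN)
    uint64_t stack;  // StackOffset; 0 means "use the current stack pointer" (MSDN)
};

// Address range [low, high) this example attributes to one frame.
struct FrameExtent {
    unsigned index;
    uint64_t low;
    uint64_t high;
    uint64_t size;
};

// Constructed input: the 27 frames from the question's trace, in order.
static const std::vector<Frame> kTrace = {
    {0x779e5604, 0x779cda0d, 0x23c79c, 0x23c79c}, {0x779cda0d, 0x779b19f5, 0x23c7b4, 0x23c7a4},
    {0x779b19f5, 0x779e665f, 0x23c7d4, 0x23c7bc}, {0x779e665f, 0x779aa0aa, 0x23c81c, 0x23c7dc},
    {0x779aa0aa, 0x779765a6, 0x23c910, 0x23c824}, {0x779765a6, 0x7679bbe4, 0x23c930, 0x23c918},
    {0x7679bbe4, 0x57cd4c39, 0x23c944, 0x23c938}, {0x57cd4c39, 0x53c6c74e, 0x23c990, 0x23c94c},
    {0x53c6c74e, 0x53dc42d7, 0x23d5a4, 0x23c998}, {0x53dc42d7, 0x53bc17b0, 0x23d658, 0x23d5ac},
    {0x53bc17b0, 0x57cf9321, 0x23d85c, 0x23d660}, {0x57cf9321, 0x53daf2da, 0x23d9a4, 0x23d864},
    {0x53daf2da, 0x53d9bce5, 0x23da3c, 0x23d9ac}, {0x53d9bce5, 0x53cc427c, 0x23dacc, 0x23da44},
    {0x53cc427c, 0x53ebd9e1, 0x23db14, 0x23dad4}, {0x53ebd9e1, 0x53d8b86f, 0x23db30, 0x23db1c},
    {0x53d8b86f, 0x53cc439d, 0x23db4c, 0x23db38}, {0x53cc439d, 0x53d8b86f, 0x23db94, 0x23db54},
    {0x53d8b86f, 0x53cc439d, 0x23dbb0, 0x23db9c}, {0x53cc439d, 0x53d8e4b6, 0x23dbf8, 0x23dbb8},
    {0x53d8e4b6, 0x53d8f815, 0x23dc40, 0x23dc00}, {0x53d8f815, 0x53cc68f5, 0x23dd00, 0x23dc48},
    {0x53cc68f5, 0x53ff9c4c, 0x23dd5c, 0x23dd08}, {0x53ff9c4c, 0x53cc98e8, 0x23dddc, 0x23dd64},
    {0x53cc98e8, 0x53e6556e, 0x23de14, 0x23dde4}, {0x53e6556e, 0x53ccfe4b, 0x23df50, 0x23de1c},
    {0x53ccfe4b, 0x0,        0x0,      0x23df58},
};

// Register values and !teb limits from the question.
static const uint64_t kEsp = 0x23c79c;
static const uint64_t kEbp = 0x23c79c;
static const uint64_t kStackBase = 0x240000;   // highest stack address + 1
static const uint64_t kStackLimit = 0x22e000;  // lowest committed stack address

// MSDN substitution: a zero offset stands for the live register value.
uint64_t effective_frame_offset(const Frame& f, uint64_t ebp) { return f.frame ? f.frame : ebp; }
uint64_t effective_stack_offset(const Frame& f, uint64_t esp) { return f.stack ? f.stack : esp; }

// Unwind sanity check: ret[N] must be ip[N+1], and StackOffsets must grow
// towards older frames (x86 stacks grow downward).
bool trace_is_consistent(const std::vector<Frame>& t, uint64_t esp) {
    for (size_t i = 0; i + 1 < t.size(); ++i) {
        if (t[i].ret != t[i + 1].ip) return false;
        if (effective_stack_offset(t[i], esp) >= effective_stack_offset(t[i + 1], esp)) return false;
    }
    return true;
}

// Assumption of this example: frame N owns the bytes from its StackOffset up to
// the next older frame's StackOffset; the oldest frame runs up to StackBase.
std::vector<FrameExtent> frame_extents(const std::vector<Frame>& t, uint64_t esp, uint64_t stack_base) {
    std::vector<FrameExtent> out;
    for (size_t i = 0; i < t.size(); ++i) {
        uint64_t low = effective_stack_offset(t[i], esp);
        uint64_t high = (i + 1 < t.size()) ? effective_stack_offset(t[i + 1], esp) : stack_base;
        out.push_back({static_cast<unsigned>(i), low, high, high - low});
    }
    return out;
}

// Does the (possibly substituted) frame pointer lie inside the frame's own range?
bool frame_pointer_in_extent(const Frame& f, const FrameExtent& e, uint64_t ebp) {
    uint64_t fp = effective_frame_offset(f, ebp);
    return fp >= e.low && fp < e.high;
}

int main() {
    std::printf("trace consistent: %s\n", trace_is_consistent(kTrace, kEsp) ? "yes" : "no");
    std::vector<FrameExtent> ext = frame_extents(kTrace, kEsp, kStackBase);
    for (size_t i = 0; i < ext.size(); ++i) {
        std::printf("(%2u) [%06" PRIx64 ", %06" PRIx64 ") %5" PRIu64 " bytes, frame pointer %s range\n",
                    ext[i].index, ext[i].low, ext[i].high, ext[i].size,
                    frame_pointer_in_extent(kTrace[i], ext[i], kEbp) ? "inside" : "OUTSIDE");
    }
    std::printf("committed stack below ESP: %" PRIu64 " bytes\n", kEsp - kStackLimit);
    return 0;
}
```

Run as-is, the loop reports 8 bytes for frame #0 and 8360 bytes for frame #26 (the figure computed in the question), and flags frame #26 as the only frame whose substituted frame pointer falls outside its range. Whether those 8360 bytes are really all frame #26 is exactly what the question leaves open; the example only makes the arithmetic and the substitution rule explicit.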

0 Answers