One of the things that has always bothered me most about WinDbg is that it cannot analyze STL containers... Here is an extension DLL that makes up for that.

It is "SDbgExt", a WinDbg extension DLL that supports not only STL analysis but a wide range of powerful reversing-related features.


You can download it here.

http://www.nynaeve.net


For usage, see the tutorials below...

http://www.nynaeve.net/?p=94

http://www.nynaeve.net/?p=7


It is used like this (the address is the std::map object; the optional key-size and value-size are how many bytes of each node's key and value to dump, and here the 4-byte value is a pointer that is then passed to dt):

0:045>  !sdbgext.stlmap
Usage: !stlmap <address> [key-size] [value-size]

0:045> !sdbgext.stlmap 0x02722ae0+0x20e4 0x24 0x04
map size=78 head=027209b8
node at 08e41cc8
  key:
b0 a3 8b 05 6f 00 6d 00 65 00 5c 00 75 00 73 00 ....o.m.e.\.u.s.
5f 00*00 00 5f 00 00 00 5c 00 6d 00 30 51 72 02 _..._...\.m.0Qr.
9a 01 00 00                                     ....            
  data = 058C7F38
node at 08e419c8
  key:
78 a4 8b 05 65 00 6d 00 6f 00 72 00 79 00 32 00 x...e.m.o.r.y.2.
5f 00*00 00 5f 00 00 00 00 00 00 00 30 51 72 02 _..._.......0Qr.
9b 01 00 00                                     ....            
  data = 05948008
  /// remainder omitted...

0:045> dt Dokan!LEO_UDRIVE_REQUEST_HEADER 058C7F38
   +0x000 cbHeaderSize     : 0x10265
   +0x004 FileIoType       : 6 ( LeoIo_WriteFile )
   +0x008 szSessionId      : [100]  "00e0c338-58c5fa67"
   +0x0d0 dwProcessTypeFlag : 0
   +0x0d4 dwFlag           : 0
   +0x0d8 LeoDokanOptions  : _LEO_DOKAN_OPTIONS
   +0x0f4 DokanFileInfo    : _DOKAN_FILE_INFO
   +0x114 PerIoContext     : _LEOFS_PERIO_CONTEXT
   +0x170 ClientIp         : 0x2a64a8c0
   +0x174 dwReserved1      : 0
   +0x178 cbDataSize       : 0x100e8
   +0x17c Data             : [1]  ""


The help is well written, so you can just start using it right away.

It's not quite the same as debugging STL directly in Visual Studio, but it's usable enough to get by.
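When a map has dozens of nodes, retyping each "data =" pointer into a dt command gets tedious. The following script is an added example (not part of the original post and not SDbgExt's own code): it parses the text that !stlmap prints, in the format shown in the session above, into records, recovers UTF-16 text fragments from the raw key bytes, and generates one dt command per node. The sample input is the first two nodes copied from the session above; the type name passed to dt is the one the post itself uses. The key scan assumes 2-byte little-endian units starting at offset 0 and makes no claim about the real layout of the key type.

```python
"""Parse SDbgExt !stlmap output into Python records (added example)."""
import re
from dataclasses import dataclass, field
from typing import List

HEADER_RE = re.compile(r"^map size=(\d+) head=([0-9a-fA-F]+)")
NODE_RE = re.compile(r"^node at ([0-9a-fA-F]+)\s*$")
DATA_RE = re.compile(r"^\s*data = ([0-9a-fA-F]+)\s*$")
# One hex-dump row: at most 16 byte pairs followed by the ASCII column.  The
# dump occasionally writes '*' instead of a space between two bytes ("00*00"
# in the session above); it is accepted as a separator and otherwise ignored.
HEX_ROW_RE = re.compile(r"^([0-9a-f]{2}(?:[ *][0-9a-f]{2}){0,15})(?=\s|$)")
PRINTABLE = range(0x20, 0x7F)

@dataclass
class MapNode:
    address: int   # address of the map node itself
    key: bytes     # the key-size bytes dumped under "key:"
    data: int      # value from the "data = ..." line

@dataclass
class StlMapDump:
    size: int
    head: int
    nodes: List[MapNode] = field(default_factory=list)

def parse_stlmap(text: str) -> StlMapDump:
    """Turn the text printed by !stlmap into a StlMapDump."""
    dump, node_addr, key, in_key = None, None, bytearray(), False
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("///"):
            continue  # blank line or the post's "remainder omitted" marker
        m = HEADER_RE.match(line)
        if m:
            dump = StlMapDump(size=int(m.group(1)), head=int(m.group(2), 16))
            continue
        m = NODE_RE.match(line)
        if m:
            node_addr, key, in_key = int(m.group(1), 16), bytearray(), False
            continue
        if line.strip() == "key:":
            in_key = True
            continue
        m = DATA_RE.match(line)
        if m:
            if dump is None or node_addr is None:
                raise ValueError("'data =' line before the map header or node line")
            dump.nodes.append(MapNode(node_addr, bytes(key), int(m.group(1), 16)))
            in_key = False
            continue
        m = HEX_ROW_RE.match(line) if in_key else None
        if m:
            key += bytes.fromhex(m.group(1).replace("*", " "))
    if dump is None:
        raise ValueError("no 'map size=' header found")
    return dump

def wide_strings(key: bytes, min_chars: int = 3) -> List[str]:
    """Runs of printable UTF-16LE characters found at even offsets of a key.

    Assumption: the key is scanned as 2-byte little-endian units from offset 0.
    This only recovers text fragments; it makes no claim about the key's layout.
    """
    runs, cur = [], []
    for i in range(0, len(key) - 1, 2):
        unit = key[i] | (key[i + 1] << 8)
        if unit in PRINTABLE:
            cur.append(chr(unit))
            continue
        if len(cur) >= min_chars:
            runs.append("".join(cur))
        cur = []
    if len(cur) >= min_chars:
        runs.append("".join(cur))
    return runs

def dt_commands(dump: StlMapDump, type_name: str) -> List[str]:
    """One 'dt <type> <address>' WinDbg command per node data pointer."""
    return [f"dt {type_name} {node.data:08X}" for node in dump.nodes]

# Sample input: the first two nodes of the !stlmap output shown in the post.
SAMPLE = """\
map size=78 head=027209b8
node at 08e41cc8
  key:
b0 a3 8b 05 6f 00 6d 00 65 00 5c 00 75 00 73 00 ....o.m.e.\\.u.s.
5f 00*00 00 5f 00 00 00 5c 00 6d 00 30 51 72 02 _..._...\\.m.0Qr.
9a 01 00 00                                     ....
  data = 058C7F38
node at 08e419c8
  key:
78 a4 8b 05 65 00 6d 00 6f 00 72 00 79 00 32 00 x...e.m.o.r.y.2.
5f 00*00 00 5f 00 00 00 00 00 00 00 30 51 72 02 _..._.......0Qr.
9b 01 00 00                                     ....
  data = 05948008
  /// remainder omitted...
"""

if __name__ == "__main__":
    dump = parse_stlmap(SAMPLE)
    print(f"map size={dump.size} head={dump.head:08x} parsed={len(dump.nodes)} nodes")
    for node in dump.nodes:
        print(f"{node.address:08x} key={node.key.hex()} text={wide_strings(node.key)}")
    print("\n".join(dt_commands(dump, "Dokan!LEO_UDRIVE_REQUEST_HEADER")))
```

Paste the whole !stlmap output into SAMPLE (or read it from a .log file written with .logopen) and the generated dt lines can be fed back to WinDbg with $<; the UTF-16 fragments give a quick hint of which node holds which path or name before any structure is dumped.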


Roughly speaking, these are the features it offers... ^^

0:045> !sdbgext.help
Skywing Debugger Extensions (SDbgExt) help
!valloc       [address] <size> <type> <protect>     Allocates virtual memory
!vallocrwx    [address] <size>                      Allocates and commits PAGE_READWRITE_EXECUTE virtual memory
!vfree        <address> <size> <type>               Frees virtual memory
!vdecom       <address>                             Decommits virtual memory
!vprotect     <address> <size> <protect>            Protects virtual memory
!vmemconst                                          Displays various constants for the !v* extensions
!ntstatus     <status>                              Translates an NTSTATUS value
!remotecall   <address> <call-conv> [arguments]     Calls a function in the target process (from a new thread)
                                                    Valid calling conventions include stdcall(0), cdecl(1), fastcall(2)
                                                    Ansi and Unicode strings ("str", L"str") are automatically marshalled
!remotecall64 <address> <call-conv> [arguments]     Same as !remotecall, but displays a 64-bit return value
!loaddll      <dllname>                             Loads a dll into the target process (from a new thread)
!unloaddll    <address>                             Unloads a dll from the target process (from a new thread)
!loaderlock                                         Checks if the process loader lock has been acquired
!version                                            Displays the SDbgExt version
!heapalloc    [heap] <size>                         Allocates heap memory (defaults to the process heap)
!heapfree     [heap] <address>                      Frees heap memory (defaults to the process heap)
!objsec       <handle>                              Displays the security descriptor associated with an object
!amask        <access-mask> [object-type]           Displays an ACCESS_MASK, optionally interpreting specific rights according to object-type
!objtypes                                           Display a list of supported object type names
!overlapped   <address>                             Displays an OVERLAPPED structure
!hwnd         [window-handle] [flags]               Displays information about an HWND (or enumerates windows for the current thread)
                                                    If bit 1 (0x01) is set in flags, dialog-specific information is included
!switchdesk   <desktop-name>                        Switches the active desktop
!threadinfo   <thread-id> [flags]                   Displays information about a thread
                                                    If bit 1 (0x01) is set in flags, thread times are included
!getprop      <hwnd> [propname]                     Displays a window property
                                                    If propname is omitted, all properties are displayed
!tokeninfo    [handle] [flags]                      Displays information about a token.  If handle is omitted the current subject token is used.
                                                    If bit 1 (0x01) is set in flags, handle refers to a thread id and the token for
                                                    that thread is displayed.  Bit 2 indicates a thread handle, bit 3 indicates a process
                                                    id, and bit 4 indicates a process handle.  Only one may be supplied.
!sidname      <sid>                                 Converts a sid to an account name.
!close        <handle>                              Closes a handle in the process currently being debugged.
!objname      <handle>                              Retrieves full name information for an object handle, including FILE_OBJECT handles.
!killthread   [threadid]                            Terminates a thread.  If a thread is is not supplied, the current thread is terminated.
!loadsym      <module> [symbol list file] [path]    Loads custom symbols from a symbol list file.  If no list file is specified, a file named
                                                    loaded-base-module-name.lst is searched (e.g. C:\WINDOWS\System32\CMD.lst).  Optionally a
                                                    path to the module image may be specified (for remote debugging.  If a path is specified then
                                                    any filenames with spaces must be quoted (otherwise quoting is optional).
                                                    If no .lst file is present, loaded-base-module-name.map is searched (as a linker map file).
!unloadsym    <module> [symbol list file] [path]    Unloads custom symbols from a symbol list file.
!dbgpri       [priority]                            Sets the scheduling priority for the debugger process.  If priority is omitted, the debugger
                                                    is set to the normal priority class.
!lmx          [list-type]                           Lists user mode loaded modules for the target.  list-type is 0, 1, 2 for the load order,
                                                    memory order, or initialization order lists.  Defaults to in-load-order list.
!findwfptr    [flags]                               Searches target process address space for function pointers that are in writable memory.
                                                    Bit 0x1: Ignore symbols that reside in the middle of functions.
                                                    Bit 0x2: Automatically breakpoint on all found function addresses.
!adjpriv      [priv] [flags]                        Adjusts privileges the target token.
                                                    Bit 0x1: Disable the privilege instead of enabling it.
                                                    Bit 0x2: Adjust the threads privileges and not the process.
                                                    Bit 0x4: Disable privilege lookup by name (required when RPC is unavailable).
                                                    Bit 0x8: Remove the privilege from the token.
!usermsg      <address>                             Displays detailed information about a winuser MSG structure.
!ret          <returnpoint> [stackbytes] [retval]   Returns from a function, adjusting the stack upwards by 'stackbytes' bytes and
                                                    setting the return value register to a given value.  The extension will verify
                                                    that the given returnpoint matches a return address on the stack after adjusting
                                                    the stack pointer.  If retval is not specified, the return value is set to zero.
!mapbuiltinsym                                      Loads SDbgExt built-in symbols appropriate for the target platform.  If a full symbol
                                                    reload is issued, these symbols will be removed.
!cmpmem <[[-a|-x] addr length] | [-e addr] | [-c addr] [-s addr] [-l]> 
                                                    Compares memory over time.  Memory compare ranges may not overlap.
                                                      -a address length: Begin the comparison operation by saving target virtual memory.
                                                      -x address length: Manually exclude a region from future comparisons.
                                                      -e address       : Compare memory with the target, excluding differing ranges from future
                                                                         comparison operations.  Address must refer to a region within an existing
                                                                         memory compare operation.
                                                      -c address       : Compare memory with the target, displaying differing ranges.  Address must
                                                                         refer to a region within an existing memory compare operation.
                                                      -s address       : Stop a comparison operation, freeing any saved memory.  Implied by -a.
                                                                         Address must refer to a region within an existing memory compare operation.
                                                      -l               : List all compare ranges currently active.
!rawbu        <modulename> [command]                Sets a deferred breakpoint on a given module name that executes the given command,
                                                    if present.  The modulename is taken "as-is" and is not parsed.
                                                    Note that if present, the breakpoint command must not be quoted; it is taken "as-is".
!fnseh        <address> [seh-module-base]           Retrieves and displays exception handling data for an address (on 64-bit targets).
                                                    If present, seh-module-base overrides the automatic detection for the module base to use when
                                                    computing completed virtual addresses for exception and unwind handlers.
!findsymptr   [flags]                               Searches for potential pointers to addresses corresponding exactly to a symbol.
                                                    This extension is useful for finding vtables on the heap if you have symbols.
                                                    Bit 0x1: Ignore symbols that reside in the middle of functions.
                                                    Bit 0x2: Only show sorted totals.

STL functions (for Visual Studio STL only)
!stlstring    <address> [max-size]                  Displays an std::string (up to the first 64K chars, default to max 16K)
!stlwstring   <address> [max-size]                  Displays an std::wstring (up to the first 64K-1 chars, default to max 16K)
!stlset       <address> [value-size]                Displays an std::set/std::multiset
                                                    If value-size is specified, that many bytes are displayed from each node's data
!stlmap       <address> [key-size] [value-size]     Displays an std::map/std::multimap
                                                    If key-size is specified, that many bytes are displayed from each node's key data
                                                    If value-size is also specified, that many bytes are displayed from each node's value data
!stllist      <address> [value-size]                Displays an std::list
                                                    If value-size is specified, that many bytes are displayed from each node's data
!stlvector    <address> [element-size]              Displays an std::vector
                                                    If element-size is specified, that many bytes are displayed from each element's data



Posted by kuaaan




I love you. Rest in peace.