Windbg附加到进程后如何显示某线程的堆栈信息？

显示全部楼层 · 2021-1-27 06:52:10

我想通过windbg附加到某个exe的进程后，随时观测某个动态库的运行情况。我确定了.dll对应的.pdb文件已经正确加载，可是当我选定了我想查看的线程后，却没能看到堆栈内的函数调用状况。
我baidu+google了一下网上对attach和callstack的应用介绍和教程，都说得特简单。尤其是MSDN，直接说attach+callstack,然后WALLAH！堆栈就出来了，模块名，模块地址，函数名等什么都有。可是我按同样步骤却只能显示系统的.dll。
我感觉要么是我的windbg版本或者设置不对，要么就是我却少/漏加载某个文件。
有没有大神指导一下本菜鸟啊？
分 -->

千问 · 2021-1-27 06:52:10

DebuggingToolsforWindows
k,kb,kc,kd,kp,kP,kv(DisplayStackBacktrace)
Thek*commandsdisplaythestackframeofthegiventhread,togetherwithrelatedinformation..
Syntax
User-Mode
[~Thread]k[b|p|P|v][c][n][f][L][FrameCount]
[~Thread]k[b|p|P|v][c][n][f][L]=BasePtr[FrameCount]
[~Thread]k[b|p|P|v][c][n][f][L]=BasePtrStackPtrInstructionPtr
[~Thread]kd[WordCount]

Kernel-Mode
[Processor]k[b|p|P|v][c][n][f][L][FrameCount]
[Processor]k[b|p|P|v][c][n][f][L]=BasePtr[FrameCount]
[Processor]k[b|p|P|v][c][n][f][L]=BasePtrStackPtrInstructionPtr
[Processor]kd[WordCount]

Parameters
Thread
Specifiesthethreadwhosestackistobedisplayed.Ifyouomitthisparameter,thestackofthecurrentthreadisdisplayed.Formoreinformationaboutthreadsyntax,seeThreadSyntax.Youcanspecifythreadsonlyinusermode.
Processor
Specifiestheprocessorwhosestackistobedisplayed.Formoreinformationaboutprocessorsyntax,seeMultiprocessorSyntax.Youcanspecifyprocessorsonlyinkernelmode.
b
Displaysthefirstthreeparametersthatarepassedtoeachfunctioninthestacktrace.
c
Displaysacleanstacktrace.Eachdisplaylineincludesonlythemodulenameandthefunctionname.
p
Displaysalloftheparametersforeachfunctionthatiscalledinthestacktrace.Theparameterlistincludeseachparameter'sdatatype,name,andvalue.Thepoptioniscasesensitive.Thisparameterrequiresfullsymbolinformation.
P
Displaysalloftheparametersforeachfunctionthatiscalledinthestacktrace,likethepparameter.However,forP,thefunctionparametersareprintedonasecondlineofthedisplay,insteadofonthesamelineastherestofthedata.
v
Displaysframepointeromission(FPO)information.Onx86-basedprocessors,thedisplayalsoincludescallingconventioninformation.
n
Displaysframenumbers.
f
Displaysthedistancebetweenadjacentframes.Thisdistanceisthenumberofbytesthatseparatetheframesontheactualstack.
L
Hidessourcelinesinthedisplay.Liscasesensitive.
FrameCount
Specifiesthenumberofstackframestodisplay.Youshouldspecifythisnumberinhexadecimalformat,unlessyouhavechangedtheradixbyusingthen(SetNumberBase)command.Thedefaultvalueis20(0x14),unlessyouhavechangedthedefaultvaluebyusingthe.kframes(SetStackLength)command.
BasePtr
Specifiesthebasepointerforthestacktrace.TheBasePtrparameterisavailableonlyifthereisanequalsign(=)afterthecommand.Onanx86-basedprocessor,youcanaddonemoreparameterafterBasePtr(whichisinterpretedastheFrameCountparameter)ortwomoreparametersafterBasePtr(whichareinterpretedastheStackPtrandInstructionPtrparameters).
StackPtr
(x86-basedprocessoronly)Specifiesthestackpointerforthestacktrace.IfyouomitStackPtrandInstructionPtr,thecommandusesthestackpointerthattheespregisterspecifiesandtheinstructionpointerthattheeipregisterspecifies.
InstructionPtr
(x86-basedprocessoronly)Specifiestheinstructionpointerforthestacktrace.IfyouomitStackPtrandInstructionPtr,thecommandusesthestackpointerthattheespregisterspecifiesandtheinstructionpointerthattheeipregisterspecifies.
WordCount
SpecifiesthenumberofDWORD_PTRvaluesinthestacktodump.Thedefaultvalueis20(0x14),unlessyouchangedthedefaultvaluebyusingthe.kframes(SetStackLength)command.
Environment
ModesUsermode,kernelmode
TargetsLive,crashdump
PlatformsAll

Comments
Whenyouissuethek,kb,kp,kP,orkvcommand,astacktraceisdisplayedinatabularformat.Iflineloadingisenabled,sourcemodulesandlinenumbersarealsodisplayed.
Thestacktraceincludesthebasepointerforthestackframe,thereturnaddress,andfunctionnames.
IfyouusethekporkPcommand,thefullparametersforeachfunctionthatiscalledinthestacktracearedisplayed.Theparameterlistincludeseachparameter'sdatatype,name,andvalue.
Thiscommandmightbeslow.Forexample,whenMyFunction1callsMyFunction2,thedebuggermusthavefullsymbolinformationforMyFunction1todisplaytheparametersthatarepassedinthiscall.ThiscommanddoesnotfullydisplayinternalMicrosoftWindowsroutinesthatarenotexposedinpublicsymbols.
Ifyouusethekborkvcommand,thefirstthreeparametersthatarepassedtoeachfunctionaredisplayed.Ifyouusethekvcommand,FPOdataisalsodisplayed.
Onanx86-basedprocessor,thekvcommandalsodisplayscallingconventioninformation.
OnanItanium-basedprocessor,thekvcommandalsocausesnonvolatileregisterstobedisplayed.Thisinformationenablesyoutotracetheregisterstack.

Whenyouusethekvcommand,theFPOinformationisaddedattheendofthelineinthefollowingformat.
FPOtextMeaning
FPO:[non-Fpo]
NoFPOdatafortheframe.
FPO:[N1,N2,N3]
N1isthetotalnumberofparameters.
N2isthenumberofDWORDvaluesforthelocalvariables.
N3isthenumberofregistersthataresaved.

FPO:[N1,N2]TrapFrame@Address
N1isthetotalnumberofparameters.
N2isthenumberofDWORDvaluesforthelocals.
Addressistheaddressofthetrapframe.

FPO:TaskGateSegment:0
Segmentisthesegmentselectorforthetaskgate.
FPO:[EBP0xBase]
Baseisthebasepointerfortheframe.

Thekdcommanddisplaystherawstackdata.EachDWORDvalueisdisplayedonaseparateline.Symbolinformationisdisplayedforthoselinestogetherwithassociatedsymbols.Thisformatcreatesamoredetailedlistthantheotherk*commands.Thekdcommandisequivalenttoadds(DisplayMemory)commandthatusesthestackaddressasitsparameter.
Ifyouwantastacktracethatbeginssomewhereotherthanthecurrentstacklocation,youcanusetheBasePtrparametertospecifythebasepointervalue.Ifyouarespecifyingthebasepointervalueonanx86-basedprocessor,youshouldspecifyBasePtr,StackPtr,andInstructionPtr.Theseparametersshouldbethevaluesofebp,esp,andeipthatcorrespondtothestacktracethatyouwant.IfyouspecifyBasePtrandomitStackPtrandInstructionPtr,youmightreceiveincorrectresultsifthereareFPOframespresent.
Ifyouusethekcommandatthebeginningofafunction(beforethefunctionprologhasbeenexecuted),youreceiveincorrectresults.Thedebuggerusestheframeregistertocomputethecurrentbacktrace,andthisregisterisnotsetcorrectlyforafunctionuntilitsprologhasbeenexecuted.
Inusermode,thestacktraceisbasedonthestackofthecurrentthread.Formoreinformationaboutthreads,seeControllingProcessesandThreads.
Inkernelmode,thestacktraceisbasedonthecurrentregistercontext.Youcansettheregistercontexttomatchaspecificthread,contextrecord,ortrapframe.
AdditionalInformation
Formoreinformationaboutstacktracesandotherwaystodisplaystacktraces,seeViewingtheCallStack.Formoreinformationabouttheregistercontextandothercontextsettings,seeChangingContexts.

?2009MicrosoftCorporation
Sendfeedbackonthistopic
DebuggingToolsforWindows
January17,2009
Buildmachine:CAPEBUILD
AdditionalInformation
Formoreinformationaboutstacktracesandotherwaystodisplaystacktraces,seeViewingtheCallStack.Formoreinformationabouttheregistercontextandothercontextsettings,seeChangingContexts.

千问 · 2021-1-27 06:52:10

DebuggingToolsforWindows
~s(SetCurrentThread)
The~scommandsetsordisplaysthecurrentthreadnumber.
Inusermode,~ssetsthecurrentthread.Donotconfusethiscommandconfusedwiththe~s(ChangeCurrentProcessor)command(whichworksonlyinkernelmode),the|s(SetCurrentProcess)command,the||s(SetCurrentSystem)command,orthes(SearchMemory)command.

Syntax
~Threads
~s

Parameters
Thread
Specifiesthethreadtosetordisplay.Formoreinformationaboutthesyntax,seeThreadSyntax.
Environment
ModesUsermodeonly
TargetsLive,crashdump
PlatformsAll

Comments
Youcanspecifythreadsonlyinusermode.Inkernelmode,thetilde(~)referstoaprocessor.
Ifyouusethe~ssyntax,thedebuggerdisplaysinformationaboutthecurrentthread.
Thiscommandalsodisassemblesthecurrentinstructionforthecurrentsystem,process,andthread.
AdditionalInformation
Formoreinformationandothermethodsofdisplayingorcontrollingprocessesandthreads,seeControllingProcessesandThreads.

?2009MicrosoftCorporation
Sendfeedbackonthistopic
DebuggingToolsforWindows
January17,2009
Buildmachine:CAPEBUILD
AdditionalInformation
Formoreinformationandothermethodsofdisplayingorcontrollingprocessesandthreads,seeControllingProcessesandThreads.

千问 · 2021-1-27 06:52:10

DebuggingToolsforWindows
~s(ChangeCurrentProcessor)
The~scommandsetswhichprocessorisdebuggedonamultiprocessorsystem.
Inkernelmode,~schangesthecurrentprocessor.Donotconfusethiscommandwiththe~s(SetCurrentThread)command(whichworksonlyinusermode),the|s(SetCurrentProcess)command,the||s(SetCurrentSystem)command,orthes(SearchMemory)command.

Syntax
~Processors

Parameters
Processor
Specifiesthenumberoftheprocessortodebug.
Environment
ModesKernelmodeonly
TargetsLive,crashdump
PlatformsAll

Comments
Youcanspecifyprocessorsonlyinkernelmode.Inusermode,thetilde(~)referstoathread.

Youcanimmediatelytellwhenyouareworkingonamultipleprocessorsystembytheshapeofthekerneldebuggingprompt.Inthefollowingexample,0:meansthatyouaredebuggingthefirstprocessorinthecomputer.
0:kd>

Usethefollowingcommandtoswitchbetweenprocessors:
0:kd>~1s
1:kd>

Nowthesecondprocessorinthecomputerthatisbeingdebugged.
SeeAlso
MultiprocessorSyntax

?2009MicrosoftCorporation
Sendfeedbackonthistopic
DebuggingToolsforWindows
January17,2009
Buildmachine:CAPEBUILD
SeeAlso
MultiprocessorSyntax

千问 · 2021-1-27 06:52:10

k命令，具体的windbg自带了帮助文档很全面了，如果kb命令

千问 · 2021-1-27 06:52:10

谢谢，我仔细阅读
引用3楼zhao4zhong1的回复:
DebuggingToolsforWindows
~s(ChangeCurrentProcessor)
The~scommandsetswhichprocessorisdebuggedonamultiprocessorsystem.
......
老师，请教个问题。
现在我想调试一个.exe，想观察其中一个dll调用的情况，这个dll是exe进程下的其中一个线程--线程A。我在正确路径下具有dll的pdb文件（dll和pdb是编译器同时生成的，版本一致），并且确定成功加载。
但是我缺少exe的pdb.
我运行了exe后，让windbgattach到了exe进程，并通过log文件确定了dll的线程号为“n”。但是我break以后，通过~ns切换到该进程，输入各种k指令也只能看到这样的信息

请问能大概跟我讲讲为什么会这样子吗？我之后会仔细阅读Windbg的教程，但是现在急用，无奈之下才这样提问的

千问 · 2021-1-27 06:52:10

引用4楼spirit008的回复:k命令，具体的windbg自带了帮助文档很全面了，如果kb命令
帮我看看你楼下的回复~万分感谢

千问 · 2021-1-27 06:52:10

引用4楼spirit008的回复:k命令，具体的windbg自带了帮助文档很全面了，如果kb命令
我在目标线程内~*kv,kb,kp,kP等等都试过了，可是无法看到函数调用等情况，只有各种dll

千问 · 2021-1-27 06:52:10

你5楼的图不就是callstack？你还想看到什么？

千问 · 2021-1-27 06:52:10

引用8楼spirit008的回复:你5楼的图不就是callstack？你还想看到什么？
我想看堆栈里的函数和参数，就跟打开dmp文件时看到的堆栈信息那样，能做到么？