windbg查看函数参数，调用堆栈，及返回值．

windbg查看函数参数，调用堆栈，及返回值．

 

bp kernel32!CreateFileW ".echo ---------------------------------------;kL;du poi(@esp+4);gu;.echo =======;r eax;g"

 

 

用windbg打开qq看看

 

 

0:000> bp kernel32!CreateFileW ".echo ---------------------------------------;kL;du poi(@esp+4);gu;.echo =======;r eax;g" 0:000> g ModLoad: 62c20000 62c29000 C:/WINDOWS/system32/LPK.DLL ModLoad: 77180000 77283000 C:/WINDOWS/WinSxS/x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03/comctl32.dll --------------------------------------- ChildEBP RetAddr 0012e374 7c814d65 kernel32!CreateFileW 0012e5dc 7c801d3a kernel32!BasepLoadLibraryAsDataFile+0x125 0012e640 7c8171dd kernel32!LoadLibraryExW+0x178 0012e66c 7c81715d kernel32!BasepSxsFindSuitableManifestResourceFor+0x51 0012e96c 7720b80d kernel32!CreateActCtxW+0x69e 0012eba4 7720b83f comctl32_77180000!SHFusionInitializeIDCC+0x83 0012ebb8 7720b857 comctl32_77180000!SHFusionInitializeID+0x12 0012ebc8 771841a9 comctl32_77180000!SHFusionInitialize+0xf 0012ebdc 77184267 comctl32_77180000!_ProcessAttach+0x32 0012ebe8 7c9211a7 comctl32_77180000!LibMain+0x21 0012ec08 7c93cbab ntdll!LdrpCallInitRoutine+0x14 0012ed10 7c936178 ntdll!LdrpRunInitializeRoutines+0x344 0012efbc 7c9362da ntdll!LdrpLoadDll+0x3e5 0012f264 7c801bb9 ntdll!LdrLoadDll+0x230 0012f2cc 7c80ae5c kernel32!LoadLibraryExW+0x18e 0012f2e0 77f5b1a3 kernel32!LoadLibraryW+0x11 0012f504 766a1110 SHLWAPI!LoadLibraryWrapW+0x51 0012f53c 766a10af WININET!SHFusionLoadLibrary+0x29 0012f548 766a107d WININET!DelayLoadCC+0x15 0012f77c 766a0ff7 WININET!SHFusionInitializeIDCC+0x92 0012e3d0 "C:/WINDOWS/WindowsShell.Manifest" 0012e410 "" ======= eax=00000794 --------------------------------------- ChildEBP RetAddr 0012f8cc 7c801a4f kernel32!CreateFileW 0012f8f0 76d357ff kernel32!CreateFileA+0x30 0012f954 76d3570a iphlpapi!OpenIPDriver+0x115 0012f99c 76d35454 iphlpapi!OpenTCPDriver+0xee 0012f9d0 76d35351 iphlpapi!DllMain+0x157 0012f9f0 7c9211a7 iphlpapi!_DllMainCRTStartup+0x52 0012fa10 7c93cbab ntdll!LdrpCallInitRoutine+0x14 0012fb18 7c94173e ntdll!LdrpRunInitializeRoutines+0x344 0012fc94 7c941639 ntdll!LdrpInitializeProcess+0x1131 0012fd1c 7c92eac7 ntdll!_LdrpInitialize+0x183 00000000 00000000 ntdll!KiUserApcDispatcher+0x7 7ffdfc00 "//./Ip" ======= eax=00000780 --------------------------------------- *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:/Program Files/Tencent/QQ2009/Bin/KernelUtil.dll - ChildEBP RetAddr 0012fc34 0044a69c kernel32!CreateFileW *** ERROR: Module load completed but symbols could not be loaded for QQ.exe WARNING: Stack unwind information not available. Following frames may be wrong. 0012fca8 004029bd KernelUtil!Version::Init+0x8c 0012ff08 004027d9 QQ+0x29bd 0012ff28 00402635 QQ+0x27d9 0012ffc0 7c816fd7 QQ+0x2635 0012fff0 00000000 kernel32!BaseProcessStart+0x23 00c8eca8 "C:/Program Files/Tencent/QQ2009/" 00c8ece8 "Bin/vi.dat" ======= eax=00000720 --------------------------------------- ChildEBP RetAddr 0012eab4 0044a2ad kernel32!CreateFileW WARNING: Stack unwind information not available. Following frames may be wrong. 0012fbb4 0044a4ea KernelUtil!Util::URL::OpenUrlWithTT+0x1cd 0012fc4c 0044a6fc KernelUtil!Version::GetBuildVer+0xca 0012fca8 004029bd KernelUtil!Version::Init+0xec 0012ff08 004027d9 QQ+0x29bd 0012ff28 00402635 QQ+0x27d9 0012ffc0 7c816fd7 QQ+0x2635 0012fff0 00000000 kernel32!BaseProcessStart+0x23 00c8ede0 "C:/Program Files/Tencent/QQ2009/" 00c8ee20 "Bin/QQ.exe" ======= eax=00000720 ModLoad: 76fa0000 7701f000 C:/WINDOWS/system32/CLBCATQ.DLL ModLoad: 77020000 770ba000 C:/WINDOWS/system32/COMRes.dll --------------------------------------- ChildEBP RetAddr 0012f498 76fa6b6e kernel32!CreateFileW 0012f4c4 76faac07 CLBCATQ!WszCreateFile+0x7f 0012f4fc 76fac121 CLBCATQ!StgIO::Open+0xfc 0012f530 76fd770a CLBCATQ!StgDatabase::InitDatabase+0x118 0012f554 76fd5316 CLBCATQ!OpenComponentLibraryEx+0x3e 0012f570 76fa9595 CLBCATQ!OpenComponentLibraryTS+0x1a 0012f80c 76fa217b CLBCATQ!_RegGetICR+0x205 0012f82c 76fa2da1 CLBCATQ!CoRegGetICR+0x29 0012f86c 76fa2d38 CLBCATQ!IsComplusComponent+0x2f 0012f8e0 76fa28c6 CLBCATQ!CComClass::Init+0x78 0012f910 76fa2946 CLBCATQ!CComClass::Create+0x5e 0012f938 769b05af CLBCATQ!CComCLBCatalog::GetClassInfoW+0x23 0012f9a8 769aff58 ole32!CComCatalog::GetClassInfoInternal+0x262 0012f9cc 769b12a7 ole32!CComCatalog::GetClassInfoW+0x1c 0012f9e4 769b12c9 ole32!GetClassInfoFromClsid+0x24 0012fa04 769af99d ole32!LookForConfiguredClsid+0x19 0012fae8 769afaba ole32!ICoCreateInstanceEx+0x106 0012fb10 769afa89 ole32!CComActivator::DoCreateInstance+0x28 0012fb34 769afaf7 ole32!CoCreateInstanceEx+0x1e *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:/Program Files/Tencent/QQ2009/Bin/Common.dll - 0012fb64 100b1d0f ole32!CoCreateInstance+0x37 0012f5e4 "C:/WINDOWS/Registration/R0000000" 0012f624 "00007.clb" ======= eax=000006ac ModLoad: 5dd50000 5de80000 C:/WINDOWS/system32/msxml3.dll ModLoad: 4a410000 4a468000 C:/WINDOWS/system32/WINHTTP.dll --------------------------------------- ChildEBP RetAddr 0012e04c 7c814d65 kernel32!CreateFileW 0012e2b4 7c801d3a kernel32!BasepLoadLibraryAsDataFile+0x125 0012e318 7c801d6e kernel32!LoadLibraryExW+0x178 0012e32c 5dd7b55c kernel32!LoadLibraryExA+0x1f 0012e47c 5dd7b10f msxml3!Resources::classInit+0xcd 0012e4b0 5dd7b15e msxml3!Runtime_init+0x66 0012e4c0 7c9211a7 msxml3!InitDllMain+0x7e 0012e4e0 7c93cbab ntdll!LdrpCallInitRoutine+0x14 0012e5e8 7c936178 ntdll!LdrpRunInitializeRoutines+0x344 0012e894 7c9362da ntdll!LdrpLoadDll+0x3e5 0012eb3c 7c801bb9 ntdll!LdrLoadDll+0x230 0012eba4 769de1b1 kernel32!LoadLibraryExW+0x18e 0012ebc8 769de0cd ole32!CClassCache::CDllPathEntry::LoadDll+0x6c 0012ebf8 769dd550 ole32!CClassCache::CDllPathEntry::Create_rl+0x37 0012ee44 769dd473 ole32!CClassCache::CClassEntry::CreateDllClassEntry_rl+0xd6 0012ee8c 769dd3d1 ole32!CClassCache::GetClassObjectActivator+0x195 0012eeb8 769dcf3b ole32!CClassCache::GetClassObject+0x23 0012ef34 769dcddf ole32!CServerContextActivator::CreateInstance+0x106 0012ef74 769dd02e ole32!ActivationPropertiesIn::DelegateCreateInstance+0xf7 0012efc8 769dcfa5 ole32!CApartmentActivator::CreateInstance+0x110 0012e0a8 "C:/WINDOWS/system32/msxml3r.dll" ======= eax=00000670 --------------------------------------- ChildEBP RetAddr 0012f6e8 77f47eff kernel32!CreateFileW 0012f92c 5dd7bbb6 SHLWAPI!CreateFileWrapW+0x73 0012f96c 5dd7bd04 msxml3!URLStream::OpenFile+0x8f 0012f980 5dd7b891 msxml3!URLStream::Open+0x8f 0012f9b4 5dd7b927 msxml3!XMLParser::PushURL+0x13f 0012f9f0 5dd7cd0a msxml3!XMLParser::SetURL+0x73 0012fa74 5dd7cbbb msxml3!Document::_load+0x128 0012fa90 5dd7caa7 msxml3!Document::load+0x3e 0012fb60 100b1fad msxml3!DOMDocumentWrapper::load+0x221 WARNING: Stack unwind information not available. Following frames may be wrong. 0012fbd4 10011c4b Common!Util::FS::LoadXmlByName+0x2ed 0012fc10 10029867 Common!Util::Convert::ConvertXMLToTXData+0x6b 0012fc68 1003ec3a Common!CCmdCodecBase::SetCodeStruct+0x37b7 0012fc78 00406354 Common!Util::CoreCenter::InitPlatform+0x1a 0012fca8 00402ac5 QQ+0x6354 0012ff08 004027d9 QQ+0x2ac5 0012ff28 00402635 QQ+0x27d9 0012ffc0 7c816fd7 QQ+0x2635 0012fff0 00000000 kernel32!BaseProcessStart+0x23 00f142a0 "C:/Program Files/Tencent/QQ2009/" 00f142e0 "platform.tpc" ======= eax=00000664 --------------------------------------- ChildEBP RetAddr 0012f9e0 78165a5f kernel32!CreateFileW 0012fa48 78166095 MSVCR80!_tsopen_nolock+0x252 0012fa98 78166133 MSVCR80!_wsopen_helper+0x77 0012fab8 7817ec77 MSVCR80!_wsopen_s+0x19 0012faec 78178f95 MSVCR80!_wopenfile+0x25a 0012fb30 78179006 MSVCR80!_wfsopen+0xa1 0012fb48 10127eb1 MSVCR80!_wfopen_s+0x39 WARNING: Stack unwind information not available. Following frames may be wrong. 0012fb64 100b18a6 Common!TiXmlDocument::LoadFile+0x21 0012fba4 100f2df5 Common!Util::FS::LoadTinyXmlByName+0x1c6 0012fbfc 1000c100 Common!TXI18N::SetConfigFile+0xd5 0012fc74 1000c63b Common!Util::BitManip::IsSet+0x6c0 0012fca8 00402adf Common!Util::Boot::InitPlatformI18NConfig+0xab 0012ff08 004027d9 QQ+0x2adf 0012ff28 00402635 QQ+0x27d9 0012ffc0 7c816fd7 QQ+0x2635 0012fff0 00000000 kernel32!BaseProcessStart+0x23 00e04bb8 "C:/Program Files/Tencent/QQ2009/" 00e04bf8 "I18N/Config.xml" ======= eax=00000668 --------------------------------------- ChildEBP RetAddr 0012fb24 100247b6 kernel32!CreateFileW WARNING: Stack unwind information not available. Following frames may be wrong. 0012fb7c 100268cb Common!CTXHttpUploadStandard::OnHttpStatusOK+0x846 0012fbb8 101035b0 Common!CCmdCodecBase::SetCodeStruct+0x81b 0012fbc8 1002f832 Common!CTXCommPack::AddTLV+0x2500 0012fbd8 1000bdad Common!CCmdCodecBase::SetCodeStruct+0x9782 0012fc78 1000c545 Common!Util::BitManip::IsSet+0x36d 0012fca8 00402b35 Common!Util::Boot::InitPlatformCoreConfig+0xa5 0012ff08 004027d9 QQ+0x2b35 0012ff28 00402635 QQ+0x27d9 0012ffc0 7c816fd7 QQ+0x2635 0012fff0 00000000 kernel32!BaseProcessStart+0x23 00e052f0 "C:/Program Files/Tencent/QQ2009/" 00e05330 "common.xml.txd" ======= eax=00000668 --------------------------------------- ChildEBP RetAddr 0012fb24 100247b6 kernel32!CreateFileW WARNING: Stack unwind information not available. Following frames may be wrong. 0012fb7c 100268cb Common!CTXHttpUploadStandard::OnHttpStatusOK+0x846 0012fbb8 101035b0 Common!CCmdCodecBase::SetCodeStruct+0x81b 0012fbc8 1002f832 Common!CTXCommPack::AddTLV+0x2500 0012fbd8 1000bdad Common!CCmdCodecBase::SetCodeStruct+0x9782 0012fc78 1000c545 Common!Util::BitManip::IsSet+0x36d 0012fca8 00402b35 Common!Util::Boot::InitPlatformCoreConfig+0xa5 0012ff08 004027d9 QQ+0x2b35 0012ff28 00402635 QQ+0x27d9 0012ffc0 7c816fd7 QQ+0x2635 0012fff0 00000000 kernel32!BaseProcessStart+0x23 00e192d8 "C:/Program Files/Tencent/QQ2009/" 00e19318 "kernel.xml.txd" ======= eax=00000668 --------------------------------------- ChildEBP RetAddr 0012fb24 100247b6 kernel32!CreateFileW WARNING: Stack unwind information not available. Following frames may be wrong. 0012fb7c 100268cb Common!CTXHttpUploadStandard::OnHttpStatusOK+0x846 0012fbb8 101035b0 Common!CCmdCodecBase::SetCodeStruct+0x81b 0012fbc8 1002f832 Common!CTXCommPack::AddTLV+0x2500 0012fbd8 1000bdad Common!CCmdCodecBase::SetCodeStruct+0x9782 0012fc78 1000c545 Common!Util::BitManip::IsSet+0x36d 0012fca8 00402b35 Common!Util::Boot::InitPlatformCoreConfig+0xa5 0012ff08 004027d9 QQ+0x2b35 0012ff28 00402635 QQ+0x27d9 0012ffc0 7c816fd7 QQ+0x2635 0012fff0 00000000 kernel32!BaseProcessStart+0x23 00e359a8 "C:/Program Files/Tencent/QQ2009/" 00e359e8 "app.xml.txd" ======= eax=00000668 --------------------------------------- ChildEBP RetAddr 0012f848 100c46a2 kernel32!CreateFileW WARNING: Stack unwind information not available. Following frames may be wrong. 0012f87c 100c4ea7 Common!CTXBSTR::~CTXBSTR+0x2982 0012f89c 100c532f Common!TXLog::GetLogByFilter+0x607 0012faf8 100c570d Common!TXLog::GetLogByFilter+0xa8f *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:/Program Files/Tencent/QQ2009/Bin/GF.dll - 0012fb1c 004b8236 Common!Ordinal37+0xad 0012fb84 004b82d4 GF!CGFFrameAnchorHelper::operator=+0x6206 0012fba8 004b8d65 GF!CGFFrameAnchorHelper::operator=+0x62a4 0012fc04 1000c3ec GF!CGFFrameAnchorHelper::operator=+0x6d35 0012fc78 1000c725 Common!Util::BitManip::IsSet+0x9ac 0012fca8 00402b5d Common!Util::Boot::InitPlatformGFConfig+0xa5 0012ff08 004027d9 QQ+0x2b5d 0012ff28 00402635 QQ+0x27d9 0012ffc0 7c816fd7 QQ+0x2635 0012fff0 00000000 kernel32!BaseProcessStart+0x23 00c8e7bc "C:/Documents and Settings/admin/" 00c8e7fc "Application Data/Tencent/Logs/QQ" 00c8e83c ".tlg" ======= eax=00000668 --------------------------------------- ChildEBP RetAddr 0012f658 77f47eff kernel32!CreateFileW 0012f89c 5dd7bbb6 SHLWAPI!CreateFileWrapW+0x73 0012f8dc 5dd7bd04 msxml3!URLStream::OpenFile+0x8f 0012f8f0 5dd7b891 msxml3!URLStream::Open+0x8f 0012f924 5dd7b927 msxml3!XMLParser::PushURL+0x13f 0012f960 5dd7cd0a msxml3!XMLParser::SetURL+0x73 0012f9e4 5dd7cbbb msxml3!Document::_load+0x128 0012fa00 5dd7caa7 msxml3!Document::load+0x3e 0012fad0 100b1fad msxml3!DOMDocumentWrapper::load+0x221 WARNING: Stack unwind information not available. Following frames may be wrong. 0012fb44 004ead4c Common!Util::FS::LoadXmlByName+0x2ed 0012fbb8 004b8dc5 GF!Util::IEEvent::GetIEAcxContainer+0x1e0c 0012fc04 1000c3ec GF!CGFFrameAnchorHelper::operator=+0x6d95 0012fc78 1000c725 Common!Util::BitManip::IsSet+0x9ac 0012fca8 00402b5d Common!Util::Boot::InitPlatformGFConfig+0xa5 0012ff08 004027d9 QQ+0x2b5d 0012ff28 00402635 QQ+0x27d9 0012ffc0 7c816fd7 QQ+0x2635 0012fff0 00000000 kernel32!BaseProcessStart+0x23 00f144a8 "C:/Program Files/Tencent/QQ2009/" 00f144e8 "gf-config.xml" ======= eax=00000664

 

 

 

 

 

来源：CSDN

作者：xhunmr

链接：https://blog.csdn.net/xhunmr/article/details/5199437