Usually the stack in a dump file we capture looks like this:
0:028> kb
*** ERROR: Symbol file could not be found. Defaulted to export symbols for kernel32.dll -
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
027acff8 7c802542 00000c34 ffffffff 00000000 ntdll!KiFastSystemCallRet
*** WARNING: Unable to verify timestamp for baidubrowser.exe
027ad00c 00401711 00000c34 ffffffff 4ca336f9 kernel32!WaitForSingleObject+0x12
027af13c 00401440 4ca31791 00000000 7c885780 baidubrowser!BDExceptionHandler::GenerateExceptionReport+0x261
027af164 7c864191 027af3fc 00000000 00000000 XXXXXX!BDExceptionHandler::BDUnhandledExceptionFilter_internal+0x50
027af3d4 7c83ab50 027af3fc 7c839b39 027af404 kernel32!UnhandledExceptionFilter+0x1c7
027affec 00000000 7813286e 036b2d00 00000000 kernel32!ValidateLocale+0x1328
Note the frames marked in red in the original (the two BDExceptionHandler frames): that is the function that catches the exception, and it records the context at the time of the exception, including the stack.
We can view the crash stack with the following steps:
1. Run dd 027af3fc to dump the filter's first argument (the 027af3fc shown in the Args column).
0:028> dd 027af3fc
027af3fc 027af4f0 027af50c 027af428 7c9232a8
027af40c 027af4f0 027affdc 027af50c 027af4c4
027af41c 027af858 7c9232bc 027affdc 027af4d8
027af42c 7c92327a 027af4f0 027affdc 027af50c
027af43c 027af4c4 7c839ad8 00000001 027af4f0
027af44c 027affdc 7c94a8c3 027af4f0 027affdc
027af45c 027af50c 027af4c4 7c839ad8 027af83c
027af46c 027af4f0 027132e0 0000f3be 00000000
2. Starting from the values marked in red above (the first two DWORDs, 027af4f0 and 027af50c), try to restore the context with .cxr:
0:028> .cxr 027af4f0 // try the first one: does not work
eax=00000023 ebx=00000000 ecx=0000003b edx=00000000 esi=dc70870a edi=e9c0bf80
eip=027af83c esp=00000004 ebp=00000023 iopl=0 nv up di pl nz na po nc
cs=32e0 ss=0010 ds=8ab8 es=db00 fs=b1f4 gs=7ff9 efl=00000000
32e0:027af83c 0000 add byte ptr [eax],al ds:8ab8:00000023=??
0:028> kb
*** Stack trace for last set context - .thread/.cxr resets it
ChildEBP RetAddr Args to Child
WARNING: Frame IP not in any known module. Following frames may be wrong.
00000023 00000000 00000000 00000000 00000000 0x27af83c
0:028> .cxr 027af50c // try the second one: now we have the exception stack
eax=7ff99000 ebx=00000000 ecx=00000000 edx=00000004 esi=027132e0 edi=027af83c
eip=027132e0 esp=027af7d8 ebp=027af800 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
027132e0 ?? ???
0:028> kb
*** Stack trace for last set context - .thread/.cxr resets it
ChildEBP RetAddr Args to Child
WARNING: Frame IP not in any known module. Following frames may be wrong.
027af7d4 77d18734 00191884 00000024 00000000 0x27132e0
027af800 77d18816 027132e0 00191884 00000024 user32!GetDC+0x6d
027af868 77d28ea0 00000000 027132e0 00191884 user32!GetDC+0x14f
027af8bc 77d2d08a 00909290 00000024 00000000 user32!DefWindowProcW+0x180
027af8e4 7c92e473 027af8f4 0000003c 00909290 user32!GetWindowRgnBox+0x83
027afdd0 77d2e442 00000000 027afe54 00000000 ntdll!KiUserCallbackDispatcher+0x13
027afe7c 77d2d0d6 00000000 0255f1d8 00000000 user32!GetScrollInfo+0x460
027afeb8 024e3f3b 00000000 0255f1d8 00000000 user32!CreateWindowExW+0x33
027aff78 78132848 01d4f0a8 4caf8d91 a4808326 boxbro!astart_kernel+0x2b [e:\workspace\disco\box\src\kernel\kernel_data.h @ 437]
027affb0 781328c8 7c80b729 036b2d00 a4808326 msvcr80!endthread+0x4b
027affec 00000000 7813286e 036b2d00 00000000 msvcr80!endthread+0xcb
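Why the first pointer fails and the second works: the filter's argument is an EXCEPTION_POINTERS, whose first DWORD points at the EXCEPTION_RECORD and whose second points at the CONTEXT that .cxr expects. The following added example (not code from the original post) rebuilds the values shown above in a constructed memory image using the x86 CONTEXT field offsets from winnt.h, and reproduces both .cxr results; the host is assumed to be little-endian.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Field offsets in the x86 CONTEXT structure (winnt.h); CONTEXT is 716 bytes. */
#define CTX_SEGDS 0x98
#define CTX_EDI   0x9c
#define CTX_ESI   0xa0
#define CTX_EDX   0xa8
#define CTX_EBP   0xb4
#define CTX_EIP   0xb8
#define CTX_ESP   0xc4

/* Constructed image of the 32-bit stack region starting at 0x027af3fc, holding
 * only the values visible in the post; everything else is zero-filled. */
#define SNAP_BASE 0x027af3fcu
static uint8_t snap[0x400];

/* Raw 32-bit access into the image (assumes a little-endian host, e.g. x86-64). */
static void poke32(uint32_t addr, uint32_t v) { memcpy(snap + (addr - SNAP_BASE), &v, 4); }
static uint32_t peek32(uint32_t addr) { uint32_t v; memcpy(&v, snap + (addr - SNAP_BASE), 4); return v; }

void build_snapshot(void) {
    const uint32_t ep = 0x027af3fc, ctx = 0x027af50c;  /* EXCEPTION_POINTERS*, CONTEXT* */
    memset(snap, 0, sizeof snap);
    poke32(ep,     0x027af4f0);            /* EXCEPTION_POINTERS.ExceptionRecord */
    poke32(ep + 4, ctx);                   /* EXCEPTION_POINTERS.ContextRecord   */
    poke32(ctx + CTX_SEGDS, 0x00000023);
    poke32(ctx + CTX_EDI,   0x027af83c);
    poke32(ctx + CTX_ESI,   0x027132e0);
    poke32(ctx + CTX_EDX,   0x00000004);
    poke32(ctx + CTX_EBP,   0x027af800);
    poke32(ctx + CTX_EIP,   0x027132e0);   /* faulting instruction pointer */
    poke32(ctx + CTX_ESP,   0x027af7d8);
}

/* The second pointer of EXCEPTION_POINTERS is the CONTEXT that ".cxr" wants. */
uint32_t context_record(uint32_t ep) { return peek32(ep + 4); }

/* What ".cxr addr" reports when it treats addr as a CONTEXT. */
uint32_t ctx_eip(uint32_t ctx) { return peek32(ctx + CTX_EIP); }
uint32_t ctx_esp(uint32_t ctx) { return peek32(ctx + CTX_ESP); }
uint32_t ctx_ebp(uint32_t ctx) { return peek32(ctx + CTX_EBP); }

int main(void) {
    build_snapshot();
    uint32_t ep = 0x027af3fc, wrong = peek32(ep), right = context_record(ep);
    /* Misreading the EXCEPTION_RECORD as a CONTEXT lands 0x1c bytes before the real
     * CONTEXT, so Eip/Esp/Ebp come back as its Edi/Edx/SegDs: 027af83c/4/23 above. */
    printf(".cxr %08x -> eip=%08x esp=%08x ebp=%08x\n", wrong, ctx_eip(wrong), ctx_esp(wrong), ctx_ebp(wrong));
    printf(".cxr %08x -> eip=%08x esp=%08x ebp=%08x\n", right, ctx_eip(right), ctx_esp(right), ctx_ebp(right));
    return 0;
}
```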
There is actually a simpler way: running !analyze -v performs the analysis and prints the exception stack for you automatically.
Alternatively, first restore the exception context with the .ecxr command, then print the stack with kb.
Source: https://www.cnblogs.com/terminator-studio/archive/2012/04/13/2445592.html