tailieunhanh - Memory Dump Analysis Anthology- P20

Memory Dump Analysis Anthology - P20: This is a revised, edited, cross-referenced and thematically organized volume of selected blog posts about crash dump analysis and debugging written in 2006-2007 for software engineers developing and maintaining products on Windows platforms, technical support and escalation engineers dealing with complex software issues, and general Windows users.

PART 7: WinDbg For GDB Users and Vice Versa

DISASSEMBLER

The second GDB command is x/Ni address, where N is the number of instructions to disassemble:

    (gdb) x/i 0x4012f0
    0x4012f0 <main>:        push   ebp
    (gdb) x/2i 0x4012f0
    0x4012f0 <main>:        push   ebp
    0x4012f1 <main+1>:      mov    ebp,esp
    (gdb) x/3i 0x4012f0
    0x4012f0 <main>:        push   ebp
    0x4012f1 <main+1>:      mov    ebp,esp
    0x4012f3 <main+3>:      sub    esp,0x8
    (gdb) x/4i $pc
    0x4012f6 <main+6>:      and    esp,0xfffffff0
    0x4012f9 <main+9>:      mov    eax,0x0
    0x4012fe <main+14>:     add    eax,0xf
    0x401301 <main+17>:     add    eax,0xf
    (gdb)

There seems to be no way to disassemble just N instructions in WinDbg. However, in WinDbg we can disassemble backwards (ub). This is useful, for example, if we have a return address and we want to see the CALL instruction that produced it:

    0:000> k
    ChildEBP RetAddr
    0012ff7c 0040117a test!main @ 3
    0012ffc0 7d4e992a test!_tmainCRTStartup+0x10f [f:\sp\vctools\crt_bld\self_x86\crt\src @ 597]
    0012fff0 00000000 kernel32!BaseProcessStart+0x28
    0:000> ub 7d4e992a
    kernel32!BaseProcessStart+0x10:
    7d4e9912 call    kernel32!BasepReport32bitAppLaunching (7d4e9949)
    7d4e9917 push    4
    7d4e9919 lea     eax,[ebp-8]
    7d4e991c push    eax
    7d4e991d push    9
    7d4e991f push    0FFFFFFFEh
    7d4e9921 call    dword ptr [kernel32!_imp__NtSetInformationThread (7d4d032c)]
    7d4e9927 call    dword ptr [ebp-8]

Our next version of the map contains these new commands:

    Action                        GDB               WinDbg
    Start the process             run               g
    Exit                          q[uit]            q
    Disassemble forward           disas[semble]     uf, u
    Disassemble N instructions    x/Ni              -
    Disassemble backward          -                 ub

STACK TRACE (BACKTRACE)

Displaying a thread stack trace is the most used action in crash or core dump analysis and debugging. To show the various available GDB commands I created the next version of the test program with the following source code:

    #include <...>

    void func_1(int param_1, char param_2, int param_3, char param_4);
    void func_2(int param_1, char param_2, int param_3, char
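The `ub` session in the Disassembler section and the stack trace section both rest on the same fact: a frame's return address points just past the CALL that pushed it, so disassembling backwards from RetAddr should land on a CALL. The Python script below is an added example, not code from the book or its author. It parses a WinDbg `k` stack trace and a `ub` listing (the sample text is transcribed from the session above, with opcode bytes omitted since the excerpt does not show them), finds for each return address the listed instruction immediately preceding it, and reports whether that instruction is a CALL. All function names (parse_k, parse_disasm, instruction_before, check_return_address, analyze) are my own.

```python
import re

# Constructed sample: the `k` output from the WinDbg session on the page,
# kept verbatim apart from whitespace.
K_OUTPUT = r"""
ChildEBP RetAddr
0012ff7c 0040117a test!main @ 3
0012ffc0 7d4e992a test!_tmainCRTStartup+0x10f [f:\sp\vctools\crt_bld\self_x86\crt\src @ 597]
0012fff0 00000000 kernel32!BaseProcessStart+0x28
"""

# Constructed sample: the `ub 7d4e992a` listing from the same session.
# WinDbg prints a symbol header line, then "address mnemonic operands" lines.
UB_OUTPUT = """
kernel32!BaseProcessStart+0x10:
7d4e9912 call    kernel32!BasepReport32bitAppLaunching (7d4e9949)
7d4e9917 push    4
7d4e9919 lea     eax,[ebp-8]
7d4e991c push    eax
7d4e991d push    9
7d4e991f push    0FFFFFFFEh
7d4e9921 call    dword ptr [kernel32!_imp__NtSetInformationThread (7d4d032c)]
7d4e9927 call    dword ptr [ebp-8]
"""

# A `k` frame line: ChildEBP, RetAddr, then the symbolic frame description.
FRAME_RE = re.compile(r"^([0-9a-f]{8})\s+([0-9a-f]{8})\s+(\S.*)$", re.I)
# A disassembly line: address, mnemonic, optional operands. Symbol header
# lines such as "kernel32!BaseProcessStart+0x10:" do not start with 8 hex
# digits and are therefore skipped.
INSN_RE = re.compile(r"^([0-9a-f]{8})\s+(\w+)\s*(.*)$", re.I)


def parse_k(text):
    """Parse `k` output into (child_ebp, ret_addr, description) tuples."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if m:
            frames.append((int(m.group(1), 16), int(m.group(2), 16), m.group(3).strip()))
    return frames


def parse_disasm(text):
    """Parse a `u`/`ub` listing into {address: (mnemonic, operands)}."""
    insns = {}
    for line in text.splitlines():
        m = INSN_RE.match(line)
        if m:
            insns[int(m.group(1), 16)] = (m.group(2).lower(), m.group(3).strip())
    return insns


def instruction_before(insns, ret_addr):
    """The listed instruction that ends at ret_addr: the one with the highest
    address below it. This is what the last line of `ub <RetAddr>` shows.
    Returns (address, mnemonic, operands), or None if the listing does not
    cover the address range."""
    candidates = [a for a in insns if a < ret_addr]
    if not candidates:
        return None
    addr = max(candidates)
    mnemonic, operands = insns[addr]
    return addr, mnemonic, operands


def check_return_address(insns, ret_addr):
    """True if ret_addr is preceded by a CALL, i.e. the frame looks like an
    ordinary call/return pair. A return address with no CALL in front of it
    usually means a corrupted stack or a misinterpreted frame."""
    prev = instruction_before(insns, ret_addr)
    return prev is not None and prev[1] == "call"


def analyze(k_text, ub_text):
    """For each frame whose RetAddr falls inside the listing, pair it with the
    preceding instruction and the call/return consistency verdict."""
    insns = parse_disasm(ub_text)
    results = {}
    for _, ret_addr, description in parse_k(k_text):
        prev = instruction_before(insns, ret_addr)
        if prev is not None:
            results[ret_addr] = (description, prev, check_return_address(insns, ret_addr))
    return results


if __name__ == "__main__":
    for ret, (desc, (addr, mnem, ops), ok) in analyze(K_OUTPUT, UB_OUTPUT).items():
        verdict = "call/ret consistent" if ok else "CHECK: not preceded by a call"
        print(f"{ret:08x} ({desc}): preceded by {addr:08x} {mnem} {ops} -> {verdict}")
```

Only the 7d4e992a frame is covered by this listing, and the script confirms it sits right after `call dword ptr [ebp-8]` at 7d4e9927. One caveat for x86: backward disassembly is heuristic because instructions have variable length, so WinDbg's `ub` (and this check) is only as good as the instruction boundaries in the listing. Anchoring the listing at a known symbol boundary, as WinDbg does here starting from kernel32!BaseProcessStart+0x10, or confirming it with a forward `u` from the function start, avoids false alarms; a frame that still fails the check is the one to scrutinize when the stack is suspected to be corrupted.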