Contents

When debugging optimized code in WinDbg, the address shown for the this pointer is not reliable. The steps below show how to recover the real this pointer through the object's vtable.

1. kbn
 # ChildEBP RetAddr  Args to Child
00 1d61fad0 7c90d21a 7c8023f1 00000000 1d61fb04 ntdll!KiFastSystemCallRet
01 1d61fad4 7c8023f1 00000000 1d61fb04 1a314e78 ntdll!NtDelayExecution+0xc
02 1d61fb2c 7c802455 00000042 00000000 1d61fb6c kernel32!SleepEx+0x61
03 1d61fb3c (ChildEBPaftercall) 4c08f466 00000042 6496c8a2 1a3128f0 kernel32!Sleep+0xf
04 1d61fb6c 5c2656d4 616c06bc 1d61fbbc 1d61fe74 DllName!NameSpaceName::ClassName::OnProcess+0x106 [source1.cpp @ 5908]
05 1d61fbb0 (ChildEBPbeforecall) 77520c9a 1a312b0c 1d61fd78 0ef5bd18 Dll2Name!Class2Name::Process+0xb4 [source2.cpp @ 104]
06 1d61fbc8 77587f67 4c0e4df0 1a312b0c 1d61fcfc ole32!CallFrame::Invoke+0x54

2. dpp (ChildEBPaftercall) (ChildEBPbeforecall) to find the vtable

0:022> dpp 1d61fb3c 1d61fbb0
1d61fb3c 1d61fb6c 1d61fbb0 <Unloaded_API.DLL>+0x1d61fb7f
1d61fb40 4c08f466 d908ec83
1d61fb44 00000042
1d61fb48 6496c8a2 1e6041d6 <Unloaded_API.DLL>+0x1e6041a5
1d61fb4c 1a3128f0 (init this pointer address) 4c1a3e24 (vtable address) DllName!ATL::CComObject::`vftable'

3. dds (vtable address)-4 to find the RTTI

0:022> dds 4c1a3e24 -4
4c1a3e20 4c1b99e0 (RTTI address) DllName!ATL::CComObject::`RTTI Complete Object Locator'

4. dds (RTTI address) to find the offset; it is the second dword

0:022> dds 4c1b99e0
4c1b99e0 00000000
4c1b99e4 00000000 (offset)
4c1b99e8 00000000

5. dt ModuleName!ClassName (init this pointer address)-(offset) to view the this pointer. Done :)
dt DllName!NameSpaceName::ClassName 1a3128f0-0
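The pointer chain of steps 2 to 5, as an added Python example that is not part of the original post. It walks a constructed 32-bit memory image laid out the way MSVC x86 does it on this page (the dword before a vftable points to the RTTI Complete Object Locator, whose second dword is the subobject offset), reproduces the post's own addresses, and also covers the case the post does not show: a vftable of a secondary interface whose offset is non-zero.

```python
import struct

# Sparse 32-bit memory image, constructed for this example (not a real dump).
# MSVC x86 layout assumed: vftable-4 -> RTTI Complete Object Locator (COL);
# COL+0 = signature, COL+4 = offset of this vftable's subobject, COL+8 = cdOffset.
MEM = {}

def write32(addr, value):
    MEM[addr] = struct.pack("<I", value & 0xFFFFFFFF)

def read32(addr):
    return struct.unpack("<I", MEM[addr])[0]

def find_complete_this(subobject_this):
    """Same chain as dpp/dds/dt: vfptr -> vftable -> COL -> offset -> real this."""
    vtable = read32(subobject_this)      # first dword of the subobject is its vfptr
    col = read32(vtable - 4)             # dds (vtable address)-4
    offset = read32(col + 4)             # second dword of the COL
    return subobject_this - offset       # dt ... (init this) - (offset)

# Case 1: the post's addresses. Primary vftable, so the offset is 0 and
# the this pointer seen in the frame is already the complete object.
write32(0x1A3128F0, 0x4C1A3E24)   # vfptr -> DllName!ATL::CComObject::`vftable'
write32(0x4C1A3E20, 0x4C1B99E0)   # vftable-4 -> RTTI Complete Object Locator
write32(0x4C1B99E0, 0)            # signature
write32(0x4C1B99E4, 0)            # offset
write32(0x4C1B99E8, 0)            # cdOffset

# Case 2 (constructed): a COM object at 0x00200000 whose second interface
# subobject sits at +8. A method of that interface sees this == 0x00200008;
# its vftable's COL carries offset 8, so the complete object is 0x00200000.
write32(0x00200008, 0x4C1A4000)   # secondary vfptr -> hypothetical vftable
write32(0x4C1A3FFC, 0x4C1BA000)   # vftable-4 -> hypothetical COL
write32(0x4C1BA000, 0)            # signature
write32(0x4C1BA004, 8)            # offset of this subobject
write32(0x4C1BA008, 0)            # cdOffset

if __name__ == "__main__":
    print(hex(find_complete_this(0x1A3128F0)))   # 0x1a3128f0
    print(hex(find_complete_this(0x00200008)))   # 0x200000
```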
