f1 . f2 . f1 . f2
. f3 . f4 . f6
. f5
which means that something like the following is being executed during that particular event:
main {
    f1();
    f2();
    f1();
    f2();
}
f2 {
    if(something) {
        f3();
        f4();
    }
    else {
        f6();
    }
}
f4 {
    f5();
}
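This should make it much easier to find the functions I am interested in and to see how they work at a higher level. I could also compare the flows of different executions in which something is or is not done, which should help me too.
How would I go about doing this? What tools can I use? I am 100% new to reverse engineering. I have been searching all day, and I am starting to think it doesn't actually make any sense, because it seems so basic, yet I can't find any results.
Answer #1
You can use windbg wt (watch and trace) to generate the execution flow. The demo below is for the code in the query, compiled in debug mode (to ensure the function calls exist and are not optimized away by a simple replacement).
For example, the code compiled in msvcpp2ktenexp debug: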
#include <stdio.h>
int glob = 0; /* incremented by f1(); f2() takes the f3/f4 branch only when it equals 8 */
void f1(int a) { printf("%d ",a); glob++;}
void f3(int a) { printf("F3 %d ",a);}
void f5(int a) { printf("F5 %d ",a);}
void f6(int a) { printf("%d ",a);}
void f4(int a) { f5(5);}
void f2(int a) { if(glob == 8) { f3(3); f4(4); } else { f6(6); } }
void main() { rndrob:f1(1);f2(2);f1(1);f2(2);if(glob<10){goto rndrob;} }
dry run results
>flowt.exe
1 6 1 6 1 6 1 6 1 6 1 6 1 6 1 F3 3 F5 5 1 6 1 6
windbg wt results for function main() of module flowt, edited to remove fluff.
The statistics at the end show that printf() was called 21 times, f3(), f4(), etc. etc.
Tracing flowt!main to return address 00411bcf
59 0 [ 0] flowt!main
62 0 [ 1] flowt!f1
1 72 0 [ 2] MSVCR100D!printf
65 72 [ 1] flowt!f1
62 156 [ 0] flowt!main
61 0 [ 1] flowt!f2
62 0 [ 2] flowt!f6
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
61 0 [ 1] flowt!f2
62 0 [ 2] flowt!f3
F3 3 72 0 [ 3] MSVCR100D!printf
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
64 153 [ 1] flowt!f2
62 0 [ 3] flowt!f5
F5 5 72 0 [ 4] MSVCR100D!printf
65 72 [ 3] flowt!f5
141 4073 [ 0] flowt!main
4214 instructions were executed in 4213 events (0 from other threads)
Function Name Invocations MinInst MaxInst AvgInst
MSVCR100D!printf 21 72 72 72
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
flowt!f1 10 77 77 77
flowt!f2 10 71 75 71
flowt!f3 1 74 74 74
flowt!f4 1 69 69 69
flowt!f5 1 74 74 74
flowt!f6 9 74 74 74
flowt!main 1 141 141 141
Answer
If you followed the logic exactly, then calc.exe will keep on outputting calls in the message loop forever, until you close calc.exe.
windbg calc.exe
g calc!WinMain
This goes to the start of the WinMain function. (wt traces and watches a single function call and its child calls N deep, so to use wt you need to be at the start of whichever function you want to trace.) g Winmain ensures you are at the start of the function WinMain.
Now executing
wt -m calc
will loop forever, logging all the subcalls below calc!WinMain.
A fine-grained example for calc.exe:
DoOperation is a function in calc.exe.
The output below shows how to watch and trace that function a single time.
g calc!DoOperation breaks when DoOperation is called.
wt traces DoOperation one time (will trace one bracket open),
so if you do 3+5 and hit = it will stop tracing;
it will also stop tracing if you do 3+5 * because * (multiplication) finishes the first operation, viz. addition, and prints the result.
>cdb -c "g calc!DoOperation; wt -m calc ;g;q" calc
0:000> cdb: Reading initial command 'g calc!DoOperation; wt -m calc ;g;q'
Tracing calc!DoOperation to return address 010035a0
2 0 [ 0] calc!DoOperation
10 0 [ 1] calc!_EH_prolog
20 10 [ 0] calc!DoOperation
12 0 [ 1] calc!addrat
52 0 [ 2] calc!equnum
36 52 [ 1] calc!addrat
19 0 [ 2] calc!addnum
30 0 [ 3] calc!_addnum
6 0 [ 4] calc!_createnum
25 0 [ 5] kernel32!LocalAlloc
12 25 [ 4] calc!_createnum
112 37 [ 3] calc!_addnum
3 0 [ 4] calc!_destroynum
17 0 [ 4] kernel32!LocalFree
118 57 [ 3] calc!_addnum
23 175 [ 2] calc!addnum
41 250 [ 1] calc!addrat
28 301 [ 0] calc!DoOperation
329 instructions were executed in 328 events (0 from other threads)
Function Name Invocations MinInst MaxInst AvgInst
calc!DoOperation 1 28 28 28
calc!_EH_prolog 1 10 10 10
calc!_addnum 1 118 118 118
calc!_createnum 1 12 12 12
calc!_destroynum 1 3 3 3
calc!addnum 1 23 23 23
calc!addrat 1 41 41 41
calc!equnum 1 52 52 52
kernel32!LocalAlloc 1 25 25 25
kernel32!LocalFree 1 17 17 17
0 system calls were executed
quit:
If you find escaping the quotes a bit annoying and want to keep tracing DoOperation several times, put the commands in a text file, say foo.txt, and use
cdb -c "$$>a< c:\foo.txt" calc
Contents of foo.txt:
bp calc!DoOperation "bp /1 @$ra \"g\";wt -m calc"
g;
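This sets a breakpoint on the return address of DoOperation ( ) and issues a command that tells windbg to trace within calc.exe and to continue executing the target after returning from the function DoOperation().
>cdb -c "$$>a< c:\foo.txt" calc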
0:000> cdb: Reading initial command '$$>a< c:\foo.txt'
Addition operation
Tracing calc!DoOperation to return address 010035a0
2 0 [ 0] calc!DoOperation
10 0 [ 1] calc!_EH_prolog
18 10 [ 0] calc!DoOperation
6 0 [ 1] calc!mulrat
14 0 [ 2] calc!zernum
12 14 [ 1] calc!mulrat
22 0 [ 2] calc!mulnumx
19 0 [ 3] calc!_mulnumx
6 0 [ 4] calc!_createnum
25 0 [ 5] kernel32!LocalAlloc
12 25 [ 4] calc!_createnum
127 37 [ 3] calc!_mulnumx
3 0 [ 4] calc!_destroynum
17 0 [ 4] kernel32!LocalFree
133 57 [ 3] calc!_mulnumx
27 190 [ 2] calc!mulnumx
17 231 [ 1] calc!mulrat
24 0 [ 2] calc!mulnumx
19 255 [ 1] calc!mulrat
36 0 [ 2] calc!trimit
23 291 [ 1] calc!mulrat
26 324 [ 0] calc!DoOperation
350 instructions were executed in 349 events (0 from other threads)
left shift operation
Tracing calc!DoOperation to return address 010035a0
2 0 [ 0] calc!DoOperation
10 0 [ 1] calc!_EH_prolog
26 10 [ 0] calc!DoOperation
6 0 [ 1] calc!_destroyrat
28 16 [ 0] calc!DoOperation
4 0 [ 1] calc!_createrat
25 0 [ 2] kernel32!LocalAlloc
12 25 [ 1] calc!_createrat
32 53 [ 0] calc!DoOperation
3 0 [ 1] calc!_destroynum
39 56 [ 0] calc!DoOperation
6 0 [ 1] calc!_createnum
25 0 [ 2] kernel32!LocalAlloc
12 25 [ 1] calc!_createnum
59 93 [ 0] calc!DoOperation
3 0 [ 1] calc!_destroynum
65 96 [ 0] calc!DoOperation
6 0 [ 1] calc!_createnum
25 0 [ 2] kernel32!LocalAlloc
12 25 [ 1] calc!_createnum
84 133 [ 0] calc!DoOperation
6 0 [ 1] calc!_destroyrat
3 0 [ 2] calc!_destroynum
17 0 [ 2] kernel32!LocalFree
9 20 [ 1] calc!_destroyrat
3 0 [ 2] calc!_destroynum
17 0 [ 2] kernel32!LocalFree
12 40 [ 1] calc!_destroyrat
17 0 [ 2] kernel32!LocalFree
14 57 [ 1] calc!_destroyrat
86 204 [ 0] calc!DoOperation
4 0 [ 1] calc!_createrat
25 0 [ 2] kernel32!LocalAlloc
12 25 [ 1] calc!_createrat
89 241 [ 0] calc!DoOperation
3 0 [ 1] calc!_destroynum
95 244 [ 0] calc!DoOperation
6 0 [ 1] calc!_createnum
25 0 [ 2] kernel32!LocalAlloc
12 25 [ 1] calc!_createnum
114 281 [ 0] calc!DoOperation
3 0 [ 1] calc!_destroynum
120 284 [ 0] calc!DoOperation
6 0 [ 1] calc!_createnum
25 0 [ 2] kernel32!LocalAlloc
12 25 [ 1] calc!_createnum
139 321 [ 0] calc!DoOperation
8 0 [ 1] calc!lshrat
11 0 [ 2] calc!intrat
14 0 [ 3] calc!zernum
17 14 [ 2] calc!intrat
52 0 [ 3] calc!equnum
23 66 [ 2] calc!intrat
11 89 [ 1] calc!lshrat
14 0 [ 2] calc!zernum
16 103 [ 1] calc!lshrat
10 0 [ 2] calc!rat_gt
6 0 [ 3] calc!_destroyrat
12 6 [ 2] calc!rat_gt
4 0 [ 3] calc!_createrat
25 0 [ 4] kernel32!LocalAlloc
12 25 [ 3] calc!_createrat
15 43 [ 2] calc!rat_gt
3 0 [ 3] calc!_destroynum
21 46 [ 2] calc!rat_gt
6 0 [ 3] calc!_createnum
25 0 [ 4] kernel32!LocalAlloc
12 25 [ 3] calc!_createnum
40 83 [ 2] calc!rat_gt
3 0 [ 3] calc!_destroynum
45 86 [ 2] calc!rat_gt
6 0 [ 3] calc!_createnum
25 0 [ 4] kernel32!LocalAlloc
12 25 [ 3] calc!_createnum
69 123 [ 2] calc!rat_gt
12 0 [ 3] calc!addrat
52 0 [ 4] calc!equnum
36 52 [ 3] calc!addrat
19 0 [ 4] calc!addnum
30 0 [ 5] calc!_addnum
6 0 [ 6] calc!_createnum
25 0 [ 7] kernel32!LocalAlloc
12 25 [ 6] calc!_createnum
142 37 [ 5] calc!_addnum
3 0 [ 6] calc!_destroynum
17 0 [ 6] kernel32!LocalFree
148 57 [ 5] calc!_addnum
23 205 [ 4] calc!addnum
41 280 [ 3] calc!addrat
74 444 [ 2] calc!rat_gt
14 0 [ 3] calc!zernum
88 458 [ 2] calc!rat_gt
6 0 [ 3] calc!_destroyrat
3 0 [ 4] calc!_destroynum
17 0 [ 4] kernel32!LocalFree
9 20 [ 3] calc!_destroyrat
3 0 [ 4] calc!_destroynum
17 0 [ 4] kernel32!LocalFree
12 40 [ 3] calc!_destroyrat
17 0 [ 4] kernel32!LocalFree
14 57 [ 3] calc!_destroyrat
94 529 [ 2] calc!rat_gt
21 726 [ 1] calc!lshrat
12 0 [ 2] calc!rattolong
10 0 [ 3] calc!rat_gt
6 0 [ 4] calc!_destroyrat
12 6 [ 3] calc!rat_gt
4 0 [ 4] calc!_createrat
25 0 [ 5] kernel32!LocalAlloc
12 25 [ 4] calc!_createrat
15 43 [ 3] calc!rat_gt
3 0 [ 4] calc!_destroynum
21 46 [ 3] calc!rat_gt
6 0 [ 4] calc!_createnum
25 0 [ 5] kernel32!LocalAlloc
12 25 [ 4] calc!_createnum
40 83 [ 3] calc!rat_gt
3 0 [ 4] calc!_destroynum
45 86 [ 3] calc!rat_gt
6 0 [ 4] calc!_createnum
25 0 [ 5] kernel32!LocalAlloc
12 25 [ 4] calc!_createnum
69 123 [ 3] calc!rat_gt
12 0 [ 4] calc!addrat
52 0 [ 5] calc!equnum
36 52 [ 4] calc!addrat
17 0 [ 5] calc!addnum
30 0 [ 6] calc!_addnum
6 0 [ 7] calc!_createnum
25 0 [ 8] kernel32!LocalAlloc
12 25 [ 7] calc!_createnum
199 37 [ 6] calc!_addnum
3 0 [ 7] calc!_destroynum
17 0 [ 7] kernel32!LocalFree
205 57 [ 6] calc!_addnum
21 262 [ 5] calc!addnum
41 335 [ 4] calc!addrat
74 499 [ 3] calc!rat_gt
14 0 [ 4] calc!zernum
88 513 [ 3] calc!rat_gt
6 0 [ 4] calc!_destroyrat
3 0 [ 5] calc!_destroynum
17 0 [ 5] kernel32!LocalFree
9 20 [ 4] calc!_destroyrat
3 0 [ 5] calc!_destroynum
17 0 [ 5] kernel32!LocalFree
12 40 [ 4] calc!_destroyrat
17 0 [ 5] kernel32!LocalFree
14 57 [ 4] calc!_destroyrat
94 584 [ 3] calc!rat_gt
17 678 [ 2] calc!rattolong
10 0 [ 3] calc!rat_lt
6 0 [ 4] calc!_destroyrat
12 6 [ 3] calc!rat_lt
4 0 [ 4] calc!_createrat
25 0 [ 5] kernel32!LocalAlloc
12 25 [ 4] calc!_createrat
15 43 [ 3] calc!rat_lt
3 0 [ 4] calc!_destroynum
21 46 [ 3] calc!rat_lt
6 0 [ 4] calc!_createnum
25 0 [ 5] kernel32!LocalAlloc
12 25 [ 4] calc!_createnum
40 83 [ 3] calc!rat_lt
3 0 [ 4] calc!_destroynum
45 86 [ 3] calc!rat_lt
6 0 [ 4] calc!_createnum
25 0 [ 5] kernel32!LocalAlloc
12 25 [ 4] calc!_createnum
69 123 [ 3] calc!rat_lt
12 0 [ 4] calc!addrat
52 0 [ 5] calc!equnum
36 52 [ 4] calc!addrat
17 0 [ 5] calc!addnum
30 0 [ 6] calc!_addnum
6 0 [ 7] calc!_createnum
25 0 [ 8] kernel32!LocalAlloc
12 25 [ 7] calc!_createnum
157 37 [ 6] calc!_addnum
3 0 [ 7] calc!_destroynum
17 0 [ 7] kernel32!LocalFree
163 57 [ 6] calc!_addnum
21 220 [ 5] calc!addnum
41 293 [ 4] calc!addrat
74 457 [ 3] calc!rat_lt
14 0 [ 4] calc!zernum
86 471 [ 3] calc!rat_lt
6 0 [ 4] calc!_destroyrat
3 0 [ 5] calc!_destroynum
17 0 [ 5] kernel32!LocalFree
9 20 [ 4] calc!_destroyrat
3 0 [ 5] calc!_destroynum
17 0 [ 5] kernel32!LocalFree
12 40 [ 4] calc!_destroyrat
17 0 [ 5] kernel32!LocalFree
14 57 [ 4] calc!_destroyrat
92 542 [ 3] calc!rat_lt
21 1312 [ 2] calc!rattolong
6 0 [ 3] calc!_destroyrat
23 1318 [ 2] calc!rattolong
4 0 [ 3] calc!_createrat
25 0 [ 4] kernel32!LocalAlloc
12 25 [ 3] calc!_createrat
26 1355 [ 2] calc!rattolong
3 0 [ 3] calc!_destroynum
31 1358 [ 2] calc!rattolong
6 0 [ 3] calc!_createnum
25 0 [ 4] kernel32!LocalAlloc
12 25 [ 3] calc!_createnum
50 1395 [ 2] calc!rattolong
3 0 [ 3] calc!_destroynum
55 1398 [ 2] calc!rattolong
6 0 [ 3] calc!_createnum
25 0 [ 4] kernel32!LocalAlloc
12 25 [ 3] calc!_createnum
75 1435 [ 2] calc!rattolong
11 0 [ 3] calc!intrat
14 0 [ 4] calc!zernum
17 14 [ 3] calc!intrat
52 0 [ 4] calc!equnum
23 66 [ 3] calc!intrat
79 1524 [ 2] calc!rattolong
24 0 [ 3] calc!divnumx
82 1548 [ 2] calc!rattolong
3 0 [ 3] calc!_destroynum
17 0 [ 3] kernel32!LocalFree
87 1568 [ 2] calc!rattolong
6 0 [ 3] calc!_createnum
25 0 [ 4] kernel32!LocalAlloc
12 25 [ 3] calc!_createnum
107 1605 [ 2] calc!rattolong
28 0 [ 3] calc!numtolong
110 1633 [ 2] calc!rattolong
6 0 [ 3] calc!_destroyrat
3 0 [ 4] calc!_destroynum
17 0 [ 4] kernel32!LocalFree
9 20 [ 3] calc!_destroyrat
3 0 [ 4] calc!_destroynum
17 0 [ 4] kernel32!LocalFree
12 40 [ 3] calc!_destroyrat
17 0 [ 4] kernel32!LocalFree
14 57 [ 3] calc!_destroyrat
116 1704 [ 2] calc!rattolong
24 2546 [ 1] calc!lshrat
6 0 [ 2] calc!_destroyrat
26 2552 [ 1] calc!lshrat
4 0 [ 2] calc!_createrat
25 0 [ 3] kernel32!LocalAlloc
12 25 [ 2] calc!_createrat
29 2589 [ 1] calc!lshrat
3 0 [ 2] calc!_destroynum
35 2592 [ 1] calc!lshrat
6 0 [ 2] calc!_createnum
25 0 [ 3] kernel32!LocalAlloc
12 25 [ 2] calc!_createnum
55 2629 [ 1] calc!lshrat
3 0 [ 2] calc!_destroynum
61 2632 [ 1] calc!lshrat
6 0 [ 2] calc!_createnum
25 0 [ 3] kernel32!LocalAlloc
12 25 [ 2] calc!_createnum
82 2669 [ 1] calc!lshrat
10 0 [ 2] calc!ratpowlong
3 0 [ 3] calc!longtorat
4 0 [ 4] calc!_createrat
25 0 [ 5] kernel32!LocalAlloc
12 25 [ 4] calc!_createrat
8 37 [ 3] calc!longtorat
3 0 [ 4] calc!longtonum
6 0 [ 5] calc!_createnum
25 0 [ 6] kernel32!LocalAlloc
12 25 [ 5] calc!_createnum
21 37 [ 4] calc!longtonum
12 95 [ 3] calc!longtorat
3 0 [ 4] calc!longtonum
6 0 [ 5] calc!_createnum
25 0 [ 6] kernel32!LocalAlloc
12 25 [ 5] calc!_createnum
21 37 [ 4] calc!longtonum
17 153 [ 3] calc!longtorat
21 170 [ 2] calc!ratpowlong
25 0 [ 3] calc!mulnumx
3 0 [ 4] calc!_destroynum
17 0 [ 4] kernel32!LocalFree
28 20 [ 3] calc!mulnumx
6 0 [ 4] calc!_createnum
25 0 [ 5] kernel32!LocalAlloc
12 25 [ 4] calc!_createnum
51 57 [ 3] calc!mulnumx
27 278 [ 2] calc!ratpowlong
24 0 [ 3] calc!mulnumx
30 302 [ 2] calc!ratpowlong
6 0 [ 3] calc!mulrat
14 0 [ 4] calc!zernum
12 14 [ 3] calc!mulrat
22 0 [ 4] calc!mulnumx
19 0 [ 5] calc!_mulnumx
6 0 [ 6] calc!_createnum
25 0 [ 7] kernel32!LocalAlloc
12 25 [ 6] calc!_createnum
127 37 [ 5] calc!_mulnumx
3 0 [ 6] calc!_destroynum
17 0 [ 6] kernel32!LocalFree
133 57 [ 5] calc!_mulnumx
27 190 [ 4] calc!mulnumx
17 231 [ 3] calc!mulrat
24 0 [ 4] calc!mulnumx
19 255 [ 3] calc!mulrat
36 0 [ 4] calc!trimit
23 291 [ 3] calc!mulrat
33 616 [ 2] calc!ratpowlong
36 0 [ 3] calc!trimit
35 652 [ 2] calc!ratpowlong
36 0 [ 3] calc!trimit
43 688 [ 2] calc!ratpowlong
6 0 [ 3] calc!mulrat
14 0 [ 4] calc!zernum
12 14 [ 3] calc!mulrat
22 0 [ 4] calc!mulnumx
19 0 [ 5] calc!_mulnumx
6 0 [ 6] calc!_createnum
25 0 [ 7] kernel32!LocalAlloc
12 25 [ 6] calc!_createnum
127 37 [ 5] calc!_mulnumx
3 0 [ 6] calc!_destroynum
17 0 [ 6] kernel32!LocalFree
133 57 [ 5] calc!_mulnumx
27 190 [ 4] calc!mulnumx
17 231 [ 3] calc!mulrat
24 0 [ 4] calc!mulnumx
19 255 [ 3] calc!mulrat
36 0 [ 4] calc!trimit
23 291 [ 3] calc!mulrat
46 1002 [ 2] calc!ratpowlong
36 0 [ 3] calc!trimit
48 1038 [ 2] calc!ratpowlong
36 0 [ 3] calc!trimit
57 1074 [ 2] calc!ratpowlong
22 0 [ 3] calc!mulnumx
19 0 [ 4] calc!_mulnumx
6 0 [ 5] calc!_createnum
25 0 [ 6] kernel32!LocalAlloc
12 25 [ 5] calc!_createnum
127 37 [ 4] calc!_mulnumx
3 0 [ 5] calc!_destroynum
17 0 [ 5] kernel32!LocalFree
133 57 [ 4] calc!_mulnumx
27 190 [ 3] calc!mulnumx
63 1291 [ 2] calc!ratpowlong
24 0 [ 3] calc!mulnumx
66 1315 [ 2] calc!ratpowlong
6 0 [ 3] calc!mulrat
14 0 [ 4] calc!zernum
12 14 [ 3] calc!mulrat
22 0 [ 4] calc!mulnumx
19 0 [ 5] calc!_mulnumx
6 0 [ 6] calc!_createnum
25 0 [ 7] kernel32!LocalAlloc
12 25 [ 6] calc!_createnum
127 37 [ 5] calc!_mulnumx
3 0 [ 6] calc!_destroynum
17 0 [ 6] kernel32!LocalFree
133 57 [ 5] calc!_mulnumx
27 190 [ 4] calc!mulnumx
17 231 [ 3] calc!mulrat
24 0 [ 4] calc!mulnumx
19 255 [ 3] calc!mulrat
36 0 [ 4] calc!trimit
23 291 [ 3] calc!mulrat
69 1629 [ 2] calc!ratpowlong
36 0 [ 3] calc!trimit
71 1665 [ 2] calc!ratpowlong
36 0 [ 3] calc!trimit
76 1701 [ 2] calc!ratpowlong
6 0 [ 3] calc!_destroyrat
3 0 [ 4] calc!_destroynum
17 0 [ 4] kernel32!LocalFree
9 20 [ 3] calc!_destroyrat
3 0 [ 4] calc!_destroynum
17 0 [ 4] kernel32!LocalFree
12 40 [ 3] calc!_destroyrat
17 0 [ 4] kernel32!LocalFree
14 57 [ 3] calc!_destroyrat
82 1772 [ 2] calc!ratpowlong
85 4523 [ 1] calc!lshrat
6 0 [ 2] calc!mulrat
14 0 [ 3] calc!zernum
12 14 [ 2] calc!mulrat
22 0 [ 3] calc!mulnumx
19 0 [ 4] calc!_mulnumx
6 0 [ 5] calc!_createnum
25 0 [ 6] kernel32!LocalAlloc
12 25 [ 5] calc!_createnum
127 37 [ 4] calc!_mulnumx
3 0 [ 5] calc!_destroynum
17 0 [ 5] kernel32!LocalFree
133 57 [ 4] calc!_mulnumx
27 190 [ 3] calc!mulnumx
17 231 [ 2] calc!mulrat
24 0 [ 3] calc!mulnumx
19 255 [ 2] calc!mulrat
36 0 [ 3] calc!trimit
23 291 [ 2] calc!mulrat
87 4837 [ 1] calc!lshrat
6 0 [ 2] calc!_destroyrat
3 0 [ 3] calc!_destroynum
17 0 [ 3] kernel32!LocalFree
9 20 [ 2] calc!_destroyrat
3 0 [ 3] calc!_destroynum
17 0 [ 3] kernel32!LocalFree
12 40 [ 2] calc!_destroyrat
17 0 [ 3] kernel32!LocalFree
14 57 [ 2] calc!_destroyrat
91 4908 [ 1] calc!lshrat
144 5320 [ 0] calc!DoOperation
6 0 [ 1] calc!_destroyrat
3 0 [ 2] calc!_destroynum
17 0 [ 2] kernel32!LocalFree
9 20 [ 1] calc!_destroyrat
3 0 [ 2] calc!_destroynum
17 0 [ 2] kernel32!LocalFree
12 40 [ 1] calc!_destroyrat
17 0 [ 2] kernel32!LocalFree
14 57 [ 1] calc!_destroyrat
153 5391 [ 0] calc!DoOperation
5544 instructions were executed in 5543 events (0 from other threads)
Function Name Invocations MinInst MaxInst AvgInst
calc!DoOperation 1 153 153 153
calc!_EH_prolog 1 10 10 10
calc!_addnum 3 148 205 172
calc!_createnum 26 12 12 12
calc!_createrat 8 12 12 12
calc!_destroynum 40 3 3 3
calc!_destroyrat 14 6 14 10
calc!_mulnumx 5 133 133 133
calc!addnum 3 21 23 21
calc!addrat 3 41 41 41
calc!divnumx 1 24 24 24
calc!equnum 5 52 52 52
calc!intrat 2 23 23 23
calc!longtonum 2 21 21 21
calc!longtorat 1 17 17 17
calc!lshrat 1 91 91 91
calc!mulnumx 12 24 51 27
calc!mulrat 4 23 23 23
calc!numtolong 1 28 28 28
calc!rat_gt 2 94 94 94
calc!rat_lt 1 92 92 92
calc!ratpowlong 1 82 82 82
calc!rattolong 1 116 116 116
calc!trimit 10 36 36 36
calc!zernum 10 14 14 14
kernel32!LocalAlloc 34 25 25 25
kernel32!LocalFree 34 17 17 17
0 system calls were executed
eax=00000000 ebx=00000000 ecx=7c800000 edx=7c97e120 esi=7c90de6e edi=00000000
eip=7c90e514 esp=0007fde8 ebp=0007fee4 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
ntdll!KiFastSystemCallRet:
7c90e514 c3 ret
0:000> q
quit:
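To turn a saved wt log into the indented call flow asked for in the question, the rows can be post-processed. The following is an added example, not part of the original answer: the names `call_tree`, `render` and `SAMPLE` are hypothetical, the sample rows are constructed in wt's format after the flowt trace above, and the parser assumes a row with a non-zero child-instruction count for a function already on the stack is that call resuming rather than a new call.

```python
import re
from collections import Counter

# Constructed sample in wt's row format, modelled on the flowt trace above.
# "F3 3" / "F5 5" are the target's own stdout, interleaved as on the page.
SAMPLE = """\
Tracing flowt!main to return address 00411bcf
   59     0 [  0] flowt!main
   62     0 [  1]   flowt!f1
   62    62 [  0] flowt!main
   61     0 [  1]   flowt!f2
   62     0 [  2]     flowt!f3
F3 3    72     0 [  3]       MSVCR100D!printf
   65    72 [  2]     flowt!f3
   63   137 [  1]   flowt!f2
   60     0 [  2]     flowt!f4
   62     0 [  3]       flowt!f5
F5 5    72     0 [  4]         MSVCR100D!printf
   65    72 [  3]       flowt!f5
   64   137 [  2]     flowt!f4
   66   338 [  1]   flowt!f2
  141   462 [  0] flowt!main
"""

# instructions, child instructions, [depth], module!function. Anchored at the
# end of the line so that stdout printed in front of a row is ignored.
ROW = re.compile(r"(\d+)\s+(\d+)\s+\[\s*(\d+)\]\s+(\S+!\S+)\s*$")

def call_tree(wt_text):
    """Return (calls, counts); calls holds one (depth, symbol) per invocation."""
    stack, calls = [], []
    for line in wt_text.splitlines():
        m = ROW.search(line)
        if not m:
            continue  # banner, summary table, register dump
        child, depth, sym = int(m.group(2)), int(m.group(3)), m.group(4)
        # wt prints a function again each time control returns to it
        resumed = child > 0 and depth < len(stack) and stack[depth] == sym
        # pad with "?" when a hand-edited trace skips a depth level
        stack = stack[:depth] + ["?"] * (depth - len(stack)) + [sym]
        if not resumed:
            calls.append((depth, sym))
    return calls, Counter(sym for _, sym in calls)

def render(calls):
    """One line per call, indented with '. ' per stack level."""
    return "\n".join(". " * d + sym.split("!", 1)[1] for d, sym in calls)

if __name__ == "__main__":
    calls, counts = call_tree(SAMPLE)
    print(render(calls))
    print(counts.most_common())
```

Rendering two logs captured around different actions and diffing the text shows which branch each run took.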
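Comments
This looks like exactly what I need, but since I have no experience with windbg, I need some more help on how to use it. I tried loading calc.exe and doing wt -m calc just to test it, but it only outputs a few instructions and then starts.
–m fran
Nov 7, 2014 at 7:10
See the additional details added to the answer.
– blabb
Nov 7, 2014 at 12:01
Comments
Looks cool, but it doesn't quite fit my needs.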