How do I set a breakpoint on a registry key being read?

Time: 2022-12-04 08:15:26

I have an executable that uses a mix of managed and unmanaged code. I don't have the source code to it, but I can decompile it.

What I do know is at some point it reads a registry key, and then afterwards loads a managed DLL based on the assembly name in the registry. So I'd like to set a breakpoint on that registry key being read, regardless of whether it's read in managed code or unmanaged code, and then look at the (hopefully managed) stack trace. My plan then would be to use ILSpy to step through the decompiled code starting there, and watch the DLL in question get used.

Is this possible through the Visual Studio debugger, WinDbg or another debugger? I'm not that comfortable with WinDbg, but if I gotta use it, I will.

2 answers

#1


1  

I'm halfway there. It's possible to debug the Win32 API functions via a special syntax.

{,,FOO.DLL}_FunctionName@N

Unless it's a 64-bit DLL, in which case there is no decoration:

{,,FOO.DLL}FunctionName

My process is 32 bits. I've been unable to get a list of function decorations using any of the following:

I believe this is due to SxS loading the wrong version of the DLL.

However, this post on Zach Burlingame's blog enumerates the registry keys.

The breakpoint I need to set is {,,Advapi32.dll}_RegOpenKeyExW@20.

Now I need to make the breakpoint conditional on the registry path.

#2


1  

WinDbg:

Check symbols:

x advapi32!RegOpenKeyExW

If there is no problem with symbols, set the breakpoint:

bp advapi32!RegOpenKeyExW

If WinDbg does not see symbols, try:

.symfix
.reload /f advapi32.dll
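Putting the two answers together, here is an added WinDbg example (not from either poster) that makes the `advapi32!RegOpenKeyExW` breakpoint conditional on the registry path, as answer #1 was trying to do. It assumes the 32-bit (stdcall) process from the question, so the arguments are read off the stack, and `MyApp` is a placeholder for the fragment of the sub-key path you expect.

```windbg
* Added example, not part of the original answers.
* Assumes a 32-bit target: at the RegOpenKeyExW entry point on x86,
*   [esp+4] = hKey, [esp+8] = lpSubKey (LPCWSTR), [esp+0xc] = ulOptions,
*   [esp+0x10] = samDesired, [esp+0x14] = phkResult  (5 args * 4 bytes = the @20 decoration).
* "MyApp" is an assumed placeholder for the key path you are interested in.

* Make sure advapi32 symbols resolve before setting the breakpoint (answer #2).
.symfix
.reload /f advapi32.dll
x advapi32!RegOpenKeyExW

* Break only when lpSubKey is non-NULL and matches the wildcard pattern.
* The alias holds the Unicode string; .block forces the alias to be expanded
* after "as" has run, which is why the .if lives inside it.
bp advapi32!RegOpenKeyExW ".if (poi(@esp+8) == 0) { gc } .else { as /mu ${/v:SubKey} poi(@esp+8); .block { .if ($spat(\"${SubKey}\", \"*MyApp*\")) { .echo RegOpenKeyExW hit, lpSubKey:; du poi(@esp+8); kb } .else { ad ${/v:SubKey}; gc } } }"

* Resume; the debugger stops only on a matching key, everything else continues silently.
g
```

`kb` shows native frames only; once the CLR is loaded in the target, `.loadby sos clr` followed by `!clrstack` gives the managed frames the question is after.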
