Examining the stack with GDB (x86)
So I am debugging an x86 program using GDB. I am in a certain function called func1.
I would like to examine the stack and see the arguments passed into it. So by doing the following:
(gdb) info frame 0
Stack frame at 0x7fffffffe1f0:
rip = 0x400e70 in func4; saved rip 0x40115a
called by frame at 0x7fffffffe210
Arglist at 0x7fffffffe1e0, args:
Locals at 0x7fffffffe1e0, Previous frame's sp is 0x7fffffffe1f0
Saved registers:
rip at 0x7fffffffe1e8
I know that the arguments are in 0x7fffffffe1e0. By doing:
(gdb) x/8x 0x7fffffffe1e0
0x7fffffffe1e0: 0x08 0xe3 0xff 0xff 0xff 0x7f 0x00 0x00
So why does this address contain all those hex numbers? What are they? Also, how would I know how many arguments there are? Doing info locals or info args says no symbol table loaded.
Also, I know that the first argument would be at 0x7fffffffe1e0 + 0x8 and the second at 0x7fffffffe1e0 + 0xc etc. But how would I know how many arguments there are?
By doing:
(gdb) x 0x7fffffffe1e0 + 0x8
0x7fffffffe1e8: 0x5a
(gdb) x/d 0x7fffffffe1e0 + 0x8
0x7fffffffe1e8: 90
(gdb) x/c 0x7fffffffe1e0 + 0x8
0x7fffffffe1e8: 90 'Z'
I know that the first argument is either a Z or a 90. Is there any way to figure out which one it is?
And by doing
(gdb) x 0x7fffffffe1e8 + 0xc
0x7fffffffe1f4: -1 '\377'
(gdb) x/s 0x7fffffffe1e8 + 0xc
0x7fffffffe1f4: "\377\177"
(gdb) x/d 0x7fffffffe1e8 + 0xc
0x7fffffffe1f4: -1
I know that the second argument could be -1.
Doing
(gdb) x 0x7fffffffe1e8 + 0x10
0x7fffffffe1f8: 10
I know that the third argument "could" be 10.
So how would I know how many arguments there are? And if I found a number or a character, is there a way to determine which one it is?
Thank you!
You apparently are on an x86_64 platform.
You should learn the calling convention used. In particular, note that function arguments are not passed on the stack (except if you have more than 6 of them), so your question starts with a bad assumption.
You can't examine the stack to see the arguments, as they aren't there to begin with.
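As an added example (not code from the original question or from the answer above), the C program below shows where the x86_64 System V ABI actually puts the arguments the question was hunting for on the stack, and why the bytes read at the "Arglist" address look the way they do. The two callees are written in assembly so the compiler cannot move anything before the values are read. It assumes x86_64 Linux with GCC or Clang; the function names, the 0x7f-prefix heuristic and the test values are this example's own inventions. The eight-byte dump is the one from the question, decoded as a little-endian word: 0x00007fffffffe308, a stack address rather than an integer argument. The 0x5a the question read at 0x7fffffffe1e8 is the low byte of the saved return address 0x40115a that info frame reports at that very address, and the bytes 0xff 0x7f 0x00 seen from 0x7fffffffe1f4 onward are consistent with reading four bytes into a 0x00007fff... pointer stored at 0x7fffffffe1f0.

```c
/* Added example; not code from the original question or from the answer.
 * It shows the x86_64 System V calling convention the answer refers to:
 * integer and pointer arguments 1-6 travel in rdi, rsi, rdx, rcx, r8, r9,
 * and argument 7 onward is written to the stack by the caller, so at the
 * callee's first instruction they sit at 8(%rsp), 16(%rsp), ... with the
 * return address at 0(%rsp). The callees are written in assembly so the
 * compiler cannot shuffle anything before the values are read.
 * Assumptions: x86_64 Linux, GCC or Clang; all function names are invented. */
#include <stdint.h>
#include <stdio.h>

long sum_register_args(long a1, long a2, long a3, long a4,
                       long a5, long a6, long a7, long a8);
long sum_stack_args(long a1, long a2, long a3, long a4,
                    long a5, long a6, long a7, long a8);

__asm__(
    ".text\n"
    ".globl sum_register_args\n"
    "sum_register_args:\n"
    "    movq %rdi, %rax\n"      /* argument 1 */
    "    addq %rsi, %rax\n"      /* argument 2 */
    "    addq %rdx, %rax\n"      /* argument 3 */
    "    addq %rcx, %rax\n"      /* argument 4 */
    "    addq %r8, %rax\n"       /* argument 5 */
    "    addq %r9, %rax\n"       /* argument 6 */
    "    ret\n"
    ".globl sum_stack_args\n"
    "sum_stack_args:\n"
    "    movq 8(%rsp), %rax\n"   /* argument 7: right above the return address */
    "    addq 16(%rsp), %rax\n"  /* argument 8 */
    "    ret\n");

/* The eight bytes the question dumped with x/8x at the "Arglist" address
 * (copied from the post). The dump shows one byte per cell (x's unit size
 * was b), and an x86_64 pointer is eight little-endian bytes, so this is
 * one 64-bit word, not eight separate values. */
static const uint8_t arglist_dump[8] = {0x08, 0xe3, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x00};

uint64_t decode_le64(const uint8_t b[8])
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | b[i];
    return v;
}

/* Heuristic (this example's own): under Linux the stack and shared
 * libraries of a 64-bit process live near the top of the 47-bit user
 * range, 0x7fxxxxxxxxxx, so a word that decodes to such a value is almost
 * certainly a pointer, not an integer argument. */
int looks_like_user_pointer(uint64_t v)
{
    return (v >> 40) == 0x7f;
}

/* Memory has no type: GDB's format letter decides how a byte is shown.
 * 0x5a is 90 under x/d and 'Z' under x/c; 0xff is -1 under x/d and x/c
 * (GDB treats x/c as signed char), but 255 as an unsigned byte. */
struct byte_views { int as_signed; unsigned as_unsigned; char as_char; };

struct byte_views view_byte(uint8_t b)
{
    struct byte_views v = { (int8_t)b, b, (char)b };
    return v;
}

int main(void)
{
    printf("register args 1..6 sum: %ld\n", sum_register_args(1, 2, 3, 4, 5, 6, 700, 800));
    printf("stack args 7..8 sum:    %ld\n", sum_stack_args(1, 2, 3, 4, 5, 6, 700, 800));

    uint64_t w = decode_le64(arglist_dump);
    printf("arglist word: 0x%016llx, user pointer: %s\n",
           (unsigned long long)w, looks_like_user_pointer(w) ? "yes" : "no");

    /* 0x7fffffffe1e8 holds the saved rip 0x40115a per info frame; its low
     * byte 0x5a is the "first argument" the question read there. */
    struct byte_views z = view_byte(0x40115a & 0xff);
    printf("byte 0x5a: %d as signed, %u unsigned, '%c' as char\n",
           z.as_signed, z.as_unsigned, z.as_char);
    return 0;
}
```

To watch the same thing live, build with gcc -g -O0 and in GDB use break *sum_stack_args (the star stops at the first instruction, before any prologue), run, then p $rdi, p $rsi and so on for the register arguments, x/gx $rsp for the return address and x/2gx $rsp+8 for the two stack arguments. Without debug info GDB cannot tell you how many arguments a function takes; the count has to come from the disassembly of the caller (which registers it loads before the call, and what it stores at the stack slots above the return address).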