Problem description
I am analysing AcroRd32.exe with WinDbg. AcroRd32.exe has 2 processes, one (father-p) starts another (child-p). I use .childdbg 1 and |1s etc. commands to debug these two processes.

I switch to child-p, then switch back to father-p, monitoring kernel32.dll's CreateFileW and ReadFile APIs with conditional breakpoints. While opening a.pdf, only CreateFileW is invoked with parameter "C:\a.pdf". I remember the return value of CreateFileW, the file handle, and use a conditional breakpoint to monitor ReadFile's parameter; however, there is no call to ReadFile with the return value of CreateFileW. Then, with many g commands, a confusing thing happens: a.pdf opened!

I am confused. Without a call to ReadFile, the PDF opened. How did Acrobat Reader do it? I have two assumptions: the first one, it uses something like the CreateFileMapping APIs; the other one (mostly), the child-p does it.

Let's discuss the second assumption. When I was debugging father-p, the child-p wasn't suspended. How did it open (read) the file?
Using Rohitab API Monitor I see that the second instance calls CreateFileW() as well as ReadFile() with the handle of the file.

Since that's the case, it must also be possible to figure out the same with breakpoints in WinDbg. Without exact steps to reproduce the problem, we'll not be able to answer what's wrong, e.g. in your condition of the breakpoint.

When I look at my walkthrough, I think the following could go wrong:
- you're using the file handle of the parent process in the condition for the child process, although the child process gets a new handle
- you're setting the breakpoint on the wrong process. Breakpoints are process specific.
- something else is wrong in the condition of the breakpoint. Check the .if or j command.

Here's my walkthrough, which shows that the breakpoints are hit. I'm not using conditional breakpoints here.
0:000> bp kernel32!CreateFileW
0:000> .childdbg 1
Processes created by the current process will be debugged
0:000> g
[...]
Breakpoint 0 hit
[...]
0:000> kb L1
# ChildEBP RetAddr Args to Child
00 0045f0d8 011d95b1 0023ca98 00000000 00000007 kernel32!CreateFileW
0:000> du 0023ca98
0023ca98 "d:\temp\a.pdf"
0:000> gu
0:000> r eax
eax=000000f0
0:000> *** Note that this is the wrong process, it's the father
0:000> *** We should not set a breakpoint with a condition of 0xF0 as the handle
0:000> *** Let's wait for the child process
0:000> bd 0
0:000> sxe cpr
0:000> g
[...]
ModLoad: 011c0000 013e5000 AcroRd32.exe
[...]
1:009> bl
1:009> |0s
[...]
0:000> bl
0 d Enable Clear 771a167f 0001 (0001) 0:**** kernel32!CreateFileW
0:000> |1s
[...]
1:009> bl
1:009> *** Did you note? Breakpoints are process specific
1:009> bp kernel32!CreateFileW
Bp expression 'kernel32!CreateFileW' could not be resolved, adding deferred bp
1:009> g
[...]
ntdll!LdrpDoDebuggerBreak+0x2c:
77850ed4 cc int 3
1:009> bl
1 e Disable Clear 771a167f 0001 (0001) 1:**** kernel32!CreateFileW
[...]
Breakpoint 1 hit
[...]
1:009> kb L1
# ChildEBP RetAddr Args to Child
00 002cedcc 771a775d 002cedec 002cede8 772e124c kernel32!CreateFileW
1:009> du 002cedec
002cedec "C:\Windows\Globalization\Sorting"
002cee2c "\sortdefault.nls"
1:009> *** wrong file
1:009> g
[...]
Breakpoint 0 hit
[...]
1:009> kb L1
# ChildEBP RetAddr Args to Child
00 0043da18 5f9b5cf0 06a12e68 80000000 00000001 kernel32!CreateFileW
1:009> du 06a12e68
06a12e68 "d:\temp\a.pdf"
1:009> gu
[...]
1:009> r eax
eax=000001cc
1:009> bp kernel32!readfile
1:009> bl
0 e Disable Clear 771a167f 0001 (0001) 1:**** kernel32!CreateFileW
1 e Disable Clear 771a3ef1 0001 (0001) 1:**** kernel32!ReadFile
1:009> bd 0
1:009> g
Breakpoint 1 hit
[...]
1:009> kb L1
# ChildEBP RetAddr Args to Child
00 0043da44 5f9b74be 000001cc 0043db64 00000008 kernel32!ReadFile
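Added example, not part of the answer above: the same walkthrough driven with breakpoint commands, so that the handle is captured from the child's own CreateFileW call and the ReadFile breakpoint only stops for that handle. It assumes the 32-bit session shown in the answer (stdcall arguments start at esp+4 on function entry), that the child is debugger process 1, and that the pseudo-register $t0 is not otherwise in use.

```windbg
* Added example for the 32-bit AcroRd32 session above (assumptions:
* child is debugger process 1, first argument at esp+4 on entry,
* pseudo-register $t0 unused).

* Breakpoints are per process: switch to the child before setting them.
|1s

* Print lpFileName on every CreateFileW entry, then stop; this replaces
* the manual "kb L1" followed by "du <address>" from the walkthrough.
bp kernel32!CreateFileW "du poi(esp+4)"
g

* Repeat g until the printed name is d:\temp\a.pdf, then step out and
* record the returned handle in a pseudo-register. Reusing the parent's
* handle value (0xf0) here is the mistake the answer warns about.
gu
r $t0 = eax

* Conditional ReadFile breakpoint: j evaluates the expression and runs
* the first command list if it is true, the second one otherwise.
* hFile is ReadFile's first argument; gc resumes from a conditional
* breakpoint, so unrelated ReadFile calls never stop the debugger.
bp kernel32!ReadFile "j (poi(esp+4) == @$t0) 'kb L1'; 'gc'"
g
```

When the ReadFile breakpoint finally stops, the first argument shown by kb L1 should equal the value in $t0 (000001cc in the walkthrough), confirming that the child, not the parent, reads the PDF.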