Visual Studio2010+SOS.dll调试入门
Visual Studio 作为一种强大的开发平台,已经提供了非常多的调试手段。但这些调试手段相对来说还是停留在表面上,无非是设置断点、变量查看以及调用堆栈列表等。某些时候我们希望了解更多的东西,尤其是那些被隐藏到背后和运行期的东西,诸如对象运行状态、内存分布等等,这些相对底层的知识可以让我们更好地理解 .NET CLR / JIT 的一些行为。当然,并不是所有人都需要了解这些知识,毕竟汇编和高级调试器使用起来还是非常麻烦的。
SOS.dll 是 Microsoft 提供的一种调试扩展,全称是 Son of Strike,可用来调试托管代码。SOS.dll 拥有非常强大的功能,包括 Cracker 常用的内存脱壳等。本文的目的并不是研究如何破解,而是如何使用 SOS.dll 来协助我们学习 .NET CLR / JIT 的一些知识。我们也不打算使用专业级别的 WinDbg,而是直接将 SOS.dll 载入到 VS 中使用。
打开项目属性对话框,在 "调试" 页选中 "启用非托管代码调试"。
写一段如下的代码:
class Base {
public virtual void Test() { } } class Derived : Base {
public override void Test() { } } public class Program {
static void Main(string[] args)
{
Derived o = new Derived();
o.Test();
(o as Base).Test();
Console.WriteLine("Press any key to exit...");
Console.ReadKey(true);
Environment.Exit(0);
} }
在即时窗口中输入.load sos.dll,会显式如下:
.load sos.dll
已加载扩展 C:\Windows\Microsoft.NET\Framework\v4.0.30319\sos.dll
输入 "!help" 可以查看全部的调试指令。
接下来,我们看看对象 o 是如何实现虚方法调用的。(上面代码中 Main 方法中的变量 o)
(1) 查看当前堆栈信息。
!clrstack -aPDB symbol for mscorwks.dll not loadedOS Thread Id: 0xfc8 (4040)ESP
EIP
0012f434 00f500bc ConsoleApplication1.Program.Main(System.String[]) PARAMETERS:
args = 0x013f1c20 LOCALS:
<CLR reg> = 0x013f1c740012f69c 79e79dd3 [GCFrame: 0012f69c]
LOCALS 中的对象就是我们的目标。(如何你看过我写的 MSIL 系列文章,想必对此理解会更深。)
(2) 查看对象信息。!dumpobj 0x013f1c74Name: ConsoleApplication1.DerivedMethodTable: 00a73120EEClass: 00a714d4Size: 12(0xc) bytes (ConsoleApplication1.exe)Fields:None
找到 MethodTable 的内存地址了,接下来看看这个表里面有什么东西。
(3) 查看方法表信息。!dumpmt -md 00a73120EEClass: 00a714d4Module: 00a72c3cName: ConsoleApplication1.DerivedmdToken: 02000004 (ConsoleApplication1.exe)BaseSize: 0xcComponentSize: 0x0Number of IFaces in IFaceMap: 0Slots in VTable: 6--------------------------------------MethodDesc Table Entry MethodDesc
JIT Name79369154 791474f8 PreJIT System.Object.ToString()79367ec0 79147500 PreJIT System.Object.Equals(System.Object)79367eb0 79147518 PreJIT System.Object.GetHashCode()7935e4c0 79147520 PreJIT System.Object.Finalize()00a7c0b0 00a73110
JIT ConsoleApplication1.Derived.Test()00a7c0c0 00a73118
JIT ConsoleApplication1.Derived..ctor()
JIT 会将基类的虚方法插入到当前类型的方法表中。
要是我们将 Derived Test() 删除,方法表会是下面这个样子。EEClass: 00a714d0Module: 00a72c3cName: ConsoleApplication1.DerivedmdToken: 02000004 (ConsoleApplication1.exe)BaseSize: 0xcComponentSize: 0x0Number of IFaces in IFaceMap: 0Slots in VTable: 6--------------------------------------MethodDesc Table Entry MethodDesc
JIT Name79369154 791474f8 PreJIT System.Object.ToString()79367ec0 79147500 PreJIT System.Object.Equals(System.Object)79367eb0 79147518 PreJIT System.Object.GetHashCode()7935e4c0 79147520 PreJIT System.Object.Finalize()00a7c070 00a730a8
JIT ConsoleApplication1.Base.Test()00a7c0a0 00a73110
JIT ConsoleApplication1.Derived..ctor()
而改成 "public new void Test()" 则又有所不同。EEClass: 00a714d4Module: 00a72c3cName: ConsoleApplication1.DerivedmdToken: 02000004 (ConsoleApplication1.exe)BaseSize: 0xcComponentSize: 0x0Number of IFaces in IFaceMap: 0Slots in VTable: 7--------------------------------------MethodDesc Table Entry MethodDesc
JIT Name79369154 791474f8 PreJIT System.Object.ToString()79367ec0 79147500 PreJIT System.Object.Equals(System.Object)79367eb0 79147518 PreJIT System.Object.GetHashCode()7935e4c0 79147520 PreJIT System.Object.Finalize()00a7c070 00a730a8
JIT ConsoleApplication1.Base.Test()00a7c0b0 00a73110
JIT ConsoleApplication1.Derived.Test()00a7c0c0 00a73118
JIT ConsoleApplication1.Derived..ctor()
对比这些差异能帮助我们更好地理解多态。好了,回到主题,我们看看 Main() 中的调用代码。
(4) 查看 IL 代码。!name2ee ConsoleApplication1.exe ConsoleApplication1.Program.MainModule: 00a72c3c (ConsoleApplication1.exe)Token: 0x06000009MethodDesc: 00a73040Name: ConsoleApplication1.Program.Main(System.String[])JITTED Code Address: 00f50070
这次我们使用 "!name2ee" 来查找某个类型或方法的地址。然后使用 "!dumpil" 来看看编译器生成的 IL 代码。!dumpil 00a73040ilAddr = 004020c0IL_0000: nop IL_0001: newobj ConsoleApplication1.Derived::.ctorIL_0006: stloc.0 IL_0007: ldloc.0 IL_0008: callvirt ConsoleApplication1.Base::TestIL_000d: nop IL_000e: ldloc.0 IL_000f: callvirt ConsoleApplication1.Base::TestIL_0014: nop IL_0015: ldstr "Press any key to exit..."IL_001a: call System.Console::WriteLine IL_001f: nop IL_0020: ldc.i4.1 IL_0021: call System.Console::ReadKey IL_0026: pop IL_0027: ldc.i4.0 IL_0028: call System.Environment::Exit IL_002d: nop IL_002e: ret
callvirt 在 MSIL 系列文章中已经说过很多次,这就不重复啰嗦了。
除了上面这些,我们还可以做更多的事情。
(5) 查看对象信息。!clrstack -aOS Thread Id: 0xfc8 (4040)ESP
EIP
0012f434 00f500bc ConsoleApplication1.Program.Main(System.String[]) PARAMETERS:
args = 0x013f1c20 LOCALS:
<CLR reg> = 0x013f1c740012f69c 79e79dd3 [GCFrame: 0012f69c] !dumpobj 0x013f1c74Name: ConsoleApplication1.DerivedMethodTable: 00a73120EEClass: 00a714d4Size: 12(0xc) bytes (ConsoleApplication1.exe)Fields:None
(6) 查看托管堆状态。!eeheapLoader Heap:--------------------------------------System Domain: 7a3c4690LowFrequencyHeap: Size: 0x0(0)bytes.HighFrequencyHeap: 00a62000(8000:1000) Size: 0x1000(4096)bytes.StubHeap: 00a6a000(2000:1000) Size: 0x1000(4096)bytes.Virtual Call Stub Heap: IndcellHeap: Size: 0x0(0)bytes. LookupHeap: Size: 0x0(0)bytes. ResolveHeap: Size: 0x0(0)bytes. DispatchHeap: Size: 0x0(0)bytes. CacheEntryHeap: Size: 0x0(0)bytes.Total size: 0x2000(8192)bytes--------------------------------------Shared Domain: 7a3c4330LowFrequencyHeap: 00a90000(2000:1000) Size: 0x1000(4096)bytes.HighFrequencyHeap: Size: 0x0(0)bytes.StubHeap: Size: 0x0(0)bytes.Virtual Call Stub Heap: IndcellHeap: Size: 0x0(0)bytes. LookupHeap: Size: 0x0(0)bytes. ResolveHeap: Size: 0x0(0)bytes. DispatchHeap: Size: 0x0(0)bytes. CacheEntryHeap: Size: 0x0(0)bytes.Total size: 0x1000(4096)bytes--------------------------------------Domain 1: 14c2d8LowFrequencyHeap: 00a70000(2000:2000) Size: 0x2000(8192)bytes.HighFrequencyHeap: 00a72000(8000:2000) Size: 0x2000(8192)bytes.StubHeap: Size: 0x0(0)bytes.Virtual Call Stub Heap: IndcellHeap: Size: 0x0(0)bytes. LookupHeap: Size: 0x0(0)bytes. ResolveHeap: Size: 0x0(0)bytes. DispatchHeap: Size: 0x0(0)bytes. CacheEntryHeap: Size: 0x0(0)bytes.Total size: 0x4000(16384)bytes--------------------------------------Jit code heap:LoaderCodeHeap: 00f50000(10000:1000) Size: 0x1000(4096)bytes.Total size: 0x1000(4096)bytes--------------------------------------Module Thunk heaps:Module 790c2000: Size: 0x0(0)bytes.Module 00a72c3c: Size: 0x0(0)bytes.Total size: 0x0(0)bytes--------------------------------------Module Lookup Table heaps:Module 790c2000: Size: 0x0(0)bytes.Module 00a72c3c: Size: 0x0(0)bytes.Total size: 0x0(0)bytes--------------------------------------Total LoaderHeap size: 0x8000(32768)bytes=======================================Number of GC Heaps: 1generation 0 starts at 0x013f1018generation 1 starts at 0x013f100cgeneration 2 starts at 0x013f1000ephemeral segment allocation context: none segment begin allocated
size001967a0 790d7f90 790f76fc 0x0001f76c(128876)013f0000 013f1000 013f1ff4 0x00000ff4(4084)Large object heap starts at 0x023f1000 segment begin allocated
size023f0000 023f1000 023f3250 0x00002250(8784)Total Size 0x229b0(141744)------------------------------GC Heap Size 0x229b0(141744)
(7) 查看应用程序域状态。
domain 地址可以使用 !eeheap 指令获取。!dumpdomain 14c2d8--------------------------------------Domain 1: 0014c2d8LowFrequencyHeap: 0014c2fcHighFrequencyHeap: 0014c354StubHeap: 0014c3acStage: OPENSecurityDescriptor: 0014d608Name: Learn.CUI.exeAssembly: 00192db0 [C:\WINDOWS\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll]ClassLoader: 00192e48SecurityDescriptor: 00193fc0 Module Name790c2000 C:\WINDOWS\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dllAssembly: 0019e4c8 [ConsoleApplication1.exe]ClassLoader: 0019e560SecurityDescriptor: 0019e3f8 Module Name00a72c3c ConsoleApplication1.exe
(8) 查看线程池状态。!ThreadPoolCPU utilization 0%Worker Thread: Total: 0 Running: 0 Idle: 0 MaxLimit: 0 MinLimit: 0Work Request in Queue: 0--------------------------------------Number of Timers: 0--------------------------------------Completion Port Thread:Total: 0 Free: 0 MaxFree: 0 CurrentLimit: 0 MaxLimit: 1000 MinLimit: 0
SOS.dll 提供了大量的命令,大家可以通过 !help 指令查看其使用方法,本文不再一一详述。!help dumpclass------------------------------------------------------------------------------- !dso