I am trying to debug some Win32 APIs like CreateThread which return a handle. How do I get the return values in WinDbg?
I did some research and found that return values are generally stored in the EAX register.
If I put a breakpoint on CreateThread then I can step into the assembly of CreateThread and ultimately I will hit the ret instruction, which means CreateThread is returning.
At this point should I check the value of the EAX register to get the HANDLE value, or is there some other way?
1 solution
#1
There isn't another way that isn't basically the same as testing eax.
If you want to get pedantic:
eax works fine for 32 bit.
rax is what you'll want for 64 bit apps.
ret0 is what Itanium uses.
$retreg is a pseudo register you can use that will behave properly in all cases.
e.g.
0:028> r rax
rax=00000000fff02000
0:028> r eax
eax=fff02000
0:028> r $retreg
$retreg=00000000fff02000
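An added WinDbg command sequence (not part of the original answer) that puts the above into practice: break at kernel32!CreateThread, run until the function returns to its caller with gu, and read the result through $retreg instead of hunting for the ret instruction by hand. It assumes a live user-mode session with kernel32 symbols resolved.

```windbg
* Added example, not from the original answer. Assumes a live user-mode
* session where kernel32!CreateThread resolves.
*
* Manual version: break at the entry, step out, then read the return register.
bp kernel32!CreateThread
g
* ...breakpoint hit at kernel32!CreateThread; $retreg is NOT meaningful yet,
* the function has not run. "gu" (go up) executes until it returns to its caller.
gu
* Now the return value is in the ABI return register: eax on x86, rax on x64.
* $retreg picks the right one, so the same command works in both bitnesses.
r @$retreg
* Confirm the value really is a thread HANDLE in this process (flags f = all info).
!handle @$retreg f

* Automated version: on every call, step out, print the HANDLE, and keep going.
bp kernel32!CreateThread "gu; .echo CreateThread returned:; r @$retreg; g"
g
```

The manual and automated forms are alternatives; clear the first breakpoint (bc 0) before setting the second so CreateThread is not hit twice per call.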