E.T*_*E.T 5 debugging macos assembly gdb
来自 Windows 环境,当我进行内核调试时,甚至在用户模式下,我可以以非常详细的方式查看反汇编代码,例如:
80526db2 6824020000 推224h 80526db7 6808a14d80 推送偏移 nt!ObWatchHandles+0x8dc (804da108) 80526dbc e81f030100 调用 nt!_SEH_prolog (805370e0) 80526dc1 a140a05480 mov eax,dword ptr [nt!__security_cookie (8054a040)]
第一个数字很明显是地址,但第二个数字代表操作码字节,这在 GDB 上是缺少的,或者至少,我不知道如何获得类似的结果。
我通常会做这样的事情:
(gdb): 显示 /i $pc
但我得到的只是这样的:
x/i $pc 0x21c4c: pop %eax
我可以看到代码字节是什么,这有时对我来说有点问题。有什么我可以用显示器做的事情吗?
编辑:有问题的 GDB 在 Mac OS X 10.8.3 上是 6.3.50。
我认为disassemble /r应该给你你正在寻找的东西:
(gdb) help disass
Disassemble a specified section of memory.
Default is the function surrounding the pc of the selected frame.
With a /m modifier, source lines are included (if available).
With a /r modifier, raw instructions in hex are included.
With a single argument, the function surrounding that address is dumped.
Two arguments (separated by a comma) are taken as a range of memory to dump,
in the form of "start,end", or "start,+length".
(gdb) disass /r main
Dump of assembler code for function main:
0x004004f8 <+0>: 55 push %ebp
0x004004f9 <+1>: 48 dec %eax
0x004004fa <+2>: 89 e5 mov %esp,%ebp
0x004004fc <+4>: 48 dec %eax
0x004004fd <+5>: 83 ec 10 sub $0x10,%esp
0x00400500 <+8>: 89 7d fc mov %edi,-0x4(%ebp)
0x00400503 <+11>: 48 dec %eax
0x00400504 <+12>: 89 75 f0 mov %esi,-0x10(%ebp)
0x00400507 <+15>: bf 0c 06 40 00 mov $0x40060c,%edi
0x0040050c <+20>: b8 00 00 00 00 mov $0x0,%eax
0x00400511 <+25>: e8 0a ff ff ff call 0x400420
0x00400516 <+30>: bf 00 00 00 00 mov $0x0,%edi
0x0040051b <+35>: e8 10 ff ff ff call 0x400430
End of assembler dump.
(gdb)
| 归档时间: |
|
| 查看次数: |
7196 次 |
| 最近记录: |