r: view registers
WinDbg commands to break when a given DLL is loaded:
sxe ld:[dll name]
sxe ld:Winspool.drv
bp WINSPOOL!AddPrinterW
bp WINSPOOL!AddPrinterA
When compiling in VS, remove the /pdbtype:sept linker option, otherwise dv will not show structure (type) information
//Set the symbol path to a local folder plus the Microsoft symbol server:
.sympath SRV*H:/Symbols*http://msdl.microsoft.com/download/symbols
//Download the symbol file for ntoskrnl.exe:
.reload /f nt
kp: view the call stack with parameters
dd r8
000000c9`fcfbd9a0 00000000 00000000 fcfbdf90 000000c9 ................
000000c9`fcfbd9b0 8d71c6e0 00007ffd 56264ed0 00000264 ..q......N&Vd...
000000c9`fcfbd9c0 56264d00 00000264 00000000 00000000 .M&Vd...........
000000c9`fcfbd9d0 00000000 00000000 00000000 00000000 ................
000000c9`fcfbd9e0 00000000 00000000 00000000 00000000 ................
000000c9`fcfbd9f0 8d71dd48 00007ffd 00000000 00000000 H.q.............
000000c9`fcfbda00 00000000 00000000 00000200 00000000 ................
000000c9`fcfbda10 00000000 00000000 00000000 00000000 ................
Adjacent dwords read as little-endian 64-bit values (as dq would show them):
fcfbdf90 000000c9->000000c9`fcfbdf90
8d71c6e0 00007ffd->00007ffd`8d71c6e0
56264ed0 00000264->00000264`56264ed0
56264d00 00000264->00000264`56264d00
8d71dd48 00007ffd->00007ffd`8d71dd48
x64 calling convention: the first four arguments are passed in registers, left to right, in rcx, rdx, r8, r9; the remaining arguments are pushed on the stack from right to left
rsp/esp: stack pointer (stack address)
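The dd-to-pointer conversion above and the argument-location rule are easy to get wrong by hand; this added Python helper (not part of the original notes) parses the dd dump shown above as a constructed sample, rebuilds the 64-bit values the way dq would display them, and maps an argument index to its register or stack slot. It goes slightly beyond the notes by giving the concrete stack offsets (return address plus 32-byte home space, so the 5th argument is at [rsp+0x28] at function entry), which is the standard Microsoft x64 layout.

```python
import re
from typing import List, Tuple

# Constructed sample: the `dd r8` output from the notes above (8 dwords per line).
DD_OUTPUT = """\
000000c9`fcfbd9a0 00000000 00000000 fcfbdf90 000000c9 ................
000000c9`fcfbd9b0 8d71c6e0 00007ffd 56264ed0 00000264 ..q......N&Vd...
000000c9`fcfbd9c0 56264d00 00000264 00000000 00000000 .M&Vd...........
000000c9`fcfbd9d0 00000000 00000000 00000000 00000000 ................
"""

# address column (hi`lo), then one to four 8-digit hex dwords; the ASCII column is ignored
LINE_RE = re.compile(r"^([0-9a-f]{8})`([0-9a-f]{8})((?:\s+[0-9a-f]{8}){1,4})", re.I)

def parse_dd(text: str) -> List[Tuple[int, int]]:
    """Return (address, dword) pairs from dd output; the address advances 4 bytes per value."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        base = int(m.group(1) + m.group(2), 16)
        for i, tok in enumerate(m.group(3).split()):
            out.append((base + 4 * i, int(tok, 16)))
    return out

def dwords_to_qwords(dwords: List[Tuple[int, int]]) -> List[Tuple[int, int]]:
    """Combine each adjacent dword pair little-endian (second dword is the high half), as dq shows it."""
    qwords = []
    for i in range(0, len(dwords) - 1, 2):
        addr, lo = dwords[i]
        _, hi = dwords[i + 1]
        qwords.append((addr, (hi << 32) | lo))
    return qwords

def fmt_windbg(value: int) -> str:
    """Format a 64-bit value in WinDbg's hi`lo notation."""
    return f"{value >> 32:08x}`{value & 0xffffffff:08x}"

def nonzero_pointers(text: str) -> List[str]:
    """Candidate pointers in a dd dump: every non-zero qword, in WinDbg notation."""
    return [fmt_windbg(v) for _, v in dwords_to_qwords(parse_dd(text)) if v]

def x64_arg_location(n: int) -> str:
    """Where the n-th (0-based) integer/pointer argument sits at function entry (Microsoft x64)."""
    regs = ["rcx", "rdx", "r8", "r9"]
    if n < 4:
        return regs[n]
    # [rsp] = return address, then 0x20 bytes of home space, then the 5th argument onwards in order
    return f"[rsp+{0x28 + 8 * (n - 4):#x}]"
```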