Windows: How does Microsoft Detours work and how do I use it to get a stack trace?

Declaration: this page is a Chinese-English side-by-side translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you use it you must follow the CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me): StackOverflow. Original URL: http://stackoverflow.com/questions/4507581/

Date: 2020-09-15 15:50:29  Source: igfitidea

How does Microsoft Detours work and how do I use it to get a stack trace?

Tags: windows, detours

Asked by Bruce

I am new to Microsoft Detours. I have installed it to trace the system calls a process makes. I run the following commands which I got from the web

syelogd.exe /q C:\Users\xxx\Desktop\log.txt 
withdll.exe /d:traceapi.dll C:\Program Files\Google\Google Talk\googletalk.exe

I get the log file. The problem is I don't fully understand what is happening here. How does detours work? How does it trace the system calls? Also I don't know how to read the output in log.txt. Here is one line in log.txt

20101221060413329 2912 50.60: traceapi: 001 GetCurrentThreadId()

Finally I want to get the stack trace of the process. How can I get that?
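The question also asks how to read a line such as the one quoted from log.txt. The following added example is mine, not code from the question or from the Detours samples; it parses lines of that shape into fields and renders the nesting as an indented call tree. The field layout (timestamp, process id, elapsed time, facility, nesting depth, call) is my interpretation of the single line shown; the extra lines in the sample are constructed, not real syelogd output.

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Constructed sample (not real syelogd output): the first line is the one quoted
# in the question; the others are made up in the same shape to show a nested
# call (depth 002), a second API and a line that does not parse.
SAMPLE_LOG = """\
20101221060413329 2912 50.60: traceapi: 001 GetCurrentThreadId()
20101221060413331 2912 50.60: traceapi: 001 CreateFileW(C:\\tmp\\a.txt,80000000,1,0,3,80,0)
20101221060413332 2912 50.60: traceapi: 002 GetLastError()
20101221060413340 2912 50.61: traceapi: 001 WriteFile(1c0,...)
this line is deliberately malformed
"""

# Field layout as interpreted here (assumption drawn from the quoted line):
#   <timestamp YYYYMMDDhhmmssmmm> <pid> <elapsed s.cc>: <facility>: <depth> <call>
LINE_RE = re.compile(
    r"^(?P<ts>\d{17})\s+(?P<pid>\d+)\s+(?P<elapsed>\d+\.\d+):\s+"
    r"(?P<facility>\w+):\s+(?P<depth>\d{3})\s+(?P<call>.*)$"
)


@dataclass
class TraceRecord:
    timestamp: datetime
    pid: int
    elapsed: float      # interpreted as seconds since the first logged message
    facility: str
    depth: int          # interpreted as the per-thread call nesting level
    call: str

    @property
    def api(self) -> str:
        # The API name is everything before the first '('
        return self.call.split("(", 1)[0]


def parse_line(line: str) -> Optional[TraceRecord]:
    """Parse one log line; return None for lines that do not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return TraceRecord(
        timestamp=datetime.strptime(m["ts"], "%Y%m%d%H%M%S%f"),  # %f accepts 3 digits
        pid=int(m["pid"]),
        elapsed=float(m["elapsed"]),
        facility=m["facility"],
        depth=int(m["depth"]),
        call=m["call"],
    )


def parse_log(text: str) -> List[TraceRecord]:
    """Parse a whole log, silently skipping unparseable lines."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r is not None]


def render_call_tree(records: List[TraceRecord]) -> str:
    """Indent each call by its nesting depth so nested API calls are visible."""
    lines = []
    for r in records:
        indent = "  " * (r.depth - 1)
        lines.append(f"{r.elapsed:8.2f} {indent}{r.call}")
    return "\n".join(lines)


def api_histogram(records: List[TraceRecord]) -> Counter:
    """Count how often each API was called; a quick first look at a long trace."""
    return Counter(r.api for r in records)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(render_call_tree(recs))
    print(api_histogram(recs).most_common())
```

Point parse_log at the contents of the real log.txt to get the same tree and histogram for a whole run; the regex is deliberately strict so that any line from a differently configured syelog build shows up as skipped rather than mis-read.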

Answered by Pablo Yabo

Detours lets you intercept any function. It places a jmp in the address that you specify creating a trampoline to your code. Finally, you call the old function if you want to do it. To use Detours you have to inject your code in the process you want to intercept.

To simplify this process you can use Deviare API Hook, which does all the injection stuff, and you can intercept applications from any programming language that supports COM technology, including .NET, Delphi, C++, Python, etc. After downloading the package you will find some examples in it. There is a console named DeviareCSharpConsole that lets you intercept any API of any process showing full stack trace information.

This is the way Deviare API Hook works, but it is what you need to do if you want to create an application that hooks another process:

Deviare API Hook Design

An agent should be created in the target process to intercept the APIs you want. To intercept these APIs you can use Detours, but you have to code IPC stuff that is not included in that library.

If you need to write code inside the target process using Deviare API Hook you can use Deviare Custom Hooks. This feature lets you intercept APIs and handle processed parameters asynchronously.
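The answer above describes the mechanism: Detours overwrites the start of the target function with a jmp to the hook and keeps the displaced bytes in a trampoline. The added example below is mine, not code from the answer, from Detours or from Deviare, and shows the defender's side of that: given the first bytes of an exported function as they sit in memory and as they appear in the file on disk, it reports a changed prologue and, when the change is the 5-byte E9 rel32 jump, decodes where the jump lands and whether that lies outside the module. All addresses, export names and byte strings are constructed for the example; the module base and hook address are hypothetical.

```python
import struct
from typing import Dict, List, Optional, Tuple

# Hot-patchable x86 prologue found on many Win32 exports:
#   mov edi,edi ; push ebp ; mov ebp,esp   (exactly the 5 bytes a detour overwrites)
CLEAN_PROLOGUE = bytes.fromhex("8bff558bec")

# Hypothetical layout, constructed for this example (not real addresses):
MODULE_BASE = 0x7FFA00000000      # pretend load address of the hooked DLL
MODULE_SIZE = 0x100000            # pretend size of its image
HOOK_ADDR = 0x7FFA20000000        # pretend address of a detour function in an injected DLL
EXPORT_ADDRS = {
    "CreateFileW": MODULE_BASE + 0x1000,
    "GetCurrentThreadId": MODULE_BASE + 0x2000,
}


def encode_jmp_rel32(src: int, dst: int) -> bytes:
    """E9 <rel32>: the 5-byte relative jump a detour writes at src to reach dst.
    Used here only to construct the 'hooked' sample bytes."""
    rel = dst - (src + 5)          # displacement is relative to the next instruction
    if not -2**31 <= rel < 2**31:
        raise ValueError("target not reachable with a rel32 jump")
    return b"\xe9" + struct.pack("<i", rel)


def decode_jmp_rel32(prologue: bytes, addr: int) -> Optional[int]:
    """If the bytes at addr start with jmp rel32, return its absolute target, else None."""
    if len(prologue) < 5 or prologue[0] != 0xE9:
        return None
    (rel,) = struct.unpack("<i", prologue[1:5])
    return addr + 5 + rel


def find_inline_hooks(module_base: int, module_size: int,
                      live: Dict[str, Tuple[int, bytes]],
                      on_disk: Dict[str, bytes]) -> List[dict]:
    """Compare each export's in-memory prologue with the on-disk bytes.
    live:    name -> (address, bytes currently in memory)
    on_disk: name -> bytes of the same prologue in the module file
    Returns one finding per export whose prologue was modified."""
    findings = []
    for name, (addr, mem) in live.items():
        expected = on_disk.get(name)
        if expected is not None and mem[:len(expected)] == expected:
            continue                # unchanged, nothing to report
        target = decode_jmp_rel32(mem, addr)
        findings.append({
            "api": name,
            "address": addr,
            "jmp_target": target,   # None when the change is not a plain jmp rel32
            "outside_module": target is not None
                              and not (module_base <= target < module_base + module_size),
        })
    return findings


def demo_findings() -> List[dict]:
    """Constructed scenario: CreateFileW detoured to HOOK_ADDR, GetCurrentThreadId untouched."""
    live = {
        "CreateFileW": (EXPORT_ADDRS["CreateFileW"],
                        encode_jmp_rel32(EXPORT_ADDRS["CreateFileW"], HOOK_ADDR)),
        "GetCurrentThreadId": (EXPORT_ADDRS["GetCurrentThreadId"], CLEAN_PROLOGUE),
    }
    on_disk = {name: CLEAN_PROLOGUE for name in EXPORT_ADDRS}
    return find_inline_hooks(MODULE_BASE, MODULE_SIZE, live, on_disk)


if __name__ == "__main__":
    for f in demo_findings():
        where = f"{f['jmp_target']:#x}" if f["jmp_target"] is not None else "not a jmp rel32"
        flag = " (target outside module)" if f["outside_module"] else ""
        print(f"{f['api']} @ {f['address']:#x}: prologue modified, target {where}{flag}")
```

A real check would read the live prologue with ReadProcessMemory and the expected bytes from the module file, and would map the jump target back to a loaded module name. The E9 pattern covers only the simplest detour; jumps through a pointer, push/ret sequences or patches placed deeper in the function each need their own pattern, which is why the comparison against on-disk bytes, not the jmp decode, is the primary signal here.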

Answered by martona

Instead of detours (which is free for 32-bit only) or easyhook (which is, khm, a little bit messy code) you may want to check out mhook 2.4, which is very neat code and BSD-licensed. Works on x86 and x64, handles IP-relative code, etc.

There's also a thorough description on how it works at the site.

As for the stack backtrace, you can use CaptureStackBackTrace() from kernel32, or if you want to get fancy, use StackWalk64() from dbghelp.

Answered by TCS

First of all, I would HIGHLY advise, that if you want to perform API hooking, I would go with easyhook: http://easyhook.codeplex.com/ (open source). It is a VERY good and easy api-hooking framework.

About how to get the stack trace, I don't remember exactly how to do it, but check out WinAPIOverride32: http://jacquelin.potier.free.fr/winapioverride32/ (open source). He's doing exactly that, and it is open source. Besides, if you need the traces for research, WinAPIOverride32 is a great application to use in order to study how applications work.

EDIT: Just adding one more application. http://www.rohitab.com/ is like WinAPIOverride32, but it supports 64bit and it really improved since I wrote this answer. I must point out that in some cases it missed API calls that I found in WinAPIOverride32, but it's still pretty good. Unfortunately the source is not published.

About how api-hooking works, well, it's a long explanation; I would point you to this article: http://www.codeproject.com/KB/system/hooksys.aspx It gives a pretty good explanation of how it is done under the hood (there are other methods besides what is written there, but still, it is a very good article).

Hope it helps! :-)

Answered by karlphillip

If you are allowed to use something other than Detours, you could install a debugger like WinDbg and attach it to the process to get a callstack.

You could also try other tools like Process Monitor and Windows Performance Toolkit as explained here.