(1) If the return value is 4 bytes, the function places it in EAX and returns it through EAX.
(2) If the return value is 8 bytes, the function places it in EAX and EDX and returns it through both: EDX holds the high 4 bytes, EAX the low 4 bytes.
(3) If the return value is larger than 8 bytes, EAX holds the address of the return value.
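The three cases above, written out as an added C example (not code from the original notes). The function names, the `big_t` struct and the `split_edx_eax` helper are assumptions chosen for illustration; `split_edx_eax` mirrors the EDX:EAX split of case (2) in plain C so the high/low dword assignment can be checked, and `ret_big_hidden_ptr` spells out the hidden-pointer convention of case (3) that the compiler otherwise generates for you.

```c
#include <stdint.h>
#include <stdio.h>

/* Case (1): a 4-byte result travels back in EAX. */
uint32_t ret_4(uint32_t a, uint32_t b)
{
    return a + b;
}

/* Case (2): an 8-byte result travels back in EDX:EAX
   (EDX = high dword, EAX = low dword). */
uint64_t ret_8(uint32_t hi, uint32_t lo)
{
    return ((uint64_t)hi << 32) | lo;
}

/* Helper (assumed name): split a 64-bit value exactly as the x86 ABI
   distributes it over the two registers. The out-parameters are named
   after the registers they stand for. */
void split_edx_eax(uint64_t v, uint32_t *edx, uint32_t *eax)
{
    *edx = (uint32_t)(v >> 32);   /* high 4 bytes -> EDX */
    *eax = (uint32_t)(v & 0xFFFFFFFFu); /* low 4 bytes -> EAX */
}

/* Case (3): a 12-byte result. The compiler gives the callee a hidden
   pointer to caller-owned storage and returns that address in EAX. */
typedef struct {
    uint32_t a, b, c;
} big_t;

big_t ret_big(uint32_t seed)
{
    big_t r = { seed, seed + 1, seed + 2 };
    return r;
}

/* The same thing spelled out by hand: the caller supplies the buffer,
   the callee fills it and hands the address back, which is what ends
   up in EAX for case (3). */
big_t *ret_big_hidden_ptr(big_t *out, uint32_t seed)
{
    out->a = seed;
    out->b = seed + 1;
    out->c = seed + 2;
    return out;
}

/* Returns 1 when the hidden-pointer form hands back the caller's own
   buffer and has filled it, 0 otherwise. */
int hidden_ptr_returns_buffer(uint32_t seed)
{
    big_t buf = { 0, 0, 0 };
    big_t *p = ret_big_hidden_ptr(&buf, seed);
    return (p == &buf) && buf.a == seed && buf.b == seed + 1 && buf.c == seed + 2;
}

int main(void)
{
    uint32_t edx, eax;
    split_edx_eax(ret_8(0x11223344u, 0x55667788u), &edx, &eax);
    printf("EAX=%08x (4-byte result)\n", ret_4(1, 2));
    printf("EDX:EAX=%08x:%08x (8-byte result)\n", edx, eax);
    printf("hidden pointer ok: %d\n", hidden_ptr_returns_buffer(7));
    return 0;
}
```

When reading a `u` listing around a `ret`, this is why a function that ends with `mov eax, ...` alone returns a dword, while a `mov edx, ...` paired with `mov eax, ...` just before `ret` marks a qword result.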
0:000> !analyze -v
FAULTING_IP:
+0
00000000 ?? ???
EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 00000000
ExceptionCode: 80000003 (Break instruction exception)
ExceptionFlags: 00000000
NumberParameters: 0
FAULTING_THREAD: 00001588
DEFAULT_BUCKET_ID: STATUS_BREAKPOINT
PROCESS_NAME: EnforcerGUI.exe
ERROR_CODE: (NTSTATUS) 0x80000003 - {EXCEPTION} Breakpoint A breakpoint has been reached.
EXCEPTION_CODE: (HRESULT) 0x80000003 (2147483651) - One or more arguments are invalid
NTGLOBALFLAG: 0
APPLICATION_VERIFIER_FLAGS: 0
PRIMARY_PROBLEM_CLASS: STATUS_BREAKPOINT
BUGCHECK_STR: APPLICATION_FAULT_STATUS_BREAKPOINT
LAST_CONTROL_TRANSFER: from 77d244e4 to 77d2f62c
STACK_TEXT:
045bfa98 77d244e4 00000418 00596380 00000010 ntdll!ZwWaitForWorkViaWorkerFactory+0xc
045bfc34 779d86e3 00594060 045bfc84 77d5be99 ntdll!TppWorkerThread+0x1e3
045bfc40 77d5be99 00594060 943f99ac 00000000 kernel32!BaseThreadInitThunk+0xe
045bfc84 77d5be6c 77d25087 00594060 ffffffff ntdll!__RtlUserThreadStart+0x72
045bfc9c 00000000 77d25087 00594060 00000000 ntdll!_RtlUserThreadStart+0x1b
STACK_COMMAND: ~0s; .ecxr ; kb
FOLLOWUP_IP:
ntdll!ZwWaitForWorkViaWorkerFactory+c
77d2f62c c21000 ret 10h
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: ntdll!ZwWaitForWorkViaWorkerFactory+c
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: ntdll
IMAGE_NAME: ntdll.dll
DEBUG_FLR_IMAGE_TIMESTAMP: 53645e25
FAILURE_BUCKET_ID: STATUS_BREAKPOINT_80000003_ntdll.dll!ZwWaitForWorkViaWorkerFactory
BUCKET_ID: APPLICATION_FAULT_STATUS_BREAKPOINT_ntdll!ZwWaitForWorkViaWorkerFactory+c
Followup: MachineOwner
---------
0:000> u 77d244e4 // disassemble the code at the given address
ntdll!TppWorkerThread+0x1e3:
77d244e4 8945c4 mov dword ptr [ebp-3Ch],eax
77d244e7 8975fc mov dword ptr [ebp-4],esi
77d244ea b9c003fe7f mov ecx,offset SharedUserData+0x3c0 (7ffe03c0)
77d244ef 85c0 test eax,eax
77d244f1 0f85883cfeff jne ntdll!TppWorkerThread+0x244 (77d0817f)
77d244f7 2bc3 sub eax,ebx
77d244f9 0f859f0effff jne ntdll!TppWorkerThread+0x24b (77d1539e)
77d244ff 8b01 mov eax,dword ptr [ecx]
0:000> ub 77d2f62c // the region to disassemble is counted backwards from the address
ntdll!ZwWaitForKeyedEvent+0xc:
77d2f60c c21000 ret 10h
77d2f60f 90 nop
ntdll!NtWaitForWnfNotifications:
77d2f610 b8a9010000 mov eax,1A9h
77d2f615 64ff15c0000000 call dword ptr fs:[0C0h]
77d2f61c c20800 ret 8
77d2f61f 90 nop
ntdll!ZwWaitForWorkViaWorkerFactory:
77d2f620 b8aa010000 mov eax,1AAh
77d2f625 64ff15c0000000 call dword ptr fs:[0C0h]
0:000> !teb // show the contents of the TEB structure
TEB at 7e93c000
ExceptionList: 045bfc24
StackBase: 045c0000
StackLimit: 045be000
SubSystemTib: 00000000
FiberData: 00001e00
ArbitraryUserPointer: 00000000
Self: 7e93c000
EnvironmentPointer: 00000000
ClientId: 00001f00 . 00001588
RpcHandle: 00000000
Tls Storage: 00591e80
PEB Address: 7ea67000
LastErrorValue: 0
LastStatusValue: 0
Count Owned Locks: 0
HardErrorMode: 0
0:000> r
eax=00000000 ebx=00000000 ecx=00000000 edx=00000000 esi=00000002 edi=00594060
eip=77d2f62c esp=045bfa9c ebp=045bfc34 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206
ntdll!ZwWaitForWorkViaWorkerFactory+0xc:
77d2f62c c21000 ret 10h
0:000> dps 045be000 045c0000 // display the given memory range as dwords with symbols (StackLimit..StackBase from !teb)
045be000 00000000
045bef4c 00000000
045bef50 772d10b8 ole32!DllMain+0x44
045bef54 00000000
045befd8 045beff4
045befdc 77d4f317 ntdll!bsearch+0x61
045befe0 045bf03c
045bf790 75de1501 crypt32!DllMain+0xad
045bf794 75de0000 crypt32!__xc_a <PERF> (crypt32+0x0)
045bf798 77b1109e msctf!DllMain+0x3c
045bf79c 77ba10d8 msctf!g_dwThreadDllMain
045bf7a0 00000000
045bf7b4 045bf818
045bf7b8 74e76aca mswsock!_except_handler4
045bf7bc e63189b2
045bf7c0 fffffffe
045bf7c4 045bf828
045bf7c8 74e51151 mswsock!__DllMainCRTStartup+0x84
045bf7cc 00000002
045bf7d0 74e51183 mswsock!__DllMainCRTStartup+0xaa
045bf7d4 968f611a
045bf7e0 004f2d90
045bf7e4 74ed1170 gpapi!_CRT_INIT+0x2d5
045bf7e8 74ed0000 gpapi!__xc_a <PERF> (gpapi+0x0)
045bf7ec 00000002
045bf7f0 74ed11c8 gpapi!_CRT_INIT+0x445
045bf7f4 9708ef99
045bf810 045bf7d4
045bf814 75660000 advapi32!_sz_CRYPTSP_dll <PERF> (advapi32+0x0)
045bf818 045bf898
045bf81c 74e76aca mswsock!_except_handler4
045bf820 e6318892
045bf824 fffffffe
045bf828 045bf840
045bf82c 74e510bf mswsock!_DllMainCRTStartup+0x1a
045bf830 74e50000 mswsock!__xc_a <PERF> (mswsock+0x0)
045bf834 00000002
045bf844 00000000
045bf848 77d523c2 ntdll!RtlDeactivateActivationContextUnsafeFast+0x263
045bf84c 00000002
045bf9e0 045bfc24
045bf9e4 77d05191 ntdll!_except_handler4
045bfc94 ffffffff
045bfc98 77dd1e8b ntdll!FinalExceptionHandler
045bfc9c 00000000
045bfca0 00000000
045bfca4 77d25087 ntdll!TppWorkerThread
045c0000 3bf27462
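The `dps` range above is exactly StackLimit..StackBase from the `!teb` output, and reading it by hand means sorting each slot into "points back into the stack" (saved EBP / exception-record chain), "resolved to a module symbol" (candidate return address) or "neither". The following added C example (not part of the original notes) does that sort over a handful of lines copied from the listing above; the parser only keeps the first token of a symbol, and the function names and the small sample are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* One parsed `dps` line: slot address, stored dword, optional symbol. */
typedef struct {
    unsigned int slot;
    unsigned int value;
    char symbol[128];   /* empty when the value did not resolve */
} dps_entry;

/* Parse "045bef50 772d10b8 ole32!DllMain+0x44" into a dps_entry.
   Returns 1 on success, 0 if the line is not a dps entry. */
int parse_dps_line(const char *line, dps_entry *out)
{
    char sym[128];
    int n = sscanf(line, "%8x %8x %127s", &out->slot, &out->value, sym);
    if (n < 2)
        return 0;
    if (n == 3) {
        strncpy(out->symbol, sym, sizeof out->symbol - 1);
        out->symbol[sizeof out->symbol - 1] = '\0';
    } else {
        out->symbol[0] = '\0';
    }
    return 1;
}

/* Does `addr` lie inside the thread's stack as reported by !teb? */
int in_stack_range(unsigned int addr, unsigned int limit, unsigned int base)
{
    return addr >= limit && addr < base;
}

/* Sample lines constructed from the dps output above (StackLimit 045be000,
   StackBase 045c0000). */
static const char *const sample[] = {
    "045be000 00000000",
    "045bef50 772d10b8 ole32!DllMain+0x44",
    "045befd8 045beff4",
    "045befdc 77d4f317 ntdll!bsearch+0x61",
    "045bfc98 77dd1e8b ntdll!FinalExceptionHandler",
    "045bfca4 77d25087 ntdll!TppWorkerThread",
};
static const int sample_count = (int)(sizeof sample / sizeof sample[0]);

/* Classify the sample: count slots whose value points back into the stack
   and slots whose value resolved to a symbol. Returns the number of lines
   that parsed. */
int classify_sample(unsigned int limit, unsigned int base,
                    int *stack_ptrs, int *symbol_ptrs)
{
    int parsed = 0;
    *stack_ptrs = 0;
    *symbol_ptrs = 0;
    for (int i = 0; i < sample_count; i++) {
        dps_entry e;
        if (!parse_dps_line(sample[i], &e))
            continue;
        parsed++;
        if (in_stack_range(e.value, limit, base))
            (*stack_ptrs)++;         /* frame-pointer / handler chain link */
        else if (e.symbol[0] != '\0')
            (*symbol_ptrs)++;        /* code address: candidate return site */
    }
    return parsed;
}

int main(void)
{
    int stack_ptrs, symbol_ptrs;
    int parsed = classify_sample(0x045be000u, 0x045c0000u, &stack_ptrs, &symbol_ptrs);
    printf("parsed=%d stack-pointers=%d symbolized=%d\n", parsed, stack_ptrs, symbol_ptrs);
    return 0;
}
```

The slot at 045befd8 holding 045beff4 is the kind of link a frame-pointer walk follows, while the symbolized dwords are the entries worth checking against a `ub` listing to confirm they sit right after a `call`.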
WinDbg usage reference:
http://www.cnblogs.com/gaochundong/p/windbg_cheat_sheet.html#thread_info_cmds