vshost.exe调试宿主(VS Debug Host Process)进程详解的分析过程

整个分析过程如下:

 

1.         首先将VS 2008运行起来,打开一个工程,这里我打开的是PersonalFinancy工程,这个时候VS 2008自动将PersonalFinancy.vshost.exe运行起来。

2.         启动可执行文件,PersonalFinancy.exe,因为这是一个窗体程序,所以我没有在工程里面设置断点。

3.         接着启动Windbg.exe,选择Attach to a Process,然后从打开的对话框里面选择PersonalFinancy.vshost.exe,勾选“NonInvasive”复选框。这是因为我们的PersonalFinancy.vshost.exe已经被一个调试器所调试,如果将两个调试器附加到同一个进程上面,会有很多不可预料的问题。

4.         打印堆栈,并且查看PersonalFinancy.vshost.exe里面的应用程序域信息。

 

0:000> !eestack

---------------------------------------------

Thread   0

Current frame: ntdll!KiFastSystemCallRet

ChildEBP RetAddr  Caller,Callee

0012f490 7c957cfb ntdll!ZwWaitForMultipleObjects+0xc

0012f494 7c82202c KERNEL32!WaitForMultipleObjectsEx+0x11a, calling ntdll!ZwWaitForMultipleObjects

0012f4d4 7c822080 KERNEL32!WaitForMultipleObjectsEx+0x34, calling ntdll!RtlActivateActivationContextUnsafeFast

# 此处省略了很多不相关的函数信息

0012feec 79f45dc0 mscorwks!GetMetaDataInternalInterfaceFromPublic+0xb31b, calling mscorwks!GetMetaDataInternalInterfaceFromPublic+0xb35f

0012fef0 79f45ddf mscorwks!GetMetaDataInternalInterfaceFromPublic+0xb33a, calling mscorwks+0x18bb

# 虽然我没有使用正确的调试符号文件,但是CorExeMain函数还是告诉我这个是

# PersonalFinancy.vshost.exe的主线程

0012ff18 79fb9793 mscorwks!CorExeMain+0x14c, calling mscorwks!GetCLRFunction+0xcd27

0012ff68 79fb96df mscorwks!CorExeMain+0x98, calling mscorwks!CorExeMain+0x103

0012ffb0 7900b1b3 mscoree!_CorExeMain+0x2c

0012ffc0 7c82f23b KERNEL32!BaseProcessStart+0x23

---------------------------------------------

# 此处省略了很多不相关的线程堆栈信息

---------------------------------------------

Thread   6

Current frame: ntdll!KiFastSystemCallRet

ChildEBP RetAddr  Caller,Callee

039ffe18 7c95783b ntdll!NtReplyWaitReceivePortEx+0xc

# PersonalFinancy.vshost.exe通过这个线程与Visual studio 2008相互交流

039ffe1c 77c585ac RPCRT4!LRPC_ADDRESS::ReceiveLotsaCalls+0x198, calling ntdll!NtReplyWaitReceivePortEx

039fff30 77c584a6 RPCRT4!LRPC_ADDRESS::ReceiveLotsaCalls+0x3a, calling RPCRT4!FormatTimeOut

039fff38 77c584b6 RPCRT4!LRPC_ADDRESS::ReceiveLotsaCalls+0x4a, calling ntdll!alloca_probe

039fff84 77c58792 RPCRT4!RecvLotsaCallsWrapper+0xd, calling RPCRT4!LRPC_ADDRESS::ReceiveLotsaCalls

039fff8c 77c5872d RPCRT4!BaseCachedThreadRoutine+0x9d

039fffac 77c4b110 RPCRT4!ThreadStartRoutine+0x1b

039fffb8 7c824829 KERNEL32!BaseThreadStart+0x34

---------------------------------------------

# 此处省略了很多不相关的线程堆栈和函数信息

0494f574 7937dd77 (MethodDesc 0x79255938 +0x37 System.Reflection.Assembly.nLoad(System.Reflection.AssemblyName, System.String, System.Security.Policy.Evidence, System.Reflection.Assembly, System.Threading.StackCrawlMark ByRef, Boolean, Boolean)), calling mscorwks!GetCLRFunction+0x48c29

0494f59c 7937dbe8 (MethodDesc 0x7914b8b8 +0xd4 System.Reflection.Assembly.InternalLoad(System.Reflection.AssemblyName, System.Security.Policy.Evidence, System.Threading.StackCrawlMark ByRef, Boolean)), calling (MethodDesc 0x79255938 +0 System.Reflection.Assembly.nLoad(System.Reflection.AssemblyName, System.String, System.Security.Policy.Evidence, System.Reflection.Assembly, System.Threading.StackCrawlMark ByRef, Boolean, Boolean))

0494f5ac 7937dbf6 (MethodDesc 0x7914b8b8 +0xe2 System.Reflection.Assembly.InternalLoad(System.Reflection.AssemblyName, System.Security.Policy.Evidence, System.Threading.StackCrawlMark ByRef, Boolean)), calling mscorwks!LogHelp_TerminateOnAssert

0494f5d0 79423431 (MethodDesc 0x79255690 +0x55 System.Reflection.Assembly.InternalLoadFrom(System.String, System.Security.Policy.Evidence, Byte[], System.Configuration.Assemblies.AssemblyHashAlgorithm, Boolean, System.Threading.StackCrawlMark ByRef)), calling (MethodDesc 0x7914b8b8 +0 System.Reflection.Assembly.InternalLoad(System.Reflection.AssemblyName, System.Security.Policy.Evidence, System.Threading.StackCrawlMark ByRef, Boolean))

# 启动实际需要被调试的进程—PersonalFinancy.exe

0494f5f8 793def29 (MethodDesc 0x79257218 +0x39 System.AppDomain.ExecuteAssembly(System.String, System.Security.Policy.Evidence, System.String[])), calling mscorwks!CreateHistoryReader+0x2f890

0494f60c 0120156b (MethodDesc 0x983d10 +0x2b Microsoft.VisualStudio.HostingProcess.HostProc.RunUsersAssembly())

0494f61c 793b0d1f (MethodDesc 0x792713d0 +0x3b System.Threading.ThreadHelper.ThreadStart_Context(System.Object))

0494f63c 793b0d1f (MethodDesc 0x792713d0 +0x3b System.Threading.ThreadHelper.ThreadStart_Context(System.Object))

0494f644 79373ecd (MethodDesc 0x7914e0d8 +0x81 System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object))

0494f658 793b0c68 (MethodDesc 0x791511d0 +0x40 System.Threading.ThreadHelper.ThreadStart()), calling (MethodDesc 0x7914e0d8 +0 System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object))

# 此处省略了很多不相关的线程堆栈和函数信息

# 查看PersonalFinancy.vshost.exe应用程序域信息,以及每一个应用程序域所加载的Assembly

0:000> !dumpdomain

--------------------------------------

# 此处省略了很多不相关的线程应用程序域信息

--------------------------------------

Domain 1: 0015e560

LowFrequencyHeap: 0015e584

HighFrequencyHeap: 0015e5dc

StubHeap: 0015e634

Stage: OPEN

SecurityDescriptor: 00158f98

# PersonalFinancy.vshost.exe执行的应用程序域

Name: PersonalFinancy.vshost.exe

Assembly: 001a3dc8 [C:/WINDOWS/assembly/GAC_32/mscorlib/2.0.0.0__b77a5c561934e089/mscorlib.dll]

ClassLoader: 00173528

SecurityDescriptor: 00163938

  Module Name

790c2000 C:/WINDOWS/assembly/GAC_32/mscorlib/2.0.0.0__b77a5c561934e089/mscorlib.dll

# 此处省略了很多不相关的线程应用程序域信息

Assembly: 0022ba88 [D:/Workspace/PersonalFinancy/PersonalFinancy/bin/Debug/PersonalFinancy.vshost.exe]

ClassLoader: 00223f90

SecurityDescriptor: 00224018

  Module Name

00987528 D:/Workspace/PersonalFinancy/PersonalFinancy/bin/Debug/PersonalFinancy.vshost.exe

 

# PersonalFinancy.vshost.exe其实将被调试的可执行文件PersonalFinancy.exe放在与它相同的

# 应用程序域中执行

Assembly: 0421faa0 [D:/Workspace/PersonalFinancy/PersonalFinancy/bin/Debug/PersonalFinancy.exe]

ClassLoader: 0024c690

SecurityDescriptor: 0024c2c0

  Module Name

041025c0 D:/Workspace/PersonalFinancy/PersonalFinancy/bin/Debug/PersonalFinancy.exe

 

你可能感兴趣的:(classloader,assembly,c,module,byte,调试)