原文发表于百度空间,2011-03-24
==========================================================================
看雪上别人问的一个问题,顺便在此记录下吧~~
kd> kvn # ChildEBP RetAddr Args to Child 00 0012f7b8 77d2dbfb 0012f81c 00000000 00000008 kernel32!LoadLibraryExW+0x2 (FPO: [Non-Fpo]) 01 0012f7e4 7c92eae3 0012f7f4 00000080 00000080 USER32!__ClientLoadLibrary+0x32 (FPO: [1,3,4]) 02 0012f7e4 80501a60 0012f7f4 00000080 00000080 ntdll!KiUserCallbackDispatcher+0x13 (FPO: [0,0,0]) 03 ef8f35e8 805a1779 ef8f36a0 ef8f369c ef8f38e8 nt!KiCallUserMode+0x4 (FPO: [2,3,4]) 04 ef8f3644 bf84ce33 00000042 ef8f36b0 00000080 nt!KeUserModeCallback+0x87 (FPO: [Non-Fpo]) 05 ef8f38cc bf84cf3e ef8f38e8 00000000 00000000 win32k!ClientLoadLibrary+0xb2 (FPO: [Non-Fpo]) 06 ef8f3afc bf83f449 00000002 00000000 e10622c0 win32k!xxxLoadHmodIndex+0x86 (FPO: [1,133,0]) 07 ef8f3b68 bf83f4a0 03e49c40 00000003 00040140 win32k!xxxCallHook2+0x19b (FPO: [5,21,4]) 08 ef8f3b84 bf8407c8 00000003 00040140 00000002 win32k!xxxCallHook+0x26 (FPO: [4,0,0]) 09 ef8f3c6c bf83eec5 00000100 00000000 bbe34058 win32k!xxxCreateWindowEx+0x48c (FPO: [15,49,0]) 0a ef8f3d20 8054160c 80000000 ef8f3cec ef8f3ce0 win32k!NtUserCreateWindowEx+0x1c1 (FPO: [Non-Fpo]) 0b ef8f3d20 7c92eb94 80000000 ef8f3cec ef8f3ce0 nt!KiFastCallEntry+0xfc (FPO: [0,0] TrapFrame @ ef8f3d64) 0c 0012f7e4 7c92eae3 0012f7f4 00000080 00000080 ntdll!KiFastSystemCallRet (FPO: [0,0,0]) 0d 0012f870 77d1fe13 77d1fdd9 80000000 0012fd98 ntdll!KiUserCallbackDispatcher+0x13 (FPO: [0,0,0]) 0e 0012fd14 77d1fecc 80000000 0012fd98 0012fdac USER32!NtUserCreateWindowEx+0xc 0f 0012fdc0 77d1ff66 80000000 00487d80 0012fdac USER32!_CreateWindowEx+0x1ed (FPO: [13,25,0]) 10 0012fdfc 00404dd2 00000000 00487d80 00477510 USER32!CreateWindowExA+0x33 (FPO: [12,0,0]) 11 0012fe70 00447830 00400000 00000001 0012ffc0 Procexp+0x4dd2 12 00000000 00000000 00000000 00000000 00000000 Procexp+0x47830
原文地址:https://www.cnblogs.com/achillis/p/10183650.html
时间: 2024-10-08 10:12:15