{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 啃猪蹄的小仙女 的问题《call stack and disassembly doubt》','https://www.manongdao.com/q-871409.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
Three doubts 1) Suppose I get the call stack as below
user32.dll!_InternalCallWinProc@20() + 0x28 bytes
user32.dll!_UserCallWinProcCheckWow@32() + 0xb7 bytes
user32.dll!_CallWindowProcAorW@24() + 0x51 bytes
user32.dll!_CallWindowProcW@20() + 0x1b bytes
Now what are the bytes mentioned at the end of each function? Like for first statement what is 0x28 bytes.
2) How to put breakpoint on a windows system dll in VS ? In windbg I can search for a particular function of windows system dll as
>x wininet!*funcA*
with this command I can get the address of this function and can put breakpoint . Can I do the same in Visual Studio?
3) I don't have Symbol file of a dll. The call stack I am getting in disassembly is
7814XXX0 call dword ptr [__imp__WindowsFuncA@32 (781EXXXXh)]
What is __imp__ in above call stack? Does this mean that this windows function is hooked to some other dll?
1) They are the byte offset of the instruction being executed in that stack frame, relative to the start of the function.
2) Enter something like this into the New Breakpoint dialog:
where the
16is the number of bytes of parameters that the function expects (In Win32, this is almost always 4 times the number of parameters). TheWrefers to the Unicode version of the API; useAif you're debugging an ANSI application.3)
__imp__refers to the DLL import table - the code in the current module is redirected via aJMPinto the real Windows DLL, and the__imp__symbol refers to thatJMP. TheseJMPs live in a table in the DLL or EXE making the call.For the first part of your question, the byte offsets mentioned are the position in the function during execution that resulted in the subsequent call higher in the stack.
1) They're the offsets from the start of the function to the line that was executing when the stack trace was created.
2 & 3 - dunno. Sorry.