vshost.exe调试宿主（VS Debug Host Process）进程详解的分析过程

整个分析过程如下：

1. 首先将VS 2008运行起来，打开一个工程，这里我打开的是PersonalFinancy工程，这个时候VS 2008自动将PersonalFinancy.vshost.exe运行起来。
2. 启动可执行文件，PersonalFinancy.exe，因为这是一个窗体程序，所以我没有在工程里面设置断点。
3. 接着启动Windbg.exe，选择Attach to a Process，然后从打开的对话框里面选择PersonalFinancy.vshost.exe，勾选“NonInvasive”复选框。这是因为我们的PersonalFinancy.vshost.exe已经被一个调试器所调试，如果将两个调试器附加到同一个进程上面，会有很多不可预料的问题。
4. 打印堆栈，并且查看PersonalFinancy.vshost.exe里面的应用程序域信息。

0:000> !eestack --------------------------------------------- Thread 0 Current frame: ntdll!KiFastSystemCallRet ChildEBP RetAddr Caller,Callee 0012f490 7c957cfb ntdll!ZwWaitForMultipleObjects+0xc 0012f494 7c82202c KERNEL32!WaitForMultipleObjectsEx+0x11a, calling ntdll!ZwWaitForMultipleObjects 0012f4d4 7c822080 KERNEL32!WaitForMultipleObjectsEx+0x34, calling ntdll!RtlActivateActivationContextUnsafeFast # 此处省略了很多不相关的函数信息 … 0012feec 79f45dc0 mscorwks!GetMetaDataInternalInterfaceFromPublic+0xb31b, calling mscorwks!GetMetaDataInternalInterfaceFromPublic+0xb35f 0012fef0 79f45ddf mscorwks!GetMetaDataInternalInterfaceFromPublic+0xb33a, calling mscorwks+0x18bb # 虽然我没有使用正确的调试符号文件，但是CorExeMain函数还是告诉我这个是 # PersonalFinancy.vshost.exe的主线程 0012ff18 79fb9793 mscorwks!CorExeMain+0x14c, calling mscorwks!GetCLRFunction+0xcd27 0012ff68 79fb96df mscorwks!CorExeMain+0x98, calling mscorwks!CorExeMain+0x103 0012ffb0 7900b1b3 mscoree!_CorExeMain+0x2c 0012ffc0 7c82f23b KERNEL32!BaseProcessStart+0x23 --------------------------------------------- # 此处省略了很多不相关的线程堆栈信息 … --------------------------------------------- Thread 6 Current frame: ntdll!KiFastSystemCallRet ChildEBP RetAddr Caller,Callee 039ffe18 7c95783b ntdll!NtReplyWaitReceivePortEx+0xc # PersonalFinancy.vshost.exe通过这个线程与Visual studio 2008相互交流 039ffe1c 77c585ac RPCRT4!LRPC_ADDRESS::ReceiveLotsaCalls+0x198, calling ntdll!NtReplyWaitReceivePortEx 039fff30 77c584a6 RPCRT4!LRPC_ADDRESS::ReceiveLotsaCalls+0x3a, calling RPCRT4!FormatTimeOut 039fff38 77c584b6 RPCRT4!LRPC_ADDRESS::ReceiveLotsaCalls+0x4a, calling ntdll!alloca_probe 039fff84 77c58792 RPCRT4!RecvLotsaCallsWrapper+0xd, calling RPCRT4!LRPC_ADDRESS::ReceiveLotsaCalls 039fff8c 77c5872d RPCRT4!BaseCachedThreadRoutine+0x9d 039fffac 77c4b110 RPCRT4!ThreadStartRoutine+0x1b 039fffb8 7c824829 KERNEL32!BaseThreadStart+0x34 --------------------------------------------- # 此处省略了很多不相关的线程堆栈和函数信息 … 0494f574 7937dd77 (MethodDesc 0x79255938 +0x37 System.Reflection.Assembly.nLoad(System.Reflection.AssemblyName, System.String, System.Security.Policy.Evidence, System.Reflection.Assembly, System.Threading.StackCrawlMark ByRef, Boolean, Boolean)), calling mscorwks!GetCLRFunction+0x48c29 0494f59c 7937dbe8 (MethodDesc 0x7914b8b8 +0xd4 System.Reflection.Assembly.InternalLoad(System.Reflection.AssemblyName, System.Security.Policy.Evidence, System.Threading.StackCrawlMark ByRef, Boolean)), calling (MethodDesc 0x79255938 +0 System.Reflection.Assembly.nLoad(System.Reflection.AssemblyName, System.String, System.Security.Policy.Evidence, System.Reflection.Assembly, System.Threading.StackCrawlMark ByRef, Boolean, Boolean)) 0494f5ac 7937dbf6 (MethodDesc 0x7914b8b8 +0xe2 System.Reflection.Assembly.InternalLoad(System.Reflection.AssemblyName, System.Security.Policy.Evidence, System.Threading.StackCrawlMark ByRef, Boolean)), calling mscorwks!LogHelp_TerminateOnAssert 0494f5d0 79423431 (MethodDesc 0x79255690 +0x55 System.Reflection.Assembly.InternalLoadFrom(System.String, System.Security.Policy.Evidence, Byte[], System.Configuration.Assemblies.AssemblyHashAlgorithm, Boolean, System.Threading.StackCrawlMark ByRef)), calling (MethodDesc 0x7914b8b8 +0 System.Reflection.Assembly.InternalLoad(System.Reflection.AssemblyName, System.Security.Policy.Evidence, System.Threading.StackCrawlMark ByRef, Boolean)) # 启动实际需要被调试的进程—PersonalFinancy.exe 0494f5f8 793def29 (MethodDesc 0x79257218 +0x39 System.AppDomain.ExecuteAssembly(System.String, System.Security.Policy.Evidence, System.String[])), calling mscorwks!CreateHistoryReader+0x2f890 0494f60c 0120156b (MethodDesc 0x983d10 +0x2b Microsoft.VisualStudio.HostingProcess.HostProc.RunUsersAssembly()) 0494f61c 793b0d1f (MethodDesc 0x792713d0 +0x3b System.Threading.ThreadHelper.ThreadStart_Context(System.Object)) 0494f63c 793b0d1f (MethodDesc 0x792713d0 +0x3b System.Threading.ThreadHelper.ThreadStart_Context(System.Object)) 0494f644 79373ecd (MethodDesc 0x7914e0d8 +0x81 System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object)) 0494f658 793b0c68 (MethodDesc 0x791511d0 +0x40 System.Threading.ThreadHelper.ThreadStart()), calling (MethodDesc 0x7914e0d8 +0 System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object)) # 此处省略了很多不相关的线程堆栈和函数信息 … # 查看PersonalFinancy.vshost.exe应用程序域信息，以及每一个应用程序域所加载的Assembly 0:000> !dumpdomain -------------------------------------- # 此处省略了很多不相关的线程应用程序域信息 … -------------------------------------- Domain 1: 0015e560 LowFrequencyHeap: 0015e584 HighFrequencyHeap: 0015e5dc StubHeap: 0015e634 Stage: OPEN SecurityDescriptor: 00158f98 # PersonalFinancy.vshost.exe执行的应用程序域 Name: PersonalFinancy.vshost.exe Assembly: 001a3dc8 [C:/WINDOWS/assembly/GAC_32/mscorlib/2.0.0.0__b77a5c561934e089/mscorlib.dll] ClassLoader: 00173528 SecurityDescriptor: 00163938 Module Name 790c2000 C:/WINDOWS/assembly/GAC_32/mscorlib/2.0.0.0__b77a5c561934e089/mscorlib.dll # 此处省略了很多不相关的线程应用程序域信息 … Assembly: 0022ba88 [D:/Workspace/PersonalFinancy/PersonalFinancy/bin/Debug/PersonalFinancy.vshost.exe] ClassLoader: 00223f90 SecurityDescriptor: 00224018 Module Name 00987528 D:/Workspace/PersonalFinancy/PersonalFinancy/bin/Debug/PersonalFinancy.vshost.exe # PersonalFinancy.vshost.exe其实将被调试的可执行文件PersonalFinancy.exe放在与它相同的 # 应用程序域中执行 Assembly: 0421faa0 [D:/Workspace/PersonalFinancy/PersonalFinancy/bin/Debug/PersonalFinancy.exe] ClassLoader: 0024c690 SecurityDescriptor: 0024c2c0 Module Name 041025c0 D:/Workspace/PersonalFinancy/PersonalFinancy/bin/Debug/PersonalFinancy.exe