Tuesday, February 17, 2015

IDA-GDB-VMWARE

1. In the .vmx file add:
debugStub.listen.guest32 = "TRUE"
debugStub.hideBreakpoints= "TRUE"
2. Start the virtual machine.
3. Start IDA.
4. Debugger -> Attach -> Remote GDB debugger.
5. Hostname: localhost, port: 8832. Note that this port cannot be changed.
6. Select entry 0; do not select the one showing a PID.
7. Click OK, and that's it.

Note: this can debug the MBR, virtualization code and so on. It can also show the flow-chart window, load symbols, etc.

made by correy
made at 9:38 2015/1/30.

Debugging a driver or the kernel with IDA

1. Prerequisite: an environment already set up so that WinDbg can debug the target.
2. Boot the machine to be debugged and make sure it is in debug mode.
3. At this point WinDbg can be loaded/started.
4. In WinDbg enter: ||, which returns a string like: COM:Port=\\.\pipe\kd_Windows_XP_Professional,Baud=19200,Pipe
5. Close WinDbg.
6. Start IDA.
7. Choose Debugger -> Attach -> WinDbg debugger. Choosing Run is not recommended.
8. Click Debugger options -> Set specific options -> choose kernel-mode debugging; the option that reconnects with an initial breakpoint is recommended.
9. Close the dialogs in turn. In the connection string enter the text from step 4.
10. A selection dialog appears; click OK. That's it, start debugging!

Remember there is an application name field; anything can be entered there.

The benefit: for drivers/kernels without source code you can view the flow chart.
For drivers with source code, debugging with WinDbg is still recommended.

made by correy
made at 9:25 2015/1/30

Finding the addresses of the process-creation callback functions

0: kd> x nt!*PspCreateProcessNotifyRoutine*
80564a60          nt!PspCreateProcessNotifyRoutineCount = <no type information>
80564a40          nt!PspCreateProcessNotifyRoutine = <no type information>
0: kd> dd 80564a60 L1
80564a60  00000001
0: kd> dd 80564a40 L1
80564a40  e22ecc07
0: kd> dd e22ecc04 L1    (clear the low four bits of the value above and add 4 (probably 8 on 64-bit); that is, zero the last hex digit and add 4 (8 on 64-bit))
e22ecc04  b1abeeb0
0: kd> u b1abeeb0
ahsh!ProcessCreateMon [e:\ahsh\sandbox\filter\process.c @ 179]:
b1abeeb0 8bff            mov     edi,edi


The above is an analysis on 32-bit XP.
--------------------------------------------------------------------------------------------------
Below is an analysis of Win10 x64.

First, analysing ntoskrnl.exe with IDA shows that
PsSetCreateProcessNotifyRoutine
PsSetCreateProcessNotifyRoutineEx
PsSetCreateProcessNotifyRoutineEx2
all use nt!PspCreateProcessNotifyRoutine.
There are, however, two counters: PspCreateProcessNotifyRoutineCount and PspCreateProcessNotifyRoutineExCount.


0: kd> ||
.  0 64-bit Full kernel dump: C:\WINDOWS\livekd.dmp
0: kd> vertarget
Windows 8 Kernel Version 9200 MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 16299.15.amd64fre.rs3_release.170928-1534
Machine Name:
Kernel base = 0xfffff800`c648d000 PsLoadedModuleList = 0xfffff800`c67f3fd0
Debug session time: Thu Jan  4 14:08:28.974 2018 (UTC + 8:00)
System Uptime: 0 days 1:02:35.071
0: kd> dq nt!PspCreateProcessNotifyRoutine
fffff800`c682ad40  ffffae00`5d44ab1f ffffae00`5d87496f
fffff800`c682ad50  ffffae00`5f005fef ffffae00`5f0581df
fffff800`c682ad60  ffffae00`5f09709f ffffae00`5f20589f
fffff800`c682ad70  ffffae00`5f182b5f ffffae00`5f18083f
fffff800`c682ad80  ffffae00`611d2bbf 00000000`00000000
fffff800`c682ad90  00000000`00000000 00000000`00000000
fffff800`c682ada0  00000000`00000000 00000000`00000000
fffff800`c682adb0  00000000`00000000 00000000`00000000
0: kd> dd nt!PspCreateProcessNotifyRoutineCount L1
fffff800`c6c7ae80  00000005
0: kd> dd nt!PspCreateProcessNotifyRoutineExCount L1
fffff800`c6c7ae84  00000004

I have heard that the SSDT on x64 has been tampered with (small encryption, shifts and similar operations), so this process callback probably won't be simple either!
See for yourself:
0: kd> dq ffffae00`5d44ab1f
ffffae00`5d44ab1f  00000000`000000ff 00000000`00000000
ffffae00`5d44ab2f  31695602`07000300 c78a14c6`d1c37830
ffffae00`5d44ab3f  00000000`00000071 00000000`00000000
ffffae00`5d44ab4f  00000001`00000400 00000000`00000000
ffffae00`5d44ab5f  00000100`00000000 0000a832`31695600
ffffae00`5d44ab6f  fff800c6`5a74a000 fff800c6`49ec90ff
ffffae00`5d44ab7f  ffae005d`4d7d30ff ffae0061`206630ff
ffffae00`5d44ab8f  00000000`000000ff 00000000`7d003600
What is this? At first glance I can't find what I'm looking for.

After some thought, reading the WRK code and IDA analysis, and quite a few detours:
The IDA analysis shows that the ExCompareExchangeCallBack function is the key point.
According to the WRK, this function's second parameter is PEX_CALLBACK_ROUTINE_BLOCK, so what gets inserted is a pointer to a structure, allocated by the ExAllocateCallBack function.
The key part of this function is the ExFastRefCompareSwapObject function,
which in turn calls InterlockedCompareExchangePointerRelease.

In ExFastRefCompareSwapObject there is a bitwise AND with MAX_FAST_REFS:
#if defined (_WIN64)
#define MAX_FAST_REFS 15
#else
#define MAX_FAST_REFS 7
#endif

But that doesn't match the above either! It seems Microsoft changed it again.

At this point I was really out of ideas, so let's look at the memory TAG.
I heard that the few bytes in front of an address are the TAG, so:
0: kd> dq ffffae00`5d44ab1f - 8 L1
ffffae00`5d44ab17  fff800c6`5ac5c000

A note: if you write a driver yourself and add process-callback code, you will find this address very distinctive and eye-catching.

Actually, this is a signed number; arithmetic-shifting it right by 8 bits yields the registered callback function. Code demonstration:

    SSIZE_T x = 0xfff800c65ac5c000;   // the qword read 8 bytes before the slot value
    SSIZE_T y = x >> 8;               // arithmetic shift: y == 0xfffff800c65ac5c0

0: kd> ln fffff800c65ac5c0
Browse module
Set bu breakpoint

(fffff800`c65ac5c0)   nt!ViCreateProcessCallback   |  (fffff800`c65ac5e0)   nt!IopCancelIrpsInCurrentThreadListSpecialApc
Exact matches:
    nt!ViCreateProcessCallback (void)
0: kd> u fffff800c65ac5c0
nt!ViCreateProcessCallback:
fffff800`c65ac5c0 4883ec28        sub     rsp,28h
fffff800`c65ac5c4 833dd5f9230000  cmp     dword ptr [nt!ViVerifierEnabled (fffff800`c67ebfa0)],0
fffff800`c65ac5cb 488bc2          mov     rax,rdx
fffff800`c65ac5ce 0f857acf0a00    jne     nt!ViCreateProcessCallback+0xacf8e (fffff800`c665954e)
fffff800`c65ac5d4 4883c428        add     rsp,28h
fffff800`c65ac5d8 c3              ret
fffff800`c65ac5d9 cc              int     3
fffff800`c65ac5da cc              int     3
0: kd> lmDva 0xfffff800`c65ac5c0
Browse full module list
start             end                 module name
fffff800`c648d000 fffff800`c6d62000   nt         (pdb symbols)          c:\symbols\ntkrnlmp.pdb\9378084E8DBD4AB1A155099BCE693E341\ntkrnlmp.pdb
    Loaded symbol image file: ntkrnlmp.exe
    Image path: ntkrnlmp.exe
    Image name: ntkrnlmp.exe
    Browse all global symbols  functions  data
    Timestamp:        Mon Jan  1 19:07:05 2018 (5A4A1659)
    CheckSum:         00842CC4
    ImageSize:        008D5000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4

Incidentally:
In the IDA analysis there is a bit operation (_interlockedbittestandset) on PspNotifyEnableMask; I guess this is the reason for the limit of at most 64 callbacks.
It should be 32, since it is defined as an int, not a 64-bit value.
It looks like there is also a switch here:
0: kd> dd nt!PspNotifyEnableMask L1
fffff800`c6c7aaf4  0000000f
0: kd> .formats f
Evaluate expression:
  Hex:     00000000`0000000f
  Decimal: 15
  Octal:   0000000000000000000017
  Binary:  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00001111
  Chars:   ........
  Time:    Thu Jan  1 08:00:15 1970
  Float:   low 2.10195e-044 high 0
  Double:  7.41098e-323


That completes the analysis; the others, such as the thread and image callbacks, should be similar.

Finally, as a bonus, a command/script for listing the process callback functions:
0: kd> r @$t0=(poi(nt!PspCreateProcessNotifyRoutineCount) + poi(nt!PspCreateProcessNotifyRoutineExCount));r @$t1=nt!PspCreateProcessNotifyRoutine;.for(r @$t2=0; @$t2<@$t0; r @$t2=@$t2+1){.printf /D "ProcessNotifyRoutine(%d):%y\n", (@$t2 + 1), ((poi(((poi(@$t1+@$t2*8))-@@(sizeof(void *))))>>8) | ff00000000000000)}
ProcessNotifyRoutine(1):nt!ViCreateProcessCallback (fffff800`955252f0)
ProcessNotifyRoutine(2):cng!CngCreateProcessNotifyRoutine (fffff801`82693d10)
ProcessNotifyRoutine(3):ksecdd!KsecCreateProcessNotifyRoutine (fffff801`8332be10)
ProcessNotifyRoutine(4):tcpip!CreateProcessNotifyRoutineEx (fffff801`8345a0e0)
ProcessNotifyRoutine(5):iorate!IoRateProcessCreateNotify (fffff801`8394c010)
ProcessNotifyRoutine(6):CI!I_PEProcessNotify (fffff801`82620c00)
ProcessNotifyRoutine(7):dxgkrnl!DxgkProcessNotify (fffff801`852a3020)
ProcessNotifyRoutine(8):nvlddmkm+0xe6bf4 (fffff801`871f6bf4)
ProcessNotifyRoutine(9):peauth+0x2bbd0 (fffff800`9989bbd0)    (no symbol file for this one, hence the error below)
ProcessNotifyRoutine(10):Memory access error at ')>>8) | ff00000000000000)'
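The decoding done by hand above, written out as an added C example (not the blog's code) over a constructed memory image: the proper EX_FAST_REF decode (mask the low refcount bits, read Function at +4 on 32-bit / +8 on x64) beside the "-8 then >>8" shortcut the .for script uses, checked against the XP and x64 values from the sessions above. The guest_mem window, its helpers and the demo_* names are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* MAX_FAST_REFS from the WRK, as quoted above: the low bits of each slot in
 * nt!PspCreateProcessNotifyRoutine are a fast-reference count, not address bits. */
#define MAX_FAST_REFS_X64 15u
#define MAX_FAST_REFS_X86 7u

/* A flat little-endian byte image standing in for a small window of kernel memory. */
typedef struct {
    uint64_t base;       /* virtual address represented by bytes[0] */
    uint8_t  bytes[32];
} guest_mem;

/* Read a pointer-sized value at va; returns 0 when the read falls outside the window. */
static uint64_t read_ptr(const guest_mem *m, uint64_t va, size_t ptr_size)
{
    uint64_t v = 0;
    if (va < m->base || va + ptr_size > m->base + sizeof m->bytes)
        return 0;
    memcpy(&v, m->bytes + (va - m->base), ptr_size);   /* little-endian host assumed */
    return v;
}

/* Proper decode: strip the refcount bits to reach the EX_CALLBACK_ROUTINE_BLOCK,
 * whose Function member follows the pointer-sized RundownProtect member
 * (the "+4" on 32-bit and "+8" on x64 in the notes above). */
static uint64_t decode_callback(const guest_mem *m, uint64_t slot, size_t ptr_size)
{
    uint64_t refs  = (ptr_size == 8) ? MAX_FAST_REFS_X64 : MAX_FAST_REFS_X86;
    uint64_t block = slot & ~refs;
    return read_ptr(m, block + ptr_size, ptr_size);
}

/* The shortcut from the .for script above: read the qword 8 bytes below the unmasked
 * slot value, shift right 8 and restore the kernel-space top byte. It works only because
 * the slot's low nibble is 0xf, so slot-8 lands on the last byte of RundownProtect. */
static uint64_t decode_callback_shortcut(const guest_mem *m, uint64_t slot)
{
    uint64_t raw = read_ptr(m, slot - 8, 8);
    return (raw >> 8) | 0xff00000000000000ull;
}

/* Constructed x64 image from the page's values: block at ffffae00`5d44ab10,
 * slot value ffffae00`5d44ab1f, Function fffff800`c65ac5c0 (nt!ViCreateProcessCallback).
 * Returns the slot value as dq shows it. */
static uint64_t build_x64_image(guest_mem *m)
{
    const uint64_t block = 0xffffae005d44ab10ull;
    const uint64_t func  = 0xfffff800c65ac5c0ull;
    memset(m, 0, sizeof *m);                /* RundownProtect = 0, as on the page */
    m->base = block;
    memcpy(m->bytes + 8, &func, 8);         /* Function at block + 8 */
    return block | MAX_FAST_REFS_X64;
}

/* XP 32-bit image from the page: slot e22ecc07, Function b1abeeb0 at e22ecc04. */
static uint64_t build_x86_image(guest_mem *m)
{
    const uint32_t func = 0xb1abeeb0u;
    memset(m, 0, sizeof *m);
    m->base = 0xe22ecc00ull;
    memcpy(m->bytes + 4, &func, 4);         /* Function at block + 4 */
    return 0xe22ecc07ull;
}

/* Self-checks that need no debugger; the raw-qword variant reproduces fff800c6`5ac5c000. */
static uint64_t demo_x64(int use_shortcut)
{
    guest_mem m; uint64_t slot = build_x64_image(&m);
    return use_shortcut ? decode_callback_shortcut(&m, slot) : decode_callback(&m, slot, 8);
}
static uint64_t demo_x64_raw_qword(void)
{
    guest_mem m; uint64_t slot = build_x64_image(&m);
    return read_ptr(&m, slot - 8, 8);
}
static uint64_t demo_x86(void)
{
    guest_mem m; uint64_t slot = build_x86_image(&m);
    return decode_callback(&m, slot, 4);
}
```

On a live target the mask form is the one to rely on, since the shortcut silently returns garbage for any slot whose refcount nibble is not 0xf.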


--------------------------------------------------------------------------------------------------

made by correy
made at 15:21 2018/1/4
http://correy.webs.com

Viewing and switching to a thread of a process in the kernel

0: kd> !process 81b3a020   7
PROCESS 81b3a020  SessionId: 0  Cid: 09c0    Peb: 7ffdc000  ParentCid: 0914
    DirBase: 02940340  ObjectTable: e25c91a0  HandleCount: 218.
    Image: WINWORD.EXE
    VadRoot 81ac60a0 Vads 69 Clone 0 Private 342. Modified 0. Locked 0.
    DeviceMap e1c1ea18
    Token                             e1973d48
    ElapsedTime                       00:00:55.875
    UserTime                          00:00:00.015
    KernelTime                        00:00:00.890
    QuotaPoolUsage[PagedPool]         138252
    QuotaPoolUsage[NonPagedPool]      2760
    Working Set Sizes (now,min,max)  (868, 50, 345) (3472KB, 200KB, 1380KB)
    PeakWorkingSetSize                871
    VirtualSize                       68 Mb
    PeakVirtualSize                   68 Mb
    PageFaultCount                    1496
    MemoryPriority                    BACKGROUND
    BasePriority                      8
    CommitCharge                      1021

        THREAD 81e62020  Cid 09c0.09c4  Teb: 7ffdf000 Win32Thread: e2312c20 WAIT: (Executive) KernelMode Alertable
            826d8fe4  SynchronizationEvent
        Not impersonating
        DeviceMap                 e1c1ea18
        Owning Process            0       Image:         <Unknown>
        Attached Process          81b3a020       Image:         WINWORD.EXE
        Wait Start TickCount      304841         Ticks: 3379 (0:00:00:52.796)
        Context Switch Count      1592           IdealProcessor: 0                 LargeStack
        UserTime                  00:00:00.000
        KernelTime                00:00:00.890
        Win32 Start Address WINWORD (0x300010cc)
        Start Address kernel32!BaseProcessStartThunk (0x7c810735)
        Stack Init f4fed000 Current f4feca54 Base f4fed000 Limit f4fe9000 Call 0
        Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
        ChildEBP RetAddr  Args to Child            
        f4feca6c 8050493e 81e62090 81e62020 804fc0d8 nt!KiSwapContext+0x2f (FPO: [Uses EBP] [0,0,4])
        f4feca78 804fc0d8 00000000 826d8fe4 f4e29030 nt!KiSwapThread+0x8a (FPO: [0,0,0])
        f4fecaa0 8065b61e 00000000 00000000 00000000 nt!KeWaitForSingleObject+0x1c2 (FPO: [Non-Fpo])
        f4fecac8 f4e273d2 826d8fe4 00000000 00000000 nt!VerifierKeWaitForSingleObject+0x56 (FPO: [Non-Fpo])
        f4fecaf0 f4e2914c f4fecafc 040000b6 828fcc00 ahsh!get_old_handle+0x102 (FPO: [Non-Fpo]) (CONV: stdcall) [e:\ahsh\sandbox\filter\regedit.c @ 3822]
        f4fecb14 805427e8 80002170 f4fecbd0 00000002 ahsh!HookRegQueryValueKey+0x11c (FPO: [Non-Fpo]) (CONV: stdcall) [e:\ahsh\sandbox\filter\regedit.c @ 5203]
        f4fecb14 80501b6d 80002170 f4fecbd0 00000002 nt!KiSystemServicePostCall (FPO: [0,0] TrapFrame @ f4fecb34)
        f4fecba4 8061274f 80002170 f4fecbd0 00000002 nt!ZwQueryValueKey+0x11 (FPO: [6,0,0])
        f4fecd14 80612b33 80612ac0 0012ad9c 00000001 nt!ExpGetCurrentUserUILanguage+0xed (FPO: [Non-Fpo])
        f4fecd58 805427e8 0012ad9c 0012ada0 7c92e514 nt!NtQueryDefaultUILanguage+0x49 (FPO: [Non-Fpo])
        f4fecd58 7c92e514 0012ad9c 0012ada0 7c92e514 nt!KiSystemServicePostCall (FPO: [0,0] TrapFrame @ f4fecd64)
        0012ad8c 7c92d76a 7c82f6dc 0012ad9c 3342c418 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
        0012ad90 7c82f6dc 0012ad9c 3342c418 0012adac ntdll!ZwQueryDefaultUILanguage+0xc (FPO: [1,0,0])
        0012ada0 32612b47 00000000 0012adbc 331dbc78 kernel32!GetUserDefaultUILanguage+0x10 (FPO: [Non-Fpo])
WARNING: Stack unwind information not available. Following frames may be wrong.
        0012adac 331dbc78 00000194 00000190 0012ba88 mso+0x12b47
        0012adbc 32bd9d97 0012b434 00000001 0012ade4 mso+0xbdbc78
        0012ba88 32bd99c5 00000001 33428160 0012f764 mso+0x5d9d97
        0012dd38 3260cd6e 0012f760 00000000 7c80acaf mso+0x5d99c5
        0012f734 32606e77 33428160 0012f764 0012f760 mso+0xcd6e
        0012f768 32606da8 00000000 31246ce2 0012f760 mso+0x6e77
        0012f980 312448da 31244562 31240000 7c80ae40 mso+0x6da8
        0012ff0c 300015d7 30000000 00000000 00152349 wwlib!FMain+0x378
        0012ff30 3000155d 30000000 00000000 00152349 WINWORD+0x15d7
        0012ffc0 7c816037 00200020 00200020 7ffdc000 WINWORD+0x155d
        0012fff0 00000000 300010cc 00000000 78746341 kernel32!BaseProcessStart+0x23 (FPO: [Non-Fpo])


0: kd> !thread 81e62020   7
THREAD 81e62020  Cid 09c0.09c4  Teb: 7ffdf000 Win32Thread: e2312c20 WAIT: (Executive) KernelMode Alertable
    826d8fe4  SynchronizationEvent
Not impersonating
DeviceMap                 e1c1ea18
Owning Process            0       Image:         <Unknown>
Attached Process          81b3a020       Image:         WINWORD.EXE
Wait Start TickCount      304841         Ticks: 3379 (0:00:00:52.796)
Context Switch Count      1592           IdealProcessor: 0                 LargeStack
UserTime                  00:00:00.000
KernelTime                00:00:00.890
Win32 Start Address WINWORD (0x300010cc)
Start Address kernel32!BaseProcessStartThunk (0x7c810735)
Stack Init f4fed000 Current f4feca54 Base f4fed000 Limit f4fe9000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr  Args to Child            
f4feca6c 8050493e 81e62090 81e62020 804fc0d8 nt!KiSwapContext+0x2f (FPO: [Uses EBP] [0,0,4])
f4feca78 804fc0d8 00000000 826d8fe4 f4e29030 nt!KiSwapThread+0x8a (FPO: [0,0,0])
f4fecaa0 8065b61e 00000000 00000000 00000000 nt!KeWaitForSingleObject+0x1c2 (FPO: [Non-Fpo])
f4fecac8 f4e273d2 826d8fe4 00000000 00000000 nt!VerifierKeWaitForSingleObject+0x56 (FPO: [Non-Fpo])
f4fecaf0 f4e2914c f4fecafc 040000b6 828fcc00 ahsh!get_old_handle+0x102 (FPO: [Non-Fpo]) (CONV: stdcall) [e:\ahsh\sandbox\filter\regedit.c @ 3822]
f4fecb14 805427e8 80002170 f4fecbd0 00000002 ahsh!HookRegQueryValueKey+0x11c (FPO: [Non-Fpo]) (CONV: stdcall) [e:\ahsh\sandbox\filter\regedit.c @ 5203]
f4fecb14 80501b6d 80002170 f4fecbd0 00000002 nt!KiSystemServicePostCall (FPO: [0,0] TrapFrame @ f4fecb34)
f4fecba4 8061274f 80002170 f4fecbd0 00000002 nt!ZwQueryValueKey+0x11 (FPO: [6,0,0])
f4fecd14 80612b33 80612ac0 0012ad9c 00000001 nt!ExpGetCurrentUserUILanguage+0xed (FPO: [Non-Fpo])
f4fecd58 805427e8 0012ad9c 0012ada0 7c92e514 nt!NtQueryDefaultUILanguage+0x49 (FPO: [Non-Fpo])
f4fecd58 7c92e514 0012ad9c 0012ada0 7c92e514 nt!KiSystemServicePostCall (FPO: [0,0] TrapFrame @ f4fecd64)
0012ada0 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])

0: kd> .thread  /p /r 81e62020
Implicit thread is now 81e62020
Implicit process is now 81b3a020
.cache forcedecodeuser done
Loading User Symbols
..................
0: kd> k
  *** Stack trace for last set context - .thread/.cxr resets it
ChildEBP RetAddr
f4feca6c 8050493e nt!KiSwapContext+0x2f
f4feca78 804fc0d8 nt!KiSwapThread+0x8a
f4fecaa0 8065b61e nt!KeWaitForSingleObject+0x1c2
f4fecac8 f4e273d2 nt!VerifierKeWaitForSingleObject+0x56
f4fecaf0 f4e2914c ahsh!get_old_handle+0x102 [e:\ahsh\sandbox\filter\regedit.c @ 3822]
f4fecb14 805427e8 ahsh!HookRegQueryValueKey+0x11c [e:\ahsh\sandbox\filter\regedit.c @ 5203]
f4fecb14 80501b6d nt!KiSystemServicePostCall
f4fecba4 8061274f nt!ZwQueryValueKey+0x11
f4fecd14 80612b33 nt!ExpGetCurrentUserUILanguage+0xed
f4fecd58 805427e8 nt!NtQueryDefaultUILanguage+0x49
f4fecd58 7c92e514 nt!KiSystemServicePostCall
0012ad8c 7c92d76a ntdll!KiFastSystemCallRet
0012ad90 7c82f6dc ntdll!ZwQueryDefaultUILanguage+0xc
0012ada0 32612b47 kernel32!GetUserDefaultUILanguage+0x10
WARNING: Stack unwind information not available. Following frames may be wrong.
0012adac 331dbc78 mso+0x12b47
0012adbc 32bd9d97 mso+0xbdbc78
0012ba88 32bd99c5 mso+0x5d9d97
0012dd38 3260cd6e mso+0x5d99c5
0012f734 32606e77 mso+0xcd6e
0012f768 32606da8 mso+0x6e77
0012f980 312448da mso+0x6da8
0012ff0c 300015d7 wwlib!FMain+0x378
0012ff30 3000155d WINWORD+0x15d7
0012ffc0 7c816037 WINWORD+0x155d
0012fff0 00000000 kernel32!BaseProcessStart+0x23

Translating a virtual address to a physical address

1: kd> db 400000
00400000  4d 5a 90 00 03 00 00 00-04 00 00 00 ff ff 00 00  MZ..............
00400010  b8 00 00 00 00 00 00 00-40 00 00 00 00 00 00 00  ........@.......
00400020  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
00400030  00 00 00 00 00 00 00 00-00 00 00 00 e8 00 00 00  ................
00400040  0e 1f ba 0e 00 b4 09 cd-21 b8 01 4c cd 21 54 68  ........!..L.!Th
00400050  69 73 20 70 72 6f 67 72-61 6d 20 63 61 6e 6e 6f  is program canno
00400060  74 20 62 65 20 72 75 6e-20 69 6e 20 44 4f 53 20  t be run in DOS
00400070  6d 6f 64 65 2e 0d 0d 0a-24 00 00 00 00 00 00 00  mode....$.......
1: kd> !vtop 0 400000    (in the current process context)
X86VtoP: Virt 00400000, pagedir 29801e0
X86VtoP: PAE PDPE 29801e0 - 0000000019aa2801
X86VtoP: PAE PDE 19aa2010 - 000000000f2c0867
X86VtoP: PAE PTE f2c0000 - 8000000009be0025
X86VtoP: PAE Mapped phys 9be0000
Virtual address 400000 translates to physical address 9be0000.
1: kd> !db 9be0000
# 9be0000 4d 5a 90 00 03 00 00 00-04 00 00 00 ff ff 00 00 MZ..............
# 9be0010 b8 00 00 00 00 00 00 00-40 00 00 00 00 00 00 00 ........@.......
# 9be0020 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
# 9be0030 00 00 00 00 00 00 00 00-00 00 00 00 e8 00 00 00 ................
# 9be0040 0e 1f ba 0e 00 b4 09 cd-21 b8 01 4c cd 21 54 68 ........!..L.!Th
# 9be0050 69 73 20 70 72 6f 67 72-61 6d 20 63 61 6e 6e 6f is program canno
# 9be0060 74 20 62 65 20 72 75 6e-20 69 6e 20 44 4f 53 20 t be run in DOS
# 9be0070 6d 6f 64 65 2e 0d 0d 0a-24 00 00 00 00 00 00 00 mode....$.......


Method two:
1: kd> !process 0 0 explorer.exe
PROCESS 8206d730  SessionId: 0  Cid: 0654    Peb: 7ffd9000  ParentCid: 05e4
    DirBase: 029801e0  ObjectTable: e16c6460  HandleCount: 322.
    Image: explorer.exe

1: kd> !vtop 029801e0  400000
X86VtoP: Virt 00400000, pagedir 29801e0
X86VtoP: PAE PDPE 29801e0 - 0000000019aa2801
X86VtoP: PAE PDE 19aa2010 - 000000000f2c0867
X86VtoP: PAE PTE f2c0000 - 8000000009be0025
X86VtoP: PAE Mapped phys 9be0000
Virtual address 400000 translates to physical address 9be0000.
1: kd> !db 9be0000
# 9be0000 4d 5a 90 00 03 00 00 00-04 00 00 00 ff ff 00 00 MZ..............
# 9be0010 b8 00 00 00 00 00 00 00-40 00 00 00 00 00 00 00 ........@.......
# 9be0020 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
# 9be0030 00 00 00 00 00 00 00 00-00 00 00 00 e8 00 00 00 ................
# 9be0040 0e 1f ba 0e 00 b4 09 cd-21 b8 01 4c cd 21 54 68 ........!..L.!Th
# 9be0050 69 73 20 70 72 6f 67 72-61 6d 20 63 61 6e 6e 6f is program canno
# 9be0060 74 20 62 65 20 72 75 6e-20 69 6e 20 44 4f 53 20 t be run in DOS
# 9be0070 6d 6f 64 65 2e 0d 0d 0a-24 00 00 00 00 00 00 00 mode....$.......


1: kd> r cr3
cr3=029801e0


These methods don't compute anything by hand; they use the debugger commands, so they should work on 32-bit PAE and non-PAE systems as well as on x64.
Another command is !pte, which is not demonstrated here.



The following is excerpted from: http://blogs.msdn.com/b/ntdebugging/archive/2010/06/22/part-3-understanding-pte-non-pae-and-x64.aspx
The PAE bit is bit number five, which is the sixth bit due to bit numbering starting at zero. You can see PAE is not enabled on this system.

       0: kd> .formats @cr4

  Binary:  00000000 00000000 00000110 11010001
                                        543210    (bit numbers added by me)
 Another method of checking this:

               1: kd> j ((@cr4 & 0y00000000000000000000000000100000) != 0) '.echo PAE flag Enabled';'.echo PAE flag Disabled'

PAE flag Enabled


--------------------------------------------------------------------------------------------------------------------------------------------------
Analysis on a 64-bit system:


1: kd> !process 0 0 explorer.exe
PROCESS fffffa801aab4b30
    SessionId: 1  Cid: 06b0    Peb: 7fffffd8000  ParentCid: 0650
    DirBase: 64e06000  ObjectTable: fffff8a001495e00  HandleCount: 796.
    Image: explorer.exe

1: kd> .process /r /p fffffa801aab4b30
Implicit process is now fffffa80`1aab4b30
.cache forcedecodeuser done
Loading User Symbols
................................................................
................................................................
....................
1: kd> db 40000
00000000`00040000  41 63 74 78 20 00 00 00-01 00 00 00 b8 1f 00 00  Actx ...........
00000000`00040010  94 00 00 00 00 00 00 00-20 00 00 00 00 00 00 00  ........ .......
00000000`00040020  14 00 00 00 01 00 00 00-04 00 00 00 34 00 00 00  ............4...
00000000`00040030  34 01 00 00 01 00 00 00-00 00 00 00 00 00 00 00  4...............
00000000`00040040  00 00 00 00 00 00 00 00-00 00 00 00 02 00 00 00  ................
00000000`00040050  00 00 00 00 00 00 00 00-00 00 00 00 f8 01 00 00  ................
00000000`00040060  56 01 00 00 00 00 00 00-cd ea ce 32 50 03 00 00  V..........2P...
00000000`00040070  42 00 00 00 94 03 00 00-3c 03 00 00 00 00 00 00  B.......<.......
1: kd> !vtop 0 40000
Amd64VtoP: Virt 00000000`00040000, pagedir 64e06000
Amd64VtoP: PML4E 64e06000
Amd64VtoP: PDPE 64a07000
Amd64VtoP: PDE 64a4e000
Amd64VtoP: PTE 64fcf200
Amd64VtoP: Mapped phys 64d06000
Virtual address 40000 translates to physical address 64d06000.
1: kd> !db 64d06000
#64d06000 41 63 74 78 20 00 00 00-01 00 00 00 b8 1f 00 00 Actx ...........
#64d06010 94 00 00 00 00 00 00 00-20 00 00 00 00 00 00 00 ........ .......
#64d06020 14 00 00 00 01 00 00 00-04 00 00 00 34 00 00 00 ............4...
#64d06030 34 01 00 00 01 00 00 00-00 00 00 00 00 00 00 00 4...............
#64d06040 00 00 00 00 00 00 00 00-00 00 00 00 02 00 00 00 ................
#64d06050 00 00 00 00 00 00 00 00-00 00 00 00 f8 01 00 00 ................
#64d06060 56 01 00 00 00 00 00 00-cd ea ce 32 50 03 00 00 V..........2P...
#64d06070 42 00 00 00 94 03 00 00-3c 03 00 00 00 00 00 00 B.......<.......
1: kd> !vtop 64e06000   40000
Amd64VtoP: Virt 00000000`00040000, pagedir 64e06000
Amd64VtoP: PML4E 64e06000
Amd64VtoP: PDPE 64a07000
Amd64VtoP: PDE 64a4e000
Amd64VtoP: PTE 64fcf200
Amd64VtoP: Mapped phys 64d06000
Virtual address 40000 translates to physical address 64d06000.
1: kd> !db 64d06000
#64d06000 41 63 74 78 20 00 00 00-01 00 00 00 b8 1f 00 00 Actx ...........
#64d06010 94 00 00 00 00 00 00 00-20 00 00 00 00 00 00 00 ........ .......
#64d06020 14 00 00 00 01 00 00 00-04 00 00 00 34 00 00 00 ............4...
#64d06030 34 01 00 00 01 00 00 00-00 00 00 00 00 00 00 00 4...............
#64d06040 00 00 00 00 00 00 00 00-00 00 00 00 02 00 00 00 ................
#64d06050 00 00 00 00 00 00 00 00-00 00 00 00 f8 01 00 00 ................
#64d06060 56 01 00 00 00 00 00 00-cd ea ce 32 50 03 00 00 V..........2P...
#64d06070 42 00 00 00 94 03 00 00-3c 03 00 00 00 00 00 00 B.......<.......
1: kd> r cr3
cr3=0000000000187000
1: kd> r cr4
cr4=00000000000406f8
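As an added example that is not part of the original notes, a C replay of the walk that !vtop prints, covering both the PAE session above (entry values exactly as the page shows them) and the x64 session (the page prints only the entry addresses, so those entry values are constructed from the next-level addresses it shows). The sparse phys_mem simulation and the demo_* names are assumptions of this example; large pages are not handled.

```c
#include <stddef.h>
#include <stdint.h>

/* Physical memory stands in as a sparse list of (physical address, 8-byte entry). */
typedef struct { uint64_t pa; uint64_t value; } phys_entry;
typedef struct { const phys_entry *entries; size_t n; } phys_mem;

static int phys_read64(const phys_mem *pm, uint64_t pa, uint64_t *out)
{
    for (size_t i = 0; i < pm->n; i++)
        if (pm->entries[i].pa == pa) { *out = pm->entries[i].value; return 1; }
    return 0;                          /* nothing at that address in the simulation */
}

#define ENTRY_PRESENT  1ull
#define ENTRY_PFN_MASK 0x000ffffffffff000ull  /* bits 12..51: next table or final frame */

/* One paging mode = the VA bit position and index width of each level, top first.
 * PAE: a 2-bit PDPT index, then 9+9; x64: four 9-bit indexes. The PS bit (large
 * pages) is ignored, so only 4 KB mappings like the ones above are covered. */
typedef struct { const int *shifts, *bits; int levels; } paging_mode;
static const int pae_shifts[] = {30, 21, 12}, pae_bits[] = {2, 9, 9};
static const int x64_shifts[] = {39, 30, 21, 12}, x64_bits[] = {9, 9, 9, 9};
static const paging_mode pae_mode = {pae_shifts, pae_bits, 3};
static const paging_mode x64_mode = {x64_shifts, x64_bits, 4};

/* Replays what !vtop prints: trace[] receives the physical address of the entry read
 * at each level. Returns 1 and the final physical address, or 0 when an entry is
 * missing or not present. dirbase is the process DirBase, i.e. its cr3 value. */
static int vtop(const phys_mem *pm, const paging_mode *mode, uint64_t dirbase,
                uint64_t va, uint64_t *pa_out, uint64_t trace[4])
{
    uint64_t table = dirbase;
    for (int lvl = 0; lvl < mode->levels; lvl++) {
        uint64_t idx = (va >> mode->shifts[lvl]) & ((1ull << mode->bits[lvl]) - 1);
        uint64_t entry_pa = table + idx * 8, entry = 0;
        if (trace) trace[lvl] = entry_pa;
        if (!phys_read64(pm, entry_pa, &entry) || !(entry & ENTRY_PRESENT))
            return 0;
        table = entry & ENTRY_PFN_MASK;
    }
    *pa_out = table | (va & 0xfff);
    return 1;
}

/* PAE entries exactly as the 32-bit !vtop output above prints them (address - value). */
static const phys_entry pae_entries[] = {
    {0x029801e0ull, 0x0000000019aa2801ull},  /* PDPE */
    {0x19aa2010ull, 0x000000000f2c0867ull},  /* PDE  */
    {0x0f2c0000ull, 0x8000000009be0025ull},  /* PTE; bit 63 is NX */
};

/* x64 entries: the page shows only the entry addresses, so the values are constructed
 * here from the next-level addresses it shows plus typical present/RW/user flag bits. */
static const phys_entry x64_entries[] = {
    {0x64e06000ull, 0x64a07000ull | 0x67},   /* PML4E -> PDPT  (constructed) */
    {0x64a07000ull, 0x64a4e000ull | 0x67},   /* PDPE  -> PD    (constructed) */
    {0x64a4e000ull, 0x64fcf000ull | 0x67},   /* PDE   -> PT    (constructed) */
    {0x64fcf200ull, 0x64d06000ull | 0x25},   /* PTE   -> frame (constructed) */
};

/* Wrappers for the two sessions above; they return 0 when va is not mapped. */
static uint64_t demo_pae_vtop(uint64_t va, uint64_t trace[4])
{
    phys_mem pm = { pae_entries, sizeof pae_entries / sizeof pae_entries[0] };
    uint64_t pa = 0;
    return vtop(&pm, &pae_mode, 0x029801e0ull, va, &pa, trace) ? pa : 0;
}
static uint64_t demo_x64_vtop(uint64_t va, uint64_t trace[4])
{
    phys_mem pm = { x64_entries, sizeof x64_entries / sizeof x64_entries[0] };
    uint64_t pa = 0;
    return vtop(&pm, &x64_mode, 0x64e06000ull, va, &pa, trace) ? pa : 0;
}
```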



Another approach:
http://blogs.technet.com/b/marcelofartura/archive/2008/11/20/how-to-manually-translate-virtual-addresses-into-physical-ones.aspx
d* /p VA




made by correy
made at 2014.12.25

Debugging a VBS MsgBox with WinDbg

VBS can be debugged with VS, mainly because it has a /X parameter.

Below are the results of debugging VBS in WinDbg:
The breakpoint is:
bu USER32!MessageBoxWorker

rather than:
USER32!MessageBoxA
USER32!MessageBoxW
USER32!MessageBoxIndirectW

The call stack is:
0:000> kv
Child-SP          RetAddr           : Args to Child                                                           : Call Site
00000000`002acd00 000007fe`efa713f5 : 00000000`00010000 00000000`0044f000 00000000`00000000 00000000`002ade90 : USER32!MessageBoxIndirectW+0x73
00000000`002acdd0 000007fe`efa7242a : 00000000`0046c8a8 00000000`00000000 00000000`00000001 00000000`00000000 : vbscript!DisplayMessageBox+0x1b9
00000000`002ae6f0 000007fe`efa123ce : 000007fe`efa851f8 00000000`002ae850 00000000`0046c928 00000000`002aec10 : vbscript!VbsMsgBox+0x16e
00000000`002ae750 000007fe`efa16841 : 00000000`002aec10 00000000`00000000 00000000`002aec10 00000000`00000000 : vbscript!CScriptRuntime::RunNoEH+0xe1e
00000000`002aeb70 000007fe`efa16762 : 00000000`002aec10 00000000`00000000 00000000`001af870 00000000`002aecd0 : vbscript!CScriptRuntime::Run+0xad
00000000`002aebd0 000007fe`efa1837d : 00000000`00000000 00000000`00000000 00000000`001af870 00000000`00000000 : vbscript!CScriptEntryPoint::Call+0xf2
00000000`002aee70 000007fe`efa181c5 : 00000000`001af870 00000000`002aef79 00000000`00000000 00000000`00000000 : vbscript!CSession::Execute+0x10d
00000000`002aef10 000007fe`efa18026 : 00000000`00000000 00000000`001af870 00000000`00000000 00000000`00000000 : vbscript!COleScript::ExecutePendingScripts+0x177
00000000`002aefe0 00000000`fffac127 : 00000000`002af970 00000000`002af970 00000000`00000000 00000000`00000000 : vbscript!COleScript::SetScriptState+0xdd
00000000`002af020 00000000`fffabd01 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`003c3b08 : wscript!CHost::RunStandardScript+0x29f
00000000`002af070 00000000`fffad704 : ffffffff`80000001 ffffffff`80000001 00000000`00000001 00000000`00000070 : wscript!CHost::Execute+0x1d5
00000000`002af330 00000000`fffaae94 : 00000000`00000074 00000000`fffa0000 00000000`00000001 00000000`001a2620 : wscript!CHost::Main+0x518
00000000`002af940 00000000`fffab137 : 00000000`00000000 00000000`00000001 00000000`00000035 00000000`001a259a : wscript!StringCchPrintfA+0xf7c
00000000`002afc60 00000000`fffa97d2 : 00000000`fffa0000 00000000`fffa0000 00000000`00000000 00000000`00000000 : wscript!WinMain+0x1ff
00000000`002afcc0 00000000`772759ed : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : wscript!WinMainCRTStartup+0x9e
00000000`002afd60 00000000`773ac541 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0xd
00000000`002afd90 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x1d

The process is of course the host; in this example, wscript.


On how the breakpoint USER32!MessageBoxWorker was found:
After attaching to the process, open the Processes and Threads window and click through each thread one by one; one of the threads must be the one that popped up the message box.
The message box API can be found in that thread's stack.

Summary of !list command usage

Function:
The !list extension executes the specified debugger commands repeatedly, once for every element in a linked list.
That is, it enumerates/traverses a linked list.

Usage:
!list -t [Module!]Type.Field -x "Commands" [-a "Arguments"] [Options] StartAddress
!list " -t [Module!]Type.Field -x \"Commands\" [-a \"Arguments\"] [Options] StartAddress "
!list -h

The third form shows the help, though it contains less than the WinDbg help documentation.
The first form is recommended; the second may be useful in other situations, such as scripts.


Example:
Here the process structure is used as the example.


1: kd> !list -t nt!_EPROCESS.ImageFileName -x "dp" -e poi(nt!PsActiveProcessHead)
dp 0xffffffff8214e6e8
8214e6e8  81e1fd80 805648b8 00000000 00000000
8214e6f8  00000000 00000000 00000000 00000000
8214e708  00000007 00299000 001ca000 00000000
8214e718  00000000 00000000 00000000 e1003e38
8214e728  e1000add 00000001 f88fabe4 00000000
8214e738  00040001 00000000 8214e740 8214e740
8214e748  00000000 000028c6 00000001 f88fabe4
8214e758  00000000 00040001 00000000 8214e764
1: kd> !list -t nt!eprocess.ImageFileName -x "dp" -e poi(nt!PsActiveProcessHead)
GetFieldOffset failed for nt!eprocess.ImageFileName

Notes:
1. Mind the case of the structure name.
2. The structure should be a linked list; otherwise it doesn't seem to iterate.
3. -e is a display option for the command; it does not display every member of the structure.
4. -m Max controls the number of iterations displayed, which is useful in some cases.

1: kd> !list -t nt!_LIST_ENTRY.Flink -x "dp" -e -m 3 poi(nt!PsActiveProcessHead)
dp 0xffffffff8214e6e8
8214e6e8  81e1fd80 805648b8 00000000 00000000
8214e6f8  00000000 00000000 00000000 00000000
8214e708  00000007 00299000 001ca000 00000000
8214e718  00000000 00000000 00000000 e1003e38
8214e728  e1000add 00000001 f88fabe4 00000000
8214e738  00040001 00000000 8214e740 8214e740
8214e748  00000000 000028c6 00000001 f88fabe4
8214e758  00000000 00040001 00000000 8214e764

dp 0xffffffff81e1fd80
81e1fd80  81f5b350 8214e6e8 00000280 000017b4
81e1fd90  0000002b 00001318 00006bd4 000001a3
81e1fda0  0000002b 00e45000 003ab000 00000000
81e1fdb0  00000000 00000000 00000000 e13604c0
81e1fdc0  e17933d7 00000001 f80f5cb8 00000000
81e1fdd0  00040001 00000000 81e1fdd8 81e1fdd8
81e1fde0  00000000 0000c0c0 00000001 f80f5cb8
81e1fdf0  00000000 00040001 00000000 81e1fdfc

dp 0xffffffff81f5b350
81f5b350  81dfba08 81e1fd80 00006560 0002157c
81f5b360  00000be8 000075f8 000215a4 00000bef
81f5b370  00000be8 04762000 0475f000 81dfba34
81f5b380  f89bb014 00000000 00000000 e1759e50
81f5b390  e174bde1 00000001 f853ed00 00000003
81f5b3a0  00040001 00000000 81f5b3a8 81f5b3a8
81f5b3b0  00000000 0000d627 00000001 f853ed04
81f5b3c0  00000005 00040001 00000000 81f5b3cc


!list -t nt!_LIST_ENTRY.Flink -x "dt nt!_EPROCESS UniqueProcessId ImageFileName @@(#CONTAINING_RECORD(@$extret, nt!_EPROCESS, ActiveProcessLinks))" poi(nt!PsActiveProcessHead)
This command is taken from: http://bbs.pediy.com/showthread.php?t=43835
Note: dt nt!_EPROCESS UniqueProcessId ImageFileName @@(#CONTAINING_RECORD(@$extret, nt!_EPROCESS, ActiveProcessLinks))
This is a dt command; try entering it yourself to see the effect. dt is quite powerful and can also display linked lists; see the WinDbg help documentation. There are still many parameters I haven't worked out.

Exercise:
Use WinDbg to display the VadRoot contents of a process.


An example that ran successfully: !list -t nt!_LIST_ENTRY.Flink -x "dt _enumerate_key key_path @@(#CONTAINING_RECORD(@$extret, enumerate_key, le))" -e poi(g_register_key_le)

made by correy
made at 2015.01.22