Tuesday, February 17, 2015

Debugging a VBS MsgBox with WinDbg

VBS can be debugged with Visual Studio, mainly because it has the /X switch.

Below is the result of debugging a VBS script in WinDbg.
The breakpoint is:
bu USER32!MessageBoxWorker

and not:
USER32!MessageBoxA
USER32!MessageBoxW
USER32!MessageBoxIndirectW

The call stack is:
0:000> kv
Child-SP          RetAddr           : Args to Child                                                           : Call Site
00000000`002acd00 000007fe`efa713f5 : 00000000`00010000 00000000`0044f000 00000000`00000000 00000000`002ade90 : USER32!MessageBoxIndirectW+0x73
00000000`002acdd0 000007fe`efa7242a : 00000000`0046c8a8 00000000`00000000 00000000`00000001 00000000`00000000 : vbscript!DisplayMessageBox+0x1b9
00000000`002ae6f0 000007fe`efa123ce : 000007fe`efa851f8 00000000`002ae850 00000000`0046c928 00000000`002aec10 : vbscript!VbsMsgBox+0x16e
00000000`002ae750 000007fe`efa16841 : 00000000`002aec10 00000000`00000000 00000000`002aec10 00000000`00000000 : vbscript!CScriptRuntime::RunNoEH+0xe1e
00000000`002aeb70 000007fe`efa16762 : 00000000`002aec10 00000000`00000000 00000000`001af870 00000000`002aecd0 : vbscript!CScriptRuntime::Run+0xad
00000000`002aebd0 000007fe`efa1837d : 00000000`00000000 00000000`00000000 00000000`001af870 00000000`00000000 : vbscript!CScriptEntryPoint::Call+0xf2
00000000`002aee70 000007fe`efa181c5 : 00000000`001af870 00000000`002aef79 00000000`00000000 00000000`00000000 : vbscript!CSession::Execute+0x10d
00000000`002aef10 000007fe`efa18026 : 00000000`00000000 00000000`001af870 00000000`00000000 00000000`00000000 : vbscript!COleScript::ExecutePendingScripts+0x177
00000000`002aefe0 00000000`fffac127 : 00000000`002af970 00000000`002af970 00000000`00000000 00000000`00000000 : vbscript!COleScript::SetScriptState+0xdd
00000000`002af020 00000000`fffabd01 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`003c3b08 : wscript!CHost::RunStandardScript+0x29f
00000000`002af070 00000000`fffad704 : ffffffff`80000001 ffffffff`80000001 00000000`00000001 00000000`00000070 : wscript!CHost::Execute+0x1d5
00000000`002af330 00000000`fffaae94 : 00000000`00000074 00000000`fffa0000 00000000`00000001 00000000`001a2620 : wscript!CHost::Main+0x518
00000000`002af940 00000000`fffab137 : 00000000`00000000 00000000`00000001 00000000`00000035 00000000`001a259a : wscript!StringCchPrintfA+0xf7c
00000000`002afc60 00000000`fffa97d2 : 00000000`fffa0000 00000000`fffa0000 00000000`00000000 00000000`00000000 : wscript!WinMain+0x1ff
00000000`002afcc0 00000000`772759ed : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : wscript!WinMainCRTStartup+0x9e
00000000`002afd60 00000000`773ac541 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0xd
00000000`002afd90 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x1d

Naturally, the process being debugged is the script host; in this example it is wscript.


How the breakpoint USER32!MessageBoxWorker was found:
After attaching to the process, open the Processes and Threads window and click through the threads one by one; one of them must be the thread that displayed the message box.
From that thread's stack you can find the message box API.
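As an added example (not from the original post), the following WinDbg session attaches to wscript.exe and dumps the caption and text a script passes to MsgBox by breaking on USER32!MessageBoxIndirectW, the frame directly above vbscript!DisplayMessageBox in the stack shown above. It assumes a 64-bit host, so the single MSGBOXPARAMSW pointer argument arrives in rcx and the field offsets follow the public x64 layout (lpszText at +0x18, lpszCaption at +0x20).

```windbg
* Added example, not part of the original post. Assumes a 64-bit wscript.exe;
* on x64 MessageBoxIndirectW receives one argument, a MSGBOXPARAMSW*, in rcx.
* Public x64 layout of MSGBOXPARAMSW: cbSize +0x00, hwndOwner +0x08,
* hInstance +0x10, lpszText +0x18, lpszCaption +0x20, dwStyle +0x28.
.symfix
.reload

* Stop in the documented entry point that vbscript!DisplayMessageBox calls,
* print the caption and message text as wide strings, show a short clean
* stack so the vbscript frames are visible, then resume the script.
bu USER32!MessageBoxIndirectW "du poi(@rcx+0x20); du poi(@rcx+0x18); kc 6; gc"

* The post's own breakpoint, kept for comparison. MessageBoxWorker is an
* internal routine reached from all MessageBox* variants, so it also fires
* for callers that use MessageBoxA/W rather than MessageBoxIndirectW.
bu USER32!MessageBoxWorker

g
```

With the first breakpoint the analyst sees the exact strings the script hands to MsgBox without having to stop at the internal worker, while the second catches message boxes raised through any of the public MessageBox entry points.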
