从xp开始的用户态调试模型:
image.png
上面的右侧是调试器进程(Debugger Process),左侧是被调试进程(Debuggee Process);这两者之间有一个远程API,它是为了访问内存方便用的;调试事件是通过内核沟通的;
image.png
比如:被调试进程中设立一个int 3断点命中,CPU一下子切换到内核模式,然后一下子跳到KiTrap03这个函数(在内核里面),KiTrap03进行分发异常,分发异常之后,著名的KiDispatchException()会通知调试子系统,支持用户态调试的就是DbgKForwardException,它会判断有没有调试器,如果有,会继往上发,DbgkpsendApiMessage,接下来会DbgkpqueDeMessage,q一个调试事件(在内核的一个特殊的调试队列里面,调试队列模型它是一个双向链表),有对应一个Event,有队列之后,内核就set一个event,调试器通常是在等待一个Event,在做一个WaiterForDeBugEvent();一set Event,调试器就会被唤醒,Event就会被'拿'上去,拿上去之后,开始处理这个Event的时候,发现这是一个断点,就开始显示界面,大家就看到调试界面了,
image.png
整个Windows调试模型,是以调试事件驱动的,刚才说的断点就是一个特殊的异常,是一个异常调试事件,类似的,还有创建线程(Create_Thread_Debug_Event),创建进程Create_Process_Debug_Event),线程退出,进程退出,dll加载,dll卸载……(详见上图右侧),
Xp之前的:(一旦开始调试,调试器与被调试器生死与共,xp改进了这一点,调试器与被调试器可以分离调试)
image.png
调试器的工作线程:
image.png
调试一个新程序,就靠CreateProcess这样一个API,指定DeBug_PRocess这样一个Flag,即:创建新进程并建立一个调试会话,如果是调试一个已经运行的进程,利用DebugActiveProcess()这个API,就附加到这个进程上去,然后调试器就WaitForDebugEvent()循环,和写窗口消息循环很类似,通常一个WinDbg调试器就是一个UI线程,做一个UI的消息循环,然后调试器的事件循环,专门在While循环这里等待事件,处理事件,来个事件就做个处理,处理好之后,用户一选go,被调试的就会被唤醒,ContinueDebugEvent();
_Debug_EVEnt就是一个结构体,里面有一个联合体,联合体里面就是不同的调试事件类型;
image.png
image.png
异常的来源(用户态):
分为CPU产生的异常,程序产生的异常:
image.png
GP:通用的保护错误
机器检查异常:CPU发现的硬件层错误,比如:PCI总线,PCI设备等严重错误,内存校验错误,缓冲错误;
Windows里面有一个著名的API,叫RaiseException,它是专门让应用软件模拟一个硬件异常(比如说报告一个异常);C++和C#里面的关键字throw都是会调用RaiseException,RaiseException就进入到内核,进入到内核之后,经过内核处理,就和硬件异常统一在一起!
下面做一个小实验:(演示环境:64位的Windows)
打开一个64位的WinDbg:
先运行一个64位的Notepad,然后打开64位的WinDbg(将WinDbg attach到这个Notepad上面;):
image.png
image.png
这里重新启动了一次Notepad,所以PID改了:
image.png
image.png
attach之后,我们就发现notepad不能动了!这也是用户态的一个特点!
当调试器附加到一个进程上之后,这个进程是属于Free的状态,
可以按~* 命令:
image.png
notepad现在有若干个线程!(这里有8个!)
可以看一下0号线程:
可以~0 K
image.png
可以看到0号线程的栈回溯:
image.png
重新配置一下符号之后:
image.png
正确的栈回溯(~0 k,对0号线程进行栈回溯)应该是这样(可能这里符号配置出现了问题):
image.png
Winmain为程序的入口,上面是GetMessage,Winmain的0号UI线程在做消息循环,在等待消息,也就是说我们在break下来的时候0号线程在等消息,
这是在我自己的WinDbg里面的操作:
0:007> ~1 k
Child-SP RetAddr Call Site
00000035`f1dff428 00007ff9`205949dd ntdll!NtWaitForWorkViaWorkerFactory+0x14
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\System32\KERNEL32.DLL -
00000035`f1dff430 00007ff9`1f6d1fe4 ntdll!TppWorkerThread+0x71d
00000035`f1dff7c0 00007ff9`205cefb1 KERNEL32!BaseThreadInitThunk+0x14
00000035`f1dff7f0 00000000`00000000 ntdll!RtlUserThreadStart+0x21
0:007> ~2 k
Child-SP RetAddr Call Site
00000035`f1effbc8 00007ff9`205949dd ntdll!NtWaitForWorkViaWorkerFactory+0x14
00000035`f1effbd0 00007ff9`1f6d1fe4 ntdll!TppWorkerThread+0x71d
00000035`f1efff60 00007ff9`205cefb1 KERNEL32!BaseThreadInitThunk+0x14
00000035`f1efff90 00000000`00000000 ntdll!RtlUserThreadStart+0x21
0:007> ~3 k
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\System32\KERNELBASE.dll -
Child-SP RetAddr Call Site
00000035`f20ffc08 00007ff9`1c6d8dba ntdll!NtDelayExecution+0x14
*** ERROR: Module load completed but symbols could not be loaded for D:\Program Files\Notepad++\notepad++.exe
00000035`f20ffc10 00007ff7`39eba432 KERNELBASE!SleepEx+0x9a
00000035`f20ffcb0 00007ff9`1f6d1fe4 notepad__+0x6a432
00000035`f20ffce0 00007ff9`205cefb1 KERNEL32!BaseThreadInitThunk+0x14
00000035`f20ffd10 00000000`00000000 ntdll!RtlUserThreadStart+0x21
0:007> ~4 k
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\System32\USER32.dll -
Child-SP RetAddr Call Site
00000035`f21ffa38 00007ff9`1e8e1b2d win32u!NtUserMsgWaitForMultipleObjectsEx+0x14
00000035`f21ffa40 00007ff8`f88918d5 USER32!MsgWaitForMultipleObjectsEx+0x9d
00000035`f21ffa80 00007ff8`f8891552 DUser!CoreSC::xwProcessNL+0x185
00000035`f21ffb10 00007ff9`1e8e6b54 DUser!MphProcessMessage+0xb2
00000035`f21ffb70 00007ff9`20603b44 USER32!SetTimer+0xe4
00000035`f21ffc10 00007ff9`1c4b1144 ntdll!KiUserCallbackDispatcherContinue
00000035`f21ffc88 00007ff9`1e8e3f76 win32u!NtUserGetMessage+0x14
00000035`f21ffc90 00007ff8`ff8b31ef USER32!GetMessageW+0x26
00000035`f21ffcc0 00007ff8`f6f51b60 DUI70!StartMessagePump+0x2f
00000035`f21ffd20 00007ff8`f6f51c2c msctfuimanager!CCommandingUI::_UIThreadProc+0x1cc
00000035`f21ffde0 00007ff9`1f6d1fe4 msctfuimanager!CCommandingUI::UIThreadProc+0x4c
00000035`f21ffe10 00007ff9`205cefb1 KERNEL32!BaseThreadInitThunk+0x14
00000035`f21ffe40 00000000`00000000 ntdll!RtlUserThreadStart+0x21
0:007> ~5 k
Child-SP RetAddr Call Site
00000035`f22ff888 00007ff9`1e8e1b2d win32u!NtUserMsgWaitForMultipleObjectsEx+0x14
00000035`f22ff890 00007ff8`f8891a6a USER32!MsgWaitForMultipleObjectsEx+0x9d
00000035`f22ff8d0 00007ff8`f8883b07 DUser!CoreSC::xwProcessNL+0x31a
00000035`f22ff960 00007ff8`f88846d3 DUser!GetMessageExA+0x67
00000035`f22ff9b0 00007ff9`1f41a8e6 DUser!ResourceManager::SharedThreadProc+0xf3
00000035`f22ffa40 00007ff9`1f41a9bc msvcrt!_callthreadstartex+0x1e
00000035`f22ffa70 00007ff9`1f6d1fe4 msvcrt!_threadstartex+0x7c
00000035`f22ffaa0 00007ff9`205cefb1 KERNEL32!BaseThreadInitThunk+0x14
00000035`f22ffad0 00000000`00000000 ntdll!RtlUserThreadStart+0x21
0:007> ~6 k
Child-SP RetAddr Call Site
00000035`f24ff8b8 00007ff9`1c6da966 ntdll!NtWaitForMultipleObjects+0x14
00000035`f24ff8c0 00007ff9`1c6da84e KERNELBASE!WaitForMultipleObjectsEx+0x106
00000035`f24ffbc0 00007ff8`fff81be6 KERNELBASE!WaitForMultipleObjects+0xe
00000035`f24ffc00 00007ff9`1f6d1fe4 msiltcfg!WorkerThread+0x66
00000035`f24ffc80 00007ff9`205cefb1 KERNEL32!BaseThreadInitThunk+0x14
00000035`f24ffcb0 00000000`00000000 ntdll!RtlUserThreadStart+0x21
0:007> ~7 k
Child-SP RetAddr Call Site
00000035`f26fff18 00007ff9`206301cb ntdll!DbgBreakPoint
00000035`f26fff20 00007ff9`1f6d1fe4 ntdll!DbgUiRemoteBreakin+0x4b
00000035`f26fff50 00007ff9`205cefb1 KERNEL32!BaseThreadInitThunk+0x14
00000035`f26fff80 00000000`00000000 ntdll!RtlUserThreadStart+0x21
0:007> ~0 k
Child-SP RetAddr Call Site
00000035`f1866a00 00007ff9`1e8c62d8 KERNELBASE!GetUserDefaultLCID+0x68
00000035`f1866a30 00007ff7`39ed1584 USER32!IsDialogMessageW+0x28
00000035`f1866a90 00007ff7`39f6c023 notepad__+0x81584
00000035`f1866ac0 00007ff7`39f7a41f notepad__+0x11c023
00000035`f18ff780 00007ff9`1f6d1fe4 notepad__+0x12a41f
00000035`f18ff7c0 00007ff9`205cefb1 KERNEL32!BaseThreadInitThunk+0x14
00000035`f18ff7f0 00000000`00000000 ntdll!RtlUserThreadStart+0x21
再看一看1号线程:
image.png
我们break下来的时候,0号线程在等消息,
1号线程有一个
DbgUiRemoteBreakin,然后执行一个DbgBreakPoint,再U一下:
0:007> u
ntdll!DbgBreakPoint:
00007ff9`20603800 cc int 3
00007ff9`20603801 c3 ret
00007ff9`20603802 cc int 3
00007ff9`20603803 cc int 3
00007ff9`20603804 cc int 3
00007ff9`20603805 cc int 3
00007ff9`20603806 cc int 3
00007ff9`20603807 cc int 3
发现DbgBreakPoint执行一个int 3指令;
再r一下,发现break现场也是在执行int3指令;
0:007> r
rax=00000035f175a000 rbx=0000000000000000 rcx=0000000000000000
rdx=00007ff920630180 rsi=0000000000000000 rdi=0000000000000000
rip=00007ff920603800 rsp=00000035f26fff18 rbp=0000000000000000
r8=0000000000000000 r9=00007ff920630180 r10=0000000000000000
r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl zr na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000244
ntdll!DbgBreakPoint:
00007ff9`20603800 cc int 3
这是为什么?
调试器进程要把被调试进程中断下来可以有好几种方法:
1.创建一个远程中断线程(RemoteBreakIn),这个线程的作用就是触发一个int 3,被调试进程本来没有1号线程,1号线程完全是调试器创建的,调试器通过CreateRemoteThread,这样的一个API创建了这样的一个线程,这个线程起来之后执行break,break一执行,CPU就跳到内核态,然后分发异常,最后调试器收到,在分发异常的过程中,内核会把调试器的所有线程都frees掉,所以当我们在调试器里break下来的时候的时候,被调试进程是完全不动的,因为所有线程被frees掉了
image.png
当我们go的时候,调试器执行Continue_Debug_Event,被调试进程就能够活动了;
再做一个演示:
指令g之后做下面这个动作
再在notepad里面做一些操作:
image.png
可以看到readfile被触发了,再k一下就知道是谁调用了readFile,(指令全记录,四处打*的地方)
0:014> x ntdll!*readfile //**********************
00007ff9`2067090c ntdll!ResReadFile (<no parameter info>)
00007ff9`20643504 ntdll!LdrpResReadFile (<no parameter info>)
00007ff9`205fff20 ntdll!ZwReadFile (<no parameter info>)
00007ff9`205fff20 ntdll!NtReadFile (<no parameter info>)
0:014> bp ntdll!NtReadFile //**************************
0:014> g //****************************
ModLoad: 00007ff9`06840000 00007ff9`068e9000 C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll
ModLoad: 00007ff9`18880000 00007ff9`188c4000 C:\WINDOWS\SYSTEM32\edputil.dll
ModLoad: 00007ff9`04130000 00007ff9`045c3000 C:\WINDOWS\system32\explorerframe.dll
Breakpoint 0 hit
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\System32\KERNELBASE.dll -
ntdll!NtReadFile:
00007ff9`205fff20 4c8bd1 mov r10,rcx
0:000> k //**********************
Child-SP RetAddr Call Site
0000008a`98253948 00007ff9`1c6c2c66 ntdll!NtReadFile
0000008a`98253950 00007ff9`1e82833b KERNELBASE!ReadFile+0x76
0000008a`982539d0 00007ff9`1e829693 shcore!CFileStream::Read+0x22b
0000008a`98253a40 00007ff9`1d29269f shcore!IStream_Read+0x133
0000008a`98253aa0 00007ff9`1d291f75 SHELL32!IconCacheRestore+0xab
0000008a`98253e90 00007ff9`1d294bfe SHELL32!FileIconInitInternal+0x341
0000008a`98253f40 00007ff9`1d2957ae SHELL32!SHGetImageList+0xbe
0000008a`98253f70 00007ff9`1d29251f SHELL32!CreatePerfectIconList+0x6a
0000008a`98254030 00007ff9`041a406b SHELL32!SHCreateIconImageList+0x1f
0000008a`98254070 00007ff9`041a3f73 explorerframe!CBreadcrumbBar::RefreshImagelist+0x3f
0000008a`982540a0 00007ff9`041813af explorerframe!CBreadcrumbBar::InitBreadcrumbBar+0x323
0000008a`982543c0 00007ff9`041829b7 explorerframe!CAddressBand::_EnsureBreadcrumbBar+0x16f
0000008a`98254400 00007ff9`04183539 explorerframe!CAddressBand::_CreateAddressBand+0x1c7
0000008a`982544c0 00007ff9`1e833db9 explorerframe!CAddressBand::SetSite+0x69
0000008a`982544f0 00007ff9`0417cec2 shcore!IUnknown_SetSite+0x49
0000008a`98254530 00007ff9`0417cdb9 explorerframe!CBandSite::_AddBandByID+0xf2
0000008a`982546c0 00007ff9`0417ebef explorerframe!CBandSite::AddBand+0x19
0000008a`982546f0 00007ff9`0417f07a explorerframe!CNavBar::_CreateBands+0x287
0000008a`982547f0 00007ff9`041808ae explorerframe!CNavBar::_CreateBar+0x18a
0000008a`98254930 00007ff9`1eda1c22 explorerframe!CNavBar::ShowDW+0x1e
0000008a`98254970 00007ff9`1eda7181 COMDLG32!CFileOpenSave::_CreateNavigationBar+0x2f2
0000008a`982549e0 00007ff9`1ed99888 COMDLG32!CFileOpenSave::_InitOpenSaveDialog+0x1331
image.png
image.png
image.png
0:000> k
Child-SP RetAddr Call Site
0000008a`98253948 00007ff9`1c6c2c66 ntdll!NtReadFile
0000008a`98253950 00007ff9`1e82833b KERNELBASE!ReadFile+0x76
0000008a`982539d0 00007ff9`1e829693 shcore!CFileStream::Read+0x22b
0000008a`98253a40 00007ff9`1d29269f shcore!IStream_Read+0x133
0000008a`98253aa0 00007ff9`1d291f75 SHELL32!IconCacheRestore+0xab
0000008a`98253e90 00007ff9`1d294bfe SHELL32!FileIconInitInternal+0x341
0000008a`98253f40 00007ff9`1d2957ae SHELL32!SHGetImageList+0xbe
0000008a`98253f70 00007ff9`1d29251f SHELL32!CreatePerfectIconList+0x6a
0000008a`98254030 00007ff9`041a406b SHELL32!SHCreateIconImageList+0x1f
0000008a`98254070 00007ff9`041a3f73 explorerframe!CBreadcrumbBar::RefreshImagelist+0x3f
0000008a`982540a0 00007ff9`041813af explorerframe!CBreadcrumbBar::InitBreadcrumbBar+0x323
0000008a`982543c0 00007ff9`041829b7 explorerframe!CAddressBand::_EnsureBreadcrumbBar+0x16f
0000008a`98254400 00007ff9`04183539 explorerframe!CAddressBand::_CreateAddressBand+0x1c7
0000008a`982544c0 00007ff9`1e833db9 explorerframe!CAddressBand::SetSite+0x69
0000008a`982544f0 00007ff9`0417cec2 shcore!IUnknown_SetSite+0x49
0000008a`98254530 00007ff9`0417cdb9 explorerframe!CBandSite::_AddBandByID+0xf2
0000008a`982546c0 00007ff9`0417ebef explorerframe!CBandSite::AddBand+0x19
0000008a`982546f0 00007ff9`0417f07a explorerframe!CNavBar::_CreateBands+0x287
0000008a`982547f0 00007ff9`041808ae explorerframe!CNavBar::_CreateBar+0x18a
0000008a`98254930 00007ff9`1eda1c22 explorerframe!CNavBar::ShowDW+0x1e
0000008a`98254970 00007ff9`1eda7181 COMDLG32!CFileOpenSave::_CreateNavigationBar+0x2f2
0000008a`982549e0 00007ff9`1ed99888 COMDLG32!CFileOpenSave::_InitOpenSaveDialog+0x1331
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\System32\USER32.dll -
0000008a`98255840 00007ff9`1e8c76f1 COMDLG32!CFileOpenSave::s_OpenSaveDlgProc+0x7b8
0000008a`98256030 00007ff9`1e8c790d USER32!SetWindowTextW+0x361
0000008a`98256110 00007ff9`1e8c7826 USER32!SetWindowTextW+0x57d
0000008a`982561d0 00007ff9`1e8cb85d USER32!SetWindowTextW+0x496
0000008a`98256210 00007ff9`1e8cb54c USER32!CallWindowProcW+0x4dd
0000008a`98256380 00007ff9`1e8e19c3 USER32!CallWindowProcW+0x1cc
0000008a`982563e0 00007ff9`20603b44 USER32!GetTopWindow+0x153
0000008a`98256440 00007ff9`1c4b1164 ntdll!KiUserCallbackDispatcherContinue
0000008a`982564c8 00007ff9`1e8cace8 win32u!NtUserMessageCall+0x14
0000008a`982564d0 00007ff9`1e8dc311 USER32!SendMessageW+0x258
0000008a`98256560 00007ff9`1e8eb6f4 USER32!CreateWindowInBandEx+0x11c1
0000008a`98256730 00007ff9`1e8eb5d2 USER32!DialogBoxIndirectParamAorW+0x174
0000008a`98256790 00007ff9`1e8eb568 USER32!DialogBoxIndirectParamAorW+0x52
0000008a`982567d0 00007ff9`1eda546b USER32!DialogBoxIndirectParamW+0x18
0000008a`98256810 00007ff9`1edff930 COMDLG32!CFileOpenSave::Show+0x9eb
0000008a`98256ba0 00007ff9`1edfead4 COMDLG32!_InvokeNewFileOpenSave+0xf0
0000008a`98256c00 00007ff9`1edf873e COMDLG32!_CreateNewFileOpenSaveInProc+0xe8
0000008a`98256c50 00007ff9`1eddda11 COMDLG32!NewGetFileName+0x15e
0000008a`98256cb0 00007ff9`1edde1a0 COMDLG32!GetFileName+0x109
*** ERROR: Module load completed but symbols could not be loaded for D:\Program Files\Notepad++\notepad++.exe
0000008a`98256d10 00007ff7`39e88d3a COMDLG32!GetOpenFileNameW+0x70
0000008a`98257dd0 00007ff7`39eec14f notepad__+0x38d3a
0000008a`982590b0 00007ff7`39ee1c4d notepad__+0x9c14f
0000008a`9825a270 00007ff7`39ed567e notepad__+0x91c4d
0000008a`98263cc0 00007ff7`39ed8d03 notepad__+0x8567e
0000008a`98266890 00007ff7`39ed4aa1 notepad__+0x88d03
0000008a`982668e0 00007ff9`1e8cb85d notepad__+0x84aa1
0000008a`98266920 00007ff9`1e8cb40b USER32!CallWindowProcW+0x4dd
*** ERROR: Symbol file could not be found. Defaulted to export symbols for D:\Program Files\Notepad++\plugins\DSpellCheck.dll -
0000008a`98266a90 00007ff8`e35b07f4 USER32!CallWindowProcW+0x8b
0000008a`98266ae0 00007ff9`1e8cb85d DSpellCheck!getFuncsArray+0x18f67
0000008a`98266c00 00007ff9`1e8cb1ef USER32!CallWindowProcW+0x4dd //************窗口执行..............
0000008a`98266d70 00007ff7`39f6c05c USER32!DispatchMessageW+0x1af //**************分发消息
0000008a`98266df0 00007ff7`39f7a41f notepad__+0x11c05c
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\System32\KERNEL32.DLL -
0000008a`982ffab0 00007ff9`1f6d1fe4 notepad__+0x12a41f
0000008a`982ffaf0 00007ff9`205cefb1 KERNEL32!BaseThreadInitThunk+0x14
0000008a`982ffb20 00000000`00000000 ntdll!RtlUserThreadStart+0x21
winmain是等到了窗口消息,
Dispatchmessage是分发窗口消息,
UserCallWinProc...是执行窗口过程!
显示等到了窗口消息,再分发窗口消息,最后再执行窗口过程!
执行窗口过程当中执行打开OpenFile那个著名的对话框!这里需要显示这个对话框!这个对话框很复杂,里面有很多分析逻辑!对话框的内部逻辑要读某个文件!
image.png
0:000> u ntdll!NtReadFile //************************输入这条指令
ntdll!NtReadFile:
00007ff9`205fff20 4c8bd1 mov r10,rcx
00007ff9`205fff23 b806000000 mov eax,6
00007ff9`205fff28 f604250803fe7f01 test byte ptr [SharedUserData+0x308 (00000000`7ffe0308)],1
00007ff9`205fff30 7503 jne ntdll!NtReadFile+0x15 (00007ff9`205fff35)
00007ff9`205fff32 0f05 syscall
00007ff9`205fff34 c3 ret
00007ff9`205fff35 cd2e int 2Eh
00007ff9`205fff37 c3 ret
0:000> u ntdll!ZwReadFile //*****************
ntdll!NtReadFile:
00007ff9`205fff20 4c8bd1 mov r10,rcx
00007ff9`205fff23 b806000000 mov eax,6
00007ff9`205fff28 f604250803fe7f01 test byte ptr [SharedUserData+0x308 (00000000`7ffe0308)],1
00007ff9`205fff30 7503 jne ntdll!NtReadFile+0x15 (00007ff9`205fff35)
00007ff9`205fff32 0f05 syscall
00007ff9`205fff34 c3 ret
00007ff9`205fff35 cd2e int 2Eh
00007ff9`205fff37 c3 ret
ReadFile要进入内核态,调用系统调用!调用系统调用要经过著名的Syscall指令;这是CPU的一条特殊指令,
CPU一执行Syscall指令,就会飞跃到内核态里去,单纯的用户态会话,是不可以跟踪到内核态的,单步这里,CPU进入到内核里面转一圈又回来了!
p指令为单步执行!
0:000> p
ntdll!NtReadFile+0x12:
00007ff9`205fff32 0f05 syscall
0:000> p
ntdll!NtReadFile+0x14:
00007ff9`205fff34 c3 ret
下面这条指令表示执行过这个断点之后再继续执行k指令和gc指令
bp ntdll!NtReadFile ".echo ***** helloyanghzou! ReadFile is invoking ****;k;gc"
断点命中之后,打印出来一句话,再继续执行k
image.png
最终出现了打开这个对话框
image.png
可以先按一下ctrl+break(或者直接按断点键)
image.png
把整个进程重新加载: .restart /f
还有sxe ld命令,每个模块加载的时候,都会报告!加载模块事件,内核有特殊支持!
0:002> .restart /f //********************
CommandLine: "D:\Program Files\Notepad++\notepad++.exe"
WARNING: Whitespace at end of path element
Error: Empty Path.
Symbol search path is: SRV*d:\localsymbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
ModLoad: 00007ff7`39e50000 00007ff7`3a16b000 npp.exe
ModLoad: 00007ff9`20560000 00007ff9`20740000 ntdll.dll
ntdll!RtlUserThreadStart:
00007ff9`205cef90 4883ec48 sub rsp,48h
0:000> sxe ld //******************
0:000> g //******************
ModLoad: 00007ff9`1f6c0000 00007ff9`1f76e000 C:\WINDOWS\System32\KERNEL32.DLL
ntdll!NtMapViewOfSection+0x14:
00007ff9`20600374 c3 ret
0:000> g
ModLoad: 00007ff9`1c680000 00007ff9`1c8e6000 C:\WINDOWS\System32\KERNELBASE.dll
ntdll!NtMapViewOfSection+0x14:
00007ff9`20600374 c3 ret
0:000> g //****************
ModLoad: 00007ff9`1a2a0000 00007ff9`1a328000 C:\WINDOWS\SYSTEM32\apphelp.dll
ntdll!NtMapViewOfSection+0x14:
00007ff9`20600374 c3 ret
0:000> g //**********************
ModLoad: 00007ff9`1fbb0000 00007ff9`1fc01000 C:\WINDOWS\System32\SHLWAPI.dll
ntdll!NtMapViewOfSection+0x14:
00007ff9`20600374 c3 ret
每个模块加载的时候都会加载,模块加载事件就是因为内核有特殊支持!
当内核发现加载模块的事件的时候,内核会通知调试子系统,它会报告一个EVEnt给调试器,
image.png
这也是代表内核对调试的一种支持!
