返回首页

微信公众号

返回
2.1 WinDbg 的使用

WinDbg 无疑是 Windows 下进行漏洞分析的首选工具,较之 OD、IDA 等调试器,作为微软内部开发的 WinDbg 其优势还是很明显的。它同时支持 ring3 层和 ring0 层的漏洞调试,特别是 ring0 层下,目前还没有哪个调试器能够与其相媲美。WinDbg 于 Windows 就好像 GDB 之于 Linux,固漏洞分析人员掌握其使用方法还是很有必要的,本部分内容将主要介绍 ring3 层和 ring0 层下 WinDbg 的一些常见命令及使用技巧。

初识 WinDbg

0.JPG

WinDbg 界面中包含多个子窗口,如命令窗口、寄存器窗口、内存窗口、反汇编窗口等,其中最重要的是命令窗口,其余子窗口显示的内容实际上都可以通过特定的命令来得到,可以说命令调试是 WinDbg 的精髓所在。

在安装完 WinDbg 后,我们要为其配置调试符号信息,即微软提供的 pdb 文件,除了可以通过符号服务器实时获取外,还可以到官网下载独立的符号文件安装包。当然,其它软件开发商可能也会提供符号信息,可以根据具体分析需求来进行设置。对程序调试而言有源文件自然是最好的,如果没有,能提供符号文件那么对漏洞的分析调试也会有莫大的帮助。当然,并非所有调试程序都有符号文件,比如饱受诟病的 Office 应用,这个时候就只能啃那些晦涩的汇编了。

1.JPG

我们还可以借助 WinDbg 分析蓝屏 dump 文件、调试含源文件的程序等,此外,自定义插件的编写也是支持的。总的来说,WinDbg 还是很强大的。

ring3 常见命令及使用技巧

要学习 WinDbg 的命令,首先得了解调试命令有哪些,这里面分为 3 种,即基本命令(无前缀)、元命令(前缀 “.”)和扩展命令(前缀 “!”),可分别通过?.help!扩展模块名.help命令来查看。其中,扩展模块名称可通过version.chain命令查看,分析人员也可以编写自己的扩展模块(插件)。虽然这些命令看起来比较多,但调试过程中常用的命令其实并不多,关键靠平时积累。执行完前面的命令,界面可能比较乱了,先清下屏.cls。接着我们就来详细看下:

  • 列举调试的进线程状态,前面的小点表示当前进程或线程。
1
2
3
4
5
6
7
8
9
10
11
12
0:004> |
0    id: 135c    create  name: notepad.exe
0:004> ~
   0  Id: 135c.ac4 Suspend: 1 Teb: 00000077`58a19000 Unfrozen
   1  Id: 135c.eb0 Suspend: 1 Teb: 00000077`58a1b000 Unfrozen
   2  Id: 135c.13b0 Suspend: 1 Teb: 00000077`58a1d000 Unfrozen
   3  Id: 135c.810 Suspend: 1 Teb: 00000077`58a1f000 Unfrozen
   4  Id: 135c.6b4 Suspend: 1 Teb: 00000077`58a21000 Unfrozen
   5  Id: 135c.a58 Suspend: 1 Teb: 00000077`58a23000 Unfrozen
   6  Id: 135c.448 Suspend: 1 Teb: 00000077`58a25000 Unfrozen
7  Id: 135c.102c Suspend: 1 Teb: 00000077`58a2f000 Unfrozen
   9  Id: 135c.a18 Suspend: 1 Teb: 00000077`58a2b000 Unfrozen
  • 查看进程空间的信息。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
0:005> !address
 
 
Mapping file section regions...
Mapping module regions...
Mapping PEB regions...
Mapping TEB and stack regions...
Mapping heap regions...
Mapping page heap regions...
Mapping other regions...
Mapping stack trace database regions...
Mapping activation context regions...
 
        BaseAddress      EndAddress+1        RegionSize     Type       State                 Protect             Usage
--------------------------------------------------------------------------------------------------------------------------
+        0`00000000        0`7ffe0000        0`7ffe0000             MEM_FREE    PAGE_NOACCESS                      Free      
+        0`7ffe0000        0`7ffe1000        0`00001000 MEM_PRIVATE MEM_COMMIT  PAGE_READONLY                      Other      [User Shared Data]
         0`7ffe1000        0`7fff0000        0`0000f000 MEM_PRIVATE MEM_RESERVE                                    <unknown> 
+        0`7fff0000       b7`26350000       b6`a6360000             MEM_FREE    PAGE_NOACCESS                      Free      
+       b7`26350000       b7`263bc000        0`0006c000 MEM_PRIVATE MEM_RESERVE                                    Stack      [~0; 1534.8dc]
        b7`263bc000       b7`263bf000        0`00003000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE|PAGE_GUARD          Stack      [~0; 1534.8dc]
        b7`263bf000       b7`263d0000        0`00011000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     Stack      [~0; 1534.8dc]
+       b7`263d0000       b7`26400000        0`00030000             MEM_FREE    PAGE_NOACCESS                      Free      
+       b7`26400000       b7`265f3000        0`001f3000 MEM_PRIVATE MEM_RESERVE                                    <unknown> 
        b7`265f3000       b7`265f4000        0`00001000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     PEB        [1534]
        ...
  • 设置特定模块加载时中断程序,完成操作后记得置回默认值。
1
2
3
4
5
6
7
0:000> sxe ld KERNELBASE
0:000> g
ModLoad: 00007ffc`b10b0000 00007ffc`b12cd000   C:/Windows/System32/KERNELBASE.dll
ntdll!NtMapViewOfSection+0x14:
00007ffc`b3e55354 c3              ret
0:000> sxr
sx state reset to defaults
  • 查看进程模块的信息。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
0:005> lmvm KERNELBASE
Browse full module list
start             end                 module name
00007ffc`b10b0000 00007ffc`b12cd000   KERNELBASE   (pdb symbols)          c:/symbols/kernelbase.pdb/5D0E6B108BAA4E0CAD1C559120C6123F1kernelbase.pdb
    Loaded symbol image file: C:/Windows/System32/KERNELBASE.dll
    Image path: C:/Windows/System32/KERNELBASE.dll
    Image name: KERNELBASE.dll
    Browse all global symbols  functions  data
    Timestamp:        Sat Jul 16 10:12:25 2016 (57899809)
    CheckSum:         00221D33
    ImageSize:        0021D000
    File version:     10.0.14393.0
    Product version:  10.0.14393.0
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Windows® Operating System
    InternalName:     Kernelbase.dll
    OriginalFilename: Kernelbase.dll
    ProductVersion:   10.0.14393.0
    FileVersion:      10.0.14393.0 (rs1_release.160715-1616)
    FileDescription:  Windows NT BASE API Client DLL
    LegalCopyright:   © Microsoft Corporation. All rights reserved.
  • 加载符号文件。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
0:000> .sympath
Symbol search path is: C:/Symbols
Expanded Symbol search path is: c:/symbols
 
************* Symbol Path validation summary **************
Response                         Time (ms)     Location
OK                                             C:/Symbols
0:000> .reload /f
Reloading current modules
.......................
0:000> lm
start             end                 module name
00007ff6`c00a0000 00007ff6`c00ad000   calc       (pdb symbols)          c:/symbols/calc.pdb/BBD33747DAF54B2D9AD9F02861D972F81/calc.pdb
00007ffc`b02b0000 00007ffc`b02c4000   profapi    (pdb symbols)          c:/symbols/profapi.pdb/CAC4E3CC2E9B4973B17D131D0EFC8ACE1/profapi.pdb
00007ffc`b02e0000 00007ffc`b02ef000   kernel_appcore   (pdb symbols)          c:/symbols/Kernel.Appcore.pdb/C765CB33A55844379117C2F71220C8D71/Kernel.Appcore.pdb
00007ffc`b02f0000 00007ffc`b033c000   powrprof   (pdb symbols)          c:/symbols/powrprof.pdb/74B38765BC2D4D1B9E53834273CE9ABF1/powrprof.pdb
00007ffc`b0340000 00007ffc`b04c2000   gdi32full   (pdb symbols)          c:/symbols/gdi32full.pdb/9A1C5DBA389740BA8568049E4C0603491/gdi32full.pdb
00007ffc`b0530000 00007ffc`b0572000   cfgmgr32   (pdb symbols)          c:/symbols/cfgmgr32.pdb/0C85585E81E54222A3065E20B6C913D41/cfgmgr32.pdb
00007ffc`b0580000 00007ffc`b0629000   shcore     (pdb symbols)          c:/symbols/shcore.pdb/1375C24C4D13484FB31C5B2E9E690F321/shcore.pdb
00007ffc`b0800000 00007ffc`b0eda000   windows_storage   (pdb symbols)          c:/symbols/Windows.Storage.pdb/FA91DDC596884A82AA032E2E9A652C4E1/Windows.Storage.pdb
00007ffc`b0f90000 00007ffc`b0fae000   win32u     (pdb symbols)          c:/symbols/win32u.pdb/CE777C7E22FC4E43A47A1D6EF5E1AF031/win32u.pdb
00007ffc`b0fb0000 00007ffc`b10a5000   ucrtbase   (pdb symbols)          c:/symbols/ucrtbase.pdb/5347FBF2D7FD4C99A15D54787482262A1/ucrtbase.pdb
00007ffc`b10b0000 00007ffc`b12cd000   KERNELBASE   (pdb symbols)          c:/symbols/kernelbase.pdb/5D0E6B108BAA4E0CAD1C559120C6123F1/kernelbase.pdb
...
  • 单步步过、单步步入。查看反汇编代码时,“.” 表示当前运行的指令处,另外,在命令输入时如果直接回车,则完成的操作和上一条命令相同。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
0:000:x86> ub
KERNELBASE!LoadLibraryExW+0x23:
75a392b3 8b5d10          mov     ebx,dword ptr [ebp+10h]
75a392b6 f7c30080ffff    test    ebx,0FFFF8000h
75a392bc 0f850a010000    jne     KERNELBASE!LoadLibraryExW+0x13c (75a393cc)
75a392c2 8bf3            mov     esi,ebx
75a392c4 83e642          and     esi,42h
75a392c7 83fe42          cmp     esi,42h
75a392ca 0f84fc000000    je      KERNELBASE!LoadLibraryExW+0x13c (75a393cc)
75a392d0 50              push    eax
0:000:x86> u .
KERNELBASE!LoadLibraryExW+0x41:
75a392d1 8d442424        lea     eax,[esp+24h]
75a392d5 50              push    eax
75a392d6 ff157081ae75    call    dword ptr [KERNELBASE!WakeConditionVariable+0x4756 (75ae8170)]
75a392dc 85c0            test    eax,eax
75a392de 0f8801ac0300    js      KERNELBASE!GetCurrentProcess+0x8425 (75a73ee5)
75a392e4 668b4c2420      mov     cx,word ptr [esp+20h]
75a392e9 8b542424        mov     edx,dword ptr [esp+24h]
75a392ed 6685c9          test    cx,cx
0:000:x86> p
KERNELBASE!LoadLibraryExW+0x45:
75a392d5 50              push    eax
0:000:x86>
KERNELBASE!LoadLibraryExW+0x46:
75a392d6 ff157081ae75    call    dword ptr [KERNELBASE!WakeConditionVariable+0x4756 (75ae8170)] ds:002b:75ae8170={ntdll_77820000!RtlInitUnicodeStringEx (77853380)}
0:000:x86> t
ntdll_77820000!RtlInitUnicodeStringEx:
77853380 8bff            mov     edi,edi
  • 列举函数名、设置断点、查看寄存器和内存、查看调用栈的信息。其中,“L+数字” 表示输出数目,“*” 为通配符。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
0:009> bc *
0:009> x KERNELBASE!LoadLibrary*
00000000`75a38c10 KERNELBASE!LoadLibraryExA (<no parameter info>)
00000000`75a39290 KERNELBASE!LoadLibraryExW (<no parameter info>)
00000000`75a3a2f0 KERNELBASE!LoadLibraryA (<no parameter info>)
00000000`75a3c590 KERNELBASE!LoadLibraryW (<no parameter info>)
0:009> bm KERNELBASE!LoadLibrary*
  1: 00000000`75a38c10 @!"KERNELBASE!LoadLibraryExA"
  2: 00000000`75a39290 @!"KERNELBASE!LoadLibraryExW"
  3: 00000000`75a3a2f0 @!"KERNELBASE!LoadLibraryA"
  4: 00000000`75a3c590 @!"KERNELBASE!LoadLibraryW"
0:009> bl
 1 e x86 00000000`75a38c10     0001 (00010:**** KERNELBASE!LoadLibraryExA
 2 e x86 00000000`75a39290     0001 (00010:**** KERNELBASE!LoadLibraryExW
 3 e x86 00000000`75a3a2f0     0001 (00010:**** KERNELBASE!LoadLibraryA
 4 e x86 00000000`75a3c590     0001 (00010:**** KERNELBASE!LoadLibraryW
0:009> bd 1 2
0:009> g
Breakpoint 3 hit
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:/Program Files (x86)/Common Files/Microsoft Shared/office14/riched20.dll -
KERNELBASE!LoadLibraryA:
75a3a2f0 8bff            mov     edi,edi
0:000:x86> r
eax=00000000 ebx=00000000 ecx=00bdc355 edx=6fd20950 esi=6fd20890 edi=00000000
eip=75a3a2f0 esp=00bdc3b4 ebp=00bdc40c iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
KERNELBASE!LoadLibraryA:
75a3a2f0 8bff            mov     edi,edi
0:000:x86> dd esp L4
00bdc3b4  6fc0d839 6fd20950 000000cc 097d05c8
0:000:x86> da poi(esp+4)
6fd20950  "UxTheme.dll"
0:000:x86> bd *
0:000:x86> bp KERNELBASE!LoadLibraryA ".if(ebx=0){}.else{gc}"
breakpoint 3 redefined
0:000:x86> g
KERNELBASE!LoadLibraryA:
75a3a2f0 8bff            mov     edi,edi
0:000:x86> r
eax=00000000 ebx=00000000 ecx=00bdc649 edx=6fd20930 esi=6fd20850 edi=00000000
eip=75a3a2f0 esp=00bdc6a0 ebp=00bdc6f8 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
KERNELBASE!LoadLibraryA:
75a3a2f0 8bff            mov     edi,edi
0:000:x86> k L5
 # ChildEBP RetAddr 
WARNING: Stack unwind information not available. Following frames may be wrong.
00 00bdc69c 6fc0d839 KERNELBASE!LoadLibraryA
01 00bdc6f8 6fc1f79f riched20!IID_ITextServices2+0x3b09
02 00bdc718 6fc7e13f riched20!RichListBoxWndProc+0x13a8
03 00bdc738 6fc0a3b7 riched20!IID_ITextHost2+0x3672f
04 00bdc754 6fc09f8d riched20!IID_ITextServices2+0x687
  • 条件断点与硬件断点,设置断点时可通过.echo命令打印一些日志信息。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
0:004> bp KERNELBASE!LoadLibraryA ".echo 'Hi, this is a LoadLibraryA break!'"
0:004> bl
 0 e 00007ffa`7635b680     0001 (00010:**** KERNELBASE!LoadLibraryA ".echo 'Hi, this is a LoadLibraryA break!'"
0:004> g
ModLoad: 00007ffa`71f40000 00007ffa`71f76000   C:Windowssystem32xmllite.dll
'Hi, this is a LoadLibraryA break!'
KERNELBASE!LoadLibraryA:
00007ffa`7635b680 48895c2408      mov     qword ptr [rsp+8],rbx ss:000000dc`4db7f810=000000008004000a
...
0:000> bp KERNELBASE!LoadLibraryExW ".if(rax > 0xff){.echo 'rax > 0xff'}.else{.echo 'rax <= 0xff'; gc}"
0:000> bl
 0 e 00007ffa`7631c8b0     0001 (00010:**** KERNELBASE!LoadLibraryExW ".if(rax > 0xff){.echo 'rax > 0xff'}.else{.echo 'rax <= 0xff'; gc}"
0:000> g
'rax > 0xff'
KERNELBASE!LoadLibraryExW:
00007ffa`7631c8b0 4055            push    rbp
0:000> g
ModLoad: 00007ffa`78460000 00007ffa`7848e000   C:WindowsSystem32IMM32.DLL
'rax <= 0xff'
'rax <= 0xff'
'rax <= 0xff'
'rax <= 0xff'
'rax <= 0xff'
'rax <= 0xff'
'rax <= 0xff'
ModLoad: 00007ffa`73d80000 00007ffa`73e15000   C:Windowssystem32uxtheme.dll
ModLoad: 00007ffa`76720000 00007ffa`7687b000   C:WindowsSystem32MSCTF.dll
ModLoad: 00007ffa`73a30000 00007ffa`73a56000   C:Windowssystem32dwmapi.dll
ModLoad: 00007ffa`78e70000 00007ffa`78f0f000   C:WindowsSystem32clbcatq.dll
'rax > 0xff'
KERNELBASE!LoadLibraryExW:
00007ffa`7631c8b0 4055            push    rbp
0:000> r rax
rax=000000a0107cdf78
0:000> bc *
0:000> ba e1 00007ffa`7631c8b0
0:000> bl
 0 e 00007ffa`7631c8b0 e 1 0001 (00010:**** KERNELBASE!LoadLibraryExW
0:000> g
Breakpoint 0 hit
KERNELBASE!LoadLibraryExW:
00007ffa`7631c8b0 4055            push    rbp
  • 查看特定函数的反汇编代码。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
0:001> uf KERNELBASE!LoadLibraryA
Flow analysis was incomplete, some code may be missing
KERNELBASE!LoadLibraryA:
00000000`75a3a2f0 8bff            mov     edi,edi
00000000`75a3a2f2 55              push    rbp
00000000`75a3a2f3 8bec            mov     ebp,esp
00000000`75a3a2f5 51              push    rcx
00000000`75a3a2f6 837d0800        cmp     dword ptr [rbp+8],0
00000000`75a3a2fa 53              push    rbx
00000000`75a3a2fb 56              push    rsi
00000000`75a3a2fc 7418            je      KERNELBASE!LoadLibraryA+0x26 (00000000`75a3a316)  Branch
 
KERNELBASE!LoadLibraryA+0xe:
00000000`75a3a2fe 68d0129b75      push    offset KERNELBASE+0x412d0 (00000000`759b12d0)
00000000`75a3a303 ff7508          push    qword ptr [rbp+8]
00000000`75a3a306 ff155886ae75    call    qword ptr [00000000`eb522964]
...
  • 查看内存堆信息、搜索内存。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
0:005> !heap -h
Index   Address  Name      Debugging options enabled
  1:   2d1990b0000
    Segment at 000002d1990b0000 to 000002d1991af000 (00056000 bytes committed)
  2:   2d198ff0000
    Segment at 000002d198ff0000 to 000002d199000000 (00001000 bytes committed)
  3:   2d1993c0000
    Segment at 000002d1993c0000 to 000002d1993cf000 (00007000 bytes committed)
  4:   2d199390000
    Segment at 000002d199390000 to 000002d19939f000 (00009000 bytes committed)
0:005> !heap -p -a 2d1990b1000
    address 000002d1990b1000 found in
    _HEAP @ 2d1990b0000
              HEAP_ENTRY Size Prev Flags            UserPtr UserSize - state
        000002d1990b0ef0 00ca 0000  [00]   000002d1990b0f00    00c6c - (busy)
 
 
0:005> s -sa 2d1990b0000 L4000
000002d1`990b0736  "-3E"
000002d1`990b08e2  "_0*"
000002d1`990b08ea  "`"0"
000002d1`990b243f  "0@+"
000002d1`990b260f  "0@$"
000002d1`990b3128  "PZm4"
000002d1`990b340f  "0C:/Windows/System32/notepad.exe"
000002d1`990b3e11  "up4"
0:005> s -a 2d1990b0000 L4000 "notepad"
000002d1`990b3424  6e 6f 74 65 70 61 64 2e-65 78 65 00 ab ab ab ab  notepad.exe.....
  • 查看相关的符号信息。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
0:000> dqs rsp
000000ad`0152f5e0  00000000`00000000
000000ad`0152f5e8  000000ad`0152f670
000000ad`0152f5f0  00000000`00000000
000000ad`0152f5f8  000000ad`0152f670
000000ad`0152f600  00000000`00000000
000000ad`0152f608  00007ffc`b3ebe0c0 ntdll!`string'
000000ad`0152f610  000000ad`017dc000
000000ad`0152f618  00007ffc`b3e41b92 ntdll!LdrpInitializeProcess+0x1962
000000ad`0152f620  00000000`00000000
000000ad`0152f628  00000000`00000003
000000ad`0152f630  00000000`00000003
000000ad`0152f638  00000000`00000003
000000ad`0152f640  00000000`00000000
000000ad`0152f648  000000ad`0152f900
000000ad`0152f650  00000000`00000000
000000ad`0152f658  00000000`00000000
0:000> kb
 # RetAddr           : Args to Child                                                           : Call Site
00 00007ffc`b3e41b92 : 00000000`00000000 00000000`00000003 00000000`00000003 00000000`00000003 : ntdll!LdrpDoDebuggerBreak+0x30
01 00007ffc`b3e77af4 : 00000000`00000000 00007ffc`b3e38bc9 00000000`00000000 00000000`00000001 : ntdll!LdrpInitializeProcess+0x1962
02 00007ffc`b3e28d5e : 000000ad`0152faf0 00000000`00000000 00000000`00000000 000000ad`017dc000 : ntdll!_LdrpInitialize+0x4ed40
03 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!LdrInitializeThunk+0xe
0:000> ln 00007ffc`b3e38bc9
Browse module
Set bu breakpoint
 
(00007ffc`b3e38b88)   ntdll!InitSecurityCookie+0x41   |  (00007ffc`b3e38bf0)   ntdll!RtlDoesFileExists_U
  • ?在运算时还是很有用的,其中,“0x” 表示 16 进制、“0n” 表示 10 进制、“0t” 表示 8 进制、“0y” 表示 2 进制,默认情况是 16 进制。
1
2
3
4
5
6
7
8
9
10
11
12
13
0:004> ? 0x100
Evaluate expression: 256 = 00000000`00000100
0:004> ? 0n100
Evaluate expression: 100 = 00000000`00000064
0:004> ? 0t100
Evaluate expression: 64 = 00000000`00000040
0:004> ? 0y100
Evaluate expression: 4 = 00000000`00000004
0:004> ? 100
Evaluate expression: 256 = 00000000`00000100
0:004> ? 0x100+0n100
Evaluate expression: 356 = 00000000`00000164
0:004> qd

ring0 常见命令及使用技巧

这里用到双虚拟机调试环境,具体配置可参照此文,连接建立后会显示如下信息:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
Microsoft (R) Windows Debugger Version 10.0.14321.1024 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
 
Opened .com1
Waiting to reconnect...
Connected to Windows 10 14393 x64 target at (Tue Dec 19 15:55:49.108 2017 (UTC + 8:00)), ptr64 TRUE
Kernel Debugger connection established.
 
************* Symbol Path validation summary **************
Response                         Time (ms)     Location
OK                                             C:/Symbols
Symbol search path is: C:/Symbols
Executable search path is:
Windows 10 Kernel Version 14393 MP (1 procs) Free x64
Built by: 14393.0.amd64fre.rs1_release.160715-1616
Machine Name:
Kernel base = 0xfffff800`af419000 PsLoadedModuleList = 0xfffff800`af71e060
System Uptime: 0 days 0:00:00.025
KDTARGET: Refreshing KD connection

说明一点,前面介绍的 ring3 层调试命令大多在 ring0 层也是适用的,同样,接下去介绍的有些命令也适用于 ring3 层,我们继续:

  • 查看进程列表、进程中的线程、切换进程上下文。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
kd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS ffffb98dd065a040
    SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 001aa000  ObjectTable: ffff9e0212001340  HandleCount: <Data Not Accessible>
    Image: System
 
PROCESS ffffb98dd18fd040
    SessionId: none  Cid: 0118    Peb: 63d31d1000  ParentCid: 0004
    DirBase: 7be6d000  ObjectTable: ffff9e02125e9280  HandleCount: <Data Not Accessible>
    Image: smss.exe
 
PROCESS ffffb98dd1c01780
    SessionId: 0  Cid: 0168    Peb: ccec47a000  ParentCid: 0160
    DirBase: 0c0c1000  ObjectTable: ffff9e0212132a80  HandleCount: <Data Not Accessible>
    Image: csrss.exe
 
PROCESS ffffb98dd21de080
    SessionId: 1  Cid: 019c    Peb: ab7b3d9000  ParentCid: 0118
    DirBase: 0e0c1000  ObjectTable: 00000000  HandleCount:   0.
    Image: smss.exe
 
...
 
PROCESS ffffb98dd251b080
    SessionId: 1  Cid: 0290    Peb: 68a6eb3000  ParentCid: 09d8
    DirBase: 0fcaa000  ObjectTable: ffff9e0219d2dc40  HandleCount: <Data Not Accessible>
    Image: notepad.exe
 
kd> !process ffffb98dd251b080 2
PROCESS ffffb98dd251b080
    SessionId: 1  Cid: 0290    Peb: 68a6eb3000  ParentCid: 09d8
    DirBase: 0fcaa000  ObjectTable: ffff9e0219d2dc40  HandleCount: <Data Not Accessible>
    Image: notepad.exe
 
        THREAD ffffb98dd2cd9080  Cid 0290.0370  Teb: 00000068a6eb4000 Win32Thread: ffffb98dd1068820 WAIT: (WrUserRequest) UserMode Non-Alertable
            ffffb98dd2d11de0  SynchronizationEvent
 
        THREAD ffffb98dd254f080  Cid 0290.0844  Teb: 00000068a6eb6000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
            ffffb98dd2238e80  QueueObject
 
        THREAD ffffb98dd108b080  Cid 0290.0854  Teb: 00000068a6eb8000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
            ffffb98dd2e5f540  QueueObject
 
        THREAD ffffb98dd2572080  Cid 0290.08e0  Teb: 00000068a6eba000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
            ffffb98dd2e5f540  QueueObject
        ...
 
 
kd> .process
Implicit process is now ffffb98d`d065a040
kd> .process /i /p ffffb98dd251b080
You need to continue execution (press 'g' <enter>) for the context
to be switched. When the debugger breaks in again, you will be in
the new process context.
kd> g
Break instruction exception - code 80000003 (first chance)
nt!DbgBreakPointWithStatus:
fffff800`af568a60 cc              int     3
kd> .process
Implicit process is now ffffb98d`d251b080
  • 查看结构体的类型定义。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
kd> dt nt!_PEB
dtx is unsupported for this scenario.  It only recognizes dtx [<type>] [<address>] with -a, -h, and -r.  Reverting to dt.
   +0x000 InheritedAddressSpace : UChar
   +0x001 ReadImageFileExecOptions : UChar
   +0x002 BeingDebugged    : UChar
   +0x003 BitField         : UChar
   +0x003 ImageUsesLargePages : Pos 0, 1 Bit
   +0x003 IsProtectedProcess : Pos 1, 1 Bit
   +0x003 IsImageDynamicallyRelocated : Pos 2, 1 Bit
   +0x003 SkipPatchingUser32Forwarders : Pos 3, 1 Bit
   +0x003 IsPackagedProcess : Pos 4, 1 Bit
   +0x003 IsAppContainer   : Pos 5, 1 Bit
   +0x003 IsProtectedProcessLight : Pos 6, 1 Bit
   +0x003 IsLongPathAwareProcess : Pos 7, 1 Bit
   +0x004 Padding0         : [4] UChar
   +0x008 Mutant           : Ptr64 Void
   +0x010 ImageBaseAddress : Ptr64 Void
   ...

参考:
[1] Windbg调试命令详解
http://www.yiiyee.cn/Blog/windbg/
[2] Getting Started with Windows Debugging
https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/getting-started-with-windows-debugging

©2000 - 2025 看雪 / 沪ICP备2022023406号 / 沪公网安备 31011502006611号

邮件

账号登录
验证码登录

忘记密码?
没有账号?立即免费注册
我已同意 《看雪服务条款》 《看雪课程免责声明》 《看雪隐私政策》