windbg使用的一些技巧
Posted yilang
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了windbg使用的一些技巧相关的知识,希望对你有一定的参考价值。
怎样打印某函数调用关系
命令 | 功能 | 适用范围 |
---|---|---|
uf /c /D 地址 | 打印当前函数对其他函数的调用 | 用户态/内核态 |
# 函数名 起始地址 l长度 | 打印在某段地址范围内代码对该函数的引用 | 内核态/用户态 |
kd> uf /c /D 0x804fa5e6 nt!KeDelayExecutionThread (804fa5e6) nt!KeDelayExecutionThread+0x8f (804fa675): call to nt!KiUnlockDispatcherDatabase (80542748) nt!KeDelayExecutionThread+0xe9 (804fa6cf): call to nt!KiInsertTreeTimer (80500f62) nt!KeDelayExecutionThread+0x116 (804fa6fc): call to nt!KiSetPriorityThread (80501bba) nt!KeDelayExecutionThread+0x12f (804fa715): call to nt!KiFindReadyThread (80501894) nt!KeDelayExecutionThread+0x19f (804fa785): call to nt!KiActivateWaiterQueue (804fc02a) nt!KeDelayExecutionThread+0x1c4 (804fa7aa): call to nt!KiSwapThread (80501ca0) nt!KeDelayExecutionThread+0x1de (804fa7c4): call to nt!KiComputeWaitInterval (804fa504) nt!KeDelayExecutionThread+0x1e6 (804fa7cc): call to hal!KeRaiseIrqlToDpcLevel (806d3298) nt!KeDelayExecutionThread+0x26a (804fa850): call to nt!KiUnlockDispatcherDatabase (80542748)
例2:
kd> # IopCreateFile 840554ae l10000 nt!NtCreateFile+0x2f: 840554dd e87340ffff call nt!IopCreateFile (84049555) nt!IoCreateFileEx+0x99: 84081442 e80e81fcff call nt!IopCreateFile (84049555) nt!NtOpenFile+0x25: 84084c97 e8b948fcff call nt!IopCreateFile (84049555)
怎样显示函数指令数?
命令 | 功能 | 适用范围 |
---|---|---|
uf /i /m 地址 | 显示函数指令数 | 用户态/内核态 |
kd> uf /i ntcreatefile 21 instructions scanned nt!NtCreateFile: 8056f2fc 8bff mov edi,edi 8056f2fe 55 push ebp 8056f2ff 8bec mov ebp,esp 8056f301 33c0 xor eax,eax 8056f303 50 push eax 8056f304 50 push eax 8056f305 50 push eax 8056f306 ff7530 push dword ptr [ebp+30h] 8056f309 ff752c push dword ptr [ebp+2Ch] 8056f30c ff7528 push dword ptr [ebp+28h] 8056f30f ff7524 push dword ptr [ebp+24h] 8056f312 ff7520 push dword ptr [ebp+20h] 8056f315 ff751c push dword ptr [ebp+1Ch] 8056f318 ff7518 push dword ptr [ebp+18h] 8056f31b ff7514 push dword ptr [ebp+14h] 8056f31e ff7510 push dword ptr [ebp+10h] 8056f321 ff750c push dword ptr [ebp+0Ch] 8056f324 ff7508 push dword ptr [ebp+8] 8056f327 e860d8ffff call nt!IoCreateFile (8056cb8c) 8056f32c 5d pop ebp 8056f32d c22c00 ret 2Ch
如何在X64系统中实现64位执行模式和虚拟86执行模式(wow)切换
命令 | 功能 | 适用范围 |
---|---|---|
!sw | 执行模式(wow)切换 | 用户态/内核态 |
0:000> .load wow64exts 0:000> !sw Switched to Guest (WoW) mode 0:000:x86> ? . Evaluate expression: 1995360060 = 76eec73c 0:000:x86> !sw Switched to Host mode 0:000> ? . Evaluate expression: 1994597202 = 00000000`76e32352 0:000> .load wow64exts 0:000> u . wow64cpu!CpupSyscallStub+0x2: 00000000`76e32352 c3 ret 00000000`76e32353 cc int 3 00000000`76e32354 b80d0000c0 mov eax,0C000000Dh 00000000`76e32359 e93ef0ffff jmp wow64cpu!CpuSetContext+0x15c (00000000`76e3139c) 00000000`76e3235e 488b876c010000 mov rax,qword ptr [rdi+16Ch] 00000000`76e32365 48898370010000 mov qword ptr [rbx+170h],rax 00000000`76e3236c 488b8774010000 mov rax,qword ptr [rdi+174h] 00000000`76e32373 48898378010000 mov qword ptr [rbx+178h],rax 0:000> !sw Switched to Guest (WoW) mode 0:000:x86> u 00000000`76e32352 wow64cpu!CpupSyscallStub+0x2: 76e32352 c3 ret 76e32353 cc int 3 76e32354 b80d0000c0 mov eax,0C000000Dh 76e32359 e93ef0ffff jmp wow64cpu!CpuSetContext+0x15c (76e3139c) 76e3235e 48 dec eax 76e3235f 8b876c010000 mov eax,dword ptr [edi+16Ch] 76e32365 48 dec eax 76e32366 898370010000 mov dword ptr [ebx+170h],eax 提示:也可手动修改cs以达到相同效果
怎样查找某地址附近的符号
命令 | 功能 | 适用范围 |
---|---|---|
ln 地址 | 查找某地址附近的符号 | 用户态/内核态 |
kd> ln nt!ntcreatefile-1 Browse module Set bu breakpoint (84055482) nt!SeValidateSecurityQos+0x2b | (840554ae) nt!NtCreateFile
如何跟踪某函数执行过的所有子函数?
kd> wt Tracing testdriver2!func to return address f89cb070 8 0 [ 0] testdriver2!func 7 0 [ 1] nt!ExAllocatePool 89 0 [ 2] nt!ExAllocatePoolWithTag 5 0 [ 3] hal!KeRaiseIrqlToDpcLevel 197 5 [ 2] nt!ExAllocatePoolWithTag 9 202 [ 1] nt!ExAllocatePool 13 211 [ 0] testdriver2!func 85 0 [ 1] nt!ExFreePoolWithTag 19 296 [ 0] testdriver2!func 315 instructions were executed in 7 events (0 from other threads) Function Name Invocations MinInst MaxInst AvgInst hal!KeRaiseIrqlToDpcLevel 1 5 5 5 nt!ExAllocatePool 1 9 9 9 nt!ExAllocatePoolWithTag 1 197 197 197 nt!ExFreePoolWithTag 1 85 85 85 testdriver2!func
回溯栈
回溯栈用来记录每一级函数返回地址
命令 | 功能 |
---|---|
k | 跟踪到第n分支指令 |
kb | 执行到第n分支指令 |
!stacks | 跟踪到第n分支指令 |
!uniqstack | 执行到第n分支指令 |
如何在物理地址下断?
如果在加载pe时采用了文件内存映射,那么一块物理内存会映射到不同虚拟内存,因此如果对方映射了多个相同的PE往往需要在不同虚拟地址下断,这里提出一种物理内存手动下断方式,适用范围:内核态
kd> !pte 840554ae VA 840554ae PDE at C0602100 PTE at C04202A8 contains 00000000001DA063 contains 0000000004055121 pfn 1da ---DA--KWEV pfn 4055 -G--A--KREV 找到ntcreatefile的物理地址 kd> !db 40554ae # 40554ae 8b ff 55 8b ec 51 33 c0-50 6a 20 50 50 50 ff 75 ..U..Q3.Pj PPP.u # 40554be 30 ff 75 2c ff 75 28 ff-75 24 ff 75 20 ff 75 1c 0.u,.u(.u$.u .u. # 40554ce ff 75 18 ff 75 14 ff 75-10 ff 75 0c ff 75 08 e8 .u..u..u..u..u.. # 40554de 73 40 ff ff 59 5d c2 2c-00 90 90 90 90 90 6a 40 s@..Y].,......j@ # 40554ee 68 28 42 e6 83 e8 70 51-e2 ff 8b 75 0c 8b 86 88 h(B...pQ...u.... # 40554fe 00 00 00 89 45 cc 8b 86-50 01 00 00 89 45 d0 8d ....E...P....E.. # 405550e 7d d8 89 7d d4 c6 45 e2-00 3b 75 08 74 33 8d 8e }..}..E..;u.t3.. # 405551e 70 02 00 00 8b 11 83 e2-fe 8d 42 02 8b f8 8b d9 p.........B..... 手动修改为软件断点 kd> !eb 40554ae cc kd> g Break instruction exception - code 80000003 (first chance) nt!NtCreateFile: 840554ae cc int 3 中断后,需要手动改回物理内存
如何在针对线程/进程下断?
命令 | 功能 | 适用范围 |
---|---|---|
bp /p EPROCESS地址 | 针对进程下断 | 内核态 |
bp /t ETHREAD地址 | 针对线程下断 | 内核态 |
如何对形如Gen*的函数下断?
0:000> bm /a ml64!Gen* 1: 00000000`00c733c0 @!"ml64!genIntReloc" 2: 00000000`00c73694 @!"ml64!genDataDef" 3: 00000000`00c7160c @!"ml64!GenCodeJump" 4: 00000000`00c9a354 @!"ml64!genPrologue" 5: 00000000`00c73ef4 @!"ml64!GenCodeRet" 6: 00000000`00c9a620 @!"ml64!genEpilogue" 7: 00000000`00c73a60 @!"ml64!genNormReloc" 8: 00000000`00c71008 @!"ml64!GenCodeLoop" 9: 00000000`00c71710 @!"ml64!GenREXPrefix" 10: 00000000`00cda6d0 @!"ml64!genmcBuffT" 11: 00000000`00c71940 @!"ml64!GenCodeNormal" 12: 00000000`00c73434 @!"ml64!genReloc" 13: 00000000`00c98ffc @!"ml64!genProEpiMacroCall" 14: 00000000`00c73d00 @!"ml64!GenCodeString
如何正确地下字符串断点?
0:000> db . 76f63bad 6c 00 69 00 63 00 68 00-6b 00 69 00 6e 00 67 00 l.i.c.h.k.i.n.g. 76f63bbd 00 00 00 00 f9 ff c3 90-90 90 90 fe ff ff ff 00 ................ 76f63bcd 24 00 7b 00 74 00 32 00-7d 00 00 00 ff ff ff b0 $.{.t.2.}....... 76f63bdd 3b f6 76 b4 3b f6 76 90-90 90 90 90 8b ff 55 8b ;.v.;.v.......U. 76f63bed ec 81 ec 3c 02 00 00 a1-50 32 fb 76 33 c5 89 45 ...<....P2.v3..E 76f63bfd fc 53 56 8b 35 a0 f0 fa-76 8b d9 57 6a 2a 58 66 .SV.5...v..Wj*Xf 76f63c0d 89 85 dc fd ff ff 33 ff-89 bd ea fd ff ff 66 89 ......3.......f. 76f63c1d bd ee fd ff ff c7 85 e0-fd ff ff a8 b7 ef 76 c7 ..............v. 匹配写法: 0:000> .block{as /mu ${/v:tn2} 76f63bad};? $scmp("${tn2}","lichking") Evaluate expression: 0 = 00000000 注意:一定要有.block,对于as语句必须用block隔开才能展开
异常&事件
命令 功能 sxe 事件异常名 开启事件异常捕获 sxd 事件异常名 关闭事件异常捕获 异常码 类型 av 断言错误 dz 整数除0 c000008e 浮点除0 eh c++异常 gp 页保护错误 ii 指令错误 iov 整数溢出 isc 非法系统调用 sbo 栈缓冲区溢出 sov 栈溢出 aph 程序停止响应 3c 子进程退出 chhc 非法句柄 wos wow64单步异常 wob wow64单步异常 ssessec 单步异常 bpebpec 断点异常 ccecc ctrl+c;ctrl+break 事件码 类型 ser 系统错误 cpr 进程创建 epr 进程退出 ct 线程创建 et 线程退出 ld 加载模块 ud 加载模块 out 调试输出
如何暂停/恢复线程执行?
命令 | 功能 | 适用范围 |
---|---|---|
.process /p /r /i PEPROCESS地址 | 切换到可执行进程 | 内核态 |
.thread /p /r PETHREAD地址 | 切换到可执行线程 | 内核态 |
kd> !process 0 0 smss.exe Failed to get VAD root PROCESS 81c38da0 SessionId: none Cid: 0220 Peb: 7ffd4000 ParentCid: 0004 DirBase: 08a40020 ObjectTable: e13bde58 HandleCount: 19. Image: smss.exe kd> .process /p /r /i 81c38da0 You need to continue execution (press ‘g‘ <enter>) for the context to be switched. When the debugger breaks in again, you will be in the new process context. kd> g Break instruction exception - code 80000003 (first chance) nt!RtlpBreakWithStatusInstruction: 80528bec cc int 3
kd> .thread /p /r 805537c0 Implicit thread is now 805537c0 Implicit process is now 80553a20 .cache forcedecodeuser done Loading User Symbols
如何查看SEH链?
0:000> !exchain 0012fea8: Prymes!_except_handler3+0 (00407604) CRT scope 0, filter: Prymes!dzExcepError+e6 (00401576) func: Prymes!dzExcepError+ec (0040157c) 0012ffb0: Prymes!_except_handler3+0 (00407604) CRT scope 0, filter: Prymes!mainCRTStartup+f8 (004021b8) func: Prymes!mainCRTStartup+113 (004021d3) 0012ffe0: KERNEL32!GetThreadContext+1c (77ea1856)
摘自:https://www.jianshu.com/p/56ff0bc43d3d