Some WinDbg usage tips


How to print a function's call relationships

Command                                     Function                                                                  Scope
uf /c /D <address>                          print the calls the current function makes to other functions             user mode / kernel mode
# <function name> <start address> l<length> print the references to that function from code in the given address range kernel mode / user mode
Example 1:
kd> uf /c /D 0x804fa5e6
nt!KeDelayExecutionThread (804fa5e6)
  nt!KeDelayExecutionThread+0x8f (804fa675):
    call to nt!KiUnlockDispatcherDatabase (80542748)
  nt!KeDelayExecutionThread+0xe9 (804fa6cf):
    call to nt!KiInsertTreeTimer (80500f62)
  nt!KeDelayExecutionThread+0x116 (804fa6fc):
    call to nt!KiSetPriorityThread (80501bba)
  nt!KeDelayExecutionThread+0x12f (804fa715):
    call to nt!KiFindReadyThread (80501894)
  nt!KeDelayExecutionThread+0x19f (804fa785):
    call to nt!KiActivateWaiterQueue (804fc02a)
  nt!KeDelayExecutionThread+0x1c4 (804fa7aa):
    call to nt!KiSwapThread (80501ca0)
  nt!KeDelayExecutionThread+0x1de (804fa7c4):
    call to nt!KiComputeWaitInterval (804fa504)
  nt!KeDelayExecutionThread+0x1e6 (804fa7cc):
    call to hal!KeRaiseIrqlToDpcLevel (806d3298)
  nt!KeDelayExecutionThread+0x26a (804fa850):
    call to nt!KiUnlockDispatcherDatabase (80542748)

Example 2:

kd> # IopCreateFile 840554ae l10000
nt!NtCreateFile+0x2f:
840554dd e87340ffff      call    nt!IopCreateFile (84049555)
nt!IoCreateFileEx+0x99:
84081442 e80e81fcff      call    nt!IopCreateFile (84049555)
nt!NtOpenFile+0x25:
84084c97 e8b948fcff      call    nt!IopCreateFile (84049555)

How to display a function's instruction count?

Command              Function                               Scope
uf /i /m <address>   display the function's instruction count user mode / kernel mode
kd> uf /i ntcreatefile
21 instructions scanned

nt!NtCreateFile:
8056f2fc 8bff            mov     edi,edi
8056f2fe 55              push    ebp
8056f2ff 8bec            mov     ebp,esp
8056f301 33c0            xor     eax,eax
8056f303 50              push    eax
8056f304 50              push    eax
8056f305 50              push    eax
8056f306 ff7530          push    dword ptr [ebp+30h]
8056f309 ff752c          push    dword ptr [ebp+2Ch]
8056f30c ff7528          push    dword ptr [ebp+28h]
8056f30f ff7524          push    dword ptr [ebp+24h]
8056f312 ff7520          push    dword ptr [ebp+20h]
8056f315 ff751c          push    dword ptr [ebp+1Ch]
8056f318 ff7518          push    dword ptr [ebp+18h]
8056f31b ff7514          push    dword ptr [ebp+14h]
8056f31e ff7510          push    dword ptr [ebp+10h]
8056f321 ff750c          push    dword ptr [ebp+0Ch]
8056f324 ff7508          push    dword ptr [ebp+8]
8056f327 e860d8ffff      call    nt!IoCreateFile (8056cb8c)
8056f32c 5d              pop     ebp
8056f32d c22c00          ret     2Ch

How to switch between 64-bit execution mode and virtual-8086 (WoW) execution mode on an x64 system

Command   Function                       Scope
!sw       switch execution mode (WoW)    user mode / kernel mode
0:000> .load wow64exts
0:000> !sw
Switched to Guest (WoW) mode
0:000:x86> ? .
Evaluate expression: 1995360060 = 76eec73c
0:000:x86> !sw
Switched to Host mode
0:000> ? .
Evaluate expression: 1994597202 = 00000000`76e32352
0:000> .load wow64exts
0:000> u .
wow64cpu!CpupSyscallStub+0x2:
00000000`76e32352 c3              ret
00000000`76e32353 cc              int     3
00000000`76e32354 b80d0000c0      mov     eax,0C000000Dh
00000000`76e32359 e93ef0ffff      jmp     wow64cpu!CpuSetContext+0x15c (00000000`76e3139c)
00000000`76e3235e 488b876c010000  mov     rax,qword ptr [rdi+16Ch]
00000000`76e32365 48898370010000  mov     qword ptr [rbx+170h],rax
00000000`76e3236c 488b8774010000  mov     rax,qword ptr [rdi+174h]
00000000`76e32373 48898378010000  mov     qword ptr [rbx+178h],rax
0:000> !sw
Switched to Guest (WoW) mode
0:000:x86> u 00000000`76e32352
wow64cpu!CpupSyscallStub+0x2:
76e32352 c3              ret
76e32353 cc              int     3
76e32354 b80d0000c0      mov     eax,0C000000Dh
76e32359 e93ef0ffff      jmp     wow64cpu!CpuSetContext+0x15c (76e3139c)
76e3235e 48              dec     eax
76e3235f 8b876c010000    mov     eax,dword ptr [edi+16Ch]
76e32365 48              dec     eax
76e32366 898370010000    mov     dword ptr [ebx+170h],eax
Tip: you can also modify cs by hand to get the same effect.

How to find symbols near an address

Command        Function                          Scope
ln <address>   find the symbols near an address  user mode / kernel mode
kd> ln nt!ntcreatefile-1

(84055482)   nt!SeValidateSecurityQos+0x2b   |  (840554ae)   nt!NtCreateFile

How to trace all the sub-functions a function executes?

kd> wt
Tracing testdriver2!func to return address f89cb070
    8     0 [  0] testdriver2!func
    7     0 [  1]   nt!ExAllocatePool
   89     0 [  2]     nt!ExAllocatePoolWithTag
    5     0 [  3]       hal!KeRaiseIrqlToDpcLevel
  197     5 [  2]     nt!ExAllocatePoolWithTag
    9   202 [  1]   nt!ExAllocatePool
   13   211 [  0] testdriver2!func
   85     0 [  1]   nt!ExFreePoolWithTag
   19   296 [  0] testdriver2!func
315 instructions were executed in 7 events (0 from other threads)

Function Name                               Invocations MinInst MaxInst AvgInst
hal!KeRaiseIrqlToDpcLevel                             1       5       5       5
nt!ExAllocatePool                                     1       9       9       9
nt!ExAllocatePoolWithTag                              1     197     197     197
nt!ExFreePoolWithTag                                  1      85      85      85
testdriver2!func                     

Stack backtrace

The backtrace stack records the return address of every level of function call.

Command       Function
k             trace to the nth branch instruction
kb            execute to the nth branch instruction
!stacks       trace to the nth branch instruction
!uniqstack    execute to the nth branch instruction

How to set a breakpoint at a physical address?

If a PE is loaded through a file memory mapping, one block of physical memory is mapped into several different virtual address ranges, so when the other side has mapped several copies of the same PE you would often have to set a breakpoint at each of those virtual addresses. Here is a way to set the breakpoint manually in physical memory instead. Scope: kernel mode.

kd> !pte 840554ae
                    VA 840554ae
PDE at C0602100            PTE at C04202A8
contains 00000000001DA063  contains 0000000004055121
pfn 1da       ---DA--KWEV  pfn 4055      -G--A--KREV
Find the physical address of NtCreateFile:
kd> !db 40554ae
# 40554ae 8b ff 55 8b ec 51 33 c0-50 6a 20 50 50 50 ff 75 ..U..Q3.Pj PPP.u
# 40554be 30 ff 75 2c ff 75 28 ff-75 24 ff 75 20 ff 75 1c 0.u,.u(.u$.u .u.
# 40554ce ff 75 18 ff 75 14 ff 75-10 ff 75 0c ff 75 08 e8 .u..u..u..u..u..
# 40554de 73 40 ff ff 59 5d c2 2c-00 90 90 90 90 90 6a 40 s@..Y].,......j@
# 40554ee 68 28 42 e6 83 e8 70 51-e2 ff 8b 75 0c 8b 86 88 h(B...pQ...u....
# 40554fe 00 00 00 89 45 cc 8b 86-50 01 00 00 89 45 d0 8d ....E...P....E..
# 405550e 7d d8 89 7d d4 c6 45 e2-00 3b 75 08 74 33 8d 8e }..}..E..;u.t3..
# 405551e 70 02 00 00 8b 11 83 e2-fe 8d 42 02 8b f8 8b d9 p.........B.....
Patch it by hand into a software breakpoint:
kd> !eb 40554ae cc
kd> g
Break instruction exception - code 80000003 (first chance)
nt!NtCreateFile:
840554ae cc              int     3
After the break, the physical memory has to be restored by hand.

How to set a breakpoint for a specific thread/process?

Command                   Function                          Scope
bp /p <EPROCESS address>  breakpoint for a specific process kernel mode
bp /t <ETHREAD address>   breakpoint for a specific thread  kernel mode

How to set breakpoints on all functions named like Gen*?

0:000> bm /a ml64!Gen*
  1: 00000000`00c733c0 @!"ml64!genIntReloc"
  2: 00000000`00c73694 @!"ml64!genDataDef"
  3: 00000000`00c7160c @!"ml64!GenCodeJump"
  4: 00000000`00c9a354 @!"ml64!genPrologue"
  5: 00000000`00c73ef4 @!"ml64!GenCodeRet"
  6: 00000000`00c9a620 @!"ml64!genEpilogue"
  7: 00000000`00c73a60 @!"ml64!genNormReloc"
  8: 00000000`00c71008 @!"ml64!GenCodeLoop"
  9: 00000000`00c71710 @!"ml64!GenREXPrefix"
 10: 00000000`00cda6d0 @!"ml64!genmcBuffT"
 11: 00000000`00c71940 @!"ml64!GenCodeNormal"
 12: 00000000`00c73434 @!"ml64!genReloc"
 13: 00000000`00c98ffc @!"ml64!genProEpiMacroCall"
 14: 00000000`00c73d00 @!"ml64!GenCodeString

How to set a string breakpoint correctly?

0:000> db .
76f63bad  6c 00 69 00 63 00 68 00-6b 00 69 00 6e 00 67 00  l.i.c.h.k.i.n.g.
76f63bbd  00 00 00 00 f9 ff c3 90-90 90 90 fe ff ff ff 00  ................
76f63bcd  24 00 7b 00 74 00 32 00-7d 00 00 00 ff ff ff b0  $.{.t.2.}.......
76f63bdd  3b f6 76 b4 3b f6 76 90-90 90 90 90 8b ff 55 8b  ;.v.;.v.......U.
76f63bed  ec 81 ec 3c 02 00 00 a1-50 32 fb 76 33 c5 89 45  ...<....P2.v3..E
76f63bfd  fc 53 56 8b 35 a0 f0 fa-76 8b d9 57 6a 2a 58 66  .SV.5...v..Wj*Xf
76f63c0d  89 85 dc fd ff ff 33 ff-89 bd ea fd ff ff 66 89  ......3.......f.
76f63c1d  bd ee fd ff ff c7 85 e0-fd ff ff a8 b7 ef 76 c7  ..............v.
Matching syntax:
0:000> .block{as /mu ${/v:tn2} 76f63bad};? $scmp("${tn2}","lichking")
Evaluate expression: 0 = 00000000
Note: the .block is mandatory; an as statement must be separated out in its own block before the alias it defines can be expanded.
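The same as /mu + .block idiom turned into a conditional breakpoint, as an added example that is not part of the original post: it assumes a 32-bit user-mode target that opens files through kernel32!CreateFileW (lpFileName is at [esp+4] on entry), and the path fragment "secret" is a constructed value.

```windbg
$$ Conditional breakpoint on a Unicode string argument (added example, not from the original post).
$$ Assumptions: x86 user-mode target, breakpoint on kernel32!CreateFileW, lpFileName at [esp+4] on entry,
$$ "*secret*" is a constructed pattern. Load with: $$>a< <path to this script file>

$$ Drop any stale alias from an earlier run; ${/v:...} keeps the name from being expanded on this line.
ad /q ${/v:FileName}

$$ First .block captures lpFileName as a Unicode-string alias (as /mu).
$$ Second .block is required so ${FileName} is expanded only after the alias exists (the point made above).
$$ $spat returns 1 on a wildcard match: report with a stack; otherwise gc resumes the target silently.
bp kernel32!CreateFileW ".block { as /mu ${/v:FileName} poi(@esp+4) }; .block { .if ($spat(\"${FileName}\", \"*secret*\") != 0) { .echo ===== CreateFileW matched: ${FileName}; kb } .else { gc } }"

$$ Exact-match variant using $scmp, as in the ? $scmp(...) check above (0 means the strings are equal).
$$ bp kernel32!CreateFileW ".block { as /mu ${/v:FileName} poi(@esp+4) }; .block { .if ($scmp(\"${FileName}\", \"lichking\") == 0) { kb } .else { gc } }"
```

Because the alias is re-assigned on every hit, the same breakpoint body works without clearing it between hits.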

Exceptions & events

Command                           Function
sxe <event/exception name>        enable capture of the event/exception
sxd <event/exception name>        disable capture of the event/exception

Exception code   Type
av               assertion error
dz               integer divide by zero
c000008e         floating-point divide by zero
eh               C++ exception
gp               page protection error
ii               illegal instruction
iov              integer overflow
isc              invalid system call
sbo              stack buffer overrun
sov              stack overflow
aph              application stopped responding (hang)
3c               child process exit
ch / hc          invalid handle
wos              WOW64 single-step exception
wob              WOW64 breakpoint exception
sse / ssec       single-step exception
bpe / bpec       breakpoint exception
cce / cc         Ctrl+C; Ctrl+Break

Event code   Type
ser          system error
cpr          process creation
epr          process exit
ct           thread creation
et           thread exit
ld           module load
ud           module unload
out          debug output

How to pause/resume thread execution?

Command                                 Function                                    Scope
.process /p /r /i <PEPROCESS address>   switch execution to the given process       kernel mode
.thread /p /r <PETHREAD address>        switch execution to the given thread        kernel mode
kd> !process 0 0 smss.exe
Failed to get VAD root
PROCESS 81c38da0  SessionId: none  Cid: 0220    Peb: 7ffd4000  ParentCid: 0004
    DirBase: 08a40020  ObjectTable: e13bde58  HandleCount:  19.
    Image: smss.exe

kd> .process /p /r /i 81c38da0
You need to continue execution (press 'g' <enter>) for the context
to be switched. When the debugger breaks in again, you will be in
the new process context.
kd> g
Break instruction exception - code 80000003 (first chance)
nt!RtlpBreakWithStatusInstruction:
80528bec cc              int     3
kd> .thread /p /r 805537c0
Implicit thread is now 805537c0
Implicit process is now 80553a20
.cache forcedecodeuser done
Loading User Symbols

How to view the SEH chain?

0:000> !exchain
0012fea8: Prymes!_except_handler3+0 (00407604)
  CRT scope  0, filter: Prymes!dzExcepError+e6 (00401576)
                func:   Prymes!dzExcepError+ec (0040157c)
0012ffb0: Prymes!_except_handler3+0 (00407604)
  CRT scope  0, filter: Prymes!mainCRTStartup+f8 (004021b8)
                func:   Prymes!mainCRTStartup+113 (004021d3)
0012ffe0: KERNEL32!GetThreadContext+1c (77ea1856)


Source: https://www.jianshu.com/p/56ff0bc43d3d
