After switching to a process context in WinDbg, is there a way to switch back to the original context? I have used the following commands:
Get the process address:
!process 0 0 myprocess.exe
Then switch to the myprocess.exe context with this command:
.process /i /r /p <address>
Now how do I switch back to physical addresses? I want to use WinDbg to debug a function, starting from a syscall in myprocess.exe, along the whole path into the ntdll function, but once I am in the process context I do not know how to go back to physical addresses so that I can continue debugging ntdll after the syscall completes.
I have already tried searching online but could not find an answer. Thanks.
Assuming you have a proper kernel debugging environment set up, you can trace from user mode to kernel mode and back to user mode.
Shown below is an example of a stripped-down low-level CreateFile call.
It starts with the last leg of the journey in user mode, located in ntdll.dll.
Compile, link and transfer the executable to the target machine, and then from the target
use ntsd -d exe, or use !gflag +ksl; sxe ld:ntcfile in the host windbg.
sxe ld: is once per boot.
For ntsd -d you need windbg installed in the target.
Read the documentation about both methods first.
You can also look at some of my old answers.
// PoC and demo code using fragile semi-documented functions and magic constants
// compiled and linked in VS2017 Community, x86 as x86, with the cmd dev prompt
// will produce a bare-bones ~1 KB exe; on successful execution it will create or
// open a zero-byte text file testfile.txt in C:\
#include <windows.h>
#include <winternl.h>
#pragma comment(lib, "ntdll.lib")
// Length 38 bytes, MaximumLength 40 bytes, NT-native path (\??\ prefix)
UNICODE_STRING FileName = { 38, 40, L"\\??\\C:\\testfile.txt" };
// 0x18 = sizeof(OBJECT_ATTRIBUTES) on x86, 0x40 = OBJ_CASE_INSENSITIVE
OBJECT_ATTRIBUTES Ob = { 0x18, NULL, &FileName, 0x40, NULL, NULL };
IO_STATUS_BLOCK ioStatus;
HANDLE Out;
int main(void) {
    // 0x80000000 = GENERIC_READ, 0x80 = FILE_ATTRIBUTE_NORMAL, share 0, 3 = FILE_OPEN_IF
    NtCreateFile(&Out, 0x80000000, &Ob, &ioStatus, NULL, 0x80, 0, 3, 0, NULL, 0);
    return (int)Out; // the handle value becomes the process exit code
}
Compile, link, execute and verify:
:>ls -lg c:\testfile.txt
ls: c:\testfile.txt: No such file or directory
:>cl /Zi /W4 /analyze /Od /nologo ntcfile.cpp /link /release /entry:main /subsystem:windows /fixed
ntcfile.cpp
:>powershell -c "(Start-Process -PassThru -Wait .\ntcfile.exe).ExitCode"
12
:>ls -lg c:\testfile.txt
-rw-rw-rw- 1 0 0 2021-01-04 01:21 c:\testfile.txt
Shown below is a walkthrough, in host and target, using the code above.
$$ on executing ntsd -d in target you get a user mode prompt in kernel debugger
$$ issue .breakin to change mode
.breakin
Break instruction exception - code 80000003 (first chance)
nt!RtlpBreakWithStatusInstruction:
82882d00 cc int 3
Find the EPROCESS of interest:
kd> !process 0 0 ntcfile.exe
PROCESS 84386828 SessionId: 1 Cid: 04d8 Peb: 7ffdf000 ParentCid: 01a4
DirBase: 0b1eb000 ObjectTable: 96f2a970 HandleCount: 4.
Image: ntcfile.exe
Set a process-specific breakpoint on the kernel-mode DDI corresponding to the user-mode API (mostly the function with the same name in ntdll) and continue (f5 or g -> enter). You will be back at the user-mode prompt; debug there. If you sysenter into the kernel where the kernel-mode breakpoint is set, you will break in kernel mode in the correct process context.
kd> bp /p 84386828 nt!NtCreateFile
kd> bl
0 e Disable Clear 82a7642e 0001 (0001) nt!NtCreateFile
Match process data 84386828
kd> g
0:000> g @$exentry
g @$exentry
eax=77533c33 ebx=7ffdf000 ecx=00000000 edx=00401000 esi=00000000 edi=00000000
eip=00401000 esp=0012ff8c ebp=0012ff94 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
ntcfile!main:
00401000 55 push ebp
Reload symbols in user mode; it will load the transferred pdb in the target ntsd.
0:000> .reload /f ntcfile.exe=0x400000,4000
.reload /f ntcfile.exe=0x400000,4000
0:000> lmm ntc*
lmm ntc*
start end module name
00400000 00404000 ntcfile (private pdb symbols) c:\Users\winsev\Desktop\ntcfile.pdb
0:000> $$ this pdb is in target transferred along with binary for ntsd -d to work
$$ this pdb is in target transferred along with binary for ntsd -d to work
Disassembly of main:
0:000> uf .
uf .
ntcfile!main:
00401000 55 push ebp
00401001 8bec mov ebp,esp
00401003 6a00 push 0
00401005 6a00 push 0
00401007 6a00 push 0
00401009 6a03 push 3
0040100b 6a00 push 0
0040100d 6880000000 push 80h
00401012 6a00 push 0
00401014 6820304000 push offset ntcfile!ioStatus (00403020)
00401019 6808304000 push offset ntcfile!Ob (00403008)
0040101e 6800000080 push 80000000h
00401023 6828304000 push offset ntcfile!Out (00403028)
00401028 e807000000 call ntcfile!NtCreateFile (00401034)
0040102d a128304000 mov eax,dword ptr [ntcfile!Out (00403028)]
00401032 5d pop ebp
00401033 c3 ret
Step through until the sysenter in ntdll!NtCreateFile, to land in nt!NtCreateFile:
0:000> pc
ntcfile!main+0x28:
00401028 e807000000 call ntcfile!NtCreateFile (00401034)
0:000> t
ntcfile!NtCreateFile:
00401034 ff2500204000 jmp dword ptr [ntcfile!_imp__NtCreateFile (00402000)] ds:0023:00402000={ntdll!NtCreateFile (773e55c8)}
0:000> t
ntdll!NtCreateFile:
773e55c8 b842000000 mov eax,42h
0:000> t
ntdll!NtCreateFile+0x5:
773e55cd ba0003fe7f mov edx,offset SharedUserData!SystemCallStub (7ffe0300)
0:000> t
ntdll!NtCreateFile+0xa:
773e55d2 ff12 call dword ptr [edx] ds:0023:7ffe0300={ntdll!KiFastSystemCall (773e70b0)}
0:000> t
ntdll!KiFastSystemCall:
773e70b0 8bd4 mov edx,esp
0:000> t
773e70b2 0f34 sysenter
0:000> t
You are now in kernel mode:
Breakpoint 0 hit
nt!NtCreateFile:
82a7642e 8bff mov edi,edi
kd> kb
# ChildEBP RetAddr Args to Child
00 961bbd00 8285f87a 00403028 80000000 00403008 nt!NtCreateFile
01 961bbd00 773e70b4 00403028 80000000 00403008 nt!KiFastCallEntry+0x12a
02 0012ff50 773e55d4 0040102d 00403028 80000000 ntdll!KiFastSystemCallRet
03 0012ff54 0040102d 00403028 80000000 00403008 ntdll!NtCreateFile+0xc
04 0012ff88 77533c45 7ffdf000 0012ffd4 774037f5 ntcfile!main+0x2d [c:\users\hp\desktop\ntcfile\ntcfile.cpp @ 14]
05 0012ff94 774037f5 7ffdf000 775c0f6b 00000000 kernel32!BaseThreadInitThunk+0xe
06 0012ffd4 774037c8 00401000 7ffdf000 00000000 ntdll!__RtlUserThreadStart+0x70
07 0012ffec 00000000 00401000 7ffdf000 00000000 ntdll!_RtlUserThreadStart+0x1b
kd> $$ stack consists of both user mode and kernle mode components
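The two host-side steps of the walkthrough above (reading the EPROCESS out of "!process 0 0 image" output to build the "bp /p" command, and telling the kernel-mode and user-mode halves of the mixed "kb" stack apart) as an added Python helper that is not part of the original answer; the sample output is constructed from the session shown here, and the user/kernel split assumes the default 2 GB x86 layout of that session.

```python
import re

# Constructed sample of "!process 0 0 ntcfile.exe" output (values from the session above).
PROCESS_OUTPUT = """\
PROCESS 84386828 SessionId: 1 Cid: 04d8 Peb: 7ffdf000 ParentCid: 01a4
DirBase: 0b1eb000 ObjectTable: 96f2a970 HandleCount: 4.
Image: ntcfile.exe
"""

# Constructed sample of the "kb" output after the kernel breakpoint hit.
KB_OUTPUT = """\
 # ChildEBP RetAddr Args to Child
00 961bbd00 8285f87a 00403028 80000000 00403008 nt!NtCreateFile
01 961bbd00 773e70b4 00403028 80000000 00403008 nt!KiFastCallEntry+0x12a
02 0012ff50 773e55d4 0040102d 00403028 80000000 ntdll!KiFastSystemCallRet
03 0012ff54 0040102d 00403028 80000000 00403008 ntdll!NtCreateFile+0xc
04 0012ff88 77533c45 7ffdf000 0012ffd4 774037f5 ntcfile!main+0x2d
"""

PROCESS_RE = re.compile(r"^PROCESS\s+([0-9a-fA-F]{8})\b", re.M)
IMAGE_RE = re.compile(r"^\s*Image:\s*(\S+)", re.M)
# frame no, ChildEBP, RetAddr, three args, symbol
FRAME_RE = re.compile(
    r"^([0-9a-f]{2})\s+([0-9a-f]{8})\s+([0-9a-f]{8})\s+(?:[0-9a-f]{8}\s+){3}(\S+)", re.M)

# Assumption: default x86 layout, kernel addresses start at 2 GB (systems booted /3GB differ).
KERNEL_BASE_X86 = 0x80000000


def find_eprocess(text, image):
    """Return the EPROCESS addresses (ints) of every record whose Image: matches image."""
    found = []
    for record in re.split(r"(?m)^(?=PROCESS )", text):
        addr, img = PROCESS_RE.search(record), IMAGE_RE.search(record)
        if addr and img and img.group(1).lower() == image.lower():
            found.append(int(addr.group(1), 16))
    return found


def process_breakpoint(eprocess, symbol):
    """Build the process-specific breakpoint command used in the walkthrough."""
    return f"bp /p {eprocess:08x} {symbol}"


def split_kb(text):
    """Classify kb frames as kernel or user by their ChildEBP against the 2 GB split."""
    kernel, user = [], []
    for _no, child_ebp, _ret, symbol in FRAME_RE.findall(text):
        (kernel if int(child_ebp, 16) >= KERNEL_BASE_X86 else user).append(symbol)
    return kernel, user
```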