当前位置:网站首页>关于内和调试无法查看ntdll内存的问题

关于内和调试无法查看ntdll内存的问题

2022-07-30 16:56:00 ma_de_hao_mei_le

友链

鸣谢
参考:

在这里插入图片描述
在这里插入图片描述

在内核调试下,用户空间的内存是否可以访问,取决于当前的进程上下文,而ntdll就是加载在用户空间的

64位
在这里插入图片描述32位
在这里插入图片描述

可以看到都是在用户空间内存范围的

使用windbg的.process命令可以让内核调试器使用指定的用户模式下的进程作为进程上下文,这样一来调试器就可以访问到该进程的虚拟内存空间了

可以先放行目标机器执行流程g,然后在目标机器上起一个notepad.exe进程(记事本)

然后在windbg上break,切换进程上下文

kd> !process 0 0 notepad.exe
PROCESS 84812a60  SessionId: 1  Cid: 0450    Peb: 7ffd6000  ParentCid: 0518
    DirBase: 3f2b4260  ObjectTable: 93e5c7a8  HandleCount:  58.
    Image: notepad.exe

kd> .process /i /p /r 84812a60  
You need to continue execution (press 'g' <enter>) for the context
to be switched. When the debugger breaks in again, you will be in
the new process context.
kd> g
Break instruction exception - code 80000003 (first chance)
nt!RtlpBreakWithStatusInstruction:
82a6d03c cc              int     3
kd> .process
Implicit process is now 84812a60
kd> .context
User-mode page directory base is 3f2b4260
kd> !peb
PEB at 7ffd6000
    InheritedAddressSpace:    No
    ReadImageFileExecOptions: No
    BeingDebugged:            No
    ImageBaseAddress:         00a10000
    NtGlobalFlag:             0
    NtGlobalFlag2:            0
    Ldr                       77718880
    Ldr.Initialized:          Yes
    Ldr.InInitializationOrderModuleList: 001318f8 . 0013ecb0
    Ldr.InLoadOrderModuleList:           00131868 . 0013eca0
    Ldr.InMemoryOrderModuleList:         00131870 . 0013eca8
            Base TimeStamp                     Module
          a10000 559ea6ff Jul 10 00:53:19 2015 C:\Windows\system32\notepad.exe
        77640000 5b626fd1 Aug 02 10:43:29 2018 C:\Windows\SYSTEM32\ntdll.dll
        75740000 5b1aa77a Jun 08 23:57:46 2018 C:\Windows\system32\kernel32.dll
        75670000 5b1aa77b Jun 08 23:57:47 2018 C:\Windows\system32\KERNELBASE.dll
        77390000 5b626f21 Aug 02 10:40:33 2018 C:\Windows\system32\ADVAPI32.dll
        75a40000 4eeaf722 Dec 16 15:45:38 2011 C:\Windows\system32\msvcrt.dll
        77790000 556362e4 May 26 01:59:00 2015 C:\Windows\SYSTEM32\sechost.dll
        777e0000 5b626f6c Aug 02 10:41:48 2018 C:\Windows\system32\RPCRT4.dll
        75d30000 59b2b2c3 Sep 08 23:09:55 2017 C:\Windows\system32\GDI32.dll
        75df0000 58249e2b Nov 11 00:19:55 2016 C:\Windows\system32\USER32.dll
        75cc0000 5b4230d2 Jul 08 23:42:10 2018 C:\Windows\system32\LPK.dll
        766a0000 59946079 Aug 16 23:10:49 2017 C:\Windows\system32\USP10.dll
        759c0000 4ce7b82d Nov 20 19:59:41 2010 C:\Windows\system32\COMDLG32.dll
        75cd0000 4ce7b9e2 Nov 20 20:06:58 2010 C:\Windows\system32\SHLWAPI.dll
        74330000 553a8345 Apr 25 01:54:13 2015 C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\COMCTL32.dll
        76740000 5b213e7c Jun 13 23:55:40 2018 C:\Windows\system32\SHELL32.dll
        72600000 4ce7ba4b Nov 20 20:08:43 2010 C:\Windows\system32\WINSPOOL.DRV
        774e0000 5b1aa6f9 Jun 08 23:55:37 2018 C:\Windows\system32\ole32.dll
        77440000 5add1d9b Apr 23 07:41:15 2018 C:\Windows\system32\OLEAUT32.dll
        748a0000 4a5bdb2b Jul 14 09:11:07 2009 C:\Windows\system32\VERSION.dll
        777c0000 4ce7b845 Nov 20 20:00:05 2010 C:\Windows\system32\IMM32.DLL
        761e0000 59b94a4c Sep 13 23:10:04 2017 C:\Windows\system32\MSCTF.dll
        75330000 5b626815 Aug 02 10:10:29 2018 C:\Windows\system32\CRYPTBASE.dll
        741b0000 4a5bdb38 Jul 14 09:11:20 2009 C:\Windows\system32\uxtheme.dll
        73e70000 559eb13d Jul 10 01:37:01 2015 C:\Windows\system32\dwmapi.dll
    SubSystemData:     00000000
    ProcessHeap:       00130000
    ProcessParameters: 00131088
    CurrentDirectory:  'C:\Users\x\'
    WindowTitle:  'C:\Users\x\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Notepad.lnk'
    ImageFile:    'C:\Windows\system32\notepad.exe'
    CommandLine:  '"C:\Windows\system32\notepad.exe" '
    DllPath:      'C:\Windows\system32;;C:\Windows\system32;C:\Windows\system;C:\Windows;.;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\'
    Environment:  001307f0
        =::=::\
        ALLUSERSPROFILE=C:\ProgramData
        APPDATA=C:\Users\x\AppData\Roaming
        CommonProgramFiles=C:\Program Files\Common Files
        COMPUTERNAME=WIN-R59CTBAGARF
        ComSpec=C:\Windows\system32\cmd.exe
        FP_NO_HOST_CHECK=NO
        HOMEDRIVE=C:
        HOMEPATH=\Users\x
        LOCALAPPDATA=C:\Users\x\AppData\Local
        LOGONSERVER=\\WIN-R59CTBAGARF
        NUMBER_OF_PROCESSORS=1
        OS=Windows_NT
        Path=C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\
        PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
        PROCESSOR_ARCHITECTURE=x86
        PROCESSOR_IDENTIFIER=x86 Family 6 Model 165 Stepping 3, GenuineIntel
        PROCESSOR_LEVEL=6
        PROCESSOR_REVISION=a503
        ProgramData=C:\ProgramData
        ProgramFiles=C:\Program Files
        PSModulePath=C:\Windows\system32\WindowsPowerShell\v1.0\Modules\
        PUBLIC=C:\Users\Public
        SESSIONNAME=Console
        SystemDrive=C:
        SystemRoot=C:\Windows
        TEMP=C:\Users\x\AppData\Local\Temp
        TMP=C:\Users\x\AppData\Local\Temp
        USERDOMAIN=WIN-R59CTBAGARF
        USERNAME=x
        USERPROFILE=C:\Users\x
        windir=C:\Windows
        windows_tracing_flags=3
        windows_tracing_logfile=C:\BVTBin\Tests\installpackage\csilogfile.log

.reload /f重新加载

在这里插入图片描述

就好了

原网站

版权声明
本文为[ma_de_hao_mei_le]所创,转载请带上原文链接,感谢
https://blog.csdn.net/ma_de_hao_mei_le/article/details/126051148

边栏推荐

猜你喜欢

随机推荐