WinDbg: breaking into a driver at load time

    Thanks to sudaim's reply, which saved newbies like me from racking our brains for another way to get in:

    http://bbs.pediy.com/showthread.php?t=128515 

    Connect WinDbg to the VM, break in once while the virtual machine is booting, then enter:
    sxe ld 360SelfProtection
     
    Before long it breaks in, as shown below:
    kd> lmvm 360SelfProtection
     
    start end module name
    f67b4000 f67d1980 360SelfProtection (no symbols) 
    Loaded symbol image file: 360SelfProtection.sys
    Image path: 360SelfProtection.sys
    Image name: 360SelfProtection.sys
    Timestamp: Tue Jan 11 19:36:54 2011 (4D2C40D6)
    CheckSum: 00021EF4
    ImageSize: 0001D980
    File version: 1.0.0.1054
    Product version: 1.0.0.1054
    File flags: 0 (Mask 3F)
    File OS: 40004 NT Win32
    File type: 3.8 Driver
    File date: 00000000.00000000
    Translations: 0804.04b0
    CompanyName: 360安全中心
    ProductName: 360安全中心
    InternalName: SelfProtection
    OriginalFilename: SelfProtection.sys
    ProductVersion: 1, 0, 0, 1054
    FileVersion: 1, 0, 0, 1054
    PrivateBuild: 1, 0, 0, 1054
    SpecialBuild: 1, 0, 0, 1054
    FileDescription: 360安全卫士 - SelfProtection
    LegalCopyright: 版权所有 (C) 2006-2010 360安全中心
    LegalTrademarks: 版权所有 (C) 2006-2010 360安全中心
    Comments: 版权所有 (C) 2006-2010 360安全中心
     
    kd> kvn 100
    # ChildEBP RetAddr Args to Child 
    00 f819c398 80527fce f819c430 f819c3ac 00000003 nt!DebugService2+0x10 (FPO: [3,0,0])
    01 f819c3bc 805a3cea f819c430 f67b4000 ffffffff nt!DbgLoadImageSymbols+0x42 (FPO: [3,4,0])
    02 f819c560 80576254 f819c5e4 00000000 00000000 nt!MmLoadSystemImage+0xa34 (FPO: [Non-Fpo])
    03 f819c640 80689770 000006c8 00000001 00000000 nt!IopLoadDriver+0x370 (FPO: [4,45,0])
    04 f819c69c 80686ad9 00043000 00000000 00000000 nt!IopInitializeSystemDrivers+0x16c (FPO: [0,14,4])
    05 f819c83c 80684edd 80087000 00000000 81c4f3e8 nt!IoInitSystem+0x7a3 (FPO: [1,99,4])
    06 f819cdac 805c5a28 80087000 00000000 00000000 nt!Phase1Initialization+0x9b5 (FPO: [1,342,4])
    07 f819cddc 80541fa2 80684528 80087000 00000000 nt!PspSystemThreadStartup+0x34 (FPO: [Non-Fpo])
    08 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
     
     
    kd> bp f67b4000+poi(poi(f67b4000+3c)+f67b4000+28)
    kd> bl
    0 e f67cee85 0001 (0001) 360SelfProtection+0x1ae85
     
    kd> u f67cee85
    360SelfProtection+0x1ae85:
    f67cee85 a188ad7cf6 mov eax,dword ptr [360SelfProtection+0x16d88 (f67cad88)]
    f67cee8a 85c0 test eax,eax
    f67cee8c b94ee640bb mov ecx,0BB40E64Eh
    f67cee91 7404 je 360SelfProtection+0x1ae97 (f67cee97)
    f67cee93 3bc1 cmp eax,ecx
    f67cee95 7519 jne 360SelfProtection+0x1aeb0 (f67ceeb0)
    f67cee97 a1a48a7cf6 mov eax,dword ptr [360SelfProtection+0x14aa4 (f67c8aa4)]
    f67cee9c 8b00 mov eax,dword ptr [eax]
     
    kd> g
    Breakpoint 0 hit
    360SelfProtection+0x1ae85:
    f67cee85 a188ad7cf6 mov eax,dword ptr [360SelfProtection+0x16d88 (f67cad88)]
     
    kd> kvn 100
    # ChildEBP RetAddr Args to Child 
    WARNING: Stack unwind information not available. Following frames may be wrong.
    00 f819c640 80689770 000006c8 00000001 00000000 360SelfProtection+0x1ae85
    01 f819c69c 80686ad9 00043000 00000000 00000000 nt!IopInitializeSystemDrivers+0x16c (FPO: [0,14,4])
    02 f819c83c 80684edd 80087000 00000000 81c4f3e8 nt!IoInitSystem+0x7a3 (FPO: [1,99,4])
    03 f819cdac 805c5a28 80087000 00000000 00000000 nt!Phase1Initialization+0x9b5 (FPO: [1,342,4])
    04 f819cddc 80541fa2 80684528 80087000 00000000 nt!PspSystemThreadStartup+0x34 (FPO: [Non-Fpo])
    05 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
     
    OK, we are now inside the driver itself; start debugging.
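    The breakpoint command above walks the PE header by hand: poi(base+3c) reads e_lfanew, poi(nt+28) reads AddressOfEntryPoint, and adding the base gives DriverEntry. The Python below is an added example, not code from the original post: it performs the same walk over a constructed minimal PE32 header (not the real 360SelfProtection.sys) using the start address and ImageSize from the lmvm output, validates the signatures and bounds that the raw WinDbg expression silently skips, and notes why the 0x28 offset holds for PE32+ drivers too.

```python
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D     # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550  # "PE\0\0"
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B

def poi(image: bytes, base: int, addr: int) -> int:
    """Emulate WinDbg's poi(): read a little-endian DWORD at a virtual address."""
    off = addr - base
    if off < 0 or off + 4 > len(image):
        raise ValueError(f"poi({addr:#x}) reads outside the mapped image")
    return struct.unpack_from("<I", image, off)[0]

def entry_point_va(image: bytes, base: int) -> int:
    """base + AddressOfEntryPoint, i.e. what bp base+poi(poi(base+3c)+base+28) computes.
    e_lfanew is at DOS header +0x3c; AddressOfEntryPoint is at IMAGE_NT_HEADERS +0x28
    (Signature 4 + IMAGE_FILE_HEADER 20 + field offset 0x10 in the optional header) for
    both PE32 and PE32+, so the one expression works for 32- and 64-bit drivers alike."""
    if struct.unpack_from("<H", image, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("no MZ signature at the load address")
    nt = base + poi(image, base, base + 0x3C)
    if poi(image, base, nt) != IMAGE_NT_SIGNATURE:
        raise ValueError("e_lfanew does not point at PE\\0\\0")
    magic = struct.unpack_from("<H", image, nt - base + 0x18)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unknown optional-header magic {magic:#x}")
    rva = poi(image, base, nt + 0x28)
    size_of_image = poi(image, base, nt + 0x50)  # SizeOfImage, same offset in both formats
    if not 0 < rva < size_of_image:
        raise ValueError(f"entry RVA {rva:#x} is outside SizeOfImage {size_of_image:#x}")
    return base + rva

def build_pe32_header(entry_rva: int, size_of_image: int, e_lfanew: int = 0x80) -> bytes:
    """Constructed minimal PE32 header; only the fields the walk reads are filled in."""
    dos = bytearray(e_lfanew)
    struct.pack_into("<H", dos, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 4, 0, 0, 0, 0xE0, 0x0102)  # i386, 4 sections
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 0x10, entry_rva)      # AddressOfEntryPoint
    struct.pack_into("<I", opt, 0x38, size_of_image)  # SizeOfImage
    return bytes(dos) + struct.pack("<I", IMAGE_NT_SIGNATURE) + file_hdr + bytes(opt)

# Numbers from the post's lmvm/bl output: start f67b4000, ImageSize 0001D980, bp hit f67cee85.
BASE, SIZE_OF_IMAGE = 0xF67B4000, 0x0001D980
IMAGE = build_pe32_header(entry_rva=0x1AE85, size_of_image=SIZE_OF_IMAGE)
```

    entry_point_va(IMAGE, BASE) yields f67cee85, the address bl reported for breakpoint 0.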
    Author: Y4ng
    Source: http://y4ng.cnblogs.com/
    Copyright of this article belongs to Y4ng and is protected by law. It may not be reproduced without the author's written permission. If the author agrees to reproduction, the original source, the author information and this notice must be given as a hyperlink.
    Original URL: https://www.cnblogs.com/Y4ng/p/2514726.html