INT匹配命令如下:
bp ws2_32!send ".if(poi(esp+4)!=50){gc;}"
字符串匹配命令如下:
bp kernel32!CreateFileW "as /mu $FileName poi(@esp+0x4);.block{r @$t0=$scmp(@"$FileName", @"C:\Test\1.txt");.if(0!=@$t0){gc;}}"
1. as /mu $FileName poi(@esp+0x4); //取决于第一个参数,需要则用 @ecx/rcx 替代 @esp+0x4
取CreateFileW的第一个参数,作为别名 $FileName
2. r @$t0=$scmp(@"$FileName", @"C:\Test\1.txt");
把文件名与字符串 "C:\Test\1.txt"对比,结果存放在$t0寄存器
3. .if(0!=@$t0){gc;}
比对结果不为0,gc继续执行;即字符串相同break
使用时须注意以下几点:
1.必须在使用别名前,先用ad命令把别名删除掉(否则断点会失败,ad用法与bd,bc等相同),al命令查看所有别名。
2.必须使用block语句块,否则断点无效。
3.scmp/sicmp/spat进行字符串比较,scmp大小写敏感;sicmp不区分大小写;spat模糊匹配,用*代替模糊词组。
4.poi(address) 取值,此断点仅用于x86环境,x64环境改 poi(@esp+0x4) 为 poi(@rcx) ,代表CreateFile第一个参数pFilePath。
常用条件断点:
-----------------------------x86---------------------------
bp ntdll!NtCreateFile "as /msu $Name poi(poi(@esp+0xc)+8);.block{.if($spat("${$Name}","*1.txt")){.echo ${$Name}}.else{gc}}"
bp kernel32!CreateFileW "as /mu $Name poi(@esp+0x4);.block{.if($spat("${$Name}","*1.txt")){.echo ${$Name}}.else{gc}}"
bp kernel32!CreateFileW "as /mu $Name poi(@esp+0x4);.block{.if($sicmp("${$Name}","C: est1.txt")){gc}.else{.echo ${$Name}}}"
------------------------------x64-------------------------------
bp ntdll!NtCreateFile "as /msu $Name poi(r8+10);.block{.if($spat("${$Name}","*1.txt")){}.else{gc}}"
bp ntdll!NtCreateFile "as /msu $Name poi(r8+10);.block{.if($sicmp(@"${$Name}",@"C: est1.txt")){gc}.else{}}"
bp ntdll!NtCreateFile "as /msu $Name poi(r8+10);.block{.echo ${$Name}};gc"
bp ntdll!NtCreateFile "as /msu $Name poi(r8+10);.block{.if($sicmp(@"${$Name}",@"C: est1.txt")){gc}.else{}}"
bp ntdll!NtCreateFile "as /msu $Name poi(r8+10);.block{.echo ${$Name}};gc"
bp kernel32!CreateFileW "as /mu $Name @rcx;.block{.if($sicmp("${$Name}","C: est1.txt")){gc}.else{.echo ${$Name}}}"