windbg学习----P和T

p|t =startAddr count

可以让目标程序从指定的startAddr开始指行，注意，如果指定地址跳过了调整栈的代码，栈就会失去平衡

count指定要单步执行的次数，如t 2就是两次运行t

0:000> t 2
eax=99e265e1 ebx=7ffd3000 ecx=00000000 edx=01b00370 esi=0026fc88 edi=0026fc80
eip=01582e9c esp=0026fbd4 ebp=0026fc80 iopl=0         nv up ei ng nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000286
>   17: 	ZeroMemory(&ovi, sizeof(OSVERSIONINFO));
VerifyTxSignDemo!BeginAnti+0x2c:
01582e9c 6a00            push    0
eax=99e265e1 ebx=7ffd3000 ecx=00000000 edx=01b00370 esi=0026fc88 edi=0026fc80
eip=01582e9e esp=0026fbd0 ebp=0026fc80 iopl=0         nv up ei ng nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000286

eip从9c更新到9e,对应汇编：

01582e9c 6a00            push    0
01582e9e 8d8564ffffff    lea     eax,[ebp-9Ch]

两步！

还可以用p|t =startAddr count "command"
command指定每次单步执行后要执行的命令

0:000> t 3 ".echo @"run ok....""
eax=00000000 ebx=7ffd3000 ecx=0026fbe4 edx=00000094 esi=0026fc88 edi=0026fc80
eip=018c24fe esp=0026fbc8 ebp=0026fc80 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
No source found for 'f:ddvctoolscrt_bldSELF_X86crtsrcINTELmemset.asm'
VerifyTxSignDemo!memset+0x1e:
018c24fe 833da080b00100  cmp     dword ptr [VerifyTxSignDemo!__sse2_available (01b080a0)],0 ds:0023:01b080a0=00000001
eax=00000000 ebx=7ffd3000 ecx=0026fbe4 edx=00000094 esi=0026fc88 edi=0026fc80
eip=018c2505 esp=0026fbc8 ebp=0026fc80 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
No source found for 'f:ddvctoolscrt_bldSELF_X86crtsrcINTELmemset.asm'
VerifyTxSignDemo!memset+0x25:
018c2505 7405            je      VerifyTxSignDemo!memset+0x2c (018c250c) [br=0]
run ok....
eax=00000000 ebx=7ffd3000 ecx=0026fbe4 edx=00000094 esi=0026fc88 edi=0026fc80
eip=018c2507 esp=0026fbc8 ebp=0026fc80 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
No source found for 'f:ddvctoolscrt_bldSELF_X86crtsrcINTELmemset.asm'
VerifyTxSignDemo!memset+0x27:
018c2507 e983b9c9ff      jmp     VerifyTxSignDemo!ILT+16010(__VEC_memzero) (0155de8f)

可以看到,run ok....只执行了一次

pa|ta  =startAddr stopAddr “command”

相当于反复调用p或t，不同就是，t会遇到函数调用进入到函数中，而不是越过

0:000> r eip
eip=00452e7a
0:000> pa 00452e8b ".echo @"pa run ok...""
eax=00000001 ebx=7ffdb000 ecx=85fc7085 edx=009d0370 esi=0019fcc0 edi=0019fdc8
eip=00452e7b esp=0019fc10 ebp=0019fcb8 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
>   14: {
VerifyTxSignDemo!BeginAnti+0xb:
00452e7b 8dbd60ffffff    lea     edi,[ebp-0A0h]
eax=00000001 ebx=7ffdb000 ecx=85fc7085 edx=009d0370 esi=0019fcc0 edi=0019fc18
eip=00452e81 esp=0019fc10 ebp=0019fcb8 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
>   14: {
VerifyTxSignDemo!BeginAnti+0x11:
00452e81 b928000000      mov     ecx,28h
eax=00000001 ebx=7ffdb000 ecx=00000028 edx=009d0370 esi=0019fcc0 edi=0019fc18
eip=00452e86 esp=0019fc10 ebp=0019fcb8 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
>   14: {
VerifyTxSignDemo!BeginAnti+0x16:
00452e86 b8cccccccc      mov     eax,0CCCCCCCCh
pa run ok...
eax=cccccccc ebx=7ffdb000 ecx=00000028 edx=009d0370 esi=0019fcc0 edi=0019fc18
eip=00452e8b esp=0019fc10 ebp=0019fcb8 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
>   14: {
VerifyTxSignDemo!BeginAnti+0x1b:
00452e8b f3ab            rep stos dword ptr es:[edi]

因为$ra总是代表当前函数的返回地址，所以可以使用pa @$ra来步出当前函数，也就是单步反复执行直到返回到上一级函数

相当于gu命令，但因为是单步的，所以可能会卡顿

pc|tc  =startAddr  count

用来单步执行到下一个函数调用指令CALL，count是指遇到的函数调用指令个数，

0:000> pc 
eax=0030fab0 ebx=7ffdf000 ecx=00000000 edx=01690370 esi=0030fb54 edi=0030fb4c
eip=01112ea5 esp=0030fa98 ebp=0030fb4c iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
>   17: 	ZeroMemory(&ovi, sizeof(OSVERSIONINFO));
VerifyTxSignDemo!BeginAnti+0x35:
01112ea5 e83a37feff      call    VerifyTxSignDemo!ILT+50655(_memset) (010f65e4)

可以看出，在第一个call处断下来了

tc也一样，不同处是，如果count为2或更大，中间遇到call， pc 就步过了，而tc会跟进去

0:000> pc 2
eax=0020f6b4 ebx=7ffdf000 ecx=00000000 edx=01b50370 esi=0020f758 edi=0020f750
eip=015d2ea5 esp=0020f69c ebp=0020f750 iopl=0         nv up ei ng nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000282
>   17: 	ZeroMemory(&ovi, sizeof(OSVERSIONINFO));
VerifyTxSignDemo!BeginAnti+0x35:
015d2ea5 e83a37feff      call    VerifyTxSignDemo!ILT+50655(_memset) (015b65e4)
eax=0020f6b4 ebx=7ffdf000 ecx=0020f6b4 edx=00000000 esi=0020f6a8 edi=0020f750
eip=015d2ec0 esp=0020f6a4 ebp=0020f750 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000212
>   20: 	GetVersionEx(&ovi);
VerifyTxSignDemo!BeginAnti+0x50:
015d2ec0 ff150caeb501    call    dword ptr [VerifyTxSignDemo!_imp__GetVersionExA (01b5ae0c)] ds:0023:01b5ae0c={kernel32!GetVersionExAStub (7668dd70)}

可以看到代码是在第二次call处断下

同样，ph|th可用于同样效果，追踪到下一分支指令