Some WinDbg usage tips

    How to print a function's call relationships

    Command                               Function                                                                        Scope
    uf /c /D <address>                    print the calls the current function makes to other functions                   user mode / kernel mode
    # <function> <start address> l<len>   print the references to that function in the code within the given address range   kernel mode / user mode

    Example 1:
    kd> uf /c /D 0x804fa5e6
    nt!KeDelayExecutionThread (804fa5e6)
      nt!KeDelayExecutionThread+0x8f (804fa675):
        call to nt!KiUnlockDispatcherDatabase (80542748)
      nt!KeDelayExecutionThread+0xe9 (804fa6cf):
        call to nt!KiInsertTreeTimer (80500f62)
      nt!KeDelayExecutionThread+0x116 (804fa6fc):
        call to nt!KiSetPriorityThread (80501bba)
      nt!KeDelayExecutionThread+0x12f (804fa715):
        call to nt!KiFindReadyThread (80501894)
      nt!KeDelayExecutionThread+0x19f (804fa785):
        call to nt!KiActivateWaiterQueue (804fc02a)
      nt!KeDelayExecutionThread+0x1c4 (804fa7aa):
        call to nt!KiSwapThread (80501ca0)
      nt!KeDelayExecutionThread+0x1de (804fa7c4):
        call to nt!KiComputeWaitInterval (804fa504)
      nt!KeDelayExecutionThread+0x1e6 (804fa7cc):
        call to hal!KeRaiseIrqlToDpcLevel (806d3298)
      nt!KeDelayExecutionThread+0x26a (804fa850):
        call to nt!KiUnlockDispatcherDatabase (80542748)

    Example 2:

    kd> # IopCreateFile 840554ae l10000
    nt!NtCreateFile+0x2f:
    840554dd e87340ffff      call    nt!IopCreateFile (84049555)
    nt!IoCreateFileEx+0x99:
    84081442 e80e81fcff      call    nt!IopCreateFile (84049555)
    nt!NtOpenFile+0x25:
    84084c97 e8b948fcff      call    nt!IopCreateFile (84049555)

    How to display the number of instructions in a function?

    Command              Function                                    Scope
    uf /i /m <address>   display the function's instruction count    user mode / kernel mode
    kd> uf /i ntcreatefile
    21 instructions scanned
    
    nt!NtCreateFile:
    8056f2fc 8bff            mov     edi,edi
    8056f2fe 55              push    ebp
    8056f2ff 8bec            mov     ebp,esp
    8056f301 33c0            xor     eax,eax
    8056f303 50              push    eax
    8056f304 50              push    eax
    8056f305 50              push    eax
    8056f306 ff7530          push    dword ptr [ebp+30h]
    8056f309 ff752c          push    dword ptr [ebp+2Ch]
    8056f30c ff7528          push    dword ptr [ebp+28h]
    8056f30f ff7524          push    dword ptr [ebp+24h]
    8056f312 ff7520          push    dword ptr [ebp+20h]
    8056f315 ff751c          push    dword ptr [ebp+1Ch]
    8056f318 ff7518          push    dword ptr [ebp+18h]
    8056f31b ff7514          push    dword ptr [ebp+14h]
    8056f31e ff7510          push    dword ptr [ebp+10h]
    8056f321 ff750c          push    dword ptr [ebp+0Ch]
    8056f324 ff7508          push    dword ptr [ebp+8]
    8056f327 e860d8ffff      call    nt!IoCreateFile (8056cb8c)
    8056f32c 5d              pop     ebp
    8056f32d c22c00          ret     2Ch

    How to switch between 64-bit execution mode and the 32-bit WoW guest execution mode on an x64 system

    Command   Function                                    Scope
    !sw       switch execution mode (host <-> WoW guest)  user mode / kernel mode
    0:000> .load wow64exts
    0:000> !sw
    Switched to Guest (WoW) mode
    0:000:x86> ? .
    Evaluate expression: 1995360060 = 76eec73c
    0:000:x86> !sw
    Switched to Host mode
    0:000> ? .
    Evaluate expression: 1994597202 = 00000000`76e32352
    0:000> .load wow64exts
    0:000> u .
    wow64cpu!CpupSyscallStub+0x2:
    00000000`76e32352 c3              ret
    00000000`76e32353 cc              int     3
    00000000`76e32354 b80d0000c0      mov     eax,0C000000Dh
    00000000`76e32359 e93ef0ffff      jmp     wow64cpu!CpuSetContext+0x15c (00000000`76e3139c)
    00000000`76e3235e 488b876c010000  mov     rax,qword ptr [rdi+16Ch]
    00000000`76e32365 48898370010000  mov     qword ptr [rbx+170h],rax
    00000000`76e3236c 488b8774010000  mov     rax,qword ptr [rdi+174h]
    00000000`76e32373 48898378010000  mov     qword ptr [rbx+178h],rax
    0:000> !sw
    Switched to Guest (WoW) mode
    0:000:x86> u 00000000`76e32352
    wow64cpu!CpupSyscallStub+0x2:
    76e32352 c3              ret
    76e32353 cc              int     3
    76e32354 b80d0000c0      mov     eax,0C000000Dh
    76e32359 e93ef0ffff      jmp     wow64cpu!CpuSetContext+0x15c (76e3139c)
    76e3235e 48              dec     eax
    76e3235f 8b876c010000    mov     eax,dword ptr [edi+16Ch]
    76e32365 48              dec     eax
    76e32366 898370010000    mov     dword ptr [ebx+170h],eax

    Tip: manually changing cs achieves the same effect.

    How to find the symbols nearest to an address

    Command        Function                                Scope
    ln <address>   find the symbols nearest to an address  user mode / kernel mode
    kd> ln nt!ntcreatefile-1
    (84055482)   nt!SeValidateSecurityQos+0x2b   |  (840554ae)   nt!NtCreateFile

    How to trace all child functions executed by a function?

    kd> wt
    Tracing testdriver2!func to return address f89cb070
        8     0 [  0] testdriver2!func
        7     0 [  1]   nt!ExAllocatePool
       89     0 [  2]     nt!ExAllocatePoolWithTag
        5     0 [  3]       hal!KeRaiseIrqlToDpcLevel
      197     5 [  2]     nt!ExAllocatePoolWithTag
        9   202 [  1]   nt!ExAllocatePool
       13   211 [  0] testdriver2!func
       85     0 [  1]   nt!ExFreePoolWithTag
       19   296 [  0] testdriver2!func
    315 instructions were executed in 7 events (0 from other threads)
    
    Function Name                               Invocations MinInst MaxInst AvgInst
    hal!KeRaiseIrqlToDpcLevel                             1       5       5       5
    nt!ExAllocatePool                                     1       9       9       9
    nt!ExAllocatePoolWithTag                              1     197     197     197
    nt!ExFreePoolWithTag                                  1      85      85      85
    testdriver2!func                     
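    The summary table wt prints is derived from the trace lines above it. The following added example (not part of the original post) replays those trace lines, copied verbatim from the run above, and recomputes the per-invocation instruction counts, the Invocations/MinInst/MaxInst/AvgInst columns, and the 315-instruction total, so the same parsing can be run over a wt log saved with .logopen.

```python
import re

# Trace lines copied from the `wt` run on testdriver2!func shown above.
WT_TRACE = """\
    8     0 [  0] testdriver2!func
    7     0 [  1]   nt!ExAllocatePool
   89     0 [  2]     nt!ExAllocatePoolWithTag
    5     0 [  3]       hal!KeRaiseIrqlToDpcLevel
  197     5 [  2]     nt!ExAllocatePoolWithTag
    9   202 [  1]   nt!ExAllocatePool
   13   211 [  0] testdriver2!func
   85     0 [  1]   nt!ExFreePoolWithTag
   19   296 [  0] testdriver2!func
"""

# Columns: instructions so far in this function, instructions so far in its callees, [depth], symbol.
LINE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+\[\s*(\d+)\]\s+(\S+)\s*$")

def summarize_wt(trace):
    """Replay a wt trace; return {symbol: [instruction count of each invocation]}.

    A line at depth d continues the invocation open at depth d (updating its
    running count) or opens a new one; deeper frames still open when a shallower
    line appears have returned, and their last running count is what wt reports.
    """
    open_frames, finished = [], {}      # stack of [depth, symbol, running_count]
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                    # header/footer lines wt prints around the trace
        count, depth, symbol = int(m[1]), int(m[3]), m[4]
        # Close frames that have returned: deeper ones, or another symbol at this depth.
        while open_frames and (open_frames[-1][0] > depth or
                               (open_frames[-1][0] == depth and open_frames[-1][1] != symbol)):
            _, sym, final = open_frames.pop()
            finished.setdefault(sym, []).append(final)
        if open_frames and open_frames[-1][0] == depth:
            open_frames[-1][2] = count  # same invocation, newer running count
        else:
            open_frames.append([depth, symbol, count])
    for _, sym, final in reversed(open_frames):     # frames still open when the trace ends
        finished.setdefault(sym, []).append(final)
    return finished

def invocation_stats(trace):
    """Per-symbol (Invocations, MinInst, MaxInst, AvgInst), the columns of wt's table."""
    return {sym: (len(c), min(c), max(c), sum(c) // len(c)) for sym, c in summarize_wt(trace).items()}
```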

    Stack backtrace

    The backtrace stack records the return address of each function level.

    Command      Function
    k            display the stack backtrace
    kb           display the backtrace together with the first three stack parameters of each frame
    !stacks      display a summary of the kernel-mode thread stacks
    !uniqstack   display the stacks of all threads, omitting duplicates

    How to set a breakpoint at a physical address?

    If the PE was loaded through a file memory mapping, one block of physical memory is mapped at several different virtual addresses. So when the other side has mapped several copies of the same PE, you usually have to set breakpoints at several different virtual addresses. Here is a way to set a breakpoint in physical memory by hand. Scope: kernel mode.

    kd> !pte 840554ae
                        VA 840554ae
    PDE at C0602100            PTE at C04202A8
    contains 00000000001DA063  contains 0000000004055121
    pfn 1da       ---DA--KWEV  pfn 4055      -G--A--KREV
    Find the physical address of NtCreateFile:
    kd> !db 40554ae
    # 40554ae 8b ff 55 8b ec 51 33 c0-50 6a 20 50 50 50 ff 75 ..U..Q3.Pj PPP.u
    # 40554be 30 ff 75 2c ff 75 28 ff-75 24 ff 75 20 ff 75 1c 0.u,.u(.u$.u .u.
    # 40554ce ff 75 18 ff 75 14 ff 75-10 ff 75 0c ff 75 08 e8 .u..u..u..u..u..
    # 40554de 73 40 ff ff 59 5d c2 2c-00 90 90 90 90 90 6a 40 s@..Y].,......j@
    # 40554ee 68 28 42 e6 83 e8 70 51-e2 ff 8b 75 0c 8b 86 88 h(B...pQ...u....
    # 40554fe 00 00 00 89 45 cc 8b 86-50 01 00 00 89 45 d0 8d ....E...P....E..
    # 405550e 7d d8 89 7d d4 c6 45 e2-00 3b 75 08 74 33 8d 8e }..}..E..;u.t3..
    # 405551e 70 02 00 00 8b 11 83 e2-fe 8d 42 02 8b f8 8b d9 p.........B.....
    Manually patch in a software breakpoint (int 3, opcode cc):
    kd> !eb 40554ae cc
    kd> g
    Break instruction exception - code 80000003 (first chance)
    nt!NtCreateFile:
    840554ae cc              int     3
    After the break, the original byte in physical memory has to be restored by hand (the !db output above shows it was 8b).
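    The step from the !pte output to the argument of !db/!eb is mechanical: frame number from the PTE, in-page offset from the virtual address. This added example (not part of the original post) decodes the two entries shown above as 8-byte PAE entries, which is what the 16-hex-digit "contains" values indicate, and reproduces WinDbg's flag string and the physical address 40554ae; the copy-on-write and caching positions of the flag string are left undecoded.

```python
# Decode an x86 PAE page-table entry the way `!pte` prints it and derive the
# physical address that `!db` / `!eb` were given above.  Bit positions follow
# the Intel SDM; the 11-character flag string follows WinDbg's layout.
PAGE_SHIFT = 12
PAGE_MASK = (1 << PAGE_SHIFT) - 1
PFN_MASK = (1 << 40) - 1        # PAE: the frame number lives in bits 12..51

def pte_flags(entry):
    """WinDbg-style flags, e.g. 0x4055121 -> '-G--A--KREV'."""
    bit = lambda n: (entry >> n) & 1
    return "".join([
        "-",                            # copy-on-write software bit: not decoded here
        "G" if bit(8) else "-",         # global
        "L" if bit(7) else "-",         # large page (meaningful at PDE level)
        "D" if bit(6) else "-",         # dirty
        "A" if bit(5) else "-",         # accessed
        "-", "-",                       # cache-disable / write-through: not decoded here
        "U" if bit(2) else "K",         # user vs kernel (supervisor) page
        "W" if bit(1) else "R",         # writable vs read-only
        "-" if bit(63) else "E",        # NX bit clear -> executable
        "V" if bit(0) else "-",         # valid (present)
    ])

def pte_pfn(entry):
    """Page frame number of a PAE entry."""
    return (entry >> PAGE_SHIFT) & PFN_MASK

def physical_address(va, pte):
    """Frame base from the PTE plus the in-page offset of the virtual address."""
    if not pte & 1:
        raise ValueError("PTE not valid: page is not resident, so it has no physical address")
    return (pte_pfn(pte) << PAGE_SHIFT) | (va & PAGE_MASK)

def describe(va, pde, pte):
    """Render the two `pfn ... flags` columns of !pte plus the derived physical address."""
    return (f"pfn {pte_pfn(pde):x}  {pte_flags(pde)}   pfn {pte_pfn(pte):x}  {pte_flags(pte)}\n"
            f"physical address of {va:x}: {physical_address(va, pte):x}")

if __name__ == "__main__":
    # Values from the !pte 840554ae output above.
    print(describe(0x840554AE, 0x00000000001DA063, 0x0000000004055121))
```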

    How to set a breakpoint for a specific thread/process?

    Command                    Function                              Scope
    bp /p <EPROCESS address>   break only in the given process       kernel mode
    bp /t <ETHREAD address>    break only in the given thread        kernel mode

    How to set breakpoints on all functions matching Gen*?

    0:000> bm /a ml64!Gen*
      1: 00000000`00c733c0 @!"ml64!genIntReloc"
      2: 00000000`00c73694 @!"ml64!genDataDef"
      3: 00000000`00c7160c @!"ml64!GenCodeJump"
      4: 00000000`00c9a354 @!"ml64!genPrologue"
      5: 00000000`00c73ef4 @!"ml64!GenCodeRet"
      6: 00000000`00c9a620 @!"ml64!genEpilogue"
      7: 00000000`00c73a60 @!"ml64!genNormReloc"
      8: 00000000`00c71008 @!"ml64!GenCodeLoop"
      9: 00000000`00c71710 @!"ml64!GenREXPrefix"
     10: 00000000`00cda6d0 @!"ml64!genmcBuffT"
     11: 00000000`00c71940 @!"ml64!GenCodeNormal"
     12: 00000000`00c73434 @!"ml64!genReloc"
     13: 00000000`00c98ffc @!"ml64!genProEpiMacroCall"
     14: 00000000`00c73d00 @!"ml64!GenCodeString

    How to set a string breakpoint correctly?

    0:000> db .
    76f63bad  6c 00 69 00 63 00 68 00-6b 00 69 00 6e 00 67 00  l.i.c.h.k.i.n.g.
    76f63bbd  00 00 00 00 f9 ff c3 90-90 90 90 fe ff ff ff 00  ................
    76f63bcd  24 00 7b 00 74 00 32 00-7d 00 00 00 ff ff ff b0  $.{.t.2.}.......
    76f63bdd  3b f6 76 b4 3b f6 76 90-90 90 90 90 8b ff 55 8b  ;.v.;.v.......U.
    76f63bed  ec 81 ec 3c 02 00 00 a1-50 32 fb 76 33 c5 89 45  ...<....P2.v3..E
    76f63bfd  fc 53 56 8b 35 a0 f0 fa-76 8b d9 57 6a 2a 58 66  .SV.5...v..Wj*Xf
    76f63c0d  89 85 dc fd ff ff 33 ff-89 bd ea fd ff ff 66 89  ......3.......f.
    76f63c1d  bd ee fd ff ff c7 85 e0-fd ff ff a8 b7 ef 76 c7  ..............v.
    Matching syntax:
    0:000> .block{as /mu ${/v:tn2} 76f63bad};? $scmp("${tn2}","lichking")
    Evaluate expression: 0 = 00000000
    Note: the .block is required; an as statement must be isolated in its own block for the alias to be expanded.

    Exceptions & events

    Command                        Function
    sxe <event/exception code>     enable breaking on the event or exception
    sxd <event/exception code>     disable breaking on the event or exception

    Exception code   Type
    av               access violation
    dz               integer divide by zero
    c000008e         floating-point divide by zero
    eh               C++ exception
    gp               guard page violation
    ii               illegal instruction
    iov              integer overflow
    isc              invalid system call
    sbo              stack buffer overrun
    sov              stack overflow
    aph              application hang (stopped responding)
    3c               port disconnected
    ch / hc          invalid handle
    wos              WOW64 single-step exception
    wob              WOW64 breakpoint exception
    sse / ssec       single-step exception
    bpe / bpec       breakpoint exception
    cc / cce         Ctrl+C / Ctrl+Break

    Event code   Type
    ser          system error
    cpr          process creation
    epr          process exit
    ct           thread creation
    et           thread exit
    ld           module load
    ud           module unload
    out          debugger output

    How to switch the debugger to another process/thread?

    Command                                 Function                                                   Scope
    .process /p /r /i <EPROCESS address>    make the given process the current (implicit) process      kernel mode
    .thread /p /r <ETHREAD address>         make the given thread the current (implicit) thread        kernel mode
    kd> !process 0 0 smss.exe
    Failed to get VAD root
    PROCESS 81c38da0  SessionId: none  Cid: 0220    Peb: 7ffd4000  ParentCid: 0004
        DirBase: 08a40020  ObjectTable: e13bde58  HandleCount:  19.
        Image: smss.exe
    
    kd> .process /p /r /i 81c38da0
    You need to continue execution (press 'g' <enter>) for the context
    to be switched. When the debugger breaks in again, you will be in
    the new process context.
    kd> g
    Break instruction exception - code 80000003 (first chance)
    nt!RtlpBreakWithStatusInstruction:
    80528bec cc              int     3
    kd> .thread /p /r 805537c0
    Implicit thread is now 805537c0
    Implicit process is now 80553a20
    .cache forcedecodeuser done
    Loading User Symbols

    How to view the SEH chain?

    0:000> !exchain
    0012fea8: Prymes!_except_handler3+0 (00407604)
      CRT scope  0, filter: Prymes!dzExcepError+e6 (00401576)
                    func:   Prymes!dzExcepError+ec (0040157c)
    0012ffb0: Prymes!_except_handler3+0 (00407604)
      CRT scope  0, filter: Prymes!mainCRTStartup+f8 (004021b8)
                    func:   Prymes!mainCRTStartup+113 (004021d3)
    0012ffe0: KERNEL32!GetThreadContext+1c (77ea1856)

    Excerpted from: https://www.jianshu.com/p/56ff0bc43d3d

    Original article: https://www.cnblogs.com/yilang/p/12375980.html