Problem description
I want to debug a program in kernel mode, and I want to break on the entry point of the program like ollydbg does. But I can't break on it with bp because the program has not started and the symbols can't be loaded. I have found some ways to do it, but I think they are not so good.
1. Break on the CreateProcess function in the kernel. But I don't know exactly which function I should break on, and I think there is a long way between CreateProcess and the entry point of the program.
2. Change the entry point of the program to cc. But it needs other tools, and I have to change the byte back in the code where it was changed. I think it is annoying.
3. With the help of ollydbg. Debug the program with ollydbg in a virtual machine which is debugged with windbg. I don't think that it is a good idea.
4. Use sxe ld. It can be found in Listing 3.29 in <<Advanced Windows Debugging>>. I have tried it, but I found that it only works the first time. And I don't know what exactly I should do after the break.
5. Break on the entry function with bu. But I don't know what exactly I should do either. For example, how to load the symbols?
6. Use .create. I don't know whether it is proper or not to do what I said.
I think that it is a common use case to break on the entry point of a program when debugging in kernel mode with windbg, and I think that there must be a good way to do that with the powerful windbg. What's the best way to do it?
By the way, I want to debug a program in kernel mode because I want to get the token value of the program. I found that windbg can identify the token with !token in user mode, but I don't know how to get the value of the token in user mode. It seems that I can only get the value of the token in kernel mode, right or wrong?
you can run any exe in the target via ntsd -d to debug it from the kernel mode debugger running in the host
assuming you are running a virtual machine mytarget inside myhost
install windbg in myhost
set symbol path for myhost viz srv*x:\xxxx*http:\xxxxxxxxxxxx
create a kernel connection in the host (choose the best; shown below is a serial connection)
X:\xxxx\windbg.exe -k com:pipe,port=\\.\pipe\debugPipe,resets=0,reconnect
install windbg in mytarget
open a shared folder z:\ pointing to the symbolcache folder in myhost
set symbolpath in mytarget pointing to the shared folder
run ntsd -d calc.exe
kd will break on $exentry of calc.exe with Input Prompt
as long as Input prompt is shown you are using kd like a native usermode debugger
so if you set a bp calc!Winmain and issue g, kd will break on calc.exe winmain
to get to the kd session use .breakin
messy stuff but will work well once you get accustomed (ie memorizing the docs)
a sample run
kd> g <-------------- kd session running in myhost
CommandLine: calc.exe
Symbol search path is: srv*z:\
*http://msdl.microsoft.com/download/symbols
ntdll!DbgBreakPoint:
7c90120e cc int 3
.sympath
NOTE: The symbol path for this ntsd is relative to where
ntsd.exe is running, not where kd.exe is running.
Symbol search path is: srv*z:\
*http://msdl.microsoft.com/download/symbols
Expanded Symbol search path is: srv*z:\
*http://msdl.microsoft.com/download/symbols
.reload /f calc.exe
lm m calc
start end module name
01000000 0101f000 calc (pdb symbols) z:\calc.pdb\3B7D84101\calc.pdb
0:000> version <--------------------usermode session in kd via ntsd -d
version
Windows XP Version 2600 (Service Pack 3) UP Free x86 compatible
Live user mode: <Local>
command line: 'ntsd -d calc.exe' Debugger Process 0x3F8
? $exentry;? calc!WinmainCrtstartup
Evaluate expression: 16852085 = 01012475
Evaluate expression: 16852085 = 01012475
as to your original request I am not sure what token you are interested to find
if getting the EPROCESS->Token of your exe is the only requirement you don't have to run any kd session
you can get the token of all running processes in myhost with a local kernel debugging session (either using kd -kl or by using livekd from sysinternals)
here is a simple script which fetches the sid of all running processes employing the above technique
:\>cat sid.txt
!for_each_process "r $t0 = (@@c++(((nt!_eprocess *) @#Process )->Token.Object)) & @@(~7);
r $t1 = @@c++(((nt!_token *) @$t0 )->UserAndGroups->Sid); !sid @$t1 1;
?? (char *)((nt!_eprocess *) @#Process )->ImageFileName "
:\>kd -kl -c "$$>a< sid.txt;q"
result
WARNING: Local kernel debugging requires booting with kernel
debugging support (/debug or bcdedit -debug on) to work optimally.
lkd> kd: Reading initial command '$$>a< sid.txt;q'
SID is: S-1-5-18 (Well Known Group: NT AUTHORITY\SYSTEM)
char * 0x8ac729a4
"System"
SID is: S-1-5-18 (Well Known Group: NT AUTHORITY\SYSTEM)
char * 0x8a35729c
"smss.exe"
SID is: S-1-5-20 (Well Known Group: NT AUTHORITY\NETWORK SERVICE)
char * 0x8a3619ac
"svchost.exe"
SID is: S-1-5-19 (Well Known Group: NT AUTHORITY\LOCAL SERVICE)
char * 0x8a36ef14
"svchost.exe"
SID is: S-1-5-21-602162358-1801674531-1417001333-1003 (User: XXXXXX\Admin)
char * 0x8a261b64
"explorer.exe"