I am debugging an application's use of msvcrt!_read. I found a nice WinDbg script on Reversing on Windows online that intercepts ReadFile, which I have edited slightly:
$$ Windbg script to intercept when a file is being read.
bp msvcrt!_read
.while(1)
{
    g
    $$ Get parameters of _read()
    r $t0 = dwo(esp+4)
    r $t1 = dwo(esp+8)
    r $t2 = dwo(esp+0x0c)
    $$ Execute until return is reached
    pt
    $$ Read magic value in the buffer
    $$ CHANGE position in buffer here
    r $t5 = dwo(@$t1+0x00)
    r
    .printf "hFile=%p buffer=%p count=%p\n", @$t0, @$t1, @$t2
    $$ Check if magic value matches
    $$ CHANGE constant here
    db @$t1 $$ had to put this here b/c .if never executed 'clause'
    .if(@$t5 == 0x00000000) $$magic string
    {
        db @$t1
        $$ UNCOMMENT below to break in the debugger
        .break
    }
}
$$ Clear BP for ReadFile (assume it is the 0th one)
bc 0
I tried using the following bytes as the "magic string":
77 30 30 66
in:
.if(@$t5 == 0x77303066) $$magic string
However, it never satisfies that condition. The most frustrating part is that I can see the magic string when the script runs 'db @$t1':
eax=00000400 ebx=02895cc4 ecx=75b7c2d6 edx=771f70f4 esi=017d0ab8 edi=028b2534
eip=75b7c2d6 esp=03d2fbec ebp=00000003 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
msvcrt!_read+0xd1:
75b7c2d6 c3 ret
hFile=00000003 lpBuffer=05f30020 nNumberOfBytesToRead=00000400
05f30020 77 30 30 66 00 00 00 2e-00 00 00 00 00 00 00 00 w00f............
05f30030 00 2e 2e 2e 2e 2e 00 00-00 2e 00 00 00 2e 2e 00 ................
05f30040 00 2e 2e 00 00 00 04 00-00 00 2e 2e 00 00 2e 2e ................
05f30050 00 00 2e 2e 00 00 00 00-00 00 00 00 00 00 01 2e ................
05f30060 00 2e 00 2e 2e 2e 2e 2e-00 00 00 2e 00 00 00 2e ................
I also tried changing the magic string in the wds script to little-endian, but it still doesn't work.
How do I format the if statement so that it triggers on the magic string "w00f" in the above script?
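As an added example (not part of the question or any answer to it), the Python below reproduces what WinDbg's dwo() actually returns for the bytes shown in the dump. dwo() reads a 32-bit little-endian integer on x86, so the first byte in memory becomes the least significant byte of the result: the bytes 77 30 30 66 at @$t1 evaluate to 0x66303077, not 0x77303066. The helper parses the `db` lines from the question, reads a dword at an arbitrary address (including one that straddles two dump lines), and emits the `.if` line with the constant in the form the comparison needs. All function names here are my own, and the only input is the dump text copied from the question.

```python
import re
import struct

# A WinDbg `db` line: 8-hex-digit address, 16 bytes separated by spaces
# (a '-' sits between byte 7 and byte 8), then the ASCII column.
_DB_LINE = re.compile(
    r"^\s*([0-9a-fA-F]{8})\s+((?:[0-9a-fA-F]{2}[ -]){15}[0-9a-fA-F]{2})"
)

# The `db @$t1` output from the question, used here as sample input.
SAMPLE_DUMP = """\
05f30020 77 30 30 66 00 00 00 2e-00 00 00 00 00 00 00 00 w00f............
05f30030 00 2e 2e 2e 2e 2e 00 00-00 2e 00 00 00 2e 2e 00 ................
05f30040 00 2e 2e 00 00 00 04 00-00 00 2e 2e 00 00 2e 2e ................
05f30050 00 00 2e 2e 00 00 00 00-00 00 00 00 00 00 01 2e ................
05f30060 00 2e 00 2e 2e 2e 2e 2e-00 00 00 2e 00 00 00 2e ................
"""


def dwo_value(data: bytes, offset: int = 0) -> int:
    """Value WinDbg's dwo() yields for the 4 bytes at `offset` (little-endian)."""
    return struct.unpack_from("<I", data, offset)[0]


def magic_constant(magic: bytes) -> int:
    """Constant that @$t5 (= dwo(@$t1)) will hold when `magic` is at @$t1."""
    if len(magic) != 4:
        raise ValueError("dwo() compares exactly 4 bytes; use a 4-byte magic")
    return dwo_value(magic)


def if_line(magic: bytes, register: str = "@$t5") -> str:
    """The WinDbg `.if` line to compare `register` against a 4-byte magic."""
    return f".if ({register} == 0x{magic_constant(magic):08x})"


def parse_db_dump(text: str) -> dict[int, bytes]:
    """Parse `db` output into {line base address: raw bytes of that line}."""
    chunks: dict[int, bytes] = {}
    for line in text.splitlines():
        m = _DB_LINE.match(line)
        if not m:
            continue  # register dumps, prompts and other non-`db` lines
        addr = int(m.group(1), 16)
        chunks[addr] = bytes.fromhex(m.group(2).replace("-", " "))
    return chunks


def _byte_at(dump: dict[int, bytes], addr: int) -> int:
    for base, chunk in dump.items():
        if base <= addr < base + len(chunk):
            return chunk[addr - base]
    raise KeyError(f"address {addr:#010x} is not covered by the dump")


def dwo_at(dump: dict[int, bytes], addr: int) -> int:
    """Read the dword at `addr` from a parsed dump, like dwo(addr) in WinDbg.

    Bytes are fetched one at a time so a dword that straddles two dump
    lines is read correctly.
    """
    return dwo_value(bytes(_byte_at(dump, addr + i) for i in range(4)))


if __name__ == "__main__":
    dump = parse_db_dump(SAMPLE_DUMP)
    buf = 0x05F30020  # lpBuffer from the question's printf output
    print(f"dwo({buf:#x}) = {dwo_at(dump, buf):#010x}")
    print("big-endian reading of 'w00f' =", hex(int.from_bytes(b"w00f", "big")))
    print("line to use:", if_line(b"w00f"))
```

Running the script prints `dwo(0x5f30020) = 0x66303077` next to the big-endian reading `0x77303066`, which is why a constant written in the byte order of the `db` column never matches: the comparison must use the little-endian value that dwo() produces.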