WinDbg: the "gu" command inside a breakpoint causes a warning

reverse-engineering windbg breakpoints
2021-06-23 20:16:19

I am trying to use the "gu" command inside a conditional breakpoint, or as the "CommandString" of a regular breakpoint. For example, let's consider breaking on the malloc() function when we want to see the allocated pointer and the requested size in the log:

bp msvcrt!malloc "r $t1=@rcx; gu; .printf \"malloc: %p %08x\\n\",@rax,@$t1; gc"

tl;dr: we create a temporary register $t1, assign it the allocation size (the arch is x64, so @rcx = "size"), step out of the function with the "gu" command, and finally print the pointer in @rax together with the value of our temporary register. You can try it yourself on "notepad.exe" ;)

It sort of works, and we can see the data:

Some commands were skipped because previous commands caused target execution inside an event handler.malloc: 000001d2e78d42c0 00000100
Some commands were skipped because previous commands caused target execution inside an event handler.malloc: 000001d2e78d4700 00000088
Some commands were skipped because previous commands caused target execution inside an event handler.malloc: 000001d2e78d47c0 00000088
Some commands were skipped because previous commands caused target execution inside an event handler.malloc: 000001d2e78d4880 00000038
Some commands were skipped because previous commands caused target execution inside an event handler.malloc: 000001d2e78d4f10 000000f0
Some commands were skipped because previous commands caused target execution inside an event handler.malloc: 000001d2e78d5030 00001124
Some commands were skipped because previous commands caused target execution inside an event handler.malloc: 000001d2e78d6190 00002430
Some commands were skipped because previous commands caused target execution inside an event handler.malloc: 000001d2e78d85f0 00000200
Some commands were skipped because previous commands caused target execution inside an event handler.malloc: 000001d2e78d8820 00000080
Some commands were skipped because previous commands caused target execution inside an event handler.malloc: 000001d2e78d88d0 00000080

The only small wrinkle is the noisy string "Some commands were skipped because previous commands caused target execution inside an event handler." It always seems to be in the log when we use "gu" as the "CommandString".

Any idea how to get rid of it, or what is the intended way to solve this kind of problem?

Regards!

1 Answer

Take a look at this

So you cannot use commands that change the execution state inside a wait

I am not sure what your intention is

but windbg provides several PseudoRegisters to access the state and act upon it

one is @$ra, which is the return address on the stack; this is where your gu actually ends up

the others are @$retreg and @$retreg64; these are effectively the return values of the function (or, in layman's terms, eax and rax after the call has executed)

so basically some xyz is calling malloc, say malloc(size), and you have set a breakpoint on msvcrt!malloc. @$ra will contain xyz + (size of the call), which is the address the call returns to; if you had issued gu you would land here, and when you land here rax/eax as well as @$retreg/@$retreg64 will contain the allocated memory address returned by the malloc call

You can also set one-shot breakpoints

You can combine all of this to make a neat breakpoint that prints the size as well as the returned pointer

0:002> bl
     1 e Disable Clear  00007ff8`c8199d30     0001 (0001)  0:**** msvcrt!malloc "bp /1 @$ra \"? @$t1;?@$retreg64;gc\";r $t1=@rcx;gc"
windbg> .hh
0:002> g
Evaluate expression: 40 = 00000000`00000028
Evaluate expression: 2051178946016 = 000001dd`93cadde0
Evaluate expression: 256 = 00000000`00000100
Evaluate expression: 2051178943712 = 000001dd`93cad4e0
Evaluate expression: 40 = 00000000`00000028
Evaluate expression: 2051178944016 = 000001dd`93cad610
Evaluate expression: 24 = 00000000`00000018
Evaluate expression: 2051178947056 = 000001dd`93cae1f0
Evaluate expression: 32 = 00000000`00000020
Evaluate expression: 2051178947328 = 000001dd`93cae300
Evaluate expression: 32 = 00000000`00000020
Evaluate expression: 2051178949536 = 000001dd`93caeba0
Evaluate expression: 72 = 00000000`00000048
Evaluate expression: 2051178946272 = 000001dd`93cadee0
Evaluate expression: 32 = 00000000`00000020
Evaluate expression: 2051178947056 = 000001dd`93cae1f0
Evaluate expression: 32 = 00000000`00000020
Evaluate expression: 2051178944016 = 000001dd`93cad610
Evaluate expression: 672 = 00000000`000002a0
Evaluate expression: 2051178949824 = 000001dd`93caecc0
Evaluate expression: 104 = 00000000`00000068
Evaluate expression: 2051178946272 = 000001dd`93cadee0
Evaluate expression: 32 = 00000000`00000020
Evaluate expression: 2051178946432 = 000001dd`93cadf80 

Note the escaped command string inside the bp

bp msvcrt!malloc "bp /1 @$ra \"?@$t1;?@$retreg64;gc\";r $t1=@rcx;gc"

If you need to use .printf you may need another level of quote escaping
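Added example (not from the question or the answer above): a small Python helper that builds both breakpoint commands shown on this page by escaping the nested CommandString programmatically, including the extra escaping level needed for a .printf inside the one-shot breakpoint, and pairs the "Evaluate expression" output lines back into (size, pointer) records. It assumes WinDbg's quoting rule that inside a double-quoted command string a backslash escapes the next character, so each nesting level rewrites `"` as `\"` and `\` as `\\`.

```python
import re

# Added example, not the original poster's or the answerer's code.
# Assumption: inside a WinDbg double-quoted command string a backslash
# escapes the next character, so one nesting level rewrites  "  as  \"
# and  \  as  \\ ; each further nesting level applies the same rewrite again.

def quote_for_windbg(cmd: str) -> str:
    """Wrap cmd in double quotes so it can be used as a breakpoint CommandString."""
    escaped = cmd.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'

def gu_style_bp(symbol: str = "msvcrt!malloc", size_reg: str = "@rcx") -> str:
    """The asker's form: 'gu' inside the CommandString (this is what triggers the warning)."""
    body = f'r $t1={size_reg}; gu; .printf "malloc: %p %08x\\n",@rax,@$t1; gc'
    return f"bp {symbol} {quote_for_windbg(body)}"

def one_shot_bp(symbol: str = "msvcrt!malloc", size_reg: str = "@rcx",
                use_printf: bool = False) -> str:
    """The answer's form: a one-shot 'bp /1' on @$ra instead of 'gu'.

    With use_printf the .printf sits two levels deep, so its quotes are
    escaped once for the inner 'bp /1' string and once more for the outer one.
    """
    if use_printf:
        inner = '.printf "malloc: %p %08x\\n",@$retreg64,@$t1;gc'
    else:
        inner = "?@$t1;?@$retreg64;gc"
    outer = f"bp /1 @$ra {quote_for_windbg(inner)};r $t1={size_reg};gc"
    return f"bp {symbol} {quote_for_windbg(outer)}"

def parse_eval_pairs(log: str) -> list:
    """Pair consecutive 'Evaluate expression' lines printed by the one-shot
    breakpoint into (size, pointer) tuples, in the order they are printed."""
    values = [int(m.group(1)) for m in re.finditer(r"Evaluate expression: (\d+) =", log)]
    return list(zip(values[0::2], values[1::2]))

# Constructed sample: the first two size/pointer pairs from the answer's session output.
SAMPLE_LOG = """\
Evaluate expression: 40 = 00000000`00000028
Evaluate expression: 2051178946016 = 000001dd`93cadde0
Evaluate expression: 256 = 00000000`00000100
Evaluate expression: 2051178943712 = 000001dd`93cad4e0
"""

if __name__ == "__main__":
    print(gu_style_bp())
    print(one_shot_bp())
    print(one_shot_bp(use_printf=True))
```

The first two functions reproduce the exact command strings from the question and the answer; the printf variant shows the doubled escaping the answer's last sentence refers to.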