CreateProcess parameters in simple executable

Views: 110

Problem description

While debugging an exe file under OllyDbg, I found two subthreads with "-3" priority. From there I found that such priorities could be in a process with REALTIME_PRIORITY_CLASS. How to find out with which parameters the process was created? I mean, all I have is just the executable that started. It has a main window and so on. There are no CreateProcess symbols in the executable. Maybe it's normally somewhere in a system DLL? And yes, breakpoints on CreateProcess and other functions like this haven't worked.

Solution

For example, I attach the WinDbg debugger to the cmd process and start notepad.exe from it.

Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: C:\Windows\System32\cmd.exe
Symbol search path is: srv*C:\Symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
ModLoad: 00000000`4aa30000 00000000`4aa89000   cmd.exe
ModLoad: 00000000`77340000 00000000`774e9000   ntdll.dll
ModLoad: 00000000`76f10000 00000000`7702f000   C:\Windows\system32\kernel32.dll
ModLoad: 000007fe`fd850000 000007fe`fd8bb000   C:\Windows\system32\KERNELBASE.dll
ModLoad: 000007fe`fdcc0000 000007fe`fdd5f000   C:\Windows\system32\msvcrt.dll
ModLoad: 000007fe`fa430000 000007fe`fa438000   C:\Windows\System32\WINBRAND.dll
ModLoad: 00000000`77030000 00000000`7712a000   C:\Windows\system32\USER32.dll
ModLoad: 000007fe`ff4d0000 000007fe`ff537000   C:\Windows\system32\GDI32.dll
ModLoad: 000007fe`ff540000 000007fe`ff54e000   C:\Windows\system32\LPK.dll
ModLoad: 000007fe`fedf0000 000007fe`feeb9000   C:\Windows\system32\USP10.dll
(e88.99c): Break instruction exception - code 80000003 (first chance)
ntdll!LdrpDoDebuggerBreak+0x30:
00000000`773ecb60 cc              int     3
0:000> x kernel32!createprocess*
00000000`76f2e7b0 kernel32!CreateProcessInternalW = <no type information>
00000000`76fa7b70 kernel32!CreateProcessInternalA = <no type information>
00000000`76fa8840 kernel32!CreateProcessA = <no type information>
00000000`76f1a420 kernel32!CreateProcessAsUserW = <no type information>
00000000`76f31bb0 kernel32!CreateProcessW = <no type information>
0:000> bp kernel32!CreateProcessA
0:000> bp kernel32!CreateProcessW
0:000> bl
 0 e 00000000`76fa8840     0001 (0001)  0:**** kernel32!CreateProcessA
 1 e 00000000`76f31bb0     0001 (0001)  0:**** kernel32!CreateProcessW
0:000> g
ModLoad: 000007fe`ff140000 000007fe`ff16e000   C:\Windows\system32\IMM32.DLL
ModLoad: 000007fe`fdb90000 000007fe`fdc99000   C:\Windows\system32\MSCTF.dll
Breakpoint 1 hit
kernel32!CreateProcessW:
00000000`76f31bb0 4883ec68        sub     rsp,68h
0:000> r
rax=000000000030f3c0 rbx=0000000000000000 rcx=00000000004a98c0
rdx=00000000004ab170 rsi=00000000004ab170 rdi=0000000000000001
rip=0000000076f31bb0 rsp=000000000030f2a8 rbp=0000000000000000
 r8=0000000000000000  r9=0000000000000000 r10=000000007ffffffd
r11=0000000000000000 r12=000000004aa6c0a0 r13=00000000004a98c0
r14=00000000004a98c0 r15=0000000000000000
iopl=0         nv up ei pl zr na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
kernel32!CreateProcessW:
00000000`76f31bb0 4883ec68        sub     rsp,68h
0:000> du @rcx
00000000`004a98c0  "C:\Windows\system32\notepad.exe"
0:000> du @rdx
00000000`004ab170  "notepad.exe"

BOOL WINAPI CreateProcess(
  __in_opt     LPCTSTR lpApplicationName,                                    //@rcx
  __inout_opt  LPTSTR lpCommandLine,                                        //@rdx
  __in_opt     LPSECURITY_ATTRIBUTES lpProcessAttributes,          //@r8
  __in_opt     LPSECURITY_ATTRIBUTES lpThreadAttributes,           //@r9
  __in         BOOL bInheritHandles,
  __in         DWORD dwCreationFlags,
  __in_opt     LPVOID lpEnvironment,
  __in_opt     LPCTSTR lpCurrentDirectory,
  __in         LPSTARTUPINFO lpStartupInfo,
  __out        LPPROCESS_INFORMATION lpProcessInformation
);

I'm preparing for the exam 70-660 TS: Windows Internals
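The answer reads the first four CreateProcessW parameters from rcx, rdx, r8 and r9, but the parameter the question actually cares about, dwCreationFlags (where REALTIME_PRIORITY_CLASS would be set), is the sixth argument and is passed on the stack under the x64 calling convention. At the function-entry breakpoint, [rsp] holds the return address and rsp+8 to rsp+0x27 is the 32-byte home space, so the fifth argument is at [rsp+0x28] and dwCreationFlags at [rsp+0x30]; the WinDbg command `dq @rsp+28 L6` lists all six stack-passed arguments. The script below is an added example, not part of the original answer: it parses the `r` register dump shown above together with a constructed `dq` listing (not from the answer's session), maps every value to its CreateProcessW parameter name, and decodes the dwCreationFlags bits. The `analyze` function and the sample `dq` values are assumptions made for illustration.

```python
"""Map WinDbg register and stack dumps at a kernel32!CreateProcessW breakpoint
to the function's parameters (x64). Added example, not from the original answer."""
import re

# dwCreationFlags bits as defined in winbase.h
CREATION_FLAGS = {
    0x00000001: "DEBUG_PROCESS",
    0x00000002: "DEBUG_ONLY_THIS_PROCESS",
    0x00000004: "CREATE_SUSPENDED",
    0x00000008: "DETACHED_PROCESS",
    0x00000010: "CREATE_NEW_CONSOLE",
    0x00000020: "NORMAL_PRIORITY_CLASS",
    0x00000040: "IDLE_PRIORITY_CLASS",
    0x00000080: "HIGH_PRIORITY_CLASS",
    0x00000100: "REALTIME_PRIORITY_CLASS",
    0x00000200: "CREATE_NEW_PROCESS_GROUP",
    0x00000400: "CREATE_UNICODE_ENVIRONMENT",
    0x00004000: "BELOW_NORMAL_PRIORITY_CLASS",
    0x00008000: "ABOVE_NORMAL_PRIORITY_CLASS",
    0x00040000: "CREATE_PROTECTED_PROCESS",
    0x00080000: "EXTENDED_STARTUPINFO_PRESENT",
    0x01000000: "CREATE_BREAKAWAY_FROM_JOB",
    0x04000000: "CREATE_DEFAULT_ERROR_MODE",
    0x08000000: "CREATE_NO_WINDOW",
}

# CreateProcessW parameter order: first four in registers, the rest on the stack
ARG_NAMES = ["lpApplicationName", "lpCommandLine", "lpProcessAttributes",
             "lpThreadAttributes", "bInheritHandles", "dwCreationFlags",
             "lpEnvironment", "lpCurrentDirectory", "lpStartupInfo",
             "lpProcessInformation"]
REGISTER_ARGS = ["rcx", "rdx", "r8", "r9"]

# Register dump copied from the answer's session at the CreateProcessW breakpoint
SAMPLE_R = """
rax=000000000030f3c0 rbx=0000000000000000 rcx=00000000004a98c0
rdx=00000000004ab170 rsi=00000000004ab170 rdi=0000000000000001
rip=0000000076f31bb0 rsp=000000000030f2a8 rbp=0000000000000000
 r8=0000000000000000  r9=0000000000000000 r10=000000007ffffffd
r11=0000000000000000 r12=000000004aa6c0a0 r13=00000000004a98c0
r14=00000000004a98c0 r15=0000000000000000
"""

# Constructed `dq @rsp+28 L6` listing (NOT from the answer): rsp is 0x30f2a8, so the
# six stack arguments start at 0x30f2d0; dwCreationFlags here is
# CREATE_UNICODE_ENVIRONMENT | REALTIME_PRIORITY_CLASS = 0x500
SAMPLE_DQ = """
00000000`0030f2d0  00000000`00000001 00000000`00000500
00000000`0030f2e0  00000000`00000000 00000000`00000000
00000000`0030f2f0  00000000`0030f3c0 00000000`0030f470
"""


def parse_registers(r_output):
    """Parse WinDbg `r` output into {register: int}; only 64-bit registers match."""
    return {m.group(1): int(m.group(2), 16)
            for m in re.finditer(r"\b(r\w+)=([0-9a-fA-F]{16})\b", r_output)}


def parse_dq(dq_output):
    """Parse WinDbg `dq` output into a list of qwords (first token per line is the address)."""
    qwords = []
    for line in dq_output.strip().splitlines():
        tokens = re.findall(r"[0-9a-fA-F]{8}`[0-9a-fA-F]{8}", line)
        qwords.extend(int(t.replace("`", ""), 16) for t in tokens[1:])
    return qwords


def createprocessw_args(regs, stack_qwords):
    """Combine register-passed and stack-passed values into {parameter: value}."""
    values = [regs[r] for r in REGISTER_ARGS] + list(stack_qwords)
    return dict(zip(ARG_NAMES, values))


def decode_creation_flags(flags):
    """Names of the dwCreationFlags bits set, lowest bit first; unlisted bits are reported too."""
    names = [name for bit, name in sorted(CREATION_FLAGS.items()) if flags & bit]
    unlisted = flags & ~sum(CREATION_FLAGS)
    if unlisted:
        names.append(f"UNLISTED_0x{unlisted:08x}")
    return names


def priority_class(flags):
    """The priority class requested in dwCreationFlags, or None if the parent's class is inherited."""
    for name in decode_creation_flags(flags):
        if name.endswith("_PRIORITY_CLASS"):
            return name
    return None


def analyze(r_output, dq_output):
    """Hypothetical helper: full parameter map plus decoded flag names."""
    args = createprocessw_args(parse_registers(r_output), parse_dq(dq_output))
    args["creation_flag_names"] = decode_creation_flags(args["dwCreationFlags"])
    return args


if __name__ == "__main__":
    for name, value in analyze(SAMPLE_R, SAMPLE_DQ).items():
        print(f"{name:22} {value:#018x}" if isinstance(value, int) else f"{name:22} {value}")
```

The same mapping applies to CreateProcessA, since both share the prototype shown above; only the string decoding (`da` instead of `du`) changes. When the process creation goes through CreateProcessInternalW directly, as the `x` listing shows is possible, the parameter list differs, so set the breakpoint on the function that is actually hit before trusting the offsets.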