How to break on the entry point of a program when debugging in kernel mode with windbg?


Problem description

I want to debug a program in kernel mode, and I want to break on the entry point of the program like ollydbg. But I can't break on it with bp because the program has not started and the symbols can't be loaded. I have found some ways to do it but I think they are not so good.

1. Break on the CreateProcess function in the kernel. But I don't know which function exactly I should break on, and I think there is a long way between CreateProcess and the entry point of the program.

2. Change the entry point of the program to cc. But it needs other tools, and I have to change the byte back where the code was changed. I think it is annoying.

3. With the help of ollydbg. Debug the program with ollydbg in a virtual machine which is debugged with windbg. I don't think that it is a good idea.

4. Use sxe ld. It can be found in Listing 3.29 of <<Advanced Windows Debugging>>. I have tried it but I found that it only works the first time. And I don't know what exactly I should do after the break.

5. Break on the entry function with bu. But I don't know what exactly I should do either. For example, how to load the symbols?

6. Use .create. I don't know whether it is proper or not to do what I said.

I think that it is a common use case to break on the entry point of a program when debugging in kernel mode with windbg, and I think that there must be a good way to do that with the powerful windbg. What's the best way to do it?

By the way, I want to debug a program in kernel mode because I want to get the token value of the program. I found that windbg can identify the token with !token in user mode, but I don't know how to get the value of the token in user mode. It seems that I can only get the value of the token in kernel mode, right or wrong?

Solution

you can run any exe in the target via ntsd -d to debug it from the kernel mode debugger running in the host

assuming you are running a virtual machine mytarget inside myhost

install windbg in myhost
set symbol path for myhost viz srv*x:\xxxx*http:\xxxxxxxxxxxx
create a kernel connection in the host (choose the best; shown below is a serial connection)

X:\xxxx\windbg.exe -k com:pipe,port=\\.\pipe\debugPipe,resets=0,reconnect

install windbg in mytarget
open a shared folder z:\ pointing to the symbolcache folder in myhost
set symbolpath in mytarget pointing to the shared folder
run ntsd -d calc.exe

kd will break on $exentry of calc.exe with Input Prompt

as long as Input prompt is shown you are using kd like a native usermode debugger so if you set a bp calc!Winmain and issue g kd will break on calc.exe winmain

to get to kd session use .breakin

messy stuff but will work well once you get accustomed (i.e. memorizing the docs)

a sample run

kd> g   <-------------- kd session running in myhost

CommandLine: calc.exe 
Symbol search path is: srv*z:\
*http://msdl.microsoft.com/download/symbols

ntdll!DbgBreakPoint:
7c90120e cc              int     3

.sympath
NOTE: The symbol path for this ntsd is relative to where
ntsd.exe is running, not where kd.exe is running.
Symbol search path is: srv*z:\
*http://msdl.microsoft.com/download/symbols
Expanded Symbol search path is: srv*z:\
*http://msdl.microsoft.com/download/symbols

.reload /f calc.exe

lm m calc
start    end        module name
01000000 0101f000   calc       (pdb symbols)          z:\calc.pdb\3B7D84101\calc.pdb

0:000> version  <--------------------usermode session in kd via ntsd -d 
version
Windows XP Version 2600 (Service Pack 3) UP Free x86 compatible

Live user mode: <Local>

command line: 'ntsd -d calc.exe'  Debugger Process 0x3F8 

? $exentry;? calc!WinmainCrtstartup
Evaluate expression: 16852085 = 01012475
Evaluate expression: 16852085 = 01012475

as to your original request I am not sure what token you are interested in finding

if getting the EPROCESS->Token of your exe is the only requirement you don't have to run any kd session

you can get the token of all running processes in myhost with a local kernel debugging session (either using kd -kl or by using livekd from sysinternals)

here is a simple script which fetches the sid of all running processes employing the above technique

:\>cat sid.txt
!for_each_process "r $t0 =(@@c++(((nt!_eprocess *) @#Process )->Token.Object)) & @@(~7); r $t1 = @@c++(((nt!_token *) @$t0 )->UserAndGroups->Sid);!sid @$t1 1; ?? (char *)((nt!_eprocess *) @#Process )->ImageFileName "

:\>kd -kl -c "$$>a< sid.txt;q"

result

WARNING: Local kernel debugging requires booting with kernel
debugging support (/debug or bcdedit -debug on) to work optimally.

lkd> kd: Reading initial command '$$>a< sid.txt;q'
SID is: S-1-5-18 (Well Known Group: NT AUTHORITY\SYSTEM)
char * 0x8ac729a4
 "System"
SID is: S-1-5-18 (Well Known Group: NT AUTHORITY\SYSTEM)
char * 0x8a35729c
 "smss.exe"

SID is: S-1-5-20 (Well Known Group: NT AUTHORITY\NETWORK SERVICE)
char * 0x8a3619ac
 "svchost.exe"

SID is: S-1-5-19 (Well Known Group: NT AUTHORITY\LOCAL SERVICE)
char * 0x8a36ef14
 "svchost.exe"

SID is: S-1-5-21-602162358-1801674531-1417001333-1003 (User: XXXXXX\Admin)
char * 0x8a261b64
 "explorer.exe"
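As an added example (not part of the answer above), a small Python parser for the listing that the kd -kl script prints, so the per-process SIDs can be checked programmatically rather than read by eye; the sample text is constructed in that output format, the function names are mine, and fast_ref_object mirrors the "& @@(~7)" masking the script applies to EPROCESS->Token.Object.

```python
import re
from collections import defaultdict

# Constructed sample in the format printed by "kd -kl -c '$$>a< sid.txt;q'":
# one "SID is:" line from !sid, then the ?? output of the image name.
SAMPLE_OUTPUT = """\
lkd> kd: Reading initial command '$$>a< sid.txt;q'
SID is: S-1-5-18 (Well Known Group: NT AUTHORITY\\SYSTEM)
char * 0x8ac729a4
 "System"
SID is: S-1-5-18 (Well Known Group: NT AUTHORITY\\SYSTEM)
char * 0x8a35729c
 "smss.exe"

SID is: S-1-5-20 (Well Known Group: NT AUTHORITY\\NETWORK SERVICE)
char * 0x8a3619ac
 "svchost.exe"

SID is: S-1-5-21-602162358-1801674531-1417001333-1003 (User: XXXXXX\\Admin)
char * 0x8a261b64
 "explorer.exe"
"""

SID_RE = re.compile(r'^SID is: (S-[\d-]+) \((.*)\)$')
NAME_RE = re.compile(r'^\s*"([^"]*)"$')


def fast_ref_object(value):
    """Token.Object is an EX_FAST_REF: the low 3 bits hold a reference
    count, so the real _TOKEN pointer is the value with those bits cleared
    (the script's "& @@(~7")."""
    return value & ~7


def parse_sid_listing(text):
    """Return (image_name, sid, account) tuples, pairing each !sid line
    with the quoted image name that follows it."""
    records, sid, account = [], None, None
    for line in text.splitlines():
        m = SID_RE.match(line)
        if m:
            sid, account = m.group(1), m.group(2)
            continue
        m = NAME_RE.match(line)
        if m and sid is not None:
            records.append((m.group(1), sid, account))
            sid = account = None
    return records


def processes_by_sid(records):
    """Group image names under the SID they run as (audit view)."""
    groups = defaultdict(list)
    for name, sid, _ in records:
        groups[sid].append(name)
    return dict(groups)
```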
