Kernel Debugging Tutorial
2005 Microsoft Corporation

Kernel debugging with WinDbg
看雪学院, translated by 笨笨雄 (posted 2021-04-14)

Contents: Setup; Basics; Selected Techniques; Getting More Information

The Debugging Tools for Windows are powerful, but learning to use them is not easy. This is especially true of WinDbg and KD, the two kernel debuggers used by driver developers (CDB and NTSD are user-mode debuggers). The goal of this tutorial is to give a developer who already has experience with other debugging tools enough information to do kernel debugging with the help file of the Debugging Tools for Windows as a reference. It assumes the developer is familiar with the Windows operating system in general and with how processes are created.

The focus is WinDbg, the graphical debugger that integrates kernel-mode and user-mode debugging. KD is more useful for scripting and automated debugging and has its place among experienced programmers, but this tutorial concentrates on WinDbg and mentions KD only occasionally.

The tutorial covers Windows NT 4.0, Windows 2000 and later versions, with a target computer whose processor is based on the x86 architecture. 64-bit platforms are not specifically discussed.

After a short introduction to installing the debugger, the tutorial is divided into two parts: basics and selected techniques. The basics cover the fundamental debugging commands and the ones used most often. The selected techniques are other commands and investigative methods that are useful in many situations; they are not the only way to investigate deadlocks, memory corruption or resource leaks. On a first reading you may skip the selected techniques.

You can leave this tutorial at any point for the Microsoft debugger discussion groups, or get further questions answered through the debugger feedback e-mail.
Setup

Get the latest version!

Get the latest version of the debugger and update it regularly. The value of the latest version is not exaggerated: the debuggers are improved and bugs are fixed frequently. You can download it from http://www.microsoft.com/whdc/devtools/debugging/default.mspx.
Connecting the host and the target

The debugger supports setups in which two computers are connected by a null-modem cable or a 1394 cable. This tutorial does not cover local debugging of a single operating system (analysis on the same computer the debugger runs on). Three-computer debugging (target computer, debugging server, debugging client) is discussed only briefly.

Debugging is a cooperative process between the host debugging software (WinDbg or KD) and the target operating system; each side has work to do. To be explicit, WinDbg is not a "managing operating system" that runs the target as a guest the way a real operating system would. WinDbg is a debugging program, and the target operating system is a partner that knows its role in the debugging process. In this relationship WinDbg receives information from the target and sends information to it, and that requires a working communication mechanism.

The serial protocol is a reliable communication mechanism between the debugger and the target system; you connect host and target through COM ports with a null-modem cable. The other option is 1394. Both are described under "Configuring Software on the Target Computer" in the help file of the Debugging Tools for Windows.
Your first session

Assume the host runs Windows 2000 or later. The host operating system can differ from the target's. The host can be the machine where you normally do development, maintenance or troubleshooting. It should be connected to the network if you want access to the symbol and source servers (see "Finding symbols and source").

From a command prompt, change to the installation directory of the Debugging Tools for Windows; this is where windbg.exe and kd.exe are located. Type windbg and press Enter. You will see the WinDbg main window (screenshot in the original).

Arranging the windows

Here you can rearrange your windows. The examples below use undocked windows. To open the Command window and move it to the top of the screen, click the "Command" title bar and drag the window out of the main frame, then shrink the main frame. You can use keystrokes instead of the menus or buttons.

Then use File => Kernel Debug to open the connection dialog and choose 1394 and channel 1. At this point your desktop looks like the figure in the original. In the Kernel Debugging dialog, click OK.
Activating the connection

You are now ready to establish the connection between host and target. Boot Windows on the target using one of its debug boot entries. Immediately return to the host, activate WinDbg's Command window with the mouse and press CTRL+BREAK. Shortly afterwards you will see the connection output (screenshot in the original). Don't worry about the symbol messages yet: you have connected WinDbg to Windows 2003, and you are in business.

There is one small but critical thing to understand: the "kd>" prompt at the bottom of the Command window means WinDbg is ready to accept a command. Without the prompt, WinDbg will not process commands, although anything you type is buffered and run as soon as possible. You must wait for "kd>" to be sure WinDbg is ready to respond, because it is sometimes busy with something you cannot see (for instance fetching information from the target, which can be large). The missing "kd>" is the only clue that WinDbg is busy. Another possibility is that WinDbg is resolving symbols and taking longer than you expect. Unfortunately, WinDbg occasionally waits on a target connection that will never respond (perhaps boot.ini is misconfigured, or the wrong option was selected). After waiting a reasonable time you have to decide on drastic measures: press CTRL+BREAK, or stop WinDbg and start over.
Finding symbols and source

You are probably eager to start debugging, but there are still a few things to do that will greatly improve the experience. First, make sure WinDbg can find the symbols for the modules you are interested in. Symbols relate a binary instruction to a statement and tell which variables are being moved; in other words, they are the symbol table. If you are on the machine where the module was built, you have valid symbols and source files. But what if you need to step through code built long ago, or your code is no longer where it was built? Tell the debugger explicitly where the symbols are with the .sympath command. Break into the Command window (CTRL-BREAK) and type

    .sympath SRV**http://msdl.microsoft.com/download/symbols

to tell WinDbg to look for symbols on Microsoft's public symbol server. To have WinDbg use that server and also keep a local copy of downloaded symbols, for example in D:\DebugSymbols, do this instead:

    .sympath SRV*d:\DebugSymbols*http://msdl.microsoft.com/download/symbols

Occasionally you will have trouble getting symbols from the symbol server. In that case, use the !sym noisy command to get more information about WinDbg's attempts to obtain symbols, then use !lmi to see how much WinDbg knows about ntoskrnl, then try to get ntoskrnl's symbols with .reload /f. Thus:

    kd> !sym noisy
    noisy mode - symbol prompts on
    kd> !lmi nt
    Loaded Module Info: [nt]
             Module: ntoskrnl
       Base Address: 80a02000
         Image Name: ntoskrnl.exe
       Machine Type: 332 (I386)
         Time Stamp: 3e80048b Mon Mar 24 23:26:03 2003
               Size: 4d8000
           CheckSum: 3f6f03
    Characteristics: 10e
    Debug Data Dirs: Type  Size     VA  Pointer
                 CODEVIEW    25,   ee00,    e600 RSDS - GUID: (0xec9b7590, 0xd1bb, 0x47a6, 0xa6, 0xd5, 0x38, 0x35, 0x38, 0xc2, 0xb3, 0x1a)
                   Age: 1, Pdb: ntoskrnl.pdb
         Image Type: MEMORY     - Image read successfully from loaded memory.
        Symbol Type: EXPORT     - PDB not found
        Load Report: export symbols

The commands used here and their syntax are described in the help file of the Debugging Tools for Windows. Symbol output is usually large. The Debugging Tools for Windows include a symbol server that connects to the Microsoft web server holding the public symbols.
Add it to your symbol path, then load the symbols:

    kd> .sympath SRV*d:\DebugSymbols*http://msdl.microsoft.com/download/symbols
    Symbol search path is: SRV*d:\DebugSymbols*http://msdl.microsoft.com/download/symbols
    kd> .reload /f nt
    SYMSRV:  \\symbols\symbols\ntoskrnl.pdb\EC9B7590D1BB47A6A6D5383538C2B31A1\file.ptr
    SYMSRV:  ntoskrnl.pdb from \\symbols\symbols: 9620480 bytes copied
    DBGHELP: nt - public symbols
             d:\DebugSymbols\ntoskrnl.pdb\EC9B7590D1BB47A6A6D5383538C2B31A1\ntoskrnl.pdb
    kd> !lmi nt
    Loaded Module Info: [nt]
             Module: ntoskrnl
       Base Address: 80a02000
         Image Name: ntoskrnl.exe
       Machine Type: 332 (I386)
         Time Stamp: 3e80048b Mon Mar 24 23:26:03 2003
               Size: 4d8000
           CheckSum: 3f6f03
    Characteristics: 10e
    Debug Data Dirs: Type  Size     VA  Pointer
                 CODEVIEW    25,   ee00,    e600 RSDS - GUID: (0xec9b7590, 0xd1bb, 0x47a6, 0xa6, 0xd5, 0x38, 0x35, 0x38, 0xc2, 0xb3, 0x1a)
                   Age: 1, Pdb: ntoskrnl.pdb
         Image Type: MEMORY     - Image read successfully from loaded memory.
        Symbol Type: PDB        - Symbols loaded successfully from symbol server.
                     d:\DebugSymbols\ntoskrnl.pdb\EC9B7590D1BB47A6A6D5383538C2B31A1\ntoskrnl.pdb
           Compiler: C - front end [13.10 bld 2179] - back end [13.10 bld 2190]
        Load Report: public symbols
                     d:\DebugSymbols\ntoskrnl.pdb\EC9B7590D1BB47A6A6D5383538C2B31A1\ntoskrnl.pdb

Symbols give you some information but not the source code. In the simplest case the source files are still where they were when the module was built (the location that also holds the binary and the symbol file). In most cases you cannot find them there (they may have been moved), so you must specify where they are. For that you need a source path, for example

    .srcpath e:\Win2003SP1

which means: for source files, look in the e:\Win2003SP1 directory. Another option is to name a source server, if you have one:

    .srcpath \\MySrcServer

If you ever have trouble getting source files, use .srcnoisy 1 to get more information about how the debugger looks for them.
Workspaces

You cannot start debugging yet unless you are prepared to type a lot. Many settings are saved in a workspace, so use File => Save Workspace to save them; for example, save it as kernel1394Win2003. After that you want to start WinDbg with this workspace's settings:

    windbg -W kernel1394Win2003 -k 1394:channel=1

-W specifies a workspace and -k gives the connection (see "WinDbg Command-Line Options" in the help file of the Debugging Tools for Windows). Note: in WinDbg and KD, command-line options are case sensitive, so be careful.

To make things easier, you can create a desktop shortcut that starts WinDbg with a particular workspace, for example for a 1394 connection (screenshot in the original). The contents of the file the shortcut runs:

    cd /d "d:\Program Files\Debugging Tools for Windows"
    start windbg.exe -y SRV*d:\DebugSymbols*http://msdl.microsoft.com/download/symbols -W kernel1394Win2003

The first line changes to the installation directory of the Debugging Tools for Windows so that the debugger modules can be found there. The second line starts WinDbg, specifying the symbol path (-y) and the workspace (-W).
A sample driver

Practising with the IoCtl sample driver will help you become familiar with WinDbg. You will find it in the Windows DDK and its successor, the WDK; once installed, the driver is in the src\general\ioctl subdirectory. The advantage of IoCtl is that it is a sample and a "legacy" driver, loaded by the Service Control Manager (SCM) rather than being part of Plug and Play (the PnP inputs and outputs are of no interest here). You build the user-mode program (ioctlapp.exe) and the kernel-mode driver (sioctl.sys), which is loaded after the program starts.

There is something important to understand here. The build process is quite clever about optimizing code: optimization moves code around (preserving the logic, of course) and keeps some variables only in registers. For a simpler debugging experience, build a debug version with this directive in the build window or the sources file:

    MSC_OPTIMIZATION=/Od

(that is "oh d", not "zero d"). Sometimes this causes problems with intrinsic functions such as memcmp. If you hit that, try:

    MSC_OPTIMIZATION=/Odi

Understand that disabling optimization is not a good choice for a release product; with the directive above you are not building or testing the release version. Still, it is good practice for testing an unoptimized build. Once you are familiar with the code and have removed the simple errors, you can move up to the release product. If you need to work with optimized code, you will find help under "Working with optimized code".
Debugging the sample driver

Set a breakpoint at IoCtl's DriverEntry. Before starting the driver, break into WinDbg's Command window and type:

    bu sioctl!DriverEntry

The bu ("Breakpoint Unresolved") command defers setting the breakpoint until the module is loaded; that is, WinDbg will watch for "DriverEntry". If there is nothing else to do, press F5 (or type g, "Go").

Next, copy ioctlapp.exe and sioctl.sys to the target system, for example to C:\Temp\IOCTL, log on as an administrator and, in a command window, change to C:\Temp\IOCTL. (You do not need to set this path as the symbol path or source path in WinDbg.) In the same command window type ioctlapp and press Enter. In WinDbg you will see (screenshot in the original) that execution has stopped at the breakpoint, and the !lmi command shows that WinDbg got the symbols from the DDK; the timestamp is what you expect and the local symbol file matches.

Depending on your window layout it may not be obvious, because the current window can be hidden by others, but somewhere there is a Source window (the key sequence Alt-Keypad* brings it to the front; screenshot in the original). The line where the breakpoint was set, that is, where execution stopped, is marked in pink (the help file calls it purple). When you step into IoCreateDevice (see "Controlling execution" for how), you see the original breakpoint highlighted in red (where control will stop) and the current statement marked in dark blue.
Basics

With that "test drive" of a debugging session behind you, here are some basic debugging operations: commands, extensions and so on.

Commands come in several families: plain (unadorned) ones, some beginning with a period (".") and some beginning with an exclamation mark ("!"). The help file of the Debugging Tools for Windows describes them as commands, meta-commands and extension commands respectively. For present purposes the families behave very much alike.

Breakpoints

Interrupting execution is one of the debugger's functions. Here are several ways to do it.

Breaking at operating system startup

To break as early as possible while the operating system starts, make sure WinDbg is connected and press CTRL-ALT-K repeatedly until you see the corresponding message (output in the original). At the next boot, shortly after ntoskrnl is loaded and before any driver is loaded, the operating system halts and WinDbg takes control. If you want to set breakpoints for a driver at boot time, this is the moment.
Ordinary breakpoints

The simplest way to set a breakpoint is the bp ("Breakpoint") command. For example:

    bp MyDriver!xyz
    bp f89adeaa

The first sets the breakpoint at a name in a module (note the "!"); the second sets it at a given address. When execution reaches either breakpoint the operating system halts and control passes to WinDbg. (See "Finding names" for how to obtain the address used in the second command.) Note: the syntax of the first command assumes the operating system has already loaded the module, and that the symbol file or the export definitions contain enough information to identify xyz. If xyz cannot be found in the module, the debugger tells you so.
Deferred breakpoints

Speaking of drivers that are not yet loaded: your very first breakpoint, set with bu (see "Debugging the sample driver" above), was a "deferrable" breakpoint. The argument of bu is a module and a name within it, for example:

    bu sioctl!SioctlDeviceControl

SioctlDeviceControl is an entry point, or some other name, in the module sioctl.sys. This form assumes that when the module is loaded there is enough information to identify SioctlDeviceControl so the breakpoint can be set (if the module is already loaded and the name is found, the breakpoint is set immediately). If SioctlDeviceControl cannot be found, the debugger says so, and it will not halt at SioctlDeviceControl.

One useful property of deferred breakpoints is that they operate on module!name. By contrast, ordinary breakpoints operate on addresses, or immediately resolve module!name to an address. Another property is that deferred breakpoints are remembered across boots (this does not apply to explicit address breakpoints). Yet another is that a deferred breakpoint survives even if its module is unloaded, whereas an ordinary breakpoint is removed in the same situation.
Another way to set an ordinary breakpoint is through the Source window. Back to sioctl.sys: while stopped at DriverEntry, scroll down to the place where you want to stop, put the cursor on that line of code and press F9 (screenshot in the original). The red line is the breakpoint set with F9. You can list all breakpoints with bl ("Breakpoint List"):

    kd> bl
     0 e [d:\winddk\3790\src\general\ioctl\sys\sioctl.c @ 123] 0001 (0001) SIoctl!DriverEntry
     1 e [d:\winddk\3790\src\general\ioctl\sys\sioctl.c @ 338] 0001 (0001) SIoctl!SioctlDeviceControl+0x103

Note two things: each breakpoint has a number, and its status is shown, "e" for "enabled" and "d" for "disabled".
Suppose you want to stop using a breakpoint temporarily. bd ("Disable Breakpoint") does that; you only give the breakpoint number:

    kd> bd 1
    kd> bl
     0 e [d:\winddk\3790\src\general\ioctl\sys\sioctl.c @ 123] 0001 (0001) SIoctl!DriverEntry
     1 d [d:\winddk\3790\src\general\ioctl\sys\sioctl.c @ 338] 0001 (0001) SIoctl!SioctlDeviceControl+0x103

Similarly, to remove breakpoint 1 permanently use bc 1 ("Clear Breakpoint"); the breakpoint then disappears from the breakpoint list.
Sometimes, however, a breakpoint in the operating system or a driver sits at a place that is hit frequently, and you want to tie it to some circumstance or condition so that it takes effect only then. This is the basic form:

    bp SIoctl!SioctlDeviceControl+0x103 "j (@@(Irp)=0xffb5c4f8) ''; 'g'"

It means: break only if Irp = address 0xFFB5C4F8; if the condition is not met, keep running. Looking closer, the command above does not describe a state of the breakpoint itself. Rather, the breakpoint has an action (in double quotes), and within that action the j ("Execute If/Else") command is a conditional operation. j works on a TRUE item and a FALSE item (in single quotes). Above, the TRUE item (the first) is empty, so when the breakpoint fires and the condition is TRUE, WinDbg does nothing but halt. If the condition is FALSE, execution continues because of the g command. One action or the other is performed, depending on the case.

Consider this more elaborate command:

    bp SIoctl!SioctlDeviceControl+0x103 "j (@@(Irp)=0xffb5c4f8) '.echo Found the interesting IRP'; '.echo Skipping an IRP of no interest; g'"

Here the TRUE item prints a message and stops. The FALSE item prints a message and continues (the message is useful: it shows that WinDbg evaluated the condition as FALSE and silently went on).
Something to watch for: the following breakpoint, which tests EAX (see "Registers" for how to work with them), will not work as you expect:

    bp SIoctl!SioctlDeviceControl+0x103 "j (@eax=0xffb5c4f8) '.echo Here!'; '.echo Skipping; g'"

The reason is that the register's value may be sign-extended to 64 bits before the comparison, for example to 0xFFFFFFFF`FFB5C4F8, which does not match 0x00000000`FFB5C4F8. This applies only when the high bit of the 32-bit value is set and some other conditions hold (for instance, a 32-bit register). "Sign Extension" in the help file of the Debugging Tools for Windows has the details (see also "Setting a Conditional Breakpoint").
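The following is an added C model of the sign-extension pitfall just described; it is not code from the tutorial and does not use any WinDbg API. It widens the page's value 0xFFB5C4F8 the two ways a 64-bit evaluator can, shows why the naive equality fails only when the high bit is set, and shows a width-aware comparison; the function names are the example's own.

```c
/* Added example: model of the "j (@eax=0xffb5c4f8)" comparison problem.
 * A 32-bit register value may be widened to 64 bits by sign extension,
 * while a 32-bit literal is zero-extended, so the two no longer compare
 * equal when bit 31 of the value is set. Helper names are hypothetical. */
#include <stdint.h>
#include <stdio.h>

/* Sign-extend a 32-bit register value to 64 bits (what the page says the
 * evaluator may do with EAX). */
static uint64_t sign_extend32(uint32_t reg)
{
    return (uint64_t)(int64_t)(int32_t)reg;
}

/* Zero-extend: what a 32-bit literal such as 0xffb5c4f8 becomes as a
 * 64-bit number. */
static uint64_t zero_extend32(uint32_t value)
{
    return (uint64_t)value;
}

/* The comparison as written in the breakpoint: widened register against
 * widened literal. Returns 1 when they are equal. */
static int naive_match(uint32_t reg, uint32_t literal)
{
    return sign_extend32(reg) == zero_extend32(literal);
}

/* Width-aware comparison: truncate both sides to 32 bits first, so the
 * result depends only on the 32-bit value, not on how it was widened. */
static int masked_match(uint32_t reg, uint32_t literal)
{
    return (sign_extend32(reg) & 0xFFFFFFFFu) ==
           (zero_extend32(literal) & 0xFFFFFFFFu);
}

int main(void)
{
    const uint32_t irp = 0xFFB5C4F8u; /* value from the tutorial's breakpoint */
    const uint32_t low = 0x7FB5C4F8u; /* constructed: same value, bit 31 clear */

    printf("sign-extended EAX   : 0x%016llx\n",
           (unsigned long long)sign_extend32(irp));
    printf("zero-extended value : 0x%016llx\n",
           (unsigned long long)zero_extend32(irp));
    printf("naive match, high bit set   : %d\n", naive_match(irp, irp));
    printf("naive match, high bit clear : %d\n", naive_match(low, low));
    printf("masked match, high bit set  : %d\n", masked_match(irp, irp));
    return 0;
}
```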
Breakpoints can carry conditions, with or without a conditional action. One condition is "one-shot": the breakpoint fires only once (and is cleared after it fires). This is handy for frequently used code when you are interested only in the first hit:

    bp /1 SIoctl!SioctlDeviceControl+0x103

Other useful conditions test the process or the thread:

    bp /p 0x81234000 SIoctl!SioctlDeviceControl+0x103
    bp /t 0xff234000 SIoctl!SioctlDeviceControl+0x103

These stop at the given place only when the process block (EPROCESS) is at 0x81234000, and only when the thread block (ETHREAD) is at 0xFF234000, respectively. The conditions can be combined:

    bp /1 /C 4 /p 0x81234000 SIoctl!SioctlDeviceControl+0x103

This breaks when the call stack depth is greater than 4 (the capital C matters here, because "c" means "less than") and the process block is at 0x81234000.
A different kind of breakpoint specifies an access mode. For example:

    ba w4 0xffb5c4f8+0x18+0x4

As you can see, the address comes from the IRP: offset 0x18+0x4 in it is the IoStatus.Information member. So the breakpoint fires when something tries to update the 4 bytes of IoStatus.Information in that IRP. These are called data breakpoints (because they are triggered by data access) or processor breakpoints (because they are implemented by the processor rather than by the debugger itself).
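As an added illustration (not code from the tutorial or the DDK), the C below models the x86 _IRP header with the offsets that dt prints later on this page, derives the address and length a "ba w4" on IoStatus.Information needs, and checks which 4-byte accesses would trigger it. The struct and function names are the example's own, and all pointer fields are 32-bit because the page's target is x86.

```c
/* Added example: model of the x86 _IRP layout shown by "dt Irp" on this
 * page, used to derive the "ba w4 irp+0x18+0x4" address. Type names are
 * local models, not the WDK definitions; pointers are uint32_t (x86). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct x86_list_entry {
    uint32_t Flink;                    /* +0x000 */
    uint32_t Blink;                    /* +0x004 */
} x86_list_entry;

typedef struct x86_io_status_block {
    union {
        int32_t  Status;               /* +0x000 */
        uint32_t Pointer;              /* +0x000 */
    } StatusOrPointer;
    uint32_t Information;              /* +0x004 */
} x86_io_status_block;

/* Offsets in the comments are the ones dt printed for this IRP. */
typedef struct x86_irp_header {
    int16_t  Type;                     /* +0x000 */
    uint16_t Size;                     /* +0x002 */
    uint32_t MdlAddress;               /* +0x004 */
    uint32_t Flags;                    /* +0x008 */
    union {
        uint32_t MasterIrp;
        int32_t  IrpCount;
        uint32_t SystemBuffer;
    } AssociatedIrp;                   /* +0x00c */
    x86_list_entry ThreadListEntry;    /* +0x010 */
    x86_io_status_block IoStatus;      /* +0x018 */
    uint8_t  RequestorMode;            /* +0x020 */
    uint8_t  PendingReturned;          /* +0x021 */
    int8_t   StackCount;               /* +0x022 */
    int8_t   CurrentLocation;          /* +0x023 */
    uint8_t  Cancel;                   /* +0x024 */
    uint8_t  CancelIrql;               /* +0x025 */
    int8_t   ApcEnvironment;           /* +0x026 */
    uint8_t  AllocationFlags;          /* +0x027 */
    uint32_t UserIosb;                 /* +0x028 */
    uint32_t UserEvent;                /* +0x02c */
    struct {                           /* +0x030 Overlay: 8-byte LARGE_INTEGER,
                                          split in two so the model keeps
                                          4-byte alignment on 64-bit hosts */
        uint32_t AllocationSizeLow;
        uint32_t AllocationSizeHigh;
    } Overlay;
    uint32_t CancelRoutine;            /* +0x038 */
    uint32_t UserBuffer;               /* +0x03c */
    uint8_t  Tail[0x54];               /* +0x040; sized so that the whole
                                          header matches Size = 0x94 */
} x86_irp_header;

/* Offset of IoStatus.Information inside the IRP, computed from the model. */
static size_t iostatus_information_offset(void)
{
    return offsetof(x86_irp_header, IoStatus) +
           offsetof(x86_io_status_block, Information);
}

/* Address a "ba w4" needs to watch IoStatus.Information of the IRP at irp. */
static uint32_t ba_watch_address(uint32_t irp)
{
    return irp + (uint32_t)iostatus_information_offset();
}

/* Number of bytes "w4" covers; must equal the member's size. */
static size_t ba_watch_length(void)
{
    return sizeof(((x86_irp_header *)0)->IoStatus.Information);
}

/* Overlap test a 4-byte data breakpoint effectively performs: does the
 * access [addr, addr+len) touch any of the 4 watched bytes? */
static int access_hits_watch(uint32_t watch, uint32_t addr, uint32_t len)
{
    return addr < watch + 4u && addr + len > watch;
}

int main(void)
{
    const uint32_t irp = 0xFFB5C4F8u;          /* IRP address from the page */
    const uint32_t watch = ba_watch_address(irp);

    printf("sizeof header = 0x%zx (dt shows Size 0x94)\n", sizeof(x86_irp_header));
    printf("IoStatus.Information at +0x%zx\n", iostatus_information_offset());
    printf("ba w%zu 0x%08x   (= 0x%08x+0x18+0x4)\n", ba_watch_length(), watch, irp);
    printf("write to IoStatus.Status hits: %d\n", access_hits_watch(watch, irp + 0x18, 4));
    printf("write to Information hits:     %d\n", access_hits_watch(watch, irp + 0x1c, 4));
    return 0;
}
```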
Expressions: MASM and C++

Using a driver's variables as arguments, such as the address of a process, may seem an easy thing to do. Still, you need to understand something about the debugger's expressions. The debugger has two ways of evaluating expressions, referred to as "MASM" (Microsoft Macro Assembler) and "C++". To quote "MASM Expressions vs. C++ Expressions" in the help file of the Debugging Tools for Windows: in a MASM expression, the numeric value of any symbol is its memory address; in a C++ expression, the value of a variable is its actual value, not its address. Read that section again and again; it will save you a lot of time.

An expression is evaluated using MASM, or C++, or a mixture of the two. Briefly:
1. The default expression type is MASM.
2. You can change the default with .expr (see the help file of the Debugging Tools for Windows).
3. Some commands always evaluate with C++.
4. Evaluation of a particular expression (or part of one) can be switched to the opposite of the surrounding expression with the "@@" prefix.

This summary is quite tricky; consult "Evaluating Expressions" in the help file of the Debugging Tools for Windows. For now, here are some examples to give you an idea of how evaluation works.
You stopped earlier at Sioctl!SioctlDeviceControl+0x103, so use dv to look at a known variable (see the dv command for more):

    kd> dv Irp
             Irp = 0xff70fbc0

The response means the Irp variable contains 0xFF70FBC0. Moreover, dv interprets its argument with C++ syntax: the response is based on the variable's contents, not its address. You can confirm this with ??, which always evaluates as C++ (see the ?? command):

    kd> ?? Irp
    struct _IRP * 0xff70fbc0

For MASM-style evaluation, try ? (see the ? command):

    kd> ? Irp
    Evaluate expression: -141181880 = f795bc48

This says the variable Irp is located at 0xF795BC48. You can confirm that it really contains 0xFF70FBC0 by displaying memory with dd (see the dd command):

    kd> dd f795bc48 l1
    f795bc48  ff70fbc0

and you can display the memory it points to in the same way.

Looking at a variable like IRP as dt displays it (see the dt command), the Type and Size members hold plausible values:

    kd> dt Irp
    Local var @ 0xf795bc48 Type _IRP*
    0xff70fbc0
       +0x000 Type             : 6
       +0x002 Size             : 0x94
       +0x004 MdlAddress       : (null)
       +0x008 Flags            : 0x70
       +0x00c AssociatedIrp    : __unnamed
       +0x010 ThreadListEntry  : _LIST_ENTRY [ 0xff70fbd0 - 0xff70fbd0 ]
       +0x018 IoStatus         : _IO_STATUS_BLOCK
       +0x020 RequestorMode    : 1 ''
       +0x021 PendingReturned  : 0 ''
       +0x022 StackCount       : 1 ''
       +0x023 CurrentLocation  : 1 ''
       +0x024 Cancel           : 0 ''
       +0x025 CancelIrql       : 0 ''
       +0x026 ApcEnvironment   : 0 ''
       +0x027 AllocationFlags  : 0x4 ''
       +0x028 UserIosb         : 0x0006fdc0
       +0x02c UserEvent        : (null)
       +0x030 Overlay          : __unnamed
       +0x038 CancelRoutine    : (null)
       +0x03c UserBuffer       : 0x04008f20
       +0x040 Tail             : __unnamed

Sometimes you want C++ evaluation instead of a MASM expression. The "@@" prefix does that. Extension commands always take their arguments as MASM expressions, so you can see the effect of @@ when you use the !irp extension (see "IRPs"):

    kd> !irp @@(Irp)
    Irp is active with 1 stacks 1 is current (= 0xff70fc30)
     No Mdl System buffer = ff660c30 Thread ff73f4d8:  Irp stack trace.
         cmd  flg cl Device   File     Completion-Context
    >[  e, 0]   5  0 82361348 ffb05b90 00000000-00000000
                   \Driver\SIoctl
                Args: 00000064 0000003c 9c402408 00000000

If you repeat this without the @@ prefix on the Irp variable, !irp uses the address of the variable rather than its value. Concretely: if the variable is at 0xF795BC48 and contains 0xFF70FBC0, then !irp Irp instead of !irp @@(Irp) asks WinDbg to format the IRP stack located at 0xF795BC48.

What you should further know is that the @@ prefix is quite general: formally, it means "use the evaluation method other than the one in effect for the current expression". If most of the expression is MASM, @@ means C++; if it is C++, @@ means MASM. A last piece of advice: if an expression does not work as you expect, consider whether you are asking the debugger to understand MASM or C++ syntax.
Displaying and setting memory, variables, registers and so on

There are several ways to display and change these. To display a variable in the current routine (the current "scope"), use dv ("Display Variables"). For example, if stopped at Sioctl!SioctlDeviceControl+0x103:

    kd> dv
        DeviceObject = 0x82361348
                 Irp = 0xff70fbc0
        outBufLength = 0x64
              buffer = 0x00000000 ""
               irpSp = 0xff70fc30
                data = 0xf886b0c0 "This String is from Device Driver !!!"
            ntStatus = 0
                 mdl = 0x00000000
         inBufLength = 0x3c
             datalen = 0x26
              outBuf = 0x00000030 ""
               inBuf = 0xff660c30 "This String is from User Application; using METHOD_BUFFERED"

This is a list of the parameters and of some variables known at the breakpoint. "Known" is an important qualifier: if a variable has been optimized into a register, for example, it is not shown, although you can disassemble (View => Disassembly opens the Disassembly window) and examine the registers. If you care about only one variable:

    kd> dv outBufLength
        outBufLength = 0x64

Another useful command is dt ("Display Type").
For example, still at the breakpoint at Sioctl!SioctlDeviceControl+0x103:

    kd> dt Irp
    Local var @ 0xf795bc48 Type _IRP*
    0xff70fbc0
       +0x000 Type             : 6
       +0x002 Size             : 0x94
       +0x004 MdlAddress       : (null)
       +0x008 Flags            : 0x70
       +0x00c AssociatedIrp    : __unnamed
       +0x010 ThreadListEntry  : _LIST_ENTRY [ 0xff70fbd0 - 0xff70fbd0 ]
       +0x018 IoStatus         : _IO_STATUS_BLOCK
       +0x020 RequestorMode    : 1 ''
       +0x021 PendingReturned  : 0 ''
       +0x022 StackCount       : 1 ''
       +0x023 CurrentLocation  : 1 ''
       +0x024 Cancel           : 0 ''
       +0x025 CancelIrql       : 0 ''
       +0x026 ApcEnvironment   : 0 ''
       +0x027 AllocationFlags  : 0x4 ''
       +0x028 UserIosb         : 0x0006fdc0
       +0x02c UserEvent        : (null)
       +0x030 Overlay          : __unnamed
       +0x038 CancelRoutine    : (null)
       +0x03c UserBuffer       : 0x04008f20
       +0x040 Tail             : __unnamed

The output says that the variable Irp is at 0xF795BC48 and its value is 0xFF70FBC0; because dt knows the variable is a pointer to an IRP ("Type _IRP*"), the memory at 0xFF70FBC0 is formatted as an IRP. To expand the structure one level:

    kd> dt -r1 Irp
    Local var @ 0xf795bc48 Type _IRP*
    0xff70fbc0
       +0x000 Type             : 6
       +0x002 Size             : 0x94
       +0x004 MdlAddress       : (null)
       +0x008 Flags            : 0x70
       +0x00c AssociatedIrp    : __unnamed
          +0x000 MasterIrp        : 0xff660c30
          +0x000 IrpCount         : -10089424
          +0x000 SystemBuffer     : 0xff660c30
       +0x010 ThreadListEntry  : _LIST_ENTRY [ 0xff70fbd0 - 0xff70fbd0 ]
          +0x000 Flink            : 0xff70fbd0 [ 0xff70fbd0 - 0xff70fbd0 ]
          +0x004 Blink            : 0xff70fbd0 [ 0xff70fbd0 - 0xff70fbd0 ]
       +0x018 IoStatus         : _IO_STATUS_BLOCK
          +0x000 Status           : 0
          +0x000 Pointer          : (null)
          +0x004 Information      : 0
       +0x020 RequestorMode    : 1 ''
       +0x021 PendingReturned  : 0 ''
       +0x022 StackCount       : 1 ''
       +0x023 CurrentLocation  : 1 ''
       +0x024 Cancel           : 0 ''
       +0x025 CancelIrql       : 0 ''
       +0x026 ApcEnvironment   : 0 ''
       +0x027 AllocationFlags  : 0x4 ''
       +0x028 UserIosb         : 0x0006fdc0
          +0x000 Status           : 67142040
          +0x000 Pointer          : 0x04008198
          +0x004 Information      : 0x2a
       +0x02c UserEvent        : (null)
       +0x030 Overlay          : __unnamed
          +0x000 AsynchronousParameters : __unnamed
          +0x000 AllocationSize   : _LARGE_INTEGER 0x0
       +0x038 CancelRoutine    : (null)
       +0x03c UserBuffer       : 0x04008f20
       +0x040 Tail             : __unnamed
          +0x000 Overlay          : __unnamed
          +0x000 Apc              : _KAPC
          +0x000 CompletionKey    : (null)

You can display structures even when they are out of scope (provided the memory in question has not been reused for some other purpose):

    kd> dt nt!_IRP 0xff70fbc0
       +0x000 Type             : 6
       +0x002 Size             : 0x94
       +0x004 MdlAddress       : (null)
       +0x008 Flags            : 0x70
       +0x00c AssociatedIrp    : __unnamed
       +0x010 ThreadListEntry  : _LIST_ENTRY [ 0xff70fbd0 - 0xff70fbd0 ]
       +0x018 IoStatus         : _IO_STATUS_BLOCK
       +0x020 RequestorMode    : 1 ''
       +0x021 PendingReturned  : 0 ''
       +0x022 StackCount       : 1 ''
       +0x023 CurrentLocation  : 1 ''
       +0x024 Cancel           : 0 ''
       +0x025 CancelIrql       : 0 ''
       +0x026 ApcEnvironment   : 0 ''
       +0x027 AllocationFlags  : 0x4 ''
       +0x028 UserIosb         : 0x0006fdc0
       +0x02c UserEvent        : (null)
       +0x030 Overlay          : __unnamed
       +0x038 CancelRoutine    : (null)
       +0x03c UserBuffer       : 0x04008
f200x04008f200x04008f200x04008f20+0x040+0x040+0x040+0x040TailTailTailTail::::__unnamed__unnamed__unnamed__unnamed上面的命令,按照你知道的来说,就是IRP在0xFF70FBC0,而事实上,这是在ntoskrnl映射出的IRP结构.
What if you are interested in only one of the many members? Ask for that member, and its size is shown as well, for example:

kd> dt nt!_IRP Size 0xff70fbc0
unsigned short 0x94

A more direct way is the ?? ("Evaluate C++ Expression") command:

kd> ?? Irp->Size
unsigned short 0x94

That is, ?? understands that its argument refers to a member of the appropriate structure.
To display memory without the formatting above, some of the available commands are dd, dw and db ("Display Memory"):

kd> dd 0xff70fbc0 l0x10
ff70fbc0  00940006 00000000 00000070 ff660c30
ff70fbd0  ff70fbd0 ff70fbd0 00000000 00000000
ff70fbe0  01010001 04000000 0006fdc0 00000000
ff70fbf0  00000000 00000000 00000000 04008f20
kd> dw 0xff70fbc0 l0x20
ff70fbc0  0006 0094 0000 0000 0070 0000 0c30 ff66
ff70fbd0  fbd0 ff70 fbd0 ff70 0000 0000 0000 0000
ff70fbe0  0001 0101 0000 0400 fdc0 0006 0000 0000
ff70fbf0  0000 0000 0000 0000 0000 0000 8f20 0400
kd> db 0xff70fbc0 l0x40
ff70fbc0  06 00 94 00 00 00 00 00-70 00 00 00 30 0c 66 ff  ........p...0.f.
ff70fbd0  d0 fb 70 ff d0 fb 70 ff-00 00 00 00 00 00 00 00  ..p...p.........
ff70fbe0  01 00 01 01 00 00 00 04-c0 fd 06 00 00 00 00 00  ................
ff70fbf0  00 00 00 00 00 00 00 00-00 00 00 00 20 8f 00 04  ............ ...

(Note: the second argument to each of these three commands is a length, given by l (the letter "l") followed by a value, e.g. 0x10.) The first displays 16 doublewords (4 bytes each, 64 bytes in all). The second displays the same memory as words. The third displays the same memory as bytes.
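As an added example (this is not code from the tutorial), the following Python renders the same 64 bytes the way dd, dw and db do, so the little-endian relationship between the three listings is visible, and then decodes the scalar IRP members at the offsets dt nt!_IRP printed above. IRP_BYTES is transcribed from the db dump; IRP_HEADER is a partial offset map assumed from the 32-bit layout dt showed, not a full definition of struct _IRP. It also includes the one check a driver reviewer tends to make from this header: a RequestorMode of 1 means the request came from user mode, so UserBuffer is a user-mode address that the driver has to validate before touching it.

```python
"""Render one block of memory the way WinDbg's dd, dw and db do, and decode the
scalar IRP members that dt nt!_IRP shows from the same bytes.

Added example; this is not code from the tutorial. IRP_BYTES is transcribed from
the db dump of the IRP at 0xff70fbc0. IRP_HEADER lists the offsets dt printed
for the 32-bit layout; it is a partial map for illustration, not a complete
definition of struct _IRP.
"""
import struct

IRP_BASE = 0xFF70FBC0
IRP_BYTES = bytes.fromhex(
    "06009400" "00000000" "70000000" "300c66ff"   # ff70fbc0
    "d0fb70ff" "d0fb70ff" "00000000" "00000000"   # ff70fbd0
    "01000101" "00000004" "c0fd0600" "00000000"   # ff70fbe0
    "00000000" "00000000" "00000000" "208f0004"   # ff70fbf0
)


def dump(data, base, width):
    """Lines that d{b,w,d} print for `data` at `base`: 16 bytes per row, read as
    little-endian units of `width` bytes (1, 2 or 4). db adds the ASCII column."""
    lines = []
    for off in range(0, len(data), 16):
        row = data[off:off + 16]
        units = [int.from_bytes(row[i:i + width], "little")
                 for i in range(0, len(row), width)]
        cells = [f"{u:0{width * 2}x}" for u in units]
        if width == 1:
            # db separates the two halves of the row with '-' and shows printable bytes
            hexpart = " ".join(cells[:8]) + "-" + " ".join(cells[8:])
            text = "".join(chr(b) if 32 <= b < 127 else "." for b in row)
            lines.append(f"{base + off:08x}  {hexpart}  {text}")
        else:
            lines.append(f"{base + off:08x}  " + " ".join(cells))
    return lines


# (offset, struct format, member) as listed by dt nt!_IRP on 32-bit Windows
IRP_HEADER = [
    (0x000, "<h", "Type"),
    (0x002, "<H", "Size"),
    (0x004, "<I", "MdlAddress"),
    (0x008, "<I", "Flags"),
    (0x020, "<B", "RequestorMode"),
    (0x021, "<B", "PendingReturned"),
    (0x022, "<b", "StackCount"),
    (0x023, "<b", "CurrentLocation"),
    (0x024, "<B", "Cancel"),
    (0x025, "<B", "CancelIrql"),
    (0x026, "<b", "ApcEnvironment"),
    (0x027, "<B", "AllocationFlags"),
    (0x028, "<I", "UserIosb"),
    (0x02c, "<I", "UserEvent"),
    (0x038, "<I", "CancelRoutine"),
    (0x03c, "<I", "UserBuffer"),
]


def decode_irp_header(data):
    """Decode the scalar members of an IRP image the way dt displays them."""
    return {name: struct.unpack_from(fmt, data, off)[0] for off, fmt, name in IRP_HEADER}


def came_from_user_mode(header):
    """RequestorMode is the MODE enum: 0 = KernelMode, 1 = UserMode. A user-mode
    requestor means UserBuffer is a user address the driver must validate."""
    return header["RequestorMode"] == 1


if __name__ == "__main__":
    for width, name in ((4, "dd"), (2, "dw"), (1, "db")):
        print(f"kd> {name} {IRP_BASE:#x} l{len(IRP_BYTES) // width:#x}")
        print("\n".join(dump(IRP_BYTES, IRP_BASE, width)))
    for member, value in decode_irp_header(IRP_BYTES).items():
        print(f"{member:16} : {value:#x}")
```

Running it reproduces the three listings above line for line, which makes the point of the note: the word 0006 in the dw listing and the bytes 06 00 in the db listing are the same two bytes of memory, and the dword 00940006 is Type and Size side by side.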
How to change variables

Continuing at Sioctl!SioctlDeviceControl+0x103, you will find that the following form

kd> outBufLength = 00
               ^ Syntax error in 'outBufLength = 00'

does not work, but this does the job:

kd> ?? outBufLength = 00
unsigned long 0

Now back to the IRP you used dt on above:

kd> dt Irp
Local var @ 0xf795bc48 Type _IRP*
0xff70fbc0
   +0x000 Type             : 6
   +0x002 Size             : 0x94
   +0x004 MdlAddress       : (null)
   +0x008 Flags            : 0x70
   +0x00c AssociatedIrp    : __unnamed
   +0x010 ThreadListEntry  : _LIST_ENTRY [ 0xff70fbd0 - 0xff70fbd0 ]
   +0x018 IoStatus         : _IO_STATUS_BLOCK
   +0x020 RequestorMode    : 1 ''
   +0x021 PendingReturned  : 0 ''
   +0x022 StackCount       : 1 ''
   +0x023 CurrentLocation  : 1 ''
   +0x024 Cancel           : 0 ''
   +0x025 CancelIrql       : 0 ''
   +0x026 ApcEnvironment   : 0 ''
   +0x027 AllocationFlags  : 0x4 ''
   +0x028 UserIosb         : 0x0006fdc0
   +0x02c UserEvent        : (null)
   +0x030 Overlay          : __unnamed
   +0x038 CancelRoutine    : (null)
   +0x03c UserBuffer       : 0x04008f20
   +0x040 Tail             : __unnamed

Change the first word (2 bytes) with ew ("Enter Values"):

kd> ew 0xff70fbc0 3
kd> dt Irp
Local var @ 0xf795bc48 Type _IRP*
0xff70fbc0
   +0x000 Type             : 3
   +0x002 Size             : 0x94
   +0x004 MdlAddress       : (null)
   +0x008 Flags            : 0x70
   +0x00c AssociatedIrp    : __unnamed
   +0x010 ThreadListEntry  : _LIST_ENTRY [ 0xff70fbd0 - 0xff70fbd0 ]
   +0x018 IoStatus         : _IO_STATUS_BLOCK
   +0x020 RequestorMode    : 1 ''
   +0x021 PendingReturned  : 0 ''
   +0x022 StackCount       : 1 ''
   +0x023 CurrentLocation  : 1 ''
   +0x024 Cancel           : 0 ''
   +0x025 CancelIrql       : 0 ''
   +0x026 ApcEnvironment   : 0 ''
   +0x027 AllocationFlags  : 0x4 ''
   +0x028 UserIosb         : 0x0006fdc0
   +0x02c UserEvent        : (null)
   +0x030 Overlay          : __unnamed
   +0x038 CancelRoutine    : (null)
   +0x03c UserBuffer       : 0x04008f20
   +0x040 Tail             : __unnamed

Of course, the following may feel more natural than ew:

kd> ?? irp->type = 3
Type does not have given member
error at 'type = 3'
kd> ?? irp->Type = 3
short 3
kd> dt irp
ioctlapp!Irp
Local var @ 0xf795bc48 Type _IRP*
0xff70fbc0
   +0x000 Type             : 3
   +0x002 Size             : 0x94
   +0x004 MdlAddress       : (null)
   +0x008 Flags            : 0x70
   +0x00c AssociatedIrp    : __unnamed
   +0x010 ThreadListEntry  : _LIST_ENTRY [ 0xff70fbd0 - 0xff70fbd0 ]
   +0x018 IoStatus         : _IO_STATUS_BLOCK
   +0x020 RequestorMode    : 1 ''
   +0x021 PendingReturned  : 0 ''
   +0x022 StackCount       : 1 ''
   +0x023 CurrentLocation  : 1 ''
   +0x024 Cancel           : 0 ''
   +0x025 CancelIrql       : 0 ''
   +0x026 ApcEnvironment   : 0 ''
   +0x027 AllocationFlags  : 0x4 ''
   +0x028 UserIosb         : 0x0006fdc0
   +0x02c UserEvent        : (null)
   +0x030 Overlay          : __unnamed
   +0x038 CancelRoutine    : (null)
   +0x03c UserBuffer       : 0x04008f20
   +0x040 Tail             : __unnamed

Two things to note above. First, the case of structure member names is significant, as WinDbg's message says: there is no such member in Irp. Second, dt irp is ambiguous, but WinDbg displayed the instance it guessed you meant: one is in ioctlapp.exe and the other in sioctl.sys. Because case is significant, you should use the correct case at all times.

For more on ew and the other "Enter Values" commands (eb for bytes, ed for doublewords, eq for quadwords (8 bytes), and so on), see "Enter Values" in the Debugging Tools for Windows help file.
The Locals window makes it easier to display structures, and pointers to structures, nested within structures; you can also overwrite their values in the Locals window.

Registers (including the segment and flag registers) can be displayed and changed. For example:

kd> r
eax=81478f68 ebx=00000000 ecx=814243a8 edx=0000003c esi=81778ea0 edi=81478f68
eip=f8803553 esp=f7813bb4 ebp=f7813c3c iopl=0         nv up ei ng nz ac pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000292

or just:

kd> r eax
eax=81478f68

Sometimes you will want to change a register. For example, EAX is often used to pass the return value back on exit from a routine. So, just before the routine exits:

r eax = 0xc0000001

now makes the status STATUS_UNSUCCESSFUL. Here are a few other examples:

r eip = poi(@esp)
r esp = @esp + 0xc

These say, respectively: set Eip (the instruction pointer) to the value found at offset 0 on the stack, and set Esp (the stack pointer) to Esp + 0xC, effectively popping the stack. "Register Syntax" in the Debugging Tools for Windows help file explains the poi operator and why registers sometimes need the "@" prefix.

You might ask what the register-setting commands above are good for. Consider the case where the DriverEntry of a "bad" driver causes a bugcheck ("blue screen"), perhaps because of an access violation. You can work around this by setting a deferred breakpoint while ntoskrnl is loading. The following command must be on one line:

bu sioctl!DriverEntry "r eip = poi(@esp); r eax = 0xc0000001; r esp = @esp + 0xc; .echo sioctl!DriverEntry entered; g"

It means: at sioctl.sys's DriverEntry, 1) set the instruction pointer (Eip) as shown, 2) set the return code (Eax) as shown, 3) set the stack pointer (Esp) as shown, 4) announce that DriverEntry has been entered, 5) continue running. (Of course, this technique only removes the possibility that DriverEntry itself crashes, e.g. with an access violation. If the operating system expects functions supplied by the driver, they will not be available, and other problems may bring the machine down.)

Here you may wonder whether you can set a variable from a register. For example, back in the IoCtl dispatch routine:

kd> r
eax=00000000 ebx=00000000 ecx=81a88f18 edx=81a88ef4 esi=ff9e18a8 edi=ff981e7e
eip=f87a40fe esp=f88fac78 ebp=f88fac90 iopl=0         nv up ei pl zr na po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000246
kd> ?? ntStatus = @ecx
long -2119659752
kd> dd &ntStatus l1
f88fac78  81a88f18

In this case you should use the @ecx form, to make sure WinDbg knows you are referring to a register.

There are more registers than are shown by default. To see all of them, use the rM command ("M" must be uppercase; this is really the r command with the M parameter, and no space is allowed between the command and its parameter):

kd> rM 0xff
eax=00000001 ebx=0050e2a3 ecx=80571780 edx=000003f8 esi=000000c0 edi=d87a75a8
eip=804df1c0 esp=8056f564 ebp=8056f574 iopl=0         nv up ei pl nz na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000202
fpcw=0000: rn 24 ------  fpsw=0000: top=0 cc=0000 --------  fptw=0000
fopcode=6745  fpip=2301:a0020000  fpdp=dcfe:efcdab89
st0= 5.143591243081972142170e-4932  st1= 0.001025530551233493990e-4933
st2= 0.000000002357022271740e-4932  st3= 2.471625214254630491460e-4906
st4= 3.370207406893238285120e-4932  st5=-7.461339669368745455450e+4855
st6= 6.698191557136036873700e-4932  st7=-2.455410815115332972380e-4906
mm0=c3d2e1f010325476  mm1=0000ffdff1200000
mm2=000000018168d902  mm3=f33cffdff1200000
mm4=804efc868056f170  mm5=7430804efb880000
mm6=ff02740200000000  mm7=f1a48056f1020000
xmm0=0 9.11671e-041 3.10647e+035 -1.154e-034
xmm1=-7.98492e-039 -2.83455e+038 -2.91106e+038 5.85182e-042
xmm2=1.77965e-043 -1.17906e-010 -4.44585e-038 -7.98511e-039
xmm3=-7.98511e-039 0 0 -7.98504e-039
xmm4=-7.98503e-039 1.20545e-040 -1.47202e-037 -1.47202e-037
xmm5=-2.05476e+018 -452.247 -1.42468e-037 -8.60834e+033
xmm6=2.8026e-044 -1.47202e-037 -452.247 0
xmm7=8.40779e-045 -7.98503e-039 0 -7.98511e-039
cr0=8001003b cr2=d93db000 cr3=00039000 dr0=00000000 dr1=00000000 dr2=00000000
dr3=00000000 dr6=ffff0ff0 dr7=00000400 cr4=000006d9

If you would rather not use commands to make changes, you can open the Memory window (View Memory), the Locals window (View Locals) or the Registers window (View Registers) and overwrite the value you want. For example, in the figure above you could overwrite the hexadecimal value.
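The DriverEntry command above packs three register edits into one breakpoint, and the reason the stack adjustment is exactly 0xc is easy to lose. The following Python is an added example, not code from the tutorial: it models the register state at a DriverEntry breakpoint on 32-bit x86 and applies the same three edits, so you can check the arithmetic before typing it into a live system. The stack image, register values and return address are constructed. It assumes DriverEntry's standard stdcall signature of two pointer arguments (DriverObject, RegistryPath), which is where 4 + 2*4 = 0xc comes from, and it also reproduces the signed-long reading that ?? gave for ntStatus.

```python
"""Model the 'fake return' that the tutorial's deferred breakpoint performs:
r eip = poi(@esp); r eax = 0xc0000001; r esp = @esp + 0xc   (32-bit x86)

Added example; this is not code from the tutorial. All register values, the
stack image and the return address below are constructed.
"""
import struct

STATUS_UNSUCCESSFUL = 0xC0000001  # the value the tutorial puts in EAX


def to_signed32(value):
    """Interpret a 32-bit register value as a C 'long', as ?? did for ntStatus."""
    return struct.unpack("<i", struct.pack("<I", value & 0xFFFFFFFF))[0]


def nt_success(status):
    """NT_SUCCESS(): an NTSTATUS is success or informational when its sign bit is clear."""
    return to_signed32(status) >= 0


def poi(stack, stack_base, address):
    """poi(address): read the dword at `address` from a stack image that starts at `stack_base`."""
    return struct.unpack_from("<I", stack, address - stack_base)[0]


def fake_return(regs, stack, stack_base, status, nargs):
    """Reproduce 'r eip = poi(@esp); r eax = status; r esp = @esp + 4*(1+nargs)'.

    On entry to an x86 stdcall function ESP points at the return address and the
    arguments sit just above it, so popping 1 + nargs dwords leaves the stack the
    way the caller expects it after a normal 'ret 4*nargs'."""
    new = dict(regs)
    new["eip"] = poi(stack, stack_base, regs["esp"])
    new["eax"] = status & 0xFFFFFFFF
    new["esp"] = regs["esp"] + 4 * (1 + nargs)
    return new


# Constructed state at the DriverEntry breakpoint:
#   ESP -> [return address][DriverObject][RegistryPath]
STACK_BASE = 0xF7813BB4
STACK = struct.pack("<III", 0x805A1F2C, 0x81478F68, 0xE1001C88)  # constructed values
REGS = {"eip": 0xF8803000, "esp": STACK_BASE, "eax": 0}


def driver_entry_skipped():
    """Apply the tutorial's command to the constructed state: 2 stdcall args -> +0xc."""
    return fake_return(REGS, STACK, STACK_BASE, STATUS_UNSUCCESSFUL, nargs=2)


if __name__ == "__main__":
    after = driver_entry_skipped()
    print(f"eip={after['eip']:08x} esp={after['esp']:08x} eax={after['eax']:08x}")
    print("NT_SUCCESS:", nt_success(after["eax"]), "as long:", to_signed32(after["eax"]))
```

The model also explains the dd output in the dispatch-routine example: 0x81a88f18 read as a long is -2119659752, which is what ?? printed, and any status with the top bit set fails NT_SUCCESS.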
Run control

In the earlier section (see IoCreateDevice) you wanted the program to run from one point to the next without telling it how. Here are some ways to control execution. All of the items below, except the first, assume that the program is suspended.

Break (CTRL-BREAK): this key combination always breaks into the system, as long as the system is running and communicating with WinDbg (in KD the key is CTRL-C).

Step over (F10): each press runs one statement (if the code is C or C++ and WinDbg is in "source mode", toggled via Debug Source Mode) or one instruction, and if a function call is encountered it runs over the call instead of entering it.

Step into (F11): like step over, except that when a function call is reached it enters the called routine.

Step out (SHIFT-F11): runs until the current routine (the current address in the call stack) completes. Useful when you already know enough about that routine.

Run to cursor (F7 or CTRL-F10): when you want to break at a particular place, put the cursor at that place in the source window or the disassembly window and press F7; the program runs to that location. One caveat: if the flow of execution does not pass that place (for example, an if statement is not taken), WinDbg will not break, because the specified location was never reached.

Go (F5): run until a breakpoint is hit or an error event is detected. You can think of "Go" as the normal execution state.

Set instruction to current line (CTRL-SHIFT-I): in the source window, put the cursor on a line and use this key; as soon as you let the program run (for example with F5 or F10), execution starts from there. This is useful when you want to repeat a sequence of instructions. But beware: for example, registers and variables will not hold the values they would have had if you had run to that line normally.

Set Eip directly: you can assign a value to the Eip register and then press F5 (or F10, or whatever); execution starts at that address. Obviously this works like "set instruction to current line", except that you specify the address of an assembly instruction.
Call stack

Almost wherever execution gets to, there is a region of memory in use as a stack; it holds local state, arguments and return addresses. In kernel space there is a kernel stack, and in user space a user stack. When a break occurs, several routines may be on the current stack. For example, if execution stopped because of a breakpoint on PrintIrpInfo in sioctl.sys, use k ("Stack Backtrace"):

kd> k
ChildEBP RetAddr
f7428ba8 f889b54a SIoctl!PrintIrpInfo+0x6 [d:\winddk\3790.1824\src\general\ioctl\sys\sioctl.c @ 708]
f7428c3c 804e0e0d SIoctl!SioctlDeviceControl+0xfa [d:\winddk\3790.1824\src\general\ioctl\sys\sioctl.c @ 337]
WARNING: Stack unwind information not available. Following frames may be wrong.
f7428c60 80580e2a nt!IofCallDriver+0x33
f7428d00 805876c2 nt!CcFastCopyRead+0x3c3
f7428d34 804e7a8c nt!NtDeviceIoControlFile+0x28
f7428d64 00000000 nt!ZwYieldExecution+0xaa9

The top (most recent) frame is where the stop occurred. You can also see the calls that led up to it, but if you do not have symbols they may not display correctly. The current file and line number in the driver are shown in each frame; you will appreciate having symbols for sioctl.sys. You could open a source window for the IoCtl IRP handler. But suppose you are not interested in the earlier routines; you can open the Calls window (View Call Stack) instead, like this:

You can double-click an entry and be taken to the source file, if the file can be located.
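When backtraces are collected from many crash sessions, the k and kn output ends up being parsed by scripts, and the "Following frames may be wrong" warning above is easy to drop on the floor. The following Python is an added example, not code from the tutorial: it parses k-style and kn-style backtraces into frames, records the source file and line when symbols supply them, and marks every frame below the unwind warning as unreliable. SAMPLE_KN is constructed from the k output above, written in kn form with frame numbers (kn itself is shown further on in the text).

```python
"""Parse WinDbg k / kn backtraces into frames and mark the ones that follow the
"Stack unwind information not available" warning as unreliable.

Added example; this is not code from the tutorial. SAMPLE_KN is constructed
from the k output shown in the text, written in kn style with frame numbers.
"""
import re

SAMPLE_KN = r"""
 # ChildEBP RetAddr
00 f7428ba8 f889b54a SIoctl!PrintIrpInfo+0x6 [d:\winddk\3790.1824\src\general\ioctl\sys\sioctl.c @ 708]
01 f7428c3c 804e0e0d SIoctl!SioctlDeviceControl+0xfa [d:\winddk\3790.1824\src\general\ioctl\sys\sioctl.c @ 337]
WARNING: Stack unwind information not available. Following frames may be wrong.
02 f7428c60 80580e2a nt!IofCallDriver+0x33
03 f7428d00 805876c2 nt!CcFastCopyRead+0x3c3
04 f7428d34 804e7a8c nt!NtDeviceIoControlFile+0x28
05 f7428d64 00000000 nt!ZwYieldExecution+0xaa9
"""

# One frame line: optional kn frame number, ChildEBP, RetAddr, module!symbol+0xoff,
# and an optional "[file @ line]" suffix that appears only when symbols carry line info.
FRAME_RE = re.compile(
    r"^\s*(?:(?P<num>[0-9a-f]{2})\s+)?"
    r"(?P<child_ebp>[0-9a-f]{8})\s+(?P<ret>[0-9a-f]{8})\s+"
    r"(?P<symbol>\S+)"
    r"(?:\s+\[(?P<file>.+?)\s+@\s+(?P<line>\d+)\])?\s*$",
    re.IGNORECASE,
)


def parse_backtrace(text):
    """Return a list of frame dicts, topmost (most recent) frame first."""
    frames, reliable = [], True
    for line in text.splitlines():
        if line.lstrip().startswith("WARNING:"):
            reliable = False  # WinDbg guessed every frame below this point
            continue
        m = FRAME_RE.match(line)
        if not m:
            continue  # header line or blank line
        module, _, rest = m["symbol"].partition("!")
        func, _, off = rest.partition("+")
        frames.append({
            "num": int(m["num"], 16) if m["num"] else len(frames),
            "child_ebp": int(m["child_ebp"], 16),
            "ret_addr": int(m["ret"], 16),
            "module": module,
            "function": func,
            "offset": int(off, 16) if off else 0,
            "file": m["file"],
            "line": int(m["line"]) if m["line"] else None,
            "reliable": reliable,
        })
    return frames


def modules_on_stack(frames):
    """Distinct module names in stack order, e.g. to see which drivers are involved."""
    seen = []
    for f in frames:
        if f["module"] not in seen:
            seen.append(f["module"])
    return seen


def frames_in_module(frames, module):
    """Frames belonging to one module; WinDbg treats module names case-insensitively."""
    return [f for f in frames if f["module"].lower() == module.lower()]


if __name__ == "__main__":
    for f in parse_backtrace(SAMPLE_KN):
        flag = "" if f["reliable"] else "  (may be wrong)"
        where = f" {f['file']} @ {f['line']}" if f["file"] else ""
        print(f"{f['num']:02x} {f['module']}!{f['function']}+{f['offset']:#x}{where}{flag}")
```

The unreliable flag is the part worth keeping: a triage script that blames nt!CcFastCopyRead for a fault in this stack would be trusting frames that WinDbg itself told you it could not unwind.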
If you are only interested in the variables that belong to one routine on the stack, you can double-click that routine's entry, or you can use kn (a relative of k) followed by .frame. For example, to get information about the dispatch routine that called PrintIrpInfo:

kd> kn
 # ChildEBP RetAddr
00 f7428ba8 f889b54a SIoctl!PrintIrpInfo+0x6 [d:\winddk\3790.1824\src\general\ioctl\sys\sioctl.c @ 708]
01 f7428c3c 804e0e0d SIoctl!SioctlDeviceControl+0xfa [d:\winddk\3790.1824\src\general\ioctl\sys\sioctl.c @ 337]
WARNING: Stack unwind information not available. Following frames may be wrong.
02 f7428c60 80580e2a nt!IofCallDriver+0x33
03 f7428d00 805876c2 nt!CcFastCopyRead+0x3c3
04 f7428d34 804e7a8c nt!NtDeviceIoControlFile+0x28
05 f7428d64 00000000 nt!ZwYieldExecution+0xaa9
kd> .frame 1
01 f7428c3c 804e0e0d SIoctl!SioctlDeviceControl+0xfa [d:\winddk\3790.1824\src\general\ioctl\sys\sioctl.c @ 337]

After setting the frame number, you can display the variables known in that frame and the registers belonging to it:

kd> dv
   DeviceObject = 0x80f895e8
            Irp = 0x820572a8
   outBufLength = 0x64
         buffer = 0x00000000 ""
          irpSp = 0x82057318
           data = 0xf889b0c0 "This String is from Device Driver !!!"
       ntStatus = 0
            mdl = 0x00000000
    inBufLength = 0x3c
        datalen = 0x26
         outBuf = 0x82096b20 "This String is from User Application; using METHOD_BUFFERED"
          inBuf = 0x82096b20 "This String is from User Application; using METHOD_BUFFERED"
kd> r
eax=00000000 ebx=00000000 ecx=80506be8 edx=820572a8 esi=81fabda0 edi=820572a8
eip=f889bcf6 esp=f7428ba4 ebp=f7428ba8 iopl=0         nv up ei ng nz ac pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000292
SIoctl!PrintIrpInfo+0x6:
f889bcf6 8b4508           mov     eax,[ebp+0x8]     ss:0010:f7428bb0=820572a8

Finding names in modules

The x ("Examine Symbols") command locates symbols in a module.
For example, suppose you want to set a breakpoint in the IoCtl routine that handles DeviceIoControl IRPs, but you cannot quite remember the routine's name. You can do this:

kd> x sioctl!*ioctl*
f8883080 SIoctl!SioctlUnloadDriver (struct _DRIVER_OBJECT *)
f8883010 SIoctl!SioctlCreateClose (struct _DEVICE_OBJECT *, struct _IRP *)
f8883450 SIoctl!SioctlDeviceControl (struct _DEVICE_OBJECT *, struct _IRP *)

This says: show me all symbols in the sioctl module that contain "ioctl". That may look trivial. But consider a real case in which this message appears in the debugger:

PopPolicyWorkerAction: action request 2 failed c000009a

Guessing that PopPolicyWorkerAction lives in ntoskrnl, you might see this:

kd> x nt!PopPolicy*
805146c0 nt!PopPolicyWorkerThread = <no type information>
8064e389 nt!PopPolicySystemIdle = <no type information>
805b328d nt!PopPolicyWorkerNotify = <no type information>
8056e620 nt!PopPolicyLock = <no type information>
8064d5f8 nt!PopPolicyWorkerActionPromote = <no type information>
805c7d10 nt!PopPolicyWorkerMain = <no type information>
8064d51b nt!PopPolicyWorkerAction = <no type information>
80561c70 nt!PopPolicy = <no type information>
8056e878 nt!PopPolicyIrpQueue = <no type information>
80561a98 nt!PopPolicyLockThread = <no type information>
8064e74a nt!PopPolicyTimeChange = <no type information>
8056e8b0 nt!PopPolicyWorker = <no type information>

From this you can work out that you should set a breakpoint on the routine named in the message, nt!PopPolicyWorkerAction (shown in red in the original listing).
Working with optimized code

If an executable was built with optimizations, it can be hard to trace execution in the source window; some local variables may be unavailable or show wrong values. For x86 you may want to trace execution with the source window and the disassembly window side by side. You do not need to know x86 in depth to follow the control flow; mainly watch the comparison instructions (test, cmp) and the branch instructions (jnz and the like).
Selected techniques

That covers the basic operations. Although the discussion above did not focus on how to investigate particular areas, there are many debugger commands (technically extension commands, supplied by DLLs) that deserve a mention because they are used over and over in many situations.
Processes and threads

To see the current process (at the point where execution stopped):

kd> !process
PROCESS 816fc3c0  SessionId: 1  Cid: 08f8    Peb: 7ffdf000  ParentCid: 0d8c
    DirBase: 10503000  ObjectTable: e1afeaa8  HandleCount:  19.
    Image: ioctlapp.exe
    VadRoot 825145e0 Vads 22 Clone 0 Private 38. Modified 0. Locked 0.
    DeviceMap e10d0198
    Token                             e1c8e030
    ElapsedTime                       00:00:00.518
    UserTime                          00:00:00.000
    KernelTime                        00:00:00.109
    QuotaPoolUsage[PagedPool]         9096
    QuotaPoolUsage[NonPagedPool]      992
    Working Set Sizes (now,min,max)  (263, 50, 345) (1052KB, 200KB, 1380KB)
    PeakWorkingSetSize                263
    VirtualSize                       6 Mb
    PeakVirtualSize                   6 Mb
    PageFaultCount                    259
    MemoryPriority                    BACKGROUND
    BasePriority                      8
    CommitCharge                      48

        THREAD 825d2020  Cid 08f8.0708  Teb: 7ffde000 Win32Thread: 00000000 RUNNING on processor 0

The process block (EPROCESS) address and the thread block (ETHREAD) address are shown in red in the original (816fc3c0 and 825d2020 here). You can use them in conditional breakpoints.
To see all processes in summary form:

kd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS 826af478  SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 02c20000  ObjectTable: e1001e60  HandleCount: 363.
    Image: System

PROCESS 82407d88  SessionId: none  Cid: 0158    Peb: 7ffdf000  ParentCid: 0004
    DirBase: 1fbe8000  ObjectTable: e13ff740  HandleCount:  24.
    Image: smss.exe

PROCESS 82461d88  SessionId: 0  Cid: 0188    Peb: 7ffdf000  ParentCid: 0158
    DirBase: 1f14d000  ObjectTable: e15e8958  HandleCount: 408.
    Image: csrss.exe
...
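The flat `!process 0 0` listing is easier to reason about as a tree of Cid/ParentCid links, and the parent of each early-boot process is one of the first things to sanity-check when you review a dump. The following Python is an added example, not part of this tutorial or of the Debugging Tools for Windows: it parses the summary records (the three processes copied from the listing above are embedded as sample input), rebuilds the parent/child tree, and checks each system process against the parent it is expected to have. The expected-parent table is an assumption of the example for the Windows 2000/XP era systems this tutorial covers; the page itself does not state it.

```python
import re
from collections import defaultdict

# Constructed sample: the three summary records shown in the `!process 0 0`
# listing above, copied from this page (the trailing "..." there elides the rest).
SAMPLE = """\
**** NT ACTIVE PROCESS DUMP ****
PROCESS 826af478  SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 02c20000  ObjectTable: e1001e60  HandleCount: 363.
    Image: System

PROCESS 82407d88  SessionId: none  Cid: 0158    Peb: 7ffdf000  ParentCid: 0004
    DirBase: 1fbe8000  ObjectTable: e13ff740  HandleCount:  24.
    Image: smss.exe

PROCESS 82461d88  SessionId: 0  Cid: 0188    Peb: 7ffdf000  ParentCid: 0158
    DirBase: 1f14d000  ObjectTable: e15e8958  HandleCount: 408.
    Image: csrss.exe
"""

# One PROCESS header line; the Image: line that follows it belongs to it.
PROCESS_RE = re.compile(
    r"^PROCESS\s+(?P<eprocess>[0-9a-f]+)\s+SessionId:\s*(?P<session>\S+)\s+"
    r"Cid:\s*(?P<cid>[0-9a-f]+)\s+Peb:\s*(?P<peb>[0-9a-f]+)\s+"
    r"ParentCid:\s*(?P<parent>[0-9a-f]+)", re.I)
IMAGE_RE = re.compile(r"^\s*Image:\s*(?P<image>\S+)")


def parse_process_dump(text):
    """Return {cid: record} for every PROCESS block in `!process 0 0` output."""
    procs, current = {}, None
    for line in text.splitlines():
        m = PROCESS_RE.match(line)
        if m:
            current = {
                "eprocess": int(m["eprocess"], 16),
                "cid": int(m["cid"], 16),
                "parent": int(m["parent"], 16),
                "session": m["session"],
                "image": None,
            }
            procs[current["cid"]] = current
            continue
        m = IMAGE_RE.match(line)
        if m and current is not None:
            current["image"] = m["image"]
    return procs


def children_by_parent(procs):
    """Map ParentCid -> [Cid, ...] so the flat dump can be walked as a tree."""
    children = defaultdict(list)
    for p in procs.values():
        children[p["parent"]].append(p["cid"])
    return children


def parent_image(procs, cid):
    """Image name of a process's parent, or None when the parent is not in the
    dump (it may have exited, and Cids are reused, so treat that as unknown)."""
    parent = procs[cid]["parent"]
    return procs[parent]["image"] if parent in procs else None


def render_tree(procs, children, cid, depth=0):
    """Indented text tree rooted at `cid`, one line per process."""
    p = procs[cid]
    lines = ["%s%s (Cid %04x, EPROCESS %08x)"
             % ("  " * depth, p["image"], p["cid"], p["eprocess"])]
    for child in sorted(children.get(cid, [])):
        lines.extend(render_tree(procs, children, child, depth + 1))
    return lines


# Expected parent of each early-boot system process on the Windows 2000/XP era
# systems this tutorial targets (an assumption of this example, not from the page).
EXPECTED_PARENT = {"smss.exe": "System", "csrss.exe": "smss.exe"}


def lineage_anomalies(procs):
    """Images whose parent is not the expected one. A look-alike of a system
    process almost always has the wrong parent, so this is a cheap first check."""
    out = []
    for p in procs.values():
        want = EXPECTED_PARENT.get((p["image"] or "").lower())
        if want and parent_image(procs, p["cid"]) != want:
            out.append(p["image"])
    return out


if __name__ == "__main__":
    procs = parse_process_dump(SAMPLE)
    roots = [c for c, p in procs.items() if p["parent"] not in procs]
    for root in roots:
        print("\n".join(render_tree(procs, children_by_parent(procs), root)))
    print("anomalies:", lineage_anomalies(procs))
```

On a full listing the same parser feeds the tree with every process; the anomaly check is only as good as the expected-parent table, so extend it for the Windows version you are actually looking at.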
To see a thread summary for a particular process, give the process block address and request the thread listing with the second parameter (see the Debugging Tools for Windows help for a fuller description of the parameters):

kd> !process 826af478 3
PROCESS 826af478  SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 02c20000  ObjectTable: e1001e60  HandleCount: 362.
    Image: System
    VadRoot 81a43840 Vads 4 Clone 0 Private 3. Modified 18884. Locked 0.
    DeviceMap e1002868
    Token                             e1002ae0
    ElapsedTime                       07:19:11.250
    UserTime                          00:00:00.000
    KernelTime                        00:00:11.328
    QuotaPoolUsage[PagedPool]         0
    QuotaPoolUsage[NonPagedPool]      0
    Working Set Sizes (now,min,max)  (54, 0, 345) (216KB, 0KB, 1380KB)
    PeakWorkingSetSize                497
    VirtualSize                       1 Mb
    PeakVirtualSize                   2 Mb
    PageFaultCount                    4179
    MemoryPriority                    BACKGROUND
    BasePriority                      8
    CommitCharge                      7

        THREAD 826af1f8  Cid 0004.0008  Teb: 00000000 Win32Thread: 00000000 WAIT: (WrFreePage) KernelMode Non-Alertable
            80580040  SynchronizationEvent
            80581140  NotificationTimer

        THREAD 826aea98  Cid 0004.0010  Teb: 00000000 Win32Thread: 00000000 WAIT: (WrQueue) KernelMode Non-Alertable
            80582d80  QueueObject

        THREAD 826ae818  Cid 0004.0014  Teb: 00000000 Win32Thread: 00000000 WAIT: (WrQueue) KernelMode Non-Alertable
            80582d80  QueueObject
...
To see everything about a thread, use the !thread command with 0xff as the detail parameter:

kd> !thread 826af1f8 0xff
THREAD 826af1f8  Cid 0004.0008  Teb: 00000000 Win32Thread: 00000000 WAIT: (WrFreePage) KernelMode Non-Alertable
    80580040  SynchronizationEvent
    80581140  NotificationTimer
Not impersonating
DeviceMap                 e1002868
Owning Process            826af478       Image:         System
Wait Start TickCount      1688197        Ticks: 153 (0:00:00:02.390)
Context Switch Count      9133
UserTime                  00:00:00.0000
KernelTime                00:00:03.0406
Start Address nt!Phase1Initialization (0x806fb790)
Stack Init f88b3000 Current f88b2780 Base f88b3000 Limit f88b0000 Call 0
Priority 0 BasePriority 0 PriorityDecrement 0
ChildEBP RetAddr
f88b2798 804edb2b nt!KiSwapContext+0x26 (FPO: [EBP 0xf88b27c0] [0,0,4])
f88b27c0 804f0e7a nt!KiSwapThread+0x280 (FPO: [Non-Fpo]) (CONV: fastcall)
f88b27f4 80502fc2 nt!KeWaitForMultipleObjects+0x324 (FPO: [Non-Fpo]) (CONV: stdcall)

Drivers and device objects

If you write a driver, you will often look at device stacks.
Start by finding out which devices belong to the driver in question, then examine the device stack. Suppose you are interested in the ScsiPort miniport driver aic78xx.sys. Start with !drvobj:

kd> !drvobj aic78xx
Driver object (82627250) is for:
 \Driver\aic78xx
Driver Extension List: (id , addr)
(f8386480 8267da38)
Device Object list:
82666030  8267b030  8263c030  8267ca40

There are four device objects here.
Usually you look at the first one. Use !devobj to get information about the device, and !devstack to show the device stack that the device object belongs to:

kd> !devobj 82666030
Device object (82666030) is for:
 aic78xx1Port2Path0Target1Lun0 \Driver\aic78xx DriverObject 82627250
Current Irp 00000000 RefCount 0 Type 00000007 Flags 00001050
Dacl e13bb39c DevExt 826660e8 DevObjExt 82666d10 Dope 8267a9d8 DevNode 8263cdc8
ExtensionFlags (0000000000)
AttachedDevice (Upper) 826bb030 \Driver\Disk
Device queue is not busy.

kd> !devstack 82666030
  !DevObj   !DrvObj            !DevExt   ObjectName
  826bbe00  \Driver\PartMgr    826bbeb8
  826bb030  \Driver\Disk       826bb0e8  DR2
> 82666030  \Driver\aic78xx    826660e8  aic78xx1Port2Path0Target1Lun0
!DevNode 8263cdc8 :
  DeviceInst is "SCSI\Disk&Ven_QUANTUM&Prod_VIKING_II_4.5WLS&Rev_5520\5&375eb691&1&010"
  ServiceName is "disk"
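`!devstack` lists the device objects layered on top of the one you asked about, top of the stack first, so it is also the quickest way to see which drivers get to touch every IRP before the target device does. The following Python is an added example, not from this tutorial or from Microsoft's tools: it parses the listing above (embedded as sample input), reports the drivers above the target, and compares the stack with a list of drivers you expect for that device class, since an extra layer that nobody expected is worth a closer look. The allow-list and the `unexpected_drivers` check are the example's own assumptions.

```python
import re

# Constructed sample: the `!devstack 82666030` listing above, copied from this page.
SAMPLE = r"""
  !DevObj   !DrvObj            !DevExt   ObjectName
  826bbe00  \Driver\PartMgr    826bbeb8
  826bb030  \Driver\Disk       826bb0e8  DR2
> 82666030  \Driver\aic78xx    826660e8  aic78xx1Port2Path0Target1Lun0
!DevNode 8263cdc8 :
  DeviceInst is "SCSI\Disk&Ven_QUANTUM&Prod_VIKING_II_4.5WLS&Rev_5520\5&375eb691&1&010"
  ServiceName is "disk"
"""

# One row of the stack table; ">" marks the device object the command was given.
ROW_RE = re.compile(
    r"^(?P<cur>>)?\s*(?P<devobj>[0-9a-f]{8})\s+(?P<drvobj>\\Driver\\\S+)\s+"
    r"(?P<devext>[0-9a-f]{8})(?:\s+(?P<name>\S+))?\s*$", re.I)
DEVNODE_RE = re.compile(r"^!DevNode\s+(?P<devnode>[0-9a-f]{8})", re.I)
INST_RE = re.compile(r'^\s*DeviceInst is "(?P<inst>[^"]*)"')
SVC_RE = re.compile(r'^\s*ServiceName is "(?P<svc>[^"]*)"')


def parse_devstack(text):
    """Parse `!devstack` output. Returns (rows, info): rows are top-of-stack first,
    i.e. the order an IRP travels down; info holds the devnode details."""
    rows, info = [], {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append({
                "current": m["cur"] == ">",
                "devobj": int(m["devobj"], 16),
                "driver": m["drvobj"],
                "devext": int(m["devext"], 16),
                "name": m["name"] or "",
            })
            continue
        for rx, key in ((DEVNODE_RE, "devnode"), (INST_RE, "inst"), (SVC_RE, "svc")):
            m = rx.match(line)
            if m:
                info[key] = m.group(1)
    return rows, info


def drivers_above(rows):
    """Drivers layered above the device object the command was run on: they see
    every IRP before it reaches that device."""
    above = []
    for r in rows:
        if r["current"]:
            break
        above.append(r["driver"])
    return above


def unexpected_drivers(rows, allowed):
    """Drivers in the stack that are not in `allowed`. Filter drivers attach to a
    stack silently, so comparing a stack against what you expect for that device
    class is a quick way to spot an extra layer when reviewing a system."""
    allowed = {a.lower() for a in allowed}
    return [r["driver"] for r in rows if r["driver"].lower() not in allowed]


if __name__ == "__main__":
    rows, info = parse_devstack(SAMPLE)
    for r in rows:
        print("%s %08x %-18s %s" % (">" if r["current"] else " ",
                                    r["devobj"], r["driver"], r["name"]))
    print("service:", info.get("svc"), "above target:", drivers_above(rows))
    # Assumed allow-list for a plain SCSI disk stack; PartMgr is left out on purpose
    # so the check has something to report.
    print("unexpected:", unexpected_drivers(rows, [r"\Driver\Disk", r"\Driver\aic78xx"]))
```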
IRPs

The most common way of communicating with a driver is to send it an I/O request packet, or IRP. To see the I/O stack of an IRP, for example while stopped at Sioctl!SioctlDeviceControl+0x103:

kd> !irp @@(Irp)
Irp is active with 1 stacks 1 is current (= 0xff70fc30)
 No Mdl System buffer = ff660c30 Thread ff73f4d8:  Irp stack trace.
     cmd  flg cl Device   File     Completion-Context
>[  e, 0]   5  0 82361348 ffb05b90 00000000-00000000
               \Driver\SIoctl
                        Args: 00000064 0000003c 9c402408 00000000
To get the whole contents of the IRP plus its stack:

kd> !irp @@(Irp) 1
Irp is active with 1 stacks 1 is current (= 0xff70fc30)
 No Mdl System buffer = ff660c30 Thread ff73f4d8:  Irp stack trace.
Flags = 00000070
ThreadListEntry.Flink = ff70fbd0
ThreadListEntry.Blink = ff70fbd0
IoStatus.Status = 00000000
IoStatus.Information = 00000000
RequestorMode = 00000001
Cancel = 00
CancelIrql = 0
ApcEnvironment = 00
UserIosb = 0006fdc0
UserEvent = 00000000
Overlay.AsynchronousParameters.UserApcRoutine = 00000000
Overlay.AsynchronousParameters.UserApcContext = 00000000
Overlay.AllocationSize = 00000000 - 00000000
CancelRoutine = 00000000
UserBuffer = 04008f20
&Tail.Overlay.DeviceQueueEntry = ff70fc00
Tail.Overlay.Thread = ff73f4d8
Tail.Overlay.AuxiliaryBuffer = 00000000
Tail.Overlay.ListEntry.Flink = 00000000
Tail.Overlay.ListEntry.Blink = 00000000
Tail.Overlay.CurrentStackLocation = ff70fc30
Tail.Overlay.OriginalFileObject = ffb05b90
Tail.Apc = 00000000
Tail.CompletionKey = 00000000
     cmd  flg cl Device   File     Completion-Context
>[  e, 0]   5  0 82361348 ffb05b90 00000000-00000000
               \Driver\SIoctl
                        Args: 00000064 0000003c 9c402408 00000000

To get only the first-level members of the IRP:
kd> dt nt!_IRP @@(Irp)
   +0x000 Type             : 6
   +0x002 Size             : 0x94
   +0x004 MdlAddress       : (null)
   +0x008 Flags            : 0x70
   +0x00c AssociatedIrp    : __unnamed
   +0x010 ThreadListEntry  : _LIST_ENTRY [ 0xff70fbd0 - 0xff70fbd0 ]
   +0x018 IoStatus         : _IO_STATUS_BLOCK
   +0x020 RequestorMode    : 1 ''
   +0x021 PendingReturned  : 0 ''
   +0x022 StackCount       : 1 ''
   +0x023 CurrentLocation  : 1 ''
   +0x024 Cancel           : 0 ''
   +0x025 CancelIrql       : 0 ''
   +0x026 ApcEnvironment   : 0 ''
   +0x027 AllocationFlags  : 0x4 ''
   +0x028 UserIosb         : 0x0006fdc0
   +0x02c UserEvent        : (null)
   +0x030 Overlay          : __unnamed
   +0x038 CancelRoutine    : (null)
   +0x03c UserBuffer       : 0x04008f20
   +0x040 Tail             : __unnamed

IRQL

A command you will use occasionally is !irql (available on Windows Server 2003 and later), because it shows the current IRQL of the processor. Stopped at a breakpoint on Sioctl!SioctlDeviceControl+0x0:

kd> !irql
Debugger saved IRQL for processor 0x0 -- 0 (LOW_LEVEL)

For an example of a higher IRQL, suppose you add the following code to Sioctl!SioctlDeviceControl and break just before the last statement of the IOCTL_SIOCTL_METHOD_BUFFERED case:

Irp->IoStatus.Information = (outBufLength

kd> !irql
Debugger saved IRQL for processor 0x0 -- 2 (DISPATCH_LEVEL)

Incidentally, the !pcr command generally does not show the IRQL you are interested in, that is, the IRQL at which the breakpoint caused the break.
Dump files

There are a few things specific to dump files that are worth saying, but only a few. There are three kinds of kernel dump file. A complete memory dump is best, but the smaller kernel memory dump is adequate in most situations. There is also the small memory dump, which is only 64KB (and is written faster than the other two). Because a small memory dump does not carry all the information about the executive, you may need the .exepath command to point the debugger at the executive image. You can configure Windows to create a dump file when a crash occurs.

When investigating a dump file you do not need to specify a target system to WinDbg. Open the dump file in WinDbg with File > Open Crash Dump. If the symbol path and source path are already set, they will help you. Now, in the WinDbg command window, use !analyze -v to get a summary. That command may suggest an execution context (.cxr); by setting that context you get to the call stack at the time of the error (or the one nearest to it). You may need to go into the process and thread (!process and !thread), look at the kernel's module list (lm nt), pick the driver objects to examine from that list (!drvobj), and possibly look at device nodes (!devnode), device objects (!devobj) and device stacks (!devstack). But when looking at a dump file, there is no simpler way to start than !analyze -v.

If a kernel-mode dump file was created when the fault occurred, debugging that file is similar to debugging the fault with the debugger attached. The next section shows a live debugging example that is similar to analyzing a dump file.
Debugging a fault

This is about how to start analyzing a fault. In this example the kernel debugger is attached when the crash happens; the procedure is similar to analyzing a kernel-mode dump file. Sioctl.sys is loaded and a breakpoint is set on Sioctl!DriverEntry. When the debugger stops at that breakpoint, EIP is set to 0. That can never be a valid value, because the instruction pointer cannot be 0. Execution is then resumed with F5. A kernel fault occurs and you can start investigating. Then use the !analyze extension command:

kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e)
This is a very common bugcheck.  Usually the exception address pinpoints
the driver/function that caused the problem.  Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 00000000, The address that the exception occurred at
Arg3: f88f2bd8, Exception Record Address
Arg4: f88f2828, Context Record Address

Debugging Details:
------------------

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

FAULTING_IP:
+0
00000000

EXCEPTION_RECORD:  f88f2bd8 -- (.exr fffffffff88f2bd8)
ExceptionAddress: 00000000
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 00000000
Attempt to read from address 00000000

CONTEXT:  f88f2828 -- (.cxr fffffffff88f2828)
eax=ffff99ea ebx=00000000 ecx=0000bb40 edx=8055f7a4 esi=e190049e edi=81e826e8
eip=00000000 esp=f88f2ca0 ebp=f88f2cf0 iopl=0         nv up ei pl nz na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010202
00000000
Resetting default scope

DEFAULT_BUCKET_ID:  DRIVER_FAULT

CURRENT_IRQL:  0

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

READ_ADDRESS:  00000000

BUGCHECK_STR:  0x7E

LAST_CONTROL_TRANSFER:  from 805b9cbb to 00000000

STACK_TEXT:
WARNING: Frame IP not in any known module. Following frames may be wrong.
f88f2c9c 805b9cbb 81e826e8 8123a000 00000000 0x0
f88f2d58 805b9ee5 80000234 8123a000 81e826e8 nt!IopLoadDriver+0x5e1
f88f2d80 804ec5c8 80000234 00000000 822aeda0 nt!IopLoadUnloadDriver+0x43
f88f2dac 805f1828 f7718cf4 00000000 00000000 nt!ExpWorkerThread+0xe9
f88f2ddc 8050058e 804ec50d 00000001 00000000 nt!PspSystemThreadStartup+0x2e
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

FAILED_INSTRUCTION_ADDRESS:
+0
00000000

FOLLOWUP_IP:
nt!IopLoadDriver+5e1
805b9cbb 3bc3             cmp     eax,ebx

SYMBOL_STACK_INDEX:  1

SYMBOL_NAME:  nt!IopLoadDriver+5e1

MODULE_NAME:  nt

IMAGE_NAME:  ntoskrnl.exe

DEBUG_FLR_IMAGE_TIMESTAMP:  3e800a79

STACK_COMMAND:  .cxr fffffffff88f2828 ; kb

FAILURE_BUCKET_ID:  0x7E_NULL_IP_nt!IopLoadDriver+5e1

BUCKET_ID:  0x7E_NULL_IP_nt!IopLoadDriver+5e1

kd> .cxr fffffffff88f2828
eax=ffff99ea ebx=00000000 ecx=0000bb40 edx=8055f7a4 esi=e190049e edi=81e826e8
eip=00000000 esp=f88f2ca0 ebp=f88f2cf0 iopl=0         nv up ei pl nz na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010202
00000000
kd> kb
*** Stack trace for last set context - .
thread/.
cxr.
thread/.
cxr.
thread/.
cxr.
thread/.
cxrresetsresetsresetsresetsititititChildEBPChildEBPChildEBPChildEBPRetAddrRetAddrRetAddrRetAddrArgsArgsArgsArgstotototoChildChildChildChildWARNING:WARNING:WARNING:WARNING:FrameFrameFrameFrameIPIPIPIPnotnotnotnotininininanyanyanyanyknownknownknownknownmodule.
module.
module.
module.
FollowingFollowingFollowingFollowingframesframesframesframesmaymaymaymaybebebebewrong.
wrong.
wrong.
wrong.
f88f2c9cf88f2c9cf88f2c9cf88f2c9c805b9cbb805b9cbb805b9cbb805b9cbb81e826e881e826e881e826e881e826e88123a0008123a0008123a0008123a000000000000000000000000000000000000x00x00x00x0f88f2d58f88f2d58f88f2d58f88f2d58805b9ee5805b9ee5805b9ee5805b9ee5800002348000023480000234800002348123a0008123a0008123a0008123a00081e826e881e826e881e826e881e826e8nt!
IopLoadDriver+0x5e1nt!
IopLoadDriver+0x5e1nt!
IopLoadDriver+0x5e1nt!
IopLoadDriver+0x5e1f88f2d80f88f2d80f88f2d80f88f2d80804ec5c8804ec5c8804ec5c8804ec5c88000023480000234800002348000023400000000000000000000000000000000822aeda0822aeda0822aeda0822aeda0nt!
IopLoadUnloadDriver+0x43nt!
IopLoadUnloadDriver+0x43nt!
IopLoadUnloadDriver+0x43nt!
IopLoadUnloadDriver+0x43f88f2dacf88f2dacf88f2dacf88f2dac805f1828805f1828805f1828805f1828f7718cf4f7718cf4f7718cf4f7718cf40000000000000000000000000000000000000000000000000000000000000000nt!
ExpWorkerThread+0xe9nt!
ExpWorkerThread+0xe9nt!
ExpWorkerThread+0xe9nt!
ExpWorkerThread+0xe9f88f2ddcf88f2ddcf88f2ddcf88f2ddc8050058e8050058e8050058e8050058e804ec50d804ec50d804ec50d804ec50d0000000100000001000000010000000100000000000000000000000000000000nt!
PspSystemThreadStartup+0x2ent!
PspSystemThreadStartup+0x2ent!
PspSystemThreadStartup+0x2ent!
PspSystemThreadStartup+0x2e0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000nt!
KiThreadStartup+0x16nt!
KiThreadStartup+0x16nt!
KiThreadStartup+0x16nt!
KiThreadStartup+0x16最上层的堆栈入口看起来是错误的.
这是你可能在DUMP文件中遇到的.
如果你不知道该错误是如何发生的,你应该如何工作1.
使用.
frame.
frame.
frame.
frame1111以取得该神秘例程的调用者nt!
IopLoadDriver.
2.
切换到反汇编窗口,nt!
IopLoadDriver的调用命令被显示:8062da9e8062da9e8062da9e8062da9eff572cff572cff572cff572ccallcallcallcalldworddworddworddwordptrptrptrptr[[[[edi+0x2cedi+0x2cedi+0x2cedi+0x2c]]]]8062daa18062daa18062daa18062daa13bc33bc33bc33bc3cmpcmpcmpcmpeax,ebxeax,ebxeax,ebxeax,ebxKernelDebuggingTutorial2005MicrosoftCorporation393.
这个调用是EDI寄存器包含的双字再加上0x2C.
这个地址是你所需要的,显示EDI寄存器:kd>kd>kd>kd>rrrrediediediediLastLastLastLastsetsetsetsetcontext:context:context:context:edi=81a2bb18edi=81a2bb18edi=81a2bb18edi=81a2bb184.
一个小运算:kd>kd>kd>kd>81a2bb18+0x2c81a2bb18+0x2c81a2bb18+0x2c81a2bb18+0x2cEvaluateEvaluateEvaluateEvaluateexpression:expression:expression:expression:-2120041660-2120041660-2120041660-2120041660====81a2bb4481a2bb4481a2bb4481a2bb445.
该地址在储存器中的0x81A2BB44处:kd>kd>kd>kd>dddddddd81a2bb4481a2bb4481a2bb4481a2bb44l1l1l1l181a2bb4481a2bb4481a2bb4481a2bb44f87941a3f87941a3f87941a3f87941a36.
该地址在哪里kd>kd>kd>kd>dtdtdtdtf87941a3f87941a3f87941a3f87941a3GsDriverEntryGsDriverEntryGsDriverEntryGsDriverEntrySIoctl!
GsDriverEntry+0(SIoctl!
GsDriverEntry+0(SIoctl!
GsDriverEntry+0(SIoctl!
GsDriverEntry+0(_DRIVER_OBJECT*,_DRIVER_OBJECT*,_DRIVER_OBJECT*,_DRIVER_OBJECT*,_UNICODE_STRING*)_UNICODE_STRING*)_UNICODE_STRING*)_UNICODE_STRING*)这样你就知道了堆栈最上层的真实例程了.
Pseudo-registers

You can use pseudo-registers as variables for all kinds of purposes. Many pseudo-registers are predefined: $ra is the return address of the current call-stack entry, $ip is the instruction pointer, $scopeip is the address of the current scope (the local context that makes the current routine's local variables available), $proc points to the current EPROCESS, and so on. These are useful in conditional commands. There are also user-defined pseudo-registers, $t0 through $t19. They serve many purposes, for example counting the number of breaks. Here a pseudo-register is used in a real case where a storage location was being updated frequently:

ba w4 81b404d8-18 "r$t0=@$t0+1;as /x ${/v:$$t0} @$t0;.block{.echo hit #$$t0};ad ${/v:$$t0};dd 81b404d8-18 l1;k;!thread -1 0;!process -1 0"

Roughly, this means: whenever the dword at 0x81B404D8 is updated, pseudo-register $t0 acts as a break counter and reports how many breaks have occurred, and the value at 0x81B404D8, the current call stack, the current process and the current thread are displayed (see the use of aliases below for a fuller description).

Another use comes from a support case. The case required tracking the activity of the DPC routine of Atapi.sys (a standard operating-system driver). That routine is hit very often, and the analyst was interested in one particular spot, where an IRP was about to complete and the variable irp pointed to that IRP. The engineer wanted to stop Tape.sys at the right moment, so he began by setting a one-shot breakpoint in the Atapi.sys DPC:

bp /1 Atapi!IdeProcessCompletedRequest+0x3bd "dv irp; r$t0=@@(irp)"

This breakpoint sets pseudo-register $t0 equal to irp, the address of the IRP of interest (and also displays irp). When the break occurred, the engineer did this:

bp Tape!TapeIoCompleteAssociated+0x1c6 "j (@@(Irp)=$t0) '.echo stopped at TAPE!TapeIoCompleteAssociated+0x1c6; dv Irp' ; 'g'"

This means: when Tape.sys stops at the second breakpoint, and the local variable Irp matches $t0, print a helpful message and display Irp; otherwise, if Irp is not equal to $t0, keep going. When the second breakpoint does stop execution, that is exactly where the engineer wanted control to be suspended.
Using aliases

It can be convenient to have one string of characters replaced by another string of command text. One use is to substitute a short string for a long command. For example:

kd> as Demo r; !process -1 0; k; !thread -1 0
kd> al
  Alias            Value
 -------          -------
  Demo             r; !process -1 0; k; !thread -1 0
kd> demo
Couldn't resolve error at 'emo'
kd> Demo
eax=00000001 ebx=001a6987 ecx=80571780 edx=ffd11118 esi=0000003e edi=f8bcc776
eip=804df1c0 esp=8056f564 ebp=8056f574 iopl=0         nv up ei pl nz na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000202
nt!RtlpBreakWithStatusInstruction:
804df1c0 cc              int     3
PROCESS 80579f60  SessionId: none  Cid: 0000    Peb: 00000000  ParentCid: 0000
    DirBase: 00039000  ObjectTable: e1000e78  HandleCount: 234.
    Image: Idle
ChildEBP RetAddr
8056f560 804e8682 nt!RtlpBreakWithStatusInstruction
8056f560 804e61ce nt!KeUpdateSystemTime+0x132
80579f60 00000000 nt!KiIdleLoop+0xe
THREAD 80579d00  Cid 0000.0000  Teb: 00000000 Win32Thread: 00000000 RUNNING on processor 0

Note that the alias being substituted is case sensitive. If you look back at the pseudo-registers section, you can now understand the first example there. Continuing, assume this is an actual command:

bp SioctlDeviceControl "r$t0=@$t0+1;as /x ${/v:$$t0} @$t0;.block{.echo hit #$$t0};ad ${/v:$$t0};k;!thread -1 0;!process -1 0;g"

This is what appears in the WinDbg command window (the expanded alias is shown in red in the original):

hit #0x1
ChildEBP RetAddr
f747dc20 80a2675c SIoctl!SioctlDeviceControl
f747dc3c 80c70bed nt!IofCallDriver+0x62
f747dc54 80c71b0d nt!IopSynchronousServiceTail+0x159
f747dcf4 80c673aa nt!IopXxxControlFile+0x665
f747dd28 80afbbf2 nt!NtDeviceIoControlFile+0x28
f747dd28 7ffe0304 nt!_KiSystemService+0x13f
0006fdc8 04003bcb SharedUserData!SystemCallStub+0x4
0006fde8 04002314 ioctlapp!_ftbuf+0x1b
0006ff78 04002e02 ioctlapp!main+0x1e4
0006ffc0 77e4f38c ioctlapp!mainCRTStartup+0x14d
WARNING: Frame IP not in any known module. Following frames may be wrong.
0006fff0 00000000 0x77e4f38c
THREAD feca2b88  Cid 0714.0e2c  Teb: 7ffde000 Win32Thread: 00000000 RUNNING on processor 0
PROCESS ff877b50  SessionId: 1  Cid: 0714    Peb: 7ffdf000  ParentCid: 0d04
    DirBase: 048f0000  ObjectTable: e2342440  HandleCount:  19.
    Image: ioctlapp.exe
...
hit #0x2
...
hit #0x3
...

The basic technique above is to attach a block of commands to a breakpoint in such a way that the embedded alias is not interpreted immediately, but only when the break occurs. This is done with the ${} ("Alias Interpreter") syntax, using the /v flag so that the alias is not evaluated when it is specified (in the bp command), and with the .block ("Block") token so that the alias is evaluated only when the break occurs and the associated commands run. Finally, the /x option of as ensures a 64-bit value, and ad ensures that the most recent alias is deleted.
Script files and other labour-saving methods

You can run a large number of WinDbg commands from a script file. Imagine this is a dump from a 64-bit system. The focus is on the SCSI Request Blocks (SRBs) coming from the xStor.sys device driver:

1. Use !irpfind (see the Debugging Tools for Windows help) to find the IRPs in non-paged pool. You get lines like this:

fffffadfe5df1010 [fffffadfe5ee6760] irpStack: ( 4, 0)  fffffadfe78cc060 [ \Driver\dmio] 0xfffffadfe6919470

The address shown in red in the original (the first on the line) is the IRP itself.

2. Copy these lines to a file.

3. In that file, select all the entries containing xStor and put them into another file, debugtst1.txt. The resulting line is:

fffffadfe5e4c9d0 [00000000] irpStack: ( f, 0)  fffffadfe783d050 [ \Driver\xStor] 0xfffffadfe6919470

4. Edit debugtst1.txt, changing each line to:

!irp fffffadfe5e4c9d0 1

The !irp extension command displays the IRP at the given address, including the IRP header and its stack. Save debugtst1.txt.

5. Now, in WinDbg, run the file with the $$< command:

kd> $$<debugtst1.txt
kd> !irp fffffadfe5e4c9d0 1
Irp is active with 2 stacks 2 is current (= 0xfffffadfe5e4cae8)
 Mdl = fffffadfe600f5e0 Thread 00000000:  Irp stack trace.
Flags = 00000000
ThreadListEntry.Flink = fffffadfe5e4c9f0
ThreadListEntry.Blink = fffffadfe5e4c9f0
IoStatus.Status = c00000bb
IoStatus.Information = 00000000
...
Tail.Apc = 0326cc00
Tail.CompletionKey = 0326cc00
     cmd  flg cl Device   File     Completion-Context
 [  0, 0]   0  0 00000000 00000000 00000000-00000000
            Args: 00000000 00000000 00000000 00000000
>[  f, 0]   0 e1 fffffadfe783d050 00000000 fffffadfe3ee46d0-fffffadfe6869010 Success Error Cancel pending
            \Driver\xStor  CLASSPNP!TransferPktComplete
            Args: fffffadfe6869130 00000000 00000000 00000000

In these lines, the value shown in red (the first argument on the last Args line) is the address of the SRB inside the IRP.

6. To get formatted output of the SRBs, copy all the output lines above that contain 'Args: ffff' and save them in debugtst2.txt. Then change each line like this:

dt nt!SCSI_REQUEST_BLOCK fffffadfe6869130

Note: because the Microsoft symbol server holds only "public symbols", nt!SCSI_REQUEST_BLOCK may not be available. For the present purpose, imagine it is defined in the driver's full symbols.

7. Save debugtst2.txt. Then, in WinDbg, enter $$<debugtst2.txt:

kd> $$<debugtst2.txt
kd> dt nt!SCSI_REQUEST_BLOCK fffffadfe6869130
   +0x000 Length           : 0x58
   +0x002 Function         : 0 ''
   +0x003 SrbStatus        : 0 ''
   +0x004 ScsiStatus       : 0 ''
   +0x005 PathId           : 0 ''
   +0x006 TargetId         : 0xff ''
   +0x007 Lun              : 0 ''
   ...
   +0x038 SrbExtension     : (null)
   +0x040 InternalStatus   : 0x21044d0
   +0x040 QueueSortKey     : 0x21044d0
   +0x044 Reserved         : 0
   +0x048 Cdb              : [16] "*"

So, with a few minutes of work, you have found and displayed all the SRBs you were interested in.
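The manual cut-and-paste of steps 2 through 7 can be automated. The following is an added example, not part of the tutorial: it parses pasted !irpfind output into the debugtst1.txt commands and pasted !irp output into the debugtst2.txt commands. The debugger output embedded below is constructed from the lines quoted above (with one extra xStor IRP added), and nt!SCSI_REQUEST_BLOCK is assumed to resolve as the text supposes.

```python
"""Turn pasted !irpfind / !irp output into the debugtst1.txt and debugtst2.txt
script files that steps 2-7 above build by hand (added example, not from the
tutorial). The sample debugger output is constructed from the lines quoted above."""
import re

# Constructed !irpfind output: the two lines quoted above plus one extra xStor IRP.
IRPFIND_OUTPUT = """\
fffffadfe5df1010 [fffffadfe5ee6760] irpStack: ( 4, 0)  fffffadfe78cc060 [ \\Driver\\dmio] 0xfffffadfe6919470
fffffadfe5e4c9d0 [00000000] irpStack: ( f, 0)  fffffadfe783d050 [ \\Driver\\xStor] 0xfffffadfe6919470
fffffadfe5e4d9d0 [00000000] irpStack: ( f, 0)  fffffadfe783d050 [ \\Driver\\xStor] 0xfffffadfe6919470
"""

# Constructed !irp output, abridged from the listing above; the stack location owned by
# \Driver\xStor carries the SRB pointer as its first argument.
IRP_OUTPUT = """\
kd> !irp fffffadfe5e4c9d0 1
Irp is active with 2 stacks 2 is current (= 0xfffffadfe5e4cae8)
 Mdl = fffffadfe600f5e0 Thread 00000000:  Irp stack trace.
     cmd  flg cl Device   File     Completion-Context
 [  0, 0]   0  0 00000000 00000000 00000000-00000000
            Args: 00000000 00000000 00000000 00000000
>[  f, 0]   0 e1 fffffadfe783d050 00000000 fffffadfe3ee46d0-fffffadfe6869010 Success Error Cancel pending
            \\Driver\\xStor  CLASSPNP!TransferPktComplete
            Args: fffffadfe6869130 00000000 00000000 00000000
"""

IRPFIND_LINE = re.compile(
    r"^(?P<irp>[0-9a-f]{8,16})\s+\[[0-9a-f]+\]\s+irpStack:.*\[\s*\\Driver\\(?P<drv>\w+)\]")
LOCATION_LINE = re.compile(r"^\s*>?\[")            # "[  0, 0]" or the current ">[  f, 0]"
DRIVER_LINE = re.compile(r"^\s*\\Driver\\(\w+)\b")
ARGS_LINE = re.compile(r"^\s*Args:\s+([0-9a-f]+)")


def irp_script(irpfind_text, driver):
    """Steps 3-4: keep the IRPs whose stack location belongs to `driver` and emit one
    `!irp <address> 1` command per IRP (the contents of debugtst1.txt)."""
    commands = []
    for line in irpfind_text.splitlines():
        m = IRPFIND_LINE.match(line)
        if m and m.group("drv").lower() == driver.lower():
            commands.append(f"!irp {m.group('irp')} 1")
    return commands


def srb_script(irp_text, driver, srb_type="nt!SCSI_REQUEST_BLOCK"):
    """Step 6: for every stack location owned by `driver`, take the first Args value
    (the SRB pointer) and emit `dt <type> <address>` (the contents of debugtst2.txt).
    Tracking the owning driver is more robust than grepping for 'Args: ffff'."""
    commands = []
    owner = None
    for line in irp_text.splitlines():
        if LOCATION_LINE.match(line):
            owner = None                     # a new stack location; owner not yet known
            continue
        m = DRIVER_LINE.match(line)
        if m:
            owner = m.group(1).lower()
            continue
        m = ARGS_LINE.match(line)
        if m:
            if owner == driver.lower() and int(m.group(1), 16) != 0:
                commands.append(f"dt {srb_type} {m.group(1)}")
            owner = None                     # the Args line closes the stack location
    return commands


def write_script(path, commands):
    """Write one command per line; run the file in WinDbg with $$<path."""
    with open(path, "w") as f:
        f.write("\n".join(commands) + "\n")


if __name__ == "__main__":
    print("\n".join(irp_script(IRPFIND_OUTPUT, "xStor")))
    print("\n".join(srb_script(IRP_OUTPUT, "xStor")))
```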
You could also write a debugger extension to do the same job, but for a one-off investigation a simple script is the better approach. You can go further by wrapping commands in control logic to form command programs, with flow controlled by .if and .for. See "Run Script File" and "Using Debugger Command Programs" in the Debugging Tools for Windows help for more.

Debugger extensions are more powerful, but take more time to write. They are written in C or C++, compiled into a DLL, and have access to all of the debugger's facilities and its engine. Some commonly used commands, such as !process, are in fact provided by extensions. The details of writing extensions are beyond the scope of this document; see "Debugger Extensions" in the Debugging Tools for Windows help.
Remote debugging

WinDbg (and KD) can be connected to the target while acting as a server, with another debugger instance acting as the client, over TCP/IP or other protocols. The system under test is connected to the debugger by COMx or 1394, and that debugger provides the debugging service. A developer can then investigate a problem or run functions from a distance. Setting the debugger up this way is valuable in automated testing, because it lets you examine a lab machine's problem from your own desk. You get this feature with a command-line option stating the debugger's role:

windbg -server tcp:port=5555

or, after WinDbg is already running, with the command:

.server tcp:port=5005

Either way, WinDbg acts as a debugging server listening on TCP/IP port 5005. A different WinDbg instance connects as the client using the connection string:

tcp:server=myserver,port=5005

To start a WinDbg client ad hoc:

windbg -remote tcp:server=myserver,port=5005

COMx, named pipes and SSL are the other available protocols.

Some points about remote debugging: if there is a firewall between the local network and the target system's network, remote debugging becomes more complicated; see the Debugging Tools for Windows help. Access to symbols and source depends on the privileges of the logon on the remote server, not those of the client user. The client locates source files through the .lsrcpath ("local source path") command, not .srcpath.
"Short" call stacks

WinDbg does its best to work out the call stack, but sometimes it fails. Recovering from such a situation is one of the hardest tasks a debugging engineer faces, because he or she has to supplement WinDbg with their own knowledge. Take note, and press on. Suppose this example comes from a double-fault dump (an unexpected kernel-mode trap with first parameter 0x00000008):

kd> k
ChildEBP RetAddr
be80cff8 00000000 hal!HalpClockInterruptPn+0x84

It looks as though only the operating system's clock-interrupt routine is on the stack. That it should fail is a little suspicious, so now look at the current thread:

kd> !thread
THREAD 88f108a0  Cid 8.54c  Teb: 00000000 Win32Thread: 00000000 RUNNING
...
Start Address rpcxdr!SunRpcGetRxStats (0xf7352702)
Stack Init be810000 Current be80fd34 Base be810000 Limit be80d000 Call 0

The stack begins at 0xBE810000 and ends at 0xBE80D000 (3 pages, which is normal). Clearly the frame base (ChildEBP) of the failing clock routine, 0xBE80CFF8, lies past the normal end of the stack: the clock routine used more stack than the standard allocation. The detective work now is to look through the stack for addresses that might point to other routines. Normally you use dds ("Display Words and Symbols") to look for saved addresses (dqs and dps also work; note that all three commands are case sensitive). For the present purpose, ignore the clock-interrupt routine and move the focus to the stack above it; nothing there shows what the clock routine interrupted. But don't avoid the clock routine entirely: start from the fact that its frame pointer (the ChildEBP above) is 0xBE80CFF8. Look at 0xBE80CFF8 and see whether anything interesting shows up (comments below are in C style):

2: kd> dds be80cff8 be80cff8+0x100
be80cff8  /* Invalid storage address. */
be80cffc  /* Invalid storage address. */
be80d000  00000000
...
be80d034  00000000
be80d038  00000020
...
be80d058  be80d084
be80d05c  00000000
be80d060  bfee03e0 zzznds+0x103e0
be80d064  00000008
be80d068  00000246
be80d06c  8a61c004
be80d070  bfbb7858
be80d074  88c1da28
be80d078  00000000
be80d07c  00000000
be80d080  00000000
be80d084  be80d0d8 /* Saved Ebp of zzznds+0xBED7, as explained below. */
be80d088  bfedbed7 zzznds+0xbed7
...

Suppose that "zzznds+0x103E0" is the symbol of a driver routine that was interrupted by the clock routine. You will also notice the earlier (higher stack address) symbol "zzznds+0xBED7". Now look at the disassembly just before zzznds+0xBED7 (a call instruction):

zzznds+0xbed0:
bfedbed0 53              push    ebx
bfedbed1 57              push    edi
bfedbed2 e8e7420000      call    zzznds+0x101be (bfee01be)

Notice that this calls zzznds+0x101BE, which is close to the first symbol that was recognized, so the call disassembles nicely. Now disassemble zzznds+0x101BE to see what it does:

bfee01be 55              push    ebp          /* Save the caller's EBP. */
bfee01bf 8bec            mov     ebp,esp      /* Make the current ESP our EBP. */
bfee01c1 83ec0c          sub     esp,0xc      /* Adjust ESP by subtracting 0xC. */
bfee01c4 53              push    ebx

Going back to the dds output above, you can see the caller's Ebp saved at 0xBE80D084. The push ebp instruction at 0xBFEE01BE stored it at 0xBE80D084. That means ESP was 0xBE80D084 after the push; then ESP became the current EBP (the instruction at 0xBFEE01BF), and then the instruction at 0xBFEE01C1 subtracted 0xC from Esp. So when the instruction at 0xBFEE01C4 is reached, Esp = 0xBE80D078. You have now established Ebp, Esp and Eip for the call made at zzznds+0xBED7, namely 0xBE80D084, 0xBE80D078 and 0xBFEE01C4, and you can feed them to the k command instead of letting it try to discover the values itself:

2: kd> k = 0xBE80D084 0xBE80D078 0xBFEE01C4
ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be wrong.
be80d084 bfedbed7 zzznds+0x101c4
be80d0d8 bff6030f zzznds+0xbed7
be80d0fc 8046d778 SCSIPORT!SpStartIoSynchronized+0x139
be80d114 bff60e4f nt!KeSynchronizeExecution+0x28
be80d148 8006627b SCSIPORT!SpBuildScatterGather+0x249
be80d174 8041d30e hal!HalAllocateAdapterChannel+0x11b
be80d18c bff5f8c8 nt!IoAllocateAdapterChannel+0x28
be80d1bc 8041f73f SCSIPORT!ScsiPortStartIo+0x2ea
be80d1e0 bff5f4ec nt!IoStartPacket+0x6f
be80d214 bff601d0 SCSIPORT!ScsiPortFdoDispatch+0x26c
be80d22c bff622f7 SCSIPORT!SpDispatchRequest+0x70
be80d248 bff5e390 SCSIPORT!ScsiPortPdoScsi+0xef
be80d258 8041deb1 SCSIPORT!ScsiPortGlobalDispatch+0x1a
...

This is only the most recent part of the stack, but you should have the general idea. Look back at the arguments given to k above: arriving at them took a fair amount of detective work, including searching the stack and working through the code to see how the stack was built up at those locations. The work will differ from one case to the next. The lesson is this: if WinDbg's stack backtrace looks short, look at the kernel stack allocated to the failing thread. If the frames are not there, dig them out.
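What the k = &lt;ebp&gt; &lt;esp&gt; &lt;eip&gt; command does once the registers have been recovered is a plain saved-EBP chain walk, and the same walk explains why the original k stopped after the clock routine. The following is an added example, not from the tutorial: a small frame walker run over a stack image and symbol table constructed from the dds and k listings above (the symbol start addresses are derived by subtracting each k-line offset from its return address; zzznds is treated as a module with no symbols, base 0xBFED0000).

```python
"""Walk an x86 saved-EBP chain the way WinDbg's `k = <ebp> <esp> <eip>` does once the
analyst has recovered the registers by hand (added example; not from the tutorial).
The stack image and symbol table are constructed from the dds and k listings above."""
from bisect import bisect_right

STACK_BASE = 0xbe810000    # !thread: Base (high end of the kernel stack)
STACK_LIMIT = 0xbe80d000   # !thread: Limit (low end); dds reported "Invalid storage address" below it

# Constructed stack image: only the saved-EBP / return-address pairs the walk touches,
# copied from the ChildEBP / RetAddr columns of the k output above. The last frame's
# saved EBP is set to 0 here so that the constructed chain terminates cleanly.
STACK_WORDS = {
    0xbe80d084: 0xbe80d0d8, 0xbe80d088: 0xbfedbed7,  # zzznds+0x101c4 (EIP) returns into zzznds+0xbed7
    0xbe80d0d8: 0xbe80d0fc, 0xbe80d0dc: 0xbff6030f,  # zzznds+0xbed7
    0xbe80d0fc: 0xbe80d114, 0xbe80d100: 0x8046d778,  # SCSIPORT!SpStartIoSynchronized+0x139
    0xbe80d114: 0xbe80d148, 0xbe80d118: 0xbff60e4f,  # nt!KeSynchronizeExecution+0x28
    0xbe80d148: 0xbe80d174, 0xbe80d14c: 0x8006627b,  # SCSIPORT!SpBuildScatterGather+0x249
    0xbe80d174: 0xbe80d18c, 0xbe80d178: 0x8041d30e,  # hal!HalAllocateAdapterChannel+0x11b
    0xbe80d18c: 0xbe80d1bc, 0xbe80d190: 0xbff5f8c8,  # nt!IoAllocateAdapterChannel+0x28
    0xbe80d1bc: 0x00000000, 0xbe80d1c0: 0x8041f73f,  # SCSIPORT!ScsiPortStartIo+0x2ea (chain cut here)
}

# Constructed symbol table: each start address is a k-line return address minus its
# offset (0xbff6030f - 0x139 = 0xbff601d6, ...). zzznds has no symbols, so only its
# module base is known: 0xbfedbed7 - 0xbed7 = 0xbfed0000.
SYMBOLS = sorted([
    (0xbfed0000, "zzznds"),
    (0xbff601d6, "SCSIPORT!SpStartIoSynchronized"),
    (0x8046d750, "nt!KeSynchronizeExecution"),
    (0xbff60c06, "SCSIPORT!SpBuildScatterGather"),
    (0x80066160, "hal!HalAllocateAdapterChannel"),
    (0x8041d2e6, "nt!IoAllocateAdapterChannel"),
    (0xbff5f5de, "SCSIPORT!ScsiPortStartIo"),
    (0x8041f6d0, "nt!IoStartPacket"),
])
SYMBOL_STARTS = [start for start, _ in SYMBOLS]


def symbolize(addr):
    """Nearest preceding symbol plus offset, in WinDbg's module!name+0xNN form."""
    i = bisect_right(SYMBOL_STARTS, addr) - 1
    if i < 0:
        return f"0x{addr:x}"
    start, name = SYMBOLS[i]
    return f"{name}+0x{addr - start:x}"


def read_dword(addr):
    """Read a dword from the image; None stands for an unmapped address."""
    return STACK_WORDS.get(addr)


def walk_frames(ebp, esp, eip, max_frames=32):
    """Return [(child_ebp, ret_addr, symbol), ...] for the frame chain starting at
    EBP/ESP/EIP, stopping when EBP leaves the thread's kernel stack, a word is
    unreadable, or the chain stops moving toward the stack base."""
    if esp > ebp:
        raise ValueError("ESP above EBP: the frame at EIP has not been set up yet")
    frames = []
    pc = eip
    while ebp and len(frames) < max_frames:
        if not (STACK_LIMIT <= ebp <= STACK_BASE - 8):
            break                  # e.g. 0xbe80cff8 from the double-fault k output
        saved_ebp, ret = read_dword(ebp), read_dword(ebp + 4)
        if saved_ebp is None or ret is None:
            break
        frames.append((ebp, ret, symbolize(pc)))
        if saved_ebp and saved_ebp <= ebp:
            break                  # a frame chain must grow toward the stack base
        pc, ebp = ret, saved_ebp
    return frames


if __name__ == "__main__":
    # The registers recovered in the walk-through above.
    for child_ebp, ret, sym in walk_frames(0xbe80d084, 0xbe80d078, 0xbfee01c4):
        print(f"{child_ebp:08x} {ret:08x} {sym}")
```

Calling walk_frames with the clock routine's ChildEBP 0xBE80CFF8 returns no frames at all, because that address lies below the stack limit, which is the "short" stack seen at the start of this section.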
Unexpected change of thread context while single-stepping

If you single-step kernel code for a long stretch (with F10 or F11, say), you may notice control suddenly jumping to an unexpected place. Most likely the code was running at an IRQL below DISPATCH_LEVEL and you used step-over (F10). If you knew which thread you were tracing, check the running thread now and you will confirm that the thread has changed. This is normal. The debugger implements a single step by planting a debug instruction (int 3 on x86, for example) at the next instruction or statement (these instructions are normally invisible while debugging). If the thread's quantum expires while it is moving from the current instruction/statement to the next, the operating system may dispatch a different thread; that thread may hit the debug instruction, and the debugger takes control. The debugger does not check whether the current thread is the one from the previous step; it simply stops. That is when you observe the jump. The scenario is more likely when stepping over code that does a lot of processing, such as stepping over an API that calls an API that calls an API, and so on. There is no simple way around this expected, recurring behaviour.

What to do when you see an unexpected jump while single-stepping: check the current thread if you suspect it has changed. If you find the thread was switched out, all you can do is go back to the last good position, re-run the test, set a one-shot breakpoint there and let the program run until it reaches the breakpoint. Then you can carry on: you are still exposed to the same effect, but you have got further along the path of interest.
Getting more information

This summary does not explore everything the debugger can do. See the Debugging Tools for Windows help for more information. If you still cannot get answers, post your questions to microsoft.public.windbg (hosted at msnews.microsoft.com), or send e-mail to windbgfb@microsoft.com.
