Debugging Notes: Debugging WinPE
WinPE is short for Windows Preinstallation Environment. Put simply, it is a Windows that needs no installation and can be booted directly from read-only media. The Vista installation DVD, for example, contains a WinPE, and the system repair functions run inside that WinPE environment.
From a software-implementation standpoint, WinPE shares the bulk of its source code with ordinary Windows, and in fact the same binaries serve both. Some logic is WinPE-specific, but it is selected at run time rather than by a separate build: the kernel, for instance, switches into WinPE mode when it finds the MiniNT key (HKLM\SYSTEM\CurrentControlSet\Control\MiniNT) in the hive it boots from.
Since the kernel code is essentially the same, WinPE also supports kernel debugging. Press F8 at the BOOTMGR stage and choose Debug Mode, and a kernel-debug connection can be established over a serial port at 19200 baud. Debug Mode only turns on the debug flag for the selected boot entry; the transport, port and baud rate come from the dbgsettings of the BCD store the medium boots from (\boot\BCD on the Vista DVD), so the host-side WinDbg must be started with matching parameters or no connection will be made:
Here is what WinDbg prints when the target kernel is broken into the debugger with Ctrl+Break:
Opened \\.\com1
Waiting to reconnect...
Connected to Windows Vista 6000 x86 compatible target, ptr64 FALSE
Kernel Debugger connection established.
Symbol search path is: SRV*d:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows Vista Kernel Version 6000 MP (4 procs) Free x86 compatible
Built by: 6000.16386.x86fre.vista_rtm.061101-2205
Kernel base = 0x81000000 PsLoadedModuleList = 0x81111db0
Debug session time: Sun Sep 7 07:16:27.578 2008 (GMT+8)
System Uptime: 0 days 0:01:09.359
Break instruction exception - code 80000003 (first chance)
Since this WinPE comes from the Vista installation DVD, its major build number is also 6000, i.e. vista_rtm; the full build string 6000.16386.x86fre.vista_rtm.061101-2205 is identical to that of the RTM kernel, which confirms that the WinPE image carries the same ntoskrnl as an installed system.
List all processes in the system (the 2: in the prompt is the processor on which the break was taken, out of the 4 reported above):
2: kd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS 83238908 SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000
DirBase: 00122000 ObjectTable: 88201168 HandleCount: 178.
Image: System
PROCESS 838b2ae8 SessionId: none Cid: 0124 Peb: 7ffd8000 ParentCid: 0004
DirBase: 79a81020 ObjectTable: 8af4bc58 HandleCount: 28.
Image: smss.exe
PROCESS 838e2d90 SessionId: 0 Cid: 0158 Peb: 7ffd3000 ParentCid: 014c
DirBase: 79a81060 ObjectTable: 89e73310 HandleCount: 204.
Image: csrss.exe
PROCESS 838f4d90 SessionId: 1 Cid: 0184 Peb: 7ffd8000 ParentCid: 017c
DirBase: 79a810a0 ObjectTable: 8d2aa760 HandleCount: 112.
Image: csrss.exe
PROCESS 838f32e0 SessionId: 0 Cid: 018c Peb: 7ffd7000 ParentCid: 014c
DirBase: 79a810c0 ObjectTable: 8d2b3db0 HandleCount: 83.
Image: wininit.exe
PROCESS 83906218 SessionId: 1 Cid: 01c4 Peb: 7ffdf000 ParentCid: 017c
DirBase: 79a81040 ObjectTable: 8d2bf3b0 HandleCount: 70.
Image: winlogon.exe
PROCESS 8390ed90 SessionId: 0 Cid: 01e8 Peb: 7ffdc000 ParentCid: 018c
DirBase: 79a81080 ObjectTable: 8d2d5490 HandleCount: 233.
Image: services.exe
PROCESS 83912d90 SessionId: 0 Cid: 01f0 Peb: 7ffdc000 ParentCid: 018c
DirBase: 79a810e0 ObjectTable: 8d2e1b30 HandleCount: 435.
Image: lsass.exe
PROCESS 83914188 SessionId: 0 Cid: 01f8 Peb: 7ffd9000 ParentCid: 018c
DirBase: 79a81100 ObjectTable: 8d2ec8d0 HandleCount: 117.
Image: lsm.exe
PROCESS 83999d90 SessionId: 0 Cid: 0294 Peb: 7ffd5000 ParentCid: 01e8
DirBase: 79a81120 ObjectTable: 8d34a708 HandleCount: 275.
Image: svchost.exe
PROCESS 8368fd90 SessionId: 0 Cid: 02c0 Peb: 7ffdd000 ParentCid: 01e8
DirBase: 79a81140 ObjectTable: 8d3b6348 HandleCount: 152.
Image: svchost.exe
PROCESS 839bfd90 SessionId: 0 Cid: 0308 Peb: 7ffd8000 ParentCid: 01e8
DirBase: 79a81160 ObjectTable: 8d3f6c10 HandleCount: 186.
Image: svchost.exe
PROCESS 839c0020 SessionId: 1 Cid: 0350 Peb: 7ffd5000 ParentCid: 01c4
DirBase: 79a811a0 ObjectTable: 8e2101f0 HandleCount: 203.
Image: winpeshl.exe
PROCESS 839f3d90 SessionId: 0 Cid: 0370 Peb: 7ffde000 ParentCid: 01e8
DirBase: 79a811e0 ObjectTable: 8d3597d8 HandleCount: 166.
Image: svchost.exe
PROCESS 83a30d90 SessionId: 0 Cid: 0408 Peb: 7ffdc000 ParentCid: 01e8
DirBase: 79a81180 ObjectTable: 8e20ccc0 HandleCount: 132.
Image: svchost.exe
PROCESS 83a6ad90 SessionId: 0 Cid: 0460 Peb: 7ffde000 ParentCid: 01e8
DirBase: 79a81240 ObjectTable: 8e36df68 HandleCount: 83.
Image: svchost.exe
PROCESS 8390d8e8 SessionId: 0 Cid: 0480 Peb: 7ffde000 ParentCid: 01e8
DirBase: 79a81260 ObjectTable: 8e38e748 HandleCount: 342.
Image: svchost.exe
As the listing shows, WinPE also uses Vista's session isolation: two sessions already exist, Session 0 with wininit.exe, services.exe, lsass.exe, lsm.exe and the svchost.exe instances, and Session 1 with winlogon.exe and winpeshl.exe (the WinPE shell, which takes the place of explorer.exe), and each session has its own Windows subsystem server process, csrss.exe. The ParentCid values 014c and 017c of the two csrss.exe instances, wininit.exe and winlogon.exe belong to processes that are no longer in the list: on Vista the master smss.exe spawns a copy of itself for each session, and that copy exits once it has created the session's csrss.exe and its wininit.exe or winlogon.exe. The System process's page directory base also looks very familiar: DirBase: 00122000.
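The listing above lends itself to a small tool. The following Python script is an example added here and is not part of the original notes: it parses !process 0 0 output (the sample embedded in it is an abridged copy of the listing above), links each process to its parent by Cid/ParentCid, and checks the layout a Vista-era WinPE should show: one csrss.exe per session, services.exe/lsass.exe/lsm.exe under wininit.exe in Session 0, every svchost.exe under services.exe, and winpeshl.exe started by winlogon.exe in the user session. Those process-name expectations are the usual Vista boot chain, not something the page states explicitly.

```python
"""Added example (not from the original post): parse WinDbg `!process 0 0` output into a
process tree and check the Vista boot chain a WinPE session is expected to show."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Abridged copy of the `!process 0 0` listing on the page: lsass.exe, lsm.exe and six of the
# seven svchost.exe entries are dropped to keep the sample short; the rest is verbatim.
SAMPLE = """\
2: kd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS 83238908 SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000
DirBase: 00122000 ObjectTable: 88201168 HandleCount: 178.
Image: System
PROCESS 838b2ae8 SessionId: none Cid: 0124 Peb: 7ffd8000 ParentCid: 0004
DirBase: 79a81020 ObjectTable: 8af4bc58 HandleCount: 28.
Image: smss.exe
PROCESS 838e2d90 SessionId: 0 Cid: 0158 Peb: 7ffd3000 ParentCid: 014c
DirBase: 79a81060 ObjectTable: 89e73310 HandleCount: 204.
Image: csrss.exe
PROCESS 838f4d90 SessionId: 1 Cid: 0184 Peb: 7ffd8000 ParentCid: 017c
DirBase: 79a810a0 ObjectTable: 8d2aa760 HandleCount: 112.
Image: csrss.exe
PROCESS 838f32e0 SessionId: 0 Cid: 018c Peb: 7ffd7000 ParentCid: 014c
DirBase: 79a810c0 ObjectTable: 8d2b3db0 HandleCount: 83.
Image: wininit.exe
PROCESS 83906218 SessionId: 1 Cid: 01c4 Peb: 7ffdf000 ParentCid: 017c
DirBase: 79a81040 ObjectTable: 8d2bf3b0 HandleCount: 70.
Image: winlogon.exe
PROCESS 8390ed90 SessionId: 0 Cid: 01e8 Peb: 7ffdc000 ParentCid: 018c
DirBase: 79a81080 ObjectTable: 8d2d5490 HandleCount: 233.
Image: services.exe
PROCESS 83999d90 SessionId: 0 Cid: 0294 Peb: 7ffd5000 ParentCid: 01e8
DirBase: 79a81120 ObjectTable: 8d34a708 HandleCount: 275.
Image: svchost.exe
PROCESS 839c0020 SessionId: 1 Cid: 0350 Peb: 7ffd5000 ParentCid: 01c4
DirBase: 79a811a0 ObjectTable: 8e2101f0 HandleCount: 203.
Image: winpeshl.exe
"""

# One PROCESS block spans three lines; \s+ between fields also absorbs the line breaks.
PROC_RE = re.compile(
    r"PROCESS (?P<eproc>[0-9a-f]+)\s+SessionId:\s*(?P<sess>\w+)\s+Cid:\s*(?P<cid>[0-9a-f]+)"
    r"\s+Peb:\s*[0-9a-f]+\s+ParentCid:\s*(?P<ppid>[0-9a-f]+)\s+DirBase:\s*(?P<dirbase>[0-9a-f]+)"
    r"\s+ObjectTable:\s*[0-9a-f]+\s+HandleCount:\s*\d+\.\s+Image:\s*(?P<image>\S+)")

@dataclass
class Proc:
    eprocess: int               # _EPROCESS address, the argument for `!process <addr>`
    session: Optional[int]      # None where WinDbg prints "none" (System, smss.exe)
    cid: int
    parent_cid: int
    dirbase: int                # physical page-directory base, i.e. the process's CR3 value
    image: str
    children: List["Proc"] = field(default_factory=list)

def parse_process_dump(text: str) -> Dict[int, Proc]:
    """{Cid: Proc} for every PROCESS block; Cid and ParentCid are printed in hex."""
    procs: Dict[int, Proc] = {}
    for m in PROC_RE.finditer(text):
        sess = None if m["sess"] == "none" else int(m["sess"])
        procs[int(m["cid"], 16)] = Proc(int(m["eproc"], 16), sess, int(m["cid"], 16),
                                        int(m["ppid"], 16), int(m["dirbase"], 16), m["image"])
    return procs

def link_tree(procs: Dict[int, Proc]) -> List[Proc]:
    """Attach children to parents; return the roots (processes whose parent is not in the dump).
    On Vista the per-session smss.exe copy exits after spawning csrss.exe and wininit.exe or
    winlogon.exe, so those appear as roots whose ParentCid no longer exists."""
    roots = []
    for p in procs.values():
        parent = procs.get(p.parent_cid)
        if parent is None or parent is p:
            roots.append(p)
        else:
            parent.children.append(p)
    return roots

def check_vista_boot_chain(procs: Dict[int, Proc]) -> List[str]:
    """Deviations from the expected Vista/WinPE layout; an empty list means clean."""
    img: Dict[str, List[Proc]] = {}
    for p in procs.values():
        img.setdefault(p.image, []).append(p)
    findings = []
    for s in sorted({p.session for p in procs.values() if p.session is not None}):
        n = sum(1 for c in img.get("csrss.exe", []) if c.session == s)
        if n != 1:
            findings.append(f"session {s}: {n} csrss.exe instances, expected exactly 1")
    wininit = {w.cid for w in img.get("wininit.exe", [])}
    for name in ("services.exe", "lsass.exe", "lsm.exe"):
        for p in img.get(name, []):
            if p.session != 0 or p.parent_cid not in wininit:
                findings.append(f"{name} cid {p.cid:x}: not a session-0 child of wininit.exe")
    services = {s.cid for s in img.get("services.exe", [])}
    for p in img.get("svchost.exe", []):
        if p.parent_cid not in services:
            findings.append(f"svchost.exe cid {p.cid:x}: parent {p.parent_cid:x} is not services.exe")
    for p in img.get("winpeshl.exe", []):   # WinPE's shell; winlogon starts it in the user session
        if p.session in (None, 0) or procs.get(p.parent_cid, p).image != "winlogon.exe":
            findings.append(f"winpeshl.exe cid {p.cid:x}: not started by winlogon.exe in a user session")
    return findings
```

To use it on a real session, save the WinDbg output to a file (.logopen in WinDbg, or copy the command window), feed the text to parse_process_dump, call link_tree for the parent/child structure and check_vista_boot_chain for anything that deviates from the expected chain; a process claiming a parent it should not have, or a second csrss.exe in a session, shows up as a finding.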
For lack of time I have not done any further analysis; these notes end here.