 |
|
|
|
|
|
|
|
Windows内核调试
帖子发起人: icecools 发起时间: 2009-03-26 21:54 下午 回复: 8
  
|
|
帖子排序:
|
|
|
|
 2009-03-26, 21:54 下午
|
icecools
注册: 2009-03-26
发 贴: 5
|
|
|
我自己写了一个windbg的extension,里面需要调用被调试程序的一个函数来显示东西,但我没有找到相应的函数,只看到在windbg里的.call可以,但是写程序怎么实现啊?
比如我有个函数Func1(void* p)
我用fun = GetExpression ("Fun1")得到函数地址,然后用
GetExpression(args)得到我传的参数的地址,然后con = ReadMemroy得到此地址的值,后面调用
fun(con)的时候总是出错,大家有啥办法吗?谢谢!
|
|
|
|
IP 地址: 已记录
|
报告
|
|
|
|
|
2009-03-27, 12:47 下午
|
格蠹老雷
注册: 2005-12-19
发 贴: 1,303
|
Re: windbg ext中怎么调用被调试程序的函数?
|
|
|
|
|
|
可以格式化成.call命令,然后用IDebugControl的Execute接口执行。注意,执行.call命令需要私有符号。
|
|
|
|
IP 地址: 已记录
|
报告
|
|
|
|
|
2009-03-31, 11:28 上午
|
icecools
注册: 2009-03-26
发 贴: 5
|
Re: windbg ext中怎么调用被调试程序的函数?
|
|
|
|
|
|
谢谢Raymond.
我参考了网上另一种方法实现了一下,大体为先GetOffsetByName得到函数地址,然后在target上分配一块内存,拼一段调用此函数的代码,执行后int 3返回调试器,调了一下可以工作
|
|
|
|
IP 地址: 已记录
|
报告
|
|
|
|
|
2009-04-02, 09:12 上午
|
guozf
注册: 2008-12-06
HK
发 贴: 68
|
Re: windbg ext中怎么调用被调试程序的函数?
|
|
|
|
|
|
有这种方法的具体的资料么?可以share给我啊?谢谢。
|
|
|
|
IP 地址: 已记录
|
报告
|
|
|
|
|
2009-04-02, 17:43 下午
|
icecools
注册: 2009-03-26
发 贴: 5
|
Re: windbg ext中怎么调用被调试程序的函数?
|
|
|
|
|
|
楼上,贴上程序,给你参考下
char PushCode<img src="/emoticons/emotion-14.gif" alt="Devil [6]" /> = "\x68\x00\x00\x00\x00"; // push 0
char CallCode[9] = "\xBA\xF0\xF0\xAD\xDE" // 0 - MOV EDX, 0xdeadf0f0 (address of remote function)
"\xFF\xD2" // 5 - CALL *EDX
"\xCC"; // 7 - int3
const CHAR *FUNCTION_NAME = "MyFunctionsName; //it has a pointer parameter
//The helper function to write code/date to the target process virtual memory
int WriteDataVirtual(PDEBUG_DATA_SPACES dataSpaces, ULONG64 baseAddr, void *data, ULONG dataLen, ULONG *offset)
{
ULONG tempOff = 0;
ULONG bytesWritten;
while (dataSpaces->WriteVirtual(baseAddr + *offset + tempOff, (PVOID)((ULONG) data + tempOff), dataLen - tempOff, &bytesWritten) == S_OK)
{
tempOff += bytesWritten;
if (tempOff == dataLen)
{
break;
}
}
if (tempOff != dataLen)
{
dprintf("WriteVirtual error!\n");
return -1;
}
*offset += dataLen;
return S_OK;
}
//WINDBG will call the MyFunctionsName
HRESULT CALLBACK mycall(PDEBUG_CLIENT Client, PCSTR args)
{
ULONG64 functionAddr, dagAddr, processHandle, moduleBase;
ULONG eipIndex, typeId, pdagCont;
DEBUG_VALUE eipValue;
size_t totalCodeLen;
CONTEXT context;
void *codeSpace;
bool success = false;
HRESULT result = S_OK;
PDEBUG_SYMBOLS debugSymbols;
PDEBUG_ADVANCED debugAdvanced;
PDEBUG_DATA_SPACES debugDataSpaces;
PDEBUG_REGISTERS debugRegisters;
PDEBUG_SYSTEM_OBJECTS debugSystemObjects;
PDEBUG_CONTROL debugControl;
Client->QueryInterface(__uuidof(IDebugSymbols), (void **) &debugSymbols);
Client->QueryInterface(__uuidof(IDebugAdvanced), (void **) &debugAdvanced);
Client->QueryInterface(__uuidof(IDebugDataSpaces), (void **) &debugDataSpaces);
Client->QueryInterface(__uuidof(IDebugRegisters), (void **) &debugRegisters);
Client->QueryInterface(__uuidof(IDebugSystemObjects), (void **) &debugSystemObjects);
Client->QueryInterface(__uuidof(IDebugControl), (void **) &debugControl);
if (!debugSymbols || !debugAdvanced || !debugDataSpaces || !debugRegisters || !debugSystemObjects || !debugControl)
{
dprintf("Query the interface error!\n");
goto E_RELEASE;
}
//Get the function address
result = debugSymbols->GetOffsetByName(FUNCTION_NAME, &functionAddr);
if (result != S_OK)
{
dprintf("Function not found or ambiguous!\n");
goto E_RELEASE;
}
//Get the pointer variable address
result = debugSymbols->GetOffsetByName(args, &dagAddr);
if (result != S_OK)
{
dprintf("DagName not found or ambiguous!\n");
goto E_RELEASE;
}
//Find the pointer variable's type and the module base including the variable
result = debugSymbols->GetSymbolTypeId(args, &typeId, &moduleBase);
if (result != S_OK)
{
dprintf("GetSymbolTypeId not found or ambiguous!\n");
goto E_RELEASE;
}
//Get the pointer from the variable
result = debugSymbols->ReadTypedDataVirtual(dagAddr, moduleBase, typeId, (PVOID)&pdagCont, 4, NULL);
if (result != S_OK)
{
dprintf("ReadTypedDataVirtual error!\n");
goto E_RELEASE;
}
//Get the thread context to prepare for call target function then restore the current context
result = debugAdvanced->GetThreadContext(&context, sizeof(context));
if (result != S_OK)
{
dprintf("GetThreadContexterror!\n");
goto E_RELEASE;
}
//Get target handle
result = debugSystemObjects->GetCurrentProcessHandle(&processHandle);
if (result != S_OK)
{
dprintf("GetCurrentProcessHandle error!\n");
goto E_RELEASE;
}
totalCodeLen = sizeof(PushCode) + sizeof(CallCode);
//Allocate some memory in the target
if (!(codeSpace = VirtualAllocEx((HANDLE) processHandle, NULL, totalCodeLen, MEM_COMMIT, PAGE_EXECUTE_READWRITE )))
{
DWORD error = GetLastError();
LPVOID lpMsgBuf;
FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS, NULL, error, MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), (LPTSTR) &lpMsgBuf, 0, NULL );
dprintf((CHAR *) lpMsgBuf);
dprintf("VirtualAllocEx error!\n");
goto E_RELEASE;
}
ULONG curOffset = 0;
memcpy(&(PushCode[1]), (void *) &(pdagCont), 4);
//Write the following code to target memory(push the parameter to the stack)
//PUSH pVoid
result = WriteDataVirtual(debugDataSpaces, (ULONG64) codeSpace, PushCode, sizeof(PushCode) - 1, &curOffset);
if (result != S_OK)
{
goto E_VFREE;
}
memcpy(&(CallCode[1]), (void *) &functionAddr, 4);
//Write the following code to target memory(call target function and return to debugger)
//MOV EDX, funcitonAddress
//CALL *EDX
//INT 3
result = WriteDataVirtual(debugDataSpaces, (ULONG64) codeSpace, CallCode, sizeof(CallCode) - 1, &curOffset);
if (result != S_OK)
{
goto E_VFREE;
}
//Get EIP value
result = debugRegisters->GetIndexByName("eip", &eipIndex);
if (result != S_OK)
{
dprintf("GetIndexByName error!\n");
goto E_VFREE;
}
result = debugRegisters->GetValue(eipIndex, &eipValue);
if (result != S_OK)
{
dprintf("GetValue error!\n");
goto E_VFREE;
}
// Set the new EIP and go
eipValue.Type = DEBUG_VALUE_INT32;
eipValue.I32 = (ULONG) codeSpace;
result = debugRegisters->SetValue(eipIndex, &eipValue);
if (result != S_OK)
{
dprintf("SetValue error!\n");
goto E_VFREE;
}
//Here we run the code finally!
result = debugControl->SetExecutionStatus(DEBUG_STATUS_GO);
if (result != S_OK)
{
dprintf("SetExecutionStatus error!\n");
goto E_RESTORE;
}
result = debugControl->WaitForEvent(0, INFINITE);
//Return from the target function so we need restore the current thread context
E_RESTORE:
debugAdvanced->SetThreadContext(&context, sizeof(context));
//Do some cleanup work
E_VFREE:
VirtualFreeEx((HANDLE) processHandle, codeSpace, 0, MEM_RELEASE);
E_RELEASE:
if (debugSymbols) debugSymbols->Release();
if (debugAdvanced) debugAdvanced->Release();
if (debugDataSpaces) debugDataSpaces->Release();
if (debugRegisters) debugRegisters->Release();
if (debugSystemObjects) debugSystemObjects->Release();
if (debugControl) debugControl->Release();
return result;
}
|
|
|
|
IP 地址: 已记录
|
报告
|
|
|
|
|
2009-04-02, 17:44 下午
|
icecools
注册: 2009-03-26
发 贴: 5
|
Re: windbg ext中怎么调用被调试程序的函数?
|
|
|
|
|
|
第一行应该是
char PushCode[ 6 ] = "\x68\x00\x00\x00\x00"; // push 0
不知道怎么给替换成图标了
|
|
|
|
IP 地址: 已记录
|
报告
|
|
|
|
|
2009-04-07, 08:21 上午
|
guozf
注册: 2008-12-06
HK
发 贴: 68
|
Re: windbg ext中怎么调用被调试程序的函数?
|
|
|
|
|
|
楼上的老兄,这个方法试验过,源代码可以直接work么?谢谢啊。
|
|
|
|
IP 地址: 已记录
|
报告
|
|
|
|
|
2009-04-07, 08:47 上午
|
guozf
注册: 2008-12-06
HK
发 贴: 68
|
Re: windbg ext中怎么调用被调试程序的函数?
|
|
|
|
|
|
|
|
|
IP 地址: 已记录
|
报告
|
|
|
|
|
2009-04-07, 10:00 上午
|
icecools
注册: 2009-03-26
发 贴: 5
|
Re: windbg ext中怎么调用被调试程序的函数?
|
|
|
|
|
|
当然可以工作,你仔细看代码,调用函数接受一个指针做参数,注意pushcode那部分。。。
|
|
|
|
IP 地址: 已记录
|
报告
|
|
|
|
|
高端调试 » 软件调试 » Windows内核调试 » Re: windbg ext中怎么调用被调试程序的函数?
|
|
|
|
|
|