Re: dump出来的mudule怎么能直接运行?

Windows内核调试

dump出来的mudule怎么能直接运行?

Thomson 2009-04-14, 23:07 下午
我试了一下notepad.exe,在运行起来的时候,使用'.writemem',把notepad module写到一个temp.exe,
直接运行不可以,然后把file alignment和virtual memory alignment改成一样,还是不能运行.

这里的temp.exe和原始文件差别在哪些地方?怎么改才能让其可运行呢?

Re: dump出来的mudule怎么能直接运行?

aa1ss2 2009-04-15, 09:50 上午
可以使用的,楼主你改错了。

原记事本的区段如下
按 [Esc] 键关闭该窗口!
No | 名称 | VSize | VOffset | RSize | ROffset | Charact. |
01 | .text | 00007748 | 00001000 | 00007800 | 00000400 | 60000020 |
02 | .data | 00001BA8 | 00009000 | 00000800 | 00007C00 | C0000040 |
03 | .rsrc | 00007F30 | 0000B000 | 00008000 | 00008400 | 40000040 |


0:000> lm
start end module name
01000000 01013000 notepad (deferred)
72f70000 72f96000 WINSPOOL (deferred)
76320000 76367000 comdlg32 (deferred)
77180000 77283000 COMCTL32 (deferred)
77be0000 77c38000 msvcrt (deferred)
77d10000 77d9f000 USER32 (deferred)
77da0000 77e49000 ADVAPI32 (deferred)
77e50000 77ee1000 RPCRT4 (deferred)
77ef0000 77f37000 GDI32 (deferred)
77f40000 77fb6000 SHLWAPI (deferred)
7c800000 7c91c000 kernel32 (deferred)
7c920000 7c9b4000 ntdll (pdb symbols) C:\Program Files\Debugging Tools for Windows (x86)\sym\ntdll.pdb\36515FB5D04345E491F672FA2E2878C02\ntdll.pdb
7d590000 7dd82000 SHELL32 (deferred)
0:000> .writemem d:\1.exe 01000000 l13000
Writing 13000 bytes......................................


dump下来后,要修正区段,改成下面这样

按 [Esc] 键关闭该窗口!
No | 名称 | VSize | VOffset | RSize | ROffset | Charact. |
01 | .text | 00008000 | 00001000 | 00008000 | 00001000 | 60000020 |
02 | .data | 00002000 | 00009000 | 00002000 | 00009000 | C0000040 |
03 | .rsrc | 00008000 | 0000B000 | 00008000 | 0000B000 | 40000040 |

就可以使用了。

Powered by Community Server Powered by CnForums.Net