Windows Kernel Debugging
Thread starter: 特来劲同学   Started: 2010-12-01 19:56   Replies: 6
2010-12-01, 19:56
特来劲同学
Registered: 2009-08-28
Posts: 37
I set a conditional breakpoint in windbg; when the breakpoint hits, it reports a syntax error. Experts, please advise. I have spent a whole day on this problem and have gone through the windbg documentation n times without finding the answer, and there is no example in it either...

kd> bl
0 e f9748e01 0001 (0001) Ntfs!NtfsFsdCreate "r $t1=poi(poi(poi(esp+8)+64)+34); as /mu $FileName $t1; .block{ .if ($spat(\"${$FileName}\",\"*a.txt\")) { ad ${/v:$FileName} } .else { ad ${/v:$FileName} ; gc } }"
kd> g
Syntax error at '("\RECYCLER\S-1-5-21-1123561945-362288127-725345543-500\","*a.txt")) { ad ${/v:$FileName} } .else { ad ${/v:$FileName} ; gc } '

After changing things back and forth, sometimes it also gives a message like this:
Numeric expression missing from 'and Settings\All Users\Application Data\VMware\VMware Tools\ $t1;'

Also, the documentation section on casting pseudo-register data types says: A pseudo-register is always typed as an integer, unless you use the ? switch together with the r command. If you use this switch, the pseudo-register acquires the type of whatever is assigned to it. For example, the following command assigns the UNICODE_STRING** type and the 0x0012FFBC value to $t15.
0:000> r? $t15 = * (UNICODE_STRING*) 0x12ffbc
I simply cannot use this command in windbg; changing it to UNICODE_STRING or _UNICODE_STRING doesn't work either..
What is the cause? Teacher Zhang, please advise. I'm skipping dinner and waiting online!
2010-12-01, 22:22
格蠹老雷
Registered: 2005-12-19
Posts: 1,303
Sorry for the wait :-)
That Syntax error should be because the '\' at the end of the file path escapes the double quote, so the command parse gets "shifted".
One simple fix is to add a space after the alias:
$spat(\"${$FileName} \",
The other error is most likely a consequence of another error: the alias $FileName defined last time was not deleted.
2010-12-01, 23:36
特来劲同学
Registered: 2009-08-28
Posts: 37
I'm truly moved; getting a reply from Teacher Zhang is a rare fortune. The post I made on 看雪 still has no replies, I thought it had sunk without a trace and was about to ask on foreign forums; luckily brother wy came online in time to tell me Teacher Zhang had replied.
Pattern matching problem. I have had a problem for a long time. The problem is about the conditional breakpoints and the pattern matching command "$spat". I want to set a conditional breakpoint on DispatchCreate routine so that I can watch when my file is opened. I get the irp from esp+8, then get the OriginalFileObject from it, and finally get the FileName. But the commands I used were always not working: bp f9748e01 ".block{as /mu ${$FileName} poi(poi(poi(esp+8)+64)+34)};.block{.if($spat(\"${$FileName}\",\"*abc*\")){ad *}}.else{ad *;gc}}". It can stop but windbg also displays something wrong about that: Numeric expression missing from 'and SettingsAll UsersApplication DataVMwareVMware Tools poi(poi(poi(esp+8)+64)+34)' or some Syntax error at xxx. Please help me~~ :-( Please~ Have tried again and again for quite some time~ I was so tired ~
I simplified the command; it is really just a breakpoint on ntfs's create routine: get the irp via esp+8, get OriginalFileObject from it, then look at the file name, but it is always wrong, which is very frustrating.
Teacher Zhang, I added the space as you said, $spat(\"${$FileName} \", but it still doesn't work.
windbg shows: Numeric expression missing from 'and SettingsAll UsersApplication DataVMwareVMware Tools poi(poi(poi(esp+8)+64)+34)'
Where is it wrong? I hope you can point it out.
2010-12-02, 00:01
特来劲同学
Registered: 2009-08-28
Posts: 37
Alas, I can only blame my own weak fundamentals. Teacher, if you are still here, please rest early and don't let this delay tomorrow's work; when you have time, please help me find the cause. I'm really sorry for keeping you from resting.
2010-12-02, 10:14
格蠹老雷
Registered: 2005-12-19
Posts: 1,303
It seems your debugger already has many duplicate alias definitions.
I suggest listing all aliases with the al command to check them, or deleting all aliases with ad *.
Slightly modified from your command, this runs fine against a Win7 target:
bp Ntfs!NtfsFsdCreate "r $t1=poi(poi(poi(esp+8)+64)+34); as /mu $FileName $t1; .block{ .if ($spat(\" ${$FileName} \",\"*vga.dll\")) {.echo found the pattern; .echo $FileName; ad ${/v:$FileName} } .else { .echo not found the pattern; .echo ' $FileName '; ad ${/v:$FileName}; gc;} }"
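Both errors in this thread come from the same mechanism: the alias value (a file name chosen by whatever process opened the file) is substituted textually into the command before the command is parsed, the same injection shape as unquoted data in a shell or SQL string. The Python below is an added illustration written for this page, not WinDbg code and not from either poster; it is a simplified model of the documented alias and string behaviour, not WinDbg's real parser. Command lines are written as they execute after the outer bp quotes are stripped (so `\"` appears as `"`), and the sample paths are constructed from the ones quoted above; the `C:\Documents` prefix of the stale alias value is an assumption.

```python
import fnmatch

# Constructed sample values modelled on the paths quoted in the thread
# (not read from any real system).  Python raw strings cannot end in a
# backslash, hence the concatenation.
FILE_DIR = r"\RECYCLER\S-1-5-21-1123561945-362288127-725345543-500" + "\\"
FILE_TXT = r"\temp\a.txt"
STALE_ALIAS = (r"C:\Documents and Settings\All Users\Application Data"
               r"\VMware\VMware Tools" + "\\")   # "C:\Documents" prefix assumed

# The command as it runs inside the breakpoint, with and without the
# space that 格蠹老雷 suggested after the alias.
BROKEN = ('.if ($spat("${$FileName}","*a.txt")) { ad ${/v:$FileName} }'
          ' .else { ad ${/v:$FileName} ; gc }')
FIXED = ('.if ($spat("${$FileName} ","*a.txt")) { ad ${/v:$FileName} }'
         ' .else { ad ${/v:$FileName} ; gc }')


def expand_aliases(command, aliases):
    """Textual alias substitution modelled on WinDbg: both ${name} and a
    bare whole-word 'name' are replaced; ${/v:name} is left alone."""
    for name, value in aliases.items():
        command = command.replace("${" + name + "}", value)
        command = " ".join(value if tok == name else tok
                           for tok in command.split(" "))
    return command


def parse_spat_args(text):
    """Parse the string arguments of $spat(...) from just after '$spat('.
    Inside a string, backslash followed by a double quote is an escaped
    quote (the behaviour the thread's error message shows); any other
    backslash is kept literally.  Returns (args, remaining_text)."""
    args, cur, in_quote, i = [], [], False, 0
    while i < len(text):
        c = text[i]
        if in_quote:
            if c == "\\" and text[i + 1:i + 2] == '"':
                cur.append('"')        # a path ending in '\' lands here
                i += 2
                continue
            if c == '"':
                in_quote = False
                args.append("".join(cur))
                cur = []
            else:
                cur.append(c)
        elif c == ")":
            return args, text[i + 1:]
        elif c == '"':
            in_quote = True
        elif c not in " ,":
            raise SyntaxError("Syntax error at %r" % text[i:])
        i += 1
    raise SyntaxError("unterminated $spat argument list")


def eval_if_spat(if_line, file_name):
    """Expand $FileName in an '.if ($spat(...))' line and evaluate the match.
    Raises SyntaxError where the model's parser would."""
    expanded = expand_aliases(if_line, {"$FileName": file_name})
    _, _, rest = expanded.partition("$spat(")
    args, remaining = parse_spat_args(rest)
    if len(args) != 2:
        raise SyntaxError("$spat expects 2 strings, parsed %r" % args)
    if not remaining.startswith(")"):
        raise SyntaxError("Syntax error at %r" % remaining)
    # $spat is a case-insensitive wildcard match; modelled with fnmatch.
    return fnmatch.fnmatchcase(args[0].lower(), args[1].lower())


def check_as_command(as_line, aliases):
    """Model of 'as /mu Name Source': if Name is already an alias, its value
    is substituted first and the command no longer has the two tokens 'as'
    expects, which is the second error in the thread.  Returns (Name, Source)."""
    expanded = expand_aliases(as_line, aliases)
    tokens = expanded.split()
    if tokens[:2] != ["as", "/mu"] or len(tokens) != 4:
        raise SyntaxError("Numeric expression missing from %r" % expanded)
    return tokens[2], tokens[3]


def fails(fn, *args):
    """True when the model rejects the command with a SyntaxError."""
    try:
        fn(*args)
    except SyntaxError:
        return True
    return False


if __name__ == "__main__":
    print("plain file, no space:", eval_if_spat(BROKEN, FILE_TXT))
    print("dir with trailing \\, no space fails:", fails(eval_if_spat, BROKEN, FILE_DIR))
    print("dir with trailing \\, with space:", eval_if_spat(FIXED, FILE_DIR))
    print("stale alias breaks 'as':",
          fails(check_as_command, "as /mu $FileName $t1", {"$FileName": STALE_ALIAS}))
```

In this model the added space becomes part of the compared string, so `\temp\a.txt ` no longer matches `*a.txt` and a pattern such as `*a.txt*` is needed; whether WinDbg itself trims that space is not something the thread settles, so check the pattern against the padded value before relying on the breakpoint. The `ad ${/v:$FileName}` at the end of both branches matters for the same reason as the stale-alias check: an alias that survives into the next run is expanded inside `as /mu $FileName $t1` itself.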
Advanced Debugging » Software Debugging » Windows Kernel Debugging » [Help] windbg conditional breakpoint