Win10x64:在 Windbg 中,如何PEB直接使用GS:[0x60](而不是通过 Windbg 扩展)查看指向 的指针?
为了进行测试,我通过 masm64 组装了一个程序,该程序会引发中断、清除r8然后将指针移动到PEBto r8:
(3a4.2034): Break instruction exception - code 80000003 (!!! second chance !!!)
*** WARNING: Unable to verify checksum for C:\Users\res\Desktop\cfg\test.exe
*** ERROR: Module load completed but symbols could not be loaded for C:\Users\res\Desktop\cfg\test.exe
test+0x10c1:
00007ff6cedf10c1 4d33c0 xor r8,r8
0:000> r
rax=00007ff6cedf1000 rbx=0000000000000000 rcx=00007ff6cedf1068
rdx=00007ff6cedf1075 rsi=0000000000000000 rdi=0000000000000000
rip=00007ff6cedf10c1 rsp=0000006642d8f730 rbp=0000000000000000
r8=0000000000000000 r9=00007ff6cedf1000 r10=0000000000000000
r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl zr na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000244`
之后,我通过 selector 检查了 GS 的基地址,但它没有被填充:
0:000> dg gs
P Si Gr Pr Lo
Sel Base Limit Type l ze an es ng Flags`
---- ----------------- ----------------- ---------- - -- -- -- -- --------
002B 00000000 00000000 00000000 ffffffff Data RW Ac 3 Bg Pg P Nl 00000cf3`
当我尝试 dump 时,它自然为空GS:[0x60]。
但是,当我进入将PEB指针移动到 的指令时r8,r8具有不同的值!:
test+0x10c4:
00007ff6 cedf10c4 654c8b042560000000 mov r8,qword ptr gs:[60h] gs:00000000 00000060=????????????????
0:000> t
test+0x10cd:
00007ff6 cedf10cd 4d8b4018 mov r8,qword ptr [r8+18h] ds:00000066 42e0a018={ntdll!PebLdr (00007ff8 c642f3a0)}
0:000> r
rax=00007ff6cedf1000 rbx=0000000000000000 rcx=00007ff6cedf1068
rdx=00007ff6cedf1075 rsi=0000000000000000 rdi=0000000000000000
rip=00007ff6cedf10cd rsp=0000006642d8f730 rbp=0000000000000000
r8=0000006642e0a000 r9=00007ff6cedf1000 r10=0000000000000000
r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl zr na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
test+0x10cd:
00007ff6 cedf10cd 4d8b4018 mov r8,qword ptr [r8+18h] ds:00000066 42e0a018={ntdll!PebLdr (00007ff8 c642f3a0)}`