逆向工程 - 获取进程映射到 Windbg 的地址 - 吾爱随笔录

获取进程映射到 Windbg 的地址

逆向工程视窗 ollydbg 风袋

2021-07-10 03:27:04

我正在寻找myfile.exe使用Windbg. 为此，我通过串行端口连接到 VMWare 进行内核调试，之后我myfile.exe在来宾机器上运行并从来宾机器附加到它，ollydbg以查看在内核调试中进行的任何编辑，myfile.exe然后中断Windbg从主机编辑内存.

所以我使用以下命令来获取所有进程以查看在哪里可以找到myfile.exe：

 kd> !process 0 0

它给了我一长串我最终可以找到的进程列表myfile.exe。

PROCESS ffffe001f9652080
    SessionId: 1  Cid: 0da4    Peb: 7ffdf000  ParentCid: 0588
    DirBase: 11d6d000  ObjectTable: ffffc0013e905680  HandleCount: <Data Not Accessible>
    Image: myfile.exe

因此，有关此过程的更多详细信息，我运行：

 kd> !process ffffe001f9652080 7

它给了我：

    1: kd> !process ffffe001f9652080 7
PROCESS ffffe001f9652080
    SessionId: 1  Cid: 0da4    Peb: 7ffdf000  ParentCid: 0588
    DirBase: 11d6d000  ObjectTable: ffffc0013e905680  HandleCount: <Data Not Accessible>
    Image: myfile.exe
    VadRoot ffffe001f64dda10 Vads 129 Clone 0 Private 5676. Modified 520. Locked 0.
    DeviceMap ffffc0013dff8c30
    Token                             ffffc0014336a8e0
    ElapsedTime                       00:08:14.197
    UserTime                          00:00:00.046
    KernelTime                        00:00:00.125
    QuotaPoolUsage[PagedPool]         231392
    QuotaPoolUsage[NonPagedPool]      17632
    Working Set Sizes (now,min,max)  (11793, 50, 345) (47172KB, 200KB, 1380KB)
    PeakWorkingSetSize                13859
    VirtualSize                       148 Mb
    PeakVirtualSize                   159 Mb
    PageFaultCount                    24764
    MemoryPriority                    BACKGROUND
    BasePriority                      8
    CommitCharge                      6195
    DebugPort                         ffffe001fa6f0f90
    Job                               ffffe001f8544620
    THREAD ffffe001fa713440  Cid 0da4.10a4  Teb: 000000007ffdb000 Win32Thread: ffffe001f6822cb0 WAIT: (WrUserRequest) UserMode Non-Alertable
        ffffe001fa4bbb90  SynchronizationEvent
    Not impersonating
    DeviceMap                 ffffc0013dff8c30
    Owning Process            ffffe001f9652080       Image:         myfile.exe
    Attached Process          N/A            Image:         N/A
    Wait Start TickCount      56653          Ticks: 2 (0:00:00:00.031)
    Context Switch Count      11053          IdealProcessor: 2             
    UserTime                  00:00:01.125
    KernelTime                00:00:00.781
    Win32 Start Address 0x000000000044aa31
    Stack Init ffffd00025d59c90 Current ffffd00025d59480
    Base ffffd00025d5a000 Limit ffffd00025d54000 Call 0
    Priority 10 BasePriority 8 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5

    Child-SP          RetAddr           : Args to Child                                                           : Call Site
    ffffd000`25d594c0 fffff802`a1c92130 : ffffe001`f805e0c0 fffff961`00000000 ffffe001`fa713440 fffff802`a1c8ee76 : nt!KiSwapContext+0x76
    ffffd000`25d59600 fffff802`a1c91b48 : 00000000`00000000 00000000`00010001 00000000`00000000 00000000`00000000 : nt!KiSwapThread+0x160
    ffffd000`25d596b0 fffff802`a1c9120d : 00000000`00000000 00000000`00000000 ffffd000`25d59900 00000000`00000000 : nt!KiCommitThreadWait+0x148
    ffffd000`25d59740 fffff961`00c95dc5 : fffff901`00000000 ffffd000`25d598a0 fffff901`423edb20 fffff901`0000000d : nt!KeWaitForMultipleObjects+0x3fd
    ffffd000`25d59800 fffff961`00c959f8 : fffff901`423edb20 fffff901`423edb20 00000000`00003dff fffff961`00c958a3 : win32kfull!xxxRealSleepThread+0x355
    ffffd000`25d598f0 fffff961`00c94ba0 : ffffd000`25d59b80 00000000`00000000 fffff901`423edb20 00000000`00000000 : win32kfull!xxxSleepThread2+0x98
    ffffd000`25d59940 fffff961`00c93fc0 : ffffd000`25d59ab8 ffffd000`25d5c240 00000000`00000000 00000000`ffffffff : win32kfull!xxxRealInternalGetMessage+0xb70
    ffffd000`25d59a70 fffff802`a1dd2a63 : ffffe001`fa713440 00000000`570a8480 00000000`00000020 00000000`00000000 : win32kfull!NtUserGetMessage+0x90
    ffffd000`25d59b00 00000000`570b344a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ ffffd000`25d59b00)
    00000000`0009e6b8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x570b344a

    THREAD ffffe001fab05840  Cid 0da4.11ac  Teb: 000000007fe9e000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
        ffffe001f6741d40  QueueObject
    Not impersonating
    DeviceMap                 ffffc0013dff8c30
    Owning Process            ffffe001f9652080       Image:         myfile.exe
    Attached Process          N/A            Image:         N/A
    Wait Start TickCount      51667          Ticks: 4988 (0:00:01:17.937)
    Context Switch Count      34             IdealProcessor: 2             
    UserTime                  00:00:00.000
    KernelTime                00:00:00.015
    Win32 Start Address 0x0000000077e54630
    Stack Init ffffd000203cfc90 Current ffffd000203cf420
    Base ffffd000203d0000 Limit ffffd000203ca000 Call 0
    Priority 8 BasePriority 8 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
    Child-SP          RetAddr           : Args to Child                                                           : Call Site
    ffffd000`203cf460 fffff802`a1c92130 : 0000ffff`00000000 00000000`00000001 ffffe001`fab05980 ffffe001`fab05940 : nt!KiSwapContext+0x76
    ffffd000`203cf5a0 fffff802`a1c91b48 : 00000000`743af562 00000000`00000030 00000000`00000000 ffffe001`f9652578 : nt!KiSwapThread+0x160
    ffffd000`203cf650 fffff802`a1c907a5 : 00000000`69f79021 00000000`00000010 fffffa80`013de6b0 fffffa80`0127b690 : nt!KiCommitThreadWait+0x148
    ffffd000`203cf6e0 fffff802`a1c90382 : ffffe001`f6741d40 00000000`00000000 00000000`00000001 00000000`00000000 : nt!KeRemoveQueueEx+0x215
    ffffd000`203cf750 fffff802`a1c8fd43 : fffff680`003a1d78 ffffe001`f9652578 ffffd000`203cfa00 00000000`00000000 : nt!IoRemoveIoCompletion+0x82
    ffffd000`203cf870 fffff802`a1dd2a63 : fffff6fb`40001d08 fffff680`003a1d78 ffff504a`eece1c5c 00000000`00000000 : nt!NtWaitForWorkViaWorkerFactory+0x303
    ffffd000`203cfa90 00007ff9`eeab538a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ ffffd000`203cfb00)
    00000000`049eea78 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!NtWaitForWorkViaWorkerFactory+0xa

所以我注意到，正如我之前在 Olly 中看到的那样，2 个线程有 2 个堆栈。如你看到的：

    Stack Init ffffd00025d59c90 Current ffffd00025d59480
    Stack Init ffffd000203cfc90 Current ffffd000203cf420

所以我想象我在进程虚拟地址，所以我运行调试器(press g)并通过客机中的 Olly 编辑堆栈的开始和结束。然后再次打开来宾机器并dc查看该区域中的内存，例如：

    dc ffffd00025d59c90 
    dc ffffd000203cfc90

但是我看不到任何更改（我在 Olly 的 Stacks 中所做的更改）！

所以我的问题是：

如何获取myfile.exe映射到内存中的地址（来自主机中的 Windbg）？
我在 Windbg 中看不到我在 olly 中所做的更改有什么问题？（我认为 Windbg 给了我错误的信息Stack Init。）

注意： myfile.exe 是 32 位程序，运行在 64 位 Windows 10 阵风机器下，宿主机也是 64 位 Windows 10。

更新 1：我在 olly 中编辑堆栈的内容。堆栈开始和堆栈结束。

1个回答

您在!process @$proc 7 中看到的堆栈是内核堆栈而不是用户模式堆栈

如果您想查看用户模式堆栈，请使用0x17标志

您在用户模式下编辑的任何内容只能在属于用户模式堆栈的地址中可用，该地址通常小于 0x80000000

这是内核模式调试器中的 calc.exe 堆栈

kd> !process 0 17 calc.exe
Failed to get VAD root
PROCESS 811c3500  SessionId: 0  Cid: 0560    Peb: 7ffd7000  ParentCid: 00a8
    DirBase: 01cc4000  ObjectTable: e1a63450  HandleCount:  28.
    Image: calc.exe
    VadRoot 00000000 Vads 0 Clone 0 Private 115. Modified 0. Locked 0.
    DeviceMap e1a2ed30
    Token                             e1c22270
    ElapsedTime                       00:00:06.709
    UserTime                          00:00:00.030
    KernelTime                        00:00:00.060
    QuotaPoolUsage[PagedPool]         0
    QuotaPoolUsage[NonPagedPool]      0
    Working Set Sizes (now,min,max)  (644, 50, 345) (2576KB, 200KB, 1380KB)
    PeakWorkingSetSize                644
    VirtualSize                       27 Mb
    PeakVirtualSize                   34 Mb
    PageFaultCount                    669
    MemoryPriority                    FOREGROUND
    BasePriority                      8
    CommitCharge                      187

        THREAD 810efda8  Cid 0560.0564  Teb: 7ffdf000 Win32Thread: e1a631d0 WAIT: (WrUserRequest) UserMode Non-Alertable
            ffafbb00  SynchronizationEvent
        Not impersonating
        DeviceMap                 e1a2ed30
        Owning Process            00000000       Image:         
        Attached Process          811c3500       Image:         calc.exe
        Wait Start TickCount      6064           Ticks: 23 (0:00:00:00.230)
        Context Switch Count      164            IdealProcessor: 0                 LargeStack
        UserTime                  00:00:00.020
        KernelTime                00:00:00.060
        Win32 Start Address calc!WinMainCRTStartup (0x01012475)
        Stack Init f8bc2000 Current f8bc1c20 Base f8bc2000 Limit f8bbd000 Call 00000000
        Priority 12 BasePriority 8 PriorityDecrement 2 IoPriority 0 PagePriority 0

        ChildEBP RetAddr  Args to Child              
        f8bc1c38 804dc0f7 810efe18 810efda8 804dc143 nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])
        f8bc1c44 804dc143 000025ff e1a631d0 00000000 nt!KiSwapThread+0x46 (FPO: [0,0,0])
        f8bc1c6c bf802f52 00000001 0000000d 00000001 nt!KeWaitForSingleObject+0x1c2 (FPO: [Non-Fpo])
        f8bc1ca8 bf801b2a 000025ff 00000000 00000001 win32k!xxxSleepThread+0x192 (FPO: [Non-Fpo])
        f8bc1cec bf819e6c f8bc1d18 000025ff 00000000 win32k!xxxRealInternalGetMessage+0x418 (FPO: [Non-Fpo])
        f8bc1d4c 804de7ec 0007fee8 00000000 00000000 win32k!NtUserGetMessage+0x27 (FPO: [Non-Fpo])
        f8bc1d4c 7c90e4f4 0007fee8 00000000 00000000 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ f8bc1d64)
        0007fddc 7e4191be 7e4191f1 0007fee8 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
        0007fdfc 010021b0 0007fee8 00000000 00000000 USER32!NtUserGetMessage+0xc
        0007ff1c 010125e9 000a8aa8 00000055 000a8aa8 calc!WinMain+0x25f (FPO: [Non-Fpo])
        0007ffc0 7c817067 80000001 0144da28 7ffd7000 calc!WinMainCRTStartup+0x174 (FPO: [Non-Fpo])
        0007fff0 00000000 01012475 00000000 78746341 kernel32!BaseProcessStart+0x23 (FPO: [Non-Fpo])

即上面粘贴中的用户模式堆栈部分位于

kd> dc 0007fddc
0007fddc  ???????? ???????? ???????? ????????  ????????????????
0007fdec  ???????? ???????? ???????? ????????  ????????????????
0007fdfc  ???????? ???????? ???????? ????????  ????????????????
0007fe0c  ???????? ???????? ???????? ????????  ????????????????
0007fe1c  ???????? ???????? ???????? ????????  ????????????????
0007fe2c  ???????? ???????? ???????? ????????  ????????????????
0007fe3c  ???????? ???????? ???????? ????????  ????????????????
0007fe4c  ???????? ???????? ???????? ????????  ????????????????

kd> .process /p /r 811c3500
Implicit process is now 811c3500
.cache forcedecodeuser done
Loading User Symbols
.....................



kd> dc 0007fddc
0007fddc  00000000 7e4191be 7e4191f1 0007fee8  ......A~..A~....
0007fdec  00000000 00000000 00000000 7e4191c6  ..............A~
0007fdfc  0007ff1c 010021b0 0007fee8 00000000  .....!..........
0007fe0c  00000000 00000000 7c80b731 000a232f  ........1..|/#..
0007fe1c  00000000 00000000 00000000 00000000  ................
0007fe2c  00000000 00000000 00000000 00000000  ................
0007fe3c  00000000 00000000 00000000 00000000  ................
0007fe4c  00000000 00000000 00000000 00000000  ................

您可以看到在 ollydbg 中所做的编辑反映在用户模式堆栈中正确进程上下文的 kd 中（确保您没有编辑消息循环，它们在每次调用时被重复调用和覆盖）

其它你可能感兴趣的问题

上一篇获取正在运行的可执行文件中的函数列表（包括非导出函数！）下一篇为新 CPU 创建 FLIRT 签名文件