我的标题有点模棱两可,不确定它是否真实,因此最后是问号。
基本上,我试图printf在 NASM 中跟踪窗口以识别“输出刺痛的最后一个调用/函数是什么”。在一堆断点等之后,长话短说。我发现如下:
[EIP] debug034:77126000 jmp far ptr 33h:77126009h
一旦我的 EIP 越过这条线,控制台就会输出我的字符串。
我的工作不会在这里结束。因此,我尝试跟踪 jmp 并查看它指向的内容:
正如您在图像中看到的,上面的 jmp 指向这个位置/ unk_77126339(按下d位置后从 unk_ 变为 byte_)这是空数据(不确定,只是说因为db)
我也试图跳到跳的f8a7ff41下方,但这仍然指向空虚。
你知道这里发生了什么吗?或者我如何在这里跳转到 printf 的下一条指令?
首先,您有一个 32 位二进制文件,并且正在 64 位系统上调试它,请参阅 wow64 符号
这意味着你正在寻找某种介于两者之间
这意味着远跳转指向不同的代码段(参见当前代码段 0x43 与代码段 0x33
请让自己熟悉代码段和权限级别
基本上 printf 在通过系统调用转换到内核之前到达 Ntdll!NtWriteFile
您看到的远跳是 32 位系统调用和 64 位执行之间的一层胶水
谷歌搜索 wow64、heavensgate 等词并略读它们
这是在 x64 windbg 上调试的 x86 编译二进制的摘要,代码如下所示
:\>ls -lg
total 1
-rw-r--r-- 1 197121 82 Jan 20 09:03 printf.cpp
:\>cat printf.cpp
#include <stdio.h>
int main (void) {
printf ("hello jmp far\n");
return 0;
}
:\>cl /Zi /W4 /analyze /Od /EHsc /nologo printf.cpp /link /release
printf.cpp
:\>ls -lg
total 6794
-rw-r--r-- 1 197121 82 Jan 20 09:03 printf.cpp
-rwxr-xr-x 1 197121 301568 Jan 20 09:05 printf.exe
-rw-r--r-- 1 197121 59 Jan 20 09:05 printf.nativecodeanalysis.xml
-rw-r--r-- 1 197121 5283 Jan 20 09:05 printf.obj
-rw-r--r-- 1 197121 6574080 Jan 20 09:05 printf.pdb
-rw-r--r-- 1 197121 69632 Jan 20 09:05 vc140.pdb
:\>printf.exe
hello jmp far
这是一个简单的跟踪,输入并执行所有调用,直到打印字符串
滚动到最后以查看过渡
:\>cdb printf.exe
Microsoft (R) Windows Debugger Version 10.0.17763.132 AMD64
(1674.4d4): Break instruction exception - code 80000003 (first chance)
ntdll!LdrpDoDebuggerBreak+0x30:
00007ffa`ac6f0fcc cc int 3
0:000> g printf!main
ModLoad: 00000000`77070000 00000000`77079000 C:\WINDOWS\System32\wow64cpu.dll
ModLoad: 00000000`74eb0000 00000000`74f90000 C:\WINDOWS\SysWOW64\KERNEL32.DLL
ModLoad: 00000000`76e50000 00000000`7704f000 C:\WINDOWS\SysWOW64\KERNELBASE.dll
(1674.4d4): WOW64 breakpoint - code 4000001f (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
ntdll_77080000!LdrpDoDebuggerBreak+0x2b:
7712ecc2 cc int 3
0:000:x86> g printf!main
printf!main:
00181000 55 push ebp
0:000:x86> uf .
printf!main:
00181000 55 push ebp
00181001 8bec mov ebp,esp
00181003 6890011c00 push offset printf!__xt_z+0x8 (001c0190)
00181008 e853000000 call printf!printf (00181060)
0018100d 83c404 add esp,4
00181010 33c0 xor eax,eax
00181012 5d pop ebp
00181013 c3 ret
0:000:x86> pc
printf!main+0x8:
00181008 e853000000 call printf!printf (00181060)
0:000:x86> t
printf!printf:
00181060 55 push ebp
0:000:x86> pc
printf!printf+0x18:
00181078 e82ea10000 call printf!__acrt_iob_func (0018b1ab)
0:000:x86> t
printf!__acrt_iob_func:
0018b1ab 8bff mov edi,edi
0:000:x86> pc
printf!printf+0x21:
00181081 e8aaffffff call printf!_vfprintf_l (00181030)
0:000:x86> t
printf!_vfprintf_l:
00181030 55 push ebp
0:000:x86> pc
printf!_vfprintf_l+0x13:
00181043 e8d8ffffff call printf!__local_stdio_printf_options (00181020)
0:000:x86> t
printf!__local_stdio_printf_options:
00181020 55 push ebp
0:000:x86> pc
printf!_vfprintf_l+0x1f:
0018104f e884b70100 call printf!__stdio_common_vfprintf (0019c7d8)
0:000:x86> t
printf!__stdio_common_vfprintf:
0019c7d8 8bff mov edi,edi
0:000:x86> pc
printf!__acrt_lock_stream_and_call+0x30 [inlined in printf!__stdio_common_vfprintf+0x7c]:
0019c854 e83eedfeff call printf!__crt_seh_guarded_callxxxlambdaing
0:000:x86> t
printf!__crt_seh_guarded_call<int>::operator()<<lambdaing
0018b597 6a0c push 0Ch
0:000:x86> pc
printf!__crt_seh_guarded_call<int>::operator()<<lambda_ing
0018b59e e80d65ffff call printf!__SEH_prolog4 (00181ab0)
0:000:x86> t
printf!__SEH_prolog4:
00181ab0 6890201800 push offset printf!_except_handler4 (00182090)
0:000:x86> pc
printf!__acrt_lock_stream_and_call::__l2::<lambda_8ing
0018b5ac e89cfcffff call printf!_lock_file (0018b24d)
0:000:x86> t
printf!_lock_file:
0018b24d 8bff mov edi,edi
0:000:x86> pc
printf!_lock_file+0xc:
0018b259 ff154c001c00 call dword ptr [printf!_imp__EnterCriticalSection
0:000:x86> t
ntdll_77080000!RtlEnterCriticalSection:
770cadc0 8bff mov edi,edi
0:000:x86> pc
printf!__crt_seh_guarded_call<int>::operator()<<lambda_8
0018b5b9 e880520000 call printf!<lambda_df
0:000:x86> t
printf!<lambda_df52180bf14694d51fdefd82613e8f07>::operator():
0019083e 8bff mov edi,edi
0:000:x86> pc
printf!__acrt_stdio_temporary_buffering_guard::{ctor}+0x1 [inl
0019085c e84e750100 call printf!__acrt_stdio_begin
0:000:x86> t
printf!__acrt_stdio_begin_temporary_buffering_nolock:
001a7daf 8bff mov edi,edi
0:000:x86> pc
printf!__acrt_stdio_begin_temporary_buffering_nolock+0xc:
001a7dbb e80afeffff call printf!_fileno (001a7bca)
0:000:x86> t
printf!_fileno:
001a7bca 8bff mov edi,edi
0:000:x86> pc
printf!__acrt_stdio_begin_temporary_buffering_nolock+0x12:
001a7dc1 e85ed90000 call printf!_isatty (001b5724)
0:000:x86> t
printf!_isatty:
001b5724 8bff mov edi,edi
0:000:x86> pc
printf!__acrt_stdio_begin_temporary_buffering_nolock+0x23:
001a7dd2 e8d433feff call printf!__acrt_iob_func (0018b1ab)
0:000:x86> t
printf!__acrt_iob_func:
0018b1ab 8bff mov edi,edi
0:000:x86> pc
printf!__acrt_stdio_begin_temporary_buffering_nolock+0x6d:
001a7e1c e88ed0ffff call printf!_malloc_base (001a4eaf)
0:000:x86> t
printf!_malloc_base:
001a4eaf 8bff mov edi,edi
0:000:x86> pc
printf!_malloc_base+0x32:
001a4ee1 ff159c001c00 call dword ptr [printf!_imp__HeapAlloc
0:000:x86> t
ntdll_77080000!RtlAllocateHeap:
770cf910 8bff mov edi,edi
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx cut off spew
ntdll_77080000!RtlLeaveCriticalSection:
770ba180 8bff mov edi,edi
0:000:x86> pc
printf!__crt_internal_free_policy::operator()+0x4 [inli
001a7e25 e8e5acffff call printf!_free_base (001a2b0f)
0:000:x86> t
printf!_free_base:
001a2b0f 8bff mov edi,edi
0:000:x86> pc
printf!<lambda_df52180bf14694d51fdefd82613e8f07>::operator()+0x35:
00190873 e8f3f9ffff call printf!_LocaleUpdate::_LocaleUpdate (0019026b)
0:000:x86> t
printf!_LocaleUpdate::_LocaleUpdate:
0019026b 8bff mov edi,edi
0:000:x86> pc
printf!__crt_stdio_output::standard_base<char,__crt_stdio_output::stream_output_adapter
001908a8 e88af6ffff call printf!__crt_stdio_output::output_adapter_data
0:000:x86> t
printf!__crt_stdio_output::output_adapter_data<char,__crt_stdio_output::stream_ou
0018ff37 8bff mov edi,edi
0:000:x86> pc
printf!__crt_stdio_output::output_adapter_data<char,__crt_stdio_output::stream_output_ad
0018ff3f e860ffffff call printf!__crt_stdio_output::common_data<char>::common_data<char> (0018fea4)
0:000:x86> t
printf!__crt_stdio_output::common_data<char>::common_data<char>:
0018fea4 8bff mov edi,edi
0:000:x86> pc
printf!<lambda_df52180bf14694d51fdefd82613e8f07>::operator()+0x79:
001908b7 e88c150000 call printf!__crt_stdio_output::output_pro
0:000:x86> t
printf!__crt_stdio_output::output_processor<char,__crt_stdio_ou
00191e48 8bff mov edi,edi
0:000:x86> pc
printf!__crt_stdio_output::output_processor<char,__crt_stdio_outp
00191e54 e881930000 call printf!__crt_stdio_output::stre
0:000:x86> t
printf!__crt_stdio_stream::valid [inlined in printf!__crt_stdio_output::stream_o
0019b1da 8b01 mov eax,dword ptr [ecx] ds:002b:009ef804=001c9078
0:000:x86> pc
printf!__crt_stdio_output::stream_output_adapter<char>::validate+0x1a:
0019b1f4 e8a5090000 call printf!__acrt_stdio_char_traits<char>::va
0:000:x86> t
printf!__acrt_stdio_char_traits<char>::validate_stream_is_ansi_if_required:
0019bb9e 8bff mov edi,edi
0:000:x86> pc
printf!__acrt_stdio_char_traits<char>::validate_stream_is_ansi_if_required+0x16:
0019bbb4 e811c00000 call printf!_fileno (001a7bca)
0:000:x86> t
printf!_fileno:
001a7bca 8bff mov edi,edi
0:000:x86> pc
zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz cut off spew
0:000:x86>
printf!<lambda_df52180bf14694d51fdefd82613e8f07>::operator()+0x86:
001908c4 e892fbffff call printf!__crt_stdio_output::format
0:000:x86>
printf!__crt_internal_free_policy::operator()+0x9 [inlined in pr
00190466 e8a4260100 call printf!_free_base (001a2b0f)
0:000:x86>
printf!__acrt_stdio_temporary_buffering_guard::{dtor}+0x7
001908e6 e877750100 call printf!__acrt_stdio_end_tempo
0:000:x86>
printf!__acrt_stdio_end_temporary_buffering_nolock+0x1e:
001a7e80 e827c3ffff call printf!__acrt_stdio_flush_nolock (001a41ac)
0:000:x86>
printf!__acrt_stdio_flush_nolock+0x31:
001a41dd e8e8390000 call printf!_fileno (001a7bca)
0:000:x86>
printf!__acrt_stdio_flush_nolock+0x38:
001a41e4 e849c90000 call printf!_write (001b0b32)
0:000:x86>
printf!_write+0x7:
001b0b39 e8720ffdff call printf!__SEH_prolog4 (00181ab0)
0:000:x86>
printf!_write+0x5f:
001b0b91 e818a9ffff call printf!__acrt_lowio_lock_fh (001ab4ae)
0:000:x86>
printf!__acrt_lowio_lock_fh+0x1b:
001ab4c9 ff154c001c00 call dword ptr [printf!_imp__EnterCrit
0:000:x86>
printf!_write+0x9c:
001b0bce e847000000 call printf!_write_nolock (001b0c1a)
0:000:x86>
printf!_write_nolock+0x95:
001b0caf e8fefaffff call printf!write_requires_double_translation_nolock (001b07b2)
0:000:x86>
printf!write_requires_double_translation_nolock+0xc:
001b07be e8614f0000 call printf!_isatty (001b5724)
0:000:x86>
printf!write_requires_double_translation_nolock+0x2f:
001b07e1 e80065ffff call printf!__acrt_getptd (001a6ce6)
0:000:x86>
printf!__crt_scoped_get_last_error_reset::{ctor} [inlined in printf!__acrt_getptd+0x5]:
001a6ceb ff1544001c00 call dword ptr [printf!_imp__GetLastError
0:000:x86>
printf!try_get_ptd_head+0xb [inlined in printf!__acrt_getptd+0x18]:
001a6cfe e8edc7ffff call printf!__acrt_FlsGetValue (001a34f0)
0:000:x86> t;pc
printf!try_get_FlsGetValue+0x11 [inlined in printf!__acrt_FlsGetValue+0x17]:
001a3507 e834fcffff call printf!try_get_function (001a3140)
0:000:x86>
printf!__acrt_FlsGetValue+0x2a:
001a351a ff1544011c00 call dword ptr [printf!__guard_check_icall_fptr
0:000:x86>
printf!__acrt_FlsGetValue+0x30:
001a3520 ffd6 call esi {KERNELBASE!FlsGetValue (76f3fc60)}
0:000:x86>
KERNELBASE!FlsGetValue+0x15:
76f3fc75 ff1508a90177 call dword ptr [KERNELBASE!_imp__RtlFlsGetValue
0:000:x86>
printf!__acrt_getptd+0xa3:
001a6d89 ff1548001c00 call dword ptr [printf!_imp__SetLastError
0:000:x86>
ntdll_77080000!RtlSetLastWin32Error+0x34:
770df8b4 e897570100 call ntdll_77080000!__security_check_cookie (770f5050)
0:000:x86>
printf!_write_nolock+0x130:
001b0d4a e8d6faffff call printf!write_text_ansi_nolock (001b0825)
0:000:x86>
printf!write_text_ansi_nolock+0xa:
001b082f e8fcc30000 call printf!_chkstk (001bcc30)
0:000:x86>
printf!write_text_ansi_nolock+0x9c:
001b08c1 ff1584001c00 call dword ptr [printf!_imp__WriteFile
0:000:x86>
KERNELBASE!WriteFile+0x7:
76f41877 e858920400 call KERNELBASE!_SEH_prolog4 (76f8aad4)
0:000:x86>
KERNELBASE!WriteFile+0x52:
76f418c2 ff15c0a70177 call dword ptr [KERNELBASE!_imp__NtWriteFile
0:000:x86>
ntdll_77080000!NtWriteFile+0xa:
770f2f7a ffd2 call edx {ntdll_77080000!Wow64SystemServiceCall (77109ef0)}
0:000:x86>
wow64cpu!ReadWriteFileFault+0x2c:
00000000`77071995 e816030000 call wow64cpu!CpupSyscallStub (00000000`77071cb0)
0:000>
wow64cpu!CpupSyscallStub+0xa:
00000000`77071cba 0f05 syscall
0:000>
hello jmp far <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< string printed
printf!write_text_ansi_nolock+0xd4:
001b08f9 e8d713fdff call printf!__security_check_cookie (00181cd5)
0:000:x86>
您可以在简洁的单次执行中看到相同的 jmp
:\>cdb -c "bp KERNELBASE!WriteFile;g;g;pc;pc;t;pc;t;r;t;r;t;r;t;g;q" printf.exe | awk /"Reading/,/quit/"
0:000> cdb: Reading initial command 'bp KERNELBASE!WriteFile;g;g;pc;pc;t;pc;t;r;t;r;t;r;t;g;q'
Bp expression 'KERNELBASE!WriteFile' could not be resolved, adding deferred bp
(1b10.1678): WOW64 breakpoint - code 4000001f (first chance)
Breakpoint 0 hit
eax=001a0008 ebx=00000000 ecx=00000000 edx=77109ef0 esi=0135e2e8 edi=00000054
eip=77109ef0 esp=0135e258 ebp=0135e2bc iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
ntdll_77080000!Wow64SystemServiceCall:
77109ef0 ff2528121a77 jmp dword ptr [ntdll_77080000!Wow64Transition (771a1228)]
eax=001a0008 ebx=00000000 ecx=00000000 edx=77109ef0 esi=0135e2e8 edi=00000054
eip=77076000 esp=0135e258 ebp=0135e2bc iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
wow64cpu!KiFastSystemCall:
77076000 ea096007773300 jmp 0033:77076009 <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
rax=00000000001a0008 rbx=0000000000000000 rcx=0000000000000000
rdx=0000000077109ef0 rsi=000000000135e2e8 rdi=0000000000000054
rip=0000000077076009 rsp=000000000135e258 rbp=000000000135e2bc
r8=000000000000002b r9=00000000770f314c r10=0000000000000000
r11=000000000125def0 r12=0000000001052000 r13=000000000125fda0
r14=000000000125e7e0 r15=0000000077073620
iopl=0 nv up ei pl zr na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
wow64cpu!KiFastSystemCall+0x9:
00000000`77076009 41ffa7f8000000 jmp qword ptr [r15+0F8h] ds:00000000`77073718={wow64cpu!CpupRe
hello jmp far
quit:
:\>