Advanced WinDbg debugging: besides hardware and memory breakpoints, you can also attach scripts to breakpoints to batch-process them and handle the related information.
du address (display a UNICODE string)
da address (display an ANSI string)
%mu UNICODE format specifier
%ma ANSI format specifier
| Character | Argument type | Argument | Text printed |
|---|---|---|---|
| %p | ULONG64 | A pointer in the target's virtual address space. | The value of the pointer. |
| %N | DWORD_PTR (32 or 64 bits, depending on the host's architecture) | A pointer in the host's virtual address space. | The value of the pointer. (This is equivalent to the standard C %p character.) |
| %I | ULONG64 | Any 64-bit value. | The specified value. If this is greater than 0xFFFFFFFF, it is printed as a 64-bit address; otherwise it is printed as a 32-bit address. |
| %ma | ULONG64 | The address of a NULL-terminated ASCII string in the target's virtual address space. | The specified string. |
| %mu | ULONG64 | The address of a NULL-terminated Unicode string in the target's virtual address space. | The specified string. |
| %msa | ULONG64 | The address of an ANSI_STRING structure in the target's virtual address space. | The specified string. |
| %msu | ULONG64 | The address of a UNICODE_STRING structure in the target's virtual address space. | The specified string. |
| %y | ULONG64 | The address of a debugger symbol in the target's virtual address space. | A string containing the name of the specified symbol (and displacement, if any). |
| %ly | ULONG64 | The address of a debugger symbol in the target's virtual address space. | A string containing the name of the specified symbol (and displacement, if any), as well as any available source line information. |
Detecting the names of files the application creates or opens (UNICODE)
The first parameter of CreateFileW is the file name
bp kernel32!CreateFileW "r $t1=poi(esp+4);.echo;.printf\"FileName:%mu\",@$t1;.echo;g"
Detecting the names of files the application creates or opens (ANSI)
The first parameter of CreateFileA is the file name
bp kernel32!CreateFileA "r $t1=poi(esp+4);.echo;.printf\"FileName:%ma\",@$t1;.echo;g"
Detecting the names of functions the application resolves dynamically (ANSI)
The second parameter of GetProcAddress is the function name
bp kernel32!GetProcAddress "r $t1=poi(esp+8);.echo;.printf\"FuncName:%ma\",@$t1;.echo;g"
Detecting when the application dynamically resolves a specific function by name (ANSI), and breaking when it does
The second parameter of GetProcAddress is the function name
bp kernel32!GetProcAddress "
r $t1=poi(esp+8);
as /ma $FileName @$t1;
.echo;
.printf\"FileName:%ma\",@$t1;
.block
{
.if($spat(\"${$FileName}\",\"*StartWachat*\"))
{
.echo 'find...';
~0k;
ad ${/v:$FileName}
}
.else
{
.echo no find...;
ad ${/v:$FileName};
gc;
.echo;g
}"
Corrected version:
bp kernel32!GetProcAddress "r $t1=poi(esp+8); as /ma $FuncName @$t1;.echo;.printf\"FuncName:%ma\",@$t1;.block{.if($spat(\"${$FuncName}\",\"*StartWachat*\")){ .echo 'find...';~0k;ad ${/v:$FuncName};} .else{.echo no find...; ad ${/v:$FuncName};.echo;g;}}"
Type in the WinDbg command window:
$<Filename
$><Filename
$$<Filename
$$><Filename
$$>a<Filename [arg1 arg2 arg3 ...]
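As an added example (not code from the original post), the corrected GetProcAddress breakpoint packaged as a script file that is started with `$$>a<`, so the wildcard pattern comes in as the first script argument (alias `$arg1`) instead of being hard-coded. The file name getproc_watch.wds and the pattern are assumptions, and like the breakpoints above it assumes a 32-bit target.

```windbg
$$ getproc_watch.wds: constructed example, not code from the original post
$$ Start it from the WinDbg command window with a wildcard pattern as the argument:
$$     $$>a< getproc_watch.wds *StartWachat*
$$ The first argument is available to the script as the alias $arg1.
$$ Assumes a 32-bit target: the second parameter of GetProcAddress (lpProcName)
$$ is at esp+8 when the breakpoint hits (on x64 it would be in rdx instead).
$$ lpProcName may also carry an ordinal rather than a string pointer (values
$$ below 0x10000), so that case is printed as a number and skipped instead of
$$ being dereferenced with %ma.
bp kernel32!GetProcAddress "r $t1=poi(esp+8); .if (@$t1 < 0x10000) { .printf \"Ordinal: %d\", @$t1; .echo; g; } .else { as /ma $FuncName @$t1; .printf \"FuncName:%ma\", @$t1; .echo; .block { .if ($spat(\"${$FuncName}\", \"${$arg1}\")) { .echo match found, stopping here; ad ${/v:$FuncName}; ~0k; } .else { ad ${/v:$FuncName}; g; } } }"
```

For a 64-bit target, replace poi(esp+8) with @rdx; everything else stays the same.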