xiaoweitech

��¿ռ�

xiaoweitech — 2008-09-02 10:05

�� baidu �ռ䲻��ϴ��ǳ��㡣��һ��Ū�˸��վ��Ҫ��ע��Ժ� Windows �ں˷��ݣ��ӭ��ҷ��ʡ��ռ��º��Ҳ��½��ת�Ƶ��վ��档��⣬ǿ��Ƽ��ҷ��¿ռ�� WinDbg ��ķ��ѧϰ WinDbg ��ʹ�÷ǳ��а��

��վ��DbgTech (http://www.dbgtech.net)

��Ĭ�Ϸ�� 鿴��

תһ��С��ɣ��ں˵��½ Windows ʱ��֤

xiaoweitech — 2008-04-26 10:52

�� http://www.nynaeve.net/?p=136 ��һ��С��ɣ�ת��ݡ�

�� Windows ��ʱ��ͨ��Է�ʽ��ϵͳ��ں˵��ڵ�½��洦��

kd> !process 0 0 lsass.exe
PROCESS 81378338 SessionId: 0 Cid: 01ac    Peb: 7ffd4000 ParentCid: 0174
    DirBase: 0acf9000 ObjectTable: e12dd2e8 HandleCount: 411.
    Image: lsass.exe

kd> .process /i 0x81378338
You need to continue execution (press 'g' ) for the context
to be switched. When the debugger breaks in again, you will be in
the new process context.
kd> g
Break instruction exception - code 80000003 (first chance)
nt!RtlpBreakWithStatusInstruction:
8081d97e cc int 3
kd> .reload
kd> ba e1 msv1_0!MsvpPasswordValidate "g @$ra; r @al = 0x1; g"
kd> g

Ȼ��Ϳ��Ե�½ϵͳ��ĳЩʱ��á�

��û��õ��ģ��ʱ�� F8 ��ѡ��ģʽ��Window ��ȱʡʹ�� COM2 �˿ڣ�19200 ��ϵͳ��Vista ϵͳ�� 1394 �ڣ��ʹ�� 1394 �˿ڣ�ȱʡ channel Ϊ 0��

����Լ�� 鿴��

�޸� vmkd ֧�� VMware Workstation

xiaoweitech — 2008-04-26 10:22

vmkd ��Դ��ں˵��ķ�Ӧ�ٶȣ�� VMware server ��ܲ��㣬��֧��ֱ�Ӵ��Ϸ��ļ��ÿ�ζ��ô��ϴ��Ի��˵�ʱ�� vmkd �޸��һ�£��֧�� VMware Workstation ��ʹ�á�vmkd ��ԭ��ȥ��վ�ϲ鿴��ǽػ��ں˵��Զ�̵��ͨ�ŵĹ��̣��ÿ��ٵĴ��ݷ��滻��ԭ��ģ�⴮�ڷ��Ӷ��ں˵��ʱ��Ӧ�ٶȡ��ʱ�õ�� VMware �ṩ�� 0x12 ��ָ�ֱ�Ӻ��ϵ� vmware-vmx.exe ��ͨ�ţ��Ҫ��ݴ�ŵ�ĳ��ڴ棬��ע�뵽 vmware-vmx.exe ��̵� vmxpatch.dll ��ȡ��ͨ��µĹܵ��0x12 ��ָ�� vmware-vmx.exe ��е�ĳһ�δ��븺��Ӧ��vmxpatch.dll ע��ʱ��ͨ��һ�δ��룬��Ϊ VMware Workstation �� VMware server ��һ�δ��벻һ�� vmkd ��ʧ�ܣ��֧�� VMware Workstation�� vmxpatch.dll �е��޸�һ�¾��ʵ�ֶ� VMware Workstation ��֧�֡�

�޸ĺ�� vmxpatch.dll ��֮ǰ��ļ��졣

����Լ�� 鿴��

LiveDump - ��̬��ں� dump �ļ�

xiaoweitech — 2008-04-13 22:06

LiveDump by Сι

ģ�� livekd д��һ��ߣ��ڱ��϶�̬��ں� dump �ļ��㱾��ں˵��ԣ��º��ԣ��ܶ��ڱ��浱ǰϵͳ״̬Ҳ�е��á�� livekd ��ͬ��livedump ��ɵ��һ�� dump �ļ��û�в��ļ��ķ�ʽ��ǰ֧�� xp �Ժ�� 32 λϵͳ��ֻ�� 32 λ xpsp2 �� vista ϵͳ�ϲ��ͨ��ʹ�ù��̲��κ��Լ��

D:\WinDBG>livedump d:\DmpFiles\live_vista.dmp

LiveDump v1.0 - Generate full kernel mode dump file on a live system
xiaoweitech - http://hi.baidu.com/xiaoweitech
Copyright (C) 2008 xiaowei
Usage: livedump [dump file name]

start dump ... successed!

D:\WinDBG>kd -z d:\DmpFiles\live_vista.dmp

Microsoft (R) Windows Debugger Version 6.8.0004.0 X86
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [d:\DmpFiles\live_vista.dmp]
Kernel Complete Dump File: Full address space is available

Comment: 'This dump file is generated by LiveDump (http://hi.baidu.com/xiaoweitech)'
Symbol search path is: srv*E:\WebSymbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows Vista Kernel Version 6000 MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 6000.16584.x86fre.vista_gdr.071023-1545
Kernel base = 0x82000000 PsLoadedModuleList = 0x82111e10
Debug session time: Sun Apr 13 21:13:58.005 2008 (GMT+8)
System Uptime: 49336 days 0:17:26.005
Loading Kernel Symbols
........................................................................................................................
.....................................
Loading User Symbols

Loading unloaded module list
..........
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1E, {80000003, df9734b0, 0, 0}

*** ERROR: Module load completed but symbols could not be loaded for LDumpDrv.sys

Probably caused by : Unknown_Image ( LDumpDrv+4b0 )

Followup: MachineOwner
---------

16.0: kd> vertarget
Windows Vista Kernel Version 6000 MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 6000.16584.x86fre.vista_gdr.071023-1545
Kernel base = 0x82000000 PsLoadedModuleList = 0x82111e10
Debug session time: Sun Apr 13 21:13:58.005 2008 (GMT+8)
System Uptime: 49336 days 0:17:26.005

16.0: kd> !process 0 0 explorer.exe
PROCESS 862b4d90 SessionId: 1 Cid: 0374    Peb: 7ffd8000 ParentCid: 021c
    DirBase: 685ed360 ObjectTable: 9d1817c0 HandleCount: 810.
    Image: explorer.exe

16.0: kd> !pcr
KPCR for Processor 0 at 820f4700:
    Major 1 Minor 1
        NtTib.ExceptionList: ffffffff
            NtTib.StackBase: 00000000
           NtTib.StackLimit: 00000000
         NtTib.SubSystemTib: 8014f000
              NtTib.Version: 03dc94a2
          NtTib.UserPointer: 00000001
              NtTib.SelfTib: 00000000

                    SelfPcr: 820f4700
                       Prcb: 820f4820
                       Irql: 00000002
                        IRR: 00000000
                        IDR: ffffffff
              InterruptMode: 00000000
                        IDT: 81c7f400
                        GDT: 81c7f000
                        TSS: 8014f000

              CurrentThread: 820f8300
                 NextThread: 00000000
                 IdleThread: 820f8300

                  DpcQueue:
16.0: kd> !object \Driver
Object: 88a68958 Type: (84057d40) Directory
    ObjectHeader: 88a68940 (old version)
    HandleCount: 0 PointerCount: 103
    Directory Object: 88a07488 Name: Driver

    Hash Address Type          Name
    ---- ------- ----          ----
     00 86191880 Driver        Beep
         85ce0570 Driver        al3uov8c
         8541eac8 Driver        KSecDD
         84f0d768 Driver        NDIS
     01 85d15c28 Driver        mouclass
     02 86ab0b08 Driver        CMB8100
     03 847280d8 Driver        LDumpDrv
         85e81778 Driver        kbdclass
         856240d0 Driver        IntcAzAudAddService
     04 86191e30 Driver        VgaSave
         8604f528 Driver        NDProxy
         84e32dd8 Driver        msisadrv
         867221b8 Driver        monitor
     05 84f07d78 Driver        Ecache
         84e3f760 Driver        MountMgr
     06 85ca7438 Driver        ohci1394
         86376d38 Driver        CMBProtector
     08 84eb65b8 Driver        atapi
         861604b8 Driver        PEAUTH
     09 84eb5ef0 Driver        JRAID
         84eb6908 Driver        volmgrx
         8405bd28 Driver        PCI_NTPNP9580
     10 84a10030 Driver        USBSTOR
         862adcd8 Driver        PSched
         861e5158 Driver        RasAcd
         85dad318 Driver        VMnetAdapter
         85c7cec8 Driver        tunmp
         84dbc368 Driver        sptd
     11 85ca5f38 Driver        usbuhci
         8641bb28 Driver        mouhid
         865e5860 Driver        Win32k
         86cabb68 Driver        VMnetuserif
     12 869c0bf8 Driver        VMnetBridge
         85de4d30 Driver        usbhub
         85d14f38 Driver        swenum
         85d1dcd0 Driver        rdpdr
         85b93ad0 Driver        tunnel
     13 861ec740 Driver        RDPCDD
         85ce6ac0 Driver        RasPppoe
         86a378b0 Driver        HTTP
     14 85d94030 Driver        TermDD
         85be6880 Driver        MTsensor
     15 85ceac48 Driver        Rasl2tp
         84f01c78 Driver        JGOGO
     17 84b5c150 Driver        WUDFRd
         85cf1f38 Driver        umbus
         85ce5f38 Driver        VPCNetS2
     18 862c9cb8 Driver        Smb
         861a7f38 Driver        WlanUIG
         85d1df38 Driver        PptpMiniport
         85cf6760 Driver        Serenum
         85b0cb68 Driver        crcdisk
         84f0b750 Driver        CLFS
         840a3960 Driver        WMIxWDM
         840a3f38 Driver        ACPI_HAL
         86b0c680 Driver        secdrv
     19 84fda390 Driver        spldr
         869557b0 Driver        hcmon
     21 8695fe20 Driver        NativeWifiP
         862c9838 Driver        netbt
         85c449e0 Driver        AtcL001
         86b5ed40 Driver        tcpipreg
     22 861a8b50 Driver        RDPENCDD
         85c990d0 Driver        cdrom
         85d14e40 Driver        mssmbios
         85cea8d8 Driver        iScsiPrt
         84e3f668 Driver        pciide
     23 869d8830 Driver        rspndr
         863392e8 Driver        tdx
     24 84f6ff38 Driver        fvevol
         861e5998 Driver        Tcpip
         8694ce90 Driver        mpsdrv
     25 84fbbab8 Driver        volsnap
         862ab030 Driver        nsiproxy
         84ebbdd8 Driver        volmgr
     26 85c7dcb0 Driver        intelppm
     27 869d2030 Driver        lltdio
         8645f580 Driver        ZSMC301b
         86329578 Driver        Wanarpv6
     28 86158150 Driver        Null
         85be0758 Driver        usbehci
     29 8541e2a0 Driver        disk
         862d7200 Driver        CSC
         84ebb380 Driver        pci
     30 84fda498 Driver        partmgr
         85cdc8c8 Driver        Serial
         85d1d030 Driver        NdisTapi
         85d92ec0 Driver        NdisWan
     31 862e3568 Driver        vmm
         85c429e0 Driver        HDAudBus
         85c85f38 Driver        DXGKrnl
     32 840513e0 Driver        ACPI
         84dd6710 Driver        Wdf01000
         869d4030 Driver        vmx86
     33 840a2300 Driver        PnpManager
     34 8470c9a0 Driver        PROCEXP111
         869da840 Driver        Ndisuio
         8633f890 Driver        AFD
         85be29e0 Driver        nvlddmkm
     35 86409b88 Driver        HidUsb
         868aa768 Driver        vstor2
     36 85cdcca0 Driver        i8042prt
16.0: kd>

�� dump �ļ�ͷ��ʽ��Ҳο��

typedef struct _DUMP_HEADER32 /* sizeof = 0x1000 */
{
/* 000 */   ULONG       ulSignature;
/* 004 */   ULONG       ulValidDump;
/* 008 */   ULONG       ulMajorVersion;
/* 00C */   ULONG       ulMinorVersion;
/* 010 */   ULONG       ulDirectoryTableBase;
/* 014 */   ULONG       ulPfnDataBase;
/* 018 */   PLIST_ENTRY PsLoadedModuleList;
/* 01C */   PLIST_ENTRY PsActiveProcessHead;
/* 020 */   ULONG       ulMachineImageType;
/* 024 */   ULONG       ulNumberProcessors;
/* 028 */   ULONG       ulBugCheckCode;
/* 02C */   ULONG       ulBugCheckParameter1;
/* 030 */   ULONG       ulBugCheckParameter2;
/* 034 */   ULONG       ulBugCheckParameter3;
/* 038 */   ULONG       ulBugCheckParameter4;
/* 03C */   char        szVersionUser[32];
/* 05C */   BOOLEAN     bPaeEnabled;
/* 05D */   UCHAR       uchKdSecondaryVersion;
/* 05E */   char        chUnused1[2];
/* 060 */   ULONG       ulKdDebuggerDataBlock;
/* 064 */   PHYSICAL_MEMORY_DESCRIPTOR stPhysMemDesc;
/* 074 */   char        chUnused2[684];
/* 320 */   CONTEXT     stContext;
/* 5EC */   char        chUnused3[484];
/* 7D0 */   EXCEPTION_RECORD32 stExceptionRecord;
/* 820 */   char        szComment[1896];
/* F88 */   ULONG       ulDumpType;
/* F8C */   ULONG       ulMiniDumpFields;
/* F90 */   ULONG       ulSecondaryDataState;
/* F94 */   ULONG       ulProductType;
/* F98 */   ULONG       ulSuiteMask;
/* F9C */   ULONG       ulWriterStatus;
/* FA0 */   ULONG64     ulFileSize;
/* FA8 */   char        chUnused4[16];
/* FB8 */   ULONG64     ulSystemUptime;
/* FC0 */   ULONG64     ulDebugSessionTime;
/* FC8 */   char        chUnused5[56];
} DUMP_HEADER32, *PDUMP_HEADER32;

��ﻹ��һƪ��½�� dump �ļ��ʽ��

http://wasm.ru/article.php?article=dmp_format

�ϴ��ĸ��

LiveDump.zip (2008-04-13 21:42, 33.9 KB, 1 ��)

����Լ�� 鿴��

VistaLKD - ��̬�� vista ϵͳ��ں˵��Թ��

xiaoweitech — 2008-04-13 22:02

VistaLKD by Сι

WinDbg �ı��ں˵��Ǹ��ǿ��Ĺ��ܣ��Բ鿴�޸��ں��Ϣ�� Vista ϵͳ�Ժ�ȱʡ��ʹ�ñ��ں˵��Թ��ܣ�ֻ��޸��򿪵��Թ��ʹ�á��д�˸� VistaLKD С��ߣ��Զ�̬�򿪱��ں˵��Թ��ܣ��ʹ�á�

D:\WinDbg>kd -kl

Microsoft (R) Windows Debugger Version 6.8.0004.0 X86
Copyright (c) Microsoft Corporation. All rights reserved.

OSVERSIONINFO(276,6,0,6000,2)
Local kernel debugging is disabled by default in Windows Vista, you must run "bcdedit -debug on" and reboot to enable it
.
Debuggee initialization failed, HRESULT 0x80004001
""

D:\WinDbg>kd -kl

Microsoft (R) Windows Debugger Version 6.8.0004.0 X86
Copyright (c) Microsoft Corporation. All rights reserved.

OSVERSIONINFO(276,6,0,6000,2)
Connected to Windows Vista 6000 x86 compatible target, ptr64 FALSE
Symbol search path is: srv*E:\WebSymbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
*******************************************************************************
WARNING: Local kernel debugging requires booting with kernel
debugging support (/debug or bcdedit -debug on) to work optimally.
*******************************************************************************
Windows Vista Kernel Version 6000 MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 6000.16584.x86fre.vista_gdr.071023-1545
Kernel base = 0x81c00000 PsLoadedModuleList = 0x81d11e10
Debug session time: Sat Apr 5 07:32:21.600 2008 (GMT+8)
System Uptime: 0 days 0:05:36.475
lkd>

�ϴ��ĸ��

VistaLKD.zip (2008-04-05 10:21, 110.0 KB, 52 ��)

����Լ�� 鿴��

DbgPrint ��̷��

xiaoweitech — 2008-04-13 22:00

��ķ�� Vista ϵͳ�� DbgPrint ��ִ��Լ� DebugView ��ߵ�ԭ��

DbgPrint��̷��.pdf

��windows �ں� �鿴��

findstr ��ѧϰ

xiaoweitech — 2008-04-13 21:59

findstr ��ѧϰ

findstr �� Windows �Դ��һ��ʵ�ó��ļ��е��ַ��֧��ʽ��

��£�

FINDSTR [/B] [/E] [/L] [/R] [/S] [/I] [/X] [/V] [/N] [/M] [/O] [/F:file]
[/C:string] [/G:file] [/D:dir list] [/A:color attributes] [/OFF[LINE]
strings [[drive:][path]filename[ ...]]

/B        ��һ�еĿ�ʼ��ģʽ��
/E        ��һ�еĽ�β��ģʽ��
/L        ��ʹ��ַ��
/R        ��ַ��Ϊһ��ʽʹ�á�
/S        �ڵ�ǰĿ¼��Ŀ¼��
              ƥ��ļ��
/I         ָ��ִ�Сд��
/X        ��ӡ��ȫƥ��С�
/V        ֻ��ӡ��ƥ��С�
/N        ��ƥ��ÿ��ǰ��ӡ��
/M        ��ļ��ƥ��ֻ��ӡ��ļ��
/O        ��ÿ��ƥ��ǰ��ӡ�ַ�ƫ��
/P        ��в��ɴ�ӡ�ַ��ļ��
/OFF[LINE] ��ѻ��Լ��ļ��
/A:attr   ָ��ʮ��λ��ֵ��ɫ��ԡ�� "color /?"
/F:file   ��ָ��ļ��ļ��б� (/ ��̨)��
/C:string ʹ��ָ��ַ��Ϊ��ַ��
/G:file   ��ָ��ļ��ַ�� (/ ��̨)��
/D:dir    ��Էֺ�Ϊ�ָ��Ŀ¼�б�
strings   Ҫ��ҵ��֡�
[drive:][path]filename
            ָ��Ҫ��ҵ��ļ��

��ǲ�� /C ǰ׺��ʹ�ÿո��ַ��
��: 'FINDSTR "hello there" x.y' ��ļ� x.y ��Ѱ�� "hello" ��
"there" �� 'FINDSTR /C:"hello there" x.y' �ļ� x.y Ѱ��
"hello there"��

һ��ʽ�Ŀ��ٲο�:
.        ͨ��: �κ��ַ�
*        �ظ�: ��ǰ�ַ��ϴ��
^        ��λ��: �еĿ�ʼ
$        ��λ��: �е��յ�
[class] �ַ��: �κ��ַ��е��ַ�
[^class] ��ַ��: �κβ��ַ��е��ַ�
[x-y]    ��Χ: ��ָ��Χ�ڵ��κ��ַ�
\x       Escape: Ԫ�ַ� x ��÷�
\ xyz\>    ��λ��: �ֵĽ��

��߽��ʹ��ʱ�ȽϷ��㣬��ʾ�˽�� dumpbin ��߲�� ntdll.dll ��к� port ��صĺ��

d:\>dumpbin /exports c:\WINDOWS\system32\ntdll.dll | findstr /i port
Section contains the following exports for ntdll.dll
         86   4E 0000D379 NtAcceptConnectPort = _NtAcceptConnectPort@24
        115   6B 0000D5DA NtCompleteConnectPort = _ZwCompleteConnectPort@4
        117   6D 0000D604 NtConnectPort = _NtConnectPort@32
        133   7D 0000D73F NtCreatePort = _NtCreatePort@20
        143   87 0000D811 NtCreateWaitablePort = _ZwCreateWaitablePort@20
        178   AA 0000DADB NtImpersonateClientOfPort = _ZwImpersonateClientOfPort@8
        184   B0 0000DB59 NtListenPort = _NtListenPort@8
        242   EA 0000E006 NtQueryInformationPort = _ZwQueryInformationPort@20
        255   F7 0000EAB0 NtQueryPortInformationProcess = _ZwQueryPortInformationProcess@0
        277 10D 0000E2D0 NtRegisterThreadTerminatePort = _NtRegisterThreadTerminatePort@4
        285 115 0000E363 NtReplyPort = _ZwReplyPort@8
        286 116 0000E378 NtReplyWaitReceivePort = _NtReplyWaitReceivePort@16
        287 117 0000E38D NtReplyWaitReceivePortEx = _ZwReplyWaitReceivePortEx@20
        288 118 0000E3A2 NtReplyWaitReplyPort = _NtReplyWaitReplyPort@8
        290 11A 0000E3CC NtRequestPort = _NtRequestPort@8
        291 11B 0000E3E1 NtRequestWaitReplyPort = _NtRequestWaitReplyPort@12
        301 125 0000E4B3 NtSecureConnectPort = _ZwSecureConnectPort@36
        306 12A 0000E51C NtSetDefaultHardErrorPort = _NtSetDefaultHardErrorPort@4
        442 1B3 00058037 RtlComputeImportTableHash = _RtlComputeImportTableHash@12
        896 37F 0000D379 ZwAcceptConnectPort = _NtAcceptConnectPort@24
        925 39C 0000D5DA ZwCompleteConnectPort = _ZwCompleteConnectPort@4
        927 39E 0000D604 ZwConnectPort = _NtConnectPort@32
        943 3AE 0000D73F ZwCreatePort = _NtCreatePort@20
        953 3B8 0000D811 ZwCreateWaitablePort = _ZwCreateWaitablePort@20
        987 3DA 0000DADB ZwImpersonateClientOfPort = _ZwImpersonateClientOfPort@8
        993 3E0 0000DB59 ZwListenPort = _NtListenPort@8
       1051 41A 0000E006 ZwQueryInformationPort = _ZwQueryInformationPort@20
       1064 427 0000EAB0 ZwQueryPortInformationProcess = _ZwQueryPortInformationProcess@0
       1086 43D 0000E2D0 ZwRegisterThreadTerminatePort = _NtRegisterThreadTerminatePort@4
       1094 445 0000E363 ZwReplyPort = _ZwReplyPort@8
       1095 446 0000E378 ZwReplyWaitReceivePort = _NtReplyWaitReceivePort@16
       1096 447 0000E38D ZwReplyWaitReceivePortEx = _ZwReplyWaitReceivePortEx@20
       1097 448 0000E3A2 ZwReplyWaitReplyPort = _NtReplyWaitReplyPort@8
       1099 44A 0000E3CC ZwRequestPort = _NtRequestPort@8
       1100 44B 0000E3E1 ZwRequestWaitReplyPort = _NtRequestWaitReplyPort@12
       1110 455 0000E4B3 ZwSecureConnectPort = _ZwSecureConnectPort@36
       1115 45A 0000E51C ZwSetDefaultHardErrorPort = _NtSetDefaultHardErrorPort@4

��δ�� 鿴��

��һ��Ĺ��: vmkd

xiaoweitech — 2008-04-13 21:58

WinDbg + VMWare ��˫��ںˣ�� VMWare ��ṩ��⴮�ڷ�ʽ��ٶȺ��ҵ��ʱռ�� CPU 100%��ǲ��ˬ��

Skywing ��վ�Ϸ��һ�� vmkd��http://www.nynaeve.net/?page_id=168 ��Խ��⣬��һ�д��һϵ��˵��ʵ��ԭ��http://www.nynaeve.net/?p=174��

��һ�£��о��ǳ��ã��ܸ��ң��Ǻǣ�

��װ��裺

1. ��װ VMware Server 1.0.4�� vmware ��վ�Ͽ��ע�ᡣ
2. ��а�װ��ϵͳ��úô��ڵ��ԡ�
3. �� vmkd �е� kdvmware.sys ��Ƶ��У�sc create kdvmware start= demand type= kernel binPath= c:\windows\system32\drivers\kdvmware.sys DisplayName= kdvmware ��װ��
4. ͨ��ڶ��úõĵ��Է�ʽ��ϵͳ��
5. �ҵ�� vmware-vmx.exe ��̵� pid�� vmxinject.exe pid �� vmxpatch.dll ע�뵽 vmware-vmx.exe ��̡�
6. ��ͨ�� net start kdvmware ��
7. �� WinDbg ��ͨ�� \\.\pipe\kdvmware_winxp ��е�ϵͳ��ʼ��ԣ��ܵ��е� winxp ��ϵͳ�İ�װ�ļ��У��磺d:\VM\winxp��

��ȥ�� .dump /f ���ٶȺܿ죬��ȫ��“�ǳ��ǳ��Ҫһ��Сʱ”��ʾ��:)

����Լ�� 鿴��

WinDbg ��ѧϰ - !list

xiaoweitech — 2008-04-13 21:57

Windows �ڲ��ĸ��ֽṹͨ��˫�� !list ��鿴��Щ�ṹ�ǳ��㡣

��鿴ϵͳ�е��н��̣�

lkd> !list -t nt!_LIST_ENTRY.Flink -x "dt nt!_EPROCESS UniqueProcessId ImageFileName @@(#CONTAINING_RECORD(@$extret, nt!_EPROCESS, ActiveProcessLinks))" poi(nt!PsActiveProcessHead)

    +0x084 UniqueProcessId : 0x00000004
    +0x174 ImageFileName    : [16]   "System"

    +0x084 UniqueProcessId : 0x00000270
    +0x174 ImageFileName    : [16]   "SMSS.EXE"

    +0x084 UniqueProcessId : 0x000002ac
    +0x174 ImageFileName    : [16]   "CSRSS.EXE"

    +0x084 UniqueProcessId : 0x000002c4
    +0x174 ImageFileName    : [16]   "WINLOGON.EXE"

    +0x084 UniqueProcessId : 0x000002f0
    +0x174 ImageFileName    : [16]   "SERVICES.EXE"

    +0x084 UniqueProcessId : 0x00000314
    +0x174 ImageFileName    : [16]   "LSASS.EXE"

    +0x084 UniqueProcessId : 0x000003a4
    +0x174 ImageFileName    : [16]   "SVCHOST.EXE"

    +0x084 UniqueProcessId : 0x000003f8
    +0x174 ImageFileName    : [16]   "SVCHOST.EXE"

    +0x084 UniqueProcessId : 0x000005ec
    +0x174 ImageFileName    : [16]   "SVCHOST.EXE"

    +0x084 UniqueProcessId : 0x00000658
    +0x174 ImageFileName    : [16]   "SVCHOST.EXE"

    +0x084 UniqueProcessId : 0x000006f0
    +0x174 ImageFileName    : [16]   "SVCHOST.EXE"

    +0x084 UniqueProcessId : 0x000000c8
    +0x174 ImageFileName    : [16]   "SPOOLSV.EXE"

    +0x084 UniqueProcessId : 0x00000298
    +0x174 ImageFileName    : [16]   "MDM.EXE"

    +0x084 UniqueProcessId : 0x00000484
    +0x174 ImageFileName    : [16]   "WGATRAY.EXE"

    +0x084 UniqueProcessId : 0x00000494
    +0x174 ImageFileName    : [16]   "EXPLORER.EXE"

    +0x084 UniqueProcessId : 0x0000056c
    +0x174 ImageFileName    : [16]   "SVCHOST.EXE"

    +0x084 UniqueProcessId : 0x000005d4
    +0x174 ImageFileName    : [16]   "vmware-authd.ex"

    +0x084 UniqueProcessId : 0x000006b0
    +0x174 ImageFileName    : [16]   "VMOUNT2.EXE"

    +0x084 UniqueProcessId : 0x00000700
    +0x174 ImageFileName    : [16]   "VMNAT.EXE"

    +0x084 UniqueProcessId : 0x000007a8
    +0x174 ImageFileName    : [16]   "VMNETDHCP.EXE"

    +0x084 UniqueProcessId : 0x00000448
    +0x174 ImageFileName    : [16]   "HKCMD.EXE"

    +0x084 UniqueProcessId : 0x000004dc
    +0x174 ImageFileName    : [16]   "IGFXPERS.EXE"

    +0x084 UniqueProcessId : 0x00000578
    +0x174 ImageFileName    : [16]   "SOUNDMAN.EXE"

    +0x084 UniqueProcessId : 0x00000590
    +0x174 ImageFileName    : [16]   "daemon.exe"

    ......

��Ҫִ�ж����ÿ��÷ֺŸ�� !list ��˫��

����Լ�� 鿴��

�� WinDbg �ű��ʹ�ò��

xiaoweitech — 2008-04-13 21:56

WinDbg 6.7.5.0 �汾��нű�ʱ��һ��µ�� $$>a<��Ը��ű��ݲ��һ��򵥵��ӣ��ʾ�˲��÷��

$$
$$ calc v0.0.1
$$ by Сι 2007.06.08
$$

.if(@@c++(${/d:$arg1} && ${/d:$arg2}))
{
     .printf "\n%d + %d = %d\n", ${$arg1}, ${$arg2}, ${$arg1} + ${$arg2}
     .printf "%d - %d = %d\n", ${$arg1}, ${$arg2}, ${$arg1} - ${$arg2}
     .printf "%d * %d = %d\n", ${$arg1}, ${$arg2}, ${$arg1} * ${$arg2}
     .printf "%d / %d = %d\n", ${$arg1}, ${$arg2}, ${$arg1} / ${$arg2}
}
.else
{
     .printf "\nusage: $$>a< \calc.txt arg1 arg2\n\n"
}

��һ�£�

0:000> $$>a< d:\windbg\scripts\calc.txt @eax 4

1580724 + 4 = 1580728
1580724 - 4 = 1580720
1580724 * 4 = 6322896
1580724 / 4 = 395181
����Լ�� 鿴��

��

xiaoweitech — 2008-04-08 20:24

��д�˸�С��߲��Բ��ҶϿ� PsLoadedModuleList �� np ��

��ǹؼ��룺

PDIRECTORY_BASIC_INFORMATION     pDriverBuffer = NULL;
pDriverBuffer = (PDIRECTORY_BASIC_INFORMATION)m_cSysInfo.QueryDirectoryObject(L"\\Driver", &uMemSize);

��Ŀ¼�µ��ж��󣬲��Ҵ��¡�

PVOID CNativeSysInfo::QueryDirectoryObject(PWSTR pwsDirPath, PULONG puMemSize)
{
     NTSTATUS             ntStatus;
     UNICODE_STRING       usDirPath;
     OBJECT_ATTRIBUTES    oa;
     HANDLE               hDir = NULL;
     PVOID                pBuffer = NULL;
     ULONG                uLength = 0x800;
     ULONG                uContext = 0;
     ULONG                uResult = 0;

     // �жϺ��Ƿ��
     if(m_lpRtlInitUnicodeString == NULL ||
        m_lpZwOpenDirectoryObject == NULL ||
        m_lpZwQueryDirectoryObject == NULL ||
        m_lpZwClose == NULL)
     {
         return NULL;
     }

     // ��Ŀ¼��
     m_lpRtlInitUnicodeString(&usDirPath, pwsDirPath);
     InitializeObjectAttributes(&oa, &usDirPath, OBJ_CASE_INSENSITIVE, NULL, NULL);
     ntStatus = m_lpZwOpenDirectoryObject(&hDir, DIRECTORY_QUERY, &oa);
     if(ntStatus != STATUS_SUCCESS)
     {
         TRACE(_T("ZwOpenDirectoryObject failed!"));
         goto _exit;
     }

     // ��ѯĿ¼��
     do
     {
         if(pBuffer)
             VirtualFree(pBuffer, uLength, MEM_DECOMMIT);

         uLength *= 2;

         pBuffer = VirtualAlloc(NULL, uLength, MEM_COMMIT, PAGE_READWRITE);
         if(pBuffer == NULL)
             goto _exit;

         ntStatus = m_lpZwQueryDirectoryObject(hDir, pBuffer, uLength, FALSE, TRUE, &uContext, &uResult);

     } while(ntStatus == STATUS_MORE_ENTRIES || ntStatus == STATUS_BUFFER_TOO_SMALL);

     // �жϲ�ѯ�Ƿ�ɹ��
     if(ntStatus == STATUS_SUCCESS)
     {
         if(puMemSize)
             *puMemSize = uLength;
     }
     else
     {
         VirtualFree(pBuffer, uLength, MEM_DECOMMIT);
         pBuffer = NULL;
     }

_exit:

     if(hDir)
     {
         m_lpZwClose(hDir);
         hDir = NULL;
     }

     return pBuffer;
}

Ȼ��ѵõ��Ľ��ͳ��ȽϾͿ��ҵ��Ϣ��ͨ��ķ�ʽ�õ��

     PDRIVER_OBJECT           pDrvObject = NULL;

     RtlInitUnicodeString(&usDirPath, (PCWSTR)pvInBuf);
     ntStatus = ObReferenceObjectByName(&usDirPath,
                                        OBJ_CASE_INSENSITIVE,
                                        NULL,
                                        0,
                                        *IoDriverObjectType,
                                        KernelMode,
                                        NULL,
                                        (PVOID*)&pDrvObject);

�� DRIVER_OBJECT �ṹ��ɶ��ˣ�:)

��һ��ӣ��İ취��Է��֡�

void _EraseDrvFromModList(PDRIVER_OBJECT pDrvObject)
{
     PLDR_DATA_TABLE_ENTRY    pOwen;
     PLDR_DATA_TABLE_ENTRY    pPrev;
     PLDR_DATA_TABLE_ENTRY    pNext;

     pOwen = (PLDR_DATA_TABLE_ENTRY)pDrvObject->DriverSection;
     pPrev = (PLDR_DATA_TABLE_ENTRY)pOwen->InLoadOrderModuleList.Blink;
     pNext = (PLDR_DATA_TABLE_ENTRY)pOwen->InLoadOrderModuleList.Flink;

     pPrev->InLoadOrderModuleList.Flink = (PLIST_ENTRY)pNext;
     pNext->InLoadOrderModuleList.Blink = (PLIST_ENTRY)pPrev;

     pOwen->InLoadOrderModuleList.Flink = (PLIST_ENTRY)pOwen;
     pOwen->InLoadOrderModuleList.Blink = (PLIST_ENTRY)pOwen;
}

��windows �ں� �鿴��

�� PE �ļ��Ϣ��ֵ

xiaoweitech — 2008-04-08 20:21

��߿��鿴 PE �ļ��Ϣ��ֵ��Ӷ��ж��ļ��Ƿ�ѹ��˼·��Դ�� PEiD ��ߣ�ÿ��ڵ��Ϣ�غ� PEiD �ļ��һ�� ļ��ֵ�� PEiD �ļ��ͬ��㲻�� PEiD ��ôŪ�ġ�Ҳ��ȥ��ˡ��PEiD ��̳�и��⣺http: //www.secretashell.com/PEiD/viewtopic.php?t=42��

��Ϣ�ص��֪ʶ��Ҳ��ֻ�ǿ��˵��ϣ��˽�ЩƤë��ɶ��Ҳ��ң��Ҳ��ʣ��Ǻǿ�� http://en.wikipedia.org/wiki/Information_entropy ��

��⣬�о��ܻ��ͦ��õģ�� ProcessExplorer ��ʾ��ѹ��Ľ��̣��ƾ��õ��ְ취��²�� ^_^��

Դ��أ� entropy_src.zip

��δ�� 鿴��

д�˸�С�� WinDbg �ű��ʾ SSDT

xiaoweitech — 2008-04-08 07:43

$$ ntcall Script v0.1
$$ by Сι 2006.10.29

aS ufLinkS "";
aS ufLinkE "";

r $t1 = nt!KeServiceDescriptorTable;
r $t2 = poi(@$t1 + 8);
r $t1 = poi(@$t1);

.printf "\nOrd    Address    fnAddr    Symbols\n";
.printf "--------------------------------\n\n";

.for (r $t0 = 0; @$t0 != @$t2; r $t0 = @$t0 + 1)
{
     r $t3 = poi(@$t1);
     .printf /D "[%3d] %X: ${ufLinkS}%X${ufLinkE} (%y)\n", @$t0, @$t1, @$t3, @$t3, @$t3, @$t3;
     r $t1 = @$t1 + 4;
}

.printf "\n- end -\n";

ad ufLinkS;
ad ufLinkE;

��ӻ��ĳ��

����Լ�� 鿴��

PEB��ַ��

xiaoweitech — 2008-04-07 21:46

��XPSP2��ϵͳ��һ��ԣ�PEB��ַ��ÿ��̵�PEB��ַ��̶��14�ֿ��ܡ�ϵͳ��ʱ��PEB�ĵ�ַ��

NtCreateProcess / NtCreateProcessEx / PspCreateProcess / MmCreatePeb / MiCreatePebOrTeb

��MiCreatePebOrTeb��и��ݵ�ǰʱ��ֵ��

PVOID HighestVadAddress;

LARGE_INTEGER CurrentTime;

HighestVadAddress = (PVOID) ((PCHAR)MM_HIGHEST_VAD_ADDRESS + 1);

KeQueryTickCount (&CurrentTime);

CurrentTime.LowPart &= ((X64K >> PAGE_SHIFT) - 1);

if (CurrentTime.LowPart <= 1) {

CurrentTime.LowPart = 2;

}

HighestVadAddress = (PVOID) ((PCHAR)HighestVadAddress - (CurrentTime.LowPart << PAGE_SHIFT));

��XPSP2ϵͳ�Ժ��ΪPEB�ʹ��0x7FFDF000��ͬ�Ľ��PEB��ַ�᲻һ��

��Ǳ��̣��ͨ��ָ��ȡ�ã�

mov eax,fs:[0x18]

mov eax,dword ptr [eax+0x30]

��ȡ��TEB�ĵ�ַ��ȡ��PEB�ĵ�ַ��

��Ҫȡ��̵�PEB��ַ��ͨ��NtQueryInformationProcess��ʵ�֡�

NtQueryInformationProcess(...)

{

......

case ProcessBasicInformation:

BasicInfo.ExitStatus = Process->ExitStatus;

BasicInfo.PebBaseAddress = Process->Peb;

BasicInfo.AffinityMask = Process->Pcb.Affinity;

BasicInfo.BasePriority = Process->Pcb.BasePriority;

BasicInfo.UniqueProcessId = (ULONG_PTR)Process->UniqueProcessId;

BasicInfo.InheritedFromUniqueProcessId = (ULONG_PTR)Process->InheritedFromUniqueProcessId;

......

}

ULONG CEnumPebDlg::GetPebAddress(ULONG ulPID)

{

HANDLE hProcess = NULL;

ULONG ulPebAddr = 0;

PROCESS_BASIC_INFORMATION pbi = {0};

ULONG dwReturnLength = 0;

hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, ulPID);

if(hProcess != NULL)

{

if(g_lpNtQueryInformationProcess(hProcess,

ProcessBasicInformation,

&pbi,

sizeof(PROCESS_BASIC_INFORMATION),

&dwReturnLength) == 0)

{

ulPebAddr = (ULONG)pbi.PebBaseAddress;

}

CloseHandle(hProcess);

}

return ulPebAddr;

}

��windows �ں� �鿴��

�жϽ��̵� DEP ״̬

xiaoweitech — 2008-04-06 21:43

lkd> !process 0n1984 0
Searching for Process with Cid == 7c0
PROCESS 85d97268 SessionId: 0 Cid: 07c0    Peb: 7ffdb000 ParentCid: 0788
    DirBase: 17fc00a0 ObjectTable: e12c9158 HandleCount: 466.
    Image: lsass.exe

lkd> dt nt!_KPROCESS Flags. 0x85d97268
   +0x06b Flags :
      +0x000 ExecuteDisable : 0y0
      +0x000 ExecuteEnable : 0y0
      +0x000 DisableThunkEmulation : 0y0
      +0x000 Permanent : 0y0
      +0x000 ExecuteDispatchEnable : 0y0
      +0x000 ImageDispatchEnable : 0y0
      +0x000 Spare : 0y00

lkd> !process 0n448 0
Searching for Process with Cid == 1c0
PROCESS 84f2c3b8 SessionId: 0 Cid: 01c0    Peb: 7ffdc000 ParentCid: 04a0
    DirBase: 17fc0480 ObjectTable: e44a91f0 HandleCount: 731.
    Image: QQ.exe

lkd> dt nt!_KPROCESS Flags. 0x84f2c3b8
   +0x06b Flags :
      +0x000 ExecuteDisable : 0y0
      +0x000 ExecuteEnable : 0y1
      +0x000 DisableThunkEmulation : 0y0
      +0x000 Permanent : 0y0
      +0x000 ExecuteDispatchEnable : 0y1
      +0x000 ImageDispatchEnable : 0y1
      +0x000 Spare : 0y00

ͨ��д��Դ��ں��ȡ��Щ��Ϣ��Ӷ��жϽ��Ƿ�� DEP ��ֱ��޸��Щֵ��л��̵� DEP ״̬��

��windows �ں� �鿴��

xiaoweitech

���¿ռ�

תһ��С���ɣ������ں˵�����������½ Windows ʱ��������֤

�޸� vmkd ֧�� VMware Workstation

LiveDump - ������̬���������ں� dump �ļ�

VistaLKD - ��̬���� vista ϵͳ�����ں˵��Թ���

DbgPrint �������̷���

findstr ����ѧϰ

����һ������Ĺ���: vmkd

WinDbg ����ѧϰ - !list

�� WinDbg �ű���ʹ�ò���

������������

���� PE �ļ�����Ϣ��ֵ

д�˸�С�� WinDbg �ű���������ʾ SSDT

PEB��ַ�����

�жϽ��̵� DEP ״̬

��¿ռ�

תһ��С��ɣ��ں˵��½ Windows ʱ��֤

LiveDump - ��̬��ں� dump �ļ�

VistaLKD - ��̬�� vista ϵͳ��ں˵��Թ��

DbgPrint ��̷��

findstr ��ѧϰ

��һ��Ĺ��: vmkd

WinDbg ��ѧϰ - !list

�� WinDbg �ű��ʹ�ò��

��

�� PE �ļ��Ϣ��ֵ

д�˸�С�� WinDbg �ű��ʾ SSDT

PEB��ַ��