是否可以在 windbg 中调用 win32 调用?
Is it possible to invoke win32 call in windbg?
我正在尝试使用 windbg 调用 win32 api,
> .call kernel32!ExitProcess(0)
^ Symbol not a function in '.call kernel32!ExitProcess(0)'
windbg 应该支持这个,知道吗?
一个原因可能是调试器找不到方法:
0:004> x kernel32!Exit*
00007ffc`12e9b0c0 KERNEL32!ExitVDM (<no parameter info>)
00007ffc`12e7d620 KERNEL32!ExitProcessImplementation (<no parameter info>)
你肯定没有 kernel32!ExitProcess()
的私有符号。如果你没有私有符号,那么你需要在你自己的代码中有一个函数(你有私有符号),你可以作为原型传递:
.call /s SameSignatureAsExitProcess kernel32!ExitProcess(0)
所以我的建议是:get the LLD extension,自己编译一些方法,比如
头文件:
#pragma once
#include <Windows.h>
class Call
{
public:
static void v();
static void vi(int);
static void vui(unsigned int);
static void vl(long);
static void vul(unsigned long);
};
Cpp 文件:
#include "Call.h"
void Call::v(){}
void Call::vi(int) {}
void Call::vui(unsigned int) {}
void Call::vl(long) {}
void Call::vul(unsigned long) {}
然后使用它
0:000> .load ...\lld
0:000> !injectdll ...\Calls\x64\Debug\Calls.dll
ModLoad: 00007ffc`11270000 00007ffc`1129e000 C:\Windows\System32\IMM32.DLL
ModLoad: 00007ffc`070a0000 00007ffc`070c5000 ...\Calls\x64\Debug\Calls.dll
ModLoad: 00007ffb`f9000000 00007ffb`f91c2000 C:\Windows\System32\ucrtbased.dll
ModLoad: 00007ffc`07070000 00007ffc`07092000 C:\Windows\System32\VCRUNTIME140D.dll
ModLoad: 00007ffc`0d800000 00007ffc`0d89c000 C:\Windows\system32\uxtheme.dll
ntdll!NtTerminateThread+0x14:
00007ffc`138f01c4 c3 ret
0:004> ld Calls
*** WARNING: Unable to verify checksum for ...\Calls\x64\Debug\Calls.dll
Symbols loaded for Calls
0:004> x Calls!Call::*
00007ffc`070b1710 Calls!Call::vui (unsigned int)
00007ffc`070b1760 Calls!Call::vul (unsigned long)
00007ffc`070b1670 Calls!Call::vi (int)
00007ffc`070b1620 Calls!Call::v (void)
00007ffc`070b16c0 Calls!Call::vl (long)
0:004> .call /s Calls!Call::v kernelbase!TerminateProcess()
Thread is set up for call, 'g' will execute.
WARNING: This can have serious side-effects,
including deadlocks and corruption of the debuggee.
虽然这看起来好多了(没有错误消息),但它仍然不起作用 - 进程没有终止。我目前无法弄清楚为什么。也许它对某人仍然有帮助。
对我有用的是
static void t(); // .h
void Call::t() // .cpp
{
ExitProcess(0);
}
然后
0:007> .call Calls!Call::t()
Thread is set up for call, 'g' will execute.
WARNING: This can have serious side-effects,
including deadlocks and corruption of the debuggee.
0:007> p
Calls!Call::t+0x2a:
00007ffc`0709166a 33c9 xor ecx,ecx
0:007> p
ntdll!NtTerminateProcess+0x14:
00007ffc`138efce4 c3 ret
但这不是很方便,如果你事先不知道你想调用什么方法。
我正在尝试使用 windbg 调用 win32 api,
> .call kernel32!ExitProcess(0)
^ Symbol not a function in '.call kernel32!ExitProcess(0)'
windbg 应该支持这个,知道吗?
一个原因可能是调试器找不到方法:
0:004> x kernel32!Exit*
00007ffc`12e9b0c0 KERNEL32!ExitVDM (<no parameter info>)
00007ffc`12e7d620 KERNEL32!ExitProcessImplementation (<no parameter info>)
你肯定没有 kernel32!ExitProcess()
的私有符号。如果你没有私有符号,那么你需要在你自己的代码中有一个函数(你有私有符号),你可以作为原型传递:
.call /s SameSignatureAsExitProcess kernel32!ExitProcess(0)
所以我的建议是:get the LLD extension,自己编译一些方法,比如
头文件:
#pragma once
#include <Windows.h>
class Call
{
public:
static void v();
static void vi(int);
static void vui(unsigned int);
static void vl(long);
static void vul(unsigned long);
};
Cpp 文件:
#include "Call.h"
void Call::v(){}
void Call::vi(int) {}
void Call::vui(unsigned int) {}
void Call::vl(long) {}
void Call::vul(unsigned long) {}
然后使用它
0:000> .load ...\lld
0:000> !injectdll ...\Calls\x64\Debug\Calls.dll
ModLoad: 00007ffc`11270000 00007ffc`1129e000 C:\Windows\System32\IMM32.DLL
ModLoad: 00007ffc`070a0000 00007ffc`070c5000 ...\Calls\x64\Debug\Calls.dll
ModLoad: 00007ffb`f9000000 00007ffb`f91c2000 C:\Windows\System32\ucrtbased.dll
ModLoad: 00007ffc`07070000 00007ffc`07092000 C:\Windows\System32\VCRUNTIME140D.dll
ModLoad: 00007ffc`0d800000 00007ffc`0d89c000 C:\Windows\system32\uxtheme.dll
ntdll!NtTerminateThread+0x14:
00007ffc`138f01c4 c3 ret
0:004> ld Calls
*** WARNING: Unable to verify checksum for ...\Calls\x64\Debug\Calls.dll
Symbols loaded for Calls
0:004> x Calls!Call::*
00007ffc`070b1710 Calls!Call::vui (unsigned int)
00007ffc`070b1760 Calls!Call::vul (unsigned long)
00007ffc`070b1670 Calls!Call::vi (int)
00007ffc`070b1620 Calls!Call::v (void)
00007ffc`070b16c0 Calls!Call::vl (long)
0:004> .call /s Calls!Call::v kernelbase!TerminateProcess()
Thread is set up for call, 'g' will execute.
WARNING: This can have serious side-effects,
including deadlocks and corruption of the debuggee.
虽然这看起来好多了(没有错误消息),但它仍然不起作用 - 进程没有终止。我目前无法弄清楚为什么。也许它对某人仍然有帮助。
对我有用的是
static void t(); // .h
void Call::t() // .cpp
{
ExitProcess(0);
}
然后
0:007> .call Calls!Call::t()
Thread is set up for call, 'g' will execute.
WARNING: This can have serious side-effects,
including deadlocks and corruption of the debuggee.
0:007> p
Calls!Call::t+0x2a:
00007ffc`0709166a 33c9 xor ecx,ecx
0:007> p
ntdll!NtTerminateProcess+0x14:
00007ffc`138efce4 c3 ret
但这不是很方便,如果你事先不知道你想调用什么方法。