Is it possible to set a breakpoint on module load before ntdll!LdrpDoDebuggerBreak in WinDbg?
When launching an executable with WinDbg, several modules are already loaded before the debugger gets its initial break.
ModLoad: 00400000 0045c000 image00400000
ModLoad: 77da0000 77f3a000 ntdll.dll
ModLoad: 77460000 77540000 C:\Windows\SysWOW64\KERNEL32.DLL
ModLoad: 76b50000 76d4c000 C:\Windows\SysWOW64\KERNELBASE.dll
ModLoad: 754c0000 7555f000 C:\Windows\SysWOW64\apphelp.dll
ModLoad: 796c0000 79944000 C:\Windows\SysWOW64\AcLayers.DLL
ModLoad: 77320000 773df000 C:\Windows\SysWOW64\msvcrt.dll
ModLoad: 77650000 777e7000 C:\Windows\SysWOW64\USER32.dll
ModLoad: 77d70000 77d87000 C:\Windows\SysWOW64\win32u.dll
ModLoad: 75800000 75821000 C:\Windows\SysWOW64\GDI32.dll
ModLoad: 76970000 76aca000 C:\Windows\SysWOW64\gdi32full.dll
ModLoad: 76ad0000 76b4c000 C:\Windows\SysWOW64\msvcp_win.dll
ModLoad: 76850000 7696f000 C:\Windows\SysWOW64\ucrtbase.dll
ModLoad: 75900000 75e7a000 C:\Windows\SysWOW64\SHELL32.dll
ModLoad: 777f0000 7782b000 C:\Windows\SysWOW64\cfgmgr32.dll
ModLoad: 77540000 775c4000 C:\Windows\SysWOW64\shcore.dll
ModLoad: 77bb0000 77c6b000 C:\Windows\SysWOW64\RPCRT4.dll
ModLoad: 75570000 75590000 C:\Windows\SysWOW64\SspiCli.dll
ModLoad: 75560000 7556a000 C:\Windows\SysWOW64\CRYPTBASE.dll
ModLoad: 75700000 7575f000 C:\Windows\SysWOW64\bcryptPrimitives.dll
ModLoad: 76660000 766d6000 C:\Windows\SysWOW64\sechost.dll
ModLoad: 77930000 77ba6000 C:\Windows\SysWOW64\combase.dll
ModLoad: 76d50000 77315000 C:\Windows\SysWOW64\windows.storage.dll
ModLoad: 773e0000 77459000 C:\Windows\SysWOW64\advapi32.dll
ModLoad: 757c0000 757d7000 C:\Windows\SysWOW64\profapi.dll
ModLoad: 75760000 757a3000 C:\Windows\SysWOW64\powrprof.dll
ModLoad: 76540000 7654d000 C:\Windows\SysWOW64\UMPDC.dll
ModLoad: 75f00000 75f44000 C:\Windows\SysWOW64\shlwapi.dll
ModLoad: 758d0000 758df000 C:\Windows\SysWOW64\kernel.appcore.dll
ModLoad: 75e80000 75e93000 C:\Windows\SysWOW64\cryptsp.dll
ModLoad: 75830000 758c2000 C:\Windows\SysWOW64\OLEAUT32.dll
ModLoad: 76070000 764b9000 C:\Windows\SysWOW64\SETUPAPI.dll
ModLoad: 76520000 76539000 C:\Windows\SysWOW64\bcrypt.dll
ModLoad: 73970000 73988000 C:\Windows\SysWOW64\MPR.dll
ModLoad: 66680000 66683000 C:\Windows\SysWOW64\sfc.dll
ModLoad: 74e80000 74eeb000 C:\Windows\SysWOW64\WINSPOOL.DRV
ModLoad: 747f0000 748b5000 C:\Windows\SysWOW64\PROPSYS.dll
ModLoad: 74dd0000 74e02000 C:\Windows\SysWOW64\IPHLPAPI.DLL
ModLoad: 79950000 7995f000 C:\Windows\SysWOW64\sfc_os.DLL
ModLoad: 796b0000 796bf000 C:\Windows\SysWOW64\SortWindows61.dll
ModLoad: 77620000 77645000 C:\Windows\SysWOW64\IMM32.DLL
ModLoad: 77c70000 77d67000 C:\Windows\SysWOW64\ole32.dll
ModLoad: 64740000 647cd000 C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.18362.476_none_71d739795ae3e03a\comctl32.dll
(118c.4450): Break instruction exception - code 80000003 (first chance)
eax=00000000 ebx=00305000 ecx=51fe0000 edx=00000000 esi=004e24d0 edi=77da688c
eip=77e4e9d2 esp=0019fa20 ebp=0019fa4c iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
ntdll!LdrpDoDebuggerBreak+0x2b:
77e4e9d2 cc int 3
Setting a breakpoint on module load, e.g. sxe ld shell32.dll, and restarting the process with .restart does not trigger a break. Is this possible with WinDbg in user mode? I want to analyze some code that runs during one of these module loads.
C:\>cdb -xe ld:ntdll calc
Microsoft (R) Windows Debugger Version 10.0.18362.1 X86
CommandLine: calc
Response Time (ms) Location
Deferred xxxxxxxxxxxx
Symbol search path is: yyyyyyyyyyy
Executable search path is:
ModLoad: 004e0000 005a0000 calc.exe
ModLoad: 77630000 7776c000 ntdll.dll
eax=004f2d6c ebx=7ffd9000 ecx=00000000 edx=00000000 esi=00000000 edi=00000000
eip=776770d8 esp=0015fb38 ebp=00000000 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000200
only the image and ntdll are loaded at this point; executing t, p, g or any other execution command will
load all the system modules. If you know the internals a bit, set selective
breakpoints before executing any execution commands
ntdll!RtlUserThreadStart:
776770d8 89442404 mov dword ptr [esp+4],eax ss:0023:0015fb3c=00000000
0:000> g
ModLoad: 77140000 77214000 C:\Windows\system32\kernel32.dll
irrelevant mod load spew cut
ModLoad: 74c80000 74c89000 C:\Windows\system32\VERSION.dll
(b40.198): Break instruction exception - code 80000003 (first chance)
eax=00000000 ebx=00000000 ecx=0015f650 edx=776770f4 esi=fffffffe edi=00000000
eip=776d05a6 esp=0015f66c ebp=0015f698 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
ntdll!LdrpDoDebuggerBreak+0x2c:
776d05a6 cc int 3 <<<<<<<<<<<<<< this comes later
0:000>
Edit: with some internals (these are slippery)
0:000> sxe ld:ntdll ;.restart
CommandLine: calc
Executable search path is:
ModLoad: 005c0000 00680000 calc.exe
ModLoad: 77630000 7776c000 ntdll.dll
eax=005d2d6c ebx=7ffdf000 ecx=00000000 edx=00000000 esi=00000000 edi=00000000
eip=776770d8 esp=000bfb24 ebp=00000000 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000200
ntdll!RtlUserThreadStart:
776770d8 89442404 mov dword ptr [esp+4],eax ss:0023:000bfb28=00000000
0:000> u . l3
ntdll!RtlUserThreadStart:
776770d8 89442404 mov dword ptr [esp+4],eax
776770dc 895c2408 mov dword ptr [esp+8],ebx
776770e0 e9bec60100 jmp ntdll!_RtlUserThreadStart (776937a3)
0:000> ln @eax
(005d2d6c) calc!WinMainCRTStartup | (005d2e68) calc!__xc_a
Exact matches:
calc!WinMainCRTStartup (<no parameter info>)
0:000> dd @ebx l5
7ffdf000 08010000 ffffffff 005c0000 00000000
7ffdf010 00010000
0:000> $$ @ebx == ntdll!_CONTEXT
0:000> $$ 8010000 contextflag EXCEPTION_ACTIVE | CONTEXT_I386
0:000> ?? ((ntdll!_CONTEXT *) @ebx)->ContextFlags
unsigned long 0x8010000
0:000> ?? ((ntdll!_CONTEXT *) @ebx)->Dr1
unsigned long 0x5c0000
0:000> Dr1 Holds the Module Base of Image
0:000> bp ntdll!LdrLoadDll
0:000> g
Breakpoint 0 hit
eax=000bf72c ebx=7ffdf000 ecx=776936f6 edx=7770cd48 esi=77697de0 edi=00000000
eip=776922ae esp=000bf678 ebp=000bf7e4 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
ntdll!LdrLoadDll:
776922ae 8bff mov edi,edi
0:000> dS poi(@esp+c)
77678230 "kernel32.dll" <<<<<<<<<< next module load is kernel32
0:000> lm
start end module name
005c0000 00680000 calc (pdb symbols) e:\symbols\calc.pdb1D2945E998438C847643A9DB39C88E2\calc.pdb
77630000 7776c000 ntdll (pdb symbols) e:\symbols\ntdll.pdb\CD4062A231154A17A18DAE7D1A0FBACC2\ntdll.pdb
0:000> !gflag +2
New NtGlobalFlag contents: 0x00000072
sls - Show Loader Snaps
htc - Enable heap tail checking
hfc - Enable heap free checking
hpc - Enable heap parameter checking
0:000> kb
# ChildEBP RetAddr Args to Child
00 000bf674 77697d33 00000000 00000000 77697de0 ntdll!LdrLoadDll
01 000bf7e4 776960a7 000bf858 77630000 77fe439f ntdll!LdrpInitializeProcess+0xfe7
02 000bf834 77693659 000bf858 77630000 00000000 ntdll!_LdrpInitialize+0x78
03 000bf844 00000000 000bf858 77630000 00000000 ntdll!LdrInitializeThunk+0x10
0:000> bp 77697d33
0:000> g
ModLoad: 77140000 77214000 C:\Windows\system32\kernel32.dll
Breakpoint 0 hit
eax=776922ae ebx=00000000 ecx=000bf0e0 edx=00000062 esi=77688b19 edi=000bf100
eip=776922ae esp=000bf0c4 ebp=000bf0ec iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
ntdll!LdrLoadDll:
776922ae 8bff mov edi,edi
0:000> dS poi(@esp+c)
00010020 "C:\Program Files\AVAST Software\"
00010060 "Avast\aswhook.dll"
0:000> bl
0 e Disable Clear 776922ae 0001 (0001) 0:**** ntdll!LdrLoadDll
1 e Disable Clear 77697d33 0001 (0001) 0:**** ntdll!LdrpInitializeProcess+0xfe7
0:000> g
ModLoad: 6afd0000 6afe0000 C:\Program Files\AVAST Software\Avast\aswhook.dll
ModLoad: 75890000 758da000 C:\Windows\system32\KERNELBASE.dll
Breakpoint 1 hit
eax=00000000 ebx=7ffdf000 ecx=000bf72c edx=7770789c esi=77697de0 edi=00000000
eip=77697d33 esp=000bf68c ebp=000bf7e4 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
ntdll!LdrpInitializeProcess+0xfe7:
77697d33 3bc7 cmp eax,edi
0:000> kb
# ChildEBP RetAddr Args to Child
00 000bf7e4 776960a7 000bf858 77630000 77fe439f ntdll!LdrpInitializeProcess+0xfe7
01 000bf834 77693659 000bf858 77630000 00000000 ntdll!_LdrpInitialize+0x78
02 000bf844 00000000 000bf858 77630000 00000000 ntdll!LdrInitializeThunk+0x10
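The answer above shows the trick interactively: stop when ntdll itself loads (cdb -xe ld:ntdll, or sxe ld:ntdll followed by .restart), then break on ntdll!LdrLoadDll and read the requested name from the PUNICODE_STRING at esp+c, which fires inside LdrpInitializeProcess long before LdrpDoDebuggerBreak. The script below is an added example, not part of the original answer, that packages the same technique as a conditional breakpoint so the debugger only stops for the DLL you care about (shell32.dll, the module from the question) and quietly logs and continues for every other load. The file name ldrloaddll.wds, the path it is run from and the pattern are assumptions; the target is assumed to be 32-bit x86 as in the transcripts.

```windbg
$$ Added example (not from the original question or answer): a cdb/WinDbg x86
$$ user-mode script that stops only when ntdll!LdrLoadDll is asked for a given DLL.
$$
$$ Usage (assumed file name and path):
$$   cdb -xe ld:ntdll target.exe        (or inside the debugger: sxe ld:ntdll; .restart)
$$   0:000> $$>< c:\scripts\ldrloaddll.wds
$$   0:000> g
$$
$$ x86 stdcall layout at function entry: [esp] = return address,
$$ esp+4 = PWCHAR SearchPath, esp+8 = PULONG DllCharacteristics,
$$ esp+c = PUNICODE_STRING DllName, esp+10 = PVOID *BaseAddress.
$$ On x64 the DllName pointer is in r8, so replace poi(@esp+c) with @r8.
$$
$$ as /msu reads the UNICODE_STRING structure into an alias; aliases are
$$ expanded when the enclosing .block is entered, which is why the .if sits
$$ inside one. $spat does a case-insensitive wildcard match, so the pattern
$$ below matches both "shell32.dll" and a full path ending in shell32.dll.
$$ gc resumes in whatever mode (g/p/t) reached the breakpoint.
bp ntdll!LdrLoadDll "as /msu ${/v:LdrName} poi(@esp+c); .block { .echo LdrLoadDll requested: ${LdrName}; .if ($spat(\"${LdrName}\", \"*shell32.dll\")) { .echo Target DLL requested - stopped before it is mapped; kb; ad /q ${/v:LdrName} } .else { ad /q ${/v:LdrName}; gc } }"
.echo conditional LdrLoadDll breakpoint armed - type g to run
```

When the breakpoint stops, the stack looks like the kb output in the answer (LdrLoadDll called from LdrpInitializeProcess), and the DLL has not yet been mapped, so you can step into the loader from here; a plain sxe ld:shell32.dll, by contrast, only reports the module once it has already been mapped. Because the loader reads the unmodified import list, you will also see third-party DLLs that are injected ahead of the static imports, like the Avast hook DLL in the transcript above, which is exactly the kind of load a defender wants to be able to inspect before it runs.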