Is it possible to set breakpoint on module load before ntdll!LdrpDoDebuggerBreak in Windbg?

When starting an executable with WinDbg, several modules are loaded before the debugger breaks in.

ModLoad: 00400000 0045c000   image00400000
ModLoad: 77da0000 77f3a000   ntdll.dll
ModLoad: 77460000 77540000   C:\Windows\SysWOW64\KERNEL32.DLL
ModLoad: 76b50000 76d4c000   C:\Windows\SysWOW64\KERNELBASE.dll
ModLoad: 754c0000 7555f000   C:\Windows\SysWOW64\apphelp.dll
ModLoad: 796c0000 79944000   C:\Windows\SysWOW64\AcLayers.DLL
ModLoad: 77320000 773df000   C:\Windows\SysWOW64\msvcrt.dll
ModLoad: 77650000 777e7000   C:\Windows\SysWOW64\USER32.dll
ModLoad: 77d70000 77d87000   C:\Windows\SysWOW64\win32u.dll
ModLoad: 75800000 75821000   C:\Windows\SysWOW64\GDI32.dll
ModLoad: 76970000 76aca000   C:\Windows\SysWOW64\gdi32full.dll
ModLoad: 76ad0000 76b4c000   C:\Windows\SysWOW64\msvcp_win.dll
ModLoad: 76850000 7696f000   C:\Windows\SysWOW64\ucrtbase.dll
ModLoad: 75900000 75e7a000   C:\Windows\SysWOW64\SHELL32.dll
ModLoad: 777f0000 7782b000   C:\Windows\SysWOW64\cfgmgr32.dll
ModLoad: 77540000 775c4000   C:\Windows\SysWOW64\shcore.dll
ModLoad: 77bb0000 77c6b000   C:\Windows\SysWOW64\RPCRT4.dll
ModLoad: 75570000 75590000   C:\Windows\SysWOW64\SspiCli.dll
ModLoad: 75560000 7556a000   C:\Windows\SysWOW64\CRYPTBASE.dll
ModLoad: 75700000 7575f000   C:\Windows\SysWOW64\bcryptPrimitives.dll
ModLoad: 76660000 766d6000   C:\Windows\SysWOW64\sechost.dll
ModLoad: 77930000 77ba6000   C:\Windows\SysWOW64\combase.dll
ModLoad: 76d50000 77315000   C:\Windows\SysWOW64\windows.storage.dll
ModLoad: 773e0000 77459000   C:\Windows\SysWOW64\advapi32.dll
ModLoad: 757c0000 757d7000   C:\Windows\SysWOW64\profapi.dll
ModLoad: 75760000 757a3000   C:\Windows\SysWOW64\powrprof.dll
ModLoad: 76540000 7654d000   C:\Windows\SysWOW64\UMPDC.dll
ModLoad: 75f00000 75f44000   C:\Windows\SysWOW64\shlwapi.dll
ModLoad: 758d0000 758df000   C:\Windows\SysWOW64\kernel.appcore.dll
ModLoad: 75e80000 75e93000   C:\Windows\SysWOW64\cryptsp.dll
ModLoad: 75830000 758c2000   C:\Windows\SysWOW64\OLEAUT32.dll
ModLoad: 76070000 764b9000   C:\Windows\SysWOW64\SETUPAPI.dll
ModLoad: 76520000 76539000   C:\Windows\SysWOW64\bcrypt.dll
ModLoad: 73970000 73988000   C:\Windows\SysWOW64\MPR.dll
ModLoad: 66680000 66683000   C:\Windows\SysWOW64\sfc.dll
ModLoad: 74e80000 74eeb000   C:\Windows\SysWOW64\WINSPOOL.DRV
ModLoad: 747f0000 748b5000   C:\Windows\SysWOW64\PROPSYS.dll
ModLoad: 74dd0000 74e02000   C:\Windows\SysWOW64\IPHLPAPI.DLL
ModLoad: 79950000 7995f000   C:\Windows\SysWOW64\sfc_os.DLL
ModLoad: 796b0000 796bf000   C:\Windows\SysWOW64\SortWindows61.dll
ModLoad: 77620000 77645000   C:\Windows\SysWOW64\IMM32.DLL
ModLoad: 77c70000 77d67000   C:\Windows\SysWOW64\ole32.dll
ModLoad: 64740000 647cd000   C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.18362.476_none_71d739795ae3e03a\comctl32.dll
(118c.4450): Break instruction exception - code 80000003 (first chance)
eax=00000000 ebx=00305000 ecx=51fe0000 edx=00000000 esi=004e24d0 edi=77da688c
eip=77e4e9d2 esp=0019fa20 ebp=0019fa4c iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
ntdll!LdrpDoDebuggerBreak+0x2b:
77e4e9d2 cc              int     3

Setting a breakpoint on module load, e.g. sxe ld shell32.dll, and restarting the process with .restart does not trigger a break. Is this possible with WinDbg in user mode? I want to analyze some code that runs during the load of one of these modules.

C:\>cdb -xe ld:ntdll calc

Microsoft (R) Windows Debugger Version 10.0.18362.1 X86
CommandLine: calc
Response                         Time (ms)     Location
Deferred xxxxxxxxxxxx
Symbol search path is: yyyyyyyyyyy
Executable search path is:
ModLoad: 004e0000 005a0000   calc.exe
ModLoad: 77630000 7776c000   ntdll.dll
eax=004f2d6c ebx=7ffd9000 ecx=00000000 edx=00000000 esi=00000000 edi=00000000
eip=776770d8 esp=0015fb38 ebp=00000000 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000200

Only the image and ntdll are loaded at this point. Executing t, p, g or anything will
load all the system modules. If you know the internals a bit, set selective
breakpoints before executing any execution commands.


ntdll!RtlUserThreadStart:
776770d8 89442404        mov     dword ptr [esp+4],eax ss:0023:0015fb3c=00000000


0:000> g
ModLoad: 77140000 77214000   C:\Windows\system32\kernel32.dll
irrelevant mod load spew cut
ModLoad: 74c80000 74c89000   C:\Windows\system32\VERSION.dll
(b40.198): Break instruction exception - code 80000003 (first chance)
eax=00000000 ebx=00000000 ecx=0015f650 edx=776770f4 esi=fffffffe edi=00000000
eip=776d05a6 esp=0015f66c ebp=0015f698 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
ntdll!LdrpDoDebuggerBreak+0x2c:
776d05a6 cc              int     3  <<<<<<<<<<<<<< this comes later 
0:000>

Edit: with some internals.

0:000> sxe ld:ntdll ;.restart

CommandLine: calc


Executable search path is: 
ModLoad: 005c0000 00680000   calc.exe
ModLoad: 77630000 7776c000   ntdll.dll

eax=005d2d6c ebx=7ffdf000 ecx=00000000 edx=00000000 esi=00000000 edi=00000000
eip=776770d8 esp=000bfb24 ebp=00000000 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000200
ntdll!RtlUserThreadStart:
776770d8 89442404        mov     dword ptr [esp+4],eax ss:0023:000bfb28=00000000

0:000> u . l3
ntdll!RtlUserThreadStart:
776770d8 89442404        mov     dword ptr [esp+4],eax
776770dc 895c2408        mov     dword ptr [esp+8],ebx
776770e0 e9bec60100      jmp     ntdll!_RtlUserThreadStart (776937a3)

0:000> ln @eax

(005d2d6c)   calc!WinMainCRTStartup   |  (005d2e68)   calc!__xc_a
Exact matches:
    calc!WinMainCRTStartup (<no parameter info>)

0:000> dd @ebx l5
7ffdf000  08010000 ffffffff 005c0000 00000000
7ffdf010  00010000

0:000> $$ @ebx == ntdll!_CONTEXT 
0:000> $$ 8010000 contextflag EXCEPTION_ACTIVE | CONTEXT_I386

0:000> ?? ((ntdll!_CONTEXT *) @ebx)->ContextFlags
unsigned long 0x8010000

0:000> ?? ((ntdll!_CONTEXT *) @ebx)->Dr1
unsigned long 0x5c0000
0:000> Dr1 Holds the Module Base of Image



0:000> bp ntdll!LdrLoadDll
0:000> g
Breakpoint 0 hit
eax=000bf72c ebx=7ffdf000 ecx=776936f6 edx=7770cd48 esi=77697de0 edi=00000000
eip=776922ae esp=000bf678 ebp=000bf7e4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
ntdll!LdrLoadDll:
776922ae 8bff            mov     edi,edi


0:000> dS poi(@esp+c)
77678230  "kernel32.dll"  <<<<<<<<<< next module load is kernel32

0:000> lm
start    end        module name
005c0000 00680000   calc       (pdb symbols)          e:\symbols\calc.pdb1D2945E998438C847643A9DB39C88E2\calc.pdb
77630000 7776c000   ntdll      (pdb symbols)          e:\symbols\ntdll.pdb\CD4062A231154A17A18DAE7D1A0FBACC2\ntdll.pdb


0:000> !gflag +2
New NtGlobalFlag contents: 0x00000072
    sls - Show Loader Snaps
    htc - Enable heap tail checking
    hfc - Enable heap free checking
    hpc - Enable heap parameter checking

0:000> kb
 # ChildEBP RetAddr  Args to Child              
00 000bf674 77697d33 00000000 00000000 77697de0 ntdll!LdrLoadDll
01 000bf7e4 776960a7 000bf858 77630000 77fe439f ntdll!LdrpInitializeProcess+0xfe7
02 000bf834 77693659 000bf858 77630000 00000000 ntdll!_LdrpInitialize+0x78
03 000bf844 00000000 000bf858 77630000 00000000 ntdll!LdrInitializeThunk+0x10


0:000> bp 77697d33
0:000> g

ModLoad: 77140000 77214000   C:\Windows\system32\kernel32.dll
Breakpoint 0 hit
eax=776922ae ebx=00000000 ecx=000bf0e0 edx=00000062 esi=77688b19 edi=000bf100
eip=776922ae esp=000bf0c4 ebp=000bf0ec iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
ntdll!LdrLoadDll:
776922ae 8bff            mov     edi,edi

0:000> dS poi(@esp+c)
00010020  "C:\Program Files\AVAST Software\"
00010060  "Avast\aswhook.dll"

0:000> bl
     0 e Disable Clear  776922ae     0001 (0001)  0:**** ntdll!LdrLoadDll
     1 e Disable Clear  77697d33     0001 (0001)  0:**** ntdll!LdrpInitializeProcess+0xfe7

0:000> g
ModLoad: 6afd0000 6afe0000   C:\Program Files\AVAST Software\Avast\aswhook.dll
ModLoad: 75890000 758da000   C:\Windows\system32\KERNELBASE.dll


Breakpoint 1 hit
eax=00000000 ebx=7ffdf000 ecx=000bf72c edx=7770789c esi=77697de0 edi=00000000
eip=77697d33 esp=000bf68c ebp=000bf7e4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
ntdll!LdrpInitializeProcess+0xfe7:
77697d33 3bc7            cmp     eax,edi
0:000> kb
 # ChildEBP RetAddr  Args to Child              
00 000bf7e4 776960a7 000bf858 77630000 77fe439f ntdll!LdrpInitializeProcess+0xfe7
01 000bf834 77693659 000bf858 77630000 00000000 ntdll!_LdrpInitialize+0x78
02 000bf844 00000000 000bf858 77630000 00000000 ntdll!LdrInitializeThunk+0x10
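The procedure in the answer (start with -xe ld:ntdll so only the image and ntdll are loaded, break on ntdll!LdrLoadDll, read the UNICODE_STRING argument at @esp+c, and continue until the module you care about is requested) can be scripted so the debugger stops only for that module. The script below is an added example and not part of the original answer. It assumes an x86 (WOW64) target as in the question, where the third LdrLoadDll argument (PUNICODE_STRING ModuleFileName) is the third stack argument at @esp+c; it assumes that sxe ld: fires for a module loaded after the initial break; and the script path is a constructed placeholder. shell32.dll is the module the question asks about.

```windbg
$$ Added example (not from the original answer): stop at the first LdrLoadDll
$$ call whose UNICODE_STRING argument names the module of interest, then break
$$ on that module's load event and on its entry point (DllMain) once it is mapped.
$$
$$ Assumption: x86 (WOW64) target, 32-bit LdrLoadDll signature
$$   (PWSTR PathToFile, PULONG Flags, PUNICODE_STRING ModuleFileName, PHANDLE ModuleHandle)
$$ so ModuleFileName is the third stack argument at @esp+c (on x64 it would be in r8).
$$
$$ Run line by line from the first break, when only the image and ntdll are loaded:
$$   cdb -xe ld:ntdll -c "$$<C:\scripts\break_on_module.wds" calc
$$ (C:\scripts\break_on_module.wds is a placeholder path.)

$$ Conditional breakpoint: read the UNICODE_STRING into an alias (same structure
$$ the answer dumps with dS), compare it case-insensitively against a wildcard
$$ pattern so both "shell32.dll" and a full path match, and resume (gc) on mismatch.
bp ntdll!LdrLoadDll "ad /q ${/v:ModName}; as /msu ${/v:ModName} poi(@esp+c); .block { .if ($spat(\"${ModName}\", \"*shell32.dll\") != 0) { .echo LdrLoadDll called for target module; kb 4 } .else { gc } }"
g

$$ Now inside LdrLoadDll for the target, before it is mapped. Stop on its ModLoad
$$ event (assumed to fire for a module loaded after the initial break), then put a
$$ breakpoint on the image entry point so the code that runs during the load
$$ (DllMain with DLL_PROCESS_ATTACH) can be traced from its first instruction.
sxe ld:shell32.dll
g
bp $iment(shell32)
g
kb 6
```

Reading the argument through an alias rather than dumping it with dS is what makes the breakpoint conditional: $spat returns 1 on a match, and gc resumes from a conditional breakpoint without stopping. Because every intermediate LdrLoadDll call for kernel32, KERNELBASE and the rest is skipped with gc, the first stop is the request for the target module, and the later stops land on its load event and entry point.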