Executing command after breakpoint with Windbg doesn't work?
I am using a simple command like this:
bp KernelFunctionAddress "dd esp L1;g"
But when the breakpoint is hit, I get this:
Break instruction exception - code 80000003 (first chance)
nt!KernelFunction:
87975cd0 8bff mov edi,edi
Why is that? Why isn't the command executed after the breakpoint is hit? I just want to dump the value of esp and run the g command so it doesn't stop, but it doesn't work?
Assume KernelFunction is a function in the kernel; which function doesn't matter. I am also using WinDbg Preview.
When I type .sxcmds, nothing happens either:
0: kd> .sxcmds
0: kd> bl
0 e Disable Clear 86c20615 0001 (0001) "dd esp L1;g"
0: kd> g
Break instruction exception - code 80000003 (first chance)
storport!RaDriverScsiIrp:
86c20615 8bff mov edi,edi
Not sure why?
It should work. Are you mixing x64 windbg on an x86 target or vice versa? That would come into play.
Edit
Added a kernel session with windbg preview, winx host and target (all x64)
Host Windows and windbg preview version
PS C:\> Get-ComputerInfo -Property WindowsBuildLabEx,OsVersion,OsBuildNumber
WindowsBuildLabEx OsVersion OsBuildNumber
----------------- --------- -------------
18362.1.amd64fre.19h1_release.190318-1202 10.0.18363 18363
PS C:\> (Get-AppPackage -Name Microsoft.windbg ).Version
1.2001.2001.0
Target and Transport
0: kd> vertarget
Windows 10 Kernel Version 17763 MP (2 procs) Free x64
17763.1.amd64fre.rs5_release.180914-1434
0: kd> dx Debugger.Sessions
Debugger.Sessions
[0x0] : Remote KD: KdSrv:Server=@{<Local>},Trans=@{COM:Port=\\.\pipe\vmwpipe,Baud=115200,Pipe,Timeout=4000,Resets=2}
Breakpoint with conditions on an arbitrary kernel function
0: kd> bl
0 e Disable Clear fffff801`3ecea760 0001 (0001) nt!NtQueryDirectoryFile "dpp @rsp+50 l1;dt nt!_unicode_string poi(@rsp+50);.echo ===========;gc"
Explanation of the bp and the conditions
The prototype of NtQueryDirectoryFile is
__kernel_entry NTSYSCALLAPI NTSTATUS NtQueryDirectoryFile(
HANDLE FileHandle, == @rcx
HANDLE Event, == @rdx
PIO_APC_ROUTINE ApcRoutine, == @r8
PVOID ApcContext, == @r9
PIO_STATUS_BLOCK IoStatusBlock, == [rsp+28]
PVOID FileInformation, == [rsp+30]
ULONG Length, == [rsp+38]
FILE_INFORMATION_CLASS FileInformationClass, == [rsp+40]
BOOLEAN ReturnSingleEntry, == [rsp+48]
PUNICODE_STRING FileName, == [rsp+50] <==> printing this
BOOLEAN RestartScan == [rsp+58]
);
Result
0: kd> g
fffffd0e`2ca835d8 ffff8e07`848f9628 00000000`00160016
"diagwrn.xml"
+0x000 Length : 0x16
+0x002 MaximumLength : 0x16
+0x008 Buffer : 0xffff8e07`849d37f6 "diagwrn.xml"
===========
fffffd0e`2c0c05d8 ffff8e07`848f9628 00000000`00140014
"SRUtmp.log"
+0x000 Length : 0x14
+0x002 MaximumLength : 0x14
+0x008 Buffer : 0xffff8e07`849d37ea "SRUtmp.log"
===========
fffffd0e`2ca835d8 ffff8e07`848fc528 00000000`001a001a
"EventStore.db"
+0x000 Length : 0x1a
+0x002 MaximumLength : 0x1a
+0x008 Buffer : 0xffff8e07`84a6ca60 "EventStore.db"
===========
fffffd0e`2c1df5d8 ffff8e07`848fc528 00000000`00100010
"data.dat"
+0x000 Length : 0x10
+0x002 MaximumLength : 0x10
+0x008 Buffer : 0xffff8e07`7f0877fe "data.dat"
===========
fffffd0e`2c66f898 ffff8e07`82f81548 00000000`006c006c
"ScreenOnPowerStudyTraceSession-2020-07-05-12-01-44.etl"
+0x000 Length : 0x6c
+0x002 MaximumLength : 0x6c
+0x008 Buffer : 0xffff8e07`7f6cdb9a "ScreenOnPowerStudyTraceSession-2020-07-05-12-01-44.etl"
===========
End of edit
I just ran an arbitrary test on a user-mode x64 binary with an arbitrary function on classic x64 windbg 18362 winx, and it seems to work fine.
DispatchMessage: Windows message structure __TAGMSG, which contains the WM_xxx #defines
0:005> bl
0 e Disable Clear 00007ffe`2e4f5410 0001 (0001) 0:**** USER32!DispatchMessageW ".echotime;.echo====================;dd @rcx l4;gc"
0:005> g
Debugger (not debuggee) time: Sat Jul 4 00:26:34.254 2020
====================
0000001d`7675d6b0 00140494 00000000 00000113 00000000
Debugger (not debuggee) time: Sat Jul 4 00:26:35.004 2020
====================
0000001d`7675d6b0 001c0628 00000000 00000060 00000000
Debugger (not debuggee) time: Sat Jul 4 00:26:49.047 2020
====================
0000001d`7675d6b0 001606ac 00000000 0000000f 00000000
Debugger (not debuggee) time: Sat Jul 4 00:26:49.063 2020
====================
0000001d`7675d6b0 000d06a6 00000000 00000118 00000000
Debugger (not debuggee) time: Sat Jul 4 00:26:50.047 2020
====================
0000001d`7675d6b0 000d06a6 00000000 00000118 00000000
Debugger (not debuggee) time: Sat Jul 4 00:26:51.047 2020
====================
0000001d`7675d6b0 001c0628 00000000 00000060 00000000
Debugger (not debuggee) time: Sat Jul 4 00:26:51.094 2020
====================
0000001d`7675d6b0 001c0628 00000000 00000060 00000000
Debugger (not debuggee) time: Sat Jul 4 00:26:51.094 2020
====================
0000001d`7675d6b0 001606ac 00000000 0000000f 00000000
Debugger (not debuggee) time: Sat Jul 4 00:26:51.188 2020
====================
(2070.20e0): Break instruction exception - code 80000003 (first chance)
ntdll!DbgBreakPoint: 00007ffe`2fd3faa0 cc int 3
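The two breakpoint commands in the answer rely on knowing where each argument lives at function entry: the first four in rcx, rdx, r8, r9, the rest on the stack above the return address and the 0x20-byte home space, which is how FileName ends up at [rsp+50]. The script below is an added example (not code from the original question or answer) that computes those slots from the Windows x64 calling convention, rebuilds the `bp` command string from the quoted NtQueryDirectoryFile prototype, and decodes the `dd @rcx l4` lines from the DispatchMessageW trace into hwnd and message id. The parameter-name list and the sample trace lines are copied from the post; the WM_ names are the documented winuser.h values for the message ids that appear there.

```python
"""Windows x64 argument locations at function entry, as used by the WinDbg
breakpoint commands in the answer. Added example, not part of the post."""

REGISTER_ARGS = ("rcx", "rdx", "r8", "r9")
RETURN_ADDR_SIZE = 0x8   # [rsp] holds the return address at function entry
HOME_SPACE = 0x20        # 4 x 8-byte shadow slots for the register arguments


def arg_location(index):
    """0-based parameter index -> '@rcx'/'@rdx'/'@r8'/'@r9' or '@rsp+<hex>'.

    Valid only at the first instruction of the function (before any prologue
    adjusts rsp), which is exactly where a bp on the symbol fires."""
    if index < 0:
        raise ValueError("parameter index must be non-negative")
    if index < len(REGISTER_ARGS):
        return "@" + REGISTER_ARGS[index]
    offset = RETURN_ADDR_SIZE + HOME_SPACE + (index - len(REGISTER_ARGS)) * 8
    return f"@rsp+{offset:x}"


# Parameter names in order, taken from the prototype quoted in the answer.
NT_QUERY_DIRECTORY_FILE = [
    "FileHandle", "Event", "ApcRoutine", "ApcContext", "IoStatusBlock",
    "FileInformation", "Length", "FileInformationClass", "ReturnSingleEntry",
    "FileName", "RestartScan",
]


def locate_params(params):
    """Map every parameter name to its register or stack slot."""
    return {name: arg_location(i) for i, name in enumerate(params)}


def build_bp_command(function, params, param_name, type_name):
    """Build a bp command that dumps one pointer-typed stack parameter with
    dpp, formats the pointee with dt, prints a separator and resumes (gc)."""
    loc = locate_params(params)[param_name]
    if not loc.startswith("@rsp+"):
        raise ValueError("register parameter: use 'dt type @reg' instead")
    return (f'bp {function} "dpp {loc} l1;'
            f'dt {type_name} poi({loc});.echo ===========;gc"')


# Message ids documented in winuser.h that occur in the trace; anything else
# (e.g. 0x60 and 0x118 in the post) is reported as unknown.
WM_NAMES = {0x000F: "WM_PAINT", 0x0113: "WM_TIMER"}


def decode_msg_dump(line):
    """Parse one 'dd @rcx l4' output line into (hwnd, message, name).

    rcx points at the MSG struct. On x64 HWND is 8 bytes, so it spans the
    first two dwords; UINT message is the third dword, the fourth is padding."""
    _addr, *dwords = line.split()
    vals = [int(d, 16) for d in dwords]
    if len(vals) < 3:
        raise ValueError("need at least three dwords from dd output")
    hwnd = vals[0] | (vals[1] << 32)
    message = vals[2]
    return hwnd, message, WM_NAMES.get(message, f"unknown(0x{message:x})")


if __name__ == "__main__":
    for name, loc in locate_params(NT_QUERY_DIRECTORY_FILE).items():
        print(f"{name:22} {loc}")
    print(build_bp_command("nt!NtQueryDirectoryFile", NT_QUERY_DIRECTORY_FILE,
                           "FileName", "nt!_unicode_string"))
    # Trace lines copied from the DispatchMessageW session in the answer.
    for line in ("0000001d`7675d6b0 00140494 00000000 00000113 00000000",
                 "0000001d`7675d6b0 001c0628 00000000 00000060 00000000",
                 "0000001d`7675d6b0 001606ac 00000000 0000000f 00000000"):
        hwnd, msg, wm = decode_msg_dump(line)
        print(f"hwnd=0x{hwnd:x} message=0x{msg:x} {wm}")
```

The generated command is the one shown by `bl` in the answer, and the same `arg_location` table explains why the question's x86 `dd esp L1` dumps only the return address: on x86 the first argument sits at [esp+4], not at [esp].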