Title: windbg memory-protection breakpoints
Created: 2018-03-21 14:32
Link: https://scz.617.cn/windows/201803211432.txt
Extending windbg with Page Fault Breakpoints - [2011-05-01]
http://www.codeproject.com/Articles/186230/Extending-windbg-with-Page-Fault-Breakpoints
http://www.codeproject.com/KB/debug/ExtendingWindbg/pagefaultbp_demo.zip
http://www.codeproject.com/KB/debug/ExtendingWindbg/pagefaultbp_src.zip
Compared with sdbgext.dll, debugext.dll comes with source code and supports x64.
> .load debugext.dll
--------------------------------------------------------------------------
> !debugext.help
Commands for C:\Program Files\Windows Kits\10\Debuggers\x64\winext\debugext.dll:
!MemInfo - Read memory information
Usage: !MemInfo
!Protect - Protect page from access
Usage: !Protect
Example: !Protect 65310000 1000 1
Protection flags:
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
PAGE_NOACCESS = 0x01
PAGE_READONLY = 0x02
PAGE_READWRITE = 0x04
PAGE_WRITECOPY = 0x08
"lm" can be used to display module boundary addresses
"!dh " can be used to display the PE header
!help - Displays information on available extension commands
!help will give more information for a particular command
--------------------------------------------------------------------------
> !debugext.help MemInfo
!MemInfo [/pid ]
- Memory address to protect
/pid - Process ID (defaults to @$tpid)
Read memory information
Usage: !MemInfo
--------------------------------------------------------------------------
> !debugext.help Protect
!Protect [/pid ]
- Memory address to protect
- Memory Size to protect
- Protection mask
/pid - Process ID (defaults to @$tpid)
Protect page from access
Usage: !Protect
Example: !Protect 65310000 1000 1
Protection flags:
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
PAGE_NOACCESS = 0x01
PAGE_READONLY = 0x02
PAGE_READWRITE = 0x04
PAGE_WRITECOPY = 0x08
"lm" can be used to display module boundary addresses
"!dh " can be used to display the PE header
--------------------------------------------------------------------------
An example of how to use it. We know the debuggee will call functions in the psapi module; change the memory protection of psapi's .text section so that execution breaks as soon as control enters psapi.
> lm m psapi
start end module name
00007ffd`66180000 00007ffd`66188000 psapi
> !dh -s psapi
SECTION HEADER #1
.text name
467 virtual size
1000 virtual address // RVA
600 size of raw data
400 file pointer to raw data
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
60000020 flags
Code
(no align specified)
Execute Read
...
lm is unnecessary: the module name evaluates to the module base address. Most of the time !dh is unnecessary as well, since the RVA of .text is very likely 0x1000.
> !debugext.MemInfo psapi+0x1000 // MODULEBASE+RVA
MEMORY_BASIC_INFORMATION
BaseAddress = 00007FFD`66181000 // dst
AllocationBase = 00007FFD`66180000 // MODULEBASE
RegionSize = 1000 // dstlen
AllocationProtect = 80
State = 1000
Protect = 20 // old
Type = 1000000
> !vprot psapi+0x1000 // MODULEBASE+RVA
BaseAddress: 00007ffd66181000 // dst
AllocationBase: 00007ffd66180000 // MODULEBASE
AllocationProtect: 00000080 PAGE_EXECUTE_WRITECOPY
RegionSize: 0000000000001000 // dstlen
State: 00001000 MEM_COMMIT
Protect: 00000020 PAGE_EXECUTE_READ // old
Type: 01000000 MEM_IMAGE
Change the memory protection of the module's .text section to PAGE_NOACCESS:
> !debugext.Protect 0x7FFD66181000 0x1000 0x1
New protection (1)
Old protection (20)
Trigger the memory-protection breakpoint:
> !address ntdll
(bd8.ef4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
psapi!GetMappedFileNameWStub:
00007ffd`661813b0 ?? ???
> kpn
psapi!GetMappedFileNameWStub
ext!UmMapFileMappings+0x25e
ext!UmAnalyzeAddress+0x264
ext!Extension::address+0x1ad
ext!ExtExtension::CallExtCodeCEH+0xea
ext!ExtExtension::CallExtCodeSEH+0x57
ext!address+0x5d
dbgeng!ExtensionInfo::CallA+0x287
dbgeng!ExtensionInfo::Call+0x121
dbgeng!ExtensionInfo::CallAny+0x9d
dbgeng!ParseBangCmd+0x47b
dbgeng!ProcessCommands+0xdbb
dbgeng!ProcessCommandsAndCatch+0xa5
dbgeng!Execute+0x2bb
dbgeng!DebugClient::ExecuteWide+0x83
cdb!MainLoop+0x516
cdb!wmain+0x46e
Restore the memory protection of the module's .text section to PAGE_EXECUTE_READ:
> !debugext.Protect 0x7FFD66181000 0x1000 0x20
New protection (20)
Old protection (1)
Continue with gh, which marks exception 0xc0000005 as handled:
> gh poi(@rsp)
The example above is not ideal: with PAGE_NOACCESS, the memory protection has to be restored by hand before execution can continue. PAGE_GUARD should be used instead:
PAGE_NOACCESS 1
PAGE_READONLY 2
PAGE_READWRITE 4
PAGE_WRITECOPY 8
PAGE_EXECUTE 10
PAGE_EXECUTE_READ 20
PAGE_EXECUTE_READWRITE 40
PAGE_EXECUTE_WRITECOPY 80
PAGE_GUARD 100
PAGE_NOCACHE 200
PAGE_WRITECOMBINE 400
Change the memory protection of the module's .text section to PAGE_EXECUTE_READ+PAGE_GUARD:
> !debugext.Protect 0x7FFD66181000 0x1000 0x120
New protection (120)
Old protection (20)
Trigger the memory-protection breakpoint:
> !address ntdll
(818.1394): Guard page violation - code 80000001 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
psapi!GetMappedFileNameWStub:
00007ffd`661813b0 48ff25f90d0000 jmp qword ptr [psapi!_imp_K32GetMappedFileNameW] ds:00007ffd`661821b0={KERNELBASE!K32GetMappedFileNameW
Check the module's .text memory protection at this point: it has already reverted to 0x20.
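The PAGE_GUARD procedure above as a windbg command script (added here; not from the original note or from debugext). Instead of assuming the .text RVA is 0x1000, it reads the first section header out of the PE header with dwo()/wo(); it assumes debugext.dll is loaded, that .text is section #1 as in the !dh output above, and that !debugext.Protect evaluates expressions the way !debugext.MemInfo does.

```windbg
$$ Added example, not part of scz's note: PAGE_GUARD breakpoint on a module's .text
$$ section, with the section address taken from the PE header instead of assumed.
$$ Assumes debugext.dll is loaded and !debugext.Protect accepts MASM expressions.
$$ module name evaluates to the module base (see note above)
r $t0 = psapi
$$ IMAGE_NT_HEADERS = base + e_lfanew (IMAGE_DOS_HEADER + 0x3c)
r $t1 = @$t0 + dwo(@$t0 + 0x3c)
$$ first IMAGE_SECTION_HEADER = NT headers + 0x18 + SizeOfOptionalHeader (FileHeader + 0x10)
r $t2 = @$t1 + 0x18 + wo(@$t1 + 0x14)
$$ dst = base + section VirtualAddress (IMAGE_SECTION_HEADER + 0xc)
r $t3 = @$t0 + dwo(@$t2 + 0xc)
$$ dstlen = section VirtualSize (IMAGE_SECTION_HEADER + 0x8) rounded up to whole pages
r $t4 = (dwo(@$t2 + 0x8) + 0xfff) & 0xfffffffffffff000
.printf ".text at %p, %p bytes\n", @$t3, @$t4
$$ before: expect Protect 0x20 PAGE_EXECUTE_READ
!vprot @$t3
$$ arm: PAGE_EXECUTE_READ | PAGE_GUARD = 0x120
!debugext.Protect @$t3 @$t4 0x120
$$ run until the first touch raises 0x80000001 (guard page violation)
g
$$ after the break: the guard bit has been consumed, protection is 0x20 again,
$$ so no manual restore is needed before continuing
!vprot @$t3
```

Save it to a file and run it with $$>< so that the commands after g execute once the guard page violation breaks in.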