Title: windbg memory-protection breakpoints
Created: 2018-03-21 14:32
Link: https://scz.617.cn/windows/201803211432.txt

Extending windbg with Page Fault Breakpoints - [2011-05-01]
http://www.codeproject.com/Articles/186230/Extending-windbg-with-Page-Fault-Breakpoints
http://www.codeproject.com/KB/debug/ExtendingWindbg/pagefaultbp_demo.zip
http://www.codeproject.com/KB/debug/ExtendingWindbg/pagefaultbp_src.zip

Compared with sdbgext.dll, debugext.dll ships with source code and supports x64.

> .load debugext.dll

--------------------------------------------------------------------------

> !debugext.help

Commands for C:\Program Files\Windows Kits\10\Debuggers\x64\winext\debugext.dll:
  !MemInfo - Read memory information
             Usage: !MemInfo <address>
  !Protect - Protect page from access
             Usage: !Protect <address> <size> <protection>
             Example: !Protect 65310000 1000 1
             Protection flags:
               PAGE_EXECUTE           = 0x10
               PAGE_EXECUTE_READ      = 0x20
               PAGE_EXECUTE_READWRITE = 0x40
               PAGE_EXECUTE_WRITECOPY = 0x80
               PAGE_NOACCESS          = 0x01
               PAGE_READONLY          = 0x02
               PAGE_READWRITE         = 0x04
               PAGE_WRITECOPY         = 0x08
             "lm" can be used to display module boundary addresses
             "!dh <module>" can be used to display the PE header
  !help    - Displays information on available extension commands
!help <cmd> will give more information for a particular command

(The angle-bracket placeholders above were eaten by the HTML extraction; they
are reconstructed from the parameter descriptions printed by the extension.)

--------------------------------------------------------------------------

> !debugext.help MemInfo

!MemInfo <address> [/pid <pid>]
  <address>  - Memory address to protect
  /pid <pid> - Process ID (defaults to @$tpid)

Read memory information
Usage: !MemInfo <address>

--------------------------------------------------------------------------

> !debugext.help Protect

!Protect <address> <size> <protection> [/pid <pid>]
  <address>    - Memory address to protect
  <size>       - Memory Size to protect
  <protection> - Protection mask
  /pid <pid>   - Process ID (defaults to @$tpid)

Protect page from access
Usage: !Protect <address> <size> <protection>
Example: !Protect 65310000 1000 1
Protection flags:
  PAGE_EXECUTE           = 0x10
  PAGE_EXECUTE_READ      = 0x20
  PAGE_EXECUTE_READWRITE = 0x40
  PAGE_EXECUTE_WRITECOPY = 0x80
  PAGE_NOACCESS          = 0x01
  PAGE_READONLY          = 0x02
  PAGE_READWRITE         = 0x04
  PAGE_WRITECOPY         = 0x08
"lm" can be used to display module boundary addresses
"!dh <module>" can be used to display the PE header

--------------------------------------------------------------------------

A worked example. We know the debuggee will call into the psapi module, so we
change the protection of psapi's .text section and get a break as soon as
control flow enters psapi. (In this session the debuggee is itself a cdb
instance, as the stack trace further down shows.)

> lm m psapi

start             end                 module name
00007ffd`66180000 00007ffd`66188000   psapi

> !dh -s psapi

SECTION HEADER #1
   .text name
     467 virtual size
    1000 virtual address           // RVA
     600 size of raw data
     400 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
60000020 flags
         Code
         (no align specified)
         Execute Read
...

lm is not really needed: a module name evaluates to the module base. Most of
the time !dh is not needed either, because the RVA of .text is very likely
0x1000.

> !debugext.MemInfo psapi+0x1000      // MODULEBASE+RVA

MEMORY_BASIC_INFORMATION
BaseAddress       = 00007FFD`66181000 // dst
AllocationBase    = 00007FFD`66180000 // MODULEBASE
RegionSize        = 1000              // dstlen
AllocationProtect = 80
State             = 1000
Protect           = 20                // old
Type              = 1000000

> !vprot psapi+0x1000                 // MODULEBASE+RVA

BaseAddress:       00007ffd66181000  // dst
AllocationBase:    00007ffd66180000  // MODULEBASE
AllocationProtect: 00000080  PAGE_EXECUTE_WRITECOPY
RegionSize:        0000000000001000  // dstlen
State:             00001000  MEM_COMMIT
Protect:           00000020  PAGE_EXECUTE_READ  // old
Type:              01000000  MEM_IMAGE

Change the protection of the module's .text to PAGE_NOACCESS:

> !debugext.Protect 0x7FFD66181000 0x1000 0x1

New protection (1) Old protection (20)

Trigger the memory-protection breakpoint (the command is typed into the
debuggee cdb; its ext!address implementation calls psapi!GetMappedFileNameW):

> !address ntdll

(bd8.ef4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
psapi!GetMappedFileNameWStub:
00007ffd`661813b0 ??              ???

The disassembly shows "?? ???" because the page is now PAGE_NOACCESS for the
debugger as well: it cannot read the instruction bytes until the protection is
restored. Note also that the break is reported as an ordinary access violation
(0xc0000005), indistinguishable from a real AV in the target.

> kpn

psapi!GetMappedFileNameWStub
ext!UmMapFileMappings+0x25e
ext!UmAnalyzeAddress+0x264
ext!Extension::address+0x1ad
ext!ExtExtension::CallExtCodeCEH+0xea
ext!ExtExtension::CallExtCodeSEH+0x57
ext!address+0x5d
dbgeng!ExtensionInfo::CallA+0x287
dbgeng!ExtensionInfo::Call+0x121
dbgeng!ExtensionInfo::CallAny+0x9d
dbgeng!ParseBangCmd+0x47b
dbgeng!ProcessCommands+0xdbb
dbgeng!ProcessCommandsAndCatch+0xa5
dbgeng!Execute+0x2bb
dbgeng!DebugClient::ExecuteWide+0x83
cdb!MainLoop+0x516
cdb!wmain+0x46e

Restore the protection of the module's .text to PAGE_EXECUTE_READ:

> !debugext.Protect 0x7FFD66181000 0x1000 0x20

New protection (20) Old protection (1)

Continue with gh, which tells the debuggee that exception 0xc0000005 has been
handled (a plain g would pass the access violation on to the target's own
exception handlers). poi(@rsp) is the return address on the stack, so the
optional break address makes the debugger stop again when
GetMappedFileNameWStub returns to its caller:

> gh poi(@rsp)

The example above is not ideal: with PAGE_NOACCESS the protection has to be
restored by hand before execution can continue. PAGE_GUARD should be used
instead:

PAGE_NOACCESS           1
PAGE_READONLY           2
PAGE_READWRITE          4
PAGE_WRITECOPY          8
PAGE_EXECUTE            10
PAGE_EXECUTE_READ       20
PAGE_EXECUTE_READWRITE  40
PAGE_EXECUTE_WRITECOPY  80
PAGE_GUARD              100
PAGE_NOCACHE            200
PAGE_WRITECOMBINE       400

PAGE_GUARD is a modifier bit, not a protection on its own: it is OR-ed onto a
base protection and cannot be combined with PAGE_NOACCESS.

Change the protection of the module's .text to PAGE_EXECUTE_READ+PAGE_GUARD:

> !debugext.Protect 0x7FFD66181000 0x1000 0x120

New protection (120) Old protection (20)

Trigger the memory-protection breakpoint:

> !address ntdll

(818.1394): Guard page violation - code 80000001 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
psapi!GetMappedFileNameWStub:
00007ffd`661813b0 48ff25f90d0000  jmp     qword ptr [psapi!_imp_K32GetMappedFileNameW] ds:00007ffd`661821b0={KERNELBASE!K32GetMappedFileNameW

Check the protection of the module's .text at this point: it has already
reverted to 0x20. The memory manager clears the PAGE_GUARD bit itself when it
raises STATUS_GUARD_PAGE_VIOLATION, which is why the instruction bytes are
readable again and no manual restore is needed; this time the break carries its
own status code (0x80000001) instead of masquerading as an access violation.
Continue with gh as before. The guard is one-shot: to catch the next entry into
psapi, set 0x120 again only after the faulting instruction has been allowed to
complete, because re-arming the page before it retries just faults on the same
instruction again.
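The PAGE_GUARD procedure above, collected into one WinDbg command script that uses pseudo-registers instead of a pasted absolute address. This is an added example written for this page, not code from the original article or from debugext. It assumes debugext.dll is on the extension path, that psapi's .text starts at RVA 0x1000 as in the session above (confirm with "!dh -s psapi"), and that !Protect evaluates pseudo-registers in its arguments the same way !MemInfo evaluated psapi+0x1000 in the session; if it does not, substitute the literal hex values.

```windbg
$$ Added example: one-shot "entered psapi" trap using PAGE_GUARD.
$$ Not part of the original article or of debugext. Assumes:
$$   - debugext.dll loads from the winext directory,
$$   - psapi's .text begins at RVA 0x1000 (check with "!dh -s psapi"),
$$   - !Protect evaluates @$tN pseudo-registers like !MemInfo did for psapi+0x1000.
.load debugext.dll

$$ $t0 = first page of psapi!.text, $t1 = number of bytes to guard (one page)
r $t0 = psapi + 0x1000
r $t1 = 0x1000

$$ Look at the current protection before touching it (expected 0x20, PAGE_EXECUTE_READ)
!vprot @$t0

$$ $t2 = base protection | PAGE_GUARD (0x100). PAGE_GUARD is a modifier bit and
$$ must be OR-ed onto a base protection; it cannot be combined with PAGE_NOACCESS.
r $t2 = 0x20 | 0x100

$$ Break on first-chance guard-page violations (sx event code "gp", status 0x80000001)
sxe gp

!debugext.Protect @$t0 @$t1 @$t2
g

$$ ---- the target stops here the first time any thread fetches from that page ----
$$ The memory manager has already stripped PAGE_GUARD: Protect reads 0x20 again,
$$ so nothing has to be restored by hand before continuing.
!vprot @$t0
kpn 8

$$ Resume with the exception marked as handled. A plain "g" would instead pass
$$ STATUS_GUARD_PAGE_VIOLATION to the target's own exception handlers.
gh

$$ To arm the trap again, repeat the !Protect line only after the faulting
$$ instruction has completed; re-arming before it retries faults on the same spot.
```

The part up to and including the first g is typed (or run as a script) while the target is stopped; the lines after the separator comment are for the break that follows. Because the trap is one-shot and the size argument covers whole pages, guarding only the first page of .text catches the first entry into psapi from any thread, which is usually what is wanted when the question is "who calls into this module first".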