8) ntdll!RtlpBreakPointHeap() -------------------------------------------------------------------------- ; __stdcall RtlpBreakPointHeap(x) _RtlpBreakPointHeap@4 proc near arg_0= dword ptr 4 mov eax, large fs:18h ; +0x018 Self : Ptr32 _NT_TIB,指向_TEB mov eax, [eax+30h] ; +0x030 ProcessEnvironmentBlock : Ptr32 _PEB cmp byte ptr [eax+2], 0 ; +0x002 BeingDebugged : UChar ; ; if ( FALSE == _PEB.BeingDebugged ) ; { ; goto RtlpBreakPointHeap_exit ; } jz short RtlpBreakPointHeap_exit mov eax, [esp+arg_0] ; EAX现在等于第一形参 mov _RtlpHeapInvalidBreakPoint, 1 mov _RtlpHeapInvalidBadAddress, eax call near ptr _DbgBreakPoint@0 ; from XP DDK ; ; /* ; * breaks into the kernel debugger ; */ ; VOID NTAPI DbgBreakPoint ; ( ; VOID ; ); mov _RtlpHeapInvalidBreakPoint, 0 RtlpBreakPointHeap_exit: retn 4 _RtlpBreakPointHeap@4 endp -------------------------------------------------------------------------- -------------------------------------------------------------------------- /* * 这是ntdll.dll中定义的两个全局变量 */ extern BOOL RtlpHeapInvalidBreakPoint; extern PVOID RtlpHeapInvalidBadAddress; void __stdcall RtlpBreakPointHeap ( PVOID addr ) { if ( _PEB.BeingDebugged ) { RtlpHeapInvalidBreakPoint = TRUE; RtlpHeapInvalidBadAddress = addr; /* * from XP DDK * * breaks into the kernel debugger * * 如果在target上安装了kd一类的调试器,将"陷入"。 */ DbgBreakPoint(); RtlpHeapInvalidBreakPoint = FALSE; } return; } /* end of RtlpBreakPointHeap */ --------------------------------------------------------------------------