Windbg Notes

Setting

Load symbols

  • Create the folder C:\MyLocalSymbols first
  • File -> Settings -> Debugging settings -> Symbol Path
srv*C:\MyLocalSymbols*http://msdl.microsoft.com/download/symbols

Download symbols manually

Download them with symchk.exe, found under C:\Program Files (x86)\Windows Kits\10\Debuggers\x64

symchk.exe <some dll or exe> /s <stored path>
symchk.exe ntdll.dll /s C:\MySymbols

Or use WinDbg commands

# List all modules
lm
# Download the symbols for a module
ld ntdll

Or use symchk

symchk /r C:\Windows\System32\yourfile.dll /s srv*C:\symbols*https://msdl.microsoft.com/download/symbols
  • If the symbols are found, they are stored in C:\symbols

Windbg Remote Debugging

  • Run the following on the target
bcdedit /debug on
bcdedit /dbgsettings net hostip:<host ip> port:<target bind port> key:1.2.3.4
# e.g.
# bcdedit /dbgsettings net hostip:10.87.87.1 port:55666 key:1.2.3.4
  • On the host:

Open WinDbg Preview
Select File > Start debugging > Attach to kernel > Net
Provide the same port number and key as in bcdedit. Press OK.
Press Break (or use Ctrl + Break) to enter a debugging session

Attach to a user process on the remote machine

Remote side:

  • Attach to the process first
  • Enter in the WinDbg command window
.server tcp:port=5005

A line like the following is printed:

-remote tcp:Port=5005,Server=<HostName>

Copy it and run it in cmd on the local side:

windbgx -remote tcp:Port=5005,Server=<HostName>

Or use "Connect to process server" in the GUI

Notes:

  • The server side downloads and loads the symbols, so the symbols must live on the remote side and the symbol path must also be configured on the server side

Ref

Cheat sheet

Help

.hh

Check symbols

x *!
x kernel32!virtual*

Go

  • Step out
    Shift + F11
  • Step into
    F11
  • Step over
    F10
  • Continue
    g

Breakpoint

  • Set breakpoint
    bp KERNEL32!CreateFileA
    bp 00007ff9`ba68ca80
    bp EIP
    # When the breakpoint is hit, print a string and continue
    bp raspptp!PptpCmDeactivateVcComplete ".echo PptpCmDeactivateVcComplete; g"

  • List breakpoints
    bl

  • Clear breakpoint
    bc 1

Set Exception

  • Break when a specific module is loaded:
0:000> sxe ld:clr
0:000> g
ModLoad: 00007fff`84860000 00007fff`8490e000   C:\Windows\System32\ADVAPI32.dll
ModLoad: 00007fff`85540000 00007fff`855de000   C:\Windows\System32\msvcrt.dll
ModLoad: 00007fff`84270000 00007fff`8430c000   C:\Windows\System32\sechost.dll
ModLoad: 00007fff`83b00000 00007fff`83c25000   C:\Windows\System32\RPCRT4.dll
ModLoad: 00007fff`61d30000 00007fff`61dda000   C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll
ModLoad: 00007fff`854e0000 00007fff`85535000   C:\Windows\System32\SHLWAPI.dll
ModLoad: 00007fff`80eb0000 00007fff`80ec2000   C:\Windows\SYSTEM32\kernel.appcore.dll
ModLoad: 00007fff`7c210000 00007fff`7c21a000   C:\Windows\SYSTEM32\VERSION.dll
ModLoad: 00007fff`56530000 00007fff`57065000   C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll
ntdll!ZwMapViewOfSection+0x14:
00007fff`8590d444 c3              ret

Module

  • List modules
    lm

Display the stack frame (back trace)

kb

Display function data

.fnent 140002057
  • Looks up the function's description in the exception table

Threads

  • See a list of all threads
    ~

  • Switch to other thread
    ~0s

  • Freeze/Unfreeze thread
    ~3 f
    ~3 u

Memory

  • Show memory
    d @esp
    dq 0x000000ac69d1fbf0 L10

  • Display Debugger Object Model Expression
    dx -r1 (*((ntdll!_EVENT_HEADER *) @rcx))

  • Display char / w_char string
    ds <pointer to an ANSI_STRING/STRING struct>
    dS <pointer to a UNICODE_STRING struct>
    da <char string address>
    du <w_char string address>

Displays information about the memory

!address

disassemble at address

u address
# e.g.
# u 00007ff7`6d90c9dd

watch trace

wt
  • Use it while stopped before a call or jmp instruction; it records statistics on all the function calls made, including
    • system calls

edit register

r rip = fffff806`06912cec

edit memory

ed 0x12345678 0xf

Kernel-only commands

list drivers

.reload
  • Make sure .reload has been run first
lm
// The following is equivalent
!list -x "dt nt!_LDR_DATA_TABLE_ENTRY @$extret BaseDllName DllBase" nt!PsLoadedModuleList

list processes

!process 0 0
  • List all processes

get msr

rdmsr c0000082

thread

!thread:

0: kd> !thread
THREAD fffff8022313fb80  Cid 0000.0000  Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 0
Not impersonating
DeviceMap                 ffffb68d7fe25360
Owning Process            fffff8022313cac0       Image:         Idle
Attached Process          ffffd00a188b1040       Image:         System
Wait Start TickCount      14502          Ticks: 0
Context Switch Count      91174          IdealProcessor: 0             
UserTime                  00:00:00.000
KernelTime                00:03:09.671
Win32 Start Address nt!KiIdleLoop (0xfffff8022281a670)
Stack Init ffffa381133f8fb0 Current fffff8021e6b8c00
Base ffffa381133f9000 Limit ffffa381133f3000 Call 0000000000000000
Priority 0 BasePriority 0 PriorityDecrement 0 IoPriority 0 PagePriority 5
Child-SP          RetAddr               : Args to Child                                                           : Call Site
ffffa381`133f7e20 fffff802`2745339b     : ffffd00a`1c2a0d30 ffffa381`133f8011 00000000`000000dc ffffd00a`1c2a0d30 : raspptp!CtlpEngine+0x329
ffffa381`133f7f60 fffff802`2745a7c1     : 00000000`000000dc ffffd00a`1d8a3c90 ffffd00a`1c97d0aa 00000000`00000201 : raspptp!CtlReceiveCallback+0x4b
ffffa381`133f7fa0 fffff802`2745b21c     : ffffd00a`1ca2caa0 00000000`0000000e 00000000`00000000 fffff802`2487a875 : raspptp!ReceiveData+0x219
ffffa381`133f8070 fffff802`26223d88     : ffffa381`133f81b8 00000000`00000000 ffffa381`133f82d0 ffffd00a`1e321c00 : raspptp!WskConnReceiveEvent+0x1c
ffffa381`133f80b0 fffff802`25414842     : ffffd00a`1c97d08e ffffd00a`1c53f9a0 ffffd00a`1d862a20 00000000`00000000 : afd!WskProTLEVENTReceive+0xe8
ffffa381`133f8160 fffff802`25413d55     : ffffd00a`1d862a20 ffffd00a`1ca2caa0 ffffa381`133f8418 00000000`00000000 : tcpip!TcpIndicateData+0x112
ffffa381`133f8240 fffff802`25413399     : ffffa381`133f8618 00000000`00000000 00000000`00000000 00000000`00000000 : tcpip!TcpDeliverDataToClient+0x565
ffffa381`133f83a0 fffff802`2541557b     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : tcpip!TcpDeliverReceive+0xd9
ffffa381`133f84a0 fffff802`25414d09     : 00000000`00000000 00000000`00000000 00000000`00000004 00000000`00000000 : tcpip!TcpTcbFastDatagram+0x42b
ffffa381`133f86a0 fffff802`25412942     : ffffd00a`1a5a4280 00000000`00000000 00000000`00000000 ffffd00a`1a5a4280 : tcpip!TcpTcbReceive+0x189
ffffa381`133f8820 fffff802`25411ebd     : 00000000`00000000 ffffd00a`1a1986b0 00000000`46ef463c 00000000`00000000 : tcpip!TcpMatchReceive+0x1f2
ffffa381`133f8a00 fffff802`25465e92     : ffffd00a`1c25bb06 fffff802`00000001 ffffd00a`00000000 00000000`00000001 : tcpip!TcpReceive+0x44d
ffffa381`133f8af0 fffff802`25410068     : fffff802`00000014 ffffd00a`1a5a4280 ffffd00a`1c25ca20 fffff802`2540b9f1 : tcpip!TcpNlClientReceiveDatagrams+0x22
ffffa381`133f8b30 fffff802`2540f35b     : 00000000`00000000 00000000`00000006 ffffa381`133f8ca9 ffffa381`133f8c80 : tcpip!IppProcessDeliverList+0xb8
ffffa381`133f8c20 fffff802`25410aaa     : fffff802`255f0a10 ffffd00a`1a5ba8c0 ffffd00a`1a5a4000 ffffd00a`1a5a4200 : tcpip!IppReceiveHeaderBatch+0x21b
ffffa381`133f8d10 fffff802`25565c5f     : ffffd00a`18ebf210 ffffd00a`1c25ca20 00000000`00000001 00000000`00000000 : tcpip!IppReceivePackets+0x36a
ffffa381`133f8e20 fffff802`2549b244     : ffffa381`133f8fb0 ffffa381`133f9000 fffff802`2313fb80 00000000`00000000 : tcpip!IppInspectInjectReceiveEx+0x157
ffffa381`133f8e70 fffff802`25719cf6     : ffffa381`133f8fb0 00000000`00000000 00000000`00000000 00000000`00000000 : tcpip!IppInspectInjectReceive+0x24
ffffa381`133f8ed0 fffff802`2281a42e     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : fwpkclnt!FwppInjectionStackCallout+0x116
ffffa381`133f8f60 fffff802`2281a3ec     : ffffa381`133f8fb0 fffff802`2313fb80 00000000`00000002 fffff802`22627c3b : nt!KxSwitchKernelStackCallout+0x2e (TrapFrame @ ffffa381`133f8e20)
fffff802`1e6b6dc0 fffff802`22627c3b     : ffffa381`133f8fb0 fffff802`2313fb80 ffffa381`133f9000 fffff802`1e6b6e00 : nt!KiSwitchKernelStackContinue
fffff802`1e6b6de0 fffff802`2271377b     : fffff802`25719be0 fffff802`1e6b7030 00000000`00000000 fffff802`00000002 : nt!KiExpandKernelStackAndCalloutOnStackSegment+0x19b
fffff802`1e6b6e70 fffff802`22713593     : ffffd00a`1c25ca20 ffffd00a`1a2022a0 00000000`00000002 00000000`00000000 : nt!KiExpandKernelStackAndCalloutSwitchStack+0x13b
fffff802`1e6b6ee0 fffff802`2271354d     : fffff802`25719be0 fffff802`1e6b7030 ffffd00a`18ebc3d0 00000000`00000000 : nt!KeExpandKernelStackAndCalloutInternal+0x33
fffff802`1e6b6f50 fffff802`25704b24     : 00000000`00000001 ffffd00a`1ca2d750 00000000`00000000 fffff802`2759cc20 : nt!KeExpandKernelStackAndCalloutEx+0x1d
fffff802`1e6b6f90 fffff802`2571ac3a     : 00000000`00000000 fffff802`1e6b70a9 ffffd00a`1c25ca20 00000000`00000001 : fwpkclnt!NetioExpandKernelStackAndCallout+0x58
fffff802`1e6b6fd0 fffff802`2759a85d     : ffffd00a`1ca2d750 00000000`00000000 00000000`00000002 ffffd00a`1ac082a0 : fwpkclnt!FwpsInjectNetworkReceiveAsync0+0x1da
fffff802`1e6b70f0 fffff802`2487a875     : ffffd00a`1a1b23b0 fffff802`1e6b7280 fffff802`1e6b73c0 ffffd00a`1a1b2618 : ipnat!NatLocalInCallout+0x43d
fffff802`1e6b7180 fffff802`2487a149     : 00000000`00000000 fffff802`1e6b7840 ffffd00a`1ca2caa0 ffffd00a`1ac082a0 : NETIO!ProcessCallout+0x2b5
fffff802`1e6b7310 fffff802`24878df4     : fffff802`1e6b75d8 fffff802`1e6b7540 ffffd00a`1e0dbaa0 ffffd00a`1e0db950 : NETIO!ArbitrateAndEnforce+0x5b9
fffff802`1e6b7440 fffff802`2549800e     : ffffd00a`1c97d092 00000000`00000000 fffff802`255f0a10 00000000`00000000 : NETIO!KfdClassify+0x374
fffff802`1e6b7810 fffff802`2540fd1e     : ffffd00a`1c53f9a0 00000000`00000014 00000000`00000001 ffffd00a`1a5a4000 : tcpip!ShimIpPacketInV4+0x87baa
fffff802`1e6b7bf0 fffff802`2540f1ce     : ffffd00a`1abd6620 00000000`00000000 ffffd00a`1ac082a0 ffffd00a`1a5a4000 : tcpip!IppReceiveHeadersHelper+0x28e
fffff802`1e6b7d10 fffff802`25410aaa     : fffff802`255f0a10 ffffd00a`1a5ba8c0 ffffd00a`1abcf010 ffffd00a`1a5a4100 : tcpip!IppReceiveHeaderBatch+0x8e
fffff802`1e6b7e00 fffff802`253efaae     : ffffd00a`18ebf210 00000000`00000000 fffff802`1e6b7f01 00000000`00000000 : tcpip!IppReceivePackets+0x36a
fffff802`1e6b7f10 fffff802`253ed9d8     : 00000000`00000001 ffffd00a`1abd6600 fffff802`2545db30 fffff802`1e6b82e0 : tcpip!FlpReceiveNonPreValidatedNetBufferListChain+0x29e
fffff802`1e6b8010 fffff802`227135d8     : 00000000`00000000 fffff802`253ed840 fffff802`2313fb80 00000000`00000002 : tcpip!FlReceiveNetBufferListChainCalloutRoutine+0x198
fffff802`1e6b8150 fffff802`2271354d     : fffff802`253ed840 fffff802`1e6b8300 ffffd00a`18ebd2d0 00000000`00000000 : nt!KeExpandKernelStackAndCalloutInternal+0x78
fffff802`1e6b81c0 fffff802`2545da1d     : fffff802`1e6b8270 00000000`c0010000 fffff802`1eb16800 00000000`00000800 : nt!KeExpandKernelStackAndCalloutEx+0x1d
fffff802`1e6b8200 fffff802`2545d14f     : 00000000`00000000 fffff802`1e6b8360 ffffd00a`1abd6620 00000000`00000000 : tcpip!NetioExpandKernelStackAndCallout+0x8d

0: kd> !process fffff8022313cac0
PROCESS fffff8022313cac0
    SessionId: none  Cid: 0000    Peb: 00000000  ParentCid: 0000
    DirBase: 001ae000  ObjectTable: ffffb68d7fe51e00  HandleCount: 2265.
    Image: Idle
    VadRoot ffffd00a1885ef70 Vads 2 Clone 0 Private 9. Modified 1755. Locked 0.
    DeviceMap 0000000000000000
    Token                             ffffb68d7fe55960
    ElapsedTime                       00:06:18.579
    UserTime                          00:00:00.000
    KernelTime                        00:00:00.000
    QuotaPoolUsage[PagedPool]         0
    QuotaPoolUsage[NonPagedPool]      272
    Working Set Sizes (now,min,max)  (9, 50, 450) (36KB, 200KB, 1800KB)
    PeakWorkingSetSize                2
    VirtualSize                       0 Mb
    PeakVirtualSize                   0 Mb
    PageFaultCount                    9
    MemoryPriority                    BACKGROUND
    BasePriority                      0
    CommitCharge                      15

        THREAD fffff8022313fb80  Cid 0000.0000  Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 0
        Not impersonating
        DeviceMap                 ffffb68d7fe25360
        Owning Process            fffff8022313cac0       Image:         Idle
        Attached Process          ffffd00a188b1040       Image:         System
        Wait Start TickCount      14502          Ticks: 0
        Context Switch Count      91174          IdealProcessor: 0             
        UserTime                  00:00:00.000
        KernelTime                00:03:09.671
        Win32 Start Address nt!KiIdleLoop (0xfffff8022281a670)
        Stack Init ffffa381133f8fb0 Current fffff8021e6b8c00
        Base ffffa381133f9000 Limit ffffa381133f3000 Call 0000000000000000
        Priority 0 BasePriority 0 PriorityDecrement 0 IoPriority 0 PagePriority 5
        Child-SP          RetAddr               Call Site
        ffffa381`133f7e20 fffff802`2745339b     raspptp!CtlpEngine+0x329
        ffffa381`133f7f60 fffff802`2745a7c1     raspptp!CtlReceiveCallback+0x4b
        ffffa381`133f7fa0 fffff802`2745b21c     raspptp!ReceiveData+0x219
        ffffa381`133f8070 fffff802`26223d88     raspptp!WskConnReceiveEvent+0x1c
        ffffa381`133f80b0 fffff802`25414842     afd!WskProTLEVENTReceive+0xe8
        ffffa381`133f8160 fffff802`25413d55     tcpip!TcpIndicateData+0x112
        ffffa381`133f8240 fffff802`25413399     tcpip!TcpDeliverDataToClient+0x565
        ffffa381`133f83a0 fffff802`2541557b     tcpip!TcpDeliverReceive+0xd9
        ffffa381`133f84a0 fffff802`25414d09     tcpip!TcpTcbFastDatagram+0x42b
        ffffa381`133f86a0 fffff802`25412942     tcpip!TcpTcbReceive+0x189
        ffffa381`133f8820 fffff802`25411ebd     tcpip!TcpMatchReceive+0x1f2
        ffffa381`133f8a00 fffff802`25465e92     tcpip!TcpReceive+0x44d
        ffffa381`133f8af0 fffff802`25410068     tcpip!TcpNlClientReceiveDatagrams+0x22
        ffffa381`133f8b30 fffff802`2540f35b     tcpip!IppProcessDeliverList+0xb8
        ffffa381`133f8c20 fffff802`25410aaa     tcpip!IppReceiveHeaderBatch+0x21b
        ffffa381`133f8d10 fffff802`25565c5f     tcpip!IppReceivePackets+0x36a
        ffffa381`133f8e20 fffff802`2549b244     tcpip!IppInspectInjectReceiveEx+0x157
        ffffa381`133f8e70 fffff802`25719cf6     tcpip!IppInspectInjectReceive+0x24
        ffffa381`133f8ed0 fffff802`2281a42e     fwpkclnt!FwppInjectionStackCallout+0x116
        ffffa381`133f8f60 fffff802`2281a3ec     nt!KxSwitchKernelStackCallout+0x2e (TrapFrame @ ffffa381`133f8e20)
        fffff802`1e6b6dc0 fffff802`22627c3b     nt!KiSwitchKernelStackContinue
        fffff802`1e6b6de0 fffff802`2271377b     nt!KiExpandKernelStackAndCalloutOnStackSegment+0x19b
        fffff802`1e6b6e70 fffff802`22713593     nt!KiExpandKernelStackAndCalloutSwitchStack+0x13b
        fffff802`1e6b6ee0 fffff802`2271354d     nt!KeExpandKernelStackAndCalloutInternal+0x33
        fffff802`1e6b6f50 fffff802`25704b24     nt!KeExpandKernelStackAndCalloutEx+0x1d
        fffff802`1e6b6f90 fffff802`2571ac3a     fwpkclnt!NetioExpandKernelStackAndCallout+0x58
        fffff802`1e6b6fd0 fffff802`2759a85d     fwpkclnt!FwpsInjectNetworkReceiveAsync0+0x1da
        fffff802`1e6b70f0 fffff802`2487a875     ipnat!NatLocalInCallout+0x43d
        fffff802`1e6b7180 fffff802`2487a149     NETIO!ProcessCallout+0x2b5
        fffff802`1e6b7310 fffff802`24878df4     NETIO!ArbitrateAndEnforce+0x5b9
        fffff802`1e6b7440 fffff802`2549800e     NETIO!KfdClassify+0x374
        fffff802`1e6b7810 fffff802`2540fd1e     tcpip!ShimIpPacketInV4+0x87baa
        fffff802`1e6b7bf0 fffff802`2540f1ce     tcpip!IppReceiveHeadersHelper+0x28e
        fffff802`1e6b7d10 fffff802`25410aaa     tcpip!IppReceiveHeaderBatch+0x8e
        fffff802`1e6b7e00 fffff802`253efaae     tcpip!IppReceivePackets+0x36a
        fffff802`1e6b7f10 fffff802`253ed9d8     tcpip!FlpReceiveNonPreValidatedNetBufferListChain+0x29e
        fffff802`1e6b8010 fffff802`227135d8     tcpip!FlReceiveNetBufferListChainCalloutRoutine+0x198
        fffff802`1e6b8150 fffff802`2271354d     nt!KeExpandKernelStackAndCalloutInternal+0x78
        fffff802`1e6b81c0 fffff802`2545da1d     nt!KeExpandKernelStackAndCalloutEx+0x1d
        fffff802`1e6b8200 fffff802`2545d14f     tcpip!NetioExpandKernelStackAndCallout+0x8d

        THREAD ffffa5809fb86140  Cid 0000.0000  Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 1
        Not impersonating
        DeviceMap                 ffffb68d7fe25360
        Owning Process            fffff8022313cac0       Image:         Idle
        Attached Process          ffffd00a188b1040       Image:         System
        Wait Start TickCount      0              Ticks: 14502 (0:00:03:46.593)
        Context Switch Count      55011          IdealProcessor: 1             
        UserTime                  00:00:00.000
        KernelTime                00:03:22.531
        Win32 Start Address nt!KiIdleLoop (0xfffff8022281a670)
        Stack Init ffffa38113229c70 Current ffffa38113229c00
        Base ffffa3811322a000 Limit ffffa38113224000 Call 0000000000000000
        Priority 127 BasePriority 0 PriorityDecrement 0 IoPriority 0 PagePriority 0
        Child-SP          RetAddr               Call Site
        ffffa381`132295a8 fffff802`227c3b24     nt!HalProcessorIdle+0xf
        ffffa381`132295b0 fffff802`226552bc     nt!PpmIdleDefaultExecute+0x14
        ffffa381`132295e0 fffff802`226549d6     nt!PpmIdleExecuteTransition+0x77c
        ffffa381`13229a70 fffff802`2281a6c4     nt!PoIdle+0x3c6
        ffffa381`13229c40 00000000`00000000     nt!KiIdleLoop+0x54

        THREAD ffffa5809fccc140  Cid 0000.0000  Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 2
        Not impersonating
        DeviceMap                 ffffb68d7fe25360
        Owning Process            fffff8022313cac0       Image:         Idle
        Attached Process          ffffd00a188b1040       Image:         System
        Wait Start TickCount      1594           Ticks: 12908 (0:00:03:21.687)
        Context Switch Count      41034          IdealProcessor: 2             
        UserTime                  00:00:00.000
        KernelTime                00:03:02.968
        Win32 Start Address nt!KiIdleLoop (0xfffff8022281a670)
        Stack Init ffffa38113237c70 Current ffffa38113237c00
        Base ffffa38113238000 Limit ffffa38113232000 Call 0000000000000000
        Priority 127 BasePriority 0 PriorityDecrement 0 IoPriority 0 PagePriority 0
        Child-SP          RetAddr               Call Site
        ffffa381`132375a8 fffff802`227c3b24     nt!HalProcessorIdle+0xf
        ffffa381`132375b0 fffff802`226552bc     nt!PpmIdleDefaultExecute+0x14
        ffffa381`132375e0 fffff802`226549d6     nt!PpmIdleExecuteTransition+0x77c
        ffffa381`13237a70 fffff802`2281a6c4     nt!PoIdle+0x3c6
        ffffa381`13237c40 00000000`00000000     nt!KiIdleLoop+0x54

        THREAD ffffa5809fda5140  Cid 0000.0000  Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 3
        Not impersonating
        DeviceMap                 ffffb68d7fe25360
        Owning Process            fffff8022313cac0       Image:         Idle
        Attached Process          ffffd00a188b1040       Image:         System
        Wait Start TickCount      0              Ticks: 14502 (0:00:03:46.593)
        Context Switch Count      37746          IdealProcessor: 3             
        UserTime                  00:00:00.000
        KernelTime                00:03:19.125
        Win32 Start Address nt!KiIdleLoop (0xfffff8022281a670)
        Stack Init ffffa38113245c70 Current ffffa38113245c00
        Base ffffa38113246000 Limit ffffa38113240000 Call 0000000000000000
        Priority 127 BasePriority 0 PriorityDecrement 0 IoPriority 0 PagePriority 0
        Child-SP          RetAddr               Call Site
        ffffa381`132455a8 fffff802`227c3b24     nt!HalProcessorIdle+0xf
        ffffa381`132455b0 fffff802`226552bc     nt!PpmIdleDefaultExecute+0x14
        ffffa381`132455e0 fffff802`226549d6     nt!PpmIdleExecuteTransition+0x77c
        ffffa381`13245a70 fffff802`2281a6c4     nt!PoIdle+0x3c6
        ffffa381`13245c40 00000000`00000000     nt!KiIdleLoop+0x54

        THREAD ffffd00a18924080  Cid 0000.002c  Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 0
        Not impersonating
        DeviceMap                 ffffb68d7fe25360
        Owning Process            fffff8022313cac0       Image:         Idle
        Attached Process          ffffd00a188b1040       Image:         System
        Wait Start TickCount      34             Ticks: 14468 (0:00:03:46.062)
        Context Switch Count      12             IdealProcessor: 0             
        UserTime                  00:00:00.000
        KernelTime                00:00:00.000
        Win32 Start Address nt!KiExecuteDpcDelegate (0xfffff802227bf5e0)
        Stack Init ffffa3811326fc70 Current ffffa3811326f9e0
        Base ffffa38113270000 Limit ffffa3811326a000 Call 0000000000000000
        Priority 127 BasePriority 0 PriorityDecrement 0 IoPriority 0 PagePriority 0
        Child-SP          RetAddr               Call Site
        ffffa381`1326fa20 fffff802`2275dd95     nt!KiSwapContext+0x76
        ffffa381`1326fb60 fffff802`227bf6f1     nt!KiSwapThread+0x545
        ffffa381`1326fc00 fffff802`2281a868     nt!KiExecuteDpcDelegate+0x111
        ffffa381`1326fc40 00000000`00000000     nt!KiStartSystemThread+0x28

        THREAD ffffd00a188e9080  Cid 0000.0034  Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 1
        Not impersonating
        DeviceMap                 ffffb68d7fe25360
        Owning Process            fffff8022313cac0       Image:         Idle
        Attached Process          ffffd00a188b1040       Image:         System
        Wait Start TickCount      0              Ticks: 14502 (0:00:03:46.593)
        Context Switch Count      2              IdealProcessor: 1             
        UserTime                  00:00:00.000
        KernelTime                00:00:00.000
        Win32 Start Address nt!KiExecuteDpcDelegate (0xfffff802227bf5e0)
        Stack Init ffffa3811327dc70 Current ffffa3811327d9e0
        Base ffffa3811327e000 Limit ffffa38113278000 Call 0000000000000000
        Priority 127 BasePriority 0 PriorityDecrement 0 IoPriority 0 PagePriority 0
        Child-SP          RetAddr               Call Site
        ffffa381`1327da20 fffff802`2275dd95     nt!KiSwapContext+0x76
        ffffa381`1327db60 fffff802`227bf6f1     nt!KiSwapThread+0x545
        ffffa381`1327dc00 fffff802`2281a868     nt!KiExecuteDpcDelegate+0x111
        ffffa381`1327dc40 00000000`00000000     nt!KiStartSystemThread+0x28

        THREAD ffffd00a18957080  Cid 0000.003c  Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 2
        Not impersonating
        DeviceMap                 ffffb68d7fe25360
        Owning Process            fffff8022313cac0       Image:         Idle
        Attached Process          ffffd00a188b1040       Image:         System
        Wait Start TickCount      0              Ticks: 14502 (0:00:03:46.593)
        Context Switch Count      1              IdealProcessor: 2             
        UserTime                  00:00:00.000
        KernelTime                00:00:00.000
        Win32 Start Address nt!KiExecuteDpcDelegate (0xfffff802227bf5e0)
        Stack Init ffffa3811328bc70 Current ffffa3811328b9e0
        Base ffffa3811328c000 Limit ffffa38113286000 Call 0000000000000000
        Priority 127 BasePriority 0 PriorityDecrement 0 IoPriority 0 PagePriority 0
        Child-SP          RetAddr               Call Site
        ffffa381`1328ba20 fffff802`2275dd95     nt!KiSwapContext+0x76
        ffffa381`1328bb60 fffff802`227bf6f1     nt!KiSwapThread+0x545
        ffffa381`1328bc00 fffff802`2281a868     nt!KiExecuteDpcDelegate+0x111
        ffffa381`1328bc40 00000000`00000000     nt!KiStartSystemThread+0x28

        THREAD ffffd00a189ce080  Cid 0000.0044  Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 3
        Not impersonating
        DeviceMap                 ffffb68d7fe25360
        Owning Process            fffff8022313cac0       Image:         Idle
        Attached Process          ffffd00a188b1040       Image:         System
        Wait Start TickCount      0              Ticks: 14502 (0:00:03:46.593)
        Context Switch Count      5              IdealProcessor: 3             
        UserTime                  00:00:00.000
        KernelTime                00:00:00.000
        Win32 Start Address nt!KiExecuteDpcDelegate (0xfffff802227bf5e0)
        Stack Init ffffa38113299c70 Current ffffa381132999e0
        Base ffffa3811329a000 Limit ffffa38113294000 Call 0000000000000000
        Priority 127 BasePriority 0 PriorityDecrement 0 IoPriority 0 PagePriority 0
        Child-SP          RetAddr               Call Site
        ffffa381`13299a20 fffff802`2275dd95     nt!KiSwapContext+0x76
        ffffa381`13299b60 fffff802`227bf6f1     nt!KiSwapThread+0x545
        ffffa381`13299c00 fffff802`2281a868     nt!KiExecuteDpcDelegate+0x111
        ffffa381`13299c40 00000000`00000000     nt!KiStartSystemThread+0x28
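Parsing the `!thread` / `!process` stack output above together with the `lm n` module listing used in these notes, as an added Python example that is not part of the original notes: it extracts each frame, collapses the call chain into the driver boundaries it crosses (raspptp, afd, tcpip, nt), and maps a frame WinDbg could not resolve onto a module range from `lm n`, which is the check to run when symbols for a module did not load. The sample lines are copied from this page except the final unresolved frame and the `lm n` subset, which are constructed.

```python
import re
from bisect import bisect_right
from typing import NamedTuple, Optional

ADDR = r"[0-9a-f]{8}`[0-9a-f]{8}"        # a 64-bit address as WinDbg prints it: high`low
# One `k`-style frame line, with or without the "Args to Child" columns:
#   ffffa381`133f7e20 fffff802`2745339b : <4 args> : raspptp!CtlpEngine+0x329
FRAME_RE = re.compile(rf"^\s*(?P<sp>{ADDR})\s+(?P<ret>{ADDR})\s+(?::.*?:\s*)?(?P<site>[^\s:]\S*)")
# A resolved call site: module!function[+0xoffset]; anything else is an unresolved frame
SITE_RE = re.compile(r"^(?P<mod>[^!]+)!(?P<fn>[^+]+)(?:\+0x(?P<off>[0-9a-fA-F]+))?$")
# One `lm n` line: start end module-name image-name
LM_RE = re.compile(rf"^\s*(?P<start>{ADDR})\s+(?P<end>{ADDR})\s+(?P<name>\S+)\s+(?P<image>\S+)")

def parse_addr(text: str) -> int:
    """'fffff802`2745339b' or '0xfffff802`2745339b' -> 0xfffff8022745339b."""
    return int(text.replace("`", ""), 16)

class Frame(NamedTuple):
    child_sp: int
    ret_addr: int
    module: str     # "" when WinDbg could not resolve the call site
    function: str   # the bare address text for an unresolved frame
    offset: int

def parse_stack(text: str) -> list[Frame]:
    """Frames of a pasted stack, innermost first; header and non-frame lines are skipped."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if not m:
            continue
        sp, ret, site = parse_addr(m["sp"]), parse_addr(m["ret"]), m["site"]
        s = SITE_RE.match(site)
        if s:
            frames.append(Frame(sp, ret, s["mod"], s["fn"], int(s["off"] or "0", 16)))
        else:   # no symbol: WinDbg prints the raw address, e.g. 0xfffff800`6c9a0000
            frames.append(Frame(sp, ret, "", site, 0))
    return frames

def module_chain(frames: list[Frame]) -> list[str]:
    """Collapse consecutive frames of one module: the driver boundaries the call crossed."""
    chain: list[str] = []
    for f in frames:
        if not chain or chain[-1] != f.module:
            chain.append(f.module)
    return chain

class Module(NamedTuple):
    start: int
    end: int
    name: str
    image: str

def parse_lm(text: str) -> list[Module]:
    """Modules from `lm n` output, sorted by start address for bisecting."""
    return sorted(Module(parse_addr(m["start"]), parse_addr(m["end"]), m["name"], m["image"])
                  for m in map(LM_RE.match, text.splitlines()) if m)

def find_module(mods: list[Module], addr: int) -> Optional[Module]:
    """Module whose [start, end) range contains addr, or None if no listed module does."""
    i = bisect_right([m.start for m in mods], addr) - 1
    if i >= 0 and mods[i].start <= addr < mods[i].end:
        return mods[i]
    return None

def resolve_unknown(frames: list[Frame], mods: list[Module]) -> list[Frame]:
    """Rewrite unresolved frames as module + offset-from-base (what WinDbg shows as nt+0x...)."""
    out = []
    for f in frames:
        try:
            mod = None if f.module else find_module(mods, parse_addr(f.function))
        except ValueError:  # unresolved site text that is not an address
            mod = None
        if mod:
            f = f._replace(module=mod.name, function="", offset=parse_addr(f.function) - mod.start)
        out.append(f)
    return out

# Frames copied from the !thread output in these notes, plus one constructed
# unresolved frame (last line) whose address falls inside the nt range listed below.
STACK_SAMPLE = """\
Child-SP          RetAddr               : Args to Child : Call Site
ffffa381`133f7e20 fffff802`2745339b     : ffffd00a`1c2a0d30 ffffa381`133f8011 00000000`000000dc ffffd00a`1c2a0d30 : raspptp!CtlpEngine+0x329
ffffa381`133f7f60 fffff802`2745a7c1     : 00000000`000000dc ffffd00a`1d8a3c90 ffffd00a`1c97d0aa 00000000`00000201 : raspptp!CtlReceiveCallback+0x4b
ffffa381`133f80b0 fffff802`25414842     : ffffd00a`1c97d08e ffffd00a`1c53f9a0 ffffd00a`1d862a20 00000000`00000000 : afd!WskProTLEVENTReceive+0xe8
ffffa381`133f8f60 fffff802`2281a3ec     : ffffa381`133f8fb0 fffff802`2313fb80 00000000`00000002 fffff802`22627c3b : nt!KxSwitchKernelStackCallout+0x2e (TrapFrame @ ffffa381`133f8e20)
ffffa381`133f8fa0 fffff800`6c8a0000     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0xfffff800`6c9a0000
"""
# Constructed subset of the `lm n` output in these notes
LM_SAMPLE = """\
start             end                 module name
00007ffd`ce180000 00007ffd`ce34f000   ntdll    ntdll.dll
ffffa238`39000000 ffffa238`39386000   win32kfull win32kfull.sys
fffff800`6c893000 fffff800`6d0b2000   nt       ntkrnlmp.exe
"""

if __name__ == "__main__":
    frames = resolve_unknown(parse_stack(STACK_SAMPLE), parse_lm(LM_SAMPLE))
    print(" <- ".join(module_chain(frames)))           # raspptp <- afd <- nt
```

The same parser accepts the args-less stack form printed inside `!process` output, since the argument columns are optional in the regex.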

session

Pitfalls encountered while debugging win32k

First check the modules (.reload has already been run)

0: kd> lm n
start             end                 module name
00000245`51230000 00000245`51272000   ServerManager ServerManager.exe
00007ffd`abc80000 00007ffd`ac0d1000   D3DCOMPILER_47 D3DCOMPILER_47.dll
00007ffd`ac0e0000 00007ffd`ac28a000   UIAutomationCore UIAutomationCore.dll
00007ffd`ac290000 00007ffd`ac41d000   d3d9     d3d9.dll    
00007ffd`ac450000 00007ffd`ac491000   System_ServiceProcess_ni System.ServiceProcess.ni.dll
00007ffd`ad030000 00007ffd`ad0ca000   PresentationFramework_Aero2_ni PresentationFramework.Aero2.ni.dll
00007ffd`ae400000 00007ffd`ae44b000   WindowsCodecsExt WindowsCodecsExt.dll
00007ffd`af100000 00007ffd`af109000   Microsoft_Management_Infrastructure_Native_Unmanaged Microsoft.Management.Infrastructure.Native.Unmanaged.DLL
00007ffd`afe70000 00007ffd`aff9b000   System_Configuration_ni System.Configuration.ni.dll
00007ffd`affa0000 00007ffd`b00cb000   clrjit   clrjit.dll  
00007ffd`b00d0000 00007ffd`b01e0000   PresentationNative_v0400 PresentationNative_v0400.dll
00007ffd`b01e0000 00007ffd`b028e000   MSVCP120_CLR0400 MSVCP120_CLR0400.dll
00007ffd`b0290000 00007ffd`b0440000   wpfgfx_v0400 wpfgfx_v0400.dll
00007ffd`b0440000 00007ffd`b1abc000   PresentationFramework_ni PresentationFramework.ni.dll
00007ffd`b1ac0000 00007ffd`b28a1000   PresentationCore_ni PresentationCore.ni.dll
00007ffd`b28b0000 00007ffd`b2dab000   WindowsBase_ni WindowsBase.ni.dll
00007ffd`b2db0000 00007ffd`b3800000   System_Core_ni System.Core.ni.dll
00007ffd`b3800000 00007ffd`b4444000   System_ni System.ni.dll
00007ffd`b4450000 00007ffd`b59e1000   mscorlib_ni mscorlib.ni.dll
00007ffd`b59f0000 00007ffd`b5ae7000   MSVCR120_CLR0400 MSVCR120_CLR0400.dll
00007ffd`b5af0000 00007ffd`b652b000   clr      clr.dll     
00007ffd`b6530000 00007ffd`b65cc000   mscoreei mscoreei.dll
00007ffd`b65d0000 00007ffd`b6636000   MSCOREE  MSCOREE.DLL 
00007ffd`bb620000 00007ffd`bb632000   virtdisk virtdisk.dll
00007ffd`bbbd0000 00007ffd`bbe39000   dwrite   dwrite.dll  
00007ffd`bdc00000 00007ffd`bdc14000   wbemsvc  wbemsvc.dll 
00007ffd`bdf60000 00007ffd`be054000   fastprox fastprox.dll
00007ffd`bf950000 00007ffd`bf960000   wbemprox wbemprox.dll
00007ffd`bf990000 00007ffd`bf99a000   FLTLIB   FLTLIB.DLL  
00007ffd`bfb40000 00007ffd`bfb6e000   wmidcom  wmidcom.dll 
00007ffd`bfd20000 00007ffd`bfd46000   srvcli   srvcli.dll  
00007ffd`bfd50000 00007ffd`bff13000   urlmon   urlmon.dll  
00007ffd`c1350000 00007ffd`c13ac000   miutils  miutils.dll 
00007ffd`c13b0000 00007ffd`c13d0000   mi       mi.dll      
00007ffd`c20a0000 00007ffd`c20aa000   VERSION  VERSION.dll 
00007ffd`c28c0000 00007ffd`c293f000   wbemcomn wbemcomn.dll
00007ffd`c2db0000 00007ffd`c2e41000   mscms    mscms.dll   
00007ffd`c2e50000 00007ffd`c2e6f000   msctfui  msctfui.dll 
00007ffd`c36b0000 00007ffd`c3835000   propsys  propsys.dll 
00007ffd`c5000000 00007ffd`c5049000   dataexchange dataexchange.dll
00007ffd`c5360000 00007ffd`c55da000   comctl32 comctl32.dll
00007ffd`c5ff0000 00007ffd`c627d000   d3d10warp d3d10warp.dll
00007ffd`c6280000 00007ffd`c6536000   d3d11    d3d11.dll   
00007ffd`c6880000 00007ffd`c6a28000   WindowsCodecs WindowsCodecs.dll
00007ffd`c6a50000 00007ffd`c6d02000   iertutil iertutil.dll
00007ffd`c8250000 00007ffd`c8276000   dwmapi   dwmapi.dll  
00007ffd`c8280000 00007ffd`c8293000   wtsapi32 wtsapi32.dll
00007ffd`c85b0000 00007ffd`c8701000   dcomp    dcomp.dll   
00007ffd`c8a60000 00007ffd`c8a8b000   WINMMBASE WINMMBASE.dll
00007ffd`c8ac0000 00007ffd`c8ae3000   WINMM    WINMM.dll   
00007ffd`c8e10000 00007ffd`c8ea5000   uxtheme  uxtheme.dll 
00007ffd`c90e0000 00007ffd`c91f3000   twinapi_appcore twinapi.appcore.dll
00007ffd`c95e0000 00007ffd`c967f000   dxgi     dxgi.dll    
00007ffd`c9a30000 00007ffd`c9a63000   rsaenh   rsaenh.dll  
00007ffd`c9a70000 00007ffd`c9a7a000   DPAPI    DPAPI.DLL   
00007ffd`c9bf0000 00007ffd`c9bfd000   netutils netutils.dll
00007ffd`c9cb0000 00007ffd`c9cd0000   USERENV  USERENV.dll 
00007ffd`c9e80000 00007ffd`c9edd000   mswsock  mswsock.dll 
00007ffd`ca030000 00007ffd`ca047000   CRYPTSP  CRYPTSP.dll 
00007ffd`ca050000 00007ffd`ca05b000   CRYPTBASE CRYPTBASE.dll
00007ffd`ca230000 00007ffd`ca25c000   SspiCli  SspiCli.dll 
00007ffd`ca4a0000 00007ffd`ca4f6000   WINSTA   WINSTA.dll  
00007ffd`ca500000 00007ffd`ca52b000   bcrypt   bcrypt.dll  
00007ffd`ca5c0000 00007ffd`ca5d4000   profapi  profapi.dll 
00007ffd`ca5e0000 00007ffd`ca5f0000   MSASN1   MSASN1.dll  
00007ffd`ca5f0000 00007ffd`ca5ff000   kernel_appcore kernel.appcore.dll
00007ffd`ca600000 00007ffd`ca64c000   powrprof powrprof.dll
00007ffd`ca650000 00007ffd`ca6ec000   msvcp_win msvcp_win.dll
00007ffd`ca6f0000 00007ffd`ca70e000   win32u   win32u.dll  
00007ffd`ca710000 00007ffd`ca77c000   bcryptPrimitives bcryptPrimitives.dll
00007ffd`ca890000 00007ffd`caf65000   windows_storage windows.storage.dll
00007ffd`caf70000 00007ffd`cb018000   shcore   shcore.dll  
00007ffd`cb020000 00007ffd`cb1a4000   gdi32full gdi32full.dll
00007ffd`cb1b0000 00007ffd`cb3ce000   KERNELBASE KERNELBASE.dll
00007ffd`cb3d0000 00007ffd`cb4c4000   ucrtbase ucrtbase.dll
00007ffd`cb4d0000 00007ffd`cb512000   cfgmgr32 cfgmgr32.dll
00007ffd`cb520000 00007ffd`cb713000   CRYPT32  CRYPT32.dll 
00007ffd`cb800000 00007ffd`cb86a000   WS2_32   WS2_32.dll  
00007ffd`cb870000 00007ffd`cb8a4000   GDI32    GDI32.dll   
00007ffd`cb8b0000 00007ffd`cbb76000   combase  combase.dll 
00007ffd`cbb80000 00007ffd`cbce6000   USER32   USER32.dll  
00007ffd`cbcf0000 00007ffd`cbe0e000   RPCRT4   RPCRT4.dll  
00007ffd`cbe10000 00007ffd`cbe6b000   sechost  sechost.dll 
00007ffd`cbe70000 00007ffd`cbf0f000   clbcatq  clbcatq.dll 
00007ffd`cbf10000 00007ffd`cd416000   shell32  shell32.dll 
00007ffd`cd420000 00007ffd`cd57b000   MSCTF    MSCTF.dll   
00007ffd`cd580000 00007ffd`cd5ae000   IMM32    IMM32.DLL   
00007ffd`cd610000 00007ffd`cd6bd000   KERNEL32 KERNEL32.dll
00007ffd`cd6c0000 00007ffd`cd766000   ADVAPI32 ADVAPI32.dll
00007ffd`cd770000 00007ffd`cd8a9000   ole32    ole32.dll   
00007ffd`cd8b0000 00007ffd`cd970000   OLEAUT32 OLEAUT32.dll
00007ffd`ce080000 00007ffd`ce11e000   msvcrt   msvcrt.dll  
00007ffd`ce120000 00007ffd`ce172000   SHLWAPI  SHLWAPI.dll 
00007ffd`ce180000 00007ffd`ce34f000   ntdll    ntdll.dll   
ffffa238`39000000 ffffa238`39386000   win32kfull win32kfull.sys
ffffa238`39390000 ffffa238`3950e000   win32kbase win32kbase.sys
ffffa238`39520000 ffffa238`3952a000   TSDDD    TSDDD.dll   
ffffa238`39530000 ffffa238`3956f000   cdd      cdd.dll     
ffffa238`39600000 ffffa238`3963b000   win32k   win32k.sys  
fffff800`6b86e000 fffff800`6b89a000   kdcom    kdnet.dll   
fffff800`6c817000 fffff800`6c893000   hal      hal.dll     
fffff800`6c893000 fffff800`6d0b2000   nt       ntkrnlmp.exe
fffff800`6d200000 fffff800`6d241000   kd_02_8086 kd_02_8086.dll
fffff802`4d200000 fffff802`4d262000   FLTMGR   FLTMGR.SYS  
fffff802`4d270000 fffff802`4d2ce000   msrpc    msrpc.sys   
fffff802`4d2d0000 fffff802`4d2f8000   ksecdd   ksecdd.sys  
fffff802`4d300000 fffff802`4d3b0000   clipsp   clipsp.sys  
fffff802`4d3b0000 fffff802`4d3bd000   cmimcext cmimcext.sys
fffff802`4d3c0000 fffff802`4d3cc000   ntosext  ntosext.sys 
fffff802`4d3d0000 fffff802`4d472000   CI       CI.dll      
fffff802`4d480000 fffff802`4d520000   cng      cng.sys     
fffff802`4d520000 fffff802`4d5f4000   Wdf01000 Wdf01000.sys
fffff802`4d600000 fffff802`4d613000   WDFLDR   WDFLDR.SYS  
fffff802`4d620000 fffff802`4d643000   acpiex   acpiex.sys  
fffff802`4d650000 fffff802`4d65e000   WppRecorder WppRecorder.sys
fffff802`4d660000 fffff802`4d713000   ACPI     ACPI.sys    
fffff802`4d720000 fffff802`4d72c000   WMILIB   WMILIB.SYS  
fffff802`4d740000 fffff802`4d75f000   WindowsTrustedRT WindowsTrustedRT.sys
fffff802`4d760000 fffff802`4d771000   intelpep intelpep.sys
fffff802`4d780000 fffff802`4d78b000   WindowsTrustedRTProxy WindowsTrustedRTProxy.sys
fffff802`4d790000 fffff802`4d7a2000   pcw      pcw.sys     
fffff802`4d7d0000 fffff802`4d82e000   volmgrx  volmgrx.sys 
fffff802`4d830000 fffff802`4d84e000   mountmgr mountmgr.sys
fffff802`4d850000 fffff802`4d885000   ataport  ataport.SYS 
fffff802`4d890000 fffff802`4d8b4000   storahci storahci.sys
fffff802`4d8c0000 fffff802`4d8dd000   mcupdate_AuthenticAMD mcupdate_AuthenticAMD.dll
fffff802`4d8e0000 fffff802`4d8f0000   werkernel werkernel.sys
fffff802`4d8f0000 fffff802`4d956000   CLFS     CLFS.SYS    
fffff802`4d960000 fffff802`4d985000   tm       tm.sys      
fffff802`4d990000 fffff802`4d9a7000   PSHED    PSHED.dll   
fffff802`4d9b0000 fffff802`4d9bc000   BOOTVID  BOOTVID.dll 
fffff802`4da00000 fffff802`4da57000   pci      pci.sys     
fffff802`4da60000 fffff802`4da72000   vdrvroot vdrvroot.sys
fffff802`4da80000 fffff802`4daa1000   pdc      pdc.sys     
fffff802`4dab0000 fffff802`4dac9000   CEA      CEA.sys     
fffff802`4dad0000 fffff802`4daf4000   partmgr  partmgr.sys 
fffff802`4db00000 fffff802`4db0a000   intelide intelide.sys
fffff802`4db10000 fffff802`4db21000   PCIIDEX  PCIIDEX.SYS 
fffff802`4db30000 fffff802`4dbca000   spaceport spaceport.sys
fffff802`4dbd0000 fffff802`4dbe8000   volmgr   volmgr.sys  
fffff802`4dbf0000 fffff802`4dc08000   vsock    vsock.sys   
fffff802`4dc10000 fffff802`4dd38000   NDIS     NDIS.SYS    
fffff802`4dd40000 fffff802`4ddb9000   NETIO    NETIO.SYS   
fffff802`4ddc0000 fffff802`4ddcb000   msisadrv msisadrv.sys
fffff802`4ddd0000 fffff802`4ddec000   vmci     vmci.sys    
fffff802`4ddf0000 fffff802`4ddfc000   atapi    atapi.sys   
fffff802`4de00000 fffff802`4e01c000   dxgkrnl  dxgkrnl.sys 
fffff802`4e030000 fffff802`4e0b3000   storport storport.sys
fffff802`4e0c0000 fffff802`4e0d9000   stornvme stornvme.sys
fffff802`4e0e0000 fffff802`4e0fc000   EhStorClass EhStorClass.sys
fffff802`4e100000 fffff802`4e138000   Wof      Wof.sys     
fffff802`4e140000 fffff802`4e18d000   WdFilter WdFilter.sys
fffff802`4e190000 fffff802`4e1a2000   netbios  netbios.sys 
fffff802`4e200000 fffff802`4e230000   ksecpkg  ksecpkg.sys 
fffff802`4e230000 fffff802`4e4a8000   tcpip    tcpip.sys   
fffff802`4e4b0000 fffff802`4e519000   fwpkclnt fwpkclnt.sys
fffff802`4e520000 fffff802`4e54a000   wfplwfs  wfplwfs.sys 
fffff802`4e550000 fffff802`4e55b000   volume   volume.sys  
fffff802`4e560000 fffff802`4e5c4000   volsnap  volsnap.sys 
fffff802`4e5d0000 fffff802`4e5f5000   mup      mup.sys     
fffff802`4e610000 fffff802`4e62f000   disk     disk.sys    
fffff802`4e630000 fffff802`4e692000   CLASSPNP CLASSPNP.SYS
fffff802`4e6c0000 fffff802`4e6d9000   crashdmp crashdmp.sys
fffff802`4e740000 fffff802`4e76b000   pacer    pacer.sys   
fffff802`4e780000 fffff802`4e79d000   filecrypt filecrypt.sys
fffff802`4e7a0000 fffff802`4e7ae000   tbs      tbs.sys     
fffff802`4e7b0000 fffff802`4e7ba000   Null     Null.SYS    
fffff802`4e7c0000 fffff802`4e7d0000   vmrawdsk vmrawdsk.sys
fffff802`4e7d0000 fffff802`4e7e4000   BasicDisplay BasicDisplay.sys
fffff802`4e7f0000 fffff802`4e804000   watchdog watchdog.sys
fffff802`4e810000 fffff802`4e822000   BasicRender BasicRender.sys
fffff802`4e830000 fffff802`4e849000   Npfs     Npfs.SYS    
fffff802`4e850000 fffff802`4e860000   Msfs     Msfs.SYS    
fffff802`4e860000 fffff802`4e883000   tdx      tdx.sys     
fffff802`4e890000 fffff802`4e8a0000   TDI      TDI.SYS     
fffff802`4e8a0000 fffff802`4e8ae000   ws2ifsl  ws2ifsl.sys 
fffff802`4e8b0000 fffff802`4e8fb000   netbt    netbt.sys   
fffff802`4e900000 fffff802`4e995000   afd      afd.sys     
fffff802`4e9a0000 fffff802`4ebd3000   NTFS     NTFS.sys    
fffff802`4ebe0000 fffff802`4ebed000   Fs_Rec   Fs_Rec.sys  
fffff802`4ee00000 fffff802`4ee22000   i8042prt i8042prt.sys
fffff802`4ee30000 fffff802`4ee43000   kbdclass kbdclass.sys
fffff802`4ee50000 fffff802`4ee59000   vmmouse  vmmouse.sys 
fffff802`4ee60000 fffff802`4ee72000   mouclass mouclass.sys
fffff802`4ee80000 fffff802`4ee8a000   vm3dmp_loader vm3dmp_loader.sys
fffff802`4ee90000 fffff802`4eede000   vm3dmp   vm3dmp.sys  
fffff802`4eee0000 fffff802`4eeeb000   vmgencounter vmgencounter.sys
fffff802`4eef0000 fffff802`4eefe000   CmBatt   CmBatt.sys  
fffff802`4ef00000 fffff802`4ef0e000   BATTC    BATTC.SYS   
fffff802`4ef10000 fffff802`4ef37000   amdppm   amdppm.sys  
fffff802`4ef40000 fffff802`4ef4d000   NdisVirtualBus NdisVirtualBus.sys
fffff802`4ef50000 fffff802`4ef5c000   swenum   swenum.sys  
fffff802`4ef60000 fffff802`4efc8000   ks       ks.sys      
fffff802`4efd0000 fffff802`4efde000   rdpbus   rdpbus.sys  
fffff802`4efe0000 fffff802`4f03b000   fastfat  fastfat.SYS 
fffff802`4f050000 fffff802`4f05f000   dump_diskdump dump_diskdump.sys
fffff802`4f080000 fffff802`4f099000   dump_stornvme dump_stornvme.sys
fffff802`4f0a0000 fffff802`4f117000   mrxsmb   mrxsmb.sys  
fffff802`4f120000 fffff802`4f15b000   mrxsmb20 mrxsmb20.sys
fffff802`4f160000 fffff802`4f179000   mpsdrv   mpsdrv.sys  
fffff802`4f220000 fffff802`4f230000   monitor  monitor.sys 
fffff802`4f230000 fffff802`4f2d7000   dxgmms2  dxgmms2.sys 
fffff802`4f2e0000 fffff802`4f307000   luafv    luafv.sys   
fffff802`4f310000 fffff802`4f330000   wcifs    wcifs.sys   
fffff802`4f330000 fffff802`4f349000   storqosflt storqosflt.sys
fffff802`4f350000 fffff802`4f368000   registry registry.sys
fffff802`4f370000 fffff802`4f386000   lltdio   lltdio.sys  
fffff802`4f390000 fffff802`4f3aa000   rspndr   rspndr.sys  
fffff802`4f3b0000 fffff802`4f3c8000   mslldp   mslldp.sys  
fffff802`4f3d0000 fffff802`4f3f2000   bowser   bowser.sys  
fffff802`4f440000 fffff802`4f4b4000   rdbss    rdbss.sys   
fffff802`4f4c0000 fffff802`4f4da000   nsiproxy nsiproxy.sys
fffff802`4f4e0000 fffff802`4f4ed000   npsvctrig npsvctrig.sys
fffff802`4f4f0000 fffff802`4f500000   mssmbios mssmbios.sys
fffff802`4f500000 fffff802`4f50a000   gpuenergydrv gpuenergydrv.sys
fffff802`4f510000 fffff802`4f53a000   dfsc     dfsc.sys    
fffff802`4f540000 fffff802`4f552000   HIDPARSE HIDPARSE.SYS
fffff802`4f560000 fffff802`4f59f000   ahcache  ahcache.sys 
fffff802`4f5a0000 fffff802`4f5b1000   CompositeBus CompositeBus.sys
fffff802`4f5c0000 fffff802`4f5ce000   kdnic    kdnic.sys   
fffff802`4f5d0000 fffff802`4f5e5000   umbus    umbus.sys   
fffff802`4f800000 fffff802`4f8c3000   peauth   peauth.sys  
fffff802`4f8d0000 fffff802`4f985000   srv2     srv2.sys    
fffff802`4f990000 fffff802`4fa1c000   srv      srv.sys     
fffff802`4fa20000 fffff802`4fa34000   tcpipreg tcpipreg.sys
fffff802`4fa40000 fffff802`4fa6b000   vmhgfs   vmhgfs.sys  
fffff802`4fa70000 fffff802`4fa9f000   tunnel   tunnel.sys  
fffff802`507e0000 fffff802`508f4000   HTTP     HTTP.sys    
fffff802`50900000 fffff802`5090a000   vmmemctl vmmemctl.sys
fffff802`50910000 fffff802`50953000   srvnet   srvnet.sys  
fffff802`50960000 fffff802`50972000   condrv   condrv.sys  
fffff802`50980000 fffff802`509ce000   mrxsmb10 mrxsmb10.sys

Unloaded modules:
fffff802`4e6f0000 fffff802`4e6ff000   dump_storport.sys
fffff802`4e720000 fffff802`4e739000   dump_stornvme.sys
fffff802`4f540000 fffff802`4f554000   dam.sys 
fffff802`4e740000 fffff802`4e771000   cdrom.sys
fffff802`4d730000 fffff802`4d740000   WdBoot.sys
fffff802`4e600000 fffff802`4e610000   hwpolicy.sys
fffff802`4d7b0000 fffff802`4d7cc000   sacdrv.sys
Unable to enumerate user-mode unloaded modules, Win32 error 0n30

Dumping a win32kfull function shows that its memory cannot be accessed:

0: kd> dq NtUserDestroyMenu
ffffa238`39120b70  ????????`???????? ????????`????????
ffffa238`39120b80  ????????`???????? ????????`????????
ffffa238`39120b90  ????????`???????? ????????`????????
ffffa238`39120ba0  ????????`???????? ????????`????????
ffffa238`39120bb0  ????????`???????? ????????`????????
ffffa238`39120bc0  ????????`???????? ????????`????????
ffffa238`39120bd0  ????????`???????? ????????`????????
ffffa238`39120be0  ????????`???????? ????????`????????

The reason is that win32k is mapped at a session address. List the sessions on the machine:

0: kd> !session
Sessions on machine: 2
Valid Sessions: 0 1
Error in reading current session

Look at which processes the first session contains; the _MM_SESSION_SPACE address shown here is ffffc100655e5000:

0: kd> !sprocess 0
Dumping Session 0

_MM_SESSION_SPACE ffffc100655e5000
PROCESS ffffd28f4fa21800
    SessionId: 0  Cid: 0168    Peb: dd97d4f000  ParentCid: 0160
    DirBase: 10dc2d000  ObjectTable: ffffe58eb9a41000  HandleCount: <Data Not Accessible>
    Image: csrss.exe

PROCESS ffffd28f4fa20080
    SessionId: 0  Cid: 01c8    Peb: 1003c0000  ParentCid: 0160
    DirBase: 10e82e000  ObjectTable: ffffe58eb9ade000  HandleCount: <Data Not Accessible>
    Image: wininit.exe

PROCESS ffffd28f51294080
    SessionId: 0  Cid: 024c    Peb: df887d6000  ParentCid: 01c8
    DirBase: 10ff80000  ObjectTable: ffffe58eb9b76000  HandleCount: <Data Not Accessible>
    Image: services.exe

PROCESS ffffd28f5128e400
    SessionId: 0  Cid: 0254    Peb: f8d9512000  ParentCid: 01c8
    DirBase: 110497000  ObjectTable: ffffe58eb9baa000  HandleCount: <Data Not Accessible>
    Image: lsass.exe

PROCESS ffffd28f4f95f800
    SessionId: 0  Cid: 02a8    Peb: d014afb000  ParentCid: 024c
    DirBase: 111399000  ObjectTable: ffffe58ebfbe1000  HandleCount: <Data Not Accessible>
    Image: svchost.exe

PROCESS ffffd28f50cac800
    SessionId: 0  Cid: 02d4    Peb: 622f4ab000  ParentCid: 024c
    DirBase: 11187a000  ObjectTable: ffffe58ebfc5d000  HandleCount: <Data Not Accessible>
    Image: svchost.exe

PROCESS ffffd28f51377540
    SessionId: 0  Cid: 03c8    Peb: bcb8de4000  ParentCid: 024c
    DirBase: 114313000  ObjectTable: ffffe58ebfe14000  HandleCount: <Data Not Accessible>
    Image: svchost.exe

PROCESS ffffd28f50cc2800
    SessionId: 0  Cid: 03d4    Peb: 27fad70000  ParentCid: 024c
    DirBase: 1144bf000  ObjectTable: ffffe58ebfe0a000  HandleCount: <Data Not Accessible>
    Image: svchost.exe

PROCESS ffffd28f51381340
    SessionId: 0  Cid: 03f4    Peb: 35bc1fa000  ParentCid: 024c
    DirBase: 11494c000  ObjectTable: ffffe58ebfe37000  HandleCount: <Data Not Accessible>
    Image: svchost.exe

PROCESS ffffd28f4f6a3780
    SessionId: 0  Cid: 02b8    Peb: 1764ad2000  ParentCid: 024c
    DirBase: 10e575000  ObjectTable: ffffe58ebfee8000  HandleCount: <Data Not Accessible>
    Image: svchost.exe

PROCESS ffffd28f50bf9540
    SessionId: 0  Cid: 02d0    Peb: 459bbf8000  ParentCid: 024c
    DirBase: 117043000  ObjectTable: ffffe58ebfef8000  HandleCount: <Data Not Accessible>
    Image: svchost.exe

PROCESS ffffd28f4f7253c0
    SessionId: 0  Cid: 046c    Peb: 82479c000  ParentCid: 024c
    DirBase: 117fe5000  ObjectTable: ffffe58ebff1d000  HandleCount: <Data Not Accessible>
    Image: svchost.exe

PROCESS ffffd28f50cb6800
    SessionId: 0  Cid: 047c    Peb: 34fab21000  ParentCid: 024c
    DirBase: 11801e000  ObjectTable: ffffe58ebff20000  HandleCount: <Data Not Accessible>
    Image: svchost.exe

PROCESS ffffd28f5107f800
    SessionId: 0  Cid: 0614    Peb: e769f6000  ParentCid: 024c
    DirBase: 119f80000  ObjectTable: ffffe58ec0160000  HandleCount: <Data Not Accessible>
    Image: spoolsv.exe

PROCESS ffffd28f51076800
    SessionId: 0  Cid: 0670    Peb: e2b513e000  ParentCid: 02b8
    DirBase: 11b400000  ObjectTable: ffffe58ec01ea000  HandleCount: <Data Not Accessible>
    Image: CompatTelRunner.exe

PROCESS ffffd28f51074800
    SessionId: 0  Cid: 067c    Peb: b02495b000  ParentCid: 024c
    DirBase: 11b325000  ObjectTable: ffffe58ec01d6000  HandleCount: <Data Not Accessible>
    Image: svchost.exe

PROCESS ffffd28f5106e740
    SessionId: 0  Cid: 06b4    Peb: f9bb7cb000  ParentCid: 0670
    DirBase: 11c4ba000  ObjectTable: ffffe58ec0216000  HandleCount: <Data Not Accessible>
    Image: conhost.exe

PROCESS ffffd28f5106c800
    SessionId: 0  Cid: 06bc    Peb: c3452e8000  ParentCid: 024c
    DirBase: 11bd45000  ObjectTable: ffffe58ec021c000  HandleCount: <Data Not Accessible>
    Image: svchost.exe

PROCESS ffffd28f50e3e800
    SessionId: 0  Cid: 06d4    Peb: 4cc9088000  ParentCid: 024c
    DirBase: 11d047000  ObjectTable: ffffe58ec0247000  HandleCount: <Data Not Accessible>
    Image: svchost.exe

PROCESS ffffd28f50eeb540
    SessionId: 0  Cid: 06e0    Peb: 70261cb000  ParentCid: 024c
    DirBase: 11d5cf000  ObjectTable: ffffe58ec0278000  HandleCount: <Data Not Accessible>
    Image: VGAuthService.exe

PROCESS ffffd28f50e4e080
    SessionId: 0  Cid: 06f0    Peb: be9880d000  ParentCid: 024c
    DirBase: 11db80000  ObjectTable: ffffe58ec028a000  HandleCount: <Data Not Accessible>
    Image: vm3dservice.exe

PROCESS ffffd28f50e64800
    SessionId: 0  Cid: 06fc    Peb: a0349cf000  ParentCid: 024c
    DirBase: 11bc40000  ObjectTable: ffffe58ec0295000  HandleCount: <Data Not Accessible>
    Image: vmtoolsd.exe

PROCESS ffffd28f50e7a700
    SessionId: 0  Cid: 0738    Peb: f99d285000  ParentCid: 024c
    DirBase: 11c973000  ObjectTable: ffffe58ec02ab000  HandleCount: <Data Not Accessible>
    Image: MsMpEng.exe

PROCESS ffffd28f50ea0300
    SessionId: 0  Cid: 0748    Peb: 866352000  ParentCid: 024c
    DirBase: 11bf4e000  ObjectTable: ffffe58ec02ae000  HandleCount: <Data Not Accessible>
    Image: wlms.exe

PROCESS ffffd28f4f8d8800
    SessionId: 0  Cid: 0964    Peb: 68829b6000  ParentCid: 024c
    DirBase: 122a80000  ObjectTable: ffffe58ec0704000  HandleCount: <Data Not Accessible>
    Image: dllhost.exe

PROCESS ffffd28f51701080
    SessionId: 0  Cid: 09dc    Peb: 5217b4f000  ParentCid: 02a8
    DirBase: 124979000  ObjectTable: ffffe58ec07b4000  HandleCount: <Data Not Accessible>
    Image: WmiPrvSE.exe

PROCESS ffffd28f5162d800
    SessionId: 0  Cid: 0a10    Peb: 3f62162000  ParentCid: 024c
    DirBase: 125da7000  ObjectTable: ffffe58ec07e0000  HandleCount: <Data Not Accessible>
    Image: msdtc.exe

PROCESS ffffd28f51a85800
    SessionId: 0  Cid: 0ebc    Peb: c7bed07000  ParentCid: 02a8
    DirBase: 08dfa000  ObjectTable: ffffe58ec113e000  HandleCount: <Data Not Accessible>
    Image: WmiPrvSE.exe

PROCESS ffffd28f50e9e4c0
    SessionId: 0  Cid: 037c    Peb: b29c0fb000  ParentCid: 024c
    DirBase: 2c07f000  ObjectTable: ffffe58ec7d4f000  HandleCount: <Data Not Accessible>
    Image: svchost.exe

PROCESS ffffd28f52bf8800
    SessionId: 0  Cid: 07cc    Peb: f5e82de000  ParentCid: 024c
    DirBase: b462f000  ObjectTable: ffffe58ec650e000  HandleCount: <Data Not Accessible>
    Image: svchost.exe

PROCESS ffffd28f530c0800
    SessionId: 0  Cid: 08f8    Peb: bdc6d2e000  ParentCid: 024c
    DirBase: b290e000  ObjectTable: ffffe58ec6d31000  HandleCount: <Data Not Accessible>
    Image: TrustedInstaller.exe

PROCESS ffffd28f53101800
    SessionId: 0  Cid: 0868    Peb: 9836819000  ParentCid: 02a8
    DirBase: b2664000  ObjectTable: ffffe58ec6d36000  HandleCount: <Data Not Accessible>
    Image: TiWorker.exe

Inspect the _MM_SESSION_SPACE structure:

0: kd> dt nt!_MM_SESSION_SPACE ffffc100655e5000
   +0x000 ReferenceCount   : 0n32
   +0x004 u                : <unnamed-tag>
   +0x008 SessionId        : 0
   +0x00c ProcessReferenceToSession : 0n33
   +0x010 ProcessList      : _LIST_ENTRY [ 0xffffd28f`4fa21b40 - 0xffffd28f`53101b40 ]
   +0x020 SessionPageDirectoryIndex : 0x10db45
   +0x028 NonPagablePages  : 0x26
   +0x030 CommittedPages   : 0x36f
   +0x038 PagedPoolStart   : 0xffffa207`c0000000 Void
   +0x040 PagedPoolEnd     : 0xffffa227`bfffffff Void
   +0x048 SessionObject    : 0xffffd28f`509d6690 Void
   +0x050 SessionObjectHandle : 0xffffffff`8000029c Void
   +0x058 SessionPoolAllocationFailures : [4] 0
   +0x068 ImageTree        : _RTL_AVL_TREE
   +0x070 LocaleId         : 0x409
   +0x074 AttachCount      : 0
   +0x078 AttachGate       : _KGATE
   +0x090 WsListEntry      : _LIST_ENTRY [ 0xffffc100`6464d090 - 0xfffff800`6cbb96d0 ]
   +0x0a0 WsTreeEntry      : _RTL_BALANCED_NODE
   +0x0c0 Lookaside        : [21] _GENERAL_LOOKASIDE
   +0xb40 Session          : _MMSESSION
   +0xb60 PagedPoolInfo    : _MM_PAGED_POOL_INFO
   +0xbc0 Vm               : _MMSUPPORT_FULL
   +0xd00 AggregateSessionWs : _MMSUPPORT_AGGREGATION
   +0xd20 DriverUnload     : _MI_SESSION_DRIVER_UNLOAD
   +0xd40 PagedPool        : _POOL_DESCRIPTOR
   +0x1e80 PageDirectory    : _MMPTE
   +0x1e88 SessionVaLock    : _EX_PUSH_LOCK
   +0x1e90 DynamicVaBitMap  : _RTL_BITMAP
   +0x1ea0 DynamicVaHint    : 0x10
   +0x1ea8 SpecialPool      : _MI_SPECIAL_POOL
   +0x1ef8 SessionPteLock   : _EX_PUSH_LOCK
   +0x1f00 PoolBigEntriesInUse : 0n141
   +0x1f04 PagedPoolPdeCount : 2
   +0x1f08 SpecialPoolPdeCount : 0
   +0x1f0c DynamicSessionPdeCount : 0x10
   +0x1f10 SystemPteInfo    : _MI_SYSTEM_PTE_TYPE
   +0x1f78 PoolTrackTableExpansion : (null) 
   +0x1f80 PoolTrackTableExpansionSize : 0
   +0x1f88 PoolTrackBigPages : 0xffffd28f`506d2000 Void
   +0x1f90 PoolTrackBigPagesSize : 0x200
   +0x1f98 IoState          : 4 ( IoSessionStateDisconnected )
   +0x1f9c IoStateSequence  : 3
   +0x1fa0 IoNotificationEvent : _KEVENT
   +0x1fb8 ServerSilo       : (null) 
   +0x1fc0 CreateTime       : 0x8f2b4ae
   +0x2000 PoolTags         : [8192]  "--- memory read error at address 0xffffc100`655e7000 ---"

  • PagedPoolStart ~ PagedPoolEnd is this session's session space

After switching to that session, the session space can be read:

0: kd> !session -s 0
Sessions on machine: 2
Implicit process is now ffffd28f`4fa21800
.cache forcedecodeptes done
Using session 0l

0: kd> dq NtUserDestroyMenu
ffffa238`39120b70  8b4820ec`83485340 c9330000`0001bad9
ffffa238`39120b80  8d480023`37da15ff fff4884c`e838244c
ffffa238`39120b90  23225f15`ffcb8b48 8548c88b`48db3300
ffffa238`39120ba0  40a82840`8b0e74c0 8bfff6cc`31e80775
ffffa238`39120bb0  bde83824`4c8d48d8 2337a715`fffff489
ffffa238`39120bc0  20c48348`c3634800 cccccccc`ccccc35b
ffffa238`39120bd0  74894808`245c8948 4118247c`89481024
ffffa238`39120be0  000000b0`ec814856 f28bf88b`49f18b45

Ref: https://www.debugging.tv/Frames/0x28/Episode-0x28-WinDbg-log.txt
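
As an added example (not part of the original notes), the following Python helper parses `lm` and `dq` output like the listings above, resolves each dumped address to module+offset and flags the `????????` cells that show memory WinDbg could not read before `!session -s 0`. The sample rows are copied from the output above; the line formats are assumed from them.

```python
import re
from bisect import bisect_right
from typing import Dict, List, NamedTuple, Optional

# Constructed sample input: rows copied from the `lm` and `dq` output above.
# Assumption: `lm` rows are "start end name image", `dq` rows are
# "address qword qword", with a backtick after the upper 32 bits.
LM_SAMPLE = """\
00007ffd`ce180000 00007ffd`ce34f000   ntdll    ntdll.dll
ffffa238`39000000 ffffa238`39386000   win32kfull win32kfull.sys
ffffa238`39600000 ffffa238`3963b000   win32k   win32k.sys
fffff800`6c893000 fffff800`6d0b2000   nt       ntkrnlmp.exe
"""
DQ_BEFORE_SWITCH = """\
ffffa238`39120b70  ????????`???????? ????????`????????
ffffa238`39120b80  ????????`???????? ????????`????????
"""
DQ_AFTER_SWITCH = """\
ffffa238`39120b70  8b4820ec`83485340 c9330000`0001bad9
ffffa238`39120b80  8d480023`37da15ff fff4884c`e838244c
"""

_LM_RE = re.compile(r"^\s*([0-9a-f`]{17})\s+([0-9a-f`]{17})\s+(\S+)\s+(\S+)")
_DQ_RE = re.compile(r"^\s*([0-9a-f`]{17})\s+(.+)$")

class Module(NamedTuple):
    start: int
    end: int  # exclusive
    name: str
    image: str

def parse_hex(token: str) -> int:
    """Parse a WinDbg 64-bit value such as ffffa238`39120b70."""
    return int(token.replace("`", ""), 16)

def parse_lm(text: str) -> List[Module]:
    """Turn `lm` listing rows into Module records sorted by base address."""
    mods = []
    for line in text.splitlines():
        m = _LM_RE.match(line)
        if m:
            mods.append(Module(parse_hex(m[1]), parse_hex(m[2]), m[3], m[4]))
    return sorted(mods)

def find_module(mods: List[Module], addr: int) -> Optional[Module]:
    """Return the module whose [start, end) range contains addr, if any."""
    i = bisect_right([m.start for m in mods], addr) - 1
    if i >= 0 and mods[i].start <= addr < mods[i].end:
        return mods[i]
    return None

def parse_dq(text: str) -> Dict[int, List[Optional[int]]]:
    """Parse `dq` rows; a '????????`????????' cell (memory the debugger could
    not read, here session memory outside the current session) becomes None."""
    rows: Dict[int, List[Optional[int]]] = {}
    for line in text.splitlines():
        m = _DQ_RE.match(line)
        if m:
            rows[parse_hex(m[1])] = [None if "?" in c else parse_hex(c)
                                     for c in m[2].split()]
    return rows

def unreadable_qwords(rows: Dict[int, List[Optional[int]]]) -> List[int]:
    """Addresses of every qword the dump could not read."""
    return [base + 8 * i for base, cells in sorted(rows.items())
            for i, v in enumerate(cells) if v is None]

def describe(mods: List[Module], rows: Dict[int, List[Optional[int]]]) -> List[str]:
    """One summary line per dq row: module+offset and read status."""
    out = []
    for base, cells in sorted(rows.items()):
        mod = find_module(mods, base)
        where = f"{mod.name}+0x{base - mod.start:x}" if mod else "<no module>"
        status = "UNREADABLE" if None in cells else "ok"
        out.append(f"{base:016x} {where} {status}")
    return out

if __name__ == "__main__":
    mods = parse_lm(LM_SAMPLE)
    for line in describe(mods, parse_dq(DQ_BEFORE_SWITCH)):
        print("before !session -s 0:", line)
    for line in describe(mods, parse_dq(DQ_AFTER_SWITCH)):
        print("after  !session -s 0:", line)
```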

SOS (.NET)

loading

  1. load DAC
    .cordll -ve -u -l
  2. load sos
    • .loadby sos clr (for version 4.0 of the CLR)
      • If clr.dll has not been loaded yet, run sxe ld:clr first so the debugger breaks when clr.dll gets loaded:
      0:000> .loadby sos clr
      Unable to find module 'clr'
      0:000> sxe ld:clr
      0:000> g
      ModLoad: 00007fff`84860000 00007fff`8490e000   C:\Windows\System32\ADVAPI32.dll
      ModLoad: 00007fff`85540000 00007fff`855de000   C:\Windows\System32\msvcrt.dll
      ModLoad: 00007fff`84270000 00007fff`8430c000   C:\Windows\System32\sechost.dll
      ModLoad: 00007fff`83b00000 00007fff`83c25000   C:\Windows\System32\RPCRT4.dll
      ModLoad: 00007fff`61d30000 00007fff`61dda000   C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll
      ModLoad: 00007fff`854e0000 00007fff`85535000   C:\Windows\System32\SHLWAPI.dll
      ModLoad: 00007fff`80eb0000 00007fff`80ec2000   C:\Windows\SYSTEM32\kernel.appcore.dll
      ModLoad: 00007fff`7c210000 00007fff`7c21a000   C:\Windows\SYSTEM32\VERSION.dll
      ModLoad: 00007fff`56530000 00007fff`57065000   C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll
      ntdll!ZwMapViewOfSection+0x14:
      00007fff`8590d444 c3              ret
      0:000> !token2ee
      No export token2ee found
      0:000> .loadby sos clr
      0:000> !token2ee
      
      ************* Symbol Loading Error Summary **************
      Module name            Error
      clr                    The system cannot find the file specified
      
      You can troubleshoot most symbol related issues by turning on symbol loading diagnostics (!sym noisy) and repeating the command that caused symbols to be loaded.
      You should also verify that your symbol search path (.sympath) is correct.
      PDB symbol for clr.dll not loaded
      CLRDLL: Loaded DLL C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordacwks.dll
      Automatically loaded SOS Extension
      Usage: !Token2EE module_name mdToken
             You can pass * for module_name to search all modules.

    • .loadby sos mscorwks (for version 1.0 or 2.0 of the CLR)

bpmd

0:006> !bpmd mscorlib.dll System.Reflection.Emit.DynamicILInfo.GetTokenFor
Found 8 methods in module 00007ff813eb1000...
MethodDesc = 00007ff814288ca8
MethodDesc = 00007ff814288cb8
MethodDesc = 00007ff814288cc8
MethodDesc = 00007ff814288cd8
MethodDesc = 00007ff814288ce8
MethodDesc = 00007ff814288cf8
MethodDesc = 00007ff814288d08
MethodDesc = 00007ff814288d18
Setting breakpoint: bp 00007FF814D990A0 [System.Reflection.Emit.DynamicILInfo.GetTokenFor(Byte[])]
Setting breakpoint: bp 00007FF814D99080 [System.Reflection.Emit.DynamicILInfo.GetTokenFor(System.String)]
Setting breakpoint: bp 00007FF814D99060 [System.Reflection.Emit.DynamicILInfo.GetTokenFor(System.RuntimeTypeHandle)]
Setting breakpoint: bp 00007FF814D99040 [System.Reflection.Emit.DynamicILInfo.GetTokenFor(System.RuntimeFieldHandle, System.RuntimeTypeHandle)]
Setting breakpoint: bp 00007FF814D99020 [System.Reflection.Emit.DynamicILInfo.GetTokenFor(System.RuntimeFieldHandle)]
Setting breakpoint: bp 00007FF814D99000 [System.Reflection.Emit.DynamicILInfo.GetTokenFor(System.RuntimeMethodHandle, System.RuntimeTypeHandle)]
Setting breakpoint: bp 00007FF814D98FE0 [System.Reflection.Emit.DynamicILInfo.GetTokenFor(System.Reflection.Emit.DynamicMethod)]
Setting breakpoint: bp 00007FF814D98FC0 [System.Reflection.Emit.DynamicILInfo.GetTokenFor(System.RuntimeMethodHandle)]
Adding pending breakpoints...

token2ee

0:006> !token2ee mscorlib.dll 0x06004910
Module:      00007ff813eb1000
Assembly:    mscorlib.dll
Token:       0000000006004910
MethodDesc:  00007ff8141aafc0
Name:        System.Reflection.Emit.DynamicMethod..ctor(System.String, System.Type, System.Type[], System.Type, Boolean)
JITTED Code Address: 00007ff814d99450

In this example the JITted code address lies inside C:\WINDOWS\assembly\NativeImages_v4.0.30319_64\mscorlib\3b9003e4f27d92e40668f0efad11e022\mscorlib.ni.dll:

0:006> !address 00007ff814d99450

                                     
Mapping file section regions...
Mapping module regions...
Mapping PEB regions...
Mapping TEB and stack regions...
Mapping heap regions...
Mapping page heap regions...
Mapping other regions...
Mapping stack trace database regions...
Mapping activation context regions...

Usage:                  Image
Base Address:           00007ff8`143a4000
End Address:            00007ff8`153dd000
Region Size:            00000000`01039000 (  16.223 MB)
State:                  00001000          MEM_COMMIT
Protect:                00000020          PAGE_EXECUTE_READ
Type:                   01000000          MEM_IMAGE
Allocation Base:        00007ff8`13eb0000
Allocation Protect:     00000080          PAGE_EXECUTE_WRITECOPY
Image Path:             C:\WINDOWS\assembly\NativeImages_v4.0.30319_64\mscorlib\3b9003e4f27d92e40668f0efad11e022\mscorlib.ni.dll
Module Name:            mscorlib_ni
Loaded Image Name:      C:\WINDOWS\assembly\NativeImages_v4.0.30319_64\mscorlib\3b9003e4f27d92e40668f0efad11e022\mscorlib.ni.dll
Mapped Image Name:      
More info:              lmv m mscorlib_ni
More info:              !lmi mscorlib_ni
More info:              ln 0x7ff814d99450
More info:              !dh 0x7ff813eb0000


Content source: 1 (target), length: 643bb0

sxe clr

Catch exception

0:000> sxe clr
0:000> g
ModLoad: 00007ff8`11580000 00007ff8`116af000   C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clrjit.dll
ModLoad: 00007ff8`21760000 00007ff8`218fc000   C:\WINDOWS\System32\ole32.dll
ModLoad: 00007ff8`202a0000 00007ff8`2031b000   C:\WINDOWS\System32\bcryptPrimitives.dll
ModLoad: 00000272`b4b50000 00000272`b4b58000   image00000272`b4b50000
ModLoad: 00000272`b4b60000 00000272`b4b68000   image00000272`b4b60000
Breakpoint 1 hit
mscorlib_ni+0x579595:
00007ff8`14429595 488b05dcfbd5ff  mov     rax,qword ptr [mscorlib_ni+0x2d9178 (00007ff8`14189178)] ds:00007ff8`14189178=00007ff8144295a0
0:000> g
(88fc.6fe4): CLR exception - code e0434352 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
KERNELBASE!RaiseException+0x6c:
00007ff8`207f051c 0f1f440000      nop     dword ptr [rax+rax]
0:000> !CLRStack
OS Thread Id: 0x6fe4 (0)
        Child SP               IP Call Site
000000ca6713eab8 00007ff8207f051c [HelperMethodFrame: 000000ca6713eab8] 
000000ca6713eba0 00007ff81518772a System.Runtime.InteropServices.Marshal.GetDelegateForFunctionPointer(IntPtr, System.Type) [f:\dd\ndp\clr\src\BCL\system\runtime\interopservices\marshal.cs @ 2607]
000000ca6713edf0 00007ff8158d12c3 [DebuggerU2MCatchHandlerFrame: 000000ca6713edf0] 
000000ca6713f068 00007ff8158d12c3 [HelperMethodFrame_PROTECTOBJ: 000000ca6713f068] System.RuntimeMethodHandle.InvokeMethod(System.Object, System.Object[], System.Signature, Boolean)
000000ca6713f1e0 00007ff81441bd18 System.Reflection.RuntimeMethodInfo.UnsafeInvokeInternal(System.Object, System.Object[], System.Object[]) [f:\dd\ndp\clr\src\BCL\system\reflection\methodinfo.cs @ 761]
000000ca6713f240 00007ff8143f77c6 System.Reflection.RuntimeMethodInfo.Invoke(System.Object, System.Reflection.BindingFlags, System.Reflection.Binder, System.Object[], System.Globalization.CultureInfo) [f:\dd\ndp\clr\src\BCL\system\reflection\methodinfo.cs @ 735]
000000ca6713f2c0 00007ff814417c92 System.Reflection.MethodBase.Invoke(System.Object, System.Object[]) [f:\dd\ndp\clr\src\BCL\system\reflection\methodbase.cs @ 211]
000000ca6713f300 00007ff814b433ee DomainNeutralILStubClass.IL_STUB_COMtoCLR(System.StubHelpers.NativeVariant, IntPtr, IntPtr)
000000ca6713f4f0 00007ff8158d14a9 [ComMethodFrame: 000000ca6713f4f0] 
0:000> !PrintException
Exception object: 00000272b6565460
Exception type:   System.ArgumentNullException
Message:          Value cannot be null.
InnerException:   <none>
StackTrace (generated):
<none>
StackTraceString: <none>
HResult: 80004003
0:000>

switch mode

!wow64exts.sw

Some points

  • nt!KiSystemCall64