---
title: WinDbg notes
tags: security
lang: zh_tw
---

# WinDbg notes

[TOC]

* http://windbg.info/doc/1-common-cmds.html

# Setting

## Load symbols

* Create the folder `C:\MyLocalSymbols` first
* File -> Settings -> Debugging settings -> Symbol Path

```
srv*C:\MyLocalSymbols*https://msdl.microsoft.com/download/symbols
```

## Download symbols manually

* https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/using-symchk#obtaining-symchk
* https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/using-symchk

Use `symchk.exe`, found in `C:\Program Files (x86)\Windows Kits\10\Debuggers\x64`. `/s` takes a symbol path: with a bare directory symchk only verifies what that directory already holds, so to download anything give it the `srv*<local store>*<server>` form. `/r` recurses when the target is a directory.

```
symchk.exe <some dll or exe> /s srv*<local store>*https://msdl.microsoft.com/download/symbols
symchk.exe ntdll.dll /s srv*C:\MySymbols*https://msdl.microsoft.com/download/symbols
symchk /r C:\Windows\System32\yourfile.dll /s srv*C:\symbols*https://msdl.microsoft.com/download/symbols
```

* Whatever symbols it finds are saved into the local store (`C:\MySymbols` or `C:\symbols` above)

Or use WinDbg commands:

```
# list all modules
lm
# download the symbols of one module
ld ntdll
```

# WinDbg Remote Debugging

* Run the following on the target

```
bcdedit /debug on
bcdedit /dbgsettings net hostip:<host ip> port:<UDP port the host debugger listens on> key:1.2.3.4
# e.g.
# bcdedit /dbgsettings net hostip:10.87.87.1 port:55666 key:1.2.3.4
```

* The key is the shared secret that protects the KDNET channel; whoever holds it and can reach the port gets full kernel-level control of the target. `1.2.3.4` is only acceptable on an isolated lab network; leave `key:` out and bcdedit generates a random key and prints it. The settings take effect at the next boot.
* On the host

> Open WinDbg Preview
> Select File > Start debugging > Attach to kernel > Net
> Provide the same port number and key as in bcdedit. Press OK.
> Press Break (or use Ctrl + Break) to enter a debugging session

## Ref

* https://juniper.github.io/contrail-windows-docs/For%20developers/Debugging/Kernel_Debugging/

# Cheat sheet

* http://windbg.info/doc/1-common-cmds.html

## Help

```
.hh
```

## Check symbols

```
x *!
x kernel32!virtual*
```

## Go

- Step out: `Shift` + `F11`
- Step into: `F11`
- Step over: `F10`
- Continue: `g`

## Breakpoint

- Set breakpoint

```
bp KERNEL32!CreateFileA
bp 00007ff9`ba68ca80
bp @rip        # current instruction (x64; @eip on x86)
# when the breakpoint is hit, print a string and keep running
bp raspptp!PptpCmDeactivateVcComplete ".echo PptpCmDeactivateVcComplete; g"
```

- List breakpoints

```
bl
```

- Clear breakpoint

```
bc 1
```

## Set Exception

* Break when a specific module is loaded:

```
0:000> sxe ld:clr
0:000> g
ModLoad: 00007fff`84860000 00007fff`8490e000   C:\Windows\System32\ADVAPI32.dll
ModLoad: 00007fff`85540000 00007fff`855de000   C:\Windows\System32\msvcrt.dll
ModLoad: 00007fff`84270000 00007fff`8430c000   C:\Windows\System32\sechost.dll
ModLoad: 00007fff`83b00000 00007fff`83c25000   C:\Windows\System32\RPCRT4.dll
ModLoad: 00007fff`61d30000 00007fff`61dda000   C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll
ModLoad: 00007fff`854e0000 00007fff`85535000   C:\Windows\System32\SHLWAPI.dll
ModLoad: 00007fff`80eb0000 00007fff`80ec2000   C:\Windows\SYSTEM32\kernel.appcore.dll
ModLoad: 00007fff`7c210000 00007fff`7c21a000   C:\Windows\SYSTEM32\VERSION.dll
ModLoad: 00007fff`56530000 00007fff`57065000   C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll
ntdll!ZwMapViewOfSection+0x14:
00007fff`8590d444 c3              ret
```

## Module

- List modules

```
lm
```

## Display the stack (back trace)

```
kb
```

* `kb` also prints the stack-passed arguments of each frame; on x64 the first four arguments travel in registers, so those columns are only meaningful where the callee spilled them to its home slots

## Display function data

```
.fnent 140002057
```

* Looks up the function entry for that address in the module's exception table (`.pdata`): the RUNTIME_FUNCTION plus its UNWIND_INFO, which is the data the unwinder and the `k` commands use to find frame boundaries

## Threads

- See a list of all threads

```
~
```

- Switch to another thread (thread 0 here)

```
~0s
```

- Freeze / unfreeze thread 3

```
~3 f
~3 u
```

## Memory

- Show memory (`L10` is a hex count: 0x10 qwords)

```
d @esp
dq 0x000000ac69d1fbf0 L10
```

- Display Debugger Object Model Expression

```
dx -r1 (*((ntdll!_EVENT_HEADER *) @rcx))
```

- Display strings: `ds`/`dS` take the address of a counted `ANSI_STRING`/`UNICODE_STRING` structure, `da`/`du` take the address of a NUL-terminated buffer

```
ds <address of an ANSI_STRING>
dS <address of a UNICODE_STRING>
da <address of a char string>
du <address of a wchar_t string>
```

## Display information about the memory

```
!address
```

## Disassemble at address

```
u address
# e.g.
# u 00007ff7`6d90c9dd
```

## Watch trace

```
wt
```

* Issue it while the instruction pointer sits on a `call` instruction (or at a function's first instruction): it runs until that function returns and reports how many times each function was called along the way
* The summary also counts the system calls made

## Edit register

```
r rip = fffff806`06912cec
```

## Edit memory

```
ed 0x12345678 0xf
```

## Kernel Only commands

### List drivers

```
.reload
```

* Make sure `.reload` has run first, so the kernel symbols (including the `nt!_LDR_DATA_TABLE_ENTRY` type) are available

```
lm
// the following is equivalent: walk nt!PsLoadedModuleList by hand
!list -x "dt nt!_LDR_DATA_TABLE_ENTRY @$extret BaseDllName DllBase" nt!PsLoadedModuleList
```

* Then all modules (drivers) are listed. `!list` follows the `Flink` chain from the list head; `@$extret` holds the address of each `LIST_ENTRY`, and because `InLoadOrderLinks` is the first field of `_LDR_DATA_TABLE_ENTRY` that address is also the entry's base
* Ref: https://www.virusbulletin.com/uploads/pdf/conference_slides/2018/Svajcer-VB2018-KernelModeAnalysis.pdf

### List processes

```
!process 0 0
```

* Lists all processes

### Get MSR

```
rdmsr c0000082
```

* Reads an MSR. `c0000082` is LSTAR, the `syscall` target; it should point into nt (`nt!KiSystemCall64`, or `nt!KiSystemCall64Shadow` with KVA shadowing), anything else is a hook
* https://fishilico.github.io/generic-config/windows/windbg-kd.html
* In kernel mode the GS base points to the KPCR (Kernel Processor Control Region)
* Common MSRs
  * FSBase: 0xC0000100
  * GSBase: 0xC0000101
  * KernelGSBase: 0xC0000102
  * syscall target (LSTAR): 0xC0000082

### Thread

`!thread`:

```
0: kd> !thread
THREAD fffff8022313fb80  Cid 0000.0000  Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 0
Not impersonating
DeviceMap                 ffffb68d7fe25360
Owning Process            fffff8022313cac0       Image:         Idle
Attached Process          ffffd00a188b1040       Image:         System
Wait Start TickCount      14502          Ticks: 0
Context Switch Count      91174          IdealProcessor: 0
UserTime                  00:00:00.000
KernelTime                00:03:09.671
Win32 Start Address nt!KiIdleLoop (0xfffff8022281a670)
Stack Init ffffa381133f8fb0 Current fffff8021e6b8c00
Base ffffa381133f9000 Limit ffffa381133f3000 Call 0000000000000000
Priority 0 BasePriority 0 PriorityDecrement 0 IoPriority 0 PagePriority 5
Child-SP          RetAddr           : Args to Child                                                           : Call Site
ffffa381`133f7e20 fffff802`2745339b : ffffd00a`1c2a0d30 ffffa381`133f8011 00000000`000000dc ffffd00a`1c2a0d30 : raspptp!CtlpEngine+0x329
ffffa381`133f7f60 fffff802`2745a7c1 : 00000000`000000dc ffffd00a`1d8a3c90 ffffd00a`1c97d0aa 00000000`00000201 : raspptp!CtlReceiveCallback+0x4b
ffffa381`133f7fa0 fffff802`2745b21c : ffffd00a`1ca2caa0 00000000`0000000e 00000000`00000000 fffff802`2487a875 : raspptp!ReceiveData+0x219
ffffa381`133f8070 fffff802`26223d88 : ffffa381`133f81b8 00000000`00000000 ffffa381`133f82d0 ffffd00a`1e321c00 : raspptp!WskConnReceiveEvent+0x1c
ffffa381`133f80b0 fffff802`25414842 : ffffd00a`1c97d08e ffffd00a`1c53f9a0 ffffd00a`1d862a20 00000000`00000000 : afd!WskProTLEVENTReceive+0xe8
ffffa381`133f8160 fffff802`25413d55 : ffffd00a`1d862a20 ffffd00a`1ca2caa0 ffffa381`133f8418 00000000`00000000 : tcpip!TcpIndicateData+0x112
ffffa381`133f8240 fffff802`25413399 : ffffa381`133f8618 00000000`00000000 00000000`00000000 00000000`00000000 : tcpip!TcpDeliverDataToClient+0x565
ffffa381`133f83a0 fffff802`2541557b : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : tcpip!TcpDeliverReceive+0xd9
ffffa381`133f84a0 fffff802`25414d09 : 00000000`00000000 00000000`00000000 00000000`00000004 00000000`00000000 : tcpip!TcpTcbFastDatagram+0x42b
ffffa381`133f86a0 fffff802`25412942 : ffffd00a`1a5a4280 00000000`00000000 00000000`00000000 ffffd00a`1a5a4280 : tcpip!TcpTcbReceive+0x189
ffffa381`133f8820 fffff802`25411ebd : 00000000`00000000 ffffd00a`1a1986b0 00000000`46ef463c 00000000`00000000 : tcpip!TcpMatchReceive+0x1f2
ffffa381`133f8a00 fffff802`25465e92 : ffffd00a`1c25bb06 fffff802`00000001 ffffd00a`00000000 00000000`00000001 : tcpip!TcpReceive+0x44d
ffffa381`133f8af0 fffff802`25410068 : fffff802`00000014 ffffd00a`1a5a4280 ffffd00a`1c25ca20 fffff802`2540b9f1 : tcpip!TcpNlClientReceiveDatagrams+0x22
ffffa381`133f8b30 fffff802`2540f35b : 00000000`00000000 00000000`00000006 ffffa381`133f8ca9 ffffa381`133f8c80 : tcpip!IppProcessDeliverList+0xb8
ffffa381`133f8c20 fffff802`25410aaa : fffff802`255f0a10 ffffd00a`1a5ba8c0 ffffd00a`1a5a4000 ffffd00a`1a5a4200 : tcpip!IppReceiveHeaderBatch+0x21b
ffffa381`133f8d10 fffff802`25565c5f : ffffd00a`18ebf210 ffffd00a`1c25ca20 00000000`00000001 00000000`00000000 : tcpip!IppReceivePackets+0x36a
ffffa381`133f8e20 fffff802`2549b244 : ffffa381`133f8fb0 ffffa381`133f9000 fffff802`2313fb80 00000000`00000000 : tcpip!IppInspectInjectReceiveEx+0x157
ffffa381`133f8e70 fffff802`25719cf6 : ffffa381`133f8fb0 00000000`00000000 00000000`00000000 00000000`00000000 : tcpip!IppInspectInjectReceive+0x24
ffffa381`133f8ed0 fffff802`2281a42e : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : fwpkclnt!FwppInjectionStackCallout+0x116
ffffa381`133f8f60 fffff802`2281a3ec : ffffa381`133f8fb0 fffff802`2313fb80 00000000`00000002 fffff802`22627c3b : nt!KxSwitchKernelStackCallout+0x2e (TrapFrame @ ffffa381`133f8e20)
fffff802`1e6b6dc0 fffff802`22627c3b : ffffa381`133f8fb0 fffff802`2313fb80 ffffa381`133f9000 fffff802`1e6b6e00 : nt!KiSwitchKernelStackContinue
fffff802`1e6b6de0 fffff802`2271377b : fffff802`25719be0 fffff802`1e6b7030 00000000`00000000 fffff802`00000002 : nt!KiExpandKernelStackAndCalloutOnStackSegment+0x19b
fffff802`1e6b6e70 fffff802`22713593 : ffffd00a`1c25ca20 ffffd00a`1a2022a0 00000000`00000002 00000000`00000000 : nt!KiExpandKernelStackAndCalloutSwitchStack+0x13b
fffff802`1e6b6ee0 fffff802`2271354d : fffff802`25719be0 fffff802`1e6b7030 ffffd00a`18ebc3d0 00000000`00000000 : nt!KeExpandKernelStackAndCalloutInternal+0x33
fffff802`1e6b6f50 fffff802`25704b24 : 00000000`00000001 ffffd00a`1ca2d750 00000000`00000000 fffff802`2759cc20 : nt!KeExpandKernelStackAndCalloutEx+0x1d
fffff802`1e6b6f90 fffff802`2571ac3a : 00000000`00000000 fffff802`1e6b70a9 ffffd00a`1c25ca20 00000000`00000001 : fwpkclnt!NetioExpandKernelStackAndCallout+0x58
fffff802`1e6b6fd0 fffff802`2759a85d : ffffd00a`1ca2d750 00000000`00000000 00000000`00000002 ffffd00a`1ac082a0 : fwpkclnt!FwpsInjectNetworkReceiveAsync0+0x1da
fffff802`1e6b70f0 fffff802`2487a875 : ffffd00a`1a1b23b0 fffff802`1e6b7280 fffff802`1e6b73c0 ffffd00a`1a1b2618 : ipnat!NatLocalInCallout+0x43d
fffff802`1e6b7180 fffff802`2487a149 : 00000000`00000000 fffff802`1e6b7840 ffffd00a`1ca2caa0 ffffd00a`1ac082a0 : NETIO!ProcessCallout+0x2b5
fffff802`1e6b7310 fffff802`24878df4 : fffff802`1e6b75d8 fffff802`1e6b7540 ffffd00a`1e0dbaa0 ffffd00a`1e0db950 : NETIO!ArbitrateAndEnforce+0x5b9
fffff802`1e6b7440 fffff802`2549800e : ffffd00a`1c97d092 00000000`00000000 fffff802`255f0a10 00000000`00000000 : NETIO!KfdClassify+0x374
fffff802`1e6b7810 fffff802`2540fd1e : ffffd00a`1c53f9a0 00000000`00000014 00000000`00000001 ffffd00a`1a5a4000 : tcpip!ShimIpPacketInV4+0x87baa
fffff802`1e6b7bf0 fffff802`2540f1ce : ffffd00a`1abd6620 00000000`00000000 ffffd00a`1ac082a0 ffffd00a`1a5a4000 : tcpip!IppReceiveHeadersHelper+0x28e
fffff802`1e6b7d10 fffff802`25410aaa : fffff802`255f0a10 ffffd00a`1a5ba8c0 ffffd00a`1abcf010 ffffd00a`1a5a4100 : tcpip!IppReceiveHeaderBatch+0x8e
fffff802`1e6b7e00 fffff802`253efaae : ffffd00a`18ebf210 00000000`00000000 fffff802`1e6b7f01 00000000`00000000 : tcpip!IppReceivePackets+0x36a
fffff802`1e6b7f10 fffff802`253ed9d8 : 00000000`00000001 ffffd00a`1abd6600 fffff802`2545db30 fffff802`1e6b82e0 : tcpip!FlpReceiveNonPreValidatedNetBufferListChain+0x29e
fffff802`1e6b8010 fffff802`227135d8 : 00000000`00000000 fffff802`253ed840 fffff802`2313fb80 00000000`00000002 : tcpip!FlReceiveNetBufferListChainCalloutRoutine+0x198
fffff802`1e6b8150 fffff802`2271354d : fffff802`253ed840 fffff802`1e6b8300 ffffd00a`18ebd2d0 00000000`00000000 : nt!KeExpandKernelStackAndCalloutInternal+0x78
fffff802`1e6b81c0 fffff802`2545da1d : fffff802`1e6b8270 00000000`c0010000 fffff802`1eb16800 00000000`00000800 : nt!KeExpandKernelStackAndCalloutEx+0x1d
fffff802`1e6b8200 fffff802`2545d14f : 00000000`00000000 fffff802`1e6b8360 ffffd00a`1abd6620 00000000`00000000 : tcpip!NetioExpandKernelStackAndCallout+0x8d

0: kd> !process fffff8022313cac0
PROCESS fffff8022313cac0
    SessionId: none  Cid: 0000    Peb: 00000000  ParentCid: 0000
    DirBase: 001ae000  ObjectTable: ffffb68d7fe51e00  HandleCount: 2265.
    Image: Idle
    VadRoot ffffd00a1885ef70 Vads 2 Clone 0 Private 9. Modified 1755. Locked 0.
    DeviceMap 0000000000000000
    Token                             ffffb68d7fe55960
    ElapsedTime                       00:06:18.579
    UserTime                          00:00:00.000
    KernelTime                        00:00:00.000
    QuotaPoolUsage[PagedPool]         0
    QuotaPoolUsage[NonPagedPool]      272
    Working Set Sizes (now,min,max)  (9, 50, 450) (36KB, 200KB, 1800KB)
    PeakWorkingSetSize                2
    VirtualSize                       0 Mb
    PeakVirtualSize                   0 Mb
    PageFaultCount                    9
    MemoryPriority                    BACKGROUND
    BasePriority                      0
    CommitCharge                      15

        THREAD fffff8022313fb80  Cid 0000.0000  Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 0
        Not impersonating
        DeviceMap                 ffffb68d7fe25360
        Owning Process            fffff8022313cac0       Image:         Idle
        Attached Process          ffffd00a188b1040       Image:         System
        Wait Start TickCount      14502          Ticks: 0
        Context Switch Count      91174          IdealProcessor: 0
        UserTime                  00:00:00.000
        KernelTime                00:03:09.671
        Win32 Start Address nt!KiIdleLoop (0xfffff8022281a670)
        Stack Init ffffa381133f8fb0 Current fffff8021e6b8c00
        Base ffffa381133f9000 Limit ffffa381133f3000 Call 0000000000000000
        Priority 0 BasePriority 0 PriorityDecrement 0 IoPriority 0 PagePriority 5
        Child-SP          RetAddr           Call Site
        ffffa381`133f7e20 fffff802`2745339b raspptp!CtlpEngine+0x329
        ffffa381`133f7f60 fffff802`2745a7c1 raspptp!CtlReceiveCallback+0x4b
        ffffa381`133f7fa0 fffff802`2745b21c raspptp!ReceiveData+0x219
        ffffa381`133f8070 fffff802`26223d88 raspptp!WskConnReceiveEvent+0x1c
        ffffa381`133f80b0 fffff802`25414842 afd!WskProTLEVENTReceive+0xe8
        ffffa381`133f8160 fffff802`25413d55 tcpip!TcpIndicateData+0x112
        ffffa381`133f8240 fffff802`25413399 tcpip!TcpDeliverDataToClient+0x565
        ffffa381`133f83a0 fffff802`2541557b tcpip!TcpDeliverReceive+0xd9
        ffffa381`133f84a0 fffff802`25414d09 tcpip!TcpTcbFastDatagram+0x42b
        ffffa381`133f86a0 fffff802`25412942 tcpip!TcpTcbReceive+0x189
        ffffa381`133f8820 fffff802`25411ebd tcpip!TcpMatchReceive+0x1f2
        ffffa381`133f8a00 fffff802`25465e92 tcpip!TcpReceive+0x44d
        ffffa381`133f8af0 fffff802`25410068 tcpip!TcpNlClientReceiveDatagrams+0x22
        ffffa381`133f8b30 fffff802`2540f35b tcpip!IppProcessDeliverList+0xb8
        ffffa381`133f8c20 fffff802`25410aaa tcpip!IppReceiveHeaderBatch+0x21b
        ffffa381`133f8d10 fffff802`25565c5f tcpip!IppReceivePackets+0x36a
        ffffa381`133f8e20 fffff802`2549b244 tcpip!IppInspectInjectReceiveEx+0x157
        ffffa381`133f8e70 fffff802`25719cf6 tcpip!IppInspectInjectReceive+0x24
        ffffa381`133f8ed0 fffff802`2281a42e fwpkclnt!FwppInjectionStackCallout+0x116
        ffffa381`133f8f60 fffff802`2281a3ec nt!KxSwitchKernelStackCallout+0x2e (TrapFrame @ ffffa381`133f8e20)
        fffff802`1e6b6dc0 fffff802`22627c3b nt!KiSwitchKernelStackContinue
        fffff802`1e6b6de0 fffff802`2271377b nt!KiExpandKernelStackAndCalloutOnStackSegment+0x19b
        fffff802`1e6b6e70 fffff802`22713593 nt!KiExpandKernelStackAndCalloutSwitchStack+0x13b
        fffff802`1e6b6ee0 fffff802`2271354d nt!KeExpandKernelStackAndCalloutInternal+0x33
        fffff802`1e6b6f50 fffff802`25704b24 nt!KeExpandKernelStackAndCalloutEx+0x1d
        fffff802`1e6b6f90 fffff802`2571ac3a fwpkclnt!NetioExpandKernelStackAndCallout+0x58
        fffff802`1e6b6fd0 fffff802`2759a85d fwpkclnt!FwpsInjectNetworkReceiveAsync0+0x1da
        fffff802`1e6b70f0 fffff802`2487a875 ipnat!NatLocalInCallout+0x43d
        fffff802`1e6b7180 fffff802`2487a149 NETIO!ProcessCallout+0x2b5
        fffff802`1e6b7310 fffff802`24878df4 NETIO!ArbitrateAndEnforce+0x5b9
        fffff802`1e6b7440 fffff802`2549800e NETIO!KfdClassify+0x374
        fffff802`1e6b7810 fffff802`2540fd1e tcpip!ShimIpPacketInV4+0x87baa
        fffff802`1e6b7bf0 fffff802`2540f1ce tcpip!IppReceiveHeadersHelper+0x28e
        fffff802`1e6b7d10 fffff802`25410aaa tcpip!IppReceiveHeaderBatch+0x8e
        fffff802`1e6b7e00 fffff802`253efaae tcpip!IppReceivePackets+0x36a
        fffff802`1e6b7f10 fffff802`253ed9d8 tcpip!FlpReceiveNonPreValidatedNetBufferListChain+0x29e
        fffff802`1e6b8010 fffff802`227135d8 tcpip!FlReceiveNetBufferListChainCalloutRoutine+0x198
        fffff802`1e6b8150 fffff802`2271354d nt!KeExpandKernelStackAndCalloutInternal+0x78
        fffff802`1e6b81c0 fffff802`2545da1d nt!KeExpandKernelStackAndCalloutEx+0x1d
        fffff802`1e6b8200 fffff802`2545d14f tcpip!NetioExpandKernelStackAndCallout+0x8d

        THREAD ffffa5809fb86140  Cid 0000.0000  Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 1
        Not impersonating
        DeviceMap                 ffffb68d7fe25360
        Owning Process            fffff8022313cac0       Image:         Idle
        Attached Process          ffffd00a188b1040       Image:         System
        Wait Start TickCount      0              Ticks: 14502 (0:00:03:46.593)
        Context Switch Count      55011          IdealProcessor: 1
        UserTime                  00:00:00.000
        KernelTime                00:03:22.531
        Win32 Start Address nt!KiIdleLoop (0xfffff8022281a670)
        Stack Init ffffa38113229c70 Current ffffa38113229c00
        Base ffffa3811322a000 Limit ffffa38113224000 Call 0000000000000000
        Priority 127 BasePriority 0 PriorityDecrement 0 IoPriority 0 PagePriority 0
        Child-SP          RetAddr           Call Site
        ffffa381`132295a8 fffff802`227c3b24 nt!HalProcessorIdle+0xf
        ffffa381`132295b0 fffff802`226552bc nt!PpmIdleDefaultExecute+0x14
        ffffa381`132295e0 fffff802`226549d6 nt!PpmIdleExecuteTransition+0x77c
        ffffa381`13229a70 fffff802`2281a6c4 nt!PoIdle+0x3c6
        ffffa381`13229c40 00000000`00000000 nt!KiIdleLoop+0x54

        THREAD ffffa5809fccc140  Cid 0000.0000  Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 2
        Not impersonating
        DeviceMap                 ffffb68d7fe25360
        Owning Process            fffff8022313cac0       Image:         Idle
        Attached Process          ffffd00a188b1040       Image:         System
        Wait Start TickCount      1594           Ticks: 12908 (0:00:03:21.687)
        Context Switch Count      41034          IdealProcessor: 2
        UserTime                  00:00:00.000
        KernelTime                00:03:02.968
        Win32 Start Address nt!KiIdleLoop (0xfffff8022281a670)
        Stack Init ffffa38113237c70 Current ffffa38113237c00
        Base ffffa38113238000 Limit ffffa38113232000 Call 0000000000000000
        Priority 127 BasePriority 0 PriorityDecrement 0 IoPriority 0 PagePriority 0
        Child-SP          RetAddr           Call Site
        ffffa381`132375a8 fffff802`227c3b24 nt!HalProcessorIdle+0xf
        ffffa381`132375b0 fffff802`226552bc nt!PpmIdleDefaultExecute+0x14
        ffffa381`132375e0 fffff802`226549d6 nt!PpmIdleExecuteTransition+0x77c
        ffffa381`13237a70 fffff802`2281a6c4 nt!PoIdle+0x3c6
        ffffa381`13237c40 00000000`00000000 nt!KiIdleLoop+0x54

        THREAD ffffa5809fda5140  Cid 0000.0000  Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 3
        Not impersonating
        DeviceMap                 ffffb68d7fe25360
        Owning Process            fffff8022313cac0       Image:         Idle
        Attached Process          ffffd00a188b1040       Image:         System
        Wait Start TickCount      0              Ticks: 14502 (0:00:03:46.593)
        Context Switch Count      37746          IdealProcessor: 3
        UserTime                  00:00:00.000
        KernelTime                00:03:19.125
        Win32 Start Address nt!KiIdleLoop (0xfffff8022281a670)
        Stack Init ffffa38113245c70 Current ffffa38113245c00
        Base ffffa38113246000 Limit ffffa38113240000 Call 0000000000000000
        Priority 127 BasePriority 0 PriorityDecrement 0 IoPriority 0 PagePriority 0
        Child-SP          RetAddr           Call Site
        ffffa381`132455a8 fffff802`227c3b24 nt!HalProcessorIdle+0xf
        ffffa381`132455b0 fffff802`226552bc nt!PpmIdleDefaultExecute+0x14
        ffffa381`132455e0 fffff802`226549d6 nt!PpmIdleExecuteTransition+0x77c
        ffffa381`13245a70 fffff802`2281a6c4 nt!PoIdle+0x3c6
        ffffa381`13245c40 00000000`00000000 nt!KiIdleLoop+0x54

        THREAD ffffd00a18924080  Cid 0000.002c  Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 0
        Not impersonating
        DeviceMap                 ffffb68d7fe25360
        Owning Process            fffff8022313cac0       Image:         Idle
        Attached Process          ffffd00a188b1040       Image:         System
        Wait Start TickCount      34             Ticks: 14468 (0:00:03:46.062)
        Context Switch Count      12             IdealProcessor: 0
        UserTime                  00:00:00.000
        KernelTime                00:00:00.000
        Win32 Start Address nt!KiExecuteDpcDelegate (0xfffff802227bf5e0)
        Stack Init ffffa3811326fc70 Current ffffa3811326f9e0
        Base ffffa38113270000 Limit ffffa3811326a000 Call 0000000000000000
        Priority 127 BasePriority 0 PriorityDecrement 0 IoPriority 0 PagePriority 0
        Child-SP          RetAddr           Call Site
        ffffa381`1326fa20 fffff802`2275dd95 nt!KiSwapContext+0x76
        ffffa381`1326fb60 fffff802`227bf6f1 nt!KiSwapThread+0x545
        ffffa381`1326fc00 fffff802`2281a868 nt!KiExecuteDpcDelegate+0x111
        ffffa381`1326fc40 00000000`00000000 nt!KiStartSystemThread+0x28

        THREAD ffffd00a188e9080  Cid 0000.0034  Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 1
        Not impersonating
        DeviceMap                 ffffb68d7fe25360
        Owning Process            fffff8022313cac0       Image:         Idle
        Attached Process          ffffd00a188b1040       Image:         System
        Wait Start TickCount      0              Ticks: 14502 (0:00:03:46.593)
        Context Switch Count      2              IdealProcessor: 1
        UserTime                  00:00:00.000
        KernelTime                00:00:00.000
        Win32 Start Address nt!KiExecuteDpcDelegate (0xfffff802227bf5e0)
        Stack Init ffffa3811327dc70 Current ffffa3811327d9e0
        Base ffffa3811327e000 Limit ffffa38113278000 Call 0000000000000000
        Priority 127 BasePriority 0 PriorityDecrement 0 IoPriority 0 PagePriority 0
        Child-SP          RetAddr           Call Site
        ffffa381`1327da20 fffff802`2275dd95 nt!KiSwapContext+0x76
        ffffa381`1327db60 fffff802`227bf6f1 nt!KiSwapThread+0x545
        ffffa381`1327dc00 fffff802`2281a868 nt!KiExecuteDpcDelegate+0x111
        ffffa381`1327dc40 00000000`00000000 nt!KiStartSystemThread+0x28

        THREAD ffffd00a18957080  Cid 0000.003c  Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 2
        Not impersonating
        DeviceMap                 ffffb68d7fe25360
        Owning Process            fffff8022313cac0       Image:         Idle
        Attached Process          ffffd00a188b1040       Image:         System
        Wait Start TickCount      0              Ticks: 14502 (0:00:03:46.593)
        Context Switch Count      1              IdealProcessor: 2
        UserTime                  00:00:00.000
        KernelTime                00:00:00.000
        Win32 Start Address nt!KiExecuteDpcDelegate (0xfffff802227bf5e0)
        Stack Init ffffa3811328bc70 Current ffffa3811328b9e0
        Base ffffa3811328c000 Limit ffffa38113286000 Call 0000000000000000
        Priority 127 BasePriority 0 PriorityDecrement 0 IoPriority 0 PagePriority 0
        Child-SP          RetAddr           Call Site
        ffffa381`1328ba20 fffff802`2275dd95 nt!KiSwapContext+0x76
        ffffa381`1328bb60 fffff802`227bf6f1 nt!KiSwapThread+0x545
        ffffa381`1328bc00 fffff802`2281a868 nt!KiExecuteDpcDelegate+0x111
        ffffa381`1328bc40 00000000`00000000 nt!KiStartSystemThread+0x28

        THREAD ffffd00a189ce080  Cid 0000.0044  Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 3
        Not impersonating
        DeviceMap                 ffffb68d7fe25360
        Owning Process            fffff8022313cac0       Image:         Idle
        Attached Process          ffffd00a188b1040       Image:         System
        Wait Start TickCount      0              Ticks: 14502 (0:00:03:46.593)
        Context Switch Count      5              IdealProcessor: 3
        UserTime                  00:00:00.000
        KernelTime                00:00:00.000
        Win32 Start Address nt!KiExecuteDpcDelegate (0xfffff802227bf5e0)
        Stack Init ffffa38113299c70 Current ffffa381132999e0
        Base ffffa3811329a000 Limit ffffa38113294000 Call 0000000000000000
        Priority 127 BasePriority 0 PriorityDecrement 0 IoPriority 0 PagePriority 0
        Child-SP          RetAddr           Call Site
        ffffa381`13299a20 fffff802`2275dd95 nt!KiSwapContext+0x76
        ffffa381`13299b60 fffff802`227bf6f1 nt!KiSwapThread+0x545
        ffffa381`13299c00 fffff802`2281a868 nt!KiExecuteDpcDelegate+0x111
        ffffa381`13299c40 00000000`00000000 nt!KiStartSystemThread+0x28
```

* The `!thread` above is the processor 0 idle thread (`Win32 Start Address nt!KiIdleLoop`, priority 0) running a raspptp receive path: the packet came up through tcpip and afd, and `nt!KeExpandKernelStackAndCalloutEx` moved the work onto a larger kernel stack, which is why the Child-SP column jumps from ffffa381133f... to fffff8021e6b... at `nt!KxSwitchKernelStackCallout`. `!process <EPROCESS>` then shows the owning process with every thread in it, here Idle with its per-processor idle threads and the `nt!KiExecuteDpcDelegate` threads.

### Session space: a pitfall hit while debugging win32k

First list the modules (`.reload` has already been run). The user-mode images at the top belong to whatever process context the debugger is currently in, here ServerManager.exe:

```
0: kd> lm n
start             end                 module name
00000245`51230000 00000245`51272000   ServerManager ServerManager.exe
00007ffd`abc80000 00007ffd`ac0d1000   D3DCOMPILER_47 D3DCOMPILER_47.dll
00007ffd`ac0e0000 00007ffd`ac28a000   UIAutomationCore UIAutomationCore.dll
00007ffd`ac290000 00007ffd`ac41d000   d3d9 d3d9.dll
00007ffd`ac450000 00007ffd`ac491000   System_ServiceProcess_ni System.ServiceProcess.ni.dll
00007ffd`ad030000 00007ffd`ad0ca000   PresentationFramework_Aero2_ni PresentationFramework.Aero2.ni.dll
00007ffd`ae400000 00007ffd`ae44b000   WindowsCodecsExt WindowsCodecsExt.dll
00007ffd`af100000 00007ffd`af109000   Microsoft_Management_Infrastructure_Native_Unmanaged Microsoft.Management.Infrastructure.Native.Unmanaged.DLL
00007ffd`afe70000 00007ffd`aff9b000   System_Configuration_ni System.Configuration.ni.dll
00007ffd`affa0000 00007ffd`b00cb000   clrjit clrjit.dll
00007ffd`b00d0000 00007ffd`b01e0000   PresentationNative_v0400 PresentationNative_v0400.dll
00007ffd`b01e0000 00007ffd`b028e000   MSVCP120_CLR0400 MSVCP120_CLR0400.dll
00007ffd`b0290000 00007ffd`b0440000   wpfgfx_v0400 wpfgfx_v0400.dll
00007ffd`b0440000 00007ffd`b1abc000   PresentationFramework_ni PresentationFramework.ni.dll
00007ffd`b1ac0000 00007ffd`b28a1000   PresentationCore_ni PresentationCore.ni.dll
00007ffd`b28b0000 00007ffd`b2dab000   WindowsBase_ni WindowsBase.ni.dll
00007ffd`b2db0000 00007ffd`b3800000   System_Core_ni System.Core.ni.dll
00007ffd`b3800000 00007ffd`b4444000   System_ni System.ni.dll
00007ffd`b4450000 00007ffd`b59e1000   mscorlib_ni mscorlib.ni.dll
00007ffd`b59f0000 00007ffd`b5ae7000   MSVCR120_CLR0400 MSVCR120_CLR0400.dll
00007ffd`b5af0000 00007ffd`b652b000   clr clr.dll
00007ffd`b6530000 00007ffd`b65cc000   mscoreei mscoreei.dll
00007ffd`b65d0000 00007ffd`b6636000   MSCOREE MSCOREE.DLL
00007ffd`bb620000 00007ffd`bb632000   virtdisk virtdisk.dll
00007ffd`bbbd0000 00007ffd`bbe39000   dwrite dwrite.dll
00007ffd`bdc00000 00007ffd`bdc14000   wbemsvc wbemsvc.dll
00007ffd`bdf60000 00007ffd`be054000   fastprox fastprox.dll
00007ffd`bf950000 00007ffd`bf960000   wbemprox wbemprox.dll
00007ffd`bf990000 00007ffd`bf99a000   FLTLIB FLTLIB.DLL
00007ffd`bfb40000 00007ffd`bfb6e000   wmidcom wmidcom.dll
00007ffd`bfd20000 00007ffd`bfd46000   srvcli srvcli.dll
00007ffd`bfd50000 00007ffd`bff13000   urlmon urlmon.dll
00007ffd`c1350000 00007ffd`c13ac000   miutils miutils.dll
00007ffd`c13b0000 00007ffd`c13d0000   mi mi.dll
00007ffd`c20a0000 00007ffd`c20aa000   VERSION VERSION.dll
00007ffd`c28c0000 00007ffd`c293f000   wbemcomn wbemcomn.dll
00007ffd`c2db0000 00007ffd`c2e41000   mscms mscms.dll
00007ffd`c2e50000 00007ffd`c2e6f000   msctfui msctfui.dll
00007ffd`c36b0000 00007ffd`c3835000   propsys propsys.dll
00007ffd`c5000000 00007ffd`c5049000   dataexchange dataexchange.dll
00007ffd`c5360000 00007ffd`c55da000   comctl32 comctl32.dll
00007ffd`c5ff0000 00007ffd`c627d000   d3d10warp d3d10warp.dll
00007ffd`c6280000 00007ffd`c6536000   d3d11 d3d11.dll
00007ffd`c6880000 00007ffd`c6a28000   WindowsCodecs WindowsCodecs.dll
00007ffd`c6a50000 00007ffd`c6d02000   iertutil iertutil.dll
00007ffd`c8250000 00007ffd`c8276000   dwmapi dwmapi.dll
00007ffd`c8280000 00007ffd`c8293000   wtsapi32 wtsapi32.dll
00007ffd`c85b0000 00007ffd`c8701000   dcomp dcomp.dll
00007ffd`c8a60000 00007ffd`c8a8b000   WINMMBASE WINMMBASE.dll
00007ffd`c8ac0000 00007ffd`c8ae3000   WINMM WINMM.dll
00007ffd`c8e10000 00007ffd`c8ea5000   uxtheme uxtheme.dll
00007ffd`c90e0000 00007ffd`c91f3000   twinapi_appcore twinapi.appcore.dll
00007ffd`c95e0000 00007ffd`c967f000   dxgi dxgi.dll
00007ffd`c9a30000 00007ffd`c9a63000   rsaenh rsaenh.dll
00007ffd`c9a70000 00007ffd`c9a7a000   DPAPI DPAPI.DLL
00007ffd`c9bf0000 00007ffd`c9bfd000   netutils netutils.dll
00007ffd`c9cb0000 00007ffd`c9cd0000   USERENV USERENV.dll
00007ffd`c9e80000 00007ffd`c9edd000   mswsock mswsock.dll
00007ffd`ca030000 00007ffd`ca047000   CRYPTSP CRYPTSP.dll
00007ffd`ca050000 00007ffd`ca05b000   CRYPTBASE CRYPTBASE.dll
00007ffd`ca230000 00007ffd`ca25c000   SspiCli SspiCli.dll
00007ffd`ca4a0000 00007ffd`ca4f6000   WINSTA WINSTA.dll
00007ffd`ca500000 00007ffd`ca52b000   bcrypt bcrypt.dll
00007ffd`ca5c0000 00007ffd`ca5d4000   profapi profapi.dll
00007ffd`ca5e0000 00007ffd`ca5f0000   MSASN1 MSASN1.dll
00007ffd`ca5f0000 00007ffd`ca5ff000   kernel_appcore kernel.appcore.dll
00007ffd`ca600000 00007ffd`ca64c000   powrprof powrprof.dll
00007ffd`ca650000 00007ffd`ca6ec000   msvcp_win msvcp_win.dll
00007ffd`ca6f0000 00007ffd`ca70e000   win32u win32u.dll
00007ffd`ca710000 00007ffd`ca77c000   bcryptPrimitives bcryptPrimitives.dll
00007ffd`ca890000 00007ffd`caf65000   windows_storage windows.storage.dll
00007ffd`caf70000 00007ffd`cb018000   shcore shcore.dll
00007ffd`cb020000 00007ffd`cb1a4000   gdi32full gdi32full.dll
00007ffd`cb1b0000 00007ffd`cb3ce000   KERNELBASE KERNELBASE.dll
00007ffd`cb3d0000 00007ffd`cb4c4000   ucrtbase ucrtbase.dll
00007ffd`cb4d0000 00007ffd`cb512000   cfgmgr32 cfgmgr32.dll
00007ffd`cb520000 00007ffd`cb713000   CRYPT32 CRYPT32.dll
00007ffd`cb800000 00007ffd`cb86a000   WS2_32 WS2_32.dll
00007ffd`cb870000 00007ffd`cb8a4000   GDI32 GDI32.dll
00007ffd`cb8b0000 00007ffd`cbb76000   combase combase.dll
00007ffd`cbb80000 00007ffd`cbce6000   USER32 USER32.dll
00007ffd`cbcf0000 00007ffd`cbe0e000   RPCRT4 RPCRT4.dll
00007ffd`cbe10000 00007ffd`cbe6b000   sechost sechost.dll
00007ffd`cbe70000 00007ffd`cbf0f000   clbcatq clbcatq.dll
00007ffd`cbf10000 00007ffd`cd416000   shell32 shell32.dll
00007ffd`cd420000 00007ffd`cd57b000   MSCTF MSCTF.dll
00007ffd`cd580000 00007ffd`cd5ae000   IMM32 IMM32.DLL
00007ffd`cd610000 00007ffd`cd6bd000   KERNEL32 KERNEL32.dll
00007ffd`cd6c0000 00007ffd`cd766000   ADVAPI32 ADVAPI32.dll
00007ffd`cd770000 00007ffd`cd8a9000   ole32 ole32.dll
00007ffd`cd8b0000 00007ffd`cd970000   OLEAUT32 OLEAUT32.dll
00007ffd`ce080000 00007ffd`ce11e000   msvcrt msvcrt.dll
00007ffd`ce120000 00007ffd`ce172000   SHLWAPI SHLWAPI.dll
00007ffd`ce180000 00007ffd`ce34f000   ntdll ntdll.dll
ffffa238`39000000 ffffa238`39386000   win32kfull win32kfull.sys
ffffa238`39390000 ffffa238`3950e000   win32kbase win32kbase.sys
ffffa238`39520000 ffffa238`3952a000   TSDDD TSDDD.dll
ffffa238`39530000 ffffa238`3956f000   cdd cdd.dll
ffffa238`39600000 ffffa238`3963b000   win32k win32k.sys
fffff800`6b86e000 fffff800`6b89a000   kdcom kdnet.dll
fffff800`6c817000 fffff800`6c893000   hal hal.dll
fffff800`6c893000 fffff800`6d0b2000   nt ntkrnlmp.exe
fffff800`6d200000 fffff800`6d241000   kd_02_8086 kd_02_8086.dll
fffff802`4d200000 fffff802`4d262000   FLTMGR FLTMGR.SYS
fffff802`4d270000 fffff802`4d2ce000   msrpc msrpc.sys
fffff802`4d2d0000 fffff802`4d2f8000   ksecdd ksecdd.sys
fffff802`4d300000 fffff802`4d3b0000   clipsp clipsp.sys
fffff802`4d3b0000 fffff802`4d3bd000   cmimcext cmimcext.sys
fffff802`4d3c0000 fffff802`4d3cc000   ntosext ntosext.sys
fffff802`4d3d0000 fffff802`4d472000   CI CI.dll
fffff802`4d480000 fffff802`4d520000   cng cng.sys
fffff802`4d520000 fffff802`4d5f4000   Wdf01000 Wdf01000.sys
fffff802`4d600000 fffff802`4d613000   WDFLDR WDFLDR.SYS
fffff802`4d620000 fffff802`4d643000   acpiex acpiex.sys
fffff802`4d650000 fffff802`4d65e000   WppRecorder WppRecorder.sys
fffff802`4d660000 fffff802`4d713000   ACPI ACPI.sys
fffff802`4d720000 fffff802`4d72c000   WMILIB WMILIB.SYS
fffff802`4d740000 fffff802`4d75f000   WindowsTrustedRT WindowsTrustedRT.sys
fffff802`4d760000 fffff802`4d771000   intelpep intelpep.sys
fffff802`4d780000 fffff802`4d78b000   WindowsTrustedRTProxy WindowsTrustedRTProxy.sys
fffff802`4d790000 fffff802`4d7a2000   pcw pcw.sys
fffff802`4d7d0000 fffff802`4d82e000   volmgrx volmgrx.sys
fffff802`4d830000 fffff802`4d84e000   mountmgr mountmgr.sys
fffff802`4d850000 fffff802`4d885000   ataport ataport.SYS
fffff802`4d890000 fffff802`4d8b4000   storahci storahci.sys
fffff802`4d8c0000 fffff802`4d8dd000   mcupdate_AuthenticAMD mcupdate_AuthenticAMD.dll
fffff802`4d8e0000 fffff802`4d8f0000   werkernel werkernel.sys
fffff802`4d8f0000 fffff802`4d956000   CLFS CLFS.SYS
fffff802`4d960000 fffff802`4d985000   tm tm.sys
fffff802`4d990000 fffff802`4d9a7000   PSHED PSHED.dll
fffff802`4d9b0000 fffff802`4d9bc000   BOOTVID BOOTVID.dll
fffff802`4da00000 fffff802`4da57000   pci pci.sys
fffff802`4da60000 fffff802`4da72000   vdrvroot vdrvroot.sys
fffff802`4da80000 fffff802`4daa1000   pdc pdc.sys
fffff802`4dab0000 fffff802`4dac9000   CEA CEA.sys
fffff802`4dad0000 fffff802`4daf4000   partmgr partmgr.sys
fffff802`4db00000 fffff802`4db0a000   intelide intelide.sys
fffff802`4db10000 fffff802`4db21000   PCIIDEX PCIIDEX.SYS
fffff802`4db30000 fffff802`4dbca000   spaceport spaceport.sys
fffff802`4dbd0000 fffff802`4dbe8000   volmgr volmgr.sys
fffff802`4dbf0000 fffff802`4dc08000   vsock vsock.sys
fffff802`4dc10000 fffff802`4dd38000   NDIS NDIS.SYS
fffff802`4dd40000 fffff802`4ddb9000   NETIO NETIO.SYS
fffff802`4ddc0000 fffff802`4ddcb000   msisadrv msisadrv.sys
fffff802`4ddd0000 fffff802`4ddec000   vmci vmci.sys
fffff802`4ddf0000 fffff802`4ddfc000   atapi atapi.sys
fffff802`4de00000 fffff802`4e01c000   dxgkrnl dxgkrnl.sys
fffff802`4e030000 fffff802`4e0b3000   storport storport.sys
fffff802`4e0c0000 fffff802`4e0d9000   stornvme stornvme.sys
fffff802`4e0e0000 fffff802`4e0fc000   EhStorClass EhStorClass.sys
fffff802`4e100000 fffff802`4e138000   Wof Wof.sys
fffff802`4e140000 fffff802`4e18d000   WdFilter WdFilter.sys
fffff802`4e190000 fffff802`4e1a2000   netbios netbios.sys
fffff802`4e200000 fffff802`4e230000   ksecpkg ksecpkg.sys
fffff802`4e230000 fffff802`4e4a8000   tcpip tcpip.sys
fffff802`4e4b0000 fffff802`4e519000   fwpkclnt fwpkclnt.sys
fffff802`4e520000 fffff802`4e54a000   wfplwfs wfplwfs.sys
fffff802`4e550000 fffff802`4e55b000   volume volume.sys
fffff802`4e560000 fffff802`4e5c4000   volsnap volsnap.sys
fffff802`4e5d0000 fffff802`4e5f5000   mup mup.sys
fffff802`4e610000 fffff802`4e62f000   disk disk.sys
fffff802`4e630000 fffff802`4e692000   CLASSPNP CLASSPNP.SYS
fffff802`4e6c0000 fffff802`4e6d9000   crashdmp crashdmp.sys
fffff802`4e740000 fffff802`4e76b000   pacer pacer.sys
fffff802`4e780000 fffff802`4e79d000   filecrypt filecrypt.sys
fffff802`4e7a0000 fffff802`4e7ae000   tbs tbs.sys
fffff802`4e7b0000 fffff802`4e7ba000   Null Null.SYS
fffff802`4e7c0000 fffff802`4e7d0000   vmrawdsk vmrawdsk.sys
fffff802`4e7d0000 fffff802`4e7e4000   BasicDisplay BasicDisplay.sys
fffff802`4e7f0000 fffff802`4e804000   watchdog watchdog.sys
fffff802`4e810000 fffff802`4e822000   BasicRender BasicRender.sys
fffff802`4e830000 fffff802`4e849000   Npfs Npfs.SYS
fffff802`4e850000 fffff802`4e860000   Msfs Msfs.SYS
fffff802`4e860000 fffff802`4e883000   tdx tdx.sys
fffff802`4e890000 fffff802`4e8a0000   TDI TDI.SYS
fffff802`4e8a0000 fffff802`4e8ae000   ws2ifsl ws2ifsl.sys
fffff802`4e8b0000 fffff802`4e8fb000   netbt netbt.sys
fffff802`4e900000 fffff802`4e995000   afd afd.sys
fffff802`4e9a0000 fffff802`4ebd3000   NTFS NTFS.sys
fffff802`4ebe0000 fffff802`4ebed000   Fs_Rec Fs_Rec.sys
fffff802`4ee00000 fffff802`4ee22000   i8042prt i8042prt.sys
fffff802`4ee30000 fffff802`4ee43000   kbdclass kbdclass.sys
fffff802`4ee50000 fffff802`4ee59000   vmmouse vmmouse.sys
fffff802`4ee60000 fffff802`4ee72000   mouclass mouclass.sys
fffff802`4ee80000 fffff802`4ee8a000   vm3dmp_loader vm3dmp_loader.sys
fffff802`4ee90000 fffff802`4eede000   vm3dmp vm3dmp.sys
fffff802`4eee0000 fffff802`4eeeb000   vmgencounter vmgencounter.sys
fffff802`4eef0000 fffff802`4eefe000   CmBatt CmBatt.sys
fffff802`4ef00000 fffff802`4ef0e000   BATTC BATTC.SYS
fffff802`4ef10000 fffff802`4ef37000   amdppm amdppm.sys
fffff802`4ef40000 fffff802`4ef4d000   NdisVirtualBus NdisVirtualBus.sys
fffff802`4ef50000 fffff802`4ef5c000   swenum swenum.sys
fffff802`4ef60000 fffff802`4efc8000   ks ks.sys
fffff802`4efd0000 fffff802`4efde000 rdpbus rdpbus.sys fffff802`4efe0000 fffff802`4f03b000 fastfat fastfat.SYS fffff802`4f050000 fffff802`4f05f000 dump_diskdump dump_diskdump.sys fffff802`4f080000 fffff802`4f099000 dump_stornvme dump_stornvme.sys fffff802`4f0a0000 fffff802`4f117000 mrxsmb mrxsmb.sys fffff802`4f120000 fffff802`4f15b000 mrxsmb20 mrxsmb20.sys fffff802`4f160000 fffff802`4f179000 mpsdrv mpsdrv.sys fffff802`4f220000 fffff802`4f230000 monitor monitor.sys fffff802`4f230000 fffff802`4f2d7000 dxgmms2 dxgmms2.sys fffff802`4f2e0000 fffff802`4f307000 luafv luafv.sys fffff802`4f310000 fffff802`4f330000 wcifs wcifs.sys fffff802`4f330000 fffff802`4f349000 storqosflt storqosflt.sys fffff802`4f350000 fffff802`4f368000 registry registry.sys fffff802`4f370000 fffff802`4f386000 lltdio lltdio.sys fffff802`4f390000 fffff802`4f3aa000 rspndr rspndr.sys fffff802`4f3b0000 fffff802`4f3c8000 mslldp mslldp.sys fffff802`4f3d0000 fffff802`4f3f2000 bowser bowser.sys fffff802`4f440000 fffff802`4f4b4000 rdbss rdbss.sys fffff802`4f4c0000 fffff802`4f4da000 nsiproxy nsiproxy.sys fffff802`4f4e0000 fffff802`4f4ed000 npsvctrig npsvctrig.sys fffff802`4f4f0000 fffff802`4f500000 mssmbios mssmbios.sys fffff802`4f500000 fffff802`4f50a000 gpuenergydrv gpuenergydrv.sys fffff802`4f510000 fffff802`4f53a000 dfsc dfsc.sys fffff802`4f540000 fffff802`4f552000 HIDPARSE HIDPARSE.SYS fffff802`4f560000 fffff802`4f59f000 ahcache ahcache.sys fffff802`4f5a0000 fffff802`4f5b1000 CompositeBus CompositeBus.sys fffff802`4f5c0000 fffff802`4f5ce000 kdnic kdnic.sys fffff802`4f5d0000 fffff802`4f5e5000 umbus umbus.sys fffff802`4f800000 fffff802`4f8c3000 peauth peauth.sys fffff802`4f8d0000 fffff802`4f985000 srv2 srv2.sys fffff802`4f990000 fffff802`4fa1c000 srv srv.sys fffff802`4fa20000 fffff802`4fa34000 tcpipreg tcpipreg.sys fffff802`4fa40000 fffff802`4fa6b000 vmhgfs vmhgfs.sys fffff802`4fa70000 fffff802`4fa9f000 tunnel tunnel.sys fffff802`507e0000 fffff802`508f4000 HTTP HTTP.sys fffff802`50900000 fffff802`5090a000 
vmmemctl vmmemctl.sys fffff802`50910000 fffff802`50953000 srvnet srvnet.sys fffff802`50960000 fffff802`50972000 condrv condrv.sys fffff802`50980000 fffff802`509ce000 mrxsmb10 mrxsmb10.sys Unloaded modules: fffff802`4e6f0000 fffff802`4e6ff000 dump_storport.sys fffff802`4e720000 fffff802`4e739000 dump_stornvme.sys fffff802`4f540000 fffff802`4f554000 dam.sys fffff802`4e740000 fffff802`4e771000 cdrom.sys fffff802`4d730000 fffff802`4d740000 WdBoot.sys fffff802`4e600000 fffff802`4e610000 hwpolicy.sys fffff802`4d7b0000 fffff802`4d7cc000 sacdrv.sys Unable to enumerate user-mode unloaded modules, Win32 error 0n30 ``` 查看 win32kfull 的函數會發現無法訪問: ``` 0: kd> dq NtUserDestroyMenu ffffa238`39120b70 ????????`???????? ????????`???????? ffffa238`39120b80 ????????`???????? ????????`???????? ffffa238`39120b90 ????????`???????? ????????`???????? ffffa238`39120ba0 ????????`???????? ????????`???????? ffffa238`39120bb0 ????????`???????? ????????`???????? ffffa238`39120bc0 ????????`???????? ????????`???????? ffffa238`39120bd0 ????????`???????? ????????`???????? ffffa238`39120be0 ????????`???????? ????????`???????? 
```

The reason is that win32k lives in session address space. Look at the sessions first:

```
0: kd> !session
Sessions on machine: 2
Valid Sessions: 0 1
Error in reading current session
```

List the processes in the first session; the `_MM_SESSION_SPACE` address is `ffffc100655e5000`:

```
0: kd> !sprocess 0
Dumping Session 0

_MM_SESSION_SPACE ffffc100655e5000
PROCESS ffffd28f4fa21800
    SessionId: 0  Cid: 0168    Peb: dd97d4f000  ParentCid: 0160
    DirBase: 10dc2d000  ObjectTable: ffffe58eb9a41000  HandleCount: <Data Not Accessible>
    Image: csrss.exe

PROCESS ffffd28f4fa20080
    SessionId: 0  Cid: 01c8    Peb: 1003c0000  ParentCid: 0160
    DirBase: 10e82e000  ObjectTable: ffffe58eb9ade000  HandleCount: <Data Not Accessible>
    Image: wininit.exe

PROCESS ffffd28f51294080
    SessionId: 0  Cid: 024c    Peb: df887d6000  ParentCid: 01c8
    DirBase: 10ff80000  ObjectTable: ffffe58eb9b76000  HandleCount: <Data Not Accessible>
    Image: services.exe

PROCESS ffffd28f5128e400
    SessionId: 0  Cid: 0254    Peb: f8d9512000  ParentCid: 01c8
    DirBase: 110497000  ObjectTable: ffffe58eb9baa000  HandleCount: <Data Not Accessible>
    Image: lsass.exe

PROCESS ffffd28f4f95f800
    SessionId: 0  Cid: 02a8    Peb: d014afb000  ParentCid: 024c
    DirBase: 111399000  ObjectTable: ffffe58ebfbe1000  HandleCount: <Data Not Accessible>
    Image: svchost.exe

PROCESS ffffd28f50cac800
    SessionId: 0  Cid: 02d4    Peb: 622f4ab000  ParentCid: 024c
    DirBase: 11187a000  ObjectTable: ffffe58ebfc5d000  HandleCount: <Data Not Accessible>
    Image: svchost.exe

PROCESS ffffd28f51377540
    SessionId: 0  Cid: 03c8    Peb: bcb8de4000  ParentCid: 024c
    DirBase: 114313000  ObjectTable: ffffe58ebfe14000  HandleCount: <Data Not Accessible>
    Image: svchost.exe

PROCESS ffffd28f50cc2800
    SessionId: 0  Cid: 03d4    Peb: 27fad70000  ParentCid: 024c
    DirBase: 1144bf000  ObjectTable: ffffe58ebfe0a000  HandleCount: <Data Not Accessible>
    Image: svchost.exe

PROCESS ffffd28f51381340
    SessionId: 0  Cid: 03f4    Peb: 35bc1fa000  ParentCid: 024c
    DirBase: 11494c000  ObjectTable: ffffe58ebfe37000  HandleCount: <Data Not Accessible>
    Image: svchost.exe

PROCESS ffffd28f4f6a3780
    SessionId: 0  Cid: 02b8    Peb: 1764ad2000  ParentCid: 024c
    DirBase: 10e575000  ObjectTable: ffffe58ebfee8000  HandleCount: <Data Not Accessible>
    Image: svchost.exe

PROCESS ffffd28f50bf9540
    SessionId: 0  Cid: 02d0    Peb: 459bbf8000  ParentCid: 024c
    DirBase: 117043000  ObjectTable: ffffe58ebfef8000  HandleCount: <Data Not Accessible>
    Image: svchost.exe

PROCESS ffffd28f4f7253c0
    SessionId: 0  Cid: 046c    Peb: 82479c000  ParentCid: 024c
    DirBase: 117fe5000  ObjectTable: ffffe58ebff1d000  HandleCount: <Data Not Accessible>
    Image: svchost.exe

PROCESS ffffd28f50cb6800
    SessionId: 0  Cid: 047c    Peb: 34fab21000  ParentCid: 024c
    DirBase: 11801e000  ObjectTable: ffffe58ebff20000  HandleCount: <Data Not Accessible>
    Image: svchost.exe

PROCESS ffffd28f5107f800
    SessionId: 0  Cid: 0614    Peb: e769f6000  ParentCid: 024c
    DirBase: 119f80000  ObjectTable: ffffe58ec0160000  HandleCount: <Data Not Accessible>
    Image: spoolsv.exe

PROCESS ffffd28f51076800
    SessionId: 0  Cid: 0670    Peb: e2b513e000  ParentCid: 02b8
    DirBase: 11b400000  ObjectTable: ffffe58ec01ea000  HandleCount: <Data Not Accessible>
    Image: CompatTelRunner.exe

PROCESS ffffd28f51074800
    SessionId: 0  Cid: 067c    Peb: b02495b000  ParentCid: 024c
    DirBase: 11b325000  ObjectTable: ffffe58ec01d6000  HandleCount: <Data Not Accessible>
    Image: svchost.exe

PROCESS ffffd28f5106e740
    SessionId: 0  Cid: 06b4    Peb: f9bb7cb000  ParentCid: 0670
    DirBase: 11c4ba000  ObjectTable: ffffe58ec0216000  HandleCount: <Data Not Accessible>
    Image: conhost.exe

PROCESS ffffd28f5106c800
    SessionId: 0  Cid: 06bc    Peb: c3452e8000  ParentCid: 024c
    DirBase: 11bd45000  ObjectTable: ffffe58ec021c000  HandleCount: <Data Not Accessible>
    Image: svchost.exe

PROCESS ffffd28f50e3e800
    SessionId: 0  Cid: 06d4    Peb: 4cc9088000  ParentCid: 024c
    DirBase: 11d047000  ObjectTable: ffffe58ec0247000  HandleCount: <Data Not Accessible>
    Image: svchost.exe

PROCESS ffffd28f50eeb540
    SessionId: 0  Cid: 06e0    Peb: 70261cb000  ParentCid: 024c
    DirBase: 11d5cf000  ObjectTable: ffffe58ec0278000  HandleCount: <Data Not Accessible>
    Image: VGAuthService.exe

PROCESS ffffd28f50e4e080
    SessionId: 0  Cid: 06f0    Peb: be9880d000  ParentCid: 024c
    DirBase: 11db80000  ObjectTable: ffffe58ec028a000  HandleCount: <Data Not Accessible>
    Image: vm3dservice.exe

PROCESS ffffd28f50e64800
    SessionId: 0  Cid: 06fc    Peb: a0349cf000  ParentCid: 024c
    DirBase: 11bc40000  ObjectTable: ffffe58ec0295000  HandleCount: <Data Not Accessible>
    Image: vmtoolsd.exe

PROCESS ffffd28f50e7a700
    SessionId: 0  Cid: 0738    Peb: f99d285000  ParentCid: 024c
    DirBase: 11c973000  ObjectTable: ffffe58ec02ab000  HandleCount: <Data Not Accessible>
    Image: MsMpEng.exe

PROCESS ffffd28f50ea0300
    SessionId: 0  Cid: 0748    Peb: 866352000  ParentCid: 024c
    DirBase: 11bf4e000  ObjectTable: ffffe58ec02ae000  HandleCount: <Data Not Accessible>
    Image: wlms.exe

PROCESS ffffd28f4f8d8800
    SessionId: 0  Cid: 0964    Peb: 68829b6000  ParentCid: 024c
    DirBase: 122a80000  ObjectTable: ffffe58ec0704000  HandleCount: <Data Not Accessible>
    Image: dllhost.exe

PROCESS ffffd28f51701080
    SessionId: 0  Cid: 09dc    Peb: 5217b4f000  ParentCid: 02a8
    DirBase: 124979000  ObjectTable: ffffe58ec07b4000  HandleCount: <Data Not Accessible>
    Image: WmiPrvSE.exe

PROCESS ffffd28f5162d800
    SessionId: 0  Cid: 0a10    Peb: 3f62162000  ParentCid: 024c
    DirBase: 125da7000  ObjectTable: ffffe58ec07e0000  HandleCount: <Data Not Accessible>
    Image: msdtc.exe

PROCESS ffffd28f51a85800
    SessionId: 0  Cid: 0ebc    Peb: c7bed07000  ParentCid: 02a8
    DirBase: 08dfa000  ObjectTable: ffffe58ec113e000  HandleCount: <Data Not Accessible>
    Image: WmiPrvSE.exe

PROCESS ffffd28f50e9e4c0
    SessionId: 0  Cid: 037c    Peb: b29c0fb000  ParentCid: 024c
    DirBase: 2c07f000  ObjectTable: ffffe58ec7d4f000  HandleCount: <Data Not Accessible>
    Image: svchost.exe

PROCESS ffffd28f52bf8800
    SessionId: 0  Cid: 07cc    Peb: f5e82de000  ParentCid: 024c
    DirBase: b462f000  ObjectTable: ffffe58ec650e000  HandleCount: <Data Not Accessible>
    Image: svchost.exe

PROCESS ffffd28f530c0800
    SessionId: 0  Cid: 08f8    Peb: bdc6d2e000  ParentCid: 024c
    DirBase: b290e000  ObjectTable: ffffe58ec6d31000  HandleCount: <Data Not Accessible>
    Image: TrustedInstaller.exe

PROCESS ffffd28f53101800
    SessionId: 0  Cid: 0868    Peb: 9836819000  ParentCid: 02a8
    DirBase: b2664000  ObjectTable: ffffe58ec6d36000  HandleCount: <Data Not Accessible>
    Image: TiWorker.exe
```

Inspect the `_MM_SESSION_SPACE` structure:

```
0: kd> dt nt!_MM_SESSION_SPACE ffffc100655e5000
   +0x000 ReferenceCount : 0n32
   +0x004 u : <unnamed-tag>
   +0x008 SessionId : 0
   +0x00c ProcessReferenceToSession : 0n33
   +0x010 ProcessList : _LIST_ENTRY [ 0xffffd28f`4fa21b40 - 0xffffd28f`53101b40 ]
   +0x020 SessionPageDirectoryIndex : 0x10db45
   +0x028 NonPagablePages : 0x26
   +0x030 CommittedPages : 0x36f
   +0x038 PagedPoolStart : 0xffffa207`c0000000 Void
   +0x040 PagedPoolEnd : 0xffffa227`bfffffff Void
   +0x048 SessionObject : 0xffffd28f`509d6690 Void
   +0x050 SessionObjectHandle : 0xffffffff`8000029c Void
   +0x058 SessionPoolAllocationFailures : [4] 0
   +0x068 ImageTree : _RTL_AVL_TREE
   +0x070 LocaleId : 0x409
   +0x074 AttachCount : 0
   +0x078 AttachGate : _KGATE
   +0x090 WsListEntry : _LIST_ENTRY [ 0xffffc100`6464d090 - 0xfffff800`6cbb96d0 ]
   +0x0a0 WsTreeEntry : _RTL_BALANCED_NODE
   +0x0c0 Lookaside : [21] _GENERAL_LOOKASIDE
   +0xb40 Session : _MMSESSION
   +0xb60 PagedPoolInfo : _MM_PAGED_POOL_INFO
   +0xbc0 Vm : _MMSUPPORT_FULL
   +0xd00 AggregateSessionWs : _MMSUPPORT_AGGREGATION
   +0xd20 DriverUnload : _MI_SESSION_DRIVER_UNLOAD
   +0xd40 PagedPool : _POOL_DESCRIPTOR
   +0x1e80 PageDirectory : _MMPTE
   +0x1e88 SessionVaLock : _EX_PUSH_LOCK
   +0x1e90 DynamicVaBitMap : _RTL_BITMAP
   +0x1ea0 DynamicVaHint : 0x10
   +0x1ea8 SpecialPool : _MI_SPECIAL_POOL
   +0x1ef8 SessionPteLock : _EX_PUSH_LOCK
   +0x1f00 PoolBigEntriesInUse : 0n141
   +0x1f04 PagedPoolPdeCount : 2
   +0x1f08 SpecialPoolPdeCount : 0
   +0x1f0c DynamicSessionPdeCount : 0x10
   +0x1f10 SystemPteInfo : _MI_SYSTEM_PTE_TYPE
   +0x1f78 PoolTrackTableExpansion : (null)
   +0x1f80 PoolTrackTableExpansionSize : 0
   +0x1f88 PoolTrackBigPages : 0xffffd28f`506d2000 Void
   +0x1f90 PoolTrackBigPagesSize : 0x200
   +0x1f98 IoState : 4 ( IoSessionStateDisconnected )
   +0x1f9c IoStateSequence : 3
   +0x1fa0 IoNotificationEvent : _KEVENT
   +0x1fb8 ServerSilo : (null)
   +0x1fc0 CreateTime : 0x8f2b4ae
   +0x2000 PoolTags : [8192] "--- memory read error at address 0xffffc100`655e7000 ---"
```

* `PagedPoolStart` ~ `PagedPoolEnd` is the session space of this session

After switching to the session, the session space can be read:

```
0: kd> !session -s 0
Sessions on machine: 2
Implicit process is now ffffd28f`4fa21800
.cache forcedecodeptes done
Using session 0l
0: kd> dq NtUserDestroyMenu
ffffa238`39120b70 8b4820ec`83485340 c9330000`0001bad9
ffffa238`39120b80 8d480023`37da15ff fff4884c`e838244c
ffffa238`39120b90 23225f15`ffcb8b48 8548c88b`48db3300
ffffa238`39120ba0 40a82840`8b0e74c0 8bfff6cc`31e80775
ffffa238`39120bb0 bde83824`4c8d48d8 2337a715`fffff489
ffffa238`39120bc0 20c48348`c3634800 cccccccc`ccccc35b
ffffa238`39120bd0 74894808`245c8948 4118247c`89481024
ffffa238`39120be0 000000b0`ec814856 f28bf88b`49f18b45
```

Ref: https://www.debugging.tv/Frames/0x28/Episode-0x28-WinDbg-log.txt

## SOS (.NET)

### loading

1. load DAC: `.cordll -ve -u -l`
2. load sos
    * `.loadby sos clr` (for version 4.0 of the CLR)
    * If clr.dll has not been loaded yet, use `sxe ld:clr` first to break when clr.dll is loaded

    ```
    0:000> .loadby sos clr
    Unable to find module 'clr'
    0:000> sxe ld:clr
    0:000> g
    ModLoad: 00007fff`84860000 00007fff`8490e000   C:\Windows\System32\ADVAPI32.dll
    ModLoad: 00007fff`85540000 00007fff`855de000   C:\Windows\System32\msvcrt.dll
    ModLoad: 00007fff`84270000 00007fff`8430c000   C:\Windows\System32\sechost.dll
    ModLoad: 00007fff`83b00000 00007fff`83c25000   C:\Windows\System32\RPCRT4.dll
    ModLoad: 00007fff`61d30000 00007fff`61dda000   C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll
    ModLoad: 00007fff`854e0000 00007fff`85535000   C:\Windows\System32\SHLWAPI.dll
    ModLoad: 00007fff`80eb0000 00007fff`80ec2000   C:\Windows\SYSTEM32\kernel.appcore.dll
    ModLoad: 00007fff`7c210000 00007fff`7c21a000   C:\Windows\SYSTEM32\VERSION.dll
    ModLoad: 00007fff`56530000 00007fff`57065000   C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll
    ntdll!ZwMapViewOfSection+0x14:
    00007fff`8590d444 c3              ret
    0:000> !token2ee
    No export token2ee found
    0:000> .loadby sos clr
    0:000> !token2ee
    ************* Symbol Loading Error Summary **************
    Module name            Error
    clr                    The system cannot find the file specified

    You can troubleshoot most symbol related issues by turning on symbol loading diagnostics (!sym noisy) and repeating the command that caused symbols to be loaded.
    You should also verify that your symbol search path (.sympath) is correct.
    PDB symbol for clr.dll not loaded
    CLRDLL: Loaded DLL C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordacwks.dll
    Automatically loaded SOS Extension
    Usage: !Token2EE module_name mdToken
    You can pass * for module_name to search all modules.
    ```

    * `.loadby sos mscorwks` (for version 1.0 or 2.0 of the CLR)

### bpmd

```
0:006> !bpmd mscorlib.dll System.Reflection.Emit.DynamicILInfo.GetTokenFor
Found 8 methods in module 00007ff813eb1000...
MethodDesc = 00007ff814288ca8
MethodDesc = 00007ff814288cb8
MethodDesc = 00007ff814288cc8
MethodDesc = 00007ff814288cd8
MethodDesc = 00007ff814288ce8
MethodDesc = 00007ff814288cf8
MethodDesc = 00007ff814288d08
MethodDesc = 00007ff814288d18
Setting breakpoint: bp 00007FF814D990A0 [System.Reflection.Emit.DynamicILInfo.GetTokenFor(Byte[])]
Setting breakpoint: bp 00007FF814D99080 [System.Reflection.Emit.DynamicILInfo.GetTokenFor(System.String)]
Setting breakpoint: bp 00007FF814D99060 [System.Reflection.Emit.DynamicILInfo.GetTokenFor(System.RuntimeTypeHandle)]
Setting breakpoint: bp 00007FF814D99040 [System.Reflection.Emit.DynamicILInfo.GetTokenFor(System.RuntimeFieldHandle, System.RuntimeTypeHandle)]
Setting breakpoint: bp 00007FF814D99020 [System.Reflection.Emit.DynamicILInfo.GetTokenFor(System.RuntimeFieldHandle)]
Setting breakpoint: bp 00007FF814D99000 [System.Reflection.Emit.DynamicILInfo.GetTokenFor(System.RuntimeMethodHandle, System.RuntimeTypeHandle)]
Setting breakpoint: bp 00007FF814D98FE0 [System.Reflection.Emit.DynamicILInfo.GetTokenFor(System.Reflection.Emit.DynamicMethod)]
Setting breakpoint: bp 00007FF814D98FC0 [System.Reflection.Emit.DynamicILInfo.GetTokenFor(System.RuntimeMethodHandle)]
Adding pending breakpoints...
```

### token2ee

```
0:006> !token2ee mscorlib.dll 0x06004910
Module:      00007ff813eb1000
Assembly:    mscorlib.dll
Token:       0000000006004910
MethodDesc:  00007ff8141aafc0
Name:        System.Reflection.Emit.DynamicMethod..ctor(System.String, System.Type, System.Type[], System.Type, Boolean)
JITTED Code Address: 00007ff814d99450
```

In this example, the address lies inside `C:\WINDOWS\assembly\NativeImages_v4.0.30319_64\mscorlib\3b9003e4f27d92e40668f0efad11e022\mscorlib.ni.dll`:

```
0:006> !address 00007ff814d99450
Mapping file section regions...
Mapping module regions...
Mapping PEB regions...
Mapping TEB and stack regions...
Mapping heap regions...
Mapping page heap regions...
Mapping other regions...
Mapping stack trace database regions...
Mapping activation context regions...

Usage:                  Image
Base Address:           00007ff8`143a4000
End Address:            00007ff8`153dd000
Region Size:            00000000`01039000 (  16.223 MB)
State:                  00001000          MEM_COMMIT
Protect:                00000020          PAGE_EXECUTE_READ
Type:                   01000000          MEM_IMAGE
Allocation Base:        00007ff8`13eb0000
Allocation Protect:     00000080          PAGE_EXECUTE_WRITECOPY
Image Path:             C:\WINDOWS\assembly\NativeImages_v4.0.30319_64\mscorlib\3b9003e4f27d92e40668f0efad11e022\mscorlib.ni.dll
Module Name:            mscorlib_ni
Loaded Image Name:      C:\WINDOWS\assembly\NativeImages_v4.0.30319_64\mscorlib\3b9003e4f27d92e40668f0efad11e022\mscorlib.ni.dll
Mapped Image Name:
More info:              lmv m mscorlib_ni
More info:              !lmi mscorlib_ni
More info:              ln 0x7ff814d99450
More info:              !dh 0x7ff813eb0000

Content source: 1 (target), length: 643bb0
```

### sxe clr

Catch exception:

```
0:000> sxe clr
0:000> g
ModLoad: 00007ff8`11580000 00007ff8`116af000   C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clrjit.dll
ModLoad: 00007ff8`21760000 00007ff8`218fc000   C:\WINDOWS\System32\ole32.dll
ModLoad: 00007ff8`202a0000 00007ff8`2031b000   C:\WINDOWS\System32\bcryptPrimitives.dll
ModLoad: 00000272`b4b50000 00000272`b4b58000   image00000272`b4b50000
ModLoad: 00000272`b4b60000 00000272`b4b68000   image00000272`b4b60000
Breakpoint 1 hit
mscorlib_ni+0x579595:
00007ff8`14429595 488b05dcfbd5ff  mov     rax,qword ptr [mscorlib_ni+0x2d9178 (00007ff8`14189178)] ds:00007ff8`14189178=00007ff8144295a0
0:000> g
(88fc.6fe4): CLR exception - code e0434352 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
KERNELBASE!RaiseException+0x6c:
00007ff8`207f051c 0f1f440000      nop     dword ptr [rax+rax]
0:000> !CLRStack
OS Thread Id: 0x6fe4 (0)
        Child SP               IP Call Site
000000ca6713eab8 00007ff8207f051c [HelperMethodFrame: 000000ca6713eab8]
000000ca6713eba0 00007ff81518772a System.Runtime.InteropServices.Marshal.GetDelegateForFunctionPointer(IntPtr, System.Type) [f:\dd\ndp\clr\src\BCL\system\runtime\interopservices\marshal.cs @ 2607]
000000ca6713edf0 00007ff8158d12c3 [DebuggerU2MCatchHandlerFrame: 000000ca6713edf0]
000000ca6713f068 00007ff8158d12c3 [HelperMethodFrame_PROTECTOBJ: 000000ca6713f068] System.RuntimeMethodHandle.InvokeMethod(System.Object, System.Object[], System.Signature, Boolean)
000000ca6713f1e0 00007ff81441bd18 System.Reflection.RuntimeMethodInfo.UnsafeInvokeInternal(System.Object, System.Object[], System.Object[]) [f:\dd\ndp\clr\src\BCL\system\reflection\methodinfo.cs @ 761]
000000ca6713f240 00007ff8143f77c6 System.Reflection.RuntimeMethodInfo.Invoke(System.Object, System.Reflection.BindingFlags, System.Reflection.Binder, System.Object[], System.Globalization.CultureInfo) [f:\dd\ndp\clr\src\BCL\system\reflection\methodinfo.cs @ 735]
000000ca6713f2c0 00007ff814417c92 System.Reflection.MethodBase.Invoke(System.Object, System.Object[]) [f:\dd\ndp\clr\src\BCL\system\reflection\methodbase.cs @ 211]
000000ca6713f300 00007ff814b433ee DomainNeutralILStubClass.IL_STUB_COMtoCLR(System.StubHelpers.NativeVariant, IntPtr, IntPtr)
000000ca6713f4f0 00007ff8158d14a9 [ComMethodFrame: 000000ca6713f4f0]
0:000> !PrintException
Exception object: 00000272b6565460
Exception type:   System.ArgumentNullException
Message:          Value cannot be null.
InnerException:   <none>
StackTrace (generated):
    <none>
StackTraceString: <none>
HResult: 80004003
0:000>
```

## switch mode

```
!wow64exts.sw
```

### Some point

* nt!KiSystemCall64
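For the `!sprocess` listing in the session-space section above, here is an added helper (not part of the original notes) that parses a saved `.logopen` transcript of that command into a process table, walks each process's parent chain and reports entries whose `ParentCid` is not in the listing, which is where triage of a kernel dump usually starts. The sample input is a constructed excerpt of that listing; the `Process` class and function names are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: four records copied from the `!sprocess 0` listing
# above (the other 28 are omitted), as they appear in a WinDbg log file.
SAMPLE = """\
0: kd> !sprocess 0
Dumping Session 0
_MM_SESSION_SPACE ffffc100655e5000
PROCESS ffffd28f4fa20080
    SessionId: 0  Cid: 01c8    Peb: 1003c0000  ParentCid: 0160
    DirBase: 10e82e000  ObjectTable: ffffe58eb9ade000  HandleCount: <Data Not Accessible>
    Image: wininit.exe
PROCESS ffffd28f51294080
    SessionId: 0  Cid: 024c    Peb: df887d6000  ParentCid: 01c8
    DirBase: 10ff80000  ObjectTable: ffffe58eb9b76000  HandleCount: <Data Not Accessible>
    Image: services.exe
PROCESS ffffd28f4f95f800
    SessionId: 0  Cid: 02a8    Peb: d014afb000  ParentCid: 024c
    DirBase: 111399000  ObjectTable: ffffe58ebfbe1000  HandleCount: <Data Not Accessible>
    Image: svchost.exe
PROCESS ffffd28f51701080
    SessionId: 0  Cid: 09dc    Peb: 5217b4f000  ParentCid: 02a8
    DirBase: 124979000  ObjectTable: ffffe58ec07b4000  HandleCount: <Data Not Accessible>
    Image: WmiPrvSE.exe
"""

@dataclass
class Process:
    eprocess: str      # EPROCESS address printed after "PROCESS"
    session: int
    cid: int           # PID
    parent_cid: int    # PPID at creation time; the parent may already be gone
    image: str

# One PROCESS record. \s+ between fields also accepts records that a log
# viewer wrapped or that were flattened onto one line (as on this page).
_REC = re.compile(
    r"PROCESS\s+([0-9a-f]+)\s+SessionId:\s*(\d+)\s+Cid:\s*([0-9a-f]+)\s+"
    r"Peb:\s*[0-9a-f]+\s+ParentCid:\s*([0-9a-f]+)\s+DirBase:\s*[0-9a-f]+\s+"
    r"ObjectTable:\s*[0-9a-f]+\s+HandleCount:\s*(?:<[^>]*>|\S+)\s+Image:\s*(\S+)",
    re.IGNORECASE)

def parse_sprocess(text: str) -> Tuple[Optional[str], Dict[int, Process]]:
    """Return the _MM_SESSION_SPACE address and the processes keyed by Cid."""
    m = re.search(r"_MM_SESSION_SPACE\s+([0-9a-f]+)", text, re.IGNORECASE)
    procs: Dict[int, Process] = {}
    for ep, sid, cid, pcid, image in _REC.findall(text):
        procs[int(cid, 16)] = Process(ep, int(sid), int(cid, 16), int(pcid, 16), image)
    return (m.group(1) if m else None), procs

def parent_chain(procs: Dict[int, Process], cid: int) -> List[str]:
    """Image names from `cid` up to the last ancestor present in the listing."""
    chain: List[str] = []
    seen = set()
    while cid in procs and cid not in seen:   # `seen` guards against a Cid cycle
        seen.add(cid)
        chain.append(procs[cid].image)
        cid = procs[cid].parent_cid
    return chain

def unresolved_parents(procs: Dict[int, Process]) -> List[Tuple[int, int]]:
    """(Cid, ParentCid) pairs whose parent is not in this session's listing."""
    return sorted((p.cid, p.parent_cid) for p in procs.values()
                  if p.parent_cid not in procs)
```

An unresolved parent is expected for the children of smss.exe (Cid 0160 here), since it is not listed under the session; anything else on that list deserves a second look.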