WinDbg usage notes, N+1
This post was last edited by 元始天尊 on 2015-2-1 09:33.
On a whim today I started looking at fastdns, the DNS accelerator written by 张慧星, to work out how it is implemented. At first I assumed it used some DNS API or other. I spent the whole day on it; on top of that I came back from skiing yesterday with an aching back and was working very inefficiently, so it took a full day in WinDbg just to get a rough picture. Had the software been written in VC instead of Borland I would have had a much easier time of it: Borland has so many library functions and object wrappers that it is genuinely hard to work through. So far there are two results:
1. The DNS speed-test part of the software uses the WSP* family of functions in mswsock.dll.
2. How to obtain a record of API calls with WinDbg.
For a single DLL, e.g. to trace calls to the WSP* exports of mswsock.dll, you can use bm mswsock!*WSP* "kc1;gc"; the result looks like this:
MSWSOCK!WSPSetSockOpt
MSWSOCK!WSPSendTo
MSWSOCK!WSPBind
MSWSOCK!WSPSelect
MSWSOCK!WSPRecvFrom
KERNEL32!GetCurrentProcess
MSWSOCK!WSPSocket
MSWSOCK!WSPShutdown
MSWSOCK!WSPCloseSocket
MSWSOCK!WSPSetSockOpt
MSWSOCK!WSPSendTo
MSWSOCK!WSPBind
MSWSOCK!WSPSelect
MSWSOCK!WSPRecvFrom
MSWSOCK!WSPRecvFrom
MSWSOCK!WSPSendTo
MSWSOCK!WSPSendTo
MSWSOCK!WSPSelect
MSWSOCK!WSPSelect
...
To extend this to every loaded DLL, the natural tool is the x command combined with a .foreach loop.
I offer three ways of doing it:
bm * "kc1;g"
.foreach (addr {x /0 /D /f *!*}) {bp ${addr} "kc1;g"}
.foreach (addr {.foreach (mod {lm 1m}) {x /0 /D /f ${mod}!*}}) {bp addr "kc1;g"}
After a good while you will find that breakpoints have been placed on every API and symbol; each time one is reached execution does not stop, the function is simply printed.
Generally I don't recommend doing this; rather, pick a few key DLLs and set the breakpoints as described above.
PS: The findings in this post are entirely my own research, with nothing copied from anywhere. Some of the articles on this forum are, frankly... someone else has already written it, so what is the point of copying it over? What do you think you have created? Fooled some beginners? Or wasted time? Second, speaking for myself, if I didn't write something I cite the source. A lot of people still lack ideas of their own and learn mechanically. Others go in for flashy stuff; things ought to have practical value. I have yet to find a programmer here of genuine "guru" calibre; restlessness and showing off are the common ailments of programmers, and I hope everyone will correct them where they apply. That goes for me and the people I know too.
Thinking back, three months ago I was still grinding miserably through data structures and algorithms, studying quietly on my own. Even though a lot of it was new to me, the forum still carries plenty of traces of my innovation: nearly every one of my articles has an original point of its own (my weakness is that I don't read many other people's articles, so I sometimes duplicate others' research or make mistakes). Mistakes yes, but highlights too. Now look at the recent posts: do you all enjoy laying out a pile of stuff that looks perfect but has in fact all been studied by others and has nothing left to research, just so people will take you for a guru? If you think I'm right, give me a like; if it hurt your pride, pretend I said nothing. OK.

This post was last edited by 元始天尊 on 2015-2-1 22:29.
Continuing from the above: now that fastdns's API call sequence during speed testing is known, the call stack shows that it is in fact still calling functions in ws2_32, as follows:
WS2_32!socket
WS2_32!setsockopt
WS2_32!htons
WS2_32!sendto
WS2_32!select
WS2_32!shutdown
WS2_32!closesocket
For each function I wrote a corresponding command to print more useful information (super powerful ^_^, and usable on other software too):
bp WS2_32!socket "~.;.printf \"socket: af=%d type=%d protocol=%d \",poi(esp+4),poi(esp+8),poi(esp+0x0C);gu;.printf \"socket=%d\\n\",eax;gc"
bp WS2_32!setsockopt "~.;.printf \"setsockopt: socket=%d level=%d optname=%d optval=%d optlen=%d\\n\",poi(esp+4),poi(esp+8),poi(esp+0x0c),poi(poi(esp+0x10)),poi(esp+0x14);gc"
bp WS2_32!htons "~.;.printf \"htons: port=%d\\n\",poi(esp+4)&0xffff;gc"
bp WS2_32!sendto "~.;r $t0=poi(poi(esp+0x14)+4);.printf \"sendto: socket=%d ip=%d.%d.%d.%d:%d send=\\n\",poi(esp+4),$t0&0xff,($t0>>8)&0xff,($t0>>0x10)&0xff,($t0>>0x18)&0xff,poi(poi(esp+0x14)+2)&0xffff;db poi(esp+8) lpoi(esp+0x0C);gc"
bp WS2_32!select "~.;.printf \"select: socket=%d timeout=%d.%ds\\n\",poi(poi(esp+8)+4),poi(poi(esp+0x14)),poi(poi(esp+0x14)+4);gc"
bp WS2_32!shutdown "~.;.printf \"shutdown: socket=%d how=%d\\n\",poi(esp+4),poi(esp+8);gc"
bp WS2_32!closesocket "~.;.printf \"closesocket: socket=%d\\n\",poi(esp+4);gc"
The run gave the following output:
Create thread 1:2b48
.  1  Id: 31f8.2b48 Suspend: 1 Teb: 7ffda000 Unfrozen
      Start: *** WARNING: Unable to verify checksum for FastDNS.exe
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for FastDNS.exe - 
FastDNS!Rtflabelinitialization$qqrv+0x25458 (0043d310)
      Priority: 0  Priority class: 32  Affinity: f
socket: af=2 type=2 protocol=0 socket=976
.  1  Id: 31f8.2b48 Suspend: 1 Teb: 7ffda000 Unfrozen
      Start: FastDNS!Rtflabelinitialization$qqrv+0x25458 (0043d310)
      Priority: 0  Priority class: 32  Affinity: f
setsockopt: socket=976 level=65535 optname=32 optval=0 optlen=4
.  1  Id: 31f8.2b48 Suspend: 1 Teb: 7ffda000 Unfrozen
      Start: FastDNS!Rtflabelinitialization$qqrv+0x25458 (0043d310)
      Priority: 0  Priority class: 32  Affinity: f
WS2_32!htons
.  1  Id: 31f8.2b48 Suspend: 1 Teb: 7ffda000 Unfrozen
      Start: FastDNS!Rtflabelinitialization$qqrv+0x25458 (0043d310)
      Priority: 0  Priority class: 32  Affinity: f
sendto: socket=976 ip=4.2.2.1:13568 send=
01c284b0  11 a9 01 00 00 01 00 00-00 00 00 00 03 77 77 77  .............www
01c284c0  09 6d 69 63 72 6f 73 6f-66 74 03 63 6f 6d 00 00  .microsoft.com..
01c284d0  01 00 01                                         ...
.  1  Id: 31f8.2b48 Suspend: 1 Teb: 7ffda000 Unfrozen
      Start: FastDNS!Rtflabelinitialization$qqrv+0x25458 (0043d310)
      Priority: 0  Priority class: 32  Affinity: f
WS2_32!htons
.  1  Id: 31f8.2b48 Suspend: 1 Teb: 7ffda000 Unfrozen
      Start: FastDNS!Rtflabelinitialization$qqrv+0x25458 (0043d310)
      Priority: 0  Priority class: 32  Affinity: f
select: socket=976 timeout=2.0s
.  1  Id: 31f8.2b48 Suspend: 1 Teb: 7ffda000 Unfrozen
      Start: FastDNS!Rtflabelinitialization$qqrv+0x25458 (0043d310)
      Priority: 0  Priority class: 32  Affinity: f
WS2_32!htons
Create thread 5:17b8
.  5  Id: 31f8.17b8 Suspend: 1 Teb: 7fe99000 Unfrozen
      Start: FastDNS!Rtflabelinitialization$qqrv+0x25458 (0043d310)
      Priority: 0  Priority class: 32  Affinity: f
socket: af=2 type=2 protocol=0 .  1  Id: 31f8.2b48 Suspend: 1 Teb: 7ffda000 Unfrozen
      Start: FastDNS!Rtflabelinitialization$qqrv+0x25458 (0043d310)
      Priority: 0  Priority class: 32  Affinity: f
shutdown: socket=976 how=1
.  1  Id: 31f8.2b48 Suspend: 1 Teb: 7ffda000 Unfrozen
      Start: FastDNS!Rtflabelinitialization$qqrv+0x25458 (0043d310)
      Priority: 0  Priority class: 32  Affinity: f
closesocket: socket=976
socket=924
.  5  Id: 31f8.17b8 Suspend: 1 Teb: 7fe99000 Unfrozen
      Start: FastDNS!Rtflabelinitialization$qqrv+0x25458 (0043d310)
      Priority: 0  Priority class: 32  Affinity: f
setsockopt: socket=924 level=65535 optname=32 optval=0 optlen=4
.  5  Id: 31f8.17b8 Suspend: 1 Teb: 7fe99000 Unfrozen
      Start: FastDNS!Rtflabelinitialization$qqrv+0x25458 (0043d310)
      Priority: 0  Priority class: 32  Affinity: f
WS2_32!htons
.  5  Id: 31f8.17b8 Suspend: 1 Teb: 7fe99000 Unfrozen
      Start: FastDNS!Rtflabelinitialization$qqrv+0x25458 (0043d310)
      Priority: 0  Priority class: 32  Affinity: f
sendto: socket=924 ip=4.2.2.2:13568 send=
01c28b38  20 d8 01 00 00 01 00 00-00 00 00 00 03 77 77 77   ............www
01c28b48  09 6d 69 63 72 6f 73 6f-66 74 03 63 6f 6d 00 00  .microsoft.com..
01c28b58  01 00 01                                         ...
.  5  Id: 31f8.17b8 Suspend: 1 Teb: 7fe99000 Unfrozen
      Start: FastDNS!Rtflabelinitialization$qqrv+0x25458 (0043d310)
      Priority: 0  Priority class: 32  Affinity: f
WS2_32!htons
.  5  Id: 31f8.17b8 Suspend: 1 Teb: 7fe99000 Unfrozen
      Start: FastDNS!Rtflabelinitialization$qqrv+0x25458 (0043d310)
      Priority: 0  Priority class: 32  Affinity: f
select: socket=924 timeout=2.0s
(31f8.17b8): Unknown exception - code 0eedfade (first chance)
Create thread 1:24ec
.  1  Id: 31f8.24ec Suspend: 1 Teb: 7ffda000 Unfrozen
      Start: FastDNS!Rtflabelinitialization$qqrv+0x25458 (0043d310)
      Priority: 0  Priority class: 32  Affinity: f
socket: af=2 type=2 protocol=0 .  5  Id: 31f8.17b8 Suspend: 1 Teb: 7fe99000 Unfrozen
      Start: FastDNS!Rtflabelinitialization$qqrv+0x25458 (0043d310)
      Priority: 0  Priority class: 32  Affinity: f
shutdown: socket=924 how=1
.  5  Id: 31f8.17b8 Suspend: 1 Teb: 7fe99000 Unfrozen
      Start: FastDNS!Rtflabelinitialization$qqrv+0x25458 (0043d310)
      Priority: 0  Priority class: 32  Affinity: f
closesocket: socket=924
socket=1020
.  1  Id: 31f8.24ec Suspend: 1 Teb: 7ffda000 Unfrozen
      Start: FastDNS!Rtflabelinitialization$qqrv+0x25458 (0043d310)
      Priority: 0  Priority class: 32  Affinity: f
setsockopt: socket=1020 level=65535 optname=32 optval=0 optlen=4
.  1  Id: 31f8.24ec Suspend: 1 Teb: 7ffda000 Unfrozen
      Start: FastDNS!Rtflabelinitialization$qqrv+0x25458 (0043d310)
      Priority: 0  Priority class: 32  Affinity: f
WS2_32!htons
.  1  Id: 31f8.24ec Suspend: 1 Teb: 7ffda000 Unfrozen
      Start: FastDNS!Rtflabelinitialization$qqrv+0x25458 (0043d310)
      Priority: 0  Priority class: 32  Affinity: f
sendto: socket=1020 ip=4.2.2.3:13568 send=
01c1d740  17 dd 01 00 00 01 00 00-00 00 00 00 03 77 77 77  .............www
01c1d750  09 6d 69 63 72 6f 73 6f-66 74 03 63 6f 6d 00 00  .microsoft.com..
01c1d760  01 00 01                                         ...
.  1  Id: 31f8.24ec Suspend: 1 Teb: 7ffda000 Unfrozen
      Start: FastDNS!Rtflabelinitialization$qqrv+0x25458 (0043d310)
      Priority: 0  Priority class: 32  Affinity: f
WS2_32!htons
.  1  Id: 31f8.24ec Suspend: 1 Teb: 7ffda000 Unfrozen
      Start: FastDNS!Rtflabelinitialization$qqrv+0x25458 (0043d310)
      Priority: 0  Priority class: 32  Affinity: f
select: socket=1020 timeout=2.0s
.  1  Id: 31f8.24ec Suspend: 1 Teb: 7ffda000 Unfrozen
      Start: FastDNS!Rtflabelinitialization$qqrv+0x25458 (0043d310)
      Priority: 0  Priority class: 32  Affinity: f
WS2_32!htons
Create thread 5:3b0
.  5  Id: 31f8.3b0 Suspend: 1 Teb: 7fe99000 Unfrozen
      Start: FastDNS!Rtflabelinitialization$qqrv+0x25458 (0043d310)
      Priority: 0  Priority class: 32  Affinity: f
socket: af=2 type=2 protocol=0 socket=516
.  5  Id: 31f8.3b0 Suspend: 1 Teb: 7fe99000 Unfrozen
      Start: FastDNS!Rtflabelinitialization$qqrv+0x25458 (0043d310)
      Priority: 0  Priority class: 32  Affinity: f
setsockopt: socket=516 level=65535 optname=32 optval=0 optlen=4
.  5  Id: 31f8.3b0 Suspend: 1 Teb: 7fe99000 Unfrozen
      Start: FastDNS!Rtflabelinitialization$qqrv+0x25458 (0043d310)
      Priority: 0  Priority class: 32  Affinity: f
WS2_32!htons
.  5  Id: 31f8.3b0 Suspend: 1 Teb: 7fe99000 Unfrozen
      Start: FastDNS!Rtflabelinitialization$qqrv+0x25458 (0043d310)
      Priority: 0  Priority class: 32  Affinity: f
sendto: socket=516 ip=4.2.2.4:13568 send=
01c29614  4b 87 01 00 00 01 00 00-00 00 00 00 03 77 77 77  K............www
01c29624  09 6d 69 63 72 6f 73 6f-66 74 03 63 6f 6d 00 00  .microsoft.com..
01c29634  01 00 01                                         ...
.  5  Id: 31f8.3b0 Suspend: 1 Teb: 7fe99000 Unfrozen
      Start: FastDNS!Rtflabelinitialization$qqrv+0x25458 (0043d310)
      Priority: 0  Priority class: 32  Affinity: f
WS2_32!htons
.  1  Id: 31f8.24ec Suspend: 1 Teb: 7ffda000 Unfrozen
      Start: FastDNS!Rtflabelinitialization$qqrv+0x25458 (0043d310)
      Priority: 0  Priority class: 32  Affinity: f
shutdown: socket=1020 how=1
.  1  Id: 31f8.24ec Suspend: 1 Teb: 7ffda000 Unfrozen
      Start: FastDNS!Rtflabelinitialization$qqrv+0x25458 (0043d310)
      Priority: 0  Priority class: 32  Affinity: f
closesocket: socket=1020
.  5  Id: 31f8.3b0 Suspend: 1 Teb: 7fe99000 Unfrozen
      Start: FastDNS!Rtflabelinitialization$qqrv+0x25458 (0043d310)
      Priority: 0  Priority class: 32  Affinity: f
select: socket=516 timeout=2.0s
(31f8.3b0): Unknown exception - code 0eedfade (first chance)
Create thread 1:1f80
.  1  Id: 31f8.1f80 Suspend: 1 Teb: 7ffda000 Unfrozen
      Start: FastDNS!Rtflabelinitialization$qqrv+0x25458 (0043d310)
      Priority: 0  Priority class: 32  Affinity: f
socket: af=2 type=2 protocol=0 .  5  Id: 31f8.3b0 Suspend: 1 Teb: 7fe99000 Unfrozen
      Start: FastDNS!Rtflabelinitialization$qqrv+0x25458 (0043d310)
      Priority: 0  Priority class: 32  Affinity: f
shutdown: socket=516 how=1
.  5  Id: 31f8.3b0 Suspend: 1 Teb: 7fe99000 Unfrozen
      Start: FastDNS!Rtflabelinitialization$qqrv+0x25458 (0043d310)
      Priority: 0  Priority class: 32  Affinity: f
closesocket: socket=516
socket=1020
.  1  Id: 31f8.1f80 Suspend: 1 Teb: 7ffda000 Unfrozen
      Start: FastDNS!Rtflabelinitialization$qqrv+0x25458 (0043d310)
      Priority: 0  Priority class: 32  Affinity: f
setsockopt: socket=1020 level=65535 optname=32 optval=0 optlen=4
.  1  Id: 31f8.1f80 Suspend: 1 Teb: 7ffda000 Unfrozen
      Start: FastDNS!Rtflabelinitialization$qqrv+0x25458 (0043d310)
      Priority: 0  Priority class: 32  Affinity: f
WS2_32!htons
.  1  Id: 31f8.1f80 Suspend: 1 Teb: 7ffda000 Unfrozen
      Start: FastDNS!Rtflabelinitialization$qqrv+0x25458 (0043d310)
      Priority: 0  Priority class: 32  Affinity: f
sendto: socket=1020 ip=4.2.2.5:13568 send=
01c38304  66 79 01 00 00 01 00 00-00 00 00 00 03 77 77 77  fy...........www
01c38314  09 6d 69 63 72 6f 73 6f-66 74 03 63 6f 6d 00 00  .microsoft.com..
01c38324  01 00 01                                         ...
.  1  Id: 31f8.1f80 Suspend: 1 Teb: 7ffda000 Unfrozen
      Start: FastDNS!Rtflabelinitialization$qqrv+0x25458 (0043d310)
      Priority: 0  Priority class: 32  Affinity: f
WS2_32!htons
.  1  Id: 31f8.1f80 Suspend: 1 Teb: 7ffda000 Unfrozen
      Start: FastDNS!Rtflabelinitialization$qqrv+0x25458 (0043d310)
      Priority: 0  Priority class: 32  Affinity: f
select: socket=1020 timeout=2.0s
(31f8.1f80): Unknown exception - code 0eedfade (first chance)
Create thread 2:2ea0
.  2  Id: 31f8.2ea0 Suspend: 1 Teb: 7ffd7000 Unfrozen
      Start: FastDNS!Rtflabelinitialization$qqrv+0x25458 (0043d310)
      Priority: 0  Priority class: 32  Affinity: f
socket: af=2 type=2 protocol=0 socket=828
.  2  Id: 31f8.2ea0 Suspend: 1 Teb: 7ffd7000 Unfrozen
      Start: FastDNS!Rtflabelinitialization$qqrv+0x25458 (0043d310)
      Priority: 0  Priority class: 32  Affinity: f
setsockopt: socket=828 level=65535 optname=32 optval=0 optlen=4
.  1  Id: 31f8.1f80 Suspend: 1 Teb: 7ffda000 Unfrozen
      Start: FastDNS!Rtflabelinitialization$qqrv+0x25458 (0043d310)
      Priority: 0  Priority class: 32  Affinity: f
shutdown: socket=1020 how=1
.  1  Id: 31f8.1f80 Suspend: 1 Teb: 7ffda000 Unfrozen
      Start: FastDNS!Rtflabelinitialization$qqrv+0x25458 (0043d310)
      Priority: 0  Priority class: 32  Affinity: f
closesocket: socket=1020
.  2  Id: 31f8.2ea0 Suspend: 1 Teb: 7ffd7000 Unfrozen
      Start: FastDNS!Rtflabelinitialization$qqrv+0x25458 (0043d310)
      Priority: 0  Priority class: 32  Affinity: f
WS2_32!htons
.  2  Id: 31f8.2ea0 Suspend: 1 Teb: 7ffd7000 Unfrozen
      Start: FastDNS!Rtflabelinitialization$qqrv+0x25458 (0043d310)
      Priority: 0  Priority class: 32  Affinity: f
...
Analysing thread by thread, the API call sequence is as follows:
Thread 2b48:
socket
setsockopt
htons 53
sendto
select
recvfrom
htons 13568
shutdown
closesocket
sub_40970C and sub_40EA3C turn out to be the important functions; the flow can be worked out from them.
That's as far as the analysis goes today; I'll continue another time.
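The per-thread call sequence that the post assembles by hand from the output above can also be recovered mechanically. The Python below is an example added here; it is not part of the post and not FastDNS code. It parses trace lines of the shape the post's bp commands print (a `~.` thread header, then one "api: key=value" line, and for sendto the db hex dump), groups the calls by thread, pairs a socket() return value that came out later on a bare socket=N line with its call, converts the raw network-order port the trace prints (13568) back to 53, and decodes the DNS question from the dumped bytes. The trace embedded in the block is constructed for the example, modelled on the output above and trimmed to a few calls; the function names (`parse_trace`, `decode_dns_query`, `ntohs`, `api_sequence`) are this example's own.

```python
"""Rebuild per-thread Winsock call sequences from a WinDbg .printf trace (added example)."""
import re
import struct
from collections import defaultdict

# Constructed sample modelled on the post's output (trimmed to a few calls). It keeps
# two awkward cases a real trace shows: a socket() return printed later on a bare
# "socket=N" line, and a .printf without newline so the next `~.` header shares its line.
SAMPLE_TRACE = """\
.  1  Id: 31f8.2b48 Suspend: 1 Teb: 7ffda000 Unfrozen
socket: af=2 type=2 protocol=0 socket=976
.  1  Id: 31f8.2b48 Suspend: 1 Teb: 7ffda000 Unfrozen
setsockopt: socket=976 level=65535 optname=32 optval=0 optlen=4
.  1  Id: 31f8.2b48 Suspend: 1 Teb: 7ffda000 Unfrozen
htons: port=53
.  1  Id: 31f8.2b48 Suspend: 1 Teb: 7ffda000 Unfrozen
sendto: socket=976 ip=4.2.2.1:13568 send=
01c284b0  11 a9 01 00 00 01 00 00-00 00 00 00 03 77 77 77  .............www
01c284c0  09 6d 69 63 72 6f 73 6f-66 74 03 63 6f 6d 00 00  .microsoft.com..
01c284d0  01 00 01                                         ...
.  5  Id: 31f8.17b8 Suspend: 1 Teb: 7fe99000 Unfrozen
socket: af=2 type=2 protocol=0 .  1  Id: 31f8.2b48 Suspend: 1 Teb: 7ffda000 Unfrozen
shutdown: socket=976 how=1
.  1  Id: 31f8.2b48 Suspend: 1 Teb: 7ffda000 Unfrozen
closesocket: socket=976
socket=924
.  5  Id: 31f8.17b8 Suspend: 1 Teb: 7fe99000 Unfrozen
setsockopt: socket=924 level=65535 optname=32 optval=0 optlen=4
"""

# `\s*` after the thread number so headers with collapsed spacing (".1Id: ...") parse too.
THREAD_RE = re.compile(r"\.\s*\d+\s*Id:\s*[0-9a-fA-F]+\.([0-9a-fA-F]+)\s+Suspend")
EVENT_RE = re.compile(r"^(socket|setsockopt|htons|sendto|select|shutdown|closesocket):\s*(.*)$")
RETURN_RE = re.compile(r"^socket=(\d+)\s*$")                 # bare return value after gu
DB_RE = re.compile(r"^([0-9a-fA-F]{8})\s+((?:[0-9a-fA-F]{2}[ -])*[0-9a-fA-F]{2})")  # db line


def _parse_kv(text):
    """'af=2 ip=4.2.2.1:13568 send=' -> {'af': 2, 'ip': '4.2.2.1:13568', 'send': ''}."""
    return {k: int(v) if v.isdigit() else v for k, v in re.findall(r"(\w+)=(\S*)", text)}


def ntohs(v):
    """Undo the byte order of a 16-bit value the trace printed raw (13568 -> 53)."""
    return ((v & 0xff) << 8) | ((v >> 8) & 0xff)


def decode_dns_query(payload):
    """Header fields and the first question of a DNS query (queries use no compression)."""
    txid, flags, qdcount = struct.unpack("!3H", payload[:6])
    labels, pos = [], 12
    while payload[pos]:                       # walk length-prefixed labels up to the 0 byte
        n = payload[pos]
        labels.append(payload[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    qtype, qclass = struct.unpack("!HH", payload[pos + 1:pos + 5])
    return {"id": txid, "flags": flags, "qdcount": qdcount,
            "qname": ".".join(labels), "qtype": qtype, "qclass": qclass}


def parse_trace(text):
    """Group the trace's API calls by thread id: {tid: [event, ...]}."""
    calls, pending, current, last_sendto = defaultdict(list), [], None, None
    for line in text.splitlines():
        hdr = THREAD_RE.search(line)
        body = line[:hdr.start()] if hdr else line   # what was printed before any header
        ev = EVENT_RE.match(body)
        if ev and current is not None:
            api, args = ev.group(1), _parse_kv(ev.group(2))
            event = {"api": api, "args": args}
            if api == "socket":
                if "socket" in args:                  # return value on the same line
                    event["ret"] = args.pop("socket")
                else:                                 # return will show up on a bare line
                    pending.append(event)
            elif api == "sendto":
                ip, port = args["ip"].rsplit(":", 1)
                args["ip"], args["port"] = ip, ntohs(int(port))
                event["payload"], last_sendto = bytearray(), event
            calls[current].append(event)
        elif (m := RETURN_RE.match(body)) and pending:
            pending.pop(0)["ret"] = int(m.group(1))   # oldest unreturned socket() call
        elif (m := DB_RE.match(body)) and last_sendto is not None:
            last_sendto["payload"] += bytes.fromhex(m.group(2).replace("-", " "))
        if hdr:                                       # header applies to what follows it
            current = hdr.group(1)
    for e in (e for evs in calls.values() for e in evs):
        if e["api"] == "sendto" and len(e["payload"]) >= 12:
            e["dns"] = decode_dns_query(bytes(e["payload"]))
    return dict(calls)


def api_sequence(events):
    """Just the call names, the way the post lists them per thread."""
    return [e["api"] for e in events]


if __name__ == "__main__":
    for tid, events in parse_trace(SAMPLE_TRACE).items():
        print(f"thread {tid}: {' -> '.join(api_sequence(events))}")
```

Run stand-alone it prints one line per thread; the sendto events additionally carry the decoded question (transaction id 0x11a9, recursion-desired flag 0x0100, www.microsoft.com, type A, class IN) and the destination as 4.2.2.1:53, which is what the 13568 in the trace means once the bytes are swapped.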
A good method for debugging network programs.