How to set breakpoints on all exported functions of a DLL with WinDbg
This post was last edited by 元始天尊 on 2015-8-6 08:56
① lm to get the module base (base)
② Parse the export table: r@$t1=base+poi(base+poi(base+0x3c)+0x78)
$$ 0x3c = e_lfanew; NT headers + 0x78 = export DataDirectory RVA of a 32-bit image (0x88 on x64, where dwo() must replace poi() because the RVAs are 4 bytes wide)
③ Walk the exported functions: .for(r@$t2=0;@$t2<poi(@$t1+0x14);r@$t2=@$t2+1) {bp base+poi(base+poi(@$t1+0x1c)+4*@$t2)}
$$ +0x14 = NumberOfFunctions, the length of the AddressOfFunctions array at +0x1c (+0x18 is NumberOfNames, the length of the name arrays); unused slots (RVA 0) and forwarded exports still receive a bp here
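The same export-table walk done offline in Python, as an added example that is not part of the original post: it reads the PE structures at the offsets the one-liners above use, keeps the two caveats a breakpoint script must handle (empty slots with RVA 0 and forwarded exports, whose "address" points at a string inside the export directory), and also shows what goes wrong when the walk is bounded by NumberOfNames instead of NumberOfFunctions. The sample image, its export names and the module base are constructed for this example.

```python
import struct

# PE offsets the WinDbg one-liners rely on (from the PE file format, not from any library)
E_LFANEW = 0x3C                    # DOS header: offset of "PE\0\0"
OPT_HEADER = 0x18                  # IMAGE_NT_HEADERS: start of the OptionalHeader
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
EXPORT_DIR = {PE32_MAGIC: 0x78, PE32PLUS_MAGIC: 0x88}   # DataDirectory[0] relative to NT headers


def _cstr(image, off):
    """NUL-terminated ASCII string at a file/RVA offset."""
    return image[off:image.index(b"\0", off)].decode("ascii")


def parse_exports(image):
    """Walk IMAGE_EXPORT_DIRECTORY of a mapped image (offsets == RVAs).

    Returns one dict per used AddressOfFunctions slot: ordinal, name (None for
    ordinal-only exports), rva, and the forwarder string (None if not forwarded).
    """
    u16 = lambda off: struct.unpack_from("<H", image, off)[0]
    u32 = lambda off: struct.unpack_from("<I", image, off)[0]
    nt = u32(E_LFANEW)
    if image[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    dir_off = nt + EXPORT_DIR[u16(nt + OPT_HEADER)]      # magic selects 0x78 / 0x88
    exp_rva, exp_size = u32(dir_off), u32(dir_off + 4)
    if exp_rva == 0:
        return []                                        # module exports nothing
    base_ord = u32(exp_rva + 0x10)
    num_funcs = u32(exp_rva + 0x14)                      # length of AddressOfFunctions
    num_names = u32(exp_rva + 0x18)                      # length of the two name arrays
    funcs, names, ords = u32(exp_rva + 0x1C), u32(exp_rva + 0x20), u32(exp_rva + 0x24)
    # AddressOfNameOrdinals maps name index -> AddressOfFunctions index
    name_of = {u16(ords + 2 * i): _cstr(image, u32(names + 4 * i)) for i in range(num_names)}
    exports = []
    for i in range(num_funcs):
        rva = u32(funcs + 4 * i)
        if rva == 0:
            continue                                     # unused slot: no code to break on
        # An RVA inside the export directory is a forwarder string, not code
        fwd = _cstr(image, rva) if exp_rva <= rva < exp_rva + exp_size else None
        exports.append({"ordinal": base_ord + i, "name": name_of.get(i), "rva": rva, "forwarder": fwd})
    return exports


def breakpoint_commands(image, base):
    """bp lines for every export whose code actually lives in this module."""
    return ["bp 0x%x" % (base + e["rva"]) for e in parse_exports(image) if e["forwarder"] is None]


def naive_walk(image):
    """Pitfall: bounding the AddressOfFunctions walk with NumberOfNames (+0x18)."""
    u32 = lambda off: struct.unpack_from("<I", image, off)[0]
    nt = u32(E_LFANEW)
    exp_rva = u32(nt + EXPORT_DIR[struct.unpack_from("<H", image, nt + OPT_HEADER)[0]])
    return [u32(u32(exp_rva + 0x1C) + 4 * i) for i in range(u32(exp_rva + 0x18))]


def build_sample_image():
    """Constructed 32-bit image: three function slots, two names, one forwarder, one empty slot."""
    img = bytearray(0x300)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, E_LFANEW, 0x80)                 # e_lfanew
    struct.pack_into("<4sHH", img, 0x80, b"PE\0\0", 0x14C, 0)   # Signature, Machine (i386), NumberOfSections
    struct.pack_into("<H", img, 0x80 + 0x14, 0xE0)              # SizeOfOptionalHeader
    struct.pack_into("<H", img, 0x80 + OPT_HEADER, PE32_MAGIC)  # OptionalHeader.Magic
    struct.pack_into("<II", img, 0x80 + 0x78, 0x200, 0x80)      # export DataDirectory: RVA, size
    # IMAGE_EXPORT_DIRECTORY at RVA 0x200
    struct.pack_into("<I", img, 0x200 + 0x0C, 0x270)            # Name
    struct.pack_into("<IIIIII", img, 0x200 + 0x10, 1, 3, 2, 0x230, 0x240, 0x248)
    struct.pack_into("<III", img, 0x230, 0x1000, 0, 0x260)      # AddressOfFunctions: code, unused, forwarder
    struct.pack_into("<II", img, 0x240, 0x250, 0x256)           # AddressOfNames
    struct.pack_into("<HH", img, 0x248, 0, 2)                   # AddressOfNameOrdinals
    img[0x250:0x256] = b"Alpha\0"
    img[0x256:0x25B] = b"Beta\0"
    img[0x260:0x26D] = b"OTHER.Target\0"                        # forwarder string (inside the directory)
    img[0x270:0x27B] = b"SAMPLE.dll\0"
    return bytes(img)


if __name__ == "__main__":
    sample = build_sample_image()
    for e in parse_exports(sample):
        print(e)
    print(breakpoint_commands(sample, 0x10000000))
    print("NumberOfNames-bounded walk:", [hex(r) for r in naive_walk(sample)])
```

On the sample image the NumberOfNames-bounded walk visits slots 0 and 1 only: it would place a breakpoint at base+0 (the DOS header) for the unused slot and never reach slot 2. Bounding by NumberOfFunctions and skipping RVA 0 and forwarders yields exactly one usable `bp`.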
kd> ? nt!PsInitialSystemProcess
Evaluate expression: -2141867436 = 8055b254
kd> ? nt!PspInitialSystemProcessHandle
Evaluate expression: -2140730544 = 80670b50
_EPROCESS
+0x0c4 ObjectTable _HANDLE_TABLE
+0x190 ThreadListHead _LIST_ENTRY
_KPROCESS
+0x050 ThreadListHead _LIST_ENTRY
_HANDLE_TABLE
+0x01c HandleTableList _LIST_ENTRY
Walk all threads
!list -t nt!_LIST_ENTRY.Flink -x "dt nt!_KTHREAD @@(#CONTAINING_RECORD(@$extret,nt!_KTHREAD,ThreadListEntry))" poi(<EPROCESS address>+@@(#FIELD_OFFSET(nt!_KPROCESS,ThreadListHead)))
Enumerate handles
!list -t nt!_LIST_ENTRY.Flink -x "dt nt!_HANDLE_TABLE @@(#CONTAINING_RECORD(@$extret,nt!_HANDLE_TABLE,HandleTableList))" nt!HandleTableListHead
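The CONTAINING_RECORD / FIELD_OFFSET arithmetic behind both !list commands, as an added example that is not part of the original post: it walks an intrusive LIST_ENTRY ring in a constructed 32-bit memory image (KPROCESS.ThreadListHead at +0x50 as in the dt output above; the KTHREAD.ThreadListEntry offset, the base address and the thread addresses are constructed for this toy layout) and adds the cross-check a forensic walk should do, namely that every node's Flink.Blink points back at it, so a list that no longer round-trips is reported instead of silently trusted.

```python
import struct

PTR = 4                          # 32-bit kernel, matching the kd session above
BASE_VA = 0x80000000             # constructed: virtual address where the toy image starts
KPROCESS_THREADLISTHEAD = 0x50   # from the dt nt!_KPROCESS output in the post
KTHREAD_THREADLISTENTRY = 0x1B0  # constructed offset for this toy layout (FIELD_OFFSET)
THREAD_STRIDE = 0x1000           # constructed spacing between toy KTHREAD objects


def read_ptr(mem, va):
    return struct.unpack_from("<I", mem, va - BASE_VA)[0]


def write_ptr(mem, va, value):
    struct.pack_into("<I", mem, va - BASE_VA, value)


def containing_record(entry_va, field_offset):
    """CONTAINING_RECORD: address of the structure that embeds the LIST_ENTRY."""
    return entry_va - field_offset


def walk_list(mem, head_va):
    """Follow Flink from the head until it wraps back to the head; yield entry VAs.

    Stops on a NULL link and refuses cycles that bypass the head, so a corrupted
    list cannot spin forever.
    """
    va = read_ptr(mem, head_va)                     # head.Flink (LIST_ENTRY.Flink is at +0)
    seen = set()
    while va not in (0, head_va):
        if va in seen:
            raise ValueError("cycle not through head at 0x%x" % va)
        seen.add(va)
        yield va
        va = read_ptr(mem, va)


def enumerate_threads(mem, kprocess_va):
    """KTHREAD addresses reachable from KPROCESS.ThreadListHead (the first !list above)."""
    head = kprocess_va + KPROCESS_THREADLISTHEAD
    return [containing_record(e, KTHREAD_THREADLISTENTRY) for e in walk_list(mem, head)]


def check_links(mem, head_va):
    """Return entry VAs whose Blink does not point at the node that linked to them."""
    bad, prev = [], head_va
    for e in list(walk_list(mem, head_va)) + [head_va]:
        if read_ptr(mem, e + PTR) != prev:          # LIST_ENTRY.Blink is at +PTR
            bad.append(e)
        prev = e
    return bad


def build_sample_memory():
    """Constructed image: one KPROCESS at BASE_VA and three KTHREADs linked through its ThreadListHead."""
    mem = bytearray(0x4000)
    head = BASE_VA + KPROCESS_THREADLISTHEAD
    entries = [BASE_VA + (i + 1) * THREAD_STRIDE + KTHREAD_THREADLISTENTRY for i in range(3)]
    ring = [head] + entries
    for i, node in enumerate(ring):
        write_ptr(mem, node, ring[(i + 1) % len(ring)])        # Flink
        write_ptr(mem, node + PTR, ring[(i - 1) % len(ring)])  # Blink
    return mem


if __name__ == "__main__":
    mem = build_sample_memory()
    print([hex(t) for t in enumerate_threads(mem, BASE_VA)])
    print("inconsistent links:", check_links(mem, BASE_VA + KPROCESS_THREADLISTHEAD))
```

The same two functions serve the handle-table walk: substitute the HandleTableList offset for KTHREAD_THREADLISTENTRY and the global list head for the per-process one. A node reached only by Blink, or a Flink that skips a node whose Blink is still in place, shows up in check_links rather than being hidden by a Flink-only traversal.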
To be continued......

Reply: Bookmarked this, please continue it soon and keep writing.