windbg脚本小试
本帖最后由 元始天尊 于 2015-10-21 18:48 编辑偶然看到dump中数据如下:
81922000 e2 a2 01 00 02 00 40 01 01 00 00 00 00 00 00 00 10 00 6a 00 12 00 04 00 01 00 00 00 11 00 04 00......@...........j.............
81922020 d2 07 00 00 13 00 04 00 0f 80 20 02 15 00 4a 00 43 00 3a 00 5c 00 57 00 49 00 4e 00 44 00 4f 00.......... ...J.C.:.\.W.I.N.D.O.
81922040 57 00 53 00 5c 00 73 00 79 00 73 00 74 00 65 00 6d 00 33 00 32 00 5c 00 64 00 72 00 69 00 76 00W.S.\.s.y.s.t.e.m.3.2.\.d.r.i.v.
81922060 65 00 72 00 73 00 5c 00 65 00 74 00 63 00 5c 00 68 00 6f 00 73 00 74 00 73 00 16 00 00 00 10 00e.r.s.\.e.t.c.\.h.o.s.t.s.......
81922080 4c 00 12 00 04 00 01 00 00 00 11 00 04 00 55 0b 00 00 13 00 04 00 0f 80 20 02 15 00 2c 00 43 00L.............U......... ...,.C.
819220a0 3a 00 5c 00 57 00 49 00 4e 00 44 00 4f 00 57 00 53 00 5c 00 74 00 61 00 73 00 6b 00 73 00 5c 00:.\.W.I.N.D.O.W.S.\.t.a.s.k.s.\.
819220c0 2a 00 2e 00 6a 00 6f 00 62 00 16 00 00 00 10 00 56 00 12 00 04 00 01 00 00 00 11 00 04 00 56 0b*...j.o.b.......V.............V.
819220e0 00 00 13 00 04 00 0f 80 20 02 15 00 36 00 43 00 3a 00 5c 00 57 00 49 00 4e 00 44 00 4f 00 57d....................... ...D.C.
代码:
// Decompiler output for a TLV lookup routine recovered from the dump above.
// The buffer at Src is a run of records laid out as
//   [u16 tag][u16 len][len bytes of value]
// (see the reads at v5 / v9 and the advance by len + 4 in the loop).
// Walks the records until one whose tag equals ObjLen is found, then copies
// that record's value into Dst.
//
// Src     - start of the record run (typed int by the decompiler; it is used as a byte address).
// MaxLen  - number of bytes at Src that may be read; the walk stops when the cursor would pass it.
// ObjLen  - the record tag being searched for (the decompiler's name is misleading:
//           it is compared with the first u16 of each record, not with a length).
// Dst     - destination buffer for the matched value.
// DstLen  - in: capacity of Dst in bytes; out: the matched record's value length
//           (written whether or not the value fit).
// Returns 0 when any pointer argument is NULL, the buffer is too small, no record
// matches, or the value does not fit in *DstLen; otherwise the address just past
// the matched record's value (presumably so a caller can resume the search from
// there — not confirmed here).
int __stdcall sub_2FEC6(int Src, unsigned int MaxLen, __int16 ObjLen, void *Dst, PULONG DstLen)
{
    int v5; // edx@1  cursor: address of the current record's tag
    int v6; // esi@1  running byte offset of the cursor from Src
    PULONG v7; // eax@3  copy of DstLen, used for the final length write-back
    USHORT v8; // cx@7  current record's tag
    int v9; // edx@7  address of the current record's length field
    unsigned __int16 v10; // cx@8  current record's length
    ULONG v11; // ebx@10  matched record's length
    const void *v12; // edx@11  address of the matched record's value
    int v14; // @1  return value (0 = not found / not copied)
    v5 = Src;
    v6 = 0;
    v14 = 0;
    if ( Src )
    {
        if ( Dst )
        {
            v7 = DstLen;
            if ( DstLen )
            {
                // A record header is 4 bytes, so at least that much must be readable
                // and the destination must have non-zero capacity. The repeated
                // MaxLen >= 4 test is a decompiler artifact.
                if ( MaxLen >= 4 && *DstLen > 0 && MaxLen >= 4 )
                {
                    while ( 1 )
                    {
                        v8 = *(_WORD *)v5;
                        v9 = v5 + 2;
                        if ( v8 == ObjLen )
                            break;
                        // Not the wanted tag: step over this record
                        // (2-byte tag + 2-byte length + v10 bytes of value).
                        v10 = *(_WORD *)v9;
                        v5 = v9 + *(_WORD *)v9 + 2;
                        v6 += v10 + 4;
                        // Stop when the next 4-byte header would extend past MaxLen.
                        // NOTE(review): v6 is truncated to 16 bits here while v5 has
                        // advanced by the full amount, so once the offset exceeds 0xFFFF
                        // this check no longer bounds the read at v5 on the next pass.
                        if ( (unsigned int)(unsigned __int16)v6 + 4 > MaxLen )
                            return v14;
                    }
                    v11 = *(_WORD *)v9;
                    // Only the destination capacity is checked here; v11 is not compared
                    // against the bytes remaining in the source buffer (MaxLen - v6 - 4),
                    // so the copy below may read past Src + MaxLen for a malformed record.
                    if ( v11 <= *DstLen )
                    {
                        v12 = (const void *)(v9 + 2);
                        // The two qmemcpy calls together copy exactly v11 bytes:
                        // the 4-byte-aligned part first, then the 0..3 byte tail.
                        qmemcpy(Dst, v12, 4 * (v11 >> 2));
                        v14 = (int)((char *)v12 + v11);
                        v7 = DstLen;
                        qmemcpy((char *)Dst + 4 * (v11 >> 2), (char *)v12 + 4 * (v11 >> 2), v11 & 3);
                    }
                    // Report the matched value's length even when it did not fit
                    // (v7 == DstLen on both paths, so this always writes *DstLen).
                    *v7 = v11;
                }
            }
        }
    }
    return v14;
}
数据较多,于是打算写脚本,得到:
$$ eax: start of the TLV block in the dump (the address shown at the top of the hex dump).
r@eax=0x81922000;
$$ $t1: record cursor, starting at offset 0x10 where the first 0x10 record begins in the dump.
r@$t1=@eax+0x10;
$$ Walk records while the cursor stays inside the block (poi(@eax) & 0xFFFF is taken as the total length).
$$ du prints the Unicode string found at offset 0x20 of each record (the path field in this dump).
$$ Each step advances by 4 (2-byte tag + 2-byte length) plus the record's own 16-bit length.
.while @$t1 < @eax + (poi(@eax) & 0xFFFF) {du @$t1+0x20;r@$t1=@$t1 + 4 + (poi(@$t1+2) & 0xFFFF);}
结果:
81922030"C:\WINDOWS\system32\drivers\etc\"
81922070"hosts."
8192209e"C:\WINDOWS\tasks\*.job."
819220ee"C:\WINDOWS\system32\tasks\*."
81922148"C:\Documents and Settings\*\「开始」"
81922188"菜单\*."
819221b4"C:\Documents and Settings\*\Star"
819221f4"t Menu\*."
81922228"C:\Users\*\AppData\Roaming\Micro"
81922268"soft\Windows\Start Menu\*."
819222be"%PROGRAMDATA%\Microsoft\Windows\"
819222fe"Start Menu\*."
8192233a"C:\Documents and Settings\*\「开始」"
8192237a"菜单\程序\启动\*."
819223b2"C:\Documents and Settings\*\Star"
819223f2"t Menu\Programs\Startup\*."
81922448"C:\Users\*\AppData\Roaming\Micro"
81922488"soft\Windows\Start Menu\Programs"
819224c8"\Startup\*."
81922500"%PROGRAMDATA%\Microsoft\Windows\"
81922540"Start Menu\Programs\Startup\*."
8192259e"C:\Program Files\WinRAR\RarExt.d"
819225de"ll."
81922606"C:\WINDOWS\system32\Macromed\Fla"
81922646"sh\*.ocx."
8192267a"C:\WINDOWS\SysWOW64\Macromed\Fla"
819226ba"sh\*.ocx."
819226ee"C:\WINDOWS\system32\GroupPolicy\"
8192272e"User\Scripts\logon\*."
8192277a"C:\WINDOWS\system32\GroupPolicy\"
819227ba"User\Scripts\logoff\*."
81922808"C:\WINDOWS\system32\GroupPolicy\"
81922848"Machine\Scripts\Startup\*."
8192289e"C:\WINDOWS\system32\GroupPolicy\"
819228de"Machine\Scripts\Shutdown\*."
81922936"c:\boot.ini."
81922970"c:\ntdetect.com."
819229b2"c:\ntldr."
819229e6"c:\ntbootdd.sys."
81922a28"c:\pagefile.sys."
81922a6a"c:\hiberfil.sys."
81922aac"c:\bootmgr."
81922ae4"C:\Program Files\Outlook Express"
81922b24"\*.dll."
81922b54"C:\Program Files\Outlook Express"
81922b94"\*.exe."
81922bc4"C:\Program Files (x86)\Windows N"
81922c04"T\*\*.dll."
81922c3a"C:\Program Files (x86)\Windows N"
81922c7a"T\*\*.exe."
81922cb0"C:\Program Files (x86)\Windows N"
81922cf0"T\*.dll."
81922d22"C:\Program Files (x86)\Windows N"
81922d62"T\*.exe."
81922d94"C:\Program Files\Windows NT\*\*."
81922dd4"exe."
81922dfe"C:\Program Files\Windows NT\*\*."
。。。
怎么拼成完整的字符串呢?
先用列编辑去掉地址,然后在 Notepad++ 里用正则将 "\r\n"([^C]) 替换为 \1,搞定!可以可以!!