Setting a breakpoint via bp kernelbase!RegOpenKeyExW does not work in WinDbg - PullRequest
2 votes
/ 29 April 2020

Using WinDbg Preview or the WinDbg from the Windows 10 SDK, when running a 32-bit process on Windows 10 1909 (build 18363.815), setting a breakpoint on kernelbase!RegOpenKeyExW by name does not work.

Example:

  1. Start C:\windows\syswow64\notepad.exe under WinDbg
  2. .symfix C:\symbols
  3. .reload
  4. bp ntdll!NtOpenKeyEx
  5. g
  6. k

 # ChildEBP RetAddr
00 0308f314 74bb5030 ntdll!NtOpenKeyEx
01 0308f3c4 74bb4b87 KERNELBASE!LocalBaseRegOpenKey+0x110
02 0308f42c 74bb4a3c KERNELBASE!RegOpenKeyExInternalW+0x137
03 0308f450 761c34b9 KERNELBASE!RegOpenKeyExW+0x1c
04 0308f488 761c345c combase!ComVerifierSettings::ReadBooleanFromOleKey+0x35 [onecore\com\combase\verifier\verify.cxx @ 1046] 
05 0308f4a4 76115745 combase!ComVerifierSettings::ComVerifierSettings+0x2f [onecore\com\combase\verifier\verify.cxx @ 768] 
06 0308f4a8 756a6cd7 combase!`dynamic initializer for 'ComVerifierSettings::s_singleton''+0x5 [onecore\com\combase\verifier\verify.cxx @ 626] 
07 0308f4c0 761e1801 ucrtbase!_initterm+0x37
08 0308f500 761e175d combase!dllmain_crt_process_attach+0x8c [vccrt\vcstartup\src\startup\dll_dllmain.cpp @ 64] 
09 0308f510 761e196a combase!dllmain_crt_dispatch+0x3d [vccrt\vcstartup\src\startup\dll_dllmain.cpp @ 138] 
0a 0308f550 761e1a6e combase!dllmain_dispatch+0x59 [vccrt\vcstartup\src\startup\dll_dllmain.cpp @ 195] 
0b 0308f564 77071de6 combase!_DllMainCRTStartup+0x1e [vccrt\vcstartup\src\startup\dll_dllmain.cpp @ 253] 
0c 0308f584 77035608 ntdll!LdrxCallInitRoutine+0x16
0d 0308f5d0 77043f8f ntdll!LdrpCallInitRoutine+0x51
0e 0308f658 77044836 ntdll!LdrpInitializeNode+0x133
0f 0308f67c 7704484d ntdll!LdrpInitializeGraphRecurse+0x5d
10 0308f6a4 770a9542 ntdll!LdrpInitializeGraphRecurse+0x74
11 0308f6b4 770a9382 ntdll!LdrpInitializeGraph+0x13
12 0308f914 77051dd1 ntdll!LdrpInitializeProcess+0x1cc2
13 0308f96c 77051cc1 ntdll!_LdrpInitialize+0xba
14 0308f978 00000000 ntdll!LdrInitializeThunk+0x11
.restart
bc *
bp KERNELBASE!RegOpenKeyExW
g

The breakpoint is not hit.

.restart
bc *
x kernelbase!RegOpenKeyExW*
74bc64b0          KERNELBASE!RegOpenKeyExW (void)
74bb4a20          KERNELBASE!RegOpenKeyExW (_RegOpenKeyExW@20)
uf 74bc64b0
KERNELBASE!EventAccessControl:
74bc64b0 6a7f            push    7Fh
74bc64b2 58              pop     eax
74bc64b3 c21400          ret     14h
uf 74bb4a20
KERNELBASE!RegOpenKeyExW:
74bb4a20 8bff            mov     edi,edi
74bb4a22 55              push    ebp
74bb4a23 8bec            mov     ebp,esp
74bb4a25 51              push    ecx
74bb4a26 6a00            push    0
74bb4a28 ff7518          push    dword ptr [ebp+18h]
74bb4a2b ff7514          push    dword ptr [ebp+14h]
74bb4a2e ff7510          push    dword ptr [ebp+10h]
74bb4a31 ff750c          push    dword ptr [ebp+0Ch]
74bb4a34 ff7508          push    dword ptr [ebp+8]
74bb4a37 e814000000      call    KERNELBASE!RegOpenKeyExInternalW (74bb4a50)
74bb4a3c 59              pop     ecx
74bb4a3d 5d              pop     ebp
74bb4a3e c21400          ret     14h
bp 74bb4a20
g

The breakpoint is hit. Why do I have to use this address rather than the name? Why are there duplicate names?
Breakpoint 0 hit
eax=0308f478 ebx=00000000 ecx=760de820 edx=00000000 esi=760de820 edi=760c8d98
eip=74bb4a20 esp=0308f454 ebp=0308f488 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
KERNELBASE!RegOpenKeyExW:
74bb4a20 8bff            mov     edi,edi
Checking the import table of the process (lmvm for the module, !dh for the Import Address Table directory, then dps over that range) shows that the address it references is 74bb4a20.
0:000> lmvm notepad
Browse full module list
start    end        module name
00fe0000 0100b000   notepad    (deferred)             
    Image path: notepad.exe
    Image name: notepad.exe
    Browse all global symbols  functions  data
    Image was built with /Brepro flag.
    Timestamp:        93B4E8FA (This is a reproducible build file hash, not a timestamp)
    CheckSum:         00032822
    ImageSize:        0002B000
    File version:     10.0.18362.693
    Product version:  10.0.18362.693
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        1.0 App
    File date:        00000000.00000000
    Translations:     0409.04b0
    Information from resource tables:
        CompanyName:      Microsoft Corporation
        ProductName:      Microsoft® Windows® Operating System
        InternalName:     Notepad
        OriginalFilename: NOTEPAD.EXE
        ProductVersion:   10.0.18362.693
        FileVersion:      10.0.18362.693 (WinBuild.160101.0800)
        FileDescription:  Notepad
        LegalCopyright:   © Microsoft Corporation. All rights reserved.

Reloading the symbols changed nothing:

0:007> .reload /f kernelbase.dll
SYMSRV:  BYINDEX: 0x49
         C:\symbols*https://msdl.microsoft.com/download/symbols
         wkernelbase.pdb
         017FA9C5278235B7E6BFBA74A9A5AAD91
SYMSRV:  PATH: C:\symbols\wkernelbase.pdb\017FA9C5278235B7E6BFBA74A9A5AAD91\wkernelbase.pdb
SYMSRV:  RESULT: 0x00000000
DBGHELP: KERNELBASE - public symbols  
        C:\symbols\wkernelbase.pdb\017FA9C5278235B7E6BFBA74A9A5AAD91\wkernelbase.pdb

I can set the breakpoint via bm with a wildcard, but in the past I never had to do that:

0:000> bm kernelbase!RegOpenKeyExW*
  1: 74bc64b0          @!"KERNELBASE!RegOpenKeyExW"
  2: 74bb4a20          @!"KERNELBASE!RegOpenKeyExW"

I am wondering whether some specific change is causing this, or whether there is a problem with the symbols, etc.?

1 Answer

1 vote
/ 01 May 2020

Well, one of them is a private CLRTYPE symbol. I don't know how it crept in, but iirc there are several more such symbols.

Use .symopt+4000 to load only public symbols. Your breakpoint will then be set correctly.

0:000> .symopt
Symbol options are 0x30337:
  0x00000001 - SYMOPT_CASE_INSENSITIVE
  0x00000002 - SYMOPT_UNDNAME
  0x00000004 - SYMOPT_DEFERRED_LOADS
  0x00000010 - SYMOPT_LOAD_LINES
  0x00000020 - SYMOPT_OMAP_FIND_NEAREST
  0x00000100 - SYMOPT_NO_UNQUALIFIED_LOADS
  0x00000200 - SYMOPT_FAIL_CRITICAL_ERRORS
  0x00010000 - SYMOPT_AUTO_PUBLICS
  0x00020000 - SYMOPT_NO_IMAGE_SEARCH
0:000> x /v /f /t kernelbase!RegOpenKeyExW*
prv func   00007fff`582a3120    6 <CLR type> KERNELBASE!RegOpenKeyExW (void)
pub func   00007fff`58248c60    0 <NoType> KERNELBASE!RegOpenKeyExW (<no parameter info>)
0:000> .symopt+4000
Symbol options are 0x34337:
  0x00000001 - SYMOPT_CASE_INSENSITIVE
  0x00000002 - SYMOPT_UNDNAME
  0x00000004 - SYMOPT_DEFERRED_LOADS
  0x00000010 - SYMOPT_LOAD_LINES
  0x00000020 - SYMOPT_OMAP_FIND_NEAREST
  0x00000100 - SYMOPT_NO_UNQUALIFIED_LOADS
  0x00000200 - SYMOPT_FAIL_CRITICAL_ERRORS
  0x00004000 - SYMOPT_PUBLICS_ONLY
  0x00010000 - SYMOPT_AUTO_PUBLICS
  0x00020000 - SYMOPT_NO_IMAGE_SEARCH
0:000> x /v /f /t kernelbase!RegOpenKeyExW*
pub func   00007fff`58248c60    0 <NoType> KERNELBASE!RegOpenKeyExW (<no parameter info>)
0:000> bp KERNELBASE!RegOpenKeyExW
0:000> bl
     0 e Disable Clear  00007fff`58248c60     0001 (0001)  0:**** KERNELBASE!RegOpenKeyExW
0:000> g
ModLoad: 00007fff`59140000 00007fff`5916e000   C:\WINDOWS\System32\IMM32.DLL
Breakpoint 0 hit
KERNELBASE!RegOpenKeyExW:
00007fff`58248c60 4883ec38        sub     rsp,38h
0:000> uf .
KERNELBASE!RegOpenKeyExW:
00007fff`58248c60 4883ec38        sub     rsp,38h
00007fff`58248c64 488b442460      mov     rax,qword ptr [rsp+60h]
00007fff`58248c69 488364242800    and     qword ptr [rsp+28h],0
00007fff`58248c6f 4889442420      mov     qword ptr [rsp+20h],rax
00007fff`58248c74 e817000000      call    KERNELBASE!RegOpenKeyExInternalW (00007fff`58248c90)
00007fff`58248c79 4883c438        add     rsp,38h
00007fff`58248c7d c3              ret

As already said, there are several symbols that all point to this address:

windbg -c ".logopen d:\syms.txt;x /v /t kernelbase!*;.logclose;q" windbg

D:\>wc -l syms.txt
    41405 syms.txt

D:\>grep -i RegOpenKeyExW syms.txt
prv func   00007fff`582a3120    6 <CLR type> KERNELBASE!RegOpenKeyExW (void)
pub func   00007fff`58248c60    0 <NoType> KERNELBASE!RegOpenKeyExW (<no parameter info>)

D:\>grep -i 00007fff`582a3120 syms.txt | wc -l
1935

D:\>grep -i prv.*00007fff`582a3120 syms.txt | wc -l
1935

D:\>grep -i pub.*00007fff`582a3120 syms.txt | wc -l
0
...
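The two-entry result of `x /v /t` in the answer above, and the two hits for `x kernelbase!RegOpenKeyExW*` in the question, can be checked mechanically over a whole module. The script below is an added example, not code from the question, the answer or WinDbg: it parses `x /v /t` output, lists every name that resolves to more than one address (where `bp name` is unreliable), picks the public address that `.symopt+4000` would leave, and counts how many private entries collapse onto one address (the answer's grep/wc step). The sample lines are constructed; HypotheticalApiA and OnlyPublicB are made-up names.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: the two RegOpenKeyExW lines are the answer's own `x /v /t`
# output; the remaining names are hypothetical and exist only for this example.
SAMPLE = """\
0:000> x /v /t kernelbase!*
prv func   00007fff`582a3120    6 <CLR type> KERNELBASE!RegOpenKeyExW (void)
pub func   00007fff`58248c60    0 <NoType> KERNELBASE!RegOpenKeyExW (<no parameter info>)
prv func   00007fff`582a3120    6 <CLR type> KERNELBASE!HypotheticalApiA (void)
pub func   00007fff`58251000    0 <NoType> KERNELBASE!HypotheticalApiA (<no parameter info>)
pub func   00007fff`58252000    0 <NoType> KERNELBASE!OnlyPublicB (<no parameter info>)
"""

# One `x /v /t` line: visibility (prv/pub), tag, address, size, <type>, name.
# The type field may contain a space ("CLR type"), so it is matched up to '>'.
X_LINE = re.compile(
    r"^(?P<kind>prv|pub)\s+(?P<tag>\w+)\s+(?P<addr>[0-9a-fA-F`]+)\s+"
    r"(?P<size>\d+)\s+<(?P<type>[^>]*)>\s+(?P<name>\S+)"
)


def parse_x_output(text):
    """Return one dict per symbol line; prompts and prose lines are skipped."""
    symbols = []
    for line in text.splitlines():
        m = X_LINE.match(line.strip())
        if m:
            sym = m.groupdict()
            # Drop the 64-bit address separator before converting to an int.
            sym["addr"] = int(sym["addr"].replace("`", ""), 16)
            sym["size"] = int(sym["size"])
            symbols.append(sym)
    return symbols


def ambiguous_names(text):
    """Names that resolve to more than one address, i.e. where `bp name` is unreliable."""
    by_name = defaultdict(list)
    for sym in parse_x_output(text):
        by_name[sym["name"]].append((sym["kind"], sym["addr"]))
    return {
        name: sorted(set(entries))
        for name, entries in by_name.items()
        if len({addr for _, addr in entries}) > 1
    }


def preferred_breakpoint_address(text, name):
    """Address `bp name` lands on once private symbols are ignored (what .symopt+4000 does).

    Returns None when the name has no public entry at all.
    """
    publics = [s["addr"] for s in parse_x_output(text)
               if s["name"] == name and s["kind"] == "pub"]
    return publics[0] if publics else None


def private_hotspot(text):
    """(address, count) of the address most private entries collapse onto; (None, 0) if none."""
    counts = Counter(s["addr"] for s in parse_x_output(text) if s["kind"] == "prv")
    return counts.most_common(1)[0] if counts else (None, 0)


if __name__ == "__main__":
    for name, entries in sorted(ambiguous_names(SAMPLE).items()):
        print(name, [(k, hex(a)) for k, a in entries],
              "-> use", hex(preferred_breakpoint_address(SAMPLE, name)))
    addr, n = private_hotspot(SAMPLE)
    print(f"{n} private symbols share {addr:#x}")
```

Feed it the syms.txt produced by the answer's `.logopen ... x /v /t kernelbase!* ... .logclose` run instead of SAMPLE to get the same 1935-entry hotspot the grep/wc pipeline reports.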