C++ 查看windbg中挂起进程的eax寄存器中入口点的地址_C++_Windows_Windbg

C++ 查看windbg中挂起进程的eax寄存器中入口点的地址

c++ windows windbg

C++ 查看windbg中挂起进程的eax寄存器中入口点的地址,c++,windows,windbg,C++,Windows,Windbg,对于32位系统上的32位进程，EAX寄存器保存入口点的地址。但是windbg始终为此线程显示0 在创建处于挂起状态的进程并执行 .thread <thread_address> r 使用GetThreadContext（）进行检查时，我在EAX中获取当前值 if (!CreateProcess("test.exe", nullptr, nullptr, nullptr, false, CREATE_SUSPENDED, nullptr, nullptr, &Startu

对于

位系统上的

位进程，

EAX

寄存器保存入口点的地址。但是windbg始终为此线程显示

在创建处于挂起状态的进程并执行

 .thread <thread_address>
 r

使用

GetThreadContext（）

进行检查时，我在

EAX

中获取当前值

if (!CreateProcess("test.exe", nullptr, nullptr, nullptr, false, CREATE_SUSPENDED, nullptr, nullptr, &StartupInfo, &ProcessInfo))
{
    std::cout << "Failed to create process " << GetLastError();
    return 1;
}

CONTEXT Ctx;
Ctx.ContextFlags = CONTEXT_FULL;
GetThreadContext(ProcessInfo.hThread, &Ctx);
std::cout << Ctx.Eax << "\n"; //ImageBase + AddressOfEntryPoint

if（！CreateProcess（“test.exe”、nullptr、nullptr、nullptr、false、CREATE_SUSPENDED、nullptr、nullptr、&StartupInfo、&ProcessInfo））
{
std:：cout假设您已经在目标（vm/物理机器）中创建了如下暂停的进程

您使用内核调试器连接到该计算机

你有合适的二进制PDB，你可以简单地让WEBBG给你上下文。EAX使用？C++表达式计算器< /P>
测试代码
#include <windows.h>
#include <stdio.h>

int main (void) 
{
    printf("lets Create a suspended process and look at it in kd\n");
    STARTUPINFO si ={0};
    PROCESS_INFORMATION pi ={0};
    si.cb = sizeof(si);
    char *cmdln = "c:\\windows\\system32\\calc.exe\0";
    if( !CreateProcess( NULL,cmdln,NULL,NULL,FALSE,CREATE_SUSPENDED,NULL,NULL,&si,&pi ))
    {
        printf( "CreateProcess failed (%x).\n", GetLastError() );
        return 0;
    }
    CONTEXT ctx ={0};
    ctx.ContextFlags = CONTEXT_FULL;
    GetThreadContext(pi.hThread, &ctx);
    printf("Eax = %x\n",ctx.Eax);

    int ans = 'n';
    while (ans != 'y') 
    {
        Sleep(5000);
        ans = getchar();        
    }
    printf("resuming the process\n");
    ResumeThread(pi.hThread);    
    WaitForSingleObject( pi.hProcess, INFINITE );
    printf("wait returned closing handles\n");
    CloseHandle( pi.hProcess );
    CloseHandle( pi.hThread );
}

将编译后的可执行文件复制到运行32位win7sp1的vm并双击它
它执行eax打印并等待按键

在连接到此vm的kd中，您可以找到eax的实际值
kd> !process 0 2 cpsusp.exe  <<< find the DirectoryBase and Threads of Process one is interested in 

PROCESS 841cad40  SessionId: 1  Cid: 0110    Peb: 7ffd5000  ParentCid: 008c
    DirBase: 0f90a000  ObjectTable: 95d5d210  HandleCount:  12.
    Image: cpsusp.exe

        THREAD 841b8d48  Cid 0110.0644  Teb: 7ffdf000 Win32Thread: 00000000 WAIT:
 (WrLpcReply) UserMode Non-Alertable
            841b8f7c  Semaphore Limit 0x1

kd> .thread /p /r /P 841b8d48    << setting the thread context (just .thread isn't enough
Implicit thread is now 841b8d48    Implicit process is now 841cad40
.cache forcedecodeptes done
kd> kb
  *** Stack trace for last set context - .thread/.cxr resets it
 # ChildEBP RetAddr  Args to Child              
00 8ce3bae8 8285bd75 841b8d48 82925f08 82922d20 nt!KiSwapContext+0x26
XXXXXXXXXXXXXXXXXX snipped off irrelevent stack 
16 0015f8e0 013d13d4 00000001 002cfe60 002d0bd8 cpsusp!main+0x114 [e:\code\cpsusp\cpsusp.cpp @ 25] 
YYYYYYYYYYYYY  snipped of iirelevent stack 
1b 0015f98c 00000000 013d14b9 7ffd5000 00000000 ntdll!_RtlUserThreadStart+0x1b

kd> .frame /r /c 0x16   <<<< seeting the frame and forcing to retrieve the actual volatile registers
16 0015f8e0 013d13d4 cpsusp!main+0x114 [e:\code\cpsusp\cpsusp.cpp @ 25]
cpsusp!main+0x114:
001b:013d1114 89852cfdffff    mov     dword ptr [ebp-2D4h],eax
kd> dv
            ctx = struct _CONTEXT   <<<<<<<<<
          cmdln = 0x014101d8 "c:\windows\system32\calc.exe"
             pi = struct _PROCESS_INFORMATION
            ans = 0n110
             si = struct _STARTUPINFOA
kd> ?? ctx.Eax  <<<<<<
unsigned long 0x212d6c   <<<< this is the value you got printed in the remote machine

kd>！process 0 2 cpsup.exe为什么认为EAX保存入口点的地址？应该检查gethreadcontext（）
在所有内核模式上下文的图像上返回值-这与用户模式线程上下文有何关系？@RbMm因为我使用切换到线程。thread，我难道不能看到寄存器内容吗？@1201programalm，大多数情况下，入口点在32位的eax和64位的rcx中。在这种情况下，它是定义的因为GetThreadContext（）确实给出了正确的值，该值应该是imagebase+addressofentrypoint偏移量。
cl /Zi /W4 /analyze /Od /EHsc cpsusp.cpp /link /release

kd> !process 0 2 cpsusp.exe  <<< find the DirectoryBase and Threads of Process one is interested in 

PROCESS 841cad40  SessionId: 1  Cid: 0110    Peb: 7ffd5000  ParentCid: 008c
    DirBase: 0f90a000  ObjectTable: 95d5d210  HandleCount:  12.
    Image: cpsusp.exe

        THREAD 841b8d48  Cid 0110.0644  Teb: 7ffdf000 Win32Thread: 00000000 WAIT:
 (WrLpcReply) UserMode Non-Alertable
            841b8f7c  Semaphore Limit 0x1

kd> .thread /p /r /P 841b8d48    << setting the thread context (just .thread isn't enough
Implicit thread is now 841b8d48    Implicit process is now 841cad40
.cache forcedecodeptes done
kd> kb
  *** Stack trace for last set context - .thread/.cxr resets it
 # ChildEBP RetAddr  Args to Child              
00 8ce3bae8 8285bd75 841b8d48 82925f08 82922d20 nt!KiSwapContext+0x26
XXXXXXXXXXXXXXXXXX snipped off irrelevent stack 
16 0015f8e0 013d13d4 00000001 002cfe60 002d0bd8 cpsusp!main+0x114 [e:\code\cpsusp\cpsusp.cpp @ 25] 
YYYYYYYYYYYYY  snipped of iirelevent stack 
1b 0015f98c 00000000 013d14b9 7ffd5000 00000000 ntdll!_RtlUserThreadStart+0x1b

kd> .frame /r /c 0x16   <<<< seeting the frame and forcing to retrieve the actual volatile registers
16 0015f8e0 013d13d4 cpsusp!main+0x114 [e:\code\cpsusp\cpsusp.cpp @ 25]
cpsusp!main+0x114:
001b:013d1114 89852cfdffff    mov     dword ptr [ebp-2D4h],eax
kd> dv
            ctx = struct _CONTEXT   <<<<<<<<<
          cmdln = 0x014101d8 "c:\windows\system32\calc.exe"
             pi = struct _PROCESS_INFORMATION
            ans = 0n110
             si = struct _STARTUPINFOA
kd> ?? ctx.Eax  <<<<<<
unsigned long 0x212d6c   <<<< this is the value you got printed in the remote machine