bp 0x12345678 ".printf \"PID: %d, unkVar: %d\n\", ..., poi(poi(ecx+1c)+8)+c;g"
在 WinDbg 中，在解引用之前是否有办法先测试一个内存地址？
测试内存地址可以通过 .if ( poi(@R32) operator CONST ) { commands } 来完成，但我认为问题的目的是在内存访问失败时不要中断执行。
在这种情况下，请用
.catch {} ; command to execute on exception
包装条件命令，这样执行流程就不会被中断。示例代码：
#include <stdio.h>
/*
 * Sample program for the WinDbg conditional-breakpoint demo (MSVC __asm
 * syntax, x86 only).
 *
 * The first inline-asm block counts eax from 0 up to 0xFFFFFFFF, so a
 * breakpoint placed inside that loop (the cmp at 0x401006 in the
 * disassembly below) fires once per iteration with eax holding each
 * value in turn.  The second block spins forever so the process stays
 * alive after the loop finishes.
 */
int main (void)
{
__asm
{
xor eax , eax            /* eax = 0 */
increase:
inc eax                  /* eax++ */
cmp eax , 0ffffffffh
jne increase             /* repeat until eax == 0xFFFFFFFF */
}
printf("we reached here\n");
__asm
{
loopfever:
jmp loopfever            /* infinite loop: keeps the process alive */
}
return 0;
}
反汇编 main：
0:001> uf 401000
image00400000+0x1000:
00401000 55 push ebp
00401001 8bec mov ebp,esp
00401003 33c0 xor eax,eax
image00400000+0x1005:
00401005 40 inc eax
00401006 83f8ff cmp eax,0FFFFFFFFh
00401009 75fa jne image00400000+0x1005 (00401005)
image00400000+0x100b:
0040100b 6840814000 push offset image00400000+0x8140 (00408140)
00401010 e809000000 call image00400000+0x101e (0040101e)
00401015 83c404 add esp,4
image00400000+0x1018:
00401018 ebfe jmp image00400000+0x1018 (00401018)
401006 上的断点每次命中都会解引用 eax（在将近 3 GB 的地址空间内这都会引发异常），因此将其包装在 .catch {} ; gc 中。对应的 bp 命令：
0:001> .bpcmds
bp0 0x00401006 " .catch { .printf \"%x\n\" , poi( @eax ) ; gc }; ? @eax ;gc ";
这是输出
Memory access error at ') ; gc '
Evaluate expression: 65529 = 0000fff9
Memory access error at ') ; gc '
Evaluate expression: 65530 = 0000fffa
Memory access error at ') ; gc '
Evaluate expression: 65531 = 0000fffb
Memory access error at ') ; gc '
Evaluate expression: 65532 = 0000fffc
Memory access error at ') ; gc '
Evaluate expression: 65533 = 0000fffd
Memory access error at ') ; gc '
Evaluate expression: 65534 = 0000fffe
Memory access error at ') ; gc '
Evaluate expression: 65535 = 0000ffff
380039 44003800 440038 44004400 440044 4b004400 4b0044 3d004b00 3d004b 45003d00 45003d 3a004500 3a0045 5c003a00 5c003a 39005c00 39005c 38003900 380039 44003800 440038 44004400
Environment starts at 0x10000 — compare:
0:000> s -su 10000 10100
00010000 "98DDK=E:DDK"
0001001e "=::=::\"
0001002e "=C:=C:\Documents and Settings\Ad"
7c90120e cc int 3
0:001> ~0s
eax=000100c4 ebx=7ffdf000 ecx=00000001 edx=0040c5f0 esi=00000000 edi=009af6ee
eip=00401006 esp=0013ff78 ebp=0013ff78 iopl=0 nv up ei pl nz na po cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000303
image00400000+0x1006:
00401006 83f8ff cmp eax,0FFFFFFFFh