在某些情况下,以下中断点由于内存地址错误而失败,并导致执行中断:

bp 0x12345678 ".printf \"PID: %d, unkVar: %d\n\", ..., poi(poi(ecx+1c)+8)+c;g"


在 WinDbg 中，取消引用（poi）之前是否有办法先测试内存地址是否有效？

#1 楼

测试内存地址可以通过

.if ( poi(@R32) operator CONST ) { commands }


完成，但要注意 `.if` 中的 poi() 对无效地址同样会报 "Memory access error" 并中止整条命令串，所以它本身并不能代替有效性检查；而且我认为提问者真正的目的是在内存访问失败时不要中断执行。

在这种情况下，请把可能失败的命令包装在 `.catch { ... }` 中，并把发生异常后仍要执行的命令放在它之后（形式为 `.catch { 可能失败的命令 } ; 异常后继续执行的命令`），这样即使取消引用失败，执行流程也不会被中断。

示例代码

#include <stdio.h>

/*
 * Test program for the .catch demonstration that follows.
 *
 * The first __asm block walks eax through every 32-bit value.  A breakpoint
 * placed on the cmp at 401006 (see the disassembly and .bpcmds output below)
 * dereferences eax on each hit, so most hits touch unmapped memory and raise
 * "Memory access error" inside the debugger command string.
 * The second __asm block spins forever, so `return 0` is never reached;
 * presumably this keeps the process alive for inspection in the debugger.
 *
 * MSVC-specific: __asm blocks are only accepted by the 32-bit Microsoft
 * compiler, and the addresses quoted later assume this exact instruction
 * sequence - do not reorder or substitute instructions.
 */
int main (void)
{
    __asm
    {
        xor eax , eax                   // eax = 0
            increase:
            inc eax                     // eax += 1 on every iteration
            cmp eax , 0ffffffffh        // breakpoint target (401006); loop until eax == 0xFFFFFFFF
            jne increase
    }
    printf("we reached here\n");        // only reached after ~4G iterations
    __asm
    {
loopfever:
        jmp loopfever                   // infinite spin; never falls through
    }
    return 0;                           // unreachable because of the spin above
}


main 的反汇编（WinDbg `uf` 输出）：
0:001> uf 401000
image00400000+0x1000:
00401000 55              push    ebp
00401001 8bec            mov     ebp,esp
00401003 33c0            xor     eax,eax

image00400000+0x1005:
00401005 40              inc     eax
00401006 83f8ff          cmp     eax,0FFFFFFFFh
00401009 75fa            jne     image00400000+0x1005 (00401005)

image00400000+0x100b:
0040100b 6840814000      push    offset image00400000+0x8140 (00408140)
00401010 e809000000      call    image00400000+0x101e (0040101e)
00401015 83c404          add     esp,4

image00400000+0x1018:
00401018 ebfe            jmp     image00400000+0x1018 (00401018)


在 401006 处设置一个每次命中都执行命令的断点，命令中对 eax 取消引用。eax 会扫过整个 32 位地址空间，其中绝大部分（原文估计近 3 GB）未映射，因此大多数命中都会引发内存访问异常。把这条命令包装成

.catch {} ; gc

的形式：`gc` 放在 .catch 块之后，无论 poi(@eax) 是否成功，目标进程都会继续运行。对应的断点命令如下（用 .bpcmds 列出）：

0:001> .bpcmds
bp0 0x00401006  " .catch { .printf \"%x\n\" , poi( @eax ) ; gc };  ? @eax ;gc ";


输出如下。注意 .catch 并不会抑制错误信息：每次 poi(@eax) 失败时仍会打印 "Memory access error"，但命令串不再被中止，.catch 之后的 `? @eax` 和 `gc` 照常执行，所以目标不会停下来：

Memory access error at ') ; gc '
Evaluate expression: 65529 = 0000fff9
Memory access error at ') ; gc '
Evaluate expression: 65530 = 0000fffa
Memory access error at ') ; gc '
Evaluate expression: 65531 = 0000fffb
Memory access error at ') ; gc '
Evaluate expression: 65532 = 0000fffc
Memory access error at ') ; gc '
Evaluate expression: 65533 = 0000fffd
Memory access error at ') ; gc '
Evaluate expression: 65534 = 0000fffe
Memory access error at ') ; gc '
Evaluate expression: 65535 = 0000ffff
380039 44003800 440038 44004400 440044 4b004400 4b0044 3d004b00 3d004b 45003d00 45003d 3a004500 3a0045 5c003a00 5c003a 39005c00 39005c 38003900 380039 44003800 440038 44004400 
当 eax 递增到 0x10000（进程环境变量字符串所在的地址）时，poi(@eax) 开始成功，上面一行打印的就是从那里读到的 dword 值。由于 eax 每次只加 1，相邻两次读取的 4 字节窗口是重叠的（例如 380039 对应内存字节 39 00 38 00，即 UTF-16LE 的 "98"）。可与下面 s -su 搜索到的环境字符串对比：

0:000> s -su 10000 10100
00010000  "98DDK=E:DDK"
0001001e  "=::=::\"
0001002e  "=C:=C:\Documents and Settings\Ad"

7c90120e cc              int     3
0:001> ~0s
eax=000100c4 ebx=7ffdf000 ecx=00000001 edx=0040c5f0 esi=00000000 edi=009af6ee
eip=00401006 esp=0013ff78 ebp=0013ff78 iopl=0         nv up ei pl nz na po cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000303
image00400000+0x1006:
00401006 83f8ff          cmp     eax,0FFFFFFFFh