Using WinDbg to view the system SSDT and Shadow SSDT tables

x86 operating system

1. Check whether the current system has already loaded the symbols for win32k.sys:

kd> lm
start    end        module name
80586000 8058f000   kdcom      (deferred)             
80e03000 81391000   nt         (pdb symbols)          d:\symbols\websymbo\ntkrpamp.pdb\E2342527EA214C109CD28A19ED4FBCCE2\ntkrpamp.pdb
81391000 813e6000   hal        (deferred)             
81c3b000 81c78000   spaceport   (deferred)             
81c78000 81c8b000   volmgr     (deferred)             
81c8b000 81cd9000   volmgrx    (deferred)             
81cd9000 81ce0000   intelide   (deferred)             
81ce0000 81cee000   PCIIDEX    (deferred)             
81cee000 81d04800   vmci       (deferred)             
81d05000 81d1a000   mountmgr   (deferred)             
81d1a000 81d33000   lsi_sas    (deferred)             
81d33000 81d80000   storport   (deferred)             
81d80000 81d89000   atapi      (deferred)             
81d89000 81db4000   ataport    (deferred)             
81db4000 81dc8000   EhStorClass   (deferred)             
81dc8000 81de6000   luafv      (deferred)             
81e00000 81e26000   cdrom      (deferred)             
81e35000 81e81000   fltmgr     (deferred)             
81e81000 81e92000   fileinfo   (deferred)             
81e92000 81ec5000   WdFilter   (deferred)             
81ec5000 81f97000   ndis       (deferred)             
81f97000 81ff0000   NETIO      (deferred)             
82000000 82014000   rspndr     (deferred)             
8201a000 821e9000   tcpip      (deferred)             
821e9000 821f4000   BasicRender   (deferred)             
82200000 82208000   Null       (deferred)             
82208000 8220f000   Beep       (deferred)             
82210000 82254000   fwpkclnt   (deferred)             
82254000 82261000   wfplwfs    (deferred)             
82261000 822ca000   fvevol     (deferred)             
822ca000 822da000   agp440     (deferred)             
822da000 82320000   volsnap    (deferred)             
82320000 8234f000   rdyboost   (deferred)             
8234f000 82360000   mup        (deferred)             
82360000 82367980   vmrawdsk   (deferred)             
8236b000 82383000   disk       (deferred)             
82383000 823ce000   CLASSPNP   (deferred)             
823ce000 823de000   crashdmp   (deferred)             
823de000 823e9000   monitor    (deferred)             
823e9000 823f9000   lltdio     (deferred)             
87a13000 87aa5000   mcupdate_GenuineIntel   (deferred)             
87aa5000 87ae8000   CLFS       (deferred)             
87ae8000 87b04000   tm         (deferred)             
87b04000 87b17000   PSHED      (deferred)             
87b17000 87b20000   BOOTVID    (deferred)             
87b20000 87b94000   CI         (deferred)             
87b94000 87bcc000   msrpc      (deferred)             
87bcc000 87bde000   pdc        (deferred)             
87bde000 87bf3000   partmgr    (deferred)             
87e00000 87e20000   tpm        (deferred)             
87e29000 87eaa000   Wdf01000   (deferred)             
87eaa000 87eb8000   WDFLDR     (deferred)             
87eb8000 87ec8000   acpiex     (deferred)             
87ec8000 87ed2000   WppRecorder   (deferred)             
87ed2000 87f2a000   ACPI       (deferred)             
87f2a000 87f33000   WMILIB     (deferred)             
87f33000 87f3b000   msisadrv   (deferred)             
87f3b000 87f6d000   pci        (deferred)             
87f6d000 87fe7000   cng        (deferred)             
87ff1000 87ffc000   vdrvroot   (deferred)             
88000000 8802a000   ksecpkg    (deferred)             
8803c000 881cf000   Ntfs       (deferred)             
881cf000 881e5000   ksecdd     (deferred)             
881e5000 881f3000   pcw        (deferred)             
881f3000 881fc000   Fs_Rec     (deferred)             
8be0a000 8bf3a000   dxgkrnl    (deferred)             
8bf3a000 8bf48000   watchdog   (deferred)             
8bf48000 8bf8b000   dxgmms1    (deferred)             
8bf8b000 8bf9a000   BasicDisplay   (deferred)             
8bf9a000 8bfa8000   Npfs       (deferred)             
8bfa8000 8bfb2000   Msfs       (deferred)             
8bfb2000 8bfcf000   tdx        (deferred)             
8bfcf000 8bfdc000   TDI        (deferred)             
8bfdc000 8bfe5000   ws2ifsl    (deferred)             
8bfe5000 8bff9000   dump_dumpfve   (deferred)             
8c800000 8c81a000   usbccgp    (deferred)             
8c81a000 8c824000   hidusb     (deferred)             
8c82a000 8c889000   USBPORT    (deferred)             
8c889000 8c8a6200   E1G60I32   (deferred)             
8c8a7000 8c8b9000   usbehci    (deferred)             
8c8b9000 8c8be000   CmBatt     (deferred)             
8c8be000 8c8c9000   BATTC      (deferred)             
8c8c9000 8c8e0000   intelppm   (deferred)             
8c8e0000 8c8f9000   raspptp    (deferred)             
8c8f9000 8c914000   rasl2tp    (deferred)             
8c914000 8c929000   raspppoe   (deferred)             
8c929000 8c92a300   swenum     (deferred)             
8c92b000 8c96a000   ks         (deferred)             
8c96a000 8c973000   rdpbus     (deferred)             
8c973000 8c984000   NDProxy    (deferred)             
8c984000 8c98e000   flpydisk   (deferred)             
8c98e000 8c9e2000   usbhub     (deferred)             
8c9e2000 8c9eb000   USBD       (deferred)             
8c9eb000 8c9ff000   HIDCLASS   (deferred)             
8ca00000 8ca06780   HIDPARSE   (deferred)             
8ca07000 8ca10000   mouhid     (deferred)             
8ca10000 8ca1b000   dump_diskdump   (deferred)             
8ca1b000 8ca34000   dump_LSI_SAS   (deferred)             
8ca3a000 8ca7e000   netbt      (deferred)             
8ca7e000 8caf1000   afd        (deferred)             
8caf1000 8cb16000   pacer      (deferred)             
8cb16000 8cb24000   netbios    (deferred)             
8cb24000 8cb45580   vmhgfs     (deferred)             
8cb46000 8cb9f000   rdbss      (deferred)             
8cb9f000 8cbbb000   vm3dmp     (deferred)             
8cbbb000 8cbff000   udfs       (deferred)             
8cc00000 8cc70000   csc        (deferred)             
8cc70000 8cc86000   wanarp     (deferred)             
8cc86000 8cc91000   nsiproxy   (deferred)             
8cc91000 8cc9c000   npsvctrig   (deferred)             
8cc9c000 8cca7000   mssmbios   (deferred)             
8cca7000 8ccb5000   discache   (deferred)             
8ccb5000 8ccd0000   dfsc       (deferred)             
8ccd0000 8ccdb000   usbuhci    (deferred)             
8ccde000 8cce9000   ndistapi   (deferred)             
8cce9000 8cd0f000   ndiswan    (deferred)             
8cd0f000 8cd26000   rassstp    (deferred)             
8cd26000 8cd38000   AgileVpn   (deferred)             
8cd38000 8cd5b000   tunnel     (deferred)             
8cd5b000 8cd68000   CompositeBus   (deferred)             
8cd68000 8cd72000   kdnic      (deferred)             
8cd72000 8cd80000   umbus      (deferred)             
8cd80000 8cd9b000   i8042prt   (deferred)             
8cd9b000 8cda8000   kbdclass   (deferred)             
8cda8000 8cda9280

We see that the current system has not loaded the win32k.pdb symbols, so we move on to the second step.

2. Switch into the context of a GUI process, where the system will have loaded win32k.sys automatically:

First we enumerate all processes on the current system, looking for explorer.exe:

kd> !Process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS 845c0cc0  SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 00185000  ObjectTable: 87c03000  HandleCount: <Data Not Accessible>
    Image: System

PROCESS 858a69c0  SessionId: none  Cid: 0200    Peb: 7f0db000  ParentCid: 0004
    DirBase: 3e0a7020  ObjectTable: 8b1cdec0  HandleCount: <Data Not Accessible>
    Image: smss.exe

PROCESS 85ea4bc0  SessionId: 0  Cid: 0264    Peb: 7f55f000  ParentCid: 025c
    DirBase: 3e0a7060  ObjectTable: 8c436740  HandleCount: <Data Not Accessible>
    Image: csrss.exe

PROCESS 84669cc0  SessionId: 1  Cid: 029c    Peb: 7f04a000  ParentCid: 0200
    DirBase: 3e0a7080  ObjectTable: 00000000  HandleCount:   0.
    Image: smss.exe

PROCESS 845b8040  SessionId: 0  Cid: 02a4    Peb: 7fcd8000  ParentCid: 025c
    DirBase: 3e0a70a0  ObjectTable: 8b1fec00  HandleCount: <Data Not Accessible>
    Image: wininit.exe

PROCESS 84655cc0  SessionId: 1  Cid: 02ac    Peb: 7f0a4000  ParentCid: 029c
    DirBase: 3e0a7040  ObjectTable: 87cdde00  HandleCount: <Data Not Accessible>
    Image: csrss.exe

PROCESS 84662cc0  SessionId: 1  Cid: 02cc    Peb: 7f2d9000  ParentCid: 029c
    DirBase: 3e0a70c0  ObjectTable: 87cc6a00  HandleCount: <Data Not Accessible>
    Image: winlogon.exe

PROCESS 8463fcc0  SessionId: 0  Cid: 02f8    Peb: 7f42d000  ParentCid: 02a4
    DirBase: 3e0a70e0  ObjectTable: 91325f00  HandleCount: <Data Not Accessible>
    Image: services.exe

PROCESS 845a0900  SessionId: 0  Cid: 0300    Peb: 7f885000  ParentCid: 02a4
    DirBase: 3e0a7100  ObjectTable: 91328a00  HandleCount: <Data Not Accessible>
    Image: lsass.exe

PROCESS 857b0040  SessionId: 0  Cid: 0364    Peb: 7f08f000  ParentCid: 02f8
    DirBase: 3e0a7120  ObjectTable: 9be2f480  HandleCount: <Data Not Accessible>
    Image: svchost.exe

PROCESS 8608e040  SessionId: 0  Cid: 0394    Peb: 7f43f000  ParentCid: 02f8
    DirBase: 3e0a7140  ObjectTable: 9be62640  HandleCount: <Data Not Accessible>
    Image: svchost.exe

PROCESS 860b5cc0  SessionId: 1  Cid: 03dc    Peb: 7f353000  ParentCid: 02cc
    DirBase: 3e0a7160  ObjectTable: 00000000  HandleCount:   0.
    Image: LogonUI.exe

PROCESS 860f5cc0  SessionId: 1  Cid: 0428    Peb: 7f1bd000  ParentCid: 02cc
    DirBase: 3e0a7180  ObjectTable: 9bf3e840  HandleCount: <Data Not Accessible>
    Image: dwm.exe

PROCESS 86163040  SessionId: 0  Cid: 0474    Peb: 7f145000  ParentCid: 02f8
    DirBase: 3e0a71a0  ObjectTable: 9cc01300  HandleCount: <Data Not Accessible>
    Image: svchost.exe

PROCESS 86168200  SessionId: 0  Cid: 0490    Peb: 7fe6f000  ParentCid: 02f8
    DirBase: 3e0a71c0  ObjectTable: 9cc19880  HandleCount: <Data Not Accessible>
    Image: svchost.exe

PROCESS 861819c0  SessionId: 0  Cid: 04c4    Peb: 7f6f7000  ParentCid: 02f8
    DirBase: 3e0a71e0  ObjectTable: 9cc696c0  HandleCount: <Data Not Accessible>
    Image: svchost.exe

PROCESS 8618ca00  SessionId: 0  Cid: 04fc    Peb: 7f4af000  ParentCid: 02f8
    DirBase: 3e0a7200  ObjectTable: 9cc7cbc0  HandleCount: <Data Not Accessible>
    Image: svchost.exe

PROCESS 85f3b6c0  SessionId: 0  Cid: 0560    Peb: 7f1ef000  ParentCid: 02f8
    DirBase: 3e0a7220  ObjectTable: 9ccb56c0  HandleCount: <Data Not Accessible>
    Image: svchost.exe

PROCESS 85f96040  SessionId: 0  Cid: 05f4    Peb: 7f0b4000  ParentCid: 02f8
    DirBase: 3e0a7240  ObjectTable: 9cd30980  HandleCount: <Data Not Accessible>
    Image: spoolsv.exe

PROCESS 861d4580  SessionId: 0  Cid: 0630    Peb: 7fedf000  ParentCid: 02f8
    DirBase: 3e0a7280  ObjectTable: 9cd4a280  HandleCount: <Data Not Accessible>
    Image: svchost.exe

PROCESS 869b5040  SessionId: 0  Cid: 06f8    Peb: 7fc77000  ParentCid: 02f8
    DirBase: 3e0a72a0  ObjectTable: 9cdcc800  HandleCount: <Data Not Accessible>
    Image: MsMpEng.exe

PROCESS 869e7040  SessionId: 0  Cid: 0730    Peb: 7f17b000  ParentCid: 02f8
    DirBase: 3e0a72c0  ObjectTable: 9f869940  HandleCount: <Data Not Accessible>
    Image: vmtoolsd.exe

PROCESS 86b6a9c0  SessionId: 1  Cid: 08b0    Peb: 7feda000  ParentCid: 02f8
    DirBase: 3e0a7360  ObjectTable: 9cde4740  HandleCount: <Data Not Accessible>
    Image: taskhostex.exe

PROCESS 86b84540  SessionId: 1  Cid: 0914    Peb: 7f7bc000  ParentCid: 08ec
    DirBase: 3e0a73e0  ObjectTable: 9e0d83c0  HandleCount: <Data Not Accessible>
    Image: explorer.exe

PROCESS 8515f040  SessionId: 0  Cid: 09f0    Peb: 7fa7b000  ParentCid: 02f8
    DirBase: 3e0a7440  ObjectTable: 9e1c0a80  HandleCount: <Data Not Accessible>
    Image: msdtc.exe

PROCESS 86b28cc0  SessionId: 0  Cid: 0a34    Peb: 7f6cd000  ParentCid: 02f8
    DirBase: 3e0a7460  ObjectTable: 9e645bc0  HandleCount: <Data Not Accessible>
    Image: svchost.exe

PROCESS 86a804c0  SessionId: 1  Cid: 0b4c    Peb: 7f16f000  ParentCid: 0364
    DirBase: 3e0a7320  ObjectTable: 9e6bae80  HandleCount: <Data Not Accessible>
    Image: LiveComm.exe

PROCESS 86c8fcc0  SessionId: 0  Cid: 0b6c    Peb: 7fc8b000  ParentCid: 02f8
    DirBase: 3e0a7480  ObjectTable: 9e6ce3c0  HandleCount: <Data Not Accessible>
    Image: svchost.exe

PROCESS 86c31cc0  SessionId: 0  Cid: 0ce4    Peb: 7fcf3000  ParentCid: 04fc
    DirBase: 3e0a74e0  ObjectTable: 9e765b40  HandleCount: <Data Not Accessible>
    Image: dasHost.exe

PROCESS 86c45040  SessionId: 1  Cid: 0d8c    Peb: 7f68d000  ParentCid: 0364
    DirBase: 3e0a7520  ObjectTable: 9e686a00  HandleCount: <Data Not Accessible>
    Image: RuntimeBroker.exe

PROCESS 86b13540  SessionId: 1  Cid: 0e64    Peb: 7fb2c000  ParentCid: 0914
    DirBase: 3e0a7560  ObjectTable: a1666640  HandleCount: <Data Not Accessible>
    Image: VMwareTray.exe

PROCESS 869eca40  SessionId: 1  Cid: 0ecc    Peb: 7fcbf000  ParentCid: 0914
    DirBase: 3e0a75a0  ObjectTable: a17c5f40  HandleCount: <Data Not Accessible>
    Image: vmtoolsd.exe

PROCESS 85ea5040  SessionId: 0  Cid: 0ee4    Peb: 7f429000  ParentCid: 02f8
    DirBase: 3e0a75c0  ObjectTable: a16afb80  HandleCount: <Data Not Accessible>
    Image: SearchIndexer.exe

PROCESS 84739740  SessionId: 0  Cid: 0b54    Peb: 7f4df000  ParentCid: 0364
    DirBase: 3e0a7640  ObjectTable: a3e86440  HandleCount: <Data Not Accessible>
    Image: dllhost.exe

PROCESS 847b0cc0  SessionId: 0  Cid: 0e0c    Peb: 7f8cc000  ParentCid: 02f8
    DirBase: 3e0a7500  ObjectTable: a3fe4980  HandleCount: <Data Not Accessible>
    Image: wmpnetwk.exe

PROCESS 8542a9c0  SessionId: 0  Cid: 02b4    Peb: 7f98f000  ParentCid: 0178
    DirBase: 3e0a7920  ObjectTable: a9d4f340  HandleCount: <Data Not Accessible>
    Image: MpCmdRun.exe

PROCESS 85406740  SessionId: 0  Cid: 0198    Peb: 7faae000  ParentCid: 06f8
    DirBase: 3e0a7940  ObjectTable: a9ca8800  HandleCount: <Data Not Accessible>
    Image: MpCmdRun.exe

PROCESS 84ed1cc0  SessionId: 0  Cid: 0bb8    Peb: 7fbfd000  ParentCid: 0198
    DirBase: 3e0a7900  ObjectTable: aa4d4580  HandleCount: <Data Not Accessible>
    Image: conhost.exe

PROCESS 84d2e200  SessionId: 0  Cid: 0a8c    Peb: 7fe37000  ParentCid: 02f8
    DirBase: 3e0a740

We find that the EPROCESS address of explorer.exe is 86b84540, so we use the following command to enter the address space of explorer.exe:

kd> .process 86b84540
Implicit process is now 86b84540
WARNING: .cache forcedecodeuser is not enabled

Once that is done, we have WinDbg reload the symbols:

kd> .reload
Connected to Windows 7 9200 x86 compatible target at (Thu Jan 16 14:55:08.096 2014 (UTC + 8:00)), ptr64 FALSE
Loading Kernel Symbols
...............................................................
................................................................
......................
Loading User Symbols
................................................................
...

Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long.
Run !sym noisy before .reload to track down problems loading symbols.

.............................................................
................................................................
.......
Loading unloaded module list
............................

At this point win32k.pdb has been loaded into WinDbg's symbol space, so we can use symbols to look up the SSDT and Shadow SSDT tables.

The first step is to find the address of the exported KeServiceDescriptorTable:

kd> dd nt!KeServiceDescriptorTable
81017400  80efb4d0 00000000 000001ad 80efbb88
81017410  00000000 00000000 00000000 00000000
81017420  80e8e42a 87f7f0b0 ffd5826a ffffffff
81017430  06060001 00010001 00000001 00000000
81017440  00000000 00000000 00000014 00000001
81017450  00000014 00000003 00000004 00000001
81017460  00000000 00000000 00000000 7ffeffff
81017470  80000000 83000000 87951000 0003ff7d

Here we see that 81017400 is the start address of the nt!KeServiceDescriptorTable we want to inspect.
Before going further, let us introduce the data structure that lives there:

typedef struct _KSYSTEM_SERVICE_TABLE
{
    PULONG  ServiceTableBase;         // base address of the SSDT (System Service Dispatch Table)
    PULONG  ServiceCounterTableBase;  // per-service call counters for the SSDT entries
    ULONG   NumberOfService;          // number of service functions; NumberOfService * 4 is the size of the whole address table
    ULONG   ParamTableBase;           // base address of the SSPT (System Service Parameter Table)
} KSYSTEM_SERVICE_TABLE, *PKSYSTEM_SERVICE_TABLE;

typedef struct _KSERVICE_TABLE_DESCRIPTOR
{
    KSYSTEM_SERVICE_TABLE   ntoskrnl;   // service functions of ntoskrnl.exe (SSDT)
    KSYSTEM_SERVICE_TABLE   win32k;     // service functions of win32k.sys (kernel support for GDI32.dll/User32.dll, the Shadow SSDT)
    KSYSTEM_SERVICE_TABLE   notUsed1;
    KSYSTEM_SERVICE_TABLE   notUsed2;
} KSERVICE_TABLE_DESCRIPTOR, *PKSERVICE_TABLE_DESCRIPTOR;

The address 81017400 points to the start of the KSERVICE_TABLE_DESCRIPTOR structure, i.e. to its first member, KSYSTEM_SERVICE_TABLE ntoskrnl;
the ntoskrnl member holds our SSDT.
The win32k member should hold the Shadow SSDT, but the memory at 81017410 is all zeros, i.e. it is empty, because Windows keeps the complete KSERVICE_TABLE_DESCRIPTOR data somewhere else. We need another command to view it:

kd> dd nt!KeServiceDescriptorTableShadow
810173c0  80efb4d0 00000000 000001ad 80efbb88
810173d0  8f712000 00000000 000003d8 8f713340
810173e0  80ee1ea3 00026161 00001388 00000000
810173f0  00200000 00000040 a0ef3fff 00000009
81017400  80efb4d0 00000000 000001ad 80efbb88
81017410  00000000 00000000 00000000 00000000
81017420  80e8e42a 87f7f0b0 ffd5826a ffffffff
81017430  06060001 00010001 00000001 00000000

In this output the address on the fifth line looks familiar: 81017400. That is a remarkable find,
because it is exactly the start address returned when we looked at nt!KeServiceDescriptorTable!
Now look at the start address returned this time, 810173c0, and its contents: 80efb4d0 00000000 000001ad 80efbb88. They are identical to the contents at 81017400. In other words, nt!KeServiceDescriptorTableShadow is a copy of nt!KeServiceDescriptorTable, with one difference: the win32k entry of KeServiceDescriptorTableShadow does contain data! That tells us this is where the Shadow SSDT we are looking for lives.

OK, now let's look at the contents of the SSDT:

kd> dds 80efb4d0 L000001ad 
80efb4d0  80ed5901 nt!NtWorkerFactoryWorkerReady
80efb4d4  80e741e2 nt!NtYieldExecution
80efb4d8  81126540 nt!NtWriteVirtualMemory
80efb4dc  811ae0af nt!NtWriteRequestData
80efb4e0  81163478 nt!NtWriteFileGather
80efb4e4  8105548f nt!NtWriteFile
80efb4e8  811f3434 nt!NtWaitLowEventPair
80efb4ec  811f33cb nt!NtWaitHighEventPair
...
...
...

This is the actual content of our SSDT.


Contents of the Shadow SSDT:

kd> dds 8f712000 L000003d8 
8f712000  8f6051a3 win32k!NtUserYieldTask
8f712004  8f668e22 win32k!NtGdiWidenPath
8f712008  8f6692bc win32k!NtGdiUpdateColors
8f71200c  8f66af6d win32k!NtGdiUnrealizeObject
8f712010  8f66ae25 win32k!NtGdiUnmapMemFont
8f712014  8f68a84c win32k!NtGdiUnloadPrinterDriver
8f712018  8f4561d7 win32k!NtGdiTransparentBlt
8f71201c  8f4ef8d6 win32k!NtGdiTransformPoints
8f712020  8f66ba58 win32k!NtGdiSwapBuffers
8f712024  8f668a89 win32k!NtGdiStrokePath
8f712028  8f668ba9 win32k!NtGdiStrokeAndFillPath
8f71202c  8f504c5d win32k!NtGdiStretchDIBitsInternal
8f712030  8f4bfb5b win32k!NtGdiStretchBlt
8f712034  8f431ee6 win32k!NtGdiStartPage
...
...
...
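As an added example (not code from the original post), the following Python script does by hand what the dd and dds commands above show: it decodes the four KSYSTEM_SERVICE_TABLE entries from the dd nt!KeServiceDescriptorTableShadow output copied from this page, rebuilds the dds command used above from ServiceTableBase and NumberOfService, and then checks each dds entry against the module range that lm reported for nt (80e03000-81391000). The last line of SSDT_DUMP is a constructed, hypothetical entry whose target lies outside ntoskrnl, which is the pattern a redirected SSDT slot would show and the check a defender wants.

```python
import re
from dataclasses import dataclass

# Constructed from this page's `dd nt!KeServiceDescriptorTableShadow` output;
# on x86 each KSYSTEM_SERVICE_TABLE is 4 DWORDs, i.e. one dd line per table.
SHADOW_DUMP = """\
810173c0  80efb4d0 00000000 000001ad 80efbb88
810173d0  8f712000 00000000 000003d8 8f713340
810173e0  80ee1ea3 00026161 00001388 00000000
810173f0  00200000 00000040 a0ef3fff 00000009
"""

# Constructed excerpt of the page's `dds` SSDT output, plus one hypothetical
# last line whose target lies outside ntoskrnl (what a redirected slot looks like).
SSDT_DUMP = """\
80efb4d0  80ed5901 nt!NtWorkerFactoryWorkerReady
80efb4d4  80e741e2 nt!NtYieldExecution
80efb4d8  81126540 nt!NtWriteVirtualMemory
80efb4dc  91a00010 ???
"""

@dataclass
class ServiceTable:  # one KSYSTEM_SERVICE_TABLE, field order as in the struct
    name: str
    service_table_base: int
    counter_table_base: int
    number_of_services: int
    param_table_base: int

    def dds_command(self):
        # the command this page uses to list a table: dds <base> L<count>
        return f"dds {self.service_table_base:08x} L{self.number_of_services:08x}"

def parse_descriptor(dump):
    # split dd output into DWORDs (dropping the address column), 4 per table
    words = []
    for line in dump.splitlines():
        parts = line.split()
        if parts:
            words.extend(int(w, 16) for w in parts[1:])
    names = ["ntoskrnl", "win32k", "notUsed1", "notUsed2"]
    return [ServiceTable(n, *words[i * 4:i * 4 + 4]) for i, n in enumerate(names)]

def find_out_of_range(dds_dump, lo=0x80e03000, hi=0x81391000):
    # (slot, target) pairs whose target is not inside [lo, hi);
    # the defaults are the nt module range from `lm` on this page
    bad = []
    for line in dds_dump.splitlines():
        m = re.match(r"([0-9a-f]{8})\s+([0-9a-f]{8})", line)
        if m:
            slot, target = int(m.group(1), 16), int(m.group(2), 16)
            if not lo <= target < hi:
                bad.append((slot, target))
    return bad
```

For the Shadow SSDT the same check applies with the win32k range from lm once the module is loaded, since every win32k!NtUser*/NtGdi* target must fall inside that image.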

Note: the command to force-load a particular module's PDB is

.reload /i XXXX.exe
