Post 2 (Ability: LV9, RANK:610)
Just disassemble it and look. For example, to look at OpenProcess, type "u kernel32!OpenProcess" in Windbg:
lkd> ld kernel32
Symbols loaded for kernel32
lkd> u kernel32!OpenProcess
kernel32!OpenProcess:
7c81e079 8bff mov edi,edi
7c81e07b 55 push ebp
7c81e07c 8bec mov ebp,esp
7c81e07e 83ec20 sub esp,20h
7c81e081 8b4510 mov eax,dword ptr [ebp+10h]
7c81e084 8945f8 mov dword ptr [ebp-8],eax
7c81e087 8b450c mov eax,dword ptr [ebp+0Ch]
7c81e08a 56 push esi
Post 3 (Ability: LV2, RANK:10)
Heh, thanks, master. That's exactly the answer I wanted.
Post 4 (Ability: LV2, RANK:10)
Will any masters come back in and take a look?
lkd> ld kernel32
No modules matched 'kernel32'
lkd> ld user32
No modules matched 'user32'
I have already done the following:
lkd> .sympath SRV*D:\WINDOWS\Symbols*http://msdl.microsoft.com/download/symbols
lkd> !sym noisy
lkd> !lmi nt //this is where the problem starts
Loaded Module Info: [nt]
Module: ntkrpamp
Base Address: 804d8000
Image Name: ntkrpamp.exe
Machine Type: 332 (I386)
Time Stamp: 4bd6e04d Tue Apr 27 21:02:05 2010
Size: 20c000
CheckSum: 1fc58b
Characteristics: 12e
Debug Data Dirs: Type Size VA Pointer
CODEVIEW 25, 9ff0, 95f0 RSDS - GUID: (0x46be65f3, 0x7705, 0x4d1d, 0x91, 0x90, 0x4d, 0xb7, 0x6a, 0x85, 0xd9, 0xb1)
Age: 1, Pdb: ntkrpamp.pdb
Image Type: FILE - Image read successfully from debugger.
ntkrpamp.exe
Symbol Type: PDB - Symbols loaded successfully from symbol server.
D:\WINDOWS\Symbols\ntkrpamp.pdb\46BE65F377054D1D91904DB76A85D9B11\ntkrpamp.pdb
Load Report: public symbols , not source indexed
D:\WINDOWS\Symbols\ntkrpamp.pdb\46BE65F377054D1D91904DB76A85D9B11\ntkrpamp.pdb
lkd> .reload /f nt
SYMSRV: D:\WINDOWS\Symbols\ntoskrnl.exe\4BD6E04D20c000\ntoskrnl.exe not found
SYMSRV: http://msdl.microsoft.com/download/symbols/ntoskrnl.exe/4BD6E04D20c000/ntoskrnl.exe not found
SYMSRV: D:\WINDOWS\Symbols\ntkrnlup.exe\4BD6E04D20c000\ntkrnlup.exe not found
SYMSRV: http://msdl.microsoft.com/download/symbols/ntkrnlup.exe/4BD6E04D20c000/ntkrnlup.exe not found
SYMSRV: D:\WINDOWS\Symbols\ntkrnlpa.exe\4BD6E04D20c000\ntkrnlpa.exe not found
SYMSRV: http://msdl.microsoft.com/download/symbols/ntkrnlpa.exe/4BD6E04D20c000/ntkrnlpa.exe not found
SYMSRV: D:\WINDOWS\Symbols\ntkrnlmp.exe\4BD6E04D20c000\ntkrnlmp.exe not found
SYMSRV: http://msdl.microsoft.com/download/symbols/ntkrnlmp.exe/4BD6E04D20c000/ntkrnlmp.exe not found
DBGHELP: D:\WINDOWS\Symbols\ntkrpamp.exe\4BD6E04D20c000\ntkrpamp.exe - OK
DBGENG: D:\WINDOWS\Symbols\ntkrpamp.exe\4BD6E04D20c000\ntkrpamp.exe - Mapped image memory
DBGHELP: nt - public symbols
D:\WINDOWS\Symbols\ntkrpamp.pdb\46BE65F377054D1D91904DB76A85D9B11\ntkrpamp.pdb
lkd> !peb
GetContextState failed, 0x80004001
GetContextState failed, 0x80004001
PEB NULL...
Post 5 (Ability: LV4, RANK:50)
Do you have 360 installed?
Post 6 (Ability: LV2, RANK:10)
Yes, I have it installed. Is 360 the problem? What should I do?
Post 7 (Ability: LV3, RANK:20)
If it's 360, uninstall it, or find a clean system to debug on.
Post 8 (Ability: LV9, RANK:610)
It's not a 360 problem. Local kernel debugging mode doesn't show ring3 modules by default, so the corresponding symbols can't be loaded either; you need a few small tricks to make it work. You could just use windbg to debug any ring3 program instead, which is easier~
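Added example, not from any poster in this thread: the kind of "trick" a local kernel session needs before kernel32 shows up in the module list. It assumes an lkd> session like the one above with symbols already configured, and that explorer.exe is running; <EPROCESS> is a placeholder for the address the first command prints.

```windbg
$$ Added example (not from this thread): load ring3 modules from a local kernel session.
$$ 1. Find the EPROCESS of a user-mode process; note the address after "PROCESS" in the output.
!process 0 0 explorer.exe

$$ 2. Switch the debugger's page-table context to that process.
$$    /p uses the process's page directory, /r reloads user-mode symbols for the new context.
$$    <EPROCESS> is a placeholder for the address printed by step 1.
.process /p /r <EPROCESS>

$$ 3. kernel32 is now in the module list, so "ld kernel32" no longer reports "No modules matched"
$$    and user-mode symbols resolve.
lm m kernel32
u kernel32!OpenProcess
```

Without the context switch the debugger is looking at the kernel's own address space, which is why "ld kernel32" and "ld user32" both failed in post 4.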
Post 9 (Ability: LV2, RANK:10)
If a master could give me some pointers, I'm not afraid of the trouble; learning is a troublesome thing in itself.