kd> p
nt!RtlCompareString+0x6e:
805d898c 0fb64510 movzx eax,byte ptr [ebp+10h]
kd> p
nt!RtlCompareString+0x72:
805d8990 eb16 jmp nt!RtlCompareString+0x8a (805d89a8)
kd> p
nt!RtlCompareString+0x8a:
805d89a8 2bc1 sub eax,ecx
kd> p
nt!RtlCompareString+0x8c:
805d89aa ebd6 jmp nt!RtlCompareString+0x64 (805d8982)
kd> t
nt!RtlCompareString+0x64:
805d8982 5f pop edi
kd> t
nt!RtlCompareString+0x65:
805d8983 5e pop esi
kd> t
nt!RtlCompareString+0x66:
805d8984 5b pop ebx
kd> t
nt!RtlCompareString+0x67:
805d8985 c9 leave
kd> t
nt!RtlCompareString+0x68:
805d8986 c20c00 ret 0Ch
kd> t
IrpDispatch!NtMyOpenProcess+0x4b:
f9f4ea7b 85c0 test eax,eax
kd> t
IrpDispatch!NtMyOpenProcess+0x65:
f9f4ea95 60 pushad
kd> t
IrpDispatch!NtMyOpenProcess+0x66:
f9f4ea96 ff75c8 push dword ptr [ebp-38h]
kd> t
IrpDispatch!NtMyOpenProcess+0x69:
f9f4ea99 ff75dc push dword ptr [ebp-24h]
kd> t
IrpDispatch!NtMyOpenProcess+0x6c:
f9f4ea9c 61 popad
kd> t
IrpDispatch!NtMyOpenProcess+0x6d:
f9f4ea9d ff3538e6f4f9 push dword ptr [IrpDispatch!p_ReturnAddress (f9f4e638)]
kd> t
IrpDispatch!NtMyOpenProcess+0x73:
f9f4eaa3 ff253ce6f4f9 jmp dword ptr [IrpDispatch!ObOpenObjectByPointerAddress (f9f4e63c)]
kd> g
Access violation - code c0000005 (!!! second chance !!!)
nt!ObReferenceObjectByPointer+0xe:
80522d26 394808 cmp dword ptr [eax+8],ecx
kd> u ObReferenceObjectByPointer
nt!ObReferenceObjectByPointer:
80522d18 8bff mov edi,edi
80522d1a 55 push ebp
80522d1b 8bec mov ebp,esp
80522d1d 8b4508 mov eax,dword ptr [ebp+8]
80522d20 8b4d10 mov ecx,dword ptr [ebp+10h]
80522d23 83c0e8 add eax,0FFFFFFE8h
80522d26 394808 cmp dword ptr [eax+8],ecx // the error occurs here
80522d29 894508 mov dword ptr [ebp+8],eax
The message is:
Access violation - code c0000005 (!!! second chance !!!)
But I found that ObReferenceObjectByPointer on my system is different from the one in the virtual machine, and I did not modify it either.
Virtual machine: CALL nop'd // I changed the one above; the one below I did not change. 805b10d0 was not changed, yet it cannot be accessed.
805c1042 e88900ffff call nt!ObOpenObjectByPointer (805b10d0)
805c1047 8bf8 mov edi,eax
805c1049 8d8548ffffff lea eax,[ebp-0B8h]
805c104f 50 push eax
kd> g
Access violation - code c0000005 (!!! second chance !!!)
nt!ObReferenceObjectByPointer+0xe:
80522d26 394808 cmp dword ptr [eax+8],ecx
kd> g
Single step exception - code 80000004 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
nt!IoGetCurrentProcess:
804ef4d2 64a124010000 mov eax,dword ptr fs:[00000124h]
kd> g
Access violation - code c0000005 (!!! second chance !!!)
nt!ObReferenceObjectByPointer+0xe:
80522d26 394808 cmp dword ptr [eax+8],ecx
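The stub at IrpDispatch!NtMyOpenProcess+0x65 through +0x73 in the log (pushad; push [ebp-38h]; push [ebp-24h]; popad; push [p_ReturnAddress]; jmp [ObOpenObjectByPointerAddress]) can be checked with a small model of the x86 stack. The following C program is an added example, not code from the original post; the register contents, the two locals and the return address fed into it are constructed sample values, and the 8-dword PUSHAD/POPAD layout is the documented x86 behaviour (PUSHAD pushes EAX, ECX, EDX, EBX, the original ESP, EBP, ESI, EDI; POPAD pops them back in reverse order, discarding the ESP slot).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the original post: a minimal model of the x86
 * stack, used to trace what the hook stub in the WinDbg log
 *   pushad ; push [ebp-38h] ; push [ebp-24h] ; popad ; push [p_ReturnAddress] ; jmp [target]
 * leaves on the stack for the hooked function. All register and argument
 * values passed to run_stub() are constructed sample values. */

typedef struct {
    uint32_t eax, ecx, edx, ebx, esp, ebp, esi, edi;
} regs_t;

#define STACK_DWORDS 64
#define STACK_BASE   0xF8000000u          /* constructed (fake) stack base */

typedef struct {
    uint32_t mem[STACK_DWORDS];           /* mem[i] models the dword at STACK_BASE + 4*i */
    regs_t   r;
} cpu_t;

static uint32_t rd(const cpu_t *c, uint32_t addr) { return c->mem[(addr - STACK_BASE) / 4]; }
static void     wr(cpu_t *c, uint32_t addr, uint32_t v) { c->mem[(addr - STACK_BASE) / 4] = v; }

static void     push(cpu_t *c, uint32_t v) { c->r.esp -= 4; wr(c, c->r.esp, v); }
static uint32_t pop(cpu_t *c) { uint32_t v = rd(c, c->r.esp); c->r.esp += 4; return v; }

/* PUSHAD pushes EAX, ECX, EDX, EBX, ESP (value before the instruction), EBP, ESI, EDI. */
static void pushad(cpu_t *c) {
    uint32_t esp0 = c->r.esp;
    push(c, c->r.eax); push(c, c->r.ecx); push(c, c->r.edx); push(c, c->r.ebx);
    push(c, esp0);     push(c, c->r.ebp); push(c, c->r.esi); push(c, c->r.edi);
}

/* POPAD pops EDI, ESI, EBP, (ESP slot discarded), EBX, EDX, ECX, EAX. */
static void popad(cpu_t *c) {
    c->r.edi = pop(c); c->r.esi = pop(c); c->r.ebp = pop(c); (void)pop(c);
    c->r.ebx = pop(c); c->r.edx = pop(c); c->r.ecx = pop(c); c->r.eax = pop(c);
}

/* What the hooked function sees on entry: [esp] = return address,
 * [esp+4] = first stdcall argument, [esp+8] = second, plus the register state. */
typedef struct {
    uint32_t ret, arg1, arg2;
    int      net_dwords;                  /* dwords the stub left on the stack overall */
    regs_t   regs;
} stub_result_t;

static stub_result_t run_stub(regs_t in, uint32_t local_38, uint32_t local_24, uint32_t ret_addr) {
    cpu_t c;
    memset(&c, 0, sizeof c);
    c.r = in;
    c.r.esp = STACK_BASE + 4 * STACK_DWORDS;   /* empty model stack */
    uint32_t esp_before = c.r.esp;

    pushad(&c);                      /* f9f4ea95  pushad */
    push(&c, local_38);              /* f9f4ea96  push dword ptr [ebp-38h] */
    push(&c, local_24);              /* f9f4ea99  push dword ptr [ebp-24h] */
    popad(&c);                       /* f9f4ea9c  popad */
    push(&c, ret_addr);              /* f9f4ea9d  push dword ptr [p_ReturnAddress] */
    /* f9f4eaa3  jmp dword ptr [ObOpenObjectByPointerAddress]: the callee now reads its frame. */

    stub_result_t out;
    out.ret        = rd(&c, c.r.esp);
    out.arg1       = rd(&c, c.r.esp + 4);
    out.arg2       = rd(&c, c.r.esp + 8);
    out.net_dwords = (int)((esp_before - c.r.esp) / 4);
    out.regs       = c.r;
    return out;
}

int main(void) {
    /* Constructed register state; distinct patterns make the permutation visible. */
    regs_t in = { .eax = 0x11111111u, .ecx = 0x22222222u, .edx = 0x33333333u, .ebx = 0x44444444u,
                  .esp = 0, .ebp = 0x66666666u, .esi = 0x77777777u, .edi = 0x88888888u };
    /* 0xAAAAAAAA stands in for [ebp-38h], 0xBBBBBBBB for [ebp-24h], 0xCAFEBABE for the stored return address. */
    stub_result_t r = run_stub(in, 0xAAAAAAAAu, 0xBBBBBBBBu, 0xCAFEBABEu);
    printf("net dwords left by stub : %d\n", r.net_dwords);
    printf("[esp]   return address  : %08x\n", r.ret);
    printf("[esp+4] first argument  : %08x (saved ecx, not a pushed local)\n", r.arg1);
    printf("[esp+8] second argument : %08x (saved eax)\n", r.arg2);
    printf("edi=%08x esi=%08x ebp=%08x ebx=%08x ecx=%08x eax=%08x\n",
           r.regs.edi, r.regs.esi, r.regs.ebp, r.regs.ebx, r.regs.ecx, r.regs.eax);
    return 0;
}
```

Running the model shows the net effect of the stub: POPAD first pops the two freshly pushed locals into EDI and ESI and then only six of the eight saved registers, so what remains directly under the return address when control reaches ObOpenObjectByPointer is the saved ECX and EAX, not [ebp-38h] and [ebp-24h], and the callee starts with permuted registers. If the Object argument that reaches ObReferenceObjectByPointer is such a stale register value, its `add eax,0FFFFFFE8h` / `cmp dword ptr [eax+8],ecx` (OBJECT_HEADER at Object-0x18, type field at offset 8) reads through an arbitrary pointer, which is consistent with the fault location in the trace.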