1. Conditional breakpoint. At the entry of a stdcall routine [esp] is the return address and [esp+8] is the second argument, so this breaks only when IcaStackIoControl is called with IOCTL code 0x382447 and resumes (gc) on every other call:

bp ICAAPI!IcaStackIoControl "j poi(@esp+8) = 0x382447 '';'gc'"

Stack when it hits:

00 000ad590 00382447 0274f258 ICAAPI!IcaStackIoControl
01 02492120 00000005 0274f258 rdpwsx!WsxEscape+0x92
02 00000002 000006c0 000cee18 termsrv!WinStationUpdateClientCachedCredentialsWorker+0x23c
03 000c7a70 0274fcc0 00000002 termsrv!RpcWinStationUpdateClientCachedCredentials+0xba
04 76496bbe 0274fae0 00000010 RPCRT4!Invoke+0x30
05 00000000 00000000 000d41b4 RPCRT4!NdrStubCall2+0x299
06 000d41b4 000be880 000d41b4 RPCRT4!NdrServerCall2+0x19
07 764af984 000d41b4 0274fdec RPCRT4!DispatchToStubInCNoAvrf+0x38
08 0000003f 00000000 764b589c RPCRT4!RPC_INTERFACE::DispatchToStubWorker+0x11f
09 000d41b4 00000000 764b589c RPCRT4!RPC_INTERFACE::DispatchToStub+0xa3
0a 000c6f18 000bbb48 000c8788 RPCRT4!LRPC_SCALL::DealWithRequestMessage+0x42c
0b 000bbb80 0274fe38 000c6f18 RPCRT4!LRPC_ADDRESS::DealWithLRPCRequest+0x127
0c 0274ffac 77c5872d 000bbb48 RPCRT4!LRPC_ADDRESS::ReceiveLotsaCalls+0x430
0d 000bbb48 00000000 00000000 RPCRT4!RecvLotsaCallsWrapper+0xd
0e 0009c9d8 0274ffec 7c824829 RPCRT4!BaseCachedThreadRoutine+0x9d
0f 000d4538 00000000 00000000 RPCRT4!ThreadStartRoutine+0x1b
10 77c4b0f5 000d4538 00000000 kernel32!BaseThreadStart+0x34

2. The argument slots at the breakpoint; the third one (0274f258) is the input buffer that the RPC call RpcWinStationUpdateClientCachedCredentials hands down through WsxEscape:

kd> dd esp
0274f1e0 724c5955 000ad590 00382447 0274f258
0274f1f0 00000604 00000000 00000000 0274f228

kd> db 0274f258
0274f258 41 00 64 00 6d 00 69 00-6e 00 69 00 73 00 74 00 A.d.m.i.n.i.s.t. <-- logged-on user name
0274f268 72 00 61 00 74 00 6f 00-72 00 00 00 00 00 00 00 r.a.t.o.r.......
0274f278 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
...

The clear-text password follows further on in the same buffer.
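The two steps above can be scripted instead of read off by eye. The following is an added example for this post, not code from the original: it parses pasted `dd esp` output to recover the IcaStackIoControl arguments (so `poi(@esp+8)` lands on the IOCTL code), then parses the `db` dump of the input buffer and lists every UTF-16LE string in it. The first three `db` rows are the ones from the post; the two rows after them, and the password value in them, are constructed for the sample, since the post gives neither the offset nor the value of the password. The argument names (handle, IOCTL code, input buffer, input length) are this example's reading of the stack slots, not a prototype the post provides.

```python
"""Reading the IcaStackIoControl call out of pasted WinDbg output.

Added example for this post, not code from the original; it re-does by script
what the post does by eye: recover the call arguments from `dd esp`, then pull
the UTF-16LE strings (the logged-on user name, and whatever follows it) out of
the `db` dump of the input buffer.
"""
import re
from typing import Dict, List, Tuple

# --- constructed sample input -------------------------------------------------
# The first three `db` rows are the ones shown in the post. The two rows after
# them are CONSTRUCTED for this example: the post only says a clear-text
# password follows the user name and gives neither its offset nor its value.
DD_ESP = """\
kd> dd esp
0274f1e0 724c5955 000ad590 00382447 0274f258
0274f1f0 00000604 00000000 00000000 0274f228
"""

DB_INBUF = """\
kd> db 0274f258
0274f258 41 00 64 00 6d 00 69 00-6e 00 69 00 73 00 74 00 A.d.m.i.n.i.s.t.
0274f268 72 00 61 00 74 00 6f 00-72 00 00 00 00 00 00 00 r.a.t.o.r.......
0274f278 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0274f288 50 00 61 00 73 00 73 00-77 00 30 00 72 00 64 00 P.a.s.s.w.0.r.d.
0274f298 21 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 !...............
"""

_DD_ROW = re.compile(r"^([0-9a-fA-F]{8})\s+((?:[0-9a-fA-F]{8}(?:\s+|$)){1,4})")
_DB_ROW = re.compile(
    r"^([0-9a-fA-F]{8})\s+"
    r"((?:[0-9a-fA-F]{2} ){7}[0-9a-fA-F]{2}-(?:[0-9a-fA-F]{2} ){7}[0-9a-fA-F]{2})"
)


def parse_dd_output(text: str) -> List[int]:
    """Return the DWORDs from pasted `dd` output, in address order.
    Prompt lines and anything else that is not a `dd` row are skipped."""
    slots: List[int] = []
    for line in text.splitlines():
        m = _DD_ROW.match(line.strip())
        if m:
            slots.extend(int(w, 16) for w in m.group(2).split())
    return slots


def ica_stack_ioctl_args(esp_slots: List[int]) -> Dict[str, int]:
    """Name the stack slots at the entry of a stdcall routine.

    [esp] is the return address and [esp+4*n] is argument n, which is why the
    post's condition `poi(@esp+8)` tests the second argument. The names used
    here (handle, IOCTL code, input buffer, input length) are an assumption
    made for this example; the post does not give the prototype."""
    ret, handle, ioctl, inbuf, inlen = esp_slots[:5]
    return {"ret": ret, "handle": handle, "ioctl": ioctl,
            "inbuf": inbuf, "inlen": inlen}


def parse_db_output(text: str) -> Tuple[int, bytes]:
    """Turn pasted `db` output into (base_address, raw_bytes).

    Only full 16-byte rows are accepted, so the ASCII column at the end of a
    row can never be mistaken for hex bytes."""
    base = None
    raw = bytearray()
    for line in text.splitlines():
        m = _DB_ROW.match(line.strip())
        if not m:
            continue
        if base is None:
            base = int(m.group(1), 16)
        raw += bytes.fromhex(m.group(2).replace("-", "").replace(" ", ""))
    if base is None:
        raise ValueError("no db rows found")
    return base, bytes(raw)


def extract_utf16le_strings(buf: bytes, min_chars: int = 3) -> List[Tuple[int, str]]:
    """Return (offset, text) for every run of at least min_chars printable
    UTF-16LE characters, scanning on 2-byte boundaries from the buffer start
    (correct here because the dump starts exactly at the buffer pointer)."""
    found: List[Tuple[int, str]] = []
    start, chars = None, []
    for off in range(0, len(buf) - 1, 2):
        code = buf[off] | (buf[off + 1] << 8)
        if 0x20 <= code < 0x7F:
            if start is None:
                start = off
            chars.append(chr(code))
        else:
            if start is not None and len(chars) >= min_chars:
                found.append((start, "".join(chars)))
            start, chars = None, []
    if start is not None and len(chars) >= min_chars:
        found.append((start, "".join(chars)))
    return found


if __name__ == "__main__":
    call = ica_stack_ioctl_args(parse_dd_output(DD_ESP))
    print("IcaStackIoControl(ioctl=%#x, inbuf=%#x, inlen=%#x)"
          % (call["ioctl"], call["inbuf"], call["inlen"]))
    base, buf = parse_db_output(DB_INBUF)
    for off, s in extract_utf16le_strings(buf):
        print("%08x (+%#x): %s" % (base + off, off, s))
```

Feed it a raw copy-paste from the debugger; prompt lines and the `...` the post uses to elide rows are ignored. The string scan is deliberately naive (printable ASCII range only, 2-byte aligned), which is enough for the ANSI user names and passwords that show up in this buffer; a non-Latin password would need a wider code-point filter.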