-
-
[讨论]windbg不用符号的方法
-
发表于: 2013-3-4 13:16
-
有时候在用uf反汇编的时候,代码里面与地址有关的地方都有那些很长很长的符号,
很难看,不好阅读,还不如纯汇编码。于是就去找不加载符号的方法。
看帮助里有.symopt命令,可是不能解决问题!
后来看到.reload命令的/u选项,可以解决这个问题。
除此之外,windbg还有什么方法或者选项,可以控制符号不加载。
举个例子
0:000> uf 7d632faf
SHELL32!ShellAboutW:
7d632faf 8bff mov edi,edi
7d632fb1 55 push ebp
7d632fb2 8bec mov ebp,esp
7d632fb4 83ec0c sub esp,0Ch
7d632fb7 8b4514 mov eax,dword ptr [ebp+14h]
7d632fba 8945f4 mov dword ptr [ebp-0Ch],eax
7d632fbd 8b450c mov eax,dword ptr [ebp+0Ch]
7d632fc0 8945f8 mov dword ptr [ebp-8],eax
7d632fc3 8b4510 mov eax,dword ptr [ebp+10h]
7d632fc6 8945fc mov dword ptr [ebp-4],eax
7d632fc9 e8fff6ffff call SHELL32!SHCreateQueryCancelAutoPlayMoniker+0x20
6a7 (7d6326cd)
7d632fce 85c0 test eax,eax
7d632fd0 7407 je SHELL32!ShellAboutW+0x2a (7d632fd9)
SHELL32!ShellAboutW+0x23:
7d632fd2 e8f6f6ffff call SHELL32!SHCreateQueryCancelAutoPlayMoniker+0x20
6a7 (7d6326cd)
7d632fd7 eb05 jmp SHELL32!ShellAboutW+0x2f (7d632fde)
SHELL32!ShellAboutW+0x2a:
7d632fd9 a1a4f5797d mov eax,dword ptr [SHELL32!StrStrW+0x324c2 (7d79f5a
4)]
SHELL32!ShellAboutW+0x2f:
7d632fde 8d4df4 lea ecx,[ebp-0Ch]
7d632fe1 51 push ecx
7d632fe2 68ab2c637d push offset SHELL32!SHCreateQueryCancelAutoPlayMonik
er+0x20c85 (7d632cab)
7d632fe7 ff7508 push dword ptr [ebp+8]
7d632fea 6810380000 push offset <Unloaded_EHLP.dll>+0x380f (00003810)
7d632fef 50 push eax
7d632ff0 e8bcd3fdff call SHELL32!Ordinal61+0xfb (7d6103b1)
7d632ff5 c9 leave
7d632ff6 c21000 ret 10h
卸载模块符号
0:000> .reload /u shell32.dll
Unloaded shell32.dll
再次看看
0:000> uf 7d632faf
7d632faf 8bff mov edi,edi
7d632fb1 55 push ebp
7d632fb2 8bec mov ebp,esp
7d632fb4 83ec0c sub esp,0Ch
7d632fb7 8b4514 mov eax,dword ptr [ebp+14h]
7d632fba 8945f4 mov dword ptr [ebp-0Ch],eax
7d632fbd 8b450c mov eax,dword ptr [ebp+0Ch]
7d632fc0 8945f8 mov dword ptr [ebp-8],eax
7d632fc3 8b4510 mov eax,dword ptr [ebp+10h]
7d632fc6 8945fc mov dword ptr [ebp-4],eax
7d632fc9 e8fff6ffff call 7d6326cd
7d632fce 85c0 test eax,eax
7d632fd0 7407 je 7d632fd9
7d632fd2 e8f6f6ffff call 7d6326cd
7d632fd7 eb05 jmp 7d632fde
7d632fd9 a1a4f5797d mov eax,dword ptr ds:[7D79F5A4h]
7d632fde 8d4df4 lea ecx,[ebp-0Ch]
7d632fe1 51 push ecx
7d632fe2 68ab2c637d push 7D632CABh
7d632fe7 ff7508 push dword ptr [ebp+8]
7d632fea 6810380000 push offset <Unloaded_EHLP.dll>+0x380f (00003810)
7d632fef 50 push eax
7d632ff0 e8bcd3fdff call 7d6103b1
7d632ff5 c9 leave
7d632ff6 c21000 ret 10h
很难看,不好阅读,还不如纯汇编码。于是就去找不加载符号的方法。
看帮助里有.symopt命令,可是不能解决问题!
后来看到.reload命令的/u选项,可以解决这个问题。
除此之外,windbg还有什么方法或者选项,可以控制符号不加载。
举个例子
0:000> uf 7d632faf
SHELL32!ShellAboutW:
7d632faf 8bff mov edi,edi
7d632fb1 55 push ebp
7d632fb2 8bec mov ebp,esp
7d632fb4 83ec0c sub esp,0Ch
7d632fb7 8b4514 mov eax,dword ptr [ebp+14h]
7d632fba 8945f4 mov dword ptr [ebp-0Ch],eax
7d632fbd 8b450c mov eax,dword ptr [ebp+0Ch]
7d632fc0 8945f8 mov dword ptr [ebp-8],eax
7d632fc3 8b4510 mov eax,dword ptr [ebp+10h]
7d632fc6 8945fc mov dword ptr [ebp-4],eax
7d632fc9 e8fff6ffff call SHELL32!SHCreateQueryCancelAutoPlayMoniker+0x20
6a7 (7d6326cd)
7d632fce 85c0 test eax,eax
7d632fd0 7407 je SHELL32!ShellAboutW+0x2a (7d632fd9)
SHELL32!ShellAboutW+0x23:
7d632fd2 e8f6f6ffff call SHELL32!SHCreateQueryCancelAutoPlayMoniker+0x20
6a7 (7d6326cd)
7d632fd7 eb05 jmp SHELL32!ShellAboutW+0x2f (7d632fde)
SHELL32!ShellAboutW+0x2a:
7d632fd9 a1a4f5797d mov eax,dword ptr [SHELL32!StrStrW+0x324c2 (7d79f5a
4)]
SHELL32!ShellAboutW+0x2f:
7d632fde 8d4df4 lea ecx,[ebp-0Ch]
7d632fe1 51 push ecx
7d632fe2 68ab2c637d push offset SHELL32!SHCreateQueryCancelAutoPlayMonik
er+0x20c85 (7d632cab)
7d632fe7 ff7508 push dword ptr [ebp+8]
7d632fea 6810380000 push offset <Unloaded_EHLP.dll>+0x380f (00003810)
7d632fef 50 push eax
7d632ff0 e8bcd3fdff call SHELL32!Ordinal61+0xfb (7d6103b1)
7d632ff5 c9 leave
7d632ff6 c21000 ret 10h
卸载模块符号
0:000> .reload /u shell32.dll
Unloaded shell32.dll
再次看看
0:000> uf 7d632faf
7d632faf 8bff mov edi,edi
7d632fb1 55 push ebp
7d632fb2 8bec mov ebp,esp
7d632fb4 83ec0c sub esp,0Ch
7d632fb7 8b4514 mov eax,dword ptr [ebp+14h]
7d632fba 8945f4 mov dword ptr [ebp-0Ch],eax
7d632fbd 8b450c mov eax,dword ptr [ebp+0Ch]
7d632fc0 8945f8 mov dword ptr [ebp-8],eax
7d632fc3 8b4510 mov eax,dword ptr [ebp+10h]
7d632fc6 8945fc mov dword ptr [ebp-4],eax
7d632fc9 e8fff6ffff call 7d6326cd
7d632fce 85c0 test eax,eax
7d632fd0 7407 je 7d632fd9
7d632fd2 e8f6f6ffff call 7d6326cd
7d632fd7 eb05 jmp 7d632fde
7d632fd9 a1a4f5797d mov eax,dword ptr ds:[7D79F5A4h]
7d632fde 8d4df4 lea ecx,[ebp-0Ch]
7d632fe1 51 push ecx
7d632fe2 68ab2c637d push 7D632CABh
7d632fe7 ff7508 push dword ptr [ebp+8]
7d632fea 6810380000 push offset <Unloaded_EHLP.dll>+0x380f (00003810)
7d632fef 50 push eax
7d632ff0 e8bcd3fdff call 7d6103b1
7d632ff5 c9 leave
7d632ff6 c21000 ret 10h
[培训]《安卓高级研修班(网课)》月薪三万计划,掌握调试、分析还原ollvm、vmp的方法,定制art虚拟机自动化脱壳的方法
|
|
|---|---|
|
|
|
|
|
|
|
|
|
