Capability: ( LV12,RANK:250 )
Post 76
Many thanks to everyone for your attention and support. Your participation gives me even more motivation to finish this.
This thread is not a simple translation of the WinDbg help; I feel that would be pointless. What I want to do is combine the usage of the common WinDbg commands with the scenarios they apply to and the way of thinking when analysing a problem, as reference material for those who use WinDbg as their debugging tool.
My own ability is limited, and I am learning as I write this. Recently I have been reading 《windbg高级调试》 and 《windbg用户态程序高效排错》; both are very good and I recommend everyone read them.
OK, enough chatter, on with the update.
When debugging you cannot avoid using breakpoints. But using only simple breakpoints leaves the following problems:
1. If a function is called very frequently, what do you do when being broken into all the time interferes with execution?
2. What if I only want to break when a certain value has changed?
3. What if I only want to break the 20th time a function is called?
4. How do I write a string conditional breakpoint?
5. I want a logging breakpoint (one that only prints information and does not break); how do I write it?
32. Advanced uses of conditional breakpoints
32.1. String conditional breakpoints
What if you want to break when a particular module (for example USER32.DLL) is loaded?
Let's look at an example.
The current program consists of two modules: break.exe and breakdll.dll.
During execution, break.exe loads breakdll.dll.
So how do we break at the moment breakdll.dll is loaded?
//How to set an ASCII string conditional breakpoint
0:000> bp kernel32!LoadLibraryA "as /ma ${/v:dllname} poi(esp+4); .if($sicmp(\"${dllname}\",\"breakdll.dll\")==0){.echo ${dllname};}.else{gc;}"
0:000> g
*** WARNING: Unable to verify checksum for break.exe
breakdll.dll
eax=cccccccc ebx=7ffd8000 ecx=00000000 edx=00000001 esi=0012fe78 edi=0012ff68
eip=7c801d7b esp=0012fe70 ebp=0012ff68 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
kernel32!LoadLibraryA:
7c801d7b 8bff mov edi,edi
//How to set a Unicode string conditional breakpoint
0:000> bp kernel32!LoadLibraryExW "as /mu ${/v:dllname} poi(esp+4); .if($sicmp(\"${dllname}\",\"breakdll.dll\")==0){.echo ${dllname};}.else{gc;}"
0:000> g
breakdll.dll
eax=7ffddbf8 ebx=7ffde000 ecx=7ffddc00 edx=004157bc esi=0012fe78 edi=0012ff68
eip=7c801af5 esp=0012fe40 ebp=0012fe50 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
kernel32!LoadLibraryExW:
7c801af5 6a34 push 34h
32.2. Setting breakpoints in sequence
Once breakdll.dll has been loaded, the program calls that module's GetRandom function (which generates a random number).
Now I want a breakpoint set on GetRandom as soon as breakdll.dll has finished loading.
0:000> bp kernel32!LoadLibraryA "as /ma ${/v:dllname} poi(esp+4); .if($sicmp(\"${dllname}\",\"breakdll.dll\")==0){.echo ${dllname};gu; bp breakdll!GetRandom;g;}.else{gc;}"
0:000> g
*** WARNING: Unable to verify checksum for break.exe
breakdll.dll
ModLoad: 10000000 1001b000 D:\test\windbgtest\break\Debug\breakdll.dll
*** WARNING: Unable to verify checksum for D:\test\windbgtest\break\Debug\breakdll.dll
Breakpoint 1 hit
eax=10011091 ebx=7ffd6000 ecx=7c937de9 edx=7c99b178 esi=0012fe78 edi=0012ff68
eip=10011420 esp=0012fe74 ebp=0012ff68 iopl=0 nv up ei ng nz ac pe cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000297
breakdll!GetRandom:
10011420 55 push ebp
32.3. Using the bu command
That conditional breakpoint is really long and awkward to write. Is there a better way? This is where I remembered the bu command.
bu can set breakpoints on modules that have not been loaded yet.
0:000> bu breakdll!GetRandom
0:000> g
*** WARNING: Unable to verify checksum for D:\test\windbgtest\break\Debug\breakdll.dll
ModLoad: 10000000 1001b000 D:\test\windbgtest\break\Debug\breakdll.dll //The module is loaded
Breakpoint 0 hit
eax=10011091 ebx=7ffd4000 ecx=7c937de9 edx=7c99b178 esi=0012fe78 edi=0012ff68
eip=10011420 esp=0012fe74 ebp=0012ff68 iopl=0 nv up ei ng nz ac pe cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000297
breakdll!GetRandom:
10011420 55 push ebp
32.4. Hit count
break.exe calls breakdll!GetRandom 20 times, and I want to break on the 10th call. How do I do that?
ntdll!DbgBreakPoint:
7c92120e cc int 3
0:000> r @$t0 = 0
0:000> bu breakdll!GetRandom "r $t0=@$t0+1; .printf \"$t0=%d\\n\", @$t0;.if(@$t0==0n10){}.else{gc;}"
0:000> g
*** WARNING: Unable to verify checksum for D:\test\windbgtest\break\Debug\breakdll.dll
ModLoad: 10000000 1001b000 D:\test\windbgtest\break\Debug\breakdll.dll
*** WARNING: Unable to verify checksum for break.exe
$t0=1
$t0=2
$t0=3
$t0=4
$t0=5
$t0=6
$t0=7
$t0=8
$t0=9
$t0=10
eax=00000004 ebx=7ffd7000 ecx=c8c29a13 edx=00391ec0 esi=0012fe78 edi=0012ff68
eip=10011420 esp=0012fe74 ebp=0012ff68 iopl=0 nv up ei ng nz na pe cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000287
breakdll!GetRandom:
10011420 55 push ebp
32.5. Logging breakpoints
I want to know what breakdll!GetRandom returns each time it finishes executing; the way to write that is:
ntdll!DbgBreakPoint:
7c92120e cc int 3
0:000> bu breakdll!GetRandom "gu;.printf \"GetRandom ret: %d\\n\", @eax;g;"
0:000> g
*** WARNING: Unable to verify checksum for D:\test\windbgtest\break\Debug\breakdll.dll
ModLoad: 10000000 1001b000 D:\test\windbgtest\break\Debug\breakdll.dll
*** WARNING: Unable to verify checksum for break.exe
GetRandom ret: 19267
GetRandom ret: 32169
GetRandom ret: 24352
GetRandom ret: 7475
GetRandom ret: 5700
GetRandom ret: 16672
GetRandom ret: 11921
GetRandom ret: 19360
GetRandom ret: 30209
GetRandom ret: 7458
GetRandom ret: 29727
GetRandom ret: 3199
GetRandom ret: 9226
GetRandom ret: 20818
GetRandom ret: 27630
GetRandom ret: 31281
GetRandom ret: 9424
GetRandom ret: 5549
GetRandom ret: 24090
GetRandom ret: 11321
eax=00000000 ebx=00000000 ecx=7c800000 edx=10361e40 esi=7c92de50 edi=00000000
eip=7c92e4f4 esp=0012fdf0 ebp=0012feec iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
ntdll!KiFastSystemCallRet:
7c92e4f4 c3 ret
32.6. Monitoring a variable for modification
break.exe has a global variable g_nValue whose default value is 100; during execution this value changes. I want to know the call stack at the moment it is modified, the value after modification, and the assembly instruction that modified it.
CommandLine: D:\test\windbgtest\break\Debug\break.exe
Symbol search path is: srv*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
ModLoad: 00400000 0041b000 break.exe
ModLoad: 7c920000 7c9b3000 ntdll.dll
ModLoad: 7c800000 7c91e000 C:\WINDOWS\system32\kernel32.dll
ModLoad: 10200000 10372000 C:\WINDOWS\system32\MSVCR100D.dll
(d08.b60): Break instruction exception - code 80000003 (first chance)
eax=00251eb4 ebx=7ffdb000 ecx=00000003 edx=00000008 esi=00251f48 edi=00251eb4
eip=7c92120e esp=0012fb20 ebp=0012fc94 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
ntdll!DbgBreakPoint:
7c92120e cc int 3
//Run to the entry point
0:000> g break!wmain
eax=00392bd8 ebx=7ffdb000 ecx=00392b40 edx=00000001 esi=0125f75a edi=0125f6ee
eip=00412f10 esp=0012ff6c ebp=0012ffb8 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
break!wmain:
00412f10 55 push ebp
//Save the variable's original value
0:000> r $t1=@@(break!g_nValue)
0:000> ? @$t1
Evaluate expression: 100 = 00000064
//Set a write breakpoint
0:000> ba w4 break!g_nValue ".if(@$t1!=@@(break!g_nValue)){?? break!g_nValue;kp 5;ub eip l5;}.else{gc;}"
0:000> g
ModLoad: 10000000 1001b000 D:\test\windbgtest\break\Debug\breakdll.dll
//Print the current value
int 0n305
//Print the call stack
ChildEBP RetAddr
0012fe60 00412f9a break!SetValue(int n = 0n305)+0x26 [d:\test\windbgtest\break\break.cpp @ 14]
0012ff68 0041194f break!wmain(int argc = 0n1, wchar_t ** argv = 0x00392b40)+0x8a [d:\test\windbgtest\break\break.cpp @ 24]
0012ffb8 0041177f break!__tmainCRTStartup(void)+0x1bf [f:\dd\vctools\crt_bld\self_x86\crt\src\crtexe.c @ 552]
0012ffc0 7c817067 break!wmainCRTStartup(void)+0xf [f:\dd\vctools\crt_bld\self_x86\crt\src\crtexe.c @ 371]
0012fff0 00000000 kernel32!BaseProcessStart+0x23
break!SetValue+0x12 [d:\test\windbgtest\break\break.cpp @ 12]:
//Print the disassembly
00411a02 b930000000 mov ecx,30h
00411a07 b8cccccccc mov eax,0CCCCCCCCh
00411a0c f3ab rep stos dword ptr es:[edi]
00411a0e 8b4508 mov eax,dword ptr [ebp+8]
00411a11 a314704100 mov dword ptr [break!g_nValue (00417014)],eax //This is the instruction that modifies g_nValue
eax=00000131 ebx=7ffdb000 ecx=00000000 edx=00391ec0 esi=0012fe6c edi=0012fe60
eip=00411a16 esp=0012fd94 ebp=0012fe60 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
break!SetValue+0x26:
00411a16 5f pop edi
32.7. Breaking only on a specific thread
In break.exe the global g_nValue is modified by several threads, and I only care about thread 1, so I set the breakpoint for thread 1 only:
0:000> ~0 ba w4 break!g_nValue
The bm, bp and bu commands can likewise set breakpoints for a specified thread.
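The breakpoints used in this post (string-argument match, hit count, return-value logging, and a write watch that compares against a saved value) differ only in their command body, and the part that usually goes wrong is the quoting of that body. The following Python helper is an added example, not code from the original post: it assembles each command string with the escaping WinDbg expects so the result can be pasted at the prompt, and it reproduces the exact commands shown above. The function names and the `deferred`, `on_match`, `counter` and `saved` parameters are my own.

```python
r"""Build WinDbg conditional-breakpoint command strings with correct quoting.

The command body is handed to WinDbg as one double-quoted string, so every
double quote inside it must be escaped as \" and every backslash as \\, which
is why a newline inside .printf is written \\n. Getting this wrong is the usual
reason a long conditional breakpoint silently does nothing.
"""


def quote_body(body: str) -> str:
    """Escape a command body for use inside a WinDbg breakpoint string."""
    return '"' + body.replace("\\", "\\\\").replace('"', '\\"') + '"'


def string_arg_breakpoint(func, alias, arg_expr, expected, unicode=False, on_match=""):
    """Break on func only when the string pointed to by arg_expr equals expected.

    as /ma captures an ASCII string, as /mu a UTF-16 string, into an alias;
    $sicmp compares case-insensitively; gc resumes when there is no match.
    on_match: extra commands run after the matching string has been echoed.
    """
    mode = "/mu" if unicode else "/ma"
    body = ("as " + mode + " ${/v:" + alias + "} " + arg_expr + "; "
            + '.if($sicmp("${' + alias + '}","' + expected + '")==0)'
            + "{.echo ${" + alias + "};" + on_match + "}.else{gc;}")
    return "bp " + func + " " + quote_body(body)


def hit_count_breakpoint(func, n, counter="$t0", deferred=True):
    """Break on the n-th call of func, counting in a pseudo-register.

    The counter must be zeroed first (r @$t0 = 0), exactly as the post does.
    deferred=True emits bu so the breakpoint waits for the module to load.
    """
    c = counter
    body = ("r " + c + "=@" + c + "+1; .printf \"" + c + "=%d\\n\", @" + c + ";"
            + ".if(@" + c + "==0n" + str(n) + "){}.else{gc;}")
    return ("bu " if deferred else "bp ") + func + " " + quote_body(body)


def return_log_breakpoint(func, fmt, reg="@eax", deferred=True):
    """Logging breakpoint: run up to the caller (gu), print the return register, resume."""
    body = 'gu;.printf "' + fmt + '\\n", ' + reg + ";g;"
    return ("bu " if deferred else "bp ") + func + " " + quote_body(body)


def write_watch_breakpoint(symbol, saved="$t1", size=4):
    """Hardware write breakpoint that only stops when the value really changed.

    saved is the pseudo-register holding the previous value (r $t1=@@(symbol)).
    On a real change it prints the new value, five stack frames and the five
    instructions before eip, which include the writing instruction.
    """
    body = (".if(@" + saved + "!=@@(" + symbol + ")){?? " + symbol
            + ";kp 5;ub eip l5;}.else{gc;}")
    return "ba w" + str(size) + " " + symbol + " " + quote_body(body)


if __name__ == "__main__":
    # The four commands from this post, regenerated.
    print(string_arg_breakpoint("kernel32!LoadLibraryA", "dllname", "poi(esp+4)", "breakdll.dll"))
    print(hit_count_breakpoint("breakdll!GetRandom", 10))
    print(return_log_breakpoint("breakdll!GetRandom", "GetRandom ret: %d"))
    print(write_watch_breakpoint("break!g_nValue"))
```

Paste the returned string at the WinDbg prompt; for the hit-count form, zero the counter with `r @$t0 = 0` first, as in the post.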
Capability: ( LV3,RANK:38 )
Post 77
If you can't get past anti-debugging, all of this is just empty talk, you naughty OP
Capability: ( LV9,RANK:170 )
Post 78
Looking forward to the next updates,,,, wdg really isn't easy to pick up
Capability: ( LV2,RANK:10 )
Post 79
OP is awesome, learned a lot
Capability: ( LV12,RANK:250 )
Post 80
33. Remote debugging with WinDbg
When using a debugger you can't avoid debugging remotely. Below are two ways to debug remotely with WinDbg.
33.1. windbg + windbg
WinDbg runs on both sides. WinDbg itself supports many connection types: tcp, pipe, com, ssl and so on. Only tcp is covered here.
Setup:
Target machine (needs a port configured)
Method 1: from the command line
windbg.exe -server tcp:port=12345
Method 2: a command issued while WinDbg is running
.server tcp:port=12345
Local machine (set the target machine's IP and port)
Method 1: from the command line
windbg.exe -remote tcp:port=12345,server=192.168.1.101
Method 2: at runtime
From the menu choose File->Connect to Remote Session..., and in the dialog that appears enter tcp:port=12345,server=192.168.1.101
With the above you can connect to the target machine and debug the programs on it.
Characteristics of this method:
1. The pdb symbol files must be stored on the target machine.
2. To use launch-and-debug, the process to be debugged must be started with WinDbg on the target machine.
pdb symbols are usually large, and keeping them on the target is genuinely inconvenient. Is there another way? Let's look at the second method.
33.2. windbg + dbgsrv
The target machine runs dbgsrv; the local machine runs WinDbg.
dbgsrv is a component shipped with WinDbg.
Setup:
Target machine (needs a port configured)
Start it from the command line
dbgsrv.exe -t tcp:port=8888
Local machine (set the target machine's IP and port)
Connect at runtime
From the menu choose File->Connect to Remote Stub..., and in the dialog that appears enter tcp:port=8888,server=192.168.1.101
Once connected, attach to the process and debug it.
Characteristics of this method:
1. pdb symbols are kept on the local machine
2. Launch-and-debug cannot be used
Capability: ( LV12,RANK:250 )
Post 81
34. Listing processes: .tlist
//List process information
0:001> .tlist
0n0 System Process
0n4 System
0n572 smss.exe
0n644 csrss.exe
0n668 winlogon.exe
0n712 services.exe
0n724 lsass.exe
0n888 vmacthlp.exe
0n916 svchost.exe
0n996 svchost.exe
0n1096 svchost.exe
0n1208 svchost.exe
0n2792 Uedit32.exe
0n2284 vcpkgsrv.exe
0n2480 SogouCloud.exe
0n776 windbg.exe
0n1256 PEViewer.exe
0n404 SogouSmartInfo.exe
//List detailed process information
0:001> .tlist -v
0n0 System Process
0n4 System
0n572 smss.exe
Session: 0 User: NT AUTHORITY\SYSTEM Command Line: \SystemRoot\System32\smss.exe
0n644 csrss.exe
Session: 0 User: NT AUTHORITY\SYSTEM Command Line: C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
0n668 winlogon.exe
Session: 0 User: NT AUTHORITY\SYSTEM Command Line: winlogon.exe
0n712 services.exe
Session: 0 User: NT AUTHORITY\SYSTEM Services: Eventlog,PlugPlay Command Line: C:\WINDOWS\system32\services.exe
0n724 lsass.exe
Session: 0 User: NT AUTHORITY\SYSTEM Services: PolicyAgent,ProtectedStorage,SamSs Command Line: C:\WINDOWS\system32\lsass.exe
0n888 vmacthlp.exe
Session: 0 User: NT AUTHORITY\SYSTEM Services: VMware Physical Disk Helper Service Command Line: "C:\Program Files\VMware\VMware Tools\vmacthlp.exe"
35. Viewing the thread environment block: !teb
!teb shows a summary of the thread
Full thread details can be viewed with dt _TEB 7ffdf000
0:000> !teb
TEB at 7ffdf000
ExceptionList: 0012ef1c //SEH exception chain
StackBase: 00130000 //Stack base address
StackLimit: 00128000
SubSystemTib: 00000000
FiberData: 00001e00
ArbitraryUserPointer: 00000000
Self: 7ffdf000 //Address of the TEB itself
EnvironmentPointer: 00000000
ClientId: 000004e8 . 000002b0 //PID . TID
RpcHandle: 00000000
Tls Storage: 00000000
PEB Address: 7ffdb000 //Process environment block address
LastErrorValue: 0 //Most recent error code, as returned by GetLastError()
LastStatusValue: c0000135 //Most recent status code
Count Owned Locks: 0
HardErrorMode: 0
36. Viewing the process environment block: !peb
!peb shows a summary of the process
Full process details can be viewed with dt _PEB 7ffdb000
0:001> !peb
PEB at 7ffdb000
InheritedAddressSpace: No
ReadImageFileExecOptions: No
BeingDebugged: Yes //Whether a debugger is attached
//Module information
ImageBaseAddress: 00400000
Ldr 00251ea0
Ldr.Initialized: Yes
Ldr.InInitializationOrderModuleList: 00251f58 . 00254750
Ldr.InLoadOrderModuleList: 00251ee0 . 00254980
Ldr.InMemoryOrderModuleList: 00251ee8 . 00254988
Base TimeStamp Module
400000 523463a1 Sep 14 21:24:49 2013 C:\Documents and Settings\Administrator\桌面\PEViewer0.9\PEViewer\Debug\PEViewer.exe
7c920000 4802bdc5 Apr 14 10:13:25 2008 C:\WINDOWS\system32\ntdll.dll
7c800000 4802bdc6 Apr 14 10:13:26 2008 C:\WINDOWS\system32\kernel32.dll
78b60000 4ba1f9bc Mar 18 18:00:28 2010 C:\WINDOWS\system32\mfc100d.dll
10200000 4ba1dbd4 Mar 18 15:52:52 2010 C:\WINDOWS\system32\MSVCR100D.dll
77d10000 4802bdbd Apr 14 10:13:17 2008 C:\WINDOWS\system32\USER32.dll
77ef0000 4802bd81 Apr 14 10:12:17 2008 C:\WINDOWS\system32\GDI32.dll
77f40000 4802bdbb Apr 14 10:13:15 2008 C:\WINDOWS\system32\SHLWAPI.dll
77da0000 4802bd89 Apr 14 10:12:25 2008 C:\WINDOWS\system32\ADVAPI32.dll
77e50000 4802bdae Apr 14 10:13:02 2008 C:\WINDOWS\system32\RPCRT4.dll
77fc0000 4802bdc1 Apr 14 10:13:21 2008 C:\WINDOWS\system32\Secur32.dll
77be0000 4802be3f Apr 14 10:15:27 2008 C:\WINDOWS\system32\msvcrt.dll
5d170000 4802bda1 Apr 14 10:12:49 2008 C:\WINDOWS\system32\COMCTL32.dll
762f0000 4802be16 Apr 14 10:14:46 2008 C:\WINDOWS\system32\MSIMG32.dll
770f0000 4802bdbd Apr 14 10:13:17 2008 C:\WINDOWS\system32\OLEAUT32.dll
76990000 4802bdbc Apr 14 10:13:16 2008 C:\WINDOWS\system32\ole32.dll
10480000 4ba1dbdf Mar 18 15:53:03 2010 C:\WINDOWS\system32\MSVCP100D.dll
76300000 4802bdb3 Apr 14 10:13:07 2008 C:\WINDOWS\system32\IMM32.DLL
62c20000 4802bd9f Apr 14 10:12:47 2008 C:\WINDOWS\system32\LPK.DLL
73fa0000 4802bdbf Apr 14 10:13:19 2008 C:\WINDOWS\system32\USP10.dll
5adc0000 4802bdc0 Apr 14 10:13:20 2008 C:\WINDOWS\system32\UxTheme.dll
5d360000 4df2e068 Jun 11 11:26:32 2011 C:\WINDOWS\system32\MFC100CHS.DLL
74680000 4802bde3 Apr 14 10:13:55 2008 C:\WINDOWS\system32\MSCTF.dll
73640000 4802bde4 Apr 14 10:13:56 2008 C:\WINDOWS\system32\msctfime.ime
76320000 4802bda2 Apr 14 10:12:50 2008 C:\WINDOWS\system32\comdlg32.dll
7d590000 4802bdb6 Apr 14 10:13:10 2008 C:\WINDOWS\system32\SHELL32.dll
77180000 4802bd6c Apr 14 10:11:56 2008 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
76d70000 4802bd96 Apr 14 10:12:38 2008 C:\WINDOWS\system32\appHelp.dll
76fa0000 4802bd92 Apr 14 10:12:34 2008 C:\WINDOWS\system32\CLBCATQ.DLL
77020000 4802bda7 Apr 14 10:12:55 2008 C:\WINDOWS\system32\COMRes.dll
77bd0000 4802bdbf Apr 14 10:13:19 2008 C:\WINDOWS\system32\VERSION.dll
5960000 4df5c853 Jun 13 16:20:35 2011 C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
5940000 51bf3c9f Jun 18 00:43:11 2013 C:\Program Files\TortoiseSVN\bin\TortoiseStub32.dll
11c0000 51bf3be8 Jun 18 00:40:08 2013 C:\Program Files\TortoiseSVN\bin\TortoiseSVN32.dll
76680000 4802bddf Apr 14 10:13:51 2008 C:\WINDOWS\system32\WININET.dll
765e0000 4802bdb0 Apr 14 10:13:04 2008 C:\WINDOWS\system32\CRYPT32.dll
76db0000 4802bddd Apr 14 10:13:49 2008 C:\WINDOWS\system32\MSASN1.dll
1240000 51bf3b31 Jun 18 00:37:05 2013 C:\Program Files\TortoiseSVN\bin\libsvn_tsvn32.dll
6eec0000 51bf3a86 Jun 18 00:34:14 2013 C:\Program Files\TortoiseSVN\bin\libapr_tsvn32.dll
71a20000 4802be08 Apr 14 10:14:32 2008 C:\WINDOWS\system32\WS2_32.dll
71a10000 4802be09 Apr 14 10:14:33 2008 C:\WINDOWS\system32\WS2HELP.dll
719c0000 4802be45 Apr 14 10:15:33 2008 C:\WINDOWS\system32\MSWSOCK.dll
10000000 5098858e Nov 06 11:35:42 2012 C:\WINDOWS\system32\MSVCR110.dll
6ee60000 51bf3a97 Jun 18 00:34:31 2013 C:\Program Files\TortoiseSVN\bin\libaprutil_tsvn32.dll
76f30000 4802bdd3 Apr 14 10:13:39 2008 C:\WINDOWS\system32\WLDAP32.dll
15c0000 51bf3aca Jun 18 00:35:22 2013 C:\Program Files\TortoiseSVN\bin\intl3_tsvn32.dll
15e0000 51bf3aa8 Jun 18 00:34:48 2013 C:\Program Files\TortoiseSVN\bin\libsasl32.dll
76bc0000 4802bdab Apr 14 10:12:59 2008 C:\WINDOWS\system32\PSAPI.DLL
1610000 50988595 Nov 06 11:35:49 2012 C:\WINDOWS\system32\MSVCP110.dll
76060000 4802bdb0 Apr 14 10:13:04 2008 C:\WINDOWS\system32\SETUPAPI.dll
76960000 4802bdcf Apr 14 10:13:35 2008 C:\WINDOWS\system32\ntshrui.dll
76af0000 4802bda9 Apr 14 10:12:57 2008 C:\WINDOWS\system32\ATL.DLL
5fdd0000 4802bda6 Apr 14 10:12:54 2008 C:\WINDOWS\system32\NETAPI32.dll
759d0000 4802bdbe Apr 14 10:13:18 2008 C:\WINDOWS\system32\USERENV.dll
SubSystemData: 00000000
//Address of the process's default heap
ProcessHeap: 00150000
//Startup parameter information
ProcessParameters: 00020000
CurrentDirectory: 'C:\WINDOWS\system32\'
WindowTitle: 'C:\Documents and Settings\Administrator\桌面\PEViewer0.9\PEViewer\Debug\PEViewer.exe'
ImageFile: 'C:\Documents and Settings\Administrator\桌面\PEViewer0.9\PEViewer\Debug\PEViewer.exe'
//Command line
CommandLine: '"C:\Documents and Settings\Administrator\桌面\PEViewer0.9\PEViewer\Debug\PEViewer.exe"'
//Search path used when loading DLLs
DllPath: 'C:\Documents and Settings\Administrator\桌面\PEViewer0.9\PEViewer\Debug;C:\WINDOWS\system32;C:\WINDOWS\system;C:\WINDOWS;.;C:\Program Files\Debugging Tools for Windows (x86)\winext\arcade;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\TortoiseSVN\bin'
//Environment variable information
Environment: 00010000
=::=::\
ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Administrator\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=DDLX-XPWORK
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Administrator
LOGONSERVER=\\DDLX-XPWORK
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Program Files\Debugging Tools for Windows (x86)\winext\arcade;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\TortoiseSVN\bin
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 21 Model 16 Stepping 1, AuthenticAMD
PROCESSOR_LEVEL=21
PROCESSOR_REVISION=1001
ProgramFiles=C:\Program Files
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
USERDOMAIN=DDLX-XPWORK
USERNAME=Administrator
USERPROFILE=C:\Documents and Settings\Administrator
VS100COMNTOOLS=C:\Program Files\Microsoft Visual Studio 10.0\Common7\Tools\
WDKPATH=C:\WINDDK\7600.16385.1
WINDBG_DIR=C:\Program Files\Debugging Tools for Windows (x86)
windir=C:\WINDOWS
_NT_SYMBOL_PATH=srv*c:\symbols*http://msdl.microsoft.com/download/symbols
37. Listing modules: lm
//List all modules
0:001> lm
start end module name
00400000 00449000 PEViewer C (private pdb symbols) C:\Documents and Settings\Administrator\桌面\PEViewer0.9\PEViewer\Debug\PEViewer.pdb
011c0000 0122f000 TortoiseSVN32 (deferred)
01240000 0159e000 libsvn_tsvn32 (deferred)
015c0000 015cd000 intl3_tsvn32 (deferred)
015e0000 015f3000 libsasl32 (deferred)
77020000 770ba000 COMRes (deferred)
770f0000 7717b000 OLEAUT32 (deferred)
77180000 77283000 comctl32_77180000 (deferred)
77bd0000 77bd8000 VERSION (deferred)
77be0000 77c38000 msvcrt (deferred)
77d10000 77da0000 USER32 (deferred)
77da0000 77e49000 ADVAPI32 (deferred)
77e50000 77ee2000 RPCRT4 (deferred)
77ef0000 77f39000 GDI32 (deferred)
77f40000 77fb6000 SHLWAPI (deferred)
77fc0000 77fd1000 Secur32 (deferred)
78b60000 79203000 mfc100d (deferred)
7c800000 7c91e000 kernel32 (deferred)
7c920000 7c9b3000 ntdll (pdb symbols) c:\symbols\ntdll.pdb\1751003260CA42598C0FB326585000ED2\ntdll.pdb
7d590000 7dd84000 SHELL32 (deferred)
Unloaded modules:
77bd0000 77bd8000 version.dll
76590000 765de000 cscui.dll
76570000 7658c000 CSCDLL.dll
74d90000 74dfd000 RichEd20.dll
75ef0000 75fed000 browseui.dll
7e550000 7e6c1000 shdocvw.dll
75430000 754a1000 CRYPTUI.dll
76c00000 76c2e000 WINTRUST.dll
76c60000 76c88000 IMAGEHLP.dll
//View detailed information for the PEViewer module
0:001> lm vm PEViewer
start end module name
00400000 00449000 PEViewer C (private pdb symbols) C:\Documents and Settings\Administrator\桌面\PEViewer0.9\PEViewer\Debug\PEViewer.pdb
Loaded symbol image file: PEViewer.exe
Image path: PEViewer.exe
Image name: PEViewer.exe
Timestamp: Sat Sep 14 21:24:49 2013 (523463A1)
CheckSum: 00000000
ImageSize: 00049000
File version: 0.9.0.0
Product version: 1.0.0.1
File flags: 1 (Mask 3F) Debug
File OS: 4 Unknown Win32
File type: 1.0 App
File date: 00000000.00000000
Translations: 0804.04b0
CompanyName: 点点灵犀工作室
ProductName: PEViewer
InternalName: PEViewer
OriginalFilename: PEViewer.EXE
ProductVersion: 0.9
FileVersion: 0.9
PrivateBuild: 0.9
SpecialBuild: 0.9
FileDescription: PE文件分析工具
LegalCopyright: 版权所有 (C) 2010
LegalTrademarks: 版权所有 (C) 2010
Comments: 点点灵犀工作室
//Search for modules; wildcards are supported
0:001> lm m MSV*
start end module name
01610000 01695000 MSVCP110 (deferred)
10000000 100d6000 MSVCR110 (deferred)
10200000 10372000 MSVCR100D (deferred)
10480000 10537000 MSVCP100D (deferred)
77be0000 77c38000 msvcrt (deferred)
38. Viewing the handle table: !handle
User-mode usage: !handle [Handle [UMFlags [TypeName]]]
//View all handle information for the process
0:000> !handle
Handle 2e8
Type File
Handle 7e0
Type WindowStation
Handle 7e4
Type Event
Handle 7ec
Type Port
Handle 7f0
Type Directory
Handle 7f8
Type Directory
Handle 7fc
Type KeyedEvent
//Summary
7 Handles
Type Count
Event 1
File 1
Port 1
Directory 2
WindowStation 1
KeyedEvent 1
//View information for handle 2e8
0:000> !handle 2e8
Handle 2e8
Type File
//View detailed information for handle 2e8
0:000> !handle 2e8 3
Handle 2e8
Type File
Attributes 0
GrantedAccess 0x100020:
Synch
Execute/Traverse
HandleCount 3
PointerCount 4
//View detailed information for handles of type Directory
0:000> !handle 0 3 Directory
Handle 7f0
Type Directory
Attributes 0x10
GrantedAccess 0xf000f:
Delete,ReadControl,WriteDac,WriteOwner
Query,Traverse,Create,CreateSubdir
HandleCount 35
PointerCount 40
Handle 7f8
Type Directory
Attributes 0x10
GrantedAccess 0x3:
None
Query,Traverse
HandleCount 36
PointerCount 73
2 handles of type Directory
39. Viewing process heap information: !heap
//View all heaps in the process
0:000> !heap
NtGlobalFlag enables following debugging aids for new heaps: tail checking
free checking
validate parameters
//There are 4 heaps; the first is the default heap, the others were created by the C runtime library and so on
Index Address Name Debugging options enabled
1: 00150000 tail checking free checking validate parameters
2: 00250000 tail checking free checking validate parameters
3: 00260000 tail checking free checking validate parameters
4: 00390000 tail checking free checking validate parameters
//View the default heap
0:000> !heap 00150000
//There is a single heap segment in total
Index Address Name Debugging options enabled
1: 00150000
Segment at 00150000 to 00250000 (00004000 bytes committed)
//View detailed information for the default heap
0:000> !heap -a 00150000
Index Address Name Debugging options enabled
1: 00150000
Segment at 00150000 to 00250000 (00004000 bytes committed)
Flags: 50000062
ForceFlags: 40000060
Granularity: 8 bytes
Segment Reserve: 00100000
Segment Commit: 00002000
DeCommit Block Thres: 00000200
DeCommit Total Thres: 00002000
Total Free Size: 0000026a
Max. Allocation Size: 7ffdefff
Lock Variable at: 00150608
Next TagIndex: 0000
Maximum TagIndex: 0000
Tag Entries: 00000000
PsuedoTag Entries: 00000000
Virtual Alloc List: 00150050
UCR FreeList: 00150598
FreeList Usage: 00000000 00000000 00000000 00000000
FreeList[ 00 ] at 00150178: 00152cb8 . 00152cb8
00152cb0: 000f8 . 01350 [14] - free
Segment00 at 00150640:
Flags: 00000000
Base: 00150000
First Entry: 00150680
Last Entry: 00250000
Total Pages: 00000100
Total UnCommit: 000000fc
Largest UnCommit:000fc000
UnCommitted Ranges: (1)
00154000: 000fc000
//Allocation entries within the heap
Heap entries for Segment00 in Heap 00150000
00150000: 00000 . 00640 [01] - busy (640)
00150640: 00640 . 00040 [01] - busy (40)
00150680: 00040 . 01818 [07] - busy (1800), tail fill - unable to read heap entry extra at 00151e90
00151e98: 01818 . 00040 [07] - busy (22), tail fill - unable to read heap entry extra at 00151ed0
00151ed8: 00040 . 00048 [07] - busy (29), tail fill - unable to read heap entry extra at 00151f18
00151f20: 00048 . 002f0 [07] - busy (2d8), tail fill - unable to read heap entry extra at 00152208
00152210: 002f0 . 00330 [07] - busy (314), tail fill - unable to read heap entry extra at 00152538
00152540: 00330 . 00330 [07] - busy (314), tail fill - unable to read heap entry extra at 00152868
00152870: 00330 . 00040 [07] - busy (24), tail fill - unable to read heap entry extra at 001528a8
001528b0: 00040 . 00028 [07] - busy (10), tail fill - unable to read heap entry extra at 001528d0
001528d8: 00028 . 00058 [07] - busy (40), tail fill - unable to read heap entry extra at 00152928
00152930: 00058 . 00058 [07] - busy (40), tail fill - unable to read heap entry extra at 00152980
00152988: 00058 . 00230 [07] - busy (214), tail fill - unable to read heap entry extra at 00152bb0
00152bb8: 00230 . 000f8 [07] - busy (e0), tail fill - unable to read heap entry extra at 00152ca8
00152cb0: 000f8 . 01350 [14] free fill
00154000: 000fc000 - uncommitted bytes.
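The "Heap entries for Segment00" listing above can also be checked mechanically. The following Python parser is an added example, not part of the original post: it reads that listing (the sample below is copied from the post's output), totals busy, free and uncommitted bytes so they can be reconciled with the segment's "00004000 bytes committed", and walks the block chain checking that each block starts where the previous one ends and that its previous-size field agrees with the previous block's size, which is the first thing to look at when a heap overflow is suspected. The function names and dictionary keys are my own.

```python
import re

# Constructed sample: the "Heap entries for Segment00" listing from the post's
# !heap -a 00150000 output, embedded here so the example runs offline.
SAMPLE = """\
00150000: 00000 . 00640 [01] - busy (640)
00150640: 00640 . 00040 [01] - busy (40)
00150680: 00040 . 01818 [07] - busy (1800), tail fill - unable to read heap entry extra at 00151e90
00151e98: 01818 . 00040 [07] - busy (22), tail fill - unable to read heap entry extra at 00151ed0
00151ed8: 00040 . 00048 [07] - busy (29), tail fill - unable to read heap entry extra at 00151f18
00151f20: 00048 . 002f0 [07] - busy (2d8), tail fill - unable to read heap entry extra at 00152208
00152210: 002f0 . 00330 [07] - busy (314), tail fill - unable to read heap entry extra at 00152538
00152540: 00330 . 00330 [07] - busy (314), tail fill - unable to read heap entry extra at 00152868
00152870: 00330 . 00040 [07] - busy (24), tail fill - unable to read heap entry extra at 001528a8
001528b0: 00040 . 00028 [07] - busy (10), tail fill - unable to read heap entry extra at 001528d0
001528d8: 00028 . 00058 [07] - busy (40), tail fill - unable to read heap entry extra at 00152928
00152930: 00058 . 00058 [07] - busy (40), tail fill - unable to read heap entry extra at 00152980
00152988: 00058 . 00230 [07] - busy (214), tail fill - unable to read heap entry extra at 00152bb0
00152bb8: 00230 . 000f8 [07] - busy (e0), tail fill - unable to read heap entry extra at 00152ca8
00152cb0: 000f8 . 01350 [14] free fill
00154000: 000fc000 - uncommitted bytes.
"""

# address: prev-size . size [flags] - state (user-size) trailing text
ENTRY_RE = re.compile(
    r"^(?P<addr>[0-9a-f]+): (?P<prev>[0-9a-f]+) \. (?P<size>[0-9a-f]+) "
    r"\[(?P<flags>[0-9a-f]+)\] *(?:- )?(?P<state>busy|free)"
    r"(?: \((?P<user>[0-9a-f]+)\))?(?P<rest>.*)$")
UNCOMMITTED_RE = re.compile(
    r"^(?P<addr>[0-9a-f]+): (?P<size>[0-9a-f]+) - uncommitted bytes\.$")


def parse_heap_entries(text):
    """Return (entries, uncommitted) parsed from a !heap -a segment listing.

    Each entry holds the block address, the previous block's size, this block's
    size (all in bytes, header included), the flags byte, busy/free, the
    user-requested size (None for free blocks) and whether the debugger could
    not read the tail-fill bytes after the user data.
    """
    entries, uncommitted = [], []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append({
                "addr": int(m["addr"], 16),
                "prev": int(m["prev"], 16),
                "size": int(m["size"], 16),
                "flags": int(m["flags"], 16),
                "state": m["state"],
                "user": int(m["user"], 16) if m["user"] else None,
                "tail_warning": "unable to read" in m["rest"],
            })
            continue
        m = UNCOMMITTED_RE.match(line.strip())
        if m:
            uncommitted.append((int(m["addr"], 16), int(m["size"], 16)))
    return entries, uncommitted


def summarize(entries, uncommitted):
    """Byte accounting for the segment; busy + free should equal the committed size."""
    busy = [e for e in entries if e["state"] == "busy"]
    free = [e for e in entries if e["state"] == "free"]
    return {
        "busy_blocks": len(busy),
        "busy_bytes": sum(e["size"] for e in busy),
        "user_bytes": sum(e["user"] or 0 for e in busy),
        "free_bytes": sum(e["size"] for e in free),
        "uncommitted_bytes": sum(s for _, s in uncommitted),
        "tail_warnings": sum(1 for e in entries if e["tail_warning"]),
    }


def check_linkage(entries):
    """Walk the block chain and report every broken link.

    Each block must begin exactly where the previous one ends, and its
    previous-size field must equal the previous block's size. A break in
    either relation is the classic sign that an overflow has overwritten a
    neighbouring block header.
    """
    problems = []
    for prev, cur in zip(entries, entries[1:]):
        if cur["addr"] != prev["addr"] + prev["size"]:
            problems.append("gap or overlap before %08x" % cur["addr"])
        if cur["prev"] != prev["size"]:
            problems.append("prev-size mismatch at %08x: %x != %x"
                            % (cur["addr"], cur["prev"], prev["size"]))
    return problems


if __name__ == "__main__":
    ents, unc = parse_heap_entries(SAMPLE)
    print(summarize(ents, unc))
    print("linkage problems:", check_linkage(ents) or "none")
```

On the post's listing the busy and free totals add up to 0x4000, the committed size the segment header reports, and the chain is intact; the difference between block size and user size on the tail-filled entries is the header plus the tail-check bytes that the NtGlobalFlag options enabled.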
Capability: ( LV2,RANK:10 )
Post 82
Actually it's not empty talk at all; there is a lot you can do with debugging. For debugging Windows crashes or programs with symbols, WINDBG is far better than OD...... Don't keep thinking only about cracking......
Capability: ( LV12,RANK:250 )
Post 83
Exactly right +1
Capability: ( LV12,RANK:250 )
Post 84
The most frustrating thing about using WinDbg is when symbols fail to load, so let's look at how WinDbg loads symbols.
40. Commands for setting the symbol path
40.1. Setting local symbols and viewing the symbol path: .sympath
//Reset the local symbol path
0:015> .sympath d:\ddlxsyms1;
Symbol search path is: d:\ddlxsyms1
Expanded Symbol search path is: d:\ddlxsyms1
//Add a local symbol path
0:015> .sympath+ d:\ddlxsyms2;
Symbol search path is: d:\ddlxsyms1;d:\ddlxsyms2
Expanded Symbol search path is: d:\ddlxsyms1;d:\ddlxsyms2
//View the symbol path
0:015> .sympath
Symbol search path is: d:\ddlxsyms1;d:\ddlxsyms2
Expanded Symbol search path is: d:\ddlxsyms1;d:\ddlxsyms2
40.2. Setting a path that points at the Microsoft symbol server: .symfix
//Add a path pointing at the Microsoft symbol server
0:015> .symfix+ c:\symbols;
0:015> .sympath
Symbol search path is: d:\ddlxsyms1;d:\ddlxsyms2;srv*
Expanded Symbol search path is: d:\ddlxsyms1;d:\ddlxsyms2;SRV*c:\symbols;*http://msdl.microsoft.com/download/symbols
//Reset to a path pointing at the Microsoft symbol server
0:015> .symfix c:\symbols;
0:015> .sympath
Symbol search path is: srv*
Expanded Symbol search path is: SRV*c:\symbols;*http://msdl.microsoft.com/download/symbols
41. Commands for loading symbols
41.1. Reloading symbols: .reload
0:015> .reload
Reloading current modules
................................................................
...........................
0:015> .reload /f YodaoDict.exe
*** ERROR: Module load completed but symbols could not be loaded for C:\Documents and Settings\Administrator\Local Settings\Application Data\Youdao\Dict\Application\YodaoDict.exe
41.2. Loading symbols: ld
0:015> ld YodaoDict
Symbols already loaded for YodaoDict
0:015> lm m YodaoDict
start end module name
00400000 00782000 YodaoDict (no symbols)
41.3. Loading symbols: !reload
Same as .reload
41.4. Showing symbol-loading information: !sym
When symbols won't load it is very frustrating: I have the symbols, so why won't they load?
Use the !sym command; it can tell you whether the load failed because the symbols don't match or because they were not found on the symbol path.
//Turn on display of the paths searched while loading
0:015> !sym noisy
noisy mode - symbol prompts on
//Load the YodaoDict module again
0:015> .reload /f YodaoDict.exe
//Log output (tells you which paths it searched for the pdb and explains why it wasn't found)
SYMSRV: c:\symbols\YodaoDict.pdb\2B63977EE831464EB469F099979CF6DC1\YodaoDict.pdb not found
DBGHELP: *http://msdl.microsoft.com/download/symbols\YodaoDict.pdb - file not found
DBGHELP: *http://msdl.microsoft.com/download/symbols\exe\YodaoDict.pdb - file not found
DBGHELP: *http://msdl.microsoft.com/download/symbols\symbols\exe\YodaoDict.pdb - file not found
DBGHELP: C:\Documents and Settings\Administrator\Local Settings\Application Data\Youdao\Dict\Application\YodaoDict.pdb - file not found
DBGHELP: e:\TeamCity\workspace\5.4.x_bind\src\bin\release\YodaoDict.pdb - file not found
*** ERROR: Module load completed but symbols could not be loaded for C:\Documents and Settings\Administrator\Local Settings\Application Data\Youdao\Dict\Application\YodaoDict.exe
DBGHELP: YodaoDict - no symbols loaded
//Load the ntdll module
0:015> .reload /f ntdll.dll
DBGHELP: ntdll - public symbols
c:\symbols\ntdll.pdb\1751003260CA42598C0FB326585000ED2\ntdll.pdb
//Turn off display of the search paths while loading
0:015> !sym quiet
quiet mode - symbol prompts on
//Load the ntdll module (this time no loading information appears)
0:015> .reload /f ntdll.dll
//Show the configuration
0:015> !sym
!sym <noisy/quiet - prompts/prompts off> - quiet mode - symbol prompts on
42. Commands for setting the source path
42.1. Setting local source paths and viewing the source path: .srcpath
Usage is similar to .sympath
0:015> .srcpath d:\ddlxsrcs1
Source search path is: d:\ddlxsrcs1
0:015> .srcpath+ d:\ddlxsrcs2
Source search path is: d:\ddlxsrcs1;d:\ddlxsrcs2
0:015> .srcpath
Source search path is: d:\ddlxsrcs1;d:\ddlxsrcs2
42.2. Setting a path that points at a source server: .srcfix
Usage is similar to .symfix
0:015> .srcfix+ c:\srcs
Source search path is: d:\ddlxsrcs1;d:\ddlxsrcs2;SRV*;c:\srcs
WARNING: Inaccessible path: 'c:\srcs'
0:015> .srcpath
Source search path is: d:\ddlxsrcs1;d:\ddlxsrcs2;SRV*;c:\srcs
WARNING: Inaccessible path: 'c:\srcs'
0:015> .srcfix c:\srcs
Source search path is: SRV*;c:\srcs
WARNING: Inaccessible path: 'c:\srcs'
0:015> .srcpath
Source search path is: SRV*;c:\srcs
WARNING: Inaccessible path: 'c:\srcs'
43. Commands for loading source
43.1. Showing the source code at an address: lsa
0:000> lsa 00412f9a
20: for( int i=0; i<20; i++ )
21: {
22: nvalue = GetRandom();
23: }
> 24: SetValue(305);
25: return 0;
26: }
27:
43.2. Opening a source file: .open
windbg> .open break.cpp
windbg> .open stdafx.h
43.3. Loading and unloading source files: lsf
0:000> lsf stdafx.h
D:\test\windbgtest\break\stdafx.h
0:000> lsf- stdafx.h
Unloaded 'stdafx.h'
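Reading `!sym noisy` output by hand gets tedious once several modules are reloaded. The following Python script is an added example, not code from the original post: it groups the SYMSRV and DBGHELP lines per module (the sample is the post's own log output from section 41.4), records every path that was tried and the reason dbghelp gave for each, and produces a one-line verdict separating "not found on any search path" from "a pdb was found but rejected" and "loaded". The function names are my own; the classification relies only on the `DBGHELP: <path> - <reason>` line shape seen above, so any rejection reason other than "file not found" is reported as-is.

```python
import re

# Constructed sample: the "!sym noisy" lines from the post, covering one module
# whose pdb was never found (YodaoDict) and one that resolved (ntdll).
SAMPLE_LOG = r"""
SYMSRV: c:\symbols\YodaoDict.pdb\2B63977EE831464EB469F099979CF6DC1\YodaoDict.pdb not found
DBGHELP: *http://msdl.microsoft.com/download/symbols\YodaoDict.pdb - file not found
DBGHELP: *http://msdl.microsoft.com/download/symbols\exe\YodaoDict.pdb - file not found
DBGHELP: *http://msdl.microsoft.com/download/symbols\symbols\exe\YodaoDict.pdb - file not found
DBGHELP: C:\Documents and Settings\Administrator\Local Settings\Application Data\Youdao\Dict\Application\YodaoDict.pdb - file not found
DBGHELP: e:\TeamCity\workspace\5.4.x_bind\src\bin\release\YodaoDict.pdb - file not found
*** ERROR: Module load completed but symbols could not be loaded for C:\Documents and Settings\Administrator\Local Settings\Application Data\Youdao\Dict\Application\YodaoDict.exe
DBGHELP: YodaoDict - no symbols loaded
DBGHELP: ntdll - public symbols
        c:\symbols\ntdll.pdb\1751003260CA42598C0FB326585000ED2\ntdll.pdb
"""


def _module_of(path):
    """Module name from a pdb/exe path: last path component minus its extension."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return re.sub(r"\.(pdb|exe|dll|sys)$", "", name, flags=re.IGNORECASE)


def parse_sym_log(text):
    """Group !sym noisy output per module.

    Result: module -> {"tried": [candidate paths], "reasons": {why each was
    rejected}, "status": dbghelp's final verdict, "pdb": path actually loaded
    or None, "load_error": True if the '*** ERROR' line appeared for it}.
    """
    report = {}
    pending = None  # module whose loaded pdb path follows on the next line

    def rec(module):
        return report.setdefault(module, {"tried": [], "reasons": set(),
                                          "status": None, "pdb": None,
                                          "load_error": False})

    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("SYMSRV:"):
            path = line[len("SYMSRV:"):].strip()
            if path.endswith(" not found"):
                path = path[:-len(" not found")]
                r = rec(_module_of(path))
                r["tried"].append(path)
                r["reasons"].add("not found")
            pending = None
        elif line.startswith("DBGHELP:"):
            subject, sep, reason = line[len("DBGHELP:"):].strip().rpartition(" - ")
            if not sep:
                pending = None
                continue
            if subject.lower().endswith(".pdb"):
                # one candidate path and the reason dbghelp rejected it
                r = rec(_module_of(subject))
                r["tried"].append(subject)
                r["reasons"].add(reason)
                pending = None
            else:
                # final verdict for the module; on success the pdb path follows
                rec(subject)["status"] = reason
                pending = subject if reason.endswith("symbols") else None
        elif line.startswith("*** ERROR:"):
            m = re.search(r"could not be loaded for (.+)$", line)
            if m:
                rec(_module_of(m.group(1)))["load_error"] = True
            pending = None
        elif pending is not None:
            report[pending]["pdb"] = line
            pending = None
    return report


NOT_FOUND = {"not found", "file not found"}


def diagnose(report):
    """One-line verdict per module: path problem, rejected pdb, or loaded."""
    out = {}
    for module, r in report.items():
        if r["pdb"]:
            out[module] = "loaded: " + r["pdb"]
        elif r["tried"] and r["reasons"] <= NOT_FOUND:
            out[module] = ("pdb not found in any of %d searched locations; "
                           "check .sympath/.symfix" % len(r["tried"]))
        elif r["tried"]:
            out[module] = "pdb found but rejected: " + ", ".join(sorted(r["reasons"] - NOT_FOUND))
        else:
            out[module] = "status: %s" % r["status"]
    return out


if __name__ == "__main__":
    for module, verdict in diagnose(parse_sym_log(SAMPLE_LOG)).items():
        print(module, "->", verdict)
```

Feed it a log captured with `.logopen` while `!sym noisy` is on; for the post's log it reports that YodaoDict's pdb was looked for in six places and found in none, while ntdll resolved to the cached public pdb.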
Capability: ( LV2,RANK:10 )
Post 85
This would be even better if it were organised
Capability: ( LV5,RANK:60 )
Post 86
Thanks OP!!!
Capability: ( LV2,RANK:10 )
Post 87
OP is a good person........ I've been studying windbg lately,,,, it's super powerful, Microsoft's stuff, you have to admire it...
Capability: ( LV12,RANK:250 )
Post 88
Anyone interested, let's discuss it together haha
Capability: ( LV9,RANK:170 )
Post 89
Keep going with the Mid-Autumn special edition,,, by the way, seeing your TX chat-log post,,, really made my head spin
Capability: ( LV3,RANK:20 )
Post 90
Bump first, read later :)
Capability: ( LV2,RANK:10 )
Post 91
OP put real care into this, learned a lot~
Capability: ( LV2,RANK:10 )
Post 92
good job, nicely organised, a dedicated person!
Capability: ( LV2,RANK:10 )
Post 93
Great thread, showing my support!
Capability: ( LV3,RANK:20 )
Post 94
Great Sage, this is awesome
Capability: ( LV2,RANK:10 )
Post 95
You've done something of immeasurable merit
Capability: ( LV2,RANK:10 )
Post 96
Bump for OP, a very useful document, worth recommending
Capability: ( LV2,RANK:10 )
Post 97
So powerful, marking it first
Capability: ( LV2,RANK:10 )
Post 98
Many thanks!!!
Capability: ( LV2,RANK:10 )
Post 99
Introduces the thinking and methods for using WinDbg to troubleshoot access violations, buffer overflows, deadlocks, memory leaks, handle leaks and the like
This article is continuously updated. It mainly contains a detailed command section and a practical application section, and a chm-format document is published on an ongoing basis
A thumbs up for these two sentences, thanks
Capability: ( LV12,RANK:250 )
Post 100
Thanks for the support