-
-
[求助]win7 x64最新双机调试总是触发单步异常
-
发表于: 2018-8-29 03:35
-
这是我现在修改的地方,修改KeDebuggerEnabled,KdPitchDebugger,KiDebugRoutine,和
KdDisableDebugger
1 KeUpdateRunTime 有两处
第一处是KdDebuggerEnabled第二处是KdPitchDebugger
2. KeUpdateSystemTime
第一处是KdDebuggerEnabled
第二处也是KdDebuggerEnabled
第三处是KdPitchDebugger
3. KdPollBreakIn
第一处是KdPitchDebugger
第二处是KdDebuggerEnabled
共7处全给改掉 然后KdDebuggerEnabled清零,KdPitchDebugger置1
接下来替换KiDebugRoutine的KdTrap为KdStub
然后KdStub inline跳到KdTrap中
KdDisableDebugger直接Nop 然后ret
这些改完后,我以为会可以了,但是windbg一直会触发4000001e 单步异常,然后我准备调试下KiDispatchException,结果发现这个函数居然被修改了
今天在看雪看到了这个贴子https://bbs.pediy.com/thread-246498.htm 他是win7 32位下,KDCOM某段内存清理了,我现在不知道win7 x64下,TP是不是也这么做的,如果是,那么之前的全局变量的检测就都不需要了吗 有没有大神能解答一下呢,万分感激
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
|
|
|---|---|
|
|
|
|
|
但是我windbg中忽略这个异常后,再运行,就一直出现这个异常The context is partially valid. Only x86 user-mode context is available. The context is partially valid. Only x86 user-mode context is available. The context is partially valid. Only x86 user-mode context is available. The context is partially valid. Only x86 user-mode context is available. The context is partially valid. Only x86 user-mode context is available. The context is partially valid. Only x86 user-mode context is available. The context is partially valid. Only x86 user-mode context is available. The context is partially valid. Only x86 user-mode context is available. The context is partially valid. Only x86 user-mode context is available. The context is partially valid. Only x86 user-mode context is available. The context is partially valid. Only x86 user-mode context is available. The context is partially valid. Only x86 user-mode context is available. The context is partially valid. Only x86 user-mode context is available. The context is partially valid. Only x86 user-mode context is available. The context is partially valid. Only x86 user-mode context is available. The context is partially valid. Only x86 user-mode context is available. The context is partially valid. Only x86 user-mode context is available. The context is partially valid. Only x86 user-mode context is available. The context is partially valid. Only x86 user-mode context is available. The context is partially valid. Only x86 user-mode context is available. The context is partially valid. Only x86 user-mode context is available. The context is partially valid. Only x86 user-mode context is available. The context is partially valid. Only x86 user-mode context is available. The context is partially valid. Only x86 user-mode context is available. 应该怎么解决呢 |
|
|
|
|
|
|
|
|
我找到触发这个异常的线程了,然后无论是暂停还是结束,TP都会卡住,就是会一直进行安全扫描,至于接管异常是怎么接管呢 |
|
|
我谷歌了下,好像是目标系统是64,程序是32的时候,32触发异常后,windbg就会自动切换成32模式了,可以用 !wow64exts.sw 重新切换到64 |
|
|
|
|
|
该报的还是报,因为你没处理这个异常,我这边找的触发这个异常的线程,是TSALogin的主线程,结束掉,游戏就一直卡死。。。 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
用x64dbg附加windbg,然后搜索字符串L"The context is partially valid. Only x86 user-mode context is available.\n",点进去第一个,将这个全局变量改为4,就不会一直输出上面那句话了
最后于 2018-10-22 20:50
被冰小鸿编辑
,原因:
|
|
|
|
|
|
|
|
|
|
|
|
|
