kd> g
Breakpoint 0 hit
fffff801`425173b6 402ad6 sub dl,sil
====================================
kd> g
Breakpoint 0 hit
nt!DbgkOpenProcessDebugPort+0x21:
fffff801`3d61ea4d 4d8bf0 mov r14,r8
kd> k
# Child-SP RetAddr Call Site
00 ffffde01`0f85a090 fffff801`3d5d3ff2 nt!DbgkOpenProcessDebugPort+0x21
01 ffffde01`0f85a0e0 ffff9707`253ab461 nt!NtQueryInformationProcess+0x1488f2
02 ffffde01`0f85aaf0 00000000`00000002 0xffff9707`253ab461
03 ffffde01`0f85aaf8 ffffde01`0f85ab51 0x2
04 ffffde01`0f85ab00 00000000`00000000 0xffffde01`0f85ab51
////////////////////////////////////////////////////////////////
kd> g
Breakpoint 0 hit
nt!DbgkOpenProcessDebugPort+0x48:
fffff801`3d61ea74 4885db test rbx,rbx
kd> k
# Child-SP RetAddr Call Site
00 ffffde01`0f85a090 fffff801`3d5d3ff2 nt!DbgkOpenProcessDebugPort+0x48
01 ffffde01`0f85a0e0 ffff9707`253ab461 nt!NtQueryInformationProcess+0x1488f2
02 ffffde01`0f85aaf0 00000000`00000002 0xffff9707`253ab461
03 ffffde01`0f85aaf8 ffffde01`0f85ab51 0x2
04 ffffde01`0f85ab00 00000000`00000000 0xffffde01`0f85ab51
kd> g
Breakpoint 0 hit
nt!DbgkClearProcessDebugObject+0x34:
fffff801`3d4d9630 4885db test rbx,rbx
kd> k
# Child-SP RetAddr Call Site
00 ffffde01`0f85a9c0 fffff801`3d6207c3 nt!DbgkClearProcessDebugObject+0x34
01 ffffde01`0f85aa00 ffff9707`253ab4fa nt!NtRemoveProcessDebug+0x103
02 ffffde01`0f85aaf0 00000000`4522c3a0 0xffff9707`253ab4fa
03 ffffde01`0f85aaf8 ffffbd0c`a8455080 0x4522c3a0
04 ffffde01`0f85ab00 00000000`ffffffff 0xffffbd0c`a8455080
05 ffffde01`0f85ab08 00000000`00000000 0xffffffff
===========================================
Breakpoint 0 hit
nt!DbgkClearProcessDebugObject+0xd9d0a:
fffff801`3d5b3306 33ff xor edi,edi
kd> k
# Child-SP RetAddr Call Site
00 ffffde01`0f85a9c0 fffff801`3d6207c3 nt!DbgkClearProcessDebugObject+0xd9d0a
01 ffffde01`0f85aa00 ffff9707`253ab4fa nt!NtRemoveProcessDebug+0x103
02 ffffde01`0f85aaf0 00000000`4522c3a0 0xffff9707`253ab4fa
03 ffffde01`0f85aaf8 ffffbd0c`a8455080 0x4522c3a0
04 ffffde01`0f85ab00 00000000`ffffffff 0xffffbd0c`a8455080
05 ffffde01`0f85ab08 00000000`00000000 0xffffffff
kd> g
Breakpoint 0 hit
nt!DbgkpMarkProcessPeb+0x6a:
fffff801`3d61f172 0f95c1 setne cl
kd> k
# Child-SP RetAddr Call Site
00 ffffde01`0f85a950 fffff801`3d5b3315 nt!DbgkpMarkProcessPeb+0x6a
01 ffffde01`0f85a9c0 fffff801`3d6207c3 nt!DbgkClearProcessDebugObject+0xd9d19
02 ffffde01`0f85aa00 ffff9707`253ab4fa nt!NtRemoveProcessDebug+0x103
03 ffffde01`0f85aaf0 00000000`4522c3a0 0xffff9707`253ab4fa
04 ffffde01`0f85aaf8 ffffbd0c`a8455080 0x4522c3a0
05 ffffde01`0f85ab00 00000000`ffffffff 0xffffbd0c`a8455080
06 ffffde01`0f85ab08 00000000`00000000 0xffffffff
kd> g
PTModIoRequest:D[0]=0,D[1]=00
PTModIoRequest:D[0]=0,D[1]=ce
Breakpoint 0 hit
nt!DbgkCreateThread+0x8a:
fffff801`3d463832 0f856d681600 jne nt!DbgkCreateThread+0x1668fd (fffff801`3d5ca0a5)
kd> k
# Child-SP RetAddr Call Site
00 ffffde01`0fdd36f0 fffff801`3d463676 nt!DbgkCreateThread+0x8a
01 ffffde01`0fdd38d0 fffff801`3cfcaecc nt!PspUserThreadStartup+0xb6
02 ffffde01`0fdd39c0 fffff801`3cfcae40 nt!KiStartUserThread+0x1c
03 ffffde01`0fdd3b00 00007ff9`615ea250 nt!KiStartUserThreadReturn
04 00000000`69c4fcf8 00000000`00000000 ntdll!RtlUserThreadStart
kd> g
Breakpoint 0 hit
nt!KiDispatchException+0x279:
fffff801`3ce32bf9 0f85fea41b00 jne nt!KiDispatchException+0x1ba77d (fffff801`3cfed0fd)
Breakpoint 0 hit
nt!DbgkForwardException+0x99:
fffff801`3d4cec45 4532f6 xor r14b,r14b
Breakpoint 0 hit
nt!KiDispatchException+0x279:
fffff801`3ce32bf9 0f85fea41b00 jne nt!KiDispatchException+0x1ba77d (fffff801`3cfed0fd)
nt!DbgkForwardException+0x99:
fffff801`3d4cec45 4532f6 xor r14b,r14b
Breakpoint 0 hit
nt!KiDispatchException+0x279:
fffff801`3ce32bf9 0f85fea41b00 jne nt!KiDispatchException+0x1ba77d (fffff801`3cfed0fd)
Break instruction exception - code 80000003 (first chance)
ntdll!DbgBreakPoint:
0033:00007ff9`61623080 cc int 3
记录了下看不懂呀
哪个是写入的?
哪个是访问的?
讨论下TP 清零