Reputation: ( LV4,RANK:50 )
Post #2
0:000> ?
Open debugger.chm for complete debugger documentation
B[C|D|E][<bps>] - clear/disable/enable breakpoint(s)
BL - list breakpoints
BA <access> <size> <addr> - set processor breakpoint
BP <address> - set soft breakpoint
D[type][<range>] - dump memory
DT [-n|y] [[mod!]name] [[-n|y]fields]
[address] [-l list] [-a[]|c|i|o|r[#]|v] - dump using type information
DV [<name>] - dump local variables
E[type] <address> [<values>] - enter memory values
G[H|N] [=<address> [<address>...]] - go
K <count> - stacktrace
KP <count> - stacktrace with source arguments
LM[k|l|u|v] - list modules
LN <expr> - list nearest symbols
P [=<addr>] [<value>] - step over
Q - quit
R [[<reg> [= <expr>]]] - view or set registers
S[<opts>] <range> <values> - search memory
SX [{e|d|i|n} [-c "Cmd1"] [-c2 "Cmd2"] [-h] {Exception|Event|*}] - event filter
T [=<address>] [<expr>] - trace into
U [<range>] - unassemble
version - show debuggee and debugger version
X [<*|module>!]<*|symbol> - view symbols
? <expr> - display expression
?? <expr> - display C++ expression
$< <filename> - take input from a command file
Hit Enter... <expr> unary ops: + - not by wo dwo qwo poi hi low
binary ops: + - * / mod(%) and(&) xor(^) or(|)
comparisons: == (=) < > !=
operands: number in current radix, public symbol, <reg>
<type> : b (byte), w (word), d[s] (doubleword [with symbols]),
a (ascii), c (dword and Char), u (unicode), l (list)
f (float), D (double), s|S (ascii/unicode string)
q (quadword)
<pattern> : [(nt | <dll-name>)!]<var-name> (<var-name> can include ? and *)
<range> : <address> <address>
: <address> L <count>
User-mode options:
~ - list threads status
~#s - set default thread
| - list processes status
|#s - set default process
x86 options:
DG <selector> - dump selector
<reg> : [e]ax, [e]bx, [e]cx, [e]dx, [e]si, [e]di, [e]bp, [e]sp, [e]ip, [e]fl,
al, ah, bl, bh, cl, ch, dl, dh, cs, ds, es, fs, gs, ss
dr0, dr1, dr2, dr3, dr6, dr7
fpcw, fpsw, fptw, st0-st7, mm0-mm7
xmm0-xmm7
<flag> : iopl, of, df, if, tf, sf, zf, af, pf, cf
<addr> : #<16-bit protect-mode [seg:]address>,
&<V86-mode [seg:]address>
Open debugger.chm for complete debugger documentation
Reputation: ( LV4,RANK:50 )
Post #3
CMD
TASKLIST /SVC
notepad.exe
1672------------------------PID
ntdll.dll,
kernel32.dll,
comdlg32.dll,
SHLWAPI.dll,
ADVAPI32.dll,
RPCRT4.dll,
Secur32.dll,
GDI32.dll,
USER32.dll,
msvcrt.dll,
COMCTL32.dll,
SHELL32.dll,
WINSPOOL.DRV,
ShimEng.dll,
AcGenral.DLL,
WINMM.dll,
ole32.dll,
OLEAUT32.dll,
MSACM32.dll,
VERSION.dll,
USERENV.dll,
UxTheme.dll,
IMM32.DLL,
LPK.DLL,
USP10.dll,
ClientMain.dll,
INDICDLL.dll,
winstanp.dll,
winstaic.dll,
winstauc.dll,
WinScript.dll,
msctfime.ime
Reputation: ( LV4,RANK:50 )
Post #4
0:000> u
ntdll!DbgBreakPoint:
7c921230 cc int 3
7c921231 c3 ret
7c921232 8bff mov edi,edi
ntdll!DbgUserBreakPoint:
7c921234 90 nop
7c921235 90 nop
7c921236 90 nop
7c921237 90 nop
ntdll!DbgBreakPointWithStatus:
7c921238 90 nop
0:000> u
ntdll!DbgUserBreakPoint:
7c921239 cc int 3
7c92123a c3 ret
7c92123b 90 nop
7c92123c 8bff mov edi,edi
ntdll!DbgBreakPointWithStatus:
7c92123e 90 nop
7c92123f 90 nop
7c921240 90 nop
7c921241 90 nop
0:000> notepad.exe 1672 ntdll.dll, kernel32.dll, comdlg32.dll,
^ Syntax error in 'notepad.exe 1672 ntdll.dll, kernel32.dll, comdlg32.dll,'
0:000> SHLWAPI.dll, ADVAPI32.dll, RPCRT4.dll,
Couldn't resolve error at 'HLWAPI.dll, ADVAPI32.dll, RPCRT4.dll,'
0:000> Secur32.dll, GDI32.dll, USER32.dll,
Couldn't resolve error at 'ecur32.dll, GDI32.dll, USER32.dll,'
0:000> msvcrt.dll, COMCTL32.dll, SHELL32.dll,
Couldn't resolve error at 'svcrt.dll, COMCTL32.dll, SHELL32.dll,'
0:000> WINSPOOL.DRV, ShimEng.dll, AcGenral.DLL,
^ Syntax error in ' WINSPOOL.DRV, ShimEng.dll, AcGenral.DLL,'
0:000> WINMM.dll, ole32.dll, OLEAUT32.dll,
^ Syntax error in ' WINMM.dll, ole32.dll, OLEAUT32.dll,'
0:000> MSACM32.dll, VERSION.dll, USERENV.dll,
Couldn't resolve error at 'SACM32.dll, VERSION.dll, USERENV.dll,'
0:000> UxTheme.dll, IMM32.DLL, LPK.DLL, USP10.dll,
^ Missing whitespace after u in ' UxTheme.dll, IMM32.DLL, LPK.DLL, USP10.dll,'
0:000> ClientMain.dll, INDICDLL.dll, winstanp.dll,
Couldn't resolve error at 'lientMain.dll, INDICDLL.dll, winstanp.dll,'
0:000> winstaic.dll, winstauc.dll, WinScript.dll,
^ Syntax error in ' winstaic.dll, winstauc.dll, WinScript.dll,'
0:000> u msctfime.ime
Couldn't resolve error at 'msctfime.ime'
0:000> u
ntdll!RtlpBreakWithStatusInstruction:
7c921242 90 nop
ntdll!DbgBreakPointWithStatus:
7c921243 8b442404 mov eax,dword ptr [esp+4]
ntdll!RtlpBreakWithStatusInstruction:
7c921247 cc int 3
7c921248 c20400 ret 4
7c92124b 90 nop
7c92124c 90 nop
7c92124d 90 nop
7c92124e 90 nop
0:000> u
ntdll!RtlpBreakWithStatusInstruction+0x8:
7c92124f 90 nop
ntdll!__NtCurrentTeb:
7c921250 64a118000000 mov eax,dword ptr fs:[00000018h]
7c921256 c3 ret
7c921257 90 nop
7c921258 90 nop
7c921259 90 nop
7c92125a 90 nop
7c92125b 90 nop
0:000> u
ntdll!RtlInitString:
7c92125c 57 push edi
7c92125d 8b7c240c mov edi,dword ptr [esp+0Ch]
7c921261 8b542408 mov edx,dword ptr [esp+8]
7c921265 c70200000000 mov dword ptr [edx],0
7c92126b 897a04 mov dword ptr [edx+4],edi
7c92126e 0bff or edi,edi
7c921270 741e je ntdll!RtlInitString+0x34 (7c921290)
7c921272 83c9ff or ecx,0FFFFFFFFh
0:000> u
ntdll!RtlInitString+0x19:
7c921275 33c0 xor eax,eax
7c921277 f2ae repne scas byte ptr es:[edi]
7c921279 f7d1 not ecx
7c92127b 81f9ffff0000 cmp ecx,0FFFFh
7c921281 7605 jbe ntdll!RtlInitString+0x2c (7c921288)
7c921283 b9ffff0000 mov ecx,0FFFFh
7c921288 66894a02 mov word ptr [edx+2],cx
7c92128c 49 dec ecx
Reputation: ( LV4,RANK:50 )
Post #5
C:\WINDOWS\system32>debug notepad.exe
-d
0B3B:0000 0E 1F BA 0E 00 B4 09 CD-21 B8 01 4C CD 21 54 68 ........!..L.!Th
0B3B:0010 69 73 20 70 72 6F 67 72-61 6D 20 63 61 6E 6E 6F is program canno
0B3B:0020 74 20 62 65 20 72 75 6E-20 69 6E 20 44 4F 53 20 t be run in DOS
0B3B:0030 6D 6F 64 65 2E 0D 0D 0A-24 00 00 00 00 00 00 00 mode....$.......
0B3B:0040 EC 85 5B A1 A8 E4 35 F2-A8 E4 35 F2 A8 E4 35 F2 ..[...5...5...5.
0B3B:0050 6B EB 3A F2 A9 E4 35 F2-6B EB 55 F2 A9 E4 35 F2 k.:...5.k.U...5.
0B3B:0060 6B EB 68 F2 BB E4 35 F2-A8 E4 34 F2 63 E4 35 F2 k.h...5...4.c.5.
0B3B:0070 6B EB 6B F2 A9 E4 35 F2-6B EB 6A F2 BF E4 35 F2 k.k...5.k.j...5.
-d
0B3B:0080 6B EB 6F F2 A9 E4 35 F2-52 69 63 68 A8 E4 35 F2 k.o...5.Rich..5.
0B3B:0090 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0B3B:00A0 50 45 00 00 4C 01 03 00-C3 7C 10 41 00 00 00 00 PE..L....|.A....
0B3B:00B0 00 00 00 00 E0 00 00 00-0B 01 07 0A 00 78 00 00 .............x..
0B3B:00C0 00 88 00 00 00 00 00 00-9D 73 00 00 00 10 00 00 .........s......
0B3B:00D0 00 90 00 00 00 00 00 01-00 10 00 00 00 02 00 00 ................
0B3B:00E0 05 00 01 00 05 00 01 00-04 00 00 00 00 00 00 00 ................
0B3B:00F0 00 30 01 00 00 04 00 00-59 79 01 00 02 00 00 80 .0......Yy......
-r
AX=0000 BX=0001 CX=0200 DX=0000 SP=00B8 BP=0000 SI=0000 DI=0000
DS=0B2B ES=0B2B SS=0B3B CS=0B3B IP=0000 NV UP EI PL NZ NA PO NC
0B3B:0000 0E PUSH CS
-u
0B3B:0000 0E PUSH CS
0B3B:0001 1F POP DS
0B3B:0002 BA0E00 MOV DX,000E
0B3B:0005 B409 MOV AH,09
0B3B:0007 CD21 INT 21
0B3B:0009 B8014C MOV AX,4C01
0B3B:000C CD21 INT 21
0B3B:000E 54 PUSH SP
0B3B:000F 68 DB 68
0B3B:0010 69 DB 69
0B3B:0011 7320 JNB 0033
0B3B:0013 7072 JO 0087
0B3B:0015 6F DB 6F
0B3B:0016 67 DB 67
0B3B:0017 7261 JB 007A
0B3B:0019 6D DB 6D
0B3B:001A 206361 AND [BP+DI+61],AH
0B3B:001D 6E DB 6E
0B3B:001E 6E DB 6E
0B3B:001F 6F DB 6F
-
-u
0B3B:0020 7420 JZ 0042
0B3B:0022 62 DB 62
0B3B:0023 65 DB 65
0B3B:0024 207275 AND [BP+SI+75],DH
0B3B:0027 6E DB 6E
0B3B:0028 20696E AND [BX+DI+6E],CH
0B3B:002B 20444F AND [SI+4F],AL
0B3B:002E 53 PUSH BX
0B3B:002F 206D6F AND [DI+6F],CH
0B3B:0032 64 DB 64
0B3B:0033 65 DB 65
0B3B:0034 2E CS:
0B3B:0035 0D0D0A OR AX,0A0D
0B3B:0038 2400 AND AL,00
0B3B:003A 0000 ADD [BX+SI],AL
0B3B:003C 0000 ADD [BX+SI],AL
0B3B:003E 0000 ADD [BX+SI],AL
-u
0B3B:0040 EC IN AL,DX
0B3B:0041 855BA1 TEST BX,[BP+DI-5F]
0B3B:0044 A8E4 TEST AL,E4
0B3B:0046 35F2A8 XOR AX,A8F2
0B3B:0049 E435 IN AL,35
0B3B:004B F2 REPNZ
0B3B:004C A8E4 TEST AL,E4
0B3B:004E 35F26B XOR AX,6BF2
0B3B:0051 EB3A JMP 008D
0B3B:0053 F2 REPNZ
0B3B:0054 A9E435 TEST AX,35E4
0B3B:0057 F2 REPNZ
0B3B:0058 6B DB 6B
0B3B:0059 EB55 JMP 00B0
0B3B:005B F2 REPNZ
0B3B:005C A9E435 TEST AX,35E4
0B3B:005F F2 REPNZ
0B3B:0060 6B DB 6B
-u
Reputation: ( LV4,RANK:50 )
Post #6
0:000> r
eax=001a1eb4 ebx=7ffd4000 ecx=00000007 edx=00000080 esi=001a1f48 edi=001a1eb4
eip=7c921230 esp=0007fb20 ebp=0007fc94 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
ntdll!DbgBreakPoint:
7c921230 cc int 3
Reputation: ( LV4,RANK:50 )
Post #7
CommandLine: C:\WINDOWS\system32\notepad.exe
Symbol search path is: srv*d:\symbolslocal*http://msdl.microsoft.com/download/symbols
Executable search path is:
ModLoad: 01000000 01013000 notepad.exe
ModLoad: 7c920000 7c9b4000 ntdll.dll
ModLoad: 7c800000 7c91d000 C:\WINDOWS\system32\kernel32.dll
ModLoad: 76320000 76367000 C:\WINDOWS\system32\comdlg32.dll
ModLoad: 77f40000 77fb6000 C:\WINDOWS\system32\SHLWAPI.dll
ModLoad: 77da0000 77e49000 C:\WINDOWS\system32\ADVAPI32.dll
ModLoad: 77e50000 77ee2000 C:\WINDOWS\system32\RPCRT4.dll
ModLoad: 77fc0000 77fd1000 C:\WINDOWS\system32\Secur32.dll
ModLoad: 77ef0000 77f37000 C:\WINDOWS\system32\GDI32.dll
ModLoad: 77d10000 77da0000 C:\WINDOWS\system32\USER32.dll
ModLoad: 77be0000 77c38000 C:\WINDOWS\system32\msvcrt.dll
ModLoad: 77180000 77283000 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\COMCTL32.dll
ModLoad: 7d590000 7dd84000 C:\WINDOWS\system32\SHELL32.dll
ModLoad: 72f70000 72f96000 C:\WINDOWS\system32\WINSPOOL.DRV
(b5c.d08): Break instruction exception - code 80000003 (first chance)
eax=001a1eb4 ebx=7ffde000 ecx=00000007 edx=00000080 esi=001a1f48 edi=001a1eb4
eip=7c921230 esp=0007fb20 ebp=0007fc94 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
ntdll!DbgBreakPoint:
7c921230 cc int 3
0:000> t
eax=001a1eb4 ebx=7ffde000 ecx=00000007 edx=00000080 esi=001a1f48 edi=001a1eb4
eip=7c921231 esp=0007fb20 ebp=0007fc94 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
ntdll!DbgBreakPoint+0x1:
7c921231 c3 ret
0:000> t
eax=001a1eb4 ebx=7ffde000 ecx=00000007 edx=00000080 esi=001a1f48 edi=001a1eb4
eip=7c95edc0 esp=0007fb24 ebp=0007fc94 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
ntdll!LdrpInitializeProcess+0xffa:
7c95edc0 8b4368 mov eax,dword ptr [ebx+68h] ds:0023:7ffde068=00000070
0:000> t
eax=00000070 ebx=7ffde000 ecx=00000007 edx=00000080 esi=001a1f48 edi=001a1eb4
eip=7c95edc3 esp=0007fb24 ebp=0007fc94 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
ntdll!LdrpInitializeProcess+0xffd:
7c95edc3 d1e8 shr eax,1
0:000> t
eax=00000038 ebx=7ffde000 ecx=00000007 edx=00000080 esi=001a1f48 edi=001a1eb4
eip=7c95edc5 esp=0007fb24 ebp=0007fc94 iopl=0 nv up ei pl nz ac po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000212
ntdll!LdrpInitializeProcess+0xfff:
7c95edc5 2401 and al,1
0:000> t
eax=00000000 ebx=7ffde000 ecx=00000007 edx=00000080 esi=001a1f48 edi=001a1eb4
eip=7c95edc7 esp=0007fb24 ebp=0007fc94 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
ntdll!LdrpInitializeProcess+0x1001:
7c95edc7 a221c1997c mov byte ptr [ntdll!ShowSnaps (7c99c121)],al ds:0023:7c99c121=00
0:000> t
eax=00000000 ebx=7ffde000 ecx=00000007 edx=00000080 esi=001a1f48 edi=001a1eb4
eip=7c95edcc esp=0007fb24 ebp=0007fc94 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
ntdll!LdrpInitializeProcess+0x1006:
7c95edcc e99528feff jmp ntdll!LdrpInitializeProcess+0x1006 (7c941666)
0:000> t
eax=00000000 ebx=7ffde000 ecx=00000007 edx=00000080 esi=001a1f48 edi=001a1eb4
eip=7c941666 esp=0007fb24 ebp=0007fc94 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
ntdll!LdrpInitializeProcess+0x1006:
7c941666 833d68d2997c01 cmp dword ptr [ntdll!LdrpNumberOfProcessors (7c99d268)],1 ds:0023:7c99d268=00000001
0:000> t
eax=00000000 ebx=7ffde000 ecx=00000007 edx=00000080 esi=001a1f48 edi=001a1eb4
eip=7c94166d esp=0007fb24 ebp=0007fc94 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
ntdll!LdrpInitializeProcess+0x100d:
7c94166d 7606 jbe ntdll!LdrpInitializeProcess+0x1015 (7c941675) [br=1]
Reputation: ( LV4,RANK:50 )
Post #8
DLL Beginner's Guide (non-MFC)   Author: Notsosuperhero
Translator: 小刀人
Environment: Visual C++ 2003, Windows
Source code download: DLL_Project.rar - source code of the DLL Project and the test project
Original source: codeguru
I am still learning DLLs and cannot claim any lofty insight into them; this article simply uses code to let you see, and wonder about, how the code works. In this article I assume you know how to use your compiler's features, such as setting directory paths.
To set up the project, choose Win32 Console Project (Win32 Console Application) and, on the application settings tab (the advanced tab), select the DLL and empty project options. DLLs may not be as hard as you imagine. First write your header file, called DLLTutorial.h. This file is like any other header file; it contains nothing but a few function prototypes.

#ifndef _DLL_TUTORIAL_H_
#define _DLL_TUTORIAL_H_
#include <iostream>

// DECLDIR exports when the DLL itself is being built, imports otherwise
#if defined DLL_EXPORT
#define DECLDIR __declspec(dllexport)
#else
#define DECLDIR __declspec(dllimport)
#endif

extern "C"
{
    DECLDIR int Add( int a, int b );
    DECLDIR void Function( void );
}
#endif
The first two lines tell the compiler to include this file only once. extern "C" tells the compiler that this section can be used from C/C++.
In VC++ there are two ways to export functions:
1. Use __declspec, a Microsoft-defined keyword.
2. Create a module-definition file (.DEF). The first method is slightly simpler than the second, but both work well.
__declspec(dllexport) exports the function symbols into a storage class in your DLL. I defined DECLDIR so that it exports the functions when the line
#define DLL_EXPORT
is defined, and imports them when that line does not appear in the source file. In this case you will export the functions Add(int a, int b) and Function().
Now you need to write the source file, which will be called DLLTutorial.cpp.

#include <iostream>

// DLL_EXPORT must be defined before the header is included, otherwise
// DECLDIR expands to dllimport and the functions are not exported
#define DLL_EXPORT
#include "DLL_Tutorial.h"

extern "C"
{
    DECLDIR int Add( int a, int b )
    {
        return( a + b );
    }

    DECLDIR void Function( void )
    {
        std::cout << "DLL Called!" << std::endl;
    }
}
Here you define all the functions (in the DLL). int Add(int a, int b) simply adds two numbers, and void Function(void) just lets you know when your DLL has been called. Before I show you how to use the DLL, I want to tell you a little about module-definition files (.def).
Module-definition files (.def)
A module-definition file is a text file with the .def file extension. It is used to export a DLL's functions, much like __declspec(dllexport), but .def files are not Microsoft-defined. A .def file has only two required sections: LIBRARY and EXPORTS. Let's look at a basic .def file first; I will explain it afterwards.

LIBRARY dll_tutorial
DESCRIPTION "our simple DLL"
EXPORTS
    Add @1
    Function @2

The first line, ''LIBRARY'', is a required section. It tells the linker how to name your DLL. The next section, labelled ''DESCRIPTION'', is not required, but I like to put it in. That statement writes the string into the .rdata section [per MSDN]; it tells the people who may use this DLL what the DLL does or what it is for. The following section, labelled ''EXPORTS'', is the other required section; it makes the functions accessible to other applications and creates an import library. When you build the project, not only is a .dll file created, but an export library with the .lib file extension is created as well. Besides the preceding sections there are four others, labelled NAME, STACKSIZE, SECTIONS and VERSION. I won't cover them in this article, but if you search the Internet I think you will find something (translator's note: MSDN 2003 explains each section of the module-definition file in detail; please consult it). Also, a semicolon (;) starts a comment, just like ''//'' in C++.
Now that you have created your DLL, you need to learn how to use it in an application. When the DLL was built, it created a .dll file and a .lib file; you need both.
Implicit linking
There are two ways to load a DLL; one is the shortcut and the other is somewhat more complicated. The shortcut is to just link to your .lib file and put the .dll file into the path of your new project. So create a new, empty Win32 console project and add a source file. Put the DLL you made into the same directory as your new project.

#include <iostream>
#include <DLLTutorial.h>

int main()
{
    Function();
    std::cout << Add(32, 58) << "\n";
    return(1);
}

You have to link to the DLLTutorial.lib file. I set that in the project properties, but you could use the following statement instead:
#pragma comment(lib, "DLLTutorial.lib")
Note that I let the compiler look in my DLL folder to get the .lib file, and also let it look in that directory for the DLL's header file. If you don't want to do that, you can always put them into your new project's directory and use "" (quotes) instead of <>. That is the simple way to load a DLL.
Explicit linking
The harder way to load a DLL is slightly more complicated. You will need function pointers and a few Windows functions. But with this way of loading DLLs you don't need the DLL's .lib or header file, only the DLL itself. Some code is listed below; I will explain it afterwards.
#include <iostream>
#include <windows.h>

typedef int (*AddFunc)(int,int);
typedef void (*FunctionFunc)();

int main()
{
    AddFunc _AddFunc;
    FunctionFunc _FunctionFunc;
    HINSTANCE hInstLibrary = LoadLibrary("DLL_Tutorial.dll");

    if (hInstLibrary == NULL)
    {
        // the load failed: release and stop, the handle cannot be used
        FreeLibrary(hInstLibrary);
        return(1);
    }

    _AddFunc = (AddFunc)GetProcAddress(hInstLibrary, "Add");
    _FunctionFunc = (FunctionFunc)GetProcAddress(hInstLibrary, "Function");

    if ((_AddFunc == NULL) || (_FunctionFunc == NULL))
    {
        // one of the exports is missing: release the DLL and stop
        FreeLibrary(hInstLibrary);
        return(1);
    }

    std::cout << _AddFunc(23, 43) << std::endl;
    _FunctionFunc();

    std::cin.get();

    FreeLibrary(hInstLibrary);

    return(1);
}
First you will notice that the file "windows.h" is included and "DLL_Tutorial.h" has been removed. The reason is simple: windows.h contains some Windows functions, and of course right now you only need a few of them. It also contains some Windows-specific variables that will be used. You can drop the DLL's header file (DLL_Tutorial.h) because, as I said earlier, you don't need it when you load the DLL this way.
Next you will see a small piece of odd-looking code in the following form:
typedef int (*AddFunc)(int,int);
typedef void (*FunctionFunc)();
These are function pointers. Because this is a tutorial about DLLs, digging into function pointers is beyond its scope; so for now just treat them as aliases for the functions the DLL contains. I like to name them with "Func" at the end. The (int,int) part is the function's parameter part; for example, the Add function takes two integers, so you need them (translator's note: the (int,int) part) as the function pointer's parameters. The Function function has no parameters, so you leave it empty. The first two lines of main() declare the function pointers so that you can think of them as equivalent to the functions inside the DLL. I just like to define them in advance.
An HINSTANCE is a Windows data type: a handle to an instance; in this case the instance will be the DLL. You get the DLL's instance with the LoadLibrary() function, which takes a name as its parameter. After calling LoadLibrary you must check whether the function succeeded. You do that by checking whether the HINSTANCE equals NULL (defined as 0 in Windows.h or in a header Windows.h includes). If it equals NULL, the handle is invalid and you must free the library; in other words, you must release the memory the DLL obtained. If the function succeeded, your HINSTANCE holds a handle to the DLL.
Once you have the handle to the DLL, you can retrieve the functions from the DLL. To do so you must use the GetProcAddress() function, which takes the DLL's handle (you can use the HINSTANCE) and the function's name as parameters. You let the function pointer receive the value returned by GetProcAddress(), and you must cast GetProcAddress() to the function pointer defined for that function. For example, for the Add() function you must cast GetProcAddress() to AddFunc; that is how it knows the parameters and the return value. Now it is best to check whether the function pointers equal NULL and whether they hold the DLL's functions. That is just a simple if statement; if one of them equals NULL you must free the library as described earlier.
Once the function pointers hold the DLL's functions you can use them, but there is one thing to note: you cannot use the functions' actual names; you must call them through the function pointers. After that, all you need to do is free the library, and that's it.
Now you know some basics about DLLs. You know how to create them, and you know how to link them in two different ways. There is still much more to learn, but I leave that for you to explore and for better authors to write about.
Author
I love playing guitar and I love programming. Nothing else; my life is "really boring", :)
Reputation: ( LV4,RANK:50 )
Post #9
A Brief Look at the Native API
Created: 2005-03-09
Article type: repost
Submitted by: cisocker (cisocker_at_163.com)
by sunwear [E.S.T]
2004/10/02
shellcoder@163.com
This article is really only a set of notes about the Native API. Besides the Win32 API, the NT platform exposes another basic interface: the Native API. The Native API is familiar to many people as well, because kernel-mode modules sit at a lower system level, where the environment subsystems are invisible. Nevertheless, driver-level access is not required to reach this interface; an ordinary Win32 program can call down into the Native API at any time. There is no technical restriction; it is simply that Microsoft does not support this way of developing applications.
DLLs such as User32.dll, kernel32.dll, shell32.dll, gdi32.dll, rpcrt4.dll, comctl32.dll, advapi32.dll and version.dll represent the basic providers of the Win32 API. Every call in the Win32 API ultimately goes to ntdll.dll, which forwards it to ntoskrnl.exe. ntdll.dll is the user-mode end of the Native API; the real interface is implemented in ntoskrnl.exe. In fact, kernel-mode drivers call this module most of the time when they request system services. The main job of ntdll.dll is to make a specific subset of kernel functions callable by programs running in user mode. ntdll.dll enters ntoskrnl.exe through the software interrupt int 2Eh, that is, it switches the CPU privilege level through an interrupt gate. For example, DeviceIoControl(), exported by kernel32.dll, actually calls NtDeviceIoControlFile(), exported by ntdll.dll. Disassembling that function shows EAX being loaded with the magic number 0x38, which is really the system call number, and then EDX being pointed at the stack. The target address is the current stack pointer ESP+4, so EDX points just past the return address, i.e. at whatever was pushed onto the stack before NtDeviceIoControlFile() was entered, which is in fact the function's arguments. The next instruction is int 2Eh, which transfers to the interrupt handler at position 0x2E of the interrupt descriptor table (IDT).
Disassembling this function gives:
mov eax, 38h
lea edx, [esp+4]
int 2Eh
ret 28h
Of course the int 2E interface is not just a simple dispatcher of API calls; it is the main gate from user mode into kernel mode.
The W2k Native API consists of 248 functions handled this way, 37 more than NT 4.0. They are easy to recognise in the export list of ntdll.dll by their Nt prefix. ntdll.dll exports 249 of them; the reason is that NtCurrentTeb() is a pure user-mode function and does not need to be passed to the kernel. Surprisingly, only a subset of the Native API can be called from kernel mode. On the other hand, ntoskrnl.exe exports two Nt* symbols that do not exist in ntdll.dll: NtBuildNumber and NtGlobalFlag. They do not point to functions; they are in fact variables of ntoskrnl.exe, and driver modules can import them with the C compiler's extern keyword. Both ntdll.dll and ntoskrnl.exe carry two prefixes, Nt* and Zw*. In ntdll.dll the disassembly of the two is identical. In ntoskrnl.exe, however, the Nt prefix points to the real code, while Zw is still an int 2Eh stub. That is, the Zw* function set passes through the user-mode-to-kernel-mode gate, while the Nt* symbols point directly at the code after the mode switch. NtCurrentTeb() in ntdll.dll has no corresponding Zw function. Ntoskrnl does not export Nt/Zw functions in pairs; some functions appear in only one form.
The 2Eh interrupt handler uses the value in EAX as an index into a lookup table to find the final target function. That table is the system service table (SST); the C structure SYSTEM_SERVICE_TABLE is defined as follows. The listing also contains the definition of the structure SERVICE_DESCRIPTOR_TABLE, an array of four SSTs, the first two of which have special uses.
typedef NTSTATUS (NTAPI *NTPROC) ();
typedef NTPROC *PNTPROC;
#define NTPROC_ sizeof (NTPROC)

typedef struct _SYSTEM_SERVICE_TABLE
{
    PNTPROC ServiceTable;   // array of entry-point pointers
    PDWORD  CounterTable;   // array of call counters
    DWORD   ServiceLimit;   // number of service entries
    PBYTE   ArgumentTable;  // array of argument byte counts, one per service
} SYSTEM_SERVICE_TABLE,
 *PSYSTEM_SERVICE_TABLE,
**PPSYSTEM_SERVICE_TABLE;

// ------------------------------------------------------------

typedef struct _SERVICE_DESCRIPTOR_TABLE
{
    SYSTEM_SERVICE_TABLE ntoskrnl; // system services implemented by ntoskrnl: the Native API
    SYSTEM_SERVICE_TABLE win32k;   // system services implemented by win32k
    SYSTEM_SERVICE_TABLE Table3;   // unused
    SYSTEM_SERVICE_TABLE Table4;   // unused
} SERVICE_DESCRIPTOR_TABLE,
 *PSERVICE_DESCRIPTOR_TABLE,
**PPSERVICE_DESCRIPTOR_TABLE;
ntoskrnl exports a pointer to the main SDT through the KeServiceDescriptorTable symbol. The kernel maintains a second SDT, KeServiceDescriptorTableShadow, but that symbol is not exported. Accessing the main SDT from a kernel-mode component is simple; it takes two lines of C:
extern PSERVICE_DESCRIPTOR_TABLE KeServiceDescriptorTable;
PSERVICE_DESCRIPTOR_TABLE psdt= KeServiceDescriptorTable;
NTPROC is a convenient placeholder for Native API functions, similar to PROC in Win32 programming. A Native API function normally returns an NTSTATUS code and uses the NTAPI calling convention, which is the same as __stdcall. The ServiceLimit member holds the number of entries found in the ServiceTable array; under 2000 the default value is 248. ArgumentTable is an array of BYTEs, each corresponding to a position in ServiceTable and giving the number of argument bytes on the caller's stack. Combined with EDX, this is the information the kernel needs to copy the arguments from the caller's stack to its own stack. The CounterTable member is not used in the free build of 2000; in the debug build it points to an array of DWORDs holding the usage count of every function, information that can be used for performance analysis.
You can display the table with the command dd KeServiceDescriptorTable; the debugger resolves this symbol to 0x8046e0c0. Only the first four lines matter; they correspond to the four SDT members.
Running the command ln 8046e100 shows the symbol KeServiceDescriptorTableShadow, which confirms that the second SDT maintained by the kernel really does start at the fifth line. The main difference is that the latter contains the win32k.sys entries while the former does not. In both tables, Table3 and Table4 are empty. Ntoskrnl.exe provides a convenient API function for filling these slots, named:
KeAddSystemServiceTable
This function fills those positions.
The 2Eh interrupt handler is labelled KiSystemService(). This too is an internal symbol that ntoskrnl.exe does not export, but it is included in the 2k symbol files. KiSystemService operates as follows:
1. Retrieve the SDT pointer from the current thread control block.
2. Decide which of the four SSTs in the SDT to use, by testing bits 12 and 13 of the service ID delivered in EAX. IDs 0x0000-0x0fff map to the ntoskrnl table, IDs 0x1000-0x1fff are assigned to the win32k table, and the remaining ranges 0x2000-0x2fff and 0x3000-0x3fff are reserved for Table3 and Table4.
3. Check bits 0-11 of EAX against the ServiceLimit member of the selected SST. If the ID is out of range, return the error code STATUS_INVALID_SYSTEM_SERVICE.
4. Check the argument stack pointer in EDX against MmUserProbeAddress. This is a global variable exported by ntoskrnl, normally equal to 0x7FFF0000; if the argument pointer is not below that address, return STATUS_ACCESS_VIOLATION.
5. Look up the number of argument stack bytes in ArgumentTable and copy all the arguments from the caller's stack to the current kernel-mode stack.
6. Look up the service function pointer in ServiceTable and call that function.
7. After the service call returns, control transfers to the internal function KiServiceExit.
From the discussion of the SDT you can see that there is a second kernel-mode interface alongside the Native API. This interface connects the Win32 subsystem's graphics device interface and window manager to the kernel-mode component Win32k. The Win32k interface is likewise based on int 2Eh. Native API service numbers run from 0x0000 to 0x0fff; win32k's run from 0x1000 to 0x1fff (dd W32pServiceTable, provided the win32k.sys symbols are available). win32k contains 639 system services in total. The 2Eh handler does not use the global SDT KeServiceDescriptorTable but a thread-specific pointer. Evidently threads can have different SDTs associated with them. When a thread is initialised, KeInitializeThread() writes KeServiceDescriptorTable into the thread's control block. Nevertheless, this default may later be changed to another value, for example KeServiceDescriptorTableShadow.

Windows 2000 Runtime Library
Ntdll.dll exports no fewer than 1179 symbols. Of these, 249/248 belong to the Nt*/Zw* sets. So there are still 682 functions that do not pass through the int 2Eh gate. Clearly these many functions do not depend on the 2k kernel.
Some of them are almost identical to C runtime library functions. In fact ntoskrnl also implements some C-runtime-like functions. These functions can be linked and used through the ntdll.lib in the DDK. Disassembling the C runtime functions of ntdll.dll and ntoskrnl.exe shows that ntdll.dll does not depend on ntoskrnl.exe; the two modules each implement these functions themselves.
Besides the C runtime library, 2000 also provides an extended set of runtime functions. Again, ntdll.dll and ntoskrnl.exe each implement them, and again the two implementation sets overlap but do not match exactly. The functions of this set all start with Rtl. The 2000 runtime library includes helper functions for tasks the C runtime cannot handle; for example, some deal with security matters, others manipulate 2000-specific data structures, and some support memory management. Microsoft documents only 115 of the 406 very useful functions in the DDK.
Ntdll.dll also provides another function set, with the __e prefix; these are actually used by the floating-point emulator.
There are many more function sets; the prefixes of all of them are as follows:
__e (floating-point emulation), Cc (cache manager), Csr (client/server runtime), Dbg (debugging support), Ex (executive support), FsRtl (file system runtime), Hal (hardware abstraction layer), Inbv (system initialisation / VGA boot driver bootvid.dll), Init (system initialisation), Interlocked (thread-safe variable operations), Io (I/O manager), Kd (kernel debugger support), Ke (kernel routines), Ki (kernel interrupt handling), Ldr (image loader), Lpc (local procedure call), Lsa (local security authority), Mm (memory management), Nls (national language support), Nt (NT Native API), Ob (object manager), Pfx (prefix handling), Po (power management), Ps (process support), READ_REGISTER_ (read from a register address), Rtl (2k runtime library), Se (security handling), WRITE_REGISTER_ (write to a register address), Zw (alternative name for the Native API), <others> (helper functions and C runtime library).
When writing software that interacts with the 2000 kernel, from user mode through ntdll.dll or from kernel mode through ntoskrnl.exe, you have to deal with many basic data structures that are rarely seen in the Win32 world.
Common data structures
- Integers
ANSI CHAR is signed, while Unicode WCHAR is unsigned.
MASM's TBYTE is an 80-bit floating-point number used for high-precision FPU operations; note that it is completely different from Win32's TBYTE (text byte).
TABLE 2-3. Equivalent Integral Data Types

BITS  MASM   FUNDAMENTAL       ALIAS #1    ALIAS #2    SIGNED
8     BYTE   unsigned char     UCHAR                   CHAR
16    WORD   unsigned short    USHORT      WCHAR       SHORT
32    DWORD  unsigned long     ULONG                   LONG
32    DWORD  unsigned int      UINT                    INT
64    QWORD  unsigned __int64  ULONGLONG   DWORDLONG   LONGLONG
80    TBYTE  N/A
typedef union _LARGE_INTEGER
{
    struct
    {
        ULONG LowPart;
        LONG  HighPart;
    };
    LONGLONG QuadPart;
} LARGE_INTEGER, *PLARGE_INTEGER;

typedef union _ULARGE_INTEGER
{
    struct
    {
        ULONG LowPart;
        ULONG HighPart;
    };
    ULONGLONG QuadPart;
} ULARGE_INTEGER, *PULARGE_INTEGER;
- Characters
In Win32 programming PSTR is used for CHAR* and PWSTR for WCHAR*; depending on whether UNICODE is defined, PTSTR is interpreted as PSTR or PWSTR. In 2k kernel mode the common data type is UNICODE_STRING, while STRING represents an ANSI string:
typedef struct _UNICODE_STRING
{
    USHORT Length;         // current length in bytes, not characters!!!
    USHORT MaximumLength;  // maximum length of Buffer in bytes
    PWSTR  Buffer;
} UNICODE_STRING, *PUNICODE_STRING;

typedef struct _STRING
{
    USHORT Length;
    USHORT MaximumLength;
    PCHAR  Buffer;
} STRING, *PSTRING;

typedef STRING ANSI_STRING, *PANSI_STRING;
typedef STRING OEM_STRING, *POEM_STRING;

Manipulation functions: RtlCreateUnicodeString(), RtlInitUnicodeString(), RtlCopyUnicodeString(), etc.
- Structures
Many kernel API functions, such as NtOpenFile(), require a fixed-size OBJECT_ATTRIBUTES structure. The object attributes are a combination of OBJ_* values, which can be found in ntdef.h.
The IO_STATUS_BLOCK structure provides information about the result of the requested operation. It is simple: the Status member holds an NTSTATUS code, and if the operation succeeded the Information member supplies request-specific information.
Another structure is LIST_ENTRY, a doubly linked circular list.
typedef struct _OBJECT_ATTRIBUTES
{
    ULONG           Length;
    HANDLE          RootDirectory;
    PUNICODE_STRING ObjectName;
    ULONG           Attributes;
    PVOID           SecurityDescriptor;
    PVOID           SecurityQualityOfService;
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;

typedef struct _IO_STATUS_BLOCK
{
    NTSTATUS Status;
    ULONG    Information;
} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;

typedef struct _LIST_ENTRY
{
    struct _LIST_ENTRY *Flink;
    struct _LIST_ENTRY *Blink;
} LIST_ENTRY, *PLIST_ENTRY;
The typical examples of doubly linked lists are the process and thread lists. The internal variable PsActiveProcessHead is a LIST_ENTRY structure in the data section of ntoskrnl.exe that designates the first member of the system process list.
The CLIENT_ID structure consists of a process ID and a thread ID.
typedef struct _CLIENT_ID
{
    HANDLE UniqueProcess;
    HANDLE UniqueThread;
} CLIENT_ID, *PCLIENT_ID;
To call API functions in ntdll.dll from user mode, four points have to be considered:
1. The SDK header files do not contain prototypes for these functions.
2. Several basic data types used by these functions are not included in the SDK files.
3. The SDK and DDK header files are incompatible; ntddk.h cannot be included in a Win32 C source file.
4. ntdll.lib is not in VC's default import library list.
The fourth is easy to solve: #pragma comment(linker, "/defaultlib:ntdll.lib")
The missing definitions are harder. The simplest approach is to write a custom header file that contains just the definitions needed to call the functions in ntdll.dll. Fortunately this work has already been done in the w2k_def.h file on the CD. Because that header is used by both user-mode and kernel-mode programs, user-mode code must #define _USER_MODE_ before #include <w2k_def.h>, so that the definitions present in the DDK but absent from the SDK become available. Parts of this article were translated from an e-book, <win api about>. Thanks also to my friend GameHunter, whose English is excellent, for his help, and to Free for his guidance.
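As an added example (not part of the post or of any Microsoft code), here is a portable C model of the seven KiSystemService steps listed above, run over a constructed SERVICE_DESCRIPTOR_TABLE laid out like the listing. The two services, the argument block and the explicit probe-limit parameter are assumptions; the ring transition is left out so that the ServiceLimit and MmUserProbeAddress checks can be exercised on any host.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef int32_t NTSTATUS;
/* Service entry point: receives the argument bytes copied to the kernel stack. */
typedef NTSTATUS (*NTPROC)(const uint8_t *args);

#define STATUS_ACCESS_VIOLATION       ((NTSTATUS)0xC0000005)
#define STATUS_INVALID_SYSTEM_SERVICE ((NTSTATUS)0xC000001C)

/* Same layout as the SYSTEM_SERVICE_TABLE / SERVICE_DESCRIPTOR_TABLE listing,
 * with portable fixed-width types in place of the DDK typedefs. */
typedef struct _SYSTEM_SERVICE_TABLE {
    NTPROC   *ServiceTable;   /* entry-point pointers */
    uint32_t *CounterTable;   /* call counters (NULL in the free build) */
    uint32_t  ServiceLimit;   /* number of entries */
    uint8_t  *ArgumentTable;  /* argument bytes per entry */
} SYSTEM_SERVICE_TABLE;

typedef struct _SERVICE_DESCRIPTOR_TABLE {
    SYSTEM_SERVICE_TABLE ntoskrnl;  /* IDs 0x0000-0x0fff */
    SYSTEM_SERVICE_TABLE win32k;    /* IDs 0x1000-0x1fff */
    SYSTEM_SERVICE_TABLE Table3;    /* IDs 0x2000-0x2fff, unused */
    SYSTEM_SERVICE_TABLE Table4;    /* IDs 0x3000-0x3fff, unused */
} SERVICE_DESCRIPTOR_TABLE;

/* Two constructed services: ID 0 adds two DWORD arguments, ID 1 takes none. */
static NTSTATUS SvcAddTwo(const uint8_t *args) {
    uint32_t a, b;
    memcpy(&a, args, 4);
    memcpy(&b, args + 4, 4);
    return (NTSTATUS)(a + b);
}
static NTSTATUS SvcNoArgs(const uint8_t *args) { (void)args; return 0x42; }

static NTPROC   ntoskrnl_procs[]    = { SvcAddTwo, SvcNoArgs };
static uint8_t  ntoskrnl_argbytes[] = { 8, 0 };
static uint32_t ntoskrnl_counters[2];

/* Constructed SDT: only the ntoskrnl slot is populated, so every win32k,
 * Table3 or Table4 ID is out of range, as before KeAddSystemServiceTable runs. */
static SERVICE_DESCRIPTOR_TABLE KeServiceDescriptorTable = {
    { ntoskrnl_procs, ntoskrnl_counters, 2, ntoskrnl_argbytes },
    { NULL, NULL, 0, NULL },
    { NULL, NULL, 0, NULL },
    { NULL, NULL, 0, NULL },
};

/* Constructed caller argument block: the DWORDs 3 and 4, little-endian. */
static const uint8_t SampleArgs[8] = { 3, 0, 0, 0, 4, 0, 0, 0 };

/* The seven KiSystemService steps. The probe limit is passed in explicitly
 * (the real MmUserProbeAddress is 0x7FFF0000; host addresses are unrelated). */
NTSTATUS KiSystemServiceModel(uint32_t eax, const void *edx, uintptr_t probeAddress) {
    SERVICE_DESCRIPTOR_TABLE *sdt = &KeServiceDescriptorTable;   /* 1: the thread's SDT */
    SYSTEM_SERVICE_TABLE *sst = (SYSTEM_SERVICE_TABLE *)sdt;
    sst += (eax >> 12) & 3;                                       /* 2: bits 12-13 pick the SST */
    uint32_t index = eax & 0x0fff;                                /* 3: bits 0-11 index into it */
    if (index >= sst->ServiceLimit)
        return STATUS_INVALID_SYSTEM_SERVICE;
    if ((uintptr_t)edx >= probeAddress)                           /* 4: arguments must lie below the probe address */
        return STATUS_ACCESS_VIOLATION;
    uint8_t kernelStack[64] = { 0 };                              /* 5: copy ArgumentTable[index] bytes */
    memcpy(kernelStack, edx, sst->ArgumentTable[index]);
    if (sst->CounterTable)
        sst->CounterTable[index]++;
    NTSTATUS status = sst->ServiceTable[index](kernelStack);      /* 6: call the service */
    return status;                                                /* 7: back out through KiServiceExit */
}

/* Read back the checked-build call counter for a ntoskrnl-table entry. */
uint32_t ServiceCallCount(uint32_t index) { return ntoskrnl_counters[index]; }

int main(void) {
    uintptr_t probe = UINTPTR_MAX;  /* accept any host address as "user space" */
    printf("ID 0x0000 -> 0x%08x (3 + 4)\n", (unsigned)KiSystemServiceModel(0x0000, SampleArgs, probe));
    printf("ID 0x0001 -> 0x%08x\n", (unsigned)KiSystemServiceModel(0x0001, SampleArgs, probe));
    printf("ID 0x0002 -> 0x%08x (beyond ServiceLimit)\n", (unsigned)KiSystemServiceModel(0x0002, SampleArgs, probe));
    printf("ID 0x1000 -> 0x%08x (win32k table empty)\n", (unsigned)KiSystemServiceModel(0x1000, SampleArgs, probe));
    printf("ID 0x0000, arguments above probe address -> 0x%08x\n",
           (unsigned)KiSystemServiceModel(0x0000, SampleArgs, 0));
    return 0;
}
```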
Reputation: ( LV4,RANK:50 )
Post #10
Opening NTDLL.dll, I was surprised to find that many basic CRT functions are actually implemented here, even functions like qsort and ceil, and the infamous strcpy (strictly speaking, that is only the fault of careless users). Heap release and process management seem to live here too. So I decided to look carefully at what these 1410 functions do.

When user-mode code calls a system kernel function, it first puts a number called the system call number in EAX and the parameters in other registers, then invokes the INT 2E interrupt. But most applications do not need to do this directly; usually kernel32.dll and the like issue INT 2E when they are called.
Kernel-mode code does it slightly differently. It usually calls the series of Zw-prefixed functions in NTDLL.dll that are exported by NTOSKRNL.EXE, such as ZwWaitForSingleObject; conversely, when user-level code needs to call the kernel it uses INT 2E to call WaitForSingleObject. For bulk calls of many functions you will clearly notice that the Zw family is much more efficient than the Rtl family. Unfortunately most of the functions in ntdll.dll are undocumented.
For the functions whose definitions are known, they can be called like this:
1. First load NTDLL.DLL: LoadLibrary(TEXT("NTDLL.dll"))
2. Use GetProcAddress to obtain the function's entry address
3. Call through the resulting function pointer
They can, however, be divided roughly into a few categories:
1 PropertyLengthAsVariant. It is listed first, but I just can't work out what it does.
2 Csr (configuration status register? Command and Status Register?) series
CsrAllocateCaptureBuffer CsrAllocateMessagePointer CsrCaptureMessageBuffer CsrCaptureMessageMultiUnicodeStringsInPlace CsrCaptureMessageString CsrCaptureTimeout CsrClientCallServer CsrClientConnectToServer CsrFreeCaptureBuffer CsrGetProcessId CsrIdentifyAlertableThread CsrNewThread CsrProbeForRead CsrProbeForWrite CsrSetPriorityClass
3 Dbg series, debugging functions
DbgBreakPoint DbgPrint DbgPrintEx DbgPrintReturnControlC DbgPrompt DbgQueryDebugFilterState DbgSetDebugFilterState DbgUiConnectToDbg DbgUiContinue DbgUiConvertStateChangeStructure DbgUiDebugActiveProcess DbgUiGetThreadDebugObject DbgUiIssueRemoteBreakin DbgUiRemoteBreakin DbgUiSetThreadDebugObject DbgUiStopDebugging DbgUiWaitStateChange DbgUserBreakPoint
4 Ki series
KiRaiseUserExceptionDispatcher
KiUserApcDispatcher
KiUserCallbackDispatcher
KiUserExceptionDispatcher
5 Ldr series, Loader APIs, 34 in total

API                                       NTDLL APIs
LoadResource                              LdrAccessResource
                                          LdrAlternateResourcesEnabled
DisableThreadLibraryCalls                 LdrDisableThreadCalloutsForDll
                                          LdrEnumResources
                                          LdrFindAppCompatVariableInfo
                                          LdrFindEntryForAddress
EnumResourceTypesW                        LdrFindResourceDirectory_U
FindResourceExA                           LdrFindResource_U
                                          LdrFlushAlternateResourceModules
                                          LdrGetAlternateResourceModuleHandle
GetModuleHandleForUnicodeString           LdrGetDllHandle
GetProcAddress                            LdrGetProcedureAddress
                                          LdrInitializeThunk
LoadLibraryEx (LOAD_LIBRARY_AS_DATAFILE)  LdrLoadAlternateResourceModule
LoadLibrary                               LdrLoadDll
                                          LdrProcessRelocationBlock
                                          LdrQueryApplicationCompatibilityGoo
                                          LdrQueryImageFileExecutionOptions
                                          LdrQueryProcessModuleInformation
                                          LdrRelocateImage
ExitProcess                               LdrShutdownProcess
ExitThread                                LdrShutdownThread
                                          LdrUnloadAlternateResourceModule
FreeLibrary                               LdrUnloadDll
                                          LdrVerifyImageMatchesChecksum
                                          LdrVerifyMappedImageMatchesChecksum

6 Nls (National Language Support) series, code page management
NlsAnsiCodePage
NlsMbCodePageTag
NlsMbOemCodePageTag
7 Nt series, 285 in total, mostly the core implementations behind kernel32.dll, user32.dll and so on
NtCreateFile, NtOpenFile, NtClose and NtWaitForSingleObject are the core implementations of much user-level code in kernel32.dll.
NTSTATUS NtClose( HANDLE Handle);
turns out to be the original form of CloseHandle! Its only drawback is that the function has no export library; to call it you must obtain its function pointer with GetProcAddress and then call it.
NtCreateFile can be called the core of the DDK.
RtlUnwind initiates an unwind of procedure call frames
The core of structured exception handling (SEH).
NTSTATUS NtWaitForSingleObject( HANDLE Handle, BOOLEAN Alertable, PLARGE_INTEGER Timeout);
Waits until the specified object attains a state of signaled
I suppose signalling, synchronisation and the like must be closely related to it.
8 Pfx series, not understood
PfxFindPrefix
PfxInitialize
PfxInsertPrefix
PfxRemovePrefix
9 RestoreEm87Context SaveEm87Context
10 Rtl series, 506 in total. I suppose Rtl stands for runtime library. A very large function family, containing some very basic functions such as RtlCreateUserProcess, usually called by kernel-mode drivers and the like.
Below is a partial sample.

APIs Forwarded to NTDLL

API                          Destination
DeleteCriticalSection        Forwarded to NTDLL.RtlDeleteCriticalSection
EnterCriticalSection         Forwarded to NTDLL.RtlEnterCriticalSection
HeapAlloc                    Forwarded to NTDLL.RtlAllocateHeap
HeapFree                     Forwarded to NTDLL.RtlFreeHeap
HeapReAlloc                  Forwarded to NTDLL.RtlReAllocateHeap
HeapSize                     Forwarded to NTDLL.RtlSizeHeap
LeaveCriticalSection         Forwarded to NTDLL.RtlLeaveCriticalSection
RtlFillMemory                Forwarded to NTDLL.RtlFillMemory
RtlMoveMemory                Forwarded to NTDLL.RtlMoveMemory
RtlUnwind                    Forwarded to NTDLL.RtlUnwind
RtlZeroMemory                Forwarded to NTDLL.RtlZeroMemory
SetCriticalSectionSpinCount  Forwarded to NTDLL.RtlSetCriticalSectionSpinCount
TryEnterCriticalSection      Forwarded to NTDLL.RtlTryEnterCriticalSection
VerSetConditionMask          Forwarded to NTDLL.VerSetConditionMask
11 VerSetConditionMask, used to verify system information
The VerSetConditionMask function sets the bits of a 64-bit value to indicate the comparison operator to use for a specified operating system version attribute. This function is used to build the dwlConditionMask parameter of the VerifyVersionInfo function.
12 Zw series, 284 in total. As said before, they provide the kernel-mode entry points for executive system services and are implemented by NTOSKRNL.EXE. Because they run in kernel mode, they do not check whether the user has permission to execute them.
13 Internal functions, 116 in total. Their exact purpose is unknown; very low-level stuff. No related material could be found, and nothing about them could be learned.
_CIcos _CIlog _CIpow _CIsin _CIsqrt __eCommonExceptions __eEmulatorInit __eF2XM1 __eFABS __eFADD32 __eFADD64 __eFADDPreg __eFADDreg __eFADDtop __eFCHS __eFCOM __eFCOM32 __eFCOM64 __eFCOMP __eFCOMP32 __eFCOMP64 __eFCOMPP __eFCOS __eFDECSTP __eFDIV32 __eFDIV64 __eFDIVPreg __eFDIVR32 __eFDIVR64 __eFDIVRPreg __eFDIVRreg __eFDIVRtop __eFDIVreg __eFDIVtop __eFFREE __eFIADD16 __eFIADD32 __eFICOM16 __eFICOM32 __eFICOMP16 __eFICOMP32 __eFIDIV16 __eFIDIV32 __eFIDIVR16 __eFIDIVR32 __eFILD16 __eFILD32 __eFILD64 __eFIMUL16 __eFIMUL32 __eFINCSTP __eFINIT __eFIST16 __eFIST32 __eFISTP16 __eFISTP32 __eFISTP64 __eFISUB16 __eFISUB32 __eFISUBR16 __eFISUBR32 __eFLD1 __eFLD32 __eFLD64 __eFLD80 __eFLDCW __eFLDENV __eFLDL2E __eFLDLN2 __eFLDPI __eFLDZ __eFMUL32 __eFMUL64 __eFMULPreg __eFMULreg __eFMULtop __eFPATAN __eFPREM __eFPREM1 __eFPTAN __eFRNDINT __eFRSTOR __eFSAVE __eFSCALE __eFSIN __eFSQRT __eFST __eFST32 __eFST64 __eFSTCW __eFSTENV __eFSTP __eFSTP32 __eFSTP64 __eFSTP80 __eFSTSW __eFSUB32 __eFSUB64 __eFSUBPreg __eFSUBR32 __eFSUBR64 __eFSUBRPreg __eFSUBRreg __eFSUBRtop __eFSUBreg __eFSUBtop __eFTST __eFUCOM __eFUCOMP __eFUCOMPP __eFXAM __eFXCH __eFXTRACT __eFYL2X __eFYL2XP1 __eGetStatusWord
14 Some basic CRT functions, 131 in total, mainly string handling plus some basic math functions
__isascii __iscsym __iscsymf __toascii _alldiv _alldvrm _allmul _alloca_probe _allrem _allshl _allshr _atoi64 _aulldiv _aulldvrm _aullrem _aullshr _chkstk _fltused _ftol _i64toa _i64tow _itoa _itow _lfind _ltoa _ltow _memccpy _memicmp _snprintf _snwprintf _splitpath _strcmpi _stricmp _strlwr _strnicmp _strupr _tolower _toupper _ui64toa _ui64tow _ultoa _ultow _vsnprintf _vsnwprintf _wcsicmp _wcslwr _wcsnicmp _wcsupr _wtoi _wtoi64 _wtol abs atan atoi atol bsearch ceil cos fabs floor isalnum isalpha iscntrl isdigit isgraph islower isprint ispunct isspace isupper iswalpha iswctype iswdigit iswlower iswspace iswxdigit isxdigit labs log mbstowcs memchr memcmp memcpy memmove memset pow qsort sin sprintf sqrt sscanf strcat strchr strcmp strcpy strcspn strlen strncat strncmp strncpy strpbrk strrchr strspn strstr strtol strtoul swprintf tan tolower toupper towlower towupper vDbgPrintEx vDbgPrintExWithPrefix vsprintf wcscat wcschr wcscmp wcscpy wcscspn wcslen wcsncat wcsncmp wcsncpy wcspbrk wcsrchr wcsspn wcsstr wcstol wcstombs wcstoul
================塞纳河畔
Reputation: ( LV4,RANK:50 )
Post #11
ntdll.dll ==== the WinXP one, opened with NOTEPAD.exe: more than 1000 APIs?
Skill level:
( LV4,RANK:50 )
Post #12
Microsoft (R) Windows Debugger Version 6.9.0003.113 X86
Copyright (c) Microsoft Corporation. All rights reserved.
CommandLine: notepad.exe
Symbol search path is: *** Invalid ***
****************************************************************************
* Symbol loading may be unreliable without a symbol search path. *
* Use .symfix to have the debugger choose a symbol path. *
* After setting your symbol path, use .reload to refresh symbol locations. *
****************************************************************************
Executable search path is:
ModLoad: 01000000 01013000 notepad.exe
ModLoad: 7c920000 7c9b4000 ntdll.dll
ModLoad: 7c800000 7c91d000 C:\WINDOWS\system32\kernel32.dll
ModLoad: 76320000 76367000 C:\WINDOWS\system32\comdlg32.dll
ModLoad: 77f40000 77fb6000 C:\WINDOWS\system32\SHLWAPI.dll
ModLoad: 77da0000 77e49000 C:\WINDOWS\system32\ADVAPI32.dll
ModLoad: 77e50000 77ee2000 C:\WINDOWS\system32\RPCRT4.dll
ModLoad: 77fc0000 77fd1000 C:\WINDOWS\system32\Secur32.dll
ModLoad: 77ef0000 77f37000 C:\WINDOWS\system32\GDI32.dll
ModLoad: 77d10000 77da0000 C:\WINDOWS\system32\USER32.dll
ModLoad: 77be0000 77c38000 C:\WINDOWS\system32\msvcrt.dll
ModLoad: 77180000 77283000 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\COMCTL32.dll
ModLoad: 7d590000 7dd84000 C:\WINDOWS\system32\SHELL32.dll
ModLoad: 72f70000 72f96000 C:\WINDOWS\system32\WINSPOOL.DRV
(9a4.c58): Break instruction exception - code 80000003 (first chance)
eax=001a1eb4 ebx=7ffdd000 ecx=00000007 edx=00000080 esi=001a1f48 edi=001a1eb4
eip=7c921230 esp=0007fb20 ebp=0007fc94 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntdll.dll -
ntdll!DbgBreakPoint:
7c921230 cc int 3
0:000>
Skill level:
( LV4,RANK:50 )
Post #13
With NTSD the symbol table doesn't work?
NTSD's lm command:
0:000> lm
start end module name
01000000 01013000 notepad (deferred)
72f70000 72f96000 WINSPOOL (deferred)
76320000 76367000 comdlg32 (deferred)
77180000 77283000 COMCTL32 (deferred)
77be0000 77c38000 msvcrt (deferred)
77d10000 77da0000 USER32 (deferred)
77da0000 77e49000 ADVAPI32 (deferred)
77e50000 77ee2000 RPCRT4 (deferred)
77ef0000 77f37000 GDI32 (deferred)
77f40000 77fb6000 SHLWAPI (deferred)
77fc0000 77fd1000 Secur32 (deferred)
7c800000 7c91d000 kernel32 (deferred)
7c920000 7c9b4000 ntdll (export symbols) C:\WINDOWS\system32\ntdll.dll
7d590000 7dd84000 SHELL32 (deferred)
=======================
WinDbg's lm command:
0:000> lm
start end module name
01000000 01013000 notepad (pdb symbols) d:\symbolslocal\notepad.pdb\F679AEF8BE1F44CAB4CBC4B52D77241B1\notepad.pdb
72f70000 72f96000 WINSPOOL (pdb symbols) d:\symbolslocal\winspool.pdb\97A6ECC94EA7450CA7D375BD9DFFCA5E2\winspool.pdb
76320000 76367000 comdlg32 (pdb symbols) d:\symbolslocal\comdlg32.pdb\4FCBEAD63D7345998C1F92D8DBB0DC272\comdlg32.pdb
77180000 77283000 COMCTL32 (pdb symbols) d:\symbolslocal\MicrosoftWindowsCommon-Controls-6.0.2600.2982-comctl32.pdb\C0A72EE9578847AAB7770CF02FFED0941\MicrosoftWindowsCommon-Controls-6.0.2600.2982-comctl32.pdb
77be0000 77c38000 msvcrt (pdb symbols) d:\symbolslocal\msvcrt.pdb\A678F3C30DED426B839032B996987E381\msvcrt.pdb
77d10000 77da0000 USER32 (pdb symbols) d:\symbolslocal\user32.pdb\F049F32D0C8948C0B48F7A065FC5C1B12\user32.pdb
77da0000 77e49000 ADVAPI32 (pdb symbols) d:\symbolslocal\advapi32.pdb\455D6C5F184D45BBB5C5F30F829751142\advapi32.pdb
77e50000 77ee2000 RPCRT4 (pdb symbols) d:\symbolslocal\rpcrt4.pdb\2D7278066B8B4F0AAA1AB3E4F8CEA0DA2\rpcrt4.pdb
77ef0000 77f37000 GDI32 (pdb symbols) d:\symbolslocal\gdi32.pdb\9B3E80DB35BB40DB80025720CB72CF012\gdi32.pdb
77f40000 77fb6000 SHLWAPI (pdb symbols) d:\symbolslocal\shlwapi.pdb\C3BC8438C9E7452F871D9BF14476F7F62\shlwapi.pdb
77fc0000 77fd1000 Secur32 (pdb symbols) d:\symbolslocal\secur32.pdb\85DD72BF4CAD42EFB989699A8B082F1D2\secur32.pdb
7c800000 7c91d000 kernel32 (pdb symbols) d:\symbolslocal\kernel32.pdb\006D2240474D414087FF801C64935DDD2\kernel32.pdb
7c920000 7c9b4000 ntdll (pdb symbols) d:\symbolslocal\ntdll.pdb\36515FB5D04345E491F672FA2E2878C02\ntdll.pdb
7d590000 7dd84000 SHELL32 (pdb symbols) d:\symbolslocal\shell32.pdb\9A8D69139E21498F9FFDA33E5E27AE622\shell32.pdb
The wt command is impressive:
0:000> wt
Tracing ntdll!DbgBreakPoint to return address 7c941639
6 0 [ 0] ntdll!RtlInitializeSListHead
16 0 [ 0] ntdll!RtlLookupElementGenericTable
10 0 [ 1] ntdll!RtlNtPathNameToDosPathName
31 0 [ 2] ntdll!RtlInitUnicodeString
19 31 [ 1] ntdll!RtlNtPathNameToDosPathName
3 0 [ 2] ntdll!LdrLoadDll
19 0 [ 3] ntdll!strchr
154 19 [ 2] ntdll!LdrLoadDll
12 0 [ 2] ntdll!RtlValidateUnicodeString
44 0 [ 3] ntdll!memmove
28 44 [ 2] ntdll!RtlValidateUnicodeString
31 0 [ 3] ntdll!RtlInitUnicodeString
37 75 [ 2] ntdll!RtlValidateUnicodeString
3 0 [ 3] ntdll!RtlValidateUnicodeString
19 0 [ 4] ntdll!strchr
135 19 [ 3] ntdll!RtlValidateUnicodeString
24 0 [ 4] ntdll!RtlFindActivationContextSectionString
24 0 [ 5] ntdll!RtlFormatCurrentUserKeyPath
41 24 [ 4] ntdll!RtlFindActivationContextSectionString
24 0 [ 5] ntdll!bsearch
30 0 [ 6] ntdll!bsearch
2 0 [ 6] ntdll!RtlQueryDepthSList
8 0 [ 6] ntdll!bsearch
51 0 [ 7] ntdll!bsearch
27 0 [ 8] ntdll!bsearch
13 0 [ 9] ntdll!bsearch
31 13 [ 8] ntdll!bsearch
2 0 [ 8] ntdll!RtlGetLongestNtPathLength
5 0 [ 8] ntdll!bsearch
75 51 [ 7] ntdll!bsearch
31 126 [ 6] ntdll!bsearch
29 189 [ 5] ntdll!bsearch
60 242 [ 4] ntdll!RtlFindActivationContextSectionString
35 0 [ 5] ntdll!RtlHashUnicodeString
190 0 [ 6] ntdll!RtlHashUnicodeString
44 190 [ 5] ntdll!RtlHashUnicodeString
2 0 [ 5] ntdll!RtlValidateUnicodeString
2 0 [ 5] ntdll!RtlHashUnicodeString
20 0 [ 5] ntdll!RtlValidateUnicodeString
22 0 [ 6] ntdll!bsearch
9 0 [ 7] ntdll!bsearch
3 0 [ 7] ntdll!RtlFindActivationContextSectionString
34 12 [ 6] ntdll!bsearch
24 46 [ 5] ntdll!RtlValidateUnicodeString
6 0 [ 5] ntdll!RtlHashUnicodeString
73 556 [ 4] ntdll!RtlFindActivationContextSectionString
27 0 [ 5] ntdll!RtlHashUnicodeString
41 0 [ 6] ntdll!bsearch
51 0 [ 7] ntdll!bsearch
28 0 [ 8] ntdll!bsearch
13 0 [ 9] ntdll!bsearch
32 13 [ 8] ntdll!bsearch
2 0 [ 8] ntdll!RtlGetLongestNtPathLength
5 0 [ 8] ntdll!bsearch
75 52 [ 7] ntdll!bsearch
65 127 [ 6] ntdll!bsearch
29 192 [ 5] ntdll!RtlHashUnicodeString
6 0 [ 5] ntdll!RtlValidateUnicodeString
8 0 [ 6] ntdll!RtlAddRefActivationContext
10 8 [ 5] ntdll!RtlValidateUnicodeString
3 0 [ 5] ntdll!RtlHashUnicodeString
75 798 [ 4] ntdll!RtlFindActivationContextSectionString
2 0 [ 4] ntdll!RtlValidateUnicodeString
14 0 [ 4] ntdll!RtlFindActivationContextSectionString
122 0 [ 5] ntdll!RtlHashUnicodeString
27 122 [ 4] ntdll!RtlFindActivationContextSectionString
27 0 [ 5] ntdll!RtlHashUnicodeString
32 0 [ 6] ntdll!bsearch
2 0 [ 6] ntdll!RtlGetLongestNtPathLength
5 0 [ 6] ntdll!bsearch
32 39 [ 5] ntdll!RtlHashUnicodeString
37 193 [ 4] ntdll!RtlFindActivationContextSectionString
147 1124 [ 3] ntdll!RtlValidateUnicodeString
10 0 [ 4] ntdll!RtlUpcaseUnicodeChar
164 1134 [ 3] ntdll!RtlValidateUnicodeString
93 0 [ 4] ntdll!RtlEqualUnicodeString
166 1227 [ 3] ntdll!RtlValidateUnicodeString
3 0 [ 3] ntdll!RtlPushFrame
10 0 [ 3] ntdll!RtlValidateUnicodeString
68 0 [ 4] ntdll!RtlEqualUnicodeString
12 68 [ 3] ntdll!RtlValidateUnicodeString
3 0 [ 3] ntdll!RtlPushFrame
10 0 [ 3] ntdll!RtlValidateUnicodeString
93 0 [ 4] ntdll!RtlEqualUnicodeString
12 93 [ 3] ntdll!RtlValidateUnicodeString
7 0 [ 3] ntdll!RtlPushFrame
5 0 [ 3] ntdll!RtlValidateUnicodeString
5 0 [ 4] ntdll!wcslen
6 5 [ 3] ntdll!RtlValidateUnicodeString
9 0 [ 4] ntdll!strchr
7 14 [ 3] ntdll!RtlValidateUnicodeString
49 1687 [ 2] ntdll!RtlValidateUnicodeString
3 0 [ 3] ntdll!snwprintf
19 0 [ 4] ntdll!strchr
12 19 [ 3] ntdll!snwprintf
3 0 [ 4] ntdll!snwprintf
144 22 [ 3] ntdll!snwprintf
35 0 [ 4] ntdll!LdrQueryImageFileExecutionOptions
3 0 [ 5] ntdll!snwprintf
39 3 [ 4] ntdll!LdrQueryImageFileExecutionOptions
31 0 [ 5] ntdll!RtlInitUnicodeString
56 34 [ 4] ntdll!LdrQueryImageFileExecutionOptions
24 0 [ 5] ntdll!RtlFindActivationContextSectionString
24 0 [ 6] ntdll!RtlFormatCurrentUserKeyPath
41 24 [ 5] ntdll!RtlFindActivationContextSectionString
24 0 [ 6] ntdll!bsearch
30 0 [ 7] ntdll!bsearch
2 0 [ 7] ntdll!RtlQueryDepthSList
8 0 [ 7] ntdll!bsearch
51 0 [ 8] ntdll!bsearch
27 0 [ 9] ntdll!bsearch
13 0 [ 10] ntdll!bsearch
31 13 [ 9] ntdll!bsearch
2 0 [ 9] ntdll!RtlGetLongestNtPathLength
5 0 [ 9] ntdll!bsearch
75 51 [ 8] ntdll!bsearch
31 126 [ 7] ntdll!bsearch
29 189 [ 6] ntdll!bsearch
60 242 [ 5] ntdll!RtlFindActivationContextSectionString
35 0 [ 6] ntdll!RtlHashUnicodeString
190 0 [ 7] ntdll!RtlHashUnicodeString
44 190 [ 6] ntdll!RtlHashUnicodeString
2 0 [ 6] ntdll!RtlValidateUnicodeString
2 0 [ 6] ntdll!RtlHashUnicodeString
20 0 [ 6] ntdll!RtlValidateUnicodeString
22 0 [ 7] ntdll!bsearch
9 0 [ 8] ntdll!bsearch
3 0 [ 8] ntdll!RtlFindActivationContextSectionString
34 12 [ 7] ntdll!bsearch
24 46 [ 6] ntdll!RtlValidateUnicodeString
6 0 [ 6] ntdll!RtlHashUnicodeString
73 556 [ 5] ntdll!RtlFindActivationContextSectionString
27 0 [ 6] ntdll!RtlHashUnicodeString
41 0 [ 7] ntdll!bsearch
51 0 [ 8] ntdll!bsearch
28 0 [ 9] ntdll!bsearch
13 0 [ 10] ntdll!bsearch
32 13 [ 9] ntdll!bsearch
2 0 [ 9] ntdll!RtlGetLongestNtPathLength
5 0 [ 9] ntdll!bsearch
75 52 [ 8] ntdll!bsearch
65 127 [ 7] ntdll!bsearch
29 192 [ 6] ntdll!RtlHashUnicodeString
6 0 [ 6] ntdll!RtlValidateUnicodeString
8 0 [ 7] ntdll!RtlAddRefActivationContext
10 8 [ 6] ntdll!RtlValidateUnicodeString
3 0 [ 6] ntdll!RtlHashUnicodeString
75 798 [ 5] ntdll!RtlFindActivationContextSectionString
2 0 [ 5] ntdll!RtlValidateUnicodeString
14 0 [ 5] ntdll!RtlFindActivationContextSectionString
122 0 [ 6] ntdll!RtlHashUnicodeString
27 122 [ 5] ntdll!RtlFindActivationContextSectionString
27 0 [ 6] ntdll!RtlHashUnicodeString
32 0 [ 7] ntdll!bsearch
2 0 [ 7] ntdll!RtlGetLongestNtPathLength
5 0 [ 7] ntdll!bsearch
32 39 [ 6] ntdll!RtlHashUnicodeString
37 193 [ 5] ntdll!RtlFindActivationContextSectionString
70 1139 [ 4] ntdll!LdrQueryImageFileExecutionOptions
21 0 [ 5] ntdll!snwprintf
3 0 [ 6] ntdll!RtlAllocateHeap
19 0 [ 7] ntdll!strchr
14 19 [ 6] ntdll!RtlAllocateHeap
4 0 [ 6] ntdll!wcsncat
3 0 [ 7] ntdll!wcsncat
19 0 [ 8] ntdll!strchr
13 19 [ 7] ntdll!wcsncat
6 0 [ 7] ntdll!RtlInitializeSListHead
3 0 [ 8] ntdll!RtlpNtMakeTemporaryKey
19 0 [ 9] ntdll!strchr
17 19 [ 8] ntdll!RtlpNtMakeTemporaryKey
14 0 [ 9] ntdll!RtlUnicodeToMultiByteSize
39 33 [ 8] ntdll!RtlpNtMakeTemporaryKey
11 0 [ 9] ntdll!RtlEnterCriticalSection
44 44 [ 8] ntdll!RtlpNtMakeTemporaryKey
15 0 [ 9] ntdll!RtlpNtMakeTemporaryKey
10 0 [ 10] ntdll!RtlpNtMakeTemporaryKey
27 10 [ 9] ntdll!RtlpNtMakeTemporaryKey
48 81 [ 8] ntdll!RtlpNtMakeTemporaryKey
3 0 [ 9] ntdll!wcsncat
19 0 [ 10] ntdll!strchr
13 19 [ 9] ntdll!wcsncat
2 0 [ 9] ntdll!RtlInitializeSListHead
55 0 [ 9] ntdll!wcsncat
18 0 [ 9] ntdll!RtlSetUserValueHeap
7 0 [ 9] ntdll!wcsncat
7 0 [ 9] ntdll!RtlSetUserValueHeap
15 0 [ 9] ntdll!wcsncat
17 0 [ 10] ntdll!wcsncpy
25 17 [ 9] ntdll!wcsncat
10 0 [ 9] ntdll!RtlInitializeSListHead
3498 0 [ 10] ntdll!RtlCompareMemoryUlong
14 3498 [ 9] ntdll!RtlInitializeSListHead
32 0 [ 9] ntdll!wcsncat
6 0 [ 9] ntdll!RtlSetUserValueHeap
7 0 [ 9] ntdll!RtlInitializeSListHead
......
kernel32!lstrcmpW 188 2 93 38
kernel32!lstrcmpiW 160 22 22 22
kernel32!lstrcpyW 87 12 12 12
kernel32!lstrcpyn 10 1 8 3
kernel32!lstrcpynW 3 5 331 186
kernel32!lstrlenW 45 12 12 12
msvcrt!_STRINGTOLD 2 4 8 6
msvcrt!__unguarded_readlc_active_add_func 3 4 30 16
msvcrt!_crtCompareStringA 1 141 141 141
msvcrt!_crtLCMapStringA 2 1654 1667 1660
msvcrt!_crtLCMapStringW 1 11 11 11
msvcrt!_dllonexit 162 2 46 14
msvcrt!_getmainargs 3 6 69 29
msvcrt!_p__winver 1 8 8 8
msvcrt!_threadhandle 1 31 31 31
msvcrt!_unDNameEx 1 5 5 5
msvcrt!beginthreadex 1 330 330 330
msvcrt!bsearch 1 4197 4197 4197
msvcrt!c_exit 5 8 16 14
msvcrt!calloc 3 4 92 46
msvcrt!clock 1 24 24 24
msvcrt!control87 1 24 24 24
msvcrt!controlfp 1 12 12 12
msvcrt!expand 3 21 32 26
msvcrt!fpreset 2 36 47 41
msvcrt!free 259 4 31 14
msvcrt!get_sbh_threshold 120 16 475 31
msvcrt!getenv 2 4 16 10
msvcrt!initterm 11 24 2082 231
msvcrt!lock 269 10 14674 68
msvcrt!malloc 41 12 15 12
msvcrt!mbsnbicoll 1 24 24 24
msvcrt!modf 6 5 13 7
msvcrt!msize 162 4 29 16
msvcrt!operator delete 15 5 5 5
msvcrt!operator new 35 10 10 10
msvcrt!realloc 4 4 399 131
msvcrt!set_sbh_threshold 77 121 280 217
msvcrt!setlocale 2 66 66 66
msvcrt!setmbcp 3 4 3691 1233
msvcrt!strerror 739 4 4116 17
msvcrt!unlock 259 8 8 8
msvcrt!wcscat 1 212 212 212
msvcrt!wcscpy 31 16 440 137
msvcrt!wcsicmp 1 448 448 448
msvcrt!wcslen 24 64 279 125
msvcrt!wcsncpy 4 38 198 95
msvcrt!write 5 4 3572 1011
msvcrt!wsplitpath 1 418 418 418
msvcrt!yn 2 12 36 24
ntdll!CsrAllocateCaptureBuffer 3 35 38 37
ntdll!CsrAllocateMessagePointer 36 2 304 55
ntdll!CsrCaptureMessageMultiUnicodeStringsInPla 6 28 91 49
ntdll!CsrCaptureMessageString 4 35 35 35
ntdll!CsrClientCallServer 174 6 231 30
ntdll!CsrClientConnectToServer 1 82 82 82
ntdll!CsrFreeCaptureBuffer 6 9 28 16
ntdll!DbgPrintEx 8 12 12 12
ntdll!KiFastSystemCall 979 2 2 2
ntdll!KiUserCallbackDispatcher 1 5 5 5
ntdll!LdrAccessOutOfProcessResource 1 21 21 21
ntdll!LdrAccessResource 77 4 6 5
ntdll!LdrAlternateResourcesEnabled 41 4 11 10
ntdll!LdrCreateOutOfProcessImage 1 40 40 40
ntdll!LdrDestroyOutOfProcessImage 1 24 24 24
ntdll!LdrDisableThreadCalloutsForDll 32 3 29 17
ntdll!LdrEnumerateLoadedModules 1 49 49 49
ntdll!LdrFindCreateProcessManifest 2 5 37 21
ntdll!LdrFindResourceDirectory_U 143 1 289 29
ntdll!LdrFindResourceEx_U 1 11 11 11
ntdll!LdrFindResource_U 36 11 11 11
ntdll!LdrGetDllHandle 21 11 11 11
ntdll!LdrGetDllHandleEx 54 3 372 95
ntdll!LdrGetProcedureAddress 4573 3 1139 87
ntdll!LdrInitializeThunk 22 16 16 16
ntdll!LdrLoadAlternateResourceModule 38 22 22 22
ntdll!LdrLoadDll 88 3 1284 64
ntdll!LdrLockLoaderLock 16 26 26 26
ntdll!LdrQueryImageFileExecutionOptions 395 3 3796 180
ntdll!LdrUnloadAlternateResourceModule 1 6 6 6
ntdll!LdrUnloadDll 4 8 8 8
ntdll!LdrUnlockLoaderLock 16 12 12 12
ntdll!NtAddAtom 2 1 3 2
ntdll!NtCallbackReturn 1 3 3 3
ntdll!NtClose 226 1 3 2
ntdll!NtCreateFile 14 1 3 2
ntdll!NtCreateKey 10 1 3 2
ntdll!NtCreateSection 34 1 3 2
ntdll!NtCreateSemaphore 10 1 3 2
ntdll!NtDeviceIoControlFile 2 1 3 2
ntdll!NtDuplicateObject 22 1 3 2
ntdll!NtFlushInstructionCache 98 1 3 2
ntdll!NtFreeVirtualMemory 2 1 3 2
ntdll!NtOpenDirectoryObject 2 1 3 2
ntdll!NtOpenFile 40 1 3 2
ntdll!NtOpenKey 218 1 3 2
ntdll!NtOpenProcessToken 6 1 3 2
ntdll!NtOpenSection 22 1 3 2
ntdll!NtOpenThreadTokenEx 14 1 3 2
ntdll!NtQueryAttributesFile 36 1 3 2
ntdll!NtQueryDebugFilterState 16 1 3 2
ntdll!NtQueryDefaultUILanguage 6 1 3 2
ntdll!NtQueryInformationFile 6 1 3 2
ntdll!NtQueryKey 20 1 3 2
ntdll!NtQueryPerformanceCounter 6 1 3 2
ntdll!NtQuerySystemInformation 46 1 3 2
ntdll!NtQueryTimerResolution 2 1 3 2
ntdll!NtRequestWaitReplyPort 6 1 3 2
ntdll!NtUnmapViewOfSection 18 1 3 2
ntdll!RtlAcquirePebLock 155 14 14 14
ntdll!RtlAcquireResourceExclusive 2 11 27 19
ntdll!RtlActivateActivationContext 8 22 58 38
ntdll!RtlActivateActivationContextEx 9 8 273 128
ntdll!RtlActivateActivationContextUnsafeFast 160 20 20 20
ntdll!RtlAddAccessAllowedAce 7 12 12 12
ntdll!RtlAddAce 1 29 29 29
ntdll!RtlAddRefActivationContext 253 2 8 7
ntdll!RtlAddressInSectionTable 3 16 16 16
ntdll!RtlAllocateAndInitializeSid 16 8 42 30
ntdll!RtlAllocateHandle 2 8 11 9
ntdll!RtlAllocateHeap 1760 3 22 14
ntdll!RtlAnsiCharToUnicodeChar 8 34 34 34
ntdll!RtlAnsiStringToUnicodeString 695 8 1067 85
ntdll!RtlAppendPathElement 12 3 11 7
ntdll!RtlAppendUnicodeStringToString 99 40 40 40
ntdll!RtlAppendUnicodeToString 65 43 43 43
ntdll!RtlCharToInteger 2 8 13 10
ntdll!RtlCompareMemory 190 18 18 18
ntdll!RtlCompareMemoryUlong 666 11 7782 707
ntdll!RtlCompareUnicodeString 372 2 319 56
ntdll!RtlConvertSidToUnicodeString 49 63 470 163
ntdll!RtlCopySid 7 16 16 16
ntdll!RtlCopyUnicodeString 7 57 57 57
ntdll!RtlCreateAcl 4 24 24 24
ntdll!RtlCreateActivationContext 4 62 112 87
ntdll!RtlCreateHeap 92 2 1055 138
ntdll!RtlCreateSecurityDescriptor 4 19 19 19
ntdll!RtlCreateUnicodeStringFromAsciiz 6 18 18 18
ntdll!RtlDeactivateActivationContext 4 60 60 60
ntdll!RtlDeactivateActivationContextUnsafeFast 160 15 15 15
ntdll!RtlDecodePointer 2 5 5 5
ntdll!RtlDeleteCriticalSection 373 5 27 12
ntdll!RtlDetermineDosPathNameType_U 516 2 1724 148
ntdll!RtlDoesFileExists_U 119 2 23 6
ntdll!RtlDosApplyFileIsolationRedirection_Ustr 475 7 182 132
ntdll!RtlDosPathNameToNtPathName_U 133 2 30 14
ntdll!RtlDosSearchPath_U 41 23 737 160
ntdll!RtlDosSearchPath_Ustr 4 2 92 25
ntdll!RtlDowncaseUnicodeString 429 2 43 13
ntdll!RtlEncodePointer 4 15 15 15
ntdll!RtlEncodeSystemPointer 158 7 7 7
ntdll!RtlEnterCriticalSection 1514 11 12 11
ntdll!RtlEqualUnicodeString 891 18 1583 88
ntdll!RtlExpandEnvironmentStrings_U 18 2 6639 2947
ntdll!RtlFillMemoryUlong 1064 8 7779 472
ntdll!RtlFindActivationContextSectionString 714 3 75 41
ntdll!RtlFindCharInUnicodeString 255 7 127 90
ntdll!RtlFindClearBits 31 5 98 47
ntdll!RtlFindClearBitsAndSet 17 19 19 19
ntdll!RtlFirstFreeAce 17 11 69 38
ntdll!RtlFormatCurrentUserKeyPath 287 24 90 34
ntdll!RtlFreeAnsiString 516 11 17 11
ntdll!RtlFreeHeap 374 2 20 11
ntdll!RtlFreeSid 7 15 15 15
ntdll!RtlGetActiveActivationContext 114 2 329 95
ntdll!RtlGetCurrentDirectory_U 1 34 34 34
ntdll!RtlGetFrame 4 2 14 8
ntdll!RtlGetFullPathName_U 29 4 22 14
ntdll!RtlGetLastWin32Error 133 3 3 3
ntdll!RtlGetLengthWithoutLastFullDosOrNtPathEle 6 10 304 109
ntdll!RtlGetLongestNtPathLength 1010 2 23 6
ntdll!RtlGetNtGlobalFlags 1552 4 4 4
ntdll!RtlGetNtProductType 15 12 94 44
ntdll!RtlGetNtVersionNumbers 10 2 18 6
ntdll!RtlGetVersion 12 47 67 62
ntdll!RtlHashUnicodeString 2766 2 469 47
ntdll!RtlImageDirectoryEntryToData 1053 2 23 21
ntdll!RtlImageNtHeader 289 5 5 5
ntdll!RtlImageRvaToSection 62 3 507 177
ntdll!RtlImageRvaToVa 12 2 2 2
ntdll!RtlInitAnsiString 285 9 80 30
ntdll!RtlInitCodePageTable 3 33 126 86
ntdll!RtlInitString 92 26 55 35
ntdll!RtlInitUnicodeString 505 9 211 39
ntdll!RtlInitUnicodeStringEx 142 23 23 23
ntdll!RtlInitializeCriticalSection 385 2 43 10
ntdll!RtlInitializeCriticalSectionAndSpinCount 324 16 35 25
ntdll!RtlInitializeGenericTable 2 22 22 22
ntdll!RtlInitializeHandleTable 57 3 4152 77
ntdll!RtlInitializeResource 2 62 62 62
ntdll!RtlInitializeSListHead 4196 2 567 15
ntdll!RtlInitializeSid 9 23 81 29
ntdll!RtlIsDosDeviceName_U 1 16 16 16
ntdll!RtlIsValidHandle 991 3 20 10
ntdll!RtlLeaveCriticalSection 1514 6 8 7
ntdll!RtlLengthSid 7 8 8 8
ntdll!RtlLockHeap 20 25 25 25
ntdll!RtlLogStackBackTrace 162 9 9 9
ntdll!RtlLookupElementGenericTable 1 70 70 70
ntdll!RtlMultiAppendUnicodeStringBuffer 400 2 600 45
ntdll!RtlMultiByteToUnicodeN 488 6 10 8
ntdll!RtlMultiByteToUnicodeSize 444 3 7 5
ntdll!RtlNtPathNameToDosPathName 2 32 100 66
ntdll!RtlNtStatusToDosError 132 14 14 14
ntdll!RtlNtStatusToDosErrorNoTeb 137 5 540 142
ntdll!RtlOemStringToUnicodeSize 222 14 14 14
ntdll!RtlOpenCurrentUser 7 37 37 37
ntdll!RtlPrefixUnicodeString 4 13 46 30
ntdll!RtlPushFrame 134 2 121 5
ntdll!RtlQueryDepthSList 244 2 2 2
ntdll!RtlQueryEnvironmentVariable_U 41 7 118 36
ntdll!RtlQueueWorkItem 154 2 27 14
ntdll!RtlReAllocateHeap 66 2 109 46
ntdll!RtlReadMemoryStream 6 7 7 7
ntdll!RtlReadOutOfProcessMemoryStream 1 24 24 24
ntdll!RtlReleaseActivationContext 1 21 21 21
ntdll!RtlReleasePebLock 155 5 5 5
ntdll!RtlReleaseResource 2 5 10 7
ntdll!RtlRestoreLastWin32Error 139 8 8 8
ntdll!RtlSetBits 31 6 26 18
ntdll!RtlSetDaclSecurityDescriptor 4 25 25 25
ntdll!RtlSetGroupSecurityDescriptor 2 21 21 21
ntdll!RtlSetOwnerSecurityDescriptor 2 21 21 21
ntdll!RtlSetUserValueHeap 2067 2 784 13
ntdll!RtlSubAuthorityCountSid 29 2 6 2
ntdll!RtlSubAuthoritySid 224 2 2 2
ntdll!RtlTimeToSecondsSince1980 25 4 8 6
ntdll!RtlTimeToTimeFields 580 4 402 48
ntdll!RtlUnicodeStringToAnsiString 158 8 35 13
ntdll!RtlUnicodeStringToInteger 2 145 145 145
ntdll!RtlUnicodeToMultiByteN 108 6 10 8
ntdll!RtlUnicodeToMultiByteSize 821 4 14 12
ntdll!RtlUnlockHeap 20 25 25 25
ntdll!RtlUpcaseUnicodeChar 361 10 12 10
ntdll!RtlValidAcl 11 3 30 20
ntdll!RtlValidSid 28 7 22 18
ntdll!RtlValidateUnicodeString 1819 2 166 23
ntdll!RtlZeroHeap 190 27 27 27
ntdll!RtlpApplyLengthFunction 2 44 44 44
ntdll!RtlpNtMakeTemporaryKey 3936 3 96 27
ntdll!RtlxUnicodeStringToOemSize 54 14 14 14
ntdll!ZwAccessCheck 4 1 3 2
ntdll!ZwAllocateVirtualMemory 60 1 3 2
ntdll!ZwCreateEvent 10 1 3 2
ntdll!ZwCreateMutant 2 1 3 2
ntdll!ZwEnumerateValueKey 110 1 3 2
ntdll!ZwMapViewOfSection 44 1 3 2
ntdll!ZwOpenEvent 2 1 3 2
ntdll!ZwOpenProcessTokenEx 14 1 3 2
ntdll!ZwProtectVirtualMemory 196 1 3 2
ntdll!ZwQueryDefaultLocale 76 1 3 2
ntdll!ZwQueryInformationProcess 14 1 3 2
ntdll!ZwQueryInformationToken 16 1 3 2
ntdll!ZwQueryInstallUILanguage 2 1 3 2
ntdll!ZwQuerySection 16 1 3 2
ntdll!ZwQueryValueKey 254 1 3 2
ntdll!ZwQueryVirtualMemory 8 1 3 2
ntdll!ZwSetInformationObject 2 1 3 2
ntdll!aulldvrm 3 31 31 31
ntdll!bsearch 4087 5 75 30
ntdll!iswdigit 1466 2 68 19
ntdll!mbstowcs 2 12 69 40
ntdll!memmove 362 26 99 43
ntdll!snwprintf 203 3 270 31
ntdll!strchr 10675 9 80 14
ntdll!strcmpi 135 49 130 67
ntdll!strncmp 322 28 38 36
ntdll!strnicmp 31 20 113 49
ntdll!swprintf 2 31 31 31
ntdll!towlower 6402 3 399 63
ntdll!vDbgPrintExWithPrefix 8 23 23 23
ntdll!wcscat 15 2 196 97
ntdll!wcschr 68 2 28 6
ntdll!wcscpy 108 40 520 283
ntdll!wcsicmp 38 31 469 58
ntdll!wcslen 1904 5 983 35
ntdll!wcslwr 1 117 117 117
ntdll!wcsncat 6032 2 5168 27
ntdll!wcsncmp 119 19 62 32
ntdll!wcsncpy 1802 2 331 21
ntdll!wcsnicmp 252 16 250 52
ntdll!wcsrchr 12 204 252 239
ntdll!wcsstr 10 2 229 70
ntdll!wcstol 13 3 5 3
ole32 5 24 24 24
ole32!CoRevokeClassObject 130 1 115 16
ole32!CoTaskMemAlloc 17 4 29 10
ole32!ComPs_NdrDllCanUnloadNow 45 4 19 10
979 system calls were executed
Calls System Call
979 ntdll!KiFastSystemCall
eax=00000000 ebx=00000000 ecx=00009308 edx=0007fa6e esi=7ffdd000 edi=7ffdf000
eip=7c941639 esp=0007fcb0 ebp=0007fd1c iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
ntdll!RtlLookupElementGenericTable+0x80:
7c941639 8bf8 mov edi,eax
0:000>
Post #14 (LV4, RANK:50)
Using DLL function viewer V2.0: Windows XP NTDLL.dll has 1315 functions in total!
0:000> wt
Tracing ntdll!DbgBreakPoint to return address 7c941639
Post #15 (LV4, RANK:50)
Quoting lilianjie:
> Using DLL function viewer V2.0: Windows XP NTDLL.dll has 1315 functions in total!
> 0:000> wt
> Tracing ntdll!DbgBreakPoint to return address 7c941639
> 6 0 [ 0] ntdll!RtlInitializeSListHead...

Unfortunately this tool cannot copy all 1315 functions.
Post #16 (LV4, RANK:50)
NTSD PING:
Microsoft (R) Windows Debugger Version 6.9.0003.113 X86
Copyright (c) Microsoft Corporation. All rights reserved.
CommandLine: ping
Symbol search path is: *** Invalid ***
****************************************************************************
* Symbol loading may be unreliable without a symbol search path. *
* Use .symfix to have the debugger choose a symbol path. *
* After setting your symbol path, use .reload to refresh symbol locations. *
****************************************************************************
Executable search path is:
ModLoad: 01000000 01008000 ping.exe
ModLoad: 7c920000 7c9b4000 ntdll.dll
ModLoad: 7c800000 7c91d000 C:\WINDOWS\system32\kernel32.dll
ModLoad: 77be0000 77c38000 C:\WINDOWS\system32\msvcrt.dll
ModLoad: 77da0000 77e49000 C:\WINDOWS\system32\ADVAPI32.dll
ModLoad: 77e50000 77ee2000 C:\WINDOWS\system32\RPCRT4.dll
ModLoad: 77fc0000 77fd1000 C:\WINDOWS\system32\Secur32.dll
ModLoad: 76d30000 76d48000 C:\WINDOWS\system32\iphlpapi.dll
ModLoad: 77d10000 77da0000 C:\WINDOWS\system32\USER32.dll
ModLoad: 77ef0000 77f37000 C:\WINDOWS\system32\GDI32.dll
ModLoad: 71a20000 71a37000 C:\WINDOWS\system32\WS2_32.dll
ModLoad: 71a10000 71a18000 C:\WINDOWS\system32\WS2HELP.dll
(82c.d50): Break instruction exception - code 80000003 (first chance)
eax=00191eb4 ebx=7ffde000 ecx=00000002 edx=00000004 esi=00191f48 edi=00191eb4
eip=7c921230 esp=0007fb20 ebp=0007fc94 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntdll.dll -
ntdll!DbgBreakPoint:
7c921230 cc int 3
0:000> g
ModLoad: 5cc30000 5cc56000 C:\WINDOWS\system32\ShimEng.dll
ModLoad: 58fb0000 5917a000 C:\WINDOWS\AppPatch\AcGenral.DLL
ModLoad: 76b10000 76b3a000 C:\WINDOWS\system32\WINMM.dll
ModLoad: 76990000 76acd000 C:\WINDOWS\system32\ole32.dll
ModLoad: 770f0000 7717b000 C:\WINDOWS\system32\OLEAUT32.dll
ModLoad: 77bb0000 77bc5000 C:\WINDOWS\system32\MSACM32.dll
ModLoad: 77bd0000 77bd8000 C:\WINDOWS\system32\VERSION.dll
ModLoad: 7d590000 7dd84000 C:\WINDOWS\system32\SHELL32.dll
ModLoad: 77f40000 77fb6000 C:\WINDOWS\system32\SHLWAPI.dll
ModLoad: 759d0000 75a7e000 C:\WINDOWS\system32\USERENV.dll
ModLoad: 5adc0000 5adf7000 C:\WINDOWS\system32\UxTheme.dll
ModLoad: 76300000 7631d000 C:\WINDOWS\system32\IMM32.DLL
ModLoad: 62c20000 62c29000 C:\WINDOWS\system32\LPK.DLL
ModLoad: 73fa0000 7400b000 C:\WINDOWS\system32\USP10.dll
ModLoad: 77180000 77283000 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll
ModLoad: 5d170000 5d20a000 C:\WINDOWS\system32\comctl32.dll
ModLoad: 00930000 00959000 C:\WINDOWS\system32\ClientMain.dll
Usage: ping [-t] [-a] [-n count] [-l size] [-f] [-i TTL] [-v TOS]
[-r count] [-s count] [[-j host-list] | [-k host-list]]
[-w timeout] target_name
Options:
-t Ping the specified host until stopped.
To see statistics and continue - type Control-Break;
To stop - type Control-C.
-a Resolve addresses to hostnames.
-n count Number of echo requests to send.
-l size Send buffer size.
-f Set Don't Fragment flag in packet.
-i TTL Time To Live.
-v TOS Type Of Service.
-r count Record route for count hops.
-s count Timestamp for count hops.
-j host-list Loose source route along host-list.
-k host-list Strict source route along host-list.
-w timeout Timeout in milliseconds to wait for each reply.
eax=00000000 ebx=00000000 ecx=7c800000 edx=7c99c080 esi=7c92e88e edi=00000001
eip=7c92eb94 esp=0007f8e0 ebp=0007f9dc iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
ntdll!KiFastSystemCallRet:
7c92eb94 c3 ret
0:000>
------------------------------
WinDbg ping: the INT3 is missing by exactly one character in the display.
Post #17 (LV2, RANK:10)
Speechless!!!!
Post #18 (LV2, RANK:10)
Such a detailed analysis!
Post #19 (LV4, RANK:45)
Vanish.
Time to go into seclusion.
Post #20 (LV13, RANK:410)
You haven't read the thread, have you.
Post #21 (LV2, RANK:10)
What? I can't understand a thing; I'm totally lost.