I've been debugging an ActiveX control recently. When I tested it with COMRaider it reported an exception; the details are as follows:
Exception Code: ACCESS_VIOLATION
Disasm: 7C9210C0 CMP DWORD PTR [EDX+4],-1 (ntdll.dll)
Seh Chain:
--------------------------------------------------
1 16B2FFE SeFavoritePlug.dll
2 7C839AA8 KERNEL32.dll
Called From Returns To
--------------------------------------------------
ntdll.7C9210C0 SeFavoritePlug.1550C45
SeFavoritePlug.1550C45 SeFavoritePlug.15515A6
SeFavoritePlug.15515A6 SeFavoritePlug.1550ABC
SeFavoritePlug.1550ABC KERNEL32.7C80B683
Registers:
--------------------------------------------------
EIP 7C9210C0
EAX FEEEFEEE
EBX 00FB2188
ECX 00000000
EDX 00FB2190
EDI 01E5FBC4 -> 01E5FCA4
ESI 01E5FAEC -> 01E5FCA4
EBP 01E5FBC4 -> 01E5FCA4
ESP 01E5FAE0 -> FECFAFB5
Block Disassembly:
--------------------------------------------------
7C9210BF NOP
7C9210C0 CMP DWORD PTR [EDX+4],-1 <--- CRASH
7C9210C4 JE SHORT 7C92108B
7C9210C6 DEC DWORD PTR [ESP]
7C9210C9 JNZ SHORT 7C9210BE
7C9210CB ADD ESP,4
7C9210CE MOV ECX,FS:[18]
7C9210D5 JMP 7C921016
7C9210DA LEA ESP,[ESP]
7C9210E1 LEA ESP,[ESP]
ArgDump:
--------------------------------------------------
EBP+8 01E5FEC8 -> 01E5FFDC
EBP+12 CCCCCCCC
EBP+16 00FB2188
EBP+20 CCCCCCCC
EBP+24 CCCCCCCC
EBP+28 CCCCCCCC
Stack Dump:
--------------------------------------------------
1E5FAE0 B5 AF CF FE AF 0C 55 01 90 21 FB 00 A4 FC E5 01 [......U.........]
1E5FAF0 CC CC CC CC 88 21 FB 00 CC CC CC CC CC CC CC CC [................]
1E5FB00 CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC [................]
1E5FB10 CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC [................]
1E5FB20 CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC [................]
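I disassembled this address in IDA and found that the exception occurred inside the RtlEnterCriticalSection function in ntdll.dll. Since this function is in system space and quite a few places call it, how can I find out where it was called from before the exception occurred? Please advise; I'm not very familiar with the tools.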
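The "Called From / Returns To" table in the report already records the caller chain. The following is an added example, not part of the original post: it parses that table to find the first return address outside the system DLLs and flags registers holding well-known Windows/MSVC debug fill patterns. The function names and the `SYSTEM_MODULES` list are assumptions made for illustration.

```python
import re

# Constructed sample: call-stack and register lines copied from the report above.
REPORT = """\
Called From Returns To
--------------------------------------------------
ntdll.7C9210C0 SeFavoritePlug.1550C45
SeFavoritePlug.1550C45 SeFavoritePlug.15515A6
SeFavoritePlug.15515A6 SeFavoritePlug.1550ABC
SeFavoritePlug.1550ABC KERNEL32.7C80B683
Registers:
--------------------------------------------------
EIP 7C9210C0
EAX FEEEFEEE
EDX 00FB2190
"""

# Assumption: modules treated as "system" for triage; extend as needed.
SYSTEM_MODULES = {"ntdll", "kernel32", "user32", "ole32", "oleaut32"}

# Well-known debug fill patterns (general knowledge, not stated in the post).
FILL_PATTERNS = {
    "FEEEFEEE": "freed heap memory (Windows debug-heap fill)",
    "CCCCCCCC": "uninitialized stack memory (MSVC debug-build fill)",
}

FRAME_RE = re.compile(r"^(\w+)\.([0-9A-Fa-f]+)\s+(\w+)\.([0-9A-Fa-f]+)$")
REG_RE = re.compile(r"^(E[A-Z]{2})\s+([0-9A-Fa-f]{8})\b")

def parse_frames(report):
    """Return [(from_mod, from_addr, to_mod, to_addr)] from the call table."""
    return [m.groups() for m in map(FRAME_RE.match, report.splitlines()) if m]

def first_non_system_return(report):
    """First return address that lands outside the system modules."""
    for _, _, to_mod, to_addr in parse_frames(report):
        if to_mod.lower() not in SYSTEM_MODULES:
            return to_mod, int(to_addr, 16)
    return None

def suspicious_registers(report):
    """Registers whose value equals a known debug fill pattern."""
    regs = (m.groups() for m in map(REG_RE.match, report.splitlines()) if m)
    return {r: FILL_PATTERNS[v.upper()] for r, v in regs if v.upper() in FILL_PATTERNS}

if __name__ == "__main__":
    mod, addr = first_non_system_return(REPORT)
    print(f"inspect the call just before 0x{addr:X} in {mod}")
    print(suspicious_registers(REPORT))
```

The address it returns is a return address, so the instruction that called into ntdll is the one immediately preceding it in the disassembly of that module.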