Originally published on QQ空间 (Qzone); for the full text see 为什么对TerminateProcess断点不起作用 (Why a breakpoint on TerminateProcess does not work).
The earlier post 在内核态下巧设用户模块断点 (Setting user-module breakpoints from kernel mode) described how to set breakpoints on user-mode modules from kernel mode and ended with an open question. To simplify the problem, this time we debug directly in user mode: open a notepad process with WinDbg and set a breakpoint.
0:000> bl
0 e 77e616b8 0001 (0001) 0:**** kernel32!TerminateProcess
0:000> g
Close notepad. Just as described in the kernel-mode post, the expected breakpoint does not fire; WinDbg shows the following instead.
eax=00000000 ebx=00000000 ecx=ffffffff edx=00000000 esi=77f7663e edi=00000000
eip=7ffe0304 esp=0006fdf8 ebp=0006fef0 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000202
SharedUserData!SystemCallStub+0x4:
7ffe0304 c3 ret
The usual explanation would be that TerminateProcess is not used during a process's normal exit. Here is what MSDN says:
The TerminateProcess function is used to unconditionally cause a process to exit. The state of global data maintained by dynamic-link libraries (DLLs) may be compromised if TerminateProcess is used rather than ExitProcess.
TerminateProcess initiates termination and returns immediately. This stops execution of all threads within the process and requests cancellation of all pending I/O. The terminated process cannot exit until all pending I/O has been completed or canceled.
A process cannot prevent itself from being terminated.
In other words, a normal process exit generally goes through ExitProcess. Had I not done the following, that explanation would have been good enough. Unfortunately, life is full of surprises:
0:000> kv
ChildEBP RetAddr Args to Child
0006fdf4 77f7664a 77e798ec ffffffff 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])
0006fdf8 77e798ec ffffffff 00000000 77e7ad86 ntdll!NtTerminateProcess+0xc (FPO: [2,0,0])
0006fef0 77e7990f 00000000 77e8f3b0 ffffffff kernel32!_ExitProcess+0x57 (FPO: [Non-Fpo])
0006ff04 77c379c8 00000000 77c37ad9 00000000 kernel32!Termina
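The `bl` and `kv` listings above are the whole evidence in this post, so it helps to be able to read them mechanically. The following Python script is an added example, not code from the original article or from WinDbg: it parses the two listings (copied here as constructed sample input, truncated last frame included) into breakpoint and frame records, prints the call chain from the outermost caller down to the syscall stub, and checks whether the breakpoint's address or symbol appears anywhere in the trace. For this trace neither does, which is consistent with the breakpoint never having been hit; the script does not explain why, which is the question the full post answers.

```python
"""Parse WinDbg `bl` and `kv` output and relate a breakpoint to a call stack.

Added example (not code from the original article). The sample input below is
the debugger text from the post, copied as a constructed string; the truncated
last `kv` row is kept as-is so the parser has to cope with a symbol that has
no +0x offset and no FPO annotation.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: the `bl` output from the post.
BL_OUTPUT = "0 e 77e616b8 0001 (0001) 0:**** kernel32!TerminateProcess\n"

# Constructed sample input: the `kv` output from the post (last row truncated).
KV_OUTPUT = """\
ChildEBP RetAddr Args to Child
0006fdf4 77f7664a 77e798ec ffffffff 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])
0006fdf8 77e798ec ffffffff 00000000 77e7ad86 ntdll!NtTerminateProcess+0xc (FPO: [2,0,0])
0006fef0 77e7990f 00000000 77e8f3b0 ffffffff kernel32!_ExitProcess+0x57 (FPO: [Non-Fpo])
0006ff04 77c379c8 00000000 77c37ad9 00000000 kernel32!Termina
"""

# `bl` row: id, status (e/d/u), address, pass count, (current count), thread, symbol.
_BL_RE = re.compile(
    r"^(?P<id>\d+)\s+(?P<status>[edu])\s+(?P<addr>[0-9a-f]{8})\s+"
    r"(?P<passes>[0-9a-f]{4})\s+\((?P<cur>[0-9a-f]{4})\)\s+(?P<thread>\S+)\s+(?P<symbol>\S+)$"
)
# `kv` row: ChildEBP RetAddr Arg1 Arg2 Arg3 symbol [(FPO: ...)].
_KV_RE = re.compile(
    r"^(?P<ebp>[0-9a-f]{8})\s+(?P<ret>[0-9a-f]{8})\s+(?P<a1>[0-9a-f]{8})\s+"
    r"(?P<a2>[0-9a-f]{8})\s+(?P<a3>[0-9a-f]{8})\s+(?P<symbol>\S+)"
    r"(?:\s+\(FPO:\s*(?P<fpo>[^)]*)\))?\s*$"
)
# module!function, optionally followed by +0xOFFSET.
_SYM_RE = re.compile(r"^(?P<module>[^!]+)!(?P<func>[^+]+)(?:\+0x(?P<off>[0-9a-f]+))?$")


@dataclass(frozen=True)
class Breakpoint:
    bp_id: int
    enabled: bool
    address: int
    symbol: str


@dataclass(frozen=True)
class Frame:
    child_ebp: int
    ret_addr: int
    args: Tuple[int, int, int]
    module: str
    function: str
    offset: Optional[int]  # None when the symbol has no +0x offset (e.g. a truncated row)
    fpo: Optional[str]     # text inside "(FPO: ...)", or None when absent

    @property
    def symbol(self) -> str:
        return f"{self.module}!{self.function}"


def parse_breakpoints(text: str) -> List[Breakpoint]:
    """Parse `bl` rows; lines that are not breakpoint rows are ignored."""
    bps = []
    for line in text.splitlines():
        m = _BL_RE.match(line.strip())
        if m:
            bps.append(Breakpoint(int(m["id"]), m["status"] == "e",
                                  int(m["addr"], 16), m["symbol"]))
    return bps


def parse_frames(text: str) -> List[Frame]:
    """Parse `kv` rows in listing order (innermost frame first); skip the header."""
    frames = []
    for line in text.splitlines():
        m = _KV_RE.match(line.strip())
        if not m:
            continue  # header row or anything that is not a frame
        sym = _SYM_RE.match(m["symbol"])
        if not sym:
            raise ValueError(f"unrecognised symbol: {m['symbol']}")
        off = sym["off"]
        frames.append(Frame(
            child_ebp=int(m["ebp"], 16), ret_addr=int(m["ret"], 16),
            args=(int(m["a1"], 16), int(m["a2"], 16), int(m["a3"], 16)),
            module=sym["module"], function=sym["func"],
            offset=int(off, 16) if off is not None else None, fpo=m["fpo"]))
    return frames


def call_chain(frames: List[Frame]) -> List[str]:
    """Return the chain as caller -> callee, i.e. the `kv` rows reversed."""
    return [f.symbol for f in reversed(frames)]


def address_on_stack(address: int, frames: List[Frame]) -> bool:
    """True if `address` equals one of the return addresses in the trace."""
    return any(f.ret_addr == address for f in frames)


def symbol_on_stack(symbol: str, frames: List[Frame]) -> bool:
    """True if some frame's module!function matches `symbol` exactly."""
    return any(f.symbol == symbol for f in frames)


if __name__ == "__main__":
    bps = parse_breakpoints(BL_OUTPUT)
    frames = parse_frames(KV_OUTPUT)
    print(" -> ".join(call_chain(frames)))
    for bp in bps:
        print(f"bp {bp.bp_id} {bp.symbol} @ {bp.address:08x}: "
              f"address on stack={address_on_stack(bp.address, frames)}, "
              f"symbol on stack={symbol_on_stack(bp.symbol, frames)}")
```

The `kv` rows are listed innermost first, so `call_chain` reverses them to read as caller -> callee; the two `_on_stack` checks are deliberately exact matches, so a truncated symbol such as `kernel32!Termina` is never mistaken for `kernel32!TerminateProcess`.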