1 Process to examine
#include <stdio.h>
#include <stdint.h>
int main(int argc, char* argv[]){
    const char *str;
    str = "Hello!I'm PAE!";
    printf("%08x\n", (unsigned int)(uintptr_t)str); // print the string's address (32-bit build; it is 0x00404000 below)
    getchar(); // keep the process alive so it can be inspected from the kernel debugger
    return 0;
}
2 Windbg installation
Windbg symbol errors
lkd> !process
NT symbols are incorrect, please fix symbols
- Microsoft no longer provides offline symbol packages for Windows. See the following article to set up the symbol path.
Windbg symbol path configuration
3 Putting the debuggee machine into debug mode
- Run Command Prompt as administrator and enter:
bcdedit -debug on
- If it reports "The value is protected by Secure Boot policy and cannot be modified or deleted.", configure the BIOS as described in the following article and reboot.
Disabling Secure Boot
- After rebooting, run Command Prompt as administrator again and enter the command above. On success it prints "The operation completed successfully."
4 Kernel debugging with Windbg
- Run the program written above
address: 0x00404000
bin:0000 0000 0000 0000 0000 0000 0100 0000 0100 0000 0000 0000
(9'b) PML4: (000000000)_2 = (0)_{10}
(9'b) PDP:  (000000000)_2 = (0)_{10}
(9'b) PDE:  (000000010)_2 = (2)_{10}
(9'b) PTE:  (000000100)_2 = (4)_{10}
(12'b) page offset: (000000000000)_2 = (0)_{10}
- Open Windbg as administrator: File -> Attach to kernel -> Local -> OK to start local kernel debugging.
lkd> !process 0 0 PAE.exe
PROCESS ffffe68c09111080
SessionId: 1 Cid: 4760 Peb: 0038f000 ParentCid: 2720
DirBase: 1e80dd002 ObjectTable: ffffd68805292b40 HandleCount: 53.
Image: PAE.exe
lkd> !dq 1e80dd000
#1e80dd000 8a000001`38de6867 00000000`00000000
#1e80dd010 00000000`00000000 00000000`00000000
#1e80dd020 00000000`00000000 00000000`00000000
#1e80dd030 00000000`00000000 00000000`00000000
#1e80dd040 00000000`00000000 00000000`00000000
#1e80dd050 00000000`00000000 00000000`00000000
#1e80dd060 00000000`00000000 00000000`00000000
#1e80dd070 00000000`00000000 00000000`00000000
lkd> !dq 1`38de6000
#138de6000 0a000001`310e7867 0a000000`499f0867
#138de6010 00000000`00000000 00000000`00000000
#138de6020 00000000`00000000 00000000`00000000
#138de6030 00000000`00000000 00000000`00000000
#138de6040 00000000`00000000 00000000`00000000
#138de6050 00000000`00000000 00000000`00000000
#138de6060 00000000`00000000 00000000`00000000
#138de6070 00000000`00000000 00000000`00000000
lkd> !dq 1`310e7000+8*2
#1310e7010 0a000001`bc7e8867 0a000001`1bcfd867
#1310e7020 00000000`00000000 00000000`00000000
#1310e7030 0a000000`34252867 00000000`00000000
#1310e7040 00000000`00000000 00000000`00000000
#1310e7050 00000000`00000000 00000000`00000000
#1310e7060 00000000`00000000 00000000`00000000
#1310e7070 00000000`00000000 00000000`00000000
#1310e7080 00000000`00000000 00000000`00000000
lkd> !dq 1`bc7e8000+8*4
#1bc7e8020 81000001`f2e87005 81000000`2a536847
#1bc7e8030 81000002`22c45805 81000001`f4f82205
#1bc7e8040 81000000`09b5e205 00000000`00000000
#1bc7e8050 00000000`00000000 00000000`00000000
#1bc7e8060 00000000`00000000 00000000`00000000
#1bc7e8070 00000000`00000000 00000000`00000000
#1bc7e8080 00000000`00000000 00000000`00000000
#1bc7e8090 00000000`00000000 00000000`00000000
lkd> !db 1`f2e87000
#1f2e87000 48 65 6c 6c 6f 21 49 27-6d 20 50 41 45 21 00 25 Hello!I'm PAE!.%
#1f2e87010 30 38 78 0a 00 00 00 00-90 15 40 00 55 6e 6b 6e 08x.......@.Unkn
#1f2e87020 6f 77 6e 20 65 72 72 6f-72 00 00 00 5f 6d 61 74 own error..._mat
#1f2e87030 68 65 72 72 28 29 3a 20-25 73 20 69 6e 20 25 73 herr(): %s in %s
#1f2e87040 28 25 67 2c 20 25 67 29-20 20 28 72 65 74 76 61 (%g, %g) (retva
#1f2e87050 6c 3d 25 67 29 0a 00 00-41 72 67 75 6d 65 6e 74 l=%g)...Argument
#1f2e87060 20 64 6f 6d 61 69 6e 20-65 72 72 6f 72 20 28 44 domain error (D
#1f2e87070 4f 4d 41 49 4e 29 00 41-72 67 75 6d 65 6e 74 20 OMAIN).Argument
lkd> !vtop 1e80dd000 404000
Amd64VtoP: Virt 0000000000404000, pagedir 00000001e80dd000
Amd64VtoP: PML4E 00000001e80dd000
Amd64VtoP: PDPE 0000000138de6000
Amd64VtoP: PDE 00000001310e7010
Amd64VtoP: PTE 00000001bc7e8020
Amd64VtoP: Mapped phys 00000001f2e87000
Virtual address 404000 translates to physical address 1f2e87000.
lkd> .formats 404000
Evaluate expression:
Hex: 00000000`00404000
Decimal: 4210688
Decimal (unsigned) : 4210688
Octal: 0000000000000020040000
Binary: 00000000 00000000 00000000 00000000 00000000 01000000 01000000 00000000
Chars: .....@@.
Time: Thu Feb 19 01:38:08 1970
Float: low 5.90043e-039 high 0
Double: 2.08036e-317