Loading symbols
.symfix: point the symbol path at the Microsoft public symbol server, caching downloaded symbols in the given local directory
0:000> .symfix c:\symbols
.sympath: show the symbol path that is currently set
0:000> .sympath
Symbol search path is: srv*
Expanded Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
.reload: reload symbols for the loaded modules
0:000> .reload
Reloading current modules
....
ld: load symbols for a single module
0:000> ld KERNEL32
Symbols loaded for KERNEL32
Alternatively, set the environment variable so the debugger picks up the symbol path on startup:
_NT_SYMBOL_PATH=srv*c:\symbols*http://msdl.microsoft.com/download/symbols
lm: viewing modules
The lm command lists the loaded modules; with a module name (lm m) or the v option (lm vm) it shows detailed information about a single module.
0:000> lm
start end module name
00400000 0041a000 Adplus (deferred)
79000000 7904a000 mscoree (deferred)
7c800000 7c91e000 KERNEL32 (pdb symbols) c:\symbols\kernel32.pdb\34560E80F5C54175B208848EF863C5BD2\kernel32.pdb
7c920000 7c9b3000 ntdll (pdb symbols) c:\symbols\ntdll.pdb\1751003260CA42598C0FB326585000ED2\ntdll.pdb
0:000> lm m kernel*
start end module name
7c800000 7c91e000 KERNEL32 (pdb symbols) c:\symbols\kernel32.pdb\34560E80F5C54175B208848EF863C5BD2\kernel32.pdb
0:000> lm vm KERNEL32
start end module name
7c800000 7c91e000 KERNEL32 (pdb symbols) c:\symbols\kernel32.pdb\34560E80F5C54175B208848EF863C5BD2\kernel32.pdb
Loaded symbol image file: C:\WINDOWS\system32\KERNEL32.dll
Image path: C:\WINDOWS\system32\KERNEL32.dll
Image name: KERNEL32.dll
Timestamp: Mon Apr 14 10:13:26 2008 (4802BDC6)
CheckSum: 00122A2B
ImageSize: 0011E000
File version: 5.1.2600.5512
Product version: 5.1.2600.5512
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 2.0 Dll
File date: 00000000.00000000
Translations: 0409.04b0
CompanyName: Microsoft Corporation
ProductName: Microsoft® Windows® Operating System
InternalName: kernel32
OriginalFilename: kernel32
ProductVersion: 5.1.2600.5512
FileVersion: 5.1.2600.5512 (xpsp.080413-2111)
FileDescription: Windows NT BASE API Client DLL
LegalCopyright: © Microsoft Corporation. All rights reserved.
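A small parser for the lm listing shown above, added here as an example; it is not part of the original notes. It parses the module rows into start, end, name and symbol status, reports the modules whose symbols are still deferred or missing (the ones to fix with ld or .reload before trusting a stack trace), and cross-checks end minus start against the ImageSize that lm vm printed for KERNEL32. The sample input is the lm output from this page; the set of statuses treated as "symbols loaded" (pdb symbols, private pdb symbols) is an assumption of this example.

```python
import re

# Constructed sample: the `lm` listing from this page (extraction collapsed
# the column spacing, so the parser tolerates any run of whitespace).
LM_OUTPUT = """\
start end module name
00400000 0041a000 Adplus (deferred)
79000000 7904a000 mscoree (deferred)
7c800000 7c91e000 KERNEL32 (pdb symbols) c:\\symbols\\kernel32.pdb\\34560E80F5C54175B208848EF863C5BD2\\kernel32.pdb
7c920000 7c9b3000 ntdll (pdb symbols) c:\\symbols\\ntdll.pdb\\1751003260CA42598C0FB326585000ED2\\ntdll.pdb
"""

# start end name (status) [optional pdb path]; the backtick allows 64-bit
# addresses of the form 00007ff6`12340000.
LM_LINE = re.compile(
    r"^\s*([0-9a-fA-F`]+)\s+([0-9a-fA-F`]+)\s+(\S+)\s+\(([^)]*)\)\s*(.*?)\s*$"
)


def parse_lm(text):
    """Return one dict {start, end, size, name, status, path} per module row;
    the header row and anything that does not parse is skipped."""
    modules = []
    for line in text.splitlines():
        m = LM_LINE.match(line)
        if not m:
            continue
        start = int(m.group(1).replace("`", ""), 16)
        end = int(m.group(2).replace("`", ""), 16)
        modules.append({
            "start": start,
            "end": end,
            "size": end - start,
            "name": m.group(3),
            "status": m.group(4),
            "path": m.group(5),
        })
    return modules


def modules_without_symbols(modules):
    """Names of modules whose symbols are not actually loaded. 'deferred'
    means the debugger has not tried yet (ld <name> or .reload fixes that);
    'export symbols' / 'no symbols' mean the PDB was never found.
    Assumption of this example: only these two statuses count as loaded."""
    loaded = {"pdb symbols", "private pdb symbols"}
    return [m["name"] for m in modules if m["status"] not in loaded]


def size_matches_image(modules, name, image_size):
    """Cross-check: end - start from `lm` must equal the ImageSize that
    `lm vm <name>` reports for the same module."""
    for m in modules:
        if m["name"].lower() == name.lower():
            return m["size"] == image_size
    return False


if __name__ == "__main__":
    mods = parse_lm(LM_OUTPUT)
    for m in mods:
        print(f"{m['name']:10} {m['start']:08x}-{m['end']:08x} "
              f"size={m['size']:#x} [{m['status']}]")
    print("need symbols:", modules_without_symbols(mods))
    # ImageSize 0011E000 is taken from the `lm vm KERNEL32` output above
    print("KERNEL32 size matches ImageSize:",
          size_matches_image(mods, "KERNEL32", 0x11E000))
```

Run it on a pasted lm listing before analysing a crash dump: any module named by modules_without_symbols will produce frames like module+0x1234 instead of function names, and the ImageSize check is a quick way to confirm the listing and the module header describe the same image.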
Displaying and modifying assembly instructions
u: disassemble starting at a symbol or an address
0:000> u ntdll!__NtCurrentTeb
ntdll!__NtCurrentTeb:
7c92121e 64a118000000 mov eax,dword ptr fs:[00000018h]
7c921224 c3 ret
0:000> u 7c921225
ntdll!RtlInitString:
7c921225 57 push edi
7c921226 8b7c240c mov edi,dword ptr [esp+0Ch]
7c92122a 8b542408 mov edx,dword ptr [esp+8]
7c92122e c70200000000 mov dword ptr [edx],0
7c921234 897a04 mov dword ptr [edx+4],edi
7c921237 0bff or edi,edi
7c921239 741e je ntdll!RtlInitString+0x34 (7c921259)
7c92123b 83c9ff or ecx,0FFFFFFFFh
ub: disassemble backwards from the given address
0:000> ub 7c92123b
ntdll!__NtCurrentTeb+0x6:
7c921224 c3 ret
ntdll!RtlInitString:
7c921225 57 push edi
7c921226 8b7c240c mov edi,dword ptr [esp+0Ch]
7c92122a 8b542408 mov edx,dword ptr [esp+8]
7c92122e c70200000000 mov dword ptr [edx],0
7c921234 897a04 mov dword ptr [edx+4],edi
7c921237 0bff or edi,edi
7c921239 741e je ntdll!RtlInitString+0x34 (7c921259)
uf: disassemble the complete function
0:000> uf ntdll!RtlInitString
ntdll!RtlInitString:
7c921225 57 push edi
7c921226 8b7c240c mov edi,dword ptr [esp+0Ch]
7c92122a 8b542408 mov edx,dword ptr [esp+8]
7c92122e c70200000000 mov dword ptr [edx],0
7c921234 897a04 mov dword ptr [edx+4],edi
7c921237 0bff or edi,edi
7c921239 741e je ntdll!RtlInitString+0x34 (7c921259)
ntdll!RtlInitString+0x16:
7c92123b 83c9ff or ecx,0FFFFFFFFh
7c92123e 33c0 xor eax,eax
7c921240 f2ae repne scas byte ptr es:[edi]
7c921242 f7d1 not ecx
7c921244 81f9ffff0000 cmp ecx,0FFFFh
7c92124a 7605 jbe ntdll!RtlInitString+0x2c (7c921251)
ntdll!RtlInitString+0x27:
7c92124c b9ffff0000 mov ecx,0FFFFh
ntdll!RtlInitString+0x2c:
7c921251 66894a02 mov word ptr [edx+2],cx
7c921255 49 dec ecx
7c921256 66890a mov word ptr [edx],cx
ntdll!RtlInitString+0x34:
7c921259 5f pop edi
7c92125a c20800 ret 8
a: assemble instructions into memory
The example below changes the int 3 instruction at address 7c92121a into a nop instruction:
0:000> u ntdll!RtlpBreakWithStatusInstruction l2
ntdll!RtlpBreakWithStatusInstruction:
7c92121a cc int 3
7c92121b c20400 ret 4
0:000> a 7c92121a
7c92121a nop
nop
7c92121b
0:000> u ntdll!RtlpBreakWithStatusInstruction l2
ntdll!RtlpBreakWithStatusInstruction:
7c92121a 90 nop
7c92121b c20400 ret 4
d: reading memory
This command has many variants, for example:
da reads an ASCII string
db reads a BYTE array
dd reads a DWORD array
dD reads a double-precision float array
df reads a single-precision float array
dp reads a pointer-sized array
du reads a Unicode string
dw reads a WORD array
In addition, there are
dda, which displays pointers and the ASCII strings they point to
dds/dps, which display pointers with their symbols (useful for function pointer tables)
lkd> dds nt!KiServiceTable l5
80505450 805a5614 nt!NtAcceptConnectPort
80505454 805f1adc nt!NtAccessCheck
80505458 805f5312 nt!NtAccessCheckAndAuditAlarm
8050545c 805f1b0e nt!NtAccessCheckByType
80505460 805f534c nt!NtAccessCheckByTypeAndAuditAlarm
lkd> dd 80505450 l7
80505450 805a5614 805f1adc 805f5312 805f1b0e
80505460 805f534c 805f1b44 805f5390
lkd> db 80505450
80505450 14 56 5a 80 dc 1a 5f 80-12 53 5f 80 0e 1b 5f 80 .VZ..._..S_..._.
80505460 4c 53 5f 80 44 1b 5f 80-90 53 5f 80 d4 53 5f 80 LS_.D._..S_..S_.
80505470 a2 63 61 80 e4 70 61 80-da ce 5e 80 32 cb 5e 80 .ca..pa...^.2.^.
80505480 3a 5b 5d 80 ea 5a 5d 80-c8 69 61 80 72 6f 5b 80 :[]..Z]..ia.ro[.
80505490 e4 5f 61 80 9e 9a 5a 80-96 15 5b 80 b0 54 c2 b1 ._a...Z...[..T..
805054a0 8c 28 50 80 d6 70 61 80-e6 7a 57 80 d2 9b 53 80 .(P..pa..zW...S.
805054b0 b2 f5 60 80 ec d4 5b 80-4c 58 5f 80 56 43 62 80 ..`...[.LX_.VCb.
805054c0 3e 9d 5f 80 02 5d 5a 80-aa 45 62 80 b4 55 5a 80 >._..]Z..Eb..UZ.
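The dds, dd and db outputs above are three views of the same 32 bytes at 80505450: db shows them byte by byte, dd groups them into little-endian DWORDs, and dds additionally resolves each DWORD as a pointer to a symbol. The following added example (not part of the original notes) parses the first two db rows back into bytes and rebuilds the dd and dds views from them, so the byte order is visible: 14 56 5a 80 in db becomes 805a5614 in dd. The symbol table used to label the entries is copied from the dds output on this page; it is a lookup for illustration, not a symbol server.

```python
import re
import struct

# Constructed sample: the first two rows of the `db 80505450` output above.
DB_OUTPUT = """\
80505450 14 56 5a 80 dc 1a 5f 80-12 53 5f 80 0e 1b 5f 80 .VZ..._..S_..._.
80505460 4c 53 5f 80 44 1b 5f 80-90 53 5f 80 d4 53 5f 80 LS_.D._..S_..S_.
"""

# Pointer -> symbol pairs copied from the `dds nt!KiServiceTable l5` output
# above; only used to label reconstructed entries the way dds does.
KNOWN_SYMBOLS = {
    0x805a5614: "nt!NtAcceptConnectPort",
    0x805f1adc: "nt!NtAccessCheck",
    0x805f5312: "nt!NtAccessCheckAndAuditAlarm",
    0x805f1b0e: "nt!NtAccessCheckByType",
    0x805f534c: "nt!NtAccessCheckByTypeAndAuditAlarm",
}

# address, then up to 16 hex bytes separated by ' ' (or '-' after byte 8);
# the ASCII column that follows is not captured.
DB_LINE = re.compile(
    r"^\s*([0-9a-fA-F`]+)\s+((?:[0-9a-fA-F]{2}[ -]){0,15}[0-9a-fA-F]{2})"
)


def parse_db(text):
    """Turn `db` output into (base_address, bytes). Rows must be contiguous;
    a partial last row (fewer than 16 bytes) is accepted."""
    base = None
    data = bytearray()
    for line in text.splitlines():
        m = DB_LINE.match(line)
        if not m:
            continue
        addr = int(m.group(1).replace("`", ""), 16)
        if base is None:
            base = addr
        elif addr != base + len(data):
            raise ValueError(f"non-contiguous row at {addr:08x}")
        data += bytes.fromhex(re.sub(r"[ -]", "", m.group(2)))
    return base, bytes(data)


def to_dwords(data):
    """Little-endian DWORD view: what `dd` prints for the same bytes."""
    n = len(data) // 4
    return list(struct.unpack(f"<{n}I", data[: n * 4]))


def to_words(data):
    """Little-endian WORD view: what `dw` prints for the same bytes."""
    n = len(data) // 2
    return list(struct.unpack(f"<{n}H", data[: n * 2]))


def dds_view(base, data):
    """Pair each DWORD with its address and, when known, its symbol, as dds does."""
    return [(base + 4 * i, v, KNOWN_SYMBOLS.get(v, ""))
            for i, v in enumerate(to_dwords(data))]


if __name__ == "__main__":
    base, data = parse_db(DB_OUTPUT)
    for addr, value, sym in dds_view(base, data):
        print(f"{addr:08x} {value:08x} {sym}")
```

The same parser works on any db dump pasted from a session, which is handy when a dump was captured as text and the table at an address (here the system service table) needs to be checked offline against the expected set of handlers.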
e: writing memory
The e command has the same variants as d:
ea writes an ASCII string
eb writes a BYTE array
ed writes a DWORD array
eD writes a double-precision float array
ef writes a single-precision float array
ep writes a pointer-sized array
eu writes a Unicode string
ew writes a WORD array
0:000> .for(r $t1=0;@$t1!=50;r$t1=@$t1+1){eb 01009000+@$t1 0;}
0:000> ea 01009000 "hello world"
0:000> db 01009000 l50
01009000 68 65 6c 6c 6f 20 77 6f-72 6c 64 00 00 00 00 00 hello world.....
01009010 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
01009020 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
01009030 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
01009040 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0:000> .for(r $t1=0;@$t1!=50;r$t1=@$t1+1){eb 01009000+@$t1 0;}
0:000> eu 01009000 "unicode string"
0:000> db 01009000 l50
01009000 75 00 6e 00 69 00 63 00-6f 00 64 00 65 00 20 00 u.n.i.c.o.d.e. .
01009010 73 00 74 00 72 00 69 00-6e 00 67 00 00 00 00 00 s.t.r.i.n.g.....
01009020 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
01009030 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
01009040 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0:000> .for(r $t1=0;@$t1!=50;r$t1=@$t1+1){eb 01009000+@$t1 0;}
0:000> ed 01009000 0x1 0x2 0x3 0x4 0x5
0:000> db 01009000 l50
01009000 01 00 00 00 02 00 00 00-03 00 00 00 04 00 00 00 ................
01009010 05 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
01009020 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
01009030 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
01009040 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
s: searching memory
0:000> .for(r $t1=0;@$t1!=50;r$t1=@$t1+1){eb 01009000+@$t1 0;}
0:000> eu 01009000 "unicode string"
0:000> s -u 01009000 l50 "str" // search for a Unicode string
01009010 0073 0074 0072 0069 006e 0067 0000 0000 s.t.r.i.n.g.....
0:000> s 01009000 01009040 'g' // search for a single character
0100901a 67 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 g...............
0:000> s -w 01009000 l50 0x64 // search for a WORD value
0100900a 0064 0065 0020 0073 0074 0072 0069 006e d.e. .s.t.r.i.n.
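To make the encodings behind the e and s commands concrete, here is an added Python emulation of the sessions above (example code, not from the original notes): it zeroes the same 0x50-byte block at 01009000, performs the ea/eu/ed writes with the byte layouts the db dumps show (ASCII, UTF-16LE, little-endian DWORDs, no terminator written), and then runs the three searches, returning the same hit addresses the debugger printed. Note that l50 is hexadecimal in WinDbg's default radix, so the block is 80 bytes. The emulated search checks every byte offset; whether WinDbg restricts -w and -d searches to aligned offsets is not established here.

```python
import struct

BASE = 0x01009000   # address used in the sessions above
SIZE = 0x50         # `l50` is hex (default radix 16): 80 bytes


def zeroed():
    """Equivalent of the `.for ... eb ... 0` loop above: SIZE zero bytes."""
    return bytearray(SIZE)


def ea(mem, addr, text):
    """`ea`: write an ASCII string. No terminator is written; the 00 after
    'hello world' in the dump above is simply the zeroed block."""
    off = addr - BASE
    mem[off:off + len(text)] = text.encode("ascii")


def eu(mem, addr, text):
    """`eu`: write a UTF-16LE string, again without a terminator."""
    raw = text.encode("utf-16-le")
    off = addr - BASE
    mem[off:off + len(raw)] = raw


def ed(mem, addr, *values):
    """`ed`: write little-endian DWORDs."""
    raw = struct.pack(f"<{len(values)}I", *values)
    off = addr - BASE
    mem[off:off + len(raw)] = raw


def search(mem, pattern, start=BASE, length=SIZE):
    """Every address in [start, start+length) where `pattern` occurs.
    Checks each byte offset (overlapping matches included); alignment
    behaviour of the real -w/-d searches is not assumed here."""
    lo = start - BASE
    hi = min(lo + length, len(mem))
    hits = []
    pos = mem.find(pattern, lo, hi)
    while pos != -1:
        hits.append(BASE + pos)
        pos = mem.find(pattern, pos + 1, hi)
    return hits


def s_u(mem, text):      # s -u ... "str"
    return search(mem, text.encode("utf-16-le"))


def s_a(mem, text):      # s ... 'g'  (byte / ASCII search)
    return search(mem, text.encode("ascii"))


def s_w(mem, value):     # s -w ... 0x64
    return search(mem, struct.pack("<H", value))


def s_d(mem, value):     # s -d ... (DWORD value)
    return search(mem, struct.pack("<I", value))


def session():
    """Replay the eu + three searches from the page; returns the hits."""
    mem = zeroed()
    eu(mem, BASE, "unicode string")
    return {
        "unicode 'str'": s_u(mem, "str"),
        "byte 'g'": s_a(mem, "g"),
        "word 0x64": s_w(mem, 0x64),
    }


if __name__ == "__main__":
    for what, hits in session().items():
        print(what, [f"{h:08x}" for h in hits])
```

The results line up with the three s commands: "str" as UTF-16LE starts at offset 0x10, the byte 'g' sits at 0x1a, and the WORD 0x64 is the 'd' of "unicode" at 0x0a. The same reasoning explains why a plain (byte) search for "str" would not find the Unicode string: every other byte is 00, so -u is required.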
Please credit the source when reprinting. ddlx studio. 点点灵犀. http://blog.csdn.net/sunyikuyu