WinDbg分析扫雷程序

WinDbg入门教材,请参照:

Debug Tutorial Part 1: Beginning Debugging Using CDB and NTSD

http://www.codeproject.com/KB/debug/cdbntsd.aspx

 

启动WinMine程序,启动WinDbg,attach到目标进程

 

查看加载了符号的模块

0:001> lml

start    end        module name

01000000 01020000   winmine    (pdb symbols)          c:\symbols\winmine.pdb\3B7D84751\winmine.pdb

76580000 76680000   kernel32   (pdb symbols)          c:\symbols\wkernel32.pdb\247C9009E69B43AB95E8DDA34622320A2\wkernel32.pdb

77c00000 77d80000   ntdll      (pdb symbols)          c:\symbols\wntdll.pdb\FC9DB05873374DB5985BABAA3F8F734F2\wntdll.pdb

可以看到,Windows的PDB符号服务器提供了winmine的符号文件,这样分析起来就方便多了。

 

查看winmine模块提供了哪些符号:

Winmine符号表
 
   
0:001> x /a winmine!*
01001000 winmine!_imp__RegQueryValueExW = <no type information>
01001004 winmine!_imp__RegSetValueExW = <no type information>
01001008 winmine!_imp__RegOpenKeyExA = <no type information>
0100100c winmine!_imp__RegQueryValueExA = <no type information>
01001010 winmine!_imp__RegCreateKeyExW = <no type information>
01001014 winmine!_imp__RegCloseKey = <no type information>
01001018 winmine!ADVAPI32_NULL_THUNK_DATA = <no type information>
0100101c winmine!_imp__InitCommonControlsEx = <no type information>
01001020 winmine!COMCTL32_NULL_THUNK_DATA = <no type information>
01001024 winmine!_imp__SetROP2 = <no type information>
01001028 winmine!_imp__GetLayout = <no type information>
0100102c winmine!_imp__SetLayout = <no type information>
01001030 winmine!_imp__GetDeviceCaps = <no type information>
01001034 winmine!_imp__DeleteObject = <no type information>
01001038 winmine!_imp__LineTo = <no type information>
0100103c winmine!_imp__CreatePen = <no type information>
01001040 winmine!_imp__CreateCompatibleDC = <no type information>
01001044 winmine!_imp__CreateCompatibleBitmap = <no type information>
01001048 winmine!_imp__SelectObject = <no type information>
0100104c winmine!_imp__SetDIBitsToDevice = <no type information>
01001050 winmine!_imp__DeleteDC = <no type information>
01001054 winmine!_imp__MoveToEx = <no type information>
01001058 winmine!_imp__SetPixel = <no type information>
0100105c winmine!_imp__BitBlt = <no type information>
01001060 winmine!_imp__GetStockObject = <no type information>
01001064 winmine!GDI32_NULL_THUNK_DATA = <no type information>
01001068 winmine!_imp__FindResourceW = <no type information>
0100106c winmine!_imp__OutputDebugStringA = <no type information>
01001070 winmine!_imp__LockResource = <no type information>
01001074 winmine!_imp__LoadResource = <no type information>
01001078 winmine!_imp__lstrlenW = <no type information>
0100107c winmine!_imp__GetPrivateProfileIntW = <no type information>
01001080 winmine!_imp__GetPrivateProfileStringW = <no type information>
01001084 winmine!_imp__GetTickCount = <no type information>
01001088 winmine!_imp__GetModuleFileNameA = <no type information>
0100108c winmine!_imp__GetModuleHandleA = <no type information>
01001090 winmine!_imp__GetStartupInfoA = <no type information>
01001094 winmine!_imp__GetProcAddress = <no type information>
01001098 winmine!_imp__lstrcpyW = <no type information>
0100109c winmine!_imp__LoadLibraryA = <no type information>
010010a0 winmine!KERNEL32_NULL_THUNK_DATA = <no type information>
010010a4 winmine!_imp__ShellAboutW = <no type information>
010010a8 winmine!SHELL32_NULL_THUNK_DATA = <no type information>
010010ac winmine!_imp__LoadIconW = <no type information>
010010b0 winmine!_imp__GetDesktopWindow = <no type information>
010010b4 winmine!_imp__SetTimer = <no type information>
010010b8 winmine!_imp__MessageBoxW = <no type information>
010010bc winmine!_imp__LoadCursorW = <no type information>
010010c0 winmine!_imp__CheckMenuItem = <no type information>
010010c4 winmine!_imp__SetMenu = <no type information>
010010c8 winmine!_imp__GetDlgItemInt = <no type information>
010010cc winmine!_imp__RegisterClassW = <no type information>
010010d0 winmine!_imp__LoadStringW = <no type information>
010010d4 winmine!_imp__LoadMenuW = <no type information>
010010d8 winmine!_imp__ReleaseCapture = <no type information>
010010dc winmine!_imp__PeekMessageW = <no type information>
010010e0 winmine!_imp__MapWindowPoints = <no type information>
010010e4 winmine!_imp__SetCapture = <no type information>
010010e8 winmine!_imp__PtInRect = <no type information>
010010ec winmine!_imp__WinHelpW = <no type information>
010010f0 winmine!_imp__SetDlgItemInt = <no type information>
010010f4 winmine!_imp__EndDialog = <no type information>
010010f8 winmine!_imp__SetDlgItemTextW = <no type information>
010010fc winmine!_imp__wsprintfW = <no type information>
01001100 winmine!_imp__SendMessageW = <no type information>
01001104 winmine!_imp__GetDlgItem = <no type information>
01001108 winmine!_imp__GetDlgItemTextW = <no type information>
0100110c winmine!_imp__GetSystemMetrics = <no type information>
01001110 winmine!_imp__InvalidateRect = <no type information>
01001114 winmine!_imp__SetRect = <no type information>
01001118 winmine!_imp__MoveWindow = <no type information>
0100111c winmine!_imp__GetMenuItemRect = <no type information>
01001120 winmine!_imp__DialogBoxParamW = <no type information>
01001124 winmine!_imp__DefWindowProcW = <no type information>
01001128 winmine!_imp__ReleaseDC = <no type information>
0100112c winmine!_imp__GetDC = <no type information>
01001130 winmine!_imp__PostMessageW = <no type information>
01001134 winmine!_imp__ShowWindow = <no type information>
01001138 winmine!_imp__PostQuitMessage = <no type information>
0100113c winmine!_imp__KillTimer = <no type information>
01001140 winmine!_imp__EndPaint = <no type information>
01001144 winmine!_imp__BeginPaint = <no type information>
01001148 winmine!_imp__DispatchMessageW = <no type information>
0100114c winmine!_imp__TranslateMessage = <no type information>
01001150 winmine!_imp__TranslateAcceleratorW = <no type information>
01001154 winmine!_imp__GetMessageW = <no type information>
01001158 winmine!_imp__UpdateWindow = <no type information>
0100115c winmine!_imp__CreateWindowExW = <no type information>
01001160 winmine!_imp__LoadAcceleratorsW = <no type information>
01001164 winmine!USER32_NULL_THUNK_DATA = <no type information>
01001168 winmine!_imp__PlaySoundW = <no type information>
0100116c winmine!WINMM_NULL_THUNK_DATA = <no type information>
01001170 winmine!_imp___controlfp = <no type information>
01001174 winmine!_imp____set_app_type = <no type information>
01001178 winmine!_imp____p__fmode = <no type information>
0100117c winmine!_imp___except_handler3 = <no type information>
01001180 winmine!_imp___adjust_fdiv = <no type information>
01001184 winmine!_imp____setusermatherr = <no type information>
01001188 winmine!_imp___initterm = <no type information>
0100118c winmine!_imp____getmainargs = <no type information>
01001190 winmine!_imp___acmdln = <no type information>
01001194 winmine!_imp__exit = <no type information>
01001198 winmine!_imp____p__commode = <no type information>
0100119c winmine!_imp___cexit = <no type information>
010011a0 winmine!_imp___XcptFilter = <no type information>
010011a4 winmine!_imp___exit = <no type information>
010011a8 winmine!_imp___c_exit = <no type information>
010011ac winmine!_imp__srand = <no type information>
010011b0 winmine!_imp__rand = <no type information>
010011b4 winmine!msvcrt_NULL_THUNK_DATA = <no type information>
010011b8 winmine!__xc_a = <no type information>
010011bc winmine!__xc_z = <no type information>
010011c0 winmine!__xi_a = <no type information>
010011c4 winmine!__xi_z = <no type information>
0100140c winmine!FLocalButton = <no type information>
01001516 winmine!FixMenus = <no type information>
010015a6 winmine!PrefDlgProc = <no type information>
010016ba winmine!SetDText = <no type information>
010016fa winmine!BestDlgProc = <no type information>
0100181f winmine!EnterDlgProc = <no type information>
01001915 winmine!OurGetSystemMetrics = <no type information>
01001950 winmine!AdjustWindow = <no type information>
01001b49 winmine!DoPref = <no type information>
01001b81 winmine!DoEnterName = <no type information>
01001baa winmine!DoDisplayBest = <no type information>
01001bc9 winmine!MainWndProc = <no type information>
010021f0 winmine!WinMain = <no type information>
010023cd winmine!HFindBitmap = <no type information>
010023f1 winmine!CbBitmap = <no type information>
01002414 winmine!FLoadBitmaps = <no type information>
01002607 winmine!FreeBitmaps = <no type information>
0100263c winmine!CleanUp = <no type information>
01002646 winmine!DisplayBlk = <no type information>
010026a7 winmine!DrawGrid = <no type information>
0100272e winmine!DisplayGrid = <no type information>
01002752 winmine!DrawLed = <no type information>
01002785 winmine!DrawBombCount = <no type information>
01002801 winmine!DisplayBombCount = <no type information>
01002825 winmine!DrawTime = <no type information>
010028b5 winmine!DisplayTime = <no type information>
010028d9 winmine!DrawButton = <no type information>
01002913 winmine!DisplayButton = <no type information>
0100293d winmine!SetThePen = <no type information>
01002971 winmine!DrawBorder = <no type information>
01002a22 winmine!DrawBackground = <no type information>
01002ac3 winmine!DrawScreen = <no type information>
01002af0 winmine!DisplayScreen = <no type information>
01002b14 winmine!FInitLocal = <no type information>
01002b27 winmine!ReadInt = <no type information>
01002b80 winmine!ReadSz = <no type information>
01002bc2 winmine!ReadPreferences = <no type information>
01002d55 winmine!WriteInt = <no type information>
01002d7a winmine!WriteSz = <no type information>
01002dab winmine!WritePreferences = <no type information>
01002eab winmine!ChangeBlk = <no type information>
01002ed5 winmine!ClearField = <no type information>
01002f3b winmine!CountBombs = <no type information>
01002f80 winmine!ShowBombs = <no type information>
01002fe0 winmine!DoTimer = <no type information>
01003008 winmine!StepXY = <no type information>
01003084 winmine!StepBox = <no type information>
01003119 winmine!CountMarks = <no type information>
0100316b winmine!PushBoxDown = <no type information>
010031a0 winmine!PopBoxUp = <no type information>
010031d4 winmine!TrackMouse = <no type information>
0100341c winmine!PauseGame = <no type information>
0100344c winmine!ResumeGame = <no type information>
0100346a winmine!UpdateBombCount = <no type information>
0100347c winmine!GameOver = <no type information>
01003512 winmine!StepSquare = <no type information>
010035b7 winmine!StepBlock = <no type information>
0100367a winmine!StartGame = <no type information>
0100374f winmine!MakeGuess = <no type information>
010037e1 winmine!DoButton1Up = <no type information>
010038c2 winmine!FInitTunes = <no type information>
010038d7 winmine!EndTunes = <no type information>
010038ed winmine!PlayTune = <no type information>
01003940 winmine!Rnd = <no type information>
01003950 winmine!ReportErr = <no type information>
010039e7 winmine!LoadSz = <no type information>
01003a12 winmine!ReadIniInt = <no type information>
01003a87 winmine!ReadIniSz = <no type information>
01003ab0 winmine!InitConst = <no type information>
01003cc4 winmine!CheckEm = <no type information>
01003ce5 winmine!SetMenuBar = <no type information>
01003d1d winmine!DoAbout = <no type information>
01003d76 winmine!DoHelp = <no type information>
01003df6 winmine!GetDlgInt = <no type information>
01003e21 winmine!WinMainCRTStartup = <no type information>
01003fe8 winmine!_XcptFilter = <no type information>
01003fee winmine!_initterm = <no type information>
01003ff4 winmine!_setdefaultprecision = <no type information>
01004006 winmine!_matherr = <no type information>
01004006 winmine!_setargv = <no type information>
0100400c winmine!_SEH_prolog = <no type information>
01004045 winmine!_SEH_epilog = <no type information>
01004056 winmine!_controlfp = <no type information>
0100405c winmine!_except_handler3 = <no type information>
01004062 winmine!HtmlHelpA = <no type information>
0100415c winmine!_IMPORT_DESCRIPTOR_msvcrt = <no type information>
01004170 winmine!_IMPORT_DESCRIPTOR_ADVAPI32 = <no type information>
01004184 winmine!_IMPORT_DESCRIPTOR_KERNEL32 = <no type information>
01004198 winmine!_IMPORT_DESCRIPTOR_GDI32 = <no type information>
010041ac winmine!_IMPORT_DESCRIPTOR_USER32 = <no type information>
010041c0 winmine!_IMPORT_DESCRIPTOR_SHELL32 = <no type information>
010041d4 winmine!_IMPORT_DESCRIPTOR_WINMM = <no type information>
010041e8 winmine!_IMPORT_DESCRIPTOR_COMCTL32 = <no type information>
010041fc winmine!_NULL_IMPORT_DESCRIPTOR = <no type information>
01005000 winmine!fStatus = <no type information>
01005004 winmine!rgPrefEditID = <no type information>
01005010 winmine!rgLevelData = <no type information>
01005034 winmine!szXYZZY = <no type information>
010050d0 winmine!rgszPref = <no type information>
01005118 winmine!xCur = <no type information>
0100511c winmine!yCur = <no type information>
01005120 winmine!szIniFile = <no type information>
01005138 winmine!__defaultmatherr = <no type information>
01005140 winmine!fButton1Down = <no type information>
01005144 winmine!fBlock = <no type information>
01005148 winmine!fIgnoreClick = <no type information>
0100514c winmine!fLocalPause = <no type information>
01005150 winmine!idRadCurr = <no type information>
01005154 winmine!iXYZZY = <no type information>
01005158 winmine!hGrayPen = <no type information>
0100515c winmine!fUpdateIni = <no type information>
01005160 winmine!iButtonCur = <no type information>
01005164 winmine!fTimer = <no type information>
01005168 winmine!fOldTimerStatus = <no type information>
0100516c winmine!_dowildcard = <no type information>
01005170 winmine!_newmode = <no type information>
01005174 winmine!_commode = <no type information>
01005178 winmine!_fmode = <no type information>
0100518c winmine!pHtmlHelpW = <no type information>
01005190 winmine!pHtmlHelpA = <no type information>
01005194 winmine!cBombLeft = <no type information>
010051a0 winmine!rgStepX = <no type information>
01005330 winmine!cBombStart = <no type information>
01005334 winmine!xBoxMac = <no type information>
01005338 winmine!yBoxMac = <no type information>
01005340 winmine!rgBlk = <no type information>
010056a0 winmine!Preferences = <no type information>
01005798 winmine!iStepMac = <no type information>
0100579c winmine!cSec = <no type information>
010057a0 winmine!cBoxVisitMac = <no type information>
010057a4 winmine!cBoxVisit = <no type information>
010057c0 winmine!rgStepY = <no type information>
01005950 winmine!g_hReg = <no type information>
01005954 winmine!hResButton = <no type information>
01005958 winmine!hResBlks = <no type information>
0100595c winmine!lpDibLed = <no type information>
01005960 winmine!rgDibButton = <no type information>
01005980 winmine!MemBlkBitmap = <no type information>
010059c0 winmine!rgDibOff = <no type information>
01005a00 winmine!lpDibButton = <no type information>
01005a04 winmine!lpDibBlks = <no type information>
01005a08 winmine!hResLed = <no type information>
01005a20 winmine!MemBlkDc = <no type information>
01005a60 winmine!rgDibLedOff = <no type information>
01005a90 winmine!dxpBorder = <no type information>
01005a94 winmine!hMenu = <no type information>
01005aa0 winmine!szClass = <no type information>
01005ae0 winmine!szTime = <no type information>
01005b20 winmine!dyWindow = <no type information>
01005b24 winmine!hwndMain = <no type information>
01005b28 winmine!hIconMain = <no type information>
01005b2c winmine!dxWindow = <no type information>
01005b30 winmine!hInst = <no type information>
01005b34 winmine!dypMenu = <no type information>
01005b38 winmine!bInitMinimized = <no type information>
01005b40 winmine!szDefaultName = <no type information>
01005b80 winmine!dypCaption = <no type information>
01005b84 winmine!dypBorder = <no type information>
01005b88 winmine!dypAdjust = <no type information>
01005b8c winmine!__onexitend = <no type information>
01005b90 winmine!__onexitbegin = <no type information>

01005b94 winmine!_adjust_fdiv = <no type information>

 

 

开始时共10个雷(0x0a),在内存中搜索该值,发现有3处匹配

0:001> s  01005000 L595 0a

01005010  0a 00 00 00 09 00 00 00-09 00 00 00 28 00 00 00  ............(...

01005194  0a 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................

01005330  0a 00 00 00 09 00 00 00-09 00 00 00 00 00 00 00  ................

排除一个雷后剩余9个(0x09),再次搜索

0:001> s  01005000 L595 09

01005014  09 00 00 00 09 00 00 00-28 00 00 00 10 00 00 00  ........(.......

01005018  09 00 00 00 28 00 00 00-10 00 00 00 10 00 00 00  ....(...........

01005194  09 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................

01005334  09 00 00 00 09 00 00 00-00 00 00 00 10 10 10 10  ................

01005338  09 00 00 00 00 00 00 00-10 10 10 10 10 10 10 10  ................

比较一下,两次搜索都出现的是01005194这个地址,从符号表中也可以找到它

01005194 winmine!cBombLeft = <no type information>

从命名可以看出,该地址应该就是剩余雷的个数。

 

继续分析发现,每个方格的状态保存在winmine!rgBlk中,行列索引为winmine!xCur和winmine!yCur。

每行占32字节,索引从1开始,例如x=3,y=4,则对应winmine!rgBlk+32*y+x处的地址

8f表示有雷,0f表示无雷

例如:

第一行,第六列有雷

0:001> dd winmine!rgBlk

01005340  10101010 10101010 0f101010 0f0f0f0f

01005350  0f0f0f0f 0f0f0f0f 0f0f0f0f 0f0f0f0f

01005360  0f0f0f10 0f8f0f0f 0f100f0f 0f0f0f0f

01005370  0f0f0f0f 0f0f0f0f 0f0f0f0f 0f0f0f0f

01005380  0f0f0f10 0f0f0f0f 0f100f0f 0f0f0f0f

01005390  0f0f0f0f 0f0f0f0f 0f0f0f0f 0f0f0f0f

010053a0  0f0f0f10 0f0f0f0f 0f100f8f 0f0f0f0f

010053b0  0f0f0f0f 0f0f0f0f 0f0f0f0f 0f0f0f0f

0:001> dd

010053c0  0f0f0f10 8f0f0f0f 0f108f8f 0f0f0f0f

010053d0  0f0f0f0f 0f0f0f0f 0f0f0f0f 0f0f0f0f

010053e0  8f0f8f10 0f0f0f0f 0f100f0f 0f0f0f0f

010053f0  0f0f0f0f 0f0f0f0f 0f0f0f0f 0f0f0f0f

01005400  0f0f0f10 0f0f0f0f 0f100f0f 0f0f0f0f

01005410  0f0f0f0f 0f0f0f0f 0f0f0f0f 0f0f0f0f

01005420  0f0f0f10 0f0f0f8f 0f100f0f 0f0f0f0f

01005430  0f0f0f0f 0f0f0f0f 0f0f0f0f 0f0f0f0f

0:001> dd

01005440  0f8f0f10 0f0f0f0f 0f100f0f 0f0f0f0f

01005450  0f0f0f0f 0f0f0f0f 0f0f0f0f 0f0f0f0f

01005460  0f0f0f10 0f0f0f0f 0f108f0f 0f0f0f0f

01005470  0f0f0f0f 0f0f0f0f 0f0f0f0f 0f0f0f0f

01005480  10101010 10101010 0f101010 0f0f0f0f

01005490  0f0f0f0f 0f0f0f0f 0f0f0f0f 0f0f0f0f

010054a0  0f0f0f0f 0f0f0f0f 0f0f0f0f 0f0f0f0f

010054b0  0f0f0f0f 0f0f0f0f 0f0f0f0f 0f0f0f0f

 

如果方格已被翻开,标记改为40、41、42,分别表示周围有0、1、2个雷;被标记为雷的方格是8e

0:001> dd winmine!rgBlk

01005340  10101010 10101010 0f101010 0f0f0f0f

01005350  0f0f0f0f 0f0f0f0f 0f0f0f0f 0f0f0f0f

01005360  40404010 40404040 0f104040 0f0f0f0f

01005370  0f0f0f0f 0f0f0f0f 0f0f0f0f 0f0f0f0f

01005380  41424210 40414141 0f104040 0f0f0f0f

01005390  0f0f0f0f 0f0f0f0f 0f0f0f0f 0f0f0f0f

010053a0  0f8f8f10 40418e0f 0f104141 0f0f0f0f

010053b0  0f0f0f0f 0f0f0f0f 0f0f0f0f 0f0f0f0f

0:001> dd

010053c0  0f0f8f10 4041410f 0f108f42 0f0f0f0f

010053d0  0f0f0f0f 0f0f0f0f 0f0f0f0f 0f0f0f0f

010053e0  0f0f0f10 42420f0f 0f108f43 0f0f0f0f

010053f0  0f0f0f0f 0f0f0f0f 0f0f0f0f 0f0f0f0f

01005400  0f0f0f10 8f8f0f0f 0f100f0f 0f0f0f0f

01005410  0f0f0f0f 0f0f0f0f 0f0f0f0f 0f0f0f0f

01005420  0f0f0f10 0f420f0f 0f100f0f 0f0f0f0f

01005430  0f0f0f0f 0f0f0f0f 0f0f0f0f 0f0f0f0f

0:001> dd

01005440  0f0f0f10 0f0f0f0f 0f100f8f 0f0f0f0f

01005450  0f0f0f0f 0f0f0f0f 0f0f0f0f 0f0f0f0f

01005460  0f0f0f10 0f0f0f0f 0f108f0f 0f0f0f0f

01005470  0f0f0f0f 0f0f0f0f 0f0f0f0f 0f0f0f0f

01005480  10101010 10101010 0f101010 0f0f0f0f

01005490  0f0f0f0f 0f0f0f0f 0f0f0f0f 0f0f0f0f

010054a0  0f0f0f0f 0f0f0f0f 0f0f0f0f 0f0f0f0f

010054b0  0f0f0f0f 0f0f0f0f 0f0f0f0f 0f0f0f0f

 

分析出关键数据在内存中的位置后,我们就可以通过DLL注入的方式,用程序读取雷的位置并显示出来。

关于dll injection,可以参照http://www.codeproject.com/KB/threads/completeinject.aspx

DLL注入后,会调用该DLL中导出的Initialize函数,代码如下:

 

注入代码
 
   
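/*
 * Entry point the injector calls once this DLL has been loaded into the
 * running winmine.exe process (see the DLL-injection link in the article).
 *
 * Locates the game module in the current process, reads its static mine grid
 * (winmine!rgBlk) and shows a 9x9 map in a message box: 'X' for a mine,
 * '-' for everything else.  The offsets below come from the WinDbg symbol
 * listing of one specific winmine.exe build; on any other build they point
 * at unrelated data, so the function checks the image size before reading.
 *
 * No return value; every failure is reported through a message box.
 */
extern "C" __declspec(dllexport) void Initialize()
{
    /* Static-data offsets from the `x /a winmine!*` listing (image base
     * 0x01000000): winmine!rgBlk is at 0x01005340, i.e. base + 0x5340.
     * (winmine!cBombLeft, the remaining-mine counter, is at base + 0x5194;
     * it is not needed for the map.)  Keeping the offset relative to the
     * module base makes a relocated image work as well. */
    const SIZE_T RGBLK_OFFSET = 0x5340;

    /* Grid layout observed with `dd winmine!rgBlk`: one row per 0x20 bytes,
     * row and column indices start at 1; 9x9 is the beginner board. */
    const int ROW_STRIDE = 0x20;
    const int GRID_W = 9;
    const int GRID_H = 9;

    /* Cell values observed in the dumps: 0x8f = unopened mine, 0x8e = mine
     * the player has flagged; 0x0f = no mine, 0x40..0x42 = opened cells.
     * The original only tested 0x8f, so a flagged mine vanished from the map. */
    const BYTE BLK_MINE_HIDDEN = 0x8f;
    const BYTE BLK_MINE_FLAGGED = 0x8e;

    HMODULE hModule = GetModuleHandle(TEXT("winmine.exe"));
    if (hModule == NULL)
    {
        MessageBoxA(0, "Can't find module: winmine.exe", "Error", 0);
        return;
    }

    MODULEINFO moduleInfo;
    if (!GetModuleInformation(GetCurrentProcess(), hModule, &moduleInfo, sizeof(moduleInfo)))
    {
        MessageBoxA(0, "Can't get information of module: winmine.exe", "Error", 0);
        return;
    }

    /* Refuse to dereference the hard-coded offsets if the mapped image is
     * smaller than the grid we are about to read -- that means this is not
     * the build the offsets were taken from. */
    const SIZE_T needed = RGBLK_OFFSET + (SIZE_T)(GRID_H + 1) * ROW_STRIDE;
    if (moduleInfo.SizeOfImage < needed)
    {
        MessageBoxA(0, "Unexpected winmine.exe image size: offsets do not match this build", "Error", 0);
        return;
    }

    /* Byte-pointer arithmetic instead of DWORD casts: the DWORD round-trip
     * truncates pointers on a 64-bit build. */
    const BYTE *base = (const BYTE *)moduleInfo.lpBaseOfDll;
    const BYTE *rgBlk = base + RGBLK_OFFSET;

    /* Exactly GRID_H lines of "X - ... \r\n": GRID_W cells of two characters
     * each plus CRLF, plus the terminator.  Sizing the buffer from the
     * constants keeps every write below in bounds by construction. */
    char str[GRID_H * (GRID_W * 2 + 2) + 1];
    int len = 0;
    for (int y = 1; y <= GRID_H; y++)
    {
        for (int x = 1; x <= GRID_W; x++)
        {
            BYTE blk = rgBlk[y * ROW_STRIDE + x];
            bool isMine = (blk == BLK_MINE_HIDDEN || blk == BLK_MINE_FLAGGED);
            str[len++] = isMine ? 'X' : '-';
            str[len++] = ' ';
        }
        str[len++] = '\r';
        str[len++] = '\n';
    }
    str[len] = '\0';

    MessageBoxA(0, str, "DLL Injection Successful!", 0);
}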

 

从WinDbg分析可以发现,每次winmine载入的基址都是0x01000000,但为了应对例外情况,程序先调用GetModuleInformation取得模块实际加载的地址,然后再计算偏移。

 运行效果图:

2011070818451940.png

下载程序

转载于:https://www.cnblogs.com/piyeyong/archive/2011/07/08/2101360.html
