<meter id="pryje"><nav id="pryje"><delect id="pryje"></delect></nav></meter>
          <label id="pryje"></label>

          新聞中心

          EEPW首頁(yè) > 電源與新能源 > Windows內(nèi)核調(diào)試器原理淺析(二)

          Windows內(nèi)核調(diào)試器原理淺析(二)

          ——
          作者: 時(shí)間:2007-04-18 來(lái)源: 收藏
          case DbgKdContinueApi:
                      if (NT_SUCCESS(ManipulateState.u.Continue.ContinueStatus) != FALSE) {
                          return ContinueSuccess;
                      } else {
                          return ContinueError;
                      }
                      break;

                  case DbgKdContinueApi2:
                      if (NT_SUCCESS(ManipulateState.u.Continue2.ContinueStatus) != FALSE) {
                          KdpGetStateChange(&ManipulateState,ContextRecord);
                          return ContinueSuccess;
                      } else {
                          return ContinueError;
                      }
                      break;

                  case DbgKdRebootApi:
                      KdpReboot();
                      break;

                  case DbgKdReadMachineSpecificRegister:
                      KdpReadMachineSpecificRegister(&ManipulateState,&MessageData,ContextRecord);
                      break;

                  case DbgKdWriteMachineSpecificRegister:
                      KdpWriteMachineSpecificRegister(&ManipulateState,&MessageData,ContextRecord);
                      break;

                  case DbgKdSetSpecialCallApi:
                      KdSetSpecialCall(&ManipulateState,ContextRecord);
                      break;

                  case DbgKdClearSpecialCallsApi:
                      KdClearSpecialCalls();
                      break;

                  case DbgKdSetInternalBreakPointApi:
                      KdSetInternalBreakpoint(&ManipulateState);
                      break;

                  case DbgKdGetInternalBreakPointApi:
                      KdGetInternalBreakpoint(&ManipulateState);
                      break;

                  case DbgKdGetVersionApi:
                      KdpGetVersion(&ManipulateState);
                      break;

                  case DbgKdCauseBugCheckApi:
                      KdpCauseBugCheck(&ManipulateState);
                      break;

                  case DbgKdPageInApi:
                      KdpNotSupported(&ManipulateState);
                      break;

                  case DbgKdWriteBreakPointExApi:
                      Status = KdpWriteBreakPointEx(&ManipulateState,
                                                    &MessageData,
                                                    ContextRecord);
                      if (Status) {
                          ManipulateState.ApiNumber = DbgKdContinueApi;
                          ManipulateState.u.Continue.ContinueStatus = Status;
                          return ContinueError;
                      }
                      break;

                  case DbgKdRestoreBreakPointExApi:
                      KdpRestoreBreakPointEx(&ManipulateState,&MessageData,ContextRecord);
                      break;

                  case DbgKdSwitchProcessor:
                      KdPortRestore ();
                      ContinueStatus = KeSwitchFrozenProcessor(ManipulateState.Processor);
                      KdPortSave ();
                      return ContinueStatus;

                  case DbgKdSearchMemoryApi:
                      KdpSearchMemory(&ManipulateState, &MessageData, ContextRecord);
                      break;

              讀寫(xiě)內(nèi)存、搜索內(nèi)存、設(shè)置/恢復(fù)斷點(diǎn)、繼續(xù)執(zhí)行、重啟等等,WinDBG里的功能是不是都能實(shí)現(xiàn)了?呵呵。

              每次內(nèi)核接管系統(tǒng)是通過(guò)調(diào)用在KiDispatchException里調(diào)用KiDebugRoutine(KdpTrace),但我們知道要讓系統(tǒng)執(zhí)行到KiDispatchException必須是系統(tǒng)發(fā)生了異常。而內(nèi)核與被調(diào)試系統(tǒng)之間只是通過(guò)串口聯(lián)系,串口只會(huì)發(fā)生中斷,并不會(huì)讓系統(tǒng)引發(fā)異常。那么是怎么讓系統(tǒng)產(chǎn)生一個(gè)異常呢?答案就在KeUpdateSystemTime里,每當(dāng)發(fā)生時(shí)鐘中斷后在HalpClockInterrupt做了一些底層處理后就會(huì)跳轉(zhuǎn)到這個(gè)函數(shù)來(lái)更新系統(tǒng)時(shí)間(因?yàn)槭翘D(zhuǎn)而不是調(diào)用,所以在WinDBG斷下來(lái)后回溯堆棧是不會(huì)發(fā)現(xiàn)HalpClockInterrupt的地址的),是系統(tǒng)中調(diào)用最頻繁的幾個(gè)函數(shù)之一。在KeUpdateSystemTime里會(huì)判斷KdDebuggerEnable是否為T(mén)RUE,若為T(mén)RUE則調(diào)用KdPollBreakIn判斷是否有來(lái)自內(nèi)核的包含中斷信息的包,若有則調(diào)用DbgBreakPointWithStatus,執(zhí)行一個(gè)int 0x3指令,在異常處理流程進(jìn)入了KdpTrace后將根據(jù)處理不同向內(nèi)核調(diào)試器發(fā)包并無(wú)限循環(huán)等待內(nèi)核調(diào)試的回應(yīng)?,F(xiàn)在能理解為什么在WinDBG里中斷系統(tǒng)后堆?;厮菘梢砸来伟l(fā)現(xiàn)KeUpdateSystemTime->RtlpBreakWithStatusInstruction,系統(tǒng)停在了int 0x3指令上(其實(shí)int 0x3已經(jīng)執(zhí)行過(guò)了,只不過(guò)Eip被減了1而已),實(shí)際已經(jīng)進(jìn)入KiDispatchException->KdpTrap,將控制權(quán)交給了內(nèi)核調(diào)試器。


          評(píng)論


          相關(guān)推薦

          技術(shù)專區(qū)

          關(guān)閉
          看屁屁www成人影院,亚洲人妻成人图片,亚洲精品成人午夜在线,日韩在线 欧美成人 (function(){ var bp = document.createElement('script'); var curProtocol = window.location.protocol.split(':')[0]; if (curProtocol === 'https') { bp.src = 'https://zz.bdstatic.com/linksubmit/push.js'; } else { bp.src = 'http://push.zhanzhang.baidu.com/push.js'; } var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(bp, s); })();