
How to find a function in WinDbg

I am using WinDbg to debug a Windows kernel file. The problem is that I know the function I want to set a breakpoint on, but I don't know which module the function belongs to. I am using Windows Server 2019, and the module should be ntoskrnl, imported from IDA. Somehow I did not find that module in WinDbg (maybe there is an alias). How can I know which module imports the function, or the function's address? The loaded modules are as follows:

start             end                 module name
ffffaa98`27400000 ffffaa98`2778b000   win32kfull   (pdb symbols)          C:\ProgramData\Dbg\sym\win32kfull.pdb\BD15EC0EDD344DABCC32F9C2E347B97B1\win32kfull.pdb
ffffaa98`27790000 ffffaa98`279ec000   win32kbase   (deferred)             
ffffaa98`279f0000 ffffaa98`27a38000   cdd        (deferred)             
ffffaa98`28300000 ffffaa98`2838b000   win32k     (deferred)             
fffff801`19c0e000 fffff801`19cab000   hal        (deferred)             
fffff801`19cac000 fffff801`1a71c000   nt         (pdb symbols)          C:\ProgramData\Dbg\sym\ntkrnlmp.pdb\45C12C294F739481AC5E8E014C068FB61\ntkrnlmp.pdb
fffff801`1a800000 fffff801`1a80e000   kdcom      (deferred)             
fffff80f`e7c00000 fffff80f`e7c70000   FLTMGR     (deferred)             
fffff80f`e7c80000 fffff80f`e7d8a000   clipsp     (deferred)             
fffff80f`e7d90000 fffff80f`e7d9e000   cmimcext   (deferred)             
fffff80f`e7da0000 fffff80f`e7dac000   ntosext    (deferred)             
fffff80f`e7db0000 fffff80f`e7e83000   CI         (deferred)             
fffff80f`e7e90000 fffff80f`e7f48000   cng        (deferred)             
fffff80f`e7f50000 fffff80f`e8021000   Wdf01000   (deferred)             
fffff80f`e8030000 fffff80f`e8043000   WDFLDR     (deferred)             
fffff80f`e8050000 fffff80f`e8060000   WppRecorder   (deferred)             
fffff80f`e8070000 fffff80f`e807f000   SleepStudyHelper   (deferred)             
fffff80f`e8080000 fffff80f`e80a4000   acpiex     (deferred)             
fffff80f`e80b0000 fffff80f`e8101000   mssecflt   (deferred)             
fffff80f`e8110000 fffff80f`e812a000   SgrmAgent   (deferred)             
fffff80f`e8130000 fffff80f`e81f8000   ACPI       (deferred)             
fffff80f`e8200000 fffff80f`e8220000   mcupdate_AuthenticAMD   (deferred)             
fffff80f`e8230000 fffff80f`e8292000   msrpc      (deferred)             
fffff80f`e82a0000 fffff80f`e82cb000   ksecdd     (deferred)             
fffff80f`e82d0000 fffff80f`e82e1000   werkernel   (deferred)             
fffff80f`e82f0000 fffff80f`e835a000   CLFS       (deferred)             
fffff80f`e8360000 fffff80f`e8387000   tm         (deferred)             
fffff80f`e8390000 fffff80f`e83a8000   PSHED      (deferred)             
fffff80f`e83b0000 fffff80f`e83bb000   BOOTVID    (deferred)             
fffff80f`e83c0000 fffff80f`e83cc000   WMILIB     (deferred)             
fffff80f`e8400000 fffff80f`e8443000   intelpep   (deferred)             
fffff80f`e8450000 fffff80f`e845b000   WindowsTrustedRTProxy   (deferred)             
fffff80f`e8460000 fffff80f`e8474000   pcw        (deferred)             
fffff80f`e84a0000 fffff80f`e85f3000   NDIS       (deferred)             
fffff80f`e8600000 fffff80f`e8695000   NETIO      (pdb symbols)          C:\ProgramData\Dbg\sym\netio.pdb\C34301C2DC7F81959A5EF6C03D4BA3871\netio.pdb
fffff80f`e86a0000 fffff80f`e86ab000   msisadrv   (deferred)             
fffff80f`e86b0000 fffff80f`e86c2000   vdrvroot   (deferred)             
fffff80f`e86d0000 fffff80f`e873b000   pci        (deferred)             
fffff80f`e8740000 fffff80f`e876e000   pdc        (deferred)             
fffff80f`e8770000 fffff80f`e8789000   CEA        (deferred)             
fffff80f`e8790000 fffff80f`e87bf000   partmgr    (deferred)             
fffff80f`e87c0000 fffff80f`e87cb000   intelide   (deferred)             
fffff80f`e87d0000 fffff80f`e87e3000   PCIIDEX    (deferred)             
fffff80f`e87f0000 fffff80f`e8894000   spaceport   (deferred)             
fffff80f`e88a0000 fffff80f`e88b9000   volmgr     (deferred)             
fffff80f`e88c0000 fffff80f`e8923000   volmgrx    (deferred)             
fffff80f`e8930000 fffff80f`e894f000   mountmgr   (deferred)             
fffff80f`e8950000 fffff80f`e895d000   atapi      (deferred)             
fffff80f`e8960000 fffff80f`e8996000   ataport    (deferred)             
fffff80f`e89a0000 fffff80f`e89bc000   EhStorClass   (deferred)             
fffff80f`e89c0000 fffff80f`e89fe000   Wof        (deferred)             
fffff80f`e8a00000 fffff80f`e8a15000   dfsrro     (deferred)             
fffff80f`e8a20000 fffff80f`e8a92000   WdFilter   (deferred)             
fffff80f`e8aa0000 fffff80f`e8b0d000   volsnap    (deferred)             
fffff80f`e8b10000 fffff80f`e8b7f000   CLASSPNP   (deferred)             
fffff80f`e8b80000 fffff80f`e8b95000   filecrypt   (deferred)             
fffff80f`e8ba0000 fffff80f`e8bb6000   WindowsTrustedRT   (deferred)             
fffff80f`e8bc0000 fffff80f`e8bd4000   dfs        (deferred)             
fffff80f`e8be0000 fffff80f`e8bea000   Null       (deferred)             
fffff80f`e8c20000 fffff80f`e8c4e000   cdrom      (deferred)             
fffff80f`e8c50000 fffff80f`e8c5e000   tbs        (deferred)             
fffff80f`e8c60000 fffff80f`e8eed000   Ntfs       (deferred)             
fffff80f`e8ef0000 fffff80f`e8f48000   VBoxGuest   (deferred)             
fffff80f`e8f50000 fffff80f`e8f5d000   Fs_Rec     (deferred)             
fffff80f`e8f60000 fffff80f`e8f92000   ksecpkg    (deferred)             
fffff80f`e8fa0000 fffff80f`e8fbc000   disk       (deferred)             
fffff80f`e8fc0000 fffff80f`e8fdc000   crashdmp   (deferred)             
fffff80f`e9000000 fffff80f`e9078000   fwpkclnt   (deferred)             
fffff80f`e9080000 fffff80f`e90b0000   wfplwfs    (deferred)             
fffff80f`e90c0000 fffff80f`e90cb000   volume     (deferred)             
fffff80f`e90d0000 fffff80f`e90f5000   mup        (deferred)             
fffff80f`e9120000 fffff80f`e93fa000   tcpip      (deferred)             
fffff80f`e9a00000 fffff80f`e9a51000   netbt      (deferred)             
fffff80f`e9a60000 fffff80f`e9a73000   afunix     (deferred)             
fffff80f`e9a80000 fffff80f`e9b26000   afd        (deferred)             
fffff80f`e9b30000 fffff80f`e9b5b000   pacer      (deferred)             
fffff80f`e9b60000 fffff80f`e9b74000   netbios    (deferred)             
fffff80f`e9bc0000 fffff80f`e9efb000   dxgkrnl    (deferred)             
fffff80f`e9f00000 fffff80f`e9f16000   watchdog   (deferred)             
fffff80f`e9f20000 fffff80f`e9f36000   BasicDisplay   (deferred)             
fffff80f`e9f40000 fffff80f`e9f51000   BasicRender   (deferred)             
fffff80f`e9f60000 fffff80f`e9f7c000   Npfs       (deferred)             
fffff80f`e9f80000 fffff80f`e9f91000   Msfs       (deferred)             
fffff80f`e9fa0000 fffff80f`e9fc7000   tdx        (deferred)             
fffff80f`e9fd0000 fffff80f`e9fe0000   TDI        (deferred)             
fffff80f`ea000000 fffff80f`ea04e000   ahcache    (deferred)             
fffff80f`ea050000 fffff80f`ea061000   CompositeBus   (deferred)             
fffff80f`ea070000 fffff80f`ea07d000   kdnic      (deferred)             
fffff80f`ea080000 fffff80f`ea095000   umbus      (deferred)             
fffff80f`ea0a0000 fffff80f`ea0c1000   i8042prt   (deferred)             
fffff80f`ea0d0000 fffff80f`ea0e3000   kbdclass   (deferred)             
fffff80f`ea0f0000 fffff80f`ea13a000   VBoxMouse   (deferred)             
fffff80f`ea140000 fffff80f`ea153000   mouclass   (deferred)             
fffff80f`ea160000 fffff80f`ea1d6000   VBoxWddm   (deferred)             
fffff80f`ea1e0000 fffff80f`ea204080   E1G6032E   (deferred)             
fffff80f`ea210000 fffff80f`ea21f000   usbohci    (deferred)             
fffff80f`ea220000 fffff80f`ea29b000   USBPORT    (deferred)             
fffff80f`ea2a0000 fffff80f`ea2af000   CmBatt     (deferred)             
fffff80f`ea2b0000 fffff80f`ea2c0000   BATTC      (deferred)             
fffff80f`ea2d0000 fffff80f`ea30a000   amdppm     (deferred)             
fffff80f`ea310000 fffff80f`ea31d000   NdisVirtualBus   (deferred)             
fffff80f`ea320000 fffff80f`ea32c000   swenum     (deferred)             
fffff80f`ea330000 fffff80f`ea3a5000   ks         (deferred)             
fffff80f`ea3b0000 fffff80f`ea3be000   rdpbus     (deferred)             
fffff80f`ea3c0000 fffff80f`ea448000   usbhub     (deferred)             
fffff80f`ea450000 fffff80f`ea45e000   USBD       (deferred)             
fffff80f`ea460000 fffff80f`ea47f000   cdfs       (deferred)             
fffff80f`ea490000 fffff80f`ea49f000   dump_dumpata   (deferred)             
fffff80f`ea4b0000 fffff80f`ea4bd000   dump_atapi   (deferred)             
fffff80f`ea4c0000 fffff80f`ea4d2000   hidusb     (deferred)             
fffff80f`ea4e0000 fffff80f`ea51b000   HIDCLASS   (deferred)             
fffff80f`ea520000 fffff80f`ea533000   HIDPARSE   (deferred)             
fffff80f`ea540000 fffff80f`ea5c9000   mrxsmb     (deferred)             
fffff80f`ea5d0000 fffff80f`ea616000   mrxsmb20   (deferred)             
fffff80f`ea620000 fffff80f`ea66f000   srvnet     (deferred)             
fffff80f`ea670000 fffff80f`ea735000   srv2       (deferred)             
fffff80f`ea740000 fffff80f`ea76b000   winquic    (deferred)             
fffff80f`ea770000 fffff80f`ea8aa000   HTTP       (deferred)             
fffff80f`ea8b0000 fffff80f`ea986000   peauth     (deferred)             
fffff80f`ea990000 fffff80f`ea9a4000   tcpipreg   (deferred)             
fffff80f`ea9b0000 fffff80f`ea9cc000   rassstp    (deferred)             
fffff80f`ea9d0000 fffff80f`ea9e8000   NDProxy    (deferred)             
fffff80f`ea9f0000 fffff80f`eaa17000   AgileVpn   (deferred)             
fffff80f`eaa20000 fffff80f`eaa41000   rasl2tp    (deferred)             
fffff80f`eaa50000 fffff80f`eaa70000   raspptp    (deferred)             
fffff80f`eaa80000 fffff80f`eaa9c000   raspppoe   (deferred)             
fffff80f`eaaa0000 fffff80f`eaab5000   rasgre     (deferred)             
fffff80f`eaac0000 fffff80f`eaacf000   ndistapi   (deferred)             
fffff80f`eaad0000 fffff80f`eab0b000   ndiswan    (deferred)             
fffff80f`eab10000 fffff80f`eab23000   condrv     (deferred)             
fffff80f`eab30000 fffff80f`eab3f000   mouhid     (deferred)             
fffff80f`eab40000 fffff80f`eab56000   monitor    (deferred)             
fffff80f`eab60000 fffff80f`eac38000   dxgmms2    (deferred)             
fffff80f`eac40000 fffff80f`eac69000   luafv      (deferred)             
fffff80f`eac70000 fffff80f`eac9d000   wcifs      (deferred)             
fffff80f`eaca0000 fffff80f`ead16000   cldflt     (deferred)             
fffff80f`ead20000 fffff80f`ead3b000   storqosflt   (deferred)             
fffff80f`ead40000 fffff80f`ead58000   lltdio     (deferred)             
fffff80f`ead60000 fffff80f`ead7a000   mslldp     (deferred)             
fffff80f`ead80000 fffff80f`ead9b000   rspndr     (deferred)             
fffff80f`eada0000 fffff80f`eadbc000   wanarp     (deferred)             
fffff80f`eadc0000 fffff80f`eade5000   bowser     (deferred)             
fffff80f`eae00000 fffff80f`eae7a000   VBoxSF     (deferred)             
fffff80f`eae80000 fffff80f`eaefa000   rdbss      (deferred)             
fffff80f`eaf00000 fffff80f`eaf12000   nsiproxy   (deferred)             
fffff80f`eaf20000 fffff80f`eaf2d000   npsvctrig   (deferred)             
fffff80f`eaf30000 fffff80f`eaf40000   mssmbios   (deferred)             
fffff80f`eaf50000 fffff80f`eaf7c000   dfsc       (deferred)             
fffff80f`eaf80000 fffff80f`eaf9a000   mpsdrv     (deferred)             
fffff80f`eafa0000 fffff80f`eafb4000   bam        (deferred)             
fffff80f`eafc0000 fffff80f`eafdb000   WdNisDrv   (deferred)

I am using Windows Server 2019, and the module should be ntoskrnl, imported from IDA. Somehow I did not find that module in WinDbg (maybe there is an alias).

That is the Windows kernel binary; its symbol name is nt.

How can I know which module imports the function, or the function's address?

There are several ways to do this, but I think the simplest is probably:

  1. Reload the symbol information for all modules.

For that you can use the .reload command, in particular the /f and /s switches. Note that this may take some time.

Side note: when you list all modules (with lm), you can see that they are marked as "deferred":

0: kd> lm
start             end                 module name
ffffea92`71600000 ffffea92`718d3000   win32kbase   (deferred)
ffffea92`718e0000 ffffea92`71c95000   win32kfull   (deferred)
ffffea92`71ca0000 ffffea92`71ce9000   cdd        (deferred)
ffffea92`72200000 ffffea92`7229a000   win32k     (deferred)
fffff806`06200000 fffff806`06236000   wcifs      (deferred)
fffff806`06240000 fffff806`06254000   mmcss      (deferred)
fffff806`06260000 fffff806`062b6000   WUDFRd     (deferred)
fffff806`062c0000 fffff806`06341000   cldflt     (deferred)
...

This means that symbol information is only loaded when it is needed ("deferred symbol loading"; e.g. when setting a breakpoint). If we want to find a symbol we do need that information loaded, hence .reload /f /s (or just .reload /f).

  2. Search for the symbol.

Use the "examine symbols" command x. Note that you can use wildcards.

Example

Suppose you have the NtCreateFile API and you want to know which module implements it:

0: kd> .reload /f
Loading Kernel Symbols
...............................................................
................................................................
......

0: kd> x *!NtCreateFile
fffff806`08e99260 nt!NtCreateFile (NtCreateFile)

0: kd> lmDvm nt
Browse full module list
start             end                 module name
fffff806`08800000 fffff806`09846000   nt         (pdb symbols)          g:\symbols\ntkrnlmp.pdb\5D6312DA6921E3A4E7F938B88330B0771\ntkrnlmp.pdb
    Loaded symbol image file: ntkrnlmp.exe
    Image path: ntkrnlmp.exe
    Image name: ntkrnlmp.exe
    Browse all global symbols  functions  data
    Image was built with /Brepro flag.
    Timestamp:        73F1C0C4 (This is a reproducible build file hash, not a timestamp)
    CheckSum:         00A65799
    ImageSize:        01046000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
    Information from resource tables:

It is in the nt module (the kernel).

About .reload

Most of the time you don't need to reload the symbols for the whole kernel space, since in theory only the kernel binary (nt) provides the APIs that will be called. You should just do x, and then, if you don't get the right answer, try reloading the symbol information of the other modules with .reload /f.
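The answer resolves a name to a module with x *!Name. The converse question in the post, "which module does this address belong to", is answered natively by lm a <address> (or ln <address> for the nearest symbol), but it is also just a range lookup over the start/end columns of the lm listing. The following Python script is an added example, not part of the answer above: it parses a constructed lm excerpt (a few lines in the same shape as the listing in the question, including WinDbg's backtick-separated 64-bit addresses) and maps an address to module+offset, so the same check can be run offline on a saved lm dump. The end column is treated as exclusive (start + image size), which matches how WinDbg prints it.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the shape of WinDbg's `lm` output (a few rows only).
# Addresses use the debugger's backtick-separated 64-bit form.
LM_OUTPUT = """\
start             end                 module name
ffffaa98`27400000 ffffaa98`2778b000   win32kfull   (pdb symbols)          C:\\ProgramData\\Dbg\\sym\\win32kfull.pdb\\BD15EC0EDD344DABCC32F9C2E347B97B1\\win32kfull.pdb
fffff801`19c0e000 fffff801`19cab000   hal        (deferred)
fffff801`19cac000 fffff801`1a71c000   nt         (pdb symbols)          C:\\ProgramData\\Dbg\\sym\\ntkrnlmp.pdb\\45C12C294F739481AC5E8E014C068FB61\\ntkrnlmp.pdb
fffff80f`e8c60000 fffff80f`e8eed000   Ntfs       (deferred)
"""

# One module row: start, end, name, and the symbol state in parentheses.
_ROW = re.compile(r"^([0-9a-f`]+)\s+([0-9a-f`]+)\s+(\S+)\s+\((.*?)\)", re.IGNORECASE)


@dataclass(frozen=True)
class Module:
    name: str
    start: int
    end: int        # exclusive: start + image size, as WinDbg prints it
    symbols: str    # e.g. "deferred" or "pdb symbols"

    def contains(self, addr: int) -> bool:
        return self.start <= addr < self.end


def parse_addr(text: str) -> int:
    """Turn WinDbg's hhhhhhhh`llllllll form (or plain hex) into an int."""
    return int(text.replace("`", ""), 16)


def format_addr(addr: int) -> str:
    """Print an int back in WinDbg's backtick form."""
    return f"{addr >> 32:08x}`{addr & 0xFFFFFFFF:08x}"


def parse_lm(text: str) -> List[Module]:
    """Parse the rows of an `lm` listing; the header and blank lines are skipped."""
    modules = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if not m:
            continue
        start, end, name, symbols = m.groups()
        modules.append(Module(name, parse_addr(start), parse_addr(end), symbols))
    return modules


def module_for(modules: List[Module], addr: int) -> Optional[Module]:
    """Return the module whose [start, end) range contains addr, if any."""
    for mod in modules:
        if mod.contains(addr):
            return mod
    return None


def describe(modules: List[Module], addr_text: str) -> str:
    """Human-readable module+offset for an address, like `ln` would give."""
    addr = parse_addr(addr_text)
    mod = module_for(modules, addr)
    if mod is None:
        return f"{format_addr(addr)}: not inside any loaded module"
    return f"{format_addr(addr)}: {mod.name}+0x{addr - mod.start:x} ({mod.symbols})"


if __name__ == "__main__":
    mods = parse_lm(LM_OUTPUT)
    for probe in ("fffff801`19cac000", "fffff801`1a000000", "fffff801`19cab000"):
        print(describe(mods, probe))
```

An address that falls on a module's end value is reported as outside it, which is the right call for the gap between hal and nt in the sample; if a lookup returns nothing, the module was either not yet loaded when lm was captured or the address is not code at all, and in the live debugger lm a <address> will say the same.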


Notice: technical posts on this site are licensed under CC BY-SA 4.0; if you repost, cite this site or the original source. © 2020-2024 STACKOOM.COM