
Why does WinDbg show different function origin than MSDN?

I have been debugging a program and I have to set a breakpoint on the CreateProcessAsUserW function. The Microsoft Docs for this function ( https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessasuserw ) state that the function is located in (exported from) Advapi32.dll . But WinDbg "claims" that the function is located in KernelBase.dll , if I understand these results (from WinDbg) correctly:

0:000> dt advapi32!CreateProc*
0:000> dt kernelbase!CreateProcessAsUser*
00007ffc504da520  KERNELBASE!CreateProcessAsUserA
00007ffc504da550  KERNELBASE!CreateProcessAsUserW

Why is this the case, and why do the results differ, given that both sources are trustworthy?

When WinDbg has symbols for a module, it unfortunately ignores forwarded function exports from the PE export section.

If you start another WinDbg instance without the correct advapi32 symbols, you can do bp advapi32!CreateProcessAsUserW etc. This is of course not a great solution.

Usually it is enough just to know that this happens. When you cannot find a function, look in kernelbase (kernel32, advapi32), ntdll (kernel32, user32) or shcore (shlwapi, shell32)...

Both kernelbase.dll and advapi32.dll export the functions CreateProcessAsUserA/W

C:\Windows\System32>dumpbin /exports KernelBase.dll | find /I "AsU"
        216   D0 001BEA00 CreateProcessAsUserA
        217   D1 001BEA40 CreateProcessAsUserW
        222   D6 001AEA00 CreatePseudoConsoleAsUser

C:\Windows\System32>dumpbin /exports advapi32.dll | find /I "AsU"
       1140   8A 00034190 CreateProcessAsUserA
       1141   8B 00020560 CreateProcessAsUserW

In kernelbase, the exported function address is a placeholder for many redirected functions that are not implemented: ErrorReturn

0:000> x KernelBase!CreateProcessAsUserW
00000001`80096ab0 KernelBase!CreateProcessAsUserW (void)

0:000> uf KernelBase!CreateProcessAsUserW
KernelBase!IsServerVersionOrAbove:

00000001`80096ab0 4883ec28        sub     rsp,28h
00000001`80096ab4 b97f000000      mov     ecx,7Fh
00000001`80096ab9 48ff1580c41200  call    qword ptr [KernelBase!_imp_RtlSetLastWin32Error (00000001`801c2f40)]
00000001`80096ac0 0f1f440000      nop     dword ptr [rax+rax]
00000001`80096ac5 33c0            xor     eax,eax
00000001`80096ac7 4883c428        add     rsp,28h
00000001`80096acb c3              ret


0:000> ln KernelBase!CreateProcessAsUserW
(00000001`80096ab0)   KernelBase!IsServerVersionOrAbove   |  (00000001`80096ae0)   KernelBase!LsaIExtractTargetInfo
Exact matches:
    KernelBase!GetUrlCacheConfigInfoA (void)
    KernelBase!FwIsValidPorts (void)
    KernelBase!AbortPrinter (void)
    KernelBase!RangeMapCreate (void)
    KernelBase!IsThreadDesktopComposited (void)
    KernelBase!ASN1utctime_cmp (void)
    KernelBase!SetWindowCompositionAttribute (void) 
    XXXXXXXXXXXXXXXXXXXXXXcut off XXXXXXXXXXXXXXX

The actual implementation is also in kernelbase.dll, at a different address (not exported)

0:000> x KernelBase!CreateProcessA*
00000001`80096ab0 KernelBase!CreateProcessAsUserA (void)
00000001`80096ab0 KernelBase!CreateProcessAsUserW (void)  <<<<<<< as above
00000001`8010bf50 KernelBase!CreateProcessAsUserA (CreateProcessAsUserA)
00000001`800071c0 KernelBase!CreateProcessA (CreateProcessA)
00000001`80006360 KernelBase!CreateProcessAsUserW (CreateProcessAsUserW) <<<<<<< actual implementation 

0:000> uf 00000001`80006360
KernelBase!CreateProcessAsUserW:
00000001`80006360 4c8bdc          mov     r11,rsp
00000001`80006363 4883ec68        sub     rsp,68h
00000001`80006367 498363f000      and     qword ptr [r11-10h],0
00000001`8000636c 488b8424c0000000 mov     rax,qword ptr [rsp+0C0h]
00000001`80006374 498943e8        mov     qword ptr [r11-18h],rax
00000001`80006378 488b8424b8000000 mov     rax,qword ptr [rsp+0B8h]
00000001`80006380 498943e0        mov     qword ptr [r11-20h],rax
00000001`80006384 488b8424b0000000 mov     rax,qword ptr [rsp+0B0h]
00000001`8000638c 498943d8        mov     qword ptr [r11-28h],rax
00000001`80006390 488b8424a8000000 mov     rax,qword ptr [rsp+0A8h]
00000001`80006398 498943d0        mov     qword ptr [r11-30h],rax
00000001`8000639c 8b8424a0000000  mov     eax,dword ptr [rsp+0A0h]
00000001`800063a3 89442430        mov     dword ptr [rsp+30h],eax
00000001`800063a7 8b842498000000  mov     eax,dword ptr [rsp+98h]
00000001`800063ae 89442428        mov     dword ptr [rsp+28h],eax
00000001`800063b2 488b842490000000 mov     rax,qword ptr [rsp+90h]
00000001`800063ba 498943b8        mov     qword ptr [r11-48h],rax
00000001`800063be e8cd1a0000      call    KernelBase!CreateProcessInternalW (00000001`80007e90)
00000001`800063c3 4883c468        add     rsp,68h
00000001`800063c7 c3              ret

This address, which advapi32.dll points to, has no symbol match

0:000> ln 00000001`80006360
(00000001`80006360)   KernelBase!CreateProcessAsUserW   |  (00000001`800063d0)   KernelBase!Wow64SetThreadDefaultGuestMachine
Exact matches:
0:000>

0:000> uf /c advapi32!CreateProcessAsUserWStub
advapi32!CreateProcessAsUserWStub (00007ffb`d89d7cc0)
  advapi32!CreateProcessAsUserWStub+0x59 (00007ffb`d89d7d19):
    call to KERNELBASE!CreateProcessAsUserW (00007ffb`d6d96360)
0:000> u 00007ffb`d89d7d19 l2
advapi32!CreateProcessAsUserWStub+0x59:
00007ffb`d89d7d19 48ff1598120600  call    qword ptr [advapi32!_imp_CreateProcessAsUserW (00007ffb`d8a38fb8)]
00007ffb`d89d7d20 0f1f440000      nop     dword ptr [rax+rax]
0:000> dps 00007ffb`d8a38fb8 l1
00007ffb`d8a38fb8  00007ffb`d6d96360 KERNELBASE!CreateProcessAsUserW
0:000>
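The two answers above describe two different ways a documented export can end up in KernelBase: a PE forwarder in the export table (first answer), or a real exported stub that calls through its import table, as the advapi32 dumpbin output and the `uf /c` walk show (second answer). Before setting a breakpoint it helps to know which case you are in, and the forwarder case is the one WinDbg hides once symbols are loaded. The following script is an added example, not code from either answer: it parses the export directory of a PE file by hand and applies the forwarder rule (a function RVA that falls inside the export directory itself points at a "DLL.Function" string instead of code). The sample image it builds is constructed for the example; `LocalFunction`, the RVA 0x2000 and the layout are made up, and nothing in it is a real DLL. Run it with a path to a real DLL to list that module's forwarders instead.

```python
import struct
import sys

# Constructed sample: a minimal PE32+ image with a single .edata section that
# exports one forwarded name and one locally implemented name.  It is not a
# real DLL; "LocalFunction" and the RVA 0x2000 are hypothetical.
SAMPLE_EXPORTS = [
    ("CreateProcessAsUserW", "KERNELBASE.CreateProcessAsUserW"),  # forwarder string
    ("LocalFunction", 0x2000),                                    # RVA of real code
]


def build_sample_image(exports=SAMPLE_EXPORTS, dll_name="advapi32.dll") -> bytes:
    """Headers at file offset 0, .edata at RVA 0x1000 / file offset 0x200."""
    sec_va, sec_raw, n = 0x1000, 0x200, len(exports)
    funcs_rva = sec_va + 40            # IMAGE_EXPORT_DIRECTORY is 40 bytes
    names_rva = funcs_rva + 4 * n
    ords_rva = names_rva + 4 * n
    strings = bytearray()

    def add_str(s: str) -> int:        # append a C string after the tables, return its RVA
        rva = ords_rva + 2 * n + len(strings)
        strings.extend(s.encode("ascii") + b"\0")
        return rva

    dll_rva = add_str(dll_name)
    name_rvas = [add_str(name) for name, _ in exports]
    # A forwarder's function RVA points *inside* the export directory, at a
    # "DLL.Function" string; a normal export points at code elsewhere.
    func_rvas = [add_str(t) if isinstance(t, str) else t for _, t in exports]
    edata_size = ords_rva + 2 * n + len(strings) - sec_va

    edata = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, dll_rva, 1, n, n,
                        funcs_rva, names_rva, ords_rva)
    edata += struct.pack(f"<{n}I", *func_rvas)           # AddressOfFunctions
    edata += struct.pack(f"<{n}I", *name_rvas)           # AddressOfNames
    edata += struct.pack(f"<{n}H", *range(n)) + bytes(strings)  # AddressOfNameOrdinals

    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)              # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)  # x64, 1 section, DLL
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                            # PE32+ magic
    struct.pack_into("<II", opt, 112, sec_va, edata_size)            # DataDirectory[EXPORT]
    sect = struct.pack("<8sIIII", b".edata", edata_size, sec_va, sec_raw, sec_raw) + bytes(16)
    headers = (dos + b"PE\0\0" + coff + bytes(opt) + sect).ljust(sec_raw, b"\0")
    return headers + edata.ljust(sec_raw, b"\0")


def _cstr(data: bytes, off: int) -> str:
    return data[off:data.index(b"\0", off)].decode("ascii")


def parse_exports(image: bytes) -> dict:
    """Map each named export to ("forward", "DLL.Func") or ("code", rva)."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", image, opt)[0]
    dd = opt + (112 if magic == 0x20B else 96)   # data directory: PE32+ vs PE32 layout
    exp_rva, exp_size = struct.unpack_from("<II", image, dd)
    if exp_rva == 0:
        return {}
    # (VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData) per section header
    sections = [struct.unpack_from("<IIII", image, opt + opt_size + 40 * i + 8)
                for i in range(num_sections)]

    def rva_to_off(rva: int) -> int:
        for vsize, va, raw_size, raw_ptr in sections:
            if va <= rva < va + max(vsize, raw_size):
                return rva - va + raw_ptr
        raise ValueError(f"RVA {rva:#x} is not inside any section")

    exp = rva_to_off(exp_rva)
    _base, n_funcs, n_names, funcs_rva, names_rva, ords_rva = struct.unpack_from("<6I", image, exp + 16)
    funcs = struct.unpack_from(f"<{n_funcs}I", image, rva_to_off(funcs_rva))
    names = struct.unpack_from(f"<{n_names}I", image, rva_to_off(names_rva))
    ords = struct.unpack_from(f"<{n_names}H", image, rva_to_off(ords_rva))

    result = {}
    for name_rva, ordinal in zip(names, ords):
        name = _cstr(image, rva_to_off(name_rva))
        rva = funcs[ordinal]
        if exp_rva <= rva < exp_rva + exp_size:    # the forwarder rule
            result[name] = ("forward", _cstr(image, rva_to_off(rva)))
        else:
            result[name] = ("code", rva)
    return result


def split_forwarder(target: str) -> tuple:
    """'KERNELBASE.CreateProcessAsUserW' -> ('KERNELBASE', 'CreateProcessAsUserW').
    Ordinal forwarders look like 'NTDLL.#123' and keep the '#'."""
    dll, _, func = target.partition(".")
    return dll, func


if __name__ == "__main__":
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image()
    for name, (kind, where) in sorted(parse_exports(image).items()):
        if kind == "forward":
            dll, func = split_forwarder(where)
            print(f"{name:40} forwarded -> set the breakpoint on {dll}!{func}")
        else:
            print(f"{name:40} code at RVA {where:#x}")
```

A name reported as `forwarded` is exactly the case WinDbg drops when it has symbols for the module, so the breakpoint belongs on the target module (`bp KERNELBASE!CreateProcessAsUserW` in the example). A name reported with a code RVA is a real stub in the module; `bp advapi32!...` works, and `uf /c` on it shows the call through the import table as in the second answer.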
