Can I set a breakpoint in ntdll.dll!_LdrpInitializeProcess?
When debugging a Windows process, it would sometimes be convenient to break as early as possible.
Initial call stack looks like this (you get this e.g. when you set a breakpoint in a DllMain function on DLL_PROCESS_ATTACH):
...
ntdll.dll!_LdrpCallInitRoutine@16() + 0x14 bytes
ntdll.dll!_LdrpRunInitializeRoutines@4() + 0x205 bytes
> ntdll.dll!_LdrpInitializeProcess@20() - 0x96d bytes
ntdll.dll!__LdrpInitialize@12() + 0x6269 bytes
ntdll.dll!_KiUserApcDispatcher@20() + 0x7 bytes
so setting a breakpoint in one of these ntdll routines should really break the process very early.
However, I can't figure out how to set a breakpoint there prior to starting the process in the debugger. Is it possible in Visual Studio (2005)? How? Can it be done in WinDbg?
I would use something like GFlags to launch the debugger when the process starts.
Here are sample gflags settings for test.exe
And here is the debugger output. Notice the call stack with ntdll!LdrpInitializeProcess.
Or you could open the process within a debugger like WinDbg, which would break into ntdll!LdrpInitializeProcess by default. HTH
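What GFlags does under the hood when you tick "Debugger" for an image is write a `Debugger` value under the Image File Execution Options (IFEO) key for that image name (the equivalent command line is `gflags /p /enable test.exe /debug "<path to windbg.exe>"`). The following PowerShell is an added example, not part of the answer above: it sets that value, lists every image that currently has one, and removes it again. Run it from an elevated prompt; the image name `test.exe` and the WinDbg path are placeholders you must adjust.

```powershell
# Added example: manage the IFEO "Debugger" value that GFlags writes for an image.
# Assumption: 'test.exe' and the WinDbg path are placeholders, not values from the page.

$ifeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Enable-EarlyDebugger {
    param(
        [Parameter(Mandatory)] [string] $ImageName,          # file name only, e.g. 'test.exe'
        [Parameter(Mandatory)] [string] $DebuggerCommandLine # e.g. '"C:\Debuggers\windbg.exe"'
    )
    $key = Join-Path $ifeoRoot $ImageName
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # The loader consults this value before the image's first instruction runs, so the
    # debugger is attached at process creation and its initial break lands inside
    # ntdll's process initialisation, which is exactly the point the question asks for.
    Set-ItemProperty -Path $key -Name 'Debugger' -Value $DebuggerCommandLine -Type String
}

function Get-IfeoDebuggers {
    # Lists every image that has a Debugger value set. Useful to confirm the setting took,
    # and the same check a defender runs periodically, because this value redirects
    # every launch of that image and is a well-known persistence location.
    Get-ChildItem -Path $ifeoRoot | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($props -and $props.PSObject.Properties['Debugger']) {
            [pscustomobject]@{ Image = $_.PSChildName; Debugger = $props.Debugger }
        }
    }
}

function Disable-EarlyDebugger {
    param([Parameter(Mandatory)] [string] $ImageName)
    $key = Join-Path $ifeoRoot $ImageName
    if (Test-Path $key) {
        Remove-ItemProperty -Path $key -Name 'Debugger' -ErrorAction SilentlyContinue
    }
}

# Usage (placeholders):
Enable-EarlyDebugger -ImageName 'test.exe' -DebuggerCommandLine '"C:\Debuggers\windbg.exe"'
Get-IfeoDebuggers | Format-Table -AutoSize
# ... start test.exe normally; WinDbg opens and stops at its initial breakpoint ...
Disable-EarlyDebugger -ImageName 'test.exe'
```

Leave the value in place only for as long as you are debugging: while it is set, every start of that image, by any user or service, is redirected through the debugger, which is why `Get-IfeoDebuggers` is also worth running on machines you did not configure yourself.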
I have found out how to do it in Visual Studio.
The problem here is that setting a breakpoint in any assembly function will be remembered as a "Data Breakpoint". These breakpoints are disabled as soon as the process stops, so even if I set one in this function (I can do this because I have the function on the stack if I set a breakpoint in any DllMain function) this breakpoint will be disabled for a new process run.
However for ntdll.dll (and kernel32.dll) the load addresses are pretty much fixed and won't change (at least not until reboot).
So, before starting the process, I just have to re-enable the Data Breakpoint for the address that corresponds to this NtDll function and the debugger will then stop there.
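The trick above relies on ntdll.dll being mapped at the same base address in every process until the next reboot. The PowerShell below is an added example, not part of the answer: it reads the ntdll.dll base from every process it is allowed to inspect and reports whether they all agree, which tells you whether a remembered address breakpoint from a previous session is still valid. Run it from a PowerShell of the same bitness as the process you debug; 32-bit processes on a 64-bit host map a different ntdll image and are skipped when module enumeration is denied.

```powershell
# Added example: verify that ntdll.dll has one base address across all inspectable
# processes (true until reboot on current Windows, where ASLR randomises system DLLs per boot).
# No values here come from the page; output depends on the machine it runs on.

function Get-NtdllBases {
    # One object per readable process: name, PID and ntdll.dll base address as hex.
    foreach ($p in Get-Process) {
        try {
            $m = $p.Modules | Where-Object { $_.ModuleName -ieq 'ntdll.dll' } | Select-Object -First 1
            if ($m) {
                [pscustomobject]@{
                    Name = $p.ProcessName
                    Id   = $p.Id
                    Base = ('0x{0:X}' -f $m.BaseAddress.ToInt64())
                }
            }
        } catch {
            # Protected processes and processes of the other bitness refuse module
            # enumeration; they are simply left out of the comparison.
        }
    }
}

function Test-NtdllBaseIsStable {
    $bases    = @(Get-NtdllBases)
    $distinct = @($bases.Base | Sort-Object -Unique)
    [pscustomobject]@{
        ProcessesInspected = $bases.Count
        DistinctBases      = $distinct
        Stable             = ($distinct.Count -eq 1)
    }
}

# Usage: a single entry in DistinctBases means an address breakpoint inside ntdll set in
# an earlier session (before any reboot) still points at the same code.
Test-NtdllBaseIsStable
Get-NtdllBases | Sort-Object Base | Format-Table -AutoSize
```

If `Stable` is false after a reboot, the base moved and every remembered ntdll address breakpoint must be recomputed from a fresh break inside DllMain, as the answer describes.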