2.windbg script-随手script示例

1.s搜索命令

    1.1搜索dword 

0:000> dd esp
0029e898  00050001 7ffdf6cc cccccccc cccccccc
0029e8a8  636e6554 20746e65 68636554 6f6c6f6e
0029e8b8  53287967 7a6e6568 296e6568 6d6f4320
0029e8c8  796e6170 6d694c20 64657469 00000000
0029e8d8  00000000 00000000 00000000 00000000
0029e8e8  00000000 00000000 00000000 00000000
0029e8f8  00000000 00000000 00000000 00000000
0029e908  00000000 00000000 00000000 00000000
0:000> s -[1]d 0029e898  L200 20746e65 
0x0029e8ac

-[1]在搜索输出中仅显示匹配项的地址。该选项在使用 .foreach把输出通过管道传递给其他命令作为输入时很有用
 
   1.2搜索字符串
0:000> dc 0029eeec 
0029eeec  505c3a43 72676f72 61446d61 545c6174  C:\ProgramData\T
0029eefc  65636e65 545c746e 6c755653 545c7746  encent\TSVulFw\T
0029ef0c  6c755653 442e5746 00005441 f13f0003  SVulFW.DAT....?.
0029ef1c  f1d8a8e6 3f0003e6 01293f5b 03000300  .......?[?).....
0029ef2c  3f293f05 3f3f3f29 3f00033f 3f293f5b  .?)?)????..?[?)?
0029ef3c  0001033f 00000000 00000000 00000000  ?...............
0029ef4c  00000000 00000000 00000000 00000000  ................
0029ef5c  00000000 00000000 00000000 00000000  ................
0:000> s -[1]a  0029eeec  L1000 "TSVulFw"
0x0029ef03
0:000> da 0x0029ef03
0029ef03  "TSVulFw\TSVulFW.DAT"
注意是大小写字符敏感的


下面的命令显示所有位于0x77000000 到0x7F000000地址范围内的模块的详细信息

0:000>  .foreach (place {lm1m}) {.if(( place >0x77000000)&( place <=0x7f000000)){.echo ${place}}}
sechost
USP10
MSCTF
IMM32
SHLWAPI
imagehlp
GDI32
OLEAUT32
ole32
ntdll
USER32
0:000>  .foreach (place {lm1m}) {.if(( place >0x77000000)&( place <=0x7f000000)){dd ${place} L1}}
770b0000  00905a4d
770d0000  00905a4d
77170000  00905a4d
77290000  00905a4d
77340000  00905a4d
773a0000  00905a4d
773d0000  00905a4d
77420000  00905a4d
77790000  00905a4d
77c40000  00905a4d
77d90000  00905a4d

  •  r (Registers) ? 标志一起使用。该标志为伪寄存器$t0$t1指派有类型的值。循环体中,$t1具有ntdll!_LDR_DATA_TABLE_ENTRY*类型,所以程序可以直接引用它的成员。
0:000> dt _PEB -y Ldr @$peb
VerifyTxSignDemo!_PEB
   +0x00c Ldr : 0x77d17880 _PEB_LDR_DATA
0:000> dt _PEB_LDR_DATA -v @$peb
VerifyTxSignDemo!_PEB_LDR_DATA
struct _PEB_LDR_DATA, 7 elements, 0x28 bytes
   +0x000 Length           : 0x8010000
   +0x004 Initialized      : 0xff ''
   +0x008 SsHandle         : 0x01000000 
   +0x00c InLoadOrderModuleList : struct _LIST_ENTRY, 2 elements, 0x8 bytes
 [ 0x77d17880 - 0x391c30 ]
   +0x014 InMemoryOrderModuleList : struct _LIST_ENTRY, 2 elements, 0x8 bytes
 [ 0x0 - 0x390000 ]
   +0x01c InInitializationOrderModuleList : struct _LIST_ENTRY, 2 elements, 0x8 bytes
 [ 0x77d17380 - 0x0 ]
   +0x024 EntryInProgress  : (null) 

0:000> r? $t1=&@$peb->Ldr->InLoadOrderModuleList;r $t1
$t1=77d1788c
首先贴下脚本:

.echo "遍历链表"
r? $t0=&@$peb->Ldr->InLoadOrderModuleList
r $t0
.for (r? $t1 = *(ntdll!_LDR_DATA_TABLE_ENTRY**)@$t0;
      (@$t1 != 0) & (@$t1 != @$t0);
      r? $t1 = (ntdll!_LDR_DATA_TABLE_ENTRY*)@$t1->InLoadOrderLinks.Flink)
{

	as /x ${/v:$Base} @@c++(@$t1->DllBase)


	 as /msu ${/v:$Mod} @@c++(&@$t1->BaseDllName)

	.block
    	{
        	.echo ${$Mod} at ${$Base}
    	}

 	ad ${/v:$Base}
	ad ${/v:$Mod}

}
运行结果如下:

遍历链表
$t0=77d1788c
VerifyTxSignDemo.exe at 0x1000000
ntdll.dll at 0x77c40000
kernel32.dll at 0x76230000
KERNELBASE.dll at 0x76050000
USER32.dll at 0x77d90000
GDI32.dll at 0x773d0000
LPK.dll at 0x75db0000
USP10.dll at 0x770d0000
msvcrt.dll at 0x77000000
MSIMG32.dll at 0x721b0000
COMDLG32.dll at 0x761b0000
SHLWAPI.dll at 0x77340000
COMCTL32.dll at 0x750c0000
ADVAPI32.dll at 0x76310000
sechost.dll at 0x770b0000
RPCRT4.dll at 0x760a0000
SHELL32.dll at 0x763b0000
WINSPOOL.DRV at 0x75310000
ole32.dll at 0x77790000
OLEAUT32.dll at 0x77420000
oledlg.dll at 0x6c500000
gdiplus.dll at 0x740b0000
OLEACC.dll at 0x72d80000
IMM32.dll at 0x77290000
MSCTF.dll at 0x77170000
WINMM.dll at 0x73e30000
uxtheme.dll at 0x74240000
dwmapi.dll at 0x73ea0000
CRYPTBASE.dll at 0x75d10000
Crypt32.dll at 0x75ed0000
MSASN1.dll at 0x75e10000
WINTRUST.DLL at 0x75ff0000
imagehlp.dll at 0x773a0000
CRYPTSP.dll at 0x756f0000
rsaenh.dll at 0x755c0000
ncrypt.dll at 0x75950000
bcrypt.dll at 0x75930000
bcryptprimitives.dll at 0x75520000

分析:

0:000> r? $t0=&@$peb->Ldr->InLoadOrderModuleList
0:000> r $t0
$t0=77d1788c
0:000> dt _PEB -y ldr @$peb
VerifyTxSignDemo!_PEB
   +0x00c Ldr : 0x77d17880 _PEB_LDR_DATA
0:000> dt 0x77d17880 _PEB_LDR_DATA
VerifyTxSignDemo!_PEB_LDR_DATA
   +0x000 Length           : 0x30
   +0x004 Initialized      : 0x1 ''
   +0x008 SsHandle         : (null) 
   +0x00c InLoadOrderModuleList : _LIST_ENTRY [ 0x3928a8 - 0x3cfd90 ]
   +0x014 InMemoryOrderModuleList : _LIST_ENTRY [ 0x3928b0 - 0x3cfd98 ]
   +0x01c InInitializationOrderModuleList : _LIST_ENTRY [ 0x392948 - 0x3cfda0 ]
   +0x024 EntryInProgress  : (null) 

可以看到,$t0此时指向了
InLoadOrderModuleList
指针,指向了_LDR_DATA_TABLE_ENTRY的一个链表,可以看下这个结构

0:000> dt -r2 _LDR_DATA_TABLE_ENTRY
ntdll!_LDR_DATA_TABLE_ENTRY
   +0x000 InLoadOrderLinks : _LIST_ENTRY
      +0x000 Flink            : Ptr32 _LIST_ENTRY
         +0x000 Flink            : Ptr32 _LIST_ENTRY
         +0x004 Blink            : Ptr32 _LIST_ENTRY
      +0x004 Blink            : Ptr32 _LIST_ENTRY
         +0x000 Flink            : Ptr32 _LIST_ENTRY
         +0x004 Blink            : Ptr32 _LIST_ENTRY

这个结构是个循环链表,其中它的InLoadOrderLinks.Flink又指向下一个_LDR_DATA_TABLE_ENTRY,

0:000> r? $t1 = *(ntdll!_LDR_DATA_TABLE_ENTRY**)@$t0;
0:000> r $t1
$t1=003928a8
0:000> dd $t0 L1
77d1788c  003928a8

所以$t0所指向的内容是一个_LDR_DATA_TABLE_ENTRY指针,所以$t0是一个指向LDR_DATA_TABLE_ENTRY指针的指针(双指针),所以用(ntdll!_LDR_DATA_TABLE_ENTRY**)来强制转换!

后面要注意的是,由于别名之前被定义过了,

  • ${/v: } 标记会逐字解释别名,避免如果脚本运行之前定义过同名的别名使得它被替换的情况,所以不要用ad ${$Mod},因为这样的话,别名在前面定义过了,就直接被替换了!

  • .block 标记用于增加一个额外的别名替换步骤。别名在整个脚本被加载时会进行一次替换,在进入每个语句块的时候还会进行一次替换。如果没有.block 标记和它的大括号,.echo命令无法接收到上一行中赋给$Mod$Base 别名的值



无聊,再给个while遍历的:

.echo "开始遍历模块的脚本"

r? @$t0=&@$peb->Ldr->InLoadOrderModuleList
r? $t1 = *(ntdll!_LDR_DATA_TABLE_ENTRY**)@$t0; 

.while(@$t1!=@$t0)
{
as /x ${/v:$Base} @@c++(@$t1->DllBase)
as /msu ${/v:$FullDllName} @@c++(&@$t1->FullDllName)
.block
{
.echo ${$FullDllName} at ${$Base}  
}  
  
ad ${/v:$Base}  
ad ${/v:$FullDllName}  	

 r? $t1 = (ntdll!_LDR_DATA_TABLE_ENTRY*)@$t1->InLoadOrderLinks.Flink
}

结果如下:

开始遍历模块的脚本
E:\工作临时区\VerifyTxSignDemo\Debug\VerifyTxSignDemo.exe at 0x1190000
C:\Windows\SYSTEM32\ntdll.dll at 0x77520000
C:\Windows\system32\kernel32.dll at 0x75b20000
C:\Windows\system32\KERNELBASE.dll at 0x75630000
C:\Windows\system32\USER32.dll at 0x75f50000
C:\Windows\system32\GDI32.dll at 0x75f00000
C:\Windows\system32\LPK.dll at 0x77740000
C:\Windows\system32\USP10.dll at 0x75e60000
C:\Windows\system32\msvcrt.dll at 0x75c00000
C:\Windows\system32\MSIMG32.dll at 0x736d0000
C:\Windows\system32\COMDLG32.dll at 0x760d0000
C:\Windows\system32\SHLWAPI.dll at 0x75960000
C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\COMCTL32.dll at 0x712e0000
C:\Windows\system32\ADVAPI32.dll at 0x76290000
C:\Windows\SYSTEM32\sechost.dll at 0x77690000
C:\Windows\system32\RPCRT4.dll at 0x772b0000
C:\Windows\system32\SHELL32.dll at 0x76540000
C:\Windows\system32\WINSPOOL.DRV at 0x6ed10000
C:\Windows\system32\ole32.dll at 0x76330000
C:\Windows\system32\OLEAUT32.dll at 0x759c0000
C:\Windows\system32\oledlg.dll at 0x6eb50000
C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll at 0x73ee0000
C:\Windows\system32\OLEACC.dll at 0x73600000
C:\Windows\system32\IMM32.dll at 0x77660000
C:\Windows\system32\MSCTF.dll at 0x75a50000
C:\Windows\system32\WINMM.dll at 0x756c0000
C:\Windows\system32\UxTheme.dll at 0x74070000
C:\Windows\system32\dwmapi.dll at 0x755e0000
C:\Windows\system32\CRYPTBASE.dll at 0x752e0000
C:\Windows\system32\Crypt32.dll at 0x75470000
C:\Windows\system32\MSASN1.dll at 0x753d0000
C:\Windows\system32\WINTRUST.DLL at 0x75690000
C:\Windows\system32\imagehlp.dll at 0x760a0000
C:\Windows\system32\CRYPTSP.dll at 0x74e10000
C:\Windows\system32\rsaenh.dll at 0x74bb0000
C:\Windows\system32\ncrypt.dll at 0x74f40000
C:\Windows\system32\bcrypt.dll at 0x74f20000
C:\Windows\system32\bcryptprimitives.dll at 0x74af0000
C:\Program Files\360\360safe\safemon\safemon.dll at 0x6b0b0000
C:\Windows\system32\PSAPI.DLL at 0x76530000
C:\Windows\system32\WININET.dll at 0x75840000
C:\Windows\system32\Normaliz.dll at 0x77680000
C:\Windows\system32\iertutil.dll at 0x77360000
C:\Windows\system32\urlmon.dll at 0x77190000
C:\Windows\system32\VERSION.dll at 0x74860000
C:\Windows\system32\WS2_32.dll at 0x764f0000
C:\Windows\system32\NSI.dll at 0x75e50000
C:\Windows\system32\NETAPI32.dll at 0x73b50000
C:\Windows\system32\netutils.dll at 0x73b40000
C:\Windows\system32\srvcli.dll at 0x750d0000
C:\Windows\system32\wkscli.dll at 0x73b30000
C:\Windows\system32\apphelp.dll at 0x75290000
C:\Windows\system32\SOGOUPY.IME at 0x10000000
C:\Program Files\SogouInput\Components\AddressSearch\1.0.0.1169\AddressSearch.dll at 0x70f30000
C:\Windows\system32\ntmarta.dll at 0x739d0000
C:\Windows\system32\WLDAP32.dll at 0x76240000
C:\Program Files\SogouInput\Components\PicFace\1.0.0.730\PicFace.dll at 0x70e80000

解释下为什么用&

因为我们需要的是对象的指针,而不是对象:

0:000> dt @$peb _PEB -y Ldr
VerifyTxSignDemo!_PEB
   +0x00c Ldr : 0x77647880 _PEB_LDR_DATA
我们可以看到0x77647880是_PEB_LDR_DATA的对象,但我们需要的是它的指针:

0:000> r? @$t0=&@$peb->Ldr; r @$t0;
$t0=7ffdb00c
0:000> r? @$t0=@$peb->Ldr; r @$t0;
$t0=77647880
0:000> dd 7ffdb00c L1
7ffdb00c  77647880


0:000> dd 7764788c L1
7764788c  003329a8
0:000> dd 003329a8 L1
003329a8  00332a38
0:000> dd 00332a38 L1
00332a38  00332d60
0:000> dd 00332d60 L1
00332d60  00332e78
0:000> dd 00332e78 L1
00332e78  003336e0
0:000> dd 003336e0 L1
003336e0  003337f0
0:000> dd 003337f0 L1
003337f0  00333970
0:000> dd 00333970 L1
00333970  00333b20
0:000> dd 00333b20 L1
00333b20  00333c08
0:000> dd 00333c08 L1
00333c08  00333ea0
0:000> dd 00333ea0 L1
00333ea0  00334008
0:000> dd 00334008 L1
00334008  003341e8
0:000> dd 003341e8 L1
003341e8  00334820
0:000> dd 00334820 L1
00334820  00334560
0:000> dd 00334560 L1
00334560  00334ae8
0:000> dd 00334ae8 L1
00334ae8  00334990
0:000> dd 00334ae8 L1
00334ae8  00334990
0:000> dd 00334990 L1
00334990  00334ce8
0:000> dd 00334ce8 L1
00334ce8  00334f08
0:000> dd 00334f08 L1
00334f08  00335258
0:000> dd 00335258 L1
00335258  00335438
0:000> dd 00335438 L1
00335438  00335608
0:000> dd 00335608 L1
00335608  00335c80
0:000> dd 00335c80 L1
00335c80  00335f48
0:000> dd 00335f48 L1
00335f48  00335e08
0:000> dd 00335e08 L1
00335e08  00336058
0:000> dd 00336058 L1
00336058  003362a8
0:000> dd 003362a8 L1
003362a8  7764788c
0:000> r? @$t0=&(@$peb->Ldr)->InLoadOrderModuleList; r @$t0;
$t0=7764788c
上面就是手动循环

也可以直接用简单的脚本来实现:

r @$t0=0x7764788c
r @$t1=dwo(@$t0)
.while(@$t1!=@$t0)
{
	dd @$t1 L1
	r @$t1=dwo(@$t1)
}











你可能感兴趣的:(2.windbg script-随手script示例)