Skipping the initial breakpoint in WinDbg

When we open an exe in WinDbg, the debugger breaks for the first time.

Entering kb shows the current stack:

0:000> kb
 # ChildEBP RetAddr  Args to Child              
00 00fff8bc 77d498e0 5e7dcb19 0105b000 00000000 ntdll!LdrpDoDebuggerBreak+0x2b
01 00fffb18 77d05257 5e7dcb71 00000000 00000000 ntdll!LdrpInitializeProcess+0x1b20
02 00fffb70 77d05151 00000000 00000000 00000000 ntdll!_LdrpInitialize+0xb0
03 00fffb7c 00000000 00fffb90 77ca0000 00000000 ntdll!LdrInitializeThunk+0x11

LdrpInitialize is the earliest code that the initial thread of a new process executes in user mode. One of the main tasks of LdrpInitializeProcess is loading the DLLs the EXE depends on; after loading each DLL, LdrpInitializeProcess checks whether the current process is being debugged and, if it is, calls DbgBreakPoint to notify the debugger. Note that at this point the DllMain of each DLL has not been called yet.
We call this first break the initial breakpoint. The initial breakpoint is not the earliest chance the debugger has to take control: the process-creation event and the EXE module-load event both come before it. We can make the debugger break at the process-creation event:

Do this via the Event Filters dialog, or by running the following command:

sxe cpr

Then .restart breaks at process creation first, and we force the PEB's BeingDebugged field to 0:
0:000> db @$peb
0118d000  00 00 01 04 ff ff ff ff-00 00 e4 00 00 00 00 00  ................
0118d010  00 00 e1 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
0118d020  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
0118d030  00 00 00 00 00 00 00 00-00 00 e2 00 00 00 00 00  ................
0118d040  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
0118d050  00 00 00 00 00 00 00 00-00 00 36 7f 00 00 36 7f  ..........6...6.
0118d060  28 00 39 7f 08 00 00 00-00 04 00 00 00 00 00 00  (.9.............
0118d070  00 80 9b 07 6d e8 ff ff-00 00 10 00 00 20 00 00  ....m........ ..
0:000> eb @$peb+2
0118d002 01 0
0118d003 04 08
0118d004 ff

0:000> db@$peb
0118d000  00 00 00 08 ff ff ff ff-00 00 e4 00 00 00 00 00  ................
0118d010  00 00 e1 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
0118d020  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
0118d030  00 00 00 00 00 00 00 00-00 00 e2 00 00 00 00 00  ................
0118d040  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
0118d050  00 00 00 00 00 00 00 00-00 00 36 7f 00 00 36 7f  ..........6...6.
0118d060  28 00 39 7f 08 00 00 00-00 04 00 00 00 00 00 00  (.9.............
0118d070  00 80 9b 07 6d e8 ff ff-00 00 10 00 00 20 00 00  ....m........ ..
0:000> g
ModLoad: 77ca0000 77e3c000   ntdll.dll
ModLoad: 74de0000 74e33000   C:\windows\SysWOW64\MSCOREE.DLL
ModLoad: 76450000 76530000   C:\windows\SysWOW64\KERNEL32.dll

This way, WinDbg no longer stops at the initial breakpoint!
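To make the edit above concrete, here is an added example (not part of the original post) that parses the two `db @$peb` dumps from the session and decodes the leading 32-bit PEB fields. The field offsets are assumed from the public x86/WOW64 `_PEB` layout; the dumps show BeingDebugged going from 01 to 00, and also that Ldr and ProcessHeap are still zero at the process-creation event, i.e. the loader has not run yet when the flag is cleared.

```python
import re
import struct

# Two `db @$peb` dumps copied from the session above: before the edit
# (BeingDebugged = 01) and after `eb @$peb+2` wrote 0 there.
DUMP_BEFORE = """\
0118d000  00 00 01 04 ff ff ff ff-00 00 e4 00 00 00 00 00  ................
0118d010  00 00 e1 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
"""
DUMP_AFTER = """\
0118d000  00 00 00 08 ff ff ff ff-00 00 e4 00 00 00 00 00  ................
0118d010  00 00 e1 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
"""

# Leading fields of the 32-bit _PEB (offsets as `dt ntdll!_PEB` shows them
# for an x86/WOW64 process; assumed here): (offset, size, name).
PEB32_FIELDS = [
    (0x00, 1, "InheritedAddressSpace"),
    (0x01, 1, "ReadImageFileExecOptions"),
    (0x02, 1, "BeingDebugged"),
    (0x03, 1, "BitField"),
    (0x04, 4, "Mutant"),
    (0x08, 4, "ImageBaseAddress"),
    (0x0C, 4, "Ldr"),
    (0x10, 4, "ProcessParameters"),
    (0x18, 4, "ProcessHeap"),
]

# address, then 16 hex bytes with a '-' after the 8th, then the ASCII column
LINE_RE = re.compile(r"^([0-9a-f]{8})\s+((?:[0-9a-f]{2}[ -]){15}[0-9a-f]{2})")

def parse_db(dump):
    """Turn `db` output into (base address, raw bytes); lines must be contiguous."""
    base, chunks = None, []
    for line in dump.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        addr = int(m.group(1), 16)
        base = addr if base is None else base
        if addr != base + sum(len(c) for c in chunks):
            raise ValueError("non-contiguous dump line at %08x" % addr)
        chunks.append(bytes.fromhex(m.group(2).replace("-", " ")))
    return base, b"".join(chunks)

def decode_peb32(raw):
    """Map the raw bytes to named fields; pointers are little-endian 32-bit."""
    return {name: raw[off] if size == 1 else struct.unpack_from("<I", raw, off)[0]
            for off, size, name in PEB32_FIELDS}
```

Call `decode_peb32(parse_db(DUMP_BEFORE)[1])` and the same for `DUMP_AFTER` to compare the two states; ImageBaseAddress decodes to 0x00e40000 in both, as the loader only reads it later.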

Posted on 2020-01-07 17:05 by 活着的虫子