windbg跳过初始断点
当我们用Windbg打开一个exe时,调试器第一次中断:
输入kb查看当前栈如下:
0:000> kb # ChildEBP RetAddr Args to Child 00 00fff8bc 77d498e0 5e7dcb19 0105b000 00000000 ntdll!LdrpDoDebuggerBreak+0x2b 01 00fffb18 77d05257 5e7dcb71 00000000 00000000 ntdll!LdrpInitializeProcess+0x1b20 02 00fffb70 77d05151 00000000 00000000 00000000 ntdll!_LdrpInitialize+0xb0 03 00fffb7c 00000000 00fffb90 77ca0000 00000000 ntdll!LdrInitializeThunk+0x11
LdrpInitialize函数是一个新进程的初始线程开始在用户态执行最早代码,LdrpInitializeProcess函数的一个主要任务是加载EXE文件所依赖的动态链接库,在加载每个DLL后,LdrpInitializeProcess都会检查当前进程是否被调试,如果是,则调用用DbgBreakPoint 通知调试器,注意此时并没有调用每个DLL的Dllmain函数。
我们称这个第一次中断叫初始断点,初始断点不是调试器可以得到的最早控制机会,如进程创建事件和EXE模块加载事件都会比它早。我们可以在进程创建事件时中断下来:
通过
或执行如下指令
sxe cpr
然后.restart就可以先断到进程创建的时候,然后强制把PEB的BeingDebugged字段改为0:
0:000> db @$peb
0118d000 00 00 01 04 ff ff ff ff-00 00 e4 00 00 00 00 00 ................
0118d010 00 00 e1 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0118d020 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0118d030 00 00 00 00 00 00 00 00-00 00 e2 00 00 00 00 00 ................
0118d040 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0118d050 00 00 00 00 00 00 00 00-00 00 36 7f 00 00 36 7f ..........6...6.
0118d060 28 00 39 7f 08 00 00 00-00 04 00 00 00 00 00 00 (.9.............
0118d070 00 80 9b 07 6d e8 ff ff-00 00 10 00 00 20 00 00 ....m........ ..
0:000> eb @$peb+2
0118d002 01 0
0
0118d003 04 08
08
0118d004 ff
0:000> db@$peb
0118d000 00 00 00 08 ff ff ff ff-00 00 e4 00 00 00 00 00 ................
0118d010 00 00 e1 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0118d020 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0118d030 00 00 00 00 00 00 00 00-00 00 e2 00 00 00 00 00 ................
0118d040 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0118d050 00 00 00 00 00 00 00 00-00 00 36 7f 00 00 36 7f ..........6...6.
0118d060 28 00 39 7f 08 00 00 00-00 04 00 00 00 00 00 00 (.9.............
0118d070 00 80 9b 07 6d e8 ff ff-00 00 10 00 00 20 00 00 ....m........ ..
0:000> g
ModLoad: 77ca0000 77e3c000 ntdll.dll
ModLoad: 74de0000 74e33000 C:\windows\SysWOW64\MSCOREE.DLL
ModLoad: 76450000 76530000 C:\windows\SysWOW64\KERNEL32.dll
这样,windbg就不会中断到初始断点了!