Loading symbols

.symfix points the symbol path at the Microsoft public symbol server; the optional argument is the local directory used to cache the downloaded PDBs.
0:000> .symfix c:\symbols

.sympath with no argument shows the symbol path currently in effect (with an argument it sets the path instead). Note how srv* is expanded to the cache directory plus the server URL:
0:000> .sympath
Symbol search path is: srv*
Expanded Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols

.reload reloads symbols for the loaded modules; run it after changing the path:
0:000> .reload
Reloading current modules ....

ld loads symbols for a single module:
0:000> ld KERNEL32
Symbols loaded for KERNEL32

Setting the environment variable
The same path can be set once for every session through _NT_SYMBOL_PATH, which the debugger reads at startup:
_NT_SYMBOL_PATH=srv*c:\symbols*http://msdl.microsoft.com/download/symbols
The output above uses the plain-http form of the server URL that was common when this was written. Current debuggers accept https://msdl.microsoft.com/download/symbols; symbol files fetched over plain HTTP have no integrity protection in transit, so prefer the https form.
Viewing modules with lm

lm lists the loaded modules; lm m <pattern> narrows the list to matching names, and lm v prints the details of a module. "(deferred)" means the debugger has not loaded that module's symbols yet (it loads them lazily, on first use); "(pdb symbols)" means a matching PDB was found, and its path is shown.
0:000> lm
start    end        module name
00400000 0041a000   Adplus     (deferred)
79000000 7904a000   mscoree    (deferred)
7c800000 7c91e000   KERNEL32   (pdb symbols)   c:\symbols\kernel32.pdb\34560E80F5C54175B208848EF863C5BD2\kernel32.pdb
7c920000 7c9b3000   ntdll      (pdb symbols)   c:\symbols\ntdll.pdb\1751003260CA42598C0FB326585000ED2\ntdll.pdb

0:000> lm m kernel*
start    end        module name
7c800000 7c91e000   KERNEL32   (pdb symbols)   c:\symbols\kernel32.pdb\34560E80F5C54175B208848EF863C5BD2\kernel32.pdb

0:000> lm vm KERNEL32
start    end        module name
7c800000 7c91e000   KERNEL32   (pdb symbols)   c:\symbols\kernel32.pdb\34560E80F5C54175B208848EF863C5BD2\kernel32.pdb
    Loaded symbol image file: C:\WINDOWS\system32\KERNEL32.dll
    Image path: C:\WINDOWS\system32\KERNEL32.dll
    Image name: KERNEL32.dll
    Timestamp:        Mon Apr 14 10:13:26 2008 (4802BDC6)
    CheckSum:         00122A2B
    ImageSize:        0011E000
    File version:     5.1.2600.5512
    Product version:  5.1.2600.5512
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Windows® Operating System
    InternalName:     kernel32
    OriginalFilename: kernel32
    ProductVersion:   5.1.2600.5512
    FileVersion:      5.1.2600.5512 (xpsp.080413-2111)
    FileDescription:  Windows NT BASE API Client DLL
    LegalCopyright:   © Microsoft Corporation. All rights reserved.
The image path, timestamp, checksum and size are the fields to compare against a known-good copy when you suspect a module in the process has been replaced or tampered with; they also identify exactly which build the PDB has to match.
Displaying and modifying assembly instructions

u disassembles at a symbol or an address (eight instructions by default when no length is given):
0:000> u ntdll!__NtCurrentTeb
ntdll!__NtCurrentTeb:
7c92121e 64a118000000    mov     eax,dword ptr fs:[00000018h]
7c921224 c3              ret
0:000> u 7c921225
ntdll!RtlInitString:
7c921225 57              push    edi
7c921226 8b7c240c        mov     edi,dword ptr [esp+0Ch]
7c92122a 8b542408        mov     edx,dword ptr [esp+8]
7c92122e c70200000000    mov     dword ptr [edx],0
7c921234 897a04          mov     dword ptr [edx+4],edi
7c921237 0bff            or      edi,edi
7c921239 741e            je      ntdll!RtlInitString+0x34 (7c921259)
7c92123b 83c9ff          or      ecx,0FFFFFFFFh

ub disassembles backward, showing the instructions that end just before the given address:
0:000> ub 7c92123b
ntdll!__NtCurrentTeb+0x6:
7c921224 c3              ret
ntdll!RtlInitString:
7c921225 57              push    edi
7c921226 8b7c240c        mov     edi,dword ptr [esp+0Ch]
7c92122a 8b542408        mov     edx,dword ptr [esp+8]
7c92122e c70200000000    mov     dword ptr [edx],0
7c921234 897a04          mov     dword ptr [edx+4],edi
7c921237 0bff            or      edi,edi
7c921239 741e            je      ntdll!RtlInitString+0x34 (7c921259)

uf disassembles a complete function, split into its basic blocks:
0:000> uf ntdll!RtlInitString
ntdll!RtlInitString:
7c921225 57              push    edi
7c921226 8b7c240c        mov     edi,dword ptr [esp+0Ch]
7c92122a 8b542408        mov     edx,dword ptr [esp+8]
7c92122e c70200000000    mov     dword ptr [edx],0
7c921234 897a04          mov     dword ptr [edx+4],edi
7c921237 0bff            or      edi,edi
7c921239 741e            je      ntdll!RtlInitString+0x34 (7c921259)
ntdll!RtlInitString+0x16:
7c92123b 83c9ff          or      ecx,0FFFFFFFFh
7c92123e 33c0            xor     eax,eax
7c921240 f2ae            repne scas byte ptr es:[edi]
7c921242 f7d1            not     ecx
7c921244 81f9ffff0000    cmp     ecx,0FFFFh
7c92124a 7605            jbe     ntdll!RtlInitString+0x2c (7c921251)
ntdll!RtlInitString+0x27:
7c92124c b9ffff0000      mov     ecx,0FFFFh
ntdll!RtlInitString+0x2c:
7c921251 66894a02        mov     word ptr [edx+2],cx
7c921255 49              dec     ecx
7c921256 66890a          mov     word ptr [edx],cx
ntdll!RtlInitString+0x34:
7c921259 5f              pop     edi
7c92125a c20800          ret     8
Reading the listing: the function zeroes the Length/MaximumLength pair at [edx], stores the buffer pointer at [edx+4], returns early for a NULL buffer, scans for the terminating NUL with repne scas (after the not, ecx holds the length including the NUL), clamps that count to 0FFFFh because both fields are 16-bit, then stores MaximumLength = count and Length = count - 1.
a assembles new instructions into memory

The example below replaces the int 3 at 7c92121a with a nop. After a <address> the debugger prompts with the address; type one instruction per line and finish with an empty line.
0:000> u ntdll!RtlpBreakWithStatusInstruction l2
ntdll!RtlpBreakWithStatusInstruction:
7c92121a cc              int     3
7c92121b c20400          ret     4
0:000> a 7c92121a
7c92121a nop
7c92121b
0:000> u ntdll!RtlpBreakWithStatusInstruction l2
ntdll!RtlpBreakWithStatusInstruction:
7c92121a 90              nop
7c92121b c20400          ret     4
Two things to keep in mind: a writes into the debuggee's memory only (its private copy of the mapped image), so the change is gone when the process exits and nothing on disk is altered; and the new encoding must not be longer than what it replaces, or it silently overwrites the start of the next instruction. Here int 3 (cc) and nop (90) are both one byte, so the ret 4 that follows is intact.
d: reading memory

This family of commands is large:
da  display ASCII string
db  display bytes (with the ASCII rendering on the right)
dd  display DWORDs
dD  display double-precision floats
df  display single-precision floats
dp  display pointer-sized values
du  display Unicode (UTF-16) string
dw  display WORDs
In addition:
dda      display pointers together with the ASCII strings they point to
dds/dps  display DWORDs/pointers together with the symbol each value resolves to; this is the way to dump a table of function pointers
The lkd> prompt below is a local kernel debugging session. nt!KiServiceTable is the system service dispatch table, and every entry should resolve to an nt! symbol as it does here; an entry that resolves into another module, or to no symbol at all, is the classic sign of an SSDT hook.
lkd> dds nt!KiServiceTable l5
80505450  805a5614 nt!NtAcceptConnectPort
80505454  805f1adc nt!NtAccessCheck
80505458  805f5312 nt!NtAccessCheckAndAuditAlarm
8050545c  805f1b0e nt!NtAccessCheckByType
80505460  805f534c nt!NtAccessCheckByTypeAndAuditAlarm
The same memory as plain DWORDs and as bytes, which also shows the little-endian layout (the first entry 805a5614 is stored as 14 56 5a 80):
lkd> dd 80505450 l7
80505450  805a5614 805f1adc 805f5312 805f1b0e
80505460  805f534c 805f1b44 805f5390
lkd> db 80505450
80505450  14 56 5a 80 dc 1a 5f 80-12 53 5f 80 0e 1b 5f 80  .VZ..._..S_..._.
80505460  4c 53 5f 80 44 1b 5f 80-90 53 5f 80 d4 53 5f 80  LS_.D._..S_..S_.
80505470  a2 63 61 80 e4 70 61 80-da ce 5e 80 32 cb 5e 80  .ca..pa...^.2.^.
80505480  3a 5b 5d 80 ea 5a 5d 80-c8 69 61 80 72 6f 5b 80  :[]..Z]..ia.ro[.
80505490  e4 5f 61 80 9e 9a 5a 80-96 15 5b 80 b0 54 c2 b1  ._a...Z...[..T..
805054a0  8c 28 50 80 d6 70 61 80-e6 7a 57 80 d2 9b 53 80  .(P..pa..zW...S.
805054b0  b2 f5 60 80 ec d4 5b 80-4c 58 5f 80 56 43 62 80  ..`...[.LX_.VCb.
805054c0  3e 9d 5f 80 02 5d 5a 80-aa 45 62 80 b4 55 5a 80  >._..]Z..Eb..UZ.
e: writing memory

The e commands mirror the d commands:
ea  write ASCII string
eb  write bytes
ed  write DWORDs
eD  write double-precision floats
ef  write single-precision floats
ep  write pointer-sized values
eu  write Unicode (UTF-16) string
ew  write WORDs
Note that ea and eu write the characters only, with no terminating NUL (eza and ezu are the null-terminating variants); that is why each example first zeroes the region with a .for loop (the built-in fill command, f 01009000 l50 0, does the same in one step). WinDbg's default radix is hexadecimal, so l50 and the loop bound 50 both mean 0x50 = 80 bytes, which is why db shows five rows of sixteen.
0:000> .for(r $t1=0;@$t1!=50;r$t1=@$t1+1){eb 01009000+@$t1 0;}
0:000> ea 01009000 "hello world"
0:000> db 01009000 l50
01009000  68 65 6c 6c 6f 20 77 6f-72 6c 64 00 00 00 00 00  hello world.....
01009010  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
01009020  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
01009030  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
01009040  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
0:000> .for(r $t1=0;@$t1!=50;r$t1=@$t1+1){eb 01009000+@$t1 0;}
0:000> eu 01009000 "unicode string"
0:000> db 01009000 l50
01009000  75 00 6e 00 69 00 63 00-6f 00 64 00 65 00 20 00  u.n.i.c.o.d.e. .
01009010  73 00 74 00 72 00 69 00-6e 00 67 00 00 00 00 00  s.t.r.i.n.g.....
01009020  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
01009030  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
01009040  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
0:000> .for(r $t1=0;@$t1!=50;r$t1=@$t1+1){eb 01009000+@$t1 0;}
0:000> ed 01009000 0x1 0x2 0x3 0x4 0x5
0:000> db 01009000 l50
01009000  01 00 00 00 02 00 00 00-03 00 00 00 04 00 00 00  ................
01009010  05 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
01009020  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
01009030  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
01009040  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
s: searching memory

s takes a type flag, a range (a start address plus an L length, or a start and an end address) and the value to find: -a ASCII string, -u Unicode string, -b bytes (the default), -w WORD, -d DWORD, -q QWORD; s -sa and s -su list every printable ASCII or Unicode string in the range. Each hit is printed as its address followed by the memory at that point.
0:000> .for(r $t1=0;@$t1!=50;r$t1=@$t1+1){eb 01009000+@$t1 0;}
0:000> eu 01009000 "unicode string"
Search for a Unicode string:
0:000> s -u 01009000 l50 "str"
01009010  0073 0074 0072 0069 006e 0067 0000 0000  s.t.r.i.n.g.....
Search for a single byte, here the character 'g':
0:000> s 01009000 01009040 'g'
0100901a  67 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  g...............
Search for a WORD value:
0:000> s -w 01009000 l50 0x64
0100900a  0064 0065 0020 0073 0074 0072 0069 006e  d.e. .s.t.r.i.n.
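The d, e and s sections above all act on the same little-endian byte buffer, and the relationship between them is easier to see when it is replayed offline. The Python below is an added example (not part of the original post, and not WinDbg code): it parses pasted db rows into a buffer, presents the buffer the way dd/dw/da/du would, applies ea/eu/ed writes without a terminator exactly as the real commands do, and runs the three searches from the s section. The two KiServiceTable rows are copied from the dump above; the scratch region at 01009000, the function names, and the assumption that s matches at any byte offset are this example's own.

```python
import re
import struct

# One `db` row: 8-hex-digit address, then 16 bytes separated by ' ' or '-'.
DB_ROW = re.compile(r"^([0-9a-fA-F]{8})\s+((?:[0-9a-fA-F]{2}[ -]){15}[0-9a-fA-F]{2})")

def parse_db(dump):
    """Turn pasted `db` output into (base_address, bytearray)."""
    base, buf = None, bytearray()
    for line in dump.strip().splitlines():
        m = DB_ROW.match(line.strip())
        if not m:
            continue  # assumption: only full 16-byte rows are pasted
        if base is None:
            base = int(m.group(1), 16)
        buf += bytes.fromhex(m.group(2).replace("-", " "))
    return base, buf

def view_dd(buf, offset=0, count=None):
    """`dd`: little-endian 32-bit DWORDs."""
    n = count if count is not None else (len(buf) - offset) // 4
    return [struct.unpack_from("<I", buf, offset + 4 * i)[0] for i in range(n)]

def view_dw(buf, offset=0, count=None):
    """`dw`: little-endian 16-bit WORDs."""
    n = count if count is not None else (len(buf) - offset) // 2
    return [struct.unpack_from("<H", buf, offset + 2 * i)[0] for i in range(n)]

def view_da(buf, offset=0):
    """`da`: ASCII up to the first NUL byte (or the end of the buffer)."""
    end = buf.find(b"\x00", offset)
    if end < 0:
        end = len(buf)
    return bytes(buf[offset:end]).decode("latin-1")

def view_du(buf, offset=0):
    """`du`: UTF-16LE up to the first 0x0000 unit."""
    chars = []
    for unit in view_dw(buf, offset):
        if unit == 0:
            break
        chars.append(chr(unit))
    return "".join(chars)

def write_ea(buf, offset, text):
    """`ea`: raw ASCII bytes, NO terminating NUL (that is what `eza` adds)."""
    data = text.encode("ascii")
    buf[offset:offset + len(data)] = data

def write_eu(buf, offset, text):
    """`eu`: raw UTF-16LE, NO terminating NUL (`ezu` adds one)."""
    data = text.encode("utf-16-le")
    buf[offset:offset + len(data)] = data

def write_ed(buf, offset, values):
    """`ed`: a list of DWORDs, little-endian."""
    data = b"".join(struct.pack("<I", v) for v in values)
    buf[offset:offset + len(data)] = data

def search(buf, base, pattern):
    """`s`: every address at which `pattern` occurs.
    Assumption: matches are byte-granular; no alignment is modelled."""
    hits, pos = [], buf.find(pattern)
    while pos >= 0:
        hits.append(base + pos)
        pos = buf.find(pattern, pos + 1)
    return hits

def search_u(buf, base, text):   # s -u "text"
    return search(buf, base, text.encode("utf-16-le"))

def search_a(buf, base, text):   # s -a "text", or s 'g' for a single byte
    return search(buf, base, text.encode("ascii"))

def search_w(buf, base, value):  # s -w value
    return search(buf, base, struct.pack("<H", value))

# Constructed sample: the first two rows of the `db 80505450` dump above.
KISERVICETABLE_DB = """
80505450 14 56 5a 80 dc 1a 5f 80-12 53 5f 80 0e 1b 5f 80 .VZ..._..S_..._.
80505460 4c 53 5f 80 44 1b 5f 80-90 53 5f 80 d4 53 5f 80 LS_.D._..S_..S_.
"""

def replay_s_session():
    """Replay the eu/s session on a scratch region at 01009000 (assumed address)."""
    base, buf = 0x01009000, bytearray(0x50)   # the .for loop's 0x50 zeroed bytes
    write_eu(buf, 0, "unicode string")
    return {
        "du": view_du(buf),
        "s -u str": search_u(buf, base, "str"),
        "s 'g'": search_a(buf, base, "g"),
        "s -w 0x64": search_w(buf, base, 0x64),
    }

if __name__ == "__main__":
    _, table = parse_db(KISERVICETABLE_DB)
    print(" ".join(f"{v:08x}" for v in view_dd(table, 0, 7)))  # same as dd 80505450 l7
    print(replay_s_session())
```

Running it reproduces the dd 80505450 l7 values from the db bytes and the three hit addresses (01009010, 0100901a, 0100900a) from the s session. Filling the scratch buffer with a non-zero byte before write_ea shows why the page zeroes the region first: view_da keeps reading past the written text until it meets a NUL, exactly as da does after a non-terminated ea.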
http://blog.csdn.net/sunyikuyu