
windbg 常用命令介绍(一)


加载符号

.symfix 设置符号路径：把符号路径设置为微软公共符号服务器，并指定本地缓存目录（示例为 c:\symbols）。注意：下面输出中的符号服务器地址是 http，符号文件（PDB）会以明文下载；较新版本的 WinDbg 支持 https://msdl.microsoft.com/download/symbols，建议优先使用，以免符号在传输过程中被篡改。

0:000> .symfix c:\symbols

.sympath 查看或设置符号路径：不带参数时显示当前的符号路径，带参数时则把符号路径设置为指定值。

0:000> .sympath
Symbol search path is: srv*
Expanded Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols

.reload 重新加载符号

0:000> .reload
Reloading current modules
....

ld 加载指定模块的符号（参数是模块名，而不是单个符号名）

0:000> ld KERNEL32
Symbols loaded for KERNEL32

设置环境变量

_NT_SYMBOL_PATH=srv*c:\symbols*http://msdl.microsoft.com/download/symbols

lm 指令查看模块

lm 指令,用来查看模块列表,也可以查看单个模块的详细信息

0:000> lm
start    end        module name
00400000 0041a000   Adplus     (deferred)             
79000000 7904a000   mscoree    (deferred)             
7c800000 7c91e000   KERNEL32   (pdb symbols)          c:\symbols\kernel32.pdb\34560E80F5C54175B208848EF863C5BD2\kernel32.pdb
7c920000 7c9b3000   ntdll      (pdb symbols)          c:\symbols\ntdll.pdb\1751003260CA42598C0FB326585000ED2\ntdll.pdb
0:000> lm m kernel*
start    end        module name
7c800000 7c91e000   KERNEL32   (pdb symbols)          c:\symbols\kernel32.pdb\34560E80F5C54175B208848EF863C5BD2\kernel32.pdb
0:000> lm vm KERNEL32
start    end        module name
7c800000 7c91e000   KERNEL32   (pdb symbols)          c:\symbols\kernel32.pdb\34560E80F5C54175B208848EF863C5BD2\kernel32.pdb
    Loaded symbol image file: C:\WINDOWS\system32\KERNEL32.dll
    Image path: C:\WINDOWS\system32\KERNEL32.dll
    Image name: KERNEL32.dll
    Timestamp:        Mon Apr 14 10:13:26 2008 (4802BDC6)
    CheckSum:         00122A2B
    ImageSize:        0011E000
    File version:     5.1.2600.5512
    Product version:  5.1.2600.5512
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Windows® Operating System
    InternalName:     kernel32
    OriginalFilename: kernel32
    ProductVersion:   5.1.2600.5512
    FileVersion:      5.1.2600.5512 (xpsp.080413-2111)
    FileDescription:  Windows NT BASE API Client DLL
    LegalCopyright:   © Microsoft Corporation. All rights reserved.

显示汇编和修改汇编指令

u 从指定的符号或地址处开始反汇编；不指定长度时默认显示 8 条指令，可用 lN 指定要显示的指令条数（见后面的 `u ... l2` 示例）。

0:000> u ntdll!__NtCurrentTeb
ntdll!__NtCurrentTeb:
7c92121e 64a118000000    mov     eax,dword ptr fs:[00000018h]
7c921224 c3              ret
0:000> u 7c921225 
ntdll!RtlInitString:
7c921225 57              push    edi
7c921226 8b7c240c        mov     edi,dword ptr [esp+0Ch]
7c92122a 8b542408        mov     edx,dword ptr [esp+8]
7c92122e c70200000000    mov     dword ptr [edx],0
7c921234 897a04          mov     dword ptr [edx+4],edi
7c921237 0bff            or      edi,edi
7c921239 741e            je      ntdll!RtlInitString+0x34 (7c921259)
7c92123b 83c9ff          or      ecx,0FFFFFFFFh

ub 从该地址处向前（向低地址方向）反汇编，即显示该地址之前的指令。

0:000> ub 7c92123b 
ntdll!__NtCurrentTeb+0x6:
7c921224 c3              ret
ntdll!RtlInitString:
7c921225 57              push    edi
7c921226 8b7c240c        mov     edi,dword ptr [esp+0Ch]
7c92122a 8b542408        mov     edx,dword ptr [esp+8]
7c92122e c70200000000    mov     dword ptr [edx],0
7c921234 897a04          mov     dword ptr [edx+4],edi
7c921237 0bff            or      edi,edi
7c921239 741e            je      ntdll!RtlInitString+0x34 (7c921259)

uf 显示完整函数汇编代码

0:000> uf ntdll!RtlInitString
ntdll!RtlInitString:
7c921225 57              push    edi
7c921226 8b7c240c        mov     edi,dword ptr [esp+0Ch]
7c92122a 8b542408        mov     edx,dword ptr [esp+8]
7c92122e c70200000000    mov     dword ptr [edx],0
7c921234 897a04          mov     dword ptr [edx+4],edi
7c921237 0bff            or      edi,edi
7c921239 741e            je      ntdll!RtlInitString+0x34 (7c921259)

ntdll!RtlInitString+0x16:
7c92123b 83c9ff          or      ecx,0FFFFFFFFh
7c92123e 33c0            xor     eax,eax
7c921240 f2ae            repne scas byte ptr es:[edi]
7c921242 f7d1            not     ecx
7c921244 81f9ffff0000    cmp     ecx,0FFFFh
7c92124a 7605            jbe     ntdll!RtlInitString+0x2c (7c921251)

ntdll!RtlInitString+0x27:
7c92124c b9ffff0000      mov     ecx,0FFFFh

ntdll!RtlInitString+0x2c:
7c921251 66894a02        mov     word ptr [edx+2],cx
7c921255 49              dec     ecx
7c921256 66890a          mov     word ptr [edx],cx

ntdll!RtlInitString+0x34:
7c921259 5f              pop     edi
7c92125a c20800          ret     8

a 修改汇编指令

下面的例子把 7c92121a 地址处的 int 3 指令修改成 nop 指令。注意：a 指令只修改被调试进程内存中的代码副本（这里是 ntdll 在进程中的映射页），不会改动磁盘上的 DLL 文件，进程重新启动后修改即失效。

0:000> u ntdll!RtlpBreakWithStatusInstruction l2
ntdll!RtlpBreakWithStatusInstruction:
7c92121a cc              int     3
7c92121b c20400          ret     4
0:000> a 7c92121a 
7c92121a nop
nop
7c92121b 

0:000> u ntdll!RtlpBreakWithStatusInstruction l2
ntdll!RtlpBreakWithStatusInstruction:
7c92121a 90              nop
7c92121b c20400          ret     4

d 读取数据指令

这个指令比较丰富,如

da 读取ASCII字符串
db 读取BYTE数组
dd 读取DWORD数组
dD 读取双浮点数组
df 读取单浮点数组
dp 读取指针数组
du 读取unicode字符串
dw 读取word数组
另外,还有
dda读取ASCII字符串数组
dds/dps 以符号形式显示 DWORD/指针数组（每个值都会尝试解析成符号），常用于查看函数指针表。下面的例子是在本地内核调试（提示符为 lkd>）下查看系统服务表 nt!KiServiceTable：正常情况下每一项都应解析到 nt! 模块内的符号，若某一项解析到其他模块或无法解析为符号，通常说明对应的系统调用被挂钩了。

lkd> dds nt!KiServiceTable l5
80505450  805a5614 nt!NtAcceptConnectPort
80505454  805f1adc nt!NtAccessCheck
80505458  805f5312 nt!NtAccessCheckAndAuditAlarm
8050545c  805f1b0e nt!NtAccessCheckByType
80505460  805f534c nt!NtAccessCheckByTypeAndAuditAlarm

lkd> dd 80505450 l7
80505450  805a5614 805f1adc 805f5312 805f1b0e
80505460  805f534c 805f1b44 805f5390

lkd> db 80505450
80505450  14 56 5a 80 dc 1a 5f 80-12 53 5f 80 0e 1b 5f 80  .VZ..._..S_..._.
80505460  4c 53 5f 80 44 1b 5f 80-90 53 5f 80 d4 53 5f 80  LS_.D._..S_..S_.
80505470  a2 63 61 80 e4 70 61 80-da ce 5e 80 32 cb 5e 80  .ca..pa...^.2.^.
80505480  3a 5b 5d 80 ea 5a 5d 80-c8 69 61 80 72 6f 5b 80  :[]..Z]..ia.ro[.
80505490  e4 5f 61 80 9e 9a 5a 80-96 15 5b 80 b0 54 c2 b1  ._a...Z...[..T..
805054a0  8c 28 50 80 d6 70 61 80-e6 7a 57 80 d2 9b 53 80  .(P..pa..zW...S.
805054b0  b2 f5 60 80 ec d4 5b 80-4c 58 5f 80 56 43 62 80  ..`...[.LX_.VCb.
805054c0  3e 9d 5f 80 02 5d 5a 80-aa 45 62 80 b4 55 5a 80  >._..]Z..Eb..UZ.

e 写入数据指令

e 指令与 d 指令一样种类很多。两点注意：WinDbg 的默认基数是 16，下面例子里 .for 循环中的 50 以及 db 的 l50 都是 0x50，即 80 字节；ea/eu 写入字符串时不会自动追加结束符，所以例子先用 eb 把这段内存清零，输出中字符串后面的 00 来自清零而不是 ea/eu。

ea 写入ASCII字符串
eb 写入BYTE数组
ed 写入DWORD数组
eD 写入双浮点数组
ef 写入单浮点数组
ep 写入指针数组
eu 写入unicode字符串
ew 写入word数组

0:000> .for(r $t1=0;@$t1!=50;r$t1=@$t1+1){eb 01009000+@$t1 0;}
0:000> ea 01009000 "hello world"
0:000> db 01009000 l50
01009000  68 65 6c 6c 6f 20 77 6f-72 6c 64 00 00 00 00 00  hello world.....
01009010  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
01009020  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
01009030  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
01009040  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................

0:000> .for(r $t1=0;@$t1!=50;r$t1=@$t1+1){eb 01009000+@$t1 0;}

0:000> eu 01009000 "unicode string"
0:000> db 01009000 l50
01009000  75 00 6e 00 69 00 63 00-6f 00 64 00 65 00 20 00  u.n.i.c.o.d.e. .
01009010  73 00 74 00 72 00 69 00-6e 00 67 00 00 00 00 00  s.t.r.i.n.g.....
01009020  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
01009030  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
01009040  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................

0:000> .for(r $t1=0;@$t1!=50;r$t1=@$t1+1){eb 01009000+@$t1 0;}
0:000> ed 01009000 0x1 0x2 0x3 0x4 0x5
0:000> db 01009000 l50
01009000  01 00 00 00 02 00 00 00-03 00 00 00 04 00 00 00  ................
01009010  05 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
01009020  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
01009030  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
01009040  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................


s 内存搜索指令

0:000> .for(r $t1=0;@$t1!=50;r$t1=@$t1+1){eb 01009000+@$t1 0;}

0:000> eu 01009000 "unicode string"

0:000> s -u 01009000 l50 "str"//搜索 Unicode 字符串 
01009010  0073 0074 0072 0069 006e 0067 0000 0000  s.t.r.i.n.g..... 
0:000> s 01009000 01009040  'g'//搜索单个字符 
0100901a  67 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  g............... 
0:000> s -w 01009000 l50 0x64 //搜索一个word数值 
0100900a  0064 0065 0020 0073 0074 0072 0069 006e  d.e. .s.t.r.i.n. 

转载请注明出处。ddlx studio。点点灵犀。

http://blog.csdn.net/sunyikuyu
