
Debugging LDR

September 9, 2012 ⁄ General ⁄ 1857 characters

bp ntdll!LdrLoadDll

Once the breakpoint hits, enter the following to turn on the loader's verbose debug output (loader snaps):

ed Kd_LDR_MASK ffffffff
ed Kd_MM_MASK ffffffff
ed Kd_DEFAULT_MASK ffffffff

ed ntdll!ShowSnaps 1
ed ntdll!ShowErrors 1


Below is an excerpt of the resulting log:

[5e0,5e4] LDR: Recursive DLL load
[5e0,5e4]   Previous DLL being loaded: "kernel32.dll"
[5e0,5e4]   DLL being requested: "inject.dll"
[5e0,5e4]   No DLL initializer was running
LDR: LdrLoadDll, loading inject.dll from
LDR: LdrpSearchPath - Looking for inject.dll in C:\WINDOWS\system32;C:\WINDOWS\system32;C:\WINDOWS\system;C:\WINDOWS;.;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
LDR: LdrpSearchPath - Looking for C:\WINDOWS\system32\inject.dll
LDR: LdrpResolveFullName - Expanding full name of C:\WINDOWS\system32\inject.dll
LDR: LdrpResolveFullName - Expanded to C:\WINDOWS\system32\inject.dll
LDR: LdrpSearchPath - Returning CLDR: Loading (DYNAMIC, NON_REDIRECTED) C:\WINDOWS\system32\inject.dll
LDR: Fixups successfully re-applied @ 001A0000
LDR: KERNEL32.dll used by inject.dll
LDR: Fixups unsuccessfully re-applied @ 001B0000
LDR: LdrpLoadImportModule - LdrpMapDll(00000000, KERNEL32.dll, NULL, TRUE, 0, 0006EC2C) failed with status c0000018
LDR: LdrpWalkImportTable - LdrpLoadImportModule failed on import KERNEL32.dll with status c0000018
LDR: Unloading inject.dll due to error c0000018 walking import descriptors
LDR: UNINIT LIST
          (1) [inject.dll] C:\WINDOWS\system32\inject.dll (0) deinit 0
LDR: Unmapping [inject.dll]
LDR: LdrLoadDll - failing because LdrpLoadDll(inject.dll) returned status c0000018
LDR: kernel32.dll bound to ntdll.dll
LDR: kernel32.dll has correct binding to ntdll.dll
LDR: LdrGetProcedureAddress by NAME - BaseProcessInitPostImport
[5e0,5e4] LDR: Real INIT LIST for process C:\WINDOWS\system32\calc.exe pid 1504 0x5e0
[5e0,5e4]    C:\WINDOWS\system32\kernel32.dll init routine 77E646B6
[5e0,5e4] LDR: kernel32.dll loaded - Calling init routine at 77E646B6
LDR: LdrGetProcedureAddress by NAME - BaseQueryModuleData
LDR: calc.exe bound to KERNEL32.dll
LDR: calc.exe has stale binding to KERNEL32.dll
LDR: Stale Bind KERNEL32.dll from calc.exe
LDR: calc.exe bound to SHELL32.dll
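As an added example (not part of the original post), here is a small Python parser that walks ShowSnaps output like the log above and summarises the search path each DLL was looked up in, what was mapped, which loads were recursive, and each failure with its NTSTATUS name; the log excerpt inside it is constructed from the lines above with the wrapped lines re-joined, and the NTSTATUS table is a short hand-picked list, not an exhaustive one.

```python
import re

# Well-known NTSTATUS values that show up in loader-snap failures (hand-picked, not exhaustive).
NTSTATUS_NAMES = {
    0xC0000018: "STATUS_CONFLICTING_ADDRESSES",  # image could not be mapped at the address it needed
    0xC000007B: "STATUS_INVALID_IMAGE_FORMAT",
    0xC0000135: "STATUS_DLL_NOT_FOUND",
}

_SEARCH = re.compile(r"LdrpSearchPath - Looking for (\S+) in (.+)$")
_LOADING = re.compile(r"LDR: Loading \(([^)]*)\) (.+)$")
_IMPORT_FAIL = re.compile(r"failed on import (\S+) with status ([0-9a-fA-F]{8})$")
_LOAD_FAIL = re.compile(r"LdrpLoadDll\((.+?)\) returned status ([0-9a-fA-F]{8})$")
_REQUESTED = re.compile(r'DLL being requested: "([^"]+)"')

# Constructed excerpt modelled on the ShowSnaps log above (wrapped lines re-joined, shortened).
SAMPLE_LOG = r"""
[5e0,5e4] LDR: Recursive DLL load
[5e0,5e4]   Previous DLL being loaded: "kernel32.dll"
[5e0,5e4]   DLL being requested: "inject.dll"
LDR: LdrpSearchPath - Looking for inject.dll in C:\WINDOWS\system32;C:\WINDOWS;.;C:\WINDOWS\System32\Wbem
LDR: Loading (DYNAMIC, NON_REDIRECTED) C:\WINDOWS\system32\inject.dll
LDR: Fixups unsuccessfully re-applied @ 001B0000
LDR: LdrpWalkImportTable - LdrpLoadImportModule failed on import KERNEL32.dll with status c0000018
LDR: LdrLoadDll - failing because LdrpLoadDll(inject.dll) returned status c0000018
"""

def describe_status(status):
    """Map an NTSTATUS integer to its symbolic name where we know it."""
    return NTSTATUS_NAMES.get(status, "unknown NTSTATUS")

def parse_ldr_snaps(text):
    """Summarise ShowSnaps output: search paths, mapped images, recursive loads and failures."""
    summary = {"search": {}, "loaded": [], "recursive": [], "failures": []}
    for line in text.splitlines():
        if m := _SEARCH.search(line):
            summary["search"][m.group(1)] = m.group(2).split(";")   # DLL -> ordered search dirs
        elif m := _LOADING.search(line):
            summary["loaded"].append(m.group(2))                   # full path that got mapped
        elif m := _REQUESTED.search(line):
            summary["recursive"].append(m.group(1))                # DLL requested during another load
        elif (m := _IMPORT_FAIL.search(line)) or (m := _LOAD_FAIL.search(line)):
            status = int(m.group(2), 16)
            summary["failures"].append((m.group(1), status, describe_status(status)))
    return summary

def current_dir_position(dirs):
    """Index of '.' (the process current directory) in a search list, or -1 if absent."""
    return dirs.index(".") if "." in dirs else -1
```

Running it over the excerpt reports both failures as 0xC0000018 (STATUS_CONFLICTING_ADDRESSES), which agrees with the "Fixups unsuccessfully re-applied" line just before them, and shows "." sitting in the search list after the system directories.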
