以下是 WinDbg/ntsd 常用命令备忘(32 位用户态目标,MASM 表达式语法)。每条命令后以 $$ 开头的行是说明与易错点,完整解释见微软 WinDbg 使用手册。
$$ 通用注意:MASM 表达式里寄存器和 poi() 读出的 32 位值会被符号扩展成 64 位,所以比较高位为 1 的值(如 0xffffffff、HRESULT)之前要先 &0x0`ffffffff 掩码;64 位数字的分隔符是反引号 `,不是单引号 '。
g @$exentry
$$ 从初始断点直接运行到当前进程第一个可执行映像的入口点($exentry),跳过加载器阶段
Bp 0044e9b9 "r $t0=@$t0+1;.printf\"function executes: %d times\",@$t0;.echo;gc"
$$ 每次命中 0044e9b9 时把伪寄存器 $t0 加一、打印次数并自动继续。使用前先执行 r $t0=0 归零;$t0 是整个调试会话共享的,若其它断点也用它,计数会互相叠加。
bp 004312D9 ".if( (@ecx &0x0`ffffffff) =0x0`ffffffff) {} .else {gc} "
$$ 条件断点:仅当 ecx == 0xffffffff 时停下,否则 gc 继续。MASM 里 "=" 和 "==" 都是相等比较;掩码不能省,因为 @ecx 在表达式中会被符号扩展成 0xffffffff`ffffffff。
ba r 1 004b8408
$$ 硬件数据断点:ba r 在读或写 004b8408 时都会触发(只监视写用 ba w);大小只能是 1/2/4,地址必须按大小对齐;x86 最多同时 4 个硬件断点(DR0-DR3)。
r st0
$$ 查看 x87 浮点寄存器 st0;r 不带参数显示全部通用寄存器
r
pt
$$ 运行到当前函数的返回指令(ret)处停下
t
$$ 单步跟踪,遇到 call 会进入被调函数
p
$$ 单步执行,call 当作一条指令跳过
g
$$ 继续运行
ph
$$ 执行到下一条分支指令(jmp/jcc/call/ret)处停下
ntsd -d -y C:\WINDOWS\Symbols -p PID     附着到已在运行的进程(PID 填十进制进程号)
$$ -d 把 ntsd 的全部输入输出转交给当前连接的内核调试器(目标程序检测用户态调试器时可用此法从 kd 侧操作);没有内核调试器连接时去掉 -d,否则得不到任何输出。-y 指定符号路径。
Ntsd -d -y C:\WINDOWS\Symbols "C:\Program Files\xxx.exe"
$$ 带空格的路径必须加引号,否则 ntsd 会把 "Files\xxx.exe" 当作被调试程序的命令行参数
dd esp
$$ 以 DWORD 为单位显示栈顶附近内容
u 00440B4E L15
$$ 从 00440B4E 起反汇编 L15 条指令;L 后面的数默认按十六进制解释,即 0x15 = 21 条
bp 441D79 ".echo 441D79-----;gc"
$$ 地址与命令串之间要有空格,原来的 Bp 441D79".echo ..." 会让地址表达式和字符串粘在一起导致解析出错
Bp 0047A57A ".printf\"---0047A57A ---\";.echo;gc"
$$ 命中时打印标记并立即继续,相当于用断点做执行路径 trace
Ba r 1 13FB71 ".if( (poi(0x13FB71)) =0x30303034) {.echo 123} .else {gc} "
$$ 0x30303034 按小端存放就是 ASCII 串 "4000";poi 读取 4 字节,与 ba 监视的 1 字节范围无关
ba r 1 0013fabc ".if ( ((@eip&0x0`ffffffff) > 0x00400000) && ((@eip&0x0`ffffffff) < 0x01361000) ) {.echo 123} .else {gc}"
$$ 原写法 (@eip&&0x0'ffffffff) 有两处错误:&& 是逻辑与,整个子表达式恒为 1 而不是掩码后的 eip,于是条件永远为假、断点永远不会停;64 位分隔符是反引号 ` 不是 '。
$$ 数据断点在访问指令执行完之后才报告,因此命中时 @eip 指向访问指令的下一条指令。
? poi(@eax+1BB)
$$ 显示 [eax+0x1BB] 处的 4 字节值。MASM 默认十六进制,写裸数字或加 0x 前缀即可,不要用汇编器风格的 1BBh 后缀。
eb 004515A5
ed 004b84a4
$$ eb/ed 不跟值时进入交互编辑模式(逐个输入字节/DWORD,直接回车退出);也可一次写完,如 eb 004515A5 90 90
a 00440b48
$$ 交互汇编:从 00440b48 开始逐行输入指令,输入空行结束
Bp 7c812af5 ".if (((poi(@eax))&0x0`ffffffff) = 0x80040155) {.echo Match} .else {.echo MisMatch; gc}"
$$ 原命令缺少结尾的引号。poi(@eax) 读的是 eax 指向的内存而不是 eax 本身;0x80040155 这类高位为 1 的 HRESULT 必须掩码后再比较,否则符号扩展后永远不相等。
Bp 0041f3f4 "r $t0=@$t0+1;.printf\"function executes: %d times\",@$t0;.echo;.if @$t0 = 0x27 {} .else {gc}"    ---执行 0x27(十进制 39)次后停止
$$ 同样要先 r $t0=0 归零;十进制写法是 .if (@$t0 == 0n39)
ba r 1 56fa84 ".if ((@eip&0x0`ffffffff) == 0x0042db0e) {} .else {gc}"
$$ 只在访问 56fa84 且命中时 @eip 为 0042db0e(即访问指令的下一条)时停下,其它访问者放行
ba r 1 0056fc24 ".if( (@eip&0x0`ffffffff) !=0x0`004344fb){.echo 123; } .else {gc} "
$$ 与上一条相反:排除已知的 004344fb 处访问,找出其它读写该地址的代码
ba r 1 0056fc24 ".printf\"pass through %x ----------------\",@eip ;"
$$ 每次访问都打印来源 eip 并停下(命令串里没有 gc);要自动继续就在末尾加 gc
非常重要!!在内核调试器里切换到某个用户态进程/线程的上下文、再对用户态地址下断点,命令序列如下:
0: kd> !process 8604b2c0
$$ 显示该 EPROCESS 的信息及其线程列表(ETHREAD 地址);8604b2c0 来自 !process 0 0 的输出
然后
0: kd> .thread 86213230
0: kd> k
$$ .thread 把寄存器和栈上下文切换到该线程,k 查看其调用栈(用户态帧需要加载用户态符号才能解析)
0: kd> ba e 1 00434bc4
$$ 用户态地址的断点必须在该进程的地址空间里设置:更可靠的做法是先 .process /i 8604b2c0 再 g,等调试器在该进程上下文中断下后再执行 ba。ba e 的大小只能是 1。
s -a 00400000 l00f61000 "score.dat"
$$ 在 00400000 起 0xf61000 字节范围内搜索 ASCII 串(Unicode 串用 -u);搜索范围可以跨越未映射的页
Bp 004347F0 ".if(poi(@esp+8)==0x0100){.echo match}.else{gc;}"
$$ 在函数入口处 [esp] 是返回地址,[esp+4] 是第 1 个栈参数,[esp+8] 是第 2 个(stdcall/cdecl 约定);进入函数体之后 esp 会变化,偏移要相应调整
x *!*GetDeviceState*
$$ 在所有已加载模块的符号中模糊查找 GetDeviceState。COM 接口方法(如 DirectInput 的 IDirectInputDevice8::GetDeviceState)通常不在导出表里,没有私有符号时可能查不到,需要从对象的 vtable 定位。