1. First, define the program that runs on the machine being debugged:
// r3.cpp: Defines the entry point console application. // #include " the stdafx.h " #include <stdio.h> #include <stdlib.h> int gupdate_value = 0 ; int main ( int argc, char * the argv []) { char buf [] = { 0x0 , 0 , 0 , 0 , 0x90 , 0 }; unsigned int value = 0 ; * ((unsigned int *) & buf [ 0 ]) = 0xF8AD1060; printf("%X\n",&gupdate_value); //获取机器地址 system("pause"); __asm { mov eax,0xF8AD1060; mov eax,[eax]; mov value,eax; call fword ptr ds:[buf] } printf("%X\n",gupdate_value); printf("%X\n",value); system("pause"); return 0; }
Then write the driver for the debugged machine:
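#include <ntddk.h>

// Kernel-mode half of the call-gate demonstration. Test is the routine the
// gate lands in; DriverEntry prints its address so it can be checked in WinDbg.
//
// Detection note: a call-gate descriptor that targets arbitrary driver code is
// exactly the kind of GDT change kernel-integrity monitors look for.

// Unload routine: nothing to tear down, just log.
VOID DriverUpload(PDRIVER_OBJECT pDriver)
{
    UNREFERENCED_PARAMETER(pDriver);
    KdPrint(("uninstall complete\n"));
}

int g_value = 10;

// Target of the call gate. Declared naked so the body is exactly the
// instructions below (no compiler prologue/epilogue) and ends with a far
// return, which is what a call-gate entry requires.
void __declspec(naked) Test()
{
    __asm {
        int 3                   ; break into the kernel debugger
        mov eax, 0x2E7140       ; address of gupdate_value, taken from the user program's output
                                ; (changes per build/run; the WinDbg listing on this page shows a different value)
        mov ebx, 0x100
        mov [eax], ebx          ; gupdate_value = 0x100
        retf                    ; far return to the ring-3 caller
    }
}

NTSTATUS DriverEntry(PDRIVER_OBJECT pDriver, PUNICODE_STRING pReg)
{
    UNREFERENCED_PARAMETER(pReg);
    KdPrint(("welcome to driver world\n"));
    // The address to look up with `uf` in WinDbg. Original printed the
    // undefined name `test`; the routine is `Test`.
    KdPrint(("%X\n", (unsigned int)(ULONG_PTR)Test));
    pDriver->DriverUnload = DriverUpload;
    return STATUS_SUCCESS;
}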
Remember the address 0x9A9CE270 (the address of Test that DriverEntry prints).
Then, in WinDbg, check that the function at that address is correct:
0: kd> uf 0x9A9CE270
9a9ce270 cc              int     3
9a9ce271 b840711b00      mov     eax,1B7140h
9a9ce276 bb00010000      mov     ebx,100h
9a9ce27b 8918            mov     dword ptr [eax],ebx
9a9ce27d cb              retf
Here you can see that the function address is correct.
Next, we split 0x9A9CE270 into 10, 10 and 12 bits:
9A9CE 270
First, split off the leading five hex digits and pad them out:
0010 0110 1010 26A
0001 1100 1101 1CD