15. Kernel Debugging with LiveKd & WinDbg (15 pts.)

What You Need

Purpose

Practice using simple WinDbg commands. We'll use LiveKd, a utility that makes some limited kernel debugging possible with a single computer. LiveKd is read-only -- you can look at kernel processes and data structures, but cannot modify a running system or use breakpoints.

Using LiveKd

In a Command Prompt window, execute this command:

livekd -w

When LiveKd starts, it asks you whether to set the _NT_SYMBOL_PATH automatically, as shown below.

Type y and press Enter.

LiveKd asks "Enter the folder to which symbols download". Press Enter to accept the default option.

WinDbg launches, as shown below.

This is a strange combination of a GUI and command line, like the other debuggers we've used. Commands are typed into the box at the bottom and the results appear in the large top pane.

At the bottom of the Command window, in the command bar, execute this command:

!process

You should see the "kd> !process" command and its output, showing information about the windbg process, including its Cid number, as shown below.

When I did it, the Cid was 0b14 in hexadecimal, which is 11*256 + 16 + 4 = 2836.

Viewing Processes with Task Manager

At the bottom of the desktop, point to an unused portion of the taskbar and right-click. Click "Task Manager". In Task Manager, click the Processes tab.

Find the windbg process and its PID, as shown below. It should match the Cid from WinDbg.

Close Task Manager. In WinDbg, at the bottom of the Command window, in the command bar, execute this command:

!process 0 0

You see a long list of all processes, as shown below.

Online Help

At the bottom of the Command window, in the command bar, execute this command:

.help process

You see a brief help message about the "process" command, as shown below.

At the bottom of the Command window, in the command bar, execute this command:

.hh process

You see a much more complete help window, as shown below.

Listing Modules with lm

At the bottom of the Command window, in the command bar, execute this command:

lm

A long list of all loaded modules scrolls by.

Scroll back to see the lm command you entered, and the first few loaded kernel modules, as shown below.

Scroll down to find the module named nt, as shown below. It's easy to spot because it's one of the few modules that shows a Symbols path.

This is Ntoskrnl, the main kernel module.

Viewing Memory

Here are some commands that display memory. In WinDbg, execute this command:

dd nt

You see the first several bytes of Ntoskrnl.exe, as shown below.

This may be more familiar in ASCII.

In WinDbg, execute this command:

da nt

You see the characters "MZ" -- they are at the start of every EXE file.

In WinDbg, execute this command:

db nt

This displays the bytes on the left and the ASCII on the right. Now you can see the message "This program cannot be run in DOS mode", which appears at the start of many EXE files.
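Added example (not part of this lab): a small Python script that mimics the output formats of dd, da and db over a constructed DOS header, so you can see why dd shows "MZ" as the dword 00905a4d and why db's right-hand column is where the DOS-mode message becomes readable. BASE and the byte values are made up, not captured from a live kernel.

```python
"""Re-create what WinDbg's dd, da and db show at the start of an image.
Constructed DOS header and stub; BASE is a made-up address standing in for nt."""
import struct

BASE = 0xFFFFF80001000000
DOS_STUB_CODE = b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
DOS_MSG = b"This program cannot be run in DOS mode.\r\r\n$"

# e_magic "MZ", e_cblp, e_cp, then e_lfanew at 0x3c pointing just past the stub
IMAGE = bytearray(0x40)
IMAGE[0:8] = b"MZ\x90\x00\x03\x00\x00\x00"
struct.pack_into("<I", IMAGE, 0x3C, 0x40 + len(DOS_STUB_CODE) + len(DOS_MSG))
IMAGE += DOS_STUB_CODE + DOS_MSG

def fmt_addr(addr):
    """64-bit kd addresses print with a backtick between the two halves."""
    return f"{addr >> 32:08x}`{addr & 0xFFFFFFFF:08x}"

def printable(chunk):
    """ASCII column: non-printable bytes (like the 0x90 after MZ) become '.'"""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)

def db(data, base, length=0x80):
    """Byte dump: 16 hex bytes per line with the ASCII column on the right."""
    lines = []
    for off in range(0, min(length, len(data)), 16):
        chunk = bytes(data[off:off + 16])
        hexpart = " ".join(f"{b:02x}" for b in chunk).ljust(47)
        lines.append(f"{fmt_addr(base + off)}  {hexpart}  {printable(chunk)}")
    return lines

def dd(data, base, count=32):
    """Dword dump: little-endian 32-bit values, four per line.  This is why
    the bytes 4d 5a 90 00 ("MZ") appear as 00905a4d, not 4d5a9000."""
    words = [struct.unpack_from("<I", data, off)[0]
             for off in range(0, min(count * 4, len(data) - 3), 4)]
    return [f"{fmt_addr(base + i * 4)}  " + " ".join(f"{w:08x}" for w in words[i:i + 4])
            for i in range(0, len(words), 4)]

def da(data, base, limit=48):
    """ASCII string dump: stops at the first NUL byte or after `limit` chars."""
    end = data.find(b"\x00")
    raw = bytes(data[:end if end != -1 else len(data)][:limit])
    return f'{fmt_addr(base)}  "{printable(raw)}"'

if __name__ == "__main__":
    print("\n".join(dd(IMAGE, BASE)))
    print(da(IMAGE, BASE))
    print("\n".join(db(IMAGE, BASE)))
```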

Examining Symbols

The x command examines symbols, which include function names.

Searching for Functions

In WinDbg, execute this command:

x nt!*

This finds all the functions in Ntoskrnl. There are a lot of them, as shown below. It may take a minute or so to show them.

In WinDbg, execute this command:

x nt!*Create*

This finds all the symbols in Ntoskrnl that contain the word "Create".

There are a lot of them, too.

In WinDbg, execute this command:

x nt!*CreateFile*

This finds all the symbols in Ntoskrnl that contain the word "CreateFile".

There are only about ten of those, including "nt!NtCreateFile", as shown below:

Unassembling a Function

In WinDbg, execute this command:

u nt!NtCreateFile

This shows the first few bytes of the function, disassembled, as shown below:

To see more of this function, it helps to use the WinDbg Disassembly window.

If the Command window is maximized, make it smaller.

From the WinDbg menu bar, click View, Disassembly, as shown below:

In the Offset bar at the top, enter

nt!NtCreateFile

This shows the assembly code before and after the start of the NtCreateFile function. Using the up-arrow and down-arrow keys, you can scroll to see the entire assembly code for this function, as shown below:

Viewing Type Information for a Structure

In WinDbg, execute this command:

dt nt!_DRIVER_OBJECT

This shows the first few lines of a driver object structure, which stores information about a kernel driver, as shown below. Notice the DriverStart pointer -- this contains the location of the driver in memory.

Challenge 15a: Function Name (5 pts)

Find the Windows kernel function that has a name fitting this pattern: two characters, RegistryKey, then six more letters, like this:

--RegistryKey------

Challenge 15b: Beep (10 pts)

Disassemble the Beep module, near its DriverEntry.

Find the hexadecimal values covered by the green box in the image below.



Posted 7-16-17 by Sam Bowne
Modified 7-26-17 2:10 pm