[Help] Setting breakpoints on an r3 (user-mode) program from kd: CreateRemoteThread parameter question
Posted: 2013-9-24 22:04
WinDbg kernel debugging; .process /p with EXPLORER's EPROCESS, then:
.reload /user
bu kernel32!CreateRemoteThread
g
Then...
kd> kb
ChildEBP RetAddr Args to Child
00e1f85c 00da0447 00000248 00000000 00000000 kernel32!CreateRemoteThread
WARNING: Frame IP not in any known module. Following frames may be wrong.
00e1fc10 77da6c03 00000264 00000000 00e1fc2c 0xda0447
00e1fc2c 77f4458d 00000264 00000000 00e1fdd0 ADVAPI32!BaseRegCloseKeyInternal+0x51
00e1fd60 77f445b8 80000001 7d598b00 7d598a10 SHLWAPI!SHRegGetValueW+0x11a
00e1fd84 7d5d9957 80000001 7d598b00 7d598a10 SHLWAPI!SHGetValueW+0x21
00e1fdac 01008bf2 000ddea0 00e1fdd0 000e4ce8 SHELL32!CStartMenuPin::GetChangeCount+0x2d
00e1fde0 01008c2d 000e4ba0 01008d96 00000409 Explorer!ByUsage::_FillPinnedItemsCache+0x2b
00e1fde8 01008d96 00000409 0001009e 00e1fe0c Explorer!ByUsage::PrePopulate+0xa
00e1fdf8 01008e77 00000000 00e1fe74 01003fed Explorer!SFTBarHost::_EnumerateContents+0x7e
00e1fe0c 77d18734 0001009e 00000409 00000000 Explorer!SFTBarHost::_WndProc+0x2ea
00e1fe38 77d18816 01003fed 0001009e 00000409 USER32!InternalCallWinProc+0x28
00e1fea0 77d189cd 000a0138 01003fed 0001009e USER32!UserCallWinProcCheckWow+0x150
00e1ff00 77d18a10 00e1ff28 00000000 00e1ff44 USER32!DispatchMessageWorker+0x306
00e1ff10 01001a35 00e1ff28 00000000 010460f8 USER32!DispatchMessageW+0xf
00e1ff44 0100ffd1 00000000 00e1ffb4 77f56fa2 Explorer!CTray::_MessageLoop+0xd9
00e1ff50 77f56fa2 010460f8 0000005c 00000000 Explorer!CTray::MainThreadProc+0x29
00e1ffb4 7c80b729 00000000 0000005c 00000000 SHLWAPI!WrapperThreadProc+0x94
00e1ffec 00000000 77f56f33 0007fdbc 00000000 kernel32!BaseThreadStart+0x37
Stack:
kd> dd esp L10
00e1f860 00da0447 00000248 00000000 00000000
00e1f870 00090000 00000000 00000000 00000000
00e1f880 00da4b1e 00da5010 00da0080 003a0043
00e1f890 0057005c 004e0049 004f0044 00530057
CreateRemoteThread prototype:
HANDLE WINAPI CreateRemoteThread(
_In_ HANDLE hProcess,
_In_ LPSECURITY_ATTRIBUTES lpThreadAttributes,
_In_ SIZE_T dwStackSize,
_In_ LPTHREAD_START_ROUTINE lpStartAddress,
_In_ LPVOID lpParameter,
_In_ DWORD dwCreationFlags,
_Out_ LPDWORD lpThreadId
);
lpStartAddress [in]
A pointer to the application-defined function of type LPTHREAD_START_ROUTINE to be executed by the thread and represents the starting address of the thread in the remote process. The function must exist in the remote process. For more information, see ThreadProc.
What is this strange 90000 address? dt _LPTHREAD_START_ROUTINE 90000 shows nothing at all. It doesn't look like a user-mode linear address either.
I'm stuck; asking the experts for help.....
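The stack dump from the post, decoded against the quoted prototype as an added example (this is not code from the original post). It assumes 32-bit x86 stdcall and that the bu breakpoint hit at the function's first instruction, so [esp] is the return address and [esp+4] onward are the arguments in declaration order; the kb line only prints the first three arguments, so the fourth one is visible only in the dd output.

```python
from typing import Dict, List

# Parameter names in declaration order, taken from the CreateRemoteThread prototype above.
CREATE_REMOTE_THREAD_PARAMS = [
    "hProcess", "lpThreadAttributes", "dwStackSize", "lpStartAddress",
    "lpParameter", "dwCreationFlags", "lpThreadId",
]

# Constructed copy of the `kd> dd esp L10` output and the first `kb` frame from the post.
DD_ESP_OUTPUT = """\
00e1f860 00da0447 00000248 00000000 00000000
00e1f870 00090000 00000000 00000000 00000000
00e1f880 00da4b1e 00da5010 00da0080 003a0043
00e1f890 0057005c 004e0049 004f0044 00530057
"""
KB_FRAME_LINE = "00e1f85c 00da0447 00000248 00000000 00000000 kernel32!CreateRemoteThread"


def parse_dd(output: str) -> List[int]:
    """Flatten WinDbg `dd` output (address, then up to four dwords per line) into values."""
    values: List[int] = []
    for line in output.splitlines():
        fields = line.split()
        if fields:
            values.extend(int(v, 16) for v in fields[1:])  # fields[0] is the address column
    return values


def decode_stdcall_frame(dwords: List[int], params: List[str]) -> Dict[str, int]:
    """At the first instruction of a 32-bit stdcall (WINAPI) function, before any prologue,
    [esp] is the caller's return address and [esp+4], [esp+8], ... are the arguments."""
    if len(dwords) < len(params) + 1:
        raise ValueError("dump too short for return address plus all parameters")
    frame = {"return_address": dwords[0]}
    frame.update(zip(params, dwords[1:]))
    return frame


def kb_frame_matches(kb_line: str, frame: Dict[str, int], params: List[str]) -> bool:
    """Cross-check the decoded frame against a `kb` line: RetAddr plus the three 'Args to Child'
    must equal the return address and the first three decoded parameters."""
    fields = kb_line.split()
    ret_addr, kb_args = int(fields[1], 16), [int(a, 16) for a in fields[2:5]]
    return ret_addr == frame["return_address"] and kb_args == [frame[p] for p in params[:3]]


if __name__ == "__main__":
    frame = decode_stdcall_frame(parse_dd(DD_ESP_OUTPUT), CREATE_REMOTE_THREAD_PARAMS)
    for name, value in frame.items():
        print(f"{name:20s} = 0x{value:08x}")
    print("consistent with kb:", kb_frame_matches(KB_FRAME_LINE, frame, CREATE_REMOTE_THREAD_PARAMS))
```

Running this maps the dump to hProcess=0x248, lpThreadAttributes=0, dwStackSize=0, lpStartAddress=0x90000 and the remaining three arguments 0, which is why the value in question only shows up in the dd output and not in the three-argument kb line.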