win7x64 调试端口移位数据

落笔飞花

自建调试系统写完了   这个就丢了
直接运行： DbgkCopyProcessDebugPort 两处 [+0x20] [0x40]
ew DbgkCopyProcessDebugPort+0x20 0x170
ew DbgkCopyProcessDebugPort+0x40 0x170

附加

DbgkpSetProcessDebugObject [+0xB5] 四处  [0xCA] [0xF2] [0x1EB] 四处  
///
ew DbgkCopyProcessDebugPort+0x20 0x170
ew DbgkCopyProcessDebugPort+0x40 0x170
ew DbgkpSetProcessDebugObject+0xB5 0x170
ew DbgkpSetProcessDebugObject+0xCA 0x170
ew DbgkpSetProcessDebugObject+0xF2  0x170
ew DbgkpSetProcessDebugObject+0x1EB 0x170

ew DbgkForwardException+0x69 0x170
ew PspExitThread+0x15A 0x170

ew DbgkpMarkProcessPeb+0x9e 0x170


ew  DbgkCreateThread+0x54 0x170
ew  DbgkCreateThread+0x68 0x170



ew  DbgkpQueueMessage+0xe6 0x170


ew KiDispatchException+0x23C 0x170
ew DbgkExitThread+0x2D 0x170
ew PspProcessDelete+0xE3 0x170
ew PspTerminateAllThreads+0x13b 0x170
ew DbgkExitProcess+0x2A 0x170

ew DbgkClearProcessDebugObject+0x60 0x170
ew DbgkClearProcessDebugObject+0x76 0x170
ew  DbgkUnMapViewOfSection+0x31 0x170
ew  DbgkMapViewOfSection +0x44 0x170

ew DbgkpCloseObject +0xD9  0x170
ew DbgkpCloseObject +0x12B  0x170
ew DbgkpCloseObject +0x122 0x170
ew  DbgkOpenProcessDebugPort +0x1B 0x170
ew  DbgkOpenProcessDebugPort +0x76 0x170

////


DbgkOpenProcessDebugPort [0x1B] [0x76]

ew  DbgkOpenProcessDebugPort +0x1B 0x170

ew  DbgkOpenProcessDebugPort +0x76 0x170

DbgkpCloseObject [0xD9] [0x12B] [0x122]
ew DbgkpCloseObject +0xD9  0x170
ew DbgkpCloseObject +0x12B  0x170
ew DbgkpCloseObject +0x122 0x170
DbgkUnMapViewOfSection [0x31]

ew  DbgkUnMapViewOfSection+0x31 0x170

DbgkMapViewOfSection [0x44]
ew  DbgkMapViewOfSection +0x44 0x170

DbgkClearProcessDebugObject [0x60] [0x76]
ew DbgkClearProcessDebugObject+0x60 0x170
ew DbgkClearProcessDebugObject+0x76 0x170
DbgkpMarkProcessPeb [+0x9E] 一处 这里可写可不写

ew DbgkpMarkProcessPeb+0x9e 0x170

DbgkCreateThread [0x54] [0x68]

ew  DbgkCreateThread+0x54 0x170
ew  DbgkCreateThread+0x68 0x170


DbgkpQueueMessage [0x88] [0xE6]
ew  DbgkpQueueMessage+0x89 0x170
ew  DbgkpQueueMessage+0xe6 0x170


KiDispatchException [0x23C]

ew KiDispatchException+0x23C 0x170



DbgkForwardException [0x69]

ew DbgkForwardException+0x69 0x170



PspExitThread[0x15A]

ew PspExitThread+0x15A 0x170

DbgkExitThread[0x2D]

ew DbgkExitThread+0x2D 0x170

PspTerminateAllThreads[0x13B]

ew PspTerminateAllThreads+0x13b 0x170

DbgkExitProcess     [0x2A]

ew DbgkExitProcess+0x2A 0x170

PspProcessDelete [0xE3]

ew PspProcessDelete+0xE3 0x170


ntoskrnl+4055E0;dbgport


符号文件关闭回调 PspNotifyEnableMask

Tesla.Angela

哈哈，这个厉害！
主贴太乱，复制了一份修改了一下（以下数据对应WIN7X64SP1）：

ew DbgkCopyProcessDebugPort+0x20 0x170
ew DbgkCopyProcessDebugPort+0x40 0x170

ew DbgkpSetProcessDebugObject+0xB5 0x170
ew DbgkpSetProcessDebugObject+0xCA 0x170
ew DbgkpSetProcessDebugObject+0xF2  0x170
ew DbgkpSetProcessDebugObject+0x1EB 0x170

ew DbgkCreateThread+0x54 0x170
ew DbgkCreateThread+0x68 0x170

ew DbgkClearProcessDebugObject+0x60 0x170
ew DbgkClearProcessDebugObject+0x76 0x170

ew DbgkpCloseObject +0xD9  0x170
ew DbgkpCloseObject +0x12B  0x170
ew DbgkpCloseObject +0x122 0x170

ew DbgkOpenProcessDebugPort +0x1B 0x170
ew DbgkOpenProcessDebugPort +0x76 0x170

ew DbgkUnMapViewOfSection+0x31 0x170
ew DbgkMapViewOfSection +0x44 0x170
ew DbgkForwardException+0x69 0x170
ew DbgkExitProcess+0x2A 0x170
ew DbgkpMarkProcessPeb+0x9e 0x170
ew DbgkpQueueMessage+0xe6 0x170
ew DbgkExitThread+0x2D 0x170

ew PspProcessDelete+0xE3 0x170
ew PspTerminateAllThreads+0x13b 0x170
ew PspExitThread+0x15A 0x170

ew KiDispatchException+0x23C 0x170

此外我觉得修改到0x168更好些。因为ExitTime有时候会作为判断进程是否存在的标志，这会影响到若干无关的API（比如PsGetProcessExitStatus、PsGetProcessExitTime等）。而CreateTime只是记录一个几乎不会再用到的数据。