win7x64 debug port relocation data
Finished writing my own debugging system, so I'm just dumping this here; run it directly: DbgkCopyProcessDebugPort, two sites [+0x20]
ew DbgkCopyProcessDebugPort+0x20 0x170
ew DbgkCopyProcessDebugPort+0x40 0x170
Attach:
DbgkpSetProcessDebugObject [+0xB5], four sites
///
ew DbgkCopyProcessDebugPort+0x20 0x170
ew DbgkCopyProcessDebugPort+0x40 0x170
ew DbgkpSetProcessDebugObject+0xB5 0x170
ew DbgkpSetProcessDebugObject+0xCA 0x170
ew DbgkpSetProcessDebugObject+0xF2 0x170
ew DbgkpSetProcessDebugObject+0x1EB 0x170
ew DbgkForwardException+0x69 0x170
ew PspExitThread+0x15A 0x170
ew DbgkpMarkProcessPeb+0x9e 0x170
ew DbgkCreateThread+0x54 0x170
ew DbgkCreateThread+0x68 0x170
ew DbgkpQueueMessage+0xe6 0x170
ew KiDispatchException+0x23C 0x170
ew DbgkExitThread+0x2D 0x170
ew PspProcessDelete+0xE3 0x170
ew PspTerminateAllThreads+0x13b 0x170
ew DbgkExitProcess+0x2A 0x170
ew DbgkClearProcessDebugObject+0x60 0x170
ew DbgkClearProcessDebugObject+0x76 0x170
ew DbgkUnMapViewOfSection+0x31 0x170
ew DbgkMapViewOfSection+0x44 0x170
ew DbgkpCloseObject+0xD9 0x170
ew DbgkpCloseObject+0x12B 0x170
ew DbgkpCloseObject+0x122 0x170
ew DbgkOpenProcessDebugPort+0x1B 0x170
ew DbgkOpenProcessDebugPort+0x76 0x170
////
DbgkOpenProcessDebugPort
ew DbgkOpenProcessDebugPort+0x1B 0x170
ew DbgkOpenProcessDebugPort+0x76 0x170
DbgkpCloseObject
ew DbgkpCloseObject+0xD9 0x170
ew DbgkpCloseObject+0x12B 0x170
ew DbgkpCloseObject+0x122 0x170
DbgkUnMapViewOfSection
ew DbgkUnMapViewOfSection+0x31 0x170
DbgkMapViewOfSection
ew DbgkMapViewOfSection+0x44 0x170
DbgkClearProcessDebugObject
ew DbgkClearProcessDebugObject+0x60 0x170
ew DbgkClearProcessDebugObject+0x76 0x170
DbgkpMarkProcessPeb [+0x9E], one site; this one is optional
ew DbgkpMarkProcessPeb+0x9e 0x170
DbgkCreateThread
ew DbgkCreateThread+0x54 0x170
ew DbgkCreateThread+0x68 0x170
DbgkpQueueMessage
ew DbgkpQueueMessage+0x89 0x170
ew DbgkpQueueMessage+0xe6 0x170
KiDispatchException
ew KiDispatchException+0x23C 0x170
DbgkForwardException
ew DbgkForwardException+0x69 0x170
PspExitThread
ew PspExitThread+0x15A 0x170
DbgkExitThread
ew DbgkExitThread+0x2D 0x170
PspTerminateAllThreads
ew PspTerminateAllThreads+0x13b 0x170
DbgkExitProcess
ew DbgkExitProcess+0x2A 0x170
PspProcessDelete
ew PspProcessDelete+0xE3 0x170
ntoskrnl+4055E0;dbgport
Symbol file, disabling callbacks: PspNotifyEnableMask. Haha, this one is great!
The main post is too messy, so I copied it and tidied it up (the data below corresponds to WIN7X64SP1):
ew DbgkCopyProcessDebugPort+0x20 0x170
ew DbgkCopyProcessDebugPort+0x40 0x170
ew DbgkpSetProcessDebugObject+0xB5 0x170
ew DbgkpSetProcessDebugObject+0xCA 0x170
ew DbgkpSetProcessDebugObject+0xF2 0x170
ew DbgkpSetProcessDebugObject+0x1EB 0x170
ew DbgkCreateThread+0x54 0x170
ew DbgkCreateThread+0x68 0x170
ew DbgkClearProcessDebugObject+0x60 0x170
ew DbgkClearProcessDebugObject+0x76 0x170
ew DbgkpCloseObject+0xD9 0x170
ew DbgkpCloseObject+0x12B 0x170
ew DbgkpCloseObject +0x122 0x170
ew DbgkOpenProcessDebugPort +0x1B 0x170
ew DbgkOpenProcessDebugPort +0x76 0x170
ew DbgkUnMapViewOfSection+0x31 0x170
ew DbgkMapViewOfSection +0x44 0x170
ew DbgkForwardException+0x69 0x170
ew DbgkExitProcess+0x2A 0x170
ew DbgkpMarkProcessPeb+0x9e 0x170
ew DbgkpQueueMessage+0xe6 0x170
ew DbgkExitThread+0x2D 0x170
ew PspProcessDelete+0xE3 0x170
ew PspTerminateAllThreads+0x13b 0x170
ew PspExitThread+0x15A 0x170
ew KiDispatchException+0x23C 0x170
Also, I think changing it to 0x168 is better. ExitTime is sometimes used as the flag for whether a process still exists, which affects a number of unrelated APIs (PsGetProcessExitStatus, PsGetProcessExitTime, etc.). CreateTime only records a value that is almost never used again.