Question about hooking ServiceDescriptorTableShadow
I am a newbie, please help me.
I want to restore the original SHADOW table. The OS is XP SP1 installed in a virtual machine, and I am debugging the kernel with WinDbg. After connecting successfully:

0: kd> dd nt!KeServiceDescriptorTableShadow
8054a180 804fefd8 00000000 0000011c 804ff44c
8054a190 bf998c40 00000000 0000029b bf9927a0
8054a1a0 00000000 00000000 00000000 00000000
8054a1b0 00000000 00000000 00000000 00000000
8054a1c0 804fefd8 00000000 0000011c 804ff44c
8054a1d0 00000000 00000000 00000000 00000000
8054a1e0 00000000 00000000 00000000 00000000
8054a1f0 00000000 00000000 00000000 00000000

0: kd> dd bf998c40
bf998c40 ???????? ???????? ???????? ????????
bf998c50 ???????? ???????? ???????? ????????
bf998c60 ???????? ???????? ???????? ????????
bf998c70 ???????? ???????? ???????? ????????
bf998c80 ???????? ???????? ???????? ????????
bf998c90 ???????? ???????? ???????? ????????
bf998ca0 ???????? ???????? ???????? ????????
bf998cb0 ???????? ???????? ???????? ????????

0: kd> dd win32k!W32pServiceTable
bf998c40 ???????? ???????? ???????? ????????
bf998c50 ???????? ???????? ???????? ????????
bf998c60 ???????? ???????? ???????? ????????
bf998c70 ???????? ???????? ???????? ????????
bf998c80 ???????? ???????? ???????? ????????
bf998c90 ???????? ???????? ???????? ????????
bf998ca0 ???????? ???????? ???????? ????????
bf998cb0 ???????? ???????? ???????? ????????

Why does win32k!W32pServiceTable look like this?

Quoting what chenting1987 posted on 2007-07-21 10:53:

0: kd> .process
Implicit process is now 80549c00

then

0: kd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS 81ef0280  SessionId: 0  Cid: 0254    Peb: 7ffdf000  ParentCid: 0214
    DirBase: 06fee000  ObjectTable: e1386cf8  HandleCount: 312.
    Image: CSRSS.EXE

then

0: kd> .process 81ef0280
Implicit process is now 81ef0280
0: kd> .process
Implicit process is now 80549c00

Looking at the result, it is still in the original process.
Was what I did correct? If not, how should I do it so that I can see the function addresses correctly?
I am very green, please advise. Thank you all.
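As an added example (not code from this thread), here is a small Python parser for the `dd` output quoted above: it splits nt!KeServiceDescriptorTableShadow into its two descriptors, measures how much of a dump came back as `????????` (the symptom in the post, meaning the memory is not readable in the current implicit process context), and flags table entries pointing outside the owning module. The win32k image range and the readable table sample are hypothetical; in a real session take the range from `lm m win32k`.

```python
import re
from typing import List, NamedTuple, Optional, Tuple
# Real values from the dump in the post above (XP SP1): two descriptors of 4 dwords each.
SHADOW_DUMP = """
8054a180 804fefd8 00000000 0000011c 804ff44c
8054a190 bf998c40 00000000 0000029b bf9927a0
"""
# The win32k table exactly as the poster saw it: unreadable in the current process context.
W32P_DUMP_UNMAPPED = """
bf998c40 ???????? ???????? ???????? ????????
bf998c50 ???????? ???????? ???????? ????????
"""
# CONSTRUCTED readable win32k table (hypothetical addresses); entry 2 deliberately points outside the hypothetical image range.
W32P_DUMP_CONSTRUCTED = """
bf998c40 bf80a1c0 bf80e9f4 f8a1b120 bf8103a2
bf998c50 bf8250ee bf831a40 bf84c002 bf85ff10
"""

class ServiceTableDescriptor(NamedTuple):
    """One 16-byte x86 entry of KeServiceDescriptorTableShadow."""
    base: Optional[int]          # ServiceTableBase
    count_base: Optional[int]    # ServiceCounterTableBase
    num_services: Optional[int]  # NumberOfServices
    param_base: Optional[int]    # ParamTableBase
# "<addr> <dword>{1..4}", where a dword WinDbg cannot read is printed as ????????
DD_LINE = re.compile(r'^\s*([0-9a-f]{8})((?:\s+(?:[0-9a-f]{8}|\?{8})){1,4})\s*$', re.I)
def parse_dd(text: str) -> List[Tuple[int, Optional[int]]]:
    """Turn `dd` output into (address, dword) pairs; '????????' becomes None."""
    words = []
    for line in text.splitlines():
        m = DD_LINE.match(line)
        if not m:
            continue  # prompts and other non-dump lines are skipped
        addr = int(m.group(1), 16)
        for i, tok in enumerate(m.group(2).split()):
            words.append((addr + 4 * i, None if tok.startswith('?') else int(tok, 16)))
    return words
def parse_shadow(text: str, n_tables: int = 2) -> List[ServiceTableDescriptor]:
    """Group dwords into descriptors: index 0 is the ntoskrnl table, index 1 is win32k's."""
    vals = [v for _, v in parse_dd(text)]
    return [ServiceTableDescriptor(*vals[4 * i:4 * i + 4]) for i in range(n_tables) if len(vals) >= 4 * i + 4]
def unmapped_fraction(text: str) -> float:
    """Share of dwords WinDbg could not read; 1.0 means the table is not mapped in this context."""
    words = parse_dd(text)
    return sum(1 for _, v in words if v is None) / len(words) if words else 0.0
def find_hooked_entries(table, img_start: int, img_end: int) -> List[Tuple[int, int]]:
    """Entries whose dispatch target lies outside the owning module's image are hook candidates."""
    return [(i, v) for i, (_, v) in enumerate(table) if v is not None and not (img_start <= v < img_end)]
```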
Reply #1
Posted on: 2007-11-23 02:35
Please help me, everyone.
Reply #2
Posted on: 2007-11-25 11:07
Quoting what wdnfa posted on floor 2 on 2007-11-24 19:15:

When debugging a virtual machine with WinDbg, how can I switch to a specified process?

0: kd> .process
Implicit process is now 80549c00

then

0: kd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS 81ef0280  SessionId: 0  Cid: 0254    Peb: 7ffdf000  ParentCid: 0214
    DirBase: 06fee000  ObjectTable: e1386cf8  HandleCount: 312.
    Image: CSRSS.EXE

then

0: kd> .process 81ef0280
Implicit process is now 81ef0280
0: kd> .process
Implicit process is now 80549c00

Looking at the result, it is still in the original process.
What should I do? Please give me an example, thanks.