Just started using WinDbg, it's a lot more fun to play with than OD~~

Here is an example: this is the call chain taskmgr goes through to kill a process~~

f889f808 80583394 nt!PspTerminateThreadByPointer+0xa8
f889f834 804df7ec nt!NtTerminateProcess+0xd5
f889f834 7c92e4f4 nt!KiFastCallEntry+0xf8
0007f5d0 7c92de5c ntdll!KiFastSystemCallRet
0007f5d4 7c801e3a ntdll!ZwTerminateProcess+0xc
0007f5e4 0100c22c kernel32!TerminateProcess+0x20
0007f620 0100ceef taskmgr!CProcPage::KillProcess+0xaf
0007f634 01004840 taskmgr!CProcPage::HandleWMCOMMAND+0x40
0007f8b0 01005295 taskmgr!MainWnd_OnCommand+0xd1
0007f8e4 77d18734 taskmgr!MainWindowProc+0x43e
0007f910 77d23ce4 USER32!InternalCallWinProc+0x28
0007f97c 77d23b30 USER32!UserCallDlgProcCheckWow+0x146
0007f9c4 77d23d5c USER32!DefDlgProcWorker+0xa8
0007f9e0 77d18734 USER32!DefDlgProcW+0x22
0007fa0c 77d18816 USER32!InternalCallWinProc+0x28
0007fa74 77d28ea0 USER32!UserCallWinProcCheckWow+0x150
0007fac8 77d28eec USER32!DispatchClientMessage+0xa3
0007faf0 7c92e453 USER32!__fnDWORD+0x24
0007faf0 804e3b1c ntdll!KiUserCallbackDispatcher+0x13
f889fb04 80567b60 nt!KiCallUserMode+0x4
f889fb60 bf813d9b nt!KeUserModeCallback+0x87
f889fbe4 bf813f31 win32k!SfnDWORD+0xa8
f889fc2c bf814123 win32k!xxxSendMessageToClient+0x176
f889fc78 bf80ecc6 win32k!xxxSendMessageTimeout+0x1a6
f889fc9c bf8f82a1 win32k!xxxSendMessage+0x1b
f889fce4 bf8f809a win32k!xxxTranslateAccelerator+0x264
f889fd50 804df7ec win32k!NtUserTranslateAccelerator+0x85
f889fd50 7c92e4f4 nt!KiFastCallEntry+0xf8
0007faf0 7c92e453 ntdll!KiFastSystemCallRet
0007fb14 77d2fb07 ntdll!KiUserCallbackDispatcher+0x13
0007fb2c 01005775 USER32!NtUserTranslateAccelerator+0xc
0007ff5c 01005937 taskmgr!WinMainT+0x3e7
0007ffc0 7c817067 taskmgr!_ModuleEntry+0xdf
0007fff0 00000000 kernel32!BaseProcessStart+0x23
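As an added example (not part of the original post), a small parser for `k` output like the trace above: it recovers module!symbol+offset per frame and uses the ChildEBP column to mark where the stack crosses between user and kernel mode, i.e. the syscall entry through nt!KiFastCallEntry and the callback into user mode through ntdll!KiUserCallbackDispatcher, and names the Win32 API (kernel32!TerminateProcess) through which the kernel was reached. It assumes the 32-bit `k` layout with the default 2 GB user/kernel split; the embedded sample is a constructed copy of the innermost frames of the trace.

```python
import re
from dataclasses import dataclass
# Constructed sample: the innermost frames of the taskmgr `k` output quoted in the post.
SAMPLE_K = """\
f889f808 80583394 nt!PspTerminateThreadByPointer+0xa8
f889f834 804df7ec nt!NtTerminateProcess+0xd5
f889f834 7c92e4f4 nt!KiFastCallEntry+0xf8
0007f5d0 7c92de5c ntdll!KiFastSystemCallRet
0007f5d4 7c801e3a ntdll!ZwTerminateProcess+0xc
0007f5e4 0100c22c kernel32!TerminateProcess+0x20
0007f620 0100ceef taskmgr!CProcPage::KillProcess+0xaf
"""
# 32-bit `k` layout, innermost frame first: ChildEBP RetAddr module!symbol[+0xoffset]
FRAME_RE = re.compile(r"^([0-9a-f]{8}) ([0-9a-f]{8}) (\S+)!(\S+?)(?:\+0x([0-9a-f]+))?$")
@dataclass
class Frame:
    child_ebp: int
    ret_addr: int
    module: str
    symbol: str
    offset: int
    def kernel(self):
        # Default 2 GB split on 32-bit Windows: kernel stacks sit at or above 0x80000000.
        return self.child_ebp >= 0x80000000

def parse_k(text):
    frames = []
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        m = FRAME_RE.match(line)
        if not m:
            raise ValueError(f"unexpected frame line: {line!r}")
        frames.append(Frame(int(m[1], 16), int(m[2], 16), m[3], m[4], int(m[5] or "0", 16)))
    return frames

def mode_transitions(frames):
    """frames[i+1] is the caller of frames[i]: a kernel callee under a user caller is a syscall
    entry (KiFastCallEntry), a user callee under a kernel caller a callback (KiUserCallbackDispatcher)."""
    out = []
    for i in range(len(frames) - 1):
        callee, caller = frames[i], frames[i + 1]
        if callee.kernel() != caller.kernel():
            out.append((i, "syscall" if callee.kernel() else "callback"))
    return out

def win32_entry(frames):
    """First user-mode frame outside ntdll: the Win32 API through which the kernel was reached."""
    for f in frames:
        if not f.kernel() and f.module.lower() != "ntdll":
            return f"{f.module}!{f.symbol}"
    return None
```

Run on the full trace from the post, `mode_transitions` reports the syscall at frame 2 and the callback at frame 22 (ntdll!KiUserCallbackDispatcher), plus the second syscall into win32k!NtUserTranslateAccelerator.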
