看流星社区


360SelfProtection.sys cannot be loaded with Driver Monitor


Posted on 2017-6-2 13:31:24
Original: http://bbs.pediy.com/showthread.php?t=128515

Question: Inside a virtual machine I used Driver Monitor to load 360SelfProtection.sys, and on the host I set a deferred breakpoint with WinDbg. The breakpoint was on the first instruction of DriverEntry. Result... when loading with Driver Monitor the breakpoint was never hit... and afterwards Driver Monitor reported that a device attached to the system is not functioning.... Could an expert please advise...

Approach to the solution:
1. With two-machine kernel debugging, break in at boot, then use the sxe command to break when 360SelfProtection.sys is loaded.
2. Once broken in, use lmvm to see the current base address of 360SelfProtection.sys in memory.
3. Set a breakpoint on the entry point of 360SelfProtection.sys.
4. Run with g; execution stops at the entry point.

Several commands were used while answering the question; let's study them:

1. The sxe command. WinDbg command to break when a DLL is loaded: sxe ld:[dll name]. WinDbg command to break when a DLL is unloaded: sxe ud:[dll name]. For example: sxe ld:wininet (break when wininet.dll is loaded). The same can be achieved by breaking directly on DllMain: bu wininet!DllMain

2. The lmvm command. lmvm shows detailed information about any loaded DLL/EXE, including its symbol status. One particular reminder: do not add the extension (whether EXE or DLL); I made exactly this mistake when I started learning.

3. The kvn command. kvf, kvn: display the stack frame of the given thread, together with related information.

4. The poi operator. In WinDbg the poi operator dereferences a pointer, like the * operator on pointers in C. The command used here, bp f67b4000+poi(poi(f67b4000+3c)+f67b4000+28), sets a breakpoint on the PE entry point of the module at f67b4000; the entry point is at offset 28 into the PE header.
For example, if a pointer at address 0x00123456 points to address 0x00420000, i.e.

Memory address   Value stored at that address
0x00123456       0x00420000
0x0012345A       ......
0x00420000       0x88517517

then the following two commands are equivalent:
0:000> dd 420000
0:000> dd poi(123456)
Source: <http://www.cnblogs.com/awpatp/archive/2012/08/04/2623499.html>

5. The k command: k, kb, kc, kd, kp, kP, kv (Display Stack Backtrace). The k* commands display the stack frame of the given thread, together with related information. v: Displays frame pointer omission (FPO) information. On x86-based processors, the display also includes calling convention information. n: Displays frame numbers. kvn 100: just looks at the stack; v shows verbose information, n is the number of frames to view.

Solution: connect WinDbg to the VM, break in while the VM is booting, then enter:
sxe ld 360SelfProtection
g
Shortly afterwards it breaks in, as follows:

kd> lmvm 360SelfProtection
start    end        module name
f67b4000 f67d1980   360SelfProtection   (no symbols)
    Loaded symbol image file: 360SelfProtection.sys
    Image path: 360SelfProtection.sys
    Image name: 360SelfProtection.sys
    Timestamp:        Tue Jan 11 19:36:54 2011 (4D2C40D6)
    CheckSum:         00021EF4
    ImageSize:        0001D980
    File version:     1.0.0.1054
    Product version:  1.0.0.1054
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        3.8 Driver
    File date:        00000000.00000000
    Translations:     0804.04b0
    CompanyName:      360安全中心
    ProductName:      360安全中心
    InternalName:     SelfProtection
    OriginalFilename: SelfProtection.sys
    ProductVersion:   1,0,0,1054
    FileVersion:      1,0,0,1054
    PrivateBuild:     1,0,0,1054
    SpecialBuild:     1,0,0,1054
    FileDescription:  360安全卫士-SelfProtection
    LegalCopyright:   版权所有 (C) 2006-2010 360安全中心
    LegalTrademarks:  版权所有 (C) 2006-2010 360安全中心
    Comments:         版权所有 (C) 2006-2010 360安全中心
kd> kvn 100
 # ChildEBP RetAddr  Args to Child
00 f819c398 80527fce f819c430 f819c3ac 00000003 nt!DebugService2+0x10 (FPO: [3,0,0])
01 f819c3bc 805a3cea f819c430 f67b4000 ffffffff nt!DbgLoadImageSymbols+0x42 (FPO: [3,4,0])
02 f819c560 80576254 f819c5e4 00000000 00000000 nt!MmLoadSystemImage+0xa34 (FPO: [Non-Fpo])
03 f819c640 80689770 000006c8 00000001 00000000 nt!IopLoadDriver+0x370 (FPO: [4,45,0])
04 f819c69c 80686ad9 00043000 00000000 00000000 nt!IopInitializeSystemDrivers+0x16c (FPO: [0,14,4])
05 f819c83c 80684edd 80087000 00000000 81c4f3e8 nt!IoInitSystem+0x7a3 (FPO: [1,99,4])
06 f819cdac 805c5a28 80087000 00000000 00000000 nt!Phase1Initialization+0x9b5 (FPO: [1,342,4])
07 f819cddc 80541fa2 80684528 80087000 00000000 nt!PspSystemThreadStartup+0x34 (FPO: [Non-Fpo])
08 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
kd> bp f67b4000+poi(poi(f67b4000+3c)+f67b4000+28)
kd> bl
 0 e f67cee85     0001 (0001) 360SelfProtection+0x1ae85
kd> u f67cee85
360SelfProtection+0x1ae85:
f67cee85 a188ad7cf6      mov     eax,dword ptr [360SelfProtection+0x16d88 (f67cad88)]
f67cee8a 85c0            test    eax,eax
f67cee8c b94ee640bb      mov     ecx,0BB40E64Eh
f67cee91 7404            je      360SelfProtection+0x1ae97 (f67cee97)
f67cee93 3bc1            cmp     eax,ecx
f67cee95 7519            jne     360SelfProtection+0x1aeb0 (f67ceeb0)
f67cee97 a1a48a7cf6      mov     eax,dword ptr [360SelfProtection+0x14aa4 (f67c8aa4)]
f67cee9c 8b00            mov     eax,dword ptr [eax]
kd> g
Breakpoint 0 hit
360SelfProtection+0x1ae85:
f67cee85 a188ad7cf6      mov     eax,dword ptr [360SelfProtection+0x16d88 (f67cad88)]
kd> kvn 100
 # ChildEBP RetAddr  Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
00 f819c640 80689770 000006c8 00000001 00000000 360SelfProtection+0x1ae85
01 f819c69c 80686ad9 00043000 00000000 00000000 nt!IopInitializeSystemDrivers+0x16c (FPO: [0,14,4])
02 f819c83c 80684edd 80087000 00000000 81c4f3e8 nt!IoInitSystem+0x7a3 (FPO: [1,99,4])
03 f819cdac 805c5a28 80087000 00000000 00000000 nt!Phase1Initialization+0x9b5 (FPO: [1,342,4])
04 f819cddc 80541fa2 80684528 80087000 00000000 nt!PspSystemThreadStartup+0x34 (FPO: [Non-Fpo])
05 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

OK, we are inside the driver now; start debugging.
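As an added example (not code from the original post, the pediy thread, or 360), here is the breakpoint expression bp f67b4000+poi(poi(f67b4000+3c)+f67b4000+28) worked through in Python over a constructed minimal PE header instead of live kernel memory: poi() is modelled as a 32-bit little-endian read, and the two dereferences walk IMAGE_DOS_HEADER.e_lfanew and IMAGE_OPTIONAL_HEADER.AddressOfEntryPoint. The base is the one lmvm reported in the post; the header layout (e_lfanew=0xE0) and the entry RVA are constructed so the result matches the post's breakpoint at 360SelfProtection+0x1ae85.

```python
import struct

def poi(image: bytes, offset: int) -> int:
    """Read a 32-bit little-endian value at offset, like WinDbg's poi() on x86."""
    if offset < 0 or offset + 4 > len(image):
        raise ValueError(f"poi: offset {offset:#x} lies outside the {len(image):#x}-byte image")
    return struct.unpack_from("<I", image, offset)[0]

def entry_point_va(image: bytes, base: int) -> int:
    """Evaluate base+poi(poi(base+3c)+base+28) over a byte copy of the mapped image."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = poi(image, 0x3C)                  # IMAGE_DOS_HEADER.e_lfanew
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    # 4 (signature) + 20 (file header) + 16 = 0x28: IMAGE_OPTIONAL_HEADER.AddressOfEntryPoint
    entry_rva = poi(image, e_lfanew + 0x28)
    return base + entry_rva

def windbg_bp_command(base: int) -> str:
    """The post's breakpoint expression with the lmvm base substituted in."""
    return f"bp {base:x}+poi(poi({base:x}+3c)+{base:x}+28)"

def build_image(e_lfanew: int, entry_rva: int, size: int = 0x200) -> bytes:
    """Constructed sample: just enough of a PE header for the two dereferences."""
    img = bytearray(size)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<I", img, e_lfanew + 0x28, entry_rva)
    return bytes(img)

BASE = 0xF67B4000  # base reported by lmvm in the post
# Constructed sample image; entry RVA 0x1ae85 matches the post's 360SelfProtection+0x1ae85.
SAMPLE = build_image(e_lfanew=0xE0, entry_rva=0x1AE85)

if __name__ == "__main__":
    print(windbg_bp_command(BASE))
    print(f"entry point: {entry_point_va(SAMPLE, BASE):x}")
```

A truncated or non-PE buffer raises ValueError instead of returning a bogus address, which is the failure you would otherwise see as a breakpoint that never hits.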