1. Virtualized debugger channel rebuild: establishing the connection between the debugger and the debuggee
Notes from the first lesson of "Virtualized debugger channel rebuild: establishing the connection between the debugger and the debuggee":
//------------XP
【DebugActiveProcess】
<1>.kernel32!DbgUiConnectToDbg()
  ntdll!DbgUiConnectToDbg()
    ntdll!ZwCreateDebugObject()
      ntdll!NtCreateDebugObject()
        enters ring 0
<2>.kernel32!DbgUiDebugActiveProcess(debuggee process handle)
  ntdll!DbgUiDebugActiveProcess(debuggee process handle)
    ntdll!NtDebugActiveProcess(debuggee process handle, debugger TEB+0xF24)
      nt!NtDebugActiveProcess(HANDLE ProcessHandle, HANDLE DebugObjectHandle)
//------------WIN10(19043)
【DebugActiveProcess】
<1>.kernel32!DebugActiveProcess
  kernelBase!DebugActiveProcess(debuggee PID)
    ntdll!DbgUiConnectToDbg()
      ntdll!NtCreateDebugObject(&NtCurrentTeb()->DbgSsReserved, ...) : +0x16A8 (this slot in the debugger's own TEB now holds a value: the DebugObject handle)
    debuggee process handle = ProcessIdToHandle(dwProcessId)
    ntdll!DbgUiDebugActiveProcess(debuggee process handle)
<2>.ntdll!DbgUiDebugActiveProcess(debuggee process handle)
  ntdll!NtDebugActiveProcess(debuggee process handle, NtCurrentTeb()->DbgSsReserved) : +0x16A8
    nt!NtDebugActiveProcess (ring 0)
  ntdll!DbgUiIssueRemoteBreakin(debuggee process handle)
  ntdll!ZwRemoveProcessDebug(debuggee process handle, NtCurrentTeb()->DbgSsReserved);
Question: so what does the x64dbg plugin need to hook?