WinDbg range error when searching for a jmp

Time: 2013-05-22 08:39:12

Tags: reverse-engineering windbg buffer-overflow exploit

I am trying to search for a jmp in one of the program's DLLs, but when I do so I get a range error. What is the problem?

My WinDbg output is as follows:

0:000> g
ModLoad: 76390000 763ad000   C:\WINDOWS\system32\IMM32.DLL
ModLoad: 773d0000 774d3000   C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
.
.
.
ModLoad: 10000000 10094000   C:\Program Files\SoriTong\Player.dll
ModLoad: 42100000 42129000   C:\WINDOWS\system32\wmaudsdk.dll
ModLoad: 00fd0000 0101f000   C:\WINDOWS\system32\DRMClien.DLL
ModLoad: 5bc60000 5bc9f000   C:\WINDOWS\system32\strmdll.dll
ModLoad: 71ad0000 71ad9000   C:\WINDOWS\system32\WSOCK32.dll
ModLoad: 71ab0000 71ac7000   C:\WINDOWS\system32\WS2_32.dll
ModLoad: 71aa0000 71aa8000   C:\WINDOWS\system32\WS2HELP.dll
ModLoad: 76eb0000 76edf000   C:\WINDOWS\system32\TAPI32.dll
ModLoad: 76e80000 76e8e000   C:\WINDOWS\system32\rtutils.dll
(830.964): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** WARNING: Unable to verify checksum for SoriTong.exe
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for SoriTong.exe - 
eax=00130000 ebx=00000003 ecx=00000070 edx=00000070 esi=0017f4f4 edi=0012fd64
eip=00422e33 esp=0012da14 ebp=0012fd38 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010212
SoriTong!TmC13_5+0x3ea3:
00422e33 8810            mov     byte ptr [eax],dl          ds:0023:00130000=41
0:000> s 10000000 l 10094000 ff e4
                           ^ Range error in 's 10000000 l 10094000 ff e4'

1 answer:

Answer 0 (score: 6)

You should use s -b (as the Type) before Range Pattern.

This works for me:

0:004> lm mkernel32
start    end        module name
7c800000 7c8f6000   kernel32   (pdb symbols)  

0:004> s -b 7c800000 7c8f6000   ff e4
7c86467b  ff e4 47 86 7c ff 15 58-15 80 7c 8d 85 38 fe ff  ..G.|..X..|..8..

A jmp is found:

0:004> u 7c86467b  
kernel32!UnhandledExceptionFilter+0x7fc:
7c86467b ffe4            jmp     esp
7c86467d 47              inc     edi
7c86467e 867cff15        xchg    bh,byte ptr [edi+edi*8+15h]

I don't think the .pdb is relevant.
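As an added example, not part of the question or the answer above, the Python script below reproduces offline what the two WinDbg commands on this page do: it scans a module image for the `ff e4` (jmp esp) pattern the way `s -b` matches raw bytes at any offset, and it spells the search range in the two forms the `s` command accepts. The relevant WinDbg rule is that `L` introduces a length, not an end address, so the question's `s 10000000 l 10094000` asks for 0x10094000 bytes, which exceeds the debugger's 256 MB range limit; the module image, base address and gadget list in the script are constructed sample data and are not taken from SoriTong or kernel32.

```python
# Added example, not code from the question or the answer. It mirrors two things
# done with WinDbg on this page: searching a module's bytes for jmp esp (ff e4)
# and writing the address range so that the `s` command accepts it.
# The module image and gadget list below are constructed sample data.
from typing import Dict, List, Tuple

# Byte patterns that transfer control to ESP. jmp esp is the pattern searched
# for on this page; the other two are common equivalents (constructed list).
ESP_GADGETS: Dict[bytes, str] = {
    b"\xff\xe4": "jmp esp",
    b"\xff\xd4": "call esp",
    b"\x54\xc3": "push esp; ret",
}

# WinDbg rejects an "L size" range larger than 256 MB (0x10000000 bytes)
# with "Range error" unless the "L?" form is used to lift the limit.
WINDBG_RANGE_LIMIT = 0x10000000


def find_esp_gadgets(image: bytes, base: int) -> List[Tuple[int, str]]:
    """Return sorted (virtual address, mnemonic) pairs for every ESP gadget.

    Like `s -b`, this matches raw bytes at any offset, so a hit may lie inside
    an unrelated instruction or a data word; it is still usable as a return
    target because execution starts wherever EIP is pointed.
    """
    hits = []
    for pattern, name in ESP_GADGETS.items():
        off = image.find(pattern)
        while off != -1:
            hits.append((base + off, name))
            off = image.find(pattern, off + 1)
    return sorted(hits)


def windbg_range(start: int, end: int) -> Tuple[str, str]:
    """Two equivalent spellings of [start, end): 'start end' and 'start Lsize'."""
    if end <= start:
        raise ValueError("end must be above start")
    return f"{start:08x} {end:08x}", f"{start:08x} L{end - start:x}"


def l_size_exceeds_limit(size: int) -> bool:
    """True when 'L size' is over the debugger's limit and would be refused."""
    return size > WINDBG_RANGE_LIMIT


def search_commands(start: int, end: int, pattern: bytes) -> List[str]:
    """Build the `s -b` command for pattern in both accepted range forms."""
    hexpat = " ".join(f"{b:02x}" for b in pattern)
    return [f"s -b {rng} {hexpat}" for rng in windbg_range(start, end)]


# Constructed stand-in for a small module mapped at 10000000: nops, three
# gadgets and a few int3 bytes. This is not the real Player.dll.
SAMPLE_BASE = 0x10000000
SAMPLE_IMAGE = (
    b"\x90" * 16
    + b"\xff\xe4"      # jmp esp at offset 0x10
    + b"\x90" * 5
    + b"\x54\xc3"      # push esp; ret at offset 0x17
    + b"\xcc" * 3
    + b"\xff\xd4"      # call esp at offset 0x1c
)


if __name__ == "__main__":
    # The question's "l 10094000" is a length of 0x10094000 bytes, not an end.
    print("L 10094000 exceeds the range limit:", l_size_exceeds_limit(0x10094000))
    for cmd in search_commands(0x10000000, 0x10094000, b"\xff\xe4"):
        print(cmd)
    for va, name in find_esp_gadgets(SAMPLE_IMAGE, SAMPLE_BASE):
        print(f"{va:08x}  {name}")
```

Running the script prints the two accepted command lines, `s -b 10000000 10094000 ff e4` and `s -b 10000000 L94000 ff e4`, followed by the three gadget addresses found in the constructed image. To apply it to a real module, read the mapped bytes (for example with `.writemem` from WinDbg, or by parsing the PE sections) and pass them with the module's load address as `base`.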