In WinDbg, is it possible to set a breakpoint on module load before ntdll!LdrpDoDebuggerBreak?

Time: 2019-12-11 21:45:19

Tags: windbg

When an executable is launched with WinDbg, several modules are loaded before the debugger breaks in.

Setting a breakpoint on module load, e.g. sxe ld shell32.dll, and restarting the process with .restart does not trigger a break. Is this possible with WinDbg in user mode? I want to analyze some code that runs during the load of one of these modules.

1 answer:

Answer 0 (score: 2)

C:\>cdb -xe ld:ntdll calc

Microsoft (R) Windows Debugger Version 10.0.18362.1 X86
CommandLine: calc
Response                         Time (ms)     Location
Deferred xxxxxxxxxxxx
Symbol search path is: yyyyyyyyyyy
Executable search path is:
ModLoad: 004e0000 005a0000   calc.exe
ModLoad: 77630000 7776c000   ntdll.dll
eax=004f2d6c ebx=7ffd9000 ecx=00000000 edx=00000000 esi=00000000 edi=00000000
eip=776770d8 esp=0015fb38 ebp=00000000 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000200

Only the image and ntdll are loaded at this point. Executing t, p, g or anything else will
load all the system modules. If you know the internals a bit, set selective
breakpoints before executing any execution commands.


ntdll!RtlUserThreadStart:
776770d8 89442404        mov     dword ptr [esp+4],eax ss:0023:0015fb3c=00000000


0:000> g
ModLoad: 77140000 77214000   C:\Windows\system32\kernel32.dll
irrelevant mod load spew cut
ModLoad: 74c80000 74c89000   C:\Windows\system32\VERSION.dll
(b40.198): Break instruction exception - code 80000003 (first chance)
eax=00000000 ebx=00000000 ecx=0015f650 edx=776770f4 esi=fffffffe edi=00000000
eip=776d05a6 esp=0015f66c ebp=0015f698 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
ntdll!LdrpDoDebuggerBreak+0x2c:
776d05a6 cc              int     3  <<<<<<<<<<<<<< this comes later 
0:000>

Edited to add some internals; it's slippery.

0:000> sxe ld:ntdll ;.restart

CommandLine: calc


Executable search path is: 
ModLoad: 005c0000 00680000   calc.exe
ModLoad: 77630000 7776c000   ntdll.dll

eax=005d2d6c ebx=7ffdf000 ecx=00000000 edx=00000000 esi=00000000 edi=00000000
eip=776770d8 esp=000bfb24 ebp=00000000 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000200
ntdll!RtlUserThreadStart:
776770d8 89442404        mov     dword ptr [esp+4],eax ss:0023:000bfb28=00000000

0:000> u . l3
ntdll!RtlUserThreadStart:
776770d8 89442404        mov     dword ptr [esp+4],eax
776770dc 895c2408        mov     dword ptr [esp+8],ebx
776770e0 e9bec60100      jmp     ntdll!_RtlUserThreadStart (776937a3)

0:000> ln @eax

(005d2d6c)   calc!WinMainCRTStartup   |  (005d2e68)   calc!__xc_a
Exact matches:
    calc!WinMainCRTStartup (<no parameter info>)

0:000> dd @ebx l5
7ffdf000  08010000 ffffffff 005c0000 00000000
7ffdf010  00010000

0:000> $$ @ebx == ntdll!_CONTEXT 
0:000> $$ 8010000 contextflag EXCEPTION_ACTIVE | CONTEXT_I386

0:000> ?? ((ntdll!_CONTEXT *) @ebx)->ContextFlags
unsigned long 0x8010000

0:000> ?? ((ntdll!_CONTEXT *) @ebx)->Dr1
unsigned long 0x5c0000
0:000> Dr1 Holds the Module Base of Image



0:000> bp ntdll!LdrLoadDll
0:000> g
Breakpoint 0 hit
eax=000bf72c ebx=7ffdf000 ecx=776936f6 edx=7770cd48 esi=77697de0 edi=00000000
eip=776922ae esp=000bf678 ebp=000bf7e4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
ntdll!LdrLoadDll:
776922ae 8bff            mov     edi,edi


0:000> dS poi(@esp+c)
77678230  "kernel32.dll"  <<<<<<<<<< next module load is kernel32

0:000> lm
start    end        module name
005c0000 00680000   calc       (pdb symbols)          e:\symbols\calc.pdb\971D2945E998438C847643A9DB39C88E2\calc.pdb
77630000 7776c000   ntdll      (pdb symbols)          e:\symbols\ntdll.pdb\CD4062A231154A17A18DAE7D1A0FBACC2\ntdll.pdb


0:000> !gflag +2
New NtGlobalFlag contents: 0x00000072
    sls - Show Loader Snaps
    htc - Enable heap tail checking
    hfc - Enable heap free checking
    hpc - Enable heap parameter checking

0:000> kb
 # ChildEBP RetAddr  Args to Child              
00 000bf674 77697d33 00000000 00000000 77697de0 ntdll!LdrLoadDll
01 000bf7e4 776960a7 000bf858 77630000 77fe439f ntdll!LdrpInitializeProcess+0xfe7
02 000bf834 77693659 000bf858 77630000 00000000 ntdll!_LdrpInitialize+0x78
03 000bf844 00000000 000bf858 77630000 00000000 ntdll!LdrInitializeThunk+0x10


0:000> bp 77697d33
0:000> g

ModLoad: 77140000 77214000   C:\Windows\system32\kernel32.dll
Breakpoint 0 hit
eax=776922ae ebx=00000000 ecx=000bf0e0 edx=00000062 esi=77688b19 edi=000bf100
eip=776922ae esp=000bf0c4 ebp=000bf0ec iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
ntdll!LdrLoadDll:
776922ae 8bff            mov     edi,edi

0:000> dS poi(@esp+c)
00010020  "C:\Program Files\AVAST Software\"
00010060  "Avast\aswhook.dll"

0:000> bl
     0 e Disable Clear  776922ae     0001 (0001)  0:**** ntdll!LdrLoadDll
     1 e Disable Clear  77697d33     0001 (0001)  0:**** ntdll!LdrpInitializeProcess+0xfe7

0:000> g
ModLoad: 6afd0000 6afe0000   C:\Program Files\AVAST Software\Avast\aswhook.dll
ModLoad: 75890000 758da000   C:\Windows\system32\KERNELBASE.dll


Breakpoint 1 hit
eax=00000000 ebx=7ffdf000 ecx=000bf72c edx=7770789c esi=77697de0 edi=00000000
eip=77697d33 esp=000bf68c ebp=000bf7e4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
ntdll!LdrpInitializeProcess+0xfe7:
77697d33 3bc7            cmp     eax,edi
0:000> kb
 # ChildEBP RetAddr  Args to Child              
00 000bf7e4 776960a7 000bf858 77630000 77fe439f ntdll!LdrpInitializeProcess+0xfe7
01 000bf834 77693659 000bf858 77630000 00000000 ntdll!_LdrpInitialize+0x78
02 000bf844 00000000 000bf858 77630000 00000000 ntdll!LdrInitializeThunk+0x10
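As an added example (not part of the answer above), the same procedure as a WinDbg command script: start with ntdll as the only mapped module, then put a conditional breakpoint on ntdll!LdrLoadDll that reads the requested module name the way the answer does (third argument at esp+c on x86) and stops only for the module of interest. The 32-bit stack layout and the module name "shell32" are assumptions.

```windbg
$$ Added example, not from the original answer. Assumes a 32-bit (x86) target,
$$ where LdrLoadDll's third argument (PUNICODE_STRING ModuleFileName) is at esp+c
$$ on entry, as in the answer's "dS poi(@esp+c)". "shell32" is the assumed target.
$$
$$ Start so that only the image and ntdll are mapped, before any loader code runs:
$$     cdb -xe ld:ntdll calc          (from the command line), or
$$     sxe ld:ntdll ; .restart        (from an existing session)

$$ Break on every load request, but resume unless the requested name matches.
$$ poi(@esp+c)        = PUNICODE_STRING ModuleFileName
$$ poi(poi(@esp+c)+4) = UNICODE_STRING.Buffer (offset 4 on x86)
$$ as /mu copies the wide string into an alias; the two .block scopes are needed
$$ because aliases are only expanded when a block starts executing.
bp ntdll!LdrLoadDll ".block { as /mu ${/v:ModName} poi(poi(@esp+c)+4) }; .block { .if ( $spat(\"${ModName}\", \"*shell32*\") ) { .echo [load request] ${ModName}; ad /q ${/v:ModName}; kb } .else { .echo [skip] ${ModName}; ad /q ${/v:ModName}; gc } }"

$$ Loader snaps (gflag 0x2) make ntdll trace each mapping and resolution step
$$ between the stops, as the answer's "!gflag +2" does.
!gflag +2

$$ Run. The first stop is the matching LdrLoadDll call, which happens before
$$ ntdll!LdrpDoDebuggerBreak; from there, step into the loader or set further
$$ breakpoints on code in the module once it has been mapped.
g
```

The [skip] lines show the loader's request order (kernel32, any hook DLLs, KERNELBASE, ...) without stopping, so the log alone already tells you which modules are pulled in ahead of the one you are after.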