388856
10 WinDbg 간단 사용법
368023
2007-11-18T13:29:22Z
http://kkamagui.springnote.com/pages/388856
2007-07-28T16:35:48Z
<h1>10 WinDbg 간단 사용법</h1>
<p><strong>원문 :</strong> <a href="/pages/388856"><strong>http://kkamagui.springnote.com/pages/388856</strong></a></p>
<p><strong>참고 : "</strong><a href="http://0range.net/entry/Windbg%EC%9D%84-%EB%A7%88%EC%8A%A4%ED%84%B0"><strong>http://0range.net/entry/Windbg을-마스터</strong></a><strong>-하자"</strong></p>
<p> </p>
<h2>들어가기 전에...</h2>
<div>
<ul>
<li><strong>이 글은 kkamagui에 의해 작성된 글입니다.</strong></li>
<li><strong>마음껏 인용하시거나 사용하셔도 됩니다. 단 출처(<a href="http://kkamagui.tistory.com/"><span style="COLOR: #800080">http://kkamagui.tistory.com</span></a>, <a href="/pages/404250#"><span style="COLOR: #800080">http://kkamagui.springnote.com</span></a>)는 밝혀 주십시오.</strong></li>
<li><strong>기타 사항은 kkakkunghehe at daum.net 이나</strong> <a href="http://kkamagui.tistory.com/"><strong><span style="COLOR: #800080">http://kkamagui.tistory.com</span></strong></a><strong>으로 보내주시면 반영하겠습니다.</strong></li>
</ul>
</div>
<p> </p>
<h2>웹 심볼(Web Symbol) 얻기</h2>
<div>
<p><strong><span style="COLOR: #ff0000"> SRV*D:\Symbol\WebSymbol*http://msdl.microsoft.com/download/symbols</span></strong> 를 Symbol Path에 넣으면 웹 심볼을 사용할 수 있다.</p>
</div>
<p> </p>
<h2>로드된 모듈 리스트 보기</h2>
<p><strong> lm</strong> 명령을 이용하면 된다.</p>
<div>
<ul>
<li>lm k : Kernel Mode 모듈 표시</li>
<li>lm u : User Mode 모듈 표시</li>
<li>lm m : 패턴을 검사하여 해당하는 것만 보여줌 <lm m my*></li>
</ul>
</div>
<p> </p>
<div>
<p>lkd> <strong>lm</strong><br />
start end module name<br />
00c80000 00c90000 NateOnHook40u (export symbols) C:\Program Files\NATEON\BIN\NateOnHook40u.dll<br />
00cb0000 00cb9000 MgHookDll C (export symbols) C:\Program Files\LG Software\On Screen Display\MgHookDll.dll<br />
01000000 0106a000 windbg (pdb symbols) D:\Symbol\WebSymbol\windbg.pdb\D6EF677AA54441279479F0307F05A8941\windbg.pdb<br />
016a0000 01784000 ext (export symbols) C:\Program Files\Debugging Tools for Windows\winext\ext.dll<br />
01790000 017c1000 kext (pdb symbols) D:\Symbol\WebSymbol\kext.pdb\6B643FC4E9F94FF4ABA4CEF1FD6F89D61\kext.pdb</p>
</div>
<p> </p>
<h2>모듈의 심볼(Symbol) 검사</h2>
<p> <strong>x 모듈!패턴 </strong>을 입력하면 된다.</p>
<div>
<p>lkd> x <strong>nt!Ke*<br /></strong>804f8c02 nt!KeQuerySystemTime = <no type information><br />
804f8c9e nt!KeEnableInterrupts = <no type information><br />
80500e38 nt!KeSwitchKernelStack = <no type information><br />
804fad32 nt!KeReadStateProcess = <no type information><br />
804f9188 nt!KeReleaseInterruptSpinLock = <no type information></p>
</div>
<p> </p>
<h2>데이터 타입(Date Type) 표시</h2>
<p> <strong>dt 데이터 타입</strong> 을 입력하면 된다.</p>
<div>
<p>lkd> <strong>dt _EPROCESS</strong><br />
+0x000 Pcb : _KPROCESS<br />
+0x06c ProcessLock : _EX_PUSH_LOCK<br />
+0x070 CreateTime : _LARGE_INTEGER<br />
+0x078 ExitTime : _LARGE_INTEGER<br />
+0x080 RundownProtect : _EX_RUNDOWN_REF<br />
+0x084 UniqueProcessId : Ptr32 Void<br />
+0x088 ActiveProcessLinks : _LIST_ENTRY<br />
+0x090 QuotaUsage : [3] Uint4B<br />
+0x09c QuotaPeak : [3] Uint4B<br />
+0x0a8 CommitCharge : Uint4B</p>
</div>
<p> </p>
<p> </p>
<h2>메모리 덤프(Memory Dump)</h2>
<p> <strong>d*</strong> 명령들을 이용하면 된다.</p>
<ul>
<li>db : Byte 형식 + Ascii 로 표시</li>
<li>dd : 데이터를 4Byte 형식으로 표시</li>
</ul>
<p> </p>
<div>
<p>lkd> <strong>db 8053db18</strong><br />
8053db18 8b ff 55 8b ec 8b 45 08-8b 4d 0c 8b 55 14 89 48 ..U...E..M..U..H<br />
8053db28 0c 8b 4d 10 89 48 10 03-ca 89 48 14 8b 4d 18 83 ..M..H....H..M..<br />
8053db38 c1 fe 89 48 18 8b 4d 1c-89 48 20 66 8b 4d 20 66 ...H..M..H f.M f</p>
</div>
<p> </p>
<p> </p>
<h2>디스어셈블리(Disassembly)</h2>
<p><strong> u 주소</strong> 를 이용하면 된다. 특정 함수를 디스어셈블리 하고 싶으면 <strong>uf 주소</strong> 를 하면 된다.</p>
<div>
<ul>
<li>u 주소 : 주소에서 일부분만 디스어셈블리</li>
<li>u 주소1 주소2 : 주소1에서 주소 2까지 디스어셈블리</li>
</ul>
</div>
<p> </p>
<div>
<p>lkd> <strong>u 8053db18 or uf nt!NtOpenProcess<br /></strong>nt!KeInitializeProfile:<br />
8053db18 8bff mov edi,edi<br />
8053db1a 55 push ebp<br />
8053db1b 8bec mov ebp,esp<br />
8053db1d 8b4508 mov eax,[ebp+0x8]<br />
8053db20 8b4d0c mov ecx,[ebp+0xc]</p>
</div>
<p> </p>
<h2>메모리 영역 속성 보기(VA Dump)</h2>
<p><strong> !vadump</strong> 명령을 사용하면 된다. 만약 특정 메모리의 속성을 보고 싶다면 <strong>!vprot 주소</strong> 명령을 사용하면 된다.</p>
<div>
<p>0:000> !vadump<br />
BaseAddress: 00000000<br />
RegionSize: 00010000<br />
State: 00010000 MEM_FREE<br />
Protect: 00000001 PAGE_NOACCESS<br />
<br />
BaseAddress: 00010000<br />
RegionSize: 00001000<br />
State: 00001000 MEM_COMMIT<br />
Protect: 00000004 PAGE_READWRITE<br />
Type: 00020000 MEM_PRIVATE</p>
</div>
<p> </p>
<div>
<p>0:000> !vprot 30c191c<br />
BaseAddress: 030c1000<br />
AllocationBase: 030c0000<br />
AllocationProtect: 00000080 PAGE_EXECUTE_WRITECOPY<br />
RegionSize: 00011000<br />
State: 00001000 MEM_COMMIT<br />
Protect: 00000010 PAGE_EXECUTE<br />
Type: 01000000 MEM_IMAGE</p>
</div>
<p> </p>
<h2>프로세스 관련</h2>
<p> 모든 프로세스를 보기위해서는 <strong>!process 0 0</strong> 를 입력하면 된다. 디버거를 특정 프로세스에 붙이고 싶으면 <strong>.process /i [pid] </strong>를 입력하면 된다.</p>
<p> </p>
<div>
<p>lkd> <strong>!process 0 0<br /></strong>**** NT ACTIVE PROCESS DUMP ****<br />
PROCESS 8a3a3490 SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000<br />
DirBase: 00780000 ObjectTable: e1001c70 HandleCount: 521.<br />
Image: System</p>
<p>PROCESS 8a184158 SessionId: none Cid: 03f0 Peb: 7ffdd000 ParentCid: 0004<br />
DirBase: 17a40020 ObjectTable: e163dd70 HandleCount: 20.<br />
Image: smss.exe</p>
<p>PROCESS 89df4da0 SessionId: 0 Cid: 0440 Peb: 7ffd5000 ParentCid: 03f0<br />
DirBase: 17a40040 ObjectTable: e1c6cb18 HandleCount: 626.<br />
Image: csrss.exe<br /></p>
</div>
<p> </p>
http://kkamagui.myid.net/
http://kkamagui.myid.net/
46