54.windbg-a、.dvalloc (直接写反汇编和new内存,实例:加入附加的printf)


a(Assemble)

a 命令对指令助记符进行汇编,并将指令代码的结果放入内存。
如果没有指定地址,汇编会从指令指针的当前值所指向的地址开始。要汇编新的指令,可以输入需要的助记符并按下ENTER。要结束汇编,在空行上直接按下ENTER。


.dvalloc

.dvalloc 命令使得Windows在目标进程中分配附加的内存。注意实际分配的大小会向上取整(下文的 .dvalloc 100 实际分配了 0x1000 字节)。


加入附加的printf

以下是原始的测试代码,自己随意写的:

// Global string printed by _tmain.  The WinDbg session below injects a
// second printf that prints a different, debugger-allocated string instead.
char* g_char = "I am string";

// Thread body: spins forever.  In the (apparently debug) build disassembled
// below this becomes the `mov eax,1 / test eax,eax / je / jmp` loop, and the
// backward `jmp` at its end is the instruction the detour is patched into.
// NOTE(review): declared without WINAPI (__stdcall on x86), which is why the
// call site needs the LPTHREAD_START_ROUTINE cast; the cast hides a
// calling-convention mismatch.  Harmless for this throwaway demo, but a real
// thread routine should carry WINAPI so no cast is needed.
DWORD ThreadProc(LPVOID lp)
{
    while(1)
    {
        // todo
    }
    return 0;
}

// Entry point: print g_char, start the spinning thread, then block on
// getchar() so the process stays alive for WinDbg to attach to.
// NOTE(review): the handle returned by CreateThread is discarded (never
// closed) and its failure is not checked -- acceptable for a test program.
int _tmain(int argc, _TCHAR* argv[])
{
    printf("%s\n",g_char);
    CreateThread(NULL,0,(LPTHREAD_START_ROUTINE)ThreadProc,0,0,0);
    getchar();
    return 0;
}
windbg附加:

查看ThreadProc函数

0:000> u 012313c0 L10
test1!ThreadProc [d:\windbg\test1\test1.cpp @ 11]:
012313c0 55              push    ebp
012313c1 8bec            mov     ebp,esp
012313c3 81ecc0000000    sub     esp,0C0h
012313c9 53              push    ebx
012313ca 56              push    esi
012313cb 57              push    edi
012313cc 8dbd40ffffff    lea     edi,[ebp-0C0h]
012313d2 b930000000      mov     ecx,30h
012313d7 b8cccccccc      mov     eax,0CCCCCCCCh
012313dc f3ab            rep stos dword ptr es:[edi]
012313de b801000000      mov     eax,1
012313e3 85c0            test    eax,eax
012313e5 7402            je      test1!ThreadProc+0x29 (012313e9)
012313e7 ebf5            jmp     test1!ThreadProc+0x1e (012313de)    ///< 这一句又跳回去了,就在这句下手
012313e9 33c0            xor     eax,eax
012313eb 5f              pop     edi

1.先用 .dvalloc 分配两块内存:一块存放printf的格式化字符串,一块存放新加的代码(末尾跳回原函数)

0:000> .dvalloc 100
Allocated 1000 bytes starting at 00030000
0:000> .dvalloc 100
Allocated 1000 bytes starting at 000f0000
0:000> eza 000f0000 "sorry i am not exist string"
0:000> da f0000
000f0000  "sorry i am not exist string"

2.写新加的printf函数

0:000> a 00030000
00030000 pushad
pushad
00030001 pushfd
pushfd
00030002 push f0000
push f0000
00030007 call dword ptr [test1!_imp__printf]
call dword ptr [test1!_imp__printf]
0003000d add esp,4
add esp,4
00030010 popfd
popfd
00030011 popad
popad
00030012 jmp     test1!ThreadProc+0x1e
jmp     test1!ThreadProc+0x1e
00030017
0:000> u 30000 L10
00030000 60              pushad
00030001 9c              pushfd
00030002 6800000f00      push    0F0000h
00030007 ff15c4822301    call    dword ptr [test1!_imp__printf (012382c4)]
0003000d 83c404          add     esp,4
00030010 9d              popfd
00030011 61              popad
00030012 e9c7132001      jmp     test1!ThreadProc+0x1e (012313de)
00030017 0000            add     byte ptr [eax],al
3.把

012313e7 ebf5            jmp     test1!ThreadProc+0x1e (012313de)
修改成下面的 5 字节 jmp(它从 012313e7 一直写到 012313eb,会连带覆盖原来 012313e9 的 xor eax,eax 和 012313eb 的 pop edi;这里因为 while(1) 永不退出所以没有影响,一般情况下要注意被覆盖的指令):

0:000> a 012313e7
012313e7 jmp 30000
jmp 30000
012313ec
0:000> u 012313e7
test1!ThreadProc+0x27 [d:\windbg\test1\test1.cpp @ 15]:
运行: