62.windbg-p、t、pa、ta(单步步过、单步步入)

来源：互联网发布：js xml createelement 编辑：程序博客网时间：2024/05/13 06:13

p|t =startAddr count

可以让目标程序从指定的startAddr开始指行，注意，如果指定地址跳过了调整栈的代码，栈就会失去平衡

count指定要单步执行的次数，如t 2就是两次运行t

0:000> t 2eax=99e265e1 ebx=7ffd3000 ecx=00000000 edx=01b00370 esi=0026fc88 edi=0026fc80eip=01582e9c esp=0026fbd4 ebp=0026fc80 iopl=0         nv up ei ng nz na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000286>   17: ZeroMemory(&ovi, sizeof(OSVERSIONINFO));VerifyTxSignDemo!BeginAnti+0x2c:01582e9c 6a00            push    0eax=99e265e1 ebx=7ffd3000 ecx=00000000 edx=01b00370 esi=0026fc88 edi=0026fc80eip=01582e9e esp=0026fbd0 ebp=0026fc80 iopl=0         nv up ei ng nz na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000286

eip从9c更新到9e,对应汇编：

01582e9c 6a00            push    001582e9e 8d8564ffffff    lea     eax,[ebp-9Ch]

两步！

还可以用p|t =startAddr count "command"
command指定每次单步执行后要执行的命令

0:000> t 3 ".echo @\"run ok....\""eax=00000000 ebx=7ffd3000 ecx=0026fbe4 edx=00000094 esi=0026fc88 edi=0026fc80eip=018c24fe esp=0026fbc8 ebp=0026fc80 iopl=0         nv up ei pl nz na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206No source found for 'f:\dd\vctools\crt_bld\SELF_X86\crt\src\INTEL\memset.asm'VerifyTxSignDemo!memset+0x1e:018c24fe 833da080b00100  cmp     dword ptr [VerifyTxSignDemo!__sse2_available (01b080a0)],0 ds:0023:01b080a0=00000001eax=00000000 ebx=7ffd3000 ecx=0026fbe4 edx=00000094 esi=0026fc88 edi=0026fc80eip=018c2505 esp=0026fbc8 ebp=0026fc80 iopl=0         nv up ei pl nz na po nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202No source found for 'f:\dd\vctools\crt_bld\SELF_X86\crt\src\INTEL\memset.asm'VerifyTxSignDemo!memset+0x25:018c2505 7405            je      VerifyTxSignDemo!memset+0x2c (018c250c) [br=0]run ok....eax=00000000 ebx=7ffd3000 ecx=0026fbe4 edx=00000094 esi=0026fc88 edi=0026fc80eip=018c2507 esp=0026fbc8 ebp=0026fc80 iopl=0         nv up ei pl nz na po nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202No source found for 'f:\dd\vctools\crt_bld\SELF_X86\crt\src\INTEL\memset.asm'VerifyTxSignDemo!memset+0x27:018c2507 e983b9c9ff      jmp     VerifyTxSignDemo!ILT+16010(__VEC_memzero) (0155de8f)

可以看到,run ok....只执行了一次

pa|ta =startAddr stopAddr “command”

相当于反复调用p或t，不同就是，t会遇到函数调用进入到函数中，而不是越过

0:000> r eipeip=00452e7a0:000> pa 00452e8b ".echo @\"pa run ok...\""eax=00000001 ebx=7ffdb000 ecx=85fc7085 edx=009d0370 esi=0019fcc0 edi=0019fdc8eip=00452e7b esp=0019fc10 ebp=0019fcb8 iopl=0         nv up ei pl nz na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206>   14: {VerifyTxSignDemo!BeginAnti+0xb:00452e7b 8dbd60ffffff    lea     edi,[ebp-0A0h]eax=00000001 ebx=7ffdb000 ecx=85fc7085 edx=009d0370 esi=0019fcc0 edi=0019fc18eip=00452e81 esp=0019fc10 ebp=0019fcb8 iopl=0         nv up ei pl nz na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206>   14: {VerifyTxSignDemo!BeginAnti+0x11:00452e81 b928000000      mov     ecx,28heax=00000001 ebx=7ffdb000 ecx=00000028 edx=009d0370 esi=0019fcc0 edi=0019fc18eip=00452e86 esp=0019fc10 ebp=0019fcb8 iopl=0         nv up ei pl nz na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206>   14: {VerifyTxSignDemo!BeginAnti+0x16:00452e86 b8cccccccc      mov     eax,0CCCCCCCChpa run ok...eax=cccccccc ebx=7ffdb000 ecx=00000028 edx=009d0370 esi=0019fcc0 edi=0019fc18eip=00452e8b esp=0019fc10 ebp=0019fcb8 iopl=0         nv up ei pl nz na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206>   14: {VerifyTxSignDemo!BeginAnti+0x1b:00452e8b f3ab            rep stos dword ptr es:[edi]

因为$ra总是代表当前函数的返回地址，所以可以使用pa @$ra来步出当前函数，也就是单步反复执行直到返回到上一级函数

相当于gu命令，但因为是单步的，所以可能会卡顿

pc|tc =startAddr count

用来单步执行到下一个函数调用指令CALL，count是指遇到的函数调用指令个数，

0:000> pc eax=0030fab0 ebx=7ffdf000 ecx=00000000 edx=01690370 esi=0030fb54 edi=0030fb4ceip=01112ea5 esp=0030fa98 ebp=0030fb4c iopl=0         nv up ei pl nz na po nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202>   17: ZeroMemory(&ovi, sizeof(OSVERSIONINFO));VerifyTxSignDemo!BeginAnti+0x35:01112ea5 e83a37feff      call    VerifyTxSignDemo!ILT+50655(_memset) (010f65e4)

可以看出，在第一个call处断下来了

tc也一样，不同处是，如果count为2或更大，中间遇到call， pc 就步过了，而tc会跟进去

0:000> pc 2eax=0020f6b4 ebx=7ffdf000 ecx=00000000 edx=01b50370 esi=0020f758 edi=0020f750eip=015d2ea5 esp=0020f69c ebp=0020f750 iopl=0         nv up ei ng nz na po nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000282>   17: ZeroMemory(&ovi, sizeof(OSVERSIONINFO));VerifyTxSignDemo!BeginAnti+0x35:015d2ea5 e83a37feff      call    VerifyTxSignDemo!ILT+50655(_memset) (015b65e4)eax=0020f6b4 ebx=7ffdf000 ecx=0020f6b4 edx=00000000 esi=0020f6a8 edi=0020f750eip=015d2ec0 esp=0020f6a4 ebp=0020f750 iopl=0         nv up ei pl nz ac po nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000212>   20: GetVersionEx(&ovi);VerifyTxSignDemo!BeginAnti+0x50:015d2ec0 ff150caeb501    call    dword ptr [VerifyTxSignDemo!_imp__GetVersionExA (01b5ae0c)] ds:0023:01b5ae0c={kernel32!GetVersionExAStub (7668dd70)}

可以看到代码是在第二次call处断下

同样，ph|th可用于同样效果，追踪到下一分支指令