Viewing Function Parameters in WinDbg

Source: Internet   Published by: iPhone screen-recording software   Editor: 程序博客网   Time: 2024/06/05 10:36


Viewing the parameters of the function FunNewWlxLoggedOutSAS

kd> kb
ChildEBP RetAddr  Args to Child
0006edc8 7c9859f2 00000000 c0000005 0006f0d0 ntdll!DbgBreakPoint
0006ee08 7c986101 0006f0d0 7c986106 0006f088 ntdll!RtlUnhandledExceptionFilter2+0x27b
0006ee18 7c862cd3 0006f0d0 c0000005 002a1e90 ntdll!RtlUnhandledExceptionFilter+0x12
0006f088 77c02f0f 0006f0d0 00000000 00000000 kernel32!UnhandledExceptionFilter+0x149
0006f0a4 0103d4fa 00000000 0006f0d0 77c05cf5 msvcrt!_XcptFilter+0x161
0006f0b0 77c05cf5 0006f0d8 00000000 0006f0d8 winlogon!__report_gsfailure+0x29b
0006f0d8 7c9237bf 0006f1c4 0006ffe4 0006f1e0 msvcrt!_except_handler3+0x61
0006f0fc 7c92378b 0006f1c4 0006ffe4 0006f1e0 ntdll!ExecuteHandler2+0x26
0006f1ac 7c92eafa 00000000 0006f1e0 0006f1c4 ntdll!ExecuteHandler+0x24
0006f1ac 7c930370 00000000 0006f1e0 0006f1c4 ntdll!KiUserExceptionDispatcher+0xe
0006f4ac 77d1af53 ffffffff 00f40420 00f498d8 ntdll!wcslen+0x8
0006f504 77d1a876 00f498d8 100023b8 0006f528 USER32!wvsprintfW+0x23a
0006f518 1000142f 00f498d8 100023b8 ffffffff USER32!wsprintfW+0x14
0006f650 100015fb 0007c728 010345ab 00089ae8 HookLogin!WriteLog+0x9f [e:\project\procmon\code\hooklogin\dllmain.cpp @ 293]
0006f658 010345ab 00089ae8 00000001 0007c7e4 HookLogin!FunNewWlxLoggedOutSAS+0x3b [e:\project\procmon\code\hooklogin\dllmain.cpp @ 389]
0006fcd8 01037791 0007b220 0007b220 00072364 winlogon!LogonAttempt+0x162
0006fcfc 010315d5 0007b220 7c80b529 00000000 winlogon!MainLoop+0x1cf
0006ff50 0103d4d0 01000000 00000000 00072364 winlogon!WUNotify+0x68f
0006fff4 00000000 7ffde000 000000c8 0000015c winlogon!__report_gsfailure+0x271

The kb command shows only the first three arguments of each function (the part highlighted above, in the FunNewWlxLoggedOutSAS frame: 00089ae8 00000001 0007c7e4); 010345ab is the return address. The original function is defined as follows:

int WINAPI FunNewWlxLoggedOutSAS(
    PVOID                  pWlxContext,
    DWORD                  dwSasType,
    PLUID                  pAuthenticationId,
    PSID                   pLogonSid,
    PDWORD                 pdwOptions,
    PHANDLE                phToken,
    PWLX_MPR_NOTIFY_INFO   pNprNotifyInfo,
    PVOID*                 pProfile
)

We know the function has seven parameters, so how do we view the remaining four? We know that a function's arguments all live on the stack, and the ChildEBP of this frame in the kb output is 0006f658, so let's look at what is on the stack there:

kd> dd 0006f658
0006f658 0007c728 010345ab 00089ae8 00000001
0006f668 0007c7e4 00f3eac0 0006f6bc 0006f6c4
0006f678 0006f69c 0006f6cc 00000002 0007b220
0006f688 00000000 0006f6ac 0006f9c4 77d40494
0006f698 77d188b8 ffffffff 77d188b2 758dbdb3
0006f6a8 00030030 0007c728 0007b220 0007b2b0
0006f6b8 00000001 00000000 00f3eac0 00089ae8
0006f6c8 00089ae8 00000000 00000000 0006f774

010345ab  return address
00089ae8  parameter 1
00000001  parameter 2
0007c7e4  parameter 3
...
0006f69c  parameter 7

kd> dd 0006f69c
0006f69c ffffffff 77d188b2 758dbdb3 00030030
0006f6ac 0007c728 0007b220 0007b2b0 00000001
0006f6bc 00000000 00f3eac0 00089ae8 00089ae8
0006f6cc 00000000 00000000 0006f774 5adc6877
0006f6dc 00030030 00001897 0006f7a4 00010000
0006f6ec 00020001 000000a0 0000001f 00000011
0006f6fc 00000004 00000003 00000000 00000000
0006f70c 00000004 00000003 00000000 00000000

From this we can see that the seventh parameter is ffffffff.
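To make the stack layout explicit, here is an added Python example (not from the original post) that parses the "dd 0006f658" output above, lays out the x86 __stdcall frame at ChildEBP 0006f658 using the parameter names from the prototype, and follows the pNprNotifyInfo pointer to 0006f69c the way the second dd does by hand. The dump text is copied from this page; the helper names are this example's own.

```python
import re

# Copied from the "kd> dd 0006f658" output on this page (ChildEBP of the
# FunNewWlxLoggedOutSAS frame). The whole dump is kept so that pointer
# arguments landing inside the same range can be followed.
DD_OUTPUT = """\
0006f658 0007c728 010345ab 00089ae8 00000001
0006f668 0007c7e4 00f3eac0 0006f6bc 0006f6c4
0006f678 0006f69c 0006f6cc 00000002 0007b220
0006f688 00000000 0006f6ac 0006f9c4 77d40494
0006f698 77d188b8 ffffffff 77d188b2 758dbdb3
0006f6a8 00030030 0007c728 0007b220 0007b2b0
0006f6b8 00000001 00000000 00f3eac0 00089ae8
0006f6c8 00089ae8 00000000 00000000 0006f774
"""

# Parameter names in declaration order, taken from the prototype above.
PARAMS = ["pWlxContext", "dwSasType", "pAuthenticationId", "pLogonSid",
          "pdwOptions", "phToken", "pNprNotifyInfo", "pProfile"]

def parse_dd(text):
    """Turn WinDbg 'dd' output into an {address: dword} map (x86, 4-byte cells)."""
    mem = {}
    for line in text.splitlines():
        cells = re.findall(r"[0-9a-fA-F]{8}", line)
        if not cells:
            continue
        base = int(cells[0], 16)
        for i, cell in enumerate(cells[1:]):
            mem[base + 4 * i] = int(cell, 16)
    return mem

def stdcall_frame(mem, child_ebp, names):
    """Lay out an x86 __stdcall (WINAPI) frame whose EBP is child_ebp.
    [EBP] holds the caller's saved EBP, [EBP+4] the return address, and
    argument n (1-based) lives at [EBP+8+4*(n-1)]; kb prints only the first three."""
    frame = {"saved_ebp": mem[child_ebp], "return_address": mem[child_ebp + 4]}
    for n, name in enumerate(names):
        frame[name] = mem[child_ebp + 8 + 4 * n]
    return frame

def deref(mem, ptr):
    """First DWORD a pointer argument points at, if it lies inside the dump."""
    return mem.get(ptr)

if __name__ == "__main__":
    mem = parse_dd(DD_OUTPUT)
    frame = stdcall_frame(mem, 0x0006f658, PARAMS)
    for k, v in frame.items():
        print(f"{k:18s} {v:08x}")
    print(f"{'*pNprNotifyInfo':18s} {deref(mem, frame['pNprNotifyInfo']):08x}")
```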
