<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<title>Windows內核調試器原理淺析 </title>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<meta name="Keywords" content="安全焦點, xfocus, 陷阱網絡, honeynet, honeypot, 調查取證, forensic, 入侵檢測, intrusion detection, 無線安全, wireless security, 安全論壇, security forums, 安全工具, security tools, 攻擊程序, exploits, 安全公告, security advisories, 安全漏洞, security vulnerabilities, 安全教程, security tutorials, 安全培訓, security training, 安全幫助, security help, 安全標準, security standards, 安全代碼, security code, 安全資源, security resources, 安全編程, security programming, 加密, cryptography,windows內核調試器 WinDBG kd SoftICE" />
<link rel="stylesheet" href="../../css/plone.css" type="text/css">
</head>

<body bgcolor="#FFFFFF" text="#000000">
<div class="top">
  <div class="searchBox">
    <form name="searchform" action="http://www.google.com/search" method="get">
      <input type="hidden" name="domains" value="www.xfocus.net">
      <input type="hidden" name="sitesearch" value="www.xfocus.net">
      <input type="text" name="q" size="20">
      <input type="submit" name="btnG" value="Google Search">
    </form>
  </div>
  <img src="../../images/logo.gif" border="0" width="180" height="80" alt="xfocus logo">
  <img src="../../images/title.gif" border="0" width="230" height="20" alt="xfocus title">
</div>
<div class="tabs">
  <a href="../../index.html" class="plain">首頁</a>
  <a href="../../releases/index.html" class="plain">焦點原創</a>
  <a href="../../articles/index.html" class="selected">安全文摘</a>
  <a href="../../tools/index.html" class="plain">安全工具</a>
  <a href="../../vuls/index.html" class="plain">安全漏洞</a>
  <a href="../../projects/index.html" class="plain">焦點項目</a>
  <a href="https://www.xfocus.net/bbs/index.php?lang=cn" class="plain">焦點論壇</a>
  <a href="../../about/index.html" class="plain">關于我們</a>
</div>
<div class="personalBar">
  <a href='https://www.xfocus.net/php/add_article.php'>添加文章</a> <a href='http://www.xfocus.org/'>English Version</a>
</div>
<table class="columns">
  <tr>
    <td class="left">
<div class="box">
  <h5>&nbsp;文章分類&nbsp;</h5>
  <div class="body">
    <div class="content odd">
       <div style="white-space: nowrap;">
	    <img src='../../images/folder_icon.gif' border='0'> <a href='../../articles/4.html'>專題文章</a><br><img src='../../images/folder_icon.gif' border='0'> <a href='../../articles/2.html'>漏洞分析</a><br><img src='../../images/folder_icon.gif' border='0'> <a href='../../articles/3.html'>安全配置</a><br><img src='../../images/folder_icon.gif' border='0'> <a href='../../articles/1.html'>黑客教學</a><br><img src='../../images/folder_icon.gif' border='0'> <a href='../../articles/5.html'><b>編程技術 <<</b></a><br><img src='../../images/folder_icon.gif' border='0'> <a href='../../articles/7.html'>工具介紹</a><br><img src='../../images/folder_icon.gif' border='0'> <a href='../../articles/6.html'>火墻技術</a><br><img src='../../images/folder_icon.gif' border='0'> <a href='../../articles/8.html'>入侵檢測</a><br><img src='../../images/folder_icon.gif' border='0'> <a href='../../articles/9.html'>破解專題</a><br><img src='../../images/folder_icon.gif' border='0'> <a href='../../articles/11.html'>焦點公告</a><br><img src='../../images/folder_icon.gif' border='0'> <a href='../../articles/12.html'>焦點峰會</a><br>
       </div>
	    
    </div>
  </div>
</div>

<div class="box">
  <h5>&nbsp;文章推薦&nbsp;</h5>
  <div class="body">
    <div class="content odd">
	    <img src='../../images/document_icon.gif' border='0'> <a href='../../articles/200408/733.html'>補丁管理最佳安全實踐之資產評估</a><br><img src='../../images/document_icon.gif' border='0'> <a href='../../articles/200404/689.html'>國內網絡安全風險評估市場與技術操作</a><br><img src='../../images/document_icon.gif' border='0'> <a href='../../articles/200410/743.html'>協作的信息系統風險評估</a><br>
    </div>
  </div>
</div>
	</td>
    <td class="main">
	  <h1>Windows內核調試器原理淺析</h1><br>創建時間：2004-12-23<br>文章屬性：原創<br>文章提交：<a href='https://www.xfocus.net/bbs/index.php?lang=cn&act=Profile&do=03&MID=57204'>SoBeIt</a> (kinsephi_at_hotmail.com)<br><br>Windows內核調試器原理淺析<br />
<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; SoBeIt<br />
<br />
&nbsp;&nbsp;&nbsp;&nbsp;前段時間忽然對內核調試器實現原來發生了興趣，于是簡單分析了一下當前windows下主流內核調試器原理，并模仿原理自己也寫了個極其簡單的調試器:)<br />
<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;WinDBG<br />
&nbsp;&nbsp;&nbsp;&nbsp;<br />
&nbsp;&nbsp;&nbsp;&nbsp;WinDBG和用戶調試器一點很大不同是內核調試器在一臺機器上啟動，通過串口調試另一個相聯系的以Debug方式啟動的系統，這個系統可以是虛擬機上的系統，也可以是另一臺機器上的系統(這只是微軟推薦和實現的方法，其實象SoftICE這類內核調試器可以實現單機調試)。很多人認為主要功能都是在WinDBG里實現，事實上并不是那么一回事，windows已經把內核調試的機制集成進了內核，WinDBG、kd之類的內核調試器要做的僅僅是通過串行發送特定格式數據包來進行聯系，比如中斷系統、下斷點、顯示內存數據等等。然后把收到的數據包經過WinDBG處理顯示出來。&nbsp;&nbsp;&nbsp;&nbsp;<br />
<br />
&nbsp;&nbsp;&nbsp;&nbsp;在進一步介紹WinDBG之前，先介紹兩個函數：KdpTrace、KdpStub，我在《windows異常處理流程》一文里簡單提過這兩個函數。現在再提一下，當異常發生于內核態下，會調用KiDebugRoutine兩次，異常發生于用戶態下，會調用KiDebugRoutine一次，而且第一次調用都是剛開始處理異常的時候。<br />
<br />
&nbsp;&nbsp;&nbsp;&nbsp;當WinDBG未被加載時KiDebugRoutine為KdpStub，處理也很簡單，主要是對由int 0x2d引起的異常如DbgPrint、DbgPrompt、加載卸載SYMBOLS(關于int 0x2d引起的異常將在后面詳細介紹)等，把Context.Eip加1，跳過int 0x2d后面跟著的int 0x3指令。<br />
<br />
&nbsp;&nbsp;&nbsp;&nbsp;真正實現了WinDBG功能的函數是KdpTrap，它負責處理所有STATUS_BREAKPOINT和STATUS_SINGLE_STEP(單步)異常。STATUS_BREAKPOINT的異常包括int 0x3、DbgPrint、DbgPrompt、加載卸載SYMBOLS。DbgPrint的處理最簡單，KdpTrap直接向調試器發含有字符串的包。DbgPrompt因為是要輸出并接收字符串，所以先將含有字符串的包發送出去，再陷入循環等待接收來自調試器的含有回復字符串的包。SYMBOLS的加載和卸載通過調用KdpReportSymbolsStateChange，int 0x3斷點異常和int 0x1單步異常(這兩個異常基本上是內核調試器處理得最多的異常)通過調用KdpReportExceptionStateChange，這兩個函數很相似，都是通過調用KdpSendWaitContinue函數。KdpSendWaitContinue可以說是內核調試器功能的大管家，負責各個功能的分派。這個函數向內核調試器發送要發送的信息，比如當前所有寄存器狀態，每次單步后我們都可以發現寄存器的信息被更新，就是內核調試器接受它發出的包含最新機器狀態的包；還有SYMBOLS的狀態，這樣加載和卸載了SYMBOLS我們都能在內核調試器里看到相應的反應。然后KdpSendWaitContinue等待從內核調試器發來的包含命令的包，決定下一步該干什么。讓我們來看看KdpSendWaitContinue都能干些什么：<br />
<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;case DbgKdReadVirtualMemoryApi:<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;KdpReadVirtualMemory(&amp;ManipulateState,&amp;MessageData,ContextRecord);<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;break;<br />
<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;case DbgKdReadVirtualMemory64Api:<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;KdpReadVirtualMemory64(&amp;ManipulateState,&amp;MessageData,ContextRecord);<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;break;<br />
<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;case DbgKdWriteVirtualMemoryApi:<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;KdpWriteVirtualMemory(&amp;ManipulateState,&amp;MessageData,ContextRecord);<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;break;<br />
<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;case DbgKdWriteVirtualMemory64Api:<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;KdpWriteVirtualMemory64(&amp;ManipulateState,&amp;MessageData,ContextRecord);<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;break;<br />
<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;case DbgKdReadPhysicalMemoryApi:<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;KdpReadPhysicalMemory(&amp;ManipulateState,&amp;MessageData,ContextRecord);<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;break;<br />
<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;case DbgKdWritePhysicalMemoryApi:<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;KdpWritePhysicalMemory(&amp;ManipulateState,&amp;MessageData,ContextRecord);<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;break;<br />
<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;case DbgKdGetContextApi:<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;KdpGetContext(&amp;ManipulateState,&amp;MessageData,ContextRecord);<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;break;<br />
<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;case DbgKdSetContextApi:<br />