debugging: How to evaluate RtlDecodePointer on a dump in WinDBG?

wz3gfoph posted on 2023-02-19 in Other

I have a crash dump of a user-mode Windows program, and I want to simulate RtlDecodePointer(), that is, decode some pointers that were encoded with RtlEncodePointer().

ecfdbz9o

I studied the disassembly of ntdll!RtlDecodePointer and was able to write the following WinDBG expressions:

r $t0 = 86aaaa40`0007ff77 $$ put the value to decode here
r $t1 = dwo(ntdll!`RtlpGetCookieValue'::`2'::CookieValue) $$ 32-bit process cookie read from the dump
r $t2 = @$t1 & 3f $$ rotation count (default radix is hex, so 3f is 0x3f)
r $t3 = (@$t0 >> (0x40 - @$t2)) | (@$t0 << @$t2) $$ 64-bit rotate left by the count
.printf "Decoded pointer: %p\n", @$t3 ^ @$t1 $$ then XOR with the cookie

Or, as a one-liner:

r $t0 = 86aaaa40`0007ff77 $$ put the value to decode here
r $t1 = dwo(ntdll!`RtlpGetCookieValue'::`2'::CookieValue); r $t2 = @$t1 & 3f; r $t3 = (@$t0 >> (0x40 - @$t2)) | (@$t0 << @$t2); .printf "Decoded pointer: %p\n", @$t3 ^ @$t1

This works fine even on a minidump without full memory.
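As an added cross-check (not part of the original answer or of Windows itself), here is a Python model of the same arithmetic the WinDBG expressions above perform: decoding is a 64-bit rotate-left by (cookie & 0x3f) followed by an XOR with the cookie, and encoding is its inverse. The cookie and pointer values are constructed; in practice the cookie comes from ntdll!`RtlpGetCookieValue'::`2'::CookieValue in the dump.

```python
# Added example: Python model of RtlEncodePointer / RtlDecodePointer so a
# value decoded in WinDBG can be checked offline. Cookie and pointer values
# below are constructed, not taken from any real dump.

MASK64 = (1 << 64) - 1


def rotl64(value, n):
    """64-bit rotate left; a zero count is handled explicitly so no 64-bit shift occurs."""
    n &= 0x3F
    if n == 0:
        return value & MASK64
    return ((value << n) | (value >> (64 - n))) & MASK64


def rotr64(value, n):
    """64-bit rotate right, the inverse of rotl64 for the same count."""
    n &= 0x3F
    if n == 0:
        return value & MASK64
    return ((value >> n) | (value << (64 - n))) & MASK64


def rtl_encode_pointer(ptr, cookie):
    """Model of RtlEncodePointer: XOR with the process cookie, then rotate right by (cookie & 0x3f)."""
    return rotr64((ptr ^ cookie) & MASK64, cookie & 0x3F)


def rtl_decode_pointer(encoded, cookie):
    """Model of RtlDecodePointer: rotate left by (cookie & 0x3f), then XOR with the cookie.
    This is exactly what the $t2 / $t3 expressions compute in the answer above."""
    return (rotl64(encoded, cookie & 0x3F) ^ cookie) & MASK64


# Constructed sample: a 32-bit cookie (the width dwo() reads) and a fake user-mode pointer.
SAMPLE_COOKIE = 0x9E3779B1
SAMPLE_POINTER = 0x00007FF74A1B2C30


def roundtrip_ok(ptr=SAMPLE_POINTER, cookie=SAMPLE_COOKIE):
    """True if decoding an encoded pointer gives the original pointer back."""
    return rtl_decode_pointer(rtl_encode_pointer(ptr, cookie), cookie) == ptr


if __name__ == "__main__":
    enc = rtl_encode_pointer(SAMPLE_POINTER, SAMPLE_COOKIE)
    print(f"encoded: {enc:#018x}")
    print(f"decoded: {rtl_decode_pointer(enc, SAMPLE_COOKIE):#018x}")
```

A cookie whose low six bits are zero (for example 0x40) yields a rotation count of 0, which is the case the WinDBG expression's `>> (0x40 - @$t2)` term does not handle cleanly; the model above treats it explicitly.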
