如何在WinDBG中从转储中评估RtlDecodePointer?

huangapple go评论73阅读模式
英文:

How to evaluate RtlDecodePointer from a dump in WinDBG?

问题

我有一个用户模式Windows程序的崩溃转储,并且我想仿真RtlDecodePointer(),即解码使用RtlEncodePointer()编码的某些指针。我该如何做?

英文:

I have a crash dump of a user-mode Windows program and I want to emulate RtlDecodePointer(), that is, decode some pointer encoded with RtlEncodePointer(). How do I do that?

答案1

得分: 2

这段代码是针对 ntdll!RtlDecodePointer 函数的反汇编进行分析,能够通过 WinDBG 表达式进行解码。这个方法即使在没有完整内存的迷你转储文件上也能很好地运行。

英文:

I studied disasm of ntdll!RtlDecodePointer and was able to compose the following WinDBG expression:

r $t0 = 86aaaa40`0007ff77 // put value to decode here
r $t1 = dwo(ntdll!`RtlpGetCookieValue'::`2'::CookieValue)
r $t2 = @$t1 & 3f
r $t3 = (@$t0 >> (0x40 - @$t2)) | (@$t0 << @$t2)
.printf "Decoded pointer: %p\n", @$t3 ^ @$t1

Or, as a one-liner:

r $t0 = 86aaaa40`0007ff77 // put value to decode here
r $t1 = dwo(ntdll!`RtlpGetCookieValue'::`2'::CookieValue); r $t2 = @$t1 & 3f; r $t3 = (@$t0 >> (0x40 - @$t2)) | (@$t0 << @$t2); .printf "Decoded pointer: %p\n", @$t3 ^ @$t1

This works well even on mini-dumps without full memory.

huangapple
  • 本文由 发表于 2023年2月19日 00:51:52
  • 转载请务必保留本文链接:https://go.coder-hub.com/75494861.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定