How to evaluate RtlDecodePointer from a dump in WinDBG?
Question
I have a crash dump of a user-mode Windows program and I want to emulate RtlDecodePointer(), that is, decode some pointer encoded with RtlEncodePointer(). How do I do that?
Answer 1
Score: 2
I studied the disassembly of ntdll!RtlDecodePointer and was able to compose the following WinDBG expression:
r $t0 = 86aaaa40`0007ff77; $$ put the encoded value to decode here
r $t1 = dwo(ntdll!`RtlpGetCookieValue'::`2'::CookieValue); $$ the process cookie (a 32-bit value)
r $t2 = @$t1 & 3f; $$ rotation count: the low 6 bits of the cookie
r $t3 = (@$t0 >> (0x40 - @$t2)) | (@$t0 << @$t2); $$ rotate the 64-bit value left by $t2
.printf "Decoded pointer: %p\n", @$t3 ^ @$t1; $$ then XOR with the cookie
Or, as a one-liner:
r $t0 = 86aaaa40`0007ff77; $$ put the encoded value to decode here
r $t1 = dwo(ntdll!`RtlpGetCookieValue'::`2'::CookieValue); r $t2 = @$t1 & 3f; r $t3 = (@$t0 >> (0x40 - @$t2)) | (@$t0 << @$t2); .printf "Decoded pointer: %p\n", @$t3 ^ @$t1
This works well even on mini-dumps without full memory.
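The same decode step, written out in C so it can be checked outside the debugger. This is an added example, not code from the answer above: it mirrors the WinDBG expression (rotate left by the low 6 bits of the cookie, then XOR with the cookie), adds the inverse operation so the decoder can be verified by a round trip, and assumes, as the answer's use of dwo() implies, that the cookie is a 32-bit value. The pointer and cookie values in main() are constructed samples, not taken from any dump.

```c
#include <stdint.h>
#include <stdio.h>

/* Rotate helpers. The count is masked to 0..63 and a count of 0 is
 * short-circuited, so a shift by 64 (undefined behaviour in C) can never
 * occur; the WinDBG expression reaches that case when cookie & 3f == 0. */
static uint64_t rotl64(uint64_t x, unsigned n)
{
    n &= 63;
    return n ? (x << n) | (x >> (64 - n)) : x;
}

static uint64_t rotr64(uint64_t x, unsigned n)
{
    n &= 63;
    return n ? (x >> n) | (x << (64 - n)) : x;
}

/* Decode exactly as the answer's WinDBG expression does: rotate the encoded
 * value left by (cookie & 0x3f), then XOR with the cookie. The cookie is
 * 32-bit (read with dwo() in the answer), so it is zero-extended and the
 * XOR only touches the low 32 bits of the value. */
uint64_t decode_pointer(uint64_t encoded, uint32_t cookie)
{
    return rotl64(encoded, cookie & 0x3f) ^ (uint64_t)cookie;
}

/* The inverse of decode_pointer: XOR first, then rotate right by the same
 * count. This is what an encoder must do for the decoder above to be
 * correct, and it lets the decoder be checked with a round trip. */
uint64_t encode_pointer(uint64_t ptr, uint32_t cookie)
{
    return rotr64(ptr ^ (uint64_t)cookie, cookie & 0x3f);
}

int main(void)
{
    /* Constructed sample values: a plausible user-mode code address and a
     * made-up cookie; neither comes from the dump discussed above. */
    uint64_t ptr = 0x00007ff712345678ULL;
    uint32_t cookie = 0x86aaaa40u;

    uint64_t enc = encode_pointer(ptr, cookie);
    uint64_t dec = decode_pointer(enc, cookie);

    printf("cookie  : %08x (rotate count %u)\n", cookie, cookie & 0x3f);
    printf("pointer : %016llx\n", (unsigned long long)ptr);
    printf("encoded : %016llx\n", (unsigned long long)enc);
    printf("decoded : %016llx (%s)\n", (unsigned long long)dec,
           dec == ptr ? "round trip OK" : "MISMATCH");
    return dec == ptr ? 0 : 1;
}
```

To use it against a real dump, substitute the value you want to decode and the cookie read with the dwo() expression from the answer; decode_pointer() then returns the same value the .printf line prints.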
Comments