分析windbg内核调试通信数据

2018-01-19  本文已影响0人  超哥__

layout: post
title: 分析windbg内核调试通信数据
categories: Debug
description: 分析windbg内核调试通信数据
keywords:
url: https://lichao890427.github.io/ https://github.com/lichao890427/


分析windbg内核调试通信数据

结果

Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F

 00000000   69 69 69 69 06 00 00 00  00 00 00 00 00 00 00 00   iiii            
 00000010   69 69 69 69 06 00 00 00  00 00 00 00 00 00 00 00   iiii            
 00000020   69 69 69 69 06 00 00 00  00 00 00 00 00 00 00 00   iiii            
 00000030   69 69 69 69 06 00 00 00  00 00 00 00 00 00 00 00   iiii            
 00000040   69 69 69 69 06 00 00 00  00 00 00 00 00 00 00 00   iiii            
 00000050   30 30 30 07 00 0F 01 00  08 80 80 44 33 00 00 31   000      €€D3  1
 00000060   30 00 00 00 00 00 00 01  00 00 00 00 00 00 00 40   0              @
 00000070   37 55 80 FF FF FF FF C4  F4 52 80 FF FF FF FF 1F   7U€聂R€ 
00000080   00 00 00 00 00 00 00 00  80 4D 80 FF FF FF FF FF           €M€
00000090   FF FF FF 00 00 00 00 D3  50 20 00 80 84 1F 00 00       覲  €?  
000000A0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                   
 000000B0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                   
 000000C0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                   
 000000D0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                   
 000000E0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                   
 000000F0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                   
 00000100   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                   
 00000110   00 00 00 00 00 00 00 10  00 00 00 BC FA 05 00 F0              贱  ?
00000120   0F FF FF 00 04 00 00 10  00 03 00 CC 5D C2 0C 00            蘛? 
00000130   CC CC CC CC CC 8B FF 55  8B EC FF 08 00 23 00 23   烫烫虌U嬱  # #
00000140   00 30 00 82 00 00 00 00  00 00 00 00 00 00 00 5C    0 ?          \
 00000150   57 49 4E 44 4F 57 53 5C  73 79 73 74 65 6D 33 32   WINDOWS\system32
 00000160   5C 6E 74 6B 72 6E 6C 70  61 2E 65 78 65 00 AA 69   \ntkrnlpa.exe 猧
00000170   69 69 69 06 00 00 00 63  F8 05 00 00 00 00 00 30   iii    c?     0
 00000180   30 30 30 07 00 0F 01 00  00 80 80 44 33 00 00 31   000      €€D3  1
 00000190   30 00 00 00 00 00 00 01  00 00 00 00 00 00 00 40   0              @
 000001A0   37 55 80 FF FF FF FF C4  F4 52 80 FF FF FF FF 1F   7U€聂R€ 
000001B0   00 00 00 00 00 00 00 00  80 4D 80 FF FF FF FF FF           €M€
000001C0   FF FF FF 00 00 00 00 D3  50 20 00 80 84 1F 00 00       覲  €?  
000001D0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                   
 000001E0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                   
 000001F0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                   
 00000200   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                   
 00000210   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                   
 00000220   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                   
 00000230   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                   
 00000240   00 00 00 00 00 00 00 10  00 00 00 BC FA 05 00 F0              贱  ?
00000250   0F FF FF 00 04 00 00 10  00 03 00 CC 5D C2 0C 00            蘛? 
00000260   CC CC CC CC CC 8B FF 55  8B EC FF 08 00 23 00 23   烫烫虌U嬱  # #
00000270   00 30 00 82 00 00 00 00  00 00 00 00 00 00 00 5C    0 ?          \
 00000280   57 49 4E 44 4F 57 53 5C  73 79 73 74 65 6D 33 32   WINDOWS\system32
 00000290   5C 6E 74 6B 72 6E 6C 70  61 2E 65 78 65 00 AA 69   \ntkrnlpa.exe 猧
000002A0   69 69 69 04 00 00 00 00  00 80 80 00 00 00 00 30   iii      €€    0
 000002B0   30 30 30 02 00 38 00 00  00 80 80 9C 0B 00 00 46   000  8   €€?  F
 000002C0   31 00 00 80 F6 7D 07 03  01 00 00 F4 F6 7D 07 02   1  €鰙     赧}  
000002D0   BE B7 52 01 5E AE 52 07  00 00 00 01 00 00 00 00   痉R ^甊         
000002E0   00 00 00 02 00 00 00 11  BF B7 52 2C F7 7D 07 00           糠R,鱹  
000002F0   00 00 00 07 00 00 00 AA  69 69 69 04 00 00 00 00          猧ii     
 00000300   00 80 80 00 00 00 00 30  30 30 30 02 00 38 00 01    €€    0000  8  
 00000310   00 80 80 3F 17 00 00 46  31 00 00 80 F6 7D 07 00    €€?   F1  €鰙  
00000320   00 00 00 F4 F6 7D 07 0F  00 28 0A 06 00 02 00 4C      赧}   (     L
 00000330   01 0C 03 2D 00 00 00 00  80 4D 80 FF FF FF FF C0      -    €M€?
00000340   4F 55 80 FF FF FF FF F4  8E 67 80 FF FF FF FF AA   OU€魩g€?
00000350   69 69 69 69 04 00 00 00  01 00 80 80 00 00 00 00   iiii      €€    
00000360   30 30 30 30 02 00 38 00  01 00 80 80 B1 13 00 00   0000  8   €€?  
00000370   30 31 00 00 FE FF FF FF  38 F6 7D 07 34 11 BC 77   01  ?8鰙 4 紈
00000380   F4 8E 67 80 FF FF FF FF  04 00 00 00 D4 F5 7D 07   魩g€    怎} 
00000390   18 11 8D 07 38 00 00 00  38 00 00 00 03 00 00 00       8   8       
 000003A0   E8 79 E1 00 03 00 00 00  AA 69 69 69 04 00 00 00   鑩?    猧ii    
 000003B0   01 00 80 80 00 00 00 00  30 30 30 30 02 00 3C 00     €€    0000  < 
 000003C0   00 00 80 80 D4 11 00 00  30 31 00 00 FE FF FF FF     €€?  01  ?
000003D0   00 00 00 00 34 11 BC 77  F4 8E 67 80 FF FF FF FF       4 紈魩g€
000003E0   04 00 00 00 04 00 00 00  18 11 8D 07 38 00 00 00               8   
 000003F0   38 00 00 00 03 00 00 00  E8 79 E1 00 03 00 00 00   8       鑩?    
00000400   E0 6A 54 80 AA 69 69 69  69 04 00 00 00 00 00 80   鄇T€猧iii      €
00000410   80 00 00 00 00 30 30 30  30 02 00 38 00 00 00 80   €    0000  8   €
00000420   80 E7 10 00 00 30 31 00  00 BA 02 00 00 48 F7 7D   €?  01  ?  H鱹
00000430   07 A0 74 C1 77 E0 6A 54  80 FF FF FF FF 18 00 00    爐羨鄇T€   
00000440   00 34 11 BC 77 20 00 00  00 28 00 00 00 A8 02 E1    4 紈    (   ??
00000450   00 5C EE 7D 07 50 00 00  00 20 00 00 00 AA 69 69    \題 P       猧i
 00000460   69 04 00 00 00 00 00 80  80 00 00 00 00 30 30 30   i      €€    000
 00000470   30 02 00 50 00 01 00 80  80 40 14 00 00 30 31 00   0  P   €€@   01 
 00000480   00 BA 02 00 00 00 00 00  00 A0 74 C1 77 E0 6A 54    ?      爐羨鄇T
 00000490   80 FF FF FF FF 18 00 00  00 18 00 00 00 20 00 00   €           
000004A0   00 28 00 00 00 A8 02 E1  00 5C EE 7D 07 50 00 00    (   ??\題 P  
 000004B0   00 20 00 00 00 F4 8E 67  80 F4 8E 67 80 00 00 00        魩g€魩g€   
000004C0   00 00 00 00 00 4B 44 42  47 90 02 00 00 AA 69 69        KDBG    猧i

分析

  windbg内核通信协议看起来比较复杂,常见的包为信息包和控制包、中断包。经过观察,有一些点需要注意:
1.管道读写,端口读写或者其他与内核通信的方式,有时候会缺失数据,比如本来是0x30303030的信息包,下面0x50处少一个0x30,现在的0x30是我后补上去的,编写通信模块需要注意这一部分
2.读写被调试主机传来的数据,用的是ReadFile/WriteFile,且很多时候是一个/若干个字节read/write一次,不明白为何这么低效!!!这样做就需要我们构建好数据包,再给数据包分析函数处理,主要是处理通信过程

API与结构体的映射

RemoteOperation CommandId LocalApi
DbgKdReadVirtualMemoryApi 0x00003130L ReadMemory
DbgKdWriteVirtualMemoryApi 0x00003131L WriteMemory
DbgKdGetContextApi 0x00003132L null
DbgKdSetContextApi 0x00003133L null
DbgKdWriteBreakPointApi 0x00003134L WriteBreakPoint
DbgKdRestoreBreakPointApi 0x00003135L RestoreBreakPoint
DbgKdContinueApi 0x00003136L Continue
DbgKdReadControlSpaceApi 0x00003137L ReadMemory
DbgKdWriteControlSpaceApi 0x00003138L WriteMemory
DbgKdReadIoSpaceApi 0x00003139L ReadWriteIo
DbgKdWriteIoSpaceApi 0x0000313AL ReadWriteIo
DbgKdRebootApi 0x0000313BL null
DbgKdContinueApi2 0x0000313CL Continue2
DbgKdReadPhysicalMemoryApi 0x0000313DL ReadMemory
DbgKdWritePhysicalMemoryApi 0x0000313EL WriteMemory
DbgKdQuerySpecialCallsApi 0x0000313FL QuerySpecialCalls
DbgKdSetSpecialCallApi 0x00003140L SetSpecialCall
DbgKdClearSpecialCallsApi 0x00003141L null
DbgKdSetInternalBreakPointApi 0x00003142L SetInternalBreakpoint
DbgKdGetInternalBreakPointApi 0x00003143L GetInternalBreakpoint
DbgKdReadIoSpaceExtendedApi 0x00003144L ReadWriteIoExtended
DbgKdWriteIoSpaceExtendedApi 0x00003145L ReadWriteIoExtended
DbgKdGetVersionApi 0x00003146L GetVersion32
DbgKdWriteBreakPointExApi 0x00003147L BreakPointEx
DbgKdRestoreBreakPointExApi 0x00003148L null
DbgKdCauseBugCheckApi 0x00003149L null
DbgKdSwitchProcessor 0x00003150L null
DbgKdPageInApi 0x00003151L null
DbgKdReadMachineSpecificRegister 0x00003152L ReadWriteMsr
DbgKdWriteMachineSpecificRegister 0x00003153L ReadWriteMsr
OldVlm1 0x00003154L null
OldVlm2 0x00003155L null
DbgKdSearchMemoryApi 0x00003156L SearchMemory
DbgKdGetBusDataApi 0x00003157L null
DbgKdSetBusDataApi 0x00003158L null
DbgKdCheckLowMemoryApi 0x00003159L null
DbgKdClearAllInternalBreakpointsApi 0x0000315AL null
DbgKdFillMemoryApi 0x0000315BL null
DbgKdQueryMemoryApi 0x0000315CL null
DbgKdSwitchPartition 0x0000315DL null
typedef struct _DBGKD_ANY_WAIT_STATE_CHANGE
 {
     ULONG NewState;
     USHORT ProcessorLevel;
     USHORT Processor;
     ULONG NumberProcessors;
     ULONG64 Thread;
     ULONG64 ProgramCounter;
     union
         {
         DBGKM_EXCEPTION64 Exception;
         DBGKD_LOAD_SYMBOLS64 LoadSymbols;
         DBGKD_COMMAND_STRING CommandString;
     } u;
     union
         {
         DBGKD_CONTROL_REPORT ControlReport;
         DBGKD_ANY_CONTROL_REPORT AnyControlReport;
     };
 } DBGKD_ANY_WAIT_STATE_CHANGE, *PDBGKD_ANY_WAIT_STATE_CHANGE;

对通信数据的注解

00000000   69 69 69 69 06 00 00 00  00 00 00 00 00 00 00 00   iiii                    发送复位控制包
00000010   69 69 69 69 06 00 00 00  00 00 00 00 00 00 00 00   iiii                    发送复位控制包
00000020   69 69 69 69 06 00 00 00  00 00 00 00 00 00 00 00   iiii                    发送复位控制包
00000030   69 69 69 69 06 00 00 00  00 00 00 00 00 00 00 00   iiii                    发送复位控制包
00000040   69 69 69 69 06 00 00 00  00 00 00 00 00 00 00 00   iiii                    发送复位控制包
00000050   30 30 30 30 07 00 0F 01  00 08 80 80 44 33 00 00   0000      €€D3          接收DBGKD_ANY_WAIT_STATE_CHANGE信息包,长度0x10F
00000060   31 30 00 00 00 00 00 00  01 00 00 00 00 00 00 00   10                      包开始:NewState=DbgKdLoadSymbolsStateChange
00000070   40 37 55 80 FF FF FF FF  C4 F4 52 80 FF FF FF FF   @7U€聂R€
00000080   1F 00 00 00 00 00 00 00  00 80 4D 80 FF FF FF FF            €M€
00000090   FF FF FF FF 00 00 00 00  D3 50 20 00 80 84 1F 00       覲  €? 
000000A0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                   
000000B0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                   
000000C0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                   
000000D0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                   
000000E0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                   
000000F0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                   
00000100   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                   
00000110   00 00 00 00 00 00 00 00  10 00 00 00 BC FA 05 00               贱  
00000120   F0 0F FF FF 00 04 00 00  10 00 03 00 CC 5D C2 0C   ?        蘛?
00000130   00 CC CC CC CC CC 8B FF  55 8B EC FF 08 00 23 00    烫烫虌U嬱  # 
00000140   23 00 30 00 82 00 00 00  00 00 00 00 00 00 00 00   # 0 ?          
00000150   5C 57 49 4E 44 4F 57 53  5C 73 79 73 74 65 6D 33   \WINDOWS\system3        包以0xAA结束,然而由于0x50处原先少一个0x30
00000160   32 5C 6E 74 6B 72 6E 6C  70 61 2E 65 78 65 00 AA   2\ntkrnlpa.exe ?        (为了方便查看,我补上了缺少的0x30)
00000170   69 69 69 69 06 00 00 00  63 F8 05 00 00 00 00 00   iiii    c?             接收请求重新连接信息包
00000180   30 30 30 30 07 00 0F 01  00 00 80 80 44 33 00 00   0000      €€D3    接收PACKET_TYPE_KD_STATE_CHANGE64信息包,长度0x10F
00000190   31 30 00 00 00 00 00 00  01 00 00 00 00 00 00 00   10                                包开始:NewState=DbgKdLoadSymbolsStateChange
000001A0   40 37 55 80 FF FF FF FF  C4 F4 52 80 FF FF FF FF   @7U€聂R€ETHREAD=0xFFFFFFFF80553740 BaseAddr=0xFFFFFFFF8052F4C4
000001B0   1F 00 00 00 00 00 00 00  00 80 4D 80 FF FF FF FF            €M€映像路径长度0x1F        Dll基址=0xFFFFFFFF804D8000
000001C0   FF FF FF FF 00 00 00 00  D3 50 20 00 80 84 1F 00       覲  € 进程ID=-1        映像大小=0x1F8480
000001D0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                   
000001E0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                   
000001F0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00              
00000200   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                   
00000210   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                   
00000220   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                   
00000230   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                   
00000240   00 00 00 00 00 00 00 00  10 00 00 00 BC FA 05 00               贱  
00000250   F0 0F FF FF 00 04 00 00  10 00 03 00 CC 5D C2 0C   ?        蘛?
00000260   00 CC CC CC CC CC 8B FF  55 8B EC FF 08 00 23 00    烫烫虌U嬱  # 
00000270   23 00 30 00 82 00 00 00  00 00 00 00 00 00 00 00   # 0 ?          
00000280   5C 57 49 4E 44 4F 57 53  5C 73 79 73 74 65 6D 33   \WINDOWS\system3
00000290   32 5C 6E 74 6B 72 6E 6C  70 61 2E 65 78 65 00 AA   2\ntkrnlpa.exe ?        包结束
000002A0   69 69 69 69 04 00 00 00  00 00 80 80 00 00 00 00   iiii      €€      发送上次接收信息的确认包
000002B0   30 30 30 30 02 00 38 00  00 00 80 80 9C 0B 00 00   0000  8   €€?     发送读取版本控制信息包 DbgKdGetVersionApi,长度0x38
000002C0   46 31 00 00 80 F6 7D 07  03 01 00 00 F4 F6 7D 07   F1  €鰙     赧}   包开始
000002D0   02 BE B7 52 01 5E AE 52  07 00 00 00 01 00 00 00    痉R ^甊        
000002E0   00 00 00 00 02 00 00 00  11 BF B7 52 2C F7 7D 07            糠R,鱹 
000002F0   00 00 00 00 07 00 00 00  AA 00 00 00 00 00 00 00           ?              包结束
00000300   69 69 69 69 04 00 00 00  00 00 80 80 00 00 00 00   iiii      €€            接收到服务器收到信息的确认包
00000310   30 30 30 30 02 00 38 00  01 00 80 80 3F 17 00 00   0000  8   €€?           接收读取版本控制信息包 DbgKdGetVersionApi,长度0x38
00000320   46 31 00 00 80 F6 7D 07  00 00 00 00 F4 F6 7D 07   F1  €鰙     赧}         包开始
00000330   0F 00 28 0A 06 00 02 00  4C 01 0C 03 2D 00 00 00     (     L   -   
00000340   00 80 4D 80 FF FF FF FF  C0 4F 55 80 FF FF FF FF    €M€繭U€PsLoadedModuleList=0xFFFFFFFF80554FC0        DebuggerDataList=0xFFFFFFFF80678EF4
00000350   F4 8E 67 80 FF FF FF FF  AA 00 00 00 00 00 00 00   魩g€?     包结束
00000360   69 69 69 69 04 00 00 00  01 00 80 80 00 00 00 00   iiii      €€            发送上次接收信息的确认包
00000370   30 30 30 30 02 00 38 00  01 00 80 80 B1 13 00 00   0000  8   €€?          发送读取内存控制信息包 DbgKdReadVirutalMemoryApi,长度0x38
00000380   30 31 00 00 FE FF FF FF  38 F6 7D 07 34 11 BC 77   01  ?8鰙 4 紈        包开始
00000390   F4 8E 67 80 FF FF FF FF  04 00 00 00 D4 F5 7D 07   魩g€      读取0x80678EF4处4字节
000003A0   18 11 8D 07 38 00 00 00  38 00 00 00 03 00 00 00       8   8               
000003B0   E8 79 E1 00 03 00 00 00  AA 00 00 00 00 00 00 00   鑩?    ?              包结束
000003C0   69 69 69 69 04 00 00 00  01 00 80 80 00 00 00 00   iiii      €€            接收到服务器收到信息的确认包
000003D0   30 30 30 30 02 00 3C 00  00 00 80 80 D4 11 00 00   0000  <   €€?          接收内存控制信息包 DbgKdReadVirutalMemoryApi,长度0x3C
000003E0   30 31 00 00 FE FF FF FF  00 00 00 00 34 11 BC 77   01  ?    4 紈        包开始
000003F0   F4 8E 67 80 FF FF FF FF  04 00 00 00 04 00 00 00   魩g€    
00000400   18 11 8D 07 38 00 00 00  38 00 00 00 03 00 00 00       8   8       
00000410   E8 79 E1 00 03 00 00 00  E0 6A 54 80 AA 00 00 00   鑩?    鄇T€?          包结束,读取得到E0 6A 54 80
00000420   69 69 69 69 04 00 00 00  00 00 80 80 00 00 00 00   iiii      €€            发送上次接收信息的确认包
00000430   30 30 30 30 02 00 38 00  00 00 80 80 E7 10 00 00   0000  8   €€?          发送读取内存控制信息包 DbgKdReadVirutalMemoryApi,长度0x38
00000440   30 31 00 00 BA 02 00 00  48 F7 7D 07 A0 74 C1 77   01  ?  H鱹 爐羨        包开始
00000450   E0 6A 54 80 FF FF FF FF  18 00 00 00 34 11 BC 77   鄇T€    4 读取0x80546AE0处0x18字节(DBGKD_DEBUG_DATA_HEADER64)
00000460   20 00 00 00 28 00 00 00  A8 02 E1 00 5C EE 7D 07       (   ??\題 
00000470   50 00 00 00 20 00 00 00  AA 00 00 00 00 00 00 00   P       ?              包结束
00000480   69 69 69 69 04 00 00 00  00 00 80 80 00 00 00 00   iiii      €€            接收到服务器收到信息的确认包
00000490   30 30 30 30 02 00 50 00  01 00 80 80 40 14 00 00   0000  P   €€@           接收内存控制信息包 DbgKdReadVirutalMemoryApi,长度0x50
000004A0   30 31 00 00 BA 02 00 00  00 00 00 00 A0 74 C1 77   01  ?      爐羨        包开始
000004B0   E0 6A 54 80 FF FF FF FF  18 00 00 00 18 00 00 00   鄇T€        
000004C0   20 00 00 00 28 00 00 00  A8 02 E1 00 5C EE 7D 07       (   ??\題 
000004D0   50 00 00 00 20 00 00 00  F4 8E 67 80 F4 8E 67 80   P       魩g€魩g€
000004E0   00 00 00 00 00 00 00 00  4B 44 42 47 90 02 00 00           KDBG            读取得到F4 8E 67 80 F4 8E 67 80 00 00 00 00 00 00 00 00 4B 44 42 47 90 02 00 00
000004F0   AA 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ?                      包结束
00000500   69 69 69 69 04 00 00 00  01 00 80 80 00 00 00 00   iiii      €€            发送上次接收信息的确认包
00000510   30 30 30 30 02 00 38 00  01 00 80 80 02 1A 00 00   0000  8   €€            发送读取内存控制信息包 DbgKdReadVirutalMemoryApi,长度0x38
00000520   30 31 00 00 05 00 00 00  00 EF 7D 07 34 11 BC 77   01       飣 4 紈        包开始
00000530   F8 6A 54 80 FF FF FF FF  78 02 00 00 FE FF FF FF   鴍T€x   ?        读取0x80546AF8处0x278字节  0x80546AE0整个是KDDEBUGGER_DATA64结构
00000540   D8 EE 7D 07 AA 1E BC 77  00 00 00 00 E8 DE E1 00   仡} ?紈    柁?
00000550   B8 DE E1 00 E8 DE E1 00  AA 00 00 00 00 00 00 00   皋?柁??                      包结束
00000560   69 69 69 69 04 00 00 00  01 00 80 80 00 00 00 00   iiii      €€            接收到服务器收到信息的确认包
00000570   30 30 30 30 02 00 B0 02  00 00 80 80 80 97 00 00   0000  ?  €€€?         接收内存控制信息包 DbgKdReadVirutalMemoryApi,长度0x2B0
00000580   30 31 00 00 05 00 00 00  00 00 00 00 34 11 BC 77   01          4 紈        包开始
00000590   F8 6A 54 80 FF FF FF FF  78 02 00 00 78 02 00 00   鴍T€x   x   
000005A0   D8 EE 7D 07 AA 1E BC 77  00 00 00 00 E8 DE E1 00   仡} ?紈    柁?
000005B0   B8 DE E1 00 E8 DE E1 00  00 80 4D 80 00 00 00 00   皋?柁? €M€            有效数据开始 00 80 4D 80 00 00 00 0
000005C0   DC 8B 52 80 00 00 00 00  00 00 00 00 00 00 00 00   軏R€            
000005D0   2C 01 08 00 18 00 01 00  8C 06 50 80 00 00 00 00   ,       ?P€    
000005E0   00 00 00 00 00 00 00 00  C0 4F 55 80 00 00 00 00           繭U€    
000005F0   58 B1 55 80 00 00 00 00  60 B2 55 80 00 00 00 00   X盪€    `睻€        
00000600   88 D6 55 80 00 00 00 00  20 C5 55 80 00 00 00 00   堉U€     臮€    
00000610   AC BA 54 80 00 00 00 00  1C 3F 55 80 00 00 00 00   T€     ?U€    
00000620   F8 3F 55 80 00 00 00 00  40 49 55 80 00 00 00 00   ?U€    @IU€    
00000630   C0 28 FF FF 00 04 00 00  10 00 03 00 CC 5D C2 0C   ?        蘛?
00000640   00 CC CC CC CC CC 8B FF  55 8B EC FF 08 00 23 00    烫烫虌U嬱  # 
00000650   23 00 30 00 82 00 00 00  00 00 00 00 00 00 00 00   # 0 ?          
00000660   5C 57 49 4E 44 4F 57 53  5C 73 79 73 74 65 6D 33   \WINDOWS\system3
00000670   32 5C 6E 74 6B 72 6E 6C  70 61 2E 65 78 65 00 33   2\ntkrnlpa.exe 3
00000680   32 5C 6E 74 6B 72 6E 6C  70 61 2E 65 78 65 00 00   2\ntkrnlpa.exe          
00000690   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                   
000006A0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                   
000006B0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                   
000006C0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                   
000006D0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                   
000006E0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                   
000006F0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                   
00000700   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                   
00000710   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                   
00000720   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                   
00000730   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                   
00000740   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                   
00000750   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                   
00000760   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                   
00000770   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                   
00000780   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                   
00000790   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                   
000007A0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                   
000007B0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                   
000007C0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                   
000007D0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                   
000007E0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                   
000007F0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00       
00000800   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                   
00000810   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                   
00000820   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                           有效数据结束,然而没有遇到0xAA,所以一直等待
 。。。。。。。。。。。。。。。。。。。。。。。。。。。。。  
00002E60   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 AA                  ?        结束符0xAA
00002E70   69 69 69 69 04 00 00 00  00 00 80 80 00 00 00 00   iiii      €€            发送上次接收信息的确认包
00002E80   30 30 30 30 02 00 38 00  00 00 80 80 74 0E 00 00   0000  8   €€t           发送读取内存控制信息包 DbgKdReadVirutalMemoryApi,长度0x38
00002E90   30 31 00 00 00 00 00 00  48 F7 7D 07 A0 74 C1 77   01      H鱹 爐羨        包开始
00002EA0   5C 8C 4D 80 FF FF FF FF  05 01 00 00 34 11 BC 77   \孧€    4        读取0x804D8C5C处0x105大小的数据
00002EB0   0D 01 00 00 18 01 00 00  20 03 E1 00 24 EB 7D 07             ?$雧 
00002EC0   05 04 00 00 0D 01 00 00  AA 00 00 00 00 00 00 00           ?      
00002ED0   69 69 69 69 04 00 00 00  00 00 80 80 00 00 00 00   iiii      €€            接收到服务器收到信息的确认包
00002EE0   30 30 30 30 02 00 3D 01  01 00 80 80 A9 75 00 00   0000  =   €€﹗          接收内存控制信息包 DbgKdReadVirutalMemoryApi,长度0x13D
00002EF0   30 31 00 00 00 00 00 00  00 00 00 00 A0 74 C1 77   01          爐羨        包开始
00002F00   5C 8C 4D 80 FF FF FF FF  05 01 00 00 05 01 00 00   \孧€        
00002F10   0D 01 00 00 18 01 00 00  20 03 E1 00 24 EB 7D 07             ?$雧 
00002F20   05 04 00 00 0D 01 00 00  32 36 30 30 2E 78 70 73           2600.xps
00002F30   70 2E 30 38 30 34 31 33  2D 32 31 31 31 00 00 00   p.080413-2111   
00002F40   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                   
00002F50   28 73 2A C1 1F F8 D2 11  BA 4B 00 A0 C9 3E C9 3B   (s*? 篕 犐>?
00002F60   16 E3 C9 E3 5C 0B B8 4D  81 7D F9 2D F0 02 15 AE    闵鉢 窶 }?? ?
00002F70   A2 A0 D0 EB E5 B9 33 44  87 C0 68 B6 B7 26 99 C7   须骞3D嚴h斗&櫱
00002F80   AA C8 08 58 8F 7E E0 42  85 D2 E1 E9 04 34 CF B3    X ~郆呉衢 4铣
00002F90   A0 60 9B AF 31 14 62 00  78 A7 55 80 00 00 00 00   燻洴1 b x€    
00002FA0   70 A7 55 80 00 00 00 00  90 B1 54 80 00 00 00 00   p€     盩€    
00002FB0   68 97 55 80 00 00 00 00  80 97 55 80 00 00 00 00   h桿€    €桿€    
00002FC0   68 99 55 80 00 00 00 00  E8 4B 55 80 00 00 00 00   h橴€    鐺U€    
00002FD0   E0 4B 55 80 00 00 00 00  78 4F 55 80 00 00 00 00   郖U€    xOU€    
00002FE0   00 95 55 80 00 00 00 00  BC B0 54 80 00 00 00 00    昒€    及T€    
00002FF0   C4 99 55 80 00 00 00 00  C8 99 55 80 00 00 00 00   臋U€    葯U€     
00003000   EC 97 55 80 00 00 00 00  20 99 55 80 00 00 00 00   鞐U€     橴€    
00003010   38 4C 55 80 00 00 00 00  78 B5 54 80 00 00 00 00   8LU€    x礣€    
00003020   7C B5 54 80 00 00 00 00  34 4C 55 80 00 4F BC 68   |礣€    4LU€ O糷
00003030   33 11 71 4A 69 AD C1 1F  DD 6B 00 00 00            3 qJi 輐                   包结束,然而等待0xAA标志
 。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。
000034C0   00 2B AA 00 00 00 00 00  00 00 00 00 00 00 00 00    +?                    0xAA标志
000034D0   69 69 69 69 04 00 00 00  01 00 80 80 00 00 00 00   iiii      €€    
000034E0   30 30 30 30 02 00 38 00  01 00 80 80 67 11 00 00   0000  8   €€g   
000034F0   30 31 00 00 58 A9 B1 52  44 F4 7D 07 A0 74 C1 77   01  X┍RD魙 爐羨
上一篇下一篇

猜你喜欢

热点阅读