WinDbg使用心得N+1

元始天尊 · 发表于 2015-2-1 00:09:25

欢迎访问技术宅的结界，请注册或者登录吧。

您需要登录才可以下载或查看，没有账号？立即注册→加入我们

×

本帖最后由元始天尊于 2015-2-1 09:33 编辑

今天突发奇想研究fastdns，张慧星写的dns加速器，想研究其实现原理。开始以为使用什么dns api呢，研究了一天加上昨天滑雪回来腰酸背痛，效率好低，整整一天才用windbg研究了个大概。要是该软件不用borland而用vc写，我会感觉爽很多，borland那么多库函数，各种对象封装，着实难弄。现在的研究结果有2个：
1.该软件dns测速部分采用mswsock.dll的wsp*系列函数。
2.如何使用windbg得到api调用记录

对于单个dll，例如我要跟踪mswsock.dll的wsp*导出函数调用记录，可以用bm mswsock!*WSP* "kc1;gc",结果如下：

MSWSOCK!WSPSetSockOpt

MSWSOCK!WSPSendTo

MSWSOCK!WSPBind

MSWSOCK!WSPSelect

MSWSOCK!WSPRecvFrom

KERNEL32!GetCurrentProcess

MSWSOCK!WSPSocket

MSWSOCK!WSPShutdown

MSWSOCK!WSPCloseSocket

MSWSOCK!WSPSetSockOpt

MSWSOCK!WSPSendTo

MSWSOCK!WSPBind

MSWSOCK!WSPSelect

MSWSOCK!WSPRecvFrom

MSWSOCK!WSPRecvFrom

MSWSOCK!WSPSendTo

MSWSOCK!WSPSendTo

MSWSOCK!WSPSelect

MSWSOCK!WSPSelect
。。。

扩展到所有加载dll，自然用x指令+foreach循环
我提供3种方式：
bm * "kc1;g"
.foreach (addr {x /0 /D /f *!*}) {bp ${addr} "kc1;g"}
.foreach (addr {.foreach (mod {lm 1m}) {x /0 /D /f ${mod}!*}}) {bp addr "kc1;g"}
很长时间以后你会发现所有api和符号都下了断点，每次经过断点并不停下，而是打印该函数
一般不建议这么做，而是挑一些关键dll按照前面的方法下断

PS：本文成果纯属个人研究，绝无抄袭之处。论坛中有些文章，实在是。。。别人都写过了，你搬过来有什么意义呢，你感觉你创造什？蒙骗了小白？还是浪费了时间？其次，对于我个人，不是我写的我会注明出处。很多人还是缺乏自己的想法，机械地学习。另外一些则是花哨的东西，要有实用价值，我在这里还没发现有真正“大牛”水平的程序员，浮躁和耍酷是程序员的通病，希望大家有则改之，这句话对包括我和我认识的人在内，都是适用的。
想想3个月前还在苦逼的看数据结构和算法，自己默默研究，即使很多东西初学，不过论坛里仍不乏我创新的足迹，我的文章几乎可以达到篇篇都有自己的创新点（不过我的缺点是看别人文章不是很多因此和别人研究重复了或者有错误），虽然有错误，但是也有亮点，再看看近来的帖子，你们都喜欢摆一堆看起来完美实则别人都研究过已无研究性的东西放在那里让别人认为你是大牛吗？觉得对的给我赞，觉得伤了自尊心的当我没说，好吧。

元始天尊 · 发表于 2015-2-1 22:27:21

本帖最后由元始天尊于 2015-2-1 22:29 编辑

接上面所述，既然知道 fastdns在测速时的api调用序列，通过调用栈就可以知道其实还是调用的ws2_32中的函数，如下：
WS2_32!socket
WS2_32!setsockopt
WS2_32!htons
WS2_32!sendto
WS2_32!select
WS2_32!shutdown
WS2_32!closesocket

针对每个函数，我编写了相应的命令以输出更有用的信息（超强^_^可以用于其他软件）：
bp WS2_32!socket    "~.;.printf \"socket: af=%d type=%d protocol=%d \",poi(esp+4),poi(esp+8),poi(esp+0x0C);gu;.printf \"socket=%d\\n\",eax;gc"
bp WS2_32!setsockopt "~.;.printf \"setsockopt: socket=%d level=%d optname=%d optval=%d optlen=%d\\n\",poi(esp+4),poi(esp+8),poi(esp+0x0c),poi(poi(esp+0x10)),poi(esp+0x14);gc"
bp WS2_32!htons       "~.;.printf \"htons: port=%d\\n\",poi(esp+4)&0xffff;gc"
bp WS2_32!sendto    "~.;r $t0=poi(poi(esp+0x14)+4);.printf \"sendto: socket=%d ip=%d.%d.%d.%d:%d send=\\n\",poi(esp+4),$t0&0xff,($t0>>8)&0xff,($t0>>0x10)&0xff,($t0>>0x18)&0xff,poi(poi(esp+0x14)+2)&0xffff;db poi(esp+8) lpoi(esp+0x0C);gc"
bp WS2_32!select    "~.;.printf \"select: socket=%d timeout=%d.%ds\\n\",poi(poi(esp+8)+4),poi(poi(esp+0x14)),poi(poi(esp+0x14)+4);gc"
bp WS2_32!shutdown    "~.;.printf \"shutdown: socket=%d how=%d\\n\",poi(esp+4),poi(esp+8);gc"
bp WS2_32!closesocket  "~.;.printf \"closesocket: socket=%d\\n\",poi(esp+4);gc"

得到运行结果如下：
Create thread 1:2b48
.  1  Id: 31f8.2b48 Suspend: 1 Teb: 7ffda000 Unfrozen
   Start: *** WARNING: Unable to verify checksum for FastDNS.exe
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for FastDNS.exe -
FastDNS!Rtflabelinitialization$qqrv+0x25458 (0043d310)
   Priority: 0  Priority class: 32  Affinity: f
socket: af=2 type=2 protocol=0 socket=976
.  1  Id: 31f8.2b48 Suspend: 1 Teb: 7ffda000 Unfrozen
   Start: FastDNS!Rtflabelinitialization$qqrv+0x25458 (0043d310)
   Priority: 0  Priority class: 32  Affinity: f
setsockopt: socket=976 level=65535 optname=32 optval=0 optlen=4
.  1  Id: 31f8.2b48 Suspend: 1 Teb: 7ffda000 Unfrozen
   Start: FastDNS!Rtflabelinitialization$qqrv+0x25458 (0043d310)
   Priority: 0  Priority class: 32  Affinity: f

WS2_32!htons
.  1  Id: 31f8.2b48 Suspend: 1 Teb: 7ffda000 Unfrozen
   Start: FastDNS!Rtflabelinitialization$qqrv+0x25458 (0043d310)
   Priority: 0  Priority class: 32  Affinity: f
sendto: socket=976 ip=4.2.2.1:13568 send=
01c284b0  11 a9 01 00 00 01 00 00-00 00 00 00 03 77 77 77  .............www
01c284c0  09 6d 69 63 72 6f 73 6f-66 74 03 63 6f 6d 00 00  .microsoft.com..
01c284d0  01 00 01                                        ...
.  1  Id: 31f8.2b48 Suspend: 1 Teb: 7ffda000 Unfrozen
   Start: FastDNS!Rtflabelinitialization$qqrv+0x25458 (0043d310)
   Priority: 0  Priority class: 32  Affinity: f

WS2_32!htons
.  1  Id: 31f8.2b48 Suspend: 1 Teb: 7ffda000 Unfrozen
   Start: FastDNS!Rtflabelinitialization$qqrv+0x25458 (0043d310)
   Priority: 0  Priority class: 32  Affinity: f
select: socket=976 timeout=2.0s
.  1  Id: 31f8.2b48 Suspend: 1 Teb: 7ffda000 Unfrozen
   Start: FastDNS!Rtflabelinitialization$qqrv+0x25458 (0043d310)
   Priority: 0  Priority class: 32  Affinity: f

WS2_32!htons
Create thread 5:17b8
.  5  Id: 31f8.17b8 Suspend: 1 Teb: 7fe99000 Unfrozen
   Start: FastDNS!Rtflabelinitialization$qqrv+0x25458 (0043d310)
   Priority: 0  Priority class: 32  Affinity: f
socket: af=2 type=2 protocol=0 .  1  Id: 31f8.2b48 Suspend: 1 Teb: 7ffda000 Unfrozen
   Start: FastDNS!Rtflabelinitialization$qqrv+0x25458 (0043d310)
   Priority: 0  Priority class: 32  Affinity: f
shutdown: socket=976 how=1
.  1  Id: 31f8.2b48 Suspend: 1 Teb: 7ffda000 Unfrozen
   Start: FastDNS!Rtflabelinitialization$qqrv+0x25458 (0043d310)
   Priority: 0  Priority class: 32  Affinity: f
closesocket: socket=976
socket=924
.  5  Id: 31f8.17b8 Suspend: 1 Teb: 7fe99000 Unfrozen
   Start: FastDNS!Rtflabelinitialization$qqrv+0x25458 (0043d310)
   Priority: 0  Priority class: 32  Affinity: f
setsockopt: socket=924 level=65535 optname=32 optval=0 optlen=4
.  5  Id: 31f8.17b8 Suspend: 1 Teb: 7fe99000 Unfrozen
   Start: FastDNS!Rtflabelinitialization$qqrv+0x25458 (0043d310)
   Priority: 0  Priority class: 32  Affinity: f

WS2_32!htons
.  5  Id: 31f8.17b8 Suspend: 1 Teb: 7fe99000 Unfrozen
   Start: FastDNS!Rtflabelinitialization$qqrv+0x25458 (0043d310)
   Priority: 0  Priority class: 32  Affinity: f
sendto: socket=924 ip=4.2.2.2:13568 send=
01c28b38  20 d8 01 00 00 01 00 00-00 00 00 00 03 77 77 77 ............www
01c28b48  09 6d 69 63 72 6f 73 6f-66 74 03 63 6f 6d 00 00  .microsoft.com..
01c28b58  01 00 01                                        ...
.  5  Id: 31f8.17b8 Suspend: 1 Teb: 7fe99000 Unfrozen
   Start: FastDNS!Rtflabelinitialization$qqrv+0x25458 (0043d310)
   Priority: 0  Priority class: 32  Affinity: f

WS2_32!htons
.  5  Id: 31f8.17b8 Suspend: 1 Teb: 7fe99000 Unfrozen
   Start: FastDNS!Rtflabelinitialization$qqrv+0x25458 (0043d310)
   Priority: 0  Priority class: 32  Affinity: f
select: socket=924 timeout=2.0s
(31f8.17b8): Unknown exception - code 0eedfade (first chance)
Create thread 1:24ec
.  1  Id: 31f8.24ec Suspend: 1 Teb: 7ffda000 Unfrozen
   Start: FastDNS!Rtflabelinitialization$qqrv+0x25458 (0043d310)
   Priority: 0  Priority class: 32  Affinity: f
socket: af=2 type=2 protocol=0 .  5  Id: 31f8.17b8 Suspend: 1 Teb: 7fe99000 Unfrozen
   Start: FastDNS!Rtflabelinitialization$qqrv+0x25458 (0043d310)
   Priority: 0  Priority class: 32  Affinity: f
shutdown: socket=924 how=1
.  5  Id: 31f8.17b8 Suspend: 1 Teb: 7fe99000 Unfrozen
   Start: FastDNS!Rtflabelinitialization$qqrv+0x25458 (0043d310)
   Priority: 0  Priority class: 32  Affinity: f
closesocket: socket=924
socket=1020
.  1  Id: 31f8.24ec Suspend: 1 Teb: 7ffda000 Unfrozen
   Start: FastDNS!Rtflabelinitialization$qqrv+0x25458 (0043d310)
   Priority: 0  Priority class: 32  Affinity: f
setsockopt: socket=1020 level=65535 optname=32 optval=0 optlen=4
.  1  Id: 31f8.24ec Suspend: 1 Teb: 7ffda000 Unfrozen
   Start: FastDNS!Rtflabelinitialization$qqrv+0x25458 (0043d310)
   Priority: 0  Priority class: 32  Affinity: f

WS2_32!htons
.  1  Id: 31f8.24ec Suspend: 1 Teb: 7ffda000 Unfrozen
   Start: FastDNS!Rtflabelinitialization$qqrv+0x25458 (0043d310)
   Priority: 0  Priority class: 32  Affinity: f
sendto: socket=1020 ip=4.2.2.3:13568 send=
01c1d740  17 dd 01 00 00 01 00 00-00 00 00 00 03 77 77 77  .............www
01c1d750  09 6d 69 63 72 6f 73 6f-66 74 03 63 6f 6d 00 00  .microsoft.com..
01c1d760  01 00 01                                        ...
.  1  Id: 31f8.24ec Suspend: 1 Teb: 7ffda000 Unfrozen
   Start: FastDNS!Rtflabelinitialization$qqrv+0x25458 (0043d310)
   Priority: 0  Priority class: 32  Affinity: f

WS2_32!htons
.  1  Id: 31f8.24ec Suspend: 1 Teb: 7ffda000 Unfrozen
   Start: FastDNS!Rtflabelinitialization$qqrv+0x25458 (0043d310)
   Priority: 0  Priority class: 32  Affinity: f
select: socket=1020 timeout=2.0s
.  1  Id: 31f8.24ec Suspend: 1 Teb: 7ffda000 Unfrozen
   Start: FastDNS!Rtflabelinitialization$qqrv+0x25458 (0043d310)
   Priority: 0  Priority class: 32  Affinity: f

WS2_32!htons
Create thread 5:3b0
.  5  Id: 31f8.3b0 Suspend: 1 Teb: 7fe99000 Unfrozen
   Start: FastDNS!Rtflabelinitialization$qqrv+0x25458 (0043d310)
   Priority: 0  Priority class: 32  Affinity: f
socket: af=2 type=2 protocol=0 socket=516
.  5  Id: 31f8.3b0 Suspend: 1 Teb: 7fe99000 Unfrozen
   Start: FastDNS!Rtflabelinitialization$qqrv+0x25458 (0043d310)
   Priority: 0  Priority class: 32  Affinity: f
setsockopt: socket=516 level=65535 optname=32 optval=0 optlen=4
.  5  Id: 31f8.3b0 Suspend: 1 Teb: 7fe99000 Unfrozen
   Start: FastDNS!Rtflabelinitialization$qqrv+0x25458 (0043d310)
   Priority: 0  Priority class: 32  Affinity: f

WS2_32!htons
.  5  Id: 31f8.3b0 Suspend: 1 Teb: 7fe99000 Unfrozen
   Start: FastDNS!Rtflabelinitialization$qqrv+0x25458 (0043d310)
   Priority: 0  Priority class: 32  Affinity: f
sendto: socket=516 ip=4.2.2.4:13568 send=
01c29614  4b 87 01 00 00 01 00 00-00 00 00 00 03 77 77 77  K............www
01c29624  09 6d 69 63 72 6f 73 6f-66 74 03 63 6f 6d 00 00  .microsoft.com..
01c29634  01 00 01                                        ...
.  5  Id: 31f8.3b0 Suspend: 1 Teb: 7fe99000 Unfrozen
   Start: FastDNS!Rtflabelinitialization$qqrv+0x25458 (0043d310)
   Priority: 0  Priority class: 32  Affinity: f

WS2_32!htons
.  1  Id: 31f8.24ec Suspend: 1 Teb: 7ffda000 Unfrozen
   Start: FastDNS!Rtflabelinitialization$qqrv+0x25458 (0043d310)
   Priority: 0  Priority class: 32  Affinity: f
shutdown: socket=1020 how=1
.  1  Id: 31f8.24ec Suspend: 1 Teb: 7ffda000 Unfrozen
   Start: FastDNS!Rtflabelinitialization$qqrv+0x25458 (0043d310)
   Priority: 0  Priority class: 32  Affinity: f
closesocket: socket=1020
.  5  Id: 31f8.3b0 Suspend: 1 Teb: 7fe99000 Unfrozen
   Start: FastDNS!Rtflabelinitialization$qqrv+0x25458 (0043d310)
   Priority: 0  Priority class: 32  Affinity: f
select: socket=516 timeout=2.0s
(31f8.3b0): Unknown exception - code 0eedfade (first chance)
Create thread 1:1f80
.  1  Id: 31f8.1f80 Suspend: 1 Teb: 7ffda000 Unfrozen
   Start: FastDNS!Rtflabelinitialization$qqrv+0x25458 (0043d310)
   Priority: 0  Priority class: 32  Affinity: f
socket: af=2 type=2 protocol=0 .  5  Id: 31f8.3b0 Suspend: 1 Teb: 7fe99000 Unfrozen
   Start: FastDNS!Rtflabelinitialization$qqrv+0x25458 (0043d310)
   Priority: 0  Priority class: 32  Affinity: f
shutdown: socket=516 how=1
.  5  Id: 31f8.3b0 Suspend: 1 Teb: 7fe99000 Unfrozen
   Start: FastDNS!Rtflabelinitialization$qqrv+0x25458 (0043d310)
   Priority: 0  Priority class: 32  Affinity: f
closesocket: socket=516
socket=1020
.  1  Id: 31f8.1f80 Suspend: 1 Teb: 7ffda000 Unfrozen
   Start: FastDNS!Rtflabelinitialization$qqrv+0x25458 (0043d310)
   Priority: 0  Priority class: 32  Affinity: f
setsockopt: socket=1020 level=65535 optname=32 optval=0 optlen=4
.  1  Id: 31f8.1f80 Suspend: 1 Teb: 7ffda000 Unfrozen
   Start: FastDNS!Rtflabelinitialization$qqrv+0x25458 (0043d310)
   Priority: 0  Priority class: 32  Affinity: f

WS2_32!htons
.  1  Id: 31f8.1f80 Suspend: 1 Teb: 7ffda000 Unfrozen
   Start: FastDNS!Rtflabelinitialization$qqrv+0x25458 (0043d310)
   Priority: 0  Priority class: 32  Affinity: f
sendto: socket=1020 ip=4.2.2.5:13568 send=
01c38304  66 79 01 00 00 01 00 00-00 00 00 00 03 77 77 77  fy...........www
01c38314  09 6d 69 63 72 6f 73 6f-66 74 03 63 6f 6d 00 00  .microsoft.com..
01c38324  01 00 01                                        ...
.  1  Id: 31f8.1f80 Suspend: 1 Teb: 7ffda000 Unfrozen
   Start: FastDNS!Rtflabelinitialization$qqrv+0x25458 (0043d310)
   Priority: 0  Priority class: 32  Affinity: f

WS2_32!htons
.  1  Id: 31f8.1f80 Suspend: 1 Teb: 7ffda000 Unfrozen
   Start: FastDNS!Rtflabelinitialization$qqrv+0x25458 (0043d310)
   Priority: 0  Priority class: 32  Affinity: f
select: socket=1020 timeout=2.0s
(31f8.1f80): Unknown exception - code 0eedfade (first chance)
Create thread 2:2ea0
.  2  Id: 31f8.2ea0 Suspend: 1 Teb: 7ffd7000 Unfrozen
   Start: FastDNS!Rtflabelinitialization$qqrv+0x25458 (0043d310)
   Priority: 0  Priority class: 32  Affinity: f
socket: af=2 type=2 protocol=0 socket=828
.  2  Id: 31f8.2ea0 Suspend: 1 Teb: 7ffd7000 Unfrozen
   Start: FastDNS!Rtflabelinitialization$qqrv+0x25458 (0043d310)
   Priority: 0  Priority class: 32  Affinity: f
setsockopt: socket=828 level=65535 optname=32 optval=0 optlen=4
.  1  Id: 31f8.1f80 Suspend: 1 Teb: 7ffda000 Unfrozen
   Start: FastDNS!Rtflabelinitialization$qqrv+0x25458 (0043d310)
   Priority: 0  Priority class: 32  Affinity: f
shutdown: socket=1020 how=1
.  1  Id: 31f8.1f80 Suspend: 1 Teb: 7ffda000 Unfrozen
   Start: FastDNS!Rtflabelinitialization$qqrv+0x25458 (0043d310)
   Priority: 0  Priority class: 32  Affinity: f
closesocket: socket=1020
.  2  Id: 31f8.2ea0 Suspend: 1 Teb: 7ffd7000 Unfrozen
   Start: FastDNS!Rtflabelinitialization$qqrv+0x25458 (0043d310)
   Priority: 0  Priority class: 32  Affinity: f

WS2_32!htons
.  2  Id: 31f8.2ea0 Suspend: 1 Teb: 7ffd7000 Unfrozen
   Start: FastDNS!Rtflabelinitialization$qqrv+0x25458 (0043d310)
   Priority: 0  Priority class: 32  Affinity: f
。。。。。。。。。。。。
按单个线程来分析，得到api调用序列如下：
线程2b48：
socket
setsockopt
htons 53
sendto
select
recvfrom
htons 13568
shutdown
closesocket

发现sub_40970C sub_40EA3C为重要函数，可以从中分析出流程
今天分析到这里，以后再分析

renminbi · 发表于 2015-9-6 09:59:19

调试网络程序的好方法

账号		自动登录	找回密码
密码			立即注册→加入我们