Windows內核調試器原理淺析(二)

case DbgKdContinueApi:
            if (NT_SUCCESS(ManipulateState.u.Continue.ContinueStatus) != FALSE) {
                return ContinueSuccess;
            } else {
                return ContinueError;
            }
            break;

        case DbgKdContinueApi2:
            if (NT_SUCCESS(ManipulateState.u.Continue2.ContinueStatus) != FALSE) {
                KdpGetStateChange(&ManipulateState,ContextRecord);
                return ContinueSuccess;
            } else {
                return ContinueError;
            }
            break;

        case DbgKdRebootApi:
            KdpReboot();
            break;

        case DbgKdReadMachineSpecificRegister:
            KdpReadMachineSpecificRegister(&ManipulateState,&MessageData,ContextRecord);
            break;

        case DbgKdWriteMachineSpecificRegister:
            KdpWriteMachineSpecificRegister(&ManipulateState,&MessageData,ContextRecord);
            break;

        case DbgKdSetSpecialCallApi:
            KdSetSpecialCall(&ManipulateState,ContextRecord);
            break;

        case DbgKdClearSpecialCallsApi:
            KdClearSpecialCalls();
            break;

        case DbgKdSetInternalBreakPointApi:
            KdSetInternalBreakpoint(&ManipulateState);
            break;

        case DbgKdGetInternalBreakPointApi:
            KdGetInternalBreakpoint(&ManipulateState);
            break;

        case DbgKdGetVersionApi:
            KdpGetVersion(&ManipulateState);
            break;

        case DbgKdCauseBugCheckApi:
            KdpCauseBugCheck(&ManipulateState);
            break;

        case DbgKdPageInApi:
            KdpNotSupported(&ManipulateState);
            break;

        case DbgKdWriteBreakPointExApi:
            Status = KdpWriteBreakPointEx(&ManipulateState,
                                          &MessageData,
                                          ContextRecord);
            if (Status) {
                ManipulateState.ApiNumber = DbgKdContinueApi;
                ManipulateState.u.Continue.ContinueStatus = Status;
                return ContinueError;
            }
            break;

        case DbgKdRestoreBreakPointExApi:
            KdpRestoreBreakPointEx(&ManipulateState,&MessageData,ContextRecord);
            break;

        case DbgKdSwitchProcessor:
            KdPortRestore ();
            ContinueStatus = KeSwitchFrozenProcessor(ManipulateState.Processor);
            KdPortSave ();
            return ContinueStatus;

        case DbgKdSearchMemoryApi:
            KdpSearchMemory(&ManipulateState, &MessageData, ContextRecord);
            break;

    讀寫(xiě)內存、搜索內存、設置/恢復斷點(diǎn)、繼續執行、重啟等等，WinDBG里的功能是不是都能實(shí)現了?呵呵。

    每次內核調試器接管系統是通過(guò)調用在KiDispatchException里調用KiDebugRoutine(KdpTrace)，但我們知道要讓系統執行到KiDispatchException必須是系統發(fā)生了異常。而內核調試器與被調試系統之間只是通過(guò)串口聯(lián)系，串口只會(huì )發(fā)生中斷，并不會(huì )讓系統引發(fā)異常。那么是怎么讓系統產(chǎn)生一個(gè)異常呢?答案就在KeUpdateSystemTime里，每當發(fā)生時(shí)鐘中斷后在HalpClockInterrupt做了一些底層處理后就會(huì )跳轉到這個(gè)函數來(lái)更新系統時(shí)間(因為是跳轉而不是調用，所以在WinDBG斷下來(lái)后回溯堆棧是不會(huì )發(fā)現HalpClockInterrupt的地址的)，是系統中調用最頻繁的幾個(gè)函數之一。在KeUpdateSystemTime里會(huì )判斷KdDebuggerEnable是否為T(mén)RUE，若為T(mén)RUE則調用KdPollBreakIn判斷是否有來(lái)自?xún)群?a class="contentlabel" href="http://dyxdggzs.com/news/listbylabel/label/調試器">調試器的包含中斷信息的包，若有則調用DbgBreakPointWithStatus，執行一個(gè)int 0x3指令，在異常處理流程進(jìn)入了KdpTrace后將根據處理不同向內核調試器發(fā)包并無(wú)限循環(huán)等待內核調試的回應?，F在能理解為什么在WinDBG里中斷系統后堆?；厮菘梢砸来伟l(fā)現KeUpdateSystemTime->RtlpBreakWithStatusInstruction，系統停在了int 0x3指令上(其實(shí)int 0x3已經(jīng)執行過(guò)了，只不過(guò)Eip被減了1而已)，實(shí)際已經(jīng)進(jìn)入KiDispatchException->KdpTrap，將控制權交給了內核調試器。