Windows內(nèi)核調(diào)試器原理淺析(二)

case DbgKdContinueApi:
            if (NT_SUCCESS(ManipulateState.u.Continue.ContinueStatus) != FALSE) {
                return ContinueSuccess;
            } else {
                return ContinueError;
            }
            break;

        case DbgKdContinueApi2:
            if (NT_SUCCESS(ManipulateState.u.Continue2.ContinueStatus) != FALSE) {
                KdpGetStateChange(&ManipulateState,ContextRecord);
                return ContinueSuccess;
            } else {
                return ContinueError;
            }
            break;

        case DbgKdRebootApi:
            KdpReboot();
            break;

        case DbgKdReadMachineSpecificRegister:
            KdpReadMachineSpecificRegister(&ManipulateState,&MessageData,ContextRecord);
            break;

        case DbgKdWriteMachineSpecificRegister:
            KdpWriteMachineSpecificRegister(&ManipulateState,&MessageData,ContextRecord);
            break;

        case DbgKdSetSpecialCallApi:
            KdSetSpecialCall(&ManipulateState,ContextRecord);
            break;

        case DbgKdClearSpecialCallsApi:
            KdClearSpecialCalls();
            break;

        case DbgKdSetInternalBreakPointApi:
            KdSetInternalBreakpoint(&ManipulateState);
            break;

        case DbgKdGetInternalBreakPointApi:
            KdGetInternalBreakpoint(&ManipulateState);
            break;

        case DbgKdGetVersionApi:
            KdpGetVersion(&ManipulateState);
            break;

        case DbgKdCauseBugCheckApi:
            KdpCauseBugCheck(&ManipulateState);
            break;

        case DbgKdPageInApi:
            KdpNotSupported(&ManipulateState);
            break;

        case DbgKdWriteBreakPointExApi:
            Status = KdpWriteBreakPointEx(&ManipulateState,
                                          &MessageData,
                                          ContextRecord);
            if (Status) {
                ManipulateState.ApiNumber = DbgKdContinueApi;
                ManipulateState.u.Continue.ContinueStatus = Status;
                return ContinueError;
            }
            break;

        case DbgKdRestoreBreakPointExApi:
            KdpRestoreBreakPointEx(&ManipulateState,&MessageData,ContextRecord);
            break;

        case DbgKdSwitchProcessor:
            KdPortRestore ();
            ContinueStatus = KeSwitchFrozenProcessor(ManipulateState.Processor);
            KdPortSave ();
            return ContinueStatus;

        case DbgKdSearchMemoryApi:
            KdpSearchMemory(&ManipulateState, &MessageData, ContextRecord);
            break;

    讀寫內(nèi)存、搜索內(nèi)存、設(shè)置/恢復(fù)斷點、繼續(xù)執(zhí)行、重啟等等，WinDBG里的功能是不是都能實現(xiàn)了?呵呵。

    每次內(nèi)核調(diào)試器接管系統(tǒng)是通過調(diào)用在KiDispatchException里調(diào)用KiDebugRoutine(KdpTrace)，但我們知道要讓系統(tǒng)執(zhí)行到KiDispatchException必須是系統(tǒng)發(fā)生了異常。而內(nèi)核調(diào)試器與被調(diào)試系統(tǒng)之間只是通過串口聯(lián)系，串口只會發(fā)生中斷，并不會讓系統(tǒng)引發(fā)異常。那么是怎么讓系統(tǒng)產(chǎn)生一個異常呢?答案就在KeUpdateSystemTime里，每當(dāng)發(fā)生時鐘中斷后在HalpClockInterrupt做了一些底層處理后就會跳轉(zhuǎn)到這個函數(shù)來更新系統(tǒng)時間(因為是跳轉(zhuǎn)而不是調(diào)用，所以在WinDBG斷下來后回溯堆棧是不會發(fā)現(xiàn)HalpClockInterrupt的地址的)，是系統(tǒng)中調(diào)用最頻繁的幾個函數(shù)之一。在KeUpdateSystemTime里會判斷KdDebuggerEnable是否為TRUE，若為TRUE則調(diào)用KdPollBreakIn判斷是否有來自內(nèi)核調(diào)試器的包含中斷信息的包，若有則調(diào)用DbgBreakPointWithStatus，執(zhí)行一個int 0x3指令，在異常處理流程進入了KdpTrace后將根據(jù)處理不同向內(nèi)核調(diào)試器發(fā)包并無限循環(huán)等待內(nèi)核調(diào)試的回應(yīng)?，F(xiàn)在能理解為什么在WinDBG里中斷系統(tǒng)后堆?；厮菘梢砸来伟l(fā)現(xiàn)KeUpdateSystemTime->RtlpBreakWithStatusInstruction，系統(tǒng)停在了int 0x3指令上(其實int 0x3已經(jīng)執(zhí)行過了，只不過Eip被減了1而已)，實際已經(jīng)進入KiDispatchException->KdpTrap，將控制權(quán)交給了內(nèi)核調(diào)試器。