Windows內(nèi)核調(diào)試器原理淺析(二)

case DbgKdContinueApi:
            if (NT_SUCCESS(ManipulateState.u.Continue.ContinueStatus) != FALSE) {
                return ContinueSuccess;
            } else {
                return ContinueError;
            }
            break;

        case DbgKdContinueApi2:
            if (NT_SUCCESS(ManipulateState.u.Continue2.ContinueStatus) != FALSE) {
                KdpGetStateChange(&ManipulateState,ContextRecord);
                return ContinueSuccess;
            } else {
                return ContinueError;
            }
            break;

        case DbgKdRebootApi:
            KdpReboot();
            break;

        case DbgKdReadMachineSpecificRegister:
            KdpReadMachineSpecificRegister(&ManipulateState,&MessageData,ContextRecord);
            break;

        case DbgKdWriteMachineSpecificRegister:
            KdpWriteMachineSpecificRegister(&ManipulateState,&MessageData,ContextRecord);
            break;

        case DbgKdSetSpecialCallApi:
            KdSetSpecialCall(&ManipulateState,ContextRecord);
            break;

        case DbgKdClearSpecialCallsApi:
            KdClearSpecialCalls();
            break;

        case DbgKdSetInternalBreakPointApi:
            KdSetInternalBreakpoint(&ManipulateState);
            break;

        case DbgKdGetInternalBreakPointApi:
            KdGetInternalBreakpoint(&ManipulateState);
            break;

        case DbgKdGetVersionApi:
            KdpGetVersion(&ManipulateState);
            break;

        case DbgKdCauseBugCheckApi:
            KdpCauseBugCheck(&ManipulateState);
            break;

        case DbgKdPageInApi:
            KdpNotSupported(&ManipulateState);
            break;

        case DbgKdWriteBreakPointExApi:
            Status = KdpWriteBreakPointEx(&ManipulateState,
                                          &MessageData,
                                          ContextRecord);
            if (Status) {
                ManipulateState.ApiNumber = DbgKdContinueApi;
                ManipulateState.u.Continue.ContinueStatus = Status;
                return ContinueError;
            }
            break;

        case DbgKdRestoreBreakPointExApi:
            KdpRestoreBreakPointEx(&ManipulateState,&MessageData,ContextRecord);
            break;

        case DbgKdSwitchProcessor:
            KdPortRestore ();
            ContinueStatus = KeSwitchFrozenProcessor(ManipulateState.Processor);
            KdPortSave ();
            return ContinueStatus;

        case DbgKdSearchMemoryApi:
            KdpSearchMemory(&ManipulateState, &MessageData, ContextRecord);
            break;

    讀寫(xiě)內(nèi)存、搜索內(nèi)存、設(shè)置/恢復(fù)斷點(diǎn)、繼續(xù)執(zhí)行、重啟等等，WinDBG里的功能是不是都能實(shí)現(xiàn)了?呵呵。

    每次內(nèi)核調(diào)試器接管系統(tǒng)是通過(guò)調(diào)用在KiDispatchException里調(diào)用KiDebugRoutine(KdpTrace)，但我們知道要讓系統(tǒng)執(zhí)行到KiDispatchException必須是系統(tǒng)發(fā)生了異常。而內(nèi)核調(diào)試器與被調(diào)試系統(tǒng)之間只是通過(guò)串口聯(lián)系，串口只會(huì)發(fā)生中斷，并不會(huì)讓系統(tǒng)引發(fā)異常。那么是怎么讓系統(tǒng)產(chǎn)生一個(gè)異常呢?答案就在KeUpdateSystemTime里，每當(dāng)發(fā)生時(shí)鐘中斷后在HalpClockInterrupt做了一些底層處理后就會(huì)跳轉(zhuǎn)到這個(gè)函數(shù)來(lái)更新系統(tǒng)時(shí)間(因?yàn)槭翘D(zhuǎn)而不是調(diào)用，所以在WinDBG斷下來(lái)后回溯堆棧是不會(huì)發(fā)現(xiàn)HalpClockInterrupt的地址的)，是系統(tǒng)中調(diào)用最頻繁的幾個(gè)函數(shù)之一。在KeUpdateSystemTime里會(huì)判斷KdDebuggerEnable是否為T(mén)RUE，若為T(mén)RUE則調(diào)用KdPollBreakIn判斷是否有來(lái)自?xún)?nèi)核調(diào)試器的包含中斷信息的包，若有則調(diào)用DbgBreakPointWithStatus，執(zhí)行一個(gè)int 0x3指令，在異常處理流程進(jìn)入了KdpTrace后將根據(jù)處理不同向內(nèi)核調(diào)試器發(fā)包并無(wú)限循環(huán)等待內(nèi)核調(diào)試的回應(yīng)?，F(xiàn)在能理解為什么在WinDBG里中斷系統(tǒng)后堆棧回溯可以依次發(fā)現(xiàn)KeUpdateSystemTime->RtlpBreakWithStatusInstruction，系統(tǒng)停在了int 0x3指令上(其實(shí)int 0x3已經(jīng)執(zhí)行過(guò)了，只不過(guò)Eip被減了1而已)，實(shí)際已經(jīng)進(jìn)入KiDispatchException->KdpTrap，將控制權(quán)交給了內(nèi)核調(diào)試器。