* Monitor Windows process activity by setting a breakpoint on an API and printing out the parameter contents. The breakpoint command below prints a separator, the call stack (kL), the lpFileName argument (first stack parameter, at esp+4 on x86), then steps out of the call (gu) and prints the returned handle in eax before resuming:

0:000> bp kernel32!CreateFileW ".echo ---------------------------------------;kL;du poi(@esp+4);gu;.echo =======;r eax;g"
0:000> g
ModLoad: 62c20000 62c29000 C:/WINDOWS/system32/LPK.DLL
ModLoad: 77180000 77283000 C:/WINDOWS/WinSxS/x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03/comctl32.dll
---------------------------------------
ChildEBP RetAddr
0012e374 7c814d65 kernel32!CreateFileW
0012e5dc 7c801d3a kernel32!BasepLoadLibraryAsDataFile+0x125
0012e640 7c8171dd kernel32!LoadLibraryExW+0x178
0012e66c 7c81715d kernel32!BasepSxsFindSuitableManifestResourceFor+0x51
0012e96c 7720b80d kernel32!CreateActCtxW+0x69e
0012eba4 7720b83f comctl32_77180000!SHFusionInitializeIDCC+0x83
0012ebb8 7720b857 comctl32_77180000!SHFusionInitializeID+0x12
0012ebc8 771841a9 comctl32_77180000!SHFusionInitialize+0xf
0012ebdc 77184267 comctl32_77180000!_ProcessAttach+0x32
0012ebe8 7c9211a7 comctl32_77180000!LibMain+0x21
0012ec08 7c93cbab ntdll!LdrpCallInitRoutine+0x14
0012ed10 7c936178 ntdll!LdrpRunInitializeRoutines+0x344
0012efbc 7c9362da ntdll!LdrpLoadDll+0x3e5
0012f264 7c801bb9 ntdll!LdrLoadDll+0x230
0012f2cc 7c80ae5c kernel32!LoadLibraryExW+0x18e
0012f2e0 77f5b1a3 kernel32!LoadLibraryW+0x11
0012f504 766a1110 SHLWAPI!LoadLibraryWrapW+0x51
0012f53c 766a10af WININET!SHFusionLoadLibrary+0x29
0012f548 766a107d WININET!DelayLoadCC+0x15
0012f77c 766a0ff7 WININET!SHFusionInitializeIDCC+0x92
0012e3d0 "C:/WINDOWS/WindowsShell.Manifest"
0012e410 ""
=======
eax=00000794
---------------------------------------
ChildEBP RetAddr
0012f8cc 7c801a4f kernel32!CreateFileW
0012f8f0 76d357ff kernel32!CreateFileA+0x30
0012f954 76d3570a iphlpapi!OpenIPDriver+0x115
0012f99c 76d35454 iphlpapi!OpenTCPDriver+0xee
0012f9d0 76d35351 iphlpapi!DllMain+0x157
0012f9f0 7c9211a7 iphlpapi!_DllMainCRTStartup+0x52
0012fa10 7c93cbab ntdll!LdrpCallInitRoutine+0x14
0012fb18 7c94173e ntdll!LdrpRunInitializeRoutines+0x344
0012fc94 7c941639 ntdll!LdrpInitializeProcess+0x1131
0012fd1c 7c92eac7 ntdll!_LdrpInitialize+0x183
00000000 00000000 ntdll!KiUserApcDispatcher+0x7
7ffdfc00 "//./Ip"
=======
eax=00000780
---------------------------------------
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:/Program Files/Tencent/QQ2009/Bin/KernelUtil.dll -
ChildEBP RetAddr
0012fc34 0044a69c kernel32!CreateFileW
*** ERROR: Module load completed but symbols could not be loaded for QQ.exe
WARNING: Stack unwind information not available. Following frames may be wrong.
0012fca8 004029bd KernelUtil!Version::Init+0x8c
0012ff08 004027d9 QQ+0x29bd
0012ff28 00402635 QQ+0x27d9
0012ffc0 7c816fd7 QQ+0x2635
0012fff0 00000000 kernel32!BaseProcessStart+0x23
00c8eca8 "C:/Program Files/Tencent/QQ2009/"
00c8ece8 "Bin/vi.dat"
=======
eax=00000720
---------------------------------------
ChildEBP RetAddr
0012eab4 0044a2ad kernel32!CreateFileW
WARNING: Stack unwind information not available. Following frames may be wrong.
0012fbb4 0044a4ea KernelUtil!Util::URL::OpenUrlWithTT+0x1cd
0012fc4c 0044a6fc KernelUtil!Version::GetBuildVer+0xca
0012fca8 004029bd KernelUtil!Version::Init+0xec
0012ff08 004027d9 QQ+0x29bd
0012ff28 00402635 QQ+0x27d9
0012ffc0 7c816fd7 QQ+0x2635
0012fff0 00000000 kernel32!BaseProcessStart+0x23
00c8ede0 "C:/Program Files/Tencent/QQ2009/"
00c8ee20 "Bin/QQ.exe"
=======
eax=00000720
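A breakpoint log like the one above gets long quickly, and two details make it awkward to read by eye: du wraps strings at 32 characters per line (which is why the longer paths above appear split across two quoted lines), and the interesting fact for an analyst is not the raw stack but which module outside kernel32 asked for the file and whether the open succeeded. The script below is an added example, not code from the original post: it parses the output of the breakpoint command into one record per CreateFileW hit (re-joined path, returned handle, first non-kernel32 frame) and flags opens that returned INVALID_HANDLE_VALUE. The sample log embedded in it is constructed in the same format as the page's output; the ExampleApp module and its path are placeholders.

```python
"""Turn a WinDbg CreateFileW breakpoint log (.echo ---;kL;du poi(@esp+4);gu;r eax) into a file-access inventory."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

SEPARATOR = "---------------------------------------"  # the .echo line that opens each hit
INVALID_HANDLE_VALUE = 0xFFFFFFFF                       # CreateFileW's failure return value

FRAME_RE = re.compile(r"^[0-9a-f]{8} [0-9a-f]{8} (\S+)$")  # kL frame: ChildEBP RetAddr Symbol
STRING_RE = re.compile(r'^[0-9a-f]{8} "(.*)"$')            # du line: Address "text"
EAX_RE = re.compile(r"^eax=([0-9a-f]{8})$")                # r eax after gu: the return value

# Constructed sample log: first hit taken from the page's output (stack abbreviated),
# second hit is a made-up failing open by a placeholder module called ExampleApp.
SAMPLE_LOG = """\
0:000> g
ModLoad: 62c20000 62c29000 C:/WINDOWS/system32/LPK.DLL
---------------------------------------
ChildEBP RetAddr
0012e374 7c814d65 kernel32!CreateFileW
0012e5dc 7c801d3a kernel32!BasepLoadLibraryAsDataFile+0x125
0012e640 7c8171dd kernel32!LoadLibraryExW+0x178
0012e96c 7720b80d kernel32!CreateActCtxW+0x69e
0012eba4 7720b83f comctl32_77180000!SHFusionInitializeIDCC+0x83
0012e3d0 "C:/WINDOWS/WindowsShell.Manifest"
0012e410 ""
=======
eax=00000794
---------------------------------------
ChildEBP RetAddr
0012fc34 0044a69c kernel32!CreateFileW
WARNING: Stack unwind information not available. Following frames may be wrong.
0012fca8 004029bd ExampleApp+0x29bd
0012ff08 004027d9 ExampleApp+0x27d9
0012fff0 00000000 kernel32!BaseProcessStart+0x23
00c8eca8 "C:/Program Files/ExampleApp/Bin/"
00c8ece8 "config.dat"
=======
eax=ffffffff
"""


@dataclass
class FileOpen:
    path: str
    handle: int
    frames: List[str] = field(default_factory=list)

    @property
    def failed(self) -> bool:
        return self.handle == INVALID_HANDLE_VALUE

    @property
    def caller(self) -> Optional[str]:
        # First frame outside kernel32 is the code that actually asked for the file.
        return next((f for f in self.frames if not f.startswith("kernel32!")), None)


def parse_log(text: str) -> List[FileOpen]:
    """One FileOpen per separator-delimited hit; chunks without an eax line are skipped."""
    records = []
    for chunk in text.split(SEPARATOR):
        frames, pieces, handle = [], [], None
        for raw in chunk.splitlines():
            line = raw.strip()
            if (m := FRAME_RE.match(line)):
                frames.append(m.group(1))
            elif (m := STRING_RE.match(line)):
                pieces.append(m.group(1))   # du wraps at 32 chars per line; re-join below
            elif (m := EAX_RE.match(line)):
                handle = int(m.group(1), 16)
        if handle is None:
            continue  # preamble (ModLoad lines) or a hit cut off before "r eax" ran
        records.append(FileOpen(path="".join(pieces), handle=handle, frames=frames))
    return records


def report(records: List[FileOpen]) -> List[str]:
    """Human-readable inventory lines: status, path, and the requesting module."""
    lines = []
    for r in records:
        status = "FAILED" if r.failed else f"handle=0x{r.handle:x}"
        lines.append(f"{status:<14} {r.path}  <- {r.caller or '?'}")
    return lines


if __name__ == "__main__":
    for line in report(parse_log(SAMPLE_LOG)):
        print(line)
```

Feed it a real session log (the text between the first separator and the point where you stopped the debugger) instead of SAMPLE_LOG to get a per-file list of what the process touched and from which module; failed opens are often the more useful rows, since they show paths the program probed but did not find.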