kmd 调试技巧
2017-08-24 19:45
106 查看
kmd 调试技巧
1.一般根据bar0的起始地址+寄存器的起始地址+具体寄存器的偏移地址
2.!pci 100 bus_num device_num function_num显示pci信息
3.!dd [uc] address
4.kdfiles命令替换kmd driver文件
Replacing driver files can be difficult. Frequently, you have to boot to the Microsoft Windows safe
build, replace the driver binary, and then boot again.
However, Windows XP and later versions of Windows support a simpler method of replacing driver files. You can
use this method to replace any kernel-mode driver (including display drivers), any Windows subsystem driver, or any other kernel-mode module. For simplicity, these files are called drivers in
this topic, even though you can use this method for any kernel-mode module.
You can use this method whenever WinDbg or KD is attached as a kernel debugger. You can also use this method
on a boot driver, but it is more difficult. For more information about how to use this method with boot drivers, see Replacing Boot Drivers.
To use a driver replacement map to replace driver files, do the following:
Create a driver replacement map file. This file is a text file that lists the drivers on the target computer and their replacement drivers on the host computer. You can replace any number of drivers. For example, you might create a file that is named
Mymap.ini in the d:\Map_Files directory of your host computer that contains the following information.
Copy
For more information about the syntax of this file, see Driver Replacement Map File Format.
Set up a kernel debugging connection to the target computer, and start the kernel debugger (KD or WinDbg) on your host computer. (You do not have to actually break in to the target computer.)
Load the driver replacement map file by doing one of the following:
Set the _NT_KD_FILES environment variable before
you start the kernel debugger.
Copy
Use the .kdfiles
(Set Driver Replacement Map) command after you start the kernel debugger.
Copy
You can also use the .kdfiles command to display the current driver replacement map file or to delete the driver replacement map.
If you do not use this command, the map persists until you exit the debugger.
After you complete this procedure, the driver replacement map takes effect.
Whenever the target computer is about to load a driver, it queries the kernel debugger to determine whether this driver has been mapped. If the driver has been mapped, the replacement file is sent over the kernel connection and copied over the old driver file.
The new driver is then loaded.
Each driver file replacement is indicated by three lines in the driver replacement map file.
The first line consists of the word "map".
The second line specifies the path and file name of the old driver on the target computer.
The third line specifies the full path of the new driver. This driver can be located on the host computer or on some other server.
You can repeat this pattern of information any number of times.
Paths and file names are case insensitive, and the actual driver file names can be different. The file that you specify on the third line is copied over the file that you specify on the second line when the target computer is about to load that driver.
Kdfiles will attempt to match the file name that is stored in the Service Control Manager (SCM) database. The name in the SCM database is identical to the name that was passed to MmLoadSystemImage.
In Windows 10 and later versions of the debugging tools, driver mapping works to match the driver name dynamically and determine the proper path. The full path does not need to be specified and the file extension is optional. You can use any of these entries
to match the NT file system driver.
ntfs
NTFS
ntfs.sys
windows\system32\drivers\ntfs.sys
You can use any of these entries to match the NT kernel driver.
ntoskrnl
NTOSKRNL
ntoskrnl.sys
windows\system32\drivers\ntoskrnl.sys
The map file can include blank lines and can include comment lines that begin with a number sign (#). However, after "map" appears
in the file, the next two lines must be the old driver and the new driver. The blank lines and comment lines cannot break up the three-line map blocks.
The following example shows a driver replacement map file.
Copy
The driver replacement map file must be a text file, but you can use any file name and file name extension (.ini, .txt, .map, and so on).
1.一般根据bar0的起始地址+寄存器的起始地址+具体寄存器的偏移地址
2.!pci 100 bus_num device_num function_num显示pci信息
3.!dd [uc] address
4.kdfiles命令替换kmd driver文件
Replacing driver files can be difficult. Frequently, you have to boot to the Microsoft Windows safe
build, replace the driver binary, and then boot again.
However, Windows XP and later versions of Windows support a simpler method of replacing driver files. You can
use this method to replace any kernel-mode driver (including display drivers), any Windows subsystem driver, or any other kernel-mode module. For simplicity, these files are called drivers in
this topic, even though you can use this method for any kernel-mode module.
You can use this method whenever WinDbg or KD is attached as a kernel debugger. You can also use this method
on a boot driver, but it is more difficult. For more information about how to use this method with boot drivers, see Replacing Boot Drivers.
To use a driver replacement map to replace driver files, do the following:
Create a driver replacement map file. This file is a text file that lists the drivers on the target computer and their replacement drivers on the host computer. You can replace any number of drivers. For example, you might create a file that is named
Mymap.ini in the d:\Map_Files directory of your host computer that contains the following information.
Copy
map \Systemroot\system32\drivers\videoprt.sys \\myserver\myshare\new_drivers\videoprt.sys
For more information about the syntax of this file, see Driver Replacement Map File Format.
Set up a kernel debugging connection to the target computer, and start the kernel debugger (KD or WinDbg) on your host computer. (You do not have to actually break in to the target computer.)
Load the driver replacement map file by doing one of the following:
Set the _NT_KD_FILES environment variable before
you start the kernel debugger.
Copy
D:\Debugging Tools for Windows> set _NT_KD_FILES=d:\Map_Files\mymap.ini D:\Debugging Tools for Windows> kd
Use the .kdfiles
(Set Driver Replacement Map) command after you start the kernel debugger.
Copy
D:\Debugging Tools for Windows> kd kd> .kdfiles d:\Map_Files\mymap.ini KD file associations loaded from 'd:\Map_Files\mymap.ini'
You can also use the .kdfiles command to display the current driver replacement map file or to delete the driver replacement map.
If you do not use this command, the map persists until you exit the debugger.
After you complete this procedure, the driver replacement map takes effect.
Whenever the target computer is about to load a driver, it queries the kernel debugger to determine whether this driver has been mapped. If the driver has been mapped, the replacement file is sent over the kernel connection and copied over the old driver file.
The new driver is then loaded.
Driver Replacement Map File Format
Each driver file replacement is indicated by three lines in the driver replacement map file.The first line consists of the word "map".
The second line specifies the path and file name of the old driver on the target computer.
The third line specifies the full path of the new driver. This driver can be located on the host computer or on some other server.
You can repeat this pattern of information any number of times.
Paths and file names are case insensitive, and the actual driver file names can be different. The file that you specify on the third line is copied over the file that you specify on the second line when the target computer is about to load that driver.
Kdfiles will attempt to match the file name that is stored in the Service Control Manager (SCM) database. The name in the SCM database is identical to the name that was passed to MmLoadSystemImage.
In Windows 10 and later versions of the debugging tools, driver mapping works to match the driver name dynamically and determine the proper path. The full path does not need to be specified and the file extension is optional. You can use any of these entries
to match the NT file system driver.
ntfs
NTFS
ntfs.sys
windows\system32\drivers\ntfs.sys
You can use any of these entries to match the NT kernel driver.
ntoskrnl
NTOSKRNL
ntoskrnl.sys
windows\system32\drivers\ntoskrnl.sys
The map file can include blank lines and can include comment lines that begin with a number sign (#). However, after "map" appears
in the file, the next two lines must be the old driver and the new driver. The blank lines and comment lines cannot break up the three-line map blocks.
The following example shows a driver replacement map file.
Copy
map \Systemroot\system32\drivers\videoprt.sys e:\MyNewDriver\binaries\videoprt.sys map \Systemroot\system32\mydriver.sys \\myserver\myshare\new_drivers\mydriver0031.sys # Here is a comment map \??\c:\windows\system32\beep.sys \\myserver\myshare\new_drivers\new_beep.sys
The driver replacement map file must be a text file, but you can use any file name and file name extension (.ini, .txt, .map, and so on).
内容来自用户分享和网络整理,不保证内容的准确性,如有侵权内容,可联系管理员处理 
相关文章推荐
- eclipse调试java程序的九个技巧
- 反调试技巧总结-原理和实现
- 对自己有用的VS调试技巧
- 【Visual Studio】VS常用调试技巧——笔记
- Java开发调试技巧及Eclipse快捷键使用方法
- 深入探索Linux coredump调试技巧
- Eclipse调试技巧
- myeclipse 断点调试技巧
- Visual Studio的调试技巧【部分】
- 一个调试的技巧
- 调试技巧--Windows端口号是否被占用
- 10个Eclipse调试技巧
- VS调试技巧 (转载)
- 20160220 - JavaScript for OS X Automation 调试技巧
- 【转】Visual Studio 非常实用的调试技巧
- Chrome 中的 JavaScript 断点设置和调试技巧
- 反调试技巧总结-原理和实现
- Atlas应用程序调试技巧
- ios 调试技巧和编译
- Java程序员的十个调试技巧