Skip to content

标题: ntdll!RtlSetLastWin32Error()中的内置条件断点

https://scz.617.cn/windows/200707240000.txt

参看:

Debugger tricks: Break on a specific Win32 last error value in Windows Vista - [2007-07-24] http://www.nynaeve.net/?p=147

ntdll!RtlSetLastWin32Error()有个内置条件断点:

void ntdll!RtlSetLastWin32Error ( unsigned int err ) { unsigned long long sth;

if ( g_dwLastErrorToBreakOn && err == g_dwLastErrorToBreakOn )
{
    /*
     * 满足上述条件时,此处有个内置的int3
     */
    __debugbreak();
}
if ( NtCurrentTeb()->LastErrorValue != err )
{
    NtCurrentTeb()->LastErrorValue  = err;
    if ( g_isErrorOriginProviderEnabled )
    {
        if ( err )
        {
            EtwEventWrite
            (
                g_hUserDiagnosticProvider,
                &SetLastWin32ErrorEvent,
                1,
                &sth,
                &err,
                4
            );
        }
    }
}

}

"C:\Program Files\Windows Kits\10\Debuggers\x64\cdb.exe" -noinh -snul -hd -o -xe ld:ntdll "C:\Windows\System32\mspaint.exe"

!pde.err 5 0x00000005 ( - ): Access is denied.

ed ntdll!g_dwLastErrorToBreakOn 5 g

(2314.25f0): Break instruction exception - code 80000003 (first chance) ntdll!RtlSetLastWin32Error+0x61: 00007ffd`665d1631 cc int 3

kpn # Child-SP RetAddr Call Site 00 000000c9be96dd80 00007ffd63832e26 ntdll!RtlSetLastWin32Error+0x61 01 000000c9be96ddd0 00007ffd638555d2 KERNELBASE!BaseSetLastNTError+0x16 02 000000c9be96de00 00007ffd66238d42 KERNELBASE!AccessCheck+0x62 03 000000c9be96de60 00007ffd66238a7b KERNEL32!BasepIsServiceSidBlocked+0x1f6 04 000000c9be96df90 00007ffd663f57d6 KERNEL32!LoadAppInitDllsImplementation+0x4b 05 000000c9be96dff0 00007ffd663f5609 USER32!ClientThreadSetup+0x1a6 06 000000c9be96e280 00007ffd66633b14 USER32!_ClientThreadSetup+0x9 07 000000c9be96e2b0 00007ffd634d67a4 ntdll!KiUserCallbackDispatcherContinue 08 000000c9be96e308 00007ffd62a4cecd win32u!NtGdiInit+0x14 09 000000c9be96e310 00007ffd663e1e17 gdi32full!GdiDllInitialize+0x4d 0a 000000c9be96e340 00007ffd665a1473 USER32!_UserClientDllInitialize+0x427 0b 000000c9be96eab0 00007ffd665f6622 ntdll!LdrpCallInitRoutine+0x6f 0c 000000c9be96eb20 00007ffd665f646b ntdll!LdrpInitializeNode+0x15a 0d 000000c9be96ec40 00007ffd665f6491 ntdll!LdrpInitializeGraphRecurse+0x73 0e 000000c9be96ec80 00007ffd665f4525 ntdll!LdrpInitializeGraphRecurse+0x99 0f 000000c9be96ecc0 00007ffd665f42f9 ntdll!LdrpInitializeShimDllDependencies+0xd9 10 000000c9be96edf0 00007ffd665f4167 ntdll!LdrpLoadShimEngine+0x141 11 000000c9be96ef10 00007ffd66665ff6 ntdll!LdrpInitShimEngine+0x157 12 000000c9be96f330 00007ffd666575b3 ntdll!LdrpInitializeProcess+0x1cda 13 000000c9be96f770 00007ffd6660920b ntdll!_LdrpInitialize+0x4e393 14 000000c9be96f7f0 00007ffd666091be ntdll!LdrpInitialize+0x3b 15 000000c9be96f820 0000000000000000 ntdll!LdrInitializeThunk+0xe