Road to Security -- WH_KEYBOARD and WH_KEYBOARD_LL keyboard hooks as seen on the call stack

2022/4/8 6:19:02

This article looks at how WH_KEYBOARD and WH_KEYBOARD_LL keyboard hooks show up on the call stack, using kernel-debugger (kd) output: a stack walk taken inside a low-level hook procedure, a stack walk taken at the point where win32k loads a hook DLL into another process, and a dump of the buffer passed to that callback.

kd> kv
#  ChildEBP RetAddr  Args to Child
00 0012fe4c 77d31923 00000000 00000100 0012fec4 Test!LowLevelKbHookRoutine (FPO: [3,0,0])
01 0012fe80 77d58d78 000d0000 00000100 0012fec4 USER32!DispatchHookA+0x101 (FPO: [Non-Fpo])
02 0012fea4 7c92e453 0012feb4 00000024 000d0000 USER32!__fnHkINLPKBDLLHOOKSTRUCT+0x24 (FPO: [Non-Fpo])
03 0012fea4 80500690 0012feb4 00000024 000d0000 ntdll!KiUserCallbackDispatcher+0x13 (FPO: [0,0,0])
04 b2862ac8 8059806d b2862b78 b2862b74 b2862b70 nt!KiCallUserMode+0x4 (FPO: [2,3,4])
05 b2862b24 bf92b13a 0000002d b2862b4c 00000024 nt!KeUserModeCallback+0x87 (FPO: [Non-Fpo])
06 b2862b98 bf8522f2 000d0000 00000100 b2862c74 win32k!fnHkINLPKBDLLHOOKSTRUCT+0x52 (FPO: [Non-Fpo])
07 b2862bd0 bf83c702 00401000 00000000 00000100 win32k!xxxHkCallHook+0x396 (FPO: [Non-Fpo])
08 b2862c48 bf841ae4 316b17e8 00000000 00000100 win32k!xxxCallHook2+0x25d (FPO: [Non-Fpo])
09 b2862cb0 bf801eda e187eeb0 b2862d64 0012fef0 win32k!xxxReceiveMessage+0x1ba (FPO: [Non-Fpo])
0a b2862cec bf819e6c b2862d18 000020c8 00000012 win32k!xxxRealInternalGetMessage+0x1d7 (FPO: [Non-Fpo])
0b b2862d4c 8053e638 0012ff18 00000000 00000012 win32k!NtUserGetMessage+0x27 (FPO: [Non-Fpo])
0c b2862d4c 7c92e4f4 0012ff18 00000000 00000012 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ b2862d64)
0d 0012fea4 7c92e453 0012feb4 00000024 000d0000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
0e 0012fed4 77d191be 77d2776b 0012ff18 00000000 ntdll!KiUserCallbackDispatcher+0x13 (FPO: [0,0,0])
0f 0012fefc 00401117 0012ff18 00000000 00000012 USER32!NtUserGetMessage+0xc
10 0012ff30 004012ba 00400000 00000000 00152348 Test!WinMain+0x47 (FPO: [4,7,0])
11 0012ffc0 7c817067 0007d868 7c92d950 7ffdc000 Test!__tmainCRTStartup+0x113 (FPO: [Non-Fpo])
12 0012fff0 00000000 00401325 00000000 78746341 kernel32!BaseProcessStart+0x23 (FPO: [Non-Fpo])

kd> kvn
# ChildEBP  RetAddr  Args to Child
00 b28e2760 bf8b18db 00000042 b28e27cc 00000090 nt!KeUserModeCallback (FPO: [Non-Fpo])
01 b28e29e8 bf8b19e6 b28e2a04 00000000 00000000 win32k!ClientLoadLibrary+0xb2 (FPO: [Non-Fpo])
02 b28e2c18 bf83c87e 00000003 e1c65d20 b28e2d14 win32k!xxxLoadHmodIndex+0x86 (FPO: [Non-Fpo])
03 b28e2c84 bf83c8d5 036cbeb0 00000000 00000001 win32k!xxxCallHook2+0x19b (FPO: [Non-Fpo])
04 b28e2ca0 bf801ad6 00000000 00000001 00000002 win32k!xxxCallHook+0x26 (FPO: [Non-Fpo])
05 b28e2ce8 bf8036ec b28e2d14 000025ff 00000000 win32k!xxxRealInternalGetMessage+0x264 (FPO: [Non-Fpo])
06 b28e2d48 8053e638 0007fde8 00000000 00000000 win32k!NtUserPeekMessage+0x40 (FPO: [Non-Fpo])
07 b28e2d48 7c92e4f4 0007fde8 00000000 00000000 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ b28e2d64)
08 0007fce0 77d193e9 77d193a8 0007fde8 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
09 0007fd0c 77d2a43b 0007fde8 00000000 00000000 USER32!NtUserPeekMessage+0xc
0a 0007fd38 00402702 0007fde8 00000000 00000000 USER32!PeekMessageA+0xeb (FPO: [Non-Fpo])
0b 0007ff1c 00402fa9 00400000 00000000 000a2331 ctfmon!WinMain+0x1ec (FPO: [Non-Fpo])
0c 0007ffc0 7c817067 00340032 00390030 7ffd7000 ctfmon!WinMainCRTStartup+0x174 (FPO: [Non-Fpo])
0d 0007fff0 00000000 00402e35 00000000 78746341 kernel32!BaseProcessStart+0x23 (FPO: [Non-Fpo])

kd> db b28e27cc L 100
b28e27cc 90 00 00 00 68 00 00 00-01 00 00 00 5c 28 8e b2 ....h.......\(..
b28e27dc 24 00 00 00 00 00 00 00-66 00 68 00 28 00 00 00 $.......f.h.(...
b28e27ec 00 00 00 00 1c 00 00 00-43 00 3a 00 5c 00 44 00 ........C.:.\.D.
b28e27fc 6f 00 63 00 75 00 6d 00-65 00 6e 00 74 00 73 00 o.c.u.m.e.n.t.s.
b28e280c 20 00 61 00 6e 00 64 00-20 00 53 00 65 00 74 00 .a.n.d. .S.e.t.
b28e281c 74 00 69 00 6e 00 67 00-73 00 5c 00 41 00 64 00 t.i.n.g.s.\.A.d.
b28e282c 6d 00 69 00 6e 00 69 00-73 00 74 00 72 00 61 00 m.i.n.i.s.t.r.a.
b28e283c 74 00 6f 00 72 00 5c 00-4c 68 62 97 5c 00 54 00 t.o.r.\.Lhb.\.T.
b28e284c 65 00 73 00 74 00 2e 00-64 00 6c 00 6c 00 00 00 e.s.t...d.l.l...
b28e285c 78 28 8e b2 02 00 00 00-02 00 00 00 00 21 01 00 x(...........!..
b28e286c 88 28 8e b2 fc b2 7d f8-02 00 00 00 02 00 fb 81 .(....}.........
b28e287c 02 00 fb 81 a0 4d 1e 82-cc ab 7d f8 84 20 00 00 .....M....}.. ..
b28e288c a0 4d 1e 82 d5 a4 7d f8-70 a4 c6 81 50 34 0f 82 .M....}.p...P4..
b28e289c bc 28 8e b2 7c 59 2a f8-48 a4 c6 81 00 00 00 00 .(..|Y*.H.......
b28e28ac 98 8c 01 82 78 a4 c6 81-9c 3d 01 82 07 ff ff 01 ....x....=......
b28e28bc 00 00 00 00 2e 00 00 00-1c 29 8e b2 00 00 00 00 .........)......
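In frame 00 of the second listing the arguments to nt!KeUserModeCallback are the API number (0x42), the input buffer (b28e27cc) and its length (0x90), and the `db` above dumps that buffer. Its UTF-16LE payload is the full path of the hook DLL that ClientLoadLibrary is about to load into ctfmon.exe. The script below, added here and not part of the original post, parses the dump (embedded as constructed sample input copied from the listing) and recovers that path. It treats the halfwords 0x66/0x68 at offset 0x18 and the dword 0x28 at offset 0x1c as a UNICODE_STRING Length, MaximumLength and Buffer (here an offset into the captured block); that reading is an interpretation of the bytes rather than something the post states, so the code verifies it against the decoded string before returning.

```python
"""Recover the UTF-16LE DLL path from the `db b28e27cc L 100` dump above.

Added example, not code from the original post. The dump is embedded below as
constructed sample input copied from the listing. The UNICODE_STRING layout at
offset 0x18 is an interpretation of the bytes, not something the post states,
so the code checks it against the decoded string before trusting it.
"""
import re
import struct

# <address> <8 bytes>-<8 bytes> <ascii column>
DB_LINE_RE = re.compile(r"^([0-9a-f]{8})\s+((?:[0-9a-f]{2}[ -]){15}[0-9a-f]{2})")

DB_SAMPLE = r"""
kd> db b28e27cc L 100
b28e27cc 90 00 00 00 68 00 00 00-01 00 00 00 5c 28 8e b2 ....h.......\(..
b28e27dc 24 00 00 00 00 00 00 00-66 00 68 00 28 00 00 00 $.......f.h.(...
b28e27ec 00 00 00 00 1c 00 00 00-43 00 3a 00 5c 00 44 00 ........C.:.\.D.
b28e27fc 6f 00 63 00 75 00 6d 00-65 00 6e 00 74 00 73 00 o.c.u.m.e.n.t.s.
b28e280c 20 00 61 00 6e 00 64 00-20 00 53 00 65 00 74 00 .a.n.d. .S.e.t.
b28e281c 74 00 69 00 6e 00 67 00-73 00 5c 00 41 00 64 00 t.i.n.g.s.\.A.d.
b28e282c 6d 00 69 00 6e 00 69 00-73 00 74 00 72 00 61 00 m.i.n.i.s.t.r.a.
b28e283c 74 00 6f 00 72 00 5c 00-4c 68 62 97 5c 00 54 00 t.o.r.\.Lhb.\.T.
b28e284c 65 00 73 00 74 00 2e 00-64 00 6c 00 6c 00 00 00 e.s.t...d.l.l...
b28e285c 78 28 8e b2 02 00 00 00-02 00 00 00 00 21 01 00 x(...........!..
b28e286c 88 28 8e b2 fc b2 7d f8-02 00 00 00 02 00 fb 81 .(....}.........
b28e287c 02 00 fb 81 a0 4d 1e 82-cc ab 7d f8 84 20 00 00 .....M....}.. ..
b28e288c a0 4d 1e 82 d5 a4 7d f8-70 a4 c6 81 50 34 0f 82 .M....}.p...P4..
b28e289c bc 28 8e b2 7c 59 2a f8-48 a4 c6 81 00 00 00 00 .(..|Y*.H.......
b28e28ac 98 8c 01 82 78 a4 c6 81-9c 3d 01 82 07 ff ff 01 ....x....=......
b28e28bc 00 00 00 00 2e 00 00 00-1c 29 8e b2 00 00 00 00 .........)......
"""


def parse_db(text):
    """Turn WinDbg `db` output into (base_address, bytes), checking contiguity."""
    base, buf = None, bytearray()
    for line in text.splitlines():
        m = DB_LINE_RE.match(line.strip())
        if not m:
            continue                      # 'kd>' prompt or blank line
        addr = int(m.group(1), 16)
        if base is None:
            base = addr
        elif addr != base + len(buf):
            raise ValueError("gap in dump at %08x" % addr)
        buf += bytes.fromhex(m.group(2).replace("-", " "))
    return base, bytes(buf)


def utf16z_at(buf, offset):
    """Decode the NUL-terminated UTF-16LE string that starts at offset."""
    end = offset
    while end + 2 <= len(buf) and buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[offset:end].decode("utf-16-le")


def extract_path(text):
    """Recover the DLL path handed to ClientLoadLibrary from the dumped buffer."""
    base, buf = parse_db(text)
    total = struct.unpack_from("<I", buf, 0)[0]   # 0x90, the length passed in frame 00
    # Assumed layout: UNICODE_STRING at +0x18 whose Buffer is an offset into this block
    length, max_length, buffer_off = struct.unpack_from("<HHI", buf, 0x18)
    path = utf16z_at(buf, buffer_off)
    if length != len(path.encode("utf-16-le")) or buffer_off + max_length > total:
        raise ValueError("buffer does not match the assumed UNICODE_STRING layout")
    return path


if __name__ == "__main__":
    print(extract_path(DB_SAMPLE))
```

The two consistency checks both hold on this dump: the decoded path is 51 characters, which is 0x66 bytes of UTF-16, and 0x28 + 0x68 equals the 0x90 total that frame 00 passes as the buffer length. The fourth path component decodes to the two CJK characters U+684C U+9762 (the user's Desktop folder on a Chinese-locale install), which is why the ASCII column of the dump shows them as the bytes "Lhb."; decoding as UTF-16LE rather than reading the ASCII column is what keeps such paths intact.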
