Learning the Windows Operating System: Debugging the Boot Process

Many experts no doubt know the Windows boot process inside out. Here I am only sharing my own learning process; there are surely many places in this article where my understanding falls short, and I hope the experts will point them out.

I. MBR Debugging

There are already plenty of posts online about debugging the MBR, and this post likewise just shares my own learning process. If I can, I will start from the MBR and debug step by step to learn the Windows operating system, sharing the process as I go. Enough small talk; on to the topic.

Tools used so far:

Virtual machine: VMware
System: ReactOS 0.3.15 (a Windows 7 32-bit or XP installation can also be debugged with this method; ReactOS is chosen here to prepare for the debugging that comes later)
Debugging tool: IDA

First, set up the virtual machine. In the system folder created by VMware, find the .vmx file, open it with Notepad, and add the following configuration:

Code:

    debugStub.listen.guest32 = "TRUE"
    debugStub.hideBreakpoints = "TRUE"
    bios.bootDelay = "3000"

Then set up IDA. Open IDA, go to Debugger --> Attach --> Remote GDB debugger, and make the following settings in the dialog that appears.

After starting the virtual machine, click the "OK" button in the IDA dialog, select the first process, and click "OK", as shown in the figure below.

Once in the debugging window, go to 0x7c00, press "F2" to set a breakpoint, then press "F9" to run the program. When the program breaks, press "Alt+S" and select 16-bit. At this point the disassembly may turn into a pile of data; just select it (446 bytes), press "C", and choose "Force" to forcibly convert the data into code.

Now we can start debugging. First look at the code below.

Code:

    MEMORY:7C00 loc_7C00:                ; CODE XREF: MEMORY:loc_7CAE j
    MEMORY:7C00         cli
    MEMORY:7C01         cld
    MEMORY:7C02         xor   ax, ax
    MEMORY:7C04         mov   ss, ax
    MEMORY:7C06         mov   ds, ax
    MEMORY:7C08         mov   bp, 7C00h
    MEMORY:7C0B         lea   sp, [bp-20h]
    MEMORY:7C0E         sti
    MEMORY:7C0F         mov   ax, 1FE0h
    MEMORY:7C12         mov   es, ax
    MEMORY:7C14         assume es:nothing
    MEMORY:7C14         mov   si, bp
    MEMORY:7C16         mov   di, bp
    MEMORY:7C18         mov   cx, 100h
    MEMORY:7C1B         rep movsw        ; move the MBR to 1FE0h:7C00h
    MEMORY:7C1D         jmp   far ptr 1FE0h:7C22h

This code is simple: it copies the MBR to 1FE0h:7C00h and then jumps to 1FE0h:7C22h to continue execution. Next comes the search for the active partition in the partition table.

Code:

    MEMORY:27A22 loc_27A22:              ; CODE XREF: MEMORY:7C1D j
    MEMORY:27A22         mov   ds, ax
    MEMORY:27A24         assume ds:MEMORY
    MEMORY:27A24         mov   ss, ax
    MEMORY:27A26         assume ss:MEMORY
    MEMORY:27A26         xor   ax, ax
    MEMORY:27A28         mov   es, ax
    MEMORY:27A2A         lea   di, [bp+1BEh]      ; get the address of the partition table
    MEMORY:27A2E         test  byte ptr [di], 80h ; is this the active partition?
    MEMORY:27A31         jnz   short loc_7AA0
    MEMORY:27A33         add   di, 10h            ; each partition table entry is 16 bytes
    MEMORY:27A36         cmp   di, 7DFEh          ; has the partition table search finished?
    MEMORY:27A3A         jb    short loc_7A2E

Some knowledge of the MBR is needed here. The MBR is the first sector of the disk and occupies 512 bytes (every sector is 512 bytes). The first 446 bytes are boot code, the next 64 bytes are the partition table with four entries in total, and the last two bytes are the end signature 0xAA55.
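The same partition-table walk, as an added Python example that is not part of the original post: it reads the four 16-byte entries at offset 0x1BE, applies the `test byte ptr [di], 80h` check, and also reports layout anomalies an analyst would want flagged when inspecting a boot sector. The function names and the sample sector are constructed for illustration.

```python
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 0x1BE      # bp+1BEh in the listing: end of the 446-byte code area
ENTRY_SIZE = 16           # add di,10h
SIGNATURE_OFFSET = 0x1FE  # 7DFEh - 7C00h, where the scan stops


def parse_mbr(sector: bytes) -> dict:
    """Decode the four partition entries and report layout anomalies."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    (signature,) = struct.unpack_from("<H", sector, SIGNATURE_OFFSET)
    entries, warnings = [], []
    if signature != 0xAA55:
        warnings.append(f"bad end signature 0x{signature:04X}")
    for index in range(4):
        raw = sector[TABLE_OFFSET + index * ENTRY_SIZE:][:ENTRY_SIZE]
        # Entry layout: flag, CHS start (3), type, CHS end (3), LBA start, sector count
        flag, ptype, lba, count = struct.unpack("<B3xB3xII", raw)
        if flag not in (0x00, 0x80):
            warnings.append(f"entry {index}: non-standard boot flag 0x{flag:02X}")
        entries.append({"index": index, "active": bool(flag & 0x80),  # test byte ptr [di],80h
                        "type": ptype, "lba_start": lba, "sectors": count})
    active = [e["index"] for e in entries if e["active"]]
    if len(active) > 1:
        warnings.append(f"multiple active entries: {active}")
    # Like the boot code, take the first entry whose high bit is set.
    return {"signature": signature, "entries": entries,
            "boot_entry": active[0] if active else None, "warnings": warnings}


def build_sample_mbr() -> bytes:
    """Constructed sector: zeroed code area, one active entry, one inactive entry."""
    sector = bytearray(SECTOR_SIZE)
    struct.pack_into("<B3xB3xII", sector, TABLE_OFFSET, 0x80, 0x0B, 63, 204800)
    struct.pack_into("<B3xB3xII", sector, TABLE_OFFSET + ENTRY_SIZE, 0x00, 0x07, 204863, 409600)
    struct.pack_into("<H", sector, SIGNATURE_OFFSET, 0xAA55)
    return bytes(sector)


if __name__ == "__main__":
    result = parse_mbr(build_sample_mbr())
    for entry in result["entries"]:
        print(entry)
    print("boot entry:", result["boot_entry"], "warnings:", result["warnings"])
```

Because the boot code tests only bit 7, a flag such as 0x81 is still treated as active; the parser marks it active too, but warns that the value is non-standard.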