Learning the Windows Operating System: Debugging the Boot Process

Many experts already know the Windows boot process inside out; here I am only sharing my own learning process. There are surely many places where my understanding is not quite right, and I hope the experts will point them out.

I. Debugging the MBR

There are already plenty of posts online about debugging the MBR; this one only shares my learning process. If I can, I will start from the MBR and debug step by step, learning the Windows operating system and sharing the process as I go. Enough talk, let's get into the topic.

Tools used so far:
Virtual machine: VMware
System: ReactOS 0.3.15 (installing 32-bit Win7 or XP also works with this method; ReactOS is chosen here in preparation for later debugging)
Debugging tool: IDA

First, set up the virtual machine. In the folder VMware created for the system, find the .vmx file, open it with Notepad, and add the following configuration:

Code:
debugStub.listen.guest32="TRUE"
debugStub.hideBreakpoints="TRUE"
bios.bootDelay="3000"

Then set up IDA. Open IDA, go to Debugger --> Attach --> Remote GDB debugger, and make the following settings in the dialog that pops up.

After starting the virtual machine, click "OK" in the dialog IDA shows, select the first process, and click "OK", as shown below.

Once in the debug window, go to 0x7c00, press F2 to set a breakpoint, then press F9 to run. When execution stops there, press Alt+S and select 16-bit; the disassembly may now turn into a pile of data bytes. Just select them (446 bytes), press "C" and choose "Force" to convert the data into code.

Now the debugging begins. First look at the code below:

Code:
MEMORY:7C00 loc_7C00:                       ; CODE XREF: MEMORY:loc_7CAE↓J
MEMORY:7C00         cli
MEMORY:7C01         cld
MEMORY:7C02         xor     ax, ax
MEMORY:7C04         mov     ss, ax
MEMORY:7C06         mov     ds, ax
MEMORY:7C08         mov     bp, 7C00h
MEMORY:7C0B         lea     sp, [bp-20h]
MEMORY:7C0E         sti
MEMORY:7C0F         mov     ax, 1FE0h
MEMORY:7C12         mov     es, ax
MEMORY:7C14         assume es:nothing
MEMORY:7C14         mov     si, bp
MEMORY:7C16         mov     di, bp
MEMORY:7C18         mov     cx, 100h
MEMORY:7C1B         rep movsw               ; move the MBR to 1FE0h:7C00h
MEMORY:7C1D         jmp     far ptr 1FE0h:7C22h

This code is simple: it copies the MBR to 1FE0h:7C00h and then jumps to 1FE0h:7C22h to continue executing. Next it searches the partition table for the active partition; see the code:

Code:
MEMORY:27A22 loc_27A22:                     ; CODE XREF: MEMORY:7C1D↑J
MEMORY:27A22        mov     ds, ax
MEMORY:27A24        assume ds:MEMORY
MEMORY:27A24        mov     ss, ax
MEMORY:27A26        assume ss:MEMORY
MEMORY:27A26        xor     ax, ax
MEMORY:27A28        mov     es, ax
MEMORY:27A2A        lea     di, [bp+1BEh]   ; get the partition table address
MEMORY:27A2E        test    byte ptr [di], 80h ; is this the active partition?
MEMORY:27A31        jnz     short loc_7AA0
MEMORY:27A33        add     di, 10h         ; each partition table entry is 16 bytes
MEMORY:27A36        cmp     di, 7DFEh       ; finished searching the partition table?
MEMORY:27A3A        jb      short loc_7A2E

This requires some knowledge of the MBR. The MBR is the first sector of the disk and is 512 bytes (every sector is 512 bytes). The first 446 bytes are boot code, the next 64 bytes are the partition table with four entries in total, and the last two bytes are the end marker 0xAA55. 分
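As an added example that is not part of the original post, here is a Python script that does in plain code what the two listings above do in assembly: it converts the real-mode segment:offset pair 1FE0h:7C22h into the linear address IDA labels loc_27A22, computes the DI values the search loop walks (7DBEh up to 7DFEh with BP = 7C00h), checks the 0xAA55 end marker, and walks the four 16-byte partition entries looking for one whose boot byte has bit 7 set, exactly as `test byte ptr [di], 80h` does. The sample MBR bytes are constructed for the example and not read from any real disk, and all function and constant names are my own.

```python
"""Parse a 512-byte MBR the way the boot code in the listings walks it."""
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 0x1BE   # lea di, [bp+1BEh]
PARTITION_ENTRY_SIZE = 0x10      # add di, 10h
PARTITION_ENTRIES = 4
SIGNATURE_OFFSET = 0x1FE         # 446 + 64 bytes in; cmp di, 7DFEh with bp = 7C00h
MBR_SIGNATURE = 0xAA55           # stored on disk as the bytes 55 AA
ACTIVE_FLAG = 0x80               # test byte ptr [di], 80h
LOAD_BASE = 0x7C00               # mov bp, 7C00h
RELOCATION_SEGMENT = 0x1FE0      # mov ax, 1FE0h ; mov es, ax


def linear(segment: int, offset: int) -> int:
    """Real-mode segment:offset to a 20-bit linear address (what IDA shows after the far jmp)."""
    return ((segment << 4) + offset) & 0xFFFFF


def table_entry_address(index: int, bp: int = LOAD_BASE) -> int:
    """Offset held in DI when the loop examines partition entry `index` (index 4 is the loop's end value)."""
    return bp + PARTITION_TABLE_OFFSET + index * PARTITION_ENTRY_SIZE


def parse_mbr(sector: bytes) -> list:
    """Split one sector into its four partition-table entries after checking size and end marker."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    signature = struct.unpack_from("<H", sector, SIGNATURE_OFFSET)[0]
    if signature != MBR_SIGNATURE:
        raise ValueError("0xAA55 end marker missing: not a valid MBR")
    entries = []
    for i in range(PARTITION_ENTRIES):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        # boot flag, start CHS (head, packed sector/cylinder), type, end CHS, start LBA, sector count
        (boot, _start_head, _start_sc, ptype,
         _end_head, _end_sc, start_lba, sector_count) = struct.unpack_from("<BBHBBHII", sector, off)
        entries.append({
            "index": i,
            "boot_flag": boot,
            "type": ptype,
            "start_lba": start_lba,
            "sector_count": sector_count,
        })
    return entries


def find_active_partition(sector: bytes):
    """Mirror the search loop: first entry with bit 7 of its boot byte set, or None if DI reaches 7DFEh."""
    for entry in parse_mbr(sector):
        if entry["boot_flag"] & ACTIVE_FLAG:
            return entry
    return None


def build_sample_mbr(active_index: int = 1) -> bytes:
    """Constructed sample MBR for this example; not taken from any real disk."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:4] = b"\xFA\xFC\x31\xC0"   # cli ; cld ; xor ax, ax, as at the top of the listing
    layout = [                          # (type, start LBA, sector count); CHS fields left zero
        (0x07, 63, 1985),
        (0x07, 2048, 409600),
    ]
    for i, (ptype, start, count) in enumerate(layout):
        boot = ACTIVE_FLAG if i == active_index else 0x00
        struct.pack_into("<BBHBBHII", sector, PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE,
                         boot, 0, 0, ptype, 0, 0, start, count)
    sector[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] = b"\x55\xAA"
    return bytes(sector)


if __name__ == "__main__":
    print("far jmp target 1FE0h:7C22h is linear %#x" % linear(RELOCATION_SEGMENT, 0x7C22))
    print("loop DI values:", [hex(table_entry_address(i)) for i in range(PARTITION_ENTRIES + 1)])
    active = find_active_partition(build_sample_mbr())
    print("active partition:", active)
    print("no active partition:", find_active_partition(build_sample_mbr(active_index=-1)))
```

The same parser can be pointed at the first 512 bytes of a real disk image to compare its partition table and end marker against what the boot code will see at 7DBEh; the one thing this code does that the listing does not is refuse a sector without the 0xAA55 marker instead of walking the table anyway.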