Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
4.3k views
in Technique[技术] by (71.8m points)

c# - WinDbg "invalid access to memory location" - InitializeProcThreadAttributeList

I'm relatively new to WinDbg, so I'm hoping this is just something obvious I'm missing. I have a .NET assembly that contains the function calls InitializeProcThreadAttributeList, UpdateProcThreadAttribute and DeleteProcThreadAttributeList, defined using P/Invoke. All three of those functions are imported from the "kernel32.dll" library. My goal is to trace these functions to understand the ntdll sys calls being used.

I tried to set a breakpoint with this command:

bp KERNEL32!InitializeProcThreadAttributeList

, but got this error:

Couldn't resolve error at 'KERNEL32!InitializeProcThreadAttributeList'

Next, I searched for any sign of this function using the following command:

x kernel32!*procthread*

I got this reply:

00007ffd`c7598588 KERNEL32!_imp_InitializeProcThreadAttributeList = <no type information>

I then tried to set a breakpoint on this stub? function like this:

bp kernel32!_imp_InitializeProcThreadAttributeList

Although it says the breakpoint has been defined, when I continue execution, it errors with this:

Unable to insert breakpoint 0 at 00007ffd`c7598588, Win32 error 0n998
    "Invalid access to memory location."

I also tried setting the breakpoint with "bu", but that produced the same error.

Does anyone know how to set a breakpoint in this situation? Thank you in advance!


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

Most of the functions in kernel32 have been implemented in kernelbase.dll and kernel32 only contains a thunk

the telltale sign is the IMP denoting imported from

_imp_InitializeProcThreadAttributeList

try setting bp kernelbase!InitializeProcThreadAttributeList

0:000> x /v kernel32!InitializeProcThreadAttributeList
pub func   761f4fc1             0 kernel32!InitializeProcThreadAttributeList (<no parameter info>)

0:000> u kernel32!InitializeProcThreadAttributeList l1
kernel32!InitializeProcThreadAttributeList:
761f4fc1 ff25c0181476    jmp dword ptr [kernel32!_imp__InitializeProcThreadAttributeList (761418c0)]

0:000> ? poi(kernel32!_imp__InitializeProcThreadAttributeList)
Evaluate expression: 1978493618 = 75ed6ab2

0:000> ln poi(kernel32!_imp__InitializeProcThreadAttributeList)
Exact matches:
    KERNELBASE!InitializeProcThreadAttributeList (<no parameter info>)


0:000> bp poi(kernel32!_imp__InitializeProcThreadAttributeList)
0:000> bl
 0 e 75ed6ab2     0001 (0001)  0:**** KERNELBASE!InitializeProcThreadAttributeList

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...