Looking into the kernel stack trace feature that existed in the Windows NT era
Windows NT 4.0's blue screen. A stack trace is shown.
From Windows 2000 on, the stack trace was cut in favour of useless messages. https://t.co/XzDJKLPkTB pic.twitter.com/FlwyNrMHNA— 何言聞アマツカゼチャン (@a1lic) April 15, 2018
|。・ω・) 。o (Huh, what? I want that feature.)
So I looked into it.
L8011C4B9:
    cmp edi,[ebp-10h]
    jz L8011C51F
    mov ebx,00000000h
    mov [ebp-04h],edi
    mov edi,[edi]
    mov eax,[ebp-04h]
    push [eax+18h]
    call SUB_L80120B88
    test eax,eax
    jz L8011C4E5
    mov eax,[ebp-04h]
    push [eax+18h]
    call RtlImageNtHeader
    mov ebx,[eax+08h]
L8011C4E5:
    push 00000020h
    lea eax,[ebp-4Ch]
    push eax
    mov eax,[ebp-04h]
    add eax,0000002Ch
    push eax
    call [ebp+18h]
    push eax
    mov ecx,[ebp-04h]
    push ebx
    push [ecx+18h]
    push SSZ8011C2B0__08lx__08lx_____18_18s_
    push [ebp+0Ch]
    call sprintf
    add esp,00000014h
    push [ebp+0Ch]
    call [HAL.dll!HalDisplayString]
    inc [ebp-18h]
    cmp dword ptr [ebp-18h],00000002h
    jc L8011C4B9
L8011C51F:
    push L8011C2C8 (newline)
    inc esi
    call [HAL.dll!HalDisplayString]
    cmp esi,[ebp-08h]
    jc L8011C4A9
L8011C534:
    push L8011C2CC (newline)
    call [HAL.dll!HalDisplayString]
L8011C53F:
    mov eax,[ebp+08h]
    xor edi,edi
    mov ebx,[eax+000000C4h]
    sub ebx,00000004h
    cmp esi,[ebp-08h]
    jnc L8011C652
L8011C556:
    add ebx,00000004h
    lea eax,[ebp-0Ch]
    push eax
    push ebx
    call SUB_L8011C6A8
    test al,al
    jz L8011C647
    lea eax,[ebp-04h]
    push eax
    push [ebp-0Ch]
    call SUB_L8011C65C
    test eax,eax
    jz L8011C63C
    test edi,edi
    jnz L8011C5AE
    push L8011C2D4
    mov eax,[NtBuildNumber]
    and eax,0FFFFFFFh
    push eax
    push SSZ8011C2D8_Address__dword_dump___Build___ld
    push [ebp+0Ch]
    call sprintf
    add esp,00000010h
    inc esi
    inc edi
    push [ebp+0Ch]
    call [HAL.dll!HalDisplayString]
L8011C5AE:
    push [ebp-0Ch]
    push ebx
    push SSZ8011C308__08lx__08lx_
    push [ebp+0Ch]
    call sprintf
    add esp,00000010h
    push [ebp+0Ch]
    call [HAL.dll!HalDisplayString]
    mov dword ptr [ebp-20h],00000005h
    mov [ebp-14h],ebx
L8011C5D5:
    lea eax,[ebp-0Ch]
    push eax
    push [ebp-14h]
    call SUB_L8011C6A8
    test al,al
    jz L8011C5FD
    push [ebp-0Ch]
    push SSZ8011C318__08lx_
    push [ebp+0Ch]
    call sprintf
    add esp,0000000Ch
    push [ebp+0Ch]
    jmp L8011C602
L8011C5FD:
    push SSZ8011C320__________
L8011C602:
    call [HAL.dll!HalDisplayString]
    add dword ptr [ebp-14h],00000004h
    dec [ebp-20h]
    jnz L8011C5D5
    push 00000020h
    lea eax,[ebp-4Ch]
    push eax
    mov eax,[ebp-04h]
    add eax,0000002Ch
    push eax
    call [ebp+18h]
    push eax
    push SSZ8011C32C_____14_14s_
    push [ebp+0Ch]
    call sprintf
    add esp,0000000Ch
    inc esi
    push [ebp+0Ch]
    call [HAL.dll!HalDisplayString]
L8011C63C:
    cmp esi,[ebp-08h]
    jc L8011C556
    jmp L8011C652
L8011C647:
    push L8011C2D0
    call [HAL.dll!HalDisplayString]
L8011C652:
    pop edi
    pop esi
    pop ebx
    mov esp,ebp
    pop ebp
    retn 0014h
In the NT code, the light-blue section above (the loop starting at L8011C4B9) prints the related DLLs, looping over them.
The red section (from L8011C53F onward) is the stack trace output.
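The trace loop above is a conservative stack scan rather than a frame-pointer walk: it steps through the stack one dword at a time, keeps only the dwords that fall inside a loaded module, and prints each such slot with its five following dwords and the owning module name, under a line budget. The following user-mode C program is an added example that re-creates that logic on constructed data; it is not code from the original post or from Windows. It assumes that SUB_L8011C6A8 is a safe-read probe for a stack dword and that SUB_L8011C65C is a module lookup (inferred from its result being used at offset 2Ch for the name, exactly as in the DLL-list loop); the module table, the stack contents and the build number 1381 are made up for the example, and the format strings are reconstructed from the SSZ symbol names.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A loaded kernel module: image base, size and base name (constructed data). */
typedef struct { uint32_t base; uint32_t size; const char *name; } module_t;

/* One emitted trace line: the stack slot, its virtual address and value, and
   the index of the module the value points into. */
typedef struct { size_t slot_index; uint32_t slot_va; uint32_t value; int module; } frame_t;

/* Constructed module table and stack snapshot for a 32-bit NT-style kernel. */
const module_t kModules[] = {
    { 0x80100000u, 0x00100000u, "ntoskrnl.exe" },
    { 0x80400000u, 0x00010000u, "hal.dll" },
};
const size_t kModuleCount = 2;
const uint32_t kStackVA = 0xFE4C3E00u;       /* virtual address of kStack[0] */
const uint32_t kStack[] = {
    0x00000000u, 0x8011C4B9u, 0xFE4C3E30u, 0x00000001u, 0x80401234u,
    0x12345678u, 0x80120B88u, 0x00000000u, 0x00000000u, 0x00000000u,
};
const size_t kStackSlots = 10;

/* Stand-in for the per-dword module lookup (assumed role of SUB_L8011C65C):
   index of the module whose image range contains addr, or -1. */
int find_module(const module_t *mods, size_t nmods, uint32_t addr)
{
    for (size_t i = 0; i < nmods; i++)
        if (addr >= mods[i].base && addr - mods[i].base < mods[i].size)
            return (int)i;
    return -1;
}

/* Scan the stack a dword at a time. Slots that do not point into a module are
   skipped; each one that does becomes a frame. Output is capped by a line
   budget the way the NT loop is (cmp esi,[ebp-08h]): the header costs one
   line, every frame one more, and scanning stops once the budget is used.
   The readability probe (SUB_L8011C6A8) is modelled by the nslots bound.
   Returns the number of frames found (only max_out of them are stored). */
size_t scan_stack(const uint32_t *stack, size_t nslots, uint32_t stack_va,
                  const module_t *mods, size_t nmods, size_t max_lines,
                  frame_t *out, size_t max_out)
{
    size_t lines = 0, nframes = 0;
    for (size_t i = 0; i < nslots && lines < max_lines; i++) {
        int m = find_module(mods, nmods, stack[i]);
        if (m < 0)
            continue;                  /* data, not a code address: skip it */
        if (nframes == 0)
            lines++;                   /* "Address dword dump  Build [%ld]" header */
        if (nframes < max_out) {
            out[nframes].slot_index = i;
            out[nframes].slot_va = stack_va + (uint32_t)(i * 4);
            out[nframes].value = stack[i];
            out[nframes].module = m;
        }
        nframes++;
        lines++;
    }
    return nframes;
}

/* Format one trace line the way the NT routine does: slot address and value
   ("%08lx %08lx "), the next five dwords ("%08lx " each, or nine blanks when
   the slot is not readable, here: past the end of the snapshot), then
   "- %14.14s" with the module name. Returns the formatted length. */
int format_frame(char *buf, size_t buflen, const uint32_t *stack, size_t nslots,
                 const frame_t *f, const module_t *mods)
{
    int n = snprintf(buf, buflen, "%08lx %08lx ",
                     (unsigned long)f->slot_va, (unsigned long)f->value);
    for (size_t k = 1; k <= 5 && (size_t)n < buflen; k++) {
        size_t idx = f->slot_index + k;
        if (idx < nslots)
            n += snprintf(buf + n, buflen - n, "%08lx ", (unsigned long)stack[idx]);
        else
            n += snprintf(buf + n, buflen - n, "%9s", "");
    }
    if ((size_t)n < buflen)
        n += snprintf(buf + n, buflen - n, "- %14.14s", mods[f->module].name);
    return n;
}

int main(void)
{
    frame_t frames[16];
    char line[128];
    const long build = 1381L & 0x0FFFFFFFL;  /* mask as the NT code does */
    size_t n = scan_stack(kStack, kStackSlots, kStackVA, kModules, kModuleCount,
                          64, frames, 16);
    if (n > 0)
        printf("Address dword dump  Build [%ld]\n", build);
    for (size_t i = 0; i < n && i < 16; i++) {
        format_frame(line, sizeof line, kStack, kStackSlots, &frames[i], kModules);
        puts(line);
    }
    return 0;
}
```

The example goes slightly beyond the listing in one respect: it exposes the line budget as a parameter, so you can see how a small budget truncates the trace after the header plus a few frames, which is why real NT 4.0 screens often show only the top of the stack.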
L0042AB06:
    lea eax,[ebp+10h]
    xor ebx,ebx
    push eax
    lea eax,[ebp+0Ch]
    push ebx
    push eax
    push [esi]
    call SUB_L0042AA2A
    mov edi,eax
    cmp edi,ebx
    jnz L0042AB33
    push [esi]
    call SUB_L0043E6F0
    cmp eax,ebx
    jz L0042AB95
    mov edi,[esi]
    lea ecx,[ebp-28h]
    push 00000020h
    push ecx
    jmp L0042AB5C
L0042AB33:
    mov eax,[ebp+0Ch]
    push [eax+18h]
    call SUB_L0044933E
    test eax,eax
    jz L0042AB50
    mov eax,[ebp+0Ch]
    push [eax+18h]
    call RtlImageNtHeader
    mov ebx,[eax+08h]
L0042AB50:
    lea eax,[ebp-28h]
    push 00000020h
    push eax
    mov eax,[ebp+0Ch]
    add eax,0000002Ch
L0042AB5C:
    push eax
    call [ebp+14h]
    cmp byte ptr [ebp-01h],00h
    mov eax,L0042AAA8
    jnz L0042AB70
    mov eax,L0042AAAC
L0042AB70:
    lea ecx,[ebp-28h]
    push ecx
    push ebx
    push edi
    push [esi]
    push eax
    push SSZ0042AAB0__s___Address__p_base_at__p__Date
    push [ebp+08h]
    call sprintf
    add esp,0000001Ch
    push [ebp+08h]
    call InbvDisplayString
    and byte ptr [ebp-01h],00h
L0042AB95:
    add esi,00000004h
    dec [ebp-08h]
    jnz L0042AB06
    pop ebx
    pop esi
    pop edi
L0042ABA4:
    leave
    retn 0010h
In Windows 2000's case, you can see that the processing in the red section is gone entirely.
Σ(・ω・) Dang, there was no hidden feature after all.