ntdll!LdrpDoDebuggerBreak+0x2c: 7757054e cc int 3 0:000> kv ChildEBP RetAddr Args to Child 0030f3c8 77550e00 7ffdf000 7ffd3000 775a714c ntdll!LdrpDoDebuggerBreak+0x2c (FPO: [SEH]) 0030f528 77536047 0030f59c 774d0000 7121b76b ntdll!LdrpInitializeProcess+0x11a9 (FPO: [2,83,4]) 0030f578 775335e9 0030f59c 774d0000 00000000 ntdll!_LdrpInitialize+0x78 (FPO: [SEH]) 0030f588 00000000 0030f59c 774d0000 00000000 ntdll!LdrInitializeThunk+0x10 (FPO: [2,0,0]
LdrpInitialize函数是一个新进程的初始线程开始在用户态执行最早代码,LdrpInitializeProcess函数的一个主要任务是加载EXE文件所依赖的动态链接库,在加载每个DLL后,LdrpInitializeProcess都会检查当前进程是否被调试,如果是,则调用用DbgBreakPoint 通知调试器,注意此时并没有调用每个DLL的Dllmain函数
初始断点不是调试器可以得到的最早控制机会,如进程创建事件和EXE模块加载事件都会比它早
如:
sxe cpr
然后.restart就可以先断到进程创建的时候
然后强制把PEB的BeingDebugged字段改为0:
0:000> db @$peb 7ffdb000 00 00 01 08 ff ff ff ff-00 00 2e 01 00 00 00 00 ................ 7ffdb010 00 00 01 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ 7ffdb020 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ 7ffdb030 00 00 00 00 00 00 00 00-00 00 71 77 00 00 00 00 ..........qw.... 7ffdb040 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ 7ffdb050 00 00 00 00 00 00 00 00-00 00 fa 7f 00 00 fa 7f ................ 7ffdb060 24 00 fd 7f 04 00 00 00-00 00 00 00 00 00 00 00 $............... 7ffdb070 00 80 9b 07 6d e8 ff ff-00 00 10 00 00 20 00 00 ....m........ .. 0:000> eb @$peb+2 7ffdb002 01 0 0 7ffdb003 08 0:000> db @$peb 7ffdb000 00 00 00 08 ff ff ff ff-00 00 2e 01 00 00 00 00 ................ 7ffdb010 00 00 01 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
这样,windbg就不会中断到初始断点了!