windbg跳过初始断点

windbg跳过初始断点
当我们用Windbg打开一个exe时，调试器第一次中断：

输入kb查看当前栈如下：
```
0:000> kb
 # ChildEBP RetAddr  Args to Child              
00 00fff8bc 77d498e0 5e7dcb19 0105b000 00000000 ntdll!LdrpDoDebuggerBreak+0x2b
01 00fffb18 77d05257 5e7dcb71 00000000 00000000 ntdll!LdrpInitializeProcess+0x1b20
02 00fffb70 77d05151 00000000 00000000 00000000 ntdll!_LdrpInitialize+0xb0
03 00fffb7c 00000000 00fffb90 77ca0000 00000000 ntdll!LdrInitializeThunk+0x11
```
LdrpInitialize函数是一个新进程的初始线程开始在用户态执行最早代码，LdrpInitializeProcess函数的一个主要任务是加载EXE文件所依赖的动态链接库，在加载每个DLL后，LdrpInitializeProcess都会检查当前进程是否被调试，如果是，则调用用DbgBreakPoint 通知调试器，注意此时并没有调用每个DLL的Dllmain函数。
我们称这个第一次中断叫初始断点，初始断点不是调试器可以得到的最早控制机会，如进程创建事件和EXE模块加载事件都会比它早。我们可以在进程创建事件时中断下来：

通过

或执行如下指令
```
sxe cpr
```
然后.restart就可以先断到进程创建的时候,然后强制把PEB的BeingDebugged字段改为0:
0:000> db @$peb
0118d000 00 00 01 04 ff ff ff ff-00 00 e4 00 00 00 00 00 ................
0118d010 00 00 e1 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0118d020 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0118d030 00 00 00 00 00 00 00 00-00 00 e2 00 00 00 00 00 ................
0118d040 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0118d050 00 00 00 00 00 00 00 00-00 00 36 7f 00 00 36 7f ..........6...6.
0118d060 28 00 39 7f 08 00 00 00-00 04 00 00 00 00 00 00 (.9.............
0118d070 00 80 9b 07 6d e8 ff ff-00 00 10 00 00 20 00 00 ....m........ ..
0:000> eb @$peb+2
0118d002 01 0
0
0118d003 04 08
08
0118d004 ff

0:000> db@$peb
0118d000 00 00 00 08 ff ff ff ff-00 00 e4 00 00 00 00 00 ................
0118d010 00 00 e1 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0118d020 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0118d030 00 00 00 00 00 00 00 00-00 00 e2 00 00 00 00 00 ................
0118d040 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0118d050 00 00 00 00 00 00 00 00-00 00 36 7f 00 00 36 7f ..........6...6.
0118d060 28 00 39 7f 08 00 00 00-00 04 00 00 00 00 00 00 (.9.............
0118d070 00 80 9b 07 6d e8 ff ff-00 00 10 00 00 20 00 00 ....m........ ..
0:000> g
ModLoad: 77ca0000 77e3c000   ntdll.dll
ModLoad: 74de0000 74e33000   C:windowsSysWOW64MSCOREE.DLL
ModLoad: 76450000 76530000   C:windowsSysWOW64KERNEL32.dll

这样，windbg就不会中断到初始断点了！
相关阅读:
语法树，短语，直接短语，句柄
 理解文法和语法
 了解编译原理
 实习日记7.20
实习日记7.19
实习日记7.18
实习日记7.15
实习日记7.13-7.14
实习日记7.12
实习日记7.11
原文地址：https://www.cnblogs.com/yilang/p/12162571.html