Linux: `lm` does not work, possibly because of "Read module entry failed"

Running `lm` does not list any modules.

```
lm
start             end                 module name
```

Using the built-in kernel, with the `nokaslr` parameter added.

```
geduer@gdk:~$ uname -a
Linux gdk 5.0.0-23-generic #24~18.04.1-Ubuntu SMP Mon Jul 29 16:12:28 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
geduer@gdk:~$ cat /proc/cmdline
BOOT_IMAGE=/boot/vmlinuz-5.0.0-23-generic root=UUID=fa675f11-698d-4d70-a28f-eac0617cdd5b ro nokaslr
```

log:

```
File View Output
Nano Debugger (NDB) 1.0.258
Starting...
Starting KD session type=usb3,proto=dcid,ipc=open,opt=rxs

Microsoft (R) Windows Debugger Version 10.0.17763.132 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

All logic CPU threads detected: 1000 1001 1002 1003
Switched to processor 0, its device id is 0x1000
Kernel Debugger connection established
Found NGB marker in target memory at ffffffffff5ff000
Found NGB marker in target memory at ffffffffff5ff000
Found NGB marker in target memory at ffffffffff5ff000
Read module entry failed
Connected to Windows 7 7601 x64 target at (Fri Jun 26 09:57:57.466 2020 (UTC + 8:00)), ptr64 TRUE
Symbol search path is: srv*
Executable search path is:
Unable to create shared user data image
Found NGB marker in target memory at ffffffffff5ff000
Found NGB marker in target memory at ffffffffff5ff000
Unable to read KTHREAD address 00000000000000b8
Unable to read KTHREAD address 00000000000000b8
Unable to get PEB pointer

"nt" was not found in the image list.
Debugger will attempt to load "nt" at given base 00000000`00000000.

Please provide the full image name, including the extension (i.e. kernel32.dll)
for more reliable results.Base address and size overrides can be given as
.reload <image.ext>=<base>,<size>.
Unable to add module at 00000000`00000000
Found NGB marker in target memory at ffffffffff5ff000
Unable to read KTHREAD address 00000000000000b8
Found NGB marker in target memory at ffffffffff5ff000
Unable to read KTHREAD address 00000000000000b8
KdDebuggerData.KernBase < SystemRangeStart
Found NGB marker in target memory at ffffffffff5ff000
Unable to read KTHREAD address 00000000000000b8
Found NGB marker in target memory at ffffffffff5ff000
Found NGB marker in target memory at ffffffffff5ff000
Unable to read KTHREAD address 00000000000000b8
Windows 7 Kernel Version 7601 MP (4 procs) Free x64
Machine Name:
Kernel base = 0xffeeffee`80000000 PsLoadedModuleList = 0xfffd0000`00004028
Found NGB marker in target memory at ffffffffff5ff000
Unable to read KTHREAD address 00000000000000b8
Found NGB marker in target memory at ffffffffff5ff000
Unable to read KTHREAD address 00000000000000b8
System Uptime: not available
Found NGB marker in target memory at ffffffffff5ff000
ffffffff`81a36897 65488b0425005c0100 mov rax,qword ptr gs:[15C00h]
lm
start             end                 module name
0: kd>
0%100%
```
