200311242121.txt.md

8. ntdll!RtlpBreakPointHeap()

---

; __stdcall RtlpBreakPointHeap(x) _RtlpBreakPointHeap@4 proc near

arg_0= dword ptr 4

mov eax, large fs:18h               ; +0x018 Self : Ptr32 _NT_TIB，指向_TEB
mov eax, [eax+30h]                  ; +0x030 ProcessEnvironmentBlock : Ptr32 _PEB
cmp byte ptr [eax+2], 0             ; +0x002 BeingDebugged : UChar
                                    ;
                                    ; if ( FALSE == _PEB.BeingDebugged )
                                    ; {
                                    ;     goto RtlpBreakPointHeap_exit
                                    ; }
jz  short RtlpBreakPointHeap_exit
mov eax, [esp+arg_0]                ; EAX现在等于第一形参
mov _RtlpHeapInvalidBreakPoint, 1
mov _RtlpHeapInvalidBadAddress, eax
call near ptr _DbgBreakPoint@0      ; from XP DDK
                                    ;
                                    ; /*
                                    ;  * breaks into the kernel debugger
                                    ;  */
                                    ; VOID NTAPI DbgBreakPoint
                                    ; (
                                    ;     VOID
                                    ; );
mov _RtlpHeapInvalidBreakPoint, 0

RtlpBreakPointHeap_exit: retn 4 _RtlpBreakPointHeap@4 endp

---

/*

• 这是ntdll.dll中定义的两个全局变量 */ extern BOOL RtlpHeapInvalidBreakPoint; extern PVOID RtlpHeapInvalidBadAddress;

void __stdcall RtlpBreakPointHeap ( PVOID addr ) { if ( _PEB.BeingDebugged ) { RtlpHeapInvalidBreakPoint = TRUE; RtlpHeapInvalidBadAddress = addr; /* * from XP DDK * * breaks into the kernel debugger * * 如果在target上安装了kd一类的调试器，将"陷入"。 / DbgBreakPoint(); RtlpHeapInvalidBreakPoint = FALSE; } return; } / end of RtlpBreakPointHeap */