I have a crash dump of a user-mode Windows program and I want to emulate RtlDecodePointer(), i.e. decode some pointers that were encoded with RtlEncodePointer(). How do I do that?
I studied the disasm of ntdll!RtlDecodePointer and was able to write the following WinDbg expressions:
r $t0 = 86aaaa40`0007ff77 // put value to decode here
r $t1 = dwo(ntdll!`RtlpGetCookieValue'::`2'::CookieValue)
r $t2 = @$t1 & 3f
r $t3 = (@$t0 >> (0x40 - @$t2)) | (@$t0 << @$t2)
.printf "Decoded pointer: %p\n", @$t3 ^ @$t1
Or, as a one-liner:
r $t0 = 86aaaa40`0007ff77 // put value to decode here
r $t1 = dwo(ntdll!`RtlpGetCookieValue'::`2'::CookieValue); r $t2 = @$t1 & 3f; r $t3 = (@$t0 >> (0x40 - @$t2)) | (@$t0 << @$t2); .printf "Decoded pointer: %p\n", @$t3 ^ @$t1
This works well even on minidumps that do not contain full memory.
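As an added example (not part of the answer above), the same arithmetic the WinDbg expression performs, modelled in Python so it can be checked offline: the x64 encoding is XOR with the process cookie followed by a rotate-right by (cookie & 0x3f), and the decode is the inverse rotate-left followed by XOR, which is what `$t2`, `$t3` and the final `^ @$t1` compute. The cookie and pointer values below are constructed for illustration; in a real dump the cookie comes from the `CookieValue` read with `dwo()` as in the answer.

```python
# Added example: a Python model of the x64 RtlEncodePointer/RtlDecodePointer
# arithmetic, mirroring the WinDbg expression from the answer above.
# Sample cookie and pointer values are constructed, not taken from any dump.

MASK64 = (1 << 64) - 1


def rol64(value, n):
    """Rotate a 64-bit value left by n bits (n is reduced mod 64)."""
    n &= 0x3F
    if n == 0:
        # The WinDbg expression shifts right by 0x40 in this case, which is
        # undefined in C; handling it explicitly avoids relying on that.
        return value & MASK64
    return ((value << n) | (value >> (64 - n))) & MASK64


def ror64(value, n):
    """Rotate a 64-bit value right by n bits (n is reduced mod 64)."""
    n &= 0x3F
    if n == 0:
        return value & MASK64
    return ((value >> n) | (value << (64 - n))) & MASK64


def encode_pointer(ptr, cookie):
    """Model of RtlEncodePointer on x64: XOR with the cookie, then rotate
    right by the low 6 bits of the cookie."""
    return ror64((ptr ^ cookie) & MASK64, cookie & 0x3F)


def decode_pointer(encoded, cookie):
    """Model of RtlDecodePointer on x64, i.e. the WinDbg steps:
       $t2 = cookie & 3f ; $t3 = ROL(encoded, $t2) ; result = $t3 ^ cookie"""
    return rol64(encoded & MASK64, cookie & 0x3F) ^ cookie


def windbg_decode_expression(encoded):
    """Return the answer's one-liner with the given encoded value filled in,
    using WinDbg's backtick 64-bit separator."""
    hi, lo = encoded >> 32, encoded & 0xFFFFFFFF
    return (
        f"r $t0 = {hi:08x}`{lo:08x}; "
        "r $t1 = dwo(ntdll!`RtlpGetCookieValue'::`2'::CookieValue); "
        "r $t2 = @$t1 & 3f; "
        "r $t3 = (@$t0 >> (0x40 - @$t2)) | (@$t0 << @$t2); "
        '.printf "Decoded pointer: %p\\n", @$t3 ^ @$t1'
    )


if __name__ == "__main__":
    # Constructed values: cookie & 0x3f == 4, so the rotation is by 4 bits.
    cookie = 0x1000000000000004
    ptr = 0x00007FF700001000
    enc = encode_pointer(ptr, cookie)
    print(f"encoded: {enc:016x}")
    print(f"decoded: {decode_pointer(enc, cookie):016x}")
    print(windbg_decode_expression(enc))
```

The round trip (encode then decode) recovering the original pointer is the check worth running before trusting a decoded value from a dump; if it fails, the cookie read from the dump, not the rotation, is usually what went wrong.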