You can also debug user-mode programs from WinDbg in KD (kernel debugging) mode.

Source: Internet
Author: User

To debug winlogon the usual way you first have to make some settings in the system registry. Later I saw someone on the Internet debugging lsass.exe from the kernel debugger instead, using the following method:

kd> !process 0 0 lsass.exe
kd> .process /p /r 815196c0

I found that with this method no registry setting is needed at all, which is very convenient.

Then we can set breakpoints just as we would when debugging the program in user mode. (`.process /p /r` sets the implicit process and reloads user-mode symbols for it; the transcript below shows it working. In current WinDbg builds, `.process /i <PROCESS address>` followed by `g` switches to the process invasively, which is the documented way to break in and set breakpoints in that process.)

 

For example, during logon you have to enter a user name and password. The following session shows how to see what was entered. The transcript comes from a 32-bit Windows XP/2003-era system: there the logon dialog lives in msgina.dll (the GINA), while Vista and later moved it to LogonUI.exe and credential providers, so the msgina symbols below do not exist on a newer system.

I put a breakpoint on USER32!GetDlgItemTextW; I found that call site by looking at the code in OllyDbg (OD).

(You can load a copy of the module in OD without running it; you only need to read the disassembly. OD's disassembly output is quite good.)

Find the process:

kd> !process 0 0 winlogon.exe
PROCESS 821661c8  SessionId: 0  Cid: 018c    Peb: 7ffd9000  ParentCid: 0138
    DirBase: 0ceb5000  ObjectTable: e14b1220  HandleCount: 392.
    Image: winlogon.exe

Make it the current process so that we can operate on its virtual address space:

kd> .process /p /r 821661c8
Implicit process is now 821661c8
.cache forcedecodeuser done
Loading User Symbols
.......................................................

Set the breakpoint and list it:

kd> bp USER32!GetDlgItemTextW
kd> bl
 0 e 77d24305     0001 (0001) USER32!GetDlgItemTextW

Continue running, then click the user name field and type the password:

kd> g
Breakpoint 0 hit
USER32!GetDlgItemTextW:
001b:77d24305 8bff            mov     edi,edi

View the stack:

kd> kn
 # ChildEBP RetAddr
00 0006e778 758d7f60 USER32!GetDlgItemTextW
01 0006e7c8 758d7e1d msgina!AttemptLogon+0x4f
*** WARNING: Unable to verify checksum for winlogon.exe
02 0006e974 0103acc7 msgina!LogonDlgProc+0xc61
03 0006e998 77d18734 winlogon!RootDlgProc+0x6e
04 0006e9c4 77d23ce4 USER32!InternalCallWinProc+0x28
05 0006ea30 77d23b30 USER32!UserCallDlgProcCheckWow+0x146
06 0006ea78 77d23d5c USER32!DefDlgProcWorker+0xa8
07 0006ea94 77d18734 USER32!DefDlgProcW+0x22
08 0006eac0 77d18816 USER32!InternalCallWinProc+0x28
09 0006eb28 77d2927b USER32!UserCallWinProcCheckWow+0x150
0a 0006eb64 77d292e3 USER32!SendMessageWorker+0x4a5
0b 0006eb84 758f29c8 USER32!SendMessageW+0x7f
0c 0006ebb0 758f2e0d msgina!CLogonDialog::handle_logon_logon_user+0x9f
0d 0006f004 758e39bf msgina!CLogonDialog::handle_wm_logonservicerequest+0x89
0e 0006f018 758d6c3a msgina!_Shell_LogonDialog_DlgProc+0x58
0f 0006f1d0 0103acc7 msgina!LogonDlgProc+0x93b
10 0006f1f4 77d18734 winlogon!RootDlgProc+0x6e
11 0006f220 77d23ce4 USER32!InternalCallWinProc+0x28
12 0006f28c 77d23b30 USER32!UserCallDlgProcCheckWow+0x146
13 0006f2d4 77d23d5c USER32!DefDlgProcWorker+0xa8

View the return address ($ra) and the parameters. GetDlgItemTextW is x86 stdcall, so at function entry [esp] is the return address, followed by hDlg, nIDDlgItem, lpString (the output buffer) and nMaxCount:

kd> dd esp
0006e77c  758d7f60 0003002a 000005df 00b20800
0006e78c  00000200 0003002a 00000000 0008cd10
0006e79c  00000001 0006e7ac 77d1971c 00000000
0006e7ac  0006e7c4 758d7c4e 0002004a 00000000
0006e7bc  0003002a 00b20000 00b20400 0006e974
0006e7cc  758d7e1d 0003002a 0007e368 0007e3f8
0006e7dc  00000111 00000000 0006edf4 771a3dda
0006e7ec  dcbaabcd 00000000 0006e838 771a3dda

The buffer at 00b20800 is still empty on entry. Run to the return address so the API fills it in, then dump it:

kd> g 758d7f60
msgina!AttemptLogon+0x4f:
001b:758d7f60 57              push    edi
kd> du 00b20800
00b20800  "111222"

This is the password I typed. Continue; the breakpoint hits again for the next control:

kd> g
Breakpoint 0 hit
USER32!GetDlgItemTextW:
001b:77d24305 8bff            mov     edi,edi

kd> dd esp
0006e77c  758d7fd1 0003002a 000005de 00b20000
0006e78c  00000200 0003002a 00000000 0008cd10
0006e79c  00000001 0006e7ac 77d1971c 00000000
0006e7ac  0006e7c4 758d7c4e 0002004a 0002004a
0006e7bc  00000000 00b20000 00b20400 0006e974
0006e7cc  758d7e1d 0003002a 0007e368 0007e3f8
0006e7dc  00000111 00000000 0006edf4 771a3dda
0006e7ec  dcbaabcd 00000000 0006e838 771a3dda

This time the control id is 0x5de instead of 0x5df and the buffer is 00b20000. Again run to the return address and dump the buffer:

kd> g 758d7fd1
msgina!AttemptLogon+0xb8:
001b:758d7fd1 53              push    ebx
kd> du 00b20000
00b20000  "Administrator"

That is the user name. Both strings sit in clear text in winlogon's address space at this point, so anyone with a kernel debugger attached to the machine (or a memory image of it) can read them the same way; debugger access to a logon host is effectively access to the credentials typed into it.
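The session above does the capture by hand: break on entry, read the arguments, run to the return address, dump the buffer. The following command sequence, added here as an example and not part of the original post, automates those steps with a breakpoint command. It assumes the same 32-bit x86 target as the transcript (stdcall, arguments on the stack), that 821661c8 is the PROCESS address obtained from `!process 0 0 winlogon.exe` (substitute your own), and that USER32 symbols resolve after `.reload /user`; `$t0` and `$t1` are WinDbg pseudo-registers, not names from the page. Type the commands at the kd> prompt one after another.

```windbg
$$ Switch to winlogon invasively and break in inside its context, then
$$ reload user-mode symbols so USER32!GetDlgItemTextW resolves.
$$ (821661c8 is the PROCESS address from !process 0 0 winlogon.exe; assumed here.)
.process /i 821661c8
g
.reload /user

$$ At GetDlgItemTextW entry on x86 stdcall:
$$   [esp]      return address
$$   [esp+4]    hDlg
$$   [esp+8]    nIDDlgItem  (control id; 0x5df and 0x5de in the transcript)
$$   [esp+0xc]  lpString    (output buffer, empty on entry)
$$   [esp+0x10] nMaxCount
$$ Save the control id and buffer pointer in pseudo-registers, print them,
$$ and plant a one-shot breakpoint on the return address that dumps the
$$ buffer once the API has filled it. The trailing g must be last: a
$$ resume command ends a breakpoint command list, so the dump cannot
$$ simply follow "g @$ra" in the same string.
bp USER32!GetDlgItemTextW "r $t0 = poi(@esp+8); r $t1 = poi(@esp+0xc); .printf \"GetDlgItemTextW: control id %x, buffer %p\\n\", @$t0, @$t1; bp /1 @$ra \"du @$t1; g\"; g"

$$ Let the target run; every call now logs the control id and its text.
g
```

The pseudo-registers are global to the debugger, so if another thread in the process called GetDlgItemTextW between entry and return the two breakpoints could pair up the wrong buffer; for a single logon dialog this does not happen, but a check of the control id printed against the dumped text is cheap. `bl` will show the one-shot breakpoints come and go; `bc *` removes everything when done.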
