感谢 sudaim同学的回答， 让我等小菜不必费劲脑经想起他办法进入

 

 

windbg连上VM,在虚拟机启动的时候break一下,然后输入:sxe ld 360SelfProtectiong 不一会就会断下,如下kd> lmvm 360SelfProtection start end module namef67b4000 f67d1980 360SelfProtection (no symbols) Loaded symbol image file: 360SelfProtection.sysImage path: 360SelfProtection.sysImage name: 360SelfProtection.sysTimestamp: Tue Jan 11 19:36:54 2011 (4D2C40D6)CheckSum: 00021EF4ImageSize: 0001D980File version: 1.0.0.1054Product version: 1.0.0.1054File flags: 0 (Mask 3F)File OS: 40004 NT Win32File type: 3.8 DriverFile date: 00000000.00000000Translations: 0804.04b0CompanyName: 360安全中心ProductName: 360安全中心InternalName: SelfProtectionOriginalFilename: SelfProtection.sysProductVersion: 1, 0, 0, 1054FileVersion: 1, 0, 0, 1054PrivateBuild: 1, 0, 0, 1054SpecialBuild: 1, 0, 0, 1054FileDescription: 360安全卫士 - SelfProtectionLegalCopyright: 版权所有 (C) 2006-2010 360安全中心LegalTrademarks: 版权所有 (C) 2006-2010 360安全中心Comments: 版权所有 (C) 2006-2010 360安全中心 kd> kvn 100# ChildEBP RetAddr Args to Child 00 f819c398 80527fce f819c430 f819c3ac 00000003 nt!DebugService2+0x10 (FPO: [3,0,0])01 f819c3bc 805a3cea f819c430 f67b4000 ffffffff nt!DbgLoadImageSymbols+0x42 (FPO: [3,4,0])02 f819c560 80576254 f819c5e4 00000000 00000000 nt!MmLoadSystemImage+0xa34 (FPO: [Non-Fpo])03 f819c640 80689770 000006c8 00000001 00000000 nt!IopLoadDriver+0x370 (FPO: [4,45,0])04 f819c69c 80686ad9 00043000 00000000 00000000 nt!IopInitializeSystemDrivers+0x16c (FPO: [0,14,4])05 f819c83c 80684edd 80087000 00000000 81c4f3e8 nt!IoInitSystem+0x7a3 (FPO: [1,99,4])06 f819cdac 805c5a28 80087000 00000000 00000000 nt!Phase1Initialization+0x9b5 (FPO: [1,342,4])07 f819cddc 80541fa2 80684528 80087000 00000000 nt!PspSystemThreadStartup+0x34 (FPO: [Non-Fpo])08 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16  kd> bp f67b4000+poi(poi(f67b4000+3c)+f67b4000+28)kd> bl0 e f67cee85 0001 (0001) 360SelfProtection+0x1ae85 kd> u f67cee85360SelfProtection+0x1ae85:f67cee85 a188ad7cf6 mov eax,dword ptr [360SelfProtection+0x16d88 (f67cad88)]f67cee8a 85c0 test eax,eaxf67cee8c b94ee640bb mov ecx,0BB40E64Ehf67cee91 7404 je 360SelfProtection+0x1ae97 (f67cee97)f67cee93 3bc1 cmp eax,ecxf67cee95 7519 jne 360SelfProtection+0x1aeb0 (f67ceeb0)f67cee97 a1a48a7cf6 mov eax,dword ptr [360SelfProtection+0x14aa4 (f67c8aa4)]f67cee9c 8b00 mov eax,dword ptr [eax] kd> gBreakpoint 0 hit360SelfProtection+0x1ae85:f67cee85 a188ad7cf6 mov eax,dword ptr [360SelfProtection+0x16d88 (f67cad88)] kd> kvn 100# ChildEBP RetAddr Args to Child WARNING: Stack unwind information not available. Following frames may be wrong.00 f819c640 80689770 000006c8 00000001 00000000 360SelfProtection+0x1ae8501 f819c69c 80686ad9 00043000 00000000 00000000 nt!IopInitializeSystemDrivers+0x16c (FPO: [0,14,4])02 f819c83c 80684edd 80087000 00000000 81c4f3e8 nt!IoInitSystem+0x7a3 (FPO: [1,99,4])03 f819cdac 805c5a28 80087000 00000000 00000000 nt!Phase1Initialization+0x9b5 (FPO: [1,342,4])04 f819cddc 80541fa2 80684528 80087000 00000000 nt!PspSystemThreadStartup+0x34 (FPO: [Non-Fpo])05 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16 ok,进入此驱动内部,调试吧.