这两天想做点坏事,也没啥,就是PTE欺骗啦。
其中涉及了VirtualAddress(VA)转化PhysicalAddress(PA)的生成原理。
于是网上找了些相关资料,很努力地看。
但看来看去,怎么和MmGetPhysicalAddress逆向结果不大一样啊。
这才发现,大部分现存的资料都很旧了。虽然应用原理还是差不多,但是已经不能被我们伸手党使用了。
于是决定逆向一下MmGetPhysicalAddress(下面分析的是开启 PAE 的 ntkrnlpa.exe,页表项是 64 位的),再正向它,尝试C++实现之。
----_HARDWARE_PTE结构
lkd> dt _hardware_pte
nt!_HARDWARE_PTE
+0x000 Valid : Pos 0, 1 Bit
+0x000 Write : Pos 1, 1 Bit
+0x000 Owner : Pos 2, 1 Bit
+0x000 WriteThrough : Pos 3, 1 Bit
+0x000 CacheDisable : Pos 4, 1 Bit
+0x000 Accessed : Pos 5, 1 Bit
+0x000 Dirty : Pos 6, 1 Bit
+0x000 LargePage : Pos 7, 1 Bit
+0x000 Global : Pos 8, 1 Bit
+0x000 CopyOnWrite : Pos 9, 1 Bit
+0x000 Prototype : Pos 10, 1 Bit
+0x000 reserved0 : Pos 11, 1 Bit
+0x000 PageFrameNumber : Pos 12, 26 Bits
+0x000 reserved1 : Pos 38, 26 Bits
+0x000 LowPart : Uint4B
+0x004 HighPart : Uint4B
/*
 * 64-bit PAE page-table entry, mirroring the `dt _HARDWARE_PTE` layout
 * from the XP SP3 PAE kernel shown above.  The two anonymous structs are
 * alternative views of the same 8 bytes: a bit-field view and a raw
 * low/high dword view (useful when an entry is read as two 32-bit loads,
 * exactly as MmGetPhysicalAddress does).
 */
typedef struct _HARDWARE_PTE_X86PAE
{
    union
    {
        /* Bit-field view.  Bit positions match the debugger dump. */
        struct
        {
            ULONGLONG Valid           : 1;   /* bit 0:  entry is present            */
            ULONGLONG Write           : 1;   /* bit 1                               */
            ULONGLONG Owner           : 1;   /* bit 2                               */
            ULONGLONG WriteThrough    : 1;   /* bit 3                               */
            ULONGLONG CacheDisable    : 1;   /* bit 4                               */
            ULONGLONG Accessed        : 1;   /* bit 5                               */
            ULONGLONG Dirty           : 1;   /* bit 6                               */
            ULONGLONG LargePage       : 1;   /* bit 7:  PDE maps a 2 MiB page       */
            ULONGLONG Global          : 1;   /* bit 8                               */
            ULONGLONG CopyOnWrite     : 1;   /* bit 9                               */
            ULONGLONG Prototype       : 1;   /* bit 10                              */
            ULONGLONG reserved0       : 1;   /* bit 11                              */
            ULONGLONG PageFrameNumber : 26;  /* bits 12-37: physical page number    */
            ULONGLONG reserved1       : 26;  /* bits 38-63 (not named here; on PAE
                                                hardware with NX enabled bit 63 is
                                                the execute-disable bit)            */
        };
        /* Raw view: the same entry as two 32-bit halves. */
        struct
        {
            ULONG LowPart;
            ULONG HighPart;
        };
    };
} HARDWARE_PTE_X86PAE, *PHARDWARE_PTE_X86PAE,MMPTE_HARDWARE, *PMMPTE_HARDWARE,_MMPTE_HARDWARE,HARDWARE_PTE,*PHARDWARE_PTE;
;Microsoft Windows XP Professional Service Pack 3 [ver 5.1.2600]
;ntkrnlpa.exe
;MD5 : E7E72F0935D0F224768126B49CF2A9E8
.text:00430CD2 _MmGetPhysicalAddress@4 proc near ; CODE XREF: IoSetDumpRange(x,x,x,x)+22p
.text:00430CD2 ; IoSetDumpRange(x,x,x,x)+62p ...
.text:00430CD2
.text:00430CD2 BaseAddress = dword ptr 8
.text:00430CD2
.text:00430CD2 ; PHYSICAL_ADDRESS __stdcall MmGetPhysicalAddress(PVOID BaseAddress)
.text:00430CD2 ; Walks the PAE paging structures through the kernel's PTE/PDE mapping region
.text:00430CD2 ; (64-bit PDEs read at C0600000h, 64-bit PTEs read at C0000000h) and returns
.text:00430CD2 ; the physical address in edx:eax, or 0 when the PDE or PTE is not Valid.
.text:00430CD2 ; The only validation performed is the Valid/LargePage bits: the result mirrors
.text:00430CD2 ; whatever the paging entries currently contain.
.text:00430CD2 ; Register roles: edi = VA, ecx:eax = PDE, edx:eax = PTE, esi = 81h mask,
.text:00430CD2 ;                 ebx = 0 (high-dword half of 64-bit compares).
.text:00430CD2 8B FF mov edi, edi ; 2-byte hot-patch nop
.text:00430CD4 55 push ebp
.text:00430CD5 8B EC mov ebp, esp
.text:00430CD7 53 push ebx ; save callee-saved regs (x86 stdcall: ebx/esi/edi)
.text:00430CD8 56 push esi
.text:00430CD9 57 push edi
.text:00430CDA 8B 7D 08 mov edi, [ebp+BaseAddress] ; edi = VA to translate
.text:00430CDD 8B CF mov ecx, edi
.text:00430CDF C1 E9 12 shr ecx, 12h ; ecx = VA >> 18
.text:00430CE2 81 E1 F8 3F 00 00 and ecx, 3FF8h ; ecx = (VA bits 21..31) * 8 = byte offset of the 8-byte PDE
.text:00430CE8 8B 81 00 00 60 C0 mov eax, [ecx+0C0600000h] ; eax = PDE low dword
.text:00430CEE 8B 89 04 00 60 C0 mov ecx, [ecx+0C0600004h] ; ecx = PDE high dword
.text:00430CF4 BE 81 00 00 00 mov esi, 81h ; mask = Valid (bit 0) | LargePage (bit 7)
.text:00430CF9 8B D0 mov edx, eax
.text:00430CFB 23 D6 and edx, esi ; edx = PDE.low & 81h
.text:00430CFD 33 DB xor ebx, ebx ; ebx = high dword of the mask (always 0)
.text:00430CFF 3B D6 cmp edx, esi
.text:00430D01 75 1F jnz short loc_430D22 ; not (Valid && LargePage) -> walk the PTE
.text:00430D03 85 DB test ebx, ebx ; never taken (ebx just zeroed): leftover of the 64-bit compare
.text:00430D05 75 1B jnz short loc_430D22
.text:00430D07 0F AC C8 0C shrd eax, ecx, 0Ch ; eax = low 32 bits of (PDE >> 12)
.text:00430D0B C1 E9 0C shr ecx, 0Ch ; high bits of the shift, overwritten below
.text:00430D0E 8B CF mov ecx, edi
.text:00430D10 C1 E9 0C shr ecx, 0Ch ; ecx = VA >> 12
.text:00430D13 25 FF FF FF 03 and eax, 3FFFFFFh ; eax = PDE.PageFrameNumber (26 bits): base PFN of the 2 MiB page
.text:00430D18 81 E1 FF 01 00 00 and ecx, 1FFh ; ecx = VA bits 12..20 = 4 KiB page index inside the large page
.text:00430D1E 03 C1 add eax, ecx ; eax = PFN of the 4 KiB page within the large page
.text:00430D20 EB 3F jmp short loc_430D61 ; -> assemble the physical address
.text:00430D22 ; ---------------------------------------------------------------------------
.text:00430D22
.text:00430D22 loc_430D22: ; CODE XREF: MmGetPhysicalAddress(x)+2Fj
.text:00430D22 ; MmGetPhysicalAddress(x)+33j
.text:00430D22 83 E0 01 and eax, 1 ; eax = PDE.Valid
.text:00430D25 33 C9 xor ecx, ecx ; high dword of the 64-bit test is 0
.text:00430D27 0B C1 or eax, ecx
.text:00430D29 74 24 jz short loc_430D4F ; PDE not present -> return 0
.text:00430D2B 8B CF mov ecx, edi
.text:00430D2D C1 E9 09 shr ecx, 9 ; ecx = VA >> 9
.text:00430D30 81 E1 F8 FF 7F 00 and ecx, 7FFFF8h ; ecx = (VA bits 12..31) * 8 = byte offset of the 8-byte PTE
.text:00430D36 8B 91 04 00 00 C0 mov edx, [ecx+0C0000004h] ; edx = PTE high dword
.text:00430D3C 81 E9 00 00 00 40 sub ecx, -0C0000000h ; ecx = C0000000h + offset = &PTE (sub -x == add x)
.text:00430D42 8B 01 mov eax, [ecx] ; eax = PTE low dword
.text:00430D44 8B C8 mov ecx, eax
.text:00430D46 83 E1 01 and ecx, 1 ; ecx = PTE.Valid
.text:00430D49 33 F6 xor esi, esi ; high dword of the 64-bit test is 0
.text:00430D4B 0B CE or ecx, esi
.text:00430D4D 75 06 jnz short loc_430D55 ; PTE present -> compute the address
.text:00430D4F
.text:00430D4F loc_430D4F: ; CODE XREF: MmGetPhysicalAddress(x)+57j
.text:00430D4F 33 C0 xor eax, eax ; return 0 (edx:eax) for a non-present PDE/PTE
.text:00430D51 33 D2 xor edx, edx
.text:00430D53 EB 1F jmp short loc_430D74
.text:00430D55 ; ---------------------------------------------------------------------------
.text:00430D55
.text:00430D55 loc_430D55: ; CODE XREF: MmGetPhysicalAddress(x)+7Bj
.text:00430D55 0F AC D0 0C shrd eax, edx, 0Ch ; eax = low 32 bits of (PTE >> 12)
.text:00430D59 C1 EA 0C shr edx, 0Ch ; high bits of the shift, overwritten at loc_430D61
.text:00430D5C 25 FF FF FF 03 and eax, 3FFFFFFh ; eax = PTE.PageFrameNumber (26 bits)
.text:00430D61
.text:00430D61 loc_430D61: ; CODE XREF: MmGetPhysicalAddress(x)+4Ej
.text:00430D61 33 C9 xor ecx, ecx ; eax = PFN here (from either path)
.text:00430D63 0F A4 C1 0C shld ecx, eax, 0Ch ; ecx = high dword of (PFN << 12) = PFN >> 20
.text:00430D67 C1 E0 0C shl eax, 0Ch ; eax = low dword of (PFN << 12); low 12 bits now zero
.text:00430D6A 81 E7 FF 0F 00 00 and edi, 0FFFh ; edi = VA & FFFh = byte offset inside the page
.text:00430D70 03 C7 add eax, edi ; eax += offset; cannot carry since eax's low 12 bits are zero
.text:00430D72 8B D1 mov edx, ecx ; edx:eax = physical address
.text:00430D74
.text:00430D74 loc_430D74: ; CODE XREF: MmGetPhysicalAddress(x)+81j
.text:00430D74 5F pop edi ; restore callee-saved regs
.text:00430D75 5E pop esi
.text:00430D76 5B pop ebx
.text:00430D77 5D pop ebp
.text:00430D78 C2 04 00 retn 4 ; stdcall: callee pops the 4-byte arg; 64-bit result in edx:eax
.text:00430D78 _MmGetPhysicalAddress@4 endp