[原创]X64获取SSDT表 计算分析
发表于:
2017-4-1 22:12
1 kd> rdmsr 0C0000082h
（MSR 0xC0000082 即 IA32_LSTAR，保存 syscall 指令进入内核时的入口地址；下面用 ln 解析可见它就是 nt!KiSystemCall64）
msr[c0000082] = fffff800`03c8f640
2 kd> ln fffff800`03c8f640
(fffff800`03c8f640) nt!KiSystemCall64 | (fffff800`03c8f75e) nt!KiSystemServiceStart
Exact matches:
nt!KiSystemCall64 = <no type information>
3 kd> uf fffff800`03c8f640
（反汇编 KiSystemCall64，下面只截取与 SSDT 定位相关的片段）
... ...
nt!KiSystemCall64+0x110:
fffff800`03c8f750 fb sti
fffff800`03c8f751 48898be0010000 mov qword ptr [rbx+1E0h],rcx
fffff800`03c8f758 8983f8010000 mov dword ptr [rbx+1F8h],eax
fffff800`03c8f75e 4889a3d8010000 mov qword ptr [rbx+1D8h],rsp
// 1 特征码：服务号拆分。edi = (eax >> 7) & 0x20，作为之后 [rdi+r10+10h] 访问时相对表基址的偏移（0 或 0x20）；eax &= 0xFFF 为表内索引
fffff800`03c8f765 8bf8 mov edi,eax
fffff800`03c8f767 c1ef07 shr edi,7
fffff800`03c8f76a 83e720 and edi,20h
fffff800`03c8f76d 25ff0f0000 and eax,0FFFh
// 2 特征 0x8d4c：即下面 lea r10,[rip+disp32] 的前两个字节 4C 8D（REX.W+R 与 lea 操作码）按小端读成的 USHORT，由此定位并取得 nt!KeServiceDescriptorTable 的地址。注意紧随其后的 lea r11 同样以 4C 8D 开头（第三字节 ModRM 为 1D，而 r10 的是 15），仅靠两字节匹配只是因为正向扫描先命中 r10 这一条
nt!KiSystemServiceRepeat:
fffff800`03c8f772 4c8d15c7202300 lea r10,[nt!KeServiceDescriptorTable (fffff800`03ec1840)]
fffff800`03c8f779 4c8d1d00212300 lea r11,[nt!KeServiceDescriptorTableShadow (fffff800`03ec1880)]
fffff800`03c8f780 f7830001000080000000 test dword ptr [rbx+100h],80h
fffff800`03c8f78a 4d0f45d3 cmovne r10,r11
fffff800`03c8f78e 423b441710 cmp eax,dword ptr [rdi+r10+10h]
fffff800`03c8f793 0f83e9020000 jae nt!KiSystemServiceExit+0x1a7 (fffff800`03c8fa82)
// 3 开始计算：按 RIP 相对寻址公式还原 lea 的目标（目标 = 下一条指令地址 + 符号扩展的 disp32）。上面的 cmp eax,[rdi+r10+10h] / jae 是对服务号的无符号上界比较，不参与地址计算
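// Match the `lea r10,[rip+disp32]` that loads nt!KeServiceDescriptorTable
// in KiSystemServiceRepeat: bytes 4C 8D 15 <disp32>.
//   4C = REX.W+REX.R, 8D = lea, 15 = ModRM (reg=r10, rm=RIP-relative).
// The original two-byte test (0x8d4c == bytes 4C 8D read little-endian as a
// USHORT) also matches the following `lea r11,[KeServiceDescriptorTableShadow]`
// (4C 8D 1D) and any other lea into r8-r15 encoded with REX.WR, so the ModRM
// byte is checked as well to pin the r10 load specifically.
// NOTE(review): assumes IterAddr is a byte pointer (PUCHAR) — confirm at the
// caller; the enclosing scan loop is not shown here and should be bounded to
// the KiSystemCall64 function body rather than run open-ended.
if (*(USHORT*)IterAddr == (USHORT)0x8d4c &&
    ((unsigned char*)IterAddr)[2] == 0x15)
{
    // RIP-relative target = address of the next instruction + sign-extended
    // disp32. The instruction is 7 bytes (REX 1 + opcode 1 + ModRM 1 +
    // disp32 4), so the next instruction is IterAddr + 7 and disp32 starts
    // at byte offset 3; it is read as LONG so a negative displacement is
    // sign-extended before the 64-bit add.
    return (PVOID)(((LONGLONG)IterAddr + 7) + *(LONG*)(IterAddr + 3));
}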
此时 IterAddr（下文记作 CurAddr）= fffff800`03c8f772，即 lea r10 指令的起始地址
((LONGLONG)CurAddr +7) = fffff800`03c8f772+7 = fffff800`03c8f779 //a（+7 为该 lea 指令长度：REX 1 + 操作码 1 + ModRM 1 + disp32 4，得到下一条指令 lea r11 的地址，RIP 相对寻址以它为基准）
(CurAddr +3) = fffff800`03c8f775
kd> dd fffff800`03c8f775
fffff800`03c8f775 002320c7 001d8d4c f7002321 00010083
取第一个 DWORD 002320c7 //b（即指令字节 c7 20 23 00 按小端读出的 32 位位移 disp32；代码中用 LONG 读取，位移为负时会被符号扩展）
fffff800`03c8f779+002320c7 = FFFFF800'03EC1840
即 a + b 与反汇编中 lea 的目标一致：
fffff800`03c8f772 4c8d15c7202300 lea r10,[nt!KeServiceDescriptorTable (fffff800`03ec1840)]