-
-
[原创]TCPIP协议栈损坏修复案例
-
发表于: 2017-9-19 19:21
-
kd> !ndiskd.miniport
MiniDriver Miniport Name _
86667cc8 848fd4a0 VMware Accelerated AMD PCNet Adapter - XXXX Driver
86667cc8 847aaad0 WAN 微型端口 (IP) - XXXXDriver
86667cc8 84899130 Realtek RTL8192CU Wireless LAN 802.11n USB 2.0 Network Adapter - XXXXDriver
865d5358 866c3560 Realtek RTL8192CU Wireless LAN 802.11n USB 2.0 Network Adapter
862a9678 86497850 Realtek RTL8192CU Wireless LAN 802.11n USB 2.0 Network Adapter - 数据包计划程序微型端口
863ae6b0 865d3130 直接并行
862a9678 86290728 WAN 微型端口 (IP) - 数据包计划程序微型端口
862a9678 8649da10 VMware Accelerated AMD PCNet Adapter - 数据包计划程序微型端口
863b5ad8 862a9130 WAN 微型端口 (PPTP)
86615ca0 863b5130 WAN 微型端口 (PPPOE)
863d37b0 863b4b08 WAN 微型端口 (IP)
86553180 86491838 WAN 微型端口 (L2TP)
86554010 86491130 VMware Accelerated AMD PCNet Adapter
kd> !ndiskd.miniport866c3560
MINIPORT
Realtek RTL8192CU Wireless LAN 802.11n USB 2.0 Network Adapter
Ndis Handle 866c3560
Ndis API Version v5.1
Adapter Context 85e86000
Miniport Driver 865d5358 - RTWlanU_XP.sys v0.1
Ndis Verifier [No flags set]
Media Type 802.3
Physical Medium WirelessLan
Device Path \??\USB#Vid_0bda&Pid_8178#00e04c000001#{ad498944-762f-11d0-8dcb-00c04fc3358c}\{A264B0CF-D6BA-4191-B65F-1A44C7DAA4EE}
Device Object 866c3460
MAC Address 00-87-41-56-02-9d
STATE
Device PnP Started
Datapath Normal
Media Connected
Power D0
References 2
User Handles 0
Total Resets 0
Pending OID None
Flags 2c453800
↑ NOT_BUS_MASTER, IGNORE_PACKET_QUEUE, IGNORE_REQUEST_QUEUE,
IGNORE_TOKEN_RING_ERRORS, NDIS_5, DESERIALIZED, RESOURCES_AVAILABLE,
SUPPORTS_MEDIA_SENSE, DOES_NOT_DO_LOOPBACK, MEDIA_CONNECTED
PnPFlags 40410021 [Unrecognized flags 40000000]
↑ PM_SUPPORTED, DEVICE_POWER_ENABLED, RECEIVED_START, NDIS_WDM_DRIVER
BINDINGS
Open List Open Protocol Context _
XXXX 848ec3e8 8672b1a8 84939008
MORE INFORMATION
→ Driver handlers
→ Power management
→ Wake-on-LAN (WoL) → Packet filter
我们从上面可以看到我们的无线网卡是正常工作的。并没有什么问题,看下其他的miniport driver是否有问题kd> !ndiskd.miniport 86497850
MINIPORT
Realtek RTL8192CU Wireless LAN 802.11n USB 2.0 Network Adapter - 数据包计划程序微型端口
Ndis Handle 86497850
Ndis API Version v5.0
Adapter Context 8664cad0
Miniport Driver 862a9678 - psched.sys v2.1
Ndis Verifier [No flags set]
Media Type 802.3
Physical Medium WirelessLan
Device Path \??\ROOT#MS_PSCHEDMP#0002#{ad498944-762f-11d0-8dcb-00c04fc3358c}\{97B71194-D32A-4581-BA67-20F7257FE848}
Device Object 86497750
MAC Address 00-87-41-56-02-9d
STATE
Device PnP Started
Datapath Normal
Media Connected
Power D0
References 3
User Handles 0
Total Resets 0
Pending OID None
Flags 2445b800
↑ NOT_BUS_MASTER, IGNORE_PACKET_QUEUE, IGNORE_REQUEST_QUEUE,
IGNORE_TOKEN_RING_ERRORS, INTERMEDIATE_DRIVER, NDIS_5, DESERIALIZED,
RESOURCES_AVAILABLE, SUPPORTS_MEDIA_SENSE, DOES_LOOPBACK,
MEDIA_CONNECTED
PnPFlags 08019021
↑ PM_SUPPORTED, DEVICE_POWER_ENABLED, HIDDEN, NO_HALT_ON_SUSPEND,
RECEIVED_START, FILTER_IM
BINDINGS
Open List Open Protocol Context _
NDISUIO 849158f0 8663e128 866d67d8
AEGISP 848ea150 8669d428 84964cb0
MORE INFORMATION
→ Driver handlers
→ Power management
→ Wake-on-LAN (WoL) → Packet filter
同样这个也没有什么大问题。既然都是正常的,那么我们可以排除网卡驱动的问题,因为这个在后来,我发现用其他的无线网卡驱动上也会存在这样的现象,那么我们可以确认这并不是个例现象了。
既然上面我们无法确认是什么导致的,也没有好的思路去调试。我们可以换一个思路去想,在WINDOWS的网络层中,有一个TCP/IP协议,这个协议是数据收发的必经之地。那我们可以在这个必经之地下个断点,然后分别比较正常情况下和不正常情况下这个地方有什么变化。下面是我在非正常情况下查看的所有网络协议驱动相关的内容。
kd> !ndiskd.protocol
8672b1a8 - XXXXXX
8654d728 - VMware Accelerated AMD PCNet Adapter
86314ae0 - WAN 微型端口 (IP)
848ec3e8 - Realtek RTL8192CU Wireless LAN 802.11n USB 2.0 Network Adapter
8669d428 - AEGISP
863a7350 - VMware Accelerated AMD PCNet Adapter - 数据包计划程序微型端口
848ea150 - Realtek RTL8192CU Wireless LAN 802.11n USB 2.0 Network Adapter - 数据包计划程序微型端口
86679008 - PACKETDRIVER
8663e128 - NDISUIO
8656b0e0 - VMware Accelerated AMD PCNet Adapter - 数据包计划程序微型端口
849158f0 - Realtek RTL8192CU Wireless LAN 802.11n USB 2.0 Network Adapter - 数据包计划程序微型端口
86443440 - TCPIP_WANARP
864f15a0 - WAN 微型端口 (IP) - 数据包计划程序微型端口
861da560 - TCPIP
867330e0 - VMware Accelerated AMD PCNet Adapter - 数据包计划程序微型端口
86726670 - NDPROXY
8671a520 - 直接并行
866f4290 - 直接并行
86300918 - WAN 微型端口 (L2TP)
8654b428 - WAN 微型端口 (L2TP)
8669e538 - PSCHED
86639618 - VMware Accelerated AMD PCNet Adapter - XXXXXXXX
848caa18 - WAN 微型端口 (IP) - XXXXX
84944220 - Realtek RTL8192CU Wireless LAN 802.11n USB 2.0 Network Adapter - XXXXXXXX
86615bb8 - RASPPPOE
863d3898 - NDISWAN
866e11a8 - 直接并行
8643eea0 - WAN 微型端口 (PPTP)
866d3678 - WAN 微型端口 (PPPOE)
866f5840 - WAN 微型端口 (L2TP)
kd> !ndiskd.protocol 861da560
PROTOCOL
TCPIP
Ndis Handle 861da560
Ndis API Version v4.0
Reference Count 2
Flags [No flags set]
BINDINGS
Open Miniport Miniport Name _
867330e0 8649da10 VMware Accelerated AMD PCNet Adapter - 数据包计划程序微型端口
HANDLERS
Protocol Handler Function pointer Symbol (if available)
BindAdapterHandler eed26579 bp tcpip!IPBindAdapter
UnbindAdapterHandler eed3d938 bp tcpip!ARPUnbindAdapter
PnPEventHandler eed23719 bp tcpip!ARPPnPEvent
UnloadHandler 0
OpenAdapterCompleteHandler eed3d3ce bp tcpip!ARPOAComplete
CloseAdapterCompleteHandler eed3d3ed bp tcpip!ARPCAComplete
SendCompleteHandler eed127f0 bp tcpip!ARPSendComplete
TransferDataCompleteHandler eed3d40c bp tcpip!ARPTDComplete
ReceiveHandler eed146b5 bp tcpip!ARPRcv
ReceivePacketHandler eed0f800 bp tcpip!ARPRcvPacket
ReceiveCompleteHandler eed0f7f3 bp tcpip!ARPRcvComplete
StatusHandler eed28a83 bp tcpip!ARPStatus
StatusCompleteHandler eed2897b bp tcpip!LoopClose
RequestCompleteHandler eed18b80 bp tcpip!ARPRequestComplete
ResetCompleteHandler eed3d42e bp tcpip!ARPResetComplete
我们在ReceiveHandler和ReceivePacketHandler这两个函数下断,然后随便打开百度。发现并没有断下来,其实没断下来是正常的,因为从上面的协议驱动绑定的情况上来看,TCPIP只绑在了本地的网卡上(也就是VMware Accelerated AMD PCNet Adapter - 数据包计划程序微型端口),我们的无线网卡驱动并没有绑上去。 正因为我们的无线网卡驱动没有被TCPIP协议驱动绑上,导致无线网卡无法上网。至于它无法获取到IP和网关这些信息,是因为当无线网卡连接到一个热点上的时候,它获取的IP地址以及网关之类的信息是通过GetAdaptersInfo去获取的,而这个函数的实现,部份是通过读取注册表上对应网卡的设置的值来设置的,刚好我们的注册表HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces上的值是不正常的,因此我们就看到kd> !ndiskd.protocol
8672b1a8 - XXXXX
86610988 - VMware Accelerated AMD PCNet Adapter
86314ae0 - WAN 微型端口 (IP)
84942ec0 - Realtek RTL8192CU Wireless LAN 802.11n USB 2.0 Network Adapter
8669d428 - AEGISP
862f1ec0 - VMware Accelerated AMD PCNet Adapter - 数据包计划程序微型端口
864a4618 - Realtek RTL8192CU Wireless LAN 802.11n USB 2.0 Network Adapter - 数据包计划程序微型端口
86679008 - PACKETDRIVER
8663e128 - NDISUIO
84949268 - VMware Accelerated AMD PCNet Adapter - 数据包计划程序微型端口
864496f8 - Realtek RTL8192CU Wireless LAN 802.11n USB 2.0 Network Adapter - 数据包计划程序微型端口
86443440 - TCPIP_WANARP
866292c0 - WAN 微型端口 (IP) - 数据包计划程序微型端口
861da560 - TCPIP
848e9b58 - VMware Accelerated AMD PCNet Adapter - 数据包计划程序微型端口
8495faf0 - Realtek RTL8192CU Wireless LAN 802.11n USB 2.0 Network Adapter - 数据包计划程序微型端口 --->good
86726670 - NDPROXY
8671a520 - 直接并行
866f4290 - 直接并行
86300918 - WAN 微型端口 (L2TP)
8654b428 - WAN 微型端口 (L2TP)
8669e538 - PSCHED
848c5300 - VMware Accelerated AMD PCNet Adapter - XXXXX
8654a2c0 - Realtek RTL8192CU Wireless LAN 802.11n USB 2.0 Network Adapter - XXXXX
8668fca8 - WAN 微型端口 (IP) - XXXXX
86615bb8 - RASPPPOE
863d3898 - NDISWAN
866e11a8 - 直接并行
8643eea0 - WAN 微型端口 (PPTP)
866d3678 - WAN 微型端口 (PPPOE)
866f5840 - WAN 微型端口 (L2TP)
你发现了什么没有?对了就是在正常情况下TCP/IP的协议驱动是绑在无线网卡驱动上的。这点我们可以对TCPIP协议驱动的收包函数下断,我们就会发现,当你打开百度的时候,WINDBG就会断下来,说明它正常工作了。[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
|
|
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
