[Help] Kernel APC injection debugging on 2003: rep movsb memory copy error
Posted: 2019-7-5 15:57
While testing kernel APC injection of code into a process on 2003, execution successfully reaches the callback function set up by KeInitializeApc; it then calls ZwAllocateVirtualMemory to allocate memory and uses rep movsb to copy the shellcode across. During the copy, however, a strange error occurs: the first byte of the destination region is changed to CC, while every other byte is identical. The windbg debugging output is as follows:
kd> p
fffffadf`e69652ef f3a4 rep movs byte ptr [rdi],byte ptr [rsi]
kd> r
rax=0000000000000000 rbx=fffffadfd75dea40 rcx=0000000000000600
rdx=fffffadfd75dec01 rsi=fffffadfe6965337 rdi=0000000002050000
rip=fffffadfe69652ef rsp=fffffadfd75de9d0 rbp=fffffadfe6965f90
r8=fffffadfe721cad0 r9=fffffadfe6445928 r10=fffffadfe7520b60
r11=fffffadfe76b6040 r12=fffffadfe6445590 r13=0000000000000001
r14=fffffadfd75dec70 r15=fffff80001000000
iopl=0 nv up ei pl zr na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000246
fffffadf`e69652ef f3a4 rep movs byte ptr [rdi],byte ptr [rsi]
kd> db 0000000002050000
00000000`02050000 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
00000000`02050010 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
00000000`02050020 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
00000000`02050030 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
00000000`02050040 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
00000000`02050050 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
00000000`02050060 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
00000000`02050070 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
kd> db rsi
fffffadf`e6965337 48 92 31 c9 51 51 49 89-c9 4c 8d 05 0d 00 00 00 H.1.QQI..L......
fffffadf`e6965347 89 ca 48 83 ec 20 ff d0-48 83 c4 30 c3 fc 48 83 ..H.. ..H..0..H.
fffffadf`e6965357 e4 f0 e8 cc 00 00 00 41-51 41 50 52 51 56 48 31 .......AQAPRQVH1
fffffadf`e6965367 d2 65 48 8b 52 60 48 8b-52 18 48 8b 52 20 48 8b .eH.R`H.R.H.R H.
fffffadf`e6965377 72 50 48 0f b7 4a 4a 4d-31 c9 48 31 c0 ac 3c 61 rPH..JJM1.H1..<a
fffffadf`e6965387 7c 02 2c 20 41 c1 c9 0d-41 01 c1 e2 ed 52 41 51 |., A...A....RAQ
fffffadf`e6965397 48 8b 52 20 8b 42 3c 48-01 d0 66 81 78 18 0b 02 H.R .B<H..f.x...
fffffadf`e69653a7 0f 85 72 00 00 00 8b 80-88 00 00 00 48 85 c0 74 ..r.........H..t
kd> t
fffffadf`e69652ef f3a4 rep movs byte ptr [rdi],byte ptr [rsi]
kd> db 0000000002050000
00000000`02050000 cc 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
00000000`02050010 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
00000000`02050020 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
00000000`02050030 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
00000000`02050040 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
00000000`02050050 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
00000000`02050060 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
00000000`02050070 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
kd> t
fffffadf`e69652ef f3a4 rep movs byte ptr [rdi],byte ptr [rsi]
kd> db 0000000002050000
00000000`02050000 cc 92 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
00000000`02050010 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
00000000`02050020 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
00000000`02050030 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
00000000`02050040 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
00000000`02050050 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
00000000`02050060 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
00000000`02050070 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
kd> p
fffffadf`e69652f1 488b45f0 mov rax,qword ptr [rbp-10h]
kd> db 0000000002050000
00000000`02050000 cc 92 31 c9 51 51 49 89-c9 4c 8d 05 0d 00 00 00 ..1.QQI..L......
00000000`02050010 89 ca 48 83 ec 20 ff d0-48 83 c4 30 c3 fc 48 83 ..H.. ..H..0..H.
00000000`02050020 e4 f0 e8 cc 00 00 00 41-51 41 50 52 51 56 48 31 .......AQAPRQVH1
00000000`02050030 d2 65 48 8b 52 60 48 8b-52 18 48 8b 52 20 48 8b .eH.R`H.R.H.R H.
00000000`02050040 72 50 48 0f b7 4a 4a 4d-31 c9 48 31 c0 ac 3c 61 rPH..JJM1.H1..<a
00000000`02050050 7c 02 2c 20 41 c1 c9 0d-41 01 c1 e2 ed 52 41 51 |., A...A....RAQ
00000000`02050060 48 8b 52 20 8b 42 3c 48-01 d0 66 81 78 18 0b 02 H.R .B<H..f.x...
00000000`02050070 0f 85 72 00 00 00 8b 80-88 00 00 00 48 85 c0 74 ..r.........H..t
kd> db fffffadf`e6965337
fffffadf`e6965337 48 92 31 c9 51 51 49 89-c9 4c 8d 05 0d 00 00 00 H.1.QQI..L......
fffffadf`e6965347 89 ca 48 83 ec 20 ff d0-48 83 c4 30 c3 fc 48 83 ..H.. ..H..0..H.
fffffadf`e6965357 e4 f0 e8 cc 00 00 00 41-51 41 50 52 51 56 48 31 .......AQAPRQVH1
fffffadf`e6965367 d2 65 48 8b 52 60 48 8b-52 18 48 8b 52 20 48 8b .eH.R`H.R.H.R H.
fffffadf`e6965377 72 50 48 0f b7 4a 4a 4d-31 c9 48 31 c0 ac 3c 61 rPH..JJM1.H1..<a
fffffadf`e6965387 7c 02 2c 20 41 c1 c9 0d-41 01 c1 e2 ed 52 41 51 |., A...A....RAQ
fffffadf`e6965397 48 8b 52 20 8b 42 3c 48-01 d0 66 81 78 18 0b 02 H.R .B<H..f.x...
fffffadf`e69653a7 0f 85 72 00 00 00 8b 80-88 00 00 00 48 85 c0 74 ..r.........H..t
Single-stepping at rep movsb, the first byte is copied incorrectly; after rep movsb completes, only the first byte is wrong. Has anyone seen this before? What is the cause? Many thanks for any help!
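One thing worth ruling out from the dump above, as an added example that is not part of the original post: a software breakpoint is an INT3 (0xCC) byte that the debugger writes into memory, and WinDbg hides the 0xCC bytes it inserted from `db` output, so the source shows 48 92 31 c9 while `rep movsb`, which reads real memory, copies whatever is physically there. The program below models that: a tiny breakpoint table, a `dbg_read` that masks the patch the way the debugger's memory display does, a plain byte copy standing in for `rep movsb`, and the check a driver author would add before copying (verifying the source bytes against a reference checksum). The shellcode bytes are the first 32 bytes from the post's `db rsi` dump; the breakpoint on the first byte, the FNV-1a checksum and the reference value computed at runtime rather than baked in at build time are assumptions of this demo, not anything the post states.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* The first 32 shellcode bytes exactly as `db rsi` shows them in the post. */
static const uint8_t shellcode[32] = {
    0x48,0x92,0x31,0xc9,0x51,0x51,0x49,0x89,0xc9,0x4c,0x8d,0x05,0x0d,0x00,0x00,0x00,
    0x89,0xca,0x48,0x83,0xec,0x20,0xff,0xd0,0x48,0x83,0xc4,0x30,0xc3,0xfc,0x48,0x83
};

#define INT3   0xCC
#define MAX_BP 4

/* Model of a debugger's software-breakpoint table: to set a breakpoint it writes
 * INT3 into memory and remembers the original byte so it can hide the patch. */
typedef struct { uint8_t *addr; uint8_t saved; int active; } bp_t;
static bp_t bp_table[MAX_BP];

/* Set a software breakpoint (what `bp <addr>` does). Returns 0 on success. */
int dbg_set_bp(uint8_t *addr)
{
    for (int i = 0; i < MAX_BP; i++) {
        if (!bp_table[i].active) {
            bp_table[i].addr = addr;
            bp_table[i].saved = *addr;   /* keep the real byte for display and removal */
            bp_table[i].active = 1;
            *addr = INT3;                /* from now on the CPU sees 0xCC here */
            return 0;
        }
    }
    return -1;
}

/* Remove all breakpoints (what `bc *` does), restoring the saved bytes. */
void dbg_clear_bps(void)
{
    for (int i = 0; i < MAX_BP; i++) {
        if (bp_table[i].active) {
            *bp_table[i].addr = bp_table[i].saved;
            bp_table[i].active = 0;
        }
    }
}

/* What `db <addr>` displays: raw memory with the debugger's own INT3 patches masked. */
void dbg_read(const uint8_t *addr, uint8_t *out, size_t n)
{
    memcpy(out, addr, n);
    for (int i = 0; i < MAX_BP; i++) {
        if (bp_table[i].active && bp_table[i].addr >= addr && bp_table[i].addr < addr + n)
            out[bp_table[i].addr - addr] = bp_table[i].saved;
    }
}

/* What `rep movsb` does: a plain byte copy, nothing is masked. */
void cpu_rep_movsb(uint8_t *dst, const uint8_t *src, size_t n)
{
    for (size_t i = 0; i < n; i++) dst[i] = src[i];
}

/* Index of the first byte where a and b differ, or -1 if they are identical. */
long first_mismatch(const uint8_t *a, const uint8_t *b, size_t n)
{
    for (size_t i = 0; i < n; i++) if (a[i] != b[i]) return (long)i;
    return -1;
}

/* FNV-1a over the buffer. A real driver would bake the expected value in at build
 * time; this demo computes it from the reference array (an assumption). */
uint32_t fnv1a(const uint8_t *p, size_t n)
{
    uint32_t h = 0x811c9dc5u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x01000193u; }
    return h;
}

/* Reproduce the post's observation. with_bp != 0 models a breakpoint left on the
 * first shellcode byte. Returns the offset of the first byte that differs between
 * what the debugger shows for the source and what actually lands at the destination. */
long reproduce(int with_bp)
{
    uint8_t src[sizeof shellcode], dst[sizeof shellcode], view[sizeof shellcode];
    memcpy(src, shellcode, sizeof src);      /* the driver's in-memory copy of the shellcode */
    if (with_bp) dbg_set_bp(&src[0]);
    dbg_read(src, view, sizeof view);        /* `db rsi`: shows 48 92 31 c9 ... either way */
    cpu_rep_movsb(dst, src, sizeof dst);     /* the CPU copies the real bytes */
    long off = first_mismatch(view, dst, sizeof dst);
    dbg_clear_bps();
    return off;                              /* 0 with the breakpoint, -1 without */
}

/* The check worth having in the driver: verify the source bytes before copying.
 * Returns 1 if memory matches the reference checksum, 0 if something patched it. */
int source_intact(int with_bp)
{
    uint8_t src[sizeof shellcode];
    memcpy(src, shellcode, sizeof src);
    if (with_bp) dbg_set_bp(&src[0]);
    int ok = fnv1a(src, sizeof src) == fnv1a(shellcode, sizeof shellcode);
    dbg_clear_bps();
    return ok;
}

int main(void)
{
    printf("with breakpoint:    first mismatch at %ld\n", reproduce(1));
    printf("without breakpoint: first mismatch at %ld\n", reproduce(0));
    printf("source intact with bp: %d, without: %d\n", source_intact(1), source_intact(0));
    return 0;
}
```

Note that comparing the destination with the source by memcmp after the copy would not catch this, because both reads go through the CPU and both see 0xCC; only a reference computed when no debugger patch was present (or `bl`/`bc *` in the debugger before the copy) distinguishes the real byte from the breakpoint.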