-
-
[原创]X86内核笔记_3_系统调用
-
发表于: 2021-9-23 20:28
-
API(应用程序编程接口)是微软为开发者提供的一套函数接口,可以用于与系统进行交互、实现一些复杂的功能等。
我们日常在3环写的API如:ReadMemory、CloseHandle、OpenProcess等。其真正的功能实现全部在驱动层,3环中我们使用的只是一个门票,用于通知驱动层我们要实现的功能。而这些API函数从3环的校验代码进入到0环的功能代码的步骤,就称为系统调用。
一些常见的动态链接库如下:
于防来说,了解系统调用可以更好的了解程序流程。对于一些恶意样本,攻击者会将API调用改为直接进入0环的方式,这样对于一些3环的监控工具则无法监控该样本的行为,一些3环的APIHOOK也将失效。同样的,IDA一类的反汇编工具也无法直接查看样本使用了哪些API函数。
于攻来说,了解系统调用可以让你真正知道API函数执行的本质,无论是自实现系统调用、驱动层HOOK或是以服务号调用API,都可以让你的攻击手段很难被安全从业者察觉、分析。而HOOK住驱动层的功能函数,也可以达到另类的驱动通信效果。
由于现在的系统带有PG保护,使得系统调用这个技术点无法被直接利用,现已作为基础知识慢慢的与其他技术相融合。
在MSDN上搜索该函数,发现其所属模块为kernel32.dll,但是当你去追kernel32里的流程,你会发现最终都是执行了一个return 0。这是历史遗留问题,所以不能盲目相信MSDN。
在WIN7镜像中,随便找个程序拖到OD里,Ctrl+G定位至ReadProcessMemory函数。发现该函数已经隶属于KernelBase模块了。且其内部没有什么有用的代码,只调用了ntdll的NtReadVirtualMemory函数。该函数是KernelBase的导入函数。
使用IDA打开ntdll,在导出函数选项卡中搜索NtReadVirtualMemory。
跟过去看一下该函数的实现。发现函数内部仅调用了[7FFE0300]处的函数,同时为eax赋值。
至此,3环绝大部分告一段落。可以发现ReadProcessMemory函数的3环执行流程就是跳来跳去,然后执行一个call [7FFE0300]。接下来我们需要探求7FFE0300里面存的是什么。
在继续分析之前,我们需要补充一个知识点:_KUSER_SHARED_DATA。这是一个3环与0环共享的结构体。
在3环,它的地址为7ffe0000,具备只读权限。在0环,它的地址为ffdf0000,具备读写权限。这两个地址指向同一个物理页,只是访问权限不同。该结构会在操作系统启动时由操作系统自己填充。
结构体信息如下:
其中偏移0x300处的成员为SystemCall,该成员指明了当发生系统调用时,3环进入0环走哪个函数,该成员就存储对应函数的地址。
由于现在的处理器均支持快速调用(sysenter指令),而旧处理器不支持,所以此处存储的函数地址有两种情况。后文仅演示快速调用。(中断门(0x2E)进0环已经在历史的长河中被替代了,有兴趣的可以了解下。)
为了查看7FFE0300的值,我们需要借助windbg动态调试。
在windbg中输入 !process 0 0遍历所有进程,随便附加其中一个即可。
输入 dt _KUSER_SHARED_DATA 7FFE0000查看该结构体的成员信息。可以发现偏移0x300处存储的值为0x77a470b0。
使用命令 u 77a470b0 查看该地址的函数。可以看到windbg帮我们识别出来是ntdll模块中的KiFastSystemCall函数。回到IDA中,定位至该函数,观察函数执行流程。
可以发现该函数只有两行代码:mov edx,esp sysenter。 sysenter将会进入0环。
在保护模式章节中,我们知道3环进0环必备的几个条件:
在旧CPU中,使用中断门(0x2E)进行系统调用,需要查询TSS来获取这几个寄存器的值。内存查询是很慢的。
而sysenter指令将会直接从MSR寄存器中读取并写入至CS、SS、EIP、ESP中,速度很快,因此称为快速调用。
MSR寄存器很大,存了很多的数据。
在偏移0x174处,存储着系统调用时0环的CS。
在偏移0x175处,存储着系统调用时0环的ESP。
在偏移0x176处,存储着系统调用时0环的EIP。
SS的值通过CS+8得到(具体原因参考保护模式章节,CS与SS的段描述符是相邻的)。
通过指令RDMSR/WRMSR可以对MSR寄存器进行读写。
在windbg中查看CS ESP EIP的值:
在windbg中输入命令 u 83e420c0查看这个函数
可以得知当我们在3环调用sysenter指令时,将会执行内核模块(ntoskrnl、ntkrnlpa)中的KiFastCallEntry函数
当发生系统调用时,若CPU支持快速调用,则走KiFastSystemCall函数,内部执行sysenter指令。并在0环执行KiFastCallEntry函数。同时携带了edx(3环堆栈)、eax(系统调用号)
以下结构体均在内核空间,3环无法直接访问
在进入0环时,该结构体用于保存3环寄存器。由windows进行维护。
结构体成员:
在3环时,FS指向TEB结构。在0环时,FS指向KPCR结构。该结构体用于描述对应的CPU的状态。(一核对应一个KPCR)
windbg中输入 dd KeNumberProcessor 查看核数
windbg中输入 dd KiProcessorBlock LXXX 查看每个核的KPCR结构地址。
结构体成员:
结构体成员:
线程结构体,每一个线程都有一个线程结构体,用于描述对应线程的各种属性。
结构体成员:
Ethread的子结构体,里面的成员相对于Ethread更重要。
结构体成员:
分析该函数需要时刻对照上文的几个结构体,否则无法理解函数在做什么。
函数内部首先填充DS ES FS寄存器,并切换堆栈。(由于MSR寄存器所有核共享一个,为了防止互相影响,又从各自的TSS中拿了单独的ESP0 )
然后填充TrapFrame结构,该结构存储在0环堆栈中,通过push依次进行成员的填充。
起始位置为HardwareSegSs,V86那四个寄存器是虚拟8086模式用的,所以直接省略了。
继续填充TrapFrame结构体的其余成员。
填充好后将TrapFrame结构的首地址赋值给Kthread中的TrapFrame成员。
在上文3环分析部分,可以看到ReadPrcMem函数仅调用了sysenter,并没有直接调用内核的某个对应函数。其真正调用的功能函数的地址,将通过查找系统服务表的方式得到。而3环传入的eax则是这个系统服务表的索引,也叫系统调用号。
系统服务表的宏观架构(系统服务表地址存储在Kthread+E0处):
3环在调用sysenter之前往eax中存的值决定了要调用哪个函数。
系统调用号仅低13位起作用,结构如下:
下标为12的位(第13位)如果为0,则查第一张系统服务表,为1则查第二张。
低12位(0~11)就是函数地址表和函数参数表的索引。
首先拆分系统调用号,找到系统服务表地址,取出索引。
获取函数地址、函数参数个数,复制参数至0环堆栈,并做第一次权限判断(3环堆栈地址判断)。
再次判断3环cs权限,通过后调用最终的功能函数。
上文通过Kthread+BC去得到了系统服务表地址。Windows中提供了一个导出的全局变量SystemServicesDescriptorTable。也叫SSDT。这个全局变量存储了系统服务表的地址,但仅存储了第一张表的地址。
在windbg中输入命令 dd KeServiceDescriptorTable查看该全局变量。可以发现只有一张表(16个字节)。第二张表全部为空。
内核中还有一个全局变量称为SSDT Shadow,该变量未导出,但可以查看所有的系统服务表。
在windbg中输入命令 dd KeServiceDescriptorTableShadow查看该全局变量。可以看到所有的系统服务表。
接近上文call ebx后,首先检查IRQL及线程挂靠相关信息。
然后检查ETW日志是否需要记录。并为Kthread->TrapFrame成员赋值。可用于恢复旧TrapFrame或蓝屏时进行堆栈回溯。
随后判断是否虚拟8086模式和之前的特权级。并相应的执行性能统计。
如果有APC需要处理则处理APC。(仅先前模式为用户模式时才会处理,APC知识后续章节学习。)
恢复异常链表及调试寄存器(如果为调试模式的话)。
进行一万个感觉没卵用的判断
最后恢复各种寄存器,并以iret方式返回3环。
返回的代码真正有用的就是恢复寄存器的几行,其余全是在做先前模式相关的判断。其中穿插了一个处理APC的逻辑。
当有APC需要处理时,会以另一套流程返回3环,由于目前不具备APC知识,暂不做分析。
整体分析流程皆以 先前模式为用户级别 为前提去分析,可以看到判断还是很多的,甚至考虑了其他非正常cs的情况。
SSDT HOOK代码不算难,个人觉得比Inline HOOK简单的多。
还挺好玩的,简单的保护了DbgView进程。
Kernel32.dll : 最核心的功能模块,如内存管理,进程线程相关函数等。User32.dll : 用户界面相关的函数。GDI32.dll : 图形设备接口,用于绘制和显示文本等。Ntdll.dll : 大多数API都会通过这个dll进入0环。
Kernel32.dll : 最核心的功能模块,如内存管理,进程线程相关函数等。User32.dll : 用户界面相关的函数。GDI32.dll : 图形设备接口,用于绘制和显示文本等。Ntdll.dll : 大多数API都会通过这个dll进入0环。
//0x5f0 bytes (sizeof)
struct _KUSER_SHARED_DATA{ ULONG TickCountLowDeprecated; //0x0
ULONG TickCountMultiplier; //0x4
volatile struct _KSYSTEM_TIME InterruptTime; //0x8
volatile struct _KSYSTEM_TIME SystemTime; //0x14
volatile struct _KSYSTEM_TIME TimeZoneBias; //0x20
USHORT ImageNumberLow; //0x2c
USHORT ImageNumberHigh; //0x2e
WCHAR NtSystemRoot[260]; //0x30
ULONG MaxStackTraceDepth; //0x238
ULONG CryptoExponent; //0x23c
ULONG TimeZoneId; //0x240
ULONG LargePageMinimum; //0x244
ULONG Reserved2[7]; //0x248
enum _NT_PRODUCT_TYPE NtProductType; //0x264
UCHAR ProductTypeIsValid; //0x268
ULONG NtMajorVersion; //0x26c
ULONG NtMinorVersion; //0x270
UCHAR ProcessorFeatures[64]; //0x274
ULONG Reserved1; //0x2b4
ULONG Reserved3; //0x2b8
volatile ULONG TimeSlip; //0x2bc
enum _ALTERNATIVE_ARCHITECTURE_TYPE AlternativeArchitecture; //0x2c0
ULONG AltArchitecturePad[1]; //0x2c4
union _LARGE_INTEGER SystemExpirationDate; //0x2c8
ULONG SuiteMask; //0x2d0
UCHAR KdDebuggerEnabled; //0x2d4
UCHAR NXSupportPolicy; //0x2d5
volatile ULONG ActiveConsoleId; //0x2d8
volatile ULONG DismountCount; //0x2dc
ULONG ComPlusPackage; //0x2e0
ULONG LastSystemRITEventTickCount; //0x2e4
ULONG NumberOfPhysicalPages; //0x2e8
UCHAR SafeBootMode; //0x2ec
union
{
UCHAR TscQpcData; //0x2ed
struct
{
UCHAR TscQpcEnabled:1; //0x2ed
UCHAR TscQpcSpareFlag:1; //0x2ed
UCHAR TscQpcShift:6; //0x2ed
};
};
UCHAR TscQpcPad[2]; //0x2ee
union
{
ULONG SharedDataFlags; //0x2f0
struct
{
ULONG DbgErrorPortPresent:1; //0x2f0
ULONG DbgElevationEnabled:1; //0x2f0
ULONG DbgVirtEnabled:1; //0x2f0
ULONG DbgInstallerDetectEnabled:1; //0x2f0
ULONG DbgSystemDllRelocated:1; //0x2f0
ULONG DbgDynProcessorEnabled:1; //0x2f0
ULONG DbgSEHValidationEnabled:1; //0x2f0
ULONG SpareBits:25; //0x2f0
};
};
ULONG DataFlagsPad[1]; //0x2f4
ULONGLONG TestRetInstruction; //0x2f8
ULONG SystemCall; //0x300
ULONG SystemCallReturn; //0x304
ULONGLONG SystemCallPad[3]; //0x308
union
{
volatile struct _KSYSTEM_TIME TickCount; //0x320
volatile ULONGLONG TickCountQuad; //0x320
ULONG ReservedTickCountOverlay[3]; //0x320
};
ULONG TickCountPad[1]; //0x32c
ULONG Cookie; //0x330
ULONG CookiePad[1]; //0x334
LONGLONG ConsoleSessionForegroundProcessId; //0x338
ULONG Wow64SharedInformation[16]; //0x340
USHORT UserModeGlobalLogger[16]; //0x380
ULONG ImageFileExecutionOptions; //0x3a0
ULONG LangGenerationCount; //0x3a4
ULONGLONG Reserved5; //0x3a8
volatile ULONGLONG InterruptTimeBias; //0x3b0
volatile ULONGLONG TscQpcBias; //0x3b8
volatile ULONG ActiveProcessorCount; //0x3c0
volatile USHORT ActiveGroupCount; //0x3c4
USHORT Reserved4; //0x3c6
volatile ULONG AitSamplingValue; //0x3c8
volatile ULONG AppCompatFlag; //0x3cc
ULONGLONG SystemDllNativeRelocation; //0x3d0
ULONG SystemDllWowRelocation; //0x3d8
ULONG XStatePad[1]; //0x3dc
struct _XSTATE_CONFIGURATION XState; //0x3e0
};//0x5f0 bytes (sizeof)
struct _KUSER_SHARED_DATA{ ULONG TickCountLowDeprecated; //0x0
ULONG TickCountMultiplier; //0x4
volatile struct _KSYSTEM_TIME InterruptTime; //0x8
volatile struct _KSYSTEM_TIME SystemTime; //0x14
volatile struct _KSYSTEM_TIME TimeZoneBias; //0x20
USHORT ImageNumberLow; //0x2c
USHORT ImageNumberHigh; //0x2e
WCHAR NtSystemRoot[260]; //0x30
ULONG MaxStackTraceDepth; //0x238
ULONG CryptoExponent; //0x23c
ULONG TimeZoneId; //0x240
ULONG LargePageMinimum; //0x244
ULONG Reserved2[7]; //0x248
enum _NT_PRODUCT_TYPE NtProductType; //0x264
UCHAR ProductTypeIsValid; //0x268
ULONG NtMajorVersion; //0x26c
ULONG NtMinorVersion; //0x270
UCHAR ProcessorFeatures[64]; //0x274
ULONG Reserved1; //0x2b4
ULONG Reserved3; //0x2b8
volatile ULONG TimeSlip; //0x2bc
enum _ALTERNATIVE_ARCHITECTURE_TYPE AlternativeArchitecture; //0x2c0
ULONG AltArchitecturePad[1]; //0x2c4
union _LARGE_INTEGER SystemExpirationDate; //0x2c8
ULONG SuiteMask; //0x2d0
UCHAR KdDebuggerEnabled; //0x2d4
UCHAR NXSupportPolicy; //0x2d5
volatile ULONG ActiveConsoleId; //0x2d8
volatile ULONG DismountCount; //0x2dc
ULONG ComPlusPackage; //0x2e0
ULONG LastSystemRITEventTickCount; //0x2e4
ULONG NumberOfPhysicalPages; //0x2e8
UCHAR SafeBootMode; //0x2ec
union
{
UCHAR TscQpcData; //0x2ed
struct
{
UCHAR TscQpcEnabled:1; //0x2ed
UCHAR TscQpcSpareFlag:1; //0x2ed
UCHAR TscQpcShift:6; //0x2ed
};
};
UCHAR TscQpcPad[2]; //0x2ee
union
{
ULONG SharedDataFlags; //0x2f0
struct
{
ULONG DbgErrorPortPresent:1; //0x2f0
ULONG DbgElevationEnabled:1; //0x2f0
ULONG DbgVirtEnabled:1; //0x2f0
ULONG DbgInstallerDetectEnabled:1; //0x2f0
ULONG DbgSystemDllRelocated:1; //0x2f0
ULONG DbgDynProcessorEnabled:1; //0x2f0
ULONG DbgSEHValidationEnabled:1; //0x2f0
ULONG SpareBits:25; //0x2f0
};
};
ULONG DataFlagsPad[1]; //0x2f4
ULONGLONG TestRetInstruction; //0x2f8
ULONG SystemCall; //0x300
ULONG SystemCallReturn; //0x304
ULONGLONG SystemCallPad[3]; //0x308
union
{
volatile struct _KSYSTEM_TIME TickCount; //0x320
volatile ULONGLONG TickCountQuad; //0x320
ULONG ReservedTickCountOverlay[3]; //0x320
};
ULONG TickCountPad[1]; //0x32c
ULONG Cookie; //0x330
ULONG CookiePad[1]; //0x334
LONGLONG ConsoleSessionForegroundProcessId; //0x338
ULONG Wow64SharedInformation[16]; //0x340
USHORT UserModeGlobalLogger[16]; //0x380
ULONG ImageFileExecutionOptions; //0x3a0
ULONG LangGenerationCount; //0x3a4
ULONGLONG Reserved5; //0x3a8
volatile ULONGLONG InterruptTimeBias; //0x3b0
volatile ULONGLONG TscQpcBias; //0x3b8
volatile ULONG ActiveProcessorCount; //0x3c0
volatile USHORT ActiveGroupCount; //0x3c4
USHORT Reserved4; //0x3c6
volatile ULONG AitSamplingValue; //0x3c8
volatile ULONG AppCompatFlag; //0x3cc
ULONGLONG SystemDllNativeRelocation; //0x3d0
ULONG SystemDllWowRelocation; //0x3d8
ULONG XStatePad[1]; //0x3dc
struct _XSTATE_CONFIGURATION XState; //0x3e0
};//0x8c bytes (sizeof)
struct _KTRAP_FRAME{ ULONG DbgEbp; //0x0
ULONG DbgEip; //0x4
ULONG DbgArgMark; //0x8
ULONG DbgArgPointer; //0xc
USHORT TempSegCs; //0x10
UCHAR Logging; //0x12
UCHAR Reserved; //0x13
ULONG TempEsp; //0x14
ULONG Dr0; //0x18
ULONG Dr1; //0x1c
ULONG Dr2; //0x20
ULONG Dr3; //0x24
ULONG Dr6; //0x28
ULONG Dr7; //0x2c
ULONG SegGs; //0x30
ULONG SegEs; //0x34
ULONG SegDs; //0x38
ULONG Edx; //0x3c
ULONG Ecx; //0x40
ULONG Eax; //0x44
ULONG PreviousPreviousMode; //0x48
struct _EXCEPTION_REGISTRATION_RECORD* ExceptionList; //0x4c
ULONG SegFs; //0x50
ULONG Edi; //0x54
ULONG Esi; //0x58
ULONG Ebx; //0x5c
ULONG Ebp; //0x60
ULONG ErrCode; //0x64
ULONG Eip; //0x68
ULONG SegCs; //0x6c
ULONG EFlags; //0x70
ULONG HardwareEsp; //0x74
ULONG HardwareSegSs; //0x78
ULONG V86Es; //0x7c
ULONG V86Ds; //0x80
ULONG V86Fs; //0x84
ULONG V86Gs; //0x88
};//0x8c bytes (sizeof)
struct _KTRAP_FRAME{ ULONG DbgEbp; //0x0
ULONG DbgEip; //0x4
ULONG DbgArgMark; //0x8
ULONG DbgArgPointer; //0xc
USHORT TempSegCs; //0x10
UCHAR Logging; //0x12
UCHAR Reserved; //0x13
ULONG TempEsp; //0x14
ULONG Dr0; //0x18
ULONG Dr1; //0x1c
ULONG Dr2; //0x20
ULONG Dr3; //0x24
ULONG Dr6; //0x28
ULONG Dr7; //0x2c
ULONG SegGs; //0x30
ULONG SegEs; //0x34
ULONG SegDs; //0x38
ULONG Edx; //0x3c
ULONG Ecx; //0x40
ULONG Eax; //0x44
ULONG PreviousPreviousMode; //0x48
struct _EXCEPTION_REGISTRATION_RECORD* ExceptionList; //0x4c
ULONG SegFs; //0x50
ULONG Edi; //0x54
ULONG Esi; //0x58
ULONG Ebx; //0x5c
ULONG Ebp; //0x60
ULONG ErrCode; //0x64
ULONG Eip; //0x68
ULONG SegCs; //0x6c
ULONG EFlags; //0x70
ULONG HardwareEsp; //0x74
ULONG HardwareSegSs; //0x78
ULONG V86Es; //0x7c
ULONG V86Ds; //0x80
ULONG V86Fs; //0x84
ULONG V86Gs; //0x88
};//0x3748 bytes (sizeof)
struct _KPCR{ union
{
struct _NT_TIB NtTib; //0x0
struct
{
struct _EXCEPTION_REGISTRATION_RECORD* Used_ExceptionList; //0x0
VOID* Used_StackBase; //0x4
VOID* Spare2; //0x8
VOID* TssCopy; //0xc
ULONG ContextSwitches; //0x10
ULONG SetMemberCopy; //0x14
VOID* Used_Self; //0x18
};
};
struct _KPCR* SelfPcr; //0x1c
struct _KPRCB* Prcb; //0x20
UCHAR Irql; //0x24
ULONG IRR; //0x28
ULONG IrrActive; //0x2c
ULONG IDR; //0x30
VOID* KdVersionBlock; //0x34
struct _KIDTENTRY* IDT; //0x38
struct _KGDTENTRY* GDT; //0x3c
struct _KTSS* TSS; //0x40
USHORT MajorVersion; //0x44
USHORT MinorVersion; //0x46
ULONG SetMember; //0x48
ULONG StallScaleFactor; //0x4c
UCHAR SpareUnused; //0x50
UCHAR Number; //0x51
UCHAR Spare0; //0x52
UCHAR SecondLevelCacheAssociativity; //0x53
ULONG VdmAlert; //0x54
ULONG KernelReserved[14]; //0x58
ULONG SecondLevelCacheSize; //0x90
ULONG HalReserved[16]; //0x94
ULONG InterruptMode; //0xd4
UCHAR Spare1; //0xd8
ULONG KernelReserved2[17]; //0xdc
struct _KPRCB PrcbData; //0x120
};//0x3748 bytes (sizeof)
struct _KPCR{ union
{
struct _NT_TIB NtTib; //0x0
struct
{
struct _EXCEPTION_REGISTRATION_RECORD* Used_ExceptionList; //0x0
VOID* Used_StackBase; //0x4
VOID* Spare2; //0x8
VOID* TssCopy; //0xc
ULONG ContextSwitches; //0x10
ULONG SetMemberCopy; //0x14
VOID* Used_Self; //0x18
};
};
struct _KPCR* SelfPcr; //0x1c
struct _KPRCB* Prcb; //0x20
UCHAR Irql; //0x24
ULONG IRR; //0x28
ULONG IrrActive; //0x2c
ULONG IDR; //0x30
VOID* KdVersionBlock; //0x34
struct _KIDTENTRY* IDT; //0x38
struct _KGDTENTRY* GDT; //0x3c
struct _KTSS* TSS; //0x40
USHORT MajorVersion; //0x44
USHORT MinorVersion; //0x46
ULONG SetMember; //0x48
ULONG StallScaleFactor; //0x4c
UCHAR SpareUnused; //0x50
UCHAR Number; //0x51
UCHAR Spare0; //0x52
UCHAR SecondLevelCacheAssociativity; //0x53
ULONG VdmAlert; //0x54
ULONG KernelReserved[14]; //0x58
ULONG SecondLevelCacheSize; //0x90
ULONG HalReserved[16]; //0x94
ULONG InterruptMode; //0xd4
UCHAR Spare1; //0xd8
ULONG KernelReserved2[17]; //0xdc
struct _KPRCB PrcbData; //0x120
};//0x3628 bytes (sizeof)
struct _KPRCB{ USHORT MinorVersion; //0x0
USHORT MajorVersion; //0x2
struct _KTHREAD* CurrentThread; //0x4
struct _KTHREAD* NextThread; //0x8
struct _KTHREAD* IdleThread; //0xc
UCHAR LegacyNumber; //0x10
UCHAR NestingLevel; //0x11
USHORT BuildType; //0x12
CHAR CpuType; //0x14
CHAR CpuID; //0x15
union
{
USHORT CpuStep; //0x16
struct
{
UCHAR CpuStepping; //0x16
UCHAR CpuModel; //0x17
};
};
struct _KPROCESSOR_STATE ProcessorState; //0x18
ULONG KernelReserved[16]; //0x338
ULONG HalReserved[16]; //0x378
ULONG CFlushSize; //0x3b8
UCHAR CoresPerPhysicalProcessor; //0x3bc
UCHAR LogicalProcessorsPerCore; //0x3bd
UCHAR PrcbPad0[2]; //0x3be
ULONG MHz; //0x3c0
UCHAR CpuVendor; //0x3c4
UCHAR GroupIndex; //0x3c5
USHORT Group; //0x3c6
ULONG GroupSetMember; //0x3c8
ULONG Number; //0x3cc
UCHAR PrcbPad1[72]; //0x3d0
struct _KSPIN_LOCK_QUEUE LockQueue[17]; //0x418
struct _KTHREAD* NpxThread; //0x4a0
ULONG InterruptCount; //0x4a4
ULONG KernelTime; //0x4a8
ULONG UserTime; //0x4ac
ULONG DpcTime; //0x4b0
ULONG DpcTimeCount; //0x4b4
ULONG InterruptTime; //0x4b8
ULONG AdjustDpcThreshold; //0x4bc
ULONG PageColor; //0x4c0
UCHAR DebuggerSavedIRQL; //0x4c4
UCHAR NodeColor; //0x4c5
UCHAR PrcbPad20[2]; //0x4c6
ULONG NodeShiftedColor; //0x4c8
struct _KNODE* ParentNode; //0x4cc
ULONG SecondaryColorMask; //0x4d0
ULONG DpcTimeLimit; //0x4d4
ULONG PrcbPad21[2]; //0x4d8
ULONG CcFastReadNoWait; //0x4e0
ULONG CcFastReadWait; //0x4e4
ULONG CcFastReadNotPossible; //0x4e8
ULONG CcCopyReadNoWait; //0x4ec
ULONG CcCopyReadWait; //0x4f0
ULONG CcCopyReadNoWaitMiss; //0x4f4
volatile LONG MmSpinLockOrdering; //0x4f8
volatile LONG IoReadOperationCount; //0x4fc
volatile LONG IoWriteOperationCount; //0x500
volatile LONG IoOtherOperationCount; //0x504
union _LARGE_INTEGER IoReadTransferCount; //0x508
union _LARGE_INTEGER IoWriteTransferCount; //0x510
union _LARGE_INTEGER IoOtherTransferCount; //0x518
ULONG CcFastMdlReadNoWait; //0x520
ULONG CcFastMdlReadWait; //0x524
ULONG CcFastMdlReadNotPossible; //0x528
ULONG CcMapDataNoWait; //0x52c
ULONG CcMapDataWait; //0x530
ULONG CcPinMappedDataCount; //0x534
ULONG CcPinReadNoWait; //0x538
ULONG CcPinReadWait; //0x53c
ULONG CcMdlReadNoWait; //0x540
ULONG CcMdlReadWait; //0x544
ULONG CcLazyWriteHotSpots; //0x548
ULONG CcLazyWriteIos; //0x54c
ULONG CcLazyWritePages; //0x550
ULONG CcDataFlushes; //0x554
ULONG CcDataPages; //0x558
ULONG CcLostDelayedWrites; //0x55c
ULONG CcFastReadResourceMiss; //0x560
ULONG CcCopyReadWaitMiss; //0x564
ULONG CcFastMdlReadResourceMiss; //0x568
ULONG CcMapDataNoWaitMiss; //0x56c
ULONG CcMapDataWaitMiss; //0x570
ULONG CcPinReadNoWaitMiss; //0x574
ULONG CcPinReadWaitMiss; //0x578
ULONG CcMdlReadNoWaitMiss; //0x57c
ULONG CcMdlReadWaitMiss; //0x580
ULONG CcReadAheadIos; //0x584
ULONG KeAlignmentFixupCount; //0x588
ULONG KeExceptionDispatchCount; //0x58c
ULONG KeSystemCalls; //0x590
ULONG AvailableTime; //0x594
ULONG PrcbPad22[2]; //0x598
struct _PP_LOOKASIDE_LIST PPLookasideList[16]; //0x5a0
struct _GENERAL_LOOKASIDE_POOL PPNPagedLookasideList[32]; //0x620
struct _GENERAL_LOOKASIDE_POOL PPPagedLookasideList[32]; //0xf20
volatile ULONG PacketBarrier; //0x1820
volatile LONG ReverseStall; //0x1824
VOID* IpiFrame; //0x1828
UCHAR PrcbPad3[52]; //0x182c
VOID* volatile CurrentPacket[3]; //0x1860
volatile ULONG TargetSet; //0x186c
VOID (* volatileWorkerRoutine)(VOID* arg1, VOID* arg2, VOID* arg3, VOID* arg4); //0x1870
volatile ULONG IpiFrozen; //0x1874
UCHAR PrcbPad4[40]; //0x1878
volatile ULONG RequestSummary; //0x18a0
struct _KPRCB* volatile SignalDone; //0x18a4
UCHAR PrcbPad50[56]; //0x18a8
struct _KDPC_DATA DpcData[2]; //0x18e0
VOID* DpcStack; //0x1908
LONG MaximumDpcQueueDepth; //0x190c
ULONG DpcRequestRate; //0x1910
ULONG MinimumDpcRate; //0x1914
ULONG DpcLastCount; //0x1918
ULONG PrcbLock; //0x191c
struct _KGATE DpcGate; //0x1920
UCHAR ThreadDpcEnable; //0x1930
volatile UCHAR QuantumEnd; //0x1931
volatile UCHAR DpcRoutineActive; //0x1932
volatile UCHAR IdleSchedule; //0x1933
union
{
volatile LONG DpcRequestSummary; //0x1934
SHORT DpcRequestSlot[2]; //0x1934
struct
{
SHORT NormalDpcState; //0x1934
union
{
volatile USHORT DpcThreadActive:1; //0x1936
SHORT ThreadDpcState; //0x1936
};
};
};
volatile ULONG TimerHand; //0x1938
ULONG LastTick; //0x193c
LONG MasterOffset; //0x1940
ULONG PrcbPad41[2]; //0x1944
ULONG PeriodicCount; //0x194c
ULONG PeriodicBias; //0x1950
ULONGLONG TickOffset; //0x1958
struct _KTIMER_TABLE TimerTable; //0x1960
struct _KDPC CallDpc; //0x31a0
LONG ClockKeepAlive; //0x31c0
UCHAR ClockCheckSlot; //0x31c4
UCHAR ClockPollCycle; //0x31c5
UCHAR PrcbPad6[2]; //0x31c6
LONG DpcWatchdogPeriod; //0x31c8
LONG DpcWatchdogCount; //0x31cc
LONG ThreadWatchdogPeriod; //0x31d0
LONG ThreadWatchdogCount; //0x31d4
volatile LONG KeSpinLockOrdering; //0x31d8
ULONG PrcbPad70[1]; //0x31dc
struct _LIST_ENTRY WaitListHead; //0x31e0
ULONG WaitLock; //0x31e8
ULONG ReadySummary; //0x31ec
ULONG QueueIndex; //0x31f0
struct _SINGLE_LIST_ENTRY DeferredReadyListHead; //0x31f4
ULONGLONG StartCycles; //0x31f8
volatile ULONGLONG CycleTime; //0x3200
volatile ULONG HighCycleTime; //0x3208
ULONG PrcbPad71; //0x320c
ULONGLONG PrcbPad72[2]; //0x3210
struct _LIST_ENTRY DispatcherReadyListHead[32]; //0x3220
VOID* ChainedInterruptList; //0x3320
LONG LookasideIrpFloat; //0x3324
volatile LONG MmPageFaultCount; //0x3328
volatile LONG MmCopyOnWriteCount; //0x332c
volatile LONG MmTransitionCount; //0x3330
volatile LONG MmCacheTransitionCount; //0x3334
volatile LONG MmDemandZeroCount; //0x3338
volatile LONG MmPageReadCount; //0x333c
volatile LONG MmPageReadIoCount; //0x3340
volatile LONG MmCacheReadCount; //0x3344
volatile LONG MmCacheIoCount; //0x3348
volatile LONG MmDirtyPagesWriteCount; //0x334c
volatile LONG MmDirtyWriteIoCount; //0x3350
volatile LONG MmMappedPagesWriteCount; //0x3354
volatile LONG MmMappedWriteIoCount; //0x3358
volatile ULONG CachedCommit; //0x335c
volatile ULONG CachedResidentAvailable; //0x3360
VOID* HyperPte; //0x3364
UCHAR PrcbPad8[4]; //0x3368
UCHAR VendorString[13]; //0x336c
UCHAR InitialApicId; //0x3379
UCHAR LogicalProcessorsPerPhysicalProcessor; //0x337a
UCHAR PrcbPad9[5]; //0x337b
ULONG FeatureBits; //0x3380
union _LARGE_INTEGER UpdateSignature; //0x3388
volatile ULONGLONG IsrTime; //0x3390
ULONGLONG RuntimeAccumulation; //0x3398
struct _PROCESSOR_POWER_STATE PowerState; //0x33a0
struct _KDPC DpcWatchdogDpc; //0x3468
struct _KTIMER DpcWatchdogTimer; //0x3488
VOID* WheaInfo; //0x34b0
VOID* EtwSupport; //0x34b4
union _SLIST_HEADER InterruptObjectPool; //0x34b8
union _SLIST_HEADER HypercallPageList; //0x34c0
VOID* HypercallPageVirtual; //0x34c8
VOID* VirtualApicAssist; //0x34cc
ULONGLONG* StatisticsPage; //0x34d0
VOID* RateControl; //0x34d4
struct _CACHE_DESCRIPTOR Cache[5]; //0x34d8
ULONG CacheCount; //0x3514
ULONG CacheProcessorMask[5]; //0x3518
struct _KAFFINITY_EX PackageProcessorSet; //0x352c
ULONG PrcbPad91[1]; //0x3538
ULONG CoreProcessorSet; //0x353c
struct _KDPC TimerExpirationDpc; //0x3540
ULONG SpinLockAcquireCount; //0x3560
ULONG SpinLockContentionCount; //0x3564
ULONG SpinLockSpinCount; //0x3568
ULONG IpiSendRequestBroadcastCount; //0x356c
ULONG IpiSendRequestRoutineCount; //0x3570
ULONG IpiSendSoftwareInterruptCount; //0x3574
ULONG ExInitializeResourceCount; //0x3578
ULONG ExReInitializeResourceCount; //0x357c
ULONG ExDeleteResourceCount; //0x3580
ULONG ExecutiveResourceAcquiresCount; //0x3584
ULONG ExecutiveResourceContentionsCount; //0x3588
ULONG ExecutiveResourceReleaseExclusiveCount; //0x358c
ULONG ExecutiveResourceReleaseSharedCount; //0x3590
ULONG ExecutiveResourceConvertsCount; //0x3594
ULONG ExAcqResExclusiveAttempts; //0x3598
ULONG ExAcqResExclusiveAcquiresExclusive; //0x359c
ULONG ExAcqResExclusiveAcquiresExclusiveRecursive; //0x35a0
ULONG ExAcqResExclusiveWaits; //0x35a4
ULONG ExAcqResExclusiveNotAcquires; //0x35a8
ULONG ExAcqResSharedAttempts; //0x35ac
ULONG ExAcqResSharedAcquiresExclusive; //0x35b0
ULONG ExAcqResSharedAcquiresShared; //0x35b4
ULONG ExAcqResSharedAcquiresSharedRecursive; //0x35b8
ULONG ExAcqResSharedWaits; //0x35bc
ULONG ExAcqResSharedNotAcquires; //0x35c0
ULONG ExAcqResSharedStarveExclusiveAttempts; //0x35c4
ULONG ExAcqResSharedStarveExclusiveAcquiresExclusive; //0x35c8
ULONG ExAcqResSharedStarveExclusiveAcquiresShared; //0x35cc
ULONG ExAcqResSharedStarveExclusiveAcquiresSharedRecursive; //0x35d0
ULONG ExAcqResSharedStarveExclusiveWaits; //0x35d4
ULONG ExAcqResSharedStarveExclusiveNotAcquires; //0x35d8
ULONG ExAcqResSharedWaitForExclusiveAttempts; //0x35dc
ULONG ExAcqResSharedWaitForExclusiveAcquiresExclusive; //0x35e0
ULONG ExAcqResSharedWaitForExclusiveAcquiresShared; //0x35e4
ULONG ExAcqResSharedWaitForExclusiveAcquiresSharedRecursive; //0x35e8
ULONG ExAcqResSharedWaitForExclusiveWaits; //0x35ec
ULONG ExAcqResSharedWaitForExclusiveNotAcquires; //0x35f0
ULONG ExSetResOwnerPointerExclusive; //0x35f4
ULONG ExSetResOwnerPointerSharedNew; //0x35f8
ULONG ExSetResOwnerPointerSharedOld; //0x35fc
ULONG ExTryToAcqExclusiveAttempts; //0x3600
ULONG ExTryToAcqExclusiveAcquires; //0x3604
ULONG ExBoostExclusiveOwner; //0x3608
ULONG ExBoostSharedOwners; //0x360c
ULONG ExEtwSynchTrackingNotificationsCount; //0x3610
ULONG ExEtwSynchTrackingNotificationsAccountedCount; //0x3614
struct _CONTEXT* Context; //0x3618
ULONG ContextFlags; //0x361c
struct _XSAVE_AREA* ExtendedState; //0x3620
};//0x3628 bytes (sizeof)
struct _KPRCB{ USHORT MinorVersion; //0x0
USHORT MajorVersion; //0x2
struct _KTHREAD* CurrentThread; //0x4
struct _KTHREAD* NextThread; //0x8
struct _KTHREAD* IdleThread; //0xc
UCHAR LegacyNumber; //0x10
UCHAR NestingLevel; //0x11
USHORT BuildType; //0x12
CHAR CpuType; //0x14
CHAR CpuID; //0x15
union
{
USHORT CpuStep; //0x16
struct
{
UCHAR CpuStepping; //0x16
UCHAR CpuModel; //0x17
};
};
struct _KPROCESSOR_STATE ProcessorState; //0x18
ULONG KernelReserved[16]; //0x338
ULONG HalReserved[16]; //0x378
ULONG CFlushSize; //0x3b8
UCHAR CoresPerPhysicalProcessor; //0x3bc
UCHAR LogicalProcessorsPerCore; //0x3bd
UCHAR PrcbPad0[2]; //0x3be
ULONG MHz; //0x3c0
UCHAR CpuVendor; //0x3c4
UCHAR GroupIndex; //0x3c5
USHORT Group; //0x3c6
ULONG GroupSetMember; //0x3c8
ULONG Number; //0x3cc
UCHAR PrcbPad1[72]; //0x3d0
struct _KSPIN_LOCK_QUEUE LockQueue[17]; //0x418
struct _KTHREAD* NpxThread; //0x4a0
ULONG InterruptCount; //0x4a4
ULONG KernelTime; //0x4a8
ULONG UserTime; //0x4ac
ULONG DpcTime; //0x4b0
ULONG DpcTimeCount; //0x4b4
ULONG InterruptTime; //0x4b8
ULONG AdjustDpcThreshold; //0x4bc
ULONG PageColor; //0x4c0
UCHAR DebuggerSavedIRQL; //0x4c4
UCHAR NodeColor; //0x4c5
UCHAR PrcbPad20[2]; //0x4c6
ULONG NodeShiftedColor; //0x4c8
struct _KNODE* ParentNode; //0x4cc
ULONG SecondaryColorMask; //0x4d0
ULONG DpcTimeLimit; //0x4d4
ULONG PrcbPad21[2]; //0x4d8
ULONG CcFastReadNoWait; //0x4e0
ULONG CcFastReadWait; //0x4e4
ULONG CcFastReadNotPossible; //0x4e8
ULONG CcCopyReadNoWait; //0x4ec
ULONG CcCopyReadWait; //0x4f0
ULONG CcCopyReadNoWaitMiss; //0x4f4
volatile LONG MmSpinLockOrdering; //0x4f8
volatile LONG IoReadOperationCount; //0x4fc
volatile LONG IoWriteOperationCount; //0x500
volatile LONG IoOtherOperationCount; //0x504
union _LARGE_INTEGER IoReadTransferCount; //0x508
union _LARGE_INTEGER IoWriteTransferCount; //0x510
union _LARGE_INTEGER IoOtherTransferCount; //0x518
ULONG CcFastMdlReadNoWait; //0x520
ULONG CcFastMdlReadWait; //0x524
ULONG CcFastMdlReadNotPossible; //0x528
ULONG CcMapDataNoWait; //0x52c
ULONG CcMapDataWait; //0x530
ULONG CcPinMappedDataCount; //0x534
ULONG CcPinReadNoWait; //0x538
ULONG CcPinReadWait; //0x53c
ULONG CcMdlReadNoWait; //0x540
ULONG CcMdlReadWait; //0x544
ULONG CcLazyWriteHotSpots; //0x548
ULONG CcLazyWriteIos; //0x54c
ULONG CcLazyWritePages; //0x550
ULONG CcDataFlushes; //0x554
ULONG CcDataPages; //0x558
ULONG CcLostDelayedWrites; //0x55c
ULONG CcFastReadResourceMiss; //0x560
ULONG CcCopyReadWaitMiss; //0x564
ULONG CcFastMdlReadResourceMiss; //0x568
ULONG CcMapDataNoWaitMiss; //0x56c
ULONG CcMapDataWaitMiss; //0x570
ULONG CcPinReadNoWaitMiss; //0x574
ULONG CcPinReadWaitMiss; //0x578
ULONG CcMdlReadNoWaitMiss; //0x57c
ULONG CcMdlReadWaitMiss; //0x580
ULONG CcReadAheadIos; //0x584
ULONG KeAlignmentFixupCount; //0x588
ULONG KeExceptionDispatchCount; //0x58c
ULONG KeSystemCalls; //0x590
ULONG AvailableTime; //0x594
ULONG PrcbPad22[2]; //0x598
struct _PP_LOOKASIDE_LIST PPLookasideList[16]; //0x5a0
struct _GENERAL_LOOKASIDE_POOL PPNPagedLookasideList[32]; //0x620
struct _GENERAL_LOOKASIDE_POOL PPPagedLookasideList[32]; //0xf20
volatile ULONG PacketBarrier; //0x1820
volatile LONG ReverseStall; //0x1824
VOID* IpiFrame; //0x1828
UCHAR PrcbPad3[52]; //0x182c
VOID* volatile CurrentPacket[3]; //0x1860
volatile ULONG TargetSet; //0x186c
VOID (* volatileWorkerRoutine)(VOID* arg1, VOID* arg2, VOID* arg3, VOID* arg4); //0x1870
volatile ULONG IpiFrozen; //0x1874
UCHAR PrcbPad4[40]; //0x1878
volatile ULONG RequestSummary; //0x18a0
struct _KPRCB* volatile SignalDone; //0x18a4
UCHAR PrcbPad50[56]; //0x18a8
struct _KDPC_DATA DpcData[2]; //0x18e0
VOID* DpcStack; //0x1908
LONG MaximumDpcQueueDepth; //0x190c
ULONG DpcRequestRate; //0x1910
ULONG MinimumDpcRate; //0x1914
ULONG DpcLastCount; //0x1918
ULONG PrcbLock; //0x191c
struct _KGATE DpcGate; //0x1920
UCHAR ThreadDpcEnable; //0x1930
volatile UCHAR QuantumEnd; //0x1931
volatile UCHAR DpcRoutineActive; //0x1932
volatile UCHAR IdleSchedule; //0x1933
union
{
volatile LONG DpcRequestSummary; //0x1934
SHORT DpcRequestSlot[2]; //0x1934
struct
{
SHORT NormalDpcState; //0x1934
union
{
volatile USHORT DpcThreadActive:1; //0x1936
SHORT ThreadDpcState; //0x1936
};
};
};
volatile ULONG TimerHand; //0x1938
ULONG LastTick; //0x193c
LONG MasterOffset; //0x1940
ULONG PrcbPad41[2]; //0x1944
ULONG PeriodicCount; //0x194c
ULONG PeriodicBias; //0x1950
ULONGLONG TickOffset; //0x1958
struct _KTIMER_TABLE TimerTable; //0x1960
struct _KDPC CallDpc; //0x31a0
LONG ClockKeepAlive; //0x31c0
UCHAR ClockCheckSlot; //0x31c4
UCHAR ClockPollCycle; //0x31c5
UCHAR PrcbPad6[2]; //0x31c6
LONG DpcWatchdogPeriod; //0x31c8
LONG DpcWatchdogCount; //0x31cc
LONG ThreadWatchdogPeriod; //0x31d0
LONG ThreadWatchdogCount; //0x31d4
volatile LONG KeSpinLockOrdering; //0x31d8
ULONG PrcbPad70[1]; //0x31dc
struct _LIST_ENTRY WaitListHead; //0x31e0
ULONG WaitLock; //0x31e8
ULONG ReadySummary; //0x31ec
ULONG QueueIndex; //0x31f0
struct _SINGLE_LIST_ENTRY DeferredReadyListHead; //0x31f4
ULONGLONG StartCycles; //0x31f8
volatile ULONGLONG CycleTime; //0x3200
volatile ULONG HighCycleTime; //0x3208
ULONG PrcbPad71; //0x320c
ULONGLONG PrcbPad72[2]; //0x3210
struct _LIST_ENTRY DispatcherReadyListHead[32]; //0x3220
VOID* ChainedInterruptList; //0x3320
LONG LookasideIrpFloat; //0x3324
volatile LONG MmPageFaultCount; //0x3328
volatile LONG MmCopyOnWriteCount; //0x332c
volatile LONG MmTransitionCount; //0x3330
volatile LONG MmCacheTransitionCount; //0x3334
volatile LONG MmDemandZeroCount; //0x3338
volatile LONG MmPageReadCount; //0x333c
volatile LONG MmPageReadIoCount; //0x3340
volatile LONG MmCacheReadCount; //0x3344
volatile LONG MmCacheIoCount; //0x3348
volatile LONG MmDirtyPagesWriteCount; //0x334c
volatile LONG MmDirtyWriteIoCount; //0x3350
volatile LONG MmMappedPagesWriteCount; //0x3354
volatile LONG MmMappedWriteIoCount; //0x3358
volatile ULONG CachedCommit; //0x335c
volatile ULONG CachedResidentAvailable; //0x3360
VOID* HyperPte; //0x3364
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!
最后于 2021-9-24 17:04
被SSH山水画编辑
,原因:
|
|
|---|---|
|
|
|
|
|
已经进内核了,是ntoskrnl或者ntkrnlpa,看你分页模式,不过代码都差不多 |
|
|
进入内核后,怎么用IDA分析的程序啊? |
|
|
windbg里不是识别出来SystemCall函数了吗,IDA里搜一下就行了呀 |
|
|
|
|
|
不好意思,我私信回复不了,我们是杭州的安全创业公司,有兴趣的话聊一下vx sbqqqq |
|
|
|
|
|
啥系统啊,蓝屏要么是你写错了,要么PG了 |
|
|
|
