-
-
Windows内核-进程线程(四)
-
2022-8-10 22:33
-
四、进程线程
4.1.WRK安装
1.Project-->New Project-->选择wrk目录-->ok
2.Add and Remove Project Files--->选中四个文件-->Add Tree
3.搜索
4.2.KPCR
kpcr:cpu核控制块,cpu一个核一个kpcr结构
fs=0x30 在内核中的时候,指向的是kpcr结构
fs=0x3b 在应用层的时候,指向的是当前线程的TEB
1.kpcr结构
kd> dt _KPCR ntdll!_KPCR +0x000 NtTib : _NT_TIB +0x000 Used_ExceptionList : Ptr32 _EXCEPTION_REGISTRATION_RECORD +0x004 Used_StackBase : Ptr32 Void +0x008 Spare2 : Ptr32 Void +0x00c TssCopy : Ptr32 Void +0x010 ContextSwitches : Uint4B +0x014 SetMemberCopy : Uint4B +0x018 Used_Self : Ptr32 Void //指向自己或者线程的TEB +0x01c SelfPcr : Ptr32 _KPCR //一定会指向kpcr自己 +0x020 Prcb : Ptr32 _KPRCB //用于定位+0x120 _KPCR的位置 +0x024 Irql : UChar +0x028 IRR : Uint4B +0x02c IrrActive : Uint4B +0x030 IDR : Uint4B +0x034 KdVersionBlock : Ptr32 Void +0x038 IDT : Ptr32 _KIDTENTRY +0x03c GDT : Ptr32 _KGDTENTRY +0x040 TSS : Ptr32 _KTSS +0x044 MajorVersion : Uint2B +0x046 MinorVersion : Uint2B +0x048 SetMember : Uint4B +0x04c StallScaleFactor : Uint4B +0x050 SpareUnused : UChar +0x051 Number : UChar //当前跑在哪个核上 +0x052 Spare0 : UChar +0x053 SecondLevelCacheAssociativity : UChar +0x054 VdmAlert : Uint4B +0x058 KernelReserved : [14] Uint4B +0x090 SecondLevelCacheSize : Uint4B +0x094 HalReserved : [16] Uint4B +0x0d4 InterruptMode : Uint4B +0x0d8 Spare1 : UChar +0x0dc KernelReserved2 : [17] Uint4B +0x120 PrcbData : _KPRCB //KPCR扩展块
2.KiProcessorBlock
KiProcessorBlock:cpu控制扩展块数组,指向的是KPCR的0x120位置
KeNumberProcessors:核数量
扩展块
3.+0x000 NtTib
ntdll!_NT_TIB +0x000 ExceptionList : Ptr32 _EXCEPTION_REGISTRATION_RECORD +0x004 StackBase : Ptr32 Void +0x008 StackLimit : Ptr32 Void //当前这个核上跑的线程的堆栈的栈顶和栈底 +0x00c SubSystemTib : Ptr32 Void +0x010 FiberData : Ptr32 Void +0x010 Version : Uint4B +0x014 ArbitraryUserPointer : Ptr32 Void +0x018 Self : Ptr32 _NT_TIB
4.3.函数类型
Windows是微内核,分内核结构和执行体结构
内核结构:只在内核中使用(KPROCESS属于内核结构)
执行体结构:专门用于和R3打交道 (EPROCESS属于执行体)
函数类型
Ex:执行体函数,进程、线程、链表、对象属性、赋值、取值、加锁相关
Ke:内核函数,大部分是导出
Ki:微内核函数,不导出,内部自己使用。进程、线程、cpu、调度相关
Ps:执行体函数,进程、线程相关
Mm:内存相关函数,一般导出
Mi:内存相关函数,Mm函数底层就是调用Mi,不导出
Io:文件、设备相关,导出
CC:文件缓存
Rtl:导出函数,一般是运行库,字符串操作等
Zw:SSDT,但是Zw不需要修改线程的先前模式
Nt:Zw函数会调用到Nt,本身Zw函数不实现功能
CM:注册表
hal:硬件函数
Ob:对象管理器,句柄,创建内核对象,查询内核对象等
Pnp:电源管理
Psp:执行体函数,进程、线程。Ps函数实现复杂功能的时候,都是调用Psp
4.4.KPROCESS
KPROCESS
kd> dt _KPROCESS ntdll!_KPROCESS +0x000 Header : _DISPATCHER_HEADER +0x010 ProfileListHead : _LIST_ENTRY //性能分析 +0x018 DirectoryTableBase : Uint4B //CR3 +0x01c LdtDescriptor : _KGDTENTRY +0x024 Int21Descriptor : _KIDTENTRY +0x02c ThreadListHead : _LIST_ENTRY //当前进程有多少线程 +0x034 ProcessLock : Uint4B //自旋锁 +0x038 Affinity : _KAFFINITY_EX //亲核性 +0x044 ReadyListHead : _LIST_ENTRY //就绪链表 +0x04c SwapListEntry : _SINGLE_LIST_ENTRY //交换链表 +0x050 ActiveProcessors : _KAFFINITY_EX +0x05c AutoAlignment : Pos 0, 1 Bit +0x05c DisableBoost : Pos 1, 1 Bit +0x05c DisableQuantum : Pos 2, 1 Bit //时间碎片 +0x05c ActiveGroupsMask : Pos 3, 1 Bit +0x05c ReservedFlags : Pos 4, 28 Bits +0x05c ProcessFlags : Int4B +0x060 BasePriority : Char //初始优先级 +0x061 QuantumReset : Char //时间碎片值 +0x062 Visited : UChar +0x063 Unused3 : UChar +0x064 ThreadSeed : [1] Uint4B +0x068 IdealNode : [1] Uint2B +0x06a IdealGlobalNode : Uint2B +0x06c Flags : _KEXECUTE_OPTIONS +0x06d Unused1 : UChar +0x06e IopmOffset : Uint2B +0x070 Unused4 : Uint4B +0x074 StackCount : _KSTACK_COUNT +0x078 ProcessListEntry : _LIST_ENTRY +0x080 CycleTime : Uint8B +0x088 KernelTime : Uint4B +0x08c UserTime : Uint4B //统计线程开始到死亡活动的时间 +0x090 VdmTrapcHandler : Ptr32 Void
4.5.EPROCESS
kd> dt _EPROCESS 88079d40 ntdll!_EPROCESS +0x000 Pcb : _KPROCESS +0x098 ProcessLock : _EX_PUSH_LOCK //自旋锁 +0x0a0 CreateTime : _LARGE_INTEGER 0x01d88c86`b179ff84 //进程创建的时间 +0x0a8 ExitTime : _LARGE_INTEGER 0x0 //进程退出的时间 +0x0b0 RundownProtect : _EX_RUNDOWN_REF +0x0b4 UniqueProcessId : 0x00000cb8 Void //进程pid +0x0b8 ActiveProcessLinks : _LIST_ENTRY [ 0x83f59c88 - 0x88067540 ] //活动进程链表 +0x0c0 ProcessQuotaUsage : [2] 0x3688 +0x0c8 ProcessQuotaPeak : [2] 0x373c +0x0d0 CommitCharge : 0x602 +0x0d4 QuotaBlock : 0x87acf1c0 _EPROCESS_QUOTA_BLOCK +0x0d8 CpuQuotaBlock : (null) +0x0dc PeakVirtualSize : 0x8156000 +0x0e0 VirtualSize : 0x8115000 +0x0e4 SessionProcessLinks : _LIST_ENTRY [ 0x8f18f010 - 0x87d6adbc ] //当前用户进程链表 +0x0ec DebugPort : (null) //如果有值,说明正在被调试 +0x0f0 ExceptionPortData : 0x879e0f00 Void +0x0f0 ExceptionPortValue : 0x879e0f00 +0x0f0 ExceptionPortState : 0y000 +0x0f4 ObjectTable : 0xa4738a78 _HANDLE_TABLE //句柄表 +0x0f8 Token : _EX_FAST_REF +0x0fc WorkingSetPage : 0xf226 //用了多少页 +0x100 AddressCreationLock : _EX_PUSH_LOCK +0x104 RotateInProgress : (null) +0x108 ForkInProgress : (null) +0x10c HardwareTrigger : 0 +0x110 PhysicalVadRoot : (null) +0x114 CloneRoot : (null) +0x118 NumberOfPrivatePages : 0x44e +0x11c NumberOfLockedPages : 0 +0x120 Win32Process : 0xffa40510 Void +0x124 Job : (null) +0x128 SectionObject : 0x99dff928 Void +0x12c SectionBaseAddress : 0x00be0000 Void +0x130 Cookie : 0x910986dc +0x134 Spare8 : 0 +0x138 WorkingSetWatch : (null) +0x13c Win32WindowStation : 0x00000038 Void +0x140 InheritedFromUniqueProcessId : 0x00000554 Void +0x144 LdtInformation : (null) +0x148 VdmObjects : (null) +0x14c ConsoleHostProcess : 0 +0x150 DeviceMap : 0x83650490 Void +0x154 EtwDataSource : (null) +0x158 FreeTebHint : 0x7ffde000 Void +0x160 PageDirectoryPte : _HARDWARE_PTE_X86 +0x160 Filler : 0 +0x168 Session : 0x8f18f000 Void +0x16c ImageFileName : [15] "notepad.exe" //进程名字 +0x17b PriorityClass : 0x2 '' +0x17c JobLinks : _LIST_ENTRY [ 0x0 - 0x0 ] +0x184 LockedPagesList : (null) +0x188 ThreadListHead : _LIST_ENTRY [ 0x85da7298 - 0x88094fb0 ] //线程链表 +0x190 SecurityPort : (null) +0x194 PaeTop : 0x86b79560 Void +0x198 ActiveThreads : 4 //当前进程有多少个线程 +0x19c ImagePathHash : 0xeb1b961a +0x1a0 DefaultHardErrorProcessing : 1 +0x1a4 LastThreadExitStatus : 0n0 +0x1a8 Peb : 0x7ffdf000 _PEB //PEB +0x1ac PrefetchTrace : _EX_FAST_REF +0x1b0 ReadOperationCount : _LARGE_INTEGER 0x1c +0x1b8 WriteOperationCount : _LARGE_INTEGER 0x4 +0x1c0 OtherOperationCount : _LARGE_INTEGER 0x1fa +0x1c8 ReadTransferCount : _LARGE_INTEGER 0x4b9031 +0x1d0 WriteTransferCount : _LARGE_INTEGER 0x2a38 +0x1d8 OtherTransferCount : _LARGE_INTEGER 0x126c +0x1e0 CommitChargeLimit : 0 +0x1e4 CommitChargePeak : 0xb49 +0x1e8 AweInfo : (null) +0x1ec SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO //进程名完整路劲 +0x1f0 Vm : _MMSUPPORT +0x25c MmProcessLinks : _LIST_ENTRY [ 0x83f600f0 - 0x880676e4 ] +0x264 HighestUserAddress : 0x7fff0000 Void +0x268 ModifiedPageCount : 0x209 +0x26c Flags2 : 0x200d000 +0x26c JobNotReallyActive : 0y0 +0x26c AccountingFolded : 0y0 +0x26c NewProcessReported : 0y0 +0x26c ExitProcessReported : 0y0 +0x26c ReportCommitChanges : 0y0 +0x26c LastReportMemory : 0y0 +0x26c ReportPhysicalPageChanges : 0y0 +0x26c HandleTableRundown : 0y0 +0x26c NeedsHandleRundown : 0y0 +0x26c RefTraceEnabled : 0y0 +0x26c NumaAware : 0y0 +0x26c ProtectedProcess : 0y0 //保护进程 +0x26c DefaultPagePriority : 0y101 +0x26c PrimaryTokenFrozen : 0y1 +0x26c ProcessVerifierTarget : 0y0 +0x26c StackRandomizationDisabled : 0y0 +0x26c AffinityPermanent : 0y0 +0x26c AffinityUpdateEnable : 0y0 +0x26c PropagateNode : 0y0 +0x26c ExplicitAffinity : 0y0 +0x270 Flags : 0x144d0801 +0x270 CreateReported : 0y1 +0x270 NoDebugInherit : 0y0 +0x270 ProcessExiting : 0y0 +0x270 ProcessDelete : 0y0 +0x270 Wow64SplitPages : 0y0 +0x270 VmDeleted : 0y0 +0x270 OutswapEnabled : 0y0 +0x270 Outswapped : 0y0 +0x270 ForkFailed : 0y0 +0x270 Wow64VaSpace4Gb : 0y0 +0x270 AddressSpaceInitialized : 0y10 +0x270 SetTimerResolution : 0y0 +0x270 BreakOnTermination : 0y0 +0x270 DeprioritizeViews : 0y0 +0x270 WriteWatch : 0y0 +0x270 ProcessInSession : 0y1 +0x270 OverrideAddressSpace : 0y0 +0x270 HasAddressSpace : 0y1 +0x270 LaunchPrefetched : 0y1 +0x270 InjectInpageErrors : 0y0 +0x270 VmTopDown : 0y0 //申请的内存地址从大地址开始,默认是小地址 +0x270 ImageNotifyDone : 0y1 +0x270 PdeUpdateNeeded : 0y0 +0x270 VdmAllowed : 0y0 +0x270 CrossSessionCreate : 0y0 +0x270 ProcessInserted : 0y1 +0x270 DefaultIoPriority : 0y010 +0x270 ProcessSelfDelete : 0y0 +0x270 SetTimerResolutionLink : 0y0 +0x274 ExitStatus : 0n259 //判断进程是否退出,不是259就是退出 +0x278 VadRoot : _MM_AVL_TABLE +0x298 AlpcContext : _ALPC_PROCESS_CONTEXT +0x2a8 TimerResolutionLink : _LIST_ENTRY [ 0x0 - 0x0 ] +0x2b0 RequestedTimerResolution : 0 +0x2b4 ActiveThreadsHighWatermark : 6 +0x2b8 SmallestTimerResolution : 0 +0x2bc TimerResolutionStackRecord : (null)
4.6.OBJECT-HEADER
EPROCESS有一个对象头object_header,在减18位置
位置:-0x18,
Flags:修改OBJECT_HEADER的Flags为4可以保护进程
kd> dt _OBJECT_HEADER 88079d40-0x18 nt!_OBJECT_HEADER +0x000 PointerCount : 0n54 //引用次数 +0x004 HandleCount : 0n3 +0x004 NextToFree : 0x00000003 Void +0x008 Lock : _EX_PUSH_LOCK +0x00c TypeIndex : 0x7 '' //对象类型 +0x00d TraceFlags : 0 '' +0x00e InfoMask : 0x8 '' +0x00f Flags : 0 '' //把flags改成4,可以保护进程 +0x010 ObjectCreateInfo : 0x87acf1c0 _OBJECT_CREATE_INFORMATION +0x010 QuotaBlockCharged : 0x87acf1c0 Void +0x014 SecurityDescriptor : 0x8ce7aeca Void +0x018 Body : _QUAD kd> eb 88079d40-0x18+f 4 kd> g
4.7.保护进程
DriverEntry.c
#include <ntifs.h>
EXTERN_C UCHAR * PsGetProcessImageFileName(
__in PEPROCESS Process
);
//设置Object_Header的Flags位
VOID SetProcessFlags(PEPROCESS Process)
{
PUCHAR ObjectHeader = NULL;
#ifdef _WIN64
ObjectHeader = ((PUCHAR)Process - 0x30);
*(ObjectHeader + 0x1b) |= 4;
#else
ObjectHeader = ((PUCHAR)Process - 0x18);
*(ObjectHeader + 0xf) |= 4;
#endif
}
VOID CloseProcessFlags(PEPROCESS Process)
{
PUCHAR ObjectHeader = NULL;
#ifdef _WIN64
ObjectHeader = ((PUCHAR)Process - 0x30);
*(ObjectHeader + 0x1b) &= ~4;
#else
ObjectHeader = ((PUCHAR)Process - 0x18);
*(ObjectHeader + 0xf) &= ~4;
#endif
}
PEPROCESS FindProceeByName(char* name)
{
PEPROCESS findProcess = NULL;
for (int i = 4; i < 0x1000000; i += 4)
{
PEPROCESS Process = NULL;
//根据pid获取进程对象
NTSTATUS status = PsLookupProcessByProcessId((HANDLE)i, &Process);
if (!NT_SUCCESS(status))
{
continue;
}
//获取进程名字
PUCHAR processName = PsGetProcessImageFileName(Process);
if (processName && _stricmp(processName, name) == 0)
{
findProcess = Process;
break;
}
ObDereferenceObject(Process); //引用计数-1
}
return findProcess;
}
VOID DriverUnload(PDRIVER_OBJECT pDriver)
{
PEPROCESS Process = FindProceeByName("Dbgview.exe");
if (!Process)
{
return;
}
CloseProcessFlags(Process);
ObDereferenceObject(Process); //引用计数-1
}
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriver, PUNICODE_STRING pReg)
{
PEPROCESS Process = FindProceeByName("Dbgview.exe");
if (!Process)
{
return STATUS_UNSUCCESSFUL;
}
SetProcessFlags(Process);
pDriver->DriverUnload = DriverUnload;
return STATUS_SUCCESS;
}4.8.进程断链
DriverEntry.c
#include <ntifs.h>
PEPROCESS FindProcessByName(PWCH name)
{
PEPROCESS Process = NULL;
PEPROCESS findProcess = NULL;
for (int i = 8; i < 0x1000000; i += 4)
{
NTSTATUS status = PsLookupProcessByProcessId((HANDLE)i,&Process);
if (!NT_SUCCESS(status))
{
continue;
}
PUNICODE_STRING ProcessName = NULL;
status = SeLocateProcessImageName(Process, &ProcessName); //进程全路劲名字
if (!NT_SUCCESS(status))
{
ObDereferenceObject(Process);
continue;
}
if (ProcessName->Length)
{
_wcsupr(ProcessName->Buffer);
if (wcsstr(ProcessName->Buffer, name) != 0)
{
findProcess = Process;
ExFreePoolWithTag(ProcessName,0); //释放
break;
}
}
ExFreePoolWithTag(ProcessName, 0);
ObDereferenceObject(Process);
}
return findProcess;
}
ULONG GetProcessActiveProcessLinkOffset()
{
static ULONG offset = 0;
if (offset) return offset;
UNICODE_STRING Name;
RtlInitUnicodeString(&Name,L"PsGetProcessId");
PUCHAR func = (PUCHAR)MmGetSystemRoutineAddress(&Name);
for (int i = 0; i < 100; i ++)
{
if (func[i] == 0x8b && func[i + 1] == 0x80)
{
offset = *(PULONG)(func + i + 2);
offset += 4; //通过特征码定位
break;
}
}
return offset;
}
VOID DriverUnload(PDRIVER_OBJECT pDriver)
{
}
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriver, PUNICODE_STRING pReg)
{
PEPROCESS Process = FindProcessByName(L"DBGVIEW.EXE");
ULONG offset = GetProcessActiveProcessLinkOffset();
RemoveEntryList((PUCHAR)Process + offset); //断链
InitializeListHead((PUCHAR)Process + offset); //初始化链表
ObDereferenceObject(Process);
pDriver->DriverUnload = DriverUnload;
return STATUS_SUCCESS;
}4.9.线程查找
KTHREAD
+0x074 WaitListEntry : _LIST_ENTRY //就绪线程
dt nt!_KPRCB
//链表包含32个成员,对应就绪位图的32位。就绪位图的位为1,说明这个链表对应的索引成员有就绪线程 +0x3220 DispatcherReadyListHead : [32] _LIST_ENTRY //就绪位图,二进制32位, +0x31ec ReadySummary : Uint4B
KiFindReadyThread函数逆向分析,首先按x,进到KiSerachForNewThread,找到KiFindReadyThread的三个参数
然后开始分析KiFindReadyThread
4.10.线程主动切换
KiSwapThread
[培训]《安卓高级研修班(网课)》月薪三万计划,掌握调试、分析还原ollvm、vmp的方法,定制art虚拟机自动化脱壳的方法
最后于 2022-8-14 14:57
被zhang_derek编辑
,原因:
|
|
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
我好像还有滴水的教程,要不我分享一下? |
|
|
|
|
|
|
