-
-
Windows内核-内存(八)
-
2022-8-21 16:49
-
八、内存
8.1.VAD私有内存
1.vaddemo.cpp
#include <stdio.h>
#include <Windows.h>
int main()
{
system("pause");
PVOID base = VirtualAlloc(NULL,0x1000,MEM_RESERVE,PAGE_NOACCESS);
printf("not allocate base % p\r\n",base);
system("pause");
base = VirtualAlloc(base, 0x1000, MEM_COMMIT, PAGE_READWRITE);
printf("allocate base % p\r\n", base);
system("pause");
return 0;
}2.在虚拟机里面运行
3.查看Vad_Root
kd> dt _EPROCESS 85e3a760 +0x278 VadRoot : _MM_AVL_TABLE
4.查看申请的内存D0位置
vad描述的是申请时的内存属性
87e94130 5 d0 d0 1 Private NO_ACCESS #private:表示私有内存 #NO_ACCESS:表示申请时的页属性:不可访问
ce查看,视图-->内存区域
kd> !VAD 85e3a760+278 VAD Level Start End Commit 85e3a9d8 0 0 0 4869 Mapped NO_ACCESS Pagefile section, shared commit 0 85dc4550 5 10 1f 0 Mapped READWRITE Pagefile section, shared commit 0x10 85d54bc8 4 20 2f 0 Mapped READWRITE Pagefile section, shared commit 0x10 85dc44a8 5 30 33 0 Mapped READONLY Pagefile section, shared commit 0x4 87e958c8 3 40 40 0 Mapped READONLY Pagefile section, shared commit 0x1 86b552f0 5 50 50 1 Private READWRITE 85dc78b8 4 60 c6 0 Mapped READONLY \Windows\System32\locale.nls 87e94130 5 d0 d0 1 Private NO_ACCESS 87daf488 2 210 30f 4 Private READWRITE 8809b038 4 4b0 5af 21 Private READWRITE 85dc7788 3 d20 e4f 84 Mapped Exe EXECUTE_WRITECOPY \Users\S12\Desktop\1.vad.exe 85dc2fc0 5 75830 7587b 4 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\apphelp.dll 85cc46a0 4 75b10 75b59 3 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\KernelBase.dll 85d86388 5 75ed0 75fa3 2 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\kernel32.dll 85cc4630 1 777f0 7792b 9 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\ntdll.dll 85d76150 3 77a30 77a30 0 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\apisetschema.dll 85dc7900 4 7f6f0 7f7ef 0 Mapped READONLY Pagefile section, shared commit 0x5 85d7c438 2 7ffa0 7ffd2 0 Mapped READONLY Pagefile section, shared commit 0x33 8809a3a0 3 7ffd5 7ffd5 1 Private READWRITE 87deea60 4 7ffdf 7ffdf 1 Private READWRITE Total VADs: 20, average level: 4, maximum depth: 5 Total private commit: 0x1388 pages (20000 KB) Total shared commit: 0x5d pages (372 KB)
Mapped:映射内存
Private:私有内存
Mapped Exe:pe文件的映射
start:是按页为单位的
5.查看vad结构
Private内存用MMVAD_SHORT查看
kd> dt _MMVAD_SHORT 87e94130 -r1 nt!_MMVAD_SHORT +0x000 u1 : <unnamed-tag> +0x000 Balance : 0y00 +0x000 Parent : 0x85dc78b8 _MMVAD +0x004 LeftChild : (null) +0x008 RightChild : (null) +0x00c StartingVpn : 0xd0 +0x010 EndingVpn : 0xd0 +0x014 u : <unnamed-tag> +0x000 LongFlags : 0x98000001 +0x000 VadFlags : _MMVAD_FLAGS +0x018 PushLock : _EX_PUSH_LOCK +0x000 Locked : 0y0 +0x000 Waiting : 0y0 +0x000 Waking : 0y0 +0x000 MultipleShared : 0y0 +0x000 Shared : 0y0000000000000000000000000000 (0) +0x000 Value : 0 +0x000 Ptr : (null) +0x01c u5 : <unnamed-tag> +0x000 LongFlags3 : 0 +0x000 VadFlags3 : _MMVAD_FLAGS3
_MMVAD_FLAGS
kd> dt _MMVAD_FLAGS 87e94130+14 nt!_MMVAD_FLAGS +0x000 CommitCharge : 0y0000000000000000001 (0x1) +0x000 NoChange : 0y0 //是否可以改属性 +0x000 VadType : 0y000 //VAD类型 +0x000 MemCommit : 0y0 //是否为提交的页 +0x000 Protection : 0y11000 (0x18) //初始分配的页属性 0x18为NO_ACCESS +0x000 Spare : 0y00 +0x000 PrivateMemory : 0y1
_MMVAD_FLAGS3
kd> dt _MMVAD_FLAGS3 87e94130+1C nt!_MMVAD_FLAGS3 +0x000 PreferredNode : 0y000000 (0) +0x000 Teb : 0y0 +0x000 Spare : 0y0 +0x000 SequentialAccess : 0y0 +0x000 LastSequentialTrim : 0y000000000000000 (0) +0x000 Spare2 : 0y00000000 (0)
8.2.锁页
1.查看Mapped属性的vad
kd> !VAD 85e3a760+278 VAD Level Start End Commit 85e3a9d8 0 0 0 4869 Mapped NO_ACCESS Pagefile section, shared commit 0 85dc4550 5 10 1f 0 Mapped READWRITE Pagefile section, shared commit 0x10 85d54bc8 4 20 2f 0 Mapped READWRITE Pagefile section, shared commit 0x10 85dc44a8 5 30 33 0 Mapped READONLY Pagefile section, shared commit 0x4 87e958c8 3 40 40 0 Mapped READONLY Pagefile section, shared commit 0x1 86b552f0 5 50 50 1 Private READWRITE 85dc78b8 4 60 c6 0 Mapped READONLY \Windows\System32\locale.nls 87e94130 5 d0 d0 1 Private NO_ACCESS 87daf488 2 210 30f 4 Private READWRITE 8809b038 4 4b0 5af 21 Private READWRITE 85dc7788 3 d20 e4f 84 Mapped Exe EXECUTE_WRITECOPY \Users\S12\Desktop\1.vad.exe 85dc2fc0 5 75830 7587b 4 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\apphelp.dll 85cc46a0 4 75b10 75b59 3 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\KernelBase.dll 85d86388 5 75ed0 75fa3 2 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\kernel32.dll 85cc4630 1 777f0 7792b 9 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\ntdll.dll 85d76150 3 77a30 77a30 0 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\apisetschema.dll 85dc7900 4 7f6f0 7f7ef 0 Mapped READONLY Pagefile section, shared commit 0x5 85d7c438 2 7ffa0 7ffd2 0 Mapped READONLY Pagefile section, shared commit 0x33 8809a3a0 3 7ffd5 7ffd5 1 Private READWRITE 87deea60 4 7ffdf 7ffdf 1 Private READWRITE kd> dt _MMVAD 85dc2fc0 nt!_MMVAD +0x000 u1 : <unnamed-tag> +0x004 LeftChild : (null) +0x008 RightChild : (null) +0x00c StartingVpn : 0x75830 +0x010 EndingVpn : 0x7587b +0x014 u : <unnamed-tag> +0x018 PushLock : _EX_PUSH_LOCK +0x01c u5 : <unnamed-tag> +0x020 u2 : <unnamed-tag> +0x024 Subsection : 0x87b312d0 _SUBSECTION +0x024 MappedSubsection : 0x87b312d0 _MSUBSECTION +0x028 FirstPrototypePte : 0x9acfc958 _MMPTE +0x02c LastContiguousPte : 0xfffffffc _MMPTE +0x030 ViewLinks : _LIST_ENTRY [ 0x887fd6f0 - 0x85e0ac20 ] +0x038 VadsProcess : 0x85e3a761 _EPROCESS
2._MSUBSECTION
kd> dt 0x87b312d0 _MSUBSECTION nt!_MSUBSECTION +0x000 ControlArea : 0x87b31280 _CONTROL_AREA +0x004 SubsectionBase : 0x9acfc958 _MMPTE +0x008 NextSubsection : 0x87b312f0 _SUBSECTION +0x008 NextMappedSubsection : 0x87b312f0 _MSUBSECTION +0x00c PtesInSubsection : 1 +0x010 UnusedPtes : 0 +0x010 GlobalPerSessionHead : (null) +0x014 u : <unnamed-tag> +0x018 StartingSector : 0 +0x01c NumberOfFullSectors : 2 +0x020 u1 : <unnamed-tag> +0x024 LeftChild : 0x9acfc960 _MMSUBSECTION_NODE +0x028 RightChild : 0x87b31310 _MMSUBSECTION_NODE +0x02c DereferenceList : _LIST_ENTRY [ 0x3c - 0x0 ] +0x034 NumberOfMappedViews : 6
3.锁页,把下面两个位都改为1,可以锁页
NoChange:改为1
SecNoChange:改为1
kd> dt 85dc2fc0+14 _MMVAD_FLAGS nt!_MMVAD_FLAGS +0x000 CommitCharge : 0y0000000000000000100 (0x4) +0x000 NoChange : 0y0 //改为1 +0x000 VadType : 0y010 +0x000 MemCommit : 0y0 +0x000 Protection : 0y00111 (0x7) +0x000 Spare : 0y00 +0x000 PrivateMemory : 0y0 kd> dt 85dc2fc0+20 _MMVAD_FLAGS2 nt!_MMVAD_FLAGS2 +0x000 FileOffset : 0y000000000000000000000000 (0) +0x000 SecNoChange : 0y0 //改为1 +0x000 OneSecured : 0y0 +0x000 MultipleSecured : 0y0 +0x000 Spare : 0y0 +0x000 LongVad : 0y0 +0x000 ExtendableFile : 0y0 +0x000 Inherit : 0y1 +0x000 CopyOnWrite : 0y0
8.3.数据库页帧
1._MMPFN
kd> dt _MMPFN -r1 nt!_MMPFN +0x000 u1 : <unnamed-tag> +0x000 Flink : Uint4B +0x000 WsIndex : Uint4B +0x000 Event : Ptr32 _KEVENT +0x000 Next : Ptr32 Void +0x000 VolatileNext : Ptr32 Void +0x000 KernelStackOwner : Ptr32 _KTHREAD +0x000 NextStackPfn : _SINGLE_LIST_ENTRY +0x004 u2 : <unnamed-tag> +0x000 Blink : Uint4B +0x000 ImageProtoPte : Ptr32 _MMPTE +0x000 ShareCount : Uint4B //当前页被映射了多少次 +0x008 PteAddress : Ptr32 _MMPTE +0x000 u : <unnamed-tag> +0x008 VolatilePteAddress : Ptr32 Void +0x008 Lock : Int4B +0x008 PteLong : Uint4B +0x00c u3 : <unnamed-tag> +0x000 ReferenceCount : Uint2B //引用次数,为0的时候表示释放了 +0x002 e1 : _MMPFNENTRY +0x000 e2 : <unnamed-tag> +0x010 OriginalPte : _MMPTE +0x000 u : <unnamed-tag> +0x010 AweReferenceCount : Int4B +0x014 u4 : <unnamed-tag> +0x000 PteFrame : Pos 0, 25 Bits +0x000 PfnImageVerified : Pos 25, 1 Bit +0x000 AweAllocation : Pos 26, 1 Bit +0x000 PrototypePte : Pos 27, 1 Bit +0x000 PageColor : Pos 28, 4 Bits
2._MMPFN的u3
+0x00c u3 : <unnamed-tag> +0x000 ReferenceCount : Uint2B +0x002 e1 : _MMPFNENTRY +0x000 PageLocation : Pos 0, 3 Bits //属于哪个链表,就可以知道当前页的状态 +0x000 WriteInProgress : Pos 3, 1 Bit +0x000 Modified : Pos 4, 1 Bit //是否被修改过 +0x000 ReadInProgress : Pos 5, 1 Bit +0x000 CacheAttribute : Pos 6, 2 Bits //是否有缓存 +0x001 Priority : Pos 0, 3 Bits +0x001 Rom : Pos 3, 1 Bit +0x001 InPageError : Pos 4, 1 Bit +0x001 KernelStack : Pos 5, 1 Bit +0x001 RemovalRequested : Pos 6, 1 Bit +0x001 ParityError : Pos 7, 1 Bit +0x000 e2 : <unnamed-tag> +0x000 ReferenceCount : Uint2B +0x000 VolatileReferenceCount : Int2B +0x002 ShortFlags : Uint2B
3.MmPageLocationList
PMMPFNLIST MmPageLocationList[NUMBER_OF_PAGE_LISTS] = {
&MmZeroedPageListHead,
&MmFreePageListHead,
&MmStandbyPageListHead,
&MmModifiedPageListHead,
&MmModifiedNoWritePageListHead,
&MmBadPageListHead,
NULL,
NULL };MmZeroedPageListHead:零化页表,剩余的物理地址 都挂在这个链表上,并且这个物理地址里面的内容都是0
MmFreePageListHead : 释放链表
MmStandbyPageListHead:备用链表:已经被移出内存工作集的物理地址,内存内容没有被修改,可以转移到磁盘上,被其他映射使用,要使用之前,先得把数据交换到磁盘上,当 然也可以重新召唤到原工作集 继续使用
MmModifiedPageListHead: 修改链表:跟备用链表一样,只是内容是被修改的,无论你是否召回到原工作集 他都要交换磁盘上
MmModifiedNoWritePageListHead:修改不写出链表:跟备用链表一样,只是内容是被修改的,无论你是否召回到原工作集他都不会交换到磁盘上
MmBadPageListHead:损坏链表
8.4.修改页属性
1.附加到进程
PROCESS 8809b718 SessionId: 1 Cid: 035c Peb: 7ffdf000 ParentCid: 0578 DirBase: 23b59000 ObjectTable: ab6de1a0 HandleCount: 13. Image: 1.vad.exe PROCESS 8638fd40 SessionId: 1 Cid: 0ef0 Peb: 7ffd5000 ParentCid: 0804 DirBase: 5fec5000 ObjectTable: a4161a98 HandleCount: 580. Image: cheatengine-i386.exe kd> .process /i 8809b718 You need to continue execution (press 'g' <enter>) for the context to be switched. When the debugger breaks in again, you will be in the new process context. kd> g
2.查看pte和MMPFNDATABASE
pte的523DF867除掉后三位,523DF是页帧的索引
kd> !pte d0000 VA 000d0000 PDE at C0300000 PTE at C0000340 contains 271CE867 contains 523DF867 pfn 271ce ---DA--UWEV pfn 523df ---DA--UWEV kd> dd MMPFNDATABASE 841ad814 85400000 00000000 00000001 0007ffff 841ad824 0007ff7e 7ffeffff 80000000 7fff0000 841ad834 80d41000 0007ffff 80000000 86001c2c 841ad844 86001c24 86001c00 c01fffbc c03007fc 841ad854 00000000 00000001 00000002 00000001 841ad864 00000000 00000002 00000000 00000001 841ad874 00000002 00000001 00000000 00000002 841ad884 00000000 00000000 00000000 00000000
3.查看+0x010 OriginalPte位置
kd> dt _MMPFN 85400000+523DF*1C -r2
+0x010 OriginalPte : _MMPTE +0x000 u : <unnamed-tag> +0x000 Long : 0x5560001 +0x000 VolatileLong : 0x5560001 //原型pte权限 +0x000 Flush : _HARDWARE_PTE +0x000 Hard : _MMPTE_HARDWARE +0x000 Proto : _MMPTE_PROTOTYPE +0x000 Soft : _MMPTE_SOFTWARE +0x000 TimeStamp : _MMPTE_TIMESTAMP +0x000 Trans : _MMPTE_TRANSITION +0x000 Subsect : _MMPTE_SUBSECTION +0x000 List : _MMPTE_LIST +0x010 AweReferenceCount : 0n89522177
4.修改
c0:可读可写可执行
80:可读可写
0:No Access ,改成0 就变成无访问权限,可以避免注入后被检测到
kd> ed 85400000+523DF*1C+10 c0 kd> dt _MMPTE 85400000+523DF*1c+0x10 -r1 nt!_MMPTE +0x000 u : <unnamed-tag> +0x000 Long : 0xc0 +0x000 VolatileLong : 0xc0 +0x000 Flush : _HARDWARE_PTE +0x000 Hard : _MMPTE_HARDWARE +0x000 Proto : _MMPTE_PROTOTYPE +0x000 Soft : _MMPTE_SOFTWARE +0x000 TimeStamp : _MMPTE_TIMESTAMP +0x000 Trans : _MMPTE_TRANSITION +0x000 Subsect : _MMPTE_SUBSECTION +0x000 List : _MMPTE_LIST
[培训]二进制漏洞攻防(第3期);满10人开班;模糊测试与工具使用二次开发;网络协议漏洞挖掘;Linux内核漏洞挖掘与利用;AOSP漏洞挖掘与利用;代码审计。
