首页
社区
课程
招聘
[原创] DbgkSendSystemDllMessages的实现
发表于: 2022-11-20 10:32 7868

[原创] DbgkSendSystemDllMessages的实现

2022-11-20 10:32
7868

WINX64重建调试体系
最近在学习重构WIN10的调试体系,顺便熟悉一下X64汇编,上面那个链接是关于WIN7的,给了我很大的启发(COPY),但是其中有一个函数也就是DbgkSendSystemDllMessages,贴主并没有实现,虽然说没有实现的必要,但是我有强迫症,搜索了国内国外的资料发现没有能够让我COPY的,所以我就自己逆了一下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
VOID hkDbgkSendSystemDllMessages(
    PETHREAD        Thread,
    PDEBUG_OBJECT    DebugObject,
    PDBGKM_APIMSG    ApiMsg
    )
{
    PMYEPROCESS Process;
    DBGKM_LOAD_DLL* LoadDllInfo;
    PSYSTEM_DLL_INFO SystemDllInfo;
    PTEB teb;
    BOOLEAN Flags;
    KAPC_STATE ApcState;
    PIMAGE_NT_HEADERS NtHeaders;
    PMYETHREAD CurrentThread;
    OBJECT_ATTRIBUTES ObjectAttributes;
    IO_STATUS_BLOCK IoStatusBlock;
    NTSTATUS status;
    if (Thread)
    {
        Process = (PMYEPROCESS)Thread->Process;
    }
    else
    {
        Process = (PMYEPROCESS)PsGetCurrentThread()->ApcState.Process;
    }
    LoadDllInfo = &ApiMsg->u.LoadDll;
    for (int i = 0; i < 6; ++i)
    {
        SystemDllInfo = (PSYSTEM_DLL_INFO)pPsQuerySystemDllInfo(i);
 
        if (!SystemDllInfo)
        {
            continue;
        }
        if (i > 0)
        {
            if (!SystemDllInfo->Flags ||
                !Process->WoW64Process ||
                i != (unsigned int)pPsWow64GetProcessNtdllType((PEPROCESS)Process))
            {
                continue;
            }
        }
 
        memset(LoadDllInfo, 0, sizeof(DBGKM_LOAD_DLL));
        teb = NULL;
        LoadDllInfo->BaseOfDll = SystemDllInfo->pDllBase;
 
        if (Thread && i)
        {
            //只有第一次循环不会附加到进程
            Flags = TRUE;
            KeStackAttachProcess((PEPROCESS)Process, &ApcState);
        }
        else
        {
            Flags = FALSE;
        }
 
        __try
        {
            NtHeaders = RtlImageNtHeader(LoadDllInfo->BaseOfDll);
            if (NtHeaders)
            {
                LoadDllInfo->DebugInfoFileOffset = NtHeaders->FileHeader.PointerToSymbolTable;
                LoadDllInfo->DebugInfoSize = NtHeaders->FileHeader.NumberOfSymbols;
            }
            if (!Thread)
            {
                CurrentThread = (PMYETHREAD)PsGetCurrentThread();
 
                if (CurrentThread->Tcb.SystemThread != 0 || CurrentThread->Tcb.ApcStateIndex == 1)
                {
                    teb = NULL;
                }
                else {
                    teb = (PTEB)CurrentThread->Tcb.Teb;
                }
                if (teb)
                {
                    RtlStringCbCopyW(teb->StaticUnicodeBuffer, sizeof(teb->StaticUnicodeBuffer), (NTSTRSAFE_PCWSTR)SystemDllInfo->StaticUnicodeBuffer);
                    teb->NtTib.ArbitraryUserPointer = (UINT64)teb->StaticUnicodeBuffer;
                    LoadDllInfo->NamePointer = &teb->NtTib.ArbitraryUserPointer;
 
                }
            }
        }
        __except(EXCEPTION_EXECUTE_HANDLER){
 
            LoadDllInfo->DebugInfoFileOffset = 0;
            LoadDllInfo->DebugInfoSize = 0;
            LoadDllInfo->NamePointer = NULL;
        }
 
        if (Flags)
        {
            KeUnstackDetachProcess(&ApcState);
        }
 
        ObjectAttributes.Length = sizeof(OBJECT_ATTRIBUTES);
        ObjectAttributes.RootDirectory = NULL;
        ObjectAttributes.ObjectName = SystemDllInfo->szDllFullName;
        ObjectAttributes.Attributes = OBJ_FORCE_ACCESS_CHECK | OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE;
        ObjectAttributes.SecurityDescriptor = NULL;
        ObjectAttributes.SecurityQualityOfService = NULL;
 
        status = ZwOpenFile(
            &LoadDllInfo->FileHandle,
            GENERIC_READ | SYNCHRONIZE,
            &ObjectAttributes,
            &IoStatusBlock,
            FILE_SHARE_VALID_FLAGS,
            FILE_SYNCHRONOUS_IO_NONALERT
        );
 
        if (!NT_SUCCESS(status))
        {
            LoadDllInfo->FileHandle = NULL;
        }
        ApiMsg->h.u1.Length = 0x500028;
        ApiMsg->h.u2.ZeroInit = 0x8;
        ApiMsg->ApiNumber = DbgKmLoadDllApi;
        if (Thread)
        {
            status = pDbgkpQueueMessage((PEPROCESS)Process, Thread, ApiMsg, DEBUG_EVENT_NOWAIT, DebugObject);
            if (!NT_SUCCESS(status) && LoadDllInfo->FileHandle)
            {
                ObCloseHandle(LoadDllInfo->FileHandle, KernelMode);
            }
        }
        else
        {
            pDbgkpSendApiMessage((PEPROCESS)Process, DEBUG_EVENT_NOWAIT | DEBUG_EVENT_READ, ApiMsg);
            if (LoadDllInfo->FileHandle)
                ObCloseHandle(LoadDllInfo->FileHandle, KernelMode);
            __try
            {
                if (teb)
                    teb->NtTib.ArbitraryUserPointer = NULL;
            }
            __except (EXCEPTION_EXECUTE_HANDLER)
            {
 
            }
        }
    }
}

再次感谢tmflxw大佬,前人栽树后人乘凉,我们都是站在巨人的肩膀上


[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课

收藏
免费 1
支持
分享
最新回复 (1)
雪    币: 3836
活跃值: (4142)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
2
感谢分享
2022-11-21 08:56
0
游客
登录 | 注册 方可回帖
返回
//