[原创]特殊的线性地址-软件逆向-看雪-安全社区|安全招聘|kanxue.com

[原创]特殊的线性地址

2023-7-28 15:21 4300

[原创]特殊的线性地址

ATrueMan

2023-7-28 15:21

4300

1、线性地址：0xC0000000

拆分地址：
1100 0000 00 -> 300*4 = C00
0000 0000 00
000

PROCESS 8986f278  SessionId: 0  Cid: 0458    Peb: 7ffde000  ParentCid: 05c4
    DirBase: 25973000  ObjectTable: e174bba8  HandleCount: 167.
    Image: notepad.exe
 
kd> !dd 25973000
#25973000 26130867 26923867 26634867 27a53867   CR3指向的PDT
#25973010 27223867 00000000 00000000 246df867
#25973020 00000000 00000000 278e0867 24721867
#25973030 2480e867 26b0f867 284d3867 24b95867
#25973040 24616867 00000000 00000000 00000000
#25973050 00000000 00000000 00000000 00000000
#25973060 00000000 00000000 00000000 00000000
#25973070 00000000 00000000 00000000 00000000
 
kd> !dd 26130000
#26130000 00000000 00000000 00000000 00000000   PTT- 0
#26130010 00000000 00000000 00000000 00000000
#26130020 00000000 00000000 00000000 00000000
#26130030 00000000 00000000 00000000 00000000
#26130040 26971867 00000000 00000000 00000000
#26130050 00000000 00000000 00000000 00000000
#26130060 00000000 00000000 00000000 00000000
#26130070 00000000 00000000 00000000 00000000
 
kd> !dd 26923000
#26923000 262b2867 23c33867 00000080 00000000   PTT - 1
#26923010 00000000 00000000 00000000 00000000
#26923020 00000000 00000000 00000000 00000000
#26923030 00000000 00000000 00000000 00000000
#26923040 26ee4867 266a5867 265a6867 24927867
#26923050 268e9867 243aa867 2796b867 273e8867
#26923060 00000000 00000000 00000000 00000000
#26923070 00000000 00000000 00000000 00000000
 
kd> !dd 26634000
#26634000 00000000 00000000 00000000 00000000   PTT - 2
#26634010 00000000 00000000 00000000 00000000
#26634020 00000000 00000000 00000000 00000000
#26634030 00000000 00000000 00000000 00000000
#26634040 00000000 00000000 00000000 00000000
#26634050 00000000 00000000 00000000 00000000
#26634060 00000000 00000000 00000000 00000000
#26634070 00000000 00000000 00000000 00000000
 
kd> !dd 25973000 + c00   
#25973c00 25973863 236f4863 00000000 0a464963   线性地址0xC00000000的PDE
#25973c10 0a465963 0a466963 0a467963 0a468963
#25973c20 0a469963 0a46a963 0a46b963 0a46c963
#25973c30 0a42d963 0a42e963 0a42f963 0a430963
#25973c40 0a431963 0a432963 0a433963 0a434963
#25973c50 0a435963 0a436963 0a437963 0a438963
#25973c60 0a439963 0a43a963 0a43b963 0a43c963
#25973c70 0a43d963 0a43e963 0a43f963 0a540963
 
kd> !dd 25973000 + 0
#25973000 26130867 26923867 26634867 27a53867   线性地址0xC00000000的PTT
#25973010 27223867 00000000 00000000 246df867
#25973020 00000000 00000000 278e0867 24721867
#25973030 2480e867 26b0f867 284d3867 24b95867
#25973040 24616867 00000000 00000000 00000000
#25973050 00000000 00000000 00000000 00000000
#25973060 00000000 00000000 00000000 00000000
#25973070 00000000 00000000 00000000 00000000
 
kd> !dd 26130000 + 0
#26130000 00000000 00000000 00000000 00000000   线性地址0xC00000000的PTE0对应的物理页，与PTT - 0相等
#26130010 00000000 00000000 00000000 00000000
#26130020 00000000 00000000 00000000 00000000
#26130030 00000000 00000000 00000000 00000000
#26130040 26971867 00000000 00000000 00000000
#26130050 00000000 00000000 00000000 00000000
#26130060 00000000 00000000 00000000 00000000
#26130070 00000000 00000000 00000000 00000000
 
kd> !dd 26923000 + 0
#26923000 262b2867 23c33867 00000080 00000000   线性地址0xC00000000的PTE1对应的物理页，与PTT - 1相等
#26923010 00000000 00000000 00000000 00000000
#26923020 00000000 00000000 00000000 00000000
#26923030 00000000 00000000 00000000 00000000
#26923040 26ee4867 266a5867 265a6867 24927867
#26923050 268e9867 243aa867 2796b867 273e8867
#26923060 00000000 00000000 00000000 00000000
#26923070 00000000 00000000 00000000 00000000

结论：
线性地址0xC0000000指向的物理页与PTT-0是同一个物理页
线性地址0xC0001000指向的物理页与PTT-1是同一个物理页
......
线性地址0xC03FF000指向的物理页与PTT-1023是同一个物理页

线性地址0xC0000000 ~ 0xC03FF000，其大小是1024*4KB = 4M，指向了PTT
线性地址0xC0000000 ~ 0xC03FF000是连续的，但是对应的物理地址不一定连续

PTT的线性地址 = 0xC0000000 + PDI*4KB + PTI*4

2、线性地址：0xC0300000

拆分地址：
1100 0000 00 -> 300*4 = C00
1100 0000 00 -> 300*4 = C00
000

PROCESS 89c26020  SessionId: 0  Cid: 0250    Peb: 7ffd3000  ParentCid: 05b8
    DirBase: 15d0b000  ObjectTable: e29ee660  HandleCount: 167.
    Image: notepad.exe
 
kd> !dd 15d0b000
#15d0b000 16640867 15570867 169c1867 16d20867   通过CR3获得的物理页PDT
#15d0b010 15bb3867 00000000 00000000 16cec867
#15d0b020 00000000 00000000 16b6d867 169ae867
#15d0b030 16edb867 16e9c867 171a0867 17122867
#15d0b040 171a3867 00000000 00000000 00000000
#15d0b050 00000000 00000000 00000000 00000000
#15d0b060 00000000 00000000 00000000 00000000
#15d0b070 00000000 00000000 00000000 00000000   
 
kd> !dd 15d0b000 + c00
#15d0bc00 15d0b863 0068c863 00000000 0a464963   线程地址0xC0300000的PDE
#15d0bc10 0a465963 0a466963 0a467963 0a468963
#15d0bc20 0a469963 0a46a963 0a46b963 0a46c963
#15d0bc30 0a42d963 0a42e963 0a42f963 0a430963
#15d0bc40 0a431963 0a432963 0a433963 0a434963
#15d0bc50 0a435963 0a436963 0a437963 0a438963
#15d0bc60 0a439963 0a43a963 0a43b963 0a43c963
#15d0bc70 0a43d963 0a43e963 0a43f963 0a540963   
 
 
kd> !dd 15d0b000 + c00
#15d0bc00 15d0b863 0068c863 00000000 0a464963   线程地址0xC0300000的PTE  
#15d0bc10 0a465963 0a466963 0a467963 0a468963
#15d0bc20 0a469963 0a46a963 0a46b963 0a46c963
#15d0bc30 0a42d963 0a42e963 0a42f963 0a430963
#15d0bc40 0a431963 0a432963 0a433963 0a434963
#15d0bc50 0a435963 0a436963 0a437963 0a438963
#15d0bc60 0a439963 0a43a963 0a43b963 0a43c963
#15d0bc70 0a43d963 0a43e963 0a43f963 0a540963   
 
kd> !dd 15d0b000 + 0
#15d0b000 16640867 15570867 169c1867 16d20867   线程地址0xC0300000的物理页，与PDT相等
#15d0b010 15bb3867 00000000 00000000 16cec867
#15d0b020 00000000 00000000 16b6d867 169ae867
#15d0b030 16edb867 16e9c867 171a0867 17122867
#15d0b040 171a3867 00000000 00000000 00000000
#15d0b050 00000000 00000000 00000000 00000000
#15d0b060 00000000 00000000 00000000 00000000
#15d0b070 00000000 00000000 00000000 00000000   

结论：
线程地址0xC0300000指向的物理页与PDT是同一个物理页，大小是4KB
PDT的线性地址 = 0xC0300000 + PDI*4

通过这PDT和PTT的线性地址就控制了一个进程的所有物理内存的读写权

[培训]内核驱动高级班，冲击BAT一流互联网大厂工作，每周日13:00-18:00直播授课

#系统底层

收藏・2

点赞・2

打赏

最新回复 (1)
R0g 雪币： 2140 活跃值： (3538) 能力值： ( LV6，RANK：90 ) 在线值：发帖 3 回帖 121 粉丝 55 关注私信	R0g 2 2023-7-31 00:31 2 楼 0 新的上分佬出现了
	游客登录 \| 注册方可回帖　回帖　表情雪币赚取及消费高级回复