备注:
有道小练习题,检测是否理解。
专业吹水。小水一篇。思路,思路,思路。
流程分析:
主要代码逆向:
练习题:
Nt!KiPageFault+0x422->nt!KiExceptionDispatch+0xc2->nt!KiDispatchException+0x450
Nt!KiPageFault+0x422->nt!KiExceptionDispatch+0xc2->nt!KiDispatchException+0x450
关键流程处理
Nt!KiPageFault:
fffff800`03eafd48 b904000010 mov ecx,10000004h ;**开始处理STATUS_ACCESS_VIOLATION
fffff800`03eafd4d 4c8b5550 mov r10,qword ptr [rbp+50h] ;
fffff800`03eafd51 4c0fb64daa movzx r9,byte ptr [rbp-56h] ;rsp = rbp-50-30 是_KTRAP_FRAME
fffff800`03eafd56 4c8b85e8000000 mov r8,qword ptr [rbp+0E8h] ;产生异常的代码地址
fffff800`03eafd5d e81e220000 call nt!KiExceptionDispatch (fffff800`03eb1f80) 调用异常分发
nt!KiExceptionDispatch+0xc2
fffff800`03eb2005 8908 mov dword ptr [rax],ecx ;赋值_KEXCEPTION_FRAME->Return
fffff800`03eb2007 33c9 xor ecx,ecx
fffff800`03eb2009 894804 mov dword ptr [rax+4],ecx ;填充_EXCEPTION_RECORD 待商榷
fffff800`03eb200c 48894808 mov qword ptr [rax+8],rcx
fffff800`03eb2010 4c894010 mov qword ptr [rax+10h],r8
fffff800`03eb2014 895018 mov dword ptr [rax+18h],edx
fffff800`03eb2017 4c894820 mov qword ptr [rax+20h],r9
fffff800`03eb201b 4c895028 mov qword ptr [rax+28h],r10
fffff800`03eb201f 4c895830 mov qword ptr [rax+30h],r11
fffff800`03eb2023 448a8df0000000 mov r9b,byte ptr [rbp+0F0h]
fffff800`03eb202a 4180e101 and r9b,1 ;ExceptionAddress 地址。
fffff800`03eb202e c644242001 mov byte ptr [rsp+20h],1
fffff800`03eb2033 4c8d4580 lea r8,[rbp-80h] ;第三个参数为 _KTRAP_FRAME
fffff800`03eb2037 488bd4 mov rdx,rsp ;第二个参数可能为_KEXCEPTION_FRAME
fffff800`03eb203a 488bc8 mov rcx,rax ;第一个参数可能为:_EXCEPTION_RECORD
fffff800`03eb203d e8de880d00 call nt!KiDispatchException (fffff800`03f8a920);分发异常,
fffff800`03eb2042 488d8c2400010000 lea rcx,[rsp+100h] ;恢复寄存器从_KEXCEPTION_FRAME结构
......
//恢复异常发生时的寄存器
fffff800`03eb21b0 0fae55ac ldmxcsr dword ptr [rbp-54h]
fffff800`03eb21b4 0f2845f0 movaps xmm0,xmmword ptr [rbp-10h] rbp=_KTRAP_FRAME->Xmm1[+0x080]
fffff800`03eb21b8 0f284d00 movaps xmm1,xmmword ptr [rbp]
fffff800`03eb21bc 0f285510 movaps xmm2,xmmword ptr [rbp+10h]
fffff800`03eb21c0 0f285d20 movaps xmm3,xmmword ptr [rbp+20h]
fffff800`03eb21c4 0f286530 movaps xmm4,xmmword ptr [rbp+30h]
fffff800`03eb21c8 0f286d40 movaps xmm5,xmmword ptr [rbp+40h]
fffff800`03eb21cc 4c8b5de0 mov r11,qword ptr [rbp-20h]
fffff800`03eb21d0 4c8b55d8 mov r10,qword ptr [rbp-28h]
fffff800`03eb21d4 4c8b4dd0 mov r9,qword ptr [rbp-30h]
fffff800`03eb21d8 4c8b45c8 mov r8,qword ptr [rbp-38h]
fffff800`03eb21dc 488b55c0 mov rdx,qword ptr [rbp-40h]
fffff800`03eb21e0 488b4db8 mov rcx,qword ptr [rbp-48h]
fffff800`03eb21e4 488b45b0 mov rax,qword ptr [rbp-50h]
fffff800`03eb21e8 488be5 mov rsp,rbp ;rbp=_KTRP_FRAME_->Xmm1[+0x080]
fffff800`03eb21eb 488badd8000000 mov rbp,qword ptr [rbp+0D8h]
fffff800`03eb21f2 4881c4e8000000 add rsp,0E8h ;rsp 指向的内存: _KTRAP_FRAME->Rip[0x168= 0x080+0E8h]
fffff800`03eb21f9 48cf iretq ;返回到发生异常的位置
fffff800`03eb21fb 0f1f440000 nop dword ptr [rax+rax]
nt!KiDispatchException
fffff800`03f8ad22 4c897118 mov qword ptr [rcx+18h],r14 ;开始填充应用层用到的处理异常事件结构。
fffff800`03f8ad26 488b86f8000000 mov rax,qword ptr [rsi+0F8h]
fffff800`03f8ad2d 488901 mov qword ptr [rcx],rax
fffff800`03f8ad30 488bd3 mov rdx,rbx
fffff800`03f8ad33 488b4d58 mov rcx,qword ptr [rbp+58h];参数一:nt!_EXCEPTION_RECORD64
fffff800`03f8ad37 e83c0df1ff call nt!KeCopyExceptionRecord (fffff800`03e9ba78);
fffff800`03f8ad3c 488364242800 and qword ptr [rsp+28h],0
fffff800`03f8ad42 488b4510 mov rax,qword ptr [rbp+10h]
fffff800`03f8ad46 4889442420 mov qword ptr [rsp+20h],rax
fffff800`03f8ad4b 458bcd mov r9d,r13d
fffff800`03f8ad4e 4c8d4530 lea r8,[rbp+30h]
fffff800`03f8ad52 488b5d68 mov rbx,qword ptr [rbp+68h]
fffff800`03f8ad56 488bd3 mov rdx,rbx
fffff800`03f8ad59 b101 mov cl,1
fffff800`03f8ad5b e8285aedff call nt!RtlpCopyExtendedContext (fffff800`03e60788)
fffff800`03f8ad60 894518 mov dword ptr [rbp+18h],eax
fffff800`03f8ad63 488bcb mov rcx,rbx
fffff800`03f8ad66 488d5530 lea rdx,[rbp+30h]
fffff800`03f8ad6a 41b818000000 mov r8d,18h
fffff800`03f8ad70 e81b6df0ff call nt!memmove (fffff800`03e91a90)
fffff800`03f8ad75 4d89bc2480010000 mov qword ptr [r12+180h],r15 ; 因为上面将发生Exception时的运行状态保存在应用层栈中
fffff800`03f8ad7d fa cli ; 因此改变了RSP值 _KTRAP_FRAME->Rsp
fffff800`03f8ad7e b833000000 mov eax,33h
fffff800`03f8ad83 664189842470010000 mov word ptr [r12+170h],ax
fffff800`03f8ad8c 488b05652a1200 mov rax,qword ptr [nt!KeUserExceptionDispatcher (fffff800`040ad7f8)];此全局变量保存了用户层处理异常事件的地址(ntdll!KiUserExceptionDispatch)
fffff800`03f8ad93 4989842468010000 mov qword ptr [r12+168h],rax ;会返回到此地址进一步处理异常事件。
fffff800`03f8ad9b 65488b042588010000 mov rax,qword ptr gs:[188h] ;目前猜测IRETQ指令做返回到应用层工作。(intel 3C 文档 或者https://http://www.felixcloutier.com/x86/iret:iretd:iretq)
fffff800`03f8ada4 488b4870 mov rcx,qword ptr [rax+70h] ;只要改变[r12+168h]:RIP的值就能改变异常处理流程。此时必须[r12+180h]:RSP值因为此值已经不同于应用层发生异常事件时的值。
fffff800`03f8ada8 488b9100010000 mov rdx,qword ptr [rcx+100h]
fffff800`03f8adaf 4885d2 test rdx,rdx
fffff800`03f8adb2 7415 je nt!KiDispatchException+0x4a9 (fffff800`03f8adc9)
fffff800`03f8adb4 498b842468010000 mov rax,qword ptr [r12+168h]
fffff800`03f8adbc 4989442458 mov qword ptr [r12+58h],rax
fffff800`03f8adc1 4989942468010000 mov qword ptr [r12+168h],rdx
关键流程处理
Nt!KiPageFault:
fffff800`03eafd48 b904000010 mov ecx,10000004h ;**开始处理STATUS_ACCESS_VIOLATION
fffff800`03eafd4d 4c8b5550 mov r10,qword ptr [rbp+50h] ;
fffff800`03eafd51 4c0fb64daa movzx r9,byte ptr [rbp-56h] ;rsp = rbp-50-30 是_KTRAP_FRAME
fffff800`03eafd56 4c8b85e8000000 mov r8,qword ptr [rbp+0E8h] ;产生异常的代码地址
fffff800`03eafd5d e81e220000 call nt!KiExceptionDispatch (fffff800`03eb1f80) 调用异常分发
nt!KiExceptionDispatch+0xc2
fffff800`03eb2005 8908 mov dword ptr [rax],ecx ;赋值_KEXCEPTION_FRAME->Return
fffff800`03eb2007 33c9 xor ecx,ecx
fffff800`03eb2009 894804 mov dword ptr [rax+4],ecx ;填充_EXCEPTION_RECORD 待商榷
fffff800`03eb200c 48894808 mov qword ptr [rax+8],rcx
fffff800`03eb2010 4c894010 mov qword ptr [rax+10h],r8
fffff800`03eb2014 895018 mov dword ptr [rax+18h],edx
fffff800`03eb2017 4c894820 mov qword ptr [rax+20h],r9
fffff800`03eb201b 4c895028 mov qword ptr [rax+28h],r10
fffff800`03eb201f 4c895830 mov qword ptr [rax+30h],r11
fffff800`03eb2023 448a8df0000000 mov r9b,byte ptr [rbp+0F0h]
fffff800`03eb202a 4180e101 and r9b,1 ;ExceptionAddress 地址。
fffff800`03eb202e c644242001 mov byte ptr [rsp+20h],1
fffff800`03eb2033 4c8d4580 lea r8,[rbp-80h] ;第三个参数为 _KTRAP_FRAME
fffff800`03eb2037 488bd4 mov rdx,rsp ;第二个参数可能为_KEXCEPTION_FRAME
fffff800`03eb203a 488bc8 mov rcx,rax ;第一个参数可能为:_EXCEPTION_RECORD
fffff800`03eb203d e8de880d00 call nt!KiDispatchException (fffff800`03f8a920);分发异常,
fffff800`03eb2042 488d8c2400010000 lea rcx,[rsp+100h] ;恢复寄存器从_KEXCEPTION_FRAME结构
......
//恢复异常发生时的寄存器
fffff800`03eb21b0 0fae55ac ldmxcsr dword ptr [rbp-54h]
fffff800`03eb21b4 0f2845f0 movaps xmm0,xmmword ptr [rbp-10h] rbp=_KTRAP_FRAME->Xmm1[+0x080]
fffff800`03eb21b8 0f284d00 movaps xmm1,xmmword ptr [rbp]
fffff800`03eb21bc 0f285510 movaps xmm2,xmmword ptr [rbp+10h]
fffff800`03eb21c0 0f285d20 movaps xmm3,xmmword ptr [rbp+20h]
fffff800`03eb21c4 0f286530 movaps xmm4,xmmword ptr [rbp+30h]
fffff800`03eb21c8 0f286d40 movaps xmm5,xmmword ptr [rbp+40h]
fffff800`03eb21cc 4c8b5de0 mov r11,qword ptr [rbp-20h]
fffff800`03eb21d0 4c8b55d8 mov r10,qword ptr [rbp-28h]
fffff800`03eb21d4 4c8b4dd0 mov r9,qword ptr [rbp-30h]
fffff800`03eb21d8 4c8b45c8 mov r8,qword ptr [rbp-38h]
fffff800`03eb21dc 488b55c0 mov rdx,qword ptr [rbp-40h]
fffff800`03eb21e0 488b4db8 mov rcx,qword ptr [rbp-48h]
fffff800`03eb21e4 488b45b0 mov rax,qword ptr [rbp-50h]
fffff800`03eb21e8 488be5 mov rsp,rbp ;rbp=_KTRP_FRAME_->Xmm1[+0x080]
fffff800`03eb21eb 488badd8000000 mov rbp,qword ptr [rbp+0D8h]
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
最后于 2024-12-23 10:16
被NoHeart编辑
,原因:
