[Repost][Share] Dissecting the core DLL of XP: NTDLL.dll
2005-1-6 15:10 9926

Original author: cyper
Source: http://club.sohu.com/read-os-114021-0-14.html

========================================================

Opening NTDLL.dll, I was surprised to find that many of the basic CRT functions are actually implemented here! Even functions like qsort and ceil, and the notorious strcpy (strictly speaking, that one can only be blamed on careless users). Heap freeing and process management also seem to live here. So I decided to take a careful look at what these 1410 functions do.

When user-mode code calls a system kernel function, it first puts a number called the system call number in EAX and the arguments in the other registers, then raises the INT 2E interrupt. Most applications do not need to do this directly, though: normally they call kernel32.dll and friends, which issue INT 2E on their behalf.

Kernel-mode code does it slightly differently. It normally calls the Zw-prefixed family of functions in NTDLL.dll that are exported by NTOSKRNL.EXE, such as ZwWaitForSingleObject; conversely, when user-level code needs to call into the kernel, it uses INT 2E to call WaitForSingleObject. When calling many functions in bulk, you will clearly notice that the Zw family is much more efficient than the Rtl family.

Unfortunately most of the functions in ntdll.dll are undocumented.
For the functions whose definitions are known, they can be called like this:
1. First load NTDLL.DLL: LoadLibrary(TEXT("NTDLL.dll"))
2. Use GetProcAddress to obtain the function's entry address
3. Call it through the function pointer obtained

They can roughly be divided into several categories.
1 PropertyLengthAsVariant: it is listed first, but I just don't understand what it does.
2 Csr series (configuration status register? Command and Status Register?)
CsrAllocateCaptureBuffer CsrAllocateMessagePointer CsrCaptureMessageBuffer CsrCaptureMessageMultiUnicodeStringsInPlace CsrCaptureMessageString CsrCaptureTimeout CsrClientCallServer CsrClientConnectToServer CsrFreeCaptureBuffer CsrGetProcessId CsrIdentifyAlertableThread CsrNewThread CsrProbeForRead CsrProbeForWrite CsrSetPriorityClass

3 Dbg series: debugging functions
DbgBreakPoint DbgPrint DbgPrintEx DbgPrintReturnControlC DbgPrompt DbgQueryDebugFilterState DbgSetDebugFilterState DbgUiConnectToDbg DbgUiContinue DbgUiConvertStateChangeStructure DbgUiDebugActiveProcess DbgUiGetThreadDebugObject DbgUiIssueRemoteBreakin DbgUiRemoteBreakin DbgUiSetThreadDebugObject DbgUiStopDebugging DbgUiWaitStateChange DbgUserBreakPoint

4 Ki series
KiRaiseUserExceptionDispatcher
KiUserApcDispatcher
KiUserCallbackDispatcher
KiUserExceptionDispatcher

5 Ldr series: Loader APIs, 34 in total

API                                       NTDLL API
LoadResource                              LdrAccessResource
-                                         LdrAlternateResourcesEnabled
DisableThreadLibraryCalls                 LdrDisableThreadCalloutsForDll
-                                         LdrEnumResources
-                                         LdrFindAppCompatVariableInfo
-                                         LdrFindEntryForAddress
EnumResourceTypesW                        LdrFindResourceDirectory_U
FindResourceExA                           LdrFindResource_U
-                                         LdrFlushAlternateResourceModules
-                                         LdrGetAlternateResourceModuleHandle
GetModuleHandleForUnicodeString           LdrGetDllHandle
GetProcAddress                            LdrGetProcedureAddress
-                                         LdrInitializeThunk
LoadLibraryEx (LOAD_LIBRARY_AS_DATAFILE)  LdrLoadAlternateResourceModule
LoadLibrary                               LdrLoadDll
-                                         LdrProcessRelocationBlock
-                                         LdrQueryApplicationCompatibilityGoo
-                                         LdrQueryImageFileExecutionOptions
-                                         LdrQueryProcessModuleInformation
-                                         LdrRelocateImage
ExitProcess                               LdrShutdownProcess
ExitThread                                LdrShutdownThread
-                                         LdrUnloadAlternateResourceModule
FreeLibrary                               LdrUnloadDll
-                                         LdrVerifyImageMatchesChecksum
-                                         LdrVerifyMappedImageMatchesChecksum

6 Nls (National Language Support) series: code page management
NlsAnsiCodePage
NlsMbCodePageTag
NlsMbOemCodePageTag

7 Nt series: 285 in total, most of them the core implementation behind kernel32.dll, user32.dll, etc.

NtCreateFile, NtOpenFile, NtClose, NtWaitForSingleObject are the core implementation of much of the user-level code in kernel32.dll.

NTSTATUS NtClose(HANDLE Handle);
This turns out to be the original form of CloseHandle! The only drawback is that the function has no export library; to call it you must obtain its function pointer with GetProcAddress and call through that.

NtCreateFile can be called the core of the DDK.

RtlUnwind initiates an unwind of procedure call frames.
The core of Structured Exception Handling (SEH).

NTSTATUS NtWaitForSingleObject(HANDLE Handle, BOOLEAN Alertable, PLARGE_INTEGER Timeout);
Waits until the specified object attains a state of signaled.
I imagine signal synchronization and the like are closely tied to it.

8 Pfx series: no idea what these do
PfxFindPrefix
PfxInitialize
PfxInsertPrefix
PfxRemovePrefix

9 RestoreEm87Context SaveEm87Context

10 Rtl series: 506 in total. I'd guess Rtl is short for runtime library. A very large family of functions, containing some very basic ones such as RtlCreateUserProcess, usually called by kernel-mode drivers and the like.
Below is a partial sample.
APIs Forwarded to NTDLL

API                           Destination
DeleteCriticalSection         Forwarded to NTDLL.RtlDeleteCriticalSection
EnterCriticalSection          Forwarded to NTDLL.RtlEnterCriticalSection
HeapAlloc                     Forwarded to NTDLL.RtlAllocateHeap
HeapFree                      Forwarded to NTDLL.RtlFreeHeap
HeapReAlloc                   Forwarded to NTDLL.RtlReAllocateHeap
HeapSize                      Forwarded to NTDLL.RtlSizeHeap
LeaveCriticalSection          Forwarded to NTDLL.RtlLeaveCriticalSection
RtlFillMemory                 Forwarded to NTDLL.RtlFillMemory
RtlMoveMemory                 Forwarded to NTDLL.RtlMoveMemory
RtlUnwind                     Forwarded to NTDLL.RtlUnwind
RtlZeroMemory                 Forwarded to NTDLL.RtlZeroMemory
SetCriticalSectionSpinCount   Forwarded to NTDLL.RtlSetCriticalSectionSpinCount
TryEnterCriticalSection       Forwarded to NTDLL.RtlTryEnterCriticalSection
VerSetConditionMask           Forwarded to NTDLL.VerSetConditionMask

11 VerSetConditionMask: used to confirm system information
The VerSetConditionMask function sets the bits of a 64-bit value to indicate the comparison operator to use for a specified operating system version attribute. This function is used to build the dwlConditionMask parameter of the VerifyVersionInfo function.

12 Zw series: 284 in total. As mentioned earlier, they provide the kernel-mode entry points for the executive system services, implemented by NTOSKRNL.EXE. Because they run in kernel mode, no check is made at execution time of whether the user has permission to execute them.
13 Internal functions: 116 in total. Exact purpose unknown, very low-level stuff. I couldn't find any related material at all, nor any information about them.
_CIcos _CIlog _CIpow _CIsin _CIsqrt __eCommonExceptions __eEmulatorInit __eF2XM1 __eFABS __eFADD32 __eFADD64 __eFADDPreg __eFADDreg __eFADDtop __eFCHS __eFCOM __eFCOM32 __eFCOM64 __eFCOMP __eFCOMP32 __eFCOMP64 __eFCOMPP __eFCOS __eFDECSTP __eFDIV32 __eFDIV64 __eFDIVPreg __eFDIVR32 __eFDIVR64 __eFDIVRPreg __eFDIVRreg __eFDIVRtop __eFDIVreg __eFDIVtop __eFFREE __eFIADD16 __eFIADD32 __eFICOM16 __eFICOM32 __eFICOMP16 __eFICOMP32 __eFIDIV16 __eFIDIV32 __eFIDIVR16 __eFIDIVR32 __eFILD16 __eFILD32 __eFILD64 __eFIMUL16 __eFIMUL32 __eFINCSTP __eFINIT __eFIST16 __eFIST32 __eFISTP16 __eFISTP32 __eFISTP64 __eFISUB16 __eFISUB32 __eFISUBR16 __eFISUBR32 __eFLD1 __eFLD32 __eFLD64 __eFLD80 __eFLDCW __eFLDENV __eFLDL2E __eFLDLN2 __eFLDPI __eFLDZ __eFMUL32 __eFMUL64 __eFMULPreg __eFMULreg __eFMULtop __eFPATAN __eFPREM __eFPREM1 __eFPTAN __eFRNDINT __eFRSTOR __eFSAVE __eFSCALE __eFSIN __eFSQRT __eFST __eFST32 __eFST64 __eFSTCW __eFSTENV __eFSTP __eFSTP32 __eFSTP64 __eFSTP80 __eFSTSW __eFSUB32 __eFSUB64 __eFSUBPreg __eFSUBR32 __eFSUBR64 __eFSUBRPreg __eFSUBRreg __eFSUBRtop __eFSUBreg __eFSUBtop __eFTST __eFUCOM __eFUCOMP __eFUCOMPP __eFXAM __eFXCH __eFXTRACT __eFYL2X __eFYL2XP1 __eGetStatusWord

14 Some basic CRT functions: 131 in total, mainly string handling plus some basic math functions
__isascii __iscsym __iscsymf __toascii _alldiv _alldvrm _allmul _alloca_probe _allrem _allshl _allshr _atoi64 _aulldiv _aulldvrm _aullrem _aullshr _chkstk _fltused _ftol _i64toa _i64tow _itoa _itow _lfind _ltoa _ltow _memccpy _memicmp _snprintf _snwprintf _splitpath _strcmpi _stricmp _strlwr _strnicmp _strupr _tolower _toupper _ui64toa _ui64tow _ultoa _ultow _vsnprintf _vsnwprintf _wcsicmp _wcslwr _wcsnicmp _wcsupr _wtoi _wtoi64 _wtol abs atan atoi atol bsearch ceil cos fabs floor isalnum isalpha iscntrl isdigit isgraph islower isprint ispunct isspace isupper iswalpha iswctype iswdigit iswlower iswspace iswxdigit isxdigit labs log mbstowcs memchr memcmp memcpy memmove memset pow qsort sin sprintf sqrt sscanf strcat strchr strcmp strcpy strcspn strlen strncat strncmp strncpy strpbrk strrchr strspn strstr strtol strtoul swprintf tan tolower toupper towlower towupper vDbgPrintEx vDbgPrintExWithPrefix vsprintf wcscat wcschr wcscmp wcscpy wcscspn wcslen wcsncat wcsncmp wcsncpy wcspbrk wcsrchr wcsspn wcsstr wcstol wcstombs wcstoul
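Item 11 above quotes the documentation for VerSetConditionMask: it packs a comparison operator for each version attribute into one 64-bit value that VerifyVersionInfo later consumes. As an added example (my own code, not ntdll's implementation and not part of the reposted article), here is a portable reimplementation of that packing using the public winnt.h constants and the documented three-bits-per-attribute layout, plus a decoder and an evaluator, so the mask can be built and inspected without Windows headers. The function `demo_is_xp_sp1_or_later` and its independent per-attribute evaluation are my simplification: the real VerifyVersionInfo evaluates major/minor/service-pack hierarchically.

```c
/* Added example: portable reimplementation of the VerSetConditionMask bit
 * layout. Constants are the public winnt.h values; the code is mine, not
 * ntdll's. Each attribute bit i of dwTypeBitMask owns bits [3*i, 3*i+2] of the
 * 64-bit condition mask, where the 3-bit field holds the comparison operator. */
#include <stdint.h>
#include <stdio.h>

/* dwTypeBitMask attribute bits (winnt.h) */
#define VER_MINORVERSION      0x0000001
#define VER_MAJORVERSION      0x0000002
#define VER_BUILDNUMBER       0x0000004
#define VER_PLATFORMID        0x0000008
#define VER_SERVICEPACKMINOR  0x0000010
#define VER_SERVICEPACKMAJOR  0x0000020
#define VER_SUITENAME         0x0000040
#define VER_PRODUCT_TYPE      0x0000080

/* comparison operators (winnt.h) */
#define VER_EQUAL             1
#define VER_GREATER           2
#define VER_GREATER_EQUAL     3
#define VER_LESS              4
#define VER_LESS_EQUAL        5
#define VER_AND               6   /* suite mask: all required bits present */
#define VER_OR                7   /* suite mask: any required bit present  */

#define VER_NUM_BITS_PER_CONDITION_MASK 3
#define VER_CONDITION_MASK              7

/* Equivalent of VerSetConditionMask: OR the 3-bit operator into the field of
 * every attribute bit set in type_mask. An empty type mask or a zero operator
 * leaves the mask unchanged. */
uint64_t ver_set_condition_mask(uint64_t mask, uint32_t type_mask, uint8_t cond)
{
    cond &= VER_CONDITION_MASK;
    if (type_mask == 0 || cond == 0)
        return mask;
    for (int i = 0; i < 8; i++) {
        if (type_mask & (1u << i))
            mask |= (uint64_t)cond << (i * VER_NUM_BITS_PER_CONDITION_MASK);
    }
    return mask;
}

/* Decoder: the operator stored for one attribute bit, 0 if none was set. */
uint8_t ver_get_condition(uint64_t mask, uint32_t type_bit)
{
    for (int i = 0; i < 8; i++) {
        if (type_bit == (1u << i))
            return (uint8_t)((mask >> (i * VER_NUM_BITS_PER_CONDITION_MASK)) & VER_CONDITION_MASK);
    }
    return 0;
}

/* Evaluate one attribute under its operator; returns 1 when the test holds. */
int ver_compare(uint32_t actual, uint32_t required, uint8_t cond)
{
    switch (cond) {
    case VER_EQUAL:         return actual == required;
    case VER_GREATER:       return actual >  required;
    case VER_GREATER_EQUAL: return actual >= required;
    case VER_LESS:          return actual <  required;
    case VER_LESS_EQUAL:    return actual <= required;
    case VER_AND:           return (actual & required) == required;
    case VER_OR:            return (actual & required) != 0;
    default:                return 0;
    }
}

/* Demo (simplified, attributes checked independently): build the mask a caller
 * would hand to VerifyVersionInfo for "5.1 SP1 or later" and evaluate it
 * against constructed version numbers. */
int demo_is_xp_sp1_or_later(uint32_t major, uint32_t minor, uint32_t sp_major)
{
    uint64_t m = 0;
    m = ver_set_condition_mask(m, VER_MAJORVERSION, VER_GREATER_EQUAL);
    m = ver_set_condition_mask(m, VER_MINORVERSION, VER_GREATER_EQUAL);
    m = ver_set_condition_mask(m, VER_SERVICEPACKMAJOR, VER_GREATER_EQUAL);
    return ver_compare(major, 5, ver_get_condition(m, VER_MAJORVERSION))
        && ver_compare(minor, 1, ver_get_condition(m, VER_MINORVERSION))
        && ver_compare(sp_major, 1, ver_get_condition(m, VER_SERVICEPACKMAJOR));
}

int main(void)
{
    uint64_t m = ver_set_condition_mask(0, VER_MAJORVERSION, VER_GREATER_EQUAL);
    printf("mask after MAJORVERSION >= : 0x%llx\n", (unsigned long long)m);
    printf("5.1 SP1 passes XP SP1 check: %d\n", demo_is_xp_sp1_or_later(5, 1, 1));
    return 0;
}
```

The decoder is the useful half when auditing: given a mask captured from a call, `ver_get_condition` tells you which operator the caller attached to each attribute, and a field that reads 0 means the attribute is not being tested at all.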


Latest replies (5)
great1234 2005-1-6 15:11 #2
Notes on the use of the loader lock in Windows XP (SP1)

_LdrpInitialize@12 (2 references to LdrpLoaderLock)
    Description - Acquires the loader lock via RtlTryEnterCriticalSection or,
        if the loader lock is not yet initialized, RtlEnterCriticalSection.

_LdrpInitializeProcess@20 (3 references to LdrpLoaderLock)
    Description - Adds the loader lock to the critical section list.
    Internal NTDLL references to LdrpInitializeProcess
        LdrpInitialize

LdrShutdownProcess (73) (1 reference to LdrpLoaderLock)
    Description - Acquires the loader lock via RtlEnterCriticalSection if the
        process is not already shutting down.
    External references to LdrShutdownProcess
        KERNEL32.DLL
            ExitProcess

LdrShutdownThread (74) (1 reference to LdrpLoaderLock)
    Description - Acquires the loader lock via RtlEnterCriticalSection.
    External references to LdrShutdownThread
        KERNEL32.DLL
            ExitThread

_LdrpForkProcess@0 (3 references to LdrpLoaderLock)
    Description - Updates the loader lock by adding the FastPebLock after it to
        the critical section list.
    Internal NTDLL references to LdrpForkProcess
        LdrpInitialize

LdrLockLoaderLock (67) (2 references to LdrpLoaderLock)
    3 parameters
    Internal NTDLL references to LdrLockLoaderLock
        LdrAddRefDll
            External references
                KERNEL32.DLL
                    BasepGetModuleHandleEx
        LdrDisableThreadCalloutsForDll
            External references
                KERNEL32.DLL
                    DisableThreadLibraryCalls
                SFCFILES.DLL
        LdrEnumerateLoadedModules
            External references
                KERNEL32.DLL
                    LoadLibraryExW
        LdrFlushAlternateResourceModules
            External references
                USER32.DLL
                WINSRV.DLL
        LdrGetDllHandleEx (via LdrGetDllHandle)
                KERNEL32.DLL
                    LoadLibraryExW
                    BasepGetModuleHandleEx
        LdrInitShimEngineDynamic
            External references
                SHIMENG.DLL
        LdrLoadAlternateResourceModule
            External references
                KERNEL32.DLL
                    LoadLibraryExW
        LdrLoadDll - no corresponding call, buried in internal routine
            External references
                KERNEL32.DLL
                    LoadLibraryExW
                    SetConsolePalette
                    CreateProcessInternalW
                LSASRV.DLL
                SAMSRV.DLL
                SFC_OS.DLL
                SHIMENG.DLL
                SMSS.EXE
                VERIFIER.DLL
        LdrSetAppCompatDllRedirectionCallback
        LdrUnloadAlternateResourceModule
            External references
                KERNEL32.DLL
                    FreeLibrary
        RtlPcToFileHeader
            External references
                KERNEL32.DLL
                    BasepGetModuleHandleEx
                USER32.DLL
                WOW32.DLL
        RtlQueryInformationActivationContext
        RtlQueryInformationActivationContext
            External references
                KERNEL32.DLL
                    CreateRemoteThread
                    QueryActCtx
                    QueueUserAPC
    External references to LdrLockLoaderLock
        FAULTREP.DLL
        KERNEL32.DLL
            BasepGetModuleHandleExW
            GetModuleFileNameW
            UnhandledExceptionFilter
        MSCTF.DLL

LdrUnlockLoaderLock (77) (2 references to LdrpLoaderLock)
    2 parameters
    Internal NTDLL references to LdrUnlockLoaderLock
        (For external references see LdrLockLoaderLock)
        LdrAddRefDll
        LdrDisableThreadCalloutsForDll
        LdrEnumerateLoadedModules
        LdrFlushAlternateResourceModules
        LdrGetDllHandleEx
        LdrInitShimEngineDynamic
        LdrLoadAlternateResourceModule
        LdrLoadDll
        LdrSetAppCompatDllRedirectionCallback
        LdrUnloadAlternateResourceModule
        RtlPcToFileHeader
        RtlQueryInformationActivationContext - 2 LdrLockLoaderLock calls
    External references to LdrUnlockLoaderLock
        FAULTREP.DLL
        KERNEL32.DLL
            BasepGetModuleHandleExW
            GetModuleFileNameW
            UnhandledExceptionFilter
        MSCTF.DLL

_LdrpLoadDll@24 (1 reference to LdrpLoaderLock)
    Description - Acquires the loader lock via RtlEnterCriticalSection if the process
        is not in loader initialization.
    Internal NTDLL references to LdrpLoadDll
        LdrLoadDll
        LdrpInitializeProcess
        LdrpLoadShimEngine
        LdrpSnapThunk

LdrUnloadDll (76) (1 reference to LdrpLoaderLock)
    Description - Acquires the loader lock via RtlEnterCriticalSection if the process
        is not in loader initialization.
    Internal NTDLL references to LdrUnloadDll
        PropertyLengthAsVariant
        RtlConvertPropertyToVariant
        RtlConvertVariantToProperty
        ImportTablepHashCanonicalLists
        LdrpCodeAuthzCheckDllAllowed
        LdrpCorUnloadImage
        LdrpCorValidateImage
        LdrpLoadDll
        LdrpUnloadShimEngine
    External references to LdrUnloadDll
        BASESRV.DLL
        CSRSRV.DLL
        KERNEL32.DLL
            BasepCheckBadapp
            BasepCheckWinSaferRestrictions
            BasepReplaceProcessThreadTokens
            FreeLibrary
            FreeLibraryAndExitThread
        SAMSRV.DLL
        SFC_OS.DLL
        SHIMENG.DLL
        SMSS.EXE
        VERIFIER.DLL

_LdrpGetProcedureAddress@20 (1 reference to LdrpLoaderLock)
    Description - Acquires the loader lock via RtlEnterCriticalSection if the process
        is not in loader initialization.
    Internal NTDLL references to LdrpGetProcedureAddress
        LdrGetProcedureAddress
            Note - This routine is a thin wrapper around GetProcAddress; this means
            *any* call to GetProcAddress acquires the loader lock.
        LdrpCodeAuthzCheckDllAllowed
        LdrpGetShimEngineInterface
        LdrpSnapThunk

_LdrQueryModuleInfoLocalLoaderLock@0 (1 reference to LdrpLoaderLock)
    Description - not referenced internally by NTDLL or externally by system DLLs.
        Acquires the loader lock via RtlEnterCriticalSection if the process is not
        in loader initialization.

RtlCheckForOrphanedCriticalSections (425) (1 reference to LdrpLoaderLock)
    Description - Tests if the current critical section in the critical section
        list-walk is the loader lock.
    External references to RtlCheckForOrphanedCriticalSections
        OLE32.DLL
            CDllHost::STAWorkerLoop
            CRpcThread::WorkerLoop
        VERIFIER.DLL

RtlpNotOwnerCriticalSection (865) (1 reference to LdrpLoaderLock)
    Description - not referenced internally by NTDLL or externally by system DLLs.
        Tests if the 1st input parameter is the loader lock.

RtlpWaitForCriticalSection (873)  (2 references to LdrpLoaderLock)
    Description - tests if the 1st parameter is the loader lock but does not acquire it.
    Internal NTDLL references to RtlpWaitForCriticalSection
        RtlEnterCriticalSection
    External references to RtlpWaitForCriticalSection
        VERIFIER.DLL

_RtlpCheckForCriticalSectionsInMemoryRange@12 (1 reference to LdrpLoaderLock)
    Description - Tests if the current critical section in the critical section
        list-walk is the loader lock.
    Internal NTDLL references to RtlpCheckForCriticalSectionsInMemoryRange
        LdrUnloadDll
        RtlpDebugPageHeapDestroy
        RtlpDebugPageHeapFree@
        RtlpDphNormalHeapFree
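The note in this reply that every GetProcAddress call goes through LdrGetProcedureAddress (and therefore takes the loader lock) raises the question of what that routine actually searches. As an added example, written for this page rather than taken from the thread or from NTDLL, here is a minimal walker of the PE export directory run over a constructed in-memory image: the IMAGE_EXPORT_DIRECTORY field layout and the binary search over the sorted name table are the documented PE format, while the image bytes, the function RVAs, the names and the `SAMPLE_EXPORT_DIR_RVA` constant are made up for the demo. Forwarded exports (a function RVA that points back into the export section) are not handled.

```c
/* Added example: minimal PE export-directory resolver over a constructed image.
 * The struct layout is the documented IMAGE_EXPORT_DIRECTORY; the image
 * contents, RVAs and names are invented for the demo, not a real ntdll.dll. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* IMAGE_EXPORT_DIRECTORY (40 bytes); every address field is an RVA */
struct export_dir {
    uint32_t characteristics, time_date_stamp;
    uint16_t major_version, minor_version;
    uint32_t name;                     /* RVA of the module name string          */
    uint32_t base;                     /* first ordinal number                   */
    uint32_t number_of_functions;      /* entries in the function table          */
    uint32_t number_of_names;          /* entries in the name and ordinal tables */
    uint32_t address_of_functions;     /* RVA -> uint32_t[] function RVAs        */
    uint32_t address_of_names;         /* RVA -> uint32_t[] name RVAs, sorted    */
    uint32_t address_of_name_ordinals; /* RVA -> uint16_t[] index into functions */
};

#define SAMPLE_EXPORT_DIR_RVA 0x10  /* constructed; real code reads this from the data directory */
#define SAMPLE_IMAGE_SIZE     0x100
static uint8_t g_image[SAMPLE_IMAGE_SIZE];

/* memcpy accessors avoid unaligned reads; writer and reader share host byte order */
static uint32_t get32(const uint8_t *b, uint32_t rva) { uint32_t v; memcpy(&v, b + rva, 4); return v; }
static uint16_t get16(const uint8_t *b, uint32_t rva) { uint16_t v; memcpy(&v, b + rva, 2); return v; }
static void put32(uint32_t rva, uint32_t v) { memcpy(g_image + rva, &v, 4); }
static void put16(uint32_t rva, uint16_t v) { memcpy(g_image + rva, &v, 2); }

/* Lay out a toy export table: 4 function slots (slot 2 left empty) and 3 names. */
const uint8_t *build_sample_image(void)
{
    struct export_dir d;
    memset(g_image, 0, sizeof g_image);
    memset(&d, 0, sizeof d);
    d.name = 0x80;
    d.base = 1;
    d.number_of_functions = 4;
    d.number_of_names = 3;
    d.address_of_functions = 0x40;
    d.address_of_names = 0x60;
    d.address_of_name_ordinals = 0x70;
    memcpy(g_image + SAMPLE_EXPORT_DIR_RVA, &d, sizeof d);
    put32(0x40, 0x1000); put32(0x44, 0x1100); put32(0x48, 0); put32(0x4C, 0x1200);
    put32(0x60, 0x90);   put32(0x64, 0xA0);   put32(0x68, 0xB0);  /* names, sorted */
    put16(0x70, 0);      put16(0x72, 1);      put16(0x74, 3);     /* -> function slot */
    strcpy((char *)g_image + 0x80, "ntdll.dll");
    strcpy((char *)g_image + 0x90, "NtClose");
    strcpy((char *)g_image + 0xA0, "NtCreateFile");
    strcpy((char *)g_image + 0xB0, "NtWaitForSingleObject");
    return g_image;
}

/* Resolve by name as the loader does: binary-search the sorted name table, map
 * the hit through the ordinal table to a function slot, return its RVA (0 if absent). */
uint32_t resolve_export_by_name(const uint8_t *base, uint32_t export_dir_rva, const char *name)
{
    struct export_dir d;
    memcpy(&d, base + export_dir_rva, sizeof d);
    int lo = 0, hi = (int)d.number_of_names - 1;
    while (lo <= hi) {
        int mid = lo + (hi - lo) / 2;
        const char *cand = (const char *)(base + get32(base, d.address_of_names + 4u * mid));
        int c = strcmp(name, cand);
        if (c == 0) {
            uint16_t idx = get16(base, d.address_of_name_ordinals + 2u * mid);
            if (idx >= d.number_of_functions)
                return 0;                      /* corrupt table: refuse rather than read past it */
            return get32(base, d.address_of_functions + 4u * idx);
        }
        if (c < 0) hi = mid - 1; else lo = mid + 1;
    }
    return 0;
}

/* Resolve by ordinal: subtract the ordinal base and index the function table. */
uint32_t resolve_export_by_ordinal(const uint8_t *base, uint32_t export_dir_rva, uint32_t ordinal)
{
    struct export_dir d;
    memcpy(&d, base + export_dir_rva, sizeof d);
    if (ordinal < d.base || ordinal - d.base >= d.number_of_functions)
        return 0;
    return get32(base, d.address_of_functions + 4u * (ordinal - d.base));
}

int main(void)
{
    const uint8_t *img = build_sample_image();
    printf("NtClose   -> RVA 0x%x\n", (unsigned)resolve_export_by_name(img, SAMPLE_EXPORT_DIR_RVA, "NtClose"));
    printf("ordinal 4 -> RVA 0x%x\n", (unsigned)resolve_export_by_ordinal(img, SAMPLE_EXPORT_DIR_RVA, 4));
    return 0;
}
```

Two details matter when reading real tables: the name table is only searchable by binary search because the linker sorts it, and an empty function slot (ordinal 3 here) is a valid layout that a resolver must report as absent rather than as RVA 0 code.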
jdpack 1 2005-1-6 15:13 #3
When reposting, could you show a bit of professionalism???
Original author: cyper
Source: http://club.sohu.com/read-os-114021-0-14.html
great1234 2005-1-6 15:22 #4
Oh, so I should put the word [Repost] on it? Doesn't matter, I just wanted everyone to share it. You're not going to ask me for royalties, are you?
firstrose 16 2005-1-6 16:32 #5
You saw it too? To be honest, he is already planning to rewrite it.
pendan2001 4 2005-1-6 16:36 #6
Support original work!!!