Reply #2 (LV12, RANK:300)
EnumWindows->win32k!NtUserBuildHwndList
It can be hooked through the SSDT Shadow.
You said you can't trace it, so I'll trace it and show you:
lkd> uf user32!EnumWindows
USER32!EnumWindows:
77d2a5ae 8bff mov edi,edi
77d2a5b0 55 push ebp
77d2a5b1 8bec mov ebp,esp
77d2a5b3 33c0 xor eax,eax
77d2a5b5 50 push eax
77d2a5b6 50 push eax
77d2a5b7 ff750c push dword ptr [ebp+0Ch]
77d2a5ba ff7508 push dword ptr [ebp+8]
77d2a5bd 50 push eax
77d2a5be 50 push eax
77d2a5bf e8d0feffff call USER32!InternalEnumWindows (77d2a494)
77d2a5c4 5d pop ebp
77d2a5c5 c20800 ret 8
This gives EnumWindows->InternalEnumWindows
USER32!InternalEnumWindows:
77d2a494 8bff mov edi,edi
77d2a496 55 push ebp
77d2a497 8bec mov ebp,esp
77d2a499 51 push ecx
77d2a49a 57 push edi
77d2a49b 8d451c lea eax,[ebp+1Ch]
77d2a49e 50 push eax
77d2a49f ff7518 push dword ptr [ebp+18h]
77d2a4a2 c745fc01000000 mov dword ptr [ebp-4],1
77d2a4a9 ff751c push dword ptr [ebp+1Ch]
77d2a4ac ff750c push dword ptr [ebp+0Ch]
77d2a4af ff7508 push dword ptr [ebp+8]
77d2a4b2 e865000000 call USER32!BuildHwndList (77d2a51c)
77d2a4b7 8bf8 mov edi,eax
77d2a4b9 83ffff cmp edi,0FFFFFFFFh
........
As you can see, InternalEnumWindows->BuildHwndList
USER32!BuildHwndList:
77d2a51c 8bff mov edi,edi
77d2a51e 55 push ebp
77d2a51f 8bec mov ebp,esp
77d2a521 51 push ecx
77d2a522 51 push ecx
77d2a523 56 push esi
77d2a524 57 push edi
77d2a525 33f6 xor esi,esi
77d2a527 56 push esi
77d2a528 685412d777 push offset USER32!phwndCache (77d71254)
77d2a52d c745fc40000000 mov dword ptr [ebp-4],40h
77d2a534 ff157c13d177 call dword ptr [USER32!_imp__InterlockedExchange (77d1137c)]
77d2a53a 8bf8 mov edi,eax
77d2a53c 3bfe cmp edi,esi
77d2a53e 0f841e300000 je USER32!BuildHwndList+0x24 (77d2d562)
USER32!BuildHwndList+0x45:
77d2a544 53 push ebx
77d2a545 8d45fc lea eax,[ebp-4]
77d2a548 50 push eax
77d2a549 57 push edi
77d2a54a ff75fc push dword ptr [ebp-4]
77d2a54d ff7514 push dword ptr [ebp+14h]
77d2a550 ff7510 push dword ptr [ebp+10h]
77d2a553 ff750c push dword ptr [ebp+0Ch]
77d2a556 ff7508 push dword ptr [ebp+8]
77d2a559 e83c000000 call USER32!NtUserBuildHwndList (77d2a59a)
77d2a55e 8b1da413d177 mov ebx,dword ptr [USER32!_imp__HeapFree (77d113a4)]
77d2a564 8975f8 mov dword ptr [ebp-8],esi
77d2a567 be230000c0 mov esi,0C0000023h
At this point we get BuildHwndList->USER32!NtUserBuildHwndList
USER32!NtUserBuildHwndList enters the kernel and calls the function of the same name in win32k.
Of course, if you want to confirm it all the way down, you can keep following it under Local Kernel Debug:
lkd> uf USER32!NtUserBuildHwndList
USER32!NtUserBuildHwndList:
77d2a59a b838110000 mov eax,1138h
77d2a59f ba0003fe7f mov edx,offset SharedUserData!SystemCallStub (7ffe0300)
77d2a5a4 ff12 call dword ptr [edx]
77d2a5a6 c21c00 ret 1Ch
This enters KeServiceDescriptorTableShadow:
lkd> dd KeServiceDescriptorTableShadow
8055d6c0 80505460 00000000 0000011c 805058d4
8055d6d0 bf99a000 00000000 0000029b bf99ad10
8055d6e0 00000000 00000000 00000000 00000000
8055d6f0 00000000 00000000 00000000 00000000
8055d700 80505460 00000000 0000011c 805058d4
8055d710 00000000 00000000 00000000 00000000
8055d720 00000000 00000000 00000000 00000000
8055d730 00000000 00000000 00000000 00000000
Second table, service number 0x138:
lkd> dd bf99a000+4*138
bf99a4e0 bf835ee5 bf8b3745 bf913328 bf85a549
bf99a4f0 bf836521 bf890fd0 bf836714 bf82864e
bf99a500 bf8f7300 bf8f8ce9 bf801112 bf8010ca
bf99a510 bf8366d4 bf8edc8d bf8acc6e bf8b424f
bf99a520 bf8ccb2b bf88a45b bf8fa602 bf8ee8ba
bf99a530 bf8b3420 bf8b34e2 bf8c14d0 bf8ecdf9
bf99a540 bf90de5b bf8f73a5 bf8b632a bf84b18c
bf99a550 bf893692 bf914b78 bf8edfe8 bf834928
bf835ee5 is the address of the corresponding handler in the driver; let's see what it is:
lkd> ln bf835ee5
(bf835ee5) win32k!NtUserBuildHwndList | (bf836068) win32k!DesktopAlloc
Exact matches:
win32k!NtUserBuildHwndList = <no type information>
So we arrive at win32k!NtUserBuildHwndList
Therefore the call hierarchy is:
USER32!EnumWindows->USER32!InternalEnumWindows->USER32!BuildHwndList->USER32!NtUserBuildHwndList->win32k!NtUserBuildHwndList
Reply #3 (LV5, RANK:60)
Right on the mark, big brother, you're great, you've helped me several times already.
A timid question: how do you determine which kernel function an API will call, by single-stepping down step by step?
Reply #4 (LV12, RANK:300)
I showed you the trace; this call relationship can be seen from static disassembly alone...
Reply #5 (LV5, RANK:60)
Actually I had traced everything you traced, haha, but since I traced it in OD there were no function names, so I couldn't tell... Seeing that you used WinDbg, I tried it too; it's very handy. Thanks again.
Reply #6 (LV12, RANK:210)
77d2a59a b838110000 mov eax,1138h
Why is it 1138 here?
Reply #7 (LV5, RANK:60)
It is 1138, that's right.
For KeServiceDescriptorTableShadow, the service address is obtained as:
*(DWORD*)((0x1138 -0x1000)*0x04 + base);
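The lookup that reply #2 performs by hand with `dd` and that reply #7 writes as a one-line formula can be done mechanically. The following Python script is an added example, not code posted in the thread: it parses the two `dd` dumps from reply #2, splits the service number in EAX into table selector and index, walks the KeServiceDescriptorTableShadow entry to the win32k service table, and then checks whether the resolved handler lies inside the win32k image range, which is how a defender would spot an SSDT-shadow hook. The shadow table address (8055d6c0) and both dumps are taken from reply #2; the win32k image base and size are a constructed placeholder, not values from the thread.

```python
# Added example (not from the thread): resolve a win32k system-service number
# to its handler from WinDbg "dd" output, then check that the handler lives
# inside the win32k image (an SSDT-shadow hook check).
import re

# "dd KeServiceDescriptorTableShadow" rows copied from reply #2 (first two rows:
# entry 0 = ntoskrnl table, entry 1 = win32k table).
SHADOW_DUMP = """\
8055d6c0 80505460 00000000 0000011c 805058d4
8055d6d0 bf99a000 00000000 0000029b bf99ad10
"""

# "dd bf99a000+4*138" rows copied from reply #2.
WIN32K_TABLE_DUMP = """\
bf99a4e0 bf835ee5 bf8b3745 bf913328 bf85a549
bf99a4f0 bf836521 bf890fd0 bf836714 bf82864e
bf99a500 bf8f7300 bf8f8ce9 bf801112 bf8010ca
bf99a510 bf8366d4 bf8edc8d bf8acc6e bf8b424f
"""

SHADOW_TABLE_ADDR = 0x8055D6C0  # address of KeServiceDescriptorTableShadow in reply #2

# Constructed placeholder (base, size) for the loaded win32k.sys image; a real
# check would read it from "lm m win32k" in the same session.
WIN32K_IMAGE = (0xBF800000, 0x1A0000)


def parse_dd(dump: str) -> dict[int, int]:
    """Turn WinDbg 'dd' rows into {address: dword}; each row holds four dwords."""
    memory: dict[int, int] = {}
    for line in dump.splitlines():
        fields = line.split()
        if not fields or not re.fullmatch(r"[0-9a-fA-F]{8}", fields[0]):
            continue
        row_addr = int(fields[0], 16)
        for i, word in enumerate(fields[1:5]):
            memory[row_addr + 4 * i] = int(word, 16)
    return memory


def decode_service_number(eax: int) -> tuple[int, int]:
    """Bits 12-13 of EAX select the descriptor entry, bits 0-11 the slot index."""
    return (eax >> 12) & 0x3, eax & 0xFFF


def read_shadow_entry(shadow: dict[int, int], table: int) -> tuple[int, int]:
    """Each descriptor entry is 16 bytes: ServiceTable, CounterTable,
    ServiceLimit, ArgumentTable. Return (ServiceTable base, ServiceLimit)."""
    entry = SHADOW_TABLE_ADDR + 16 * table
    return shadow[entry], shadow[entry + 8]


def resolve_service(eax: int, shadow_dump: str, table_dump: str) -> tuple[int, int]:
    """Return (slot address, handler address) for the service number in EAX."""
    table, index = decode_service_number(eax)
    base, limit = read_shadow_entry(parse_dd(shadow_dump), table)
    if index >= limit:
        raise ValueError(f"index {index:#x} exceeds ServiceLimit {limit:#x}")
    slot = base + 4 * index            # same as (eax - 0x1000) * 4 + base for table 1
    return slot, parse_dd(table_dump)[slot]


def handler_in_module(addr: int, image: tuple[int, int] = WIN32K_IMAGE) -> bool:
    """True when the handler lies inside the module that should own the table;
    an entry pointing elsewhere is the classic sign of a service-table hook."""
    base, size = image
    return base <= addr < base + size


if __name__ == "__main__":
    slot, handler = resolve_service(0x1138, SHADOW_DUMP, WIN32K_TABLE_DUMP)
    status = "inside win32k" if handler_in_module(handler) else "OUTSIDE win32k (possible hook)"
    print(f"service 0x1138 -> slot {slot:#x} -> handler {handler:#x} ({status})")
```

Run as a script it reports the same result the thread reaches by hand (slot bf99a4e0, handler bf835ee5, which `ln` resolves to win32k!NtUserBuildHwndList); feeding it a later `dd` of the same table lets you diff entries against a clean baseline.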
Reply #8 (LV10, RANK:170)
Brilliant..
Reply #9 (LV5, RANK:60)
These guys' skills are way too IMBA...
Reply #10 (LV3, RANK:20)
What knowledge does it take to trace out what gets called like this? Could the people above give an introduction?
Reply #11 (LV2, RANK:10)
Why does typing uf user32!EnumWindows give me "Couldn't resolve error at 'user32!EnumWindows'"?
The symbol files are loaded.
Reply #12 (LV2, RANK:10)
It works now; it seems I have to .reload every time.
Reply #13 (LV9, RANK:610)
Xiaocong is awesome~
Reply #14 (LV2, RANK:10)
Props to Xuanyuan Xiaocong~~
Reply #15 (LV2, RANK:10)
Boss, why can't I load the user32 symbols? I'm using WinDbg.