• 系统调用——共享区


    学校里的破事终于只剩下考试了,终于有时间接着学了。先复习一下以前学的

    在Windows xp中3环函数API进入0环函数,是有两种方法进入的:1.syscall、2.int

    在正式进行实验时,先介绍一点东西

    _KUSER_SHARED_DATA结构体

    共享区,3环和0环都映射的同一块物理页

    中断门进0环

     

     快速调用进0环

    ReadProcessMemory

    我们可以拿一个API函数ReadProcessMemory来验证一下:

    在kernel32中Alt+T进行搜索函数,找到后查看其代码:

    .text:7C8021D0 ; BOOL __stdcall ReadProcessMemory(HANDLE hProcess, LPCVOID lpBaseAddress, LPVOID lpBuffer, SIZE_T nSize, SIZE_T *lpNumberOfBytesRead)
    .text:7C8021D0                 public ReadProcessMemory
    .text:7C8021D0 ReadProcessMemory proc near             ; CODE XREF: GetProcessVersion+2F12F↓p
    .text:7C8021D0                                         ; GetProcessVersion+2F14E↓p ...
    .text:7C8021D0
    .text:7C8021D0 hProcess        = dword ptr  8
    .text:7C8021D0 lpBaseAddress   = dword ptr  0Ch
    .text:7C8021D0 lpBuffer        = dword ptr  10h
    .text:7C8021D0 nSize           = dword ptr  14h
    .text:7C8021D0 lpNumberOfBytesRead= dword ptr  18h
    .text:7C8021D0
    .text:7C8021D0                 mov     edi, edi
    .text:7C8021D2                 push    ebp
    .text:7C8021D3                 mov     ebp, esp
    .text:7C8021D5                 lea     eax, [ebp+nSize]
    .text:7C8021D8                 push    eax             ; NumberOfBytesRead
    .text:7C8021D9                 push    [ebp+nSize]     ; NumberOfBytesToRead
    .text:7C8021DC                 push    [ebp+lpBuffer]  ; Buffer
    .text:7C8021DF                 push    [ebp+lpBaseAddress] ; BaseAddress
    .text:7C8021E2                 push    [ebp+hProcess]  ; ProcessHandle
    .text:7C8021E5                 call    ds:NtReadVirtualMemory
    .text:7C8021EB                 mov     ecx, [ebp+lpNumberOfBytesRead]
    .text:7C8021EE                 test    ecx, ecx
    .text:7C8021F0                 jnz     short loc_7C8021FD
    .text:7C8021F2
    .text:7C8021F2 loc_7C8021F2:                           ; CODE XREF: ReadProcessMemory+32↓j
    .text:7C8021F2                 test    eax, eax
    .text:7C8021F4                 jl      short loc_7C802204
    .text:7C8021F6                 xor     eax, eax
    .text:7C8021F8                 inc     eax
    .text:7C8021F9
    .text:7C8021F9 loc_7C8021F9:                           ; CODE XREF: ReadProcessMemory+3C↓j
    .text:7C8021F9                 pop     ebp
    .text:7C8021FA                 retn    14h

    查看导入表,得知调用的ntdll文件

    查看ntdll,通过查找,找到ntReadVirtualMemory函数

    很容易发现他通过调用0x7ffe0300,至于这里的eax其实是系统调用号的意思(跟ssdt表)

    .text:7C92D9E0                 public ZwReadVirtualMemory
    .text:7C92D9E0 ZwReadVirtualMemory proc near           ; CODE XREF: LdrFindCreateProcessManifest+1CC↓p
    .text:7C92D9E0                                         ; LdrCreateOutOfProcessImage+7C↓p ...
    .text:7C92D9E0                 mov     eax, 0BAh       ; NtReadVirtualMemory
    .text:7C92D9E5                 mov     edx, 7FFE0300h
    .text:7C92D9EA                 call    dword ptr [edx]
    .text:7C92D9EC                 retn    14h
    .text:7C92D9EC ZwReadVirtualMemory endp

    通过上述的介绍,并查看后,我们可以看到类似如下代码:

    0: kd> dt _KUSER_SHARED_DATA 0x7ffe0000
    ntdll!_KUSER_SHARED_DATA
       +0x000 TickCountLow     : 0x83114
       +0x004 TickCountMultiplier : 0xfa00000
       +0x008 InterruptTime    : _KSYSTEM_TIME
       +0x014 SystemTime       : _KSYSTEM_TIME
       +0x020 TimeZoneBias     : _KSYSTEM_TIME
       +0x02c ImageNumberLow   : 0x14c
       +0x02e ImageNumberHigh  : 0x14c
       +0x030 NtSystemRoot     : [260] 0x43
       +0x238 MaxStackTraceDepth : 0
       +0x23c CryptoExponent   : 0
       +0x240 TimeZoneId       : 0
       +0x244 Reserved2        : [8] 0
       +0x264 NtProductType    : 1 ( NtProductWinNt )
       +0x268 ProductTypeIsValid : 0x1 ''
       +0x26c NtMajorVersion   : 5
       +0x270 NtMinorVersion   : 1
       +0x274 ProcessorFeatures : [64]  ""
       +0x2b4 Reserved1        : 0x7ffeffff
       +0x2b8 Reserved3        : 0x80000000
       +0x2bc TimeSlip         : 0
       +0x2c0 AlternativeArchitecture : 0 ( StandardDesign )
       +0x2c8 SystemExpirationDate : _LARGE_INTEGER 0x0
       +0x2d0 SuiteMask        : 0x110
       +0x2d4 KdDebuggerEnabled : 0x3 ''
       +0x2d5 NXSupportPolicy  : 0x2 ''
       +0x2d8 ActiveConsoleId  : 0
       +0x2dc DismountCount    : 0
       +0x2e0 ComPlusPackage   : 0xffffffff
       +0x2e4 LastSystemRITEventTickCount : 0x7f50a6
       +0x2e8 NumberOfPhysicalPages : 0xbff6a
       +0x2ec SafeBootMode     : 0 ''
       +0x2f0 TraceLogging     : 0
       +0x2f8 TestRetInstruction : 0xc3
       +0x300 SystemCall       : 0x7c92e4f0
       +0x304 SystemCallReturn : 0x7c92e4f4
       +0x308 SystemCallPad    : [3] 0
       +0x320 TickCount        : _KSYSTEM_TIME
       +0x320 TickCountQuad    : 0
       +0x330 Cookie           : 0xe996c383

    查看偏移为0x300的systemcall成员,说明当前我是用的快速调用进入的0环

    0: kd> u 0x7c92e4f0
    ntdll!KiFastSystemCall:
    7c92e4f0 8bd4            mov     edx,esp
    7c92e4f2 0f34            sysenter

    这里有几个点,查看MSR寄存器

     

     如下是快速调用的代码

    0: kd> rdmsr 176
    msr[176] = 00000000`80542520
    0: kd> u 80542520
    ReadVirtual: 80542520 not properly sign extended
    80542520 b923000000      mov     ecx,23h
    80542525 6a30            push    30h
    80542527 0fa1            pop     fs
    80542529 8ed9            mov     ds,cx
    8054252b 8ec1            mov     es,cx
    8054252d 648b0d40000000  mov     ecx,dword ptr fs:[40h]
    80542534 8b6104          mov     esp,dword ptr [ecx+4]
    80542537 6a23            push    23h

     不过我再来看看Int进入0环试试

    0: kd> u KiIntSystemCall
    ntdll!KiIntSystemCall:
    7c92e500 8d542408        lea     edx,[esp+8]
    7c92e504 cd2e            int     2Eh
    7c92e506 c3              ret

     下面就是该int对应的代码区

    0: kd> u 80542451
    80542451 6a00            push    0
    80542453 55              push    ebp
    80542454 53              push    ebx
    80542455 56              push    esi
    80542456 57              push    edi
    80542457 0fa0            push    fs
    80542459 bb30000000      mov     ebx,30h
    8054245e 668ee3          mov     fs,bx
    0: kd> u KiSystemService
    nt!KiSystemService:
    80542451 6a00            push    0
    80542453 55              push    ebp
    80542454 53              push    ebx
    80542455 56              push    esi
    80542456 57              push    edi
    80542457 0fa0            push    fs
    80542459 bb30000000      mov     ebx,30h
    8054245e 668ee3          mov     fs,bx
  • 相关阅读:
    Cesium中的坐标系及转换
    Cesium Workshop
    window.postMessage 跨窗口,跨iframe javascript 通信
    VUE课程参考---7、跑马灯效果
    VUE课程---9、事件绑定v-on
    VUE课程---8、属性绑定v-bind
    VUE课程---7、解决插值表达式闪烁问题
    小谈chrome调试命令:console.log的使用
    Hadoop平台配置总结
    hadoop 关闭进程时报错no 进程 to stop
  • 原文地址:https://www.cnblogs.com/pppyyyzzz/p/14206924.html
Copyright © 2020-2023  润新知