The real entry point of a process/thread

I used to think that loading a process was nothing more than creating a block of memory, mapping the program into it, initializing the registers and so on, and finally setting PC to the entry point recorded in the PE header.

Clearly that was a lazy shortcut. Understanding has to be built up step by step; skipping the details and summarizing with false confidence means the material never really sinks in, and it is as if I had learned nothing at all.

This is a complex process that goes from software to the operating system, from the operating system down to the hardware, and back up to software again, even though Windows is closed source.

To analyze how Windows creates a process, we first need to cover a few data structures and the naming conventions used by the Windows APIs.

Windows API naming conventions

Prefix	Description
Alpc	Advanced Local Procedure Calls
Cc	Common Cache
Cm	Configuration manager
Dbg	Kernel debug support
Dbgk	Debugging Framework for user mode
Em	Errata manager
Etw	Event Tracing for Windows
Ex	Executive support routines
FsRtl	File System Runtime Library
Hv	Hive library
Hvl	Hypervisor library
Io	I/O manager
Kd	Kernel debugger
Ke	Kernel
Kse	Kernel Shim Engine
Lsa	Local Security Authority
Mm	Memory manager
Nt	NT system services (accessible from user mode through system calls)
Ob	Object manager
Pf	Prefetcher
Po	Power manager
PoFx	Power framework
Pp	PnP manager
Ppm	Processor power manager
Ps	Process support
Rtl	Run time library
Se	Security Reference Monitor
Sm	Store Manager
Tm	Transaction manager
Ttm	Terminal timeout manager
Vf	Driver Verifier
Vsl	Virtual Secure Mode library
Wdi	Windows Diagnostic Infrastructure
Wfp	Windows FingerPrint
Whea	Windows Hardware Error Architecture
Wmi	Windows Management Instrumentation
Zw	Mirror entry point for system services (beginning with Nt) that sets previous access mode to kernel, which eliminates parameter validation, because Nt system services validate parameters only if previous access mode is user.

Starting the analysis at ntdll!RtlUserThreadStart

ntdll!RtlUserThreadStart (ntdll version 10.0.22000.527)

ntdll!RtlUserThreadStart:
4883ec78             sub     rsp, 78h
4c8bc9               mov     r9, rcx   # rcx = thread entry point, rdx = thread parameter
488b05f2531700       mov     rax, qword ptr [ntdll!Kernel32ThreadInitThunkFunction (00007ffd`b7259c30)]
4885c0               test    rax, rax
741a                 je      ntdll!RtlUserThreadStart+0x2d (00007ffd`b70e485d)
49ba7003d17ea7bfe589 mov     r10, 89E5BFA77ED10370h
4c8bc2               mov     r8, rdx
488bd1               mov     rdx, rcx
33c9                 xor     ecx, ecx
ff15b5e71800         call    qword ptr [ntdll!_guard_xfg_dispatch_icall_fptr (00007ffd`b7273010)]
eb2a                 jmp     ntdll!RtlUserThreadStart+0x57 (00007ffd`b70e4887)
49ba70535218429f5d94 mov     r10, 945D9F4218525370h
488bca               mov     rcx, rdx
498bc1               mov     rax, r9
ff159de71800         call    qword ptr [ntdll!_guard_xfg_dispatch_icall_fptr (00007ffd`b7273010)]
8bc8                 mov     ecx, eax
e826000000           call    ntdll!RtlExitUserThread (00007ffd`b70e48a0)
90                   nop     
8bd0                 mov     edx, eax
4883c9ff             or      rcx, 0FFFFFFFFFFFFFFFFh
e83af40900           call    ntdll!NtTerminateProcess (00007ffd`b7183cc0)
90                   nop     
4883c478             add     rsp, 78h
c3                   ret     

If Kernel32ThreadInitThunkFunction (loaded into rax) is non-null, RtlUserThreadStart calls it through ntdll!_guard_xfg_dispatch_icall_fptr with ecx = 0, rdx = entry point and r8 = thread parameter. On this machine the pointer goes to ntdll!guard_xfg_dispatch_icall_nop, then ntdll!guard_dispatch_icall_nop, which ends in jmp rax into the initialization function KERNEL32!BaseThreadInitThunk. If the pointer is null (kernel32 has not registered it), the second path calls the entry point directly with the parameter in rcx and hands its return value to ntdll!RtlExitUserThread; if even that returns, the process is terminated with NtTerminateProcess(-1, exit code).

/*
 * Decompiled KERNEL32!BaseThreadInitThunk. a1 is the value RtlUserThreadStart
 * zeroed with xor ecx, ecx; a2 is the thread entry point (moved rcx -> rdx) and
 * a3 is the thread parameter (moved rdx -> r8). With a1 == 0 the thread runs the
 * entry point and never comes back here. The non-zero branch is only used for the
 * Terminal Services (RtlGetSuiteMask() & VER_SUITE_TERMINAL == 0x10) initialization path.
 */
__int64 __fastcall BaseThreadInitThunk(int a1, __int64 a2, __int64 a3)
{
  NTSTATUS inited; // eax  -- return value of the thread entry point
  __int64 result; // rax

  if ( !a1 )
  {
    inited = BaseThreadInitXfgThunk(a3);   // jmp rdx: calls the entry point a2 with a3 as its argument
    RtlExitUserThread(inited);             // thread exit code = entry point's return value
    __debugbreak();                        // not reached
  }
  if ( (RtlGetSuiteMask() & 0x10) == 0 )   // 0x10 == VER_SUITE_TERMINAL
    return 0i64;
  result = BasepInitializeTermsrvFpns();
  if ( (int)result >= 0 )
    return 0i64;
  return result;
}

KERNEL32!BaseThreadInitXfgThunk jumps straight to rdx, and rdx was loaded from rcx, the program's entry point, so this is where the user program proper begins.

The analysis above started at ntdll!RtlUserThreadStart, by which point the environment has obviously already been initialized; the next step is to analyze that initialization itself.
Using API Monitor, find the first system call, NtQueryVolumeInformationFile(0x0000000000000058, 0x00000047d01fec50, 0x00000047d01fec70, 8, FileFsDeviceInformation), and trace from there in windbg.

Analysis from CreateProcess
Call chain
CreateProcessA->KERNEL32!CreateProcessAStub->KERNELBASE!CreateProcessA->CreateProcessInternalA->KERNELBASE!Basep8BitStringToDynamicUnicodeString (ANSI to Unicode conversion) + KERNELBASE!CreateProcessInternalW->

KERNELBASE!memset
KERNELBASE!memset
KERNELBASE!IsProcessInJob
KERNELBASE!BaseFormatObjectAttributes
KERNELBASE!BaseFormatObjectAttributes
qword ptr [KERNELBASE!_imp_RtlFreeUnicodeString (00007ffd`b4b0c490)]
KERNELBASE!IsBaseCheckElevationPresent
qword ptr [KERNELBASE!_imp_BasepFreeAppCompatData (00007ffd`b4c14608)]
KERNELBASE!IsBaseCheckElevationPresent
qword ptr [KERNELBASE!_imp_BasepReleaseSxsCreateProcessUtilityStruct (00007ffd`b4c14610)]
KERNELBASE!memset
KERNELBASE!BasepFreeBnoIsolationParameter
qword ptr [KERNELBASE!_imp_RtlAllocateHeap
qword ptr [KERNELBASE!_imp_RtlGetExePath
KERNELBASE!SearchPathW (00007ffd`b492a470)
KERNELBASE!GetFileAttributesW
qword ptr [KERNELBASE!_imp_RtlDosPathNameToNtPathName_U (00007ffd`b4b0c570)]
qword ptr [KERNELBASE!_imp_RtlInitUnicodeStringEx (00007ffd`b4b0cb40)]
qword ptr [KERNELBASE!_imp_RtlDetermineDosPathNameType_U (00007ffd`b4b0c6c8)]
KERNELBASE!BasepAdjustApplicationPath
qword ptr [KERNELBASE!_imp_GetEmbeddedImageMitigationPolicy (00007ffd`b4c14010)]
KERNELBASE!memset
qword ptr [KERNELBASE!_imp_RtlWow64GetProcessMachines (00007ffd`b4b0d7e8)]
KERNELBASE!BasepCreateProcessParameters
KERNELBASE!QueryChpeConfiguration
qword ptr [KERNELBASE!_imp_NtCreateUserProcess
qword ptr [KERNELBASE!_imp_RtlDestroyProcessParameters (00007ffd`b4b0cf20)]
qword ptr [KERNELBASE!_imp_RtlAllocateHeap (00007ffd`b4b0da50)]
qword ptr [KERNELBASE!_imp_LdrQueryImageFileKeyOption (00007ffd`b4b0d818)]
qword ptr [KERNELBASE!_imp_RtlFreeHeap (00007ffd`b4b0cba0)]
qword ptr [KERNELBASE!_imp_LdrQueryImageFileKeyOption (00007ffd`b4b0d818)]
KERNELBASE!LoadAppExecutionAliasInfoForExecutable
KERNELBASE!ValidateAppExecutionAliasRedirectPackageIdentity
KERNELBASE!BuildAppExecutionAliasCommandLine
qword ptr [KERNELBASE!_imp_RtlInitUnicodeString (00007ffd`b4b0c498)]
qword ptr [KERNELBASE!_imp_NtClose (00007ffd`b4b0cb48)]
qword ptr [KERNELBASE!_imp_RtlFreeHeap (00007ffd`b4b0cba0)]
qword ptr [KERNELBASE!_imp_RtlFreeUnicodeString (00007ffd`b4b0c490)]
KERNELBASE!IsBaseCheckElevationPresent
qword ptr [KERNELBASE!_imp_BasepFreeAppCompatData (00007ffd`b4c14608)]
KERNELBASE!IsBaseCheckElevationPresent
qword ptr [KERNELBASE!_imp_BasepReleaseSxsCreateProcessUtilityStruct (00007ffd`b4c14610)]
KERNELBASE!memset
KERNELBASE!BasepFreeBnoIsolationParameter
qword ptr [KERNELBASE!_imp_RtlDosPathNameToNtPathName_U (00007ffd`b4b0c570)]
qword ptr [KERNELBASE!_imp_RtlInitUnicodeStringEx (00007ffd`b4b0cb40)]
qword ptr [KERNELBASE!_imp_RtlDetermineDosPathNameType_U (00007ffd`b4b0c6c8)]
KERNELBASE!BasepAdjustApplicationPath
KERNELBASE!IsBaseCheckElevationPresent
qword ptr [KERNELBASE!_imp_BasepAppXExtension (00007ffd`b4c14618)]
qword ptr [KERNELBASE!_imp_RtlInitUnicodeString (00007ffd`b4b0c498)]
qword ptr [KERNELBASE!_imp_RtlInitUnicodeString (00007ffd`b4b0c498)]
KERNELBASE!memset
...
qword ptr [KERNELBASE!_imp_NtCreateUserProcess
...
qword ptr [KERNELBASE!_imp_NtAllocateVirtualMemory (00007ffd`b4b0d308)]
qword ptr [KERNELBASE!_imp_NtWriteVirtualMemory (00007ffd`b4b0d300)]
KERNELBASE!IsBaseCheckElevationPresent
qword ptr [KERNELBASE!_imp_BaseElevationPostProcessing (00007ffd`b4c145e8)]
qword ptr [KERNELBASE!_imp_BasepPostSuccessAppXExtension (00007ffd`b4c145e0)]
KERNELBASE!BasepUpdateProcessParametersField
qword ptr [KERNELBASE!_imp_CompleteAppExecutionAliasProcessCreationEx (00007ffd`b4c14268)]
qword ptr [KERNELBASE!_imp_NtResumeThread (00007ffd`b4b0d648)]
...

OLD (earlier notes)

Since Windows Vista the real thread entry point has been ntdll!RtlUserThreadStart. I set a breakpoint and found that Win10 is the same, only the concrete implementation differs a little. I had planned to trace all the way back to see whether I could find where ntdll!RtlUserThreadStart itself comes from, but that would take a while, so next time :) This breakpoint was purely to verify the thread entry point.

Supplementary notes

fastcall (the x64 calling convention)

In the Microsoft x64 calling convention the first four integer/pointer arguments of a call are placed, left to right, in RCX, RDX, R8 and R9 (floating-point arguments go in XMM0-XMM3); any further arguments are pushed on the stack right to left, and the caller additionally reserves 32 bytes of "shadow space" for the four register arguments before every call. The stack grows from high addresses to low. The sub rsp, 78h / add rsp, 78h pair in RtlUserThreadStart reserves that shadow space plus locals and keeps RSP 16-byte aligned. Note that this is not the 32-bit __fastcall, which only uses ECX and EDX.

windbg

The x command displays the symbols in all contexts that match the specified pattern.
Commonly used to look up symbols, e.g. x ntdll!RtlUserThread*.

Key Windows data structures and how to use them

Going straight to the x64 versions.

_PEB

0:000> dt _PEB
ntdll!_PEB
   +0x000 InheritedAddressSpace : UChar
   +0x001 ReadImageFileExecOptions : UChar
   +0x002 BeingDebugged    : UChar
   +0x003 BitField         : UChar
   +0x003 ImageUsesLargePages : Pos 0, 1 Bit
   +0x003 IsProtectedProcess : Pos 1, 1 Bit
   +0x003 IsImageDynamicallyRelocated : Pos 2, 1 Bit
   +0x003 SkipPatchingUser32Forwarders : Pos 3, 1 Bit
   +0x003 IsPackagedProcess : Pos 4, 1 Bit
   +0x003 IsAppContainer   : Pos 5, 1 Bit
   +0x003 IsProtectedProcessLight : Pos 6, 1 Bit
   +0x003 IsLongPathAwareProcess : Pos 7, 1 Bit
   +0x004 Padding0         : [4] UChar
   +0x008 Mutant           : Ptr64 Void
   +0x010 ImageBaseAddress : Ptr64 Void
   +0x018 Ldr              : Ptr64 _PEB_LDR_DATA
   +0x020 ProcessParameters : Ptr64 _RTL_USER_PROCESS_PARAMETERS
   +0x028 SubSystemData    : Ptr64 Void
   +0x030 ProcessHeap      : Ptr64 Void
   +0x038 FastPebLock      : Ptr64 _RTL_CRITICAL_SECTION
   +0x040 AtlThunkSListPtr : Ptr64 _SLIST_HEADER
   +0x048 IFEOKey          : Ptr64 Void
   +0x050 CrossProcessFlags : Uint4B
   +0x050 ProcessInJob     : Pos 0, 1 Bit
   +0x050 ProcessInitializing : Pos 1, 1 Bit
   +0x050 ProcessUsingVEH  : Pos 2, 1 Bit
   +0x050 ProcessUsingVCH  : Pos 3, 1 Bit
   +0x050 ProcessUsingFTH  : Pos 4, 1 Bit
   +0x050 ProcessPreviouslyThrottled : Pos 5, 1 Bit
   +0x050 ProcessCurrentlyThrottled : Pos 6, 1 Bit
   +0x050 ProcessImagesHotPatched : Pos 7, 1 Bit
   +0x050 ReservedBits0    : Pos 8, 24 Bits
   +0x054 Padding1         : [4] UChar
   +0x058 KernelCallbackTable : Ptr64 Void
   +0x058 UserSharedInfoPtr : Ptr64 Void
   +0x060 SystemReserved   : Uint4B
   +0x064 AtlThunkSListPtr32 : Uint4B
   +0x068 ApiSetMap        : Ptr64 Void
   +0x070 TlsExpansionCounter : Uint4B
   +0x074 Padding2         : [4] UChar
   +0x078 TlsBitmap        : Ptr64 _RTL_BITMAP
   +0x080 TlsBitmapBits    : [2] Uint4B
   +0x088 ReadOnlySharedMemoryBase : Ptr64 Void
   +0x090 SharedData       : Ptr64 Void
   +0x098 ReadOnlyStaticServerData : Ptr64 Ptr64 Void
   +0x0a0 AnsiCodePageData : Ptr64 Void
   +0x0a8 OemCodePageData  : Ptr64 Void
   +0x0b0 UnicodeCaseTableData : Ptr64 Void
   +0x0b8 NumberOfProcessors : Uint4B
   +0x0bc NtGlobalFlag     : Uint4B
   +0x0c0 CriticalSectionTimeout : _LARGE_INTEGER
   +0x0c8 HeapSegmentReserve : Uint8B
   +0x0d0 HeapSegmentCommit : Uint8B
   +0x0d8 HeapDeCommitTotalFreeThreshold : Uint8B
   +0x0e0 HeapDeCommitFreeBlockThreshold : Uint8B
   +0x0e8 NumberOfHeaps    : Uint4B
   +0x0ec MaximumNumberOfHeaps : Uint4B
   +0x0f0 ProcessHeaps     : Ptr64 Ptr64 Void
   +0x0f8 GdiSharedHandleTable : Ptr64 Void
   +0x100 ProcessStarterHelper : Ptr64 Void
   +0x108 GdiDCAttributeList : Uint4B
   +0x10c Padding3         : [4] UChar
   +0x110 LoaderLock       : Ptr64 _RTL_CRITICAL_SECTION
   +0x118 OSMajorVersion   : Uint4B
   +0x11c OSMinorVersion   : Uint4B
   +0x120 OSBuildNumber    : Uint2B
   +0x122 OSCSDVersion     : Uint2B
   +0x124 OSPlatformId     : Uint4B
   +0x128 ImageSubsystem   : Uint4B
   +0x12c ImageSubsystemMajorVersion : Uint4B
   +0x130 ImageSubsystemMinorVersion : Uint4B
   +0x134 Padding4         : [4] UChar
   +0x138 ActiveProcessAffinityMask : Uint8B
   +0x140 GdiHandleBuffer  : [60] Uint4B
   +0x230 PostProcessInitRoutine : Ptr64     void 
   +0x238 TlsExpansionBitmap : Ptr64 _RTL_BITMAP
   +0x240 TlsExpansionBitmapBits : [32] Uint4B
   +0x2c0 SessionId        : Uint4B
   +0x2c4 Padding5         : [4] UChar
   +0x2c8 AppCompatFlags   : _ULARGE_INTEGER
   +0x2d0 AppCompatFlagsUser : _ULARGE_INTEGER
   +0x2d8 pShimData        : Ptr64 Void
   +0x2e0 AppCompatInfo    : Ptr64 Void
   +0x2e8 CSDVersion       : _UNICODE_STRING
   +0x2f8 ActivationContextData : Ptr64 _ACTIVATION_CONTEXT_DATA
   +0x300 ProcessAssemblyStorageMap : Ptr64 _ASSEMBLY_STORAGE_MAP
   +0x308 SystemDefaultActivationContextData : Ptr64 _ACTIVATION_CONTEXT_DATA
   +0x310 SystemAssemblyStorageMap : Ptr64 _ASSEMBLY_STORAGE_MAP
   +0x318 MinimumStackCommit : Uint8B
   +0x320 SparePointers    : [2] Ptr64 Void
   +0x330 PatchLoaderData  : Ptr64 Void
   +0x338 ChpeV2ProcessInfo : Ptr64 _CHPEV2_PROCESS_INFO
   +0x340 AppModelFeatureState : Uint4B
   +0x344 SpareUlongs      : [2] Uint4B
   +0x34c ActiveCodePage   : Uint2B
   +0x34e OemCodePage      : Uint2B
   +0x350 UseCaseMapping   : Uint2B
   +0x352 UnusedNlsField   : Uint2B
   +0x358 WerRegistrationData : Ptr64 Void
   +0x360 WerShipAssertPtr : Ptr64 Void
   +0x368 EcCodeBitMap     : Ptr64 Void
   +0x370 pImageHeaderHash : Ptr64 Void
   +0x378 TracingFlags     : Uint4B
   +0x378 HeapTracingEnabled : Pos 0, 1 Bit
   +0x378 CritSecTracingEnabled : Pos 1, 1 Bit
   +0x378 LibLoaderTracingEnabled : Pos 2, 1 Bit
   +0x378 SpareTracingBits : Pos 3, 29 Bits
   +0x37c Padding6         : [4] UChar
   +0x380 CsrServerReadOnlySharedMemoryBase : Uint8B
   +0x388 TppWorkerpListLock : Uint8B
   +0x390 TppWorkerpList   : _LIST_ENTRY
   +0x3a0 WaitOnAddressHashTable : [128] Ptr64 Void
   +0x7a0 TelemetryCoverageHeader : Ptr64 Void
   +0x7a8 CloudFileFlags   : Uint4B
   +0x7ac CloudFileDiagFlags : Uint4B
   +0x7b0 PlaceholderCompatibilityMode : Char
   +0x7b1 PlaceholderCompatibilityModeReserved : [7] Char
   +0x7b8 LeapSecondData   : Ptr64 _LEAP_SECOND_DATA
   +0x7c0 LeapSecondFlags  : Uint4B
   +0x7c0 SixtySecondEnabled : Pos 0, 1 Bit
   +0x7c0 Reserved         : Pos 1, 31 Bits
   +0x7c4 NtGlobalFlag2    : Uint4B
   +0x7c8 ExtendedFeatureDisableMask : Uint8B

_TEB

0:000> dt _TEB
ntdll!_TEB
   +0x000 NtTib            : _NT_TIB
   +0x038 EnvironmentPointer : Ptr64 Void
   +0x040 ClientId         : _CLIENT_ID
   +0x050 ActiveRpcHandle  : Ptr64 Void
   +0x058 ThreadLocalStoragePointer : Ptr64 Void
   +0x060 ProcessEnvironmentBlock : Ptr64 _PEB
   +0x068 LastErrorValue   : Uint4B
   +0x06c CountOfOwnedCriticalSections : Uint4B
   +0x070 CsrClientThread  : Ptr64 Void
   +0x078 Win32ThreadInfo  : Ptr64 Void
   +0x080 User32Reserved   : [26] Uint4B
   +0x0e8 UserReserved     : [5] Uint4B
   +0x100 WOW32Reserved    : Ptr64 Void
   +0x108 CurrentLocale    : Uint4B
   +0x10c FpSoftwareStatusRegister : Uint4B
   +0x110 ReservedForDebuggerInstrumentation : [16] Ptr64 Void
   +0x190 SystemReserved1  : [30] Ptr64 Void
   +0x280 PlaceholderCompatibilityMode : Char
   +0x281 PlaceholderHydrationAlwaysExplicit : UChar
   +0x282 PlaceholderReserved : [10] Char
   +0x28c ProxiedProcessId : Uint4B
   +0x290 _ActivationStack : _ACTIVATION_CONTEXT_STACK
   +0x2b8 WorkingOnBehalfTicket : [8] UChar
   +0x2c0 ExceptionCode    : Int4B
   +0x2c4 Padding0         : [4] UChar
   +0x2c8 ActivationContextStackPointer : Ptr64 _ACTIVATION_CONTEXT_STACK
   +0x2d0 InstrumentationCallbackSp : Uint8B
   +0x2d8 InstrumentationCallbackPreviousPc : Uint8B
   +0x2e0 InstrumentationCallbackPreviousSp : Uint8B
   +0x2e8 TxFsContext      : Uint4B
   +0x2ec InstrumentationCallbackDisabled : UChar
   +0x2ed UnalignedLoadStoreExceptions : UChar
   +0x2ee Padding1         : [2] UChar
   +0x2f0 GdiTebBatch      : _GDI_TEB_BATCH
   +0x7d8 RealClientId     : _CLIENT_ID
   +0x7e8 GdiCachedProcessHandle : Ptr64 Void
   +0x7f0 GdiClientPID     : Uint4B
   +0x7f4 GdiClientTID     : Uint4B
   +0x7f8 GdiThreadLocalInfo : Ptr64 Void
   +0x800 Win32ClientInfo  : [62] Uint8B
   +0x9f0 glDispatchTable  : [233] Ptr64 Void
   +0x1138 glReserved1      : [29] Uint8B
   +0x1220 glReserved2      : Ptr64 Void
   +0x1228 glSectionInfo    : Ptr64 Void
   +0x1230 glSection        : Ptr64 Void
   +0x1238 glTable          : Ptr64 Void
   +0x1240 glCurrentRC      : Ptr64 Void
   +0x1248 glContext        : Ptr64 Void
   +0x1250 LastStatusValue  : Uint4B
   +0x1254 Padding2         : [4] UChar
   +0x1258 StaticUnicodeString : _UNICODE_STRING
   +0x1268 StaticUnicodeBuffer : [261] Wchar
   +0x1472 Padding3         : [6] UChar
   +0x1478 DeallocationStack : Ptr64 Void
   +0x1480 TlsSlots         : [64] Ptr64 Void
   +0x1680 TlsLinks         : _LIST_ENTRY
   +0x1690 Vdm              : Ptr64 Void
   +0x1698 ReservedForNtRpc : Ptr64 Void
   +0x16a0 DbgSsReserved    : [2] Ptr64 Void
   +0x16b0 HardErrorMode    : Uint4B
   +0x16b4 Padding4         : [4] UChar
   +0x16b8 Instrumentation  : [11] Ptr64 Void
   +0x1710 ActivityId       : _GUID
   +0x1720 SubProcessTag    : Ptr64 Void
   +0x1728 PerflibData      : Ptr64 Void
   +0x1730 EtwTraceData     : Ptr64 Void
   +0x1738 WinSockData      : Ptr64 Void
   +0x1740 GdiBatchCount    : Uint4B
   +0x1744 CurrentIdealProcessor : _PROCESSOR_NUMBER
   +0x1744 IdealProcessorValue : Uint4B
   +0x1744 ReservedPad0     : UChar
   +0x1745 ReservedPad1     : UChar
   +0x1746 ReservedPad2     : UChar
   +0x1747 IdealProcessor   : UChar
   +0x1748 GuaranteedStackBytes : Uint4B
   +0x174c Padding5         : [4] UChar
   +0x1750 ReservedForPerf  : Ptr64 Void
   +0x1758 ReservedForOle   : Ptr64 Void
   +0x1760 WaitingOnLoaderLock : Uint4B
   +0x1764 Padding6         : [4] UChar
   +0x1768 SavedPriorityState : Ptr64 Void
   +0x1770 ReservedForCodeCoverage : Uint8B
   +0x1778 ThreadPoolData   : Ptr64 Void
   +0x1780 TlsExpansionSlots : Ptr64 Ptr64 Void
   +0x1788 ChpeV2CpuAreaInfo : Ptr64 _CHPEV2_CPUAREA_INFO
   +0x1790 Unused           : Ptr64 Void
   +0x1798 MuiGeneration    : Uint4B
   +0x179c IsImpersonating  : Uint4B
   +0x17a0 NlsCache         : Ptr64 Void
   +0x17a8 pShimData        : Ptr64 Void
   +0x17b0 HeapData         : Uint4B
   +0x17b4 Padding7         : [4] UChar
   +0x17b8 CurrentTransactionHandle : Ptr64 Void
   +0x17c0 ActiveFrame      : Ptr64 _TEB_ACTIVE_FRAME
   +0x17c8 FlsData          : Ptr64 Void
   +0x17d0 PreferredLanguages : Ptr64 Void
   +0x17d8 UserPrefLanguages : Ptr64 Void
   +0x17e0 MergedPrefLanguages : Ptr64 Void
   +0x17e8 MuiImpersonation : Uint4B
   +0x17ec CrossTebFlags    : Uint2B
   +0x17ec SpareCrossTebBits : Pos 0, 16 Bits
   +0x17ee SameTebFlags     : Uint2B
   +0x17ee SafeThunkCall    : Pos 0, 1 Bit
   +0x17ee InDebugPrint     : Pos 1, 1 Bit
   +0x17ee HasFiberData     : Pos 2, 1 Bit
   +0x17ee SkipThreadAttach : Pos 3, 1 Bit
   +0x17ee WerInShipAssertCode : Pos 4, 1 Bit
   +0x17ee RanProcessInit   : Pos 5, 1 Bit
   +0x17ee ClonedThread     : Pos 6, 1 Bit
   +0x17ee SuppressDebugMsg : Pos 7, 1 Bit
   +0x17ee DisableUserStackWalk : Pos 8, 1 Bit
   +0x17ee RtlExceptionAttached : Pos 9, 1 Bit
   +0x17ee InitialThread    : Pos 10, 1 Bit
   +0x17ee SessionAware     : Pos 11, 1 Bit
   +0x17ee LoadOwner        : Pos 12, 1 Bit
   +0x17ee LoaderWorker     : Pos 13, 1 Bit
   +0x17ee SkipLoaderInit   : Pos 14, 1 Bit
   +0x17ee SkipFileAPIBrokering : Pos 15, 1 Bit
   +0x17f0 TxnScopeEnterCallback : Ptr64 Void
   +0x17f8 TxnScopeExitCallback : Ptr64 Void
   +0x1800 TxnScopeContext  : Ptr64 Void
   +0x1808 LockCount        : Uint4B
   +0x180c WowTebOffset     : Int4B
   +0x1810 ResourceRetValue : Ptr64 Void
   +0x1818 ReservedForWdf   : Ptr64 Void
   +0x1820 ReservedForCrt   : Uint8B
   +0x1828 EffectiveContainerId : _GUID
   +0x1838 LastSleepCounter : Uint8B
   +0x1840 SpinCallCount    : Uint4B
   +0x1844 Padding8         : [4] UChar
   +0x1848 ExtendedFeatureDisableMask : Uint8B

IDT

my blog (IDT): https://wr-web.github.io/2021/05/22/dll_injection_hook/#IDT-interrupt-descriptor-table

SSDT

my blog (SSDT): https://wr-web.github.io/2021/05/22/dll_injection_hook/#SSDT-system-service-descriptor-table

Windows FS/GS

From Wikipedia, "Win32 Thread Information Block" (FS offsets are x86, GS offsets are x64):

Type	FS (x86)	GS (x64)	Versions	Description
pointer	FS:[0x00]	GS:[0x00]	Win9x and NT	Current Structured Exception Handling (SEH) frame. Note: 64-bit Windows does not keep an SEH chain here; it uses table-based stack unwinding instead.
pointer	FS:[0x18]	GS:[0x30]	Win9x and NT	Linear address of the TEB (NtTib.Self)
pointer	FS:[0x30]	GS:[0x60]	NT	Linear address of the Process Environment Block (PEB)
pointer	FS:[0xC0]	GS:[0x100]	NT	Reserved for Wow64 (TEB.WOW32Reserved). Contains a pointer to FastSysCall in Wow64.

Through the FS/GS registers, via the TEB and PEB, you can reach most of the information about a process and its threads.

Using GS to get the names and base addresses of the loaded DLLs.

Read the PEB address at gs:[0x60], then follow peb->Ldr (PEB+0x18).

// _PEB_LDR_DATA with x64 offsets (matches the dt output further down; the
// 32-bit layout has the three lists at +0x0c/+0x14/+0x1c instead)
typedef struct _PEB_LDR_DATA
{
    ULONG Length;                                  // +0x00
    BOOLEAN Initialized;                           // +0x04
    PVOID SsHandle;                                // +0x08
    LIST_ENTRY InLoadOrderModuleList;              // +0x10
    LIST_ENTRY InMemoryOrderModuleList;            // +0x20
    LIST_ENTRY InInitializationOrderModuleList;    // +0x30
    PVOID EntryInProgress;                         // +0x40
    BOOLEAN ShutdownInProgress;                    // +0x48
    HANDLE ShutdownThreadId;                       // +0x50
} PEB_LDR_DATA, *PPEB_LDR_DATA;                    // sizeof == 0x58

// Used the same way as the doubly linked list in Linux: the list head is embedded in the
// owning structure and the enclosing entry is recovered with CONTAINING_RECORD.
typedef struct _LIST_ENTRY {
   struct _LIST_ENTRY *Flink;
   struct _LIST_ENTRY *Blink;
} LIST_ENTRY, *PLIST_ENTRY, *RESTRICTED_POINTER PRLIST_ENTRY;

0:000> dt _LDR_DATA_TABLE_ENTRY
ntdll!_LDR_DATA_TABLE_ENTRY
   +0x000 InLoadOrderLinks : _LIST_ENTRY
   +0x010 InMemoryOrderLinks : _LIST_ENTRY
   +0x020 InInitializationOrderLinks : _LIST_ENTRY
   +0x030 DllBase          : Ptr64 Void
   +0x038 EntryPoint       : Ptr64 Void
   +0x040 SizeOfImage      : Uint4B
   +0x048 FullDllName      : _UNICODE_STRING
   +0x058 BaseDllName      : _UNICODE_STRING
   +0x068 FlagGroup        : [4] UChar
   +0x068 Flags            : Uint4B
   +0x068 PackagedBinary   : Pos 0, 1 Bit
   +0x068 MarkedForRemoval : Pos 1, 1 Bit
   +0x068 ImageDll         : Pos 2, 1 Bit
   +0x068 LoadNotificationsSent : Pos 3, 1 Bit
   +0x068 TelemetryEntryProcessed : Pos 4, 1 Bit
   +0x068 ProcessStaticImport : Pos 5, 1 Bit
   +0x068 InLegacyLists    : Pos 6, 1 Bit
   +0x068 InIndexes        : Pos 7, 1 Bit
   +0x068 ShimDll          : Pos 8, 1 Bit
   +0x068 InExceptionTable : Pos 9, 1 Bit
   +0x068 ReservedFlags1   : Pos 10, 2 Bits
   +0x068 LoadInProgress   : Pos 12, 1 Bit
   +0x068 LoadConfigProcessed : Pos 13, 1 Bit
   +0x068 EntryProcessed   : Pos 14, 1 Bit
   +0x068 ProtectDelayLoad : Pos 15, 1 Bit
   +0x068 ReservedFlags3   : Pos 16, 2 Bits
   +0x068 DontCallForThreads : Pos 18, 1 Bit
   +0x068 ProcessAttachCalled : Pos 19, 1 Bit
   +0x068 ProcessAttachFailed : Pos 20, 1 Bit
   +0x068 CorDeferredValidate : Pos 21, 1 Bit
   +0x068 CorImage         : Pos 22, 1 Bit
   +0x068 DontRelocate     : Pos 23, 1 Bit
   +0x068 CorILOnly        : Pos 24, 1 Bit
   +0x068 ChpeImage        : Pos 25, 1 Bit
   +0x068 ChpeEmulatorImage : Pos 26, 1 Bit
   +0x068 ReservedFlags5   : Pos 27, 1 Bit
   +0x068 Redirected       : Pos 28, 1 Bit
   +0x068 ReservedFlags6   : Pos 29, 2 Bits
   +0x068 CompatDatabaseProcessed : Pos 31, 1 Bit
   +0x06c ObsoleteLoadCount : Uint2B
   +0x06e TlsIndex         : Uint2B
   +0x070 HashLinks        : _LIST_ENTRY
   +0x080 TimeDateStamp    : Uint4B
   +0x088 EntryPointActivationContext : Ptr64 _ACTIVATION_CONTEXT
   +0x090 Lock             : Ptr64 Void
   +0x098 DdagNode         : Ptr64 _LDR_DDAG_NODE
   +0x0a0 NodeModuleLink   : _LIST_ENTRY
   +0x0b0 LoadContext      : Ptr64 _LDRP_LOAD_CONTEXT
   +0x0b8 ParentDllBase    : Ptr64 Void
   +0x0c0 SwitchBackContext : Ptr64 Void
   +0x0c8 BaseAddressIndexNode : _RTL_BALANCED_NODE
   +0x0e0 MappingInfoIndexNode : _RTL_BALANCED_NODE
   +0x0f8 OriginalBase     : Uint8B
   +0x100 LoadTime         : _LARGE_INTEGER
   +0x108 BaseNameHashValue : Uint4B
   +0x10c LoadReason       : _LDR_DLL_LOAD_REASON
   +0x110 ImplicitPathOptions : Uint4B
   +0x114 ReferenceCount   : Uint4B
   +0x118 DependentLoadFlags : Uint4B
   +0x11c SigningLevel     : UChar
   +0x120 CheckSum         : Uint4B
   +0x128 ActivePatchImageBase : Ptr64 Void
   +0x130 HotPatchState    : _LDR_HOT_PATCH_STATE
0:000> !peb
PEB at 00000044333bb000
    InheritedAddressSpace:    No
    ReadImageFileExecOptions: No
    BeingDebugged:            Yes
    ImageBaseAddress:         00007ff7fdf00000
    NtGlobalFlag:             70
    NtGlobalFlag2:            0
    Ldr                       00007ffdb725a120
    Ldr.Initialized:          Yes
    Ldr.InInitializationOrderModuleList: 00000205cd2b3f90 . 00000205cd2b4860
    Ldr.InLoadOrderModuleList:           00000205cd2b4160 . 00000205cd2b6c60
    Ldr.InMemoryOrderModuleList:         00000205cd2b4170 . 00000205cd2b6c70
                    Base TimeStamp                     Module
            7ff7fdf00000 622895d5 Mar 09 19:56:05 2022 C:\Users\orz10\ROOT\security\learn\start\a.exe
            7ffdb70e0000 931cda92 Mar 18 18:55:14 2048 C:\Windows\SYSTEM32\ntdll.dll
            7ffdb6bc0000 7b65e245 Aug 09 20:17:09 2035 C:\Windows\System32\KERNEL32.DLL
            7ffdb48d0000 71a5cb5d Jun 03 12:21:49 2030 C:\Windows\System32\KERNELBASE.dll
            7ffdb6a70000 90483ed2 Sep 16 03:49:38 2046 C:\Windows\System32\msvcrt.dll


0:000> dt _PEB_LDR_DATA 00007ffdb725a120
ntdll!_PEB_LDR_DATA
   +0x000 Length           : 0x58
   +0x004 Initialized      : 0x1 ''
   +0x008 SsHandle         : (null) 
   +0x010 InLoadOrderModuleList : _LIST_ENTRY [ 0x00000205`cd2b4160 - 0x00000205`cd2b6c60 ]
   +0x020 InMemoryOrderModuleList : _LIST_ENTRY [ 0x00000205`cd2b4170 - 0x00000205`cd2b6c70 ]
   +0x030 InInitializationOrderModuleList : _LIST_ENTRY [ 0x00000205`cd2b3f90 - 0x00000205`cd2b4860 ]
   +0x040 EntryInProgress  : (null) 
   +0x048 ShutdownInProgress : 0 ''
   +0x050 ShutdownThreadId : (null) 
    
# Look at the first entry of InLoadOrderModuleList (Ldr+0x10)

0:000> dq 00007ffdb725a130
00007ffd`b725a130  00000205`cd2b4160 00000205`cd2b6c60
00007ffd`b725a140  00000205`cd2b4170 00000205`cd2b6c70
00007ffd`b725a150  00000205`cd2b3f90 00000205`cd2b4860
00007ffd`b725a160  00000000`00000000 00000000`00000000
00007ffd`b725a170  00000000`00000000 00000000`00000001
00007ffd`b725a180  00000205`cd2b0000 00000000`00000000
00007ffd`b725a190  00000000`00000000 00000000`00000000
00007ffd`b725a1a0  00000000`00000000 00000000`00000000

# InLoadOrderModuleList nodes, following Flink:
# 0x00000205`cd2b4160 -> 0x00000205`cd2b3f70
# -> 0x00000205`cd2b4840 -> 0x00000205`cd2b4f70
# -> 0x00000205`cd2b6c60 -> 0x00007ffd`b725a130 (the list head, back inside _PEB_LDR_DATA)
# -> 0x00000205`cd2b4160

# The first loaded module is a.exe

0:000> dt _LDR_DATA_TABLE_ENTRY 00000205`cd2b4160
ntdll!_LDR_DATA_TABLE_ENTRY
   +0x000 InLoadOrderLinks : _LIST_ENTRY [ 0x00000205`cd2b3f70 - 0x00007ffd`b725a130 ]
   +0x010 InMemoryOrderLinks : _LIST_ENTRY [ 0x00000205`cd2b3f80 - 0x00007ffd`b725a140 ]
   +0x020 InInitializationOrderLinks : _LIST_ENTRY [ 0x00000000`00000000 - 0x00000000`00000000 ]
   +0x030 DllBase          : 0x00007ff7`fdf00000 Void
   +0x038 EntryPoint       : 0x00007ff7`fdf014d0 Void
   +0x040 SizeOfImage      : 0x42000
   +0x048 FullDllName      : _UNICODE_STRING "C:\Users\orz10\ROOT\security\learn\start\a.exe"
   +0x058 BaseDllName      : _UNICODE_STRING "a.exe"
   +0x068 FlagGroup        : [4]  "???"
   +0x068 Flags            : 0x22cc
   +0x068 PackagedBinary   : 0y0

# The second is ntdll.dll

0:000> dt _LDR_DATA_TABLE_ENTRY 0x00000205`cd2b3f70
ntdll!_LDR_DATA_TABLE_ENTRY
   +0x000 InLoadOrderLinks : _LIST_ENTRY [ 0x00000205`cd2b4840 - 0x00000205`cd2b4160 ]
   +0x010 InMemoryOrderLinks : _LIST_ENTRY [ 0x00000205`cd2b4850 - 0x00000205`cd2b4170 ]
   +0x020 InInitializationOrderLinks : _LIST_ENTRY [ 0x00000205`cd2b4f90 - 0x00007ffd`b725a150 ]
   +0x030 DllBase          : 0x00007ffd`b70e0000 Void
   +0x038 EntryPoint       : (null) 
   +0x040 SizeOfImage      : 0x209000
   +0x048 FullDllName      : _UNICODE_STRING "C:\Windows\SYSTEM32\ntdll.dll"
   +0x058 BaseDllName      : _UNICODE_STRING "ntdll.dll"
   +0x068 FlagGroup        : [4]  "???"

# The third, KERNEL32.DLL

0:000> dt _LDR_DATA_TABLE_ENTRY 0x00000205`cd2b4840
ntdll!_LDR_DATA_TABLE_ENTRY
   +0x000 InLoadOrderLinks : _LIST_ENTRY [ 0x00000205`cd2b4f70 - 0x00000205`cd2b3f70 ]
   +0x010 InMemoryOrderLinks : _LIST_ENTRY [ 0x00000205`cd2b4f80 - 0x00000205`cd2b3f80 ]
   +0x020 InInitializationOrderLinks : _LIST_ENTRY [ 0x00007ffd`b725a150 - 0x00000205`cd2b4f90 ]
   +0x030 DllBase          : 0x00007ffd`b6bc0000 Void
   +0x038 EntryPoint       : 0x00007ffd`b6bd5580 Void
   +0x040 SizeOfImage      : 0xbd000
   +0x048 FullDllName      : _UNICODE_STRING "C:\Windows\System32\KERNEL32.DLL"
   +0x058 BaseDllName      : _UNICODE_STRING "KERNEL32.DLL"
   +0x068 FlagGroup        : [4]  "???"
   
# The fourth, KERNELBASE.dll

0:000> dt _LDR_DATA_TABLE_ENTRY 0x00000205`cd2b4f70
ntdll!_LDR_DATA_TABLE_ENTRY
   +0x000 InLoadOrderLinks : _LIST_ENTRY [ 0x00000205`cd2b6c60 - 0x00000205`cd2b4840 ]
   +0x010 InMemoryOrderLinks : _LIST_ENTRY [ 0x00000205`cd2b6c70 - 0x00000205`cd2b4850 ]
   +0x020 InInitializationOrderLinks : _LIST_ENTRY [ 0x00000205`cd2b4860 - 0x00000205`cd2b3f90 ]
   +0x030 DllBase          : 0x00007ffd`b48d0000 Void
   +0x038 EntryPoint       : 0x00007ffd`b48f4620 Void
   +0x040 SizeOfImage      : 0x374000
   +0x048 FullDllName      : _UNICODE_STRING "C:\Windows\System32\KERNELBASE.dll"
   +0x058 BaseDllName      : _UNICODE_STRING "KERNELBASE.dll"
   
# The fifth, msvcrt.dll
   
0:000> dt _LDR_DATA_TABLE_ENTRY 0x00000205`cd2b6c60
ntdll!_LDR_DATA_TABLE_ENTRY
   +0x000 InLoadOrderLinks : _LIST_ENTRY [ 0x00007ffd`b725a130 - 0x00000205`cd2b4f70 ]
   +0x010 InMemoryOrderLinks : _LIST_ENTRY [ 0x00007ffd`b725a140 - 0x00000205`cd2b4f80 ]
   +0x020 InInitializationOrderLinks : _LIST_ENTRY [ 0x00000000`00000000 - 0x00000000`00000000 ]
   +0x030 DllBase          : 0x00007ffd`b6a70000 Void
   +0x038 EntryPoint       : 0x00007ffd`b6a77af0 Void
   +0x040 SizeOfImage      : 0xa3000
   +0x048 FullDllName      : _UNICODE_STRING "C:\Windows\System32\msvcrt.dll"
   +0x058 BaseDllName      : _UNICODE_STRING "msvcrt.dll"

# The "sixth" is empty: 0x00007ffd`b725a130 is Ldr+0x10, i.e. the InLoadOrderModuleList head inside _PEB_LDR_DATA itself, not a module. A walk over the list must stop when Flink comes back here.

0:000> dt _LDR_DATA_TABLE_ENTRY 0x00007ffd`b725a130
ntdll!_LDR_DATA_TABLE_ENTRY
   +0x000 InLoadOrderLinks : _LIST_ENTRY [ 0x00000205`cd2b4160 - 0x00000205`cd2b6c60 ]
   +0x010 InMemoryOrderLinks : _LIST_ENTRY [ 0x00000205`cd2b4170 - 0x00000205`cd2b6c70 ]
   +0x020 InInitializationOrderLinks : _LIST_ENTRY [ 0x00000205`cd2b3f90 - 0x00000205`cd2b4860 ]
   +0x030 DllBase          : (null) 
   +0x038 EntryPoint       : (null) 
   +0x040 SizeOfImage      : 0
   +0x048 FullDllName      : _UNICODE_STRING ""
   +0x058 BaseDllName      : _UNICODE_STRING ""
   +0x068 FlagGroup        : [4]  ""
   +0x068 Flags            : 0
   +0x068 PackagedBinary   : 0y0
   +0x068 MarkedForRemoval : 0y0
   +0x068 ImageDll         : 0y0

With these data structures we can obtain the base address of each DLL; using the wow64 heaven's gate trick to jump into x64 and then call these interfaces, we can quietly execute library functions. I have also looked at making system calls directly, but Windows wraps its system calls fairly well and I do not fully understand that part yet.
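The PEB->Ldr walk described above (read the PEB from gs:[0x60], follow Ldr, iterate a module list and stop at the head that lives inside _PEB_LDR_DATA) as an added, runnable example. This is not code from the original post: the struct definitions are hand-copied prefixes of the dt output above with _Static_assert checks on the offsets, the module list in build_fake_ldr() is constructed from the bases shown in the !peb dump so the walk can run off Windows, and only the current_ldr() path compiled under x64 MSVC touches the real PEB via __readgsqword.

```c
/* ldr_walk.c - walk PEB->Ldr->InLoadOrderModuleList / InMemoryOrderModuleList (x64 layout). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;
typedef struct { uint16_t Length, MaximumLength; uint16_t *Buffer; } UNICODE_STR; /* UTF-16; Length in bytes */

typedef struct {                                   /* _PEB_LDR_DATA, leading fields only */
    uint32_t   Length;                             /* +0x00 */
    uint8_t    Initialized, pad0[3];               /* +0x04 */
    void      *SsHandle;                           /* +0x08 */
    LIST_ENTRY InLoadOrderModuleList;              /* +0x10 */
    LIST_ENTRY InMemoryOrderModuleList;            /* +0x20 */
    LIST_ENTRY InInitializationOrderModuleList;    /* +0x30 */
} PEB_LDR_DATA;

typedef struct {                                   /* _LDR_DATA_TABLE_ENTRY, leading fields only */
    LIST_ENTRY  InLoadOrderLinks;                  /* +0x00 */
    LIST_ENTRY  InMemoryOrderLinks;                /* +0x10 */
    LIST_ENTRY  InInitializationOrderLinks;        /* +0x20 */
    void       *DllBase;                           /* +0x30 */
    void       *EntryPoint;                        /* +0x38 */
    uint32_t    SizeOfImage, pad1;                 /* +0x40 */
    UNICODE_STR FullDllName;                       /* +0x48 */
    UNICODE_STR BaseDllName;                       /* +0x58 */
} LDR_DATA_TABLE_ENTRY;

/* If these do not match the dt output, every field read below is garbage. */
_Static_assert(offsetof(LDR_DATA_TABLE_ENTRY, DllBase) == 0x30, "DllBase offset");
_Static_assert(offsetof(LDR_DATA_TABLE_ENTRY, BaseDllName) == 0x58, "BaseDllName offset");
_Static_assert(offsetof(PEB_LDR_DATA, InMemoryOrderModuleList) == 0x20, "InMemoryOrderModuleList offset");

#define CONTAINING_RECORD(p, type, field) ((type *)((uint8_t *)(p) - offsetof(type, field)))

/* Case-insensitive compare of a UTF-16 BaseDllName with an ASCII name ("KERNEL32.DLL" == "kernel32.dll"). */
static int name_eq(const UNICODE_STR *u, const char *ascii) {
    size_t n = u->Length / 2;
    if (n != strlen(ascii)) return 0;
    for (size_t i = 0; i < n; i++) {
        uint16_t a = u->Buffer[i], b = (uint8_t)ascii[i];
        if (a >= 'A' && a <= 'Z') a += 32;
        if (b >= 'A' && b <= 'Z') b += 32;
        if (a != b) return 0;
    }
    return 1;
}

/* The list is circular and its head is embedded in _PEB_LDR_DATA: that is the "sixth" entry
 * with DllBase == NULL in the dump above. It is not a module, so the walk stops on reaching it. */
void *find_module_base(const PEB_LDR_DATA *ldr, const char *base_name) {
    const LIST_ENTRY *head = &ldr->InLoadOrderModuleList;
    for (const LIST_ENTRY *e = head->Flink; e != head; e = e->Flink) {
        const LDR_DATA_TABLE_ENTRY *m = CONTAINING_RECORD(e, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks);
        if (name_eq(&m->BaseDllName, base_name)) return m->DllBase;
    }
    return NULL;
}

/* Same walk via InMemoryOrderModuleList: the links sit at +0x10 inside the entry, so
 * CONTAINING_RECORD must subtract 0x10. Forgetting that is the classic PEB-walk bug. */
void *find_module_base_memorder(const PEB_LDR_DATA *ldr, const char *base_name) {
    const LIST_ENTRY *head = &ldr->InMemoryOrderModuleList;
    for (const LIST_ENTRY *e = head->Flink; e != head; e = e->Flink) {
        const LDR_DATA_TABLE_ENTRY *m = CONTAINING_RECORD(e, LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks);
        if (name_eq(&m->BaseDllName, base_name)) return m->DllBase;
    }
    return NULL;
}

/* Constructed data: three modules with the bases from the !peb dump above. */
static uint16_t g_names[3][16];
static LDR_DATA_TABLE_ENTRY g_mods[3];
static PEB_LDR_DATA g_ldr;

static void link_tail(LIST_ENTRY *head, LIST_ENTRY *e) {      /* insert e before head */
    LIST_ENTRY *prev = head->Blink;
    prev->Flink = e; e->Blink = prev; e->Flink = head; head->Blink = e;
}

const PEB_LDR_DATA *build_fake_ldr(void) {
    const char *names[3] = { "a.exe", "ntdll.dll", "KERNEL32.DLL" };
    uintptr_t bases[3] = { 0x00007ff7fdf00000ULL, 0x00007ffdb70e0000ULL, 0x00007ffdb6bc0000ULL };
    memset(&g_ldr, 0, sizeof g_ldr);
    g_ldr.Length = 0x58; g_ldr.Initialized = 1;
    g_ldr.InLoadOrderModuleList.Flink = g_ldr.InLoadOrderModuleList.Blink = &g_ldr.InLoadOrderModuleList;
    g_ldr.InMemoryOrderModuleList.Flink = g_ldr.InMemoryOrderModuleList.Blink = &g_ldr.InMemoryOrderModuleList;
    for (int i = 0; i < 3; i++) {
        size_t n = strlen(names[i]);
        for (size_t j = 0; j < n; j++) g_names[i][j] = (uint8_t)names[i][j];
        g_mods[i].BaseDllName = (UNICODE_STR){ (uint16_t)(n * 2), (uint16_t)(n * 2 + 2), g_names[i] };
        g_mods[i].DllBase = (void *)bases[i];
        link_tail(&g_ldr.InLoadOrderModuleList, &g_mods[i].InLoadOrderLinks);
        link_tail(&g_ldr.InMemoryOrderModuleList, &g_mods[i].InMemoryOrderLinks);
    }
    return &g_ldr;
}

#if defined(_WIN64) && defined(_MSC_VER)
#include <intrin.h>
/* Real PEB on x64 Windows: gs:[0x60] is the PEB (table above), PEB+0x18 is Ldr. */
const PEB_LDR_DATA *current_ldr(void) {
    uint8_t *peb = (uint8_t *)__readgsqword(0x60);
    return *(PEB_LDR_DATA **)(peb + 0x18);
}
#else
const PEB_LDR_DATA *current_ldr(void) { return build_fake_ldr(); }   /* off Windows: constructed list */
#endif

int main(void) {
    const PEB_LDR_DATA *ldr = current_ldr();
    printf("kernel32 base: %p\n", find_module_base(ldr, "kernel32.dll"));
    printf("ntdll base (memory order): %p\n", find_module_base_memorder(ldr, "NTDLL.DLL"));
    return 0;
}
```

Built with MSVC on x64 Windows this prints the real kernel32/ntdll bases of the running process; anywhere else it walks the constructed list and prints the bases copied from the dump. The two things worth taking away are the termination test against the head address and the different CONTAINING_RECORD offset for each of the three lists.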