ja1e0's blog

Binary Emulation - Dumpulator

2021-12-26T16:00:00.000Z

Dumpulator

Reference

https://www.youtube.com/watch?v=4Pfu98Xx9Yo

sample SHA256: eeb13cd51faa7c23d9a40241d03beb239626fbf3efe1dbbfa3994fc10dea0827

0x01 MiniDump

emulate this function instead of recreating it in python with Dumpulator module.

Load up x32dbg, and run this sample .Then we’ll break on EnrtyPoint and take a mini dump by Minidump plugin. 、

Command MiniDump emotet.dmp and build a dump for it.

hasn’t executed anything,it’s done.It’s just set up its environment.

0x02 Emulated

Go over to Python shell

We’ll import Dumpulator and init Dumpulator class.

1 2	>>> from dumpulator import Dumpulator >>> dp = Dumpulator("emotet.dmp")

We can call deccrypt_string_function and pass it the offset to the beginning of the .text section.

For example，select dword_6A901218,offset is 0x1218,sub_6A917AF5 is xref to it.

Then we analysis Calling convention of this function, __usercall = __fastcall.

So We just passed last two arguments on the stack.

The Return Value are returned in the EAX register.

#emluate function
>>> dp.call(0x6A917AF5,[0xE94E3, 0x6A901218])
emulation finished, cip = 5000
15491624
# Read the return value
>>> dp.read(dp.regs.eax,256)
bytearray(b'C\x00o\x00n\x00t\x00e\x00n\x00t\x00-\x00T\x00y\x00p\x00e\x00:\x00 \x00m\x00u\x00l\x00t\x00i\x00p\x00a\x00r\x00t\x00/\x00f\x00o\x00r\x00m\x00-\x00d\x00a\x00t\x00a\x00;\x00 \x00b\x00o\x00u\x00n\x00d\x00a\x00r\x00y\x00=\x00%\x00s\x00\r\x00\n\x00\x00\x00\x14\x00C\x00V\x00\xab\xab\xab\xab\xab\xab\xab\xab\x00\x00\x00\x00\x00\x00\x00\x00\xea$\xf7\xbcHx\x00\x00\xc0\x00\xeb\x00h\xa9\xeb\x00\xee\xfe\xee\xfe\xee\xfe\xee\xfe\xee\xfe\xee\xfe\xee\xfe\xee\xfe\xee\xfe\xee\xfe\xee\xfe\xee\xfe\xee\xfe\xee\xfe\xee\xfe\xee\xfe\xee\xfe\xee\xfe\xee\xfe\xee\xfe\xee\xfe\xee\xfe\xee\xfe\xee\xfe\xee\xfe\xee\xfe\xee\xfe\xee\xfe\xee\xfe\xee\xfe\xee\xfe\xee\xfe\xee\xfe\xee\xfe\xee\xfe\xee\xfe\xee\xfe\xee\xfe\xee\xfe\xee\xfe\xee\xfe\xee\xfe\xee\xfe\xee\xfe\xee\xfe\xee\xfe\xee\xfe\xee\xfe\xee\xfe\xee\xfe\xee\xfe\xee\xfe\xee\xfe\xee\xfe\xee\xfe\xee\xfe\xee\xfe\xee\xfe\xee\xfe\xee\xfe')
# format strings
>>> dp.read(dp.regs.eax,256).split(b'\x00\x00')[0].replace(b'\x00',b'')
bytearray(b'Content-Type: multipart/form-data; boundary=%s\r\n')

0x2 Modern_Windows_Exploit_Development_Mona2

2021-12-21T16:00:00.000Z

https://github.com/aW3ikun/Modern_Windows_Exploit_Development

0x0 Environment

Win10 21h2

run Windbg Preview as an administrator

0x1 Mona2

0x11 Installation in Windbg Preview

Reference： https://whatdocumentary.tistory.com/67

Save this WebPage as a PDF in Folder

install Python2.7 (x64 and x86).
(if you analysis x86 file,u have to use python_x86, and so are the x64 edition )

install pykd modulde by pip.

check python version.Then install pykd.

py --list.

1 2	py -2.7-64 -m pip install --upgrade pykd py -2.7-32 -m pip install --upgrade pykd

Download mona、windbglib、pykd.dll.
1. mona.py https://github.com/corelan/mona
2. windbglib https://github.com/corelan/windbglib
3. pykd.dll(x64_edition And x86_edition,It is better to change the name to distinguish) https://githomelab.ru/pykd/pykd-ext/-/wikis/Downloads
  gsudo regsvr32.exe .\msdia120.dll,Register msdia120.dll through the regsvr32.exe. u have to do it in cmd with administrator privileges.
Use Mona.py
When Windbg launch x64 File。
1. .extpath+ D:\dbgext
1
2
0: kd> .extpath D:\dbgext
Extension search path is: D:\dbgext
1. .load pykd_x64
2. !select -2.7 change python editon.
3. !py D:\dbgext\mona
4. !py D:\dbgext\mona update
attach the x32 file,pykd_x86.dll loads well.
Python runs in 32-bit.
comment out these print.

Or Run the Initiation script，use$$>a command.

`0x12 Configurationw`

`0x121 Set Working directory`

dump data to files created in the mona’s working directory.

We can specify a working directory which depends on the process name and id by using the format specifiers %p (process name) and %i (process id).

!py d:\dbgext\mona config -set workingfolder "d:\temp\mona_files\%p_%i"

`0x123 Exclude module`

exclude specific modules

1 2	!py d:\dbgext\mona config -set excluded_modules "module1.dll,module2.dll" !py d:\dbgext\mona config -add excluded_modules "module3.dll,module4.dll"

`0x124 Set the author`

!py d:\dbgext\mona config -set author aWei

`0x13 Mona Manual`

kanxue(Chinese Edition)

offical

`0x14 Example`

!py d:\dbgext\mona findwild -s "push r32 # * # pop eax # inc eax # * # retn"

Command	Description
findwild	find chains of instructions with a particular form
-s	specifies the shape of the chain
‘#’	instructions are separated with ‘#’
r32	is any 32-bit register
*	is any sequenece of instructions
-depth \	maximun length of the chain
-b \	base address for the search
-t \	top address for the search
-all	returns also chains which contain “bad” instruction that might break the chian(jumps,calls,..)

`0x15 ROP Chains`

Mona can find ROP gadgets and build ROP chains.



0x1 Modern_Windows_Exploit_Development_Windbg
2021-12-13T16:00:00.000Z
0x0 Environment
Vmware Workstation 16 Pro 16.1.2
Win7 x64 sp1
Windbg Preview
0x1 Windbg
refer to other’s blog that  《Setting up kernel debugging using WinDbg and VMware》。
Setting symbol File Path
Windbg Preview 
File ->  Setting -> Debugging Settings->Symbol path 
enter SRV*d:\\pdb*http://msdl.microsoft.com/download/symbols
0x11 symbol
Command/Example Description
!wow64exts.sw Switches between x86 and native mode.
.sympath+ c:\symbolpath append a symbol search path to the default one during debugging
.reload reload the symbols
x *!* / x kernel32!virtual* Checking Symbols
ld* load symbols for all modules
.hh / .hh \ get Help Or press F1
0x12 Modules
Load an Executable or Attach to a Process
Command Description
lmf list the loader module
lmf m ntdll list a specifc module
!dh ntdll/!dh 0x400000 get the image header (PE Info)
0x13 Expressions
use register, symbol ,value.
Expressions Description
bp 0x70000 / bp eip+1 breakpoint
u ntdll!NtCommitTransaction+0x41 use symbol to disassembly
dd esp+4 use registers to Specifies value
0x14 Numbers
are by default in base 16.
0x123 base 16 (hexadecimal)
0n123 base 10 (decimal)
0t123 base 8 (octal)
0y111 base 2 (binary)
.formats display a value in mant formats
?eax+4 /?4+4 evaluate an expression
0x15 Pseudo-registers
Pseudo-registers are indicated by the
prefix ‘$‘. 
the prefix ‘@‘ which tells WinDbg that what follows is
a register and not a symbol. If ‘@‘ is not used, WinDbg will first try to interpret the name as a symbol.
$teb or @$teb (address of the TEB)
$peb or @$peb (address of the PEB)
$thread or @$thread (current thread)
0x16 Exceptions
Single-chance means that the exception hasn’t been sent to the debuggee yet.
When we resume the execution, WinDbg sends the exception to the debuggee. If the debuggee doesn’t
handle the exception, WinDbg stops again and says that there’s been a second-chance exception
Command Description
sxe / sex ld ,…, / sxe ld user32 break when a moudule is loaded
sx list of exceptions type
sxi / sxi ld /sxi sse ignore an exception \ ignore load module \ ignore single-chance single step exceptions
0x17 Breakpoint
0x171 sofrware brekpoint
When you put a software breakpoint on one instruction, WinDbg saves to memory the first byte of the
instruction and overwrites it with 0xCC which is the opcode for “int 3“.
When the “int 3” is executed, the breakpoint is triggered, the execution stops and WinDbg restores the
instruction by restoring its first byte.
Command Description
bp 4110a3 breakpoint at the address 0x4110a3
bp 4110a3 3 breakpoint  ignored the first 2 times
g resume the execution (go)
g \ run until a certain address 
‘g’ puts a one-time software breakpoint.
0x172 hardware breakpoint
use specific registers of the CPU。
can’t set more than 4 breakpoints.
It’s not possible to use hardware breakpoints for a process
ba \ \ \ 
\ ‘e’for execute 
‘r’for read/write memory access 
‘w’ for write memory access
\ specifies the size of the location, in bytes, to monitor for access (it’s always 1 when \\ is ‘e‘).
\ the loction
\
0x173 Handling Breakpoints
Command Description
bl breakpoint list
bd disable a breakpoint
bc delete a breakpoint
bc * delete all the breakpoints
1
2
0:016> bl
     0 e Disable Clear  04000000     0001 (0001)  0:**** uTools!v8_inspector::V8StackTraceId::IsInvalid+0x99b20
0 : breakpoint ID
e : breakpoint status; can be (e)nabled or (d)isabled
Disable : click Disable
Clear : click Clear
04000000 : memory address 
0001(0001) : the number of passes
0:****  : the associated process and thread. The asterisks mean that the breakpoint is not thread-
specific
uTools!v8_inspector::V8StackTraceId::IsInvalid+0x99b20 : the moudule, function and offset where the breakpoint is located
0x174 Breakpoint Commands
example:
bp Main ".echo \"Here are the registers:\n\"; r"
1
2
3
4
5
6
Here are the registers:
eax=013b5f70 ebx=0117a000 ecx=00000001 edx=013b66e0 esi=00951023 edi=00951023
eip=00951810 esp=0133f9d0 ebp=0133f9ec iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
ConsoleApplication1!main:
00951810 55              push    ebp
bp 00951811   ".printf \"new Array Data: addr = 0x%p\\n\",eax;g"
1
new Array Data: addr = 0x013b5f70
0x18 Stepping
Command Description
t step-in
p step-over
gu step-out
pa/ta \ step/trace to address
pc/tc step/trace to next call/int instruction
pt/tt step/trace to next ret (discussed above at point 3
pct/tct step/trace to next call/int or ret
ph/th step/trace to next branching instruction
0x19 Memory
0x191 Displaying Memory
Command \ d* Description
db display bytes
dw display words (2 bytes)
dd display dwords (4 bytes)
dq display qwords (8 bytes)
dyb display bits
da display null-terminated ASCII strings
du display null-terminated Unicode strings
d* [range]
[range] Example
\ \ db 77cac000 77cac0ff
\ L\ dd 77cac000  L10
\ will display 128 bytes
0x192 Editing Memory
e[d|w|b] 
 [ ... ]
d = dword, w = word, b = byte
ed eip cc cc This overwrites the first two dwords at the address in eip with the value 0xCC
0x193 Searching Memory
s [-d|-w|-b|-a|-u]  L? 
0x1A Miscellaneous Commands
0x1A1 Pointer
dd poi(ebp+4)
0x1A2
Command Description
r display the register
u unassemble
u EIP L3 print the first 3 instrutions
k display the call stack
0x1A3 Dumping Structures
Command Description
!teb Displays the TEB (Thread Environment Block).
$teb Address of the TEB.
!peb Displays the PEB (Process Environment Block).
$peb Address of the PEB.
!exchain Displays the current exception handler chain.
!vadump Displays the list of memory pages and info.
!lmi \ Displays information for the specified module.
!slist \ 
[ \ [\] ] Displays a singly-linked list, where: 
 is the address of the pointer to the first node of the list 


 is the name of the structure of the nodes 

 is the offset of the field “next” within the node
dt \ Displays the structure .
dt \ \ Displays the field  of the structure \.
dt \ \ Displays the data at \ as a structure of type \ (you needsymbols for \).
dg \[\] Displays the segment descriptor for the specified selectors.


类普通继承的内存模型
2021-11-11T16:00:00.000Z
类普通继承的内存模型
测试环境
VS2019 x64    
关闭优化、关闭仅支持我的代码调试
IDA7.6
工具
通过这两个工具查看内存模型
开发者命令行
cd {存储的cpp文件夹}
cl /d1reportSingleClassLayout{类名} Main.cpp
根据文字结构图形，查看类的内存分布
VS自带调试器
自带模型分布结构和内存查看。
普通继承与多继承
类成员基础模型：
了解类成员和类成员函数基础布局。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
#include
using namespace std;

class NewBase {
public:
void Go(){ cout << "this is Base  " << endl; };
private:
int m_a;
};

int main(int argc, char* argv[])
{
NewBase* base = new NewBase( );
base->Go( );

system("pause");
return 0;
}
此类内部值包含了成员函数和一个成员类。且调用了一次GO();
而在内存对象模型中，该函数是直接静态绑定的。
通过调试器查看内存布局，内中只存在m_a，而函数GO（）不在。
而在反汇编中可直接看到直接去调用的静态函数，并没有去使用指针什么的加上偏移值调用。
指针与直接调用类函数的区别1：
增加成员变量，查看指针调用和引用函数的不同。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
#include
using namespace std;

class NewBase {
public:
void Go(){ cout << "this is Base  " << endl; };
public:
int m_b;
int m_a;
};

int main(int argc, char* argv[])
{
NewBasebase2;
base2.m_b = 0;
base2.m_a = 1;
auto *pt = &base2;
pt->m_a = 2;

base2.Go( );
pt->Go( );
}
从调试器可知二者地址相同。而在成员函数的二者也如初一致，通过首地址（this指针）加上偏移为成员变量进行赋值。函数调用上也是一致的，将指向类头部的地址赋予rcx（this指针)，然后进行调用。
指针与直接调用类函数的区别2：
根据《深入探索C++对象模型》3.3描述，当子类继承的是虚类（virtual base class），子类指针进行调用时，会出现延迟性绑定。什么是延迟性绑定写个测试样例看看汇编好了。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
#include
using namespace std;


class NewBase {
public:
//void Go(){ cout << "this is Base  " << endl; };
virtual void Go( ) = 0;
public:
int m_b;
int m_a;
};
class NewSub:public NewBase
{
public:
//void Go( ) { cout << "this is NewSub  " << endl; }
void Go( ) { m_c += 1; }
public:
int m_c;

};
int main(int argc, char* argv[])
{

NewSubsub;
sub.m_b = 0;
sub.m_a = 1;
auto *pt = ⊂
pt->m_c = 2;

sub.Go( );
pt->Go( );
}
着重看看MSVC编译后函数调用汇编代码。
1号直接是直接通过NewSub类型进行调用，采用了静态绑定，直接call全局地址。
2号框通过两层偏移获取最后的rax，然后rcx=this指针，最后call [rax]。
从下图中可以看出大致的内存布局，头部有一个八字节的_vfptr虚表指针，剩余3个分别是四字节的成员。并且该成员的排布符合声明顺序，且基类的成员函数在前，可能也是为了之后的指针访问提供遍历。
再看看虚表指针指向的结构，表中包含一个函数地址。
从IDA反汇编再看，vftable的地址处上方有RTTI结构体，下方则是成员函数
虚函数与多次继承与多态的反汇编及内存模型：
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
#include
using namespace std;

class VirtualBase
{
//Purevirtualfunctions
public:
VirtualBase( )
{
x = 1;
}
virtual void Demon( ) = 0;
virtualvoid Base( ) { cout << "this is father class" << endl; }
virtual void Base2( ) { cout << "this is father2 class" << endl; };
private:
long  x;
};

class VirtualBase2
{
//Purevirtualfunctions
public:
virtualvoid Base( ) { cout << "this is father class" << endl; }
private:
long  n = 5;
};

class SubVirtual :public VirtualBase {
public:

SubVirtual( )
{
y = 2;
}
void Demon( ) { cout << "SubVirtual Demon" << endl; };
//void Base( ) { cout << "this is SubVirtual class" << endl; };
private:
long  y;

};
class SubVirtual2 :public VirtualBase {
public:
SubVirtual2( )
{
z = 3;
}
void Demon( ) { cout << "SubVirtual2 Demon" << endl; };
void Base( ) { cout << "this is SubVirtual2 class" << endl; };
private:
long  z;
};



class SubVirtual3 :  public  VirtualBase,public VirtualBase2 {
public:
SubVirtual3( )
{
m = 4;
}
void Demon( ) { cout << "this is SubVirtual3 class" << endl; };
       virtual void VirtualFunction( )
{
cout << "111" << endl;
}
private:
long  m;
};


void call(VirtualBase* vb)
{
vb->Demon( );
vb->Base( );
vb->Base2( );
}


long  main(long  argc, char* argv[])
{

VirtualBase* sv = newSubVirtual( );
VirtualBase* sv2 = newSubVirtual2( );
SubVirtual3* sv3 = newSubVirtual3( );

sv3->VirtualFunction( );
    
call(sv);
cout << "======================" << endl;
call(sv2);
cout << "======================" << endl;
call(sv3);

system("pause");
return 0;
}
使用VS查看类的内存空间分布
通过在call函数头部打上断点，查看传入进来的对象。
sv
只是去实现了Demon虚函数，和上述内存结构一致。
sv2
与sv差距不大，重点看看虚表的不同：
SubVirtual2比SubVirtual多实现了一个Base（）虚函数。从__vfptr的指针我们可以看出，两个类分别维护了一个指向三个函数的虚表，且虚函数Base2( )都是没有实现的，所以指向的同一函数地址。虚表中存储的函数属于是按照基类的声明顺序存储。最后相当于访问vfptr指向的函数指针数组。
sv3
sv3使用了两个基类进行多重继承，结构简单明了,重叠结构通过内存查看即可得知简单的重叠结构，却发现自有的虚函数不见踪影。
查看该虚函数的调用过程可知自有的虚函数是在第一个的虚表指针中，偏移地址是第4个。
开发者命令行能完整地显示出来
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
Main.cpp

class SubVirtual3       size(20):
        +---
 0      | +--- (base class VirtualBase)
 0      | | {vfptr}
 4      | | x
         | +---
 8      | +--- (base class VirtualBase2)
 8      | | {vfptr}
12     | | n
         | +---
16     | m
        +---

SubVirtual3::$vftable@VirtualBase@:
         | &SubVirtual3_meta
         |  0
 0      | &SubVirtual3::Demon
 1      | &VirtualBase::Base
 2      | &VirtualBase::Base2
 3      | &SubVirtual3::VirtualFunction

SubVirtual3::$vftable@VirtualBase2@:
         | -8
 0      | &VirtualBase2::Base
VirtualBase
VirtualBase存在一个纯虚函数，从IDA中我们可以看到在这个RTTI的结构体下方有一个导入的purecall函数，根据和源码的对比可以发现这就是Demon纯虚函数的位置。根据官方解释，The default pure virtual function call error handler. The compiler generates code to call this function when a pure virtual member function is called.默认_purecall函数回去访问错误处理程序，也就是该函数被意外调用时，能处理掉异常。
Call()
写了一个Call去满足多态调用。多态我觉得简单来说就是。子类实现了基类的虚拟函数，然后用父类指针调用这些虚拟函数（接口）。因为有不同的子类函数实现，也就呈现了虚拟函数多种形态（多态）。
接下来看看Call的汇编，红框是获取虚表首地址和this指针，然后通过固定偏移Call函数。这符合VirtualBase的调用结构。
同时因为上述虚表指针都是在实体类的头部，按顺序维护着虚函数的实现，进一步方便了多态的实现与调用。



SysMon与Powershell
2021-10-27T16:00:00.000Z
SysMon与Powershell
https://www.socinvestigation.com/threat-hunting-using-sysmon-advanced-log-analysis-for-windows/
https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
通过引用的文章进行相关学习。
环境
Windows 10.0.19043
PowerShell 7.1.3
SysMon作用
监控进程所有活动
进程创建（完整命令行和hash)
进程终止
网络连接
驱动程序/DLL加载
文件创建时间戳改变
远程线程创建
磁盘写入
内存访问
SysMon简单原理
SysMon.exe
通过自身释放驱动文件，进行释放拷贝注册驱动运行。
获取到IRP的数据后，写入到日志中。
SysmonDrv.sys
通过微过滤框架，回调和通知进行日志记录。
SysMon增强与开源版本的SysMonX架构图如下：
https://github.com/marcosd4h/sysmonx
运行SysMon与监控流程
SysMon下载
https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon.
SysMon运行
管理员模式下运行.\Sysmon.exe -i -a -accepteula
事件ID描述参考
ID Tag
1 ProcessCreate Process Create : A detailed information about the process created
2 FileCreateTime File creation time Used to check integrity of file creationtime
3 NetworkConnect Network connection detected : Event logs TCP/UDP connections on the machine
4 Sysmon service state changed Sysmon service state change : The service state change event reports the state of the Sysmon service (started or stopped).
5 ProcessTerminate Process terminated : A detailed information about the process termination
6 DriverLoad Driver Loaded : A detailed information about the drive installed in addition with HASH value
7 ImageLoad Image loaded : The image loaded event logs when a module is loaded in a specific process
8 CreateRemoteThread CreateRemoteThread detected : Event detects when a process creates a thread in another process. This technique is used by malware to inject code and hide in other processes
9 RawAccessRead RawAccessRead detected : The RawAccessRead event detects when a process conducts reading operations from the drive using the \.\ denotation.
10 ProcessAccess Process accessed : The event reports when a process opens another process
11 FileCreate File created : File create operations are logged when a file is created or overwritte
12 RegistryEvent Registry object added or deleted : Registry key and value create and delete operations map to this event type,
13 RegistryEvent Registry value set : This Registry event type identifies Registry value modifications.
14 RegistryEvent Registry object renamed : This Registry event type identifies Registry value renamed
15 FileCreateStreamHash File stream created : This event logs when a named file stream is created, and it generates events that log the hash of the contents of the file to which the stream is assigned (the unnamed stream), as well as the contents of the named stream.
16 ServiceConfigurationChange Sysmon configuration change : Event triggered when Sysmon configuration change
17 PipeEvent Named pipe created : This event generates when a named pipe is created.
18 PipeEvent Named pipe connected : This event logs when a named pipe connection is made between a client and a server.
19 WmiEvent WMI filter : When a WMI event filter is registered
20 WmiEvent WMI consumer : This event logs the registration of WMI consumers
21 WmiEvent WMI consumer filter : When a consumer binds to a filter, this event logs the consumer name and filter path.
22 DNSQuery DNS query : This event is generated when a process executes a DNS query
23 FileDelete File Delete archived : A file was deleted. Additionally to logging the event, the deleted file is also saved in the ArchiveDirectory
24 ClipboardChange New content in the clipboard : This event is generated when the system clipboard contents change.
25 ProcessTampering Process image change : This event is generated when process hiding techniques such as “hollow” or “herpaderp” are being detected.
26 FileDeleteDetected File Delete logged : A file was deleted.
GUI事件查看
进入事件管理器进行查看，根据Id进行索引排序。
PowerShell过滤查询
以下都在命令行管理员模式下执行
获取Log
$test =  Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational"
Id过滤
$test | Where-Object {$_.Id -eq 1}
Message相关过滤
-like, -ilike 验证字符串包含关系，允许模式匹配，大小写不敏感 “PsTips.Net” -like “p*”
-clike 验证字符串包含关系，允许模式匹配，大小写敏感 “PsTips.Net” – clike “P*”
-notlike,-inotlike 验证字符串不包含关系，允许模式匹配，大小写不敏感 “PowerShell” -notlike “PS*”
-cnotlike 验证字符串不包含关系，允许模式匹配，大小写敏感 “PowerShell” -cnotlike “PO*
-eq, -ieq 验证是否相等，大小写不敏感 “Power” -eq “power”
-ceq 验证是否相等，大小写敏感 “Power” -eq “Power”
$test | Where-Object {$_.Message -like "*chrome*"}
XML配置过滤
简单模板如下：
NetworkConnect -> include->chrome.exe
只收集chrome.exe的网络连接
1
2
3
4
5
6
7
<Sysmon schemaversion="4.1">
  <EventFiltering>
<NetworkConnect onmatch="include">
  <Image condition="contains">chrome.exeImage>
NetworkConnect>
  EventFiltering>
Sysmon>
效果如图所示
详细配置查看微软官方文档https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon。


IDAPython入门
2021-10-02T16:00:00.000Z
IDAPython
IDAPython 版本移植
IDAPython py2移植到py3版本
 https://hex-rays.com/products/ida/support/ida74_idapython_no_bc695_porting_guide.shtml
代码参考
参考博客
 http://pwn4.fun/2016/10/29/IDAPython-Learning-part1/
环境
IDAPRO_7.5
Python_3
目的
批量解密字符串，并进行注释，方便后期逆向。
通过参考上述博客代码，完成上述目标。
解密思路
通过解密函数的交叉引用，获取到调用解密函数的各个地址。并获取其参数，通过自解密，并进行注释。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
def Final(name):
    address = getAddress(name)
    list_xref = list()
    #通过交叉引用获取引用的地址
    for xref in XrefsTo(address, 0):
    #    print(xref.type, XrefTypeName(xref.type), 'from', hex(xref.frm), 'to', hex(xref.to))
        list_xref.append(hex(xref.frm))
    #print(list_xref)
    for i in list_xref:    
        addr = eval(i)
        tmp_str = Decrypt(get_function_arg(addr))
        if tmp_str != "":
            print(tmp_str)
            print(addr)
            addDecompilerComment(addr,tmp_str)
库导入
1
2
3
import idc
import idaapi
import idautils
解密函数
1
2
3
4
5
def Decrypt(encrypt_str) -> str :
    plaintext= ""
    # dosomething.....
    
    return plaintext
获取解密函数的函数参数
这里是通过匹配opcode获取到参数地址。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
#00014000139F 2768 48 8D 0D 5A 82 01 00  lea     rcx, XXXX ; "XXXXXX"
def get_function_arg(addr):
    tmp_str = ""
    for i in range(30):
        #获取上一个命令头部地址
        addr = idc.prev_head(addr)
        # 获取前一个操作符 获取操作数
        # 匹配第一个和第二个opcode
        if idc.print_insn_mnem(addr) == "lea" and idc.print_operand(addr,0) == "rcx":
            #获取第二操作数地址
            tmp = idc.get_operand_value(addr,1)
            stmp = idc.get_strlit_contents(tmp)
            #判断是否为空
            if stmp ==  None:
                break
            tmp_str = idc.get_strlit_contents(tmp).decode("utf-8")
            # print("found it at 0x{} | str: {}".format(tmp,stmp))
            break
    return tmp_str
根据函数名获取其地址
1
2
3
#根据函数名获取地址
def getAddress(name):
    return eval(hex(idc.get_name_ea_simple(name)))
注释
满足F5注释和反汇编注释
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
# 注释
def addDecompilerComment(addr, comment):
    #反汇编注释
    idc.set_cmt(addr,comment,True)

    #F5 注释
    cfunc = idaapi.decompile(addr)
    eamap = cfunc.get_eamap()
    decompObjAddr = eamap[addr][0].ea
    tl = idaapi.treeloc_t()
    tl.ea = decompObjAddr
    commentSet = False
    for itp in range (idaapi.ITP_SEMI, idaapi.ITP_COLON):
        tl.itp = itp
        cfunc.set_user_cmt(tl, comment)
        cfunc.save_user_cmts()
        unused = cfunc.__str__()
        if not cfunc.has_orphan_cmts():
            commentSet = True
            cfunc.save_user_cmts()
            break
        cfunc.del_orphan_cmts()
    if not commentSet:
        print ("pseudo comment error at %08x" % addr)
最终拼在一起
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
#!python3

import idc
import idaapi
import idautils

def Decrypt(encrypt_str) -> str :
    plaintext= ""
    #dosomething.......

    return plaintext

# 注释
def addDecompilerComment(addr, comment):
    #反汇编注释
    idc.set_cmt(addr,comment,True)

    #F5 注释
    cfunc = idaapi.decompile(addr)
    eamap = cfunc.get_eamap()
    decompObjAddr = eamap[addr][0].ea
    tl = idaapi.treeloc_t()
    tl.ea = decompObjAddr
    commentSet = False
    for itp in range (idaapi.ITP_SEMI, idaapi.ITP_COLON):
        tl.itp = itp
        cfunc.set_user_cmt(tl, comment)
        cfunc.save_user_cmts()
        unused = cfunc.__str__()
        if not cfunc.has_orphan_cmts():
            commentSet = True
            cfunc.save_user_cmts()
            break
        cfunc.del_orphan_cmts()
    if not commentSet:
        print ("pseudo comment error at %08x" % addr) 

#根据函数名获取地址
def getAddress(name):
    return eval(hex(idc.get_name_ea_simple(name)))

#获取函数参数
#00014000139F 2768 48 8D 0D 5A 82 01 00                               lea     rcx, a8qlnxjy0bgkb9g ; "8QLnXjY0bgkb9GEb94eR9E"
def get_function_arg(addr):
    tmp_str = ""
    for i in range(30):
        #获取上一个命令头部地址
        addr = idc.prev_head(addr)
        # 获取前一个操作符 获取操作数
        if idc.print_insn_mnem(addr) == "lea" and idc.print_operand(addr,0) == "rcx":
            #获取第二操作数地址
            tmp = idc.get_operand_value(addr,1)
            stmp = idc.get_strlit_contents(tmp)
            #判断是否为空
            if stmp ==  None:
                break
            tmp_str = idc.get_strlit_contents(tmp).decode("utf-8")
            # print("found it at 0x{} | str: {}".format(tmp,stmp))
            break
    return tmp_str

def Final(name):
    address = getAddress(name)
    list_xref = list()
    #通过交叉引用获取引用的地址
    for xref in XrefsTo(address, 0):
    #    print(xref.type, XrefTypeName(xref.type), 'from', hex(xref.frm), 'to', hex(xref.to))
        list_xref.append(hex(xref.frm))
    #print(list_xref)
    for i in list_xref:    
        addr = eval(i)
        tmp_str = Decrypt(get_function_arg(addr))
        if tmp_str != "":
            print(tmp_str)
            print(addr)
            addDecompilerComment(addr,tmp_str)
    
def main():
    #输入解密函数名
    Final("DecryptString")
        
main()



SSDT 查找与HOOK
2021-10-01T16:00:00.000Z
SSDT 查找与HOOK
在内存中进行Hook，需要使用低版本或者32位的Windows版本，或者关闭掉了PatchGuard，或者一些其他的漏洞进行Hook。
x64支持的编译器内部函数
一些封装好的操作，开中断，关中断等，不用额外写汇编函数。
https://docs.microsoft.com/zh-cn/cpp/intrinsics/x64-amd64-intrinsics-list?view=msvc-160
环境
VM -> Windows7 sp1 x64
VS2019 wdk1903 
InlineHook
不适用汇编的情况，采用填充shellcode进行Hook。
以NtOpenProcess为列，进行Hook的大概思路为以下几点：
获取NtOpenProcess的地址。
1
PVOID pApiAddr = MmGetSystemRoutineAddress(&puApiName);
   原函数如下
   1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
//PAGE:00000001403532EC                                         ; NTSTATUS __stdcall NtOpenProcess(PHANDLE ProcessHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID ClientId)
//PAGE:00000001403532EC                                         public NtOpenProcess
//PAGE : 00000001403532EC                                         NtOpenProcess proc near
//PAGE : 00000001403532EC
//PAGE : 00000001403532EC                                         var_18 = byte ptr - 18h
//PAGE : 00000001403532EC                                         PreviousMode = byte ptr - 10h
//PAGE : 00000001403532EC
//PAGE : 00000001403532EC 000 48 83 EC 38                         sub     rsp, 38h
//PAGE : 00000001403532F0 038 65 48 8B 04 25 88 01 00 00          mov     rax, gs:188h
//PAGE : 00000001403532F9 038 44 8A 90 F6 01 00 00                mov     r10b, [rax + 1F6h]
//PAGE:0000000140353300 038 44 88 54 24 28                      mov[rsp + 38h + PreviousMode], r10b; PreviousMode
//PAGE : 0000000140353305 038 44 88 54 24 20                      mov[rsp + 38h + var_18], r10b; char
//PAGE : 000000014035330A 038 E8 51 FC FF FF                      call    PsOpenProcess
//PAGE : 000000014035330F 038 48 83 C4 38                         add     rsp, 38h
//PAGE : 0000000140353313 000 C3                                  retn
保存Hook前的旧代码，并拷贝到内存空间中。
1
2
3
4
5
6
7
8
9
pOldCode = ExAllocatePool(NonPagedPool, 0x100);

if (!pOldCode) {
    DbgPrint("ExAllocatePool Failed!\n");
}
//进行旧数据保存
RtlZeroMemory(pOldCode, 0x100);

RtlCopyMemory(pOldCode, pApiAddr, 12);
在上述旧代码内存之后，构造一份跳回到原函数的汇编。
跳转代码使用0xFF25进行跳转，避免了寄存器的污染。
1
2
//00007FF95BB10935 | FF25 00000000 | jmp qword ptr ds : [7FF95BB1093B] |
//00007FF95BB1093B | 1111 | adc dword ptr ds : [rcx] , edx |
1
2
3
4
5
CHAR SpringBoard[14] = { 0xFF,0x25,0x00,0x00,0x00,0x00,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11};

*((PULONG64)(SpringBoard + 6)) = (ULONG64)pApiAddr + 13;
    //辅助跳板构建
 RtlCopyMemory((PVOID)((ULONG64)pOldCode + 13), SpringBoard, sizeof(SpringBoard));
将NtOpenProcess的头部进行Hook，跳转到自己的函数中。
1
2
3
4
5
6
7
8
9
10
11
12
CHAR JmpCode[12] = { 0x48,0xB8,0x22,0x22,0x22,0x22,0x11,0x11,0x11,0x11,0xFF,0xE0 };

*((PULONG64)(JmpCode+2)) = (PULONG64)MyNtOpenProcess;

//提升中断权限
OldIrql = UpIRQL();

//Hook
RtlCopyMemory(pApiAddr, JmpCode, sizeof(JmpCode));

//降低中断权限
DownIRQL(OldIrql);
卸载驱动后，将原代码进行恢复。
示例
https://github.com/aW3ikun/Windows-Kernel-Driver-Programming-Practice/blob/master/SSDT_HOOK/main.c
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
#include

//Windows7 sp1

//PAGE:00000001403532EC                                         ; NTSTATUS __stdcall NtOpenProcess(PHANDLE ProcessHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID ClientId)
//PAGE:00000001403532EC                                         public NtOpenProcess
//PAGE : 00000001403532EC                                         NtOpenProcess proc near
//PAGE : 00000001403532EC
//PAGE : 00000001403532EC                                         var_18 = byte ptr - 18h
//PAGE : 00000001403532EC                                         PreviousMode = byte ptr - 10h
//PAGE : 00000001403532EC
//PAGE : 00000001403532EC 000 48 83 EC 38                         sub     rsp, 38h
//PAGE : 00000001403532F0 038 65 48 8B 04 25 88 01 00 00          mov     rax, gs:188h
//PAGE : 00000001403532F9 038 44 8A 90 F6 01 00 00                mov     r10b, [rax + 1F6h]
//PAGE:0000000140353300 038 44 88 54 24 28                      mov[rsp + 38h + PreviousMode], r10b; PreviousMode
//PAGE : 0000000140353305 038 44 88 54 24 20                      mov[rsp + 38h + var_18], r10b; char
//PAGE : 000000014035330A 038 E8 51 FC FF FF                      call    PsOpenProcess
//PAGE : 000000014035330F 038 48 83 C4 38                         add     rsp, 38h
//PAGE : 0000000140353313 000 C3                                  retn

//00007FF9959406C0 | 48:B8 2222222211111111                 | mov rax,1111111122222222                                    |
//00007FF9959406CA | FFE0 | jmp rax |

//00007FF95BB10935 | FF25 00000000 | jmp qword ptr ds : [7FF95BB1093B] |
//00007FF95BB1093B | 1111 | adc dword ptr ds : [rcx] , edx |
//00007FF95BB1093D | 1111 | adc dword ptr ds : [rcx] , edx |
//00007FF95BB1093F | 1111 | adc dword ptr ds : [rcx] , edx |
//00007FF95BB10941 | 1111 | adc dword ptr ds : [rcx] , edx |

typedef NTSTATUS (*pNtOpenProcess)(
PHANDLE            ProcessHandle,
ACCESS_MASK        DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes,
PCLIENT_ID         ClientId
);

PVOID pOldCode = NULL;

PULONG64 ReturnCode = NULL;

PVOID pApiAddr = NULL;

NTSTATUS MyNtOpenProcess(PHANDLE ProcessHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID ClientId);

KIRQLUpIRQL();

VOIDDownIRQL(KIRQL OldIrql);

VOIDRestoreCode();

VOIDDriverUnload(PDRIVER_OBJECT pDriverObject)
{
DbgPrint("UnLoad\n");
//恢复钩子
RestoreCode();
//释放创建的内存
ExFreePool(pOldCode, 0x100);

return;
}

NTSTATUSDriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegPath)
{
pDriverObject->DriverUnload = DriverUnload;

NTSTATUS status = STATUS_SUCCESS;

CHAR JmpCode[12] = { 0x48,0xB8,0x22,0x22,0x22,0x22,0x11,0x11,0x11,0x11,0xFF,0xE0 };

CHAR SpringBoard[14] = { 0xFF,0x25,0x00,0x00,0x00,0x00,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11};

UNICODE_STRING puApiName = { 0 };

KIRQL OldIrql = 0;

RtlInitUnicodeString(&puApiName, L"NtOpenProcess");
//获取函数地址
pApiAddr = MmGetSystemRoutineAddress(&puApiName);

if (pApiAddr == NULL) {
return STATUS_NOT_FOUND;
}

//构建shellcode
*((PULONG64)(JmpCode+2)) = (PULONG64)MyNtOpenProcess;

*((PULONG64)(SpringBoard + 6)) = (ULONG64)pApiAddr + 13;

pOldCode = ExAllocatePool(NonPagedPool, 0x100);

if (!pOldCode) {
DbgPrint("ExAllocatePool Failed!\n");
}
//进行旧数据保存
RtlZeroMemory(pOldCode, 0x100);

RtlCopyMemory(pOldCode, pApiAddr, 12);

//辅助跳板构建
RtlCopyMemory((PVOID)((ULONG64)pOldCode + 13), SpringBoard, sizeof(SpringBoard));

//提升中断权限
OldIrql = UpIRQL();
//Hook
RtlCopyMemory(pApiAddr, JmpCode, sizeof(JmpCode));

//降低中断权限
DownIRQL(OldIrql);

return status;
}

NTSTATUS MyNtOpenProcess(PHANDLE ProcessHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID ClientId)
{
if (ClientId->UniqueProcess == 3628) 
{
DbgPrint("OpenProcess Pid:%d\n", ClientId->UniqueProcess);

return STATUS_ACCESS_DENIED;
}

pNtOpenProcess pFunc = pOldCode;

return pFunc(ProcessHandle, DesiredAccess, ObjectAttributes, ClientId);
}

//提升中断权限，防止被打断
//关闭写保护 操作Cr0标志位
//关中断 当前执行不被中断
KIRQL UpIRQL()
{
KIRQL OldIrql = KeRaiseIrqlToDpcLevel();

UINT64 cr0 = __readcr0();

cr0 &= 0xfffffffffffeffff;

__writecr0(cr0);

_disable();

return OldIrql;
}
//恢复中断短线
//打开写保护
//开中断
VOID DownIRQL(KIRQL OldIrql)
{
KeLowerIrql(OldIrql);

UINT64 cr0 = __readcr0();

cr0 |= 0x10000;

__writecr0(cr0);

_enable();

return;
}
VOIDRestoreCode() {

KIRQL OldIrql = UpIRQL();

RtlCopyMemory(pApiAddr, pOldCode, 12);

DownIRQL(OldIrql);
return;
}
SSDT 结构
1
2
3
4
5
6
typedef struct _KSERVICE_TABLE_DESCRIPTOR {
PULONG_PTR ServiceTableBase;//SSDT基址
PVOID ServiceCounterTableBase;//SSDT中服务被调用次数计数器
ULONG NumberOfService;//SSDT服务个数
PUCHAR ParamTableBase;
} KSERVICE_TABLE_DESCRIPTOR, * PKSERVICE_TABLE_DESCRIPTOR;
获取SSDT
根据序列号获取特定函数地址
根据MSR寄存器获取到KiSystemCall64的地址。
通过特征码搜寻lea r10, 动态获取到SSDT的地址
根据结构体获取到基址，再通过计算相加得到最终的函数地址。
示例
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
NTSTATUS FindSSDT() {
NTSTATUSstatus = STATUS_SUCCESS;
PUCHARpSystemCall = 0;
ULONGuCodeOffset = 0;
ULONGuFuncOffset = 0;
PULONGuFuncNum = 0;
DWORD dwNum = 2;
PKSERVICE_TABLE_DESCRIPTOR KeServiceDescriptorTable = NULL;
PULONG_PTR pBaseAddr = NULL;
ULONG64 pFuncAddr = NULL;


pSystemCall = (PUCHAR)__readmsr(0xC0000082);

//.text:FFFFF80003E98772                                         KiSystemServiceRepeat:                  ; CODE XREF: KiSystemCall64+47B↓j
//.text:FFFFF80003E98772 000 4C 8D 15 C7 20 23 00                lea     r10, KeServiceDescriptorTable
for (int i = 0; i < 1000; i++) {
if (*(pSystemCall + i) == 0x4c && *(pSystemCall + i + 1) == 0x8D && *(pSystemCall + i + 2) == 0x15) {
pSystemCall += i;
uCodeOffset = *((PULONG32)(pSystemCall + 3));
KeServiceDescriptorTable = (PKSERVICE_TABLE_DESCRIPTOR)((ULONG64)pSystemCall + 7 + uCodeOffset);

break;
}
}

pBaseAddr = KeServiceDescriptorTable->ServiceTableBase;
uFuncNum = (PULONG)pBaseAddr;
uFuncOffset = uFuncNum[dwNum] >> 4;
pFuncAddr = (ULONG64)pBaseAddr + uFuncOffset;

DbgPrint("Function Address: %p\n", pFuncAddr);

return status;
}
进阶
通用SSDT获取
遍历NT函数地址
ldr遍历
win10 1903
通过PEB结构体中的_PEB_LDR_DATA中的InLoadOrderModuleList双向链表进行模块遍历
1
2
3
4
5
6
7
8
9
10
11
dt _PEB_LDR_DATA
nt!_PEB_LDR_DATA
   +0x000 Length           : Uint4B
   +0x004 Initialized      : UChar
   +0x008 SsHandle         : Ptr64 Void
   +0x010 InLoadOrderModuleList : _LIST_ENTRY
   +0x020 InMemoryOrderModuleList : _LIST_ENTRY
   +0x030 InInitializationOrderModuleList : _LIST_ENTRY
   +0x040 EntryInProgress  : Ptr64 Void
   +0x048 ShutdownInProgress : UChar
   +0x050 ShutdownThreadId : Ptr64 Void
    代码参考：https://www.0xaa55.com/thread-25915-1-1.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
VOID EnumerateModule(HANDLE hPid)
{
    KAPC_STATE ks;
    PEPROCESS eproc = LookupProcess(hPid);
    if (eproc == NULL)
    {
        DbgPrint("Can't find the EPROCESS...\n");
        return;
    }
 
 
    __try
    {
        // Get the peb address, the PEB structure in the EPROCESS is a pointer to PEB, named PPEB.
        // So the "(ULONG64)eproc + PEB_OFFSET_IN_EPROCESS" is the address the pointer to PEB.
        // And finally, use the "*" to get the address to the PEB structure.
        ULONG64 peb = *(PULONG64)((ULONG64)eproc + PEB_OFFSET_IN_EPROCESS);
 
        KeStackAttachProcess(eproc, &ks);
 
 
        // The LDR structure in PEB is also a pointer to PEB_LDR_DATA
        // So, "(ULONG64)peb + LDR_OFFSET_IN_PEB" is the address of pointer to PEB_LDR_DATA.
        // And the ULONG64 ldr is finally get the address of PEB_LDR_DATA structure.
        ULONG64 ldr = *(PULONG64)((ULONG64)peb + LDR_OFFSET_IN_PEB);
 
        // Get the address of "InLoadOrderModuleList" which in the PEB_LDR_DATA structure.
        PLIST_ENTRY pListHead = (PLIST_ENTRY)(ldr + InLoadOrderModuleList_OFFSET);
        PLIST_ENTRY pMod = pListHead->Flink;
 
        while (pMod != pListHead)
        {
            DbgPrint("Base=%p, Size=%ld, Path=%wZ\n",
                (PVOID)(((PLDR_DATA_TABLE_ENTRY)pMod)->DllBase),
                (ULONG)(((PLDR_DATA_TABLE_ENTRY)pMod)->SizeOfImage),
                &(((PLDR_DATA_TABLE_ENTRY)pMod)->FullDllName));
            pMod = pMod->Flink;
        }
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        DbgPrint("EXCEPTION_EXECUTE_HANDLER is occure...\n");
    }
    KeUnstackDetachProcess(&ks);
}
ZwQuerySystemInformation查询
通过ZwQuerySystemInformation查询系统模块（SystemModuleInformation），第一个即为nt模块地址信息，获取ImageBase。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
//Based on: http://alter.org.ua/docs/nt_kernel/procaddr
PVOIDUndocumented::GetKernelBase(PULONG pImageSize) {
typedef struct _SYSTEM_MODULE_ENTRY {
HANDLE Section;
PVOID MappedBase;
PVOID ImageBase;
ULONG ImageSize;
ULONG Flags;
USHORT LoadOrderIndex;
USHORT InitOrderIndex;
USHORT LoadCount;
USHORT OffsetToFileName;
UCHAR FullPathName[256];
} SYSTEM_MODULE_ENTRY, * PSYSTEM_MODULE_ENTRY;

#pragma warning(disable:4200)
typedef struct _SYSTEM_MODULE_INFORMATION {
ULONG Count;
SYSTEM_MODULE_ENTRY Module[0];
} SYSTEM_MODULE_INFORMATION, * PSYSTEM_MODULE_INFORMATION;

PVOID pModuleBase = NULL;
NTSTATUSstatus = STATUS_SUCCESS;
ULONGSystemInfoBuffersize = 0;
PSYSTEM_MODULE_INFORMATION pSystemModuleInfo = NULL;

status = Undocumented::ZwQuerySystemInformation(SystemModuleInformation,
&SystemInfoBuffersize,
0,
&SystemInfoBuffersize);
if (!SystemInfoBuffersize) {
DbgPrint("[-]ZwQuerySystemInformation GetLengthError\n");
return NULL;
}

pSystemModuleInfo = (PSYSTEM_MODULE_INFORMATION)RtlAllocateMemory(true, SystemInfoBuffersize * 2);
if (!pSystemModuleInfo) {
DbgPrint("[-]RtlAllocateMemory SystemModuleInfoError\n");
return NULL;
}

status = Undocumented::ZwQuerySystemInformation(SystemModuleInformation,
pSystemModuleInfo,
SystemInfoBuffersize * 2,
&SystemInfoBuffersize);
if (NT_SUCCESS(status)) {
pModuleBase = pSystemModuleInfo->Module[0].ImageBase;
if (pImageSize)
*pImageSize = pSystemModuleInfo->Module[0].ImageSize;
}
else {
DbgPrint("[-]ZwQuerySystemInformation SystemModuleInfoError\n");
}

RtlFreeMemory(pSystemModuleInfo);

return pModuleBase;
}
定位text代码开头
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
PVOIDSSDT::NtMoudleTextFind() {
ULONGKernelSize;
ULONG_PTRKernelBase = (ULONG_PTR)Undocumented::GetKernelBase(&KernelSize);
if (KernelBase == 0 || KernelBase == 0)
return NULL;

//查找.text段
PIMAGE_NT_HEADERS pNtHeader = RtlImageNtHeader((PVOID)KernelBase);
PIMAGE_SECTION_HEADERpSection = IMAGE_FIRST_SECTION(pNtHeader);
PIMAGE_SECTION_HEADERpTextSetion = NULL;
for (ULONG i = 0; i < pNtHeader->FileHeader.NumberOfSections; i++) {
char SectionName[IMAGE_SIZEOF_SHORT_NAME + 1] = { 0 };
RtlCopyMemory(SectionName, pSection->Name, IMAGE_SIZEOF_SHORT_NAME);
SectionName[IMAGE_SIZEOF_SHORT_NAME] = '\0';
//判断text段名
if (strncmp(SectionName, ".text", sizeof(".text") - sizeof(char)) == 0) {
pTextSetion = pSection;
}
pSection++;
}

return pTextSetion;
}
特征码查找
通过先查找KiSystemServiceStart函数特征码,然后往下遍历查找lea     r10, KeServiceDescriptorTable; //.text:FFFFF8046BDCDE1B 190 4C 8D 1D 5E 1C 3A 00特征即可定位。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
PSSDTStruct SSDT::SSDTFind() {
staticPSSDTStruct pSSDT = NULL;
ULONGKernelSize;
ULONG_PTRKernelBase = (ULONG_PTR)Undocumented::GetKernelBase(&KernelSize);
if (KernelBase == 0 || KernelBase == 0)
return NULL;

//获取nt模块text段地址
PIMAGE_SECTION_HEADERpTextSetion = (PIMAGE_SECTION_HEADER)NtMoudleTextFind();
if (pTextSetion == NULL)
return NULL;
//.text:FFFFF8046BDCDE00                                         KiSystemServiceStart : ; DATA XREF : KiServiceInternal + 5A↑o
//.text:FFFFF8046BDCDE00 190 48 89 A3 90 00 00 00                                mov[rbx + 90h], rsp; _KTHREAD.SystemCallNumber = rsp
//.text:FFFFF8046BDCDE07 190 8B F8                                               mov     edi, eax
//.text:FFFFF8046BDCDE09 190 C1 EF 07                                            shr     edi, 7; 除以128
//.text:FFFFF8046BDCDE0C 190 83 E7 20 and edi, 20h; 计算偏移号
//.text:FFFFF8046BDCDE0F 190 25 FF 0F 00 00 and eax, 0FFFh; GDI 系统调用（调用号 >= 0x1000
//.text:FFFFF8046BDCDE14
//.text:FFFFF8046BDCDE14                                         KiSystemServiceRepeat : ; CODE XREF : KiSystemCall64 + 8EE↓j
//.text:FFFFF8046BDCDE14 190 4C 8D 15 65 9A 3B 00                                lea     r10, KeServiceDescriptorTable; #pragma pack()
//.text:FFFFF8046BDCDE1B 190 4C 8D 1D 5E 1C 3A 00                                lea     r11, KeServiceDescriptorTableShadow
//查找KiSystemServiceStart特征码
constunsigned char KiSystemServiceStartPattern[] = { 0x8B, 0xF8, 0xC1, 0xEF, 0x07, 0x83, 0xE7, 0x20, 0x25, 0xFF, 0x0F, 0x00, 0x00 };
constULONGSignatureSize = sizeof(KiSystemServiceStartPattern);
BOOL Found = FALSE;
ULONGi;
for (i = 0; i < pTextSetion->Misc.VirtualSize - SignatureSize; i++) {
if (RtlEqualMemory((PUCHAR)(KernelBase + pTextSetion->VirtualAddress + i), KiSystemServiceStartPattern, SignatureSize) == TRUE) {
Found = TRUE;
break;
}
}
if (!Found)
return NULL;

//.text:FFFFF8046BDCDE14 190 4C 8D 15 65 9A 3B 00                                lea     r10, KeServiceDescriptorTable; #pragma pack()
//获取KeServiceDescriptorTable的相对偏移值
ULONG_PTR LeaR10 = KernelBase + pTextSetion->VirtualAddress + i + SignatureSize;
LONGSSDTOffset = 0;
if ((*(PUCHAR)LeaR10 == 0x4c) &&
(*(PUCHAR)(LeaR10 + 1) == 0x8D) &&
(*(PUCHAR)(LeaR10 + 2) == 0x15)) {
SSDTOffset = *(PLONG)(LeaR10 + 3);
}
if (SSDTOffset == 0)
return NULL;

pSSDT = (PSSDTStruct)(LeaR10 + SSDTOffset + 7);
#ifdef _DEBUG
DbgPrint("[+]SSDTAddress:0x%p\n",pSSDT);
#endif // _DEBUG


return pSSDT;
}
    
通用查找ShadowSSDT
ShadowSSDT在SSDT的命令下方，且存在一个SSDT结构体的的间隙。
相同模式直接获取ShadowSSDT地址，但是需要使用KeStackAttachProcess附加到图形界面程序，再获取响应函数，还有一种是通过符号进行函数地址获取，不多赘述。
与SSDTFind()不同之处，红色标识了地方。
完整代码
https://github.com/aW3ikun/Windows-Kernel-Driver-Programming-Practice/tree/master/SSDT_HOOK


TDI网络过滤驱动初探
2021-09-14T16:00:00.000Z
TDI网络驱动适用于Windows2000->Win7,Windows7之后的系统最好使用WFP。
TDI位于传输层的过滤。
TDI网络驱动架构
https://blog.csdn.net/maomao171314/article/details/22917131
一个大致的从上到下的网络驱动模型如下图所示
=======================================
应用程序 socket api ⇓
WS2_32.dll socket irp ⇓ 
Afd.sys tdi irp ⇓ Build_irp-> TDI编程
Tcpip.sys 回调函数接口 ⇓ 实现协议（NDIS驱动）
各Ndis中间层过滤驱动 回调函数接口 ⇓
小端口驱动中断交互操作 ⇓
网卡
=======================================
TDI就是链接协议层和应用层的接口。
可以每一层之间再插上一层，实现过滤。
创建设备 实现IRP
实现TDI过滤的话，
需要创建一个网络设备。
1
status = IoCreateDevice(pDriverObject, 0, NULL, FILE_DEVICE_NETWORK, FILE_DEVICE_SECURE_OPEN, FALSE, &pfilterdevobj);
需要自定义IRP_MJ_INTERNAL_DEVICE_CONTROL的IRP分发函数，
1
2
3
4
for (int i = 0; i < IRP_MJ_MAXIMUM_FUNCTION; i++) {
pDriverObject->MajorFunction[i] = NotSupport;
}
pDriverObject->MajorFunction[IRP_MJ_INTERNAL_DEVICE_CONTROL] = MyDispatch;
使用IoAttachDevice绑定设备，例如\\Device\\Tcp,\\Device\\Udp等.
 1
2
//第三个参数是下层设备的指针
status = IoAttachDevice(pfilterdevobj, &devicename, &pdodevobj);
不使用的IRP一定要数据传递给下一层。
 1
2
3
4
5
6
NTSTATUS NotSupport(DEVICE_OBJECT* pDeviceObject, IRP* pIrp) {
    //递增跳过，让下一层拿到当前的数据
    IoSkipCurrentIrpStackLocation(pIrp);
    //一定要使用AttachDevice后的下层驱动设备指针
    return IoCallDriver(pdodevobj, pIrp);
}
进行过滤操作的IRP最后要将数据传递给下一层。
通过绑定后的设备进行判断，通过MinorFunction的操作数进行操作的分发和过滤。
 就能达到所有网络类型的过滤。
代码示例
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
#include
#include
#include
#include

#define  HTONS(A) (((A&0xff00) >> 8) | ((A&0x00ff) << 8))
//Windows7
PDEVICE_OBJECT pfilterdevobj = NULL;

PDEVICE_OBJECT pdodevobj = NULL;

BOOLEAN g_attachTcp = FALSE;

NTSTATUS MyDispatch(DEVICE_OBJECT* DeviceObject, IRP* pIrp);
NTSTATUS NotSupport(DEVICE_OBJECT* DeviceObject, IRP* pIrp);

typedef struct _NETWORK_ADDRESS {
UCHAR address[4];
CHAR port[4];
}NETWORK_ADDRESS,*PNETWORK_ADDRESS;

VOID DriverUnload(PDRIVER_OBJECT pDriverObject) {
//__debugbreak();
DbgPrint("UnLoad\n");

if (g_attachTcp) {
IoDetachDevice(pdodevobj);
}
if (pfilterdevobj != NULL) {
IoDeleteDevice(pfilterdevobj);
}
return;
}

NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegPath) {
pDriverObject->DriverUnload = DriverUnload;

NTSTATUS status = STATUS_SUCCESS;

UNICODE_STRING devicename = { 0 };
//__debugbreak();
do {
status = IoCreateDevice(pDriverObject, 0, NULL, FILE_DEVICE_NETWORK, FILE_DEVICE_SECURE_OPEN, FALSE, &pfilterdevobj);

if (!NT_SUCCESS(status)) {
DbgPrint("Error Create %x\n", status);
break;
}

for (int i = 0; i < IRP_MJ_MAXIMUM_FUNCTION; i++) {
pDriverObject->MajorFunction[i] = NotSupport;
}
pDriverObject->MajorFunction[IRP_MJ_INTERNAL_DEVICE_CONTROL] = MyDispatch;

RtlInitUnicodeString(&devicename, L"\\Device\\Tcp");
//__debugbreak();
//第三个参数是下层设备的指针
status = IoAttachDevice(pfilterdevobj, &devicename, &pdodevobj);

if (!NT_SUCCESS(status)) {
DbgPrint("Error Attach %x\n", status);

IoDeleteDevice(pfilterdevobj);

break;
}
g_attachTcp = TRUE;
} while (FALSE);

return status;

}
NTSTATUS NotSupport(DEVICE_OBJECT* pDeviceObject, IRP* pIrp) {
//递增跳过，让下一层拿到当前的数据
IoSkipCurrentIrpStackLocation(pIrp);
//一定要使用AttachDevice后的下层驱动设备指针
return IoCallDriver(pdodevobj, pIrp);
}

NTSTATUS MyDispatch(DEVICE_OBJECT* pDeviceObject, IRP* pIrp) {
//DbgPrint("This Is Filter\n");
PIO_STACK_LOCATION pIrpStack = NULL;
//判断是否是当前的过滤设备
if (pDeviceObject == pfilterdevobj) {
pIrpStack = IoGetCurrentIrpStackLocation(pIrp);

if (pIrpStack == NULL) {
return STATUS_UNSUCCESSFUL;
}
//MajorFunction 对应IRP_MJ_XXXX
//MinorFunction 对应定义的其他请求

if (pIrpStack->MinorFunction == TDI_CONNECT) {
NETWORK_ADDRESS network = { 0 };

PTDI_REQUEST_KERNEL_CONNECT param = (PTDI_REQUEST_KERNEL_CONNECT)(&pIrpStack->Parameters);

PTA_ADDRESS remote_addr = ((TRANSPORT_ADDRESS*)(param->RequestConnectionInformation->RemoteAddress))->Address;

PTDI_ADDRESS_IP tdi_addr = (PTDI_ADDRESS_IP)(remote_addr->Address);

DWORD address = tdi_addr->in_addr;

DWORD port = tdi_addr->sin_port;

network.address[0] = ((PUCHAR)&address)[0];

network.address[1] = ((PUCHAR)&address)[1];

network.address[2] = ((PUCHAR)&address)[2];

network.address[3] = ((PUCHAR)&address)[3];

port = HTONS(port);

DbgPrint("connect ip address [%d.%d.%d.%d:%d]\n", network.address[0],network.address[1],network.address[2],network.address[3],port);
}
}

//递增跳过，让下一层拿到当前的数据
IoSkipCurrentIrpStackLocation(pIrp);
//一定要使用AttachDevice后的下层驱动设备指针
return IoCallDriver(pdodevobj, pIrp);
}



枚举注册表和进程回调以及去保护
2021-09-11T16:00:00.000Z
对抗注册表保护
通过CmUnRegisterCallback的CallbackListHead全局变量，然后进行调试分析。可分析处如下截图。
CallbackListHead使用了一个这样的结构体进行数据存储。
https://www.write-bug.com/article/2318.html
1
2
3
4
5
6
7
typedef struct {
LIST_ENTRY listentry;
ULONG64 unknown;
LARGE_INTEGER  cookie;
ULONG64 context;
ULONG64 function;
}CM_NOTIFY_ENTRY,*PCM_NOTIFY_ENTRY;
找到回调函数地址后
进行头部patch
使用卸载函数加Cookie参数。
将CmpCallBackCount清零。
示例
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
VOID EnumRegisterCallback() {
UNICODE_STRING apiname = { 0 };

PUCHAR apiaddr = NULL;

PLONG64 CallbackListHead = NULL;

PCM_NOTIFY_ENTRY tempNotifyEntry = NULL;

PCM_NOTIFY_ENTRY pNotifyEntry = NULL;

LONG offset = 0;

int i = 0;

LARGE_INTEGER lNum[50] = { 0 };

RtlInitUnicodeString(&apiname, L"CmUnRegisterCallback");

apiaddr = MmGetSystemRoutineAddress(&apiname);

if (!apiaddr) {
DbgPrint("Not Found CmUnRegisterCallback\n");
return;
}

DbgPrint("CmUnRegisterCallback addr %p\n", apiaddr);

//0B8 48 8D 0D 06 D8 C3 FF                                lea     rcx, CallbackListHead

for (int i = 0; i < 1000; i++) {
if (*(apiaddr + i) == 0x48 && *(apiaddr + i + 1) == 0x8D && *(apiaddr + i + 2) == 0x0D) {
apiaddr = apiaddr + i;

offset = *(PLONG32)(apiaddr + 3);

CallbackListHead = apiaddr + 7 + offset;


break;
}
}
DbgPrint("%p\n", CallbackListHead);

pNotifyEntry = tempNotifyEntry = *CallbackListHead;
do
{
if (MmIsAddressValid((PVOID)(tempNotifyEntry->function))) {

DbgPrint("[CmRegCallBack] FuncAddr: %p,Cookie: %p\n", tempNotifyEntry->function, tempNotifyEntry->cookie.QuadPart);

//函数卸载
lNum[i] = tempNotifyEntry->cookie;

i++;
}

tempNotifyEntry = tempNotifyEntry->listentry.Flink;

} while (tempNotifyEntry->listentry.Flink != pNotifyEntry);

//__debugbreak();
//函数卸载
for (i = 0;i < 50;i++) {
if (lNum[i].QuadPart == 0) {
break;
}
CmUnRegisterCallback(lNum[i]);

}
return;
}
对抗进程保护
通过类型对象POBJECT_TYPE的结构进行枚举。
通过CallbackList结构体进行枚举。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
1: kd> dt _OBJECT_TYPE
nt!_OBJECT_TYPE
   +0x000 TypeList         : _LIST_ENTRY
   +0x010 Name             : _UNICODE_STRING
   +0x020 DefaultObject    : Ptr64 Void
   +0x028 Index            : UChar
   +0x02c TotalNumberOfObjects : Uint4B
   +0x030 TotalNumberOfHandles : Uint4B
   +0x034 HighWaterNumberOfObjects : Uint4B
   +0x038 HighWaterNumberOfHandles : Uint4B
   +0x040 TypeInfo         : _OBJECT_TYPE_INITIALIZER
   +0x0b8 TypeLock         : _EX_PUSH_LOCK
   +0x0c0 Key              : Uint4B
   +0x0c8 CallbackList     : _LIST_ENTRY
指向的结构体如下所示
1
2
3
4
5
6
7
8
typedef struct{
LIST_ENTRY listEntry;
ULONG64unkonw;
ULONG64 objectHead;
ULONG64 handle;
ULONG64 prefunc;
ULONG64 postfunc;
}OBJECTCALLBACK,*POBJECTCALLBACK;
通过链表进行遍历获取需要的数据。
如何禁用回调
找到handle值进行卸载
找函数地址进行patch
示例
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
VOID EnumProcessCallBack() {
POBJECTCALLBACK pObjectCallBack = NULL;

POBJECTCALLBACK ptempobject = NULL;

PULONG64 temp = NULL;

PUCHAR pObject = NULL;

int i = 0;

ULONG64 ulNum[50] = { 0 };

pObject = (PUCHAR)*PsProcessType;

temp = (PULONG64)(pObject + 0x0c8);

ptempobject = pObjectCallBack = (POBJECTCALLBACK)*temp;

DbgPrint("%p\n", pObjectCallBack);

do
{
DbgPrint("[ProcCallBack] handle: %p,PreFunc: %p, PostFunc: %p\n", ptempobject->handle,ptempobject->prefunc, ptempobject->postfunc);

//卸载
ulNum[i] = ptempobject->handle;

i++;

ptempobject = ptempobject->listEntry.Flink;

} while (pObjectCallBack != ptempobject->listEntry.Flink);

//函数卸载
for (i = 0;i < 50;i++) {
if (ulNum[i]== 0) {
break;
}
ObUnRegisterCallbacks((PVOID)ulNum[i]);
}

return;
}
TIPS
驱动中的偏移值是带符号的，32位使用LONG。


驱动编程：内核通知与进程回调例程
2021-09-09T16:00:00.000Z
事件通知（notify）与回调（callback)的区别
通知
通知只接受结果，无法对这个结果做出改变。
回调
回调能处理反馈信息，再次处理并返回。
进程通知
记得在DriverUnload函数中使用TRUE进行卸载。
设置进程通知
PsSetCreateProcessNotifyRoutine
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
status = PsSetCreateProcessNotifyRoutine(MyCreateProcessRoutine, FALSE);

VOID MyCreateProcessRoutine(HANDLE ParentId, HANDLE ProcessId, BOOLEAN Create) {
//Create = TRUE 创建进程 FALSE 结束进程
if (Create) {
PEPROCESStempep = NULL;

NTSTATUSstatus = STATUS_SUCCESS;

//根据ProcessId返回对应的EPROCESS结构指针
status = PsLookupProcessByProcessId(ProcessId, &tempep);

if (NT_SUCCESS(status)) {
//减引用
ObDereferenceObject(tempep);

PCHAR imagename = PsGetProcessImageFileName(tempep);

DbgPrint("pid :<%d> --- name: <%s>\n", ProcessId, imagename);
}
}
return;
}
第二个设置通知函数
PsSetCreateProcessNotifyRoutineEx
需在“项目-属性-链接器-命令行”位置添加 /INTEGRITYCHECK 即可。
https://xiaodaozhi.com/kernel/18.html
PPS_CREATE_NOTIFY_INFO中的数据比较重要
https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/ntddk/ns-ntddk-_ps_create_notify_info
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
status = PsSetCreateProcessNotifyRoutineEx((PCREATE_PROCESS_NOTIFY_ROUTINE_EX)MyCreateProcessRoutineEx, FALSE);

VOID MyCreateProcessRoutineEx(PEPROCESS Process, HANDLE ProcessId, PPS_CREATE_NOTIFY_INFO CreateInfo) {

HANDLE hParentProcessId = NULL;

HANDLE hParentThreadId = NULL;

HANDLE hCurrnetThreadId = NULL;
//获取当前的线程id
hCurrnetThreadId = PsGetCurrentThreadId();

if (CreateInfo == NULL) {
//进程结束
__debugbreak();
DbgPrint(" Destory hCurrnetThreadId:<%d>,ProcessID:<%d>\n", hCurrnetThreadId, ProcessId);
return;
}
//__debugbreak();
hParentProcessId = CreateInfo->CreatingThreadId.UniqueProcess;
hParentThreadId = CreateInfo->CreatingThreadId.UniqueThread;

DbgPrint(" Create hCurrnetThreadId:<0x%x>,hParentProcessId:<%d>,hParentThreadId:<%d>,ProcessID:<%d>, ProcessName:<%wZ>\n", hCurrnetThreadId, hParentProcessId, hParentThreadId, ProcessId,CreateInfo->ImageFileName);
    //子进程的线程ID，父进程的进程ID，父进程的创建子进程线程的ID，被创建的子进程的进程ID
return;
}
加载模块通知
设置通知
PsSetLoadImageNotifyRoutine
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
status = PsSetLoadImageNotifyRoutine(MySetLoadImageNotifyRoutine);

VOID MySetLoadImageNotifyRoutine(PUNICODE_STRING FullImageName, HANDLE ProcessId, PIMAGE_INFO ImageInfo) {
//模块名 //加载模块的进程

PEPROCESS tempep = NULL;

NTSTATUS status = STATUS_SUCCESS;

status = PsLookupProcessByProcessId(ProcessId, &tempep);

if (NT_SUCCESS(status)) {
ObDereferenceObject(tempep);

PCHAR imagename = PsGetProcessImageFileName(tempep);

DbgPrint("[%s] Load Image [%wZ] ,Baseaddr: [0x%x], size is [0x%llx]\n", imagename, FullImageName, ImageInfo->ImageBase, ImageInfo->ImageSize);

}
return;
}
卸载通知
PsRemoveLoadImageNotifyRoutine(MySetLoadImageNotifyRoutine)
额外知识
在win7系统之后，如果PIMAGE_INFO->ExtendedInfoPresent为1，可判断该结构体为PIMAGE_INFO_EX的成员，通过CONTAINING_RECORD获取EX结构体的指针。
1
2
3
4
5
typedef struct _IMAGE_INFO_EX {
  SIZE_T              Size;
  IMAGE_INFO          ImageInfo;
  struct _FILE_OBJECT *FileObject;
} IMAGE_INFO_EX, *PIMAGE_INFO_EX;
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
VOID MySetLoadImageNotifyRoutine(PUNICODE_STRING FullImageName, HANDLE ProcessId, PIMAGE_INFO ImageInfo) {
//模块名 //加载模块的进程

PEPROCESS tempep = NULL;

NTSTATUS status = STATUS_SUCCESS;

status = PsLookupProcessByProcessId(ProcessId, &tempep);

PCHAR imagename = NULL;

if (!NT_SUCCESS(status)) {
return;
}

ObDereferenceObject(tempep);

imagename = PsGetProcessImageFileName(tempep);

if (ImageInfo->ExtendedInfoPresent)
{
PIMAGE_INFO_EX pInfo = CONTAINING_RECORD(ImageInfo, IMAGE_INFO_EX, ImageInfo);

DbgPrint("[%s] Load Image [%wZ] ,FileObject [0x%x],Baseaddr: [0x%x], size is [0x%llx]\n", imagename, FullImageName, pInfo->FileObject,ImageInfo->ImageBase, ImageInfo->ImageSize);

return;
}

DbgPrint("[%s] Load Image [%wZ] ,Baseaddr: [0x%x], size is [0x%llx]\n", imagename, FullImageName, ImageInfo->ImageBase, ImageInfo->ImageSize);

return;
}
线程通知
创建
PsSetCreateThreadNotifyRoutine()
卸载
PsRemoveCreateThreadNotifyRoutine()
事例
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
status = PsSetCreateThreadNotifyRoutine(MyCreateThreadNotifyRoutine);

VOID MyCreateThreadNotifyRoutine(HANDLE ProcessId, HANDLE ThreadId, BOOLEAN Create) {
NTSTATUS status;

PEPROCESS tempep = NULL;

status = PsLookupProcessByProcessId(ProcessId, &tempep);

PCHAR imagefilename;

if (NT_SUCCESS(status)) {
imagefilename = PsGetProcessImageFileName(tempep);

if (Create) {
DbgPrint("[%s] Create Thread [%d]\n", imagefilename, ThreadId);
}
else {
DbgPrint("[%s] Destory Thread [%d]\n", imagefilename, ThreadId);
}

}
return;
}
枚举进程通知例程
通过pchunter我们可以看到各种通知例程，那么是如何实现的了。
需要去逆向PsSetCreateThreadNotifyRoutine。
该函数例程通过这个一个PspCreateProcessNotifyRoutine表进行访问，该地址和0xFFFFFFFFFFFFFFF8进行与运算得到通知例程地址。（原因放到额外解析）
通过获取PsSetCreateThreadNotifyRoutine的地址，根据偏移找到PspCreateProcessNotifyRoutine，然后搜索特征码4C 8D 2D 9F 93 D4 FF   lea     r13, PspCreateProcessNotifyRoutine,得到通知例程表的地址。
查看XXXXCount的全局变量，可获得通知例程的数量。
摘取通知
通过遍历数组，直接使用对应的函数即可摘去掉通知例程。
修改PspNotifyEnableMask的值，只能停掉已经注册的通知
PspNotifyEnableMask在win10 1903中的原始值为F对应二进制1111
第三位 CreateThread、
第一位和第二位分别是 CreateProcess(分别是PsSetCreateThreadNotifyRoutine和PsSetCreateThreadNotifyRoutineEx)，测试了下随便开一个都行。
第零位 LoadImage 。
代码样例 
https://www.unknowncheats.me/forum/anti-cheat-bypass/285491-pspnotifyenablemask-tricks-explained.html
例子
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
VOID FindProcessNotify() {
UNICODE_STRING apiname = { 0 };

PUCHARapiaddr = NULL;

LONG offset = 0;

PULONG64 PspCreateProcessNotifyRoutine = NULL;
RtlInitUnicodeString(&apiname, L"PsSetCreateThreadNotifyRoutine");

apiaddr = MmGetSystemRoutineAddress(&apiname);

if (!apiaddr) {
DbgPrint("Not Found\n");

return;
}
//__debugbreak();
DbgPrint("PsSetCreateThreadNotifyRoutine Addr :0x%llp\n", (PVOID)apiaddr);

apiaddr = apiaddr + 6;

offset = *(PULONG)(apiaddr + 1);
// E8 65 00 00 00                                      call    PspSetCreateThreadNotifyRoutine
apiaddr = apiaddr + offset + 5;

//4C 8D 2D 9F 93 D4 FF   lea     r13, PspCreateProcessNotifyRoutine
for (int i = 0; i < 1000; i++) {
if (*(apiaddr + i) == 0x4c && *(apiaddr + i + 1) == 0x8D && *(apiaddr + i + 2) == 0x2D) {
apiaddr = apiaddr + i;

offset = *(PLONG)(apiaddr + 3);

PspCreateProcessNotifyRoutine = apiaddr + offset + 7;

break;
}
}

DbgPrint("Routine Nums Addr ：%p\n", PspCreateProcessNotifyRoutine);
//__debugbreak();

PULONG64 reallyNotify = NULL;

ULONG64 RoutineNotify = NULL;

NTSTATUS status = STATUS_SUCCESS;

for (int i = 0; i < 64; i++) {

reallyNotify = (ULONG64)(PspCreateProcessNotifyRoutine) + i*8;

if (*reallyNotify == 0)
break;
RoutineNotify = *(PULONG64)(*reallyNotify & 0xFFFFFFFFFFFFFFF8);

DbgPrint("CreateProcess Routine Notify:0x%p\n", RoutineNotify);

//摘除
if (MmIsAddressValid(*reallyNotify)) {
DbgPrint("1\n");
status = PsSetCreateProcessNotifyRoutine((PVOID)RoutineNotify,TRUE);

if (NT_SUCCESS(status))
{
DbgPrint("Remove CreateProcess Notify :0x%p\n", RoutineNotify);
}
}
}
return;
}
其他枚举
例如枚举线程通知例程，通过IDA就可以看到存放通知例程的数组地址。同样也要使用0xFFFFFFFFFFFFFFF8进行解密。
注册表回调
注册表回调注册
1
2
3
4
5
LARGE_INTEGER g_cookie = { 0 };
CmRegisterCallback(_In_     PEX_CALLBACK_FUNCTION Function,
                   _In_opt_ PVOID                 Context,
                   _Out_    PLARGE_INTEGER        Cookie
                    );
回调函数卸载
1
CmUnRegisterCallback(g_cookie);
回调函数模型
1
NTSTATUS RregistryCallback(PVOID CallbackContext, PVOID Argument1, PVOID Argument2)
第一个参数 传递的参数
第二个参数 注册表类型
第三个参数 REG_XXXX_INFORMATION 结构体
通过注册表的类型判断，进行分发处理，通过结构体的不同成员对象进行判断拦截。
例子
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
NTSTATUS RregistryCallback(PVOID CallbackContext, PVOID Argument1, PVOID Argument2)
{
NTSTATUS status = STATUS_SUCCESS;

switch ((REG_NOTIFY_CLASS)Argument1)
{
case RegNtPreOpenKey:
case RegNtPreOpenKeyEx:
case RegNtPreCreateKey:
case RegNtPreCreateKeyEx:
{
//DbgPrint("Create Key or Open Key\n");

PREG_CREATE_KEY_INFORMATIONpkeyinfo = (PREG_CREATE_KEY_INFORMATION)Argument2;

UNICODE_STRING tempservice = { 0 };
//不过过滤大小写的话，必须大写 ，过滤注册表创建
RtlInitUnicodeString(&tempservice,L"SYSTEM\\CONTROLSET001\\SERVICES\\*");

__try
{
//打印注册表路径
//DbgPrint("key info [%wZ]\n", pkeyinfo->CompleteName);
//
if (FsRtlIsNameInExpression(&tempservice, pkeyinfo->CompleteName, TRUE, NULL)) {
DbgPrint("Bad Create\n");

//通过匹配字符串，注册表的拦截
status = STATUS_ACCESS_DENIED;
}
}
__except (1)
{
DbgPrint("Bad Memory\n");
}
break;
}
default:
break;
}
return status;
}
进程回调
https://revers.engineering/superseding-driver-altitude-checks-on
内核当中的对象描述了具体的事物（窗口，进程，驱动，。。。。）。
回调就是将一个对象和一种操作进行绑定，当该对象进行这种操作的时候必然会调用这个操作，这个操作就是回调。
因为微软的MmVerifyCallbackFunction强制要求下必须要使用数字签名才能进行使用回调函数所以修改如下：
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
typedef struct _KLDR_DATA_TABLE_ENTRY {
LIST_ENTRY InLoadOrderLinks;
PVOID ExceptionTable;
ULONG ExceptionTableSize;
PVOID GpValue;
PVOID NonPagedDebugInfo;
PVOID DllBase;
PVOID EntryPoint;
ULONG SizeOfImage;
UNICODE_STRING FullDllName;
UNICODE_STRING BaseDllName;
ULONG Flags;
USHORT LoadCount;
USHORT __Unused;
PVOID SectionPointer;
ULONG CheckSum;
PVOID LoadedImports;
PVOID PatchInformation;
} KLDR_DATA_TABLE_ENTRY, * PKLDR_DATA_TABLE_ENTRY;

NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegPath) {

    PKLDR_DATA_TABLE_ENTRY DriverSection = (PKLDR_DATA_TABLE_ENTRY)pDriverObject->DriverSection;

    DriverSection->Flags |= LDRP_VALID_SECTION;
}
注册回调
使用ObRegisterCallbacks注册回调。
使用OB_CALLBACK_REGISTRATION结构体
1
2
3
4
5
6
7
typedef struct _OB_CALLBACK_REGISTRATION {
    _In_ USHORT                     Version; //版本
    _In_ USHORT                     OperationRegistrationCount; //回调的个数
    _In_ UNICODE_STRING             Altitude; //高度
    _In_ PVOID                      RegistrationContext; //传给回调的参数
    _In_ OB_OPERATION_REGISTRATION  *OperationRegistration; //指向回调注册结构体的指针
} OB_CALLBACK_REGISTRATION, *POB_CALLBACK_REGISTRATION;
https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/ns-wdm-_ob_operation_registration
1
2
3
4
5
6
typedef struct _OB_OPERATION_REGISTRATION {
    _In_ POBJECT_TYPE                *ObjectType; //回调例程的对象类型的指针
    _In_ OB_OPERATION                Operations; //句柄操作类型
    _In_ POB_PRE_OPERATION_CALLBACK  PreOperation; //前操作函数指针
    _In_ POB_POST_OPERATION_CALLBACK PostOperation; //后操作函数指针
} OB_OPERATION_REGISTRATION, *POB_OPERATION_REGISTRATION;
ObjectType有多种类型,包括进程，线程，注册表等。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
extern POBJECT_TYPE *CmKeyObjectType;
extern POBJECT_TYPE *IoFileObjectType;
extern POBJECT_TYPE *ExEventObjectType;
extern POBJECT_TYPE *ExSemaphoreObjectType;
extern POBJECT_TYPE *TmTransactionManagerObjectType;
extern POBJECT_TYPE *TmResourceManagerObjectType;
extern POBJECT_TYPE *TmEnlistmentObjectType;
extern POBJECT_TYPE *TmTransactionObjectType;
extern POBJECT_TYPE *PsProcessType;
extern POBJECT_TYPE *PsThreadType;
extern POBJECT_TYPE *PsJobType;
extern POBJECT_TYPE *SeTokenObjectType;
#if (NTDDI_VERSION >= NTDDI_THRESHOLD)
extern POBJECT_TYPE *ExDesktopObjectType;
#endif
事例
回调注册
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
NTSTATUS RegProcessCallBack(PDRIVER_OBJECT pDriverObject) {

NTSTATUS status = STATUS_SUCCESS;
//进程对象回调
//https://revers.engineering/superseding-driver-altitude-checks-on
PKLDR_DATA_TABLE_ENTRY pLdr = (PKLDR_DATA_TABLE_ENTRY)pDriverObject->DriverSection;

pLdr->Flags |= LDRP_VALID_SECTION;

OB_CALLBACK_REGISTRATION ob = { 0 };

OB_OPERATION_REGISTRATION oor = { 0 };

//高度,谁注册的高先通知谁,高度合适就行
UNICODE_STRING attde = { 0 };
//注册回调版本
ob.Version = ObGetFilterVersion();
//OperationRegistration的条数
ob.OperationRegistrationCount = 1;
//数组指针
ob.OperationRegistration = &oor;
//高度
RtlInitUnicodeString(&attde, L"321999");
ob.Altitude = attde;
//参数
ob.RegistrationContext = NULL;

//指向触发回调例程的对象类型的指针
oor.ObjectType = PsProcessType;
//标志位
//打开，复制句柄
oor.Operations = OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE;
//前操作例程
oor.PreOperation = PreOperation_Process;
//后操作例程
oor.PostOperation = NULL;

status = ObRegisterCallbacks(&ob, &ProcessCallBackHandle);

return status;
}
回调操作
保护带有calc的进程名被操作。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
OB_PREOP_CALLBACK_STATUS   PreOperation_Process(PVOID RegistrationContext,
POB_PRE_OPERATION_INFORMATION OperationInformation) {
//操作的是进程对象

OB_PREOP_CALLBACK_STATUS status = OB_PREOP_SUCCESS;

PUCHAR imagefilename = PsGetProcessImageFileName(OperationInformation->Object);

DbgPrint("Process Name : [%s]\n", imagefilename);

//保护带有calc的进程。
if (strstr(imagefilename, "calc")) {
//__debugbreak();
//https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/ns-wdm-_ob_pre_create_handle_information
OperationInformation->Parameters->CreateHandleInformation.DesiredAccess = 0;

OperationInformation->Parameters->DuplicateHandleInformation.DesiredAccess = 0;
}

return  status;
}
线程回调
回调注册
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
NTSTATUS RegThreadCallBack(PDRIVER_OBJECT pDriverObject) {
NTSTATUS status = STATUS_SUCCESS;

PKLDR_DATA_TABLE_ENTRY pLdr = (PKLDR_DATA_TABLE_ENTRY)pDriverObject->DriverSection;

pLdr->Flags |= LDRP_VALID_SECTION;

OB_CALLBACK_REGISTRATION ob = { 0 };

OB_OPERATION_REGISTRATION oor = { 0 };

UNICODE_STRING altitude = { 0 };

RtlInitUnicodeString(&altitude, L"319999");

ob.Version = ObGetFilterVersion();

ob.OperationRegistrationCount = 1;

ob.RegistrationContext = NULL;

ob.Altitude = altitude;

ob.OperationRegistration = &oor;

oor.ObjectType = PsThreadType;

oor.Operations = OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE;

oor.PreOperation = PreOperation_Thread;

oor.PostOperation = NULL;

ObRegisterCallbacks(&ob, &ThreadCallBackHandle);

return status;
}
回调操作
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
OB_PREOP_CALLBACK_STATUS PreOperation_Thread(PVOID RegistrationContext, POB_PRE_OPERATION_INFORMATION OperationInformation) {
OB_PREOP_CALLBACK_STATUS status = OB_PREOP_SUCCESS;

PETHREAD pthread = OperationInformation->Object;

HANDLE ThreadId = PsGetThreadId(pthread);

PEPROCESS peprocess = PsGetThreadProcess(pthread);

PUCHAR imagefilename = PsGetProcessImageFileName(peprocess);

DbgPrint("Process Name : [%s] CreateThread [%d] \n", imagefilename, ThreadId);

if (strstr(imagefilename, "calc")) {
if (OperationInformation->Operation == OB_OPERATION_HANDLE_CREATE) {
if ((OperationInformation->Parameters->CreateHandleInformation.DesiredAccess & PROCESS_CREATE_THREAD) == PROCESS_CREATE_THREAD){
DbgPrint("Calc Create Thread Failed\n");

OperationInformation->Parameters->CreateHandleInformation.DesiredAccess = 0;

status = STATUS_UNSUCCESSFUL;
}
}
}

return status;
}
Ps函数
PsLookupProcessByProcessId
根据ProcessId获取EPROCESS指针。
1
2
3
4
5
PEPROCESS tempep = NULL;

NTSTATUS status = STATUS_SUCCESS;

status = PsLookupProcessByProcessId(ProcessId, &tempep);
PsGetProcessImageFileName
根据EPROCESS指针获取模块名字。 
PsGetThreadProcess
根据ETHREAD指针获取PEPROCESS结构体指针。
Fs函数
FsRtlIsNameInExpression
字符正则匹配
Mm函数
MmIsAddressValid
验证地址是否可用
额外解析
PsSetCreateProcessNotifyRoutine解析
PsSetCreateProcessNotifyRoutine的本质函数是PspSetCreateThreadNotifyRoutine。
使用windbg查表，如图所示。取的全局变量地址是一个指向函数地址的地址表，然后末4位清零，再偏移8得到通知例程地址，与pchunter中看到的地址一致，
分析
通过分析得知，会对通知历程的地址表进行遍历，会对ExCompareExchangeCallBack传入参数。
ExAllocateCallBack则是对一个结构体使用的传参进行初始化
ExCompareExchangeCallBack会对地址进行校验如果为空则对地址数值进行计算和对数组进行赋值。
第一个参数地址为PspCreateProcessNotifyRoutine的数组地址
第二个为有通知函数的结构体地址
第三个0
ExCompareExchangeCallBack
ExAllocatePoolWithTag在64位系统中对齐到16字节边界,所以地址是0xXXXXXXXXXXXXXXX0.
地址加上0xF进行赋值。0xXXXXXXXXXXXXXXXF
总结
所以通知例程的地址就是 (数组地址&0xFFFFFFFFFFFFFFF0)+0x8 = 数组地址 & 0xFFFFFFFFFFFFFFF8。


Windows系统调用
2021-09-07T16:00:00.000Z
系统调用备份，后面填坑，现在做备份
Win10 1903 x64
https://www.matteomalvica.com/minutes/windows_kernel/#nt-kisystemcall64shadow-under-the-miscroscope
https://mirokaku.github.io/Blog/2017/2-System-Call/
KiSystemCall64
调用 KiSystemServiceUser,通过访问SSDT表，获取函数地址。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
KiSystemCall64                                              KiSystemCall64  proc near               ; DATA XREF: sub_FFFFF8034C8622F4+21↑o
KiSystemCall64                                                                                      ; .pdata:FFFFF8034CBD19B8↓o
KiSystemCall64                                                                                      ; KiInitializeBootStructures+198↓o
KiSystemCall64
KiSystemCall64                                              var_1E8         = byte ptr -1E8h
KiSystemCall64                                              var_1C0         = qword ptr -1C0h
KiSystemCall64                                              var_1B8         = qword ptr -1B8h
KiSystemCall64                                              var_1B0         = qword ptr -1B0h
KiSystemCall64                                              var_1A8         = qword ptr -1A8h
KiSystemCall64                                              var_1A0         = qword ptr -1A0h
KiSystemCall64                                              anonymous_0     = qword ptr -198h
KiSystemCall64                                              anonymous_1     = qword ptr -190h
KiSystemCall64                                              anonymous_2     = qword ptr -188h
KiSystemCall64                                              anonymous_3     = qword ptr -180h
KiSystemCall64                                              anonymous_4     = qword ptr -178h
KiSystemCall64                                              anonymous_5     = qword ptr -170h
KiSystemCall64                                              anonymous_6     = qword ptr -168h
KiSystemCall64                                              anonymous_7     = qword ptr -160h
KiSystemCall64                                              anonymous_8     = qword ptr -158h
KiSystemCall64                                              anonymous_9     = qword ptr -150h
KiSystemCall64                                              anonymous_10    = qword ptr -148h
KiSystemCall64                                              anonymous_11    = qword ptr -140h
KiSystemCall64                                              anonymous_12    = qword ptr -138h
KiSystemCall64                                              anonymous_13    = qword ptr -130h
KiSystemCall64                                              anonymous_14    = qword ptr -128h
KiSystemCall64                                              anonymous_15    = xmmword ptr -120h
KiSystemCall64                                              var_110         = xmmword ptr -110h
KiSystemCall64                                              anonymous_16    = xmmword ptr -100h
KiSystemCall64                                              anonymous_17    = xmmword ptr -0F0h
KiSystemCall64                                              anonymous_18    = xmmword ptr -0E0h
KiSystemCall64                                              anonymous_19    = xmmword ptr -0D0h
KiSystemCall64                                              anonymous_20    = qword ptr -0C0h
KiSystemCall64                                              anonymous_21    = qword ptr -0B8h
KiSystemCall64                                              anonymous_22    = qword ptr -0B0h
KiSystemCall64                                              anonymous_23    = qword ptr -0A8h
KiSystemCall64                                              anonymous_24    = qword ptr -0A0h
KiSystemCall64                                              var_90          = qword ptr -90h
KiSystemCall64                                              anonymous_25    = qword ptr -58h
KiSystemCall64                                              anonymous_26    = qword ptr -38h
KiSystemCall64                                              anonymous_27    = qword ptr -28h
KiSystemCall64                                              anonymous_28    = qword ptr -20h
KiSystemCall64                                              anonymous_29    = qword ptr -18h
KiSystemCall64                                              anonymous_30    = qword ptr -10h
KiSystemCall64                                              anonymous_31    = qword ptr -8
KiSystemCall64
KiSystemCall64                                              ; __unwind { // KiSystemServiceHandler
KiSystemCall64      000 0F 01 F8                                            swapgs ;gs指向cpu的kpcr
KiSystemCall64+3    000 65 48 89 24 25 10 00 00 00                          mov     gs:10h, rsp     ; r3 rsp存放到UserRsp
KiSystemCall64+C    000 65 48 8B 24 25 A8 01 00 00                          mov     rsp, gs:1A8h    ; rsp切换到内核栈Prcb.RspBase
KiSystemCall64+15   000 6A 2B                                               push    2Bh ; '+'       ; KTRAP_FRAME.SegSs = 0x2b
KiSystemCall64+17   008 65 FF 34 25 10 00 00 00                             push    qword ptr gs:10h ; KTRAP_FRAME.Rsp保存r3的rsp
KiSystemCall64+1F   010 41 53                                               push    r11             ; KTRAP_FRAME.EFlags 保存r11保存之前的RFLAGS
KiSystemCall64+21   018 6A 33                                               push    33h ; '3'       ; KTRAP_FRAME.SegCs = 0x33
KiSystemCall64+23   020 51                                                  push    rcx             ; KTRAP_FRAME.Rip = rcx 保存返回值
KiSystemCall64+24   028 49 8B CA                                            mov     rcx, r10        ; 第一个参数赋值给rcx
KiSystemCall64+27   028 48 83 EC 08                                         sub     rsp, 8          ; 填充8字节
KiSystemCall64+2B   030 55                                                  push    rbp             ; KTRAP_FRAME.Rbp = rbp (0x158偏移处
KiSystemCall64+2C   038 48 81 EC 58 01 00 00                                sub     rsp, 158h       ; 开辟剩余的KTRAP_FRAME的栈 Rsp = &KTRAP_FRAME.P1Home
KiSystemCall64+33   190 48 8D AC 24 80 00 00 00                             lea     rbp, [rsp+80h]  ; rbp=KTRAP_FRAME.Xmm1 = KTRAP_FRAME+0x80
KiSystemCall64+3B   190 48 89 9D C0 00 00 00                                mov     [rbp+0C0h], rbx ; KTRAP_FRAME.Rbx = rbx
KiSystemCall64+42   190 48 89 BD C8 00 00 00                                mov     [rbp+0C8h], rdi ; KTRAP_FRAME.Rdi = rdi
KiSystemCall64+49   190 48 89 B5 D0 00 00 00                                mov     [rbp+0D0h], rsi ; KTRAP_FRAME.Rsi = rsi
KiSystemCall64+50   190 65 F6 04 25 24 64 00 00 02                          test    byte ptr gs:6424h, 2 ;
KiSystemCall64+50                                                                                   ; ksamd64.inc文件中定义
KiSystemCall64+50                                                                                   ; Prcb->FeatureBits & KF_SMAP（0x0200000000H）
KiSystemCall64+50                                                                                   ; 检查SMAP是否开启
KiSystemCall64+59   190 74 0C                                               jz      short loc_FFFFF8034C87BB27 ; KTRAP_FRAME.Rax = rax
KiSystemCall64+5B   190 F6 85 F0 00 00 00 01                                test    byte ptr [rbp+0F0h], 1 ; 检查KTRAP_FRAME.SegCs的RPL
KiSystemCall64+62   190 74 03                                               jz      short loc_FFFFF8034C87BB27 ; KTRAP_FRAME.Rax = rax
KiSystemCall64+64   190 0F 01 CB                                            stac                    ; 关闭SMAP
KiSystemCall64+67
KiSystemCall64+67                                           loc_FFFFF8034C87BB27:                   ; CODE XREF: KiSystemCall64+59↑j
KiSystemCall64+67                                                                                   ; KiSystemCall64+62↑j
KiSystemCall64+67   190 48 89 45 B0                                         mov     [rbp-50h], rax  ; KTRAP_FRAME.Rax = rax
KiSystemCall64+6B   190 48 89 4D B8                                         mov     [rbp-48h], rcx  ; KTRAP_FRAME.Rcx = rcx
KiSystemCall64+6F   190 48 89 55 C0                                         mov     [rbp-40h], rdx  ; KTRAP_FRAME.Rdx =rdx
KiSystemCall64+73   190 65 48 8B 0C 25 88 01 00 00                          mov     rcx, gs:_KPCR.Prcb.CurrentThread ; _KTHREAD
KiSystemCall64+7C   190 48 8B 89 20 02 00 00                                mov     rcx, [rcx+220h] ; _KTHREAD._KPROCESS* = _EPROCESS *
KiSystemCall64+83   190 48 8B 89 60 08 00 00                                mov     rcx, [rcx+860h] ; _EPROCESS.SecurityDomain
KiSystemCall64+8A   190 65 48 89 0C 25 70 02 00 00                          mov     gs:270h, rcx    ; TrappedSecurityDomain
KiSystemCall64+93   190 65 8A 0C 25 50 08 00 00                             mov     cl, gs:850h     ; BpbRetpolineExitSpecCtrl
KiSystemCall64+93                                                                                   ;
KiSystemCall64+93                                                                                   ; 之后都是预测执行侧信道的缓解措施
KiSystemCall64+93                                                                                   ; https://simplecore-prc.intel.cn/intel-china-newsroom/wp-content/uploads/sites/2/intel-analysis-of-speculative-execution-side-channels-cn.pdf
KiSystemCall64+9B   190 65 88 0C 25 51 08 00 00                             mov     gs:851h, cl     ; BpbTrappedRetpolineExitSpecCtrl
KiSystemCall64+A3   190 65 8A 0C 25 78 02 00 00                             mov     cl, gs:_KPCR.Prcb.___u40.__s0.BpbState
KiSystemCall64+AB   190 65 88 0C 25 52 08 00 00                             mov     gs:_KPCR.Prcb.___u45.__s0.BpbTrappedBpbState, cl
KiSystemCall64+B3   190 65 0F B6 04 25 7B 02 00 00                          movzx   eax, gs:_KPCR.Prcb.___u40.__s0.BpbKernelSpecCtrl
KiSystemCall64+BC   190 65 38 04 25 7A 02 00 00                             cmp     gs:_KPCR.Prcb.___u40.__s0.BpbCurrentSpecCtrl, al
KiSystemCall64+C4   190 74 11                                               jz      short loc_FFFFF8034C87BB97
KiSystemCall64+C6   190 65 88 04 25 7A 02 00 00                             mov     gs:_KPCR.Prcb.___u40.__s0.BpbCurrentSpecCtrl, al
KiSystemCall64+CE   190 B9 48 00 00 00                                      mov     ecx, 48h ; 'H'
KiSystemCall64+D3   190 33 D2                                               xor     edx, edx
KiSystemCall64+D5   190 0F 30                                               wrmsr                   ; IA32_SPEC_CTRL
KiSystemCall64+D5                                                                                   ; 单线程间接分支预测器 (STIBP)。
KiSystemCall64+D5                                                                                   ; 防止间接分支预测被同核的超线程所控制
KiSystemCall64+D7
KiSystemCall64+D7                                           loc_FFFFF8034C87BB97:                   ; CODE XREF: KiSystemCall64+C4↑j
KiSystemCall64+D7   190 65 0F B6 14 25 78 02 00 00                          movzx   edx, byte ptr gs:278h
KiSystemCall64+E0   190 F7 C2 08 00 00 00                                   test    edx, 1000b      ; BpbIbpbOnTrap
KiSystemCall64+E6   190 74 13                                               jz      short loc_FFFFF8034C87BBBB ; BpbTrappedFlushRsbOnTrap
KiSystemCall64+E8   190 B8 01 00 00 00                                      mov     eax, 1
KiSystemCall64+ED   190 33 D2                                               xor     edx, edx
KiSystemCall64+EF   190 B9 49 00 00 00                                      mov     ecx, 49h ; 'I'  ; IA32_PRED_CMD
KiSystemCall64+EF                                                                                   ; 间接分支预测障碍 (IBPB)
KiSystemCall64+EF                                                                                   ; 确保前期代码的行为不会控制后续间接分支预测
KiSystemCall64+F4   190 0F 30                                               wrmsr
KiSystemCall64+F6   190 E9 3E 01 00 00                                      jmp     loc_FFFFF8034C87BCF9
KiSystemCall64+FB                                           ; ---------------------------------------------------------------------------
KiSystemCall64+FB
KiSystemCall64+FB                                           loc_FFFFF8034C87BBBB:                   ; CODE XREF: KiSystemCall64+E6↑j
KiSystemCall64+FB   190 F7 C2 02 00 00 00                                   test    edx, 10b        ; BpbTrappedFlushRsbOnTrap
KiSystemCall64+101  190 0F 84 2F 01 00 00                                   jz      loc_FFFFF8034C87BCF6 ; 在旧指令执行完毕前阻止较新指令的执行
KiSystemCall64+101                                                                                  ; Wait On Following Instructions Until(preceding instructions complete);
KiSystemCall64+107  190 65 F6 04 25 79 02 00 00 04                          test    gs:_KPCR.Prcb.___u40.__s0.BpbFeatures, 4
KiSystemCall64+110  190 0F 85 20 01 00 00                                   jnz     loc_FFFFF8034C87BCF6 ; 在旧指令执行完毕前阻止较新指令的执行
KiSystemCall64+110                                                                                  ; Wait On Following Instructions Until(preceding instructions complete);
KiSystemCall64+116  190 E8 0E 01 00 00                                      call    loc_FFFFF8034C87BCE9
KiSystemCall64+11B
KiSystemCall64+11B                                          loc_FFFFF8034C87BBDB:                   ; CODE XREF: KiSystemCall64+128↓p
KiSystemCall64+11B  190 48 83 C4 08                                         add     rsp, 8
KiSystemCall64+11F  188 E8 0E 01 00 00                                      call    loc_FFFFF8034C87BCF2
KiSystemCall64+124
KiSystemCall64+124                                          loc_FFFFF8034C87BBE4:                   ; CODE XREF: KiSystemCall64+131↓p
KiSystemCall64+124  188 48 83 C4 08                                         add     rsp, 8
KiSystemCall64+128  180 E8 EE FF FF FF                                      call    loc_FFFFF8034C87BBDB
KiSystemCall64+12D
KiSystemCall64+12D                                          loc_FFFFF8034C87BBED:                   ; CODE XREF: KiSystemCall64+13A↓p
KiSystemCall64+12D  180 48 83 C4 08                                         add     rsp, 8
KiSystemCall64+131  178 E8 EE FF FF FF                                      call    loc_FFFFF8034C87BBE4
KiSystemCall64+136
KiSystemCall64+136                                          loc_FFFFF8034C87BBF6:                   ; CODE XREF: KiSystemCall64+143↓p
KiSystemCall64+136  178 48 83 C4 08                                         add     rsp, 8
KiSystemCall64+13A  170 E8 EE FF FF FF                                      call    loc_FFFFF8034C87BBED
KiSystemCall64+13F
KiSystemCall64+13F                                          loc_FFFFF8034C87BBFF:                   ; CODE XREF: KiSystemCall64+14C↓p
KiSystemCall64+13F  170 48 83 C4 08                                         add     rsp, 8
KiSystemCall64+143  168 E8 EE FF FF FF                                      call    loc_FFFFF8034C87BBF6
KiSystemCall64+148
KiSystemCall64+148                                          loc_FFFFF8034C87BC08:                   ; CODE XREF: KiSystemCall64+155↓p
KiSystemCall64+148  168 48 83 C4 08                                         add     rsp, 8
KiSystemCall64+14C  160 E8 EE FF FF FF                                      call    loc_FFFFF8034C87BBFF
KiSystemCall64+151
KiSystemCall64+151                                          loc_FFFFF8034C87BC11:                   ; CODE XREF: KiSystemCall64+15E↓p
KiSystemCall64+151  160 48 83 C4 08                                         add     rsp, 8
KiSystemCall64+155  158 E8 EE FF FF FF                                      call    loc_FFFFF8034C87BC08
KiSystemCall64+15A
KiSystemCall64+15A                                          loc_FFFFF8034C87BC1A:                   ; CODE XREF: KiSystemCall64+167↓p
KiSystemCall64+15A  158 48 83 C4 08                                         add     rsp, 8
KiSystemCall64+15E  150 E8 EE FF FF FF                                      call    loc_FFFFF8034C87BC11
KiSystemCall64+163
KiSystemCall64+163                                          loc_FFFFF8034C87BC23:                   ; CODE XREF: KiSystemCall64+170↓p
KiSystemCall64+163  150 48 83 C4 08                                         add     rsp, 8
KiSystemCall64+167  148 E8 EE FF FF FF                                      call    loc_FFFFF8034C87BC1A
KiSystemCall64+16C
KiSystemCall64+16C                                          loc_FFFFF8034C87BC2C:                   ; CODE XREF: KiSystemCall64+179↓p
KiSystemCall64+16C  148 48 83 C4 08                                         add     rsp, 8
KiSystemCall64+170  140 E8 EE FF FF FF                                      call    loc_FFFFF8034C87BC23
KiSystemCall64+175
KiSystemCall64+175                                          loc_FFFFF8034C87BC35:                   ; CODE XREF: KiSystemCall64+182↓p
KiSystemCall64+175  140 48 83 C4 08                                         add     rsp, 8
KiSystemCall64+179  138 E8 EE FF FF FF                                      call    loc_FFFFF8034C87BC2C
KiSystemCall64+17E
KiSystemCall64+17E                                          loc_FFFFF8034C87BC3E:                   ; CODE XREF: KiSystemCall64+18B↓p
KiSystemCall64+17E  138 48 83 C4 08                                         add     rsp, 8
KiSystemCall64+182  130 E8 EE FF FF FF                                      call    loc_FFFFF8034C87BC35
KiSystemCall64+187
KiSystemCall64+187                                          loc_FFFFF8034C87BC47:                   ; CODE XREF: KiSystemCall64+194↓p
KiSystemCall64+187  130 48 83 C4 08                                         add     rsp, 8
KiSystemCall64+18B  128 E8 EE FF FF FF                                      call    loc_FFFFF8034C87BC3E
KiSystemCall64+190
KiSystemCall64+190                                          loc_FFFFF8034C87BC50:                   ; CODE XREF: KiSystemCall64+19D↓p
KiSystemCall64+190  128 48 83 C4 08                                         add     rsp, 8
KiSystemCall64+194  120 E8 EE FF FF FF                                      call    loc_FFFFF8034C87BC47
KiSystemCall64+199
KiSystemCall64+199                                          loc_FFFFF8034C87BC59:                   ; CODE XREF: KiSystemCall64+1A6↓p
KiSystemCall64+199  120 48 83 C4 08                                         add     rsp, 8
KiSystemCall64+19D  118 E8 EE FF FF FF                                      call    loc_FFFFF8034C87BC50
KiSystemCall64+1A2
KiSystemCall64+1A2                                          loc_FFFFF8034C87BC62:                   ; CODE XREF: KiSystemCall64+1AF↓p
KiSystemCall64+1A2  118 48 83 C4 08                                         add     rsp, 8
KiSystemCall64+1A6  110 E8 EE FF FF FF                                      call    loc_FFFFF8034C87BC59
KiSystemCall64+1AB
KiSystemCall64+1AB                                          loc_FFFFF8034C87BC6B:                   ; CODE XREF: KiSystemCall64+1B8↓p
KiSystemCall64+1AB  110 48 83 C4 08                                         add     rsp, 8
KiSystemCall64+1AF  108 E8 EE FF FF FF                                      call    loc_FFFFF8034C87BC62
KiSystemCall64+1B4
KiSystemCall64+1B4                                          loc_FFFFF8034C87BC74:                   ; CODE XREF: KiSystemCall64+1C1↓p
KiSystemCall64+1B4  108 48 83 C4 08                                         add     rsp, 8
KiSystemCall64+1B8  100 E8 EE FF FF FF                                      call    loc_FFFFF8034C87BC6B
KiSystemCall64+1BD
KiSystemCall64+1BD                                          loc_FFFFF8034C87BC7D:                   ; CODE XREF: KiSystemCall64+1CA↓p
KiSystemCall64+1BD  100 48 83 C4 08                                         add     rsp, 8
KiSystemCall64+1C1  0F8 E8 EE FF FF FF                                      call    loc_FFFFF8034C87BC74
KiSystemCall64+1C6
KiSystemCall64+1C6                                          loc_FFFFF8034C87BC86:                   ; CODE XREF: KiSystemCall64+1D3↓p
KiSystemCall64+1C6  0F8 48 83 C4 08                                         add     rsp, 8
KiSystemCall64+1CA  0F0 E8 EE FF FF FF                                      call    loc_FFFFF8034C87BC7D
KiSystemCall64+1CF
KiSystemCall64+1CF                                          loc_FFFFF8034C87BC8F:                   ; CODE XREF: KiSystemCall64+1DC↓p
KiSystemCall64+1CF  0F0 48 83 C4 08                                         add     rsp, 8
KiSystemCall64+1D3  0E8 E8 EE FF FF FF                                      call    loc_FFFFF8034C87BC86
KiSystemCall64+1D8
KiSystemCall64+1D8                                          loc_FFFFF8034C87BC98:                   ; CODE XREF: KiSystemCall64+1E5↓p
KiSystemCall64+1D8  0E8 48 83 C4 08                                         add     rsp, 8
KiSystemCall64+1DC  0E0 E8 EE FF FF FF                                      call    loc_FFFFF8034C87BC8F
KiSystemCall64+1E1
KiSystemCall64+1E1                                          loc_FFFFF8034C87BCA1:                   ; CODE XREF: KiSystemCall64+1EE↓p
KiSystemCall64+1E1  0E0 48 83 C4 08                                         add     rsp, 8
KiSystemCall64+1E5  0D8 E8 EE FF FF FF                                      call    loc_FFFFF8034C87BC98
KiSystemCall64+1EA
KiSystemCall64+1EA                                          loc_FFFFF8034C87BCAA:                   ; CODE XREF: KiSystemCall64+1F7↓p
KiSystemCall64+1EA  0D8 48 83 C4 08                                         add     rsp, 8
KiSystemCall64+1EE  0D0 E8 EE FF FF FF                                      call    loc_FFFFF8034C87BCA1
KiSystemCall64+1F3
KiSystemCall64+1F3                                          loc_FFFFF8034C87BCB3:                   ; CODE XREF: KiSystemCall64+200↓p
KiSystemCall64+1F3  0D0 48 83 C4 08                                         add     rsp, 8
KiSystemCall64+1F7  0C8 E8 EE FF FF FF                                      call    loc_FFFFF8034C87BCAA
KiSystemCall64+1FC
KiSystemCall64+1FC                                          loc_FFFFF8034C87BCBC:                   ; CODE XREF: KiSystemCall64+209↓p
KiSystemCall64+1FC  0C8 48 83 C4 08                                         add     rsp, 8
KiSystemCall64+200  0C0 E8 EE FF FF FF                                      call    loc_FFFFF8034C87BCB3
KiSystemCall64+205
KiSystemCall64+205                                          loc_FFFFF8034C87BCC5:                   ; CODE XREF: KiSystemCall64+212↓p
KiSystemCall64+205  0C0 48 83 C4 08                                         add     rsp, 8
KiSystemCall64+209  0B8 E8 EE FF FF FF                                      call    loc_FFFFF8034C87BCBC
KiSystemCall64+20E
KiSystemCall64+20E                                          loc_FFFFF8034C87BCCE:                   ; CODE XREF: KiSystemCall64+21B↓p
KiSystemCall64+20E  0B8 48 83 C4 08                                         add     rsp, 8
KiSystemCall64+212  0B0 E8 EE FF FF FF                                      call    loc_FFFFF8034C87BCC5
KiSystemCall64+217
KiSystemCall64+217                                          loc_FFFFF8034C87BCD7:                   ; CODE XREF: KiSystemCall64+224↓p
KiSystemCall64+217  0B0 48 83 C4 08                                         add     rsp, 8
KiSystemCall64+21B  0A8 E8 EE FF FF FF                                      call    loc_FFFFF8034C87BCCE
KiSystemCall64+220
KiSystemCall64+220                                          loc_FFFFF8034C87BCE0:                   ; CODE XREF: KiSystemCall64+22D↓p
KiSystemCall64+220  0A8 48 83 C4 08                                         add     rsp, 8
KiSystemCall64+224  0A0 E8 EE FF FF FF                                      call    loc_FFFFF8034C87BCD7
KiSystemCall64+229
KiSystemCall64+229                                          loc_FFFFF8034C87BCE9:                   ; CODE XREF: KiSystemCall64+116↑p
KiSystemCall64+229  0A0 48 83 C4 08                                         add     rsp, 8
KiSystemCall64+22D  098 E8 EE FF FF FF                                      call    loc_FFFFF8034C87BCE0
KiSystemCall64+232
KiSystemCall64+232                                          loc_FFFFF8034C87BCF2:                   ; CODE XREF: KiSystemCall64+11F↑p
KiSystemCall64+232  098 48 83 C4 08                                         add     rsp, 8
KiSystemCall64+236
KiSystemCall64+236                                          loc_FFFFF8034C87BCF6:                   ; CODE XREF: KiSystemCall64+101↑j
KiSystemCall64+236                                                                                  ; KiSystemCall64+110↑j
KiSystemCall64+236  090 0F AE E8                                            lfence                  ; 在旧指令执行完毕前阻止较新指令的执行
KiSystemCall64+236                                                                                  ; Wait On Following Instructions Until(preceding instructions complete);
KiSystemCall64+239
KiSystemCall64+239                                          loc_FFFFF8034C87BCF9:                   ; CODE XREF: KiSystemCall64+F6↑j
KiSystemCall64+239  190 65 C6 04 25 53 08 00 00 00                          mov     gs:_KPCR.Prcb.___u45.__s0.BpbRetpolineState, 0
KiSystemCall64+242
KiSystemCall64+242                                          KiSystemServiceUser:                    ; CODE XREF: KiSystemService+236↑j
KiSystemCall64+242                                                                                  ; KiSystemCall64Shadow+25A↓j
KiSystemCall64+242  190 C6 45 AB 02                                         mov     byte ptr [rbp-55h], 2
KiSystemCall64+246  190 65 48 8B 1C 25 88 01 00 00                          mov     rbx, gs:_KPCR.Prcb.CurrentThread ; _KTHREAD
KiSystemCall64+24F  190 0F 0D 8B 90 00 00 00                                prefetchw byte ptr [rbx+90h] ; 预加载 kpcr.CurrentThread._KTRAP_FRAME
KiSystemCall64+256  190 0F AE 5D AC                                         stmxcsr dword ptr [rbp-54h] ; KTRAP_FRAM.MxCsr = MXCSR
KiSystemCall64+25A  190 65 0F AE 14 25 80 01 00 00                          ldmxcsr dword ptr gs:180h ; mxcsr = _KPCR.Prcb.MxCsr
KiSystemCall64+263  190 80 7B 03 00                                         cmp     byte ptr [rbx+3], 0 ; _kpcr._KPRCB._KTHREAD._DISPATCHER_HEADER.DebugActive
KiSystemCall64+267  190 66 C7 85 80 00 00 00 00 00                          mov     word ptr [rbp+80h], 0 ; _KTRAP_FRAME._KTRAP_FRAME = 0
KiSystemCall64+270  190 0F 84 A8 00 00 00                                   jz      loc_FFFFF8034C87BDDE ; rax = _KTRAP_FRAME.rax
KiSystemCall64+276  190 F6 43 03 03                                         test    byte ptr [rbx+3], 11b ; _KPCR.Prcb.CurrentThread.DispatchHeader.DebugActive(0x3).(ActiveDR7 & Instrumented)
KiSystemCall64+27A  190 4C 89 45 C8                                         mov     [rbp-38h], r8   ; _KTRAP_FRAME.r8 = r8
KiSystemCall64+27E  190 4C 89 4D D0                                         mov     [rbp-30h], r9   ; _KTRAP_FRAME.r9 = r9
KiSystemCall64+282  190 74 05                                               jz      short loc_FFFFF8034C87BD49 ;  _KPCR.Prcb.CurrentThread.DispatchHeader.DebugActive.Minimal
KiSystemCall64+284  190 E8 A7 F0 FE FF                                      call    KiSaveDebugRegisterState ; 保存调试寄存器
KiSystemCall64+289
KiSystemCall64+289                                          loc_FFFFF8034C87BD49:                   ; CODE XREF: KiSystemCall64+282↑j
KiSystemCall64+289  190 F6 43 03 04                                         test    byte ptr [rbx+3], 100b ;  _KPCR.Prcb.CurrentThread.DispatchHeader.DebugActive.Minimal
KiSystemCall64+28D  190 74 2E                                               jz      short loc_FFFFF8034C87BD7D ; _KPCR.Prcb.CurrentThread.DispatchHeader.DebugActive.UmsPrimary
KiSystemCall64+28F  190 4C 89 55 E0                                         mov     [rbp-20h], r10  ; _KTRAP_FRAME.r11=r10
KiSystemCall64+293  190 4C 89 55 D8                                         mov     [rbp-28h], r10  ; _KTRAP_FRAME.r10=r10
KiSystemCall64+297  190 0F 29 45 F0                                         movaps  xmmword ptr [rbp-10h], xmm0 ; 保存xmm寄存器到_KTRAP_FRAME
KiSystemCall64+29B  190 0F 29 4D 00                                         movaps  xmmword ptr [rbp+0], xmm1
KiSystemCall64+29F  190 0F 29 55 10                                         movaps  xmmword ptr [rbp+10h], xmm2
KiSystemCall64+2A3  190 0F 29 5D 20                                         movaps  xmmword ptr [rbp+20h], xmm3
KiSystemCall64+2A7  190 0F 29 65 30                                         movaps  xmmword ptr [rbp+30h], xmm4
KiSystemCall64+2AB  190 0F 29 6D 40                                         movaps  xmmword ptr [rbp+40h], xmm5
KiSystemCall64+2AF  190 FB                                                  sti                     ; 开中断
KiSystemCall64+2B0  190 48 8B CC                                            mov     rcx, rsp
KiSystemCall64+2B3  190 E8 48 98 6F 00                                      call    PsPicoSystemCallDispatch ; 如果当前thread->_DISPATCHER_HEADER中设置了Minimal标志位，
KiSystemCall64+2B3                                                                                  ; 则KiSystemCall64会调用nt!PsPicoSystemCallDispatch进行pico相关分发，
KiSystemCall64+2B3                                                                                  ; 不走原始的sdt分发表。
KiSystemCall64+2B8  190 E9 98 04 00 00                                      jmp     KiSystemServiceExitPico
KiSystemCall64+2BD                                          ; ---------------------------------------------------------------------------
KiSystemCall64+2BD
KiSystemCall64+2BD                                          loc_FFFFF8034C87BD7D:                   ; CODE XREF: KiSystemCall64+28D↑j
KiSystemCall64+2BD  190 F6 43 03 80                                         test    byte ptr [rbx+3], 80h ; '€' ; _KPCR.Prcb.CurrentThread.DispatchHeader.DebugActive.UmsPrimary
KiSystemCall64+2C1  190 74 48                                               jz      short loc_FFFFF8034C87BDCB ; CurrentThread.DispatchHeader.DebugActive.UmsScheduled
KiSystemCall64+2C3  190 B9 02 01 00 C0                                      mov     ecx, 0C0000102h ; IA32_KERNEL_GS_BASE
KiSystemCall64+2C8  190 0F 32                                               rdmsr                   ; 读取用户层的GS地址
KiSystemCall64+2C8                                                                                  ; edx存着高32位地址，eax存着低32位地址
KiSystemCall64+2CA  190 48 C1 E2 20                                         shl     rdx, 32
KiSystemCall64+2CE  190 48 0B C2                                            or      rax, rdx        ; rax = r3.gs_base 指向TEB
KiSystemCall64+2D1  190 48 3B 05 E0 F7 1A 00                                cmp     rax, cs:MmUserProbeAddress ; MmUserProbeAddress是一个全局变量，
KiSystemCall64+2D1                                                                                  ; 它保存着一个将用户空间与内核空间分开的地址。
KiSystemCall64+2D1                                                                                  ; 与此值的比较用于确定地址是指向用户空间还是内核空间。
KiSystemCall64+2D8  190 48 0F 43 05 D8 F7 1A 00                             cmovnb  rax, cs:MmUserProbeAddress ; 如果大于等于，rax = MmUserProbeAddress
KiSystemCall64+2E0  190 48 39 83 F0 00 00 00                                cmp     [rbx+0F0h], rax ; CurrentThread.TEB 和TEB比较
KiSystemCall64+2E7  190 74 22                                               jz      short loc_FFFFF8034C87BDCB ; CurrentThread.DispatchHeader.DebugActive.UmsScheduled
KiSystemCall64+2E9  190 48 8B 93 F0 01 00 00                                mov     rdx, [rbx+1F0h] ; rdx = _KTHREAD.WaitBlock[3].Object
KiSystemCall64+2F0  190 0F BA 6B 74 08                                      bts     dword ptr [rbx+74h], 8 ; _KTHREAD.MiscFlags.UmsDirectedSwitchEnable
KiSystemCall64+2F5  190 66 FF 8B E6 01 00 00                                dec     word ptr [rbx+1E6h] ; _KTHREAD.SpecialApcDisable
KiSystemCall64+2FC  190 48 89 82 80 00 00 00                                mov     [rdx+80h], rax
KiSystemCall64+303  190 FB                                                  sti                     ; 开中断
KiSystemCall64+304  190 E8 F7 12 00 00                                      call    KiUmsCallEntry  ; https://www.cnblogs.com/DreamoneOnly/p/13300318.html
KiSystemCall64+309  190 EB 0B                                               jmp     short loc_FFFFF8034C87BDD6 ; r8 = _KTRAP_FRAME.r8
KiSystemCall64+30B                                          ; ---------------------------------------------------------------------------
KiSystemCall64+30B
KiSystemCall64+30B                                          loc_FFFFF8034C87BDCB:                   ; CODE XREF: KiSystemCall64+2C1↑j
KiSystemCall64+30B                                                                                  ; KiSystemCall64+2E7↑j
KiSystemCall64+30B  190 F6 43 03 40                                         test    byte ptr [rbx+3], 40h ; '@' ; CurrentThread.DispatchHeader.DebugActive.UmsScheduled
KiSystemCall64+30F  190 74 05                                               jz      short loc_FFFFF8034C87BDD6 ; r8 = _KTRAP_FRAME.r8
KiSystemCall64+311  190 0F BA 6B 74 10                                      bts     dword ptr [rbx+74h], 16 ; MiscFlags.UmsPerformingSyscall
KiSystemCall64+316
KiSystemCall64+316                                          loc_FFFFF8034C87BDD6:                   ; CODE XREF: KiSystemCall64+309↑j
KiSystemCall64+316                                                                                  ; KiSystemCall64+30F↑j
KiSystemCall64+316  190 4C 8B 45 C8                                         mov     r8, [rbp-38h]   ; r8 = _KTRAP_FRAME.r8
KiSystemCall64+31A  190 4C 8B 4D D0                                         mov     r9, [rbp-30h]   ; r9 = _KTRAP_FRAME.r9
KiSystemCall64+31E
KiSystemCall64+31E                                          loc_FFFFF8034C87BDDE:                   ; CODE XREF: KiSystemCall64+270↑j
KiSystemCall64+31E  190 48 8B 45 B0                                         mov     rax, [rbp-50h]  ; rax = _KTRAP_FRAME.rax
KiSystemCall64+322  190 48 8B 4D B8                                         mov     rcx, [rbp-48h]  ; rcx = _KTRAP_FRAME.rcx
KiSystemCall64+326  190 48 8B 55 C0                                         mov     rdx, [rbp-40h]  ; rdx = _KTRAP_FRAME.rdx
KiSystemCall64+32A  190 FB                                                  sti                     ; 开中断
KiSystemCall64+32B  190 48 89 8B 88 00 00 00                                mov     [rbx+88h], rcx  ; _KTHREAD.FirstArgument = rcx
KiSystemCall64+332  190 89 83 80 00 00 00                                   mov     [rbx+80h], eax  ; 记录调用号
KiSystemCall64+332                                                                                  ; _KTHREAD.SystemCallNumber = eax
KiSystemCall64+338  190 0F 1F 84 00 00 00 00 00                             nop     dword ptr [rax+rax+00000000h]
KiSystemCall64+340
KiSystemCall64+340                                          KiSystemServiceStart:                   ; DATA XREF: KiServiceInternal+5A↑o
KiSystemCall64+340                                                                                  ; .data:FFFFF8034CACF340↓o
KiSystemCall64+340  190 48 89 A3 90 00 00 00                                mov     [rbx+90h], rsp  ; 记录之前构造的_KTRAP_FRAME
KiSystemCall64+340                                                                                  ; _KTHREAD.SystemCallNumber = rsp
KiSystemCall64+347  190 8B F8                                               mov     edi, eax
KiSystemCall64+349  190 C1 EF 07                                            shr     edi, 7          ; 除以128
KiSystemCall64+34C  190 83 E7 20                                            and     edi, 20h ; ' '  ; 计算偏移号
KiSystemCall64+34F  190 25 FF 0F 00 00                                      and     eax, 0FFFh      ; 修正调用号
KiSystemCall64+34F                                                                                  ; GDI 系统调用（调用号>= 0x1000
KiSystemCall64+354
KiSystemCall64+354                                          KiSystemServiceRepeat:                  ; CODE XREF: KiSystemCall64+8EE↓j
KiSystemCall64+354  190 4C 8D 15 65 9A 3B 00                                lea     r10, KeServiceDescriptorTable ;
KiSystemCall64+354                                                                                  ; #pragma pack(1)
KiSystemCall64+354                                                                                  ; typedef struct _SERVICE_DESCIPTOR_TABLE
KiSystemCall64+354                                                                                  ; {
KiSystemCall64+354                                                                                  ;    PULONG ServiceTableBase;          // SSDT基址
KiSystemCall64+354                                                                                  ;    PVOID ServiceCounterTableBase; // SSDT中服务被调用次数计数器
KiSystemCall64+354                                                                                  ;    ULONGLONG NumberOfService;     // SSDT服务个数
KiSystemCall64+354                                                                                  ;    PVOID ParamTableBase;          // 系统服务参数表基址
KiSystemCall64+354                                                                                  ; }SSDTEntry, *PSSDTEntry;
KiSystemCall64+354                                                                                  ; #pragma pack()
KiSystemCall64+35B  190 4C 8D 1D 5E 1C 3A 00                                lea     r11, KeServiceDescriptorTableShadow
KiSystemCall64+362  190 F7 43 78 80 00 00 00                                test    dword ptr [rbx+78h], 80h ; '€' ; _KTHREAD.ThreadFlags.GuiThread
KiSystemCall64+362                                                                                  ; 判断是否是gui线程
KiSystemCall64+369  190 74 13                                               jz      short loc_FFFFF8034C87BE3E ; 判断是否越界 _KSYSTEM_SERVICE_TABLE.NumberOfService
KiSystemCall64+36B  190 F7 43 78 00 00 20 00                                test    dword ptr [rbx+78h], 200000h ; 是否启用系统调用过滤，如果启用系统调用过滤，会在进程级别上进行检测
KiSystemCall64+372  190 74 07                                               jz      short loc_FFFFF8034C87BE3B
KiSystemCall64+374  190 4C 8D 1D 85 1C 3A 00                                lea     r11, KeServiceDescriptorTableFilter ; r11 = SSDTFilter
KiSystemCall64+37B
KiSystemCall64+37B                                          loc_FFFFF8034C87BE3B:                   ; CODE XREF: KiSystemCall64+372↑j
KiSystemCall64+37B  190 4D 8B D3                                            mov     r10, r11
KiSystemCall64+37E
KiSystemCall64+37E                                          loc_FFFFF8034C87BE3E:                   ; CODE XREF: KiSystemCall64+369↑j
KiSystemCall64+37E  190 41 3B 44 3A 10                                      cmp     eax, [r10+rdi+10h] ; 判断是否越界 _KSYSTEM_SERVICE_TABLE.NumberOfService
KiSystemCall64+383  190 0F 83 2C 05 00 00                                   jnb     loc_FFFFF8034C87C375
KiSystemCall64+389  190 4D 8B 14 3A                                         mov     r10, [r10+rdi]  ; r10 = _KSYSTEM_SERVICE_TABLE.ServiceTableBase
KiSystemCall64+38D  190 4D 63 1C 82                                         movsxd  r11, dword ptr [r10+rax*4] ; 获取调用号的SSDT [ServiceTableBase + SystemCallNumber * 4]
KiSystemCall64+391  190 49 8B C3                                            mov     rax, r11
KiSystemCall64+394  190 49 C1 FB 04                                         sar     r11, 4          ; https://bbs.pediy.com/thread-194447.htm
KiSystemCall64+394                                                                                  ; 这个四节的偏移最后四位是例程的参数个数，所以需要右移四位后取得真正的偏移
KiSystemCall64+394                                                                                  ; r11 >> 4
KiSystemCall64+398  190 4D 03 D3                                            add     r10, r11        ; r10 = ServiceTableBase +  r11
KiSystemCall64+39B  190 83 FF 20                                            cmp     edi, 20h ; ' '  ; 检查是否是gdi的API，0x20<<4 = 0x1000
KiSystemCall64+39E  190 75 50                                               jnz     short loc_FFFFF8034C87BEB0 ; 获取参数个数
KiSystemCall64+3A0  190 4C 8B 9B F0 00 00 00                                mov     r11, [rbx+0F0h] ; _KTHREAD.TEB
KiSystemCall64+3A7
KiSystemCall64+3A7                                          KiSystemServiceGdiTebAccess:            ; DATA XREF: KiSystemServiceHandler+D↑o
KiSystemCall64+3A7  190 41 83 BB 40 17 00 00 00                             cmp     dword ptr [r11+1740h], 0 ; _KTHREAD.TEB.GdiBatchCount
KiSystemCall64+3AF  190 74 3F                                               jz      short loc_FFFFF8034C87BEB0 ; 获取参数个数
KiSystemCall64+3B1  190 48 89 45 B0                                         mov     [rbp-50h], rax  ; 保存 _KTRAP_FRAME ra,rcx,rdx
KiSystemCall64+3B5  190 48 89 4D B8                                         mov     [rbp-48h], rcx
KiSystemCall64+3B9  190 48 89 55 C0                                         mov     [rbp-40h], rdx
KiSystemCall64+3BD  190 49 8B D8                                            mov     rbx, r8         ; 保存 r8 r9 r10
KiSystemCall64+3C0  190 49 8B F9                                            mov     rdi, r9
KiSystemCall64+3C3  190 49 8B F2                                            mov     rsi, r10
KiSystemCall64+3C6  190 B9 07 00 00 00                                      mov     ecx, 7
KiSystemCall64+3CB  190 33 D2                                               xor     edx, edx
KiSystemCall64+3CD  190 4D 33 C0                                            xor     r8, r8
KiSystemCall64+3D0  190 4D 33 C9                                            xor     r9, r9
KiSystemCall64+3D3  190 E8 48 1A 40 00                                      call    PsInvokeWin32Callout
KiSystemCall64+3D8  190 48 8B 45 B0                                         mov     rax, [rbp-50h]  ; 恢复寄存器
KiSystemCall64+3DC  190 48 8B 4D B8                                         mov     rcx, [rbp-48h]
KiSystemCall64+3E0  190 48 8B 55 C0                                         mov     rdx, [rbp-40h]
KiSystemCall64+3E4  190 4C 8B C3                                            mov     r8, rbx
KiSystemCall64+3E7  190 4C 8B CF                                            mov     r9, rdi
KiSystemCall64+3EA  190 4C 8B D6                                            mov     r10, rsi
KiSystemCall64+3ED  190 0F 1F 00                                            nop     dword ptr [rax]
KiSystemCall64+3F0
KiSystemCall64+3F0                                          loc_FFFFF8034C87BEB0:                   ; CODE XREF: KiSystemCall64+39E↑j
KiSystemCall64+3F0                                                                                  ; KiSystemCall64+3AF↑j
KiSystemCall64+3F0  190 83 E0 0F                                            and     eax, 1111b      ; 获取参数个数
KiSystemCall64+3F3  190 0F 84 B7 00 00 00                                   jz      KiSystemServiceCopyEnd ; 是否存在动态跟踪
KiSystemCall64+3F9  190 C1 E0 03                                            shl     eax, 3          ; 根据栈上参数个数*8，计算 KiSystemServiceCopyStart函数调用偏移
KiSystemCall64+3FC  190 48 8D 64 24 90                                      lea     rsp, [rsp-70h]  ; 开辟70h的栈
KiSystemCall64+401  200 48 8D 7C 24 18                                      lea     rdi, [rsp+18h]
KiSystemCall64+406  200 48 8B B5 00 01 00 00                                mov     rsi, [rbp+100h] ; rsi = _KTRAP_FRAME.Rsp
KiSystemCall64+40D  200 48 8D 76 20                                         lea     rsi, [rsi+20h]
KiSystemCall64+411  200 F6 85 F0 00 00 00 01                                test    byte ptr [rbp+0F0h], 1 ; _KTRAP_FRAME.SegCs 检查初始调用权限
KiSystemCall64+418  200 74 16                                               jz      short loc_FFFFF8034C87BEF0
KiSystemCall64+41A  200 48 3B 35 97 F6 1A 00                                cmp     rsi, cs:MmUserProbeAddress
KiSystemCall64+421  200 48 0F 43 35 8F F6 1A 00                             cmovnb  rsi, cs:MmUserProbeAddress ; rsi = 内核地址
KiSystemCall64+429  200 0F 1F 80 00 00 00 00                                nop     dword ptr [rax+00000000h]
KiSystemCall64+430
KiSystemCall64+430                                          loc_FFFFF8034C87BEF0:                   ; CODE XREF: KiSystemCall64+418↑j
KiSystemCall64+430  200 4C 8D 1D 79 00 00 00                                lea     r11, KiSystemServiceCopyEnd ; 是否存在动态跟踪
KiSystemCall64+437  200 4C 2B D8                                            sub     r11, rax
KiSystemCall64+43A  200 41 FF E3                                            jmp     r11
KiSystemCall64+43A                                          ; ---------------------------------------------------------------------------
KiSystemCall64+43D  190 CC CC CC                                            align 20h
KiSystemCall64+440
KiSystemCall64+440                                          KiSystemServiceCopyStart:               ; DATA XREF: KiSystemServiceHandler+1A↑o
KiSystemCall64+440  190 48 8B 46 70                                         mov     rax, [rsi+70h]  ; 拷贝r3栈上的参数到0环的栈上
KiSystemCall64+444  190 48 89 47 70                                         mov     [rdi+70h], rax
KiSystemCall64+448  190 48 8B 46 68                                         mov     rax, [rsi+68h]
KiSystemCall64+44C  190 48 89 47 68                                         mov     [rdi+68h], rax
KiSystemCall64+450  190 48 8B 46 60                                         mov     rax, [rsi+60h]
KiSystemCall64+454  190 48 89 47 60                                         mov     [rdi+60h], rax
KiSystemCall64+458  190 48 8B 46 58                                         mov     rax, [rsi+58h]
KiSystemCall64+45C  190 48 89 47 58                                         mov     [rdi+58h], rax
KiSystemCall64+460  190 48 8B 46 50                                         mov     rax, [rsi+50h]
KiSystemCall64+464  190 48 89 47 50                                         mov     [rdi+50h], rax
KiSystemCall64+468  190 48 8B 46 48                                         mov     rax, [rsi+48h]
KiSystemCall64+46C  190 48 89 47 48                                         mov     [rdi+48h], rax
KiSystemCall64+470  190 48 8B 46 40                                         mov     rax, [rsi+40h]
KiSystemCall64+474  190 48 89 47 40                                         mov     [rdi+40h], rax
KiSystemCall64+478  190 48 8B 46 38                                         mov     rax, [rsi+38h]
KiSystemCall64+47C  190 48 89 47 38                                         mov     [rdi+38h], rax
KiSystemCall64+480  190 48 8B 46 30                                         mov     rax, [rsi+30h]
KiSystemCall64+484  190 48 89 47 30                                         mov     [rdi+30h], rax
KiSystemCall64+488  190 48 8B 46 28                                         mov     rax, [rsi+28h]
KiSystemCall64+48C  190 48 89 47 28                                         mov     [rdi+28h], rax
KiSystemCall64+490  190 48 8B 46 20                                         mov     rax, [rsi+20h]
KiSystemCall64+494  190 48 89 47 20                                         mov     [rdi+20h], rax
KiSystemCall64+498  190 48 8B 46 18                                         mov     rax, [rsi+18h]
KiSystemCall64+49C  190 48 89 47 18                                         mov     [rdi+18h], rax
KiSystemCall64+4A0  190 48 8B 46 10                                         mov     rax, [rsi+10h]
KiSystemCall64+4A4  190 48 89 47 10                                         mov     [rdi+10h], rax
KiSystemCall64+4A8  190 48 8B 46 08                                         mov     rax, [rsi+8]
KiSystemCall64+4AC  190 48 89 47 08                                         mov     [rdi+8], rax
KiSystemCall64+4B0
KiSystemCall64+4B0                                          KiSystemServiceCopyEnd:                 ; CODE XREF: KiSystemCall64+3F3↑j
KiSystemCall64+4B0                                                                                  ; DATA XREF: KiSystemServiceHandler+27↑o
KiSystemCall64+4B0                                                                                  ; KiSystemCall64:loc_FFFFF8034C87BEF0↑o
KiSystemCall64+4B0  190 F7 05 06 16 3A 00 01 00 00 00                       test    cs:KiDynamicTraceMask, 1 ; 是否存在动态跟踪
KiSystemCall64+4BA  190 0F 85 93 04 00 00                                   jnz     loc_FFFFF8034C87C413
KiSystemCall64+4C0  190 F7 05 7E 14 3A 00 40 00 00 00                       test    dword ptr cs:PerfGlobalGroupMask+8, 64 ; https://www.twblogs.net/a/5b88c3872b71775d1cde365d
KiSystemCall64+4C0                                                                                  ; 內核日誌記錄器是一個事件提供者，它有一個預定義GUID，即內核變量SystemTraceControlGuid。內核日誌記錄器支持多種事件類，採用標誌位（flag）來指示是否記錄某一類型的事件。進一步將這些事件分爲8個組，每個組使用一個掩碼（29位）來描述。系統的全局組掩碼是由全局變量PerfGlobalGroupMask定義的。
KiSystemCall64+4CA  190 0F 85 F7 04 00 00                                   jnz     loc_FFFFF8034C87C487
KiSystemCall64+4D0  190 49 8B C2                                            mov     rax, r10
KiSystemCall64+4D3  190 FF D0                                               call    rax             ; +++调用计算出来的系统服务例程+++
KiSystemCall64+4D5  190 0F 1F 00                                            nop     dword ptr [rax]
KiSystemCall64+4D8
KiSystemCall64+4D8                                          loc_FFFFF8034C87BF98:                   ; CODE XREF: KiSystemCall64+9C2↓j
KiSystemCall64+4D8                                                                                  ; KiSystemCall64+A19↓j
KiSystemCall64+4D8  190 65 FF 04 25 B8 2E 00 00                             inc     dword ptr gs:2EB8h ; kpcr._KPRCB.KeSystemCalls + 1
KiSystemCall64+4D8                                                                                  ; 自系统启动以来发生的系统调用数量的单调计数器。
KiSystemCall64+4E0
KiSystemCall64+4E0                                          KiSystemServiceExit:                    ; CODE XREF: KiSystemCall64+90F↓j
KiSystemCall64+4E0                                                                                  ; KiSystemCall64+91A↓j
KiSystemCall64+4E0                                                                                  ; DATA XREF: KiCallUserMode+219↑o
KiSystemCall64+4E0                                                                                  ; KiSystemServiceHandler+48↑o
KiSystemCall64+4E0  190 48 8B 9D C0 00 00 00                                mov     rbx, [rbp+0C0h] ; _KTRAP_FRAME.Rbx 恢复寄存器 rbx,rdi,rsi
KiSystemCall64+4E7  190 48 8B BD C8 00 00 00                                mov     rdi, [rbp+0C8h]
KiSystemCall64+4EE  190 48 8B B5 D0 00 00 00                                mov     rsi, [rbp+0D0h]
KiSystemCall64+4F5  190 65 4C 8B 1C 25 88 01 00 00                          mov     r11, gs:188h    ; r11 = _KTHREAD *(CurrnetThread)
KiSystemCall64+4FE  190 F6 85 F0 00 00 00 01                                test    byte ptr [rbp+0F0h], 1 ; _KTRAP_FRAME.SegCs 检查上一环权限
KiSystemCall64+505  190 0F 84 1D 02 00 00                                   jz      loc_FFFFF8034C87C1E8 ; 0环则跳走
KiSystemCall64+50B  190 44 0F 20 C1                                         mov     rcx, cr8        ; Task Priority Register
KiSystemCall64+50F  190 41 0A 8B 4A 02 00 00                                or      cl, [r11+24Ah]  ; CurrentThread.ApcStateIndex
KiSystemCall64+516  190 41 0B 8B E4 01 00 00                                or      ecx, [r11+1E4h] ; CurrentThread.KernelApcDisable
KiSystemCall64+51D  190 0F 85 FC 03 00 00                                   jnz     loc_FFFFF8034C87C3DF
KiSystemCall64+523  190 FA                                                  cli                     ; 关中断
KiSystemCall64+524
KiSystemCall64+524                                          loc_FFFFF8034C87BFE4:                   ; CODE XREF: KiSystemCall64+58D↓j
KiSystemCall64+524  190 65 48 8B 0C 25 88 01 00 00                          mov     rcx, gs:188h    ; 循环检测APC，有则初始化
KiSystemCall64+524                                                                                  ; rcx = _KTHREAD *(CurrnetThread)
KiSystemCall64+52D  190 F6 81 C2 00 00 00 03                                test    byte ptr [rcx+_KTHREAD.___u25.ApcState.___u4], 11b
KiSystemCall64+534  190 74 59                                               jz      short loc_FFFFF8034C87C04F
KiSystemCall64+536  190 48 89 45 B0                                         mov     [rbp-50h], rax  ; 保存rax
KiSystemCall64+53A  190 33 C0                                               xor     eax, eax        ; 清零
KiSystemCall64+53C  190 48 89 45 B8                                         mov     [rbp-48h], rax  ; _KTRAP_FRAME的r8,r9,r10,r11,edx清零
KiSystemCall64+540  190 48 89 45 C0                                         mov     [rbp-40h], rax
KiSystemCall64+544  190 48 89 45 C8                                         mov     [rbp-38h], rax
KiSystemCall64+548  190 48 89 45 D0                                         mov     [rbp-30h], rax
KiSystemCall64+54C  190 48 89 45 D8                                         mov     [rbp-28h], rax
KiSystemCall64+550  190 48 89 45 E0                                         mov     [rbp-20h], rax
KiSystemCall64+554  190 66 0F EF C0                                         pxor    xmm0, xmm0      ; _KTRAP_FRAME的xmm寄存器清零
KiSystemCall64+558  190 0F 29 45 F0                                         movaps  xmmword ptr [rbp-10h], xmm0
KiSystemCall64+55C  190 0F 29 45 00                                         movaps  xmmword ptr [rbp+0], xmm0
KiSystemCall64+560  190 0F 29 45 10                                         movaps  xmmword ptr [rbp+10h], xmm0
KiSystemCall64+564  190 0F 29 45 20                                         movaps  xmmword ptr [rbp+20h], xmm0
KiSystemCall64+568  190 0F 29 45 30                                         movaps  xmmword ptr [rbp+30h], xmm0
KiSystemCall64+56C  190 0F 29 45 40                                         movaps  xmmword ptr [rbp+40h], xmm0
KiSystemCall64+570  190 B9 01 00 00 00                                      mov     ecx, 1
KiSystemCall64+575  190 44 0F 22 C1                                         mov     cr8, rcx        ; cr8 = APC_LEVEL
KiSystemCall64+575                                                                                  ; https://zh.wikipedia.org/wiki/IRQL
KiSystemCall64+579  190 FB                                                  sti
KiSystemCall64+57A  190 E8 E1 2C FF FF                                      call    KiInitiateUserApc
KiSystemCall64+57F  190 FA                                                  cli
KiSystemCall64+580  190 B9 00 00 00 00                                      mov     ecx, 0
KiSystemCall64+585  190 44 0F 22 C1                                         mov     cr8, rcx        ; cr8 = LOW_LEVEL
KiSystemCall64+589  190 48 8B 45 B0                                         mov     rax, [rbp-50h]  ; 恢复rax
KiSystemCall64+58D  190 EB 95                                               jmp     short loc_FFFFF8034C87BFE4 ; 循环检测APC，有则初始化
KiSystemCall64+58D                                                                                  ; rcx = _KTHREAD *(CurrnetThread)
KiSystemCall64+58F                                          ; ---------------------------------------------------------------------------
KiSystemCall64+58F
KiSystemCall64+58F                                          loc_FFFFF8034C87C04F:                   ; CODE XREF: KiSystemCall64+534↑j
KiSystemCall64+58F  190 65 F6 04 25 7E 02 00 00 02                          test    byte ptr gs:_KPCR.Prcb.___u40.__s0.PairRegister, 2
KiSystemCall64+598  190 74 0F                                               jz      short loc_FFFFF8034C87C069
KiSystemCall64+59A  190 48 89 45 B0                                         mov     [rbp-50h], rax  ; 保存rax
KiSystemCall64+59E  190 33 C9                                               xor     ecx, ecx
KiSystemCall64+5A0  190 E8 1B 7C F2 FF                                      call    KiUpdateStibpPairing
KiSystemCall64+5A5  190 48 8B 45 B0                                         mov     rax, [rbp-50h]  ; 恢复rax
KiSystemCall64+5A9
KiSystemCall64+5A9                                          loc_FFFFF8034C87C069:                   ; CODE XREF: KiSystemCall64+598↑j
KiSystemCall64+5A9  190 65 48 8B 0C 25 88 01 00 00                          mov     rcx, gs:188h
KiSystemCall64+5B2  190 F7 01 00 00 00 08                                   test    [rcx+_KTHREAD.Header.___u0.Lock], 8000000h
KiSystemCall64+5B8  190 74 3F                                               jz      short loc_FFFFF8034C87C0B9
KiSystemCall64+5BA  190 48 89 45 B0                                         mov     [rbp-50h], rax
KiSystemCall64+5BE  190 33 C0                                               xor     eax, eax
KiSystemCall64+5C0  190 48 89 45 B8                                         mov     [rbp-48h], rax
KiSystemCall64+5C4  190 48 89 45 C0                                         mov     [rbp-40h], rax
KiSystemCall64+5C8  190 48 89 45 C8                                         mov     [rbp-38h], rax
KiSystemCall64+5CC  190 48 89 45 D0                                         mov     [rbp-30h], rax
KiSystemCall64+5D0  190 48 89 45 D8                                         mov     [rbp-28h], rax
KiSystemCall64+5D4  190 48 89 45 E0                                         mov     [rbp-20h], rax
KiSystemCall64+5D8  190 66 0F EF C0                                         pxor    xmm0, xmm0
KiSystemCall64+5DC  190 0F 29 45 F0                                         movaps  xmmword ptr [rbp-10h], xmm0
KiSystemCall64+5E0  190 0F 29 45 00                                         movaps  xmmword ptr [rbp+0], xmm0
KiSystemCall64+5E4  190 0F 29 45 10                                         movaps  xmmword ptr [rbp+10h], xmm0
KiSystemCall64+5E8  190 0F 29 45 20                                         movaps  xmmword ptr [rbp+20h], xmm0
KiSystemCall64+5EC  190 0F 29 45 30                                         movaps  xmmword ptr [rbp+30h], xmm0
KiSystemCall64+5F0  190 0F 29 45 40                                         movaps  xmmword ptr [rbp+40h], xmm0
KiSystemCall64+5F4  190 E8 27 F7 FE FF                                      call    KiRestoreSetContextState
KiSystemCall64+5F9
KiSystemCall64+5F9                                          loc_FFFFF8034C87C0B9:                   ; CODE XREF: KiSystemCall64+5B8↑j
KiSystemCall64+5F9  190 65 48 8B 0C 25 88 01 00 00                          mov     rcx, gs:188h
KiSystemCall64+602  190 F7 01 00 00 01 40                                   test    dword ptr [rcx], 1000000000000010000000000000000b
KiSystemCall64+608  190 74 2D                                               jz      short loc_FFFFF8034C87C0F7
KiSystemCall64+60A  190 48 89 45 B0                                         mov     [rbp-50h], rax
KiSystemCall64+60E  190 F6 41 02 01                                         test    byte ptr [rcx+2], 1
KiSystemCall64+612  190 74 0E                                               jz      short loc_FFFFF8034C87C0E2
KiSystemCall64+614  190 E8 D7 BC 0D 00                                      call    KiCopyCounters
KiSystemCall64+619  190 65 48 8B 0C 25 88 01 00 00                          mov     rcx, gs:188h
KiSystemCall64+622
KiSystemCall64+622                                          loc_FFFFF8034C87C0E2:                   ; CODE XREF: KiSystemCall64+612↑j
KiSystemCall64+622  190 F6 41 03 40                                         test    byte ptr [rcx+3], 1000000b
KiSystemCall64+626  190 74 0B                                               jz      short loc_FFFFF8034C87C0F3
KiSystemCall64+628  190 48 8D 65 80                                         lea     rsp, [rbp-80h]
KiSystemCall64+62C  088 33 C9                                               xor     ecx, ecx
KiSystemCall64+62E  088 E8 4D 12 00 00                                      call    KiUmsExit
KiSystemCall64+633
KiSystemCall64+633                                          loc_FFFFF8034C87C0F3:                   ; CODE XREF: KiSystemCall64+626↑j
KiSystemCall64+633  088 48 8B 45 B0                                         mov     rax, [rbp-50h]
KiSystemCall64+637
KiSystemCall64+637                                          loc_FFFFF8034C87C0F7:                   ; CODE XREF: KiSystemCall64+608↑j
KiSystemCall64+637  088 0F AE 55 AC                                         ldmxcsr dword ptr [rbp-54h]
KiSystemCall64+63B  088 4D 33 D2                                            xor     r10, r10
KiSystemCall64+63E  088 66 83 BD 80 00 00 00 00                             cmp     word ptr [rbp+80h], 0
KiSystemCall64+646  088 74 41                                               jz      short loc_FFFFF8034C87C149
KiSystemCall64+648  088 48 89 45 B0                                         mov     [rbp-50h], rax
KiSystemCall64+64C  088 E8 5F EC FE FF                                      call    KiRestoreDebugRegisterState
KiSystemCall64+651  088 65 48 8B 04 25 88 01 00 00                          mov     rax, gs:188h
KiSystemCall64+65A  088 48 8B 80 B8 00 00 00                                mov     rax, [rax+0B8h]
KiSystemCall64+661  088 48 8B 80 D0 02 00 00                                mov     rax, [rax+2D0h]
KiSystemCall64+668  088 48 0B C0                                            or      rax, rax
KiSystemCall64+66B  088 74 18                                               jz      short loc_FFFFF8034C87C145
KiSystemCall64+66D  088 66 83 BD F0 00 00 00 33                             cmp     word ptr [rbp+0F0h], 33h ; '3'
KiSystemCall64+675  088 75 0E                                               jnz     short loc_FFFFF8034C87C145
KiSystemCall64+677  088 4C 8B 95 E8 00 00 00                                mov     r10, [rbp+0E8h]
KiSystemCall64+67E  088 48 89 85 E8 00 00 00                                mov     [rbp+0E8h], rax
KiSystemCall64+685
KiSystemCall64+685                                          loc_FFFFF8034C87C145:                   ; CODE XREF: KiSystemCall64+66B↑j
KiSystemCall64+685                                                                                  ; KiSystemCall64+675↑j
KiSystemCall64+685  088 48 8B 45 B0                                         mov     rax, [rbp-50h]
KiSystemCall64+689
KiSystemCall64+689                                          loc_FFFFF8034C87C149:                   ; CODE XREF: KiSystemCall64+646↑j
KiSystemCall64+689  088 48 89 45 B0                                         mov     [rbp-50h], rax
KiSystemCall64+68D  088 65 C6 04 25 53 08 00 00 00                          mov     byte ptr gs:853h, 0
KiSystemCall64+696  088 65 0F B6 04 25 7D 02 00 00                          movzx   eax, byte ptr gs:27Dh
KiSystemCall64+69F  088 65 38 04 25 7A 02 00 00                             cmp     gs:27Ah, al
KiSystemCall64+6A7  088 74 11                                               jz      short loc_FFFFF8034C87C17A
KiSystemCall64+6A9  088 65 88 04 25 7A 02 00 00                             mov     gs:27Ah, al
KiSystemCall64+6B1  088 B9 48 00 00 00                                      mov     ecx, 48h ; 'H'
KiSystemCall64+6B6  088 33 D2                                               xor     edx, edx
KiSystemCall64+6B8  088 0F 30                                               wrmsr
KiSystemCall64+6BA
KiSystemCall64+6BA                                          loc_FFFFF8034C87C17A:                   ; CODE XREF: KiSystemCall64+6A7↑j
KiSystemCall64+6BA  088 66 65 0F BA 34 25 78 02 00 00 02                    btr     word ptr gs:278h, 2
KiSystemCall64+6C5  088 73 0E                                               jnb     short loc_FFFFF8034C87C195
KiSystemCall64+6C7  088 B8 01 00 00 00                                      mov     eax, 1
KiSystemCall64+6CC  088 33 D2                                               xor     edx, edx
KiSystemCall64+6CE  088 B9 49 00 00 00                                      mov     ecx, 49h ; 'I'
KiSystemCall64+6D3  088 0F 30                                               wrmsr
KiSystemCall64+6D5
KiSystemCall64+6D5                                          loc_FFFFF8034C87C195:                   ; CODE XREF: KiSystemCall64+6C5↑j
KiSystemCall64+6D5  088 48 8B 45 B0                                         mov     rax, [rbp-50h]
KiSystemCall64+6D9  088 4C 8B 85 00 01 00 00                                mov     r8, [rbp+100h]
KiSystemCall64+6E0  088 4C 8B 8D D8 00 00 00                                mov     r9, [rbp+0D8h]
KiSystemCall64+6E7  088 33 D2                                               xor     edx, edx
KiSystemCall64+6E9  088 66 0F EF C0                                         pxor    xmm0, xmm0
KiSystemCall64+6ED  088 66 0F EF C9                                         pxor    xmm1, xmm1
KiSystemCall64+6F1  088 66 0F EF D2                                         pxor    xmm2, xmm2
KiSystemCall64+6F5  088 66 0F EF DB                                         pxor    xmm3, xmm3
KiSystemCall64+6F9  088 66 0F EF E4                                         pxor    xmm4, xmm4
KiSystemCall64+6FD  088 66 0F EF ED                                         pxor    xmm5, xmm5
KiSystemCall64+701  088 48 8B 8D E8 00 00 00                                mov     rcx, [rbp+0E8h]
KiSystemCall64+708  088 4C 8B 9D F8 00 00 00                                mov     r11, [rbp+0F8h]
KiSystemCall64+70F  088 F6 05 6A 96 3B 00 01                                test    cs:KiKvaShadow, 1 ; 判断是否开启KVAS，1为开启
KiSystemCall64+716  088 0F 85 A4 0B 18 00                                   jnz     KiKernelSysretExit ; 切换cr3和栈
KiSystemCall64+71C  088 49 8B E9                                            mov     rbp, r9
KiSystemCall64+71F  088 49 8B E0                                            mov     rsp, r8
KiSystemCall64+722  088 0F 01 F8                                            swapgs
KiSystemCall64+725  088 48 0F 07                                            sysret
KiSystemCall64+728                                          ; ---------------------------------------------------------------------------
KiSystemCall64+728
KiSystemCall64+728                                          loc_FFFFF8034C87C1E8:                   ; CODE XREF: KiSystemCall64+505↑j
KiSystemCall64+728  190 48 8B 95 B8 00 00 00                                mov     rdx, [rbp+0B8h]
KiSystemCall64+72F  190 49 89 93 90 00 00 00                                mov     [r11+90h], rdx
KiSystemCall64+736  190 8A 55 A8                                            mov     dl, [rbp-58h]
KiSystemCall64+739  190 41 88 93 32 02 00 00                                mov     [r11+232h], dl
KiSystemCall64+740  190 FA                                                  cli
KiSystemCall64+741  190 48 8B E5                                            mov     rsp, rbp
KiSystemCall64+744  190 48 8B AD D8 00 00 00                                mov     rbp, [rbp+0D8h]
KiSystemCall64+74B  190 48 8B A4 24 00 01 00 00                             mov     rsp, [rsp+190h+var_90]
KiSystemCall64+753  190 FB                                                  sti
KiSystemCall64+754  190 C3                                                  retn
KiSystemCall64+755                                          ; ---------------------------------------------------------------------------
KiSystemCall64+755
KiSystemCall64+755                                          KiSystemServiceExitPico:                ; CODE XREF: KiSystemCall64+2B8↑j
KiSystemCall64+755  190 65 4C 8B 1C 25 88 01 00 00                          mov     r11, gs:188h
KiSystemCall64+75E  190 44 0F 20 C1                                         mov     rcx, cr8
KiSystemCall64+762  190 41 0A 8B 4A 02 00 00                                or      cl, [r11+24Ah]
KiSystemCall64+769  190 41 0B 8B E4 01 00 00                                or      ecx, [r11+1E4h]
KiSystemCall64+770  190 0F 85 A9 01 00 00                                   jnz     loc_FFFFF8034C87C3DF
KiSystemCall64+776  190 FA                                                  cli
KiSystemCall64+777  190 48 89 45 B0                                         mov     [rbp-50h], rax
KiSystemCall64+77B
KiSystemCall64+77B                                          loc_FFFFF8034C87C23B:                   ; CODE XREF: KiSystemCall64+7A6↓j
KiSystemCall64+77B  190 65 48 8B 0C 25 88 01 00 00                          mov     rcx, gs:188h
KiSystemCall64+784  190 F6 81 C2 00 00 00 03                                test    byte ptr [rcx+0C2h], 3
KiSystemCall64+78B  190 74 1B                                               jz      short loc_FFFFF8034C87C268
KiSystemCall64+78D  190 B9 01 00 00 00                                      mov     ecx, 1
KiSystemCall64+792  190 44 0F 22 C1                                         mov     cr8, rcx
KiSystemCall64+796  190 FB                                                  sti
KiSystemCall64+797  190 E8 C4 2A FF FF                                      call    KiInitiateUserApc
KiSystemCall64+79C  190 B9 00 00 00 00                                      mov     ecx, 0
KiSystemCall64+7A1  190 44 0F 22 C1                                         mov     cr8, rcx
KiSystemCall64+7A5  190 FA                                                  cli
KiSystemCall64+7A6  190 EB D3                                               jmp     short loc_FFFFF8034C87C23B
KiSystemCall64+7A8                                          ; ---------------------------------------------------------------------------
KiSystemCall64+7A8
KiSystemCall64+7A8                                          loc_FFFFF8034C87C268:                   ; CODE XREF: KiSystemCall64+78B↑j
KiSystemCall64+7A8  190 65 F6 04 25 7E 02 00 00 02                          test    byte ptr gs:27Eh, 2
KiSystemCall64+7B1  190 74 07                                               jz      short loc_FFFFF8034C87C27A
KiSystemCall64+7B3  190 33 C9                                               xor     ecx, ecx
KiSystemCall64+7B5  190 E8 06 7A F2 FF                                      call    KiUpdateStibpPairing
KiSystemCall64+7BA
KiSystemCall64+7BA                                          loc_FFFFF8034C87C27A:                   ; CODE XREF: KiSystemCall64+7B1↑j
KiSystemCall64+7BA  190 65 48 8B 0C 25 88 01 00 00                          mov     rcx, gs:188h
KiSystemCall64+7C3  190 F7 01 00 00 00 08                                   test    dword ptr [rcx], 8000000h
KiSystemCall64+7C9  190 74 05                                               jz      short loc_FFFFF8034C87C290
KiSystemCall64+7CB  190 E8 50 F5 FE FF                                      call    KiRestoreSetContextState
KiSystemCall64+7D0
KiSystemCall64+7D0                                          loc_FFFFF8034C87C290:                   ; CODE XREF: KiSystemCall64+7C9↑j
KiSystemCall64+7D0  190 65 48 8B 0C 25 88 01 00 00                          mov     rcx, gs:188h
KiSystemCall64+7D9  190 F6 41 02 01                                         test    byte ptr [rcx+2], 1
KiSystemCall64+7DD  190 74 0E                                               jz      short loc_FFFFF8034C87C2AD
KiSystemCall64+7DF  190 E8 0C BB 0D 00                                      call    KiCopyCounters
KiSystemCall64+7E4  190 65 48 8B 0C 25 88 01 00 00                          mov     rcx, gs:188h
KiSystemCall64+7ED
KiSystemCall64+7ED                                          loc_FFFFF8034C87C2AD:                   ; CODE XREF: KiSystemCall64+7DD↑j
KiSystemCall64+7ED  190 66 83 BD 80 00 00 00 00                             cmp     word ptr [rbp+80h], 0
KiSystemCall64+7F5  190 74 05                                               jz      short loc_FFFFF8034C87C2BC
KiSystemCall64+7F7  190 E8 B4 EA FE FF                                      call    KiRestoreDebugRegisterState
KiSystemCall64+7FC
KiSystemCall64+7FC                                          loc_FFFFF8034C87C2BC:                   ; CODE XREF: KiSystemCall64+7F5↑j
KiSystemCall64+7FC  190 65 C6 04 25 53 08 00 00 00                          mov     byte ptr gs:853h, 0
KiSystemCall64+805  190 65 0F B6 04 25 7D 02 00 00                          movzx   eax, byte ptr gs:27Dh
KiSystemCall64+80E  190 65 38 04 25 7A 02 00 00                             cmp     gs:27Ah, al
KiSystemCall64+816  190 74 11                                               jz      short loc_FFFFF8034C87C2E9
KiSystemCall64+818  190 65 88 04 25 7A 02 00 00                             mov     gs:27Ah, al
KiSystemCall64+820  190 B9 48 00 00 00                                      mov     ecx, 48h ; 'H'
KiSystemCall64+825  190 33 D2                                               xor     edx, edx
KiSystemCall64+827  190 0F 30                                               wrmsr
KiSystemCall64+829
KiSystemCall64+829                                          loc_FFFFF8034C87C2E9:                   ; CODE XREF: KiSystemCall64+816↑j
KiSystemCall64+829  190 66 65 0F BA 34 25 78 02 00 00 02                    btr     word ptr gs:278h, 2
KiSystemCall64+834  190 73 0E                                               jnb     short loc_FFFFF8034C87C304
KiSystemCall64+836  190 B8 01 00 00 00                                      mov     eax, 1
KiSystemCall64+83B  190 33 D2                                               xor     edx, edx
KiSystemCall64+83D  190 B9 49 00 00 00                                      mov     ecx, 49h ; 'I'
KiSystemCall64+842  190 0F 30                                               wrmsr
KiSystemCall64+844
KiSystemCall64+844                                          loc_FFFFF8034C87C304:                   ; CODE XREF: KiSystemCall64+834↑j
KiSystemCall64+844  190 0F AE 55 AC                                         ldmxcsr dword ptr [rbp-54h]
KiSystemCall64+848  190 0F 28 45 F0                                         movaps  xmm0, xmmword ptr [rbp-10h]
KiSystemCall64+84C  190 0F 28 4D 00                                         movaps  xmm1, xmmword ptr [rbp+0]
KiSystemCall64+850  190 0F 28 55 10                                         movaps  xmm2, xmmword ptr [rbp+10h]
KiSystemCall64+854  190 0F 28 5D 20                                         movaps  xmm3, xmmword ptr [rbp+20h]
KiSystemCall64+858  190 0F 28 65 30                                         movaps  xmm4, xmmword ptr [rbp+30h]
KiSystemCall64+85C  190 0F 28 6D 40                                         movaps  xmm5, xmmword ptr [rbp+40h]
KiSystemCall64+860  190 4C 8B 5D E0                                         mov     r11, [rbp-20h]
KiSystemCall64+864  190 4C 8B 55 D8                                         mov     r10, [rbp-28h]
KiSystemCall64+868  190 4C 8B 4D D0                                         mov     r9, [rbp-30h]
KiSystemCall64+86C  190 4C 8B 45 C8                                         mov     r8, [rbp-38h]
KiSystemCall64+870  190 48 8B 55 C0                                         mov     rdx, [rbp-40h]
KiSystemCall64+874  190 48 8B 4D B8                                         mov     rcx, [rbp-48h]
KiSystemCall64+878  190 48 8B 45 B0                                         mov     rax, [rbp-50h]
KiSystemCall64+87C  190 48 8B B5 D0 00 00 00                                mov     rsi, [rbp+0D0h]
KiSystemCall64+883  190 48 8B BD C8 00 00 00                                mov     rdi, [rbp+0C8h]
KiSystemCall64+88A  190 48 8B 9D C0 00 00 00                                mov     rbx, [rbp+0C0h]
KiSystemCall64+891  190 48 8B E5                                            mov     rsp, rbp
KiSystemCall64+894  190 48 8B AD D8 00 00 00                                mov     rbp, [rbp+0D8h]
KiSystemCall64+89B  190 48 81 C4 E8 00 00 00                                add     rsp, 0E8h
KiSystemCall64+8A2  0A8 F6 05 D7 94 3B 00 01                                test    cs:KiKvaShadow, 1
KiSystemCall64+8A9  0A8 74 05                                               jz      short loc_FFFFF8034C87C370
KiSystemCall64+8AB  0A8 E9 D0 07 18 00                                      jmp     KiKernelExit
KiSystemCall64+8B0                                          ; ---------------------------------------------------------------------------
KiSystemCall64+8B0
KiSystemCall64+8B0                                          loc_FFFFF8034C87C370:                   ; CODE XREF: KiSystemCall64+8A9↑j
KiSystemCall64+8B0  0A8 0F 01 F8                                            swapgs
KiSystemCall64+8B3  0A8 48 CF                                               iretq
KiSystemCall64+8B5                                          ; ---------------------------------------------------------------------------
KiSystemCall64+8B5
KiSystemCall64+8B5                                          loc_FFFFF8034C87C375:                   ; CODE XREF: KiSystemCall64+383↑j
KiSystemCall64+8B5  190 83 FF 20                                            cmp     edi, 20h ; ' '
KiSystemCall64+8B8  190 75 5B                                               jnz     short loc_FFFFF8034C87C3D5
KiSystemCall64+8BA  190 89 45 80                                            mov     [rbp-80h], eax
KiSystemCall64+8BD  190 48 89 4D 88                                         mov     [rbp-78h], rcx
KiSystemCall64+8C1  190 48 89 55 90                                         mov     [rbp-70h], rdx
KiSystemCall64+8C5  190 4C 89 45 98                                         mov     [rbp-68h], r8
KiSystemCall64+8C9  190 4C 89 4D A0                                         mov     [rbp-60h], r9
KiSystemCall64+8CD  190 E8 0E 21 FF FF                                      call    KiConvertToGuiThread
KiSystemCall64+8D2  190 0B C0                                               or      eax, eax
KiSystemCall64+8D4  190 8B 45 80                                            mov     eax, [rbp-80h]
KiSystemCall64+8D7  190 48 8B 4D 88                                         mov     rcx, [rbp-78h]
KiSystemCall64+8DB  190 48 8B 55 90                                         mov     rdx, [rbp-70h]
KiSystemCall64+8DF  190 4C 8B 45 98                                         mov     r8, [rbp-68h]
KiSystemCall64+8E3  190 4C 8B 4D A0                                         mov     r9, [rbp-60h]
KiSystemCall64+8E7  190 48 89 A3 90 00 00 00                                mov     [rbx+90h], rsp
KiSystemCall64+8EE  190 0F 84 60 FA FF FF                                   jz      KiSystemServiceRepeat ;
KiSystemCall64+8EE                                                                                  ; #pragma pack(1)
KiSystemCall64+8EE                                                                                  ; typedef struct _SERVICE_DESCIPTOR_TABLE
KiSystemCall64+8EE                                                                                  ; {
KiSystemCall64+8EE                                                                                  ;    PULONG ServiceTableBase;          // SSDT基址
KiSystemCall64+8EE                                                                                  ;    PVOID ServiceCounterTableBase; // SSDT中服务被调用次数计数器
KiSystemCall64+8EE                                                                                  ;    ULONGLONG NumberOfService;     // SSDT服务个数
KiSystemCall64+8EE                                                                                  ;    PVOID ParamTableBase;          // 系统服务参数表基址
KiSystemCall64+8EE                                                                                  ; }SSDTEntry, *PSSDTEntry;
KiSystemCall64+8EE                                                                                  ; #pragma pack()
KiSystemCall64+8F4  190 48 8D 3D E5 16 3A 00                                lea     rdi, xmmword_FFFFF8034CC1DAA0
KiSystemCall64+8FB  190 8B 77 10                                            mov     esi, [rdi+10h]
KiSystemCall64+8FE  190 48 8B 3F                                            mov     rdi, [rdi]
KiSystemCall64+901  190 3B C6                                               cmp     eax, esi
KiSystemCall64+903  190 73 10                                               jnb     short loc_FFFFF8034C87C3D5
KiSystemCall64+905  190 48 8D 3C B7                                         lea     rdi, [rdi+rsi*4]
KiSystemCall64+909  190 0F BE 04 07                                         movsx   eax, byte ptr [rdi+rax]
KiSystemCall64+90D  190 0B C0                                               or      eax, eax
KiSystemCall64+90F  190 0F 8E CB FB FF FF                                   jle     KiSystemServiceExit ; _KTRAP_FRAME.Rbx 恢复寄存器 rbx,rdi,rsi
KiSystemCall64+915
KiSystemCall64+915                                          loc_FFFFF8034C87C3D5:                   ; CODE XREF: KiSystemCall64+8B8↑j
KiSystemCall64+915                                                                                  ; KiSystemCall64+903↑j
KiSystemCall64+915  190 B8 1C 00 00 C0                                      mov     eax, 0C000001Ch
KiSystemCall64+91A  190 E9 C1 FB FF FF                                      jmp     KiSystemServiceExit ; _KTRAP_FRAME.Rbx 恢复寄存器 rbx,rdi,rsi
KiSystemCall64+91F                                          ; ---------------------------------------------------------------------------
KiSystemCall64+91F
KiSystemCall64+91F                                          loc_FFFFF8034C87C3DF:                   ; CODE XREF: KiSystemCall64+51D↑j
KiSystemCall64+91F                                                                                  ; KiSystemCall64+770↑j
KiSystemCall64+91F  190 B9 4A 00 00 00                                      mov     ecx, 4Ah ; 'J'
KiSystemCall64+924  190 45 33 C9                                            xor     r9d, r9d
KiSystemCall64+927  190 45 0F 20 C0                                         mov     r8, cr8
KiSystemCall64+92B  190 45 0B C0                                            or      r8d, r8d
KiSystemCall64+92E  190 75 14                                               jnz     short loc_FFFFF8034C87C404
KiSystemCall64+930  190 B9 01 00 00 00                                      mov     ecx, 1
KiSystemCall64+935  190 45 0F B6 83 4A 02 00 00                             movzx   r8d, byte ptr [r11+24Ah]
KiSystemCall64+93D  190 45 8B 8B E4 01 00 00                                mov     r9d, [r11+1E4h]
KiSystemCall64+944
KiSystemCall64+944                                          loc_FFFFF8034C87C404:                   ; CODE XREF: KiSystemCall64+92E↑j
KiSystemCall64+944  190 48 8B 95 E8 00 00 00                                mov     rdx, [rbp+0E8h]
KiSystemCall64+94B  190 4C 8B D5                                            mov     r10, rbp
KiSystemCall64+94E  190 E8 ED 00 00 00                                      call    KiBugCheckDispatch
KiSystemCall64+953                                          ; ---------------------------------------------------------------------------
KiSystemCall64+953
KiSystemCall64+953                                          loc_FFFFF8034C87C413:                   ; CODE XREF: KiSystemCall64+4BA↑j
KiSystemCall64+953  190 48 83 EC 50                                         sub     rsp, 50h
KiSystemCall64+957  1E0 48 89 4C 24 20                                      mov     [rsp+1E0h+var_1C0], rcx
KiSystemCall64+95C  1E0 48 89 54 24 28                                      mov     [rsp+1E0h+var_1B8], rdx
KiSystemCall64+961  1E0 4C 89 44 24 30                                      mov     [rsp+1E0h+var_1B0], r8
KiSystemCall64+966  1E0 4C 89 4C 24 38                                      mov     [rsp+1E0h+var_1A8], r9
KiSystemCall64+96B  1E0 4C 89 54 24 40                                      mov     [rsp+1E0h+var_1A0], r10
KiSystemCall64+970  1E0 49 8B CA                                            mov     rcx, r10
KiSystemCall64+973  1E0 48 8B D4                                            mov     rdx, rsp
KiSystemCall64+976  1E0 48 83 C2 20                                         add     rdx, 20h ; ' '
KiSystemCall64+97A  1E0 49 C7 C0 04 00 00 00                                mov     r8, 4
KiSystemCall64+981  1E0 4C 8B CC                                            mov     r9, rsp
KiSystemCall64+984  1E0 49 83 C1 70                                         add     r9, 70h ; 'p'
KiSystemCall64+988  1E0 E8 B3 F4 6A 00                                      call    KiTrackSystemCallEntry
KiSystemCall64+98D  1E0 48 89 45 B0                                         mov     [rbp-50h], rax
KiSystemCall64+991  1E0 48 8B 4C 24 20                                      mov     rcx, [rsp+1E0h+var_1C0]
KiSystemCall64+996  1E0 48 8B 54 24 28                                      mov     rdx, [rsp+1E0h+var_1B8]
KiSystemCall64+99B  1E0 4C 8B 44 24 30                                      mov     r8, [rsp+1E0h+var_1B0]
KiSystemCall64+9A0  1E0 4C 8B 4C 24 38                                      mov     r9, [rsp+1E0h+var_1A8]
KiSystemCall64+9A5  1E0 4C 8B 54 24 40                                      mov     r10, [rsp+1E0h+var_1A0]
KiSystemCall64+9AA  1E0 48 83 C4 50                                         add     rsp, 50h
KiSystemCall64+9AE  190 49 8B C2                                            mov     rax, r10
KiSystemCall64+9B1  190 FF D0                                               call    rax
KiSystemCall64+9B3  190 0F 1F 00                                            nop     dword ptr [rax]
KiSystemCall64+9B6  190 48 8B 4D B0                                         mov     rcx, [rbp-50h]
KiSystemCall64+9BA  190 48 8B D0                                            mov     rdx, rax
KiSystemCall64+9BD  190 E8 9E F5 6A 00                                      call    KiTrackSystemCallExit
KiSystemCall64+9C2  190 E9 11 FB FF FF                                      jmp     loc_FFFFF8034C87BF98 ; kpcr._KPRCB.KeSystemCalls + 1
KiSystemCall64+9C2                                                                                  ; 自系统启动以来发生的系统调用数量的单调计数器。
KiSystemCall64+9C7                                          ; ---------------------------------------------------------------------------
KiSystemCall64+9C7
KiSystemCall64+9C7                                          loc_FFFFF8034C87C487:                   ; CODE XREF: KiSystemCall64+4CA↑j
KiSystemCall64+9C7  190 48 83 EC 50                                         sub     rsp, 50h
KiSystemCall64+9CB  1E0 48 89 4C 24 20                                      mov     [rsp+1E0h+var_1C0], rcx
KiSystemCall64+9D0  1E0 48 89 54 24 28                                      mov     [rsp+1E0h+var_1B8], rdx
KiSystemCall64+9D5  1E0 4C 89 44 24 30                                      mov     [rsp+1E0h+var_1B0], r8
KiSystemCall64+9DA  1E0 4C 89 4C 24 38                                      mov     [rsp+1E0h+var_1A8], r9
KiSystemCall64+9DF  1E0 4C 89 54 24 40                                      mov     [rsp+1E0h+var_1A0], r10
KiSystemCall64+9E4  1E0 49 8B CA                                            mov     rcx, r10
KiSystemCall64+9E7  1E0 E8 54 F7 15 00                                      call    PerfInfoLogSysCallEntry
KiSystemCall64+9EC  1E0 48 8B 4C 24 20                                      mov     rcx, [rsp+1E0h+var_1C0]
KiSystemCall64+9F1  1E0 48 8B 54 24 28                                      mov     rdx, [rsp+1E0h+var_1B8]
KiSystemCall64+9F6  1E0 4C 8B 44 24 30                                      mov     r8, [rsp+1E0h+var_1B0]
KiSystemCall64+9FB  1E0 4C 8B 4C 24 38                                      mov     r9, [rsp+1E0h+var_1A8]
KiSystemCall64+A00  1E0 4C 8B 54 24 40                                      mov     r10, [rsp+1E0h+var_1A0]
KiSystemCall64+A05  1E0 48 83 C4 50                                         add     rsp, 50h
KiSystemCall64+A09  190 49 8B C2                                            mov     rax, r10
KiSystemCall64+A0C  190 FF D0                                               call    rax
KiSystemCall64+A0E  190 0F 1F 00                                            nop     dword ptr [rax]
KiSystemCall64+A11  190 48 8B C8                                            mov     rcx, rax
KiSystemCall64+A14  190 E8 C7 F7 15 00                                      call    PerfInfoLogSysCallExit
KiSystemCall64+A19  190 E9 BA FA FF FF                                      jmp     loc_FFFFF8034C87BF98 ; kpcr._KPRCB.KeSystemCalls + 1
KiSystemCall64+A19                                                                                  ; 自系统启动以来发生的系统调用数量的单调计数器。
KiSystemCall64+A1E                                          ; ---------------------------------------------------------------------------
KiSystemCall64+A1E  000 C3                                                  retn
KiSystemCall64+A1E                                          ; } // starts at FFFFF8034C87BAC0
KiSystemCall64+A1E                                          KiSystemCall64  endp ; sp-analysis failed
KiSystemCall64Shadow
和KisystemCall64区别不大，多了一个上文RPL校验，进行cr3的切换，最终都去调用 KiSystemServiceUser,通过访问SSDT表，获取函数地址。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
KiSystemCall64Shadow                                              KiSystemCall64Shadow proc near          ; DATA XREF: sub_FFFFF8034C8622F4+34↑o
KiSystemCall64Shadow                                                                                      ; .pdata:FFFFF8034CBE5BCC↓o
KiSystemCall64Shadow                                                                                      ; KiInitializeBootStructures+1B7↓o
KiSystemCall64Shadow
KiSystemCall64Shadow                                              var_110         = byte ptr -110h
KiSystemCall64Shadow
KiSystemCall64Shadow      000 0F 01 F8                                            swapgs
KiSystemCall64Shadow+3    000 65 48 89 24 25 10 70 00 00                          mov     gs:_KPCR.Prcb.UserRspShadow, rsp ; 保存r3的rsp
KiSystemCall64Shadow+C    000 65 48 8B 24 25 00 70 00 00                          mov     rsp, gs:_KPCR.Prcb.KernelDirectoryTableBase
KiSystemCall64Shadow+15   000 65 0F BA 24 25 18 70 00 00 01                       bt      gs:_KPCR.Prcb.ShadowFlags, 1
KiSystemCall64Shadow+1F   000 72 03                                               jb      short loc_FFFFF8034C9FD164 ; 切换内核栈
KiSystemCall64Shadow+21   000 0F 22 DC                                            mov     cr3, rsp        ; 切换cr3
KiSystemCall64Shadow+24
KiSystemCall64Shadow+24                                           loc_FFFFF8034C9FD164:                   ; CODE XREF: KiSystemCall64Shadow+1F↑j
KiSystemCall64Shadow+24   000 65 48 8B 24 25 08 70 00 00                          mov     rsp, gs:_KPCR.Prcb.RspBaseShadow ; 切换内核栈
KiSystemCall64Shadow+2D   000 6A 2B                                               push    2Bh ; '+'       ; SegSs 构造kTRAP_FRAME
KiSystemCall64Shadow+2F   008 65 FF 34 25 10 70 00 00                             push    gs:_KPCR.Prcb.UserRspShadow ; Rsp
KiSystemCall64Shadow+37   010 41 53                                               push    r11             ; EFLAGS
KiSystemCall64Shadow+39   018 6A 33                                               push    33h ; '3'       ; SegCs
KiSystemCall64Shadow+3B   020 51                                                  push    rcx             ; Rip
KiSystemCall64Shadow+3C   028 49 8B CA                                            mov     rcx, r10
KiSystemCall64Shadow+3F   028 48 83 EC 08                                         sub     rsp, 8          ; 填充ExceptionFrame
KiSystemCall64Shadow+43   030 55                                                  push    rbp             ; Rbp
KiSystemCall64Shadow+44   038 48 81 EC 58 01 00 00                                sub     rsp, 158h       ; 申请剩余栈空间
KiSystemCall64Shadow+4B   190 48 8D AC 24 80 00 00 00                             lea     rbp, [rsp+80h]  ; 指向xmm1
KiSystemCall64Shadow+53   190 48 89 9D C0 00 00 00                                mov     [rbp+0C0h], rbx ; Rbx
KiSystemCall64Shadow+5A   190 48 89 BD C8 00 00 00                                mov     [rbp+0C8h], rdi ; Rdi
KiSystemCall64Shadow+61   190 48 89 B5 D0 00 00 00                                mov     [rbp+0D0h], rsi ; Rsi
KiSystemCall64Shadow+68   190 65 F6 04 25 24 64 00 00 02                          test    byte ptr gs:_KPCR.Prcb.FeatureBits+4, 2
KiSystemCall64Shadow+71   190 74 0C                                               jz      short loc_FFFFF8034C9FD1BF ; 保存寄存器
KiSystemCall64Shadow+73   190 F6 85 F0 00 00 00 01                                test    byte ptr [rbp+0F0h], 1 ; RegCs 校验是否由r3调用 ，3环则关闭SMAP
KiSystemCall64Shadow+7A   190 74 03                                               jz      short loc_FFFFF8034C9FD1BF ; 保存寄存器
KiSystemCall64Shadow+7C   190 0F 01 CB                                            stac                    ; 关闭smap
KiSystemCall64Shadow+7F
KiSystemCall64Shadow+7F                                           loc_FFFFF8034C9FD1BF:                   ; CODE XREF: KiSystemCall64Shadow+71↑j
KiSystemCall64Shadow+7F                                                                                   ; KiSystemCall64Shadow+7A↑j
KiSystemCall64Shadow+7F   190 48 89 45 B0                                         mov     [rbp-50h], rax  ; 保存寄存器
KiSystemCall64Shadow+83   190 48 89 4D B8                                         mov     [rbp-48h], rcx
KiSystemCall64Shadow+87   190 48 89 55 C0                                         mov     [rbp-40h], rdx
KiSystemCall64Shadow+8B   190 65 48 8B 0C 25 88 01 00 00                          mov     rcx, gs:_KPCR.Prcb.CurrentThread
KiSystemCall64Shadow+94   190 48 8B 89 20 02 00 00                                mov     rcx, [rcx+_KTHREAD.Process]
KiSystemCall64Shadow+9B   190 48 8B 89 60 08 00 00                                mov     rcx, qword ptr [rcx+(_KPROCESS.Spare2+5D7h)]
KiSystemCall64Shadow+A2   190 65 48 89 0C 25 70 02 00 00                          mov     gs:_KPCR.Prcb.___u40.__s0.TrappedSecurityDomain, rcx
KiSystemCall64Shadow+AB   190 65 8A 0C 25 50 08 00 00                             mov     cl, gs:_KPCR.Prcb.___u45.__s0.BpbRetpolineExitSpecCtrl
KiSystemCall64Shadow+B3   190 65 88 0C 25 51 08 00 00                             mov     gs:_KPCR.Prcb.___u45.__s0.BpbTrappedRetpolineExitSpecCtrl, cl
KiSystemCall64Shadow+BB   190 65 8A 0C 25 78 02 00 00                             mov     cl, gs:_KPCR.Prcb.___u40.__s0.BpbState
KiSystemCall64Shadow+C3   190 65 88 0C 25 52 08 00 00                             mov     gs:_KPCR.Prcb.___u45.__s0.BpbTrappedBpbState, cl
KiSystemCall64Shadow+CB   190 65 0F B6 04 25 7B 02 00 00                          movzx   eax, gs:_KPCR.Prcb.___u40.__s0.BpbKernelSpecCtrl
KiSystemCall64Shadow+D4   190 65 38 04 25 7A 02 00 00                             cmp     gs:_KPCR.Prcb.___u40.__s0.BpbCurrentSpecCtrl, al
KiSystemCall64Shadow+DC   190 74 11                                               jz      short loc_FFFFF8034C9FD22F
KiSystemCall64Shadow+DE   190 65 88 04 25 7A 02 00 00                             mov     gs:_KPCR.Prcb.___u40.__s0.BpbCurrentSpecCtrl, al
KiSystemCall64Shadow+E6   190 B9 48 00 00 00                                      mov     ecx, 48h ; 'H'
KiSystemCall64Shadow+EB   190 33 D2                                               xor     edx, edx        ;  IA32_SPEC_CTRL
KiSystemCall64Shadow+ED   190 0F 30                                               wrmsr
KiSystemCall64Shadow+EF
KiSystemCall64Shadow+EF                                           loc_FFFFF8034C9FD22F:                   ; CODE XREF: KiSystemCall64Shadow+DC↑j
KiSystemCall64Shadow+EF   190 65 0F B6 14 25 78 02 00 00                          movzx   edx, gs:_KPCR.Prcb.___u40.__s0.BpbState
KiSystemCall64Shadow+F8   190 F7 C2 08 00 00 00                                   test    edx, 8
KiSystemCall64Shadow+FE   190 74 13                                               jz      short loc_FFFFF8034C9FD253
KiSystemCall64Shadow+100  190 B8 01 00 00 00                                      mov     eax, 1
KiSystemCall64Shadow+105  190 33 D2                                               xor     edx, edx
KiSystemCall64Shadow+107  190 B9 49 00 00 00                                      mov     ecx, 49h ; 'I'
KiSystemCall64Shadow+10C  190 0F 30                                               wrmsr                   ;  IA32_PRED_CMD
KiSystemCall64Shadow+10E  190 E9 3E 01 00 00                                      jmp     loc_FFFFF8034C9FD391 ; 分支预测补丁
KiSystemCall64Shadow+113                                          ; ---------------------------------------------------------------------------
KiSystemCall64Shadow+113
KiSystemCall64Shadow+113                                          loc_FFFFF8034C9FD253:                   ; CODE XREF: KiSystemCall64Shadow+FE↑j
KiSystemCall64Shadow+113  190 F7 C2 02 00 00 00                                   test    edx, 2
KiSystemCall64Shadow+119  190 0F 84 2F 01 00 00                                   jz      loc_FFFFF8034C9FD38E
KiSystemCall64Shadow+11F  190 65 F6 04 25 79 02 00 00 04                          test    gs:_KPCR.Prcb.___u40.__s0.BpbFeatures, 4
KiSystemCall64Shadow+128  190 0F 85 20 01 00 00                                   jnz     loc_FFFFF8034C9FD38E
KiSystemCall64Shadow+12E  190 E8 0E 01 00 00                                      call    loc_FFFFF8034C9FD381
KiSystemCall64Shadow+133
KiSystemCall64Shadow+133                                          loc_FFFFF8034C9FD273:                   ; CODE XREF: KiSystemCall64Shadow+140↓p
KiSystemCall64Shadow+133  190 48 83 C4 08                                         add     rsp, 8
KiSystemCall64Shadow+137  188 E8 0E 01 00 00                                      call    loc_FFFFF8034C9FD38A
KiSystemCall64Shadow+13C
KiSystemCall64Shadow+13C                                          loc_FFFFF8034C9FD27C:                   ; CODE XREF: KiSystemCall64Shadow+149↓p
KiSystemCall64Shadow+13C  188 48 83 C4 08                                         add     rsp, 8
KiSystemCall64Shadow+140  180 E8 EE FF FF FF                                      call    loc_FFFFF8034C9FD273
KiSystemCall64Shadow+145
KiSystemCall64Shadow+145                                          loc_FFFFF8034C9FD285:                   ; CODE XREF: KiSystemCall64Shadow+152↓p
KiSystemCall64Shadow+145  180 48 83 C4 08                                         add     rsp, 8
KiSystemCall64Shadow+149  178 E8 EE FF FF FF                                      call    loc_FFFFF8034C9FD27C
KiSystemCall64Shadow+14E
KiSystemCall64Shadow+14E                                          loc_FFFFF8034C9FD28E:                   ; CODE XREF: KiSystemCall64Shadow+15B↓p
KiSystemCall64Shadow+14E  178 48 83 C4 08                                         add     rsp, 8
KiSystemCall64Shadow+152  170 E8 EE FF FF FF                                      call    loc_FFFFF8034C9FD285
KiSystemCall64Shadow+157
KiSystemCall64Shadow+157                                          loc_FFFFF8034C9FD297:                   ; CODE XREF: KiSystemCall64Shadow+164↓p
KiSystemCall64Shadow+157  170 48 83 C4 08                                         add     rsp, 8
KiSystemCall64Shadow+15B  168 E8 EE FF FF FF                                      call    loc_FFFFF8034C9FD28E
KiSystemCall64Shadow+160
KiSystemCall64Shadow+160                                          loc_FFFFF8034C9FD2A0:                   ; CODE XREF: KiSystemCall64Shadow+16D↓p
KiSystemCall64Shadow+160  168 48 83 C4 08                                         add     rsp, 8
KiSystemCall64Shadow+164  160 E8 EE FF FF FF                                      call    loc_FFFFF8034C9FD297
KiSystemCall64Shadow+169
KiSystemCall64Shadow+169                                          loc_FFFFF8034C9FD2A9:                   ; CODE XREF: KiSystemCall64Shadow+176↓p
KiSystemCall64Shadow+169  160 48 83 C4 08                                         add     rsp, 8
KiSystemCall64Shadow+16D  158 E8 EE FF FF FF                                      call    loc_FFFFF8034C9FD2A0
KiSystemCall64Shadow+172
KiSystemCall64Shadow+172                                          loc_FFFFF8034C9FD2B2:                   ; CODE XREF: KiSystemCall64Shadow+17F↓p
KiSystemCall64Shadow+172  158 48 83 C4 08                                         add     rsp, 8
KiSystemCall64Shadow+176  150 E8 EE FF FF FF                                      call    loc_FFFFF8034C9FD2A9
KiSystemCall64Shadow+17B
KiSystemCall64Shadow+17B                                          loc_FFFFF8034C9FD2BB:                   ; CODE XREF: KiSystemCall64Shadow+188↓p
KiSystemCall64Shadow+17B  150 48 83 C4 08                                         add     rsp, 8
KiSystemCall64Shadow+17F  148 E8 EE FF FF FF                                      call    loc_FFFFF8034C9FD2B2
KiSystemCall64Shadow+184
KiSystemCall64Shadow+184                                          loc_FFFFF8034C9FD2C4:                   ; CODE XREF: KiSystemCall64Shadow+191↓p
KiSystemCall64Shadow+184  148 48 83 C4 08                                         add     rsp, 8
KiSystemCall64Shadow+188  140 E8 EE FF FF FF                                      call    loc_FFFFF8034C9FD2BB
KiSystemCall64Shadow+18D
KiSystemCall64Shadow+18D                                          loc_FFFFF8034C9FD2CD:                   ; CODE XREF: KiSystemCall64Shadow+19A↓p
KiSystemCall64Shadow+18D  140 48 83 C4 08                                         add     rsp, 8
KiSystemCall64Shadow+191  138 E8 EE FF FF FF                                      call    loc_FFFFF8034C9FD2C4
KiSystemCall64Shadow+196
KiSystemCall64Shadow+196                                          loc_FFFFF8034C9FD2D6:                   ; CODE XREF: KiSystemCall64Shadow+1A3↓p
KiSystemCall64Shadow+196  138 48 83 C4 08                                         add     rsp, 8
KiSystemCall64Shadow+19A  130 E8 EE FF FF FF                                      call    loc_FFFFF8034C9FD2CD
KiSystemCall64Shadow+19F
KiSystemCall64Shadow+19F                                          loc_FFFFF8034C9FD2DF:                   ; CODE XREF: KiSystemCall64Shadow+1AC↓p
KiSystemCall64Shadow+19F  130 48 83 C4 08                                         add     rsp, 8
KiSystemCall64Shadow+1A3  128 E8 EE FF FF FF                                      call    loc_FFFFF8034C9FD2D6
KiSystemCall64Shadow+1A8
KiSystemCall64Shadow+1A8                                          loc_FFFFF8034C9FD2E8:                   ; CODE XREF: KiSystemCall64Shadow+1B5↓p
KiSystemCall64Shadow+1A8  128 48 83 C4 08                                         add     rsp, 8
KiSystemCall64Shadow+1AC  120 E8 EE FF FF FF                                      call    loc_FFFFF8034C9FD2DF
KiSystemCall64Shadow+1B1
KiSystemCall64Shadow+1B1                                          loc_FFFFF8034C9FD2F1:                   ; CODE XREF: KiSystemCall64Shadow+1BE↓p
KiSystemCall64Shadow+1B1  120 48 83 C4 08                                         add     rsp, 8
KiSystemCall64Shadow+1B5  118 E8 EE FF FF FF                                      call    loc_FFFFF8034C9FD2E8
KiSystemCall64Shadow+1BA
KiSystemCall64Shadow+1BA                                          loc_FFFFF8034C9FD2FA:                   ; CODE XREF: KiSystemCall64Shadow+1C7↓p
KiSystemCall64Shadow+1BA  118 48 83 C4 08                                         add     rsp, 8
KiSystemCall64Shadow+1BE  110 E8 EE FF FF FF                                      call    loc_FFFFF8034C9FD2F1
KiSystemCall64Shadow+1C3
KiSystemCall64Shadow+1C3                                          loc_FFFFF8034C9FD303:                   ; CODE XREF: KiSystemCall64Shadow+1D0↓p
KiSystemCall64Shadow+1C3  110 48 83 C4 08                                         add     rsp, 8
KiSystemCall64Shadow+1C7  108 E8 EE FF FF FF                                      call    loc_FFFFF8034C9FD2FA
KiSystemCall64Shadow+1CC
KiSystemCall64Shadow+1CC                                          loc_FFFFF8034C9FD30C:                   ; CODE XREF: KiSystemCall64Shadow+1D9↓p
KiSystemCall64Shadow+1CC  108 48 83 C4 08                                         add     rsp, 8
KiSystemCall64Shadow+1D0  100 E8 EE FF FF FF                                      call    loc_FFFFF8034C9FD303
KiSystemCall64Shadow+1D5
KiSystemCall64Shadow+1D5                                          loc_FFFFF8034C9FD315:                   ; CODE XREF: KiSystemCall64Shadow+1E2↓p
KiSystemCall64Shadow+1D5  100 48 83 C4 08                                         add     rsp, 8
KiSystemCall64Shadow+1D9  0F8 E8 EE FF FF FF                                      call    loc_FFFFF8034C9FD30C
KiSystemCall64Shadow+1DE
KiSystemCall64Shadow+1DE                                          loc_FFFFF8034C9FD31E:                   ; CODE XREF: KiSystemCall64Shadow+1EB↓p
KiSystemCall64Shadow+1DE  0F8 48 83 C4 08                                         add     rsp, 8
KiSystemCall64Shadow+1E2  0F0 E8 EE FF FF FF                                      call    loc_FFFFF8034C9FD315
KiSystemCall64Shadow+1E7
KiSystemCall64Shadow+1E7                                          loc_FFFFF8034C9FD327:                   ; CODE XREF: KiSystemCall64Shadow+1F4↓p
KiSystemCall64Shadow+1E7  0F0 48 83 C4 08                                         add     rsp, 8
KiSystemCall64Shadow+1EB  0E8 E8 EE FF FF FF                                      call    loc_FFFFF8034C9FD31E
KiSystemCall64Shadow+1F0
KiSystemCall64Shadow+1F0                                          loc_FFFFF8034C9FD330:                   ; CODE XREF: KiSystemCall64Shadow+1FD↓p
KiSystemCall64Shadow+1F0  0E8 48 83 C4 08                                         add     rsp, 8
KiSystemCall64Shadow+1F4  0E0 E8 EE FF FF FF                                      call    loc_FFFFF8034C9FD327
KiSystemCall64Shadow+1F9
KiSystemCall64Shadow+1F9                                          loc_FFFFF8034C9FD339:                   ; CODE XREF: KiSystemCall64Shadow+206↓p
KiSystemCall64Shadow+1F9  0E0 48 83 C4 08                                         add     rsp, 8
KiSystemCall64Shadow+1FD  0D8 E8 EE FF FF FF                                      call    loc_FFFFF8034C9FD330
KiSystemCall64Shadow+202
KiSystemCall64Shadow+202                                          loc_FFFFF8034C9FD342:                   ; CODE XREF: KiSystemCall64Shadow+20F↓p
KiSystemCall64Shadow+202  0D8 48 83 C4 08                                         add     rsp, 8
KiSystemCall64Shadow+206  0D0 E8 EE FF FF FF                                      call    loc_FFFFF8034C9FD339
KiSystemCall64Shadow+20B
KiSystemCall64Shadow+20B                                          loc_FFFFF8034C9FD34B:                   ; CODE XREF: KiSystemCall64Shadow+218↓p
KiSystemCall64Shadow+20B  0D0 48 83 C4 08                                         add     rsp, 8
KiSystemCall64Shadow+20F  0C8 E8 EE FF FF FF                                      call    loc_FFFFF8034C9FD342
KiSystemCall64Shadow+214
KiSystemCall64Shadow+214                                          loc_FFFFF8034C9FD354:                   ; CODE XREF: KiSystemCall64Shadow+221↓p
KiSystemCall64Shadow+214  0C8 48 83 C4 08                                         add     rsp, 8
KiSystemCall64Shadow+218  0C0 E8 EE FF FF FF                                      call    loc_FFFFF8034C9FD34B
KiSystemCall64Shadow+21D
KiSystemCall64Shadow+21D                                          loc_FFFFF8034C9FD35D:                   ; CODE XREF: KiSystemCall64Shadow+22A↓p
KiSystemCall64Shadow+21D  0C0 48 83 C4 08                                         add     rsp, 8
KiSystemCall64Shadow+221  0B8 E8 EE FF FF FF                                      call    loc_FFFFF8034C9FD354
KiSystemCall64Shadow+226
KiSystemCall64Shadow+226                                          loc_FFFFF8034C9FD366:                   ; CODE XREF: KiSystemCall64Shadow+233↓p
KiSystemCall64Shadow+226  0B8 48 83 C4 08                                         add     rsp, 8
KiSystemCall64Shadow+22A  0B0 E8 EE FF FF FF                                      call    loc_FFFFF8034C9FD35D
KiSystemCall64Shadow+22F
KiSystemCall64Shadow+22F                                          loc_FFFFF8034C9FD36F:                   ; CODE XREF: KiSystemCall64Shadow+23C↓p
KiSystemCall64Shadow+22F  0B0 48 83 C4 08                                         add     rsp, 8
KiSystemCall64Shadow+233  0A8 E8 EE FF FF FF                                      call    loc_FFFFF8034C9FD366
KiSystemCall64Shadow+238
KiSystemCall64Shadow+238                                          loc_FFFFF8034C9FD378:                   ; CODE XREF: KiSystemCall64Shadow+245↓p
KiSystemCall64Shadow+238  0A8 48 83 C4 08                                         add     rsp, 8
KiSystemCall64Shadow+23C  0A0 E8 EE FF FF FF                                      call    loc_FFFFF8034C9FD36F
KiSystemCall64Shadow+241
KiSystemCall64Shadow+241                                          loc_FFFFF8034C9FD381:                   ; CODE XREF: KiSystemCall64Shadow+12E↑p
KiSystemCall64Shadow+241  0A0 48 83 C4 08                                         add     rsp, 8
KiSystemCall64Shadow+245  098 E8 EE FF FF FF                                      call    loc_FFFFF8034C9FD378
KiSystemCall64Shadow+24A
KiSystemCall64Shadow+24A                                          loc_FFFFF8034C9FD38A:                   ; CODE XREF: KiSystemCall64Shadow+137↑p
KiSystemCall64Shadow+24A  098 48 83 C4 08                                         add     rsp, 8
KiSystemCall64Shadow+24E
KiSystemCall64Shadow+24E                                          loc_FFFFF8034C9FD38E:                   ; CODE XREF: KiSystemCall64Shadow+119↑j
KiSystemCall64Shadow+24E                                                                                  ; KiSystemCall64Shadow+128↑j
KiSystemCall64Shadow+24E  090 0F AE E8                                            lfence
KiSystemCall64Shadow+251
KiSystemCall64Shadow+251                                          loc_FFFFF8034C9FD391:                   ; CODE XREF: KiSystemCall64Shadow+10E↑j
KiSystemCall64Shadow+251  190 65 C6 04 25 53 08 00 00 00                          mov     gs:_KPCR.Prcb.___u45.__s0.BpbRetpolineState, 0
KiSystemCall64Shadow+25A  190 E9 63 E9 E7 FF                                      jmp     KiSystemServiceUser
KiSystemCall64Shadow+25F                                          ; ---------------------------------------------------------------------------
KiSystemCall64Shadow+25F  000 C3                                                  retn
KiSystemCall64Shadow+25F                                          KiSystemCall64Shadow endp ; sp-analysis failed
KiKernelSysretExit
从UserDirectoryTableBase中恢复cr3，恢复栈的rbp和rsp。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
KiKernelSysretExit                                              KiKernelSysretExit proc near            ; CODE XREF: KiCallUserMode+1BD↑j
KiKernelSysretExit                                                                                      ; KiSystemCall64+716↑j
KiKernelSysretExit                                                                                      ; KiUmsFastReturnToUser+254↑j
KiKernelSysretExit                                                                                      ; DATA XREF: .pdata:FFFFF8034CBE5BB4↓o
KiKernelSysretExit      000 65 8B 24 25 18 70 00 00                             mov     esp, gs:_KPCR.Prcb.ShadowFlags
KiKernelSysretExit+8    000 0F BA E4 01                                         bt      esp, 1
KiKernelSysretExit+C    000 72 36                                               jb      short loc_FFFFF8034C9FCDC4 ; 恢复rbp r9 = _KTRAP_FRAME.Rbp
KiKernelSysretExit+E    000 65 48 8B 2C 25 88 01 00 00                          mov     rbp, gs:_KPCR.Prcb.CurrentThread
KiKernelSysretExit+17   000 48 8B AD 20 02 00 00                                mov     rbp, [rbp+_KTHREAD.Process]
KiKernelSysretExit+1E   000 48 8B AD 80 02 00 00                                mov     rbp, [rbp+_KPROCESS.UserDirectoryTableBase]
KiKernelSysretExit+25   000 0F BA E5 00                                         bt      ebp, 0
KiKernelSysretExit+29   000 73 16                                               jnb     short loc_FFFFF8034C9FCDC1 ; 切回cr3
KiKernelSysretExit+2B   000 0F BA E4 00                                         bt      esp, 0
KiKernelSysretExit+2F   000 72 07                                               jb      short loc_FFFFF8034C9FCDB8
KiKernelSysretExit+31   000 48 0F BA ED 3F                                      bts     rbp, 111111b
KiKernelSysretExit+36   000 EB 09                                               jmp     short loc_FFFFF8034C9FCDC1 ; 切回cr3
KiKernelSysretExit+38                                           ; ---------------------------------------------------------------------------
KiKernelSysretExit+38
KiKernelSysretExit+38                                           loc_FFFFF8034C9FCDB8:                   ; CODE XREF: KiKernelSysretExit+2F↑j
KiKernelSysretExit+38   000 65 83 24 25 18 70 00 00 FE                          and     gs:_KPCR.Prcb.ShadowFlags, 0FFFFFFFEh
KiKernelSysretExit+41
KiKernelSysretExit+41                                           loc_FFFFF8034C9FCDC1:                   ; CODE XREF: KiKernelSysretExit+29↑j
KiKernelSysretExit+41                                                                                   ; KiKernelSysretExit+36↑j
KiKernelSysretExit+41   000 0F 22 DD                                            mov     cr3, rbp        ; 切回cr3
KiKernelSysretExit+44
KiKernelSysretExit+44                                           loc_FFFFF8034C9FCDC4:                   ; CODE XREF: KiKernelSysretExit+C↑j
KiKernelSysretExit+44   000 49 8B E9                                            mov     rbp, r9         ; 恢复rbp r9 = _KTRAP_FRAME.Rbp
KiKernelSysretExit+47   000 0F BA E4 01                                         bt      esp, 1
KiKernelSysretExit+4B   000 72 09                                               jb      short loc_FFFFF8034C9FCDD6 ; 恢复rsp
KiKernelSysretExit+4D   000 65 0F 00 2C 25 2A 70 00 00                          verw    gs:_KPCR.Prcb.VerwSelector
KiKernelSysretExit+56
KiKernelSysretExit+56                                           loc_FFFFF8034C9FCDD6:                   ; CODE XREF: KiKernelSysretExit+4B↑j
KiKernelSysretExit+56   000 49 8B E0                                            mov     rsp, r8         ; 恢复rsp
KiKernelSysretExit+59   000 0F 01 F8                                            swapgs
KiKernelSysretExit+5C   000 48 0F 07                                            sysret
KiKernelSysretExit+5F                                           ; ---------------------------------------------------------------------------
KiKernelSysretExit+5F   000 C3                                                  retn
KiKernelSysretExit+5F                                           KiKernelSysretExit endp
KiSystemCall32
int 2e


Windows内核函数基础
2021-09-02T16:00:00.000Z
代码地址
配合git –no-pager 和 git checkout进行代码查看 
https://github.com/aW3ikun/Windows-Kernel-Driver-programming-practice
常用初始化
1
2
OBJECT_ATTRIBUTES obja = { 0 };
InitializeObjectAttributes(&obja, &str, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);
入门
driver的PUNICODE_STRING指向注册表地址，注册表存储着服务的相关信息。
如果pDriverObject->Unload没有对应的卸载函数，则不进行卸载，是一种保护措施。
需要在Unload函数中进行数据清理。
IRP————>IO请求包 ，发送给设备。
硬件设备–> hal.dll (设备虚拟层)
应用层————>DEVICE_OBJECT(FDO)（可不发送）->物理设备(PDO)
DEVICE_OBJECT可以不关联物理设备，可以实现r3进程间的通信。
名字结构
应用层无法直接打开物理设备，也无法直接打开虚拟设备，通过符号链接形式打开设备。
例如使用磁盘时：”WriteFile(C:\123.txt)”,\\??\\C:就是一个符号链接,最终是\\Device\\Harddiskvolume3
即使有了符号链接，但是消息分发没有注册，也无法处理相关信息。
驱动层与应用层的通信
一个驱动对象对应数个设备对象，应用层通过符号链接访问设备对象，然后驱动内部处理请求。
ReadFile WriteFile 通过缓冲区通信
DeviceIoControl 加 IRP_MJ_DEVICE_CONTROL
IRP派遣函数
注册
pDriverObject->MajorFunction[IRP_MJ_CREATE] = MyCreate;
派遣函数
派遣函数定义
1
2
3
4
DRIVER_DISPATCH (
    _In_ struct _DEVICE_OBJECT *DeviceObject,
    _Inout_ struct _IRP *Irp
    );
派遣函数返回值
1
2
3
4
5
6
7
pIRP->IoStatus.Status = status; //返回任务执行结果

pIRP->IoStatus.Information = 0; //输出Buffer的大小

IoCompleteRequest(pIRP, IO_NO_INCREMENT); //完成派遣函数

return STATUS_SUCCESS; //返回执行成功
事例
1
2
3
4
5
6
7
8
9
10
11
12
13
NTSTATUS MyCreate(PDEVICE_OBJECT pDevice, PIRP pIRP) {
NTSTATUS status = STATUS_SUCCESS;

DbgPrint("My Device has be opened\n");

pIRP->IoStatus.Status = status;

pIRP->IoStatus.Information = 0;

IoCompleteRequest(pIRP, IO_NO_INCREMENT);

return STATUS_SUCCESS;
}
设备IO
创建设备对象
IoCreateDevice.
1
2
3
4
5
6
7
8
9
//DriverEntry(PDRIVER_OBJECT pDriverObject,)

#define DEVICE_NAME L"\\Device\\MyFirstDevice"

UNICODE_STRING DeviceName = { 0 };
PDEVICE_OBJECT pDevice = NULL;
RtlInitUnicodeString(&DeviceName, DEVICE_NAME);

status = IoCreateDevice(pDriverObject, 200/*DeviceExtensionSize 设备扩展大小*/, &DeviceName, FILE_DEVICE_UNKNOWN, 0, TRUE, &pDevice);
设置驱动读写方式
1
pDevice->Flags |= DO_BUFFERED_IO; // 0xc8 | 0x200 = 0x2c
创建符号链接
IoCreateSymbolicLink
只有创建符号链接，才能让应用层访问到，实现交互
1
2
3
4
5
6
7
8
#define SYM_NAME L"\\??\\MyFirstDevice"

UNICODE_STRING symname = { 0 };

RtlInitUnicodeString(&symname, SYM_NAME);

//IoDeleteSymbolicLink(&symname);
status = IoCreateSymbolicLink(&symname, &DeviceName);
注册设备控制IRP
1
pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = MyControl;
设置控制IRP常规写法
获取输入输出缓冲区的长度，避免溢出。获取控制码，方便进行函数分发。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
#define IOCTL_MUL (ULONG)CTL_CODE(FILE_DEVICE_UNKNOWN,0x9888,METHOD_BUFFERED,FILE_ANY_ACCESS)
NTSTATUS MyControl(PDEVICE_OBJECT pDevice, PIRP pIRP) {
NTSTATUS status = STATUS_SUCCESS;
//请求的消息通过IRP保存。
//获得缓冲区
PIO_STACK_LOCATION pStack = IoGetCurrentIrpStackLocation(pIRP);
//获取功能号
ULONG uIocode = pStack->Parameters.DeviceIoControl.IoControlCode;
//获得输入缓冲区长度
ULONG ulInlen = pStack->Parameters.DeviceIoControl.InputBufferLength;
//获得输出缓冲区长度
ULONG ulOutlen = pStack->Parameters.DeviceIoControl.OutputBufferLength;

ULONG ulIoinfo = 0;
//进行控制码的分发
switch (uIocode)
{
case IOCTL_COPY: {
FILEPATH filepath = *(FILEPATH*)pIRP->AssociatedIrp.SystemBuffer;
        
             //do something......

ulIoinfo = ulOutlen;

break;
}
default:
status = STATUS_UNSUCCESSFUL;

ulIoinfo = 0;

break;
}

pIRP->IoStatus.Status = status;

       //通过指针返回给r3的长度，长度不对容易溢出。
pIRP->IoStatus.Information = ulIoinfo;

IoCompleteRequest(pIRP, IO_NO_INCREMENT);

return STATUS_SUCCESS;
}
字符串操作
字符串初始化
RTL_CONSTANT_STRING(),初始化不可修改的字符
RtlInitUnicodeString()，不申请内存，只是buffer指针指向字符串。
1
2
3
4
5
6
7
PWCHAR testbuffer = ExAllocatePool(NonPagedPool, 0x1000);

RtlZeroMemory(testbuffer, 0x1000);

RtlCopyMemory(testbuffer,L"buffFFFFF",sizeof(L"buffFFFFF"));

RtlInitUnicodeString(&DeviceName, testbuffer);
窄字符转成成宽字符
窄字符转成成宽字符,RtlAnsiStringToUnicodeString();
1
2
3
4
5
6
PCHARtempbuffer = "C:\\123\\312\\123\\123.txt";
STRINGstr = { 0 };
RtlInitString(&str, tempbuffer);
//转换成宽字符
RtlAnsiStringToUnicodeString(&DeviceName, &str, TRUE);
RtlFreeUnicodeString(&DeviceName);//一定要释放
字符串的拷贝
字符串的拷贝，定义缓冲区，长度。缓冲区清零。拷贝内存。
1
2
3
4
5
6
7
8
9
10
11
12
uTargetUnicode.Buffer = ExAllocatePool(NonPagedPool, 0x1000);
uTargetUnicode.MaximumLength = 0x1000;

RtlZeroMemory(uTargetUnicode.Buffer,0x1000);

RtlCopyUnicodeString(&uTargetUnicode, &DeviceName);

DbgPrint("--%wZ--\n", &uTargetUnicode);

//释放之前申请的缓冲区
RtlFreeUnicodeString(&DeviceName);
RtlFreeUnicodeString(&uTargetUnicode);
 RtlInitEmptyUnicodeString初始化temp1的缓冲区指向dst_buf。
1
2
3
4
WCHAR dst_buf[256];
UNICODE_STRING temp1 = { 0 };
RtlInitEmptyUnicodeString(&temp1, dst_buf, sizeof(dst_buf));
RtlCopyUnicodeString(&strTest3, &strTest);
字符转成大写
转换为大写，RtlUpcaseUnicodeString(),可以自己转自己，也可以转乘其他字符串的缓冲区中。第三个标志位决定。
安全拷贝字符
安全拷贝字符函数,RtlStringCbCopyW。
1
2
3
4
5
6
7
#include

PWCHAR tempbuffer2 = ExAllocatePool(NonPagedPool, 0x1000);

RtlZeroMemory(tempbuffer2, 0x1000);

RtlStringCbCopyW(&tempbuffer2, 0x1000, L"\\??\\");
字符追加
字符追加 RtlStringCbCatW(),RtlStringCbCatW(tempbuffer2, 0x1000, L"C:\\ABc\\ccc\\bbb\\eee.txt");
字符前缀判断
字符前缀判断 RtlPrefixUnicodeString(1，2，大小写敏感标志位),判断2有没有1的前缀。TRUE大小写不敏感。
字符串比较
字符串比较， RtlEqualString(1，2，大小写敏感标志位)
字符搜索
搜寻字符,通配符配大写字符串。
1
2
3
4
5
6
7
8
9
//字符查找
RtlInitUnicodeString(&temp4, L"C:\\ABc\\CCC\\bbb\\eee.txt");
UNICODE_STRING temp5 = { 0 };
//一定要大写
RtlInitUnicodeString(&temp5, L"*EEE*");//*EEE.TXT
  
if (FsRtlIsNameInExpression(&temp5, &temp4, TRUE, NULL)) {
DbgPrint("Searched\n");
}
文件操作
ZW函数–>检查参数，检查发起操作的模式->NT函数
删除文件
ZwDeleteFile 删除文件.初始化OBJECT_ATTRIBUTES结构体。但不能删除被占用的文件。
1
2
3
4
5
6
7
OBJECT_ATTRIBUTES obja = { 0 };

RtlInitUnicodeString(&uFilePath, file_path);

InitializeObjectAttributes(&obja, &uFilePath, OBJ_CASE_INSENSITIVE, NULL, NULL);

status = ZwDeleteFile(&obja);
文件拷贝
文件读取写入实现拷贝,ZwCreateFile,ZwReadFile,ZwWriteFile.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
TSTATUS KernelSmallCopyFile(PWCHAR pwDestPath, PWCHAR pwSourcePath) {
UINT64 count = 0;
NTSTATUS status = STATUS_SUCCESS;
UNICODE_STRING target = { 0 };
UNICODE_STRING source = { 0 };

//初始化文件字符串
RtlInitUnicodeString(&target, pwDestPath);
RtlInitUnicodeString(&source, pwSourcePath);

HANDLE htarget = NULL;
HANDLE hsource = NULL;

PVOID buffer = NULL;
LARGE_INTEGER offset = { 0 };
IO_STATUS_BLOCK io_stack = { 0 };

do
{
buffer = ExAllocatePool(NonPagedPool, 1024 * 4);
if (!buffer) {
DbgPrint("AllocateBuffer Failed\n");
break;
}

OBJECT_ATTRIBUTES obja_target = { 0 };
OBJECT_ATTRIBUTES obja_source = { 0 };

InitializeObjectAttributes(&obja_target, &target, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);
InitializeObjectAttributes(&obja_source, &source, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);

status = ZwCreateFile(
&htarget,
GENERIC_ALL,
&obja_target,
&io_stack,
NULL,
FILE_ATTRIBUTE_NORMAL,
FILE_SHARE_READ,
FILE_SUPERSEDE,//文件不存在 则创建
FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT,
NULL,
0);

if (!NT_SUCCESS(status)) {
DbgPrint("CreateFile target Failed: %x\n", status);
break;
}

status = ZwCreateFile(
&hsource,
GENERIC_ALL,
&obja_source,
&io_stack,
NULL,
FILE_ATTRIBUTE_NORMAL,
FILE_SHARE_READ,
FILE_OPEN_IF,//文件存在才打开
FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT,
NULL,
0);


if (!NT_SUCCESS(status)) {
DbgPrint("CreateFile Source Failed: %x\n", status);
break;
}

while (1) {
UINT64 length = 4 * 1024;
status = ZwReadFile(
hsource, NULL, NULL, NULL,
&io_stack, buffer, length, &offset, NULL
);
if (!NT_SUCCESS(status)) {
if (status == STATUS_END_OF_FILE)
status = STATUS_SUCCESS;
else
DbgPrint("ReadFile Failed: %x\n", status);
break;
}
//获得实际读取的长度
length = io_stack.Information;

status = ZwWriteFile(
htarget, NULL, NULL, NULL,
&io_stack, buffer, length, &offset, NULL
);
if (!NT_SUCCESS(status)) {
if (status == STATUS_END_OF_FILE)
status = STATUS_SUCCESS;
else
DbgPrint("WriteFile Failed: %x\n", status);
break;
}
offset.QuadPart += length;
count += 1;
}

} while (0);

if (htarget != NULL)
ZwClose(htarget);
if (hsource != NULL)
ZwClose(hsource);
if (buffer != NULL)
ExFreePool(buffer);

DbgPrint("Copy File %d 4kPage\n", count);
return status;
}
文件属性查询
ZwQueryInformationFile
注册表操作
start决定了驱动的启动方式，3为DemandStart，2为AutoStart,1为SystemStart，0为BootStart。4是禁用。启动方式存在限制。
Zw函数
打开注册表
ZwCreateKey,ZwOpenKey。
查询注册表
ZwQueryValueKey
修改注册表值
ZwSetValueKey
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
HANDLE hKey = NULL;

ULONG ulRetSize = 0;

OBJECT_ATTRIBUTES objaReg = { 0 };

PKEY_VALUE_PARTIAL_INFORMATION keyinfo = NULL;

InitializeObjectAttributes(&objaReg,pRegistryPath, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);

//Open Key
//ZwCreateKey可以创建也可以打开
/*status = ZwCreateKey(&hKey, KEY_ALL_ACCESS, &objaReg, NULL, NULL, REG_OPTION_NON_VOLATILE, &ulDispostion);

if (NT_SUCCESS(status)) {
if (ulDispostion == REG_CREATED_NEW_KEY) {
DbgPrint("Key has be Created\n");
}
else if (ulDispostion == REG_OPENED_EXISTING_KEY)
{
DbgPrint("Key has be Opened\n");
}
else {
DbgPrint("Error\n");
}
}
else {
DbgPrint("Create Key Failed: %x\n", status);
}
*/

//确定该注册表存在的时候使用

status = ZwOpenKey(&hKey, KEY_ALL_ACCESS, &objaReg);

do {
    UNICODE_STRING name = { 0 };

    RtlInitUnicodeString(&name, L"ImagePath");

    if (!NT_SUCCESS(status))
        break;

    status = ZwQueryValueKey(hKey, &name, KeyValuePartialInformation, NULL, 0, &ulRetSize);

    if (status == STATUS_BUFFER_TOO_SMALL && ulRetSize != 0) {

        keyinfo = ExAllocatePool(NonPagedPool, ulRetSize);

        if (!keyinfo) {

            DbgPrint("ExAllocatePool Secondly Failed\n");

            break;
        }
        RtlZeroMemory(keyinfo, ulRetSize);
    }
    status = ZwQueryValueKey(hKey, &name, KeyValuePartialInformation, keyinfo, ulRetSize, &ulRetSize);

    if (!NT_SUCCESS(status))
        break;

    PWCHAR imagepath = (PWCHAR)(keyinfo->Data);

    DbgPrint("---ImagePath---%ws\n", imagepath);

    //C:\\Windows\System32\drivers \SystemRoot\System32\drivers\acpipmi.sys 更早的启动

    //课后作业 判断前缀是否是\\SystemRoot\\ 则已经拷贝

    UNICODE_STRING prefix = { 0 };
    UNICODE_STRING uImagePath = { 0 };

    RtlInitUnicodeString(&prefix, L"\\SystemRoot\\");
    RtlInitUnicodeString(&uImagePath, imagepath);


    if (RtlPrefixUnicodeString(&prefix, &uImagePath, TRUE)) {

        DbgPrint("Already Copied File\n");

        break;
    }

    status = KernelSmallCopyFile(L"\\??\\C:\\Windows\\System32\\drivers\\NewDriver.sys", imagepath);

    if (!NT_SUCCESS(status)) {
        DbgPrint("Copy File Failed :%x\n", status);
        break;
    }

    //change path
    PWCHAR  rootpath = L"\\SystemRoot\\system32\\drivers\\NewDriver.sys";

    status = ZwSetValueKey(hKey, &name, 0, REG_EXPAND_SZ/*使用环境变量的UNICODE字符串*/,rootpath, wcslen(rootpath) * 2 + 2);

    if (!NT_SUCCESS(status)) {
        DbgPrint("SetValueKey Failed :%x\n", status);
        break;
    }

}while (0);

if (keyinfo != NULL)
    ExFreePool(keyinfo);
if (hKey != NULL) {
    ZwClose(hKey);
    hKey = NULL;
}

//先删除子项 才能删除父项
//ZwDeleteKey(hKey);
运行时函数
RtlWriteRegistryValue，写入注册表值
1
2
3
ULONG tempstart = 1;
//封装好的函数
RtlWriteRegistryValue(RTL_REGISTRY_ABSOLUTE, pRegistryPath->Buffer, L"Start", REG_DWORD, &tempstart, 4);
注册表快速检查 RtlCheckRegistryKey
  //检测注册表是否存在
  //status = RtlCheckRegistryKey(RTL_REGISTRY_SERVICES, L”123456”);
注册表创建 RtlCreateRegistryKey
1
RtlCreateRegistryKey(RTL_REGISTRY_SERVICES, L"123456");
R3注册表操作
RegCreateKeyEx,RegSetValueEx,RegGetValue。句柄关闭RegCloseKey();
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
HKEY hkey = NULL;
DWORD dwdisp = 0;
DWORD dwRet = 0;

const WCHAR* value = L"Number";
const WCHAR* reg = L"SYSTEM\\ControlSet001\\Services\\AddNumber";
DWORD dwData = 1;
DWORD cbData =  4 ;
DWORD dwType = 0;
dwRet = RegCreateKeyEx(HKEY_LOCAL_MACHINE, reg, 0,
                       NULL, REG_OPTION_NON_VOLATILE, KEY_SET_VALUE, NULL, &hkey, &dwdisp);

dwRet = RegSetValueEx(hkey, value, 0, REG_DWORD, (PBYTE)&dwData, cbData);

RegGetValue(HKEY_LOCAL_MACHINE, reg, value, REG_DWORD, &dwType, (PBYTE)&dwData, &cbData);
RegCloseKey(hkey);
中断级
IRQL 软中断
0    PASSIVE_LEVEL (pass_level)
1    APC_LEVEL
2    DISPATCH_LEVEL (dpc_level)  非硬件中断最高级别，只能访问非分页内存。（当页面在物理内存不会出现问题。内存页面没在物理内存中时，触动缺页异常引发中断进行换页操作，但无法中断DPC，触发访问无效地址蓝屏）
Driver_Entry中断级别为0。
ISR：Interrupt Service Routines中断服务例程。使用dpc延迟过程调用，当某个硬件设备引发高级别中断的时候，将不那么紧急的任务放到dpc里跑。（降低了中断级别，又可以让以其他硬件设备引发中断，通知CPU。
DPC是一个队列，当CPU处理完高于DPC中断级的任务后，就来找这个队列，拿出例程按顺序执行。
也可能使用不插队的形式，短暂的把当前任务请求级提高的DPC。 
提高irql后，要降回原来的irql。
提高IRQL的好处
进行HOOK的时候，
不希望该函数执行
不希望HOOK过程被打断
先把IRQL提升到DPC，然后关中断。中断级别高，外部中断无法介入，顺利完成HOOK，避免出错。
手动提高中断级别到DPC
KeRaiseIrqlToDpcLevel提升，KeLowerIrql()恢复。
1
2
3
4
5
6
7
KIRQL oldirql = 0;

oldirql = KeRaiseIrqlToDpcLevel();

DbgPrint("---Current Irql = %d---\n", KeGetCurrentIrql());

KeLowerIrql(oldirql);
自旋锁
自选锁的本质是一种忙等待，一直在询问获取。
保护多线程安全性
操作重入危险数据 全局变量
可重入代码
自旋锁是将该处中断级别提高到dpc_level,保证这段代码不会被抢占。
1
2
3
//wdm.h
#define KeAcquireSpinLock(SpinLock, OldIrql) \
    *(OldIrql) = KeAcquireSpinLockRaiseToDpc(SpinLock)
pdb中的ldr
自旋锁初始化
静态变量 ，全局变量 KSPIN_LOCK spinlock = { 0 };
KeInitializeSpinLock(&spinlock);,一般在DriverEntry中
加锁，解锁
KeAcquireSpinLock()，KeReleaseSpinLock()
1
2
3
4
5
6
7
8
9
KIRQL oldirql = 0;

//加锁
KeAcquireSpinLock(&spinlock, &oldirql);

//...to do something

//解锁
KeReleaseSpinLock(&spinlock,oldirql);
优雅的锁
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
//ndis.h
BOOL bLock = FALSE;
//避免高中断级跑过多代码
if (!bLock) { 
    //加锁
    KeAcquireSpinLock(&spinlock, &oldirql);

    bLock = TRUE;

    //解锁
    KeReleaseSpinLock(&spinlock, oldirql);

    //
    //遍历链表
    //

    DbgPrint("AAAAAAAAAAAAAAA\n");

    bLock = FALSE;
}
DPC操作
手动插入DPC队列
KeInitializeDpc初始化，KeInsertQueueDpc插入。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
KDPC dpcobj = { 0 };

VOID DpcRoutine(PVOID context) {

DbgPrint("---Dpc Run Current Irql=%d\n", KeGetCurrentIrql());

return;
}
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath)
{
pDriverObject->DriverUnload = DrvierUnload;

NTSTATUS status = STATUS_SUCCESS;

KeInitializeDpc(&dpcobj, DpcRoutine, NULL);

KeInsertQueueDpc(&dpcobj, NULL, NULL);

return status;
}
内存
带标识符分配内存
PVOID tempbuffer = ExAllocatePoolWithTag(NonPagedPool, 0x1000, 'xxaa');
常用的标识符
1
2
3
4
5
6
7
8
9
10
11
typedef _Enum_is_bitflag_ enum _POOL_TYPE {
    NonPagedPool,
    NonPagedPoolExecute = NonPagedPool,
    PagedPool,
    NonPagedPoolMustSucceed = NonPagedPool + 2,//分配必须成功
    DontUseThisType,
    NonPagedPoolCacheAligned = NonPagedPool + 4, //内存对齐，32位系统四字节，64位8字节
    PagedPoolCacheAligned,
    NonPagedPoolCacheAlignedMustS = NonPagedPool + 6, //内存对齐加分配必须成功
    MaxPoolType
}
内存清零
RtlZeroMemory(tempbuffer, 0x1000);
内存填充
RtlFillMemory(tempbuffer, 0x1000, 0xcc);
释放
ExFreePoolWithTag(tempbuffer, ‘xxaa’);
内存是否相等
//RtlCompareMemory()
RtlEqualMemory((Destination,Source,Length);用的比较多，相等返回TRUE，不等返回FALSE。
本质都是由C语言实现的宏
1
2
3
4
5
#define RtlEqualMemory(Destination,Source,Length) (!memcmp((Destination),(Source),(Length)))
#define RtlMoveMemory(Destination,Source,Length) memmove((Destination),(Source),(Length))
#define RtlCopyMemory(Destination,Source,Length) memcpy((Destination),(Source),(Length))
#define RtlFillMemory(Destination,Length,Fill) memset((Destination),(Fill),(Length))
#define RtlZeroMemory(Destination,Length) memset((Destination),0,(Length))
可以使用WDK自带的poolMon.exe进行查看
旁视列表 LookAside
为了减少内存碎片，一开始就申请一片复用的内存空间，在固定的内存空间，再次分配或者释放内存。
详情看书3.7.2旁视列表.
非分页主要函数位ExInitializeNPagedLookasideList(),
链表
进行全局变量的链表修改时，容易造成多线程安全，应合理使用自旋锁。
1
2
3
4
typedef struct _LIST_ENTRY {
   struct _LIST_ENTRY *Flink;
   struct _LIST_ENTRY *Blink;
} LIST_ENTRY, *PLIST_ENTRY, *RESTRICTED_POINTER PRLIST_ENTRY;
链表初始化
填充为自己的地址
1
2
3
LIST_ENTRY listhead = { 0 };

InitializeListHead(&listhead);
链表插入
1
2
InsertHeadList(,)//头部插入
InsertTailList(&listhead, &(ptempptr->list)); //尾部插入
链表删除
1
2
RemoveTailList //移除头部
RemoveHeadList //移除部
链表遍历
1
2
3
4
5
6
7
8
9
10
11
typedef struct _MyStruct {
HANDLE pid;
LIST_ENTRY list;
}MyStruct, * PMyStruct;

PLIST_ENTRY  templist = NULL;
PMyStruct tempptr = NULL;
for (PLIST_ENTRY templist = listhead.Flink; templist != &listhead; templist = templist->Flink) {
    PMyStruct tempptr = CONTAINING_RECORD(templist, MyStruct, list);
    DbgPrint("--%d--%p--%s\n",tempptr->pid, tempptr->pEprocesspbj, tempptr->processname);
}
链表遍历并删除
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

while (listhead.Flink != &listhead) {
    //返回节点指针
    templist = RemoveTailList(&listhead);

    tempptr = CONTAINING_RECORD(templist, MyStruct, list);

    DbgPrint("--%d--%p--%s\n",
             tempptr->pid, tempptr->pEprocesspbj, tempptr->processname);

    ExFreePool(tempptr);
}
if (IsListEmpty(&listhead)) {
    DbgPrint("Free List Succeed\n");
}
}
线程与事件
申请事件
1
KEVENT gkevent = { 0 };
初始化事件
1
KeInitializeEvent(&gkevent, NotificationEvent, FALSE);
创建线程
1
NTSTATUS status = PsCreateSystemThread(&hthread, 0, NULL, NULL, NULL, KernelThread2, &gkevent);
结束线程
1
PsTerminateSystemThread(0);
等待线程
KeWaitForSingleObject(&gkevent, Executive, KernelMode, FALSE, NULL);
设置超时等待
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
{
LARGE_INTEGER timeout = { 0 };

timeout.QuadPart = -10 * 1000 * 1000 * 5;
    
while (1)
{
//设置超时时间
NTSTATUS status =  KeWaitForSingleObject(pKernelEvent, Executive, KernelMode, FALSE, &timeout);

if (status == STATUS_TIMEOUT) {
DbgPrint("Time Out\n");

break;
}

DbgPrint("This Requset com from R3 Routine\n");
}

PsTerminateSystemThread(0);
}
通知事件NotificationEvent
如果一个事件被设置为通知事件(NotificationEvent),那么当这个事件被设置成激发态以后,如果还需要用到这个事件进行同步,那么需要开发人员手动设置为不激发状态。
通常的情况就只是使用一次。
同步事件SynchronizationEvent
如果某一个事件我们设置为同步事件SynchronizationEvent
那么当这个事件遇到KeWt等待函数通过然后系统会自动将事件重置为未激发态。
设置时间为激发态
KeSetEvent(&gkevent, IO_NO_INCREMENT, FALSE);
设置时间为非激发态
KeResetEvent(&gkevent);
事例
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
VOID KernelThread1(PVOID context) {
KeInitializeEvent(&gkevent, NotificationEvent, FALSE);

HANDLE hthread = NULL;

NTSTATUS status = PsCreateSystemThread(&hthread, 0, NULL, NULL, NULL, KernelThread2, &gkevent);

if (!NT_SUCCESS(status)) {
DbgPrint("Create Thread Failed : %x", status);
return;
}

ZwClose(hthread);

while(1) {
KeWaitForSingleObject(&gkevent, Executive, KernelMode, FALSE, NULL);

KeResetEvent(&gkevent);

DbgPrint("Event Has be seted\n");
}
PsTerminateSystemThread(0);
}
r3和r0进行同步
获取r3的句柄的内核对象
ObReferenceObjectByHandle()
释放引用
ObDereferenceObject()
1
2
3
4
5
6
7
8
9
10
11
12
13
14
HANDLE hEvent = (HANDLE)dwIndata;
//句柄只隶属于当前进程,获取当前的事件对象
//https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/nf-wdm-obreferenceobjectbyhandle
status = ObReferenceObjectByHandle(hEvent, EVENT_MODIFY_STATE, *ExEventObjectType, KernelMode, &pKernelEvent, NULL);

if (NT_SUCCESS(status)) {
    //提前引用计数减一
    //方便其他操作该内核对象
    ObDereferenceObject(pKernelEvent);

    HANDLE hThread = NULL;

    status = PsCreateSystemThread(&hThread, 0, NULL, NULL, NULL, KernelThread3, NULL);
}
r0与r3的线程同步技巧
不要设置线程超时，因为调试器很慢，有时候内核直接超市掉线，失去交互了。
使用调试器分别调试r3和r0，r3的有些错误并不会通过返回值并不会通过返回值表现出来，使用调试器接收异常是一个好的选择。
定时器
负数表示相对时间，从现在起。
-101000\1000 = 1s 使用100纳秒为单位。
1s = 1000ms = 10^6微秒 = 10^9 纳秒 
IO定时器
是基于设备的派遣函数，可能会切到其他进程。
1s一次。
IO定时器初始化
1
2
3
4
5
6
7
VOID TimeWorker(PVOID context) {
    DbgPrint("Irql = %d\n", KeGetCurrentIrql());
    DbgPrint("Processname = %s\n",            
    PsGetProcessImageFileName(PsGetCurrentProcess()));
    return;
}
IoInitializeTimer(pDevice, TimeWorker, NULL);
IO定时器启动
IoStartTimer(pDevice);
IO定时器卸载
1
2
3
4
void DrvierUnload(PDRIVER_OBJECT pDriverObject) {
DbgPrint("Unload\n");
IoStopTimer(pDriverObject->DeviceObject);
}
DISPATCHER_HEADER的重要性
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
typedef struct _DISPATCHER_HEADER {
    union {
        struct {
            UCHAR Type;
            union {
                UCHAR Absolute;
                UCHAR NpxIrql;
            };
            union {
                UCHAR Size;
                UCHAR Hand;
            };

            union {
                UCHAR Inserted;
                BOOLEAN DebugActive;
            };
        };
        volatile LONG Lock;
    };
    LONG SignalState;
    LIST_ENTRY WaitListHead;
} DISPATCHER_HEADER;
比较重要的，一个是SignalState，指定信号量或者事件的信号状态，小于等于0时线程需要等待。另一个WaitListHead，本质上是个双向循环链表
反PChunter小技巧
初始化两次IO定时器
1
2
3
4
IoInitializeTimer(pDevice, TimeWorker, NULL);
IoInitializeTimer(pDevice, TimeWorker, NULL);

IoStartTimer(pDevice);
DPC定时器
为何使用DPC定时器，使用高中断级执行代码。
DPC定时器
KeInitializeTimer(&kerneltimer);
初始化DPC
KeInitializeDpc(&dpcobj, DpcRoutine, NULL);
插入dpc队列后 两秒后执行
1
2
LARGE_INTEGER dpctime = { 0 };
dpctime.QuadPart = -10 * 1000 * 1000 * 2;
设置DPCtimer
KeSetTimer()
事例
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
//DPC定时器
KeInitializeTimer(&kerneltimer);

//初始化DPC
KeInitializeDpc(&dpcobj, DpcRoutine, NULL);

//插入dpc队列后 两秒后执行
LARGE_INTEGER dpctime = { 0 };
dpctime.QuadPart = -10 * 1000 * 1000 * 2;

//设置timer
//KeSetTimer(&kerneltimer, dpctime, &dpcobj);
KeSetTimer(&kerneltimer, dpctime, NULL);

KeWaitForSingleObject(&kerneltimer,Executive,KernelMode,FALSE,NULL);

DbgPrint("Dpc Timer has worked\n");
向系统线程池中插入自身函数
初始化工作例程
ExInitializeWorkItem(&workobj, WorkItemRoutine, NULL);
插入工作例程
ExQueueWorkItem(&workobj, CriticalWorkQueue);
一般使用CriticalWorkQueue,DelayedWorkQueue。
CriticalWorkQueue 表示实时系统工作线程。分配的优先级为 13。
DelayedWorkQueue 表示普通工作线程。分配的优先级为 12。
可以使用事件进行线程延迟同步。
Ps函数
获取进程名
PsGetProcessImageFileName(PsGetCurrentProcess())
Mm函数
获取导出函数地址
MmGetSystemRoutineAddress() 


2021-08-16-花指令学习
2021-08-16T06:48:09.000Z
https://bbs.pediy.com/thread-129526.htm    
之前没有细致去了解，只了解简单的一些方便，遇到混淆还是有些畏难。所以好好的学习一下。需要了解一定的opcode。
opcode查询 http://ref.x86asm.net/coder32.html。
只能说加密与解密里是简单带过，略读一下就行。着重看下这个文章。
算是一篇摘抄总结文与简单实践。
花指令分类
可执行花指令
①可以正常运行；
②不改变任何寄存器的值；
③反汇编器可以正确反汇编该指令。
1
2
3
4
mov edi,edi
push eax
pop eax
nop
不可执行花指令
① 不可以正常运行；
② 不改变任何寄存器的值；
③ 反汇编器可能会错误反汇编这些字节。
__emit 0xe9
人话来说，通过干扰反编译引擎，生成错误的汇编指令。但是执行并不会按照反编译的汇编指令执行。造成了机器执行与人眼执行的区别。
反汇编算法：
线性扫描反汇编算法
从代码段开始，从头到尾逐字节扫描，匹配汇编。这样很容易不执行的数据解析成汇编代码。造成错误。
行进递归反汇编算法
从代码段开始，逐字节扫描解析，遇到跳转后，则跳转到该地址再进行扫描解析。
正文
简单不可执行花指令
1
2
3
4
5
6
7
8
9
10
11
12
13
int main()
{
__asm {
//简单不可执行花指令
jmp Lable1
__emit 0x8
//0xEa
//0xeB
//0xec
}
Lable1:
    std::cout << "Hello World!\n";
}
已经混淆，人眼发现下一步还是跳转。
执行一步后，如下，解析正常。
稍复杂的花指令
多节跳转
使用多重嵌套能混淆更多的指令。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
int main()
{
__asm {
//多节花指令
jmp Lable2
__emit 0xe8
__emit 0x41
Lable2:
push eax
mov eax,1
pop ebx
mov eax,ebx
jmp Lable1
__emit 0xe9
}
Lable1:
    std::cout << "Hello World!\n";
}
多层乱序嵌套
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
int main()
{
__asm {
jmp Lable1
__emit 0xe8
__emit 0x41
Lable2:
xor eax,eax
jnz Lable1
jz Lable3
__emit 0x76
__emit 0x7c
Lable1:
mov eax,0xe8e9ece8
jmp Lable2
__emit 0x75
}
Lable3:
    std::cout << "Hello World!\n";
}
总结
jmp/call/ret+垃圾数据，非常容易被识别。可以说几乎没有什么作用。
放到x32dbg中虽有混淆，但意图明显，很容易过滤掉。
ida中直接被过滤。
①检测跳转结构的固定形态特征，当然这不是绝对的，如果检测机制没能预见到这种形态特征，此点可以忽略，本文后边会提到一些这样的情况。
②用可靠的方法直接证明，垃圾数据部分在任何情况下都不会被执行。应该说该点是对“不可执行花指令”的无敌检测手段，然而却难在“可靠”二字上，目前已知的实践，只是做到“可供参考”的程度。
创意的花指令
①采用新的固定结构，许多插件还没有检测，比如下文提到的xor-cmp的结构。
②非固定结构的“伪条件跳转”替代“强制跳转”
使用互补条件跳转
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
int main()
{
__asm {
cmp eax,ebx
jge Lable2
jle Lable2
__emit 0xe8
__emit 0x41
Lable2:
mov eax,2
cmp eax,esp
jnz Lable3
jz Lable3
}
Lable3:
    std::cout << "Hello World!\n";
}
IDA混淆效果显著。
改进版—用随机值获得确定性标志位
通过某些隐蔽的手法，使得某个标志位有确定性的值，然后利用这个确定值，进行确定性条件跳转。
利用某确定值，进行跳转。这个需要查询影响CF标志位等的操作符。 参考：http://abcdxyzk.github.io/blog/2012/12/20/assembly-cmd-flags/
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
int main()
{
DWORD d;
__asm {
mov d ,0x123
xor eax,d
cmp eax,d
jne Lable3
__emit 0xc2
            
              //mov d ,0x123
//and eax,d
//sub eax,d
//jle Lable3
//__emit 0xc2
}
Lable3:
    std::cout << "Hello World!\n";
}
效果不错。
ida阵亡。
利用API返回确定值
大部分API函数的返回值是不确定的，只要有方法使得API返回确定值，那么后面接续的条件跳转，就是等价的。比如说CreateFile返回文件句柄，句柄可能是任意值且有不确定性，然而我们可以使得函数CreateFile返回值是确定的。
1)令CreateFile返回错误码，比如故意向CreateFile传入错误参数，还可以使用类似inc esp，使得堆栈不4字节对齐，即使传入正确参数，也会返回错误码。
2)由于句柄值实际上是句柄表索引，所以CreatFile返回的正确句柄值都是4的倍数，我们把句柄值取4的模，得0是一定的。
总结
通过某种方法，去构造一个看似任意值，实则最后获得确定值。以保证影响标志寄存器具有唯一性，则跳转也存在唯一性。
指令检测
思路是检测垃圾代码是否被清除,一般使用nop清除。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
void Msg() {
MessageBoxA(NULL,"detected",NULL,MB_OK);
exit(1);
}
int main()
{
DWORD d;
__asm {
mov d ,0x123
and eax,d
sub eax,d
jne Lable3
__emit 0xc2
}
Lable3:
__asm {
lea eax, Lable3
add eax,-1
mov al,byte ptr[eax]
cmp al,0x90
jne Label4
call Msg
}
Label4:
    std::cout << "Hello World!\n";
}
总结
都是针对静态相关的花指令，基于动态调试的破解技术,保护效果并不明显。
所以耐心通过动态调试，是能攻破的。
而vm保护就不一样了。后续再聊！


SMAP_SMEP_PGAING_KPTI 解析
2021-08-08T16:00:00.000Z
SMAP_SMEP
https://www.bilibili.com/video/BV1nJ411T7R6
如果通过Windbg手工构造21号中断，在win10内是无法正常执行的，关掉SMEP可以执行。
这涉及到了SMAP，SMEP。Cr4中的标志位如下。（白皮书 2.5 CONTROL REGISTERS）
SMAP，SMEP 白皮书 4.6  ACCESS RIGHTS
CR4.SMEP = 1, 不能执行任何用户模式的指令
CR4.SMAP = 1， CR0.WP = 1,EFLAGS.AC = 0 或者隐式访问，不能向用户模式的地址写入任何数据。使用汇编指令stac（1F 01 CB),将EFLAG标志位AC置为1，暂时关闭SAMP保护。
能进行部分内核的地址获取并传给r3地址，但仍然有一定限制（只能访问 idt,gdt,KVASCODE其他则蓝屏)，涉及到KPTI（页表隔离机制）。
SMEP和SMAP保护涉及ProtectionKeys保护标志位。
Protection Keys
白皮书 4.6.2 Protection Keys
Protection keys apply to shadow-stack accesses just as they do to ordinary data accesses.
保护密钥适用于影子堆栈访问，就像它们适用于普通数据访问一样。
4 级分页和5级分页每个线性地址将有4位ProtectionKeys,（ProtectionKeys位于映射线性地址页面的分页结构条目62:59区间)。两个ProtectionKeys功能根据其保护密钥控制对线性地址的访问.
PKRU
32位寄存器，存在i（0<=i<=15),PKRU[2i]位访问禁止位ADi，PKRU[2i+1]是写入调用位WDi。
llRDPKRU，WRPKRU ecx = 0;读取写入PKRU。
IA32_PKRS
IA32_PKRS MSR 格式相同(保留63:32位，为0)。
线性地址上的保护键只保护访问的数据，不保护取指令。
Cr4.PKE = 0 AND Cr4.PKS=0 ,不启用保护。
CR4.PKE = 1, 使用PKRU（Protection Key Rights Register ）寄存器, 通过判断ProtectionKeys，判断是否能对用户层进行读写。
If CR4.PKS = 1, 使用MSR寄存器 IA32_PKRS MSR (6E1H), 判断是否有权限读取或写入r0地址。
ADi = 1, 不允许数据访问。
WDi = 1, CR0.WP = 1,不允许r3地址的写入
分页
PAE PAGING
PDPTE->PDE->PTE->PhyscialAddress
   2    9   9     12
1
2
3
4
5
6
7
8
9
PAE PAGING

00PDPTE 0  pdpti
000000 010PDE2*8 pdi
00001 1010PTE26*8 pdi 
0111 10110000offset 1968

va of ptd = 0xC0000000 + ((addr >> 12)<<3)
va of ptd = 0xC0060000 + ((addr >> 21)<<3)
非PAE： 
    表size 400000h
    PTE C0000000H
    PDE C0300000H
PAE：
    表size 800000h
    PTE C0000000H
    PDE C0600000H
4 Level PAGING
INTEL:    PML4E->PDPTE->PDE->PTE->PhyscialAddress
Microsoft：PXE  -> PPE->PDE->PTE->PhyscialAddress
9       9     9    9     12
都是八字节的索引，8字节
通过cr3的物理地址查表，根据index进行索引。索引到的值后12位仍为属性值，查表时可忽略。
1
2
3
4
5
6
7
fffff803`4f25dfb0 
( !dq )
1 1111 0000 0x1f0  *0n8    + cr3
0 0000 1101 0xD *0n8  + 00000000`00e08000
0 0111 1001 0x79 *0n8 + 00000000`00e09000
0 0101 1101 0x5D *0n8 +  00000000`00faa000
1111 1011 0000 0xFB0  + 000000`0885d000
8字节对应一个页4KB(2^12)，PTE的地址变为随机地址，
PTE g_PTE_BASE + address的后48位/4KB * 8 = (address &0xFFFFFFFFFFFF>>12)<<3 + g_PTE_BASE
一个PDE对应（2^21）2MB大小。
同理:
1
2
3
4
PTE_address =   (ULONG64)(address &0xFFFFFFFFFFFF>>12)<<3 + g_PTE_BASE 
PDE_address =   (ULONG64)(address &0xFFFFFFFFFFFF>>21)<<3 + g_PDE_BASE  
PPE_address =   (ULONG64)(address &0xFFFFFFFFFFFF>>30)<<3 + g_PPE_BASE
PXE_address =   (ULONG64)(address &0xFFFFFFFFFFFF>>39)<<3 + g_PXE_BASE
PTE地址定位
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
kd> !pte 0 获取PTE页表头部
                                           VA 0000000000000000
PXE at FFFFF0F87C3E1000    PPE at FFFFF0F87C200000    PDE at FFFFF0F840000000    PTE at FFFFF08000000000
contains 8A0000000583E867  contains 0000000000000000
pfn 583e      ---DA--UW-V  contains 0000000000000000
not valid

kd> s -q fffff803`4c6ae000 L6400 FFFFF08000000000
fffff803`4c6bb040  fffff080`00000000 ffffffb9`49c08b49
fffff803`4c6bc068  fffff080`00000000 894cf003`4cc08b48
fffff803`4c6bd280  fffff080`00000000 0f000045`3e993d83
fffff803`4c6beb00  fffff080`00000000 ffffbaff`fffed4e9
fffff803`4c6bf210  fffff080`00000000 c148f003`48c08b49
fffff803`4c6c4cd8  fffff080`00000000 48f81c8b`481fe783
fffff803`4c6c8ff8  fffff080`00000000 b841904d`8d48d233
fffff803`4c6c93d8  fffff080`00000000 000fffff`ffffba49
fffff803`4c6de018  fffff080`00000000 1c0e2c84`0ff68548
通过暴力搜索匹配到PTE数据，会发现IDA中与windbg的数据不一样，可能是加载内核的时候进行改变。过特定函数的偏移地址或者搜索硬编码，获取g_PTE_BASE。
强制依赖于特定内核版本。
通过DriverObject中的_LDR_DATA_TABLE_ENTRY进行模块遍历
https://bbs.pediy.com/thread-264140.htm
ZwQuerySystemInformation 遍历模块
ntdkk.h中的函数是ntoskrnl.exe的导出函数。
此次使用MmProtectMdlSystemAddress函数的硬偏移获取PTE_BASE.
https://bbs.pediy.com/thread-262432.htm此处还有两种获取pte_base的方法。
KPTI
https://www.cnblogs.com/aliflycoris/p/9945995.html
https://wumb0.in/windows-10-kvas-and-software-smep.html
内核页表隔离（Kernel page-table isolation），用来缓解熔断（meltdown）漏洞。
隔离用户空间和内核空间页表。
内核地址在R3中只有极少数被映射。大部分都无效。r3的地址保护使用SMAP和SMEP。
AMD处理器不用开启。使用Kisystemcall64。
intel开启使用Kisystemcall64Shadow。
关闭smap和smep
从自建终端门提升权限后，获取cr3.与windbg中的cr3做比较。
使用程序内部获取的到cr3与windbg看到的cr3不一致
通过KPROCESS结构也可以看到DirectoryTableBase（r0)和UserDirectoryTableBaser（r3）。
1
2
3
4
5
6
kd> dt _kprocess ffffd68ea0bed480
nt!_KPROCESS
   +0x028 DirectoryTableBase : 0x2de0c002
   +0x280 UserDirectoryTableBase : 0x44b0b001

二者指向的地址一致，但是属性不同。
内存空间权限分隔如下：
 
r cr3显示的是内核层cr3，而程序中打印的是用户层使用的cr3。当我们的程序进入内核是是需要切换cr3的，以保证影射了足够的内核空间代码如.text段。不切换的话只能再KVASCODE中执行。
手动转换地址，也可得知user cr3无法访问ntoskrnl的.text段。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
kd> !process 0 0 forwin10.exe
PROCESS ffffd68ea12f2080
    SessionId: 1  Cid: 04d4    Peb: 003f0000  ParentCid: 0ca0
    DirBase: 6d8b2002  ObjectTable: ffff950635085240  HandleCount:  49.
    Image: ForWin10.exe
    
kd> dt _kprocess  ffffd68ea12f2080
nt!_KPROCESS
   +0x028 DirectoryTableBase : 0x6d8b2002
   +0x280 UserDirectoryTableBase : 0x75831001
   
kd> dt _kpcr fffff8034b6b9000
nt!_KPCR
   +0x180 Prcb             : _KPRCB
kd> dx -id 0,0,ffffd68e9ba8a380 -r1 (*((ntkrnlmp!_KPRCB *)0xfffff8034b6b9180))
(*((ntkrnlmp!_KPRCB *)0xfffff8034b6b9180))                 [Type: _KPRCB]
    [+0x6e80] KernelDirectoryTableBase : 0x80000000001ad002 [Type: unsigned __int64]
    
kd> u FFFFF8034C87BAC0
nt!KiSystemCall64:
fffff803`4c87bac0 0f01f8          swapgs
fffff803`4c87bac3 654889242510000000 mov   qword ptr gs:[10h],rsp
fffff803`4c87bacc 65488b2425a8010000 mov   rsp,qword ptr gs:[1A8h]

kd> !vtop 0x6d8b2000  FFFFF8034C87BAC0
Amd64VtoP: Virt fffff8034c87bac0, pagedir 000000006d8b2000
Amd64VtoP: PML4E 000000006d8b2f80
Amd64VtoP: PDPE 0000000000e08068
Amd64VtoP: PDE 0000000000e09320
Amd64VtoP: PTE 0000000000e153d8
Amd64VtoP: Mapped phys 0000000002e70ac0
Virtual address fffff8034c87bac0 translates to physical address 2e70ac0.

kd> !vtop 1ad000 FFFFF8034C87BAC0
Amd64VtoP: Virt fffff8034c87bac0, pagedir 00000000001ad000
Amd64VtoP: PML4E 00000000001adf80
Amd64VtoP: PDPE 0000000000e08068
Amd64VtoP: PDE 0000000000e09320
Amd64VtoP: PTE 0000000000e153d8
Amd64VtoP: Mapped phys 0000000002e70ac0
Virtual address fffff8034c87bac0 translates to physical address 2e70ac0.
即使DirectoryTableBase是当前进程隔离的内核页表的cr3.
KernelDirectoryTableBase的值与DirectoryTableBase不相同，是system的cr3.
1
2
3
4
5
6
kd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS ffffd68e9ba8a380
    SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 001ad002  ObjectTable: ffff950630204b00  HandleCount: 2013.
    Image: System
总结
根据另一个例子验证后，本进程的r3的cr3和r0的cr3都存储在KPROCESS结构里。DirectoryTableBase的cr3值拥有访问内核的权限。
而prcb中的KernelDirectoryTableBase是系统中某进程的r0的cr3。
猜测与如何进入内核的方式有关。
分析KiBreakpointTrapShadow
int 3中断是从用户层到内核层，参考意义较大。
开启KPTI后，默认使用KiBreakpointTrapShadow，进行cr3切换和内核栈切换。
win10中使用切换栈到_KPCR.IdtBase+4200h，使用这个内存空间暂时保存（中转）这些寄存器的值，然后切换栈之后，内核线程再读取这些数值后存储。
而不像xp时直接压在当前的栈上进行存储。
CFG
_guard_dispatch_icall
如果正常执行可以看作为call rax.



IA-32e模式笔记
2021-07-26T16:00:00.000Z
https://space.bilibili.com/37877654/channel/detail?cid=89742&ctype=0
IA-32e模式:内核64位,用户64或32位
强制平坦段,不支持任务切换
Legacy模式:内核32位,用户32位
支持非平坦段,任务切换,虚拟8086,实模式等
用户模式地址的范围：0x00000000`00000000~0x0000FFFF`FFFFFFFF；
内核模式地址的范围：0xFFFF0000`00000000~0xFFFFFFFF`FFFFFFFF。
https://wiki.osdev.org/CPU_Registers_x86-64#MSRs
IA32_EFER MSR 0xC0000080H
Bit(s) Label Description
0 SCE System Call Extensions
1-7 0 Reserved
8 LME Long Mode Enable //IA32e mode
10 LMA Long Mode Active
11 NXE No-Execute Enable
12 SVME Secure Virtual Machine Enable
13 LMSLE Long Mode Segment Limit Enable
14 FFXSR Fast FXSAVE/FXRSTOR
15 TCE Translation Cache Extension
16-63 0 Reserved
MSR
MSR INDEX Description
IA32_FS_BASE 0xC0000100H 
IA32_GS_BASE 0xC0000101 
IA32_KERNEL_GS_BASE 0xC0000102 
IA32_STAR 0xC0000081 Ring 0 and Ring 3 Segments + SYSCALL EIP:
00-31 = SYSCALL EIP
32-47 = kernel segment base
48-63 = user segment base.
IA32_LSTAR 0xC0000082 64位系统调用函数，KiSystemCall64，KiSystemCall64Shadow.
IA32_CSTAR 0xC0000083 The kernel’s RIP for SYSCALL in compatibility mode.32bit兼容模式的系统调用函数。
IA32_FMASK 0xC0000084 The low 32 bits are the SYSCALL flag mask. If a bit in this is set, the corresponding bit in EFLAGS is cleared.
段描述符
5.2.1 Code-Segment Descriptor in 64-bit Mode 段描述符
由L位决定是否是64位寻址。
当L为0时，D为0是16位寻址。D为1是32位寻址
当L为1时,D只能为0，使用64位寻址。尝试使用D的位置则会产生General Protection Exception (#GP)。
Type的第一位，0为data段，1为code段。四位一起看就是小于0n8就是data段，大于7就是code段。
64位系统中使用强制平坦模式，段描述符有32位的0环，3环code段和数据段，有64位的code段，没有64bit的数据段。(GDT 全局描述符表)
数据段描述符，代码段描述符使用64位描述符。
TSS段
TSS段扩展到128位。
找到TSS
TSS存放rsp栈指针和中断栈表（IST）的指针。
默认使用第一个rsp栈指针。
IDT_Gate_Descriptors（6.8）中的IST标志位决定使用的IST索引。标志位为0，使用rsp0。
64位IDT
32位段选择子
32位段选择子寻址参考：https://zhuanlan.zhihu.com/p/36875677
段选择子，64位fs，gs并没有扩展，但仍然Fs:[0],gs:[0]在3环指向TEB，0环指向KPCR。通过rdmsr读取IA32_GS_BASE 0xC0000101H，指向KPCR。
通过swapgs汇编指令进行gs赋值，将当前 GS 基址寄存器（0xC0000101H）值与MSR地址IA32_KERNEL_GS_BASE (C0000102H )中包含的值交换。
权限提升（进入内核） ：
中断：  中断指令后，查找IDT表，根据IDT表进行跳转，保存cs,ss,esp,eflag,eip，关中断，保存信息，切换到内核栈（esp，ss由TSS提供），cs。开中断，访问中断处理例程。只有一张IDT表， 64位中，通过栈保存的cs判断先前模式。
https://blog.csdn.net/qq_38474570/article/details/103652993
系统调用
只有一张SSDT表。
xp使用int2e进入中断。
之后的32位系统使用sysenter和sysexit。
64位使用syscall和sysexit。x86在ring3（ntddll.dll)中切换到x64内核模式（参数等东西放到64位栈里），再进入内核。
32位程序如何翻译到64位
结论：依赖ntdll.dll通过修改cs寄存器，从0x23h切换到0x33h。0x23h
0x23指向第四个GDT，0x33h指向第六个GDT。
实例
所有的32位Nt函数都会调用Wow64Transition
然后通过jmp far段间跳转，切换cs为0x33，执行后续的x64汇编指令，进行跳转。
同时支持x32和x64的汇编，使用windbg内核调试器。
syscall 解析
白皮书 4.3 Instructions SYSCALL-Fast System Call
通过IA32_LSTAR读取系统调用的函数地址,例如KiSystemCall64或者KiSystemCall64Shadow等的地址。
syscall的下一条指令保存到RCX，
保存RFLAGS到R11，
IA32_FMASK MSR寄存器值屏蔽RFLAGS的值，处理器根据IA32_FMASK 屏蔽RFLAGS的值
CS和SS选择子从IA32_STAR[47:32]（0xC0000081H）读取。
指令不保存RSP,rsp由IDT中IST决定，默认rsp0；
1
2
3
CS.Selector := IA32_STAR[47:32] AND FFFCH (* Operating system provides CS; RPL forced to 0 *)

SS.Selector := IA32_STAR[47:32] + 8; (* SS just above CS *)
以x32debug.exe为例
1
2
3
4
5
6
7
8
9
10
11
12
kd> !process 0 0 x32dbg.exe
PROCESS ffffdf0f661e30c0
    SessionId: 1  Cid: 0870    Peb: 00e7f000  ParentCid: 03bc
    DirBase: 5d633002  ObjectTable: ffffce83988e91c0  HandleCount: 319.
    Image: x32dbg.exe

kd> .process /i ffffdf0f661e30c0
You need to continue execution (press 'g' ) for the context
to be switched. When the debugger breaks in again, you will be in
the new process context.

kd> bp 77a06000
断下来之后，调试到syscall指令上。
需要关注cs,ss,rsp,rcx,r11,rflags和IA32_FMASK ，IA32_STAR；
cs 0x33 已经切换到64位
ss 0x2b
rsp 0x000000000335eb18
rcx 0x0000000000000006
r11 0x000000000345fb90
rflags 
IA32_FMASK 00000000`00004700
IA32_LSTAR fffff800`25d4f140
IA32_STAR 00230010`00000000
IA32_LSTAR地址为 nt!KiSystemCall64Shadow.
kd> bp   nt!KiSystemCall64Shadow+0x2d  
红框部分在进行内核栈切换，不能设置断点，否则蓝屏。
断点设置参考： https://www.cnblogs.com/DreamoneOnly/p/12779106.html
cs 0x0010 0环code段
ss 0x18 0环data段
rsp 0xffffad8d3d1eac90
rcx 0x0000000077a01cbc
r11 0x0000000000000246
rflags 
IA32_FMASK 00000000`00004700
IA32_LSTAR fffff800`25d4f140
混淆，反调试思路
代码参考
32位插入64位汇编，因为x86代码自动屏蔽通用寄存器(R0～R14)。win10_1903,21H1可正常运行。
通过32位汇编指令执行jmp far 33:address跳转到x64汇编,该address使用x64汇编go_write()编写，使用r12寄存器存数值。然后go_read()从r12取数值到内存地址中，x86代码读取地址。
实现数据保护和一定的反调试。
32位程序调用64位函数解析
64位系统在加载32位程序的时候，也会加载64位的DLL。
https://bbs.pediy.com/thread-221236.htm
從 32 位元地獄一路打回天堂聖地（上）深度逆向工程 WOW64 設計 https://blog.30cm.tw/2021/06/32-wow64.html
具体解析流程
调试使用x32dbg.exe,打断点会直接使用NtOpenProcess，方便调试。
windbg进入32位程序，断点到找到的NtOpenProcess地址，.reload.会发现32位的ntdll在符号中的名字位wntdll。
然后进入ntdll_779e0000!Wow64SystemServiceCall (77a68c50).在跳转到ntdll_779e0000!Wow64Transition (77b01228)
然后jmp     0033:779D6009
解析成64位汇编jmp     qword ptr [r15+0F8h] {wow64cpu!CpupReturnFromSimulatedCode (00000000^779d1742)},进入到wow64cpu.dll中
调用wow64!Wow64SystemServiceEx,通过调用号查询 sdwhnt32JumpTable调用表的第26号。
调用whNtOpenProcess调用NtOpenProcess。
最后的调用栈如下:
https://zh.wikipedia.org/wiki/WoW64
Wow64.dll，通往Windows NT内核的核心接口，它转换32位与64位调用，包括指针)和调用栈操作。
Wow64win.dll，为32位应用程序提供适当的入口点。
Wow64cpu.dll，负责解决进程从32位切换到64位模式。
RunSimulatedCode:
r11 保存rsp+4，参数地址
r12指向TEB（gs:[30h]
r13 指向TEB+1488h，指向_WOW64_CONTEXT 
r14 保存rsp
r15 保存wow64cpu!TurboThunkDispatch 的地址


如何分析X64的SEH
2021-07-24T16:00:00.000Z
如何分析X64的SEH
文章首发于安全客
参考链接
https://www.pediy.com/kssd/pediy12/142371.html
https://www.bilibili.com/video/BV1tJ411M7kd
微软文档 查询 https://docs.microsoft.com/en-us/cpp/build/exception-handling-x64?view=msvc-160
感谢周壑老师和boxcounter。
环境
VS2019
idapro7.5
正文
在PE+的结构中，异常处理的信息存储在ExceptionDirectory中，且每个字段都是3*4=12字节。
1
2
3
4
5
typedef struct _RUNTIME_FUNCTION {
    ULONG BeginAddress;
    ULONG EndAddress;
    ULONG UnwindData;
} RUNTIME_FUNCTION, *PRUNTIME_FUNCTION;
了解SEH的习惯，x64 SEH 不基于栈，不发生异常和通常执行没有区别（效率高），每个非叶函数至少对应一个 RUNTIME FUCNTION结构体叶函数如果使用了SEH, 也会对应 RUNTIME FUCNTION结构体。
既不调用函数、又没有修改栈指针，也没有使用 SEH 的函数就叫做“叶函数”。
代码演示
使用代码
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
#include
#include
#include
int filter() {
printf("filter\n");
return 1;
}

void exc() {
int x = 0;
int y = x / x;
}

int main() {
__try {
__try {
exc();
}
__finally {
printf("111\n");
}
}
__except (filter()) {
printf("222\n");
}
system("pause");
return 0;
}
通过除零异常，进行异常处理流程的学习。根据执行结果可看到，在exc()异常（EXCEPT_POINT ）后，首先执行filter函数（EXCEPT_FILTER ），然后执行finally函数（FINALLY_HANDLER ），再执行except中的异常处理函数（EXCEPT_HANDLER ）。 这是基础的执行流程。
然后在IDA中进行分析，找到main函数的引用，指向pdata段的一个RUNTIME_FUNCTION结构体，RUNTIME_FUNCTION里面存储的地址都是基于BaseAddress的32位RVA。依次是BeginAddress 就是函数开始地址，EndAddress也就是结束的地址，UnwindData是指向_UNWIND_INFO的地址。这个结构体表明了该异常处理的范围和异常处理回滚（unwind）所需要的信息。
_UNWIND_INFO是用来记录一个函数上堆栈指针的操作，以及非易失性寄存器保存在堆栈上的位置。（除了rcx，rdx，r8,r9,r10,r11为易失寄存器，其他都是非易失寄存器，使用前push进行保存，使用后pop进行恢复）。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
typedef enum _UNWIND_OP_CODES {
    UWOP_PUSH_NONVOL = 0, /* info == register number */
    UWOP_ALLOC_LARGE,     /* no info, alloc size in next 2 slots */
    UWOP_ALLOC_SMALL,     /* info == size of allocation / 8 - 1 */
    UWOP_SET_FPREG,       /* no info, FP = RSP + UNWIND_INFO.FPRegOffset*16 */
    UWOP_SAVE_NONVOL,     /* info == register number, offset in next slot */
    UWOP_SAVE_NONVOL_FAR, /* info == register number, offset in next 2 slots */
    UWOP_SAVE_XMM128 = 8, /* info == XMM reg number, offset in next slot */
    UWOP_SAVE_XMM128_FAR, /* info == XMM reg number, offset in next 2 slots */
    UWOP_PUSH_MACHFRAME   /* info == 0: no error-code, 1: error-code */
} UNWIND_CODE_OPS;

typedef union _UNWIND_CODE {
    struct {
        UBYTE CodeOffset;
        UBYTE UnwindOp : 4;
        UBYTE OpInfo   : 4;
    };
    USHORT FrameOffset;
} UNWIND_CODE, *PUNWIND_CODE;

#define UNW_FLAG_NHANDLER 0x0
#define UNW_FLAG_EHANDLER  0x01
#define UNW_FLAG_UHANDLER  0x02
#define UNW_FLAG_CHAININFO 0x04

typedef struct _UNWIND_INFO {
    UBYTE Version       : 3;
    UBYTE Flags         : 5;
    UBYTE SizeOfProlog;
    UBYTE CountOfCodes;
    UBYTE FrameRegister : 4;
    UBYTE FrameOffset   : 4;
    UNWIND_CODE UnwindCode[1];
/*  UNWIND_CODE MoreUnwindCode[((CountOfCodes + 1) & ~1) - 1];
*   union {
*       OPTIONAL ULONG ExceptionHandler;
*       OPTIONAL ULONG FunctionEntry;
*   };
*   OPTIONAL ULONG ExceptionData[]; */
} UNWIND_INFO, *PUNWIND_INFO;

typedef struct _SCOPE_TABLE {
    ULONG Count;
    struct
    {
        ULONG BeginAddress;
        ULONG EndAddress;
        ULONG HandlerAddress;
        ULONG JumpTarget;
    } ScopeRecord[1];
} SCOPE_TABLE, *PSCOPE_TABLE;
手把手解析_UNWIND_INFO结构体
结构体后面的冒号表示使用多少位，例如 Version+Flags一共使用8位，也就是1字节。
第0行
代表着结构数据有Version + Flags，SizeOfProlog，CountOfCodes,FrameRegister+FrameOffset。
Version + Flags
0x19h = 0y00010011 
Version= 0y011 = 3
Flags = 0y00010 = 2
根据数值找到对应的flag。
UNW_FLAG_NHANDLER 0x0 不对异常进行处理
UNW_FLAG_EHANDLER  0x01 使用Except函数进行处理。
UNW_FLAG_UHANDLER  0x02 使用finally函数处理。
UNW_FLAG_CHAININFO 0x04 使用调用链。
SizeOfProlog
函数头的大小。比较产生异常的相对函数头的大小与该值，判断回滚操作。函数头大小为6字节。
如果大于该值，则两个UNWIND_CODE都执行。如果小于该值，则通过UNWIND_CODE的CodeOffset进一步判断。CodeOffset小于相对数值则会进行该UNWIND_CODE的回滚。
CountOfCodes
下面UWIND_CODE的数量。2个。
FrameRegister+FrameOffset
根据FP进行相关操作。
第一行
UNWIND_CODE
UWIND_CODE用于记录函数头中有关非易失性寄存器和RSP的操作。
解析第一个，<6,32h>.
在距离便宜头部6字节及以内的地方异常，都会执行该操作。
32h = 0y00100011
UnwindOp = 2 //UWOP_ALLOC_SMALL
OpInfo = 3
所以创建了3*8+8 = 0n32= 0x24 所以记录了创建栈空间0x24字节，回滚时则需要释放32字节空间。
然而IDA已经标注了OPCODE，所以能很方便的进行判断。
第二个则是记录了压入 RDI。
0x70 = 0y01110000
UnwindOp = 0y0000 = 0n0
OpInfo = 0y0111 = 0n7
第三行
_C_specific_handler_0 是一个导入函数，是进行异常处理分发的，可以不用分析。
第四行
第四行解析_SCOPE_TABLE结构体。
有2组ScopeRecord。
引用boxcounter：
Count 表示 ScopeRecord 数组的大小。
ScopeRecord 等同于 x86 中的 scopetable_entry 成员。其中，
BeginAddress 和 EndAddress 表示某个 __try 保护域的范围。
HandlerAddress 和 JumpTarget 表示 EXCEPTION_FILTER、EXCEPT_HANDLER 和 FINALLY_HANDLER。具体对应情况为：对于 try/except 组合，HandlerAddress 代表 EXCEPT_FILTER，JumpTarget 代表 EXCEPT_HANDLER。
对于 try/finally 组合，HandlerAddress 代表 FINALLY_HANDLER，JumpTarget 等于 0。
    这四个域通常都是 RVA，但当 EXCEPT_FILTER 简单地返回或等于 EXCEPTION_EXECUTE_HANDLER 时，HandlerAddress 可能直接等于 EXCEPTION_EXECUTE_HANDLER，而不再是一个 RVA。
所以第一排指向Finally函数。
第二排指向filter和Except函数。
这时候看注释就明白很多。
当Flags为UNW_FLAG_CHAININFO
0x21 = 0y00100001
Flags = 0y00100=4,会看到末尾指向了一个_RUNTIME_FUNCTION，形成了链式结构，继续进行回滚判断。类似子函数对引用母函数的回滚。
进行异常回滚模拟
如果是在exc()函数中异常,首先查看自身函数的 RUNTIME_FUNCTION,找到UNWIND_INFO,进行回滚判断并操作。
恢复栈空间0x10字节 add rsp,0x10h
pop rdi
然后根据栈查看调用者，再查看RUNTIME_FUNCTION找到UNWIND_INFO。这里也就是main的UNWIND_INFO。判断FLAGS为，00010为2，UNW_FLAG_UHANDLER  。
由于调用exc()函数实在六字节外，所以进行回滚。
add rsp,0x20h
pop rdi
然后交给__C_specific_handler_0，_
判断异常相对于_SCOPE_TABLE字段的位置，都在内部。则两个都要执行。
由于第一个是JmpTarget是0，所以是finally，在此处进行记录。直到找到filter接管后，再执行。
然后第二个SCOPE_TABLE：
执行EXCEPT_FILTER
FINALLY_HANDLER
EXCEPT_HANDLER
顺序执行到system(“pause”)
总结
分析好后，就能更好地去理解IDA的注释了，读懂注释了。
异常处理函数反向查找引用函数
通过最后的引用的RVA，进行搜索，最终定位到C_SCOPE_TABLE，找到UWIND_INFO结构体，然后找到其引用RUNTIME_FUNCTION,定位到调用者函数。
以filter为例,定位到调用者，假设看不到其引用。我们进行搜索。
定位到疑似结构体。
然后就能找到引用该异常处理的函数部分。
万一有用？
文档中获取特定信息的宏。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
#define GetUnwindCodeEntry(info, index) \
    ((info)->UnwindCode[index])

#define GetLanguageSpecificDataPtr(info) \
    ((PVOID)&GetUnwindCodeEntry((info),((info)->CountOfCodes + 1) & ~1))

#define GetExceptionHandler(base, info) \
    ((PEXCEPTION_HANDLER)((base) + *(PULONG)GetLanguageSpecificDataPtr(info)))

#define GetChainedFunctionEntry(base, info) \
    ((PRUNTIME_FUNCTION)((base) + *(PULONG)GetLanguageSpecificDataPtr(info)))

#define GetExceptionDataPtr(info) \
    ((PVOID)((PULONG)GetLanguageSpecificData(info) + 1)



解析Excel 4.0宏教程
2021-03-16T16:00:00.000Z
解析Excel 4.0宏教程
此次挑战题目来自大佬分享.同时很巧也看到了出题方的推特.动手分析Excel4.0宏,下载后续的payload并分析,进行答题.
界面如下:
解题顺序如下:下载样本->查看参考资料->安装需要的工具->答题.
根据Questions的问题发展思维分析样本.
分析环境
Windows 10
Windows Terminal 
office 2007
Powershell 7.0.2
（REMnux是一个针对恶意软件分析师的工具包Linux系统，笔者懒惰，没去折腾）
工具准备
Excel4.0的宏很容易理解，都是常见关键词。FORMULA里面是一些需要执行的东西。
XLMDeobfuscator
去混淆.
项目地址
1
2
3
4
5
py -3 -m pip install XLMMacroDeobfuscator
py -3 -m pip install pywin32
py -3 -m pip install -U https://github.com/DissectMalware/xlrd2/archive/master.zip
py -3 -m pip install -U https://github.com/DissectMalware/pyxlsb2/archive/master.zip
py -3 -m pip install -U https://github.com/DissectMalware/XLMMacroDeobfuscator/archive/master.zip
命令行运行xlmdeobfuscator.exe -h,能正常输出图标则表示安装成功.
OLEDUMP
ole工具集
项目介绍
下载地址
下载zip后解压到合适的文件夹中,进行代码patch.修复excel中的sheet显示不完全的bug.(不知道是否patch得当,只是满足目前需求)
1319行return P23Decode(data[1:1 + cch])修改为return P23Decode(data[2:1 + cch + 1]),注意推进.    
msoffcrypto-crack.py
密码爆破工具
项目介绍
下载地址
建议放在oledump文件夹中。
## 
解题
Sample1
Question 1
文档解压密码是多少？
最开始思路是去考虑这个密码难道是vba密码？直接使用AOPR（
Advanced Office Password Recovery）进行密码破解，后发现文不对题。
使用提到的工具进行文件解析。运行
1
2
3
4
# 当前地址为oledump文件夹中

$sample1 =  D:\malware\sample1-f—b5ed444ddc37d748639f624397cff2a.bin
py -3 .\oledump.py --plugins=plugin_biff $sample1
脚本标识出了该文件被密码保护。
使用二号工具，命令行运行xlmdeobfuscator.exe -f $sample1.”-f”参数意为filepath，指向文件地址。
该工具解析结果也显示是加密文件，需加上--password参数进行解密。
难道这下就没有答案了吗？不然，最后在oledump.py页面上搜索“password”关键词找到了解答方法。
使用msoffcrypto-crack.py进行爆破，该工具已经在上方放出了下载地址。运行py -3 .\msoffcrypto-crack.py $sample1,得到输出“Password found: VelvetSweatshop”，VelvetSweatshop即为密码也是该题答案。
通过搜索可得知VelvetSweatshop为默认密码，加密excel文件首先会使用该密码解密自身，如果无法解密则会让用户输入密码。
Question 2
对plugin_biff使用什么参数解析所有关于Excel4.0的宏？
同样在oledump的页面中搜索Excel 4.0，得到博客地址
得到答案x
Question 3
列出工作表的名字，顺序按照plugin_biff的输出。
所以根据二题可以参考plugin_biff和-x参数的输出。
由于plugin_biff是需要未加密的excel文件，所以我们首先要进行解密。
通过在页面中搜寻得到答案,通过msoffcrypto-crack.py和oledump进行联合解析，但是在笔者本机上出现了一些问题。最后参考爆破脚本使用msoffcrypto-tool进行解密。脚本如下
1
2
3
4
5
6
7
8
9
10
11
12
13
#!python3

import msoffcrypto

encrypted = open("D:\\malware\\sample1-fb5ed444ddc37d748639f624397cff2a.bin", "rb")
file = msoffcrypto.OfficeFile(encrypted)

file.load_key(password="VelvetSweatshop")  # Use password

with open("D:\\malware\\sample1.new", "wb") as f:
    file.decrypt(f)

encrypted.close()
pwsh更新$sample1,$sample1="D:\\malware\\sample1.new"
py -3 .\oledump.py -p VelvetSweatshop --plugins=plugin_biff --pluginoptions "-x" $sample1
修复后的脚本输出如下：
答案为SOCWNEScLLxkLhtJp,OHqYbvYcqmWjJJjsF,Macro2,Macro3,Macro4,Macro5
Question 4
该恶意程序下载的url是多少。
通过三题，执行py -3 .\oledump.py -p VelvetSweatshop --plugins=plugin_biff --pluginoptions "-x" $sample1 >> 1.txt
使用vscode打开1.txt，c语言高亮。可看到如下字段，179行和182行，可估计调用urlmon中的函数执行下载。
答案为http://rilaer.com
Question 5
下载的是什么恶意软件家族？
我们可以使用virustotal进行查询。
最终如下所示，微软和卡巴都显示为Dridex家族。
答案即为Dridex
Sample2
执行$sample2 = "D:\malware\sample2-b5d469a07709b5ca6fee934b1e5e8e38.bin"
尝试在虚拟机中打开恶意样本，运行宏后一片空白。
Question 6
这个文档的表单属性为very hidden的名字是什么
按照常理先用xlmdeobfuscator跑一下，xlmdeobfuscator.exe -f $sample2  >> sample2.txt,虽然输出报错了，但应该能使用一部分。打开txt文件。没有显示hidden的工作表。但也没有被加密。
py -3 .\oledump.py -p VelvetSweatshop --plugins=plugin_biff --pluginoptions "-x" $sample2 >> .\sample2_ole.txt,打开txt，
显然易见，有了答案：CSHykdYHvi。
vba中运行下列代码，即可显示隐藏的sheet。指名点姓的显示sheet。
1
2
3
Sub UnhideAllSheets()
    Sheets("CSHykdYHvi").Visible = xlSheetVisible
End Sub
Question 7
使用reg.exe检查注册表哪个键值？
查询可知GET.WORKSPACE(2)是查询Excel版本，打开注册表，没什么东西。可能是解析问题。换个工具试试。打开sample2_ole.txt，搜索”reg.exe”
如上方图所示出现了”VBAWarnings”=dword:00000002,
试一下,即为正确答案。这里思考一下，去检查VBAWarnings干什么呢？
Question 8
使用reg.exe,通过访问的键值为多少能识别为沙箱环境？
根据前一题，是否是相关的呢？搜索VBAWarnings indicates a sandbox environment,从这可以得知沙箱通常将VBAWARINGS的值设为1，不禁止宏运行，但是一般正常人会为2，禁用宏。
所以当值为1的时候会认为是沙箱环境。
答案为1，001不行，0x1可以。
Question 9
本文档执行几个额外的反分析检查。它使用了什么Excel 4宏函数？
从上到下是：
检查工作区的宽度，长度，是否存在鼠标以及计算机是否能够播放声音，GET.WORKSPACE（1）检查运行Microsoft Excel的环境。
使用了GET.WORKSPACE函数。
Question 10
此文档检查运行Excel的环境的名称，比较了什么值？
当然是Windows。
Question 11
下载的payload的格式。
图中可知使用URLDownadToFileA函数下载文件保存为html后缀文件。
同样使用virustotal，查询网址https[:]//ethelenecrace.xyz/fbb3,没有文件下载信息
使用alienvault查询网址得到了HASH和文件格式。
文件格式为dll
Question 12
恶意软件从哪个URL下载有效载荷
当然是https://ethelenecrace.xyz/fbb3
Question 13
载荷被保存的文件名是什么?
答案为bmjn5ef.html
Question 14
有效载荷是如何执行的?
从sample2.txt中可知使用ShellExecuteA运行rundll32执行dll的导出函数。
答案为rundll32.exe
Question 15
归属于哪个恶意软件家族？
从alienvault得到hash，上vt查询。MD5：62cb6a2a517351472698f669a845f91c
答案为zloader。
仅仅是根据题目来进行分析，对该样本的excel4.0的执行流程没有进行仔细分析。
实战操作分析
此次样本使用的是微步报告中的Excel4.0宏样本。
样本下载
首先我们使用xlmdeobfuscator（v0.1.7)进行解析，发现是未加密文件，但是工具加载失败，暂时没修复。修复了一小部分，不足以使用.
再使用oledump+plugin_biff 插件进行解析，py -3 .\oledump.py -p plugin_biff --pluginoptions "-x" D:\malware\ecaaab9e2fc089eefb6accae9750ac60.bin
从输出可以看到拥有三个表格，sheet15，sheet1，shee2，只有sheet2处于可见的状态。然后虚拟机打开表格，启用宏。
会发现下方的表格名字从sheet1变为sheet2，展现诱饵文档。通过两种方法，可以显现隐藏的工作表
VBA
使用alt+F11在任意VBA项目中运行下方代码，即可显示所有工作表。且适用于very hide.
1
2
3
4
5
6
7
Sub UnhideAllSheets()
    Dim wks As Worksheet
 
    For Each wks In ActiveWorkbook.Worksheets
        wks.Visible = xlSheetVisible
    Next wks
End Sub
右键下方工作表，点击取消隐藏，选择取消隐藏的工作表。只适用于hidden。
在sheet15中搜索oledump出现的字符串，如“GET.WORKSPACE”
发现字符在Z列，且被隐藏无法编辑。发现是实现了工作表保护，需要输入密码。而msoffcrypto-crack.py只能暴力破解加密文件，无法取得工作表保护密码。
最后在同一作者的blog找到。通过更改密码保护的flag值取消密码保护。具体操作如下：
py -3 .\oledump.py -p plugin_biff --pluginoptions "-o protect -a" D:\malware\ecaaab9e2fc089eefb6accae9750ac60.bin
值为小端序（01 00）即为0x1,表示启用了保护，通过16进制编辑器将这些0x1的值修改为0x0。第四行为密码计算后的hash值。
py -3 .\oledump.py -p plugin_biff --pluginoptions "-o protect -R" D:\malware\ecaaab9e2fc089eefb6accae9750ac60.bin
搜索红框中的值，将flag的值置为0，保存文件，正常打开就可以取消保护工作表了。
后续分析详情看上方的报告即可，笔者就不再赘述了。
Reference
https://www.sneakymonkey.net/2020/06/22/excel-4-0-macros-so-hot-right-now/
https://github.com/nolze/msoffcrypto-tool
https://0xevilc0de.com/excel-4-macros-get-workspace-reference/
https://clickallthethings.wordpress.com/2020/04/06/covid-19-excel-4-0-macros-and-sandbox-detection/
https://securitynews.sonicwall.com/xmlpost/improvements-in-malicious-excel-files-distributing-zloader/


T-pot搭建
2021-01-06T16:00:00.000Z
起因
最近心血来潮,花了10美刀,vultr送30天的50美刀.
最开始想着弄一套HiFish集群,发现无法捕获恶意样本,遂放弃了. (使用iptables -L和iptbles -F 查看和清除规则,centos系统)
后面发现T-pot全能,就顺势学着搭建一波.
操作
安装Debain10,x64. T-bot基于Debain10打包的.选择内存8g的系统,4g内存会卡死.
ssh连接.
查看iptables,有规则则清除.
1
2
3
4
sudo apt-get install git
git clone https://github.com/telekom-security/tpotce
cd tpotce/iso/installer/
./install.sh --type=user
dps.sh,查看服务是否正常,不正常则去排除问题.
因为没有使用iso安装,则会没有tsec账号,手动添加.
1
2
3
4
adduser tsec
nano /etc/sudoers

"tsec    ALL=(ALL:ALL) ALL"
登入https://ip:64294/,打上勾.输入tsec和密码.登陆检查权限,查看是否可以访问dokcer服务.



某黑产攻击分析与简单关联
2020-03-22T16:00:00.000Z
0x01 样本信息
样本名称 MT CONVOY  T. KARUNIA 2  V.2006N & V.2006N1.docx
样本大小 11,760 字节
MD5 ca69a722a82dcd5bd57ffe805c502f82
SHA-1 4ba9d6060409b091e1b817f433cdc0097bb219f1
木马家族 Lokibot
VT上传时间 2020-03-23 05:48:06 UTC
样本地址: link
0x02 分析环境
win10 x64 pro
VMware Workstaion 15
0x03 分析
Word文件分析
使用模板注入下载文件,设置文件位于\word\_rels\webSetting.xml.rels
invoice_22115.doc
样本名称 invoice_22115.doc
MD5 61b211906dfd28d5bbe6724e50c3bb20
SHA-1 84354e4cbfc989c37c46f848622175e54f31eccf
利用漏洞 CVE-2017-11882
使用GlobalLock锁定全局内存.避免shellcode消失.
异或解密shellcode后,通过Ldr获取所需Dll.
使用URLDownloadToFileW从源地址进行文件并保存为%appdata%\\vbc.exe.
ShellExecuteA执行下载后的文件.
vbc.exe
MD5 834300d014ae6e65201ce04d091219fc
SHA-1 56af653938b12a12c4185ed71f221812c3fb4590
文件版本 1.7.9.1
原始文件名 Printstream Dropping.exe
家族 Lokibot
该文件行为与常见的Lokibot木马存在一致性.
在%Appdata%中创建随机字符文件夹名和文件名,并拷贝.在RSA文件中创建文件收集基本信息.移除自身文件.
注册表使用目的域名作为键,键值为目的文件地址.
在流量特征中也存在ckav.ru特征关键字.
此样本使用网上现有的基于aPACK算法的压缩器aPLib嵌入软件自身作为保护.
解压缩后,样本为常见的Lokibot木马.
0x04 IOC
SHA-1
84354e4cbfc989c37c46f848622175e54f31eccf
4ba9d6060409b091e1b817f433cdc0097bb219f1
56af653938b12a12c4185ed71f221812c3fb4590
ip:
103.99.2.42
23.95.132.48
url:
http[:]//tescohomegroseryandelectronicstday2store.duckdns.org/chnsfrnd2/regasm.exe
http[:]//23.95.132.48/~main/.isuoxiso/w.php/2sN0gEZTW0LpL
0x05 关联分析
漏洞样本从apprun中获取,且该样本来来自于黑产相关的钓鱼垃圾邮件中.
通过VT的关联存在相关链接地址.且invoice文件一直在实时更新名字,黑产活动频繁.
此ip也对应三个域名地址.
而访问此ip时,该文件夹下只具有一个doc文件,另一个文件夹也只存在一个Lokibot文件.时间都在最近.
第二个ip也被微步标记为垃圾邮件



Sodinokibi勒索病毒分析
2020-03-04T16:00:00.000Z
0x01 样本信息
样本名称: 2
样本大小:  280,579 字节
MD5:  7d88dfcfe457bdc715371dbeaa4a5ef7
SHA-1: f2f36ef9976259a55123250ecc78fda3487f8848
SHA-256:  8bf7a344480c29b572fcead838c863093a5c88ba21d51085b6fc6ec3d8e8fbac
家族: Sodinokibi
idb与样本地址:  github
0x02 分析环境
win10 x64 pro
VMware Workstaion 15
0x03 行为分析
行为一览:
进程树
从中可以看到启动vssadmin.exe删除卷影备份,bcedit.exe自动回复和开机启动禁用Windows开机启动错误恢复模式.
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
勒索信
通过上传勒索信到ID Randomware,识别出Sodinokibi勒索病毒.
每个文件夹下面都会释放一个readme文件.
注册表操作
在注册表键HKLM\\SOFTWARE\\WOWO6432Node\\recfg注册键值.0_key,pk_key,rnd_ext,sk_key,stat.
rnd_ext为加密文件后缀.
0x04 分析
2020-03-09 后期补充:
RC4解密
CVE-2018- 8453
加密函数
密钥创建函数
使用word图标进行迷惑受害者.诱导执行.win10与win7启动时需要过UAC认证,算是一定程度上的阻止执行,但会无限弹窗UAC认证.
无壳,VC程序.
时间戳为星期三, 24.10.2018 10:14:32 UTC
调试分析
壳
释放加密数据到堆上
XXTEA解密数据.
更改权限,跳转到新程序处.
二次外壳
通过动态加载获得VirtualAlloc函数地址,并在0x5430000处申请空间.
经过拷贝到目标地址后,dump下来单独分析.
后续执行情况为将此处程序拷贝修复后到0x40000,跳转执行.
本体加密程序
pe特征
时间戳 星期日, 19.05.2019 18:08:46 UTC
MD5 0c2f9a02415c38d1cb1d5c558af971b8
SHA-1 6b53b24a4dd24db73e6ccf46e58f6d61a482047a
SHA-256 103e3743db5511f5f4aef4aaf02cdaf732531c9e8b894caa97de348e852bfa14
存在资源表
据相关资料得知红框为密钥.
调试分析
加载函数
动态解密字符串,从dll输出表寻找对应函数,获取函数地址.
并获取CreateStreamOnHGlobal地址.
创建互斥量
通过字符串计算函数,得到互斥量名字,创建互斥量
释放资源表
对资源表进行CRC32资源表循环校验,后进行解密释放资源表到堆中
RC4解密
解密数据一览json格式,0x66cb大小.全部字符串放在资源表解密.txt中了.从中看出公钥,被加密和被排除文件,背景图片,readme文件等信息.
格式化后的样子:
公钥:”pk”: “pzprC6xbhNFhM/+qJI6gCrd2pnCgyRdai+B89OUhWAw=”
dbg 模式
白名单过滤,目录,文件,后缀:
1
2
3
4
"fld": ["tor browser", "msocache", "$windows.~ws", "application data", "windows", "mozilla", "program files", "windows.old", "$windows.~bt", "perflogs", "program files (x86)", "programdata", "system volume information", "google", "$recycle.bin", "intel", "boot", "appdata"],
"fls": ["ntuser.dat.log", "boot.ini", "thumbs.db", "autorun.inf", "bootsect.bak", "bootfont.bin", "desktop.ini", "iconcache.db", "ntldr", "ntuser.ini", "ntuser.dat"],
"ext": ["cmd", "hta", "sys", "cab", "exe", "diagcfg", "shs", "diagcab", "scr", "themepack", "ps1", "prf", "nomedia", "mpa", "ldf", "drv", "msc", "dll", "msi", "cur", "icns", "diagpkg", "nls", "theme", "msstyles", "lnk", "386", "deskthemepack", "ico", "cpl", "idx", "bat", "mod", "lock", "msp", "spl", "com", "rom", "msu", "bin", "key", "hlp", "icl", "rtp", "ocx", "wpx", "ani", "adv", "ics"]
"wfld": ["backup"],
结束进程: 
1
"prc": ["xfssvccon.exe", "msaccess.exe", "dbsnmp.exe", "sqbcoreservice.exe", "synctime.exe", "onenote.exe", "dbeng50.exe", "outlook.exe", "msftesql.exe", "excel.exe", "agntsvc.exe", "mysqld_opt.exe", "ocautoupds.exe", "thebat.exe", "sqlbrowser.exe", "wordpad.exe", "powerpnt.exe", "ocssd.exe", "sqlservr.exe", "winword.exe", "mysqld.exe", "thebat64.exe", "encsvc.exe", "steam.exe", "firefoxconfig.exe", "mydesktopqos.exe", "mspub.exe", "thunderbird.exe", "visio.exe", "oracle.exe", "mydesktopservice.exe", "mysqld_nt.exe", "infopath.exe", "isqlplussvc.exe", "sqlagent.exe", "ocomm.exe", "sqlwriter.exe", "tbirdconfig.exe"]
域名
网络状态
read-me文件内容编码
readme文件名”{EXT}-readme.txt”
exploit是否使用
图片编码:QQBsAGwAIABvAGYAIAB5AG8AdQByACAAZgBpAGwAZQBzACAAYQByAGUAIABlAG4AYwByAHkAcAB0AGUAZAAhAA0ACgANAAoARgBpAG4AZAAgAHsARQBYAFQAfQAtAHIAZQBhAGQAbQBlAC4AdAB4AHQAIABhAG4AZAAgAGYAbwBsAGwAbwB3ACAAaQBuAHMAdAB1AGMAdABpAG8AbgBzAAAA”
漏洞利用
如果exp为True,则执行shellcode
提升权限
通过PEB获取版本号,判断操作系统是否为Vista系统及以上.判断权限.
判断令牌类型,若不为管理员权限,则释放互斥体,使用ShellExcuteEx使用runas执行自身程序提升权限.因为是无限循环,所以导致拒绝后会一直弹窗申请权限.
高权限模拟登录
判断是否为最高权限,使用 ImpersonateLoggedOnUser()函数模拟当前登录用户。
获得所需信息
格式化字符串如勒索告知等
注册表密钥
注册表密钥放图注册表中
因为是32位程序,系统为64位,所以在HKLC\\SOFTWARE\\WOW6432Node\\refg中
rnd_ext和stat添加进注册表中
获得键盘布局,判断国家
add eax, 0FFFFFFE8h后,看是否包含下列国家
解密勒索信和背景文字
将与需要的信息格式化进解密后的勒索信.
勒索背景文字.
结束进程
删除卷影备份等
IOCP多线程函数执行
使用IOCP相关函数加速加密执行
磁盘遍历
文件创建函数
在每个文件夹下创建lock文件和勒索信文件
密钥创建函数
具体流程还是得看别人的分析报告,自己有点没弄清.
加密函数
使用GetQueueCompletionStatus函数获取消息,进行文件操作如加密移动写入等.
网络共享资源加密
用了模块“MPR.DLL”的典型 API 函数,枚举网络共享并调用加密函数.
背景设置
流程
文字参数
壁纸参数
壁纸文件
网络连接
使用For循环遍历json中dmn的值,
通过伪随机字符进行域名后缀和文件名的设定,包括以下字符
完整表示为https://broccolisoep.nl /static/image/jare.jpg
https:// 
broccolisoep.nl / wp-content / images / . jpg
boloria.de static pictures png
bajova.sk content image gif
…… include temp (a-z + a-z) 
uploads tmp 随机字符最多8组 
news graphic 16字节
data assets 
admin pics 
game 
会先判断是否能打开网址,再通过WinHttpSendRequest发送数据.
0x05 IOC
hash:
7d88dfcfe457bdc715371dbeaa4a5ef7
0c2f9a02415c38d1cb1d5c558af971b8
0x06总结
勒索病毒集成了勒索与xbxiuzji自己对算法相关识别还是不够敏感.无法看出salsa20的加密算法还需要多下功夫.
0x07 reference
XXTEA: https://www.shangmayuan.com/a/4c68db7440754c2c990d597d.html
CRC32: https://www.klavor.com/dev/20190618-552.html
CPUID: https://blog.cubieserver.de/2018/query-cpuid-with-inline-assembly/
网络注册表: https://www.guidetotcpip.com/wp-content/uploads/files/Appendices/tcpip5e_WindowsRegistrySettings.pdf
Keyboard identifiers: https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/windows-language-pack-default-values
IOCP: https://www.jianshu.com/p/838fbf0ce761
WNetOpenEnumW: https://www.chainnews.com/zh-hant/articles/127835063940.htm
analysis: https://www.secureworks.com/research/revil-sodinokibi-ransomware
https://www.antiy.com/response/20190628.html
http://www.jiangmin.com/download/Sodinokibi.pdf
https://www.tgsoft.it/immagini/news/20190705Sodinokibi/Sodinokibi_eng.pdf

Command/Example	Description
!wow64exts.sw	Switches between x86 and native mode.
.sympath+ c:\symbolpath	append a symbol search path to the default one during debugging
.reload	reload the symbols
x ! / x kernel32!virtual*	Checking Symbols
ld*	load symbols for all modules
.hh / .hh \	get Help Or press F1

Command	Description
lmf	list the loader module
lmf m ntdll	list a specifc module
!dh ntdll/!dh 0x400000	get the image header (PE Info)

Expressions	Description
bp 0x70000 / bp eip+1	breakpoint
u ntdll!NtCommitTransaction+0x41	use symbol to disassembly
dd esp+4	use registers to Specifies value


0x123	base 16 (hexadecimal)
0n123	base 10 (decimal)
0t123	base 8 (octal)
0y111	base 2 (binary)
.formats	display a value in mant formats
?eax+4 /?4+4	evaluate an expression

Command	Description
sxe / sex ld ,…, / sxe ld user32	break when a moudule is loaded
sx	list of exceptions type
sxi / sxi ld /sxi sse	ignore an exception \ ignore load module \ ignore single-chance single step exceptions

Command	Description
bp 4110a3	breakpoint at the address 0x4110a3
bp 4110a3 3	breakpoint ignored the first 2 times
g	resume the execution (go)
g \	run until a certain address ‘g’ puts a one-time software breakpoint.


ba \ \ \
\	‘e’for execute ‘r’for read/write memory access ‘w’ for write memory access
\	specifies the size of the location, in bytes, to monitor for access (it’s always 1 when \\ is ‘e‘).
\	the loction
\

Command	Description
bl	breakpoint list
bd	disable a breakpoint
bc	delete a breakpoint
bc *	delete all the breakpoints

Command	Description
t	step-in
p	step-over
gu	step-out
pa/ta \	step/trace to address
pc/tc	step/trace to next call/int instruction
pt/tt	step/trace to next ret (discussed above at point 3
pct/tct	step/trace to next call/int or ret
ph/th	step/trace to next branching instruction

Command \ d*	Description
db	display bytes
dw	display words (2 bytes)
dd	display dwords (4 bytes)
dq	display qwords (8 bytes)
dyb	display bits
da	display null-terminated ASCII strings
du	display null-terminated Unicode strings

[range]	Example
\ \	db 77cac000 77cac0ff
\ L\	dd 77cac000 L10
\	will display 128 bytes

Command	Description
r	display the register
u	unassemble
u EIP L3	print the first 3 instrutions
k	display the call stack

Command	Description
!teb	Displays the TEB (Thread Environment Block).
$teb	Address of the TEB.
!peb	Displays the PEB (Process Environment Block).
$peb	Address of the PEB.
!exchain	Displays the current exception handler chain.
!vadump	Displays the list of memory pages and info.
!lmi \	Displays information for the specified module.
!slist \
[ \ [\] ]	Displays a singly-linked list, where: is the address of the pointer to the first node of the list is the name of the structure of the nodes is the offset of the field “next” within the node
dt \	Displays the structure .
dt \ \	Displays the field of the structure \.
dt \ \	Displays the data at \ as a structure of type \ (you needsymbols for \).
dg \[\]	Displays the segment descriptor for the specified selectors.

ID	Tag
1 ProcessCreate	Process Create : A detailed information about the process created
2 FileCreateTime	File creation time Used to check integrity of file creationtime
3 NetworkConnect	Network connection detected : Event logs TCP/UDP connections on the machine
4 Sysmon service state changed	Sysmon service state change : The service state change event reports the state of the Sysmon service (started or stopped).
5 ProcessTerminate	Process terminated : A detailed information about the process termination
6 DriverLoad	Driver Loaded : A detailed information about the drive installed in addition with HASH value
7 ImageLoad	Image loaded : The image loaded event logs when a module is loaded in a specific process
8 CreateRemoteThread	CreateRemoteThread detected : Event detects when a process creates a thread in another process. This technique is used by malware to inject code and hide in other processes
9 RawAccessRead	RawAccessRead detected : The RawAccessRead event detects when a process conducts reading operations from the drive using the \.\ denotation.
10 ProcessAccess	Process accessed : The event reports when a process opens another process
11 FileCreate	File created : File create operations are logged when a file is created or overwritte
12 RegistryEvent	Registry object added or deleted : Registry key and value create and delete operations map to this event type,
13 RegistryEvent	Registry value set : This Registry event type identifies Registry value modifications.
14 RegistryEvent	Registry object renamed : This Registry event type identifies Registry value renamed
15 FileCreateStreamHash	File stream created : This event logs when a named file stream is created, and it generates events that log the hash of the contents of the file to which the stream is assigned (the unnamed stream), as well as the contents of the named stream.
16 ServiceConfigurationChange	Sysmon configuration change : Event triggered when Sysmon configuration change
17 PipeEvent	Named pipe created : This event generates when a named pipe is created.
18 PipeEvent	Named pipe connected : This event logs when a named pipe connection is made between a client and a server.
19 WmiEvent	WMI filter : When a WMI event filter is registered
20 WmiEvent	WMI consumer : This event logs the registration of WMI consumers
21 WmiEvent	WMI consumer filter : When a consumer binds to a filter, this event logs the consumer name and filter path.
22 DNSQuery	DNS query : This event is generated when a process executes a DNS query
23 FileDelete	File Delete archived : A file was deleted. Additionally to logging the event, the deleted file is also saved in the ArchiveDirectory
24 ClipboardChange	New content in the clipboard : This event is generated when the system clipboard contents change.
25 ProcessTampering	Process image change : This event is generated when process hiding techniques such as “hollow” or “herpaderp” are being detected.
26 FileDeleteDetected	File Delete logged : A file was deleted.


-like, -ilike	验证字符串包含关系，允许模式匹配，大小写不敏感	“PsTips.Net” -like “p*”
-clike	验证字符串包含关系，允许模式匹配，大小写敏感	“PsTips.Net” – clike “P*”
-notlike,-inotlike	验证字符串不包含关系，允许模式匹配，大小写不敏感	“PowerShell” -notlike “PS*”
-cnotlike	验证字符串不包含关系，允许模式匹配，大小写敏感	“PowerShell” -cnotlike “PO*
-eq, -ieq	验证是否相等，大小写不敏感	“Power” -eq “power”
-ceq	验证是否相等，大小写敏感	“Power” -eq “Power”

Bit(s)	Label	Description
0	SCE	System Call Extensions
1-7	0	Reserved
8	LME	Long Mode Enable //IA32e mode
10	LMA	Long Mode Active
11	NXE	No-Execute Enable
12	SVME	Secure Virtual Machine Enable
13	LMSLE	Long Mode Segment Limit Enable
14	FFXSR	Fast FXSAVE/FXRSTOR
15	TCE	Translation Cache Extension
16-63	0	Reserved

MSR	INDEX	Description
IA32_FS_BASE	0xC0000100H
IA32_GS_BASE	0xC0000101
IA32_KERNEL_GS_BASE	0xC0000102
IA32_STAR	0xC0000081	Ring 0 and Ring 3 Segments + SYSCALL EIP: 00-31 = SYSCALL EIP 32-47 = kernel segment base 48-63 = user segment base.
IA32_LSTAR	0xC0000082	64位系统调用函数，KiSystemCall64，KiSystemCall64Shadow.
IA32_CSTAR	0xC0000083	The kernel’s RIP for SYSCALL in compatibility mode.32bit兼容模式的系统调用函数。
IA32_FMASK	0xC0000084	The low 32 bits are the SYSCALL flag mask. If a bit in this is set, the corresponding bit in EFLAGS is cleared.

cs	0x33 已经切换到64位
ss	0x2b
rsp	0x000000000335eb18
rcx	0x0000000000000006
r11	0x000000000345fb90
rflags
IA32_FMASK	00000000`00004700
IA32_LSTAR	fffff800`25d4f140
IA32_STAR	00230010`00000000

cs	0x0010 0环code段
ss	0x18 0环data段
rsp	0xffffad8d3d1eac90
rcx	0x0000000077a01cbc
r11	0x0000000000000246
rflags
IA32_FMASK	00000000`00004700
IA32_LSTAR	fffff800`25d4f140

样本名称	MT CONVOY T. KARUNIA 2 V.2006N & V.2006N1.docx
样本大小	11,760 字节
MD5	ca69a722a82dcd5bd57ffe805c502f82
SHA-1	4ba9d6060409b091e1b817f433cdc0097bb219f1
木马家族	Lokibot
VT上传时间	2020-03-23 05:48:06 UTC

样本名称	invoice_22115.doc
MD5	61b211906dfd28d5bbe6724e50c3bb20
SHA-1	84354e4cbfc989c37c46f848622175e54f31eccf
利用漏洞	CVE-2017-11882

MD5	834300d014ae6e65201ce04d091219fc
SHA-1	56af653938b12a12c4185ed71f221812c3fb4590
文件版本	1.7.9.1
原始文件名	Printstream Dropping.exe
家族	Lokibot

时间戳	星期日, 19.05.2019 18:08:46 UTC
MD5	0c2f9a02415c38d1cb1d5c558af971b8
SHA-1	6b53b24a4dd24db73e6ccf46e58f6d61a482047a
SHA-256	103e3743db5511f5f4aef4aaf02cdaf732531c9e8b894caa97de348e852bfa14

https://
broccolisoep.nl	/	wp-content	/	images	/		.	jpg
boloria.de		static		pictures				png
bajova.sk		content		image				gif
……		include		temp		(a-z + a-z)
		uploads		tmp		随机字符最多8组
		news		graphic				16字节
		data		assets
		admin		pics
				game