windbg查看死锁

!locks

Resource @ nt!IopDriverLoadResource (0x83db3820)    Exclusively owned
     Threads: 855a6020-01<*>
KD: Scanning for held locks..

Resource @ klbg (0x87e18180)    Shared 1 owning threads
    Contention Count = 399
    NumberOfExclusiveWaiters = 1
     Threads: 862fcd48-01<*>
     Threads Waiting On Exclusive Access:
              855a6020      

KD: Scanning for held locks.....

Resource @ 0x863b1800    Exclusively owned
    Contention Count = 2
    NumberOfExclusiveWaiters = 2
     Threads: 855a6020-01<*>
     Threads Waiting On Exclusive Access:
              862fcd48       863b6268  
-------------------------------------------------------------------------------------------------------------------

查看具体信息，堆栈信息是拥有这个锁的堆栈信息。

1: kd> !locks -v 0x87e18180

Resource @ klbg (0x87e18180)    Shared 1 owning threads
    Contention Count = 399
    NumberOfExclusiveWaiters = 1
     Threads: 862fcd48-01<*>

     THREAD 862fcd48 Cid 0004.00bc Teb: 00000000 Win32Thread: 00000000 WAIT: (WrResource) KernelMode Non-Alertable
         8637f580 SynchronizationEvent
     IRP List:
         864545f8: (0006,01fc) Flags: 00000884 Mdl: 00000000
         86306258: (0006,01fc) Flags: 00000884 Mdl: 00000000
     Not impersonating
     DeviceMap                 88e08b98
     Owning Process            85523170       Image:         System
     Wait Start TickCount      2324           Ticks: 238 (0:00:00:03.712)
     Context Switch Count      1424            
     UserTime                  00:00:00.0000
     KernelTime                00:00:00.0624
     Win32 Start Address Ntfs!EfspCheckVolumeForRecoveryLog (0x880946dd)
     Stack Init 8d368fd0 Current 8d3682b0 Base 8d369000 Limit 8d366000 Call 0
     Priority 14 BasePriority 8 PriorityDecrement 96
     ChildEBP RetAddr
     8d3682c8 83cbbb15 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4])
     8d368300 83cba403 nt!KiSwapThread+0x266
     8d368328 83cb42cf nt!KiCommitThreadWait+0x1df
     8d3683a4 83cec193 nt!KeWaitForSingleObject+0x393
     8d3683fc 83cb76ae nt!ExpWaitForResource+0x16f
     8d368448 843bec3b nt!ExAcquireResourceExclusiveLite+0x1cf //ExAcquireResourceExclusiveLite等待863b1800
     8d368494 843b37f4 fltmgr!FltpDoFilterNotificationForNewVolume+0x3d (FPO: [Non-Fpo])
     8d3684d8 83c894bc fltmgr!FltpCreate+0x206 (FPO: [Non-Fpo])
     8d3684f0 83e8d62d nt!IofCallDriver+0x63
     8d3685c8 83e6e1d7 nt!IopParseDevice+0xed7
     8d368644 83e9424d nt!ObpLookupObjectName+0x4fa
     8d3686a4 83e8c5ab nt!ObOpenObjectByName+0x159
     8d368720 83e97eb6 nt!IopCreateFile+0x673
     8d36876c 83c9042a nt!NtCreateFile+0x34
     8d36876c 83c8decd nt!KiFastCallEntry+0x12a (FPO: [0,3] TrapFrame @ 8d3687a0)
     8d368810 87e14846 nt!ZwCreateFile+0x11 (FPO: [11,0,0])
WARNING: Stack unwind information not available. Following frames may be wrong.
     00000000 00000000 klbg+0x3846 //ZwCreateFile ： 从kis某函数1调用过来。
   callstack错误，查看堆栈补齐后续的callstack
   8d368888 87e16361 klbg+0x5361
   8d3688e4 87e14cb5 klbg+0x3cb5
   8d3688f8 8439caeb fltmgr!FltpPerformPreCallbacks+0x34d
  
     Threads Waiting On Exclusive Access:
              855a6020      

1 total locks, 1 locks currently held

1: kd> !locks -v 0x863b1800   

Resource @ 0x863b1800    Exclusively owned
    Contention Count = 2
    NumberOfExclusiveWaiters = 2
     Threads: 855a6020-01<*>

     THREAD 855a6020 Cid 0004.0008 Teb: 00000000 Win32Thread: 00000000 WAIT: (WrResource) KernelMode Non-Alertable
         863822d0 SynchronizationEvent
     IRP List:
         863bc6b8: (0006,01fc) Flags: 00000884 Mdl: 00000000
         863b57d0: (0006,01fc) Flags: 00000884 Mdl: 00000000
     Not impersonating
     DeviceMap                 88e08b98
     Owning Process            85523170       Image:         System
     Wait Start TickCount      2324           Ticks: 238 (0:00:00:03.712)
     Context Switch Count      3578            
     UserTime                  00:00:00.0000
     KernelTime                00:00:02.0714
     Win32 Start Address nt!Phase1Initialization (0x83dd846f)
     Stack Init 80786fd0 Current 80785c50 Base 80787000 Limit 80784000 Call 0
     Priority 31 BasePriority 8 PriorityDecrement 0
     ChildEBP RetAddr
     80785c68 83cbbb15 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4])
     80785ca0 83cba403 nt!KiSwapThread+0x266
     80785cc8 83cb42cf nt!KiCommitThreadWait+0x1df
     80785d44 83cec193 nt!KeWaitForSingleObject+0x393
     80785d9c 83cb76ae nt!ExpWaitForResource+0x16f
     80785de8 87e163f9 nt!ExAcquireResourceExclusiveLite+0x1cf // ExAcquireResourceExclusiveLite等待0x87e18180
WARNING: Stack unwind information not available. Following frames may be wrong.
     80785e4c 87e14cb5 klbg+0x3cb5
     83c19700 c6640000 fltmgr!FltpPerformPreCallbacks+0x34d (FPO: [Non-Fpo])

     Threads Waiting On Exclusive Access:
              862fcd48       863b6268      

1 total locks, 1 locks currently held

87e163ec 6a01            push    1
87e163ee 688081e187      push    offset klbg+0x7180 (87e18180)
87e163f3 ff15cc70e187    call    dword ptr [klbg+0x60cc (87e170cc)] //ExAcquireResourceExclusiveLite

//搜索87e163ee 688081e187      push    offset klbg+0x7180 (87e18180) opcode， 主要是看另一个线程那个地方调用了ExAcquireResourceExclusiveLite，后来发现是同一个函数里面出问题，这个结果也没有什么意义了。
87e148fe 68 80 81 e1 87 ff 15 b0-70 e1 87 8b 35 1c 81 e1 h.......p...5...
87e15eb2 68 80 81 e1 87 ff 15 cc-70 e1 87 a1 6c 81 e1 87 h.......p...l...
87e15ff5 68 80 81 e1 87 a3 6c 81-e1 87 a3 68 81 e1 87 ff h.....l....h....
87e16037 68 80 81 e1 87 c7 05 6c-81 e1 87 68 81 e1 87 c7 h......l...h....
87e162d5 68 80 81 e1 87 ff 15 b0-70 e1 87 8b 35 68 81 e1 h.......p...5h..
87e163ee 68 80 81 e1 87 ff 15 cc-70 e1 87 8b 54 24 28 8b h.......p...T$(.
87e16412 68 80 81 e1 87 89 56 1d-c6 46 10 01 ff 15 f0 70 h.....V..F.....p

---------------------------------------------------------------------------------------------------------------------------

调用堆栈中都有87e14cb5 klbg+0x3cb5
87e14ca4 ff15ac70e187    call    dword ptr [klbg+0x60ac (87e170ac)]
87e14caa ff15a870e187    call    dword ptr [klbg+0x60a8 (87e170a8)]
87e14cb0 e80b160000      call    klbg+0x52c0 (87e162c0)
87e14cb5 eb02            jmp     klbg+0x3cb9 (87e14cb9)

---------------------------------------------------------------------------------------------------------------------------
klbg+0x52c0:
87e162c0 55              push    ebp
87e162c1 8bec            mov     ebp,esp
87e162c3 83e4f8          and     esp,0FFFFFFF8h
87e162c6 83ec40          sub     esp,40h
87e162c9 53              push    ebx
87e162ca 55              push    ebp
87e162cb 56              push    esi
87e162cc 57              push    edi
87e162cd ff15b470e187    call    dword ptr [klbg+0x60b4 (87e170b4)] //KeEnterCriticalRegion
87e162d3 6a01            push    1
87e162d5 688081e187      push    offset klbg+0x7180 (87e18180)  
87e162da ff15b070e187    call    dword ptr [klbg+0x60b0 (87e170b0)] // ExAcquireResourceSharedLite(87e18180, 1)
87e162e0 8b356881e187    mov     esi,dword ptr [klbg+0x7168 (87e18168)]
87e162e6 81fe6881e187    cmp     esi,offset klbg+0x7168 (87e18168)
87e162ec 0f8458010000    je      klbg+0x544a (87e1644a)

klbg+0x52f2:
87e162f2 33db            xor     ebx,ebx

klbg+0x52f4:
87e162f4 385e10          cmp     byte ptr [esi+10h],bl
87e162f7 8b4625          mov     eax,dword ptr [esi+25h]
87e162fa 8d7c3029        lea     edi,[eax+esi+29h]
87e162fe 0f8538010000    jne     klbg+0x543c (87e1643c)

klbg+0x5304:
87e16304 66391f          cmp     word ptr [edi],bx
87e16307 0f842f010000    je      klbg+0x543c (87e1643c)

klbg+0x530d:
87e1630d 837e08ff        cmp     dword ptr [esi+8],0FFFFFFFFh
87e16311 0f8425010000    je      klbg+0x543c (87e1643c)

klbg+0x5317:
87e16317 6867725442      push    42547267h
87e1631c 6800030000      push    300h
87e16321 6a01            push    1
87e16323 ff157470e187    call    dword ptr [klbg+0x6074 (87e17074)]
87e16329 8be8            mov     ebp,eax
87e1632b 3beb            cmp     ebp,ebx
87e1632d 0f8409010000    je      klbg+0x543c (87e1643c)

klbg+0x5333:
87e16333 8b4e08          mov     ecx,dword ptr [esi+8]
87e16336 6880010000      push    180h
87e1633b 55              push    ebp
87e1633c 57              push    edi
87e1633d 51              push    ecx
87e1633e e80dffffff      call    klbg+0x5250 (87e16250)
87e16343 84c0            test    al,al
87e16345 0f84e9000000    je      klbg+0x5434 (87e16434)

klbg+0x534b:
87e1634b 55              push    ebp
87e1634c 8d54241c        lea     edx,[esp+1Ch]
87e16350 52              push    edx
87e16351 ff151471e187    call    dword ptr [klbg+0x6114 (87e17114)]
87e16357 8d442418        lea     eax,[esp+18h]
87e1635b 50              push    eax
87e1635c e82fe4ffff      call    klbg+0x3790 (87e14790) //会调用ZwCreateFile（导致THREAD 862fcd48 死锁）
87e16361 8bf8            mov     edi,eax
87e16363 3bfb            cmp     edi,ebx
87e16365 0f84c9000000    je      klbg+0x5434 (87e16434)

klbg+0x536b:
87e1636b 53              push    ebx
87e1636c 53              push    ebx
87e1636d 53              push    ebx
87e1636e 6a20            push    20h
87e16370 6a01            push    1
87e16372 6a07            push    7
87e16374 6880000000      push    80h
87e16379 53              push    ebx
87e1637a 8d542440        lea     edx,[esp+40h]
87e1637e 52              push    edx
87e1637f 8b152081e187    mov     edx,dword ptr [klbg+0x7120 (87e18120)]
87e16385 8d44245c        lea     eax,[esp+5Ch]
87e16389 50              push    eax
87e1638a 8d4c2440        lea     ecx,[esp+40h]
87e1638e 6801001000      push    100001h
87e16393 894c246c        mov     dword ptr [esp+6Ch],ecx
87e16397 8d4c2440        lea     ecx,[esp+40h]
87e1639b 51              push    ecx
87e1639c 57              push    edi
87e1639d 52              push    edx
87e1639e 895c244c        mov     dword ptr [esp+4Ch],ebx
87e163a2 c744247018000000 mov     dword ptr [esp+70h],18h
87e163aa 895c2474        mov     dword ptr [esp+74h],ebx
87e163ae c744247c40020000 mov     dword ptr [esp+7Ch],240h
87e163b6 899c2480000000 mov     dword ptr [esp+80h],ebx
87e163bd 899c2484000000 mov     dword ptr [esp+84h],ebx
87e163c4 e8c5000000      call    klbg+0x548e (87e1648e)
87e163c9 85c0            test    eax,eax
87e163cb 7c61            jl      klbg+0x542e (87e1642e)

klbg+0x53cd:
87e163cd 8b4c2414        mov     ecx,dword ptr [esp+14h]
87e163d1 8d442428        lea     eax,[esp+28h]
87e163d5 50              push    eax
87e163d6 57              push    edi
87e163d7 51              push    ecx
87e163d8 e883fcffff      call    klbg+0x5060 (87e16060)
87e163dd 84c0            test    al,al
87e163df 7443            je      klbg+0x5424 (87e16424)

klbg+0x53e1:
87e163e1 b98081e187      mov     ecx,offset klbg+0x7180 (87e18180)
87e163e6 ff15ac70e187    call    dword ptr [klbg+0x60ac (87e170ac)] // ExReleaseResourceLite(87e18180)
87e163ec 6a01            push    1
87e163ee 688081e187      push    offset klbg+0x7180 (87e18180)
87e163f3 ff15cc70e187    call    dword ptr [klbg+0x60cc (87e170cc)] //ExAcquireResourceExclusiveLite (导致THREAD 855a6020 死锁)
87e163f9 8b542428        mov     edx,dword ptr [esp+28h]
87e163fd 8b44242c        mov     eax,dword ptr [esp+2Ch]
87e16401 8b4c2430        mov     ecx,dword ptr [esp+30h]
87e16405 895611          mov     dword ptr [esi+11h],edx
87e16408 8b542434        mov     edx,dword ptr [esp+34h]
87e1640c 894615          mov     dword ptr [esi+15h],eax
87e1640f 894e19          mov     dword ptr [esi+19h],ecx
87e16412 688081e187      push    offset klbg+0x7180 (87e18180)
87e16417 89561d          mov     dword ptr [esi+1Dh],edx
87e1641a c6461001        mov     byte ptr [esi+10h],1
87e1641e ff15f070e187    call    dword ptr [klbg+0x60f0 (87e170f0)] //ExConvertExclusiveToSharedLite

klbg+0x5424:
87e16424 8b442414        mov     eax,dword ptr [esp+14h]
87e16428 50              push    eax
87e16429 e854000000      call    klbg+0x5482 (87e16482)

klbg+0x542e:
87e1642e 57              push    edi
87e1642f e854000000      call    klbg+0x5488 (87e16488)

klbg+0x5434:
87e16434 53              push    ebx
87e16435 55              push    ebp
87e16436 ff15fc70e187    call    dword ptr [klbg+0x60fc (87e170fc)]

klbg+0x543c:
87e1643c 8b36            mov     esi,dword ptr [esi]
87e1643e 81fe6881e187    cmp     esi,offset klbg+0x7168 (87e18168)
87e16444 0f85aafeffff    jne     klbg+0x52f4 (87e162f4)

klbg+0x544a:
87e1644a b98081e187      mov     ecx,offset klbg+0x7180 (87e18180)
87e1644f ff15ac70e187    call    dword ptr [klbg+0x60ac (87e170ac)] // ExReleaseResourceLite(87e18180)
87e16455 ff15a870e187    call    dword ptr [klbg+0x60a8 (87e170a8)] //KeLeaveCriticalRegion
87e1645b 5f              pop     edi
87e1645c 5e              pop     esi
87e1645d 5d              pop     ebp
87e1645e 5b              pop     ebx
87e1645f 8be5            mov     esp,ebp
87e16461 5d              pop     ebp
87e16462 c3              ret

解决方法（未验证）：
修改下面的指令
87e162da ff15b070e187    call    dword ptr [klbg+0x60b0 (87e170b0)] // ExAcquireResourceSharedLite
改为：
87e162da ff15cc70e187    call    dword ptr [klbg+0x60cc (87e170cc)] //ExAcquireResourceExclusiveLite

这样这个函数就不会出现重入问题，不过带来的就是效率问题。

我觉得并不是很好，为什么？

假设有这么一种情况：

用户在一个button中点击一个停止线程操作（OnThreadStop），正确的做法我们必须要在OnThreadStop中等待线程退出才可以返回。

假设这个线程在退出的时候需要通过某种回调机制，通知用户界面更新某些界面的东西，这个时候我们用户的GUI的线程却阻塞在OnThreadStop消息处理中，从而造成了死锁。

所以我觉得还是用一个事件来接受结束的通知，这样OnThreadStop在接受到事件后就退出了。不会造成死锁的情况。

x86系统的内核栈大小是12k大小，由于每个线程都会分配一个内核栈，所以这个大小变大一点，系统的内存开销就会大大增加，所以一个系统的内核栈大小是固定。

如果栈空间被占完，有可能返回下面几个错误

0x7F: UNEXPECTED_KERNEL_MODE_TRAP with Parm1 set to EXCEPTION_DOUBLE_FAULT, which is caused by running off the end of a kernel stack.

0x1E: KMODE_EXCEPTION_NOT_HANDLED, 0x7E: SYSTEM_THREAD_EXCEPTION_NOT_HANDLED, or 0x8E: KERNEL_MODE_EXCEPTION_NOT_HANDLED, with an exception code of STATUS_ACCESS_VIOLATION, which indicates a memory access violation.

0x2B: PANIC_STACK_SWITCH, which usually occurs when a kernel-mode driver uses too much stack space.

首先先谈谈一些基本知识点：

IA64具有128个通用寄存器，这样大大提高了函数的执行速度，因为一些局部变量不再需要保存在栈上，可以直接使用寄存器来操作。128个寄存器分别是R0-R127，其中R1就是GP register（GLOBAL POINTER）。在说明这个寄存器作用前，我们先比较下x86和IA64 opcode的在访问全局地址时的差别。

X86指令：MOV ECX, [78001234h] ，由于X86是32位，所以在一条指令中，可以直接包含一个32位地址（78001234h）。

而IA64中是64位，而每个IA64指令只有41位长，所以在一条指令中不可能包含一个64位地址。所以这里GP register就起作用了。我们看看一个典型的IA64指令：add r29 = 0x123456, gp 这个指令将0x123456加上gp寄存器的值保存到R29中，这样R29就包含了一个完整的64位地址。

那GP寄存器的值是怎么来的呢？

GP的值是同模块相关的，这个值得对于上层程序员是透明的，在模块间的调用时调用函数会设置GP为被调用函数模块的GP值，这样在被调用函数中访问数据时就是相对于被调用模块的GP值。

那在HOOK时为什么要注意GP呢？

上面提到了，在模块间调用时，GP的值是由调用者设置的。如果我们HOOK一个函数后，进入到我们HOOK函数时，GP的值就是被HOOK函数模块的GP值，我们在访问数据时就会出错了，所以在我们HOOK函数内，我们第一步就要手动设置GP的值，从而保证我们后续程序的正确性。

这些只是本人的一些粗浅的理解，由于还没有在IA64下开发过，所以也不知道是否正确。等以后有机会从事相关开发时在仔细研究。这里先记录下，方便以后好找资料。呵呵。

参考资料：http://msdn2.microsoft.com/zh-cn/magazine/bb985017(en-us).aspx

                  http://msdn2.microsoft.com/zh-cn/magazine/cc301708(en-us).aspx

KeUserModeCallback (
    IN ULONG ApiNumber,
    IN PVOID InputBuffer,
    IN ULONG InputLength,
    OUT PVOID *OutputBuffer,
    IN PULONG OutputLength
    )

/*++

Routine Description:

    This function call out from kernel mode to a user mode function.

Arguments:

    ApiNumber - Supplies the API number.

    InputBuffer - Supplies a pointer to a structure that is copied
        to the user stack.

    InputLength - Supplies the length of the input structure.

    Outputbuffer - Supplies a pointer to a variable that receives
        the address of the output buffer.

    Outputlength - Supplies a pointer to a variable that receives
        the length of the output buffer.

Return Value:

    If the callout cannot be executed, then an error status is
    returned. Otherwise, the status returned by the callback function
    is returned.

--*/

{

    ULONG Length;
    ULONG NewStack;
    ULONG OldStack;
    NTSTATUS Status;
    PULONG UserStack;
    PVOID ValueBuffer;
    ULONG ValueLength;
    PEXCEPTION_REGISTRATION_RECORD ExceptionList;
    PTEB Teb;

    ASSERT(KeGetPreviousMode() == UserMode);

    //
    // Get the user mode stack pointer and attempt to copy input buffer
    // to the user stack.
    //

    UserStack = KiGetUserModeStackAddress(); //获得用户堆栈地址
    OldStack = *UserStack;
    try {

        //
        // Compute new user mode stack address, probe for writability,
        // and copy the input buffer to the user stack.
        //
        //将inputBuffer里面的值拷贝到用户堆栈
        Length = (InputLength + sizeof(CHAR) - 1) & ~(sizeof(CHAR) - 1);
        NewStack = OldStack - Length;
        ProbeForWrite((PCHAR)(NewStack - 16), Length + 16, sizeof(CHAR));
        RtlCopyMemory((PVOID)NewStack, InputBuffer, Length);

        //
        // Push arguments onto user stack.
        //
        //设置用户堆栈
        *(PULONG)(NewStack - 4) = (ULONG)InputLength;
        *(PULONG)(NewStack - 8) = (ULONG)NewStack;
        *(PULONG)(NewStack - 12) = ApiNumber;
        *(PULONG)(NewStack - 16) = 0;
        NewStack -= 16;

        //
        // Save the exception list in case another handler is defined during
        // the callout.
        //

        Teb = (PTEB)KeGetCurrentThread()->Teb;
        ExceptionList = Teb->NtTib.ExceptionList;

        //
        // Call user mode.
        //

        *UserStack = NewStack;
        Status = KiCallUserMode(OutputBuffer, OutputLength);

        //
        // Restore exception list.
        //

        Teb->NtTib.ExceptionList = ExceptionList;

    //
    // If an exception occurs during the probe of the user stack, then
    // always handle the exception and return the exception code as the
    // status value.
    //

    } except (EXCEPTION_EXECUTE_HANDLER) {
        return GetExceptionCode();
    }

    //
    // When returning from user mode, any drawing done to the GDI TEB
    // batch must be flushed.
    //

    if (Teb->GdiBatchCount > 0) {

        //
        // call GDI batch flush routine
        //

        *UserStack -= 256;
        KeGdiFlushUserBatch();
    }

    *UserStack = OldStack;
    return Status;
}

; NTSTATUS
; KiCallUserMode (
;    IN PVOID *Outputbuffer,
;    IN PULONG OutputLength
;    )
{
//关键代码
Kcb15: mov     eax,_KeUserCallbackDispatcher ; st address of callback dispatchr
        mov     [esp].TsEip,eax         ; //将KeUserCallbackDispatcher设置位Eip
        mov     eax,PCR[PcExceptionList] ; get current exception list
        mov     [esp].TsExceptionList,eax ; set previous exception list
        mov     eax,[edx].TsPreviousPreviousMode ; get previous mode
        mov     [esp].TsPreviousPreviousMode,eax ; set previous mode
        sti                             ; enable interrupts

        SET_DEBUG_DATA                  ; set system call debug data for exit

        jmp     _KiServiceExit          ; exit through service dispatch //跳到KiSystemService的退出历程，这样KeUserCallbackDispatcher将被调用。

}

;
; VOID
; KiUserCallbackDispatcher (
;    IN ULONG ApiNumber,
;    IN PVOID InputBuffer,
;    IN ULONG INputLength
;    )
{
        add     esp,4                   ; skip over return address
        pop     edx                     ; get address of callback function

                                        ; get peb pointer from teb
        mov     eax,fs:[PcTeb]
        mov     eax,[eax].TebPeb
        mov     eax,[eax].PebKernelCallbackTable    ; get address of callback table

        call    [eax+edx*4]             ; call specified function //调用实际的函数。APINumber是索引，inputbuffer是参数。
}

用windbg可以查看PebKernelCallbackTable的内容，xp sp2 的42h是user32!_ClientLoadLibrary函数地址，知道为什么密保呀，盒子呀要hook这个函数了吧。呵呵。

_ClientLoadLibrary 里面会调用LoadLibraryW

__ClientLoadLibrary的参数是个buffer指针，LoadLibraryW调用参数是buffer中的一段，调用前会调用下面这个函数来调整buffer中的地址，这里的pcb就是__ClientLoadLibrary的buffer， 相当与PE文件里面的Relocation的作用。

VOID FixupCallbackPointers(
    PCAPTUREBUF pcb)
{
    DWORD i;
    LPDWORD lpdwOffset;
    PVOID *ppFixup;

    lpdwOffset = (LPDWORD)((PBYTE)pcb + pcb->offPointers);
    for (i = 0; i < pcb->cCapturedPointers; ++i, ++lpdwOffset) {
        ppFixup = (PVOID *)((PBYTE)pcb + *lpdwOffset);
        *ppFixup = (PBYTE)pcb + (LONG_PTR)*ppFixup;
    }
}

在buffer的0xIC偏移保存的就是DLL的路径的地址。

1.找到clid对应的ocx（我这里分析的是个ocx控件）,使用pexplorer.exe查看ocx的接口函数。

2.编写测试程序，用vc创建一个MFC工程，然后选择project－》add project－》components and controls， 在Registered ActiveX Controls中查找控件，然后insert，如果这里面没有，就需要先用regsrv32注册。

3.导入后vc自动就会生成一个控件的包装类，这样我们就可以new一个包装类，然后调用create函数创建控件的实例，接下来就可以使用控件的函数了。

4.用od打开我们生成的测试程序，找到函数调用的地方，为了方便查找，可以在函数调用前printf一个字符串，在函数调用的地方下断，断下来后，我们在ocx的text段下内存访问断点，这样操作n次（n>1），当堆栈的参数是我们函数调用的参数时，这时就是我们要找的函数在ocx中的地址了，然后你就可以呵呵呵呵。。一起东西都在你面前啦。

.text:00011A10 ; int __stdcall DriverEntry(PDRIVER_OBJECT DriverObject,PIRP Irp)
.text:00011A10                     public DriverEntry
.text:00011A10 DriverEntry         proc near
.text:00011A10
.text:00011A10 SymbolicLinkName= UNICODE_STRING ptr -20h
.text:00011A10 bInitOk             = dword ptr -18h
.text:00011A10 var_14              = dword ptr -14h
.text:00011A10 var_10              = dword ptr -10h
.text:00011A10 DeviceName          = UNICODE_STRING ptr -0Ch
.text:00011A10 DeviceObject        = dword ptr -4
.text:00011A10 DriverObject        = dword ptr      8
.text:00011A10 Irp                 = dword ptr      0Ch
.text:00011A10
.text:00011A10                     push        ebp
.text:00011A11                     mov         ebp, esp
.text:00011A13                     sub         esp, 20h
.text:00011A16                     mov         [ebp+DeviceObject], 0
.text:00011A1D                     mov         [ebp+var_14], 0C0000001h
.text:00011A24                     mov         [ebp+bInitOk], 0
.text:00011A2B                     call        RegValueInit
.text:00011A2B
.text:00011A30                     test        eax, eax
.text:00011A32                     jnz         short loc_11A3E
.text:00011A32
.text:00011A34                     jmp         Exit0
.text:00011A34
.text:00011A39 ; ---------------------------------------------------------------------------
.text:00011A39                     jmp         Exit0
.text:00011A39
.text:00011A3E ; ---------------------------------------------------------------------------
.text:00011A3E
.text:00011A3E loc_11A3E:                                  ; CODE XREF: DriverEntry+22 j
.text:00011A3E                     mov         eax, [ebp+DriverObject]
.text:00011A41                     mov         g_pDriverObject, eax
.text:00011A46                     push        offset g_PsLoadedModuleResource
.text:00011A4B                     push        offset g_PsLoadedModuleList
.text:00011A50                     call        GetModuleListAndModuleResource
.text:00011A50
.text:00011A55                     mov         [ebp+bInitOk], eax
.text:00011A58                     cmp         [ebp+bInitOk], 0
.text:00011A5C                     jnz         short loc_11A68
.text:00011A5C
.text:00011A5E                     jmp         Exit0
.text:00011A5E
.text:00011A63 ; ---------------------------------------------------------------------------
.text:00011A63                     jmp         Exit0
.text:00011A63
.text:00011A68 ; ---------------------------------------------------------------------------
.text:00011A68
.text:00011A68 loc_11A68:                                  ; CODE XREF: DriverEntry+4C j
.text:00011A68                     push        0                   ; dwUnkown
.text:00011A6A                     mov         ecx, offset g_val
.text:00011A6F                     call        globalInit
.text:00011A6F
.text:00011A74                     mov         [ebp+bInitOk], eax
.text:00011A77                     cmp         [ebp+bInitOk], 0
.text:00011A7B                     jnz         short loc_11A87
.text:00011A7B
.text:00011A7D                     jmp         Exit0
.text:00011A7D
.text:00011A82 ; ---------------------------------------------------------------------------
.text:00011A82                     jmp         Exit0
.text:00011A82
.text:00011A87 ; ---------------------------------------------------------------------------
.text:00011A87
.text:00011A87 loc_11A87:                                  ; CODE XREF: DriverEntry+6B j
.text:00011A87                     push        0
.text:00011A89                     mov         ecx, offset g_ntkrnlInfo
.text:00011A8E                     call        GetNtosInfo
.text:00011A8E
.text:00011A93                     mov         [ebp+bInitOk], eax
.text:00011A96                     cmp         [ebp+bInitOk], 0
.text:00011A9A                     jnz         short loc_11AA6
.text:00011A9A
.text:00011A9C                     jmp         Exit0
.text:00011A9C
.text:00011AA1 ; ---------------------------------------------------------------------------
.text:00011AA1                     jmp         Exit0
.text:00011AA1
.text:00011AA6 ; ---------------------------------------------------------------------------
.text:00011AA6
.text:00011AA6 loc_11AA6:                                  ; CODE XREF: DriverEntry+8A j
.text:00011AA6                     push        0
.text:00011AA8                     mov         ecx, offset g_SystemParam
.text:00011AAD                     call        InitSystemRelativeParam
.text:00011AAD
.text:00011AB2                     mov         [ebp+bInitOk], eax
.text:00011AB5                     cmp         [ebp+bInitOk], 0
.text:00011AB9                     jnz         short loc_11AC5
.text:00011AB9
.text:00011ABB                     jmp         Exit0
.text:00011ABB
.text:00011AC0 ; ---------------------------------------------------------------------------
.text:00011AC0                     jmp         Exit0
.text:00011AC0
.text:00011AC5 ; ---------------------------------------------------------------------------
.text:00011AC5
.text:00011AC5 loc_11AC5:                                  ; CODE XREF: DriverEntry+A9 j
.text:00011AC5                     push        200h                ; size
.text:00011ACA                     push        offset g_szKavInstallPath ; pszValue
.text:00011ACF                     call        GetKAVInstallPath
.text:00011ACF
.text:00011AD4                     mov         g_dwKavInstallPathSize, eax
.text:00011AD9                     cmp         g_dwKavInstallPathSize, 2
.text:00011AE0                     ja          short loc_11AEC
.text:00011AE0
.text:00011AE2                     jmp         Exit0
.text:00011AE2
.text:00011AE7 ; ---------------------------------------------------------------------------
.text:00011AE7                     jmp         Exit0
.text:00011AE7
.text:00011AEC ; ---------------------------------------------------------------------------
.text:00011AEC
.text:00011AEC loc_11AEC:                                  ; CODE XREF: DriverEntry+D0 j
.text:00011AEC                     mov         ecx, g_dwKavInstallPathSize
.text:00011AF2                     sub         ecx, 2
.text:00011AF5                     mov         g_dwKavInstallPathSize, ecx
.text:00011AFB                     call        sub_14350
.text:00011AFB
.text:00011B00                     call        SSDTHook
.text:00011B00
.text:00011B05                     call        ServiceTableShadowHook
.text:00011B05
.text:00011B0A                     push        offset SourceString ; "\\Device\\KAVBase"
.text:00011B0F                     lea         edx, [ebp+DeviceName]
.text:00011B12                     push        edx                 ; DestinationString
.text:00011B13                     call        ds:RtlInitUnicodeString
.text:00011B19                     lea         eax, [ebp+DeviceObject]
.text:00011B1C                     push        eax                 ; DeviceObject
.text:00011B1D                     push        1                   ; Exclusive
.text:00011B1F                     push        0                   ; DeviceCharacteristics
.text:00011B21                     push        8300h               ; DeviceType
.text:00011B26                     lea         ecx, [ebp+DeviceName]
.text:00011B29                     push        ecx                 ; DeviceName
.text:00011B2A                     push        4                   ; DeviceExtensionSize
.text:00011B2C                     mov         edx, [ebp+DriverObject]
.text:00011B2F                     push        edx                 ; DriverObject
.text:00011B30                     call        ds:IoCreateDevice
.text:00011B36                     mov         [ebp+var_14], eax
.text:00011B39                     cmp         [ebp+var_14], 0
.text:00011B3D                     jl          short loc_11B9E
.text:00011B3D
.text:00011B3F                     mov         eax, [ebp+DeviceObject]
.text:00011B42                     mov         ecx, [eax+28h]
.text:00011B45                     mov         [ebp+var_10], ecx
.text:00011B48                     push        offset s_DosdevicesKav ; "\\DosDevices\\KAVBase"
.text:00011B4D                     lea         edx, [ebp+SymbolicLinkName]
.text:00011B50                     push        edx                 ; DestinationString
.text:00011B51                     call        ds:RtlInitUnicodeString
.text:00011B57                     lea         eax, [ebp+DeviceName]
.text:00011B5A                     push        eax                 ; DeviceName
.text:00011B5B                     lea         ecx, [ebp+SymbolicLinkName]
.text:00011B5E                     push        ecx                 ; SymbolicLinkName
.text:00011B5F                     call        ds:IoCreateSymbolicLink
.text:00011B65                     mov         [ebp+var_14], eax
.text:00011B68                     mov         edx, [ebp+DriverObject]
.text:00011B6B                     mov         dword ptr [edx+70h], offset DispatchCreateAndClose ; IRP_MJ_DEVICE_CONTROL
.text:00011B72                     mov         eax, [ebp+DriverObject]
.text:00011B75                     mov         ecx, [ebp+DriverObject]
.text:00011B78                     mov         edx, [ecx+70h]
.text:00011B7B                     mov         [eax+40h], edx      ; IRP_MJ_CLOSE
.text:00011B7E                     mov         eax, [ebp+DriverObject]
.text:00011B81                     mov         ecx, [ebp+DriverObject]
.text:00011B84                     mov         edx, [ecx+40h]
.text:00011B87                     mov         [eax+38h], edx      ; IRP_MJ_CREATE
.text:00011B8A                     mov         eax, [ebp+DriverObject]
.text:00011B8D                     mov         dword ptr [eax+78h], offset Dispatch ; IRP_MJ_SHUTDOWN
.text:00011B94                     mov         ecx, [ebp+DeviceObject]
.text:00011B97                     push        ecx                 ; DeviceObject
.text:00011B98                     call        ds:IoRegisterShutdownNotification
.text:00011B98
.text:00011B9E
.text:00011B9E loc_11B9E:                                  ; CODE XREF: DriverEntry+12D j
.text:00011B9E                     cmp         [ebp+var_14], 0
.text:00011BA2                     jge         short Exit0
.text:00011BA2
.text:00011BA4                     cmp         [ebp+DeviceObject], 0
.text:00011BA8                     jz          short Exit0
.text:00011BA8
.text:00011BAA                     mov         edx, [ebp+DeviceObject]
.text:00011BAD                     push        edx                 ; DeviceObject
.text:00011BAE                     call        ds:IoDeleteDevice
.text:00011BAE
.text:00011BB4
.text:00011BB4 Exit0:                                      ; CODE XREF: DriverEntry+24 j
.text:00011BB4                                             ; DriverEntry+29 j
.text:00011BB4                                             ; DriverEntry+4E j
.text:00011BB4                                             ; DriverEntry+53 j
.text:00011BB4                                             ; DriverEntry+6D j
.text:00011BB4                                             ; DriverEntry+72 j ...
.text:00011BB4                     mov         eax, [ebp+var_14]
.text:00011BB7                     mov         esp, ebp
.text:00011BB9                     pop         ebp
.text:00011BBA                     retn        8
.text:00011BBA
.text:00011BBA DriverEntry         endp

保护的代码都在SSDTHook 和ServiceTableShadowHook中

分别hook了servicetable中的ZwCreatekey，ZwOpenProcess，ZwSetValueKey和servicetableshadow中的NtUserFindWindowEx，NtUserQueryWindow。

保护规则如下：首先从注册表中读取kav的安装路径，如果是此路径下的程序调用上面的函数通通放行。如果注册表操作中有image file option，同时后面是kavmain.exe就返回失败。对于查找窗口，如果不是kav目录下的程序，findwindowex都返回null。

下面是重要的两个结构，中间有些没有分析出来，好像程序中没有操作这些变量，也可能是自己看漏了。

00000000 GlobalVal         struc ; (sizeof=0x1C)
00000000 dwVersion         dd ?
00000004 InitSafeBootMode dd ?
00000008 ActiveProcessListEntry dd ?
0000000C dwimageFileNameOffsetInEprocess dd ?
00000010 ActiveProcessLinksOffset dd ?
00000014 dwNtosKrnlbase    dd ?
00000018 dwNtosKrnlSize    dd ?
0000001C GlobalVal         ends
0000001C
00000000 ; ---------------------------------------------------------------------------
00000000
00000000 g_NTosInfo        struc ; (sizeof=0x8C)
00000000 dwNtosKrnlbase_0 dd ?
00000004 dwNtosKrnlSize_4 dd ?
00000008 dwNtosKrnlbase_8 dd ?
0000000C dwNtokrnlNtHeader_C dd ?
00000010 SectionHeader_10 dd ?
00000014 EntryExport_14    dd ?
00000018 EntryImport_18    dd ?
0000001C BaseReloc_1C      dd ?
00000020 field_20          dd ?
00000024 field_24          dd ?
00000028 field_28          dd ?
0000002C field_2C          dd ?
00000030 field_30          dd ?
00000034 dwNtosKrnlbase_34 dd ?
00000038 dwNtosKrnlSize_38 dd ?
0000003C ObQueryNameStringAddress_3C dd ?
00000040 KeUnstackDetachProcessAddress_40 dd ?
00000044 KeStackAttachProcessAddress_44 dd ?
00000048 ExEnumHandleTableAddress_48 dd ?
0000004C PsLookupProcessByProcessIdAddress_4C dd ?
00000050 field_50          dd ?
00000054 field_54          dd ?
00000058 field_58          dd ?
0000005C field_5C          dd ?
00000060 ObOpenObjectByPointerAddress_60 dd ?
00000064 KeAttachProcessAddress_64 dd ?
00000068 KeDetachProcessAddress_68 dd ?
0000006C NtQuerySystemInformationAddress_6C dd ?
00000070 IoDriverObjectTypeAddress_70 dd ?
00000074 PsThreadTypeAddress_74 dd ?
00000078 KeServiceDescriptorTableShadowAddress_78 dd ?
0000007C LockedServiceTableAddress_7C dd ?
00000080 field_80          dd ?
00000084 field_84          dd ?
00000088 field_88          dd ?
0000008C g_NTosInfo        ends

驱动中发现了同处理消息相关的冬冬，但是好像没有使用，是不是下次升级才放呢？

     偶下午把程序调整了下,现在不去脱壳啦.直接在一些关键API下断点,这样很多样本都可以扫出来了哦.呵呵.估计能到10%的量.

     现在都没有考虑加密壳,无所谓啦,反正不多,只要能处理普通的压缩壳就ok啦.

不过摩托一直担心会跑飞,这个可能性还是存在的.想想有什么解决方法.