Yas Kernel Debugger

��ֽٳ֣��IRP DISPATCH HOOK

Sysnap — 2012��02��11�� 22:37

��ѧд�Ĵ��룬��һ��XXX��룬��д��ƪ��¡�
��ͨ��һ��ȡ��Ӧ��ͨ��ǵ��ObReferenceObjectByName��ObReferenceObjectByName��

NTSTATUS

ObReferenceObjectByName (

__in PUNICODE_STRING ObjectName,

__in ULONG Attributes,

__in_opt PACCESS_STATE AccessState,

__in_opt ACCESS_MASK DesiredAccess,

__in POBJECT_TYPE ObjectType,

__in KPROCESSOR_MODE AccessMode,

__inout_opt PVOID ParseContext,

__out PVOID *Object

)

��ͻ��ObjectNameȥ��Ӧ��Ŀ¼�µ��ж��󣬿��Щ��ָ�ObjectNameƥ�䡣��Ǵ洢��أ��𰸾��

OBJECT_HEADER_NAME_INFO��档

typedef struct _OBJECT_HEADER_NAME_INFO {

POBJECT_DIRECTORY Directory; //��·��

UNICODE_STRING Name;//��

ULONG QueryReferences;

} OBJECT_HEADER_NAME_INFO, *POBJECT_HEADER_NAME_INFO;

��޸Ķ��ͨ��ObReferenceObjectByName��޷��ȡ��ȷ��ˡ��IRP DISPATCH HOOK��

1) ��ObReferenceObjectByName��ȡ\FileSystem\ntfs��Ӧ��ָ��pDrvObj

2��滻��Ҫ�滻��DISPACTHָ��

3��޸�\FileSystem\ntfs��

OBJECT_HEADER* lpObjectHeader = NULL;

POBJECT_HEADER_NAME_INFO lpObjectNameInfo = NULL;

UNICODE_STRING uniXX;

RtlInitUnicodeString (&uniXX, L"Hello 123");

RtlCopyUnicodeString(&pDrvObj->DriverName,&uniXX);

lpObjectHeader = OBJECT_TO_OBJECT_HEADER(pDrvObj);

lpObjectNameInfo = (POBJECT_HEADER_NAME_INFO)((DWORD)lpObjectHeader - (DWORD)lpObjectHeader->NameInfoOffset);

RtlCopyUnicodeString(&lpObjectNameInfo->Name,&uniXX);

4) ��ԭ��Ϣ

RtlCopyMemory(&pDrvObject,pDrvObj,sizeof(DRIVER_OBJECT));

5��IoCreateDriverc��һ��ͬ��󣬳�ʼ��DISPACTHָ��Ϊԭʼָ��

NTKERNELAPI

NTSTATUS

IoCreateDriver(

__in_opt PUNICODE_STRING DriverName,

__in PDRIVER_INITIALIZE DriverEntry

);

��ɡ�

�Ķ�ȫ��
��Ĭ�Ϸ�� 鿴��

WINDBG��չӦ�� - ͳ��Դ��

Sysnap — 2012��02��07�� ڶ� 14:43

��Ĵ��Ƚϼ򵥣��ʵ��

1��ͳ��,ֻ��ҪPDB�Ϳ��ԣ��ͳ�Ƴ��Ч��Щ��еĲ��ڡ�

2��ľֲ��ռ�ÿռ�ͳ�ƣ��ջ�Ǳ��Դ��

HRESULT
SymGetFunctionInfo(
    IN PCSTR FunctionName,
    OUT ULONG64 *Offset,
    OUT ULONG *Size,
    OUT ULONG *Locals, OPTIONAL
    OUT ULONG *Params, OPTIONAL
    OUT ULONG *cbFrame, OPTIONAL
    OUT BOOLEAN *fHasSEH OPTIONAL
    )
{

    HRESULT hr = S_FALSE;
    ULONG  Type = 0;
    ULONG64 tmpOffset = 0;
    FPO_DATA Fpo = { 0 };
    IMAGE_FUNCTION_ENTRY FucEntry = { 0 };

    if( FunctionName == NULL || Offset == NULL || Size == NULL )
        goto __EXIT0;

    hr = gDpVar.Control->GetActualProcessorType(&Type);
    if( FAILED( hr ) )
        goto __EXIT0;

    hr = SymGetOffset(FunctionName, &tmpOffset);
    if( FAILED( hr ) )
        goto __EXIT0;

    if( Type == IMAGE_FILE_MACHINE_I386 )
    {
        hr = gDpVar.Symbols3->GetFunctionEntryByOffset(tmpOffset,
            DEBUG_GETFNENT_DEFAULT,
            (PVOID)&Fpo,
            sizeof(Fpo),
            NULL
            );
        if( FAILED( hr ) )
            goto __EXIT0;

        *Offset = tmpOffset;
        *Size = Fpo.cbProcSize;

        if( Locals )
            *Locals = Fpo.cdwLocals;
        if( Params )
            *Params = Fpo.cdwParams;
        if( cbFrame )
            *cbFrame = Fpo.cbFrame;
        if( fHasSEH )
            *fHasSEH = Fpo.fHasSEH;

    }else
    {
        hr = gDpVar.Symbols3->GetFunctionEntryByOffset(tmpOffset,
            DEBUG_GETFNENT_DEFAULT,
            (PVOID)&FucEntry,
            sizeof(FucEntry),
            NULL
            );
        if( FAILED( hr ) )
            goto __EXIT0;
        *Offset = tmpOffset;
        *Size = (ULONG)(FucEntry.EndingAddress - FucEntry.StartingAddress);
    }

__EXIT0:
    return hr;

}

HRESULT
SymGetFunctionLineInfoByName(
    IN PCSTR FunctionName,
    OUT ULONG *StartLine,
    OUT ULONG *EndLine
    )
{
    HRESULT hr = S_FALSE;
    ULONG64 StartOffset = 0, EndOffset = 0;
    ULONG Size = 0;

    if( FunctionName == NULL || StartLine == NULL || EndLine == NULL )
        goto __EXIT0;

    hr = SymGetFunctionInfo(FunctionName, &StartOffset, &Size, NULL, NULL, NULL, NULL);
    if( FAILED( hr) )
        goto __EXIT0;

    EndOffset = (ULONG64)Size + StartOffset - 1; // make sure

    hr = gDpVar.Symbols->GetLineByOffset(StartOffset, StartLine, NULL, 0, NULL, NULL);
    if( FAILED( hr) )
        goto __EXIT0;

    hr = gDpVar.Symbols->GetLineByOffset(EndOffset, EndLine, NULL, 0, NULL, NULL);

__EXIT0:
    return hr;
}

ʹ��
    ULONG StartLine = 0, EndLine = 0;
    SymGetFunctionLineInfoByName("SysPrj!KernelTimeToSystemTime", &StartLine, &EndLine);

ö�ٳ��PDB��к��SymGetFunctionLineInfoByName��ԡ��Щȫ�ֱ��֮��ռ�õ��Ҳͳ�Ƴ��ǿ��
    //
    //��ȡ��ҳ��Ϣ
    //

    PDEBUG_SYMBOL_SOURCE_ENTRY  pEntries = NULL;
    hr = gDpVar.Symbols3->GetSourceEntriesByLine(1, FileBuffer, DEBUG_GSEL_ALLOW_HIGHER ,
        NULL,
        0,
        &EntriesAvail
        );
    if( FAILED( hr ) )
    {
        ;
    }

    pEntries = new DEBUG_SYMBOL_SOURCE_ENTRY[EntriesAvail];
    hr = gDpVar.Symbols3->GetSourceEntriesByLine(1, FileBuffer, DEBUG_GSEL_ALLOW_HIGHER ,
        pEntries,
        EntriesAvail,
        NULL
        );
    if( FAILED( hr ) )
    {
        ;
    }

    for( int j = 0; j < EntriesAvail; j++ )
    {
        printf("Lines = %d-%d    ModuleBase = 0x%I64x Offset = 0x%I64x Size = %d \n",
            pEntries[j].StartLine,
            pEntries[j].EndLine ,
            pEntries[j].ModuleBase & 0xffffffff,
            pEntries[j].Offset & 0xffffffff,
            pEntries[j].Size);
    }

�Ķ�ȫ��
��Ĭ�Ϸ�� 鿴��

NDIS��ʵ��PING

Sysnap — 2012��02��03�� 11:43

��ǰ��Ƶ�ʱ��Ҫ�õ�PING,��Ϊ��ȷ��ÿ��һ��TCP��ӵ�ʱ��ҪPINGһ�»�ȡ��ݰ��ķ��ʱ�䡣��Ҫ�˽��TCP/IPЭ�飩

#include "precomp.h"
#include "packet.h"
#pragma hdrstop

#pragma pack(1)//�ڴ��,ʹ�ڴ��

/* IPv4 header structure */
typedef struct _IPv4_HEADER
{
    unsigned char IHL:4;
    unsigned char Version:4;
    unsigned char TOS;
    unsigned short Length;
    unsigned short Id;
    unsigned short FragFlags;
    unsigned char TTL;
    unsigned char Protocol;
    unsigned short Checksum;
    unsigned int SrcAddress;
    unsigned int DstAddress;
} IPv4_HEADER, *PIPv4_HEADER;

/* ICMP echo request/reply header structure */
typedef struct _ICMP_HEADER
{
    unsigned char Type;
    unsigned char Code;
    unsigned short Checksum;
    unsigned short Id;
    unsigned short SeqNum;
} ICMP_HEADER, *PICMP_HEADER;

typedef struct _ICMP_ECHO_PACKET
{
    ICMP_HEADER Icmp;
    LARGE_INTEGER Timestamp; //��￪ʼ��
    PTCP_CONNECTIONINFO_IPV4 ConnectionInfo;
} ICMP_ECHO_PACKET, *PICMP_ECHO_PACKET;

typedef struct __ICMP_ECHOPACKET
{
    EtherHeader  EthernetHeader;
    IPV4HEADER IpHeader;
    ICMP_ECHO_PACKET IcmpEchoHeader;
}ICMPECHOPACKET, *PICMPECHOPACKET;

#pragma pack()

NTSTATUS
inNdisSendIcmpEchoRequestMsg(
    IN NDIS_HANDLE  AdapterContext,
    IN ULONG SrcIp, //��˳��
    IN ULONG DstIp,
    IN UCHAR EtherSrcMacAddress[], //6
    IN UCHAR EtherDstMacAddress[])
{
    PICMPECHOPACKET IcmpEchoPacket;


    if (((PADAPT)AdapterContext)->MPDeviceState > NdisDeviceStateD0)
    {
        return NDIS_STATUS_FAILURE;
    }
    IcmpEchoPacket = ExAllocatePoolWithTag(NonPagedPool, sizeof(ICMPECHOPACKET), 'ICMP');
    if(IcmpEchoPacket)
    {
        RtlZeroMemory(IcmpEchoPacket, sizeof(ICMPECHOPACKET));
        //
        //Fill ethernet header
        //
        RtlCopyMemory(&IcmpEchoPacket->EthernetHeader.ether_src, EtherSrcMacAddress, 6);
        RtlCopyMemory(&IcmpEchoPacket->EthernetHeader.ether_dst, EtherDstMacAddress, 6);
        IcmpEchoPacket->EthernetHeader.ether_type = htons(NDIS_ETH_TYPE_IPV4);
        //
        //Fill ip header
        //
        IcmpEchoPacket->IpHeader.ip_v = 4;
        IcmpEchoPacket->IpHeader.ip_hl = 5; // һ��5
        IcmpEchoPacket->IpHeader.ip_tos = 0; //һ��Ϊ0
        IcmpEchoPacket->IpHeader.ip_len = htons(sizeof(struct ip_hdr) + sizeof(ICMP_ECHO_PACKET)); //��û�д��ݵ�
        IcmpEchoPacket->IpHeader.ip_id = 0;            // XXX make it something meaningful
        IcmpEchoPacket->IpHeader.ip_off = 0;
        IcmpEchoPacket->IpHeader.ip_ttl = 64;        //��ע��ȡ�ø�ֵ��һ��64��128
        IcmpEchoPacket->IpHeader.ip_p = IPPROTO_ICMP;
        IcmpEchoPacket->IpHeader.ip_sum = 0;            // for checksum calculation
        IcmpEchoPacket->IpHeader.ip_src = SrcIp;
        IcmpEchoPacket->IpHeader.ip_dst = DstIp;
        IcmpEchoPacket->IpHeader.ip_sum = __Checksum((USHORT*)&IcmpEchoPacket->IpHeader, 20) ;
        //
        //Fill IcmpEchoHeader
        //
        #define ICMPMSG_ECHOREQUEST 8
        IcmpEchoPacket->IcmpEchoHeader.Icmp.Type     = ICMPMSG_ECHOREQUEST;
        IcmpEchoPacket->IcmpEchoHeader.Icmp.Code     = 0;
        IcmpEchoPacket->IcmpEchoHeader.Icmp.Id       = (USHORT)2;
        IcmpEchoPacket->IcmpEchoHeader.Icmp.SeqNum   = htons((USHORT)0xeedd);
        IcmpEchoPacket->IcmpEchoHeader.Icmp.Checksum = 0;
        KeQueryTickCount(&IcmpEchoPacket->IcmpEchoHeader.Timestamp);
        IcmpEchoPacket->IcmpEchoHeader.Icmp.Checksum = __Checksum((PUSHORT)&IcmpEchoPacket->IcmpEchoHeader.Icmp,
            sizeof(ICMP_ECHO_PACKET));

        DbgPrint("Send Ping TimeStamp = 0x%I64d\n", IcmpEchoPacket->IcmpEchoHeader.Timestamp.QuadPart);
        return SendPacket2(AdapterContext, (PUCHAR)IcmpEchoPacket, sizeof(ICMPECHOPACKET));

    }

    return STATUS_SUCCESS;
}

typedef VOID (*__IcmpReplyCallback)(
    IN PVOID Packet,
    IN PVOID Context1,
    IN PVOID Context2);

//
//NET IN
//
VOID IcmpReplyCallBack(
    IN PVOID Packet)
{
    struct ether_hdr *Etheader= NULL;
    struct ip_hdr *IpHeader = NULL;
    ICMP_HEADER *IcmpHeader = NULL;
    Etheader = (struct ether_hdr *)Packet;
    IpHeader = (struct ip_hdr *)(Etheader + 1);
    IcmpHeader = (ICMP_HEADER*)( (PUCHAR)IpHeader + ((IpHeader->ip_hl & 0x0F)<<2) );

    if( IcmpHeader->Type == 0 && IcmpHeader->SeqNum == htons(0xeedd) )
    {
        LARGE_INTEGER CurTimestamp;
        PICMP_ECHO_PACKET echoPacket = (PICMP_ECHO_PACKET)IcmpHeader;
        CurTimestamp.QuadPart = KeQueryInterruptTime();
        if( echoPacket->ConnectionInfo )
        echoPacket->ConnectionInfo->RoundTime = CurTimestamp.QuadPart - echoPacket->Timestamp.QuadPart;
    }

}

NTSTATUS
NdisSendIcmpEchoRequestMsg(
    IN NDIS_HANDLE  AdapterContext,
    IN ULONG SrcIp, //��˳��
    IN ULONG DstIp,
    IN UCHAR EtherSrcMacAddress[], //6
    IN UCHAR EtherDstMacAddress[],
    IN PVOID ConnectionInfo)
{
    PICMPECHOPACKET IcmpEchoPacket;

    if (((PADAPT)AdapterContext)->MPDeviceState > NdisDeviceStateD0)
    {
        return NDIS_STATUS_FAILURE;
    }
    IcmpEchoPacket = ExAllocatePoolWithTag(NonPagedPool, sizeof(ICMPECHOPACKET), 'ICMP');
    if(IcmpEchoPacket)
    {
        RtlZeroMemory(IcmpEchoPacket, sizeof(ICMPECHOPACKET));
        //
        //Fill ethernet header
        //
        RtlCopyMemory(&IcmpEchoPacket->EthernetHeader.ether_src, EtherSrcMacAddress, 6);
        RtlCopyMemory(&IcmpEchoPacket->EthernetHeader.ether_dst, EtherDstMacAddress, 6);
        IcmpEchoPacket->EthernetHeader.ether_type = htons(NDIS_ETH_TYPE_IPV4);
        //
        //Fill ip header
        //
        IcmpEchoPacket->IpHeader.ip_v = 4;
        IcmpEchoPacket->IpHeader.ip_hl = 5; // һ��5
        IcmpEchoPacket->IpHeader.ip_tos = 0; //һ��Ϊ0
        IcmpEchoPacket->IpHeader.ip_len = htons(sizeof(struct ip_hdr) + sizeof(ICMP_ECHO_PACKET)); //��û�д��ݵ�
        IcmpEchoPacket->IpHeader.ip_id = 0;            // XXX make it something meaningful
        IcmpEchoPacket->IpHeader.ip_off = 0;
        IcmpEchoPacket->IpHeader.ip_ttl = 64;        //��ע��ȡ�ø�ֵ��һ��64��128
        IcmpEchoPacket->IpHeader.ip_p = IPPROTO_ICMP;
        IcmpEchoPacket->IpHeader.ip_sum = 0;            // for checksum calculation
        IcmpEchoPacket->IpHeader.ip_src = SrcIp;
        IcmpEchoPacket->IpHeader.ip_dst = DstIp;
        IcmpEchoPacket->IpHeader.ip_sum = __Checksum((USHORT*)&IcmpEchoPacket->IpHeader, 20) ;
        //
        //Fill IcmpEchoHeader
        //
#define ICMPMSG_ECHOREQUEST 8
        IcmpEchoPacket->IcmpEchoHeader.Icmp.Type     = ICMPMSG_ECHOREQUEST;
        IcmpEchoPacket->IcmpEchoHeader.Icmp.Code     = 0;
        IcmpEchoPacket->IcmpEchoHeader.Icmp.Id       = (USHORT)2;
        IcmpEchoPacket->IcmpEchoHeader.Icmp.SeqNum   = htons((USHORT)0xeedd);
        IcmpEchoPacket->IcmpEchoHeader.Icmp.Checksum = 0;
        IcmpEchoPacket->IcmpEchoHeader.Timestamp.QuadPart = KeQueryInterruptTime();
        IcmpEchoPacket->IcmpEchoHeader.ConnectionInfo = ConnectionInfo;
        IcmpEchoPacket->IcmpEchoHeader.Icmp.Checksum =
            __Checksum((PUSHORT)&IcmpEchoPacket->IcmpEchoHeader.Icmp, sizeof(ICMP_ECHO_PACKET));

        return SendPacket2(AdapterContext, (PUCHAR)IcmpEchoPacket, sizeof(ICMPECHOPACKET));

    }

    return STATUS_SUCCESS;
}

NDIS_STATUS SendPacket2( IN NDIS_HANDLE MiniportAdapterContext,
                         IN PUCHAR pPacketBuff,
                         IN UINT uPacketSize)
{
    NDIS_STATUS  status = NDIS_STATUS_SUCCESS;
    NDIS_PHYSICAL_ADDRESS HighestAcceptableAddress;
    PVOID  VirtualAddress = NULL;
    PNDIS_BUFFER pNdisPacketBuffer = NULL;
    PSEND_RSVD      SendRsvd = NULL;
    PNDIS_PACKET pNewPacket = NULL;
    PADAPT              pAdapt = (PADAPT)MiniportAdapterContext;
    if( pAdapt == NULL || pPacketBuff == NULL )
        return 0;

    NdisAllocatePacket(&status, &pNewPacket, pAdapt->SendPacketPoolHandle);
    if(status != NDIS_STATUS_SUCCESS)
    {
        DbgPrint("SendPacket2 -> NdisAllocatePacket failed\n");
        return status;
    }

    HighestAcceptableAddress.QuadPart = -1;
    status = NdisAllocateMemory( &VirtualAddress, uPacketSize, 0, HighestAcceptableAddress );
    if(status != NDIS_STATUS_SUCCESS)
    {
        return status;
    }

    NdisAllocateBuffer( &status,
        &pNdisPacketBuffer,
        pAdapt->SendPacketPoolHandle,
        VirtualAddress,
        uPacketSize);
    if (NDIS_STATUS_SUCCESS != status)
    {
        NdisFreeMemory(VirtualAddress, uPacketSize, 0);
        return status;
    }

    NdisMoveMemory( VirtualAddress, pPacketBuff, uPacketSize );
    NdisChainBufferAtFront(pNewPacket, pNdisPacketBuffer );
    SendRsvd = (PSEND_RSVD)(pNewPacket->ProtocolReserved);
    SendRsvd->OriginalPkt = NULL; //��Ͱ��NDIS_STATUS_PENDINGʱ��Ҫ��PtSendComplete�ͷ��Դʱ��ͨ��ж�
    // SendRsvd->OriginalPkt��ȷ��Ƿ��ǹ��ݰ��

    pNewPacket->Private.Head->Next=NULL;
    pNewPacket->Private.Tail=NULL;

    NdisSetPacketFlags(pNewPacket, NDIS_FLAGS_DONT_LOOPBACK);

    //DbgPrint("NdisSend  ACK \n");

    NdisSend(&status, pAdapt->BindingHandle, pNewPacket);
    //DbgPrint("NdisSend  ACK status = 0x%x\n", status);

    if(status != NDIS_STATUS_PENDING)
    {
        UINT uSendBufferLen;
        PVOID pSendPacketBuffer = NULL;
        NdisUnchainBufferAtFront(pNewPacket, &pNdisPacketBuffer);

        NdisQueryBufferSafe(pNdisPacketBuffer,
            (PVOID *)&pSendPacketBuffer,
            &uSendBufferLen,
            HighPagePriority );

        NdisFreeBuffer(pNdisPacketBuffer);
        NdisFreeMemory(pSendPacketBuffer, uSendBufferLen, 0);
        NdisFreePacket(pNewPacket);

    }

    return status;

}

�Ķ�ȫ��
��Ĭ�Ϸ�� 鿴��

WINDBG�ں˵��ԣ��ʱ��ڵ��

Sysnap — 2012��02��02�� 16:45

bp nt!NtTestAlert "r $t0 = @@c++( ((nt!_EPROCESS*)@$proc)->ActiveThreads );.if(@$t0==1){r $t1=@@c++( ((nt!_ETHREAD*)@$thread)->Win32StartAddress);.printf\"Win32StartAddress:\%x\\n\",@$t1;bp /p @$proc @$t1;g;}.else{g;}"

�Ķ�ȫ��
��Ĭ�Ϸ�� 鿴��

��PRC/LPC��㷵��״̬��

Sysnap — 2012��02��02�� 16:31

*** An Access Violation occurred in C:\Windows\system32\services.exe:

The instruction at 76EE32CC tried to write to a NULL pointer

*** enter .exr 00BCF5B0 for the exception record
*** enter .cxr 00BCF5CC for the context
*** then kb to get the faulting stack

Break instruction exception - code 80000003 (first chance)
ntdll!DbgBreakPoint:
001b:774e7dfe cc int 3

kd> u 76ee32cc
RPCRT4!RpcpStrictAlpcToRpcStatus+0x13:
76ee32cc 890d00000000 mov dword ptr ds:[0],ecx
76ee32d2 b8e6060000 mov eax,6E6h

��RPCֻ��Ĺ̶��󷵻�ֵ
kd> dd 76430750
76430750 00000000 00000000 c0000037 000006be
76430760 c0000703 000006be c0000017 0000000e
76430770 c0000040 0000000e c0000097 0000000e
76430780 c000009a 0000000e c00000a1 0000000e
76430790 c0000007 0000000e c000012d 0000000e

764307a0 c0000702 000006be c0000022 000006be

��ܾ�Ҳ��ܼ򵥷��DENY

�Ķ�ȫ��
��Ĭ�Ϸ�� 鿴��

��Ļ��̬�Ⱥͷ��

Sysnap — 2012��01��15�� 15:39

��ʱ��һЩ��⣬��ܽ�ɼ��˿��Ϊʲô��Ǹ��⣿��ʲô�ǶȾ��Ǹ��⡣

��̬�ȣ�

1��Ҫ��ͼͬʱȥ��⣬�ҳ��еġ�

2��Ч�򵥵İ취��80%��100%��⡣

3��֮ǰ��ȷ��ǲ��Լ��⡣

4��ⶼ�ܸ��һ��𰸣��Щ��Ĵ𰸿��

5��Լ��ٴ��󣬶��ȥ��п��ܵ��⡣

6��һ��£��80%û��100%��û��ᡣ

7��һ�ֽ��취��ܻ�ͬʱ��һЩ��⣬�е�ʱ��ֻ��

7��ѧ��

��

��: Ϊ��Ҷ��ʹ��ü򵥡�

��ۣ��ҳ��Ч�Ľ��취��

��ܣ�ֻ��Ҫ֪��Լ��ٴ��

ת�ƣ�ת��ì�ܣ��Ʋ�ɱ��û��֮ǰ��ľ��Ǵ�಻��ȥ��

�ų�: ��С��ķ�Χ��

��ܵ��͹۵��ƣ��еģ��ʱ��ܽ��ģ��취Ҳ�޷��ģ��

�Ķ�ȫ��
��Ĭ�Ϸ�� 鿴��

��һЩ�򵥸��ܽ�

Sysnap — 2012��01��12�� 12:50

1��ԳƶԿ�

��Ӧ�ò��Ӧ�ò㣬��Կ��һ��Ȼû��ơ��ȫ��ƾ��: �Ƚ��û�ϵͳ��ںˣ�ռ��ơ��Ӧ�ü��غ��Щ��ơ�

2��ι�ϵ

��εĵ�λԽ�󣬷��Խ�󣬴��߼�Ҳ��Խ��ӡ��Σ��Σ��ȫ��ѡ��ԡ��ι�ϵ��ĵ�ҲҪ��պá�

3��壬��

��Ϊ%0.01��⣬��200%��ά��ʹ��򵥵Ŀ�ܱ�ø��ӣ��ϵ��ֻ��ĳ��㡣��һ��ǿ�˵�ʱ��Ͳ��Ǳ��͵ĵ㡣Ѱ�Ҷ̰壬�Ż��Լ��߼��ϵĹ��

4��ʱ��Ӧ�ٶ�

��󣬶Կ��һ��Ĺ��̣��з��һ��ֻ��ӹ��Ѷȣ��𹥻��б�֤�û��ȶ��ʼ��Ҫ�ġ�

�Ķ�ȫ��
��Ĭ�Ϸ�� 鿴��

2011.11��

Sysnap — 2011��11��12�� 17:13

1) ��;��ΪһЩ��һЩ�˶�ͣ��Ҫ�뿪��ͣ��̫�á�

2) ��ʱ��Ϊ��߽ݾ��ʱ��Ѱ�ҽݾ��ϡ�

3) ��Ҫ��Ƿ��Ŀ�ĵء�

4) ��ͻ��ִ��Ļ��Ȳ�Ҫָ��õ��ࡣѧ��

5) ϣ��֮��ǵȴ�, ��ϣ��õģ��ǵȴ��û�о�ͷ�ġ��Ҫ��ʧ��ȥ�ȣ��ȥ׷��

6) ��ִ�žͱ��д��еõ��ͱ��ʧȥ��

7) û�н��ٽ��Ҳֻ��߼��

8) ��鶼��ˣ��ã��ã��ã��Լ��ʱ��û�е��ָо��ˣ��õĶ��ǲ��ɴ��ģ�Ҳ�޷�Ѱ�ҡ�

9��ĳ��ԣ��Ϊ��ʲô��ܴ�̶��Ӱ��ǵ�̬�ȣ��Ϊ��̬��ĽǶȵȡ��ͬ�ĳ��ԣ��ͬ��£��Ҳ��ͬ��ȥ��Ҳ��ͬ��Դ�һ��˵��Ϊ��̬��Ƴ��Ŀ��ص��ʲô��

�Ķ�ȫ��
��Ĭ�Ϸ�� 鿴��

PE LOADER��MS�Դ��ĳ��

Sysnap — 2011��10��25�� ڶ� 18:51

֮ǰ��ŵĴ��룬ûɶ�ã��ɴ��ǰ��ĵ��·��
��ʵ��һ��PE LOADER��Լ�һЩ��취��ϸ��Լ��Ķ��룬��PE LOADER��WINDOWS�Ĵ󲿷ֳ��XP �¼��MS�ĳ��򶼿��ܣ��NOTEPAD, REGEDIT, ��ȡ�
     ��Ҫ��
     1��FormatMessage
     2��GetModuleFileName
     3��msvcrt��
     4��TLS
     5��
     6��ַ��ռ�õ��
     7��˳�
     8��
     9��ض��

Loader Ҫ��
1�� ȡ��ļ��ڴ�
2�� ض�λ��Դ��
3�� CALL��ں��

��Ϊ�Ǽ��EXEģ�飬XP�Ļ�Ĭ�ϼ��ػ��ַ��PEͷ�ֵ�ImageBase��ַ�ռ�һ��״̬��MEM_FREE��
XP
0:000> !address 0x01000000
    003a3000 : 003a3000 - 5fc4d000
                    Type     00000000
                    Protect  00000001 PAGE_NOACCESS
                    State    00010000 MEM_FREE
                    Usage    RegionUsageFree
��ַ��ʼ��ڴ�ɹ��ʺܴ��Loader��ñȽϼ򵥣�ֻ��Ҫ��Ϳ��ԣ��WIN 7��Ϊ�� ַ��ֲ� ��ƣ�EXE��صĵ�ַ��һ��ImageBase��ImageBase��ʼ��ڴ��Ѿ��ռ��
WIN 7
Usage:                  MemoryMappedFile
Allocation Base:        00870000
Base Address:           0096d000
End Address:            01470000 ��@@@@@@@@@@
Region Size:            00b03000
Type:                   00040000 MEM_MAPPED
State:                  00002000 MEM_RESERVE
Protect:                00000000
Mapped file name:       PageFile
ǿ��ʹ�õĺ��Ī��ı��
��XPΪ��ó��򾡿��ܵ��Ĭ�ϼ��صĻ��ַ��У�
��Ҫ��ImageBase��ǵ�EXE��ַ�壬��취��Ǳ��ģ��ѡһ��صĻ��ַ��
��ѡ�� 0x5FFF0000��ַ�Ϳ��Ա��ҪRUN��EXEģ��Ļ��ַ��ͻ�ˣ��Ϊ��WIN 7�ܣ��ҪDisable Image Randomization (/DYNAMICBASE:NO)��Ϊ�˱��DEP��³��Է��ڴ��һ�ɸ�ΪPAGE_EXECUTE_READWRITE

1��FormatMessage
XP�ܶ��ַ��Դ�У��ֻҪ��Դ�Ϳ��ˡ��WIN 7�У��ܶ��ַ��Ǵ��.MUI�ļ��ж��Դ�С�
��Ϊ΢��Ŀ��̨��򼸺��FormatMessage��ʧ�ܣ��Ĺ��ܾ͵ò��ִ�С��WIN 7��Ҫ��API��д��Ϊ��û��ȥ��Դ��.MUI�ļ��MUI�ļ�һ��SYSTEM32\ZH-CN\Ŀ¼��
��ļ��Ӧ��.MUI�ļ��ͨ��GetFileMUIPath��ȡ
ע:��ϵͳ�� Ӣ�ĵĻ��Եģ��ǾͲ��ZH-CN�ˣ��ͨ��API
BOOL SetThreadPreferredUILanguages(
  DWORD  dwFlags,
  PCWSTR  pwszLanguagesBuffer,
  PULONG  pulNumLanguages
);��ȡ��
.MUI��ص�ʱ��
.MUI��ص�ʱ��ǱȽ��ģ�Ҳ��ڽ��MAIN֮ǰ��LDR��ˡ�arpΪ��ӣ��arp.exeʱ��LdrpRunInitializeRoutines�ͻ��arp.exe.mui��ļ��Ȼ��Ż��뵽MAIN��档
��ˣ��Ϊ��Լ��Ҫ��е�ģ�飬��û��LdrpRunInitializeRoutines��Ȼ��ǽ��̿ռ��û��Ӧ��.mui�ļ��취��Ҫ�Լ�LoadLibraryEx(RUN_IMAGE_FILE_PATH, NULL, NULL);һ�¡��Ҫ��ǻ�ȡ .MUI�ļ��ȫ·��
DWORD WINAPI FormatMessage(
  __in          DWORD dwFlags,
  __in          LPCVOID lpSource,
  __in          DWORD dwMessageId,
  __in          DWORD dwLanguageId,
  __out         LPTSTR lpBuffer,
  __in          DWORD nSize,
  __in          va_list* Arguments
);
�Է��.MUI��ȡ�ַ��˵��dwFlags��Ҫ��FORMAT_MESSAGE_FROM_HMODULE
��־��жϵ��Ҫ��ݡ�MS�Լ��lpSource��ΪNULL��Զ��.MUI�ļ��.MUI��Լ��صģ��Ǵ��NULL��ɻᵼ��ʧ�ܣ�û��ҵ��Դ��ҪHOOK��API��lpSource�ĳ��LOAD .MUI�ļ��ڴ��ַ��

2��GetModuleFileName
��
7282f0ef ff766c          push    dword ptr [esi+6Ch]
7282f0f2 ff1568838372    call    dword ptr [MFC42u!_imp__GetModuleFileNameW (72838368)]
7282f0f8 8d8584010000    lea     eax,[ebp+184h]
7282f0fe 6a2e            push    2Eh
7282f100 50              push    eax
7282f101 ff1558878372    call    dword ptr [MFC42u!_imp__wcsrchr (72838758)]
7282f107 66832000        and     word ptr [eax],0         ds:0023:00000000=????
eax = 0��ɼ�GetModuleFileNameW��ص��NULL��΢��û�ж��ķ��ֵ��жϡ��Ե��±��
ΪʲôGetModuleFileNameW��أ�
GetModuleFileName�Ķ��
DWORD WINAPI GetModuleFileName(
  __in          HMODULE hModule,
  __out         LPTSTR lpFilename,
  __in          DWORD nSize
);

��ȥ��ջ
0:000> kvnf
#   Memory  ChildEBP RetAddr  Args to Child
00           0012f650 7282f0f8 01000000 0012f874 00000104 kernel32!GetModuleFileNameW (FPO: [Non-Fpo])
��   hModule ��ֵ�� 01000000��ע��ֵ��Ļ��ַ��Ǳ�RUN��EXE�û��ַ��
��ſ�
GetModuleFileName�ڲ�ʵ�֣�
.text:7C80B458 loc_7C80B458:                           ; CODE XREF: GetModuleFileNameW(x,x,x)+85j
.text:7C80B458                 mov     [ebp+var_38], esi
.text:7C80B45B                 mov     ecx, [ebp+var_24]
.text:7C80B45E                 cmp     ecx, [esi+18h]
.text:7C80B461                 jz      short loc_7C80B481
.text:7C80B463                 mov     esi, [esi]
.text:7C80B465
.text:7C80B465 loc_7C80B465:                           ; CODE XREF: GetModuleFileNameW(x,x,x)+54j
.text:7C80B465                 mov     [ebp+var_2C], esi
.text:7C80B468                 cmp     esi, eax
.text:7C80B46A                 jnz     short loc_7C80B458
..........
.text:7C80B413 loc_7C80B413:                           ; CODE XREF: GetModuleFileNameW(x,x,x)+1C9j
.text:7C80B413                                         ; GetModuleFileNameW(x,x,x)+35979j
.text:7C80B413                 lea     eax, [ebp+var_1C]
.text:7C80B416                 push    eax
.text:7C80B417                 push    edi
.text:7C80B418                 push    1
.text:7C80B41A                 call    _LdrLockLoaderLock@12 ; LdrLockLoaderLock(x,x,x)
.text:7C80B41F                 mov     [ebp+ms_exc.disabled], edi
.text:7C80B422                 mov     eax, large fs:18h ��@@@@@@@@@@ TEB
.text:7C80B428                 mov     [ebp+var_30], eax
.text:7C80B42B                 mov     eax, [eax+30h] ��@@@@@@@@PEB
.text:7C80B42E                 mov     eax, [eax+0Ch] �� @@@@@@@@ _PEB_LDR_DATA
.text:7C80B431                 add     eax, 0Ch ��@@@@@@@@ nLoadOrderModuleList : _LIST_ENTRY
.text:7C80B434                 mov     [ebp+var_34], eax
.text:7C80B437                 mov     esi, [eax]
.text:7C80B439                 jmp     short loc_7C80B465
nLoadOrderModuleList ��г�Ա�Ľṹ�ǣ�
typedef struct _LDR_MODULE
{
    LIST_ENTRY          InLoadOrderModuleList;   +0x00
    LIST_ENTRY          InMemoryOrderModuleList; +0x08
    LIST_ENTRY          InInitializationOrderModuleList; +0x10
    void*               BaseAddress;  +0x18
    void*               EntryPoint;   +0x1c
    ULONG               SizeOfImage;
    UNICODE_STRING      FullDllName;
    UNICODE_STRING      BaseDllName;
    ULONG               Flags;
    SHORT               LoadCount;
    SHORT               TlsIndex;
    HANDLE              SectionHandle;
    ULONG               CheckSum;
    ULONG               TimeDateStamp;
} LDR_MODULE, *PLDR_MODULE;
�ɼ� GetModuleFileName��ͨ��LoadOrderModuleList��Ȼ��hModule ��LDR_MODULE��BaseAddress ��ȣ��ȵĻ��ȡ��FullDllName��Ǵ��hModule�Ǳ��ģ��Ȼ��Ҳ��·��NULL��֮��MS�ֲ��жϾ�ֱ��÷��ֵ��±��

3��msvcrt��
WIN 7 ARP.EXE
.text:0100239E                 push    dword_1005968
.text:010023A4                 push    dword_1005960
.text:010023AA                 call    _main
msvcrt.dll ��һ�α��ص�ʱ�򣬻��GetCommandLine��ȡ��ǰ��Ȼ��д��msvcrt��ڲ��
msvcrt!__argc �� msvcrt!__argv��֮��ͨ��__getmainargs, __wgetmainargs�Ϳ��Ի�ȡ��Ӧ��ʱ�򲢲��GetCommandLine��WIN 7��ARP.EXE��ȡ��в��ͨ��__getmainargs��Ϊmsvcrt.dll�ڽ��е�ʱ��Ѿ��أ��޷��ص�GetCommandLine. ��LOAD msvcrt.dllʱ��ʼ��WIN 7ÿ��һ��оͻ��DLL.��Ҫ�Լ�HOOK __getmainargs, __wgetmainargs

4��TLS
0100887a 648b0d2c000000  mov     ecx,dword ptr fs:[2Ch]
01008881 56              push    esi
01008882 8d3481          lea     esi,[ecx+eax*4]
01008885 57              push    edi
01008886 8b3e            mov     edi,dword ptr [esi]  ds:0023:00000000=????????
01008888 83bf0400000000  cmp     dword ptr [edi+4],0

��Ϊ��  mov     ecx,dword ptr fs:[2Ch] ��TEB �� ThreadLocalStoragePointer�� ûģ��LOADER��ʼ��û��ͻ�ʧ�ܡ��Ҫ�Լ��TLSĿ¼��ȡ��ݣ���ڴ棬Ȼ��޸� ThreadLocalStoragePointerָ�롣��ʵֻ��Ҫ��ʿռ��С�Ϳ��ԡ��ݳ��Լ��ӣ��ó��ûʹ��TLS��̵߳�ThreadLocalStoragePointer��ΪNULL��Ȼ��Ҫ�ܵĳ��ʹ��TLS��Ƿ��ʸõط��ͱĶ��
void LdrInitThreadTls(PIMAGE_TLS_DIRECTORY pTlsDir)
{
PVOID *ThreadLocalStoragePointer = NULL;
UCHAR *pData = NULL;
ULONG TlsSize = 0;
ULONG TlsInitDataSize = 0;
TlsInitDataSize = pTlsDir->EndAddressOfRawData - pTlsDir->StartAddressOfRawData;
TlsSize = (pTlsDir->EndAddressOfRawData - pTlsDir->StartAddressOfRawData) + pTlsDir->SizeOfZeroFill;
ThreadLocalStoragePointer = (PVOID*)malloc(TlsSize+ sizeof(PVOID));
pData = (UCHAR*)ThreadLocalStoragePointer + sizeof(PVOID);
pData = (UCHAR*)ThreadLocalStoragePointer ;
memcpy( pData, (void *)pTlsDir->StartAddressOfRawData, TlsInitDataSize );
memset( pData + TlsInitDataSize, 0, pTlsDir->SizeOfZeroFill );
NtCurrentTeb()->ThreadLocalStoragePointer = ThreadLocalStoragePointer;
*(PVOID*)ThreadLocalStoragePointer = ThreadLocalStoragePointer;
}

5��
MS��̨��printf��fprintf
.text:0100215B loc_100215B:                            ; CODE XREF: _PutMsg+5Ej
.text:0100215B                 mov     dl, [eax]
.text:0100215D                 inc     eax
.text:0100215E                 test    dl, dl
.text:01002160                 jnz     short loc_100215B
.text:01002162                 sub     eax, ecx
.text:01002164                 push    eax             ; cchDstLength
.text:01002165                 push    dword ptr [ebp+lpszSrc] ; lpszDst
.text:01002168                 push    dword ptr [ebp+lpszSrc] ; lpszSrc
.text:0100216B                 call    ds:__imp__CharToOemBuffA@12 ; CharToOemBuffA(x,x,x)
.text:01002171                 push    dword ptr [ebp+lpszSrc]
.text:01002174                 push    offset aS       ; "%s"
.text:01002179                 push    esi             ; File
.text:0100217A                 call    ds:__imp__fprintf
.text:01002180                 add     esp, 0Ch
.text:01002183                 push    dword ptr [ebp+lpszSrc] ; hMem
.text:01002186                 call    ds:__imp__LocalFree@4 ; LocalFree(x)
.text:0100218C                 mov     eax, edi
.text:0100218E                 pop     esi
��ֻҪ IAT HOOK fprintf�Ϳ��ԡ�

6��ַ��ռ�õ��
PELOADER��ַ��ռ�õ��
��
LOADERҪ��һ��EXE�ļ��EXE�ļ��صĵ�ַ��0x400000��LOADER��MAIN��棬��ַ�Ѿ��ռ�ã��ǲ��ȥFree��ַ��·ֲ��ģ��ܻᵼ�³��
��
LOADER��һЩDLL��API��ЩDLL��LOADER��е�ʱ��ϵͳ��ЩDLL��ЩDLL��г�ʼ��̵߳Ȳ��ǵ�ַ��ռ�õĸ��Ƿǳ��ġ��Ҳ��TLSִ��֮ǰ�ġ�
��
1��ӳټ��DLL��֤��ֻ��kernel32.dll
2)��Ҫʹ��MFC��Ϊ��ʱ��л��ռ��Ҫ��صĵ�ַ
3��HOOK ��ڴ�ĺ��ֹ��ĳ��ַ��ʼ��һƬ��ַ��
��Ҫʹ��MFCдLOADER��Ψһ�İ취��
�ӳټ��DLL��֤��ֻ��kernel32.dll
��Ź��𴴽��Լ��䱣��ڴ棬�˳��

7��˳�
��⣺
��ڴ��еĳ��򣬱��arp.EXEִ��֮��ͻ��˳��ǽ��ExitProcess��ã��ǽ��Ҳ��Ȼ��ǲ�ϣ��
��취��HOOK ExitProcess��
��MS��̨��˳��ǵ��exit
#   Memory  ChildEBP RetAddr  Args to Child
00           003ef554 7c92df5a 7c939b23 000007f4 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
01         4 003ef558 7c939b23 000007f4 00000000 00000000 ntdll!NtWaitForSingleObject+0xc (FPO: [3,0,0])
02        88 003ef5e0 7c921046 00c31ae8 77c0a5eb 77c31ae8 ntdll!RtlpWaitForCriticalSection+0x132 (FPO: [Non-Fpo])
03         8 003ef5e8 77c0a5eb 77c31ae8 7c8099cf 003ef608 ntdll!RtlEnterCriticalSection+0x46 (FPO: [1,0,0])
04        10 003ef5f8 77c09de8 00000008 7c8099cf 003ef61c msvcrt!_lock+0x30 (FPO: [Non-Fpo])
05        10 003ef608 77c09e90 00000000 00000000 00000000 msvcrt!_cinit+0x5e (FPO: [Non-Fpo])
06        14 003ef61c 01002735 00000000 00000000 003efbc4 msvcrt!exit+0x12 (FPO: [Non-Fpo])

��һ��HOOK ExitProcess�� ڴ��arp.EXE֮��ͻ��Զ��ԣ��HOOK ExitProcess��ֻ��HOOK msvcrt!exit

��⻹��Ҫһ��ɣ��ڴ��еĳ��EXE��һ��߳��ɣ��HOOK msvcrt!exitҲû�취��߼�
void Fakeexit(
    int status
    )
{
if( status == 0xbeebee )
  Oldexit(status);
ExitThread(0xbeebee);
}

��Ϊ�Ǵ��̣߳��ֻ��Ҫ�滻��ExitThread(0xbeebee);֮�󣬽��˳��⶯��ͱ��ˣ�Ȼ��exit��ΪExitThread(0xbeebee)��߳̾��˳��ؿ��Ƶ��EXEģ��ⴴ��߳�ʱҪ�Լ�ע��ջ��⣬��ջ��ܻ�ռ��Ҫ��EXE�ĵ�ַ�ռ䣬��ʧ�ܣ��Ա��ȷ��ڴ�ռ��ܴ��̡߳�

8��
MIAN�Ĳ��ѹ�ģ�

int __cdecl _tmainCRTStartup()
.text:60022B50 ; int __cdecl _tmainCRTStartup()
//
//��GetCommandLineA֮��setargv��У��ʵ��ڲ��___argv��___argc��֮��PUSH��CALL MAIN
//
.text:60022BE8 loc_60022BE8:                           ; CODE XREF: __tmainCRTStartup+8Cj
.text:60022BE8                 call    ds:__imp__GetCommandLineA@0 ; GetCommandLineA()
.text:60022BEE                 mov     __acmdln, eax
.text:60022BF3                 call    j____crtGetEnvironmentStringsA
.text:60022BF8                 mov     __aenvptr, eax
.text:60022BFD                 call    j___setargv

....
.text:60022C42 loc_60022C42:                           ; CODE XREF: __tmainCRTStartup+E4j
.text:60022C42                 mov     ecx, __environ
.text:60022C48                 mov     ___initenv, ecx
.text:60022C4E                 mov     edx, __environ
.text:60022C54                 push    edx
.text:60022C55                 mov     eax, ___argv ;@@@@@@@@@�ڲ��
.text:60022C5A                 push    eax
.text:60022C5B                 mov     ecx, ___argc  ;@@@@@@@@@�ڲ��
.text:60022C61                 push    ecx
.text:60022C62                 call    j__main

int __cdecl _setargv()
.text:60031F40 ; int __cdecl _setargv()
.text:60031F40 __setargv       proc near               ; CODE XREF: j___setargvj
.text:60031F6E                 push    0               ; hModule
.text:60031F70                 call    ds:__imp__GetModuleFileNameA@12 ; GetModuleFileNameA(x,x,x)
.text:60031F76                 push    offset _pgmname ; _Value
.text:6003201B loc_6003201B:                           ; CODE XREF: __setargv+D4j
.text:6003201B                 lea     ecx, [ebp+numchars]
.text:6003201E                 push    ecx             ; numchars
.text:6003201F                 lea     edx, [ebp+numargs]
.text:60032022                 push    edx             ; numargs
.text:60032023                 mov     eax, [ebp+numargs]
.text:60032026                 mov     ecx, [ebp+p]
.text:60032029                 lea     edx, [ecx+eax*4]
.text:6003202C                 push    edx             ; args
.text:6003202D                 mov     eax, [ebp+p]
.text:60032030                 push    eax             ; argv
.text:60032031                 mov     ecx, [ebp+cmdstart]
.text:60032034                 push    ecx             ; cmdstart
.text:60032035                 call    parse_cmdline
.text:6003203A                 add     esp, 14h
.text:6003203D                 mov     edx, [ebp+numargs]
.text:60032040                 sub     edx, 1
.text:60032043                 mov     ___argc, edx  ;@@@@@@@@@�ڲ��
.text:60032049                 mov     eax, [ebp+p]
.text:6003204C                 mov     ___argv, eax ;@@@@@@@@@�ڲ��
.text:60032051                 xor     eax, eax

kernel32!GetCommandLineA:
7c812fbd a1f455887c      mov     eax,dword ptr [kernel32!BaseAnsiCommandLine+0x4 (7c8855f4)] ds:0023:7c8855f4=00151ee0
kernel32!GetCommandLineW:
7c817023 a10450887c      mov     eax,dword ptr [kernel32!BaseUnicodeCommandLine+0x4 (7c885004)]
7c817028 c3              ret
�ɼ��û��PEB��HOOK  GetCommandLine��޸�BaseAnsiCommandLine��BaseUnicodeCommandLine�Ϳ��Բ��޸��д��

9)�ض��
��Ϊ�Ǽ��EXEģ�飬XP�Ļ�Ĭ�ϼ��ػ��ַ��PEͷ�ֵ�ImageBase��WIN 7��Ϊ�� ַ��ֲ� ��ƣ�EXE��صĵ�ַ��һ��
ImageBase��
��Ҫ�ض��򣬵��и��⣬��Ǽ��/GS��ѡ��EXE��⡣
�ڽ��MAIN��֮ǰ��ִ��ôһ�δ��
60022e60 8bff            mov     edi,edi
60022e62 55              push    ebp
60022e63 8bec            mov     ebp,esp
60022e65 e84ba6ffff      call    _________!ILT+1200(___security_init_cookie) (6001d4b5)
60022e6a e811000000      call    _________!__tmainCRTStartup (60022e80)
_________!__security_init_cookie:
600312f0 8bff            mov     edi,edi
600312f2 55              push    ebp
600312f3 8bec            mov     ebp,esp
600312f5 83ec18          sub     esp,18h
600312f8 c745f800000000  mov     dword ptr [ebp-8],0
600312ff c745fc00000000  mov     dword ptr [ebp-4],0
60031306 813d38d108604ee640bb cmp dword ptr [_________!__security_cookie (6008d138)],0BB40E64Eh
...........

��security cookie��ȫ�ֱ��Щ��û��ض����ص� ��ַ��PEͷ�ֵ�ImageBase��ͻ��ַ��ʴ��󣬵��±��
��취��

��Ҫ��ص� PEͷ��ImageBase ��ĵ�ַ��ǵ�EXE��ַ��ͻ��ô�죿 ��취��Ǳ��ģ��ѡһ��صĻ��ַ��
��ѡ�� 0x5FFF0000��ַ�Ϳ��Ա��ҪRUN��EXEģ��Ļ��ַ��ͻ�ˣ��Ϊ��WIN 7�ܣ��ҪDisable Image Randomization (/DYNAMICBASE:NO)�� Ϊ�˱��DEP��³��Է��ڴ��һ�ɸ�Ϊ
PAGE_EXECUTE_READWRITE

�� http://bbs.pediy.com/showthread.php?t=141891

�Ķ�ȫ��
��Ĭ�Ϸ�� 鿴��

��IDebugSymbols

Sysnap — 2011��10��09�� 14:30

��д��С��Ҫ�õ��ص�һЩ��Ϊͼ��ֱ�� IDebugSymbols��κ��ڵ��StartSymbolMatchʱ��ʧ�ܣ��ֳ��

.text:0212343B                 mov     ?g_EngineNesting@@3KA, eax ; ulong g_EngineNesting
.text:02123440                 cmp     ?g_Process@@3PAVProcessInfo@@A, 0 ; ProcessInfo * g_Process
.text:02123447                 jnz     short loc_212345A
.text:02123449                 mov     [ebp+var_C], 8000FFFFh
.text:02123450                 jmp     loc_21235E3

Ҳ��ڵ��ø÷�ʽ֮ǰ��Ҫ��һ��TARGET��DUMP�ļ��Ҳ��Ӧ�ó��֮��ǲ��ֱ��ã��Ҳֻ�ܵõ�TARGET��е�ģ��ķ��Ϣ

��ۣ��PDB��ʺ��IDebugSymbols��DIA SDK��

�Ķ�ȫ��
��Ĭ�Ϸ�� 鿴��

Yas Kernel Debugger

�������ֽٳ֣��������IRP DISPATCH HOOK

WINDBG��չӦ�� - ͳ��Դ��������

NDIS�����ʵ��PING

WINDBG�ں˵��ԣ���������ʱ������ڵ����

����PRC/LPC������㷵��״̬��

�������Ļ���̬�Ⱥͷ���

������һЩ�򵥸����ܽ�

2011.11�������

PE LOADER��������MS�Դ��ĳ���

����IDebugSymbols

��ֽٳ֣��IRP DISPATCH HOOK

WINDBG��չӦ�� - ͳ��Դ��

NDIS��ʵ��PING

WINDBG�ں˵��ԣ��ʱ��ڵ��

��PRC/LPC��㷵��״̬��

��Ļ��̬�Ⱥͷ��

��һЩ�򵥸��ܽ�

2011.11��

PE LOADER��MS�Դ��ĳ��

��IDebugSymbols