_EPROCESS结构简单了解!
lkd> dt _EPROCESSnt!_EPROCESS
+0x000 Pcb : _KPROCESS
+0x06c ProcessLock : _EX_PUSH_LOCK
+0x070 CreateTime : _LARGE_INTEGER
+0x078 ExitTime : _LARGE_INTEGER
+0x080 RundownProtect : _EX_RUNDOWN_REF
+0x084 UniqueProcessId: Ptr32 Void
+0x088 ActiveProcessLinks : _LIST_ENTRY
+0x090 QuotaUsage : Uint4B
+0x09c QuotaPeak : Uint4B
+0x0a8 CommitCharge : Uint4B
+0x0ac PeakVirtualSize: Uint4B
+0x0b0 VirtualSize : Uint4B
+0x0b4 SessionProcessLinks : _LIST_ENTRY
+0x0bc DebugPort : Ptr32 Void
+0x0c0 ExceptionPort : Ptr32 Void
+0x0c4 ObjectTable : Ptr32 _HANDLE_TABLE
+0x0c8 Token : _EX_FAST_REF
+0x0cc WorkingSetLock : _FAST_MUTEX
+0x0ec WorkingSetPage : Uint4B
+0x0f0 AddressCreationLock : _FAST_MUTEX
+0x110 HyperSpaceLock : Uint4B
+0x114 ForkInProgress : Ptr32 _ETHREAD
+0x118 HardwareTrigger: Uint4B
+0x11c VadRoot : Ptr32 Void
+0x120 VadHint : Ptr32 Void
+0x124 CloneRoot : Ptr32 Void
+0x128 NumberOfPrivatePages : Uint4B
+0x12c NumberOfLockedPages : Uint4B
+0x130 Win32Process : Ptr32 Void
+0x134 Job : Ptr32 _EJOB
+0x138 SectionObject : Ptr32 Void
+0x13c SectionBaseAddress : Ptr32 Void
+0x140 QuotaBlock : Ptr32 _EPROCESS_QUOTA_BLOCK
+0x144 WorkingSetWatch: Ptr32 _PAGEFAULT_HISTORY
+0x148 Win32WindowStation : Ptr32 Void
+0x14c InheritedFromUniqueProcessId : Ptr32 Void
+0x150 LdtInformation : Ptr32 Void
+0x154 VadFreeHint : Ptr32 Void
+0x158 VdmObjects : Ptr32 Void
+0x15c DeviceMap : Ptr32 Void
+0x160 PhysicalVadList: _LIST_ENTRY
+0x168 PageDirectoryPte : _HARDWARE_PTE
+0x168 Filler : Uint8B
+0x170 Session : Ptr32 Void
+0x174 ImageFileName : UChar
+0x184 JobLinks : _LIST_ENTRY
+0x18c LockedPagesList: Ptr32 Void
+0x190 ThreadListHead : _LIST_ENTRY
+0x198 SecurityPort : Ptr32 Void
+0x19c PaeTop : Ptr32 Void
+0x1a0 ActiveThreads : Uint4B
+0x1a4 GrantedAccess : Uint4B
+0x1a8 DefaultHardErrorProcessing : Uint4B
+0x1ac LastThreadExitStatus : Int4B
+0x1b0 Peb : Ptr32 _PEB
+0x1b4 PrefetchTrace : _EX_FAST_REF
+0x1b8 ReadOperationCount : _LARGE_INTEGER
+0x1c0 WriteOperationCount : _LARGE_INTEGER
+0x1c8 OtherOperationCount : _LARGE_INTEGER
+0x1d0 ReadTransferCount : _LARGE_INTEGER
+0x1d8 WriteTransferCount : _LARGE_INTEGER
+0x1e0 OtherTransferCount : _LARGE_INTEGER
+0x1e8 CommitChargeLimit : Uint4B
+0x1ec CommitChargePeak : Uint4B
+0x1f0 AweInfo : Ptr32 Void
+0x1f4 SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO
+0x1f8 Vm : _MMSUPPORT
+0x238 LastFaultCount : Uint4B
+0x23c ModifiedPageCount : Uint4B
+0x240 NumberOfVads : Uint4B
+0x244 JobStatus : Uint4B
+0x248 Flags : Uint4B
+0x248 CreateReported : Pos 0, 1 Bit
+0x248 NoDebugInherit : Pos 1, 1 Bit
+0x248 ProcessExiting : Pos 2, 1 Bit
+0x248 ProcessDelete : Pos 3, 1 Bit
+0x248 Wow64SplitPages: Pos 4, 1 Bit
+0x248 VmDeleted : Pos 5, 1 Bit
+0x248 OutswapEnabled : Pos 6, 1 Bit
+0x248 Outswapped : Pos 7, 1 Bit
+0x248 ForkFailed : Pos 8, 1 Bit
+0x248 HasPhysicalVad : Pos 9, 1 Bit
+0x248 AddressSpaceInitialized : Pos 10, 2 Bits
+0x248 SetTimerResolution : Pos 12, 1 Bit
+0x248 BreakOnTermination : Pos 13, 1 Bit
+0x248 SessionCreationUnderway : Pos 14, 1 Bit
+0x248 WriteWatch : Pos 15, 1 Bit
+0x248 ProcessInSession : Pos 16, 1 Bit
+0x248 OverrideAddressSpace : Pos 17, 1 Bit
+0x248 HasAddressSpace: Pos 18, 1 Bit
+0x248 LaunchPrefetched : Pos 19, 1 Bit
+0x248 InjectInpageErrors : Pos 20, 1 Bit
+0x248 VmTopDown : Pos 21, 1 Bit
+0x248 Unused3 : Pos 22, 1 Bit
+0x248 Unused4 : Pos 23, 1 Bit
+0x248 VdmAllowed : Pos 24, 1 Bit
+0x248 Unused : Pos 25, 5 Bits
+0x248 Unused1 : Pos 30, 1 Bit
+0x248 Unused2 : Pos 31, 1 Bit
+0x24c ExitStatus : Int4B
+0x250 NextPageColor : Uint2B
+0x252 SubSystemMinorVersion : UChar
+0x253 SubSystemMajorVersion : UChar
+0x252 SubSystemVersion : Uint2B
+0x254 PriorityClass : UChar
+0x255 WorkingSetAcquiredUnsafe : UChar
+0x258 Cookie : Uint4B
<span style="color: rgb(51, 0, 51);">//转贴
最近研究某驱动DebugPort清零,学习了使用Windbg查看_EPROCESS结构地址,采用Syser下断查找清零代码。
下面主要写下Windbg查看进程的_EPROCESS结构,便以后查阅。
大家知道,每一个进程都对应一个_EPROCESS结构,我们如何确定一个进程的_EPROCESS地址呢?以notepad.exe为例
使用Windbg的Kernel Debug,输入命令
lkd> !process 0 0 //查看当前进程
PROCESS 8a5e7088 SessionId: 0 Cid: 0ff0 Peb: 7ffdd000 ParentCid: 0324
DirBase: 0ac40520 ObjectTable: e1a13a30 HandleCount: 65.
Image: windbg.exe
PROCESS 882f2650 SessionId: 0 Cid: 07d8 Peb: 7ffd7000 ParentCid: 0324
DirBase: 0ac404e0 ObjectTable: e506af88 HandleCount: 48.
Image: notepad.exe
。。。。。
可以看到 PROCESS 882f2650,882f2650就是notepad.exe的_EPROCESS结构地址
lkd> dt _eprocess 882f2650 //查看notepad.exe的_EPROCESS
nt!_EPROCESS
+0x000 Pcb : _KPROCESS
+0x06c ProcessLock : _EX_PUSH_LOCK
+0x070 CreateTime : _LARGE_INTEGER 0x1cb68eb`1575a5ee
+0x078 ExitTime : _LARGE_INTEGER 0x0
+0x080 RundownProtect : _EX_RUNDOWN_REF
+0x084 UniqueProcessId : 0x000007d8 Void
+0x088 ActiveProcessLinks : _LIST_ENTRY [ 0x805648b8 - 0x8a5e7110 ]
+0x090 QuotaUsage : 0xc58
+0x09c QuotaPeak : 0x1080
+0x0a8 CommitCharge : 0x220
+0x0ac PeakVirtualSize : 0x2453000
+0x0b0 VirtualSize : 0x22bf000
+0x0b4 SessionProcessLinks : _LIST_ENTRY [ 0xba632014 - 0x8a5e713c ]
+0x0bc DebugPort : (null)
+0x0c0 ExceptionPort : 0xe1be7658 Void
+0x0c4 ObjectTable : 0xe506af88 _HANDLE_TABLE
+0x0c8 Token : _EX_FAST_REF
+0x0cc WorkingSetLock : _FAST_MUTEX
+0x0ec WorkingSetPage : 0x7bbc2
+0x0f0 AddressCreationLock : _FAST_MUTEX
+0x110 HyperSpaceLock : 0
+0x114 ForkInProgress : (null)
+0x118 HardwareTrigger : 0
+0x11c VadRoot : 0x8a626df0 Void
+0x120 VadHint : 0x88380130 Void
+0x124 CloneRoot : (null)
_EPROCESS + bc处为Debugprot地址,可以使用Syser下断
bpm 882f2650+bc w 断在notepad.exe的DebugPort处,如有对它的处理就会断住。。</span>
//转贴
如果是直接来要最终结果的,请绕行,这里只对debugport 清零代码进行逆向。
由于TX会Anti Windbg,用上次的方法后,Windbg能很好的跑起来,但是作者还是热衷于单机调试,在一次偶然的情况下,发现TX没有对SyserDebugger进行anti,这里膜拜下syserdebugger的作者,该调试器据说是作者一人开发,而该作者对内核的熟悉程度,让人有点想流口水。
不管是windbg还是syserdbg, 你都可以下 对EPROCESS+0xbc的写入断点。
windbg ba w addr
syser bpm addr w
这里我们看到syser是兼容了softice指令的。下断后很快就会被断下,可见debugport被清零之频繁。
syser debugger 的菜单有时候会不灵,暂时只能用命令了。 u eip-40.
我们可以清晰的看到tessafe.sys如何对DebugPort清零的
mov edi, edi
push ebp
mov ebp, esp
push ecx
push ebx
xor ebx, ebx
cmp dword ptr , 5
push esi
mov byte ptr , 1
jne short B1DCB575
cmp dword ptr , ebx
mov byte ptr , 1
je short B1DCB578
mov byte ptr , bl
mov ecx, B1DD90B0
call dword ptr [<&hal.KfAcquireSpinLock>]
mov esi, dword ptr
cmp esi, B1DD8F60
mov byte ptr , al
je B1DCB61B
mov byte ptr , bl
push edi
mov ecx, dword ptr
mov ecx, dword ptr
lea edx, dword ptr
add ecx, dword ptr
xor eax, eax
xchg dword ptr , eax
cmp byte ptr , bl
je short B1DCB610
cmp byte ptr , bl
mov ecx, dword ptr
mov eax, dword ptr
mov ecx, dword ptr
mov edi, dword ptr
je short B1DCB5E0
cmp edi, ebx
jne short B1DCB610
mov ecx, dword ptr
mov ecx, dword ptr
cmp dword ptr , 103
je short B1DCB610
jmp short B1DCB5F2
mov ecx, dword ptr
mov ecx, dword ptr
cmp dword ptr , ebx
jne short B1DCB610
cmp edi, ebx
jne short B1DCB610
mov eax, dword ptr
mov ecx, dword ptr
mov dword ptr , eax
mov dword ptr , ecx
mov eax, B1DD529C
or ecx, FFFFFFFF
lock xadd dword ptr , ecx
push ebx
push edx
call dword ptr [<&ntoskrnl.ExFreePoolWithTag>]
mov esi, dword ptr
cmp esi, B1DD8F60
jne short B1DCB59C
pop edi
mov dl, byte ptr
mov ecx, B1DD90B0
call dword ptr [<&hal.KfReleaseSpinLock>]
mov al, byte ptr
pop esi
pop ebx
leave
retn
int3
int3
int3
int3
int3
int3
就这了。。。突然好累,不想写了。。。。 将那个指针改掉,不能改代码
新版dxxxxfffefefe 对原来的校验非常严格,这个方法已经早就行不通了,只有按照tufuzi说的,修复受影响的函数
页:
[1]