zsqin 发表于 2011-8-13 15:07:50

教你WIN7 X64位系统 SSDT函数获得

曾经在网上看到一片文章,

在早期64位系统,内核函数开头地址的低四位一般是0,形如:xxxxxxxx`xxxxxxx0,这一特征在SSDT表中有很强的应用,SSDT表在64位系统与32位系统有较大的差别。以下是在64位系统下的KeServiceDescriptorTable:
kd> dp KeServiceDescriptorTable
fffff800`0117bb80  fffff800`01076e00 00000000`00000000
fffff800`0117bb90  00000000`00000128 00000000`00000000
表的第二项与第四项都为0,这两项在32位系统下分别对应ServiceCounterTableBase与ParamTableBase。SSDT表还是同32位系统每4字节表示一项,由于函数的起始地址最低四位都是0,所以微软将SSDT中的低四位用来记录这个函数有多少个参数。并且由于表的每一项都为四个字节,保存的就不可能是绝对地址,而是相对KeServiceDescriptorTable表的地址。所以地址计算方法如下:FuncAddr=(SSDT表项值+KeServiceDescriptortable)&0xFFFFFFF0。用公式,尝试了一下,果然找到了正确的地址。

不过到了WIN7 X64下又有所改变。
nt!KiSystemServiceStart+0x7:
fffff800`03cc7fe5 8bf8            mov   edi,eax ; copy system service number
kd> p
nt!KiSystemServiceStart+0x9:
fffff800`03cc7fe7 c1ef07          shr   edi,7   ; isolate service table number(SERVICE_TABLE_SHIFT)
kd> p
nt!KiSystemServiceStart+0xc:
fffff800`03cc7fea 83e720          and   edi,20h ;(SERVICE_TABLE_MASK)
kd> p
nt!KiSystemServiceStart+0xf:
fffff800`03cc7fed 25ff0f0000      and   eax,0FFFh ;(SERVICE_NUMBER_MASK )isolate service table offset 0fffh
kd> r
rax=0000000000000138 rbx=fffffa800edc0100 rcx=0000000000000084
rdx=0000000000000000 rsi=00000000002a8490 rdi=0000000000000000
rip=fffff80003cc7fed rsp=fffff8800245dc20 rbp=fffff8800245dca0
r8=0000000000000001 r9=0000000000000001 r10=0000000000000084
r11=0000000000000206 r12=00000000772c4420 r13=0000000000000000
r14=00000000772c4400 r15=00000000772c4498
iopl=0         nv up ei pl zr na po nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
nt!KiSystemServiceStart+0xf:
fffff800`03cc7fed 25ff0f0000      and   eax,0FFFh
kd> p
nt!KiSystemServiceRepeat:
fffff800`03cc7ff2 4c8d1547782300  lea     r10,[nt!KeServiceDescriptorTable (fffff800`03eff840)]
kd> r
rax=0000000000000138 rbx=fffffa800edc0100 rcx=0000000000000084
rdx=0000000000000000 rsi=00000000002a8490 rdi=0000000000000000
rip=fffff80003cc7ff2 rsp=fffff8800245dc20 rbp=fffff8800245dca0
r8=0000000000000001 r9=0000000000000001 r10=0000000000000084
r11=0000000000000206 r12=00000000772c4420 r13=0000000000000000
r14=00000000772c4400 r15=00000000772c4498
iopl=0         nv up ei pl nz na pe nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
nt!KiSystemServiceRepeat:
fffff800`03cc7ff2 4c8d1547782300  lea     r10,[nt!KeServiceDescriptorTable (fffff800`03eff840)]
kd> p
nt!KiSystemServiceRepeat+0x7:
fffff800`03cc7ff9 4c8d1d80782300  lea     r11,[nt!KeServiceDescriptorTableShadow (fffff800`03eff880)]
kd> p
nt!KiSystemServiceRepeat+0xe:
fffff800`03cc8000 f7830001000080000000 test    dword ptr [rbx+100h],80h
kd> r
rax=0000000000000138 rbx=fffffa800edc0100 rcx=0000000000000084
rdx=0000000000000000 rsi=00000000002a8490 rdi=0000000000000000
rip=fffff80003cc8000 rsp=fffff8800245dc20 rbp=fffff8800245dca0
r8=0000000000000001 r9=0000000000000001 r10=fffff80003eff840
r11=fffff80003eff880 r12=00000000772c4420 r13=0000000000000000
r14=00000000772c4400 r15=00000000772c4498
iopl=0         nv up ei pl nz na pe nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
nt!KiSystemServiceRepeat+0xe:
fffff800`03cc8000 f7830001000080000000 test    dword ptr [rbx+100h],80h ds:002b:fffffa80`0edc0200=00000060
kd> db fffff800`03eff840
fffff800`03eff840  00 9b cc 03 00 f8 ff ff-00 00 00 00 00 00 00 00  ................
fffff800`03eff850  91 01 00 00 00 00 00 00-8c a7 cc 03 00 f8 ff ff  ................
fffff800`03eff860  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
fffff800`03eff870  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
fffff800`03eff880  00 9b cc 03 00 f8 ff ff-00 00 00 00 00 00 00 00  ................
fffff800`03eff890  91 01 00 00 00 00 00 00-8c a7 cc 03 00 f8 ff ff  ................
fffff800`03eff8a0  00 1c 0e 00 60 f9 ff ff-00 00 00 00 00 00 00 00  ....`...........
fffff800`03eff8b0  3b 03 00 00 00 00 00 00-1c 39 0e 00 60 f9 ff ff  ;........9..`...
kd> p
nt!KiSystemServiceRepeat+0x18:
fffff800`03cc800a 4d0f45d3        cmovne  r10,r11
kd> p
nt!KiSystemServiceRepeat+0x1c:
fffff800`03cc800e 423b441710      cmp     eax,dword ptr [rdi+r10+10h] ;check if valid service
kd> r
rax=0000000000000138 rbx=fffffa800edc0100 rcx=0000000000000084
rdx=0000000000000000 rsi=00000000002a8490 rdi=0000000000000000
rip=fffff80003cc800e rsp=fffff8800245dc20 rbp=fffff8800245dca0
r8=0000000000000001 r9=0000000000000001 r10=fffff80003eff840
r11=fffff80003eff880 r12=00000000772c4420 r13=0000000000000000
r14=00000000772c4400 r15=00000000772c4498
iopl=0         nv up ei pl zr na po nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
nt!KiSystemServiceRepeat+0x1c:
fffff800`03cc800e 423b441710      cmp     eax,dword ptr [rdi+r10+10h] ds:002b:fffff800`03eff850=00000191
kd> p
nt!KiSystemServiceRepeat+0x21:
fffff800`03cc8013 0f83e9020000    jae   nt!KiSystemServiceExit+0x1a7 (fffff800`03cc8302)
kd> p
nt!KiSystemServiceRepeat+0x27:
fffff800`03cc8019 4e8b1417        mov     r10,qword ptr [rdi+r10] ;table base
kd> p
nt!KiSystemServiceRepeat+0x2b:
fffff800`03cc801d 4d631c82        movsxd  r11,dword ptr [r10+rax*4] ; get system service offset
kd> r
rax=0000000000000138 rbx=fffffa800edc0100 rcx=0000000000000084
rdx=0000000000000000 rsi=00000000002a8490 rdi=0000000000000000
rip=fffff80003cc801d rsp=fffff8800245dc20 rbp=fffff8800245dca0
r8=0000000000000001 r9=0000000000000001 r10=fffff80003cc9b00
r11=fffff80003eff880 r12=00000000772c4420 r13=0000000000000000
r14=00000000772c4400 r15=00000000772c4498
iopl=0         nv up ei ng nz na pe cy
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00000283
nt!KiSystemServiceRepeat+0x2b:
fffff800`03cc801d 4d631c82        movsxd  r11,dword ptr [r10+rax*4] ds:002b:fffff800`03cc9fe0=000f3080
kd> p
nt!KiSystemServiceRepeat+0x2f:
fffff800`03cc8021 498bc3          mov   rax,r11 ; system service offset
kd> r
rax=0000000000000138 rbx=fffffa800edc0100 rcx=0000000000000084
rdx=0000000000000000 rsi=00000000002a8490 rdi=0000000000000000
rip=fffff80003cc8021 rsp=fffff8800245dc20 rbp=fffff8800245dca0
r8=0000000000000001 r9=0000000000000001 r10=fffff80003cc9b00
r11=00000000000f3080 r12=00000000772c4420 r13=0000000000000000
r14=00000000772c4400 r15=00000000772c4498
iopl=0         nv up ei ng nz na pe cy
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00000283
nt!KiSystemServiceRepeat+0x2f:
fffff800`03cc8021 498bc3          mov   rax,r11
kd> p
nt!KiSystemServiceRepeat+0x32:
fffff800`03cc8024 49c1fb04      sar   r11,4 ;关键所在 ,还得再右移4位
kd> p
nt!KiSystemServiceRepeat+0x36:
fffff800`03cc8028 4d03d3          add     r10,r11 ; add table base to offset,获得真正的函数地址
kd> r
rax=00000000000f3080 rbx=fffffa800edc0100 rcx=0000000000000084
rdx=0000000000000000 rsi=00000000002a8490 rdi=0000000000000000
rip=fffff80003cc8028 rsp=fffff8800245dc20 rbp=fffff8800245dca0
r8=0000000000000001 r9=0000000000000001 r10=fffff80003cc9b00
r11=000000000000f308 r12=00000000772c4420 r13=0000000000000000
r14=00000000772c4400 r15=00000000772c4498
iopl=0         nv up ei pl nz na pe nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
nt!KiSystemServiceRepeat+0x36:
fffff800`03cc8028 4d03d3          add   r10,r11
kd> p
nt!KiSystemServiceRepeat+0x39:
fffff800`03cc802b 83ff20          cmp   edi,20h
kd> r
rax=00000000000f3080 rbx=fffffa800edc0100 rcx=0000000000000084
rdx=0000000000000000 rsi=00000000002a8490 rdi=0000000000000000
rip=fffff80003cc802b rsp=fffff8800245dc20 rbp=fffff8800245dca0
r8=0000000000000001 r9=0000000000000001 r10=fffff80003cd8e08
r11=000000000000f308 r12=00000000772c4420 r13=0000000000000000
r14=00000000772c4400 r15=00000000772c4498
iopl=0         nv up ei ng nz na pe nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00000282
nt!KiSystemServiceRepeat+0x39:
fffff800`03cc802b 83ff20          cmp   edi,20h
kd> u fffff80003cd8e08
nt!NtReleaseWorkerFactoryWorker:
fffff800`03cd8e08 4c8bdc          mov   r11,rsp
fffff800`03cd8e0b 49895b08        mov     qword ptr [r11+8],rbx
fffff800`03cd8e0f 49896b18        mov     qword ptr [r11+18h],rbp
fffff800`03cd8e13 49897320        mov     qword ptr [r11+20h],rsi
fffff800`03cd8e17 57            push    rdi
fffff800`03cd8e18 4154            push    r12
fffff800`03cd8e1a 4155            push    r13
fffff800`03cd8e1c 4883ec60      sub   rsp,60h
kd> p
nt!KiSystemServiceRepeat+0x3c:
fffff800`03cc802e 7550            jne   nt!KiSystemServiceGdiTebAccess+0x49 (fffff800`03cc8080)
kd> p
nt!KiSystemServiceGdiTebAccess+0x49:
fffff800`03cc8080 83e00f          and   eax,0Fh
kd> p
nt!KiSystemServiceGdiTebAccess+0x4c:
fffff800`03cc8083 0f84b7000000    je      nt!KiSystemServiceCopyEnd (fffff800`03cc8140)
kd> p
nt!KiSystemServiceCopyEnd:
fffff800`03cc8140 f705fee4180040000000 test dword ptr ,40h
kd> p
nt!KiSystemServiceCopyEnd+0xa:
fffff800`03cc814a 0f8550020000    jne   nt!KiSystemServiceExit+0x245 (fffff800`03cc83a0)
kd> p
nt!KiSystemServiceCopyEnd+0x10:
fffff800`03cc8150 41ffd2          call    r10 ; call system service
所以WIN7 X64下应该是:FuncAddr=(SSDT表项值>>4 +KeServiceDescriptortable)&0xFFFFFFF0。(从上面的寄存器可以看到,实际相加的基址是 KeServiceDescriptorTable 第一项 ServiceTableBase,本例为 fffff800`03cc9b00,即 r10 在 add 之前的值。)而且和以前不同的是,原来是从ETHREAD里取TABLE 地址,但现在通过 lea   r10,[nt!KeServiceDescriptorTable] 直接取表地址,扑灭了ROOTKITER们的最后一线HOOK 希望。

cooby 发表于 2013-9-28 10:32:49

呵呵,我是进来帮顶一下的哈,辛苦了。。

cooby 发表于 2013-9-28 16:44:37

扯淡啊,感觉你在开玩笑啊。

cooby 发表于 2013-9-28 16:44:57

呵呵看看 就 OK 不下啦~。~辛苦了。

cooby 发表于 2013-9-28 16:45:28

谢谢楼主,好久没看到这么好的贴了。

yanbo8806 发表于 2013-10-1 17:24:34

帖子不错,顶一个

yanbo8806 发表于 2013-10-1 18:16:35

灌水喽,哇哈哈,

yanbo8806 发表于 2013-10-2 00:21:49

看流星社区总规则 Ver 2.0

qq412158094 发表于 2019-3-28 14:41:39

支持楼主,支持看流星社区,以后我会经常来!

qq412158094 发表于 2019-3-28 15:46:00

支持楼主,支持看流星社区,以后我会经常来!