Lesson 1: Getting past TP to debug the kernel
Hi everyone, I am 嘲笑鳥. Today we cover lesson 1: using IDA to debug Windows after DXF has been started. We only study reverse engineering; if you use this to do something bad, it has nothing to do with me. If you want to learn, join our QQ group, and if you find this a little helpful, please scan the code and sponsor a bit, thank you. Later I will publish ... to help newcomers.

CE ... DXF ... TP hooks SwapContext and IDT 0E ... the page table. Once the page table has been swapped, accessing that memory goes wrong, that is, an exception (a page fault) is raised. The CPU first enters the handler of IDT entry 0E; since IDT 0E is hooked by TP, control lands in TP's function, which hands the real page table to the protected process and otherwise hands you a page table that may be csrss.exe's, so what you end up with is csrss.exe's memory. Plenty of articles already cover this, so no more chatter.

Because DXF is protected, we need a debugger that can get past its protection. We choose IDA + GDB + VMware. My VMware is version ... (just go and get it). IDA 6.8 ... OK. Remember to select ...; also, it is best to uninstall IDA completely before installing it again.

First edit the .vmx file:

    debugStub.listen.guest64 = "TRUE"
    debugStub.hideBreakpoints = "TRUE"
    debugStub.listen.guest64.remote = "TRUE"
    monitor.debugOnStartGuest64 = "TRUE"

Then start the virtual machine. Open IDA and attach its GDB debugger to localhost ..., OK.

Jump to the kernel function SwapContext and there is nothing there, because the symbols of the kernel modules have not been loaded yet, so we need to write an IDA script to load them. This is an IDA script: whichever modules' symbols you want to see, add them to this list, copy those modules out of the guest system into a folder of your choice, and set that folder path here. Remember to save. Then go back to IDA and run it; click Yes, it appears once more, click Yes again.

Now look at SwapContext in IDA:

    ntoskrnl.exe:FFFFF80003CDF230 SwapContext proc near          ; CODE XREF: KiSwapContext+75 p ...
    ntoskrnl.exe:FFFFF80003CDF230 var_3C = dword ptr -3Ch
    ntoskrnl.exe:FFFFF80003CDF230 var_18 = qword ptr -18h
    ntoskrnl.exe:FFFFF80003CDF230 var_10 = byte ptr -10h
    ntoskrnl.exe:FFFFF80003CDF230 var_8  = qword ptr -8
    ntoskrnl.exe:FFFFF80003CDF230     sub     rsp, 38h
    ntoskrnl.exe:FFFFF80003CDF234     mov     [rsp+38h+var_8], rbp
    ntoskrnl.exe:FFFFF80003CDF239     prefetchw byte ptr [rsi+49h]
    ntoskrnl.exe:FFFFF80003CDF23D     mov     [rsp+38h+var_10], cl
    ntoskrnl.exe:FFFFF80003CDF241     cmp     byte ptr [rsi+49h], 0
    ntoskrnl.exe:FFFFF80003CDF245     jnz     ...
    ntoskrnl.exe:FFFFF80003CDF24B                                 ; CODE XREF: SwapContext+28B j
    ntoskrnl.exe:FFFFF80003CDF24B     push    ...
    ntoskrnl.exe:FFFFF80003CDF250     mov     [rsp+40h+var_3C], 0FFFFF880h
    ntoskrnl.exe:FFFFF80003CDF258     retn

SwapContext signature bytes (bytes dropped in this copy are shown as ..):

    48 83 EC 38 48 89 6C .. 30 0F 0D 4E 49 88 4C .. 28 80 7E 49 00 0F 85 .. 02 00 00 68 00 00 F6 ..

Here we find that SwapContext has already been hooked by TP. The push / mov [rsp+4] / retn at FFFFF80003CDF24B is the hook: the push supplies the low dword of a 64-bit address (the 68 00 00 F6 .. in the bytes above), the mov supplies the high dword 0FFFFF880h, and the retn "returns" to FFFFF88003F60000, where the next listing begins. The instructions there are junk whose only purpose is to hide where the hook (retn, jump, call) really goes, so that you cannot work out the destination statically; just single-step.

    MEMORY:FFFFF88003F60000     push    rax
    MEMORY:FFFFF88003F60001     mov     rax, 5874688005123458h
    MEMORY:FFFFF88003F6000B     sub     rsp, 8
    MEMORY:FFFFF88003F6000F     mov     [rsp], rax
    MEMORY:FFFFF88003F60013     xor     [rsp], rdx
    MEMORY:FFFFF88003F60017     call    loc_FFFFF88003F6002C
    MEMORY:FFFFF88003F6001C     mov     [rsi-1], ebp
    MEMORY:FFFFF88003F6001F     and     eax, cs:dword_FFFFF87F8CF60025
    MEMORY:FFFFF88003F60025     dword ptr ...

Signature bytes of this stub:

    50 48 B8 58 34 12 05 .. 68 74 58 48 83 EC 08 89 04 24 48 31 14 24 .. 10 00 00 00 89 6E FF

(mov [rsp], rax encodes as 48 89 04 24; the REX byte is dropped in this copy.) The bytes after the call are never executed as written, because the callee consumes its own return address, so IDA's decoding of them (mov [rsi-1], ebp; and eax, ...) is junk.

Still junk instructions; keep single-stepping into the call at FFFFF88003F6002C:

    MEMORY:FFFFF88003F6002C loc_FFFFF88003F6002C:           ; CODE XREF: MEMORY:FFFFF88003F60017 p
    MEMORY:FFFFF88003F6002C     mov     rax, 587468800193C03Ch
    MEMORY:FFFFF88003F60036     xor     [rsp], rax
    MEMORY:FFFFF88003F6003A     mov     rax, [rsp]
    MEMORY:FFFFF88003F6003E     add     rsp, 8
    MEMORY:FFFFF88003F60042     xor     rax, rdx
    MEMORY:FFFFF88003F60045     xor     [rsp], rax
    MEMORY:FFFFF88003F60049     mov     rax, [rsp]
    MEMORY:FFFFF88003F6004D     xor     rax, [rsp+8]
    MEMORY:FFFFF88003F60052     mov     [rsp], rax
    MEMORY:FFFFF88003F60056     mov     rax, [rsp+8]
    MEMORY:FFFFF88003F6005B     xor     rax, [rsp]
    MEMORY:FFFFF88003F6005F     mov     [rsp+8], rax
    MEMORY:FFFFF88003F60064     mov     rax, [rsp]
    MEMORY:FFFFF88003F60068     xor     rax, [rsp+8]
    MEMORY:FFFFF88003F6006D     mov     [rsp], rax
    MEMORY:FFFFF88003F60071     mov     rax, [rsp]
    MEMORY:FFFFF88003F60075     add     rsp, 8
    MEMORY:FFFFF88003F60079     retn

This call is really the final jump in disguise, buried under a pile of xor instructions meant to derail your analysis. Read it through once and it is simple: the slot that was pushed at FFFFF88003F6000F holds 5874688005123458h xor rdx; the callee xors its return address with 587468800193C03Ch, xors that with rdx again and folds it into the same slot, so the two rdx terms cancel and the slot now holds 5874688005123458h xor 587468800193C03Ch xor FFFFF88003F6001Ch = FFFFF8800777F478h, independent of any register. The three-xor sequence at FFFFF88003F60049..FFFFF88003F6006D swaps that slot with the rax saved at FFFFF88003F60000, the last mov rax, [rsp] restores rax, and retn pops the computed address. Single-stepping confirms it: we land in the real function at ...F478:

    ...F478     mov     byte ptr [rsi+49h], 1
    ...F47C     cli
    ...F47D     rdtsc
    ...F47F     ...     rdx, ...
    ...F483     or      rax, rdx
    ...F486     pushfq
    (the rest of this listing, which works on rax, rsp, dword ptr [rsp+4] and cr3, is garbled in this copy; the surviving bytes 5D 5E 5F 41 58 41 59 .. 5A 41 5B 41 5C 41 5D are a run of pops: rbp, rsi, rdi, r8, r9, ..., r11, r12, r13)

After the call it checks whether the call's result is 0: non-zero means CR3 is replaced with that page table; 0 means no replacement is needed. The call goes to FFFFF88007614684 (sub_FFFFF88007614684; its disassembly is garbled in this copy). Pressing F5 on it gives:

    void *__fastcall sub_FFFFF88007614684(void *a1)
    {
      int v1;        // eax@1
      void **v2;     // rdx@2
      void *result;  // ...

      v1 = ...;
      if ( dword_FFFFF880077F4EE0 <= 0 )
      {
        result = ...;
      }
      else
      {
        v2 = off_FFFFF880077F4ED8 + ...;
        while ( a1 != *(v2 - 2) && a1 != *v2 )
        {
          v2 += ...;
          if ( ...v1 >= dword_FFFFF880077F4EE0 )
            goto LABEL_6;
        }
        result = off_FFFFF880077F4ED8[1551 * ...];
      }
    LABEL_6:
      return result;
    }

IDA's F5 is superb here: one key turns it back into C. Before pressing F5 you need to turn the code into a function (Create Function) ... My guess is that the array holds the page-table addresses of a few processes; if a match is found, it is handed a page table, otherwise nothing is handed over. That completes the analysis of the SwapContext hook.

In the same way we can analyze where the IDT 0E hook jumps. Note that you need to read IDTR from the GDB command line (ridtr); IDA shows the base address 0xfffffa..., and entry 0E is at base + 0xE * 0x10. Jumping there in IDA at first shows no assembly instructions at all; just Create Function and its true face appears. Then we find that these instructions are once again junk meant to keep the final address from you.

Assembly at the start of the IDT 0E handler:

    MEMORY:FFFFF88003F58000     push    rax
    MEMORY:FFFFF88003F58001     mov     rax, 0FFFFF880076DF058h
    MEMORY:FFFFF88003F5800B     sub     rsp, 8
    MEMORY:FFFFF88003F5800F     mov     [rsp], rax
    MEMORY:FFFFF88003F58013     xor     [rsp], rdx
    MEMORY:FFFFF88003F58017     call    loc_FFFFF88003F5802C    // address of the call
    MEMORY:FFFFF88003F5801C     mov     [rsi-1], ebp
    MEMORY:FFFFF88003F5801F     and     eax, cs:dword_FFFFF87F8CF58025
    MEMORY:FFFFF88003F58025     dword ptr ...

IDT 0E signature bytes:

    50 48 B8 58 F0 6D 07 .. F8 FF FF 48 83 EC 08 89 04 24 48 31 14 24 .. 10 00 00 00 89 6E FF

We follow the same method as for SwapContext: set a breakpoint and single-step into the call at the IDT 0E handler's call address:

    MEMORY:FFFFF88003F5802C loc_FFFFF88003F5802C:           ; CODE XREF: MEMORY:FFFFF88003F58017 p
    MEMORY:FFFFF88003F5802C     mov     rax, 0FFFFF880076D004Ch
    MEMORY:FFFFF88003F58036     xor     [rsp], rax
    MEMORY:FFFFF88003F5803A     mov     rax, [rsp]
    MEMORY:FFFFF88003F5803E     add     rsp, 8
    MEMORY:FFFFF88003F58042     xor     rax, rdx
    MEMORY:FFFFF88003F58045     xor     [rsp], rax
    MEMORY:FFFFF88003F58049     mov     rax, [rsp]
    MEMORY:FFFFF88003F5804D     xor     rax, [rsp+8]
    MEMORY:FFFFF88003F58052     mov     [rsp], rax
    MEMORY:FFFFF88003F58056     mov     rax, [rsp+8]
    MEMORY:FFFFF88003F5805B     xor     rax, [rsp]
    MEMORY:FFFFF88003F5805F     mov     [rsp+8], rax
    MEMORY:FFFFF88003F58064     mov     rax, [rsp]
    MEMORY:FFFFF88003F58068     xor     rax, [rsp+8]
    MEMORY:FFFFF88003F5806D     mov     [rsp], rax
    MEMORY:FFFFF88003F58071     mov     rax, [rsp]
    MEMORY:FFFFF88003F58075     add     rsp, 8
    MEMORY:FFFFF88003F58079     retn

Signature bytes of the IDT 0E call target:

    48 B8 4C 00 6D 07 80 .. FF FF 48 31 04 24 48 .. 04 24 48 83 C4 08 48 .. C2 48 31 04 24 48 8B

This is exactly the call we saw before, there only to hide where it goes; by the same arithmetic it resolves to 0FFFFF880076DF058h xor 0FFFFF880076D004Ch xor FFFFF88003F5801Ch = FFFFF88003F57008h. Keep single-stepping and that is where we land:

    MEMORY:FFFFF88003F57008     push    rbp
    MEMORY:FFFFF88003F57009     push    rax
    MEMORY:FFFFF88003F5700A     push    rbx
    MEMORY:FFFFF88003F5700B     pushfq
    MEMORY:FFFFF88003F5700C     push    rdi
    MEMORY:FFFFF88003F5700D     mov     rdi, rsp
    MEMORY:FFFFF88003F57010     lea     rax, [rsp+80h]
    MEMORY:FFFFF88003F57018     call    loc_FFFFF88003F5725F
    MEMORY:FFFFF88003F5701D     cmp     rax, 0
    MEMORY:FFFFF88003F57021     jnz     loc_FFFFF88003F57137
    MEMORY:FFFFF88003F57027     pop     ...
    MEMORY:FFFFF88003F57028     popfq
    MEMORY:FFFFF88003F57029     pop     ...
    MEMORY:FFFFF88003F5702A     pop     ...
    MEMORY:FFFFF88003F5702B     iretw

    55 50 53 9C 57 48 8B .. 48 8D 84 24 80 00 00 00 E8 42 02 00 00 48 83 .. 00 0F 85 10 01 00 00

Keep single-stepping into this function, loc_FFFFF88003F5725F:

    MEMORY:FFFFF88003F5725F loc_FFFFF88003F5725F:           ; CODE XREF: MEMORY:FFFFF88003F57018 p
    MEMORY:FFFFF88003F5725F     add     rdi, 80h
    MEMORY:FFFFF88003F57266     xor     rax, rdi
    MEMORY:FFFFF88003F57269     cmp     rax, 0
    MEMORY:FFFFF88003F5726D     mov     rdi, rax
    MEMORY:FFFFF88003F57270     lea     rbx, [rsp+48h]
    MEMORY:FFFFF88003F57275     pop     rdi
    MEMORY:FFFFF88003F57276     jz      loc_FFFFF88003F570B1
    MEMORY:FFFFF88003F5727C     mov     [rsi-1], ebp
    MEMORY:FFFFF88003F5727F     ...     eax, ...
    MEMORY:FFFFF88003F57285     dword ptr ...

    48 81 C7 80 00 00 00 .. 33 C7 48 83 F8 00 48 .. F8 48 8D 5C 24 48 5F .. 84 35 FE FF FF 89 6E

Keep single-stepping to the next block:

    MEMORY:FFFFF88003F570B1 loc_FFFFF88003F570B1:           ; CODE XREF: MEMORY:FFFFF88003F57276 j
    MEMORY:FFFFF88003F570B1     mov     rax, cs:off_FFFFF88003F57294
    MEMORY:FFFFF88003F570B8     mov     rbx, rax
    MEMORY:FFFFF88003F570BB     mov     rax, 8000000000000000h
    MEMORY:FFFFF88003F570C5     test    rax, rdi
    MEMORY:FFFFF88003F570C8     jnz     short loc_FFFFF88003F570DA
    MEMORY:FFFFF88003F570CA     mov     [rdi+45h], esp
    MEMORY:FFFFF88003F570CD     ...     eax, ...

    48 8B 05 DC 01 00 00 .. 8B D8 48 B8 00 00 00 ..

Keep single-stepping to the next block:

    MEMORY:FFFFF88003F570DA loc_FFFFF88003F570DA:           ; CODE XREF: MEMORY:FFFFF88003F570C8 j
    MEMORY:FFFFF88003F570DA     mov     rdi, 1
    MEMORY:FFFFF88003F570E1     mov     rax, cs:off_FFFFF88003F5729C
    MEMORY:FFFFF88003F570E8     jmp     short loc_FFFFF88003F57122

    48 C7 C7 01 00 00 00 .. 8B 05 B4 01 00 00 EB ..

Keep single-stepping to the next block:

    MEMORY:FFFFF88003F57122 loc_FFFFF88003F57122:           ; CODE XREF: MEMORY:FFFFF88003F570E8 j
    MEMORY:FFFFF88003F57122     xor     rbx, rax
    MEMORY:FFFFF88003F57125     mov     [rsp+20h], rbx
    MEMORY:FFFFF88003F5712A     test    rdi, 1
    MEMORY:FFFFF88003F57131     jnz     loc_FFFFF88003F57053
    MEMORY:FFFFF88003F57137 loc_FFFFF88003F57137:           ; CODE XREF: MEMORY:FFFFF88003F57021 j
    MEMORY:FFFFF88003F57137     mov     [rbp-1], ebp
    MEMORY:FFFFF88003F5713A     and     eax, cs:dword_FFFFF87F8CF57140
    MEMORY:FFFFF88003F57140     adc     [ecx], esp
    MEMORY:FFFFF88003F57143     add     eax, [rax]

    48 33 D8 48 89 5C 24 .. 48 F7 C7 01 00 00 00 .. 85 1C FF FF FF 89 6D .. 23 05 00 00 00 89 67

Keep single-stepping to the next block:

    MEMORY:FFFFF88003F57053 loc_FFFFF88003F57053:           ; CODE XREF: MEMORY:FFFFF88003F57131 j
    MEMORY:FFFFF88003F57053     pop     rdi
    MEMORY:FFFFF88003F57054     popfq
    MEMORY:FFFFF88003F57055     pop     rbx
    MEMORY:FFFFF88003F57056     jmp     short loc_FFFFF88003F57059
    MEMORY:FFFFF88003F57059 loc_FFFFF88003F57059:           ; CODE XREF: MEMORY:FFFFF88003F57056 j
    MEMORY:FFFFF88003F57059     pop     rax
    MEMORY:FFFFF88003F5705A     retn

    5F 9D 5B EB 01 FF 58 .. CC

Read together, this second stage is a chain of opaque predicates rather than real decisions. rdi was set to rsp and rax to rsp+80h before the call, and loc_FFFFF88003F5725F adds 80h to rdi, so rax xor rdi is always 0 and the jz at FFFFF88003F57276 is always taken; the pop rdi at FFFFF88003F57275 has meanwhile swallowed the call's return address, whose top bit is set, so the test at FFFFF88003F570C5 is non-zero and the jnz at FFFFF88003F570C8 is always taken; FFFFF88003F570DA then sets rdi to 1, so the jnz at FFFFF88003F57131 is always taken as well. The cmp / jnz / iretw path after the call at FFFFF88003F5701D is never reached, because the callee never returns. What the chain actually does is compute off_FFFFF88003F57294 xor off_FFFFF88003F5729C and store it at [rsp+20h], which after the five pushes at FFFFF88003F57008 is the slot holding the saved rbp; FFFFF88003F57053 pops rdi, the flags, rbx and rax, and its retn pops that slot, so the real handler address is the xor of those two stored pointers. Keep single-stepping and we finally see its true face:

    ...ACE      ...     r15, rax, [rsp+88h+arg_8], rax, rax, ... short ..., rax, rax, r9, r8, rax, rdx, rcx, rsp, ...
    MEMORY:FFFFF88007641301     call    near ptr unk_FFFFF...
    MEMORY:FFFFF88007641306     add     rsp, 30h
    ...A                        ...     al, ...
    ...F                        ...
    MEMORY:FFFFF88007641315     add     [rsp+88h+arg_0], 6
    ...E                        jmp     ...

Haha, this looks familiar. Knowing that an IDT handler always begins by saving the context, this is the true face of it: TP itself works on csrss.exe's memory. So tiring; we are finally almost done, but only
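The two-stage trampolines at FFFFF88003F60000 and FFFFF88003F58000 above can be resolved offline, without single-stepping, because the rdx term cancels and the final address is just the two immediates xored with the call's return address. The C program below is an added example, not TP's code and not from the original slides. It rebuilds the byte image of the SwapContext stub from the listing above (the never-executed junk after the call is not shown on the page and is padded with 0xCC as a placeholder), pattern-matches both stages to pull out the immediates and the call displacement, and separately walks the stack operations step by step to show that the caller's rax comes back intact. The function names, the sample rax/rdx values and the 0xCC padding are my choices, not anything TP does.

```c
/* Decoding TP's two-stage xor trampoline offline.
 * Added example, not TP's code and not from the original slides.
 * The byte image is reconstructed from the listing of the stub at
 * FFFFF88003F60000; the junk after the call is not shown on the page
 * and is padded with 0xCC (int3) as a placeholder. */
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static const uint64_t STUB_VA = 0xFFFFF88003F60000ULL;
static const uint8_t stub[] = {
    /* stage 1, +00h */
    0x50,                                              /* push rax */
    0x48,0xB8,0x58,0x34,0x12,0x05,0x80,0x68,0x74,0x58, /* mov rax, 5874688005123458h */
    0x48,0x83,0xEC,0x08,                               /* sub rsp, 8 */
    0x48,0x89,0x04,0x24,                               /* mov [rsp], rax */
    0x48,0x31,0x14,0x24,                               /* xor [rsp], rdx */
    0xE8,0x10,0x00,0x00,0x00,                          /* call +2Ch (return address is +1Ch) */
    0x89,0x6E,0xFF,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC, /* +1Ch: junk, never executed */
    0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,                     /* (placeholder padding) */
    /* stage 2, +2Ch */
    0x48,0xB8,0x3C,0xC0,0x93,0x01,0x80,0x68,0x74,0x58, /* mov rax, 587468800193C03Ch */
    0x48,0x31,0x04,0x24,                               /* xor [rsp], rax   (mangle return address) */
    0x48,0x8B,0x04,0x24,                               /* mov rax, [rsp] */
    0x48,0x83,0xC4,0x08,                               /* add rsp, 8 */
    0x48,0x33,0xC2,                                    /* xor rax, rdx */
    0x48,0x31,0x04,0x24,                               /* xor [rsp], rax   (second rdx cancels the first) */
    0x48,0x8B,0x04,0x24,0x48,0x33,0x44,0x24,0x08,0x48,0x89,0x04,0x24,      /* xor-swap [rsp] <-> [rsp+8] */
    0x48,0x8B,0x44,0x24,0x08,0x48,0x33,0x04,0x24,0x48,0x89,0x44,0x24,0x08,
    0x48,0x8B,0x04,0x24,0x48,0x33,0x44,0x24,0x08,0x48,0x89,0x04,0x24,
    0x48,0x8B,0x04,0x24,                               /* mov rax, [rsp]  (restore caller's rax) */
    0x48,0x83,0xC4,0x08,                               /* add rsp, 8 */
    0xC3                                               /* retn -> real target */
};

static uint64_t rd_u64(const uint8_t *p) {              /* little-endian imm64 */
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | p[i];
    return v;
}
static int32_t rd_i32(const uint8_t *p) {               /* little-endian rel32 */
    return (int32_t)((uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                     ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24));
}

/* Pattern-match both stages of the trampoline found at virtual address `va`
 * and return the address its final retn lands on, or 0 if the bytes do not
 * have the expected shape (so a changed layout fails loudly, not wrongly). */
uint64_t tp_trampoline_target(const uint8_t *code, size_t len, uint64_t va)
{
    /* stage 1: 50 | 48 B8 imm64 | 48 83 EC 08 | 48 89 04 24 | 48 31 14 24 | E8 rel32 */
    static const uint8_t s1_tail[] = {0x48,0x83,0xEC,0x08, 0x48,0x89,0x04,0x24,
                                      0x48,0x31,0x14,0x24, 0xE8};
    if (len < 0x1C || code[0] != 0x50 || code[1] != 0x48 || code[2] != 0xB8) return 0;
    if (memcmp(code + 0x0B, s1_tail, sizeof s1_tail) != 0) return 0;
    uint64_t c1 = rd_u64(code + 3);
    uint64_t ret_va = va + 0x1C;                        /* what the call pushes */
    int64_t callee = 0x1C + (int64_t)rd_i32(code + 0x18);
    if (callee < 0 || (size_t)callee + 14 > len) return 0;
    /* stage 2: 48 B8 imm64 | 48 31 04 24 */
    const uint8_t *c = code + callee;
    static const uint8_t s2_tail[] = {0x48,0x31,0x04,0x24};
    if (c[0] != 0x48 || c[1] != 0xB8 || memcmp(c + 10, s2_tail, 4) != 0) return 0;
    uint64_t c2 = rd_u64(c + 2);
    return c1 ^ c2 ^ ret_va;                            /* rdx cancels, see below */
}

/* Literal step-by-step model of the stack operations, to show that the
 * target is c1 ^ c2 ^ return-address whatever rdx holds, and that the
 * caller's rax is handed back unchanged. st[sp] models [rsp]. */
uint64_t emulate_tp_trampoline(uint64_t c1, uint64_t c2, uint64_t ret_va,
                               uint64_t rax, uint64_t rdx, uint64_t *rax_out)
{
    uint64_t st[4]; int sp = 4;                 /* sp == 4: empty stack */
    st[--sp] = rax;                             /* push rax */
    rax = c1; st[--sp] = rax; st[sp] ^= rdx;    /* mov rax,c1; sub rsp,8; mov [rsp],rax; xor [rsp],rdx */
    st[--sp] = ret_va;                          /* call: push return address */
    rax = c2; st[sp] ^= rax;                    /* mov rax,c2; xor [rsp],rax */
    rax = st[sp]; sp++;                         /* mov rax,[rsp]; add rsp,8 */
    rax ^= rdx; st[sp] ^= rax;                  /* xor rax,rdx; xor [rsp],rax -> c1^c2^ret */
    rax = st[sp] ^ st[sp + 1]; st[sp] = rax;    /* xor-swap [rsp] and [rsp+8] */
    rax = st[sp + 1] ^ st[sp]; st[sp + 1] = rax;
    rax = st[sp] ^ st[sp + 1]; st[sp] = rax;
    rax = st[sp]; sp++;                         /* mov rax,[rsp]; add rsp,8 -> original rax */
    uint64_t target = st[sp++];                 /* retn */
    assert(sp == 4);                            /* stack is balanced on exit */
    *rax_out = rax;
    return target;
}

int main(void)
{
    uint64_t rax_out;
    uint64_t t = tp_trampoline_target(stub, sizeof stub, STUB_VA);
    uint64_t e = emulate_tp_trampoline(0x5874688005123458ULL, 0x587468800193C03CULL,
                                       STUB_VA + 0x1C, 0x1122334455667788ULL,
                                       0xDEADBEEFCAFEBABEULL, &rax_out);
    printf("SwapContext hook -> %016llx (emulated %016llx, rax preserved: %s)\n",
           (unsigned long long)t, (unsigned long long)e,
           rax_out == 0x1122334455667788ULL ? "yes" : "no");
    /* The IDT 0E stub at FFFFF88003F58000 has the same layout; only the immediates differ. */
    e = emulate_tp_trampoline(0xFFFFF880076DF058ULL, 0xFFFFF880076D004CULL,
                              0xFFFFF88003F5801CULL, 0, 0, &rax_out);
    printf("IDT 0E hook      -> %016llx\n", (unsigned long long)e);
    return 0;
}
```

Build with any C99 compiler and run; it prints FFFFF8800777F478 for the SwapContext hook and FFFFF88003F57008 for the IDT 0E hook, the two addresses the single-stepping above arrives at. Against a live guest you would read the bytes out of IDA's debugger memory and pass the stub's virtual address as `va`; a return of 0 means the layout no longer matches the signature and the result must not be trusted.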