<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<title>A First Look at Windows CE</title>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<meta name="Keywords" content="安全焦点, xfocus, 陷阱网络, honeynet, honeypot, 调查取证, forensic, 入侵检测, intrusion detection, 无线安全, wireless security, 安全论坛, security forums, 安全工具, security tools, 攻击程序, exploits, 安全公告, security advisories, 安全漏洞, security vulnerabilities, 安全教程, security tutorials, 安全培训, security training, 安全帮助, security help, 安全标准, security standards, 安全代码, security code, 安全资源, security resources, 安全编程, security programming, 加密, cryptography,arm" />
<link rel="stylesheet" href="../../css/plone.css" type="text/css">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<table class="columns">
<tr>
<td class="main">
<h1>A First Look at Windows CE</h1><br>Created: 2004-11-05 Updated: 2004-12-06<br>Article type: original<br>Submitted by: <a href='https://www.xfocus.net/bbs/index.php?lang=cn&act=Profile&do=03&MID=2'>san</a> (san_at_xfocus.org)<br><br>Compiled by: san<br />
Created: 2004.10.17<br />
Updated: 2004.11.09<br />
<br />
--[ 1. Introduction to ARM<br />
<br />
Judging from Platform Builder, Windows CE supports a large number of CPUs, but almost every PDA actually on sale today uses an ARM chip. ARM is a 32-bit RISC microprocessor with 16 registers visible at any one time, r0-r15. r0-r7 are general-purpose registers that can be used for any purpose; r8-r12 are also general-purpose, but when the processor switches to FIQ mode their shadow registers are used instead; the last three are special registers:<br />
<br />
r13 (sp) - stack pointer<br />
r14 (lr) - link register<br />
r15 (pc/psr) - program counter/status register<br />
<br />
IDA Pro and debuggers both display these by their aliases. Like other RISC instruction sets, ARM instructions fall mainly into branch instructions, load and store instructions, and other instructions. Apart from load and store, no instruction can operate on memory directly, and because the load and store instructions operate on 4-byte quantities, memory addresses must be 4-byte aligned. This is one of the larger differences between RISC and CISC, and it makes string handling comparatively awkward. One interesting feature of ARM is that the pc register can be accessed and modified directly, so shellcode does not need several instructions to locate itself the way it does on SPARC or PowerPC.<br />
<br />
In addition, the byte order Windows CE uses by default is little-endian.<br />
<br />
--[ 2. Windows CE Kernel Structure<br />
<br />
Windows CE is a 32-bit operating system, so its virtual address space is 4GB (2 to the power of 32). Windows CE splits this 4GB of virtual memory into a lower 2GB and an upper 2GB. Applications use the lower 2GB; the upper 2GB is reserved for the Windows CE kernel. The header file PRIVATE/WINCEOS/COREOS/NK/INC/nkarm.h in the Windows CE 3.0 source contains some interesting information:<br />
<br />
/* High memory layout<br />
*<br />
* This structure is mapped in at the end of the 4GB virtual<br />
* address space.<br />
*<br />
* 0xFFFD0000 - first level page table (uncached) (2nd half is r/o)<br />
* 0xFFFD4000 - disabled for protection<br />
* 0xFFFE0000 - second level page tables (uncached)<br />
* 0xFFFE4000 - disabled for protection<br />
* 0xFFFF0000 - exception vectors<br />
* 0xFFFF0400 - not used (r/o)<br />
* 0xFFFF1000 - disabled for protection<br />
* 0xFFFF2000 - r/o (physical overlaps with vectors)<br />
* 0xFFFF2400 - Interrupt stack (1k)<br />
* 0xFFFF2800 - r/o (physical overlaps with Abort stack & FIQ stack)<br />
* 0xFFFF3000 - disabled for protection<br />
* 0xFFFF4000 - r/o (physical memory overlaps with vectors & intr. stack & FIQ stack)<br />
* 0xFFFF4900 - Abort stack (2k - 256 bytes)<br />
* 0xFFFF5000 - disabled for protection<br />
* 0xFFFF6000 - r/o (physical memory overlaps with vectors & intr. stack)<br />
* 0xFFFF6800 - FIQ stack (256 bytes)<br />
* 0xFFFF6900 - r/o (physical memory overlaps with Abort stack)<br />
* 0xFFFF7000 - disabled<br />
* 0xFFFFC000 - kernel stack<br />
* 0xFFFFC800 - KDataStruct<br />
* 0xFFFFCC00 - disabled for protection (2nd level page table for 0xFFF00000)<br />
*/<br />
<br />
typedef struct ARM_HIGH {<br />
ulong firstPT[4096]; // 0xFFFD0000: 1st level page table<br />
PAGETBL aPT[16]; // 0xFFFD4000: 2nd level page tables<br />
char reserved2[0x20000-0x4000-16*sizeof(PAGETBL)];<br />
<br />
char exVectors[0x400]; // 0xFFFF0000: exception vectors<br />
char reserved3[0x2400-0x400];<br />
<br />
char intrStack[0x400]; // 0xFFFF2400: interrupt stack<br />
char reserved4[0x4900-0x2800];<br />
<br />
char abortStack[0x700]; // 0xFFFF4900: abort stack<br />
char reserved5[0x6800-0x5000];<br />
<br />
char fiqStack[0x100]; // 0xFFFF6800: FIQ stack<br />
char reserved6[0xC000-0x6900];<br />
<br />
char kStack[0x800]; // 0xFFFFC000: kernel stack<br />
struct KDataStruct kdata; // 0xFFFFC800: kernel data page<br />
} ARM_HIGH;<br />
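As an added example (not part of the original article or of nkarm.h), the following C model of ARM_HIGH derives each field's address from offsetof and sizeof rather than from the comment, so the two can be checked against each other, and names the documented region that a given high-memory address falls in. The sizes of PAGETBL and KDataStruct are assumptions, since the page does not reproduce them.<br />

```c
/* Added example, not from the article or nkarm.h: rebuild ARM_HIGH with real sizes and
 * check that the reserved padding puts each field at the address in the layout comment. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define ARM_HIGH_BASE 0xFFFD0000u  /* where ARM_HIGH is mapped, per the layout comment */
/* Assumption: a 2nd-level ARM page table is 256 x 4-byte descriptors (1 KB); reserved2
 * absorbs sizeof(PAGETBL), so exVectors lands at +0x20000 whatever the real size is. */
typedef struct { uint32_t desc[256]; } PAGETBL;
/* Assumption: KDataStruct is sized 0x400 so it ends at 0xFFFFCC00, the comment's next entry. */
struct KDataStruct { char body[0x400]; };

typedef struct ARM_HIGH {
    uint32_t firstPT[4096];                  /* 0xFFFD0000: 1st level page table */
    PAGETBL  aPT[16];                        /* 0xFFFD4000: 2nd level page tables */
    char     reserved2[0x20000 - 0x4000 - 16 * sizeof(PAGETBL)];
    char     exVectors[0x400];               /* 0xFFFF0000: exception vectors */
    char     reserved3[0x2400 - 0x400];
    char     intrStack[0x400];               /* 0xFFFF2400: interrupt stack */
    char     reserved4[0x4900 - 0x2800];
    char     abortStack[0x700];              /* 0xFFFF4900: abort stack */
    char     reserved5[0x6800 - 0x5000];
    char     fiqStack[0x100];                /* 0xFFFF6800: FIQ stack */
    char     reserved6[0xC000 - 0x6900];
    char     kStack[0x800];                  /* 0xFFFFC000: kernel stack */
    struct KDataStruct kdata;                /* 0xFFFFC800: kernel data page */
} ARM_HIGH;

/* Region table derived from offsetof/sizeof, not copied from the comment, so the two can be compared. */
#define REGION(label, field) \
    { label, ARM_HIGH_BASE + (uint32_t)offsetof(ARM_HIGH, field), (uint32_t)sizeof(((ARM_HIGH *)0)->field) }
static const struct { const char *name; uint32_t start, size; } regions[] = {
    REGION("1st level page table", firstPT),  REGION("2nd level page tables", aPT),
    REGION("exception vectors", exVectors),   REGION("interrupt stack", intrStack),
    REGION("abort stack", abortStack),        REGION("FIQ stack", fiqStack),
    REGION("kernel stack", kStack),           REGION("KDataStruct", kdata),
};
#define NREGIONS (sizeof regions / sizeof regions[0])
/* Start address of the i-th table entry (0 = firstPT ... 7 = kdata); 0 if out of range. */
uint32_t arm_high_start(size_t i) { return i < NREGIONS ? regions[i].start : 0; }

/* Name the documented region holding addr; the gaps are the comment's "disabled"/"r/o" pages. */
const char *arm_high_region(uint32_t addr)
{
    if (addr < ARM_HIGH_BASE) return "below ARM_HIGH";
    for (size_t i = 0; i < NREGIONS; i++)
        if (addr >= regions[i].start && addr - regions[i].start < regions[i].size)
            return regions[i].name;
    return "disabled or read-only page";
}
```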
<br />
Among these, the KDataStruct structure is very important and interesting; somewhat like the PEB under Win32, it defines all kinds of key system information:<br />
<br />
struct KDataStruct {<br />
LPDWORD lpvTls; /* 0x000 Current thread local storage pointer */<br />
HANDLE ahSys[NUM_SYS_HANDLES]; /* 0x004 If this moves, change kapi.h */<br />
// NUM_SYS_HANDLES == 32 : PUBLIC/COMMON/SDK/INC/kfuncs.h<br />
0x004 SH_WIN32<br />
0x008 SH_CURTHREAD<br />
0x00c SH_CURPROC<br />
0x010 SH_KWIN32<br />
0x044 SH_GDI<br />
0x048 SH_WMGR<br />
0x04c SH_WNET<br />
0x050 SH_COMM<br />
0x054 SH_FILESYS_APIS<br />
0x058 SH_SHELL<br />
0x05c SH_DEVMGR_APIS<br />
0x060 SH_TAPI<br />
0x064 SH_PATCHER<br />
0x06c SH_SERVICES<br />
<br />
char bResched; /* 0x084 reschedule flag */<br />
char cNest; /* 0x085 kernel exception nesting */<br />
char bPowerOff; /* 0x086 TRUE during "power off" processing */<br />
char bProfileOn; /* 0x087 TRUE if profiling enabled */<br />
ulong unused; /* 0x088 unused */<br />
ulong rsvd2; /* 0x08c was DiffMSec */<br />
PPROCESS pCurPrc; /* 0x090 ptr to current PROCESS struct */<br />
PTHREAD pCurThd; /* 0x094 ptr to current THREAD struct */<br />
DWORD dwKCRes; /* 0x098 */<br />
ulong handleBase; /* 0x09c handle table base address */<br />
PSECTION aSections[64]; /* 0x0a0 section table for virtual memory */<br />
LPEVENT alpeIntrEvents[SYSINTR_MAX_DEVICES];/* 0x1a0 */<br />
LPVOID alpvIntrData[SYSINTR_MAX_DEVICES]; /* 0x220 */<br />
ulong pAPIReturn; /* 0x2a0 direct API return address for kernel mode */<br />