   +0x4f8 KeAlignmentFixupCount : Uint4B
   +0x4fc KeContextSwitches : Uint4B
   +0x500 KeDcacheFlushCount : Uint4B
   +0x504 KeExceptionDispatchCount : Uint4B
   +0x508 KeFirstLevelTbFills : Uint4B
   +0x50c KeFloatingEmulationCount : Uint4B
   +0x510 KeIcacheFlushCount : Uint4B
   +0x514 KeSecondLevelTbFills : Uint4B
   +0x518 KeSystemCalls    : Uint4B
   +0x51c SpareCounter0    : [1] Uint4B
   +0x520 PPLookasideList  : [16] _PP_LOOKASIDE_LIST
   +0x5a0 PPNPagedLookasideList : [32] _PP_LOOKASIDE_LIST
   +0x6a0 PPPagedLookasideList : [32] _PP_LOOKASIDE_LIST
   +0x7a0 PacketBarrier    : Uint4B
   +0x7a4 ReverseStall     : Uint4B
   +0x7a8 IpiFrame         : Ptr32 Void
   +0x7ac PrcbPad2         : [52] UChar
   +0x7e0 CurrentPacket    : [3] Ptr32 Void
   +0x7ec TargetSet        : Uint4B
   +0x7f0 WorkerRoutine    : Ptr32     void 
   +0x7f4 IpiFrozen        : Uint4B
   +0x7f8 PrcbPad3         : [40] UChar
   +0x820 RequestSummary   : Uint4B
   +0x824 SignalDone       : Ptr32 _KPRCB
   +0x828 PrcbPad4         : [56] UChar
   +0x860 DpcListHead      : _LIST_ENTRY
   +0x868 DpcStack         : Ptr32 Void
   +0x86c DpcCount         : Uint4B
   +0x870 DpcQueueDepth    : Uint4B
   +0x874 DpcRoutineActive : Uint4B
   +0x878 DpcInterruptRequested : Uint4B
   +0x87c DpcLastCount     : Uint4B
   +0x880 DpcRequestRate   : Uint4B
   +0x884 MaximumDpcQueueDepth : Uint4B
   +0x888 MinimumDpcRate   : Uint4B
   +0x88c QuantumEnd       : Uint4B
   +0x890 PrcbPad5         : [16] UChar
   +0x8a0 DpcLock          : Uint4B
   +0x8a4 PrcbPad6         : [28] UChar
   +0x8c0 CallDpc          : _KDPC
   +0x8e0 ChainedInterruptList : Ptr32 Void
   +0x8e4 LookasideIrpFloat : Int4B
   +0x8e8 SpareFields0     : [6] Uint4B
   +0x900 VendorString     : [13] UChar
   +0x90d InitialApicId    : UChar
   +0x90e LogicalProcessorsPerPhysicalProcessor : UChar
   +0x910 MHz              : Uint4B
   +0x914 FeatureBits      : Uint4B
   +0x918 UpdateSignature  : _LARGE_INTEGER
   +0x920 NpxSaveArea      : _FX_SAVE_AREA
   +0xb30 PowerState       : _PROCESSOR_POWER_STATE

5。CurrentThread偏移0x44处对应于ApcState.Process（ApcState 位于 +0x034，其中 Process 位于 +0x010，合计 +0x044），即当前进程。
lkd> dt _kthread
ntdll!_KTHREAD
   +0x000 Header           : _DISPATCHER_HEADER
   +0x010 MutantListHead   : _LIST_ENTRY
   +0x018 InitialStack     : Ptr32 Void
   +0x01c StackLimit       : Ptr32 Void
   +0x020 Teb              : Ptr32 Void
   +0x024 TlsArray         : Ptr32 Void
   +0x028 KernelStack      : Ptr32 Void
   +0x02c DebugActive      : UChar
   +0x02d State            : UChar
   +0x02e Alerted          : [2] UChar
   +0x030 Iopl             : UChar
   +0x031 NpxState         : UChar
   +0x032 Saturation       : Char
   +0x033 Priority         : Char
   +0x034 ApcState         : _KAPC_STATE
   +0x04c ContextSwitches  : Uint4B
   +0x050 IdleSwapBlock    : UChar
   +0x051 Spare0           : [3] UChar
   +0x054 WaitStatus       : Int4B
   +0x058 WaitIrql         : UChar
   +0x059 WaitMode         : Char
   +0x05a WaitNext         : UChar
   +0x05b WaitReason       : UChar
   +0x05c WaitBlockList    : Ptr32 _KWAIT_BLOCK
   +0x060 WaitListEntry    : _LIST_ENTRY
   +0x060 SwapListEntry    : _SINGLE_LIST_ENTRY
   +0x068 WaitTime         : Uint4B
   +0x06c BasePriority     : Char
   +0x06d DecrementCount   : UChar
   +0x06e PriorityDecrement : Char
   +0x06f Quantum          : Char
   +0x070 WaitBlock        : [4] _KWAIT_BLOCK
   +0x0d0 LegoData         : Ptr32 Void
   +0x0d4 KernelApcDisable : Uint4B
   +0x0d8 UserAffinity     : Uint4B
   +0x0dc SystemAffinityActive : UChar
   +0x0dd PowerState       : UChar
   +0x0de NpxIrql          : UChar
   +0x0df InitialNode      : UChar
   +0x0e0 ServiceTable     : Ptr32 Void
   +0x0e4 Queue            : Ptr32 _KQUEUE
   +0x0e8 ApcQueueLock     : Uint4B
   +0x0f0 Timer            : _KTIMER
   +0x118 QueueListEntry   : _LIST_ENTRY
   +0x120 SoftAffinity     : Uint4B
   +0x124 Affinity         : Uint4B
   +0x128 Preempted        : UChar
   +0x129 ProcessReadyQueue : UChar
   +0x12a KernelStackResident : UChar
   +0x12b NextProcessor    : UChar
   +0x12c CallbackStack    : Ptr32 Void
   +0x130 Win32Thread      : Ptr32 Void
   +0x134 TrapFrame        : Ptr32 _KTRAP_FRAME
   +0x138 ApcStatePointer  : [2] Ptr32 _KAPC_STATE
   +0x140 PreviousMode     : Char
   +0x141 EnableStackSwap  : UChar
   +0x142 LargeStack       : UChar
   +0x143 ResourceIndex    : UChar
   +0x144 KernelTime       : Uint4B
   +0x148 UserTime         : Uint4B
   +0x14c SavedApcState    : _KAPC_STATE
   +0x164 Alertable        : UChar
   +0x165 ApcStateIndex    : UChar
   +0x166 ApcQueueable     : UChar
   +0x167 AutoAlignment    : UChar
   +0x168 StackBase        : Ptr32 Void
   +0x16c SuspendApc       : _KAPC
   +0x19c SuspendSemaphore : _KSEMAPHORE
   +0x1b0 ThreadListEntry  : _LIST_ENTRY
   +0x1b8 FreezeCount      : Char
   +0x1b9 SuspendCount     : Char
   +0x1ba IdealProcessor   : UChar
   +0x1bb DisableBoost     : UChar
lkd> dt _KAPC_STATE
ntdll!_KAPC_STATE
   +0x000 ApcListHead      : [2] _LIST_ENTRY
   +0x010 Process          : Ptr32 _KPROCESS
   +0x014 KernelApcInProgress : UChar
   +0x015 KernelApcPending : UChar
   +0x016 UserApcPending   : UChar

6。在Process偏移0x30处,对应于 IopmOffset。
lkd> dt _KPROCESS
ntdll!_KPROCESS
   +0x000 Header           : _DISPATCHER_HEADER
   +0x010 ProfileListHead  : _LIST_ENTRY
   +0x018 DirectoryTableBase : [2] Uint4B
   +0x020 LdtDescriptor    : _KGDTENTRY
   +0x028 Int21Descriptor  : _KIDTENTRY
   +0x030 IopmOffset       : Uint2B
   +0x032 Iopl             : UChar
   +0x033 Unused           : UChar
   +0x034 ActiveProcessors : Uint4B
   +0x038 KernelTime       : Uint4B
   +0x03c UserTime         : Uint4B
   +0x040 ReadyListHead    : _LIST_ENTRY
   +0x048 SwapListEntry    : _SINGLE_LIST_ENTRY
   +0x04c VdmTrapcHandler  : Ptr32 Void
   +0x050 ThreadListHead   : _LIST_ENTRY
   +0x058 ProcessLock      : Uint4B
   +0x05c Affinity         : Uint4B
   +0x060 StackCount       : Uint2B
   +0x062 BasePriority     : Char
   +0x063 ThreadQuantum    : Char
   +0x064 AutoAlignment    : UChar
   +0x065 State            : UChar
   +0x066 ThreadSeed       : UChar
   +0x067 DisableBoost     : UChar
   +0x068 PowerState       : UChar
   +0x069 DisableQuantum   : UChar
   +0x06a IdealNode        : UChar
   +0x06b Flags            : _KEXECUTE_OPTIONS
   +0x06b ExecuteOptions   : UChar


了解了关键的值,我们把这段汇编代码还原为c的代码如下:
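/*
 * Reconstruction of nt!Ke386SetIoAccessMap (32-bit layout; the offsets come
 * from the `dt` dumps above): copies the caller's I/O permission bitmap into
 * the current processor's TSS and then points the TSS I/O map base at the
 * offset the current process has selected.
 *
 * MapNumber   - map slot; only 1 is accepted (0 and anything above 1 fail).
 * IoAccessMap - bitmap copied into the TSS. The page gives the copy size as
 *               0x800; whether that is bytes or dword units of a rep movsd is
 *               not visible here - confirm against the routine's disassembly.
 * Returns TRUE on success, FALSE for an invalid MapNumber.
 *
 * 0xffdff000 (KPCR) and the TSS/IopmOffset offsets are build-specific values
 * taken from this page's dumps, not a stable interface.
 *
 * Defender note: the observable artifacts of this routine are a non-default
 * KPROCESS.IopmOffset (+0x30) and a TSS IoMapBase that points at a populated
 * map - both are reasonable integrity-check points.
 */
BOOLEAN
Ke386SetIoAccessMap (
    ULONG MapNumber,
    PKIO_ACCESS_MAP IoAccessMap
    )
{
    KIRQL oldIrql;
    PKPCR KiPcr;
    void *pIOPM;

    /* Only map number 1 is valid: 0 means "no map", >1 is out of range.
     * (The original text was missing the closing brace of this block.) */
    if ((MapNumber > 1) || (MapNumber == 0)) {
        return FALSE;
    }

    /* Raise to synch level for the duration of the TSS update. */
    oldIrql = KeRaiseIrqlToSynchLevel();

    KiPcr = (PKPCR)0xffdff000;
    pIOPM = &(KiPcr->TSS->IoMaps[0].IoMap);
    memcpy(pIOPM, IoAccessMap, 0x800);

    /* Publish the process's chosen map offset in the TSS. Per notes 5/6 above
     * the compiled code reaches it as KTHREAD.ApcState.Process (+0x44) ->
     * KPROCESS.IopmOffset (+0x30); PsGetCurrentProcess() stands in for that
     * path here - NOTE(review): it returns PEPROCESS, so this relies on the
     * KPROCESS being at offset 0 of EPROCESS; confirm for the target build. */
    KiPcr->TSS->IoMapBase = PsGetCurrentProcess ()->IopmOffset;

    KfLowerIrql(oldIrql);
    return TRUE;
}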

lkd> u Ke386IoSetAccessProcess l 30
nt!Ke386IoSetAccessProcess:
804f81d4 8bff            mov     edi,edi
804f81d6 55              push    ebp
804f81d7 8bec            mov     ebp,esp
804f81d9 56              push    esi
804f81da 8b750c          mov     esi,dword ptr [ebp+0Ch] //参数2
804f81dd 83fe01          cmp     esi,1
804f81e0 7604            jbe     nt!Ke386IoSetAccessProcess+0x12 (804f81e6) //小于等于1
804f81e2 32c0            xor     al,al
804f81e4 eb48            jmp     nt!Ke386IoSetAccessProcess+0x5a (804f822e) //大于1

804f81e6 85f6            test    esi,esi
804f81e8 7507            jne     nt!Ke386IoSetAccessProcess+0x1d (804f81f1) ; //参数2!=0
804f81ea beac200000      mov     esi,20ACh
804f81ef eb0c            jmp     nt!Ke386IoSetAccessProcess+0x29 (804f81fd)

804f81f1 69f624200000    imul    esi,esi,2024h
804f81f7 81ee9c1f0000    sub     esi,1F9Ch

804f81fd ff158c864d80    call    dword ptr [nt!_imp__KeRaiseIrqlToSynchLevel (804d868c)]
804f8203 8ac8            mov     cl,al
804f8205 8b4508          mov     eax,dword ptr [ebp+8]
804f8208 8b5034          mov     edx,dword ptr [eax+34h]
804f820b 66897030        mov     word ptr [eax+30h],si   //Process->IopmOffset
804f820f 3ea120f0dfff    mov     eax,dword ptr ds:[FFDFF020h]
804f8215 855014          test    dword ptr [eax+14h],edx
804f8218 740c            je      nt!Ke386IoSetAccessProcess+0x52 (804f8226)

804f821a b800f0dfff      mov     eax,0FFDFF000h
804f821f 8b4040          mov     eax,dword ptr [eax+40h]
804f8222 66897066        mov     word ptr [eax+66h],si
804f8226 ff151c874d80    call    dword ptr [nt!_imp_KfLowerIrql (804d871c)]
804f822c b001            mov     al,1
804f822e 5e              pop     esi
804f822f 5d              pop     ebp
804f8230 c20800          ret     8
804f8233 cc              int     3
还原为c的代码如下:
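/*
 * Reconstruction of nt!Ke386IoSetAccessProcess from the disassembly above
 * (32-bit; struct offsets from the `dt` dumps): records which I/O map the
 * process uses and, when the process is active on this processor, publishes
 * that offset in the TSS I/O map base.
 *
 * Process   - target KPROCESS; its IopmOffset (+0x30) is overwritten.
 * MapNumber - 0 selects the "no map" offset 0x20AC; 1 selects
 *             MapNumber * 0x2024 - 0x1F9C; anything above 1 is rejected.
 * Returns TRUE on success, FALSE when MapNumber > 1.
 *
 * Changes from the earlier reconstruction: the multiply by MapNumber
 * (imul esi,esi,2024h) is kept, the processor-membership check is a bit test
 * (test ...,edx / je) rather than an inequality, and Process is a PKPROCESS
 * so ActiveProcessors is read directly rather than through Pcb.
 */
BOOLEAN  Ke386IoSetAccessProcess (
    PKPROCESS Process,
    ULONG MapNumber
    )
{
    WORD IOPMoffset;
    KIRQL oldIrql;
    PKPCR KiPcr;

    /* cmp esi,1 / jbe: any value above 1 fails. */
    if (MapNumber > 1)
    {
        return FALSE;
    }

    if (MapNumber == 0)
    {
        /* mov esi,20ACh */
        IOPMoffset = 0x20AC;
    }
    else
    {
        /* imul esi,esi,2024h / sub esi,1F9Ch. Only MapNumber == 1 reaches
         * this branch (giving 0x88), but the multiply is in the instruction
         * stream, so keep it so the C matches the code. */
        IOPMoffset = (WORD)(MapNumber * 0x2024 - 0x1F9C);
    }

    oldIrql = KeRaiseIrqlToSynchLevel();

    /* mov word ptr [eax+30h],si -> KPROCESS.IopmOffset */
    Process->IopmOffset = IOPMoffset;

    KiPcr = (PKPCR)0xffdff000;
    /* mov eax,ds:[FFDFF020h] / test [eax+14h],edx / je: update the live TSS
     * only if this processor's bit is set in the process's ActiveProcessors
     * (+0x34). [eax+14h] is named SetMember in the earlier reconstruction;
     * NOTE(review): the KPRCB dump above starts past +0x14, so confirm that
     * field name against `dt _KPRCB`. */
    if (KiPcr->Prcb->SetMember & Process->ActiveProcessors)
    {
        /* mov eax,[KPCR+40h] (TSS) / mov word ptr [eax+66h],si (IoMapBase) */
        KiPcr->TSS->IoMapBase = IOPMoffset;
    }

    KfLowerIrql(oldIrql);
    return TRUE;
}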

后面贴上一个著名的代码porttalk,供大家学习。
