加工厂: 2018

2018年5月1日星期二

手工替换进程的令牌

标题:在内核调试器下给进程提权.

前言:
安全的一个重要话题是权限.
对于操作系统而言,其重要的安全就是两个:
1.进程(用户)自身的权限,即令牌.
2.对象自身的权限,如:文件,注册表,进程,线程,互斥体等.
3.以及和上面相关的结构.

但是对于CPU来说还有另外一个概念的权限,如:常说的ring0,cs代码段的内存的属性等.

另外还有漏洞,

另外还有网络,加密,通讯等的安全.

另外还有各种意义上的非技术的安全.

闲话不多,进入正题.

--------------------------------------------------------------------------------------------------

打开一个cmd.exe,在里面输入whoami,显示如下:
C:\Users\Administrator>whoami
desktop-aps5qst\administrator

挂上内核调试器,进行如下操作:

查看进程的令牌和system进程的令牌信息.

0: kd> vertarget
Windows 10 Kernel Version 16299 MP (4 procs) Free x64
Built by: 16299.15.amd64fre.rs3_release.170928-1534
Machine Name:
Kernel base = 0xfffff801`b020e000 PsLoadedModuleList = 0xfffff801`b056fff0
Debug session time: Fri Feb 23 08:55:50.166 2018 (UTC + 8:00)
System Uptime: 0 days 0:17:06.651
0: kd> dt nt!_eprocess token 
   +0x358 Token : _EX_FAST_REF
0: kd> dt _EX_FAST_REF
ntdll!_EX_FAST_REF
   +0x000 Object           : Ptr64 Void
   +0x000 RefCnt           : Pos 0, 4 Bits
   +0x000 Value            : Uint8B
0: kd> !process 0 0 system
PROCESS ffff9c804d0b9040
    SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 001aa000  ObjectTable: ffffc201774031c0  HandleCount: 2336.
    Image: System
0: kd> dq ffff9c804d0b9040+358 L1
ffff9c80`4d0b9398  ffffc201`7741804a
0: kd> ? ffffc201`7741804a & ffffffff`fffffff0
Evaluate expression: -68163425173440 = ffffc201`77418040
0: kd> !token ffffc201`77418040
_TOKEN 0xffffc20177418040
TS Session ID: 0
User: S-1-5-18
User Groups: 
 00 S-1-5-32-544
    Attributes - Default Enabled Owner 
 01 S-1-1-0
    Attributes - Mandatory Default Enabled 
 02 S-1-5-11
    Attributes - Mandatory Default Enabled 
 03 S-1-16-16384
    Attributes - GroupIntegrity GroupIntegrityEnabled 
Primary Group: S-1-5-18
Privs: 
 02 0x000000002 SeCreateTokenPrivilege            Attributes - 
 03 0x000000003 SeAssignPrimaryTokenPrivilege     Attributes - 
 04 0x000000004 SeLockMemoryPrivilege             Attributes - Enabled Default 
 05 0x000000005 SeIncreaseQuotaPrivilege          Attributes - 
 07 0x000000007 SeTcbPrivilege                    Attributes - Enabled Default 
 08 0x000000008 SeSecurityPrivilege               Attributes - 
 09 0x000000009 SeTakeOwnershipPrivilege          Attributes - 
 10 0x00000000a SeLoadDriverPrivilege             Attributes - 
 11 0x00000000b SeSystemProfilePrivilege          Attributes - Enabled Default 
 12 0x00000000c SeSystemtimePrivilege             Attributes - 
 13 0x00000000d SeProfileSingleProcessPrivilege   Attributes - Enabled Default 
 14 0x00000000e SeIncreaseBasePriorityPrivilege   Attributes - Enabled Default 
 15 0x00000000f SeCreatePagefilePrivilege         Attributes - Enabled Default 
 16 0x000000010 SeCreatePermanentPrivilege        Attributes - Enabled Default 
 17 0x000000011 SeBackupPrivilege                 Attributes - 
 18 0x000000012 SeRestorePrivilege                Attributes - 
 19 0x000000013 SeShutdownPrivilege               Attributes - 
 20 0x000000014 SeDebugPrivilege                  Attributes - Enabled Default 
 21 0x000000015 SeAuditPrivilege                  Attributes - Enabled Default 
 22 0x000000016 SeSystemEnvironmentPrivilege      Attributes - 
 23 0x000000017 SeChangeNotifyPrivilege           Attributes - Enabled Default 
 25 0x000000019 SeUndockPrivilege                 Attributes - 
 28 0x00000001c SeManageVolumePrivilege           Attributes - 
 29 0x00000001d SeImpersonatePrivilege            Attributes - Enabled Default 
 30 0x00000001e SeCreateGlobalPrivilege           Attributes - Enabled Default 
 31 0x00000001f SeTrustedCredManAccessPrivilege   Attributes - 
 32 0x000000020 SeRelabelPrivilege                Attributes - 
 33 0x000000021 SeIncreaseWorkingSetPrivilege     Attributes - Enabled Default 
 34 0x000000022 SeTimeZonePrivilege               Attributes - Enabled Default 
 35 0x000000023 SeCreateSymbolicLinkPrivilege     Attributes - Enabled Default 
 36 0x000000024 SeDelegateSessionUserImpersonatePrivilege  Attributes - Enabled Default 
Authentication ID:         (0,3e7)
Impersonation Level:       Anonymous
TokenType:                 Primary
Source: *SYSTEM*           TokenFlags: 0x2000 ( Token in use )
Token ID: 3eb              ParentToken ID: 0
Modified ID:               (0, 3ec)
RestrictedSidCount: 0      RestrictedSids: 0x0000000000000000
OriginatingLogonSession: 0
PackageSid: (null)
CapabilityCount: 0      Capabilities: 0x0000000000000000
LowboxNumberEntry: 0x0000000000000000
Security Attributes:
Invalid AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION with no claims
Process Token TrustLevelSid: S-1-19-1024-8192

查看cmd.exe进程的令牌信息.

0: kd> !process 0 0 cmd.exe
PROCESS ffff9c804e97f080
    SessionId: 1  Cid: 10a4    Peb: fc49f44000  ParentCid: 1224
    DirBase: 9d213000  ObjectTable: ffffc201852a6900  HandleCount:  43.
    Image: cmd.exe
0: kd> dq ffff9c804e97f080+358 L1
ffff9c80`4e97f3d8  ffffc201`80ee306b
0: kd> ? ffffc201`80ee306b & ffffffff`fffffff0
Evaluate expression: -68163262861216 = ffffc201`80ee3060
0: kd> !token ffffc201`80ee3060
_TOKEN 0xffffc20180ee3060
TS Session ID: 0x1
User: S-1-5-21-4121102992-2463281863-3266931683-500
User Groups: 
 00 S-1-5-21-4121102992-2463281863-3266931683-513
    Attributes - Mandatory Default Enabled 
 01 S-1-1-0
    Attributes - Mandatory Default Enabled 
 02 S-1-5-114
    Attributes - DenyOnly 
 03 S-1-5-21-4121102992-2463281863-3266931683-1000
    Attributes - Mandatory Default Enabled 
 04 S-1-5-32-544
    Attributes - DenyOnly 
 05 S-1-5-32-545
    Attributes - Mandatory Default Enabled 
 06 S-1-5-4
    Attributes - Mandatory Default Enabled 
 07 S-1-2-1
    Attributes - Mandatory Default Enabled 
 08 S-1-5-11
    Attributes - Mandatory Default Enabled 
 09 S-1-5-15
    Attributes - Mandatory Default Enabled 
 10 S-1-5-113
    Attributes - Mandatory Default Enabled 
 11 S-1-5-5-0-263777
    Attributes - Mandatory Default Enabled LogonId 
 12 S-1-2-0
    Attributes - Mandatory Default Enabled 
 13 S-1-5-64-10
    Attributes - Mandatory Default Enabled 
 14 S-1-16-8192
    Attributes - GroupIntegrity GroupIntegrityEnabled 
Primary Group: S-1-5-21-4121102992-2463281863-3266931683-513
Privs: 
 19 0x000000013 SeShutdownPrivilege               Attributes - 
 23 0x000000017 SeChangeNotifyPrivilege           Attributes - Enabled Default 
 25 0x000000019 SeUndockPrivilege                 Attributes - 
 33 0x000000021 SeIncreaseWorkingSetPrivilege     Attributes - 
 34 0x000000022 SeTimeZonePrivilege               Attributes - 
Authentication ID:         (0,40725)
Impersonation Level:       Anonymous
TokenType:                 Primary
Source: User32             TokenFlags: 0x2a00 ( Token in use )
Token ID: 327462           ParentToken ID: 40728
Modified ID:               (0, 40731)
RestrictedSidCount: 0      RestrictedSids: 0x0000000000000000
OriginatingLogonSession: 3e7
PackageSid: (null)
CapabilityCount: 0      Capabilities: 0x0000000000000000
LowboxNumberEntry: 0x0000000000000000
Security Attributes:
Unable to get the offset of nt!_AUTHZBASEP_SECURITY_ATTRIBUTE.ListLink
Process Token TrustLevelSid: (null)

最重要的一步就这一个操作:

0: kd> eq ffff9c80`4e97f3d8 ffffc201`77418040
0: kd> g

下面是验证:

C:\Users\Administrator>whoami
nt authority\system

不过,此时用procexp.exe查看,相应的conhost.exe的权限还是没有变.
而且cmd.exe的安全属性是打不开的,估计是权限不足.
注意:此时需要重新打开一下procexp.exe,否者显示的还是以前的信息.


--------------------------------------------------------------------------------------------------


参考:
https://www.anquanke.com/post/id/87292
https://blog.xpnsec.com/becoming-system/

made by correy
made at 9:32 2018/2/23
http://correy.webs.com

对象体由执行体管理
对象头由对象管理器管理器
句柄由进程的句柄表维护。

0: kd> $实验环境是：
0: kd> vertarget
Windows 8 Kernel Version 9200 MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 16299.15.amd64fre.rs3_release.170928-1534
Machine Name:
Kernel base = 0xfffff803`7b41c000 PsLoadedModuleList = 0xfffff803`7b782fd0
Debug session time: Tue Mar 6 09:25:21.921 2018 (UTC + 8:00)
System Uptime: 27 days 19:47:07.599
0: kd> $文件的版本是：
0: kd> lm vm nt
Browse full module list
start end module name
fffff803`7b41c000 fffff803`7bcf1000 nt (pdb symbols) c:\symbols\ntkrnlmp.pdb\9378084E8DBD4AB1A155099BCE693E341\ntkrnlmp.pdb
Loaded symbol image file: ntkrnlmp.exe
Image path: ntkrnlmp.exe
Image name: ntkrnlmp.exe
Browse all global symbols functions data
Timestamp: Mon Jan 1 19:07:05 2018 (5A4A1659)
CheckSum: 00842CC4
ImageSize: 008D5000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
0: kd> $测试的进程是：
0: kd> !process 0 0 cmd.exe
PROCESS ffff8c08dc95f080
SessionId: 4 Cid: 0fdc Peb: 008ff000 ParentCid: 1934
DirBase: 1d7a00000 ObjectTable: 00000000 HandleCount: 0.
Image: cmd.exe

PROCESS ffff8c08d9136080
SessionId: 11 Cid: 0168 Peb: f170b88000 ParentCid: 16fc
DirBase: 112600000 ObjectTable: ffffa00a63dc1600 HandleCount: 40.
Image: cmd.exe

0: kd> $这里选定第二个。
0: kd> $另一个看法是：
0: kd> dt nt!_eprocess ffff8c08d9136080 ObjectTable
+0x418 ObjectTable : 0xffffa00a`63dc1600 _HANDLE_TABLE

句柄表的信息是：
0: kd> dt 0xffffa00a`63dc1600 nt!_HANDLE_TABLE
+0x000 NextHandleNeedingPool : 0x400
+0x004 ExtraInfoPages : 0n0
+0x008 TableCode : 0xffffa00a`591d4000
+0x010 QuotaProcess : 0xffff8c08`d9136080 _EPROCESS
+0x018 HandleTableList : _LIST_ENTRY [ 0xffffa00a`74606b58 - 0xffffa00a`56527758 ]
+0x028 UniqueProcessId : 0x168
+0x02c Flags : 0x10
+0x02c StrictFIFO : 0y0
+0x02c EnableHandleExceptions : 0y0
+0x02c Rundown : 0y0
+0x02c Duplicated : 0y0
+0x02c RaiseUMExceptionOnInvalidHandleClose : 0y1
+0x030 HandleContentionEvent : _EX_PUSH_LOCK
+0x038 HandleTableLock : _EX_PUSH_LOCK
+0x040 FreeLists : [1] _HANDLE_TABLE_FREE_LIST
+0x040 ActualEntry : [32] ""
+0x060 DebugInfo : (null)

要实现的效果是：
0: kd> !handle 0 0 0168

PROCESS ffff8c08d9136080
SessionId: 11 Cid: 0168 Peb: f170b88000 ParentCid: 16fc
DirBase: 112600000 ObjectTable: ffffa00a63dc1600 HandleCount: 40.
Image: cmd.exe

Handle table at ffffa00a63dc1600 with 40 entries in use

0004: Object: ffff8c08d7911fe0 GrantedAccess: 001f0003 (Protected) (Inherit)

0008: Object: ffff8c08d9a8b4d0 GrantedAccess: 00000001 (Inherit)

000c: Object: ffff8c08d4ae0700 GrantedAccess: 001f0003 (Protected) (Audit)

0010: Object: ffff8c08de983660 GrantedAccess: 000f00ff (Protected) (Inherit)

0014: Object: ffff8c08d509e430 GrantedAccess: 00100002

0018: Object: ffff8c08d65c3260 GrantedAccess: 00000001 (Protected) (Inherit)

001c: Object: ffff8c08d6353f30 GrantedAccess: 00100002

0020: Object: ffff8c08d50642b0 GrantedAccess: 00000001

0024: Object: ffff8c08d8e81e20 GrantedAccess: 00000804 (Protected) (Inherit) (Audit)

0028: Object: ffff8c08d78fabd0 GrantedAccess: 00000804 (Inherit)

002c: Object: ffff8c08d81c6bb0 GrantedAccess: 00000804

0030: Object: ffffa00a484f2560 GrantedAccess: 00000003 (Protected) (Inherit)

0034: Object: ffff8c08d82241f0 GrantedAccess: 001f0003 (Audit)

0038: Object: ffff8c08d7aeba60 GrantedAccess: 001f0003 (Protected) (Inherit)

003c: Object: ffff8c08d5b034b0 GrantedAccess: 00100020

0040: Object: ffff8c08d9b79e30 GrantedAccess: 0012019f

0044: Object: ffff8c08d8d678e0 GrantedAccess: 0012019f (Protected) (Inherit)

0048: Object: ffff8c08dfe92a10 GrantedAccess: 001f0001 (Inherit) (Audit)

004c: Object: ffff8c08d50d9ef0 GrantedAccess: 0012019f (Audit)

0050: Object: ffff8c08d82243b0 GrantedAccess: 0012019f

0054: Object: ffff8c08d82243b0 GrantedAccess: 0012019f

0058: Object: ffff8c08d7fcd1f0 GrantedAccess: 00000804 (Audit)

005c: Object: ffff8c08d477f070 GrantedAccess: 00000804 (Audit)

0060: Object: ffff8c08d7692080 GrantedAccess: 001f0003 (Protected) (Audit)

0064: Object: ffff8c08d5fef8a0 GrantedAccess: 000f00ff (Protected) (Inherit) (Audit)

0068: Object: ffff8c08d56f6470 GrantedAccess: 00100002 (Audit)

006c: Object: ffff8c08dbcbcbb0 GrantedAccess: 00000001

0070: Object: ffff8c08d3aa7b00 GrantedAccess: 00100002 (Protected) (Audit)

0074: Object: ffff8c08da19e7a0 GrantedAccess: 00000001 (Protected) (Inherit) (Audit)

0078: Object: ffffa00a651f3b20 GrantedAccess: 00020019 (Protected) (Inherit) (Audit)

007c: Object: ffff8c08db568700 GrantedAccess: 001fffff (Protected) (Audit)

0088: Object: ffffa00a5f9292a0 GrantedAccess: 000f003f (Protected) (Inherit) (Audit)

008c: Object: ffffa00a555e3780 GrantedAccess: 000f003f (Protected) (Audit)

0090: Object: ffffa00a62d1cf70 GrantedAccess: 00020019 (Audit)

0094: Object: ffffa00a5b95f760 GrantedAccess: 00020019 (Protected) (Inherit)

0098: Object: ffffa00a6f835950 GrantedAccess: 00020019 (Inherit)

009c: Object: ffff8c08d5ca9070 GrantedAccess: 00000804 (Audit)

00a0: Object: ffffa00a627c16c0 GrantedAccess: 00000001 (Protected)

00a4: Object: ffffa00a59d39880 GrantedAccess: 00020019 (Protected) (Audit)

00a8: Object: ffff8c08dba217c0 GrantedAccess: 00120089 (Protected)

也就是要手工实现/分析出这个命令的效果。
有时候仅仅这一个命令就够了，但是有时候，需要更详细的分析，会有更多/更深的用途。

--------------------------------------------------------------------------------------------------
先熟悉两个结构的信息：

nt!_HANDLE_TABLE
+0x000 NextHandleNeedingPool : Uint4B
+0x004 ExtraInfoPages : Int4B
+0x008 TableCode : Uint8B
+0x010 QuotaProcess : Ptr64 _EPROCESS
+0x018 HandleTableList : _LIST_ENTRY
+0x028 UniqueProcessId : Uint4B
+0x02c Flags : Uint4B
+0x02c StrictFIFO : Pos 0, 1 Bit
+0x02c EnableHandleExceptions : Pos 1, 1 Bit
+0x02c Rundown : Pos 2, 1 Bit
+0x02c Duplicated : Pos 3, 1 Bit
+0x02c RaiseUMExceptionOnInvalidHandleClose : Pos 4, 1 Bit
+0x030 HandleContentionEvent : _EX_PUSH_LOCK
+0x038 HandleTableLock : _EX_PUSH_LOCK
+0x040 FreeLists : [1] _HANDLE_TABLE_FREE_LIST
+0x040 ActualEntry : [32] UChar
+0x060 DebugInfo : Ptr64 _HANDLE_TRACE_DEBUG_INFO

0: kd> dt nt!_object_header
+0x000 PointerCount : Int8B
+0x008 HandleCount : Int8B
+0x008 NextToFree : Ptr64 Void
+0x010 Lock : _EX_PUSH_LOCK
+0x018 TypeIndex : UChar
+0x019 TraceFlags : UChar
+0x019 DbgRefTrace : Pos 0, 1 Bit
+0x019 DbgTracePermanent : Pos 1, 1 Bit
+0x01a InfoMask : UChar
+0x01b Flags : UChar
+0x01b NewObject : Pos 0, 1 Bit
+0x01b KernelObject : Pos 1, 1 Bit
+0x01b KernelOnlyAccess : Pos 2, 1 Bit
+0x01b ExclusiveObject : Pos 3, 1 Bit
+0x01b PermanentObject : Pos 4, 1 Bit
+0x01b DefaultSecurityQuota : Pos 5, 1 Bit
+0x01b SingleHandleEntry : Pos 6, 1 Bit
+0x01b DeletedInline : Pos 7, 1 Bit
+0x01c Reserved : Uint4B
+0x020 ObjectCreateInfo : Ptr64 _OBJECT_CREATE_INFORMATION
+0x020 QuotaBlockCharged : Ptr64 Void
+0x028 SecurityDescriptor : Ptr64 Void
+0x030 Body : _QUAD
0: kd> ?? sizeof(nt!_object_header)
unsigned int64 0x38

因为nt!_object_header包含Body成员信息，所以nt!_object_header的大小为0x030。

0: kd> ?? sizeof(nt!_HANDLE_TABLE_ENTRY)
unsigned int64 0x10

注意：以上结构，你应该能看到位成员的信息，如果又联合还应看到联合成员的信息。

--------------------------------------------------------------------------------------------------

注意：_HANDLE_TABLE的TableCode的信息实际是PHANDLE_TABLE_ENTRY，而且最低的几位是几维数组的标志。
这里是0，说明这就是HANDLE_TABLE_ENTRY的数组的第一个元素。
不过第一个元素始终为空，见各种书籍的说明。
之所以这样设计是因为句柄为0的是无效的吧！

_HANDLE_TABLE的TableCode的信息实际是PHANDLE_TABLE_ENTRY，这句话的证据的是：见ExpAllocateHandleTable的函数。

0: kd> dq 0xffffa00a`591d4000
ffffa00a`591d4000 00000000`00000000 00000000`00000000
ffffa00a`591d4010 8c08d791`1fb0fffb 00000000`001f0003
ffffa00a`591d4020 8c08d9a8`b4a0fffd 00000000`00000001
ffffa00a`591d4030 8c08d4ae`06d0fff7 00000000`001f0003
ffffa00a`591d4040 8c08de98`3630fff9 00000000`000f00ff
ffffa00a`591d4050 8c08d509`e400fffd 00000000`00100002
ffffa00a`591d4060 8c08d65c`3230fffd 00000000`00000001
ffffa00a`591d4070 8c08d635`3f00fffd 00000000`00100002
注意：这个到底有多少个有效的呢？
WIN7的_HANDLE_TABLE有个成员叫HandleCount,但是win10没有。
其实dq的命令的地址的后面加个参数，就是显示的长度，尽量长些，但是不超过NextHandleNeedingPool。
可以发现，dq的第一个64位的值位0就是为空，就是无效的句柄。

注意：
1.句柄是按照数组的位置来计算的，具体的算法相信你应该领会，但是还是看WRK的代码为好。
2.句柄不一定是连续的，只要第一个64位不为空，就是有效的句柄，数组的大小不超过NextHandleNeedingPool。

从这里也能看到一些信息，如准许的权限等。
注意第一个是空的。

0: kd> dt nt!_HANDLE_TABLE_ENTRY ffffa00a`591d4010
+0x000 VolatileLowValue : 0n-8356192090284032005
+0x000 LowValue : 0n-8356192090284032005
+0x000 InfoTable : 0x8c08d791`1fb0fffb _HANDLE_TABLE_ENTRY_INFO
+0x008 HighValue : 0n2031619
+0x008 NextFreeHandleEntry : 0x00000000`001f0003 _HANDLE_TABLE_ENTRY
+0x008 LeafHandleValue : _EXHANDLE
+0x000 RefCountField : 0n-8356192090284032005
+0x000 Unlocked : 0y1
+0x000 RefCnt : 0y0111111111111101 (0x7ffd)
+0x000 Attributes : 0y000
+0x000 ObjectPointerBits : 0y10001100000010001101011110010001000111111011 (0x8c08d7911fb)
+0x008 GrantedAccessBits : 0y0000111110000000000000011 (0x1f0003)
+0x008 NoRightsUpgrade : 0y0
+0x008 Spare1 : 0y000000 (0)
+0x00c Spare2 : 0
0: kd> dt nt!_HANDLE_TABLE_ENTRY_INFO
+0x000 AuditMask : Uint4B
+0x004 MaxRelativeAccessMask : Uint4B
0: kd> dt nt!_EXHANDLE
+0x000 TagBits : Pos 0, 2 Bits
+0x000 Index : Pos 2, 30 Bits
+0x000 GenericHandleOverlay : Ptr64 Void
+0x000 Value : Uint8B

注意：
0x8c08d7911fb
ffff8c08d7911fe0
最后一个补0，高位补f,还差0x30

0: kd> !object ffff8c08d7911fe0
Object: ffff8c08d7911fe0 Type: (ffff8c08d32ecdb0) Event
ObjectHeader: ffff8c08d7911fb0 (new version)
HandleCount: 1 PointerCount: 32768

0: kd> dt nt!_HANDLE_TABLE_ENTRY ffffa00a`591d4020
+0x000 VolatileLowValue : 0n-8356189789977772035
+0x000 LowValue : 0n-8356189789977772035
+0x000 InfoTable : 0x8c08d9a8`b4a0fffd _HANDLE_TABLE_ENTRY_INFO
+0x008 HighValue : 0n1
+0x008 NextFreeHandleEntry : 0x00000000`00000001 _HANDLE_TABLE_ENTRY
+0x008 LeafHandleValue : _EXHANDLE
+0x000 RefCountField : 0n-8356189789977772035
+0x000 Unlocked : 0y1
+0x000 RefCnt : 0y0111111111111110 (0x7ffe)
+0x000 Attributes : 0y000
+0x000 ObjectPointerBits : 0y10001100000010001101100110101000101101001010 (0x8c08d9a8b4a)
+0x008 GrantedAccessBits : 0y0000000000000000000000001 (0x1)
+0x008 NoRightsUpgrade : 0y0
+0x008 Spare1 : 0y000000 (0)
+0x00c Spare2 : 0

0: kd> dt nt!_HANDLE_TABLE_ENTRY
+0x000 VolatileLowValue : Int8B
+0x000 LowValue : Int8B
+0x000 InfoTable : Ptr64 _HANDLE_TABLE_ENTRY_INFO
+0x008 HighValue : Int8B
+0x008 NextFreeHandleEntry : Ptr64 _HANDLE_TABLE_ENTRY
+0x008 LeafHandleValue : _EXHANDLE
+0x000 RefCountField : Int8B
+0x000 Unlocked : Pos 0, 1 Bit
+0x000 RefCnt : Pos 1, 16 Bits
+0x000 Attributes : Pos 17, 3 Bits
+0x000 ObjectPointerBits : Pos 20, 44 Bits
+0x008 GrantedAccessBits : Pos 0, 25 Bits
+0x008 NoRightsUpgrade : Pos 25, 1 Bit
+0x008 Spare1 : Pos 26, 6 Bits
+0x00c Spare2 : Uint4B
注意：位和联合的定义。

--------------------------------------------------------------------------------------------------

注意：WRK还顶一个系统进程的句柄表，可以说是内核的全局的句柄表，专用于内核的句柄的。
0: kd> x nt!ObpKernelHandleTable
fffff803`7b780ce0 nt!ObpKernelHandleTable = <no type information>

made by correy
made at 10:36 2018/3/8
http://correy.webs.com

枚举ObRegisterCallbacks注册的信息

2: kd> dt nt!_OBJECT_TYPE poi(nt!PsProcessType)
+0x000 TypeList : _LIST_ENTRY [ 0xffff8481`f02d7350 - 0xffff8481`f02d7350 ]
+0x010 Name : _UNICODE_STRING "Process"
+0x020 DefaultObject : (null)
+0x028 Index : 0x7 ''
+0x02c TotalNumberOfObjects : 0x3f
+0x030 TotalNumberOfHandles : 0x20a
+0x034 HighWaterNumberOfObjects : 0x51
+0x038 HighWaterNumberOfHandles : 0x25c
+0x040 TypeInfo : _OBJECT_TYPE_INITIALIZER
+0x0b8 TypeLock : _EX_PUSH_LOCK
+0x0c0 Key : 0x636f7250
+0x0c8 CallbackList : _LIST_ENTRY [ 0xffffcf0d`19f25b90 - 0xffffcf0d`19f25b90 ]

这个CallbackList链表的前后节点都一样,我还以为是空呢?

2: kd> dps ffffcf0d`19f25b90
ffffcf0d`19f25b90 ffff8481`f02d7418 这个和下面的一样,可以考虑是LIST_ENTRY
ffffcf0d`19f25b98 ffff8481`f02d7418
ffffcf0d`19f25ba0 00000001`00000003 后面的3是Operations
ffffcf0d`19f25ba8 ffffcf0d`19f25b70 又是一个结构
ffffcf0d`19f25bb0 ffff8481`f02d7350 是PsProcessType
ffffcf0d`19f25bb8 fffff802`425f10e0 ObCallbackTest!CBTdPreOperationCallback [e:\开源\microsoft\windows-driver-samples\trunk\general\obcallback\driver\callback.c @ 264]
ffffcf0d`19f25bc0 fffff802`425f1000 ObCallbackTest!CBTdPostOperationCallback [e:\开源\microsoft\windows-driver-samples\trunk\general\obcallback\driver\callback.c @ 427]
ffffcf0d`19f25bc8 00000000`00000000 未知,补充,保留
ffffcf0d`19f25bd0 ffff8481`f02c7b88
ffffcf0d`19f25bd8 ffff8481`f02c7b88
ffffcf0d`19f25be0 00000001`00000003 后面的3是Operations
ffffcf0d`19f25be8 ffffcf0d`19f25b70
ffffcf0d`19f25bf0 ffff8481`f02c7ac0 是PsThreadType
ffffcf0d`19f25bf8 fffff802`425f10e0 ObCallbackTest!CBTdPreOperationCallback [e:\开源\microsoft\windows-driver-samples\trunk\general\obcallback\driver\callback.c @ 264]
ffffcf0d`19f25c00 fffff802`425f1000 ObCallbackTest!CBTdPostOperationCallback [e:\开源\microsoft\windows-driver-samples\trunk\general\obcallback\driver\callback.c @ 427]
ffffcf0d`19f25c08 00000000`00000000
2: kd> !object ffff8481`f02d7350
Object: ffff8481f02d7350 Type: (ffff8481f02f7ec0) Type
ObjectHeader: ffff8481f02d7320 (new version)
HandleCount: 0 PointerCount: 2
Directory Object: ffffcf0d11e147f0 Name: Process
2: kd> !object ffff8481`f02c7ac0
Object: ffff8481f02c7ac0 Type: (ffff8481f02f7ec0) Type
ObjectHeader: ffff8481f02c7a90 (new version)
HandleCount: 0 PointerCount: 2
Directory Object: ffffcf0d11e147f0 Name: Thread
2: kd> dps ffffcf0d`19f25b70 L20
ffffcf0d`19f25b70 00000000`00020100
ffffcf0d`19f25b78 fffff802`425f50b0 ObCallbackTest!CBCallbackRegistration
ffffcf0d`19f25b80 00000000`00080008
ffffcf0d`19f25b88 ffffcf0d`19f25c10
ffffcf0d`19f25b90 ffff8481`f02d7418
ffffcf0d`19f25b98 ffff8481`f02d7418
ffffcf0d`19f25ba0 00000001`00000003
ffffcf0d`19f25ba8 ffffcf0d`19f25b70
ffffcf0d`19f25bb0 ffff8481`f02d7350
ffffcf0d`19f25bb8 fffff802`425f10e0 ObCallbackTest!CBTdPreOperationCallback [e:\开源\microsoft\windows-driver-samples\trunk\general\obcallback\driver\callback.c @ 264]
ffffcf0d`19f25bc0 fffff802`425f1000 ObCallbackTest!CBTdPostOperationCallback [e:\开源\microsoft\windows-driver-samples\trunk\general\obcallback\driver\callback.c @ 427]
ffffcf0d`19f25bc8 00000000`00000000
ffffcf0d`19f25bd0 ffff8481`f02c7b88
ffffcf0d`19f25bd8 ffff8481`f02c7b88
ffffcf0d`19f25be0 00000001`00000003
ffffcf0d`19f25be8 ffffcf0d`19f25b70
ffffcf0d`19f25bf0 ffff8481`f02c7ac0
ffffcf0d`19f25bf8 fffff802`425f10e0 ObCallbackTest!CBTdPreOperationCallback [e:\开源\microsoft\windows-driver-samples\trunk\general\obcallback\driver\callback.c @ 264]
ffffcf0d`19f25c00 fffff802`425f1000 ObCallbackTest!CBTdPostOperationCallback [e:\开源\microsoft\windows-driver-samples\trunk\general\obcallback\driver\callback.c @ 427]
ffffcf0d`19f25c08 00000000`00000000
ffffcf0d`19f25c10 00300030`00300031
ffffcf0d`19f25c18 00000012`00000201
ffffcf0d`19f25c20 3066744e`0303030c
ffffcf0d`19f25c28 07be696e`a40c5c62
ffffcf0d`19f25c30 ffffcf0d`18bec700
ffffcf0d`19f25c38 ffffcf0d`19f8e430
ffffcf0d`19f25c40 00000064`04d44d5b
ffffcf0d`19f25c48 00000073`006c006f
ffffcf0d`19f25c50 6e664d46`03160303
ffffcf0d`19f25c58 07be696e`a40c5c12
ffffcf0d`19f25c60 00000000`0150f204
ffffcf0d`19f25c68 00000000`00000000

typedef struct _CALLBACK_ENTRY_ITEM {
LIST_ENTRY EntryItemList;
OB_OPERATION Operations;
CALLBACK_ENTRY* CallbackEntry; // Points to the CALLBACK_ENTRY which we use for ObUnRegisterCallback
POBJECT_TYPE ObjectType;
POB_PRE_OPERATION_CALLBACK PreOperation;
POB_POST_OPERATION_CALLBACK PostOperation;
__int64 unk;
}CALLBACK_ENTRY_ITEM, *PCALLBACK_ENTRY_ITEM;

typedef struct _CALLBACK_ENTRY{
__int16 Version;
char buffer1[6];
POB_OPERATION_REGISTRATION RegistrationContext;
__int16 AltitudeLength1;
__int16 AltitudeLength2;
char buffer2[4];
WCHAR* AltitudeString;
CALLBACK_ENTRY_ITEM Items; // Is actually an array of CALLBACK_ENTRY_ITEMs that are also in a doubly linked list
}CALLBACK_ENTRY, *PCALLBACK_ENTRY;

https://douggemhax.wordpress.com/2015/05/27/obregistercallbacks-and-countermeasures/
https://www.unknowncheats.me/forum/dayz-sa/166167-douggem-_callback_entry-rebuilding.html

2018年4月28日星期六

minifilter驱动的静态分析

前言：

有不少的minifilter驱动是可以用IDA静态分析的，但是如何分析呢？
做过minifilter驱动的都知道FltRegisterFilter的第二个参数是关键。

如果分析呢？也就是如何定义这个参数的类型呢？
思路有三：
1.导入头文件，这个最省事，但是也容易出错。
2.那就自己写个头文件，然后导入，这也不少费事，但成功率比较高，还通用。
3.那就是自己在IDA中手动定义/添加结构，这个比较复杂，不通用，别的工程还得重复这样做。

其实还有一种办法，就是本文的，比较省事，但是不通用。
前提是你知道这些数据结构。

怎么做呢？
这就有用一个实例演示下。

怎么演示呢？
实际分析的SYS是没有符号的而且是经过优化的发行版。
这里以一个调试版，且有符号的和一个发行版且没有符号文件的对比做演示。
选用的工程是WDK的ctx工程，之所以选择这个，是因为它比较全，有上下文的处理。

下面正式开始：

--------------------------------------------------------------------------------------------------

首先找到驱动入口的FltRegisterFilter函数，点击第二个参数，进去是这样的：
.data:00000001400030A0 unk_1400030A0 db 70h ; p ; DATA XREF: sub_140006000+62↓o
.data:00000001400030A1 db 0
.data:00000001400030A2 db 3
.data:00000001400030A3 db 2
.data:00000001400030A4 db 0
.data:00000001400030A5 db 0
.data:00000001400030A6 db 0
.data:00000001400030A7 db 0
.data:00000001400030A8 dq offset unk_1400020F0
.data:00000001400030B0 dq offset unk_140003000
.data:00000001400030B8 dq offset sub_140005458
.data:00000001400030C0 dq offset sub_1400054F0
.data:00000001400030C8 dq offset sub_1400055E4
.data:00000001400030D0 dq offset nullsub_2
.data:00000001400030D8 dq offset sub_1400055EC
.data:00000001400030E0 db 0
.data:00000001400030E1 db 0
.data:00000001400030E2 db 0
.data:00000001400030E3 db 0
.data:00000001400030E4 db 0
.data:00000001400030E5 db 0
.data:00000001400030E6 db 0
.data:00000001400030E7 db 0
.data:00000001400030E8 db 0
.data:00000001400030E9 db 0
.data:00000001400030EA db 0
.data:00000001400030EB db 0
.data:00000001400030EC db 0
.data:00000001400030ED db 0
.data:00000001400030EE db 0
.data:00000001400030EF db 0
.data:00000001400030F0 db 0
.data:00000001400030F1 db 0
.data:00000001400030F2 db 0
.data:00000001400030F3 db 0
.data:00000001400030F4 db 0
.data:00000001400030F5 db 0
.data:00000001400030F6 db 0
.data:00000001400030F7 db 0
.data:00000001400030F8 db 0
.data:00000001400030F9 db 0
.data:00000001400030FA db 0
.data:00000001400030FB db 0
.data:00000001400030FC db 0
.data:00000001400030FD db 0
.data:00000001400030FE db 0
.data:00000001400030FF db 0
.data:0000000140003100 db 0
.data:0000000140003101 db 0
.data:0000000140003102 db 0
.data:0000000140003103 db 0
.data:0000000140003104 db 0
.data:0000000140003105 db 0
.data:0000000140003106 db 0
.data:0000000140003107 db 0
.data:0000000140003108 db 0
.data:0000000140003109 db 0
.data:000000014000310A db 0
.data:000000014000310B db 0
.data:000000014000310C db 0
.data:000000014000310D db 0
.data:000000014000310E db 0
.data:000000014000310F db 0

但是，你在debug版本且带有符号文件的情况下，你会看到变量的名字，点击这个变量，你会看到这个全局的数据结构变量的解释。
这就是差别啊！
无奈我们没有符号文件且不是调试版本，假定如此，所以我们只能苦逼继续。

此时，我们可以根据工程找到FLT_REGISTRATION的定义，根据这个定义，我们可以重新定义/修改上面的数据如下：
.data:00000001400030A0 word_1400030A0 dw 70h ; DATA XREF: sub_140006000+62↓o
.data:00000001400030A0 ; Size
.data:00000001400030A2 dw 203h ; Version 这个可以决定这个数据结构的大小，这个数据结构后面有几个扩展选项。
.data:00000001400030A4 dd 0 ; Flags 这个也有几个选项，不言了，你细看，深入探索。
.data:00000001400030A8 dq offset ContextRegistration ; 这里直接给这几个函数或成员改名。
.data:00000001400030B0 dq offset OperationRegistration
.data:00000001400030B8 dq offset FilterUnloadCallback
.data:00000001400030C0 dq offset InstanceSetupCallback
.data:00000001400030C8 dq offset InstanceQueryTeardownCallback
.data:00000001400030D0 dq offset InstanceTeardownStartCallback
.data:00000001400030D8 dq offset InstanceTeardownCompleteCallback
.data:00000001400030E0 dq 0 ; 这几个直接改变成员的类型/大小。
.data:00000001400030E8 dq 0
.data:00000001400030F0 dq 0
.data:00000001400030F8 dq 0
.data:0000000140003100 dq 0
.data:0000000140003108 dq 0
注意：
技巧：
1.点击一个数据，不停的按d直到切换到你选中的数据。
2.按;可以天机注释。
3.还可以给word_1400030A0这个变量改个名字，如：Registration 。

--------------------------------------------------------------------------------------------------

双击ContextRegistration，进入，得到如下界面：
.rdata:00000001400020F0 ContextRegistration db 2 ; DATA XREF: .data:00000001400030A8↓o
.rdata:00000001400020F1 db 0
.rdata:00000001400020F2 db 0
.rdata:00000001400020F3 db 0
.rdata:00000001400020F4 db 0
.rdata:00000001400020F5 db 0
.rdata:00000001400020F6 db 0
.rdata:00000001400020F7 db 0
.rdata:00000001400020F8 dq offset sub_140005478
.rdata:0000000140002100 db 20h
.rdata:0000000140002101 db 0
.rdata:0000000140002102 db 0
.rdata:0000000140002103 db 0
.rdata:0000000140002104 db 0
.rdata:0000000140002105 db 0
.rdata:0000000140002106 db 0
.rdata:0000000140002107 db 0
.rdata:0000000140002108 db 43h ; C
.rdata:0000000140002109 db 78h ; x
.rdata:000000014000210A db 49h ; I
.rdata:000000014000210B db 63h ; c
.rdata:000000014000210C db 0
.rdata:000000014000210D db 0
.rdata:000000014000210E db 0
.rdata:000000014000210F db 0
.rdata:0000000140002110 db 0
.rdata:0000000140002111 db 0
.rdata:0000000140002112 db 0
.rdata:0000000140002113 db 0
.rdata:0000000140002114 db 0
.rdata:0000000140002115 db 0
.rdata:0000000140002116 db 0
.rdata:0000000140002117 db 0
.rdata:0000000140002118 db 0
.rdata:0000000140002119 db 0
.rdata:000000014000211A db 0
.rdata:000000014000211B db 0
.rdata:000000014000211C db 0
.rdata:000000014000211D db 0
.rdata:000000014000211E db 0
.rdata:000000014000211F db 0
.rdata:0000000140002120 db 0
.rdata:0000000140002121 db 0
.rdata:0000000140002122 db 0
.rdata:0000000140002123 db 0
.rdata:0000000140002124 db 0
.rdata:0000000140002125 db 0
.rdata:0000000140002126 db 0
.rdata:0000000140002127 db 0
.rdata:0000000140002128 db 4
.rdata:0000000140002129 db 0
.rdata:000000014000212A db 0
.rdata:000000014000212B db 0
.rdata:000000014000212C db 0
.rdata:000000014000212D db 0
.rdata:000000014000212E db 0
.rdata:000000014000212F db 0
.rdata:0000000140002130 dq offset sub_140005478
.rdata:0000000140002138 db 10h
.rdata:0000000140002139 db 0
.rdata:000000014000213A db 0
.rdata:000000014000213B db 0
.rdata:000000014000213C db 0
.rdata:000000014000213D db 0
.rdata:000000014000213E db 0
.rdata:000000014000213F db 0
.rdata:0000000140002140 db 43h ; C
.rdata:0000000140002141 db 78h ; x
.rdata:0000000140002142 db 46h ; F
.rdata:0000000140002143 db 63h ; c
.rdata:0000000140002144 db 0
.rdata:0000000140002145 db 0
.rdata:0000000140002146 db 0
.rdata:0000000140002147 db 0
.rdata:0000000140002148 db 0
.rdata:0000000140002149 db 0
.rdata:000000014000214A db 0
.rdata:000000014000214B db 0
.rdata:000000014000214C db 0
.rdata:000000014000214D db 0
.rdata:000000014000214E db 0
.rdata:000000014000214F db 0
.rdata:0000000140002150 db 0
.rdata:0000000140002151 db 0
.rdata:0000000140002152 db 0
.rdata:0000000140002153 db 0
.rdata:0000000140002154 db 0
.rdata:0000000140002155 db 0
.rdata:0000000140002156 db 0
.rdata:0000000140002157 db 0
.rdata:0000000140002158 db 0
.rdata:0000000140002159 db 0
.rdata:000000014000215A db 0
.rdata:000000014000215B db 0
.rdata:000000014000215C db 0
.rdata:000000014000215D db 0
.rdata:000000014000215E db 0
.rdata:000000014000215F db 0
.rdata:0000000140002160 db 8
.rdata:0000000140002161 db 0
.rdata:0000000140002162 db 0
.rdata:0000000140002163 db 0
.rdata:0000000140002164 db 0
.rdata:0000000140002165 db 0
.rdata:0000000140002166 db 0
.rdata:0000000140002167 db 0
.rdata:0000000140002168 dq offset sub_140005478
.rdata:0000000140002170 db 28h ; (
.rdata:0000000140002171 db 0
.rdata:0000000140002172 db 0
.rdata:0000000140002173 db 0
.rdata:0000000140002174 db 0
.rdata:0000000140002175 db 0
.rdata:0000000140002176 db 0
.rdata:0000000140002177 db 0
.rdata:0000000140002178 db 43h ; C
.rdata:0000000140002179 db 78h ; x
.rdata:000000014000217A db 53h ; S
.rdata:000000014000217B db 63h ; c
.rdata:000000014000217C db 0
.rdata:000000014000217D db 0
.rdata:000000014000217E db 0
.rdata:000000014000217F db 0
.rdata:0000000140002180 db 0
.rdata:0000000140002181 db 0
.rdata:0000000140002182 db 0
.rdata:0000000140002183 db 0
.rdata:0000000140002184 db 0
.rdata:0000000140002185 db 0
.rdata:0000000140002186 db 0
.rdata:0000000140002187 db 0
.rdata:0000000140002188 db 0
.rdata:0000000140002189 db 0
.rdata:000000014000218A db 0
.rdata:000000014000218B db 0
.rdata:000000014000218C db 0
.rdata:000000014000218D db 0
.rdata:000000014000218E db 0
.rdata:000000014000218F db 0
.rdata:0000000140002190 db 0
.rdata:0000000140002191 db 0
.rdata:0000000140002192 db 0
.rdata:0000000140002193 db 0
.rdata:0000000140002194 db 0
.rdata:0000000140002195 db 0
.rdata:0000000140002196 db 0
.rdata:0000000140002197 db 0
.rdata:0000000140002198 db 10h
.rdata:0000000140002199 db 0
.rdata:000000014000219A db 0
.rdata:000000014000219B db 0
.rdata:000000014000219C db 0
.rdata:000000014000219D db 0
.rdata:000000014000219E db 0
.rdata:000000014000219F db 0
.rdata:00000001400021A0 dq offset sub_140005478
.rdata:00000001400021A8 db 18h
.rdata:00000001400021A9 db 0
.rdata:00000001400021AA db 0
.rdata:00000001400021AB db 0
.rdata:00000001400021AC db 0
.rdata:00000001400021AD db 0
.rdata:00000001400021AE db 0
.rdata:00000001400021AF db 0
.rdata:00000001400021B0 db 43h ; C
.rdata:00000001400021B1 db 78h ; x
.rdata:00000001400021B2 db 48h ; H
.rdata:00000001400021B3 db 63h ; c
.rdata:00000001400021B4 db 0
.rdata:00000001400021B5 db 0
.rdata:00000001400021B6 db 0
.rdata:00000001400021B7 db 0
.rdata:00000001400021B8 db 0
.rdata:00000001400021B9 db 0
.rdata:00000001400021BA db 0
.rdata:00000001400021BB db 0
.rdata:00000001400021BC db 0
.rdata:00000001400021BD db 0
.rdata:00000001400021BE db 0
.rdata:00000001400021BF db 0
.rdata:00000001400021C0 db 0
.rdata:00000001400021C1 db 0
.rdata:00000001400021C2 db 0
.rdata:00000001400021C3 db 0
.rdata:00000001400021C4 db 0
.rdata:00000001400021C5 db 0
.rdata:00000001400021C6 db 0
.rdata:00000001400021C7 db 0
.rdata:00000001400021C8 db 0
.rdata:00000001400021C9 db 0
.rdata:00000001400021CA db 0
.rdata:00000001400021CB db 0
.rdata:00000001400021CC db 0
.rdata:00000001400021CD db 0
.rdata:00000001400021CE db 0
.rdata:00000001400021CF db 0
.rdata:00000001400021D0 db 0FFh
.rdata:00000001400021D1 db 0FFh
.rdata:00000001400021D2 db 0
.rdata:00000001400021D3 db 0
.rdata:00000001400021D4 db 0
.rdata:00000001400021D5 db 0
.rdata:00000001400021D6 db 0
.rdata:00000001400021D7 db 0
.rdata:00000001400021D8 db 0
.rdata:00000001400021D9 db 0
.rdata:00000001400021DA db 0
.rdata:00000001400021DB db 0
.rdata:00000001400021DC db 0
.rdata:00000001400021DD db 0
.rdata:00000001400021DE db 0
.rdata:00000001400021DF db 0
.rdata:00000001400021E0 db 0
.rdata:00000001400021E1 db 0
.rdata:00000001400021E2 db 0
.rdata:00000001400021E3 db 0
.rdata:00000001400021E4 db 0
.rdata:00000001400021E5 db 0
.rdata:00000001400021E6 db 0
.rdata:00000001400021E7 db 0
.rdata:00000001400021E8 db 0
.rdata:00000001400021E9 db 0
.rdata:00000001400021EA db 0
.rdata:00000001400021EB db 0
.rdata:00000001400021EC db 0
.rdata:00000001400021ED db 0
.rdata:00000001400021EE db 0
.rdata:00000001400021EF db 0
.rdata:00000001400021F0 db 0
.rdata:00000001400021F1 db 0
.rdata:00000001400021F2 db 0
.rdata:00000001400021F3 db 0
.rdata:00000001400021F4 db 0
.rdata:00000001400021F5 db 0
.rdata:00000001400021F6 db 0
.rdata:00000001400021F7 db 0
.rdata:00000001400021F8 db 0
.rdata:00000001400021F9 db 0
.rdata:00000001400021FA db 0
.rdata:00000001400021FB db 0
.rdata:00000001400021FC db 0
.rdata:00000001400021FD db 0
.rdata:00000001400021FE db 0
.rdata:00000001400021FF db 0
.rdata:0000000140002200 db 0
.rdata:0000000140002201 db 0
.rdata:0000000140002202 db 0
.rdata:0000000140002203 db 0
.rdata:0000000140002204 db 0
.rdata:0000000140002205 db 0
.rdata:0000000140002206 db 0
.rdata:0000000140002207 db 0
.rdata:0000000140002208 db 0
.rdata:0000000140002209 db 0
.rdata:000000014000220A db 0
.rdata:000000014000220B db 0
.rdata:000000014000220C db 0
.rdata:000000014000220D db 0
.rdata:000000014000220E db 0
.rdata:000000014000220F db 0

熟悉minifilter编程的人都知道，这是一个FLT_CONTEXT_REGISTRATION的数组，数组的最后一个成员是FLT_CONTEXT_END。
这个结构有8个成员，而实际经常使用的有5个。认真和有留意的人是会发现的。
经过整理和分析后，可以变为下面的样子：
.rdata:00000001400020F0 ContextRegistration dw 2 ; DATA XREF: .data:00000001400030A8↓o
.rdata:00000001400020F0 ; ContextType == FLT_INSTANCE_CONTEXT
.rdata:00000001400020F2 dw 0 ; Flags
.rdata:00000001400020F4 db 0 ; 数据结构成员的内存地址的对齐/填充。
.rdata:00000001400020F5 db 0
.rdata:00000001400020F6 db 0
.rdata:00000001400020F7 db 0
.rdata:00000001400020F8 dq offset ContextCleanupCallback
.rdata:0000000140002100 dq 20h ; Size
.rdata:0000000140002108 dd 'cIxC' ; PoolTag
.rdata:000000014000210C db 0 ; 数据结构成员的内存地址的对齐/填充。
.rdata:000000014000210D db 0
.rdata:000000014000210E db 0
.rdata:000000014000210F db 0
.rdata:0000000140002110 dq 0 ; ContextAllocateCallback
.rdata:0000000140002118 dq 0 ; ContextFreeCallback
.rdata:0000000140002120 dq 0 ; Reserved1
.rdata:0000000140002128 dw 4 ; ContextType == FLT_FILE_CONTEXT
.rdata:000000014000212A dw 0
.rdata:000000014000212C db 0
.rdata:000000014000212D db 0
.rdata:000000014000212E db 0
.rdata:000000014000212F db 0
.rdata:0000000140002130 dq offset ContextCleanupCallback
.rdata:0000000140002138 dq 10h
.rdata:0000000140002140 dd 'cFxC'
.rdata:0000000140002144 db 0
.rdata:0000000140002145 db 0
.rdata:0000000140002146 db 0
.rdata:0000000140002147 db 0
.rdata:0000000140002148 dq 0
.rdata:0000000140002150 dq 0
.rdata:0000000140002158 dq 0
.rdata:0000000140002160 dw 8 ; ContextType == FLT_STREAM_CONTEXT
.rdata:0000000140002162 dw 0
.rdata:0000000140002164 db 0
.rdata:0000000140002165 db 0
.rdata:0000000140002166 db 0
.rdata:0000000140002167 db 0
.rdata:0000000140002168 dq offset ContextCleanupCallback
.rdata:0000000140002170 dq 28h
.rdata:0000000140002178 dd 'cSxC'
.rdata:000000014000217C db 0
.rdata:000000014000217D db 0
.rdata:000000014000217E db 0
.rdata:000000014000217F db 0
.rdata:0000000140002180 dq 0
.rdata:0000000140002188 dq 0
.rdata:0000000140002190 dq 0
.rdata:0000000140002198 dw 10h ; ContextType == FLT_STREAMHANDLE_CONTEXT
.rdata:000000014000219A dw 0
.rdata:000000014000219C db 0
.rdata:000000014000219D db 0
.rdata:000000014000219E db 0
.rdata:000000014000219F db 0
.rdata:00000001400021A0 dq offset ContextCleanupCallback
.rdata:00000001400021A8 dq 18h
.rdata:00000001400021B0 dd 'cHxC'
.rdata:00000001400021B4 db 0
.rdata:00000001400021B5 db 0
.rdata:00000001400021B6 db 0
.rdata:00000001400021B7 db 0
.rdata:00000001400021B8 dq 0
.rdata:00000001400021C0 dq 0
.rdata:00000001400021C8 dq 0
.rdata:00000001400021D0 dw 0FFFFh ; 结束标记：FLT_CONTEXT_END
.rdata:00000001400021D2 dw 0
.rdata:00000001400021D4 db 0
.rdata:00000001400021D5 db 0
.rdata:00000001400021D6 db 0
.rdata:00000001400021D7 db 0
.rdata:00000001400021D8 dq 0
.rdata:00000001400021E0 dq 0
.rdata:00000001400021E8 dd 0
.rdata:00000001400021EC db 0
.rdata:00000001400021ED db 0
.rdata:00000001400021EE db 0
.rdata:00000001400021EF db 0
.rdata:00000001400021F0 dq 0
.rdata:00000001400021F8 dq 0
.rdata:0000000140002200 dq 0
.rdata:0000000140002208 db 0 ; 结束，后面是多余的，对齐。
.rdata:0000000140002209 db 0
.rdata:000000014000220A db 0
.rdata:000000014000220B db 0
.rdata:000000014000220C db 0
.rdata:000000014000220D db 0
.rdata:000000014000220E db 0
.rdata:000000014000220F db 0

--------------------------------------------------------------------------------------------------

双击OperationRegistration，进入如下界面：
.data:0000000140003000 OperationRegistration db 0 ; DATA XREF: .data:00000001400030B0↓o
.data:0000000140003001 db 0
.data:0000000140003002 db 0
.data:0000000140003003 db 0
.data:0000000140003004 db 1
.data:0000000140003005 db 0
.data:0000000140003006 db 0
.data:0000000140003007 db 0
.data:0000000140003008 dq offset InstanceQueryTeardownCallback
.data:0000000140003010 dq offset sub_140005614
.data:0000000140003018 align 20h
.data:0000000140003020 db 12h
.data:0000000140003021 db 0
.data:0000000140003022 db 0
.data:0000000140003023 db 0
.data:0000000140003024 db 1
.data:0000000140003025 db 0
.data:0000000140003026 db 0
.data:0000000140003027 db 0
.data:0000000140003028 dq offset sub_140005940
.data:0000000140003030 align 20h
.data:0000000140003040 db 2
.data:0000000140003041 db 0
.data:0000000140003042 db 0
.data:0000000140003043 db 0
.data:0000000140003044 db 1
.data:0000000140003045 db 0
.data:0000000140003046 db 0
.data:0000000140003047 db 0
.data:0000000140003048 dq offset sub_1400059B4
.data:0000000140003050 align 20h
.data:0000000140003060 db 6
.data:0000000140003061 db 0
.data:0000000140003062 db 0
.data:0000000140003063 db 0
.data:0000000140003064 db 1
.data:0000000140003065 db 0
.data:0000000140003066 db 0
.data:0000000140003067 db 0
.data:0000000140003068 dq offset sub_140005A28
.data:0000000140003070 dq offset sub_1400057A8
.data:0000000140003078 align 20h
.data:0000000140003080 db 80h ; €
.data:0000000140003081 db 0
.data:0000000140003082 db 0
.data:0000000140003083 db 0
.data:0000000140003084 db 0
.data:0000000140003085 db 0
.data:0000000140003086 db 0
.data:0000000140003087 db 0
.data:0000000140003088 db 0
.data:0000000140003089 db 0
.data:000000014000308A db 0
.data:000000014000308B db 0
.data:000000014000308C db 0
.data:000000014000308D db 0
.data:000000014000308E db 0
.data:000000014000308F db 0
.data:0000000140003090 db 0
.data:0000000140003091 db 0
.data:0000000140003092 db 0
.data:0000000140003093 db 0
.data:0000000140003094 db 0
.data:0000000140003095 db 0
.data:0000000140003096 db 0
.data:0000000140003097 db 0
.data:0000000140003098 db 0
.data:0000000140003099 db 0
.data:000000014000309A db 0
.data:000000014000309B db 0
.data:000000014000309C db 0
.data:000000014000309D db 0
.data:000000014000309E db 0
.data:000000014000309F db 0

熟悉minifilter编程的人都知道，这是一个FLT_OPERATION_REGISTRATION的数组，最后一项是IRP_MJ_OPERATION_END。
经过整理和分析后，可以变为下面的样子：
.data:0000000140003000 OperationRegistration db 0 ; DATA XREF: .data:00000001400030B0↓o
.data:0000000140003000 ; MajorFunction == IRP_MJ_CREATE
.data:0000000140003001 dd 1000000h ; Flags
.data:0000000140003005 db 0 ; 数据结构成员的内存地址的对齐/填充。
.data:0000000140003006 db 0
.data:0000000140003007 db 0
.data:0000000140003008 dq offset PreCreate
.data:0000000140003010 dq offset PostCreate
.data:0000000140003018 align 20h
.data:0000000140003020 db 12h ; MajorFunction == IRP_MJ_CLEANUP
.data:0000000140003021 dd 1000000h
.data:0000000140003025 db 0
.data:0000000140003026 db 0
.data:0000000140003027 db 0
.data:0000000140003028 dq offset PreCleanUp
.data:0000000140003030 align 20h ; 这个隐藏了两个成员。
.data:0000000140003040 db 2 ; MajorFunction == IRP_MJ_CLOSE
.data:0000000140003041 dd 1000000h
.data:0000000140003045 db 0
.data:0000000140003046 db 0
.data:0000000140003047 db 0
.data:0000000140003048 dq offset PreClose
.data:0000000140003050 align 20h
.data:0000000140003060 db 6 ; MajorFunction == IRP_MJ_SET_INFORMATION
.data:0000000140003061 dd 1000000h
.data:0000000140003065 db 0
.data:0000000140003066 db 0
.data:0000000140003067 db 0
.data:0000000140003068 dq offset PreSetInfo
.data:0000000140003070 dq offset PostSetInfo
.data:0000000140003078 align 20h
.data:0000000140003080 db 80h ; € ; 结束标记：IRP_MJ_OPERATION_END
.data:0000000140003081 dd 0
.data:0000000140003085 db 0
.data:0000000140003086 db 0
.data:0000000140003087 db 0
.data:0000000140003088 dq 0
.data:0000000140003090 dq 0
.data:0000000140003098 dq 0

--------------------------------------------------------------------------------------------------

至此，可以告一个段落。
下一步就是根据这里分析出的函数，定义这些函数的类型，甚至是参数的个数（如IDA分析x64程序），特别是参数的类型。
因为发行版经常没有符号文件，有好些系统经常用的数据结构IDA没有解析出，如文件过滤驱动的minifilter和网络过滤驱动的WFP。

made by correy
made at 15:40 2018/4/28
http://correy.webs.com

2018年2月9日星期五

查看系统的minifilter信息

标题：查看系统的minifilter信息

minifilter驱动也写几年了，别人的minifilter驱动也分析了几个。

突然之间，思想有所觉悟，看看系统的minifilter驱动框架的信息，因为系统不只是自己的驱动，还有别的驱动，甚至是系统自身的。

再比如，有时用procmon监控文件操作时，看到：FASTIO_NETWORK_QUERY_OPEN的结果是FAST IO DISALLOWED。
稍微懂点内核的人都知道，这是不好的，费时间和效率的，甚至想是哪个王八蛋驱动搞得这个结果。
这用procmon之身是查不出的，因为它的机制(ETW)，尽管它用了minifilter，不信，你看调用栈。
咋办呢？相信你看完本文，你就能做到，做不到等于你看不懂本文。

看完本文，你应该能做到不卸载某个minifilter驱动，但是让它的效果失效。
那个驱动可以是别人的文件保护驱动，透明加解密驱动，杀毒软件的驱动等。

首先说明，本文不说原始的设备挂载的文件过来驱动，如：sfilter等。
这个应该简单，根据驱动（或设备）对象，依次能找到好多有用的信息/函数。

--------------------------------------------------------------------------------------------------

下面正式开始：

首先说下本文的实验环境：
0: kd> ||
. 0 64-bit Full kernel dump: C:\WINDOWS\livekd.dmp
0: kd> vertarget
Windows 8 Kernel Version 9200 MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 16299.15.amd64fre.rs3_release.170928-1534
Machine Name:
Kernel base = 0xfffff803`1968f000 PsLoadedModuleList = 0xfffff803`199f5fd0
Debug session time: Thu Jan 11 09:19:53.306 2018 (UTC + 8:00)
System Uptime: 0 days 2:41:56.055

查看系统上的minifilter驱动，只需要一个命令就可以了。
0: kd> !fltkd.filters

Filter List: ffffa28ba51f83a0 "Frame 1"
FLT_FILTER: ffffa28bae0c8830 "PROCMON23" "385200"
Filter List: ffffa28ba4bd10c0 "Frame 0"
FLT_FILTER: ffffa28ba7ecf350 "storqosflt" "244000"
FLT_FILTER: ffffa28ba7db7a80 "wcifs" "189900"
FLT_INSTANCE: ffffa28ba7df9950 "wcifs Instance" "189900"
FLT_INSTANCE: ffffa28ba7dff950 "wcifs Instance" "189900"
FLT_FILTER: ffffa28ba7e9fb40 "CldFlt" "180451"
FLT_FILTER: ffffa28ba6136b30 "FileCrypt" "141100"
FLT_INSTANCE: ffffa28ba7347460 "FileCrypt Instance" "141100"
FLT_FILTER: ffffa28ba7e91010 "luafv" "135000"
FLT_INSTANCE: ffffa28ba7e93010 "luafv" "135000"
FLT_FILTER: ffffa28ba64cb750 "npsvctrig" "46000"
FLT_INSTANCE: ffffa28ba65f8910 "npsvctrig" "46000"
FLT_FILTER: ffffa28ba57e59a0 "Wof" "40700"
FLT_INSTANCE: ffffa28ba61abb60 "Wof Instance" "40700"
FLT_INSTANCE: ffffa28ba696a780 "Wof Instance" "40700"
FLT_INSTANCE: ffffa28ba66d8460 "Wof Instance" "40700"
FLT_INSTANCE: ffffa28ba6752b60 "Wof Instance" "40700"
FLT_FILTER: ffffa28ba57e4490 "FileInfo" "40500"
FLT_INSTANCE: ffffa28ba61c2b40 "FileInfo" "40500"
FLT_INSTANCE: ffffa28ba618eb40 "FileInfo" "40500"
FLT_INSTANCE: ffffa28ba64e1010 "FileInfo" "40500"
FLT_INSTANCE: ffffa28ba66d8910 "FileInfo" "40500"
FLT_INSTANCE: ffffa28ba734e910 "FileInfo" "40500"
FLT_INSTANCE: ffffa28ba76feb40 "FileInfo" "40500"

这里有两个Filter List，这个不关系，不深入分析。
Filter List下有FLT_FILTER，这就是每个minifilter驱动，这其实是_FLT_FILTER结构，也可以用!fltkd.filter来查看。
FLT_FILTER下有FLT_INSTANCE，这就是这个minifilter附加了哪个设备/卷，这其实是_FLT_INSTANCE结构，也可以用!fltkd.instace来查看

这里选用FileCrypt，之所以选择这个，是因为这个信息全，有上下文。

0: kd> !fltkd.filter ffffa28ba6136b30

FLT_FILTER: ffffa28ba6136b30 "FileCrypt" "141100"
FLT_OBJECT: ffffa28ba6136b30 [02000000] Filter
RundownRef : 0x0000000000000006 (3)
PointerCount : 0x00000001
PrimaryLink : [ffffa28ba7e91020-ffffa28ba7e9fb50]
Frame : ffffa28ba4bd1010 "Frame 0"
Flags : [00000002] FilteringInitiated
DriverObject : ffffa28ba63fcac0
FilterLink : [ffffa28ba7e91020-ffffa28ba7e9fb50]
PreVolumeMount : 0000000000000000 (null)
PostVolumeMount : 0000000000000000 (null)
FilterUnload : fffff801814eb820 filecrypt!FCFilterUnload
InstanceSetup : fffff801814ea010 filecrypt!FCInstanceSetup
InstanceQueryTeardown : fffff801814ea420 filecrypt!FCInstanceQueryTeardown
InstanceTeardownStart : 0000000000000000 (null)
InstanceTeardownComplete : 0000000000000000 (null)
ActiveOpens : (ffffa28ba6136ce8) mCount=0
Communication Port List : (ffffa28ba6136d38) mCount=0
Client Port List : (ffffa28ba6136d88) mCount=0
VerifierExtension : 0000000000000000
Operations : ffffa28ba6136de0
OldDriverUnload : 0000000000000000 (null)
SupportedContexts : (ffffa28ba6136c60)
VolumeContexts : (ffffa28ba6136c60)
ALLOCATE_CONTEXT_NODE: ffffa28ba6135d80 "FileCrypt" [01] LookasideList (size=56)
InstanceContexts : (ffffa28ba6136c68)
FileContexts : (ffffa28ba6136c70)
StreamContexts : (ffffa28ba6136c78)
ALLOCATE_CONTEXT_NODE: ffffa28ba6135ec0 "FileCrypt" [01] LookasideList (size=40)
StreamHandleContexts : (ffffa28ba6136c80)
TransactionContext : (ffffa28ba6136c88)
(null) : (ffffa28ba6136c90)
InstanceList : (ffffa28ba6136b98)
FLT_INSTANCE: ffffa28ba7347460 "FileCrypt Instance" "141100"

看到了吧！
这里显示不少的信息。
有些信息很明显，这里就不细说了。
这里主要说三个：
1.Operations成员里面存放是的指针，指针的类型后面说。
2.SupportedContexts是个数组，数组的大小后面给出，缩进的是显示的数组的内容。
3.InstanceList后面给出所有的实例，这个驱动只有一个，这和!fltkd.filters显示的是一样的。

--------------------------------------------------------------------------------------------------

说到实例，这里就先说下，插一道杠子。
0: kd> dt fltmgr!_FLT_INSTANCE ffffa28ba7347460
+0x000 Base : _FLT_OBJECT
+0x030 OperationRundownRef : 0xffffa28b`a6caec20 _EX_RUNDOWN_REF_CACHE_AWARE
+0x038 Volume : 0xffffa28b`a730e7e0 _FLT_VOLUME
+0x040 Filter : 0xffffa28b`a6136b30 _FLT_FILTER
+0x048 Flags : 0 (No matching name)
+0x050 Altitude : _UNICODE_STRING "141100"
+0x060 Name : _UNICODE_STRING "FileCrypt Instance"
+0x070 FilterLink : _LIST_ENTRY [ 0xffffa28b`a6136c00 - 0xffffa28b`a6136c00 ]
+0x080 ContextLock : _EX_PUSH_LOCK
+0x088 Context : (null)
+0x090 TransactionContexts : _CONTEXT_LIST_CTRL
+0x098 TrackCompletionNodes : 0xffffa28b`a6aacc90 _TRACK_COMPLETION_NODES
+0x0a0 CallbackNodes : [50] (null)
0: kd> !fltkd.instance ffffa28ba7347460

FLT_INSTANCE: ffffa28ba7347460 "FileCrypt Instance" "141100"
FLT_OBJECT: ffffa28ba7347460 [01000000] Instance
RundownRef : 0x0000000000000000 (0)
PointerCount : 0x00000001
PrimaryLink : [ffffa28ba6752b70-ffffa28ba7dff960]
OperationRundownRef : ffffa28ba6caec20
Number : 4
PoolToFree : ffffa28ba72fe5d0
OperationsRefs : ffffa28ba72fe600 (0)
PerProcessor Ref[0] : 0xffffffffffffff56 (-85)
PerProcessor Ref[1] : 0x0000000000000006 (3)
PerProcessor Ref[2] : 0x00000000000000bc (94)
PerProcessor Ref[3] : 0xffffffffffffffe8 (-12)
Flags : [00000000]
Volume : ffffa28ba730e7e0 "\Device\HarddiskVolume4"
Filter : ffffa28ba6136b30 "FileCrypt"
TrackCompletionNodes : ffffa28ba6aacc90
ContextLock : (ffffa28ba73474e0)
Context : 0000000000000000
CallbackNodes : (ffffa28ba7347500)
VolumeLink : [ffffa28ba6752b70-ffffa28ba7dff960]
FilterLink : [ffffa28ba6136c00-ffffa28ba6136c00]
这里也有一些信息，很直白，都不说了。

--------------------------------------------------------------------------------------------------

继续上面的，咱可以换另一种看法：
0: kd> dt fltmgr!_FLT_FILTER ffffa28ba6136b30
+0x000 Base : _FLT_OBJECT
+0x030 Frame : 0xffffa28b`a4bd1010 _FLTP_FRAME
+0x038 Name : _UNICODE_STRING "FileCrypt"
+0x048 DefaultAltitude : _UNICODE_STRING "141100"
+0x058 Flags : 2 ( FLTFL_FILTERING_INITIATED )
+0x060 DriverObject : 0xffffa28b`a63fcac0 _DRIVER_OBJECT
+0x068 InstanceList : _FLT_RESOURCE_LIST_HEAD
+0x0e8 VerifierExtension : (null)
+0x0f0 VerifiedFiltersLink : _LIST_ENTRY [ 0x00000000`00000000 - 0x00000000`00000000 ]
+0x100 FilterUnload : 0xfffff801`814eb820 long filecrypt!FCFilterUnload+0
+0x108 InstanceSetup : 0xfffff801`814ea010 long filecrypt!FCInstanceSetup+0
+0x110 InstanceQueryTeardown : 0xfffff801`814ea420 long filecrypt!FCInstanceQueryTeardown+0
+0x118 InstanceTeardownStart : (null)
+0x120 InstanceTeardownComplete : (null)
+0x128 SupportedContextsListHead : 0xffffa28b`a6135d80 _ALLOCATE_CONTEXT_HEADER
+0x130 SupportedContexts : [7] 0xffffa28b`a6135d80 _ALLOCATE_CONTEXT_HEADER
+0x168 PreVolumeMount : (null)
+0x170 PostVolumeMount : (null)
+0x178 GenerateFileName : (null)
+0x180 NormalizeNameComponent : (null)
+0x188 NormalizeNameComponentEx : (null)
+0x190 NormalizeContextCleanup : (null)
+0x198 KtmNotification : (null)
+0x1a0 SectionNotification : (null)
+0x1a8 Operations : 0xffffa28b`a6136de0 _FLT_OPERATION_REGISTRATION
+0x1b0 OldDriverUnload : (null)
+0x1b8 ActiveOpens : _FLT_MUTEX_LIST_HEAD
+0x208 ConnectionList : _FLT_MUTEX_LIST_HEAD
+0x258 PortList : _FLT_MUTEX_LIST_HEAD
+0x2a8 PortLock : _EX_PUSH_LOCK
这里之关心：Operations和SupportedContexts（SupportedContextsListHead），别的都很直白。
这里要和前面的!fltkd.filter结合讲会更好。
因为，我们不但关心FLT_REGISTRATION，还关心这个结构的FLT_CONTEXT_REGISTRATION和FLT_OPERATION_REGISTRATION子结构。
注意：这个结构的好些成员也是结构，如Frame是_FLTP_FRAME。

可以看到SupportedContexts和SupportedContextsListHead的值是一样的。
SupportedContexts的数组的大小是7，WIN8之前是6，增加了一个FLT_SECTION_CONTEXT。
尽管开发是时候是以FLT_CONTEXT_END结束的，但是实际上这个好像没有用。

点击SupportedContexts出现：
0: kd> dx -id 0,0,ffffa28ba514a080 -r1 (*((FLTMGR!_ALLOCATE_CONTEXT_HEADER * (*)[7])0xffffa28ba6136c60))
(*((FLTMGR!_ALLOCATE_CONTEXT_HEADER * (*)[7])0xffffa28ba6136c60)) [Type: _ALLOCATE_CONTEXT_HEADER * [7]]
[0] : 0xffffa28ba6135d80 [Type: _ALLOCATE_CONTEXT_HEADER *]
[1] : 0x0 [Type: _ALLOCATE_CONTEXT_HEADER *]
[2] : 0x0 [Type: _ALLOCATE_CONTEXT_HEADER *]
[3] : 0xffffa28ba6135ec0 [Type: _ALLOCATE_CONTEXT_HEADER *]
[4] : 0x0 [Type: _ALLOCATE_CONTEXT_HEADER *]
[5] : 0x0 [Type: _ALLOCATE_CONTEXT_HEADER *]
[6] : 0x0 [Type: _ALLOCATE_CONTEXT_HEADER *]
空的是没有的，就是驱动编码时没有填写的。
看样子和他们定义的顺序时一一对应的。索引0对应FLT_VOLUME_CONTEXT，索引3对应FLT_STREAM_CONTEXT，等等。
分别点击0和3出现：
0: kd> dx -id 0,0,ffffa28ba514a080 -r1 ((FLTMGR!_ALLOCATE_CONTEXT_HEADER *)0xffffa28ba6135d80)
((FLTMGR!_ALLOCATE_CONTEXT_HEADER *)0xffffa28ba6135d80) : 0xffffa28ba6135d80 [Type: _ALLOCATE_CONTEXT_HEADER *]
[+0x000] Filter : 0xffffa28ba6136b30 [Type: _FLT_FILTER *]
[+0x008] ContextCleanupCallback : 0xfffff801814eb7d0 [Type: void (__cdecl*)(void *,unsigned short)]
[+0x010] Next : 0x0 [Type: _ALLOCATE_CONTEXT_HEADER *]
[+0x018] ContextType : 0x1 [Type: unsigned short]
[+0x01a] Flags : 0x1 [Type: unsigned char]
[+0x01b] AllocationType : 0x1 [Type: unsigned char]
0: kd> dx -id 0,0,ffffa28ba514a080 -r1 ((FLTMGR!_ALLOCATE_CONTEXT_HEADER *)0xffffa28ba6135ec0)
((FLTMGR!_ALLOCATE_CONTEXT_HEADER *)0xffffa28ba6135ec0) : 0xffffa28ba6135ec0 [Type: _ALLOCATE_CONTEXT_HEADER *]
[+0x000] Filter : 0xffffa28ba6136b30 [Type: _FLT_FILTER *]
[+0x008] ContextCleanupCallback : 0xfffff801814eb790 [Type: void (__cdecl*)(void *,unsigned short)]
[+0x010] Next : 0x0 [Type: _ALLOCATE_CONTEXT_HEADER *]
[+0x018] ContextType : 0x8 [Type: unsigned short]
[+0x01a] Flags : 0x1 [Type: unsigned char]
[+0x01b] AllocationType : 0x1 [Type: unsigned char]
分别点击上面的ContextCleanupCallback出现：
其实，你也可以自己输入，如果你的windbg不支持的话。
0: kd> u fffff801814eb7d0
filecrypt!FCCleanupVolumeContext:
fffff801`814eb7d0 4053 push rbx
fffff801`814eb7d2 4883ec20 sub rsp,20h
fffff801`814eb7d6 488bd9 mov rbx,rcx
fffff801`814eb7d9 488b4908 mov rcx,qword ptr [rcx+8]
fffff801`814eb7dd 4885c9 test rcx,rcx
fffff801`814eb7e0 7413 je filecrypt!FCCleanupVolumeContext+0x25 (fffff801`814eb7f5)
fffff801`814eb7e2 ba46436e76 mov edx,766E4346h
fffff801`814eb7e7 ff1553caffff call qword ptr [filecrypt!_imp_ExFreePoolWithTag (fffff801`814e8240)]
0: kd> u fffff801814eb790
filecrypt!FCCleanupStreamContext:
fffff801`814eb790 4053 push rbx
fffff801`814eb792 4883ec20 sub rsp,20h
fffff801`814eb796 488bd9 mov rbx,rcx
fffff801`814eb799 488b4918 mov rcx,qword ptr [rcx+18h]
fffff801`814eb79d 4885c9 test rcx,rcx
fffff801`814eb7a0 740d je filecrypt!FCCleanupStreamContext+0x1f (fffff801`814eb7af)
fffff801`814eb7a2 e81d0b0000 call filecrypt!FCpFreeChamberId (fffff801`814ec2c4)
fffff801`814eb7a7 48c7431800000000 mov qword ptr [rbx+18h],0

关于FLTMGR!_ALLOCATE_CONTEXT_HEADER和FLT_CONTEXT_REGISTRATION的关系，这里就不说了。

至此，上下文分析完毕。

--------------------------------------------------------------------------------------------------

下面分析重要的文件各种操作对应的处理函数。

首先要说说这个，对文件各种操作的类型的处理的数量。
我们开发的时候，经常这样写IRP_MJ_OPERATION_END，就是把这个放在数组的最后一个。
这个的定义是：
#define IRP_MJ_OPERATION_END ((UCHAR)0x80)

经过IDA分析FltRegisterFilter函数可知，它也是搜索这个标志，得到处理消息的个数的。

这是个数组，每个数组成员的大小，在X64上是：
0: kd> ?? sizeof(fltmgr!_FLT_OPERATION_REGISTRATION)
unsigned int64 0x20

这里先解释下，后面的命令显示那个数组的数量的问题。

简单的，你可以这么看：
0: kd> dt 0xffffa28b`a6136de0 _FLT_OPERATION_REGISTRATION
FLTMGR!_FLT_OPERATION_REGISTRATION
+0x000 MajorFunction : 0 ''
+0x004 Flags : 0
+0x008 PreOperation : 0xfffff801`814ebb70 _FLT_PREOP_CALLBACK_STATUS filecrypt!FCPreCreate+0
+0x010 PostOperation : 0xfffff801`814eb890 _FLT_POSTOP_CALLBACK_STATUS filecrypt!FCPostCreate+0
+0x018 Reserved1 : (null)
这是显示第一个（索引为0）的MajorFunction == 0（即IRP_MJ_CREATE）的注册的信息。
还可以继续：
0: kd> dt 0xffffa28b`a6136de0 + @@(sizeof(FLTMGR!_FLT_OPERATION_REGISTRATION)) _FLT_OPERATION_REGISTRATION
FLTMGR!_FLT_OPERATION_REGISTRATION
+0x000 MajorFunction : 0x6 ''
+0x004 Flags : 0
+0x008 PreOperation : 0xfffff801`814ec040 _FLT_PREOP_CALLBACK_STATUS filecrypt!FCPreSetInformation+0
+0x010 PostOperation : (null)
+0x018 Reserved1 : (null)
直到出现：MajorFunction == IRP_MJ_OPERATION_END，如:
0: kd> dt 0xffffa28b`a6136e00 + @@(sizeof(FLTMGR!_FLT_OPERATION_REGISTRATION)) _FLT_OPERATION_REGISTRATION
FLTMGR!_FLT_OPERATION_REGISTRATION
+0x000 MajorFunction : 0x80 ''
+0x004 Flags : 0
+0x008 PreOperation : (null)
+0x010 PostOperation : (null)
+0x018 Reserved1 : (null)
如果，对脚本熟悉，这里可以编写脚本处理。
也可以用另一种方式显示：
0: kd> dps 0xffffa28b`a6136de0 L80
ffffa28b`a6136de0 00000000`00000000
ffffa28b`a6136de8 fffff801`814ebb70 filecrypt!FCPreCreate
ffffa28b`a6136df0 fffff801`814eb890 filecrypt!FCPostCreate
ffffa28b`a6136df8 00000000`00000000
ffffa28b`a6136e00 00000000`00000006
ffffa28b`a6136e08 fffff801`814ec040 filecrypt!FCPreSetInformation
ffffa28b`a6136e10 00000000`00000000
ffffa28b`a6136e18 00000000`00000000
ffffa28b`a6136e20 00000000`00000080
ffffa28b`a6136e28 00000000`00000000
ffffa28b`a6136e30 00000000`00000000
ffffa28b`a6136e38 00000000`00000000
......

至此，文件的消息的处理函数分析完毕。
很幸运，这个驱动处理的消息/操作很少。

--------------------------------------------------------------------------------------------------

其实操作系统也提供了各种信息枚举的接口，不信，你看：
0: kd> x fltmgr!fltenum*
fffff801`800a0220 FLTMGR!FltEnumerateInstanceInformationByDeviceObject (void)
fffff801`800a9256 FLTMGR!FltEnumerateInstanceInformationByDeviceObject$fin$0 (void)
fffff801`800ae5a1 FLTMGR!FltEnumerateInstanceInformationByVolumeName$fin$0 (void)
fffff801`8009d580 FLTMGR!FltEnumerateInstances (void)
fffff801`800a5fb0 FLTMGR!FltEnumerateFilterInformation (void)
fffff801`800ae4a0 FLTMGR!FltEnumerateInstanceInformationByVolume (<no parameter info>)
fffff801`800ae290 FLTMGR!FltEnumerateFilters (<no parameter info>)
fffff801`800ae600 FLTMGR!FltEnumerateVolumes (<no parameter info>)
fffff801`800ae3b0 FLTMGR!FltEnumerateInstanceInformationByFilter (<no parameter info>)
fffff801`800ae4d0 FLTMGR!FltEnumerateInstanceInformationByVolumeName (<no parameter info>)
fffff801`800ae5d0 FLTMGR!FltEnumerateVolumeInformation (<no parameter info>)
一个编码的例子，可参考：
http://correy.webs.com/articles/computer/c/FltEnumerateFilters.C.txt
再结合本文的分析，你所能做的事都在于你的脑子了。

made by correy
made at 14:03 2018/1/10
http://correy.web.com

订阅：博文 (Atom)