Title: Viewing the addresses of thread-creation callback routines.
From IDA analysis:
PsSetCreateThreadNotifyRoutine calls PspSetCreateThreadNotifyRoutine.
PsSetCreateThreadNotifyRoutineEx also calls PspSetCreateThreadNotifyRoutine.
PspSetCreateThreadNotifyRoutine works with PspCreateThreadNotifyRoutine (the callback array), PspCreateThreadNotifyRoutineCount and PspCreateThreadNotifyRoutineNonSystemCount.
Below is a brief walkthrough of the analysis:
0: kd> ||
. 0 64-bit Full kernel dump: C:\WINDOWS\livekd.dmp
0: kd> vertarget
Windows 8 Kernel Version 9200 MP (8 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 16299.15.amd64fre.rs3_release.170928-1534
Machine Name:
Kernel base = 0xfffff800`95414000 PsLoadedModuleList = 0xfffff800`95775ff0
Debug session time: Fri Jan 5 20:23:00.320 2018 (UTC + 8:00)
System Uptime: 1 days 0:23:22.648
0: kd> dd nt!PspCreateThreadNotifyRoutineCount L1
fffff800`95bfee84 00000002
0: kd> dd nt!PspCreateThreadNotifyRoutineNonSystemCount l1
fffff800`95bfee88 00000000
0: kd> dq nt!PspCreateThreadNotifyRoutine
fffff800`957acc80 ffffd489`a0e2ec0f ffffd489`a6c4a1ff
fffff800`957acc90 00000000`00000000 00000000`00000000
fffff800`957acca0 00000000`00000000 00000000`00000000
fffff800`957accb0 00000000`00000000 00000000`00000000
fffff800`957accc0 00000000`00000000 00000000`00000000
fffff800`957accd0 00000000`00000000 00000000`00000000
fffff800`957acce0 00000000`00000000 00000000`00000000
fffff800`957accf0 00000000`00000000 00000000`00000000
0: kd> dq ffffd489`a0e2ec0f - @@(sizeof(void *)) L1
ffffd489`a0e2ec07 fff80187`22d16c00
0: kd> u fffff80187`22d16c
nvlddmkm+0x11d16c:
fffff801`8722d16c 48895c2408 mov qword ptr [rsp+8],rbx
fffff801`8722d171 4889742410 mov qword ptr [rsp+10h],rsi
fffff801`8722d176 57 push rdi
fffff801`8722d177 4883ec20 sub rsp,20h
fffff801`8722d17b 488bf1 mov rsi,rcx
fffff801`8722d17e 418ad8 mov bl,r8b
fffff801`8722d181 488b0df0b76e00 mov rcx,qword ptr [nvlddmkm!nvDumpConfig+0x82f68 (fffff801`87918978)]
fffff801`8722d188 488bfa mov rdi,rdx
Putting this together gives the script below. Each slot of nt!PspCreateThreadNotifyRoutine is an EX_CALLBACK: a pointer to an EX_CALLBACK_ROUTINE_BLOCK whose low 4 bits hold an EX_FAST_REF count (0xf for both live entries above, so the block addresses are ffffd489`a0e2ec00 and ffffd489`a6c4a1f0), and the registered routine is the Function field at offset 8 of that block, right after the EX_RUNDOWN_REF. The script reaches it by reading 8 bytes at entry-8, which with a 0xf count is block+7, one byte before Function: that is why the value is shifted right by 8 and has its 0xff top byte (always set for a kernel address) restored. The number of routines is taken as Count + NonSystemCount; dq shows only the first 16 slots of the array.
0: kd> r @$t0=(poi(nt!PspCreateThreadNotifyRoutineCount) + poi(nt!PspCreateThreadNotifyRoutineNonSystemCount));r @$t1=nt!PspCreateThreadNotifyRoutine;.for(r @$t2=0; @$t2<@$t0; r @$t2=@$t2+1){.printf /D "ThreadNotifyRoutine(%d):%y\n", (@$t2 + 1), ((poi(((poi(@$t1+@$t2*@@(sizeof(void *))))-@@(sizeof(void *))))>>8) | ff00000000000000)}
ThreadNotifyRoutine(1):nvlddmkm+0x11d16c (fffff801`8722d16c)
ThreadNotifyRoutine(2):mmcss!CiThreadNotification (fffff801`88081010)
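The decoding the one-liner performs, as an added Python example (not the post's script): it reads the same structures with the layout spelled out, and covers two cases the one-liner does not, a slot whose EX_FAST_REF count is below 0xf (a caller is inside the callback at the moment of the snapshot, so entry-8 no longer lands on block+7) and a hole left in the array by PsRemoveCreateThreadNotifyRoutine (the count-bounded loop then stops before the live entries behind it). The symbol addresses, slot values and Function pointers are copied from the dd/dq output above into a constructed in-memory stand-in so it runs offline; the RundownProtect/Context contents, the 64-slot array size and the pykd function names in run_under_pykd are assumptions.

```python
"""Decode nt!PspCreateThreadNotifyRoutine from raw kernel memory (added example).

Layout on x64 (each array slot is an EX_CALLBACK, 8 bytes):
    slot & ~0xF   -> EX_CALLBACK_ROUTINE_BLOCK*   (low 4 bits: EX_FAST_REF count)
    block + 0x00     EX_RUNDOWN_REF         RundownProtect
    block + 0x08     PEX_CALLBACK_FUNCTION  Function   <- the registered routine
    block + 0x10     PVOID                  Context
"""

PTR_SIZE = 8               # x64
EX_FAST_REF_MASK = 0xF     # reference-count bits carried in the slot value
FUNCTION_OFFSET = 0x08     # EX_CALLBACK_ROUTINE_BLOCK.Function
MAX_SLOTS = 64             # PSP_MAX_CREATE_THREAD_NOTIFY on x64 (assumed value)


class FakeKernelMemory:
    """Sparse little-endian byte store standing in for the dump (constructed).

    Addresses and values come from the dd/dq output in the post; the
    RundownProtect and Context contents are assumed to be zero (the post only
    shows that the top byte of RundownProtect was 0x00).
    """

    def __init__(self):
        self._bytes = {}

    def write(self, addr, value, size):
        for i, b in enumerate(value.to_bytes(size, "little")):
            self._bytes[addr + i] = b

    def read(self, addr, size):
        # Unaligned reads are allowed, exactly as poi()/dq behave on a dump.
        raw = bytes(self._bytes.get(addr + i, 0) for i in range(size))
        return int.from_bytes(raw, "little")

    def read_qword(self, addr):
        return self.read(addr, 8)

    def read_dword(self, addr):
        return self.read(addr, 4)


# Symbol addresses exactly as the debugger printed them in the session above.
SYMBOLS = {
    "nt!PspCreateThreadNotifyRoutineCount": 0xFFFFF80095BFEE84,
    "nt!PspCreateThreadNotifyRoutineNonSystemCount": 0xFFFFF80095BFEE88,
    "nt!PspCreateThreadNotifyRoutine": 0xFFFFF800957ACC80,
}

# (slot value, Function pointer inside the referenced block), from the post.
SAMPLE_ENTRIES = [
    (0xFFFFD489A0E2EC0F, 0xFFFFF8018722D16C),   # nvlddmkm+0x11d16c
    (0xFFFFD489A6C4A1FF, 0xFFFFF80188081010),   # mmcss!CiThreadNotification
]


def build_sample_memory():
    mem = FakeKernelMemory()
    mem.write(SYMBOLS["nt!PspCreateThreadNotifyRoutineCount"], len(SAMPLE_ENTRIES), 4)
    mem.write(SYMBOLS["nt!PspCreateThreadNotifyRoutineNonSystemCount"], 0, 4)
    base = SYMBOLS["nt!PspCreateThreadNotifyRoutine"]
    for i, (slot, func) in enumerate(SAMPLE_ENTRIES):
        mem.write(base + i * PTR_SIZE, slot, 8)
        block = slot & ~EX_FAST_REF_MASK
        mem.write(block, 0, 8)                        # RundownProtect (assumed)
        mem.write(block + FUNCTION_OFFSET, func, 8)   # Function
        mem.write(block + 0x10, 0, 8)                 # Context (assumed NULL)
    return mem


def decode_thread_callbacks(read_qword, read_dword, resolve):
    """Return [(slot_index, block_address, function_address)] for live registrations.

    Unlike the one-liner, the EX_FAST_REF bits are masked off and the aligned
    Function field is read, and all MAX_SLOTS slots are scanned until `count`
    live entries have been seen, so holes do not hide later registrations.
    """
    count = (read_dword(resolve("nt!PspCreateThreadNotifyRoutineCount"))
             + read_dword(resolve("nt!PspCreateThreadNotifyRoutineNonSystemCount")))
    base = resolve("nt!PspCreateThreadNotifyRoutine")
    found = []
    for i in range(MAX_SLOTS):
        if len(found) >= count:
            break
        block = read_qword(base + i * PTR_SIZE) & ~EX_FAST_REF_MASK
        if block == 0:
            continue                                  # free slot
        found.append((i, block, read_qword(block + FUNCTION_OFFSET)))
    return found


def unaligned_trick(read_qword, slot):
    """The post's expression: (poi(slot - 8) >> 8) | 0xff00000000000000.

    With the count bits at 0xF, slot - 8 is block + 7: the read straddles the
    last byte of RundownProtect and the low 7 bytes of Function, hence the
    shift and the restored 0xFF top byte. Any other count value moves the
    window and the result is wrong.
    """
    return ((read_qword(slot - PTR_SIZE) >> 8) | 0xFF00000000000000) & 0xFFFFFFFFFFFFFFFF


def run_under_pykd():
    """Same decoder against a live target from WinDbg (assumed pykd API names)."""
    import pykd  # assumption: pykd.ptrQWord, ptrDWord, getOffset, findSymbol
    for i, block, func in decode_thread_callbacks(pykd.ptrQWord, pykd.ptrDWord, pykd.getOffset):
        print("ThreadNotifyRoutine(%d): %s (%016x) block=%016x"
              % (i + 1, pykd.findSymbol(func), func, block))


if __name__ == "__main__":
    mem = build_sample_memory()
    for i, block, func in decode_thread_callbacks(mem.read_qword, mem.read_dword, SYMBOLS.__getitem__):
        print("ThreadNotifyRoutine(%d): %016x block=%016x" % (i + 1, func, block))
```

In WinDbg itself the equivalent fix is to mask instead of reading one byte early, `poi((poi(@$t1+@$t2*8) & 0xfffffffffffffff0)+8)`, optionally followed by `dt nt!_EX_CALLBACK_ROUTINE_BLOCK <block>` if the public symbols carry the type, and to let the `.for` walk every slot while skipping NULL ones rather than stopping at Count + NonSystemCount.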
--------------------------------------------------------------------------------------------------
made by correy
made at 9:59 2018/1/7
http://correy.webs.com