Title: Viewing the addresses of registry callback functions.
From IDA analysis:
CmRegisterCallback calls CmpRegisterCallbackInternal
CmRegisterCallbackEx calls CmpRegisterCallbackInternal
CmpRegisterCallbackInternal calls CmpInsertCallbackInListByAltitude
CmpInsertCallbackInListByAltitude uses CmpCallbackListLock, CallbackListHead, CmpCallbackCookie and CmpCallBackCount.
Only CallbackListHead and CmpCallBackCount are used here.
Note:
The first argument that CmpRegisterCallbackInternal builds and passes to CmpInsertCallbackInListByAltitude is a structure.
The sixth member of this structure (index 5) is the address of the callback function.
Note: in the normal case the value of CmpCallBackCount is 0.
--------------------------------------------------------------------------------------------------
The brief analysis process follows:
4: kd> ||
. 0 Remote KD: KdSrv:Server=@{<Local>},Trans=@{COM:Port=\\.\pipe\com1,Baud=115200,Pipe,Timeout=4000,Resets=2}
4: kd> vertarget
Windows 10 Kernel Version 14393 MP (6 procs) Free x64
Built by: 14393.1593.amd64fre.rs1_release.170731-1934
Machine Name:
Kernel base = 0xfffff802`d5478000 PsLoadedModuleList = 0xfffff802`d5776040
Debug session time: Sun Jan 7 10:57:14.914 2018 (UTC + 8:00)
System Uptime: 0 days 0:11:10.290
4: kd> dd nt!CmpCallBackCount l1
fffff802`d5794e98 00000004
0: kd> dq nt!CallbackListHead
fffff802`d5791c20 ffffbb89`e1685e00 ffffbb89`e1cab4d0
fffff802`d5791c30 00000000`00000000 01d38761`8331470c
fffff802`d5791c40 00000000`00000000 00000000`00000000 the first one is empty.
fffff802`d5791c50 fffff802`d5791c50 fffff802`d5791c50
fffff802`d5791c60 00000000`00060001 fffff802`d5791c68
fffff802`d5791c70 fffff802`d5791c68 00000000`00000000
fffff802`d5791c80 00000000`00060001 fffff802`d5791c88
fffff802`d5791c90 fffff802`d5791c88 00000000`00000000
0: kd> dq ffffbb89`e1cab4d0 next one
ffffbb89`e1cab4d0 fffff802`d5791c20 ffffbb89`e4789d10
ffffbb89`e1cab4e0 00000000`00000000 01d38761`8331470a
ffffbb89`e1cab4f0 00000000`00000000 fffff802`d58bfa30
ffffbb89`e1cab500 00420074`000c000c ffffbb89`e17b9930
ffffbb89`e1cab510 ffffbb89`e1cab510 ffffbb89`e1cab510
ffffbb89`e1cab520 6d4e6f49`03090106 9369ee85`4faf2548
ffffbb89`e1cab530 006e0069`0057005c 00730077`006f0064
ffffbb89`e1cab540 00730079`0053005c 0033006d`00650074
0: kd> u fffff802`d58bfa30
nt!RegistryCallback: surprisingly, it is this one
fffff802`d58bfa30 4c8bdc mov r11,rsp
fffff802`d58bfa33 49895b08 mov qword ptr [r11+8],rbx
fffff802`d58bfa37 49897310 mov qword ptr [r11+10h],rsi
fffff802`d58bfa3b 57 push rdi
fffff802`d58bfa3c 4883ec50 sub rsp,50h
fffff802`d58bfa40 488b05f980eaff mov rax,qword ptr [nt!_security_cookie (fffff802`d5767b40)]
fffff802`d58bfa47 4833c4 xor rax,rsp
fffff802`d58bfa4a 4889442440 mov qword ptr [rsp+40h],rax
0: kd> dq ffffbb89`e4789d10 next one
ffffbb89`e4789d10 ffffbb89`e1cab4d0 ffffbb89`e25b60e0
ffffbb89`e4789d20 00360061`00000000 01d38761`8331470c
ffffbb89`e4789d30 00000000`00000000 fffff805`ebdd1060
ffffbb89`e4789d40 00320035`000c000c ffffbb89`e3433cb0
ffffbb89`e4789d50 ffffbb89`e4789d50 ffffbb89`e4789d50
ffffbb89`e4789d60 58706e50`03040106 9369ee85`4a1d0d08
ffffbb89`e4789d70 ffffbb89`e3999210 ffffbb89`e47e5f10
ffffbb89`e4789d80 ffffbb89`e3ebe980 00000000`00000000
0: kd> u fffff805`ebdd1060 registered by myself, for testing only.
test!RegistryCallback [d:\users\administrator\source\repos\test\test\test.cpp @ 15]:
fffff805`ebdd1060 4c89442418 mov qword ptr [rsp+18h],r8
fffff805`ebdd1065 4889542410 mov qword ptr [rsp+10h],rdx
fffff805`ebdd106a 48894c2408 mov qword ptr [rsp+8],rcx
fffff805`ebdd106f 4883ec18 sub rsp,18h
fffff805`ebdd1073 c7042400000000 mov dword ptr [rsp],0
fffff805`ebdd107a 8b0424 mov eax,dword ptr [rsp]
fffff805`ebdd107d 4883c418 add rsp,18h
fffff805`ebdd1081 c3 ret
0: kd> u test!RegistryCallback the other way round, as a check; also correct.
test!RegistryCallback [d:\users\administrator\source\repos\test\test\test.cpp @ 15]:
fffff805`ebdd1060 4c89442418 mov qword ptr [rsp+18h],r8
fffff805`ebdd1065 4889542410 mov qword ptr [rsp+10h],rdx
fffff805`ebdd106a 48894c2408 mov qword ptr [rsp+8],rcx
fffff805`ebdd106f 4883ec18 sub rsp,18h
fffff805`ebdd1073 c7042400000000 mov dword ptr [rsp],0
fffff805`ebdd107a 8b0424 mov eax,dword ptr [rsp]
fffff805`ebdd107d 4883c418 add rsp,18h
fffff805`ebdd1081 c3 ret
0: kd> dq ffffbb89`e25b60e0 next one
ffffbb89`e25b60e0 ffffbb89`e4789d10 ffffbb89`e1685e00
ffffbb89`e25b60f0 00000000`00000000 01d38761`8331470b
ffffbb89`e25b6100 00000000`00000000 fffff805`eb762fa0
ffffbb89`e25b6110 00000000`000c000c ffffbb89`ebfbc1a0
ffffbb89`e25b6120 ffffbb89`e25b6120 ffffbb89`e25b6120
ffffbb89`e25b6130 6944624f`03030406 00000000`00000000
ffffbb89`e25b6140 ffffbb89`e208a240 ffffce07`2ce7a960
ffffbb89`e25b6150 00000000`2125a355 00000000`00000000
0: kd> u fffff805`eb762fa0
registry!RegistryCallback: and this one too?
fffff805`eb762fa0 48895c2408 mov qword ptr [rsp+8],rbx
fffff805`eb762fa5 57 push rdi
fffff805`eb762fa6 4881ec80000000 sub rsp,80h
fffff805`eb762fad 488b05ac30ffff mov rax,qword ptr [registry!_security_cookie (fffff805`eb756060)]
fffff805`eb762fb4 4833c4 xor rax,rsp
fffff805`eb762fb7 4889442470 mov qword ptr [rsp+70h],rax
fffff805`eb762fbc 33db xor ebx,ebx
fffff805`eb762fbe 83fa0e cmp edx,0Eh
0: kd> dq ffffbb89`e1685e00 next one
ffffbb89`e1685e00 ffffbb89`e25b60e0 fffff802`d5791c20
ffffbb89`e1685e10 00310030`00000000 01d38761`83314709
ffffbb89`e1685e20 00000000`00000000 fffff805`e99d7a50
ffffbb89`e1685e30 10000000`000c000c ffffbb89`e17c3ea0
ffffbb89`e1685e40 ffffbb89`e1685e40 ffffbb89`e1685e40
ffffbb89`e1685e50 6d4e624f`03030406 9369ee85`4f0dce38
ffffbb89`e1685e60 004c0074`00690042 0065006b`0063006f
ffffbb89`e1685e70 10000000`00000072 00000000`00001000
0: kd> u fffff805`e99d7a50
*** ERROR: Module load completed but symbols could not be loaded for SysmonDrv.sys
SysmonDrv+0x7a50: no need to explain this one, you know what it is.
fffff805`e99d7a50 48895c2408 mov qword ptr [rsp+8],rbx
fffff805`e99d7a55 4889742410 mov qword ptr [rsp+10h],rsi
fffff805`e99d7a5a 57 push rdi
fffff805`e99d7a5b 4154 push r12
fffff805`e99d7a5d 4155 push r13
fffff805`e99d7a5f 4156 push r14
fffff805`e99d7a61 4157 push r15
fffff805`e99d7a63 4881ecc0000000 sub rsp,0C0h
The next one after that is the head again.
--------------------------------------------------------------------------------------------------
Another view:
5: kd> dd nt!CmpCallBackCount l1
fffff802`d5794e98 00000003
5: kd> dps nt!CallbackListHead
fffff802`d5791c20 ffffbb89`e25b60e0
fffff802`d5791c28 ffffbb89`e1cab4d0
fffff802`d5791c30 00000000`00000000
fffff802`d5791c38 01d38761`8331470c
fffff802`d5791c40 00000000`00000000
fffff802`d5791c48 00000000`00000000 empty
fffff802`d5791c50 fffff802`d5791c50 nt!CmpPreloadedHivesList
fffff802`d5791c58 fffff802`d5791c50 nt!CmpPreloadedHivesList
fffff802`d5791c60 00000000`00060001
fffff802`d5791c68 fffff802`d5791c68 nt!CmpLoadWorkerEvent+0x8
fffff802`d5791c70 fffff802`d5791c68 nt!CmpLoadWorkerEvent+0x8
fffff802`d5791c78 00000000`00000000
fffff802`d5791c80 00000000`00060001
fffff802`d5791c88 fffff802`d5791c88 nt!CmpLoadWorkerDebugEvent+0x8
fffff802`d5791c90 fffff802`d5791c88 nt!CmpLoadWorkerDebugEvent+0x8
fffff802`d5791c98 00000000`00000000
5: kd> dps ffffbb89`e1cab4d0
ffffbb89`e1cab4d0 fffff802`d5791c20 nt!CallbackListHead
ffffbb89`e1cab4d8 ffffbb89`e4789d10
ffffbb89`e1cab4e0 00000000`00000000
ffffbb89`e1cab4e8 01d38761`8331470a
ffffbb89`e1cab4f0 00000000`00000000
ffffbb89`e1cab4f8 fffff802`d58bfa30 nt!RegistryCallback
ffffbb89`e1cab500 00420074`000c000c
ffffbb89`e1cab508 ffffbb89`e17b9930
ffffbb89`e1cab510 ffffbb89`e1cab510
ffffbb89`e1cab518 ffffbb89`e1cab510
ffffbb89`e1cab520 6d4e6f49`03090106
ffffbb89`e1cab528 9369ee85`4faf2548
ffffbb89`e1cab530 006e0069`0057005c
ffffbb89`e1cab538 00730077`006f0064
ffffbb89`e1cab540 00730079`0053005c
ffffbb89`e1cab548 0033006d`00650074
5: kd> dps ffffbb89`e4789d10
ffffbb89`e4789d10 ffffbb89`e1cab4d0
ffffbb89`e4789d18 ffffbb89`e25b60e0
ffffbb89`e4789d20 00360061`00000000
ffffbb89`e4789d28 01d38761`8331470c
ffffbb89`e4789d30 00000000`00000000
ffffbb89`e4789d38 fffff805`ebdd1060 test!RegistryCallback [d:\users\administrator\source\repos\test\test\test.cpp @ 15]
ffffbb89`e4789d40 00320035`000c000c
ffffbb89`e4789d48 ffffbb89`e3433cb0
ffffbb89`e4789d50 ffffbb89`e4789d50
ffffbb89`e4789d58 ffffbb89`e4789d50
ffffbb89`e4789d60 58706e50`03040106
ffffbb89`e4789d68 9369ee85`4a1d0d08
ffffbb89`e4789d70 ffffbb89`e3999210
ffffbb89`e4789d78 ffffbb89`e47e5f10
ffffbb89`e4789d80 ffffbb89`e3ebe980
ffffbb89`e4789d88 00000000`00000000
5: kd> dps ffffbb89`e25b60e0
ffffbb89`e25b60e0 ffffbb89`e4789d10
ffffbb89`e25b60e8 fffff802`d5791c20 nt!CallbackListHead
ffffbb89`e25b60f0 00000000`00000000
ffffbb89`e25b60f8 01d38761`8331470b
ffffbb89`e25b6100 00000000`00000000
ffffbb89`e25b6108 fffff805`eb762fa0 registry!RegistryCallback
ffffbb89`e25b6110 00000000`000c000c
ffffbb89`e25b6118 ffffbb89`ebfbc1a0
ffffbb89`e25b6120 ffffbb89`e25b6120
ffffbb89`e25b6128 ffffbb89`e25b6120
ffffbb89`e25b6130 6944624f`03030406
ffffbb89`e25b6138 00000000`00000000
ffffbb89`e25b6140 ffffbb89`e208a240
ffffbb89`e25b6148 ffffce07`2ce7a960
ffffbb89`e25b6150 00000000`2125a355
ffffbb89`e25b6158 00000000`00000000
Continuing further starts over from the head.
--------------------------------------------------------------------------------------------------
A third analysis approach:
1: kd> dd nt!CmpCallBackCount l1
fffff801`6919ae98 00000002
; Note: nt!CallbackListHead is a global variable of type LIST_ENTRY.
1: kd> x nt!CallbackListHead
fffff801`69197c20 nt!CallbackListHead = <no type information>
1: kd> dt nt!_LIST_ENTRY fffff801`69197c20
[ 0xffff9d06`80d42870 - 0xffff9d06`7a3da980 ]
+0x000 Flink : 0xffff9d06`80d42870 _LIST_ENTRY [ 0xffff9d06`7a3da980 - 0xfffff801`69197c20 ]
+0x008 Blink : 0xffff9d06`7a3da980 _LIST_ENTRY [ 0xfffff801`69197c20 - 0xffff9d06`80d42870 ]
; Note: IDA analysis shows this structure is 0x50 bytes in size.
1: kd> dps 0xffff9d06`7a3da980 L(0x50/@@(sizeof(void *)))
ffff9d06`7a3da980 fffff801`69197c20 nt!CallbackListHead
ffff9d06`7a3da988 ffff9d06`80d42870
ffff9d06`7a3da990 00000000`00000000
ffff9d06`7a3da998 01d38a03`2a85ebf0
ffff9d06`7a3da9a0 00000000`00000000
ffff9d06`7a3da9a8 fffff801`692c5a30 nt!RegistryCallback
ffff9d06`7a3da9b0 00420074`000c000c
ffff9d06`7a3da9b8 ffff9d06`79f6fcb0
ffff9d06`7a3da9c0 ffff9d06`7a3da9c0
ffff9d06`7a3da9c8 ffff9d06`7a3da9c0
1: kd> dps ffff9d06`80d42870 L(0x50/@@(sizeof(void *)))
ffff9d06`80d42870 ffff9d06`7a3da980
ffff9d06`80d42878 fffff801`69197c20 nt!CallbackListHead
ffff9d06`80d42880 00380002`00000000
ffff9d06`80d42888 01d38a03`2a85ebf1
ffff9d06`80d42890 00000000`00000000
ffff9d06`80d42898 fffff80a`bf002fa0
ffff9d06`80d428a0 00000001`000c000c
ffff9d06`80d428a8 ffff9d06`809702c0
ffff9d06`80d428b0 ffff9d06`80d428b0
ffff9d06`80d428b8 ffff9d06`80d428b0
That is the end; analysing further just starts from the head again. See, fffff801`69197c20 nt!CallbackListHead appears again.
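As an added example (not code from the original post), the following Python script parses the dps output from the third analysis above, walks the LIST_ENTRY chain from nt!CallbackListHead and reads the callback pointer at member index 5 (offset 0x28) of each 0x50-byte entry. The two head lines in the sample are constructed from the Flink/Blink values the dt command showed, only the first six qwords of each entry are kept, and the walk is bounded by CmpCallBackCount so a corrupted or truncated list cannot loop forever.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input: the head's Flink/Blink from the post's `dt nt!_LIST_ENTRY`
# output plus the first six qwords of each `dps` entry dump (third analysis, build 14393).
CALLBACK_LIST_HEAD = 0xFFFFF80169197C20
CALLBACK_COUNT = 2          # nt!CmpCallBackCount at capture time
CALLBACK_OFFSET = 5 * 8     # member index 5 of the 0x50-byte entry holds the callback
DPS_OUTPUT = """\
fffff801`69197c20 ffff9d06`80d42870
fffff801`69197c28 ffff9d06`7a3da980
ffff9d06`7a3da980 fffff801`69197c20 nt!CallbackListHead
ffff9d06`7a3da988 ffff9d06`80d42870
ffff9d06`7a3da990 00000000`00000000
ffff9d06`7a3da998 01d38a03`2a85ebf0
ffff9d06`7a3da9a0 00000000`00000000
ffff9d06`7a3da9a8 fffff801`692c5a30 nt!RegistryCallback
ffff9d06`80d42870 ffff9d06`7a3da980
ffff9d06`80d42878 fffff801`69197c20 nt!CallbackListHead
ffff9d06`80d42880 00380002`00000000
ffff9d06`80d42888 01d38a03`2a85ebf1
ffff9d06`80d42890 00000000`00000000
ffff9d06`80d42898 fffff80a`bf002fa0
"""

# One `dps` line: address, qword value, optional resolved symbol.
_DPS_LINE = re.compile(
    r"^\s*([0-9a-f]{8})`([0-9a-f]{8})\s+([0-9a-f]{8})`([0-9a-f]{8})(?:\s+(\S.*))?$", re.I)

def parse_dps(text: str) -> Tuple[Dict[int, int], Dict[int, str]]:
    """Turn dps output into {address: qword} and {value: symbol} maps."""
    mem: Dict[int, int] = {}
    syms: Dict[int, str] = {}
    for line in text.splitlines():
        m = _DPS_LINE.match(line)
        if not m:
            continue
        addr = int(m.group(1) + m.group(2), 16)
        val = int(m.group(3) + m.group(4), 16)
        mem[addr] = val
        if m.group(5):
            syms[val] = m.group(5).strip()
    return mem, syms

def walk_registry_callbacks(mem: Dict[int, int], head: int,
                            max_entries: int) -> List[Tuple[int, int]]:
    """Follow Flink from CallbackListHead and return (entry, callback) pairs.
    Refuses to go past max_entries or into memory the dump lacks, so a corrupted
    or truncated list cannot send the walk into an endless loop."""
    found: List[Tuple[int, int]] = []
    cur = mem[head]                       # head.Flink
    while cur != head:
        if len(found) >= max_entries:
            raise RuntimeError("more entries than CmpCallBackCount: list corrupted?")
        if cur not in mem or cur + CALLBACK_OFFSET not in mem:
            raise RuntimeError(f"entry {cur:#x} is not in the dump")
        found.append((cur, mem[cur + CALLBACK_OFFSET]))
        cur = mem[cur]                    # entry.Flink (first member)
    return found

if __name__ == "__main__":
    memory, symbols = parse_dps(DPS_OUTPUT)
    for entry, cb in walk_registry_callbacks(memory, CALLBACK_LIST_HEAD, CALLBACK_COUNT):
        print(f"{entry:#018x} -> {cb:#018x} {symbols.get(cb, '<no symbol>')}")
```

To use it on a live session, paste the output of `dps nt!CallbackListHead` and of `dps <entry> L(0x50/@@(sizeof(void *)))` for each entry into DPS_OUTPUT and set CALLBACK_COUNT to the value `dd nt!CmpCallBackCount l1` shows.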
--------------------------------------------------------------------------------------------------
Finally, the important script derived from this:
To be determined.
--------------------------------------------------------------------------------------------------
made by correy
made at 12:07 2018/1/7
http://correy.webs.com