Title: Finding the addresses of image-load callback routines.
Analysis in IDA:
PsSetLoadImageNotifyRoutine calls PsSetLoadImageNotifyRoutineEx.
PsSetLoadImageNotifyRoutineEx works on two unexported globals, PspLoadImageNotifyRoutine (the array of callback slots) and PspLoadImageNotifyRoutineCount (the number of registered routines).
Below is the analysis, in brief:
0: kd> ||
. 0 64-bit Full kernel dump: C:\WINDOWS\livekd.dmp
0: kd> vertarget
Windows 8 Kernel Version 9200 MP (8 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 16299.15.amd64fre.rs3_release.170928-1534
Machine Name:
Kernel base = 0xfffff800`95414000 PsLoadedModuleList = 0xfffff800`95775ff0
Debug session time: Fri Jan 5 20:23:00.320 2018 (UTC + 8:00)
System Uptime: 1 days 0:23:22.648
0: kd> dd nt!PspLoadImageNotifyRoutineCount L1
fffff800`95bfee80 00000001
0: kd> dq nt!PspLoadImageNotifyRoutine
fffff800`957ace80 ffffd489`9e93125f 00000000`00000000
fffff800`957ace90 00000000`00000000 00000000`00000000
fffff800`957acea0 00000000`00000000 00000000`00000000
fffff800`957aceb0 00000000`00000000 00000000`00000000
fffff800`957acec0 00000000`00000000 00000000`00000000
fffff800`957aced0 00000000`00000000 00000000`00000000
fffff800`957acee0 00000000`00000000 00000000`00000000
fffff800`957acef0 00000000`00000000 00000000`00000000
0: kd> dq ffffd489`9e93125f - @@(sizeof(void *)) L1
ffffd489`9e931257 fff80184`974e1000
0: kd> u fffff80184`974e10
ahcache!CitmpLoadImageCallback:
fffff801`84974e10 4885c9 test rcx,rcx
fffff801`84974e13 0f8472010000 je ahcache!CitmpLoadImageCallback+0x17b (fffff801`84974f8b)
fffff801`84974e19 4c8bdc mov r11,rsp
fffff801`84974e1c 55 push rbp
fffff801`84974e1d 4156 push r14
fffff801`84974e1f 4157 push r15
fffff801`84974e21 4883ec60 sub rsp,60h
fffff801`84974e25 4533ff xor r15d,r15d
This yields the script that matters:
0: kd> r @$t0=poi(nt!PspLoadImageNotifyRoutineCount);r @$t1=nt!PspLoadImageNotifyRoutine;.for(r @$t2=0; @$t2<@$t0; r @$t2=@$t2+1){.printf /D "ImageNotifyRoutine(%d):%y\n", (@$t2 + 1), ((poi(((poi(@$t1+@$t2*@@(sizeof(void *))))-@@(sizeof(void *))))>>8) | ff00000000000000)}
ImageNotifyRoutine(1):ahcache!CitmpLoadImageCallback (fffff801`84974e10)
ImageNotifyRoutine(2):Memory access error at ')>>8) | ff00000000000000)'
Two things in that run need explaining. Each slot of nt!PspLoadImageNotifyRoutine is an EX_FAST_REF: on x64 the low 4 bits hold a reference count and the remaining bits point to an EX_CALLBACK_ROUTINE_BLOCK, whose Function pointer sits at offset 8, right after the 8-byte EX_RUNDOWN_REF. For the slot value ffffd489`9e93125f the block is therefore at ffffd489`9e931250 and the function pointer at ffffd489`9e931258. The dq at ffffd489`9e93125f - 8 = ffffd489`9e931257 above reads one byte too early, which is why it shows fff80184`974e1000 rather than fffff801`84974e10; the ">>8 | ff00000000000000" in the script merely undoes that misalignment, and it only works because the byte before the pointer (the high byte of the rundown reference) happens to be 0 and kernel addresses begin with ff. The spurious second iteration comes from poi(), which reads a pointer-sized 8-byte value, while PspLoadImageNotifyRoutineCount is a 4-byte ULONG: the dword following it was evidently non-zero, so @$t0 came out larger than 1 and the loop went on to dereference the empty second slot (0 - 8), which is what the memory access error is. Reading the count with dwo(), masking off the reference-count bits, reading Function at +8 and skipping empty slots fixes both:
0: kd> r @$t0=dwo(nt!PspLoadImageNotifyRoutineCount);r @$t1=nt!PspLoadImageNotifyRoutine;.for(r @$t2=0; @$t2<@$t0; r @$t2=@$t2+1){r @$t3=poi(@$t1+@$t2*@@(sizeof(void *))) & fffffffffffffff0;.if(@$t3 != 0){.printf /D "ImageNotifyRoutine(%d):%y\n", (@$t2 + 1), poi(@$t3+@@(sizeof(void *)))}}
Note that PsRemoveLoadImageNotifyRoutine empties a slot and decrements the counter, so the array can contain holes and the count is an upper bound on the number of registered routines, not the index of the last used slot; scanning every slot of the array and skipping the null ones is the more robust form, and the null check above is what keeps such a scan from faulting.
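As an added example (not part of correy's post), the following C program models in user mode the structures the kd session walks, using constructed memory that reproduces the numbers from the dump, so the decoding and the two defects of the script can be checked offline. The layouts of EX_FAST_REF (low 4 bits are a reference count on x64) and EX_CALLBACK_ROUTINE_BLOCK (Function at offset 8) are the real ones and the addresses are the dump's; the dword placed after the counter is a constructed value, and the names BLOCK_VA, CALLBACK_VA and all helper functions are this example's own.

```c
/* Added example, not from the original post: user-mode model of the kernel
 * structures behind nt!PspLoadImageNotifyRoutine, with constructed memory
 * that reproduces the values seen in the kd session. Little-endian host assumed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EX_FAST_REF_MASK 0xFULL   /* x64: low 4 bits of an EX_FAST_REF are a refcount */

typedef struct _EX_CALLBACK_ROUTINE_BLOCK {
    uint64_t RundownProtect;  /* EX_RUNDOWN_REF, 8 bytes on x64 */
    uint64_t Function;        /* PEX_CALLBACK_FUNCTION, at +8 */
    uint64_t Context;         /* PVOID, at +0x10 */
} EX_CALLBACK_ROUTINE_BLOCK;

/* Constructed "kernel memory": the block behind slot 0 of the dump.
 * Slot value ffffd489`9e93125f -> refcount 0xf, block at ffffd489`9e931250. */
#define BLOCK_VA    0xffffd4899e931250ULL
#define CALLBACK_VA 0xfffff80184974e10ULL   /* ahcache!CitmpLoadImageCallback */
static const EX_CALLBACK_ROUTINE_BLOCK g_block = { 0, CALLBACK_VA, 0 };

/* Constructed slot array as dq printed it: one live entry, the rest empty. */
static const uint64_t g_slots[16] = { 0xffffd4899e93125fULL, 0 };

/* Constructed counter memory: ULONG count == 1 followed by an unrelated
 * non-zero dword (the real neighbour's value is not known from the dump). */
static const uint8_t g_count_bytes[8] = { 1, 0, 0, 0, 2, 0, 0, 0 };

/* Emulates dq/poi(): 8-byte read at a simulated VA; returns 0 on a bad
 * address, which is the kd "Memory access error". */
static int read_qword(uint64_t va, uint64_t *out) {
    if (va < BLOCK_VA || va + 8 > BLOCK_VA + sizeof g_block) return 0;
    memcpy(out, (const uint8_t *)&g_block + (va - BLOCK_VA), 8);
    return 1;
}

/* Correct decode: mask the refcount bits, then read Function at +8.
 * Returns 0 for an empty slot or an unreadable block. */
uint64_t callback_from_slot(uint64_t slot) {
    uint64_t fn = 0;
    uint64_t block = slot & ~EX_FAST_REF_MASK;
    if (block == 0) return 0;
    if (!read_qword(block + offsetof(EX_CALLBACK_ROUTINE_BLOCK, Function), &fn)) return 0;
    return fn;
}

/* What the post's "dq slot - 8" returned: an 8-byte read at ffffd489`9e931257,
 * one byte before Function, so the pointer arrives shifted left by one byte. */
uint64_t misaligned_qword(uint64_t slot) {
    uint64_t v = 0;
    return read_qword(slot - 8, &v) ? v : 0;
}

/* The post's trick: shift the misaligned value back and patch the top byte.
 * It works only because the byte before Function (high byte of RundownProtect)
 * is 0 and kernel addresses begin with ff. */
uint64_t callback_from_slot_hack(uint64_t slot) {
    uint64_t v = misaligned_qword(slot);
    return v ? (v >> 8) | 0xff00000000000000ULL : 0;
}

/* poi() reads 8 bytes on x64 and swallows the dword after the ULONG counter;
 * dwo() reads exactly 4. The former is what made the original loop run twice. */
uint64_t count_via_poi(void) { uint64_t v; memcpy(&v, g_count_bytes, 8); return v; }
uint32_t count_via_dwo(void) { uint32_t v; memcpy(&v, g_count_bytes, 4); return v; }

/* Walk the table like the fixed script: empty slots (holes left by
 * PsRemoveLoadImageNotifyRoutine) are skipped, never dereferenced.
 * Returns the number of live callbacks; fills out[] when given. */
size_t enumerate_callbacks(const uint64_t *slots, size_t nslots, uint64_t *out, size_t max_out) {
    size_t found = 0;
    for (size_t i = 0; i < nslots; i++) {
        uint64_t fn = callback_from_slot(slots[i]);
        if (!fn) continue;
        if (out && found < max_out) out[found] = fn;
        found++;
    }
    return found;
}

int main(void) {
    uint64_t fns[16];
    size_t n = enumerate_callbacks(g_slots, 16, fns, 16);
    for (size_t i = 0; i < n; i++)
        printf("ImageNotifyRoutine(%zu): %016llx\n", i + 1, (unsigned long long)fns[i]);
    printf("misaligned read %016llx, patched to %016llx\n",
           (unsigned long long)misaligned_qword(g_slots[0]),
           (unsigned long long)callback_from_slot_hack(g_slots[0]));
    printf("count via poi() = %llx, via dwo() = %u\n",
           (unsigned long long)count_via_poi(), count_via_dwo());
    return 0;
}
```

Running it prints the same callback address the kd script recovered, shows the raw fff80184`974e1000 value from the misaligned read next to its patched form, and shows how poi() on the 4-byte counter yields a value larger than 1, which is the condition that sent the original loop into the empty second slot.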
--------------------------------------------------------------------------------------------------
made by correy
made at 9:59 2018/1/7
http://correy.webs.com