0: kd> lm
start end module name
804d8000 806e3000 nt (pdb symbols) I:\Symbols\ntkrpamp.pdb\966DF78E558F483199141B029DF5A9D51\ntkrpamp.pdb
Unloaded modules:
f56ab000 f56d6000 kmixer.sys
f7b59000 f7b5a000 drmkaud.sys
f6fc8000 f6fd5000 DMusic.sys
f7018000 f7026000 swmidi.sys
f56d6000 f56f9000 aec.sys
f7ad9000 f7adb000 splitter.sys
f70dd000 f70e0000 wmiacpi.sys
f79fb000 f79ff000 kbdhid.sys
f78cf000 f78d4000 Cdaudio.SYS
f79ef000 f79f2000 Sfloppy.SYS
0: kd> x win32k!* win32k.sys的symbol文件没有被载入,此时无法查看win32k.sys的内容。
^ Couldn't resolve 'x win32k'
0: kd> uf win32k!NtUserGetForegroundWindow
Couldn't resolve error at 'win32k!NtUserGetForegroundWindow '
0: kd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS 861b5660 SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000
DirBase: 069c0020 ObjectTable: e1003e40 HandleCount: 255.
Image: System
PROCESS 85c99298 SessionId: none Cid: 0220 Peb: 7ffde000 ParentCid: 0004
DirBase: 069c0040 ObjectTable: e1366228 HandleCount: 21.
Image: smss.exe
PROCESS 85f92ca8 SessionId: 0 Cid: 025c Peb: 7ffde000 ParentCid: 0220
DirBase: 069c0060 ObjectTable: e13bfd50 HandleCount: 368.
Image: csrss.exe
......
PROCESS 85b61020 SessionId: 0 Cid: 0794 Peb: 7ffdd000 ParentCid: 02a0
DirBase: 069c0280 ObjectTable: e184ce98 HandleCount: 63.
Image: VMwareService.exe
PROCESS 85c9ab38 SessionId: 0 Cid: 06cc Peb: 7ffd4000 ParentCid: 060c
DirBase: 069c01c0 ObjectTable: e1043768 HandleCount: 49.
Image: notepad.exe
0: kd> .process 85c9ab38
Implicit process is now 85c9ab38
WARNING: .cache forcedecodeuser is not enabled
0: kd> .reload 重新载入符号
Connected to Windows XP 2600 x86 compatible target, ptr64 FALSE
Loading Kernel Symbols
........................................................................................................................
Loading User Symbols
............................
Loading unloaded module list
..........
0: kd> x win32k!* 现在可以查看shadow ssdt了
bf9346be win32k!EngQueryLocalTime = <no type information>
bf938572 win32k!NtGdiCreateEllipticRgn = <no type information>
bf9ab110 win32k!ghwndSwitch = <no type information>
bf9248f9 win32k!SearchAndSetKbdTbl = <no type information>
bf92602a win32k!xxxUnlatchStickyKeys = <no type information>
bf814d93 win32k!NtUserInvalidateRect = <no type information>
bf98c678 win32k!_imp__IoGetStackLimits = <no type information>
bf944f4a win32k!vTransparentCopyS32D8 = <no type information>
bf8778da win32k!xxxMoveThumb = <no type information>
bf85ef37 win32k!KillTooltipTimer = <no type information>
bf8d3308 win32k!fsg_CompositeInnerGridFit = <no type information>
bf98c49c win32k!_imp__RtlSetOwnerSecurityDescriptor = <no type information>
bf8687ef win32k!bCalcMeshExtent = <no type information>
bf842cf7 win32k!xxxClientLoadMenu = <no type information>
bf8a1307 win32k!ParkIcon = <no type information>
......
uf一个函数试试:
0: kd> uf win32k!NtUserGetForegroundWindow ( win32k!NtUserGetForegroundWindow是win32 api GetForegroundWindow()的内核实现)
win32k!NtUserGetForegroundWindow:
bf823d3d 8bff mov edi,edi
bf823d3f 56 push esi
bf823d40 e8a4cefdff call win32k!EnterSharedCrit (bf800be9)
bf823d45 a160b59abf mov eax,dword ptr [win32k!gpqForeground (bf9ab560)]
bf823d4a 85c0 test eax,eax
bf823d4c 7429 je win32k!NtUserGetForegroundWindow+0x33 (bf823d77)
win32k!NtUserGetForegroundWindow+0x11:
bf823d4e 83782800 cmp dword ptr [eax+28h],0
bf823d52 7423 je win32k!NtUserGetForegroundWindow+0x33 (bf823d77)
win32k!NtUserGetForegroundWindow+0x17:
bf823d54 8b7028 mov esi,dword ptr [eax+28h]
bf823d57 ff1560c298bf call dword ptr [win32k!_imp__PsGetCurrentThread (bf98c260)]
bf823d5d 50 push eax
bf823d5e ff15f8c798bf call dword ptr [win32k!_imp__PsGetThreadWin32Thread (bf98c7f8)]
bf823d64 8b403c mov eax,dword ptr [eax+3Ch]
bf823d67 3b460c cmp eax,dword ptr [esi+0Ch]
bf823d6a 750b jne win32k!NtUserGetForegroundWindow+0x33 (bf823d77)
PVOID
PsGetThreadWin32Thread(
__in PETHREAD Thread
)
{
return Thread->Tcb.Win32Thread;
}
PW32THREAD W32Thread;
PETHREAD PEThread = PsGetCurrentThread();
W32Thread = PsGetThreadWin32Thread(PEThread);
//不知道W32Thread和W32Thread->3Ch是什么结构
/*
0: kd> dt _W32THREAD
win32k!_W32THREAD
+0x000 pEThread : Ptr32 _ETHREAD
+0x004 RefCount : Uint4B
+0x008 ptlW32 : Ptr32 _TL
+0x00c pgdiDcattr : Ptr32 Void
+0x010 pgdiBrushAttr : Ptr32 Void
+0x014 pUMPDObjs : Ptr32 Void
+0x018 pUMPDHeap : Ptr32 Void
+0x01c dwEngAcquireCount : Uint4B
+0x020 pSemTable : Ptr32 Void
+0x024 pUMPDObj : Ptr32 Void
3Ch是什么?
*/
if( W32Thread->3Ch != [ [win32k!gpqForeground]+28h +0Ch ] ){
return 0; //hwnd=0
}
win32k!NtUserGetForegroundWindow+0x2f:
bf823d6c 8b36 mov esi,dword ptr [esi]
win32k!NtUserGetForegroundWindow+0x35:
bf823d6e e8a3cdfdff call win32k!LeaveCrit (bf800b16)
bf823d73 8bc6 mov eax,esi
bf823d75 5e pop esi
bf823d76 c3 ret
win32k!NtUserGetForegroundWindow+0x33:
bf823d77 33f6 xor esi,esi
bf823d79 ebf3 jmp win32k!NtUserGetForegroundWindow+0x35 (bf823d6e)
可以看到win32k!NtUserGetForegroundWindow()返回的值其实是 [ [win32k!gpqForeground]+28h ],我们在windbg就可以查看这个值:
0: kd> dd poi(poi(win32k!gpqForeground) +28h)
bc6542b0 00030100 00000009 e24102c8 85c4d480
bc6542c0 bc6542b0 40020049 80000300 00000910
bc6542d0 14cf0000 01000000 00000000 bc66d800
bc6542e0 bc66e010 bc6506e8 bc66e820 00000000
bc6542f0 00000041 00000045 00000299 000001d9
bc654300 00000045 00000077 00000295 000001d5
bc654310 01003429 bc654230 00000000 bc66e1c8
bc654320 00000000 00000000 bc654478 03040587
其中00030100 便是win32k!NtUserGetForegroundWindow()的返回值。
在驱动中可以这样实现:
ULONG ASM_GetForeground(){
//win32k.sys不常驻内存,调用它的函数前一定要先载入gui进程
KeAttachProcess(crsEProc);
DbgPrint("==hwnd:%x \n",g_OriginalNtUserGetForegroundWindow());//
__asm{
;call win32k!EnterSharedCrit (bf800be9)
;mov eax,0bf800be9h
;call eax
mov eax,0bf9ab560h ;win32k!gpqForeground.我用的是硬编码
mov eax,dword ptr [eax]
test eax,eax
je _failed
cmp dword ptr [eax+28h],0
je _failed
mov esi,dword ptr [eax+28h]
mov esi,[esi]
jmp _end
_failed:
mov esi,0
_end:
;call win32k!LeaveCrit (bf800b16)
;mov eax,0bf800b16h
;call eax
call KeDetachProcess
mov eax,esi
}
}
------------------------------------------------------
尝试一下下断点
0: kd> bu win32k!_imp__PsGetThreadWin32Thread
WARNING: Software breakpoints on session addresses can cause bugchecks.
Use hardware execution breakpoints (ba e) if possible.
0: kd> bc *
0: kd> ba e1 win32k!_imp__PsGetThreadWin32Thread 必须下硬件断点,否则会导致异常!
0: kd> bl
0 e bf98c7f8 e 1 0001 (0001) win32k!_imp__PsGetThreadWin32Thread
至此下断点成功
------------------------------------------------------
最后是测试hook shadow ssdt 。 《Hook Shadow SSDT》 里面有参考代码.我测试了一下添加对NtUserInternalGetWindowText()的hook:
if ( majorVersion == 5 && minorVersion == 1 )
{
DbgPrint("comint32: Running on Windows XP\n");
NtUserFindWindowEx_callnumber = 0x17A;
NtUserGetForegroundWindow_callnumber = 0x194;
NtUserBuildHwndList_callnumber = 0x138;
NtUserQueryWindow_callnumber = 0x1E3;
NtUserWindowFromPoint_callnumber = 0x250;
NtUserInternalGetWindowText_callnumber = 0x1c1;
}
INT MyNtUserInternalGetWindowText(
IN HWND hwnd,
OUT LPWSTR lpString,
IN int nMaxCount){
INT result;
result=g_OriginalNtUserInternalGetWindowText(hwnd,lpString,nMaxCount);
DbgPrint("MyNtUserInternalGetWindowText() hwnd:%x, lpString:%x-\"%S\", %d, %d\n",hwnd,lpString,lpString,nMaxCount,result);
return result;
}
参考:
《shadow ssdt学习笔记(一)(二)》http://bbs.pediy.com/showthread.php?t=56955
《Hook Shadow SSDT》 http://bbs.pediy.com/showthread.php?t=65931
3475
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
