When Win32k calls a ring-3 (user-mode) function, the call always goes through KiUserCallbackDispatcher, which dispatches to the __Client*** routines; those routines are mainly responsible for unpacking the parameters and similar housekeeping.
In IDA the following table can be seen in user32.dll (on my machine IDA does not recognize the corresponding symbols; they can only be seen in WinDbg).
.text:77D66274 ; sub_77D65F1D+24Bo
.text:77D66274 unicode 0, </Sessions>,0
.text:77D66288 off_77D66288 dd offset sub_77D5E5DA ; DATA XREF: sub_77D65F1D+1C4o
.text:77D6628C dd offset sub_77D99EDA
.text:77D66290 dd offset sub_77D70A41
.text:77D66294 dd offset sub_77D61469
.text:77D66298 dd offset sub_77D807E2
.text:77D6629C dd offset sub_77D99FB4
.text:77D662A0 dd offset sub_77D5BF8E
.text:77D662A4 dd offset sub_77D9A27E
.text:77D662A8 dd offset sub_77D64AC2
.text:77D662AC dd offset sub_77D9A19C
.text:77D662B0 dd offset sub_77D6398E
.text:77D662B4 dd offset sub_77D9A1DA
.text:77D662B8 dd offset sub_77D7B208
.text:77D662BC dd offset sub_77D9A317
.text:77D662C0 dd offset sub_77D9A317
.text:77D662C4 dd offset sub_77D99FF4
.text:77D662C8 dd offset sub_77D79B1E
.text:77D662CC dd offset sub_77D62086
In fact, the PEB.KernelCallbackTable mentioned earlier points exactly to this table.
.text:77D660D8 mov eax, large fs:18h
.text:77D660DE mov eax, [eax+30h]
.text:77D660E1 mov dword ptr [eax+2Ch], offset off_77D66288
.text:77D660E8 mov eax, large fs:18h
.text:77D660EE mov eax, [eax+30h]
.text:77D660F1 mov [eax+14Ch], edi
.text:77D660F7 mov eax, ds:FindResourceExA
The code above comes from user32!_UserClientDllInitialize, and user32!_UserClientDllInitialize is in turn called from user32!DllEntry:
.text:77D6642D ; BOOL __stdcall DllEntryPoint(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)
.text:77D6642D public DllEntryPoint
.text:77D6642D DllEntryPoint proc near
.text:77D6642D
.text:77D6642D hinstDLL = dword ptr 8
.text:77D6642D fdwReason = dword ptr 0Ch
.text:77D6642D lpReserved = dword ptr 10h
.text:77D6642D
.text:77D6642D mov edi, edi
.text:77D6642F push ebp
.text:77D66430 mov ebp, esp
.text:77D66432 cmp [ebp+fdwReason], 1
.text:77D66436 jnz short loc_77D66445
.text:77D66438 push [ebp+lpReserved]
.text:77D6643B push 1
.text:77D6643D push [ebp+hinstDLL]
.text:77D66440 call sub_77D664E6
.text:77D66445
.text:77D66445 loc_77D66445: ; CODE XREF: DllEntryPoint+9j
.text:77D66445 pop ebp
.text:77D66446 jmp sub_77D65F1D //user32!_UserClientDllInitialize
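Because PEB.KernelCallbackTable is a writable per-process pointer that user32 fills in at load time (the fs:18h -> TEB+30h -> PEB+2Ch chain shown above), a defender can verify that the table and every entry still point inside user32's image. The following integrity check is an added example, not code from the original post; the walk of the PEB uses the page's 32-bit offsets, the module range and the out-of-range entry in demo() are constructed sample values, and check_live_user32_table() is a hypothetical helper that only builds on 32-bit Windows.

```c
#include <stddef.h>
#include <stdint.h>

/* Offsets from the disassembly on this page (32-bit Windows):
 *   fs:[18h] -> TEB,  TEB+30h -> PEB,  PEB+2Ch -> KernelCallbackTable */
#define PEB_KERNELCALLBACKTABLE_OFFSET 0x2C

/* Returns -1 when the table pointer and all n entries lie inside
 * [text_start, text_end); -2 when the table pointer itself is outside the
 * module; otherwise the index of the first entry that points elsewhere. */
int check_callback_table(uint32_t table_va, const uint32_t *entries, size_t n,
                         uint32_t text_start, uint32_t text_end)
{
    if (table_va < text_start || table_va >= text_end)
        return -2;
    for (size_t i = 0; i < n; i++) {
        if (entries[i] < text_start || entries[i] >= text_end)
            return (int)i;
    }
    return -1;
}

#if defined(_WIN32) && defined(_M_IX86)
#include <windows.h>
#include <intrin.h>
/* Live check (hypothetical helper, 32-bit only): read the PEB through
 * fs:[30h], fetch KernelCallbackTable at PEB+2Ch, and compare the first n
 * entries against user32's mapped image range taken from its PE header. */
int check_live_user32_table(size_t n)
{
    uint8_t *peb = (uint8_t *)__readfsdword(0x30);
    uint32_t table_va = *(uint32_t *)(peb + PEB_KERNELCALLBACKTABLE_OFFSET);
    HMODULE user32 = GetModuleHandleA("user32.dll");
    IMAGE_DOS_HEADER *dos = (IMAGE_DOS_HEADER *)user32;
    IMAGE_NT_HEADERS *nt = (IMAGE_NT_HEADERS *)((uint8_t *)user32 + dos->e_lfanew);
    uint32_t base = (uint32_t)(uintptr_t)user32;
    uint32_t end = base + nt->OptionalHeader.SizeOfImage;
    return check_callback_table(table_va, (const uint32_t *)(uintptr_t)table_va,
                                n, base, end);
}
#endif

/* Constructed sample: the first three entries from the page's listing plus
 * one made-up pointer outside user32; the module range is also made up. */
int demo(void)
{
    uint32_t entries[] = { 0x77D5E5DA, 0x77D99EDA, 0x77D70A41, 0x00401000 };
    return check_callback_table(0x77D66288, entries, 4, 0x77D50000, 0x77DF0000);
}
```

Running the live helper from inside a process and comparing the result with the table IDA shows is a cheap way to spot a replaced callback slot.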