Finding Windows 10 compressed memory with WinDbg
Cribbed from
- https://www-fireeye-com.translate.goog/blog/threat-research/2019/08/finding-evil-in-windows-ten-compressed-memory-part-two.html?_x_tr_sl=auto&_x_tr_tl=zh-CN&_x_tr_hl=zh-CN&_x_tr_pto=wapp
- https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/finding-evil-in-windows-10-compressed-memory-wp.pdf
- https://github.com/mandiant/win10_volatility
- https://www.blackhat.com/us-19/briefings/schedule/#paging-all-windows-geeks–finding-evil-in-windows–compressed-memory-15582
Introduction
My laptop suddenly blue-screened. I thought some piece of software had been crashed remotely and figured this was my chance to finally debug a BSOD; I even assumed it was an SMB service crash. What followed was frustrating: I never pinned down the specific cause or process behind the crash, but the dump pointed at compressed memory, so I decided to follow up and go through the related material. Right now I can only use the related tools; I'm too green to have the actual structures straightened out yet, so I'm wrapping this up for now and will come back to it when I dig through these old notes later.
Materials
A program that allocates so much memory that earlier memory blocks get compressed
An environment to run win10_volatility
Memory allocation program
#include <cstdio>
#include <cstring>
#include <iostream>
using namespace std;

// Chunk added per iteration. The original post does not define FILE_SIZE; 256 MB is assumed here.
#define FILE_SIZE (256LL * 1024 * 1024)

int main()
{
    long long memsize = 0;
    memsize += FILE_SIZE;
    char* buf = new char[memsize];
    cout << "hello";
    // Marker string (70 chars + NUL) that can later be searched for in the compressed store.
    memcpy(buf, "hellworld,helloworld,hellworld,hellworld,hellworld,hellworld,hellworld", 71);
    // Touch the rest of the buffer so every page is resident and becomes a candidate for compression.
    memset(buf + 77, 'A', memsize - 77);
    printf("memsize:%lld MB\r\n", memsize / 1024 / 1024);
    printf("%p\n", (void*)buf);
    while (true)
    {
        // Keep allocating ever larger blocks until the earlier ones are pushed into the compressed store.
        memsize += FILE_SIZE;
        char* sss = new char[memsize];
        memset(sss, 'h', memsize);
        printf("memsize:%lld MB\r\n", memsize / 1024 / 1024);
        printf("%p\n", (void*)sss);
        getchar();  // pause so a memory image can be taken between allocations
    }
}
Procedure
Using the virtual machine's vmem file, I lined up offsets against Part 2 and win10_volatility. I don't know what bug the VM has: for the same memory image, the vmem exported the first time matched the offsets, the vmem exported the second time did not, and the tool could not find the right offsets either; they matched the offsets of the previous vmem. The only minor catch is that the final computation of the offset of the "region of compressed pages" VA differs between system versions; see the structures defined in volatility, under addrspaces/windows in win10_memcompression.
EXCEPTION_RECORD: ffff81823a10eeb8 -- (.exr 0xffff81823a10eeb8)
ExceptionAddress: fffff80778522c60 (nt!RtlDecompressBufferXpressLz+0x0000000000000050)
ExceptionCode: c0000006 (In-page I/O error)
ExceptionFlags: 00000000
NumberParameters: 3
Parameter[0]: 0000000000000000
Parameter[1]: 00000174165d6f70 // memory address at which the I/O operation failed
Parameter[2]: 00000000c0000185 // the specific I/O error
Inpage operation failed at 00000174165d6f70, due to I/O error 00000000c0000185
Incorrect termination or a damaged cable on a SCSI-based device, or two devices attempting to use the same IRQ.
If the I/O status is C0000185 and the paging file is on a SCSI disk (paged pool), check the disk cable connections and SCSI termination for problems.
EXCEPTION_PARAMETER1: 0000000000000000
EXCEPTION_PARAMETER2: 00000174165d6f70
The buffer address ffffb380fcde1000 (rbx/rcx/rdx in the CONTEXT below) in binary, then split into its high and low DWORDs:
11111111 11111111 10110011 10000000 11111100 11011110 00010000 00000000
ffffb380
fcde1000
CONTEXT: ffff81823a10e6f0 -- (.cxr 0xffff81823a10e6f0)
rax=fffff80778522c10 rbx=ffffb380fcde1000 rcx=ffffb380fcde1000
rdx=ffffb380fcde1000 rsi=0000000000000002 rdi=00000174165d6f70
rip=fffff80778522c60 rsp=ffff81823a10f0f8 rbp=00000174165d6f26
r8=00000174165d6f70 r9=000000000000000c r10=ffffb380fcde1ea0
r11=00000174165d6f7c r12=ffff81823a10f368 r13=ffff8d09355dd000
r14=ffffb380fcde2000 r15=0000000000000000
iopl=0 nv up ei pl zr na po nc
cs=0010 ss=0000 ds=002b es=002b fs=0053 gs=002b efl=00050246
nt!RtlDecompressBufferXpressLz+0x50:
fffff807`78522c60 418b08 mov ecx,dword ptr [r8] ds:002b:00000174`165d6f70=????????
Resetting default scope
Argument registers (x64 calling convention): ecx, edx, r8d, r9d
2: kd> uf nt!RtlDecompressBufferXpressLz
nt!RtlDecompressBufferXpressLz:
fffff807`78522c10 48895c2408 mov qword ptr [rsp+8],rbx
fffff807`78522c15 48896c2410 mov qword ptr [rsp+10h],rbp
fffff807`78522c1a 4889742418 mov qword ptr [rsp+18h],rsi
fffff807`78522c1f 48897c2420 mov qword ptr [rsp+20h],rdi
fffff807`78522c24 4156 push r14
fffff807`78522c26 4157 push r15
fffff807`78522c28 488bd9 mov rbx,rcx
fffff807`78522c2b 4183f905 cmp r9d,5
fffff807`78522c2f 0f829e030000 jb nt!RtlDecompressBufferXpressLz+0x3c3 (fffff807`78522fd3) Branch
nt!RtlDecompressBufferXpressLz+0x25:
fffff807`78522c35 448bf2 mov r14d,edx
fffff807`78522c38 488bd1 mov rdx,rcx
fffff807`78522c3b 4c03f1 add r14,rcx
fffff807`78522c3e 458bd9 mov r11d,r9d
fffff807`78522c41 4d03d8 add r11,r8
fffff807`78522c44 4533ff xor r15d,r15d
fffff807`78522c47 4d8d96a0feffff lea r10,[r14-160h]
fffff807`78522c4e 498d6baa lea rbp,[r11-56h]
fffff807`78522c52 0f1f4000 nop dword ptr [rax]
fffff807`78522c56 66660f1f840000000000 nop word ptr [rax+rax]
nt!RtlDecompressBufferXpressLz+0x50:
fffff807`78522c60 418b08 mov ecx,dword ptr [r8]
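The function disassembled above decodes the plain XPRESS LZ77 token format (documented in MS-XCA); the faulting instruction is a read of the compressed input through r8. As an added example, not code from the post or from win10_volatility, here is a bounds-checked Python decoder for that format run over a constructed sample stream, so a truncated or corrupt compressed page raises instead of being read past its end:

```python
import struct

def xpress_lz77_decompress(data: bytes, max_out: int = 4096) -> bytes:
    """Plain (non-Huffman) XPRESS LZ77 decoder per MS-XCA, the token layout that
    RtlDecompressBufferXpressLz consumes: one 32-bit flag word per 32 tokens;
    flag 0 = literal byte, flag 1 = 16-bit match (length-3 in the low 3 bits,
    offset-1 above), with longer lengths spilled into a shared nibble byte."""
    out, pos, flags, nflags, nibble_pos, size = bytearray(), 0, 0, 0, 0, len(data)

    def need(n):  # bounds-check every read: corrupt pages must raise, not overread
        if pos + n > size:
            raise ValueError("truncated compressed stream at offset %d" % pos)

    while True:
        if nflags == 0:
            need(4); flags = struct.unpack_from("<I", data, pos)[0]; pos += 4; nflags = 32
        nflags -= 1
        if not flags & (1 << nflags):                 # literal byte
            need(1); out.append(data[pos]); pos += 1
            continue
        if pos == size:                               # match flag at end of input = EOF
            return bytes(out)
        need(2); match = struct.unpack_from("<H", data, pos)[0]; pos += 2
        length, offset = match & 7, (match >> 3) + 1
        if length == 7:                               # extended length via shared nibble byte
            if nibble_pos == 0:
                need(1); length = data[pos] & 0x0F; nibble_pos = pos; pos += 1
            else:
                length = data[nibble_pos] >> 4; nibble_pos = 0
            if length == 15:
                need(1); length = data[pos]; pos += 1
                if length == 255:
                    need(2); length = struct.unpack_from("<H", data, pos)[0]; pos += 2
                    if length == 0:
                        need(4); length = struct.unpack_from("<I", data, pos)[0]; pos += 4
                    if length < 22:
                        raise ValueError("invalid long match length")
                    length -= 22
                length += 15
            length += 7
        length += 3
        if offset > len(out) or len(out) + length > max_out:
            raise ValueError("match out of range: offset %d length %d" % (offset, length))
        for _ in range(length):                       # byte-wise copy handles overlapping matches
            out.append(out[-offset])

# Constructed sample: literals 'a','b','c', then a match (offset 3, length 12), then EOF.
SAMPLE = bytes.fromhex("ffffff1f" "616263" "1700" "02")   # -> b'abcabcabcabcabc'
```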
Kernel debugger setup on the target (placeholders as in the original):
bcdedit /debug on
bcdedit /dbgsettings net hostip:xxx port:xxx key:xxxx.xxx.aaa.xxd
STACK_TEXT:
kb k
Child-SP  Return address  Arguments
ffff8182`3a10f0f8 fffff807`784d2530 : ffffb380`fcde1000 ffffb380`fcde1000 00000000`00000002 00000174`165d6f70 : nt!RtlDecompressBufferXpressLz+0x50
ffff8182`3a10f110 fffff807`7843b670 : 00000000`00000001 00000000`00000000 00000000`00000000 ffffafa4`3da5b7b5 : nt!RtlDecompressBufferEx+0x60
ffff8182`3a10f160 fffff807`7843b4fd : 00000000`00000004 fffff807`7843b8b6 00000000`00000000 00000000`00000001 : nt!ST_STORE<SM_TRAITS>::StDmSinglePageCopy+0x150
ffff8182`3a10f220 fffff807`7843be28 : 00000000`00000001 00000000`00016f70 ffff8d09`2f430000 ffff8d09`00001000 : nt!ST_STORE<SM_TRAITS>::StDmSinglePageTransfer+0xa5
ffff8182`3a10f270 fffff807`78539c1c : 00000000`ffffffff ffff8d09`355dd000 ffff8182`3a10f350 ffff8d09`2ec89250 : nt!ST_STORE<SM_TRAITS>::StDmpSinglePageRetrieve+0x180
ffff8182`3a10f310 fffff807`78539a69 : ffffb380`f5788730 00000000`00000001 00000000`00000000 00000000`00000000 : nt!ST_STORE<SM_TRAITS>::StDmPageRetrieve+0xc8
ffff8182`3a10f3c0 fffff807`78539921 : ffff8d09`2f430000 ffff8d09`2ec89250 ffff8d09`355dd000 ffff8d09`2f4319c0 : nt!SMKM_STORE<SM_TRAITS>::SmStDirectReadIssue+0x85
ffff8182`3a10f440 fffff807`78427328 : ffff8d09`471d1080 ffff8d09`2f430000 00000000`00000000 ffff8d09`4c7a3650 : nt!SMKM_STORE<SM_TRAITS>::SmStDirectReadCallout+0x21
ffff8182`3a10f470 fffff807`7853adf7 : fffff807`78539900 ffff8182`3a10f510 00000000`00000003 00000000`00000000 : nt!KeExpandKernelStackA