I read the first article in the Resources section on this site's front page, "Nt vs. Zw - Clearing Confusion...", and I have some questions.
On my own machine (XP SP2), running u ntdll!NtReadFile gives the same result as the article, but running u SharedUserData!SystemCallStub does not match: I don't see sysenter (0f34) anywhere???
0:000> u ntdll!NtReadFile
ntdll!ZwReadFile:
7c92e27c b8b7000000 mov eax,0B7h
7c92e281 ba0003fe7f mov edx,offset SharedUserData!SystemCallStub (7ffe0300)
7c92e286 ff12 call dword ptr [edx]
7c92e288 c22400 ret 24h
7c92e28b 90 nop
ntdll!NtReadFileScatter:
7c92e28c 90 nop
7c92e28d 90 nop
7c92e28e 90 nop
0:000> u SharedUserData!SystemCallStub
SharedUserData!SystemCallStub:
7ffe0300 8beb mov ebp,ebx
7ffe0302 92 xchg eax,edx
7ffe0303 7c94 jl SharedUserData+0x299 (7ffe0299)   // this is the part I don't understand: why is there no sysenter?
7ffe0305 eb92 jmp SharedUserData+0x299 (7ffe0299)
7ffe0307 7c00 jl SharedUserData!SystemCallStub+0x9 (7ffe0309)
7ffe0309 0000 add byte ptr [eax],al
7ffe030b 0000 add byte ptr [eax],al
7ffe030d 0000 add byte ptr [eax],al
0:000> u 7ffe0299
SharedUserData+0x299:
7ffe0299 0000 add byte ptr [eax],al
7ffe029b 0000 add byte ptr [eax],al
7ffe029d 0000 add byte ptr [eax],al
7ffe029f 0000 add byte ptr [eax],al
7ffe02a1 0000 add byte ptr [eax],al
7ffe02a3 0000 add byte ptr [eax],al
7ffe02a5 0000 add byte ptr [eax],al
7ffe02a7 0000 add byte ptr [eax],al
0:000> u 7ffe0309
SharedUserData!SystemCallStub+0x9:
7ffe0309 0000 add byte ptr [eax],al
7ffe030b 0000 add byte ptr [eax],al
7ffe030d 0000 add byte ptr [eax],al
7ffe030f 0000 add byte ptr [eax],al
7ffe0311 0000 add byte ptr [eax],al
7ffe0313 0000 add byte ptr [eax],al
7ffe0315 0000 add byte ptr [eax],al
7ffe0317 0000 add byte ptr [eax],al
.......
Following the two jl targets and running u again gives results that don't look right either. I'm away on a business trip right now and didn't bring Teacher Zhang's bible along; that book's one big problem is that it's too thick to carry :) So some of my questions may well be answered in the book, I just haven't read it. Could some expert please give me a few pointers?
That article is the one I typeset in LaTeX. I reworked it because it is a good article but parts of it are out of date, so while reworking it I added footnotes with updates. OP, you didn't read it carefully...... In the Win-XP-SP1 era it looked the way the article shows:
0: kd> u ntdll!ZwReadFile
ntdll!NtReadFile:
77f761e8 b8b7000000 mov eax,0xb7
77f761ed ba0003fe7f mov edx,0x7ffe0300
77f761f2 ffd2 call edx
77f761f4 c22400 ret 0x24
But the code you posted is from Win-XP-SP2 or later:
0:000> u ntdll!NtReadFile
ntdll!ZwReadFile:
7c92e27c b8b7000000 mov eax,0B7h
7c92e281 ba0003fe7f mov edx,offset SharedUserData!SystemCallStub (7ffe0300)
7c92e286 ff12 call dword ptr [edx]
7c92e288 c22400 ret 24h
Notice the difference? One is call EDX, the other is call [EDX]. So obviously it should be:
0: kd> dd SharedUserData!SystemCallStub
7ffe0300 7c92e4f0 7c92e4f4 00000000 00000000
7ffe0310 00000000 00000000 00000000 00000000
7ffe0320 00000000 00000000 00000000 00000000
0: kd> u 7c92e4f0
ntdll!KiFastSystemCall:
7c92e4f0 8bd4 mov edx,esp
7c92e4f2 0f34 sysenter
ntdll!KiFastSystemCallRet:
7c92e4f4 c3 ret
As for why this was changed to call [EDX], I specifically looked it up in "Kernel-mode Payloads on Windows" (Uninformed, 2005) and put it in a footnote, marked in red:
Due to the fact that SharedUserData contained executable instructions, it was thus necessary that the SharedUserData mapping had to be marked as executable. When Microsoft began work on some of the security enhancements included with XP SP2 and 2003 SP1, such as Data Execution Prevention (DEP), they presumably realized that leaving SharedUserData executable was largely unnecessary and that doing so left open the possibility for abuse. To address this, the fields in KUSER_SHARED_DATA were changed from sets of instructions to function pointers that resided within ntdll.dll.
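An added example, not part of this thread: a small parser for the WinDbg listings quoted above that follows the stub the way the CPU does. It classifies the NtReadFile stub as SP1-style (call edx, so SharedUserData holds instructions) or SP2-style (call dword ptr [edx], so SharedUserData holds a function pointer that the dd output must be dereferenced through), and then confirms the resolved target is the one that contains sysenter. The listings are constructed from the thread; function names are mine.

```python
import re
# Constructed sample input: the XP SP2 listings quoted in this thread, plus the
# XP SP1 NtReadFile listing from the reply (call edx, no indirection).
NTREADFILE_SP2 = """ntdll!ZwReadFile:
7c92e27c b8b7000000 mov eax,0B7h
7c92e281 ba0003fe7f mov edx,offset SharedUserData!SystemCallStub (7ffe0300)
7c92e286 ff12 call dword ptr [edx]"""
SYSTEMCALLSTUB_DD = """7ffe0300 7c92e4f0 7c92e4f4 00000000 00000000
7ffe0310 00000000 00000000 00000000 00000000"""
KIFASTSYSTEMCALL_U = """ntdll!KiFastSystemCall:
7c92e4f0 8bd4 mov edx,esp
7c92e4f2 0f34 sysenter
ntdll!KiFastSystemCallRet:
7c92e4f4 c3 ret"""
NTREADFILE_SP1 = """77f761ed ba0003fe7f mov edx,0x7ffe0300
77f761f2 ffd2 call edx
77f761f4 c22400 ret 0x24"""

INSN_RE = re.compile(r"^([0-9a-f]{8})\s+([0-9a-f]+)\s+(\S+)\s*(.*)$")

def parse_u(text):
    """u output -> [(address, opcode bytes, mnemonic, operands)]; label lines are skipped."""
    return [(int(m[1], 16), m[2], m[3], m[4])
            for m in map(INSN_RE.match, (l.strip() for l in text.splitlines())) if m]

def parse_dd(text):
    """dd output -> {address: dword}."""
    return {int(p[0], 16) + 4 * i: int(v, 16)
            for p in (l.split() for l in text.splitlines()) for i, v in enumerate(p[1:])}

def stub_kind(insns):
    """('code', slot) for call edx (SP1: SharedUserData holds instructions), or
    ('pointer', slot) for call dword ptr [edx] (SP2+: it holds a function pointer)."""
    edx = None
    for _, _, mnem, ops in insns:
        if mnem == "mov" and ops.startswith("edx,"):
            edx = int(re.findall(r"[0-9a-f]{8}", ops)[-1], 16)  # SystemCallStub address
        elif mnem == "call" and edx is not None:
            return ("pointer" if "[" in ops else "code", edx)
    raise ValueError("no call through edx found")

def resolve_sysenter(stub_listing, stub_dd, target_listing):
    """Follow the stub like the CPU does; returns (target address, sysenter seen)."""
    kind, addr = stub_kind(parse_u(stub_listing))
    if kind == "pointer":  # SP2+: call [edx] reads the slot first, which is what dd shows
        addr = parse_dd(stub_dd)[addr]
    target = parse_u(target_listing)
    if not target or target[0][0] != addr:
        raise ValueError("target listing does not start at %#x" % addr)
    return addr, any(mnem == "sysenter" for _, _, mnem, _ in target)
```

Disassembling SharedUserData!SystemCallStub itself on SP2 therefore shows the pointer bytes (7c92e4f0) decoded as garbage instructions, which is exactly what the OP's listing shows.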