1. About ExceptionPort: I had a look at Windows 8.1, and there is a small change. The field name changed, and there seem to be three fields:

    kd> dt _EPROCESS 8541b880 -ny Exception
    ntdll!_EPROCESS
       +0x0e8 ExceptionPortData : 0x8343d3f0 Void
       +0x0e8 ExceptionPortValue : 0x8343d3f0
       +0x0e8 ExceptionPortState : 0y000

But the field offsets show that it is obviously defined as a union.

Looking at its value:

    kd> !object 0x8343d3f0
    Object: 8343d3f0  Type: (83497ea0) ALPC Port
        ObjectHeader: 8343d3d8 (new version)
        HandleCount: 1  PointerCount: 95
        Directory Object: 82564ad0  Name: ApiPort

It is still an ALPC port; hand it to the !alpc command to parse:

    kd> !alpc /p 0x8343d3f0
    Port 8343d3f0
      Type                      : ALPC_CONNECTION_PORT
      CommunicationInfo         : 8f0eb910
        ConnectionPort          : 8343d3f0 (ApiPort)
        ClientCommunicationPort : 00000000
        ServerCommunicationPort : 00000000
      OwnerProcess              : 84c57040 (csrss.exe)
      SequenceNo                : 0x0000072B (1835)
      CompletionPort            : 00000000
      CompletionList            : 00000000
      ConnectionPending         : No
      ConnectionRefused         : No
      Disconnected              : No
      Closed                    : No
      FlushOnClose              : Yes
      ReturnExtendedInfo        : No
      Waitable                  : No
      Security                  : Static
      Wow64CompletionList       : No

      2 thread(s) are waiting on the port:
        THREAD 834a4440  Cid 0164.018c  Teb: 7ff8c000 Win32Thread: 8c67da18 WAIT
        THREAD 834c5040  Cid 0164.01d4  Teb: 7ff8f000 Win32Thread: 8c67e650 WAIT

      Main queue is empty.
      Large message queue is empty.
      Pending queue is empty.
      Canceled queue is empty.

The process listening on this port is still csrss.exe, so in substance nothing has changed.
Question 2: Win7 did a DLL refactoring. Code that used to live in kernel32 was moved into kernelbase, and kernel32 now does a long jump:

    0:001> u kernel32!IsDebuggerPresent
    kernel32!IsDebuggerPresent:
    75d44a04 ff25940dd475    jmp     dword ptr [kernel32!_imp__IsDebuggerPresent (75d40d94)]

    0:001> u KERNELBASE!IsDebuggerPresent
    KERNELBASE!IsDebuggerPresent:
    74f3377c 64a118000000    mov     eax,dword ptr fs:[00000018h]
    74f33782 8b4030          mov     eax,dword ptr [eax+30h]
    74f33785 0fb64002        movzx   eax,byte ptr [eax+2]
    74f33789 c3              ret
Question 3: things are in motion and changing at every moment; spend a few minutes browsing the introduction to the Zhouyi (《周易》)...
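The three ExceptionPort fields above share offset 0x0e8, which is what makes them a union: the pointer-sized ExceptionPortValue, the ExceptionPortData pointer and the 3-bit ExceptionPortState (printed as 0y000) all overlap. The following Python is an added example, not code from the post or from Windows; it parses the quoted `dt` output, detects which fields overlap, and splits the raw value into pointer and state bits. The sample text is a constructed copy of the post's output, and the assumption that the state occupies the low three bits (the bits freed by pointer alignment) is an assumption of this example, not something the post states.

```python
import re

# Constructed copy of the `dt _EPROCESS ... -ny Exception` output quoted in the post.
DT_OUTPUT = """\
ntdll!_EPROCESS
   +0x0e8 ExceptionPortData : 0x8343d3f0 Void
   +0x0e8 ExceptionPortValue : 0x8343d3f0
   +0x0e8 ExceptionPortState : 0y000
"""

# One `dt` member line: "+0x<offset> <Name> : <value> [type]"
FIELD_RE = re.compile(r"^\s*\+0x([0-9a-fA-F]+)\s+(\w+)\s*:\s*(\S+)")

# ExceptionPortState prints as 0y000, i.e. a 3-bit field.
# ASSUMPTION of this example: it lives in the low 3 bits of the pointer value.
STATE_BITS = 3


def parse_dt(text):
    """Return a list of (offset, name, raw_value) tuples from windbg `dt` output."""
    fields = []
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields.append((int(m.group(1), 16), m.group(2), m.group(3)))
    return fields


def parse_value(raw):
    """windbg prints integers as 0x... (hex) and bitfields as 0y... (binary)."""
    if raw.startswith("0y"):
        return int(raw[2:], 2)
    return int(raw, 16)


def union_members(fields):
    """Group member names by offset; several names at one offset means a union."""
    by_off = {}
    for off, name, _raw in fields:
        by_off.setdefault(off, []).append(name)
    return {off: names for off, names in by_off.items() if len(names) > 1}


def decode_exception_port(value, state_bits=STATE_BITS):
    """Split the raw union value into the port pointer and the state bits."""
    mask = (1 << state_bits) - 1
    return {"port": value & ~mask, "state": value & mask}


def check_consistency(text):
    """True if decoding ExceptionPortValue reproduces the Data and State members."""
    vals = {name: parse_value(raw) for _off, name, raw in parse_dt(text)}
    decoded = decode_exception_port(vals["ExceptionPortValue"])
    return (decoded["port"] == vals["ExceptionPortData"]
            and decoded["state"] == vals["ExceptionPortState"])


if __name__ == "__main__":
    print(union_members(parse_dt(DT_OUTPUT)))
    print(check_consistency(DT_OUTPUT))
```

Running it against the quoted output reports a single union at offset 0xe8 and confirms that the pointer and state decoded from ExceptionPortValue match the other two members; a value with non-zero low bits would decode to the aligned port pointer plus a non-zero state.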