在windbg中测试shadow ssdt , win32k!NtUserGetForegroundWindow , hook shadow ssdt
0: kd> lm
start end module name
804d8000 806e3000 nt (pdb symbols) I:\Symbols\ntkrpamp.pdb\966DF78E558F483199141B029DF5A9D51\ntkrpamp.pdb
Unloaded modules:
f56ab000 f56d6000 kmixer.sys
f7b59000 f7b5a000 drmkaud.sys
f6fc8000 f6fd5000 DMusic.sys
f7018000 f7026000 swmidi.sys
f56d6000 f56f9000 aec.sys
f7ad9000 f7adb000 splitter.sys
f70dd000 f70e0000 wmiacpi.sys
f79fb000 f79ff000 kbdhid.sys
f78cf000 f78d4000 Cdaudio.SYS
f79ef000 f79f2000 Sfloppy.SYS
0: kd> x win32k!* win32k.sys的symbol文件没有被载入,此时无法查看win32k.sys的内容。
^ Couldn't resolve 'x win32k'
0: kd> uf win32k!NtUserGetForegroundWindow
Couldn't resolve error at 'win32k!NtUserGetForegroundWindow '
0: kd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS 861b5660 SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000
DirBase: 069c0020 ObjectTable: e1003e40 HandleCount: 255.
Image: System
PROCESS 85c99298 SessionId: none Cid: 0220 Peb: 7ffde000 ParentCid: 0004
DirBase: 069c0040 ObjectTable: e1366228 HandleCount: 21.
Image: smss.exe
PROCESS 85f92ca8 SessionId: 0 Cid: 025c Peb: 7ffde000 ParentCid: 0220
DirBase: 069c0060 ObjectTable: e13bfd50 HandleCount: 368.
Image: csrss.exe
......
PROCESS 85b61020 SessionId: 0 Cid: 0794 Peb: 7ffdd000 ParentCid: 02a0
DirBase: 069c0280 ObjectTable: e184ce98 HandleCount: 63.
Image: VMwareService.exe
PROCESS 85c9ab38 SessionId: 0 Cid: 06cc Peb: 7ffd4000 ParentCid: 060c
DirBase: 069c01c0 ObjectTable: e1043768 HandleCount: 49.
Image: notepad.exe
0: kd> .process 85c9ab38
Implicit process is now 85c9ab38
WARNING: .cache forcedecodeuser is not enabled
0: kd> .reload 重新载入符号
Connected to Windows XP 2600 x86 compatible target, ptr64 FALSE
Loading Kernel Symbols
........................................................................................................................
Loading User Symbols
............................
Loading unloaded module list
..........
0: kd> x win32k!* 现在可以查看shadow ssdt了
bf9346be win32k!EngQueryLocalTime = <no type information>
bf938572 win32k!NtGdiCreateEllipticRgn = <no type information>
bf9ab110 win32k!ghwndSwitch = <no type information>
bf9248f9 win32k!SearchAndSetKbdTbl = <no type information>
bf92602a win32k!xxxUnlatchStickyKeys = <no type information>
bf814d93 win32k!NtUserInvalidateRect = <no type information>
bf98c678 win32k!_imp__IoGetStackLimits = <no type information>
bf944f4a win32k!vTransparentCopyS32D8 = <no type information>
bf8778da win32k!xxxMoveThumb = <no type information>
bf85ef37 win32k!KillTooltipTimer = <no type information>
bf8d3308 win32k!fsg_CompositeInnerGridFit = <no type information>
bf98c49c win32k!_imp__RtlSetOwnerSecurityDescriptor = <no type information>
bf8687ef win32k!bCalcMeshExtent = <no type information>
bf842cf7 win32k!xxxClientLoadMenu = <no type information>
bf8a1307 win32k!ParkIcon = <no type information>
......
uf一个函数试试:
0: kd> uf win32k!NtUserGetForegroundWindow (win32k!NtUserGetForegroundWindow是win32 api GetForegroundWindow()的内核实现)
win32k!NtUserGetForegroundWindow:
bf823d3d 8bff mov edi,edi
bf823d3f 56 push esi
bf823d40 e8a4cefdff call win32k!EnterSharedCrit (bf800be9)
bf823d45 a160b59abf mov eax,dword ptr [win32k!gpqForeground (bf9ab560)]
bf823d4a 85c0 test eax,eax
bf823d4c 7429 je win32k!NtUserGetForegroundWindow+0x33 (bf823d77)
win32k!NtUserGetForegroundWindow+0x11:
bf823d4e 83782800 cmp dword ptr [eax+28h],0
bf823d52 7423 je win32k!NtUserGetForegroundWindow+0x33 (bf823d77)
win32k!NtUserGetForegroundWindow+0x17:
bf823d54 8b7028 mov esi,dword ptr [eax+28h]
bf823d57 ff1560c298bf call dword ptr [win32k!_imp__PsGetCurrentThread (bf98c260)]
bf823d5d 50 push eax
bf823d5e ff15f8c798bf call dword ptr [win32k!_imp__PsGetThreadWin32Thread (bf98c7f8)]
bf823d64 8b403c mov eax,dword ptr [eax+3Ch]
bf823d67 3b460c cmp eax,dword ptr [esi+0Ch]
bf823d6a 750b jne win32k!NtUserGetForegroundWindow+0x33 (bf823d77)
PVOID
PsGetThreadWin32Thread(
__in PETHREAD Thread
)
{
return Thread->Tcb.Win32Thread;
}
PW32THREAD W32Thread;
PETHREAD PEThread = PsGetCurrentThread();
W32Thread = PsGetThreadWin32Thread(PEThread);
//不知道W32Thread和W32Thread->3Ch是什么结构
/*
0: kd> dt _W32THREAD
win32k!_W32THREAD
+0x000 pEThread : Ptr32 _ETHREAD
+0x004 RefCount : Uint4B
+0x008 ptlW32 : Ptr32 _TL
+0x00c pgdiDcattr : Ptr32 Void
+0x010 pgdiBrushAttr : Ptr32 Void
+0x014 pUMPDObjs : Ptr32 Void
+0x018 pUMPDHeap : Ptr32 Void
+0x01c dwEngAcquireCount : Uint4B
+0x020 pSemTable : Ptr32 Void
+0x024 pUMPDObj : Ptr32 Void
3Ch是什么?
*/
if( W32Thread->3Ch != [ [win32k!gpqForeground]+28h +0Ch ] ){
return 0; //hwnd=0
}
win32k!NtUserGetForegroundWindow+0x2f:
bf823d6c 8b36 mov esi,dword ptr [esi]
win32k!NtUserGetForegroundWindow+0x35:
bf823d6e e8a3cdfdff call win32k!LeaveCrit (bf800b16)
bf823d73 8bc6 mov eax,esi
bf823d75 5e pop esi
bf823d76 c3 ret
win32k!NtUserGetForegroundWindow+0x33:
bf823d77 33f6 xor esi,esi
bf823d79 ebf3 jmp win32k!NtUserGetForegroundWindow+0x35 (bf823d6e)
可以看到win32k!NtUserGetForegroundWindow()返回的值其实是 [ [win32k!gpqForeground]+28h ],我们在windbg就可以查看这个值:
0: kd> dd poi(poi(win32k!gpqForeground) +28h)
bc6542b0 00030100 00000009 e24102c8 85c4d480
bc6542c0 bc6542b0 40020049 80000300 00000910
bc6542d0 14cf0000 01000000 00000000 bc66d800
bc6542e0 bc66e010 bc6506e8 bc66e820 00000000
bc6542f0 00000041 00000045 00000299 000001d9
bc654300 00000045 00000077 00000295 000001d5
bc654310 01003429 bc654230 00000000 bc66e1c8
bc654320 00000000 00000000 bc654478 03040587
其中00030100 便是win32k!NtUserGetForegroundWindow()的返回值。
在驱动中可以这样实现:
ULONG ASM_GetForeground(){
//win32k.sys不常驻内存,调用它的函数前一定要先载入gui进程
KeAttachProcess(crsEProc);
DbgPrint("==hwnd:%x \n",g_OriginalNtUserGetForegroundWindow());//
__asm{
;call win32k!EnterSharedCrit (bf800be9)
;mov eax,0bf800be9h
;call eax
mov eax,0bf9ab560h ;win32k!gpqForeground.我用的是硬编码
mov eax,dword ptr [eax]
test eax,eax
je _failed
cmp dword ptr [eax+28h],0
je _failed
mov esi,dword ptr [eax+28h]
mov esi,[esi]
jmp _end
_failed:
mov esi,0
_end:
;call win32k!LeaveCrit (bf800b16)
;mov eax,0bf800b16h
;call eax
call KeDetachProcess
mov eax,esi
}
}
------------------------------------------------------
尝试一下下断点
0: kd> bu win32k!_imp__PsGetThreadWin32Thread
WARNING: Software breakpoints on session addresses can cause bugchecks.
Use hardware execution breakpoints (ba e) if possible.
0: kd> bc *
0: kd> ba e1 win32k!_imp__PsGetThreadWin32Thread 必须下硬件断点,否则会导致异常!
0: kd> bl
0 e bf98c7f8 e 1 0001 (0001) win32k!_imp__PsGetThreadWin32Thread
至此下断点成功
------------------------------------------------------
最后是测试hook shadow ssdt 。《Hook Shadow SSDT》 里面有参考代码.我测试了一下添加对NtUserInternalGetWindowText()的hook:
if ( majorVersion == 5 && minorVersion == 1 )
{
DbgPrint("comint32: Running on Windows XP\n");
NtUserFindWindowEx_callnumber = 0x17A;
NtUserGetForegroundWindow_callnumber = 0x194;
NtUserBuildHwndList_callnumber = 0x138;
NtUserQueryWindow_callnumber = 0x1E3;
NtUserWindowFromPoint_callnumber = 0x250;
NtUserInternalGetWindowText_callnumber = 0x1c1;
}
INT MyNtUserInternalGetWindowText(
IN HWND hwnd,
OUT LPWSTR lpString,
IN int nMaxCount){
INT result;
result=g_OriginalNtUserInternalGetWindowText(hwnd,lpString,nMaxCount);
DbgPrint("MyNtUserInternalGetWindowText() hwnd:%x, lpString:%x-\"%S\", %d, %d\n",hwnd,lpString,lpString,nMaxCount,result);
return result;
}
参考:
《shadow ssdt学习笔记(一)(二)》http://bbs.pediy.com/showthread.php?t=56955
《Hook Shadow SSDT》 http://bbs.pediy.com/showthread.php?t=65931
转载于:https://www.cnblogs.com/marryZhan/archive/2012/06/27/2797290.html
在windbg中测试shadow ssdt , win32k!NtUserGetForegroundWindow , hook shadow ssdt相关推荐
- 在windbg中显示win32k.sys调试符号
在windbg中测试shadow ssdt , win32k!NtUserGetForegroundWindow , hook shadow ssdt 在windbg中查看shadow ssdt: 0 ...
- 如何在Windbg中安装mona
文章目录 01 问题描述 02 解决步骤 2.1 安装和检查Python2.x环境并确保安装了Windbg 2.2 把`Mona.py,windbglib.py`放入Windbg.exe同级文件夹下, ...
- kotlin中的异常处理_如何使用assertFailsWith在Kotlin中测试异常
kotlin中的异常处理 by Daniel Newton 丹尼尔·牛顿 如何使用assertFailsWith在Kotlin中测试异常 (How to test exceptions in Kotl ...
- eclipse中测试Hibernate异常报 ORA-00926: 缺失 VALUES 关键字
eclipse中测试Hibernate异常报 ORA-00926: 缺失 VALUES 关键字 参考文章: (1)eclipse中测试Hibernate异常报 ORA-00926: 缺失 VALUES ...
- Windbg中使用查找内存并设置访问断点
在windbg中通过s 命令在内存中查找字符串或者关键字节码信息 0:005> s -u 00c00000 L1000000 "你好 20:15 2012/6/620:15 2012/ ...
- 如何将WinDBG中命令的输出保存到文本文件中
从本质上说, 这个功能是WinDBG的日志功能的一个应用而已. WinDBG的log功能可以记录你在WinDBG中使用的每一个命令以及其对应的输出. 那么如何开启WinDBG的日志功能呢? 首先, 可 ...
- python里countsget_在Python中测试访问同一数据的竞争条件的方法
当你有多个进程或线程访问相同的数据时,竞争条件是一个威胁.本文探讨了在发现竞争条件后如何测试它们. Incrmnt 你在一个名为"Incrmnt"的火热新创公司工作,该公司只做一件 ...
- 使用外部同步的 Boost.Test 调用在 MT 环境中测试单元测试框架的可用性
使用外部同步的 Boost.Test 调用在 MT 环境中测试单元测试框架的可用性 实现功能 C++实现代码 实现功能 使用外部同步的 Boost.Test 调用在 MT 环境中测试单元测试框架的可用 ...
- 如何在单元测试中测试异步函数,block回调这种
大概有四种方法: runloop 阻塞主进程等待结果 semphaore 阻塞主进程等待结果 使用XCTestExpectation 阻塞主线程等待(我用这个,xcode自带的,为啥不用) 使用第三方 ...
最新文章
- iOS中UIDynamic物理仿真详解
- 混合云计算应用中小企业市场前景看好
- python读取word文档
- [转]开源项目学习方法ABC
- 为PHP设置服务器(Apache/Nginx)环境变量
- TI公司dsp的cmd配置文件的说明
- 洛谷 - P4556 [Vani有约会]雨天的尾巴 /【模板】线段树合并(树上差分+线段树合并)
- leetcode初级算法1.删除排序数组中的重复项
- python try语句相关(try/except/else/finally)
- LeetCode(806)——写字符串需要的行数(JavaScript)
- 基金:能赚大钱的人往往会在3个方面谨慎
- 开源项目推荐ruoyi
- MATLAB实现离散信号的DTFT和DFT
- 【测试】26.用户需求规格跟踪矩阵
- Linux系统日志分析与管理
- 通达信sar源码和分时均价线(结算价)源码
- python数据分析中data_dict={h:v for h,v in zip(header,zip(header,zip(*value)}的含义
- 聚焦传统网络,学习SDN基础和案例
- Android利用Socket与硬件通信之智能家居APP
- 数字电路的一些基本知识