PEB KernelCallbackTable
The KernelCallbackTable at PEB offset 0x2C is quite interesting. Windows is message-driven, and certain signs confirm this, such as CSRSS's LPC communication and IRP-based I/O communication with devices. An ordinary system call looks like this: kernel32!OpenProcess -> ntdll!ZwOpenProcess -> ntdll!KiFastSystemCall -> sysenter -> nt!KiFastCallEntry -> nt!NtOpenProcess -> nt!KiFastCallEntry (after return) -> nt!KiServiceExit -> sysexit -> ntdll!KiFastSystemCallRet -> kernel32!OpenProcess
This is the normal system call flow: ring3 -> ring0 -> ring3.
But sometimes that is not how it goes: the system occasionally needs a callback. The program uses int 2B (KiCallbackReturn) to hand a message to the system (e.g. WM_CHAR, WM_PAINT); the system does not handle it directly in the kernel but gives user mode a chance to hook it: KiCallbackReturn -> nt!KeUserModeCallback -> nt!KiCallUserMode -> nt!KiServiceExit -> ntdll!KiUserCallbackDispatcher -> callback function -> int 2B, and the loop repeats.
As you can see, after KiServiceExit execution returns to ntdll in ring 3 and calls KiUserCallbackDispatcher. A breakpoint can be set on this function, so let's analyze it (memory operands restored from the opcode bytes):

77546FC0 > 64:8B0D 00000000  MOV ECX,DWORD PTR FS:[0]
77546FC7   BA A06F5477       MOV EDX,ntdll.KiUserCallbackExceptionHandler
77546FCC   8D4424 10         LEA EAX,DWORD PTR SS:[ESP+10]
77546FD0   894C24 10         MOV DWORD PTR SS:[ESP+10],ECX
77546FD4   895424 14         MOV DWORD PTR SS:[ESP+14],EDX    ; ntdll.KiUserCallbackDispatcher
77546FD8   64:A3 00000000    MOV DWORD PTR FS:[0],EAX
77546FDE   83C4 04           ADD ESP,4
77546FE1   5A                POP EDX                          ; ntdll.KiUserCallbackDispatcher
77546FE2   64:A1 30000000    MOV EAX,DWORD PTR FS:[30]
77546FE8   8B40 2C           MOV EAX,DWORD PTR DS:[EAX+2C]
77546FEB   FF1490            CALL DWORD PTR DS:[EAX+EDX*4]
77546FEE   50                PUSH EAX
77546FEF   6A 00             PUSH 0
77546FF1   6A 00             PUSH 0
77546FF3   E8 70E4FFFF       CALL ntdll.ZwCallbackReturn
77546FF8   8BF0              MOV ESI,EAX
77546FFA   56                PUSH ESI
77546FFB   E8 05010000       CALL ntdll.RtlRaiseStatus
77547000 ^ EB F8             JMP SHORT ntdll.77546FFA
77546FE2   64:A1 30000000    MOV EAX,DWORD PTR FS:[30]
77546FE8   8B40 2C           MOV EAX,DWORD PTR DS:[EAX+2C]

Here it fetches the address of the KernelCallbackTable straight away: FS:[30] is the PEB, and PEB+0x2C holds the table pointer, after which CALL [EAX+EDX*4] dispatches to the entry whose index the kernel passed in EDX.
The KernelCallbackTable lives in user32. Here is a portion of it (address, entry value, symbol):

76F6D568 > 76F564EB  user32.__fnCOPYDATA
76F6D56C   76F9F0BC  user32.__fnCOPYGLOBALDATA
76F6D570   76F64F59  user32.__fnDWORD
76F6D574   76F5B2A1  user32.__fnNCDESTROY
76F6D578   76F801A6  user32.__fnDWORDOPTINLPMSG
76F6D57C   76F9F196  user32.__fnINOUTDRAG
76F6D580   76F86BFD  user32.__fnGETTEXTLENGTHS
76F6D584   76F9F3EA  user32.__fnINCNTOUTSTRING
76F6D588   76F5AC7A  user32.__fnPOUTLPINT
76F6D58C   76F9F2F5  user32.__fnINLPCOMPAREITEMSTRUCT
76F6D590   76F5E921  user32.__fnINLPCREATESTRUCT
76F6D594   76F6F057  user32.__fnINLPDELETEITEMSTRUCT
76F6D598   76F8629A  user32.__fnINLPDRAWITEMSTRUCT
76F6D59C   76F9F333  user32.__fnINLPHLPSTRUCT
76F6D5A0   76F9F333  user32.__fnINLPHLPSTRUCT
76F6D5A4   76F9F1D6  user32.__fnINLPMDICREATESTRUCT
.........
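As an added example (not code from the original post): a Python check that walks a constructed 32-bit process snapshot exactly the way the dispatcher does (PEB+0x2C, then entry index*4) and flags any KernelCallbackTable entry that does not point into user32, which is how a hooked or replaced entry shows up to a defender. The PEB address, the user32 range and the tampered entry at index 2 are assumed values; the table address and the remaining entries are the ones listed above.

```python
import struct

# Offsets follow the x86 layout shown on the page; the process snapshot itself is
# constructed for this example (assumed addresses, not taken from a real dump).
PEB_KERNEL_CALLBACK_TABLE = 0x2C          # PEB+0x2C, as read by KiUserCallbackDispatcher
PEB_ADDRESS = 0x7FFDF000                  # assumed location of the PEB in this snapshot
USER32_RANGE = (0x76F50000, 0x77000000)   # assumed mapped range of user32.dll

# Entries as listed on the page, in table order; index 2 is deliberately replaced
# with an out-of-module pointer (constructed) to show what a tampered slot looks like.
TABLE_ADDRESS = 0x76F6D568
TABLE_ENTRIES = [0x76F564EB, 0x76F9F0BC, 0x00401000, 0x76F5B2A1, 0x76F801A6, 0x76F9F196]


class Memory:
    """A 32-bit address space modelled as {base_address: bytes} regions."""

    def __init__(self, regions):
        self.regions = regions

    def read_u32(self, addr):
        for base, data in self.regions.items():
            off = addr - base
            if 0 <= off <= len(data) - 4:
                return struct.unpack_from("<I", data, off)[0]
        raise ValueError(f"unmapped address {addr:#010x}")


def build_snapshot():
    peb = bytearray(0x30)  # only the first 0x30 bytes of the PEB matter here
    struct.pack_into("<I", peb, PEB_KERNEL_CALLBACK_TABLE, TABLE_ADDRESS)
    table = b"".join(struct.pack("<I", e) for e in TABLE_ENTRIES)
    return Memory({PEB_ADDRESS: bytes(peb), TABLE_ADDRESS: table})


def audit_callback_table(mem, peb_addr, module_range, count):
    """Follow mov eax,fs:[30h] / mov eax,[eax+2Ch] / call [eax+edx*4] and
    return (table address, [(index, target) for targets outside module_range])."""
    table = mem.read_u32(peb_addr + PEB_KERNEL_CALLBACK_TABLE)
    lo, hi = module_range
    flagged = []
    for index in range(count):
        target = mem.read_u32(table + 4 * index)  # the slot CALL [EAX+EDX*4] would use
        if not lo <= target < hi:
            flagged.append((index, target))
    return table, flagged


def run_audit():
    return audit_callback_table(build_snapshot(), PEB_ADDRESS, USER32_RANGE, len(TABLE_ENTRIES))


if __name__ == "__main__":
    table, flagged = run_audit()
    print(f"KernelCallbackTable at {table:#010x}")
    for index, target in flagged:
        print(f"  entry {index} -> {target:#010x} lies outside user32, possible hijack")
```

On a live process the same walk is done with ReadProcessMemory against the target's PEB and the user32 module bounds from its loaded-module list; only the memory model changes.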