使用Windbg查看系统SSDT表与ShadowSSDT表
x86操作系统
发现当前系统并没有加载win32k.pdb这个符号。那么我们需要进行第二步操作;
2. 进入到一个GUI进程环境中,这个时候系统会自动加载win32k.sys:
首先我们枚举出当前系统所有进程,目标寻找explorer.exe
我们找到explorer.exe的EPROCESS地址是86b84540,因此我们用命令进入explorer.exe的领空:
完成之后我们让Windbg重新载入符号:
这个时候win32k.pdb已经被加载到windbg空间中了,那我们就可以通过符号来查询我们的SSDT与Shadow SSDT的列表了。
这个时候我们要做的第一步是找到系统导出的KeServiceDescriptorTable地址:
这个时候我们看到:
81017400这个地址就是我们要查看的nt! KeServiceDescriptorTable的首地址。
我们这里介绍一下另外一个数据结构:
其中 81017400 这个地址指向了 KSERVICE_TABLE_DESCRIPTOR 结构体的首地址,即 KSYSTEM_SERVICE_TABLE ntoskrnl;
ntoskrnl这个变量里面存放的就是我们的SSDT表。
而win32k原本应该是存放Shadow SSDT表的,但是我们看内存区域 81017410 这个里面的内存是0,即里面没有内容。因为Windows将完整的 KSERVICE_TABLE_DESCRIPTOR 数据存在了另外一个地方。我们需要使用另外一个命令来查看:
我们在这次的结果里面看到第五行的地址很眼熟,是81017400。这是一个惊人的发现!
因为我们在查看nt!KeServiceDescriptorTable的时候返回的首地址就是它!
那么,我们再来看看这次返回的首地址:810173c0,看看它的内容是什么——80efb4d0 00000000 000001ad 80efbb88。我们发现,它的内容与81017400地址中的内容惊人的一致。那么来说,nt!KeServiceDescriptorTableShadow就是nt!KeService DescriptorTable的副本,但是有一点不同就是KeServiceDescriptorTableShadow的win32k子项里面是有数据的!说明这个里面存放的就是我们寻找的ShadowSSDT表。
这个正式我们的SSDT表实际内容
ShadowSSDT表的内容:
注:强行加载某一PDB的代码是
1. 查看当前系统是否已经载入win2k.sys的相关符号信息:
kd> lm
start end module name
80586000 8058f000 kdcom (deferred)
80e03000 81391000 nt (pdb symbols) d:\symbols\websymbo\ntkrpamp.pdb\E2342527EA214C109CD28A19ED4FBCCE2\ntkrpamp.pdb
81391000 813e6000 hal (deferred)
81c3b000 81c78000 spaceport (deferred)
81c78000 81c8b000 volmgr (deferred)
81c8b000 81cd9000 volmgrx (deferred)
81cd9000 81ce0000 intelide (deferred)
81ce0000 81cee000 PCIIDEX (deferred)
81cee000 81d04800 vmci (deferred)
81d05000 81d1a000 mountmgr (deferred)
81d1a000 81d33000 lsi_sas (deferred)
81d33000 81d80000 storport (deferred)
81d80000 81d89000 atapi (deferred)
81d89000 81db4000 ataport (deferred)
81db4000 81dc8000 EhStorClass (deferred)
81dc8000 81de6000 luafv (deferred)
81e00000 81e26000 cdrom (deferred)
81e35000 81e81000 fltmgr (deferred)
81e81000 81e92000 fileinfo (deferred)
81e92000 81ec5000 WdFilter (deferred)
81ec5000 81f97000 ndis (deferred)
81f97000 81ff0000 NETIO (deferred)
82000000 82014000 rspndr (deferred)
8201a000 821e9000 tcpip (deferred)
821e9000 821f4000 BasicRender (deferred)
82200000 82208000 Null (deferred)
82208000 8220f000 Beep (deferred)
82210000 82254000 fwpkclnt (deferred)
82254000 82261000 wfplwfs (deferred)
82261000 822ca000 fvevol (deferred)
822ca000 822da000 agp440 (deferred)
822da000 82320000 volsnap (deferred)
82320000 8234f000 rdyboost (deferred)
8234f000 82360000 mup (deferred)
82360000 82367980 vmrawdsk (deferred)
8236b000 82383000 disk (deferred)
82383000 823ce000 CLASSPNP (deferred)
823ce000 823de000 crashdmp (deferred)
823de000 823e9000 monitor (deferred)
823e9000 823f9000 lltdio (deferred)
87a13000 87aa5000 mcupdate_GenuineIntel (deferred)
87aa5000 87ae8000 CLFS (deferred)
87ae8000 87b04000 tm (deferred)
87b04000 87b17000 PSHED (deferred)
87b17000 87b20000 BOOTVID (deferred)
87b20000 87b94000 CI (deferred)
87b94000 87bcc000 msrpc (deferred)
87bcc000 87bde000 pdc (deferred)
87bde000 87bf3000 partmgr (deferred)
87e00000 87e20000 tpm (deferred)
87e29000 87eaa000 Wdf01000 (deferred)
87eaa000 87eb8000 WDFLDR (deferred)
87eb8000 87ec8000 acpiex (deferred)
87ec8000 87ed2000 WppRecorder (deferred)
87ed2000 87f2a000 ACPI (deferred)
87f2a000 87f33000 WMILIB (deferred)
87f33000 87f3b000 msisadrv (deferred)
87f3b000 87f6d000 pci (deferred)
87f6d000 87fe7000 cng (deferred)
87ff1000 87ffc000 vdrvroot (deferred)
88000000 8802a000 ksecpkg (deferred)
8803c000 881cf000 Ntfs (deferred)
881cf000 881e5000 ksecdd (deferred)
881e5000 881f3000 pcw (deferred)
881f3000 881fc000 Fs_Rec (deferred)
8be0a000 8bf3a000 dxgkrnl (deferred)
8bf3a000 8bf48000 watchdog (deferred)
8bf48000 8bf8b000 dxgmms1 (deferred)
8bf8b000 8bf9a000 BasicDisplay (deferred)
8bf9a000 8bfa8000 Npfs (deferred)
8bfa8000 8bfb2000 Msfs (deferred)
8bfb2000 8bfcf000 tdx (deferred)
8bfcf000 8bfdc000 TDI (deferred)
8bfdc000 8bfe5000 ws2ifsl (deferred)
8bfe5000 8bff9000 dump_dumpfve (deferred)
8c800000 8c81a000 usbccgp (deferred)
8c81a000 8c824000 hidusb (deferred)
8c82a000 8c889000 USBPORT (deferred)
8c889000 8c8a6200 E1G60I32 (deferred)
8c8a7000 8c8b9000 usbehci (deferred)
8c8b9000 8c8be000 CmBatt (deferred)
8c8be000 8c8c9000 BATTC (deferred)
8c8c9000 8c8e0000 intelppm (deferred)
8c8e0000 8c8f9000 raspptp (deferred)
8c8f9000 8c914000 ras (deferred)
8c914000 8c929000 raspppoe (deferred)
8c929000 8c92a300 swenum (deferred)
8c92b000 8c96a000 ks (deferred)
8c96a000 8c973000 rdpbus (deferred)
8c973000 8c984000 NDProxy (deferred)
8c984000 8c98e000 flpydisk (deferred)
8c98e000 8c9e2000 usbhub (deferred)
8c9e2000 8c9eb000 USBD (deferred)
8c9eb000 8c9ff000 HIDCLASS (deferred)
8ca00000 8ca06780 HIDPARSE (deferred)
8ca07000 8ca10000 mouhid (deferred)
8ca10000 8ca1b000 dump_diskdump (deferred)
8ca1b000 8ca34000 dump_LSI_SAS (deferred)
8ca3a000 8ca7e000 netbt (deferred)
8ca7e000 8caf1000 afd (deferred)
8caf1000 8cb16000 pacer (deferred)
8cb16000 8cb24000 netbios (deferred)
8cb24000 8cb45580 vmhgfs (deferred)
8cb46000 8cb9f000 rdbss (deferred)
8cb9f000 8cbbb000 vm3dmp (deferred)
8cbbb000 8cbff000 udfs (deferred)
8cc00000 8cc70000 csc (deferred)
8cc70000 8cc86000 wanarp (deferred)
8cc86000 8cc91000 nsiproxy (deferred)
8cc91000 8cc9c000 npsvctrig (deferred)
8cc9c000 8cca7000 mssmbios (deferred)
8cca7000 8ccb5000 discache (deferred)
8ccb5000 8ccd0000 dfsc (deferred)
8ccd0000 8ccdb000 usbuhci (deferred)
8ccde000 8cce9000 ndistapi (deferred)
8cce9000 8cd0f000 ndiswan (deferred)
8cd0f000 8cd26000 rassstp (deferred)
8cd26000 8cd38000 AgileVpn (deferred)
8cd38000 8cd5b000 tunnel (deferred)
8cd5b000 8cd68000 CompositeBus (deferred)
8cd68000 8cd72000 kdnic (deferred)
8cd72000 8cd80000 umbus (deferred)
8cd80000 8cd9b000 i8042prt (deferred)
8cd9b000 8cda8000 kbdclass (deferred)
8cda8000 8cda9280发现当前系统并没有加载win32k.pdb这个符号。那么我们需要进行第二步操作;
2. 进入到一个GUI进程环境中,这个时候系统会自动加载win32k.sys:
首先我们枚举出当前系统所有进程,目标寻找explorer.exe
kd> !Process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS 845c0cc0 SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000
DirBase: 00185000 ObjectTable: 87c03000 HandleCount:
Image: System
PROCESS 858a69c0 SessionId: none Cid: 0200 Peb: 7f0db000 ParentCid: 0004
DirBase: 3e0a7020 ObjectTable: 8b1cdec0 HandleCount:
Image: smss.exe
PROCESS 85ea4bc0 SessionId: 0 Cid: 0264 Peb: 7f55f000 ParentCid: 025c
DirBase: 3e0a7060 ObjectTable: 8c436740 HandleCount:
Image: csrss.exe
PROCESS 84669cc0 SessionId: 1 Cid: 029c Peb: 7f04a000 ParentCid: 0200
DirBase: 3e0a7080 ObjectTable: 00000000 HandleCount: 0.
Image: smss.exe
PROCESS 845b8040 SessionId: 0 Cid: 02a4 Peb: 7fcd8000 ParentCid: 025c
DirBase: 3e0a70a0 ObjectTable: 8b1fec00 HandleCount:
Image: wininit.exe
PROCESS 84655cc0 SessionId: 1 Cid: 02ac Peb: 7f0a4000 ParentCid: 029c
DirBase: 3e0a7040 ObjectTable: 87cdde00 HandleCount:
Image: csrss.exe
PROCESS 84662cc0 SessionId: 1 Cid: 02cc Peb: 7f2d9000 ParentCid: 029c
DirBase: 3e0a70c0 ObjectTable: 87cc6a00 HandleCount:
Image: winlogon.exe
PROCESS 8463fcc0 SessionId: 0 Cid: 02f8 Peb: 7f42d000 ParentCid: 02a4
DirBase: 3e0a70e0 ObjectTable: 91325f00 HandleCount:
Image: services.exe
PROCESS 845a0900 SessionId: 0 Cid: 0300 Peb: 7f885000 ParentCid: 02a4
DirBase: 3e0a7100 ObjectTable: 91328a00 HandleCount:
Image: lsass.exe
PROCESS 857b0040 SessionId: 0 Cid: 0364 Peb: 7f08f000 ParentCid: 02f8
DirBase: 3e0a7120 ObjectTable: 9be2f480 HandleCount:
Image: svchost.exe
PROCESS 8608e040 SessionId: 0 Cid: 0394 Peb: 7f43f000 ParentCid: 02f8
DirBase: 3e0a7140 ObjectTable: 9be62640 HandleCount:
Image: svchost.exe
PROCESS 860b5cc0 SessionId: 1 Cid: 03dc Peb: 7f353000 ParentCid: 02cc
DirBase: 3e0a7160 ObjectTable: 00000000 HandleCount: 0.
Image: LogonUI.exe
PROCESS 860f5cc0 SessionId: 1 Cid: 0428 Peb: 7f1bd000 ParentCid: 02cc
DirBase: 3e0a7180 ObjectTable: 9bf3e840 HandleCount:
Image: dwm.exe
PROCESS 86163040 SessionId: 0 Cid: 0474 Peb: 7f145000 ParentCid: 02f8
DirBase: 3e0a71a0 ObjectTable: 9cc01300 HandleCount:
Image: svchost.exe
PROCESS 86168200 SessionId: 0 Cid: 0490 Peb: 7fe6f000 ParentCid: 02f8
DirBase: 3e0a71c0 ObjectTable: 9cc19880 HandleCount:
Image: svchost.exe
PROCESS 861819c0 SessionId: 0 Cid: 04c4 Peb: 7f6f7000 ParentCid: 02f8
DirBase: 3e0a71e0 ObjectTable: 9cc696c0 HandleCount:
Image: svchost.exe
PROCESS 8618ca00 SessionId: 0 Cid: 04fc Peb: 7f4af000 ParentCid: 02f8
DirBase: 3e0a7200 ObjectTable: 9cc7cbc0 HandleCount:
Image: svchost.exe
PROCESS 85f3b6c0 SessionId: 0 Cid: 0560 Peb: 7f1ef000 ParentCid: 02f8
DirBase: 3e0a7220 ObjectTable: 9ccb56c0 HandleCount:
Image: svchost.exe
PROCESS 85f96040 SessionId: 0 Cid: 05f4 Peb: 7f0b4000 ParentCid: 02f8
DirBase: 3e0a7240 ObjectTable: 9cd30980 HandleCount:
Image: spoolsv.exe
PROCESS 861d4580 SessionId: 0 Cid: 0630 Peb: 7fedf000 ParentCid: 02f8
DirBase: 3e0a7280 ObjectTable: 9cd4a280 HandleCount:
Image: svchost.exe
PROCESS 869b5040 SessionId: 0 Cid: 06f8 Peb: 7fc77000 ParentCid: 02f8
DirBase: 3e0a72a0 ObjectTable: 9cdcc800 HandleCount:
Image: MsMpEng.exe
PROCESS 869e7040 SessionId: 0 Cid: 0730 Peb: 7f17b000 ParentCid: 02f8
DirBase: 3e0a72c0 ObjectTable: 9f869940 HandleCount:
Image: vmtoolsd.exe
PROCESS 86b6a9c0 SessionId: 1 Cid: 08b0 Peb: 7feda000 ParentCid: 02f8
DirBase: 3e0a7360 ObjectTable: 9cde4740 HandleCount:
Image: taskhostex.exe
PROCESS 86b84540 SessionId: 1 Cid: 0914 Peb: 7f7bc000 ParentCid: 08ec
DirBase: 3e0a73e0 ObjectTable: 9e0d83c0 HandleCount:
Image: explorer.exe
PROCESS 8515f040 SessionId: 0 Cid: 09f0 Peb: 7fa7b000 ParentCid: 02f8
DirBase: 3e0a7440 ObjectTable: 9e1c0a80 HandleCount:
Image: msdtc.exe
PROCESS 86b28cc0 SessionId: 0 Cid: 0a34 Peb: 7f6cd000 ParentCid: 02f8
DirBase: 3e0a7460 ObjectTable: 9e645bc0 HandleCount:
Image: svchost.exe
PROCESS 86a804c0 SessionId: 1 Cid: 0b4c Peb: 7f16f000 ParentCid: 0364
DirBase: 3e0a7320 ObjectTable: 9e6bae80 HandleCount:
Image: LiveComm.exe
PROCESS 86c8fcc0 SessionId: 0 Cid: 0b6c Peb: 7fc8b000 ParentCid: 02f8
DirBase: 3e0a7480 ObjectTable: 9e6ce3c0 HandleCount:
Image: svchost.exe
PROCESS 86c31cc0 SessionId: 0 Cid: 0ce4 Peb: 7fcf3000 ParentCid: 04fc
DirBase: 3e0a74e0 ObjectTable: 9e765b40 HandleCount:
Image: dasHost.exe
PROCESS 86c45040 SessionId: 1 Cid: 0d8c Peb: 7f68d000 ParentCid: 0364
DirBase: 3e0a7520 ObjectTable: 9e686a00 HandleCount:
Image: RuntimeBroker.exe
PROCESS 86b13540 SessionId: 1 Cid: 0e64 Peb: 7fb2c000 ParentCid: 0914
DirBase: 3e0a7560 ObjectTable: a1666640 HandleCount:
Image: VMwareTray.exe
PROCESS 869eca40 SessionId: 1 Cid: 0ecc Peb: 7fcbf000 ParentCid: 0914
DirBase: 3e0a75a0 ObjectTable: a17c5f40 HandleCount:
Image: vmtoolsd.exe
PROCESS 85ea5040 SessionId: 0 Cid: 0ee4 Peb: 7f429000 ParentCid: 02f8
DirBase: 3e0a75c0 ObjectTable: a16afb80 HandleCount:
Image: SearchIndexer.exe
PROCESS 84739740 SessionId: 0 Cid: 0b54 Peb: 7f4df000 ParentCid: 0364
DirBase: 3e0a7640 ObjectTable: a3e86440 HandleCount:
Image: dllhost.exe
PROCESS 847b0cc0 SessionId: 0 Cid: 0e0c Peb: 7f8cc000 ParentCid: 02f8
DirBase: 3e0a7500 ObjectTable: a3fe4980 HandleCount:
Image: wmpnetwk.exe
PROCESS 8542a9c0 SessionId: 0 Cid: 02b4 Peb: 7f98f000 ParentCid: 0178
DirBase: 3e0a7920 ObjectTable: a9d4f340 HandleCount:
Image: MpCmdRun.exe
PROCESS 85406740 SessionId: 0 Cid: 0198 Peb: 7faae000 ParentCid: 06f8
DirBase: 3e0a7940 ObjectTable: a9ca8800 HandleCount:
Image: MpCmdRun.exe
PROCESS 84ed1cc0 SessionId: 0 Cid: 0bb8 Peb: 7fbfd000 ParentCid: 0198
DirBase: 3e0a7900 ObjectTable: aa4d4580 HandleCount:
Image: conhost.exe
PROCESS 84d2e200 SessionId: 0 Cid: 0a8c Peb: 7fe37000 ParentCid: 02f8
DirBase: 3e0a740我们找到explorer.exe的EPROCESS地址是86b84540,因此我们用命令进入explorer.exe的领空:
kd> .process 86b84540
Implicit process is now 86b84540
WARNING: .cache forcedecodeuser is not enabled完成之后我们让Windbg重新载入符号:
kd> .reload
Connected to Windows 7 9200 x86 compatible target at (Thu Jan 16 14:55:08.096 2014 (UTC + 8:00)), ptr64 FALSE
Loading Kernel Symbols
...............................................................
................................................................
......................
Loading User Symbols
................................................................
...
Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long.
Run !sym noisy before .reload to track down problems loading symbols.
.............................................................
................................................................
.......
Loading unloaded module list
............................这个时候win32k.pdb已经被加载到windbg空间中了,那我们就可以通过符号来查询我们的SSDT与Shadow SSDT的列表了。
这个时候我们要做的第一步是找到系统导出的KeServiceDescriptorTable地址:
kd> dd nt!KeServiceDescriptorTable
81017400 80efb4d0 00000000 000001ad 80efbb88
81017410 00000000 00000000 00000000 00000000
81017420 80e8e42a 87f7f0b0 ffd5826a ffffffff
81017430 06060001 00010001 00000001 00000000
81017440 00000000 00000000 00000014 00000001
81017450 00000014 00000003 00000004 00000001
81017460 00000000 00000000 00000000 7ffeffff
81017470 80000000 83000000 87951000 0003ff7d这个时候我们看到:
81017400这个地址就是我们要查看的nt! KeServiceDescriptorTable的首地址。
我们这里介绍一下另外一个数据结构:
typedef struct _KSYSTEM_SERVICE_TABLE
{
PULONG ServiceTableBase; // SSDT (System Service Dispatch Table)的基地址
PULONG ServiceCounterTableBase; // 包含 SSDT 中每个服务被调用的次数
ULONG NumberOfService; // 服务函数的个数, NumberOfService * 4 就是整个地址表的大小
ULONG ParamTableBase; // SSPT(System Service Parameter Table)的基地址
} KSYSTEM_SERVICE_TABLE, *PKSYSTEM_SERVICE_TABLE;
typedef struct _KSERVICE_TABLE_DESCRIPTOR
{
KSYSTEM_SERVICE_TABLE ntoskrnl; // ntoskrnl.exe 的服务函数(SSDT)
KSYSTEM_SERVICE_TABLE win32k; // win32k.sys 的服务函数(GDI32.dll/User32.dll 的内核支持,Shadow SSDT)
KSYSTEM_SERVICE_TABLE notUsed1;
KSYSTEM_SERVICE_TABLE notUsed2;
} KSERVICE_TABLE_DESCRIPTOR, *PKSERVICE_TABLE_DESCRIPTOR;其中 81017400 这个地址指向了 KSERVICE_TABLE_DESCRIPTOR 结构体的首地址,即 KSYSTEM_SERVICE_TABLE ntoskrnl;
ntoskrnl这个变量里面存放的就是我们的SSDT表。
而win32k原本应该是存放Shadow SSDT表的,但是我们看内存区域 81017410 这个里面的内存是0,即里面没有内容。因为Windows将完整的 KSERVICE_TABLE_DESCRIPTOR 数据存在了另外一个地方。我们需要使用另外一个命令来查看:
kd> dd nt!KeServiceDescriptorTableShadow
810173c0 80efb4d0 00000000 000001ad 80efbb88
810173d0 8f712000 00000000 000003d8 8f713340
810173e0 80ee1ea3 00026161 00001388 00000000
810173f0 00200000 00000040 a0ef3fff 00000009
81017400 80efb4d0 00000000 000001ad 80efbb88
81017410 00000000 00000000 00000000 00000000
81017420 80e8e42a 87f7f0b0 ffd5826a ffffffff
81017430 06060001 00010001 00000001 00000000我们在这次的结果里面看到第五行的地址很眼熟,是81017400。这是一个惊人的发现!
因为我们在查看nt!KeServiceDescriptorTable的时候返回的首地址就是它!
那么,我们再来看看这次返回的首地址:810173c0,看看它的内容是什么——80efb4d0 00000000 000001ad 80efbb88。我们发现,它的内容与81017400地址中的内容惊人的一致。那么来说,nt!KeServiceDescriptorTableShadow就是nt!KeService DescriptorTable的副本,但是有一点不同就是KeServiceDescriptorTableShadow的win32k子项里面是有数据的!说明这个里面存放的就是我们寻找的ShadowSSDT表。
OK,下面我们就来查看SSDT表的内容:
kd> dds 80efb4d0 L000001ad
80efb4d0 80ed5901 nt!NtWorkerFactoryWorkerReady
80efb4d4 80e741e2 nt!NtYieldExecution
80efb4d8 81126540 nt!NtWriteVirtualMemory
80efb4dc 811ae0af nt!NtWriteRequestData
80efb4e0 81163478 nt!NtWriteFileGather
80efb4e4 8105548f nt!NtWriteFile
80efb4e8 811f3434 nt!NtWaitLowEventPair
80efb4ec 811f33cb nt!NtWaitHighEventPair
...
...
...这个正式我们的SSDT表实际内容
ShadowSSDT表的内容:
kd> dds 8f712000 L000003d8
8f712000 8f6051a3 win32k!NtUserYieldTask
8f712004 8f668e22 win32k!NtGdiWidenPath
8f712008 8f6692bc win32k!NtGdiUpdateColors
8f71200c 8f66af6d win32k!NtGdiUnrealizeObject
8f712010 8f66ae25 win32k!NtGdiUnmapMemFont
8f712014 8f68a84c win32k!NtGdiUnloadPrinterDriver
8f712018 8f4561d7 win32k!NtGdiTransparentBlt
8f71201c 8f4ef8d6 win32k!NtGdiTransformPoints
8f712020 8f66ba58 win32k!NtGdiSwapBuffers
8f712024 8f668a89 win32k!NtGdiStrokePath
8f712028 8f668ba9 win32k!NtGdiStrokeAndFillPath
8f71202c 8f504c5d win32k!NtGdiStretchDIBitsInternal
8f712030 8f4bfb5b win32k!NtGdiStretchBlt
8f712034 8f431ee6 win32k!NtGdiStartPage
...
...
...注:强行加载某一PDB的代码是
.reload /i XXXX.exe