使用Windbg查看系统SSDT表与ShadowSSDT表

x86操作系统

1. 查看当前系统是否已经载入win2k.sys的相关符号信息:

kd> lm
start    end        module name
80586000 8058f000   kdcom      (deferred)             
80e03000 81391000   nt         (pdb symbols)          d:\symbols\websymbo\ntkrpamp.pdb\E2342527EA214C109CD28A19ED4FBCCE2\ntkrpamp.pdb
81391000 813e6000   hal        (deferred)             
81c3b000 81c78000   spaceport   (deferred)             
81c78000 81c8b000   volmgr     (deferred)             
81c8b000 81cd9000   volmgrx    (deferred)             
81cd9000 81ce0000   intelide   (deferred)             
81ce0000 81cee000   PCIIDEX    (deferred)             
81cee000 81d04800   vmci       (deferred)             
81d05000 81d1a000   mountmgr   (deferred)             
81d1a000 81d33000   lsi_sas    (deferred)             
81d33000 81d80000   storport   (deferred)             
81d80000 81d89000   atapi      (deferred)             
81d89000 81db4000   ataport    (deferred)             
81db4000 81dc8000   EhStorClass   (deferred)             
81dc8000 81de6000   luafv      (deferred)             
81e00000 81e26000   cdrom      (deferred)             
81e35000 81e81000   fltmgr     (deferred)             
81e81000 81e92000   fileinfo   (deferred)             
81e92000 81ec5000   WdFilter   (deferred)             
81ec5000 81f97000   ndis       (deferred)             
81f97000 81ff0000   NETIO      (deferred)             
82000000 82014000   rspndr     (deferred)             
8201a000 821e9000   tcpip      (deferred)             
821e9000 821f4000   BasicRender   (deferred)             
82200000 82208000   Null       (deferred)             
82208000 8220f000   Beep       (deferred)             
82210000 82254000   fwpkclnt   (deferred)             
82254000 82261000   wfplwfs    (deferred)             
82261000 822ca000   fvevol     (deferred)             
822ca000 822da000   agp440     (deferred)             
822da000 82320000   volsnap    (deferred)             
82320000 8234f000   rdyboost   (deferred)             
8234f000 82360000   mup        (deferred)             
82360000 82367980   vmrawdsk   (deferred)             
8236b000 82383000   disk       (deferred)             
82383000 823ce000   CLASSPNP   (deferred)             
823ce000 823de000   crashdmp   (deferred)             
823de000 823e9000   monitor    (deferred)             
823e9000 823f9000   lltdio     (deferred)             
87a13000 87aa5000   mcupdate_GenuineIntel   (deferred)             
87aa5000 87ae8000   CLFS       (deferred)             
87ae8000 87b04000   tm         (deferred)             
87b04000 87b17000   PSHED      (deferred)             
87b17000 87b20000   BOOTVID    (deferred)             
87b20000 87b94000   CI         (deferred)             
87b94000 87bcc000   msrpc      (deferred)             
87bcc000 87bde000   pdc        (deferred)             
87bde000 87bf3000   partmgr    (deferred)             
87e00000 87e20000   tpm        (deferred)             
87e29000 87eaa000   Wdf01000   (deferred)             
87eaa000 87eb8000   WDFLDR     (deferred)             
87eb8000 87ec8000   acpiex     (deferred)             
87ec8000 87ed2000   WppRecorder   (deferred)             
87ed2000 87f2a000   ACPI       (deferred)             
87f2a000 87f33000   WMILIB     (deferred)             
87f33000 87f3b000   msisadrv   (deferred)             
87f3b000 87f6d000   pci        (deferred)             
87f6d000 87fe7000   cng        (deferred)             
87ff1000 87ffc000   vdrvroot   (deferred)             
88000000 8802a000   ksecpkg    (deferred)             
8803c000 881cf000   Ntfs       (deferred)             
881cf000 881e5000   ksecdd     (deferred)             
881e5000 881f3000   pcw        (deferred)             
881f3000 881fc000   Fs_Rec     (deferred)             
8be0a000 8bf3a000   dxgkrnl    (deferred)             
8bf3a000 8bf48000   watchdog   (deferred)             
8bf48000 8bf8b000   dxgmms1    (deferred)             
8bf8b000 8bf9a000   BasicDisplay   (deferred)             
8bf9a000 8bfa8000   Npfs       (deferred)             
8bfa8000 8bfb2000   Msfs       (deferred)             
8bfb2000 8bfcf000   tdx        (deferred)             
8bfcf000 8bfdc000   TDI        (deferred)             
8bfdc000 8bfe5000   ws2ifsl    (deferred)             
8bfe5000 8bff9000   dump_dumpfve   (deferred)             
8c800000 8c81a000   usbccgp    (deferred)             
8c81a000 8c824000   hidusb     (deferred)             
8c82a000 8c889000   USBPORT    (deferred)             
8c889000 8c8a6200   E1G60I32   (deferred)             
8c8a7000 8c8b9000   usbehci    (deferred)             
8c8b9000 8c8be000   CmBatt     (deferred)             
8c8be000 8c8c9000   BATTC      (deferred)             
8c8c9000 8c8e0000   intelppm   (deferred)             
8c8e0000 8c8f9000   raspptp    (deferred)             
8c8f9000 8c914000   ras    (deferred)             
8c914000 8c929000   raspppoe   (deferred)             
8c929000 8c92a300   swenum     (deferred)             
8c92b000 8c96a000   ks         (deferred)             
8c96a000 8c973000   rdpbus     (deferred)             
8c973000 8c984000   NDProxy    (deferred)             
8c984000 8c98e000   flpydisk   (deferred)             
8c98e000 8c9e2000   usbhub     (deferred)             
8c9e2000 8c9eb000   USBD       (deferred)             
8c9eb000 8c9ff000   HIDCLASS   (deferred)             
8ca00000 8ca06780   HIDPARSE   (deferred)             
8ca07000 8ca10000   mouhid     (deferred)             
8ca10000 8ca1b000   dump_diskdump   (deferred)             
8ca1b000 8ca34000   dump_LSI_SAS   (deferred)             
8ca3a000 8ca7e000   netbt      (deferred)             
8ca7e000 8caf1000   afd        (deferred)             
8caf1000 8cb16000   pacer      (deferred)             
8cb16000 8cb24000   netbios    (deferred)             
8cb24000 8cb45580   vmhgfs     (deferred)             
8cb46000 8cb9f000   rdbss      (deferred)             
8cb9f000 8cbbb000   vm3dmp     (deferred)             
8cbbb000 8cbff000   udfs       (deferred)             
8cc00000 8cc70000   csc        (deferred)             
8cc70000 8cc86000   wanarp     (deferred)             
8cc86000 8cc91000   nsiproxy   (deferred)             
8cc91000 8cc9c000   npsvctrig   (deferred)             
8cc9c000 8cca7000   mssmbios   (deferred)             
8cca7000 8ccb5000   discache   (deferred)             
8ccb5000 8ccd0000   dfsc       (deferred)             
8ccd0000 8ccdb000   usbuhci    (deferred)             
8ccde000 8cce9000   ndistapi   (deferred)             
8cce9000 8cd0f000   ndiswan    (deferred)             
8cd0f000 8cd26000   rassstp    (deferred)             
8cd26000 8cd38000   AgileVpn   (deferred)             
8cd38000 8cd5b000   tunnel     (deferred)             
8cd5b000 8cd68000   CompositeBus   (deferred)             
8cd68000 8cd72000   kdnic      (deferred)             
8cd72000 8cd80000   umbus      (deferred)             
8cd80000 8cd9b000   i8042prt   (deferred)             
8cd9b000 8cda8000   kbdclass   (deferred)             
8cda8000 8cda9280

发现当前系统并没有加载win32k.pdb这个符号。那么我们需要进行第二步操作;

2. 进入到一个GUI进程环境中,这个时候系统会自动加载win32k.sys:

首先我们枚举出当前系统所有进程,目标寻找explorer.exe

kd> !Process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS 845c0cc0  SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 00185000  ObjectTable: 87c03000  HandleCount: 
    Image: System

PROCESS 858a69c0  SessionId: none  Cid: 0200    Peb: 7f0db000  ParentCid: 0004
    DirBase: 3e0a7020  ObjectTable: 8b1cdec0  HandleCount: 
    Image: smss.exe

PROCESS 85ea4bc0  SessionId: 0  Cid: 0264    Peb: 7f55f000  ParentCid: 025c
    DirBase: 3e0a7060  ObjectTable: 8c436740  HandleCount: 
    Image: csrss.exe

PROCESS 84669cc0  SessionId: 1  Cid: 029c    Peb: 7f04a000  ParentCid: 0200
    DirBase: 3e0a7080  ObjectTable: 00000000  HandleCount:   0.
    Image: smss.exe

PROCESS 845b8040  SessionId: 0  Cid: 02a4    Peb: 7fcd8000  ParentCid: 025c
    DirBase: 3e0a70a0  ObjectTable: 8b1fec00  HandleCount: 
    Image: wininit.exe

PROCESS 84655cc0  SessionId: 1  Cid: 02ac    Peb: 7f0a4000  ParentCid: 029c
    DirBase: 3e0a7040  ObjectTable: 87cdde00  HandleCount: 
    Image: csrss.exe

PROCESS 84662cc0  SessionId: 1  Cid: 02cc    Peb: 7f2d9000  ParentCid: 029c
    DirBase: 3e0a70c0  ObjectTable: 87cc6a00  HandleCount: 
    Image: winlogon.exe

PROCESS 8463fcc0  SessionId: 0  Cid: 02f8    Peb: 7f42d000  ParentCid: 02a4
    DirBase: 3e0a70e0  ObjectTable: 91325f00  HandleCount: 
    Image: services.exe

PROCESS 845a0900  SessionId: 0  Cid: 0300    Peb: 7f885000  ParentCid: 02a4
    DirBase: 3e0a7100  ObjectTable: 91328a00  HandleCount: 
    Image: lsass.exe

PROCESS 857b0040  SessionId: 0  Cid: 0364    Peb: 7f08f000  ParentCid: 02f8
    DirBase: 3e0a7120  ObjectTable: 9be2f480  HandleCount: 
    Image: svchost.exe

PROCESS 8608e040  SessionId: 0  Cid: 0394    Peb: 7f43f000  ParentCid: 02f8
    DirBase: 3e0a7140  ObjectTable: 9be62640  HandleCount: 
    Image: svchost.exe

PROCESS 860b5cc0  SessionId: 1  Cid: 03dc    Peb: 7f353000  ParentCid: 02cc
    DirBase: 3e0a7160  ObjectTable: 00000000  HandleCount:   0.
    Image: LogonUI.exe

PROCESS 860f5cc0  SessionId: 1  Cid: 0428    Peb: 7f1bd000  ParentCid: 02cc
    DirBase: 3e0a7180  ObjectTable: 9bf3e840  HandleCount: 
    Image: dwm.exe

PROCESS 86163040  SessionId: 0  Cid: 0474    Peb: 7f145000  ParentCid: 02f8
    DirBase: 3e0a71a0  ObjectTable: 9cc01300  HandleCount: 
    Image: svchost.exe

PROCESS 86168200  SessionId: 0  Cid: 0490    Peb: 7fe6f000  ParentCid: 02f8
    DirBase: 3e0a71c0  ObjectTable: 9cc19880  HandleCount: 
    Image: svchost.exe

PROCESS 861819c0  SessionId: 0  Cid: 04c4    Peb: 7f6f7000  ParentCid: 02f8
    DirBase: 3e0a71e0  ObjectTable: 9cc696c0  HandleCount: 
    Image: svchost.exe

PROCESS 8618ca00  SessionId: 0  Cid: 04fc    Peb: 7f4af000  ParentCid: 02f8
    DirBase: 3e0a7200  ObjectTable: 9cc7cbc0  HandleCount: 
    Image: svchost.exe

PROCESS 85f3b6c0  SessionId: 0  Cid: 0560    Peb: 7f1ef000  ParentCid: 02f8
    DirBase: 3e0a7220  ObjectTable: 9ccb56c0  HandleCount: 
    Image: svchost.exe

PROCESS 85f96040  SessionId: 0  Cid: 05f4    Peb: 7f0b4000  ParentCid: 02f8
    DirBase: 3e0a7240  ObjectTable: 9cd30980  HandleCount: 
    Image: spoolsv.exe

PROCESS 861d4580  SessionId: 0  Cid: 0630    Peb: 7fedf000  ParentCid: 02f8
    DirBase: 3e0a7280  ObjectTable: 9cd4a280  HandleCount: 
    Image: svchost.exe

PROCESS 869b5040  SessionId: 0  Cid: 06f8    Peb: 7fc77000  ParentCid: 02f8
    DirBase: 3e0a72a0  ObjectTable: 9cdcc800  HandleCount: 
    Image: MsMpEng.exe

PROCESS 869e7040  SessionId: 0  Cid: 0730    Peb: 7f17b000  ParentCid: 02f8
    DirBase: 3e0a72c0  ObjectTable: 9f869940  HandleCount: 
    Image: vmtoolsd.exe

PROCESS 86b6a9c0  SessionId: 1  Cid: 08b0    Peb: 7feda000  ParentCid: 02f8
    DirBase: 3e0a7360  ObjectTable: 9cde4740  HandleCount: 
    Image: taskhostex.exe

PROCESS 86b84540  SessionId: 1  Cid: 0914    Peb: 7f7bc000  ParentCid: 08ec
    DirBase: 3e0a73e0  ObjectTable: 9e0d83c0  HandleCount: 
    Image: explorer.exe

PROCESS 8515f040  SessionId: 0  Cid: 09f0    Peb: 7fa7b000  ParentCid: 02f8
    DirBase: 3e0a7440  ObjectTable: 9e1c0a80  HandleCount: 
    Image: msdtc.exe

PROCESS 86b28cc0  SessionId: 0  Cid: 0a34    Peb: 7f6cd000  ParentCid: 02f8
    DirBase: 3e0a7460  ObjectTable: 9e645bc0  HandleCount: 
    Image: svchost.exe

PROCESS 86a804c0  SessionId: 1  Cid: 0b4c    Peb: 7f16f000  ParentCid: 0364
    DirBase: 3e0a7320  ObjectTable: 9e6bae80  HandleCount: 
    Image: LiveComm.exe

PROCESS 86c8fcc0  SessionId: 0  Cid: 0b6c    Peb: 7fc8b000  ParentCid: 02f8
    DirBase: 3e0a7480  ObjectTable: 9e6ce3c0  HandleCount: 
    Image: svchost.exe

PROCESS 86c31cc0  SessionId: 0  Cid: 0ce4    Peb: 7fcf3000  ParentCid: 04fc
    DirBase: 3e0a74e0  ObjectTable: 9e765b40  HandleCount: 
    Image: dasHost.exe

PROCESS 86c45040  SessionId: 1  Cid: 0d8c    Peb: 7f68d000  ParentCid: 0364
    DirBase: 3e0a7520  ObjectTable: 9e686a00  HandleCount: 
    Image: RuntimeBroker.exe

PROCESS 86b13540  SessionId: 1  Cid: 0e64    Peb: 7fb2c000  ParentCid: 0914
    DirBase: 3e0a7560  ObjectTable: a1666640  HandleCount: 
    Image: VMwareTray.exe

PROCESS 869eca40  SessionId: 1  Cid: 0ecc    Peb: 7fcbf000  ParentCid: 0914
    DirBase: 3e0a75a0  ObjectTable: a17c5f40  HandleCount: 
    Image: vmtoolsd.exe

PROCESS 85ea5040  SessionId: 0  Cid: 0ee4    Peb: 7f429000  ParentCid: 02f8
    DirBase: 3e0a75c0  ObjectTable: a16afb80  HandleCount: 
    Image: SearchIndexer.exe

PROCESS 84739740  SessionId: 0  Cid: 0b54    Peb: 7f4df000  ParentCid: 0364
    DirBase: 3e0a7640  ObjectTable: a3e86440  HandleCount: 
    Image: dllhost.exe

PROCESS 847b0cc0  SessionId: 0  Cid: 0e0c    Peb: 7f8cc000  ParentCid: 02f8
    DirBase: 3e0a7500  ObjectTable: a3fe4980  HandleCount: 
    Image: wmpnetwk.exe

PROCESS 8542a9c0  SessionId: 0  Cid: 02b4    Peb: 7f98f000  ParentCid: 0178
    DirBase: 3e0a7920  ObjectTable: a9d4f340  HandleCount: 
    Image: MpCmdRun.exe

PROCESS 85406740  SessionId: 0  Cid: 0198    Peb: 7faae000  ParentCid: 06f8
    DirBase: 3e0a7940  ObjectTable: a9ca8800  HandleCount: 
    Image: MpCmdRun.exe

PROCESS 84ed1cc0  SessionId: 0  Cid: 0bb8    Peb: 7fbfd000  ParentCid: 0198
    DirBase: 3e0a7900  ObjectTable: aa4d4580  HandleCount: 
    Image: conhost.exe

PROCESS 84d2e200  SessionId: 0  Cid: 0a8c    Peb: 7fe37000  ParentCid: 02f8
    DirBase: 3e0a740

我们找到explorer.exe的EPROCESS地址是86b84540,因此我们用命令进入explorer.exe的领空:

kd> .process 86b84540
Implicit process is now 86b84540
WARNING: .cache forcedecodeuser is not enabled

完成之后我们让Windbg重新载入符号:

kd> .reload
Connected to Windows 7 9200 x86 compatible target at (Thu Jan 16 14:55:08.096 2014 (UTC + 8:00)), ptr64 FALSE
Loading Kernel Symbols
...............................................................
................................................................
......................
Loading User Symbols
................................................................
...

Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long.
Run !sym noisy before .reload to track down problems loading symbols.

.............................................................
................................................................
.......
Loading unloaded module list
............................

这个时候win32k.pdb已经被加载到windbg空间中了,那我们就可以通过符号来查询我们的SSDT与Shadow SSDT的列表了。

这个时候我们要做的第一步是找到系统导出的KeServiceDescriptorTable地址:

kd> dd nt!KeServiceDescriptorTable
81017400  80efb4d0 00000000 000001ad 80efbb88
81017410  00000000 00000000 00000000 00000000
81017420  80e8e42a 87f7f0b0 ffd5826a ffffffff
81017430  06060001 00010001 00000001 00000000
81017440  00000000 00000000 00000014 00000001
81017450  00000014 00000003 00000004 00000001
81017460  00000000 00000000 00000000 7ffeffff
81017470  80000000 83000000 87951000 0003ff7d

这个时候我们看到:
81017400这个地址就是我们要查看的nt! KeServiceDescriptorTable的首地址。
我们这里介绍一下另外一个数据结构:

typedef struct _KSYSTEM_SERVICE_TABLE
{
        PULONG  ServiceTableBase;                        // SSDT (System Service Dispatch Table)的基地址
        PULONG  ServiceCounterTableBase;        // 包含 SSDT 中每个服务被调用的次数
        ULONG   NumberOfService;                        // 服务函数的个数, NumberOfService * 4 就是整个地址表的大小
        ULONG   ParamTableBase;                                // SSPT(System Service Parameter Table)的基地址

} KSYSTEM_SERVICE_TABLE, *PKSYSTEM_SERVICE_TABLE;

typedef struct _KSERVICE_TABLE_DESCRIPTOR
{
        KSYSTEM_SERVICE_TABLE   ntoskrnl;        // ntoskrnl.exe 的服务函数(SSDT)
        KSYSTEM_SERVICE_TABLE   win32k;                // win32k.sys 的服务函数(GDI32.dll/User32.dll 的内核支持,Shadow SSDT)
        KSYSTEM_SERVICE_TABLE   notUsed1;
        KSYSTEM_SERVICE_TABLE   notUsed2;

} KSERVICE_TABLE_DESCRIPTOR, *PKSERVICE_TABLE_DESCRIPTOR;

其中  81017400 这个地址指向了  KSERVICE_TABLE_DESCRIPTOR 结构体的首地址,即  KSYSTEM_SERVICE_TABLE ntoskrnl;
ntoskrnl这个变量里面存放的就是我们的SSDT表。
而win32k原本应该是存放Shadow SSDT表的,但是我们看内存区域  81017410 这个里面的内存是0,即里面没有内容。因为Windows将完整的 KSERVICE_TABLE_DESCRIPTOR  数据存在了另外一个地方。我们需要使用另外一个命令来查看:

kd> dd nt!KeServiceDescriptorTableShadow
810173c0  80efb4d0 00000000 000001ad 80efbb88
810173d0  8f712000 00000000 000003d8 8f713340
810173e0  80ee1ea3 00026161 00001388 00000000
810173f0  00200000 00000040 a0ef3fff 00000009
81017400  80efb4d0 00000000 000001ad 80efbb88
81017410  00000000 00000000 00000000 00000000
81017420  80e8e42a 87f7f0b0 ffd5826a ffffffff
81017430  06060001 00010001 00000001 00000000

我们在这次的结果里面看到第五行的地址很眼熟,是81017400。这是一个惊人的发现!
因为我们在查看nt!KeServiceDescriptorTable的时候返回的首地址就是它!
那么,我们再来看看这次返回的首地址:810173c0,看看它的内容是什么——80efb4d0 00000000 000001ad 80efbb88。我们发现,它的内容与81017400地址中的内容惊人的一致。那么来说,nt!KeServiceDescriptorTableShadow就是nt!KeService DescriptorTable的副本,但是有一点不同就是KeServiceDescriptorTableShadow的win32k子项里面是有数据的!说明这个里面存放的就是我们寻找的ShadowSSDT表。

OK,下面我们就来查看SSDT表的内容:

kd> dds 80efb4d0 L000001ad 
80efb4d0  80ed5901 nt!NtWorkerFactoryWorkerReady
80efb4d4  80e741e2 nt!NtYieldExecution
80efb4d8  81126540 nt!NtWriteVirtualMemory
80efb4dc  811ae0af nt!NtWriteRequestData
80efb4e0  81163478 nt!NtWriteFileGather
80efb4e4  8105548f nt!NtWriteFile
80efb4e8  811f3434 nt!NtWaitLowEventPair
80efb4ec  811f33cb nt!NtWaitHighEventPair
...
...
...

这个正式我们的SSDT表实际内容


ShadowSSDT表的内容:

kd> dds 8f712000 L000003d8 
8f712000  8f6051a3 win32k!NtUserYieldTask
8f712004  8f668e22 win32k!NtGdiWidenPath
8f712008  8f6692bc win32k!NtGdiUpdateColors
8f71200c  8f66af6d win32k!NtGdiUnrealizeObject
8f712010  8f66ae25 win32k!NtGdiUnmapMemFont
8f712014  8f68a84c win32k!NtGdiUnloadPrinterDriver
8f712018  8f4561d7 win32k!NtGdiTransparentBlt
8f71201c  8f4ef8d6 win32k!NtGdiTransformPoints
8f712020  8f66ba58 win32k!NtGdiSwapBuffers
8f712024  8f668a89 win32k!NtGdiStrokePath
8f712028  8f668ba9 win32k!NtGdiStrokeAndFillPath
8f71202c  8f504c5d win32k!NtGdiStretchDIBitsInternal
8f712030  8f4bfb5b win32k!NtGdiStretchBlt
8f712034  8f431ee6 win32k!NtGdiStartPage
...
...
...

注:强行加载某一PDB的代码是

.reload /i XXXX.exe







你可能感兴趣的:(软件调试)