Analysis of the Ring3 to Ring0 process of FindNextFileW

Microsoft's documentation places FindNextFileW in kernel32.dll, but during actual debugging it is found in KernelBase.dll, so the official documentation cannot be taken at face value here. Opening it in IDA with the PDB symbols loaded shows a call to the _SEH_prolog4 function, so that topic is covered first.

The SEH _SEH_prolog4 and _SEH_epilog4 functions

The figure shows the stack and register state at the moment the breakpoint on FindNextFileW is hit.
The stack frame of this function is laid out a little differently. Four values are pushed first: the stack size, the scope table entry, _except_handler4 and FS:[0] (the current exception list pointer). The function then allocates its stack frame and, among other operations, overwrites the slot holding the stack size with the original function's ebp. The exact implementation details are not pursued further here.
The scope table entry slot is overwritten with -2, which is the 0xFFFFFFFE seen in the figure.
In the figure, the purple bar marks ebp after __SEH_prolog4 has executed. Below the purple bar is the stack as it was before __SEH_prolog4 was called, and parameters are still accessed by the usual stack-frame rules. The slots above the purple bar record the special SEH fields; see the links in the references for their meaning. The pointer to the next SEH record is the old fs:[0].

This function gets a brief analysis here because it is frequently compiled into module functions to protect the stack, much like the application-layer GS mechanism. The main goal is code recognition: being able to identify __SEH_prolog4 when it appears.

The epilog4 function, naturally, verifies that the encrypted cookie can be restored correctly.

For a deeper treatment, see the link on prolog4 and epilog4 in SEH in the references.

The core of FindNextFileW

In this picture, the assembly code in the red box can be read as one unit: it checks whether the hFindFile handle value is 1 or -1. The overall analysis is annotated in more detail in the figure. One thing I do not understand here: edi holds hFindFile, which is essentially a void*, a four-byte pointer into the process heap. So why is there a lea eax,[edi+0x1C]? Can we conclude that edi+0x1C is the parameter passed to RtlEnterCriticalSection? Perhaps the surrounding context simply has not been analysed yet, or perhaps FindFirstFileW has already set something up at hFindFile+0x1C...
The memory at EDI at that point...
The base address of the process heap is then read from the PEB structure and passed as a parameter to RtlAllocateHeap, which performs the heap allocation.
Finally, seeing data written to edi+0x8, edi+0xC and edi+0x10, I realised that these are only scratch storage areas rather than a documented structure. Since FindNextFileW is called repeatedly, this data serves as state for the subsequent calls.
Then the NtQueryDirectoryFile function is called.
ntdll's NtQueryDirectoryFile is called to enumerate the file information; from here the path leads down into the Windows kernel. Hehe.
After that, the data the kernel returned into the process heap is copied field by field into the corresponding locations of the FindFileData structure. That done, the function cleans up and returns.

Conclusion

When a directory is traversed, the first call to FindNextFileW allocates space in the process heap and calls NtQueryDirectoryFile to fetch the FindFileData for all matching files in the directory at once. On the subsequent calls in the loop, because the flag has already been set in the heap, FindNextFileW only copies the FindFileData for the next entry from the process heap into the caller's memory on the main thread's stack.
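To make the two-phase behaviour concrete, here is an added C model (not code from the original post or from kernelbase.dll) of the per-call copy step: a buffer in the NtQueryDirectoryFile record format is built once, and each find_next call copies one record out and advances a cursor kept between calls, refusing to follow a NextEntryOffset or FileNameLength that leaves the buffer. The record layout, the cursor struct, the global last_size and all function names are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Model of one FILE_DIRECTORY_INFORMATION record as NtQueryDirectoryFile lays it out
 * (documented field order; timestamps collapsed). Assumed here, not recovered from kernelbase.dll. */
typedef struct {
    uint32_t NextEntryOffset, FileIndex;     /* NextEntryOffset == 0 marks the last record */
    uint64_t Times[4], EndOfFile, AllocationSize;
    uint32_t FileAttributes, FileNameLength; /* FileNameLength counts bytes of UTF-16 */
    uint16_t FileName[];
} DirEntry;
#define HDR offsetof(DirEntry, FileName)
/* Cursor kept between calls, like the fields the analysis sees at hFindFile+0x8/+0xC/+0x10. */
typedef struct { const uint8_t *buf; size_t len, pos; int done; } FindState;
uint64_t last_size;                          /* EndOfFile of the most recent record returned */
/* One FindNextFile step: copy the current record out, then advance the cursor.
 * Returns 1 with a record, 0 once the buffer is exhausted or found malformed. */
int find_next(FindState *st, char *name, size_t cap) {
    if (st->done || st->pos + HDR > st->len) return 0;
    const DirEntry *e = (const DirEntry *)(st->buf + st->pos);
    if (st->pos + HDR + e->FileNameLength > st->len) { st->done = 1; return 0; } /* name runs off the end */
    size_t n = e->FileNameLength / 2;
    if (n >= cap) n = cap - 1;                                   /* never overrun the caller's buffer */
    for (size_t i = 0; i < n; i++) name[i] = (char)e->FileName[i]; /* ASCII names only in this model */
    name[n] = '\0', last_size = e->EndOfFile;
    /* Follow NextEntryOffset only if it moves forward and stays inside the buffer. */
    if (e->NextEntryOffset < HDR || st->pos + e->NextEntryOffset > st->len) st->done = 1;
    else st->pos += e->NextEntryOffset;
    return 1;
}
/* Constructed-buffer builder: appends one record, 8-byte aligned like the real ones. */
size_t put_entry(uint8_t *buf, size_t pos, const char *name, uint64_t size, int last) {
    DirEntry *e = (DirEntry *)(buf + pos);
    size_t n = strlen(name), total = (HDR + n * 2 + 7) & ~(size_t)7;
    memset(e, 0, HDR);
    e->FileNameLength = (uint32_t)(n * 2), e->EndOfFile = size;
    for (size_t i = 0; i < n; i++) e->FileName[i] = (uint16_t)name[i];
    e->NextEntryOffset = last ? 0 : (uint32_t)total;
    return pos + total;
}
/* Fill a heap-like block with three constructed records and drain it as a FindFirst/FindNext
 * loop would. A nonzero truncate_to cuts the buffer short so the bounds checks are exercised. */
int enumerate(size_t truncate_to) {
    static uint64_t words[64];                   /* 8-byte aligned stand-in for the heap block */
    const char *names[] = { ".", "notes.txt", "image.bin" };
    size_t len = 0;
    for (int i = 0; i < 3; i++) len = put_entry((uint8_t *)words, len, names[i], 1000u * i, i == 2);
    FindState st = { (const uint8_t *)words, truncate_to ? truncate_to : len, 0, 0 };
    char name[64]; int count = 0;
    while (find_next(&st, name, sizeof name)) count++;
    return count;
}
```

With the full 248-byte buffer all three records come back; cutting it to 200 or 150 bytes stops the walk at the first record whose header or name would extend past the end, which is the check worth having whenever a NextEntryOffset chain is consumed.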

References

Prolog4 and epilog in SEH
https://www.it610.com/article/4637171.htm

Trap_Frame, KPCR, EPROCESS, ETHREAD, PEB structure
https://www.cnblogs.com/wf751620780/p/10588949.html#autoid-5-0-0

About FS register and analysis environment
https://bbs.pediy.com/thread-226524.htm


Source: blog.csdn.net/qq_43312649/article/details/109487154