Windows kernel analysis index directory : https: //www.cnblogs.com/onetrainee/p/11675224.html
Windows API system call ring from 0 to 3 rings (lower)
If the API in part tricyclic do not understand, you can view the API tricyclic section of the Windows system call (function based on the analysis rewrite ReadProcessMemory
Part I: Windows system call API from 0 to 3 rings ring (on)
This article is divided into two, in which the preliminary papers to explain the outline, by focusing on next experiments to explore its internal implementation, in the final analysis two functions (quick access to system interrupts), interrupts directly implemented by the system call the kernel function .
A, INT 0x2E into the ring 0
.text: 77F070C0 // before the function is called mov eax, 0x115, passed to a function number EAX
.text: 77F070C0 LEA edx, [ESP + arg_4] // current pointer stored in edx parameter in
.text: 77F070C4 int 2Eh; // into the kernel interrupt gate in the form of
1) View 0x2eh in the GDT
In this section door protection mode, we learned that when an interrupt occurs, the operating system looks idt table, find the door interrupt descriptor table idt in accordance with the interrupt number, read from CS interrupt gate descriptor: EIP's information.
After, SS EIP GDT by searching a table stored in the respective TSS descriptor (a TSS each process, a core TSS, TSS storing various registers for task switching), to find the SS EIP kernel.
Figure: We have to find out the address by windbg gdt + 2e * 8
After the split 83e8ee00`00082fee understood SS splicing an interrupt gate descriptor properties: 08 / EIP: 83e82fee
2) View EIP: 83e82fee this function
kd> u 83e82fee
nt!KiSystemService:
83e82fee 6a00 push 0
83e82ff0 55 push ebp
83e82ff1 53 push ebx
83e82ff2 56 push esi
83e82ff3 57 push edi
83e82ff4 0fa0 push fs
83e82ff6 bb30000000 mov ebx,30h
83e82ffb 668ee3 mov fs,bx
The nt! KiSystemService function kernel function is true, it is not under ntdll.dll module, which is present in ntoskrnl.exe / ntkrnlpa.exe in (depending on different selection procedures paging mode)
Second, by systenter into the ring 0
MSR register memory into the core of the CS, the value of ESP, EIP register, SS = IA32_SYSENTER_CS + 8.
1) windbg checking the value of the register MSR
rdmsr 174 // View CS
rdmsr 175 // View ESP
rdmsr 176 // Check EIP
2) Check the function EIP
KD> U 83e830c0
NT KiFastCallEntry:!
83e830c0 b923000000 MOV ECX, 23 h
83e830c5 6a30 Push 30h
83e830c7 0fa1 POP FS
83e830c9 8ed9 MOV DS, CX
83e830cb 8ec1 MOV ES, CX
83e830cd 648b0d40000000 MOV ECX, DWORD PTR FS: [40H]
83e830d4 8b6104 MOV ESP , DWORD ptr [ECX + 4]
83e830d7 6a23 the Push 23h
which is calling nt! KiFastCallEntry this function, with nt! KiSystemService as this function is the real kernel function.
Third, to rewrite ReadProcessMemory function by interrupting (you can see this by implementing a quick call when the API tricyclic section of the Windows system call (based on the analysis rewrite ReadProcessMemory function) )
1 #include "pch.h" 2 #include <iostream> 3 #include <algorithm> 4 #include <Windows.h> 5 void ReadMemory(HANDLE hProcess, PVOID pAddr, PVOID pBuffer, DWORD dwSize, DWORD *dwSizeRet) 6 { 7 8 _asm 9 { 10 11 lea eax, [ebp + 0x14] 12 push eax 13 push[ebp + 0x14] 14 push[ebp + 0x10] 15 push[ebp + 0xc] 16 push[ebp + 8] 17 mov eax, 0x115 18 mov edx,esp 19 int 0x2e 20 add esp, 20 21 } 22 } 23 int main() 24 { 25 HANDLE hProcess = 0; 26 int t = 123; 27 DWORD pBuffer; 28 //hProcess = OpenProcess(PROCESS_ALL_ACCESS, 0,a); 29 ReadMemory((HANDLE)-1, (PVOID)&t, &pBuffer, sizeof(int), 0); 30 printf("%X\n", pBuffer); 31 ReadProcessMemory((HANDLE)-1, &t, &pBuffer, sizeof(int), 0); 32 printf("%X\n", pBuffer); 33 34 getchar(); 35 return 0; 36 }