Windows kernel analysis index directory: https://www.cnblogs.com/onetrainee/p/11675224.html
A first look at the VEH chain (exploring user-mode exception dispatch further)
The VEH chain is a very important mechanism in the exception handling process.
In the earlier analysis we saw that, after an exception has left the kernel and returned to ring 3 (user mode), the KiUserExceptionDispatcher function in ntdll is called to attempt to handle it.
The main purpose of that function is to search the VEH chain for a handler for the exception; if none is found, the exception is thrown back to ring 0.
I. Installing a VEH handler with C code
The code below installs a VEH handler. VEH is a process-wide, global exception handler chain.
VEH only covers a single process; it sits after the kernel's global SEH processing.
```cpp
// veh.cpp : This file contains the "main" function. Program execution will begin and end here.
//
#include "pch.h"      // Visual Studio precompiled header
#include <iostream>
#include <Windows.h>

LONG NTAPI MyVeH(struct _EXCEPTION_POINTERS *ExceptionInfo) {
    //
    // Detect and handle the error c0000094 (STATUS_INTEGER_DIVIDE_BY_ZERO)
    //
    if (ExceptionInfo->ExceptionRecord->ExceptionCode == 0xC0000094) {
        MessageBoxA(NULL, NULL, NULL, NULL);

        //
        // Method one: the division instruction is two bytes, so EIP + 2 skips it
        //
        // ExceptionInfo->ContextRecord->Eip += 2;

        //
        // Method two: modify the ECX register (the original register value is 0),
        // then resume at the faulting instruction so the division succeeds
        //
        ExceptionInfo->ContextRecord->Ecx = 1;
        return EXCEPTION_CONTINUE_EXECUTION;
    }
    return EXCEPTION_CONTINUE_SEARCH;
}

int main()
{
    //
    // Hang our VEH handler at the head of the chain (First = TRUE)
    //
    AddVectoredExceptionHandler(TRUE, MyVeH);

    //
    // Inline assembly (MSVC, x86) that raises c0000094: integer divide by zero
    //
    _asm {
        mov eax, 1
        mov ecx, 0
        idiv ecx
    }
    getchar();
    std::cout << "Hello World!\n";
}
```
II. AddVectoredExceptionHandler (ntdll.dll): reading the disassembly
Note that before the MyVeH function pointer is hung on the chain it is encrypted, specifically with an XOR whose key is computed from the current system time.
1. Flowchart
2. Reading the disassembled code
```
.text:7C9625F9 ; START OF FUNCTION CHUNK FOR _RtlCallVectoredExceptionHandlers@8
.text:7C9625F9
.text:7C9625F9 loc_7C9625F9:                           ; CODE XREF: RtlCallVectoredExceptionHandlers(x,x)+13↑j
.text:7C9625F9                 mov     eax, [ebp+arg_0]
.text:7C9625FC                 push    ebx
.text:7C9625FD                 push    esi
.text:7C9625FE                 mov     [ebp+var_8], eax
.text:7C962601                 mov     eax, [ebp+arg_4]
.text:7C962604                 mov     ebx, offset _RtlpCalloutEntryLock
.text:7C962609                 push    ebx
.text:7C96260A                 mov     [ebp+var_4], eax
.text:7C96260D                 call    _RtlEnterCriticalSection@4 ; RtlEnterCriticalSection(x)
.text:7C962612                 mov     esi, _RtlpCalloutEntryList
.text:7C962618                 jmp     short loc_7C96262F
.text:7C96261A ; ---------------------------------------------------------------------------
.text:7C96261A
.text:7C96261A loc_7C96261A:                           ; CODE XREF: RtlCallVectoredExceptionHandlers(x,x)+17D1D↓j
.text:7C96261A                 push    dword ptr [esi+8]
.text:7C96261D                 call    _RtlDecodePointer@4 ; RtlDecodePointer(x)
.text:7C962622                 lea     ecx, [ebp+var_8]
.text:7C962625                 push    ecx
.text:7C962626                 call    eax
.text:7C962628                 cmp     eax, 0FFFFFFFFh
.text:7C96262B                 jz      short loc_7C962647
.text:7C96262D                 mov     esi, [esi]
.text:7C96262F
.text:7C96262F loc_7C96262F:                           ; CODE XREF: RtlCallVectoredExceptionHandlers(x,x)+17D04↑j
.text:7C96262F                 cmp     esi, edi
.text:7C962631                 jnz     short loc_7C96261A
.text:7C962633                 mov     byte ptr [ebp+arg_0+3], 0
.text:7C962637
.text:7C962637 loc_7C962637:                           ; CODE XREF: RtlCallVectoredExceptionHandlers(x,x)+17D37↓j
.text:7C962637                 push    ebx
.text:7C962638                 call    _RtlLeaveCriticalSection@4 ; RtlLeaveCriticalSection(x)
.text:7C96263D                 mov     al, byte ptr [ebp+arg_0+3]
.text:7C962640                 pop     esi
.text:7C962641                 pop     ebx
.text:7C962642                 jmp     loc_7C94A92F
.text:7C962647 ; ---------------------------------------------------------------------------
.text:7C962647
.text:7C962647 loc_7C962647:                           ; CODE XREF: RtlCallVectoredExceptionHandlers(x,x)+17D17↑j
.text:7C962647                 mov     byte ptr [ebp+arg_0+3], 1
.text:7C96264B                 jmp     short loc_7C962637
.text:7C96264B ; END OF FUNCTION CHUNK FOR _RtlCallVectoredExceptionHandlers@8
.text:7C96264D ; ---------------------------------------------------------------------------
.text:7C96264D ; START OF FUNCTION CHUNK FOR _RtlAddVectoredExceptionHandler@8
.text:7C96264D
.text:7C96264D loc_7C96264D:                           ; CODE XREF: RtlAddVectoredExceptionHandler(x,x)+3C↑j
.text:7C96264D                 mov     eax, _RtlpCalloutEntryListBlink ; hang at the tail of the VEH chain
.text:7C962652                 mov     [esi+_VECTORED_EXCEPTION_NODE.ListEntry.Flink], offset _RtlpCalloutEntryList
.text:7C962658                 mov     [esi+_VECTORED_EXCEPTION_NODE.ListEntry.Blink], eax
.text:7C96265B                 mov     [eax], esi
.text:7C96265D                 mov     _RtlpCalloutEntryListBlink, esi
.text:7C962663                 jmp     loc_7C956C53
.text:7C962663 ; END OF FUNCTION CHUNK FOR _RtlAddVectoredExceptionHandler@8
.text:7C962668 ; ---------------------------------------------------------------------------
.text:7C962668 ; START OF FUNCTION CHUNK FOR _RtlRemoveVectoredExceptionHandler@4
.text:7C962668
.text:7C962668 loc_7C962668:                           ; CODE XREF: RtlRemoveVectoredExceptionHandler(x)+29↑j
.text:7C962668                 mov     eax, [eax]
.text:7C96266A                 jmp     loc_7C956C85
```
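As an added example (not code from the original post and not ntdll's own code), the following C model reproduces the logic that sections I and II describe: handler pointers are stored in encoded (XOR) form in a circular doubly linked list with a sentinel head, the First flag of AddVectoredExceptionHandler selects head or tail insertion, and the dispatch loop decodes and calls each handler in order until one returns EXCEPTION_CONTINUE_EXECUTION (-1), exactly as the `cmp eax, 0FFFFFFFFh` check above does. The cookie value, the Ctx structure and the handler are constructed for the example.

```c
#include <stdint.h>
#include <stdlib.h>

/* Constructed model of the ntdll VEH list walked in the disassembly above:
 * a circular doubly linked list with a sentinel (_RtlpCalloutEntryList),
 * each node holding a handler pointer stored in encoded (XOR) form. */
#define EXCEPTION_CONTINUE_EXECUTION (-1)
#define EXCEPTION_CONTINUE_SEARCH 0

typedef struct Ctx { unsigned long code; long ecx; } Ctx;   /* stand-in for EXCEPTION_POINTERS */
typedef long (*VehHandler)(Ctx *);

typedef struct Node {
    struct Node *flink, *blink;   /* ListEntry at offset 0 */
    uintptr_t encoded_handler;    /* the [esi+8] field in the listing */
} Node;

static Node g_list = { &g_list, &g_list, 0 };          /* sentinel head */
static const uintptr_t g_cookie = 0x5A17C0DEu;         /* constructed per-process cookie */

static uintptr_t encode_ptr(VehHandler h) { return (uintptr_t)h ^ g_cookie; }
static VehHandler decode_ptr(uintptr_t e) { return (VehHandler)(e ^ g_cookie); }

/* Like AddVectoredExceptionHandler: first != 0 inserts at the head, otherwise at the tail. */
Node *veh_add(int first, VehHandler h) {
    Node *n = malloc(sizeof *n);
    n->encoded_handler = encode_ptr(h);
    if (first) { n->flink = g_list.flink; n->blink = &g_list; }
    else       { n->flink = &g_list;      n->blink = g_list.blink; }
    n->flink->blink = n; n->blink->flink = n;
    return n;
}

/* Like RtlRemoveVectoredExceptionHandler: unlink and free the node. */
void veh_remove(Node *n) { n->blink->flink = n->flink; n->flink->blink = n->blink; free(n); }

/* Like RtlCallVectoredExceptionHandlers: walk from the head until we are back at the
 * sentinel; decode each handler before calling it; stop (return 1) on -1. */
int veh_dispatch(Ctx *ctx) {
    for (Node *n = g_list.flink; n != &g_list; n = n->flink)
        if (decode_ptr(n->encoded_handler)(ctx) == EXCEPTION_CONTINUE_EXECUTION) return 1;
    return 0;   /* no handler took it: the search continues (SEH / ring 0) */
}

/* Constructed handler modelled on MyVeH: fix up ECX for an integer divide by zero. */
long fix_divide_by_zero(Ctx *ctx) {
    if (ctx->code != 0xC0000094UL) return EXCEPTION_CONTINUE_SEARCH;
    ctx->ecx = 1;
    return EXCEPTION_CONTINUE_EXECUTION;
}
```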
III. User-mode exception dispatch
Earlier, when analyzing user-mode exception dispatch, we reached the KiUserExceptionDispatcher (ntdll.dll) function; now we analyze that function.
1. Flowchart
2. The disassembled code is rather long, so it is not reproduced here.
IV. The Safe VEH mechanism (analysis of the IsValidHandler function)
To be continued...