Winsock实现-AFD驱动分析(一)
0x00前言
socket 机制在 windows 系统中的实现分为用户空间和内核空间两部分:用户空间是 ws2_32.lib 这个 dll 库,内核空间是 afd.sys 这个驱动
这里我们就来分析afd.sys驱动
分析对象为 Windows 11 的 afd.sys 驱动文件
0x01DriverEntry分析
DriverEntry 函数是驱动程序的初始化函数。
先是创建名字为 \Device\Afd 的设备对象
然后注册 IRP 分发函数(填充 MajorFunction 表)
用 WinDbg 查看的结果如下:
Dispatch routines:
[00] IRP_MJ_CREATE                   fffff80339791b80 afd!AfdDispatch
[01] IRP_MJ_CREATE_NAMED_PIPE        fffff80339791b80 afd!AfdDispatch
[02] IRP_MJ_CLOSE                    fffff80339791b80 afd!AfdDispatch
[03] IRP_MJ_READ                     fffff80339791b80 afd!AfdDispatch
[04] IRP_MJ_WRITE                    fffff80339791b80 afd!AfdDispatch
[05] IRP_MJ_QUERY_INFORMATION        fffff80339791b80 afd!AfdDispatch
[06] IRP_MJ_SET_INFORMATION          fffff80339791b80 afd!AfdDispatch
[07] IRP_MJ_QUERY_EA                 fffff80339791b80 afd!AfdDispatch
[08] IRP_MJ_SET_EA                   fffff80339791b80 afd!AfdDispatch
[09] IRP_MJ_FLUSH_BUFFERS            fffff80339791b80 afd!AfdDispatch
[0a] IRP_MJ_QUERY_VOLUME_INFORMATION fffff80339791b80 afd!AfdDispatch
[0b] IRP_MJ_SET_VOLUME_INFORMATION   fffff80339791b80 afd!AfdDispatch
[0c] IRP_MJ_DIRECTORY_CONTROL        fffff80339791b80 afd!AfdDispatch
[0d] IRP_MJ_FILE_SYSTEM_CONTROL      fffff80339791b80 afd!AfdDispatch
[0e] IRP_MJ_DEVICE_CONTROL           fffff80339799180 afd!AfdDispatchDeviceControl
[0f] IRP_MJ_INTERNAL_DEVICE_CONTROL  fffff80339744be0 afd!AfdWskDispatchInternalDeviceControl
[10] IRP_MJ_SHUTDOWN                 fffff80339791b80 afd!AfdDispatch
[11] IRP_MJ_LOCK_CONTROL             fffff80339791b80 afd!AfdDispatch
[12] IRP_MJ_CLEANUP                  fffff80339791b80 afd!AfdDispatch
[13] IRP_MJ_CREATE_MAILSLOT          fffff80339791b80 afd!AfdDispatch
[14] IRP_MJ_QUERY_SECURITY           fffff80339791b80 afd!AfdDispatch
[15] IRP_MJ_SET_SECURITY             fffff80339791b80 afd!AfdDispatch
[16] IRP_MJ_POWER                    fffff80339791b80 afd!AfdDispatch
[17] IRP_MJ_SYSTEM_CONTROL           fffff80339788c70 afd!AfdEtwDispatch
[18] IRP_MJ_DEVICE_CHANGE            fffff80339791b80 afd!AfdDispatch
[19] IRP_MJ_QUERY_QUOTA              fffff80339791b80 afd!AfdDispatch
[1a] IRP_MJ_SET_QUOTA                fffff80339791b80 afd!AfdDispatch
[1b] IRP_MJ_PNP                      fffff80339791b80 afd!AfdDispatch
Fast I/O routines:
FastIoRead                           fffff8033977f000 afd!AfdFastIoRead
FastIoWrite                          fffff8033977f110 afd!AfdFastIoWrite
FastIoUnlockAll                      fffff803397860f0 afd!AfdSanFastUnlockAll
FastIoDeviceControl                  fffff80339773080 afd!AfdFastIoDeviceControl
完整逆向代码如下(反编译伪代码,其中的局部变量名由反编译器生成,例如 SecurityDescriptor 实际上保存的是 NTSTATUS 返回值):
/*
 * DriverEntry - afd.sys initialization (decompiler output, Windows 11 build).
 *
 * Creates \Device\Afd, allocates the global data / lookaside pools, installs the
 * IRP dispatch table and starts the TL client, POD, WSK provider and PCW modules.
 * Every failure jumps to LABEL_6, which tears down whatever was set up so far and
 * returns the failure status.
 *
 * Decompiler naming caveats (visible from the assignments below):
 *   - `SecurityDescriptor` is NOT a security descriptor: it holds the NTSTATUS that
 *     is returned from every path.
 *   - `v3` caches the AfdEtwInitLog() status; it starts as -1073741823 (0xC0000001,
 *     STATUS_UNSUCCESSFUL) so AfdEtwUnRegisterLog() is skipped on early failures.
 *   - `v8..v29` and `DeviceObject*` are passed to Pnl/PplCreateLookasideList without
 *     ever being assigned; they look like artifacts of uninitialized r8d/r9d and a
 *     reused stack slot rather than real arguments - confirm against disassembly.
 *   - `WPP_MAIN_CB` is typed as a DEVICE_OBJECT by the decompiler; the field names
 *     used on it (Queue.ListEntry.Blink as a spin lock, DeviceType as a flag word)
 *     are presumably mis-typed WPP control-block members.
 *
 * Return: 0 (STATUS_SUCCESS) on success, otherwise the failing NTSTATUS;
 *         -1073741670 is 0xC000009A (STATUS_INSUFFICIENT_RESOURCES), used for every
 *         allocation failure via LABEL_44.
 */
NTSTATUS __stdcall DriverEntry(_DRIVER_OBJECT *DriverObject, PUNICODE_STRING RegistryPath)
{
  int v3; // esi  -- cached AfdEtwInitLog() status
  int SecurityDescriptor; // edi  -- the NTSTATUS return value (misnamed)
  REGHANDLE v5; // rcx
  struct _ERESOURCE *PoolWithTagPriority; // rax
  int v8; // r8d
  int v9; // r9d
  int v10; // r8d
  int v11; // r9d
  int v12; // r8d
  int v13; // r9d
  int v14; // r8d
  int v15; // r9d
  int v16; // r8d
  int v17; // r9d
  int v18; // r8d
  int v19; // r9d
  int v20; // r8d
  int v21; // r9d
  int v22; // r8d
  int v23; // r9d
  int v24; // r8d
  int v25; // r9d
  int v26; // r8d
  int v27; // r9d
  int v28; // r8d
  int v29; // r9d
  int inited; // eax
  KIRQL v31; // bp
  int DeviceObjectj; // [rsp+30h] [rbp-48h]
  int DeviceObject; // [rsp+30h] [rbp-48h]
  int DeviceObjecta; // [rsp+30h] [rbp-48h]
  int DeviceObjectb; // [rsp+30h] [rbp-48h]
  int DeviceObjectc; // [rsp+30h] [rbp-48h]
  int DeviceObjectd; // [rsp+30h] [rbp-48h]
  int DeviceObjecte; // [rsp+30h] [rbp-48h]
  int DeviceObjectf; // [rsp+30h] [rbp-48h]
  int DeviceObjectg; // [rsp+30h] [rbp-48h]
  int DeviceObjecth; // [rsp+30h] [rbp-48h]
  int DeviceObjecti; // [rsp+30h] [rbp-48h]
  struct _UNICODE_STRING DestinationString; // [rsp+40h] [rbp-38h] BYREF
  ULONG VerifierFlags; // [rsp+90h] [rbp+18h] BYREF

  DestinationString = 0i64;
  VerifierFlags = 0;
  v3 = -1073741823; // STATUS_UNSUCCESSFUL until AfdEtwInitLog() has run
  wil_InitializeFeatureStaging(DriverObject, RegistryPath);
  TraceLoggingRegisterEx_EtwRegister_EtwSetInformation();
  // WPP tracing control block setup (fields are decompiler-typed, see header)
  *(_QWORD *)&WPP_MAIN_CB.Type = 0i64;
  WPP_MAIN_CB.Queue.ListEntry.Flink = 0i64;
  WPP_MAIN_CB.NextDevice = 0i64;
  WPP_MAIN_CB.DriverObject = (struct _DRIVER_OBJECT *)&WPP_ThisDir_CTLGUID_AfdWppGuid;
  *(_OWORD *)&WPP_MAIN_CB.DeviceExtension = 0i64;
  WPP_MAIN_CB.CurrentIrp = 0i64;
  WPP_MAIN_CB.Timer = (PIO_TIMER)1;
  WppLoadTracingSupport();
  WPP_MAIN_CB.CurrentIrp = 0i64;
  WppInitKm();
  // Relative timeout in 100ns units: 300 s. Quadrupled when Driver Verifier is
  // enabled so that verifier-slowed close paths are not flagged as hung.
  AfdHungCloseRequestTimeout.QuadPart = -3000000000i64;
  if ( MmIsVerifierEnabled(&VerifierFlags) >= 0 )
    AfdHungCloseRequestTimeout.QuadPart *= 4i64;
  NetioSetTriageBlock(2i64, &AfdGlobalTriageBlock);
  KeInitializeSpinLock((PKSPIN_LOCK)&WPP_MAIN_CB.Queue.ListEntry.Blink);
  // Device object: DeviceType 0x11, Characteristics 0x20000. Note that the value
  // 0x100 (FILE_DEVICE_SECURE_OPEN) is not part of 0x20000; access control on the
  // device is therefore set up elsewhere (AfdCreateSecurityDescriptor below) -
  // verify the meaning of 0x20000 against the WDK headers for this build.
  RtlInitUnicodeString(&DestinationString, L"\\Device\\Afd");
  SecurityDescriptor = IoCreateDevice(DriverObject, 0, &DestinationString, 0x11u, 0x20000u, 0, &AfdDeviceObject);
  if ( SecurityDescriptor < 0 )
  {
    if ( (WPP_MAIN_CB.DeviceType & 0x80000) != 0 )
      WPP_SF_d(10i64, &WPP_6fe5a0215e293b8ae6b1bfab0b1011f1_Traceguids);
    goto LABEL_6;
  }
  SecurityDescriptor = NetioNrtStart(DriverObject);
  if ( SecurityDescriptor >= 0 )
  {
    AfdWorkQueueItem = IoAllocateWorkItem(AfdDeviceObject);
    if ( !AfdWorkQueueItem )
    {
      if ( ((__int64)WPP_MAIN_CB.Queue.ListEntry.Flink & 0x80000) != 0 )
        WPP_SF_(11i64, &WPP_6fe5a0215e293b8ae6b1bfab0b1011f1_Traceguids);
      goto LABEL_44;
    }
    KeInitializeEvent(&AfdContextWaitEvent, NotificationEvent, 0);
    // Builds the security descriptor(s) later freed as AfdAdminSecurityDescriptor.
    SecurityDescriptor = AfdCreateSecurityDescriptor();
    if ( SecurityDescriptor < 0 )
      goto LABEL_6;
    AfdInitializeData();
    AfdReadRegistry();
    // Global data block: pool type 512 (0x200, NonPagedPoolNx), tag 0x72646641
    // ("Afdr" in memory order). The ERESOURCE lives at its start; an NPAGED
    // lookaside list is embedded at &AfdGlobalData[1].ActiveCount.
    PoolWithTagPriority = (struct _ERESOURCE *)ExAllocatePoolWithTagPriority(
                                                 (POOL_TYPE)512,
                                                 (int)AfdAlignmentTableSize + 256,
                                                 0x72646641u,
                                                 HighPoolPriority);
    AfdGlobalData = PoolWithTagPriority;
    if ( !PoolWithTagPriority )
      goto LABEL_44;
    ExInitializeResourceLite(PoolWithTagPriority);
    AfdInitializeBufferManager();
    // Buffer size classes are rounded by AfdCalculateBufferSize(); when two
    // adjacent classes round to the same value the smaller class is collapsed
    // into the larger one so the pools below do not duplicate a size.
    AfdPnlHugeBufferSize = (unsigned int)AfdCalculateBufferSize((unsigned int)AfdHugeBufferSize);
    AfdPnlLargeBufferSize = (unsigned int)AfdCalculateBufferSize((unsigned int)AfdLargeBufferSize);
    if ( AfdPnlLargeBufferSize == AfdPnlHugeBufferSize )
      LODWORD(AfdLargeBufferSize) = AfdHugeBufferSize;
    AfdPnlMediumBufferSize = (unsigned int)AfdCalculateBufferSize((unsigned int)AfdMediumBufferSize);
    if ( AfdPnlMediumBufferSize == AfdPnlLargeBufferSize )
      LODWORD(AfdMediumBufferSize) = AfdLargeBufferSize;
    AfdPnlSmallBufferSize = (unsigned int)AfdCalculateBufferSize((unsigned int)AfdSmallBufferSize);
    if ( AfdPnlSmallBufferSize == AfdPnlMediumBufferSize )
      LODWORD(AfdSmallBufferSize) = AfdMediumBufferSize;
    // TpInfo lookaside list, tag 0x46646641 ("AfdF"); element size is
    // 24*count+271 rounded down to 16 plus 96 bytes of header.
    ExInitializeNPagedLookasideList(
      (PNPAGED_LOOKASIDE_LIST)&AfdGlobalData[1].ActiveCount,
      AfdAllocateTpInfo,
      AfdFreeTpInfo,
      0x200u,
      ((24 * AfdDefaultTpInfoElementCount + 271) & 0xFFFFFFF0) + 96,
      0x46646641u,
      0);
    // Per-size buffer pools, all tagged 0x42646641 ("AfdB"). Any allocation
    // failure below goes to LABEL_44 (STATUS_INSUFFICIENT_RESOURCES).
    AfdPnlBufferTagPool = (PVOID)PnlCreateLookasideList(
                                   (int)AfdAllocateBufferTag,
                                   (int)AfdFreeBufferTag,
                                   v8,
                                   v9,
                                   0x50ui64,
                                   0x42646641u,
                                   DeviceObjectj,
                                   0x42646641u);
    if ( !AfdPnlBufferTagPool )
      goto LABEL_44;
    AfdPnlHugeBufferPool = (PVOID)PnlCreateLookasideList(
                                    (int)&AfdAllocateBuffer,
                                    (int)AfdFreeBuffer,
                                    v10,
                                    v11,
                                    AfdPnlHugeBufferSize,
                                    0x42646641u,
                                    DeviceObject,
                                    0x42646641u);
    if ( !AfdPnlHugeBufferPool )
      goto LABEL_44;
    AfdPnlLargeBufferPool = (PVOID)PnlCreateLookasideList(
                                     (int)&AfdAllocateBuffer,
                                     (int)AfdFreeBuffer,
                                     v12,
                                     v13,
                                     AfdPnlLargeBufferSize,
                                     0x42646641u,
                                     DeviceObjecta,
                                     0x42646641u);
    if ( !AfdPnlLargeBufferPool )
      goto LABEL_44;
    AfdPnlMediumBufferPool = (PVOID)PnlCreateLookasideList(
                                      (int)&AfdAllocateBuffer,
                                      (int)AfdFreeBuffer,
                                      v14,
                                      v15,
                                      AfdPnlMediumBufferSize,
                                      0x42646641u,
                                      DeviceObjectb,
                                      0x42646641u);
    if ( !AfdPnlMediumBufferPool )
      goto LABEL_44;
    AfdPnlSmallBufferPool = (PVOID)PnlCreateLookasideList(
                                     (int)&AfdAllocateBuffer,
                                     (int)AfdFreeBuffer,
                                     v16,
                                     v17,
                                     AfdPnlSmallBufferSize,
                                     0x42646641u,
                                     DeviceObjectc,
                                     0x42646641u);
    if ( !AfdPnlSmallBufferPool )
      goto LABEL_44;
    // Object pools: connection (0x100 bytes, "AfdC"), endpoint (0x1C0, "AfdE"),
    // TDI-TL endpoint (0x1E0, "AfdE"), WSK socket (0xC8, "WSKs"),
    // remote address (AfdStandardAddressLength, "AfdR").
    PplConnectionPool = (PVOID)PplCreateLookasideList(
                                 0,
                                 0,
                                 v18,
                                 v19,
                                 0x100ui64,
                                 0x43646641u,
                                 DeviceObjectd,
                                 0x43646641u);
    if ( !PplConnectionPool )
      goto LABEL_44;
    PplEndpointPool = (PVOID)PplCreateLookasideList(0, 0, v20, v21, 0x1C0ui64, 0x45646641u, DeviceObjecte, 0x45646641u);
    if ( !PplEndpointPool )
      goto LABEL_44;
    PplTditlEndpointPool = (PVOID)PplCreateLookasideList(
                                    0,
                                    0,
                                    v22,
                                    v23,
                                    0x1E0ui64,
                                    0x45646641u,
                                    DeviceObjectf,
                                    0x45646641u);
    if ( !PplTditlEndpointPool )
      goto LABEL_44;
    WskProPplSocket = (PVOID)PplCreateLookasideList(0, 0, v24, v25, 0xC8ui64, 0x734B5357u, DeviceObjectg, 0x734B5357u);
    if ( !WskProPplSocket )
      goto LABEL_44;
    PplAddressPool = (PVOID)PplCreateLookasideList(
                              (int)AfdAllocateRemoteAddress,
                              (int)AfdFreeRemoteAddress,
                              v26,
                              v27,
                              (unsigned int)AfdStandardAddressLength,
                              0x52646641u,
                              DeviceObjecth,
                              0x52646641u);
    if ( !PplAddressPool )
      goto LABEL_44;
    // Datagram batch-send state pool (0x5A0 bytes, tag "Afdb").
    AfdPnlSendDgramBatchStatePool = (PVOID)PnlCreateLookasideList(
                                             0,
                                             0,
                                             v28,
                                             v29,
                                             0x5A0ui64,
                                             0x62646641u,
                                             DeviceObjecti,
                                             0x62646641u);
    if ( !AfdPnlSendDgramBatchStatePool || !(unsigned __int8)AfdInitializeGroup() )
      goto LABEL_44;
    // Dispatch table: all 0x1C (28) major-function slots default to AfdDispatch,
    // then three are overridden. The indices match the WinDbg listing above:
    //   [14] IRP_MJ_DEVICE_CONTROL          -> AfdDispatchDeviceControl
    //   [15] IRP_MJ_INTERNAL_DEVICE_CONTROL -> AfdWskDispatchInternalDeviceControl
    //   [23] IRP_MJ_SYSTEM_CONTROL          -> AfdEtwDispatch
    // Slot 14 is the path user-mode IOCTLs on \Device\Afd arrive through, so it is
    // the entry point to audit for input validation in later parts of this series.
    memset64(DriverObject->MajorFunction, (unsigned __int64)&AfdDispatch, 0x1Cui64);
    DriverObject->MajorFunction[14] = (PDRIVER_DISPATCH)AfdDispatchDeviceControl;
    DriverObject->MajorFunction[15] = (PDRIVER_DISPATCH)AfdWskDispatchInternalDeviceControl;
    DriverObject->MajorFunction[23] = (PDRIVER_DISPATCH)&AfdEtwDispatch;
    DriverObject->FastIoDispatch = (PFAST_IO_DISPATCH)&AfdFastIoDispatch;
    DriverObject->DriverUnload = (PDRIVER_UNLOAD)AfdUnload;
    AfdDeviceObject->Flags |= 0x10u; // DO_DIRECT_IO
    AfdDeviceObject->StackSize = AfdIrpStackSize;
    IoGetCurrentProcess(); // result unused in this listing
    if ( AfdParametersNotifyHandle )
      AfdReadVolatileParameters(0i64);
    inited = AfdEtwInitLog();
    v3 = inited; // remembered so LABEL_6 only unregisters the log if this succeeded
    if ( inited < 0 )
    {
      SecurityDescriptor = inited;
      goto LABEL_6;
    }
    if ( !AfdDoNotHoldNICBuffers )
    {
      // Timer wheel for held NIC buffers: DPC + 0x3038-byte wheel (tag "AfdE")
      // initialized under SpinLock, then armed as a coalescable timer with
      // due time -10000000 (1 s relative), period 0, tolerance 0x1F4 (500 ms).
      KeInitializeDpc(&AfdTimerWheel, AfdTimerWheelHandler, 0i64);
      KeInitializeTimerEx(&Timer, NotificationTimer);
      KeInitializeSpinLock(&SpinLock);
      P = ExAllocatePoolWithTagPriority((POOL_TYPE)512, 0x3038ui64, 0x45646641u, LowPoolPriority);
      if ( !P )
      {
LABEL_44:
        // Shared allocation-failure exit: 0xC000009A, STATUS_INSUFFICIENT_RESOURCES.
        SecurityDescriptor = -1073741670;
        goto LABEL_6;
      }
      v31 = KeAcquireSpinLockRaiseToDpc(&SpinLock);
      if ( (unsigned __int8)RtlInitializeTimerWheel(P, 512i64, 1i64) )
      {
        byte_1C0028A18 = 1;
        KeSetCoalescableTimer(&Timer, (LARGE_INTEGER)-10000000i64, 0, 0x1F4u, &AfdTimerWheel);
        SecurityDescriptor = 0;
      }
      else
      {
        ExFreePoolWithTag(P, 0x45646641u);
        P = 0i64;
        SecurityDescriptor = -1073741670;
      }
      KeReleaseSpinLock(&SpinLock, v31);
      if ( SecurityDescriptor < 0 )
        goto LABEL_6;
    }
    // From here on the driver is considered loaded; start the sub-modules in
    // order and fall through to cleanup if any of them fails.
    AfdLoaded = (PRKEVENT)1;
    SecurityDescriptor = AfdTlStartClientModule();
    if ( SecurityDescriptor >= 0 )
    {
      SecurityDescriptor = AfdPodInit(DriverObject);
      if ( SecurityDescriptor >= 0 )
      {
        SecurityDescriptor = AfdWskStartProviderModule();
        if ( SecurityDescriptor >= 0 )
        {
          SecurityDescriptor = AfdPcwInit();
          if ( SecurityDescriptor >= 0 )
          {
            AfdSqmGlobalInit();
            return SecurityDescriptor; // success path: status is >= 0 here
          }
        }
      }
    }
  }
LABEL_6:
  // Failure cleanup. Runs in reverse order of setup; each step either is safe to
  // call on an un-started module or is guarded by a NULL check on the global it
  // frees, and every freed global is reset to 0 so AfdUnload cannot double-free.
  AfdWskStopProviderModule();
  AfdPodDeinit();
  AfdTlStopClientModule();
  if ( v3 >= 0 )
    AfdEtwUnRegisterLog();
  AfdStopTimerWheel();
  AfdTerminateGroup();
  if ( AfdAdminSecurityDescriptor )
  {
    ExFreePoolWithTag(AfdAdminSecurityDescriptor, 0);
    AfdAdminSecurityDescriptor = 0i64;
  }
  if ( AfdGlobalData )
  {
    ExDeleteNPagedLookasideList((PNPAGED_LOOKASIDE_LIST)&AfdGlobalData[1].ActiveCount);
    ExDeleteResourceLite(AfdGlobalData);
    ExFreePoolWithTag(AfdGlobalData, 0x72646641u);
    AfdGlobalData = 0i64;
  }
  if ( PplConnectionPool )
    PplDestroyLookasideList(PplConnectionPool, 0x43646641u);
  if ( PplEndpointPool )
    PplDestroyLookasideList(PplEndpointPool, 0x45646641u);
  if ( PplTditlEndpointPool )
    PplDestroyLookasideList(PplTditlEndpointPool, 0x45646641u);
  if ( WskProPplSocket )
    PplDestroyLookasideList(WskProPplSocket, 0x734B5357u);
  if ( PplAddressPool )
    PplDestroyLookasideList(PplAddressPool, 0x52646641u);
  if ( AfdPnlBufferTagPool )
    PnlDestroyLookasideList(AfdPnlBufferTagPool, 0x42646641u);
  if ( AfdPnlHugeBufferPool )
    PnlDestroyLookasideList(AfdPnlHugeBufferPool, 0x42646641u);
  if ( AfdPnlLargeBufferPool )
    PnlDestroyLookasideList(AfdPnlLargeBufferPool, 0x42646641u);
  if ( AfdPnlMediumBufferPool )
    PnlDestroyLookasideList(AfdPnlMediumBufferPool, 0x42646641u);
  if ( AfdPnlSmallBufferPool )
    PnlDestroyLookasideList(AfdPnlSmallBufferPool, 0x42646641u);
  if ( AfdPnlSendDgramBatchStatePool )
    PnlDestroyLookasideList(AfdPnlSendDgramBatchStatePool, 0x62646641u);
  if ( AfdWorkQueueItem )
  {
    IoFreeWorkItem(AfdWorkQueueItem);
    AfdWorkQueueItem = 0i64;
  }
  if ( AfdDeviceObject )
  {
    IoDeleteDevice(AfdDeviceObject);
    AfdDeviceObject = 0i64;
  }
  NetioNrtStop();
  AfdTdiDeInit();
  AfdPcwCleanup();
  AfdTerminateWpp();
  // ETW provider handle is cleared before EtwUnregister so a racing reader sees 0.
  v5 = RegHandle;
  RegHandle = 0i64;
  dword_1C0028120 = 0;
  EtwUnregister(v5);
  wil_UninitializeFeatureStaging();
  return SecurityDescriptor;
}
从此山高路远,纵马扬鞭。愿往后旅途,三冬暖,春不寒,天黑有灯,下雨有伞。此生尽兴,不负勇往。